Enterprise Dual Stack without IPv6 Transit

Steve Housego Steve.Housego at itps.co.uk
Tue Dec 9 17:59:05 CET 2014


-----Original Message-----
From: Jeroen Massar <jeroen at massar.ch>
Organization: Massar
Date: Tuesday, 9 December 2014 16:35
To: Steve Housego <steve.housego at itps.co.uk>, "ipv6-ops at lists.cluenet.de"
<ipv6-ops at lists.cluenet.de>
Subject: Re: Enterprise Dual Stack without IPv6 Transit

>On 2014-12-09 17:27, Steve Housego wrote:
>> First a bit of background, a client of mine is looking to deploy
>> Microsoft DirectAccess and as part of that we are planning to
>> Dual Stack IPv6 the path between the direct access clients (who are
>> IPv6 only) [..]
>
>Do you mean that the underlying network is IPv6-only while in the
>DirectAccess tunnel (read: IPSEC tunnel) you run both IPv4 + IPv6?
>
>What are you expecting clients to contact, only IPv4 or also IPv6
>destinations?
>
>Also, watch out for leaks from such tunnels (See RFC7359)

DirectAccess is essentially an IPv6 tunnel between two IPv4 endpoints, the
DA server and a remote user who could be anywhere home/train etc. These
'VPN users' are only given an IPv6 address.

The DirectAccess server then NAT64/DNS64's all the clients' traffic into
the IPv4 'server LAN', which is effectively a 'PAT', so all the VPN users
appear to come from the DA server's LAN IPv4 address.

Which is horrible, so we want to enable IPv6 for the path from the
Direct Access clients to the 'server LAN' so nothing is NAT'd.

>
>[..]
>> They do not however (yet) have an IPv6 internet connection.
>
>Why not? :)

ISP doesn't support it yet (even for business customers), we have already
asked to be part of their trials.

>
>> i.e. as it has a global unicast address will it prefer IPv6 and try to
>>reach it
>> with IPv6 first which will obviously fail and then use IPv4?
>
>As long as you do not filter ICMPv6 and your routers return !N you
>should be fine. All dual-stacked applications should try other addresses
>and fall back. Happy Eyeballs typically makes this 'better'.

This is interesting, I hadn't come across 'Happy Eyeballs'; essentially
they attempt both connections simultaneously - this is great.

>
>> My second question which is a bit more Microsoft centric - but worth
>> asking - Is there likely to be some issues with the DirectAccess
>> clients trying to access the IPv4 internet (which is all tunneled
>> through the DA server).. as the DNS server will likely return a 'true'
>> IPv6 address in the DNS response to the client, this bit further boggles
>> me as it needs to be DNS64/NAT64 for this traffic.
>
>The issues are the same for any other tunneled setup where you NAT
>outbound.
>
>
>What is actually the use-case for DirectAccess? Do you want to force
>corporate devices to always use the corporate network and never the
>locally available connectivity? Or do you just use it to access the
>resources in the corporate network?

Yeah $company really likes the idea of whenever a laptop is switched on
and on the internet that it's part of the corporate network; they also
want to control web browsing through the corporate network proxies, which
to be honest kind of answers my own question: the proxy will hopefully be
IPv6 enabled, available in the 'server LAN' on IPv6 addressing anyway;
worst case I suppose they could live with NAT64 for access to the proxy.

>
>Oh, and watch out for split-DNS, don't fall for that one ;)
>
>Greets,
> Jeroen

Many thanks!

SteveH


Steve Housego
Principal Consultant

IT Professional Services
Axwell House
Waterside Drive
Metrocentre East Business Park
Gateshead
Tyne & Wear NE11 9HU

T. 0191 442 8300
F. 0191 442 8301





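The behaviour the thread is discussing (a dual-stacked client gets an AAAA record, tries IPv6 first, and falls back to IPv4 when the IPv6 attempt fails) can be reproduced locally. The following is an added example, not code from the thread or from Microsoft DirectAccess: a small Happy-Eyeballs-style connector that starts the preferred (IPv6) attempt, gives it a short head start, then starts the IPv4 attempt, and takes whichever connects first. The `demo()` function builds a constructed stand-in for Steve's situation: an IPv4 loopback listener plays the reachable A record, and a closed IPv6 loopback port plays the AAAA record that cannot be reached because there is no IPv6 transit. The per-attempt `timeout` models Jeroen's ICMPv6 point: when routers do return a destination-unreachable (!N), the IPv6 attempt fails fast and the next attempt starts immediately; when ICMPv6 is filtered, the attempt can only end at the timeout, which is exactly why the IPv4 attempt is launched in parallel rather than waited for.

```python
import socket
import threading
import time
from queue import Queue


def happy_eyeballs_connect(candidates, delay=0.25, timeout=2.0):
    """Connect to the first candidate that answers, Happy-Eyeballs style.

    candidates: list of (address_family, sockaddr) in preference order, the way
                a dual-stacked host orders them (AAAA results before A results).
    delay:      head start given to one attempt before the next is launched;
                the next one also starts as soon as the previous one fails.
    timeout:    per-attempt cap; stands in for the case where no ICMPv6
                unreachable ever comes back and a lone connect would hang.
    Returns a dict with the winning socket/family/address and the failures.
    """
    results = Queue()
    winner = {}
    lock = threading.Lock()
    done = threading.Event()   # set once some attempt has connected
    wake = threading.Event()   # set when the current attempt ends (win or fail)

    def attempt(family, sockaddr):
        sock = None
        try:
            sock = socket.socket(family, socket.SOCK_STREAM)
            sock.settimeout(timeout)
            sock.connect(sockaddr)
        except OSError as exc:
            # Covers "no IPv6 on this host", "network unreachable",
            # "connection refused" and a timed-out connect alike.
            if sock is not None:
                sock.close()
            results.put((family, sockaddr, str(exc)))
            wake.set()
            return
        with lock:
            if "sock" not in winner:
                winner.update(sock=sock, family=family, addr=sockaddr)
                done.set()
                wake.set()
                return
        sock.close()  # also connected, but lost the race

    threads = []
    for family, sockaddr in candidates:
        if done.is_set():
            break  # an earlier attempt already won; start no more
        wake.clear()
        t = threading.Thread(target=attempt, args=(family, sockaddr), daemon=True)
        t.start()
        threads.append(t)
        wake.wait(delay)  # head start, cut short if the attempt fails early
    for t in threads:
        t.join(timeout + 1)

    failures = []
    while not results.empty():
        failures.append(results.get())
    return {
        "sock": winner.get("sock"),
        "family": winner.get("family"),
        "addr": winner.get("addr"),
        "failed": failures,
    }


def demo():
    """Constructed local stand-in: reachable A record, unreachable AAAA record."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    v4_addr = listener.getsockname()

    v6_port = 9  # discard port; used if this host has no IPv6 loopback at all
    probe = None
    try:
        probe = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        probe.bind(("::1", 0))
        v6_port = probe.getsockname()[1]  # a free port: connect is refused
    except OSError:
        pass
    finally:
        if probe is not None:
            probe.close()

    candidates = [
        (socket.AF_INET6, ("::1", v6_port, 0, 0)),  # AAAA: preferred, tried first
        (socket.AF_INET, v4_addr),                   # A: launched after the head start
    ]
    t0 = time.monotonic()
    result = happy_eyeballs_connect(candidates)
    elapsed = time.monotonic() - t0
    if result["sock"] is not None:
        result["sock"].close()
    listener.close()
    return {
        "winner": "IPv4" if result["family"] == socket.AF_INET else "IPv6",
        "ipv6_failed": any(f[0] == socket.AF_INET6 for f in result["failed"]),
        "elapsed_s": round(elapsed, 2),
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the IPv4 candidate wins well under a second even though IPv6 was tried first; raise `timeout` and replace the closed loopback port with an address that silently drops packets and you see the other half of the point: the IPv4 attempt still completes after the head start, but the IPv6 attempt now lingers until the timeout instead of failing immediately.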



