At some point, you will want all of your equipment, where feasible, to be running IPv6. This is really just a matter of setting up the dual-stack system on each host. Obviously that's a certain amount of work per machine, and while ad-hoc deployments may be suitable for small networks, for large networks being systematic is necessary.

One sensible way to proceed for converting hosts is to create a standard patch distribution for such old machines and operating systems as require it. Apply the patches via your standard systems maintenance or scheduled outage^[13] interface and then evaluate the change. (You may prefer to do this with a sacrificial machine or two first, if you run unusual applications or have a particularly different O.S. configuration.) Usually vendors will have extensively stress-tested their stacks before letting the public see them, but occasionally your situation may trigger an obscure problem, so it is wise to evaluate patches before rolling out. Having done that, you can, at your leisure, convert the rest of the hosts on the network. Another option is to allow IPv6 to be deployed as part of your normal upgrade cycle—once the operating system versions you install supports IPv6, you can just deploy it with IPv6 enabled (again after appropriate testing).

The great benefit of this rolling dual-stacked deployment is that there is no flag day: in other words, a day where everything changes. Experienced network managers know that changes on massive scales quickly expose hidden dependencies that can make life highly exciting for hours or even days. Apart from standard scheduled outage management, the overhead of the gradual roll-out is really quite small. Obviously the more equipment converted in a single session, the more you can amortize the cost (in both time and money).

At the end of this process, you can have systems that can pick up addresses via IPv6 router solicitation and behave as if they were solid citizens of both the IPv4 and IPv6 Internet. This is an important stepping-stone on the way to implementing almost any deployment plan.

From a network managers perspective, if you are rolling out dual-stack throughout a network, or if dual-stack is mandated for you, as much on-link IPv6 infrastructure as possible is one obvious way to short-circuit many classes of performance or reliability problems experienced by these machines. There are other transition mechanisms which may also help, some relying on existing IPv4 infrastructure; you will find them discussed in Section 4.1 earlier in this chapter.

In summary, we feel the rolling dual-stack method to be quite well understood. Deployment plans that involve converting networks of desktop machines could use it with relatively small risk.

One thing that you'll want to consider before doing an organized large scale roll out of IPv6 is how to provide connectivity. Deploying one or two test hosts with their own tunnels or 6to4 connectivity is relatively easy and sensible. However, it is probably not a good idea to deploy a LAN of many hosts all with their own individual tunnels to the IPv6 Internet! As we saw in Chapter 3, IPv6 routers play an important part in the IPv6 configuration process, so if you are deploying more than a couple of hosts, consider configuring a router and using a tunnel or 6to4 on the router. If you don't have dedicated router hardware, that's fine: most operating systems that support IPv6 can be configured as a router.

Dedicated routers themselves raise different questions. Depending on your manufacturer, you may have to buy an OS upgrade in order to have an IPv6 capable machine. Before that upgrade is bought or borrowed you'll need to do some planning. There are two points to be aware of when doing this planning. First, IPv6 dual stack obviously uses more CPU and memory resources than a single stack and sometimes routers don't have much of either to spare. Check your vendor's specifications to make sure the upgrade will fit on the router in question. (Router memory upgrades in particular can have unpleasant step functions in the financial resources required.)

The second issue that applies particularly to dedicated routers is that, because IPv6 is a younger protocol, the IPv6 path in a router can be less well optimized than the IPv4 path.^[14] For core networks that expect to process millions of packets per second, this can be catastrophic, and if your router has this issue, we advise you to look at other options such as using a separate router for IPv6 or using 6PE.^[15] Chapter 5 goes into more detail on the level of support in Cisco and Juniper routers. We'll talk more later about network topologies and how to ship traffic around.

With all this in mind, the question arises as to whether to use one's existing IPv4 router(s) for IPv6 traffic. Like always, this decision comes down to a balance of tradeoffs. The two main cases to consider are WAN links and ingress/egress routing, and the issue with both is whether the safety and resilience of a separate infrastructure justifies the management and cost overhead of supporting that infrastructure, even if that infrastructure is a single PC with a tunnel.

If you use a separate router on your LAN for IPv6, then you can gain experience^[16] without fear of impacting your production IPv4 systems. As time goes on, however, you may find that this flexibility actually works against providing a reliable IPv6 service. It duplicates the administration and maintenance work involved and can create an easily-ignored support "ghetto" that busy staff without spare time will, despite best intentions, find themselves unable to gain experience with. Face it, who has spare time in this day and age?

Most importantly, it will also prevent you of taking full advantage of any IPv6 support that might become available on your WAN link. Workarounds like IPv6-in-IPv4 tunnels, while great to start with, don't scale very well and are prone to failure in ways that a native network is not. Maintaining it, of course, invites all the same problems of support ghettos. Once you have confidence that you understand IPv6 and its potential impacts on your network, the ideal way to leverage your existing experience and its similarity with IPv4 is to deploy it exactly in parallel, and use all the same troubleshooting and monitoring mechanisms to maintain it.

As a result of this, our observation is that sites that experiment with IPv6 will typically start with an entirely separate infrastructure and move toward integration as time goes on and experience grows. On the other hand, sites looking to save money and have a deployment period with a fixed timescale, generally re-use existing infrastructure where possible.

As above, this is a conversion process allowing your systems to run IPv6. However, in this case, you turn off the IPv4 stack when you have completed IPv6 configuration.^[17] This is a scenario that you would probably only contemplate when one part of a network that is already converted to IPv6 is working well or if you need to deploy a large number of hosts but don't have the IPv4 address space available. The most important thing to remember is that routers and infrastructure service systems need to be in place first. IPv6-only machines that do not receive RAs are limited to purely local communication,^[18] so you need a working IPv6 router to communicate with the outside world. Even if you do have fully functional IPv6 connectivity, you may need to think about how you will reach IPv4-only sites (including most of the web and DNS servers currently on the Internet). Your conversion plan will therefore need to address these dependencies very carefully.

You will very probably encounter problems in the act of performing the conversion. You could expect the issues to broadly fall into the following categories:

Your system management process here involves the same test and rollout phase as before, only the dangers of removing IPv4 are significant—you are not only adding extra capabilities, you are removing old capabilities, and any users that were using the machine via IPv4, or any services that the machine needed to talk to over IPv4, had better be running on IPv6 also or things will get messy. For that reason alone it is probably best to run such infrastructure servers as are necessary (DHCP, DNS, and so on) on dual-stack until everything is running safely on IPv6.

In summary, if your deployment plan has an IPv6-only network in it, and it must communicate with an existing IPv4-only network, proxies or other front-ending should be deployed and tested first. If the IPv6-only network is "green-field" and does not need to communicate with IPv4 services, life is easier. We highly recommend dual-stacking infrastructure servers that provide DNS and DHCP. Additional single-stacked IPv6 servers performing the above functions are acceptable if the management and money overheads are acceptable.

Historically speaking, it was envisaged that IPv6 would begin to appear in networks in an edge-to-core direction. In other words, given that one of the main benefits of IPv6 was to number large networks natively, it was envisaged that it would be enabled where the maximum benefit accrued. In fact, our experience is that it is going mostly in the opposite direction: the core is only slowly being dual-stacked or otherwise enabled for IPv6, and the edges which previously had to make do with tunnels are switching over to native connections. Based on the realization that most managers are somewhat scared to switch over a well-functioning core, this has prompted a move toward entirely separate IPv4 and IPv6 infrastructure. If existing IPv4 infrastructure and applications absolutely must not be disturbed, this is a good approach. In practice it is very rarely the case that you can have entirely separate infrastructure, especially when the expense of purchasing additional hardware is made clear. (There are of course still cases when it makes sense to buy a limited set of desktops or servers additional network cards, and create a separate switch VLAN for them.)

Conversely, with an edge-to-core implementation, the key question is building support inwards. In the case of ISPs, for example, CPE can often be less flexible and upgrading it to support IPv6 may be problematic. DSL routers are perhaps the canonical example of this, but old equipment is a problem for everyone, not just ISPs. Allowing IPv6 to transit your core until it is natively enabled is a matter for transition mechanisms discussed elsewhere.

With respect to router placement in general or reconfiguration, there are three main cases to consider:

These differences are important when considering your onward connectivity, but they will be transparent to the end host. In a flat (broadcast) network, such as a single LAN, your router's announcements will ensure that every IPv6-capable host receives an address and connectivity. If you happen to have more than one router on your LAN, both will announce themselves; if they are advertising different prefixes then your hosts will receive separate addresses from each.

Also be aware that if your prefix changes from time to time—for example, if you use 6to4 with a dynamic IPv4 address as the endpoint—then the addresses of all your hosts will change as well. This should happen fairly transparently, but you will need to set the lifetime of the advertised prefixes just right; long enough to overcome network instabilities, but short enough to time out when they are no longer valid.

While we like to insist that IPv6 is just like IPv4 in all the best ways, there are some interesting consequences to router advertisement that can catch you out if you use VLANs extensively. When a router turns up on a network, it will typically announce itself and start assigning addresses. If the router is not on the network it is supposed to be on—for example, by being plugged into a switchport on the wrong VLAN—it will start handing out addresses that will, briefly, work (for small values of "work"—they're not likely to be in the DNS and might not match any access control lists you or others have defined).

When the operator notices the error and pulls out the patch cable, the addresses will suddenly stop working, but they will hang around until they time out, and chances are that the machines that have them will continue to try to use them. Since mistakes happen, you might want to consider configuring reasonably short timeouts for router advertisement; after all, if the router does go away for a bit, its addresses aren't going to be much use anyway. Note also that, even when correctly configured, leakage of packets across VLAN boundaries is a well-documented feature of network equipment.

It all gets even more interesting if your router or switch runs a trunking protocol such as VTP. Rather than simply not working if you plug it into a non-VTP port, it's likely that traffic to the default VLAN will still get through, and you'll start getting addresses from somewhere. Typically , it'll almost certainly be wrong somewhere.

In summary, we have shown a number of the possible influences on a deployment plan. You will need to consider at a minimum addressing, routing and naming in your deployment plan, as well as organizational concerns such as who will pay for it, and who will support it.