Quickly build a network capable of demonstrating multiple key IPv6 technologies in support of customer training and transaction programs.
The OptiView XG Network Analysis Tablet reduced deployment time by providing fast and accurate device discovery, identification of tunneling protocols, and easy-to-use tools for troubleshooting integration issues.
OptiView® XG Network Analysis Tablet
IPv6 adoption is accelerating globally. Integrators, long bereft of adequate IPv6 support in IT infrastructure, are demanding feature parity to support next-generation network rollouts. In addition to routers, operating systems, and other “standard” IT infrastructure, network engineers and technicians need IPv6-capable monitoring and analysis tools. NETSCOUT’s OptiView XG Network Analysis Tablet, already a staple tool in many organizations, is ready. With capabilities for IPv6 network discovery, tunneling protocol identification, router advertisement analysis, and IPv6 services detection, OptiView XG is an invaluable aid in supporting IPv6 deployment, troubleshooting integration issues, and helping identify unintentional IPv6 deployment.
The Review
In February 2011, the Internet Assigned Numbers Authority (IANA) distributed the last five /8 (historically referred to as “Class A”) IPv4 address blocks to the Regional Internet Registries (RIR). This event signaled the beginning of the end for the IPv4-based Internet and heralded the start of the global transition to the next generation Internet protocol, IPv6. Standardized in 1995, IPv6 is designed to enhance the Internet protocol and address the issue of IP resource exhaustion, but had never found significant purchase in the marketplace for a variety of economic and technology reasons. While some technology camps believed Network Address Translation (NAT) would suffice, Internet scalability requirements and the ever increasing complexity of multiple NATted environments make a compelling case for IPv6 adoption now.
Despite a lack of widespread interest in IPv6, numerous organizations, including world governments, large IT product companies, major service providers, and some early adopters blazed the trail of IPv6 adoption. The Internet Engineering Task Force (IETF) developed mechanisms to support the co-existence of IPv4 and IPv6 and to mitigate some of the financial burden of migration. IT vendors incorporated support for IPv6 in many of their mainstream products. Emerging from this collective effort of the early adopters are methodologies and best practices for the secure and efficient deployment of IPv6.
Nephos6, Inc. is an IPv6 and Cloud Computing Professional Services firm located in Raleigh, NC. The company was founded by a number of industry experts with significant deployment experience in IPv6 (and cloud computing). The company uses a five-stage methodology to manage the IPv6 integration effort for enterprises and service providers. The first four stages involve cultivating a common understanding of the current environment, aligning business and technical drivers, assessing the IT infrastructure and support systems for IPv6 support capability, and developing architectures and plans for deployment. The fifth stage, Implementation, sees the rollout of IPv6, in a controlled but progressive manner.
The ultimate goal of any IPv6 adoption program is to enable dual stack (both IPv4 and IPv6 running concurrently on the same device) on all devices throughout the organization. But the path to achieving a dual stack installation is rarely the same from organization to organization. Despite different approaches to the end state, all well-managed deployments embody these approaches:
- Validate and test designs—configurations and architectures are evaluated in isolated labs first and then systematically deployed in the production environment.
- Manage and troubleshoot deployments—nothing ever goes perfectly the first time. Invariably equipment malfunctions, human error, or Murphy’s Law interfere during deployments and require systematic troubleshooting to correct.
- Monitor for unauthorized/rogue IPv6 Devices—IPv6 is supported in most modern IT devices and operating systems, enabled by default in some cases. Unintentional deployment is a security issue and needs to be monitored and managed.
A critical element of the implementation process is effective tools to support these key activities. Nephos6 uses packet capture software and network analysis tools but wanted to see if the market offered a comprehensive, portable, and remotely accessible tool. Yurie Rich, chief operating officer of Nephos6, recalls, “It was interesting. I interacted with NETSCOUT all the way back in 2000 when I started working with IPv6, then again sometime in 2007 or 2008 as their OptiView team was working towards JITC [Joint Interoperability Test Command] IPv6 certification. I guess it was kismet when they reached out to our CEO, Ciprian (Chip) Popoviciu, to see if we’d be interested in evaluating the XG.”
After reviewing the OptiView XG’s capabilities on paper, John Spence, vice president of IP Services at Nephos6, developed a series of trials to test OptiView XG’s capabilities. John recalls, “Chip, Yurie and I spent some time thinking about the commonality of the deployments we’d been involved with. No two are the same, but generally you see testing in the lab, a controlled rollout (or prototype or pilot or all of these) into the production environment using one or more transition technologies, then testing and remediation of any problems. That process is continuously evolved until the organization ends up with the optimal target architecture that is operationally sound and dual-stack enabled.”
The OptiView XG combines a robust discovery capability with the ability to capture IPv6 tunnel traffic and identify the type of transition mechanism being used. It can also identify a number of IPv6 service types a node is offering and analyze router advertisements. Collectively, these features provided a valuable tool chest to support Nephos6’s common requirements.
Leveraging the Network and Device Discovery Feature
Figure 1 is a very simplified diagram of a typical enterprise environment. It consists of three disparate campus environments, a data center, and centralized access to the Internet. John developed a lab environment that mirrored this architecture and identified touch points to connect the OptiView XG. Most IPv6 deployments start with a prototype conducted in a lab. The first step was to leverage the OptiView XG’s discovery capability.
The lab started as IPv4-only, and IPv6 was then enabled on a few devices. The OptiView XG allows both on-subnet device discovery and, through some configuration parameters, discovery of off-subnet devices as well. In IPv6 deployments, most enterprises (and service providers) will likely want a managed IPv6 address space - meaning the use of DHCPv6. Information provided by the Discovery process will verify that nodes are using properly obtained IPv6 address configuration information. The Discovery process also categorizes discovered nodes as a router, server, switch, or end node. Figure 2 is a sample screen capture of the OptiView XG Discovery user interface from the lab on one subnet.
The highlighted device is a server on this particular LAN segment. The IPv6 address space is highly diversified. In addition to having a number of address types (unicast, multicast, anycast - like IPv4), there are address scopes (such as link local - identifiable here as fe80::82c:6ff:fe55:1c2b). And, just to make things a bit more interesting, IPv6 addresses can be derived through a number of processes.
Here, the upstream router is configured to use address autoconfiguration and send router advertisements to the node, which is properly configuring its IPv6 address based partly on information contained in the RA. The preference in this case is an address configured using the Extended Unique Identifier (EUI-64) process. This is verified by examining the last 64 bits, which have the hex characters FF FE placed in the middle of the MAC address. Combined with the prefix of 2001:db8:ff:70::/64, the interface created 2001:db8:ff:70:82c:6ff:fe55:1c2b as its IPv6 address.
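The FF FE check described above can be run over a list of discovered addresses to recover each interface's MAC and tie its link-local and global addresses together. This is an added example, not code from the article or from the OptiView XG; the function names and the last two sample addresses are constructed, and it assumes EUI-64 autoconfiguration is the intended method on 2001:db8:ff:70::/64.

```python
import ipaddress
from collections import defaultdict

def eui64_mac(addr):
    """Return the MAC an EUI-64 interface ID encodes, or None if it is not EUI-64."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # no FF FE filler: DHCPv6, privacy, or manually set address
    # Modified EUI-64 also inverts the universal/local bit (0x02) of the first byte.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses, prefix):
    """Group addresses by recovered MAC; flag those that break the assumed policy."""
    net = ipaddress.ip_network(prefix)
    by_mac, flagged = defaultdict(list), []
    for text in addresses:
        addr, mac = ipaddress.IPv6Address(text), eui64_mac(text)
        if mac:
            by_mac[mac].append(str(addr))
        if not addr.is_link_local and addr not in net:
            flagged.append((str(addr), "outside expected prefix"))
        elif mac is None:
            flagged.append((str(addr), "interface ID is not EUI-64"))
    return dict(by_mac), flagged

# The first two addresses are from the article; the last two are constructed.
DISCOVERED = [
    "fe80::82c:6ff:fe55:1c2b",
    "2001:db8:ff:70:82c:6ff:fe55:1c2b",
    "2001:db8:ff:70:d5e1:4a3c:9b02:77f1",  # privacy-style random interface ID
    "2001:db8:ff:99::10",                  # address from an unexpected prefix
]

if __name__ == "__main__":
    interfaces, flagged = audit(DISCOVERED, "2001:db8:ff:70::/64")
    print(interfaces)
    print(flagged)
```

A random interface ID can contain FF FE in that position by chance, so a match is strong evidence of EUI-64 derivation rather than proof.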
The Nephos6 team quickly recognized several benefits of the OptiView’s Discovery capability:
- Validation of on-link device IPv6 configuration—recall that one of the common requirements of all IPv6 integration processes is the need to test and validate deployments. The information supplied by the OptiView XG clearly yields solid information to verify IPv6 connectivity, IPv6 address information, and, with further analysis, what specific nodes are doing in terms of open ports and service offerings.
- Identification of rogue or unintentional IPv6 deployment—certainly anytime the discovery process is run and IPv6 devices are present on the link, the OptiView XG will find and report them.
- Remote access means remote expertise—IPv6 skill sets take some time to accrue. It is not uncommon for field personnel, who do much of the heavy lifting in the IPv6 integration process, to be last on the list for IPv6 training. The remote access capability of the OptiView XG means that IPv6 savvy engineers can collaborate with field engineers to not only conduct testing and validation exercises, but also continue the IPv6 knowledge transfer process.
Once base configurations are implemented and the environment is operating as predicted, the next step is to expand the deployment to other areas of the network. In the lab example, as shown in Figure 3, IPv6 is deployed in another section of the “campus” and the two islands are connected with a manually configured tunnel, commonly known as a 6in4 tunnel. At each tunnel end point, the routers are dual stacked - supporting both IPv4 and IPv6 simultaneously. The IPv6-in-IPv4 tunnels are manually configured on each router.
John Spence notes, “Manual tunnels are relatively simple to create (but do not scale well as deployments grow), which is both good and bad. It is an easy way to connect IPv6 islands over an organization’s existing infrastructure. The challenge is that to many deployed network elements (routers, IDS, firewalls), those tunneled packets look pretty much like any other IPv4 traffic. Two parties can establish an IPv6 tunnel between their computers with almost no effort. From a general standpoint, this isn’t the end of the world, but in a managed environment, and especially from a security perspective, the IPv6 deployment process needs to be controlled and managed.”
The OptiView XG is a very effective IPv6 tunneling identification tool. Figure 4 shows a screen capture of the IPv6 Tunneling Protocol user interface, which is found under the Traffic Analysis tab. In this particular example, John was able to place the OptiView XG discovery interface on a SPAN (monitor) port over which the IPv6 tunneled traffic was passing. Monitoring the traffic on that port, the OptiView XG automatically identifies the tunnel type as 6in4. The capture also identifies the tunnel end points, which is extremely important in the “detecting and eliminating rogues” scenario. “With the information provided on this screen, I can identify this traffic as one of my intended deployments. If I don’t recognize those endpoints, it is easy to track them down through the DDI (DHCP, DNS, IP Address Management) infrastructure and work with IT to bring those deployments under control,” commented John.
The OptiView XG’s IPv6 Discovery capability is not limited to 6in4 tunnels. It supports identification of the most widely utilized tunnels leveraged in industry today (see table below). This is exceptionally important as most modern operating systems have IPv6 enabled by default and the stacks are aggressive about obtaining IPv6 connectivity via established transition mechanisms. As an example, Windows® 7 has IPv6 enabled by default and in an IPv4-only environment will attempt to establish IPv6 capability via 6to4, ISATAP, and Teredo transition mechanisms.
IPv6 Tunneling Protocols
| Protocol | Description |
|---|---|
| 6in4 | Encapsulates IPv6 datagram in IPv4 packet using Protocol 41 marker. Tunnel endpoints are manually configured with pre-shared endpoint information. |
| ISATAP | Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) is used primarily to allow isolated dual stack nodes to use the IPv4 network as a Non-Broadcast Multiple Access (NBMA) data link layer. Requires ISATAP server/router and minimal client configuration. |
| 6to4 | 6to4 uses a system of gateways and relays to allow isolated IPv6 networks (or hosts) to create a /48 IPv6 network prefix and communicate with other 6to4 users and IPv6-only clients on the Internet. |
| Teredo | Complex mechanism that uses a system of servers and relays to provision isolated dual stacked hosts with IPv6 connectivity. Capable of NAT traversal. |
| Tunnel Setup Protocol (TSP) | Establishes a tunnel between the client and a tunnel server, usually through a tunnel broker. Also capable of NAT traversal. |
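How the tunnel types in the table can be told apart on a monitor port, together with the outer endpoints needed to trace an unrecognized tunnel, shown as an added example (not the OptiView XG's implementation or code from the article). Protocol 41 comes from the table; the 6to4 prefix 2002::/16, the ISATAP interface-ID marker 5efe and Teredo's UDP port 3544 come from the respective RFCs, TSP is left out, and all packets are constructed.

```python
import ipaddress
import struct

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")  # 6to4 prefix (RFC 3056)
TEREDO_PORT = 3544                               # Teredo UDP port (RFC 4380)
ISATAP_IIDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")  # RFC 5214 IID prefix

def classify(packet):
    """Return (tunnel_type, outer_src, outer_dst) for a raw IPv4 packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    src, dst = (str(ipaddress.IPv4Address(packet[i:i + 4])) for i in (12, 16))
    payload = packet[ihl:]
    if packet[9] == 41 and len(payload) >= 40 and payload[0] >> 4 == 6:
        inner = [ipaddress.IPv6Address(payload[i:i + 16]) for i in (8, 24)]
        if any(a in SIX_TO_FOUR for a in inner):
            return "6to4", src, dst
        if any(a.packed[8:12] in ISATAP_IIDS for a in inner):
            return "ISATAP", src, dst
        return "6in4", src, dst
    if packet[9] == 17 and len(payload) >= 8:
        if TEREDO_PORT in struct.unpack("!HH", payload[:4]):
            return "Teredo", src, dst
    return None

def ipv4(proto, src, dst, payload):
    """Constructed sample: minimal 20-byte IPv4 header (checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def ipv6(src, dst):
    """Constructed sample: bare 40-byte IPv6 header, next header 59 (none)."""
    return (struct.pack("!IHBB", 6 << 28, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

# Constructed packets, not lab captures; addresses are built from documentation ranges.
SAMPLES = [
    ipv4(41, "192.0.2.1", "198.51.100.1", ipv6("2001:db8:ff:70::1", "2001:db8:ff:71::1")),
    ipv4(41, "192.0.2.1", "198.51.100.1", ipv6("2002:c000:201::1", "2001:db8::1")),
    ipv4(41, "192.0.2.9", "192.0.2.1", ipv6("fe80::5efe:c000:209", "fe80::5efe:c000:201")),
    ipv4(17, "192.0.2.9", "203.0.113.5", struct.pack("!HHHH", 50000, 3544, 8, 0)),
    ipv4(6, "192.0.2.9", "203.0.113.5", b"\x00" * 20),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(classify(pkt))
```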
The benefit of the OptiView XG lies not only in the capability to identify tunneled IPv6 traffic, but also in how it categorizes the tunnel type and the participating end points. This is a significant time saver in the analysis process as IT staff can focus on mitigation rather than shuffling through packet captures attempting to compile the same type of detailed information OptiView XG can provide immediately.
Troubleshooting IPv6 Deployments
It is no secret that most IT projects take longer than hoped and almost never come off without a hitch. There are a lot of moving parts in the IPv6 implementation process, and troubleshooting is a given. The key to quickly troubleshooting issues is having the right information, and this is an area where the OptiView excels. In addition to the information generated in the standard discovery process, the OptiView XG also supports an IPv6 applications discovery capability.
Figure 5 identifies the outcome of the IPv6 port scanning process on a specific device - in this case a server in the example deployment. When John finished the scanning process, he noticed there was no DHCPv6 service identified, even though this device is supposed to be the DHCPv6 server in this lab site.
Once again reviewing the information in the Discovery pane, John noticed that the OptiView XG itself was not using addresses from the DHCPv6 pool, but rather was autoconfiguring IPv6 addresses using the default privacy extension enabled on Windows® 7 - which was not the intended configuration. Figure 6 highlights the unintended addresses.
The discovery prompted further research into the underlying configuration settings on the operating system of the OptiView XG and the server itself. The outcome from troubleshooting was an incorrect DHCPv6 server configuration. Once fixed, the Discovery process was rerun and Figure 7 demonstrates the outcome - a properly configured IPv6 address on the XG.
Conclusions
The findings on the OptiView XG’s IPv6 capabilities are very positive. After reviewing the findings, the Nephos6 team came to the following conclusions:
- The OptiView XG is an excellent IPv6 analytics tool that allows engineers and technicians to gather large amounts of data about the IPv6 capabilities and activities of devices on the network without having to go to each device individually - saving time and effort.
- The Discovery, IPv6 Tunneling Protocol, and Router Advertisement (tested, but not covered in this write up) features can help IPv6 implementers monitor their networks for rogue IPv6 deployments - whether malicious, unintentional, or curious IT engineers conducting independent research on IPv6.
- All of the OptiView XG’s IPv6 centered features will not only aid in the testing of v6 deployments, but are also a great resource for collecting and sharing information to expedite troubleshooting efforts.
- The wide array of Layer 2 connection types (such as Ethernet, 10GbE, Wi-Fi) means that the OptiView XG is valuable to a wide variety of markets that are currently engaged in IPv6 deployment, including service providers, large enterprises, government, and academia.
- The features and capabilities of the OptiView XG around IPv6 are quite advanced compared to other devices in the marketplace, which means it is a device ready to support the IPv6 deployments that are happening today. This is helpful for Nephos6 customers, many of whom continue to experience an “It’s on our roadmap” statement from many of their current IT vendors.