Plan, Deploy & Operate Dual-Stack the Right Way (Addressing, DNS, Security & Evidence)
IPv6 removes address scarcity and simplifies routing—but only if you deploy it intentionally.
SolveForce delivers IPv6 as a program: address plan → dual-stack rollout → DNS/DHCPv6/SLAAC → security controls → app readiness → telemetry & audits. You get a network that is future-proof, operable, and measurably successful.
Where IPv6 touches the stack:
🔀 Routing → BGP Management • 🌐 WAN → SD-WAN • ☁️ Cloud on-ramps → Direct Connect
🛡️ Security → Cybersecurity • 🌐 Edge → WAF / Bot Management • 🔒 Access → ZTNA / SASE
🖧 Fabric → Networks & Data Centers • 🌐 Catalog → Connectivity
🎯 Outcomes (Why SolveForce IPv6)
- Clean address plan — /48 per site (typical), /64 per VLAN (always), P2P links on /127 (or /64 w/ guardrails).
- Dual-stack without the drama — phased rollout (core → DC → WAN → campus → users).
- Apps & DNS ready — AAAA, reverse ip6.arpa, load balancers, logs.
- Security-aware — ND/RA protection, ICMPv6 policy (don’t break PMTUD), no “accidental NAT66”.
- Evidence-driven — success SLOs, dashboards, and change artifacts in SIEM.
🧭 Scope (What We Deliver)
- Address architecture — provider-independent (RIR) or provider-assigned; aggregation & summarization strategy.
- Numbering — site /48, infra /56, user/server VLANs /64, p2p /127; reserved blocks for growth.
- Host config — SLAAC (RAs), DHCPv6 (options & stateful), or hybrid; DNS & NTP options.
- DNS — AAAA, ip6.arpa reverse, split-horizon, health checks; load balancer listeners.
- Routing — IGP (OSPFv3/IS-IS) + BGP design (peering, policy, communities). → BGP Management
- Security controls — RA Guard, ND Inspection, DHCPv6 Guard, uRPF/BCP-38, firewall rules, DDoS stance. → Cybersecurity
- Cloud & WAN — IPv6 for VPC/VNet/VPCe, LB/ALB/FW, Direct Connect/ExpressRoute/Interconnect parity. → Direct Connect
- Observability — logs, flows, and ND stats to SIEM; SLO dashboards; carrier/NOC integration. → SIEM / SOAR • NOC Services
🧱 Building Blocks (Spelled Out)
- Address plan truths
- Don’t subnet smaller than /64 for LANs (SLAAC, DAD, ND depend on it).
- /127 for routed p2p (or /64 with strict ND/RA guard).
- Keep aggregation: per-region/site blocks that summarize in the core/WAN.
- Host configuration
- RAs (Router Advertisements) for default gateway & on-link; DHCPv6 for DNS/NTP or full state.
- Wi-Fi/endpoint policy: disable “privacy extensions” only where auditing requires stable EUI-64 or DHCPv6 IAID/DUID.
- Routing & peering
- OSPFv3/IS-IS for IGP; eBGP for Internet/partners; policy symmetry vs hot-potato per app.
- Anycast services publish AAAA with IPv6-capable health checks.
- DNS & load balancing
- Add AAAA alongside A; ensure LB/WAF supports IPv6 at the edge and to origins (or v6→v4 NAT64 where needed). → WAF / Bot Management
- Security
- Don’t block ICMPv6 generically—allow ND, RA (guarded), and Path MTU Discovery (Packet Too Big, ICMPv6 type 2).
- RA Guard / DHCPv6 Guard / ND inspection on switches; strict first-hop security on Wi-Fi.
- Firewalls: explicit IPv6 policy; mirror IPv4 controls; drop extension-header abuse; log summary, not every ND.
- Migration/transition
- Dual-stack first → remove CGNAT pressure and test apps.
- NAT64/DNS64 for v6-only segments calling v4-only services; 464XLAT for mobile/edge where needed.
- Avoid NAT66/NPTv6 except for rare multi-homing policies.
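As an added example (not SolveForce's own tooling), this Python sketch carves a /48 site block the way the address plan above describes and audits a list of assignments for the three failure modes the page calls out: LAN prefixes smaller than /64, blocks that do not summarize into the regional aggregate, and overlaps. The regional aggregate and every prefix are constructed from documentation space.

```python
import ipaddress

# Constructed: documentation space (2001:db8::/32), not a real allocation.
REGION_AGGREGATE = ipaddress.IPv6Network("2001:db8:100::/40")  # assumed regional block summarized in core/WAN
# Prefix lengths per role: /64 for LANs (SLAAC/DAD/ND), /127 for routed p2p (/64 only with strict ND/RA guard), /128 loopbacks.
ROLE_PREFIXLEN = {"lan": {64}, "p2p": {127, 64}, "loopback": {128}}

def carve_site(site_prefix, vlan_names, p2p_count, loopback_count=2):
    """Carve one /48: first /56 is infra (one /64 of /127 p2p links, one /64 of /128
    loopbacks), second /56 holds user/server VLANs as /64s, remaining /56s stay reserved."""
    site = ipaddress.IPv6Network(site_prefix)
    if site.prefixlen != 48:
        raise ValueError(f"site block must be a /48, got {site}")
    if len(vlan_names) > 256:
        raise ValueError("more than 256 VLANs: spread them over a second /56")
    infra, vlan_block = list(site.subnets(new_prefix=56))[:2]
    infra_64s = infra.subnets(new_prefix=64)
    p2p_links = next(infra_64s).subnets(new_prefix=127)
    loopbacks = next(infra_64s).subnets(new_prefix=128)
    return {
        "site": site,
        "vlans": dict(zip(vlan_names, vlan_block.subnets(new_prefix=64))),
        "p2p": [next(p2p_links) for _ in range(p2p_count)],
        "loopbacks": [next(loopbacks) for _ in range(loopback_count)],
    }

def audit(assignments, aggregate=REGION_AGGREGATE):
    """assignments: (label, role, prefix) tuples. Returns findings; an empty list is a clean plan."""
    findings, seen = [], []
    for label, role, prefix in assignments:
        net = ipaddress.IPv6Network(prefix)
        if net.prefixlen not in ROLE_PREFIXLEN[role]:
            findings.append(f"{label}: /{net.prefixlen} not allowed for {role}")
        if not net.subnet_of(aggregate):
            findings.append(f"{label}: {net} does not summarize into {aggregate}")
        for other_label, other in seen:
            if net.overlaps(other):
                findings.append(f"{label}: {net} overlaps {other_label} ({other})")
        seen.append((label, net))
    return findings

# Constructed assignments with three deliberate mistakes.
CONSTRUCTED_ASSIGNMENTS = [
    ("hq-users", "lan", "2001:db8:100:1::/64"),
    ("hq-servers", "lan", "2001:db8:100:2::/80"),     # smaller than /64: breaks SLAAC/DAD
    ("hq-to-dc", "p2p", "2001:db8:100::/127"),
    ("hq-core-lo0", "loopback", "2001:db8:100:0:1::/128"),
    ("branch-users", "lan", "2001:db8:200:1::/64"),   # outside the regional aggregate
    ("dup-users", "lan", "2001:db8:100:1::/64"),      # overlaps hq-users
]
```

Running `audit(CONSTRUCTED_ASSIGNMENTS)` returns exactly three findings, one per planted mistake; feeding the VLANs from `carve_site()` back through `audit()` returns none.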
🛠️ Design Patterns (Choose Your Fit)
A) Data Center & DCI
- Fabric-wide /64 per VLAN; loopbacks /128; p2p /127; IGP + BGP; LB/WAF with AAAA; IPv6 on storage mgmt where vendor-supported.
B) WAN & SD-WAN
- Native IPv6 underlays where offered; BGP policy per class; SD-WAN treats IPv6 SLOs same as v4 (loss/latency/jitter). → SD-WAN
C) Cloud-First
- IPv6 VPC/VNet subnets + Private Link; dual-stack LBs; IPv6-enabled gateways and on-ramps; consider v6-only serverless or containers for scale. → Cloud • Direct Connect
D) Campus & Wi-Fi
- RA Guard / DHCPv6 Guard; /64 per SSID/VLAN; MDM/UEM posture for clients; DNS64/NAT64 if you pilot v6-only Wi-Fi.
E) Partner / Internet Edge
- Dual-stack edge with WAF/CDN; AAAA enabled; DDoS policies for IPv6 sources; Anycast DNS & API endpoints. → CDN • DDoS Protection
📐 SLO Guardrails (Success Metrics You Can Prove)
| KPI / SLO | Target (Recommended) |
|---|---|
| Address plan coverage | 100% sites with /48 (or policy) |
| Dual-stack edge readiness | 100% edges publish AAAA + A |
| Internal dual-stack reachability | ≥ 99.99% service reachability |
| ICMPv6 PMTUD pass rate | ≥ 99.5% (no black-hole MTU) |
| IPv6 traffic ratio | Track ↑ month-over-month (goal by app) |
| Security controls deployed | RA/DHCPv6 Guard on 100% access ports |
| Evidence completeness | 100% (plans, changes, tests, logs) |
SLO breaches open tickets and trigger SOAR actions (policy fix, route tweak, MTU clamp, ACL update). → SIEM / SOAR
🔒 Security Checklist (Zero-Trust for IPv6)
- ✅ Allow ICMPv6 essentials: ND, PTB, Echo (rate-limited).
- ✅ Enable RA Guard / DHCPv6 Guard / ND Inspection at access.
- ✅ Mirror IPv4 firewall posture; drop unused ext headers; log summaries.
- ✅ uRPF/BCP-38 to stop spoofing; anti-spoof on access.
- ✅ Harden first-hop (Wi-Fi) & prevent rogue RAs.
- ✅ Ensure WAF/DDoS stack covers IPv6. → WAF / Bot Management • DDoS Protection
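As an added example (not SolveForce's code or any vendor's syntax), this Python linter walks a vendor-neutral, first-match rule list and reports which of the essential ICMPv6 types from the checklist a policy would drop or leave unlimited. It shows the common generic ICMPv6 deny beside a policy that satisfies the checklist; both rule lists are constructed.

```python
# ICMPv6 types the checklist says must survive any policy: ND (133-137),
# Packet Too Big for PMTUD (type 2), and Echo (128/129, rate-limited).
ESSENTIAL_ICMPV6 = {
    2: "Packet Too Big (PMTUD)", 133: "Router Solicitation", 134: "Router Advertisement",
    135: "Neighbor Solicitation", 136: "Neighbor Advertisement", 137: "Redirect",
    128: "Echo Request", 129: "Echo Reply",
}
RATE_LIMITED = {128, 129}   # Echo must be permitted, but only with a rate limit

def first_match(rules, icmp_type):
    """Vendor-neutral first-match walk. A rule is (action, proto, types) with action in
    {"permit", "permit-ratelimit", "deny"}, proto such as "icmpv6", "tcp" or "any",
    and types a set of ICMPv6 type numbers or None for all types."""
    for action, proto, types in rules:
        if proto in ("icmpv6", "any") and (types is None or icmp_type in types):
            return action
    return "deny"   # implicit deny at the end of every chain

def lint_icmpv6_policy(rules):
    """Return one finding per essential type the policy drops or leaves unlimited."""
    findings = []
    for t, name in ESSENTIAL_ICMPV6.items():
        action = first_match(rules, t)
        if action == "deny":
            findings.append(f"type {t} ({name}) is dropped")
        elif t in RATE_LIMITED and action != "permit-ratelimit":
            findings.append(f"type {t} ({name}) permitted without a rate limit")
    return findings

# Constructed policies: the generic ICMPv6 deny beside a corrected version.
GENERIC_BLOCK = [
    ("permit", "tcp", None),
    ("permit", "udp", None),
    ("deny", "icmpv6", None),   # breaks ND, RA and PMTUD in one line
]
CHECKLIST_POLICY = [
    ("permit", "icmpv6", {133, 134, 135, 136, 137}),   # ND; rogue RAs are still RA Guard's job at the access layer
    ("permit", "icmpv6", {2}),                          # Packet Too Big: never filter this out
    ("permit-ratelimit", "icmpv6", {128, 129}),         # Echo, rate-limited
    ("deny", "icmpv6", None),                           # everything else
]
```

The generic block yields a finding for every essential type, the checklist policy yields none, and a blanket `("permit", "icmpv6", None)` passes everything but is flagged for unlimited Echo.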
📊 Observability & Evidence
- NetFlow v9/IPFIX with IPv6 fields, ND counters, RA/DHCPv6 events, AAAA hit ratio, PMTUD failures.
- Dashboards per site/app; SLO widgets (reachability, MTU, dual-stack ratio).
- Change artifacts — address plan, router/firewall diffs, DNS zone commits → SIEM. → SIEM / SOAR
🛠️ Implementation Blueprint (No-Surprise Rollout)
1) Address & policy — choose PI/PA, carve /48 per site, /64 per VLAN, /127 p2p; reserve growth blocks.
2) Core & edge — enable IPv6 IGP + BGP; firewalls/load balancers; MTU strategy; ICMPv6 policy.
3) DNS & DHCPv6/SLAAC — AAAA + ip6.arpa; RA config; DHCPv6 options; test privacy extensions impact.
4) Security — RA/DHCPv6 Guard, ND Inspection, ACLs, uRPF; WAF/DDoS IPv6 parity.
5) Cloud & WAN — VPC/VNet IPv6, on-ramps, SD-WAN SLOs; peering policy by app.
6) Apps & clients — test top apps; fix hard-coded v4 literals; update allowlists; MDM/UEM posture.
7) Pilot & rings — core/DC → WAN → campus → remote; measure SLOs; auto-rollback if needed.
8) Operate — dashboards, monthly reports; raise IPv6 ratio goals by domain; publish wins & RCAs.
✅ Pre-Engagement Checklist
- 🧭 Need for PI vs PA space; RIR/LIR status.
- 📦 Site list, VLANs, p2p counts; target /48 allocation scheme.
- 🧷 DNS zones (public/private), AAAA readiness, ip6.arpa plan.
- 🔐 Firewall/WAF/DDoS IPv6 capability; RA/DHCPv6 Guard support on switches/APs.
- ☁️ Cloud/VPC/VNet IPv6 support, on-ramp needs.
- 🔀 SD-WAN & BGP policy; MTU/PMTUD tests.
- 👩‍💻 Application audit for v4 literals; logging & SIEM fields.
- 📊 SLO targets & reporting cadence; escalation contacts.
🔄 Where IPv6 Fits (Recursive View)
1) Grammar — addresses & routes in Connectivity and Networks & Data Centers.
2) Syntax — delivery patterns across Cloud, WAN, and campus.
3) Semantics — Cybersecurity ensures truthful routing & safe ND/RA.
4) Pragmatics — SolveForce AI predicts routing/MTU pitfalls and suggests policy fixes.
5) Foundation — consistent terms via Primacy of Language.
6) Map — indexed in the SolveForce Codex & Knowledge Hub.
📞 Plan & Deploy IPv6 with Confidence