Recently, I had conversations with several partners regarding their concerns with OMB M-21-07 (Completing the Transition to Internet Protocol Version 6 (IPv6)). Part of OMB M-21-07 is to develop an IPv6 implementation plan by the end of FY2021. IPv6 adoption has been lacking over the years, and this mandate is a renewed attempt to increase it. The section of the mandate that ties most closely to your cloud environment requires federal government agencies to meet the following requirements:
At least 20% of IP-enabled assets on Federal networks are operating in IPv6-only environments by the end of FY 2023.
At least 50% of IP-enabled assets on Federal networks are operating in IPv6-only environments by the end of FY 2024.
At least 80% of IP-enabled assets on Federal networks are operating in IPv6-only environments by the end of FY 2025.
Identify and justify federal information systems that cannot be converted to use IPv6 and provide a schedule for replacing or retiring these systems.
For people in the commercial world looking for guidance, the memo provides a great guide to create and develop a plan and strategy. With Oracle Cloud Infrastructure (OCI), the IPv6 capabilities are enabled across all our regions, both commercial and government. You can take advantage of what the federal government has developed as a mandate and use it as a guideline for your deadlines. If you’re just starting the journey to the cloud, consider the following concepts and account for them sooner rather than later.
IPv6 adoption is still in its early stages. Different cloud providers have different strategies and viewpoints, and no single set of standards to follow exists. Oracle has developed what we believe to be a path forward. IPv6 is complex, but we hope to ease the transition and help prepare for the future. We encourage you to look at the overview of IPv6 and how it operates with Oracle Government Cloud. The following high-level points can help you formulate your plan and strategy to address OMB M-21-07.
IPv6-enabled VCNs use a /56 CIDR block. Oracle assigns a /56 public IPv6 CIDR block to the virtual cloud network (VCN) for internet communication. All subnets are /64. The IPv6 CIDR block can be the same as the public CIDR, and your understanding of IPv6 here is critical. You need a plan to lay out the subnets as you would with IPv4 addressing.
Part of the subnet planning includes determining whether each subnet is public or private. Consider the security concerns of how resources with an IPv6 address communicate with the internet. You determine whether internet communication with IPv6-enabled resources is permitted or prohibited by specifying whether the subnet is public or private. If an IPv6-enabled resource is hosted in a public subnet, communication to and from the internet is permitted. If an IPv6-enabled resource is hosted in a private subnet, communication to and from the internet is prohibited. If you have a public subnet, review your security rules for IPv6.
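The addressing rules above (a /56 for the VCN, /64 subnets, each marked public or private) can be checked before anything is created. The following is an added example, not Oracle code: the function name, the plan format and the 2001:db8::/32 documentation-prefix addresses are assumptions made for illustration.

```python
import ipaddress

def validate_subnet_plan(vcn_cidr, plan):
    """Check a proposed IPv6 subnet layout for a dual-stack VCN.

    plan is a list of (name, cidr, visibility) tuples, visibility being
    "public" or "private". Returns (problems, public): problem strings, and
    the public subnets whose IPv6 security rules need review.
    """
    vcn = ipaddress.IPv6Network(vcn_cidr)
    problems, public, accepted = [], [], []
    if vcn.prefixlen != 56:
        problems.append(f"VCN block {vcn} is not a /56")
    for name, cidr, visibility in plan:
        try:
            net = ipaddress.IPv6Network(cidr)   # rejects CIDRs with host bits set
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if net.prefixlen != 64:
            problems.append(f"{name}: {net} is not a /64")
        if not net.subnet_of(vcn):
            problems.append(f"{name}: {net} is outside {vcn}")
        for other_name, other in accepted:
            if net.overlaps(other):
                problems.append(f"{name}: {net} overlaps {other_name}")
        if visibility == "public":
            public.append(name)
        elif visibility != "private":
            problems.append(f"{name}: visibility must be public or private")
        accepted.append((name, net))
    return problems, public

# Constructed plans using the 2001:db8::/32 documentation prefix.
VCN = "2001:db8:1200:ab00::/56"
GOOD_PLAN = [("web", "2001:db8:1200:ab00::/64", "public"),
             ("app", "2001:db8:1200:ab01::/64", "private"),
             ("db",  "2001:db8:1200:ab02::/64", "private")]
BAD_PLAN = [("web", "2001:db8:1200:ab00::/64", "public"),
            ("app", "2001:db8:1200:ab00::/60", "private"),   # not a /64, overlaps web
            ("db",  "2001:db8:1200:ac00::/64", "private")]   # outside the /56
```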
When you create a VCN, you want to enable IPv6. We have built the capability to enable IPv6 at creation for your network. This creates a dual-stack VCN. It allows your network to transport both IPv6 and IPv4 traffic; IPv4 isn’t going away.
If you have existing VCNs, we have you covered. You can convert your existing VCN running IPv4 into a dual-stack VCN that accommodates IPv4 and IPv6 by adding an IPv6 CIDR block. You can find this option in your VCN under the CIDR Blocks resource tab.
Assigning a new or existing instance an IPv6 address is similar to assigning a secondary IP address to an instance. The settings are within the VNIC settings. By default, you need to perform this action manually. You also need to issue a command to refresh or acquire an IPv6 address after you enable this option in the VNIC settings.
After you enable IPv6 and are routing IPv6 traffic, you need to examine the security lists. Create security lists for your IPv6 network and apply them; mirroring your IPv4 security lists is an easy way to do this.
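Mirroring is not a pure copy: an IPv4 source CIDR has no automatic IPv6 counterpart, and ICMP rules change protocol number (1 to 58) and type numbers. The following is an added example, not Oracle code, that translates what is unambiguous and returns the rest for manual review. It assumes rule dictionaries shaped like OCI IngressSecurityRule objects; the function name, the `cidr_map` parameter and all sample values are constructed for illustration.

```python
import copy
import ipaddress

# ICMPv4 (type, code) -> ICMPv6 options; only unambiguous pairs are listed.
ICMP_MAP = {(8, None): {"type": 128},            # echo request
            (0, None): {"type": 129},            # echo reply
            (3, 4): {"type": 2, "code": 0}}      # fragmentation needed -> packet too big

def mirror_ingress_rules(v4_rules, cidr_map):
    """Translate IPv4 ingress rules to IPv6, returning (mirrored, review).

    cidr_map (assumption: supplied from your own addressing plan) maps each
    IPv4 source CIDR to its IPv6 counterpart. review holds (rule, reason).
    """
    mirrored, review = [], []
    for rule in v4_rules:
        src = rule["source"]
        v6_src = "::/0" if src == "0.0.0.0/0" else cidr_map.get(src)
        if v6_src is None:
            review.append((rule, f"no IPv6 counterpart mapped for {src}"))
            continue
        new = copy.deepcopy(rule)                # never mutate the IPv4 rule
        new["source"] = str(ipaddress.IPv6Network(v6_src))
        if rule["protocol"] == "1":              # ICMPv4
            opts = rule.get("icmpOptions") or {}
            key = (opts.get("type"), opts.get("code"))
            if key not in ICMP_MAP:
                review.append((rule, f"ICMP type/code {key} has no 1:1 ICMPv6 match"))
                continue
            new["protocol"] = "58"               # ICMPv6
            new["icmpOptions"] = dict(ICMP_MAP[key])
        mirrored.append(new)
    return mirrored, review

# Constructed sample rules and mapping (documentation address ranges).
SAMPLE_V4 = [
    {"protocol": "6", "source": "0.0.0.0/0", "isStateless": False,
     "tcpOptions": {"destinationPortRange": {"min": 443, "max": 443}}},
    {"protocol": "6", "source": "10.0.0.0/16", "isStateless": False,
     "tcpOptions": {"destinationPortRange": {"min": 22, "max": 22}}},
    {"protocol": "1", "source": "0.0.0.0/0", "isStateless": False,
     "icmpOptions": {"type": 3, "code": 4}},
    {"protocol": "1", "source": "10.0.0.0/16", "isStateless": False,
     "icmpOptions": {"type": 3}},
    {"protocol": "17", "source": "192.0.2.0/24", "isStateless": False,
     "udpOptions": {"destinationPortRange": {"min": 53, "max": 53}}},
]
SAMPLE_MAP = {"10.0.0.0/16": "2001:db8:1200:ab00::/56"}
```

With the sample input, three rules are mirrored and two are returned for review: the ICMP type 3 rule without a code, and the rule whose source CIDR has no mapped IPv6 block.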
If you’re using FastConnect to connect to your on-premises environment, ensure that the FastConnect circuit has IPv6 BGP addresses and update the VCN’s routing and security rules for IPv6 traffic.
If you require IPv6 for load balancers, you need to re-create load balancers.
IPv6 address assignment occurs only at load balancer creation; you can’t assign an IPv6 address to an existing load balancer. After creation, the load balancer is assigned both IPv4 and IPv6 addresses. It receives IPv6 traffic sent to its IPv6 address but uses IPv4 addresses to communicate with backend servers.
These steps are only a beginning that lets you form your plans and meet the mandates. There’s more to come with IPv6 as Oracle adds more exciting capabilities. We encourage you to review the following resources to gain more knowledge as you formulate your plans. They discuss use case scenarios, caveats, and limitations, and help with mitigating risks.
Blog post: IPv6 on Oracle Cloud Infrastructure
Release note: IPv6 general availability
Technical documentation: Networking concepts for IPv6
Demo: IPv6 new features
If you prefer a more hands-on approach, you can create an Oracle Cloud Free Tier account or start a 30-day free trial in our commercial regions, which includes US$300 in credits to get you started with a range of services, including compute, storage, and networking. Alternatively, the Oracle Cloud Infrastructure regions dedicated to government consist of FedRAMP High federal and civilian authorized regions and IL5 Department of Defense (DoD) authorized regions. Consult your Oracle sales representative for a proof of concept in the appropriate region.