Enterprise IPv6 Migration - End of proxy.pac? Start of point-to-point? +10K users

Let's start with a diagram: Company in IPv4

We can see a "typical" IPv4 company network with:

  • An Internet access through a proxy
  • An "Other companies" access through a dedicated proxy
  • A direct access to local resources

All computers have a proxy.pac file that indicates which proxy to use or whether to connect directly. Computers have access to just a local DNS (no name resolution for google.com, for example).

By the way... the company does not respect RFC 1918 internally and uses public addresses (historical reason). The explicit use of an Internet proxy makes it possible not to have a problem with this.

What if we migrated to IPv6?


Step 1: IPv6 Internet access

Internet access in IPv6 is easy. Indeed, just connect the proxy to the Internet in IPv4 and IPv6. There is nothing to do in the internal network: Internet access IPv4 and IPv6


Step 2: IPv6 AND IPv4 in the internal network

And why not a full IPv6 network directly? Because there are always old servers that are not IPv6-compatible...

Option 1: Same architecture as in IPv4, with a proxy.pac

This is probably the easiest solution. But is this the best?

I think the transition to IPv6 is an opportunity not to bother with this proxy.pac!

Option 2: New architecture with a transparent proxy, without proxy.pac, and a recursive DNS

Oh yes!

In this new architecture, we have:

  • Explicit Internet Proxy becomes a Transparent Internet Proxy
  • Local DNS becomes a normal recursive DNS + authoritative for local domains
  • No proxy.pac
  • Explicit Company Proxy becomes a Transparent Company Proxy
  • Routing
    • Internal routers redirect the IP of appx.ext.example.com to the Company Proxy.
    • The default gateway is the Transparent Internet proxy.

Questions

  • What do you think of this IPv6 architecture?
  • This architecture will reveal the IP addresses of our internal network, but it is protected by firewalls. Is this a real big problem? Should we keep the explicit use of a proxy?
  • How would you handle this migration scenario?
  • And you, how do you do it in your company?

Thanks! Feel free to edit my post to make it better.


Solution 1:

Well, transparent proxies don't work for SSL traffic unless you deploy an alternative trusted root to each device, so you lose many security and auditing benefits there, and introduce new ones.

I would go with option 2, but using an explicit proxy, firewalling everything else off. If internal machines don't use your proxy, they don't get access to the internet. You should already have tools in place to distribute proxy configuration automatically via scripting, Windows Group Policies, DHCP, or DNS/proxy.pac.

Simpler is usually better.
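As an added illustration of what the question's Option 1 and the answer's "explicit proxy, firewall everything else" recommendation look like in practice, here is a dual-stack proxy.pac. It is example code written for this page, not a file from the question's company or from the answerer. All names and prefixes are placeholders: proxy.example.com, partnerproxy.example.com, corp.example.com, 192.0.2.0/24 and 2001:db8::/32 are documentation values, and ext.example.com is taken from the question's appx.ext.example.com. Because a PAC host normally supplies helpers such as dnsResolve() and isInNet(), the script carries its own re-implementations so it can be exercised as plain JavaScript; a deployed file would call the built-in dnsResolve(host) instead of the constructed lookup table.

```javascript
// Added example (not from the question or the answer): a dual-stack proxy.pac.
// Every name and address range below is a placeholder / documentation value.

const INTERNET_PROXY = "PROXY proxy.example.com:3128";         // assumed name
const COMPANY_PROXY  = "PROXY partnerproxy.example.com:3128";  // assumed name
// The question says the company uses public addresses internally, so the
// "direct" ranges must be the real internal prefixes, not just RFC 1918 space.
const INTERNAL_V4 = ["192.0.2.0/24"];                          // placeholder
const INTERNAL_V6 = ["2001:db8::/32"];                         // placeholder
const INTERNAL_DOMAINS = ["corp.example.com"];                 // assumed
const PARTNER_DOMAINS  = ["ext.example.com"];                  // from the question

// Constructed stand-in for the PAC built-in dnsResolve(); a deployed file
// would call dnsResolve(host) instead of consulting this table.
const CONSTRUCTED_DNS = {
  "wiki.corp.example.com": "192.0.2.10",
  "files.corp.example.com": "2001:db8:1::5",
  "www.example.net": "198.51.100.7",
};
function resolveHost(host) { return CONSTRUCTED_DNS[host] || null; }

// Same contract as the PAC built-in dnsDomainIs().
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}

// IPv4 CIDR membership, e.g. ipv4InCidr("192.0.2.10", "192.0.2.0/24") -> true
function ipv4InCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = parseInt(bitsStr, 10);
  const toInt = s => s.split(".").reduce((a, o) => ((a << 8) + parseInt(o, 10)) >>> 0, 0);
  const mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  return ((toInt(ip) & mask) >>> 0) === ((toInt(net) & mask) >>> 0);
}

// Expand an IPv6 address (with optional "::") into eight 16-bit words.
function ipv6ToWords(addr) {
  const [head, tail = ""] = addr.split("::");
  const h = head ? head.split(":") : [];
  const t = tail ? tail.split(":") : [];
  const zeros = addr.includes("::") ? 8 - h.length - t.length : 0;
  const parts = h.concat(Array(zeros).fill("0"), t);
  if (parts.length !== 8) throw new Error("bad IPv6 address: " + addr);
  return parts.map(p => parseInt(p, 16));
}

// IPv6 prefix membership, e.g. ipv6InPrefix("2001:db8:1::5", "2001:db8::/32") -> true
function ipv6InPrefix(ip, prefix) {
  const [net, bitsStr] = prefix.split("/");
  const a = ipv6ToWords(ip), b = ipv6ToWords(net);
  for (let i = 0, bits = parseInt(bitsStr, 10); i < 8 && bits > 0; i++, bits -= 16) {
    const mask = bits >= 16 ? 0xFFFF : (0xFFFF << (16 - bits)) & 0xFFFF;
    if ((a[i] & mask) !== (b[i] & mask)) return false;
  }
  return true;
}

// True when `ip` (v4 or v6 literal) lies inside one of the internal prefixes.
function isInternalAddress(ip) {
  if (ip.includes(":")) return INTERNAL_V6.some(p => ipv6InPrefix(ip, p));
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return INTERNAL_V4.some(c => ipv4InCidr(ip, c));
  return false;
}

// Standard PAC entry point. `resolved` is an extra optional argument used only
// to inject a resolved address for offline testing; browsers pass two arguments.
function FindProxyForURL(url, host, resolved) {
  host = host.replace(/^\[|\]$/g, "").toLowerCase();   // "[2001:db8::1]" -> "2001:db8::1"

  // 1. Partner ("other companies") services go through the company proxy;
  //    checked first because ext.example.com could sit under a broader domain.
  if (PARTNER_DOMAINS.some(d => dnsDomainIs(host, d))) return COMPANY_PROXY;

  // 2. Unqualified names and known internal domains are local resources.
  if (!host.includes(".") && !host.includes(":")) return "DIRECT";
  if (INTERNAL_DOMAINS.some(d => dnsDomainIs(host, d))) return "DIRECT";

  // 3. Address literals or resolved addresses inside the internal prefixes are local.
  if (isInternalAddress(host)) return "DIRECT";
  const ip = resolved || resolveHost(host);
  if (ip && isInternalAddress(ip)) return "DIRECT";

  // 4. Everything else is the Internet and must use the explicit proxy. There is
  //    deliberately no "; DIRECT" fallback: with the firewall blocking direct
  //    egress, a proxy outage fails closed instead of bypassing the proxy.
  return INTERNET_PROXY;
}
```

The order of the rules is the part worth thinking about: the partner check comes before the internal-domain check so that a partner zone nested under the company's own domain is still routed to the dedicated proxy, and the internal-prefix checks are explicit CIDR lists rather than "is it RFC 1918" precisely because the question's network uses public addresses internally. Resolving a name from inside the PAC also means the client needs the recursive DNS the question proposes; with the old local-only DNS, external names simply fail to resolve and fall through to the Internet proxy, which is the intended behaviour.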