IPv6 deployment experiences in European academic networks
Tim Chown
University of Southampton, UK
IPv6 Task Force Steering Committee
tjc@ecs.soton.ac.uk
21st NORDUnet Conference, 24th August 2003

European IPv6 initiatives
• Academic and research networks:
  • GÉANT, most NRENs
  • Good progress on backbone networks
• EC IST Research projects
  • 6NET, Euro6IX, IPv6 Cluster (www.ist-ipv6.org)
• IPv6 Task Forces
  • At the European and National levels
• Commercial ISPs
  • Light activity, very few IPv6 access providers

EC IPv6 Task Force
• Initially formed in mid-2001
• Produced recommendations for IPv6 adoption for European Council in early 2002
  • Adoption of IPv6 and broadband
• Phase 2 Task Force currently underway
  • Following up initial recommendations
  • Studying various barriers to IPv6 deployment
  • Includes IPv6 in academic/research networks
  • Assisting with formation of National Task Forces
  • Producing various white papers/position papers
• See www.ipv6tf.org

GÉANT, 6NET and IPv6
• European NRENs are interconnected by GÉANT, offering a production IPv4 backbone service
  • Up to 10Gbit/s links, using Juniper routers
  • Includes a number of international links, e.g. to Abilene
  • Introducing an IPv6 service during 2003
• 15 NRENs are members of the 6NET project
  • An experimental IPv6 research network, using Cisco routers
• Both networks are funded in part by the EC
• 6NET results and groundwork have accelerated GÉANT IPv6 deployment significantly

IPv6 in the NRENs
• Options to carry IPv6 on NREN networks include:
  • Dual-stack networking
  • IPv6 in IPv4 tunnels
  • Parallel IPv6 network
  • IPv6 over MPLS (where MPLS already exists)
  • IPv6 over ATM (but ATM is now rare)
• NRENs also need IPv6 address allocations
  • Most NRENs have a production /32 prefix from RIPE NCC
  • e.g. JANET is 2001:630::/32
  • Allows at least a /48 prefix per university

Abilene dual-stack
• The US Abilene research network has migrated to dual-stack, running both IPv4 and IPv6 protocols
  • Initially using Cisco (August 2002)
  • Now using Juniper routers (since October 2002)
  • Running at up to 10Gbit/s
• IPv6 forwarding tested to over 8Gbit/s using Spirent test equipment across 5 Abilene routers in late 2002.

GÉANT dual-stack
• GÉANT has deployed dual-stack since Q1 2003
  • Uses Juniper router platforms similar to Abilene
  • See http://www.join.uni-muenster.de/geantv6/
  • Routing policies being established - e.g. 6bone prefixes will not be carried after Q4 2003
  • Official GÉANT IPv6 launch event in January 2004
• Many NRENs have already migrated to dual-stack on their production networks
  • First were SURFnet, Funet and Renater
  • Generally using Cisco or Juniper
  • Routers carry both IPv4 and IPv6 routing tables
  • NRENs are connecting to GÉANT natively with IPv6

Need production quality IPv6
• Requires performance, plus routing policies
  • Must fly at least as well as IPv4
• Dual-stack performance:
  • Requires vendor implementation to have fast (hardware-based) IPv6 forwarding, and to support the required IPv6 enabled routing protocols (BGP4+, IS-IS, etc)
  • Deploying IPv6 should not adversely affect IPv4
• Implementations improving via academic deployment
  • Abilene/6NET networks in 2002, GÉANT in 2003
  • Assisted by the Internet 2 IPv6 Land Speed Record initiative
• Routing policies are an issue between networks

IPv6 Land Speed Record
• Promoted by Internet2 community
  • http://lsr.internet2.edu/
  • Facilitates demonstration of IPv6 performance
• Record set in 2002 on GÉANT backbone and US link
  • Ran on IPv4 production Juniper M20, M40, M160 routers
  • Static IPv6 routes used
  • Primary NREN sites RedIRIS and ARNES
  • Result as good as IPv4 record at the time (5,154Tbitm/s)
  • Added confidence for dual-stack on GÉANT in 2003
• LSR beaten again in 2003 by CERN and Caltech
• Who will set the new record? An open challenge!

Rise and fall of the 6bone
• The 6bone network has evolved over 7 years
  • See http://www.6bone.net/
  • It works, sometimes, but it is not reliable
  • People now demand a stable network for day-to-day use
• The 6bone has become a Gordian knot of tunnels
  • Many 6bone ISPs “hobbyist” - collecting peerings for “fun”
  • They mistake a peering for a means of direct collaboration
  • But lack of reliability leads to more tunnelled peerings…
• IPv6 ISPs should seek tighter peering agreements
  • Apply policies, include community tags in BGP peerings

IPv6 for day-to-day use
• Need a predictable IPv6 network in place
  • Performance is good, and is improving
  • Academic networks paving way for commercial ISPs
• Routing is really a policy issue
  • Academic/research networks working together
  • e.g. native link between Abilene and GÉANT
  • Policies being revised through experience
  • 6bone prefixes beginning to be filtered (blocked)
• Monitoring of routing is important
  • e.g. using RIPE NCC IPv6 Test Traffic systems

NREN next steps…
• The key now is to bring universities online
  • Transition strategies and cookbooks for NRENs
  • But note that users want applications, not IP versions
  • And that there is no mandate for universities to deploy
  • But no commercial case is required by them either
  • Early interest probably in Computer Science departments
• Universities are the best place to get IPv6 in the hands of innovative developers and researchers
  • To generate the next wave of innovative IPv6 applications
• Build and encourage national communities
  • Avoid fragmenting the IPv6 user base

Site deployments
• A few universities already running IPv6 services
  • Almost all those doing so are using dual-stack
  • Can, for example, carry IPv6 traffic in existing IPv4 VLANs
  • Relatively easy to enable IPv6 on links
  • Harder to enable dual-stack services
• A small number of IPv6-only networks
  • Still rather experimental at this time
• See 6NET deliverables:
  • http://www.6net.org/publications, for “cookbook” texts
  • D2.3.1 describes Tromso IPv6-only wireless IPv6 network
  • These will be updated during 6NET’s lifetime

Connecting isolated users
• Staff or students wish to gain IPv6 connectivity
  • At home, in student halls or shared accommodation
  • Visiting other networks (conferences, etc)
  • IPv6 provision is then outside of university’s control
• Common options
  • Manual tunnel to university network
    • Requires cooperation at the university end
  • Tunnel broker service to university or other network
    • Can be automated, and may also be authenticated
  • Use of 6to4
    • Requires a 6to4 relay, then automatic for the user

Connectivity issues
• May need to overcome IPv4 NATs
  • Can use a tunnel broker if a global IPv4 address is available
  • May need to also do Protocol 41 forwarding in the NAT box
• May need firewall changes
  • Enable Protocol 41 (to allow the IPv6-in-IPv4 tunnel)
  • Potentially a security risk if this creates a back door…
• Should methods be manual or automatic?
• Need to consider routing efficiency
  • Do not want to use a Canadian tunnel broker while in the UK
• May have other security concerns, e.g. 6to4 relays

Preferences for IPv6
• Preference in application for IPv4 or IPv6 addresses
  • Many applications will try to use IPv6 in preference to IPv4 where an AAAA record is returned
  • A well-intended way to “encourage” IPv6 use
• But DNS is not a reliable indicator of connectivity
  • Application may fall back to IPv4 only after a delay
  • Or may not fall back to IPv4 at all
• Application developers should consider dual-stack operation modes and combinations carefully
• Currently seeing proxies as a commonly used tool

New implications of IPv6
• Use of IPv6 site local addresses (fec0::/10)
  • Currently being deprecated by the IETF
  • General problem of address ambiguity and leakage
  • Some concerns on potential use of IPv6 NAT
• Use of the IPv6 Flow Label
  • Current definition is “open” in nature
  • No agreed usage for these 20 bits of IPv6 header yet
• Use of RFC3041 privacy extensions
  • Designed to avoid user tracking
  • Causes problems, e.g. for authentication by IP
  • Need to be able to control use per application

IPv6 applications
• 6NET is working on many applications
• List is available online:
  • Includes descriptions and IPv6 notes for each application
  • http://6net.laares.info/
• Also a fuller database of applications and patches:
  • Can be searched by name or keyword, e.g. “perl”:
  • http://6net.iif.hu/ipv6_apps/
• Key focus is to ensure that porting effort feeds back into the main development efforts
  • Else we keep repeating the patching effort…

IPv6 code porting
• IPv6 API available in C and Java
  • Java Development Kit 1.4.1
  • Currently for Linux and Solaris
  • JDK 1.5 should enable IPv6 Java on Windows platforms
• Wireless PDAs an exciting platform for IPv6 applications
• Best practice in porting being established:
  • Making code IP (AF) independent
• Documents:
  • LONG: http://long.ccaba.upc.es/
  • KAME: http://www.kame.net/newsletter/19980604/

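
The fallback problem from the "Preferences for IPv6" slide and the AF-independent style recommended on this one, as an added example (not code from the talk or from the LONG/KAME documents). connect_any and try_one are hypothetical helpers and the 2000 ms wait is an assumption: the code resolves with getaddrinfo() and tries each returned address with a bounded wait, so an AAAA record without working IPv6 connectivity delays the IPv4 attempt by at most the timeout.

```c
#define _POSIX_C_SOURCE 200112L
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Try one resolved address, waiting at most timeout_ms, so an AAAA record
 * without a working IPv6 path cannot stall the caller. */
static int try_one(const struct addrinfo *ai, int timeout_ms)
{
    int err = 0, fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
    socklen_t elen = sizeof err;
    struct pollfd p = { .fd = fd, .events = POLLOUT };
    if (fd < 0) return -1;                  /* family unsupported on this host */
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);
    if (connect(fd, ai->ai_addr, ai->ai_addrlen) == 0) return fd;
    if (errno == EINPROGRESS && poll(&p, 1, timeout_ms) == 1 &&
        getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &elen) == 0 && err == 0)
        return fd;
    close(fd);
    return -1;
}

/* AF-independent connect: the caller never names AF_INET or AF_INET6.
 * Returns a connected, non-blocking socket (family in *family), or -1. */
int connect_any(const char *host, const char *port, int timeout_ms, int *family)
{
    struct addrinfo hints = { .ai_family = AF_UNSPEC,    /* A and AAAA results */
                              .ai_socktype = SOCK_STREAM }, *res, *ai;
    int fd = -1;
    if (getaddrinfo(host, port, &hints, &res) != 0) return -1;
    for (ai = res; ai != NULL && fd < 0; ai = ai->ai_next)
        if ((fd = try_one(ai, timeout_ms)) >= 0) *family = ai->ai_family;
    freeaddrinfo(res);
    return fd;
}

int main(int argc, char **argv)
{
    int family = 0, fd;
    if (argc != 3) { fprintf(stderr, "usage: %s host port\n", argv[0]); return 2; }
    fd = connect_any(argv[1], argv[2], 2000, &family);   /* assumed 2 s limit */
    puts(fd < 0 ? "all addresses failed" : family == AF_INET6 ? "IPv6" : "IPv4");
    if (fd >= 0) close(fd);
    return fd < 0;
}
```
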
Security issues
• Implementation and use of IPv6 IPSec
  • Support “mandated” in “full IPv6 implementation”
• IPv6 Firewalls
  • Commercial, basic systems beginning to appear
  • Handling end to end encrypted traffic
  • Handling extension header chains, unknown options
• Port scanning is harder to do in IPv6
• Security of transition methods
  • Have two protocols to handle, not one
  • Specific transition issues, e.g. open 6to4 relays

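
What "handling extension header chains" asks of a filter, as an added example (not code from the talk or from any firewall product): a bounds-checked walk from the fixed IPv6 header to the upper-layer protocol, failing closed on truncated, over-long or unrecognised chains. upper_layer_proto, build_chain, the error codes and the limit of 8 headers are assumptions of this example, and the sample packets are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { EH_MALFORMED = -1, EH_TOO_MANY = -2, EH_UNKNOWN = -3 };
#define MAX_EXT_HEADERS 8          /* policy limit assumed for this example */
static uint8_t demo_pkt[256];      /* scratch buffer for constructed samples */

/* Return the upper-layer protocol the chain ends in, or a negative code.
 * Every read is checked against len before it happens. */
int upper_layer_proto(const uint8_t *pkt, size_t len)
{
    if (len < 40 || (pkt[0] >> 4) != 6) return EH_MALFORMED;
    uint8_t next = pkt[6];         /* Next Header field of the fixed header */
    size_t off = 40, hlen = 8;     /* the fixed header is always 40 bytes */
    for (int n = 0; ; n++) {
        switch (next) {
        case 6: case 17: case 50: case 58: case 59: return next; /* TCP UDP ESP ICMPv6 none */
        case 0: case 43: case 60: case 51:  /* hop-by-hop, routing, dest. opts, AH */
            if (off + 2 > len) return EH_MALFORMED;
            hlen = next == 51 ? (pkt[off + 1] + 2u) * 4 : (pkt[off + 1] + 1u) * 8;
            break;
        case 44: hlen = 8; break;           /* fragment header is always 8 bytes */
        default: return EH_UNKNOWN;         /* unrecognised header: policy decides */
        }
        if (n >= MAX_EXT_HEADERS) return EH_TOO_MANY;
        if (off + hlen > len) return EH_MALFORMED;
        next = pkt[off];           /* Next Header of this extension header */
        off += hlen;
    }
}

/* Constructed sample: fixed header, `count` empty destination-options
 * headers (zero bytes are Pad1 options), ending in protocol `upper`. */
size_t build_chain(uint8_t *buf, int count, uint8_t upper)
{
    memset(buf, 0, 40 + 8 * (size_t)count);
    buf[0] = 0x60;                                   /* version 6 */
    buf[6] = count ? 60 : upper;
    for (int i = 0; i < count; i++)
        buf[40 + 8 * i] = (i + 1 < count) ? 60 : upper;
    return 40 + 8 * (size_t)count;
}

int main(void)
{
    printf("2 headers: %d\n", upper_layer_proto(demo_pkt, build_chain(demo_pkt, 2, 6)));
    printf("9 headers: %d\n", upper_layer_proto(demo_pkt, build_chain(demo_pkt, 9, 6)));
    return 0;
}
```
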
IPv6 multihoming
• Being discussed in the IETF Multi6 WG
  • Progress slow to date
• Classic method is multi-addressing
  • Acquire IPv6 global address from each provider
  • Select src/dst addresses to use for each connection
  • Can be problematic, e.g. for upstream ingress filters
• Related to provider independence:
  • No PI address space for IPv6
  • Cannot advertise all /48 site prefixes to the DFZ
• Long-term view may be a locator-identifier split
  • A single identifier, one or more locators

Monitoring on 6NET
• 6NET weather map:
  • http://netmon.grnet.gr/6net.html
  • Relies on IPv6-only property for SNMP gathering
  • Shows average flows, with MRTG plots
  • Working on IPv6 Netflow with Cisco
• RIPE NCC Test Traffic server
  • http://www.ripe.net/ttm/index.html
  • 70+ servers deployed, 18 now IPv6-enabled
  • All new servers shipped have IPv6 support
  • Shows delays, packet loss between servers
  • Includes historical traceroute records between servers

Advances since last year
• GÉANT and NRENs have deployed dual-stack IPv6
  • We have native connectivity to Abilene
  • Enables predictable use of IPv6 for day-to-day tasks
• The 6bone is being phased out
  • And 3ffe::/16 prefixes will be filtered on GÉANT
• Implementations hardening for deployment
• Microsoft distributed an IPv6 p2p application
  • ThreeDegrees
• Key IETF standards (eventually) finished:
  • MIPv6, DHCPv6

Closing comments
• Implications of IPv6 becoming better understood
  • Updating services such as IPv6 multicast
  • Network management and monitoring, running an IPv6 NOC
  • New IPv6 features - e.g. IPv6 Privacy Extensions
• Focus now is on applications and end users
  • Generating traffic, stimulating adoption
  • Enhancing existing areas with IPv6, e.g. Grid computing
  • Enabling staff/students to innovate in “6Wifi” environments
• 6NET has 16 months left to document best practice
  • Various “cookbooks” at http://www.6net.org/

Related Links
• IPv6 Task Forces
  • http://www.ipv6tf.org/
• 6NET Project Web site
  • http://www.6net.org/
• GÉANT
  • http://www.dante.net/geant/
• The EC IST IPv6 Cluster web site
  • http://www.ist-ipv6.org/
• IPv6 Forum
  • http://www.ipv6forum.org/