DREN IPv6 Implementation Update
Joint Techs Workshop
Feb 2006
Albuquerque, NM

Ron Broersma
DREN Chief Engineer
High Performance Computing Modernization Program
ron@hpcmo.hpc.mil

DREN IPv6 Update

Previously…
• DREN …
  • is DoD’s network for the RDT&E community
  • also serves as the DoD IPv6 “pilot” network
  • operates 2 IPv6 wide area networks (testbed, production)
• IPv6 approach
  • Push “I believe” button and see what works.
  • Do it in a production environment.
  • Researchers & developers need it now, even if others don’t.

DREN IPv6 Pilot Status

Report on some current efforts
• Performance
• Security
• IPv6 Multicast

Performance
• Monitoring TCP performance between some high-end sites.
  • Using nuttcp, 9K MTU, Linux 2.4.26-web100 kernel
• Observations
  • RTT nearly identical between v4 and v6
  • TCP jumbo between ARL and ASC fails.
  • One or more paths demonstrated near line rate performance for both v4 and v6
  • In some cases, v4 appeared more robust. Reasons unknown.
• See http://www.wcisd.hpc.mil/~phil/ipv6

Performance, cont’d

The above graphs show TCP throughput second by second for the 20-second tests for IPv4 and IPv6. Colors may not be the same between the windows because some IPv6 tests are missing (due to filter problems). The first second or two are usually TCP slow start followed by equilibrium. The 1 Gbps and OC12 line rate tests stand out. Also clear from these graphs is the greater stability or robustness of IPv4 over IPv6 on some paths. The reason(s) for this are TBD. It could be from the Linux IPv6 implementation, or from hardware along the path.

Security
• Independent security review contracted to SAIC
• Final draft due this week.
• Summary:
  • protocol is no less secure than v4
  • mobility is scary
  • multicast is still spoofable
  • ND – spoofable, but no exploits found yet
  • Windows – ack’s things twice in all v6 TCP streams???
  • router renumbering – can spoof – possible DoS
  • landv6 attack works, but doesn’t crash machine

S/DREN
• Secret/DREN (S/DREN)
  • A small overlay of the DREN network.
  • Classified computers behind hardware encryptors.
• Designed, equipment in hand, beginning implementation.
• Addressing challenges.
  • Current hardware encryptors are not IPv6 capable.
  • Add tunnel broker.
• Early real world testing of next generation IPv6 capable hardware encryptors.

IPv6 multicast
• Focus: get DREN backbones fully IPv6-multicast enabled.
• Status (work in progress)
  • Testbed – fully operational
    • PIMv2, MLDv2, SSM, ASM, static RP, Embedded-RP
    • Peering with m6bone
  • Production – operational
    • routers all upgraded to JunOS 7.2
    • PIMv2, MLDv2, SSM, ASM, some Embedded-RP
  • Beacon – operational (dbeacon)
    • ASM and SSM, using Embedded-RP group address
• Test environment
  • Linux 2.6.11, Linux 2.4, Solaris 10
  • Cisco (testbed), Juniper (DREN production), Juniper (site), Foundry BI (site)
  • simulating cross-domain interaction

[Figure: Test Environment (beacon). Labels: Testbed, SSCSD, Cisco, m6bone, Juniper, sdp.sandiego, Production, sdp, Site, Foundry, Linux, Solaris]

IPv6 Multicast
• Some Issues
  • Foundry – no MLDv2, but coming soon.
  • Juniper – MLDv2 implementation fundamentally incompatible with modern Linux implementations.
    • A fix is “not yet on the product roadmap”
  • no MLDv2 in WinXP, broken in old Linux, Solaris.
• Working on…
  • IP ViPr implementation
  • Pressuring the vendors to implement needed features

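The beacon described above uses an Embedded-RP group address. As an added example (not part of the presentation), the following Python shows how the RP address is recovered from such a group per RFC 3956 and checked against an allow-list before it is trusted. The function names and the 2001:db8:: sample addresses are constructed for illustration.

```python
import ipaddress

MASK64 = (1 << 64) - 1


def embedded_rp(group: str) -> ipaddress.IPv6Address:
    """Derive the RP address carried in an RFC 3956 Embedded-RP group address."""
    g = int(ipaddress.IPv6Address(group))
    if g >> 120 != 0xFF:
        raise ValueError("not an IPv6 multicast address")
    flags = (g >> 116) & 0xF
    if (flags & 0x7) != 0x7:          # R, P and T must all be set (ff70::/12)
        raise ValueError("R/P/T flags not all set: no embedded RP")
    riid = (g >> 104) & 0xF           # 4-bit RP interface ID
    plen = (g >> 96) & 0xFF           # significant bits of the network prefix
    if riid == 0:                     # would collide with subnet-router anycast
        raise ValueError("RIID 0 must not be used")
    if plen == 0 or plen > 64:
        raise ValueError("plen must be in 1..64")
    prefix = (g >> 32) & MASK64       # 64-bit network prefix field
    prefix &= MASK64 ^ ((1 << (64 - plen)) - 1)   # keep only the first plen bits
    # RP = first plen bits of the prefix, zero fill, RIID in the last 4 bits.
    return ipaddress.IPv6Address((prefix << 64) | riid)


def rp_is_allowed(group: str, allowed_prefixes) -> bool:
    """True only if the group embeds a valid RP inside an allowed prefix.

    Hypothetical policy helper: a group address arrives in MLD reports and
    PIM joins, so the RP it names is sender-chosen until it is checked.
    """
    try:
        rp = embedded_rp(group)
    except ValueError:
        return False
    return any(rp in ipaddress.ip_network(p) for p in allowed_prefixes)


if __name__ == "__main__":
    # Constructed sample groups; 2001:db8::/32 is the documentation prefix.
    allowed = ["2001:db8:beef::/48"]
    for grp in ("ff7e:140:2001:db8:beef:feed:0:1234",   # RP inside allow-list
                "ff7e:140:2001:db8:bad:1:0:1234",       # RP outside allow-list
                "ff3e::1234"):                          # no R flag: not Embedded-RP
        print(grp, "->", rp_is_allowed(grp, allowed))
```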
Backup

DREN “production” network

DRENv6 “testbed” Logical Topology

[Figure: logical topology diagram of the DRENv6 testbed. Legend: IXP, core router, tunnel, ATM PVC (OC-3), ISP or BGP neighbor, “site”]

DREN IPv6 transition architecture – FY04

[Figure: transition architecture diagram. Annotations:]
• To 6bone, Abilene, and other IPv6 enabled ISPs
• IPv6 demonstrations (Moonv6)
• links run native IPv6 where possible, otherwise tunnelled in IPv4
• DRENv6 (Testbed): Native IPv6 backbone
• DREN2 (Production / Pilot): Dual stack IPv4 and IPv6 wide area infrastructure
• Goal: As secure as the IPv4 backbone
• Type “A” (IP) production service to DREN sites
• IPv4 and IPv6 provided over the same interface
• Diagram labels: ARL-APG, SSCSD, ERDC; Testbed at DREN site; NIDSv6; v6 ACL; sdp.erdc, sdp.sandiego, sdp.arlapg