120 likes | 141 Views
DREN IPv6 Implementation Update. Joint Techs Workshop July 2005 Vancouver, BC, Canada. Ron Broersma DREN Chief Engineer High Performance Computing Modernization Program ron@spawar.navy.mil. Introduction. DREN is DoD’s network serving the RDT&E community
E N D
DREN IPv6 Implementation Update Joint Techs Workshop July 2005 Vancouver, BC, Canada Ron Broersma DREN Chief Engineer High Performance Computing Modernization Program ron@spawar.navy.mil DREN IPv6 Update
Introduction • DREN is DoD’s network serving the RDT&E community • It serves as the DoD IPv6 “pilot” network. • DREN operates 2 IPv6 wide area networks • Testbed • Dedicated Cisco routers • ATM PVC mesh • Production • Dual stack production backbone • Juniper routers DREN IPv6 Update
DREN “production” network DREN IPv6 Update
DRENv6 “testbed”Logical Topology Cisco AIX-v6 C&W Global Crossing 6TAP Abilene FIX-West Hurricane Electric Abilene LAVAnet TIC WPAFB Dayton NTTCom Verio ARL JITC HP Aberdeen Tunnel broker WCISD San Diego SD-NAP SDSC AOL SSC San Diego Wash D.C. SPRINT HICv6 (Hawaii) NRL Vicksburg Albuquerque SSC Charleston SSAPAC ERDC AFRL Kirtland AFB Stennis vBNS+ ATM PVC (OC-3) NAVO IXP Core Router tunnel DREN IPv6 Update ISP or BGP Neighbor “site”
DREN IPv6 transition architecture – FY04 To 6bone, Abilene, and other IPv6 enabled ISPs IPv6 demonstrations (Moonv6) links run native IPv6 where possible, otherwise tunnelled in IPv4 DRENv6 (Testbed) Native IPv6 backbone ARL-APG SSCSD ERDC Testbed at DREN site Testbed at DREN site NIDSv6 NIDSv6 v6 ACL v6 ACL NIDSv6 v6 ACL sdp.erdc DREN2 (Production / Pilot) sdp.sandiego sdp.arlapg Dual stack IPv4 and IPv6 wide area infrastructure sdp sdp sdp Goal: As secure as the IPv4 backbone Type “A” (IP) production service to DREN sites IPv4 and IPv6 provided over the same interface DREN IPv6 Update
DREN IPv6 philosophy • Push the “I believe” button, and turn on IPv6 everywhere to see what works (and what doesn’t) • Do it in a production environment • can get away with this in an R&D environment, but not on operational networks. • Go native. (no tunnels) • Even if the world doesn’t convert for years, R&D environments need it now. • Figure out how to deploy IPv6 to the rest of DoD in the future. DREN IPv6 Update
Report on some current efforts • Security • IPv6 Multicast • DHCPv6/DNS DREN IPv6 Update
Security • Reported previously • many security features missing in implementations • IPsec, ACLs, etc • many security products don’t do IPv6 • firewalls, IDS, scanners, etc. • Update • snort-2.3.3 upgraded to IPv6 by DREN • in production as part of DREN’s IDS • giving up on Juniper IPv6 port-mirroring • installing Foundry switches at exchanges • independent security review contracted to SAIC • report due Oct ‘05 DREN IPv6 Update
Independent Security Review • Reviewing… • protocol • stack maturity • tool maturity • Analyzing… • v6 versions of all v4 attacks • packets emitted on boot, as well as other traffic and interactions • how things behave with strange packets • So far… • protocol is no less secure than v4 • mobility is scary • multicast is still spoofable • ND – spoofable, but no exploits found yet • Windows – ack’s things twice in all v6 TCP streams??? • router renumbering – can spoof – possible DoS • landv6 attack works, but doesn’t crash machine • Good stuff… • ethereal – excellent v6 parsing • scapy – great packet hacking tool, supports v6 DREN IPv6 Update
Linux Testbed SSCSD Cisco Juniper sdp.sandiego Production sdp Juniper Site Juniper, Foundry Linux Solaris Linux IPv6 multicast • Focus: get DREN backbones fully ipv6-multicast enabled. • Status (work in progress) • Testbed – fully operational • PIMv2, MLDv2, SSM, ASM, static RP, embedded-rp • Production – operational • routers all upgraded to JunOS 7.2 • PIMv2, MLDv2, SSM, ASM, some embedded-rp • Beacon – operational (dbeacon) • ASM and SSM, using embedded-rp group address • Test environment • Linux 2.6.11, Linux 2.4, Solaris 10 • Cisco (testbed), Juniper (DREN production), Juniper (site), Foundry BI (site) • simulating cross-domain interaction Test Environment (beacon) DREN IPv6 Update
IPv6 Multicast • Learned: • lots of good work already done by folks at m6bone • ssmping – great test/debug tool • server (source) doesn’t need MLDv2, only receivers • dbeacon – new beacon software • notion of multicast/PIM domains blurred or gone. • use embedded-rp for cross-domain ASM • embedded-rp works great • Cisco – enabled by default • Juniper – disabled by default (surprise) • needs to be enabled on all routers between the RP and potential receivers. • Some Issues • Foundry – no MLDv2 yet • no MLDv2 in WinXP, broken in old Linux, Solaris. • ToDo: • test beyond DREN (Abilene? m6bone?) DREN IPv6 Update
DHCPv6/DNS • Goal – implement a dhcpv6 environment, similar to how some sites use it in v4. • common practice: DHCP (v4) assigns addresses, and performs dns-update for A and PTR records. DNS master only has to trust DHCP server, not every client. • Challenge: finding mature and complete DHCP implementation • Testing, status • ISC (popular dhcp reference implementation) • IPv4 only • dhcpv6-linux • incomplete • last version 2 years ago • dhcpv6 (sourceforge) • incomplete, but works – no dns-update • included in Fedora Core 3 and Red Hat 4 • Lucent • tested, and appears to work. Haven’t tested dns-update (awaiting more software). • No documentation • Issues: • no dhcp client in WinXP • uncertainty and debate on interactions between stateless and stateful (DHCP) autoconfig. • M/O bits debate • how useful is DHCPv6, if only use might be to get DNS servers and domain? DREN IPv6 Update