DREN IPv6 Implementation Update
Joint Techs Workshop, Feb 2005, Salt Lake City, UT
Ron Broersma, DREN Chief Engineer, High Performance Computing Modernization Program
ron@spawar.navy.mil
DREN IPv6 Update
Context
• Historical
  • 2001 – DREN IPv6 testbed
    • Wide area
    • Dedicated hardware – 10 “core” nodes
    • Native IPv6 over partial ATM mesh
  • 2003 – DoD and IPv6
    • DoD CIO issues memorandum to transition by 2008
    • DREN chosen as the DoD “pilot implementation”
  • 2003/2004 – DoD “pilot” on DREN production network
    • dual stack, native, running on production DREN network
  • 2004/2005 – additional efforts
    • site deployment, multicast, DHCP/DNS, mobility
• Within DoD…
  • Each of the services (Army, Navy, Air Force) is developing its own transition plan for the “operational networks”.
  • Most will not begin implementation for a year or more
  • Most will not be complete until after 2008
• DREN is DoD’s “research network”, and is transitioning now.
  • Chartered to support the DoD HPC community and other R&D organizations.
DREN Today
• 10 “core nodes” on OC-192 backbone (CONUS), with OC-12 extensions to Hawaii and Alaska.
• About 100 sites (“Service Delivery Points”), connected at DS-3 to OC-48 rates.
• IPv4 unicast and multicast, IPv6 unicast, and ATM services now.
• Dual IPv6 networks (“testbed” and “production”)
• “jumbo-clean” (i.e. 9K MTU everywhere)
• Multiple security levels.
  • Both unclassified and classified networks
DREN “production” network
[Network map; no text recovered from the figure.]
DRENv6 “testbed” Logical Topology
[Topology diagram. Legend: IXP, Core Router, tunnel, ATM PVC (OC-3), ISP or BGP Neighbor, “site”. Labels appearing in the figure: Cisco, AIX-v6, C&W, Global Crossing, 6TAP, Abilene, FIX-West, Hurricane Electric, LAVAnet, TIC, WPAFB Dayton, NTTCom, Verio, ARL, JITC, HP Aberdeen, Tunnel broker, WCISD San Diego, SD-NAP, SDSC, AOL, SSC San Diego, Wash D.C., SPRINT, HICv6 (Hawaii), NRL, Vicksburg, Albuquerque, SSC Charleston, SSAPAC, ERDC, AFRL Kirtland AFB, Stennis, vBNS+, NAVO.]
DREN IPv6 philosophy
• Push the “I believe” button, and turn on IPv6 everywhere to see what works (and what doesn’t)
• Do it in a production environment
  • can get away with this in an R&D environment, but not on operational networks.
• Go native. (no tunnels)
• Even if the world doesn’t convert for years, R&D environments need it now.
• Figure out how to deploy IPv6 to the rest of DoD in the future.
2003/2004 DREN IPv6 Initiative
• DoD IPv6 Pilot network
• Goals for 2004
  • IPv6 enabled DREN infrastructure (all Service Delivery Points, the Wide Area Network, the NOC). – Done
  • Facilitate IPv6 deployment into infrastructure at HPC user sites and DREN user sites. – Done
  • IPv6 enabled HPCMPO, HPCMP funded assets and services, HPCMP user community support applications, selected user application candidates. – Partial completion
  • Performance and Security as good as existing IPv4 service. – Done
  • Provide product feedback, lessons learned, published via web. – Done
Some things we learned
• Many security components are missing.
• 1 + 1 > 2
  • managing 2 IP networks (IPv4, IPv6) can be more than double the complexity due to new interactions. Making topologies congruent can minimize this effect.
• Site deployment – little priority for IPv6
• Lack of applications support
Lack of Security Features (Examples)
• Router Access Control Lists (ACLs)
  • Juniper doesn’t support “tcp established”
• Vulnerability Assessment (Scanners)
  • ISS doesn’t support IPv6 and has no published plans to do so.
  • NESSUS doesn’t support IPv6 (yet)
• Intrusion Detection Systems
  • If we want IPv6 support, we have to add it ourselves.
  • Juniper port mirroring doesn’t support IPv6
• IPSEC
  • Missing in most IPv6 implementations
  • Juniper ASPIC doesn’t support IPv6 (until much later)
• Firewalls
  • Until recently, no production quality IPv6 support
  • Netscreen (Juniper):
    • no OSPFv3, only RIP
    • IPv6 support only available in certain products
It is crucial that IPv6 products have equivalent functionality to the IPv4 world
DoD Security Model
• “Defense in Depth”
  • Protections at multiple levels
• Problem: How to securely deploy IPv6 in DoD without these components.
[Diagram of the layered path from LAN to Internet: Scanners, LAN, Firewall, IDS, ACL, WAN, ACL, IDS, Internet.]
Overcoming the security issue (workaround)
• Use DRENv6 testbed for transit to Internet
  • use to peer with rest of IPv6-enabled Internet and other testbeds
  • continue to operate as an “untrusted” IPv6 network
• Enable IPv6 on new DREN2 (MCI) production network.
  • Dual stack everywhere.
• Establish trusted gateways between v6 enabled DREN2 and the DRENv6 testbed
  • Upgrade HPC Network Intrusion Detection Systems (NIDS) to be v6-compliant, monitored by the HPC Computer Emergency Response Team (CERT), and install at the trusted gateways.
  • Install v6 version of standard DREN v4 Access Control Lists (ACLs) to protect pilot network to same level as IPv4 production network.
• DREN customers receive “safe” native IPv6 service via existing service delivery point (SDP), in parallel with IPv4 service.
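The “tcp established” match missing from Juniper’s IPv6 filters (Lack of Security Features slide) is what lets a stateless edge ACL admit replies to sessions the inside opened while refusing unsolicited connections, so porting the standard DREN v4 ACLs to v6 as described on this slide runs straight into that gap. The following Python example is added here and is not part of the presentation or of DREN’s configuration: the policy, addresses and packets are constructed for illustration. It models a first-match ACL with an established option and shows how the same three-line policy evaluates the same two inbound packets in each family when the IPv6 side cannot express the keyword.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Union

# TCP flag bits as they sit in the TCP header (constructed packets below set them directly)
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Packet:
    """Minimal view of one inbound packet: addresses, protocol, destination port, TCP flags."""
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    flags: int = 0             # TCP flag bits; ignored for non-TCP


@dataclass
class Rule:
    """One stateless ACL entry. 'established' is the classic IPv4 keyword: match only TCP
    segments with ACK or RST set, i.e. replies to sessions the inside already opened."""
    action: str                # "permit" or "deny"
    proto: str                 # "tcp", "udp", "icmp" or "any"
    src: str
    dst: str
    dport: Optional[int] = None
    established: bool = False
    src_net: Network = field(init=False, repr=False)
    dst_net: Network = field(init=False, repr=False)

    def __post_init__(self) -> None:
        self.src_net = ipaddress.ip_network(self.src)
        self.dst_net = ipaddress.ip_network(self.dst)

    def matches(self, pkt: Packet) -> bool:
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if src.version != self.src_net.version:
            return False                      # an IPv4 rule never matches IPv6 traffic
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if src not in self.src_net or dst not in self.dst_net:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.established and not (pkt.proto == "tcp" and pkt.flags & (TCP_ACK | TCP_RST)):
            return False
        return True


def evaluate(acl: list, pkt: Packet) -> str:
    """First-match evaluation with the usual implicit deny at the end."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def edge_acl(inside: str, ssh_server: str, has_established: bool) -> list:
    """Inbound edge ACL for one address family (hypothetical policy, constructed here):
    1. let replies to inside-initiated TCP sessions back in,
    2. allow SSH to one published server,
    3. deny everything else.
    has_established=False models a platform whose IPv6 filters lack the keyword; the only
    stateless way to keep rule 1 working is then a plain permit of inbound TCP."""
    any_net = "::/0" if ipaddress.ip_network(inside).version == 6 else "0.0.0.0/0"
    return [
        Rule("permit", "tcp", any_net, inside, established=has_established),
        Rule("permit", "tcp", any_net, ssh_server, dport=22),
        Rule("deny", "any", any_net, any_net),
    ]


def compare_families() -> dict:
    """Run an unsolicited SYN and a session reply through the v4 ACL (with 'established')
    and the v6 ACL (without it). All addresses and packets are constructed."""
    v4 = edge_acl("192.0.2.0/24", "192.0.2.22", has_established=True)
    v6 = edge_acl("2001:db8:1::/48", "2001:db8:1::22", has_established=False)
    return {
        "v4 unsolicited SYN to web port": evaluate(v4, Packet("198.51.100.7", "192.0.2.10", "tcp", 80, TCP_SYN)),
        "v4 reply to inside session": evaluate(v4, Packet("198.51.100.7", "192.0.2.10", "tcp", 40123, TCP_ACK)),
        "v6 unsolicited SYN to web port": evaluate(v6, Packet("2001:db8:ffff::7", "2001:db8:1::10", "tcp", 80, TCP_SYN)),
        "v6 reply to inside session": evaluate(v6, Packet("2001:db8:ffff::7", "2001:db8:1::10", "tcp", 40123, TCP_ACK)),
    }


if __name__ == "__main__":
    for case, verdict in compare_families().items():
        print(f"{case}: {verdict}")
```

The v4 side denies the unsolicited SYN and permits the reply; the v6 side, lacking the keyword, permits both, which is exactly the exposure a v6-enabled NIDS at the trusted gateway has to cover until the filter platform catches up.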
DREN IPv6 transition architecture – FY04
[Architecture diagram. DRENv6 (Testbed): native IPv6 backbone, with links to 6bone, Abilene, and other IPv6 enabled ISPs and to IPv6 demonstrations (Moonv6); links run native IPv6 where possible, otherwise tunnelled in IPv4. Testbeds at DREN sites (ARL-APG, SSCSD, ERDC), each shown with NIDSv6 and a v6 ACL, attach to DREN2 (Production / Pilot) at sdp.arlapg, sdp.sandiego and sdp.erdc. DREN2 is a dual stack IPv4 and IPv6 wide area infrastructure; Type “A” (IP) production service to DREN sites provides IPv4 and IPv6 over the same interface. Goal: As secure as the IPv4 backbone.]
Site Security Solution (Example – SPAWAR)
• SPAWAR Intrusion Detection System (IDS) modified to support IPv6
• Netscreen Firewall operating “beta” release with IPv6 support in parallel with production firewall.
[Diagram: DREN2 (Pilot) WAN (IPv4 unicast and multicast services + IPv6 unicast) to SPAWAR Border router (Juniper M20) with IDS; IPv6 and IPv4 paths split to a Netscreen 2000 Firewall and a Netscreen 208 Firewall (one labelled IPv6 Firewall, the other Production Firewall), then a switch to LAN.]
Note: Netscreen (Juniper) now has mainstream IPv6 support for some models.
Plans for 2004/2005
• Continued IPv6 deployment into site infrastructure, and site upgrades.
  • includes training, and site visits
• Upgrade HPC applications to IPv6
• Additional external peering
• IPv6 multicast (both networks)
• DHCPv6/DNS experiments
  • what is best design model for DoD sites?
• Mobility experiments
• Overcoming security challenges
• BGP confederations
• IPv6 on S/DREN
New challenges impacting IPv6 implementation efforts
• Encrypt DREN backbone
  • Full IPSEC mesh between all DREN sites
  • Using Juniper Adaptive Services (AS) PIC.
  • Surprise: Doesn’t support IPv6.
    • still 6 months away (JunOS 7.4?)
• BGP confederations – improved unicast and multicast routing.
  • CONUS, Hawaii, Testbed
• OC-48 sites.
  • IPSEC Encryption is the hard part. Trying to do it with Netscreen 5400s using 10GbE interfaces. But they weren’t jumbo-clean.
IPv6 multicast
• Initiative:
  • turn up IPv6 multicast on both nets (testbed, production)
  • PIM, MLDv2, MBGP, SSM, Embedded RP
  • apps: diag tools like beacon, mping, mtrace
  • then try other apps (vic, rat, …)
• Status (work in progress)
  • Testbed: Done
    • routers all upgraded – IOS 12.3(11)T
    • Static RP
  • Production: Some initial configuration completed
  • Setting up beacon infrastructure within DREN
• Some Issues
  • no MSDP, so use SSM or Embedded-RP between domains
  • Embedded RP is fairly new (i.e. need JunOS 7.0 or later)
  • many tools don’t operate over SSM (example: beacon)
  • hard to do cross-domain testing
  • no MLDv2 in WinXP, broken in old Linux, Solaris.
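The “no MSDP, so use SSM or Embedded-RP between domains” item comes down to what a group address tells a router about where the rendezvous point is. The following Python example is added here and is not part of the presentation or of any DREN tool; the group addresses are constructed. It classifies an IPv6 multicast group as SSM (RFC 4607, ff3x::/32), Embedded-RP (RFC 3956, R flag set) or plain ASM, and for Embedded-RP groups decodes the RP address from the group address itself, which is the step that makes inter-domain ASM workable without MSDP.

```python
import ipaddress

# RFC 4291 multicast scope values
SCOPE_NAMES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
               0x5: "site-local", 0x8: "organization-local", 0xE: "global"}


def embedded_rp(group: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    """Extract the RP address from an Embedded-RP group (RFC 3956 layout):
    ff | flgs | scop | rsvd | RIID | plen | 64-bit network prefix | 32-bit group ID.
    The RP is the first plen bits of the prefix with RIID as the interface identifier."""
    b = group.packed
    riid = b[2] & 0x0F
    plen = b[3]
    if riid == 0:
        raise ValueError("RIID of 0 is reserved")
    if plen == 0 or plen > 64:
        raise ValueError(f"invalid prefix length {plen}")
    prefix = int.from_bytes(b[4:12], "big")
    prefix &= ((1 << plen) - 1) << (64 - plen)           # keep only the first plen bits
    return ipaddress.IPv6Address((prefix << 64) | riid)   # RP = prefix::RIID


def classify(group_str: str) -> dict:
    """Describe how the RP for this group is found, or that no RP is needed."""
    group = ipaddress.IPv6Address(group_str)
    if not group.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    flags, scope = group.packed[1] >> 4, group.packed[1] & 0x0F
    info = {"group": str(group), "scope": SCOPE_NAMES.get(scope, f"scope-{scope:x}"), "flags": flags}
    if flags & 0x4:
        # R bit set: RFC 3956 requires P and T set as well (flags nibble 7)
        if flags != 0x7:
            raise ValueError(f"R flag set but flags nibble is {flags:#x}, not 0x7")
        info["kind"] = "embedded-rp"
        info["rp"] = str(embedded_rp(group))
        info["interdomain"] = "RP learned from the group address itself; no MSDP needed"
    elif group in ipaddress.IPv6Network(f"ff3{scope:x}::/32"):
        info["kind"] = "ssm"
        info["interdomain"] = "no RP at all; receivers must name the source (MLDv2)"
    else:
        info["kind"] = "asm"
        info["interdomain"] = "RP must be configured per domain (static RP); nothing shares it"
    return info


# Constructed groups for illustration (documentation prefix 2001:db8::/32)
SAMPLE_GROUPS = [
    "ff7e:140:2001:db8:1234:5678::abcd",   # embedded RP, global scope, /64 prefix, RIID 1
    "ff75:230:2001:db8:1234:ffff::1",      # embedded RP, site scope, /48 prefix, RIID 2
    "ff3e::8000:1",                        # SSM, global scope
    "ff1e::1234",                          # transient ASM, global scope
]

if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        print(classify(g))
```

The second sample shows why the prefix length byte matters: the prefix field carries 2001:db8:1234:ffff, but plen is 48, so the RP is 2001:db8:1234::2, not 2001:db8:1234:ffff::2.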
IPv6 DHCP/DNS
• Problem:
  • for sites that manually register everything in DNS today, this isn’t going to work well in IPv6.
  • How to leverage auto-configuration capabilities, yet stay within local policies.
• Initiative:
  • what model and tools to recommend to DoD sites?
  • test various implementations, and see what works
• Status (work in progress):
  • playing with open-source (sourceforge) DHCPv6 implementation
• Some Issues:
  • no DNS update in sourceforge DHCPv6
  • ISC DHCP (what most sites use) doesn’t do IPv6
  • WinXP doesn’t do DHCPv6
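One way a site that registers every host in DNS by hand can still use stateless autoconfiguration is to exploit the fact that an EUI-64 interface identifier is a deterministic function of the MAC address: given the advertised /64 and the inventory of MACs, the AAAA and PTR records can be generated before the host ever boots. The following Python example is added here and is not part of the presentation or of any DREN tool; the hostnames, MACs and prefix are constructed, and it assumes hosts form EUI-64 identifiers (no privacy extensions and no DHCPv6-assigned addresses, either of which would defeat the prediction).

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 from a 48-bit MAC (RFC 4291, Appendix A): insert ff:fe between the
    OUI and the device part, then flip the universal/local bit (0x02) of the first octet."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address a host autoconfigures from a router advertisement for 'prefix' when it
    uses an EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def zone_records(prefix: str, inventory: list) -> list:
    """Forward (AAAA) and reverse (PTR) records for every (hostname, mac) in the inventory,
    so the site can pre-register in DNS the addresses SLAAC will produce."""
    records = []
    for hostname, mac in inventory:
        addr = slaac_address(prefix, mac)
        records.append(f"{hostname}. IN AAAA {addr}")
        records.append(f"{addr.reverse_pointer}. IN PTR {hostname}.")
    return records


# Constructed inventory for illustration; names and MACs are not real hosts.
INVENTORY = [
    ("hpc-login1.example.net", "00:0c:29:ab:cd:ef"),
    ("hpc-login2.example.net", "00-0C-29-12-34-56"),
]

if __name__ == "__main__":
    for line in zone_records("2001:db8:1::/64", INVENTORY):
        print(line)
```

Feeding the output into the existing manual-registration workflow keeps the site inside its local policy (every address in DNS is one the site intended to exist) while letting hosts autoconfigure; any address that shows up on the wire and is not in the zone is then a useful signal to the IDS operators.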
Site infrastructure work
• IPv6 firewall, IDS, ACLs
• LAN infrastructure (San Diego example)
  • Backbone upgrade (Foundry core/dist’n/edge)
    • BigIron MG8
    • 10GbE backbone
    • (low power)
  • line rate IPv4 and IPv6 requirement
    • recent test – 6 x 10G IPv6 – ran at line rate
• Issues:
  • Foundry: NUD seems broken – loses initial packets of new connections.
  • Foundry: IPv6 PIM-SM not supported (yet)
  • No production 10Gb firewall capable of IPv6 and jumbo.
    • have beta netscreen hardware