DREN IPv6 Implementation Update
Joint Techs Workshop, July 2005, Vancouver, BC, Canada
Ron Broersma, DREN Chief Engineer, High Performance Computing Modernization Program, ron@spawar.navy.mil
DREN IPv6 Update
Introduction
• DREN is DoD’s network serving the RDT&E community
• It serves as the DoD IPv6 “pilot” network.
• DREN operates 2 IPv6 wide area networks
  • Testbed
    • Dedicated Cisco routers
    • ATM PVC mesh
  • Production
    • Dual stack production backbone
    • Juniper routers
DREN “production” network (network map slide; only the title is recoverable)
DRENv6 “testbed” Logical Topology (diagram; node labels name DREN sites, exchange points and IPv6 ISP/BGP neighbors; legend: IXP, Core Router, ATM PVC (OC-3), tunnel, ISP or BGP Neighbor, “site”)
DREN IPv6 transition architecture – FY04 (diagram)
• DRENv6 (Testbed): native IPv6 backbone; links run native IPv6 where possible, otherwise tunnelled in IPv4; connects to 6bone, Abilene and other IPv6 enabled ISPs, and to IPv6 demonstrations (Moonv6)
• DREN2 (Production / Pilot): dual stack IPv4 and IPv6 wide area infrastructure; Type “A” (IP) production service to DREN sites; IPv4 and IPv6 provided over the same interface
• Sites shown: ARL-APG, SSCSD, ERDC, each with a testbed at the DREN site, an sdp (sdp.arlapg, sdp.sandiego, sdp.erdc), NIDSv6 and a v6 ACL
• Goal: as secure as the IPv4 backbone
DREN IPv6 philosophy
• Push the “I believe” button, and turn on IPv6 everywhere to see what works (and what doesn’t)
• Do it in a production environment
  • can get away with this in an R&D environment, but not on operational networks.
• Go native (no tunnels).
• Even if the world doesn’t convert for years, R&D environments need it now.
• Figure out how to deploy IPv6 to the rest of DoD in the future.
Report on some current efforts
• Security
• IPv6 Multicast
• DHCPv6/DNS
Security
• Reported previously
  • many security features missing in implementations
    • IPsec, ACLs, etc.
  • many security products don’t do IPv6
    • firewalls, IDS, scanners, etc.
• Update
  • snort-2.3.3 upgraded to IPv6 by DREN
    • in production as part of DREN’s IDS
  • giving up on Juniper IPv6 port-mirroring
    • installing Foundry switches at exchanges
  • independent security review contracted to SAIC
    • report due Oct ‘05
Independent Security Review
• Reviewing…
  • protocol
  • stack maturity
  • tool maturity
• Analyzing…
  • v6 versions of all v4 attacks
  • packets emitted on boot, as well as other traffic and interactions
  • how things behave with strange packets
• So far…
  • protocol is no less secure than v4
  • mobility is scary
  • multicast is still spoofable
  • ND (Neighbor Discovery) – spoofable, but no exploits found yet
  • Windows – acks things twice in all v6 TCP streams???
  • router renumbering – can spoof – possible DoS
  • landv6 attack works, but doesn’t crash machine
• Good stuff…
  • ethereal – excellent v6 parsing
  • scapy – great packet hacking tool, supports v6
IPv6 multicast
• Focus: get DREN backbones fully IPv6-multicast enabled.
• Status (work in progress)
  • Testbed – fully operational
    • PIMv2, MLDv2, SSM, ASM, static RP, embedded-rp
  • Production – operational
    • routers all upgraded to JunOS 7.2
    • PIMv2, MLDv2, SSM, ASM, some embedded-rp
  • Beacon – operational (dbeacon)
    • ASM and SSM, using embedded-rp group address
• Test environment
  • Linux 2.6.11, Linux 2.4, Solaris 10
  • Cisco (testbed), Juniper (DREN production), Juniper (site), Foundry BI (site)
  • simulating cross-domain interaction
Test Environment (beacon) diagram; labels: Linux, Testbed (SSCSD, Cisco), Juniper, sdp.sandiego, Production (sdp, Juniper), Site (Juniper, Foundry), Linux, Solaris, Linux
IPv6 Multicast
• Learned:
  • lots of good work already done by folks at m6bone
  • ssmping – great test/debug tool
    • server (source) doesn’t need MLDv2, only receivers
  • dbeacon – new beacon software
  • notion of multicast/PIM domains blurred or gone.
    • use embedded-rp for cross-domain ASM
  • embedded-rp works great
    • Cisco – enabled by default
    • Juniper – disabled by default (surprise)
    • needs to be enabled on all routers between the RP and potential receivers.
• Some Issues
  • Foundry – no MLDv2 yet
  • no MLDv2 in WinXP, broken in old Linux, Solaris.
• ToDo:
  • test beyond DREN (Abilene? m6bone?)
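The two multicast slides above lean on embedded-RP group addresses (the beacon uses one, and it is the cross-domain ASM mechanism). The following is an added example, not code from the slides or from DREN, showing how an RP address is encoded in and recovered from such a group per RFC 3956; the addresses are constructed from the 2001:db8::/32 documentation prefix and the field checks are the ones a router would apply before trusting the embedded RP.

```python
import ipaddress

# Bit layout of an embedded-RP group address (RFC 3956), left to right:
# FF | flags=0111 | scope | reserved=0 | RIID | plen | 64-bit network prefix | 32-bit group ID

def embedded_rp(group: str) -> ipaddress.IPv6Address:
    """Return the RP address encoded in an embedded-RP group, or raise ValueError."""
    b = ipaddress.IPv6Address(group).packed
    if b[0] != 0xFF:
        raise ValueError("not a multicast address")
    if b[1] >> 4 != 0x7:                 # R, P and T flag bits must all be set
        raise ValueError("flags must be 0111 for embedded-RP")
    reserved, riid, plen = b[2] >> 4, b[2] & 0xF, b[3]
    if reserved != 0 or riid == 0 or not 0 < plen <= 64:
        raise ValueError("bad reserved/RIID/plen field")
    prefix = int.from_bytes(b[4:12], "big")
    prefix &= ((1 << plen) - 1) << (64 - plen)   # keep only the top plen bits
    return ipaddress.IPv6Address((prefix << 64) | riid)   # RP = prefix::RIID

def make_group(rp: str, plen: int, scope: int, group_id: int) -> ipaddress.IPv6Address:
    """Build the embedded-RP group address for an RP of the form prefix::RIID."""
    r = int(ipaddress.IPv6Address(rp))
    riid, prefix = r & 0xF, r >> 64
    if riid == 0 or not 0 < plen <= 64:
        raise ValueError("RIID must be 1..15 and plen 1..64")
    # every RP bit outside the prefix, other than the RIID nibble, must be zero
    if (r & ((1 << 64) - 1)) != riid or prefix & ((1 << (64 - plen)) - 1):
        raise ValueError("RP is not of the form prefix::RIID")
    if not 0 <= scope <= 0xF or not 0 <= group_id < (1 << 32):
        raise ValueError("scope is 4 bits, group ID is 32 bits")
    packed = (bytes([0xFF, 0x70 | scope, riid, plen])
              + prefix.to_bytes(8, "big") + group_id.to_bytes(4, "big"))
    return ipaddress.IPv6Address(packed)

if __name__ == "__main__":
    # constructed example: global-scope (E) group whose RP is 2001:db8::1 in a /64
    g = make_group("2001:db8::1", 64, 0xE, 0x1234)
    print(g, "->", embedded_rp(str(g)))   # ff7e:140:2001:db8::1234 -> 2001:db8::1
```

Because the RP is derived from the group address alone, every router on the path between the RP and the receivers must have embedded-RP enabled (the Juniper default noted above) for the derivation to happen.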
DHCPv6/DNS
• Goal – implement a dhcpv6 environment, similar to how some sites use it in v4.
  • common practice: DHCP (v4) assigns addresses, and performs dns-update for A and PTR records. DNS master only has to trust DHCP server, not every client.
• Challenge: finding mature and complete DHCP implementation
• Testing, status
  • ISC (popular dhcp reference implementation)
    • IPv4 only
  • dhcpv6-linux
    • incomplete
    • last version 2 years ago
  • dhcpv6 (sourceforge)
    • incomplete, but works – no dns-update
    • included in Fedora Core 3 and Red Hat 4
  • Lucent
    • tested, and appears to work. Haven’t tested dns-update (awaiting more software).
    • No documentation
• Issues:
  • no dhcp client in WinXP
  • uncertainty and debate on interactions between stateless and stateful (DHCP) autoconfig.
    • M/O bits debate
  • how useful is DHCPv6, if only use might be to get DNS servers and domain?
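The v6 counterpart of the "DHCP does the dns-update for A and PTR" practice above is an AAAA record plus a PTR under ip6.arpa, where the reverse name is the address written as 32 reversed nibbles. As an added example (not from the slides, DREN, or any of the DHCP implementations listed), the code below builds the nsupdate(8) input a DHCPv6 server would sign with its TSIG key for one lease; host name, prefix and key name are constructed placeholders.

```python
import ipaddress

def ptr_name(addr: str) -> str:
    """Nibble-reversed ip6.arpa owner name for an address: the v6 counterpart of a v4 PTR."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def reverse_zone(prefix: str) -> str:
    """ip6.arpa zone holding the PTRs of a nibble-aligned site prefix, e.g. 2001:db8:1::/64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("reverse zone cut must be nibble aligned")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def nsupdate_script(fqdn: str, addr: str, prefix: str, ttl: int = 3600,
                    key: str = "dhcp-key") -> str:
    """nsupdate(8) input a DHCPv6 server would emit for a new lease: AAAA, then PTR.
    Both updates are signed with one TSIG key, so the DNS master trusts only the DHCP server."""
    if not fqdn.endswith("."):
        fqdn += "."
    a = ipaddress.IPv6Address(addr)
    if a not in ipaddress.IPv6Network(prefix):
        raise ValueError(f"{addr} is not inside {prefix}")
    fwd_zone = fqdn.split(".", 1)[1]      # assumes the host sits directly under its zone apex
    lines = [
        f"key {key} TSIG-SECRET-PLACEHOLDER",   # placeholder: the real secret comes from the key file
        f"zone {fwd_zone}",
        f"update delete {fqdn} AAAA",             # drop any stale lease address first
        f"update add {fqdn} {ttl} AAAA {a}",
        "send",
        f"zone {reverse_zone(prefix)}",
        f"update delete {ptr_name(addr)} PTR",
        f"update add {ptr_name(addr)} {ttl} PTR {fqdn}",
        "send",
    ]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # constructed lease from the documentation prefix; no real site data
    print(nsupdate_script("host1.example.net", "2001:db8:1::1234", "2001:db8:1::/64"))
```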