DREN IPv6 Experiences - Update -
Summer 07 Joint Techs Workshop, July 2007, Batavia, IL
Ron Broersma, DREN Chief Engineer, High Performance Computing Modernization Program, ron@spawar.navy.mil
DREN IPv6 Status
Background
• WAN provider for the DoD R&D community
• Also serving as DoD’s IPv6 pilot implementation of the DoD CIO June ’08 mandate
• Deploying IPv6 where possible in a production environment
  • See what works and what’s broken
  • See what’s missing
  • Share lessons learned
Previously
• Reported to you previously:
  • Most serious problem is lack of IPv6 support in many security products (firewall, IDS, IPS, VPNs, web proxy, etc.)
    • Major inhibitor to deployment of IPv6 in protected enclaves
  • Various bugs hurt deployment and require workarounds
    • Router MLDv2
    • LDAP
    • Linux
    • and many more…
  • Increased complexities with running dual-stack
Overall difficulty
• Easy parts
  • Dual-stacking the nets (WANs, LANs)
  • Enabling IPv6 functionality in modern operating systems
  • Establishing basic IPv6 services (DNS, SMTP, NTP)
  • Enabling IPv6 in some commodity services (HTTP)
• A little more challenging
  • Getting the address plan right
  • Operating and debugging a dual-stack environment
  • Multicast (but easier than IPv4)
• Hard parts
  • Creating the security infrastructure (firewalls, IDS, proxies, IDP/IPS, VPNs, ACLs)
  • Working around missing or broken functionality
    • DHCP
  • Creating incentives to upgrade and try IPv6
  • Getting the vendors to fix bugs or incorporate necessary features
    • Not enough market pressure, so other activities take priority
What’s new
• Thunderbird LDAP problem fixed (as of 2.0)
  • Had been forcing people to disable IPv6, or stop using Thunderbird
  • Emergence of Vista helped encourage the fix
• Red Hat Enterprise Linux performance bug fixed
  • Fixed in RHEL5
• Some increased interest from network product companies to improve their IPv6 support
  • Driven by upcoming June ’08 deadline
  • Driven by demands from Asia, especially China
• Vista
  • Claims full IPv6 support
New issues
• Juniper NS-5400 can’t do Jumbo frames and IPv6 at the same time
• RH0 security issue
  • http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
  • Routers can only filter on the first header
  • Must not break RH2 (Mobile IPv6) when filtering/disabling RH0
  • Linux ip6tables state matching is broken
    • Bugzilla 209945, 190590
  • But being disabled by default in Linux 2.6.20.9
• Trying to get address space from DoD NIC
  • Found out they don’t have an addressing plan yet
• DREN meltdown
DREN meltdown
• Demands on forwarding engine board (FEB) memory in DREN implementation:
  • default free (full Internet routes)
  • Multicast routes
  • IPv4 and IPv6 routes
  • uRPF (43% overhead)
• Recently started exceeding FEB memory in some Juniper routers
  • Due to increasing IPv4 routes
  • Due to code updates
• Workaround: carry default instead of full routes
• Long term: replace the older routers
• Lesson: continued IPv4 routing table growth reminds us of the need to move to an aggregatable solution (IPv6)
Vista and IPv6
• Extensive beta testing performed by DREN
• Microsoft claiming full support for IPv6
• But… no IPv6 access support for…
  • Windows Activation after installation
  • Windows Update
  • IE7 Phishing filter
  • Beta Client bug reporting (during beta period)
Safe use of Vista
• Vista enables IPv6 tunneling (Teredo) by default
  • Creates tunnel to Microsoft
  • It is even in the Vista software license terms, and you have to consent to its use, but you are allowed to disable it.
  • Can bypass firewalls if not disabled
• Some organizations recommend disabling IPv6 in Vista (and other operating systems)
• We recommend just disabling the unsafe features:
  • Disable tunneling
  • Disable random IIDs

    netsh interface 6to4 set state state=disabled undoonstop=disabled
    netsh interface isatap set state state=disabled
    netsh interface teredo set state type=disabled
    netsh interface ipv6 set global randomizeidentifiers=disabled
    netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
    netsh interface ipv6 set privacy state=disabled store=persistent
Some current work
• Readdressing nets to make IPv4 and IPv6 addressing congruent for ease of management
• Working with many vendors
  • Product evaluation and testing
  • Getting bugs discovered and fixed
  • Feature requests
  • Recommending implementation priorities
• Merging firewalls
  • Had been using separate IPv6 firewalls
Still no major incentives to do IPv6
• Extremely low customer demand for IPv6 products
  • No money in it for the manufacturers
  • So other products and features take precedence
  • Basic IPv6 capabilities take precedence over security features
  • Manufacturers just want to check the “IPv6 capable” box
• Lack of full IPv6 functionality discourages deployment
  • IPv6 isn’t as good as IPv4, so why use it?
  • Lack of security components hinders ability to deploy in most environments
  • If nobody is deploying it, then there’s nothing you are missing by not having it
• Lack of incentives results in lack of customer demand
  • Loop back to top of page
Commitment to IPv6?
• Are network product vendors really committed to IPv6 support?
  • Are they using it in their production networks?
  • Do they have an IPv6 presence on the Internet?
  • Do they follow the “eat your own dogfood” principle?
• A survey…
Vendor scorecard
• Looked in DNS to see if there were AAAA records for each vendor’s www host, MX hosts, and DNS servers.
• Quick sampling of major computer and network companies showed no public-facing IPv6.
Scorecard – IPv6 Summit Sponsors (March ’07)
• Grand and Gold Sponsors of 2007 IPv6 Summit.
• Only one has an IPv6 presence at their corporate “front door”
Situation Today
• We’ve been successfully using IPv6 in a production environment, with many dual-stack systems and services, for at least 3 years.
• Modern operating systems just work, out of the box (MacOSX, Vista, Solaris 10, etc.)
• Most urgent needs from our perspective:
  • Need parity with IPv4 in all implementations
    • Enabling IPv6 must NOT break things
  • Need to make security stacks fully IPv6 capable
    • Firewalls, IDS, proxies, IDP/IPS, ACLs
  • Need more incentives to do IPv6 (generate demand)
• Basic layer 3 (IP routing) implementations are mature
  • ISPs and WANs should be IPv6-enabled now.
  • What about SOHO modems/routers?
    • Consumer CPE doesn’t do IPv6!
The Future?
• Will DoD (the operational world) be running IPv6 by the June 2008 deadline?
  • Highly doubtful
  • Last public statement indicated the milestone was “enterprise authorization to use IPv6 on NIPRnet by June 2008” to meet the OMB directive.
  • SIPRnet by 2010
• Lack of mature IPv6-capable security products will hinder deployment into protected enclaves, possibly for years
• Lack of a killer app or other incentives will also hinder progress
• DoD may need to resort to stronger mandates or directives at some point
Backup
Example Re-addressing scheme
[Figure: example address layout. IPv4: 128.49.subnet.host, with the subnet octet equal to the VLAN-id. IPv6: 2001:0480:0010:subnet::Interface-ID, using the same subnet number.]
• Re-address the network for consistency between protocols
  • IPv4 – move all subnets to /24 or larger
  • Align VLAN number with 3rd octet of IPv4 address
  • Align IPv6 “subnet number” with the above
• Benefits
  • Reduction in complexity
  • Easier for operations staff, once re-addressing is complete
• Note
  • Assumes you have enough IPv4 address space to change it as well.
One way to handle PTR records
• Example site:
  • Already records MAC addresses for registered devices on the network, and stores them in a database
  • Uses stateless address auto-configuration (SLAAC) for most machines, in particular the clients
  • Built a script to generate PTR records for all registered devices, regardless of whether they were running IPv6 or not, and installed it in their DNS.
  • If any device happens to turn on IPv6 and uses SLAAC, it is already pre-registered.
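The two backup slides above (the congruent re-addressing scheme and the pre-generated PTR records) are illustrated by the following added example; it is not the site's script and not part of the original slides. It assumes a constructed site allocation (IPv4 128.49.0.0/16, IPv6 2001:480:10::/48, zone example.test), assumes the IPv6 subnet field is written with the same digits as the VLAN number (VLAC 49 -> 2001:480:10:49::/64), and assumes hosts form their interface ID with modified EUI-64 rather than random IIDs.

```python
import ipaddress

# Constructed site parameters (assumptions, not values from the slides).
IPV4_SITE = ipaddress.IPv4Network("128.49.0.0/16")
IPV6_SITE = ipaddress.IPv6Network("2001:480:10::/48")
ZONE = "example.test"


def congruent_prefixes(vlan_id: int):
    """IPv4 /24 and IPv6 /64 for a VLAN under the congruent plan:
    VLAN number == IPv4 third octet == IPv6 subnet field.
    Assumption: the IPv6 field reuses the VLAN's decimal digits (49 -> :49:)."""
    if not 0 <= vlan_id <= 255:
        raise ValueError("VLAN id must fit in one IPv4 octet")
    v4 = ipaddress.IPv4Network((int(IPV4_SITE.network_address) | (vlan_id << 8), 24))
    subnet_field = int(str(vlan_id), 16)  # same digits, read as hex
    v6 = ipaddress.IPv6Network((int(IPV6_SITE.network_address) | (subnet_field << 64), 64))
    return v4, v6


def slaac_address(prefix64: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """Address a SLAAC host forms from its MAC with modified EUI-64:
    flip the universal/local bit of the first octet, insert ff:fe in the middle."""
    octets = bytearray(int(o, 16) for o in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"bad MAC: {mac}")
    octets[0] ^= 0x02
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ipaddress.IPv6Address(int(prefix64.network_address) | int.from_bytes(iid, "big"))


def ptr_record(addr: ipaddress.IPv6Address, hostname: str) -> str:
    """One ip6.arpa PTR line in zone-file syntax."""
    return f"{addr.reverse_pointer}. IN PTR {hostname}."


# Constructed registry rows (hostname, VLAN, MAC), as a site database might hold them.
REGISTRY = [
    ("ws01", 49, "00:1b:21:aa:bb:cc"),
    ("ws02", 49, "00:1b:21:aa:bb:cd"),
    ("srv01", 7, "00:50:56:01:02:03"),
]


def generate_ptr_zone(registry=REGISTRY):
    """Pre-generate a PTR record for every registered device, IPv6 user or not."""
    lines = []
    for host, vlan, mac in registry:
        _v4, v6 = congruent_prefixes(vlan)
        lines.append(ptr_record(slaac_address(v6, mac), f"{host}.{ZONE}"))
    return lines


if __name__ == "__main__":
    print("\n".join(generate_ptr_zone()))
```

Hosts that use random or privacy interface IDs (the feature the Vista slide disables) form addresses these records do not cover, so the scheme depends on that setting being off.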