Learn about NASA's transition to IPv6, OMB requirements, goals, drivers, and benefits. Understand the urgency, steps, and implications for agencies and IT modernization initiatives.
NASA’s IPv6 Implementation: Now is the time! Kevin L. Jones NASA IPv6 Transition Manager August 15, 2011
Who are you representing? • NASA Civil Servant • NASA Contractor • Other Government Agency • Industry • University • Other • Not Sure?
Why are you here? • I am excited about IPv6 • I am excited about NASA implementing IPv6 • I am interested in learning about IPv6 • What’s the rush to implement IPv6 • I am still skeptical about this IPv6 thing • I have serious concerns about implementing IPv6 • Still recovering from lunch and I have not moved since • An empty seat & wireless access
Agenda • Motivation to implement IPv6 • Federal IPv6 Taskforce • NASA IPv6 Taskforce • World IPv6 Day • Next Steps • Questions
Motivation to Implement IPv6 • Because OMB said so? • But didn’t OMB “say make it so” in 2005 too? • What happened? • Why aren’t we done already? • August 2005 – A memo M-05-22 titled Transition Planning for Internet Protocol Version 6 (IPv6) was sent to the Federal Agency CIOs
Summary of M-05-22 • By June 2008 all agencies’ infrastructure (network backbones) must be using IPv6 and agency networks must interface with that infrastructure • Nov 2005 – assign an agency lead and inventory equipment • Feb 2006 – develop a transition plan & progress report • June 2006 – complete inventory & analysis
Updated Guidance from OMB • Feb 2006 – FAQ on M-05-22, clarified that “must be using IPv6” meant “must demonstrate IPv6 capability on their backbones” • Transmit IPv6 traffic from the Internet and external peers, through the core (WAN), to the LAN • Transmit IPv6 traffic from the LAN, through the core (WAN), out to the Internet and external peers • Transmit IPv6 from the LAN, through the core (WAN), to another LAN (or another node on the same LAN) • NASA was compliant but further progress halted
IPv6 Drivers • Enable the successful deployment and expansion of key Federal information technology (IT) modernization initiatives, such as Cloud Computing, Broadband, and SmartGrid, which rely on robust, scalable Internet networks; • Reduce complexity and increase transparency of Internet services by eliminating the architectural need to rely on Network Address Translation (NAT) technologies; • Enable ubiquitous security services for end-to-end network communications that will serve as the foundation for securing future Federal IT systems; • Enable the Internet to continue to operate efficiently through an integrated, well-architected networking platform and accommodate the future expansion of Internet-based services. • Maintain continuity of operations, and to reach and be reached by customers.
Vivek Kundra’s September 28, 2010 Memorandum: Transition to IPv6 • Designate an IPv6 Transition Manager by 10/30/2010 • Responsible for leading the agency’s IPv6 Transition Activities • Liaison with the wider Federal IPv6 effort as necessary • Ensure agency procurements of networked IT comply with the FAR requirements for use of the USGv6 Profile and Test Program for the completeness and quality of their IPv6 capabilities • (Goal # 1) Upgrade public/external facing servers and services (e.g. web, email, DNS, IP services, etc.) to operationally use native IPv6 by the end of FY 2012 • (Goal # 2) Upgrade internal client applications that communicate with public internet servers and supporting enterprise networks to operationally use native IPv6 by the end of FY 2014 http://www.cio.gov/documents/IPv6MemoFINAL.pdf
So what does the first goal mean? • Intent of the FY2012 requirement is to ensure that any and all networked services that agencies provide to the general public over the Internet are seamlessly accessible via both IPv6 and IPv4 • Out of Scope: internal services, external services only accessible via VPN or closed user groups • In Scope: external web (http), email (smtp), and domain name system (dns)
And what about the 2nd goal? • Intent of the 2014 requirement is to ensure that public IPv6-enabled network services that are provided external to an agency are accessible to USG users residing in their agency enterprise networks • Definition of public is the same for this goal • Agency client applications, host operating systems, and supporting networking infrastructure should be IPv6-enabled such that it is possible to establish native IPv6 end-to-end communication between the client application and the external IPv6-enabled public server/service
More on “Operationally use native IPv6” • Native IPv6 transport end-to-end: • From public facing servers to IPv6 enabled clients on the public Internet (FY2012) • From internal client systems to external IPv6 servers (FY2014) • Support of IPv6 is transparent to the end user • www.nasa.gov must support both IPv4 and IPv6 (not create a new www.ipv6.nasa.gov for IPv6 clients)
Depletion of IPv4 Address • The Internet Assigned Numbers Authority (IANA) coordinates the global IP and AS number space, and allocates these to Regional Internet Registries (RIRs) • On Thursday, February 3, 2011, IANA depleted their IPv4 address space • A formal ceremony was held to commemorate the significant event, IANA’s distribution of the last five /8s to the RIRs • Videos of this historic event are listed at: http://www.nro.net/media-center/video-archive-3-february-2011 • Also available via IPv6 on YouTube: http://www.youtube.com/watch?v=p9AzSl2MdFk&feature=related http://www.youtube.com/watch?v=gveJs6YRYXU • NOTE: NASA has a sufficient amount of IPv4 address space
More Motivation • More IP addresses • IPv4 provides 32 bit address ~ 4.2 x 10^9 addresses • IPv6 provides 128 bit address ~ 3.4 x 10^38 addresses • Significantly enhanced mobility features • Opportunity to increase the ubiquity of network security capabilities • NASA will need to ensure that external services are seamlessly accessible via both IPv6 and IPv4 • Because OMB said so… • And they said it twice!! • NASA is NOT going to wait for the October 2015 OMB memo to implement IPv6
NIST’s IPv6 Deployment Monitor • NIST’s IPv6 Deployment Monitor – is a measurement tool that attempts to estimate the status of IPv6 enabled external facing services across the USG. Currently the monitor tests the status of WWW, Email and DNS services and tracks the progress of IPv6 deployment over time. • http://fedv6-deployment.antd.nist.gov/
v6task-force@nist.gov Federal CIO Council Executive Chair: Jeffrey Zients Director: Steven VanRokel Architecture and Infrastructure Committee (AIC) Chair: Michael Carleton Technology Infrastructure Subcommittee Cita Furlani (NIST) Co-Chair Bobbie Stempfley (DoD) Co-Chair Federal Chief Architect: Scott Bernard OMB Lead Policy Analyst: Carol Bales Federal IPv6 Task Force Federal IPv6 Initiative Support Contractors Chair: Peter Tseronis (DOE) Co-Chair: Jane Coffin NTIA ACT/IAC IPv6 SIG Doug Montgomery (NIST) Stephen Nightingale (NIST) Ron Broersma (DoD) Sean Donelan (DHS) Don Beaver Frank Tiller (GSA) Industry Collaboration Federal IPv6 Interagency Working Group Technical Sub Team Stu Mitchell, Chair (DOI) Sharon Lattanze, Co-Chair (Commerce) IT Management Sub Team Luis Gonzalez, Chair (DHS) Outreach Sub Team Steven Pirzchaiski, Chair (VA)
Not part of Federal Government? • … but you want to get in on the fun of helping the government implement IPv6? • Consider joining the American Council for Technology, Industry Advisory Council (ACT-IAC) • Members consist of private industry, academia & state/local government • Responsible for updating the “Planning Guide/Roadmap Toward IPv6 Adoption within the U.S. Government” • Contact Chris Chroniger to join cchroniger@gmail.com
Transition Manager Responsibilities • Agency Transition Manager’s Fedv6-deploy@nist.gov
World IPv6 Day: June 8, 2011 • On June 8th, a 24-hour IPv6 Test Flight occurred • Goal was to motivate organizations across the industry – Internet service providers, hardware makers, operating system vendors and web companies – to prepare their services for IPv6 to ensure successful implementations • Universities were involved as well • OMB has mandated government participation • Implement a website with IPv6 (dual-stack) • Even before World IPv6 Day occurred, there were already discussions of potentially having another World IPv6 Day • Might even be sooner than 6/8/2012
NASA World IPv6 Participation • Coordinated by the Internet Society (ISOC) • http://isoc.org/wp/worldipv6day/ • NASA participating websites captured on the main NASA website blog. • Confirmed NASA websites • www.nas.nasa.gov • www.caib.nasa.gov (Limelight) • www.km.nasa.gov (Akamai) • apod.eos.nasa.gov • earthobservatory.eos.nasa.gov • ipv6.nasa.gov (Akamai) • Due to a launch and therefore anticipated heavy traffic, decided not to implement www.nasa.gov on World IPv6 Day
NASA’s interest in World IPv6 • It was more than just because OMB said so • OMB mandated that all agencies participate in World IPv6 Day and has requested that they try to implement their top level domains • NASA has over 1000 public/external facing websites that need to be implemented by September 2012, so this was an excellent opportunity to document lessons learned, help scope workload and test approaches for successful implementations • It provided an opportunity for NASA to evaluate vendors’ IPv6 implementations, specifically Akamai & Limelight
What happened on World IPv6 Day? • IPv6 worked according to plan • Google, Facebook, Yahoo!, Akamai & Limelight hosted parties • This is my first time hearing about World IPv6 Day, so it could not have been much • IPv6 traffic adversely impacted IPv4 traffic • Complete waste of time?
World IPv6 Participation • There were 434 registered ISOC participants • 90% of those sites were reachable and viewable via IPv6 • Participation by 25 US Government agencies • 94% had resolvable AAAA DNS records • There were so few problems, some considered it practically a non-event • “World IPv6 Day fails to kill the Internet” • 99% of the World IPv6 websites were reached using IPv4 • Basic layer 3 routing worked to the sites
The Good – Things worked! • Operating systems (Linux/Unix, Mac OS X, Windows), web servers (e.g. Apache), clients (Firefox, Safari, IE) • Most dual stack IPv4/IPv6 host client and server applications including ssh, scp, Kerberized telnet and rcp (although Kerberos itself was only using IPv4), and http/https client and server • IPAM and DNS (both forward AAAA and reverse PTR records) • Global IPv6 routing exchange and packet forwarding verified to a number of sites • ping6 and traceroute6 IPv6 network diagnostic tools performed analogously to their ping and traceroute IPv4 tools • 10-GigE IPv6 network performance between GSFC and ARC using our automated nuttperf/nuttcp network performance measurement capability was demonstrated to be very comparable to the equivalent IPv4 network performance tests
The Bad – Things to watch out for… • Some sites did not make IPv6 DNS available via IPv6 (making pure IPv6 problematic). Some sites were so intent on trying to make sure that there was zero impact to IPv4 users that it caused a few unnecessary issues for IPv6 • In some cases, infrastructure software had to be updated. Some existing router/switch software still relies on IPv4 for certain things (e.g. SNMP) and can't run IPv6-only. • No general way to force IPv4 or IPv6 name resolution for a specific command • Limited IPv6 peering (e.g. Level 3 & Hurricane Electric) made additional routing workarounds necessary • Needed to modify a network monitoring system to deal with IPv6 addresses, since it was using a “:” as the field separator in the control file • Firewalls will probably need to replicate IPv4 rulesets with equivalent IPv6 rulesets. Perhaps intelligent firewall frontends will eventually minimize the required effort to support simultaneous IPv4/IPv6 access restrictions • No single transition day for IPv4 to IPv6 • Some apps & tools still require IPv4 only • Need creative approaches for troubleshooting IPv6 • ISPs are in the process of upgrading IPv6 by 2012 too • Network monitoring needs to support IPv6 • Dual-stack requires security for both IPv4 & IPv6
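The “:” field separator problem from the monitoring-system bullet above, shown as an added example that is not code from the presentation or from NASA's tooling. The host:port:label control-file layout, the sample lines and all function names are assumptions made for illustration; the fix shown (bracketed IPv6 literals, validated with Python's `ipaddress` module) is one common convention, not necessarily the one NASA adopted.

```python
import ipaddress

# Constructed control-file lines; the host:port:label layout is hypothetical.
SAMPLE_LINES = [
    "192.0.2.10:161:core-router",
    "[2001:db8::10]:161:core-router-v6",
    "2001:db8::10:161:core-router-v6",   # unbracketed IPv6: ambiguous
    "mon1.example.gov:162:trap-sink",
]


def parse_naive(line):
    """Pre-IPv6 style parser: every ':' is treated as a field separator."""
    host, port, label = line.split(":")  # ValueError on any IPv6 address
    return host, int(port), label


def parse_target(line):
    """Parse host:port:label; an IPv6 host must be written as [addr]."""
    line = line.strip()
    if line.startswith("["):
        end = line.find("]")
        if end == -1 or line[end + 1:end + 2] != ":":
            raise ValueError(f"malformed bracketed IPv6 host: {line!r}")
        # IPv6Address validates the literal and normalises its spelling.
        host = str(ipaddress.IPv6Address(line[1:end]))
        rest = line[end + 2:]
    else:
        host, sep, rest = line.partition(":")
        if not host or not sep:
            raise ValueError(f"missing host or port: {line!r}")
    fields = rest.split(":")
    if len(fields) != 2:
        # An unbracketed IPv6 address lands here instead of being misread.
        raise ValueError(f"expected host:port:label, bracket IPv6 hosts: {line!r}")
    port = int(fields[0])
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {line!r}")
    return host, port, fields[1]


def load_targets(lines):
    """Return (parsed targets, rejected lines) so bad entries are reported."""
    targets, rejected = [], []
    for number, line in enumerate(lines, start=1):
        try:
            targets.append(parse_target(line))
        except ValueError as exc:
            rejected.append((number, str(exc)))
    return targets, rejected


if __name__ == "__main__":
    ok, bad = load_targets(SAMPLE_LINES)
    for target in ok:
        print("monitor", target)
    for number, reason in bad:
        print(f"line {number} rejected: {reason}")
```

Rejecting the unbracketed form outright, rather than guessing where the address ends, keeps a mistyped entry from silently monitoring the wrong host or port.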
The Ugly – Warning: Lots of work ahead… • Policy development is behind the technology development, and some policies are contradictory (e.g. "scanning must be done by package X, but, package X doesn't support IPv6") • Security is behind the other aspects of IPv6. Many IDS systems handle IPv6 poorly (if at all), likewise some firewall appliances. Some host scanners (at least the legacy versions) do not do IPv6 at all. Some security software vendors seem to have not taken IPv6 mandates and plans seriously, so security will have to play catch-up in order to meet mandated deadlines. • If no IPv6 route exists to some service such as a web server, the system automatically drops back to an IPv4 connection, but if an IPv6 route exists (even an IPv6 default route), and the IPv6 destination is not actually reachable for some reason, the user will experience about a 2 minute TCP timeout before switching to IPv4. • Postponing the implementation of IPv6 is no longer an option. It is critical to “break glass” now to maintain a continuity of operations. • Need to update both policies & equipment • Need to communicate IPv6 security reqs. to vendors early • Growing pains in this transition are inevitable • Now is the time!
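The fallback behaviour described in the third bullet above, as an added example that is not part of the original presentation: a client-side connect loop that bounds each attempt with its own timeout instead of waiting out the operating system's TCP timeout, and that records failed IPv6 attempts so a broken IPv6 path hidden by IPv4 fallback still reaches the logs. The function names, the 3-second default and the constructed `blackholed_v6` stand-in (which simulates a routed but unreachable IPv6 destination using documentation addresses) are assumptions.

```python
import socket
import time


def tcp_connect(family, sockaddr, timeout):
    """Real connector: one TCP attempt bounded by `timeout` seconds."""
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
    except OSError:
        sock.close()
        raise
    return sock


def connect_dual_stack(candidates, per_try_timeout=3.0, connect=tcp_connect):
    """Try (family, sockaddr) candidates in order; return (conn, attempts).

    attempts holds (family_name, address, outcome, seconds) per try.
    """
    attempts = []
    for family, sockaddr in candidates:
        name = "IPv6" if family == socket.AF_INET6 else "IPv4"
        start = time.monotonic()
        try:
            conn = connect(family, sockaddr, per_try_timeout)
        except OSError as exc:  # timeouts are OSError subclasses
            elapsed = time.monotonic() - start
            attempts.append((name, sockaddr[0], type(exc).__name__, elapsed))
            continue
        attempts.append((name, sockaddr[0], "connected", time.monotonic() - start))
        return conn, attempts
    raise ConnectionError(f"all {len(attempts)} candidates failed: {attempts}")


def masked_v6_failures(attempts):
    """IPv6 addresses that failed while IPv4 succeeded (worth alerting on)."""
    v4_ok = any(a[0] == "IPv4" and a[2] == "connected" for a in attempts)
    if not v4_ok:
        return []
    return [a[1] for a in attempts if a[0] == "IPv6" and a[2] != "connected"]


def blackholed_v6(family, sockaddr, timeout):
    """Constructed connector: IPv6 is routed but never answers; IPv4 works."""
    if family == socket.AF_INET6:
        time.sleep(min(timeout, 0.05))  # stands in for the bounded wait
        raise socket.timeout("timed out")
    return "ipv4-connection"


# Constructed candidates using documentation address ranges.
CANDIDATES = [
    (socket.AF_INET6, ("2001:db8::80", 443, 0, 0)),
    (socket.AF_INET, ("192.0.2.80", 443)),
]

if __name__ == "__main__":
    conn, log = connect_dual_stack(CANDIDATES, 0.05, connect=blackholed_v6)
    print(conn, log, masked_v6_failures(log))
```

With the default `tcp_connect`, the candidate list would normally come from `socket.getaddrinfo()`, which returns addresses for both families on a dual-stack host.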
NASA IPv6 Taskforce Sub Teams • Security Sub Team: Luke Drury, Bryan Boatright, Bobby Cates, Tony Arivola, Terry Brugger, Chris Jones, Debra Rushing, Ken White, Greg Coggins, Dawn Bedard, Ron Colvin, Ralph Bischof, Linda Wood, Stephanie Chandler, Terri Chow, Chris Mishaga, Tom Hinke, Dennis Kay, Dennis Taylor, Alex Baldwin, Gary Gapinski, Glen Morhew, Greg Campbell, Hugh LaMaster, Michael Neblett, Patrick Patterson, Tim Baldridge, Vince Moyers, Bill Terry, Kevin Jones • IT Procurements Sub Team: TBD, Gary Gapinski, Kevin Jones • Web & Applications Sub Team: Ian Sturken, Alvin Cottles, Dawn Bedard, Duane Smith, Eashwer Srinivasan, Greg Coggins, Greg Campbell, JJ Toothman, Linda Hong, Luke Drury, Marcus Friske, Peter Cauwels, Ralph Bischof, Steven Funderburk, Tim Baldridge, Tommy Mcguire, Kevin Jones • Test & Verification Sub Team: Bill Fink, Aruna Muppalla, Dave Guevara, Dave Hartzell, George Uhl, Greg Coggins, Greg Campbell, Hugh LaMaster, Pat Gary, Kathy Hatley, Ken White, Luke Drury, Mark Foster, Paul Lang, Ralph Bischof, Kevin Jones • Routing Sub Team: Hugh LaMaster, Andy Germain, Dawn Bedard, George Uhl, Greg Coggins, Greg Campbell, James Good, Ken White, Kevin Kranacs, Kofi Burney, Luke Drury, Michael Neblett, Ralph Bischoff, Bill Fink, Kevin Jones • DNS Sub Team: Dave Swager, Carol Bryant, Dawn Bedard, Gary Gapinski, Greg Coggins, Joshua Being, Kofi Burney, Luke Drury, Nancy Shelvin, Ralph Bischoff, Tony Arviola, Kevin Jones
Routing Sub Team Milestones • Need to implement IPv4/IPv6 dual-stack in the core WAN routers. (10/2011) • Operational IPv6 peering with providers (e.g. Level 3, Hurricane Electric) and some NASA networks (e.g. NISN, NAS, NREN, SEN) (12/2011) • Testing and deployment of updated Router/Switch and monitoring software will need to be done so that, e.g., SNMP and flow data export work over IPv6. (1/2012) • Implement IPv6 in NASA DMZ locations where public facing servers are located (2/2012) • Update agency network management procedures to reflect IPv6 (3/2012)
DNS Sub Team Milestones • Document and publicize approved process for allocating and distributing permanent IPv6 address assignments (8/2011) • NASA's IPAM/DNS servers need to be reachable via IPv6 (10/2011)
Security Sub Team Milestones • Notice to SSP owners & security community about IPv6 mandates and potential impact (8/2011) • Develop security policies, procedures, and devices/tools for securing your Agency's IPv6 operations (9/2011) • Communicate requirements to security vendors (10/2011) • LAN/DMZ/shared-services security hardware and software to be upgraded to be as fully capable in IPv6 as in IPv4 (3/2012) • WAN security hardware and software to be upgraded to be as fully capable in IPv6 as in IPv4 (4/2012) • Update risk assessments and C&A procedures for all public/external facing servers and services operationally using native IPv6 (9/2012)
Testing & Verification Sub Team Milestones • Provide feedback to NIST for proposed USGv6 updates (8/2011) • Develop agency test/demonstration plans for services affected by OMB FY2012 mandate (9/2011) • Update agency testing processes to reflect FY 2012 milestones (10/2011)
Web & Apps Sub Team Milestones • Update of STRAW database with additional public/external facing websites (8/2011) • Identify any unique IPv6 requirements from your user community (9/2011) • Identify any IPv4-only (“legacy”) assets affected by the OMB FY2012 mandate that cannot support IPv6 (9/2011) • Implementation of www.nasa.gov in dual stack mode (2/2012) • 10% of public/external facing websites implemented with dual-stack IPv6 (3/2012) • Upgrade public/external facing servers and services (e.g. web, email, DNS, ISP services, etc) to operationally use native IPv6 (9/2012)
Contact Information • NASA IPv6 Taskforce Sharepoint Site: • https://share.nasa.gov/teams/arc/ipv6-taskforce/default.aspx • NASA IPv6 Distribution Lists: • ipv6-taskforce@lists.nasa.gov • ipv6-routing-subteam@lists.nasa.gov • ipv6-dns@lists.nasa.gov • ipv6-security@lists.nasa.gov • ipv6-tv@lists.nasa.gov • ipv6-web-apps@lists.nasa.gov • Federal IPv6 Taskforce Distribution Lists & Federal IPv6 Wiki • v6task-force@nist.gov • fedv6-deploy@nist.gov • https://max.omb.gov/community/x/EhPVI
Resources 1. Planning Guide and Roadmap toward IPv6 Adoption in USG http://www.cio.gov/documents_details.cfm/uid/1F4376CF-2170-9AD7-F24F363D0A04637E/structure/Enterprise%20Architecture/category/IPv6 2. USG IPv6 Profile http://www.antd.nist.gov/usgv6/usgv6-v1.pdf 3. Federal Acquisition Regulations (FAR) http://edocket.access.gpo.gov/2009/pdf/E9-28931.pdf 4. USGv6 Testing Program for product compliance http://www.antd.nist.gov/usgv6/testing.html 5. Suppliers Declaration of Conformity Template http://www.antd.nist.gov/usgv6/sdoc.html 6. Guidelines for the Secure Deployment of IPv6, SP 800-119 http://csrc.nist.gov/publications
Have your attitudes changed about IPv6? • I am so excited, I am going to start writing a test plan on the plane ride home! • I am interested in helping to implement IPv6 • Yes, and for the better! • No, but I was already a proponent • I was scared before, but I am really scared now! • Still a non-believer, I will believe when I see it.
Kevin L. Jones NASA IPv6 Transition Manager Kevin.L.Jones@nasa.gov 650-604-2006
IPv6 Testers • Numerous tools exist to test the IPv6 capabilities of local access and transit networks. These tools might be of use to agencies in testing IPv6 ISP services. • http://test-ipv6.com/ • http://netalyzr.icsi.berkeley.edu/