18-Jul-05 DREN IPv6 Update 1
DREN IPv6 Implementation Update
Joint Techs Workshop, July 2005
Vancouver, BC, Canada
Ron Broersma, DREN Chief Engineer
High Performance Computing Modernization, [email protected]
18-Jul-05 DREN IPv6 Update 2
Introduction
• DREN is DoD’s network serving the RDT&E community
• It serves as the DoD IPv6 “pilot” network.
• DREN operates 2 IPv6 wide area networks
– Testbed
• Dedicated Cisco routers
• ATM PVC mesh
– Production
• Dual stack production backbone
• Juniper routers
18-Jul-05 DREN IPv6 Update 3
DREN “production” network
18-Jul-05 DREN IPv6 Update 4
DRENv6 “testbed” Logical Topology
[Topology diagram: core routers at Dayton, San Diego, Albuquerque, Wash D.C., Stennis, Vicksburg and Aberdeen, interconnected by ATM PVC (OC-3) links and tunnels. Other labelled nodes: HICv6 (Hawaii), GlobalCrossing, HurricaneElectric, LAVAnet, SPRINT, vBNS+, 6TAP, SSC Charleston, SSAPAC, SSC San Diego, WCISD, AOL, NRL, ARL, WPAFB, ERDC, NAVO, C&W, Cisco, NTTCom/Verio, AFRL Kirtland AFB, Abilene, SD-NAP, SDSC, FIX-West, HP, AIX-v6, TIC, JITC, and a tunnel broker. Legend: Core Router, “site”, IXP, ISP or BGP Neighbor.]
18-Jul-05 DREN IPv6 Update 5
DREN IPv6 transition architecture – FY04
[Architecture diagram: DRENv6 (Testbed) alongside DREN2 (Production / Pilot), with service delivery points sdp.arlapg, sdp.sandiego and sdp.erdc serving ARL-APG, SSCSD and ERDC; each site boundary shows NIDSv6 and a v6 ACL, with a testbed at each DREN site; connectivity to 6bone, Abilene and other IPv6 enabled ISPs, and IPv6 demonstrations (Moonv6).]
• Dual stack IPv4 and IPv6 wide area infrastructure
• Type “A” (IP) production service to DREN sites: IPv4 and IPv6 provided over the same interface
• Native IPv6 backbone: links run native IPv6 where possible, otherwise tunnelled in IPv4
• Goal: As secure as the IPv4 backbone
18-Jul-05 DREN IPv6 Update 6
DREN IPv6 philosophy
• Push the “I believe” button, and turn on IPv6 everywhere to see what works (and what doesn’t)
• Do it in a production environment
– can get away with this in an R&D environment, but not on operational networks.
• Go native. (no tunnels)
• Even if the world doesn’t convert for years, R&D environments need it now.
• Figure out how to deploy IPv6 to the rest of DoD in the future.
18-Jul-05 DREN IPv6 Update 7
Report on some current efforts
• Security
• IPv6 Multicast
• DHCPv6/DNS
18-Jul-05 DREN IPv6 Update 8
Security
• Reported previously
– many security features missing in implementations
• IPsec, ACLs, etc.
– many security products don’t do IPv6
• firewalls, IDS, scanners, etc.
• Update
– snort-2.3.3 upgraded to IPv6 by DREN
• in production as part of DREN’s IDS
– giving up on Juniper IPv6 port-mirroring
• installing Foundry switches at exchanges
– independent security review contracted to SAIC
• report due Oct ‘05
18-Jul-05 DREN IPv6 Update 9
Independent Security Review
• Reviewing…
– protocol
– stack maturity
– tool maturity
• Analyzing…
– v6 versions of all v4 attacks
– packets emitted on boot, as well as other traffic and interactions
– how things behave with strange packets
• So far…
– protocol is no less secure than v4
– mobility is scary
– multicast is still spoofable
– ND – spoofable, but no exploits found yet
– Windows – ack’s things twice in all v6 TCP streams???
– router renumbering – can spoof – possible DoS
– landv6 attack works, but doesn’t crash machine
• Good stuff…
– ethereal – excellent v6 parsing
– scapy – great packet hacking tool, supports v6
18-Jul-05 DREN IPv6 Update 10
IPv6 multicast
• Focus: get DREN backbones fully ipv6-multicast enabled.
• Status (work in progress)
– Testbed – fully operational
• PIMv2, MLDv2, SSM, ASM, static RP, embedded-rp
– Production – operational
• routers all upgraded to JunOS 7.2
• PIMv2, MLDv2, SSM, ASM, some embedded-rp
– Beacon – operational (dbeacon)
• ASM and SSM, using embedded-rp group address
– Test environment
• Linux 2.6.11, Linux 2.4, Solaris 10
• Cisco (testbed), Juniper (DREN production), Juniper (site), Foundry BI (site)
– simulating cross-domain interaction
[Diagram: Testbed (Cisco) and Production (Juniper, sdp.sandiego) backbones, a Site (SSCSD, sdp, Juniper/Foundry), and the Test Environment (beacon) with Linux and Solaris hosts.]
18-Jul-05 DREN IPv6 Update 11
IPv6 Multicast
• Learned:
– lots of good work already done by folks at m6bone
– ssmping – great test/debug tool
• server (source) doesn’t need MLDv2, only receivers
– dbeacon – new beacon software
– notion of multicast/PIM domains blurred or gone.
• use embedded-rp for cross-domain ASM
– embedded-rp works great
• Cisco – enabled by default
• Juniper – disabled by default (surprise)
– needs to be enabled on all routers between the RP and potential receivers.
• Some Issues
– Foundry – no MLDv2 yet
– no MLDv2 in WinXP, broken in old Linux, Solaris.
• ToDo:
– test beyond DREN (Abilene? m6bone?)
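Slides 10 and 11 rely on embedded-RP group addresses for cross-domain ASM (the beacon uses one). The following is an added example, not code from the DREN deck or from dbeacon: it decodes and builds RFC 3956 embedded-RP addresses, and adds a policy check a border or RP router operator would want given the "multicast is still spoofable" finding: only accept groups whose embedded RP falls inside a prefix the domain actually controls. All addresses in it are constructed (2001:db8::/32 documentation space).

```python
import ipaddress

def embedded_rp(group):
    """Return the RP address encoded in an embedded-RP (RFC 3956) group address."""
    b = ipaddress.IPv6Address(group).packed
    flags, reserved, riid, plen = b[1] >> 4, b[2] >> 4, b[2] & 0x0F, b[3]
    # Flags nibble must be 0RPT = 0111 (R, P and T all set); reserved nibble must be zero.
    if b[0] != 0xFF or flags != 0x7 or reserved != 0:
        raise ValueError("not an embedded-RP group address: %s" % group)
    if riid == 0 or not 1 <= plen <= 64:
        raise ValueError("invalid RIID or prefix length in %s" % group)
    # RP = first plen bits of the 64-bit network-prefix field, zeros, then RIID in the low nibble.
    prefix = int.from_bytes(b[4:12], "big") << 64
    mask = ((1 << plen) - 1) << (128 - plen)
    return ipaddress.IPv6Address((prefix & mask) | riid)

def embedded_rp_group(rp_prefix, riid, scope, group_id):
    """Inverse: build the group address whose RP is <rp_prefix>::<riid> at the given scope."""
    net = ipaddress.IPv6Network(rp_prefix, strict=True)
    if not (1 <= riid <= 15 and 1 <= net.prefixlen <= 64 and 0 <= scope <= 15):
        raise ValueError("RIID 1..15, prefix length 1..64 and scope 0..15 required")
    head = bytes([0xFF, 0x70 | scope, riid, net.prefixlen])   # FF, flags 0111 + scope, 0 + RIID, plen
    return ipaddress.IPv6Address(head + net.network_address.packed[:8]
                                 + group_id.to_bytes(4, "big"))

def rp_is_trusted(group, trusted_prefixes):
    """Defensive policy check: accept a group only if its embedded RP lies inside a prefix this
    domain controls. A malformed address or an RP in a foreign prefix is rejected."""
    try:
        rp = embedded_rp(group)
    except ValueError:
        return False
    return any(rp in ipaddress.IPv6Network(p) for p in trusted_prefixes)

if __name__ == "__main__":
    # Constructed values (not from the DREN deck): RP 2001:db8::1, global scope (E), group id 0x1234.
    g = embedded_rp_group("2001:db8::/64", riid=1, scope=0xE, group_id=0x1234)
    print(g, "->", embedded_rp(str(g)))               # ff7e:140:2001:db8::1234 -> 2001:db8::1
    print(rp_is_trusted(str(g), ["2001:db8::/32"]))   # True
```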
18-Jul-05 DREN IPv6 Update 13
DHCPv6/DNS
• Goal – implement a dhcpv6 environment, similar to how some sites use it in v4.
– common practice: DHCP (v4) assigns addresses, and performs dns-update for A and PTR records. DNS master only has to trust DHCP server, not every client.
• Challenge: finding mature and complete DHCP implementation
• Testing, status
– ISC (popular dhcp reference implementation)
• IPv4 only
– dhcpv6-linux
• incomplete
• last version 2 years ago
– dhcpv6 (sourceforge)
• incomplete, but works – no dns-update
• included in Fedora Core 3 and Red Hat 4
– Lucent
• tested, and appears to work. Haven’t tested dns-update (awaiting more software).
• No documentation
• Issues:
– no dhcp client in WinXP
– uncertainty and debate on interactions between stateless and stateful (DHCP) autoconfig.
• M/O bits debate
• how useful is DHCPv6, if only use might be to get DNS servers and domain?
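The M/O bits debate above is about how a host combines Router Advertisement flags with stateless and stateful autoconfig. The following is an added example, not from the DREN deck: it parses the ICMPv6 RA header and Prefix Information options, then maps the M/O bits and the per-prefix A flag to what a host should do (RFC 2462 address autoconfiguration and RFC 3736 stateless DHCPv6 semantics). The RA packets are constructed inline with a zero checksum, which the parser does not validate.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type
OPT_PREFIX_INFO = 3      # ND option type

def parse_ra(pkt):
    """Parse an ICMPv6 Router Advertisement: M/O flags plus Prefix Information options."""
    if len(pkt) < 16 or pkt[0] != ND_ROUTER_ADVERT or pkt[1] != 0:
        raise ValueError("not a Router Advertisement")
    flags, lifetime = struct.unpack("!BH", pkt[5:8])   # byte 5 = flags, bytes 6-7 = router lifetime
    ra = {"M": bool(flags & 0x80), "O": bool(flags & 0x40),
          "router_lifetime": lifetime, "prefixes": []}
    off = 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1] * 8
        if olen == 0 or off + olen > len(pkt):   # zero-length or truncated option: discard the RA
            raise ValueError("malformed ND option")
        if otype == OPT_PREFIX_INFO and olen == 32:
            plen, pflags = pkt[off + 2], pkt[off + 3]
            prefix = ipaddress.IPv6Address(pkt[off + 16:off + 32])
            ra["prefixes"].append({"prefix": "%s/%d" % (prefix, plen),
                                   "L": bool(pflags & 0x80), "A": bool(pflags & 0x40)})
        off += olen
    return ra

def host_config_plan(ra):
    """SLAAC on A-flagged prefixes; DHCPv6 as the M/O bits say (M=1: stateful, addresses too;
    M=0,O=1: stateless, only other configuration such as DNS servers and domain)."""
    plan = []
    if any(p["A"] for p in ra["prefixes"]):
        plan.append("slaac")
    if ra["M"]:
        plan.append("dhcpv6-stateful")
    elif ra["O"]:
        plan.append("dhcpv6-stateless")
    return plan

def build_ra(m, o, prefix="2001:db8:1::", plen=64, a=True):
    """Construct a sample RA (constructed test input; checksum left zero)."""
    flags = (0x80 if m else 0) | (0x40 if o else 0)
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    pflags = 0x80 | (0x40 if a else 0)   # L (on-link) and optionally A (autonomous)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, pflags, 2592000, 604800, 0)
    return hdr + opt + ipaddress.IPv6Address(prefix).packed

if __name__ == "__main__":
    for m, o in ((0, 0), (0, 1), (1, 0)):
        print("M=%d O=%d ->" % (m, o), host_config_plan(parse_ra(build_ra(m, o))))
```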