- Number of slides: 30
DREN IPv6 Implementation Update
Joint Techs Workshop, Feb 2007, Minneapolis, MN
Ron Broersma, DREN Chief Engineer
High Performance Computing Modernization Program
ron@spawar.navy.mil
13-Feb-2007 DREN IPv6 Update 1
Background
• DREN …
  – is DoD's ISP for the RDT&E community
  – also serves as the DoD IPv6 "pilot" network
  – operates 2 IPv6 wide area networks (testbed, production)
Some History
• 2001
  – January - May: DREN builds the DREN IPv6 testbed
• 2003
  – June: DoD CIO sets goal to transition all DoD and Service inter and intra networking by FY '08
  – July: DREN chosen as the DoD IPv6 "pilot"
  – August: HPCMP Director directs HPC Centers to transition to dual-stack infrastructure
• 2004
  – DoD makes plans and organizes. DREN just does it.
• 2005
  – March: DoD IPv6 Transition Plan signed out
  – Services working on their own transition plans
    • Still pretty much the case today
DREN IPv6 philosophy
• Push the "I believe" button, and turn on IPv6 everywhere to see what works (and what doesn't)
• Do it in a production environment
  – can get away with this in an R&D environment, but not on operational networks.
• Go native. (no tunnels)
• Even if the world doesn't convert for years, R&D environments need it now.
• Figure out how to deploy IPv6 to the rest of DoD in the future.
Overall difficulty
• Easy parts
  – Dual-stacking the nets (WANs, LANs)
  – Enabling IPv6 functionality in modern operating systems
  – Establishing basic IPv6 services (DNS, SMTP, NTP)
  – Enabling IPv6 in some commodity services (HTTP)
• A little more challenging
  – Getting the address plan right
  – Operating and debugging a dual stack environment
  – Multicast (but easier than IPv4)
• Hard parts
  – Creating the security infrastructure (firewalls, IDS, proxies, IDP/IPS, VPNs, ACLs)
  – Working around missing or broken functionality
  – DHCP
  – Creating incentives to upgrade and try IPv6
  – Getting the vendors to fix bugs or incorporate necessary features
    • Not enough market pressure, so other activities take priority
DREN sites status 2006
DREN sites status 2007
Performance Measurement and Visualization - Planet DREN
IPv6 Security Review
• Independent security review performed by SAIC for DREN
  – Publicly available
• Some of the conclusions:
  – protocol is no less secure than v4
  – multicast is still spoofable
  – mobility is scary
  – ND – spoofable, but no exploits found yet
  – Windows – ack's things twice in all v6 TCP streams???
  – router renumbering – can spoof – possible DoS
  – landv6 attack works, but doesn't crash machine
IPv6 Multicast Beacon DREN
Some Lessons Learned
• There is no immediate "win" in transitioning to IPv6. The payoff must be viewed as long-term.
• Incentives are needed to encourage near term transition and to make transition a priority.
  – "If you build it, they won't necessarily come"
• Many security components are still neither mature nor widely available. Security takes extra thought and effort.
• 1 + 1 > 2
  – managing 2 IP networks (IPv4, IPv6) can be more than double the design complexity due to new interactions.
  – Making topologies congruent can minimize such impact.
Example Re-addressing scheme
• Re-address the network for consistency between protocols
  – IPv4 – move all subnets to /24 or larger
  – Align VLAN number with 3rd octet of IPv4 address
  – Align IPv6 "subnet number" with the above
  IPv4: 128 . 49 . subnet . host          (subnet = VLAN-id)
  IPv6: 2001 : 0480 : 0010 : subnet :: Interface ID
• Benefits
  – Reduction in complexity
  – Easier for operations staff, once re-addressing is complete
• Note
  – Assumes you have enough IPv4 address space to change it as well.
One way to handle PTR records
• Example site:
  – Already records MAC addresses for registered devices on the network, and stores in a database
  – Uses stateless address auto-configuration (SLAAC) for most machines, in particular the clients
• Built script to generate PTR records for all registered devices, regardless of whether they were running IPv6 or not, and installed it in their DNS.
• If any device happens to turn on IPv6 and uses SLAAC, they are already pre-registered.
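The two preceding slides together describe a scheme that can be scripted: derive the IPv6 /64 that is congruent with a VLAN's IPv4 /24, then pre-compute each registered device's SLAAC address and its PTR record. The following is an added example, not the DREN site's script; it assumes the 2001:480:10::/48 and 128.49.0.0/16 blocks shown on the re-addressing slide, a constructed device registry, and that the decimal VLAN number is written directly into the IPv6 subnet hextet.

```python
import ipaddress

# From the re-addressing slide: IPv4 is 128.49.<subnet>.<host>, IPv6 is 2001:0480:0010:<subnet>::<iid>
IPV4_BASE = ipaddress.ip_network("128.49.0.0/16")
IPV6_BASE = ipaddress.ip_network("2001:480:10::/48")

def congruent_ipv6_subnet(ipv4_subnet: str, vlan_id: int) -> ipaddress.IPv6Network:
    """IPv6 /64 whose subnet field mirrors the IPv4 3rd octet, which must equal the VLAN id.
    Assumption: the decimal VLAN number is written as-is into the hextet (VLAN 49 -> ...:49::)."""
    net = ipaddress.ip_network(ipv4_subnet)
    if net.prefixlen > 24:
        raise ValueError(f"{net} is smaller than /24; re-address to /24 or larger first")
    if not net.subnet_of(IPV4_BASE):
        raise ValueError(f"{net} is outside {IPV4_BASE}")
    third_octet = net.network_address.packed[2]
    if third_octet != vlan_id:
        raise ValueError(f"VLAN {vlan_id} does not match 3rd octet {third_octet} of {net}")
    subnet_field = int(str(vlan_id), 16)            # decimal digits reused as hex digits
    return ipaddress.IPv6Network((int(IPV6_BASE.network_address) | (subnet_field << 64), 64))

def slaac_address(prefix: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """SLAAC address a host self-assigns from its MAC: modified EUI-64 interface ID
    (insert ff:fe in the middle, flip the universal/local bit) under a /64 prefix."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6 or prefix.prefixlen != 64:
        raise ValueError(f"need a 48-bit MAC and a /64 prefix, got {mac} / {prefix}")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return ipaddress.IPv6Address(int(prefix.network_address) | int.from_bytes(iid, "big"))

# Constructed sample of a site's device registry: (hostname, VLAN id, IPv4 subnet, MAC)
REGISTRY = [
    ("ws1.example.net", 49, "128.49.49.0/24", "00:1b:21:3a:4c:5d"),
    ("ws2.example.net", 100, "128.49.100.0/24", "08:00:27:ab:cd:ef"),
]

def generate_ptr_records(registry=REGISTRY) -> list:
    """Pre-generate an ip6.arpa PTR zone line for every registered device, whether or not it
    runs IPv6 yet, so a host that later enables SLAAC already has reverse DNS."""
    lines = []
    for host, vlan, v4net, mac in registry:
        addr = slaac_address(congruent_ipv6_subnet(v4net, vlan), mac)
        lines.append(f"{addr.reverse_pointer}. IN PTR {host}.")
    return lines

if __name__ == "__main__":
    print("\n".join(generate_ptr_records()))
```

Hosts whose stack does not derive the interface ID from the MAC (Vista's default, per the "Additional properties of Vista" slide) will not match these pre-generated records.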
IPv6 capability in products
• These are necessary but not sufficient to show functional equivalence to IPv4:
  – Standards activities (IETF, DISR), theoretical analysis of standards (NSA), test equipment (Agilent, Ixia, Spirent), JITC generic test plans and approved product lists, and test beds (DRENv6, MoonV6).
• These are sufficient but not conclusive to show equivalence:
  – Extended use in real networks to expose and fix remaining errors (Internet2, DREN IPv6 pilot, still more would be nice).
• To really determine IPv6 support for your needs, query the vendor for specific features that matter to you. Be careful in evaluating their response. Try not to let your expectations dictate the results you find, or you will overlook/misinterpret results that contradict those expectations.
It is crucial that IPv6 products have functionality equivalent to IPv4 products!
Some Challenges
• Keeping security policies consistent
  – ACLs
  – Firewall policies
• Adversaries now have a new entry vector
  – Don't allow IPv6 path to be a new weakest link
• Diagnosing network problems
  – Especially if the routing topology isn't congruent
  – Confusion over which protocol is broken, and what protocol is being tested using diagnostic tools.
• Trying to outlaw NAT
  – Some think that it brings important features (i.e. "security").
  – Be sure to see draft-ietf-v6ops-nap-06.txt (Local Network Protection)
• Fighting the pressure to disable IPv6 in Vista
  – Uncertainty in whether it is "safe", from a security perspective.
  – We need to make sure this doesn't happen
Examples of things that are broken or missing
• Juniper Router
  – Port-mirroring doesn't support IPv6 except in very high-end devices.
    • A fix is "not on the product roadmap"
  – MLDv2 incompatible with Linux
  – IPSEC for IPv6 only recently added
• Juniper Netscreen firewall
  – Finally have IPv6 in mainline code, but…
    • Only in one of the hardware products (ISG-2000)
    • Still missing OSPFv3, BGP, IPv6 multicast, transparent-mode, GRE, …
• Red Hat
  – RHEL4-U4 feels slow with IPv6 load, due to kernel bug. Not officially fixed until -U5 (March).
• Mozilla Thunderbird
  – LDAP fails if IPv6 is enabled. A long term problem. Emergence of Vista added pressure to achieve a fix.
• DHCPv6
  – No reference implementation from ISC
  – "No usable DHCPv6" – Karl Auer, nullarbor
  – DHCPv6 relay not implemented in some routers.
    • Support recently added by Foundry, based on our feature requests.
Examples of things that are broken or missing
• Many products that are critical to security infrastructure are not IPv6-enabled
  – Bluecoat cache/proxy
  – Netscreen IDP
  – Tipping-Point IPS
    • Originally promised for 1Q07 but just slipped 18 months
  – Many VPN products
    • Both SSL VPNs and IPSEC VPNs
  – Netscreen Security Manager
    • Can't manage IPv6-enabled products
  – Vulnerability assessment and forensics tools from most vendors
Vista and IPv6
• Extensive beta testing performed (see backup slides)
• Microsoft claiming full support for IPv6
• But…
  – no IPv6 access support for…
    • Windows Activation after installation
    • Windows Update
    • IE7 Phishing filter
    • Beta Client bug reporting
  – Winhlp32 not in RTM but promised download not available yet.
Commitment to IPv6
• What about other vendors' commitments to IPv6?
• Are they using it in their production networks?
• Do they have an IPv6 presence on the Internet?
• Do they follow the "eat your own dogfood" principle?
• Time for a survey…
Vendor scorecard
• Looked in DNS to see if there were AAAA records for www, MX, and DNS.
• Quick sampling of major computer and network companies showed no public facing IPv6.
• We will be expanding our survey
  – Additional attributes
  – Additional companies
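The scorecard check on this slide, written out as an added example (not the DREN survey tooling): for each domain it asks whether the www host, every MX target and every NS host has an AAAA record. It runs over a constructed in-memory DNS answer set so it works offline; the `resolve` callable is the hypothetical hook where a real resolver such as dnspython would be plugged in.

```python
# Constructed sample DNS data: (owner name, rrtype) -> rdata; MX/NS entries carry only the target host
FAKE_DNS = {
    ("vendor-a.example", "MX"): ["mail.vendor-a.example."],
    ("vendor-a.example", "NS"): ["ns1.vendor-a.example."],
    ("www.vendor-a.example", "AAAA"): ["2001:db8:a::80"],
    ("mail.vendor-a.example", "AAAA"): ["2001:db8:a::25"],
    ("ns1.vendor-a.example", "AAAA"): [],                 # v4-only name server
    ("vendor-b.example", "MX"): ["mx.vendor-b.example."],
    ("vendor-b.example", "NS"): ["ns.vendor-b.example."],
    # vendor-b has no AAAA records anywhere: the common finding reported on the slide
}

def lookup(name: str, rrtype: str) -> list:
    """Offline stand-in for a resolver; a real one would return the same shape (list of rdata)."""
    return FAKE_DNS.get(name.rstrip("."), [])  if False else FAKE_DNS.get((name.rstrip("."), rrtype), [])

def has_aaaa(name: str, resolve=lookup) -> bool:
    return bool(resolve(name, "AAAA"))

def scorecard(domain: str, resolve=lookup) -> dict:
    """Per-attribute result: www, mail (all MX targets) and dns (all NS hosts) reachable over IPv6.
    MX and NS are followed to their hostnames before the AAAA check; an empty RRset scores False."""
    mx_hosts = resolve(domain, "MX")
    ns_hosts = resolve(domain, "NS")
    return {
        "www": has_aaaa(f"www.{domain}", resolve),
        "mx": bool(mx_hosts) and all(has_aaaa(h, resolve) for h in mx_hosts),
        "dns": bool(ns_hosts) and all(has_aaaa(h, resolve) for h in ns_hosts),
    }

def has_public_ipv6(domain: str, resolve=lookup) -> bool:
    """True if any of the three public-facing services is IPv6-reachable."""
    return any(scorecard(domain, resolve).values())

def survey(domains, resolve=lookup) -> dict:
    """Scorecard table for a list of domains, as the slide's survey would tabulate it."""
    return {d: scorecard(d, resolve) for d in domains}
```

A name server answering over IPv6 also needs AAAA glue at the parent, which this presence check does not verify.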
Situation Today
• We've been successfully using IPv6 in a production environment, with many dual-stack systems and services, for at least 3 years.
  – Modern operating systems just work, out of the box (Mac OS X, Vista, Solaris 10, etc)
• Most urgent needs from our perspective:
  – Need parity with IPv4 in all implementations
  – Enabling IPv6 must NOT break things
  – Need to make security stacks fully IPv6 capable
    • Firewalls, IDS, proxies, IDP/IPS, ACLs
  – Need more incentives to do IPv6 (generate demand)
• Basic layer 3 (IP routing) implementations are mature
  – ISPs and WANs should be IPv6-enabled now.
    • What about SOHO modems/routers?
    • Consumer CPE doesn't do IPv6!
Testing of Microsoft Vista (Ethan Strike, NRL)
Windows Networking Comparison
Columns: Feature | Windows XP/2003 | Windows Vista
• Shared IPv4/IPv6 stack and firewall
• IPv6 installed by default
• IPv6 configured on the command line (Windows 2003)
• IPv6 configured using the GUI
• Complete IPv4/IPv6 IPsec implementation
• Privacy setting used by default
Screenshot: IPv6 GUI Configuration
Windows Networking Comparison Cont.
Columns: Feature | Windows XP/2003 | Windows Vista
• IPv6 preferred over IPv4 when IPv6 is available
• IPv6-only Windows Network Services (Active Directory)
• Advanced Windows Firewall for complete control of network traffic and IPsec
• Automatic adjustment of TCP receive window
Screenshot: Advanced Firewall
Additional properties of Vista
• Choice of Public and Private Networking Settings
  – Determines if following services are run by default (Private = enabled)
    • Network Discovery
    • File, Printer, Public-folder and Media Library Sharing
  – Configures Windows Firewall for these services
• Stateless autoconfiguration does not use hardware address of interface when determining 64-bit suffix
• Caution: tunneling protocols are enabled by default
• Caution: DHCPv6 is enabled by default to receive additional network information (i.e. preferred DNS server)
Longhorn Active Directory Testbed over DREN
• Goals
• Setup Of Longhorn Server
• Access Extended to Remote Clients
• Conclusions
Goals
• Test IPv6 networking in Windows Vista and Longhorn by setting up a Longhorn Active Directory server
• Test interoperability between a Longhorn server and Windows XP client using IPv4
• Have clients join from across DREN to identify possible issues across a wide-area network
Conclusions for Vista
• Biggest snags in process were due to other factors in beta testing
  – Third party software
  – Vista Graphics Interface unstable
• IPv6-only connectivity worked as advertised
• IPv4 connectivity from Windows XP hosts worked as well
• Additional technologies to test
  – IPsec between clients and domain controller
  – Adding an additional domain controller for AD and DNS replication
  – Service interoperability between Longhorn AD and *NIX hosts