IPv6 deployment on a broadband access network
Athanasios Douitsis
National Technical University of Athens / Greek Research Network
PTT infrastructure
[Diagram: PTT infrastructure]
A. Douitsis - IPv6 deployment on a broadband access network
EduDSL in a nutshell
[Diagram: proxy RADIUS; ISP1, ISP2, ISP3; uplink; Greek Student Network infrastructure; Home RADIUSes; PPP; LNS's; institution address pools]
Present Status
• 50 institutions - provisioning of IP addresses
• 30,000 users - assignment of IP to each user according to affiliated institution
• 3 commercial ISPs - user account management, billing, accounting
• Greek Research Network - connectivity, administration, equipment
• 9 LNS’s, 3 Gigabit uplinks, 2 Proxy RADIUSes
Objective: Native IPv6 over PPP (PPPv6)
• IPv6-enabled PPP connections
• IPv6-enabled home LAN support (behind CPE)
• IPv6 accounting
• No user action necessary
• EduDSL-specific: IPv6 addresses per institution
• EduDSL-specific: ISP RADIUSes unaffected
• CPE: Windows Vista, MacOSX, GNU/Linux, FreeBSD, other vendors
Addressing Scheme
• 2 /64 prefixes for each user (1 PPP, 1 Home LAN).
Per-user /64 layout:
  field              | width   | note
  institution prefix | 48 bits | >=1 prefix from each institution
  LNS id             | 4 bits  | at most 16 LNSs
  address pool       | 12 bits | 4096 prefixes per LNS per institution
  interface id       | 64 bits | unique persistent interface id per user
• ipv6 local pool inst2-pool 2001:648:2001::/52 64
IPv6 over PPP (RFC 2472)
• LCP unchanged
• IPv6CP
• (Optional) Interface ID - lower 64 bits settable by the LNS
• IPv6 Address auto-configuration over established link after PPP start
• Recommendation for /64 prefixes
[Diagram: LNS -- PPP link -- CPE; router advertisement from the LNS over the PPP link]
IPv6 on Home LAN - Neighbor Discovery Proxies
• RFC 4389
• Proxying of ICMPv6 ND messages to the Home LAN
• Only 1 /64 prefix needed per user for both PPP and Home LAN
• No known implementations at this point - adoption postponed
[Diagram: LNS -- PPP link -- CPE -- Home LAN; router advertisement from the LNS, proxied by the CPE as a router advertisement onto the Home LAN]
IPv6 on Home LAN - DHCPv6 prefix delegation
• Request of additional prefix by the CPE
• DHCPv6 requests and responses over the PPP link
• delegation of IPv6 /64 prefix to the CPE by the LNS
• Home LAN enumerated using address auto-configuration and the delegated /64 prefix
[Diagram: LNS -- PPP link -- CPE -- Home LAN; DHCPv6 request from the CPE, DHCPv6 response delegating prefix a:b:c:d/64, router advertisement of a:b:c:d/64 on the Home LAN]
ipv6 local pool inst2-pool 2001:648:2001::/52 64
RADIUS attributes for IPv6
• Framed-IPv6-Pool
• Framed-Interface-ID
[Diagram: LNS <-> RADIUS]
  access request
  access accept: Framed-IPv6-Pool = inst2, Framed-Interface-Id = aaaa:bbbb:cccc:dddd
  accounting (start/stop): Framed-Interface-Id = aaaa:bbbb:cccc:dddd
RADIUS attributes for IPv6 Prefix Delegation
• EduDSL: Usage of the same prefix pool for PPP and Home LAN
• Simpler configuration
• Uniformity
• Efficient Usage
[Diagram: LNS <-> CPE: DHCPv6 request, DHCPv6 response delegating a:b:c:d/64]
RADIUS access accept:
  Framed-IPv6-Pool = inst2
  Framed-Interface-Id = aaaa:bbbb:cccc:dddd
  cisco-avpair = "lcp:interface-config=ipv6 dhcp server inst2-dhcp"
LNS configuration:
  ipv6 local pool inst2-pool 2001:648:2001::/52 64
  ipv6 dhcp pool inst2-dhcp
   prefix-delegation pool inst2-pool
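As an added example, not from the deck or from any vendor it names: a small Python encoder and decoder for the RADIUS attributes the two slides above rely on (Framed-IPv6-Pool, Framed-Interface-Id and the cisco-avpair VSA that switches on the DHCPv6 server), plus the Framed-IPv6-Prefix and Delegated-IPv6-Prefix attributes the JunOSe addendum later depends on. Attribute type codes are the IANA-registered ones; the decoder rejects a malformed length instead of skipping it, which is the check a proxy RADIUS between ISP and LNS should make.

```python
import ipaddress
import struct

# Type codes: RFC 3162 (Framed-Interface-Id 96, Framed-IPv6-Prefix 97, Framed-IPv6-Pool 100),
# RFC 4818 (Delegated-IPv6-Prefix 123), RFC 2865 Vendor-Specific 26 with Cisco vendor id 9, cisco-avpair 1.
FRAMED_INTERFACE_ID, FRAMED_IPV6_PREFIX, FRAMED_IPV6_POOL, DELEGATED_IPV6_PREFIX = 96, 97, 100, 123
VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AVPAIR = 26, 9, 1
PREFIX_NAMES = {FRAMED_IPV6_PREFIX: "Framed-IPv6-Prefix", DELEGATED_IPV6_PREFIX: "Delegated-IPv6-Prefix"}

def _avp(attr_type: int, value: bytes) -> bytes:  # Type, one-octet Length (counts the header), Value
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def interface_id_avp(text: str) -> bytes:  # Framed-Interface-Id: 8 octets from 'aaaa:bbbb:cccc:dddd'
    words = text.split(":")
    if len(words) != 4 or any(len(w) != 4 for w in words):
        raise ValueError("interface id must be four groups of four hex digits")
    return _avp(FRAMED_INTERFACE_ID, b"".join(int(w, 16).to_bytes(2, "big") for w in words))

def prefix_avp(attr_type: int, prefix: str) -> bytes:  # reserved octet, prefix length, prefix octets only
    net = ipaddress.IPv6Network(prefix)
    return _avp(attr_type, bytes([0, net.prefixlen]) + net.network_address.packed[:(net.prefixlen + 7) // 8])

def cisco_avpair_avp(text: str) -> bytes:  # Vendor-Specific: 4-octet vendor id, then sub-TLV type 1
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode("ascii")
    return _avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def edudsl_access_accept_attrs() -> bytes:  # the Access-Accept attribute set the deck shows for inst2
    return (_avp(FRAMED_IPV6_POOL, b"inst2") + interface_id_avp("aaaa:bbbb:cccc:dddd")
            + cisco_avpair_avp("lcp:interface-config=ipv6 dhcp server inst2-dhcp"))

def decode_attributes(payload: bytes) -> dict:  # TLV walk; a bad length is an error, never skipped
    out, pos = {}, 0
    while pos < len(payload):
        if pos + 2 > len(payload) or payload[pos + 1] < 2 or pos + payload[pos + 1] > len(payload):
            raise ValueError(f"malformed attribute at offset {pos}")
        attr_type, length = payload[pos], payload[pos + 1]
        val = payload[pos + 2:pos + length]
        if attr_type == FRAMED_INTERFACE_ID and len(val) == 8:
            out["Framed-Interface-Id"] = ":".join(val[i:i + 2].hex() for i in range(0, 8, 2))
        elif attr_type in PREFIX_NAMES and len(val) >= 2:  # short prefixes are zero-padded back to 16 octets
            addr = ipaddress.IPv6Address(val[2:18].ljust(16, b"\0"))
            out[PREFIX_NAMES[attr_type]] = f"{addr}/{val[1]}"
        elif attr_type == FRAMED_IPV6_POOL:
            out["Framed-IPv6-Pool"] = val.decode("ascii", "replace")
        elif attr_type == VENDOR_SPECIFIC and val[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            out.setdefault("cisco-avpair", []).append(val[6:].decode("ascii", "replace"))
        pos += length
    return out
```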
IPv6 DNS (see RFC 4339)
• RFC 5006: IPv6 Router Advertisement Option for DNS Configuration -- not available
• Anycast DNS -- to be evaluated later
• DHCPv6 stateless mode - used for EduDSL
• “Other” options flag in LNS RA
• Ability to include other options in the future: SNTP server etc.
• Works harmoniously with IPCP-defined DNS settings for IPv4
ipv6 dhcp pool inst2-dhcp
 prefix-delegation pool inst2-pool
 dns-server 2001:648:2FFC:100::2211
IPv6 accounting
• Based on Framed-Interface-ID (== lower 64-bits of PPP IPv6 Address)
• 1 unique Framed-Interface-ID per unique user
• Generation of Framed-Int-ID by hashing ‘[email protected]’ to 64-bits
• Other option: Storage of IDs into DB
• Optional adoption by ISP Home RADIUSes
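An added example (not the deck's or GRNET's code) covering both the Addressing Scheme slide and the accounting slide above: it composes the per-user /64 from the 48/4/12-bit fields and derives a persistent Framed-Interface-ID by hashing the login name. The hash (SHA-256 truncated to 64 bits), the clearing of the u/g bits and the constructed login name are assumptions; the deck only states that the id is a 64-bit hash of the user's login.

```python
import hashlib
import ipaddress

# Per-user /64 layout from the EduDSL addressing scheme:
# institution prefix (48 bits) | LNS id (4 bits) | address pool index (12 bits) | interface id (64 bits)

def lns_pool(institution_prefix: str, lns_id: int) -> ipaddress.IPv6Network:
    """The /52 one LNS hands out for one institution; lns_id 0 reproduces the deck's 2001:648:2001::/52."""
    inst = ipaddress.IPv6Network(institution_prefix)
    if inst.prefixlen != 48:
        raise ValueError("institution prefix must be a /48")
    if not 0 <= lns_id < 16:
        raise ValueError("LNS id must fit in 4 bits (at most 16 LNSs)")
    return ipaddress.IPv6Network((int(inst.network_address) | (lns_id << 76), 52))

def user_prefix(institution_prefix: str, lns_id: int, pool_index: int) -> ipaddress.IPv6Network:
    """One of the 4096 /64 prefixes in that LNS pool (PPP link or delegated Home LAN)."""
    if not 0 <= pool_index < 4096:
        raise ValueError("pool index must fit in 12 bits (4096 prefixes per LNS per institution)")
    pool = lns_pool(institution_prefix, lns_id)
    return ipaddress.IPv6Network((int(pool.network_address) | (pool_index << 64), 64))

def framed_interface_id(username: str) -> int:
    """Stable 64-bit interface id derived from the login name (the hash choice is an assumption).

    The deck only says 'hash to 64 bits'; SHA-256 truncated to 64 bits is used here. The two
    low-order bits of the first octet (the modified EUI-64 'u' and 'g' bits, RFC 4291) are
    cleared as an added safeguard so a hashed id never claims global uniqueness or group scope.
    """
    iid = int.from_bytes(hashlib.sha256(username.encode("utf-8")).digest()[:8], "big")
    return iid & ~(0x03 << 56)

def format_interface_id(iid: int) -> str:
    """Textual Framed-Interface-Id as the RADIUS server sends it, e.g. aaaa:bbbb:cccc:dddd."""
    return ":".join(f"{(iid >> shift) & 0xFFFF:04x}" for shift in (48, 32, 16, 0))

def ppp_address(institution_prefix: str, lns_id: int, pool_index: int, username: str) -> ipaddress.IPv6Address:
    """PPP-side IPv6 address: the user's /64 with the persistent interface id in the low 64 bits."""
    prefix = user_prefix(institution_prefix, lns_id, pool_index)
    return ipaddress.IPv6Address(int(prefix.network_address) | framed_interface_id(username))

if __name__ == "__main__":
    # Constructed login name; the deck's own example username is not reproduced here.
    user = "user@inst2.example"
    print(lns_pool("2001:648:2001::/48", 0), user_prefix("2001:648:2001::/48", 0, 5))
    print(format_interface_id(framed_interface_id(user)), ppp_address("2001:648:2001::/48", 0, 5, user))
```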
Problems & Workarounds
• Cisco IOS: IPv4+IPv6 ACL name clash on dual stack virtual templates -- serious
• kill ACLs from virtual template (d’oh!)
• DHCPv6: Crazy, buggy or malevolent clients -- address exhaustion, need for resource controls
• Critical
• Accounting: Missing of some IPv6-* RADIUS attributes from Acct. messages
• Usage of Framed-Interface-ID
Problems & Workarounds - 2
• DHCPv6 prefix delegation: No way to configure using IETF RADIUS attributes
• Use VSA pairs (IOS virtual profile cloning disabled?)
• DHCPv6 accounting
• Critical
Why not static IPv6 prefixes per user?
✓Simplified RADIUS configuration
✓easy setup of DHCPv6 prefix delegation
✓decoupling from LNS implementation
• But: random destination LNS for each PPP session -- very bad for routing
• Tens of thousands of IGP routes constantly changing
Current Status
• IPv6 enabled test accounts to selected individuals
• Native IPv6 CPEs
• PPPoE and Vista
• Proxy RADIUS changes readily available
• Windows Vista
• Seamless home LAN enumeration by Internet Connection Sharing Agent
Future Directions
• Fixing of current problems (Accounting, DHCPv6)
• Investigation of a tunnel switch possibility
• IPv6-enabling of one institution
• monitoring and fixing of problems
• Testing of a Juniper E-Series 320
Addendum -- JunOSe 10.1
• Framed-IPv6-Prefix required for NDRA over PPP link (cannot use Framed-IPv6-Pool yet)
• Framed-IPv6-Pool usable only for DHCPv6 Prefix Delegation
• Delegated-IPv6-Prefix (IETF) for DHCPv6 Prefix Delegation
Approaches:
• Use Framed-IPv6-Prefix and Delegated-IPv6-Prefix (RADIUS-centric)
• Use Framed-IPv6-Pool for DHCPv6 and Framed-IPv6-Prefix for PPP (awkward)
Thank You! Any Questions?
Many thanks to:
NTUA NOC
GRNet NOC
Alexandros Kosiaris