CERN IT Department
CH-1211 Genève 23
Switzerland
www.cern.ch/it

IPv6 Deployment Project
2 April 2012
edoardo.martelli@cern.ch


Summary

- Why IPv6?

- What is IPv6?

- CERN IPv6 Network Service

- v4/v6 coexistence risks

- IT-CS work plan

- Implications for network users

- Progressing together


Why IPv6?


IPv4 ends

IPv4 address pool soon depleted


IPv4 exhaustion predictions

http://www.potaroo.net/tools/ipv4/rir.jpg


IPv4 exhaustion consequences

In general:

- Problematic for new players to join the IPv4 Internet => part of the Internet will be v6 only

- Difficult to deploy new large services based on IPv4 (virtualization, clouds, mobile devices...) => users hidden behind layers of NAT (CGN, Carrier Grade NAT)

For CERN:

IPv6 is necessary to reach all CERN remote users and to deploy new large scale services


What is IPv6?


IPv6 in a nutshell

2001:1458:a137:b138:c000:d000:e000:f001/64 (labelled on the slide as Site = 2001:1458, Subnet = a137:b138, Host = c000:d000:e000:f001, Length = /64)

- 128 bits, written in 8 groups of 4 hexadecimal digits

- 64 bits for network address, 64 bits for host address (recommendation)

- typical major site allocation: /32. It gives 2^32 subnets (as many as the whole IPv4 address space has addresses). Every subnet has 2^64 host addresses available.

- NAT not available


Transition strategies

Many NAT/Tunneling "solutions": DEPRECATED
(Figure: an IPv4 Network reaching the IPv6 Internet through an Address Translator / IPv4-IPv6 bridge)

Dual Stack: only viable solution
(Figure: dual-stack hosts connected natively to both the IPv4 Internet and the IPv6 Internet)


CERN IPv6 Service


Strategy

IPv6 ≥ IPv4

The CERN IPv6 service must be at the same level as the IPv4 service.

Plus the advantages peculiar to IPv6.


Service Description

- Dual Stack

- One IPv6 address assigned to every IPv4 one

- Identical performance to IPv4, no degradation

- Common provisioning tools for IPv4 and IPv6

- Same network services portfolio as IPv4

- Common security policies for IPv4 and IPv6

- Connectivity to IPv6 only systems!


CERN IPv6 prefixes

Public prefix 2001:1458::/32 (globally routed, full Internet connectivity)

Local prefix FD01:1458::/32 (private addresses like 10.0.0.0, no Internet connectivity)


IPv6 User services

At least one IPv6 sub-prefix per physical subnet, public and/or local.

Subnet size: /64 (i.e. 64 bits for the network address, 64 bits for the host address). Available host addresses per subnet: 2^64 (recommended size).

Example pairing shown on the slide: IPv4 subnet 137.138.14.0/24 and IPv6 sub-prefix 2001:1458:0201:0E00::/64
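Added example (not part of the presentation): a short Python script that checks an address or sub-prefix against the addressing plan described on the last three slides, using only the standard library ipaddress module. The two CERN /32 prefixes and the /32 site and /64 subnet boundaries are taken from the slides; the function names and the sample addresses are my own.

```python
import ipaddress

# CERN prefixes as stated on the slides.
PUBLIC_PREFIX = ipaddress.IPv6Network("2001:1458::/32")   # globally routed
LOCAL_PREFIX = ipaddress.IPv6Network("fd01:1458::/32")    # ULA, no Internet connectivity
SITE_PREFIXLEN = 32      # typical major site allocation
SUBNET_PREFIXLEN = 64    # recommended subnet size: 64 network bits, 64 host bits


def classify(addr_str):
    """Describe where an IPv6 address sits in the addressing plan.

    Returns the scope (public / local / foreign), the /32 site prefix,
    the enclosing /64 subnet and the 64-bit host (interface) identifier.
    """
    addr = ipaddress.IPv6Address(addr_str)
    if addr in PUBLIC_PREFIX:
        scope = "public"
    elif addr in LOCAL_PREFIX:
        scope = "local"
    else:
        scope = "foreign"   # not a CERN address at all
    site = ipaddress.IPv6Network((int(addr), SITE_PREFIXLEN), strict=False)
    subnet = ipaddress.IPv6Network((int(addr), SUBNET_PREFIXLEN), strict=False)
    host_id = int(addr) & ((1 << (128 - SUBNET_PREFIXLEN)) - 1)
    return {
        "address": addr.exploded,      # full 8 groups of 4 hex digits
        "scope": scope,
        "site": str(site),
        "subnet": str(subnet),
        "host_id": "%016x" % host_id,
    }


def is_valid_user_subnet(prefix_str):
    """A user subnet must be a /64 carved out of the public or local /32."""
    net = ipaddress.IPv6Network(prefix_str)
    if net.prefixlen != SUBNET_PREFIXLEN:
        return False
    return net.subnet_of(PUBLIC_PREFIX) or net.subnet_of(LOCAL_PREFIX)


def subnets_per_site():
    """Number of /64 subnets in a /32: 2^32, as many as IPv4 has addresses."""
    return 2 ** (SUBNET_PREFIXLEN - SITE_PREFIXLEN)


def hosts_per_subnet():
    """Host addresses in one /64: 2^64."""
    return 2 ** (128 - SUBNET_PREFIXLEN)


if __name__ == "__main__":
    # Sample inputs: the slide's example address, a local (ULA) address and a
    # documentation-prefix address that does not belong to CERN.
    for a in ("2001:1458:a137:b138:c000:d000:e000:f001", "fd01:1458:1::1", "2001:db8::1"):
        print(classify(a))
    print(is_valid_user_subnet("2001:1458:0201:0E00::/64"), subnets_per_site(), hosts_per_subnet())
```

The scope check is the part worth keeping in provisioning or firewall tooling: an address inside FD01:1458::/32 must never appear in a rule that opens something towards the Internet, and a sub-prefix that is not a /64 inside one of the two /32s is a data-entry error.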


Infrastructure management

Keep control to ensure stability and security

Addresses assigned from the Network DB (LANDB):

- IPv6 addresses assigned by DHCPv6 servers. Static or dynamic assignments based on the MAC address (same principles as IPv4).

Avoid risks:

- IPv6 autoconfiguration disabled.


Network Services

DNS, DHCPv6, Radius and NTP will be available over the IPv6 network.

The existing IPv4 DNS, Radius and NTP servers will provide the IPv6 services.

DHCPv6 and DHCP(v4): two services running on the same physical server.


LANDB

- LANDB central repository for all network information

- IPv6 is now the main navigation source

- New schema has been introduced on 25th of March 2012 keeping the compatibility with existing applications and queries


Monitoring

IPv6 will be monitored like its IPv4 counterpart. But the initial monitoring will not be at the same level as IPv4 (some features are still missing and will come later).


Security

The same IPv4 security policies will be applied to the IPv6 service.

All existing IPv4 firewall and CNIC rules will be extended with IPv6 information.

Firewall rules concerning host addresses: the IPv6 counterpart of an opening will be activated only when the host administrator declares the server IPv6 ready.

(Speech bubble on the slide: "Dear WEBREQ: my device is now IPv6 ready, please apply IPv6 security policies")


Coexistence risks


Client application's behaviour

The choice of the IP protocol to be used is up to the client application or operating system, based on the DNS reply and its own settings.

Since the name of a server is independent of the applications it runs, all of its applications must be listening on both protocols.


Server not listening

If the DNS returns an IPv6 address for a server that is not listening over IPv6, delays may occur (exchange shown on the slide):

Client: I want to see http://edh.cern.ch

CERN DNS server: edh.cern.ch is either IPv6 2001:1458:8001::68 or IPv4 137.138.7.65

Client: My application prefers IPv6; connect to 2001:1458:8001::68 TCP port 80

...20 to 180 seconds later...

Client: No IPv6 reply yet? Let's try 137.138.7.65 TCP port 80 then

EDH WEB server (IPv4 only): Dear client, here is the EDH page
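Added example (not part of the presentation): the client-side mitigation for the exchange above, in Python. A well-behaved client resolves the name, keeps the IPv6-first preference, but bounds every connection attempt so that a black-holed IPv6 path costs seconds rather than the 20 to 180 s on the slide before it falls back to IPv4. The timeout value, the function names and the simulated connector are my own assumptions; the addresses in the demo are documentation and test prefixes, not real servers, so the block runs offline.

```python
import socket
import time

# Upper bound on one connection attempt (an assumption for this example).
# Bounding each attempt is what keeps the fallback to IPv4 fast.
ATTEMPT_TIMEOUT = 2.0


def real_connect(family, sockaddr, timeout):
    """Open one TCP connection with a bounded timeout; raise OSError on failure."""
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
    except OSError:
        sock.close()
        raise
    return sock


def ordered_candidates(host, port):
    """Resolve a name (never hard-code addresses) and return (family, sockaddr)
    pairs, AAAA results first: the client on the slide prefers IPv6."""
    infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    v6 = [(fam, sa) for fam, _, _, _, sa in infos if fam == socket.AF_INET6]
    v4 = [(fam, sa) for fam, _, _, _, sa in infos if fam == socket.AF_INET]
    return v6 + v4


def connect_with_fallback(candidates, connect=real_connect, timeout=ATTEMPT_TIMEOUT):
    """Try candidates in order; give each at most `timeout` seconds.

    Returns (socket, family_used, attempts). `attempts` records
    (family, address, outcome) so the fallback path shows up in logs.
    """
    attempts = []
    for family, sockaddr in candidates:
        try:
            sock = connect(family, sockaddr, timeout)
        except OSError as exc:
            outcome = "timeout" if isinstance(exc, socket.timeout) else "error"
            attempts.append((family, sockaddr[0], outcome))
            continue
        attempts.append((family, sockaddr[0], "connected"))
        return sock, family, attempts
    raise OSError("no candidate address reachable: %r" % (attempts,))


def simulated_connect(reachable_families, delay):
    """Build a fake connector for offline demonstration: families in
    `reachable_families` connect at once, anything else behaves like a black
    hole (no SYN-ACK, no RST) and only gives up when the timeout expires."""
    def connect(family, sockaddr, timeout):
        if family in reachable_families:
            return ("fake-socket", family, sockaddr)
        time.sleep(min(delay, timeout))
        raise socket.timeout("no reply from %s" % sockaddr[0])
    return connect


def demo_blackholed_ipv6(timeout=0.05):
    """Constructed version of the slide's scenario: DNS returns both an AAAA
    and an A record, the IPv6 path drops packets, IPv4 works."""
    candidates = [
        (socket.AF_INET6, ("2001:db8::68", 80, 0, 0)),  # stands in for the AAAA
        (socket.AF_INET, ("192.0.2.65", 80)),           # stands in for the A
    ]
    connect = simulated_connect({socket.AF_INET}, delay=10.0)
    _, family, attempts = connect_with_fallback(candidates, connect=connect, timeout=timeout)
    return family == socket.AF_INET, attempts


if __name__ == "__main__":
    ok, log = demo_blackholed_ipv6()
    for entry in log:
        print(entry)
    print("fell back to IPv4:", ok)
```

This is the sequential, bounded form of the fallback; the Happy Eyeballs draft cited on the "Resources for Developers" slide goes further and races the IPv6 and IPv4 attempts in parallel. Note that the degraded-connectivity case from the "Issue with remote sites" slide is not solved by any timeout: a connection that completes but then crawls never triggers the fallback, which is why the server side controls exposure through the DNS.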


Control by DNS

Servers cannot decide which IP protocol the client will use. IPv6 can be avoided by the DNS not returning the IPv6 address (exchange shown on the slide):

Client: I want to see http://edh.cern.ch

DNS server: For the time being edh.cern.ch is only IPv4 137.138.7.65

Client: Although I'd prefer IPv6, I'll connect to 137.138.144.168 TCP port 80


LANDB flag: IPv6 ready

The DNS device name (name.cern.ch) will be resolved only with the IPv4 address until the user declares to LANDB, via WEBREQ, that the device is IPv6 ready.

IPv6 ready means:

- IPv6 connectivity is OK

- all the server's applications are listening on both IPv4 and IPv6 protocols

Consequences:

- IPv6 security openings activated

- name.cern.ch returns IPv4 and IPv6 addresses (A and AAAA records)
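Added example (not part of the presentation): a readiness check for the second condition above, "all the server's applications are listening on both protocols", followed by the DNS records the LANDB flag implies. The check parses the output of `ss -ltn` on Linux; the sample output is constructed for this example (a host whose port 80 is still IPv4 only), and the function names and the EDH address pair reused from the "Server not listening" slide are illustrative.

```python
import ipaddress

# Constructed `ss -ltn` output for a host that is *not* yet IPv6 ready:
# sshd and https listen on both families, http (port 80) on IPv4 only,
# and a database on the IPv4 loopback only.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
LISTEN 0      511    [::]:443            [::]:*
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Turn `ss -ltn` lines into (ip_address, port) pairs for LISTEN sockets."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue   # header line or anything that is not a listener
        host, _, port = fields[3].rpartition(":")
        listeners.append((ipaddress.ip_address(host.strip("[]")), int(port)))
    return listeners


def readiness_report(listeners):
    """Which address families each network-facing port accepts.

    Loopback-only sockets are ignored: they serve no remote client.
    A wildcard [::] socket is counted as IPv6; on Linux it normally accepts
    IPv4 too (IPV6_V6ONLY=0), which `ss` does not show, so a port listed
    only under [::] is treated as reachable over both families.
    """
    families = {}
    for ip, port in listeners:
        if ip.is_loopback:
            continue
        families.setdefault(port, set()).add(ip.version)
    missing_v6 = sorted(port for port, fams in families.items() if 6 not in fams)
    return {"ports": families, "missing_v6": missing_v6, "ipv6_ready": not missing_v6}


def dns_records(name, v4, v6, ipv6_ready):
    """Records to publish according to the LANDB flag described on the slides:
    ready hosts get A and AAAA under name.cern.ch, others keep name.cern.ch
    IPv4 only and expose IPv6 under name.ipv6.cern.ch."""
    if ipv6_ready:
        return [(f"{name}.cern.ch", "A", v4), (f"{name}.cern.ch", "AAAA", v6)]
    return [(f"{name}.cern.ch", "A", v4), (f"{name}.ipv6.cern.ch", "AAAA", v6)]


if __name__ == "__main__":
    report = readiness_report(parse_listeners(SAMPLE_SS_OUTPUT))
    print("ports missing IPv6:", report["missing_v6"])
    for rec in dns_records("edh", "137.138.7.65", "2001:1458:8001::68", report["ipv6_ready"]):
        print(rec)
```

Run the check on the real `ss -ltn` output of a server before declaring it IPv6 ready: any port in `missing_v6` is exactly the case from the "Server not listening" slide, where the AAAA record would send clients to a closed port and the IPv6 firewall opening would be granted to a service that cannot use it.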


LANDB flag: Not IPv6 ready

Not IPv6 ready means:

- Still testing IPv6, or client-only machine

Consequences:

- No IPv6 security openings

- Different DNS names (name.cern.ch for IPv4 and name.ipv6.cern.ch for IPv6)


Issue with remote sites

If IPv6 connectivity is broken, clients will wait up to 180 secs before falling back to IPv4.

If IPv6 connectivity is only degraded, the fallback will never occur.

Client's perception: there's a server issue.

(Figure: remote site and CERN connected across the INTERNET; IPv4: OK, IPv6: KO)


Deployment Plan


IPv6 deployment plan

- Testing of network devices: completed

- IPv6 Testbed for CERN users: available

- New LANDB schema: in production

- Addressing plan in LANDB: in production

- Provisioning tools (cfmgr and csdbweb): ongoing

- Network configuration: ongoing

- Network services (DNS, DHCPv6, Radius, NTP)

- User interface (webreq)

- User training

- IPv6 Service ready for production in 2013 (2013Q1)

(Timeline labels on the slide: 2011Q2, 2011Q3, 2012Q1, 2021Q1, Today)


Implications for Network Users


Everybody is concerned

"It shouldn't matter to an application whether it runs over IPv4 or IPv6. Unfortunately, for many applications, it does matter"

IPv6 affects:

- Operating Systems

- Server applications

- Client applications

- Closed hardware (printers, PLCs...)

- Operational teams

- Security matters

- ...


System managers

Most recent versions of Windows, Linux and MacOS support IPv6.

Installation of a DHCPv6 client may be necessary.

Upgrade/replace old OSes with no/broken IPv6 support.

Local firewall configuration


Application managers

In-house and open source applications (e.g. CDB, QUATTOR, LEMON, CASTOR, GridFTP, EDH...):

- understand IPv6 addresses

- connect/listen over IPv6 and IPv4

Commercial applications (e.g. Oracle, LSF, printers, PLCs...):

- Ask vendors to implement IPv6 support

- Upgrade the applications


Developers

Make applications protocol agnostic:

- connect to names and not to numerical addresses

- avoid protocol specific actions (ARP is replaced by the Neighbor Discovery Protocol, broadcasts no longer exist...)

If working with numerical addresses, beware:

- the syntax has changed: [2001:db8:1234:abcd::cafe]:80

- the IPv6 header is bigger than the IPv4 one

- new DNS AAAA record

- hosts will have multiple v6 addresses
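Added example (not part of the presentation): a parser for the changed endpoint syntax mentioned above, in Python. It accepts the bracketed form [addr]:port, plain IPv4 literals and names, and it refuses an unbracketed IPv6 literal, because in a string such as 2001:db8::1:80 the trailing :80 is a legal part of the address and not a port, which is the classic bug in code that splits on the last colon. The function names are my own; the sample strings use the documentation address from the slide and the EDH address from earlier slides.

```python
import ipaddress


def parse_endpoint(text, default_port=None):
    """Split an endpoint string into (host, port, kind).

    Accepted forms:
      [2001:db8:1234:abcd::cafe]:80   bracketed IPv6 literal with port
      [2001:db8::1]                   bracketed IPv6 literal, default port
      137.138.7.65:80                 IPv4 literal with port
      edh.cern.ch:443 / edh.cern.ch   name, with or without port
    kind is "ipv6", "ipv4" or "name". A bare IPv6 literal is refused:
    in "2001:db8::1:80" the ":80" is part of the address, not a port.
    """
    text = text.strip()
    if text.startswith("["):
        end = text.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal: %r" % text)
        addr = ipaddress.ip_address(text[1:end])
        if addr.version != 6:
            raise ValueError("brackets are reserved for IPv6 literals: %r" % text)
        rest = text[end + 1:]
        if rest == "":
            return addr.compressed, default_port, "ipv6"
        if rest.startswith(":") and rest[1:].isdigit():
            return addr.compressed, _check_port(int(rest[1:])), "ipv6"
        raise ValueError("bad port in %r" % text)
    # Two or more colons outside brackets can only be an IPv6 literal,
    # and without brackets the host/port split is ambiguous.
    if text.count(":") > 1:
        raise ValueError("IPv6 literal with a port must be bracketed: %r" % text)
    host, sep, port = text.partition(":")
    if not host:
        raise ValueError("empty host in %r" % text)
    if sep:
        if not port.isdigit():
            raise ValueError("bad port in %r" % text)
        port = _check_port(int(port))
    else:
        port = default_port
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host, port, "name"      # not a literal: a DNS name
    return addr.compressed, port, "ipv4"


def _check_port(port):
    """Reject port numbers outside 1..65535."""
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return port


if __name__ == "__main__":
    for s in ("[2001:db8:1234:abcd::cafe]:80", "137.138.7.65:80", "edh.cern.ch", "2001:db8::1:80"):
        try:
            print(s, "->", parse_endpoint(s, default_port=80))
        except ValueError as exc:
            print(s, "-> rejected:", exc)
```

The "kind" field makes the first recommendation on the slide enforceable: a configuration loader can log or reject entries whose kind is not "name", so that applications keep connecting to names and the DNS (and the LANDB flag behind it) keeps control over which protocol is used.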


Resources for Developers

Recommendations and Code checker: https://twiki.cern.ch/twiki/bin/view/EGEE/IPv6FollowUp

Implementing IPv6 applications: http://www.6deploy.eu/tutorials/210-6deploy_devel_v0_4.pdf

Application aspects of IPv6 transitions: http://tools.ietf.org/html/rfc4038

Socket interface extensions for IPv6: http://tools.ietf.org/html/rfc3493

Fast Fallback algorithm (Happy Eyeballs): http://datatracker.ietf.org/doc/draft-ietf-v6ops-happy-eyeballs/


IPv6 Forum


CERN IPv6 Forum

Representatives from:

- each IT group

- each department

- each experiment

Place for:

- knowing about the IPv6 deployment status

- use of the IPv6 testbed

- sharing of information and knowledge

- giving feedback and proposing enhancements

Mailing list: [email protected]


IPv6 Testbed


Testbed setup

- Two dual stack IPv4/IPv6 services, one in LCG and one in GPN

- Autoconfiguration in the first stage, DHCPv6 once all options are available

- DNS service over IPv6

- Global IPv6 connectivity via a statically configured stateful firewall

- Servers running Virtual Machines with IPv6 capabilities


Testbed setup

(Figure: testbed topology. Elements shown: IPv6 firewall, IPv4 firewall, LCG IPv4/IPv6 router, GPN IPv4/IPv6 router, IPv4/IPv6 Virtual Machines, IPv4/IPv6 Dual-Stack network, IPv6 only network, IPv4 only network, IPv4 Internet, IPv6 Internet, CERN network)


How to get an IPv6/v4 VM

- Be part of the egroup ipv6-testbed-users

- Login to the Virtual Machine Manager http://cern.ch/cvi

- Click on Request Virtual Machine

- Fill the form with the necessary information

- Choose the Host Group:
  "IT-CS\IPv6 testbed\LCG" for the LCG domain (v4 address 128.142.0.0/16, LHCOPN access to the Tier1s)
  "IT-CS\IPv6 testbed\GPN" for the GPN domain (v4 address 137.138.0.0/16, normal campus machine)

https://twiki.cern.ch/twiki/bin/view/IPv6/IPv6TestbedAccess


Conclusions


Conclusions

- IPv6 is necessary

- Implementation already started

- It will take time

- It will be expensive

- New operational problems will arise

- Everybody is concerned


More information: http://cern.ch/ipv6

