CERN IT Department, CH-1211 Genève 23, Switzerland, www.cern.ch/it
IPv6 Deployment Project
2 April
[email protected]
Summary
• Why IPv6?
• What is IPv6?
• CERN IPv6 Network Service
• v4/v6 coexistence risks
• IT-CS work plan
• Implications for network users
• Progressing together
Why IPv6?
IPv4 ends
IPv4 address pool soon depleted
IPv4 exhaustion predictions
http://www.potaroo.net/tools/ipv4/rir.jpg
IPv4 exhaustion consequences
In general:
- Problematic for new players to join the IPv4 Internet => part of the Internet will be v6 only
- Difficult to deploy new large services based on IPv4 (virtualization, clouds, mobile devices...) => users hidden behind layers of NAT (CGN, Carrier Grade NAT)
For CERN:
- IPv6 necessary to reach all CERN remote users and to deploy new large scale services
What is IPv6?
IPv6 in a nutshell
2001:1458:a137:b138:c000:d000:e000:f001/64
(Site: 2001:1458 | Subnet: a137:b138 | Host: c000:d000:e000:f001 | Length: /64)
- 128 bits, written in 8 groups of 4 hexadecimal digits
- 64 bits for network address, 64 bits for host address (recommendation)
- typical major site allocation: /32. It gives 2^32 subnets available (as many as the whole IPv4 address space has addresses). Every subnet has 2^64 host addresses available.
- NAT not available
Transition strategies
Many NAT/Tunneling “solutions” (address translator, IPv4/IPv6 bridge between an IPv4 network and the IPv6 Internet): DEPRECATED
Dual Stack (hosts connected to both the IPv4 Internet and the IPv6 Internet): the only viable solution
CERN IPv6 Service
Strategy
IPv6 ≥ IPv4
The CERN IPv6 service must be at the same level as the IPv4 service, plus the advantages specific to IPv6.
Service Description
- Dual Stack
- One IPv6 address assigned to every IPv4 one
- Identical performance as IPv4, no degradation
- Common provisioning tools for IPv4 and IPv6
- Same network services portfolio as IPv4
- Common security policies for IPv4 and IPv6
- Connectivity to IPv6 only systems!
CERN IPv6 prefixes
Public prefix 2001:1458::/32 (globally routed, full Internet connectivity)
Local prefix FD01:1458::/32 (private addresses, like 10.0.0.0 in IPv4; no Internet connectivity)
IPv6 User services
At least one IPv6 sub-prefix per physical subnet, public and/or local.
Subnet size: /64 (i.e. 64 bits for the network address, 64 bits for the host address). Available host addresses per subnet: 2^64 (recommended size).
Example mapping: 137.138.14.0/24 -> 2001:1458:0201:0E00::/64
Infrastructure management
Keep control to ensure stability and security.
Addresses assigned from the Network DB (LANDB):
- IPv6 addresses assigned by DHCPv6 servers. Static or dynamic assignments based on the MAC address (same principles as IPv4).
Avoid risks:
- IPv6 autoconfiguration disabled
Network Services
DNS, DHCPv6, Radius and NTP will be available over the IPv6 network.
The existing IPv4 DNS, Radius and NTP servers will provide the IPv6 services.
DHCPv6 and DHCP(v4): two services running on the same physical server.
LANDB
- LANDB central repository for all network information
- IPv6 is now the main navigation source
- New schema has been introduced on 25th of March 2012 keeping the compatibility with existing applications and queries
Monitoring
IPv6 will be monitored like its IPv4 counterpart, but initial monitoring will not be at the same level as IPv4 (some features are still missing and upcoming).
Security
The same IPv4 security policies will be applied to the IPv6 service.
Every existing IPv4 firewall and CNIC rule will be extended with IPv6 information.
Firewall rules concerning host addresses: the IPv6 opening counterpart will be activated only when the host administrator declares the server IPv6 ready.
“Dear WEBREQ: my device is now IPv6 ready, please apply IPv6 security policies”
Coexistence risks
Client application's behavior
The choice of the IP protocol to be used is up to the client application or operating system, based on the DNS reply and its own settings.
Since a server's name is independent of the applications it runs, all of its applications must be listening on both protocols.
Server not listening
If the DNS returns an IPv6 address for a server that is not listening over IPv6, delays may occur:
- Client: “I want to see http://edh.cern.ch”
- CERN DNS server: “edh.cern.ch is either: IPv6 2001:1458:8001::68, IPv4 137.138.7.65”
- Client: “My application prefers IPv6; connect to 2001:1458:8001::68 TCP port 80”
- ...20 to 180 seconds later...
- Client: “No IPv6 reply yet? Let's try 137.138.7.65 TCP port 80 then”
- EDH WEB server (IPv4 only): “Dear client, here is the EDH page”
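To make the delay in this exchange concrete, here is an added example (not CERN code and not from the slides) that reproduces the scenario on localhost: a constructed IPv4-only listener stands in for the EDH server, and the client tries the IPv6 candidate first but bounds each attempt with a short application-level timeout before moving to IPv4, in the spirit of the fast-fallback (Happy Eyeballs) draft listed under Resources for Developers. It assumes a loopback interface and lets the OS pick the port.

```python
import socket
import threading
import time

# Constructed stand-in for the slides' "EDH WEB server IPv4 only": a listener
# bound to 127.0.0.1 only. Added example, not CERN code.
def start_ipv4_only_listener():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed: stop the thread
                return
            conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def connect_with_fallback(candidates, per_attempt_timeout=0.5):
    """Try each (family, sockaddr) in resolver order (AAAA before A), bounding
    every attempt with a short application timeout instead of the OS default,
    so a dead IPv6 path costs a fraction of a second rather than 20-180 s.
    Returns (connected socket, family name, log of attempts)."""
    log = []
    for family, sockaddr in candidates:
        name, t0, s = socket.AddressFamily(family).name, time.monotonic(), None
        try:
            s = socket.socket(family, socket.SOCK_STREAM)
            s.settimeout(per_attempt_timeout)
            s.connect(sockaddr)
            s.settimeout(None)
            log.append((name, "ok", round(time.monotonic() - t0, 3)))
            return s, name, log
        except OSError as e:         # refused, unreachable or timed out: next
            if s:
                s.close()
            log.append((name, type(e).__name__, round(time.monotonic() - t0, 3)))
    raise ConnectionError(f"all candidates failed: {log}")

def demo():
    srv, port = start_ipv4_only_listener()
    # What a "prefers IPv6" stack would try: the AAAA target first, then the A.
    candidates = [(socket.AF_INET6, ("::1", port, 0, 0)),
                  (socket.AF_INET, ("127.0.0.1", port))]
    try:
        conn, family, log = connect_with_fallback(candidates)
        conn.close()
        return family, log
    finally:
        srv.close()
```

Bounding the attempt only helps when the IPv6 path is broken; a degraded IPv6 path that still completes the TCP handshake will never trigger this fallback.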
Control by DNS
Servers cannot decide which IP protocol the client will use. IPv6 can be avoided by the DNS not returning the IPv6 address:
- Client: “I want to see http://edh.cern.ch”
- DNS server: “For the time being edh.cern.ch is only IPv4 137.138.7.65”
- Client: “Although I'd prefer IPv6, I'll connect to 137.138.144.168 TCP port 80”
LANDB flag: IPv6 ready
The DNS device name name.cern.ch will be resolved only to the IPv4 address until the user declares the device IPv6 ready in LANDB via WEBREQ.
IPv6 ready means:
- IPv6 connectivity is OK
- all the server's applications are listening on both IPv4 and IPv6
Consequences:
- IPv6 security openings activated
- name.cern.ch returns IPv4 and IPv6 addresses (A and AAAA records)
LANDB flag: Not IPv6 ready
Not IPv6 ready means:
- Still testing IPv6, or client-only machine
Consequences:
- No IPv6 security openings
- Different DNS names (name.cern.ch for IPv4 and name.ipv6.cern.ch for IPv6)
Issue with remote sites
If IPv6 connectivity is broken, clients will wait up to 180 seconds before falling back to IPv4.
If IPv6 connectivity is only degraded, the fallback will never occur.
Client's perception: there is a server issue.
(Diagram: remote site to CERN across the Internet; IPv4: OK, IPv6: KO.)
Deployment Plan
IPv6 deployment plan
- Testing of network devices: completed
- IPv6 Testbed for CERN users: available
- New LANDB schema: in production
- Addressing plan in LANDB: in production
- Provisioning tools (cfmgr and csdbweb): ongoing
- Network configuration: ongoing
- Network services (DNS, DHCPv6, Radius, NTP)
- User interface (webreq)
- User training
- IPv6 Service ready for production in 2013
(Timeline: quarters from 2011Q2 to 2013Q1, with a “Today” marker.)
Implications for Network Users
Everybody is concerned
“It shouldn't matter to an application whether it runs over IPv4 or IPv6. Unfortunately, for many applications, it does matter.”
IPv6 affects:
- Operating Systems
- Server applications
- Client applications
- Closed hardware (printers, PLCs..)
- Operational teams
- Security matters
- ...
System managers
Most recent versions of Windows, Linux and MacOS support IPv6.
Installation of a DHCPv6 client may be necessary.
Upgrade/replace old OSes with no/broken IPv6 support.
Local firewall configuration
Application managers
In-house and open source applications (e.g. CDB, QUATTOR, LEMON, CASTOR, GridFTP, EDH...):
- understand IPv6 addresses
- connect/listen over IPv6 and IPv4
Commercial applications (e.g. Oracle, LSF, printers, PLCs...):
- Ask vendors to implement IPv6 support
- Upgrade the applications
Developers
Make applications protocol agnostic:
- connect to names and not to numerical addresses
- avoid protocol specific actions (ARP replaced by the Neighbor Discovery Protocol, broadcast no longer exists...)
If working with numerical addresses, beware:
- syntax has changed: [2001:db8:1234:abcd::cafe]:80
- the IPv6 header is bigger than the IPv4 one
- new DNS AAAA record
- hosts will have multiple v6 addresses
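An added example (not CERN code) of the developer points above in Python: a server that listens on every address family the host offers (the RFC 3493 getaddrinfo/AI_PASSIVE pattern, with IPV6_V6ONLY set so the separate IPv4 socket can bind alongside the IPv6 one) and helpers that produce and parse the bracketed [addr]:port syntax. It assumes a Linux-style socket API; the IPV6_V6ONLY default is OS-dependent, which is why it is set explicitly.

```python
import ipaddress
import socket

# Added example, not CERN code: one listening socket per family, so the same
# service name answers over IPv4 and IPv6 as the slides require.
def listen_all_families(port, backlog=5):
    """Return ({family_name: listening socket}, {family_name: error}).
    A host without IPv6 simply ends up with the AF_INET6 entry in the
    second dict instead of failing the whole service."""
    opened, skipped = {}, {}
    for family, socktype, proto, _, sockaddr in socket.getaddrinfo(
            None, port, socket.AF_UNSPEC, socket.SOCK_STREAM, 0, socket.AI_PASSIVE):
        name, s = socket.AddressFamily(family).name, None
        try:
            s = socket.socket(family, socktype, proto)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            if family == socket.AF_INET6:
                # keep the v6 socket from also claiming the v4 port
                s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
            s.bind(sockaddr)
            s.listen(backlog)
            opened[name] = s
        except OSError as e:
            if s:
                s.close()
            skipped[name] = str(e)
    return opened, skipped

def format_hostport(host, port):
    """IPv6 literals must be bracketed in host:port and URL syntax."""
    ip = ipaddress.ip_address(host)
    return f"[{ip}]:{port}" if ip.version == 6 else f"{ip}:{port}"

def parse_hostport(text):
    """Inverse of format_hostport; also accepts hostname:port.
    An unbracketed IPv6 literal is rejected because the last ':' is ambiguous."""
    if text.startswith("["):
        host, _, rest = text[1:].partition("]")
        if not rest.startswith(":") or not rest[1:].isdigit():
            raise ValueError(f"malformed host:port {text!r}")
        return str(ipaddress.IPv6Address(host)), int(rest[1:])
    host, _, port = text.rpartition(":")
    if not port.isdigit() or ":" in host or not host:
        raise ValueError(f"malformed host:port {text!r}")
    return host, int(port)
```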
Resources for Developers
- Recommendations and code checker: https://twiki.cern.ch/twiki/bin/view/EGEE/IPv6FollowUp
- Implementing IPv6 applications: http://www.6deploy.eu/tutorials/210-6deploy_devel_v0_4.pdf
- Application aspects of IPv6 transition: http://tools.ietf.org/html/rfc4038
- Socket interface extensions for IPv6: http://tools.ietf.org/html/rfc3493
- Fast fallback algorithm: http://datatracker.ietf.org/doc/draft-ietf-v6ops-happy-eyeballs/
IPv6 Forum
CERN IPv6 Forum
Representatives from:
- each IT group
- each department
- each experiment
Place for:
- knowing about IPv6 deployment status
- use of the IPv6 testbed
- sharing of information and knowledge
- giving feedback and proposing enhancements
Mailing list: [email protected]
IPv6 Testbed
Testbed setup
- Two dual stack IPv4/IPv6 services, one in LCG and one in GPN
- Autoconfiguration in the first stage, DHCPv6 when all options are available
- DNS service over IPv6
- Global IPv6 connectivity via a statically configured stateful firewall
- Servers running Virtual Machines with IPv6 capabilities
Testbed setup
(Diagram: CERN network with an IPv4/IPv6 dual-stack network, an IPv6-only network and an IPv4-only network; LCG IPv4/IPv6 router and GPN IPv4/IPv6 router, each serving IPv4/IPv6 virtual machines; IPv4 firewall to the IPv4 Internet, IPv6 firewall to the IPv6 Internet.)
How to get an IPv6/v4 VM
- Be part of the egroup ipv6-testbed-users
- Login to the Virtual Machine Manager http://cern.ch/cvi
- Click on Request Virtual Machine
- Fill the form with the necessary information
- Choose the Host Group:
  - "IT-CS\IPv6 testbed\LCG" for the LCG domain (v4 address 128.142.0.0/16, LHCOPN access to the Tier1s)
  - "IT-CS\IPv6 testbed\GPN" for the GPN domain (v4 address 137.138.0.0/16, normal campus machine)
https://twiki.cern.ch/twiki/bin/view/IPv6/IPv6TestbedAccess
Conclusions
Conclusions
- IPv6 is necessary
- Implementation already started
- It will take time
- It will be expensive
- New operational problems will arise
- Everybody is concerned
More information: http://cern.ch/ipv6