Description: DREN IPv6 Implementation Update. Joint Techs Workshop, July 2005, Vancouver, BC, Canada. Ron Broersma, DREN Chief Engineer, High Performance Computing Modernization Program, [email protected]. Introduction: DREN is DoD's network serving the RDT&E community.
Transcript
Page 1: DREN IPv6 Implementation Update

18-Jul-05 DREN IPv6 Update 1

DREN IPv6 Implementation Update

Joint Techs Workshop, July 2005
Vancouver, BC, Canada

Ron Broersma, DREN Chief Engineer
High Performance Computing Modernization Program
[email protected]

Page 2: DREN IPv6 Implementation Update


Introduction
• DREN is DoD's network serving the RDT&E community
• It serves as the DoD IPv6 "pilot" network.
• DREN operates 2 IPv6 wide area networks
  – Testbed
    • Dedicated Cisco routers
    • ATM PVC mesh
  – Production
    • Dual stack production backbone
    • Juniper routers

Page 3: DREN IPv6 Implementation Update


DREN “production” network

Page 4: DREN IPv6 Implementation Update


DRENv6 "testbed" Logical Topology

(Diagram. Legend: Core Router, "site", IXP, ISP or BGP Neighbor, Tunnel broker. Labels recovered from the diagram: Dayton, San Diego, Albuquerque, Wash D.C., Stennis, Vicksburg, Aberdeen; ATM PVC (OC-3) tunnel; HICv6 (Hawaii); Global Crossing, Hurricane Electric, LAVAnet, SPRINT, vBNS+, 6TAP, SSC Charleston, SSAPAC, SSC San Diego, WCISD, AOL, NRL, ARL, WPAFB, ERDC, NAVO, C&W, Cisco, NTT Com, Verio, AFRL, Kirtland AFB, Abilene, SD-NAP, SDSC, FIX-West, HP, AIX-v6, TIC, JITC.)

Page 5: DREN IPv6 Implementation Update


DREN IPv6 transition architecture – FY04

(Diagram. DRENv6 (Testbed) and DREN2 (Production / Pilot); sdp nodes sdp.arlapg, sdp.sandiego and sdp.erdc serving the sites ARL-APG, SSCSD and ERDC, each shown with NIDSv6 and a v6 ACL; "Testbed at DREN site" attached at the sites; connections to 6bone, Abilene, and other IPv6 enabled ISPs, and to IPv6 demonstrations (Moonv6).)

Callouts:
– Dual stack IPv4 and IPv6 wide area infrastructure
– Type "A" (IP) production service to DREN sites: IPv4 and IPv6 provided over the same interface
– Native IPv6 backbone: links run native IPv6 where possible, otherwise tunnelled in IPv4
– Goal: As secure as the IPv4 backbone

Page 6: DREN IPv6 Implementation Update


DREN IPv6 philosophy
• Push the "I believe" button, and turn on IPv6 everywhere to see what works (and what doesn't)
• Do it in a production environment
  – can get away with this in an R&D environment, but not on operational networks.
• Go native. (no tunnels)
• Even if the world doesn't convert for years, R&D environments need it now.
• Figure out how to deploy IPv6 to the rest of DoD in the future.

Page 7: DREN IPv6 Implementation Update


Report on some current efforts
• Security
• IPv6 Multicast
• DHCPv6/DNS

Page 8: DREN IPv6 Implementation Update


Security
• Reported previously
  – many security features missing in implementations
    • IPsec, ACLs, etc.
  – many security products don't do IPv6
    • firewalls, IDS, scanners, etc.
• Update
  – snort-2.3.3 upgraded to IPv6 by DREN
    • in production as part of DREN's IDS
  – giving up on Juniper IPv6 port-mirroring
    • installing Foundry switches at exchanges
  – independent security review contracted to SAIC
    • report due Oct '05

Page 9: DREN IPv6 Implementation Update


Independent Security Review

• Reviewing…
  – protocol
  – stack maturity
  – tool maturity
• Analyzing…
  – v6 versions of all v4 attacks
  – packets emitted on boot, as well as other traffic and interactions
  – how things behave with strange packets
• So far…
  – protocol is no less secure than v4
  – mobility is scary
  – multicast is still spoofable
  – ND – spoofable, but no exploits found yet
  – Windows – ACKs things twice in all v6 TCP streams???
  – router renumbering – can spoof – possible DoS
  – landv6 attack works, but doesn't crash machine
• Good stuff…
  – ethereal – excellent v6 parsing
  – scapy – great packet hacking tool, supports v6

Page 10: DREN IPv6 Implementation Update


IPv6 multicast
• Focus: get DREN backbones fully ipv6-multicast enabled.
• Status (work in progress)
  – Testbed – fully operational
    • PIMv2, MLDv2, SSM, ASM, static RP, embedded-rp
  – Production – operational
    • routers all upgraded to JunOS 7.2
    • PIMv2, MLDv2, SSM, ASM, some embedded-rp
  – Beacon – operational (dbeacon)
    • ASM and SSM, using embedded-rp group address
  – Test environment
    • Linux 2.6.11, Linux 2.4, Solaris 10
    • Cisco (testbed), Juniper (DREN production), Juniper (site), Foundry BI (site)
  – simulating cross-domain interaction

(Diagram: Testbed and Production backbones meeting at sdp.sandiego / SSCSD sdp; a Site with Juniper and Foundry routers; a Test Environment (beacon) with Linux, Solaris, Linux and Linux hosts behind Cisco, Juniper and Juniper routers.)

Page 11: DREN IPv6 Implementation Update


IPv6 Multicast
• Learned:
  – lots of good work already done by folks at m6bone
  – ssmping – great test/debug tool
    • server (source) doesn't need MLDv2, only receivers
  – dbeacon – new beacon software
  – notion of multicast/PIM domains blurred or gone.
    • use embedded-rp for cross-domain ASM
  – embedded-rp works great
    • Cisco – enabled by default
    • Juniper – disabled by default (surprise)
      – needs to be enabled on all routers between the RP and potential receivers.
• Some Issues
  – Foundry – no MLDv2 yet
  – no MLDv2 in WinXP, broken in old Linux, Solaris.
• ToDo:
  – test beyond DREN (Abilene? m6bone?)
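Embedded-RP (RFC 3956) is what lets the cross-domain ASM above work without MSDP: the RP address is carried inside the group address itself, so every router between the RP and the receivers can recover it from the packet alone. The following added example (not DREN's code or the slides' tooling) decodes an embedded-RP group address into its RP, validates the fields a router checks before accepting it, and builds such a group from an RP prefix; the sample addresses in it are constructed from the 2001:db8::/32 documentation prefix.

```python
import ipaddress

# RFC 3956 embedded-RP group address layout:
#   byte 0      0xFF
#   byte 1      flags nibble (0RPT; R=P=T=1 -> 0x7) | scope nibble
#   byte 2      4 reserved bits (must be 0) | RIID nibble (RP interface ID)
#   byte 3      plen: number of significant prefix bits (1..64)
#   bytes 4-11  64-bit network prefix of the RP
#   bytes 12-15 32-bit group ID
# The RP address is <prefix>::<RIID>.

def embedded_rp(group):
    """Return (rp_address, scope, riid, plen) for an embedded-RP group address."""
    b = ipaddress.IPv6Address(group).packed
    if b[0] != 0xFF:
        raise ValueError("not a multicast address")
    flags, scope = b[1] >> 4, b[1] & 0xF
    if flags & 0x7 != 0x7:
        raise ValueError("R, P and T flags must all be set for embedded-RP")
    if b[2] >> 4:
        raise ValueError("reserved bits must be zero")
    riid, plen = b[2] & 0xF, b[3]
    if riid == 0:
        raise ValueError("RIID 0 is reserved")
    if not 1 <= plen <= 64:
        raise ValueError("plen must be 1..64")
    prefix = int.from_bytes(b[4:12], "big")
    if prefix & ((1 << (64 - plen)) - 1):
        raise ValueError("prefix bits beyond plen must be zero")
    rp = ipaddress.IPv6Address((prefix << 64) | riid)
    return rp, scope, riid, plen

def is_embedded_rp_group(group):
    """True if the address is a well-formed embedded-RP group (router-side sanity check)."""
    try:
        embedded_rp(group)
        return True
    except ValueError:
        return False

def make_embedded_rp_group(rp_prefix, riid, scope, group_id):
    """Build the group address that embeds the RP <rp_prefix>::<riid> (e.g. for a beacon)."""
    net = ipaddress.IPv6Network(rp_prefix)
    if net.prefixlen > 64 or any(net.network_address.packed[8:]):
        raise ValueError("RP prefix must fit in the first 64 bits")
    if not 1 <= riid <= 0xF or not 1 <= scope <= 0xF or not 0 <= group_id < 2**32:
        raise ValueError("RIID and scope are non-zero 4-bit values; group ID is 32-bit")
    b = bytes([0xFF, 0x70 | scope, riid, net.prefixlen])
    b += net.network_address.packed[:8] + group_id.to_bytes(4, "big")
    return str(ipaddress.IPv6Address(b))

if __name__ == "__main__":
    # Constructed example: global-scope (0xE) group whose RP is 2001:db8::1.
    g = make_embedded_rp_group("2001:db8::/64", riid=1, scope=0xE, group_id=0x1234)
    print(g, "->", embedded_rp(g))
```

The checks mirror what a router does when it sees such a group: the R, P and T flags must all be set, the reserved bits must be zero, and an RIID of 0 is rejected, so a badly formed address is dropped rather than turned into a bogus RP.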

Page 12: DREN IPv6 Implementation Update


DHCPv6/DNS
• Goal – implement a dhcpv6 environment, similar to how some sites use it in v4.
  – common practice: DHCP (v4) assigns addresses, and performs dns-update for A and PTR records. DNS master only has to trust DHCP server, not every client.
• Challenge: finding mature and complete DHCP implementation
• Testing, status
  – ISC (popular dhcp reference implementation)
    • IPv4 only
  – dhcpv6-linux
    • incomplete
    • last version 2 years ago
  – dhcpv6 (sourceforge)
    • incomplete, but works – no dns-update
    • included in Fedora Core 3 and Red Hat 4
  – Lucent
    • tested, and appears to work. Haven't tested dns-update (awaiting more software).
    • No documentation
• Issues:
  – no dhcp client in WinXP
  – uncertainty and debate on interactions between stateless and stateful (DHCP) autoconfig.
    • M/O bits debate
    • how useful is DHCPv6, if only use might be to get DNS servers and domain?
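The M/O bits question comes down to what a host does with the flags in a Router Advertisement: the M bit (managed) sends it to stateful DHCPv6 for addresses, the O bit alone sends it to stateless DHCPv6 for "other" configuration such as DNS servers and a domain, and the A flag on a Prefix Information option drives SLAAC independently of both. This added example (not from the slides or any DREN software) decodes the RA header and its Prefix Information options as laid out in RFC 4861 and prints what a conforming host would do; the two RA messages in it are constructed, with the checksum left at zero.

```python
import ipaddress
import struct

# ICMPv6 Router Advertisement (RFC 4861): type 134, code 0, checksum, cur hop limit,
# flags byte (M=0x80 managed addresses, O=0x40 other configuration), router lifetime,
# reachable time, retrans timer, then TLV options in 8-byte units.
ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3

# Constructed sample 1: M=0, O=1 with an A-flagged /64. This is the "DNS only" DHCPv6
# case the slide asks about: addresses via SLAAC, DNS via stateless DHCPv6.
RA_STATELESS = (
    struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0x40, 1800, 0, 0)
    + struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0, 2592000, 604800, 0)
    + ipaddress.IPv6Address("2001:db8:0:1::").packed
)
# Constructed sample 2: M=1 with an on-link-only prefix (A clear): addresses from DHCPv6.
RA_STATEFUL = (
    struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0x80, 1800, 0, 0)
    + struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0x80, 2592000, 604800, 0)
    + ipaddress.IPv6Address("2001:db8:0:1::").packed
)

def parse_ra(data):
    """Decode the RA header flags and any Prefix Information options."""
    if len(data) < 16:
        raise ValueError("truncated RA")
    typ, code, _cksum, hop, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", data[:16])
    if typ != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "prefixes": []}
    off = 16
    while off + 2 <= len(data):
        otype, olen = data[off], data[off + 1]
        if olen == 0:                       # RFC 4861 4.6: zero length is invalid, discard
            raise ValueError("option with zero length")
        opt = data[off:off + olen * 8]
        if len(opt) < olen * 8:
            raise ValueError("truncated option")
        if otype == OPT_PREFIX_INFO and olen == 4:
            _, _, plen, pflags, valid, preferred, _ = struct.unpack("!BBBBIII", opt[:16])
            addr = ipaddress.IPv6Address(opt[16:32])
            net = ipaddress.IPv6Network((str(addr), plen), strict=False)
            ra["prefixes"].append({"prefix": str(net), "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        off += olen * 8                     # unknown options are skipped, as hosts must do
    return ra

def host_plan(ra):
    """What a conforming host does with the M/O bits and the prefix A flags."""
    plan = [f"SLAAC: form an address in {p['prefix']}" for p in ra["prefixes"] if p["autonomous"]]
    if ra["managed"]:
        plan.append("stateful DHCPv6: obtain addresses and other configuration from a DHCPv6 server")
    elif ra["other"]:
        plan.append("stateless DHCPv6: Information-Request for DNS servers and domain only")
    return plan

if __name__ == "__main__":
    for name, ra in (("stateless", RA_STATELESS), ("stateful", RA_STATEFUL)):
        print(name, host_plan(parse_ra(ra)))
```

The first sample is exactly the deployment the slide questions: with O set and M clear, DHCPv6 is used for nothing but DNS server and domain information, while the addresses come from SLAAC. The second shows the stateful case where the prefix is on-link only and the host must ask DHCPv6 for an address.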
