IPv6 SLAC update
Paola Grosso
SLAC Networking Group
[email protected]
Paola Grosso - I2/ESCC Joint Tech
IPv6 pros
• More addresses
– 128-bit addresses (10^30 addresses per person)
to take care of the depletion of IPv4 addresses;
to allow new devices to be network enabled.
• Better mobility
– Auto configuration of nodes
to allow movement without losing network connectivity
(home address vs. care-of address).
• Better security
– IPSec part of the protocols
to enable end-to-end services (data integrity, access
control).
IPv6 out there…
• The research networks:
– Native connection to the research networks backbones (Internet2,
ESnet, GEANT)
– IPv6 Land Speed record by CERN and CalTech of 983 mbps
http://info.web.cern.ch/info/Press/PressReleases/Releases2003/PR09.03EInternet.html
• The implementers:
– Asia:
• Japan to convert IT infrastructure to IPv6 by 2005
– DOD to transition to IPv6 by 2008
http://www.dod.mil/releases/2003/nr20030613-0097.html
• The commercial world:
– Major vendors (start to) ship IPv6 enabled products
IPv6 at SLAC: why?
We have not exhausted our address space (still
“plenty” of addresses in our /16).
We do not have any users/applications in need
of IPv6.
Why bother?
• Gain experience with the technology;
• Think and plan ahead;
• Find first portable applications.
SLAC IPv6 network setup
SLAC connects to the IPv6 Internet via a native
connection provided from ESnet.
[Diagram labels: SLAC IPv6 intranet; Rtr-ipv6; Cisco 3640; Juniper M10; ESnet; IPv6 internet]
Not BGP, but static route.
IPv6 configuration:
ipv6 unicast-routing
interface <int-name>
 no ip address
 ipv6 address <address/mask>
SLAC IPv6 Addressing Schema
ESnet provides us with a:
Point to point network, for the router connections
2001:400:0e02:8::/64
The internal SLAC IPv6 network
2001:0400:0e10::/48
Internal addressing schema:
http://www.slac.stanford.edu/comp/net/ipv6/Addressing-ipv6.html
The grand schema is to have:
• 16 services each one with up to 64 subnets.
(4 bits for services and 6 bits for the service subnets)
SLAC IPv6 code requirements
Three requirements for the project approval from the SLAC
security group:
– Running a cryptographic image that allows SSH
client/server on the router;
– Support for Reflexive Access Lists;
– A client-based network, i.e. all connections have to be
initiated from within, with a few exceptions:
• SSH incoming
• IPv6 ping to internal nodes
• Web server (approval pending)
The Cisco code that can do this is: 12.3(1a)
Access lists rules
A few basic rules:
0. Anti-spoofing rules
1. Filter the non-routable addresses:
• deny ipv6 ::/3 any
• deny ipv6 4000::/2 any
• deny ipv6 8000::/1 any log
2. Allow neighbor-advertisement and neighbor-solicitation traffic (implicit):
• permit icmp any any nd-na
• permit icmp any any nd-ns
• deny ipv6 any any
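The filter rules above, evaluated first-match over a few constructed source addresses. This is an added example, not from the original slides; it assumes the rules apply in the order listed with the implicit entries last, and it omits the permit entries for production traffic because the slide does not show them.

```python
import ipaddress

# Slide rules in listed order; the last three are the implicit entries that
# end every Cisco IOS IPv6 access list. (action, protocol, source, ICMPv6 type)
ACL = [
    ("deny",   "ipv6", "::/3",     None),
    ("deny",   "ipv6", "4000::/2", None),
    ("deny",   "ipv6", "8000::/1", None),   # "log" omitted: no effect on matching
    ("permit", "icmp", "::/0",     "nd-na"),
    ("permit", "icmp", "::/0",     "nd-ns"),
    ("deny",   "ipv6", "::/0",     None),
]

def evaluate(src, proto="tcp", icmp_type=None, acl=ACL):
    """First-match evaluation on source address; returns (action, rule index)."""
    addr = ipaddress.IPv6Address(src)
    for i, (action, rproto, prefix, rtype) in enumerate(acl):
        if addr not in ipaddress.IPv6Network(prefix):
            continue
        # "ipv6" matches any protocol; "icmp" needs the exact ICMPv6 type.
        if rproto == "icmp" and (proto != "icmp" or icmp_type != rtype):
            continue
        return action, i
    return "deny", len(acl)

def unfiltered_space(acl=ACL):
    """Source space left after removing every explicit prefix deny."""
    denies = [ipaddress.IPv6Network(p) for a, _, p, _ in acl
              if a == "deny" and p != "::/0"]
    remaining = [ipaddress.IPv6Network("::/0")]
    for d in denies:
        nxt = []
        for r in remaining:
            if d.subnet_of(r):
                nxt.extend(r.address_exclude(d))   # split r around d
            elif not r.subnet_of(d):
                nxt.append(r)                      # untouched by d
        remaining = nxt
    return list(ipaddress.collapse_addresses(remaining))

if __name__ == "__main__":
    print("passes prefix filter:", unfiltered_space())
    # Constructed sample sources; 2001:400:e10::1 is inside the SLAC /48.
    for src, proto, t in [("2001:400:e10::1", "icmp", "nd-ns"),
                          ("fe80::1", "icmp", "nd-ns"),
                          ("::1", "tcp", None),
                          ("2001:400:e10::1", "tcp", None)]:
        print(src, proto, t, "->", evaluate(src, proto, t))
```

The three prefix denies leave exactly 2000::/3 (global unicast) unfiltered. With only the rules listed, a neighbor solicitation sourced from a link-local address (fe80::/10) matches the 8000::/1 deny before it reaches the implicit ND permits, so ND from link-local sources needs its own permit ahead of that entry.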
IPv6 on Linux
• RedHat Linux has been our OS of choice, so far.
• On the network in a few steps with automatic
configuration:
– Add the following line in /etc/sysconfig/network:
NETWORKING_IPV6="yes"
– Restart networking (or reboot)
• Static configuration for servers (such as our WWW server):
– Add the following line in /etc/sysconfig/network:
IPV6_AUTOCONF=no
– Add the following line in /etc/sysconfig/ifcfg-<int>:
IPV6INIT=yes
Software
• Bind/DNS
www.isc.org/products/BIND/bind9.html
– Version 9 with IPv6 support.
– Configured an IPv6 DNS for caching-only Name Server
– Added entries for IPv6 nodes on the SLAC IPv4 Name
Server
– Using the Indiana GigaPop DNS (ns4.indiana.edu)
• NTP
www.ntp.org
– Distribution 4 with IPv6 support.
– Running version 1.74
– Synchronized our nodes to the public Viagenie server:
(www.viagenie.qc.ca/en/ipv6/ntpv6/utilisation.shtml)
PingER for IPv6
• Previous experience at SLAC with IPv6 a year ago was
with PingER (www.6bone.net).
• Starting point = the Perl module for IPv4 PingER.
• PingER-IPv6 required minor code modifications:
– To handle address/name resolution (like gethostbyname)
– The installation of Perl modules that do not come with the
standard RedHat distribution:
• Time::CTime.pm (to format time a la ctime(3))
• DB_File.pm (to tie to DB files)
• Socket.pm
Monitored nodes
A list of ping-able nodes, put together by Bill Owens,
circulated on the I2 IPv6 mailing list:
http://ipv6.internet2.edu/ipv6hosts.shtml
The 39 nodes are located in:
– Abilene network (core routers and measurement nodes)
– Front Range GigaPop
– Great Plains Network
– Indiana GigaPop
– InterMountain GigaPop
– Merit
– NYSernet
– Pittsburgh SuperComputing
– Oregon GigaPop
– WiscNet
Monitored path
The monitoring traffic leaves the ESnet network
at Sunnyvale (one hop from SLAC) and it flows
over the I2 network.
[Diagram labels: SLAC; ESnet (SNV); I2 IPv6 network]
Looking into having IPv6 nodes at ESnet sites, to
look into the performance of the ESnet
network.
PingER metrics
The information that can be extracted is the same as in
the IPv4 PingER:
– Duplicate Packets
– Average Round Trip Time
– Minimum Packet Loss
– Inter-Quartile Range
– Conditional Loss Probability
– TCP Throughput
– Ping Unreachability
– Ping Unpredictability
– Minimum Round Trip Time
– Packet Loss
– Out of Order Packets
– Zero Packet Loss Frequency
– Inter-Packet Delay Variation
Results: RTT
[Plot annotation: Sudden improvement on July 21]
Results: RTT IPv6 vs. IPv4
[Plot annotations: CHIN, HSTN, IPLS still slower on IPv6 than IPv4; After the July 21 improvement]
Results: packet loss
[Plot annotations: Other sites have 0% losses; Only 3 sites have shown packet losses: maybe due to node reconfiguration?]
Results: other variables
We have looked at the following:
• Reachability = very good. These nodes are
always up and stable. The only node we are
having problems with is mon.chpc.utah.edu
(being configured/rebooted?)
• Out-of-order packets = none
• Inter-packet delay = normal (jitter slightly
higher for WISCNET, NEXTGEN and
COLUMBIA)
Next…
Monitoring
– Expand the list of monitored nodes: keen on finding
partners in the ESnet community!
– Publish and make available the IPv6 PingER module (Perl
module);
– Port to IPv6 other monitoring tools we are using (AbwE,
IEPM-BW).
Infrastructure
– Add more nodes and experiment with other OSes
• Windows XP and Sun Solaris (as in SLAC IPv4 environment);
– Extend the services: web server coming, more work on
DNS, mail
– Physics research applications that could benefit from
running on IPv6.
Conclusions
The “easy part”:
• Connect to the native IPv6 ESnet
• Find some nodes to devote to IPv6 and
configure/debug/port applications
The “hard part”:
• Try to involve the other groups (system managers, web
managers, security);
• Define the same standards of manageability and security as
we have in the IPv4 environment;
• Move the product to the user community.
The path from a few nodes on IPv6 to a “production”
network is a long one. But we are starting…
Starting too?
• Participating in the PingER-IPV6?
– Email [email protected]
• Web pages with PingER-IPv6 data:
– IPv4 web server:
http://www.slac.stanford.edu/comp/net/ipv6
http://www-iepm.slac.stanford.edu/cgiwrap/pingtable.pl?dataset=ipv6
– IPv6 web server (coming-pending SLAC security approval):
http://[www-ipv6.slac.stanford.edu]:/monitoring/pinger-ipv6
• General IPv6 mailing lists:
Internet2 = [email protected]
6Bone = [email protected]
Backup slide = RTT to routers