
Page 1: Paola Grosso - I2/ESCC Joint Tech IPv6 SLAC update Paola Grosso SLAC Networking Group grosso@slac.stanford.edu

IPv6 SLAC update

Paola Grosso
SLAC Networking Group
grosso@slac.stanford.edu

IPv6 pros

• More addresses
  – 128-bit addresses (10^30 addresses per person)
    to take care of the depletion of IPv4 addresses;
    to allow new devices to be network enabled.

• Better mobility
  – Auto configuration of nodes
    to allow movement without losing network connectivity (home address vs. care-of address).

• Better security
  – IPSec part of the protocols
    to enable end-to-end services (data integrity, access control).

IPv6 out there…

• The research networks:
  – Native connection to the research network backbones (Internet2, ESnet, GEANT)
  – IPv6 Land Speed record by CERN and CalTech of 983 Mbps
    http://info.web.cern.ch/info/Press/PressReleases/Releases2003/PR09.03EInternet.html

• The implementers:
  – Asia:
    • Japan to convert IT infrastructure to IPv6 by 2005
  – DOD to transition to IPv6 by 2008
    http://www.dod.mil/releases/2003/nr20030613-0097.html

• The commercial world:
  – Major vendors (start to) ship IPv6 enabled products

IPv6 at SLAC: why?

We have not exhausted our address space (still “plenty” of addresses in our /16).

We do not have any users/applications in need of IPv6.

Why bother?

• Gain experience with the technology;
• Think and plan ahead;
• Find first portable applications.

SLAC IPv6 network setup

SLAC connects to the IPv6 Internet via a native connection provided by ESnet.

[Diagram labels: SLAC IPv6 intranet; Rtr-ipv6; Cisco 3640; Juniper M10; ESnet; IPv6 internet]

IPv6 configuration:

    ipv6 unicast-routing
    interface <int-name>
     no ip address
     ipv6 address <address/mask>

Not BGP, but static route.

SLAC IPv6 Addressing Schema

ESnet provides us with:

• A point-to-point network, for the router connections: 2001:400:0e02:8::/64
• The internal SLAC IPv6 network: 2001:0400:0e10::/48

Internal addressing schema:
http://www.slac.stanford.edu/comp/net/ipv6/Addressing-ipv6.html

The grand schema is to have:
• 16 services, each one with up to 64 subnets
  (4 bits for services and 6 bits for the service subnets)

SLAC IPv6 code requirements

Three requirements for the project approval from the SLAC security group:

– Running a cryptographic image that allows SSH client/server on the router;
– Support for Reflexive Access Lists;
– A client-based network, i.e. all connections have to be initiated from within, with few exceptions:
  • SSH incoming
  • IPv6 ping to internal nodes
  • WEB server (approval pending)

The Cisco code that can do this is: 12.3(1a)

Access lists rules

A few basic rules:

0. Anti-spoofing rules

1. Filter the non-routable addresses:
   • deny ipv6 ::/3 any
   • deny ipv6 4000::/2 any
   • deny ipv6 8000::/1 any log

2. Allow neighbor-advertisement and neighbor-solicitation traffic (implicit):
   • permit icmp any any nd-na
   • permit icmp any any nd-ns
   • deny ipv6 any any
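Added example (not from the original slides): a first-match evaluation of the rules above in Python. It shows that the three denies leave only 2000::/3 as an acceptable source range, and that a link-local neighbor solicitation is caught by the 8000::/1 deny if the ND permits come after it. The anti-spoofing entry for the internal prefix 2001:400:e10::/48, the reordered rule list and the sample addresses are assumptions made for the illustration.

```python
import ipaddress

ND_NS, ND_NA = 135, 136  # ICMPv6 types: neighbor solicitation / advertisement

# Inbound rules in the order the slide lists them: (action, source prefix, ICMPv6 type).
# Rule 0 is an assumption: drop outside packets claiming a SLAC-internal source.
SLIDE_ORDER = [
    ("deny", "2001:400:e10::/48", None),
    ("deny", "::/3", None),
    ("deny", "4000::/2", None),
    ("deny", "8000::/1", None),
    ("permit", "::/0", ND_NA),
    ("permit", "::/0", ND_NS),
]
# Same rules with the two ND permits moved to the top (assumed reordering).
ND_FIRST = SLIDE_ORDER[4:] + SLIDE_ORDER[:4]

def evaluate(rules, src, icmp_type=None):
    """First-match verdict for a packet: (action, prefix), or ("next", None) when
    no rule matches and the packet falls through to the service entries (SSH,
    ping) and the final deny, which the slide does not spell out."""
    addr = ipaddress.ip_address(src)
    for action, prefix, rule_type in rules:
        if rule_type is not None and rule_type != icmp_type:
            continue  # ICMPv6-specific rule, packet is a different type
        if addr in ipaddress.ip_network(prefix):
            return action, prefix
    return "next", None

def permitted_space(denies):
    """Prefixes left of ::/0 once every denied source prefix is removed."""
    remaining = [ipaddress.ip_network("::/0")]
    for deny in map(ipaddress.ip_network, denies):
        kept = []
        for net in remaining:
            if net.subnet_of(deny):
                continue  # fully covered by the deny
            if deny.subnet_of(net):
                kept.extend(net.address_exclude(deny))
            else:
                kept.append(net)  # disjoint from the deny
        remaining = kept
    return sorted(remaining)

if __name__ == "__main__":
    # Constructed sample packets: (source address, ICMPv6 type or None).
    for src, typ in [("fe80::1", ND_NS), ("fec0::1", None), ("2001:db8::5", None)]:
        print(src, evaluate(SLIDE_ORDER, src, typ), evaluate(ND_FIRST, src, typ))
    print(permitted_space(["::/3", "4000::/2", "8000::/1"]))
```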

IPv6 on Linux

• RedHat Linux has been our OS of choice, so far.

• On the network in a few steps with automatic configuration:
  – Add the following line in /etc/sysconfig/network:
      NETWORKING_IPV6="yes"
  – Restart networking (or reboot)

• Static configuration for servers (such as our WWW):
  – Add the following line in /etc/sysconfig/network:
      IPV6_AUTOCONF=no
  – Add the following line in /etc/sysconfig/network-scripts/ifcfg-<int>:
      IPV6INIT=yes

Software

• Bind/DNS
  www.isc.org/products/BIND/bind9.html
  – Version 9 with IPv6 support.
  – Configured an IPv6 DNS for caching-only Name Server
  – Added entries for IPv6 nodes on the SLAC IPv4 Name Server
  – Using the Indiana GigaPop DNS (ns4.indiana.edu)

• NTP
  www.ntp.org
  – Distribution 4 with IPv6 support.
  – Running version 1.74
  – Synchronized our nodes to the public Viagenie server:
    (www.viagenie.qc.ca/en/ipv6/ntpv6/utilisation.shtml)

PingER for IPv6

• Previous experience at SLAC with IPv6 a year ago was with PingER (www.6bone.net).

• Starting point = the Perl module for IPv4 PingER.

• PingER-IPv6 required minor code modifications from us:
  – To handle address/name resolution (like gethostbyname)
  – The installation of Perl modules that do not come with the standard RedHat distribution:
    • Time::CTime.pm (to format time a la ctime(3))
    • DB_File.pm (to tie to DB files)
    • Socket.pm

Monitored nodes

A list of ping-able nodes, put together by Bill Owens, circulated on the I2 IPv6 mailing list:

http://ipv6.internet2.edu/ipv6hosts.shtml

The 39 nodes are located in:
– Abilene network (core routers and measurement nodes)
– Front Range GigaPop
– Great Plains Network
– Indiana GigaPop
– InterMountain GigaPop
– Merit
– NYSernet
– Pittsburgh SuperComputing
– Oregon GigaPop
– WiscNet

Monitored path

The monitoring traffic leaves the ESnet network at Sunnyvale (one hop from SLAC) and it flows over the I2 network.

Looking into having IPv6 nodes at ESnet sites, to look into the performance of the ESnet network.

[Diagram labels: SLAC; ESnet (SNV); I2 IPv6 network]

PingER metrics

The information that can be extracted is the same as in the IPv4 PingER:

– Duplicate Packets
– Average Round Trip Time
– Minimum Packet Loss
– Inter-Quartile Range
– Conditional Loss Probability
– TCP Throughput
– Ping Unreachability
– Ping Unpredictability
– Minimum Round Trip Time
– Packet Loss
– Out of Order Packets
– Zero Packet Loss Frequency
– Inter-Packet Delay Variation

Results: RTT

Sudden improvement on July 21

Results: RTT IPv6 vs. IPv4

CHIN, HSTN, IPLS still slower on IPv6 than IPv4

After the July 21 improvement

Results: packet loss

Only 3 sites have shown packet losses: maybe due to node reconfiguration?

Other sites have 0% losses

Results: other variables

We have looked at the following:

• Reachability = very good. These nodes are always up and stable. (The only node we are having problems with is mon.chpc.utah.edu: being configured/rebooted?)

• Out-of-order packets = none

• Inter-packet delay = normal (jitter slightly higher for WISCNET, NEXTGEN and COLUMBIA)

Next…

Monitoring
– Expand the list of monitored nodes: keen on finding partners in the ESnet community!
– Publish and make available the IPv6 PingER module (Perl module);
– Port to IPv6 other monitoring tools we are using (AbwE, IEPM-BW).

Infrastructure
– Add more nodes and experiment with other OSes
  • Windows XP and Sun Solaris (as in SLAC IPv4 environment);
– Extend the services: web server coming, more work on DNS, mail
– Physics research applications that could benefit from running on IPv6.

Conclusions

The “easy part”:
• Connect to the native IPv6 ESnet
• Find some nodes to devote to IPv6 and configure/debug/port applications

The “hard part”:
• Try to involve the other groups (system managers, web managers, security);
• Define the same standards of manageability, security as we have in the IPv4 environment;
• Move the product to the user community.

The path from a few nodes on IPv6 to a “production” network is a long one. But we are starting…

Starting too?

• Participating in the PingER-IPv6?
  – Email [email protected]

• Web pages with PingER-IPv6 data:
  – IPv4 web server:
    http://www.slac.stanford.edu/comp/net/ipv6
    http://www-iepm.slac.stanford.edu/cgi-wrap/pingtable.pl?dataset=ipv6
  – IPv6 web server (coming, pending SLAC security approval):
    http://[www-ipv6.slac.stanford.edu]:/monitoring/pinger-ipv6

• General IPv6 mailing lists:
  Internet2 = [email protected]
  6Bone = [email protected]

Backup slide = RTT to routers