Athanasios Douitsis - NANOG Archive · 2009. 6. 16. · MicroWebserver Mobile Access router Mobile Access IP phone Multilayer switch Multi-Fabric Server Switch Multilayer Remote switch

IPv6 deployment on a broadband access network

Athanasios Douitsis

National Technical University of Athens / Greek Research Network

PTT infrastructure

Cisco Products

Cisco Systems Corporate Iconography

ContentServiceRouter

ContentTransformation Engine

(CTE)

CSU/DSU DetectorCUCCSM-SCS Mars

DirectoryServer

Director-classFibre

Channel director

DistributedDirector

DSLAMDPT DWDMFilter

FDDIRing

Fibre Channel Disk Subsystem

Fibre Channel Fabric switch

FileServer

FirewallFC Storage Front EndProcessor

FireWallServicemodule(FWSM)

Generalappliance

Gatekeeper Genericprocessor

Genericgateway

Genericsoftswitch

GuardHost IAD

router

ICM ICS IOSFirewall

IOSSLB

IntelliSwitchStack

IPDSL

IPCommunicator

IP TelephonyRouter

IP

IPTC IPTV contentmanager

IPTV broadcastserver IP Softphone iSCSI router ISDN switch JBOD Layer 3

SwitchLayer 2

Remote Switch

LocalDirector

LightweightAccessPoint

Locationserver

LongReach CPE MAS Gateway ME 1100 Mesh APMeetingPlace

MCU Metro 1500

DSU/CSU

FDDI

X.25 HostIAD

Hub

V

DPT

IP Phone

IP

MGX 8000Multiservice switch

LWAPP W ESN

Cisco Products


100BaseT Hub 15200 3174 (desktop)cluster controller

3X74 (floor)cluster controller

6700 series 7500ARS(7513)

ADM

10700 AccessPoint ApplicationControl Engine

(ACE)

ASICProcessor

ATM 3800ATA ATM Router ATM Switch ATM TagSwitchRouter

ATM FastGigabit

Etherswitch

AVS(Application

Velocity Engine)

ADM

Bridge BBSM Broadbandrouter

BTS 10200 Cable Modem CallManager CarrierRoutingSystem

CatalystAccess Gateway

CDDI-FDDI

CDMContent Distribution

Manager

Centri Firewall Cisco 1000 Cisco HubCiscoFile Engine

Cisco CA

Cisco Unified

Presence Server

CiscoSecurityCisco ASA 5500 CiscoWorksworkstation

CiscoUnity Express

Class4/5switch

Contact CenterCommunicationsserver Content

Engine(Cache Director)

Content ServiceSwitch 1100

Content Switchmodule

Content Switch

V

V

M

V

WWW

Cisco Products


MicroWebserver MobileAccessrouter

MobileAccess IP

phone

Multilayerswitch

Multi-FabricServerSwitch

MultilayerRemote switch

MoH server(Music on Hold)

MultiSwitchDevice

NACappliance

NetRanger NetSonar NetworkManagement

NetFlowrouter

Optical ServicesRouter

Optical AmpliiferONS15500 OpticalTransport

PC RouterCard

PIXFirewall

PMC ProgrammableSwitch

ProtocolTranslator

PXF RateMUX RelationalDatabase

Repeater

Route SwitchProcessor

Router withSilicon Switch

Router Smallhub

SoftswitchPGWMGC

SSCStandardhost

Streamer

SIP Proxyserver

Server withPC Router

ServerSwitch

Service control

StorageRouter

Storagearray STP

Systemcontroller

Tape array TDMrouter

Transpath uBR910 uMG series Unity server UniversalGateway

UPC

Vault VIP

Router withFirewall

Si

PC AdapterCard

Si

STP

TDM

IP

Virtualswitch controller

(VSC 3000)

802.11

VirtualLayer Switch

SSC

A. Douitsis - IPv6 deployment on a broadband access network

EduDSL in a nutshell

[email protected]

proxy radius

ISP1

ISP2

ISP3

Cisco Products


MicroWebserver MobileAccessrouter

MobileAccess IP

phone

Multilayerswitch

Multi-FabricServerSwitch

MultilayerRemote switch

MoH server(Music on Hold)

MultiSwitchDevice

NACappliance

NetRanger NetSonar NetworkManagement

NetFlowrouter

Optical ServicesRouter

Optical AmpliiferONS15500 OpticalTransport

PC RouterCard

PIXFirewall

PMC ProgrammableSwitch

ProtocolTranslator

PXF RateMUX RelationalDatabase

Repeater

Route SwitchProcessor

Router withSilicon Switch

Router Smallhub

SoftswitchPGWMGC

SSCStandardhost

Streamer

SIP Proxyserver

Server withPC Router

ServerSwitch

Service control

StorageRouter

Storagearray STP

Systemcontroller

Tape array TDMrouter

Transpath uBR910 uMG series Unity server UniversalGateway

UPC

Vault VIP

Router withFirewall

Si

PC AdapterCard

Si

STP

TDM

IP

Virtualswitch controller

(VSC 3000)

802.11

VirtualLayer Switch

SSC

uplink

Greek Student Network infrastructure

Home RADIUSes

PPP

LNS’s

institution address pools

mailto:[email protected]



Present Status

• 50 institutions - provisioning of IP addresses

• 30,000 users - assignment of IP to each user according to affiliated institution

• 3 commercial ISPs - user account management, billing, accounting

• Greek Research Network - connectivity, administration, equipment

• 9 LNS’s, 3 Gigabit uplinks, 2 Proxy RADIUSes


Objective: Native IPv6 over PPP (PPPv6)

• IPv6-enabled PPP connections

• IPv6-enabled home LAN support (behind CPE)

• IPv6 accounting

• No user action necessary

• EduDSL-specific: IPv6 addresses per institution

• EduDSL-specific: ISP RADIUSes unaffected

• CPE: Windows Vista, MacOSX, GNU/Linux, FreeBSD, other vendors


Addressing Scheme

• 2 /64 prefixes for each user (1 PPP, 1 Home LAN).

institution prefix LNS id address pool interface id

48-bits 4-bits 12-bits 64-bits

• ipv6 local pool inst2-pool 2001:648:2001::/52 64

>=1 prefix from each institution

at most 16 LNSs4096 prefixes per LNS per institution

unique persistent interface id per user


IPv6 over PPP (RFC 2472)

• LCP unchanged

• IPv6CP

• (Optional) Interface ID - lower 64 bits settable by the LNS

• IPv6 Address auto-configuration over established link after PPP start

• Recommendation for /64 prefixes

PPP

LNS CPErouter advertisement


IPv6 on Home LAN - Neighbor Discovery Proxies

• RFC 4389

• Proxying of ICMPv6 ND messages to the Home LAN

• Only 1 /64 prefix needed per user for both PPP and Home LAN

• No known implementations at this point - adoption postponed

PPP Home LAN

LNS CPErouter advertisement proxy router

advertisement


IPv6 on Home LAN - DHCPv6 prefix delegation

• Request of additional prefix by the CPE

• DHCPv6 requests and responses over the PPP link

• delegation of IPv6 /64 prefix to the CPE by the LNS

• Home LAN enumerated using address auto-configuration and the delegated /64 prefix

PPP Home LAN

LNS CPEDHCPv6 request router advertisementprefix a:b:c:d/64DHCPv6 responce

a:b:c:d/64ipv6 local pool inst2-pool 2001:648:2001::/52 64


RADIUS attributes for IPv6

• Framed-IPv6-Pool

• Framed-Interface-ID

access request

access acceptFramed-IPv6-Pool = inst2Framed-Interface-Id = aaaa:bbbb:cccc:dddd

RADIUSLNS

accounting (start/stop)Framed-Interface-Id = aaaa:bbbb:cccc:dddd


RADIUS attributes for IPv6 Prefix Delegation

• EduDSL: Usage of the same prefix pool for PPP and Home LAN

• Simpler configuration

• Uniformity

• Efficient Usage

LNSCPE

DHCPv6 request

DHCPv6 responcea:b:c:d/64RADIUS access accept

Framed-IPv6-Pool = inst2Framed-Interface-Id = aaaa:bbbb:cccc:dddd

cisco-avpair = "lcp:interface-config=ipv6 dhcp server inst2-dhcp"

ipv6 local pool inst2-pool 2001:648:2001::/52 64

ipv6 dhcp pool inst2-dhcp prefix-delegation pool inst2-pool


IPv6 DNS (see RFC 4339)

• RFC 5006: IPv6 Router Advertisement Option for DNS Configuration -- not available

• Anycast DNS -- to be evaluated later

• DHCPv6 stateless mode - used for EduDSL

• “Other” options flag in LNS RA

• Ability to include other options in the future: SNTP server etc.

• Works harmoniously with IPCP-defined DNS settings for IPv4

ipv6 dhcp pool inst2-dhcp prefix-delegation pool inst2-pool dns-server 2001:648:2FFC:100::2211


IPv6 accounting

• Based on Framed-Interface-ID (== lower 64-bits of PPP IPv6 Address)

• 1 unique Framed-Interface-ID per unique user

• Generation of Framed-Int-ID by hashing ‘[email protected]’ to 64-bits

• Other option: Storage of IDs into DB

• Optional adoption by ISP Home RADIUSes


Problems & Workarounds

• Cisco IOS: IPv4+IPv6 ACL name clash on dual stack virtual templates -- serious

• kill ACLs from virtual template (d’oh!)

• DHCPv6: Crazy, buggy or malevolent clients -- address exhaustion, need for resource controls

• Critical

• Accounting: Missing of some IPv6-* RADIUS attributes from Acct. messages

• Usage of Frame-Interface-ID


Problems & Workarounds - 2

• DHCPv6 prefix delegation: No way to configure using IETF RADIUS attributes

• Use VSA pairs (IOS virtual profile cloning disabled?)

• DHCPv6 accounting

• Critical


Why not static IPv6 prefixes per user?

✓Simplified RADIUS configuration

✓easy setup of DHCPv6 prefix delegation

✓decoupling from LNS implementation

• But: random destination LNS for each PPP session -- very bad for routing

• Tens of thousands of IGP routes constantly changing


Current Status

• IPv6 enabled test accounts to selected individuals

• Native IPv6 CPEs

• PPPoE and Vista

• Proxy RADIUS changes readily available

• Windows Vista

• Seamless home LAN enumeration by Internet Connection Sharing Agent


Future Directions

• Fixing of current problems (Accounting, DHCPv6)

• Investigation of a tunnel switch possibility

• IPv6-enabling of one institution

• monitoring and fixing of problems

• Testing of a Juniper E-Series 320


Addendum -- JunOSe10.1

• Framed-IPv6-Prefix required for NDRA over PPP link (cannot use Framed-IPv6-Pool yet)

• Framed-IPv6-Pool usable only for DHCPv6 Prefix Delegation

• Delegated-IPv6-Prefix (IETF) for DHCPv6 Prefix Delegation

Approaches:

• Use Framed-IPv6-Prefix and Delegated-IPv6-Prefix (RADIUS-centric)

• Use Framed-IPv6-Pool for DHCPv6 and Framed-IPv6-Prefix for PPP (awkward)


Thank You! Any Questions?

Many thanks to:

NTUA NOC

GRNet NOC

Alexandros Kosiaris

[email protected]



Documents

Athanasios Douitsis - NANOG Archive · 2009. 6. 16. · MicroWebserver Mobile Access router Mobile Access IP phone Multilayer switch Multi-Fabric Server Switch Multilayer Remote switch