CNGI-CERNET2 SAVI Deployment Update China Education and Research Network (CERNET) /Tsinghua Univ. IETF78, Maastricht July 26, 2010


Outline

• SAVI Switches Implementation
• SAVI Switches Testing
• SAVI Deployment in CNGI-CERNET2
• SAVI Management System and MIB Design

Brief Introduction

• CNGI is China Next Generation Internet
• CNGI-CERNET2
  – CERNET was the 2nd largest ISP in China, 2000+ university campus networks, 20M+ users
  – CERNET2 is the largest IPv6 network
• CNGI-CERNET2 SAVI Deployment Plan
  – 100 university campus networks nationwide
  – 1 Million users
  – Time frame: 2008-2010
  – SAVI software upgrade at about 20K+ access switches
  – SAVI management system installation in 100 campuses
• China Telecom and China Mobile will also deploy

[Map: SAVI switch installation at 100 university campus networks (red dots)]

SAVI Switches Implementation

SAVI Switch Implementation

• Solutions implemented
  – draft-ietf-savi-dhcp-04
  – draft-bi-savi-stateless-01 (from draft-bj-cps, and proposed to be merged with draft-savi-fcfs)
• Vendors
  – ZTE
  – Huawei (New)
  – H3C (3Com)
  – Ruijie
  – Digital China (spun off from Lenovo)
  – Bitway
  – Centec

SAVI-Software Upgradable

• SAVI-upgradable switches in our deployment
  – ZTE: ZXR10 8900, 5900, 3900A
  – Huawei: S5600, 5300, 3500, 3300, 2300
  – H3C (3Com): S5500EI, S5500SI, S5120EI, E126A, E152, E328, E352
  – Digital China: DCRS-5950, 3950
  – Ruijie: RG-S8600, S5750, S5760, S2900, S2600
  – Bitway: BitStream 7000, 6000, 3000
  – Centec: E600 and E300

Command Line Design

• Snooping
  – Enabled at global view or vlan view
  – Command line: XXX snooping enable
    • Start snooping and binding
    • Drop server-end messages (DHCP reply, RA) by default, except for packets from an anchor with attribute XXX-Trust
  – For example, in the DHCP-only scenario:
    • dhcp snooping enable
    • ndp snooping link-local enable
  – undo XXX snooping
    • Stop snooping
    • Stop filtering server-end messages
  – SHOULD write memory if snooping is enabled, and enable snooping automatically after reboot.

Command Line Design

• Verification
  – Enabled at port view
  – ip check source ip-address

Command Line Design

• Port configuration
  – Attached to monitored host: ip check source ip-address
  – Attached to router or DHCP server/relay: RA trust or DHCP trust
  – Fully trusted port: RA trust and DHCP trust
  – Default port: no configuration

Command Line Design

• View & Modification
  – At global view
  – View: show all the IPv6 bindings
    • display ipv6 check source binding table
  – Modification: add or delete bindings manually
    • ipv6 check source binding table add IP XXX MAC XXX PORT XXX TYPE XXX [LIFETIME XXX]
    • ipv6 check source binding table del IP XXX PORT XXX

[Screenshot: Binding State Table of H3C S5500. Entry fields: Source IP | Source MAC | Vlan ID | Type (DHCP or ND)]

[Screenshot: Console Example]

SAVI Switches Testing

Categories of SAVI Testing

• CERNET organized formal testing for SAVI switches
• Test types:
  – Conformance testing
  – Performance testing
  – Test-bed (interoperability) testing
  – Testing in the production network
• Each type has 3 scenarios
  – DHCPv6-only
  – SLAAC-only
  – DHCPv6-SLAAC-mixed
  – In each scenario, the static binding for manually configured addresses is also tested

SAVI Switch Testing

• 10 switch models passed this formal testing
  – ZTE: ZXR10-5928, ZXR10-3928
  – H3C: S5500, S5100, E126A
  – Ruijie: RG-S5760, RG-S2924, RG-S2628
  – Digital China: DCS-5950, DCS-3950
• In total, 4 testing types x 3 scenarios x 10 models = 120 testing reports were generated

[Photo: SAVI switches under test (from different vendors)]

[Photo: Conformance testing (TTCN-3 based testing system developed by Tsinghua)]

[Photo: Performance testing (Agilent N2X)]

[Chart: SAVI performance testing result example: delay (microseconds) after binding is enabled, plotted against binding table size (C1, C2, C3) for the SLAAC-only and DHCPv6-only scenarios, with one series per vendor (H3C, ZTE, DC, RJ)]

[Photos: Test-bed (interoperability) testing]

Interoperability test for host OS

• Windows XP with SP3
• Windows Vista
• Windows 7
• Linux
• Mac OS
• Some DHCPv6 client software, such as Dibbler

SAVI Deployment in CERNET2

Scenarios in Deployment

• DHCP-only
  – Only DHCP and link-local addresses are allowed.
  – DHCP and link-local address snooping are enabled.
• SLAAC-only
  – Only SLAAC addresses are allowed.
  – SLAAC snooping is enabled.
• DHCP-SLAAC-Mixed
  – DHCP and SLAAC addresses are allowed.
  – DHCP snooping and SLAAC snooping are enabled.
• Static addresses (usually for servers) are manually configured in the above scenarios.
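As an added example (not from the CERNET2 slides nor any vendor's switch code), the following Python model ties the command-line design above to these deployment scenarios: per-port XXX-Trust attributes decide whether server-end messages (DHCP reply, RA) are forwarded, the scenario decides which binding types may enter the binding table, LIFETIME ages entries out, and "ip check source" admits a data packet only when its source IP, MAC and anchor match a binding. Port names, addresses and MACs are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional
# Address types each deployment scenario allows (static bindings are manual).
SCENARIOS = {
    "dhcp-only": {"dhcp", "link-local", "static"},
    "slaac-only": {"slaac", "static"},
    "dhcp-slaac-mixed": {"dhcp", "slaac", "link-local", "static"},
}
@dataclass
class Binding:                        # one Binding State Table entry
    ip: str
    mac: str
    port: str                         # the anchor
    btype: str                        # dhcp | slaac | link-local | static
    lifetime: Optional[int] = None    # seconds; None = no expiry
@dataclass
class SaviSwitch:
    scenario: str
    trust: dict = field(default_factory=dict)   # port -> subset of {"dhcp", "ra"}
    bindings: list = field(default_factory=list)
    def add_binding(self, b: Binding) -> bool:
        """Snooped or manual 'binding table add'; refuses types the scenario forbids."""
        if b.btype not in SCENARIOS[self.scenario]:
            return False
        self.bindings.append(b)
        return True

    def tick(self, seconds: int) -> None:
        """Age bindings that carry a LIFETIME; expired entries leave the table."""
        for b in self.bindings:
            if b.lifetime is not None:
                b.lifetime -= seconds
        self.bindings = [b for b in self.bindings if b.lifetime is None or b.lifetime > 0]

    def accept(self, port: str, kind: str, src_ip: str = "", src_mac: str = "") -> bool:
        """kind: 'dhcp-reply' / 'ra' (server-end, needs XXX-Trust) or 'data' (host)."""
        if kind in ("dhcp-reply", "ra"):
            return ("dhcp" if kind == "dhcp-reply" else "ra") in self.trust.get(port, set())
        # data: source must match a binding on this same anchor ('ip check source')
        return any((b.ip, b.mac, b.port) == (src_ip, src_mac, port) for b in self.bindings)

def demo() -> dict:
    # DHCP-only access switch: host on ge1/0/1, router/DHCP-relay uplink on ge1/0/24
    sw = SaviSwitch("dhcp-only", trust={"ge1/0/24": {"dhcp", "ra"}})
    sw.add_binding(Binding("2001:db8::10", "00:11:22:33:44:55", "ge1/0/1", "dhcp", 3600))
    return {"bound host": sw.accept("ge1/0/1", "data", "2001:db8::10", "00:11:22:33:44:55"),
            "unbound source": sw.accept("ge1/0/1", "data", "2001:db8::99", "00:11:22:33:44:55"),
            "ra from host port": sw.accept("ge1/0/1", "ra"),
            "ra from trusted uplink": sw.accept("ge1/0/24", "ra")}
```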

Example: Tsinghua Univ. campus network deployment (software upgrade at access switches)

[Diagram: Tsinghua campus topology. Campus backbone (IPv4/IPv6) at the aggregation level; SAVI access switches at the access level serving 20K users (students); sites include office/teaching areas, faculty apartments, student dorms, FIT, the library and other campus buildings, with two exits.]

Campus deployment figures:

subnets | switches | ports | hosts | users
114 | 1018 | 23414 | 22644 | 20280

Deployment at Campus Network

• Tsinghua Student Dorms: 20+ buildings, 20K+ students
• 10 models from different vendors in 3 scenarios

[Diagram: DHCPv6 relay in the access network, DHCPv6 server on WS2008]

Deployment in Student Buildings

[Photos: Real deployment in student dorms]

• H3C: DHCPv6-only
• Digital China: DHCP-SLAAC-mixed
• Ruijie: SLAAC-only
• ZTE: SLAAC-only

Example: SAVI deployment in Tsinghua FIT building

[Diagram: FIT building network. Two core switches (FIT building CS_1 and CS_2); for IPv4, HSRP provides hot standby for the uplinks of each access device, with CS_1 active and CS_2 standby (VIP *.*.*.1). Each building subnet carries a paired IPv4 /24 and IPv6 /64 prefix; an IPv6 ISATAP tunnel, a firewall (in/out) and a mirror port hang off the core; links are 10GE, GE and FE. Labs and centers shown include DragonLab, ChinaGrid, XinXiXY, FIT Center and YaoQiZhi-Lab, connected through Digital China access switches. Prefix-granularity anti-spoofing by RPF; host-granularity anti-spoofing by SAVI at the access switches.]

Deployment in Office Building

• FIT Building of Tsinghua Univ.
• From Oct 2009 (about 10 months)
• No initial DAD-NS loss observed (link-local address bound)
• Ruijie RG-2652
• Digital China S3950 switches

[Screenshot: Digital China console, 61 addresses bound at a 24-port switch, multiple addresses per host: 6to4, global and link-local]

SAVI Management System and MIB Design

MIB tree

Function

• Set:
  – SAVI-DHCP or SAVI-SLAAC function
  – Anchor (switch port) type
  – Binding limitation of anchor
• Get:
  – Binding State Table entries
  – Filtering Table entries
  – Statistics

Structure of SAVI-MIB

• Two separate MIB trees
  – IPV4SAVI-MIB for IPv4
  – IPV6SAVI-MIB for IPv6
  – They have a similar structure
• In the following we illustrate IPV6SAVI-MIB

Structure of IPV6SAVI-MIB

• ipv6SaviObjectsStatus
  – SAVI-DHCP/SAVI-SLAAC status
• ipv6SaviObjectsMaxDadDelay, ipv6SaviObjectsMaxDadPrepareDelay
  – constants of SAVI
• ipv6SaviObjectsIfStatusTable
  – Validation type of anchor
  – Trust type of anchor
  – Binding limitation of anchor
• ipv6SaviObjectsBindingTable
  – Binding State Table entries

Structure of IPV6SAVI-MIB

• ipv6SaviObjectsIfStatusTable
  – ipv6SaviObjectsIfStatusIfIndex InterfaceIndex
  – ipv6SaviObjectsIfStatusCheckStatus Integer32
  – ipv6SaviObjectsIfStatusTrustStatus Integer32
  – ipv6SaviObjectsIfStatusBindingNum Unsigned32

Structure of IPV6SAVI-MIB

• ipv6SaviObjectsBindingTable
  – ipv6SaviObjectsBindingIfIndex InterfaceIndex
  – ipv6SaviObjectsBindingType Integer32
  – ipv6SaviObjectsBindingIdentifier InetAddressIPv6
  – ipv6SaviObjectsBindingMacAddr MacAddress
  – ipv6SaviObjectsBindingState Integer32
  – ipv6SaviObjectsBindingLifetime TimeInterval
  – ipv6SaviObjectsBindingRowStatus RowStatus

[Screenshot: SAVI management system implemented: subnet view]

[Screenshot: Switch view (data gathered in Tsinghua FIT building)]

[Screenshot: Interface status]

[Screenshot: Binding and filtering table of a switch]

[Screenshot: Log of user arrival and departure]

Thank You! Q & A

Conclusions

• SAVI drafts have been implemented by multiple vendors and are being deployed at large scale in CERNET2
  – draft-ietf-savi-dhcp-04
  – draft-bi-savi-stateless-01
• SAVI switches in CNGI-CERNET2 have been fully tested
• SAVI management system and MIB have been designed
• A light-weight SAVI-SLAAC is necessary for low-end access switches in large-scale deployment
  – Currently, no major problem found
  – For details: draft-bi-savi-stateless-01