IPv6 Deployment @IHEP

QI Fazhi ／ IHEP CC

IPv6 Deployment @IHEP

QI Fazhi/ IHEP [email protected]

HEPiX,Beijing, October 2012


2

*

• Why IPv6?

• Background & History

• Key technologies

• Deployment Principles

• Current Status

• Work Plan

Context


Why?

• A lot of reasons drive the deployment of IPv6• Every one here knows about it……

• But in China, IPv6 has better available bandwidth & free to use


IPv6 in China

CNGI project approved, Leaded by National Reform and Development Committee, Started the Chinese IPv6 Network backbone deploymentCNGI project approved, Leaded by National Reform and Development Committee, Started the Chinese IPv6 Network backbone deployment

Chinese Government released the “Twelfth Five-Year” Development Plan for next-generation Chinese Government released the “Twelfth Five-Year” Development Plan for next-generation

Premier Wen Jiabao Chaired the State Council meeting to discuss how to speed up the develpoment of the China Next Generation networkPremier Wen Jiabao Chaired the State Council meeting to discuss how to speed up the develpoment of the China Next Generation network

The National Reform and Development Committee fund for the research of CNGI industrialization and security projects The National Reform and Development Committee fund for the research of CNGI industrialization and security projects


CNGI Backbone


CNGI-CSTNet & CERNet


IPv6 History @IHEP

• 2008 – 1Gbps IPv6 Link to CNGI, Part of IHEP endpoints

support IPv6

• 2009– IHEP started to use the IPv6 Link to do the HEP

data transfer between the cooperated Universities(SDU/…)

• 2011– IHEP DNS supports IPv6

• 2012– Dual Stack IHEP Campus Network, 10Gbps IPv6

link CNGI(Fund from The National Reform and Development Committee )

– Associated with ChinaNet/Universities, applied the CNGI industrialization and security projects


Key Technologies

• Transition

• Address assignment

• Security


Transition

• Goals– tunnel between IPv6 islands– translate between IPv4 and IPv6

• Tunnel application• Tunnel type

– Configured tunnels• Router to router

– Automatic tunnels• Tunnel Brokers (RFC 3053)

– Server-based automatic tunneling• 6to4 (RFC 3056)

– Router to router• ISATAP (Intra-Site Automatic Tunnel

Addressing Protocol)– Host to router, router to host– Maybe host to host

• 6over4 (RFC 2529)– Host to router, router to host


Case: IPv4 Over IPv6

• Goal– To use the high available bandwidth

of IPv6 in China to do the HEP data transfer,

• Result – Network performance: 10 times

improvement

USTC IPv6 Server IHEP IPv6 Server

USTC Router IHEP Router

eth0 eth0

eth1 eth1

eth1 eth1

USTC IHEP

IPv6 Network Link (CNGI)


IP Address assignment

• Too long to remember and configure manually

• Two basic methods defined for autoconfiguration of IPv6 hosts:

– Stateless Autoconfiguration• A method defined to allow a host to configure itself without help from

any other device.• Problem: it does not supply a DNS server address.

– Stateful Autoconfiguration• A technique where configuration information is provided to a host by

a server.


DHCPv6

• The operation of DHCPv6 is similar to that of DHCPv4, but the protocol itself has been completely rewritten.

• It is not based on the older DHCP or on BOOTP, except in conceptual terms.

• It still uses UDP but uses – new port numbers

• Client: 546• Server/Relay agent: 547

– a new message format, and restructured options

• DHCPv6 is not compatible with DHCPv4 or BOOTP.

• The network switch should support dhcpv6 relay


Security

• Security Zones– Isolated physically– Different level security

• Firewall – iptables


IPv6 deployment principles @IHEP

• Dual Stack• The same management and security policies with IPv4

– Users (IP) management– Monitoring – Access control

• Network Services– DNS– WEB– Email– ……

• Grid & Cloud Computing


User Information Management & Access Control

• Central Database – IPDB– MAC Address is the key

• Static IP address for Users– IPv6/IPv4 host addresses assigned by DHCPv6/DHCPv4 servers, based on

the MAC address declared in the IPDB

• Central Control System– User information management– Network devices information management– Dhcpd configuration auto-updated– Release access policies to the proper user switch

•


Security • ZONEs & Firewall

– Internal(Private) Network• End-points in the offices• The highest-level security

– To Internet: open– From Internet: Deny

– DMZ1:Special Server/User Network • Locates in the meeting rooms and user offices• Use the same link with private network(but isolated by VLAN with trunk)• For video conference …….• Can be accessed from internet and internal, but can not access internal area

– DMZ2: Public Server Network • Locates in CC for public services(DNS/Email/……)• Can be accessed from internet and internal with special TCP/UDP ports, but

can not access internal area

– WAN: Internet zone• Locates in IHEP CC, no firewall policy• Perfsonar/perfsonar1.ihep.ac.cn


Security(2)

• IDS– Tcpdump based system– Rules added based IHEP needs

• ssh port scan frequency• Windows virus……

– Action(Send policies) to firewall system to control the network access

• Network traffic and behavior analysis


Current Status• Infrastructure deployment ✔

– All the network devices(switch/router/firewall) support IPv6

• Infrastructure Monitoring ✔– Easy to do (all the devices are dual stack supported)

– Cacti & Nagios with IPv6 patch

• User(IP) management– The ipdb & access control system: in production

– DHCPv6: on going• DHCPv6 service is ready(running on the same server with DHCPv4)• no perfect windows xp client for IPv6 !!! • Most of IHEP users are Using stateless ipv6 address now, but IHEP CC users use the DHCPv6 to

achieve ipv6 address.

• Security ✔– Firewall: in production

– IDS: in production

– Network traffic and user behavior analysis: on going


Current Status(cont.)

• IHEP IPv6 prefixes– 2001:cc0:2010::0/48

• globally routed, full Internet connectivity

• IPv6 User address assignment– One IPv6 subnet per vlan, together with the IPv4 subnet. Subnet

mask: /64 – For example:Vlan 32: 202.122.32.0/24 2001:cc0:2010:32::0/64

• IPv6 Network Services– DNS: ✔– DHCP: ✔– NTP: ✔– Web(partly supported)– Video webcast: on going


IHEP User Access Control Procedure

Online Register

MAC/User Name/Email/Tel/Building/Room number/Plugin number/……

MAC/User Name/Email/Tel/Building/Room number/Plugin number/……

Switch configuration updated

Assign IP address

ok

IPDB

DHCP configuration updated

save

Approved by Admin

Submit

no

Switch information: IP/Port/Vlan/Switch-Room/Plugin Number relationshipVlan/IP subnet/switch-port relationshipIP/MAC relationship……

Switch information: IP/Port/Vlan/Switch-Room/Plugin Number relationshipVlan/IP subnet/switch-port relationshipIP/MAC relationship……


Current Status(cont.)


Problems

• IPv6 address assignment – DHCPv6 client for windows xp

• No enough resources and applications in the IPv6 internet world– Most of the IHEP IPv6 traffic are video/iptv/……– Less scientific data go through IPv6


Work Plan

• Virtual Envionment (Openstack) – Public web services running here

• IPv6 enabled in Data Area Network(testbed for Grid)– HEPiX IPv6 Group

• HEP(BESIII/DYB Experiments) data transfer with IPv6– In discussion


Questions?

&

Thank you for your attention!

Documents

IPv6 Deployment @IHEP