IPv6 SLAC update

1
IPv6 SLAC update

• Paola Grosso
• SLAC Networking Group
• grosso_at_slac.stanford.edu

2
IPv6 pros

• More addresses
• 128 bits addresses (1030 addresses/per person)
• to take care of the depletion of IPv4 addresses
• to allow new devices to be network enabled.
• Better mobility
• Auto configuration of nodes
• to allow movement without losing network
  connectivity (home address vs. care-of address).
• Better security
• IPSec part of the protocols
• to enable end-to-end services (data integrity,
  access control).

3
IPv6 out there

• The research networks
• Native connection to the research networks
  backbones (Internet2, ESnet, GEANT)
• IPv6 Land Speed record by CERN and CalTech of 983
  mbps
• http//info.web.cern.ch/info/Press/PressReleases/R
  eleases2003/PR09.03EInternet.html
• The implementers
• Asia
• Japan to convert IT infrastructure to IPv6 by
  2005
• DOD to transition to IPv6 by 2008
• http//www.dod.mil/releases/2003/nr20030613-0097.h
  tml
• The commercial world
• Major vendors (start to) ship IPv6 enabled
  products

4
IPv6 at SLAC why?

• We have not exhausted our address space (still
  plenty of addresses in our /16) .
• We do not have any users/applications in need of
  IPv6.
• Why bother?
• Gain experience with the technology
• Think and plan ahead
• Find first portable applications.

5
SLAC IPv6 network setup

• SLAC connects to the IPv6 Internet via a native
  connection provided from ESnet.

IPv6 configuration ipv6 unicast-routing interface
ltint-namegt no ip address ipv6 address
ltaddress/maskgt
Not BGP, but static route.
6
SLAC IPv6 Addressing Schema

• ESnet provides us with a
• Point to point network, for the router
  connections
• 20014000e028/64
• The internal SLAC IPv6 network
• 200104000e10/48
• Internal addressing schemahttp//www.slac.stanfo
  rd.edu/comp/net/ipv6/Addressing-ipv6.html
• The grand schema is to have
• 16 services each one with up to 64 subnets.
• (4 bits for services and 6 bits for the service
  subnets)

7
SLAC IPv6 code requirements

• Three requirements for the project approval from
  the SLAC security group
• Running a cryptographic image that allows SSH
  client/server on the router
• Support for Reflexive Access Lists
• A Client-based network, i.e all connections have
  to be initiated from within, with few exceptions
• SSH incoming
• IPv6 ping to internal nodes
• WEB server (approval pending)
• The Cisco code that can do this is 12.3(1a)

8
Access lists rules

• Few basic rules
• 0. Anti-spoofing rules
• Filter the non routable address
• deny ipv6 /3 any
• deny ipv6 4000/2 any
• deny ipv6 8000/1 any log
• Allow neighbor-advertisement and
  neighbor-solicitation traffic (implicit)
• Permit icmp any any nd-na
• Permit icpm any any nd-ns
• Deny ipv6 any any

9
IPv6 on Linux

• RedHat Linux has been our OS of choice, so far.
• On the network in few steps with automatic
  configuration
• Add following line in /etc/sysconfig/network
  NETWORKING_IPV6"yes"
• Restart networking (or reboot)
• Static configuration for servers (as our Www)
• Add the following line in /etc/sysconfig/network
  IPV6_AUTOCONFno
• Add the following line in /etc/sysconfig/ifcfg-ltin
  tgt
• IPV6_INITyes

10
Software

• Bind/DNS
• www.isc.org/products/BIND/bind9.html
• Version 9 with IPv6 support.
• Configured an IPv6 DNS for caching-only Name
  Server
• Added entries for IPv6 nodes on the SLAC IPv4
  Name Server
• Using the Indiana GigaPop DNS (ns4.indiana.edu)
• NTP
• www.ntp.org
• Distribution 4 with IPv6 support.
• Running version 1.74
• Synchronized our nodes to the public Viagenie
  server
• (www.viagenie.qc.ca/en/ipv6/ntpv6/utilisation.shtm
  l)

11
PingER for IPv6

• Previous experience at SLAC with IPv6 year ago
  was with PingER (www.6bone.net).
• Starting point the Perl module for IPv4 PingER.
• PingER-IPv6 required us minor code modifications
• To handle address/name resolution (like
  gethostbyname)
• The installation of Perl modules that do not come
  with the standard RedHat distribution
• TimeCTime.pm (to format time a la ctime(3))
• DB_file.pm (to tie to DB files)
• Socket.pm

12
Monitored nodes

• A list of ping-able nodes, put together by Bill
  Owens, circulated on the I2 IPv6 mailing list
• http//ipv6.internet2.edu/ipv6hosts.shtml
• The 39 nodes are located in
• Abilene network (core routers and measurement
  nodes)
• Front Range GigaPop
• Great Plains Network
• Indiana GigaPop
• InterMountain GigaPop
• Merit
• NYSernet
• Pittsburgh SuperComputing
• Oregon GigaPop
• WiscNet

13
Monitored path

• The monitoring traffic leaves the ESnet network
  at Sunnyvale (one hop from SLAC) and it flows
  over the I2 network.
• Looking into having IPv6 nodes at ESnet sites, to
  look into the performance of the ESnet network.

14
PingER metrics

• The information that can be extracted is the same
  as in the IPv4 PingER
• Duplicate Packets
• Average Round Trip Time
• Minimum Packet Loss
• Inter-Quartile Range
• Conditional Loss Probability
• TCP Throughput
• Ping Unreachability
• Ping Unpredictability
• Minimum Round Trip Time
• Packet Loss
• Out of Order Packets
• Zero Packet Loss Frequency
• Inter-Packet Delay Variation

15
Results RTT
Sudden improvement on July21
16
Results RTT IPv6 vs. IPv4
CHIN,HSTN,IPLS still slower on IPv6 than IPv4
After the July 21 improvement
17
Results packets loss
Only 3 sites have shown packets losses maybe
due to nodes reconfiguration?
Other sites have 0 losses
18
Results other variables

• We have looked at the following
• Reachability very good. These nodes are always
  up and stable. Only node we are having problem
  with is mon.chpc.utah.edu being
  configured/rebooted?)
• Out-of-order-packetsnone
• Inter-packet-delay normal (jitter slightly
  higher for WISCNET, NEXTGEN and COLUMBIA)

19
Next

• Monitoring
• Expand the list of monitored nodes keen on
  finding partners in the ESnet community!
• Publish and make available the IPv6 Pinger module
  (Perl module)
• Port to IPv6 other monitoring tools we are using
  (AbwE, IEPM-BW).
• Infrastructure
• Add more nodes and experiment with other OSes
• Windows XP and Sun Solaris (as in SLAC IPv4
  environment)
• Extend the services web server coming, more work
  on DNS, mail
• Physics research applications that could benefit
  from running on IPv6.

20
Conclusions

• The easy part
• Connect to the native IPv6 ESnet
• Find some nodes to devote to IPv6 and
  configure/debug/port applications
• The hard part
• Try to involve the other groups (system managers,
  web managers, security)
• Define the same standards of manageability,
  security as we have in the IPv4 environment
• Move the product to the user community.
• The path from a few nodes on IPv6 to a
  production network is a long one. But we are
  starting

21
Starting too?

• Participating in the PingER-IPV6?
• Email ipv6-l_at_slac.stanford.edu
• Web pages with PingER-IPv6 data
• IPv4 web server
• http//www.slac.stanford.edu/comp/net/ipv6
• http//www-iepm.slac.stanford.edu/cgi-wrap/pingtab
  le.pl?datasetipv6
• IPv6 web server (coming-pending SLAC security
  approval)
• http//www-ipv6.slac.stanford.edu/monitoring/pi
  nger-ipv6
• General IPv6 mailing lists
• Internet2 wg-ipv6_at_internet2.edu
• 6Bone 6bone_at_mailman.isi.edu

22
Backup slide RTT to routers