DREN IPv6 Implementation Update - PowerPoint PPT Presentation

Slides: 16
Provided by: ronbro
Transcript and Presenter's Notes

1
DREN IPv6 Implementation Update
  • Joint Techs Workshop
  • Feb 2006
  • Albuquerque, NM

Ron Broersma, DREN Chief Engineer
High Performance Computing Modernization Program
ron_at_hpcmo.hpc.mil
2
Previously
  • DREN
    • is DoD's network for the RDT&E community
    • also serves as the DoD IPv6 pilot network
    • operates 2 IPv6 wide area networks (testbed, production)
  • IPv6 approach
    • Push "I believe" button and see what works.
    • Do it in a production environment.
    • Researchers & developers need it now, even if others don't.

3
DREN IPv6 Pilot Status
4
Report on some current efforts
  • Performance
  • Security
  • IPv6 Multicast

5
Performance
  • Monitoring TCP performance between some high-end sites.
    • Using nuttcp, 9K MTU, Linux 2.4.26-web100 kernel
  • Observations
    • RTT nearly identical between v4 and v6
    • TCP jumbo between ARL and ASC fails.
    • One or more paths demonstrated near line rate performance for both v4 and v6
    • In some cases, v4 appeared more robust. Reasons unknown.
  • See http://www.wcisd.hpc.mil/phil/ipv6

6
Performance, cont'd
The above graphs show TCP throughput second by
second for the 20 second tests for IPv4 and IPv6.
Colors may not be the same between the windows
because some IPv6 tests are missing (due to
filter problems). The first second or two are
usually TCP slow start followed by equilibrium.
The 1 Gbps and OC12 line rate tests stand out.
Also clear from these graphs is the greater
stability or robustness of IPv4 over IPv6 on some
paths. The reason(s) for this are TBD. It could
be from the Linux IPv6 implementation, or from
hardware along the path.
7
Security
  • Independent security review contracted to SAIC
    • Final draft due this week.
  • Summary
    • protocol is no less secure than v4
    • mobility is scary
    • multicast is still spoofable
    • ND spoofable, but no exploits found yet
    • Windows acks things twice in all v6 TCP streams???
    • router renumbering can spoof, possible DoS
    • landv6 attack works, but doesn't crash machine

8
S/DREN
  • Secret/DREN (S/DREN)
    • A small overlay of the DREN network.
    • Classified computers behind hardware encryptors.
  • Designed, equipment in hand, beginning implementation.
  • Addressing challenges.
    • Current hardware encryptors are not IPv6 capable.
    • Add tunnel broker.
  • Early real world testing of next generation IPv6 capable hardware encryptors.

9
IPv6 multicast
  • Focus: get DREN backbones fully IPv6-multicast enabled.
  • Status (work in progress)
    • Testbed fully operational
      • PIMv2, MLDv2, SSM, ASM, static RP, Embedded-RP
      • Peering with m6bone
    • Production operational
      • routers all upgraded to JunOS 7.2
      • PIMv2, MLDv2, SSM, ASM, some Embedded-RP
    • Beacon operational (dbeacon)
      • ASM and SSM, using Embedded-RP group address
  • Test environment
    • Linux 2.6.11, Linux 2.4, Solaris 10
    • Cisco (testbed), Juniper (DREN production), Juniper (site), Foundry BI (site)
    • simulating cross-domain interaction

Test Environment
(beacon)
10
DREN
11
IPv6 Multicast
  • Some Issues
    • Foundry: no MLDv2, but coming soon.
    • Juniper MLDv2 implementation fundamentally incompatible with modern Linux implementations.
      • A fix is not yet on the product roadmap
    • no MLDv2 in WinXP, broken in old Linux, Solaris.
  • Working on
    • IP ViPr implementation
    • Pressuring the vendors to implement needed features

12
Backup
13
DREN production network
14
DRENv6 testbed Logical Topology
[Diagram: logical topology of the DRENv6 testbed. Legend: Core Router, tunnel, site, ISP or BGP Neighbor, IXP, ATM PVC (OC-3).]
15
DREN IPv6 transition architecture FY04
  • DRENv6 (Testbed)
    • Native IPv6 backbone
    • To 6bone, Abilene, and other IPv6 enabled ISPs
    • IPv6 demonstrations (Moonv6)
    • links run native IPv6 where possible, otherwise tunnelled in IPv4
  • DREN2 (Production / Pilot)
    • Dual stack IPv4 and IPv6 wide area infrastructure
    • Goal: As secure as the IPv4 backbone
    • Type A (IP) production service to DREN sites: IPv4 and IPv6 provided over the same interface
  • Diagram labels: ARL-APG, SSCSD, ERDC, Testbed at DREN site, NIDSv6, v6 ACL, sdp.erdc, sdp.arlapg, sdp.sandiego, sdp