DREN IPv6 Implementation Update

Similar documents
DREN IPv6 Implementation Update

IPv6 Implementation Update DREN and SPAWAR

Enterprise IPv6 Deployment Security and other topics

DREN IPv6 Implementation Update

DREN IPv6 Implementation Update

IPv6 Implementation Update DREN and SPAWAR

IPv6 Deployment Lessons-Learned and Keys to Success

The Road to IPv6. A Campus in Transition from Learning to Educating

Enterprise IPv6 Deployment Perspectives from US Government

IPv6 Campus Deployment Updates

IPv6 investigation within Informatics. George Ross

Migration Technologies. Dual Stack and Tunneling Using GRE, 6to4, and 6in4.

SLAACers. IPv6 Accountability without DHCPv6. Library and Information Services School of Oriental and African Studies London. Networkshop 39, 2011

IPv6 on Campus. The stuff you need to know

IPv6 Next generation IP

The OSI model of network communications

A Practical (and Personal) Perspective on IPv6 for Servers. Geoff Huston June 2011

CSCI-1680 Network Layer:

Carl Harris Chief Technology Officer Virginia Tech IT

IPv6 A Positive Approach. Perspectives. APNIC New Delhi. .in. Kusumba S

Using IPv6. Daniel Hagerty

IPv6 Bootcamp Course (5 Days)

The Privileged Remote Access Appliance in the Network

IPv6 Transition Technologies (TechRef)

DHCPv6 OPERATIONAL ISSUES Tom Coffeen 4/7/2016

Chapter 15 IPv6 Transition Technologies

MOC 6420A: Fundamentals of Windows Server 2008 Network and Applications Infrastructure

IPv6 Implementation Best Practices For Service Providers

IPv6 Security: Threats and Mitigation

Foreword xxiii Preface xxvii IPv6 Rationale and Features

IPv6 It starts TODAY!

The Bomgar Appliance in the Network

Recent advances in IPv6 insecurities reloaded Marc van Hauser Heuse GOVCERT NL Marc Heuse

The Privileged Access Appliance in the Network

IPv6 at Google. a case study. Angus Lees Site Reliability Engineer. Steinar H. Gunderson Software Engineer

IPv6 Transition Mechanisms

IPv6 Deployment at the University of Pennsylvania

IPv6 Migration - Why do I care anyway? WELCOME Rick Wylie KeyOptions MacSysAdmin 2012

IPv6 Transition Mechanisms

IPv6 Deployment Experiences

Barracuda Link Balancer

IPv6 Security. David Kelsey (STFC-RAL) IPv6 workshop pre-gdb, CERN 7 June 2016

But we ve always done it this

Indonesia IPv6 Update. Affan Basalamah

Tomáš Podermański, Matěj Grégr,

IPv6 tutorial. RedIRIS Miguel Angel Sotos

Guide to TCP/IP Fourth Edition. Chapter 11: Deploying IPv6

Migration to IPv6 using DNS64/NAT64. Stephan Lagerholm

IPv4/v6 Considerations Ralph Droms Cisco Systems

Setup. Grab a vncviewer like: Or

It's the economy, stupid: the transition from IPv4 to IPv6

LISP Locator/ID Separation Protocol

RIPE Network Coordination Centre. IPv6 at RIPE NCC. Mark Dranse Erik Romijn

Accessing CharityMaster data from another location

IPv6 and IPv4: Twins or Distant Relatives

Unit 5 - IPv4/ IPv6 Transition Mechanism(8hr) BCT IV/ II Elective - Networking with IPv6

IPv6 Security Safe, Secure, and Supported.

IP Addressing Modes for Cisco Collaboration Products

change possible, or even necessary, but people make it happen David S. McIntosh, CBI Network

Cisco Certified Network Associate ( )

IPv6 Transition Issues - From operational point of view - March Ikuo Nakagawa, INTEC W&G

Considerations and Actions of Content Providers in Adopting IPv6

CompTIA Network+ Study Guide Table of Contents

IPv6 Neighbor Discovery

Debian Configure Static Ipv6 Address Windows Server 2008 R2

COE IPv6 Roadmap Planning. ZyXEL

NetAlly. Application Advisor. Distributed Sites and Applications. Monitor and troubleshoot end user application experience.

Service Discovery Gateway

Internet Load Balancing Guide. Peplink Balance Series. Peplink Balance. Internet Load Balancing Solution Guide

FiberstoreOS IPv6 Service Configuration Guide

TCP/IP Protocol Suite

CompTIA Exam JK0-023 CompTIA Network+ certification Version: 5.0 [ Total Questions: 1112 ]

High Availability Synchronization PAN-OS 5.0.3

IPv6: The Ins and Outs. Chris Buechler

Cisco RV180 VPN Router

Network Deployment Guide

Correct Answer: C. Correct Answer: B

IPv6 at Google. Lorenzo Colitti

USER MANUAL. VIA IT Deployment Guide for Firmware 2.3 MODEL: P/N: Rev 7.

Why IPv6? Roque Gagliano LACNIC

FiberstoreOS IPv6 Security Configuration Guide

CCNA. Murlisona App. Hiralal Lane, Ravivar Karanja, Near Pethe High-School, ,

CCNA Questions/Answers IPv6. Select the valid IPv6 address from given ones. (Choose two) A. FE63::0043::11:21 B :2:11.1 C.

Internet Protocol v6.

How to plan and deploy GovWiFi - its IPv6 now! Jul 2013

DNS, DHCP and Auto- Configuration. IPv6 Training Day 18 th September 2012 Philip Smith APNIC

CCNA Routing and Switching (NI )

Visualization Performance & Fault Manager

IPv6: An Introduction

Cisco Wide Area Bonjour Solution Overview

Top-Down Network Design

Measuring IPv6 Deployment

ip dhcp-client network-discovery through ip nat sip-sbc

Service Discovery Gateway

ForeScout CounterACT. Work with IPv6 Addressable Endpoints. How-to Guide. Version 8.0

IPv6 in Internet2. Rick Summerhill Associate Director, Backbone Network Infrastructure, Internet2

Don't have the plaid polyester leisure suit of IPv6 networks! Paul Ebersman, IPv6 Evangelist NANOG56, Dallas, TX (21-24 Oct 2012)

IPv6 Client IP Address Learning

Guide to Vyatta Documentation

FW- 525B Quick Start Guide

Transcription:

DREN IPv6 Implementation Update Internet2 Joint Techs, Winter 2010 2 Feb, 2010 Salt Lake City, UT Ron Broersma DREN Chief Engineer High Performance Computing Modernization Program ron@spawar.navy.mil 2-Feb-2010 DREN IPv6 Update 1

Introduction Aggressive deployment of IPv6 to DoD s R&E WAN (DREN) and to all campuses of one major customer (SPAWAR) These are production networks with 10 s of thousands of users and systems. i.e., not just a testbed Goals See what works and what s broken See what s missing Share lessons learned 2-Feb-2010 DREN IPv6 Update 2

BLUF Enabling IPv6 throughout your environment needs to be a cultural thing. Get everyone involved Do it as part of tech refresh. Far less expensive than in crisis mode It may seem overwhelming in the beginning, but its really not that hard to get started. jump right in everyone gets it wrong at first, and you will too, so don t wait around trying to get it right before doing anything. Very important that we focus on making our public facing services dual-stack. There are still many problems and issues to be worked. 2-Feb-2010 DREN IPv6 Update 3

Previously discussed Reported at Indianapolis meeting: Google over IPv6 (for SPAWAR) Lack of IPv6 support in Net::LDAP pearl module Oracle lack of IPv6 support NetApp storage appliance problems with IPv6 support java defaults to IPv4 instead of IPv6, and a fix. Using ISATAP to solve VPN issues Wrong tunnel metrics in Windows, chooses wrong interface Auto-sync for IPv6 records in DNS Mac OSX failings (DHCPv6, ISATAP) Broken Path MTU discovery in Juniper routers 2-Feb-2010 DREN IPv6 Update 4

New approach to getting people started Training approach is more pragmatic No more everything you wanted to know about IPv6 Instead, turn on IPv6 in 5 easy steps including templates for emails that you need to send Pre-configure IPv6 on all DREN customer interfaces Lay out some best practices In very strong terms: Read my lips. Mostly addressing guidelines. forget about being conservative like in IPv4 subnets are /64. don t encode v4 subnet values into bottom 64 bits. 2-Feb-2010 DREN IPv6 Update 5

Feb 3, 2009 added all of SPAWAR Google over IPv6 July 28, 2009 DREN and ALL customers added Any DREN user that is IPv6 enabled will get to Google services over IPv6 Faster (over non congested links) DREN private peering with Google is IPv6 only Helps to quickly idensfy IPv6 connecsvity problems As incensve, we block IPv4 to Google 2-Feb-2010 DREN IPv6 Update 6

Deployment progress WAN dual stack everywhere, peering (unicast+multicast) LANs all subnets fully support v6, renumber v4 Infrastructure services recursive DNS, NTP, SMTP, XMPP Support services RADIUS, LDAP, Kerberos Public facing services authoritative DNS, MX s, www, NTP Security stack firewall, IDS, IPS, etc. To Do: Get all the desktops, laptops, and servers running dual-stack 2-Feb-2010 DREN IPv6 Update 7

Expanding internal IPv6 adoption Jan 2009 only 5% of our systems (servers, desktops, laptops, etc.) were doing IPv6 Double from the year before Today: A major internal campaign has us now at 87.6%. A totally volunteer and optional effort We had to provide encouragement and incentives for over 500 independent projects and systems administrators 2-Feb-2010 DREN IPv6 Update 8

Making progress visible within organizations another incentive Percentage of systems doing IPv6 2-Feb-2010 DREN IPv6 Update 9

Utilization comparison IPv4 traffic IPv6 traffic Approx 2.5% of traffic is IPv6 2-Feb-2010 DREN IPv6 Update 10

Something changed last week IPv4 traffic 90 IPv6 traffic Google adds IPv6 support for YouTube. 9 2 Over 4x increase in IPv6 traffic Now 10% of our traffic is IPv6 2-Feb-2010 DREN IPv6 Update 11

New problem areas Windows 2000 systems Don t bother with v6. Just upgrade them. Printers Most lack IPv6 support. We ve started to upgrade the Jet Direct cards in our HP printers. Maintaining all the new IPv6 addresses in DNS Large groups of systems that are under configuration control, and can t be modified. Sys admins that are too busy with other priorities. Rogue 6to4 relays sending RAs Windows systems with ICS enabled. Symantec Endpoint Protection (SEP) breaks IPv6 Broken external DNS servers prevent some of our clients from running IPv6 Vmware ESX 3.x systems need upgrade to 4.x Blackberry Enterprise Services (BES) on IPv6-enabled Windows server will crash. 2-Feb-2010 DREN IPv6 Update 12

Keeping DNS updated Need to get all PTRs and some AAAA s in DNS for all devices doing IPv6 Manual editing of zone files? Much more painful than IPv4 How do you know when some device starts doing IPv6 and gets a SLAAC address? DHCPv6? Use DHCPv6 to provide addresses, and use dynamic DNS update Problem: too many clients do not yet support DHCPv6 (Windows XP, MAC OSX, others) 2-Feb-2010 DREN IPv6 Update 13

DNS auto-update Basic scheme Use SNMP to poll the routers Grab the ARP cache and the ND table For all MAC addresses in the ND table with global unicast addresses matching the site IPv6 prefix: Find the corresponding IPv4 address from the ARP cache Find the FQDN for the IPv4 address in DNS (PTR lookup) Build a PTR record for the IPv6 address, using FQDN from IPv4 address Push to DNS dynamically Works very well Yes, there are some additional complexities, and optimizations required, like garbage collection of temporary and privacy addresses. Hoping to release tool tool as open-source. Lingering problems with IPv6 objects in the IP-MIB and IPV6-MIB We really need all routers supporting RFC 4293 (version independent IP-MIB) 2-Feb-2010 DREN IPv6 Update 14

Privacy addresses See RFC 4941 Windows systems do this by default (and we don t like it!) Breaks many things in our environment Forensics Stable DNS entries Automated management tools Could fix with DHCPv6, but client not available in important OS s Windows XP, Mac OSX Would be nice if RA s could say don t do this So we have to visit every Windows machine to disable this. Breaks the plug and play goal of IPv6 for clients. How To: (next slide) 2-Feb-2010 DREN IPv6 Update 15

Windows XP ipv6 -p gpu UseTemporaryAddresses no Windows 2003 Windows Vista Windows 2008 Disabling privacy addresses netsh interface ipv6 set privacy state=disabled store=persistent netsh interface ipv6 set privacy state=disabled store=persistent netsh interface ipv6 set global randomizeidentifiers=disabled netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent netsh interface ipv6 set global randomizeidentifiers=disabled netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent 2-Feb-2010 DREN IPv6 Update 16

nga.mil Query to resolve www.extranet.nga.mil with AAAA returns RCODE 3, no such name (NXDOMAIN). Windows XP will never do the A query If the name exists, even if no RRs for it, it should not return NXDomain. 09:29:59.312403 IP newiview.17577 > ins1.sd.domain: 17998+ [1au] AAAA? www.extranet.nga.mil. (49) 09:29:59.392933 IP ins1.sd.domain > newiview.17577: 17998 NXDomain 0/0/1 (49) 09:30:15.731744 IP newiview.11851 > ins1.sd.domain: 35028+ [1au] A? www.extranet.nga.mil. (49) 09:30:15.895239 IP ins1.sd.domain > newiview.11851: 35028 1/2/1 A 164.214.10.84 (105) Due to faulty behavior of Cisco CSS load balancer doing DNS functions Windows XP machines that are IPv6-enabled can t get to web site. See 4.2 of RFC 4074. 2-Feb-2010 DREN IPv6 Update 17

Mac OSX 10.6 (Snow Leopard) After upgrade to Snow Leopard, web browsing and other apps no longer seemed to prefer IPv6 over IPv4. Behavior is that only the first DNS answer to any query is accepted, and the others are dropped. if you get the A before the AAAA, the AAAA will get dropped In 10.6, mdnsresponder is now used for all unicast DNS queries, not just for multicast as was the case in earlier releases. mdnsresponder will query for A and AAAA, but will immediately stop listening after the first reply. the application never receives the other responses References: http://support.apple.com/kb/ht3789 http://openradar.appspot.com/7333104 2-Feb-2010 DREN IPv6 Update 18

java on Mac OS X java defaults to IPv4 instead of IPv6 reported earlier You can change the behavior by setting a preference -Djava.net.preferIPv6Addresses=true This preference setting has no effect in Mac OS X can t override the bad default Reference: http://openradar.appspot.com/7100919 2-Feb-2010 DREN IPv6 Update 19

Windows patching We upgraded to Windows Software Update Service (WSUS) 3.0 supports IPv6 All of our Windows patching now happens over IPv6 2-Feb-2010 DREN IPv6 Update 20

Mac OS X and IPv6 printers You can t configure an IPv6 address for a printer It has to find the printer using Bonjour, or you have to specify a DNS name. an explicit IPv6 address will not work. Apple says: this is expected behavior Reference: http://openradar.appspot.com/7100507 2-Feb-2010 DREN IPv6 Update 21

Freeradius 2 supports IPv6 A note on Freeradius 2 Documentation and discussion would lead you to believe that it can t do IPv4 and IPv6 at the same time see notes in radiusd.conf see discussion on various web forums Actually, all you need to do is add another listen clause 2-Feb-2010 DREN IPv6 Update 22

Freeradius 2 example listen { type = auth ipaddr = * port = 0 clients = clients-ipv4 } clients config file for all your IPv4 clients # Listen on the IPv6 address too listen { type = auth ipv6addr = :: port = 0 clients = clients-ipv6 } IPv6 clients config file 2-Feb-2010 DREN IPv6 Update 23

END 2-Feb-2010 DREN IPv6 Update 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback