The Road to IPv6: A Campus in Transition from Learning to Educating
About Louisiana State University
- Louisiana's flagship public university; campus located in the capital city of Baton Rouge
- ~30,000 students; ~5,000 faculty/staff
- Information Technology Services: Applications, Support, Help Desk, Security and Policy, Communications, UNI, LONI
- University Networking and Infrastructure (UNI): voice/data, cable facilities, server support, NOC, email, DNS/DHCP, data center
- Louisiana Optical Network Initiative (LONI): fiber-optic network connecting research institutions in LA/MS to each other and to Internet2 and the National LambdaRail
DRIVERS & HISTORY OF IPv6 AT LSU
Drivers for IPv6 at LSU
- Class B IPv4 exhaustion
- Wireless devices
- NAT
- Stay ahead of users
- Our answer to the campus strategic plan
  o www.lsu.edu/fits
- Center for Computation & Technology
- Computer Science Department
Drivers (Continued)
- Continue leadership trend
  o DNSSEC
  o Multicast
  o IPv6?
History of IPv6 at LSU
2008
- Host Internet2 meeting inspires curiosity
- Request /48 from ARIN
- LONI peers with IPv6-capable providers
2009
- Investigate and design
  o Dual stack
  o ITS Building only (wired/wireless)
  o Experiment: 802.1X, SLAAC, DHCPv6, DNSv6
History (Continued)
2010
- Push to entire campus to promote education and experimentation
- Testing our addressing scheme
- Acquire IPAM
2011
- Security on radar
- World IPv6 Day
- Apply for a /40 from ARIN
  o Multihome
  o New addressing scheme
Brief History (Continued)
2012
- Security a real focus and concern
- World IPv6 Launch
- More education and more adopters
  o www.lsu.edu
  o www.eng.lsu.edu
  o www.law.lsu.edu
  o grok.lsu.edu
- Many lessons learned (next slides)
World IPv6 Launch
- 25% of total traffic was IPv6 (summer)
IPv6 SECURITY
IPv6 Security
- Run IPv6 on your routers!
- Same as IPv4 security
  o Border firewall
  o Local host firewalls (more to come)
  o Lock down gear/servers/resources with ACLs
  o Known subnets
IPv6 Security (Continued)
- Addressing: Windows machines on AD
  o Tunneling protocols off
  o Privacy addressing off
- DMCA: tie user to NETREG-ed MAC address
- Tunneling not supported
  o Campus firewall
  o Foo router (a.k.a. black hole)
Host Firewalls
- Windows 7 / Server 2008: unified firewall
  o Must specify both IPv4 and IPv6 addresses
  o Inadvertent exclusion of IPv4/IPv6
- Linux: two separate controlling utilities (iptables and ip6tables)
  o Must configure both for dual-stack network
- Mac / BSD
  o IPFILTER (ipf)
  o IPFIREWALL (ipfw/ip6fw): Mac OS 10.6 Snow Leopard and below
  o PacketFilter (pf): Mac OS 10.7 Lion and above
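The Linux point on this slide, that iptables and ip6tables are independent and both must be configured, is easy to audit mechanically. The following is an added example, not code from the LSU deck: it parses iptables-save / ip6tables-save style output, lists the INPUT ports each family accepts, and reports the drift between them. The two rule sets embedded below are constructed for the demonstration (the IPv6 set is missing SSH and opens a legacy telnet port that IPv4 does not), and the rule lines omit the "-m tcp" match that real iptables-save output includes; the regex accepts both forms.

```python
"""Audit a dual-stack Linux host for IPv4/IPv6 firewall rule drift.

Added example (not from the LSU deck): iptables and ip6tables keep separate
rule sets, so a service opened in one family and forgotten in the other is
a silent gap. The parser reads iptables-save / ip6tables-save style lines;
the sample rule sets below are constructed for the demonstration.
"""
import re
from typing import Dict, Set, Tuple

# Constructed sample output in iptables-save format (IPv4).
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p udp --dport 161 -j ACCEPT
COMMIT
"""

# Constructed sample output in ip6tables-save format (IPv6).  Note the
# missing SSH rule and the extra legacy port 23: classic dual-stack drift.
IP6TABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 23 -j ACCEPT
-A INPUT -p udp --dport 161 -j ACCEPT
COMMIT
"""

# Matches "-A <chain> ... -p tcp|udp ... --dport <n> ... -j <target>".
RULE_RE = re.compile(
    r"^-A\s+(?P<chain>\S+)\s+.*?-p\s+(?P<proto>tcp|udp)\b"
    r".*?--dport\s+(?P<port>\d+)\b.*?-j\s+(?P<target>\S+)"
)


def accepted_ports(save_output: str, chain: str = "INPUT") -> Set[Tuple[str, int]]:
    """Return the set of (proto, port) pairs the given chain ACCEPTs."""
    ports = set()
    for line in save_output.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group("chain") == chain and m.group("target") == "ACCEPT":
            ports.add((m.group("proto"), int(m.group("port"))))
    return ports


def dual_stack_drift(v4_save: str, v6_save: str,
                     chain: str = "INPUT") -> Dict[str, Set[Tuple[str, int]]]:
    """Compare the two families and report what each opens that the other does not."""
    v4, v6 = accepted_ports(v4_save, chain), accepted_ports(v6_save, chain)
    return {"only_ipv4": v4 - v6, "only_ipv6": v6 - v4, "both": v4 & v6}


def icmpv6_allowed(v6_save: str) -> bool:
    """IPv6 depends on ICMPv6 for neighbor discovery and PMTUD; copying an
    IPv4-style 'drop all ICMP' policy breaks the stack outright."""
    return any(
        line.startswith("-A INPUT") and "-p ipv6-icmp" in line and "-j ACCEPT" in line
        for line in v6_save.splitlines()
    )


if __name__ == "__main__":
    report = dual_stack_drift(IPTABLES_SAVE, IP6TABLES_SAVE)
    for label in ("only_ipv4", "only_ipv6"):
        for proto, port in sorted(report[label]):
            print(f"{label}: {proto}/{port}")
    print("icmpv6 allowed:", icmpv6_allowed(IP6TABLES_SAVE))
```

On a real host, feed it the output of `iptables-save` and `ip6tables-save`; anything in "only_ipv4" is a service reachable over IPv6 only if the default policy happens to be DROP, and anything in "only_ipv6" is an exposure the IPv4-focused review never saw.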
First Hop Security
- Rogue router advertisements (RAs)
  o Bogus RAs
  o Self-created (story)
- Rogue DHCPv6 servers
- ACL protection
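Rogue and bogus RAs are detectable on the wire, which is how a NOC can tell whether an RA guard or ACL policy is actually holding. The following is an added example, not code from the LSU deck: a minimal parser for ICMPv6 Router Advertisements that pulls out the advertising router, the Prefix Information options and any RDNSS option, then compares them against an allow-list. The authorized router addresses, the campus /40 and the two captured packets are constructed for the demonstration (the /40 matches the prefix shown later in the deck; the router addresses are invented). Flagging RDNSS also covers the deck's later decision not to advertise an IPv6 DNS server, since an RA carrying RDNSS is exactly how one would be advertised.

```python
"""Flag rogue IPv6 Router Advertisements in captured packets.

Added example (not from the LSU deck): parse ICMPv6 RA (type 134) packets,
extract Prefix Information (option 3) and RDNSS (option 25), and report
anything that does not match the allow-list.  Routers, prefix and packets
below are constructed for the demonstration.
"""
import ipaddress
import struct
from typing import Dict, List, Sequence

# Assumed authorized first-hop routers (constructed link-local addresses).
AUTHORIZED_ROUTERS = {ipaddress.IPv6Address("fe80::1"), ipaddress.IPv6Address("fe80::2")}
# Assumed campus allocation (the deck mentions a /40 from ARIN).
CAMPUS_PREFIX = ipaddress.IPv6Network("2620:105:b000::/40")
ALL_NODES = ipaddress.IPv6Address("ff02::1")


def build_ra(src: str, prefixes: Sequence[str], rdnss: Sequence[str] = ()) -> bytes:
    """Construct an IPv6 packet (no Ethernet header) carrying an RA.
    Checksum is left zero: this is test input for the parser, not traffic."""
    body = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)  # RA header
    for p in prefixes:  # Prefix Information option, 32 bytes
        net = ipaddress.IPv6Network(p)
        body += struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
        body += net.network_address.packed
    if rdnss:  # RDNSS option: 8-byte header + 16 bytes per server
        body += struct.pack("!BBHI", 25, 1 + 2 * len(rdnss), 0, 1800)
        for a in rdnss:
            body += ipaddress.IPv6Address(a).packed
    hdr = struct.pack("!IHBB", 0x60000000, len(body), 58, 255)  # next header ICMPv6, hop limit 255
    return hdr + ipaddress.IPv6Address(src).packed + ALL_NODES.packed + body


def parse_ra(pkt: bytes) -> Dict:
    """Parse an IPv6 packet; raise ValueError unless it is an ICMPv6 RA."""
    if len(pkt) < 56 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_header, hop_limit = struct.unpack("!HBB", pkt[4:8])
    if next_header != 58 or pkt[40] != 134:
        raise ValueError("not an ICMPv6 Router Advertisement")
    body = pkt[40:40 + payload_len]
    ra = {"src": ipaddress.IPv6Address(pkt[8:24]), "hop_limit": hop_limit,
          "router_lifetime": struct.unpack("!H", body[6:8])[0],
          "prefixes": [], "rdnss": []}
    off = 16  # options follow the 16-byte RA header
    while off + 2 <= len(body):
        otype, olen = body[off], body[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")  # RFC 4861: discard the packet
        opt = body[off:off + olen * 8]
        if otype == 3 and len(opt) == 32:
            ra["prefixes"].append(ipaddress.IPv6Network((bytes(opt[16:32]), opt[2]), strict=False))
        elif otype == 25 and len(opt) >= 24:
            for i in range(8, len(opt) - 15, 16):
                ra["rdnss"].append(ipaddress.IPv6Address(opt[i:i + 16]))
        off += olen * 8
    return ra


def classify_ra(pkt: bytes) -> List[str]:
    """Return findings for one RA; an empty list means it looks legitimate."""
    ra = parse_ra(pkt)
    findings = []
    if ra["src"] not in AUTHORIZED_ROUTERS:
        findings.append(f"rogue router {ra['src']}")
    if ra["hop_limit"] != 255:  # RFC 4861 requires 255; anything else was forwarded or forged
        findings.append("hop limit not 255")
    for net in ra["prefixes"]:
        if not net.subnet_of(CAMPUS_PREFIX):
            findings.append(f"foreign prefix {net}")
    if ra["rdnss"]:
        findings.append("RDNSS present: " + ", ".join(map(str, ra["rdnss"])))
    return findings


# Constructed captures: one legitimate RA and one from an unauthorized host.
GOOD_RA = build_ra("fe80::1", ["2620:105:b000:2180::/64"])
ROGUE_RA = build_ra("fe80::dead:beef", ["2001:db8:bad::/64"], rdnss=["2001:db8::53"])

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_RA), ("rogue", ROGUE_RA)):
        print(name, classify_ra(pkt) or "ok")
```

In production the packets would come from a capture on the access VLAN (any pcap library that hands back the IPv6 layer works); the allow-list is the real defense, since a single misconfigured Windows host with Internet Connection Sharing enabled produces an RA that looks entirely well-formed.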
LESSONS LEARNED
IPv6 Addressing Design
2620:105:b000:2180:949b:72c:127a:e814
Fields, left to right: LSU prefix | Building ID | VLAN | Interface ID
IPv6 Addressing Design (Continued)
Design
- VLANs are functional (e.g. user, DMZ, devices)
- Unique routed instance
- /52s summarize all /64s in a building
- Simplified firewall rules for admins
Lessons
- Adapt scheme to your network architecture
- Design with security entwined
- Keep it simple
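The payoff of the hierarchical scheme is that tooling can derive the building and VLAN from any address, and that one /52 rule covers every /64 in a building. The following is an added example, not code from the LSU deck: it decomposes addresses under the /40 shown on the previous slides and groups observed hosts into the /52 summaries a building-level firewall rule would use. The exact field widths (a 12-bit building ID giving /52s, a 12-bit VLAN field giving /64s) are an assumption consistent with the sizes the deck states, not the published plan; the sample hosts other than the deck's own address are constructed.

```python
"""Decompose addresses under an LSU-style hierarchical IPv6 plan.

Added example (not from the LSU deck).  The deck labels its sample address
prefix | building ID | VLAN | interface ID and says /52s summarize the /64s
of a building under a /40.  The 12-bit building and 12-bit VLAN fields
below are an assumption consistent with those sizes.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List

SITE_PREFIX = ipaddress.IPv6Network("2620:105:b000::/40")  # the /40 from the deck
BUILDING_BITS = 12  # assumed: /40 + 12 bits = /52 per building
VLAN_BITS = 12      # assumed: /52 + 12 bits = /64 per VLAN


def decompose(addr: str) -> Dict[str, object]:
    """Split an address into the fields of the hierarchical plan."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in SITE_PREFIX:
        raise ValueError(f"{ip} is outside {SITE_PREFIX}")
    n = int(ip)
    return {
        "building_id": (n >> (64 + VLAN_BITS)) & ((1 << BUILDING_BITS) - 1),
        "vlan": (n >> 64) & ((1 << VLAN_BITS) - 1),
        "interface_id": n & ((1 << 64) - 1),
        # strict=False lets a host address stand in for its containing network
        "building_prefix": ipaddress.IPv6Network((n, 40 + BUILDING_BITS), strict=False),
        "vlan_prefix": ipaddress.IPv6Network((n, 64), strict=False),
    }


def building_summaries(addresses: List[str]) -> Dict[ipaddress.IPv6Network, List[ipaddress.IPv6Network]]:
    """Group the /64s seen on the network by the /52 that summarizes them.
    The keys are the prefixes a building-level ACL or firewall rule needs."""
    groups = defaultdict(set)
    for a in addresses:
        f = decompose(a)
        groups[f["building_prefix"]].add(f["vlan_prefix"])
    return {k: sorted(v) for k, v in groups.items()}


# Constructed sample: the deck's example host plus invented neighbours.
SAMPLE_HOSTS = [
    "2620:105:b000:2180:949b:72c:127a:e814",  # the address shown in the deck
    "2620:105:b000:2181::10",                 # same building, next VLAN (constructed)
    "2620:105:b000:3010::1",                  # another building (constructed)
]

if __name__ == "__main__":
    f = decompose(SAMPLE_HOSTS[0])
    print(f"building {f['building_id']:#05x}  vlan {f['vlan']:#05x}  "
          f"/52 {f['building_prefix']}  /64 {f['vlan_prefix']}")
    for building, vlans in building_summaries(SAMPLE_HOSTS).items():
        print(building, "->", ", ".join(map(str, vlans)))
```

Under the assumed widths the deck's address decomposes to building 0x002 and VLAN 0x180, i.e. 2620:105:b000:2000::/52 and 2620:105:b000:2180::/64; the same two functions drive IPAM reconciliation, since an address whose building field does not match the switch it was learned on is either a misconfiguration or a spoof.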
The Perfect Storm: IPv6 Broken Communication
Components
- Windows machines
- Large Cisco switch-based routers
  o 4500s, 6500s
- Voice VLAN
Symptoms
- 2 IPv6 addresses (data/voice)
- IPv6 intra-router communication failure
- IPv6 inter-router communication success
The Perfect Storm: Before
The Perfect Storm: After
The Perfect Storm (Continued)
Solution
- Manual link-local addresses for VLAN interfaces
Long term
- Approached Microsoft
  o NDIS guidelines
  o No luck
- Cisco next
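The fix on this slide only works if it is applied to every VLAN interface, and an SVI added later without an explicit link-local address silently reintroduces the problem. The following is an added example, not code from the LSU deck: it reads a Cisco IOS-style running configuration, lists the SVIs that carry IPv6 but still rely on the auto-generated link-local address, and emits the configuration lines that would pin one. The sample configuration and the fe80::<VLAN id> numbering convention are constructed assumptions; any scheme that keeps the addresses unique per interface serves the same purpose.

```python
"""Find VLAN interfaces still using auto-generated IPv6 link-local addresses.

Added example (not from the LSU deck): parse an IOS-style running config,
report SVIs with IPv6 enabled but no explicit "link-local" address, and
propose one per VLAN.  The configuration text and the fe80::<vlan-id>
numbering are constructed assumptions.
"""
import re
from typing import Dict, List

# Constructed sample configuration, not an LSU device.
RUNNING_CONFIG = """\
interface Vlan100
 description DATA-USERS
 ipv6 address 2620:105:b000:2180::1/64
 ipv6 nd ra-interval 200
!
interface Vlan101
 description VOICE
 ipv6 address 2620:105:b000:2181::1/64
 ipv6 address FE80::101 link-local
!
interface Vlan200
 description DMZ
 ipv6 enable
!
interface Vlan300
 description IPV4-ONLY
 ip address 192.0.2.1 255.255.255.0
!
"""

IFACE_RE = re.compile(r"^interface Vlan(\d+)\s*$")


def parse_svis(config: str) -> Dict[int, List[str]]:
    """Map VLAN id -> the stripped configuration lines under that SVI."""
    svis, current = {}, None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = int(m.group(1))
            svis[current] = []
        elif line.startswith("!"):  # end of the interface stanza
            current = None
        elif current is not None and line.strip():
            svis[current].append(line.strip())
    return svis


def missing_manual_link_local(config: str) -> List[int]:
    """VLAN ids that run IPv6 but have no explicit link-local address."""
    out = []
    for vlan, lines in parse_svis(config).items():
        has_v6 = any(l.startswith("ipv6 address") or l == "ipv6 enable" for l in lines)
        has_ll = any(l.startswith("ipv6 address") and l.lower().endswith("link-local")
                     for l in lines)
        if has_v6 and not has_ll:
            out.append(vlan)
    return sorted(out)


def remediation(config: str) -> List[str]:
    """IOS lines that pin a unique link-local address per SVI
    (assumed convention: the VLAN id reused as the last hextet)."""
    lines = []
    for vlan in missing_manual_link_local(config):
        lines += [f"interface Vlan{vlan}", f" ipv6 address fe80::{vlan} link-local"]
    return lines


if __name__ == "__main__":
    print("SVIs without manual link-local:", missing_manual_link_local(RUNNING_CONFIG))
    print("\n".join(remediation(RUNNING_CONFIG)))
```

Run against the output of "show running-config" from each 4500/6500 as a periodic compliance check; a non-empty result is the signal that a new VLAN went live without the workaround.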
DNS Bypassed Access
Components
- NETREG
- IPv6 DNS server
Symptoms
- Bypass NETREG registration
- If IPv6 site available
  o Page found
- Else
  o Page not found
- June 6, 2012 (World IPv6 Launch)
  o More "Page Not Found"
DNS Bypassed Access (Continued)
Solution
- Don't advertise IPv6 DNS server
- Resolve AAAA records via IPv4 DNS server
Whitelisting to Blacklisting
Components
- Dual-stack network
- Dual-stack sites: Google, Bing, Facebook, Yahoo
Symptoms
- Sites' AAAA records unresolvable by DNS servers
Solution (unresolved)
- Find the source of latency
FUTURE OF IPv6 AT LSU
Concerns
- Infrastructure (all vendors)
  o Hardware requires upgrade
  o Software lagging
- Applications
  o Outsourcing
    - Security
    - IPv6 not on roadmap
  o Voice, email, mainframe
    - Hesitant to change
    - New security avenues and experiences to develop
Concerns (Continued)
- Education and outreach
  o Material development
  o Deeper understanding required
  o Change in culture
Future Developments at LSU
- DHCPv6
- IPv6 VPN
- IPv6 Multicast
- Provide vendors testing grounds
- RADIUS portal for machine registration
- Enable first-hop security on more devices
- Experimental networks
  o IPv6-only networks
  o IPv6 and SDN networks
We Believe!
Jeffry Handal
jhandal@lsu.edu
(225) 578-1966