20070213-broersma
Download
Report
Transcript 20070213-broersma
DREN IPv6 Implementation
Update
Joint Techs Workshop
Feb 2007
Minneapolis, MN
Ron Broersma
DREN Chief Engineer
High Performance Computing Modernization Program
[email protected]
13-Feb-2007
DREN IPv6 Update
1
Background
• DREN …
– is DoD’s ISP for the RDT&E community
– also serves as the DoD IPv6 “pilot” network
– operates 2 IPv6 wide area networks (testbed,
production)
13-Feb-2007
DREN IPv6 Update
2
Some History
• 2001
– January - May: DREN builds the DREN IPv6 testbed
• 2003
– June: DoD CIO sets goal to transition all DoD and Service inter and
intra networking by FY ’08
– July: DREN chosen at the DoD IPv6 “pilot”
– August: HPCMP Director directs HPC Centers to transition to dualstack infrastructure
• 2004
– DoD makes plans and organizes. DREN just does it.
• 2005
– March: DoD IPv6 Transition Plan signed out
– Services working on their own transition plans
• Still pretty much the case today
13-Feb-2007
DREN IPv6 Update
3
DREN IPv6 philosophy
• Push the “I believe” button, and turn on IPv6
everywhere to see what works (and what
doesn’t)
• Do it in a production environment
– can get away with this in an R&D environment,
but not on operational networks.
• Go native. (no tunnels)
• Even if the world doesn’t convert for years,
R&D environments need it now.
• Figure out how to deploy IPv6 to the rest of
DoD in the future.
13-Feb-2007
DREN IPv6 Update
4
Overall difficulty
• Easy parts
–
–
–
–
Dual-stacking the nets (WANs, LANs)
Enabling IPv6 functionality in modern operating systems
Establishing basic IPv6 services (DNS, SMTP, NTP)
Enabling IPv6 in some commodity services (HTTP)
• A little more challenging
– Getting the address plan right
– Operating and debugging a dual stack environment
– Multicast (but easier than IPv4)
• Hard parts
– Creating the security infrastructure (firewalls, IDS, proxys, IDP/IPS,
VPNs, ACLs)
– Working around missing or broken functionality
– DHCP
– Creating incentives to upgrade and try IPv6
– Getting the vendors to fix bugs or incorporate necessary features
• Not enough market pressure, so other activities take priority
13-Feb-2007
DREN IPv6 Update
5
DREN sites status 2006
13-Feb-2007
DREN IPv6 Update
6
DREN sites status 2007
13-Feb-2007
DREN IPv6 Update
7
Performance Measurement and
Visualization - Planet DREN
13-Feb-2007
DREN IPv6 Update
8
IPv6 Security Review
• Independent security review
performed by SAIC for DREN
– Publicly available
• Some of the conclusions:
– protocol is no less secure
than v4
– multicast is still spoofable
– mobility is scary
– ND – spoofable, but no
exploits found yet
– Windows – ack’s things
twice in all v6 TCP
streams???
– router renumbering – can
spoof – possible DoS
– landv6 attack works, but
doesn’t crash machine
13-Feb-2007
DREN IPv6 Update
9
IPv6 Multicast Beacon
DREN
13-Feb-2007
DREN IPv6 Update
10
Some Lessons Learned
• There is no immediate "win" in transitioning to
IPv6. The payoff must be viewed as long-term.
• Incentives are needed to encourage near term
transition and to make transition a priority.
– “If you build it, they won’t necessarily come”
• Many security components are still not mature nor
widely available. Security takes extra thought and
effort.
• 1+1>2
– managing 2 IP networks (IPv4, IPv6) can be more than
double the design complexity due to new interactions.
– Making topologies congruent can minimize such impact.
13-Feb-2007
DREN IPv6 Update
11
Example Re-addressing scheme
• Re-address the network for consistency between protocols
– IPv4 – move all subnets to /24 or larger
– Align VLAN number with 3rd octet of IPv4 address
– Align IPv6 “subnet number” with the above
IPv4
128
49 subnet host
VLAN-id
IPv6
2001 0480 0010
subnet
Interface ID
• Benefits
– Reduction in complexity
– Easier for operations staff, once re-addressing is complete
• Note
– Assumes you have enough IPv4 address space to change it as well.
13-Feb-2007
DREN IPv6 Update
12
One way to handle PTR records
• Example site:
– Already records MAC addresses for registered
devices on the network, and stores in a database
– Uses stateless address auto-configuration (SLAAC)
for most machines, in particular the clients
• Built script to generate PTR records for all
registered devices, regardless of whether
they were running IPv6 or not, and installed
it in their DNS.
• If any device happens to turn on IPv6 and
uses SLAAC, they are already pre-registered.
13-Feb-2007
DREN IPv6 Update
13
IPv6 capability in products
• These are necessary but not sufficient to show functional
equivalence to IPv4:
– Standards activities (IETF, DISR), theoretical analysis of standards (NSA),
test equipment (Agilent, Ixia, Spirent), JITC generic test plans and approved
product lists, and test beds (DRENv6, MoonV6).
• These are sufficient but not conclusive to show equivalence:
– Extended use in real networks to expose and fix remaining errors (Internet2,
DREN IPv6 pilot, still more would be nice).
• To really determine IPv6 support for your needs, query the
vendor for specific features that matter to you. Be careful
in evaluating their response. Try not to let your expectations
dictate the results you find, or you will overlook/misinterpret
results that contradict those expectations.
It is crucial that IPv6 products have functionality equivalent to IPv4 products!
13-Feb-2007
DREN IPv6 Update
14
Some Challenges
• Keeping security policies consistent
– ACLs
– Firewall policies
• Adversaries now have a new entry vector
– Don’t allow IPv6 path to be a new weakest link
• Diagnosing network problems
– Especially if the routing topology isn’t congruent
– Confusion over which protocol is broken, and what protocol is being
tested using diagnostic tools.
• Trying to outlaw NAT
– Some think that it brings important features (i.e. “security”).
– Be sure to see draft-ietf-v6ops-nap-06.txt (Local Network
Protection)
• Fighting the pressure to disable IPv6 in Vista
– Uncertainty in whether it is “safe”, from a security perspective.
– We need to make sure this doesn’t happen
13-Feb-2007
DREN IPv6 Update
15
Examples of things that are
broken or missing
•
•
Juniper Router
–
–
Port-mirroring doesn’t support IPv6 except in very high-end devices.
MLDv2 incompatible with Linux
–
IPSEC for IPv6 only recently added
–
Finally have IPv6 in mainline code, but…
•
A fix is “not on the product roadmap”
Juniper Netscreen firewall
•
•
Only in one of the hardware products (ISG-2000)
Still missing OSPFv3, BGP, IPv6 multicast, transparent-mode, GRE, …
•
Red Hat
•
Mozilla Thunderbird
•
DHCPv6
–
RHEL4-U4 feels slow with IPv6 load, due to kernel bug. Not officially fixed until -U5
(March).
–
–
LDAP fails if IPv6 is enabled. A long term problem.
Emergence of Vista added pressure to achieve a fix.
–
–
–
No reference implementation from ISC
“No usable DHCPv6” – Karl Auer, nullarbor
DHCPv6 relay not implemented in some routers.
•
13-Feb-2007
Support recently added by Foundry, based on our feature requests.
DREN IPv6 Update
16
Examples of things that are
broken or missing
• Many products that are critical to security
infrastructure are not IPv6-enabled
– Bluecoat cache/proxy
– Netscreen IDP
– Tipping-Point IPS
• Originally promised for 1Q07 but just slipped 18 months
– Many VPN products
• Both SSL VPNs and IPSEC VPNs
– Netscreen Security Manager
• Can’t manage IPv6-enabled products
– Vulnerability assessment and forensics tools from
most vendors
13-Feb-2007
DREN IPv6 Update
17
Vista and IPv6
• Extensive beta testing performed (see backup
slides)
• Microsoft claiming full support for IPv6
• But…
– no IPv6 access support for…
•
•
•
•
Windows Activation after installation
Windows Update
IE7 Phishing filter
Beta Client bug reporting
– Winhlp32 not in RTM but promised download not
available yet.
13-Feb-2007
DREN IPv6 Update
18
Commitment to IPv6
•
•
•
•
What about other vendors’ commitments to IPv6?
Are they using it in their production networks?
Do they have an IPv6 presence on the Internet?
Do they follow the “eat your own dogfood”
principle?
• Time for a survey…
13-Feb-2007
DREN IPv6 Update
19
Vendor scorecard
• Looked in DNS to see if
there were AAAA
records for www, MX,
and DNS.
• Quick sampling of major
computer and network
companies showed no
public facing IPv6.
• We will be expanding
our survey
– Additional attributes
– Additional companies
13-Feb-2007
DREN IPv6 Update
20
Situation Today
• We’ve been successfully using IPv6 in a production
environment, with many dual-stack systems and
services, for at least 3 years.
– Modern operating systems just work, out of the box
(MacOSX, Vista, Solaris 10, etc)
• Most urgent needs from our perspective:
– Need parity with IPv4 in all implementations
– Enabling IPv6 must NOT break things
– Need to make security stacks fully IPv6 capable
• Firewalls, IDS, proxies, IDP/IPS, ACLs
– Need more incentives to do IPv6 (generate demand)
• Basic layer 3 (IP routing) implementations are mature
– ISPs and WANs should be IPv6-enabled now.
• What about SOHO modems/routers?
• Consumer CPE doesn’t do IPv6!
13-Feb-2007
DREN IPv6 Update
21
Testing of Microsoft Vista
(Ethan Strike, NRL)
13-Feb-2007
DREN IPv6 Update
22
Windows Networking
Comparison
Feature
Windows XP/2003
Shared IPv4/IPv6
stack and firewall
IPv6 Installed by
Default
IPv6 Configured on
the command line
Windows Vista
(Windows 2003)
IPv6 Configured
using the GUI
Complete IPv4/IPv6
IPsec
implementation
Privacy Setting used
by default
13-Feb-2007
DREN IPv6 Update
23
Screenshot: IPv6 GUI
Configuration
13-Feb-2007
DREN IPv6 Update
24
Windows Networking
Comparison Cont.
Feature
IPv6 preferred over
IPv4 when IPv6 is
available
Windows XP/2003
Windows Vista
IPv6-only Windows
Network Services
(Active Directory)
Advanced Windows
Firewall for
complete control of
network traffic and
IPsec
Automatic
adjustment of TCP
receive window
13-Feb-2007
DREN IPv6 Update
25
Screenshot: Advanced
Firewall
13-Feb-2007
DREN IPv6 Update
26
Additional properties of Vista
• Choice of Public and Private Networking Settings
– Determines if following services are run by default (Private =
enabled)
•
•
Network Discovery
File, Printer, Public-folder and Media Library Sharing
– Configures Windows Firewall for these services
• Stateless autoconfiguration does not use hardware
address of interface when determining 64-bit suffix
• Caution: tunneling protocols are enabled by default
• Caution: DHCPv6 is enabled by default to receive
additional network information (i.e. preferred DNS
server)
13-Feb-2007
DREN IPv6 Update
27
Longhorn Active Directory
Testbed over DREN
•
•
•
•
Goals
Setup Of Longhorn Server
Access Extended to Remote Clients
Conclusions
13-Feb-2007
DREN IPv6 Update
28
Goals
• Test IPv6 networking in Windows Vista and
Longhorn by setting up a Longhorn Active
Directory server
• Test interoperability between a Longhorn server
and Windows XP client using IPv4
• Have clients join from across DREN to identify
possible issues across a wide-area network
13-Feb-2007
DREN IPv6 Update
29
Conclusions for Vista
• Biggest snags in process were due to other factors in
beta testing
– Third party software
– Vista Graphics Interface unstable
• IPv6-only connectivity worked as advertised
• IPv4 connectivity from Windows XP hosts worked as well
• Additional technologies to test
– IPsec between clients and domain controller
– Adding an additional domain controller for AD and DNS
replication
– Service interoperability between Longhorn AD and *NIX hosts
13-Feb-2007
DREN IPv6 Update
30