
IPv6 Deployment @IHEP
QI Fazhi / IHEP CC
[email protected]
HEPiX,Beijing, October 2012
QI Fazhi/IHEP CC
Context
• Why IPv6?
• Background & History
• Key technologies
• Deployment Principles
• Current Status
• Work Plan
Why?
• A lot of reasons drive the deployment of IPv6
• Everyone here knows about them……
• But in China, IPv6 has better available bandwidth & is free to use
IPv6 in China
• Chinese Government released the “Twelfth Five-Year” Development Plan for next-generation
• The National Reform and Development Committee fund for the research of CNGI industrialization and security projects
• Premier Wen Jiabao chaired the State Council meeting to discuss how to speed up the development of the China Next Generation network
• CNGI project approved, led by the National Reform and Development Committee; started the Chinese IPv6 network backbone deployment
CNGI Backbone
CNGI-CSTNet & CERNet
IPv6 History @IHEP
• 2008
– 1 Gbps IPv6 link to CNGI; part of the IHEP endpoints support IPv6
• 2009
– IHEP started to use the IPv6 link for HEP data transfer with the cooperating universities (SDU/…)
• 2011
– IHEP DNS supports IPv6
• 2012
– Dual-stack IHEP campus network, 10 Gbps IPv6 link to CNGI (funded by the National Reform and Development Committee)
– Together with ChinaNet/universities, applied for the CNGI industrialization and security projects
Key Technologies
• Transition
• Address assignment
• Security
Transition
• Goals
– tunnel between IPv6 islands
– translate between IPv4 and IPv6
• Tunnel application
• Tunnel type
– Configured tunnels
• Router to router
– Automatic tunnels
• Tunnel Brokers (RFC 3053)
– Server-based automatic tunneling
• 6to4 (RFC 3056)
– Router to router
• ISATAP (Intra-Site Automatic Tunnel Addressing Protocol)
– Host to router, router to host
– Maybe host to host
• 6over4 (RFC 2529)
– Host to router, router to host
Case: IPv4 Over IPv6
• Goal
– To use the high available bandwidth of IPv6 in China to do the HEP data transfer
• Result
– Network performance: 10 times improvement
[Diagram: IPv4-over-IPv6 tunnel between IHEP and USTC. IHEP IPv6 Server (eth0) — IHEP Router (eth1) — IPv6 Network Link (CNGI) — USTC Router (eth1) — USTC IPv6 Server (eth0)]
IP Address assignment
• Too long to remember and configure manually
• Two basic methods defined for autoconfiguration
of IPv6 hosts:
– Stateless Autoconfiguration
• A method defined to allow a host to configure itself without help
from any other device.
• Problem: it does not supply a DNS server address.
– Stateful Autoconfiguration
• A technique where configuration information is provided to a host by
a server.
DHCPv6
• The operation of DHCPv6 is similar to that of DHCPv4,
but the protocol itself has been completely rewritten.
• It is not based on the older DHCP or on BOOTP, except
in conceptual terms.
• It still uses UDP but uses
– new port numbers
• Client: 546
• Server/Relay agent: 547
– a new message format, and restructured options
• DHCPv6 is not compatible with DHCPv4 or BOOTP.
• The network switch should support DHCPv6 relay
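As an added example (not code from the presentation) of how different the DHCPv6 wire format is from DHCPv4: a minimal parser for the client/server message header and its option TLVs, run over a constructed SOLICIT. Message-type and option codes and the DUID-LL layout follow RFC 3315; the transaction id and the MAC in the sample are made up.

```python
import struct
from dataclasses import dataclass

# DHCPv6 UDP ports from the slide: clients listen on 546, servers/relays on 547.
DHCPV6_CLIENT_PORT = 546
DHCPV6_SERVER_PORT = 547

# Message types and option codes from RFC 3315 (only those this example uses).
MSG_TYPES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 7: "REPLY"}
OPT_CLIENTID, OPT_IA_NA, OPT_ORO, OPT_ELAPSED_TIME = 1, 3, 6, 8

@dataclass
class DHCPv6Message:
    msg_type: int
    transaction_id: int
    options: dict  # option-code -> raw option-data (a repeated code overwrites)

def parse_dhcpv6(payload: bytes) -> DHCPv6Message:
    """Parse a client/server DHCPv6 message: 1-byte msg-type, 3-byte
    transaction-id, then options as 2-byte code / 2-byte length TLVs.
    Unlike DHCPv4 there is no fixed BOOTP header and no magic cookie."""
    if len(payload) < 4:
        raise ValueError("truncated DHCPv6 header")
    msg_type = payload[0]
    transaction_id = int.from_bytes(payload[1:4], "big")
    options = {}
    pos = 4
    while pos < len(payload):
        if len(payload) - pos < 4:
            raise ValueError("truncated option header at offset %d" % pos)
        code, length = struct.unpack_from("!HH", payload, pos)
        pos += 4
        if pos + length > len(payload):
            raise ValueError("option %d overruns the message" % code)
        options[code] = payload[pos:pos + length]
        pos += length
    return DHCPv6Message(msg_type, transaction_id, options)

# Constructed sample SOLICIT (not a real capture): transaction-id 0xabcdef, a
# DUID-LL client identifier, an IA_NA with IAID 1, an ORO asking for DNS servers.
SAMPLE_SOLICIT = bytes.fromhex(
    "01abcdef"                                    # msg-type 1 (SOLICIT), transaction-id
    "0001000a" "00030001" "001122334455"          # CLIENTID: DUID-LL (type 3, hw type 1) + MAC
    "0003000c" "00000001" "00000000" "00000000"   # IA_NA: IAID=1, T1=0, T2=0
    "00060002" "0017"                             # ORO: request option 23 (DNS servers)
    "00080002" "0000"                             # ELAPSED_TIME: 0
)
```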
Security
• Security Zones
– Isolated physically
– Different level security
• Firewall
– iptables
IPv6 deployment principles @IHEP
• Dual Stack
• The same management and security policies as IPv4
– Users (IP) management
– Monitoring
– Access control
• Network Services
– DNS
– WEB
– Email
– ……
• Grid & Cloud Computing
User Information Management & Access Control
• Central Database – IPDB
– MAC Address is the key
• Static IP address for Users
– IPv6/IPv4 host addresses assigned by DHCPv6/DHCPv4 servers, based on the MAC address declared in the IPDB
• Central Control System
– User information management
– Network devices information management
– Dhcpd configuration auto-updated
– Release access policies to the proper user switch
Security
• ZONEs & Firewall
– Internal (Private) Network
• End-points in the offices
• The highest-level security
– To Internet: open
– From Internet: Deny
– DMZ1: Special Server/User Network
• Located in the meeting rooms and user offices
• Uses the same link as the private network (but isolated by VLAN with trunk)
• For video conference …….
• Can be accessed from internet and internal, but cannot access the internal area
– DMZ2: Public Server Network
• Located in CC for public services (DNS/Email/……)
• Can be accessed from internet and internal on specific TCP/UDP ports, but cannot access the internal area
– WAN: Internet zone
• Located in IHEP CC, no firewall policy
• Perfsonar/perfsonar1.ihep.ac.cn
Security(2)
• IDS
– Tcpdump based system
– Rules added based on IHEP needs
• ssh port scan frequency
• Windows virus……
– Action (send policies) to the firewall system to control network access
• Network traffic and behavior analysis
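An added example, not code from IHEP's IDS, of the rule type named above (ssh port-scan frequency) and the action that follows it: count bare SYNs to port 22 per source in tcpdump text output, flag sources that exceed a threshold inside a time window, and render the iptables/ip6tables rule handed to the firewall. The sample lines, threshold and window are constructed; 2001:db8::bad is a documentation-prefix placeholder.

```python
import re
from collections import defaultdict

# tcpdump text format for TCP, IPv4 and IPv6 alike (constructed sample below), e.g.
#   12:00:01.000100 IP6 2001:db8::bad.40001 > 2001:cc0:2010:32::10.22: Flags [S], ...
TCP_LINE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d{6}) IP6? (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]"
)

def parse_syns(lines, dport=22):
    """Return {source_ip: [timestamp_seconds]} of bare SYNs towards dport."""
    syns = defaultdict(list)
    for line in lines:
        m = TCP_LINE.match(line)
        if not m or int(m.group(8)) != dport:
            continue
        flags = m.group(9)
        if "S" not in flags or "." in flags:  # "." is ACK, so "S." is a reply
            continue
        h, mi, s, us = (int(x) for x in m.groups()[:4])
        syns[m.group(5)].append(h * 3600 + mi * 60 + s + us / 1e6)
    return syns

def scanners(syns, threshold=5, window=10.0):
    """Sources with at least `threshold` SYNs inside some `window`-second span."""
    hits = []
    for src, times in syns.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.append(src)
                break
    return hits

def firewall_policy(src):
    """Block rule the IDS pushes to the iptables-based firewall (ip6tables for IPv6)."""
    tool = "ip6tables" if ":" in src else "iptables"
    return f"{tool} -I INPUT -s {src} -p tcp --dport 22 -j DROP"

# Constructed sample (not a real capture): one source probing port 22 on five
# hosts within a second, one SYN-ACK reply, one ordinary client login.
SAMPLE_LINES = [
    "12:00:01.000100 IP6 2001:db8::bad.40001 > 2001:cc0:2010:32::10.22: Flags [S], seq 1, win 512, length 0",
    "12:00:01.000300 IP6 2001:cc0:2010:32::10.22 > 2001:db8::bad.40001: Flags [S.], seq 9, ack 2, length 0",
    "12:00:01.200100 IP6 2001:db8::bad.40002 > 2001:cc0:2010:32::11.22: Flags [S], seq 1, win 512, length 0",
    "12:00:01.400100 IP6 2001:db8::bad.40003 > 2001:cc0:2010:32::12.22: Flags [S], seq 1, win 512, length 0",
    "12:00:01.600100 IP6 2001:db8::bad.40004 > 2001:cc0:2010:32::13.22: Flags [S], seq 1, win 512, length 0",
    "12:00:01.800100 IP6 2001:db8::bad.40005 > 2001:cc0:2010:32::14.22: Flags [S], seq 1, win 512, length 0",
    "12:00:05.000000 IP6 2001:cc0:2010:32::77.51000 > 2001:cc0:2010:32::10.22: Flags [S], seq 7, win 64800, length 0",
]
```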
Current Status
• Infrastructure deployment ✔
– All the network devices(switch/router/firewall) support IPv6
• Infrastructure Monitoring ✔
– Easy to do (all the devices are dual stack supported)
– Cacti & Nagios with IPv6 patch
• User (IP) management
– The IPDB & access control system: in production
– DHCPv6: ongoing
• DHCPv6 service is ready (running on the same server as DHCPv4)
• No perfect Windows XP client for IPv6 !!!
• Most IHEP users are using stateless IPv6 addresses now, but IHEP CC users use DHCPv6 to obtain their IPv6 address.
• Security ✔
– Firewall: in production
– IDS: in production
– Network traffic and user behavior analysis: on going
Current Status(cont.)
• IHEP IPv6 prefixes
– 2001:cc0:2010::0/48
• globally routed, full Internet connectivity
• IPv6 User address assignment
– One IPv6 subnet per VLAN, together with the IPv4 subnet. Subnet mask: /64
– For example: Vlan 32: 202.122.32.0/24 and 2001:cc0:2010:32::0/64
• IPv6 Network Services
– DNS: ✔
– DHCP: ✔
– NTP: ✔
– Web (partly supported)
– Video webcast: ongoing
IHEP User Access Control Procedure
• Online register: MAC / user name / email / tel / building / room number / plugin number / ……
• Submit
• Approved by admin? (no: back to registration; ok: continue)
• Assign IP address, save to IPDB
• DHCP configuration updated
• Switch configuration updated
• IPDB holds: switch information (IP/port/VLAN), switch-room/plugin number relationship, VLAN/IP subnet/switch-port relationship, IP/MAC relationship, ……
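As an added example (not IHEP's control system) that ties together the MAC-keyed IPDB, the "Dhcpd configuration auto-updated" step of this procedure and the per-VLAN /64 plan from the Current Status slide: render ISC dhcpd host reservations from IPDB-style records. It assumes ISC dhcpd syntax (`host-identifier option dhcp6.client-id`, `fixed-address6`), clients that use DUID-LL so the DUID can be derived from the MAC (RFC 3315), and constructed hostnames, MACs and host numbers.

```python
import ipaddress

# Site prefix from the Current Status slide; one /64 per VLAN, with the VLAN number
# written into the fourth hextet as in the slide's example (Vlan 32 -> 2001:cc0:2010:32::/64).
SITE_PREFIX = ipaddress.IPv6Network("2001:cc0:2010::/48")

def vlan_subnet(vlan: int) -> ipaddress.IPv6Network:
    """Per-VLAN /64, verified to lie inside the site /48."""
    net = ipaddress.IPv6Network(f"2001:cc0:2010:{vlan}::/64")
    if not net.subnet_of(SITE_PREFIX):
        raise ValueError(f"VLAN {vlan} subnet {net} is outside {SITE_PREFIX}")
    return net

def duid_ll_from_mac(mac: str) -> str:
    """DHCPv6 reservations key on the client DUID, not the MAC. For clients that
    use DUID-LL (RFC 3315: type 3, hardware type 1 = Ethernet) the DUID is
    00:03:00:01 followed by the MAC, so a MAC-keyed IPDB can still drive it.
    Clients using DUID-LLT or DUID-EN must have their DUID recorded instead."""
    octets = mac.lower().replace("-", ":").split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"bad MAC {mac!r}")
    bytes.fromhex("".join(octets))  # raises ValueError on non-hex digits
    return "00:03:00:01:" + ":".join(octets)

def ipdb_to_dhcpd6(records) -> str:
    """Render ISC dhcpd host reservations from IPDB-style records
    (hostname, mac, vlan, host_number); the MAC must be unique, as in the IPDB."""
    blocks, seen = [], set()
    for hostname, mac, vlan, host_number in records:
        duid = duid_ll_from_mac(mac)
        if duid in seen:
            raise ValueError(f"MAC {mac} declared twice in IPDB")
        seen.add(duid)
        addr = vlan_subnet(vlan)[host_number]  # host_number-th address of the /64
        blocks.append(
            f"host {hostname} {{\n"
            f"  host-identifier option dhcp6.client-id {duid};\n"
            f"  fixed-address6 {addr};\n"
            f"}}"
        )
    return "\n".join(blocks)

# Constructed IPDB rows (hostnames, MACs and host numbers are made up).
SAMPLE_IPDB = [
    ("cc-ws01", "00:11:22:33:44:55", 32, 0x10),
    ("cc-ws02", "00:11:22:33:44:66", 32, 0x11),
]

if __name__ == "__main__":
    print(ipdb_to_dhcpd6(SAMPLE_IPDB))
```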
Problems
• IPv6 address assignment
– DHCPv6 client for Windows XP
• Not enough resources and applications in the IPv6 Internet world
– Most of the IHEP IPv6 traffic is video/iptv/……
– Little scientific data goes through IPv6
Work Plan
• Virtual Environment (OpenStack)
– Public web services running here
• IPv6 enabled in Data Area Network(testbed for Grid)
– HEPiX IPv6 Group
• HEP(BESIII/DYB Experiments) data transfer with IPv6
– In discussion
Questions?
&
Thank you for your attention!