
IPv6 Deployment Project, 2 April 2012 (CERN IT Department, CH-1211 Genève 23, Switzerland)


1 IPv6 Deployment Project
2 April 2012, edoardo.martelli@cern.ch
CERN IT Department, CH-1211 Genève 23, Switzerland, www.cern.ch/it

2 Summary
- Why IPv6?
- What is IPv6?
- CERN IPv6 Network Service
- v4/v6 coexistence risks
- IT-CS work plan
- Implications for network users
- Progressing together

3 Why IPv6?

4 IPv4 ends
IPv4 address pool soon depleted.

5 IPv4 exhaustion predictions
Figure: http://www.potaroo.net/tools/ipv4/rir.jpg

6 IPv4 exhaustion consequences
In general:
- Problematic for new players to join the IPv4 Internet => part of the Internet will be v6 only
- Difficult to deploy new large services based on IPv4 (virtualization, clouds, mobile devices...) => users hidden behind layers of NAT (CGN, Carrier Grade NAT)
For CERN: IPv6 necessary to reach all CERN remote users and to deploy new large scale services.

7 What is IPv6?

8 IPv6 in a nutshell
2001:1458:a137:b138:c000:d000:e000:f001/64
(Site: 2001:1458 | Subnet: a137:b138 | Host: c000:d000:e000:f001)
- 128 bits, written in 8 groups of 4 hexadecimal digits
- 64 bits for the network address, 64 bits for the host address (recommendation)
- typical major site allocation: /32. It gives 2^32 subnets, as many subnets as there are IPv4 addresses. Every subnet has 2^64 host addresses available.
- NAT not available
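The address layout above, worked through in code as an added example (this is not code from the presentation): Python's standard ipaddress module splits the slide's example address into the /32 site prefix, the /64 subnet and the 64-bit host part, expands the compressed notation to the full eight groups, and checks that a subnet belongs to a site prefix. The /32 and /64 lengths are the slide's; the function names are mine.

```python
import ipaddress

# Prefix lengths taken from the slide: /32 for a major site, /64 per subnet.
SITE_PREFIX_LEN = 32
SUBNET_PREFIX_LEN = 64


def anatomy(addr_with_len):
    """Split an IPv6 address written as addr/len into the three parts the slide
    labels Site, Subnet and Host, and count what each part can hold."""
    iface = ipaddress.IPv6Interface(addr_with_len)
    addr_int = int(iface.ip)
    host_bits = 128 - iface.network.prefixlen
    site_mask = ((1 << SITE_PREFIX_LEN) - 1) << (128 - SITE_PREFIX_LEN)
    site = ipaddress.IPv6Network((addr_int & site_mask, SITE_PREFIX_LEN))
    return {
        "site": str(site),                         # e.g. 2001:1458::/32
        "subnet": str(iface.network),              # e.g. 2001:1458:a137:b138::/64
        "host_id_hex": format(addr_int & ((1 << host_bits) - 1), "016x"),
        # a /32 site holds 2^32 /64 subnets: as many subnets as IPv4 has addresses
        "subnets_in_site": 1 << (SUBNET_PREFIX_LEN - SITE_PREFIX_LEN),
        "hosts_in_subnet": 1 << host_bits,
    }


def exploded(addr):
    """Full 8-groups-of-4-hex-digits form of a (possibly compressed) address."""
    return ipaddress.IPv6Address(addr).exploded


def in_site(subnet, site):
    """True if a prefix such as a /64 falls inside a site prefix such as 2001:1458::/32."""
    return ipaddress.IPv6Network(subnet).subnet_of(ipaddress.IPv6Network(site))


if __name__ == "__main__":
    # The slide's own example address, including its /64.
    for key, value in anatomy("2001:1458:a137:b138:c000:d000:e000:f001/64").items():
        print(f"{key:16} {value}")
    print(exploded("2001:1458::1"))
    # The public subnet from slide 14 sits inside the public /32 from slide 13.
    print(in_site("2001:1458:0201:0E00::/64", "2001:1458::/32"))
```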

9 Transition strategies
Many NAT/Tunneling "solutions" (Address Translator, IPv4/IPv6 bridge between the IPv4 Internet and the IPv6 Internet): DEPRECATED.
Dual Stack (IPv4 network and IPv6 network running side by side): the only viable solution.

10 CERN IPv6 Service

11 Strategy: IPv6 ≥ IPv4
The CERN IPv6 service must be at the same level as the IPv4 service, plus the advantages peculiar to IPv6.

12 Service Description
- Dual Stack
- One IPv6 address assigned to every IPv4 one
- Identical performance as IPv4, no degradation
- Common provisioning tools for IPv4 and IPv6
- Same network services portfolio as IPv4
- Common security policies for IPv4 and IPv6
- Connectivity to IPv6 only systems!

13 CERN IPv6 prefixes
- Public prefix 2001:1458::/32 (globally routed, full Internet connectivity)
- Local prefix FD01:1458::/32 (private addresses, like 10.0.0.0 in IPv4; no Internet connectivity)

14 IPv6 User services
At least one IPv6 sub-prefix per physical subnet, public and/or local.
Subnet size: /64 (i.e. 64 bits for the network address, 64 bits for the host address).
Available host addresses per subnet: 2^64 (recommended size).
Example: 137.138.14.0/24 -> 2001:1458:0201:0E00::/64

15 Infrastructure management
Keep control to ensure stability and security.
Addresses assigned from the Network DB (LANDB):
- IPv6 addresses assigned by DHCPv6 servers. Static or dynamic assignments based on the MAC address (same principles as IPv4).
Avoid risks:
- IPv6 autoconfiguration disabled.

16 Network Services
DNS, DHCPv6, Radius and NTP will be available over the IPv6 network.
The existing IPv4 DNS, Radius and NTP servers will provide the IPv6 services.
DHCPv6 and DHCP(v4): two services running on the same physical server.

17 LANDB
- LANDB is the central repository for all network information
- IPv6 is now the main navigation source
- A new schema was introduced on 25th of March 2012, keeping compatibility with existing applications and queries

18 Monitoring
IPv6 will be monitored like its IPv4 counterpart, but initial monitoring will not be at the same level as IPv4 (some features are still missing and will come later).

19 Security
The same IPv4 security policies will be applied to the IPv6 service.
Every existing IPv4 firewall and CNIC rule will be extended with IPv6 information.
Firewall rules concerning host addresses: the IPv6 counterpart of an opening will be activated only when the host administrator declares the server IPv6 ready.
(Illustration: "Dear WEBREQ: my device is now IPv6 ready, please apply IPv6 security policies")

20 Coexistence risks

21 Client application's behaviour
The choice of the IP protocol to be used is up to the client application or operating system, based on the DNS reply and its own settings.
Since the name of a server is independent of the applications it runs, all the applications must be listening on both protocols.

22 Server not listening
If the DNS returns an IPv6 address for a server that is not listening over IPv6, delays may occur. Illustration:
- Client: I want to see http://edh.cern.ch
- CERN DNS server: edh.cern.ch is either IPv6 2001:1458:8001::68 or IPv4 137.138.7.65
- Client: My application prefers IPv6; connect to 2001:1458:8001::68 TCP port 80...
- (20 to 180 seconds later) Client: No IPv6 reply yet? Let's try 137.138.7.65 TCP port 80 then
- EDH WEB server (IPv4 only): Dear client, here is the EDH page...

23 Control by DNS
Servers cannot decide which IP protocol the client will use. IPv6 can be avoided by the DNS not returning the IPv6 address. Illustration:
- Client: I want to see http://edh.cern.ch
- DNS server: For the time being edh.cern.ch is only IPv4 137.138.7.65
- Client: Although I'd prefer IPv6, I'll connect to 137.138.144.168 TCP port 80

24 LANDB flag: IPv6 ready
The DNS name name.cern.ch will be resolved only to the IPv4 address until the user declares the device IPv6 ready in LANDB via WEBREQ.
IPv6 ready means:
- IPv6 connectivity is OK
- all the server's applications are listening on both IPv4 and IPv6
Consequences:
- IPv6 security openings activated
- name.cern.ch returns IPv4 and IPv6 addresses (A and AAAA records)

25 LANDB flag: Not IPv6 ready
Not IPv6 ready means:
- Still testing IPv6, or client-only machine
Consequences:
- No IPv6 security openings
- Different DNS names (name.cern.ch for IPv4 and name.ipv6.cern.ch for IPv6)
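The two flag states on slides 24 and 25, together with the firewall rule on slide 19, amount to a small policy: the AAAA record and the IPv6 firewall openings follow the device's "IPv6 ready" flag. The code below is an added example of that policy as a generator (it is not CERN's LANDB code, and the Device record, the function names and the zone-file rendering are my assumptions). The edh addresses are the ones shown on slide 22; the flag values and the port list are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass

DOMAIN = "cern.ch"
TEST_LABEL = "ipv6"   # slide 25: name.ipv6.cern.ch carries the AAAA until the device is ready


@dataclass(frozen=True)
class Device:
    name: str          # device name as registered in LANDB, e.g. "edh"
    ipv4: str
    ipv6: str
    ipv6_ready: bool   # the LANDB flag the administrator sets via WEBREQ


def dns_records(dev):
    """Zone records for one device as (owner, type, value) tuples.

    Not ready: name.cern.ch has only the A record and the AAAA lives under
    name.ipv6.cern.ch. Ready: name.cern.ch returns both A and AAAA.
    """
    v4 = str(ipaddress.IPv4Address(dev.ipv4))   # normalise and reject bad input
    v6 = str(ipaddress.IPv6Address(dev.ipv6))
    fqdn = f"{dev.name}.{DOMAIN}"
    records = [(fqdn, "A", v4)]
    if dev.ipv6_ready:
        records.append((fqdn, "AAAA", v6))
    else:
        records.append((f"{dev.name}.{TEST_LABEL}.{DOMAIN}", "AAAA", v6))
    return records


def firewall_openings(dev, ipv4_openings):
    """Mirror each IPv4 host opening (proto, port) onto the device's IPv6 address
    only once the flag is set, so a host that is not ready gets no unused IPv6 opening."""
    rules = [(dev.ipv4, proto, port) for proto, port in ipv4_openings]
    if dev.ipv6_ready:
        rules.extend((dev.ipv6, proto, port) for proto, port in ipv4_openings)
    return rules


def zone_text(records):
    """Render records as zone-file lines."""
    return "\n".join(f"{owner}. IN {rtype} {value}" for owner, rtype, value in records)


# Constructed sample: addresses for edh as on slide 22, flag values invented.
EDH_TESTING = Device("edh", "137.138.7.65", "2001:1458:8001::68", ipv6_ready=False)
EDH_READY = Device("edh", "137.138.7.65", "2001:1458:8001::68", ipv6_ready=True)
WEB_OPENINGS = [("tcp", 80), ("tcp", 443)]

if __name__ == "__main__":
    for dev in (EDH_TESTING, EDH_READY):
        print(f"--- ipv6_ready={dev.ipv6_ready}")
        print(zone_text(dns_records(dev)))
        print(firewall_openings(dev, WEB_OPENINGS))
```

Running it shows the point of the flag: while the device is still testing, a client resolving edh.cern.ch never sees an AAAA and so never hits the slide 22 delay, while the administrator can still reach the IPv6 side through edh.ipv6.cern.ch.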

26 Issue with remote sites
- If IPv6 connectivity is broken, clients will wait up to 180 seconds before falling back to IPv4.
- If IPv6 connectivity is only degraded, fallback will never occur.
- Client's perception: there's a server issue.
(Diagram: Remote site <-> INTERNET <-> CERN; IPv4: OK, IPv6: KO)
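Slides 22 and 26 describe the client side of the problem: the OS-default connect timeout is what turns an unanswered IPv6 SYN into a 20 to 180 second wait. The block below is an added example, not code from the presentation, of the client-side mitigation: sort the getaddrinfo() candidates IPv6 first, give each address a short connect budget, and fall back to the next one. This is a sequential simplification of the fast fallback draft the presentation lists among its resources (that draft races the attempts in parallel). The connector is injectable, so the constructed sample below runs offline against a simulated server that does not listen on IPv6; the timeout value and all function names are mine. Note that this bounds the broken case only: a connection that succeeds but then performs badly (the "degraded" case on slide 26) is not detected by a connect timeout.

```python
import socket

# Family order the slides describe: applications prefer IPv6, then fall back to IPv4.
FAMILY_ORDER = (socket.AF_INET6, socket.AF_INET)
# Per-address connect budget (constructed value). Left to the OS, an unanswered
# SYN can take the 20 to 180 seconds the slides mention before the client gives up.
ATTEMPT_TIMEOUT = 0.3


def order_candidates(addrinfos):
    """Order getaddrinfo()-style tuples IPv6 first, keeping the resolver's order within a family."""
    def rank(ai):
        return FAMILY_ORDER.index(ai[0]) if ai[0] in FAMILY_ORDER else len(FAMILY_ORDER)
    return sorted(addrinfos, key=rank)


def resolve(host, port):
    """All TCP candidates for a name (A and AAAA answers), IPv6 first."""
    return order_candidates(socket.getaddrinfo(host, port, type=socket.SOCK_STREAM))


def socket_connector(family, sockaddr, timeout):
    """Real connector: one TCP connect with a bounded timeout."""
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
    except OSError:
        sock.close()
        raise
    sock.settimeout(None)
    return sock


def connect_with_fallback(candidates, connector=socket_connector, timeout=ATTEMPT_TIMEOUT):
    """Try each candidate in order with a short timeout.

    Returns (connection, sockaddr, attempts); attempts lists (sockaddr, error)
    for every address tried, so the caller can log "IPv6 path failed, fell back
    to IPv4" instead of the user seeing a slow or broken server.
    """
    attempts = []
    for family, _socktype, _proto, _canonname, sockaddr in candidates:
        try:
            conn = connector(family, sockaddr, timeout)
        except OSError as exc:
            attempts.append((sockaddr, repr(exc)))
            continue
        attempts.append((sockaddr, None))
        return conn, sockaddr, attempts
    raise OSError(f"no candidate reachable: {attempts}")


# Constructed, offline stand-in for a DNS answer carrying both records for
# edh.cern.ch (addresses as on slide 22), deliberately in IPv4-first order.
SAMPLE_ADDRINFO = [
    (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("137.138.7.65", 80)),
    (socket.AF_INET6, socket.SOCK_STREAM, 6, "", ("2001:1458:8001::68", 80, 0, 0)),
]


def v4_only_server(family, sockaddr, timeout):
    """Simulated connector for a server that is not listening on IPv6:
    the IPv6 SYN is never answered (connect times out), IPv4 answers at once."""
    if family == socket.AF_INET6:
        raise socket.timeout(f"simulated: no answer from {sockaddr[0]} after {timeout}s")
    return f"tcp-connection-to-{sockaddr[0]}"


if __name__ == "__main__":
    conn, used, attempts = connect_with_fallback(order_candidates(SAMPLE_ADDRINFO), v4_only_server)
    print("connected via", used)
    for sockaddr, err in attempts:
        print("  tried", sockaddr[0], "->", err or "ok")
```

For a real target, replace the sample list with `resolve("name.cern.ch", 80)` and use the default connector; the attempts list is what an operations team would want in the client log to tell "IPv6 broken at the remote site" apart from "server down".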

27 Deployment Plan

28 IPv6 deployment plan
- Testing of network devices: completed
- IPv6 Testbed for CERN users: available
- New LANDB schema: in production
- Addressing plan in LANDB: in production
- Provisioning tools (cfmgr and csdbweb): ongoing
- Network configuration: ongoing
- Network services (DNS, DHCPv6, Radius, NTP)
- User interface (webreq)
- User training
- IPv6 Service ready for production in 2013
(Timeline axis ticks: 2011Q2, 2011Q3, 2012Q1, Today, 2013Q1, 2021Q1)

29 Implications for Network Users

30 Everybody is concerned
"It shouldn't matter to an application whether it runs over IPv4 or IPv6. Unfortunately, for many applications, it does matter."
IPv6 affects:
- Operating Systems
- Server applications
- Client applications
- Closed hardware (printers, PLCs...)
- Operational teams
- Security matters
- ...

31 System managers
- Most recent versions of Windows, Linux and MacOS support IPv6.
- Installation of a DHCPv6 client may be necessary.
- Upgrade/replace old OSes with no or broken IPv6 support.
- Local firewall configuration.

32 Application managers
In-house and open source applications (e.g. CDB, QUATTOR, LEMON, CASTOR, GridFTP, EDH...) must:
- understand IPv6 addresses
- connect/listen over IPv6 and IPv4
Commercial applications (e.g. Oracle, LSF, printers, PLCs...):
- Ask vendors to implement IPv6 support
- Upgrade the applications

33 Developers
Make applications protocol agnostic:
- connect to names and not to numerical addresses
- avoid protocol specific actions (ARP replaced by the Neighbor Discovery Protocol, broadcast no longer exists...)
If working with numerical addresses, beware:
- syntax has changed: [2001:db8:1234:abcd::cafe]:80
- the IPv6 header is bigger than the IPv4 one
- new DNS AAAA record
- hosts will have multiple v6 addresses
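The "syntax has changed" point is where many IPv4-era parsers break: a naive split on the last colon turns an IPv6 literal into garbage, and an unbracketed literal followed by a port is genuinely ambiguous. The parser below is an added example, not code from the presentation, of handling the bracket form from the slide alongside the plain host:port forms; it uses the standard ipaddress module for validation, and the function names and error messages are mine.

```python
import ipaddress


def parse_host_port(text, default_port=None):
    """Parse "host", "host:port", "[v6]" or "[v6]:port" into (host, port).

    The brackets exist because an IPv6 literal already contains colons:
    "2001:db8::cafe:80" is itself a valid address (last group 0x80), not
    "2001:db8::cafe" on port 80, so an unbracketed literal is taken as a
    host with no port.
    """
    text = text.strip()
    if text.startswith("["):
        end = text.find("]")
        if end == -1:
            raise ValueError(f"unterminated '[' in {text!r}")
        host = text[1:end]
        ipaddress.IPv6Address(host)          # brackets must wrap a valid IPv6 literal
        rest = text[end + 1:]
        if rest == "":
            port = default_port
        elif rest.startswith(":") and rest[1:].isdigit():
            port = int(rest[1:])
        else:
            raise ValueError(f"bad port suffix in {text!r}")
    elif text.count(":") > 1:
        ipaddress.IPv6Address(text)          # raises ValueError if not a literal
        host, port = text, default_port
    elif ":" in text:
        host, _, port_text = text.rpartition(":")
        if not host or not port_text.isdigit():
            raise ValueError(f"expected host:port, got {text!r}")
        port = int(port_text)
    else:
        host, port = text, default_port
    if port is not None and not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {text!r}")
    return host, port


def format_host_port(host, port):
    """Inverse: bracket the host when it is an IPv6 literal, as in the slide's example."""
    try:
        ipaddress.IPv6Address(host)
    except ValueError:
        return f"{host}:{port}"
    return f"[{host}]:{port}"


if __name__ == "__main__":
    for sample in ("[2001:db8:1234:abcd::cafe]:80", "137.138.7.65:80", "edh.cern.ch:80",
                   "2001:db8::cafe:80", "[::1]"):
        print(f"{sample:32} -> {parse_host_port(sample, default_port=80)}")
    print(format_host_port("2001:db8:1234:abcd::cafe", 80))
```

The fourth sample is the instructive one: "2001:db8::cafe:80" parses as an address, not as host plus port, which is exactly why configuration files and log formats should always emit the bracketed form that format_host_port produces.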

34 Resources for Developers
- Recommendations and code checker: https://twiki.cern.ch/twiki/bin/view/EGEE/IPv6FollowUp
- Implementing IPv6 applications: http://www.6deploy.eu/tutorials/210-6deploy_devel_v0_4.pdf
- Application aspects of IPv6 transition: http://tools.ietf.org/html/rfc4038
- Socket interface extensions for IPv6: http://tools.ietf.org/html/rfc3493
- Fast fallback algorithm (Happy Eyeballs): http://datatracker.ietf.org/doc/draft-ietf-v6ops-happy-eyeballs/

35 IPv6 Forum

36 CERN IPv6 Forum
Representatives from:
- each IT group
- each department
- each experiment
Place for:
- knowing about IPv6 deployment status
- use of the IPv6 testbed
- sharing information and knowledge
- giving feedback and proposing enhancements
Mailing list: ipv6-forum@cern.ch

37 IPv6 Testbed

38 Testbed setup
- Two dual stack IPv4/IPv6 services, one in LCG and one in GPN
- Autoconfiguration in the first stage, DHCPv6 when all options are available
- DNS service over IPv6
- Global IPv6 connectivity via a statically configured stateful firewall
- Servers running Virtual Machines with IPv6 capabilities

39 Testbed setup (diagram)
Diagram components: CERN network; IPv4/IPv6 Dual-Stack network, IPv6 only network and IPv4 only network; LCG IPv4/IPv6 router and GPN IPv4/IPv6 router, each with IPv4/IPv6 Virtual Machines; IPv6 firewall and IPv4 firewall; IPv4 Internet and IPv6 Internet.

40 How to get an IPv6/v4 VM
- Be part of the egroup ipv6-testbed-users
- Login to the Virtual Machine Manager http://cern.ch/cvi
- Click on Request Virtual Machine
- Fill the form with the necessary information
- Choose the Host Group:
  "IT-CS\IPv6 testbed\LCG" for the LCG domain (v4 address 128.142.0.0/16, LHCOPN access to the Tier1s)
  "IT-CS\IPv6 testbed\GPN" for the GPN domain (v4 address 137.138.0.0/16, normal campus machine)
Details: https://twiki.cern.ch/twiki/bin/view/IPv6/IPv6TestbedAccess

41 Conclusions

42 Conclusions
- IPv6 is necessary
- Implementation already started
- It will take time
- It will be expensive
- New operational problems will arise
- Everybody is concerned

43 More information: http://cern.ch/ipv6

