Tomáš Podermański, [email protected]
Brno
• the Czech Republic
– Area: 78 866 km²
– Population: 10 230 060
– Capital city: Prague
– 1989: communist regime collapsed
– 1999: member of NATO
– 2004: member of EU
NREN – CESNET z.s.p.o.
– 26 members
– Universities & Czech academy
– Many other institutions connected indirectly
– Government institutions, hospitals, high schools, research institutions
– Network based on DWDM & MPLS technology
Rumors about IPv6
• Do you know that IPv4 address space will be exhausted very soon?
– Really, again? I already heard about it 10 years ago.
• We are working on IPv6 transition!
– Do you still use it?
• How do you get on with IPv6?
– Everything is ready. The network is well prepared and all applications support dual stack. There is no problem with IPv6.
• Very well, can I see how it works?
– Ehh, em, you know…. maybe later
• Actual point of view
– We know that IPv6 is a real problem, but we don’t have time and money to deal with it.
– We’d like to cope with IPv6, but we don’t know how.
Why IPv6?
Top 10 Features that make IPv6 'greater' than IPv4
1. Larger IP address space
2. Better end-to-end connectivity
3. Ability for autoconfiguring devices
4. Simplified header structures
5. Better security (IPSEC – ESP, AH)
6. Better quality of services
7. Better multicast and anycast abilities
8. Mobility features
9. Ease of administration
10. Smooth transition from IPv4
source: http://ipv6.com/
Ten years ago we had a plan …
[Figure: IPv6 deployment, IPv4 pool size and size of the Internet plotted over time; IPv6 transition using dual stack spanning 6 - 10 years, from 2000 to 2006-2010]
Source: http://www.potaroo.net/presentations/
What’s the revised plan?
[Figure: IPv6 deployment, IPv4 pool size and size of the Internet over time; labels: IPv6 transition, Today, 2010, 1 year, 1%, 100%, ?]
Source: http://www.potaroo.net/presentations/
An Internet Transition Plan
• Recommendation based on RFC5211 (07/2008)
• Phase I (2008 – 2009)
– Backbone network, basic infrastructure
– Native connectivity to each location (low speed)
– Some public services available on IPv6 (web, ftp)
• Phase II (2010/1 - 2011/12)
– Stable backbone infrastructure
– Hardware routing
– Monitoring of applications & hotline support
– IPv6 connectivity for end users in selected locations
– IPv6 multicast in testing mode
• Phase III (2012/1)
– IPv6 network in good working order (unicast & multicast)
– Native IPv6 connectivity for all users
– Majority of services available through IPv6
IANA: Allocation of /8 IPv4 prefixes
Source: http://www.potaroo.net/tools/ipv4/index.html
NAT
1992: The first call
2001: Win XP, SP1 dualstack
2008: European Commission targets 25% IPv6 availability by 2010
2007: Win Vista, SP1 dualstack, preferred IPv6
1996: IPv6 on Linux
1998: RFC 2460
2008: Google on IPv6
Action plans for IPv6 deployment
• EU: ADVANCING THE INTERNET – Action Plan for the deployment of Internet Protocol version 6 (IPv6) in Europe, Brussels, 27.5.2008, COM(2008) 313 final
• USA: Transition Planning for Internet Protocol Version 6 (IPv6), to set the US Federal Agencies a hard deadline for compliance to IPv6 on their core IP networks
• China: China Next Generation Internet (CNGI) sets out a 5 year plan (2006-2010) for the early adoption of IPv6
• Korea: IPv6 Promotion Plan II which sets a vision of deploying IPv6 for the public sector by 2010
• Australia: Preparation Jan 2008-Dec 2009, Transition Jan 2010-Dec 2012, Implementation Jan 2013-Dec 2015
NREN's activities
• Backbone infrastructure
– IPv6 has been available in each node for many years
– Every member can have IPv6 connectivity
• IPv6 workgroup
– meetings 3 times a year
– a few campuses are usually presented
– usually 20 – 30 participants
– good place to
  • meet specialists from other universities
  • share experience & knowledge
IPv6 and Czech Universities
Some other numbers
• 31% of members have their web available on IPv6
• 31% of members have MX record on IPv6
• 36% of members have DNS servers on IPv6
• 3 members use Google IPv6 services
• Very different opinions about using ISATAP
– 27% of members have an ISATAP record in DNS
– some members don’t (won’t) support ISATAP
Let’s move on to the campus
IPv6 status at the Brno University of Technology
the Brno University of Technology
• http://www.vutbr.cz
• One of the largest universities in the Czech Republic
• Founded in 1899, 110th anniversary was recently celebrated
• 15,000 students and 2,000 employees
• 9 faculties
• 6 other organizational units
• Dormitory for 6,000 students
[Figure: map of locations in Brno: VUT faculties, dormitories (Koleje) and rectorate, plus MU, AV ČR, VFU, MZLU and CESNET sites]
Milestones
1992-1995: Modems, dedicated connections, bandwidth 32 - 128 Kb/s, first fiber was built, Ethernet 10 Mb/s, PC based routers KA9Q and BSD/386.
1995-1998: Connections among locations almost all transferred to fiber, the ATM 155 Mb/s was being built, PC based routers with BSD Unix.
1998-2001: Optical connections with multiple fibers, first attempts to build circuits on Gigabit Ethernet, L3 switches Extreme Networks.
2002-2004: All core-network circuits on the backbone converted to Gigabit Ethernet. Gigabit Ethernet was used to connect each location.
2005: First experience with 10 Gb/s Ethernet. Looking for a proper technology to build a new backbone.
2006-2008: Step-by-step conversion from Gigabit Ethernet to 10 Gigabit Ethernet. Selected technology: Extreme Networks, Hewlett Packard.
2008: A backed-up L2 circuit has been built for management and L2 cross connections. Each location has been connected at 10 Gigabit.
2009-now: The IPv6 backbone has been built. All tunnel-like connections have been converted to native. OSPFv3 based routing has been turned on. IPv6 connectivity is now ready to be used in all locations.
Layer 3 network
Core of the network
• Based on 10Gb/s Ethernet
• Basic L3 services
• OSPF and OSPFv3
• multicast - PIM/SM
External connectivity
• Two 10Gb/s lines connecting the core to CESNET (BGP, BGP4+)
• Basic filtering (SMTP, NetBIOS, 445/Microsoft DS)
Locality & sub-campuses
• Two 10Gb/s lines to the core
• More complex firewall configurations are dependent on local administrators
Initial IPv6 topology
IPv6 milestones
2002
– Basic tunneled connectivity. Assigned own prefix - 2001:718:802::/48.
2002-2008
– Some experimental services. Possibility to connect locations using IPv6 (VLANs). Static routing based on FreeBSD PC routers.
2009
– Native connectivity to NREN
– Address plan, prefix divided into organization units
– OSPFv3 based routing. PC routers with XORP.
– 3com 4800 GL devices used as HW routers
– DNS server moved to dualstack
2010/I, 2010/II
– Backed-up connectivity to each location
– Every place/subnet can support native IPv6 connectivity
– Tests with HP devices (participation in beta testing program)
– Connectivity to NREN through two 10Gb/s lines – BGP4+
– Basic firewall
– Monitoring of IPv6 services, collecting neighbor caches (NAV)
– Some services moved to dualstack
2010/III, 2010/IV
– Core of the network moved to dualstack
– Disassemble the temporary IPv6 network
IPv6 milestones - future
• Firmware with full IPv6 support has been released
– Temporary solution on XORP routers can be switched off
– IPv6 topology will follow the IPv4 topology
– All subnets will have both IPv4 and native IPv6 connectivity
• PI IPv6 address range has been assigned
– Waiting for the process to be finalized.
– Changing address of all subnets and services. We will move from 2001:718:802::/48 to 2001:67c:1220::/46
• Activation of services on dualstack
– 90% of services could be moved easily
– rest of services => very complicated issue => unpredictable problems
• The basic connectivity is not a problem today. It works fine and any academic institution can have IPv6 (if interested).
– Most of the basic services are ready to be used on IPv6 with dualstack (web, DNS, mail, …)
• The key problem lies in local networks. There are still too many questions to be answered. If
– RFC 5006 gets widely accepted (or not).
– DHCPv6 supports default route + prefix lengths (or not).
– SLAAC gets widely accepted (or not).
– Mac OS X supports DHCPv6 (or not).
– RA Guard is widely implemented.
– DHCPv6 Snooping is widely implemented.
– SeND gets widely accepted (or not).
• Nobody knows how to properly manage a local network
source: [email protected]
Problematic issues
A bit of statistics… collected from the campus network
[Figure: IPv4, IPv6 & tunneled traffic]
[Figure: IPv6 native traffic]
[Figure: How many addresses were we talking with]
[Figure: How many IPv6 addresses were we talking with]
Come on, what all this fuss is about. Just take it easy and see what happens.
[Figure: Number of unique MAC addresses in ARP and NC]
What conclusions can be drawn
• It doesn’t matter if
– you like IPv6 or not
– you believe that IPv6 will ever work or not
• IPv6 is here although you may not see it!
– 60% of computers have a valid and reachable IPv6 address today
– this number is growing every day (as new devices are being used)
– all those devices are potential threats
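One way to take the same measurement on your own network, in the spirit of the "unique MAC addresses in ARP and NC" chart: the Python code below is an added example, not part of the original presentation or of NAV. It assumes neighbor data in the text format of Linux `ip neigh show`; the sample entries (documentation prefixes and MACs) and the class labels are constructed.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in the format printed by Linux `ip neigh show`
# (documentation ranges 192.0.2.0/24, 2001:db8::/32, 00:00:5e:00:53:xx).
SAMPLE = """\
192.0.2.10 dev vlan10 lladdr 00:00:5e:00:53:01 REACHABLE
2001:db8:10::a1 dev vlan10 lladdr 00:00:5e:00:53:01 STALE
fe80::200:5eff:fe00:5301 dev vlan10 lladdr 00:00:5e:00:53:01 STALE
192.0.2.11 dev vlan10 lladdr 00:00:5e:00:53:02 REACHABLE
fe80::200:5eff:fe00:5302 dev vlan10 lladdr 00:00:5e:00:53:02 STALE
192.0.2.12 dev vlan10 lladdr 00:00:5e:00:53:03 STALE
2001:db8:10::c3 dev vlan10 lladdr 00:00:5e:00:53:04 REACHABLE
2001:db8:10:0:1c2d:3e4f:5a6b:7c8d dev vlan10 lladdr 00:00:5e:00:53:04 STALE
192.0.2.99 dev vlan10  FAILED
2001:db8:10::dead dev vlan10  INCOMPLETE
"""

def parse_neighbors(text):
    """Map each MAC to the set of IP addresses seen for it."""
    by_mac = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue  # FAILED/INCOMPLETE entries carry no MAC
        mac = fields[fields.index("lladdr") + 1].lower()
        by_mac[mac].add(ipaddress.ip_address(fields[0]))
    return by_mac

def classify(addrs):
    """Label one host by the address families it actually uses."""
    has_v4 = any(a.version == 4 for a in addrs)
    v6 = [a for a in addrs if a.version == 6]
    has_global = any(not a.is_link_local for a in v6)
    if has_global:
        return "dual-stack" if has_v4 else "ipv6-only"
    if v6:
        return "ipv4+link-local" if has_v4 else "link-local-only"
    return "ipv4-only"

def summarize(text):
    """Count hosts per class and the share holding a non-link-local IPv6 address."""
    by_mac = parse_neighbors(text)
    counts = Counter(classify(addrs) for addrs in by_mac.values())
    with_v6 = counts["dual-stack"] + counts["ipv6-only"]
    share = round(100 * with_v6 / len(by_mac), 1) if by_mac else 0.0
    return dict(counts), share

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Hosts in the `ipv4+link-local` class already run an IPv6 stack and would configure a global address as soon as any router advertisement appears on the segment, so they belong in the inventory too.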
Implementation of IPv6 can be problematic.
But if you ignore it you will get into more trouble.