DREN IPv6 Implementation Update, Joint Techs Workshop

DREN IPv6 Implementation Update
Joint Techs Workshop, Feb 2006, Albuquerque, NM
Ron Broersma, DREN Chief Engineer
High Performance Computing Modernization Program
ron@hpcmo.hpc.mil
6-Feb-2006 DREN IPv6 Update

Previously…
• DREN …
  – is DoD’s network for the RDT&E community
  – also serves as the DoD IPv6 “pilot” network
  – operates 2 IPv6 wide area networks (testbed, production)
• IPv6 approach
  – Push “I believe” button and see what works.
  – Do it in a production environment.
  – Researchers & developers need it now, even if others don’t.

DREN IPv6 Pilot Status

Report on some current efforts
• Performance
• Security
• IPv6 Multicast

Performance
• Monitoring TCP performance between some high-end sites.
  – Using nuttcp, 9K MTU, Linux 2.4.26-web100 kernel
• Observations
  – RTT nearly identical between v4 and v6
  – TCP jumbo between ARL and ASC fails.
  – One or more paths demonstrated near line rate performance for both v4 and v6
  – In some cases, v4 appeared more robust. Reasons unknown.
• See http://www.wcisd.hpc.mil/~phil/ipv6

Performance, cont’d
The above graphs show TCP throughput second by second for the 20 second tests for IPv4 and IPv6. Colors may not be the same between the windows because some IPv6 tests are missing (due to filter problems). The first second or two are usually TCP slow start followed by equilibrium. The 1 Gbps and OC12 line rate tests stand out. Also clear from these graphs is the greater stability or robustness of IPv4 over IPv6 on some paths. The reason(s) for this are TBD. It could be from the Linux IPv6 implementation, or from hardware along the path.

Security
• Independent security review contracted to SAIC
  – Final draft due this week.
  – Summary:
    • protocol is no less secure than v4
    • mobility is scary
    • multicast is still spoofable
    • ND – spoofable, but no exploits found yet
    • Windows – ack’s things twice in all v6 TCP streams???
    • router renumbering – can spoof – possible DoS
    • landv6 attack works, but doesn’t crash machine

S/DREN
• Secret/DREN (S/DREN)
  – A small overlay of the DREN network.
    • Classified computers behind hardware encryptors.
    • Designed, equipment in hand, beginning implementation.
  – Addressing challenges.
  – Current hardware encryptors are not IPv6 capable.
    • Add tunnel broker.
  – Early real world testing of next generation IPv6 capable hardware encryptors.

IPv6 multicast
• Focus: get DREN backbones fully ipv6-multicast enabled.
• Status (work in progress)
  – Testbed – fully operational
    • PIMv2, MLDv2, SSM, ASM, static RP, Embedded-RP
    • Peering with m6bone
  – Production – operational
    • routers all upgraded to JunOS 7.2
    • PIMv2, MLDv2, SSM, ASM, some Embedded-RP
  – Beacon – operational (dbeacon)
    • ASM and SSM, using Embedded-RP group address
    • Linux 2.6.11, Linux 2.4, Solaris 10
    • Cisco (testbed), Juniper (DREN production), Juniper (site), Foundry BI (site) – simulating cross-domain interaction
  – Test environment
[Diagram: “Test Environment”. Labels: Linux (beacon), Testbed, SSCSD, m6bone, sdp.sandiego, Linux, Juniper, Production, Cisco, Solaris, sdp, Juniper, Site, Juniper, Foundry, Linux]

DREN

IPv6 Multicast
• Some Issues
  – Foundry – no MLDv2, but coming soon.
  – Juniper – MLDv2 implementation fundamentally incompatible with modern Linux implementations.
    • A fix is “not yet on the product roadmap”
  – no MLDv2 in WinXP, broken in old Linux, Solaris.
• Working on…
  – IP ViPr implementation
  – Pressuring the vendors to implement needed features

Backup

DREN “production” network

DRENv6 “testbed” Logical Topology
[Diagram. Legend: ATM PVC (OC-3); tunnel; IXP; Core Router; ISP or BGP Neighbor; “site”. Labels: Cisco, AIX-v6, C&W, Global Crossing, LAVAnet, 6TAP, Abilene, FIX-West, Hurricane Electric, Abilene, TIC, NTTCom Verio, WPAFB Dayton, ARL, JITC, HP San Diego, WCISD, SD-NAP, SDSC San Diego, Aberdeen, Tunnel broker, AOL, Wash D.C., HICv6, NRL, Vicksburg, (Hawaii), SSAPAC, SPRINT, Albuquerque, AFRL Kirtland AFB, SSC Charleston, ERDC, Stennis, NAVO, vBNS+]

DREN IPv6 transition architecture – FY04
[Diagram. Annotations:]
• To 6bone, Abilene, and other IPv6 enabled ISPs
• IPv6 demonstrations (Moonv6)
• links run native IPv6 where possible, otherwise tunnelled in IPv4
• DRENv6 (Testbed): Native IPv6 backbone (SSCSD, ARL-APG, ERDC)
• Testbed at DREN site
• v6 ACL and NIDSv6 at sdp.sandiego, sdp.erdc, sdp.arlapg
• DREN2 (Production / Pilot): Dual stack IPv4 and IPv6 wide area infrastructure
• Goal: As secure as the IPv4 backbone
• Type “A” (IP) production service to DREN sites
• IPv4 and IPv6 provided over the same interface