DREN IPv6 Implementation Update, Joint Techs Workshop


DREN IPv6 Implementation Update
Joint Techs Workshop, July 2005, Vancouver, BC, Canada
Ron Broersma, DREN Chief Engineer, High Performance Computing Modernization Program, ron@spawar.navy.mil
18-Jul-05 DREN IPv6 Update 1


Introduction
• DREN is DoD’s network serving the RDT&E community
• It serves as the DoD IPv6 “pilot” network.
• DREN operates 2 IPv6 wide area networks
  – Testbed
    • Dedicated Cisco routers
    • ATM PVC mesh
  – Production
    • Dual stack production backbone
    • Juniper routers

DREN “production” network (network map slide)


DRENv6 “testbed” Logical Topology (diagram)
Legend: ATM PVC (OC-3), tunnel, v.BNS+, IXP, Core Router, ISP or BGP Neighbor, “site”.
Nodes shown: Cisco AIX-v6, C&W, Global Crossing, LAVAnet, 6TAP, Abilene, FIX-West, Hurricane Electric, Abilene TIC, NTTCom, Verio, WPAFB Dayton, ARL, JITC, HP San Diego, WCISD, SD-NAP, SDSC San Diego, Aberdeen, Tunnel broker, AOL, Wash D.C., HICv6, NRL, Vicksburg (Hawaii), SSAPAC, SPRINT, Albuquerque, AFRL Kirtland AFB, SSC Charleston, ERDC, Stennis, NAVO.


DREN IPv6 transition architecture – FY04 (diagram)
• To 6bone, Abilene, and other IPv6 enabled ISPs; IPv6 demonstrations (Moonv6)
• Links run native IPv6 where possible, otherwise tunnelled in IPv4
• DRENv6 (Testbed): native IPv6 backbone; testbed at DREN sites SSCSD, ARL-APG and ERDC, each behind a v6 ACL and NIDSv6 (sdp.sandiego, sdp.erdc, sdp.arlapg)
• DREN2 (Production / Pilot): dual stack IPv4 and IPv6 wide area infrastructure; Type “A” (IP) production service to DREN sites, IPv4 and IPv6 provided over the same interface (sdp)
• Goal: as secure as the IPv4 backbone


DREN IPv6 philosophy
• Push the “I believe” button, and turn on IPv6 everywhere to see what works (and what doesn’t)
• Do it in a production environment – can get away with this in an R&D environment, but not on operational networks.
• Go native. (no tunnels)
• Even if the world doesn’t convert for years, R&D environments need it now.
• Figure out how to deploy IPv6 to the rest of DoD in the future.


Report on some current efforts
• Security
• IPv6 Multicast
• DHCPv6/DNS


Security
• Reported previously
  – many security features missing in implementations
    • IPsec, ACLs, etc.
  – many security products don’t do IPv6
    • firewalls, IDS, scanners, etc.
• Update
  – snort-2.3.3 upgraded to IPv6 by DREN
    • in production as part of DREN’s IDS
  – giving up on Juniper IPv6 port-mirroring
    • installing Foundry switches at exchanges
  – independent security review contracted to SAIC
    • report due Oct ’05


Independent Security Review
• Reviewing…
  – protocol stack maturity
  – tool maturity
• Analyzing…
  – v6 versions of all v4 attacks
  – packets emitted on boot, as well as other traffic and interactions
  – how things behave with strange packets
• So far…
  – protocol is no less secure than v4
  – mobility is scary
  – multicast is still spoofable
  – ND – spoofable, but no exploits found yet
  – Windows – ack’s things twice in all v6 TCP streams???
  – router renumbering – can spoof – possible DoS
  – landv6 attack works, but doesn’t crash machine
• Good stuff…
  – ethereal – excellent v6 parsing
  – scapy – great packet hacking tool, supports v6


IPv6 multicast
• Focus: get DREN backbones fully IPv6 multicast enabled.
• Status (work in progress)
  – Testbed – fully operational
    • PIMv2, MLDv2, SSM, ASM, static RP, embedded-RP
  – Production – operational
    • routers all upgraded to JunOS 7.2
    • PIMv2, MLDv2, SSM, ASM, some embedded-RP
    • ASM and SSM, using embedded-RP group address
  – Test environment – simulating cross-domain interaction
  – Beacon – operational (dbeacon)
    • Linux 2.6.11, Linux 2.4, Solaris 10
    • Cisco (testbed), Juniper (DREN production), Juniper (site), Foundry BI (site)
Diagram labels: Test Environment (Linux), Testbed (Cisco), Production (Juniper), SSCSD, sdp.sandiego, Site (Juniper, Foundry), beacon (Linux, Solaris).


IPv6 Multicast
• Learned:
  – lots of good work already done by folks at m6bone
  – ssmping – great test/debug tool
    • server (source) doesn’t need MLDv2, only receivers
  – dbeacon – new beacon software
  – notion of multicast/PIM domains blurred or gone.
    • use embedded-RP for cross-domain ASM
  – embedded-RP works great
    • Cisco – enabled by default
    • Juniper – disabled by default (surprise) – needs to be enabled on all routers between the RP and potential receivers.
• Some Issues
  – Foundry – no MLDv2 yet
  – no MLDv2 in WinXP, broken in old Linux, Solaris.
• To Do:
  – test beyond DREN (Abilene? m6bone?)
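Embedded-RP (RFC 3956) is what lets cross-domain ASM work without any RP configuration: every PIM router on the path from the RP to the receivers must decode the RP address from the group address itself, which is why the Juniper default of leaving it disabled breaks forwarding. As an added example (not from the slides or from DREN), the decoder below derives the RP the way a router would, and can be used to check that a group address a site plans to use really is a valid embedded-RP group; the sample group addresses and RPs are constructed.

```python
import ipaddress

def derive_embedded_rp(group: str) -> dict:
    """Decode an RFC 3956 embedded-RP IPv6 multicast group address.

    Layout: FF | 0RPT flags | scope | rsvd(4) | RIID(4) | plen(8) |
            64-bit network prefix | 32-bit group ID.
    Returns scope, RIID, prefix length, group ID and the derived RP address.
    Raises ValueError if the address is not a valid embedded-RP group.
    """
    b = ipaddress.IPv6Address(group).packed
    if b[0] != 0xFF:
        raise ValueError("not an IPv6 multicast address")
    flags, scope = b[1] >> 4, b[1] & 0x0F
    # flags nibble is 0RPT: R (embedded RP), P (unicast-prefix-based), T (transient);
    # all three must be set, so embedded-RP groups always fall in FF7x::/12
    if flags & 0x7 != 0x7:
        raise ValueError("R, P and T flags must all be set for embedded-RP")
    rsvd, riid = b[2] >> 4, b[2] & 0x0F
    plen = b[3]
    if rsvd != 0:
        raise ValueError("reserved bits must be zero")
    if riid == 0:
        raise ValueError("RIID 0 is reserved")
    if plen == 0 or plen > 64:
        raise ValueError("prefix length must be 1..64")
    prefix = int.from_bytes(b[4:12], "big")
    # only the leading plen bits of the 64-bit prefix field are significant
    prefix &= ((1 << plen) - 1) << (64 - plen)
    # RP = network prefix, zero-filled, with RIID as the interface identifier
    rp = ipaddress.IPv6Address((prefix << 64) | riid)
    return {
        "scope": scope,
        "riid": riid,
        "plen": plen,
        "group_id": int.from_bytes(b[12:16], "big"),
        "rp": str(rp),
    }

def is_embedded_rp_group(group: str) -> bool:
    """True if the group decodes as a well-formed embedded-RP address."""
    try:
        derive_embedded_rp(group)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # constructed example: RP 2001:db8::1 (RIID 1, /64) carried in a global-scope group
    print(derive_embedded_rp("ff7e:140:2001:db8::1234"))
```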


DHCPv6/DNS
• Goal – implement a DHCPv6 environment, similar to how some sites use it in v4.
  – common practice: DHCP (v4) assigns addresses, and performs dns-update for A and PTR records. DNS master only has to trust DHCP server, not every client.
• Challenge: finding mature and complete DHCP implementation
• Testing, status
  – ISC (popular dhcp reference implementation)
    • IPv4 only
  – dhcpv6-linux
    • incomplete
    • last version 2 years ago
  – dhcpv6 (sourceforge)
    • incomplete, but works – no dns-update
    • included in Fedora Core 3 and Red Hat 4
    • tested, and appears to work. Haven’t tested dns-update (awaiting more software).
  – Lucent
    • No documentation
• Issues:
  – no dhcp client in WinXP
  – uncertainty and debate on interactions between stateless and stateful (DHCP) autoconfig.
    • M/O bits debate
    • how useful is DHCPv6, if only use might be to get DNS servers and domain?