SLIDE 1
QI Fazhi/IHEP CC
IPv6 Deployment @IHEP
QI Fazhi/ IHEP CC Fazhi.QI@ihep.ac.cn HEPiX,Beijing, October 2012
QI Fazhi/IHEP CC
2 *
- Why IPv6?
- Background & History
- Key technologies
- Deployment Principles
- Current Status
- Work Plan
IPv6 Deployment @IHEP QI Fazhi/ IHEP CC Fazhi.QI@ihep.ac.cn - - PowerPoint PPT Presentation
IPv6 Deployment @IHEP QI Fazhi/ IHEP CC Fazhi.QI@ihep.ac.cn - - PowerPoint PPT Presentation
IPv6 Deployment @IHEP QI Fazhi/ IHEP CC Fazhi.QI@ihep.ac.cn HEPiX,Beijing, October 2012 QI Fazhi IHEP CC 2 Context Why IPv6? Background & History Key technologies Deployment Principles Current Status Work Plan QI
SLIDE 2
SLIDE 3
QI Fazhi/IHEP CC
Why?
- A lot of reasons drive the deployment of IPv6
- Every one here knows about it……
- But in China, IPv6 has better available bandwidth
& free to use
SLIDE 4
QI Fazhi/IHEP CC
IPv6 in China
CNGI project approved, Leaded by National Reform and Development Committee, Started the Chinese IPv6 Network backbone deployment Chinese Government released the “Twelfth Five-Year” Development Plan for next-generation
Premier Wen Jiabao Chaired the State Council meeting to discuss how to speed up the develpoment of the China Next Generation network
The National Reform and Development Committee fund for the research of CNGI industrialization and security projects
SLIDE 5
QI Fazhi/IHEP CC
CNGI Backbone
SLIDE 6
QI Fazhi/IHEP CC
CNGI-CSTNet & CERNet
SLIDE 7
QI Fazhi/IHEP CC
IPv6 History @IHEP
- 2008
– 1Gbps IPv6 Link to CNGI, Part of IHEP endpoints support IPv6
- 2009
– IHEP started to use the IPv6 Link to do the HEP data transfer between the cooperated Universities(SDU/…)
- 2011
– IHEP DNS supports IPv6
- 2012
– Dual Stack IHEP Campus Network, 10Gbps IPv6 link CNGI(Fund from The National Reform and Development Committee ) – Associated with ChinaNet/Universities, applied the CNGI industrialization and security projects
SLIDE 8
QI Fazhi/IHEP CC
Key Technologies
- Transition
- Address assignment
- Security
SLIDE 9
QI Fazhi/IHEP CC
Transition
- Goals
– tunnel between IPv6 islands – translate between IPv4 and IPv6
- Tunnel application
- Tunnel type
– Configured tunnels
- Router to router
– Automatic tunnels
- Tunnel Brokers (RFC 3053)
– Server-based automatic tunneling
- 6to4 (RFC 3056)
– Router to router
- ISATAP (Intra-Site Automatic Tunnel
Addressing Protocol)
– Host to router, router to host – Maybe host to host
- 6over4 (RFC 2529)
– Host to router, router to host
SLIDE 10
QI Fazhi/IHEP CC
Case: IPv4 Over IPv6
- Goal
– To use the high available bandwidth
- f IPv6 in China to do the HEP data
transfer,
- Result
– Network performance: 10 times improvement
USTC IPv6 Server IHEP IPv6 Server USTC Router IHEP Router eth0 eth0 eth1 eth1 eth1 eth1 USTC IHEP IPv6 Network Link (CNGI)
SLIDE 11
QI Fazhi/IHEP CC
IP Address assignment
- Too long to remember and configure manually
- Two basic methods defined for autoconfiguration
- f IPv6 hosts:
– Stateless Autoconfiguration
- A method defined to allow a host to configure itself without help
from any other device.
- Problem: it does not supply a DNS server address.
– Stateful Autoconfiguration
- A technique where configuration information is provided to a host by
a server.
SLIDE 12
QI Fazhi/IHEP CC
DHCPv6
- The operation of DHCPv6 is similar to that of DHCPv4,
but the protocol itself has been completely rewritten.
- It is not based on the older DHCP or on BOOTP, except
in conceptual terms.
- It still uses UDP but uses
– new port numbers
- Client: 546
- Server/Relay agent: 547
– a new message format, and restructured options
- DHCPv6 is not compatible with DHCPv4 or BOOTP.
- The network switch should support dhcpv6 relay
SLIDE 13
QI Fazhi/IHEP CC
Security
- Security Zones
– Isolated physically – Different level security
- Firewall
– iptables
SLIDE 14
QI Fazhi/IHEP CC
IPv6 deployment principles @IHEP
- Dual Stack
- The same management and security policies with IPv4
– Users (IP) management – Monitoring – Access control
- Network Services
– DNS – WEB – Email – ……
- Grid & Cloud Computing
SLIDE 15
QI Fazhi/IHEP CC
User Information Management & Access Control
- Central Database – IPDB
– MAC Address is the key
- Static IP address for Users
– IPv6/IPv4 host addresses assigned by DHCPv6/DHCPv4 servers, based on the MAC address declared in the IPDB
- Central Control System
– User information management – Network devices information management – Dhcpd configuration auto-updated – Release access policies to the proper user switch
SLIDE 16
QI Fazhi/IHEP CC
Security
- ZONEs & Firewall
– Internal(Private) Network
- End-points in the offices
- The highest-level security
– To Internet: open – From Internet: Deny
– DMZ1:Special Server/User Network
- Locates in the meeting rooms and user offices
- Use the same link with private network(but isolated by VLAN with trunk)
- For video conference …….
- Can be accessed from internet and internal, but can not access internal area
– DMZ2: Public Server Network
- Locates in CC for public services(DNS/Email/……)
- Can be accessed from internet and internal with special TCP/UDP ports, but
can not access internal area
– WAN: Internet zone
- Locates in IHEP CC, no firewall policy
- Perfsonar/perfsonar1.ihep.ac.cn
SLIDE 17
QI Fazhi/IHEP CC
Security(2)
- IDS
– Tcpdump based system – Rules added based IHEP needs
- ssh port scan frequency
- Windows virus……
– Action(Send policies) to firewall system to control the network access
- Network traffic and behavior analysis
SLIDE 18
QI Fazhi/IHEP CC
Current Status
- Infrastructure deployment ✔
– All the network devices(switch/router/firewall) support IPv6
- Infrastructure Monitoring ✔
– Easy to do (all the devices are dual stack supported) – Cacti & Nagios with IPv6 patch
- User(IP) management
– The ipdb & access control system: in production – DHCPv6: on going
- DHCPv6 service is ready(running on the same server with DHCPv4)
- no perfect windows xp client for IPv6 !!!
- Most of IHEP users are Using stateless ipv6 address now, but IHEP CC users use the DHCPv6 to
achieve ipv6 address.
- Security ✔
– Firewall: in production – IDS: in production – Network traffic and user behavior analysis: on going
SLIDE 19
QI Fazhi/IHEP CC
Current Status(cont.)
- IHEP IPv6 prefixes
– 2001:cc0:2010::0/48
- globally routed, full Internet connectivity
- IPv6 User address assignment
– One IPv6 subnet per vlan, together with the IPv4 subnet. Subnet mask: /64 – For example:Vlan 32: 202.122.32.0/24 2001:cc0:2010:32::0/64
- IPv6 Network Services
– DNS: ✔ – DHCP: ✔ – NTP: ✔ – Web(partly supported) – Video webcast: on going
SLIDE 20
QI Fazhi/IHEP CC
IHEP User Access Control Procedure
Online Register
MAC/User Name/Email/Tel/Building/R
- om number/Plugin
number/……
Switch configuration updated Assign IP address
- k
IPDB
DHCP configuration updated save
Approved by Admin
Submit no
Switch information: IP/Port/Vlan/ Switch-Room/Plugin Number relationship Vlan/IP subnet/switch-port relationship IP/MAC relationship ……
SLIDE 21
QI Fazhi/IHEP CC
Current Status(cont.)
SLIDE 22
QI Fazhi/IHEP CC
Problems
- IPv6 address assignment
– DHCPv6 client for windows xp
- No enough resources and applications in the IPv6
internet world
– Most of the IHEP IPv6 traffic are video/iptv/…… – Less scientific data go through IPv6
SLIDE 23
QI Fazhi/IHEP CC
Work Plan
- Virtual Envionment (Openstack)
– Public web services running here
- IPv6 enabled in Data Area Network(testbed for Grid)
– HEPiX IPv6 Group
- HEP(BESIII/DYB Experiments) data transfer with IPv6
– In discussion
SLIDE 24
QI Fazhi/IHEP CC