
IPv6: DoD Pilot Implementation on DREN

Joint Techs Workshop

July 2004

Columbus, OH

Ron Broersma

DREN Chief Engineer

High Performance Computing Modernization Program

ron@spawar.navy.mil

IPv6: DoD Pilot - DREN

Context for this briefing
  • Historical
    • June 2003 – DoD CIO issues IPv6 transition memorandum
      • Target completion: 2008
    • July 2003 – DREN chosen as the DoD IPv6 “pilot” implementation
      • Plans to implement in 2004
  • Within DoD…
    • Each of the services (Army, Navy, Air Force) developing their own transition plans for the “operational networks”.
      • Most will not begin implementation for a year or more
      • Most will not be complete until after 2008
    • DREN is DoD’s “research network”, and is transitioning now.
      • Chartered to support the DoD HPC community, and other R&D organizations.

DREN Today
  • 10 “core nodes” on OC-48 backbone (CONUS), with extensions to Hawaii and Alaska.
    • Now updating to OC-192 (10 Gigabit)
  • About 100 sites (“Service Delivery Points”), connected at DS-3 to OC-48 rates.
  • IPv4 unicast and multicast, IPv6 unicast, and ATM services now.
  • Dual IPv6 networks (“testbed”, and “production”)
  • “jumbo-clean” (i.e. 9K MTU everywhere)
  • Multiple security levels.
    • Both unclassified and classified networks

DREN Map

DREN IPv6 History
  • 1995-2000
    • Ad-hoc tunnels, playing on 6bone.
    • Presentation at conferences
    • IPSEC (NRL)
    • Early implementations (NRL stack)
  • Jan 2001 -
    • DRENv6 “testbed”
      • Native IPv6 (no tunnels)
      • Logically separate from DREN IPv4 backbone
      • OC-3 interconnects (ATM PVC mesh)
      • 8 core nodes (Cisco routers – dedicated to IPv6)
      • Sites connect via PVCs (native IPv6), or tunnels.
      • Peering with IPv6 enabled ISPs
    • DREN sites encouraged to connect and participate in testing and experimentation. Many tests conducted, many lessons learned.
      • “If you build it, they will come”
  • 2002
    • New DREN2 backbone contract (MCI) includes IPv6
  • Jul 2003
    • Selected as DoD IPv6 “pilot” (details below)
  • Oct 2003
    • Added DRENv6 node at Ft Huachuca (TIC, JITC) for Moonv6 interconnect between DoD and Abilene (UNH)

DRENv6 “testbed” Logical Topology

[Diagram; legend: IXP, Core Router, tunnel, ATM PVC (OC-3), ISP or BGP Neighbor, “site”. Labels on the diagram: Cisco, AIX-v6, C&W, Global Crossing, 6TAP, Abilene, FIX-West, Hurricane Electric, LAVAnet, TIC, WPAFB, Dayton, NTTCom, Verio, ARL, JITC, HP, Aberdeen, Tunnel broker, WCISD, San Diego, SD-NAP, SDSC, AOL, SSC San Diego, Wash D.C., SPRINT, HICv6 (Hawaii), NRL, Vicksburg, Albuquerque, SSC Charleston, SSAPAC, ERDC, AFRL, Kirtland AFB, Stennis, vBNS+, NAVO.]

Lessons from Testbed experience (state of things 1 year ago)
  • Our customer sites find little or no incentive to run IPv6 (LAN administrator perspective).
    • There is no capability or feature of the Internet that you cannot already use today without running IPv6.
    • Turning it on brings additional complexity, and has a learning curve.
    • Users aren’t asking for IPv6.
    • There is no immediate "win" to transitioning to the new protocol.  The payoff is long-term.  External incentives will be needed to encourage near term adoption and transition.
      • “If you build it, they won’t necessarily come”
  • Many commercial security components (like Intrusion Detection Systems, Firewalls, Security Scanners, etc.) don't yet support IPv6, so it is very difficult to deploy the technology to our sensitive DoD networks in a secure fashion.

DREN as DoD IPv6 Pilot
  • DREN is in a unique position to serve as a DoD IPv6 pilot
    • Experience running IPv6 WAN.
    • R&D environment – familiar with technology insertion, and being a pioneer.
    • New contract includes IPv6 support in the WAN (we just have to turn it on).
    • Management support.
    • Have the means to deal with the challenges.

FY04 DREN IPv6 Initiative
  • DoD IPv6 Pilot network
  • Goals for 2004
    • IPv6 enabled DREN infrastructure (all Service Delivery Points, the Wide Area Network, the NOC).
    • Facilitate IPv6 deployment into infrastructure at HPC user sites and DREN user sites.
    • IPv6 enabled HPCMPO, HPCMP funded assets and services, HPCMP user community support applications, selected user application candidates.
    • Performance and Security as good as existing IPv4 service.
    • Provide product feedback, lessons learned, published via web.
  • Functional Areas in this project:
    • IP transport and infrastructure – Ron Broersma, Navy
    • Infrastructure services – Phil Dykstra, WCI
    • Network Management – Tom Kile, Army
    • Security – Doug Butler, OSD
    • Applications – Ralph McEldowney, Air Force
    • Planning for the Future – Ron Broersma, Navy
    • HPC Community Involvement – John Baird, OSD

Transition Strategy (Notional)
  • Start with core, and work out to the edge
  • Hybrid (Dual Stack) infrastructure
  • Minimize need for tunnels, translators, and other transition schemes

[Diagram: notional dual-stack topology showing several Site LANs with application (A) and server (S) hosts, the WAN (DREN), the NOC, and the Internet with an application and a server beyond it.]

Goal #1: IPv6 enabled DREN infrastructure (all Service Delivery Points, the Wide Area Network, the NOC).
  • All 100+ WAN routers (Juniper) upgraded to JunOS 6.1 to support IPv6.
    • Includes all Service Delivery Points (SDPs) and DREN Core Nodes (DCNs).
  • Connectivity to Internet (IPv6) via DREN Testbed.
  • Backbone is now IPv6 enabled and ready to bring production sites online.
    • Sites already turned up: HPCMO, SSC San Diego, ARL, NRL, ERDC, Indian Head, Quantico, Norfolk, Charleston, DREN NOC.
  • Tunnel Brokers (Hexago) for each network.
    • Testbed, DREN, S/DREN
  • Network and Users conferences are IPv6 enabled.
  • Cleanup: readdressed entire WAN to conform to new addressing plan.

Complete

Goal #2: Facilitate IPv6 deployment into infrastructure at HPC user sites and DREN user sites.
  • “Road show” to 13 sites (to date)
    • ARL, ASC, ERDC, NAVO, AHPCRC, ARSC, MHPCC, SMDC, NRL-DC, RTTC, HPCMPO, DREN NOC, HPC CERT.
  • Briefing for Executives, Management, and technical staff.
    • Get buy-in from all levels of management.
    • Incentivise sites to upgrade local infrastructure and systems.
    • Offer assistance, resources, training.
    • Establish transition team within each organization.
  • ASC went “live” on 26 June. ARL in August. Others to follow.

Complete (at HPC sites)

HPC sites being IPv6 enabled

[Map slide: sites ARSC, AHPCRC, ARL, ASC, NRL-DC, SMDC, WSMR, RTTC, SSCSD, ERDC, NAVO and MHPCC; the legend distinguishes “MSRCs”, “Allocated” DCs and “Dedicated” DCs.]

New Challenge
  • Before:
    • Little incentive to transition to IPv6
  • Now:
    • No real resistance.
    • Site visits are paying off.
  • New Problem:
    • Transition to IPv6 is just one of many new priorities (security, new systems, etc).
    • Efforts with near term return on investment (ROI) get priority. IPv6 transition has far term ROI.

Goal #3: IPv6 enabled HPCMPO, HPCMP funded assets and services, HPCMP user community support applications, selected user application candidates.

  • HPC Program office
    • done
  • HPC assets/services
    • first ones starting to go live now
  • HPC support applications
    • Kerberos – mostly complete
    • IDS – done
    • Web sites (InfoEnv, OKC) – Fall ‘04
  • User applications (mostly 3rd party)
    • Discovery process well along
    • Actual transition depends on vendor/developer
    • Recent breakthrough: FlexLM (Macrovision) committed to IPv6 support

Continuing Effort

Goal #4: Performance and Security as good as existing IPv4 service
  • Performance:
    • IPv6 performance within 0.3% of IPv4 on various stress tests.
  • Security
    • Through workarounds, we can achieve equivalent security posture.
    • Catching attacks, blocking viruses.
    • DSAWG Review: “no issues”.

Success

Performance Results
  • Phil Dykstra (on DREN2 “pilot” net):
    • “Using iperf, SSC [San Diego, CA] to ARL [Aberdeen, Maryland], MTU 9k, I get about 567 Mbps with IPv4, 565 Mbps with IPv6. So at first glance, performance seems nearly identical (minus the extra header overhead of course).”
    • Done between 2 Linux machines on opposite coasts connected to DREN OC-12 sites.
  • 10Gb-E testing at HPC Center, sending a 4 Gb/s stream from Linux with 10Gb-E NIC.
    • 3939.8044 Mbps UDP single stream (IPv4)
    • 3930.6234 Mbps UDP single stream (IPv6)

DoD Security Model
  • “Defense in Depth”
    • Protections at multiple levels
  • Problem: How to securely deploy IPv6 in DoD without these components.

[Diagram: defense-in-depth layers, from the Internet inward: IDS and ACL at the Internet edge, the WAN, then ACL, IDS and Firewall in front of the LAN, with Scanners (S) on the LAN.]

Lack of Security Features (Examples)
  • Router Access Control Lists (ACLs)
    • Juniper doesn’t support “tcp established”
  • Vulnerability Assessment (Scanners)
    • ISS doesn’t support IPv6 and has no published plans to do so.
    • NESSUS doesn’t support IPv6 (yet)
  • Intrusion Detection Systems
    • If we want IPv6 support, we have to add it ourselves.
    • Juniper port mirroring doesn’t support IPv6
  • IPSEC
    • Missing in most IPv6 implementations
    • Juniper ASPIC doesn’t support IPv6 (until much later)
  • Firewalls
    • Until recently, no production quality IPv6 support
    • Netscreen (Juniper):
      • no OSPFv3, only RIP
      • IPv6 support only available in certain products
        • High end products won’t have IPv6 support until next year.

It is crucial that IPv6 products have equivalent functionality to the IPv4 world

Overcoming the security issue (workaround)
  • Use DRENv6 testbed for transit to Internet
    • use to peer with the rest of the IPv6 enabled Internet and other testbeds
    • continue to operate as an “untrusted” IPv6 network
  • Enable IPv6 on new DREN2 (MCI) production network.
    • Dual stack everywhere.
  • Establish trusted gateways between v6 enabled DREN2 and the DRENv6 testbed
    • Upgrade HPC Network Intrusion Detection Systems (NIDS) to be v6-compliant, monitored by the HPC Computer Emergency Response Team (CERT), and install at the trusted gateways.
    • Install v6 version of standard DREN v4 Access Control Lists (ACLs) to protect pilot network to same level as IPv4 production network.
  • DREN customers receive “safe” native IPv6 service via existing service delivery point (SDP), in parallel with IPv4 service.

DREN IPv6 transition architecture – FY04

[Diagram: DRENv6 (Testbed), a native IPv6 backbone, connects to 6bone, Abilene and other IPv6 enabled ISPs and to IPv6 demonstrations (Moonv6); links run native IPv6 where possible, otherwise tunnelled in IPv4. DREN2 (Production / Pilot) is a dual stack IPv4 and IPv6 wide area infrastructure delivering Type “A” (IP) production service to DREN sites, with IPv4 and IPv6 provided over the same interface. Testbeds at the DREN sites ARL-APG, SSCSD and ERDC reach their SDPs (sdp.arlapg, sdp.sandiego, sdp.erdc) through NIDSv6 and v6 ACL gateways. Goal: as secure as the IPv4 backbone.]

Site Security Solution (Example – SPAWAR)
  • SPAWAR Intrusion Detection System (IDS) modified to support IPv6
  • Netscreen Firewall operating “beta” release with IPv6 support in parallel with production firewall.

[Diagram: the DREN2 (Pilot) WAN delivers IPv4 unicast and multicast services plus IPv6 unicast to the SPAWAR border router (Juniper M20). Behind it sit an IDS and two Netscreen firewalls (a Netscreen 500 and a Netscreen 208), one the production firewall and the other the IPv6 firewall running beta code, then a switch to the LAN. Note: Netscreen (Juniper) now has mainstream IPv6 support for some models.]

Ongoing Security Effort
  • Snort 2.0.1
    • Upgraded to IPv6 – Ken Renard
    • In production use today by HPC CERT
  • Snort 2.1.1
    • Upgraded to IPv6 and available.
    • Unable to get support included in main snort distribution.
  • IPSEC interoperability testing in Moonv6 phase II.
  • ACL and Firewall testing in next phase of Moonv6
  • LIBNIDS
    • Work underway to modify for IPv6. Available late summer.
  • Kerberos v1.3 (MIT)
    • IPv6 updates for DREN release by Ken Hornstein (NRL)
  • Working on IPv6 for…
    • DoD CAC with OpenSSL, PKI, OCSP, LDAP

Goal #5: Provide product feedback, lessons learned, published via web
  • DREN IPv6 knowledge base
    • https://kb.v6.dren.net
      • Open to all DoD (with PKI certificate)
    • Online and ready for articles
    • Initial articles published
  • Challenge: getting people to input their lessons learned.

Complete

Large projects with interest in IPv6, using DREN
  • Global Information Grid (GIG) related experiments (NRL, SPAWAR)
  • Future Combat System (FCS) (Army)
    • Existing DREN sites, plus 8 new Boeing sites
  • E10A Constellation (Air Force).
  • Fleet global unified routing architecture (Navy), FORCENET
  • Military Service Academies
    • Train future leaders to expect benefits of IPv6

Mobility Utilization
  • Transition to support future mobile soldiers: Force XXI Land Warriors

Helmet mounted computer and display systems, weapons with video imaging tied to GPS, backpacks with satellite and ground communication links, radios, 15 pounds of batteries, and more computers, all networked with other warriors and nearby tanks, helicopters, and personnel carriers

Mobility Utilization
  • Transition to support future mobile Service platforms: the Command and Control Constellation E-10A aircraft

A fully connected array of platform-, space-, and land-based sensors that use common standards and communication protocols to relay information automatically via machine-to-machine interfaces

Mobility Utilization
  • Transition to support future mobile sensor webs: blue-water and littoral sensor webs for FORCEnet


Backup

DREN performance measurement tools
  • DREN “AMP”
    • Active Performance Measurement system
    • IPv6 updates – Phil Dykstra
  • nuttcp 4.0 (NRL)
    • TCP performance tester (client/server)
    • IPv6 updates – Rob Scott (NRL)
    • ftp://ftp.lcp.nrl.navy.mil/pub/nuttcp

Addressing
  • 2001:480::/32
  • /44 reserved for each SDP
  • Sites get a /48
  • All subnets are /64
    • No tiny subnets for point-to-points
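As an added worked example (not from the deck or from DREN's own tooling), the allocation rules on this slide expressed as a small allocator and conformance check built on Python's standard ipaddress module; the 0-based SDP and site index numbering is an assumption for illustration.

```python
import ipaddress

# DREN IPv6 addressing plan from the slide: the program holds 2001:480::/32,
# reserves a /44 for each Service Delivery Point (SDP), assigns each site a /48,
# and numbers every subnet as a /64 (no tiny subnets for point-to-point links).
DREN_PREFIX = ipaddress.IPv6Network("2001:480::/32")
SDP_PREFIXLEN = 44
SITE_PREFIXLEN = 48
SUBNET_PREFIXLEN = 64


def blocks_per(parent_prefixlen, child_prefixlen):
    """How many /child blocks fit in one /parent block."""
    return 2 ** (child_prefixlen - parent_prefixlen)


def child_block(parent, new_prefixlen, index):
    """Return the index-th (0-based) /new_prefixlen block carved out of parent."""
    count = blocks_per(parent.prefixlen, new_prefixlen)
    if not 0 <= index < count:
        raise ValueError(f"index {index} out of range: {parent} holds {count} /{new_prefixlen} blocks")
    base = int(parent.network_address) + index * 2 ** (128 - new_prefixlen)
    return ipaddress.IPv6Network((base, new_prefixlen))


def sdp_block(sdp_index):
    """The /44 reserved for the sdp_index-th SDP (index numbering is assumed)."""
    return child_block(DREN_PREFIX, SDP_PREFIXLEN, sdp_index)


def site_block(sdp_index, site_index):
    """The /48 for the site_index-th site behind an SDP."""
    return child_block(sdp_block(sdp_index), SITE_PREFIXLEN, site_index)


def site_subnet(site, subnet_index):
    """The subnet_index-th /64 within a site's /48."""
    return child_block(site, SUBNET_PREFIXLEN, subnet_index)


def conforms(prefix):
    """True if prefix is a /64 inside the DREN allocation, as the plan requires."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return net.prefixlen == SUBNET_PREFIXLEN and net.subnet_of(DREN_PREFIX)


if __name__ == "__main__":
    site = site_block(1, 3)  # second SDP, fourth site behind it
    print(sdp_block(1), site, site_subnet(site, 5))
    print(conforms("2001:480:13:5::/64"), conforms("2001:480:13:5::/127"))
```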
