IPv6 Campus Deployment Panel
1 like189 views
The document provides an overview of IPv6 deployment updates at the University of Pennsylvania presented at the Internet2 Joint Techs Conference in February 2010. It discusses the current status, deployment timeline, application services, and challenges in IPv6 implementation across various campus services. Additionally, it highlights the need for better categorization of IPv6 services and the transition mechanisms used in the deployment process.
![Questions/Comments?
Shumon Huque
shuque [at] upenn.edu
34](https://image.slidesharecdn.com/ipv6-panel-151026011523-lva1-app6891/85/IPv6-Campus-Deployment-Panel-34-320.jpg)
IPv6 Campus Deployment Panel
- 1. IPv6 Campus Deployment Updates Shumon Huque University of Pennsylvania Internet2 Joint Techs Conference Salt Lake City, Utah February 1st 2010 1
- 2. Campus Deployment Updates Panel • Shumon Huque, University of Pennsylvania • Alan Whinery, University of Hawaii • Randy Bush, Internet Initiative Japan • Focus: move beyond talking about IPv6 just in the network and into applications and services also. 2
- 3. Mark Prior’s deployment survey www.mrp.net/IPv6_Survey.html 3
- 4. Web Mail DNS NTP XMPP 4
- 5. 5
- 6. More comprehensive examination Would be useful to have a more comprehensive, systematic categorization of IPv6 network & application services available and used at the campuses.What is the list of common applications? Which are IPv6 capable? Are they production or non-production? What is the scope (eg. department, entire campus, etc)? ... These panels may be one way of doing this. 6
- 7. Application Services • DNS (authoritative, recursive) • Web (HTTP) • Email (SMTP, POP, IMAP, Submission) • Time services (NTP, SNTP) • Remote Login (SSH,Telnet, ...) • Instant Messaging (XMPP, SIMPLE, ...) • VoIP (SIP or any other protocol based) • Authentication (Kerberos, PKI,Web-ISO systems ..) • Directory (LDAP, ...) 7
- 8. More Services • Address Assignment (SLAAC, stateless/stateful DHCPv6) • RA-Guard, SEND, DHCPv6 filtering • Network Management (SNMP) • Traffic accounting, characterization systems (MRTG, Arbor Peakflow, Netflow v9/IPFIX, ...) • IPsec in IPv6 • Disaster Recovery considerations 8
- 9. Middleboxes • Firewalls • IDS • VPNs • Server Load Balancers • etc 9
- 10. Transition & Coexistence Mechanisms • NAT-PT (deprecated) • NAT64, DNS64 • IVI • Dual Stack Lite • A+P 10
- 11. Multi-homing • Provider-Independent (PI, portable) address space? • Future possibilities: • SHIM6 • LISP (Locator/ID Separation Protocol) • IRTF RRG (routing research group) work 11
- 12. Network • Border, Core, Distribution, Edge, ... • Percentage of subnets/routed-interfaces • How many server & enduser subnets? • How many of those are outside central IT? • Estimated number of IPv6 capable devices connected to native IPv6 infrastructure • How much native vs tunnelled traffic 12
- 14. Documentation • http://www.upenn.edu/computing/ipv6/ • Penn IPv6 Deployment Strategy paper: • http://www.upenn.edu/computing/ipv6/ strategy.html 14
- 15. Penn Deployment Timeline • Initial deployment began in our GigaPoP, MAGPI (late 2002) • Penn campus deployment began 2005 • Work ongoing (of course) 15
- 16. MAGPI GigaPoP • PA Address space from Internet2 /40 • Routing: IS-IS, MBGP-4 • Stateless Address Autoconfiguration • Services: DNS, NTP, SSH,Web • Multicast (work in progress) • Provides IPv6 to UPenn, Princeton, NJEdge 16
- 17. University campus • Production deployment began 2005 • Started with PA space delegated from MAGPI (2001:468:1802::/48) • Later obtained PI space from ARIN - 2607:f470::/32 • Renumbering still in progress 17
- 18. Campus Network • Routing: IS-IS, M-BGP4 • Border, core, & many distribution routers • Growing # of enduser & server subnets • All campus subnets by the end of FY’11? • Engineering School: almost all subnets • drivers: teaching & research; eliminate tunnels 18
- 19. External connectivity • Singly homed today via MAGPI and Internet2 • 2 Commercial ISPs: Level-3 & Cogent • examining IPv6 options through them • Level3:“beta” tunneled IPv6 service today, “limited” (?) native service at end of 1Q • Cogent: native or tunneled service today, depending on location & connection type 19
- 20. Address Assignment • Servers: static addresses • Endstations • Stateless autoconfig (mainly) • DHCPv6 (planning) 20
- 21. Application Services • Campus Wide Production Services: • DNS • NTP • Jabber (XMPP) 21
- 22. DNS • Authoritative DNS - ISC BIND • Campus resolver - ISC BIND • DNS Content Management system • Homegrown, custom protocol • Supports AAAA and v6 PTR records 22
- 23. Authoritative DNS $ dig @192.5.6.30 +norecurse www.upenn.edu a ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1895 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 6 ;; AUTHORITY SECTION: upenn.edu. 172800 IN NS dns1.udel.edu. upenn.edu. 172800 IN NS dns2.udel.edu. upenn.edu. 172800 IN NS noc2.dccs.upenn.edu. upenn.edu. 172800 IN NS noc3.dccs.upenn.edu. ;; ADDITIONAL SECTION: dns1.udel.edu. 172800 IN A 128.175.13.16 dns2.udel.edu. 172800 IN A 128.175.13.17 noc2.dccs.upenn.edu. 172800 IN A 128.91.254.1 noc2.dccs.upenn.edu. 172800 IN AAAA 2001:468:1802:102::805b:fe01 noc3.dccs.upenn.edu. 172800 IN A 128.91.251.158 noc3.dccs.upenn.edu. 172800 IN AAAA 2607:f470:1003::3:3 Looking at upenn.edu referral answer from EDU nameservers referralglue 23
- 24. DNS resolver service • IPv6 capable campus recursive resolvers available, but ... • No easy way to distribute them (don’t do DHCPv6 yet, and not all clients can even do DHCPv6, like Mac OS X) • If someone asks, we tell them, and they manually configure the addresses 24
- 25. Application Services • Services posing impediments: • Web (Akamai)* • E-mail (Message Labs/Symantec) *Disclaimer: I wasn’t involved in Akamaizing the Penn website, and this is probably not the place to discuss the topic of whether querier-specific DNS responses are good or evil, so I’m not going to do that (today). 25
- 26. Web ;; QUESTION SECTION: ;www.upenn.edu.!! ! IN!A ;; ANSWER SECTION: www.upenn.edu.! ! 300!IN!CNAME! www.upenn.edu.edgesuite.net. www.upenn.edu.edgesuite.net. 19482 IN! CNAME! a536.g.akamai.net. a536.g.akamai.net.! 20! IN! A! 128.91.34.234 a536.g.akamai.net.! 20! IN! A! 128.91.34.233 Penn website via Akamai IPv4, as viewed from Penn Penn-campus Akamai nodes, located on IPv6 capable network, so IPv6 possible in theory. 26
- 27. Web ;; QUESTION SECTION: ;www.upenn.edu.!! ! IN!AAAA ;; ANSWER SECTION: www.upenn.edu.! ! 300!IN!CNAME! www.upenn.edu.edgesuite.net. www.upenn.edu.edgesuite.net. 19482 IN! CNAME! a536.g.akamai.net. Penn website IPv6 view, via Akamai: We had been talking privately with Akamai about a possible trial IPv6 on the Penn campus Akamai nodes. But latest answer (1/28): “No IPv6 rollout plan in the immediate future. However, we’d be glad to work with you in rolling out IPv6 when we start the phased rollout”. No address records returned. No official IPv6 plans have been announced by Akamai. 27
- 28. E-mail • Central mail service uses Message Labs • inbound/outbound virus scanning, and SPAM scoring • from our Message Labs rep: “IPv6 is not currently on our roadmap” (June 2009) • Mail access/submission? (IMAP, POP, webmail)? • we might start with these first 28
- 29. Application Services • Kerberos • RADIUS • CoSign/Shibboleth (Web ISO, federation) • LDAP 29
- 30. Kerberos • Server implementation: MIT Kerberos • Production server names not yet IPv6 addressable • We do have IPv6 specific server names • kerberos{1,2,3}.ipv6.upenn.edu • Users can manually install client side configuration files that use them 30
- 31. CoSign • Web ISO system (umich, weblogin.org) • Login server support not there yet • Web application servers can be deployed on IPv6 and will be able to authenticate users with CoSign • Our Shibboleth deployment uses CoSign as IDP (bottleneck) - I’ve heard other work is needed to support it. 31
- 32. IPv6-IPv4 Transition • Trial deployment of DualStack Lite on campus, with Comcast & Engineering school faculty, as an experiment/research project. • http://tools.ietf.org/html/draft-ietf-softwire-dual- stack-lite-02 • It’s more likely that Penn will deploy something like NAT64 & DNS64 though, ie. enable v4-only and v6-only devices to communicate. 32
- 33. 33
- 34. Questions/Comments? Shumon Huque shuque [at] upenn.edu 34