IPv6 deployment at CERN - status update - CERN, 4th of July 2013 edoardo.martelli@cern.ch CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/it
Agenda
- IPv4 depletion
- CERN IPv6 service description
- IPv6 deployment status
- Challenges ahead
- HEPiX IPv6 working group
- Conclusion
- Test drive
IPv4 depletion
World IPv4 pools status [25th June 2013]
Region: Last /8 date; Remaining /8 (16M)
- Asia-Pacific: 19-Apr 2011; 0.8562
- Europe: 14-Sep-2012; 0.8892
- North America: 14-Apr-2014; 2.1557
- South America: 05-Aug-2014; 2.3016
- Africa: 24-Sep-2020; 3.7124
CERN IPv4 pools status (June 2013) [as of 25th of June 2013]
- 128.141.0.0/16 (64K) - GPN dynamics (~65% used)
- 128.142.0.0/16 (64K) - LCG statics (~41% used)
- 137.138.0.0/16 (64K) - GPN statics (~92% used)
- 188.184.0.0/17 (32K) - GPN statics (~9% used)
- 188.184.128.0/17 (32K) - LCG statics (~8% used)
- 188.185.0.0/16 (64K) - Wigner datacentre (~1% used)

CERN IPv4 pools status (Jan 2013) [as of 7th of January 2013]
- 128.141.0.0/16 (64K) - GPN dynamics (~65% used)
- 128.142.0.0/16 (64K) - LCG statics (~40% used)
- 137.138.0.0/16 (64K) - GPN statics (~92% used)
- 188.184.0.0/17 (32K) - GPN statics (~5% used)
- 188.184.128.0/17 (32K) - LCG statics (0% used)
- 188.185.0.0/16 (64K) - Wigner datacentre (0% used)
CERN IPv6 service description
CERN IPv6 service
- Dual Stack
- One IPv6 address assigned to every IPv4 one
- Performance identical to IPv4, no degradation
- Common provisioning tools for IPv4 and IPv6
- Same network services portfolio as IPv4
- Common security policies for IPv4 and IPv6
Dual stack services
- At least one IPv6 sub-prefix per physical subnet, public and/or local.
- Subnet size: /64 (i.e. 64 bits for the network address, 64 bits for the host address)
- Available host addresses per subnet: 2^64 (recommended size).
[Diagram: router and switch serving subnet 137.138.14.0/24 and 2001:1458:0201:0E00::/64, with servers and hosts attached]
IPv6 ready
The DNS device name .cern.ch will be resolved only with the IPv4 address until the user declares the device IPv6 ready in LANDB (via WEBREQ).
IPv6 ready means:
- IPv6 connectivity is OK
- all the server's applications are listening on both IPv4 and IPv6 protocols
Consequences:
- IPv6 security openings activated in the central firewall
- name.cern.ch returns IPv4 and IPv6 addresses (A and AAAA records)
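A pre-declaration check for the "IPv6 ready" criteria above, as an added example that is not part of the original slides or CERN's tooling. The IPv6 address is passed explicitly because the AAAA record is not published until the device is declared ready; the function names, the documentation-range addresses and the sample port set are assumptions, and the readiness rule is one reading of the slide.

```python
import ipaddress
import socket

# Constructed sample: (address, port) pairs that accept TCP connections.
# Addresses come from the documentation ranges, not from CERN's network.
SAMPLE_OPEN = {
    ("192.0.2.10", 22), ("2001:db8::10", 22),   # sshd on both stacks
    ("192.0.2.10", 80),                          # web server bound to IPv4 only
    ("2001:db8::10", 8080),                      # service reachable over IPv6 only
}

def tcp_probe(addr, port, timeout=2.0):
    """Return True if a TCP connection to addr:port succeeds."""
    v6 = ipaddress.ip_address(addr).version == 6
    with socket.socket(socket.AF_INET6 if v6 else socket.AF_INET,
                       socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((addr, port))
            return True
        except OSError:
            return False

def dual_stack_report(v4_addr, v6_addr, ports, probe=tcp_probe):
    """Classify each port by the stacks on which it answers."""
    if ipaddress.ip_address(v4_addr).version != 4:
        raise ValueError("v4_addr must be an IPv4 address")
    if ipaddress.ip_address(v6_addr).version != 6:
        raise ValueError("v6_addr must be an IPv6 address")
    labels = {(True, True): "both", (True, False): "v4_only",
              (False, True): "v6_only", (False, False): "closed"}
    report = {name: [] for name in labels.values()}
    for port in sorted(set(ports)):
        report[labels[(probe(v4_addr, port), probe(v6_addr, port))]].append(port)
    # Assumed reading of the slide: ready = something answers over IPv6
    # (connectivity OK) and no service is left listening on IPv4 only.
    answered_v6 = bool(report["both"] or report["v6_only"])
    report["ipv6_ready"] = answered_v6 and not report["v4_only"]
    return report

def demo():
    """Run the check against the constructed sample instead of the network."""
    fake = lambda addr, port: (addr, port) in SAMPLE_OPEN
    return dual_stack_report("192.0.2.10", "2001:db8::10",
                             [22, 80, 443, 8080], probe=fake)

if __name__ == "__main__":
    print(demo())
```

Ports reported under v6_only deserve a review before the declaration, since the central firewall's IPv6 openings are activated once the device is marked ready.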
IPv6 deployment status
IT/CS Network services
- DNS: No DNS names for CERN IPv6 addresses
- DHCPv6 for statics: Ready
- DHCPv6 for portables: Testing
- NTP: Ready
- Internet: Ready
- Firewall: Static firewall only

IT/CS Network management
- Network database (LANDB): Ready
- IT/CS tools (CSDBWEB, cfmgr): Ready
- User web interface (WEBREQ): Testing
- SOAP interface: Testing
- Monitoring (Spectrum): Developing
Timeline
- Testing of network devices: completed
- IPv6 Testbed for CERN users: available
- New LANDB schema: in production
- Addressing plan in LANDB: in production
- Provisioning tools (cfmgr and csdbweb): ready
- User interfaces (webreq): testing
- Network configuration: ongoing
- Network services (DNS, DHCPv6...): ongoing
- User training: ongoing
- IPv6 Service ready for production in 2013
[Timeline axis: 2011Q2, 2011Q3, 2021Q1, 2012Q1, 2012Q4, Today, 2013Q4]
Latest news: check the current status at http://cern.ch/ipv6/content/implementation-plan
Challenges ahead
Opportunities...
- no more address poverty, no more fear of waste
- multiple addresses per interface, even in the same IPv6 subnet
- no IPv6 NAT (not even designed)
- Internet of things

...and challenges
- new operational issues
- new software development
- new protocols to test (DHCPv6...)
- new security threats (attacks on mixed stacks...)
- some applications don't work (AFS...)
- non-homogeneous dual-stacks (private v4 and public v6)

Lots of VMs
The current VM adoption plan will cause IPv4 depletion during 2014. Then there are two alternative options:
A) VMs with only public IPv6 addresses
+ Unlimited number of VMs
- Several applications don't run over IPv6 today (PXE, AFS, ...)
- Very few remote sites have IPv6 enabled (limited remote connectivity)
+ Will push IPv6 adoption in the WLCG community
B) VMs with private IPv4 and public IPv6
+ Works flawlessly inside the CERN domain
- No connectivity with remote IPv4-only hosts (NAT solutions neither supported nor recommended)
HEPiX IPv6 working group
HEPiX IPv6 Working Group
- Chairman: Dave Kelsey (RAL)
- Active members: CERN, DESY, FNAL, FZU, GARR, Glasgow, INFN, KIT, Manchester, RAL, SLAC, USLHCnet (Caltech), CMS, ALICE and LHCb
- Nearly 50 on the mailing list
- Regular video and face-to-face meetings

WG activities
- IPv6 implementation check list
- Software and tools compliance survey
- Distributed dual-stack testbed
- Security awareness
Your help is needed! Contact the WG at http://cern.ch/hepix-ipv6/contact
Conclusions
- IPv6 deployment at CERN is progressing well
- IPv6 will bring new functionalities and opportunities
- Future deployments cannot rely on large amounts of IPv4 public addresses
- Use of IPv6 in the WLCG has to start as soon as possible
More information: http://cern.ch/ipv6
Let's try
Ask ipv6@cern.ch to IPv6-enable your device

Renew the DHCP lease

    linux# dhclient -6
    linux# ifconfig
    eth0 Link encap:Ethernet HWaddr 00:22:4d:83:03:19
         inet6 addr: fe80::222:4dff:fe83:319/64 Scope:Link
         inet6 addr: 2001:1458:201:b459::100:5/64 Scope:Global

    C:\Windows>ipconfig /renew
    Ethernet adapter Local Area Connection:
       IPv6 Address. . . . . . . . . . . : 2001:1458:201:17::100:2
       Link-local IPv6 Address . . . . . : fe80::a844:b2c4:8637:5e8e%11
       Default Gateway . . . . . . . . . : fe80::215:60ff:feed:ce00%11

    /macos> sudo ifconfig en0 up
Check: http://ipv6-test.com
SixOrNot Firefox add-on
Enjoy