IPv6 investigation within Informatics George Ross


IPv6 investigation within Informatics George Ross gdmr@inf.ed.ac.uk

Overview
- We enabled IPv6 on some of our subnets
- It basically just worked
- The End
- … a bit more to it than that, of course
- Going to assume that you already know the IPv6 basics
- “Investigation” involving quite a lot of implementation

Why?
- Why might we have wanted to implement IPv6?
- Make ourselves visible to IPv6-only ISPs
- In particular: web, ssh, OpenVPN
- Allow our users to speak to IPv6-only services elsewhere
- Machines are increasingly IPv6-enabled, and if we want to set some policy we have to have the support in the network.

Development project overview
- Project started in June 2015
- … much reading, preliminary testing, internal routing, core and edge switch configuration
- Global routing enabled in February 2016
- More testing, roll-out carefully staged
- All managed staff/PG and server subnets enabled by October 2016
- 10 weeks actual effort, spread over 16 elapsed months
- http://www.dice.inf.ed.ac.uk/units/infrastructure/Projects/352-IPv6/FinalReport.html

Network
- We manage our own network (routing, switches, etc.), which made things a lot easier.
- Core uses ProCurve (now Aruba) 54xx and 3800 switches
- OSPFv3 on selected subnets
- BIRD on Linux routers
- Router Advertisement
- RA-guard on all untrusted network ports
- Biggest problem: old switches, which were missing some features or implemented some SNMP OIDs differently.

Addressing
- Everything already has a link-local address
- Most machines acquire a MAC-based SLAAC-style global IPv6 address
- We already have MAC addresses in lcfg, so it’s easy to generate DNS entries for these
- (IPv6-enabled) Client subnets: always generate both forward and reverse entries for everything which has an IPv4 address on the subnet
- Server subnets: only reverse entries by default, but managers can easily add forward entries as required
- Mechanism in place to give machines specific addresses, and add these to DNS
- 4866 A RRs, 601 AAAA RRs (excluding dhcp-*)
- (extractBySubnet and makeDNSv6 in the latest makeDNS package in lcfg svn)
- Some machines prefer to use privacy addresses (RFC4941)
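
The MAC-to-DNS step described on this slide, sketched as an added example (this is not the lcfg makeDNSv6 code). It derives the modified EUI-64 SLAAC address for each MAC and applies the slide's policy: reverse entries always, forward entries only on client subnets or by opt-in. The function names, the `forward` flag, the host inventory, `example.org` and the documentation prefix `2001:db8:0:1::/64` are all assumptions made for illustration.

```python
import ipaddress

def slaac_address(prefix, mac):
    """Modified EUI-64 address (RFC 4291, Appendix A) for a MAC in a /64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers need a /64 prefix")
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    # Flip the universal/local bit and insert ff:fe between the two halves.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return net[int.from_bytes(iid, "big")]

def dns_records(hosts, prefix, zone, subnet_type):
    """PTR for every host; AAAA only on client subnets or where a server's
    manager has opted in with forward=True (hypothetical flag)."""
    records = []
    for host in hosts:
        addr = slaac_address(prefix, host["mac"])
        fqdn = f"{host['name']}.{zone}."
        records.append(f"{addr.reverse_pointer}. IN PTR {fqdn}")
        if subnet_type == "client" or host.get("forward"):
            records.append(f"{fqdn} IN AAAA {addr}")
    return records

# Constructed inventory: names, MACs and the documentation prefix are made up.
HOSTS = [
    {"name": "alpha", "mac": "00:16:3e:12:34:56"},
    {"name": "beta", "mac": "00:16:3e:ab:cd:ef", "forward": True},
]

if __name__ == "__main__":
    for line in dns_records(HOSTS, "2001:db8:0:1::/64", "example.org", "server"):
        print(line)
```

Machines that use privacy addresses (RFC4941) source traffic from addresses this derivation does not predict, so the generated reverse entries will not cover them.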

Address use auditing
- We use arpwatch for IPv4
- Decided on addrwatch for IPv6
- Doesn’t send emails (so we’re actually now using both for IPv4)
- Logs all ARP and ND, rather than trying to keep a “current mapping”
- Logs are copious, so we consolidate them nightly
- Address-search tools enhanced to use both
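
A sketch of the nightly consolidation and address search mentioned on this slide, added here as an example and not taken from the Informatics tooling. It collapses per-packet ARP/ND events into one first-seen/last-seen record per (IP, MAC) pairing and reports addresses claimed by more than one MAC. The six-field log layout (timestamp, interface, VLAN, MAC, IP, packet type), the sample lines and the function names are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the assumed addrwatch text layout:
# timestamp interface vlan mac ip packet_type
SAMPLE_LOG = """\
1474880400 eth0 0 00:16:3e:12:34:56 2001:db8:0:1:216:3eff:fe12:3456 ND_NS
1474880405 eth0 0 00:16:3e:12:34:56 192.0.2.10 ARP_REQ
1474880460 eth0 0 00:16:3E:12:34:56 2001:DB8:0:1:216:3EFF:FE12:3456 ND_NA
1474881000 eth0 0 00:16:3e:aa:bb:cc 192.0.2.10 ARP_REP
1474882000 eth0 0 00:16:3e:aa:bb:cc 2001:db8:0:1:d9c4:7e21:5a0f:13b2 ND_NS
1474884000 eth0 0 00:16:3e:12:34:56 2001:db8:0:1:216:3eff:fe12:3456 ND_NS
truncated line
"""

def consolidate(lines):
    """Collapse per-packet events into one record per (ip, mac) pairing."""
    seen = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed or truncated lines
        try:
            ts = int(parts[0])
            ip = str(ipaddress.ip_address(parts[4]))  # canonical text form
        except ValueError:
            continue
        key = (ip, parts[3].lower())
        rec = seen.setdefault(key, {"first": ts, "last": ts, "count": 0})
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
        rec["count"] += 1
    return seen

def multi_mac_addresses(seen):
    """Addresses claimed by more than one MAC in the period."""
    by_ip = defaultdict(set)
    for ip, mac in seen:
        by_ip[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in by_ip.items() if len(macs) > 1}

def search(seen, term):
    """Address search: every pairing whose IP or MAC equals the term."""
    term = term.lower()
    return sorted(key for key in seen if term in key)
```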

iptables
- lcfg-iptables already had IPv6 support
- Some rule fragment-files were IPv4-only
- Rule-generating scripts needed to be told how to handle IPv6
- We now automatically handle edge-holes where a DNS name has an AAAA RR, just as we do for IPv4 A RRs
- At last count we had 5379 IPv4 rules and 545 IPv6 rules

Linux summary
- Surprisingly few problems
- Most things just worked
- IPv6 is preferred over IPv4 where possible (RFC6724)
- We didn’t have to make any gai.conf changes for IPv6
- ssh and svn need the -4 flag to force IPv4 for a few cases
- No user feedback at all, so presumably it hasn’t broken anything for them

Windows and Macs
- We didn’t really try these in earnest
- Initial tests with the Windows 7 managed desktop showed some IPv4 DHCP oddities when IPv6 was enabled on the subnet
- Might be fixed with Windows 10, but we haven’t tried that
- Meantime, we have all of our Windows managed desktops on their own non-IPv6 subnets
- Macs appear to just work

OpenVPN
- Our test, DR and AT service endpoints are handing out IPv6 tunnel addresses alongside IPv4
- Won’t be routed through unless client-end configuration has it enabled
- … but works perfectly in tests
- IPv6 endpoint addresses work too
- Unfortunately, dual-stack endpoints don’t appear to work, even on SL7

Access control
- BEWARE!
- Some systems (e.g. ProCurve / Aruba switches) allow free access from IPv6 addresses unless an IPv6 access control list is explicitly provided
- Others default to closed unless IPv6 access is explicitly enabled (much more sensible!)
- If you advertise an IPv6 address, machines out there will expect to be able to use it just as they would your IPv4 address
- Moral of the story: check what your applications really do
- (That’s why we don’t automatically add forward IPv6 DNS entries for server subnets)
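
One way to check a Linux host for the default-open condition this slide warns about, added here as an example and not part of the original talk or of lcfg-iptables. It compares saved IPv4 and IPv6 rule sets for the filter INPUT chain and reports an IPv6 chain that accepts by default, plus TCP ports allowed in one family but not the other. The rule text is constructed in iptables-save style, and the function names are assumptions.

```python
import re

# Constructed iptables-save / ip6tables-save output for one host.
V4_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""
V6_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
"""

def parse_input_chain(save_text):
    """Return (default_open, accepted_tcp_ports) for the filter INPUT chain."""
    policy, ports, catch_all, table = "ACCEPT", set(), False, None
    for line in map(str.strip, save_text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif table != "filter":
            continue
        elif line.startswith(":INPUT "):
            policy = line.split()[1]
        elif re.fullmatch(r"-A INPUT -j (DROP|REJECT)( --reject-with \S+)?", line):
            catch_all = True
        elif m := re.fullmatch(r"-A INPUT .*-p tcp .*--dport (\d+) .*-j ACCEPT", line):
            ports.add(int(m.group(1)))  # source restrictions (-s) are ignored
    return policy == "ACCEPT" and not catch_all, ports

def compare(v4_text, v6_text):
    """Flag a default-open IPv6 chain and TCP ports that differ by family."""
    _, v4_ports = parse_input_chain(v4_text)
    v6_open, v6_ports = parse_input_chain(v6_text)
    return {"v6_default_open": v6_open,
            "v6_only": sorted(v6_ports - v4_ports),
            "v4_only": sorted(v4_ports - v6_ports)}
```

On the constructed sample, `compare(V4_RULES, V6_RULES)` reports a default-open IPv6 chain, port 8080 reachable only over IPv6, and port 443 allowed only over IPv4.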

Other issues
- Address-based authentication to some sites (e.g. IEEExplore) broke until IS got the University’s IPv6 block added to the necessary lists
- Our central-firewall settings disappeared after an upgrade (IPv6 is now on the checklist)

Where next?
- Will enable IPv6 for the student labs after we return to Appleton Tower (400+ more machines)
- Need to look at DHCPv6
- Edge-switch upgrade for the Forum, which will enable RA-guard throughout
- Roll out to self-managed subnets

Summary
- For managed Linux machines within Informatics, IPv6 is now as well supported as IPv4
- You may already be using it, even if you don’t mean to (so turn on RA-guard everywhere, just in case)
- When buying, make sure you specify “proper” IPv6 support now, even if you don’t intend using it immediately. Old models may have issues.
- Check your access control lists!