The HEPiX IPv6 Working Group David Kelsey GridPP29, Oxford 27 Sep 2012

Outline IPv4 status The HEPiX IPv6 Working Group IPv6 testbed and testing WLCG software and tools IPv6 survey Future plans GridPP & IPv6 First presentation on this to GridPP – UK HEP SYSMAN talk last year 27/9/122HEPiX IPv6

IPv4 Addresses From Geoff Huston ( ) IANA Unallocated Address Pool (Global) Exhaustion happened:03-Feb-2011 Projected Regional (RIR) Address Pool Exhaustion Dates: – APNIC: 19-Apr-2011 (Asia Pacific - happened) – RIPENCC: 14-Sep-2012 (Europe - happened) – ARIN: 15-Aug-2013 (North America) – LACNIC: 21-May-2015 (South America) – AFRINIC: 22-Nov-2019 (Africa) 27/9/12HEPiX IPv63

HEPiX IPv6 Working Group Created in April 2011 with aims: Consider whether/how IPv6 should be deployed in HEP – especially WLCG (Worldwide Large Hadron Collider Grid) Readiness and Gap analysis HEP applications, middleware, security issues, system management and monitoring tools, end to end network monitoring tools Run a distributed HEP testbed – to help explore all the above issues We meet face to face 3 or 4 times a year – And by video conference in between 27/9/124HEPiX IPv6

IPv6 Testbed and testing We have deployed a distributed testbed – CERN, DESY, FZU, GARR, INFN, KIT and USLHCnet Connected to IPv6 and IPv4 networks – IPv6-only/IPv4-only names also registered in DNS – e.g. hepix-v6.desy.de & hepix-v4.desy.de A perl script (on wiki) validates configuration – Checks all DNS entries – runs ping and ping6 to all nodes 23 May20125TNC2012, Kelsey, HEP IPv6

Tests for IPv6 Does the service break/slow down when used with IPv4 on a dual-stack host with IPv6 enabled ? Will the service try using (connecting/binding to) an IPv6 address (AAAA record), when available from DNS ? Will the service prefer IPv6 addresses from DNS, when preferred at the host level ? Does this need to be configured ? How ? Can the service be persuaded to fall back to IPv4 if needed ? 27/9/12HEPiX IPv66

Data transfer tests Virtual Organisation – ipv6.hepix.org We have successfully installed and tested GridFTP clients and servers on all nodes Full mesh of data transfers (globus_url_copy) – Tested and works CMS members of the working group – Performing continuous data transfers between pairs of nodes 23 May2012TNC2012, Kelsey, HEP IPv67

8 The CMS file transfer tests - Reliability test - not a stress/performance test - Single 2000 MB file from IPv6 VM at CERN transfered to 4 systems - globus_url_copy and uberftp to confirm file arrived then delete - Tests have been running since February Statistics since April/May 2012: Site#_of_transfers Failed_transf. Average_duration Duration_range DESY (3.3 %) 66s (~30 MB/s) s Gridka (3.7 %) 130s (~15 MB/s) s INFN (3.3 %) 66s (~30 MB/s) s Uslhcnet (2.2 %) 81s (~25 MB/s) s Can still conclude: no show-stoppers. CMS PhEDEx should work. Note: Failure rate increased after installation of new firewall at CERN – reasons still not understood 23 May2012TNC2012, Kelsey, HEP IPv68

File Transfer Service (FTS) An interesting example of “IPv6-ready” middleware Functional IPv6 support in a software component does not imply that IPv6 transport is enabled by default This is hard to capture in either a survey or by automated code-checking tools 23 May2012TNC2012, Kelsey, HEP IPv69

FTS (2) gSOAP supports IPv6 – on TCP since version 2.5 (2005) – on UDP since version (still 2005) BUT compiled without the “WITH_IPv6” flag Oracle IPv6-enabled from version 11g rel 2 – but FTS transfer agent libraries in EMI-1 still carry a hard dependency on Oracle V10 Transfer agents (Tomcat/Axis servlets) can be invoked on dual stack hosts and from dual stack clients – but ‘urlcopy’ agent still uses IPv4 for file transfer As in the globus-url-copy command, IPv6 resolution in the Globus FTP client needs to be explicitly enabled 23 May2012TNC2012, Kelsey, HEP IPv610

Data tests – summer 2012 Several FTS channels defined and used over IPv6 Successfully installed IPv6 DPM on several nodes Successfully transferred data to a dual-stack DPM server over IPv6 27/9/12HEPiX IPv611

IPv6 problems found OpenAFS, dCache, UberFTP FTS & globus_url_copy MyProxy ISC dhcp on Scientific Linux (Red Hat like) v5 ARNES/Slovenia – EGI testing – No LRMS system works (ARC) – SLURM, Torque, PBS, … Many IGTF CA CRLs not available on IPv6 Work ongoing! 23 May2012TNC2012, Kelsey, HEP IPv612

Managing IPv6 at large sites Best practices are still far from clear! Large sites (e.g. CERN and DESY) wish to manage the allocation of addresses – Do not like autoconfiguration (SLAAC) Wish to filter out Router Advertisements DHCPv6 very attractive – BUT IETF still discussing – Will the ‘route’ options be there or not? 23 May2012TNC2012, Kelsey, HEP IPv613

Software & Tools IPv6 Survey An “Asset” survey is underway (BUT SLOW!) – A spreadsheet to be completed by sites and the LHC experiments – Includes all applications, middleware and tools – Tickets to be entered for all problems found If IPv6-readiness is known, can be recorded Otherwise we will need to investigate further – Ask developer and/or supplier – Scan source code or look for network calls while running – Test the running application under dual stack conditions 27/9/1214HEPiX IPv6

IPv6 security Are operational security teams ready for IPv6? No! Challenges include – Address format has multiple forms, many addresses per host and addresses difficult to remember – IPv6 standards contain many suggestions - implementation optional – Required security features, like RAGuard and SEND, are a long way from full deployment – Incomplete and immature implementations – Many vulnerabilities expected – Log parsing tools must all change – Dual stack and tunnels cause problems – e.g. packet inspection Must test that things which are not supposed to work do not 23 May2012TNC2012, Kelsey, HEP IPv615

Future plans Performing a WLCG/HEP site readiness survey now Continue asset survey and testbed/testing Now merging more with EGI testbed – Common BDII – but separate VOs – EGI is testing WMS and batch systems Review status at end of 2012 Produce plans for LS1 and/or later Need to perform tests on the production infrastructure – involve WLCG Tier 1 centres Plan several HEP IPv6 “Days” (for LS1?) – turn on dual stack for 24 hours on production infrastructure and test/observe Earliest date for production support of IPv6-only systems is (currently) Jan May201216TNC2012, Kelsey, HEP IPv6

GridPP & IPv6? !st priority – Glasgow and Manchester to join testbed We need IPv6 at RAL (to join testbed) Would be good to get the UK Tier 1 involved Other UK sites? – Please reply to the site survey – Try some GridPP testing in 2013? 27/9/12HEPiX IPv617

Further info HEPiX IPv6 wiki Working group meetings 27/9/12HEPiX IPv618

For info - EGEE IPv6 tools Presented at several conferences in 2010 Source code checker – A bash script looking for non compliant function calls and address data structures Dynamic Code Checker (IPV6 CARE tool) – A tool based on the LD_PRELOAD mechanism to intercept calls to non compliant functions in the dynamically linked libraries Analysis of all gLite code was performed – And code was modified to fix problems 23 May2012TNC2012, Kelsey, HEP IPv619

Summary MUCH work still to be done during the next year or three & effort is difficult to find – Further volunteers welcome to join – Please contact me not able to support IPv6-only systems in WLCG before 2014 – Decision on timetable to be made during 2013 – And needs to be jointly made with EGI, OSG etc. 27/9/12HEPiX IPv620