Performance without compromise
IPv6 solution on Juniper Networks M-series and T-series Internet routers Ahmed Gueatri
[email protected] April 2003 Copyright © 2003 Juniper Networks, Inc.
http://www.juniper.net
Agenda
IPv6 Implementation IPv6 examples and Case Studies
www.juniper.net
Apr-03
Page 1
Performance without compromise
IPv6 Qualified Router What means really Dual Stack? Addressing
& Forwarding Routing Protocols Service Richness Operational Efficiency
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
IPv4 IPv6
3
IPv6 Addressing
Dual IP addressing on the same interface Neighbor discovery ICMPv6 CE– CE–A2 CE– CE–A1
interfaces { ge-0/1/0 { unit 0 { family inet { address 157.168.0.5/24; } family inet6 { address 8028:20::1/64; } } } }
PE 2 P
P
P
P
PE 1
CE– CE–C1
PE 3 CE– CE–B3
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
www.juniper.net
4
Apr-03
Page 2
Performance without compromise
Autogeneration of EUI 64-bit Interface Addresses for IPv6
Stateless auto-configuration
Node starts by appending its interface ID (EUI-64) to the link-local network prefix, fe80::/64
Sends router solicitation
Receives prefix from router advertisement
Benefits
Simplifies host configuration
Broadens client coverage Router Solicitation via ND Host IP information configured dynamically
Router Advertisement via ND
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
5
IPv6 Qualified Router for ISPs What means really Dual Stack? Addressing
& Forwarding Routing Protocols Service Richness Operational Efficiency
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
www.juniper.net
IPv4 IPv6
6
Apr-03
Page 3
Performance without compromise
Routing Protocols
Static routing
May be used with customer sites
IGP
IPv6 unicast can be routed by RIPng, OSPFv3, or ISIS Current ISIS backbone don’t need IGP upgrade Current OSPF backbone need to:
Migrate to IS-IS Or add/deploy OSPFv3
BGP-MP
Just add the IPv6 routing in existing M-BGP set-up Can use same design Can be set-up over v4 or v6
Just add v6 routing over BGP/v4 sessions (next-hop!) Use BGP over v6 in case of IPv6 deployment in IPv4 tunnels
Separating BGP sessions for v4 and v6 may also have some advantages
Monitoring, flexibility…
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
7
Static Routing example
CE– CE–A2 CE– CE–A1 PE 2 P
P
P
P
routing-options { rib inet6.0 { static { route 8028:10::1/128 next-hop 8028:25::2; } } }
PE 1
CE– CE–C1
PE 3 CE– CE–B3
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
www.juniper.net
8
Apr-03
Page 4
Performance without compromise
RIPng Routing example
CE– CE–A2 CE– CE–A1 PE 2 P
P
P
P
protocols { ripng { group igp { neighbor ge-0/1/0.0; } } }
PE 1
CE– CE–C1
PE 3 CE– CE–B3
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
9
OSPFv3
Major changes to accommodate:
Address size
General protocol semantics
Area 1
Area 2
Addressing semantics removed from OSPF packets and LSAs
New LSAs for IPv6 addresses & prefixes
OSPF runs on per-link, not per-subnet
Flooding scope for LSAs generalized
Authentication removed
Area 3
Benefits
Other functions remain the same (e.g. SPF calculation, area support, etc.)
Familiarity - widely deployed IGP
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
www.juniper.net
AS1
AS2
10
Apr-03
Page 5
Performance without compromise
OSPFv3 example
interfaces { so-0/0/0 { unit 0 { family inet { address 10.19.6.2/24; } family inet6 { address 9009:6::2/64; } } }
CE– CE–A2 CE– CE–A1 PE 2 P
P
PE 1 so-0/0/0.0
P
P
PE 3 CE– CE–B3
CE– CE–C1 http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
lo0 { unit 0 { family inet { address 10.245.71.6/32; } family inet6 { address feee::10:255:71:6/128; } } } } protocols { ospf3 { area 0.0.0.2 { interface so-0/0/0.0; interface lo0.0 { passive; } } } } 11
External M-BGP example
interfaces { ge-0/1/0 { unit 0 { family inet { address 11.19.1.2/24; } family inet6 { address ::11.19.1.2/126; } } } } routing-options { autonomous-system 100; }
CE– CE–A2 CE– CE–A1 PE 2 P
P
P
P
PE 1 PE 3 ge-0/1/0
CE– CE–C1
CE– CE–B3
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
www.juniper.net
protocols { bgp { group ebgp_both { type external; local-address 11.19.1.2; family inet { unicast; } family inet6 { unicast; } peer-as 1; neighbor 11.19.1.1; } } }
12
Apr-03
Page 6
Performance without compromise
E-BGP Peering over IPv6 Link Local Addresses
E-BGP Peering over IPv6 LLA
BGP4+ Peering Using IPv6 Link-local Address
draft-kato-bgp-ipv6-link-local-00.txt
Allows use of link-local address for direct peering connections instead of using global addresses
E-BGP
How it works
AS1
Link local addresses can be auto-generated or manually configured
AS2
Benefits
Simpler administration
Flexibility NSPIXP6 uses link local address
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
13
Multicast Routing
Performance and scaling for IPv6 multicast clearly important
PIMv2 to support for IPv4 and IPv6
Multicast Listener Discovery (MLD) protocol to discover the presence of multicast listeners
Derived from IGMPv2 Uses ICMPv6 message type instead of IGMP message types MPDv2 is required for PIM-SSM
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
www.juniper.net
14
Apr-03
Page 7
Performance without compromise
IPv6 Qualified Router for ISPs What means really Dual Stack? Addressing
& Forwarding Routing Protocols Service Richness Operational Efficiency
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
IPv4 IPv6
15
IP Services
Routers must be able to perform intelligent IPv6 packet handling
Filtering – Selective forwarding and discarding Monitoring - Sampling, counting, logging, etc. QoS - Policing, shaping, queuing, profiling, etc. Forwarding – Directing packets based on any header information
All classification and packet handling must be done in hardware to truly minimize performance impact
IP services and performance must not be mutually exclusive
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
www.juniper.net
16
Apr-03
Page 8
Performance without compromise
IP2 Services
Filtering & Policing
Packet filtering
DoS attack prevention
Comprehensive security
E.g. Source Address Filters
Packet Forwarding
120 % 100 %
Policing
80 %
Interface-level rate limiting
E.g. Bandwidth - limits bps
E.g. Maximum burst size
60 % 40 % 20 % 0%
Increasing Number of Packet Filters
Predictable performance with rich IPv6 services
Internet Processor II ASIC CPU-based router
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
17
Filter Filter Specification Specification
IPv6 Filtering
IP-II enables significant functionality with applications to network management
Security Monitoring Accounting
filter Limit-Customer-A { policer Lim { if-exceeding { bandwidth-limit 1m; burst-size-limit 100k; } then discard; } term 1 { from { source-address { 3ffe:1002:6411::/48; } } then { policer Lim; accept; } } } Multiple rules may be specified.
Forward Compile
Silent Discard
All IPv6 Packets Handled By Router •IPv6 source address field •IPv6 destination address field •TCP/UDP source port field •TCP/UDP destination port field •Next header field •Traffic class field •Packet length •ICMP packet type and code •SourceSource-class http://www.juniper.net •DestinationDestination-class
Microcode IP-II IP-II Packet Handling Programs
TCP Reset Or ICMP Unreachable Routing Instance
Filters and route lookup are part of same program
Copyright © 2003 Juniper Networks, Inc.
www.juniper.net
Next Term
Log, syslog Count, Policer, Loss-priority, Forwarding-class
18
Apr-03
Page 9
Performance without compromise
Flexible bandwidth
3ffe:1411:2205::5
CE– CE–A2 CE– CE–A1 PE 2 P
P
P
P
PE 1
CE– CE–C1
PE 3 CE– CE–B3
firewall { family inet6 { filter LimitCE-A2{ policer LimCE-A2 { if-exceeding { bandwidth-limit 1m; burst-size-limit 100k; } then discard; } term 1 { from { source-address { 3ffe:1411:2205::/48; } } then { policer LimCE-A2; accept; } } } } }
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
19
Security
Security on routers is more important than ever
for customer and infrastructure protection
On-going DoS work in IPv4 to be extended to IPv6
Hardware-based packet handling, filtering optimize key security actions
SNMPv3 improves router authentication
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
www.juniper.net
20
Apr-03
Page 10
Performance without compromise
Source Address Verification
uRPF can be configured per-interface/sub-interface Supports both IPv4 and IPv6 Packet/Byte counters for traffic failing the uRPF check Additional filtering available for traffic failing check:
police/reject Can syslog the rejected traffic for later analysis
Two modes available:
Active-paths:
Feasible-paths:
uRPF only considers the best path toward a particular destination uRPF considers all the feasible paths. This is used where routing is asymmetrical.
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
21
Source Address Verification
3ffe:1411:2205::5
CE– CE–A2 CE– CE–A1 PE 2 P
P
3ffe:1411:2205::/48*[BGP/170] >via so-0/0/0/0.0
PE 1 so-0/0/0.0
P
P
Attack with
PE 3
Source address
ge-0/1/0
CE– CE–C1
uRPF
= 3ffe:1411:2205::5
CE– CE–B3 3ffe:1541:2305::/48
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
www.juniper.net
22
Apr-03
Page 11
Performance without compromise
Real-time DoS Identification with Destination Class Usage
CE– CE–A2
interfaces { so-2/0/1 { unit 0 { family inet6 { address feee::10:255:73:2/128; accounting { destination-class-usage; } } } } }
CE– CE–A1 PE 2 P
P
PE 1 so-0/0/0.0
P
P
policy-options { community victim members 100:100; policy-statement set-dest-class term 1 { from { protocol bgp; community victim; } then { destination-class dcu-victim; accept; } } } }
PE 3 ge-0/1/0
routing-options{ forwarding-table{ export set-dest-class; } 3ffe:1541:2305::/48 }
CE– CE–B3
CE– CE–C1 http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
23
Real-time DDoS Identification
CE– CE–A2 CE– CE–A1 PE 2 P
P
PE 1 so-0/0/0.0
P
P
PE 3 ge-0/1/0
CE– CE–C1
CE– CE–B3 3ffe:1541:2305::/48
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
www.juniper.net
24
Apr-03
Page 12
Performance without compromise
Real-time DDoS Identification
CE– CE–A2 CE– CE–A1 PE 2 P
P
PE 1 so-0/0/0.0
P
P
BGP update 3ffe:1541:2305::12/128 Community 100:100
PE 3 ge-0/1/0
CE– CE–C1
CE– CE–B3 3ffe:1541:2305::12
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
25
QoS
IPv6 header includes traffic class and flow label
Traffic class function = DSCP Largely undefined flow label identifies a traffic flow that needing special handling, I.e. voice, video, etc.
IPv6 routers must be able to use traffic class and flow label without incurring performance cost
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
www.juniper.net
26
Apr-03
Page 13
Performance without compromise
VPNs
VPNs are a valuable service Provider managed IPv4 VPN models have been successful Established VPN technologies used for IPv4 must be carried over to IPv6 Services offered as part of a VPN, I.e. QoS, will still be required for IPv6 VPN management must be able to support IPv4 and IPv6 traffic
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
27
L3 VPN over MPLS VPN A Site 1, IPv6
VPN A Site2, IPv6 VPN B Site2, IPv4
CE– CE–A2 CE– CE–A1
VPN B Site 1, IPv4
Static Routes
OSPF PE 2 Routing
P
P
CE– CE–B2
PE 1 CE– CE–B1
VPN C Site 1, IPv4
P
PE 3
P
CE– CE–A3 E-BGP
CE– CE–B3
CE– CE–C1
CE– CE–C2 VPN C Site 2, IPv4
VPN B Site3, IPv4
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
www.juniper.net
VPN A Site 3, IPv6
28
Apr-03
Page 14
Performance without compromise
IPv6 Qualified Router for ISPs What means really Dual Stack? Addressing
& Forwarding Routing Protocols Service Richness Operational Efficiency
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
IPv4 IPv6
29
Network Management
IPv6 Management must be integrated in existing management systems SNMP over v6 with IPv6 MIBs Intuitive CLI IPv6 Accounting APIs (e.g. XML) for OSS integration
Reduce latency between new vendor feature/service and OSS integration Operational efficiency hinges on OSS integration
Router operations over IPv6
telnet, ssh, ftp, ping, traceroute…
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
www.juniper.net
30
Apr-03
Page 15
Performance without compromise
Robustness and Reliability
Common support of features, services on every interface across all platforms Same approach for hardware-based packet handling as IPv4
Separation of routing and control planes Graceful restart mechanisms
Performance is critical Maintaining SLA agreement for IPv4 while operating IPv6
BGP, OSPF, IS-IS, RSVP, LDP…
Linear software releases continuity to ensure common support and evolution
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
31
Integration of non IPv6 capable routers
IPv6 in IPv4 tunnels
GRE or IP-IP Tunnels Only possible: with
performance (hardware tunneling) at small scale for manageability
Connecting IPv6 Islands with IPv4 MPLS
Requires MPLS capable routers in the core
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
www.juniper.net
32
Apr-03
Page 16
Performance without compromise
IPv6 in IPv4 tunnels
interfaces { so-0/0/0 { unit 0 { family inet { address 100.255.3.2/24; } } } gr-1/0/0 { unit 0 { tunnel { source 100.255.3.2; destination 100.255.2.1; } family inet6 { address 9009:6::2/64; } } } }
CE– CE–A2 CE– CE–A1 PE 2 P
P
Rv4
Rv4
PE 1
Rv4 100.255.2.1 P
Rv4
so-0/0/0.0
100.255.3.2
PE 3
P
CE– CE–B3
CE– CE–C1
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
33
Connecting IPv6 Islands with IPv4 MPLS (1)
IETF Draft as defined in draft-ietf-ngtrans-bgp-tunnel-
04.txt
PEs run Dual Stack MP-BGP over IPv4
Connecting IPv6 Islands across IPv4 Clouds with BGP Also known as “6PE” PE and CE exchanges IPv6 routes MPLS LDP/RSVP LSPs are set up using IPv4
Benefits
Leverages existing MPLS infrastructure Requires IPv6 support only on PE router
IPv6
IPv4
IPv6
MPLS PE2 IPv6
PE1
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
www.juniper.net
IPv6
34
Apr-03
Page 17
Performance without compromise
Connecting IPv6 Islands with IPv4 MPLS (2) interfaces {
CE– CE–A2 CE– CE–A1 PE 2 P
P
Rv4
Rv4
PE 1
Rv4 100.255.2.1 P
Rv4
so-0/0/0.0
100.255.3.2
PE 3
P
ge-0/1/0
CE– CE–B3
CE– CE–C1
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
so-0/0/0 { unit 0 { family inet { address 100.255.3.2/24; } family inet6; family mpls; } } ge-0/1/0 unit 0 { family inet6 { address 8002::1/126; } } } lo0 { unit 0 { family inet { address 10.245.71.6/32; } family mpls; } } } routing-options { autonomous-system 100; }
35
Connecting IPv6 Islands with IPv4 protocols { MPLS (3) rsvp {
CE– CE–A2 CE– CE–A1 PE 2 P
P
Rv4
Rv4
PE 1
Rv4 100.255.2.1 P
Rv4 P
so-0/0/0.0
100.255.3.2
PE 3 ge-0/1/0
CE– CE–C1
CE– CE–B3
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
www.juniper.net
interface so-0/0/0.0; } mpls { ipv6-tunneling; label-switched-path to_PE1 { to 10.245.72.6; } interface so-0/0/0.0; } bgp { group to_PE1 { type internal; local-address 10.245.71.6; family inet6 { labeled-unicast { explicit-null; } } export red-export; neighbor 10.245.72.6; } } ospf { traffic-engineering; area 0.0.0.0 { interface so-0/0/0.0; interface lo0.0 { passive; } } } 36
Apr-03
Page 18
Performance without compromise
Connecting IPv6 Islands with IPv4 MPLS (4) # protocols (next) ripng { group to_CE-B3 { export red-import; neighbor ge-0/1/0.0; } } }
CE– CE–A2 CE– CE–A1 PE 2 P
P
Rv4
Rv4
PE 1
Rv4 100.255.2.1 P
Rv4 P
so-0/0/0.0
100.255.3.2
PE 3 ge-0/1/0.0
CE– CE–C1
CE– CE–B3
policy-options { policy-statement red-export { term 1 { from protocol ripng; then accept; } term 2 { then reject; } } policy-statement red-import { from protocol bgp; then accept; } }
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
37
Agenda
IPv6 Implementation IPv6 examples and Case Studies
www.juniper.net
Apr-03
Page 19
Performance without compromise
Juniper Networks IPV6 deployment in R&E and ISPs Americas
APAC
EMEA
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
39
Case 1: direct connection to IPv4 + IPv6 services IPv6 direct peering interfaces { ge-0/1/0 { unit 0 { family inet { address 192.168.0.5/24; } family inet6 { address 8028:20::1/64; } } } so-0/0/0 { unit 0 { family inet { address 204.146.35.1/30; } family inet6 { address 8028:25::1/64; } } } lo0 { unit 0 { family inet { address 192.168.5.1/32 address 127.0.0.1/32; } family inet6 { address 8028:5::1/128; address ::1/128; } routing-options { routing-options { autonomous-system 100; } } protocols { ripng { group igp { neighbor ge-0/1/0.0; } } bgp { group NREN-4-6 { local-address 204.146.35.1; family inet6 { unicast; } family inet { unicast; } peer-as 64595; neighbor 204.146.35.2; } } }http://www.juniper.net
Copyright © 2003 Juniper Networks, Inc.
www.juniper.net
Switch
6bone
IPv4 + IPv6 Switch
LAN BGP RIPv6 Switch
POS ATM GigE…
IPv4 + IPv6 addresses on each interface
Apr-03
IPv6 Service Metropolitan, Regional or National Network
40
Page 20
Performance without compromise
Case 2: remote connection to IPv6 service
IPv6 direct peering
6bone
interfaces { ge-0/1/0 { unit 0 { family inet { address 192.168.0.5/24; } family inet6 { address 8028:20::1/64; } } } so-0/0/0 { unit 0 { family inet { address 204.146.35.1/30; } }
Switch
IPv6 Service
IPv4 + IPv6
gr-1/0/0 { unit 0 { tunnel { source 204.146.35.1; # so-0/0/0.0 destination 195.150.10.34; } family inet6 { address 8028:25::1/64; } } } lo0 { unit 0 { family inet { address 192.168.10.1/32 address 127.0.0.1/32; } family inet6 { address 8028:5::1/128; address ::1/128; } routing-options { rib inet6.0 { static { route 8028:10::1/128 next-hop 8028:25::2; } } protocols { ripng { group igp { neighbor ge-0/1/0.0; } } bgp { group peering-v6 { type external; local-address 8028:5::1; # Loopback peer-as 64595; neighbor 8028:10::1; } } }http://www.juniper.net
Switch
LAN
BGP with v6 addresses
IPv6 in IPv4 tunnel Metropolitan, Regional or National
RIPv6 Switch
POS ATM GigE…
Network
IPv4 + IPv6 addresses on each interface
Copyright © 2003 Juniper Networks, Inc.
41
Pan-European Research Networking 10 Gb/s backbone with Juniper M160s
RHnet
Multicast
SUNET
FUNET
WDM optical technology
UNINETT EENet LATNET IP Premium LITNET
UKERNA Forskningsnettet HEAnet SURFnet
VPN
30 R&E connected organizations
POL-34
Belnet DFN RESTENA
CESNET SANET RENATER Aconet SWITCH HUNGARNET ARNES RoEduNet UNICOM-B IPv6
CARNet RCTS
RedIRIS
GARR
CYNET
GRNET
European connectivity to over 3000 R&E institutions
IUCC http://www.juniper.net Copyright © 2003 Juniper Networks, Inc. http://www.dante.net/geant/
www.juniper.net
42
Apr-03
Page 21
Performance without compromise
Now
IPv6 Available Features
Available on all M-series and T-series platforms Addressing & Forwarding
Forwarding in hardware Addressing
Link, site, global Stateless autoconfiguration
Neighbor discovery IPv6 Packet Filtering EUI 64 Autogeneration Unicast RPF FBF and CBF for IPv6 Destination/Source Class Usage
Routing Protocols
IS-IS OSPFv3 MP-BGP over v4/v6 RIPng Static IPv6 VPN (RFC2547bis) PIM v2 MLD
http://www.juniper.net Copyright © 2003 Juniper Networks, Inc.
Operations & Transition
Common support ICMPv6 SNMP over v6 + MIBs IP applications
Transition
Ping, telnet, ssh, ftp…
Configured tunnels Dual stack Transport IPv6 in MPLS
43
Thank You http://www.juniper.net
Copyright © 2003 Juniper Networks, Inc.
www.juniper.net
http://www.juniper.net
Apr-03
Page 22
