Ahmed Gueatri
aguetari@juniper.net
April 2003
Agenda
IPv6 Implementation
IPv6 examples and Case Studies
http://www.juniper.net
Copyright © 2003 Juniper Networks, Inc. 3
IPv6 Addressing
[Network diagram labels: CE-A1, CE-A2, CE-B3, CE-C1, PE 1, PE 2, PE 3, P routers]
interfaces {
    ge-0/1/0 {
        unit 0 {
            family inet {
                address 157.168.0.5/24;
            }
            family inet6 {
                address 8028:20::1/64;
            }
        }
    }
}
Stateless auto-configuration
Node starts by appending its interface ID (EUI-64) to the
link-local network prefix, fe80::/64
Sends router solicitation
Receives prefix from router advertisement
Benefits
Simplifies host configuration
Broadens client coverage
[Diagram: Router Solicitation via ND; Router Advertisement via ND; host IP information configured dynamically]
Routing Protocols
Static routing
    May be used with customer sites
IGP
    IPv6 unicast can be routed by RIPng, OSPFv3, or IS-IS
    Current IS-IS backbones don't need an IGP upgrade
    Current OSPF backbones need to:
        Migrate to IS-IS
        Or add/deploy OSPFv3
BGP-MP
    Just add the IPv6 routing in existing M-BGP set-up
    Can use same design
    Can be set up over v4 or v6
        Just add v6 routing over BGP/v4 sessions (next-hop!)
        Use BGP over v6 in case of IPv6 deployment in IPv4 tunnels
    Separating BGP sessions for v4 and v6 may also have some advantages
        Monitoring, flexibility…
Static Routing example
[Network diagram labels: CE-A1, CE-A2, CE-B3, CE-C1, PE 1, PE 2, PE 3, P routers]
routing-options {
    rib inet6.0 {
        static {
            route 8028:10::1/128 next-hop 8028:25::2;
        }
    }
}
RIPng Routing example
[Network diagram labels: CE-A1, CE-A2, CE-B3, CE-C1, PE 1, PE 2, PE 3, P routers]
protocols {
    ripng {
        group igp {
            neighbor ge-0/1/0.0;
        }
    }
}
OSPFv3
OSPFv3 example
[Network diagram labels: CE-A1, CE-A2, CE-B3, CE-C1, PE 1, PE 2, PE 3, P routers; link so-0/0/0.0]
interfaces {
    so-0/0/0 {
        unit 0 {
            family inet {
                address 10.19.6.2/24;
            }
            family inet6 {
                address 9009:6::2/64;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.245.71.6/32;
            }
            family inet6 {
                address feee::10:255:71:6/128;
            }
        }
    }
}
protocols {
    ospf3 {
        area 0.0.0.2 {
            interface so-0/0/0.0;
            interface lo0.0 {
                passive;
            }
        }
    }
}
External M-BGP example
[Network diagram labels: CE-A1, CE-A2, CE-B3, CE-C1, PE 1, PE 2, PE 3, P routers; link ge-0/1/0]
interfaces {
    ge-0/1/0 {
        unit 0 {
            family inet {
                address 11.19.1.2/24;
            }
            family inet6 {
                address ::11.19.1.2/126;
            }
        }
    }
}
routing-options {
    autonomous-system 100;
}
protocols {
    bgp {
        group ebgp_both {
            type external;
            local-address 11.19.1.2;
            family inet {
                unicast;
            }
            family inet6 {
                unicast;
            }
            peer-as 1;
            neighbor 11.19.1.1;
        }
    }
}
Multicast Routing
IP Services
IP2 Services
Filtering & Policing
Packet filtering
DoS attack prevention
Comprehensive security
E.g. Source Address Filters, Policing
[Chart: Packet Forwarding (%)]
Filter Specification
Applications to network management
    Security
    Monitoring
    Accounting
Multiple rules may be specified.
[Filter specification fragment shown on the slide:]
            }
        }
        then {
            policer Lim;
            accept;
        }
    }
}
[Diagram labels: Compile, Microcode, IP-II Packet Handling Programs]
Filters and route lookup are part of same program
All IPv6 Packets Handled By Router
Match fields:
•IPv6 source address field
•IPv6 destination address field
•TCP/UDP source port field
•TCP/UDP destination port field
•Next header field
•Traffic class field
•Packet length
•ICMP packet type and code
•Source-class
•Destination-class
Actions:
•Forward
•Silent Discard
•Next Term
•Log, syslog
•TCP Reset Or ICMP Unreachable
•Count, Policer, Loss-priority, Forwarding-class
•Routing Instance
Flexible bandwidth
[Network diagram labels: host 3ffe:1411:2205::5; CE-A1, CE-A2, CE-B3, CE-C1, PE 1, PE 2, PE 3, P routers]
firewall {
    family inet6 {
        filter LimitCE-A2 {
            policer LimCE-A2 {
                if-exceeding {
                    bandwidth-limit 1m;
                    burst-size-limit 100k;
                }
                then discard;
            }
            term 1 {
                from {
                    source-address {
                        3ffe:1411:2205::/48;
                    }
                }
                then {
                    policer LimCE-A2;
                    accept;
                }
            }
        }
    }
}
Security
[Network diagram: uRPF. Labels: host 3ffe:1411:2205::5; route 3ffe:1411:2205::/48*[BGP/170] >via so-0/0/0/0.0; links so-0/0/0.0 and ge-0/1/0; attack with source address = 3ffe:1411:2205::5; site 3ffe:1541:2305::/48; CE-A1, CE-A2, CE-B3, CE-C1, PE 1, PE 2, PE 3, P routers]
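The reverse-path check this slide illustrates, as an added example that is not part of the original deck: a strict uRPF decision over a small forwarding table, with the loose-mode result alongside to show why loose mode does not stop this spoofed source. The table and packets are constructed from the slide's prefixes and interface names; mapping 3ffe:1541:2305::/48 to ge-0/1/0 is an assumption read off the diagram, and the function names are hypothetical.

```python
import ipaddress

# Constructed forwarding table; the ge-0/1/0 mapping is an assumption.
FIB = [
    (ipaddress.ip_network("3ffe:1411:2205::/48"), "so-0/0/0.0"),
    (ipaddress.ip_network("3ffe:1541:2305::/48"), "ge-0/1/0"),
]

def best_route(fib, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    addr = ipaddress.ip_address(addr)
    matches = [(net, ifc) for net, ifc in fib if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)

def urpf_strict(fib, src, in_ifc):
    """Strict mode: accept only if the best route back to src uses in_ifc."""
    route = best_route(fib, src)
    if route is None:
        return False, "no route to source"
    if route[1] != in_ifc:
        return False, f"source is reached via {route[1]}, not {in_ifc}"
    return True, "reverse path matches"

def urpf_loose(fib, src):
    """Loose mode: accept if any non-default route to src exists."""
    route = best_route(fib, src)
    return route is not None and route[0].prefixlen > 0

PACKETS = [  # constructed samples: (source address, arrival interface)
    ("3ffe:1411:2205::5", "ge-0/1/0"),    # the slide's spoofed source
    ("3ffe:1411:2205::5", "so-0/0/0.0"),  # same source on its real path
    ("3ffe:1541:2305::12", "ge-0/1/0"),   # host that really sits behind ge-0/1/0
    ("2001:db8::1", "ge-0/1/0"),          # source with no route at all
]

def run(fib=FIB, packets=PACKETS):
    return [(src, ifc, *urpf_strict(fib, src, ifc)) for src, ifc in packets]

if __name__ == "__main__":
    for src, ifc, ok, why in run():
        verdict = "ACCEPT" if ok else "DROP"
        print(f"{src:20} in {ifc:11} strict={verdict:6} "
              f"loose={urpf_loose(FIB, src)}  ({why})")
```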
Real-time DoS Identification with Destination Class Usage
[Network diagram labels: CE-A1, CE-A2, CE-B3, CE-C1, PE 1, PE 2, PE 3, P routers; links so-0/0/0.0 and ge-0/1/0; site 3ffe:1541:2305::/48]
policy-options {
    community victim members 100:100;
    policy-statement set-dest-class {
        term 1 {
            from {
                protocol bgp;
                community victim;
            }
            then {
                destination-class dcu-victim;
                accept;
            }
        }
    }
}
interfaces {
    so-2/0/1 {
        unit 0 {
            family inet6 {
                address feee::10:255:73:2/128;
                accounting {
                    destination-class-usage;
                }
            }
        }
    }
}
routing-options {
    forwarding-table {
        export set-dest-class;
    }
}
[Network diagram labels: CE-A1, CE-A2, CE-B3, CE-C1, PE 1, PE 2, PE 3, P routers; links so-0/0/0.0 and ge-0/1/0; site 3ffe:1541:2305::/48]
[Network diagram labels: BGP update 3ffe:1541:2305::12/128, Community 100:100; host 3ffe:1541:2305::12; links so-0/0/0.0 and ge-0/1/0; CE-A1, CE-A2, CE-B3, CE-C1, PE 1, PE 2, PE 3, P routers]
QoS
VPNs
[Network diagram labels: VPN A Site 3, IPv6; VPN B Site 1, IPv4; VPN B Site2, IPv4; VPN B Site3, IPv4; VPN C Site 1, IPv4; VPN C Site 2, IPv4; CE-A1, CE-A2, CE-A3, CE-B1, CE-B2, CE-B3, CE-C1, CE-C2; PE 1, PE 2, PE 3, P routers; OSPF Routing, Static Routes, E-BGP]
Network Management
[Network diagram labels: CE-A1, CE-A2, CE-B3, CE-C1, PE 1, PE 2, PE 3, P routers; Rv4 routers; 100.255.2.1, 100.255.3.2; link so-0/0/0.0]
interfaces {
    so-0/0/0 {
        unit 0 {
            family inet {
                address 100.255.3.2/24;
            }
        }
    }
    gr-1/0/0 {
        unit 0 {
            tunnel {
                source 100.255.3.2;
                destination 100.255.2.1;
            }
            family inet6 {
                address 9009:6::2/64;
            }
        }
    }
}
[Diagram labels: IPv6, IPv4, MPLS, PE1, PE2]
[Network diagram labels: CE-A1, CE-A2, CE-B3, CE-C1, PE 1, PE 2, PE 3, P routers; Rv4 routers; 100.255.2.1, 100.255.3.2; links so-0/0/0.0 and ge-0/1/0.0]
    ripng {
        group to_CE-B3 {
            export red-import;
            neighbor ge-0/1/0.0;
        }
    }
}
policy-options {
    policy-statement red-export {
        term 1 {
            from protocol ripng;
            then accept;
        }
        term 2 {
            then reject;
        }
    }
    policy-statement red-import {
        from protocol bgp;
        then accept;
    }
}
Agenda
IPv6 Implementation
IPv6 examples and Case Studies
[Network diagram labels: LAN; Switch; IPv6 Service; BGP; RIPv6; Metropolitan, Regional or National Network (POS, ATM, GigE…); IPv4 + IPv6 addresses on each interface]
        address 8028:5::1/128;
        address ::1/128;
    }
routing-options {
    autonomous-system 100;
}
protocols {
    ripng {
        group igp {
            neighbor ge-0/1/0.0;
        }
    }
    bgp {
        group NREN-4-6 {
            local-address 204.146.35.1;
            family inet6 {
                unicast;
            }
            family inet {
                unicast;
            }
            peer-as 64595;
            neighbor 204.146.35.2;
        }
    }
}
6bone
[Network diagram labels: LAN; Switch; IPv4 + IPv6 Service; BGP with v6 addresses; IPv6 in IPv4 tunnel; RIPv6; Metropolitan, Regional or National Network (POS, ATM, GigE…); IPv4 + IPv6 addresses on each interface]
interfaces {
    ge-0/1/0 {
        unit 0 {
            family inet {
                address 192.168.0.5/24;
            }
            family inet6 {
                address 8028:20::1/64;
            }
        }
    }
    so-0/0/0 {
        unit 0 {
            family inet {
                address 204.146.35.1/30;
            }
        }
    }
    gr-1/0/0 {
        unit 0 {
            tunnel {
                source 204.146.35.1; # so-0/0/0.0
                destination 195.150.10.34;
            }
            family inet6 {
                address 8028:25::1/64;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 192.168.10.1/32;
                address 127.0.0.1/32;
            }
            family inet6 {
                address 8028:5::1/128;
                address ::1/128;
            }
        }
    }
}
routing-options {
    rib inet6.0 {
        static {
            route 8028:10::1/128 next-hop 8028:25::2;
        }
    }
}
protocols {
    ripng {
        group igp {
            neighbor ge-0/1/0.0;
        }
    }
    bgp {
        group peering-v6 {
            type external;
            local-address 8028:5::1; # Loopback
            peer-as 64595;
            neighbor 8028:10::1;
        }
    }
}
European connectivity to over 3000 R&E institutions
Connected organizations: SURFnet, POL-34, Belnet, DFN, RESTENA, RENATER, CESNET, Aconet, SANET, SWITCH, HUNGARNET, ARNES, RoEduNet, CARNet, UNICOM-B, GARR, RCTS, RedIRIS, CYNET, GRNET, IUCC
[Map labels: VPN, IPv6]
http://www.dante.net/geant/
Now
IPv6 Available Features
Thank You