IPv6 Solutions On Juniper Networks

Performance without compromise
IPv6 solution on Juniper Networks

M-series and T-series
Internet routers
Ahmed Gueatri
aguetari@juniper.net
April 2003
Copyright © 2003 Juniper Networks, Inc. http://www.juniper.net
Agenda
IPv6 Implementation
IPv6 examples and Case Studies
www.juniper.net Apr-03 Page 1

IPv6 Qualified Router

What means really Dual Stack?
Addressing & Forwarding

IPv4
Routing Protocols
IPv6
Service Richness
Operational Efficiency
http://www.juniper.net
Copyright © 2003 Juniper Networks, Inc. 3
IPv6 Addressing
Dual IP addressing on the same interface

Neighbor discovery
ICMPv6
CE–
CE–A2
CE–
CE–A1 interfaces {
PE 2 ge-0/1/0 {
unit 0 {
P family inet {
P address 157.168.0.5/24;
}
family inet6 {
address 8028:20::1/64;
}
PE 1 }
}
}
P P PE 3
CE–
CE–B3
CE–
CE–C1

Autogeneration of EUI 64-bit

Interface Addresses for IPv6
Stateless auto-configuration
Node starts by appending its interface ID (EUI-64) to the
link-local network prefix, fe80::/64
Sends router solicitation
Receives prefix from router advertisement
Benefits
Simplifies host configuration
Broadens client coverage
Router Solicitation via ND
Host IP
information
configured Router Advertisement via ND
dynamically
IPv6 Qualified Router for ISPs


IPv4
Routing Protocols
IPv6
Service Richness

Routing Protocols
Static routing
May be used with customer sites
IGP
IPv6 unicast can be routed by RIPng, OSPFv3, or ISIS
Current ISIS backbone don’t need IGP upgrade
Current OSPF backbone need to:
Migrate to IS-IS
Or add/deploy OSPFv3
BGP-MP
Just add the IPv6 routing in existing M-BGP set-up
Can use same design
Can be set-up over v4 or v6
Just add v6 routing over BGP/v4 sessions (next-hop!)
Use BGP over v6 in case of IPv6 deployment in IPv4 tunnels
Separating BGP sessions for v4 and v6 may also have some advantages
Monitoring, flexibility…
Static Routing
example
routing-options {
rib inet6.0 {
CE–
CE–A2 static {
route 8028:10::1/128
CE–
CE–A1 next-hop 8028:25::2;
}
PE 2 }
}
P P
PE 1
P P PE 3
CE–
CE–B3
CE–
CE–C1

RIPng Routing
example
protocols {
CE–
CE–A2 ripng {
group igp {
CE– neighbor ge-0/1/0.0;
CE–A1 }
PE 2 }
}
P P
PE 1
P P PE 3
CE–
CE–B3
CE–
CE–C1
OSPFv3
Major changes to accommodate:

Address size AS1
General protocol semantics Area 1 Area 2
Addressing semantics removed from

OSPF packets and LSAs
New LSAs for IPv6 addresses & prefixes
OSPF runs on per-link, not per-subnet Area 3
Flooding scope for LSAs generalized
Authentication removed
Benefits
Other functions remain the same (e.g.
SPF calculation, area support, etc.)
AS2
Familiarity - widely deployed IGP

OSPFv3 interfaces {
so-0/0/0 {
example unit 0 {
family inet {
address 10.19.6.2/24;
}
family inet6 {
address 9009:6::2/64;
}
}
}
lo0 {
unit 0 {
family inet {
address 10.245.71.6/32;
CE–
CE–A2 }
family inet6 {
CE–
CE–A1
address feee::10:255:71:6/128;
PE 2 }
P P }
}
}
PE 1 protocols {
so-0/0/0.0 ospf3 {
area 0.0.0.2 {
P P PE 3 interface so-0/0/0.0;
interface lo0.0 {
passive;
CE–
CE–B3 }
CE–
CE–C1 }
}
}
External M-BGP
interfaces {
ge-0/1/0 {
unit 0 {
example family inet {
address 11.19.1.2/24;
}
family inet6 {
address ::11.19.1.2/126;
}
}
}
}
routing-options {
autonomous-system 100;
}
CE–
CE–A2
protocols {
CE–
CE–A1 bgp {
group ebgp_both {
PE 2
type external;
P P local-address 11.19.1.2;
family inet {
unicast;
}
PE 1 family inet6 {
unicast;
}
P P PE 3 peer-as 1;
ge-0/1/0 neighbor 11.19.1.1;
}
CE–
CE–B3 }
CE–
CE–C1 }

E-BGP Peering over IPv6

Link Local Addresses
E-BGP Peering over IPv6 LLA

BGP4+ Peering Using IPv6 Link-local
Address
draft-kato-bgp-ipv6-link-local-00.txt AS1
Allows use of link-local address for direct

peering connections instead of using global E-BGP
addresses
How it works
AS2
Link local addresses can be auto-generated
or manually configured
Benefits
Simpler administration
Flexibility

http://www.juniper.net NSPIXP6 uses link local address
Multicast Routing
Performance and scaling for IPv6 multicast clearly

important
PIMv2 to support for IPv4 and IPv6
Multicast Listener Discovery (MLD) protocol to discover

the presence of multicast listeners
Derived from IGMPv2
Uses ICMPv6 message type instead of IGMP message types
MPDv2 is required for PIM-SSM



IPv4
Routing Protocols
IPv6
Service Richness
IP Services
Routers must be able to perform intelligent IPv6

packet handling
Filtering – Selective forwarding and discarding
Monitoring - Sampling, counting, logging, etc.
QoS - Policing, shaping, queuing, profiling, etc.
Forwarding – Directing packets based on any header
information
All classification and packet handling must be done

in hardware to truly minimize performance impact
IP services and performance must not be mutually

exclusive

IP2 Services
Filtering & Policing
Packet filtering
DoS attack prevention
Comprehensive security
Packet Forwarding
E.g. Source Address Filters 120 %
100 %
Policing 80 %
Interface-level rate limiting 60 %

40 %
E.g. Bandwidth - limits bps 20 %
E.g. Maximum burst size 0%
Increasing Number of Packet Filters

Predictable performance
Internet Processor II ASIC
with rich IPv6 services CPU-based router
Filter
Filter Specification
Specification
IPv6 Filtering filter Limit-Customer-A {

policer Lim {
if-exceeding {
bandwidth-limit 1m;
burst-size-limit 100k;
}
then discard;
IP-II enables significant

}
term 1 {
from {
functionality with source-address {
3ffe:1002:6411::/48;
applications to network }
}
management then {
policer Lim;
Security
accept;
}
}
Monitoring }
Multiple rules may be specified.
Accounting Forward
Compile Silent
All IPv6 Packets Handled By Router Discard
Microcode
•IPv6 source address field Next Term
•IPv6 destination address field IP-II
IP-II Log,
•TCP/UDP source port field Packet
syslog TCP Reset
Count,
•TCP/UDP destination port field Handling Policer,
Or ICMP
•Next header field Programs Loss-priority, Unreachable
•Traffic class field Forwarding-class
•Packet length Routing
•ICMP packet type and code Filters and route lookup are part of Instance
same program
•Source-
Source-class
•Destination-
Destination-class

Flexible bandwidth
firewall {
family inet6 {
filter LimitCE-A2{
policer LimCE-A2 {
if-exceeding {
3ffe:1411:2205::5 bandwidth-limit 1m;
burst-size-limit 100k;
}
then discard;
CE–
CE–A2 }
term 1 {
CE–
CE–A1 from {
PE 2 source-address {
3ffe:1411:2205::/48;
P P }
}
then {
policer LimCE-A2;
PE 1
accept;
}
P P PE 3 }
}
}
}
CE–
CE–B3
CE–
CE–C1
Security
Security on routers is more important than ever

for customer and infrastructure protection
On-going DoS work in IPv4 to be extended to IPv6
Hardware-based packet handling, filtering optimize key

security actions
SNMPv3 improves router authentication

Source Address Verification

uRPF can be configured per-interface/sub-interface
Supports both IPv4 and IPv6
Packet/Byte counters for traffic failing the uRPF check
Additional filtering available for traffic failing check:
police/reject
Can syslog the rejected traffic for later analysis
Two modes available:
Active-paths:
uRPF only considers the best path toward a particular destination
Feasible-paths:
uRPF considers all the feasible paths. This is used where routing is
asymmetrical.
Source Address Verification
3ffe:1411:2205::5
CE–
CE–A2
CE–
CE–A1
PE 2
P P
3ffe:1411:2205::/48*[BGP/170]
>via so-0/0/0/0.0
PE 1
so-0/0/0.0
Attack with
P P PE 3 uRPF
Source address
ge-0/1/0 = 3ffe:1411:2205::5
CE–
CE–B3
CE–
CE–C1
3ffe:1541:2305::/48

policy-options {
Real-time DoS Identification community victim members 100:100;
with Destination Class Usage policy-statement set-dest-class
term 1 {
from {
protocol bgp;
community victim;
}
then {
destination-class dcu-victim;
accept;
}
}
}
}
CE–
CE–A2 interfaces {
CE–
CE–A1 so-2/0/1 {
unit 0 {
PE 2
family inet6 {
P P address feee::10:255:73:2/128;
accounting {
destination-class-usage;
}
PE 1 }
so-0/0/0.0 }
}
P P PE 3 }
ge-0/1/0
routing-options{
CE–
CE–B3 forwarding-table{
CE–
CE–C1 export set-dest-class;
}
3ffe:1541:2305::/48
}
Real-time DDoS Identification
CE–
CE–A2
CE–
CE–A1
PE 2
P P
PE 1
so-0/0/0.0
P P PE 3
ge-0/1/0
CE–
CE–B3
CE–
CE–C1
3ffe:1541:2305::/48

Real-time DDoS Identification
CE–
CE–A2
CE–
CE–A1
PE 2
P P
PE 1
so-0/0/0.0
BGP update
3ffe:1541:2305::12/128
P P PE 3
Community 100:100
ge-0/1/0
CE–
CE–B3
CE–
CE–C1
3ffe:1541:2305::12
QoS
IPv6 header includes traffic class and flow label

Traffic class function = DSCP
Largely undefined flow label identifies a traffic flow that
needing special handling, I.e. voice, video, etc.
IPv6 routers must be able to use traffic class and flow

label without incurring performance cost

VPNs
VPNs are a valuable service

Provider managed IPv4 VPN models have been successful
Established VPN technologies used for IPv4 must be carried
over to IPv6
Services offered as part of a VPN, I.e. QoS, will still be
required for IPv6
VPN management must be able to support IPv4 and IPv6
traffic
L3 VPN over MPLS

VPN A VPN A
Site 1, IPv6 Site2, IPv6
CE–
CE–A2 VPN B
Site2, IPv4
CE–
CE–A1
OSPF
P P PE 2 Routing
Static
VPN B Routes CE–
CE–B2
Site 1, IPv4
VPN A
PE 1
Site 3, IPv6
CE–
CE–A3
E-BGP
CE–
CE–B1 P P PE 3
CE–
CE–B3
VPN C CE–
CE–C1 CE–
CE–C2
Site 1, IPv4 VPN C
Site 2, IPv4
VPN B
Site3, IPv4



IPv4
Routing Protocols
IPv6
Service Richness
Network Management
IPv6 Management must be integrated in existing

management systems
SNMP over v6 with IPv6 MIBs
Intuitive CLI
IPv6 Accounting
APIs (e.g. XML) for OSS integration
Reduce latency between new vendor feature/service and
OSS integration
Operational efficiency hinges on OSS integration
Router operations over IPv6
telnet, ssh, ftp, ping, traceroute…

Robustness and Reliability
Common support of features, services on every interface

across all platforms
Same approach for hardware-based packet handling as IPv4
Performance is critical
Maintaining SLA agreement for IPv4 while operating IPv6
Separation of routing and control planes
Graceful restart mechanisms
BGP, OSPF, IS-IS, RSVP, LDP…
Linear software releases continuity to ensure common
support and evolution
Integration of non IPv6 capable

routers
IPv6 in IPv4 tunnels

GRE or IP-IP Tunnels
Only possible:
with performance (hardware tunneling)
at small scale for manageability
Connecting IPv6 Islands with IPv4 MPLS

Requires MPLS capable routers in the core

IPv6 in IPv4 tunnels
interfaces {
so-0/0/0 {
unit 0 {
family inet {
address 100.255.3.2/24;
}
}
CE–
CE–A2
}
CE–
CE–A1 gr-1/0/0 {
PE 2 unit 0 {
tunnel {
P P source 100.255.3.2;
Rv4 Rv4 destination 100.255.2.1;
}
family inet6 {
PE 1 address 9009:6::2/64;
Rv4
100.255.2.1 Rv4 so-0/0/0.0 }
100.255.3.2 }
P P PE 3 }
}
CE–
CE–B3
CE–
CE–C1
Connecting IPv6 Islands with IPv4

MPLS (1)
IETF Draft as defined in draft-ietf-ngtrans-bgp-tunnel-
04.txt
Connecting IPv6 Islands across IPv4 Clouds with BGP
Also known as “6PE”
PEs run Dual Stack MP-BGP over IPv4
PE and CE exchanges IPv6 routes
MPLS LDP/RSVP LSPs are set up using IPv4
Benefits
Leverages existing MPLS infrastructure
Requires IPv6 support only on PE router IPv6
IPv6 IPv4
MPLS
PE2
IPv6
PE1
IPv6


MPLS (2) interfaces {
so-0/0/0 {
unit 0 {
family inet {
address 100.255.3.2/24;
}
family inet6;
family mpls;
}
}
ge-0/1/0
unit 0 {
CE–
CE–A2 family inet6 {
address 8002::1/126;
CE–
CE–A1
}
PE 2 }
P P }
lo0 {
Rv4 Rv4 unit 0 {
family inet {
PE 1 address 10.245.71.6/32;
}
Rv4
100.255.2.1 Rv4 so-0/0/0.0
100.255.3.2 family mpls;
P P PE 3 }
}
ge-0/1/0 }
CE–
CE–B3 routing-options {
CE–
CE–C1 autonomous-system 100;
}

MPLS (3) protocols {
rsvp {
interface so-0/0/0.0;
}
mpls {
ipv6-tunneling;
label-switched-path to_PE1 {
to 10.245.72.6;
}
}
bgp {
group to_PE1 {
CE–
CE–A2 type internal;
local-address 10.245.71.6;
CE–
CE–A1 family inet6 {
PE 2 labeled-unicast {
explicit-null;
P P }
Rv4 Rv4 }
export red-export;
neighbor 10.245.72.6;
PE 1 }
Rv4
100.255.2.1 Rv4 so-0/0/0.0 }
100.255.3.2 ospf {
P P PE 3 traffic-engineering;
ge-0/1/0 area 0.0.0.0 {
CE–
CE–B3 interface lo0.0 {
CE–
CE–C1 passive;
}
}
http://www.juniper.net }


MPLS (4)
# protocols (next)
ripng {
group to_CE-B3 {
export red-import;
neighbor ge-0/1/0.0;
}
}
}
CE–
CE–A2
policy-options {
CE–
CE–A1 policy-statement red-export {
PE 2 term 1 {
from protocol ripng;
P P then accept;
Rv4 Rv4 }
term 2 {
then reject;
PE 1 }
Rv4
100.255.2.1 Rv4 so-0/0/0.0 }
100.255.3.2 policy-statement red-import {
P P PE 3 from protocol bgp;
ge-0/1/0.0 then accept;
}
CE–
CE–B3 }
CE–
CE–C1
Agenda
IPv6 Implementation
IPv6 examples and Case Studies

Juniper Networks IPV6 deployment

in R&E and ISPs
Americas EMEA APAC
Case 1: direct connection to IPv4

IPv6 direct peering + IPv6 services
interfaces {
ge-0/1/0 {
unit 0 {
family inet {
address 192.168.0.5/24;
}
family inet6 {
address 8028:20::1/64;
}
}
}
so-0/0/0 {
unit 0 { Switch
family inet {
address 204.146.35.1/30;
IPv4
6bone
}
family inet6 {
}
address 8028:25::1/64;
+ IPv6
}
}
lo0 {
unit 0 {
family inet { Switch
address 192.168.5.1/32
address 127.0.0.1/32;
}
family inet6 {
LAN
address 8028:5::1/128;
address ::1/128;
}
routing-options {
routing-options {
autonomous-system 100;
}
} IPv6
protocols {
ripng { Service
group igp { BGP
}
neighbor ge-0/1/0.0; Metropolitan,
}
bgp { RIPv6 Regional or
group NREN-4-6 {
local-address 204.146.35.1; National
family inet6 { Switch
unicast;
} Network
POS
family inet {
unicast;
ATM
}
peer-as 64595;
neighbor 204.146.35.2;
} GigE…
}
}http://www.juniper.net IPv4 + IPv6 addresses
Copyright © 2003 Juniper Networks, Inc. on each interface 40

Case 2: remote connection

to IPv6 service
IPv6 direct peering
6bone
interfaces {
ge-0/1/0 {
unit 0 {
family inet {
address 192.168.0.5/24;
}
family inet6 {
address 8028:20::1/64;
}
}
} Switch
so-0/0/0 {
unit 0 {
IPv6
family inet {
address 204.146.35.1/30;
}
IPv4
}
+ IPv6
Service
gr-1/0/0 {
unit 0 {
tunnel {
source 204.146.35.1; # so-0/0/0.0
destination 195.150.10.34;
} Switch
family inet6 {
address 8028:25::1/64;
}
LAN
}
}
lo0 {
unit 0 {
family inet {
address 192.168.10.1/32 BGP with
v6 addresses
address 127.0.0.1/32;
}
IPv6 in IPv4 tunnel
family inet6 {
address 8028:5::1/128;
address ::1/128;
}
routing-options {
rib inet6.0 {
static {
route 8028:10::1/128 next-hop 8028:25::2; Metropolitan,
Regional or
}
}
protocols { RIPv6
ripng {
group igp { National
neighbor ge-0/1/0.0; Switch
}
}
bgp {
Network
group peering-v6 {
type external;
POS
local-address 8028:5::1; # Loopback
peer-as 64595; ATM
}
neighbor 8028:10::1;
GigE…
}
}http://www.juniper.net
IPv4 + IPv6 addresses
Copyright © 2003 Juniper Networks, Inc. on each interface 41
Pan-European Research Networking

10 Gb/s
RHnet backbone
with Juniper
SUNET
M160s
Multicast
FUNET
UNINETT
WDM optical
EENet technology
UKERNA Forskningsnettet IP Premium
LATNET
LITNET 30 R&E
HEAnet
SURFnet
connected
POL-34
Belnet DFN organizations
RESTENA
VPN RENATER
CESNET
Aconet
SANET
European
SWITCH HUNGARNET
ARNES RoEduNet connectivity
to over 3000
IPv6
CARNet
UNICOM-B
GARR
RCTS RedIRIS CYNET R&E
GRNET institutions
IUCC
Copyright © 2003 Juniper Networks, Inc.
http://www.dante.net/geant/ 42

Now
IPv6 Available Features
Available on all M-series and T-series platforms
Addressing & Routing Operations &

Forwarding Protocols Transition
Forwarding IS-IS Common support
in hardware ICMPv6
OSPFv3
Addressing SNMP over v6 + MIBs
Link, site, global MP-BGP over
v4/v6 IP applications
Stateless Ping, telnet, ssh, ftp…
autoconfiguration RIPng
Neighbor discovery Transition
Static Configured tunnels
IPv6 Packet Filtering
IPv6 VPN Dual stack
EUI 64 Autogeneration
(RFC2547bis) Transport IPv6 in MPLS
Unicast RPF
FBF and CBF for IPv6 PIM v2
Destination/Source MLD
Class Usage
Thank You
Copyright © 2003 Juniper Networks, Inc. http://www.juniper.net

IPv6 Solutions On Juniper Networks

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

IPv6 Solutions On Juniper Networks

Uploaded by

Copyright:

Available Formats

Performance without compromise

IPv6 solution on Juniper Networks

Copyright © 2003 Juniper Networks, Inc. http://www.juniper.net

www.juniper.net Apr-03 Page 1

IPv6 Qualified Router

 Addressing & Forwarding

 Dual IP addressing on the same interface

www.juniper.net Apr-03 Page 2

Autogeneration of EUI 64-bit

IPv6 Qualified Router for ISPs

 Addressing & Forwarding

www.juniper.net Apr-03 Page 3

www.juniper.net Apr-03 Page 4

 Major changes to accommodate:

 Addressing semantics removed from

www.juniper.net Apr-03 Page 5

www.juniper.net Apr-03 Page 6

E-BGP Peering over IPv6

 E-BGP Peering over IPv6 LLA

 Allows use of link-local address for direct

 Performance and scaling for IPv6 multicast clearly

 PIMv2 to support for IPv4 and IPv6

 Multicast Listener Discovery (MLD) protocol to discover

www.juniper.net Apr-03 Page 7

IPv6 Qualified Router for ISPs

 Addressing & Forwarding

 Routers must be able to perform intelligent IPv6

 All classification and packet handling must be done

 IP services and performance must not be mutually

www.juniper.net Apr-03 Page 8

 Interface-level rate limiting 60 %

 E.g. Maximum burst size 0%

Increasing Number of Packet Filters

IPv6 Filtering filter Limit-Customer-A {

IP-II enables significant

www.juniper.net Apr-03 Page 9

 Security on routers is more important than ever

 On-going DoS work in IPv4 to be extended to IPv6

 Hardware-based packet handling, filtering optimize key

 SNMPv3 improves router authentication

www.juniper.net Apr-03 Page 10

Source Address Verification

Source Address Verification

www.juniper.net Apr-03 Page 11

Real-time DDoS Identification

www.juniper.net Apr-03 Page 12

Real-time DDoS Identification

 IPv6 header includes traffic class and flow label

 IPv6 routers must be able to use traffic class and flow

www.juniper.net Apr-03 Page 13

 VPNs are a valuable service

L3 VPN over MPLS

www.juniper.net Apr-03 Page 14

IPv6 Qualified Router for ISPs

 Addressing & Forwarding

 IPv6 Management must be integrated in existing

www.juniper.net Apr-03 Page 15

Robustness and Reliability

 Common support of features, services on every interface

Integration of non IPv6 capable

 IPv6 in IPv4 tunnels

 Connecting IPv6 Islands with IPv4 MPLS

Addressing & Forwarding

Dual IP addressing on the same interface

Addressing & Forwarding

Major changes to accommodate:

Addressing semantics removed from

E-BGP Peering over IPv6 LLA

Allows use of link-local address for direct

Performance and scaling for IPv6 multicast clearly

PIMv2 to support for IPv4 and IPv6

Multicast Listener Discovery (MLD) protocol to discover

Addressing & Forwarding

Routers must be able to perform intelligent IPv6

All classification and packet handling must be done

IP services and performance must not be mutually

Interface-level rate limiting 60 %

E.g. Maximum burst size 0%

Security on routers is more important than ever

On-going DoS work in IPv4 to be extended to IPv6

Hardware-based packet handling, filtering optimize key

SNMPv3 improves router authentication

IPv6 header includes traffic class and flow label

IPv6 routers must be able to use traffic class and flow

VPNs are a valuable service

Addressing & Forwarding

IPv6 Management must be integrated in existing

Common support of features, services on every interface

IPv6 in IPv4 tunnels

Connecting IPv6 Islands with IPv4 MPLS

Available on all M-series and T-series platforms