Performance without compromise

IPv6 solution on Juniper Networks M-series and T-series Internet routers
Ahmed Gueatri aguetari@juniper.net April 2003
Copyright © 2003 Juniper Networks, Inc. http://www.juniper.net

Agenda

- IPv6 Implementation
- IPv6 examples and Case Studies


IPv6 Qualified Router

What does Dual Stack really mean?

- Addressing & Forwarding
- Routing Protocols
- Service Richness
- Operational Efficiency

IPv4 IPv6


IPv6 Addressing

- Dual IP addressing on the same interface
- Neighbor discovery
- ICMPv6

    interfaces {
        ge-0/1/0 {
            unit 0 {
                family inet {
                    address 157.168.0.5/24;
                }
                family inet6 {
                    address 8028:20::1/64;
                }
            }
        }
    }

[Figure: provider network with PE 1, PE 2, PE 3 and P routers; customer edge routers CE-A1, CE-A2, CE-B3 and CE-C1]

Autogeneration of EUI 64-bit Interface Addresses for IPv6

Stateless auto-configuration
- Node starts by appending its interface ID (EUI-64) to the link-local network prefix fe80::/64
- Sends router solicitation
- Receives prefix from router advertisement

Benefits
- Simplifies host configuration
- Broadens client coverage

[Figure: host sends Router Solicitation via ND, router answers with Router Advertisement via ND; host IP information configured dynamically]

Routing Protocols

Static routing
- May be used with customer sites

IGP
- IPv6 unicast can be routed by RIPng, OSPFv3, or IS-IS
- Current IS-IS backbones don't need an IGP upgrade
- Current OSPF backbones need to:
  - Migrate to IS-IS
  - Or add/deploy OSPFv3

BGP-MP
- Just add the IPv6 routing in existing M-BGP set-up
- Can use same design
- Can be set up over v4 or v6
  - Just add v6 routing over BGP/v4 sessions (next-hop!)
  - Use BGP over v6 in case of IPv6 deployment in IPv4 tunnels
  - Separating BGP sessions for v4 and v6 may also have some advantages: monitoring, flexibility…

Static Routing example

    routing-options {
        rib inet6.0 {
            static {
                route 8028:10::1/128 next-hop 8028:25::2;
            }
        }
    }

[Figure: PE/P/CE topology]

RIPng Routing example

    protocols {
        ripng {
            group igp {
                neighbor ge-0/1/0.0;
            }
        }
    }

[Figure: PE/P/CE topology]

OSPFv3

Major changes to accommodate:
- Address size
- General protocol semantics
  - Addressing semantics removed from OSPF packets and LSAs
  - New LSAs for IPv6 addresses & prefixes
  - OSPF runs per-link, not per-subnet
  - Flooding scope for LSAs generalized
  - Authentication removed from the protocol itself (OSPFv3 relies on the IPv6 AH/ESP headers instead)

Benefits
- Other functions remain the same (e.g. SPF calculation, area support, etc.)
- Familiarity: widely deployed IGP

[Figure: labels Area 1, Area 2, Area 3, AS1, AS2]

OSPFv3 example

    interfaces {
        so-0/0/0 {
            unit 0 {
                family inet {
                    address 10.….2/24;
                }
                family inet6 {
                    address 9009:6::2/64;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 10.245.71.6/32;
                }
                family inet6 {
                    address feee::10:255:71:6/128;
                }
            }
        }
    }
    protocols {
        ospf3 {
            area 0.0.0.2 {
                interface so-0/0/0.0;
                interface lo0.0 {
                    passive;
                }
            }
        }
    }

[Figure: PE/P/CE topology, PE 1 interface so-0/0/0.0]

External M-BGP example

    interfaces {
        ge-0/1/0 {
            unit 0 {
                family inet {
                    address 11.19.1.2/24;
                }
                family inet6 {
                    address ::11.19.1.2/126;
                }
            }
        }
    }
    routing-options {
        autonomous-system 100;
    }
    protocols {
        bgp {
            group ebgp_both {
                type external;
                local-address 11.19.1.2;
                family inet {
                    unicast;
                }
                family inet6 {
                    unicast;
                }
                peer-as 1;
                neighbor 11.19.1.1;
            }
        }
    }

[Figure: PE/P/CE topology, PE 3 interface ge-0/1/0 toward CE-B3]

E-BGP Peering over IPv6 Link Local Addresses

E-BGP Peering over IPv6 LLA
- BGP4+ Peering Using IPv6 Link-local Address: draft-kato-bgp-ipv6-link-local-00.txt
- Allows use of link-local address for direct peering connections instead of using global addresses

How it works
- Link local addresses can be auto-generated or manually configured

Benefits
- Simpler administration
- Flexibility
- NSPIXP6 uses link local address

[Figure: E-BGP session between AS1 and AS2]

Multicast Routing

- Performance and scaling for IPv6 multicast clearly important
- PIMv2 support for IPv4 and IPv6
- Multicast Listener Discovery (MLD) protocol to discover the presence of multicast listeners
  - Derived from IGMPv2
  - Uses ICMPv6 message types instead of IGMP message types
  - MLDv2 is required for PIM-SSM

IP Services

Routers must be able to perform intelligent IPv6 packet handling
- Filtering - Selective forwarding and discarding
- Monitoring - Sampling, counting, logging, profiling, etc.
- QoS - Policing, shaping, queuing, etc.
- Forwarding - Directing packets based on any header information

All classification and packet handling must be done in hardware to truly minimize performance impact

IP services and performance must not be mutually exclusive

IP2 Services: Filtering & Policing

Packet filtering
- DoS attack prevention
- Comprehensive security
- E.g. Source Address Filters

Policing
- Interface-level rate limiting
- E.g. Bandwidth: limits bps
- E.g. Maximum burst size

Predictable performance with rich IPv6 services

[Chart: packet forwarding (0% to 120%) against an increasing number of packet filters, Internet Processor II ASIC vs. CPU-based router]

IPv6 Filtering

IP-II enables significant functionality with applications to network management
- Security
- Monitoring
- Accounting

Filter Specification -> Compile -> Microcode -> IP-II Packet Handling Programs

All IPv6 packets handled by router. Fields that can be matched:
- IPv6 source address field
- IPv6 destination address field
- TCP/UDP source port field
- TCP/UDP destination port field
- Next header field
- Traffic class field
- Packet length
- ICMP packet type and code
- Source-class
- Destination-class

Actions:
- Forward
- Log, syslog
- Count, Policer, Loss-priority, Forwarding-class
- Silent Discard
- TCP Reset or ICMP Unreachable
- Next Term
- Routing Instance

Filters and route lookup are part of same program

Filter Specification

    filter Limit-Customer-A {
        policer Lim {
            if-exceeding {
                bandwidth-limit 1m;
                burst-size-limit 100k;
            }
            then discard;
        }
        term 1 {
            from {
                source-address {
                    3ffe:1002:6411::/48;
                }
            }
            then {
                policer Lim;
                accept;
            }
        }
    }

Multiple rules may be specified.
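How the policer in these filters (bandwidth-limit 1m, burst-size-limit 100k, then discard) treats a flood and a compliant flow, as an added example that is not part of the original deck. It uses a generic single-rate token bucket as the model, which is an assumption and not Juniper's hardware implementation; the decimal reading of the k/m suffixes, the function names and the traffic are likewise assumptions constructed for the example.

```python
SCALE = 8000  # token unit = 1/8000 byte, so 1 ms at 1 bit/s adds exactly 1 unit

def parse_junos_number(text: str) -> int:
    """'1m' -> 1_000_000, '100k' -> 100_000 (decimal suffixes assumed)."""
    mult = {"k": 10**3, "m": 10**6, "g": 10**9}
    text = text.strip().lower()
    if text[-1] in mult:
        return int(text[:-1]) * mult[text[-1]]
    return int(text)

class Policer:
    """Single-rate token bucket: refilled at bandwidth-limit (bits/s), capped
    at burst-size-limit (bytes); a packet that does not fit is discarded."""

    def __init__(self, bandwidth_limit: str, burst_size_limit: str):
        self.rate_bps = parse_junos_number(bandwidth_limit)
        self.cap = parse_junos_number(burst_size_limit) * SCALE
        self.tokens = self.cap          # bucket starts full
        self.last_ms = 0

    def offer(self, t_ms: int, length: int) -> bool:
        """Return True if the packet conforms, False if it is discarded."""
        refill = self.rate_bps * (t_ms - self.last_ms)
        self.tokens = min(self.cap, self.tokens + refill)
        self.last_ms = t_ms
        cost = length * SCALE
        if cost > self.tokens:
            return False                # "then discard"
        self.tokens -= cost
        return True

def simulate(packets, bandwidth_limit="1m", burst_size_limit="100k"):
    """packets: iterable of (arrival_ms, length_bytes); returns the verdicts."""
    policer = Policer(bandwidth_limit, burst_size_limit)
    return [policer.offer(t, n) for t, n in packets]

# Constructed traffic: 1000-byte packets, one per millisecond (8 Mbit/s offered)
FLOOD = [(ms, 1000) for ms in range(200)]
# Constructed traffic: the same packets at exactly 1 Mbit/s (one every 8 ms)
COMPLIANT = [(ms, 1000) for ms in range(0, 2000, 8)]

if __name__ == "__main__":
    verdicts = simulate(FLOOD)
    print("accepted:", sum(verdicts), "first discard at ms", verdicts.index(False))
    print("compliant flow untouched:", all(simulate(COMPLIANT)))
```

The burst allowance is what lets the first 114 ms of the flood through at eight times the configured rate; after that the flow is held to one packet every 8 ms.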

Flexible bandwidth

    firewall {
        family inet6 {
            filter LimitCE-A2 {
                policer LimCE-A2 {
                    if-exceeding {
                        bandwidth-limit 1m;
                        burst-size-limit 100k;
                    }
                    then discard;
                }
                term 1 {
                    from {
                        source-address {
                            3ffe:1411:2205::/48;
                        }
                    }
                    then {
                        policer LimCE-A2;
                        accept;
                    }
                }
            }
        }
    }

[Figure: PE/P/CE topology, host 3ffe:1411:2205::5 at CE-A2]

Security

- Security on routers is more important than ever for customer and infrastructure protection
- On-going DoS work in IPv4 to be extended to IPv6
- Hardware-based packet handling, filtering optimize key security actions
- SNMPv3 improves router authentication

Source Address Verification

- uRPF can be configured per-interface/sub-interface
- Supports both IPv4 and IPv6
- Packet/Byte counters for traffic failing the uRPF check
- Additional filtering available for traffic failing check: police/reject
- Can syslog the rejected traffic for later analysis
- Two modes available:
  - Active-paths: uRPF only considers the best path toward a particular destination
  - Feasible-paths: uRPF considers all the feasible paths. This is used where routing is asymmetrical.

Source Address Verification

[Figure: host 3ffe:1411:2205::5 at CE-A2; route 3ffe:1411:2205::/48 *[BGP/170] > via so-0/0/0/0.0; PE 1 interface so-0/0/0.0; attack with source address = 3ffe:1411:2205::5 arriving at PE 3 ge-0/1/0 from CE-B3 (3ffe:1541:2305::/48); uRPF check at PE 3]
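The two uRPF modes on this slide, run over the scenario in the figure, as an added example that is not part of the original deck. The routing table and packets are constructed: the 3ffe:1411:2205::/48 route via so-0/0/0.0 and the ge-0/1/0 customer port come from the slide, while so-0/1/0.0 is a hypothetical second, non-best path added to show the asymmetric-routing case; all function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed routing table: prefix -> [(interface, is_active_path)].
ROUTES = {
    "3ffe:1411:2205::/48": [("so-0/0/0.0", True), ("so-0/1/0.0", False)],
    "3ffe:1541:2305::/48": [("ge-0/1/0", True)],
}
TABLE = [(ipaddress.ip_network(p), paths) for p, paths in ROUTES.items()]

def reverse_paths(src):
    """Longest-prefix match on the source address; [] when no route exists."""
    addr = ipaddress.ip_address(src)
    hits = [(net, paths) for net, paths in TABLE if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else []

def urpf_pass(src, in_if, mode):
    """True when the packet arrived on an interface that leads back to src."""
    paths = reverse_paths(src)
    if mode == "active-paths":        # only the best path counts
        allowed = {ifname for ifname, active in paths if active}
    elif mode == "feasible-paths":    # any known path counts
        allowed = {ifname for ifname, _ in paths}
    else:
        raise ValueError(f"unknown uRPF mode: {mode}")
    return in_if in allowed

def run_check(packets, mode):
    """Return (passed, fail_counters); the counters mirror the packet/byte
    counters kept for traffic failing the check."""
    passed, fails = [], Counter()
    for src, in_if, length in packets:
        if urpf_pass(src, in_if, mode):
            passed.append((src, in_if))
        else:
            fails[in_if, "packets"] += 1
            fails[in_if, "bytes"] += length
    return passed, fails

# Constructed packets: (source address, arrival interface, length in bytes)
PACKETS = [
    ("3ffe:1411:2205::5", "ge-0/1/0", 64),      # spoofed source from the slide
    ("3ffe:1411:2205::5", "so-0/0/0.0", 512),   # same source on its best path
    ("3ffe:1411:2205::9", "so-0/1/0.0", 1500),  # asymmetric but legitimate
    ("3ffe:1541:2305::12", "ge-0/1/0", 128),    # customer's own prefix
    ("2001:db8::1", "ge-0/1/0", 40),            # no route back at all
]

if __name__ == "__main__":
    for mode in ("active-paths", "feasible-paths"):
        passed, fails = run_check(PACKETS, mode)
        print(mode, "passed:", len(passed), "failed:", dict(fails))
```

In active-paths mode the legitimate packet on the non-best path is counted as a failure alongside the spoofed one, which is why feasible-paths is the mode for asymmetric routing.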

Real-time DoS Identification with Destination Class Usage

    policy-options {
        community victim members 100:100;
        policy-statement set-dest-class {
            term 1 {
                from {
                    protocol bgp;
                    community victim;
                }
                then {
                    destination-class dcu-victim;
                    accept;
                }
            }
        }
    }
    routing-options {
        forwarding-table {
            export set-dest-class;
        }
    }
    interfaces {
        so-2/0/1 {
            unit 0 {
                family inet6 {
                    address feee::10:255:73:2/128;
                    accounting {
                        destination-class-usage;
                    }
                }
            }
        }
    }

[Figure: PE/P/CE topology, PE 1 so-0/0/0.0, PE 3 ge-0/1/0, CE-B3 with prefix 3ffe:1541:2305::/48]

Real-time DDoS Identification

[Figure: PE/P/CE topology, PE 1 so-0/0/0.0, PE 3 ge-0/1/0, CE-B3 with prefix 3ffe:1541:2305::/48]

Real-time DDoS Identification

[Figure: PE/P/CE topology with labels PE 1 so-0/0/0.0, PE 3 ge-0/1/0, BGP update 3ffe:1541:2305::12/128 with community 100:100, and host 3ffe:1541:2305::12 at CE-B3]

QoS

- IPv6 header includes traffic class and flow label
  - Traffic class function = DSCP
  - Largely undefined flow label identifies a traffic flow needing special handling, i.e. voice, video, etc.
- IPv6 routers must be able to use traffic class and flow label without incurring performance cost

VPNs

- VPNs are a valuable service
- Provider managed IPv4 VPN models have been successful
- Established VPN technologies used for IPv4 must be carried over to IPv6
- Services offered as part of a VPN, i.e. QoS, will still be required for IPv6
- VPN management must be able to support IPv4 and IPv6 traffic

L3 VPN over MPLS

[Figure: VPN A (sites 1 to 3), VPN B (sites 1 to 3) and VPN C (sites 1 and 2), a mix of IPv4 and IPv6 sites, attached through CE-A1, CE-A2, CE-A3, CE-B1, CE-B2, CE-B3, CE-C1 and CE-C2 to PE 1, PE 2 and PE 3 across P routers; PE-CE links labelled Static Routes, E-BGP and OSPF Routing]

Network Management

- IPv6 Management must be integrated in existing management systems
  - SNMP over v6 with IPv6 MIBs
  - Intuitive CLI
  - IPv6 Accounting
- APIs (e.g. XML) for OSS integration
  - Reduce latency between new vendor feature/service and OSS integration
  - Operational efficiency hinges on OSS integration
- Router operations over IPv6
  - telnet, ssh, ftp, ping, traceroute…

Robustness and Reliability

- Common support of features, services on every interface across all platforms
- Same approach for hardware-based packet handling as IPv4
- Performance is critical
  - Maintaining SLA agreement for IPv4 while operating IPv6
- Separation of routing and control planes
- Graceful restart mechanisms
  - BGP, OSPF, IS-IS, RSVP, LDP…
- Linear software releases continuity to ensure common support and evolution

Integration of non IPv6 capable routers

- IPv6 in IPv4 tunnels
  - GRE or IP-IP Tunnels
  - Only possible:
    - with performance (hardware tunneling)
    - at small scale for manageability
- Connecting IPv6 Islands with IPv4 MPLS
  - Requires MPLS capable routers in the core

IPv6 in IPv4 tunnels

    interfaces {
        so-0/0/0 {
            unit 0 {
                family inet {
                    address 100.….2/24;
                }
                family inet6 {
                    address 9009:6::2/64;
                }
            }
        }
        gr-1/0/0 {
            unit 0 {
                tunnel {
                    source 100.…;
                    destination 100.…;
                }
            }
        }
    }

[Figure: PE 1 and PE 3 (so-0/0/0.0) connected across IPv4-only routers (Rv4)]

Connecting IPv6 Islands with IPv4 MPLS (1)

- IETF Draft as defined in draft-ietf-ngtrans-bgp-tunnel-04.txt
  - Connecting IPv6 Islands across IPv4 Clouds with BGP
  - Also known as "6PE"
- PEs run Dual Stack
  - MP-BGP over IPv4
  - PE and CE exchange IPv6 routes
  - MPLS LDP/RSVP LSPs are set up using IPv4
- Benefits
  - Leverages existing MPLS infrastructure
  - Requires IPv6 support only on PE router

[Figure: IPv6 site, PE1, IPv4 MPLS core, PE2, IPv6 site]

Connecting IPv6 Islands with IPv4 MPLS (2)

    interfaces {
        so-0/0/0 {
            unit 0 {
                family inet {
                    address 100.….2/24;
                }
                family inet6;
                family mpls;
            }
        }
        ge-0/1/0 {
            unit 0 {
                family inet6 {
                    address 8002::1/126;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 10.245.71.6/32;
                }
            }
        }
    }
    routing-options {
        autonomous-system 100;
    }

[Figure: PE 1 and PE 3 (so-0/0/0.0, ge-0/1/0) connected across IPv4-only routers (Rv4)]

Connecting IPv6 Islands with IPv4 MPLS (3)

    protocols {
        rsvp {
            interface so-0/0/0.0;
        }
        mpls {
            ipv6-tunneling;
            label-switched-path to_PE1 {
                to 10.245.72.6;
            }
            interface so-0/0/0.0;
        }
        bgp {
            group to_PE1 {
                type internal;
                local-address 10.245.71.6;
                family inet6 {
                    labeled-unicast {
                        explicit-null;
                    }
                }
                export red-export;
                neighbor 10.245.72.6;
            }
        }
        ospf {
            traffic-engineering;
            area 0.0.0.0 {
                interface so-0/0/0.0;
                interface lo0.0 {
                    passive;
                }
            }
        }
    }

[Figure: PE 1 and PE 3 (so-0/0/0.0, ge-0/1/0) connected across IPv4-only routers (Rv4)]

Connecting IPv6 Islands with IPv4 MPLS (4)

    protocols {    # protocols (next)
        ripng {
            group to_CE-B3 {
                export red-import;
                neighbor ge-0/1/0.0;
            }
        }
    }

    policy-options {
        policy-statement red-export {
            term 1 {
                from protocol ripng;
                then accept;
            }
            term 2 {
                then reject;
            }
        }
        policy-statement red-import {
            from protocol bgp;
            then accept;
        }
    }

[Figure: PE 1 and PE 3 (so-0/0/0.0, ge-0/1/0.0) connected across IPv4-only routers (Rv4)]

Agenda

- IPv6 Implementation
- IPv6 examples and Case Studies

Juniper Networks IPv6 deployment in R&E and ISPs

[Figure: deployments by region: Americas, EMEA, APAC]

Case 1: direct connection to IPv4 + IPv6 services

[Figure: Metropolitan, Regional or National Network with IPv4 + IPv6 addresses on each interface (POS, ATM, GigE…), connected through an IPv4 + IPv6 switch to the IPv6 service and the 6bone by BGP, and to the LAN switch by RIPv6]

IPv6 direct peering

    interfaces {
        ge-0/1/0 {
            unit 0 {
                family inet {
                    address 192.168.0.5/24;
                }
                family inet6 {
                    address 8028:20::1/64;
                }
            }
        }
        so-0/0/0 {
            unit 0 {
                family inet {
                    address 204.146.35.1/30;
                }
                family inet6 {
                    address 8028:25::1/64;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 192.168.1.1/32;
                    address 127.0.0.1/32;
                }
                family inet6 {
                    address 8028:5::1/128;
                    address ::1/128;
                }
            }
        }
    }
    routing-options {
        autonomous-system 100;
    }
    protocols {
        ripng {
            group igp {
                neighbor ge-0/1/0.0;
            }
        }
        bgp {
            group NREN-4-6 {
                local-address 204.146.35.1;
                family inet {
                    unicast;
                }
                family inet6 {
                    unicast;
                }
                peer-as 64595;
                neighbor 204.146.35.2;
            }
        }
    }

Case 2: remote connection to IPv6 service

[Figure: Metropolitan, Regional or National Network with IPv4 + IPv6 addresses on each interface (POS, ATM, GigE…), reaching the IPv6 service and the 6bone through an IPv6 in IPv4 tunnel; BGP with v6 addresses toward the IPv6 service, RIPv6 toward the LAN switch]

IPv6 direct peering

    interfaces {
        ge-0/1/0 {
            unit 0 {
                family inet {
                    address 192.168.0.5/24;
                }
                family inet6 {
                    address 8028:20::1/64;
                }
            }
        }
        so-0/0/0 {
            unit 0 {
                family inet {
                    address 204.146.35.1/30;
                }
                family inet6 {
                    address 8028:25::1/64;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 192.168.1.1/32;
                    address 127.0.0.1/32;
                }
                family inet6 {
                    address 8028:5::1/128;
                    address ::1/128;
                }
            }
        }
        gr-1/0/0 {
            unit 0 {
                tunnel {
                    source 204.146.35.1;    # so-0/0/0.0
                    destination 195.…;
                }
            }
        }
    }
    routing-options {
        rib inet6.0 {
            static {
                route 8028:10::1/128 next-hop 8028:25::2;
            }
        }
    }
    protocols {
        ripng {
            group igp {
                neighbor ge-0/1/0.0;
            }
        }
        bgp {
            group peering-v6 {
                type external;
                local-address 8028:5::1;    # Loopback
                peer-as 64595;
                neighbor 8028:10::1;
            }
        }
    }

Pan-European Research Networking

- 10 Gb/s backbone with Juniper M160s
- WDM optical technology
- 30 R&E connected organizations
- European connectivity to over 3000 R&E institutions
- Services: Multicast, IP Premium, VPN, IPv6

[Figure: map of connected research networks: RHnet, SUNET, UNINETT, FUNET, EENet, UKERNA, Forskningsnettet, HEAnet, SURFnet, LATNET, LITNET, POL-34, RCTS, RedIRIS, CESNET, SANET, RENATER, Aconet, SWITCH, HUNGARNET, ARNES, RoEduNet, CARNet, GARR, UNICOM-B, GRNET, Belnet, DFN, RESTENA, CYNET, IUCC]

http://www.dante.net/geant/

IPv6 Available Features

Now: available on all M-series and T-series platforms

Addressing & Forwarding
- Forwarding in hardware
- Addressing: link, site, global
- Stateless autoconfiguration
- Neighbor discovery
- EUI 64 Autogeneration

Routing Protocols
- IS-IS
- OSPFv3
- MP-BGP over v4/v6
- RIPng
- Static
- IPv6 VPN (RFC2547bis)
- PIM v2
- MLD

Operations & Transition
- Common support
  - ICMPv6
  - SNMP over v6 + MIBs
  - IP applications: ping, ssh, telnet, ftp…
- IPv6 Packet Filtering
- Unicast RPF
- FBF and CBF for IPv6
- Destination/Source Class Usage
- Transition
  - Configured tunnels
  - Dual stack
  - Transport IPv6 in MPLS

Thank You

http://www.juniper.net