v6_whats-happening (presentation at GEANT APM meeting, 2011, Ljubljana)
1. IPv6 - what’s happening?
APM meeting, Ljubljana, 16-17 February 2011
Matjaž Straus Istenič, ARNES
matjaz.straus@arnes.si
What do we know about IPv6 in our networks?
- metering, monitoring and management of IPv6 traffic: how does it compare to v4 “standards”?
- which content is available over IPv6?
2. 4
Let us start with IPv4. It has been with us for ages, for as long as we can remember ;-) (RFC 791, Sep. 1981).
3. We can handle v4
• we can count v4 packets
• we can find sources and destinations
• we know what traffic looks like:
• protocols, ports, services
• flow characteristics
• we can spot anomalies
We meter, monitor and manage IPv4 traffic: we do accounting, we recognize traffic characteristics, and we run traffic analysis to detect sources and destinations, protocols and ports. Based on traffic characteristics we might also identify services and applications.
Why? Planning, accounting/billing, network monitoring - anomaly detection (DoS prevention and detection, worms/viruses, spam, ...), security analysis (scans, hacking attempts), various statistics, QoS design and monitoring, ...
4. 6?
What about IPv6? Oops! Standard since RFC 2460, dec. 1998, but...
Tabula rasa? (page intentionally left blank)
Well, it might not be so bad :-). Let’s take a look...
5. What about v6?
• so, how much traffic is there?
• ... and what’s going on in there?
what’s going on?
Two basic questions: accounting and traffic flow analysis. OK, the amount of IPv6 traffic can be monitored somehow (proper equipment, separate L3 interfaces for IPv4 and IPv6, “hacking” with counters, ...), but what about the “nature” of the traffic (netflow)?
Do we have a clue what is flowing in there? Can we detect scans, DoS attacks, spam etc. via IPv6, or do such events just pass by totally unnoticed?
6. What about v6?
• can we count v6 packets?
• what are the sources and destinations?
• what does the traffic look like?
• protocols, ports, services
• flow characteristics
• who mentioned anomalies?
For activities that are now "de facto" standard in IPv4 networks there is still no comparable support for IPv6.
For IPv4, tools and support for capturing traffic statistics are widely available (here we are not referring to special and expensive commercial equipment, but to features available on common NREN equipment such as Cisco/Juniper routers and open-source software).
What about anomalies!? Hey - we look forward to each IPv6 packet that shows up in our graph :-). Sarcastically - we might even happily accept some DDoS traffic on IPv6 transport, just to bring more IPv6 into our networks ;-).
7. Traffic counters
• Cisco 4900M
• the magic word counter :-)
wendy4900M(config-if)#counter ?
ipv4 Enable IPv4 statistic counters
ipv6 Enable IPv6 statistic counters
<cr>
wendy4900M(config-if)#counter ipv4 ipv6 separate
wendy4900M#sh int te1/1
TenGigabitEthernet1/1 is up, line protocol is up (connected)
Hardware is Ten Gigabit Ethernet Port, address is ***
5 minute input rate 4715000 bits/sec, 378 packets/sec
5 minute output rate 4716000 bits/sec, 378 packets/sec
L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes
L3 out Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes
IPv6 L3 in Switched: ucast: 580132 pkt, 870007556 bytes - mcast: 0 pkt, 0 bytes
IPv6 L3 out Switched: ucast: 579998 pkt, 869997000 bytes - mcast: 0 pkt, 0 bytes
580291 packets input, 880479521 bytes, 0 no buffer
580311 packets output, 880484182 bytes, 0 underruns
IP-MIB::ipIfStatsHCInReceives.ipv6.41 = Counter64: 580202
IP-MIB::ipIfStatsHCInOctets.ipv6.41 = Counter64: 870016344
IP-MIB::ipIfStatsHCOutTransmits.ipv6.41 = Counter64: 580121
IP-MIB::ipIfStatsHCOutOctets.ipv6.41 = Counter64: 870007412
Cisco 4900M: good news! By adding the magic word “counter” (counter ipv4 ipv6 separate), we can read separate counters for IPv4 and IPv6 traffic. The feature is also supported over SNMP in IP-MIB.
8. Traffic counters
• Cisco 6500/7600
• no interface counters :-(
• workaround: “service policy”
• CISCO-CLASS-BASED-QOS-MIB
class-map match-all MatchIPv4
 match protocol ip
class-map match-all MatchIPv6
 match protocol ipv6
!
policy-map CountIPv4AndIPv6
 class MatchIPv4
  set dscp default/police ...action transmit
 class MatchIPv6
  set dscp default/police ...action transmit
 class class-default
  set dscp default
!
interface TenGigabitEthernet6/4
 switchport
 switchport trunk allowed vlan <vlan-id>, ...
 switchport mode trunk
 service-policy input CountIPv4AndIPv6
!
interface Vlan<vlan-id>
 ip address 193.***
 ipv6 address 2001:***/64
 ipv6 enable
 service-policy output CountIPv4AndIPv6
Cat6500/Sup720-PFC3BXL, Cisco 7600: there are no interface counters. Workaround: a service policy that separates IPv4 and IPv6 traffic.
SNMP support is in the Cisco Class-based QoS MIB.
9. Traffic counters
• Juniper M, MX
• counters in firewall filters
[edit firewall family inet6 filter <filter-name>]
term CountGoogle6 {
from {
source-class GoogleSourceClass;
}
then {
count cntrC_CountGoogle6;
next term;
}
}
show firewall filter <filter-name> counter cntrC_CountGoogle6
Filter: <filter-name>
Counters:
Name Bytes Packets
cntrC_CountGoogle6 4489342428362 3155788767
Juniper M, MX: firewall filters (packet filters similar to Cisco ACLs). Great feature! Counters based on many different criteria. With SNMP support.
10. Traffic counters
• Juniper M, MX
• interface counters
[edit forwarding-options family inet6]
route-accounting;
show interfaces xe-0/3/0.0 [statistics] detail
Transit statistics:
Input bytes : 1208084938033011 562048144 bps
Output bytes : 1885425848993971 2961002376 bps
Input packets: 1515213022929 161138 pps
Output packets: 1727060075137 301654 pps
IPv6 transit statistics:
Input bytes : 4164652434717
Output bytes : 683746177338
Input packets: 7842621292
Output packets: 1999956530
Juniper M, MX: accounting. Works fine, but don’t forget the magic word “route-accounting”.
11. What’s going on?
• netflow in 4 bullets
• router (“exporter”) meters flows
• flow keys: src/dst address, protocol, ports
• packets and bytes
• data is exported to a server (“collector”)
Netflow “for dummies” ;-) A brief explanation: metering process -> exporter -> collector.
12. NetFlow
• v9 versus v5 export
source: netflowninjas.lancope.com
The v5 export format is fixed, so it lacks IPv6 support. The export process based on NetFlow v9 uses templates, which adds support for IPv6, MPLS, BGP Next-Hop etc.
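How a collector uses v9 templates to decode an IPv6 flow, as an added example that is not part of the original slides: a minimal decoder following the RFC 3954 packet layout, run on a constructed packet with documentation-prefix addresses. The function names, record keys and sample values are this example's own assumptions.

```python
import ipaddress
import struct

# Field type numbers are from RFC 3954; the record key names are this example's own.
FIELDS = {1: "bytes", 2: "packets", 4: "protocol", 7: "src_port", 11: "dst_port",
          8: "src_addr", 12: "dst_addr", 27: "src_addr", 28: "dst_addr"}
ADDRESS_TYPES = {8, 12, 27, 28}  # IPv4 (8, 12) and IPv6 (27, 28) addresses

def decode_record(data, spec):
    record, pos = {}, 0
    for ftype, flen in spec:  # fields arrive in the order the template lists them
        raw, pos = data[pos:pos + flen], pos + flen
        name = FIELDS.get(ftype, f"field_{ftype}")
        record[name] = (str(ipaddress.ip_address(raw)) if ftype in ADDRESS_TYPES
                        else int.from_bytes(raw, "big"))
    return record

def decode_v9(packet, templates):
    """Decode one export packet; `templates` caches layouts between packets."""
    version, _count, _up, _secs, _seq, source_id = struct.unpack_from("!HHIIII", packet)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    flows, offset = [], 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack_from("!HH", packet, offset)
        if length < 4 or offset + length > len(packet):
            raise ValueError("flowset length runs past the packet")
        body, offset, pos = packet[offset + 4:offset + length], offset + length, 0
        while flowset_id == 0 and pos + 4 <= len(body):  # template flowset
            tid, n = struct.unpack_from("!HH", body, pos)
            if tid < 256 or pos + 4 + 4 * n > len(body):
                break  # padding or a truncated template
            templates[(source_id, tid)] = [
                struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(n)]
            pos += 4 + 4 * n
        if flowset_id >= 256:  # data flowset: undecodable until its template is cached
            spec = templates.get((source_id, flowset_id), [])
            size = sum(flen for _, flen in spec)
            for start in (range(0, len(body) - size + 1, size) if size else ()):
                flows.append(decode_record(body[start:start + size], spec))
    return flows

def sample_packet(with_template=True):  # constructed input, not captured traffic
    spec = [(27, 16), (28, 16), (7, 2), (11, 2), (4, 1), (2, 4), (1, 4)]
    tmpl = struct.pack("!HH", 256, len(spec)) + b"".join(struct.pack("!HH", *f) for f in spec)
    rec = b"".join(ipaddress.ip_address(a).packed for a in ("2001:db8:1::a", "2001:db8:2::88"))
    rec += struct.pack("!HHBII", 80, 51234, 6, 10, 14800) + b"\0\0\0"  # padded to 4 bytes
    sets = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl if with_template else b""
    sets += struct.pack("!HH", 256, 4 + len(rec)) + rec
    return struct.pack("!HHIIII", 9, 2 if with_template else 1, 0, 0, 1, 7) + sets
```

The `templates` dictionary has to outlive a single packet and is keyed per exporter source ID, because exporters resend templates only periodically and data flowsets that arrive before their template cannot be interpreted.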
13. NetFlow v9
• Cisco 6500/7600
• simple!
mls aging fast time 8 threshold 1
mls aging long 300
mls aging normal 120
mls netflow interface
mls flow ip interface-full
mls flow ipv6 interface-full
mls nde sender
mls sampling packet-based 64 16000
!
ip flow-export source Loopback0
ip flow-export version 9
ip flow-export destination <collector-ip> <port#>
Previously criticized equipment deserves a compliment ;-)
It is very easy to enable NetFlow v9 for IPv6 on the 6500/7600: one additional configuration command to enable IPv6 netflow and a simple change of the version from 5 to 9.
14. NetFlow v9
• Juniper MX
• we need Multiservices DPC :-(
Mucho dinero :-(
Sad but true, we are forced to buy a tank when we only needed a bicycle :-( The rather expensive MS DPC card is extremely powerful and adds many more features to the system, not only netflow v9. But we only asked for netflow :-(
Dear Juniper, can we get netflow 9 on “ordinary” interface DPCs, please?
15. NetFlow v9 (collector)
• nfdump/NfSen
• simple!
• IPv4
nfcapd -w -D -p <port#> -S 1 -P <pid-file>
-I <router-name> -l <dir>/<file-name>
• IPv6
nfcapd -w -D -p <port#> -S 1 -P <pid-file>
-I <router-name> -l <dir>/<file-name>
Nfdump - highly recommended! A good, very satisfactory front end - NfSen.
No, there is no error on the slide - the nfcapd daemon (collector) “auto-magically” recognizes v9 packets. There is no need to explicitly define the version. Great!
16. NetFlow v9 (collector)
• nfcapd, nfdump (v1.6.1p1)
• supported v9 elements/fields
NF9_LAST_SWITCHED
NF9_FIRST_SWITCHED
NF9_IN_BYTES
NF9_IN_PACKETS
NF9_IN_PROTOCOL
NF9_SRC_TOS
NF9_TCP_FLAGS
NF9_FORWARDING_STATUS
NF9_IPV4_SRC_ADDR
NF9_IPV4_DST_ADDR
NF9_IPV6_SRC_ADDR
NF9_IPV6_DST_ADDR
NF9_L4_SRC_PORT
NF9_L4_DST_PORT
NF9_ICMP_TYPE
NF9_SAMPLING_INTERVAL 34 Sampling
NF9_SAMPLING_ALGORITHM 35 Sampling
NF9_FLOW_SAMPLER_ID 48 Sampling
FLOW_SAMPLER_MODE 49 Sampling
NF9_FLOW_SAMPLER_RANDOM_INTERVAL 50 Sampling
Support for most common elements, including sampling.
18. Silent IPv6 waters
• slow but steady traffic growth
• a year ago *
• 1:7.000
• today
• 1:70
* Remark:
Measured dec. 2009 and dec. 2010
(graph labels: students in Ljubljana; Google)
We are seeing a 1:100 increase in IPv6 traffic over the last year (from 11/2009 to 11/2010). Two major events:
- IPv6 was deployed in student dormitories (campus) in Ljubljana (3/2010)
- ARNES entered the IPv6 @Google program and ARNES DNS servers were whitelisted (5/2010). Campus DNS servers were configured to use ARNES DNS (DNS forwarding): students in Ljubljana can now use Google services via IPv6.
Does this mean that ...
19. IPv6 = google?
...does this mean that most/all IPv6 traffic comes from the Google AS (google, gmail, maps, docs, youtube, ...)?
20. Everything from Google?
• traffic from Google AS 15169
First graph in ARNES history, where IPv4 and IPv6 are shown on the same graph with linear (not logarithmic!) scale ;-)
21. Everything from Google?
• google versus all
Yes, it is true -- it all comes from Google AS!
22. Example: traffic analysis
• “top ten” sources
$ nfdump -M <dir>/<router1>:<router2>...
-R 2010/11/18/nfcapd.201011180000:2010/11/18/nfcapd.201011182355
-n 10 -s srcip/bytes -6 "inet6 and dst net 2001:1470::/32"
Top 10 Src IP Addr ordered by bytes:
Date first seen Duration Proto Src IP Addr Flows(%) Packets(%) Bytes(%) pps bps bpp
2010-11-18 05:20 45211.757 any 2001:878:346::116 26( 0.0) 3.9 M( 3.1) 5.9 G( 3.9) 86 1.0 M 1498
2010-11-17 23:59 86381.670 any 2001:1470:8000::88 12729( 0.1) 3.0 M( 2.4) 4.4 G( 2.9) 34 405824 1469
2010-11-18 11:24 45327.856 any 2a00:1450:4001:8::a 1085( 0.0) 1.6 M( 1.3) 2.3 G( 1.5) 34 412576 1483
2010-11-18 11:41 43762.481 any 2a00:1450:4001:9::e 1132( 0.0) 1.5 M( 1.2) 2.2 G( 1.4) 33 393789 1477
2010-11-18 00:07 53778.938 any 2001:6b0:e:2018::163 96( 0.0) 1.3 M( 1.0) 1.9 G( 1.3) 23 286426 1495
2010-11-18 00:10 85222.844 any 2001:6b0:e:2018::173 253( 0.0) 1.3 M( 1.0) 1.9 G( 1.3) 14 178345 1487
2010-11-18 00:08 85831.323 any 2a00:1450:4001:7::6 1245( 0.0) 1.3 M( 1.0) 1.9 G( 1.2) 14 175448 1463
2010-11-18 12:28 41430.149 any 2a00:1450:4001:8::6 1275( 0.0) 1.3 M( 1.0) 1.9 G( 1.2) 30 363130 1469
2010-11-18 11:33 44681.784 any 2a00:1450:4001:8::12 1144( 0.0) 1.3 M( 1.0) 1.9 G( 1.2) 28 333184 1472
2010-11-18 11:28 45115.116 any 2a00:1450:4001:9::a 1003( 0.0) 1.2 M( 1.0) 1.8 G( 1.2) 27 321403 1484
Summary: total flows: 9347379, total bytes: 151.0 G, total packets: 125.8 M, avg bps: 14.0 M, avg pps: 1455, avg bpp: 1200
Time window: 2010-11-17 23:59:50 - 2010-11-18 23:59:58
Total flows processed: 427390995, Blocks skipped: 0, Bytes read: 20935606668
cache.arnes.si, one “mirror” and two FTP servers far north, all the rest is youtube (123.3 GB from 2a00:1450:4000::/40)
Traffic analysis for 18.11.2010 shows that more than 80% of IPv6 traffic comes from youtube.com (2a00:1450:4001:x::).
23. Example: traffic analysis (cont.)
• youtube, TCP/80
$ nfdump -M <dir>/<router1>:<router2>...
-R 2010/11/18/nfcapd.201011180000:2010/11/18/nfcapd.201011182355
-n 10 -s srcport:p/bytes
"inet6 and dst net 2001:1470::/32 and src net 2a00:1450:4000::/40"
Top 10 Src Port ordered by bytes:
Date first seen Duration Proto Src Port Flows(%) Packets(%) Bytes(%) pps bps bpp
2010-11-17 23:59 86408.444 TCP 80 116151(100.0) 83.3 M(100.0) 123.3 G(100.0) 963 11.4 M 1480
Summary: total flows: 116151, total bytes: 123.3 G, total packets: 83.3 M, avg bps: 11.4 M, avg pps: 963, avg bpp: 1480
Time window: 2010-11-17 23:59:50 - 2010-11-18 23:59:58
Total flows processed: 427390995, Blocks skipped: 0, Bytes read: 20935606668
Everything is TCP/80.
24. Wrap up
• Traffic monitoring for v6 is not as mature as for v4
• Message to content providers:
• network and services are ready
• users are waiting for you!
• it can’t only be ;-)
Conclusion:
- IPv6 traffic metering/monitoring/management is not deployed at the same level as for IPv4, but it is slowly catching up.
- A lack of content available via IPv6 :-(. Currently (Jan. 2011), Google services (youtube) are dominant. Should we and can we do something about it?
The NREN community with Dante/GEANT plays an important role in IP technology and the variety of its deployment in today’s innovative networks and services. We can influence the vendors and prove that full IPv6 support is essential in any modern communication product. Good example: RIPE 501 (Requirements For IPv6 in ICT Equipment). Can we also influence content providers to take steps towards IPv6?
25. Thank you!
Matjaž Straus Istenič, ARNES
matjaz.straus@arnes.si