IPv6 past, present, future with Michael Sinatra and Nick Buraglio

2021-03-302021-03-30 ~ Michael Sinatra

In March 2020, the U.S. Government Office of Management and Budget (OMB) released a draft memo outlining a required migration to IPv6 only. Memorandum M-21-07 was made official on November 19, 2020. Among other things, this memo mandates that 80% of IP-enabled assets on Federal networks are operating in IPv6-only environments by the end of FY 2025.

ESnet is in the process of planning this transition now, to ensure that we provide our users with the support and resources they need to continue their work uninterrupted and unimpeded by the transition. Practically speaking, this means for ESnet that by 2025, all of our nodes will be transitioned to IPv6 address space, and we will not support dual-stacking with IPv4 and IPv6 addresses.

Transitioning to an IPv6-only network has been over a quarter-century in the making for ESnet. Here’s a look back at our history with IPv6

IPv6: Past and Present

ESnet’s history of helping to develop, support, and operationalize new protocols begins well before the advent of IPv6.

In the early 1990s, Cathy Aronson, an employee of Lawrence Livermore National Laboratory working on ESnet, helped establish a production implementation and support plan for the Open Systems Interconnect (OSI) Connectionless-mode Network Service (CLNS) suite of network protocols. Crucially, Aronson developed a scalable network addressing plan that provided a model for the utilization of the kinds of massive address spaces that OSI CLNS and, later, IPv6 would come to use. CLNS itself was a logical progression from DECnet which had been embraced and supported by ESnet’s precursors (MFEnet and HEPnet).

As the IPv6 draft standard (RFC2460) developed in the 1990s, ESnet staff created an operational support model for the new protocol. The stakes were high; if IPv6 were to succeed in supplanting IPv4, and prevent the ill effects of IPv4 address exhaustion, it would need a smooth roll-out. Bob Fink, Tony Hain, and Becca Nitzan spearheaded early IPv6 adoption processes, and their efforts reached far beyond ESnet and the Department of Energy (DOE). The trio were instrumental in establishing a set of operational practices and testbeds under the auspices of the Internet Engineering Task Force–the body where IPv6 was standardized–and this led to the development of a worldwide collaboration known as the 6bone. 6bone was a set of tunnels that allowed IPv6 “islands” to be connected, forming a global overlay network. More importantly, it was a collaboration that brought together commercial and research networks, vendors, and scientists, all with the goal of creating a robust internet protocol for the future.

Not only were Fink, Hain, and Nitzan critical in this development of what would become a production IPv6 network (their names appear on a number of IETF RFCs), they would also spearhead the adoption of the protocol within ESnet and DOE. In the summer of 1996, ESnet was officially connected to the 6bone; by 1999, the Regional Internet Registries had received their production allocations of IPv6 address space. Just one month later, the first US allocation of that space was made–to ESnet. ESnet has the distinction of being the first IPv6 allocation from ARIN – assigned on August 3, 1999, with the prefix 2001:0400::/32.

Nitzan continued her pioneering work, establishing native IPv6 support on ESnet, and placing what we believe was the first workstation on a production IPv6 network. This was part of becoming the first production network in North America to adopt IPv6 in tandem with IPv4 via the use of an IPv6 “dual-stack.” As US Government requirements and mandates developed in 2005, 2012, and 2014, the ESnet team met these requirements for increased IPv6 adoption, while also providing support and consultation for the DOE community.

Although Aronson, Fink, Hain, and Nitzan have all moved on from ESnet, a new generation of staff continued the spirit of innovation and early adoption. In the early 2010s, ESnet’s internal routing protocols were consolidated around the use of multi-topology Intermediate System to Intermediate System or IS-IS. This allowed for the deployment of flexible and disparate IPv4 and IPv6 topologies, paving the way for the creation of IPv6-only portions of ESnet, allowing the use of optimized routing protocols for the entire network. ESnet’s acquisition strategy has long emphasized IPv6 support and feature parity between IPv4 and IPv6.

All IPv6: Switching over, and the future

As ESnet moves into ESnet6, it is well-positioned to build and expand an IPv6-only network, while retaining legacy support for IPv4 where needed. ESnet will soon finish a two-year project to switch our management plane entirely over to IPv6.

For our customers and those connected to us, here’s what this means:

ESnet will be ready, willing, and able to support connectors, constituents, and partners in their journey to deploying IPv6-only across our international network.
ESnet planning and architecture team members have been included in the Department of Energy Integration and Product Team (DOE IPT) for migration to IPv6-only, and are supporting planning and documentation efforts for the DOE Complex.
We look forward to supporting our customers and users, as we all make this change to IPv6 together.

Three Questions with John Hess

2021-03-16 ~ Andrew Wiedlea

John comes to ESnet’s Network Engineering team from the Corporation for Education Network Initiatives in California (CENIC), operator of the State of California Research and Education Network (CALREN). At CENIC, John was involved in a number of projects, including the Pacific Wave, the Pacific Research Platform, and participation in Global Network Advancement Group (GNA-G) teams exploring AutoGOLE/NSI and Data Intensive Science, as well as other collaborative efforts.

Prior to CENIC, John worked as a network engineer for UC, as well as a systems engineer during a brief stint with Cisco. Among his interests are interconnection protocols, network performance, and data movement.

What brought you to ESnet?

Through my activities with CENIC and Pacific Wave, I had the opportunity to collaborate with colleagues at ESnet on a variety of projects. The ESnet folks with whom I have worked consistently impressed me with their depth of expertise, willingness to share their knowledge, and their commitment to advancing the interests of researchers and multidisciplinary, data-intensive initiatives involving the national labs and institutions across the broader R&E community. I wanted to join and contribute as part of that team.

What is the most exciting thing going on in your field right now?

Due to the COVID-19 pandemic, there is a more general realization and sense of urgency of the need to close the digital divide. I am excited about (further) democratizing access to technology — to under-served communities, to a more diverse set of potential researchers and contributors. As much as the advances in basic research with HEP (high energy physics), Astro-Physics, Genomics, Earth Sciences, and other domains, I am excited about advancing pervasive access to technology.

What book would you recommend?

Burch, David. Celestial Navigation, A Complete Home Study Course, Second Edition. Seattle, Starpath Publications, 2019.

I began sailing as a kid with our family’s 13’ SunFish on a lake near our home in NJ. This began what has become a life-long passion for sailing and the realization of a childhood dream of someday owning and living on a sailboat. Though my boat is equipped with a state-of-the-art navigation system, among my current dreams is to become conversant with celestial navigation and to complete ocean passages relying exclusively on this centuries-old technology.

Cyber Infrastructure Engineering Lunch & Learn Series Hits 100!

2021-03-09 ~ Andrew Wiedlea

In 2017 ESnet, in collaboration with the National Science Foundation, created a series of bi-weekly talks on network engineering and research engagement topics. These “Cyberinfrastructure (CI) Engineering Lunch & Learn” presentations, held every other Friday afternoon at 2:00pm ET, have become an important way for engineers from the research and education community to share technical best practices for deploying and operating laboratory and campus networks. It has also served as a social event for a common community of interest especially during the pandemic.

A representative slide from Jason’s 4 May 2020 CI Lunch & Learn Talk on “TCP Basics and Science DMZ” — networking science with a healthy dose of LoLcats.

On March 12th, ESnet’s Jason Zurawski – who developed and still leads the events – will convene the 100th CI Engineering Lunch and Learn. A complete set of recordings of past sessions is available on the EPOC YouTube Channel located here. An anniversary is always a chance to look back on what has been accomplished; here are 5 Questions with Jason to get his thoughts on the Lunch and Learn series.

Thinking back over the past 100 talks, which have particularly stuck in your mind?

The best turn-out and feedback that I receive from the participants comes from either “hot topics” or engaging speakers.

For instance, we have had a number of popular, well attended talks on the development of the BBR protocol (going as far back as 2017). . Other sessions that were well attended focused on topics like perfSONAR, Science DMZ, and Data Transfer; all of these are critical to building an effective and high performing cyberinfrastructure that supports data transfers in service of global science collaborations.

Other critical talks come from innovative and important voices from the R&E community. Hyojoon Kim from Princeton talking about P4 and how it is used on their campus to facilitate network research (https://youtu.be/R2UQH4Y8Uec), and the perfSONAR project’s use of new measurement protocols such as TWAMP (https://youtu.be/7wRZbmKmtAY) are great examples of these kind of talks. As of last year, many of these folks would have given a talk ‘in person’ at a conference, but have not been able to do so due to the pandemic. We have also done a number of tutorials and project updates that remain popular. For example, tutorials by Fatema Bannat Wala on Zeek Use Cases and by Alan Whinery with University of Hawaii on IPv6 Deployment, have been especially notable.

Have you seen a change in attendance or role for these CI events from before the pandemic and now?

We have seen moderate (10-15%) increases for both the live and recorded sessions during the week of a talk. We have also seen a similar increase in subscription to our membership list since its inception in 2017. . Some of the “tutorial” content has increased viewership over time – perhaps as the pandemic lets our audience review content from home, that they were not able to previously study due to a lack of time. This is a net positive, as it points to a general trend that it is easier/more desirable to watch a video on a topic (e.g. deploying software) versus reading documentation/following instructions.

What makes for a successful CI talk?

Passion from the speaker is very important. We want to hear from community members that are excited about what they are presenting: a research project, a new operational component, or a problem they want to solve (or have solved). Speaking from experience is also valuable, as the audience wants to know deep technical details for most of the talks.

What do you think has been the biggest challenge keeping this series going?

We’ve always had willing presenters, and to date, we are always able to schedule between 20 and 30 talks over the course of the year. The primary challenge is making sure we can continue to find fresh perspectives that hit on some core values:

Supporting the diversity of voices (gender, ethnicity, institutional background). When reflecting on the prior 100 talks, we unfortunately skewed strongly away from these diverse categories; this is a trend that must be reversed. Recruitment to address this is already underway for 2021 and beyond.
Focusing on talks that address the needs of modern CI: operational best practices, policy choices, translation of research to production, etc.
Ensuring our audience is growing. These talks assist in bringing new contributors up to speed vis a vis retirements and other attrition where knowledge may not be passed down to newcomers.

What do you think will be major themes in the next 100 hundred CI sessions?

A theme we have encouraged from the start is to share what we know, and acknowledge what we don’t know. We want to see the major institutions and facilities pass on the lessons they have fought hard to learn and implement so that campuses of smaller size with limited CI knowledge level can benefit. Similarly, we want those individuals that are not as experienced to be vocal and ask (potentially hard) questions to the community to drive what needs to be presented and discussed.

I believe that policy (e.g. long term care, maintenance, upgrades, sustainability) of CI will be an ongoing concern as we approach 10 or more years of operations for some facilities. Security is always a hot area, as the threats continue and adapt over time. Technology continues to evolve and upgrade rapidly, so hearing about the ‘latest and greatest’ will also drive content and speakers for the talks.

Jason, thank you for running the CI series, and all the hard work associated with keeping a regular technical exchange going like clockwork during a pandemic. I look forward to the next 100 CI Lunch & Learn!

Defending ESnet with ZoMbis!

2021-03-022021-03-02 ~ Fatema Bannat Wala

Zeek is a powerful open source network security monitoring software extensively used by ESnet. Zeek (formally called Bro) was initially developed by researchers at Berkeley Lab; it allows users to identify & manage cyber threats by tracking and logging network traffic activity. Zeek operates as a passive monitor, providing a holistic view of what is transpiring in the network and on all network traffic.

In a previous post, I presented some of our efforts in approaching the WAN security using Zeek for general network monitoring, with successes and challenges found during the process. In this blog post I’ll focus on our efforts in using Zeek as part of security monitoring for the ESnet6 management network – ZoMbis (Zeek on Management based information system).

ZoMbis on the ESnet6 management network:

Most research and educational networks employ a dedicated management network as a best practice. The management network provides a configuration command and control layer, as well as conduits for all of the inter-routing communications between the devices used to move our critical customer data. Because of the sensitive nature of these communications, the management network needs to be protected from external and general user network traffic (websites, file transfers, etc.), and our staff needs to have detailed visibility on management network activity.

At ESnet, we typically use real IP addresses for all internal network resources, and our management network is allocated a fairly large address space block advertised in our global routing table, to help protect against opportunistic hijacking attacks. By isolating our management network from user data streams, the amount of routine background noise is vastly reduced making the use of Zeek, or any network monitoring security capability, much more effective.

The above diagram shows an overview of the deployment strategy of Zeek on the ESnet6 management network. The blue dots in the diagram show the locations that will have equipment running Zeek instances for monitoring the network traffic on the management network. The traffic from the routers on those locations is mirrored to the Zeek instances using a spanning port, and the Zeek logs generated are then aggregated in our central security information and event logging and management system (SIEM).

Scott Campbell presented ‘Using Zeek in ESnet6 Management Network Security Monitoring’ during virtual Zeek Week held last year that explained the overall strategy for deployment of Zeek on the management network in greater detail. Some ZoMbis deployment highlights are:

ESnet 6’s new management network will use only IPv6. From a monitoring perspective this change from the traditional IPv4 poses a number of interesting challenges; In particular, IPv6 traffic employs more multicast and link-local traffic for local subnet communications. Accordingly, we are in the process of adjusting and adding to Zeek’s policy based detection scripts to support these changes in network patterns. These new enhancements and custom scripts being written by our cybersecurity team to support IPv6 will be of interest to other Zeek users and we will release them to the entire Zeek community soon.

The set of Zeek policy created for this project can be broken out into two general groups. The first of these is protocol mechanics – particularly looking closer between layer 2 and 3 where there are a number of interesting security behaviors with IPv6. A subset of notices that these protocol mechanic policies will provide are:

ICMP6_RtrSol_NotMulticat – Router solicitation not multicast
ICMP6_RtrAnn_NotMulticat – Router announcement should be a multicast request
ICMP6_RtrAnn_NewMac – Router announcement from an unknown MAC
ICMP6_MacIPChange – If the MAC <-> IP mapping changes
ICMP6_NbrAdv_NotRouter – Advertisement comes from non-router
ICMP6_NbrAdv_UnSolicit – Advertisement is not solicited
ICMP6_NbrAdv_OverRide – Advertisement without override
ICMP6_NbrAdv_NoRequest – Advertisement without known request

The second set of Zeek policies that have been developed in support for ZoMbis involves taking advantage of predictable management network behavioral patterns – we build policy to model anticipated behaviors and let us know if something is amiss. For example looking at DNS and NTP behavior we can identify unexpected hosts and data volumes, since we know which systems are supposed to be communicating with one another, and what patterns traffic between these components should follow.

Stay tuned for the part II of this blogpost, where I will discuss ways of using Sinkholing, together with ZoMbis, to provide better understanding and visibility of unwanted traffic upon the management network.