Virginia Tech leads IPv6 security research and shares lessons learned from years of large-scale deployment experience.
Virginia Polytechnic Institute and State University (Virginia Tech) ranks among the top 50 research universities in the United States with a research portfolio of nearly US$400 million. In 2010-2011, the university received 2400 research awards to pursue discoveries in agriculture, biotechnology, information and communication technology, transportation, energy management, and a wide range of other fields, leading to 40 patents and 24 license and option agreements.
One of the ways that Virginia Tech has laid a strong foundation to further stimulate collaboration and innovation is by embracing early, large-scale adoption of IPv6. This next-generation Internet protocol was developed to support the increasing number of devices with IP addresses, a phenomenon referred to as "The Internet of Things."
Under IPv4, the standard in use since 1981, the length of an IP address allows only approximately four billion unique IP addresses, versus IPv6, which allows approximately 340 undecillion (340 with 36 zeroes after it). The importance of IPv6 was further amplified by Cisco® Visual Networking Index projections released in May 2012, which estimate the number of connected devices will reach 10.5 billion by 2016.
To help ensure that Virginia Tech could promote nonstop communications via the Internet, including important collaboration between its researchers and other organizations worldwide, the university started experimenting with IPv6 networking in 1997.
A request for research support from a group of Virginia Tech graduate students coincided with a Cisco announcement of an early field trial for new Cisco IOS® Software with IPv6 capabilities. This announcement prompted the university to begin operating a limited IPv6 environment on a Cisco 4700 Router and heavily-patched UNIX systems, allowing Virginia Tech to ultimately become the first site in the United States to run native IPv6 over ATM on the National Science Foundation's vBNS (very high-speed Backbone Network Service). This opportunity placed Virginia Tech in a leading position to help test, proliferate, and improve IPv6-related technology.
By 2004, IPv6 feature sets were supported on eight Cisco router platforms running Cisco IOS Software Release 12.3, in addition to eight other platforms with Release 12.0S and Release 12.2S. That same year, Virginia Tech installed a parallel network featuring Cisco 7300 Series Routers to run its new IPv6 environment for clients in about 20 campus buildings, while keeping IPv4 running on a separate Cisco Catalyst® 6500 Series Switch platform.
With the release of Microsoft Windows Vista by 2007, which shipped with IPv6 enabled by default, the number of IPv6 users on campus grew rapidly. "As a university, the computer systems here turn over quickly. We get new students every year, and that meant we had maybe 5000 more computers coming on to the network that were already IPv6-enabled," says Steven Lee, research and development manager for Network Infrastructure and Services at Virginia Tech.
Most of the campus, from academic spaces to residence halls, was configured for IPv6 in 2008. By September 2009, Google reports showed that 51 percent of hosts on the Virginia Tech network had working IPv6. The parallel routing infrastructure was removed in 2010 with Cisco's introduction of OSPFv3, which was designed for IPv6 and allows a dual-stack configuration to support both IPv4 and IPv6 simultaneously on the university's Cisco Catalyst 6500 core platform. Today the majority of Virginia Tech's hosts retain a dual-stack configuration, supporting IPv4 and IPv6 on a single, unified infrastructure.
Says Phil Benchoff, senior network engineer for Virginia Tech, "We were pleased that Cisco began including IPv6 capabilities in more of its products by 2004. Our strategy for the university at that point was incrementally enabling IPv6, fixing whatever problems we found, and starting on the next iteration. We saw that most things just worked. Cisco's early focus on integration and co-existence was important to this IPv6 evolution."
For more than 15 years, Virginia Tech has collaborated with Cisco to address a number of challenges in moving to IPv6. One early example involved suppressing rogue routers: usually hosts that had been misconfigured and were sending Router Advertisements (RAs) as if they were routers. The fix for these nonmalicious RAs was an improvement to Cisco IOS Software that lets network administrators set the router preference on their own RAs, so that hosts choose the legitimate router over a misconfigured host. "Getting that feature into Cisco IOS Software was critical for us. Cisco really listened to us and responded well by delivering that capability quickly," says Benchoff.
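To show why the router-preference fix works, the following added example (not code from the page, Virginia Tech, or Cisco) builds minimal ICMPv6 Router Advertisements, parses the RFC 4191 Prf bits, and applies the host-side selection rule: a misconfigured host sending a default (medium) RA can win when the real router also advertises medium, but loses once the router advertises high. The link-local addresses and the approved-router set are constructed for the demonstration; checksums are left zero because the IPv6 pseudo-header is not modelled.

```python
import struct

# RFC 4191: router preference lives in bits 3-4 of the RA flags byte.
PRF_NAMES = {0b01: "high", 0b00: "medium", 0b11: "low"}
PRF_RANK = {"high": 2, "medium": 1, "low": 0}
RA_HEADER = "!BBHBBHII"  # type, code, checksum, hop limit, flags, lifetime, reachable, retrans


def build_ra(prf_bits, router_lifetime=1800):
    """Construct a minimal Router Advertisement (ICMPv6 type 134) for demonstration.
    M and O flags are zero; checksum is zero (pseudo-header not modelled)."""
    flags = (prf_bits & 0b11) << 3
    return struct.pack(RA_HEADER, 134, 0, 0, 64, flags, router_lifetime, 0, 0)


def parse_ra(pkt):
    """Return (preference, router_lifetime). The reserved Prf value 0b10 must be
    treated as medium (RFC 4191 section 2.2)."""
    typ, code, _csum, _hl, flags, lifetime, _reach, _retrans = struct.unpack(RA_HEADER, pkt[:16])
    if typ != 134 or code != 0:
        raise ValueError("not a Router Advertisement")
    prf = PRF_NAMES.get((flags >> 3) & 0b11, "medium")
    return prf, lifetime


def select_default_router(ras):
    """ras: list of (source_link_local, packet). Mirrors the host rule: among
    routers with a non-zero lifetime, prefer the highest Prf. Equal preferences
    are an arbitrary choice (here the larger address string), which is exactly
    how a misconfigured host can displace the real router."""
    ranked = []
    for src, pkt in ras:
        prf, lifetime = parse_ra(pkt)
        if lifetime == 0:
            continue  # lifetime 0 means "not a default router"
        ranked.append((PRF_RANK[prf], src))
    return max(ranked)[1] if ranked else None


def flag_unexpected_ras(ras, approved):
    """Detection side: report RA sources that are not in the approved router set."""
    return sorted(src for src, _ in ras if src not in approved)
```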
More recently, the university reaped benefits in upgrading its Cisco Catalyst 6500 Series Switches from Supervisor Engine 720 to Supervisor Engine 2T. "Since deploying Supervisor Engine 2T, we've seen a huge reduction in CPU utilization on our Catalyst 6500 Series switches, from 95-100 percent utilization with 18,000 Neighbor Discovery table entries with Supervisor Engine 720 to less than 30 percent with 65,000 entries with Supervisor Engine 2T. Getting some of the optimization processes out of software and putting them on the hardware with Sup 2T has been very beneficial," Lee says.
Supervisor Engine 2T offers a multitude of enhancements over previous-generation hardware, including helping Virginia Tech better support growing Layer 2 multicast traffic demand. The hardware-based uRPF check is another key new feature that the university values for its ability to counteract source-address spoofing. Additional new capabilities with Supervisor Engine 2T include enhancements in control plane policing, Flexible NetFlow, and IPv6 interface counters that allow IPv4 and IPv6 traffic to be reported separately.
After nearly 15 years of experience, today Virginia Tech proudly counts itself as a leader in large-scale production deployment of IPv6, with thousands of native IPv6 clients. The university has helped enable IPv6 on nearly every possible subnet that it operates, and virtually its entire environment is configured as dual stack to support both IPv4 and IPv6. In 2010, the size of Virginia Tech's deployment ranked it as one of seven networks worldwide, based on unique Autonomous System Number (ASN), that had more than 1 percent of hosts with working IPv6, with a total of 51.3 percent. By May 2012, its aggregate utilization of IPv6 in and out of the campus to external networks was hitting a daily peak of approximately 200-300 megabits per second.
"World IPv6 Launch Day on June 6, 2012 saw top websites and Internet services worldwide permanently enable IPv6 for their products and services. With the eyes of the world watching to see what impacts might be measured on this date, Virginia Tech emerged as one of the organizations with the highest percentage use of IPv6, at 60 percent," says Benchoff.
The university's sizeable base of native IPv6 users has attracted research in the IPv6 management and security arenas, including projects on first hop security and Flexible NetFlow sponsored with grants from Cisco. Says Benchoff, "We have a very large production IPv6 deployment, with a lot of end user traffic on it, so it gives a vendor the opportunity to test products in a realistic environment. A lot of other places don't have that real user traffic to test these kinds of devices."
Research projects administered by the university's Information Technology Security Laboratory (ITSL) included a converged network security visualization tool for IPv6, which merges geographic information with real-time network attack data and physical models, to pinpoint the geographic source of attacks. Another key project features a patent-pending Moving Target IPv6 Defense (MT6D) system that leverages the large address space of IPv6 to dynamically hide network and transport layer packet addresses for enhanced intrusion protection and user anonymity. This work won Virginia Tech an award in the 2011 National Security Innovation Competition sponsored by the National Homeland Defense Foundation.
"A new era of the Internet is upon us. The scarcity of IPv4 address resources, coupled with consumers' aggressive adoption of IPv6-enabled mobile devices, requires enhancements, support, and innovation from the networking industry leaders sooner rather than later. Cisco has a long history of innovation and brings a lot of credibility, particularly with mission-critical networks that require a high level of capabilities around IPv6," says Lee.