Download Internet Operation

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
page
46
page
47
page
48
page
49
page
50
page
51
page
52
page
53
page
54
page
55
page
56
Document related concepts

Net neutrality law wikipedia , lookup

Zero-configuration networking wikipedia , lookup

Net bias wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

List of wireless community networks by region wikipedia , lookup

Transcript 
Internet Operation
Matsuzaki ͚maz͛Yoshinobu
<maz@iij.ad.jp>
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
1
Internet
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
2
Internet
AS
AS
ISP
ISP
ISP
IX
IX
ISP
ISP
AS
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
AS
3
philosophy
Autonomous
Distributed
Cooperative
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
4
as a part of the internet
‡ Your good services
‡ Your good operations
‡ Good internet experience
‡ We are changing our network as the internet is changing
± technologies
± operations
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
5
strong operation
‡ Can you persuasively explain your operation?
± policy
± design
± implementation
± configuration
± management
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
6
IIJ case ʹ IPv6
‡ pure IP network
± now dual stacked
± no MPLS
‡ IIJ/AS2497 maintains its backbone in Japan and U.S..
‡ And we have deployed IPv6
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
7
,ŝƐƚŽƌLJŽĨ//:͛Ɛ/WǀϲƐĞƌǀŝĐĞ
‡ 1999
± IPv6 over IPv4 tunnel service (experimental)
‡ 2000
± IPv6 native service (leased line, experimental)
‡ 2001
± IPv4/IPv6 dual stack service (leased line) ± IPv6 data center service
± IPv6 over IPv4 tunnel service for consumers
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
8
,ŝƐƚŽƌLJŽĨ//:͛Ɛ/WǀϲďĂĐŬďŽŶĞ
‡ Initially we started with dedicated backbone
‡ 1998
± PC based router(kame stack)
± tunnel and ethernet
‡ 2000
± cisco c72xx series
± tunnel, ethernet and T1 line
‡ 2005
± we started to migrate to IPv4/IPv6 dual stack backbone
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
9
addressing
‡ /128 for loopback interfaces
‡ /64 for links
± /127 is used on several inter-­‐router links
‡ /48 for customer sites
± still considering the size
± possible sizes are: /48, /52, /56, /60, /64
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
10
global unicast address
‡ Inter-­‐router link does not require global address inside AS
± OSPFv3 uses link-­‐local address to exchange LSAs
± only loopback interface needs to configure global address
‡ But we configure global address on every interface
± as ping destination to check availability
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
11
link-­‐local unicast address ‡ fe80::/64
‡ AS IS
± tĞĚŽŶ͛ƚƚŽƵĐŚ
± Most routers use Modified EUI-­‐64 format address
‡ A virtual address for vrrp/hsrp is another story.
± Customers might configure a static route at their equipments with this address, so the address should be assigned statically like fe80::1.
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
12
routing protocols
IPv4
‡ OSPFv2
IPv6
‡ OSPFv3
± mostly area 0
± md5 authentication
‡ BGP4
‡ BGP4+
± peer through ipv4
± route-­‐reflector
± md5 authentication
2010/07/22
± area 0 only
± ipsec authentication
± peer through ipv6 global
± route-­‐reflector (same as IPv4)
± md5 authentication
Copyright (c) 2010 Internet Initiative Japan Inc.
13
router ID
‡ Routing protocols usually require 32bit ID
± even a routing protocol for IPv6
± We use IPv4 address of loopback interface as its router ID
‡ Every routers has IPv4 address in our network
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
14
OSPFv3 link cost
‡ tĞƐĞƚƚŚĞƐĂŵĞůŝŶŬĐŽƐƚǀĂůƵĞĂƐ/Wǀϰ͛Ɛ͘
± The network topology is almost same. ± working fine -
‡ When we were using RIPng as IGP (we had no choice at that time /), these were so much trouble.
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
15
management
‡ remote access to a router (ssh/telnet)
± IPv4/IPv6 dual stack
± out-­‐of-­‐band port has IPv4 address only
‡ other services
± IPv4 only
± AAA, snmp, syslog, ntp, flow export
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
16
availability check
‡ checking by ping
± both IPv4 and IPv6
± dual stack routers receive ping twice as much
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
17
monitoring
‡ We have to know about our network. ± traffic volume and so on
‡ We are waiting for
± MIB for IP [RFC4293]
± NetFlow v9 [RFC3954] for IPv6
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
18
hostname rules
‡ 3 names
± dual stack, ipv4 only, ipv6 only
± Users can test reachability by themselves
www
IN A
IN AAAA
www-­‐v4 IN A
www-­‐v6 IN AAAA
2010/07/22
210.130.137.80
2001:240:bb42:b000::1:80
210.130.137.80
2001:240:bb42:b000::1:80
Copyright (c) 2010 Internet Initiative Japan Inc.
19
reverse DNS
‡ For our routers and servers
± maintain PTR records as possible
± the same policy as IPv4
‡ For static address users (such as /48)
± delegate NS if they ask
‡ For dynamic address users
± nothing
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
20
IPv6 experience: office network
‡ 1998
± We installed IPv6 in network tech divisions
‡ 2000
± All of our tech divisions got IPv6 enabled
‡ 2003
± We moved to new office, so installed IPv6 to whole office network.
‡ 2008
± We performed IPv6 renumbering
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
21
//:͛ƐŽĨĨŝĐĞŶĞƚǁŽƌŬ
The Internet
datacenter
Server
Dual stack
Server
IPv4 FW
IPv6
FW-1
c7401
cat4500
FW-1
Juniper SSG
Global Router
Juniper SSG
IPv4
IPv6 FW
internal servers
Server
2010/07/22
Server
c7600
c7600
Core
Switch
Core
Switch
Copyright (c) 2010 Internet Initiative Japan Inc.
Private Router
core routers
22
publication
‡ IIJ publishes IPv6 deployment status of its services on its www site.
± http://www.iij.ad.jp/service/IPv6schedule/
± what we did, what we will do
‡ This helps our customers to plan their IPv6 deployment.
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
23
end-­‐user environments analysis
‡ We gathered data from our cache DNS
± AAAA query rate
monitor
root-­‐servers
dns query
dns reply
end-­‐users
2010/07/22
cache DNS
Copyright (c) 2010 Internet Initiative Japan Inc.
authoritative DNS
24
stacked query/sec graph
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
25
observed querying end-­‐hosts
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
26
ratio of AAAA capable source
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
27
again, as a part of the internet
‡ Your good services
‡ Your good operations
‡ Good internet experience
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
28
-­‐ operation -­‐
environmental consideration
routing
policy
config
audit
design change
automated
tools
config
management
secure
remote
access
2010/07/22
time
sync
progress management
anomaly
detection
traffic
analysis
logging
Copyright (c) 2010 Internet Initiative Japan Inc.
monitoring
IP address
assignment
29
mistakes
‡ mistakes degrade our services
‡ In many case, its effects are negligible (hopefully), but sometimes even a small mistake could cause a disaster
‡ >Ğƚ͛ƐůŽŽŬŝŶƚŽŽƵƌŵŝƐƚĂŬĞƐ
± frequent ones and major outages
‡ These cases are gathered from Japanese operational community. Thanks!
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
30
No.1 cut & paste of configuration
‡ One person was writing a router configuration ďLJĐƵƚƚŝŶŐΘƉĂƐƚŝŶŐĨƌŽŵŽƚŚĞƌƌŽƵƚĞƌƐ͛͘
‡ ďƵƚ͙ĨŽƌŐŽƚƚŽŵŽĚŝĨLJ/WĂĚĚƌĞƐƐƐĞƚƚŝŶŐ/
‡ caused unwanted routing, IP address duplications 2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
31
No.1 cut & paste of configuration
One person forget to modify IP address
cut&paste
Interface Bundle-­‐Ether1
ipv4 address 10.0.0.1 255.255.255.0
ipv6 address 2001:db8::1/64
bundle minimum-­‐active links 2
! 2010/07/22
Interface Bundle-­‐Ether1
ipv4 address 10.0.0.1 255.255.255.0
ipv6 address 2001:db8::1/64
bundle minimum-­‐active links 2
! Copyright (c) 2010 Internet Initiative Japan Inc.
32
No.2 cable maintenance
‡ There was a scheduled maintenance at a long distance cable in a network, so one person incremented OSPF link costs on the link
‡ To avoid flapping on the link, the person disabled OSPF on the link /
‡ During the maintenance window, another cable was down
‡ ͙ƚŚĞŶĞƚǁŽƌŬǁĂƐĚŝǀŝĚĞĚ
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
33
No.2 cable maintenance
There was a scheduled maintenance on this cable, so one person disabled OSPF on this link
But another link was down during the maintenance window, so the network was divided
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
34
No.3 BGP FIB reducing
‡ One person was asked to filter BGP routes on small routers to avoid memory overflow
‡ The person forgot to add default route that would cover filtered routes on the routes /
‡ The router lost routes, caused packets discard
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
35
No.3 BGP FIB reducing
iBGP
To avoid memory overflow, they need to change policy from full-­‐
route to default route + several bgp routes
2010/07/22
The person forgot to add default route. So the router simply lost filtered routes, and packets toward these destination were discarded
Copyright (c) 2010 Internet Initiative Japan Inc.
36
No.4 route termination
‡ One prefix was statically routed to a downstream router, and the downstream router had default route to upstream.
‡ But the downstream network used only a part of the prefix, and no care for unused space. /
‡ Packets to unused space like portscan were looped between 2 routers.
± they should add a null route to terminate route at the downstream router, or
± they should adjust the routed prefix as needed
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
37
No.4 route termination
packet
to: 10.255.1.1
static route
10.0.0.0/8
static route
default
They used only /24 of /16, and there was no care for unused network. So packets to unused space were looped on the link
10.0.1.0/24
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
38
No.5 packet filter
‡ One person was asked to modify packet filter of a remote router
‡ The person forgot to permit management access /
‡ After modification, the person was also ĨŝůƚĞƌĞĚŽƵƚ͕ĂŶĚĐŽƵůĚŶ͛ƚĐŽŶƚƌŽůĂŶLJŵŽƌĞ
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
39
No.5 packet filter
remote access
packet filter
One person tried to modify packet filter remotely but the person forgot to permit management access, and lost his remote connection.
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
40
No.6 remote login
‡ One person was asked to change configuration on a certain router.
‡ The person mistyped the remote hostname, but it was still valid one, so the person changed configuration on a wrong router /
± There was a similar case that typing in a wrong terminal among multi terminal windows.
‡ ..causes an unexpected routing 2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
41
No.6 remote login
rt010bb101
rt011bb101
remote access
One person was asked to change configuration HERE!
The person mistyped the hostname, but it was still valid one.
The person changed configuration on a wrong router
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
42
No.7 configuration cleaning
‡ One person was asked to delete unused configuration of a router
‡ The person deleted line by line with leading ͚ŶŽ͛ŬĞLJǁŽƌĚ͕ĂŶĚĐĂƌĞůĞƐƐůLJĚĞůĞƚĞĚĂƌŽƵƚŝŶŐ
process. /
‡ The router stopped the routing process as the ĐŽŵŵĂŶĚƐĂŝĚƐŽ͙͘͘
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
43
No.7 configuration cleaning
expected configuration
router ospf 65535
no network 10.0.0.0 0.0.0.3 area 0
but typed in
no router ospf 65535
no network 10.0.0.0 0.0.0.3 area 0
The routing process was stopped, ͙ĐĂƵƐĞĚĂƌŽƵƚŝŶŐƚƌŽƵďůĞ
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
44
No.8 port move
‡ One team performed a maintenance to move a cable from one switch to another
‡ One person shutdown a port, then another person unplug the cable checking the port number and the port LED.
‡ The person at the switch misunderstood the port number and port LED relationship, then unplugged an wrong cable /
‡ Unexpected network down
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
45
No.8 port move
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
46
react to mistakes
‡ minimize the effects
‡ reduce mistakes
should not be happened
frequency
of mistakes
matters
problems
effects of mistakes
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
47
minimize the effects of mistakes
‡ protection
± straiten the extent of the impact
‡ multiple route filters
‡ restoration
± detect in early stage
‡ monitor of configuration changes, traffic anomaly detection
± notification properly
‡ notify the operator of the mistake
± recovery from mistake quickly
‡ undo the modification, disconnect the wrong part 2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
48
reduce mistakes
‡ In many cases, the main reason of mistakes is ͞ĐĂƌĞůĞƐƐ͟
± more detailed classification would be possible
± as you might know, to understand others (even yourself) is difficult
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
49
mistake, operators and attention
‡ K<͕ůĞƚ͛ƐƉƵƚĂŶĂƐƐƵŵƉƚŝŽŶ
‡ An attention ability is limited, and it depends on operators and environments
± If you have enough ability to complete an operation, there would be zero-­‐mistake.
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
50
but according to our experiences
‡ We have made lots of mistakes
± ǁĞĚŽŶ͛ƚŚĂǀĞĞŶŽƵŐŚĂďŝůŝƚLJ͕ŽƌŚĂǀĞĂďŝůŝƚŝĞƐƚŽ
mistake :P
‡ So we need a support to reduce mistakes
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
51
support for operation
‡ minimum hand-­‐operation
± automation ‡ clear procedure of operation
± operation sheet
‡ support for attention
± better user interface to help operations
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
52
again, as a part of the internet
‡ Your good services
‡ Your good operations
‡ Good internet experience
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
53
sharing
‡ These problems are not only for you
± we have similar issues among the community
‡ Your experience is important for others
± how did, problems, actual stats
‡ We can study from each other
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
54
community
‡ Somehow you can share your experience
± it (probably) makes internet better
‡ You can study from others
± it (probably) makes your network better
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
55
We can improve the internet
2010/07/22
Copyright (c) 2010 Internet Initiative Japan Inc.
56
Related documents
IPv6 Site Renumbering Gap Analysis
IPv6 Site Renumbering Gap Analysis
IPv4 to IPv6 Migration strategies
IPv4 to IPv6 Migration strategies
Sample Quiz
Sample Quiz
Title: ISPs ignore IP timebomb
Title: ISPs ignore IP timebomb
IPv6
IPv6
Semester 4 final exam REVIEW
Semester 4 final exam REVIEW
Document
Document
P.702 - How it works
P.702 - How it works
HOW MANY IP ADDRESSES ARE AVAILABLE IN IPV6
HOW MANY IP ADDRESSES ARE AVAILABLE IN IPV6
PPT Version
PPT Version