Deploying IPv6 Services over broadband connections: The Greek School Network case
Athanassios Liakopoulos
Kostas Kalevras
Dimitrios Kalogeras
TERENA Conference 2006
Outline
• Introduction to xDSL technology
• IPv6 @ a glance
• The Greek School Network
• Reasons to use IPv6 technology
• IPv6 in GSN
  – Roadmap, Addressing, Routing, Applications, etc.
• Conclusion & Recommendations
TNC2006, Catania
Entities involved in an xDSL environment
• Subscriber (xDSL User)
  – PCs, modem, bridge/router
• Network Access Provider (NAP)
  – Responsible for the management of the copper local loop.
  – DSLAM, BBRAS, radius server*
• Network Service Provider (NSP)
  – Responsible for providing interconnection with the Internet. May offer other added-value services.
  – Edge router, radius server*
[Figure: xDSL environment. Subscriber side: CPE (Modem, Router). Network Access Provider (NAP): DSLAM, BBRAS, Radius server. Network Service Provider (NSP): Edge router, Radius server.]
Implementation details
• xDSL modem
  – Encapsulates Subscribers’ traffic into ATM cells, signal (de)modulation
• DSL Access Multiplexer (DSLAM)
  – Signal (de)modulation, aggregates traffic over ATM links
• Broad Band Remote Access Concentrator (BBRAS)
  – Terminates the Subscribers’ ATM connections, tunnels or routes traffic to the NSP edge router.
• Radius Server
  – Contains subscriber configuration templates
• NSP edge router
  – Terminates PPP sessions or L2TP tunnels, gateway to the Internet
Ethernet bridging over ATM
• The CPE forwards IP packets using multi-protocol encapsulation over ATM adaptation layer 5 (AAL5).
• Minimum functionality is required from the CPE, i.e. the xDSL modem (L3-unaware device).
• A single ATM PVC is used for IPv4/6 interconnection.
• Subscriber’s PCs are configured with a static IPv6 address, via DHCPv6 or via auto-configuration.
• This method does not support authentication and authorization functionality!
[Figure: Ethernet bridging. Subscriber PC (IPv6 / 802.3 / PHY) – CPE modem (802.3 / PHY on the LAN side; RFC1483 / ATM / xDSL on the line side) – DSLAM (ATM / xDSL PHY).]
PPP over AAL5 (PPPoA) - PTA
• The CPE supports IPv6/4 packet forwarding and interconnects multiple systems in the Subscriber’s local network.
• A single PPPoA session is established over an ATM PVC, allowing the CPE router to establish two PPP network-layer sessions: an IPv6 one (IPCPv6) and an IPv4 one (IPCP).
• IPv6 addresses are assigned automatically over the PPP session using attributes stored in a centralised radius server or local database.
• The CPE can be authenticated using one of multiple protocols, such as PAP, CHAP, MS-CHAP, EAP, etc.
[Figure: PPPoA (PTA). Subscriber PC (IPv6 / 802.3 / PHY) – CPE router and modem (IPv6 / PPPoA / RFC1483 / ATM / xDSL) – DSLAM (ATM / xDSL PHY) – BBRAS (IPv6 / PPPoA / RFC1483 / ATM / PHY) with a Radius server; NAP and NSP are the same provider.]
PPP over AAL5 (PPPoA) - LAA
• In case the NAP and the NSP are different, the PPP sessions do not terminate at the BBRAS but at the edge router.
  – BBRAS = L2TP Access Concentrator (LAC)
  – Edge router = L2TP Network Server (LNS)
• Two PPP sessions are established from the CPE router, which terminate at the LNS. The LAC is IPv6-unaware.
• Address assignment and authentication methods are performed in the same way as previously, but now the radius server is managed by the NSP.
[Figure: PPPoA (LAA). Subscriber: CPE router and modem. NAP: DSLAM, LAC (BBRAS). NSP: LNS (Edge router), Radius server. PPPoA runs from the CPE to the LNS, carried in L2TP between LAC and LNS.]
PPP over Ethernet (PPPoE)
• Separate PPP sessions are established between the Subscriber’s systems (or CPE) and the BBRAS for IPv6 and IPv4 traffic.
  – Same IPv4/6 address allocation schema as in PPPoA
  – Sessions may terminate in the LNS in the NSP network (not shown).
  – If PPP sessions terminate at the Subscriber’s system, then the CPE may be L3-unaware, i.e. cheap(!). It requires, however, specific software to be installed in the Subscribers’ systems. The advantage of this approach is that it allows access control and service selection to be done on a per-subscriber rather than on a per-site basis.
[Figure: PPPoE. Subscriber PC (IPv6 / PPPoE / 802.3 / PHY) – CPE router and modem (802.3; RFC1483 / ATM / xDSL) – DSLAM (ATM / xDSL PHY) – BBRAS (IPv6 / PPPoE / RFC1483 / ATM / PHY) with a Radius server; NAP and NSP are the same provider.]
IPv6 @ a glance
• IPv6 Address: 128 bits
  – GRNET address space: 2001:648::/32
• Allows for routable addresses for “everything”
  – IP phones, 3G devices, sensors, personal devices, appliances …
• Easy way of end-system configuration
  – IP address stateless auto-configuration: address_prefix:f(MAC_address)
  – Enhanced DHCP parameter passing: NTP, SMTP, SIP … servers (in addition to IP address, GW, DNS)
  – DHCP prefix delegation – assign multiple addresses to a client
• Better support of mobility
  – Multiple IPv6 addresses per interface, associated with multiple networks
• Security
  – Mandatory IPSec support -> This is not a panacea.
  – End-to-end encryption is now possible
  – Might open unknown network security hazards (new technology)
• Multicasting
  – Embedded Rendezvous Points selected at session initiation
• QoS
  – Flow Label in header allows easy packet differentiation
• Multi-homing potential
Greek School Network
Backbone: 8 PoPs
• Connected to GRNET
Distribution: 52 PoPs
• 9 major
• 43 secondary
• 75 routers, 71 servers
Access:
• 6k primary and 3.7k secondary schools
Access Technologies
• PSTN / ISDN
• Leased Lines
• Wireless
• ADSL, VDSL
[Figure: GRnet – GSN distribution network – schools; www.sch.gr]
GSN – cont. - Services
Basic Services
1. Dial-up
2. Proxy/Cache
3. Web-Filtering
4. Web-Page Generator
5. Web-Hosting
6. Portal (www.sch.gr)
Communication
1. E-mail (POP3, IMAP, web-mail)
2. Forums (www.sch.gr/forums)
3. News (www.sch.gr/news)
4. Instant Messaging (www.sch.gr/im)
5. Teleconference (www.sch.gr/conf)
6. Voice over IP
Infrastructure
1. DNS
2. Directory Service (LDAP)
3. User registration service
4. Statistics (www.sch.gr/statistics)
5. Help-Desk (www.sch.gr/helpdesk)
6. GIS
Advanced
1. E-learning (www.sch.gr/e-learning)
2. Video on Demand – VoD (www.sch.gr/vod)
3. Secure Content Delivery with Reliable multicast (www.sch.gr/scd)
4. Real time services (www.sch.gr/rts)
Why use IPv6 (and not stick with IPv4)?
• IPv6 removes the limitations imposed by the inadequate number of available IPv4 addresses
  – Every school has a NAT / PAT gateway due to address shortage.
  – Difficult to debug interconnection problems.
  – Need for static addresses, e.g. for local servers.
  – Enough address space for every school and pupil!
• P2P applications do not work with servers behind PAT
  – Multimedia e-learning and peer-to-peer virtual collaboration applications.
  – Easier P2P application development.
Why use IPv6 (and not stick with IPv4)?
• Management and security issues
  – Deployment procedures in large numbers.
    • Stateless auto-configuration
    • CPE routers, Windows Vista
  – Security -based on ACLs- is simplified using the IPv6 addressing schema.
• Innovation – Exposure to new technologies
  – Today’s school pupils are the future engineers.
  – IPv6 allows the development of new advanced services that exploit features unique to IPv6 environments, such as enhanced security or mobility.
  – Multiply the impact of other IPv6-enabled networks in Greece.
IPv6 from the ISP perspective (1)
• Small differences between IPv4 and IPv6
• Size of IP addresses
  – Extension of address space from 32 bits to 128 bits
  – Change in the representation of addresses:
    • From decimal to hexadecimal format
    • Example: IPv4: 192.168.128.254
    • Example: IPv6: 2001:db8:0:d802:2d0:b7ff:fe88:eb8a
    • RFC3513 “IPv6 Addressing Architecture”
• Smaller routing table
  – IPv4: ~ 150,000 routes
  – IPv6: ~ 600 routes
    • multiples of /35 in Tier-1 networks
    • multiples of /48 in Tier-2 networks
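As an added example (not code from the slides) of the address_prefix:f(MAC_address) rule behind stateless auto-configuration, the Python below computes the modified EUI-64 interface identifier for a constructed MAC address, reproduces the example IPv6 address above from an assumed 2001:db8:0:d802::/64 prefix, and recovers the MAC from such an address, which is the privacy side of the "unknown network security hazards" remark:

```python
# Added example, not code from the slides: how stateless autoconfiguration derives
# an address as address_prefix:f(MAC_address). f() is the modified EUI-64 rule of
# RFC 4291. The MAC below is constructed; it is the one that yields the slide's
# example address 2001:db8:0:d802:2d0:b7ff:fe88:eb8a under a 2001:db8:0:d802::/64 prefix.
import ipaddress
from typing import Optional


def mac_to_eui64(mac: str) -> int:
    """Return the 64-bit modified EUI-64 interface identifier for a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert 0xFFFE between the OUI and the device part, then flip the
    # universal/local bit (bit 0x02 of the first octet), as RFC 4291 requires.
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 identifier, as a host does on receiving an RA."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | mac_to_eui64(mac))


def mac_from_slaac_address(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 based address, or None if the IID is not EUI-64.

    This is the flip side of the "unknown security hazards" remark on the slide:
    an EUI-64 address exposes the host's hardware address to every peer it talks to.
    """
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(b[:3] + b[5:])
    mac[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in mac)


if __name__ == "__main__":
    MAC = "00:d0:b7:88:eb:8a"  # constructed sample MAC
    addr = slaac_address("2001:db8:0:d802::/64", MAC)
    print(addr, "<-", MAC, "->", mac_from_slaac_address(str(addr)))
```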
IPv6 from the ISP perspective (2)
• Address delegation is structured
  – Large (or practically unlimited) IPv6 address space is available.
  – Easy to structure your own addressing architecture
  – Homogeneous blocks – Address conservation is no longer an issue.
• Address assignment
  – LANs: /64 (using stateless auto-configuration)
  – Point-to-point: /64 (or /126)
  – End Sites: /48
IPv6 deployment phases in GSN
• Study and define the transition strategy
• Prepare the IPv6 addressing and routing plan
  – Get the IPv6 address prefix from the LIR
• Upgrade the core and distribution network
  – Dual-stack network – No need for tunnels
  – No major problems with the support of IPv6 in commercial products
• Select the methods for address allocation to school access networks
  – Multi-vendor access routers exhibited different capabilities. So, different models were tested.
  – Minimize the management overhead. Prefer DHCP prefix delegation (DHCP-PD) when possible.
IPv6 deployment phases in GSN (2)
• Enable IPv6 on basic and advanced services
  – Difficult to identify software dependencies between commercial, open-source and in-house developed software.
  – DNS (BIND), Email (Qmail, Courier-IMAP), Web portal (Apache), Directory Services (iPlanet), Web filtering (Squid web proxy), multiple in-house built tools, etc.
• Update management tools to monitor and control the network
• Select a small group of schools as a testbed
  – Gradually extend IPv6 interconnection to all access nodes (in progress)
• Extend IPv6 services to PC-based LANs (in progress)
  – Use IPv6 stateless autoconfiguration
Addressing IPv6 in GSN
• Assign a /35 address prefix for the GSN
  – Allocated from the GRNET sTLA 2001:648::/32
• Allocate a /56 for each school
  – RIPE allows a /48 for every non-single-node customer
  – Enough address space for any future needs
• Addressing plan is aligned with the hierarchical structure of the network
  – Aggregate into /52 address prefixes in each distribution node and further aggregate into /48 in each GSN PoP
  – Addressing schema allows the interconnection of 32K schools
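An added example (not the GSN's own tooling) that generates the hierarchical plan from the slide above and checks that each school /56 aggregates into its distribution /52, its PoP /48 and the GSN /35; the /35 value is a constructed placeholder inside 2001:648::/32, since the slides do not state the real one:

```python
# Added example, not code from the slides: generate the hierarchical GSN plan
# (/35 for GSN, /48 per PoP, /52 per distribution node, /56 per school, /64 per LAN)
# and check that each school prefix aggregates into its distribution node and PoP.
# The /35 used here is a constructed placeholder inside GRNET's 2001:648::/32;
# the slides do not state the real one.
import ipaddress
from typing import List

GSN_PREFIX = ipaddress.IPv6Network("2001:648:8000::/35")  # placeholder, assumption
POP_LEN, DIST_LEN, SCHOOL_LEN, LAN_LEN = 48, 52, 56, 64


def nth_subnet(parent: ipaddress.IPv6Network, new_prefix: int, n: int) -> ipaddress.IPv6Network:
    """Return the n-th /new_prefix inside parent without enumerating all of them."""
    count = 1 << (new_prefix - parent.prefixlen)
    if not 0 <= n < count:
        raise ValueError(f"only {count} /{new_prefix} prefixes fit in {parent}")
    base = int(parent.network_address) + (n << (128 - new_prefix))
    return ipaddress.IPv6Network((base, new_prefix))


def pop_prefix(pop: int) -> ipaddress.IPv6Network:
    """The /48 for GSN PoP number pop (0-based), carved from the /35."""
    return nth_subnet(GSN_PREFIX, POP_LEN, pop)


def dist_prefix(pop: int, dist: int) -> ipaddress.IPv6Network:
    """The /52 for distribution node dist under PoP pop."""
    return nth_subnet(pop_prefix(pop), DIST_LEN, dist)


def school_prefix(pop: int, dist: int, school: int) -> ipaddress.IPv6Network:
    """The /56 for a school under distribution node dist of PoP pop."""
    return nth_subnet(dist_prefix(pop, dist), SCHOOL_LEN, school)


def school_lans(school: ipaddress.IPv6Network) -> List[ipaddress.IPv6Network]:
    """The /64s the school router can hand out to its LANs via DHCP-PD."""
    return list(school.subnets(new_prefix=LAN_LEN))


def aggregates_cleanly(pop: int, dist: int, school: int) -> bool:
    """Check the chain school /56 < distribution /52 < PoP /48 < GSN /35, which is
    what lets each distribution node and PoP announce a single aggregate upstream."""
    s, d, p = school_prefix(pop, dist, school), dist_prefix(pop, dist), pop_prefix(pop)
    return s.subnet_of(d) and d.subnet_of(p) and p.subnet_of(GSN_PREFIX)


if __name__ == "__main__":
    for idx in [(0, 0, 0), (1, 2, 3)]:
        print(idx, school_prefix(*idx), "aggregates:", aggregates_cleanly(*idx))
```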
Routing (1)
• OSPFv3 as Interior Gateway Protocol
  – OSPFv3 for IPv6 traffic while OSPFv2 for IPv4 traffic
• OSPF instead of IS-IS because:
  – Familiarity with OSPFv2 used for IPv4
  – Supported by most low-end access routers
  – Increased granularity with area management
  – IS-IS demands a “D – Day” (transition). Otherwise, it requires the support of incongruent network topologies for IPv6 and IPv4 - Multi-topology extensions of IS-IS
Routing (2)
• BGP-MP as Exterior Gateway Protocol
  – Separate routing for IPv4 and IPv6
  – Same routing policy for IPv4/6
  – IPv6 connections for IPv6 route exchange
• Smooth transition without affecting current routing
Address delegation in schools
• Delegating IPv4/6 addresses in GSN is a two-step process
  – Delegate an IPv6 prefix to the WAN interface and then assign an IPv6 prefix for the LAN interfaces.
  – Use another -different and independent- process for delegating IPv4 addresses.
• Scenario A – Simple
  – WAN interface gets a /128 IPv6 address via IPCPv6, or the IPv6 loopback is statically configured.
  – LAN interface(s) are manually configured.
  – Set a static route at the LNS towards the CPE.
  – Easy to deploy on IPv6-enabled routers but difficult to manage the access network! No means to provide extra configuration parameters to the local PCs, e.g. NTP servers.
Address delegation in schools (2)
• Scenario B – Using DHCP-PD
  – WAN interface gets a /64 prefix -instead of a specific IPv6 address- by using IPCPv6. If there is a need for a static address assignment to the school router, the Frame-Interface-ID* should also be provided.
  – Internal LAN interfaces are automatically configured using DHCP-PD (prefix delegation). This process takes place at the IP layer, i.e. independent of the PPP session.
  – Automatically, a static route towards the CPE is set at the LNS.
  – This scenario allows fully automated interface configuration, while it is possible to provide extra configuration parameters to the local PCs.
* Vendor-specific attribute (VSA) used to support AAA for IPv6. It indicates the interface to be configured.
Access (2)
[Figure: DHCP-PD access flow. Subscriber: PCs create an IPv6 address using stateless autoconfiguration; CPE router and modem. NAP: DSLAM, LAC (BBRAS). Greek School Network: LNS (Edge router), Radius server. PPPoA from the CPE, L2TP between LAC and LNS. Steps: dial-in request; the Radius server returns a /64 prefix and a /48 prefix; a /64 address prefix is assigned to the ADSL interface and a /56 address prefix is allocated for the internal LAN interfaces.]
Enabling IPv6 at Servers/Services (1)
• Servers vs. Services
  – Multiple services running in each server (node) rather than having one service per server.
  – Always set a static IPv6 address
  – Avoid service degradation while enabling IPv6
Enabling IPv6 at Servers/Services (2)
• DNS
  – Service based on BIND 9.3.1
    • Populate the forward and the ip6.arpa reverse zones
    • For DNS queries, use IPv6 as transport protocol (e.g. Linux, Unix, Vista) or IPv4 (e.g. Win XP)
    • When a DNS query returns both AAAA and A records, then -by default- prefer IPv6 to connect! If it fails, fall back to IPv4.
  – Activate IPv6 in all supported services at a server node and later on update the appropriate DNS records.
    • Initially, use different A (IPv4) and AAAA (IPv6) records, e.g. www-ipv6.sch.gr, and monitor the operation of the service.
Enabling IPv6 at Servers/Services (3)
• SMTP
  – Service based on Qmail 1.03 using a patch from http://pyon.org/fujiwara/
• POP, IMAP
  – Courier with IPv6 support
  – Clients were ready, e.g. Thunderbird, Mozilla, etc.
• Web service - Portal
  – Service based on Apache 2.0 + JBoss
  – J2SDK/JRE 1.4 release, support of IPv6 in Java Networking
  – Tomcat ver. 5 OK
  – Clients were ready, e.g. Firefox, MS Explorer, etc.
• Instant Messaging
  – Jabber
Enabling IPv6 at Servers/Services (4)
• Radius
  – Exchange IPv6 information using IPv4 as transport protocol.
  – Server supports IPv6-related attributes as vendor specific attributes, e.g. interface-id, prefix-id, etc.
  – For DHCP-PD a new attribute was added
    • For user user1, a user1-dhcpv6 entry was added, which fixes the prefix for every user.
• Dialup-admin
  – In-house management software
  – User management application
  – 2 new attributes (interface-id and prefix-id)
Next Steps
• Content Filtering
  – Squid, SquidGuard
    • Currently, a beta version of the squid3 branch is used
  – LDAP activation
    • Sun One i-planet directory server version 5.2 supports IPv6
• Deployment of IPv6-capable routers in a larger number of schools.
  – Activate IPv6 services in internal PC-labs
  – Duration is related to the equipment life-cycle.
Conclusions - Recommendations
• Avoid any impact to IPv4 interconnection services
  – Good planning, extended testing
• Upgrade hardware and software
  – Add IPv6-related specifications in long-term procurement plans.
• Educate NOCs
  – Lack of experience of network engineers may be a problem in large and distributed networks.
• Use open-source software
  – IPv6-ready and easily adapted to fulfil most of the requirements, e.g. WEB content filtering in GSN.
More info: [email protected]