Deploying IPv6 Services over broadband connections: The Greek School Network case
Athanassios Liakopoulos, Kostas Kalevras, Dimitrios Kalogeras
TERENA Conference 2006 (TNC2006, Catania)

Outline
• Introduction to xDSL technology
• IPv6 @ a glance
• The Greek School Network
• Reasons to use IPv6 technology
• IPv6 in GSN – Roadmap, Addressing, Routing, Applications, etc.
• Conclusion & Recommendations

Entities involved in an xDSL environment
• Subscriber (xDSL User)
  – PCs, modem, bridge/router
• Network Access Provider (NAP)
  – Responsible for the management of the copper local loop.
  – DSLAM, BBRAS, radius server*
• Network Service Provider (NSP)
  – Responsible for providing interconnection with the Internet. May offer other added-value services.
  – Edge router, radius server*
[Diagram: Subscriber (CPE: modem, router) – NAP (DSLAM, BBRAS, radius server) – NSP (edge router)]

Implementation details
• xDSL modem
  – Encapsulates Subscribers' traffic into ATM cells, signal (de)modulation
• DSL Access Multiplexer (DSLAM)
  – Signal (de)modulation, aggregates traffic over ATM links
• Broad Band Remote Access Concentrator (BBRAS)
  – Terminates the Subscribers' ATM connections, tunnels or routes traffic to the NSP edge router.
• Radius Server
  – Contains subscriber configuration templates
• NSP edge router
  – Terminates PPP sessions or L2TP tunnels, gateway to the Internet

Ethernet bridging over ATM
• The CPE forwards IP packets using multi-protocol encapsulation over ATM adaptation layer 5 (AAL5).
• Minimum functionality is required for the CPE, aka xDSL modem (L3-unaware device).
• A single ATM PVC is used for IPv4/6 interconnection.
• Subscriber's PCs are configured with a static IPv6 address, via DHCPv6 or via auto-configuration.
• This method does not support authentication and authorization functionality!
[Protocol stack diagram: Subscriber – CPE modem – DSLAM (Ethernet bridging); IPv6 over 802.3 on the subscriber side, RFC1483 over ATM over xDSL between CPE and DSLAM]

PPP over AAL5 (PPPoA) - PTA
• The CPE supports IPv6/4 packet forwarding and interconnects multiple systems in the Subscriber's local network.
• A single PPPoA session is established over an ATM PVC, allowing the CPE router to establish two PPP network-layer sessions: an IPv6 one (IPCPv6) and an IPv4 one (IPCP).
• IPv6 addresses are assigned automatically over the PPP session using attributes stored in a centralised radius server or local database.
• The CPE can be authenticated using one of multiple protocols, such as PAP, CHAP, MS-CHAP, EAP, etc.
[Protocol stack diagram: Subscriber – CPE router/modem – DSLAM – BBRAS (NAP/NSP) – Radius server; PPPoA over RFC1483/ATM/xDSL between CPE and BBRAS, IPv6 end to end]

PPP over AAL5 (PPPoA) - LAA
• In case the NAP and the NSP are different, the PPP sessions do not terminate at the BBRAS but at the edge router.
  – BBRAS = L2TP Access Concentrator (LAC)
  – Edge router = L2TP Network Server (LNS)
• Two PPP sessions are established from the CPE router, which terminate at the LNS. The LAC is IPv6-unaware.
• Address assignment and authentication methods are performed in the same way as previously, but now the radius server is managed by the NSP.
[Diagram: Subscriber – CPE (modem, router) – DSLAM – LAC (BBRAS) at the NAP – L2TP – LNS (edge router) and radius server at the NSP; PPPoA from the CPE, carried inside L2TP between LAC and LNS]

PPP over Ethernet (PPPoE)
• Separate PPP sessions are established between the Subscriber's systems (or CPE) and the BBRAS for IPv6 and IPv4 traffic.
  – Same IPv4/6 address allocation schema as in PPPoA
  – Sessions may terminate in the LNS in the NSP network (not shown).
  – If PPP sessions terminate at the Subscriber's system, then the CPE may be L3-unaware, aka cheap(!). It requires, however, specific software to be installed on the Subscribers' systems.
• The advantage of this approach is that it allows access control and service selection to be done on a per-subscriber rather than a per-site basis.
[Protocol stack diagram: Subscriber – CPE router/modem – DSLAM – BBRAS (NAP/NSP) – Radius server; PPPoE over 802.3 on the subscriber side, RFC1483/ATM/xDSL between CPE and BBRAS, IPv6 end to end]

IPv6 @ a glance
• IPv6 Address: 128 bits
  – GRNET address space 2001:648::/32
• Allows for routable addresses for "everything"
  – IP phones, 3G devices, sensors, personal devices, appliances ...
• Easy way of end-system configuration
  – IP address stateless auto-configuration: address_prefix:f(MAC_address)
  – Enhanced DHCP parameter passing: NTP, SMTP, SIP ... servers (in addition to IP address, GW, DNS)
  – DHCP prefix delegation – assign multiple addresses to a client
• Better support of mobility
  – Multiple IPv6 addresses per interface, associated with multiple networks
• Security
  – Mandatory IPSec support -> This is not a panacea.
  – End-to-end encryption is now possible
  – Might open unknown network security hazards (new technology)
• Multicasting
  – Embedded Rendezvous Points selected at session initiation
• QoS
  – Flow Label in header allows easy packet differentiation
• Multi-homing potential

Greek School Network
• Backbone: 8 PoPs
  – Connected to GRNET
• Distribution: 52 PoPs
  – 9 major
  – 43 secondary
  – 75 routers, 71 servers
• Access: 6k primary and 3.7k secondary schools
• Access Technologies
  – PSTN / ISDN
  – Leased Lines
  – Wireless
  – ADSL, VDSL
[Diagram: GRnet – Distribution Network – www.sch.gr]

GSN – cont. – Services
• Basic Services
  1. Dial-up
  2. Proxy/Cache
  3. Web-Filtering
  4. Web-Page Generator
  5. Web-Hosting
  6. Portal (www.sch.gr)
• Communication Services
  1. E-mail (POP3, IMAP, web-mail)
  2. Forums (www.sch.gr/forums)
  3. News (www.sch.gr/news)
  4. Instant Messaging (www.sch.gr/im)
  5. Teleconference (www.sch.gr/conf)
  6. Voice over IP
• Infrastructure
  1. DNS
  2. Directory Service (LDAP)
  3. User registration service
  4. Statistics (www.sch.gr/statistics)
  5. Help-Desk (www.sch.gr/helpdesk)
  6. GIS
• Advanced
  1. E-learning (www.sch.gr/e-learning)
  2. Video on Demand – VoD (www.sch.gr/vod)
  3. Secure Content Delivery with Reliable multicast (www.sch.gr/scd)
  4. Real time services (www.sch.gr/rts)

Why use IPv6 (and not stick to IPv4)?
• IPv6 removes the limitations imposed by the inadequate number of available IPv4 addresses
  – Every school has a NAT / PAT gateway due to address shortage.
  – Difficult to debug interconnection problems.
  – Need for static addresses, e.g. for local servers.
  – Enough address space for every school and pupil!
• P2P applications do not work with servers behind PAT
  – Multimedia e-learning and peer-to-peer virtual collaboration applications.
  – Easier P2P application development.

Why use IPv6 (and not stick to IPv4)? (2)
• Management and security issues
  – Deployment procedures in large numbers: stateless auto-configuration, CPE routers, Windows Vista
  – Security -based on ACLs- is simplified using the IPv6 addressing schema.
• Innovation
  – Exposure to new technologies – today's school pupils are the future engineers.
  – IPv6 allows the development of new advanced services that exploit features unique to IPv6 environments, such as enhanced security or mobility.
  – Multiply the impact of other IPv6-enabled networks in Greece.
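Added example, not from the slides: the address_prefix:f(MAC_address) rule in the "IPv6 @ a glance" slide is the modified EUI-64 construction. The MAC below is constructed so that the result is the example address quoted in the "IPv6 from the ISP perspective" slide; the reverse function shows the defender-side caveat that an EUI-64 address exposes the hardware address, which is why privacy (random) interface identifiers exist.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Derive the 64-bit modified EUI-64 interface identifier from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    # Invert the universal/local bit (bit 1 of the first octet) ...
    first = octets[0] ^ 0x02
    # ... and insert 0xfffe between the OUI and the device-specific part.
    eui = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """address_prefix:f(MAC_address): the advertised /64 plus the EUI-64 id."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def mac_from_eui64(addr: str):
    """Recover the MAC when the interface id is EUI-64 based; None otherwise
    (e.g. a manually set or privacy/random interface id)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    octets = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{o:02x}" for o in octets)

# Constructed input: a MAC chosen so the result equals the slide's example address.
EXAMPLE_PREFIX = "2001:db8:0:d802::/64"
EXAMPLE_MAC = "00:d0:b7:88:eb:8a"

if __name__ == "__main__":
    addr = slaac_address(EXAMPLE_PREFIX, EXAMPLE_MAC)
    print(addr, "->", mac_from_eui64(str(addr)))
```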
IPv6 from the ISP perspective (1)
• Small differences between IPv4 and IPv6
• Address size
  – Extension of address space from 32 bit to 128 bit
  – Change in the representation of addresses: from decimal to hexadecimal format
  – Example IPv4: 192.168.128.254
  – Example IPv6: 2001:db8:0:d802:2d0:b7ff:fe88:eb8a
  – RFC3513 "IPv6 Addressing Architecture"
• Smaller routing table
  – IPv4: ~150,000 routes
  – IPv6: ~600 routes; multiples of /35 in Tier-1, multiples of /48 in Tier-2 networks

IPv6 from the ISP perspective (2)
• Address delegation is structured
  – Large (or practically unlimited) IPv6 address space is available.
  – Easy to structure your own addressing architecture
  – Homogeneous blocks
  – Address conservation is no longer an issue.
• Address assignment
  – LANs: /64 (using stateless auto-configuration)
  – Point-to-point: /64 (or /126)
  – End sites: /48

IPv6 deployment phases in GSN
• Study and define the transition strategy
• Prepare the IPv6 addressing and routing plan
  – Get IPv6 address space from the LIR
• Upgrade the core and distribution network
  – Dual-stack network – no need for tunnels
  – No major problems with the support of IPv6 in commercial products
• Select the methods for address allocation to school access networks
  – Multi-vendor access routers exhibited different capabilities, so different models were tested.
  – Minimize the management overhead: prefer DHCP prefix delegation (DHCP-PD) when possible.

IPv6 deployment phases in GSN (2)
• Enable IPv6 in basic and advanced services
  – Difficult to identify software dependencies between commercial, open-source and in-house developed software.
  – DNS (BIND), Email (Qmail, Courier-IMAP), Web portal (Apache), Directory Services (iPlanet), Web filtering (Squid web proxy), multiple in-house built tools, etc.
• Update management tools to monitor and control the network
• Select a small group of schools as a testbed
  – Gradually extend IPv6 interconnection to all access nodes (in progress)
• Extend IPv6 services to PC-based LANs (in progress)
  – Use IPv6 stateless autoconfiguration

Addressing IPv6 in GSN
• Assign a /35 address prefix for the GSN
  – Allocated from the GRNET sTLA 2001:648::/32
• Allocate a /56 for each school
  – RIPE allows a /48 for every non-single-node customer
  – Enough address space for any future needs
• Addressing plan is aligned with the hierarchical structure of the network
  – Aggregate into /52 address prefixes in each distribution node and further aggregate into /48 in each GSN PoP
  – Addressing schema allows the interconnection of 32K schools

Routing (1)
• OSPFv3 as Interior Gateway Protocol
  – OSPFv3 for IPv6 traffic, OSPFv2 for IPv4 traffic
• OSPF instead of IS-IS because:
  – Familiarity with OSPFv2 used for IPv4
  – Supported by most low-end access routers
  – Increased granularity with area management
  – IS-IS demands a "D-Day" (transition). Otherwise, it requires the support of incongruent network topologies for IPv6 and IPv4 (multi-topology extensions of IS-IS).

Routing (2)
• BGP-MP as Exterior Gateway Protocol
  – Separate routing for IPv4 and IPv6
  – Same routing policy for IPv4/6
  – IPv6 connections for IPv6 route exchange
• Smooth transition without affecting current routing

Address delegation in schools
• Delegating IPv4/6 addresses in GSN is a two-step process
  – Delegate an IPv6 prefix to the WAN interface and then assign an IPv6 prefix to the LAN interfaces.
  – Use another -different and independent- process for delegating IPv4 addresses.
• Scenario A – Simple
  – WAN interface gets a /128 IPv6 address via IPCPv6, or an IPv6 loopback is statically configured.
  – LAN interface(s) are manually configured.
  – A static route towards the CPE is set manually at the LNS.
  – Easy to deploy on IPv6-enabled routers but difficult to manage the access network! No means to provide extra configuration parameters to the local PCs, e.g. NTP servers.

Address delegation in schools (2)
• Scenario B – Using DHCP-PD
  – WAN interface gets a /64 prefix -instead of a specific IPv6 address- by using IPCPv6. If there is a need for a static address assignment to the school router, the Framed-Interface-ID* should also be provided.
  – Internal LAN interfaces are automatically configured using DHCP-PD (prefix delegation). This process takes place at the IP layer, aka independent of the PPP session.
  – A static route towards the CPE is automatically set at the LNS.
  – This scenario allows fully automated interface configuration while it is possible to provide extra configuration parameters to the local PCs.
  * Vendor-specific attribute (VSA) used to support AAA for IPv6. It indicates the interface to be configured.

Access (2)
• Create an IPv6 address using stateless autoconfiguration
• Assign a /64 address prefix for the ADSL interface
• Allocate a /56 address prefix for the internal LAN interfaces
[Diagram: Subscriber – CPE (modem, router) – DSLAM – LAC (BBRAS) at the NAP – L2TP – LNS (edge router) and radius server in the Greek School Network; the CPE sends a dial-in request over PPPoA and the radius server returns a /64 prefix and a /48 prefix]

Enabling IPv6 at Servers/Services (1)
• Servers vs. Services
  – Multiple services running in each server (node) rather than having one service per server.
  – Always set a static IPv6 address
  – Avoid service degradation while enabling IPv6

Enabling IPv6 at Servers/Services (2)
• DNS
  – Service based on BIND 9.3.1
  – Populate the forward and the ip6.arpa reverse zones
  – For DNS queries, use IPv6 as transport protocol (e.g. Linux, Unix, Vista) or IPv4 (e.g. Win XP)
  – When a DNS query returns both AAAA and A records, then -by default- prefer IPv6 to connect! If it fails, fall back to IPv4.
  – Activate IPv6 in all supported services at a server node and later on update the appropriate DNS records. Initially, use different A (IPv4) and AAAA (IPv6) records, e.g. www-ipv6.sch.gr, and monitor the operation of the service.

Enabling IPv6 at Servers/Services (3)
• SMTP
  – Service based on Qmail 1.03 using a patch from http://pyon.org/fujiwara/
• POP, IMAP
  – Courier with IPv6 support
  – Clients were ready, e.g. Thunderbird, Mozilla, etc.
• Web service - Portal
  – Service based on Apache 2.0 + JBoss
  – J2SDK/JRE 1.4 release, support of IPv6 in Java Networking
  – Tomcat ver. 5 OK
  – Clients were ready, e.g. Firefox, MS Explorer, etc.
• Instant Messaging
  – Jabber

Enabling IPv6 at Servers/Services (4)
• Radius
  – Exchange IPv6 information using IPv4 as transport protocol.
  – Server supports IPv6-related attributes as vendor-specific attributes, e.g. interface-id, prefix-id, etc.
  – For DHCP-PD a new attribute was added: for user user1, user1-dhcpv6 was added, which fixes the prefix for every user.
• Dialup-admin
  – In-house management software
  – User management application
  – 2 new attributes (interface-id and prefix-id)

Next Steps
• Content Filtering – Squid, SquidGuard
  – Currently, a beta version of the squid3 branch is used
• LDAP activation
  – Sun One iPlanet directory server version 5.2 supports IPv6
• Deployment of IPv6-capable routers in a larger number of schools.
  – Activate IPv6 services in internal PC-labs
  – Duration is related to the equipment life-cycle.

Conclusions - Recommendations
• Avoid any impact on IPv4 interconnection services
  – Good planning, extended testing
• Upgrade hardware and software
  – Add IPv6-related specifications in long-term procurement plans.
• Educate NOCs
  – Lack of experience of network engineers may be a problem in large and distributed networks.
• Use open-source software
  – IPv6-ready and easily adapted to fulfil most of the requirements, e.g. WEB content filtering in GSN.
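Added example, not from the slides or GSN's own tooling: the hierarchical plan from "Addressing IPv6 in GSN" (/35 for GSN, /48 per PoP, /52 per distribution node, /56 per school) and the Scenario B reply (a /64 for the ADSL interface via IPCPv6, the school /56 via DHCP-PD) worked through with the standard library. The /35 and the WAN link block are hypothetical values inside 2001:648::/32, the attribute names are the standard RFC 3162/4818 ones rather than GSN's in-house VSAs, and the summary function checks the property the plan is built for: the per-CPE static routes at the LNS collapse into the distribution /52.

```python
import ipaddress
from ipaddress import IPv6Network

# Assumed values: the slides give GRNET's 2001:648::/32 and the prefix lengths,
# not the actual blocks. Both hypothetical blocks sit inside the GRNET /32.
GRNET = IPv6Network("2001:648::/32")
GSN = IPv6Network("2001:648:2000::/35")      # hypothetical /35 for the GSN
LINKS = IPv6Network("2001:648:ff00::/40")    # hypothetical block for WAN /64s

def nth_subnet(parent: IPv6Network, new_prefix: int, n: int) -> IPv6Network:
    """The n-th /new_prefix block inside parent, computed without enumerating."""
    count = 1 << (new_prefix - parent.prefixlen)
    if not 0 <= n < count:
        raise ValueError(f"only {count} /{new_prefix} blocks fit in {parent}")
    base = int(parent.network_address) + n * (1 << (128 - new_prefix))
    return IPv6Network((base, new_prefix))

def school_prefix(pop: int, dist: int, school: int) -> IPv6Network:
    """/35 -> /48 per PoP -> /52 per distribution node -> /56 per school."""
    return nth_subnet(nth_subnet(nth_subnet(GSN, 48, pop), 52, dist), 56, school)

def scenario_b_reply(pop: int, dist: int, school: int, interface_id=None) -> dict:
    """Attributes the radius server hands back in Scenario B: a /64 for the
    ADSL (WAN) interface via IPCPv6 and the school's /56 for the LANs via
    DHCP-PD. The optional interface id pins the router's WAN address."""
    link_index = (pop * 16 + dist) * 16 + school       # one /64 per school link
    reply = {
        "Framed-IPv6-Prefix": nth_subnet(LINKS, 64, link_index),
        "Delegated-IPv6-Prefix": school_prefix(pop, dist, school),
    }
    if interface_id:
        reply["Framed-Interface-Id"] = interface_id
    return reply

def lns_summary(school_nets) -> list:
    """Collapse the static routes the LNS installs towards the CPEs; a full
    distribution node folds into its single /52, a full PoP into its /48."""
    return list(ipaddress.collapse_addresses(school_nets))

if __name__ == "__main__":
    node = [school_prefix(0, 3, s) for s in range(16)]
    print(lns_summary(node))
    print(scenario_b_reply(0, 3, 5, "0:0:0:1"))
```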
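Added example, not from the slides or the GSN deployment: the DNS steps in "Enabling IPv6 at Servers/Services (2)" as code, building the AAAA line for a trial name such as www-ipv6.sch.gr, the matching ip6.arpa PTR line, the reverse-zone name for a nibble-aligned block, and the connect order the slide describes (IPv6 first, IPv4 as fallback). Host names and addresses are constructed sample values; the IPv6 address is the one quoted on the ISP-perspective slide.

```python
import ipaddress

def ip6_arpa_zone(prefix: str) -> str:
    """Name of the reverse zone for a nibble-aligned prefix (e.g. a PoP /48).
    Raises for lengths such as /35 that are not cut on a 4-bit boundary."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("reverse zones are delegated on nibble boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def ptr_record(addr: str, host: str) -> str:
    """The PTR line to put in the ip6.arpa zone for one server address."""
    return f"{ipaddress.IPv6Address(addr).reverse_pointer}. IN PTR {host}."

def forward_records(host: str, v4=None, v6=None) -> list:
    """A and/or AAAA lines; during the trial only the www-ipv6 name gets AAAA."""
    lines = []
    if v4:
        lines.append(f"{host}. IN A {v4}")
    if v6:
        lines.append(f"{host}. IN AAAA {ipaddress.IPv6Address(v6).compressed}")
    return lines

def connect_order(answers) -> list:
    """Order a mixed answer set as the slide describes: AAAA first, A after.
    answers: list of (rrtype, address) tuples."""
    return [a for t, a in answers if t == "AAAA"] + [a for t, a in answers if t == "A"]

def connect_with_fallback(answers, try_connect):
    """Return the first address that try_connect(addr) accepts, IPv6 before IPv4."""
    for addr in connect_order(answers):
        if try_connect(addr):
            return addr
    return None

if __name__ == "__main__":
    # Constructed sample: trial name with the slide's example address.
    print(forward_records("www-ipv6.sch.gr", v6="2001:db8:0:d802:2d0:b7ff:fe88:eb8a"))
    print(ptr_record("2001:db8:0:d802:2d0:b7ff:fe88:eb8a", "www-ipv6.sch.gr"))
    print(ip6_arpa_zone("2001:648::/32"))
```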
More info: [email protected]