NTT Communications’ IPv6 Backbone, Access, and Applications
Takeshi TOMOCHIKA, NTT Communications
6th July, 2004
Agenda
• NTT Communications’ IPv6 Activities
• Dual Stack ADSL Access Service
• Service Platform & Framework
NTT Communications’ Global IPv6 Backbone (ntt.net)
Our Strength
• Global IPv6 network covering Asia, the U.S. and Europe
• IPv4/IPv6 dual-stack backbone
• Commercial IPv6 transit services in Japan (Apr ’01-), in Europe (Feb ’03-), in the U.S. (June ’03-) and in many other AP-region countries (June ’03-)
• 24x7 monitoring and operations by dual NOCs in Japan and the U.S.
• More than three years’ operational experience
• Worldwide IPv6-IX connectivity
  • Japan: NSPIXP6, JPNAP6 (Tokyo)
  • U.S.: PAIX, Equi6IX (West coast), Equi6IX (East coast)
  • Europe: LINX, UK6X (London), AMS-IX (Amsterdam), DE-CIX (Frankfurt), PARIX (Paris), ESPANIX (Madrid)
(Map on the slide: POPs in Japan, Korea, Taiwan, Hong Kong, Malaysia, Australia, the U.S. and Europe, connected to the IXes listed above.)
NTT Communications’ Two ASes
• AS2914 (ntt.net): the global backbone
• AS4713
• Regional operating companies on the map: Verio (the U.S.), NTT Korea, NTT Taiwan, NTT Com Asia (Hong Kong), NTT MSC (Malaysia), NTT Australia, NTT Europe
• IX connections on the map: NSPIXP6, JPNAP6, PAIX, EQUI6IX (two sites), LINX, UK6X, AMS-IX, DE-CIX, PARIX, ESPANIX
Transition of NTT Communications’ IPv6 Services (2001-200X)
Service types, in order of introduction: IPv6 over IPv4 tunneling service, IPv6 native service, IPv6 and IPv4 dual stack service
Customer segments: Personal, SOHO, Enterprise, iDC, ISP (the slide plots bandwidth against year)
• OCN IPv6 Tunneling Service (2001 spring-)
• ntt.net IPv6 Gateway Service (2001 spring-)
• ntt.net IPv6 Tunneling Service (2002 spring-)
• OCN ADSL Dual Service (2002 summer-)
• ntt.net Dual Stack Service (2004 spring-)
ntt.net’s Global Backbone Transition
Before 2000: only IPv4
• Worldwide global IP network; global tier-1 network as one AS (AS2914)
• Only IPv4 available
Q1 2000 - Q2 2003: IPv4 and IPv6 separately
• Set up a global IPv6 backbone covering Asia, the U.S. and Europe
• The IPv4 and IPv6 networks are separate; routing control and peering policies are independent between IPv4 and IPv6
• IPv6 backbone: uses tunnel links where appropriate to save cost; provides native and tunneling services, not a dual-stack service
• IPv4 backbone: no effect on the existing IPv4 backbone from the IPv6 side; IPv6 traffic is carried as IPv4 traffic on the tunnel links
Current: IPv4/IPv6 dual stack
• All backbone routers handle both IPv4 and IPv6 traffic
• Routing control and peering policies remain independent between IPv4 and IPv6
• Trouble on one protocol is basically isolated from trouble on the other
• ntt.net runs more than 100 dual-stack backbone routers now!
(Link types in the diagrams: IPv4/IPv6 dual link, IPv6 native link, IPv6-over-IPv4 tunnel link.)
History of NTT Communications’ IPv6 Activities
• 1996: NTT Labs started to operate one of the world’s largest global IPv6 research networks.
• 1997: CICNet and NWNet, later acquired by Verio, started operating major nodes of 6bone.
• 1999: NTT Communications (NTT Com) obtained an sTLA from APNIC. NTT Com started an IPv6 tunneling trial service for its domestic ISP “OCN” customers in Japan (over 200 trial customers).
• 2000: NTT MCL started the world’s first commercial IPv6 IX (s-IX) in San Jose, US. NTT Europe started an IPv6 trial service (over 400 trial customers).
• 2001: NTT Com started the world’s first commercial IPv6 services, “ntt.net IPv6 Gateway Service” and “OCN IPv6 Tunneling Service”. HKNet started commercial IPv6 services in Hong Kong. NTT Com played a key role in the Japanese national project “IPv6 Home Appliance Trials”. NTT Com participated in the European Communities’ “6NET / Large-Scale International IPv6 Test bed” project and in the Chinese IPv6 telecom trial network “6TNET” project.
• 2002: OCN started the “IPv6/IPv4 dual stack ADSL access service” with a Plug and Play feature (site auto-configuration). NTT MSC started commercial IPv6 services in Malaysia. NTT Australia IP started IPv6 services in Australia. NTT Com won the World Communication Awards 2002, “Best Technology Foresight – IPv6” and “Best Carrier – AP Region”.
• 2003: NTT Europe started commercial IPv6 services in Europe. Verio (in the U.S.) and some Asia/Pacific subsidiaries (Korea, Taiwan) started commercial IPv6 services. ntt.net’s backbone became IPv4/IPv6 dual stack.
• 2004: IPv6/IPv4 dual stack services are provided at all of ntt.net’s POPs.
NTT Communications’ Evolution in IPv6 (1996-2003)
Network layer
• Research phase (1996-): NTT Labs started a global IPv6 research network; Verio joined 6bone in the U.S.
• Trial phase (1999-2000): NTT Com obtained an sTLA address; OCN tunneling trial in Japan (200 users); NTT Europe IPv6 trial (400 users); NTT MCL started a commercial IPv6-IX service in the U.S.
• Commercial service phase (2001-): NTT Communications started commercial IPv6 service in Japan; service in Hong Kong; services in Malaysia / Australia; services in Korea, Taiwan and the U.S.
Application layer
• Joined the Japanese national project, the European project “6net” and the Chinese project “6TNet”
• p2p application trial: “P2P VPN Platform”
• Service platform
Agenda: Dual Stack ADSL Access Service
Broadband Market in Japan & Our Position
(Chart: subscribers 2001-2003 for corporate broadband (Oct. 2002), DSL access (Mar. 2003) and residential broadband (Mar. 2003). Source: Nikkei Market Access Report and www.soumu.go.jp.)
OCN IPv6/IPv4 Dual ADSL Service Outline (\5,980 / month)
Features:
• Broadband (12M) access service via ACCA Networks’ ADSL lines
• IPv4 and IPv6 dual stack connectivity
• Easy setup through a Plug and Play function (auto configuration for the router and for hosts)
Prospective customer segments:
• Advanced individual / SOHO users
• IPv6 application or device developers
Address assignment:
• IPv4: one global address (dynamic)
• IPv6: one /48 global address prefix (static)
Additional services:
• Same as the OCN IPv4 services (e-mail, Web, News, etc.)
• IPv6 DNS service
(Diagram: customer’s LAN, ADSL access line, OCN/ACCA; IPv4 access via OCNv4, IPv6 access via OCNv6.)
OCN IPv6/IPv4 Dual ADSL Service with PnP Function (PE - ADSL - CPE - LAN - Host)
IPv4 connection:
• PPP IPCP between the CPE and the PE assigns the CPE one global IPv4 address
• LAN hosts get private IPv4 addresses from the CPE via DHCPv4
IPv6 connection:
• PPP IPV6CP brings up the link with link-local IPv6 addresses
• DHCPv6-PD from the PE delegates a /48 site prefix to the CPE
• The CPE forms a /64 for each LAN (the /48 site prefix followed by a 16-bit NW ID) and announces it in Router Advertisements
• Each host forms its global IPv6 address from the /64 prefix in the RA plus a 64-bit interface ID
Standardization (PE - RADIUS - CPE - LAN - Host)
• Authentication: RADIUS with IPv6 attributes (RADIUSv6), RFC 3162
• Link configuration: PPP IPV6CP, RFC 2472
• CPE configuration (prefix / DNS): DHCPv6 and prefix delegation, RFC 3315, RFC 3633, RFC 3769, RFC 3646
• Host configuration (address / DNS): stateless address autoconfiguration, RFC 2462; DHCPv6-lite (stateless DHCPv6) or similar, RFC 3736
• Overall service: draft-shirasaki-dualstack-service-04
NTT Communications contributed to these RFCs.
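The two slides above describe the address assignment steps of the PnP service in diagram form. The following is an added example, written for this page and not code from NTT Communications or the OCN service, that works through the arithmetic: a delegated /48 is checked, carved into per-LAN /64 prefixes using the 16-bit NW ID, and turned into host addresses with a modified EUI-64 interface ID (RFC 2464), the stateless-autoconfiguration method that RFC 2462 describes. The delegated prefix is a documentation prefix, the MAC addresses are constructed, and all function names are this example's own.

```python
"""
Added example (not from the NTT Communications slides): the address arithmetic
behind the dual-stack ADSL PnP service.

  PE  --PPP IPV6CP-->  CPE      link-local addresses only
  PE  --DHCPv6-PD-->   CPE      one static /48 site prefix
  CPE --RA-->          hosts    one /64 per LAN = site prefix + 16-bit NW ID
  host                          global address = /64 prefix + EUI-64 interface ID

The delegated prefix is RFC 3849 documentation space; MACs are constructed.
"""
import ipaddress

DELEGATED_PREFIX = ipaddress.IPv6Network("2001:db8:1234::/48")  # constructed
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")              # RFC 4291 range


def check_delegation(prefix: ipaddress.IPv6Network) -> ipaddress.IPv6Network:
    """CPE-side check of the DHCPv6-PD delegation: the service hands out a /48
    of global unicast space, so anything else (wrong length, link-local or ULA
    space from a misconfigured or spoofed server) is refused, not advertised."""
    if prefix.prefixlen != 48:
        raise ValueError(f"expected a /48 delegation, got /{prefix.prefixlen}")
    if not prefix.subnet_of(GLOBAL_UNICAST):
        raise ValueError(f"{prefix} is not global unicast space")
    return prefix


def mac_to_eui64(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 2464):
    split the MAC, insert ff:fe in the middle, flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 6 octets")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """Address used on the link before any prefix is known: fe80::/64 + IID."""
    return ipaddress.IPv6Address((0xFE80 << 112) | mac_to_eui64(mac))


def lan_prefix(site_prefix: ipaddress.IPv6Network, nw_id: int) -> ipaddress.IPv6Network:
    """CPE: the /64 for LAN segment nw_id out of the delegated /48.
    Address bits 48-63 carry the NW ID shown on the slide."""
    if not 0 <= nw_id < (1 << 16):
        raise ValueError("NW ID must fit in 16 bits")
    base = int(check_delegation(site_prefix).network_address)
    return ipaddress.IPv6Network((base | (nw_id << 64), 64))


def slaac_address(prefix: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """Host: stateless autoconfiguration from the prefix in the RA (RFC 2462).
    SLAAC needs prefix length + IID length == 128, so only a /64 is usable."""
    if prefix.prefixlen != 64:
        raise ValueError("RA prefix for SLAAC must be a /64")
    return ipaddress.IPv6Address(int(prefix.network_address) | mac_to_eui64(mac))


def provision_site(site_prefix: ipaddress.IPv6Network, lans: dict) -> dict:
    """Whole flow for one customer site; lans maps NW ID -> list of host MACs.
    Returns {nw_id: (lan /64, [host global addresses])}."""
    result = {}
    for nw_id, macs in lans.items():
        p = lan_prefix(site_prefix, nw_id)
        result[nw_id] = (p, [slaac_address(p, m) for m in macs])
    return result


if __name__ == "__main__":
    site = provision_site(DELEGATED_PREFIX, {1: ["00:11:22:33:44:55"],
                                             2: ["00:11:22:33:44:56"]})
    for nw_id, (p, hosts) in site.items():
        print(f"LAN {nw_id}: RA prefix {p}")
        for h in hosts:
            print(f"  host {h}  (link-local was {link_local_address('00:11:22:33:44:55')})")
```

Because the /48 is static, the per-LAN /64s and the EUI-64 host addresses are stable across sessions; the check in `check_delegation` is the one a CPE should keep even when the upstream is trusted, since a /64 or a non-global prefix delivered by mistake would otherwise be advertised to every host on the LAN.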
Experiences with Our Dual ADSL Service
• Has been working well since the beginning of the service
• No impact on IPv4 single-stack CPE
• Nationwide service via L2TP
• Other ISPs in Japan are using the same spec
• 1500+ customers use this mechanism today
Agenda: Service Platform & Framework
New Internet Business Model Created by IPv6
IPv4: one-way communication
• Home networks and office LANs (information appliances, OA equipment) use private addresses behind NAT
• Because of NAT, the only business model is client & server: connections go from the inside to the outside
IPv6: two-way communication
• Global IP addresses on information appliances and on mobile equipment (via the mobile network)
• Two-way, secure end-to-end communication between information appliances and mobile equipment: real-time data distribution, remote maintenance, remote control, data exchange
• New Internet business models will be created
VPN Model in the IPv4 World and the IPv6 World
IPv4 (conventional model)
• Office LANs and the company intranet use private address segments; Web and mail servers sit on global address segments
• Secure transmission: site-to-site IPsec VPN between IPsec nodes at each site
• Access comes from “MANY”, and only from the “IN side” to the “OUT side”
IPv6 (improved model)
• Office and remote office LANs use global address segments
• Secure transmission: end-to-end IPsec VPN
• Restricted, secure access from the “OUT side” to the “IN side”
One Problem of P2P Secure Communication
Global IP address
• IPv4: lack of global IP addresses; apply NAT and introduce private addresses
• IPv6: enough global IP addresses; a global IP address can be assigned to every networked device
Secure communication
• IPv4: only site-to-site secure communication is available
• IPv6: secure communication can be set up not only site to site but also end to end: the key of the IPv6 market
The remaining problem is management of the security configuration: end users have to manage a security policy that can involve many different configurations on end equipment. Our solution is the P2P VPN Platform.
IPv6 P2P VPN Platform Trial Service (joint development)
An IPsec policy server provides an IPsec policy file to each peer on demand; a CA issues the peers’ digital certificates.
• Effortless setup: set up end-to-end secure communication easily using a web interface; no or low skill requirements
• Adaptable to all communication modes: client-server, peer-to-peer, mobile
• Secure instant communication: connect instantly while achieving end-to-end security
(Diagram: IPsec policy server and CA in a Verio data center; headquarters, branch offices A and B, a strategic team and a hotspot user running IPsec across the ntt.net IPv6 global backbone; an attacker on the path sees only encrypted data.)
Case Study: P2P VPN Platform
• Exchange medical data between Hospital A, Clinic B and User C over end-to-end IPsec secure connections on the IPv6 network
• The IPsec management server sets up and certifies users; each peer holds a certificate
• Users set up the IPsec connection (authentication, encryption) and manage their security policy easily: they only register the correspondent in their own address book on the web site
• Data integrity is kept; an attacker on the path sees only encrypted data
m2m-x (Machine to Machine for any[thing|place|time]) ~Provide End-to-End Secure Communications Using IPv6~
“Secure, Easy and Low-priced”; core technology = SIP & IPsec
An m2m-x management server sits on the IPv6 Internet. A signaling channel runs between each device and the server; the data channel runs directly between the devices (mobile phones via a gateway, non-PC devices, enterprise networks, home networks).
m2m-x management server functions:
• Authentication of all the devices
• Access control based on the security policy
• Transmission of encryption keys in a way that keeps the calculation lightweight
• The existence of a device is hidden from unauthorized users
• Transmission of the information necessary for dynamic control of firewall devices
m2m-x IP Home Appliance Trials (2004 1Q-3Q)
Platform: IPv6 m2m-x (NTT Com). Trial areas: Visual Communication, Ubiquitous Office, Net Toy, Home Security.
• Multi-Media Communication (Sanyo)
• Personal VPN (NTT Com, Fujitsu, Toshiba, DIT)
• Ubiquitous Printing (Ricoh)
• PS2 TV-Phone (Sony)
• Cyber Conference (Pioneer)
• Hotline w/ Toy Control Port (Takara)
• EMIT Home System (Matsushita)
• Bluetooth Home Security (Toshiba)
Ubiquitous Open Platform Forum (UOPF)
• Home appliance manufacturers and ISPs established the “Ubiquitous Open Platform Forum” to accelerate the Internet home appliance market (Feb. 10th, 2004)
• Manufacturers: Hitachi, Matsushita Electric Works, Mitsubishi, Panasonic, Pioneer, Sanyo, Sony, Toshiba
• ISPs: NTT Com, KDDI, Fujitsu, NEC, Panasonic, Sony
• Goal: to establish a ubiquitous platform that permits easy setup, secure communication and easy real-time connection among various home appliances
• NTT Com is leading this forum and NTT Com employees are acting in key roles
• NTT Com is proposing m2m-x as the standard platform of UOPF
http://uopf.org/en/
Technology Outline of m2m-x ~Security Based on SIP/IPsec~
• Signaling based on SIP
• RADIUS authentication (a RADIUS auth-server behind the m2m-x management server), friendly to ISPs’ operation
• Mutual authentication based on a pre-shared key or an X.509 certificate
Step 1: SIP REGISTER (UA to the m2m-x management server)
• The signaling channel is encrypted with IPsec at the time of the SIP REGISTER authentication process: an IPsec tunnel is established between each UA and the management server
Step 2: SIP INVITE (UA1 to UA2 through the management server)
• Encryption keys for the data channel are exchanged over the secure signaling channel
• The data channel is also encrypted with IPsec: an IPsec tunnel is established between UA1 and UA2
DNS vs m2m-x (example: private server access from my PDA on the WAN to my server behind a FW/NAT on the LAN)
DNS
X Anybody can see the presence and address of your home server
X Tiresome FW/NAT configuration
X Services are always open for anybody, attackers included
X Tiresome ID/password and access management
m2m-x
• Access management: automatic, real-time access security control driven by the access list on the management server
• Possible to hide the existence of a node from unauthorized users: an attacker cannot even find my server
• Automatic encryption management
Key Management Method
A pre-shared key has some advantages but is not scalable on its own, so:
• Normal pre-shared key model: all user agents (UAs) have shared keys with all the others (full mesh model): not scalable
• m2m-x pre-shared key model: each UA has a shared key only with the m2m-x management server (trusted third-party model)
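The three slides above (SIP REGISTER/INVITE with IPsec, hiding a node from unauthorized users, and the trusted-third-party key model) describe behaviour rather than showing it. The following is an added example written for this page; it is not m2m-x code or any NTT Com software, and it models only the key handling: one pre-shared key per user agent held by a management server, an HMAC challenge-response standing in for the REGISTER authentication, an access-list check on INVITE that answers identically for an unknown callee and a forbidden one, and a fresh data-channel key wrapped for each peer under its own PSK. The IPsec SA setup that the real platform performs over SIP is not modelled. Device names, keys, and the PRF-based key wrap are this example's constructions.

```python
"""
Added example (not from the NTT Communications slides, not m2m-x code):
a model of hub-style pre-shared-key management for SIP-signalled peers.
"""
import hashlib
import hmac
import secrets


def keys_needed(n: int, model: str) -> int:
    """Long-term keys to provision for n user agents under each model."""
    if model == "full_mesh":
        return n * (n - 1) // 2      # one key per pair: grows quadratically
    if model == "hub":
        return n                     # one key per UA, shared with the server
    raise ValueError(model)


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (a keyed PRF, 32-byte output)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def wrap_key(psk: bytes, k: bytes) -> tuple:
    """Wrap a 32-byte key under a PSK: XOR with a PRF keystream, then MAC the
    ciphertext (encrypt-then-MAC). Constructed for this example; assumes
    len(k) == 32 so one PRF output covers the whole key."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(k, prf(psk, b"wrap", nonce)))
    return nonce, ct, prf(psk, b"wrap-mac", nonce, ct)


def unwrap_key(psk: bytes, wrapped: tuple) -> bytes:
    """Peer side: verify the MAC before touching the ciphertext."""
    nonce, ct, tag = wrapped
    if not hmac.compare_digest(tag, prf(psk, b"wrap-mac", nonce, ct)):
        raise ValueError("key wrap failed authentication")
    return bytes(a ^ b for a, b in zip(ct, prf(psk, b"wrap", nonce)))


class ManagementServer:
    def __init__(self, psks: dict, access_lists: dict):
        self.psks = psks              # ua_id -> PSK (hub model: one per UA)
        self.acl = access_lists       # callee -> set of UAs allowed to call it
        self.registered = set()

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def register(self, ua_id: str, nonce: bytes, proof: bytes):
        """REGISTER step: the UA proves it holds the PSK; the server answers
        with its own proof (mutual authentication) or None on failure."""
        psk = self.psks.get(ua_id)
        expected = prf(psk, b"register", ua_id.encode(), nonce) if psk else b""
        if not psk or not hmac.compare_digest(proof, expected):
            return None
        self.registered.add(ua_id)
        return prf(psk, b"server-ok", ua_id.encode(), nonce)

    def invite(self, caller: str, callee: str):
        """INVITE step: access-list check, then one fresh data-channel key
        wrapped separately for caller and callee. An unknown callee and a
        callee the caller may not reach both get None, so a UA's existence
        is hidden from anyone not on its access list."""
        if caller not in self.registered or callee not in self.registered:
            return None
        if caller not in self.acl.get(callee, set()):
            return None
        k = secrets.token_bytes(32)
        return {ua: wrap_key(self.psks[ua], k) for ua in (caller, callee)}


def ua_register(server: ManagementServer, ua_id: str, psk: bytes) -> bool:
    """User-agent side of REGISTER, checking the server's proof as well."""
    nonce = server.challenge()
    reply = server.register(ua_id, nonce, prf(psk, b"register", ua_id.encode(), nonce))
    return reply is not None and hmac.compare_digest(
        reply, prf(psk, b"server-ok", ua_id.encode(), nonce))


def demo() -> dict:
    """Constructed scenario: my PDA may reach my home server; a stranger may not."""
    psks = {ua: secrets.token_bytes(32) for ua in ("pda", "home-server", "stranger")}
    server = ManagementServer(psks, {"home-server": {"pda"}})
    assert all(ua_register(server, ua, psks[ua]) for ua in psks)
    granted = server.invite("pda", "home-server")
    k_pda = unwrap_key(psks["pda"], granted["pda"])
    k_srv = unwrap_key(psks["home-server"], granted["home-server"])
    return {
        "peers_share_key": k_pda == k_srv,
        "stranger_denied": server.invite("stranger", "home-server"),
        "ghost_denied": server.invite("stranger", "no-such-device"),
        "forged_register": server.register("pda", b"\x00" * 16, b"\x00" * 32),
    }


if __name__ == "__main__":
    print("keys for 100 UAs:", keys_needed(100, "full_mesh"), "full mesh vs", keys_needed(100, "hub"), "hub")
    print(demo())
```

The point of `keys_needed` is the one the slide makes: 100 devices need 4950 pairwise keys under full mesh but only 100 under the hub model. The trade-off is that the management server now holds every PSK and every session key it hands out, so its compromise breaks all sessions; the real platform's choice of X.509 certificates as the alternative credential is the usual way to keep that server from being a single secret-holding point.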
Conclusion
• We have a worldwide, fully dual-stack backbone.
• We have more than three years of experience providing commercial IPv6 connectivity services.
• We offer not only IPv6 connectivity services but also IPv6 promotion, service platforms and new frameworks.
• We are your partner.
Contact • NTT Communications: • http://www.v6.ntt.net/index_e.html • IPv6 portal site: • http://www.ipv6style.jp/en/index.shtml • UOPF: http://uopf.org/en/ • Mail to : ipv6@ntt.com Thank you for your attention!