NTT Communications’ IPv6 Backbone, Access, and Applications. Takeshi TOMOCHIKA, 6th July, 2004, NTT Communications.
NTT Communications Corporation 1
NTT Communications’ IPv6 Backbone, Access, and Applications
Takeshi TOMOCHIKA
6th July, 2004
NTT Communications
NTT Communications Corporation 2
Agenda
1. NTT Communications’ IPv6 Activities
2. Dual Stack ADSL Access Service
3. Service Platform & framework
NTT Communications Corporation 3
NTT Communications’ Global IPv6 Backbone
[Map: ntt.net Global Backbone linking Japan, Korea, Taiwan, Hong Kong, Malaysia, Australia, the U.S. and Europe, with IX connections at NSPIXP6, JPNAP6, PAIX, EQUI6IX, LINX, UK6X, AMS-IX, DE-CIX, PARIX and ESPANIX]
Our Strength
• Global IPv6 network covering Asia, US, Europe
• IPv4/IPv6 dual-stack backbone
• Providing commercial IPv6 transit services in Japan (Apr ’01-), in Europe (Feb ’03-), in U.S. (June ’03-) and many other AP-Region countries (June ’03-)
• 24x7 monitoring and operations by dual NOCs in Japan and U.S.
• More than 3 years’ experience of operation
Worldwide IPv6-IX Connectivity
• Japan: NSPIXP6, JPNAP6 (Tokyo)
• U.S.: PAIX, Equi6IX (West coast), Equi6IX (East coast)
• Europe: LINX, UK6X (London), AMS-IX (Amsterdam), DE-CIX (Frankfurt), PARIX (Paris), ESPANIX (Madrid)
NTT Communications Corporation 4
NTT Communications’ two ASes
[Diagram: ntt.net backbone with two ASes, AS2914 and AS 4713, connecting Korea (NTT Korea), Hong Kong (NTT Com Asia), Malaysia (NTT MSC), Australia (NTT Australia), Taiwan (NTT Taiwan), Europe (NTT Europe) and the U.S. (Verio); IX connections at NSPIXP6, JPNAP6, PAIX, EQUI6IX, LINX, UK6X, AMS-IX, DE-CIX, PARIX and ESPANIX]
NTT Communications Corporation 5
Transition of NTT Communications’ IPv6 Services
[Chart: service types plotted by year (2001, 2002, 2003, 2004, 200X) against customer segments Personal, SOHO, Enterprise, ISP and iDC; label: BroadBand with IPv6 Native service]
Service types: IPv6 over IPv4 Tunneling service; IPv6 and IPv4 Dual Stack Service
Services:
- ntt.net IPv6 Gateway Service (2001 spring-)
- OCN IPv6 Tunneling Service (2001 spring-)
- ntt.net IPv6 Tunneling Service (2002 spring-)
- OCN ADSL Dual Service (2002 summer-)
- ntt.net Dual Stack Service (2004 spring-)
NTT Communications Corporation 6
ntt.net’s Global Backbone Transition

Before 2000: Only IPv4 (ntt.net IPv4 Backbone)
• World wide global IP network
• Global tier1 network as one AS; 2914
• Only IPv4 available

Q1 2000 ~ Q2 2003: IPv4 and IPv6 separately (ntt.net IPv4 Backbone and ntt.net IPv6 Backbone; IPv6 Native-link and IPv6 over IPv4 Tunnel-link)
• Set up global IPv6 backbone covering Asia, the U.S. and Europe
• IPv4 and IPv6 networks are separate
• Routing control and peering policies are independent between IPv4 and IPv6
<<IPv6 Backbone>>
• Use tunneling links, where appropriate, to save cost
• Provide native service and tunneling service, not dual service
<<IPv4 Backbone>>
• No effect on the existing IPv4 backbone from the IPv6 side
• IPv6 traffic is transferred as IPv4 traffic on the tunneling link

Current: IPv4/IPv6 Dual stack (ntt.net IPv4/IPv6 Dual Stack Backbone; IPv4/IPv6 Dual-link)
• All backbone routers handle both IPv4 and IPv6 traffic
• Routing control and peering policies are independent between IPv4 and IPv6
• Basically, trouble on one protocol is isolated from the other protocol

ntt.net runs more than 100 dual stack backbone routers now!
NTT Communications Corporation 7
History of NTT Communications IPv6 Activities
1996 NTT Labs started to operate one of the world’s largest global IPv6 research networks.
1997 CICNet and NWNet, later acquired by Verio, started operating major nodes of 6bone.
1999 NTT Communications (NTT Com) obtained sTLA from APNIC.
NTT Com started IPv6 tunneling trial service for its domestic ISP “OCN” customers in Japan (over 200 trial customers).
2000 NTT MCL started the world’s first commercial IPv6 IX (s-IX) in San Jose, US.
NTT Europe started IPv6 trial service (over 400 trial customers).
2001 NTT Com started the world’s first commercial IPv6 services, “ntt.net IPv6 Gateway Service” and “OCN IPv6 Tunneling Service”.
HKNet started commercial IPv6 services in Hong Kong.
NTT Com played a key role in Japan National Project “IPv6 Home Appliance Trials”.
NTT Com participated in European Communities’ “6NET / Large-Scale International IPv6 Test bed” Project.
NTT Com participated in Chinese IPv6 Telecom Trial Network “6TNET” Project.
NTT Communications Corporation 8
History of NTT Communications IPv6 Activities (Cont’d)
2002 OCN started “IPv6/IPv4 dual stack ADSL access service” with Plug and Play feature (site auto-configuration).
NTT MSC started commercial IPv6 services in Malaysia.
NTT Australia IP started IPv6 services in Australia.
NTT Com won the World Communication Awards 2002, “Best Technology Foresight – IPv6” and “Best carrier – AP Region”.
2003 NTT Europe just started commercial IPv6 services in Europe.
VERIO (in US) and some Asia/Pacific Region subsidiaries (Korea, Taiwan) started commercial IPv6 services.
ntt.net’s backbone supported IPv4 and IPv6 dual stack.
2004 We provide IPv6/IPv4 dual stack services at all of ntt.net’s POPs.
NTT Communications Corporation 9
NTT Communications’ Evolution in IPv6
[Timeline chart, 1996 to 2003; row labels: Network layer, Service platform, Application layer, Activities]
Research Phase
- NTT Labs started global IPv6 research network
- Verio joined 6bone in the U.S.
Trial Phase
- NTT Com obtained sTLA address
- OCN Tunneling Trial (200 users)
- NTT Europe IPv6 Trial (400 users)
Commercial Service Phase
- NTT MCL started commercial IPv6-IX service in the U.S.
- NTT Communications started commercial IPv6 service in Japan
- Services in Japan
- Service in Hong Kong
- Services in Malaysia / Australia
- Services in Korea, Taiwan, and The U.S.
- Service in Europe
Projects and application trial
- Join Japanese National Project
- Join Chinese Project “6TNet”
- Join European Project “6net”
- p2p application trial “P2P VPN Platform”
NTT Communications Corporation 10
1. NTT Communications’ IPv6 Activities
2. Dual Stack ADSL Access Service
3. Service Platform & framework
NTT Communications Corporation 11
Broadband Market in Japan & Our Position
[Chart: DSL and FTTH subscribers by month, 2001 to 2003, axis from 0 to 10,000,000 subscribers]
[Share chart: NTTCom 36%, NTTPC 2%, IIJ 4%, K 11%, J 6%, F 4%, N 3%, S 2%, C 2%, others/no answers 30%]
[Panel labels: Corporate BB (Oct. 2002), Residential BB (Mar. 2003), DSL access (Mar. 2003)]
(Source: Nikkei Market Access Report, and www.soumu.go.jp)
NTT Communications Corporation 12
OCN IPv6/IPv4 Dual ADSL Service outline
Service description
Features:
– Broadband (12M) access service via ADSL line of ACCA networks
– Provide IPv4 and IPv6 dual stack connectivity
– Easy to set up by Plug and Play function
Prospective customer segments:
– Advanced individual / SOHO users
– IPv6 applications or devices developer
Address assignment:
– IPv4 : one global address (dynamic)
– IPv6 : one /48 global address prefix (static)
Additional service:
– Same as OCN IPv4 services (e-mail, Web, News, etc.)
– IPv6 DNS service
¥5,980 / month
[Diagram: OCN/ACCA network providing IPv4 access (OCNv4) and IPv6 access (OCNv6) over the ADSL access line to the customer’s LAN; Plug and Play function: auto configuration for router, auto configuration for hosts]
NTT Communications Corporation 13
OCN IPv6/IPv4 Dual ADSL Service with PnP function
[Diagram: PE, CPE and Host; ADSL between PE and CPE, LAN between CPE and Host]
IPv4 connection: PPP IPCP, Global IPv4 Address; DHCPv4, Private IPv4 Address
IPv6 connection: PPP IPV6CP+PD, Link local IPv6 address; DHCPv6-PD, Global IPv6 address /48; RA (Router Advertisement), /64
Address layout: Site Prefix (/48), NW ID (/64), Interface ID
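The Site Prefix / NW ID / Interface ID layout on this slide, worked through as an added example that is not part of the original deck: it builds the /64 a CPE would announce from a delegated /48, forms a host address, and splits an address back into the three fields. The prefix and MAC are constructed sample values, and deriving the Interface ID as a modified EUI-64 from the MAC is an assumption; the slide only names the field.

```python
import ipaddress

def subnet_for(site_prefix: str, nw_id: int) -> ipaddress.IPv6Network:
    """Site Prefix (/48) plus a 16-bit NW ID gives the /64 sent in the RA."""
    site = ipaddress.IPv6Network(site_prefix)
    if site.prefixlen != 48:
        raise ValueError("delegated site prefix must be a /48")
    if not 0 <= nw_id <= 0xFFFF:
        raise ValueError("NW ID must fit in 16 bits")
    return ipaddress.IPv6Network((int(site.network_address) | (nw_id << 64), 64))

def eui64_interface_id(mac: str) -> int:
    """Assumed Interface ID rule: modified EUI-64 built from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 6 octets")
    # Flip the universal/local bit and insert ff:fe in the middle.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def host_address(site_prefix: str, nw_id: int, mac: str) -> ipaddress.IPv6Address:
    """Full global address: Site Prefix | NW ID | Interface ID."""
    net = subnet_for(site_prefix, nw_id)
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def split_address(addr: str):
    """Split a global address back into (site /48, NW ID, Interface ID)."""
    value = int(ipaddress.IPv6Address(addr))
    site = ipaddress.IPv6Network(((value >> 80) << 80, 48))
    return site, (value >> 64) & 0xFFFF, value & ((1 << 64) - 1)

def same_site(addr: str, site_prefix: str) -> bool:
    """Filter check: does addr fall inside the customer's static /48?"""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(site_prefix)

if __name__ == "__main__":
    SITE = "2001:db8:1234::/48"   # constructed: documentation prefix
    MAC = "00:11:22:33:44:55"     # constructed sample MAC
    addr = host_address(SITE, 1, MAC)
    print(subnet_for(SITE, 1), addr, split_address(str(addr)))
```

Because the /48 is static, a single prefix match such as `same_site` covers every host behind the CPE, whichever NW ID and Interface ID it uses.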
NTT Communications Corporation 14
Standardization
[Diagram: RADIUS, PE, CPE and Host; ADSL between PE and CPE, LAN between CPE and Host]
• Authentication / Link configuration: RADIUSv6 (RFC3162), PPP (IPV6CP) (RFC2472)
• CPE configuration (Prefix / DNS): DHCPv6-PD (RFC3315, RFC3633, RFC3769, RFC3646)
• Host configuration (Address / DNS): Stateless ADDR (RFC2462), DHCPv6-lite or etc. (RFC3736)
NTT Communications contributed to these RFCs
draft-shirasaki-dualstack-service-04
NTT Communications Corporation 15
Experiences with our Dual ADSL Service
• Has been working well since the beginning of the service
• No impact on IPv4 single stack CPE
• Nation wide service via L2TP
• Other ISPs in Japan are using same spec
– 1500+ customers use this mechanism today
NTT Communications Corporation 16
1. NTT Communications’ IPv6 Activities
2. Dual Stack ADSL Access Service
3. Service Platform & framework
NTT Communications Corporation 17
New Internet Business model created by IPv6
IPv4 : one-way communication
・ due to NAT, the business model is only client & server.
IPv6 : two-way communication
・ two-way communications between information appliance and mobile equipment
・ New internet business models will be created
[Diagram: on the IPv4 side, NAT sits between the global IP address and the private address; on the IPv6 side, the home network (information appliances), the NW for mobile (mobile equipment) and the LAN (OA equipment) are connected directly. Labels: Data exchange, Remote Maintenance, Remote Control, Real-time data distribution, Secure End-to-End Communication]
NTT Communications Corporation 18
VPN model in IPv4 world and IPv6 world
IPv4 (conventional model)
• Access from “IN side” to “OUT side”
• Access from “MANY”
• Secure Transmission : Site to Site IPsec VPN
[Diagram: Office LAN and Remote office LAN (private address segments) connected through IPsec nodes over the IPv4 Internet (global address segments); Company’s Intranet, Web server, Mail server]
IPv6 (improved model)
• Access from “OUT-side” to “IN-side”
• Restricted, secure access
• Secure Transmission : End to End IPsec VPN
[Diagram: Office LAN and the outside connected over the IPv6 Internet (global address segments)]
NTT Communications Corporation 19
One of the problems of p2p secure communication…
Global IP Address
• IPv4: Lack of Global IP address; apply NAT and introduce private address
• IPv6: Enough Global IP address; can assign Global IP addresses on every device networked
Secure communication
• IPv4: Only Site to Site secure communications available
• IPv6: Can set up secure communication not only Site to Site connection but also End to End connection: the key of the IPv6 market
One of the problems is management of security configuration: end users have to manage security policy, which can involve many different configurations at end equipment.
Our solution is : P2P VPN Platform
NTT Communications Corporation 20
IPv6 P2P VPN Platform Trial Service
IPsec policy server to provide IPsec policy file to each peer on demand
- Effortless setup: Set up end-to-end secure communication easily using web interface. No or low skill requirements
- Adaptable to all communication modes: Client-Server, Peer-to-Peer, Mobile
- Secure instant communication: Connect instantly, while achieving end-to-end security
[Diagram: ntt.net IPv6 Global Backbone with IPsec Policy Server and CA providing IPsec policy and digital certificates; IPsec connections among Headquarters, Branch Office A, Branch Office B, HOTSPOT, Strategic Team and a server in a Verio Data Center; a hacker on the path sees only unreadable data]
Joint development by
NTT Communications Corporation 21
Case study : P2P VPN Platform
Set up IPsec connection and manage their security policy easily: just register the correspondent person in his/her own address book on the web site
Exchange medical data via End to End IPsec secure connection
[Diagram: User A (Hospital A), User B (Clinic B) and User C on the IPv6 network; the IPsec Management server sets up users, certifies users and provides certificates; IPsec (authentication, encryption) gives secure data exchange and keeps integrity; a hacker on the path sees only unreadable data]
NTT Communications Corporation 22
m2m-x (Machine to Machine for any[thing|place|time])
~Provide End-to-End Secure Communications Using IPv6~
“Secure, Easy and Low-priced”
Core Technology = SIP & IPsec
m2m-x management server functions:
- Authentication of all the devices
- Access Control based on the security policy
- Transmission of encryption keys in a way making the calculation process light-weighted
- The existence of the device is hidden from unauthorized users
- Transmission of Information necessary for dynamic control of Firewall devices
[Diagram: m2m-x Management Server on the IPv6 Internet, with Signaling Channel and Data Channel among Home Network, Mobile Phone Gateway, Enterprise Network and Non-PC devices]
NTT Communications Corporation 23
m2m-x IP Home Appliance trials (2004.1Q-3Q)
IPv6 m2m-x (NTT Com)
Categories: Home Security, Visual Communication, Ubiquitous Office, Net Toy
• Personal VPN (NTT Com, Fujitsu, Toshiba, DIT)
• Multi-Media Communication (Sanyo)
• PS2 TV-Phone (Sony)
• Hotline w/ TOY Control Port (Takara)
• Bluetooth Home Security (Toshiba)
• Cyber Conference (Pioneer)
• EMIT Home System (Matsushita)
• Ubiquitous Printing (Ricoh)
NTT Communications Corporation 24
Ubiquitous Open Platform Forum
• Home Appliance Manufacturers and ISPs established “Ubiquitous Open Platform Forum” to accelerate Internet Home Appliance market (Feb. 10th, 2004)
– Manufacturers: Hitachi, Matsushita Electric Works, Mitsubishi, Panasonic, Pioneer, Sanyo, Sony, Toshiba
– ISPs: NTT Com, KDDI, Fujitsu, NEC, Panasonic, Sony
• To establish a ubiquitous platform that permits easy setup, secure communication, and easy real-time connection among various home appliances
• NTT Com is leading this forum and NTT Com employees are acting in key roles
• NTT Com is proposing m2m-x as the standard platform of UOPF
http://uopf.org/en/
NTT Communications Corporation 25
Technology Outline of m2m-x ~Security Based on SIP/IPsec~
Signaling based on SIP
[Diagram: UA1, UA2, m2m-x Management Server and RADIUS Auth-Server. Labels: SIP REGISTER, SIP INVITE, Mutual Authentication Based on Pre-Shared Key or X.509 Certificate, Encryption Key Exchange for Data Channel, Establishment of IPsec Tunnel (shown twice), Data Channel]
- RADIUS Authentication friendly to ISPs’ operation
- Signaling Channel is encrypted with IPsec at the time of SIP REGISTER Authentication process.
- Data Channel is also encrypted with IPsec making use of secure Signaling Channel.
NTT Communications Corporation 26
DNS vs m2m-x (example: private server access)
DNS
[Diagram: Attacker and My PDA on the WAN, FW/NAT with access list, My Server on the LAN]
X anybody can see the presence and address of your home server
X tiresome FW/NAT configuration
X services are always open for anybody
X tiresome id/pass and access management
m2m-x
[Diagram: Attacker and My PDA on the WAN, FW/NAT with access list, My Server on the LAN, with m2m-x access management]
• Possible to hide the existence of a node from unauthorized users
• automatic and real-time access security control
• automatic encryption management
NTT Communications Corporation 27
Key Management Method
Pre-Shared Key: some advantages but, Not Scalable. So,
• Normal Pre-shared Key model: All User Agents (UAs) have shared keys with the others (Full mesh model) - Not scalable
• m2m-x Pre-shared Key model: Each UA has the shared key only with the management server (trusted 3rd party model)
[Diagram: full mesh of UAs beside UAs around the m2m-x Management Server]
NTT Communications Corporation 28
Conclusion
• We have worldwide full dual stack backbone.
• We have more than three years experience to provide commercial IPv6 connectivity services.
• We have not only IPv6 connectivity services but also IPv6 promotions, service platforms and new frameworks.
• We are your partner.
NTT Communications Corporation 29
Contact
•NTT Communications: http://www.v6.ntt.net/index_e.html
•IPv6 portal site: http://www.ipv6style.jp/en/index.shtml
•UOPF: http://uopf.org/en/
•Mail to : ipv6@ntt.com
Thank you for your attention!