deploying ipv6 services over broadband connections: the greek school network case athanassios...
TRANSCRIPT
Deploying IPv6 Services over broadband connections: The Greek School Network case
Athanassios LiakopoulosKostas Kalevras
Dimitrios KalogerasTERENA Conference 2006
TNC2006, Catania2
Outline
Introduction to xDSL technology IPv6 @glance The Greek School Network Reasons to use IPv6 technology IPv6 in GSN
– Roadmap, Addressing, Routing, Applications, etc
Conclusion & Recommendations
TNC2006, Catania3
Entities involved in an xDSL environment
Subscriber (xDSL User)– PCs, modem, bridge/router
Network Access Provider (NAP)– Responsible for the management of the copper local loop.– DSLAM, BBRAS, radius server*
Network Service Provider – Responsible for providing interconnection with the Internet.
May offer other added-value services.– Edge router, radius server*
Subscriber
CPE
ModemDSLAM BBRAS
Network Access Provider (NAP)
Network Service Provider (NSP)
Radius server
RouterEdge router
TNC2006, Catania4
Implementation details
xDSL modem– Encapsulates Subscribers’ traffic to ATM cells, signal
(de)modulation
DSL Access Multiplexer (DSLAM)– Signal (de)modulation, aggregates traffic over ATM links
Broad Band Remote Access Concentrator (BBRAS)– Terminates the Subscribers’ ATM connections, tunnels or routes
traffic to the NSP edge router.
Radius Server– Contains subscriber configuration templates
NSP edge router– Terminates PPP sessions or L2TP tunnels, gateway to Internet
TNC2006, Catania5
Ethernet bridging over ATM
The CPE forwards IP packets using multi-protocol encapsulation over ATM adaptation layer 5 (AAL5).
Minimum functionality is required for CPE, aka xDSL modem (L3 unaware device).
A single ATM PVC is used for IPv4/6 interconnection Subscriber’s PCs are configured with static IPv6 address, or via DHCPv6
or via auto-configuration This method does not support authentication and authorization
functionality!
Subscriber
CPE
ModemDSLAM
xDSL
ATM
PHY
IPv6
802.3
PHY
802.3RFC1483
ATM
xDSL
Ethernet bridging
PHY
TNC2006, Catania6
PPP over AAL5 (PPPoA) - PTA
Subscriber
CPE
Modem DSLAM BBRAS
Network Access Provider (NAP) / Network Service
Provider
Radius server
Router
xDSL
ATM
PHY
IPv6
802.3
PHY
802.3RFC1483
ATM
xDSLPHY
PPPoA
IPv6
RFC1483
ATM
PHY
PPPoA
IPv6
PPPoA
The CPE supports IPv6/4 packet forwarding and interconnects multiple systems in the Subscriber’s local network.
A single PPPoA session is established over a ATM PVC allowing the CPE router to establish two PPP sessions; an IPv6 (IPCPv6) and an IPv4 (IPCPv6).
IPv6 addresses are assigned automatically over the PPP session using attributes stored in a centralised radius server or local database.
The CPE can be authenticated using one of the multiple protocols, such as PAP, CHAP, MS-CHAP, EAP, etc.
TNC2006, Catania7
PPP over AAL5 (PPPoA) - LAA
Subscriber
CPE
Modem DSLAM LAC(BBRAS)
Router
PPPoA
Network Access Provider (NAP)
Network Service Provider (NSP)
Radius server
LNS(Edge router)
L2TP
In case the NAP and the NSP are different, the PPP sessions do not terminate at the BBRAS but at the edge router.
– BBRAS = L2TP Access Concentrator (LAC)– Edge router = L2TP Network Server (LNS)
Two PPP sessions are established from the CPE router, which terminate at the LNS. LAC is IPv6-unaware.
Address assignment and authentications methods are performed in the same way as previously but now the radius server is managed by the NSP.
TNC2006, Catania8
PPP over Ethernet (PPPoE)
Subscriber
CPE
Modem DSLAM BBRAS
Network Access Provider (NAP) / Network Service
Provider
Radius server
Router
xDSL
ATM
PHY
IPv6
802.3
PHY
802.3RFC1483
ATM
xDSLPHY
PPPoE
IPv6
RFC1483
ATM
PHY
PPPoE
IPv6
PPPoE
Separate PPP sessions are established between the Subscriber’s systems (or CPE) and the BBRAS for IPv6 and IPv4 traffic.– Same IPv4/6 address allocation schema as in PPPoA– Sessions may terminate in the LNS in the NSP network (not shown). – If PPP sessions terminate at the Subscriber’s system, then the CPE may be L3
unaware, aka cheap(!). It requires, however, specific software to be installed in the Subscribers’ systems. The advantage of this approach is that allows access control and service selection to be done on per-subscriber rather than on per-site basis.
TNC2006, Catania9
IPv6 @ a glance
IPv6 Address: 128 bits – GRNET address space 2001:648::/32
Allows for routable addresses for “everything”– IP phones, 3G devices, sensors, personal devices, appliances …
Easy way of end-system configuration – IP address stateless auto-configuration: address_prefix:f(MAC_address)– Enhanced DHCP parameter passing: NTP, SMPT, SIP … servers (in addition
to IP address, GW, DNS) – DHCP prefix delegation – assign multiple addresses to a client
Better support of mobility– Multiple IPv6 addresses per interface, associated with multiple networks
Security – Mandatory IPSec support -> This is not a panacea.– End-to-end encryption is now possible– Might open unknown network security hazards (new technology)
Multicasting – Embedded Rendezvous Points selected at session initiation
QoS – Flow Label in header allows easy packet differentiation
Multi-homing potential
TNC2006, Catania10
Greek School Network
BackboneBackbone:: 8 PoPs 8 PoPs • Connected to GRNETConnected to GRNET
Distribution Distribution :: 52 PoPs 52 PoPs• 9 major9 major• 43 secondary43 secondary• 75 routers, 775 routers, 71 1 servers, servers,
Access: Access: • 6k Primary and 3.7k
secondary schools
Access TechnologiesAccess Technologies• PSTN / ISDNPSTN / ISDN• Leased Lines Leased Lines • WirelessWireless• ADSL, VDSLADSL, VDSL
GRnet
Distribution Network
www.sch.grwww.sch.gr
TNC2006, Catania11
GSN – cont. - Services
Basic Services Υπηρεσίες
1. Dial-up
2. Proxy/Cache
3. Web-Filtering
4. Web-Page Generator
5. Web-Hosting
6. Portal (www.sch.gr)
Infrastructure
1. DNS
2. Directory Service (LDAP)
3. User registration service
4. Statistics (www.sch.gr/statistics)
5. Help-Desk (www.sch.gr/helpdesk)
6. GIS
Communication
1. E-mail (POP3, IMAP, web-mail)
2. Forums (www.sch.gr/forums)
3. NNews (www.sch.gr/news)
4. Instant Messaging (www.sch.gr/im)
5. Teleconference (www.sch.gr/conf)
6. Voice over IP
Advanced
1. E-learning - (www.sch.gr/e-learning)
2. Video on Demand – VoD (www.sch.gr/vod)
3. Secure Content Delivery with Reliable multicast (www.sch.gr/scd)
4. Real time services (www.sch.gr/rts)
TNC2006, Catania12
Why to use IPv6 (and not to stuck to IPv4)?
IPv6 removes the limitations imposed by the inadequate number of available IPv4 addresses– Every school has a ΝΑΤ / PAT gateway due to
address shortage.– Difficult to debug interconnection problems.– Need for static addresses, e.g. for local servers.– Enough address space for every school and pupils!
P2P applications do not work with servers behind PAT– Multimedia e-learning and peer-to-peer virtual
collaboration applications.– Easier P2P application development.
TNC2006, Catania13
Why to use IPv6 (and not to stuck to IPv4)?
Management and security issues– Deployment procedures in large numbers.
Stateless auto-configuration CPE routers, Windows Vista
– Security -based on ACLs- is simplified using the IPv6 addressing schema.
Innovation – Expose to new technologies– Today’s school pupils are the future engineers.– IPv6 allows the development of new advanced
services that exploit features unique to IPv6 environments, such as enhanced security or mobility.
– Multiply the impact of other IPv6-enabled networks in Greece.
TNC2006, Catania14
IPv6 from the ISP perspective (1)
Small differenced between IPv4 and IPv6 Address size of IP addresses
– Extension of address space from 32bit to 128 bit– Change in the representation of addresses:
From decimal to hexadecimal format– Example: IPv4: 192.168.128.254– Example: IPv6: 2001:db8:0:d802:2d0:b7ff:fe88:eb8a
RFC3513 “IPv6 Addressing Architecture”
Smaller routing table– IPv4: ~ 150,000 routes– IPv6: ~ 600 routes
multiples /35 in Τier-1 multiples of /48 in Tier-2 networks
TNC2006, Catania15
IPv6 from the ISP perspective (2)
Address delegation is structured– Large (or practically unlimited) IPv6 address space is
available.– Easy to structure your own addressing architecture– Homogeneous blocks – Address conservation is not
anymore an issue.
Address assignment– LANs: /64, using stateless auto-configuration)– Point-to-point: /64 (or 126) – End Sites: /48
TNC2006, Catania16
IPv6 deployment phases in GSN
Study and define transition strategy Prepare the IPv6 addressing and routing plan
– Get IPv6 address from the LIR
Upgrade the core and distribution network– Dual stack network – No need for tunnels– No major problems with the support of IPv6 in commercial
products
Select the methods for address allocation to school access networks
– Multi-vendor access routers exhibited different capabilities. So, different models were tested.
– Minimize the management overhead. Prefer DHCP prefix delegation (DHCP-PD) when possible.
TNC2006, Catania17
IPv6 deployment phases in GSN (2)
Enable IPv6 to basic and advance services– Difficult to identify software dependencies between commercial,
open-source and in-house developed software.– DNS (BIND), Email (Qmail, Courier-IMAP), Web portal (Apache),
Directory Services (iPlanet), Web filtering (Squid web proxy), multiple in-house built tools, etc.
Update management tools to monitor and control the network
Select a small group of schools as a testbed– Gradual extend IPv6 interconnection to all access nodes (in
progress)
Extend IPv6 services to PC-based LANs (in progress)– Use IPv6 stateless autoconfiguration
TNC2006, Catania18
Addressing IPv6 in GSN
Assign a /35 address prefix for the GSN– Allocated from the GRNET sTLA 2001:648::/32
Allocate a /56 for each school– RIPE allows a /48 every non-single-node customer– Enough address space for any future needs
Addressing plan is aligned with the hierarchical structure of the network– Aggregate into /52 address prefixes in each distribution
node and further aggregate into /48 in each GSN PoP– Addressing schema allows the interconnection of 32K
Schools
TNC2006, Catania19
Routing (1)
OSPFv3 as Internal Gateway Protocol– OSPFv3 for IPv6 traffic while OSPFv2 for IPv4 traffic
OSPF instead of IS-IS because:– Familiarity with OSPFv2 used for IPv4– Supported by most low-edge access routers– Increased granularity with area management– IS-IS demands for a “D – Day” (transition). Otherwise,
it requires the support of incongruent network topologies for IPv6 and IPv4 - Multi-topology extensions of IS-IS
TNC2006, Catania20
BGP-MP as Exterior Gateway Protocol– Separate routing for IPv4 and IPv6– Same routing policy for IPv4/6– ΙPv6 connections for IPv6 routes exchange
Smooth transition without affecting current routing
Routing (2)
TNC2006, Catania21
Address delegation in schools
Delegating IPv4/6 addresses in GSN is a two-step process– Delegate an IPv6 prefix to the WAN interface and then assign an
IPv6 prefix for the LAN interfaces.– Use another -different and independent- process for delegating
IPv4 addresses.
Scenario A – Simple– WAN interface gets an /128 IPv6 address via IPCPv6 or IPv6
loopback is statically configured.– LAN interface(s) is manually configured.– Statically set a static route at the LNS towards the CPE– Easy to deploy to IPv6-enabled routers but difficult to manage the
access network! No means to provide extra configuration parameters to the local PCs, e.g. NTP servers.
TNC2006, Catania22
Address delegation in schools (2)
Scenario B – Using DHCP-PD– WAN interface gets an /64 prefix -instead of specific IPv6
address- by using IPCPv6. If there is a need for a static address assignment to the school router, the Frame-Interface-ID* should also be provided.
– Internal LAN interfaces are automatically configured using DHCP-PD (prefix delegation). This process takes place in IP layer, aka independent of the PPP session.
– Automatically, a static route towards the CPE is set at the LNS.– This scenario allows full automated interface configuration while
it is possible to provide extra configuration parameters to the local PCs.
* Vendor-specific attribute (VSA) used to support AAA for IPv6. It indicates the interface to be configured.
TNC2006, Catania23
Access (2)
Subscriber
CPE
Modem DSLAM LAC(BBRAS)
Router
PPPoA
NAPGreek School
Network
Radius server
LNS(Edge router)
L2TP
Dial-in request Return a /64 prefix and a /48 prefix
Assign a /64 address prefix for the ADSL interfaceAllocate a /56 address prefix for the internal LAN interfacesCreate an IPv6 address using
stateless - autoconfiguration
TNC2006, Catania24
Enabling IPv6 at Servers/Services (1)
Servers vs. Services– Multiple services running in each server (node) rather
having one service per server.– Always set static IPv6 address– Avoid service degradation while enabling IPv6
TNC2006, Catania25
Enabling IPv6 at Servers/Services (2)
DNS– Service based on BIND 9.3.1
Populate the forwards and the ip6.arpa reverse zones For DNS queries, use IPv6 as transport protocol (e.g. Linux,
Unix, Vista) or IPv4 (e.g. Win XP) When a DNS query returns both ΑΑΑΑ and Α records, then -
by default- prefer ΙPv6 to connect! If it fails, fallback to IPv4.
– Activate IPv6 in all supported services at a server node and later on update appropriate DNS records.
Initial, use different A (IPv4) and AAAA (IPv6) records, e.g. www-ipv6.sch.gr, and monitor the operation of the service.
TNC2006, Catania26
Enabling IPv6 at Servers/Services (3)
SMTP– Service based on Qmail 1.03 using a patch from
http://pyon.org/fujiwara/ PoP, IMAP
– Courier with IPv6 support– Clients were ready, e.g. Thunderbird, Mozilla, etc.
Web service - Portal– Service based on Apache 2.0 + Jboss– J2SDK/JRE 1.4 release, support of IPv6 in Java
Networking– Tomcat ver.5 OK– Client were ready, e.g. Firefox, MS Exporer, etc.
Instant Messaging– Jabber
TNC2006, Catania27
Enabling IPv6 at Servers/Services (4)
Radius– Exchange IPv6 information using IPv4 as transport
protocol. – Server support IPv6 related attributes as vendor
specific attributes, e.g. interface-id, prefix-id, etc– For DHCP-PD a new attribute was added
For user user1 user1-dhcpv6 was added which fixes the prefix to every user.
Dialup-admin– In-house management software– User management application– 2 new attributes (interface-id and prefix-id)
TNC2006, Catania28
Next Steps
Content Filtering– Squid, SquidGuard
Currently, beta version of squid3 branch is used
– LDAP activation Sun One i-planet directory server version 5.2 supports IPv6
Deployment of IPv6 capable routers in a larger number of schools.– Activate IPv6 services in internal PC-labs– Duration is related with the equipment life-cycle.
TNC2006, Catania29
Conclusions - Recommendations
Avoid any impact to IPv4 interconnection services– Good planning, extended testing
Upgrade hardware and software– Add IPv6-related specifications in long-term procurement plans.
Educate NOCs– Lack of experience of network engineers may be a problem in
large and distributed networks.
Use open-source software– IPv6-ready and easily adapted to fulfil most of the requirements,
e.g. WEB content filtering in GSN.