© 2005 Caspian. Caspian Confidential. Next Generation Internet Architectures: Emerging Trends, Challenges and Solutions. Dr. Riad Hartani, Chief Architect, Caspian. Bangkok, May 4th 2006


Next Generation Internet Architectures: Emerging Trends, Challenges and Solutions

Dr. Riad Hartani

Chief Architect, Caspian

Bangkok, May 4th 2006


Agenda

• IPv6: Where are we today… Briefly!

• Emerging Networks Trends and Implications

• Evolution of IPv6 Router Architectures

• Benefits and Applications

• Q&A


IPv6 Networks: State of the Art

• Motivations for IPv6 well understood

- Addressing space, routing hierarchy, dynamic configuration, security, mobility

- Popularity of P2P and Multimedia services

• Protocol specifications largely finalized

- IETF specifications for IPv6 migration ready

- Interoperability demonstrated, major router/application vendors support

• Ongoing network/services deployments

- Aggressive deployment in the Far East, Semi-aggressive deployments in Europe, Slow deployments in America, mainly government/federal driven

- Consumer electronics, computing industries (grid/collaborative networking) and retail industries driving applications developments


Network Trends and Challenges

• FACTS:

- Services and network convergence accelerating – Internet Protocol based

- Towards an always on ubiquitous broadband connectivity (DSL, FTTH, Wifi, Wimax, etc.)

• TRENDS:

- From centralized to distributed information models (P2P content distribution, grid computing, etc.)

- Emergence of overlay service providers (e.g. Skype, etc.) – Disruptive competitive landscape

- Shift from geography specific competition to global competition (e.g. Google, Yahoo, Microsoft, etc.)


Network Trends and Challenges

• CHALLENGES:

- Challenge 1: How to improve Internet (node and network levels) traffic control & oversubscription dimensioning?

- Challenge 2: How to deliver QoS with low OPEX, in fixed/mobile environments?

- Challenge 3: How to secure / protect the infrastructure?

• CONSTRAINTS:

- Constraint 1: No change to IP / MPLS protocols

- Constraint 2: No change to principles that made the Internet successful


IPv6 Routers Architecture Evolution

IP/MPLS

- Deterministic QoS

- Deterministic routing

DPI Appliances

- Traffic Analysis

- Stateful processing

Architectural Principles

- Evolution towards traffic aware QoS, traffic control and routing

- Evolution towards behavioral models, optimal for Privacy, Application Agnostic, Neutrality, Encryption, Privacy, etc.

- Leverage TCP/UDP/IP inherent characteristics


Conventional vs. Stateful IPv6 Routing Architectures

Conventional Forwarding/Routing

[Diagram labels: RAM; Route Each Packet; Switch Fabric; Queue (Class) & Forward]

1. Forwarding each packet

2. Switch to output

3. Class-based QoS

Flow-based Forwarding/Routing

[Diagram labels: RAM; Hash, Lookup State, Route, Store, WFQ/Flow, Switch; Switching Network; Lookup State, Store, and WFQ/Flow]

1. Hash for flow identification

• 2M flows/s and 6M flows per 10 Gig

• Flexible definition of flows: IP flows, Pseudo-WireoMPLS flows, IPoMPLS flows

2. Create “soft” state or look up

• Route, switch, filters, stats

3. Per-flow QoS behavior

• Leverage flow state for advanced QoS

• Shape, police, CAC, congestion control
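The three flow-based forwarding steps above as a small software model (an added example, not Caspian's implementation). The idle timeout, byte threshold, flow limit and the choice of a 5-tuple hash are assumed values for the demonstration, and the traffic in `demo()` is constructed.

```python
import hashlib
from dataclasses import dataclass

IDLE_TIMEOUT = 30.0         # assumed: seconds of silence before soft state expires
GRADUATE_BYTES = 1_000_000  # assumed: volume after which a flow is non-interactive
MAX_FLOWS = 3               # assumed: per-port admission limit, tiny for the demo

@dataclass
class FlowState:
    cls: str = "unknown"    # every new flow starts in the default class
    nbytes: int = 0
    last_seen: float = 0.0

class FlowTable:
    def __init__(self):
        self.flows = {}     # flow id -> FlowState

    @staticmethod
    def flow_id(src, dst, proto, sport, dport):
        # Step 1: hash the 5-tuple into a fixed-size flow identifier.
        key = f"{src}|{dst}|{proto}|{sport}|{dport}".encode()
        return hashlib.blake2b(key, digest_size=8).hexdigest()

    def packet(self, now, five_tuple, length):
        """Return 'reject' or the class the packet's flow is queued in."""
        # Soft state: idle entries age out, no signalling tears them down.
        for fid in [f for f, s in self.flows.items() if now - s.last_seen > IDLE_TIMEOUT]:
            del self.flows[fid]
        fid = self.flow_id(*five_tuple)
        state = self.flows.get(fid)
        if state is None:
            # Step 2: create state only if admission control has room (CAC).
            if len(self.flows) >= MAX_FLOWS:
                return "reject"   # admitted flows keep their resources
            state = self.flows[fid] = FlowState()
        state.nbytes += length
        state.last_seen = now
        # Step 3: per-flow behaviour driven by the accumulated state.
        if state.cls == "unknown" and state.nbytes > GRADUATE_BYTES:
            state.cls = "non-interactive"
        return state.cls

def demo():
    # Constructed traffic: four IPv6 flows towards one host, documentation prefix.
    t = FlowTable()
    flows = [(f"2001:db8::{i}", "2001:db8::80", 6, 40000 + i, 80) for i in range(1, 5)]
    first = [t.packet(0.1 * i, f, 1500) for i, f in enumerate(flows)]
    bulk = [t.packet(1.0, flows[0], 1500) for _ in range(700)][-1]
    return first, bulk
```

The fourth flow is refused while the three admitted flows are untouched, and the first flow moves to the non-interactive class once its byte count passes the threshold.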


Flow Aware Traffic Management Principles

• Per Flow Actions / Controls

- Generic actions based on traffic control principles

- Specific actions based on specific network services

[Diagram labels: Dynamic Flow/Aggregate Identification; Per-Flow Traffic Control]

• Identification Methods

- Function of network service

- Function of traffic control business case


Flow Aware Architecture Benefits

• Customized congestion/resources control schemes for Video/Voice/P2P/Wireless traffic

• Advanced application level QoS (Shaping/Policing/CAC) guarantees

• Preventive DDOS security models

• Others: Traffic aware routing, Dynamic services diagnostic, Lawful intercept, etc.

State Intelligence Improved nodal behavior Enhanced network services at lower cost


Example: IPv6 Dynamic Flow Identification & Customized Congestion Management

Unknown Traffic

• Browsing

• Streaming

• Voice/Video over IP

• Some P2P (Skype, small transfers, etc.)

• Small web downloads

• Large FTP Transfers

• Some P2P (large transfers)

• Flow routers leverage state information to characterize traffic flows

- Can enforce specified congestion control policies

- (responsive vs. unresponsive, high rate vs. low rate, short lived vs. long lived, P2P vs. web, “legal” vs. “illegal” content)

Non-interactive Traffic

• Large FTP Transfers

• Some P2P (large transfers)

Interactive Traffic

• Browsing

• Streaming

• Voice/Video over IP

• Some P2P (Skype, small transfers, etc.)

• Small web downloads


Example: IPv6 Flow-aware Connection Admission Control

[Figure: traffic arriving at a port, with CAC and without CAC]

With CAC

- New flows CACed

- New UDP/TCP flows rejected

- Preserves integrity of existing flows, no performance degradation

- Enables ON/OFF service model

Without CAC

- All flows allowed into a class

- wRED on class congestion

- Many flows affected - poor service, lack of determinism


Example: IPv6 Flow-based Shaping/Policing

[Figure: port]

• Shaping aims at changing characteristics of input stream to produce an output stream with required characteristics

- Benefits for the end users, and

- For the downstream network

• Policing aims at enforcing traffic contracts

• Flow routing allows shaping and policing of desired flows

• Flows are shaped/policed based on requirements


Example: IPv6 Flow Graduation Application

Control Traffic Class

Video & Voice over IP Class

Virtual Leased Line Class

Unknown Traffic Class (Default)

Non Interactive Traffic Class

BGP, IS-IS, OSPF Flows

VoIP and VIDoIP Flows

Corporate Flows

Unknown Flows

Flows dynamically thresholds are graduated to a different class, policy routed or mirrored

Dynamic Traffic Aware Management, Routing


Example: IPv6 Covert Intercept

67% P2P

17% TCP

11% HTTP

4% Video

1% VoIP

• VoIP hides in Internet

• Which links to monitor?

• HTTP & random ports used

Explicit Identification and analysis of Traffic

Dynamic Re-routing of traffic


Example: Flow-based DDOS Prevention in IPv6

• Put in specific focal points for DOS attacks

• Detect anomalies in traffic flows, online

• Raise alarms to operator for immediate investigation

• Fast, inexpensive way to detect attack before customer is impacted

[Diagram labels: Other Carrier Network; Other Carrier Network; ISP]

Dynamic Security Models
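One way flow state can drive the online anomaly detection listed above, as an added example rather than the product's algorithm: it counts newly created flows per destination in fixed intervals and raises an alarm when a count far exceeds that destination's moving average. The interval, smoothing weight, alarm factor and floor are assumptions, and the events in `demo()` are constructed.

```python
from collections import defaultdict

class NewFlowRateMonitor:
    """Alarm when a destination's new-flow count far exceeds its own baseline."""

    def __init__(self, interval=1.0, alpha=0.2, factor=5.0, floor=20):
        self.interval = interval  # assumed: seconds per measurement bucket
        self.alpha = alpha        # assumed: EWMA weight of the newest bucket
        self.factor = factor      # assumed: alarm when count > factor * baseline
        self.floor = floor        # assumed: ignore bursts smaller than this
        self.bucket_start = 0.0
        self.counts = defaultdict(int)  # dst -> flows created in this bucket
        self.baseline = {}              # dst -> EWMA of flows per bucket
        self.alarms = []                # (bucket_start, dst, count)

    def _close_bucket(self):
        for dst in set(self.counts) | set(self.baseline):
            n, base = self.counts.get(dst, 0), self.baseline.get(dst)
            if base is not None and n >= self.floor and n > self.factor * base:
                self.alarms.append((self.bucket_start, dst, n))
                continue  # keep the anomalous bucket out of the baseline
            # The first bucket for a destination only learns; it cannot alarm.
            self.baseline[dst] = n if base is None else (1 - self.alpha) * base + self.alpha * n
        self.counts.clear()

    def flow_created(self, now, dst):
        """Call once for every new flow-state entry the router creates."""
        while now >= self.bucket_start + self.interval:
            self._close_bucket()
            self.bucket_start += self.interval
        self.counts[dst] += 1

def demo():
    # Constructed events: 10 new flows/s to one host for 5 s, then 500 in 1 s.
    mon, web, dns = NewFlowRateMonitor(), "2001:db8::80", "2001:db8::53"
    for sec in range(5):
        for i in range(10):
            mon.flow_created(sec + i / 10, web)
    for i in range(500):
        mon.flow_created(5 + i / 500, web)
    mon.flow_created(6.0, dns)  # first event of the next bucket closes bucket 5
    return mon.alarms
```

Because the alarming bucket is excluded from the moving average, a sustained flood keeps alarming instead of becoming the new normal.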


Conclusions

• Gradual migration from IPv4 to IPv6 with long term co-existence of IPv4 and IPv6

• Deployment of IPv6 networks required to satisfy evolving network/service architecture models

• Stateful IPv6 routers nodal behavior, fully interoperable with existing technologies – a new resources management model, QoS and security architectures

• Enhances value proposition & ROI of migration to IPv6


Thank you!

Riad Hartani, Caspian
