Three Challenges to the Internet

Xing Li, 2015-09-21

Outline

• Review

• Three challenges

• Open Internet

21 years ago

Routing

A Cisco router is required.

CERNET

[Figure: CERNET topology in 1994, 1995 and 1997. 1994: an X.25 link at 2.4K-9.6K between Beijing and Shenyang, Cisco 4500 and 2500 routers; 1997: 10 PoPs, including Beijing, Shenyang, Xi'an, Nanjing, Shanghai, Chengdu, Wuhan and Guangzhou.]

[Figure: CERNET topology in 2000, 2004 and 2014: backbone, regional, GigaPoP and PoP nodes in cities including Harbin, Urumqi, Changchun, Shenyang, Hohhot, Beijing, Tangshan, Tianjin, Dalian, Yinchuan, Shijiazhuang, Lanzhou, Taiyuan, Jinan, Yantai, Xining, Qingdao, Zhengzhou, Xuzhou, Hanzhong, Xi'an, Nanjing, Chengdu, Wuxi, Yichang, Huangmei, Shanghai, Lhasa, Chongqing, Wuhan, Hefei, Jiujiang, Hangzhou, Changsha, Nanchang, Guiyang, Fuzhou, Guilin, Liuzhou, Taipei, Kunming, Baise, Guangzhou, Shantou, Xiamen, Huizhou, Zhanjiang, Shenzhen, Zhuhai, Nanning, Xuwen, Haikou and Sanya.]

CERNET backbone

Year  Link speed
1994  2.4K X.25
1995  64K DDN
1997  4M SCPC
2000  155M SDH
2002  2.5G DWDM
2004  2.5G/5G DWDM
2005  2.5G/5G/10G DWDM
2007  2.5G/10G/20G DWDM
2014  10G/100G DWDM

From 2.4K in 1994 to 100G in 2014: a ratio of about 40 million.

CIDR ranking

University ranking

CNGI-CERNET2

IPv6-only backbone

[Figure: CNGI-CERNET2 topology, 1997, 2003 and 2006, with core nodes Beijing (BJ), Shanghai (SH) and Guangzhou (GZ).]

Global connectivity

2008 Beijing Olympics

IPv6 innovation

• 4over6
• SAVI
• IVI/MAP

Internet population

World Internet population

Top 10s

2025 prediction

Address demand

Bandwidth demand

Governance demand

Application demand

Human resource demand

• Globalization
• Distributed science
• Education costs
• Changing competitive landscape
• Lifelong learning
• Risk management

Internet of …

Outline

• Review

• Three challenges

• Open Internet

Three challenges

• Net-neutrality
  – Traffic optimization for business
• Protocol ossification
  – NAT and slow deployment of IPv6
• Internet fragmentation
  – Pervasive surveillance and national firewalls

Net-neutrality

[Figure: data traffic, OTT customer demand and data ARPU.]

Different traffic types

• Research: elephant flows
• Enterprise: mice flows
• Student and staff: ant flows

Economics

[Figure: a best-effort public Internet at a flat-rate price versus a service-enabled end-to-end price; multiple service offers are enabled by policy-enforced QoS, and the gap between the two prices is lost revenue opportunity.]

Fundamental features

• Bandwidth is a scarce resource.
• 20% of the users consume more than 80% of the bandwidth.
• The users' session arrival process is Poisson.

Missing links

• No distinction among users
  – Flat-rate charging model
• No well-defined bandwidth reservation
  – Best effort
• No network admission control
  – Best effort

Switching technologies

• Connection-oriented: circuit switching, virtual-circuit switching
• Connectionless: packet switching (IP), address switching

Address-switching concept

[Figure (a): power law. Ordinary users are 80% of the users and generate 20% of the traffic; heavy users are 20% of the users and generate 80% of the traffic.]

[Figure (b): address switching. Non-VIP users receive non-VIP service; VIP users receive VIP service.]

Building blocks

[Figure: building blocks (a)-(f): admission control system, end systems, softswitch, gateway, own AS and other AS.]

Switching

Example

Remarks

• Concept
  – Non-VIP: best effort
  – VIP: VIP address with bandwidth reservation and admission control
• Solutions
  – Routing (BGP reflector)
  – Tunneling
  – Translation (NAT, etc.)
  – SDN (OpenFlow)
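The address-switching concept on the preceding slides (the service class is decided from the address alone, VIP addresses get bandwidth reservation plus admission control, everything else stays best effort, and session arrivals are Poisson) can be made concrete. The Python below is an added example, not code from CERNET or from the talk: it classifies each session by source address against a constructed VIP prefix list, sizes the reserved pool with the Erlang-B formula for Poisson arrivals, and rejects VIP sessions once the pool is full. The prefixes, the offered load and the 1% blocking target are assumptions chosen for illustration.

```python
"""Address switching with admission control, sized by Erlang-B.

Added example (not CERNET code): VIP prefixes, loads and targets are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed VIP address pool (assumption for this example).  Sessions whose
# source address falls in one of these prefixes get the reserved service; all
# other sources get best effort, the non-VIP/VIP split from the slides.
VIP_PREFIXES = (ip_network("2001:db8:1::/48"), ip_network("192.0.2.0/24"))


def is_vip(src: str) -> bool:
    """Address switching: the service class is decided from the source address alone."""
    addr = ip_address(src)
    return any(addr in net for net in VIP_PREFIXES)


def erlang_b(offered_load: float, slots: int) -> float:
    """Blocking probability B(E, m) for Poisson session arrivals offering E erlangs
    to m reserved slots, blocked sessions cleared.  Uses the stable recurrence
    B(E, 0) = 1,  B(E, m) = E*B(E, m-1) / (m + E*B(E, m-1))."""
    b = 1.0
    for m in range(1, slots + 1):
        b = offered_load * b / (m + offered_load * b)
    return b


def slots_for_target(offered_load: float, max_blocking: float) -> int:
    """Smallest reserved pool whose blocking probability does not exceed the target."""
    m = 0
    while erlang_b(offered_load, m) > max_blocking:
        m += 1
    return m


class AdmissionController:
    """VIP sessions take a reserved slot or are rejected when the pool is full;
    non-VIP sessions are admitted as best effort and never touch the pool."""

    def __init__(self, vip_slots: int):
        self.vip_slots = vip_slots
        self.reserved = set()   # session ids currently holding a slot

    def admit(self, session_id: str, src: str) -> str:
        if not is_vip(src):
            return "best-effort"
        if len(self.reserved) >= self.vip_slots:
            return "rejected"   # admission control: no capacity left to reserve
        self.reserved.add(session_id)
        return "reserved"

    def release(self, session_id: str) -> None:
        self.reserved.discard(session_id)


if __name__ == "__main__":
    # 2 erlangs of VIP load (assumption) with a 1% blocking target needs 7 slots.
    pool = slots_for_target(2.0, 0.01)
    ctrl = AdmissionController(pool)
    for sid, src in [("s1", "192.0.2.7"), ("s2", "198.51.100.9"), ("s3", "2001:db8:1::10")]:
        print(sid, src, ctrl.admit(sid, src))
```

The point of the Erlang-B step is that "bandwidth reservation" only has a defined meaning once the operator states a blocking probability for the VIP class; without it the VIP address is just a label. The controller is deliberately stateless about non-VIP sessions, which is exactly the best-effort behaviour the "Missing links" slide describes.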

Protocol ossification

• Addresses
  – IPv4 depletion
  – IPv6 "one-time shopping"
• DNS
  – Applications are not sensitive to DNS
• Protocol
  – Only TCP 80/443 are universally available

Network architecture

• Circuit switching: ISDN
• Virtual-circuit switching: X.25, FR, ATM, SDN
• Datagram / packet switching: IP (IPv4, IPv6, FI); IPv4 80/443
• Non-IP: OSI, IPX, SNA, AppleTalk, DECnet, FN

CERNET IPv6 experience

[Figure: timeline 1994-2014. Dual stack: NFSCNET, CERNET-6Bone. Tunneling: IPv6 over IPv4 and IPv4 over IPv6 (IETF Softwire WG). Translation: IVI (IETF Behave WG). Unification: double translation (IETF Softwire WG, IETF v6ops WG). IPv6-only: CERNET2. CERNET: 2000 universities, 20M users; CERNET2: 200 universities, 2M users. Milestones: 1994, 1998, 2000, 2004, 2005, 2007, 2011, 2014.]

Stateless translation (IVI)

[Figure: the IVI translator sits between IPv6 and IPv4. A subset of IPv6 addresses represents IPv4 hosts: a real IPv4 host appears as a mirrored IPv6 host, and a real IPv6 host drawn from that subset appears as a mirrored IPv4 host.]

IETF transition

[Figure: IETF transition lineage. Stateless translation: IVI (RFC6052, RFC6145, RFC6791) → dIVI, dIVI-PD → MAP-T (RFC7599); MAP-E (RFC7597); DHCPv6 options (RFC7598). Stateful translation: NAT64 (RFC6146), 464XLAT (RFC6877). Tunneling: DS-Lite (RFC6333), RFC7040.]

Stateless translation

1. RFC6052, IPv6 Addressing of IPv4/IPv6 Translators, https://datatracker.ietf.org/doc/rfc6052/, 2010-10
2. RFC6144, Framework for IPv4/IPv6 Translation, https://datatracker.ietf.org/doc/rfc6144/, 2011-04
3. RFC6145, IP/ICMP Translation Algorithm, https://datatracker.ietf.org/doc/rfc6145/, 2011-04
4. RFC6219, The China Education and Research Network (CERNET) IVI Translation Design and Deployment for the IPv4/IPv6 Coexistence and Transition, https://datatracker.ietf.org/doc/rfc6219/, 2011-05
5. RFC6791, Stateless Source Address Mapping for ICMPv6 Packets, https://datatracker.ietf.org/doc/rfc6791, 2012-11
6. RFC7597, Mapping of Address and Port with Encapsulation (MAP-E), https://datatracker.ietf.org/doc/rfc7597/, 2015-07
7. RFC7598, DHCPv6 Options for Configuration of Softwire Address and Port-Mapped Clients, https://datatracker.ietf.org/doc/rfc7598/, 2015-07
8. RFC7599, Mapping of Address and Port using Translation (MAP-T), https://datatracker.ietf.org/doc/rfc7599/, 2015-07

Comparisons
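Stateless translation works because the IPv4 address is recoverable from the IPv6 address by arithmetic alone, with no per-flow state; the mapping is RFC6052 (reference 1 above). The Python below is an added example, not the CERNET IVI implementation: it embeds an IPv4 address into a translation prefix of any of the six permitted lengths (/32, /40, /48, /56, /64, /96), skipping the bits-64-71 "u" octet, and extracts it again, refusing addresses outside the prefix or with a non-zero u octet, which is the check a translator uses to decide whether a packet is translatable at all. The test vectors are the ones in RFC6052 section 2.4; the prefixes are documentation prefixes, not CERNET's.

```python
"""RFC 6052 IPv4-embedded IPv6 addresses, the mapping used by stateless
IPv4/IPv6 translators.  Added example, not the CERNET IVI implementation."""
from ipaddress import IPv4Address, IPv6Address, IPv6Network

# RFC 6052 section 2.2: the IPv4 address is written into the bits right after
# the prefix, skipping bits 64-71 (the "u" octet), which must be zero.
PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def embed_ipv4(prefix: str, ipv4: str) -> str:
    """IPv4 -> IPv4-embedded IPv6 address under a translation prefix."""
    net = IPv6Network(prefix)
    pl = net.prefixlen
    if pl not in PREFIX_LENGTHS:
        raise ValueError(f"/{pl} is not a valid RFC 6052 translation prefix length")
    p = int(net.network_address)
    a = int(IPv4Address(ipv4))
    if pl == 96:
        return str(IPv6Address(p | a))          # IPv4 occupies bits 96-127
    hi_bits = 64 - pl                            # IPv4 bits that fit before the u octet
    lo_bits = 32 - hi_bits                       # IPv4 bits placed from bit 72 onwards
    hi, lo = a >> lo_bits, a & ((1 << lo_bits) - 1)
    # Bit 0 is the most significant bit: a field ending at bit 64 is shifted left
    # by 128-64 = 64, a field starting at bit 72 by 128-72-width = 56-width.
    return str(IPv6Address(p | (hi << 64) | (lo << (56 - lo_bits))))


def extract_ipv4(prefix: str, ipv6: str) -> str:
    """IPv4-embedded IPv6 -> IPv4 (RFC 6052 section 2.3).  Rejects addresses a
    translator must not treat as translatable: outside the prefix, or with a
    non-zero u octet."""
    net = IPv6Network(prefix)
    addr = IPv6Address(ipv6)
    pl = net.prefixlen
    if pl not in PREFIX_LENGTHS:
        raise ValueError(f"/{pl} is not a valid RFC 6052 translation prefix length")
    if addr not in net:
        raise ValueError(f"{addr} is not inside translation prefix {net}")
    v = int(addr)
    if pl == 96:
        return str(IPv4Address(v & 0xFFFFFFFF))
    if (v >> 56) & 0xFF:
        raise ValueError("bits 64-71 must be zero in an IPv4-embedded IPv6 address")
    hi_bits = 64 - pl
    lo_bits = 32 - hi_bits
    hi = (v >> 64) & ((1 << hi_bits) - 1)
    lo = (v >> (56 - lo_bits)) & ((1 << lo_bits) - 1)
    return str(IPv4Address((hi << lo_bits) | lo))


def is_translatable(prefix: str, ipv6: str) -> bool:
    """True if `ipv6` is a well-formed IPv4-embedded address under `prefix`."""
    try:
        extract_ipv4(prefix, ipv6)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Documentation prefixes and the host 192.0.2.33, as in RFC 6052 section 2.4.
    for prefix in ("2001:db8::/32", "2001:db8:100::/40", "2001:db8:122::/48",
                   "2001:db8:122:300::/56", "2001:db8:122:344::/64",
                   "2001:db8:122:344::/96", "64:ff9b::/96"):
        v6 = embed_ipv4(prefix, "192.0.2.33")
        print(f"{prefix:24} {v6:32} -> {extract_ipv4(prefix, v6)}")
```

The two rejections in `extract_ipv4` matter operationally: a translator that maps arbitrary IPv6 addresses falling outside its prefix, or that ignores the u octet, can be made to emit IPv4 packets with source addresses the operator never allocated, which is the kind of address spoofing the SAVI work mentioned earlier is meant to prevent.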

                     Stateless                              Stateful
Translation          IVI (RFC6145)                          NAT64 (RFC6146)
                     MAP-T (double translation, RFC6145)    464XLAT (double translation, RFC6145)
Tunneling (RFC2473)  MAP-E                                  DS-Lite

dIVI deployment

Remarks

[Figure: IVI at every layer of an IPv6 cloud stack: SaaS, PaaS, IaaS and 4aaS.]

Internet fragmentation

• Snowden
  – Encryption
  – Control points
• IANA transition
  – Governance
• Trust anchor
  – Game theory

Snowden

IETF 87

IETF 88: encryption without authentication

Five hums (Hardening The Internet)

• The IETF is willing to respond to the pervasive surveillance attack?
  – Overwhelming YES. Silence for NO.
• Pervasive surveillance is an attack, and the IETF needs to adjust our threat model to consider it when developing standards track specifications.
  – Very strong YES. Silence for NO.
• The IETF should include encryption, even outside authentication, where practical.
  – Strong YES. Silence for NO.
• The IETF should strive for end-to-end encryption, even when there are middleboxes in the path.
  – Mixed response, but more YES than NO.
• Many insecure protocols are used in the Internet today, and the IETF should create a secure alternative for the popular ones.
  – Mostly YES, but some NO.

IAB Statement

• Encryption should be authenticated where possible, but even protocols providing confidentiality without authentication are useful in the face of pervasive surveillance as described in RFC 7258.
• We similarly encourage network and service operators to deploy encryption where it is not yet deployed, and we urge firewall policy administrators to permit encrypted traffic.

Control points

IANA transition

NTIA (ICANN SG meeting)

• US government's role in IANA is purely clerical
• 4 key principles – and that's it
  – Support and enhance the multistakeholder model
  – Maintain the security, stability, and resiliency of the Internet DNS
  – Meet the needs and expectations of the global customers and partners of the IANA services, and
  – Maintain the openness of the Internet
• Governments are only one stakeholder and cannot be in charge
• Answer to the transition lies in IANA's 'customers'
• US domestic politics is a factor
• The bigger picture is developing countries and the multistakeholder process
• ICANN accountability is something for the community to figure out

Comparison

USG                                                        CNG
• Support and enhance the multistakeholder model           • Equality and openness
• Maintain the security, stability, and resiliency         • Multilateral
  of the Internet DNS                                      • Security and trust
• Meet the needs and expectations of the global            • Cooperation for a win-win game
  customers and partners of the IANA services, and
• Maintain the openness of the Internet

Trust anchor

• Domain name
  – Root server
  – DNSSEC
• Address
  – RPKI
• Protocol parameters
  – Standards
  – Security protocols (authentication)
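For the address trust anchor, the check a router actually runs is route origin validation (RFC 6811): each BGP announcement's prefix and origin AS is compared with the Route Origin Authorizations (ROAs) that the RIRs' RPKI trust anchors vouch for. The Python below is an added example, not RIR or CERNET software: it validates announcements against a small constructed ROA set, using only documentation prefixes and AS numbers, and returns Valid, Invalid or NotFound. It also handles the AS0 ROA, the RPKI way of saying that nobody may originate a prefix.

```python
"""RPKI route origin validation (RFC 6811) against a constructed ROA set.
Added example, not RIR or CERNET software; all prefixes and AS numbers are
from the documentation ranges."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    prefix: str       # authorised prefix
    max_length: int   # longest more-specific the origin may announce
    asn: int          # authorised origin AS; 0 means "nobody" (RFC 6483 section 4)


# Constructed validated ROA payloads, as a router would receive them from an
# RPKI cache (assumption for this example).
ROAS = (
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
    ROA("203.0.113.0/24", 24, 0),
)


def validate_origin(route_prefix: str, origin_asn: int, roas=ROAS) -> str:
    """RFC 6811 section 2: NotFound if no ROA covers the route, Valid if a covering
    ROA authorises this origin for this prefix length, otherwise Invalid."""
    route = ip_network(route_prefix)
    covering = []
    for roa in roas:
        roa_net = ip_network(roa.prefix)
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "NotFound"
    for roa in covering:
        # An AS0 ROA never matches: RFC 7607 forbids AS 0 as a BGP origin.
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


if __name__ == "__main__":
    # Constructed announcements: legitimate, a more-specific hijack, a wrong
    # origin, and a prefix nobody has signed for.
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                        ("192.0.2.0/24", 64511), ("198.51.100.0/24", 64496)]:
        print(f"{prefix:18} AS{asn}: {validate_origin(prefix, asn)}")
```

Two things the example makes visible. First, a more-specific announcement beyond the ROA's maxLength is Invalid even from the legitimate origin, so operators should set maxLength no longer than what they really announce. Second, every verdict is relative to the ROA set the validator was handed, which in turn is relative to the trust anchors it is configured with; an allocation made outside the RIR system, as in the fragmentation scenario on the following slides, simply shows up here as NotFound or Invalid depending on whose trust anchor the router believes.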

A closed survey

• Multistakeholder model
• Security, stability, and resiliency
• Meet the global customer needs
• Keep openness
• Government should lead
• Enhance the national control
• Support the current DNS model
• Support mDNS
• Support DNSSEC
• Support unique DNS root
• Support national IPv6 aggregation
• Support RPKI
• Support encrypt everything

Comparisons

• Differences
  – Government should lead: 27% (high)
  – Enhance the national control: 72% (high)
  – Support unique DNS root: 49% (low)
  – Support encrypt everything: 36% (low)

The worst case scenario

• We end up with some or all of
  – Competing DNS roots (the most likely new possibility),
  – National regulations about traffic going in and out of the country and how internal ISPs can connect (we already have some of that),
  – National (or ITU-based) allocation of addresses (both IPv4 and IPv6) that simply ignore the RIRs and global routing architecture, so that we end up with addresses in some countries ignoring the ICANN/RIR allocations,
  – Multiple organizations claiming to perform the IANA function, with competing and diverging copies of registries (even protocol registries).

Remarks

• Classifications
  – Legal fragmentation
  – Data localization and related issues
  – Territorial routing and related issues
  – Proprietary protocols
  – Restriction on digital flows
  – Walled garden
  – Security
  – Localization (IDN, content)
  – IPv6

Outline

• Review

• Three challenges

• Open Internet

Architecture

Protocol

Interoperate

Open Internet

• Open protocol
• Open implementation
• Open process
• Open system

Three generations

Telephone → router → programmer

Huawei vs Tencent

Permissionless innovation

• No one is "in charge" of the Internet. Instead, many people cooperate to make it work.
• Each person brings a unique perspective of the Internet.
• We believe a strong focus on enabling the broadly based dialogue is necessary, and that the "permissionless innovation" given as the goal of this effort is better served by first enabling infrastructure (web site, collection and a set of tools). Further efforts may emerge later, and those may require additional structure.

Human network (US)

Human network (CN)

1. 张朝阳, Tsinghua-MIT, Sohu
2. 王小川, Tsinghua, Sogou
3. 史立荣, Tsinghua, ZTE
4. 李彦宏, PKU-Buffalo, Baidu
5. 俞敏洪, PKU, New Oriental
6. 杨元庆, SJTU, Lenovo
7. 周鸿祎, XJTU, Qihoo 360
8. 陈天桥, Fudan, Shanda
9. 曹国伟, Fudan, Sina
10. 丁磊, UESTC, NetEase
11. 雷军, Wuhan Univ., Xiaomi
12. 柳传志, Xidian Univ., Lenovo
13. 刘强东, People's Univ., Jingdong
14. 马化腾, Shenzhen Univ., Tencent
15. 马云, Hangzhou Normal Univ., Alibaba
16. 任正非, Chongqing Construction Inst., Huawei
17. 古永锵, New South Wales, Youku

Global academic network

• High-performance, dynamic network to provide open VIP services via distributed management.
• IPv6 and new applications.
• Non-fragmented academic Internet.

• Permissionless innovation
