Three Challenges to the Internet
Xing Li 2015-09-21 Outline
• Review
• Three challenges
• Open Internet
2 21 years ago
3 Routing
A cisco router is required. 4 CERNET
4500
Shenyang Shenyang Beijing X.25 Beijing
2.4K-9.6K Xi抋n 2500 2500 Nanjing 2500 Xi’an Chengdu Nanjing Shanghai Chengdu Wuhan WuhanShanghai Guangzhou 10 PoPs Guangzhou 1994 1995 1997
哈尔滨 乌鲁木齐 长春 沈阳 呼和浩特北京唐山
天津大连 银川 石家庄 兰州 太原 济南烟台 西宁 青岛 郑州徐州 汉中西安 南京 成都 无锡 宜昌 黄梅 上海 拉萨 重庆 武汉合肥 九江 杭州 长沙 南昌 贵阳 福州 桂林柳州 台北 Backbone 昆明 百色 广州汕头厦门 Regional 惠州 湛江 深圳 GigaPop 珠海 南宁 徐闻 深圳 Pop 海口 三亚 2000 2004 2014 5 CERNET backbone
Year Link speed 1994 2.4K X.25 1995 64K DDN 1997 4M SCPC 2000 155M SDH 2002 2.5G DWDM 2004 2.5G/5G DWDM 2005 2.5G/5G/10G DWDM 2007 2.5G/10G/20G DWDM 2014 10G/100G DWDM
Ratio = 40 million 6 CIDR ranking
7 University ranking
8 CNGI-CERNET2
IPv6-only backbone
BJ
GZ SH
1997 2003 2006
9 Global connectivity
10 2008 Beijing Olympics
11 IPv6 innovation
4over6
SAVI
IVI/MAP 12 Internet population
13 World Internet population
14 Top 10s
15 2025 prediction
16 Address demand
17 Bandwidth demand
18 Governance demand
19 Application demand
20 Human resource demand
Globalization Distributed Science Education Costs
Changing Competitive Lifelong Learning Landscape Risk Management
21 Internet of ……
22 Outline
• Review
• Three challenges
• Open Internet
23 Three challenges
• Net-neutrality – Traffic optimization for business • Protocol ossification – NAT and slow deployment of IPv6 • Internet fragmentation – Pervasive surveillance and national firewalls
24 Net-neutrality
Data traffic
OTT Customer demand Data ARPU
25 Different traffics
Research Elephant flows
Enterprise flow Mice flows
Student and staff ant flows
26 Economics
Best effort public Internet Service enabled E2E price price Multiple services offers Lost revenue are enabled by opportunity policy- enforced QoS
Flat rate
users users
27 Fundamental Features
• Bandwidth is a scarce resource. • 20% of the users consume more than 80% of the bandwidth • The user’s session arrival process is Poisson
28 Missing links
• No distinction among users – Flat rate charging model • No well-defined bandwidth reservation – Best effort • No network admission control – Best effort
29 Switching technologies
Virtual Circuit Circuit Connection-oriented switching switching
Packet Address Switching Connectionless switching IP
30 Address-switching concept
Power Law 80% users 20% users 20% traffic 80% traffic (a)
Ordinary User Heavy User
Address Switching
Non-VIP service VIP service (b) Non-VIP User VIP User
31 Building blocks
Softswitch (c) (d)
(a) Admission End (b) (f) End Control system Other AS Own AS system Gateway (e)
32 Switching
33 Example
34 Remarks
• Concept – Non-VIP: best effort – VIP: VIP address with bandwidth reservation and admission control • Solutions – Routing (BGP reflector) – Tunneling – Translation (NAT, etc) – SDN (Openflow)
35 Protocol ossification
• Addresses – IPv4 depletion – IPv6 onetime shopping •DNS – APP is not sensitive to DNS • Protocol – Only TCP 80/443 are universally available
36 Network architecture
Circuit switching ISDN
Virtual circuit X.25 switching FR ATM SDN
IPv4 80/443 Datagram Packet switching IPv6 IP FI
OSI
IPX Non-IP FN SNA
AppleTalk
DECNET 37 CERNET IPv6 experience
Double Dual stack translation NFSCNET IETF Softwire WG
IPv6 over IPv4 over IPv6 IPv4 IETF softwire WG Unification CERNET-6Bone IETF Softwire WG IETF v6ops WG Translation IVI IPv6 only IPv4 IETF Behave WG CERNET CERNET2 • 2000 univ. •200 univ. • 20M users • 2M users
19941998 2000 2004 2005 2007 2011 2014
38 Stateless translation (IVI)
IPv6 IVI IPv4
A subset of IPv6 addresses
Real IPv4 host mirrored IPv6 host mirrored IPv4 host Real IPv6 host
A subset of IPv6 addresses 39 IETF transition
IVI dIVI MAP RFC7598 RFC6052, RFC6145, RFC6791 DHCP
RFC6146 464XLAT
RFC6877 dIVI-PDMAP-T
RFC7040 RFC7599
DS-Lite
RFC6333
MAP-E
RFC7597 40 Stateless translation
1. RFC6052, IPv6 Addressing of IPv4/IPv6 Translators, https://datatracker.ietf.org/doc/rfc6052/ 2010-10 2. RFC6144, Framework for IPv4/IPv6 Translation, https://datatracker.ietf.org/doc/rfc6144/ 2011-04 3. RFC6145, IP/ICMP Translation Algorithm, https://datatracker.ietf.org/doc/rfc6145/ 2011-04 4. RFC6219, The China Education and Research Network (CERNET) IVI Translation Design and Deployment for the IPv4/IPv6 Coexistence and Transition, https://datatracker.ietf.org/doc/rfc6219/ 2011-05 5. RFC6791, Stateless Source Address Mapping for ICMPv6 Packets, https://datatracker.ietf.org/doc/rfc6791 2012-11 6. RFC7597, Mapping of Address and Port with Encapsulation (MAP-E), https://datatracker.ietf.org/doc/rfc7597/ , 2015-07 7. RFC7598, DHCPv6 Options for configuration of Softwire Address and Port Mapped Clients, https://datatracker.ietf.org/doc/rfc7598/ , 2015- 07 8. RFC7599, Mapping of Address and Port using Translation (MAP-T), https://datatracker.ietf.org/doc/rfc7599/ , 2015-07 41 Comparisons
Translation IVI NAT64
MAP-T 464XLAT
RFC6NAT64 Double 146 RFC6 RFC6145 translation 145 RFC6 145
MAP-E DS-Lite
Tunneling RFC2473
Stateless Stateful 42 dIVI deployment
43 Remarks
• SaaS • PaaS IVI IVI
IPv6IPv6 • IaaS IVI IVI
• 4aaS IVI IVI
44 Internet fragmentation
• Snowden – Encryption – Control points • IANA transition – Governance • Trust anchor – Game theory
45 Snowden
IETF87
IETF88 Encryption without authentication 46 Five hums
• The IETF is willing to respond to the pervasive surveillance attack? – Overwhelming YES. Silence for NO. • Pervasive surveillance is an attack, and the IETF needs to adjust our threat model to consider it when developing standards track specifications. – Very strong YES. Silence for NO • The IETF should include encryption, even outside authentication, where practical. – Strong YES. Silence for NO • The IETF should strive for end-to-end encryption, even when there are middleboxes in the path. – Mixed response, but more YES than NO. • Many insecure protocols are used in the Internet today, and the IETF should create a Hardening The Internet secure alternative for the popular ones. – Mostly YES, but some NO. 47 IAB Statement
• Encryption should be authenticated where possible, but even protocols providing confidentiality without authentication are useful in the face of pervasive surveillance as described in RFC 7258. • We similarly encourage network and service operators to deploy encryption where it is not yet deployed, and we urge firewall policy administrators to permit encrypted traffic.
48 Control points
49 IANA transition
50 NTIA (ICANN SG meeting)
• US government’s role in IANA is purely clerical • 4 key principles – and that's it – Support and enhance the multistakeholder model – Maintain the security, stability, and resiliency of the Internet DNS – Meet the needs and expectation of the global customers and partners of the IANA services, and – Maintain the openness of the Internet • Governments are only one stakeholder and cannot be in charge • Answer to the transition lies in IANA's 'customers' • US domestic politics is a factor • The bigger picture is developing countries and the multistakeholder process • ICANN accountability is something for the community to figure out 51 Comparison
USG CNG • Support and enhance the • Equality and multistakeholder model Openness • Maintain the security, stability, and resiliency of • Multilateral the Internet DNS • Security and Trust • Meet the needs and • Cooperation for win - expectation of the global win game customers and partners of the IANA services, and • Maintain the openness of the Internet 52 Trust anchor
• Domain Name – Root server – DNSSEC • Address –rPKI • Protocol parameters – Standard – Security protocols (authentication)
53 A closed survey
• Multistakeholde model • Security, stability, and resiliency •Meet the global customer needs • Keep openness • Government should lead •Enhance the national control • Support the current DNS model • Support mDNS • Support DNSSEC • Support unique DNS root • Support national IPv6 aggregation • Support rPKI • Support encrypt everything 54 Comparisons
• Differences – Government should lead 27% (high) – Enhance the national control 72% (high) – Support unique DNS root 49% (low) – Support encrypt everything 36% (low)
55 The worst case scenario
• We end up with some or all of – Competing DNS roots (the most likely new possibility), – National regulations about traffic going in and out of the country and how internal ISPs can connect (we already have some of that) – National (or ITU-based) allocation of addresses (both IPv4 and IPv6) that simply ignore the RIRs and global routing architecture so that we end up with addresses in some countries ignoring the ICANN/RIR allocations. – Multiple organizations claiming to perform the IANA function, with competing and diverging copies of registries (even protocol registries).
56 Remarks
• Classifications – Legal Fragmentation – Data Localization and Related Issues – Territorial Routing and Related Issues – Proprietary Protocols – Restriction on Digital Flows – Walled Garden –Security – Localization (IDN, Content) –IPv6
57 Outline
• Review
• Three challenges
• Open Internet
58 Architecture
59 Protocol
60 Interoperate
61 Open Internet
•Open protocol •Open implementation
Open Process •Open system
62 Three generations
Telephone Æ router Æ programmer 63 Huawei vs Tencent
64 Permissionless innovation
• No one is “in charge” of the Internet. Instead, many people cooperate to make it work. • Each person brings a unique perspective of the Internet, We believe a strong focus on enabling the broadly based dialogue is necessary, and that the “permissionless innovation” given as the goal of this effort is better served by first enabling infrastructure (web site, collection and a set of tools). Further efforts may emerge later, and those may require additional structure.
65 Human network (US)
66 Human network (CN)
1. 张朝阳 Tsinghua-MIT Sohu 2. 王小川 Tsinghua Sogo 3. 史立荣 Tsinghua ZTE 4. 李彦宏 PKU-Buffalo Baidu 5. 俞敏洪 PKU New Oriental 6. 杨元庆 SJTU Lenovo 7. 周鸿祎 XJTU Qihu 360 8. 陈天桥 Fudan Shanda 9. 曹国伟 Fudan Sina 10. 丁磊 UESTC Netease 11. 雷军 Wuhan Univ. Millet 12. 柳传志 Xidian Univ. Lenovo 13. 刘强东 People’s Univ. Jingdong 14. 马化腾 ShenZhen Univ. Tencent 15. 马云 Hangzhou Normal U. Alibaba 16. 任正非 Chongqing Construction Inst. Huawei 17. 古永锵 New South Wales Youku 67 Global academic network
• High performance, dynamic network to provide open VIP services via distributed management. • IPv6 and new applications. • Non-fragmented academic Internet.
• Permissionless innovation
68