IP EDGE DEVICES A solution for the Internet Migration Patrick Cocquet, 6WIND CEO, IPv6 Forum VP www.6wind.com Dubai IPv6 Forum Summit – February 2001


SUMMARY

• 6WIND, the IPv6 company !

• 6WIND Positioning

• IP Edge Device in the Network Architecture

• IP Edge Device, main features

• Conclusion

6WIND

• The IPv6 start-up company

– Spin-off of the Thomson-CSF IP network development activities

– Start date: 1 September 2000

– Team: 20 engineers + subcontractors

– Experience: 5 years of IP R&D activities

– Member of the IPv6 Forum Board (VP)

6WIND POSITIONING

• To develop IP access devices to provide the user with new IP services:

– All features in one box : QoS, security, IPv4/v6 migration, mobility, routing

– Significant step in terms of Network Services

• To develop expertise around the introduction of the IPv6 technology

• Markets (1st step) :

– Enterprises and Branch Offices

– Direct sales (ISPs) and Indirect sales (Integrators)

• Markets (future steps) :

– SOHO (wireless + zero-conf IP networks)

– Home Networks

ARCHITECTURE

• QoS management (DiffServ)
• IP Security
• IPv4/v6 migration features
• Mobility (Mobile IP)
• Multicast
• Routing

Diagram labels: Management Center (IP service configuration); three 6WIND IP Edge Devices; Internet or Intranet (IPv4 or IPv6)

QoS MANAGEMENT

Issue: resource guarantee for time-sensitive flows

Diagram labels: DiffServ; IPv6 or IPv4 backbone or Intranet

• Classification
• Policing and shaping
• Scheduling
• EF and AF: DiffServ IETF standard

Packet path shown in the diagram:

• Non-classified IP flows
• Classification
• Classified IP packets
• Shaping and policing
• In-excess packets
• Scheduling per Class of Service
• Minimal bandwidth reserved for each class

QoS CONFIGURATION

1) CLASS OF SERVICE: define a class
2) FLOW DEFINITION: define an IPv4 or IPv6 flow
3) QOS MONITORING: monitor the classes

IP SECURITY

Diagram label: IPv4 or IPv6 non-secure backbone

Questions:

• New device authentication
• Security Association definition
• Data transfers

DEVICE AUTHENTICATION

Diagram labels: Certification Authority; IPv4 or IPv6 non-secure backbone

• Key pair generation
• RSA algorithm
• Certificate request
• Certificate generation
• Certificate delivery
• Pre-shared keys can also be used

SECURITY ASSOCIATION

• IPSec SA statically configured in each device:
– Addresses
– Algorithms
– Session keys

• IKE negotiation phases

• IPSec SA dynamically configured:
– Addresses
– Algorithms
– Session keys
– Lifetime

DATA EXCHANGE

• Secure traffic between protected zones via IPSec tunnels

• Policies:
– Discard
– Clear
– Apply AH and/or ESP

VPN CONFIGURATION

1) Name the VPN
2) Define the end point addresses
3) Choose your security level (pre-defined templates ease the configuration process)
4) Choose the certificate or the key

IPSec TUNNEL CONFIGURATION

1) Define the zones to be protected
2) Apply a policy

IPv4/v6 MIGRATION MECHANISMS

Diagram labels: IPv6 clouds; IPv4 backbone

Mechanisms:

• Automatic tunnels
• Configured v6 in v4 tunnels
• 6to4
• Configured v4 in v6 tunnels

AUTOMATIC TUNNEL

Diagram labels: IPv6 clouds; IPv4 backbone

• IPv4-compatible IPv6 address = 0…0 IPv4 address
• No configuration
• IPv6 packet: from ::137.37.17.53 to ::138.38.10.54
• IPv4 encapsulation: src 137.37.17.53, dst 138.38.10.54
• Dest ::138.38.10.54

CONFIGURED IPv6 in IPv4 TUNNEL

Diagram labels: IPv6 clouds; IPv4 backbone

• End point = IPv4 address + IPv6 address
• Tunnel configuration
• IPv6 packet (IPv6 addresses)
• IPv4 encapsulation with end point addresses (IPv6 addresses, then IPv4 addresses)

6to4

Diagram labels: IPv6 clouds; IPv4 backbone

• 6to4 prefix per site = 2002:IPv4 address::/48
• Hides an IPv6 network behind a single IPv4 address
• IPv6 packet (6to4 addresses)
• IPv4 encapsulation with IPv4 addresses (6to4 addresses, then IPv4 addresses)
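Added example, not part of the original slides: a Python sketch of the address arithmetic behind the AUTOMATIC TUNNEL and 6to4 slides, using the slides' own sample addresses. The function names and the receiver-side consistency check in `accept_decapsulated` are assumptions introduced for illustration.

```python
import ipaddress

# Hypothetical helper names; sample addresses are the ones shown on the slides.
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

def ipv4_compatible(v4: str) -> ipaddress.IPv6Address:
    """Automatic tunnel address: 96 zero bits followed by the IPv4 address."""
    return ipaddress.IPv6Address(int(ipaddress.IPv4Address(v4)))

def sixtofour_prefix(v4: str) -> ipaddress.IPv6Network:
    """Site prefix 2002:IPv4::/48 derived from the site's single IPv4 address."""
    base = (0x2002 << 112) | (int(ipaddress.IPv4Address(v4)) << 80)
    return ipaddress.IPv6Network((base, 48))

def embedded_ipv4(v6: str):
    """IPv4 address carried in an IPv4-compatible or 6to4 address, else None."""
    addr = ipaddress.IPv6Address(v6)
    if addr in SIX_TO_FOUR:
        return addr.sixtofour
    value = int(addr)
    if value >> 32 == 0 and value > 1:  # ::a.b.c.d, excluding :: and ::1
        return ipaddress.IPv4Address(value)
    return None

def outer_header(src_v6: str, dst_v6: str):
    """IPv4 (src, dst) an automatic tunnel derives from the inner IPv6 header."""
    src, dst = embedded_ipv4(src_v6), embedded_ipv4(dst_v6)
    if src is None or dst is None:
        raise ValueError("address carries no IPv4 tunnel end point")
    return str(src), str(dst)

def accept_decapsulated(outer_src_v4: str, inner_src_v6: str) -> bool:
    """Assumed receiver check: inner source must embed the outer IPv4 source."""
    inner = embedded_ipv4(inner_src_v6)
    return inner is not None and inner == ipaddress.IPv4Address(outer_src_v4)

if __name__ == "__main__":
    print(ipv4_compatible("137.37.17.53"))
    print(sixtofour_prefix("137.37.17.53"))
    print(outer_header("::137.37.17.53", "::138.38.10.54"))
    print(accept_decapsulated("138.38.10.54", "::137.37.17.53"))
```

IPv4-compatible addresses were later deprecated by RFC 4291, so the first helper is mainly useful when reading legacy configurations or captures.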

CONFIGURED IPv4 in IPv6 TUNNEL

Diagram labels: IPv4 clouds; IPv6 backbone

• End point = IPv4 address + IPv6 address
• Tunnel configuration
• IPv4 packet (IPv4 addresses)
• IPv6 encapsulation with end point addresses (IPv4 addresses, then IPv6 addresses)

IPv4/v6 MIGRATION CONFIGURATION (CTU)

Name the tunnel and define the IPv4 and IPv6 end point addresses

IPv6 MOBILITY

Diagram built up over six slides; labels introduced at each step:

• Home agent, Correspondent Node, Mobile (Home address)
• Mobile (Care-of address), Address binding
• IP in IP encapsulation
• Proxy
• Notification, Shortcut

IP SERVICE CONFIGURATION

• Several management levels for dynamic service configuration:

– Command Line Interface

– SNMP Agent

– NMS tool based on an SNMP platform integrating 6WIND configuration tools

• Open to other management frameworks

• Secure configuration through SSH

NMS TOOL

6WIND CONFIGURATION TOOLS

1) Click on a device, choose your menu


6WIND First set of Products

6200 series

PRODUCT FEATURES (HW)

• 2 products:

– 6WIND 6211:
   • Three Fast Ethernet: Private, Public, Optional
   • Able to deliver 20 Mbps of 3DES-encrypted traffic
   • 2000 tunnels and 2000 QoS flows

– 6WIND 6221:
   • Same as 6211 with an E1/T1 public interface

• Next:

– ATM interface

PRODUCT FEATURES (SW)

• QoS:
– EF, AF for IPv4 and IPv6

• Security:
– IPSEC, IKE, IP Filter for IPv4 and IPv6, X509 certificates

• IPv6 / IPv4:
– Both stacks
– 6to4, v6 into v4 tunnels (automatic and configured)
– RIP v6

• Management:
– SNMP agent with standard and IPv6 MIB
– CLI
– Management tool integrated in an SNMP framework

CONCLUSION

• 6WIND Edge Devices enable new service deployment:

– Better multi-media performance by implementing DiffServ

– Security by using IPSec and IKE

– Efficient management

– Nomadism of users by using Mobile IP (2nd release)

– Multicasting (3rd release)

Allowing v4 to v6 migration of networks and v4/v6 interoperability

• Questions?

– [email protected]

• Web sites

– www.6wind.com

– www.ipv6forum.com

– www.6init.org

– www.lip6.fr/airs

THE END