Three Challenges to the Internet
Xing Li, 2015-09-21
Outline
• Review
• Three challenges
• Open Internet
21 years ago
Routing
A Cisco router is required.
CERNET, 1994: X.25 backbone at 2.4K-9.6K, built on Cisco 4500 and 2500 routers, with 10 PoPs including Beijing, Shanghai, Nanjing, Wuhan, Guangzhou, Xi'an, Chengdu and Shenyang.
[Figure: CERNET topology growth in 1994, 1995, 1997, 2000, 2004 and 2014, showing backbone, regional, GigaPoP and PoP nodes spreading from those eight cities to a nationwide mesh that reaches Harbin, Urumqi, Lhasa, Kunming, Hangzhou, Shenzhen, Taipei and dozens of other cities.]
CERNET backbone
CERNET backbone link speed by year:

Year   Link speed
1994   2.4K X.25
1995   64K DDN
1997   4M SCPC
2000   155M SDH
2002   2.5G DWDM
2004   2.5G/5G DWDM
2005   2.5G/5G/10G DWDM
2007   2.5G/10G/20G DWDM
2014   10G/100G DWDM

Ratio = 40 million (2.4K in 1994 to 100G in 2014)
CIDR ranking
University ranking
CNGI-CERNET2: IPv6-only backbone
[Figure: core nodes BJ, SH and GZ; milestone years 1997, 2003, 2006]
Global connectivity
2008 Beijing Olympics
IPv6 innovation
• SAVI
• 4over6
• IVI/MAP
Internet population
World Internet population
Top 10s
2025 prediction
Address demand
Bandwidth demand
Governance demand
Application demand
Human resource demand
[Figure: globalization, distributed science, education costs, lifelong learning, changing competitive landscape, risk management]
Internet of ……
Outline
• Review
• Three challenges
• Open Internet
Three challenges
• Net-neutrality – traffic optimization for business
• Protocol ossification – NAT and slow deployment of IPv6
• Internet fragmentation – pervasive surveillance and national firewalls
Net-neutrality
[Figure: OTT customer demand, data traffic and data ARPU over time]
Different traffics
• Research – elephant flows
• Enterprise flow – mice flows
• Student and staff – ant flows
Economics
[Figure: price versus users under a flat rate, showing the lost revenue opportunity between a best-effort public Internet service enabled end-to-end and multiple service offers enabled by policy-enforced QoS]
Fundamental features
• Bandwidth is a scarce resource.
• 20% of the users consume more than 80% of the bandwidth.
• The user's session arrival process is Poisson.
Missing links
• No distinction among users – flat rate charging model
• No well-defined bandwidth reservation – best effort
• No network admission control – best effort
Switching technologies
[Figure: connection-oriented technologies (circuit switching, virtual circuit switching) versus connectionless (IP packet switching), with address switching placed between them]
Address-switching concept
[Figure: (a) power law, 80% of users generate 20% of the traffic and 20% of users generate 80%; (b) ordinary (non-VIP) users receive non-VIP service and heavy (VIP) users receive VIP service through address switching]
Building blocks
[Figure (a)-(f): end systems, softswitch, admission control, gateway, own AS and other AS]
Switching
Example
Remarks
• Concept
– Non-VIP: best effort
– VIP: VIP address with bandwidth reservation and admission control
• Solutions
– Routing (BGP reflector)
– Tunneling
– Translation (NAT, etc.)
– SDN (OpenFlow)
Protocol ossification
• Addresses – IPv4 depletion; IPv6 one-time shopping
• DNS – applications are not sensitive to DNS
• Protocol – only TCP 80/443 are universally available
Network architecture
[Figure: circuit switching (ISDN), virtual circuit switching (X.25, FR, ATM) and datagram packet switching (IP: IPv4, IPv6; non-IP: OSI, DECNET, AppleTalk, IPX, SNA, FN, FI), with SDN and the surviving TCP 80/443 layer on top]
CERNET IPv6 experience
• 1994: CERNET, IPv4 (2000 universities, 20M users)
• 1998: CERNET-6Bone, IPv6 over IPv4
• 2000: NFSCNET, dual stack
• 2004: CERNET2, IPv6 only (200 universities, 2M users)
• 2005: translation, IVI (IETF Behave WG)
• 2007: IPv4 over IPv6 (IETF Softwire WG)
• 2011: double translation (IETF Softwire WG)
• 2014: unification (IETF Softwire WG, IETF v6ops WG)
Stateless translation (IVI)
[Figure: an IVI translator between IPv4 and IPv6; real IPv4 hosts appear as mirrored IPv6 hosts through one subset of IPv6 addresses, and real IPv6 hosts inside another subset of IPv6 addresses appear as mirrored IPv4 hosts]
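The mirroring in the figure is the RFC 6052 address mapping: an IPv4 address is embedded in a fixed position inside an IPv6 prefix, so the translator needs no per-flow state. The following is an added worked example, not code from the talk, from CERNET or from the IETF; it implements the embedding and extraction for every prefix length RFC 6052 allows, plus the admission check a translator makes before mapping an IPv6 destination back to IPv4. The prefixes and the address 192.0.2.33 are RFC 6052's own documentation values, constructed here for illustration.

```python
"""RFC 6052 IPv4-embedded IPv6 addresses, the address format IVI, MAP-T and
NAT64 translators share.

Added worked example; it is not code from the talk, from CERNET or from the
IETF.  The prefixes and the IPv4 address 192.0.2.33 are RFC 6052's
documentation values, constructed for illustration.
"""
import ipaddress
from typing import Optional

WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
ALLOWED_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def embed(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Return the IPv4-embedded IPv6 address (RFC 6052 section 2.2).

    Layout: the prefix bytes, then the four IPv4 bytes, then a zero suffix,
    except that byte 8 (bits 64-71, the "u" octet) is always zero, so for
    prefixes shorter than /64 the IPv4 bytes straddle it.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen not in ALLOWED_PREFIX_LENGTHS:
        raise ValueError(f"RFC 6052 allows {ALLOWED_PREFIX_LENGTHS}, not /{net.prefixlen}")
    head = net.prefixlen // 8
    out = bytearray(net.network_address.packed[:head])
    v4 = iter(ipaddress.IPv4Address(ipv4).packed)
    for pos in range(head, 16):
        out.append(0 if pos == 8 else next(v4, 0))
    return ipaddress.IPv6Address(bytes(out))


def extract(prefix: str, ipv6: str) -> Optional[ipaddress.IPv4Address]:
    """Inverse of embed.

    Returns None when the address is outside the prefix, when the u octet is
    non-zero (it MUST be zero) or when the suffix is non-zero (it SHOULD be
    zero; rejecting such an address is the conservative translator choice).
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    addr = ipaddress.IPv6Address(ipv6)
    if net.prefixlen not in ALLOWED_PREFIX_LENGTHS or addr not in net:
        return None
    raw = addr.packed
    v4 = bytearray()
    for pos in range(net.prefixlen // 8, 16):
        if pos == 8:
            if raw[pos] != 0:
                return None
        elif len(v4) < 4:
            v4.append(raw[pos])
        elif raw[pos] != 0:
            return None
    return ipaddress.IPv4Address(bytes(v4))


def translator_accepts(prefix: str, ipv6: str) -> bool:
    """Admission check before a stateless translator maps an IPv6 destination
    back to IPv4: the embedding must be well formed, and under the Well-Known
    Prefix the embedded IPv4 address must be global (RFC 6052 section 3.1),
    so 64:ff9b:: never becomes a path into private IPv4 space behind the
    translator.  For an operator-assigned prefix (the IVI case) that policy
    is the operator's to set, so no extra rule is applied here.
    """
    v4 = extract(prefix, ipv6)
    if v4 is None:
        return False
    if ipaddress.IPv6Network(prefix, strict=False) == WELL_KNOWN_PREFIX:
        return v4.is_global
    return True


if __name__ == "__main__":
    for plen in ALLOWED_PREFIX_LENGTHS:
        pfx = f"2001:db8:122:344::/{plen}"
        mirrored = embed(pfx, "192.0.2.33")
        print(f"{pfx:>24}  {str(mirrored):<32} -> {extract(pfx, str(mirrored))}")
    for dst in ("64:ff9b::a00:1", "64:ff9b::101:101"):
        verdict = "accepted" if translator_accepts("64:ff9b::/96", dst) else "rejected"
        print(f"{dst:<20} {verdict}")
```

The u-octet check matters in practice: an address with a non-zero byte 8 is not a valid embedding, and a translator that silently ignores the octet lets two different IPv6 addresses map to the same IPv4 host, which defeats the one-to-one mirroring the figure relies on.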
IETF transition
• Translation path: IVI → dIVI → dIVI-PD → MAP-T (RFC6052, RFC6145, RFC6791; RFC7040; RFC7599)
• MAP: DHCP (RFC7598), MAP-T (RFC7599), MAP-E (RFC7597)
• 464XLAT (RFC6877), DS-Lite (RFC6333), NAT64 (RFC6146)
Stateless translation
1. RFC6052, IPv6 Addressing of IPv4/IPv6 Translators, https://datatracker.ietf.org/doc/rfc6052/, 2010-10
2. RFC6144, Framework for IPv4/IPv6 Translation, https://datatracker.ietf.org/doc/rfc6144/, 2011-04
3. RFC6145, IP/ICMP Translation Algorithm, https://datatracker.ietf.org/doc/rfc6145/, 2011-04
4. RFC6219, The China Education and Research Network (CERNET) IVI Translation Design and Deployment for the IPv4/IPv6 Coexistence and Transition, https://datatracker.ietf.org/doc/rfc6219/, 2011-05
5. RFC6791, Stateless Source Address Mapping for ICMPv6 Packets, https://datatracker.ietf.org/doc/rfc6791/, 2012-11
6. RFC7597, Mapping of Address and Port with Encapsulation (MAP-E), https://datatracker.ietf.org/doc/rfc7597/, 2015-07
7. RFC7598, DHCPv6 Options for Configuration of Softwire Address and Port-Mapped Clients, https://datatracker.ietf.org/doc/rfc7598/, 2015-07
8. RFC7599, Mapping of Address and Port using Translation (MAP-T), https://datatracker.ietf.org/doc/rfc7599/, 2015-07
Comparisons

                     Stateless            Stateful
Translation          IVI (RFC6145)        NAT64 (RFC6146, RFC6145)
Double translation   MAP-T                464XLAT
Tunneling            MAP-E (RFC2473)      DS-Lite
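What makes MAP-T and MAP-E stateless, where 464XLAT and DS-Lite keep per-flow NAT state, is that each customer's shared IPv4 address and port set are computed from its IPv6 prefix. The following is an added worked example, not code from the talk or from the IETF: it derives a CE's IPv4 address and PSID from its prefix (RFC 7597 section 5.2), enumerates the port set (section 5.1), and implements the border-relay ingress check that stops one customer from sending with another customer's ports on the same shared address. The mapping rule and CE prefix are the documentation values from RFC 7597 appendix A, constructed here for illustration; the default PSID offset of 6 is the RFC's.

```python
"""MAP (RFC 7597) address-plus-port mapping: a CE's shared IPv4 address and
PSID from its IPv6 prefix, its port set, and the border-relay check that
keeps one CE from using another CE's ports.

Added worked example; it is not code from the talk or from the IETF.  The
mapping rule and CE prefix are the documentation values from RFC 7597
appendix A, constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple


@dataclass(frozen=True)
class MapRule:
    rule_ipv6_prefix: str   # e.g. "2001:db8::/40"
    rule_ipv4_prefix: str   # e.g. "192.0.2.0/24"
    ea_bits: int            # embedded-address bits following the rule IPv6 prefix
    psid_offset: int = 6    # "a": with a=6 the well-known ports 0-1023 are excluded


def ce_mapping(rule: MapRule, ce_prefix: str) -> Tuple[str, int, int]:
    """RFC 7597 section 5.2: EA bits = IPv4 suffix || PSID.

    Returns (ipv4 address, psid, psid_bits) for the CE holding ce_prefix.
    """
    r6 = ipaddress.IPv6Network(rule.rule_ipv6_prefix, strict=False)
    r4 = ipaddress.IPv4Network(rule.rule_ipv4_prefix)
    ce = ipaddress.IPv6Network(ce_prefix, strict=False)
    if not ce.subnet_of(r6) or ce.prefixlen < r6.prefixlen + rule.ea_bits:
        raise ValueError("CE prefix does not match the rule")
    shift = 128 - (r6.prefixlen + rule.ea_bits)
    ea = (int(ce.network_address) >> shift) & ((1 << rule.ea_bits) - 1)
    v4_suffix_bits = 32 - r4.prefixlen
    psid_bits = rule.ea_bits - v4_suffix_bits
    ipv4 = int(r4.network_address) | (ea >> psid_bits)
    psid = ea & ((1 << psid_bits) - 1)
    return str(ipaddress.IPv4Address(ipv4)), psid, psid_bits


def port_set(psid: int, psid_bits: int, psid_offset: int = 6) -> Iterator[int]:
    """RFC 7597 section 5.1: port = A << (16 - a) | PSID << m | M,
    with a + k + m = 16, A >= 1 when a > 0 (skipping the excluded low ports)
    and M running over all 2^m contiguous values."""
    m = 16 - psid_offset - psid_bits
    if m < 0 or not 0 <= psid < (1 << psid_bits):
        raise ValueError("bad PSID or bit split")
    for a in range(1 if psid_offset > 0 else 0, 1 << psid_offset):
        base = (a << (16 - psid_offset)) | (psid << m)
        for mval in range(1 << m):
            yield base | mval


def psid_of_port(port: int, psid_bits: int, psid_offset: int = 6) -> Optional[int]:
    """PSID that owns a port, or None for the excluded range (A == 0)."""
    if psid_offset > 0 and port >> (16 - psid_offset) == 0:
        return None
    m = 16 - psid_offset - psid_bits
    return (port >> m) & ((1 << psid_bits) - 1)


def br_accepts(rule: MapRule, ce_prefix: str, src_ipv4: str, src_port: int) -> bool:
    """Border-relay ingress check (RFC 7597 section 8): the IPv4 source
    address and port of traffic arriving from a CE must be the ones its IPv6
    prefix maps to.  Without it a CE could spoof ports belonging to another
    CE on the same shared IPv4 address, and abuse would be attributed to
    the wrong subscriber."""
    ipv4, psid, psid_bits = ce_mapping(rule, ce_prefix)
    return src_ipv4 == ipv4 and psid_of_port(src_port, psid_bits, rule.psid_offset) == psid


if __name__ == "__main__":
    rule = MapRule("2001:db8::/40", "192.0.2.0/24", ea_bits=16)
    ce = "2001:db8:12:3400::/56"
    ipv4, psid, k = ce_mapping(rule, ce)
    ports = list(port_set(psid, k))
    print(f"{ce} -> {ipv4}, PSID 0x{psid:02x}, {len(ports)} ports, "
          f"first {ports[:4]}, last {ports[-4:]}")
    for port in (1232, 1236, 80):
        print(f"source port {port}: {'accepted' if br_accepts(rule, ce, ipv4, port) else 'dropped'}")
```

With the appendix A rule the CE at 2001:db8:12:3400::/56 gets 192.0.2.18 and PSID 0x34, which owns ports 1232-1235, 2256-2259, ... , 64720-64723; port 1236 belongs to PSID 0x35, a different subscriber, so the relay drops it. The same functions give the MAP-E and MAP-T result, since only the transport (encapsulation versus translation) differs.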
dIVI deployment
Remarks
• SaaS
• PaaS
• IaaS
• 4aaS
[Figure: IPv6 layers connected through IVI translators]
Internet fragmentation
• Snowden – encryption, control points
• IANA transition – governance
• Trust anchor – game theory
Snowden
• IETF87
• IETF88
• Encryption without authentication
Five hums
• The IETF is willing to respond to the pervasive surveillance attack?
– Overwhelming YES. Silence for NO.
• Pervasive surveillance is an attack, and the IETF needs to adjust our threat model to consider it when developing standards track specifications.
– Very strong YES. Silence for NO.
• The IETF should include encryption, even outside authentication, where practical.
– Strong YES. Silence for NO.
• The IETF should strive for end-to-end encryption, even when there are middleboxes in the path.
– Mixed response, but more YES than NO.
• Many insecure protocols are used in the Internet today, and the IETF should create a secure alternative for the popular ones.
– Mostly YES, but some NO.
Hardening The Internet
IAB Statement
• Encryption should be authenticated where possible, but even protocols providing confidentiality without authentication are useful in the face of pervasive surveillance as described in RFC 7258.
• We similarly encourage network and service operators to deploy encryption where it is not yet deployed, and we urge firewall policy administrators to permit encrypted traffic.
Control points
IANA transition
NTIA (ICANN SG meeting)
• US government's role in IANA is purely clerical
• 4 key principles – and that's it
– Support and enhance the multistakeholder model
– Maintain the security, stability, and resiliency of the Internet DNS
– Meet the needs and expectation of the global customers and partners of the IANA services, and
– Maintain the openness of the Internet
• Governments are only one stakeholder and cannot be in charge
• Answer to the transition lies in IANA's 'customers'
• US domestic politics is a factor
• The bigger picture is developing countries and the multistakeholder process
• ICANN accountability is something for the community to figure out
Comparison
USG
• Support and enhance the multistakeholder model
• Maintain the security, stability, and resiliency of the Internet DNS
• Meet the needs and expectation of the global customers and partners of the IANA services, and
• Maintain the openness of the Internet
CNG
• Equality and openness
• Multilateral
• Security and trust
• Cooperation for a win-win game
Trust anchor
• Domain name – root server, DNSSEC
• Address – RPKI
• Protocol parameters – standards, security protocols (authentication)
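The address trust anchor is only useful if routers act on it, and what they act on is route origin validation. The following is an added worked example, not code from the talk, from any RIR or from a router vendor: it implements the RFC 6811 Valid/Invalid/NotFound decision over a constructed ROA set and shows the usual drop-Invalid policy. The ROAs and announcements use documentation prefixes (RFC 5737, RFC 3849) and private-use AS numbers (RFC 6996), constructed here for illustration.

```python
"""RPKI route origin validation (RFC 6811): what a router does with the
"address" trust anchor.

Added worked example; it is not code from the talk, from any RIR or from a
router vendor.  The ROAs and announcements are constructed from
documentation prefixes (RFC 5737, RFC 3849) and private-use AS numbers
(RFC 6996).
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ROA:
    prefix: str      # authorised prefix
    max_length: int  # longest prefix length the origin may announce
    asn: int         # authorised origin AS; 0 means nobody may originate this


def validate(route_prefix: str, origin_asn: int, roas: List[ROA]) -> str:
    """RFC 6811 section 2: Valid, Invalid or NotFound for one announcement."""
    route = ipaddress.ip_network(route_prefix)
    covering = []
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix)
        if net.version == route.version and route.subnet_of(net):
            covering.append(roa)
    if not covering:
        return "NotFound"   # no ROA says anything about this space
    for roa in covering:
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"        # covered, but wrong origin or more specific than allowed


def accept(route_prefix: str, origin_asn: int, roas: List[ROA]) -> bool:
    """The common deployment policy: drop Invalid, keep Valid and NotFound.
    NotFound has to stay accepted while much of the table has no ROA, which
    is why ROA coverage, not just validation, decides how much the anchor
    actually protects."""
    return validate(route_prefix, origin_asn, roas) != "Invalid"


# Constructed ROA set, in the form a validator cache hands to a router.
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),      # tight: only the /24 itself
    ROA("198.51.100.0/24", 26, 64497),   # loose: /25 and /26 also authorised
    ROA("203.0.113.0/24", 24, 0),        # AS0: nobody may originate this
    ROA("2001:db8::/32", 48, 64496),
]

if __name__ == "__main__":
    cases = [
        ("192.0.2.0/24", 64496),        # Valid
        ("192.0.2.0/25", 64496),        # Invalid: longer than maxLength
        ("192.0.2.0/24", 64511),        # Invalid: wrong origin (hijack)
        ("198.51.100.128/26", 64497),   # Valid
        ("198.51.100.128/27", 64497),   # Invalid
        ("203.0.113.0/24", 64496),      # Invalid: AS0 ROA
        ("100.64.0.0/10", 64496),       # NotFound
        ("2001:db8:1::/48", 64496),     # Valid
    ]
    for prefix, asn in cases:
        state = validate(prefix, asn, ROAS)
        print(f"{prefix:>20} AS{asn}: {state:<8} {'accept' if accept(prefix, asn, ROAS) else 'drop'}")
```

Two caveats a practitioner would want. The loose ROA for 198.51.100.0/24 shows the maxLength trade-off: because a /26 is authorised, an attacker who announces 198.51.100.0/26 with a forged origin of AS64497 validates as Valid and wins on prefix length, so ROAs should be as tight as the holder's actual announcements. And the AS0 ROA shows the registry-side lever: whoever controls the ROA data can render a prefix unroutable, which is the "control points" and "game theory" concern behind the trust-anchor bullet.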
A closed survey
• Multistakeholder model
• Security, stability, and resiliency
• Meet the global customer needs
• Keep openness
• Government should lead
• Enhance the national control
• Support the current DNS model
• Support mDNS
• Support DNSSEC
• Support unique DNS root
• Support national IPv6 aggregation
• Support RPKI
• Support encrypt everything
Comparisons
• Differences
– Government should lead: 27% (high)
– Enhance the national control: 72% (high)
– Support unique DNS root: 49% (low)
– Support encrypt everything: 36% (low)
The worst case scenario
• We end up with some or all of
– Competing DNS roots (the most likely new possibility)
– National regulations about traffic going in and out of the country and how internal ISPs can connect (we already have some of that)
– National (or ITU-based) allocation of addresses (both IPv4 and IPv6) that simply ignore the RIRs and global routing architecture, so that we end up with addresses in some countries ignoring the ICANN/RIR allocations
– Multiple organizations claiming to perform the IANA function, with competing and diverging copies of registries (even protocol registries)
Remarks
• Classifications
– Legal fragmentation
– Data localization and related issues
– Territorial routing and related issues
– Proprietary protocols
– Restriction on digital flows
– Walled garden
– Security
– Localization (IDN, content)
– IPv6
Outline
• Review
• Three challenges
• Open Internet
Architecture
Protocol
Interoperate
Open Internet
• Open protocol
• Open implementation
• Open system
• Open process
Three generations
• Telephone
• Router
• Programmer
Huawei vs Tencent
Permissionless innovation
• No one is "in charge" of the Internet. Instead, many people cooperate to make it work.
• Each person brings a unique perspective of the Internet. We believe a strong focus on enabling the broadly based dialogue is necessary, and that the "permissionless innovation" given as the goal of this effort is better served by first enabling infrastructure (web site, collection and a set of tools). Further efforts may emerge later, and those may require additional structure.
Human network (US)
Human network (CN)
1. 张朝阳 (Zhang Chaoyang), Tsinghua-MIT, Sohu
2. 王小川 (Wang Xiaochuan), Tsinghua, Sogou
3. 史立荣 (Shi Lirong), Tsinghua, ZTE
4. 李彦宏 (Li Yanhong), PKU-Buffalo, Baidu
5. 俞敏洪 (Yu Minhong), PKU, New Oriental
6. 杨元庆 (Yang Yuanqing), SJTU, Lenovo
7. 周鸿祎 (Zhou Hongyi), XJTU, Qihoo 360
8. 陈天桥 (Chen Tianqiao), Fudan, Shanda
9. 曹国伟 (Cao Guowei), Fudan, Sina
10. 丁磊 (Ding Lei), UESTC, Netease
11. 雷军 (Lei Jun), Wuhan Univ., Xiaomi (Millet)
12. 柳传志 (Liu Chuanzhi), Xidian Univ., Lenovo
13. 刘强东 (Liu Qiangdong), People's Univ., Jingdong (JD.com)
14. 马化腾 (Ma Huateng), Shenzhen Univ., Tencent
15. 马云 (Ma Yun), Hangzhou Normal U., Alibaba
16. 任正非 (Ren Zhengfei), Chongqing Construction Inst., Huawei
17. 古永锵 (Gu Yongqiang), New South Wales, Youku
Global academic network
• High performance, dynamic network to provide open VIP services via distributed management
• IPv6 and new applications
• Non-fragmented academic Internet
• Permissionless innovation