deployment in Forthnet

Similar documents
TR-296 IPv6 Transition Mechanisms Test Plan

Anastasios Chatzithomaoglou IP Engineering Forthnet

Real World IPv6 Migration Solutions. Asoka De Saram Sr. Director of Systems Engineering, A10 Networks

Challenges in NetFlow based Event Logging

TR-242 IPv6 Transition Mechanisms for Broadband Networks Issue: 2 Issue Date: February 2015

CPE requirements and IPv6. Ole Trøan, February 2010

IPv4 and IPv6 Integration. Formation IPv6 Workshop Location, Date

IPv6 TRANSITION TECHNOLOGIES

IPv6 Transition Work in the IETF

WHITE PAPER. Best Practices for Deploying IPv6 over Broadband Access

Carrier Grade NAT. Requirements and Challenges in the Real World. Amir Tabdili Cypress Consulting

Reverse DNS considerations for IPv6

MINIMUM NETWORK REQUIREMENTS 1. REQUIREMENTS SUMMARY... 1

TR-187 IPv6 for PPP Broadband Access

Security implications of the Internet transition to IPv6

Developing an IPv6 Addressing Plan Guidelines, Rules, Best Practice

EXPEDITING ACCESS TO V6 SERVICES: GETTING WEB CONTENT AVAILABLE OVER IPV6 QUICKLY AND AT LOW COST

LifeSize Transit Deployment Guide June 2011

About Firewall Protection

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

UIP1868P User Interface Guide

IPv6-only hosts in a dual stack environnment

Technical White Paper

Securing the Transition Mechanisms

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Chapter 3 Security and Firewall Protection

IPv4/IPv6 Transition Mechanisms. Luka Koršič, Matjaž Straus Istenič

IPv6 Tunnels through Routers with NAT 1.6. Consulintel

Netgear TA612VMNF & TA612VLD Netgear WGR613VAL. Quality of Service (QOS) function

Residential IPv6 IPv6 a t at S wisscom Swisscom a, n an overview overview Martin Gysi

NAT Tutorial. Dan Wing, IETF78, Maastricht July 25, 2010

A Model of Customer Premises Equipment for Internet Protocol Version 6

How To Load balance traffic of Mail server hosted in the Internal network and redirect traffic over preferred Interface

Multi-Homing Security Gateway

Applicability of the Tunnel Setup Protocol (TSP) for the Hubs and Spokes Problem draft-blanchet-v6ops-tunnelbroker-tsp-03.txt

ProCurve Networking IPv6 The Next Generation of Networking

Securing Networks with PIX and ASA

Application Note Startup Tool - Getting Started Guide

IP Gateways. Gdansk University of Technology Mariusz Stankiewicz 24th March 2011

Next Generation IPv6 Network Security a Practical Approach Is Your Firewall Ready for Voice over IPv6?

CIRA s experience in deploying IPv6

464XLAT: Breaking Free of IPv4. T-Mobile.com NANOG 61 June 2014

IPv6 Security from point of view firewalls

Review: Lecture 1 - Internet History

1:1 NAT in ZeroShell. Requirements. Overview. Network Setup

Network Address Translation (NAT)

Configuring an Etherspeak SIP Trunk in Microsoft Lync 2013

SAN/iQ Remote Copy Networking Requirements OPEN iscsi SANs 1

Transition to IPv6 in Service Providers

DSL-G604T Install Guides

Internet Engineering Task Force (IETF) Category: Best Current Practice ISSN: Facebook, Inc. S. Sheppard ATT Labs June 2011

DNSSEC Support in SOHO CPE. OARC Workshop Ottawa 24 th September 2008

This presentation discusses the new support for the session initiation protocol in WebSphere Application Server V6.1.

IPv6 for AT&T Broadband

Basic IPv6 WAN and LAN Configuration

Firewall Defaults and Some Basic Rules

SIP Trunking Manual Technical Support Web Site: (registration is required)

TECHNICAL WHITEPAPER. Author: Tom Kistner, Chief Software Architect. Table of Contents

ewon-vpn - User Guide Virtual Private Network by ewons

Transition to IPv6 for Managed Service Providers: Meet Customer Requirements for IP Addressing

Vulnerabili3es and A7acks

Deploying IPv6 at Scale As an ISP. Clinton Work Member of the TELUS team October 2015

Network Address Translation (NAT) Good Practice Guideline

GregSowell.com. Mikrotik Basics

Broadband Phone Gateway BPG510 Technical Users Guide

An Architecture View of Softbank

F-Secure Messaging Security Gateway. Deployment Guide

Deployment of IPv6 protocol in broadband networks. Dmitry Sakharchuk

ICS 351: Today's plan. IP addresses Network Address Translation Dynamic Host Configuration Protocol Small Office / Home Office configuration

Enabling NAT and Routing in DGW v2.0 June 6, 2012

Network Terminology Review

Guideline for setting up a functional VPN

IPv6 Potential Routing Table Size

Cisco TelePresence Server 7010 and MSE 8710 in Remotely Managed Mode Printable Online Help (4.1

France Telecom s IPv6 Strategy. Christian JACQUENET

Com.X Router/Firewall Module. Use Cases. White Paper. Version 1.0, 21 May Far South Networks

Microsoft Office Web Apps Server 2013 Integration with SharePoint 2013 Setting up Load Balanced Office Web Apps Farm with SSL (HTTPS)

ReadyNAS Remote White Paper. NETGEAR May 2010

IPv6, Perspective from small to medium ISP

NAT Configuration. Contents. 1 NAT Configuration. 1.1 NAT Overview NAT Configuration

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

DEPLOYMENT GUIDE Version 1.4. Configuring IP Address Sharing in a Large Scale Network: DNS64/NAT64

Mobile IP. Bheemarjuna Reddy Tamma IIT Hyderabad. Source: Slides of Charlie Perkins and Geert Heijenk on Mobile IP

Whitepaper IPv6. OpenScape UC Suite IPv6 Transition Strategy

BroadCloud PBX Customer Minimum Requirements

Industry Automation White Paper Januar 2013 IPv6 in automation technology

464XLAT in mobile networks

Application Note. SIP Domain Management

2015 Spring Technical Forum Proceedings

Challenges and Opportunities in Deploying IPv6 Applications

INTRODUCTION TO FIREWALL SECURITY

CGN Deployment with MPLS/VPNs

Juniper Networks and IPv6. Tim LeMaster Ipv6.juniper.net

HP LeftHand SAN Solutions

To Configure Network Connect, We need to follow the steps below:

V310 Support Note Version 1.0 November, 2011

IPv6 Market Drivers and IPv6

Configuring High Availability for Embedded NGX Gateways in SmartCenter

Firewall Firewall August, 2003

NAT (Network Address Translation)

Transcription:

Forthnet & IPv6 deployment in Forthnet RIPE 65 (Amsterdam) Anastasios Chatzithomaoglou achatz@forthnetgroup.gr IP Engineering 26-Sep-2012

Forthnet & IPv6 Agenda Intro-addiction Why, When and Where Experience and Experiments Nanobots Game Consoles

Mandatory IPv6 Support Required for All IP-Capable Nodes Given the global lack of available IPv4 space, and limitations in IPv4 extension and transition technologies, this document advises that IPv6 support is no longer considered optional. It also cautions that there are places in existing IETF documents where the term "IP" is used in a way that could be misunderstood by implementers as the term "IP" becomes a generic which can mean IPv4 + IPv6, IPv6-only, or IPv4-only, depending on context and application. New IP implementations must support IPv6. Updates to current IP implementations should support IPv6. IPv6 support must be equivalent or better in quality and functionality when compared to IPv4 support in a new or updated IP implementation. New and updated IP networking implementations should support IPv4 and IPv6 coexistence (dual-stack), but must not require IPv4 for proper and complete function. Implementers are encouraged to update existing hardware and software to enable IPv6 wherever technically feasible. RFC 6540 (BCP, Apr 2012)

Numbers Some interesting (or not) numbers General: Largest alternative fixed broadband provider in Greece ~500k Internet subscribers (Forthnet) & ~400k PayTV subscribers (Nova) IPv6 related (current): ~100 Dual-Stack active pilot- subscribers (60% bridging, 40% CPE) ~2k Dual-Stack active subscribers (95% bridging, 5% CPE) ~5k Dual-Stack ready subscribers (100% CPE, to be activated in Nov 2012) ~140k Dual-Stack capable subscribers (100% CPE, to be activated after firmware upgrade) IPv6 related (future): ~30k Dual-Stack active subscribers until 21st Dec 2012 ~150k Dual-Stack active subscribers until end of 2013 (Maya permitting) Rules: Since 2011 every new CPE provided to customers MUST support* Dual-Stack Since 2012 every new CPE provided to customers MUST support* Dual-Stack, DS-Lite From 2013 every new CPE provided to customers MUST support* Dual-Stack, DS-Lite, PCP * with or without firmware upgrade

Why Why IPv6 in Forthnet Business Continuity How well would our business run if we could only talk to only a part of our customers? What would we do if we could no longer obtain a crucial part in our business sector? What if customers want IPv6 and we can only supply IPv4? What if we can t support customer growth due to IPv4 exhaustion? Technological Imperative Internet is evolving, do we really want to ignore our main business? How are we going to serve all these mobile/home devices in the future? Global Competitiveness All major carriers are already deploying it, why stay behind? Government Requirement What will happen if IPv6 becomes a national IT strategy? What about EU initiatives? IPv6 Project was officially initiated by Technical Division and as such it met many difficulties until endorsed by all other Divisions

When Jun 2010 IPv6 network from RIPE 6 Jun 2012 World IPv6 Launch 2008-2009 IPv6 experimentations (2001:DB8::/32) 2010 IPv6 project initiated (2a02:2148::/32) IPv6 tests 2011 Dual-Stack IPv6 pilot 2012 H1 IPv6 in BRAS DS-Lite tests 2012 H2 (2a02:2148::/29) IPv6 in BRAS IPv6 CPEs DS-Lite pilot 2013 PCP tests DS-Lite subscribers 2014? May 2011 Appearance on IPv6 Internet 08 Jun 2011 World IPv6 Day

(every)where Various pilots running CORE Ready Running IT Alert

Experience Experience until now RIPE IPv6 Training Courses Hellenic IPv6 Task Force Meetings/Workshops Internal IPv6 Trainings Vendor IPv6 Workshops World IPv6 Day/Launch IETF WGs Educate - Participate IPv6 Tests on various network devices IPv6 Web & DNS tests IPv6 Pilot for Residential Customers IPv6 Pilot for Business Customers Explore - Activate

Major Issues

W6D World IPv6 Day (8-Jun-2011) Forthnet Actions Live IPv6 streaming through WebTV (webtv.ipv6.forthnet.gr) Web site with IPv6 information (ipv6.forthnet.gr) Web site with IPv6 test (test-ipv6.forthnet.gr) IPv6 pilot for Residential Customers (@ipv6forthnet.gr)

08/06/2011 15:00 08/06/2011 20:00 09/06/2011 01:00 09/06/2011 06:00 09/06/2011 11:00 09/06/2011 16:00 09/06/2011 21:00 10/06/2011 02:00 10/06/2011 07:00 10/06/2011 12:00 10/06/2011 17:00 10/06/2011 22:00 11/06/2011 03:00 11/06/2011 08:00 11/06/2011 13:00 11/06/2011 18:00 11/06/2011 23:00 12/06/2011 04:00 12/06/2011 09:00 12/06/2011 14:00 12/06/2011 19:00 13/06/2011 00:00 13/06/2011 05:00 13/06/2011 10:00 13/06/2011 15:00 13/06/2011 20:00 14/06/2011 01:00 14/06/2011 06:00 14/06/2011 11:00 Pilot Users 140 120 100 ~1/5 of pilot users had actually managed to activate IPv6 after 1 week 80 60 40 20 Total Dual-Stack 0

W6L 2 days after W6L After enabling dual-stack in some of our production BRAS we started seeing major IPv6 traffic increase Many users had already IPv6 enabled in their desktops/cpes

IPv4/IPv6 Ratio (17) 100000000 10000000 1000000 100000 IPv4/IPv6 Input &Output Bytes Ratio Bytes Ratio sample of ~420 dual-stack subscribers (1d Jul 2012) 10000 1000 100 10 INPUT RATIO OUTPUT RATIO 1 0.1 0.01 0.001 0 50 100 150 200 250 300 350 400 Subscribers 36%/28% of dual-stack subscribers download/upload more IPv6 than IPv4 Largest download and/or upload ratio was 99,8% IPv6 and 0,2% IPv4 Highest IPv6 download/upload of a single subscriber was 12/1,3 GB Highest IPv4 download/upload of a single subscriber was 49/27 GB IPv6 traffic is still small compared to IPv4 IPv6 upload is even smaller

Addressing Plan /29 Forthnet 1 x /40 4 x (32 x /40) 12 x (16 x /40) 16 x (8 x /40) n x /40 Infrastructure Level-1 POPs Level-2 POPs Level-3 POPs Reserved 1 x /48 Loopbacks 16 x /40 Business Customers 8 x /40 Business Customers 4 x /40 Business Customers 127 x /48 Internal Networks 16 x /40 Residential Customers 8 x /40 Residential Customers 4 x /40 Residential Customers 128 x /48 Public Networks readdressing is underway Numbers show sizing, not aggregation

Customer Addresses Allocation N x /40 Business Customers N x /40 Residential Customers 1 x /48 1 x /56 (?) 1 x /64 WAN 1 x /56 LAN 1 x /64 WAN 1 x /56 LAN Enterprise SOHO Dynamic (long-lived) Static (permanent) from 1 hour to 1 month (user selectable)

Prefix Allocation/Assignment IPv6 Prefix Allocation/Assignment Issues: Keep the same IPv6 prefix per subscriber for as long as possible (=> static is preferred) De-aggregation of IPv6 routing table on BRAS (=> dynamic is preferred) Conflicts: Marketing doesn t like the static scenario Some subscribers do not like the static scenario (i.e. free downloading from file-hosting sites) Most technical people do not like the dynamic scenario Facts: According to our current BRAS clustering design, each subscriber might log in to a different bras on each try No DHCPv6 server available, everything must be done with current infrastructure At the time of authentication, radius server doesn t know if the subscriber is IPv6 enabled Solution: Give everyone what he wants kind of. Warning: Please do not try this at home!

Prefix Allocation/Assignment IPv6 Prefix Allocation/Assignment Our solution: IPv6 prefixes are stored on radius/db using categories per BRAS id (i.e. nas-ip-address) A unique IPv6 prefix is reserved for X time for each subscriber, the 1 st time the subscriber logs in to a BRAS As long as the X time hasn t expired, the subscriber will get the same IPv6 prefix regardless of the BRAS he might log in to (during that X time) After the X time expires, the subscriber will get a new IPv6 prefix the next time he logs in to a BRAS (the same logic will apply to the new prefix and so on) Let the subscriber define the X time, current default is 1 week Technical details/issues: Create the appropriate procedures and tables in Sybase for assignment of IPv6 prefixes Create the appropriate code in Radius (Radiator) for handling the allocation/assignment Create a web interface to have the subscriber choose how often to change the IPv6 prefix (always, 1h, 1d, 1w, 1m, never) Radius response time per auth request increased from <10ms to >100ms (128 procs x 2 servers => 1 db cluster) After optimizing procedures and indexes in Sybase, above time fell to ~30ms Still not good enough, so we need to optimize/change db or try DHCPv6 or use static

Radius Attributes Radius IPv6 Attributes WAN prefix: global /64 through SLAAC LAN prefix: global /56 through DHCPv6-PD AAA through Radius BRAS as DHCPv6-PD server Authentication Framed-IPv6-Prefix (WAN Prefix) Delegated-IPv6-Prefix (LAN Prefix) Framed-Interface-Id Accounting Framed-IPv6-Prefix (WAN Prefix) Delegated-IPv6-Prefix (LAN Prefix) Framed-Interface-Id IPv6-Acct-Input-Octets IPv6-Acct-Output-Octets

Topology Dual-Stack Lite (RFC 6333) enables a broadband service provider to share IPv4 addresses among customers by combining two well-known technologies: IP in IP (IPv4-in-IPv6) and Network Address Translation (NAT) DS-Lite was chosen because at the time we had to take a decision (Sep 2011),it was evaluated to be the best available solution for our IPv4 exhaustion problem.

DS-Lite Platforms: 1 AFTR (Juniper) 3 CPEs (Huawei, Technicolor, Gennet) Tests Issues on AFTR: IPv4 MTU enforced to 1444 without any apparent reason Not clear whether to use physical or logical interface for tunnel termination No support for radius acct records with NAT mappings No support for deterministic Port Block Allocation (NAT) with DS-Lite Port usage sometimes shows unrealistic numbers Using port block allocation sometimes breaks NAT Issues on CPEs: Throughput decreased by 20%-40% MTU/MSS havoc (every vendor is following a unique approach) Default route expires due to RAs not sent Status/diagnostic pages miss a lot of information IPv6 firewall setup is not user friendly IPv6 access on the WAN interface cannot be blocked DS-Lite and IPv4 can be used simultaneously (btw, this works)

DS-Lite Works: Anything http based Video/Audio streaming from various sites FTP Skype Torrent leeching SIP calls initiated from inside Results Semi/No-Works: Anything expecting incoming connections without first initiating them (servers) Torrent seeding (after a while the leecher learned the external ip/port of the seeder) SIP calls without an intermediate server Online gaming

DS-Lite Softwires & Flows achatz@mx-lab-kln-01> show services softwire flows ds-lite Interface: sp-2/0/0, Service set: DSLITE-SERVICE-SET Flow State Dir Frm count DS-LITE2a02:2148:100:304::1234->2a02:2148:77:77:2::5 Forward I 75819 TCP 192.168.1.69:53428 -> 92.252.240.8:51413 Forward I 58 NAT source 192.168.1.69:53428 -> 194.219.240.1:1078 Softwire 2a02:2148:100:304::1234 -> 2a02:2148:77:77:2::5 UDP 122.160.26.199:24853 -> 194.219.240.1:1816 Forward O 1 NAT dest 194.219.240.1:1816 -> 192.168.1.69:42338 Softwire 2a02:2148:77:77:2::5 -> 2a02:2148:100:304::1234 UDP 192.168.1.69:42338 ->109.195.156.143:35691 Forward I 9 NAT source 192.168.1.69:42338 -> 194.219.240.1:1290 Softwire 2a02:2148:100:304::1234 -> 2a02:2148:77:77:2::5 UDP 178.122.93.189:38121 -> 194.219.240.1:1149 Forward O 31 NAT dest 194.219.240.1:1149 -> 192.168.1.69:42338 Softwire 2a02:2148:77:77:2::5 -> 2a02:2148:100:304::1234 TCP 98.28.107.204:59420 -> 194.219.240.1:1347 Forward O 83 NAT dest 194.219.240.1:1347 -> 192.168.1.69:53460 Softwire 2a02:2148:77:77:2::5 -> 2a02:2148:100:304::1234 TCP 94.19.140.192:58750 -> 194.219.240.1:1490 Forward O 406 NAT dest 194.219.240.1:1490 -> 192.168.1.69:53287 Softwire 2a02:2148:77:77:2::5 -> 2a02:2148:100:304::1234 TCP 90.45.16.240:38317 -> 194.219.240.1:1671 Forward O 105

DS-Lite Translations & Ports achatz@mx-lab-kln-01> show services nat pool detail DSLITE-POOL Interface: sp-2/0/0, Service set: DSLITE-SERVICE-SET NAT pool: DSLITE-POOL, Translation type: dynamic Address range: 194.219.240.1-194.219.240.255 Port range: 1024-65535, Ports in use: 1089, Out of port errors: 0, Max ports used: 1333 achatz@mx-lab-kln-01> show services nat pool detail DSLITE-POOL Interface: sp-2/0/0, Service set: DSLITE-SERVICE-SET NAT pool: DSLITE-POOL, Translation type: dynamic Address range: 194.219.240.1-194.219.240.255 Port range: 1024-65535, Ports in use: 54365, Out of port errors: 0, Max ports used: 54537

Address Sharing IPv4 Address Sharing Issues Restricted allocations of outgoing ports will impact performance for end-users Incoming port negotiation mechanisms may fail Port discovery mechanisms will not work Inbound ICMP will fail in many cases Amplification of security issues will occur Service usage monitoring and abuse logging will be impacted Spam blacklisting will be affected Geo-location services will be impacted Authentication mechanisms may be impacted and many more see RFC 6269 Since our TR-069 platform can identify subscribers that do not use port forwarding (and UPnP) on their CPE, these subscribers can be candidates for address sharing. In any case, an option should be provided for disabling this after subscriber s request. Whether PCP is a viable solution will be proved in the following months Latest PCP draft (27) doesn t (and won t) support multiple ports in a single request/response, so we expect some issues with incoming connections and maybe suboptimal ip/port usage After running a scan on our network, we have chosen 1:6 as the initial ratio

Questions

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information