
Building Networks: Engineering for Objectives


© 2002, Cisco Systems, Inc. All rights reserved.

Keynote, Terena 2002

Fred Baker

Cisco Fellow


Economic news

• The economists think it’s good news

• Enterprise starting to show growth

Slow but apparently solid

• Service Provider market should follow growth of its customer markets

Not so important to NRENs per se, but important to the service provider marketplace


Questions from the Service Providers:

• What will spur more utilization, and therefore revenue?

New applications that consume bandwidth

• How can I reduce service to traffic that is costing me money?

New applications in which users are servers but don’t pay for the bandwidth


Technology on the upswing

• So I’m thinking:

“If I were a service provider, and I was starting to plan future deployments, what would be at the top of my list?”

• Key issues: “more bang, less buck”

It would come down to how I might best meet increasing customer needs while reducing the cost of deploying and managing the service.

I would also be looking at ways to extract more money from existing services.


Advancement into Next Generation Applications


Growing applications

• Peer to Peer application models

Morpheus, Gnutella, etc.

• Multiparty Games

Interactions modeled on Flight Simulator, video combat games


Service model mismatch

• Service Providers:

“We want to entertain you”

Client/Server applications in which many users access relatively few servers at hosting sites

Video on Demand

• Application Designers:

“Facilitate us entertaining ourselves and each other”

Peer to peer model

Server in the home

Morpheus, Gnutella, Gaming


Authentication/Authorization dichotomy

• Worms, viruses

Intent is to destroy the network

Access control required to analyze and eliminate

• Unauthorized Access

Use your machine for unintended purposes

• Peers in games

Can I signal directly rather than to a server?

• Can I control who I send content to, or who uses it?

Intellectual property issues


Client/Server Access control

• We trust people to access servers and do limited operations on them


Peer-peer access control model

• Model with all the same access control and therefore accountability

• Utilizes compute capability of peer computers to perform game


Here’s the hard part

• I have to be able to address the peer computers across perimeter security (global addresses)

• I have to be able to keep out the bad guys

Good intrusion detection and avoidance

• I have to be able to convince Mom, Dad, and the service provider that this is OK

• We have to manage IPR issues related to content

• There is no global PKI, and won’t be in my lifetime


Advancement into Critical Infrastructure


Networks coming to the party

• Emergency Telecommunications System (ETS)

• ITU I.225.3 Communications Networks

DISA Converged VoIP network

US NCS telecommunications network


Today’s Internet

• The optical internet backbone

Gigabit to terabit links

• Access networks: xDSL, cable modem, ISDN, asynchronous dial

20,000 instantaneous sessions per Gbps of backbone bandwidth

[Diagram: optical backbone linking access networks, campus networks (LANs), university sites, the UoSAT-12 satellite and Internet in airlines]


What are their objectives?

• Preferential treatment

• Security

• Non-traceability

• Restorability

• International connectivity

• Interoperability

• Mobility

• Ubiquitous coverage

• Survivability

• Voice service

• Broadband service

• Scalable bandwidth

• Affordability

• Reliability


Preferential treatment

• Specific [telephone] calls get reserved bandwidth or preempt other calls

• Data streams have variable drop thresholds

Able to change routing and applications in the face of serious failure or loss
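The first bullet describes call admission with preemption. As an added example (not from the deck or any Cisco product), the following Python models a fixed-capacity link on which each call reserves bandwidth and a more important call may preempt less important ones when the link is full; the priority scale, the call identifiers and the 200 kbit/s capacity are assumptions for the example.

```python
from dataclasses import dataclass

# Added example, not from the Terena 2002 deck: a link that reserves bandwidth
# per call and lets a more important call preempt less important ones.
# The priority scale is hypothetical: 0 is the most important (emergency) call.


@dataclass
class Call:
    call_id: str
    priority: int        # 0 = most important; larger values are less important
    bandwidth_kbps: int  # bandwidth reserved for the call's whole lifetime


class PreemptiveLink:
    """Admission control for a fixed-capacity link with priority preemption."""

    def __init__(self, capacity_kbps: int):
        self.capacity_kbps = capacity_kbps
        self.calls: dict[str, Call] = {}

    def reserved_kbps(self) -> int:
        return sum(c.bandwidth_kbps for c in self.calls.values())

    def admit(self, call: Call):
        """Try to admit `call`.

        Returns the list of preempted call ids (empty when the call fit without
        preemption), or None when the call is rejected.  Only calls that are
        strictly less important than the new call may be preempted; among
        those, the least important and then the smallest are taken first.
        """
        if call.bandwidth_kbps > self.capacity_kbps or call.call_id in self.calls:
            return None
        free = self.capacity_kbps - self.reserved_kbps()
        if free >= call.bandwidth_kbps:
            self.calls[call.call_id] = call
            return []
        candidates = sorted(
            (c for c in self.calls.values() if c.priority > call.priority),
            key=lambda c: (-c.priority, c.bandwidth_kbps),
        )
        victims, freed = [], 0
        for victim in candidates:
            if free + freed >= call.bandwidth_kbps:
                break
            victims.append(victim)
            freed += victim.bandwidth_kbps
        if free + freed < call.bandwidth_kbps:
            return None  # not enough preemptable bandwidth: reject, keep existing calls
        for victim in victims:
            del self.calls[victim.call_id]
        self.calls[call.call_id] = call
        return [v.call_id for v in victims]


def demo():
    """Walk through admission on a 200 kbit/s link; returns the decisions."""
    link = PreemptiveLink(200)
    decisions = {
        "A": link.admit(Call("A", priority=5, bandwidth_kbps=100)),  # fits: []
        "B": link.admit(Call("B", priority=3, bandwidth_kbps=100)),  # fits: []
        "C": link.admit(Call("C", priority=5, bandwidth_kbps=50)),   # full, nothing less important: None
        "D": link.admit(Call("D", priority=0, bandwidth_kbps=50)),   # emergency call preempts A: ['A']
        "E": link.admit(Call("E", priority=1, bandwidth_kbps=100)),  # 50 free, preempts B: ['B']
    }
    return decisions, sorted(link.calls)
```

Two design points matter in a preemption policy: a call never preempts one of equal or higher importance, and the link is left untouched when even preempting every less important call would not make room, so a rejected request cannot be used to knock other calls off the link.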


“Security”

• Authentication

• Authorization

• Control of traffic's use of bandwidth

• Privacy using advanced encryption


Interesting Routing

• “Non-traceability”

Specialized requirement for anonymity servers

• “International connectivity”

Connects to international carriers

• “Interoperability”

Connects to government networks

• Ubiquitous coverage

Works everywhere


“Mobility”

• Transportable

• Redeployable

• Mobile


“Survivability”

• Robust under extreme load

• Ability to re-route preferentially


Target services

• Voice service

• Web data distribution

• Database transaction services

• Instant messaging

• Broadband service


“Scalable bandwidth”

• An interesting point

They don’t ask for specific bandwidth or interconnection services

They want to be able to use whatever exists


“Reliability”

• Perform consistently

• Availability

• Meets design requirements and specifications

• Usable with high confidence


Key technologies


Data stream routing

• OSPF DSCP routing?

• Secure routing technologies


VPNs of various types

• CPE IPsec VPNs

• BGP/MPLS VPNs

• L2TP Occasional Access VPNs


Voice call management

• Key point: Interoperable with SS7

Able to tunnel calls from SS7 domain to SS7 domain

Able to originate or terminate calls that might operate in those domains

[Diagram: IP voice network bridging two PSTN domains]


Security

• Strong authorization

• Strong authentication

• Various layers


Resilience to attack

• Issues:

Denial of service

Intrusion detection

• There is room for a service offering here

Sell as a service that you will detect potential attacks and notify the customer

Expect this to include offering assistance:

Customer will want attack mitigation

Law enforcement will want attack tracing


Scalable Key Infrastructure

• Need

Stateless authenticator with no active attribute database

Peer exchange of attributes

[Diagram: authenticator mediating an authenticated exchange of attributes between peers]
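The slide's needs (a stateless authenticator with no attribute database, peer exchange of attributes, and an authenticated exchange) can be met by putting the attributes and an expiry inside a token that the authenticator tags with a key it alone holds. As an added example that is not from the deck or any Cisco product, the Python below does this with an HMAC over the encoded claims. Because the deck expects no global PKI, it assumes a domain-local symmetric key and has the receiving peer hand the token back to the authenticator for checking rather than verifying a signature itself; the key, subject, attribute names and clock values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example, not from the deck.  One stateless authenticator issues
# attribute tokens; everything the verifier needs is inside the token, so the
# authenticator keeps no per-user database.  Assumption: a domain-local
# symmetric key (the deck expects no global PKI), so a peer asks the
# authenticator to check a token rather than verifying a signature itself.


def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


class StatelessAuthenticator:
    def __init__(self, key: bytes, clock=time.time):
        self._key = key      # the only state the authenticator holds
        self._clock = clock  # injectable so expiry can be exercised offline

    def issue(self, subject: str, attributes: list, ttl_seconds: int = 300) -> bytes:
        """Bind `attributes` to `subject` for `ttl_seconds` under an HMAC tag."""
        claims = {"sub": subject, "attr": sorted(attributes),
                  "exp": int(self._clock()) + ttl_seconds}
        body = _b64e(json.dumps(claims, sort_keys=True).encode())
        tag = hmac.new(self._key, body, hashlib.sha256).digest()
        return body + b"." + _b64e(tag)

    def verify(self, token: bytes):
        """Return the claims if the tag and expiry check out, else None."""
        body, sep, tag = token.partition(b".")
        if not sep:
            return None
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(_b64d(tag), expected):
            return None  # forged or altered: reject before parsing the claims
        claims = json.loads(_b64d(body))
        if claims["exp"] <= self._clock():
            return None  # stale token: expiry bounds replay without a revocation list
        return claims


def peer_accepts(authenticator: StatelessAuthenticator, token: bytes, required: str) -> bool:
    """What a receiving peer does with a token the other peer presented."""
    claims = authenticator.verify(token)
    return claims is not None and required in claims["attr"]


def demo():
    key = b"domain-local-secret-for-the-example"  # constructed
    issuer = StatelessAuthenticator(key, clock=lambda: 1_000.0)
    token = issuer.issue("alice", ["player", "lobby-7"])
    # A second authenticator instance with the same key verifies the token:
    # no shared database is needed, only the key.
    verifier = StatelessAuthenticator(key, clock=lambda: 1_100.0)
    forged_body = _b64e(json.dumps({"attr": ["admin"], "exp": 9_999, "sub": "alice"}).encode())
    forged = forged_body + b"." + token.split(b".")[1]  # real tag, altered claims
    late = StatelessAuthenticator(key, clock=lambda: 2_000.0)
    return {
        "genuine": peer_accepts(verifier, token, "lobby-7"),     # True
        "missing_attr": peer_accepts(verifier, token, "admin"),  # False
        "forged": peer_accepts(verifier, forged, "admin"),       # False
        "expired": peer_accepts(late, token, "lobby-7"),         # False
    }
```

The authenticator stores nothing per user: a second instance given the same key accepts tokens issued by the first, and expiry rather than a revocation database bounds how long a stolen token stays useful. With a public-key signature in place of the HMAC the peer could verify locally, at the cost of distributing the authenticator's public key.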


Lawful intercept

• Traffic data = netflow?

• Content intercept
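This slide and the "Resilience to attack" slide above (which proposes selling attack detection and customer notification as a service) both turn on the same data: flow records that summarize packet headers and never carry payload. As an added example, not from the deck or any Cisco product, the Python below aggregates packets into NetFlow-style records, keeping only the "traffic data" the treaty slides quote, and runs a simple SYN-flood detector over them that produces the notification a detection service would send; the traffic, addresses, port numbers and thresholds are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example, not from the deck.  A NetFlow-style exporter keeps header
# fields only (the treaty's "traffic data"); the payload never enters a flow
# record.  A detector then runs over those records looking for the shape of a
# SYN flood and produces the customer notification a detection service would
# send.  Thresholds and the sample traffic are constructed for the example.


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    size: int
    flags: str       # TCP flag letters, e.g. "S", "SA", "PA"
    payload: bytes   # content data; deliberately never copied into a flow


def export_flows(packets):
    """Aggregate packets into flow records keyed on the 5-tuple."""
    flows = {}
    for p in packets:
        key = (p.src, p.dst, p.proto, p.sport, p.dport)
        rec = flows.get(key)
        if rec is None:
            flows[key] = {"src": p.src, "dst": p.dst, "proto": p.proto,
                          "sport": p.sport, "dport": p.dport,
                          "first": p.ts, "last": p.ts,
                          "packets": 1, "bytes": p.size, "flags": set(p.flags)}
        else:
            rec["last"] = p.ts
            rec["packets"] += 1
            rec["bytes"] += p.size
            rec["flags"] |= set(p.flags)
    return list(flows.values())


def detect_syn_flood(flows, min_sources=20, max_packets_per_flow=2):
    """Flag (dst, dport) pairs that see SYN-only, near-empty flows from many sources."""
    sources = defaultdict(set)
    for f in flows:
        if f["proto"] == "tcp" and f["flags"] == {"S"} and f["packets"] <= max_packets_per_flow:
            sources[(f["dst"], f["dport"])].add(f["src"])
    return {target: len(srcs) for target, srcs in sources.items() if len(srcs) >= min_sources}


def notifications(alerts):
    """Text the service would send the customer; it carries no packet content."""
    return [f"possible SYN flood against {dst}:{port} from {n} distinct sources"
            for (dst, port), n in sorted(alerts.items())]


def sample_packets():
    """Constructed traffic: one legitimate HTTP exchange, one lone SYN to 443,
    and 25 spoofed SYNs from distinct sources against port 80."""
    pkts = [
        Packet(0.0, "198.51.100.5", "203.0.113.10", "tcp", 40001, 80, 60, "S", b""),
        Packet(0.1, "198.51.100.5", "203.0.113.10", "tcp", 40001, 80, 52, "A", b""),
        Packet(0.2, "198.51.100.5", "203.0.113.10", "tcp", 40001, 80, 120, "PA", b"GET / HTTP/1.0\r\n\r\n"),
        Packet(0.3, "198.51.100.7", "203.0.113.10", "tcp", 40002, 443, 60, "S", b""),
    ]
    pkts += [Packet(1.0 + i / 100, f"192.0.2.{i}", "203.0.113.10", "tcp", 1024 + i, 80, 60, "S", b"")
             for i in range(1, 26)]
    return pkts


def demo():
    flows = export_flows(sample_packets())
    return flows, detect_syn_flood(flows)
```

The detector keys on shape, not content: many distinct sources, each opening a flow that carries a SYN and nothing else, while the legitimate connection (SYN, ACK, data) is left alone. The same records serve the attack tracing law enforcement would ask for, since they name every source, port and time without exposing content.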


Cybercrime treaty, Article 20: Real-time collection of traffic data

“Each Party shall …

… compel a service provider, within its existing technical capability, to:

i. collect or record …

traffic data, in real-time, associated with specified communications in its territory transmitted by means of a computer system.”

http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm


Cybercrime treaty, Article 21: Interception of content data

“Each Party shall …

a. collect or record …

b. compel a service provider …

i. collect or record …

ii. co-operate … in the collection or recording of,

content data, in real-time, of specified communications in its territory transmitted by means of a computer system.”

http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm


Conclusions


Technology deployment necessary

• Many of these technologies exist, but are not generally thought of as “services”

• Need to think through service provider deployment issues

Often not “quick fixes”


Working Smarter

Fred Baker

Cisco Fellow