I gave this talk to http://www.theiet.org/ on Thu 26th Feb 2010. It gives an overview of the TSSG (Telecommunications Software & Systems Group). The focus is on the unique model of balancing basic research, applied research and commercialisation activity (roughly equally) in a research centre in Ireland. The next part was a call to arms to migrate to IPv6, giving the historical context of IPv4 depletion. Finally a note was made of the TSSG's progress towards IPv6 deployment, and of our research activity since 199 in various research themes linked to IPv6, particularly SHIM6.
Future Internet
• TSSG Background
• IPv6 - Near Term Future Internet
• IPv6 - TSSG Deployment & Research
• Future Internet - Clean Slate
– Was planning to talk about this
– TSSG doing some work in EU FP7 4WARD
– But I have removed this element of the talk
TSSG Executive Management
• Willie Donnelly – Director, TSSG
• Mícheál Ó Foghlú – Executive Director Research, TSSG
• Barry Downes – Executive Director Innovation & Commercialisation, TSSG
• Eamonn de Leastar – CTO, TSSG
TSSG Balanced EcoSystem
[Diagram: TSSG at the centre of three overlapping areas]
• Commercial – The Entrepreneur
• Basic Research – The Science
• Applied Research – The Engineering
TSSG project counts, Jan 2010:
• 99 completed projects
• 28 active projects
• 71% of which TSSG led
• 127 total projects
Average project = €440k, Total = €56 Million 1996-2009
Staff number = 140 (20 PhDs, 5 Faculty, 12 Postdocs)
Spin-in/Spin-out company job number = 60
Partners = 150 academic & industrial partners working on funded projects
Enterprise Ireland Innovation Partnerships = 50 from 2007-2009 *
* Not counted as projects - small scale €5k engagements with Irish SMEs
TSSG Funded Projects
[Pie chart: funding mix by source; the slice labels did not survive extraction]
Total: €56 M Funding (1996 – 2010), Total: 127 Projects
Balanced Portfolio
TSSG Funding Mix
TSSG Positioning
• Basic Research (HEA, SFI)
– One of the TOP 3 academic centres in Ireland in telecommunications: WIT (TSSG), TCD (CTVR), DCU (RINCE)
• Applied Research (EU FP7)
– Irish winner of EU FP7 funding - twice nearest competitor
– Ranked Top 10 institute in Europe in Future Internet research (i.e. on a par with Nokia, Ericsson, FhG FOKUS)
– Engaged in many EU Technology Platforms at board level (eMobility, NEM, NESSI)
TSSG Positioning Contd…
• Commercialisation (EI)
– One of the top research groups for commercialisation
– Leading edge innovation & technology development in: IMS, Web 2.0, Mobile
• Commercial ‘Spin-offs’ (Separate from TSSG)
– Early stage technology clusters emerging based around TSSG
– 60 jobs created in 14 ‘Spin-Out’ and ‘Spin-In’ companies linked to TSSG (since 2001)
– Continue to develop other companies in the marketplace
TSSG Research & Innovation Philosophy
• Research and innovation is non-linear: good ideas come from ALL parts of an ecosystem, requiring a balance of funding to maintain the flow of the ecosystem
• Equal value across all parts of the ecosystem: basic research, applied research, and commercialisation; build expertise in VC funding and following stages
• Build research teams: utilise non-traditional staff (professional researchers) in applied and commercial research; fight academic norms/assumptions
Stokes’ Pasteur’s Quadrant
A detailed analysis of Vannevar Bush, NSF, OECD Frascati and other ways in which basic and applied research have been split by funding mechanisms, to the detriment of technological innovation.
Stokes, Donald E. [1997] Pasteur's Quadrant: Basic Science and Technological Innovation. Washington D.C., USA: Brookings Institution Press.
Stokes’ Pasteur’s Quadrant

                                          Considerations for use?
                                          No                            Yes
Quest for fundamental     Yes             Pure Basic Research           Use-Inspired Basic Research
understanding?                            (Bohr)                        (Pasteur)
                          No              Taxonomies and Tools          Pure Applied Research
                                          (Researchers are the users)   (Edison)

(Adapted from Pasteur’s Quadrant: Basic Science and Technological Innovation, Stokes 1997, p. 73).
IPv6 - Near Term Future Internet
Future Internet
• Near Term
– We have to move from IPv4 to IPv6 as this talk will explain
• Longer Term
– There is a lot of room for academic research into alternatives to IP, but it will take 10 years or more to agree and then maybe another 10 to implement
• Remember IP is 40 years old now, but only took off from the 1990s as the web popularised IP outside of academia and of specialist IT companies
IPv4 Exhaustion - Summary
• There are around 4.3 billion (2^32) IPv4 addresses, not all of which can actually be used
• There are over 6 billion people
• As countries develop it is typical for each person to have multiple devices requiring addresses
• There are more and more other services linking machines to machines that also require addresses
• Therefore there are not enough IPv4 addresses
• There are 2^128 IPv6 addresses, this is definitely enough
Shape of IPv4
Originally, three classes of network were "good enough" ...but not for long
Class B Exhaustion
Workarounds were needed
Short term
– Classless Inter-domain Routing (CIDR)
• finer tuned allocation
– Encourage private addresses (RFC1918) and NAT
• avoid allocation
– RIRs enter conservation mode
• minimise allocation
Long Term
– New protocol with bigger address space
Workarounds: CIDR
CIDR took the reins off the subnet masks. Address space now "shrinks to fit” each network.

Address         Netmask            Hosts
193.1.219.90    255.255.0.0        65534
                255.255.128.0      32766
                255.255.192.0      16382
                255.255.224.0       8190
                255.255.240.0       4094
                255.255.248.0       2046
                255.255.252.0       1022
                255.255.254.0        510
                255.255.255.0        254
                255.255.255.128      126
                255.255.255.192       62
                255.255.255.224       30
                255.255.255.240       14
                255.255.255.248        6
                255.255.255.252        2
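As an added example (not from the deck), the table above reproduced with Python's standard ipaddress module, plus a "shrink to fit" helper that picks the longest prefix still covering a required host count and compares it with the classful block that CIDR replaced. The host address 193.1.219.90 is the slide's; the 500-host site in the usage is a constructed figure.

```python
import ipaddress


def usable_hosts(prefix_len: int) -> int:
    """Usable host addresses in an IPv4 block of the given prefix length.

    The all-zeros (network) and all-ones (broadcast) host addresses are reserved,
    which is why the slide's table shows 65534 for /16 and 2 for /30.
    """
    if not 0 <= prefix_len <= 30:
        raise ValueError("prefix length must be between 0 and 30 for a usable host block")
    return 2 ** (32 - prefix_len) - 2


def cidr_table(host: str, first: int = 16, last: int = 30):
    """Walk the slide's table: (network, netmask, usable hosts) for each prefix length.

    strict=False lets ipaddress mask the host bits off 193.1.219.90 itself.
    """
    rows = []
    for plen in range(first, last + 1):
        net = ipaddress.ip_network(f"{host}/{plen}", strict=False)
        rows.append((str(net), str(net.netmask), usable_hosts(plen)))
    return rows


def smallest_block_for(hosts_needed: int) -> int:
    """'Shrink to fit': the longest prefix that still provides hosts_needed addresses."""
    for plen in range(30, -1, -1):
        if usable_hosts(plen) >= hosts_needed:
            return plen
    raise ValueError("more hosts than a single IPv4 block can address")


def classful_block_for(hosts_needed: int) -> int:
    """The pre-CIDR choice: a whole class C (/24), B (/16) or A (/8), whatever the need."""
    if hosts_needed <= usable_hosts(24):
        return 24
    if hosts_needed <= usable_hosts(16):
        return 16
    return 8


def addresses_saved(hosts_needed: int) -> int:
    """Addresses a CIDR allocation saves over the classful one for the same requirement."""
    return usable_hosts(classful_block_for(hosts_needed)) - usable_hosts(smallest_block_for(hosts_needed))


if __name__ == "__main__":
    for net, mask, hosts in cidr_table("193.1.219.90"):
        print(f"{net:<20} {mask:<17} {hosts:>6}")
    # Constructed requirement: a 500-host site
    print("500 hosts: classful /%d vs CIDR /%d, %d addresses saved"
          % (classful_block_for(500), smallest_block_for(500), addresses_saved(500)))
```

The saving for a 500-host site is the whole point of the slide: a class B would have tied up 65534 addresses where a /23 provides 510.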
Success of the Workarounds
• So IPv4 addresses have a smaller address range than IPv6, but the life of IPv4 has been extended by:
– CIDR
– NAT
End of the road for Workarounds
• But still, there is huge demand for more IPv4 addresses:
– many new wireline connections as broadband penetrates new markets
– many new wireless data access connections as mobile broadband picks up
– many new mobile devices on the Internet, smart phones are becoming the norm
– the promised new “Internet of things” where many more embedded devices have wired and wireless Internet connectivity (e.g. multiple electrical devices in houses and offices)
– every IPv4 SSL web server needs a unique IPv4 address
– many geographical regions of the world (especially in Asia with later uptake of IPv4 and huge populations – China and India) have a much higher demand for new IPv4 addresses than we have in Europe
• So… When will we run out? ….
IPv4: How long have we got?
• Tony Hain reckons 2010 (IANA /8 pool will run out)
– http://www.cisco.com/en/US/about/ac123/ac147/archived_issues/ipj_8-3/ipv4.html
• Geoff Huston reckons (*) 25 September 2011 (IANA /8 pool will run out)
– http://www.potaroo.net/tools/ipv4/index.html
“Here the exhaustion point is the date where the first RIR has exhausted its available pool of addresses, and no further numbers are available in the IANA unallocated pool to replenish the RIR's pool. The data available suggests a best fit predictive model where this will occur on 11-Oct-2010. A related prediction is the exhaustion of the IANA unallocated number pool, which this model predicts will occur on 25-Sep-2011.”
(*) Huston’s model is dynamically updated - these figures were taken 2010-02-24
Consensus on IPv4 exhaustion began to be reached in 2007
• On May 21, 2007, the American Registry for Internet Numbers (ARIN), the North American RIR, advised the internet community that due to the expected exhaustion in 2010 "migration to IPv6 numbering resources is necessary for any applications which require ongoing availability from ARIN of contiguous IP numbering resources". It should be noted that "applications" include general connectivity between devices on the Internet, as some devices only have an IPv6 address allocated.
• On June 20, 2007, the Latin American and Caribbean Internet Addresses Registry (LACNIC), the South American RIR, advised "preparing its regional networks for IPv6" by January 1, 2011 for the exhaustion of IPv4 addresses "in three years time".
• On June 26, 2007, the Asia-Pacific Network Information Centre (APNIC), the RIR for the Pacific and Asia, endorsed a statement by the Japan Network Information Center (JPNIC) that to continue the expansion and development of the Internet a move towards an IPv6-based Internet is advised. This with an eye on the expected exhaustion around 2010 which will create a great restriction on the Internet.
IPv4: How long do we have when the /8 pool is gone?
• In reality this depends on unpredictable factors
– The policies will probably get tighter
– There will probably be a rush
– Something else could blow it apart
– Note that the economic crisis has slowed consumption of the IPv4 address pool slightly, giving us maybe 6-12 months longer than Tony Hain predicted in 2005
The Internet Protocol Journal - Volume 8, Number 3, September 2005
A Pragmatic Report on IPv4 Address Space Consumption by Tony Hain, Cisco Systems
• Network Address Translation (NAT) and CIDR did their jobs and bought the 10 years needed to get IPv6 standards and products developed. Now is the time to recognize the end to sustainable growth of the IPv4-based Internet has arrived and that it is time to move on. IPv6 is ready as the successor, so the gating issue is attitude.
• When CIOs make firm decisions to deploy IPv6, the process is fairly straightforward. Staff will need to be trained, management tools will need to be enhanced, routers and operating systems will need to be updated, and IPv6-enabled versions of applications will need to be deployed. All these steps will take time—in many cases multiple years.
• The point of this article has been to show that the recent consumption rates of IPv4 will not be sustainable from the central pool beyond this decade, so organizations would be wise to start the process of planning for an IPv6 deployment now. Those who delay may find that the IANA pool for IPv4 has run dry before they have completed their move to IPv6. Although that may not be a problem for most, organizations that need to acquire additional IPv4 space to continue growing during the transition could be out of luck.
http://www.cisco.com/en/US/about/ac123/ac147/archived_issues/ipj_8-3/ipv4.html
IPv4 Addresses are Running Out
Comments on IPv6 Adoption
• CAIDA (Cooperative Association for Internet Data Analysis)
– in UCSD/SDSC graphs indicate that the IPv6 internet in 2005 is as complex as the IPv4 internet in 2000
– http://www.caida.org/home/
• So the topology of IPv6 is already as complex as IPv4 was at the height of the dot com boom
• But, admittedly, IPv6 is still less than 1% of all IP traffic in the world today (topology good, traffic volumes not so good)
• More promising, the allocation of IPv6 address space has been picking up in 2009, it had been very slow up until then
• So we have missed the window of being able to do dual-stack IPv4 and IPv6 on all machines, as IPv4 will be in too short supply -- so the change over will be more painful and later than originally planned by IETF
[Figure: 4th March 2005 IPv6 Topology (CAIDA.org)]
[Figure: IPv4 Historical Development; panels dated January 2000, October 2000, July 2001, April 2002, April 2003, April 2005]
Example IPv6 Address
• IPv6 = 128 bit address (3.4 x 10^38 max possible)
• IPv4 = 32 bit address (4,294,967,296 max possible)
• 2001:0db8:0010:0300:0000:0000:0ae2:510b – Long version.
• 2001:db8:10:300:0:0:ae2:510b – Omit leading zeros.
• 2001:db8:10:300::ae2:510b – Replace run of zeros with ::
• 2001:db8:10:300::10.226.81.11 – Can write end as IPv4 address (the last 32 bits as a dotted quad).
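An added example, not part of the original deck: a parser and RFC 5952 compressor written out so the three rewriting rules on the slide (drop leading zeros, collapse the first longest run of zero groups into ::, optionally write the last 32 bits as a dotted quad) are explicit rather than hidden inside ipaddress. ipaddress is used only to validate the dotted-quad tail. The address worked is the slide's; the other inputs in the usage are constructed.

```python
import ipaddress


def expand_ipv6(text: str):
    """Parse any textual IPv6 form into its eight 16-bit groups.

    Accepts leading-zero suppression, a single '::' and an embedded dotted-quad
    tail; anything else is rejected rather than guessed at.
    """
    if "." in text:
        # Dotted-quad tail: turn the IPv4 part into the last two groups.
        head, _, tail = text.rpartition(":")
        v4 = int(ipaddress.IPv4Address(tail))
        text = f"{head}:{v4 >> 16:x}:{v4 & 0xFFFF:x}"
    if "::" in text:
        left, right = text.split("::", 1)
        if "::" in right or left.endswith(":") or right.startswith(":"):
            raise ValueError("'::' may appear only once and not beside a lone ':'")
        lgroups = [int(g, 16) for g in left.split(":") if g]
        rgroups = [int(g, 16) for g in right.split(":") if g]
        missing = 8 - len(lgroups) - len(rgroups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = lgroups + [0] * missing + rgroups
    else:
        groups = [int(g, 16) for g in text.split(":")]
    if len(groups) != 8 or any(not 0 <= g <= 0xFFFF for g in groups):
        raise ValueError(f"not an IPv6 address: {text!r}")
    return groups


def compress_groups(groups) -> str:
    """RFC 5952 text form for a list of 16-bit groups: lowercase hex without leading
    zeros, and the first longest run of two or more zero groups replaced by '::'.
    A single zero group is never collapsed. Works for fewer than eight groups too,
    which the mixed notation below relies on."""
    best_start, best_len, run_start, run_len = -1, 0, -1, 0
    for i, g in enumerate(list(groups) + [None]):   # sentinel closes a trailing run
        if g == 0:
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:                  # '>' keeps the first of equal runs
                best_start, best_len = run_start, run_len
            run_len = 0
    hexs = [f"{g:x}" for g in groups]
    if best_len < 2:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])


def compress_ipv6(text: str) -> str:
    """Canonical (compressed) form of any textual IPv6 address."""
    return compress_groups(expand_ipv6(text))


def mixed_notation(text: str) -> str:
    """Write the last 32 bits as a dotted-quad IPv4 address, as on the slide."""
    groups = expand_ipv6(text)
    head = compress_groups(groups[:6])
    tail = str(ipaddress.IPv4Address((groups[6] << 16) | groups[7]))
    return head + tail if head.endswith("::") else f"{head}:{tail}"


if __name__ == "__main__":
    long_form = "2001:0db8:0010:0300:0000:0000:0ae2:510b"   # the slide's address
    print(compress_ipv6(long_form))          # 2001:db8:10:300::ae2:510b
    print(mixed_notation(long_form))         # 2001:db8:10:300::10.226.81.11
    print(compress_groups([1, 0, 0, 1, 0, 0, 1, 1]))   # constructed tie case: 1::1:0:0:1:1
```

The tie case matters for log correlation: two tools that collapse different zero runs produce different strings for the same address, which is why RFC 5952 fixes the choice (first longest run) and why comparisons should be made on the packed 128-bit value, not on text.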
Dual stacking & DNS
IPv4 uses A records; IPv6 uses AAAA records
ftp.heanet.ie IN A 193.1.193.64
ftp.heanet.ie IN AAAA 2001:770:18:aa40::c101:c140
Client attempts IPv6 first (AAAA record) and if that fails, IPv4 (A record)
Automatic transition to IPv6
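An added example (not the deck's code) of the client behaviour described above: every AAAA answer is tried before any A answer. The zone dictionary is a constructed offline stand-in for a resolver carrying the two heanet records shown; the connector is injected so the fallback logic can be exercised without a network. One caveat a practitioner will want: "AAAA then A" only falls back once the IPv6 attempt has actually failed, so a silently blackholed IPv6 path costs a full connect timeout before the A record is used.

```python
import socket
from typing import Callable, Dict, List, Optional, Tuple

V6, V4 = socket.AF_INET6, socket.AF_INET

# Constructed offline stand-in for DNS answers. The ftp.heanet.ie records are the
# two shown on the slide; the .example names are made up for the fallback cases.
FAKE_ZONE: Dict[str, Dict[str, List[str]]] = {
    "ftp.heanet.ie": {"A": ["193.1.193.64"], "AAAA": ["2001:770:18:aa40::c101:c140"]},
    "v4only.example": {"A": ["192.0.2.10"], "AAAA": []},
    "v6only.example": {"A": [], "AAAA": ["2001:db8::10"]},
}

Candidate = Tuple[int, str]   # (address family, textual address)


def candidate_addresses(name: str, zone: Dict = FAKE_ZONE) -> List[Candidate]:
    """Order answers the way the slide's client does: every AAAA first, then every A."""
    records = zone.get(name, {})
    return ([(V6, a) for a in records.get("AAAA", [])] +
            [(V4, a) for a in records.get("A", [])])


def connect_with_fallback(name: str, connect: Callable[[int, str], bool],
                          zone: Dict = FAKE_ZONE) -> Optional[Candidate]:
    """Try candidates in order; return the first that connected, None if all fail.

    `connect(family, address)` stands in for socket.create_connection so the logic
    runs offline; a real connector must apply a timeout per attempt, otherwise a
    blackholed IPv6 path stalls the whole sequence.
    """
    for family, address in candidate_addresses(name, zone):
        if connect(family, address):
            return family, address
    return None


def reachable_only_over(families: set) -> Callable[[int, str], bool]:
    """Stand-in connector that succeeds only for the given address families,
    modelling e.g. a host whose IPv6 path is down."""
    return lambda family, address: family in families


if __name__ == "__main__":
    print(connect_with_fallback("ftp.heanet.ie", reachable_only_over({V6, V4})))
    print(connect_with_fallback("ftp.heanet.ie", reachable_only_over({V4})))
    print(connect_with_fallback("v6only.example", reachable_only_over({V4})))
```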
IPv4 Workaround Impacts (Private Address Space)
• Benefits of private addresses have been exploited for IT security
– Internal hosts are not directly addressable, therefore only reachable indirectly
– Enforces a central point of administration
– NAT used as "poor man's firewall" to disallow new connections inward
The Cost of Private Addressing (NAT)
• NAT also provides a way of preserving IPv4 Address Space, at a price
– Large number of private address spaces
– Each set of private addresses funnelled via a “middle box”, a Network Address Translation gateway, to the real Internet
– The NAT box needs to modify addresses embedded in every packet as it traverses the gateway – inefficient/CPU intensive
– The NAT box breaks the original end-to-end model of the Internet, making it very difficult for machines behind a NAT gateway to offer services to other machines on the Internet (hobbling peer-2-peer for example) - inelegant
– Applications developers are then forced to find workarounds at the higher layers of the stack for NAT problems, e.g. the use of STUN with VoIP to allow p2p traffic – inefficient to have to solve the same problem repeatedly
The Cost of Private Addressing (NAT)
• Additional problems with the use of NAT
– It hurts security (yes, really!) e.g. your whole company/campus is blacklisted due to one user misbehaving
– It's extra hassle to avoid leaks
– It's bad news if networks merge (and they use the same private IP space)
The side benefit of large address space
– IPv6 uses 2^64 addresses on a link instead of usually less than 2^8 for IPv4
– Attacks based on simply scanning a whole network
• would need years to perform
• would thereby consume massive bandwidth on the scanned link
• are therefore no longer appropriate
– However
• one needs to take care about the addressing of servers (use of arbitrary identifiers)
• one needs to secure neighbour discovery messages
Cryptographically Generated Addresses
– IPv6 addresses which carry hashed information about the public key in the identifier part
– Benefits
• Certificate functionality without requiring a key management infrastructure
• Solution for securing IPv6 Neighbour Discovery (resolves the chicken-and-egg problem of IPsec)
[Diagram: Cryptographically Generated Address = Subnet prefix (64 bit) | CGA specific ID (64 bit), where the ID is a hash of the sender's public key]
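The construction in the diagram, as an added example that is not TSSG code: a simplified RFC 3972 CGA generator and verifier. Simplifications, also noted in the comments: the public key is a raw byte string rather than the DER-encoded key the RFC hashes, no extension fields are used, and duplicate address detection (which would increment the collision count) is omitted. The 2001:db8::/64 prefix and the key bytes are constructed values. The security point the slide makes is visible in `verify_cga`: a receiver checks the binding between address and key with nothing but the parameters the sender supplies, so no certificate authority is needed to secure Neighbour Discovery.

```python
import hashlib
import ipaddress
import os
from typing import Dict, Optional, Tuple

# Constructed values for the example: a documentation prefix and stand-in key bytes
# (RFC 3972 hashes a DER-encoded SubjectPublicKeyInfo; raw bytes are used here).
EXAMPLE_PREFIX = ipaddress.IPv6Network("2001:db8::/64").network_address.packed[:8]
EXAMPLE_KEY = b"constructed stand-in for a DER-encoded public key"


def _hash1(modifier: bytes, prefix: bytes, collision_count: int, pubkey: bytes) -> bytes:
    """Hash1 = SHA-1(modifier | subnet prefix | collision count | public key)."""
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()


def _hash2_ok(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    """Hash extension: for Sec > 0 the leftmost 16*Sec bits of
    Hash2 = SHA-1(modifier | 9 zero octets | public key) must be zero."""
    if sec == 0:
        return True
    h2 = hashlib.sha1(modifier + bytes(9) + pubkey).digest()
    return int.from_bytes(h2[:14], "big") >> (112 - 16 * sec) == 0


def cga_interface_id(modifier: bytes, prefix: bytes, collision_count: int,
                     pubkey: bytes, sec: int) -> bytes:
    """Leftmost 64 bits of Hash1 with Sec written into bits 0-2 and the u/g bits
    (bits 6 and 7 of the first octet) cleared."""
    iid = bytearray(_hash1(modifier, prefix, collision_count, pubkey)[:8])
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    return bytes(iid)


def generate_cga(prefix: bytes, pubkey: bytes, sec: int = 0,
                 modifier: Optional[bytes] = None) -> Tuple[ipaddress.IPv6Address, Dict]:
    """Return (address, CGA parameters). The parameters travel with the address so
    any receiver can verify it. Collision handling (DAD) is omitted here."""
    if len(prefix) != 8 or not 0 <= sec <= 7:
        raise ValueError("prefix must be 64 bits and Sec must be 0..7")
    modifier = os.urandom(16) if modifier is None else modifier
    while not _hash2_ok(modifier, pubkey, sec):     # search costs about 2^(16*Sec) hashes
        modifier = ((int.from_bytes(modifier, "big") + 1) % (1 << 128)).to_bytes(16, "big")
    params = {"modifier": modifier, "prefix": prefix, "collision_count": 0,
              "pubkey": pubkey, "sec": sec}
    iid = cga_interface_id(modifier, prefix, 0, pubkey, sec)
    return ipaddress.IPv6Address(prefix + iid), params


def verify_cga(address: ipaddress.IPv6Address, params: Dict) -> bool:
    """RFC 3972 section 5 checks: collision count in 0..2, prefix matches, Hash1
    matches the identifier except bits 0-2 and 6-7 (Sec is read from the address
    itself, not trusted from the parameters), and Hash2 passes for that Sec."""
    packed = address.packed
    if params["collision_count"] not in (0, 1, 2) or packed[:8] != params["prefix"]:
        return False
    sec = packed[8] >> 5
    expected = cga_interface_id(params["modifier"], params["prefix"],
                                params["collision_count"], params["pubkey"], sec)
    mask = bytes([0x1C]) + b"\xff" * 7
    if bytes(a & m for a, m in zip(packed[8:], mask)) != bytes(e & m for e, m in zip(expected, mask)):
        return False
    return _hash2_ok(params["modifier"], params["pubkey"], sec)


def tamper(address: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    """Flip the last bit of an address, to show a mismatched identifier failing."""
    packed = bytearray(address.packed)
    packed[-1] ^= 1
    return ipaddress.IPv6Address(bytes(packed))


if __name__ == "__main__":
    addr, params = generate_cga(EXAMPLE_PREFIX, EXAMPLE_KEY, sec=1)
    print(addr, verify_cga(addr, params), verify_cga(tamper(addr), params))
```

Note what the Sec field buys: each step of Sec makes the generation search 2^16 times more expensive, and an attacker trying to find a different key that hashes to an existing address pays the same factor on top of the 2^59 bits of hash in the identifier.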
Traceability of (mobile) users
In stateless IPv6 address autoconfiguration identifiers can be derived from HW (static part in address)
Does this mean that I‘m traceable (location, sites visited, …)?
• IPv6 also supports random identifiers for privacy reasons
• These random identifiers are the default setting in some operating systems
[Diagram: Subnet prefix (64 bit) | Random or static identifier (64 bit)]
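An added example (not from the deck) of the traceability point: a modified EUI-64 identifier embeds the interface's MAC address, so the same 64-bit suffix reappears under every prefix a mobile host visits, while a random identifier does not. The functions below build an EUI-64 address from a MAC, recover the MAC from an address that carries one, and classify a constructed list of addresses of the kind a neighbour table would show. The MAC and all addresses are constructed values.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample of addresses seen on one /64, e.g. from a neighbour table.
SAMPLE_ADDRESSES = [
    "2001:db8:10:300:21b:21ff:fe3c:4d5e",   # EUI-64 derived (carries a MAC)
    "2001:db8:10:300:3c2d:9a1f:77e0:1b5c",  # random (privacy) identifier
    "2001:db8:10:300::53",                  # manually assigned server address
]


def eui64_from_mac(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Modified EUI-64 as used by stateless autoconfiguration (RFC 4291 appendix A):
    split the 48-bit MAC, insert ff:fe in the middle and flip the universal/local
    bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    net = ipaddress.IPv6Network(prefix, strict=False)
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def mac_from_address(address: str) -> Optional[str]:
    """Recover the MAC if the interface identifier has the ff:fe marker in bytes
    3-4; None for random, privacy or manually assigned identifiers. The marker is a
    heuristic: a random identifier contains it with probability 2^-16."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def same_interface(address_a: str, address_b: str) -> bool:
    """True when two addresses, possibly under different prefixes, carry the same
    MAC, i.e. the host can be followed across networks by its address suffix."""
    mac_a, mac_b = mac_from_address(address_a), mac_from_address(address_b)
    return mac_a is not None and mac_a == mac_b


def classify(addresses: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Split observed addresses into {address: MAC} for EUI-64 ones and a list of the rest."""
    leaking: Dict[str, str] = {}
    opaque: List[str] = []
    for address in addresses:
        mac = mac_from_address(address)
        if mac is None:
            opaque.append(address)
        else:
            leaking[address] = mac
    return leaking, opaque


if __name__ == "__main__":
    home = eui64_from_mac("2001:db8:10:300::/64", "00:1b:21:3c:4d:5e")
    away = eui64_from_mac("2001:db8:ffff:1::/64", "00:1b:21:3c:4d:5e")
    print(home, away, same_interface(str(home), str(away)))
    print(classify(SAMPLE_ADDRESSES))
```

Run over a site's neighbour tables, `classify` is a quick audit of which clients still expose hardware identifiers despite the random-identifier default mentioned on the slide.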
Disappearance of NATs
Without NAT boxes my home / company devices will have public addresses
Does this mean that I’m easily reachable from outside and therefore also more affected by attacks?
– NO, as NAT boxes do not give any security or privacy.
– A (host) firewall can effectively shield parts which should not be reachable from outside.
– Even more, a firewall can provide application layer security, a NAT box cannot
– BUT NAT by default denies access -- a good thing in general
[Diagram: Internet (Global Addresses) connected through a FW to Company A (Public Address A) and through a FW to Company B (Public Address B)]
Privacy
• IPv6 has a real privacy protocol
• IPv4 has no real privacy protocol
• Network elements based on IPv4 need to be protected by firewalls, cable modems are a classic example, whereas IPv6 equivalents can be much more secure
IPv6 Services
• Technically there’s no huge advantage for any IP-based services to use IPv6 over IPv4.
• The benefits come from the broader infrastructural argument relating to the end-to-end architecture.
IPv6 Services
• This is most important when looking at potential peer-2-peer services such as VoIP
– In an IPv4 world you need a SIP gateway and a media gateway to set up a VoIP call using SIP – the media gateway allows connectivity through NAT gateways, and transfers signalling between different types (e.g. SS7 to IP); the SIP gateway is more like a firewall than NAT
– In an IPv6 world the SIP signalling negotiates a media stream that then can flow directly between the two clients
– Thus the IMS architecture itself is simplified for many services using IPv6
• As developers there is no major overhead in developing dual stack applications
• Thus those developing services for the next generation internet should develop dual stack applications that support IPv4 and IPv6
IPv6 - TSSG Deployment & Research
TSSG/WIT IPv6 allocations
Currently running: 2 /48s, 2001:770:20::/48 and 2001:770:**::/48 (darknet)
• 1 /48 used entirely as a darknet
• 1 /48 subnetted into 4 /50s, 3 /50s in use:
– 1 /50 initial darknet, now re-routed to external research network
– 1 /50 production n/w + routed links (WIT)
– 1 /50 production n/w (TSSG)
• /64s in use: 6 (research, Internet routed); 2; 11 (production); 16 (research, Internet routed)
• 1 additional /64 on our co-location LAN extension
IPv6 Networking
• In the TSSG all our networks are dual-stacked, unless there is a specific reason not to.
• Routed uplinks and production servers are assigned static IPv6 addresses. All other devices obtain auto-generated IPv6 addresses.
• We use ACLs to strictly limit inbound traffic to all our networks, except the Darknet of course.
• All outbound traffic is allowed and a reflexive rule is associated with each outbound session so the return traffic is allowed back in.
• We originally used a combination of static IPv6 routes and OSPFv3 for our IPv6 routing; now we use IS-IS as our primary routing protocol.
• We have found that running IPv6 does not add any more complexity to network design or layout. It does however introduce more security issues and can make troubleshooting more difficult. Hence the need for monitoring and tracking.
• The restoration of the End-to-End model, whilst welcome, eliminates the “auto-secure” or unreachable by default protection of NAT/PAT.
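An added example (not TSSG's configuration) of the inbound policy described in the bullets above, as a small simulation: default-deny inbound, a static allow-list for published servers, and a reflexive entry created by each outbound session so that session's return traffic is admitted. This is the "unreachable by default" property the last bullet says NAT/PAT used to give as a side effect, provided instead by a stateful filter with no address translation. The inside prefix, client, web server and outside host are constructed values; real ACLs would also need the ICMPv6 types Neighbour Discovery and path MTU discovery depend on, which this simulation leaves out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One direction of a session, identified by its 5-tuple."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.src, self.proto, self.dport, self.sport)


def mkflow(src: str, dst: str, proto: str, sport: int, dport: int) -> Flow:
    """Build a Flow with both addresses in canonical text form, so that
    2001:0db8::1 and 2001:db8::1 compare equal."""
    return Flow(str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)),
                proto.lower(), sport, dport)


class ReflexiveFilter:
    """Stateful edge filter: outbound traffic from the inside prefix is allowed and
    creates a reflexive entry for its return flow; inbound traffic is allowed only
    if it matches such an entry or a statically published (address, proto, port)."""

    def __init__(self, inside: str, published: Iterable[Tuple[str, str, int]]):
        self.inside = ipaddress.ip_network(inside)
        self.published = {(str(ipaddress.ip_address(a)), p.lower(), port)
                          for a, p, port in published}
        self.reflexive: Set[Flow] = set()

    def outbound(self, flow: Flow) -> bool:
        # Anti-spoofing: only our own prefix may originate traffic outbound.
        if ipaddress.ip_address(flow.src) not in self.inside:
            return False
        self.reflexive.add(flow.reverse())   # permit this session's replies
        return True

    def inbound(self, flow: Flow) -> bool:
        if flow in self.reflexive:
            return True
        if (flow.dst, flow.proto, flow.dport) in self.published:
            return True
        return False   # default deny: NAT's "unreachable by default", without NAT


def simulate(fw: ReflexiveFilter, events: List[Tuple[str, Flow]]) -> List[bool]:
    """Apply a sequence of ('out'|'in', flow) events and return the verdicts."""
    return [fw.outbound(flow) if direction == "out" else fw.inbound(flow)
            for direction, flow in events]


# Constructed scenario: a client on the inside /64 browses an outside server, then
# the outside host tries SSH to the client and HTTP to the published web server.
INSIDE = "2001:db8:10:300::/64"
CLIENT = "2001:db8:10:300:3c2d:9a1f:77e0:1b5c"
WEB = "2001:db8:10:300::80"
OUTSIDE = "2001:db8:ffff::1"
SCENARIO = [
    ("out", mkflow(CLIENT, OUTSIDE, "tcp", 50000, 443)),    # allowed, creates reflexive entry
    ("in", mkflow(OUTSIDE, CLIENT, "tcp", 443, 50000)),     # reply: allowed by that entry
    ("in", mkflow(OUTSIDE, CLIENT, "tcp", 4444, 22)),       # unsolicited: denied
    ("in", mkflow(OUTSIDE, "2001:0db8:10:300::80", "tcp", 4444, 80)),  # published: allowed
    ("out", mkflow("2001:db8:dead::1", OUTSIDE, "tcp", 1, 2)),         # spoofed source: denied
]


def run_scenario() -> List[bool]:
    return simulate(ReflexiveFilter(INSIDE, [(WEB, "tcp", 80)]), SCENARIO)


if __name__ == "__main__":
    for (direction, flow), verdict in zip(SCENARIO, run_scenario()):
        print(f"{direction:>3} {flow.src} -> {flow.dst}:{flow.dport}  {'permit' if verdict else 'deny'}")
```

The reflexive set is the part that grows without bound in a real device; router implementations age entries out, which is why long-idle sessions sometimes lose their return path and why the monitoring the deck goes on to describe matters.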
Network & Host Monitoring
• Open source tools like Nagios and Smokeping can be used to monitor network and host availability and reliability over IPv6.
• Ntop provides detailed network traffic analysis (if an uplink port is tap’d / span’d).
• However these tools only provide rudimentary information and can’t really tell you what is happening on your network.
• We now use Netflow (v9) from Cisco devices to capture and log all IPv4 and IPv6 headers
Security and traffic monitoring
• Initially no commercial security or monitoring products. Some open source products but implementations were poor and badly maintained. No real demand.
• The US Department of Defense decree, issued in July 2005, of full IPv6 support by July 2008 has improved this situation.
• Commercial products are now becoming available with full IPv6 support for monitoring and security reporting.
Static vs Dynamic addresses
• In the TSSG we use static addresses for all our servers and routed uplink interfaces.
• We use dynamic addresses on most networks for client devices and on internal vlan interfaces.
• We use the router to allocate the dynamic addresses
• We do not use dynamic DNS.
Services: DNS
• DNS Primary and Secondary hot-swap
– DNS External 1st (bind9 on Linux ubuntu, HEAnet)
– DNS External 2nd (bind9 on Solaris 10 zone, TSSG)
• ns.tssg.org round robins over
– ns1.tssg.org - Waterford (Solaris 10 zone, TSSG) • IPv6 enabled
– ns2.tssg.org - Frankfurt (BSD Virtual Private Server, NTT Verio) • Not IPv6, yet
– ns3.tssg.org - Virginia (BSD Virtual Private Server, NTT Verio) • Not IPv6, yet
– ns4.tssg.org - Tokyo (BSD Virtual Private Server, NTT Verio) • IPv6 enabled
Services: Mail, Web
• Mail
– Software: postfix 2.2.8
– OS: Sun Solaris
– Location: internally hosted in TSSG
• Web
– Software: Apache 2.2.0
– OS: Linux ubuntu
– Location: externally hosted in HEAnet
– Note: Acts as host for many virtual domains (from www.ofoghlu.net to www.ipv6.ie)
Research Older: EU FP5 and earlier
• Converge (TSR Strand III)
– Security, Quality of Service and Accounting for next generation IPv6 services
• Torrent (EU FP5 IST)
– Use of IPv6 for Secure Provision of ISP Services
• Intermon (EU FP5 IST)
– Inter-domain Quality of Service for IPv4 and IPv6 networks and services
• SEINIT (EU FP6 IST)
– Security for next generation IPv6 networks and services
• IPv6 Cluster (EU FP5 IST)
– EU-sponsored coordination activity bringing together all EU IST FP5 projects promoting or using IPv6
Research Recent: EU FP6, HEA, SFI
– Daidalos I & Daidalos II (EU FP6 IST)
• Scenario-based next generation pervasive services based on IPv6
– M-Zones (HEA PRTLI Cycle 3)
• Managed Zones of Smart Spaces – managing next generation pervasive services
– Foundations of Autonomics (SFI PI Cluster)
• Modelling communications networks and services to enable autonomic network & service management
– ENABLE (EU FP6 IST)
• Enabling efficient and operational mobility in large heterogeneous IP networks (built on mobile IPv6)
Research Current: EU FP7
• Autonomic Communications
– 4WARD [IP FP7 ICT Call 1]
– EFIPSANS [IP FP7 ICT Call 1]
– AutoI [STREP FP7 ICT Call 1]
• Services
– PERSIST [STREP FP7 ICT Call 1]
• Security
– Inco-Trust [CA FP7 ICT Call 1]
– Think-Trust [CA FP7 ICT Call 1]
• Testbeds
– PII [IP FP7 ICT Call 2]
– Perimeter [STREP FP7 ICT Call 2]
– VITAL++ [STREP FP7 ICT Call 2]
Research Current: HEA & Other
– HEA FutureComm (PRTLI Cycle 4)
• Partnered with NUI Maynooth and University of Limerick
– SFI SRC FAME
• Partnered with TCD, UCD, NUIM and UCC
– National IPv6 Centre (DCMNR)
• Partnered with NUI Maynooth, HEAnet and BT Ireland
– Irish National IPv6 Task Force (DCMNR/DCENR)
• Promote IPv6 in Ireland
• http://www.ipv6.ie
Irish IPv6 Summit: Event Plug
• National IPv6 Summit
• Wed 19th May 2010
• Dublin Castle, Dublin, Ireland
• Keynote speakers: Brian Carpenter (University of Auckland) and Geoff Huston (APNIC)
• Panelists/Speakers: Dennis Jennings (ICANN), Daniel Karrenberg (ISOC and RIPE), Mat Ford (ISOC)
• Registrations opening in March
– http://www.ipv6.ie/summit2010 (website launch soon)
– http://www.ipv6.ie/summit2009 (view last year’s)
Questions?
• Happy to answer any questions
Contact Details
TSSG Offices:
TSSG (Waterford, Ireland) Headquarters
ArcLabs Research & Innovation Building
WIT West Campus, Carriganore
Co. Waterford, Ireland
TSSG (California, USA) Investment/VC Network
101 California Street
Suite 2450
San Francisco, CA 94111, USA
TSSG (Dublin, Ireland) Customer Meetings
Digital Depot, Roe Lane
The Digital Hub
Dublin 8, Ireland
Mícheál Ó Foghlú
Executive Director Research, TSSG, WIT
+353 51 302963 (w)
+353 86 8044640 (m)
Barry Downes
Executive Director 3CS, TSSG, WIT
+353 51 302932 (w)
+353 87 9075535 (m)