NTT Communications’ IPv6 Backbone, Access, and Applications

Takeshi TOMOCHIKA, NTT Communications Corporation, 6th July, 2004


Page 1: NTT Communications’  IPv6 Backbone,  Access, and Applications

NTT Communications’ IPv6 Backbone, Access, and Applications

Takeshi TOMOCHIKA

6th July, 2004

NTT Communications

Page 2: NTT Communications’  IPv6 Backbone,  Access, and Applications

Agenda

1. NTT Communications’ IPv6 Activities
2. Dual Stack ADSL Access Service
3. Service Platform & framework

Page 3: NTT Communications’  IPv6 Backbone,  Access, and Applications

NTT Communications’ Global IPv6 Backbone

[Figure: map of the ntt.net Global Backbone linking Japan, Korea, Taiwan, Hong Kong, Malaysia, Australia, the U.S. and Europe, with IPv6 IX connections at NSPIXP6, JPNAP6, PAIX, EQUI6IX, LINX, UK6X, AMS-IX, DE-CIX, PARIX and ESPANIX]

Our Strength

• Global IPv6 network covering Asia, US, Europe
• IPv4/IPv6 dual-stack backbone
• Providing commercial IPv6 transit services in Japan (Apr ’01-), in Europe (Feb ’03-), in U.S. (June ’03-) and many other AP-Region countries (June ’03-)
• 24x7 monitoring and operations by dual NOCs in Japan and U.S.
• More than 3 years’ experience of operation
• Worldwide IPv6-IX Connectivity
  – Japan: NSPIXP6, JPNAP6 (Tokyo)
  – U.S.: PAIX, Equi6IX (West coast), Equi6IX (East coast)
  – Europe: LINX, UK6X (London), AMS-IX (Amsterdam), DE-CIX (Frankfurt), PARIX (Paris), ESPANIX (Madrid)

Page 4: NTT Communications’  IPv6 Backbone,  Access, and Applications

NTT Communications’ two ASes

[Figure: map of the ntt.net backbone showing the two ASes, AS2914 and AS 4713, and the regional operating companies: NTT Korea (Korea), NTT Taiwan (Taiwan), NTT Com Asia (Hong Kong), NTT MSC (Malaysia), NTT Australia (Australia), NTT Europe (Europe) and Verio (U.S.), with IX connections at NSPIXP6, JPNAP6, PAIX, EQUI6IX, LINX, UK6X, AMS-IX, DE-CIX, PARIX and ESPANIX]

Page 5: NTT Communications’  IPv6 Backbone,  Access, and Applications

Transition of NTT Communications’ IPv6 Services

[Figure: timeline of services by year (2001, 2002, 2003, 2004, 200X) and customer segment (Personal, SOHO, Enterprise, ISP, iDC), with a "BroadBandwith" label and three service types: IPv6 Native service, IPv6 and IPv4 Dual Stack Service, IPv6 over IPv4 Tunneling service]

Services shown:
- ntt.net IPv6 Gateway Service (2001 spring-)
- ntt.net Dual Stack Service (2004 spring-)
- OCN IPv6 Tunneling Service (2001 spring-)
- ntt.net IPv6 Tunneling Service (2002 spring-)
- OCN ADSL Dual Service (2002 summer-)

Page 6: NTT Communications’  IPv6 Backbone,  Access, and Applications

ntt.net’s Global Backbone Transition

Before 2000: Only IPv4 (ntt.net IPv4 Backbone)

• Worldwide global IP network
• Global tier1 network as one AS; 2914
• Only IPv4 available

Q1 2000 ~ Q2 2003: IPv4 and IPv6 separately (ntt.net IPv4 Backbone, ntt.net IPv6 Backbone)

• Set up global IPv6 backbone covering Asia, the U.S. and Europe
• IPv4 and IPv6 networks are separate
• Routing control and peering policies are independent between IPv4 and IPv6

<<IPv6 Backbone>>
• Use tunneling-link, where appropriate, to save cost
• Provide Native service and tunneling service, not dual service

<<IPv4 Backbone>>
• No effect on the existing IPv4 backbone from the IPv6 side
• IPv6 traffic is transferred as IPv4 traffic on the tunneling-link

[Figure legend: IPv6 Native-link; IPv6 over IPv4 Tunnel-link]

Current: IPv4/IPv6 Dual stack (ntt.net IPv4/IPv6 Dual Stack Backbone)

• All backbone routers handle both IPv4 and IPv6 traffic
• Routing control and peering policies are independent between IPv4 and IPv6
• Basically, trouble on one protocol is isolated from the other protocol

[Figure legend: IPv4/IPv6 Dual-link]

ntt.net runs more than 100 dual stack backbone routers now!

Page 7: NTT Communications’  IPv6 Backbone,  Access, and Applications


History of NTT Communications IPv6 Activities

1996 NTT Labs started to operate one of the world’s largest global IPv6 research networks.

1997 CICNet and NWNet, later acquired by Verio, started operating major nodes of 6bone.

1999 NTT Communications (NTT Com) obtained sTLA from APNIC.

NTT Com started IPv6 tunneling trial service for its domestic ISP “OCN” customers in Japan (over 200 trial customers).

2000 NTT MCL started the world’s first commercial IPv6 IX (s-IX) in San Jose, US.

NTT Europe started IPv6 trial service (over 400 trial customers).

2001 NTT Com started the world’s first commercial IPv6 services, “ntt.net IPv6 Gateway Service” and “OCN IPv6 Tunneling Service”.

HKNet started commercial IPv6 services in Hong Kong.

NTT Com played a key role in Japan National Project “IPv6 Home Appliance Trials”.

NTT Com participated in European Communities’ “6NET / Large-Scale International IPv6 Test bed” Project.

NTT Com participated in Chinese IPv6 Telecom Trial Network “6TNET” Project.

Page 8: NTT Communications’  IPv6 Backbone,  Access, and Applications


History of NTT Communications IPv6 Activities (Cont’)

2002 OCN started “IPv6/IPv4 dual stack ADSL access service” with Plug and Play feature (site auto-configuration).

NTT MSC started commercial IPv6 services in Malaysia.

NTT Australia IP started IPv6 services in Australia.

NTT Com won the World Communication Awards 2002, “Best Technology Foresight – IPv6” and “Best carrier – AP Region”.

2003 NTT Europe just started commercial IPv6 services in Europe.

VERIO (in US) and some Asia/Pacific Region subsidiaries (Korea, Taiwan) started commercial IPv6 services.

ntt.net’s backbone supported IPv4 and IPv6 dual stack.

2004 We provide IPv6/IPv4 dual stack services at all of ntt.net’s POPs.

Page 9: NTT Communications’  IPv6 Backbone,  Access, and Applications

NTT Communications’ Evolution in IPv6

[Figure: timeline 1996 to 2003 with rows for Network layer, Service platform, Application layer and Activities, divided into Research Phase, Trial Phase and Commercial Service Phase]

Items shown on the timeline:
- NTT Labs started global IPv6 research network
- Verio joined 6bone in the U.S.
- NTT Com obtained sTLA address
- OCN Tunneling Trial (200 users)
- NTT Europe IPv6 Trial (400 users)
- NTT MCL started commercial IPv6-IX service in the U.S.
- NTT Communications started commercial IPv6 service in Japan
- Services in Japan
- Service in Hong Kong
- Services in Malaysia / Australia
- Services in Korea, Taiwan, and The U.S.
- Service in Europe
- Join Japanese National Project
- Join Chinese Project “6TNet”
- Join European Project “6net”
- p2p application trial “P2P VPN Platform”

Page 10: NTT Communications’  IPv6 Backbone,  Access, and Applications

1. NTT Communications’ IPv6 Activities
2. Dual Stack ADSL Access Service
3. Service Platform & framework

Page 11: NTT Communications’  IPv6 Backbone,  Access, and Applications

Broadband Market in Japan & Our Position

[Figure: subscriber growth chart for DSL and FTTH, monthly from 2001 to 2003, vertical axis "Subscribers" from 0 to 10,000,000. Source: Nikkei Market Access Report, and www.soumu.go.jp]

[Figure: market share charts for Corporate BB (Oct. 2002), Residential BB (Mar. 2003) and DSL access (Mar. 2003); recoverable labels: NTTCom 36%, NTTPC 2%, IIJ 4%, others/no answers 30%, S 2%, C 2%, N 3%, F 4%, J 6%, K 11%]

Page 12: NTT Communications’  IPv6 Backbone,  Access, and Applications

OCN IPv6/IPv4 Dual ADSL Service outline

Service description

Features:
– Broadband (12M) access service via ADSL line of ACCA networks
– Provide IPv4 and IPv6 dual stack connectivity
– Easy to set up by Plug and Play function

Prospective customer segments:
– Advanced individual / So-Ho users
– IPv6 applications or devices developer

Address assignment:
– IPv4: one global address (dynamic)
– IPv6: one /48 global address prefix (static)

Additional service:
– Same as OCN IPv4 services (e-mail, Web, News, etc…)
– IPv6 DNS service

¥5,980 / month

[Figure: OCN/ACCA network (OCNv4 for IPv4 access, OCNv6 for IPv6 access) connected over the ADSL access line to the customer’s LAN; the Plug and Play function provides auto configuration for the router and auto configuration for hosts]

Page 13: NTT Communications’  IPv6 Backbone,  Access, and Applications

OCN IPv6/IPv4 Dual ADSL Service with PnP function

[Figure: protocol sequence between PE, CPE and Host, with the ADSL line between PE and CPE and the LAN between CPE and Host]

IPv4 connection
• ADSL segment: PPP with IPCP (Global IPv4 Address)
• LAN segment: DHCPv4 (Private IPv4 Address)

IPv6 connection
• ADSL segment: PPP with IPV6CP+PD (Link local IPv6 address); DHCPv6-PD delegates the Global IPv6 address /48 (Site Prefix)
• LAN segment: RA (Router Advertisement) carries a /64 (Site Prefix + NW ID)
• Host address layout: Site Prefix (/48), NW ID (up to /64), Interface ID
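The addressing chain on this slide (a /48 delegated to the CPE, a /64 advertised on the LAN, an Interface ID chosen by the host), worked through as an added example that is not part of the original slides. It assumes the modified EUI-64 interface ID commonly used with RFC 2462 stateless configuration; the documentation prefix, NW ID and MAC address are constructed values, and the function names are hypothetical. The last function shows a consequence worth knowing when a site prefix is static: the host's MAC is recoverable from such an address.

```python
import ipaddress

def lan_prefix(delegated, nw_id):
    """Build the /64 a CPE would advertise: delegated /48 + 16-bit NW ID."""
    site = ipaddress.IPv6Network(delegated)
    if site.prefixlen != 48:
        raise ValueError("expected a /48 site prefix")
    if not 0 <= nw_id <= 0xFFFF:
        raise ValueError("NW ID must fit in 16 bits")
    base = int(site.network_address) | (nw_id << 64)
    return ipaddress.IPv6Network((base, 64))

def eui64_interface_id(mac):
    """Modified EUI-64: flip the universal/local bit, insert ff:fe (assumed scheme)."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("MAC address must have 6 octets")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def slaac_address(prefix, mac):
    """Address a host forms from the advertised /64 and its own Interface ID."""
    return ipaddress.IPv6Address(int(prefix.network_address) | eui64_interface_id(mac))

def within_delegation(addr, delegated):
    """Check a source address really belongs to the customer's /48."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(delegated)

def mac_from_address(addr):
    """Recover the MAC from an EUI-64 style address, or None if not EUI-64."""
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

if __name__ == "__main__":
    SITE = "2001:db8:1234::/48"          # constructed documentation prefix
    lan = lan_prefix(SITE, 1)            # constructed NW ID
    host = slaac_address(lan, "00:11:22:33:44:55")  # constructed MAC
    print(lan, host, within_delegation(host, SITE), mac_from_address(host))
```
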

Page 14: NTT Communications’  IPv6 Backbone,  Access, and Applications

Standardization

[Figure: RADIUS server, PE, CPE and Host, connected by ADSL (PE to CPE) and LAN (CPE to Host)]

• Authentication, Link configuration: RADIUSv6 (RFC3162), PPP (IPV6CP) (RFC2472)
• CPE configuration (Prefix / DNS): DHCPv6-PD (RFC3315, RFC3633, RFC3769, RFC3646)
• Host configuration (Address / DNS): Stateless ADDR (RFC2462), (DHCPv6-lite or etc.) (RFC3736)

NTT Communications contributed to these RFCs

draft-shirasaki-dualstack-service-04

Page 15: NTT Communications’  IPv6 Backbone,  Access, and Applications

Experiences with our Dual ADSL Service

• Has been working well since the beginning of the service
• No impact on IPv4 single stack CPE
• Nation wide service via L2TP
• Other ISPs in Japan are using same spec

– 1500+ customers use this mechanism today

Page 16: NTT Communications’  IPv6 Backbone,  Access, and Applications

1. NTT Communications’ IPv6 Activities
2. Dual Stack ADSL Access Service
3. Service Platform & framework

Page 17: NTT Communications’  IPv6 Backbone,  Access, and Applications

New Internet Business model created by IPv6

IPv4: one-way communication
・ due to NAT, the business model is only client & server.

IPv6: two-way communication
・ two-way communications between information appliance and mobile equipment
・ New internet business models will be created

[Figure: on the IPv4 side, NAT sits between the global IP address and the private address space and one direction is marked ×; on the IPv6 side, a home network (information appliances), a network for mobile (mobile equipment) and a LAN (OA equipment) are connected, labelled Data exchange, Remote Maintenance, Remote Control, Real-time data distribution and Secure End-to-End Communication]

Page 18: NTT Communications’  IPv6 Backbone,  Access, and Applications

VPN model in IPv4 world and IPv6 world

IPv4 (conventional model)
• Access from “IN side” to “OUT side”
• Access from “MANY”
• Secure Transmission: Site to Site IPsec VPN

[Figure: Office LAN (company’s intranet) and Remote office LAN on private address segments, each behind an IPsec node; Web server and Mail server on global address segments; all connected over the IPv4 Internet]

IPv6 (improved model)
• Access from “OUT-side” to “IN-side”
• Restricted, secure access
• Secure Transmission: End to End IPsec VPN

[Figure: Office LAN on global address segments connected over the IPv6 Internet to the outside]

Page 19: NTT Communications’  IPv6 Backbone,  Access, and Applications

One of the problems of p2p secure communication…

Global IP Address
• IPv4: Lack of Global IP address; apply NAT and introduce private address
• IPv6: Enough Global IP address; can assign Global IP addresses on every device networked

Secure communication
• IPv4: Only Site to Site secure communications available
• IPv6: Can set up secure communication not only Site to Site connection but also End to End connection: the key of the IPv6 market

One of the problems is management of security configuration: end users have to manage security policy, which can involve many different configurations at end equipment.

Our solution is: P2P VPN Platform

Page 20: NTT Communications’  IPv6 Backbone,  Access, and Applications

IPv6 P2P VPN Platform Trial Service

IPsec policy server to provide IPsec policy file to each peer on demand
- Effortless setup: Set up end-to-end secure communication easily using web interface. No or low skill requirements
- Adaptable to all communication modes: Client-Server, Peer-to-Peer, Mobile
- Secure instant communication: Connect instantly, while achieving end-to-end security

[Figure: IPsec Policy Server and CA on the ntt.net IPv6 Global Backbone, delivering IPsec Policy and Digital Certificate to Headquarters, Branch Office A, Branch Office B, a HOTSPOT, a Strategic Team and a server in the Verio Data Center, which are linked by IPsec; a Hacker is shown seeing only garbled text]

Joint development by

Page 21: NTT Communications’  IPv6 Backbone,  Access, and Applications

Case study: P2P VPN Platform

Set up IPsec connection and manage their security policy easily: just register the correspondent person in his/her own address book on the web site

Exchange medical data via End to End IPsec secure connection

[Figure: User A (Hospital A), User B (Clinic B) and User C on the IPv6 network; an IPsec Management server sets up users and certifies users with certificates; IPsec (authentication, encryption) provides secure data exchange and keeps integrity; a Hacker is shown seeing only garbled text]

Page 22: NTT Communications’  IPv6 Backbone,  Access, and Applications

m2m-x (Machine to Machine for any[thing|place|time])
~Provide End-to-End Secure Communications Using IPv6~

“Secure, Easy and Low-priced”

m2m-x management server functions:
- Authentication of all the devices
- Access Control based on the security policy
- Transmission of encryption keys in a way making the calculation process light-weighted
- The existence of the device is hidden from unauthorized users
- Transmission of Information necessary for dynamic control of Firewall devices

Core Technology = SIP & IPsec

[Figure: m2m-x Management Server on the IPv6 Internet, with a Home Network, a Mobile Phone Gateway, an Enterprise Network and non-PC devices, connected by a Signaling Channel and a Data Channel]

Page 23: NTT Communications’  IPv6 Backbone,  Access, and Applications

m2m-x IP Home Appliance trials (2004.1Q-3Q)

[Figure: trial applications built on IPv6 and m2m-x (NTT Com), grouped under Home Security, Visual Communication, Ubiquitous Office and Net Toy]

• Personal VPN (NTT Com, Fujitsu, Toshiba, DIT)
• Multi-Media Communication (Sanyo)
• PS2 TV-Phone (Sony)
• Hotline w/ TOY Control Port (Takara)
• Bluetooth Home Security (Toshiba)
• Cyber Conference (Pioneer)
• EMIT Home System (Matsushita)
• Ubiquitous Printing (Ricoh)

Page 24: NTT Communications’  IPv6 Backbone,  Access, and Applications


Ubiquitous Open Platform Forum

• Home Appliance Manufacturers and ISPs established “Ubiquitous Open Platform Forum” to accelerate Internet Home Appliance market (Feb. 10th, 2004)

– Manufacturers: Hitachi, Matsushita Electric Works, Mitsubishi, Panasonic, Pioneer, Sanyo, Sony, Toshiba

– ISPs: NTT Com, KDDI, Fujitsu, NEC, Panasonic, Sony

• To establish a ubiquitous platform that permits easy setup, secure communication, and easy real-time connection among various home appliances

• NTT Com is leading this forum and NTT Com employees are acting in key roles

• NTT Com is proposing m2m-x as the standard platform of UOPF

http://uopf.org/en/

Page 25: NTT Communications’  IPv6 Backbone,  Access, and Applications

Technology Outline of m2m-x ~Security Based on SIP/IPsec~

[Figure: UA1 and UA2, each connected to the m2m-x Management Server (signaling based on SIP), which is backed by a RADIUS Auth-Server; a Data Channel runs between UA1 and UA2]

Signaling Channel:
- SIP REGISTER
- Mutual Authentication Based on Pre-Shared Key or X.509 Certificate
- Establishment of IPsec Tunnel
- RADIUS Authentication friendly to ISPs’ operation
- Signaling Channel is encrypted with IPsec at the time of SIP REGISTER Authentication process.

Data Channel:
- SIP INVITE
- Encryption Key Exchange for Data Channel
- Establishment of IPsec Tunnel
- Data Channel is also encrypted with IPsec making use of secure Signaling Channel.

Page 26: NTT Communications’  IPv6 Backbone,  Access, and Applications

DNS vs m2m-x (example: private server access)

DNS

[Figure: My PDA and an Attacker on the WAN, a FW/NAT with an access list, and My Server on the LAN]

X anybody can see the presence and address of your home server
X tiresome FW/NAT configuration
X services are always open for anybody
X tiresome id/pass and access management

m2m-x

[Figure: the same topology with m2m-x; the Attacker’s path is marked ×]

• Possible to hide the existence of a node from unauthorized users
• automatic and real-time access security control
• automatic encryption management
• access management

Page 27: NTT Communications’  IPv6 Backbone,  Access, and Applications

Key Management Method

Pre-Shared Key: some advantages but, Not Scalable. So,

Normal Pre-shared Key model: All User Agents (UAs) have shared keys with the others (Full mesh model)
- Not scalable

m2m-x Pre-shared Key model: Each UA has the shared key only with the management server (trusted 3rd party model)

[Figure: a full mesh of UAs beside UAs each connected only to the m2m-x Management Server]
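The two key-management models on this slide, together with the "Encryption Key Exchange for Data Channel" step of the technology outline, as an added example that is not NTT Com's m2m-x code. The class, function names and the HMAC-SHA256 wrapping scheme are assumptions for illustration (the slides specify IPsec, not this construction); UA names and keys are constructed.

```python
import hashlib
import hmac
import secrets

def keys_full_mesh(n):
    """Normal pre-shared key model: one key per pair of UAs."""
    return n * (n - 1) // 2

def keys_trusted_third_party(n):
    """Trusted 3rd party model: one key per UA, shared only with the server."""
    return n

def _prf(psk, label, *parts):
    # Length-prefix each field so different field splits cannot collide.
    msg = label + b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(psk, msg, hashlib.sha256).digest()

def wrap_key(psk, session_key, ua_id, peer_id):
    """Encrypt-then-MAC a 32-byte session key under one UA's pre-shared key."""
    nonce = secrets.token_bytes(16)
    pad = _prf(psk, b"enc", nonce)
    ct = bytes(a ^ b for a, b in zip(session_key, pad))
    tag = _prf(psk, b"mac", nonce, ua_id, peer_id, ct)
    return {"nonce": nonce, "peer": peer_id, "ct": ct, "tag": tag}

def unwrap_key(psk, ua_id, grant):
    """Check the grant is meant for this UA and untampered, then decrypt it."""
    want = _prf(psk, b"mac", grant["nonce"], ua_id, grant["peer"], grant["ct"])
    if not hmac.compare_digest(want, grant["tag"]):
        raise ValueError("grant failed authentication")
    pad = _prf(psk, b"enc", grant["nonce"])
    return bytes(a ^ b for a, b in zip(grant["ct"], pad))

class ManagementServer:
    """Hypothetical trusted third party holding one PSK per enrolled UA."""
    def __init__(self):
        self._psk = {}
        self._access_list = set()

    def enroll(self, ua_id):
        self._psk[ua_id] = secrets.token_bytes(32)
        return self._psk[ua_id]

    def permit(self, a, b):
        self._access_list.add(frozenset((a, b)))

    def broker(self, caller, callee):
        """Issue one fresh data-channel key, wrapped separately for each UA."""
        if frozenset((caller, callee)) not in self._access_list:
            raise PermissionError("pair not on the access list")
        key = secrets.token_bytes(32)
        return (wrap_key(self._psk[caller], key, caller, callee),
                wrap_key(self._psk[callee], key, callee, caller))

if __name__ == "__main__":
    srv = ManagementServer()
    k1, k2 = srv.enroll(b"UA1"), srv.enroll(b"UA2")  # constructed UA names
    srv.permit(b"UA1", b"UA2")
    g1, g2 = srv.broker(b"UA1", b"UA2")
    print(unwrap_key(k1, b"UA1", g1) == unwrap_key(k2, b"UA2", g2))
    print(keys_full_mesh(1000), "keys vs", keys_trusted_third_party(1000))
```

The trade-off the slide leaves implicit is visible in the class: the server's key table is the single point whose compromise exposes every UA.
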

Page 28: NTT Communications’  IPv6 Backbone,  Access, and Applications

Conclusion

• We have a worldwide full dual stack backbone.
• We have more than three years’ experience providing commercial IPv6 connectivity services.
• We have not only IPv6 connectivity services but also IPv6 promotions, service platforms and new frameworks.
• We are your partner.

Page 29: NTT Communications’  IPv6 Backbone,  Access, and Applications


Contact

•NTT Communications: http://www.v6.ntt.net/index_e.html

•IPv6 portal site: http://www.ipv6style.jp/en/index.shtml

•UOPF: http://uopf.org/en/

•Mail to : [email protected]

Thank you for your attention!