China Telecom IPv6 Introduction Strategy
Mar, 2009

Agenda
- Background to and necessity of introducing IPv6
- IPv6 development at international carriers
- IPv6 introduction strategy for China Telecom's IP networks
- IPv6 over MPLS deployment models
- Strategy for introducing IPv6 into the mobile C network

Background to and necessity of introducing IPv6

IPv6 Becoming a Hot Topic Again
- More inquiries to Juniper and NSP mailers related to IPv6
- Search on IPv6 on "Google Trend" shows:
  - Rise in both the number of searches and the reference volume on IPv6
- ISP and Content Provider are reconsidering IPv6
  - IPv4 is set to run out next year or so (per ARIN)

Service and Content Providers
- Business case unclear: it's still cheaper and easier to hook up an IPv4 site
- ISCPs need to play along: no real content on IPv6-only sites today
- Need a good solution for IPv4-only hosts to communicate with IPv6-only hosts
- And other details to make it work

ISCP Deployments
- Cable SP
  - Millions of set-top boxes to be addressed
  - It made sense to use IPv6 addresses rather than make the effort to get millions of IPv4 addresses
  - HW and infrastructure had to change
- Giant Telco
  - FTTH access to video servers
- Content SP
  - Has dual stack in network, but no content yet

What Do We Think Will Happen?
- IPv4 address exhaustion is approaching in the next few years
  - Consumption of IPv4 addresses is accelerating
  - Current trends predict that IANA will run out of addresses to assign by the end of 2009
  - This may create problems for the internet
- If we do nothing
  - Internet will keep working
  - Will be very challenging to grow

Potential Mitigations for IPv4 exhaustion
- Temporary Mitigations
  - Return experimental blocks to the pool of regular addresses
    - Challenges there
    - Requires standardization effort
    - HW/SW upgrades will be required
    - Cost will be huge for a small gain
  - Reclaim unused addresses
    - May require renumbering due to fragmented address space
    - Requires changes in policies
    - Will take years, not cheap

Potential Mitigations for IPv4 exhaustion (continued)
- Temporary Mitigations
  - Increased use of NAT (NAT: A Tool to Prevent IPv4 Exhaustion)
    - Has its own issues and challenges: scaling issues, expensive, etc.
  - We'll see more networks with few global IPv4 addresses
    - They will still use private IP and NAT

NAT Causes Problems
- Breaks globally unique address model
- Breaks address stability
- Breaks always-on model
- Breaks peer-to-peer model
- Breaks some applications
- Breaks some security protocols
- Breaks some QoS functions
- Introduces a false sense of security
- Introduces hidden costs (applications and operations)
- NAT inhibits development of new applications
- IPv6 = plentiful, global addresses = no NAT

IPv6 drivers and applications
- Drivers
  - Address space
  - Efficiency
  - Security
  - Automatic configuration
- Applications
  - Mobile IP
  - P2P applications
  - Internet-connected smart home appliances

Mobile IP
Current Wireless Subscribers
Sources: U.S. Census Bureau, International Data Corp.

Region          Number          Regional Percentage
Europe          366.8 Million   57.7%
Japan           72.8 Million    57.3%
Asia Pacific    332.2 Million   10.9%
North America   156.6 Million   50.1%

IPv6 driving forces
The common factor in all cases is:
- For billions of new users
- For billions of new devices
- For always-on access
- For transparent Internet connectivity, the way it was meant to be
MORE IP ADDRESSES

IPv6 development at international carriers

IPv6 Deployment
- IPv6 in the core of SP networks
  - Many backbones/core networks of ISPs have already made a move to IPv6
    - Either native IPv6 (dual stack)
    - Or using some kind of tunnels (including MPLS)
  - Many others have concrete plans for supporting IPv6; it is a matter of appropriate time

IPv6 Deployment (continued)
- IPv6 in the end user platforms
  - Many operating systems have supported IPv6 for years; it is fair to say that all OSs marketed today support IPv6
  - Some IPv6 applications, such as peer-to-peer, may be cheaper to develop than IPv4 apps because of NAT implications

IPv6 Deployment (continued)
- Majority of Access/Edge networks (last-mile) don't yet support IPv6
  - No economic incentive to update access networks
  - No new services to help pay for the upgrade cost
  - Most of the low cost residential routers are not IPv6 ready
- No real content available on IPv6-only sites today
  - No real incentive for Content Providers to move to IPv6
  - No new revenues are foreseen, at least not until new applications can be offered that take advantage of IPv6
- No benefit of IPv6 when it comes to applications such as internet browsing, email, client-to-server apps
  - These work fine with NAT

IPv6 Deployment around the globe
- In North America, networks are generally less IPv6 ready as compared to Asia & Europe
- In Japan, some ISPs provide IPv6 up to the edge for residential customers; this has not yet happened in North America
- Much larger percentage of ISPs in Asia and Europe support IPv6 in the core of their networks than in North America
- Most of the Research and Education networks and universities in Japan and Europe support IPv6

The Preferred IPv6 Supplier
- Juniper included IPv6 from the beginning
  - IPv6 support in the very first M40 ASICs
  - Juniper supported IPv6 in hardware when others supported it only in software, if at all
- Juniper has long been the preferred vendor for high-performance, next-generation IPv6 networks

Osiris

Juniper in CNGI
- Cernet: 5 T640s at 5 core nodes; 8×OC192, 52×OC48, 9×10GE, 20×GE
- China Telecom: 3 T640s at the three core nodes in Beijing, Shanghai and Guangzhou
- China Netcom: 4 T640s at the three core nodes in Beijing, Shenyang and Changchun
- China Mobile: 1 T640 as the core node
- China Unicom: 9 M320s, carrying IPv6 over the existing MPLS L2 circuits built on T640s; the IGP is ISISv4/v6
- China Railcom: 3 M320s, 1 M40e

IPv6 Around the World: Japan
- Government mandates that IPv6 be implemented by 2005
  - eJapan Initiative
  - eJapan II (May 2003)
    - Refocus on applications
    - Medical, Food, Finance, Homelife, Intelligence, Labor, Government Services
- IPv6 Promotion Council of Japan
  - 8B (US$70M) for IPv6 R&D
- 2002-2003 Tax Incentive Program
  - ISPs can get reduced corporate and fixed property tax for newly acquired IPv6-ready routers
- NTT is worldwide provider of commercial IPv6
  - APAC, US, and Europe
  - Pioneering work on IPv6 broadband access
- For up-to-date IPv6 information and resources: www.ipv6style.jp

IPv6 Around the World: Japan
- Commercial IPv6 ISPs:
  - NTT
  - IIJP
  - Japan Telecom
  - KDDI
  - Global Crossing
  - Chita Medias
  - MIS
- Research & Initiatives:
  - Japan Gigabit Network (JGN)
  - KAME: BSD IPv6
  - USAGI: IPv6 for Linux
  - TAHI: IPv6 verification technology
  - Widely Integrated Distributed Environment (WIDE)
    - Very focused on innovative, practical applications

IPv6 Around the World: South Korea
- Currently the leader in broadband use
  - 45% of households
- Government-mandated transition roadmap (February 2001)

IPv6 Around the World: South Korea
- Research and Development
  - KRv6 Project
    - Developing transition strategies
    - Developing IPv6 infrastructure and NGI applications
  - KOREN (Korea Research and Education Network)
    - Native IPv6 network connectivity
  - TransEurasia Information Network (6neat)
    - Continental network between Korea and Europe
- Network Trials and Services
  - 6NGIX (IPv6 Next Generation Internet eXchange)
    - First IPv6 exchange point in Korea
  - 6KANet (IPv6 Korea Advanced Network)

IPv6 Around the World: Taiwan
- Research and Development
  - TANet/TANet2 (Taiwan Research Network)
  - NBEN (National Broadband Experimental Network)
  - 6TANET (IPv6 Translation Network Environment of Taiwan)
  - 6TIME (IPv6 Transition for Mobile Environment)
  - 6GIANT (IPv6 Gallop Internet Appliance of Taiwan)
  - 6NDHU (IPv6 National Dong Hwa University)
  - 6REAL (IPv6 Ready Application Lab)
- Commercial Trial
  - HiNet
  - Important for gaining experience with transition mechanisms
- National IPv6 Deployment and Development Program (October 2001)
  - 2003 budget: US$1.7M
  - Phase I: IPv6 Steering Committee (2002)
  - Phase II: Transition, native network deployment (2002-2006)
  - Phase III: Complete transition from IPv4 to native IPv6 (2007-)

IPv6 Around the World: IPv6 Exchange Points in Asia
(as of February 2004)

IPv6 Around the World: Europe
- Over 40 Research Projects, including:
  - GEANT
    - Includes over 25 NRENs
  - 6INIT
    - EU funded
    - First phase toward large-scale IPv6 deployment
  - 6NET
    - High-capacity IPv6 research network
  - Euro6IX
    - Pan-European native IPv6 R&D backbone
    - Consortium of telcos, industries, universities
    - IPv6 PKI (Public Key Infrastructure) service
  - Eurov6
    - Permanent IPv6 multi-vendor showcase and testbed
  - 6LINK
    - IPv6 project clusters
    - Consensus building for IPv6 development and deployment
  - 6POWER
    - IPv6 over power lines
  - 6QM
    - IPv6 QoS measurement

IPv6 Around the World: Europe
- Commercial Deployment
  - NTT Europe
  - Many commercial pilot projects
    - France Telecom
    - Telecom Italia
    - EdisonTel (Italy)
    - Arsys
    - Telefonica Data
    - Swisscom
    - Deutsche Telekom
    - British Telecom
    - Telia

IPv6 Around the World: Exchange Points in Europe
(as of February 2004)

IPv6 Around the World: United States
- Early adoption slower than Asia and Europe
  - Less IPv4 address depletion
  - Wireless is behind the times
  - Everyone wants to see the business case first
  - No government initiatives (yet!)

"Compounding the problem, carriers have cut spending amid a weak U.S. economy and tight capital supply. North America, which has 74 percent of the world's Internet Protocol addresses, has little incentive to make the change. Europe has 17 percent of the addresses while Asia has 9 percent." W

IPv6 Around the World: United States
- Department of Defense (DoD) initiative will quickly change the US "laggard" reputation
  - As of October 2003, all network equipment purchased by DoD must be IPv6-capable
  - Moonv6 testbed in operation, moving to Phase II
  - Minimizing future transition costs by adding IPv6 capabilities now
  - Transition to IPv6 to be completed by 2008
  - Already inspiring interest in other government agencies (Department of Commerce, for example)
  - Already inspiring interest in other military organizations (Japan's SDF, for example)
  - More on the DoD Global Information Grid in case studies

IPv6 Around the World: United States
- Research and Development:
  - 6Bone
    - IPv6 testbed
  - Star Tap
    - International High Performance
    - Funded by National Science Foundation (NSF)
  - vBNS
    - Funded by NSF and Worldcom
  - 6REN
    - Research and Education Network
    - Established by ESnet (Energy and Sciences Network)
  - Internet2
    - Partnership of government, academia, and industry
    - Applications
    - Middleware
    - Advanced network infrastructure (Abilene)
- Commercial IPv6 Offerings:
  - NTT/Verio
  - Worldcom, Cable & Wireless, Qwest, others

IPv6 Around the World: Exchange Points in Americas
(as of February 2004)

IPv6 introduction strategy for China Telecom's IP networks

Core issues to resolve when introducing IPv6
- Relationship between IPv4 and IPv6
  - Migration and coexistence
- IPv6 service positioning
  - Initially, open mainly to C-network services
  - Later, gradually open to individual-subscriber services
- IPv6 introduction strategy for the backbone, metropolitan area and access networks
- IPv6 introduction strategy for the C network
- IPv6 traffic monitoring and control
- IPv6 security considerations

Relationship between IPv4 and IPv6
- Migration and coexistence
  - IPv6 and IPv4 will coexist for a period of time
  - It takes time for the whole system (network / operating system / applications) to support IPv6
  - Most of today's applications are still IPv4-based
  - IPv4 will remain in use for a long time
- The application chooses whether to use IPv4 or IPv6
  - DNS returns both IPv4 and IPv6 addresses
  - Some applications have started to prefer IPv6
    - MS Internet Explorer

IPv6 introduction principles
- Different networks have different requirements for introducing IPv6
  - Each has its own plan
  - Phased deployment
- Factors to consider
  - Technology: is an upgrade needed? What applications are there?
  - Policy: how will IPv6 traffic be managed and monitored?
  - Education: have the technical staff been trained on IPv6?
- Introduce according to plan

IPv6 introduction strategy for the IP backbone
- Different backbones adopt different introduction strategies
  - Initially, C-network IPv6 services are carried over CN2
  - Later, individual-subscriber IPv6 services are carried over 163
- CN2 mainly carries C-network/NGN, video and key-account services
  - Initially, IPv6 services are carried over MPLS tunnels
  - Ultimately, converge on IPv6 dual stack
    - Enable multi-topology IGP routing
    - Enable the v6 BGP protocol
    - Enable Netflow v9 to sample v6 traffic
    - Apply security management and control to v6 traffic

IPv6 routing protocol support requirements
- IS-IS support for IPv6
  - Multi-topology support
  - Protocol authentication support
  - BFD support
- BGP support for IPv6
  - Protocol authentication support
- Policy control
  - Route filtering
  - Policy routing
  - QPPB

Routing Protocols
- Static Routes
  - BFD
- RIPng
  - Graceful Restart
- OSPFv3
  - IPv6 EH authentication
  - IPSec encryption (ESP Header)
  - Overloading
  - Graceful Restart
  - BFD
- IS-IS
  - Authentication
  - Unicast Mesh Groups
  - Multicast Mesh Groups
  - Graceful Restart
  - BFD
- Multitopology IS-IS
  - Unicast
  - Multicast
- MBGP
  - Authentication
  - BGP peering to IPv6 endpoints
  - IPv6 routes over IPv4 peering
  - IPv6 Prefix Limits
- Interface counters
- Routing Policy
  - IPv6 multicast scoping
  - IPv6 address family
  - IPv6 prefixes
  - IPv6 route destination address

Netflow v9 support
- Export flow records as per RFC 3954.
- RFC 3954 provides a way to define templates.
- Templates and the fields included in the template are transmitted to the collector periodically.
- Support fields for various protocols: MPLS, IPv4, IPv6
- The IPv6 template includes the following specific fields:
  - IPv6 Source Address and Mask
  - IPv6 Destination Address and Mask
  - L4 Source Port
  - L4 Destination Port
  - IPv6 TOS
  - IPv6 Protocol
  - TCP Flags
  - Source MAC Address
  - Destination MAC Address
  - IP Protocol Version

IPv6 security management and control
- SNMP
  - HP Openview/IBM Tivoli
- Tools:
  - Argus/Nagios/MRTG/AS PATH tree/Weathermap/Rancid/Looking Glass
- Security
  - Unicast IPv6 RPF
  - IPv6 Firewall
  - IPSec for IPv6
- Other measures
  - Automatic tunnels easily lead to address spoofing
  - Avoid address translation wherever possible
  - If automatic tunnels are used, add security with IPSec
  - The dual-stack mechanism is more secure
  - Allow only explicitly configured tunnels
    - Manually configured
    - Automatic tunnels with appropriate authentication
  - Do not embed IPv4 addresses in IPv6 addresses
  - Do not define IPv6 address formats that are not in use
  - Strictly filter spoofed packets

Operations
- SNMP Agents and Data over IPv6
- IPv6 MIBs
- IPv6 Packet Filtering
  - Source/Destination Address
  - ICMP Values
  - Next Header field
  - Packet Length
  - Traffic Class field
  - TCP Flags
- cFlowd v9 for IPv6
- DHCPv6
- Support for IPv6 NTP server
- NAT PT using Service PIC
- IPv6 Ping
- SSH
- Telnet
- Syslog

Packet Forwarding
- Hardware Forwarding
  - M and T
- DSCP-IPv6 Classification
  - BA Classifiers
- Filter-Based Classification
  - MF Classifiers
- DSCP-IPv6 Rewrite Markers
- Two-Rate Tri-Color Marking
- Unicast RPF
- IPv6 Aggregate Policing
- Filter-Based Forwarding
- Class-Based Forwarding
- Destination/Source Class Usage
- Route Class Policy
- Forwarding Table Filtering
  - Filtering TCP/UDP in the presence of IPv6 extension headers

Transition Planning
- Assumption: Existing IPv4 network
- Easy Does It
  - Deploy IPv6 incrementally, carefully
- Have a master plan
- Think IPv4/IPv6 interoperability, not migration
- Evaluate hardware/software support
- Evaluate application porting
- KEEP TRANSITION SIMPLE
  - Limit scope and interaction of mechanisms
  - Make sure normal humans can fully understand the interactions and implications of all mechanisms
- Monitor IETF v6ops WG
  - ngtrans WG has been closed

IPv6 introduction step 1 - Planning
- Equipment selection
  - Explicitly require support for each IPv6 feature
  - Make sure the equipment can deploy IPv6
- Apply to APNIC for IPv6 addresses
- Plan addressing for each site
- Arrange IPv6 training for the relevant technical staff
- Establish the IPv6 status of systems and applications
- Define IPv6 routing and access policies

IPv6 introduction step 2 - Testing/pilot
- Select pilot devices and deploy IPv6
  - Configure IPv6 routing and authentication
  - Set up IPv6 access-control filters
  - Establish connectivity with the CNGI nodes
- Connect the pilot devices to test hosts
  - Enable IPv4/IPv6 dual stack
  - Turn on the IPv6 protocol stack on the hosts; DNS can be set up at the same time
- Test the relevant IPv6 applications
- Check for IPv6 security issues

IPv6 introduction step 3 - MPLS tunnel deployment
- MPLS tunnel deployment
  - CN2 backbone PEs provide IPv6 tunnel transit for the CNGI nodes
  - Use traffic engineering and similar means to manage and monitor IPv6 traffic
- Deploy IPv6 applications through DNS
  - Add IPv6 addresses to DNS to provide IPv6 DNS resolution
  - Roll out IPv6 applications such as www and SMTP
- Periodically check for IPv6 security issues

IPv6 introduction step 4 - Converged deployment
- Phased dual-stack deployment (services start only after the network deployment is complete)
  - Deploy first at the super-core nodes in Beijing, Shanghai and Guangzhou
  - Extend the deployment to all eight major nodes of the core layer
  - Deploy at the distribution layer
  - Deploy at the aggregation layer, completing the CN2 backbone deployment
- Converge with the CNGI nodes
- Use management/monitoring tools to monitor IPv6 traffic
- Deploy IPv6 applications through DNS
  - Add IPv6 addresses to DNS to provide IPv6 DNS resolution
  - Roll out IPv6 applications such as www and SMTP
- Periodically check for IPv6 security issues

Dual-stack deployment: advantages and issues
- Advantages
  - Tunneling and translation are only temporary solutions to the problem of reaching IPv6
  - Tunneling introduces security problems
  - Translation introduces performance problems
  - Only dual stack truly converges IPv6 and IPv4
- Issues
  - The application must be explicit about which protocol it uses, v4 or v6
    - DNS returns IPv4 (A records) and IPv6 (AAAA records)
    - MS Internet Explorer prefers IPv6
    - If the IPv6 network is not properly deployed, do not send AAAA records
  - Whether device performance is affected
    - Does enabling IPv6 affect IPv4 performance?
    - Does enabling dual stack affect device performance?

Transition Strategies: Dual Stacked IPv4/IPv6 Backbone
- (Possibly) lower capital expense
- (Possibly) higher operational complexity
- More risk of network disruption during migration
- Less incremental migration
- Legacy equipment issues
Diagram labels: Access, Access, IPv4, IPv4/IPv6

Transition Strategies: Dual-Stacked IPv4/IPv6 Backbone
- Migration Direction:
  - All at once
    - If all hardware and software is IPv6 capable
    - Migration is then controlled by DNS and address assignment
  - Edge-to-core
    - The edge is the killer app!
    - When services are important
    - When addresses are scarce
    - User (customer) driven
  - Core-to-edge
    - Reduced complexity (no tunneling)
- What hardware/software must be upgraded?
  - If "a lot," cost/complexity of migration is significantly increased
- Watch for dependencies!
  - Perform careful regression testing

Transition Strategies: Separate IPv4/IPv6 Backbones
- (Possibly) higher capital expense
- Lower operational complexity
- Low risk to operational network
- Easier, more incremental migration
Diagram labels: IPv4, IPv6, Access, Access

IPv6 introduction and deployment in the metropolitan area network (MAN)
- Recommended principles for IPv6 deployment
  - Building on the network topology and protocols already used in the MAN, the deployment plan must stay consistent with the existing MAN architecture, minimize the network complexity that introducing IPv6 brings, and avoid any impact on IPv4 services and the IPv4 network
  - For edge access, we do not recommend protocol-translation techniques such as NAT-PT/ALG: they break the end-to-end nature of IP and cannot adequately support new services such as multimedia
  - Choose a reasonable IPv6 evolution and deployment plan according to the specific IPv6 needs of each MAN
- Deployment plan for the IP metropolitan backbone
  - Early stage of service development:
    - Small and medium MANs are advised to build the IPv6 network with GRE tunnels / virtual routers, using dedicated IPv6 equipment to manage services centrally
    - In large MANs, the IP metropolitan backbone is built with 6PE/6VPN
  - Large-scale service deployment stage: build the network as dual stack
- Deployment plan for the access network
  - L2TP tunnel, LNS dual-stack mode (the LNS provides IPv6 service centrally)
  - PPP dual-stack mode (layer 2 CPE + dual stack PC/EDGE)
  - Leased-line users: dual-stack mode + statically configured IPv6

Building the IPv6 network with GRE tunnels / virtual routers
- For small and medium MANs where device performance is relatively poor and the MAN upgrade and optimization has not been completed, build the IPv6 network with GRE tunnels / virtual routers
  - 6to4 (RFC 3056) tunnel technology
  - Manual configuration is recommended, to reduce complexity
  - User IPv6 addresses are assigned by static configuration or PPP authorization; DHCP is not used for the time being
- Building the IPv6 network with virtual routers
  - The existing IPv4 network virtualizes a dedicated IPv6 network according to service demand
- Deploy a native IPv6 network with its own physical link resources
Diagram labels: IPv6 network, IPv4 network

Carrier IPv4 and IPv6 Network
Diagram labels: Layer 2 Access, VC or VLAN, IPv4 and/or IPv6 devices, Layer 2 or Layer 3 CPE device, ERX IPv4/IPv6 Edge Router, RADIUS
Simultaneous Support for IPv4 and IPv6 traffic over a s
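The filtering guidance on the IPv6 security management and control slide (automatic tunnels invite address spoofing, do not embed IPv4 addresses in IPv6 addresses, filter spoofed packets strictly) can be applied to the source addresses seen in flow records or packet filters. The following is an added example, not part of the original deck: the function names, the bogon list and the sample addresses are assumptions constructed for illustration, and it generalizes beyond 6to4 to the other well-known address formats that embed an IPv4 address.

```python
import ipaddress

# Embedded IPv4 values that cannot be a legitimate tunnel endpoint at a
# carrier edge (assumed list for this example: private, loopback, link-local,
# "this network", multicast and reserved space).
BOGON_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def embedded_ipv4(addr):
    """Return (format, IPv4Address) if addr carries an IPv4 address, else None."""
    a = ipaddress.IPv6Address(addr)
    value = int(a)
    low32 = ipaddress.IPv4Address(value & 0xFFFFFFFF)
    if a.ipv4_mapped is not None:                 # ::ffff:a.b.c.d
        return "ipv4-mapped", a.ipv4_mapped
    if a.sixtofour is not None:                   # 2002:V4ADDR::/48 (RFC 3056)
        return "6to4", a.sixtofour
    if a.teredo is not None:                      # 2001:0::/32 -> (server, client)
        return "teredo", a.teredo[1]
    if (value >> 32) == 0 and value > 1:          # ::a.b.c.d (deprecated form)
        return "ipv4-compatible", low32
    if ((value >> 32) & 0xFFFFFFFF) in (0x00005EFE, 0x02005EFE):  # ISATAP IID
        return "isatap", low32
    return None

def screen_source(addr, allowed_tunnels=()):
    """Verdict for one source address; only explicitly allowed formats pass."""
    hit = embedded_ipv4(addr)
    if hit is None:
        return "accept"
    fmt, v4 = hit
    if any(v4 in net for net in BOGON_V4):
        return "drop: %s embeds non-routable %s" % (fmt, v4)
    if fmt not in allowed_tunnels:
        return "drop: %s not explicitly configured" % fmt
    return "accept"

# Constructed sample sources (documentation prefixes, not captured traffic).
SAMPLES = ["2001:db8:10::1", "2002:c000:0201::1", "2002:0a00:0001::1",
           "::ffff:192.0.2.7", "fe80::5efe:c0a8:0101"]

def run(allowed_tunnels=("6to4",)):
    """Screen every sample, allowing only the operator-configured 6to4 format."""
    return {s: screen_source(s, allowed_tunnels) for s in SAMPLES}

if __name__ == "__main__":
    for src, verdict in run().items():
        print(f"{src:26} {verdict}")
```

With an empty `allowed_tunnels`, every embedded-IPv4 source is dropped, which matches a network that permits manually configured tunnels only.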


