Rome, 31 March 2009. Sistema Pubblico di Connettività (SPC): QXN (Qualified eXchange Network). Mauro Mascagna (Technical Director, QXN s.c.p.a.)

Page 2 Qualified eXchange Network. Agenda: The QXN Consortium; Goals; QXN network infrastructure; QXN services; Future developments.

Page 3 The QXN Consortium: milestones. Set up on 10 July 2006. Founding members: the four major Italian telecom operators (the original chart gives their shares as 60%, 25%, 10% and 5%). In October 2006 the QXN Consortium signed a contract with CNIPA to implement and run the QXN infrastructure and services.

Page 4 QXN Consortium: organization. Management Board, formed by representatives of the four founding members of the Consortium: 1 President (BT Italia), 1 CEO (Fastweb), 4 Fastweb representatives, 1 BT Italia representative, 1 Wind representative, 1 Telecom Italia representative. Technical Committee: 1 Chairman (the QXN Technical Director) and 1 representative each from CNIPA, BT, Fastweb, Wind, Telecom Italia, Namex, MIX and CG-SPC.

Page 5 QXN on the Internet: company website (screenshot).

Page 6 QXN Consortium: main goals. To design, implement, operate and develop a geographically distributed IP backbone infrastructure (QXN) acting as an exchange network among the backbones of the SPC Q-ISPs (Qualified Internet Service Providers). To provide Q-ISPs with access to QXN services (such as housing, access ports, guaranteed bandwidth, centralized DNS, NTP server). To guarantee equal access conditions to the QXN infrastructure and services both to the members of the Consortium and to the other Q-ISPs.

Page 7 QXN within the SPC general framework (diagram). Elements shown: PAL and PAC (local and central public administrations); QXN; QCN (Qualified Community Networks 1..n); Centro Servizi Cooperazione Applicativa; CG-SPC; Nodo Interconnessione VoIP (NIV); Centri Servizi Interoperabilità Evoluta 1 and 2; SPC Rete Nazionale Multifornitore (Q-ISP 1, Q-ISP 2, ..., Q-ISP n); SPC Rete Internazionale (RIPA).

Page 8 QXN within the SPC general framework (2). QXN is a "corner stone" of the SPC framework because of its central role in: SPC management; technology and services; security; SPC future developments.

Page 9 QXN centrality in SPC management. The QXN Consortium, through its bodies (Management Board, Technical Committee), acts as an aggregation point among all the actors involved in SPC: CNIPA, the Q-ISPs, CG-SPC and NIV. This is fundamental in helping CNIPA manage an environment as complex as SPC, given its multi-provider nature.

Page 10 QXN centrality in technology and services. Q-ISPs may implement their backbones with different technologies, with different services and SLAs, and along different evolution paths. QXN smooths out these differences by binding all Q-ISPs to comply with the specific technical requirements and rules set by the QXN Technical Committee. The result is a single "virtual" SPC network (integrating QXN and the Q-ISPs' backbones) that provides all SPC customers (the PAs) with services of high and homogeneous quality, regardless of which Q-ISP they use.

Page 11 QXN centrality in security. The QXN Points of Presence (PoPs) have been implemented with specific attention to: physical security of the equipment; logical security of the data and traffic flowing through the QXN network (firewalls implementing traffic-segregation policies, network intrusion detection, etc.). The result is a network infrastructure capable of ensuring high levels of security and service availability.

Page 12 QXN centrality in SPC future development. As a central building block of the SPC framework, QXN is well suited to implementing and providing new "centralized" services to PAs. As an example, QXN has already implemented and currently runs the centralized SPC Domain Name System service, which resolves the domain names of all hosts and services that PAs publish on SPC. Further services are under study by CNIPA.

Page 13 QXN service offer: OPA interconnection; OPO interconnection (between Fastweb and the other Q-ISPs that won the SPC bid only); SPC Domain Name System (DNS); SPC Network Time Source (NTP server); Network Operation Center (24x365 service coverage). NTP = Network Time Protocol; OPA = Offerta per le Amministrazioni (offer for administrations); OPO = Offerta per gli Operatori (offer for operators).

Page 14 Types of traffic flowing through QXN. Infranet traffic (OPA interconnection): IP traffic exchanged between two PAs participating in SPC through the different Q-ISPs they are connected to. Intranet traffic (OPO interconnection): IP traffic exchanged among the VPN sites of a single PA, when some sites of the VPN are connected to the network of one Q-ISP (Q-ISP1) and other sites to the network of another Q-ISP (Q-ISP2); Q-ISP1 and Q-ISP2 exchange the traffic flowing between the two parts of the VPN through their interconnection to QXN. OPA = Offerta per le Amministrazioni; OPO = Offerta per gli Operatori.

Page 15 QXN service offer: OPA interconnection (diagram). Shows the Q-ISP1 and Q-ISP2 SPC networks, PAs 1..m, the Internet and QXN, with three traffic types: Infranet traffic within one Q-ISP, Infranet traffic between Q-ISPs (through QXN), and Internet traffic.

Page 16 QXN service offer: OPO interconnection (diagram). Fastweb and a second Q-ISP each attach an OPO border router (RM-BRopo-FW and RM-BRopo-QISP in Rome; MI-BRopo-FW and MI-BRopo-QISP in Milan) to the QXN border routers (RM-BRqxn1, RM-BRqxn2, MI-BRqxn1, MI-BRqxn2). Four VLANs (VLAN1..VLAN4), each with its own /30 IP subnet, carry the VPN of PA1 (a customer of the Q-ISP) between its sites in OPA and its sites in OPO.

Page 17 QXN main features.
- Two PoPs based on Cisco technology, located at the premises of the major Italian NAPs (Neutral Access Points) in Rome (NAMEX) and Milan (MIX).
- High security levels (physical and logical).
- Service Level Agreement (SLA): service availability 99.99%; one-way delay <= 20 ms; packet loss <= 0.05%.
- One set of technical rules that every Q-ISP must follow in order to be interconnected to QXN (certification process).
- Service trial completed on 26 July 2007; commercial service started on 27 July 2007.

Page 18 QXN network architecture (diagram). The networks of Q-ISP A and Q-ISP B, each with its border routers (BRqx), attach to the BRqxn routers of the two QXN nodes (Rome and Milan); PAs 1..n hang off the Q-ISP networks; the Internet and the DNS service are also shown.

Page 19 QXN network architecture (continued).
- Two nodes, Rome and Milan, interconnected by two redundant high-speed transmission links (2x100 Mbps SDH, upgradable to 1 Gbps), designed for high availability (equipment redundancy and physical path diversity).
Each node is equipped with:
- 2 Cisco 7609 high-performance routers (BRqxn, Border Routers QXN), interconnected locally and to the BRqxn at the remote site;
- an SLA management system (based on Cisco IP SLA) to monitor and measure the network quality parameters (one-way delay, packet loss);
- a firewall and an intrusion detection system, to protect the PAs' data and traffic flowing through QXN;
- housing infrastructure (racks) to accommodate the equipment that Q-ISPs use to interconnect their backbones to the QXN nodes; this equipment must be co-located with the QXN border routers.

Page 20 QXN traffic routing issues.
- Traffic symmetry: all Q-ISPs must ensure that traffic generated by or directed to a PA (or a group of PAs) connected to their networks is always delivered and received on the same QXN node (Rome or Milan). BGP communities are used by QXN and the Q-ISPs to set the priority of the BGP advertisements for their PAs' IP prefixes.
- Traffic load balancing: traffic must be balanced between the Q-ISP border routers (BRqx) and the QXN border routers (BRqxn); traffic coming from a Q-ISP network is balanced (per session) by the BRqx towards both BRqxn of a QXN node.
- BGP routing: OSPF as the IGP among the four BRqxn of the Rome and Milan nodes (fully meshed); external BGP version 4 between the BRqxn and the Q-ISP BRqx; the QXN AS (41407) acts as a transit AS among the Q-ISPs' public ASes.

Page 21 QXN traffic routing issues (BGP communities).
All Q-ISPs must announce their IP prefixes to QXN tagged with BGP communities, so that each Q-ISP can set a priority among its BRqx for where traffic must be sent. The use of BGP communities is necessary in order to ensure traffic symmetry across QXN.
BGP communities have the format ASn_QXN:LP, where ASn_QXN = 41407 is the public AS number assigned by RIPE to QXN, and LP is the local-preference value set within QXN for the specific announcement:
- community 41407:130 = set LP to 130 within the QXN network (highest priority)
- community 41407:120 = set LP to 120 within the QXN network
- community 41407:110 = set LP to 110 within the QXN network
- community 41407:100 = set LP to 100 within the QXN network (lowest priority)
- no community = the announcement is not accepted, so traffic to that prefix is dropped by QXN
All Q-ISPs receive from QXN the information about the BGP communities set by the other Q-ISPs.

Page 22 OPA interconnection: traffic routing and fault scenarios (diagram). PA1 (prefix XXX/24) is served by SPC provider A and PA2 (prefix YYY/23) by SPC provider B. The diagram shows the prefix of the PA1 site announced to the four BRqxn (two in the Rome node, two in Milan) with LP 100, 110, 120 and 130, and the prefix of the PA2 site with LP 130, 120, 110 and 100; crosses mark the failed links of the fault scenarios, in which the announcement with the next-highest LP takes over.
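The policy of pages 21 and 22 reduces to a small import rule plus best-path selection. The following is an added worked example, not QXN's router configuration: the community format 41407:LP, the four LP values and the "no community = dropped" rule come from the slides; the router names, the RFC 5737 prefixes and the name-based tie-break that stands in for the remaining BGP tie-breakers are assumptions.

```python
"""Community-driven local preference as described on pages 21 and 22.

Added illustration, not QXN's configuration. From the slides: the community
format 41407:LP, the four LP values, and "no community = dropped". Assumed:
router names, prefixes, and the tie-break rule used below.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

QXN_ASN = 41407
# LP values the slides define for 41407:LP; anything else is ignored.
ALLOWED_LP = (130, 120, 110, 100)


@dataclass(frozen=True)
class Announcement:
    prefix: str            # e.g. "192.0.2.0/24" (constructed, RFC 5737 space)
    neighbor: str          # Q-ISP border router (BRqx) that sent the update
    qxn_node: str          # QXN node terminating the eBGP session: "ROMA"/"MILANO"
    communities: tuple     # e.g. ("41407:130",)


def local_pref_from_communities(communities: Iterable[str]) -> Optional[int]:
    """Map 41407:LP to the local preference QXN sets on import.

    Returns None when no well-formed QXN community is present, which the
    slides say makes QXN drop the announcement. Communities of other ASNs and
    unknown LP values are ignored; if several QXN communities are present the
    highest LP wins (assumption)."""
    best = None
    for community in communities:
        asn, sep, value = community.partition(":")
        if sep != ":" or asn != str(QXN_ASN) or not value.isdigit():
            continue
        lp = int(value)
        if lp in ALLOWED_LP and (best is None or lp > best):
            best = lp
    return best


def best_path(announcements: Iterable[Announcement],
              down: frozenset = frozenset()) -> Optional[Announcement]:
    """Select the announcement QXN would use for one prefix.

    `down` holds neighbours whose eBGP session has failed (the crosses on
    page 22). Announcements without a QXN community never become candidates,
    so a Q-ISP that forgets the tag gets no reachability rather than an
    unpredictable path. Highest LP wins; ties fall back to the neighbour
    name (assumption standing in for the real BGP tie-breakers)."""
    candidates = []
    for ann in announcements:
        if ann.neighbor in down:
            continue
        lp = local_pref_from_communities(ann.communities)
        if lp is None:
            continue
        candidates.append((lp, ann))
    if not candidates:
        return None
    candidates.sort(key=lambda item: (-item[0], item[1].neighbor))
    return candidates[0][1]


def exit_node(announcements, down=frozenset()) -> Optional[str]:
    """QXN node through which traffic to the prefix leaves QXN."""
    chosen = best_path(announcements, down)
    return None if chosen is None else chosen.qxn_node


# Constructed sample: Q-ISP A announces PA1's prefix on all four eBGP sessions,
# preferring Rome (LP 130/120) and keeping Milan (LP 110/100) as backup.
PA1_PREFIX = "192.0.2.0/24"
PA1_ANNOUNCEMENTS = (
    Announcement(PA1_PREFIX, "RM-BRqx-A1", "ROMA",   ("41407:130",)),
    Announcement(PA1_PREFIX, "RM-BRqx-A2", "ROMA",   ("41407:120",)),
    Announcement(PA1_PREFIX, "MI-BRqx-A1", "MILANO", ("41407:110",)),
    Announcement(PA1_PREFIX, "MI-BRqx-A2", "MILANO", ("41407:100",)),
)
# Constructed sample: a prefix announced without any QXN community.
UNTAGGED = (
    Announcement("198.51.100.0/24", "RM-BRqx-B1", "ROMA", ("65000:1",)),
)


def demo():
    """Walk through the fault scenarios of page 22 for PA1's prefix."""
    scenarios = [
        ("all sessions up", frozenset()),
        ("RM-BRqx-A1 down", frozenset({"RM-BRqx-A1"})),
        ("Rome node down", frozenset({"RM-BRqx-A1", "RM-BRqx-A2"})),
    ]
    for label, down in scenarios:
        chosen = best_path(PA1_ANNOUNCEMENTS, down)
        print(f"{label:18s} -> {chosen.neighbor} ({chosen.qxn_node})")
    print("untagged prefix  -> dropped:", best_path(UNTAGGED) is None)


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the symmetry rule at work: as long as either Rome session is up, traffic for PA1 stays on the Rome node, and only when both Rome sessions fail does it move to Milan. The drop-if-untagged branch is the check worth keeping in a real import policy: an untagged prefix is a configuration error on the Q-ISP side, and rejecting it is safer than letting it pick an arbitrary path.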

Page 23 Services offered: OPO interconnection (diagram, the same picture as page 16 with Italian captions). Fastweb and the other Q-ISP attach their OPO border routers (RM-BRopo-FW, RM-BRopo-QISP, MI-BRopo-FW, MI-BRopo-QISP) to RM-BRqxn1/2 and MI-BRqxn1/2; VLAN1..VLAN4, each with its own /30 IP subnet, carry the VPN of PA1 (a customer of the Q-ISP) between its sites in OPA and its sites in OPO.

Page 24 OPO interconnection: routing aspects.
- Q-ISP backbones are interconnected to QXN through their own OPO border routers (BRopo). Each Q-ISP may decide to implement the BRopo functions on the same equipment that acts as BRqx (for OPA interconnections) or on separate equipment.
- OPO and OPA interconnections use different ports on the BRqxn.
- In the OPO interconnection the BRqxn act as layer-2 Ethernet switches connecting Q-ISP A's BRopo (Fastweb) and Q-ISP B's BRopo (Wind or BT).
- Each layer-2 link is configured in trunk mode (IEEE 802.1Q), with each VLAN within the trunk associated with a specific VPN of a specific PA. Since the BRqxn only switch frames on this path, the separation between the VPNs of different PAs rests on the VLAN tag and on the VLAN-to-VPN mapping configured on the BRopo at each end.

Page 25 OPO interconnections: traffic routing and fault scenarios (diagram). PA1 (a customer of the Q-ISP) has VPN1 site A in OPO and site B on the other side; the Rome node is the main node and Milan the backup node. VLANs are assigned by QXN, the /30 IP subnets by the Q-ISP. Crosses mark the failures of the fault scenarios.

Page 26 QXN architecture: security and SLA management (diagram; "Sonda" = probe).

Page 27 SLA measuring and monitoring system (diagram; the probes are Cisco 2811 routers).

Page 28 SLA measuring and monitoring system (continued).
Each SLA probe acting as querier sends a specific traffic pattern (10 IP packets per minute, 200 bytes per packet, 200 ms between two consecutive packets) to the four SLA responders, one attached to each BRqxn (RM-BRqxn1, RM-BRqxn2, MI-BRqxn1, MI-BRqxn2).
This yields 16 traffic measures (one per traffic relation) every hour, which are used to calculate the QXN hourly average packet loss (PL) and one-way delay (OWD).
For every hour, the QXN hourly average PL and OWD are compared with the relevant SLA thresholds (PL = 0.05%, OWD = 20 ms) in order to calculate the penalties foreseen in the service contract between SC-QXN and its customers (the Q-ISPs). The slide also shows an array of traffic measures taken from the probe rm-qxn-sla-301.
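The hourly aggregation on page 28 is simple, but the way it is done decides whether a misbehaving probe can mask a breach. The following is an added example, not QXN's reporting system: the probe rate, the 4 x 4 relations, the hourly PL/OWD averages and the two thresholds come from the slide; the data layout, the constructed sample values and the per-relation sanity checks are assumptions. One-way delay also presupposes that querier and responder clocks are synchronized, which is what the SPC NTP source of page 13 provides.

```python
"""Hourly SLA evaluation over the 16 probe relations of page 28.

Added illustration, not QXN's reporting system. From the slide: 10 probes
per minute per relation, four queriers and four responders (16 relations),
hourly average packet loss (PL) and one-way delay (OWD), thresholds
PL = 0.05 % and OWD = 20 ms. Data layout, sample values and the
per-relation sanity checks are assumptions.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple

PACKETS_PER_MINUTE = 10
EXPECTED_SENT_PER_HOUR = PACKETS_PER_MINUTE * 60    # 600 probes per relation
SLA_PL_PERCENT = 0.05
SLA_OWD_MS = 20.0
PROBE_SITES = ("RM-BRqxn1", "RM-BRqxn2", "MI-BRqxn1", "MI-BRqxn2")


@dataclass
class RelationMeasure:
    """One hour of results for one querier -> responder relation."""
    sent: int               # probes the querier emitted
    lost: int               # probes that never came back
    owd_ms: List[float]     # per-packet one-way delay of the probes that arrived


def traffic_relations() -> List[Tuple[str, str]]:
    """Every querier probes every responder, including the responder at its
    own BRqxn: 4 x 4 = 16 relations, the count the slide gives."""
    return [(q, r) for q in PROBE_SITES for r in PROBE_SITES]


def evaluate_hour(measures: Dict[Tuple[str, str], RelationMeasure]) -> dict:
    """Aggregate the relations into the hourly QXN PL and OWD and compare
    them with the SLA thresholds.

    PL is total lost over total sent across all relations (equal to the mean
    of the 16 per-relation percentages when every relation sent its 600
    probes). A relation that sent fewer probes than scheduled, or whose
    sample count does not add up, is reported as an anomaly instead of being
    silently averaged in: a dead querier would otherwise look like 0 % loss."""
    anomalies = [f"no data for {q}->{r}"
                 for q, r in traffic_relations() if (q, r) not in measures]
    total_sent = total_lost = 0
    relation_owd = []
    for (q, r), m in measures.items():
        if m.sent != EXPECTED_SENT_PER_HOUR:
            anomalies.append(f"{q}->{r} sent {m.sent}, expected {EXPECTED_SENT_PER_HOUR}")
        if m.sent - m.lost != len(m.owd_ms):
            anomalies.append(f"{q}->{r} OWD samples ({len(m.owd_ms)}) do not match "
                             f"received probes ({m.sent - m.lost})")
        total_sent += m.sent
        total_lost += m.lost
        if m.owd_ms:
            relation_owd.append(mean(m.owd_ms))
    pl_percent = 100.0 * total_lost / total_sent if total_sent else 100.0
    owd_ms = mean(relation_owd) if relation_owd else float("inf")
    return {
        "pl_percent": pl_percent,
        "owd_ms": owd_ms,
        "pl_within_sla": pl_percent <= SLA_PL_PERCENT,
        "owd_within_sla": owd_ms <= SLA_OWD_MS,
        "anomalies": anomalies,
    }


def constructed_hour(lossy_relation=("RM-BRqxn1", "MI-BRqxn2"), lost=6):
    """Constructed data, not a real measurement: 0.5 ms within a node,
    7.5 ms between Rome and Milan, and one relation losing `lost` probes."""
    measures = {}
    for q, r in traffic_relations():
        delay = 0.5 if q[:2] == r[:2] else 7.5
        n_lost = lost if (q, r) == lossy_relation else 0
        received = EXPECTED_SENT_PER_HOUR - n_lost
        measures[(q, r)] = RelationMeasure(EXPECTED_SENT_PER_HOUR, n_lost, [delay] * received)
    return measures


if __name__ == "__main__":
    result = evaluate_hour(constructed_hour())
    print(f"PL {result['pl_percent']:.4f}% (SLA {SLA_PL_PERCENT}%): "
          f"{'ok' if result['pl_within_sla'] else 'BREACH'}")
    print(f"OWD {result['owd_ms']:.2f} ms (SLA {SLA_OWD_MS} ms): "
          f"{'ok' if result['owd_within_sla'] else 'BREACH'}")
```

With the constructed hour, six lost probes on a single relation out of 9600 sent give 0.0625% loss, already above the 0.05% threshold, while the OWD average of 4.0 ms is well inside the 20 ms bound. The anomaly list is the practitioner's safeguard: a relation reporting 300 probes instead of 600 is flagged rather than lowering the loss figure.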

Page 29 QXN SLA monitoring and reporting (screenshot).

Page 30 QXN SLA monitoring and reporting (screenshot, continued).

Page 31 SPC Domain Name System. The SPC DNS is a federated system with the participation of: the PAs' DNS; the Q-ISPs' DNS; the QXN DNS. Main goal: to ensure that all IP traffic related to the resolution of PA domains is completely confined within the SPC environment. This gives the highest level of security to the critical applications run by PAs (e.g. Protocollo Informatico), because they can be based on domains and hosts that cannot be reached or viewed from outside SPC.

Page 32 SPC DNS architecture (diagram). Public Administrations #1, #2 and #n each run their own DNS (DNS PA1, with Client PA1 and Server PA1; DNS PA2; DNS PAn); Q-ISP1 and Q-ISP2 each run a DNS; the QXN DNS sits in QXN; outside SPC are the Internet DNS root servers and an Internet server.

Page 33 SPC DNS functional model.
PA DNS:
- authoritative DNS for all the domain zones belonging to the PA;
- replicates all the PA's zone files to the Q-ISP's DNS (zone transfer/notify mechanism);
- uses the Q-ISP's DNS as forwarder for all the domain zones it is not authoritative for.
Q-ISP DNS:
- configured as slave to the PAs' DNS; authoritative for the domain zones belonging to all the PAs served by the Q-ISP;
- replicates all its zone files to the QXN DNS (zone transfer/notify mechanism);
- uses the QXN DNS as forwarder for all the domain zones it is not authoritative for.
QXN DNS:
- configured as slave to the Q-ISPs' DNS; authoritative for the domain zones belonging to all the PAs participating in SPC;
- uses the Internet root servers for all the domain zones it is not authoritative for (root servers do not answer recursive queries, so in practice the QXN DNS resolves Internet names itself, iteratively, starting from the root hints).

Page 34 SPC DNS functional model: notify / zone transfer mechanism (diagram). A change in the PA1.it zone file (e.g. an MX record) on DNS PA1 triggers a DNS NOTIFY to DNS Q-ISP1, which performs a zone transfer and in turn notifies the QXN DNS, which transfers the zone as well; the same happens for a change in the PA#n.it zone on DNS PAn through DNS Q-ISP2.

Page 35 SPC DNS functional model: query mechanism (diagram). From Client PA1, a query for Server PA1 is answered by DNS PA1; queries for the servers of other PAs (Server PA2, Server PA3) are forwarded to DNS Q-ISP1 and, when the zone is not held there, on to the QXN DNS; a query for an Internet server goes through the QXN DNS to the Internet DNS root servers.
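The three tiers of pages 33 to 35 can be checked as a model: masters at the PAs, slaves at the Q-ISPs and at QXN kept current by NOTIFY and zone transfer, and a forwarder chain that only leaves SPC for non-PA names. The following is an added example, not QXN's DNS configuration: the tiers, the replication and the forwarder chain come from the slides; the server names, zone names, addresses and the whole-zone copy that stands in for AXFR are assumptions.

```python
"""Model of the federated SPC DNS of pages 33 to 35.

Added illustration, not QXN's DNS configuration. From the slides: PA masters,
Q-ISP and QXN slaves fed by NOTIFY and zone transfer, and the forwarder
chain. Server names, zone names, addresses and the whole-zone copy that
stands in for AXFR are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Zone:
    name: str
    serial: int                                            # SOA serial
    records: Dict[str, str] = field(default_factory=dict)  # owner -> address


class DnsServer:
    def __init__(self, name: str, inside_spc: bool = True,
                 forwarder: Optional["DnsServer"] = None):
        self.name = name
        self.inside_spc = inside_spc
        self.forwarder = forwarder
        self.zones: Dict[str, Zone] = {}       # master and slave copies alike
        self.slaves: List["DnsServer"] = []

    def load_master(self, zone: Zone) -> None:
        self.zones[zone.name] = zone

    def add_slave(self, slave: "DnsServer") -> None:
        """Register a secondary and hand it an initial copy of every zone."""
        self.slaves.append(slave)
        for zone_name in self.zones:
            slave.notify(zone_name, self)

    def notify(self, zone_name: str, master: "DnsServer") -> None:
        """NOTIFY received: transfer the zone if the master's serial is newer,
        then notify our own slaves so the change walks PA -> Q-ISP -> QXN."""
        theirs = master.zones[zone_name]
        mine = self.zones.get(zone_name)
        if mine is not None and mine.serial >= theirs.serial:
            return
        self.zones[zone_name] = Zone(theirs.name, theirs.serial, dict(theirs.records))
        for slave in self.slaves:
            slave.notify(zone_name, self)

    def update_record(self, zone_name: str, owner: str, address: str) -> None:
        """Master-side change: edit the zone, bump the serial, send NOTIFY."""
        zone = self.zones[zone_name]
        zone.records[owner] = address
        zone.serial += 1
        for slave in self.slaves:
            slave.notify(zone_name, self)

    def resolve(self, qname: str, path: List["DnsServer"]) -> Optional[str]:
        """Answer authoritatively if we hold the zone, otherwise forward."""
        path.append(self)
        for zone_name in sorted(self.zones, key=len, reverse=True):
            if qname == zone_name or qname.endswith("." + zone_name):
                return self.zones[zone_name].records.get(qname)   # None: NXDOMAIN
        return None if self.forwarder is None else self.forwarder.resolve(qname, path)


def build_federation() -> Dict[str, DnsServer]:
    """Three PAs on two Q-ISPs, the QXN DNS, and the Internet as the only
    server outside SPC (a stand-in for resolution from the root servers)."""
    internet = DnsServer("Internet-root", inside_spc=False)
    internet.load_master(Zone("example.com", 1, {"www.example.com": "203.0.113.10"}))
    qxn = DnsServer("DNS-QXN", forwarder=internet)
    qisp1 = DnsServer("DNS-QISP1", forwarder=qxn)
    qisp2 = DnsServer("DNS-QISP2", forwarder=qxn)
    qisp1.add_slave(qxn)
    qisp2.add_slave(qxn)
    servers = {"qxn": qxn, "qisp1": qisp1, "qisp2": qisp2, "internet": internet}
    for label, qisp, addr in (("pa1", qisp1, "10.1.0.10"),
                              ("pa2", qisp1, "10.2.0.10"),
                              ("pa3", qisp2, "10.3.0.10")):
        pa_dns = DnsServer(f"DNS-{label.upper()}", forwarder=qisp)
        pa_dns.load_master(Zone(f"{label}.it", 1, {f"www.{label}.it": addr}))
        pa_dns.add_slave(qisp)          # the Q-ISP DNS is slave to the PA DNS
        servers[label] = pa_dns
    return servers


def lookup(client_dns: DnsServer, qname: str) -> Tuple[Optional[str], List[str], bool]:
    """Resolve from a PA's DNS. `confined` is True when every server on the
    path is inside SPC, the property page 31 claims for PA domains."""
    path: List[DnsServer] = []
    answer = client_dns.resolve(qname, path)
    return answer, [s.name for s in path], all(s.inside_spc for s in path)


if __name__ == "__main__":
    fed = build_federation()
    for name in ("www.pa2.it", "www.pa3.it", "www.example.com"):
        print(name, lookup(fed["pa1"], name))
    fed["pa1"].update_record("pa1.it", "mail.pa1.it", "10.1.0.25")
    print("mail.pa1.it seen from PA3:", lookup(fed["pa3"], "mail.pa1.it"))
```

From DNS PA1, a name of a PA on the same Q-ISP is answered by DNS Q-ISP1, a name of a PA on the other Q-ISP is answered by the QXN DNS, and only a non-PA name reaches the server outside SPC. A new record added on DNS PA1 is visible from PA3 once the NOTIFY has walked the chain. The model deliberately omits access control on the transfers themselves; the slides do not describe it, but in a real deployment the master would restrict zone transfers to its listed slaves (for example with BIND's allow-transfer and TSIG), since the PA zones are exactly the data page 31 wants kept inside SPC.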

Page 36 Who are the QXN customers?
Current: the 4 major Italian telecom operators (BT, TI, Wind, Fastweb); the SPC Management Center (CG-SPC).
Coming next: Application Cooperation Centers; Regione Toscana Community Network.
Future: the Node for PAs' VoIP interconnection (NIV); other Q-ISPs (with national or regional scope) fulfilling the requirements set by the QXN Board and Technical Committee according to the general certification criteria set by CNIPA; QCNs (Qualified Community Networks).

Page 37 Thank you for your attention.