© 2005 Caspian. Caspian Confidential Next Generation Internet Architectures: Emerging Trends, Challenges and Solutions Dr. Riad Hartani Chief Architect, Caspian Bangkok, May 4 th 2006

© 2005 Caspian. Caspian Confidential Agenda IPv6: Where are we today…Briefly ! Emerging Networks Trends and Implications Evolution of IPv6 Router Architectures Benefits and Applications Q&A

© 2005 Caspian. Caspian Confidential IPv6 Networks: State of the Art Motivations for IPv6 well understood -Addressing space, routing hierarchy, dynamic configuration, security, mobility -Popularity of P2P and Multimedia services Protocol specifications largely finalized -IETF specifications for IPv6 migration ready -Interoperability demonstrated, major router/application vendors support Ongoing network/services deployments -Aggressive deployment in the Far East, Semi-aggressive deployments in Europe, Slow deployments in America, mainly government/federal driven -Consumer electronics, computing industries (grid/collaborative networking) and retail industries driving applications developments

© 2005 Caspian. Caspian Confidential Network Trends and Challenges FACTS: -Services and network convergence accelerating – Internet Protocol based -Towards an always on ubiquitous broadband connectivity (DSL, FTTH, Wifi, Wimax, etc.) TRENDS: -From centralized to distributed information models (P2P content distribution, grid computing, etc.) -Emergence of overlay service providers (e.g. Skype, etc.) – Disruptive competitive landscape -Shift from geography specific competition to global competition (e.g. Google, Yahoo, Microsoft, etc.)

© 2005 Caspian. Caspian Confidential Networks Trends and Challenges CHALLENGES: -Challenge 1: How to improve Internet (node and network levels) traffic control & oversubscription dimensioning ? -Challenge 2: How to delivery QoS with low OPEX, in fixed/mobile environments ? -Challenge 3: How to secure / protect the infrastructure ? CONSTRAINTS: -Constraint 1: No change to IP / MPLS protocols -Constraint 2: No change to principles that made the Internet successful

© 2005 Caspian. Caspian Confidential IPv6 Routers Architecture Evolution IP/MPLS -Deterministic QoS -Deterministic routing DPI Appliances - Traffic Analysis - Stateful processing Architectural Principles - Evolution towards traffic aware QoS, traffic control and routing - Evolution towards behavioral models, optimal for Privacy, Application Agnostic, Neutrality, Encryption, Privacy, etc. - Leverage TCP/UDP/IP inherent characteristics

© 2005 Caspian. Caspian Confidential Conventional vs. Stateful IPv6 Routing Architectures RAM Route Each Packet Queue (Class) & Forward RAM Switch Fabric Conventional Forwarding/Routing 1.Forwarding each packet 2.Switch to output 3.Class-based QoS RAM Hash, Lookup State, Route, Store, WFQ/Flow, Switch RAM Lookup State, Store, and WFQ/Flow Flow-based Forwarding/Routing 1.Hash for flow identification 2M flows/s and 6M flows per 10 Gig Flexible definition of flows: IP flows, Pseudo-WireoMPLS flows, IPoMPLS flows 2.Create “soft” state or look up Route, switch, filters, stats 3.Per-flow QoS behavior Leverage flow state for advanced QoS Shape, police, CAC, congestion control Switching Network

© 2005 Caspian. Caspian Confidential Flow Aware Traffic Management Principles Per Flow Actions / Controls -Generic actions based on traffic control principles -Specific actions based on specific network services Dynamic Flow/Aggregate Identification Per-Flow Traffic Control Identification Methods -Function of network service -Function of traffic control business case

© 2005 Caspian. Caspian Confidential Flow Aware Architecture Benefits Customized congestion/resources control schemes for Video/Voice/P2P/Wireless traffic Advanced application level QoS (Shaping/Policing/CAC) guarantees Preventive DDOS security models Others: Traffic aware routing, Dynamic services diagnostic, Lawful intercept, etc. State  Intelligence  Improved nodal behavior  Enhanced network services at lower cost

© 2005 Caspian. Caspian Confidential Example: IPv6 Dynamic Flow Identification & Customized Congestion Management Unknown Traffic Browsing Streaming Voice/Video over IP Some P2P (skype, small transfers, etc) Small web downloads Large FTP Transfers Some P2P (large transfers) Flow routers leverage state information to characterize traffic flows -Can enforce specified congestion control policies -(responsive vs. unresponsive, high rate vs. low rate, short lived vs. long lived, P2P vs. web, “legal” vs. “illegal” content ) Non-interactive Traffic Large FTP Transfers Some P2P (large transfers) Interactive Traffic Browsing Streaming Voice/Video over IP Some P2P (skype, small transfers, etc) Small web downloads

© 2005 Caspian. Caspian Confidential Example: IPv6 Flow-aware Connection Admission Control Port  New flows CACed  Preserves integrity of existing flows, no performance degradation  Enables ON/OFF service model Port With CAC Without CAC New UDP/TCP flows rejected  All flows allowed into a class  wRED on class congestion  Many flows affected - poor service lack of determinism

© 2005 Caspian. Caspian Confidential Example: IPv6 Flow-based Shaping/Policing Port  Shaping aims at changing characteristics of input stream to produce an output stream with required characteristics Benefits for the end users, and For the downstream network  Policing aims at enforcing traffic contracts  Flow routing allows shaping and policing of desired flows Flows are shaped/policed based on requirements

© 2005 Caspian. Caspian Confidential Example: IPv6 Flow Graduation Application Control Traffic Class Video & Voice over IP Class Virtual Leased Line Class Unknown Traffic Class (Default) Non Interactive Traffic Class BGP, IS-IS, OSPF Flows VoIP and VIDoIP Flows Corporate Flows Unknown Flows Flows dynamically thresholds are graduated to a different class, policy routed or mirrored Dynamic Traffic Aware Management, Routing

© 2005 Caspian. Caspian Confidential Example: IPv6 Covert Intercept 67% P2P 17% TCP 11% HTTP 4% Video 1% VoIP VoIP hides in Internet Which links to monitor? HTTP & random ports used Explicit Identification and analysis of Traffic Dynamic Re-routing of traffic Explicit Identification and analysis of Traffic Dynamic Re-routing of traffic

© 2005 Caspian. Caspian Confidential Put in specific focal points for DOS attacks Detect anomalies in traffic flows, online Raise alarms to operator for immediate investigation Fast, inexpensive way to detect attack before customer is impacted Example: Flow-based DDOS Prevention in IPv6 Other Carrier Network ISP Dynamic Security Models

© 2005 Caspian. Caspian Confidential Conclusions Gradual migration from IPv4 to IPv6 with long term co- existence of IPv4 and IPv6 Deployment of IPv6 networks required to satisfy evolving network/service architecture models Stateful IPv6 routers nodal behavior, fully interoperable with existing technologies – a new resources management model, QoS and security architectures Enhances value proposition & ROI of migration to IPv6

© 2005 Caspian. Caspian Confidential Thank you ! Riad Hartani, Caspian