1

未来网络发展与新技术挑战

清华大学

李星

2014-11-27

2

大纲

•回顾

•挑战

•机遇

•人才

3

20周年

4

1983-1991

• Bitnet

• Uunet

• Internet

› machanzi

55

1994年

You need a router！(思科1994年北京办事处的广告图片)

6

CERNET 拓扑

X.25

4500

2500

2500

25002.4K-9.6K

10 PoPs

Shenyang

Xi’an

ChengduShanghai

Beijing

Guangzhou

Nanjing

Wuhan

Shenyang

Xi抋n

Chengdu

Shanghai

Beijing

Guangzhou

Nanjing

Wuhan

1994 1995 1997

2004 20142000

徐闻

长春

哈尔滨

乌鲁木齐

拉萨

西宁兰州银川

呼和浩特

台北

沈阳

南昌

西安 徐州

武汉 合肥

郑州

石家庄

北京

南宁

广州

福州

杭州

上海

南京

天津

贵阳

海口三亚

湛江

无锡

大连

太原 济南 烟台

成都

长沙

重庆黄梅

九江

昆明

青岛

汕头

唐山

汉中

宜昌

珠海

深圳

惠州

柳州

百色 厦门Backbone Regional

GigaPop

Pop

桂林

深圳

77

CERNET主干网带宽的发展

年份 主干带宽

1994年 2.4K X.25

1995年 64K DDN

1997年 4M SCPC

2000年 155M SDH

2002年 2.5G DWDM

2004年 2.5G/5G DWDM

2005年 2.5G/5G/10G DWDM

2007年 2.5G/10G/20G DWDM

2014年 10G/100G DWDM

20年速率增长4千万倍

8

1994 (1)

• TCP/IP› X.25/FR

› DDN

› VSAT

• ATM

9

1994 (2)

• Single router

• Cascade routers

R7主干网 地区网

R71主干网 地区网R7

10

1997 (1)

• DDN

• VSAT

11

1997 (2)

•包月

•流量计费

国内国际出

国际入

12

2010

• SDH

• Ethernet

13

2011

• 10G/100G mixed

• 100G-only

14

CNGI-CERNET2 拓扑

BJ

SHGZ

2003 20061997

IPv6-only backbone

15

2004

• Dual stack

• IPv6-only

16

CERNET IPv6过渡技术演进

Translation

IVIBi-direction Stateless

Translation

IETF Behave WG

Dual-StackNFSCNET

IPv6 only

CERNET2 • 200 universities

• 2M subscribers

Tunnel

IPv6 over IPv4CERNET-6Bone

Tunnel

IPv4 over IPv6IETF softwire WG

IPv4CERNET

• 2000 universities

• 20M subscribers

1994 2000 2004 2005 20111998 2007

MAP-T/MAP-EDouble stateless translation

IETF Softwire WG

17

net-compass/cool-audio

18

挑战

• Net-neutrality

› Business model

• Ossification of the Internet protocols

› NAT and slow deployment of IPv6

• Fragmentation of the Internet

› Pervasive surveillance and national firewalls

19

OTT Customer demand

Data traffic

Data ARPU

Network service challenges

20

Network service microeconomics

Flat rate

Lost revenue

opportunity

Multiple services

offers are enabled

by policy-enforced

QoS

Best effort public Internet Service enabled E2E

users

price price

users

21

Traffic mix

Research

Elephant flows

Enterprise flow

Mice flows

Student and staff

ant flows

22

Internet2网络结构

23

互联网的基本性质

• 带宽是有限资源

• 用户对带宽的使用是幂率分布

• 大带宽的应用依然符合泊松分布

24

Ordinary User Heavy User

Non-VIP User VIP User

Address Switching

Power Law80% users

20% traffic

20% users

80% traffic

Non-VIP service VIP service

(a)

(b)

地址交换概念

25

缺失的链条

• 没有区分用户

› Different address, different

service

» VIP

» Non-VIP

• 没有良好定义的带宽预约控制

› VIP bock: /30 30Mbps

• 没有准入控制

› Soft-switch

› Blocking ratio

26

End

system

Softswitch

End

system

Admission

Control

Gateway

(a)

Other AS Own AS

(b)

(c)

(d)

(e)

(f)

地址交换技术模块

http://info.scichina.com:8083/sciFe/EN/article/downloadArticleFile.do?attachType=PDF&id=413824

27

交换技术比较

电路交换 虚电路交换无连接分组交换

地址交换VIP 尽力而为

28

地址交换技术案例

29

网络体系结构发展

ISDN

X.25

FR

ATM

IPv4

IPv6

OSI

DECNET

AppleTalk

IPX

电路交换

虚电路交换

无连接分组交换

FN

SNA

FI IP

非IP

SDN

80/443

30

固化

•地址

› IPv4地址没有了

› IPv6地址申请一次就够了

•域名

› App对于域名不敏感

•协议

› 退化为TCP 80/443

31

互联网演进过程的窄腰形态变化

32

Hourglass (1)

33

Hourglass (2)

34

Hourglass (3)

35

Hourglass (4)

36

RFC、草案

• RFC6052, IPv6 Addressing of IPv4/IPv6 Translators, 2010-10• RFC6144, Framework for IPv4/IPv6 Translation, 2011-04• RFC6145, IP/ICMP Translation Algorithm, 2011-04• RFC6219, The China Education and Research Network (CERNET) IVI

Translation Design and Deployment for the IPv4/IPv6 Coexistence and Transition, 2011-05

• RFC6791, Stateless Source Address Mapping for ICMPv6 Packets, 2012-11

• draft-ietf-softwire-map-t-04, Mapping of Address and Port using Translation (MAP-T)

• draft-ietf-softwire-map-09, Mapping of Address and Port with Encapsulation (MAP)

• draft-ietf-softwire-map-dhcp-06, DHCPv6 Options for configuration of Softwire Address and Port Mapped Clients

37

IVI dIVI

MAP-T

MAP

MAP-DHCP

MAP-T

LW4o6

MAP-E

464XLAT

DS-Lite

IVI

dIVI-PD

NAT64

RFC2766

RFC6052, RFC6145

RFC6146

RFC6333 (14)

RFC6346

RFC2529

RFC1933

RFC3056

RFC6877

RFC5969

RFC5214

RFC4380

IETF 过渡标准演进

38

双重翻译、封装

IPv4

IPv6

Transport

Link

IPv4

Transport

Link

IPv4

Transport

Link

IPv6

Transport

Link

ORIPv4

Native IPv6 InfrastructureCE BR

MAP MAP

MAP-E MAP-T

RFC2473 RFC6145

39

无状态、有状态

40

IPv6过渡技术实施案例

IPv4 VMs

IPv6 VMs

41

习近平总书记指示

•“网络安全和信息化是事关国家安全和国家发展、事关广大人民群众工作生活的重大战略问题”

•“没有网络安全就没有国家安全，没有信息化就没有现代化”

•“建设网络强国的战略部署要与‘两个一百年’奋斗目标同步推进”

42

•Internet will be entering a turbulent period›斯诺登揭开NSA黑幕

›美国道义与威信丧失

›欧盟着手建立“欧洲通讯网”

斯诺登事件

43

Who will decide your rights in the cyberspace

• 1970s – 1990s:

Rules have been set through “RFC” by a small group of

engineers.

• 1998 – up to now:

Rules have been set through “ICANN” (Private Org) and

IETF, IAB, RIRs, others (CNNIC, JPNIC, KRNIC, etc) through

“Policies” in the name of “consensus”

• Future:

Will Rules be set by “Gov’ts or Private Orgs” through

“national treaties or policies”????

44

• 1998. 2 Green Paper

• 1998. 6 White Paper

• 1998. 10 ICANN Board

• 1998. 11 ICANN Bylaws

Agreement with US Government (NTIA/DOC)(National Telecommunications and Information Administration)

Self-Governance, Self-Regulation (International) ??

Government Initiatives (US Government)

45

美国政府计划移交互联网管理权

46

NTIA (ICANN SG meeting)

• US government’s role in IANA is purely clerical• 4 key principles – and that's it

› Support and enhance the multistakeholder model› Maintain the security, stability, and resiliency of the Internet DNS› Meet the needs and expectation of the global customers and partners of

the IANA services, and› Maintain the openness of the Internet

• Governments are only one stakeholder and cannot be in charge• Answer to the transition lies in IANA's 'customers'• US domestic politics is a factor• The bigger picture is developing countries and the

multistakeholder process• ICANN accountability is something for the community to figure

out

47

NTIA (IGF USA July 16)

• Our work on Internet policy is guided by three simple principles› First, we support the Internet as a platform for economic growth. In doing so,

we focus on both increasing the number of Internet users worldwide and encouraging more intensive use by existing users.

› Second, we support the Internet as a platform for innovation. In doing so, we seek to develop policies that are flexible, creative, and rapidly adaptable to fast changing technology.

› Third, we view the Internet as our client, not any one set of stakeholders. So, in developing policy, we must balance the competing interests of users by focusing on what policies best support economic growth and innovation.

• The two key concepts we apply in support of growth are maintaining and increasing the trust of users to the Internet and expanding the global reach of the Internet economy.

• To support innovation, we want to make sure that policymaking is flexible and adaptable, which is why we are such a strong supporter of the multistakeholder model of Internet governance.

48

NTIA (American Enterprise Institute July 22)

• Let me explain why this is the right move at the right time› First, as ICANN has performed the IANA functions over the years, it has matured as an organization and has taken important steps to improve its accountability and transparency as well as its technical competence.

› Second, as witnessed so strongly in the past several months, international support has continued to grow for the multistakeholder model of Internet governance. And as a result, many of the Internet’s key stakeholders, including Internet firms like Google; communications providers like AT&T and Cisco; and civil society groups such as Human Rights Watch and Public Knowledge support this transition as the right course, at the right time.

49

CFCAA principles

• 平等开放。互联网将世界变成了地球村，让各国人民互联互通。

• 多方参与。互联网是人类共同的家园，大家都来描绘装扮，才能“五色交辉，相得益彰；八音合奏，终和且平”。 （政府、互联网企业、技术社群、网民 ）

• 安全可信。没有人愿意生活在谣言四起、隐私暴露、犯罪横行的网络空间里。包括中国在内的很多国家，都是网络监控、网络攻击、网络窃密的受害国。

• 合作共赢。英国作家萧伯纳有句名言:“你有一个苹果，我有一个苹果，我们彼此交换，每人还是一个苹果；你有一种思想，我有一种思想，我们彼此交换，每人可拥有两种思想。”

Lu Wei in ICANN London

China's Minister for Cyberspace Affairs Administration

50

Comparison of the 4-printciples

USG

• Support and enhance the multistakeholder model

• Maintain the security, stability, and resiliency of the Internet DNS

• Meet the needs and expectationof the global customers and partners of the IANA services, and

• Maintain the openness of the Internet

CNG

• Equality and Openness

• Multistakeholder

• Security and Trust

• Cooperation for win -win game

51

习近平巴西演讲首提互联网治理体系

• 当今世界，互联网发展对国家主权、安全、发展利益提出了新的挑战，必须认真应对。

• 虽然互联网具有高度全球化的特征，但每一个国家在信息领域 的主权权益都不应受到侵犯，互联网技术再发展也不能侵犯他国的信息主权。

• 在信息领域没有双重标准，各国都有权维护自己的信息安全，不能一个国家安全而其他 国家不安全，一部分国家安全而另一部分国家不安全，更不能牺牲别国安全谋求自身所谓绝对安全。

• 国际社会要本着相互尊重和相互信任的原则，通过积极有效的国 际合作，共同构建和平、安全、开放、合作的网络空间，建立多边、民主、透明的国际互联网治理体系。

52

IANA功能

53

DNS root

54

DNSSEC

DNS 权力体系 DNSSEC 权力体系

shamir 机密共享机制

Trust anchor

55

DANE

•服务由域名识别 && DNSSEC 正好构建了 PKI 体系

•通过开源插件实现

56

Internet Registry Hierarchy

ASO

(and Address Council)

IANA

Marina del Rey, CA, US

LIR

LIR

LIR

LIR LIR

NIR

APNIC

Brisbane, Australia

ISP ISP

ISP ISP

ISP

ARIN

Reston, VA, US

LIR LIR LIR LIR LIR

RIPE-NCC

Amsterdam, The Netherlands

ICANN

57

BGPv4

58

CERNET BGP

校园网1.1.0.0/20

CERNET 其它ISP

R

R NAT

ip route 1.1.0.0/20 A

ip route 0.0.0.0/0 B

A

B

ip pool 3.3.3.0/24

校园网1.1.0.0/20

公有AS号码

CERNET 其它ISP

R

R NAT

eBGPA

B

ip pool 3.3.3.0/24

国内路由表

1.1.0.0/20

iBGP

CERNET

和国内路由

其它ISP’s routing

国内路由表条数： 44,276

全球路由表条数：478,889

59

网络性能测试搜索引擎

地址（IPv4、IPv6） 域名 自治域号码

http://search.sasm3.net/

60

BGP Hijacking

United States

Pakistan Telecom

PCCW HK

AS3549

AS174

AS2914

AS17557

AS3491

AS36561

www.youtube.com

NTT America

Cognet

208.65.153.0/24

欺骗路由

YouTube.com is here

208.65.153.0/22

真实路由

61

BGP MITM

62

•争议

› 董仲舒：独尊儒术，内强皇权，外化庶民

› IETF：RPKI，Centralization of IANA/ICANN or U.S.A ?

•焦点：

› Internet Governance（互联网治理）» 1. 分治 VS 集权？

» 2. 权力如何分配？

» 3. 一个权力中心还是多个权力中心？

THE CONFUCIANISM WORSHIP ALONE

63

rPKI

64

• Numerous Academic Genre（诸子百家）› 道

»无为而治

–我无为，而民自化；我好静，而民自正；我无事，而民自富；我无欲，而民自朴 。

– 治大国若烹小鲜 -------《道德经》

› 兵

»知己知彼，百战不殆。

»昔之善战者，先为不可胜，以待敌之可胜。 ------《孙子兵法》

»进攻者希望并采取行动，而防御者则等待行动。防御的规则以进攻的规则为依据，而进攻的规则又以防御的规则为依据。” ------《战争论》

› 儒

»中央集权，三纲五常

–齐景公问政于孔子。孔子对曰：‘君君、臣臣、父父、子子。’公曰：‘善哉！，信如君不君，臣不臣，父不父，子不子，虽有粟，吾得而食诸’

–君为臣纲，父为子纲，夫为妻纲 -------《礼纬·含文嘉》

网络治理

65

66

Snowden

IETF87

IETF88

67

IETF88 Technical Plenary

Hardening The Internet

68

In IETF88 Technical Plenary, there were five hums

• The IETF is willing to respond to the pervasive surveillance attack?

› Overwhelming YES. Silence for NO.

• Pervasive surveillance is an attack, and the IETF needs to adjust our threat model to consider it when developing standards track specifications.

› Very strong YES. Silence for NO

• The IETF should include encryption, even outside authentication, where practical.

› Strong YES. Silence for NO

• The IETF should strive for end-to-end encryption, even when there are middleboxes in the path.

› Mixed response, but more YES than NO.

• Many insecure protocols are used in the Internet today, and the IETF should create a secure alternative for the popular ones.

› Mostly YES, but some NO.

69

Encryption and authentication

• Encryption› Meta data› Content

• Choices› Clear text if you CAN, encryption if you MUST› Encryption if you CAN, cleartext if you MUST.

Cleartext authentication

encryptionEncryption

authenticationGFW

Trust

anchor

• .

70

71

IAB Statement on Internet Confidentiality (1)

• The IAB now believes it is important for protocol designers, developers, and operators to make encryption the norm for Internet traffic. Encryption should be authenticated

where possible, but even protocols providing confidentiality without authentication are useful in the face of pervasive surveillance as described in RFC 7258.

72

IAB Statement on Internet Confidentiality (2)

• We similarly encourage network and service operators to deploy encryption where it is not yet deployed, and weurge firewall policy administrators to permit encrypted traffic.

• We also acknowledge that many network operations activities today, from traffic management and intrusion detection to spam prevention and policy enforcement, assume access to cleartext payload. For many of these activities there are no solutions yet, but the IAB will work with those affected to foster development of new approaches for these activities which allow us to move to an Internet where traffic is confidential by default.

73

74

事实？

75

76

77

The worst case scenario

• We end up with some or all of

› Competing DNS roots (the most likely new possibility),

› National regulations about traffic going in and out of the country and how internal ISPs can connect (we already have some of that)

› National (or ITU-based) allocation of addresses (both IPv4 and IPv6) that simply ignore the RIRs and global routing architecture so that we end up with addresses in some countries ignoring the ICANN/RIR allocations.

› Multiple organizations claiming to perform the IANA function,with competing and diverging copies of registries (even protocol registries).

7878

中国互联网用户规模

7979

世界互联网用户规模

8080

全球互联网服务的发展

8181

2025预测

8282

技术发展（1）

8383

技术发展（2）

84

地址需求

85

带宽需求

86

管理需求

87

应用需求

88

人才需求

Globalization Distributed Science Education Costs

Lifelong Learning Changing Competitive Landscape

Risk Management

89

开放（Open）

•开放的协议（Open protocol）

•开放的实现（Open implementation）

•开放的系统（Open system）

Open

Pro

cess

人才

90

先驱

91

NSF演变

• 《布什报告》与 NSF 成立› 以麻省理工学院、霍普金斯大学、哈佛大学、斯坦福大学、加州大学等一批重 点大学为依托，建立国家重点实验室，用于原子弹、雷达等武器和设施的研制，促使了联邦政府与大学之间广泛的科研合作。

› 现代科学已经从“小科学”的状态跃进大科学时代

• 《国防教育法》与 NSF 资助黄金时期› 1957 年苏联率先成功发射第一颗人造地球卫星，强烈刺激美国公众信心，总统和国会才开始意识到大学基础研究的重要性

• 《更新诺言》与 NSF 资助政策转向› 20 世纪 90 年代以来，随着苏联解体，美国成为世界唯一超级大国，美国科技政策重心转向刺激经济增长

› 《在国家的利益中：联邦政府和研究密集型大学》报告中强调“研究的重要部分，特别是基础研究的重要部分，是在高校进行的。这有多方面的好处，研究和 教育以极为高产的方式联接起来。高校研究者们提供的智力自由和被一代代有好奇心的年轻头脑不断更新，激励了研究事业的发展。”

1965 1970 1975 1980 1985 19951990

Timesharing

Graphics

Networking

Workstations

Windows

CTSS. Mutics

BSD Unix

SDS 940, 360, VMS

Seetchpad, Utah

GM/IBM, LucasFilm

E&S, SGI

Arpanet, Internet

Ethernet, Pup, DataKit

DECnet, LANs, TCP/IP

Lisp machine, Stanford

Xerox Alto

Apollo, SUN

Englebart, Rochester

Alto, Smalltalk

Star, Mac, Microsoft

gov res Ind res Ind devp $1M buss

transfer of ideas or people

93

《NSF2020年远景报告》

• NSF应通过引领变革性 研究、卓越的科学教育来确保美国在全球科学、工程和知识发展等方面的领先优势，从而达到促进经济发展、改善生活质量、保证国家安全等目标。

• NSF 在战略管理层面紧扣研究项目、研究设施、教育培训三大功能, 提出了“人才 ( people) 、构想(idea) 、工具( tool) 和组织卓越( organizational excellence) ”作为其预算战略目标。

94

三代网络工程师

电话/传输系统 路由器 程序员

95

SDO

96

OSS (1)

97

OSS (2)

98

OSS (3)

99

SDO, OSS

100

Loop

101101

Internet of ……

102

Permissionless innovation

• No one is “in charge” of the Internet. Instead, many people cooperate to make it work.

• Each person brings a unique perspective of the Internet, We believe a strong focus on enabling the broadly based dialogue is necessary, and that the “permissionless innovation” given as the goal of this effort is better served by first enabling infrastructure (web site, collection and a set of tools). Further efforts may emerge later, and those may require additional structure.

103

创造