Transcript QXN

Rome, 31 March 2009
Sistema Pubblico di Connettività
QXN
(Qualified eXchange Network)
Mauro Mascagna (Technical Director – QXN s.c.p.a.)
Qualified eXchange Network

The QXN Consortium

Goals

QXN Network Infrastructure

QXN Services

Future developments
The QXN Consortium - Milestones

Setup date: July 10th, 2006

Founding members: the four major Italian TLC operators
(60%)
(10%)

(5%)
(25%)
On October 2006, QXN Consortium signed a contract with
CNIPA in order to implement and run QXN infrastructure and
services
QXN Consortium – Organization
•Management Board, formed by founding members representing the four partners of the Consortium:
• 1 President (BT Italia)
• 1 CEO (Fastweb)
• 4 Fastweb representatives
• 1 BT Italia representative
• 1 Wind representative
• 1 Telecom Italia representative
•Technical Committee:
• 1 Chairman (QXN Technical Director)
• 1 representative each from CNIPA, BT, Fastweb, Wind, Telecom Italia, Namex, MIX and CG-SPC
QXN on the Internet: company website
www.qxn.it
www.qxn-scpa.it
QXN Consortium – Main goals



• To design, implement, operate and develop a geographically distributed IP backbone infrastructure (QXN) acting as an exchange network among the backbones of the SPC Q-ISPs**.
• To provide Q-ISPs with access to QXN services (such as housing, access ports, guaranteed bandwidth, centralized DNS, NTP server).
• To guarantee equal access conditions to QXN infrastructure and services both to Members of the Consortium and to other Q-ISPs.
**Q-ISP: Qualified Internet Service Provider
QXN within SPC General Framework
[Figure: QXN within the SPC general framework. Elements shown: QXN; the SPC multi-provider national networks (QISP 1, QISP 2, QISP n) with PAC and PAL sites; Advanced Interoperability Service Centres 1 and 2; the Application Cooperation Service Centre; the SPC international network (RIPA); CG-SPC; the VoIP interconnection node; Qualified Community Networks (QCN).]
QXN within SPC General Framework (2)
QXN is a “cornerstone” of the SPC Framework due to its central role in:
•SPC management
•Technology and services
•Security
•SPC Future developments
QXN Centrality in SPC management
QXN Consortium, through the work of its bodies (Management Board, Technical Committee), acts as an aggregation point among all actors involved in SPC, namely:
• CNIPA
• Q-ISPs
• CG-SPC
• NIV
This is of fundamental importance in helping CNIPA to manage an environment as complex as SPC, given its “multi-provider” nature.
QXN Centrality in technology and services
Q-ISPs may implement their backbones by using different technologies, with different services and SLAs and according to different evolution paths.
QXN “smooths” all these differences by binding all Q-ISPs to comply with specific technical requirements and rules set by the QXN Technical Committee.
The result is a single SPC “virtual” network (integrating QXN and the Q-ISPs’ backbones) that provides all SPC customers (the PAs) with services of high and homogeneous quality, whichever Q-ISP they use.
QXN centrality in security
The QXN Points of Presence (PoP) have been implemented with specific care for security issues such as:
• physical security of equipment
• logical security of data and traffic flowing through the QXN network (by using Firewalls that implement policies for traffic segregation, network intrusion detection, etc.)
resulting in a network infrastructure capable of ensuring high security and availability levels of service.
QXN centrality in SPC future development
As a central building block of the SPC Framework, QXN is well suited to implement and provide new “centralized” services to PAs.
As an example, QXN has already implemented and is currently running the Centralized SPC Domain Name System service, which ensures resolution of the domain names of all hosts and services that PAs publish on SPC.
Further services are currently under study by CNIPA.
QXN Service Offer
• OPA Interconnection
• OPO Interconnection (only between Fastweb and the other Q-ISPs that won the SPC bid)
• SPC Domain Name System (DNS)
• SPC Network Time Source (NTP server)
• Network Operation Center (24x365 service coverage)
NTP = Network Time Protocol
OPA = Offerta per le Amministrazioni
OPO = Offerta per Operatori
Types of traffic flowing through QXN
•Infranet traffic – IP traffic exchanged between two PAs participating in SPC through the different Q-ISPs they are connected to (OPA* interconnection);
•Intranet traffic – IP traffic exchanged among the VPN sites of a single PA, where some sites of the VPN are connected to the network of one Q-ISP (Q-ISP1) and other sites to the network of another Q-ISP (Q-ISP2). Q-ISP1 and Q-ISP2 exchange the traffic flowing between the two parts of the VPN over their interconnection to QXN (OPO* interconnection).
*OPA = Offerta per le Amministrazioni
*OPO = Offerta per gli Operatori
QXN service offer – OPA Interconnection
[Figure: OPA interconnection. PAs (PA 1, PA 2, PA 3, PA m) attached to the QISP-1 and QISP-2 SPC networks, which are linked through QXN and to the Internet; example host www.pa2.it. Legend: Infranet traffic (intra Q-ISP), Infranet traffic (inter Q-ISPs), Internet traffic.]
QXN Service Offer – OPO Interconnection
[Figure: OPO interconnection between the QXN Rome node (RM-BRqxn1, RM-BRqxn2) and the QXN Milan node (MI-BRqxn1, MI-BRqxn2). Elements shown: RM-BRopo-FW, RM-BRopo-QISP, MI-BRopo-FW and MI-BRopo-QISP; VLAN1 to VLAN4, each with its own /30 IP subnet (IP subnet1 to IP subnet4); VPN PA1 (Q-ISP customer) with sites in OPO and sites in OPA; the Fastweb and QISP networks.]
QXN - Main features

• Two PoPs based on Cisco technology, located at the premises of the major Italian NAPs (Neutral Access Points) in Rome (NAMEX) and Milan (MIX)
• High security levels (physical and logical)
• Service Level Agreement (SLA)
• Service Availability = 99,99%
• One Way Delay <= 20 ms
• Packet Loss <= 0,05%
• One set of technical rules that every Q-ISP must follow in order to be interconnected to QXN (certification process)
• Service trial completed on July 26th, 2007; commercial service started on July 27th, 2007
QXN – Network Architecture
[Figure: QXN network architecture. Elements shown: PA 1, PA 2, PA 3 and PA n; Q-ISP network A and Q-ISP network B with their border routers (BRqx); the QXN Rome and Milan nodes with their border routers (BRqxn) and DNS; the Internet.]
QXN network architecture (continued)
• Two nodes, Rome and Milan, interconnected by two redundant high-speed transmission links (2x100 Mbps SDH, upgradable up to 1 Gbps), designed for high availability (equipment redundancy and physical path diversity)
• Each node is equipped with:
• 2 Cisco 7609 high-performance routers (BRqxn – Border Routers QXN) interconnected locally and to the BRqxn at the remote site;
• an SLA management system (based on the Cisco IP SLA solution) to monitor and measure network quality parameters (One Way Delay, Packet Loss);
• Firewall and Intrusion Detection System, to protect the PAs’ data and traffic flowing through QXN;
• housing infrastructure (racks) to accommodate the equipment that Q-ISPs use to interconnect their backbones to the QXN nodes. This equipment must be co-located with the QXN Border Routers.
QXN - Traffic Routing issues
• Traffic symmetry
• All Q-ISPs must ensure that traffic generated by or directed to a PA (or a group of PAs) connected to their networks is always delivered/received on the same QXN node (e.g. Rome or Milan).
• BGP Communities are used by QXN and Q-ISPs in order to set priorities of BGP advertisements for their PAs’ IP prefixes
• Traffic load balancing
• Traffic must be balanced between Q-ISP Border Routers (BRqx) and QXN Border Routers (BRQXN);
• Traffic coming from a Q-ISP network is balanced (on a per-session basis) by the BRqx towards both BRQXNs in a QXN node
• BGP Routing
• OSPF fully-meshed protocol among the four BRQXNs placed in the Rome and Milan QXN nodes;
• External BGP v. 4 among BRQXNs and Q-ISP BRqx;
• QXN AS (41407) acting as transit AS among the Q-ISPs’ public ASs;
QXN – Traffic routing issues
• BGP Communities
• All Q-ISPs must announce their IP prefixes to QXN by using BGP communities, so that each Q-ISP can set a priority among its BRqxs for where traffic must be sent.
• Use of BGP Communities is necessary in order to ensure traffic symmetry over QXN.
• BGP Communities have this format: ASn_QXN:LP
where:
•ASn_QXN = 41407, is the public AS assigned by RIPE to QXN
•LP is the Local Preference parameter value being set, within QXN, for the specific announcement
• community 41407:130 = Set LP equal to 130 within QXN network (highest priority)
• community 41407:120 = Set LP equal to 120 within QXN network
• community 41407:110 = Set LP equal to 110 within QXN network
• community 41407:100 = Set LP equal to 100 within QXN network (lowest priority)
• no community = traffic dropped by QXN
• All Q-ISPs receive from QXN information about the BGP Communities set by other Q-ISPs.
OPA Interconnection – traffic routing and fault scenarios
[Figure: OPA interconnection, traffic routing and fault scenarios. PA 1 (SPC provider network A, prefix YYY / 23) and PA 2 (SPC provider network B, prefix XXX / 24) each have their site prefix announced towards the BRqxn of the QXN Rome and Milan nodes with LP130, LP120, LP110 and LP100; X marks indicate faults.]
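The community policy and the fault scenarios above can be modelled in a few lines. This is an added example, not QXN's router configuration: the prefixes are documentation placeholders, the placement of the two highest LP values on the Rome routers is an assumption, and treating any value outside the four listed as "no community" is also an assumption.

```python
# Added illustration of the ASn_QXN:LP community policy; not QXN's router config.
QXN_AS = 41407                       # public AS assigned by RIPE to QXN (from the slides)
VALID_LP = (130, 120, 110, 100)      # 130 = highest priority, 100 = lowest


def local_pref(communities):
    """Return the Local Preference QXN sets, or None when the announcement
    carries no usable QXN community and traffic for it is dropped."""
    for community in communities:
        asn, _, value = community.partition(":")
        # Assumption: values other than the four listed count as "no community".
        if asn == str(QXN_AS) and value.isdigit() and int(value) in VALID_LP:
            return int(value)
    return None


def best_exit(announcements, prefix, failed=()):
    """Return the BRqxn that receives traffic for `prefix`, skipping routers
    listed in `failed`; None means no usable announcement (traffic dropped)."""
    usable = []
    for ann in announcements:
        lp = local_pref(ann["communities"])
        if ann["prefix"] == prefix and ann["brqxn"] not in failed and lp is not None:
            usable.append((lp, ann["brqxn"]))
    return max(usable)[1] if usable else None


def node_of(brqxn):
    """'RM-BRqxn1' -> 'RM' (Rome), 'MI-BRqxn2' -> 'MI' (Milan)."""
    return brqxn.split("-")[0]


# Constructed sample: one PA prefix announced on all four BRqxn, highest LPs on Rome.
PA1 = "192.0.2.0/24"   # documentation prefix standing in for a PA site
ANNOUNCEMENTS = [
    {"prefix": PA1, "brqxn": "RM-BRqxn1", "communities": ["41407:130"]},
    {"prefix": PA1, "brqxn": "RM-BRqxn2", "communities": ["41407:120"]},
    {"prefix": PA1, "brqxn": "MI-BRqxn1", "communities": ["41407:110"]},
    {"prefix": PA1, "brqxn": "MI-BRqxn2", "communities": ["41407:100"]},
    {"prefix": "198.51.100.0/24", "brqxn": "RM-BRqxn1", "communities": []},
]

if __name__ == "__main__":
    for failed in [(), ("RM-BRqxn1",), ("RM-BRqxn1", "RM-BRqxn2")]:
        print(failed, "->", best_exit(ANNOUNCEMENTS, PA1, failed))
```

With this ordering the prefix stays on the Rome node until both Rome routers are lost, which is what keeps inbound and outbound traffic on the same node.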
Services Offered – OPO Interconnection
[Figure: OPO interconnection between the QXN Rome node (RM-BRqxn1, RM-BRqxn2) and the QXN Milan node (MI-BRqxn1, MI-BRqxn2). Elements shown: RM-BRopo-FW, RM-BRopo-QISP, MI-BRopo-FW and MI-BRopo-QISP; VLAN1 to VLAN4, each with its own /30 IP subnet (IP subnet1 to IP subnet4); VPN PA1 (Q-ISP customer) with sites in OPO and sites in OPA; the FW and QISP networks.]
OPO interconnection – routing aspects
• Q-ISP backbones are interconnected to QXN through their own OPO Border Routers (BRopo). Each Q-ISP may decide to implement BRopo functions on the same equipment acting as BRqx (for OPA interconnections), or on different equipment.
• OPO interconnection and OPA interconnection use different ports on BRQXN.
• In OPO interconnection, BRqxns act as L2 Ethernet switches connecting Q-ISP A’s BRopo (Fastweb) and Q-ISP B’s BRopo (Wind or BT)
• Each L2 link is configured in trunk mode (IEEE 802.1q), each VLAN within a trunk being associated with a specific VPN of a specific PA.
OPO interconnections – traffic routing and fault scenarios
[Figure: OPO interconnection, traffic routing and fault scenarios. Main node: QXN Rome (RM-BRqxn1, RM-BRqxn2, RM-BRopo-FW, RM-BRopo-QISP); backup node: QXN Milan (MI-BRqxn1, MI-BRqxn2, MI-BRopo-FW, MI-BRopo-QISP). PA1 (Q-ISP customer) VPN1 with Site A (in OPO) and Site B; X marks indicate faults.]
VLAN 1-2-3-4: assigned by QXN
IP subnet 1-2-3-4: assigned by the Q-ISP
QXN Architecture – security & SLA management
[Figure: QXN architecture with eight probes.]
SLA measuring and monitoring system
[Figure: SLA measuring and monitoring system, showing eight Cisco 2811 devices.]
SLA measuring and monitoring system (continued..)
[Figure: SLA probes labelled Q (Querier) and R (Responder) attached to RM-BRqxn1, RM-BRqxn2, MI-BRqxn1 and MI-BRqxn2; probe name shown: rm-qxn-sla-301.]
• Each SLA probe (Querier) sends a specific traffic pattern (10 IP packets/min, 200 bytes/packet, 200 ms delay between two consecutive packets) to the other four SLA probes (Responders) connected to each BRqxn.
• This yields 16 traffic measures (one for each traffic relation) every hour, which are used to calculate the QXN hourly average PL and OWD.
• For every hour, the QXN hourly average PL and OWD are compared with the relevant SLA thresholds (PL=0,05%, OWD=20ms) in order to calculate penalties as foreseen in the service contract between SCQXN and its customers (Q-ISPs).
[Figure: array of traffic measures]
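The hourly check described above, worked through as an added example (not QXN's SLA tooling). It assumes the hourly average is the arithmetic mean over the 16 relations and uses a constructed hour of measures; it also shows how few lost probe packets the PL threshold tolerates and how the mean OWD can hide one degraded path.

```python
# Added illustration of the hourly SLA check; thresholds and probe rate are from the slides.
PL_THRESHOLD_PCT = 0.05      # Packet Loss <= 0,05%
OWD_THRESHOLD_MS = 20.0      # One Way Delay <= 20 ms
RELATIONS = 16               # traffic relations measured every hour
PKTS_PER_RELATION = 10 * 60  # 10 packets/min for one hour


def hourly_sla(measures):
    """measures: 16 tuples (packets_lost, mean_owd_ms), one per traffic relation.
    Assumption: the hourly average is the arithmetic mean over the relations."""
    if len(measures) != RELATIONS:
        raise ValueError("expected one measure per traffic relation")
    pl = sum(100.0 * lost / PKTS_PER_RELATION for lost, _ in measures) / RELATIONS
    owd = sum(delay for _, delay in measures) / RELATIONS
    return {"pl_pct": pl, "owd_ms": owd,
            "pl_ok": pl <= PL_THRESHOLD_PCT, "owd_ok": owd <= OWD_THRESHOLD_MS}


def loss_budget():
    """Largest number of lost probe packets per hour that still meets the PL threshold."""
    total = RELATIONS * PKTS_PER_RELATION
    lost = 0
    while 100.0 * (lost + 1) / total <= PL_THRESHOLD_PCT:
        lost += 1
    return lost


def worst_relation(measures):
    """Index and OWD of the slowest relation, which the hourly mean can hide."""
    index = max(range(len(measures)), key=lambda i: measures[i][1])
    return index, measures[index][1]


# Constructed hour: 15 healthy relations and one degraded path (5 lost, 100 ms).
SAMPLE_HOUR = [(0, 10.0)] * 15 + [(5, 100.0)]

if __name__ == "__main__":
    print(hourly_sla(SAMPLE_HOUR), loss_budget(), worst_relation(SAMPLE_HOUR))
```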
QXN SLA Monitoring and Reporting
SPC Domain Name System
• SPC DNS is a federated system with the participation of:
• PAs DNS
• Q-ISPs DNS
• QXN DNS
• Main goal: to ensure that all IP traffic related to the PA domain resolution process is completely confined within the SPC environment.
• This provides the highest level of security to the critical applications run by PAs (e.g. Protocollo Informatico), because they can be based on domains/hosts that cannot be reached or viewed from outside SPC.
DNS SPC Architecture
[Figure: DNS SPC architecture. Elements shown: the Internet DNS root server and an Internet server; DNS QXN in QXN; DNS Q-ISP1 and DNS Q-ISP2 in Q-ISP1 and Q-ISP2; DNS PA1, Client PA1 and Server PA1 in Public Administration #1; DNS PA2 in Public Administration #2; DNS PAn in Public Administration #n.]
DNS SPC – functional model
• PA DNS
• It is the authoritative DNS for all domain zones belonging to the PA
• It replicates all the PA’s zone files to the Q-ISP’s DNS (zone transfer/notify mechanism)
• It sets the Q-ISP’s DNS as forwarder for all domain zones it is not authoritative for.
• Q-ISP DNS
• It is set as slave to the PA’s DNS
• It is the authoritative DNS for domain zones belonging to all PAs served by the Q-ISP
• It replicates all its zone files to the QXN DNS (zone transfer/notify mechanism)
• It sets the QXN DNS as forwarder for all domain zones it is not authoritative for.
• QXN DNS
• It is set as slave to the Q-ISPs’ DNSs.
• It is the authoritative DNS for domain zones belonging to all PAs participating in SPC.
• It sets the Internet Root Servers as forwarders for all domain zones it is not authoritative for.
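The forwarder chain above can be traced for any query to see which tier answers it and whether resolution ever leaves SPC. This is an added example, not the SPC DNS configuration; the zone names, server labels and the PA-to-Q-ISP assignment are constructed placeholders.

```python
# Added model of the three-tier SPC DNS hierarchy; all names are constructed.
PA_ZONES = {"pa1.example": "qisp1", "pa2.example": "qisp1", "pa3.example": "qisp2"}


def build_tiers(pa_zones):
    """Result of zone transfer/notify: the zones each upper tier is authoritative for."""
    qisp_zones = {}
    for zone, isp in pa_zones.items():
        qisp_zones.setdefault(isp, set()).add(zone)   # Q-ISP DNS is slave to its PAs
    qxn_zones = set(pa_zones)                         # QXN DNS is slave to every Q-ISP
    return qisp_zones, qxn_zones


def zone_of(qname, zones):
    """Return the zone in `zones` that contains qname, or None."""
    for zone in zones:
        if qname == zone or qname.endswith("." + zone):
            return zone
    return None


def resolve_path(client_zone, qname, pa_zones=PA_ZONES):
    """List the DNS servers a query from a client of `client_zone` passes through."""
    qisp_zones, qxn_zones = build_tiers(pa_zones)
    isp = pa_zones[client_zone]
    path = ["dns-" + client_zone]
    if zone_of(qname, {client_zone}):
        return path                      # answered by the PA's own DNS
    path.append("dns-" + isp)            # PA DNS forwards to its Q-ISP DNS
    if zone_of(qname, qisp_zones[isp]):
        return path
    path.append("dns-qxn")               # Q-ISP DNS forwards to QXN DNS
    if zone_of(qname, qxn_zones):
        return path
    path.append("internet-root")         # only non-SPC names reach the Internet
    return path


def leaves_spc(client_zone, qname):
    """True when resolving qname requires going outside SPC."""
    return "internet-root" in resolve_path(client_zone, qname)


if __name__ == "__main__":
    for name in ["www.pa1.example", "www.pa2.example", "mail.pa3.example", "www.example.org"]:
        print(name, resolve_path("pa1.example", name))
```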
DNS SPC – Functional model (Notify / Zone Transfer mechanism)
[Figure: Notify / Zone Transfer mechanism. A change in the PA1.it or PA#n.it zone file (e.g. an MX record) is propagated by DNS Notify and Zone Transfer among DNS PA1 … DNS PAn, DNS Q-ISP1 and DNS Q-ISP2, and DNS QXN.]
DNS SPC – Functional model (Query mechanism)
[Figure: Query mechanism. Query paths from Client PA1 for Server PA1, Server PA2, Server PA3 and an Internet server, across DNS PA1, DNS Q-ISP1 and DNS Q-ISP2, DNS QXN and the Internet DNS root server.]
Who are QXN customers?
• Current
• The 4 major Italian Telco Operators (BT, TI, Wind, Fastweb)
• SPC Management Center (CG-SPC)
• Coming next
• Application Cooperation Centers
• Regione Toscana Community Network
• Future
• Node for PAs’ VoIP interconnection (NIV)
• Other Q-ISPs (with national or regional scope) fulfilling requirements set by the QXN Board and Technical Committee according to general certification criteria set by CNIPA
• QCN: Qualified Community Networks
Thank you for your attention
www.qxn-scpa.it
www.qxn.it