China’s modern Internet architecture – a framework for effective and efficient Internet traffic communication or model for mass censorship

// March 14th, 2013 // Technology

China map

When it comes to Internet architecture, China has a huge advantage over the rest of the world.  Given its relatively new elevated economic status (the Internet was not introduced to China until 1994), China is in the unique position to build its Internet, from the ground up, using proven and sound architectural schemas and new technology (in contrast to their mobile networks which rely primarily on imported technology from Europe and North America).  The benefit to China is an inherent ability to control malware and other malicious attacks.  The disadvantage of course, is the “control” over the framework also allows China to efficiently and effectively censor what its citizens are allowed to do on the Net.

Source Address Validation Architecture (SAVA)

China’s next-generation backbone is built around a security feature known as Source Address Validation Architecture (SAVA). Many of the existing security problems stem from an inability to authenticate IP addresses of computers that try to connect to your network. SAVA fixes this by adding checkpoints across the network. The SAVA checkpoints build up a database of trusted computers matched up with their IP addresses. Packets of data will be blocked if the computer and IP address don’t match. The result is that malicious spoofing becomes near impossible, instead of ludicrously easy.  Steve Wolff, one of the internet’s early pioneers, calls it a “model that should be much more widely adopted”.  Manipulation of SAVA is also key to bypassing, or penetrating, nodes within the Chinese network.

Source Address Validation Improvement (SAVI)

In addition to SAVA , Source Address Validation Improvement (SAVI) is deployed across all CNGI-CERNET2 (Chinese Education and Research Network, an academic research network – see Details below) access switches between individual hosts in IPv6 subnets and their corresponding default routers.  The SAVI devices monitor control packets sent by a host for a legitimate IP address, and then binds the IP address to a host (as specified by a particular link layer property of the host’s network attachment or binding anchor), filtering out the packets found to be inconsistent with the binding entry.  Devices in the IPv6 subnet (a college campus for instance) implement SAVI and are programmed so that the SAVI feature cannot be disabled.

Exclusive use of IPv6

China also has a national internet backbone in place that operates under IPv6 as the native network protocol.   IPv4 as its core technology, is facing increasingly severe technical challenges: an insufficient number of network addresses (thus limiting the large-scale expansion of the network); poor credibility (resulting from a large number of security flaws); a poor ability to control Internet quality of service (thus leaving high-quality network services unguaranteed); network bandwidth and performance levels which cannot always meet the needs of users; and difficulties in achieving a highly efficient mobile Internet, owing to the different systems of traditional wireless mobile communications technology and Internet technology. IPv6 solves many of the problems inherent in the IPv4 protocol (but introduces an additional problem – the translation of IPv4 addresses, which the rest of the world relies on, to IPv6 addresses).

All major ISPs participated in China’s Next Generation Internet project.  China Telecom, China Unicom, China Netcom (now merged with Unicom), China Mobile and China Railcom (now merged with China Mobile) have built their own IPv6 backbone networks based on IPv6/IPv4 dual-stack technologies. As a research-oriented ISP, the China Education and Research Network (CERNET) chose to build an IPv6-only backbone, (CNGI-CERNET2). The transition between IPv4 and IPv6 addresses can be accomplished via translation or tunneling (or a combination of both) via a mechanism known as 4over6.  China’s Internet utilizes both stateless and stateful methods in 4over6 to translate IP addresses.  Whether a stateless or stateful method is used depends on the specific scenario.

Scalable Processing Capacity

China’s Internet architecture shoots for scalable processing capacity of network nodes: as the demands of users grow, the core exchange node of the next generation Internet should have scalable processing capacity.

Connectionless QOS controls

China’s next generation internet aims for a connectionless quality-of-service control mechanism.  Achieving quality-of-service control based on hop-by-hop and connectionless routing is one of the goals of next generation Internet research, and is believed to have the capacity to improve performance scalability and service scalability.

The Details (important points)

Chinese Internet network topology

There were 59 giga-points of presence (PoPs) developed in Chinese IPv6 backbone networks, extending the IPv6 network to over 22 major cities. More than 270 access networks are connected to this IPv6 backbone.

Two IPv6 international exchange centers were established, the CNGI-6IX (aka CNGI-BJIX – AS 23911) and CNGI-SHIX (AS 38035). CNGI-6IX is located at the Tsinghua University in Beijing.  The CNGI-CERNET2 (AS 23910) core network runs through this exchange  and interconnects to the six demonstration core networks of CNGI: China Telecom, China Unicom, China Network Communications/CAS (Chinese Academy of Science), China Mobile and China Railway Communications.  It  also connects with the US Internet2 network, the European GEANT2 network, and the Asia-Pacific APAN network.  As of 2010, CNGI-6IX router equipment consisted of Cisco CRS-16, Cisco GSR 12410 and Juniper T640 equipment while the switches used Cisco 7609 and Force 10 E600 hardware.

CNGI-SHIX was constructed by China Telcom and is located in Shanghai.

These CNGI-6IX and CNGI-SHIX exchange centers connect IPv6 backbone networks comprising different Chinese ISPs with each other, and also connect Chinese IPv6 networks with IPv6 ISPs in the USA, European and Asia-Pacific regions.

The CNGI-CERNET2 backbone, a core network in the CNGI-6IX exchange, is based on SAVA and runs the IPv6 protocol to connect to 25 PoPs distributed throughout 20 cities in China.  It uses the  IPv6 address block of 2001:0da8::/32.  This block was further allocated into access networks according to geographical location. Ten large cities were given a /36 block, while 12 small cities were given a /37 block. As stub nodes, each access network was given a /48 address block.

The Good

As a result of, the massive IP address space available under IPv6, China can stream hi-def television over IPv6 to its citizens, offer real-time educational classes, provide long-distance telephone service, provide remote medical services, and more effectively monitor and control the traffic flow over the Internet.  The service was dramatically introduced to the world during the 2008 Olympics in Beijing in what was the largest showcase of IPv6 technology in history.  During the Olympics, everything from security cameras, taxis, to the Olympic events cameras were networked by IPv6; the events are streamed live over the Internet while networked cars are able to monitor traffic conditions readily.

The Bad and the Ugly

But what about unexpected problems that would naturally result from a new, untried and tested Internet architecture?  Hackers know that the routing is critically important for both successful penetration and performance.  High traffic congestion (possibly caused by a performance bottleneck with IPv4 is converted to IPv6, assuming the addresses are translated and not tunneled, or from an improperly layered SAVA) into and out of the country is notorious and it can be assumed that specific nodes in the route can be buggy.

 

Critical terms and data points

Natural Science Foundation of China (NSFC) In 2003, set up research into Next Generation Internet
National 973 program A major state-funded basic research development program in China
CNGI China Next-Generation Internet – project started in 2003 involving eight ministries  including the China Reform and Development Commission,Ministry of Industry and Information Technology, Ministry of Education, China National Science Foundation Commission, etc.
Autonomous System Number (AS) A collection of connected Internet Protocol (IP) routing prefixes – three categories: multihomed, stub, and transit.
OSPFv3 Protocol for exchanging routing information within each individual access network.  E.g. CNGI-CERNET2 communicate using OSPFv3 within AS 23910.
China Internet Network Information Center (CNNIC) The administrative agency responsible for Internet affairs under the Ministry of Information Industry of the People’s Republic of China. It is based in the Zhongguancun high tech district of Beijing. CNNIC is responsible for operating and administering China’s domain name registry.
Source Address Validation Architecture (SAVA) Authenticates source IP addresses ensuring they are authorized, unique, and traceable.
Source Address Validation Improvement (SAVI) A device monitors control packets sent by a host for a legitimate IP address, and then binds the IP address to a host (as specified by a particular link layer property of the host’s network attachment or binding anchor), filtering out the packets found to be inconsistent with the binding entry.
4over6 IPv4/IPv6 networking interconnection mechanism.  It consists of a control plane and a data plane.  It is mainly composed of two parts: the control plane and the data plane. The control plane is based on border-gateway protocol and designed to advertise 4over6 tunnels and IPv4 network prefixes. It is also in charge of maintaining routing and encapsulation information.  The data plane uses standard IP encapsulation and decapsulation performed at IPv4–IPv6 dual-stack routers. We achieve IPv4 network interconnection by using routing transport on the control plane and packet transport on the data plane.
CNGI-6IX or CNGI-BJIX (AS23911) There are 7 IPv4 prefixes announced by AS23911. Examples of prefixes are 202.38.108.0/24 and 202.38.109.0/24. There are 2 IPv6 prefixes announced by AS23911. Examples of prefixes are 2001:252::/32 and 2001:7fa:5::/48. There are 5 IPv4 peers detected for AS23911. Examples of peers are AS4538 and AS11537. There are3 IPv6 peers detected for AS23911. Examples of peers are AS6939 and AS22388.

 

CNGI participants

–CERNET2 (AS23910)

–China Telecom (AS4134)

–China Unicom (AS9800)

–China Netcom (AS18344)

–China Mobile (AS24311)

–China Tailcom (AS24425)

Domestic Peers

-CERNET (AS4538)

-NSFCNet (AS9406)

-CJ-IPv6 (AS23912)

-Google-China (AS24424)

External Peers

-TEIN2-North (AS24489)

-APAN-JP (AS7660)

-KREONet2 (AS17579)

-HK-IX2 (AS4635)

-CUHK (AS3661)

-Google (AS15169)

-Cable & Wireless (AS1273)

-Hurricane (AS6939)

CNGI participants’ edge router

–CERNET2: Juniper T640

–China Telecom: Huawei NE80E

–China Unicom: Juniper T320

–China Netcom: Juniper T640

–China Mobile: Huawei NE80E

–China Tailcom: Huawei NE5000E

Address and Routing

•IPv6 block

–2001:252::/32

–2001:7fa:5::/48 (obsolete)

•IPv4 block

–210.25.189.0/24

Community List

•CNGI participant

–CERNET2: 23911:23910

–China Telecom: 23911:4134

–China Unicom: 23911:9800

–China Netcom: 23911:18344

–China Mobile: 23911:24311

–China Tailcom: 23911:24425

•Domestic peer

–CERNET: 23911:4538

–NSFCNet: 23911:9406

–CJ-IPv6: 23911:23912

–Google-China: 23911:24424

•External peers

–TEIN2-North: 23911:24489

–APAN-JP: 23911:7660

–KREONet2: 23911:17579

–HK-IX2: 23911:4635

–CUHK: 23911:3661

–Google: 23911:15169

–Cable & Wireless: 23911:1273

–Hurricane: 23911:6939

 

Other diagrams and charts

 

China Next Generation Internet

 

China Next Generation Internet

 

Beijing Equipment

China Next Generation Internet





« « Previous Article: Samsung Galaxy S4 fizzle but device does solidify position as king of the mobile arena – for now…     » » Next Article: Facebook’s latest blunder – bypasses Google Play store with latest software update causing confusion and problems for many users


Leave a Reply

You must be logged in to post a comment.

%d bloggers like this: