8/18/2019 IP Engineering Overview http://slidepdf.com/reader/full/ip-engineering-overview 1/294 IP Engineering Overview Wray Castle Limited Bridge Mills, Stramongate, Kendal, LA9 4UB, UK. [email protected] www.wraycastle.com © Wray Castle Limited all rights reserved



Page 2: IP Engineering Overview

8/18/2019 IP Engineering Overview

http://slidepdf.com/reader/full/ip-engineering-overview 2/294

 

Page 3: IP Engineering Overview

8/18/2019 IP Engineering Overview

http://slidepdf.com/reader/full/ip-engineering-overview 3/294

© Wray Castle Limited

IP ENGINEERING OVERVIEW

First published 2003. Last updated December 2004.

WRAY CASTLE LIMITED, BRIDGE MILLS, STRAMONGATE, KENDAL, LA9 4UB, UK

Yours to have and to hold but not to copy

The manual you are reading is protected by copyright law. This means that Wray Castle Limited could take you and your employer to court and claim heavy legal damages.

Apart from fair dealing for the purposes of research or private study, as permitted under the Copyright, Designs and Patents Act 1988, this manual may only be reproduced or transmitted in any form or by any means with the prior permission in writing of Wray Castle Limited.


CONTENTS

Section 1 IP Networks Overview
Section 2 IP Network Services
Section 3 Service Provider Architectures
Section 4 Future Directions in IP Engineering


SECTION 1

IP NETWORKS OVERVIEW


SECTION CONTENTS

1 Background to the Internet and ISPs ..... 1.1
1.1 Internet History ..... 1.1
1.2 Emergence of Commercial Operations ..... 1.3
1.3 The Changing Architecture of the Public Internet ..... 1.3
1.4 Internets, Intranets and the Internet ..... 1.5
1.5 Service Providers (SPs) ..... 1.5

2 The Internet Paradigm ..... 1.7
2.1 Switching Approaches ..... 1.7
2.2 Circuit Switching ..... 1.9
2.3 Packet Switching ..... 1.11
2.4 Connectionless Versus Connection-Oriented Switching ..... 1.13
2.5 How High-Functionality IP Networks Alter The Paradigm ..... 1.15

3 Data Link Layer Protocols ..... 1.17
3.1 The OSI and TCP/IP Protocol Stacks ..... 1.17
3.2 The Role of L2 Protocols in the WAN ..... 1.19
3.3 The Types of Layer 2 Switching ..... 1.21
3.4 ATM as an L2 Switching Protocol for IP Traffic ..... 1.23
3.5 Introduction to MPLS ..... 1.25
3.6 MPLS as an L2 Switching Protocol ..... 1.27
3.7 MPLS Forwarding Plane ..... 1.27
3.8 MPLS Control Plane ..... 1.29

4 The IP Layer ..... 1.31
4.1 IP Datagram Forwarding ..... 1.31
4.2 IP Address Classes ..... 1.33
4.3 IP Subnet Masks ..... 1.35
4.4 Network and Host Addresses ..... 1.37
4.5 Control of IP Addresses ..... 1.37
4.6 Network and Host Addresses ..... 1.39
4.7 Subnetting IP Networks ..... 1.41
4.8 Implementation ..... 1.41
4.9 Classless Interdomain Routing (CIDR) ..... 1.43
4.10 CIDR Example ..... 1.45

5 The Transport Layer ..... 1.47
5.1 Introduction ..... 1.47
5.2 The Functions of Transmission Control Protocol (TCP) ..... 1.49
5.3 The Functions of User Datagram Protocol (UDP) ..... 1.51

6 The Domain Name System (DNS) ..... 1.53
6.1 The Role of the DNS ..... 1.53
6.2 The Overall Architecture of the DNS ..... 1.55
6.3 DNS Operation ..... 1.57
6.4 Zones of Authority ..... 1.57
6.5 Name Resolution ..... 1.59
6.6 DNS Implementation ..... 1.61
6.7 Types of DNS Server ..... 1.63
6.8 Querying the Domain Name System ..... 1.65

7 The Application Layer ..... 1.67
7.1 Hypertext Transfer Protocol (HTTP) for Web Services ..... 1.67
7.2 Simple Mail Transfer Protocol (SMTP) E-mail ..... 1.69
7.3 POP3 and IMAP for E-mail Services ..... 1.71
7.4 Post Office Protocol (POP) ..... 1.71
7.5 Internet Message Access Protocol (IMAP4) ..... 1.71

8 Section 1 Questions ..... 1.73


SECTION OBJECTIVES

At the end of this section you will be able to:

• explain the evolution of public service Internet Protocol (IP) networks

• compare and contrast the features of traditional data networks with IP networks

• explain the key functions of the IP network layer and IP addressing schemes

• describe the key transport and application-layer protocols of public service IP networks


1 BACKGROUND TO THE INTERNET AND ISPS

1.1 Internet History

In 1969, the Advanced Research Projects Agency (ARPA) funded a research and development project to create an experimental ‘packet switching’ network. This network was called ARPANET and was built in order to study techniques for the provision of a robust, reliable, vendor-independent data communications system.

As a direct result of the success of ARPANET, many of the organizations involved in its development began to use it and, in 1975, the experimental network was converted into an operational one, with responsibility for it being given to the Defense Communications Agency (DCA). During this time, the early development of the basic Transmission Control Protocol/Internet Protocol (TCP/IP) took place.

The TCP/IP protocols were adopted as Military Standards (MIL STD) in 1983, and all hosts that were to connect to the ARPANET were required to convert to these protocols. At the same time, the term Internet came into common use with the division of ARPANET into two new networks. These were MILNET, the unclassified part of the Defense Data Network (DDN), and a new, smaller ARPANET. The term ‘Internet’ was thus used to refer to the entire network, which comprised MILNET and ARPANET.

In 1985, the National Science Foundation (NSF) became involved by creating the NSFNet, which was connected to the Internet. The original NSFNet comprised five NSF super-computer centres, yet was still smaller than ARPANET and was restricted to data rates of only 56 kbit/s. However, the creation of NSFNet was a significant milestone in the development of the Internet as it brought a new vision of how the Internet should be used. The NSF wanted every scientist and engineer in the United States of America to be connected and, as such, it created a new, faster backbone network that connected regional and local networks.

In 1990, the ARPANET formally passed out of existence. NSFNet ceased its role as the primary Internet backbone network in 1995.

In 1998, the Internet Corporation for Assigned Names and Numbers (ICANN) was established to take responsibility for Internet address management.


Figure 1 Internet Development (timeline): 1969 – Advanced Research Projects Agency funds research, ARPANET; 1975 – Defense Communications Agency takes responsibility, TCP/IP development begins; 1983 – TCP/IP protocols adopted as standard, Internet formed (MILNET, ARPANET); 1985 – National Science Foundation creates NSFNet; 1990 – ARPANET and NSFNet cease overall responsibility; 1998 – competition introduced with the establishment of ICANN


1.2 Emergence of Commercial Operations

The original ARPANET and the successor NSFNET both operated Acceptable Use Policies (AUP) that did not permit commercial use of the network, and restricted traffic to research, educational and government use. Under pressure to make the Internet a commercial entity, the NSF managed a process of handing over responsibility for various functions to new commercial Service Providers (SPs) through the 1990s, including the backbone networks, the interconnect points and various registry functions. This new model specifically allowed commercial exploitation of the Internet, and as a result massive growth in the number of attached hosts and traffic carried has continued.

In October 1998, competition was introduced in domain name registration for the top-level domains. The Internet Corporation for Assigned Names and Numbers (ICANN) was established as a not-for-profit business to take responsibility for Internet address management, management of the Domain Name System (DNS), management of assigned numbers and operation of the Internet root servers. It achieves this through cooperation with organizations including the InterNIC, the Internet Assigned Numbers Authority (IANA) and the Regional Internet Registries (RIRs) that it has accredited.

1.3 The Changing Architecture of the Public Internet

The single backbone approach of NSFNET was gradually replaced by a collection of commercial backbone providers such as Sprint and UUNet. Mergers and acquisitions in the last few years have left five major networks providing most transit within the global Internet.

The number of SPs and their peering arrangements continues to grow and become more complex. The NSF interconnect points were replaced by Network Access Points (NAPs) within North America as part of the commercialization process. These provide a facility where networks can peer, managed by an independent third party.

A large number of Internet eXchange Points (IXPs) now operate on a commercial or cooperative basis, allowing smaller ISPs to peer on a regional basis.


Figure 2 Growth of the Internet (hosts against time, from 1980; the commercial Internet era; data carried >1,000,000,000,000,000 bits/day)


1.4 Internets, Intranets and the Internet

The term internet was originally used to describe the network built upon the Internet Protocol (IP). However, the term is generic and is used to describe an entire class of networks. We will use the term ‘internet’ to mean any collection of separate physical networks, interconnected by means of the IP protocol, to form a single logical network. The ‘Internet’ is the worldwide collection of interconnected networks that grew out of the original ARPANET. It uses IP to link the various networks into a single logical global network.

Since TCP/IP is required for Internet connection, the growth of the Internet has spurred interest in TCP/IP. More organizations have become familiar with the protocol suite and have applied it to many other applications. The IP protocols are now often used for local area networking even when the Local Area Network (LAN) is not connected to the Internet. In addition, TCP/IP is also widely used in building Enterprise Networks that use Internet techniques and World Wide Web (WWW) tools to disseminate internal corporate information. These networks are referred to as ‘intranets’ and may or may not be connected to the Internet.

1.5 Service Providers (SPs)

Private organizations obtain services on the public Internet through an SP.

Internet Service Providers (ISPs) offer a range of services on the public Internet to their customers, such as dial-up access, and mail and web hosting.

IP Service Providers (IPSPs) offer business-class IP networks to their customers. Rather than an open model of interconnection with other networks, where very few restrictions on traffic flows are applied, these networks connect with other networks in a much more controlled way. By keeping general Internet traffic off these networks, the quality of service they can offer to their directly connected customers is improved. These networks still require connectivity to the public Internet to allow Internet e-mail and other services.


Figure 3 Intranets, ISPs and IP Service Providers: intranet Networks 1, 2 and 3 connect to the Internet through ISP 1, ISP 2 and ISP 3 (this connection provides traditional Internet access) and to IPSP 1, IPSP 2 and IPSP 3, three separate IP Service Providers (this connection gives the customer access to high-functionality IP services); the IPSPs’ own connections to the Internet allow Internet connectivity for IPSP customers


2 THE INTERNET PARADIGM

2.1 Switching Approaches

The two main switching approaches used in public switched networks are circuit switching and packet switching. Within packet switching, the switching process can be connection-oriented or connectionless. Connection-oriented switching provides a logical circuit from source to destination, while a connectionless approach has no concept of a circuit.

We explore these different types of switching in the next few slides.


Figure 4 Types of Switching: public switched networks are either circuit switched (physical circuit from source to destination) or packet switched; packet switching is either “connection-oriented” (virtual circuit: logical circuit from source to destination) or “connectionless” (datagram: no concept of a circuit)


2.2 Circuit Switching

Circuit switching involves a physical circuit being established between two given terminals for a period of time. The circuit is allocated to, and maintained for, the exclusive use of the terminals concerned for the whole duration of the connection. These resources only become available for use by other terminals upon release of the connection by the initial terminals.

Circuit switching has several advantages. Firstly, the end terminals/devices/users are allocated the full data carrying capability (full bandwidth) of the connection for the whole duration of the call irrespective of whether they have data to send or not. In addition, although the initial routing process (or set-up) takes a period of time to be established at the switches, further data exchange via the switches involves relatively short delays. This is because any further data exchange does not involve the analysis of addresses; instead the data simply flows through the provided physical connection. Finally, as all data for the connection takes the same physical route, the time taken for data to be transferred between terminals is kept nearly constant for the whole duration of the call.

The disadvantage of circuit switching is that the initial set-up procedure takes time, as does the final release procedure. Also, should the network fail for any reason, the connection is lost completely and a new connection would need to be created.

In addition, if the end terminals have a circuit-switched connection but no data to send, the end terminals will still hold the network resources unless they release the connection. In other words, the resources cannot be used by any other devices. This final fact is a disadvantage to both the user and the network operator. From the view of terminal owners it means that they are paying for a connection even though they may have no data to send; from the network operator’s view, it means that the network may have no resources available for users waiting to use the network.

The advantages and disadvantages of circuit switching are highlighted in Figure 5. Although the two parties, A and C, are not presently speaking, network resources are still allocated to them. In addition, they are paying for call time. Parties B and D are unable to communicate with one another even though at that moment no meaningful data is being sent across the network.

Circuit switching is important in IP engineering because dial-up access to various data networks is normally carried across a circuit-switched connection between the user and the location in the network where the data network is available.


Figure 5 Circuit Switching: short delay, constant delay, single connection affected by network failure; parties A and C hold an idle circuit while parties B and D are told “Sorry all the lines are busy”


2.3 Packet Switching

Packet switching involves the segmentation of users’ information into smaller blocks of data known as packets. Each packet is then fed into the network and passed from one switching point to the next until it reaches its destination. The network handles each packet separately; therefore each must contain some control information to allow the forwarding process to take place at each switch.

Packet switching has the advantage that each terminal-to-terminal exchange of data is not provided by a physical connection. Instead terminals share the network, each terminal being allocated network resources only as and when it has packets (or datagrams) to send.

From the users’ point of view this is advantageous as they pay only for the data sent as opposed to time connected, i.e. users can be charged per packet as opposed to per second. From the network operator’s point of view packet switching allows all users to be given access to the network and also allows for more efficient dimensioning of the network. This final fact can lead to financial saving that can ultimately result in an even lower cost per packet for the user.

In addition, as the network handles each packet separately, any failure within the network need not affect the transfer of packets itself. The network may simply route the packets via an alternative path, so bypassing any failed elements.

One disadvantage of packet switching is that the delay between a packet arriving at a switch and it being routed onwards may vary. This is because a packet switch may need to queue packets for sending onwards, the length of the queue varying with the number of packets involved with the onward leg.


Figure 6 Packet Switching: long delay, variable delay, resilient to network failures, shared resources


2.4 Connectionless Versus Connection-Oriented Switching

2.4.1 Connectionless Services

Within the packet-switched network, packets can be forwarded through the network switches on a packet-by-packet basis. In other words, when a packet arrives at a switch or router, it reads the address information within the packet and then forwards the packet on to an appropriate destination based on forwarding tables within the switch. Once the packet has been sent, the switch or router sending it has no further dealings with the packet.

Even packets that have arrived at the switch or router from the same source are treated individually. Because of this, there is no guarantee that packets sent by a single source will take the same path through the network, thus it is possible that packets could arrive at their destination out of sequence. In other words, the forwarding device makes no association between any packets that it receives or sends. When a network operates in this manner it is said to be providing a connectionless service to the users.

2.4.2 Connection-Oriented Services

It is possible for a packet-switched network to provide what is termed a connection-oriented service to its users. When providing a connection-oriented service, information must first be passed across the network to set up a path for a user’s data. This path is termed a logical connection, virtual circuit or software-defined data path. The network then makes an association between all the packets sent from and to a specific user. This association allows the network to forward all of the packets for a specific user via the same path through the network, thus ensuring that packets arrive at the destination in the same order that they were sent. At the end of the data exchange, information is sent across the network to release the logical connection. This set-up and release of virtual circuits is analogous to setting up and releasing a physical circuit in circuit switching. Some delay is associated with these set-up and release operations. User packets cannot be forwarded until the virtual circuit has been set up.

With a connection-oriented service, users appear to have their own connection through the network but it must be borne in mind that this is a logical connection only and that other users may use segments of the physical connection.


Figure 7 Connectionless and Connection-Oriented Services: connectionless service (Packet 1 and Packet 2 take different paths, so packets may arrive out of sequence) versus connection-oriented service (guaranteed sequenced delivery)


2.5 How High-Functionality IP Networks Alter The Paradigm

The traditional best-endeavours model of IP networks and services is unsatisfactory for most business users. These users typically expect guarantees on network performance that a conventional IP network cannot provide. As a result, many of the techniques of connection-oriented packet-switched networks have been developed as optional components of IP networks, and are widely deployed in SP networks.

Two or more Classes of Service (CoS) may be offered to customers, with different guarantees on performance for each of these.

Traffic policing may be applied on the customer access circuit to ensure that the contracted data rates per CoS are not exceeded.

Sophisticated queuing techniques may be applied in the network routers to implement the CoS behaviour expected by customers.

Policy controls and route filtering may be applied to control how traffic is carried across the network, and how it enters and leaves the network.

As well as measures at the IP layer, data link layer traffic engineering may be implemented to help control how traffic is carried, and more sophisticated restoration schemes may be implemented to ensure service outages are within acceptable limits to the customer.

Therefore IP networks can broadly be categorized as:

• Private enterprise networks (intranets) – these only carry the traffic of the owning organization.

• Public, low functionality networks – these are typically part of the Internet structure, although they need not be. They carry traffic on a best-endeavours basis, and are offered by traditional ISPs.

• Public, high functionality networks – these typically connect to the public Internet as well as to customer networks, but carefully control the traffic flows, types and utilization using the techniques outlined above. These networks are offered by IPSPs.
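The following is an added illustration of the two access-circuit mechanisms described above (per-CoS traffic policing and CoS-aware queuing); it is not code from this manual or from Wray Castle. It models a token-bucket policer per class feeding either a best-endeavours FIFO queue or a strict-priority queue with a shared finite buffer, and runs a constructed traffic trace through both so the contrast of Figure 8 can be measured: under best-endeavours queuing an over-subscribing low-priority customer causes high-priority packets to be dropped, whereas policing plus QoS-aware queuing confines the loss to the class that exceeded its contract. The rates, buffer sizes, packet sizes and the trace are all constructed values chosen to make the arithmetic easy to follow.

```python
"""Added illustration (not from the manual): token-bucket policing per CoS on a
customer access circuit, feeding a best-endeavours FIFO queue or a QoS-aware
strict-priority queue.  All rates, buffer sizes and the trace are constructed."""
from collections import deque


class TokenBucketPolicer:
    """Police one CoS to a contracted rate with a bounded burst allowance."""

    def __init__(self, rate, burst):
        self.rate = rate        # contracted rate in bytes per tick (constructed unit)
        self.burst = burst      # bucket depth: the largest burst ever admitted, bytes
        self.tokens = burst     # bucket starts full
        self.last = 0           # tick at which the bucket was last refilled

    def conforms(self, now, size):
        """Refill for the elapsed ticks, then admit the packet only if tokens cover it."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False            # out of contract: discarded at the access router


class FifoQueue:
    """Best-endeavours queue: a single buffer with tail drop regardless of CoS."""

    def __init__(self, capacity):
        self.capacity, self.pkts = capacity, deque()
        self.dropped = {"high": 0, "low": 0}

    def enqueue(self, pkt):
        if len(self.pkts) >= self.capacity:
            self.dropped[pkt["cos"]] += 1
        else:
            self.pkts.append(pkt)

    def dequeue(self):
        return self.pkts.popleft() if self.pkts else None


class PriorityQueue:
    """QoS-aware queue: strict priority on dequeue, and when the shared buffer is
    full a queued low-priority packet is sacrificed rather than refusing a
    high-priority arrival."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.high, self.low = deque(), deque()
        self.dropped = {"high": 0, "low": 0}

    def enqueue(self, pkt):
        if len(self.high) + len(self.low) >= self.capacity:
            if pkt["cos"] == "high" and self.low:
                self.low.pop()              # evict the newest low-priority packet
                self.dropped["low"] += 1
            else:
                self.dropped[pkt["cos"]] += 1
                return
        (self.high if pkt["cos"] == "high" else self.low).append(pkt)

    def dequeue(self):
        if self.high:
            return self.high.popleft()
        return self.low.popleft() if self.low else None


# Constructed trace of (tick, cos, size_bytes).  Each tick the low-priority class
# offers 2000 bytes against a 500 byte/tick contract (a 1000-byte burst allowance),
# while the high-priority class stays inside its 1000 byte/tick contract.
TRACE = [(t, cos, 500) for t in range(3) for cos in ("low",) * 4 + ("high",) * 2]


def run(queue, link_pkts_per_tick=2):
    """Police each class, queue the survivors, serve the link at a fixed packet
    rate, and return per-class counters: offered, policed, delivered, queue_dropped."""
    policers = {"high": TokenBucketPolicer(rate=1000, burst=2000),
                "low": TokenBucketPolicer(rate=500, burst=1000)}
    stats = {c: {"offered": 0, "policed": 0, "delivered": 0} for c in ("high", "low")}
    for tick in range(max(t for t, _, _ in TRACE) + 1):
        for t, cos, size in TRACE:
            if t != tick:
                continue
            stats[cos]["offered"] += 1
            if policers[cos].conforms(tick, size):
                queue.enqueue({"cos": cos, "size": size})
            else:
                stats[cos]["policed"] += 1
        for _ in range(link_pkts_per_tick):          # link drains 2 packets per tick
            pkt = queue.dequeue()
            if pkt is None:
                break
            stats[pkt["cos"]]["delivered"] += 1
    while (pkt := queue.dequeue()) is not None:      # drain the buffer after the burst
        stats[pkt["cos"]]["delivered"] += 1
    for cos in stats:
        stats[cos]["queue_dropped"] = queue.dropped[cos]
    return stats


if __name__ == "__main__":
    print("best endeavours:", run(FifoQueue(capacity=3)))
    print("QoS-aware      :", run(PriorityQueue(capacity=3)))
```

With the constructed numbers the policer admits all six high-priority packets and only four of the twelve low-priority packets in both runs; the difference is entirely in the queue. The FIFO run delivers three high-priority packets and tail-drops three, while the priority-queue run delivers all six high-priority packets and pushes every buffer drop onto the class that was out of contract. The eviction rule in PriorityQueue.enqueue is deliberately simple (newest low-priority packet first); a production scheduler would also bound how long the low class can be starved.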


Figure 8 Low- and High-Functionality IP Networks: Customer 1 and Customer 2 premises routers connect through customer access routers to core network routers. Low functionality: overuse by one customer leaves other customers starved of bandwidth; contention on the customer access circuit causes high-priority traffic to be dropped; best-endeavours queuing in core routers causes high-priority traffic to be dropped when congestion occurs. High functionality: traffic policing ensures that only the contracted traffic quantity is accepted; Diffserv CoS on the access circuit protects high-priority traffic; QoS-aware queuing in core routers selects low-priority traffic to drop, and protects high-priority traffic


3 DATA LINK LAYER PROTOCOLS

3.1 The OSI and TCP/IP Protocol Stacks

The OSI Seven-Layer Reference Model was developed before internetworking based upon the IP protocols became widespread. The developers of the TCP/IP suite produced a five-layer model, where the higher layers of the OSI model are collapsed into a single application layer.

The TCP/IP model can be described as follows:

Layer 1: Physical Layer
Layer 1 deals with the physical network hardware, just as Layer 1 in the OSI Seven-Layer Reference Model does.

Layer 2: Link Layer
Layer 2 protocols deal with how to organize data into frames and how a host transmits these frames over a network. Once again, these protocols are similar to the Layer 2 protocols in the OSI Seven-Layer Reference Model.

Layer 3: Internet Layer
Layer 3 protocols specify the format of the packets which are sent across the Internet as well as the mechanisms used to forward packets from a computer through one or more ‘routers’ to a final destination.

Layer 4: Transport Layer
Layer 4 protocols in the TCP/IP suite are similar to those in the OSI Seven-Layer Model in that they ensure reliable transfer of messages.

Layer 5: Application Layer
Layer 5 protocols in this model correspond to Layers 5, 6 and 7 in the OSI Model. These protocols specify how an application uses an internet.

TCP/IP can, therefore, be looked upon as a family of protocols, each designed to solve a particular network communication problem.


Figure 9 The TCP/IP Protocol Suite (mapping to OSI layers): APPLICATION LAYER – OSI Layers 5–7; TRANSPORT LAYER – OSI Layer 4; INTERNET LAYER – OSI Layer 3; LINK LAYER – OSI Layer 2; PHYSICAL LAYER – OSI Layer 1


3.2 The Role of L2 Protocols in the WAN

The Link Layer in an IP network operates immediately below the IP layer, and so provides services to it. Whereas the IP layer is responsible for end-to-end transport of the data between hosts across the network, the link layer is responsible for transport on individual links of the network, between hosts and routers, and between intervening routers.

Link layer protocols normally operate in one of three modes:

• connectionless, across a point-to-point connection

• connectionless, across a shared medium

• connection-oriented, across a virtual circuit-switched network


Figure 10 The Role of Layer 2 Protocols: IP (Layer 3) is carried between routers over Layer 2 technologies (Ethernet, Token Ring, ATM) operating connectionless (point-to-point), connectionless (shared medium) or connection-oriented (virtual circuit network)


3.3 The Types of Layer 2 Switching

It is important to understand the distinction between connection-oriented and connectionless Layer 2 networks, as this affects how IP operates across them.

When a traditional shared medium network such as Ethernet is partitioned using Ethernet switching, the complete network retains the ability to broadcast frames, because ‘Ethernet’ is a connectionless switching technology. The IP layer uses these broadcast frames to discover the address mapping between the IP layer and the connectionless Layer 2 addresses of hosts and interfaces.

The use of switches can improve the performance of ‘Ethernet’ by reducing the number of hosts that share a particular medium. However, this is still connectionless switching, and still retains the ability to use broadcast frames across the entire switched network.

Connection-oriented Layer 2 networks use virtual circuits to connect hosts. They have no ability to send packets to a destination address until the Layer 2 address of the destination is known. Therefore, conventional IP techniques for address resolution between the IP and Layer 2 addresses are not available. Although these connection-oriented Layer 2 technologies are more scalable than the connectionless approaches, the lack of broadcast makes interworking with IP networks more difficult.


Figure 10 (repeated) The Role of Layer 2 Protocols

Page 36: IP Engineering Overview

8/18/2019 IP Engineering Overview

http://slidepdf.com/reader/full/ip-engineering-overview 36/294

IP2300/S1/v2.11.23 © Wray Castle Limited

3.4 ATM as an L2 Switching Protocol for IP Traffic

ATM is a Layer 2 switching technology that is widely used in public service networks¹. The architectures of IP and ATM are quite different, with different addressing schemes, forwarding approaches and control planes. Therefore little integration between the IP layer and the ATM layer is possible.

Nonetheless, ATM is widely used as a Layer 2 switching technology to carry IP traffic. Typically a set of ATM virtual circuits is established between edge routers, either through signalling, or more usually by configuration from a Network Operations Centre (NOC). Viewed from the perspective of the IP layer, these virtual circuits are simply virtual leased lines that connect adjacent routers. The IP layer has no visibility of the intervening switches. IP views the ATM protocol as just another encapsulation, similar to HDLC or PPP.

In order to route traffic correctly to the other routers across the ATM Wide Area Network (WAN), each edge router must either have static routes configured which point traffic to the correct outbound virtual circuit, or else a conventional routing protocol must run across the WAN between edge routers.

¹ Instead of variable length frames, ATM uses short, fixed-length cells to transport traffic across the network, since this makes delay and delay variation smaller and more predictable. To convert various types of traffic into cell payloads, ATM requires the use of adaptation functions at the edge of the network. As well as adding any ATM-specific headers or trailers required, the ATM adaptation process segments inbound traffic into cell payloads, and reassembles the original data structures for outbound traffic. Despite this unique aspect of ATM, it can still be considered as a Layer 2 switching technology; the adaptation process is hidden from the IP layer above it.

Figure 11: Simple IP Over ATM

Two routers, each with an Ethernet (Ether) interface towards its LAN and an ATM interface towards the WAN, are joined through ATM switches (ATM over Phys). 1. An ATM virtual circuit is established between the pair of routers. 2. The routers are adjacent at the IP layer and see the ATM network as a virtual leased line.

3.5 Introduction to MPLS

Traditionally, switches have offered greater performance than routers in terms of the speed at which data can be forwarded. However, routers can be configured to make more sophisticated decisions about the processing of datagrams. As well as forwarding a packet based upon destination IP address, a router can also classify packets based upon other header fields, including source address and TCP port numbers. This leads to the argument: why not build a device that combines fast forwarding across the core of a network with classification of packets carried out at the edge of the network? While this is essentially what an IP over ATM approach achieves, the key innovation of the MPLS approach was the use of traditional IP routing protocols to determine how these switched paths should be set up. With MPLS, for the first time, a switching model was available that was closely coupled to the IP layer it was intended to support.

The argument leads to the idea of Label Switching Routers (LSRs), devices that integrate the best of both routing and switching. Whereas traditional Layer 2 switching was not integrated with the IP layer, MPLS is closely coupled to the routing and addressing schemes of the IP layer.

Figure 12: MPLS Combines Routing and Switching

Router: sophisticated routing, Layer 3, connectionless. Switch: fast switching, Layer 2, connection-oriented. LSR (MPLS): integration of routing and switching.

3.6 MPLS as an L2 Switching Protocol

There are many similarities between the switching and forwarding operations of LSRs and the switching and forwarding of traditional Layer 2 switching technologies, such as Frame Relay and ATM. MPLS introduces some new terminology for Layer 2 switching:

• a Label Switching Router (LSR) is an MPLS Layer 2 switch

• a Label Switched Path (LSP) is an end-to-end MPLS virtual connection

• an edge-LSR is a special LSR that originates or terminates LSPs, and can classify IP traffic for forwarding across the best LSP

• a Forwarding Equivalence Class (FEC) is a grouping of IP addresses that are treated identically by the LSRs, and are forwarded along a common LSP

3.7 MPLS Forwarding Plane

The MPLS forwarding plane can operate on individual packets arriving at an edge-LSR once an appropriate LSP has been set up. When a packet arrives at the ingress edge-LSR, this router determines the outgoing port and FEC. On the assumption that LSPs have been set up, the edge-LSR will be able to identify the label to be used for the outgoing port and FEC. The edge-LSR prepends this label to the received packet and passes it out over the designated port.

The LSR receiving the MPLS packet on a given port will look up the incoming port and label entry within its Label Information Base (LIB). This will produce an outgoing port and label result. The incoming MPLS packet will then have its label swapped for the new label and is then passed out over the outgoing port (with this new label).

The LSRs within the MPLS network (as opposed to the edge-LSRs) therefore need operate at Layer 2 only. All LSRs within the MPLS network operate in this manner until the packet arrives at the egress LSR. At the egress LSR, the MPLS label is removed, the packet is passed to Layer 3, and is then routed in the normal router manner. In essence, MPLS allows Layer 3 processing to be pushed to the edge of the MPLS network.
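The push, swap and pop sequence of sections 3.6 and 3.7 as an added Python simulation (not code from the manual or from any MPLS implementation). The node names PE1, P1, P2 and PE2, the port numbers, the label values and the FEC 192.4.10.0/24 are all assumed for the example. The LIB is keyed on (incoming port, incoming label) exactly as the text describes, and a label with no LIB entry is dropped rather than forwarded, since a core LSR never looks at the IP header and so has nothing else to go on.

```python
import ipaddress


class EdgeLSR:
    """Ingress edge-LSR: classifies an IP packet into a FEC and pushes that FEC's label."""

    def __init__(self, name, fec_table):
        # fec_table: {"prefix/len": (out_port, label)}; the most specific prefix wins
        self.name = name
        self.fecs = sorted(
            ((ipaddress.ip_network(p), port, label) for p, (port, label) in fec_table.items()),
            key=lambda e: e[0].prefixlen, reverse=True)

    def forward(self, in_port, packet):
        dst = ipaddress.ip_address(packet["dst"])
        for net, port, label in self.fecs:
            if dst in net:
                # push: the new label goes in front of any labels already present
                return port, {"dst": packet["dst"], "labels": [label] + packet["labels"]}
        return None, None  # no FEC: conventional IP routing would apply (not modelled)


class LSR:
    """Core or egress LSR: LIB maps (in_port, top label) -> (out_port, out_label);
    an out_label of None means pop the label (egress behaviour)."""

    def __init__(self, name, lib):
        self.name = name
        self.lib = lib

    def forward(self, in_port, packet):
        if not packet["labels"]:
            return None, None
        entry = self.lib.get((in_port, packet["labels"][0]))
        if entry is None:
            return None, None  # unknown label: drop, never guess
        out_port, out_label = entry
        rest = packet["labels"][1:]
        labels = rest if out_label is None else [out_label] + rest
        return out_port, {"dst": packet["dst"], "labels": labels}


def trace_packet(nodes, links, ingress, packet):
    """Walk one packet through the network. links: {(node, out_port): (next_node, in_port)}.
    Returns (per-hop label stacks, packet as it leaves the MPLS domain, or None if dropped)."""
    trace = []
    name, in_port = ingress, 0  # assumed: customer traffic enters PE1 on port 0
    while True:
        out_port, packet = nodes[name].forward(in_port, packet)
        if packet is None:
            trace.append((name, "drop"))
            return trace, None
        trace.append((name, list(packet["labels"])))
        if (name, out_port) not in links:
            return trace, packet  # left the MPLS network; the egress routes it at Layer 3
        name, in_port = links[(name, out_port)]


# Assumed topology: PE1 -> P1 -> P2 -> PE2 with one LSP for FEC 192.4.10.0/24.
NODES = {
    "PE1": EdgeLSR("PE1", {"192.4.10.0/24": (1, 100)}),
    "P1": LSR("P1", {(0, 100): (1, 200)}),
    "P2": LSR("P2", {(0, 200): (1, 300)}),
    "PE2": LSR("PE2", {(0, 300): (1, None)}),  # egress: pop, then IP routing
}
LINKS = {("PE1", 1): ("P1", 0), ("P1", 1): ("P2", 0), ("P2", 1): ("PE2", 0)}


def demo():
    return trace_packet(NODES, LINKS, "PE1", {"dst": "192.4.10.3", "labels": []})


if __name__ == "__main__":
    for hop in demo()[0]:
        print(hop)
```

The trace shows the label changing at every hop (100, 200, 300) while the IP header is untouched, and the egress delivering a plain IP packet; the labels have only link-local meaning, which is why the LIB must be keyed on the incoming port as well as the label.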

Figure 13: MPLS Forwarding of Packets

An IP packet (header A) arrives from upstream at the ingress edge-LSR, which pushes label A and sends the MPLS packet downstream. Each LSR in the MPLS network performs label swapping (label A to label B, then label B to label C) using its LIB. The egress edge-LSR removes the label and forwards the original IP packet. The figure notes that both edge-LSRs and LSRs operate at L2 and L3.

3.8 MPLS Control Plane

ATM and Frame Relay use a development of traditional ISDN signalling protocols to set up, tear down and manage virtual circuits. This is known as a data driven approach.

MPLS generalizes this approach, and allows LSPs to be set up in several different ways:

• by extensions to traditional IP routing protocols such as Border Gateway Protocol (BGP)

• by a specialized IP signalling protocol, Resource Reservation Protocol (RSVP)

• by a dedicated label distribution protocol operating between LSRs, Label Distribution Protocol (LDP)

However the LSPs are set up, once they are in place, the forwarding and switching operations carried out by LSRs are identical.

Figure 14: MPLS Control Plane Options

1. Extensions to the BGP protocol carry LSP information between LSRs.
2. The RSVP protocol is used to signal the set-up of an LSP, as required by data flows.
3. The LDP protocol distributes LSP information between adjacent LSRs.

Both edge-LSRs and LSRs operate at L2 and L3.

4 THE IP LAYER

4.1 IP Datagram Forwarding

Because IP networks operate a connectionless forwarding model, the routers hold no information about the flow of packets; the routing decision is made independently for each packet arriving at each router along its path. The router makes this decision by comparing the destination address of an incoming packet with the entries already held in its routing table. The most specific match in the routing table to the destination address (the longest prefix match) is used to find the next hop for this packet.

We can see from Figure 15 that the routing table contains three parameters: a Destination field, which contains network addresses, an Address Mask that specifies which bits of the destination correspond to the network ID, and finally a Next Hop field, which contains the IP address of the next router, or marks the destination network as directly connected.

For example, if we consider a datagram addressed to 192.4.10.3 and assume the datagram arrives at Router #2, which holds the routing table shown in Figure 15, the router software searches the routing table for the most specific matching entry. The entry for 192.4.10.0 matches, and gives the next hop 128.1.0.9 (Router #3), which is directly attached to network 192.4.10.0 and delivers the datagram.

Figure 15: IP Datagram Forwarding

Topology as drawn: Router #1 (30.0.0.7, 40.0.0.7) joins networks 30.0.0.0 and 40.0.0.0; Router #2 (40.0.0.8, 128.1.0.8) joins networks 40.0.0.0 and 128.1.0.0; Router #3 (128.1.0.9, 192.4.10.9) joins networks 128.1.0.0 and 192.4.10.0, to which host 192.4.10.3 is attached.

Simplified Routing Table for Router #2

  Destination    Next Hop
  40.0.0.0       Direct
  30.0.0.0       40.0.0.7
  128.1.0.0      Direct
  192.4.10.0     128.1.0.9
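Per-packet longest-prefix-match lookup on Router #2's table from Figure 15, as an added Python example (not code from the manual). The masks are assumed to be the classful defaults the figure implies, and the default route 0.0.0.0/0 via 40.0.0.7 is an added assumption, included to show that the least specific entry is used only when nothing better matches. Routes with host bits set under their mask are rejected at insertion, a check that catches a common misconfiguration before it silently matches the wrong traffic.

```python
import ipaddress

DIRECT = "Direct"


class RoutingTable:
    """Destination/mask/next-hop entries, searched most specific first."""

    def __init__(self):
        self.routes = []  # (network, next_hop), kept sorted longest prefix first

    def add(self, destination, mask, next_hop):
        # strict=True raises ValueError if host bits are set, e.g. 192.4.10.3/255.255.255.0
        net = ipaddress.ip_network(f"{destination}/{mask}", strict=True)
        self.routes.append((net, next_hop))
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        for net, next_hop in self.routes:  # first hit is the longest match
            if addr in net:
                return net, next_hop
        return None


def forward(table, dst):
    """Forwarding decision for one datagram, made independently of any other datagram.

    Returns (matched route, next hop). A next hop of 'Direct' means the datagram is
    delivered on the attached network to the destination's own Layer 2 address
    (resolved with ARP). None means no route: the datagram is dropped and a real
    router would return an ICMP Destination Unreachable message.
    """
    hit = table.lookup(dst)
    if hit is None:
        return None
    net, next_hop = hit
    return str(net), next_hop


def router2_table(with_default=True):
    """Router #2's table from Figure 15, with classful default masks assumed."""
    t = RoutingTable()
    t.add("40.0.0.0", "255.0.0.0", DIRECT)
    t.add("30.0.0.0", "255.0.0.0", "40.0.0.7")          # via Router #1
    t.add("128.1.0.0", "255.255.0.0", DIRECT)
    t.add("192.4.10.0", "255.255.255.0", "128.1.0.9")   # via Router #3
    if with_default:
        t.add("0.0.0.0", "0.0.0.0", "40.0.0.7")          # assumed default route
    return t


if __name__ == "__main__":
    t = router2_table()
    for dst in ("192.4.10.3", "128.1.0.9", "30.0.0.7", "9.9.9.9"):
        print(dst, "->", forward(t, dst))
```

Sorting by prefix length at insertion time keeps the lookup a simple linear scan; production routers use a trie or hardware TCAM for the same longest-match semantics.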


4.2 IP Address Classes

The problem with using an IP Address containing network IDs and host IDs is deciding how big to make each field. If the network ID field is too small (limited permutations), only a few networks will be able to be connected to the Internet and still ensure that each has a unique address; yet should the network ID field be increased, then the host ID will have to be reduced and only a few computers will be able to be connected to a particular network with a given network ID. As an internet is likely to include various types of network technologies, one given structure of an IP Address is not appropriate. The developers of IP therefore chose a compromise in the IP addressing scheme that is able to accommodate both large and small networks.

This scheme divides the IP Address (32 bits) into three primary classes where each class has a different-size network ID and host ID. The leading bits of an IP Address (up to four of them) determine which class the address belongs to, and how the remainder of the 32 bits has been divided into network and host addresses.

Although IP Addresses are 32 bits in length, they are seldom represented in binary format but instead use a dotted decimal notation. This method of representation takes the four 8-bit sections (octets) and represents each as a decimal number. The ‘.’ sign is used to separate each of the four decimal numbers. For example, the 32-bit binary code:

10000100 00110000 00000110 00000000

has the dotted decimal notation:

132.48.6.0

Since each octet can have a maximum decimal value of 255, IP addresses can range from:

0.0.0.0 to 255.255.255.255

Figure 16: IP Address Classes

All classes occupy 32 bits; the leading bits select the class:

  Class A   0.......    Network ID (7 bits)    Host ID (24 bits)
  Class B   10......    Network ID (14 bits)   Host ID (16 bits)
  Class C   110.....    Network ID (21 bits)   Host ID (8 bits)
  Class D   1110....    Multicast
  Class E   1111....    Experimental

Example: 132.48.6.0 begins with the bits 10 and is therefore a Class B address.


4.3 IP Subnet Masks

A subnet mask is applied to the IP address to determine which part of the 32-bit address makes up the network address, and which part constitutes the host address. Figure 17a shows the default subnet masks for Class A, B and C networks, and Figure 17b shows how it is applied to a Class B network.

When sending packets, a host or router needs to determine if the IP address of the destination host is on the local or a remote network. When TCP/IP initializes, the host’s IP address is ANDed with its subnet mask, and the result stored. When sending data to another host, the destination IP address is also ANDed with the local host’s subnet mask. If the resulting values match (see Figure 17c), the destination host is on the local network; if not, the datagram is sent to the source host’s default router.

Figure 17a: Default Subnet Masks

  Address Class   Bits used for Subnet Mask              Dotted Decimal Notation
  Class A         11111111 00000000 00000000 00000000    255.0.0.0
  Class B         11111111 11111111 00000000 00000000    255.255.0.0
  Class C         11111111 11111111 11111111 00000000    255.255.255.0

Figure 17b: Example of a Class B Subnet Mask

  IP Address     132.48.6.0
  Subnet Mask    255.255.0.0
  Network ID     132.48.x.x
  Host ID        x.x.6.0

Figure 17c: Determination of a Packet’s Destination

  IP Address     10000100 00110000 00000110 00000000    132.48.6.0
  Subnet Mask    11111111 11111111 00000000 00000000    255.255.0.0
  Result         10000100 00110000 00000000 00000000    132.48.0.0

The destination host’s IP address is ANDed with the local subnet mask:

• 1 AND 1 = 1

• other combinations = 0

• if the ANDed results for the source and destination hosts match, the destination is local.
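Sections 4.2 and 4.3 as an added Python example (not code from the manual): classify an address from its leading bits, split it under the default or a given mask, and make the local-or-remote decision by ANDing both addresses with the sender's mask, as Figure 17c does. The manual's 132.48.6.0 is used alongside constructed addresses, and the default router address in the usage is assumed. A contiguity check on the mask is included because a non-contiguous mask such as 255.0.255.0 is accepted by the AND arithmetic and silently gives a wrong local/remote answer.

```python
def dotted_to_int(addr):
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad dotted decimal address: {addr}")
    return int.from_bytes(bytes(octets), "big")


def int_to_dotted(n):
    return ".".join(str(b) for b in n.to_bytes(4, "big"))


def to_binary(addr):
    """'132.48.6.0' -> '10000100 00110000 00000110 00000000' (the notation of Figure 17c)."""
    return " ".join(f"{b:08b}" for b in dotted_to_int(addr).to_bytes(4, "big"))


def address_class(addr):
    """Class from the leading bits of the first octet: 0 -> A, 10 -> B, 110 -> C, 1110 -> D, 1111 -> E."""
    first = dotted_to_int(addr) >> 24
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D"
    return "E"


DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def valid_mask(mask):
    """A mask must be a run of ones followed by zeros; 255.0.255.0 is not a mask."""
    m = dotted_to_int(mask)
    ones = bin(m).count("1")
    return m == ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF)


def split_address(addr, mask=None):
    """Network ID and host ID of addr under mask (default: the classful mask, as in Figure 17b)."""
    cls = address_class(addr)
    if mask is None:
        if cls not in DEFAULT_MASK:
            raise ValueError(f"class {cls} addresses have no network/host split")
        mask = DEFAULT_MASK[cls]
    if not valid_mask(mask):
        raise ValueError(f"non-contiguous mask: {mask}")
    a, m = dotted_to_int(addr), dotted_to_int(mask)
    return {"class": cls, "mask": mask,
            "network": int_to_dotted(a & m),
            "host": int_to_dotted(a & ~m & 0xFFFFFFFF)}


def is_local(local_ip, mask, dst_ip):
    """Figure 17c: both addresses ANDed with the local mask; equal results mean the same network."""
    if not valid_mask(mask):
        raise ValueError(f"non-contiguous mask: {mask}")
    m = dotted_to_int(mask)
    return (dotted_to_int(local_ip) & m) == (dotted_to_int(dst_ip) & m)


def next_hop(local_ip, mask, default_router, dst_ip):
    """Deliver directly if the destination is local, otherwise hand it to the default router."""
    return dst_ip if is_local(local_ip, mask, dst_ip) else default_router


if __name__ == "__main__":
    print(to_binary("132.48.6.0"), split_address("132.48.6.0"))
    # constructed host 132.48.6.1 with assumed default router 132.48.0.1
    print(next_hop("132.48.6.1", "255.255.0.0", "132.48.0.1", "10.0.0.5"))
```

Note that only the sender's own mask enters the decision; the destination's mask is unknown to the sender, which is why two hosts on one wire with different masks can each believe the other is remote.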


4.4 Network and Host Addresses

Relating the dotted decimal notation method to the different classes of IP address, we can see that the first octet will carry the information necessary to determine the IP class of the host.

The IP class scheme does not divide the 32-bit address space into equal size classes and these classes do not contain equal numbers of networks. For example, half of all IP addresses lie within Class A, as this class is represented by a zero in the first bit position. Therefore, since Class A addresses only have eight bits to represent the network ID and one of these is used to indicate that this is a Class A address, there only remain seven bits to indicate the network. In other words, a Class A address can only account for a maximum of 128 different network numbers (0 to 127); of these, 0 and 127 are reserved, leaving the 126 usable networks shown in Figure 18b. However, the host ID in a Class A address is made up of 24 bits, which allows up to 16,777,216 host addresses (16,777,214 usable, once the all-zeros and all-ones host IDs are excluded) on each of those networks.

4.5 Control of IP Addresses

As we have already determined, each network ID must be unique and as such all networks connecting to the global Internet must have their own unique network address. Therefore, if an organization wishes to connect its network to the Internet, it must obtain a network address from an ISP. The ISPs obtain network numbers through a system of approved Internet registries, who ensure that numbers are globally unique.

In the case of a private internet (intranet), the choice of the IP Address can be made by the organization, although no two computers may have the same address. It is difficult and time-consuming to renumber a large IP network, and historically problems have occurred when private IP networks have subsequently connected to the public Internet, and found that address conflicts occurred. For this reason, a group of Class A, B and C addresses was reserved for private use in RFC 1918, and organizations often use these addresses for private IP networks, whether connected to the public Internet or not.

Figure 18a: IP Address Classes and Dotted Decimal Notation (range of the first octet)

  Class   Range of Values
  A       0 – 127
  B       128 – 191
  C       192 – 223
  D       224 – 239
  E       240 – 255

Figure 18b: Network/Host Numbers

  Address Class   Bits in Prefix   Maximum number of Networks   Bits in Suffix   Maximum number of Hosts per Network
  A               8                126                          24               16,777,214
  B               16               16,382                       16               65,534
  C               24               2,097,150                    8                254


4.6 Network and Host Addresses

In summary, when assigning a network ID, a number must be selected from either Class A, B or C depending upon the size of the physical network. In real terms, a network will be assigned a Class C address ((256 – 2) hosts per network) unless a Class B is needed ((65,536 – 2) hosts). Class A addresses are seldom assigned.

Figure 19 shows a possible configuration when connecting four networks together: a small network (Class C), two medium size networks (Class B), and one large network (Class A). Thus, the four networks may have the following IP Addresses:

Class A 10.0.0.0

Class B 128.27.0.0 and 145.56.0.0

Class C 195.34.127.0

Note: IP reserves the host address set to zero and uses it to denote the network address. Likewise the all 1s host address is used for broadcasts to all hosts. These addresses cannot be assigned to any host on that particular network.

As we can see, all host computers connected to each network carry the same network ID. However, the host ID will be different for each of the hosts connected to that network.

Figure 19: Example Network with IP Addressing

Four networks joined by a router: ‘A’ with prefix 10 (hosts 10.0.127.16 and 10.18.74.15); ‘B’ with prefix 128.27 (hosts 128.27.0.18 and 128.27.0.19); ‘B’ with prefix 145.56 (hosts 145.56.74.118 and 145.56.19.4); ‘C’ with prefix 195.34.127 (hosts 195.34.127.48 and 195.34.127.13).


Figure 20: An Example of IP Subnetting

192.168.0.0/24, a traditional Class C address, has 2^8 – 2 host addresses:

  X.X.X.0                 = network address
  X.X.X.1 to X.X.X.254    = host address space
  X.X.X.255               = broadcast address

Subnetting on the /29 boundary (last octet = nnnnnhhh, five subnet bits and three host bits):

  each subnetwork has 2^3 – 2 = 6 host addresses
  total number of subnets is 2^5 – 2 = 30
  example subnets: 192.168.0.8/29, 192.168.0.16/29, 192.168.0.24/29


4.9 Classless Interdomain Routing (CIDR)

Subnetting allows more efficient use of a traditional class-based IP network within an organization, by allowing it to be subdivided. However, traditional subnetting does not propagate through the Internet routing tables, because routes are summarized back to their classful form at the administrative boundary of the network. Therefore Internet routing tables in this model must contain separate routes for each assigned Class A, B or C address.

In the mid-1990s, the size of Internet routing tables was growing massively, to the point where performance of the backbone networks was affected. It was realized that much of the fine-grained detail in Internet routing tables was redundant, and that a more flexible hierarchy should be imposed, by allowing routes for smaller networks to be aggregated together before they were advertised into the public Internet. This also allows more efficient use of available IP addresses by allocating blocks of Class C addresses rather than a single Class B, and by subnetting Class A and B networks into smaller allocations, rather than offering an entire classful network to an enterprise.

CIDR is essentially a generalization of the subnetting concept². To make CIDR effective, it was necessary to impose some geographical structure on the IP address space, so that aggregation could be as effective as possible. As a result of a policy change, IP addresses are now assigned in blocks through a hierarchy of SPs. In general, large blocks of IP addresses are allocated to regional registries, which in turn assign smaller blocks of address space to SPs, which in turn assign yet smaller blocks to ISPs. Finally, individual users rent IP addresses from their respective ISP.

² CIDR allows larger networks to be subdivided, and smaller networks to be aggregated together into a single routing table entry, in a flexible way, by using Variable Length Subnet Masks (VLSM). By carrying these VLSM values in routing protocol updates, and within routing tables, it allows the VLSM structure to propagate across the Internet between domains, instead of reverting to classful networks at the boundaries, according to the original subnetting model.

Figure 21: IP Address Blocks (Reference: RFC 1518)

IANA and the Internet Registries allocate large blocks (A, B) to major ISPs; these assign sub-blocks of A and B to smaller ISPs, which lease IP addresses to users.

  Area                    Address range
  Multiregional           192.0.0.0 – 193.255.255.255
  Europe                  194.0.0.0 – 195.255.255.255
  Others                  196.0.0.0 – 197.255.255.255
  North America           198.0.0.0 – 199.255.255.255
  Central/South America   200.0.0.0 – 201.255.255.255
  Pacific Rim             202.0.0.0 – 203.255.255.255
  Others                  204.0.0.0 – 205.255.255.255
  Others                  206.0.0.0 – 207.255.255.255


4.10 CIDR Example

A common use of both subnetting and CIDR occurs where an SP wants to offer a few public network IP addresses to a small business network, for example as part of a business ADSL offering, where the customer may host some servers at their premises.

In the example shown in Figure 22, the SP has subnetted a Class C address into 30 subnets, each with 6 host addresses, by subnetting at the /29 boundary. The detail of one such subnet is shown, where the subscriber has 5 host addresses available, in addition to the IP address needed for the ADSL router on the customer premises. In total 120 customer subnets are available from the 4 Class C addresses shown.

Within the SP network, rather than advertise the individual Class C addresses, the SP instead aggregates the 4 networks into a new /22 route advertisement, and passes this into the Internet routing tables.

In this example, traffic for all of the customer networks shown would be represented by a common /22 routing entry within the Internet until it reached the SP network. Individual /24 routing table entries in router A would direct it to the correct customer access router, in our example router B. Router B would then direct traffic to the correct customer network using /29 entries in its routing table.
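The /29 subnet plan of Figure 20 and the /22 aggregation of this section, as an added Python example (not code from the manual). The 2^5 – 2 subnet count follows the figure's rule of not using the all-zeros and all-ones subnets; modern routers accept both, so the function takes a flag. aggregate() finds the smallest prefix covering a list of networks and also reports whether the inputs fill it exactly, which is the caveat a practitioner wants here: advertising a /22 of which only three /24s are assigned attracts traffic for the fourth as well, so the SP should hold a discard route for the whole aggregate rather than let that traffic follow its default route back out.

```python
import ipaddress


def subnet_plan(block, new_prefix, exclude_zero_and_all_ones=True):
    """Divide block into /new_prefix subnets and list each one's reserved and usable addresses."""
    net = ipaddress.ip_network(block)
    subnets = list(net.subnets(new_prefix=new_prefix))
    if exclude_zero_and_all_ones:
        subnets = subnets[1:-1]  # classic rule of Figure 20: 2^n - 2 subnets
    plan = []
    for s in subnets:
        hosts = list(s.hosts())  # excludes the network and broadcast addresses
        plan.append({
            "subnet": str(s),
            "network": str(s.network_address),      # host bits all 0: not assignable
            "broadcast": str(s.broadcast_address),  # host bits all 1: not assignable
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "usable": len(hosts),
        })
    return plan


def aggregate(prefixes):
    """Smallest single prefix covering all of prefixes (CIDR supernetting).

    Returns (supernet, exact). exact is False when the inputs do not fill the supernet,
    i.e. the advertisement would also attract traffic for space assigned to nobody.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    if len({n.version for n in nets}) != 1:
        raise ValueError("cannot aggregate mixed address families")
    nets = list(ipaddress.collapse_addresses(nets))  # merge duplicates and overlaps first
    supernet = nets[0]
    while not all(n.subnet_of(supernet) for n in nets):
        if supernet.prefixlen == 0:
            break
        supernet = supernet.supernet()  # widen by one bit at a time
    covered = sum(n.num_addresses for n in nets)
    return str(supernet), covered == supernet.num_addresses


if __name__ == "__main__":
    for entry in subnet_plan("192.168.0.0/24", 29)[:3]:
        print(entry)
    print(aggregate(["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]))
    print(aggregate(["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24"]))
```

Each /29 in the plan yields six usable addresses, matching the five customer hosts plus the ADSL router of the text, and the four /24s collapse to exactly 192.168.0.0/22, while three of them still need the /22 but leave a quarter of it unassigned.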

Figure 22: An Example of CIDR

  Internet: routed on 192.168.0.0/22. CIDR route aggregation at router RA, beyond the conventional Class C boundary.
  RA to RB: routed on /24 (192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24). Route summarization up to the conventional Class C boundary at this layer.
  RB to customers: routed on /29. The figure shows customer subnets 198.164.0.8/29, 198.164.0.16/29, 198.164.0.24/29 and 198.164.0.32/29, with hosts .17 to .22 in the /29 drawn in detail.


5 THE TRANSPORT LAYER

5.1 Introduction

The transport layer of the TCP/IP Protocol Suite comprises two protocols: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).

Fundamentally, the services offered by TCP are reliable and connection-oriented, whereas UDP provides a best-effort, connectionless service.

Figure 23: TCP/IP Suite

  APPLICATION LAYER   OSI Layers 5 – 7
  TRANSPORT LAYER     OSI Layer 4    Transmission Control Protocol, User Datagram Protocol
  INTERNET LAYER      OSI Layer 3    Internet Protocol, Internet Control Message Protocol, Address Resolution Protocol
  LINK LAYER          OSI Layer 2    Link Layer Protocols
  PHYSICAL LAYER      OSI Layer 1    Physical Networks


5.2 The Functions of Transmission Control Protocol (TCP)

The Transmission Control Protocol (TCP) provides a highly reliable transport service. Applications such as FTP and HTTP that require reliable transport services use the TCP protocol. TCP offers several key features as shown below.

5.2.1 Connection-Oriented

TCP provides a connection-oriented service in which an application must first establish a connection to the destination before any data is transferred. TCP requires that both applications creating a connection agree to the new connection.

5.2.2 Error Control

TCP ensures that data sent across a connection is error free and in the correct sequence. It does this by including sequence numbers within the protocol header, and requesting retransmission of lost or corrupted packets.

5.2.3 Flow Control

TCP measures the throughput of traffic between TCP applications, and tries to maximise the bandwidth available. When packets are lost in transit, TCP assumes this is due to congestion, and slows down its transmission rate. When packets are arriving successfully, TCP assumes more bandwidth is available, and increases its transmission rate. In this way, TCP is always trying to get the maximum available bandwidth from the network. Strictly, this loss-driven rate adaptation is congestion control; flow control in the narrow sense is provided by the Window field of the header, through which the receiver limits how much unacknowledged data the sender may have in flight.

5.2.4 TCP Port Addressing

Within an IP network, data is routed according to its IP address, with no distinction made regarding the user or process on the destination host. The Transport Layer extends the TCP/IP protocol suite to distinguish between applications on a given host. These ports are known as ‘Protocol Ports’ and are addressed using the 16-bit Source Port and Destination Port fields. These 16 bits can describe 65,536 possible ports on the host.

Figure 24: TCP Functions

TCP header (octet offsets; bits numbered 7 to 0 within each octet):

  0 – 1     Source Port
  2 – 3     Destination Port
  4 – 7     Sequence Number
  8 – 11    Acknowledgement Number
  12        Data Offset (4 bits), Reserved
  13        Reserved, URG, ACK, PSH, RST, SYN, FIN
  14 – 15   Window
  16 – 17   Checksum
  18 – 19   Urgent Pointer
  20 – 23   Options (optional), Padding

Functions: connection-oriented; error control; flow control; source and destination ports.


5.3 The Functions of User Datagram Protocol (UDP)

User Datagram Protocol (UDP) provides Application Layer services with a transaction-oriented, datagram-type service that is connectionless and unreliable. It is a simple and efficient protocol that is stateless, and so ideal for such applications as Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP) and queries to the Domain Name System (DNS).

The UDP protocol is extremely simple, and this is reflected in the protocol fields of UDP. As for TCP, the UDP protocol carries source and destination port values, so that traffic can be directed to the correct applications on machines running multiple simultaneous sessions. The Checksum field allows corrupted data to be detected and (silently) discarded, but UDP does not have the error recovery mechanisms of TCP. Responsibility for error recovery lies with the higher layer protocol that is using the UDP service in this case.
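Figures 24 and 25 in code: an added Python example (not from the manual) that builds and parses the TCP and UDP headers of sections 5.2 and 5.3 and verifies the checksum, which for both protocols covers a pseudo-header (source IP, destination IP, protocol number, length) plus the whole segment. Addresses, ports and payload are constructed. Two details a practitioner relies on: the UDP Message Length is checked against the real datagram size before anything else is trusted, and an all-zero UDP checksum means "not computed" in IPv4 (a computed zero is sent as 0xFFFF), so the parser reports None rather than True in that case. The checksum detects corruption only; anyone able to forge a packet can compute a valid one.

```python
import struct

PROTO_TCP, PROTO_UDP = 6, 17
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 is FIN (octet 13 of Figure 24)


def internet_checksum(data):
    """Ones' complement of the ones' complement sum of 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip4(addr):
    return bytes(int(o) for o in addr.split("."))


def pseudo_header(src_ip, dst_ip, proto, length):
    return _ip4(src_ip) + _ip4(dst_ip) + struct.pack("!BBH", 0, proto, length)


def checksum_ok(src_ip, dst_ip, proto, segment):
    """An intact segment sums to zero together with its pseudo-header and own checksum field."""
    return internet_checksum(pseudo_header(src_ip, dst_ip, proto, len(segment)) + segment) == 0


def build_udp(src_ip, dst_ip, sport, dport, payload):
    length = 8 + len(payload)
    hdr = struct.pack("!HHHH", sport, dport, length, 0)
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, PROTO_UDP, length) + hdr + payload)
    if csum == 0:
        csum = 0xFFFF  # 0 is reserved to mean "no checksum" (RFC 768)
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def parse_udp(src_ip, dst_ip, datagram):
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length != len(datagram):
        raise ValueError("UDP length field disagrees with datagram size")
    ok = None if csum == 0 else checksum_ok(src_ip, dst_ip, PROTO_UDP, datagram)
    return {"sport": sport, "dport": dport, "length": length,
            "checksum_ok": ok, "payload": datagram[8:]}


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, window, options=b"", payload=b""):
    if len(options) % 4:
        raise ValueError("options must be padded to a 32-bit boundary")
    data_offset = (20 + len(options)) // 4  # header length in 32-bit words

    def hdr(csum):
        return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                           data_offset << 4, flags, window, csum, 0) + options

    seg = hdr(0) + payload
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, PROTO_TCP, len(seg)) + seg)
    return hdr(csum) + payload


def parse_tcp(segment):
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off, flags, window, csum, urg = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (off >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": data_offset,
            "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
            "window": window, "urgent": urg,
            "options": segment[20:data_offset], "payload": segment[data_offset:]}


if __name__ == "__main__":
    src, dst = "192.168.0.17", "192.168.0.18"  # constructed addresses
    d = build_udp(src, dst, 53000, 53, b"constructed DNS query")
    print(parse_udp(src, dst, d))
    syn = build_tcp(src, dst, 40000, 80, seq=1000, ack=0, flags=0x02, window=65535,
                    options=bytes.fromhex("020405b4"))  # MSS option, 4 bytes
    print(parse_tcp(syn), checksum_ok(src, dst, PROTO_TCP, syn))
```

The SYN built above carries a 4-byte MSS option, so its Data Offset is 6 words (24 bytes); a parser that trusted Data Offset without bounding it by the segment length would read past the buffer on a truncated segment, which is why parse_tcp checks it.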

Figure 25: UDP Functions

UDP header (octet offsets):

  0 – 1   Source Port
  2 – 3   Destination Port
  4 – 5   Message Length
  6 – 7   Checksum

Functions: connectionless; no error control; no flow control; source and destination ports.


6 THE DOMAIN NAME SYSTEM (DNS)

6.1 The Role of the DNS

To a human, identifying hosts on a network by their IP address is not easy. IP addresses are difficult to remember and do not convey any meaning about the respective host. Humans find it far easier to remember names, and if the name indicates the role of the host, it can also be used to convey meaning.

In the 1980s there were only a few hundred hosts on the ARPANET. The computer name-to-IP mapping was held in a single file called HOSTS.TXT on a server at the Stanford Research Institute Network Information Centre (SRI-NIC).

This was manually updated. If details of a host changed, the SRI-NIC was called and asked to change the file. As the network grew this system became too difficult to administer.

DNS was designed as a distributed database using a hierarchical name structure to overcome this problem.

IP Engineering Overview

Page 67: IP Engineering Overview

8/18/2019 IP Engineering Overview

http://slidepdf.com/reader/full/ip-engineering-overview 67/294

1.54© Wray Castle Limited

Figure 26: Domain Name System (DNS) (diagram). A tree with the Root at the top, Domains beneath it, and Sub-Domains beneath each Domain.


6.2 The Overall Architecture of the DNS

The root domain of the Internet is represented by a single period (.), and the Internet Corporation for Assigned Names and Numbers (ICANN) manages the operation of the root servers that resolve for all domains beneath the root. Beneath this root are the Top Level Domains (TLDs), which may be global or contain a country code (ccTLDs).

Some examples of these domains, and their intended use, are given in Figure 27 and described below:

com Commercial organizations such as: America OnLine (aol.com), British Telecom (bt.com) and Wray Castle (wraycastle.com)

edu Educational institutions (namely colleges and universities in the USA)

net Networking organizations such as the central network concerning the Internet, i.e. InterNIC (Internet Network Information Centre) – internic.net

org Non-commercial organizations such as the Internet Engineering Task Force (IETF) at ietf.org

Recently some new TLDs have been created, including the .biz TLD, which is intended to be broadly equivalent to the popular .com domain.

As might be expected, the Internet namespace is extremely inefficient, with even very small businesses wanting a second level domain.

Overall control of the Domain Name System is within ICANN. The central IR (Internet Registry) is held on INTERNIC.NET, which is in North America and is responsible for networks in this area and other unspecified parts of the world. Europe and Asia-Pacific are two specified areas and as such have their own registries. These are RIPE NCC (or ripe.net) and APNIC (or apnic.net) respectively.


Figure 27: The Hierarchy of the Internet DNS (diagram). The root is at the top; beneath it are the TLDs .biz, .com, .edu, .net, .org and .uk. wraycastle.com sits under .com, telecoms-engineering.net under .net, and .co.uk and .ac.uk under .uk, with wraycastle.co.uk under .co.uk.


6.3 DNS Operation

The DNS is a client/server distributed database management system. The client is known as the ‘Resolver’. It passes name requests that contain queries to a server known as the ‘Name Server’. These name servers are grouped into logical levels known as ‘Domains’.

DNS is analogous to a telephone book. You look up the name of the person you want to call, and read across to get the telephone number. Using DNS, the resolver passes the name to the name server, which runs a query on the database to return the IP address. The host name queried must be in the form of a Fully Qualified Domain Name (FQDN).

6.4 Zones of Authority

The implementation of the DNS uses the concept of Zones of Authority to make administration of the hierarchy easier. The zone of authority is the portion of the domain for which a particular primary name server is responsible. It stores all mappings for the zone and answers queries for those names. The name server’s zone of authority covers at least one domain, known as the zone root domain. The zone of authority may also cover sub-domains.

The zone does not necessarily cover all the sub-domains under the root domain, but the zone must be contiguous. So in the example shown in Figure 28, the zone one database does not contain name-to-IP address mappings for machines in the sales domain, although the sales domain is a sub-domain of the wraycastle domain.

A single DNS server can be configured to manage one or more zone files.


Figure 28: DNS Zones of Authority (diagram). Elements shown: .com, wraycastle.com and its sub-domains sales.wraycastle.com and development.wraycastle.com, with the zone 1 database and the zone 2 database marked as separate zones of authority.


6.5 Name Resolution

The operation of a DNS query to resolve the IP address of a web server within an example domain, ‘wraycastle.com’, is shown in Figure 29.

1 The client sends a query to its local name server, requesting the IP address of www.wraycastle.com.

2 The local name server checks its zone for the name www.wraycastle.com. Not finding it there, it then sends an iterative query for this name to the root server.

3 The root server has authority for the root domain and will reply with the IP address of the .com top-level domain name server. It returns this to the local server.

4 The local server sends an iterative query to the .com name server for www.wraycastle.com. The name server responds with the IP address of the wraycastle.com name server.

5 The local server sends an iterative query to the wraycastle.com name server for the full address. The wraycastle.com server sends the IP address of www.wraycastle.com back to the local server.

6 The local server sends the IP address for www.wraycastle.com back to the original resolver.
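The six-step iterative resolution above, together with the delegated sales zone of 6.4, as an added example (not code from the manual): each authoritative server answers only for its own contiguous zone and returns a referral for a delegated sub-domain, and the local name server follows the referrals from the root. The servers, host names and IP addresses are constructed to mirror Figures 28 and 29, and network messages are replaced by direct method calls.

```python
"""Iterative DNS resolution across zones of authority.

Added example, not code from the manual. The servers, host names and IP addresses
are constructed to mirror Figures 28 and 29; real DNS exchanges UDP port 53 messages,
which this simulation replaces with direct method calls.
"""
from typing import Dict, List, Optional, Tuple


class NameServer:
    """A primary name server for one zone of authority.

    `records` holds the name-to-IP mappings the zone is authoritative for (a contiguous
    part of the tree). `delegations` maps a sub-domain that is NOT in this zone to the
    server authoritative for it; queries for such names get a referral, not an answer.
    """

    def __init__(self, zone: str, records: Dict[str, str],
                 delegations: Dict[str, "NameServer"]) -> None:
        self.zone = zone            # "" for the root
        self.records = records
        self.delegations = delegations

    def query(self, fqdn: str) -> Tuple[str, object]:
        """Answer one iterative query: ('answer', ip), ('referral', server) or ('nxdomain', None)."""
        if fqdn in self.records:
            return ("answer", self.records[fqdn])
        # Longest delegated suffix wins, so sales.wraycastle.com beats wraycastle.com.
        for sub in sorted(self.delegations, key=len, reverse=True):
            if fqdn == sub or fqdn.endswith("." + sub):
                return ("referral", self.delegations[sub])
        return ("nxdomain", None)


class LocalNameServer:
    """The resolver's local name server: answers from its own zone or cache, otherwise
    walks the hierarchy from the root with iterative queries (steps 2 to 6 of 6.5)."""

    MAX_REFERRALS = 16   # bound the chain so a mis-configured delegation loop cannot spin forever

    def __init__(self, root: NameServer, own_records: Optional[Dict[str, str]] = None) -> None:
        self.root = root
        self.cache: Dict[str, str] = dict(own_records or {})

    def resolve(self, fqdn: str, trace: Optional[List[str]] = None) -> Optional[str]:
        """Return the IP for `fqdn` (or None); `trace` collects one line per server asked."""
        if trace is None:
            trace = []
        if fqdn in self.cache:
            trace.append(f"{fqdn}: answered from local zone/cache")
            return self.cache[fqdn]
        server = self.root
        for _ in range(self.MAX_REFERRALS):
            kind, value = server.query(fqdn)
            trace.append(f"ask {server.zone or 'root'} name server for {fqdn} -> {kind}")
            if kind == "answer":
                self.cache[fqdn] = value           # remember it for the next resolver asking
                return value
            if kind == "referral":
                server = value
                continue
            return None                            # nxdomain: authoritative server has no such name
        return None                                # referral chain too long: give up


def build_example_hierarchy() -> LocalNameServer:
    """Root -> .com -> wraycastle.com (zone 1) -> sales.wraycastle.com (zone 2, delegated)."""
    sales = NameServer("sales.wraycastle.com",
                       {"pc1.sales.wraycastle.com": "192.0.2.20"}, {})
    wraycastle = NameServer("wraycastle.com",
                            {"www.wraycastle.com": "192.0.2.10",
                             "build.development.wraycastle.com": "192.0.2.11"},
                            {"sales.wraycastle.com": sales})   # zone 1 stops here
    com = NameServer("com", {}, {"wraycastle.com": wraycastle})
    root = NameServer("", {}, {"com": com})
    return LocalNameServer(root)


if __name__ == "__main__":
    local = build_example_hierarchy()
    for name in ("www.wraycastle.com", "pc1.sales.wraycastle.com", "www.wraycastle.com"):
        steps: List[str] = []
        print(name, "->", local.resolve(name, steps))
        for line in steps:
            print("   ", line)
```

The second lookup of www.wraycastle.com is answered locally, which is why a busy local name server rarely repeats the full walk from the root.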


Figure 29 (diagram): the root name server, the .com name server, the wraycastle.com name server, the local name server, the local host and the host www.wraycastle.com. Labelled exchanges include 1. Query: what is the IP address of www.wraycastle.com; 2. request address www.wraycastle.com; and 6. Answer: the IP address of www.wraycastle.com.

                                                                                                                                                                                                                                                                                                                                                                                                                                     t                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       l                                                                                                                                                                                                                                                                                                                                                      e                                                                                                         .                                                                                                                                                                                                                                                                                                                                                       c              

                                                                                                                                                                                                                                                                                                                                                      o                                                                                                                                                                                                                                                                                                                                                                    m

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        i                                                                                                                                                                                                                                                                                                                                                      s                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2                                                                                                                                                                                                                                                                                                                                                                                                                                                          1                                                                                                                                                                                                                                                                                                  
                                                                                                                                                          7                                                                                            .                                                                                                                                                                                                                                                                                                                                                                                                                                                          1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                    9                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   9                                                                                                          .                                                                                                                                                                                                                                                                                                                                                                                                                                                          1                                                                                                                                                                                                                                                                                                                                                                                                                                                                    6              

                                                                                                                                                                                                                                                                                                                                                                                                                                                          1                                                                                           .                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3              

 4.  re q ue s t a d d re

 s s  w w w. w ra y ca

 s t le. c o m    3 .    r   e    f   e   r

     t   o  .  c   o   m

    n  a   m

   e    s   e

   r   v   e   r

 r e f e r  t o  w r a y c a

 s t l e. c o m  n a m e  s

 e r v e r

5 . r e q u e s t  a d  d  r e s s  w w w .w r a  y c a s t l  e .c o m 

R E  S P  O N  S E   =  a d d r e s s  o f   w w w .w r a  y c a s t l e .c o m 

Figure 29

Name Resolution


6.6 DNS Implementation

6.6.1 DNS Data Structure

The commonest use of the DNS is to map from a Fully Qualified Domain Name (FQDN) to the corresponding IP address of the host, or vice versa, as shown in the previous diagram. In fact each entry in the DNS can have a large number of properties associated with it. Each property is stored as a set of four parameters:

• the Type field indicates which parameter is stored

• the Class field indicates the protocol family

• the Time To Live (TTL) field indicates for how long the data may be cached by a resolver or other cache before a fresh request should be made to the definitive source of the data

• the Data field holds the actual parameter value

Most records of interest are of class IN, for Internet. The data field might be an IP address, an FQDN, or another value, depending upon the type of parameter being stored.

6.6.2 Commonly Used DNS Entries

Figure 30 shows a few of the key parameters commonly accessed in the DNS, together with how these might be used in forwarding an e-mail. In this example, an organization has its own domain name, but uses a commercial hosting service for its e-mail and web presence.

• the A field gives the IPv4 address of a named host

• the MX field gives the FQDN of a Mail eXchanger (i.e. a mail forwarder or server)

• the CNAME field gives the canonical name matching an alias, in other words the actual definitive name for a host

• the TXT field gives freeform text related to the host, for example its type or location

Another key entry in the DNS is the Start of Authority (SOA) record. The SOA gives various times and sequence numbers that are important to control for how long any downstream server caches the information it obtains from a zone transfer.


> dig -t MX wraycastle.com

Name                    TTL (seconds)   Class   Type    Data
wraycastle.com          43049           IN      MX      10 wray-ltd.demon.co.uk
wraycastle.com          43049           IN      MX      20 etrn.magic-moments.com
wraycastle.com          172616          IN      NS      NS0.magic-moments.com
wraycastle.com          172616          IN      NS      NS1.magic-moments.com
NS0.magic-moments.com   34155           IN      A       217.199.161.27
NS1.magic-moments.com   25665           IN      A       212.67.202.220
.
.
.
.

Record types:

A:      IPv4 address
MX:     Mail eXchanger
CNAME:  Canonical Name
TXT:    Free-form textual information
NS:     Name server

Figure 30
Data Structures Within the DNS
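A worked example, added here and not code from the Wray Castle manual, that parses the dig answer lines of Figure 30 into the four-parameter record structure of 6.6.1, orders MX hosts by preference and honours the TTL in a minimal cache; the cache and helper names are my own.

```python
"""DNS resource records as Type / Class / TTL / Data (section 6.6.1).

Added example, not code from the Wray Castle manual. SAMPLE_ANSWER is the
answer section of "dig -t MX wraycastle.com" from Figure 30, copied here as
constructed text; the cache and helper names are my own.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_ANSWER = """\
wraycastle.com.         43049   IN  MX  10 wray-ltd.demon.co.uk.
wraycastle.com.         43049   IN  MX  20 etrn.magic-moments.com.
wraycastle.com.         172616  IN  NS  NS0.magic-moments.com.
wraycastle.com.         172616  IN  NS  NS1.magic-moments.com.
NS0.magic-moments.com.  34155   IN  A   217.199.161.27
NS1.magic-moments.com.  25665   IN  A   212.67.202.220
"""
Key = Tuple[str, str, str]  # (owner name, class, type)


@dataclass(frozen=True)
class ResourceRecord:
    name: str      # owner name, lower-cased, no trailing root dot
    ttl: int       # seconds the record may be cached
    rr_class: str  # "IN" for Internet
    rr_type: str   # A, MX, NS, CNAME, TXT, ...
    data: str      # type-specific value: address, FQDN, "pref FQDN", text


def _norm(name: str) -> str:
    return name.lower().rstrip(".")  # DNS names are case-insensitive


def parse_records(text: str) -> List[ResourceRecord]:
    """Parse dig presentation-format lines: name TTL class type data..."""
    records: List[ResourceRecord] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue  # blank, comment or incomplete line
        name, ttl, rr_class, rr_type = fields[:4]
        data = " ".join(fields[4:])
        if rr_type.upper() in ("NS", "CNAME", "MX"):
            data = data.rstrip(".")  # data is itself a name
        records.append(ResourceRecord(_norm(name), int(ttl), rr_class.upper(),
                                      rr_type.upper(), data))
    return records


def mail_exchangers(records: List[ResourceRecord], domain: str) -> List[Tuple[int, str]]:
    """(preference, host) for the domain's IN MX records, lowest preference
    first: the order in which a sending MTA tries them."""
    mx = []
    for r in records:
        if (r.rr_class, r.rr_type, r.name) == ("IN", "MX", _norm(domain)):
            pref, host = r.data.split(None, 1)
            mx.append((int(pref), _norm(host)))
    return sorted(mx)


class ResolverCache:
    """Cache keyed by (name, class, type). An RRset is served only until its
    TTL has elapsed; then lookup() returns None and the definitive source
    must be asked again, which is what the TTL field in 6.6.1 is for."""

    def __init__(self) -> None:
        self._entries: Dict[Key, Tuple[float, List[ResourceRecord]]] = {}

    def store(self, records: List[ResourceRecord], now: float) -> None:
        grouped: Dict[Key, List[ResourceRecord]] = {}
        for r in records:
            grouped.setdefault((r.name, r.rr_class, r.rr_type), []).append(r)
        for key, rrset in grouped.items():
            ttl = min(r.ttl for r in rrset)  # one expiry for the whole RRset
            self._entries[key] = (now + ttl, rrset)

    def lookup(self, name: str, rr_type: str, now: float,
               rr_class: str = "IN") -> Optional[List[ResourceRecord]]:
        key = (_norm(name), rr_class.upper(), rr_type.upper())
        entry = self._entries.get(key)
        if entry is None:
            return None
        expires_at, rrset = entry
        if now >= expires_at:
            del self._entries[key]  # stale: caller must re-query
            return None
        return rrset


def deliverable_hosts(cache: ResolverCache, domain: str,
                      now: float) -> List[Tuple[int, str, Optional[str]]]:
    """Join cached MX hosts with their cached A records, as an MTA does before
    opening SMTP; None means the host address is not (or no longer) cached."""
    out = []
    for pref, host in mail_exchangers(cache.lookup(domain, "MX", now) or [], domain):
        addrs = cache.lookup(host, "A", now)
        out.append((pref, host, addrs[0].data if addrs else None))
    return out
```

In the Figure 30 sample only the name servers carry A records, so deliverable_hosts reports both MX hosts with no cached address and a real resolver would have to query for them.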


6.7 Types of DNS Server

6.7.1 Primary Name Server

Each domain must have a primary domain server. It is the administrative point for the control and configuration of the domain. This is where hosts are added and zones are maintained.

6.7.2 Secondary Name Server

Secondary name servers obtain their data from the primary server, which has authority for the zone. This transfer of data is called a zone transfer. Secondary servers give redundancy, faster access at remote locations, can avoid resolving across slow links, and allow load sharing across multiple servers. The primary and secondary server definition is set at zone level, hence a secondary server in one zone may be a primary server in another. Information for each zone is stored in a separate file on the server.

6.7.3 Caching Servers/Forwarders

Cache servers are often used to conduct queries for resolvers (clients) and cache the results; they have no authority for zone databases. If the cache does not hold the requested DNS information already, it performs a recursive query to obtain it, and then caches the result. Most ISPs operate caching servers, and implemented properly they can substantially speed up the operation of the DNS. Forwarders are normally caches that hold no DNS data, and so must forward all requests they receive.


Figure 31
Types of DNS Server

(figure: the Resolver sends DNS requests to a Forwarder or to a Caching name server; moves, changes and updates are made on the Primary name server, which supplies the Secondary name server by zone transfer)


6.8 Querying the Domain Name System

Details of the primary and one secondary name server are required when a domain is registered, and the names and addresses of the name servers are one of the fields returned by a basic ‘whois’ query against a domain.

Other tools that are standard on Unix systems allow interactive querying of the DNS, including the host command, the dig command, and the nslookup command. Many web sites provide web-based access to these tools.


whois wraycastle.com

  . .
  Name Server ........................ NS1.MAGIC-MOMENTS.COM
  Name Server ........................ NS0.MAGIC-MOMENTS.COM

host -t ns wraycastle.com.

  wraycastle.com NS ns1.magic-moments.com
  wraycastle.com NS ns0.magic-moments.com

host -t mx wraycastle.com.

  wraycastle.com mail is handled (pri=10) by wray-ltd.demon.co.uk
  wraycastle.com mail is handled (pri=20) by etrn.magic-moments.com

dig @<nameserver> wraycastle.com. axfr

will return all DNS entries for the host through a zone transfer, if the name server permits it

Figure 32
Tools to Query the DNS


7 THE APPLICATION LAYER

7.1 Hypertext Transfer Protocol (HTTP) for Web Services

Hypertext Transfer Protocol (HTTP) is specified in IETF RFC 2616. It is a generic, stateless, object-oriented protocol that can be used for many tasks.

HTTP has been in use by the WWW global information initiative since 1990. This first version, known as HTTP/0.9, was a simple protocol for raw data transfer across the Internet. HTTP/1.0 refined the earlier version by the introduction of MIME-like messages. These Multipurpose Internet Mail Extensions (MIME) messages contained meta-information about the data transferred and modifiers on the request/response semantics. The current version, HTTP/1.1 (RFC 2616), provides persistent connections, so that multiple requests and responses can be carried across a single connection, rather than requiring a new connection for each protocol exchange. It also supports negotiation on compression of data. Both of these changes improve the efficiency and responsiveness of the protocol.

HTTP is best described as a request/response protocol. A client, normally a web browser application, sends a request to the server in the form of a request method, URI (Uniform Resource Identifier) and protocol version, followed by a MIME-like message containing request modifiers, client information, and possibly content. The server runs a process or daemon which listens for HTTP requests, and responds to the client with a status line, including the message’s protocol version and a success or error code, followed by a MIME-like message containing server information, entity meta-information, and possibly entity-body content. The status codes returned by the server are grouped into major categories as follows:

• Informational 1xx

• Success 2xx

• Redirection 3xx

• Client Error 4xx

• Server Error 5xx

The ISP browser software will provide the User Agent (UA) HTTP communication between itself and the resource located on some (HTTP) Origin Server (OS), the OS being the device containing the requested resource(s). The simplest type of connection is direct between the user and the OS, as shown in Figure 33.

Other forms of connection are those of the UA to OS with a number of other network devices in between. These will be proxies, gateways, or tunnelling servers.


Figure 33
HTTP Connections

(figure: a) User Agent to Origin Server – Direct Connection: a single HTTP connection between the User Agent and the Origin Server, which holds the Resources and Database; b) User Agent to Origin Server – via Proxy Server: an HTTP connection from the User Agent to a server acting as proxy, and a second HTTP connection from the proxy to the Origin Server)


7.2 Simple Mail Transfer Protocol (SMTP) E-mail

Internet mail is based on RFC 821, which defines the Simple Mail Transfer Protocol (SMTP), and RFC 822, which defines the format of Internet Text Messages.

A further set of RFCs, RFC 2045-2049 inclusive, defines MIME, which is a set of extensions to the standard text messages found in RFC 822. These extensions allow the inclusion of multimedia information within the e-mail.

SMTP was originally designed for use on Unix machines that were permanently connected to each other. Individual users of these machines have a mailbox to which messages can be delivered, whether they are logged in or not.

In the SMTP architecture, mail users interact with a Mail User Agent (MUA), which in turn queues their messages for transport between machines by Message Transfer Agents (MTA). The MUA provides the interface to the user, as well as presenting views of various mailboxes, etc. The MTAs communicate with each other across a TCP connection using SMTP messages. Mail for users is received from an MTA by a Mail Delivery Agent (MDA), which places the mail in the appropriate mailbox.

SMTP is a very simple command/response protocol. Five commands are used in this example to send mail between the MTAs.

• HELO is used to establish the SMTP connection

• MAIL is used to identify the sender of an outbound e-mail

• RCPT is used to identify the recipient of an outbound e-mail

• DATA is used to begin sending the message body

• QUIT is used to close the SMTP connection

There are additional SMTP commands, including RSET, to abort the current connection, and TURN, to allow client and server to swap roles without having to start a new TCP connection.


TCP connection to port 25 from the SMTP MTA (Client) to the SMTP MTA (Server), which delivers to the Mailboxes

Server:  220 mailserver.acme.com
Client:  HELO mailserver.wraycastle.com
Server:  250 mailserver.acme.com
Client:  MAIL FROM: <[email protected]>
Server:  250 <[email protected]>
Client:  RCPT TO: <[email protected]>
Server:  250 <[email protected]>
Client:  DATA
Server:  354 Enter message
Client:  (body of message)
Server:  250 mail accepted
Client:  QUIT
Server:  221 closing connection

Figure 34
SMTP Protocol Operation
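The exchange of Figure 34 driven through a toy SMTP server state machine, added as an example and not code from the manual; it enforces the HELO, MAIL, RCPT, DATA, QUIT order of 7.2 and answers out-of-order commands with the RFC 821 code 503. The class name, the host name mailserver.acme.com and the mailboxes used in the test are constructed.

```python
"""Toy SMTP server state machine for the exchange of Figure 34 (section 7.2).

Added example, not code from the Wray Castle manual. Only HELO, MAIL, RCPT,
DATA, QUIT and RSET are handled; reply codes follow RFC 821. The server
name mailserver.acme.com is a constructed value.
"""
from typing import List, Optional, Tuple


class SmtpServerSim:
    """Answers one command line at a time, enforcing HELO -> MAIL -> RCPT
    -> DATA order and answering anything out of order with 503."""

    def __init__(self, hostname: str = "mailserver.acme.com") -> None:
        self.hostname = hostname
        self.greeted = False
        self.in_data = False
        self.sender: Optional[str] = None
        self.recipients: List[str] = []
        self.body_lines: List[str] = []
        self.delivered: List[Tuple[str, List[str], str]] = []  # "Mailboxes"
        self.closed = False

    def greeting(self) -> str:
        return f"220 {self.hostname}"

    def handle(self, line: str) -> str:
        """Return the reply for one client line ("" while collecting DATA)."""
        if self.in_data:
            return self._data_line(line)
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            if not arg:
                return "501 syntax error in parameters"
            self.greeted = True
            self._reset_envelope()
            return f"250 {self.hostname}"
        if verb == "MAIL":
            if not self.greeted:
                return "503 bad sequence of commands"
            addr = self._address(arg, "FROM:")
            if addr is None:
                return "501 syntax error in parameters"
            self._reset_envelope()
            self.sender = addr
            return f"250 <{addr}>"
        if verb == "RCPT":
            if self.sender is None:
                return "503 bad sequence of commands"
            addr = self._address(arg, "TO:")
            if addr is None:
                return "501 syntax error in parameters"
            self.recipients.append(addr)
            return f"250 <{addr}>"
        if verb == "DATA":
            if not self.recipients:
                return "503 bad sequence of commands"
            self.in_data = True
            return "354 Enter message"
        if verb == "RSET":  # abort the current envelope, keep the connection
            self._reset_envelope()
            return "250 OK"
        if verb == "QUIT":
            self.closed = True
            return f"221 {self.hostname} closing connection"
        return "500 command not recognized"

    def _data_line(self, line: str) -> str:
        if line == ".":  # end of message body
            self.in_data = False
            self.delivered.append((self.sender or "", list(self.recipients),
                                   "\n".join(self.body_lines)))
            self._reset_envelope()
            return "250 mail accepted"
        # dot-stuffing: a line the client sent as ".." means a single "."
        self.body_lines.append(line[1:] if line.startswith("..") else line)
        return ""

    def _reset_envelope(self) -> None:
        self.sender = None
        self.recipients = []
        self.body_lines = []

    @staticmethod
    def _address(arg: str, keyword: str) -> Optional[str]:
        if not arg.upper().startswith(keyword):
            return None
        rest = arg[len(keyword):].strip()
        if len(rest) < 3 or not (rest.startswith("<") and rest.endswith(">")):
            return None
        return rest[1:-1]


def run_session(server: SmtpServerSim, client_lines: List[str]) -> List[Tuple[str, str]]:
    """Drive the server with the client's lines; returns (sent, reply) pairs,
    omitting body lines, which get no reply until the terminating '.'."""
    transcript = [("", server.greeting())]
    for line in client_lines:
        reply = server.handle(line)
        if reply:
            transcript.append((line, reply))
    return transcript
```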


7.3 POP3 and IMAP for E-mail Services

SMTP is not well suited to machines that are not permanently connected to the Internet, and do not have a public IP address. Increasingly, SPs offer both dial-up accounts to their users, and mail relays that accept inbound and outbound mail for these clients. The two main protocols used to retrieve and manage mailboxes over a dial-up account are Post Office Protocol (POP) and Interactive Mail Access Protocol (IMAP). Neither protocol allows e-mail to be sent, only retrieved. Normally, a separate SMTP session is used to transfer outbound mail from the dial-up client to the SMTP mail relay. Both POP and IMAP include optional user authentication using a shared secret.

7.4 Post Office Protocol (POP)

Post Office Protocol Revision 3 (POP3) allows users to connect through a POP3 client in their mail application to a POP3 server, authenticate using a username and password pair, and then retrieve messages from the server to their mail client. Messages that have been retrieved may be left on the server or deleted.

7.5 Internet Message Access Protocol (IMAP4)

The Internet Message Access Protocol, Version 4rev1 (IMAP4rev1) allows a client to access and manipulate electronic mail messages on a server. IMAP4rev1 permits manipulation of remote message folders, called ‘mailboxes’, in a way that is functionally equivalent to local mailboxes. IMAP4rev1 also provides the capability for an offline client to resynchronize with the server.

IMAP4rev1 includes operations for creating, deleting and renaming mailboxes; checking for new messages; permanently removing messages; setting and clearing flags; RFC-822 and MIME parsing; searching; and selective fetching of message attributes, texts and portions thereof.


Figure 35
E-mail Protocols

(figure: a User Terminal (client) with its File System and a Server with its File System and mailboxes, connected over TCP; Send Mail uses SMTP, Retrieve Mail uses either POP3 (retrieve and delete) or IMAP4 (retrieve and manipulate))


8 SECTION 1 QUESTIONS

1 What are the three main types of switching? Give an example of each that is in widespread use.

2 What are the three different ways that Layer 2 switching is used in WANs?

3 IP forwarding is carried out using:

a virtual circuit forwarding tables
b next hop forwarding tables
c explicit source routing
d static routing configured by network operations centres only

4 IP subnetting:

a allows multiple smaller networks to be created from one larger network
b allows one larger network to be created from multiple smaller networks
c is not permitted unless the routing protocol carries subnet masks
d is obsolete now that CIDR is standardized

5 Reliable transport can be achieved across IP networks:

a by using the UDP transport layer
b by using the TCP transport layer
c by using the RTP transport layer
d IP automatically achieves reliable transport without the need for an additional transport layer protocol, just like X.25

6 The Domain Name System is used to:

a provide mappings from domain names to IP addresses
b provide mappings from IP addresses to domain names
c provide the names and addresses of other name servers and mail servers
d provide all of the above


7 The software in a client of the DNS is called a:

a resolver
b caching name server
c forwarding name server
d Web browser

8 POP3 and IMAP4 are:

a alternative protocols for the transfer of e-mail between servers
b protocols to prevent unsolicited commercial e-mail being sent through open mail relays
c protocols for retrieval and management of e-mail from mail servers
d applications that allow proprietary e-mail servers to communicate with SMTP servers


SECTION 2

IP NETWORK SERVICES


SECTION CONTENTS

1 Access Services 2.1
1.1 Traditional Dial-up Internet Access 2.1
1.2 Centralized Dial-up Access Services using a Number Translation Service (NTS) 2.1
1.3 PSTN Offload Architectures for Dial Access 2.3
1.4 The Changing Architecture of Network Access Servers 2.5
1.5 Dynamic Host Configuration Protocol (DHCP) 2.7
1.6 DHCP for Dial-up Users 2.9
1.7 Network Address Translation (NAT) 2.11
1.8 Dial-up Access for Client Networks 2.11
1.9 Point-to-Point Protocol (PPP) 2.13
1.10 PAP and CHAP Authentication 2.15
1.11 Authentication Using RADIUS or TACACS 2.17
1.12 Permanently Connected Access 2.19
1.13 Introduction to ADSL 2.19
1.14 ADSL as a Full-Service Access Network 2.21
1.15 ADSL as a Broadband IP Access Service 2.21
1.16 Service Provider Selection Through the BAS 2.21
1.17 Local Loop Unbundling 2.23

2 E-mail Services 2.25
2.1 Mail Servers and the DNS 2.25
2.2 Mail Accounts on the Service Provider Domain 2.27
2.3 Full Outsourcing of the Customer Domain Mail Services 2.29
2.4 Secondary Mail Servers 2.31
2.5 Mail Relay Vulnerabilities and Unsolicited Commercial E-mail (UCE) 2.33
2.6 Integration with Enterprise Mail Servers 2.35

3 Web Hosting 2.37
3.1 Static Versus Dynamic Content 2.37
3.2 Multi-user Hosting 2.39
3.3 Virtual Hosting 2.41
3.4 Dedicated Hardware 2.45
3.5 Co-location 2.45
3.6 Web Caching 2.47

4 Providing Name Servers 2.49
4.1 Implementing Primary and Secondary DNS Servers 2.49
4.2 DNS Caches and Forwarders 2.51
4.3 Partitioning Enterprise and Service Provider DNS 2.53

5 Section 2 Questions 2.55


SECTION OBJECTIVES

At the end of this section you will be able to:

• explain the technical architecture of the main IP network services

• discuss the implementation of public service DNS

• understand the options for access services, and why these have changed

• describe the integration of public and private e-mail services


1 ACCESS SERVICES

1.1 Traditional Dial-up Internet Access

Early dial-up Internet access typically used a conventional analogue circuit-switched call between the dial-up user and their ISP, who purchased conventional retail voice lines from a network operator, and hosted modem banks, or Network Access Servers (NAS), on their premises to accept incoming calls. The modem termination points were in the end-user’s computer and at the ISP premises. When ISDN access became available from ISPs and within PC systems, data rates across circuit-switched connections increased to 64 kbit/s, but the underlying architecture did not fundamentally change. Typically local access servers were located at each major town or city that the ISP served, to provide a regionally based NAS architecture.

1.2 Centralized Dial-up Access Services using a Number Translation Service (NTS)

In the late 1990s, network operators began to offer network-based NAS as a service to ISPs. This allowed them to consolidate modem banks for many wholesale customers (the ISPs), and get economies of scale in the implementation.

Typically a Number Translation Service (NTS) was used to provide the appearance of a single, national infrastructure for each ISP. The Non-Geographic Number (NGN) dialled by the customer was translated into a conventional number for the modem bank by this NTS service.


1.3 PSTN Offload Architectures for Dial Access

From around 2000 onwards, demand on the circuit-switched network drove the point where modem or ISDN calls were terminated closer to dial-up users. Backhaul across an IP network was used to complete the transport.

The reasons for this were that conventional Internet access had grown in volume to the point where off-loading these calls from the circuit-switched network as soon as possible was necessary to protect the availability of voice services. Although the busy hour for Internet users was typically in the evening and did not conflict with the daytime voice busy hour, call holding times for Internet calls were substantially longer than those for true voice calls, leading to exhaustion of the bearer network even before call control capacity in the switches was exhausted. In the traditional dial-up access architecture, a massive investment in PSTN switches would have been necessary to accommodate the demand growth.

Also, traditional PSTN transport requires a dedicated 64 kbit/s channel per modem user, although the effective bandwidth is much less than this. By recognizing the call as an ISP call, and carrying the traffic over a packet-switched infrastructure, over-subscription of network capacity can be applied; bandwidth over-subscription rates of around 10:1 are common in this application, making IP backhaul a much more economically effective solution.

It is common in this off-load architecture to locate a modem bank as close as possible to the customer access switch. Calls may be routed to the modem bank using conventional PSTN numbering plans in the access switch, or by using an NTS approach.


Figure 1c: Local NAS with PSTN Offload

Diagram: Internet Users 1 to 4 dial into a local NAS close to their access switch, from which traffic is carried onward as IP rather than as circuit-switched calls.


1.4 The Changing Architecture of Network Access Servers

Traditionally ISPs have been end-users, rather than licensed carriers, and Internet access calls to these ISPs were handed over using ISDN Primary Rate Interfaces (PRI) and ISDN user-to-network signalling. The associated signalling model of ISDN PRI was a significant impediment to large-scale equipment implementations suitable for public service networks.

The latest generation of NAS now includes Signalling System No. 7 (SS7) and network-side bearers. This functionality has led to a strong market in wholesale Internet access services, where operators incorporate the NAS as part of their network infrastructure and use IP tunnelling techniques to deliver traffic across a common infrastructure to the serving ISP.


Figure 2: Network Access Servers

Diagram contrasting the two NAS models for ISP1 and ISP2: (a) PRI ports delivered to the NAS with their associated signalling; (b) TDM bearers delivered to the NAS under the control of a separate signalling controller, which handles the C7 (SS7) signalling.


1.5 Dynamic Host Configuration Protocol (DHCP)

When TCP/IP is installed on a host, the protocol requires some minimal configuration to allow packets to be sent to other hosts on the same or interconnected IP subnets. The three basic components are:

• the IP address of the host

• the subnet mask of the host, to identify the boundary between host and network portions of the address

• the IP address of the default router for this host

Other information is typically required to support applications, including the address of the Domain Name Server (DNS) that should be queried for mapping names to IP addresses. Vendor-specific networking information, such as the Windows domain that the host is a member of, is also typically required.

DHCP is a simple client/server protocol that allows hosts (DHCP clients) to request this information from a DHCP server in the network when they reboot, and to renew this information as necessary. The server may be another host in the network, but DHCP servers are also implemented on many network devices, such as routers.

DHCP allows a pool of IP addresses to be allocated as needed to clients as they request and release them. The advantages of this are:

• use of the IP space is more efficient, as disconnected hosts do not require addresses

• configuration errors are less likely, as IP addresses are centrally administered

• moves and changes of hosts between subnets, and of subnet addressing schemes, are automatically accommodated, instead of requiring manual reconfiguration

DHCP can be used in several different modes:

• in automatic mode, an IP address is permanently provided to a host

• in dynamic mode, an IP address is 'leased' to a host for a fixed period of time, after which the lease must be renewed by a further DHCP dialogue

• in manual mode, the host's IP address is configured manually in the DHCP server, rather than being drawn from a pool, and DHCP conveys this to the DHCP client

Figure 3 shows DHCP using an address pool in a small business network. The DHCP server runs within an ISDN access router in this example.
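As an added example (not code from the manual), the following Python builds the DHCPOFFER that a server such as the router in Figure 3 would return, carrying the three basic parameters above plus DNS, domain and lease time as options, parses it back with a check on option lengths, and keeps a lease table like the figure's. The addresses, domain and one-hour lease follow Figure 3; the transaction id and client MAC are constructed for the example.

```python
"""Minimal DHCP (RFC 2131/2132) message builder, parser and address pool.

Added example; not code from the Wray Castle manual. Addresses, domain and
lease time follow Figure 3. The transaction id and client MAC are constructed
for the example.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS, OPT_DOMAIN = 1, 3, 6, 15
OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 51, 53, 54, 255
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK = 1, 2, 3, 5
# Fixed part of the message (236 bytes): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128)
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"


def _packed(ip):
    return ipaddress.IPv4Address(ip).packed


def build_offer(xid, client_mac, yiaddr, server_ip, mask, router, dns, domain, lease_secs):
    """Server -> client DHCPOFFER carrying the three basic parameters plus DNS/domain."""
    header = struct.pack(HEADER, 2, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, _packed(yiaddr), _packed(server_ip), b"\0" * 4,
                         client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = [
        (OPT_MSG_TYPE, bytes([DHCPOFFER])),
        (OPT_SERVER_ID, _packed(server_ip)),
        (OPT_LEASE_TIME, struct.pack("!I", lease_secs)),
        (OPT_SUBNET_MASK, _packed(mask)),
        (OPT_ROUTER, _packed(router)),
        (OPT_DNS, b"".join(_packed(d) for d in dns)),
        (OPT_DOMAIN, domain.encode()),
    ]
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse(msg):
    """Decode the fixed fields and the option list; reject malformed option lengths."""
    if len(msg) < 240 or msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, _flags, _ci, yiaddr, _si, _gi, chaddr, _sn, _f = \
        struct.unpack(HEADER, msg[:236])
    opts, i = {}, 240
    while i < len(msg) and msg[i] != OPT_END:
        code = msg[i]
        if code == 0:            # pad option, single byte
            i += 1
            continue
        if i + 1 >= len(msg) or i + 2 + msg[i + 1] > len(msg):
            raise ValueError("truncated option %d" % code)  # length runs past the message
        length = msg[i + 1]
        opts[code] = msg[i + 2:i + 2 + length]
        i += 2 + length

    def addr(b):
        return str(ipaddress.IPv4Address(b)) if b else None

    dns = opts.get(OPT_DNS, b"")
    return {
        "op": op, "xid": xid, "chaddr": chaddr[:hlen].hex(), "yiaddr": addr(yiaddr),
        "msg_type": opts[OPT_MSG_TYPE][0] if OPT_MSG_TYPE in opts else None,
        "server_id": addr(opts.get(OPT_SERVER_ID)),
        "lease": struct.unpack("!I", opts[OPT_LEASE_TIME])[0] if OPT_LEASE_TIME in opts else None,
        "mask": addr(opts.get(OPT_SUBNET_MASK)), "router": addr(opts.get(OPT_ROUTER)),
        "dns": [addr(dns[k:k + 4]) for k in range(0, len(dns), 4)],
        "domain": opts[OPT_DOMAIN].decode() if OPT_DOMAIN in opts else None,
    }


class AddressPool:
    """Lease table like the one in Figure 3: MAC -> (address, expiry time)."""

    def __init__(self, start, count, lease_secs):
        first = int(ipaddress.IPv4Address(start))
        self.free = [str(ipaddress.IPv4Address(first + k)) for k in range(count)]
        self.leases = {}
        self.lease_secs = lease_secs

    def expire(self, now):
        for mac, (ip, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[mac]
                self.free.append(ip)

    def allocate(self, mac, now):
        """Renewing clients keep their address; new clients take the next free one."""
        if mac in self.leases:
            ip = self.leases[mac][0]
        else:
            self.expire(now)
            if not self.free:
                return None     # pool exhausted: nothing to offer (DHCP starvation looks like this)
            ip = self.free.pop(0)
        self.leases[mac] = (ip, now + self.lease_secs)
        return ip
```

Two details are worth noting. The parser refuses an option whose length byte runs past the end of the message rather than reading beyond it, which is the common way DHCP option parsers have failed. The pool hands out nothing once exhausted; since the client MAC is the only identity DHCP has, anyone on the segment can drain a pool of 50 addresses by requesting with 50 made-up MACs, so the pool size and lease time in Figure 3 are also a statement of how long such an exhaustion lasts.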


Figure 3: DHCP Operation

Diagram: a router (192.168.1.1) acting as DHCP server and DNS forwarder, with clients .3, .4, .5 and .7 on the LAN and a connection to the Internet. The router's DHCP configuration and DHCP table are shown below.

DHCP configuration (MENU: DHCP Parameters)
  Starting IP Address:  192.168.1.2
  Number of Addresses:  50
  Lease Duration:       1
  Lease Unit:           Hour
  Domain Name:          acme.com
  Primary DNS:          192.168.1.1
  Secondary DNS:        0.0.0.0
  Default Gateway:      192.168.1.1

DHCP table
  MAC Address         IP Address    Type   Lease Expiration
  00-50-04-2b-9c-fe   192.168.1.7   DHCP   0 Days 0 Hrs 40 Mins 5 Secs
  00-20-18-3c-44-5e   192.168.1.3   DHCP   0 Days 0 Hrs 45 Mins 29 Secs
  00-20-18-3c-44-61   192.168.1.4   DHCP   0 Days 0 Hrs 51 Mins 7 Secs
  00-50-bf-4a-85-7b   192.168.1.5   DHCP   0 Days 0 Hrs 55 Mins 27 Secs


1.6 DHCP for Dial-up Users

Early ISPs allocated a fixed IP address to dial-up hosts from their own allocation of public address space. However, this was particularly inefficient in the use of address space, as most users are connected for a small proportion of time. It also made expansion of the network difficult, as these early address allocations required continuing support.

Dynamic address allocation, which this manual groups under DHCP, is the normal approach taken for dial-up or other intermittent Internet access. A block of addresses is available at the serving NAS, and one of these is allocated on a leased basis to the dial-up user. On a PPP link the address is actually conveyed to the client by the IP Control Protocol (IPCP) negotiation described in section 1.9, with the NAS drawing it from a pool that may itself be populated by a DHCP or RADIUS server. A static routing announcement for the complete address block at the NAS is normally injected into the Interior Gateway Protocol (IGP) of the ISP, so that all traffic for these hosts is directed to the serving NAS.

Because the address allocation is dynamic, dial-up hosts can normally make outbound connections only. This satisfies the requirements of most dial-up users, but where the user wishes to host a server on a dial-up connection, then a permanent address assignment to this user is required. This situation is more likely to occur where the user operates a dial-up network, rather than a single host.


Figure 4: DHCP for Dial-up Users

Diagram: the dial-up connection terminates on a NAS in the ISP network, behind which sit a DHCP server and a router. The dial-up connection settings, including the IP addresses obtained dynamically, are shown as the customer's access router reports them:

Active Call Information
  Port used:           Data 2
  Profile Name:        ISP
  Call Direction:      Out
  Call Type:           Data-64K
  Remote Number:       01234 123456
  Data Call Option:    Normal
  Compression:         No
  Authentication:      CHAP (Encrypted)
  Local IP address:    62.25.154.117
  Remote IP address:   62.25.154.1
  Primary DNS:         195.92.195.94
  Secondary DNS:       195.92.195.95
  Bytes Received:      12149
  Bytes Transmitted:   12961
  Call Duration:       0h 09min 25sec


1.7 Network Address Translation (NAT)

Network Address Translation (NAT) [RFC 1631, later revised as RFC 3022] was originally devised as a means of conserving public IP address space, by mapping addresses from an internal IP address space (realm) to the public address space. Typically, enterprises use the special addresses reserved for private use within the enterprise [RFC 1918]. NAT can operate in several ways, depending upon whether one or several public IP addresses are available to carry the private network traffic across the public network. In each case, the NAT device maintains an internal table of address mappings to allow the address conversions to be carried out on a packet-by-packet basis.

Static NAT maps on a permanent one-to-one basis, mapping each private IP address to a public IP address. This method is sometimes used where networks are being consolidated or migrated to a new address space.

Dynamic NAT allocates public addresses as required from an available pool.

Network Address Port Translation (NAPT), also called Port Address Translation (PAT), makes multiple internal hosts appear as a single host by using a single external address with dynamic port allocations.

1.8 Dial-up Access for Client Networks

Increasingly dial-up accounts are used to support small client networks. Where the client network does not require permanent IP addresses that are visible to the public Internet, then an access router providing NAT is a popular solution. In this scenario, NAT allows multiple machines to appear as a single machine to the public network. From the service provider perspective, a client network using NAT is identical to a conventional single-user dial-up connection. In Figure 5, NAPT is used to represent several private network hosts as a single publicly addressed host.

If the dial-up client network requires visible servers on the public network, then one or more permanent address assignments must normally be made.
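The NAPT table of Figure 5, as an added example rather than code from the manual: two inside hosts share one public address, return traffic is mapped back by public port, anything with no mapping is dropped, and a static port forward is the only way an inside server becomes reachable. The addresses and ports are the figure's; the packet model is a bare 5-tuple that ignores checksums, TCP state and mapping timeouts, and it goes slightly beyond the figure by offering the choice between letting any remote host use a mapping and restricting it to the endpoint the inside host contacted.

```python
"""NAPT translation table as in Figure 5: many inside hosts behind one public address.

Added example; not code from the Wray Castle manual. The addresses and port
numbers are the figure's; the packet model is a bare 5-tuple and ignores
checksums, TCP state and mapping timeouts.
"""
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    def __init__(self, public_ip, first_port=61016, endpoint_filtering=False):
        self.public_ip = public_ip
        self.ports = itertools.count(first_port)
        self.outbound = {}   # (proto, inside_ip, inside_port) -> public_port
        self.inbound = {}    # (proto, public_port) -> (inside_ip, inside_port, remote_ip, remote_port)
        self.forwards = {}   # (proto, public_port) -> (inside_ip, inside_port), static
        # True: only the remote endpoint the inside host talked to may answer;
        # False: anyone who learns the public port can reach the mapping
        self.endpoint_filtering = endpoint_filtering

    def forward_port(self, proto, public_port, inside_ip, inside_port):
        """Permanent mapping for a server that must be visible from the public network."""
        self.forwards[(proto, public_port)] = (inside_ip, inside_port)

    def translate_out(self, pkt):
        """Inside -> outside: rewrite the source to the public address and a unique port."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            port = next(self.ports)
            self.outbound[key] = port
            self.inbound[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(pkt.proto, self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_in(self, pkt):
        """Outside -> inside: only packets matching a mapping or a static forward get through.
        Returns None for anything dropped, which is why a NATed client cannot be reached
        from the Internet unless a forward exists."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = (pkt.proto, pkt.dst_port)
        if key in self.forwards:
            inside_ip, inside_port = self.forwards[key]
        elif key in self.inbound:
            inside_ip, inside_port, remote_ip, remote_port = self.inbound[key]
            if self.endpoint_filtering and (remote_ip, remote_port) != (pkt.src_ip, pkt.src_port):
                return None
        else:
            return None
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside_ip, inside_port)
```

The table is keyed on the inside address and port only, as Figure 5's is, so a mapping created for one destination stays usable by any remote host until it times out; the endpoint_filtering flag shows the stricter behaviour, in which a reply from anywhere other than the host originally contacted is dropped. Real translators also age mappings out, which this model omits.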


Figure 5: Network Address Translation

Diagram: on the private network, Client 192.168.1.2 and Client 192.168.1.3 sit behind a NAT Router whose inside address is 192.168.1.1 and whose public address is 206.245.160.1. On the public network (Internet) are a Web Server at 207.28.194.84 and an SMTP Server at 205.197.101.111.

NAPT Table
  Inside               Outside
  192.168.1.2 : 1132   206.245.160.1 : 61016
  192.168.1.3 : 1132   206.245.160.1 : 61017

Packets before and after translation
  Src: 192.168.1.2 : 1132   Dst: 207.28.194.84 : 80    ->  Src: 206.245.160.1 : 61016   Dst: 207.28.194.84 : 80
  Src: 192.168.1.3 : 1132   Dst: 205.197.101.111 : 25  ->  Src: 206.245.160.1 : 61017   Dst: 205.197.101.111 : 25


1.9 Point-to-Point Protocol (PPP)

Point-to-Point Protocol (PPP) was developed by the IETF [RFC 1661] in the early 1990s. It was based upon requirements stated in [RFC 1547] to provide a simple L2 protocol that was extensible, allowed for endpoint authentication and compression, incorporated protocol multiplexing so that multiple protocols could be carried as payload, and allowed negotiation of higher layer protocol properties such as IP addresses of the end points. The main motivation was to support dial-up access to the public Internet across modem access circuits with better security and management features than were provided by the Serial Line IP (SLIP) protocol widely used at the time.

PPP includes an encapsulation scheme and a higher layer protocol field, in common with many other L2 protocols. However, its strength as a protocol for dial-up Internet access lies in the fact that it also provides a Link Control Protocol (LCP) and a family of Network Control Protocols (NCPs) which can be carried within PPP frames. These allow various configuration issues to be addressed by the protocol: LCP negotiates the link parameters and which authentication protocol (PAP or CHAP, section 1.10) will be used to authenticate the link endpoint; the NCP for IP (IPCP) assigns the network layer address and related parameters dynamically; and a further control protocol, the Compression Control Protocol (CCP), negotiates data compression.

These features have made PPP the dominant link layer protocol for dial-up modem and ISDN access to ISPs, as well as the basis for many IP Virtual Private Network (IP-VPN) implementations.


Figure 6: The Operation of PPP

  PPP client                                    PPP server
  LCP configuration request       ------->
                                  <-------      LCP configuration acknowledge
  LCP identification              ------->
      (establishes basic link layer parameters; callback and compression negotiation)
                                  <-------      CHAP challenge
  CHAP response                   ------->
                                  <-------      CHAP success
      (authenticates endpoint (client))
  IPCP configuration request      ------->
                                  <-------      IPCP configuration acknowledge
      (configures IP parameters: IP address, DNS, domain, etc.)
  DATA                            <------>


1.10 PAP and CHAP Authentication

Because of the intermittent nature of dial-up Internet access, effective authentication of the dial-up user is required to ensure the security of the network and to avoid fraud and misuse of resources.

Authentication of dial-up Internet users is normally based upon a shared secret password known to both the user and the authentication server within the ISP network. Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) [RFC 1994] are both supported within the framework of PPP.

PAP sends the shared secret and username as a matched pair across the network in plaintext form, and without any replay protection. An interceptor who captures PAP traffic can easily masquerade as a genuine user until the password is changed. In situations where physical interception of the PAP traffic is highly unlikely, it may be an acceptable authentication protocol, but its use should be avoided in most situations.

CHAP uses a simple handshaking protocol combined with a hashing function (MD5 in the form defined by RFC 1994: the response is the hash of the message identifier, the shared secret and the challenge) to avoid sending the shared secret across the network in plaintext form. The challenge issued by the authenticating server is used once only, and should be generated in an unpredictable sequence. The hashing algorithm generates a repeatable output for a given challenge and shared secret, and has two important properties.

If an interceptor has access to the challenge and the response, he/she cannot use a simple replay approach, because the authentication server will recognize this response as already used. Knowledge of even a large number of challenge/response pairs does not directly reveal the shared secret. Two caveats apply in practice: a captured pair does allow the secret to be guessed offline, so a weak or dictionary-word secret can still be recovered; and because the hash is computed over the secret itself, the server must hold the secret in a recoverable form rather than as a one-way hash.

As well as supporting the shared secret method of authentication, the PPP authentication framework has been extended (notably through the Extensible Authentication Protocol, EAP) to operate with other authentication schemes, such as digital certificates.
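The CHAP exchange described in sections 1.9 and 1.10, as an added example that is not the manual's code: the RFC 1994 response computation, a server side that issues each challenge once so that a replayed response fails, and the offline-guessing caveat shown as a short candidate search. The usernames, secrets and the fixed test challenge are constructed for the example.

```python
"""CHAP (RFC 1994) challenge/response, with replay rejection and the offline-guessing caveat.

Added example; not code from the Wray Castle manual. Usernames, secrets and
the fixed test challenge are constructed for the example.
"""
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 section 4.1 with MD5: Response = MD5(Identifier || Secret || Challenge).
    The secret never crosses the link; only the 16-byte digest does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side. Secrets must be held in recoverable form, since the hash is
    computed over the secret itself, not over a stored one-way hash of it."""

    def __init__(self, secrets):
        self.secrets = secrets   # username -> secret bytes
        self.pending = {}        # identifier -> outstanding challenge
        self.next_id = 1

    def challenge(self, value=None):
        """Issue a fresh, unpredictable challenge; value may be supplied for testing only."""
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256
        self.pending[identifier] = value if value is not None else os.urandom(16)
        return identifier, self.pending[identifier]

    def verify(self, identifier, username, response):
        """Each challenge is answered once: it is discarded whether the response is right or
        wrong, so a captured (identifier, response) pair replayed later finds no pending challenge."""
        challenge = self.pending.pop(identifier, None)
        secret = self.secrets.get(username)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def guess_secret(identifier, challenge, response, candidates):
    """The caveat: a captured challenge/response pair lets an eavesdropper test guesses
    offline at MD5 speed, so a weak secret is recoverable even though it was never sent."""
    for candidate in candidates:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None
```

The comparison uses a constant-time function so that a response check does not leak how many leading bytes matched. The identifier is only 8 bits, so the server must also keep challenges unpredictable; a predictable challenge would let an attacker precompute the response for the next login.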


Figure 7: PAP and CHAP Authentication

PAP
  PAP client   ---- login (username, password) ---->   PAP server
                                                       compare with password file
               <---------- acknowledge --------------

CHAP
  CHAP client  ---- login request (username) ------>   CHAP server
                                                       generate challenge
               <----------- challenge ---------------
  # hash challenge with secret
    from password file
               ------------ response --------------->   # hash challenge with stored secret;
                                                       compare
               <----------- acknowledge -------------


1.11 Authentication Using RADIUS or TACACS

As the scale and physical distribution of public service ISP networks grows, the simple PAP/CHAP model of authentication becomes unmanageable, because the account information must be available at each NAS location. The Terminal Access Controller Access Control System (TACACS) and Remote Authentication Dial-In User Service (RADIUS) protocols were designed to improve this scalability, to add facilities for accounting and auditing of resource usage, and to allow user-specific profiles to be invoked for particular connections, so that authorization can also be provided.

In both architectures, multiple NAS devices terminate the PPP authentication process, but these devices are also clients to a RADIUS or TACACS authentication server. This authentication server can be centrally located, making management and operational security easier to achieve. In this architecture, the user account information need no longer be distributed to multiple NAS devices at the network edge.

A wide range of integration options exist within the RADIUS standards in particular, including support for the use of shared secrets, digital certificates and tokens. In order to prevent a rogue NAS sending authentication requests to the server, or a rogue server answering them, the RADIUS and TACACS protocols rely on a shared secret configured between each client and the server (or other means as agreed between them); in RADIUS the secret is used to hide user passwords in transit and to authenticate the server's responses.

Strong vendor support for RADIUS in particular means it continues to be widely deployed as a stable and reliable method of integrating authentication schemes, both for large-scale IP networks, and more generally where heterogeneous platforms must be integrated.
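What the NAS-to-server shared secret actually does in RADIUS, as an added example rather than the manual's code: the NAS builds an Access-Request whose User-Password attribute is hidden with the secret (RFC 2865 section 5.2), the server recovers and checks the password and signs its reply with a Response Authenticator, and the NAS accepts the reply only if that authenticator verifies. The secret, credentials and NAS address are constructed for the example; only the PAP-style User-Password attribute is shown, since CHAP credentials are carried in different attributes.

```python
"""RADIUS (RFC 2865) Access-Request/Accept exchange showing what the NAS-server shared secret does.

Added example; not code from the Wray Castle manual. The shared secret, user
credentials and NAS address are constructed for the example. Only the PAP-style
User-Password attribute is shown; CHAP-Password is carried differently.
"""
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks; each block is XORed with
    MD5(secret + previous ciphertext block), the first with MD5(secret + Request Authenticator)."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, identifier, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH16s", code, identifier, 20 + len(body), authenticator) + body


def response_authenticator(code, identifier, attrs_bytes, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): proves the reply came
    from a party holding the secret and binds it to this particular request."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def access_request(identifier, secret, username, password, nas_ip, nas_port, request_auth=None):
    """NAS side: build the request; request_auth is random in practice, fixed only for tests."""
    ra = request_auth if request_auth is not None else os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, ra)),
             (NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
             (NAS_PORT, struct.pack("!I", nas_port))]
    return build_packet(ACCESS_REQUEST, identifier, ra, attrs)


def server_handle(request, secret, users):
    """Server side: recover the password with the secret, check it, sign the reply."""
    _code, identifier, length, ra = struct.unpack("!BBH16s", request[:20])
    attrs = dict(decode_attrs(request[20:length]))
    username = attrs[USER_NAME].decode(errors="replace")
    password = reveal_password(attrs[USER_PASSWORD], secret, ra)
    stored = users.get(username)
    ok = stored is not None and hmac.compare_digest(stored, password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(code, identifier, response_authenticator(code, identifier, b"", ra, secret), [])


def client_verify(response, request, secret):
    """NAS side: return the reply code only if its Response Authenticator checks out, else None."""
    code, identifier, length, got = struct.unpack("!BBH16s", response[:20])
    _, req_identifier, _, ra = struct.unpack("!BBH16s", request[:20])
    if identifier != req_identifier:
        return None
    expected = response_authenticator(code, identifier, response[20:length], ra, secret)
    return code if hmac.compare_digest(expected, got) else None
```

Note what the secret does not do: the Access-Request itself carries no authenticator over its contents in this basic form, so the protection against a rogue NAS is only that a request built without the secret yields an unusable password and a reply the rogue cannot verify. Later extensions (the Message-Authenticator attribute, and carrying RADIUS over TLS) address that gap and should be used where the NAS-to-server path is not trusted.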


Figure 8: RADIUS and TACACS Authentication

Diagram: the user authenticates to the NAS over PPP using CHAP. Instead of each NAS holding its own local account database, the NAS acts as a RADIUS/TACACS client and forwards the check over RADIUS/TACACS to a RADIUS/TACACS server holding the central account database.


1.12 Permanently Connected Access

Permanently connected users typically connect a private network to the service provider network, rather than a single host. In addition to leased lines and Layer 2 services such as Frame Relay used as an access mechanism, Asymmetric Digital Subscriber Line (ADSL) services are increasingly used to provide always-on connections. The size of the private network that is connected may be anything from a few machines to a large enterprise network with multiple sites, and multiple service providers.

From a service provider perspective, a small, permanently connected network can be treated similarly to a dial-up network. Typically NAT is used to limit the number of public IP addresses necessary for the site. Most permanently connected sites do have one or more public IP addresses which are used to provide inbound access to e-mail servers, corporate web servers and VPN connections.

As the complexity of the customer network increases, dynamic routing protocols must be run across the service provider/customer interface to provide resilient and efficient transport of traffic. Once routing protocols are run across the customer/service provider interface, the solution becomes increasingly complex to administer.

1.13 Introduction to ADSL

ADSL is a technology that allows much higher data rates across a voice-grade twisted copper pair than has been possible in the past. It is widely used to extend the bandwidth of traditional twisted-pair local loop connections between subscribers and their local exchange building.

ADSL uses sophisticated signal processing techniques and channelized digital transmitters and receivers to achieve acceptable performance at much higher bandwidths than before across a normal copper pair. It uses ATM as a Layer 2 switching technology, which means that it can support a wide range of applications by assigning appropriate categories of service to them.

An ADSL modem pair is located at the ends of the copper pair to implement the service. Where another access technology, such as a remote concentrator or other device that aggregates individual voice channels into a high-level multiplex, is deployed ahead of the local exchange/central office location, then the ADSL connection must terminate at this location. In other words, the ADSL modems must be directly connected to the copper pairs to achieve the necessary bandwidth extension.

High density DSL Access Multiplexers (DSLAM) are deployed at the network end of the ADSL link to terminate DSL connections from subscribers.


Figure 9: ADSL Architecture

Diagram: an ADSL modem at the customer premises is connected over the twisted pair to an ADSL DSLAM at the local exchange/central office (or at a transmission concentrator site where one sits ahead of the exchange); the DSLAM feeds ATM switching over E1/T1 or greater. Inset spectrum plot: the traditional analogue voice channel occupies the lowest frequencies, and the previously unused band above it, up to about 1 MHz, contains the ADSL channels.


1.14 ADSL as a Full-Service Access Network

The architecture of the network beyond the DSLAM varies depending upon the set of services being offered across the DSL access network. Most ADSL services deployed today offer only high-speed Internet access, but for many operators the strategic intention of ADSL deployment is to provide a full service access mechanism, as discussed below.

The ATM transport employed by ADSL makes it suitable as an integrated services access medium. Where multiple services are being offered across ADSL, the Customer Premises Equipment (CPE) is a specialized Integrated Access Device (IAD). The role of the IAD is:

• termination of the various conventional interfaces, such as POTS, ISDN, Ethernet, etc.

• ATM adaptation using the appropriate ATM Adaptation Layers (AALs)

• ATM multiplexing of the individual virtual circuits carrying traffic between the IAD and their termination point on the appropriate gateway device in the network

• service-specific adaptation functions, for example conversion of DTMF tones into the appropriate form, typically as defined in ATM Forum standards

The service provider DSLAM terminates all inbound ADSL physical layer connections from the IADs. It typically then passes traffic to an ATM switch node which can groom and aggregate traffic before directing virtual circuits and virtual paths towards the correct gateway device for the desired service. For example, a voice gateway in this architecture would accept inbound calls over ATM virtual circuits, and convert these to traditional TDM form for interconnection with a conventional PSTN switch.

1.15 ADSL as a Broadband IP Access Service

For high-speed Internet access, the broadband equivalent of a NAS, the Broadband Access Server (BAS), is required. The main difference between this device and the traditional NAS is the use of ATM virtual circuits as the Layer 2 protocol. This requires the BAS to terminate the ATM virtual circuits, operate the appropriate AAL functions necessary to extract IP packets, and carry out authentication, auditing and accounting functions for the ISP. The BAS may also apply policy and filtering actions on IP traffic in the same way as a traditional NAS.

1.16 Service Provider Selection Through the BAS

Most current implementations of ADSL Internet access effectively tie the subscriber to a particular service provider. This contrasts with the traditional dial-up services, where a subscriber could have several active accounts, and select which service provider to use based upon dialled number. Two approaches to selection of the service provider have been proposed to remedy this: a preselection approach, based upon the customer notifying the ADSL provider of moves and changes, and a common BAS model, where users would connect to a common BAS, and make their service provider selection at this point. Neither model has been widely deployed to date.


Figure 10: ADSL Integration with the Core Network

Diagram: IADs at customer premises connect to DSLAMs, which feed an ATM aggregator switch and the ATM switched network. IP over Ethernet from the IAD is carried as IP over ATM to the BAS and on to the Internet; analogue voice from the IAD is carried as voice over ATM to a voice gateway (VGW) and on to the PSTN.


1.17 Local Loop Unbundling

In many countries, ADSL deployment has occurred alongside government-led initiatives for increased competition for broadband services in the access network. Various models have been proposed, but these can broadly be classed as physical unbundling of the local loop and logical unbundling of the local loop.

In physical unbundling, a competitive operator/Competitive Local Exchange Carrier (CLEC) leases the existing local loop copper pair for a subscriber from the incumbent operator, and installs their own ADSL modems and DSLAMs at the ends of this pair, typically by attaching close to the Main Distribution Frame (MDF). This requires co-location of the competitive operator DSLAM equipment in the local exchange/central office of the incumbent operator, and has led to practical and political implementation difficulties in many cases.

In logical unbundling, the incumbent operator remains responsible for the physical copper pair and the ADSL equipment at both ends of the link. However, when a subscriber wishes to use an alternative competitive operator/CLEC for services, the incumbent passes traffic within a virtual circuit from their aggregation switch to the aggregation switch of the competing operator. In this case the incumbent operator is selling a wholesale ADSL service to the competing operator. This approach avoids issues of physical access and access to space at the local exchange. It also avoids technical issues with spectrum management on the ADSL-equipped local loop that can arise in the physical unbundling case.


Figure 11: Local Loop Unbundling

Diagram. Physical unbundling: IADs at subscriber premises connect over the copper pairs to co-located DSLAMs (the incumbent's and the CLEC's) in the LE/CO building. Logical unbundling: IADs connect over the copper pairs to the incumbent's DSLAM in the LE/CO building, from which the competitor's subscriber traffic is passed on to the CLEC site.


2.1 Mail Servers and the DNS

The original designers of SMTP intended it to operate between mainframe machines that were permanently connected to the Internet, and on which users had mailboxes linked to their accounts. Increasingly, organizations use mail relays to forward e-mail, and this is one of the main services offered by service providers also. Given the importance of e-mail to business users in particular, methods to make the mail service resilient are also important.

The DNS supports the definition of multiple mail servers for delivery of SMTP e-mail. When an outbound e-mail is ready for delivery to the destination domain, the DNS is queried to find the Mail Exchanger (MX) records for the domain, as shown in Figure 12. Each MX record includes a preference value, and the server with the lowest preference value is selected as the first choice for delivery of the e-mail. A further entry will be given in the DNS answer that maps the canonical name to its IP address.

Once the preferred server IP address is known, the sending mail server attempts a TCP connection with it on the well-known SMTP port, port 25. If for any reason this connection cannot be made, then the next-preferred mail server in the DNS will be tried, and if necessary further mail servers at lower preference values also. This approach can provide resilience in the e-mail architecture, and is widely deployed.
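The MX selection and fallback just described, as an added example that is not the manual's code: the zone text is a constructed copy of the Figure 12 records, and delivery is simulated by a connect() callable standing in for the TCP connection to port 25. It goes slightly beyond the figure in two respects that a real sending MTA must handle: hosts with equal preference are tried in random order, and a domain with no MX records at all is delivered to its own address record.

```python
"""MX lookup and delivery fallback as in Figure 12.

Added example; not code from the Wray Castle manual. The zone text is a
constructed copy of the figure's records; delivery is simulated by a
connect() callable rather than a real TCP connection to port 25.
"""
import random

ZONE = """\
acme.com.      IN MX 10 mx1.acme.com.
acme.com.      IN MX 20 mx2.acme.com.
acme.com.      IN MX 30 mx3.acme.com.
mx1.acme.com.  IN A  192.168.10.20
mx2.acme.com.  IN A  192.168.20.20
mx3.acme.com.  IN A  192.168.40.20
"""


def parse_zone(text):
    """Return ({owner: [(preference, host), ...]}, {host: address}) from zone-file style lines."""
    mx, a = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "IN":
            continue
        owner = parts[0].rstrip(".")
        if parts[2] == "MX" and len(parts) >= 5:
            mx.setdefault(owner, []).append((int(parts[3]), parts[4].rstrip(".")))
        elif parts[2] == "A":
            a[owner] = parts[3]
    return mx, a


def mx_candidates(domain, mx, a, rng=random):
    """Hosts in the order a sending MTA should try them: ascending preference, with hosts of
    equal preference in random order (RFC 5321 section 5.1). No MX at all means deliver
    to the domain's own A record (the implicit MX rule)."""
    records = mx.get(domain)
    if not records:
        return [(domain, a[domain])] if domain in a else []
    shuffled = list(records)
    rng.shuffle(shuffled)                            # randomise ties ...
    ordered = sorted(shuffled, key=lambda r: r[0])   # ... then a stable sort keeps that order within each preference
    return [(host, a[host]) for _, host in ordered if host in a]


def deliver(domain, mx, a, connect, rng=random):
    """Try each candidate until connect(ip, 25) succeeds; return the host that took the
    mail (None if none did) and the list of hosts attempted."""
    attempts = []
    for host, ip in mx_candidates(domain, mx, a, rng):
        attempts.append(host)
        if connect(ip, 25):
            return host, attempts
    return None, attempts
```

A practitioner's caveat follows directly from the fallback rule: a sender can connect to mx3 first without ever trying mx1, and senders of unwanted mail routinely do, so the lower-preference servers must apply the same recipient validation and filtering as the primary, not merely queue and forward whatever arrives.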

2 E-MAIL SERVICES


Figure 12: SMTP Integration with the DNS

  1. mail to: [email protected] is handed to the sending SMTP MTA (client)
  2. the MTA queries the DNS for the MX records of acme.com
  3. the DNS responds with the MX records for acme.com and extra parameters:
       acme.com       IN MX 10 mx1.acme.com
       acme.com       IN MX 20 mx2.acme.com
       acme.com       IN MX 30 mx3.acme.com
       mx1.acme.com   IN A  192.168.10.20
       mx2.acme.com   IN A  192.168.20.20
       mx3.acme.com   IN A  192.168.40.20
  4. SMTP connection over TCP (port 25) to mx1, the SMTP MTA (server) mx1.acme.com at 192.168.10.20
  5. SMTP responses


2.2 Mail Accounts on the Service Provider Domain

This model is popular with consumer services and free Internet access providers, but is not widely used by business users because it seems less professional than a dedicated domain. In this model, users are simply given a user account at the ISP domain, of the form:

 [email protected]

Because the username chosen must be unique across a potentially very large domain, users are normally forced to use digits as well as common names.

E-mail is sent using SMTP, and retrieved using POP3 or IMAP4. Both schemes allow for user authentication using a simple shared secret password, which in its basic form crosses the network in clear unless the session itself is protected. Mail is sent and received between servers using SMTP, and normally a secondary and tertiary mail server will be configured within the ISP's own domain to provide resilience and disaster recovery.

In the example shown, the ISP operates a separate mail server for inbound and outbound traffic. The inbound SMTP server also provides a POP3/IMAP4 server for access to e-mail by the dial-up accounts. The outbound SMTP server need not have an MX record in the DNS, as it only ever originates transfers to the Internet. A secondary MX server is also available should the primary be unreachable from the Internet.

To provide an even more scalable solution, it is possible to separate the mail handling function into three parts:

• an inbound SMTP server, which has an MX record in the DNS. It accepts all domain e-mail, and relays it to a separate POP3/IMAP4 server

• a POP3/IMAP4 server, which provides the mailboxes and access for users. This server only accepts mail from the ISP's own inbound SMTP server

• an SMTP outbound server, which accepts e-mail from users, and sends it out to the Internet

This architecture should have one or more secondary MX machines, as before,which can accept inbound SMTP e-mail if the primary is unavailable for any reason.

Figure 13: Simple Service Provider Mail Accounts
(mail clients send outbound e-mail by SMTP to, and collect inbound e-mail by POP3 or IMAP4 from, mx1.myISP.com, the SMTP and POP3/IMAP4 server; mx2.myISP.com is the secondary SMTP server; DNS for myISP.com: IN MX 10 mx1.myISP.com, IN MX 20 mx2.myISP.com)

2.3 Full Outsourcing of the Customer Domain Mail Services

Many small to medium-sized businesses require Internet e-mail for a set of internal users, but cannot easily run an enterprise mail server internally. This may be because they use dial-up access and have no permanent IP address, or because their use of e-mail internal to the organization does not justify a corporate e-mail infrastructure.

In this case, many service providers offer Internet e-mail services linked to a dedicated customer domain, often bundled with web hosting services.

The ISP will typically organize domain registration through an ICANN approved registrar, if the domain has not yet been registered. If the domain has been registered, but the customer is transferring to a new service provider, then the registration details must be modified to identify the correct name servers for the domain, normally the name servers of the new ISP.

In this scenario, mail between users within the customer domain is sent via the domain mail server within the ISP network, just as for external mail. In other words, all e-mail is Internet e-mail.

The mail delivery methods are the same as for the earlier example, typically SMTP for outbound mail, and POP3 or IMAP4 for inbound delivery. All corporate users must have the correct details for their account configured in their mail client, including server names, username and password.

As the customer now has a registered domain, the DNS records for this domain will show that mail is being handled by the ISP mail servers, as shown in Figure 14.

The ISP will not actually run a separate instance of a mail server, physically or logically, in this case. Instead the e-mail addresses of the customer may be mapped by a mail alias onto an internal account on the ISP server. So, for example, [email protected] might be mapped to [email protected]. This retains the uniqueness of the user name, but maps it into the ISP mail namespace. The mail alias is then used to translate inbound and outbound mail transfers between the two names. An alternative approach is to provide a virtual mail server for each domain, and many mail server applications allow this.

Figure 14: Outsourced Customer Mail Service
(mail clients in the customer domain wraycastle.com use mx1.myISP.com for outbound SMTP and inbound POP3 or IMAP4; mx2.myISP.com is the secondary SMTP server; DNS for wraycastle.com: IN MX 10 mx1.myISP.com, IN MX 20 mx2.myISP.com)

2.4 Secondary Mail Servers

Where a business operates an existing Internet mail server, they may require that a service provider offer a secondary mail server, to improve the resilience of the service. These resilience measures are particularly important once key servers, including mail, DNS and web servers, are hosted at customer premises; the reliability of the access circuits, power circuit and equipment at these locations is normally much poorer than that to the data centres where network servers are typically located.

A common architecture is to configure a secondary mail server within the ISP domain as a mail relay. In this model, the relay will attempt to deliver mail on to the primary server (at the customer premises) for some period of time, before eventually deleting the mail, perhaps after several days.

This approach can also be used where a dial-up network has a legitimate domain and a primary mail server with an MX record in the DNS. In that case, the secondary mail server effectively acts as a store and forward server for the corporate e-mail when the dial-up connection is down, then relays it to the primary mail server when the dial-up connection comes up.
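The MX fallback and store-and-forward behaviour described above, as an added example that is not part of the manual: a sending MTA tries mx1.wraycastle.com (MX 10) before mx2.myISP.com (MX 20), and the ISP secondary queues what it accepts, retries delivery to the primary, and drops messages after a maximum age. The hourly retry interval, five-day limit, timestamps and recipient are assumed values.

```python
"""Added example, not the manual's own code: MX-preference delivery and an ISP
secondary relay acting as a store-and-forward queue for the primary (section 2.4).
Reachability is simulated with a set of hosts that are currently up."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# MX records for wraycastle.com as (preference, host), deliberately listed out of order
MX_RECORDS = [(20, "mx2.myISP.com"), (10, "mx1.wraycastle.com")]

RETRY_INTERVAL = timedelta(hours=1)   # assumed queue-run interval on the relay
MAX_QUEUE_AGE = timedelta(days=5)     # assumed: the text says "perhaps after several days"


def delivery_order(mx_records):
    """Hosts in the order a sending MTA tries them: lowest preference value first."""
    return [host for _, host in sorted(mx_records)]


def deliver(reachable, mx_records=MX_RECORDS):
    """Simulate one delivery attempt: the first reachable MX host accepts the mail.

    Returns that host, or None if no MX answered (the sender then queues it itself)."""
    for host in delivery_order(mx_records):
        if host in reachable:
            return host
    return None


@dataclass
class QueuedMessage:
    recipient: str
    queued_at: datetime
    attempts: int = 0


@dataclass
class SecondaryRelay:
    """The ISP secondary MX: it has no mailboxes and only holds mail for the primary."""
    primary: str
    queue: list = field(default_factory=list)
    delivered: list = field(default_factory=list)
    expired: list = field(default_factory=list)

    def accept(self, recipient, now):
        self.queue.append(QueuedMessage(recipient, now))

    def run_queue(self, now, reachable):
        """One queue run: relay to the primary if it is up; otherwise keep the message
        for the next run, or drop it once it is older than MAX_QUEUE_AGE (a real MTA
        would bounce it to the envelope sender at that point)."""
        still_queued = []
        for msg in self.queue:
            msg.attempts += 1
            if self.primary in reachable:
                self.delivered.append(msg)
            elif now - msg.queued_at >= MAX_QUEUE_AGE:
                self.expired.append(msg)
            else:
                still_queued.append(msg)
        self.queue = still_queued


def simulate_outage(outage_hours):
    """Primary unreachable for outage_hours from the moment a message arrives.

    Returns (host that accepted the mail, delivered count, expired count)."""
    t0 = datetime(2004, 12, 1, 9, 0)             # constructed timestamp
    primary, secondary = "mx1.wraycastle.com", "mx2.myISP.com"
    relay = SecondaryRelay(primary=primary)

    accepted_by = deliver(reachable={secondary})  # the primary is down right now
    if accepted_by == secondary:
        relay.accept("jdoe@wraycastle.com", t0)   # constructed recipient

    now = t0
    while relay.queue:
        now += RETRY_INTERVAL
        up = {secondary}
        if now - t0 >= timedelta(hours=outage_hours):
            up.add(primary)
        relay.run_queue(now, up)
    return accepted_by, len(relay.delivered), len(relay.expired)
```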

Figure 15: ISP Secondary Mail Servers
(normal operation: mail from the Internet is delivered directly to the corporate SMTP server at the customer premises; when that server is unreachable, mail is delivered to the ISP SMTP server in the service provider network and later delivered to the corporate SMTP server from the mail relay; DNS for wraycastle.com: IN MX 10 mx1.wraycastle.com, IN MX 20 mx2.myISP.com)

2.5 Mail Relay Vulnerabilities and Unsolicited Commercial E-mail (UCE)

A major and continuing vulnerability in the Internet e-mail architecture is the abuse of mail relays. In addition to accepting inbound SMTP e-mail from other MTAs, a mail server may accept mail for forwarding on to another SMTP server, as in the example above of a service provider offering a secondary mail relay.

Most mail servers block relaying mail by default as a security feature, so this must be enabled for the specific domains where it should be allowed. Unfortunately open relays, i.e. relays that do not verify or filter traffic before forwarding it on, are still available.

The following example shows how UCE, also known as spam, can exploit such an open relay, and how this can be used to mount a Denial of Service (DoS) attack.

• an e-mail marketer has gathered several hundred thousand candidate e-mail addresses, and creates a marketing e-mail to send using his list

• he creates a free Internet account for basic access, and uses an open SMTP relay he has found to forward his e-mail out to users

• he sets his e-mail client to use a return and from address of [email protected], although he has nothing to do with the company

• he sends his e-mails out in blocks of 1000 at a time, using the Blind carbon copy (Bcc) field, over his new Internet account

From the perspective of the sender of the spam, he has been successful. However, tens of thousands of e-mails are undeliverable, and are returned to [email protected], where they completely block the system. As a result, the wraycastle mail server becomes unavailable, and the disruption is likely to last for several days at least.

The main defence against this type of attack is to ensure that mail exchangers cannot act as open relays. Many ISPs, especially those offering free Internet access, do not allow users to send traffic on TCP port 25 (the well-known SMTP port) to destinations beyond the ISP domain, to make it more difficult to use an external mail relay for UCE.

Figure 16: Exploiting an Open Mail Relay
(the marketeer connects from a free Internet provider over SMTP, port 25, to an SMTP MTA in open relay mode, which forwards the mail across the Internet to the recipients' SMTP MTAs; the envelope 'Mail from:' is the forged acme.com address, and the undeliverable mail is returned to the acme.com MTA)

2.6 Integration with Enterprise Mail Servers

Many enterprises run proprietary workgroup applications for internal messaging and collaboration. Recent releases of these applications all support SMTP either directly or through a gateway function for Internet e-mail. Therefore from a service provider perspective, whether a client organization uses a traditional Internet mail server or a corporate mail server, the interface to the public service should be SMTP-based.

A common approach taken within organizations is to place a simple SMTP MX relay in the De-Militarized Zone (DMZ) behind an Internet firewall. This mail relay then forwards inbound traffic to the internal corporate mail servers, and accepts traffic for the public Internet. Most MTAs will allow inbound traffic to be partitioned by destination address to a variety of internal servers, so that the DMZ relay can direct external e-mail to the correct departmental servers within the corporate domain.

The DMZ MTA in this case requires a valid IP address and MX record in the DNS, but the internal mail servers are invisible to the public network, and protected by the network security measures put in place at the Internet and corporate firewalls and elsewhere.
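The relay decision that keeps the DMZ mail exchanger of this section from becoming the open relay of section 2.5, as an added example that is not the manual's code: mail for the domains the relay is an MX for is accepted from anyone and routed to the internal departmental MTA by destination domain, mail from the corporate LAN is accepted for any destination, and everything else is refused with a permanent error. The internal hostnames, the trusted network and the ISP smarthost are assumptions.

```python
"""Added example, not the manual's own code: a per-recipient SMTP relay policy
combining the defensive points of sections 2.5 and 2.6. All internal hostnames,
networks and the outbound smarthost are constructed for illustration."""
import ipaddress

# Domains this relay holds MX records for, and the internal MTA that holds each
# one's mailboxes (sales and development servers behind the corporate firewall).
RELAY_DOMAINS = {
    "wraycastle.com": "mail.internal.wraycastle.com",                 # assumed
    "sales.wraycastle.com": "sales-mta.internal.wraycastle.com",      # assumed
    "development.wraycastle.com": "dev-mta.internal.wraycastle.com",  # assumed
}

# Clients allowed to submit mail for any destination: the corporate LAN only.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed

# Next hop for mail leaving the organisation (assumed ISP outbound SMTP server)
OUTBOUND_SMARTHOST = "smtp-out.myISP.com"


def is_trusted(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def rcpt_decision(client_ip, rcpt_to):
    """Decide what the relay does with one RCPT TO from a given SMTP client.

    Returns (accept, smtp_reply, next_hop); next_hop is None when rejected."""
    if rcpt_to.count("@") != 1:
        return False, "501 5.1.3 Bad recipient address syntax", None
    local_part, domain = rcpt_to.rsplit("@", 1)
    domain = domain.lower().rstrip(".")
    if not local_part or not domain:
        return False, "501 5.1.3 Bad recipient address syntax", None

    # Inbound: we are an MX for this domain, so accept from anyone and route the
    # message to the internal server that holds the mailboxes.
    if domain in RELAY_DOMAINS:
        return True, "250 2.1.5 Recipient OK", RELAY_DOMAINS[domain]

    # Outbound: only our own users may use this relay to reach the Internet.
    if is_trusted(client_ip):
        return True, "250 2.1.5 Recipient OK", OUTBOUND_SMARTHOST

    # Everything else is third-party relaying. A permanent 5xx reply is used
    # because a temporary 4xx would only make the client keep retrying.
    return False, "554 5.7.1 Relay access denied", None


def route_envelope(client_ip, rcpt_tos):
    """Evaluate every RCPT TO of one envelope; returns {recipient: (reply, next_hop)}."""
    return {rcpt: rcpt_decision(client_ip, rcpt)[1:] for rcpt in rcpt_tos}
```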

Figure 17: Integration of Internet and Enterprise Mail Servers
(Internet e-mail via SMTP with external MTAs arrives at mx1.wraycastle.com, an SMTP relay in the DMZ between the Internet firewall and the corporate firewall, alongside the WWW and VPN servers; the relay forwards mail by destination address to the internal sales MTA and development MTA)

3.1 Static Versus Dynamic Content

Web hosting services are an important part of most businesses, and this might be designed and operated in-house, or outsourced to a service provider.

Originally, the WWW was used to provide static file content to clients. However most web sites now use client or server-side programming to enhance the content and appearance of the site by making it to some extent dynamic. Common Gateway Interface (CGI) allows a web server to route the contents of a web form to a program running on another server platform through a set of standard procedures. It is widely used to allow users to input data via a web site, for example requesting e-mail content, selecting data from a database, etc. The programme to be executed is normally in a cgi-bin folder on the web server. CGI has many limitations, and more sophisticated open and proprietary server-side programming is increasingly replacing it.

Some examples of server-side programming approaches are listed in Figure 18. Active Server Page™ (ASP) is a Microsoft proprietary approach that allows execution of code in a web page before it is delivered to a browser client. Hypertext Pre-Processor (PHP) is an open source approach that is similar to ASP, and distributed as part of most Linux distributions.

Because these programming languages can open up vulnerabilities on the host platform (the web server) running them, service providers must be careful about how much freedom to include server-side programming is provided to clients when hosting web services.

Programming that operates on the client side of a web connection, i.e. in the browser, has less security implication for the hosting service provider. Applets are small programmes written in the Java™ programming language that execute within a browser application. JavaScript™ is a programming language that can be interpreted by a browser to carry out simple functions to animate the page contents. Active-X allows dynamic content and controls in browsers.

3 WEB HOSTING

Figure 18: Ways to Produce Dynamic Web Content

Server-side programming:
• Common Gateway Interface (CGI)
• Active Server Page (ASP™) [Microsoft]
• PHP: Hypertext Pre-Processor (PHP)

Client-side programming:
• Java™ applets
• JavaScript™
• Active-X

3.2 Multi-user Hosting

The multi-user hosting approach is widely used by ISPs to provide homepage space to their users. Each user is given a controlled amount of storage and access bandwidth, and their Universal Resource Locator (URL) is part of the ISP domain, for example

www.myISP.com/~another

This approach is simple and low cost. It does not require domain registration or name server entries for the client. However it also presents the client as part of the ISP domain, rather than their own domain, which is unsuitable to most business clients.

Typically a very limited set of programmability is included with the service; the ISP may provide some simple CGI scripts that allow the contents of forms to be collected and e-mailed to the customer, for example. Customers will typically not be allowed to execute their own scripts or programs on the ISP web servers.

Figure 19: Multi-user Hosting
(http://www.myISP.com with per-user trees http://www.myISP.com/~jdoe and http://www.myISP.com/~another, each holding that user's own folders and pages, such as about_us, holiday_snaps, family_tree and index)

3.3 Virtual Hosting

Virtual hosting allows multiple domains to be hosted on a single web server. A number of approaches to virtual hosting are possible. In each case a visitor to the site will have the impression of a dedicated hosting solution.

3.3.1 Virtual Hardware Hosting

The virtual hardware approach assigns a unique IP address to each virtual web server. This can be done using one of the virtual machine implementations that are available for both Windows and Unix platforms. Using this approach, the physical memory, disk space and processing power in the server is apportioned between each virtual machine. It is possible to start up and shut down virtual machine web servers independently, and it is also easy to port a virtual web server between one physical platform and another, making moves, changes and hardware upgrades fairly easy to achieve.

In Figure 20, a virtual machine application has been used to provide three virtual platforms and operating systems, and each of these hosts a separate hosting application. The virtual machine software provides virtual hardware for each virtual machine, including network interface cards, and so each virtual machine is separately addressed.

Note that each virtual machine in this case has a separate name server address entry that resolves the relevant host name to its IP address.

Figure 20: Virtual Hardware Hosting
(one physical platform, e.g. Unix™ or Windows 2000™, at 192.168.1.1 runs virtual machine software providing three virtual O/S instances, each with its own address; DNS: www.wraycastle.com IN A 192.168.1.2, www.company.co.uk IN A 192.168.1.3, www.ISP.org IN A 192.168.1.4)

3.3.2 Virtual Web Server Hosting

The main web server applications support a virtual hosting model, where multiple domains can be hosted on a single instance of the web server. In this case the server will have both global configuration settings, and settings that are specific to each domain being hosted. The virtual web server approach is typically used in a service provider context, where only web server functions are required from the platform, but for large numbers of domains.

In the example in Figure 21, a single host provides all of the domain web services; however, the web server application has been configured with details of each virtual host, as shown in the figure. When the DNS is queried for the IP addresses of the virtual web servers, it returns the same IP address in each case. Note that a name server entry is required for each domain in order to resolve URL requests to the server IP address.
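How the single server in this arrangement tells the three sites apart, as an added example that is not the manual's code: every name resolves to the same address, so the server matches the HTTP/1.1 Host header against each stanza's ServerName and serves from that DocumentRoot. The stanzas are written in Apache httpd's <VirtualHost> form with the figure's document roots; the fallback to the first stanza when the Host header is missing or unknown is that server's documented behaviour and is assumed here.

```python
"""Added example, not the manual's own code: name-based virtual host selection for
the Figure 21 layout (three names, one address 192.168.1.1), plus a check that a
request path stays inside the chosen site's DocumentRoot."""
import posixpath
import re

VHOST_CONFIG = """
<VirtualHost 192.168.1.1:80>
  DocumentRoot /var/www/wraycastlecom
  ServerName www.wraycastle.com
</VirtualHost>
<VirtualHost 192.168.1.1:80>
  DocumentRoot /var/www/companycouk
  ServerName www.company.co.uk
</VirtualHost>
<VirtualHost 192.168.1.1:80>
  DocumentRoot /var/www/ISPorg
  ServerName www.ISP.org
</VirtualHost>
"""

STANZA = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(text):
    """Return the stanzas, in file order, as dicts of directive -> value."""
    vhosts = []
    for body in STANZA.findall(text):
        settings = {}
        for line in body.strip().splitlines():
            key, _, value = line.strip().partition(" ")
            if key and value:
                settings[key] = value.strip()
        vhosts.append(settings)
    return vhosts


VHOSTS = parse_vhosts(VHOST_CONFIG)


def select_vhost(vhosts, host_header):
    """Name-based selection: compare Host (port and trailing dot stripped,
    case-insensitive) with ServerName; no match or no header -> first stanza."""
    if host_header:
        name = host_header.split(":", 1)[0].rstrip(".").lower()
        for vh in vhosts:
            if vh.get("ServerName", "").lower() == name:
                return vh
    return vhosts[0]


def resolve_path(vhosts, raw_request):
    """Map a raw HTTP request to (document_root, file_path) the server would serve.

    The path is normalised inside the chosen DocumentRoot so that '..' segments
    cannot escape into another site's files on the shared host."""
    lines = raw_request.split("\r\n")
    _method, target, _version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        if not line:
            break                       # blank line ends the header block
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    vh = select_vhost(vhosts, headers.get("host"))
    clean = posixpath.normpath("/" + target.split("?", 1)[0].lstrip("/"))
    if clean == "/":
        clean = "/index.html"
    return vh["DocumentRoot"], vh["DocumentRoot"] + clean
```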

Figure 21: Virtual Web Server Hosting
(a single host at 192.168.1.1; the web server is configured with one virtual host stanza per domain, shown here in Apache httpd style)

    <VirtualHost 192.168.1.1>
      DocumentRoot /var/www/wraycastlecom
      ServerName www.wraycastle.com
      ServerAdmin [email protected]
    </VirtualHost>
    <VirtualHost 192.168.1.1>
      DocumentRoot /var/www/companycouk
      ServerName www.company.co.uk
      ServerAdmin [email protected]
    </VirtualHost>
    <VirtualHost 192.168.1.1>
      DocumentRoot /var/www/ISPorg
      ServerName www.ISP.org
      ServerAdmin [email protected]
    </VirtualHost>

DNS: www.wraycastle.com IN A 192.168.1.1; www.company.co.uk IN A 192.168.1.1; www.ISP.org IN A 192.168.1.1

3.4 Dedicated Hardware

Some organizations wish to have a dedicated physical server from which to host their web content. In these cases, the service provider typically offers a suitable physical server dedicated to the customer, along with WAN and LAN connectivity, and the name server facilities to make the device reachable.

Typically first level support for the platform from the service provider is part of this package; the service provider will repair faulty hardware or software on the basic platform. However web content and scripting is the responsibility of the customer. The customer can normally access the web server securely for remote administration.

This is a common model for small to medium-sized hosting companies. They rent physical servers and infrastructure from a large data centre operator, then resell hosting and other services on these physical platforms using a virtual hosting model to their customers.

3.5 Co-location

In the co-location model, the service provider is responsible for space, power, network connectivity and basic network services such as name servers. However the customer provides their own physical servers into the rack space provided by the data centre operator. Normally this model requires operational staff from the customer to be present at the facility to provide first level support, and so is only suitable for large data centres and large customers. This approach is more popular for scenarios other than web hosting, particularly for Internet Exchange Points and carriers wanting access to backbone transmission facilities for core Internet nodes.

Figure 22: Dedicated Hardware or Co-location Hosting
(three customer servers behind the data centre routers: www.wraycastle.com 192.168.1.1, www.company.co.uk 192.168.1.2, www.ISP.org 192.168.1.3, with 192.168.2.1 towards the Internet; DNS: www.wraycastle.com IN A 192.168.1.1, www.company.co.uk IN A 192.168.1.2, www.ISP.org IN A 192.168.1.3; whois wraycastle.com shows name server ns1.myISP.com)

Figure 23: Web Cache Operation
(web client, web cache and web server: GET www.wraycastle.com requests pass from the client to the cache and on to the server, with the page expiry period governing when the cache must fetch the page again)

4.1 Implementing Primary and Secondary DNS Servers

For a given domain, it is a requirement of registration that at least one secondary domain server is implemented, and normally two secondary domain servers are implemented for extra resilience; without an operating name server, most transactions involving the domain will fail. These servers should be physically separate, and ideally served by completely different infrastructure, to minimize the risk of a single point of failure.

The simplest configuration of public name server services has the ISP providing entries in its name servers for the customer domain.

However, in some cases, the customer may wish to operate the primary name server, and have the ISP operate secondary name servers for resilience.

In order to implement one or more secondary name servers homed to a corporate primary name server, careful configuration of all of the servers is necessary:

• the parent domain, for example the .com domain for our example, should list all of the name servers for the domain directly

• the primary name server should permit zone transfers from the named secondary servers, while normally (for security reasons) blocking all other zone transfers

• the secondary name servers should be configured with the details of the primary name server, specifically its IP address to allow transfers to take place

4 PROVIDING NAME SERVERS


4.2 DNS Caches and Forwarders

DNS caches are operated by large enterprises as well as ISPs to speed the resolution of information from the global DNS. They are not definitive for any domain, and carry out recursive DNS queries. In other words they will request a DNS resolution on behalf of their clients. DNS software normally includes a setting that allows forwarding of requests that the DNS itself cannot resolve. This type of operation is known as recursion.

The service provided by an ISP normally includes providing a DNS cache as part of the client configuration. For dial-up accounts, the IP address of the DNS cache is normally provided as part of the Dynamic Host Configuration Protocol (DHCP) when the client machine connects.

For client networks that access the Internet via an access router, this router normally operates as a DNS forwarder. Although definitions vary, it is useful to think of a forwarder as a special case of a cache that holds no cache information. Because it holds no DNS data, all requests are forwarded to the designated name server, which in this case will normally be the ISP cache, as before.

This forwarding action can be used to implement internal and external DNS for a client within the corporate network, as follows:

• requests are sent to a local name server in the business domain, which resolves requests for hosts internally

• because the corporate DNS cannot resolve Internet addresses, these are passed to the Internet DNS for resolution

Figure 25 shows this scheme for a dial-up network, where DHCP from the ISP is used to assign the public dial-up router address for the client (192.168.1.1 in this example), and a DHCP server also operates within the dial-up router to provide IP addresses to the private network clients (in this example the internal address of the DHCP server is 10.0.0.1, and it assigns addresses in the range 10.0.0.0/24). Each DHCP dialogue lists the correct DNS server, so that DNS requests from internal hosts are passed to the dial-up router, which in turn forwards them on to the ISP cache for resolution.

Figure 25: DNS Configuration through DHCP
(DHCP from the ISP NAS to the dial-up router: IP address 192.168.1.1, mask /24, gateway address 192.168.1.254, DNS server address 192.168.1.100, which is ns1.myISP.com, the ISP DNS cache; DHCP from the dial-up router to the internal clients 10.0.0.2, 10.0.0.3 and 10.0.0.4: IP address 10.0.0.X, mask /24, gateway address 10.0.0.1, DNS server address 10.0.0.1, the router's DNS forwarder, which obtains recursive resolution for the clients via the ISP DNS cache)

4.3 Partitioning Enterprise and Service Provider DNS

Any large organization will typically be operating an internal DNS, as well as making some parts of the corporate DNS visible on the public Internet. At least two Internet name servers are required for the public parts of the domain, and multiple name servers may be configured within the corporate network to provide fast and efficient name resolution between sites, or to partition the administration tasks between divisions or geographies.

This combination of public and private DNS entries requires the DNS to operate as a split DNS, for security reasons. In a split DNS architecture, the DNS is divided into two types of logical platform:

• a public name server provides resolution of the public DNS fields of the enterprise

• a private name server provides resolution from internal and trusted sources

Corruption of name server data can be a very effective method of mounting DoS and masquerading attacks against a domain. It is extremely important that internal host information is not visible from the Internet. The DNS application should be hardened in various ways beyond the basic splitting described above, but this is a more detailed topic than can be covered in this introduction to the subject.
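The split DNS policy of this section, with the forwarder rule of 4.2 and the zone transfer rule of 4.1, as one added example that is not the manual's code: public records are answered for anyone, private records only for internal sources (the Internet sees NXDOMAIN, so nothing about internal hosts leaks), recursion via the ISP cache is offered only to trusted sources, and zone transfers only to the named secondaries. The zone contents, the trusted network, the secondary's address and the ISP cache name are constructed.

```python
"""Added example, not the manual's own code: the query decision of a split DNS
(section 4.3) combined with the forwarder behaviour of 4.2 and the zone transfer
restriction of 4.1. Zone data, networks and addresses are constructed."""
import ipaddress

ZONE_APEX = "wraycastle.com"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # trusted internal resolvers (assumed)
SECONDARY_NS = {"192.168.1.100"}                      # ISP secondary allowed to transfer (assumed)
ISP_CACHE = "ns1.myISP.com"                           # recursion for trusted sources goes here

# Public view: only what the Internet needs (web server and mail exchangers).
PUBLIC_ZONE = {
    ("www.wraycastle.com", "A"): ["192.168.1.1"],
    ("wraycastle.com", "MX"): ["10 mx1.wraycastle.com", "20 mx2.myISP.com"],
    ("mx1.wraycastle.com", "A"): ["192.168.1.2"],
}
# Private view: internal hosts that must never be visible from the Internet.
PRIVATE_ZONE = {
    ("sales-db.sales.wraycastle.com", "A"): ["10.1.2.3"],
    ("build.development.wraycastle.com", "A"): ["10.2.5.6"],
}


def is_internal(source_ip):
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in INTERNAL_NETS)


def in_our_zone(name):
    return name == ZONE_APEX or name.endswith("." + ZONE_APEX)


def handle_query(source_ip, qname, qtype):
    """Return (rcode, data) for one query.

    rcode is NOERROR (data = record list), NXDOMAIN, REFUSED, or FORWARDED
    (data = the cache the query is handed to)."""
    name = qname.lower().rstrip(".")
    key = (name, qtype.upper())
    internal = is_internal(source_ip)

    # 4.1: zone transfers only to the named secondaries; refuse everyone else.
    if key[1] == "AXFR":
        if source_ip in SECONDARY_NS:
            return "NOERROR", sorted(PUBLIC_ZONE)
        return "REFUSED", None

    # Public records: authoritative answer for anyone, no recursion involved.
    if key in PUBLIC_ZONE:
        return "NOERROR", PUBLIC_ZONE[key]

    # Private records: only for internal sources. To the Internet the name simply
    # does not exist, so the existence of internal hosts is not revealed.
    if key in PRIVATE_ZONE:
        return ("NOERROR", PRIVATE_ZONE[key]) if internal else ("NXDOMAIN", None)

    # Any other name under our apex: we are authoritative, so it does not exist.
    if in_our_zone(name):
        return "NXDOMAIN", None

    # Names outside our zone: forwarded to the ISP cache for trusted sources (4.2);
    # the public server is non-recursive, so external askers are refused.
    if internal:
        return "FORWARDED", ISP_CACHE
    return "REFUSED", None
```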

Figure 26: Implementing a Split DNS
(Internet queries reach the public name server for wraycastle.com via the ISP name server (cache); the sales and development name servers for sales.wraycastle.com and development.wraycastle.com are private. Three cases are shown: an external query for an external host, an external query for an internal host, and an internal query for an internal host.)

Public Server:
• Authoritative for public zones
• Listed in parent zones as NS records
• Queried by Internet name servers
• Non-recursive

Private Server:
• Authoritative for private (internal) zones
• Queried only by internal or trusted forwarders or resolvers
• Recursive for trusted sources through ISP name server cache

5 SECTION 2 QUESTIONS

1 Explain the function of DHCP.

2 What are the advantages of DHCP over static configuration of host IP parameters?

3 The PPP protocol is widely used in dial-up Internet access because:

a it is the most efficient link layer protocol
b it includes additional protocols to support dial-up users, including link and IP configuration
c it operates end-to-end between IP hosts, whereas other link layer protocols are limited to the access network only
d it can carry multiple network layer protocols, using its NLPID field, rather than just IP

4 Local loop unbundling may be:

a physical
b logical
c neither a nor b
d both a and b

5 Explain how a sending mail server would discover the IP address of the mail server it wishes to send SMTP mail to.

6 When might a business with its own Internet domain use an ISP-hosted secondary mail server? How would the MX preference records be set in this case?

7 Dynamic content can be generated for web pages using:

a server-side programming
b client-side programming
c neither a nor b
d both a and b

8 When would an enterprise use a split DNS approach?

SECTION 3

SERVICE PROVIDER ARCHITECTURES

SECTION CONTENTS

1 Network Architectures 3.1
1.1 The Core, Distribution and Access Model 3.3
1.2 The Access Layer 3.5
1.3 The Distribution Layer 3.11
1.4 The Core Layer 3.13
1.5 Peering Points and Internet Exchanges 3.15
1.6 Intra-PoP Architecture 3.17
1.7 Core Transmission Networks 3.19

2 Routing Overview 3.21
2.1 The Role of Routing Protocols 3.21
2.2 Routing Dynamics 3.23
2.3 Routing Protocols for Service Provider Networks 3.25
2.4 The AS Architecture of IP Networks 3.27
2.5 Interior (IGP) Versus Exterior (EGP) Routing 3.27
2.6 OSPF Basic Operation 3.29
2.7 BGP4 Basic Operation 3.31

3 Routing across the Customer/Service Provider Interface 3.33
3.1 Maintaining Separation of Routing Domains 3.33
3.2 Routing for Dial-up Users 3.35
3.3 Static Routing for a Single-homed Customer 3.37
3.4 Dynamic Routing for a Multi-homed Customer 3.39

4 Design Considerations for Control, Scale and Stability 3.41
4.1 Balancing SDH, ATM and IP Restoration 3.41
4.2 Isolation of Routing Domains and Traffic Filtering 3.43
4.3 Selection of OSPF Areas 3.45
4.4 The use of Default Routes and Networks for Network Protection 3.47
4.5 Route Reflectors and BGP Confederations for Scaling iBGP 3.49
4.6 IP Traffic Management using BGP4 Techniques 3.51

5 Section 3 Questions 3.57

IP Engineering Overview

Page 152: IP Engineering Overview

8/18/2019 IP Engineering Overview

http://slidepdf.com/reader/full/ip-engineering-overview 152/294

 © wray castle limitediv

IP Engineering Overview

Page 153: IP Engineering Overview

8/18/2019 IP Engineering Overview

http://slidepdf.com/reader/full/ip-engineering-overview 153/294

 © wray castle limited

SECTION OBJECTIVES

At the end of this section you will be able to:

• explain the hierarchy of a typical IP network

• compare and contrast router and switch features at core, distribution and access layers

• explain the functions and key properties of routing protocols

• evaluate a routing design at the customer/service provider interface

• present the key mechanisms for control, scale and stability in routing design

1 NETWORK ARCHITECTURES

Before a technical architecture can be proposed or updated, it is important to answer various ‘business case’ questions, such as:

• the set of services the infrastructure must provide. For example, does the network provide dial-up access or GSM access?

• the customers the network intends to serve. For example, residential users, small business users, large global enterprises, or other service providers?

• the rollout of network and service functionality. For example a regional, national or international network, and in what sequence?

• the forecast volumes of traffic over time, and the traffic matrix

Assuming answers to these questions are available, then a range of technical architecture decisions can be made, including:

• what access platforms must be provided?

• what protocols must be supported directly or through tunnelling?

• what network services platform must be provided?

• how should peering be carried out?

• what capacity should key components be designed for?

The results of these considerations lead to a technical architecture for the network, which allows the planned set of services to be offered, at the volumes predicted and the locations planned.

Figure 1 Relating the Technical Architecture to the Business Plan: the business plan (services, customers, locations, forecast volumes, etc.) feeds the technical architecture (access platforms, service platforms, routing architecture, switching architecture, PoP architecture, peering arrangements, protocols, etc.).

1.1 The Core, Distribution and Access Model

The IP network of any medium to large ISP is structured into (typically) three logical levels of hierarchy. This approach normally achieves the best overall balance between manageability, scalability, reliability and economy.

The three levels of hierarchy are commonly known as the Core, Distribution and Access layers.

• the Core is responsible for simple, high-speed switching of transit traffic

• the Distribution Layer contains network services, and collects traffic from the access layer for the core layer

• the Access Layer connects users to the network in an efficient way

We discuss each of these layers in more detail in the next few slides.

Figure 2 The Core, Distribution and Access Architecture: Access (customer premises equipment, ADSL access, modem banks, user connections, etc.), Distribution (service platforms, local PoPs, peering, policy, aggregation) and Core (simple, high-speed switching).

1.2 The Access Layer

The access layer occurs at the edge of the network. It provides customer premises routers, where these are managed by the service provider, as well as the bearer connection to a Point of Presence (PoP). Dial-up customers are connected to the PoP through a circuit-switched connection to a Network Access Server at the PoP, while directly connected customers are attached to a customer access router.

1.2.1 Customer Premises Equipment (CPE)

A customer premises router will normally offer a suitable WAN access interface, such as ISDN, E1 or E3, or switched services such as Frame Relay or ATM. Often a serial interface based upon the X.21, V.35 or High-Speed Serial Interface (HSSI) specifications is provided, and this is fed into a service provider Channel Service Unit/Data Service Unit (CSU/DSU) or Network Termination Point (NTU), which provides a standard signal interface complying with the G.703 standard of the ITU-T.

The customer side of the CPE normally provides an ‘Ethernet’ interface at 10 or 100 Mbit/s, to which the LAN network can be attached. Units designed for small office use may have an integral 8 or 16 port ‘Ethernet’ switch, so that hosts can be directly connected.

These routers may contain various value-added components of hardware or software, including:

• firewalls

• network address translation

• DHCP servers for the LAN

• IP-VPN gateways

• packet classification, where QoS techniques have been implemented on the access circuit

Figure 3 The Access Layer: the customer premises router (‘Ethernet’ switch, DHCP server, NAT device, firewall, IP-VPN gateway, flexible WAN interfaces) connects to the customer access router (high port density, traffic policing, traffic shaping, traffic classification, packet filtering, dual power supplies, hot-swappable modules), which connects to the distribution layer.

1.2.2 Access Routers

Customer access routers must match the WAN capabilities of CPE routers, including the ability to provide traditional leased line and switched service connectivity. Normally a mid-range router with a configurable chassis is used, to give the best possible port density. Normally this device will contain dual power supplies, multiple route processor cards (to perform IP forwarding), and the ability to hot-swap components, including customer interfaces.

In addition to any routing protocol run across the service interface, the access router provides the boundary of the service provider network, and so filtering and policing actions normally take place on this unit. These may include:

• filtering of traffic on source address for security reasons

• packet classification, where QoS techniques have been implemented in the core network

• policing of traffic flows against permitted volumes, particularly where QoS techniques have been implemented on the access circuit

• filtering of routing information against a list of allowed customer networks at the site being serviced
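As an added example, not taken from the manual, the first and last of the boundary actions listed above, the source-address filter and the filter on routing information against the allowed customer networks, implemented in Python; the customer prefixes, sample packets and sample advertisements are constructed for illustration.

```python
"""Boundary filters of the kind described for a customer access router:
an ingress source-address filter and a filter on route advertisements
received from the customer.  Added example, not the manual's own code;
the customer prefixes, packets and advertisements are constructed."""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Iterable, List, Tuple

# Constructed: the networks assigned to the customer site served by this port.
CUSTOMER_PREFIXES: List[IPv4Network] = [
    ip_network("192.168.1.0/24"),
    ip_network("10.10.0.0/16"),
]


def source_permitted(src: str, allowed: Iterable[IPv4Network]) -> bool:
    """Ingress check: a packet arriving from the customer port is accepted
    only if its source address lies inside one of the customer's networks.
    Anything else is treated as spoofed and dropped at the boundary."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False                      # malformed address: never forward
    return any(addr in net for net in allowed)


def filter_packets(packets: Iterable[Tuple[str, str]],
                   allowed: Iterable[IPv4Network]):
    """Split (src, dst) packets into those forwarded and those dropped."""
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if source_permitted(src, allowed) else dropped).append((src, dst))
    return forwarded, dropped


def route_permitted(advertised: str, allowed: Iterable[IPv4Network]) -> bool:
    """Route filter: accept a prefix advertised by the customer only if it is
    one of the allowed networks or a subnet of one.  A default route, an
    aggregate covering an allowed prefix, or another customer's network
    fails this test and is not installed in the provider's routing table."""
    try:
        net = ip_network(advertised, strict=True)
    except ValueError:
        return False                      # host bits set or malformed prefix
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)


def filter_routes(advertised: Iterable[str], allowed: Iterable[IPv4Network]):
    """Split advertised prefixes into accepted and rejected lists."""
    accepted, rejected = [], []
    for prefix in advertised:
        (accepted if route_permitted(prefix, allowed) else rejected).append(prefix)
    return accepted, rejected


# Constructed sample traffic and advertisements seen on the customer port.
SAMPLE_PACKETS = [
    ("192.168.1.10", "198.51.100.7"),    # genuine customer host
    ("10.10.3.4", "198.51.100.7"),       # genuine customer host, second prefix
    ("172.16.5.5", "198.51.100.7"),      # source not assigned to this customer
    ("not-an-address", "198.51.100.7"),  # malformed source
]
SAMPLE_ROUTES = [
    "192.168.1.0/24",    # allowed as assigned
    "192.168.1.64/27",   # more specific subnet of an allowed network
    "10.10.0.0/16",      # allowed as assigned
    "0.0.0.0/0",         # default route: must never be accepted from a customer
    "10.0.0.0/8",        # aggregate covering (not inside) an allowed network
    "203.0.113.0/24",    # belongs to some other customer
    "192.168.1.5/24",    # host bits set: malformed advertisement
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE_PACKETS, CUSTOMER_PREFIXES)
    acc, rej = filter_routes(SAMPLE_ROUTES, CUSTOMER_PREFIXES)
    print("forwarded:", fwd)
    print("dropped:  ", drop)
    print("accepted: ", acc)
    print("rejected: ", rej)
```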

Figure 4 The Network Access Server: bearers with ISDN/modem terminate on a NAS offering high port density, flexible modem/ISDN termination, virtual modem banks, voice gateway functionality and SS7 control functionality, with a signalling controller/media gateway controller attached over SS7 and a connection to the distribution layer.

1.3 The Distribution Layer

The distribution layer provides aggregation of traffic from the customer access routers, as well as providing transit for traffic within the local area from a routing perspective. Traffic within the local area is normally routed between access routers by the distribution layer; traffic between areas is routed by the core layer, via the distribution layer routers.

The distribution layer is the layer at which:

• network servers are deployed

• peering with other service providers takes place

• high bandwidth access circuits are attached to the network

1.3.1 Distribution Layer Routers

Distribution layer routers typically require lower port density than an access router, since they will interconnect with banks of access routers and typically with a small number of core routers. A LAN switched network may be used to concentrate access traffic onto the distribution routers.

The distribution router may need to apply policing, traffic shaping and filtering to traffic from high-speed customer connections that enters the network at the distribution layer. The distribution router must be able to perform a range of IP processing functions effectively, including participating in the IGP protocol of the ISP, as well as achieving a high packet-forwarding rate.

Figure 5 Properties of a Distribution Router: medium port density, filtering and policing for high-speed access, dual power supplies, hot-swappable modules, powerful route processing, line-speed forwarding; traffic arrives from the access layer and leaves towards the core.

1.4 The Core Layer

The core layer acts as a high-speed transit layer for traffic flowing between the separate distribution areas of the network. The core routers must be able to forward traffic at extremely high line speeds, and must also have the memory and processing power to hold the full Internet routing tables for the ISP. Whereas lower levels of the routing architecture typically use a default route to pass traffic up to the core, the core routers must either forward each packet on a genuine route, or discard it.

The core network connecting these routers is typically a Layer 2 switching technology, either ATM or MPLS. Traditionally, separate ATM switches were used to provision full mesh connectivity between core routers; however, as MPLS is deployed into routers the need for a separate switching layer reduces, and the cost and complexity saving that this provides is attractive.

The use of Layer 2 switching makes traffic engineering much easier for the core portion of the network. By configuring multiple virtual circuits across the physical infrastructure between core router sites, it is possible to control the bandwidth available between destinations, and to adjust this to react to unusual demand or to meet medium term demand.

Figure 6 The Core Architecture: core routers interconnected by a full mesh of PVCs, with a routing adjacency running over each PVC.

1.5 Peering Points and Internet Exchanges

Peering between service providers can take place at a managed Internet eXchange Point (IXP) or on a bilateral basis between two operators. In both cases, the technical requirements include a public Autonomous System Number (ASN) and a Border Gateway Protocol (BGP4) router facing the peering point.

Some IXPs limit themselves to purely providing a switched infrastructure; others offer extra technical services, e.g. route servers, private interconnects. The majority of IXPs are located in co-location facilities, which provide basic services including power, air-conditioning, security and first level support.

1.5.1 LAN Infrastructure

The majority of IXPs have adopted a Layer 2 switched ‘Ethernet’ architecture. There are examples of other architectures such as ATM and FDDI, however these are not common.

1.5.2 Collector Router

To assist in troubleshooting peering arrangements, some IXPs provide a router with which all members peer and announce their routes. The router listens to, or ‘collects’, these announcements, but does not announce any routes itself; hence some IXPs use the term ‘collector’ router for this equipment. IXP staff and member ISPs have user accounts on this router, enabling them to have a central ‘view’ of all of the peering dialogues at the IXP, independent of the view through their own connection.

1.5.3 Private Interconnect

The concentration of ISP connections at an IXP can make it a very convenient place for one ISP to have a direct physical connection to another where their router equipment is co-located and with whom they exchange significant traffic. This is the equivalent of a bilateral peering connection, but hosted at the IXP.

1.5.4 Route Servers

Some IXPs offer a route server facility. This is typically a device that interrogates routing registries, builds a database of the entries in the registries for the member networks, and provides a routing table based on this information. An IXP member’s router may then build its routing table with just one peering session with the route server rather than taking many routing tables from all its peers. The principal aim is to reduce the processing power required in the member router connected to the IXP.

Figure 7 Architecture of an Internet Exchange Point: the ASBRs of ISP1 to ISP5 attach to the IXP switched infrastructure alongside the IXP’s own ASBR, route server and collector router; ISP1 and ISP3 peer, ISP4 and ISP5 peer, and one pair uses a private peering link hosted at the IXP.

1.6 Intra-PoP Architecture

A service provider PoP will typically contain many access routers and at least two distribution routers. In order to achieve the fan-out necessary at the PoP, and to make the LAN connections resilient, it is common to use a dual-homed switched ‘Ethernet’ to interconnect the layers of the architecture, as shown in Figure 8.

Where the distribution layer routers are co-located with core routers, the same model may be repeated.

Figure 8 Switching used within an Internet PoP: within the Point of Presence, the access layer and distribution layer routers are interconnected through two LAN switches.

1.7 Core Transmission Networks

For large Internet networks, the interconnection of the core routers has traditionally been across an ATM switched infrastructure that is dedicated to the Internet core. In this architecture the switching layer is used to provide control of the path traffic takes across the backbone, and to control bandwidth utilization. The physical layer connections are essentially point-to-point, rather than across a managed transmission network such as Synchronous Digital Hierarchy (SDH).

Traditional telecommunication operators have often built their IP services network separate from the public Internet. The traffic volumes in this case are smaller than in an Internet backbone. Also these operators often have a network strategy based upon multiservice ATM switching and a common SDH-based transmission network. As a result, they have often, at least initially, run their IP services traffic as another service across an integrated ATM layer.

As the demand for bandwidth grows in a typical IP services network, it dominates the utilization of general-purpose transmission and switching capacity, and the operator typically moves to a model of dedicated IP switching and transmission capacity in the core network.

In the future, it is likely that MPLS will replace ATM as the Layer 2 traffic engineering technology for large IP networks, running across switched wavelengths in a managed optical network.

Figure 9 Options for Core Transmission Architecture: IP over ATM core (traffic engineering over PVCs for each service, carried on SDH); IP over multiservice ATM core (IP, FR, ATM and voice services sharing one ATM layer on SDH); IP over MPLS core (MPLS traffic engineering over a managed optical switch).

2 ROUTING OVERVIEW

2.1 The Role of Routing Protocols

Packet forwarding in an IP network is carried out by checking the destination IP address of arriving packets against a routing table within the router. This routing table contains matched entries of IP network or host addresses, and the address of the next hop router which can best be used to reach the packet destination.

The entries in the routing table may be generated manually, in which case they are known as static routes. Static routes can be useful in certain circumstances, however they also have two drawbacks.

• Static routes have no resilience. If the physical connection that a static route points to becomes unavailable, it may be impossible to deliver traffic to its destination, even if alternative paths could be found.

• In all but the smallest networks, the manual configuration of static routes, and the effort involved in moves and changes, makes them unattractive.

Routing protocols are used to make IP networks more scalable and more resilient. The main role of routing protocols is to keep the routing tables accurate, even if the network state changes. Routing protocols consist of advertisements, which communicate routing information to neighbouring routers, and a routing algorithm, which processes the routing advertisements and generates routing table entries.

Figure 10 shows a simple network of three routers, and the routing table that might result once updates have been exchanged. In this example we have subnetted the 192.168.1.0/24 network to produce two /27 networks, and we have used Cisco’s Interior Gateway Routing Protocol (IGRP) to exchange advertisements and to calculate the best route to destination subnets.

The table at the bottom of Figure 10 shows the routing table entry that results in router 3. It shows that the subnet connecting routers 1 and 2 was learnt through the IGRP routing protocol, as well as indicating the interface traffic should be transmitted on to reach the subnet (Ethernet 1), and the IP address of the router interface it should be sent to (192.168.1.65).
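An added example, not part of the manual, of the forwarding decision described above: a longest-prefix-match lookup over router 3's two entries from Figure 10. A static default route (interface eth0, next hop 10.0.0.1) is constructed to show where traffic for a subnet the router has not learnt goes, and the same table without it shows the core-router case of discarding a packet that matches no genuine route.

```python
"""Longest-prefix-match forwarding against a routing table like router 3's
in Figure 10.  Added example, not the manual's own code.  The two /27 entries
are those shown in the figure; the default route, its interface eth0 and its
next hop 10.0.0.1 are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    learnt: str              # how the route was learnt: I = IGRP, C = connected, S = static
    prefix: IPv4Network      # the subnet that can be reached
    interface: str           # outbound interface
    next_hop: Optional[str]  # address of the next hop router; None if directly connected


# Router 3's entries from Figure 10, plus a constructed static default route
# of the kind the lower layers use to pass unknown destinations up to the core.
ROUTER3_TABLE: List[Route] = [
    Route("I", ip_network("192.168.1.32/27"), "eth1", "192.168.1.65"),
    Route("C", ip_network("192.168.1.64/27"), "eth1", None),
    Route("S", ip_network("0.0.0.0/0"), "eth0", "10.0.0.1"),   # constructed
]

# A core router holds genuine routes only: the same table without the default.
CORE_STYLE_TABLE: List[Route] = [r for r in ROUTER3_TABLE if r.prefix.prefixlen > 0]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific route whose prefix covers dst, or None.
    Every entry is tested and the longest matching mask wins, so a /27
    beats a /24 and both beat the default route."""
    addr = ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def forward(table: List[Route], dst: str) -> Optional[Tuple[str, str]]:
    """Forwarding decision for one destination: (interface, next hop address),
    where a directly connected destination is sent to itself.  None means
    there is no route and the packet is discarded."""
    route = lookup(table, dst)
    if route is None:
        return None
    return route.interface, route.next_hop or dst


if __name__ == "__main__":
    for dst in ("192.168.1.40", "192.168.1.70", "192.168.1.100"):
        print(dst, "->", forward(ROUTER3_TABLE, dst),
              "| core-style:", forward(CORE_STYLE_TABLE, dst))
```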

Figure 10 An Example of Routing Protocol Operation: R1, R2 and R3 in a line, with subnet 192.168.1.32/27 between R1 and R2 (addresses .33 and .34) and subnet 192.168.1.64/27 between R2 and R3 (addresses .65 and .66). Each router is configured to run the IGRP routing protocol for network 192.168.1.0:

> router igrp
> network 192.168.1.0

The resulting entry in router 3 shows the subnet that can be reached, how the route was learnt (I: IGRP; C: direct connection; S: static, i.e. manually configured; and many others), the metric measuring how ‘good’ the next hop is, the address of the next hop router and the outbound interface:

router3 > show ip route
192.168.1.0 is subnetted, 2 subnets
I 192.168.1.32 [metric] via 192.168.1.65 eth 1
C 192.168.1.64 is directly connected, eth 1

2.2 Routing Dynamics

The structure of a network, i.e. its nodes and links, is known as the network topology. When the topology of the network changes, routing updates are sent from the affected router to its neighbouring routers. When a router receives a routing update that indicates a change in the network topology, the router must recalculate the routing table entries using its routing algorithm. These updates and recalculations quickly propagate to all of the routers in the routing domain.

The routing algorithm is designed to generate optimum routes to any given destination, based upon the routing protocol metric provided in routing advertisements. Different protocols use different metrics, but examples of metrics commonly used include the number of router hops, the bandwidth of a link and the delay across a link.

The time taken to calculate these new routing table entries, and for these to propagate between all of the routers, is called the convergence time of the routing protocol. Early routing protocols either took a long time to converge as the network size grew, or generated a lot of unnecessary routing traffic. Modern routing protocols such as Open Shortest Path First (OSPF) and Intermediate System to Intermediate System (IS-IS) are more complex to configure than these earlier, simpler protocols, but also perform much more effectively in large networks.
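An added example, not the manual's own code, of the recalculation described here for the three-router network of Figure 11: each router holds the same link-state database and runs a shortest-path-first calculation over it, before and after the R1 to R2 link fails, and a trace across all three routers' tables confirms the reconverged next hops form a loop-free path. The link costs of 10 are constructed.

```python
"""Link-state routing dynamics for the three-router network of Figure 11.
Added example, not the manual's own code: each router holds a copy of the
link-state database (LSDB), runs a shortest-path-first calculation over it,
and recalculates when the R1 to R2 interface fails.  Link costs are
constructed; the topology and the failure are those of the figure."""
import heapq
from itertools import count
from typing import Dict, List, Optional, Tuple

Lsdb = Dict[str, Dict[str, int]]        # router -> {neighbour: link cost}
Table = Dict[str, Tuple[int, str]]      # destination -> (cost, next hop)

# Constructed: a full mesh of equal-cost links, as in the initial topology.
INITIAL_LINKS = [("R1", "R2", 10), ("R1", "R3", 10), ("R2", "R3", 10)]


def build_lsdb(links: List[Tuple[str, str, int]]) -> Lsdb:
    """Build the identical LSDB every router ends up with after flooding."""
    lsdb: Lsdb = {}
    for a, b, cost in links:
        lsdb.setdefault(a, {})[b] = cost
        lsdb.setdefault(b, {})[a] = cost
    return lsdb


def link_down(lsdb: Lsdb, a: str, b: str) -> Lsdb:
    """The update flooded when a router discovers its interface has failed:
    a new LSDB with the a-b link withdrawn in both directions."""
    new = {router: dict(nbrs) for router, nbrs in lsdb.items()}
    new[a].pop(b, None)
    new[b].pop(a, None)
    return new


def spf(lsdb: Lsdb, root: str) -> Table:
    """Dijkstra's shortest path first from root.  Each reachable destination
    maps to (total cost, first hop), where the first hop is the neighbour of
    root on the least-cost path; that pair is the routing table entry."""
    seq = count()                       # tie-breaker so the heap never compares hops
    best: Dict[str, int] = {root: 0}
    table: Table = {}
    heap = [(0, next(seq), root, None)]
    done = set()
    while heap:
        cost, _, node, first_hop = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        if first_hop is not None:
            table[node] = (cost, first_hop)
        for nbr, link_cost in lsdb.get(node, {}).items():
            new_cost = cost + link_cost
            if nbr not in done and new_cost < best.get(nbr, float("inf")):
                best[nbr] = new_cost
                heapq.heappush(heap, (new_cost, next(seq), nbr,
                                      nbr if node == root else first_hop))
    return table


def converged_tables(lsdb: Lsdb) -> Dict[str, Table]:
    """Every router recalculates from the same LSDB: the converged state."""
    return {router: spf(lsdb, router) for router in lsdb}


def trace(tables: Dict[str, Table], src: str, dst: str,
          max_hops: int = 16) -> Optional[List[str]]:
    """Follow next hops router by router.  Returns the path, or None if a
    router has no entry (black hole) or the hop count shows a loop."""
    path = [src]
    while path[-1] != dst:
        entry = tables[path[-1]].get(dst)
        if entry is None or len(path) > max_hops:
            return None
        path.append(entry[1])
    return path


if __name__ == "__main__":
    before = converged_tables(build_lsdb(INITIAL_LINKS))
    after = converged_tables(link_down(build_lsdb(INITIAL_LINKS), "R1", "R2"))
    print("R1 before:", before["R1"])    # R2 and R3 both directly connected
    print("R1 after: ", after["R1"])     # R2 now reachable via R3
    print("R1 -> R2 path after failure:", trace(after, "R1", "R2"))
```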

Figure 11 The Dynamics of Routing Protocols: in the initial topology R1, R2 and R3 are fully meshed. The interface between R1 and R2 fails, R2 discovers that the interface has failed, routing updates are sent and the topology is recalculated in each router, and the new topology becomes stable. The entries for R2 and R3 change from ‘<R2> directly connected, <R3> directly connected’ to ‘<R2> reachable via <R3>, <R3> directly connected’. The convergence time runs from the interface failure to the new stable topology.

2.3 Routing Protocols for Service Provider Networks

Routing protocols operating within a large service provider network must be scalable, efficient and stable, even if attached networks are themselves unstable. Compared with the early routing protocols such as RIP, protocols such as OSPF and IS-IS have several desirable properties:

• they only transmit changes, rather than the complete routing table, making them more efficient in their use of network bandwidth

• they can separate a routing domain into smaller areas, which allows them to scale to extremely large networks

• they support Variable Length Subnet Masks (VLSM), which allows flexible use of the address space, and Classless Interdomain Routing (CIDR)

• they avoid routing loops, including indirect routing loops, which early protocols could not achieve

• they converge very quickly, compared to the convergence time of older routing protocols

• they allow load sharing across parallel links, rather than simply selecting the single best link between two points

Figure 12 Requirements for Service Provider Routing Protocols: only transmit changes; routing domain hierarchy; protocol supports VLSM and CIDR; protect against routing loops; fast convergence; algorithm supports load sharing.

2.4 The AS Architecture of IP Networks

The global Internet is a highly connected set of networks, each under separate administrative control. For this reason, networks operate one or more interior routing protocols (within their own network), and an exterior routing protocol across points where they interconnect with other IP networks. These interior protocols are known as Interior Gateway Protocols (IGP), and we will explore the operation of Open Shortest Path First (OSPF). The exterior routing protocols are known as Exterior Gateway Protocols (EGP), and we will explore the operation of Border Gateway Protocol version 4 (BGP4).

Each IP network that is connected to the Internet and under a single administrative control is known as an Autonomous System (AS).

2.5 Interior (IGP) Versus Exterior (EGP) Routing

The roles of interior and exterior routing protocols are very different, although each is concerned with allowing routers to forward packets towards their destination.

An IGP protocol provides full and free exchange of topology information between participating routers. There is normally no commercial or other reason to restrict this flow of information, and by allowing all routers to see the internal structure of the network they are part of, they can best optimize their routing tables.

An EGP protocol provides reachability information from the routers in one AS to the routers in other ASs. They do not specifically provide information on the internal structure of their own network; they simply inform their neighbours in other networks that particular destinations are reachable through them. This protects the commercially sensitive structure of the service provider network, while still allowing traffic to be effectively forwarded to its destination.

This approach also more easily allows routing policies between ASs to be imposed through the EGP protocol routing updates.

Figure 13 Interior versus Exterior Routing: customer 1 (192.168.1.0) is attached to service provider 1 (AS1234) and customer 2 (10.0.0.0) to service provider 2 (AS5678). Within each provider the IGP protocol performs full topology exchange, while the EGP protocol between the providers announces only ‘network 192.168.1.0 is reachable through AS1234’ and ‘network 10.0.0.0 is reachable through AS5678’.

2.6 OSPF Basic Operation

The structure of OSPF is hierarchical and is detailed in Figure 14. The Autonomous System (AS) is split into areas that are in turn linked together by a backbone area. Within an area, each router builds an identical link state database, by sending and receiving Link State Advertisements (LSA) to all of the participating routers within the area.

If routers are on a shared medium or Non-Broadcast Multiple Access (NBMA) network, they hold elections in which a Designated Router (DR) and a Backup Designated Router (BDR) are identified to represent the area, in which case each DR is responsible for building the link state database for its respective area. Otherwise, each router builds this link state database independently. Area Border Routers (ABR) connect each area to the backbone area. The ABRs may either forward all LSAs from their area to the backbone routers, or more usually summarize this information.

In an OSPF network, traffic between destinations within an area must be routed entirely within the area. This is known as intra-area routing. Traffic between destinations in different areas must be carried across the backbone area, area 0. This approach imposes a strict hierarchy in the routing of traffic. Although this may be less than optimal in any particular case, it makes the design of the overall network, the control of traffic flows, and the isolation of problems much simpler than would be the case if this hierarchy were not imposed. Perhaps most importantly, it protects the areas from bad topology information in another area, and so allows the scope of such problems to be constrained.

Figure 14 OSPF Basic Operation: backbone routers in area 0, area border routers linking areas 1 to 4 to the backbone, and area routers within each area exchanging LSAs.

2.7 BGP4 Basic Operation

Border Gateway Protocol version 4 (BGP4) is the main routing protocol that operatesbetween ASs. It communicates the reachability of networks it is aware of, as well asthe AS path necessary to reach them. Much of the emphasis in BGP operation is incontrolling how traffic is routed across peering points; BGP provides various settingsthat can be used to impose a policy on interconnect points.

BGP can operate in two modes: External BGP (eBGP) operates between a pair ofAutonomous System Border Routers (ASBR), and so runs across external links andInternal BGP (iBGP) operates between ASBRs within an autonomous system, and so

runs across internal links.

The BGP routers must also participate in the autonomous system IGP, since trafficdestined for the ASBRs must be routed across the internal network. BGP routingtables include a next-hop entry which is the address of the correct ASBR; howeverthere will be intervening routers in most cases that must also route these packets.

Routes learnt from BGP can be added to the IGP routing tables, and routes learnt from the IGP can be added to the BGP routing tables. In practice both directions are done selectively: section 4.4 explains why a service provider injects a default route into its IGP rather than the full set of externally learnt routes.


Figure 15  BGP4 Basic Operation
(figure: two autonomous systems, AS1234 containing network 192.168.1.0 and AS5678 containing network 10.0.0.0; within each AS the IGP performs a full topology exchange and iBGP runs between the border routers; eBGP between the two ASs carries 'network 192.168.1.0 is reachable through AS1234' and 'network 10.0.0.0 is reachable through AS5678', which iBGP then distributes to the other border routers of each AS)


3 ROUTING ACROSS THE CUSTOMER/SERVICE PROVIDER INTERFACE

3.1 Maintaining Separation of Routing Domains

Routing protocols are designed to quickly propagate changes in the topology of one part of the network to all routers in the network. While this is generally a good way to maintain optimal routing within a network, it can cause problems across the boundary between a service provider network and a customer network:

• it is important that changes in the customer network do not affect the routing within the service provider network

• it is important that internal changes within the service provider network do not affect the customer network

• it is particularly important that service providers are protected from any routing instability that might occur in a customer network; if allowed to enter the service provider network, this could make other customer networks unreachable, and services unavailable

The guiding principle in connecting customers to the service provider network is to maintain good separation of the routing domains. How easy this is to achieve depends upon the routing relationship between the two networks. The boundary is also a trust boundary: whatever the customer announces will be believed by the provider unless it is checked, which is why the filtering described in section 4.2.3 goes with any dynamic routing relationship.

Part of providing an IP service in many cases is:

• the propagation of customer routes into the public network, so that public network traffic can reach the corporate network

• the propagation (in some sense) of Internet routes into the private network, so that traffic destined for the public network is sent to the service provider


Figure 16  Maintaining Separation at the Customer/Service Provider Interface
(figure: customer network 192.168.1.0 in its own routing domain; the service provider, AS1234, announces 'Network 192.168.1.0 is reachable through AS1234' towards the Internet, and 'The Internet is reachable over this link' towards the customer, so that neither routing domain sees the internal topology of the other)


3.2 Routing for Dial-up Users

Dial-up users normally do not have a static IP address. Instead they are assigned an IP address dynamically from a pool of addresses held at a Network Access Server (NAS) operated by their ISP. (The text and Figure 17 describe the pool as a Dynamic Host Configuration Protocol (DHCP) server; for PPP dial-up the address is in fact handed out during PPP's IPCP negotiation, but the routing consequences are the same.)

In this case, there are no customer routes to propagate, since the customer either operates a single host, or uses Network Address Translation to map multiple private IP addresses onto the address assigned dynamically by their ISP.

The ISP normally injects a static route for the subnet containing the address pool into its IGP, and the pool is announced to the public Internet as part of the ISP's own address space. This allows traffic from the public network to be delivered to the correct NAS. The NAS then directs this traffic to the NAS port on which the customer is attached.¹

The example in Figure 17 shows a dial-up user receiving an address from the NAS address pool (192.168.1.2). A default route has been set up (represented by the all-zeros network address), so that all non-local traffic is sent to the ISP. The ISP in turn routes this traffic on to its destination. In the reverse direction, the ISP has advertised the NAS address pool into its IGP and from there out into the wider Internet via BGP at its peering points.

The situation is more complicated if the user has a fixed IP address. In this case, the correct address can be assigned on a repeatable basis to this user by including extra information in their RADIUS or TACACS profile, which is invoked when the user connects to their ISP. A static route to this address is also announced from the NAS into the service provider IGP. If the fixed-address dial-up user is also mobile, a route can be dynamically loaded into the NAS as part of the RADIUS profile; however, this level of complexity is seldom justified or implemented.

¹ Interestingly, several specialized service providers now offer Dynamic Domain Name Service (DDNS) to the public. This allows users with a dynamically assigned public address to have it captured and entered into the DNS system while they are logged into the network.


Figure 17  Routing for Dial-up Users
(figure: a dial-up user is assigned 192.168.1.2 (for example) from the NAS address pool 192.168.1.0/24, with the NAS at 192.168.1.254; the user's default route '0.0.0.0 via me' sends all Internet traffic to the NAS, and the NAS announces '192.168.1.0/24 via me' towards the Internet)


3.3 Static Routing for a Single-homed Customer

A single-homed customer is a customer with a single service provider. We will assume the customer site is permanently connected, and operating a private IP network that has some public address space. Because the customer has their own public IP addresses, the service provider must advertise the customer routes across the public Internet.

A static routing approach can still work in this case, and thereby avoid the need to operate a routing protocol across the customer/service provider interface. This could be achieved by configuring the customer network addresses as static routes within the provider's access router facing the customer, so that these propagate in a stable way into the service provider IGP and beyond. In a similar way a default route to the ISP can be configured in the Customer Premises Equipment (CPE) router, which then propagates through the customer network via the customer's own IGP.

A strong advantage of this approach is that it avoids completely any dynamic routing updates across the service boundary, and so protects each network from instability in the other. One disadvantage is that it requires reconfiguration of the service provider router when the customer makes a change to the addressing in their network.

If a client has multiple sites, but still uses a single service provider, this same approach can be extended, with the access router for each site announcing the subnets at that site based upon static route entries.

If a single-homed client has a large private network, it may be better to operate a dynamic routing protocol across the service interface, to minimize the overhead of maintaining static routes for the client network. In this case, the same approach as that used for multi-homed clients can be followed (see Figure 19).


Figure 18  Routing for Single-homed Customers
(figure: customer network 192.168.1.0/24 in the customer routing domain; the provider's access router announces '192.168.1.0/24 via me' into the service provider IGP and on towards the Internet, while the CPE router announces the default route '0.0.0.0 via me' into the customer IGP)


3.4 Dynamic Routing for a Multi-homed Customer

A multi-homed customer is a customer that uses more than one service provider for Internet access. We assume the customer has a substantial network of public IP addresses that must be announced to the public network.

Customers may choose to be multi-homed for resilience, for commercial reasons, or may simply be multi-homed for historical reasons.

Static routing is typically not a good approach for multi-homed clients. Although in principle traffic from the customer sites and the Internet will choose the nearest exit service provider, this approach provides no techniques for tuning the flow of traffic, and troubleshooting is difficult.

Typically eBGP is used in these circumstances, since it maintains isolation of the routing domains, while still providing reachability information. If the customer does not have an AS number for the private network, one may be assigned from the private AS space by the service provider. Normal eBGP peering then takes place between the customer AS and the various service providers' ASs, through their respective Autonomous System Border Routers (ASBRs).

The service providers can now apply BGP policies to the routes learnt from the customer, before importing these into their own IGP. These routes are then propagated across the public network via eBGP peering with other service providers and, where a private AS number was used, it is stripped before announcement so that the routes appear to originate from the ISP's own AS.

The customer may also apply filtering and policy settings to the routes learnt from each ISP through the eBGP peering sessions. This would allow traffic meeting certain criteria to be directed towards a chosen ISP or exit point, for example. The customer must in turn import the routes learnt from eBGP into their IGP, so that these routes are available to their internal routers.

This approach adds significant complexity to the internal customer network over the single-homed case, where default routes can be used.


Figure 19  Routing for Multi-homed Customers
(figure: a customer network connected to ISP1 and ISP2 through pairs of ASBRs; customer routes are sent to each ISP via eBGP and imported into each service provider IGP; Internet routes come back from each ISP via eBGP and are imported into the customer IGP)


4 DESIGN CONSIDERATIONS FOR CONTROL, SCALE AND STABILITY

4.1 Balancing SDH, ATM and IP Restoration

A typical IP service provider network carries IP traffic across some switched Layer 2 technology (often ATM), and this in turn may operate over a resilient physical layer, such as Synchronous Digital Hierarchy (SDH) or a managed optical network.

The responsiveness of these technologies varies greatly:

• SDH restoration across pre-provisioned links takes 50–100 ms

• ATM restoration using backup PVCs or soft PVCs takes 100–1000 ms

• IP restoration using routing updates and reconvergence takes from 1 second to perhaps 30 seconds

Given this spread of responsiveness, it is important that hold-off timers are used to prevent the various restoration schemes working against each other. Otherwise, a fault at the SDH layer might trigger restoration at the SDH, ATM and IP layers simultaneously, and these might work against each other in the overall restoration of traffic. The rule is that each layer's hold-off must be longer than the time the layers below it need to complete their own restoration, so that a higher layer only acts on faults the lower layers cannot repair.
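The following is an added example, not part of the manual, that works through the hold-off rule above in Python. It takes the top of each restoration range quoted in the text (SDH 100 ms, ATM 1 s, IP 30 s), derives a hold-off for each layer as the time the layers beneath it need to finish plus an assumed 50 ms margin, and then replays a single fault through the stack with and without those hold-offs. The layer names, the margin and the 'protected' flag (a layer with no backup path for this fault) are assumptions made for the example.

```python
"""Added example: hold-off timers so SDH, ATM and IP restoration do not fight each other."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Layer:
    name: str
    restore_ms: int            # worst-case restoration time for this layer (from the text)
    holdoff_ms: int = 0        # wait before this layer reacts to a fault it sees from below
    protected: bool = True     # False if this layer has no backup path for the fault (assumed flag)


# Bottom layer first; times are the top of each range quoted in the text.
STACK = (Layer("SDH", 100), Layer("ATM", 1000), Layer("IP", 30_000))


def recommended_holdoffs(layers, margin_ms=50):
    """Hold-off for each layer = time the layers below it need to finish, plus a margin.
    The bottom layer gets none: it should always be first to act."""
    holdoffs, elapsed = {}, 0
    for layer in layers:
        holdoffs[layer.name] = elapsed
        elapsed += layer.restore_ms + margin_ms
    return holdoffs


def configure(layers, holdoffs, unprotected=()):
    """Return the stack with hold-offs applied and some layers marked as unable to restore."""
    return tuple(replace(l, holdoff_ms=holdoffs.get(l.name, 0), protected=l.name not in unprotected)
                 for l in layers)


def restoration_sequence(layers, fault_at_ms=0):
    """Replay one physical fault. Each layer starts its own restoration when its hold-off
    expires, unless a lower layer has already restored traffic by then.
    Returns (names of the layers that acted, time at which traffic was first restored)."""
    acted, repaired_at = [], None
    for layer in layers:
        if not layer.protected:
            continue
        fires_at = fault_at_ms + layer.holdoff_ms
        if repaired_at is not None and repaired_at <= fires_at:
            continue                           # a lower layer got there first: stay quiet
        acted.append(layer.name)               # this layer re-routes as well: churn above it
        restored = fires_at + layer.restore_ms
        repaired_at = restored if repaired_at is None else min(repaired_at, restored)
    return acted, repaired_at


if __name__ == "__main__":
    plan = recommended_holdoffs(STACK)
    print("recommended hold-offs (ms):", plan)                                   # SDH 0, ATM 150, IP 1200
    print("no hold-offs:   ", restoration_sequence(STACK))                       # all three layers act
    print("with hold-offs: ", restoration_sequence(configure(STACK, plan)))            # only SDH
    print("SDH unprotected:", restoration_sequence(configure(STACK, plan, {"SDH"})))   # only ATM
```

With no hold-offs all three layers react to the same fault, and the ATM and IP reconvergence continues long after SDH has already restored the path. With the derived hold-offs only the lowest layer that can repair the fault acts, which is the behaviour the text asks for.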


Figure 20  Comparing Restoration Times
(figure: an IP over ATM over SDH stack at each end of a link; IP restoration time 1 s to 30 s, ATM restoration time 100 ms to 1 s, SDH restoration time 50 to 100 ms)


4.2 Isolation of Routing Domains and Traffic Filtering

The filtering of routing updates at both the customer/provider boundary and the boundary between service providers is a key technique in protecting the stability of the service provider network. Various filtering scenarios are discussed below.

4.2.1 BGP Damping

When routes within the Internet are unstable, that instability can propagate through the Internet and remain for some time. Most BGP implementations include a form of damping to contain this effect as close to the source as possible. Typically a route which has changed several times in quick succession is removed from the BGP routing tables of the receiving AS, and not reinstated until the penalty it has accumulated has decayed below a reuse threshold. Although this prevents traffic from being routed to the destination while the route is suppressed, it maintains stability in the receiving network, and penalises networks that allow route flapping to occur.
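An added example, not from the manual, of the damping behaviour just described, in Python. It uses the exponential-decay penalty model of RFC 2439 with parameters that are assumptions for the example (1000 penalty per flap, 15 minute half-life, suppress limit 2000, reuse limit 750; these are the defaults many router implementations ship with, but RFC 2439 leaves them to the implementation). It shows a prefix that flaps three times in two minutes being suppressed and then released once its penalty has decayed, and a prefix that changes once every 30 minutes never being suppressed. The flap timings are constructed.

```python
"""Added example: BGP route flap damping with an exponentially decaying penalty."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class DampingPolicy:
    # Assumed values; they are the defaults many router implementations use.
    penalty_per_flap: float = 1000.0
    half_life_s: float = 15 * 60
    suppress_limit: float = 2000.0
    reuse_limit: float = 750.0


class DampedPrefix:
    """Per-prefix damping state as kept by the AS that receives the unstable route."""

    def __init__(self, prefix, policy=DampingPolicy()):
        self.prefix = prefix
        self.policy = policy
        self.penalty = 0.0
        self.suppressed = False
        self.last_seen = 0.0

    def _decay_to(self, now):
        # The penalty halves every half-life; decay is applied lazily, on each event.
        self.penalty *= 0.5 ** ((now - self.last_seen) / self.policy.half_life_s)
        self.last_seen = now

    def flap(self, now):
        """Record one flap (a withdrawal) at time `now`; return True if the route is still usable."""
        self._decay_to(now)
        self.penalty += self.policy.penalty_per_flap
        if self.penalty >= self.policy.suppress_limit:
            self.suppressed = True          # removed from the BGP table of the receiving AS
        return not self.suppressed

    def usable(self, now):
        """Is the route in the table at `now`? It is reinstated once the penalty is below the reuse limit."""
        self._decay_to(now)
        if self.suppressed and self.penalty < self.policy.reuse_limit:
            self.suppressed = False
        return not self.suppressed

    def seconds_until_reuse(self, now):
        """How long the destination stays unreachable through this route, counted from `now`."""
        self._decay_to(now)
        if not self.suppressed or self.penalty <= self.policy.reuse_limit:
            return 0.0
        return self.policy.half_life_s * math.log2(self.penalty / self.policy.reuse_limit)


def replay(flap_times, policy=DampingPolicy()):
    """Feed a constructed sequence of flap times (seconds); return (usable after each flap, final penalty)."""
    state = DampedPrefix("example", policy)
    return [state.flap(t) for t in flap_times], state.penalty


if __name__ == "__main__":
    print("three flaps in two minutes:", replay([0, 60, 120]))        # third flap suppresses the route
    print("one flap every 30 minutes: ", replay([0, 1800, 3600]))     # never reaches the suppress limit
    s = DampedPrefix("10.0.0.0/8")
    for t in (0, 60, 120):
        s.flap(t)
    print("unreachable for about %.0f s" % s.seconds_until_reuse(120))  # roughly 29 minutes
```

The cost of damping is visible in the last line: after the third flap the prefix stays out of the table for close to half an hour even if it is perfectly stable from then on, which is the penalty the text refers to.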

4.2.2 Filtering at Peering Points

Filtering of BGP updates across peering points is one of the key methods of controlling the networks transited by specific traffic. By filtering out BGP routes whose AS path contains specific ASs, or by removing entries for specific networks, the transit behaviour of traffic can be influenced.

4.2.3 Filtering at the Customer Interface

Where eBGP is used to connect a multi-homed client, it is necessary to apply filters to the routing updates. If this is not done, the service provider may inadvertently allow transit through the customer AS: routes the customer has learnt from its other provider would be accepted, and the customer's links would be used as a path between the two providers. The normal approach is to permit only the agreed network addresses, carrying an AS path that originates in the customer AS, to be announced into the service provider IGP across the customer/service provider interface, and to deny everything else (Figure 21).
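An added example, not taken from the manual, of the inbound check described above, written in Python. It encodes the policy of Figure 21 ('allow 192.168.1.0 with AS_PATH 65100, deny all') as two tests: the AS path must consist only of the customer's AS (the customer prepending its own number is fine, anything else means it is offering transit for routes learnt elsewhere), and the prefix must be one of the agreed blocks, exactly as agreed by default or up to an agreed maximum length when a limit is given. The customer AS 65100 and the prefix come from the figure; the sample announcements and the Route, PrefixRule and CustomerInboundFilter names are constructed for the example.

```python
"""Added example: inbound route filter at the customer/service provider eBGP session."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str                 # as announced, e.g. "192.168.1.0/24"
    as_path: Tuple[int, ...]    # leftmost = AS that sent it to us, rightmost = origin AS


@dataclass(frozen=True)
class PrefixRule:
    network: str                # an agreed block
    le: Optional[int] = None    # also accept more specifics up to this length (prefix-list style 'le')


class CustomerInboundFilter:
    """'allow <agreed prefixes> AS_PATH <customer AS>, deny all', as in Figure 21."""

    def __init__(self, customer_asn, rules):
        self.customer_asn = customer_asn
        self.rules = [(ipaddress.ip_network(r.network), r.le) for r in rules]

    def decide(self, route):
        """Return (accept, reason) for one received announcement."""
        try:
            net = ipaddress.ip_network(route.prefix, strict=True)
        except ValueError:
            return False, "malformed prefix"
        # AS_PATH: must come from the customer and contain nothing but the customer.
        # Extra copies of the customer ASN are just prepending; any other ASN means the
        # customer is re-advertising routes it learnt elsewhere, i.e. offering transit.
        if not route.as_path or route.as_path[0] != self.customer_asn:
            return False, "not announced by the customer AS"
        if any(asn != self.customer_asn for asn in route.as_path):
            return False, "transit path through the customer AS"
        # Prefix: only the agreed blocks, and no more specific than agreed (or than 'le').
        for agreed, le in self.rules:
            if net.version == agreed.version and net.subnet_of(agreed):
                limit = le if le is not None else agreed.prefixlen
                if net.prefixlen <= limit:
                    return True, "agreed prefix"
                return False, "more specific than agreed"
        return False, "prefix not agreed with this customer"

    def accepted(self, routes):
        """The routes that may be imported towards the provider's IGP."""
        return [r for r in routes if self.decide(r)[0]]


# Constructed announcements, as the provider might receive them from AS65100.
SAMPLE_ROUTES = [
    Route("192.168.1.0/24", (65100,)),            # the agreed block
    Route("192.168.1.0/24", (65100, 65100)),      # agreed block, customer prepends itself
    Route("10.0.0.0/8", (65100, 64601)),          # learnt from the customer's other ISP: transit
    Route("192.168.1.128/25", (65100,)),          # more specific than agreed
    Route("172.16.0.0/16", (65100,)),             # not the customer's block at all
    Route("192.168.1.1/24", (65100,)),            # host bits set: malformed
]

if __name__ == "__main__":
    flt = CustomerInboundFilter(65100, [PrefixRule("192.168.1.0/24")])
    for r in SAMPLE_ROUTES:
        print(r.prefix, r.as_path, "->", flt.decide(r))
```

Only the first two sample routes pass. The transit case is the one the text warns about: 10.0.0.0/8 arrives with a valid customer AS in front, and only the rest of the path reveals that it was learnt from another provider.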


Figure 21  Route Filtering in BGP4
(figure: customer AS65100 announces 192.168.1.0 to myISP over eBGP, with inbound and outbound filtering applied at each eBGP session; a route flap on 10.0.0.1 (for example) causes that entry to be removed from the BGP routing table; the customer-facing filter 'allow 192.168.1.0 AS_PATH 65100' followed by 'deny all' blocks transit through the customer)


4.3 Selection of OSPF Areas

The OSPF routing model of a single backbone area and multiple distribution areas interconnected through it fits well with the Internet model of network hierarchy based around core, distribution and access layers.

A typical design might construct OSPF area 0 from the set of core routers, with the distribution and access layers partitioned into a further set of areas based upon the traffic matrix. The OSPF routing paradigm then treats traffic according to whether it is within or between areas. Intra-area (typically intra-region) traffic is routed entirely within the area, without passing over the backbone area. Inter-area (typically inter-regional) traffic is always passed across the backbone area.

To keep the processing load manageable on the area routers, most vendors recommend an upper limit of 50–100 routers within an OSPF area.


Figure 22  Designing OSPF Areas
(figure: core routers form Area 0; distribution and access routers are partitioned into Areas 1, 2 and 3; intra-area traffic stays within its area, while inter-area traffic transits Area 0)


4.4 The Use of Default Routes and Networks for Network Protection

Current Internet routing tables, even with the introduction of CIDR and a more hierarchical allocation of address space, at the time of writing exceed 140,000 entries and continue to grow. A routing table of this size would be impossible to manage at the lower network levels. Also, if these externally learnt routes were allowed explicitly into the IGP, any instability in them would propagate into the IGP as well.

A better approach is to inject a default route from the various backbone transit routers into the IGP. This then propagates down to the lower-level routers via the IGP, so that traffic they cannot route directly is passed to the transit routers automatically. In this case, the normal IGP metrics will select the lowest-cost transit router, based upon the cost between the access router and the transits (rather than the total cost to egress from the ISP network). These transit routers must also be iBGP peers with the ASBR routers, otherwise they will not be able to select the best route for egress from the ISP network.


Figure 23  The Use of Default Routes in Service Provider Networks
(figure: myISP's ASBRs peer by eBGP with ASxxxx and ASyyyy, and by iBGP with the core routers; the core transit routers each inject '0.0.0.0 via me' into the service provider IGP, from where the default route reaches the distribution routers)


4.5 Route Reflectors and BGP Confederations for Scaling iBGP

4.5.1 Route Reflectors

The operation of iBGP can place considerable strain on routers participating in BGP peering. The basic operation of iBGP prevents a router from passing on routes learnt from one iBGP peer to another, so normally a full mesh of iBGP sessions is required. The use of BGP Route Reflectors converts this topology from a full mesh to a hub-and-spoke topology, where each iBGP router peers with a central iBGP peer; as a result the number of peering sessions is greatly reduced.

Route reflectors consider the routers that peer with them as clients, although the clients themselves need no special configuration. Even a simple topology with all iBGP handled through a route reflector should have logical and physical redundancy incorporated into the design, as shown in Figure 24.

4.5.2 Confederations

A BGP confederation is an alternative approach to scaling the iBGP process. In this case, the original AS is divided into sub-ASs, and each is typically allocated a private AS number.

Within each sub-AS, iBGP is used in a full mesh topology. Between the sub-ASs, eBGP is used, and the private AS numbers are used in these sessions. Peering between the confederation and other public ASs is via eBGP, using the (public) confederation AS number.

Both route reflectors and confederations are methods of scaling iBGP. Confederations can also be used when networks are combined or consolidated into a larger AS. Neither approach need affect the external appearance or peering behaviour of the network.


Figure 24  Route Reflectors and Confederations
(figure: left, AS1234 with the iBGP sessions from all client routers terminating on a redundant pair of BGP route reflectors, and eBGP at the edge; right, AS1234 as a confederation of sub-ASs AS65100 and AS65101, with iBGP inside each sub-AS, eBGP between the sub-ASs, and eBGP to the outside world using AS1234)


4.6 IP Traffic Management using BGP4 Techniques

BGP has several techniques to allow the flow of traffic towards and across an eBGP peering point to be modified. The sequence of ASs through which a route has passed is carried in its AS_PATH attribute, and so most tuning of traffic flows using BGP involves altering the path attributes exchanged between ASs. Path attributes can be modified before being sent, or after receipt. There are three common techniques. The first is AS path filtering: by not re-advertising routes whose AS path contains particular AS numbers (or routes learnt from particular peers), an AS avoids offering transit for that traffic between its neighbours. The other two, path pre-pending and specific route injection, are discussed overleaf.


Figure 25  BGP Traffic Engineering Techniques
(figure: AS1 originates 192.168.1.0/24 and peers with AS2 and AS4; AS2 receives it with AS_PATH 1, AS3 with AS_PATH 2 1, and AS4 receives both AS_PATH 3 2 1 from AS3 and AS_PATH 1 directly from AS1, re-announcing AS_PATH 4 1 to the Internet; all traffic from AS4 and beyond therefore takes the direct link to AS1)


4.6.1 Path Pre-pending

By pre-pending its own AS number one or more extra times to the AS path of particular networks, an ISP makes that path look longer to the ISPs receiving the announcement, and so biases them against sending traffic for those networks via this peering point. This approach can modify the flow of ingress traffic at this peering point, but it is only a hint: a neighbour that prefers the route for other reasons (a local preference set by policy, for example) will ignore the longer path, and widespread use can make Internet routing very sub-optimal.


Figure 25 (continued)  BGP Traffic Engineering Techniques
(figure: path pre-pending; AS1 announces 192.168.1.0/24 to AS4 with AS_PATH 1 1 1 and to AS2 with AS_PATH 1; AS4 now sees AS_PATH 3 2 1 via AS3 and AS_PATH 1 1 1 directly, re-announces AS_PATH 4 1 1 1 to the Internet, and all traffic enters AS1 via AS2)


4.6.2 Specific Route Injection

Forwarding always uses the longest matching prefix, before the BGP attributes of any shorter covering route are considered. Therefore by injecting a more specific route into the eBGP announcements at one peering point, it is possible to attract traffic for that destination across that peering point, whatever AS path length the covering route carries elsewhere. This approach has a high administrative overhead, however, and works against address aggregation and CIDR. The same property is what makes an unfiltered more specific announcement from a customer or peer dangerous: it attracts the traffic whether or not the announcer legitimately holds the address space, which is one reason for the prefix filtering described in 4.2.3.
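The three techniques of 4.6 to 4.6.2, together with the basic eBGP behaviour of 2.7, as one added Python example that is not from the manual. It floods announcements over the four-AS topology of Figure 25 (AS1 originates 192.168.1.0/24; peerings AS1–AS2, AS2–AS3, AS3–AS4, AS1–AS4), with every AS prepending its own number on export and rejecting any path that already contains its own number, then selects by shortest AS_PATH and forwards by longest prefix. Two simplifications are assumptions of the example: ties on path length are broken by lowest neighbour ASN, standing in for BGP's later tie-breakers, and the prepending scenario uses three extra copies of AS1 so that the outcome does not depend on a tie-break, whereas the figure shows two.

```python
"""Added example: eBGP announcement flooding, AS_PATH selection and longest-prefix forwarding.
Topology and prefix are taken from Figure 25; everything else is constructed for the example."""
import ipaddress
from collections import defaultdict

# eBGP peerings of Figure 25 (constructed from the figure).
LINKS = [(1, 2), (2, 3), (3, 4), (1, 4)]
PREFIX = "192.168.1.0/24"


def best_path(candidates):
    """Choose from {neighbour_asn: as_path}. Shortest AS_PATH wins; a tie is broken by
    lowest neighbour ASN, an assumption standing in for BGP's later tie-breakers."""
    if not candidates:
        return None
    nbr = min(candidates, key=lambda n: (len(candidates[n]), n))
    return nbr, candidates[nbr]


def propagate(links, originations, prepend=None):
    """Flood announcements until every AS's received routes (Adj-RIB-In) stop changing.

    originations: {asn: {prefix: None or [neighbours the origin announces it to]}}
    prepend:      {(from_asn, to_asn): n} extra copies of from_asn put in front of the
                  AS_PATH when exporting to that neighbour (path pre-pending)
    Returns rib_in[asn][prefix] -> {neighbour_asn: as_path as received}.
    """
    prepend = prepend or {}
    peers = defaultdict(set)
    for a, b in links:
        peers[a].add(b)
        peers[b].add(a)
    rib_in = defaultdict(lambda: defaultdict(dict))
    changed = True
    while changed:
        changed = False
        for asn in list(peers):
            own = originations.get(asn, {})
            for prefix in set(rib_in[asn]) | set(own):
                if prefix in own:                       # originated here: empty path, all or listed peers
                    best, targets = (), (own[prefix] or peers[asn])
                else:                                   # learnt: export the selected path to every peer
                    chosen = best_path(rib_in[asn][prefix])
                    best, targets = (chosen[1] if chosen else None), peers[asn]
                for to in targets:
                    desired = None
                    if best is not None:
                        path_out = (asn,) * (1 + prepend.get((asn, to), 0)) + best
                        if to not in path_out:          # receiver's loop detection: own ASN in path, reject
                            desired = path_out
                    slot = rib_in[to][prefix]
                    if slot.get(asn) != desired:        # announce, update or withdraw
                        if desired is None:
                            slot.pop(asn, None)
                        else:
                            slot[asn] = desired
                        changed = True
    return rib_in


def forward(rib_in, asn, dest_ip):
    """Forwarding lookup at `asn`: the longest matching prefix wins before AS_PATH is considered.
    Returns (prefix, next-hop neighbour asn) or None."""
    addr = ipaddress.ip_address(dest_ip)
    matches = [(ipaddress.ip_network(p).prefixlen, p) for p, cands in rib_in[asn].items()
               if cands and addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    prefix = max(matches)[1]
    return prefix, best_path(rib_in[asn][prefix])[0]


if __name__ == "__main__":
    plain = propagate(LINKS, {1: {PREFIX: None}})
    print("plain:         AS4 chooses", best_path(plain[4][PREFIX]))                 # direct link to AS1
    padded = propagate(LINKS, {1: {PREFIX: None}}, prepend={(1, 4): 3})
    print("pre-pending:   AS4 chooses", best_path(padded[4][PREFIX]))                # via AS3, AS2
    specific = propagate(LINKS, {1: {PREFIX: None, "192.168.1.8/29": [2]}})
    print("more specific: 192.168.1.10 via", forward(specific, 4, "192.168.1.10"))   # /29 via AS3
    print("more specific: 192.168.1.100 via", forward(specific, 4, "192.168.1.100")) # /24 via AS1
```

The third scenario is the one worth studying from a security standpoint: the /29 reaches AS4 with a three-hop path and still wins for every address inside it, because the forwarding lookup never compares it with the /24 at all. Anyone able to inject a more specific prefix past an unfiltered boundary gets the same effect.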


Figure 25 (continued)  BGP Traffic Engineering Techniques
(figure: specific route injection; AS1 announces 192.168.1.0/24 to AS4 (AS_PATH 1, re-announced as 4 1) and the more specific 192.168.1.8/29 to AS2 (AS_PATH 1, becoming 2 1 at AS3 and 3 2 1 at AS4); traffic for 192.168.1.8/29 follows the /29 via AS3 and AS2, while the remaining 192.168.1.0/24 traffic still uses the direct link from AS4)


5 SECTION 3 QUESTIONS

1 Describe the main functions carried out in the core, distribution and access layers of a service provider IP network.

2 An IXP mainly offers:

a the ability to host application servers to smaller ISPs
b the ability to outsource network operations
c the ability to interconnect with other ISPs in a shared facility
d the ability to access the overall Internet backbone, operated by the NSF

3 Routing tables may be populated:

a statically
b dynamically
c neither, routes are learnt from routing protocols running in the network
d both a and b

4 OSPF is an example of:

a a traditional IGP, which does not scale well
b a traditional EGP, which does not scale well
c a modern IGP, which scales well
d a modern EGP, which scales well

5 BGP4 is an example of:

a a protocol that exchanges reachability information between autonomous systems
b a protocol that allows policy control across peering points
c a protocol that allows the control of traffic flows through tuning of its routing metrics
d all of the above


6 Routing across the customer/service provider routing domain should adhere to the following principles:

a use a dynamic routing protocol where possible across the customer/service provider interface, to minimize administrative work
b avoid dynamic routing across the customer/service provider interface, unless the size or complexity of the customer network demands it
c always import and export the maximum number of routes between the customer and service provider, so that customer routers can always forward packets successfully
d always allocate a private AS number to customer networks, so that eBGP can operate across the customer/service provider interface

7 BGP implementations within an AS can be made more scalable by the use of:

a BGP path pre-pending
b BGP route filtering
c OSPF areas
d BGP route reflectors


SECTION 4

FUTURE DIRECTIONS IN IP ENGINEERING


SECTION CONTENTS

1 IP QoS Technologies 4.1
1.1 What is Quality of Service (QoS)? 4.1
1.2 Why QoS is Important 4.3
1.3 What Causes Poor QoS? 4.3
1.4 Where do Packet Loss and Delay Occur? 4.3
1.5 QoS Approaches in IP Networks 4.5
1.6 The Overcapacity Approach 4.5
1.7 IETF Approach to IP QoS 4.7
1.8 Integrated Services Model 4.7
1.9 Resource Reservation Protocol (RSVP) 4.9
1.10 Differentiated Services Model (DiffServ) 4.11
1.11 IP over ATM QoS 4.13
1.12 QoS in MPLS Networks 4.15

2 IP Virtual Private Networks (VPN) 4.17
2.1 What is a VPN? 4.17
2.2 Tunnelling 4.17
2.3 VPN Applications: Intranets, Extranets and Remote Access 4.19
2.4 Types of VPN 4.21
2.5 MPLS-based IP-VPN Motivation 4.23
2.6 Architecture of MPLS-based IP-VPNs 4.25
2.7 MPLS VPN Operation 4.27
2.8 Motivation for Encryption-based IP-VPNs 4.29
2.9 Secret Key Cryptography 4.31
2.10 Public Key Cryptography (PKC) 4.31
2.11 IPSec Operation 4.33
2.12 IPSec Gateway Location 4.35
2.13 Products Supporting IPSec 4.35

3 Security Engineering 4.39
3.1 The Basics 4.39
3.2 Quantifying the Risk 4.41
3.3 Basic Countermeasures 4.43
3.4 Other Countermeasures – Security Appliances 4.45
3.5 Other Countermeasures – Software Solutions 4.47
3.6 Proportionality of Countermeasures 4.49
3.7 Case Study 1 – Enabling B2B and B2C Communications 4.51
3.8 Case Study 2 – Enabling B2C Transactions 4.53
3.9 Case Study 3 – Mobile Computing 4.55

4 IPv6 4.57
4.1 Motivation for IPv6 Development 4.57
4.2 IPv4/IPv6 Co-existence 4.59
4.3 IPv6 Product Availability 4.59

5 Mobility 4.61
5.1 Public Service Wireless LANs 4.61
5.2 The IETF Architecture for Mobile IP 4.63

6 Section 4 Questions 4.65


1 IP QOS TECHNOLOGIES

1.1 What is Quality of Service (QoS)?

The ITU has defined both Quality of Service (QoS) and Network Performance as important measures of communications effectiveness. In their model QoS is concerned with the experience of users of the service, while network performance is concerned purely with the network, rather than end equipment or subjective measures. However, the general models have not been well developed for connectionless networks such as IP, for the reasons discussed below. QoS measures can be applied to aspects such as the availability of a service on a long-term basis. The focus in this section will be on the short-term performance of the network for a particular flow of traffic.

QoS is easily measured and engineered in circuit-switched networks, partly because of many years of experience in doing it, but mainly because circuit switching is relatively simple to analyze and measure. Generally the QoS is characterized for each phase of a call, namely connection set-up, user information transfer and connection tear-down. Measures such as Post Dial Delay (PDD) and Grade of Service (GoS) are well-established and effective measures of the performance of a circuit-switched network in the call set-up phase, and because a hard resource reservation is made when a voice circuit is seized, performance in the user information transfer phase is dominated by the Bit Error Rate (BER) of the transmission system.

Virtual circuit technologies present additional challenges in measuring QoS. The three phases used in circuit switching still apply, and so measures such as PDD and GoS can still be used to assess the quality of the call set-up phase in Broadband-ISDN networks, for example. However the packet-switched information transfer phase introduces new complications, such as lost packets, misdelivered packets, delay and delay variation. The ATM model also makes hard resource reservations when a virtual circuit is established (at least for the higher priority services), and so by making the correct planning assumptions, and running effective Connection Admission Control (CAC) in the network when calls are offered, an ATM network can meet any necessary QoS performance required of it.

Connectionless technologies, such as IP, no longer have the set-up and tear-down phases that occur for real in virtual circuit switching. Because there is no concept of a circuit in an IP network, there can be no reservation of resources on a per-circuit basis. Therefore traditional IP networks have been unable to offer any meaningful QoS guarantees, because the techniques to engineer QoS were not available within the architecture.


1.2 Why QoS is Important

Different applications place different requirements upon the QoS available from a network as it carries user traffic. Real-time interactive applications such as voice and videoconferencing require very low delay and delay variation, but will tolerate a modest amount of packet loss within the network. Non-real-time applications such as file transfers will accept significant delay and delay variation but are intolerant of packet loss that is not recovered.

1.3 What Causes Poor QoS?

Lack of resources within the network to meet demand is the cause of poor QoS. Inthe circuit-switched case, insufficient call handling capacity or bearer capacity leadsto blocked calls.

In an IP network, congestion at the routers can cause increased delay, increaseddelay variation and dropped packets. If packets do not experience congestion, thenthey will achieve the best performance possible with the network.

1.4 Where do Packet Loss and Delay Occur?

In most cases, network congestion occurs at the edge of the network, rather than inthe core. It is typically at the edge of the network that bandwidth is most constrained.This may be because of the high cost of access bandwidth to the service providerPoint of Presence (PoP), or high contention ratios in the distribution network.


Figure 2 The Causes of Poor QoS (diagram: user, customer router, access router, distribution router, core router; bandwidth increases and congestion decreases towards the core; packets are dropped at the low-bandwidth access link and in the high-contention-ratio distribution network, and pass without loss elsewhere)


1.5 QoS Approaches in IP Networks

There are three main approaches to avoiding congestion in IP networks:

• overcapacity

• integrated services

• differentiated services

1.6 The Overcapacity Approach

The overcapacity approach simply relies on planning to have excess capacity thatprovides headroom within the network, and so avoids congestion. Most Internetbackbones rely on this overcapacity approach to achieve very low packet loss, anddelay close to the physical propagation limits.

This approach has been strongly advocated by Internet ‘purists’, who dislike the move away from the ‘dumb network, smart host’ model of IP networks that the other QoS approaches represent. However there are issues with this approach:

• the overcapacity model works well when network demand is growing strongly; bycommissioning capacity a few months earlier than necessary, the networkmaintains the necessary headroom to operate without loss or delay

• conversely, when growth is not strong, this overcapacity is expensive

• overcapacity works well in the core of the network, but is difficult to provide onexpensive access circuits

• the overcapacity model works well with large numbers of independent trafficflows (as in the core), but works less well with a smaller number of flows, whichare not independent (as at the access layer)

• the overcapacity model may work well in ‘normal’ operating conditions, but in extreme conditions (a link failure, a flash crowd or a denial-of-service flood, for example) it is impossible to protect critical traffic, since there is no way to distinguish it from other traffic


Figure 3 The Overcapacity QoS Model (graph of network capacity against time, quarterly from Q1 2003 to Q2 2005, with the supply forecast kept ahead of the demand forecast)


1.7 IETF Approach to IP QoS

Two methods of providing QoS on the Internet have been proposed by the IETF. Thefirst uses Resource Reservation Protocol (RSVP) and is known as the IntegratedServices (IntServ) architecture. The second is known as Differentiated Services(DiffServ). Both approaches rely upon altering the Per Hop Behaviours (PHBs) ofrouters forwarding IP traffic. However, whereas DiffServ simply sets up categories oftraffic in the routers, and classifies packets into one of these categories for properhandling, IntServ uses a signalling protocol to request the reservation of resources ona flow-by-flow basis.

1.8 Integrated Services Model

The Integrated Services Model uses a protocol called RSVP for a call set-up process in which users request bandwidth and QoS. The routers in the network respond as to whether they have sufficient resources. Processing is required within each router from source to destination, and each packet sent by the source is policed to ensure that the source does not exceed the agreed traffic specification. Each packet carries a flow identifier (in practice the addresses, protocol and ports of the flow), which every router it traverses examines so as to identify the packet as one for which bandwidth has been reserved.


Figure 4 The Integrated Services QoS Model (diagram: an individual user at the source signals a request; resources are reserved across the networks to the destination, giving either Guaranteed QoS or Controlled Load service)


1.9 Resource Reservation Protocol (RSVP)

RSVP has two fundamental message types for reserving QoS: PATH and RESV. PATH messages are sent from the sender towards the receiver and store path state in each node along the way. RESV messages are sent from the receiver towards the sender, following the reverse of the route taken by the PATH message, and create and maintain reservation state in each node towards the sender.

1.9.1 PATH Message

The source sends out a PATH message carrying its traffic specification (Tspec) for the flow. Each router between source and destination examines the PATH message, records path state (including the address of the previous hop, so that RESV messages can retrace the route) and adds its own contribution to the delay that the flow would experience if a reservation were established. These per-hop delay terms are accumulated in the PATH message as it traverses the network.

1.9.2 RESV Message

By the time the PATH message has reached the destination, it contains the accumulated total of all the per-hop delay terms. The destination can then calculate the end-to-end delay bound it would obtain for a given reserved rate, R, and send a RESV message back towards the source requesting that rate. If the destination can accept a longer delay, it can inform the network about this by setting a slack term, S, in seconds, which allows routers along the path to reserve less than R; in return the destination might expect the network operator to give a discounted price. The RESV message contains a flowspec, which has two parts: an Rspec (the reserved rate R and the slack S) and a Tspec (the traffic description to which the reservation applies).

1.9.3 Have We Created a Virtual Circuit?

The IntServ model using RSVP mimics some of the behaviour of circuit switching. Itallows the path through the network to be established and stored for each signalledflow, and it makes a resource reservation for that flow at each router. The concept ofa connection has been imposed upon the connectionless IP network.

The main difference between this approach and a virtual circuit is that the path takenis still controlled by routing protocols in the IP network. Therefore if the networkdecides that traffic should be rerouted, the RSVP messages will request reservationson the new routers they cross. A reservation will expire if new messages are notreceived to renew it, hence the continuous flow of signalling that is required in theRSVP model¹.

¹ This approach is known as soft state, to distinguish it from the hard state of traditional circuit switching or virtual circuit switching.
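The following Python model is an example added by the editor; it is not part of the course text and does not claim to be any vendor's RSVP implementation. It walks through the exchange of Figure 5: a PATH message accumulates each hop's delay terms (the C and D error terms of the Guaranteed Service, RFC 2212), the receiver computes the delay bound, chooses the smallest reserved rate R that meets its target and sends a RESV back along the path, where each router performs admission control and installs soft state that lapses unless refreshed. The router addresses and the UDP flow come from Figure 5; the link capacities, C and D values, Tspec, delay target and 30 s state lifetime are assumptions.

```python
"""Toy RSVP PATH/RESV exchange with soft-state reservations (added example)."""
from dataclasses import dataclass, field


@dataclass
class Tspec:
    """Sender traffic specification: token bucket, in bytes and bytes/s."""
    r: float   # token rate
    b: float   # bucket depth
    p: float   # peak rate
    m: float   # maximum packet size


@dataclass
class Router:
    name: str
    capacity: float        # bytes/s available for reservations (assumed)
    c: float               # rate-dependent error term C, bytes (RFC 2212)
    d: float               # rate-independent error term D, seconds
    reserved: dict = field(default_factory=dict)   # flow_id -> (rate, expiry)

    def on_path(self, adspec):
        """PATH: add this hop's error terms to the accumulated Adspec."""
        return {"Ctot": adspec["Ctot"] + self.c, "Dtot": adspec["Dtot"] + self.d}

    def on_resv(self, flow_id, rate, now, lifetime=30.0):
        """RESV: admission control, then install or refresh soft state."""
        self.expire(now)
        others = sum(r for fid, (r, _) in self.reserved.items() if fid != flow_id)
        if others + rate > self.capacity:
            return False                        # the router would send a ResvErr
        self.reserved[flow_id] = (rate, now + lifetime)
        return True

    def expire(self, now):
        """Soft state: forget reservations whose refresh timer has lapsed."""
        self.reserved = {f: v for f, v in self.reserved.items() if v[1] > now}


def delay_bound(t, R, Ctot, Dtot):
    """Guaranteed Service end-to-end queueing delay bound (RFC 2212), for R >= t.r."""
    if R >= t.p:
        return (t.m + Ctot) / R + Dtot
    return (t.b - t.m) / R * (t.p - R) / (t.p - t.r) + (t.m + Ctot) / R + Dtot


def reserve(routers, flow_id, tspec, target_delay, now=0.0):
    """PATH downstream, then RESV upstream. Returns (admitted, R, delay bound)."""
    adspec = {"Ctot": 0.0, "Dtot": 0.0}
    for rt in routers:                                   # PATH: sender -> receiver
        adspec = rt.on_path(adspec)
    R = tspec.r                                          # receiver picks the smallest R
    while delay_bound(tspec, R, adspec["Ctot"], adspec["Dtot"]) > target_delay:
        R *= 1.25
        if R > 1e9:                                      # target below Dtot: unreachable
            return False, None, None
    bound = delay_bound(tspec, R, adspec["Ctot"], adspec["Dtot"])
    for i, rt in enumerate(reversed(routers)):           # RESV: receiver -> sender
        if not rt.on_resv(flow_id, R, now):
            for done in routers[len(routers) - i:]:      # release hops already reserved
                done.reserved.pop(flow_id, None)
            return False, R, bound
    return True, R, bound


def demo():
    """Two voice flows compete for a 200 kbyte/s path; the second is admitted
    only after the first flow's state has expired (assumed values)."""
    path = [Router("134.199.200.1", 200_000, 1_500, 0.002),
            Router("158.20.2.1", 200_000, 1_500, 0.002)]
    voice = Tspec(r=64_000, b=8_000, p=128_000, m=1_500)
    first = reserve(path, "flowA", voice, target_delay=0.05, now=0.0)
    second = reserve(path, "flowB", voice, target_delay=0.05, now=1.0)
    retry = reserve(path, "flowB", voice, target_delay=0.05, now=40.0)
    return first, second, retry


if __name__ == "__main__":
    print(demo())
```

With the assumed figures the receiver settles on R = 125 kbyte/s for a 42 ms bound; the second flow is refused at 158.20.2.1 because both flows together would exceed the link, and is admitted at t = 40 s once the first flow's unrefreshed state has expired, which is the soft-state behaviour the footnote describes.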


Figure 5 RSVP Operation (diagram: source 134.199.200.20 sends to receiver 158.20.2.7 through routers 134.199.200.1 and 158.20.2.1. PATH messages travel hop by hop towards the receiver, each carrying Dest: 158.20.2.7, Source: 134.199.200.20, UDP port 1234 and the Tspec, with the previous-hop address recorded as 134.199.200.20, then 134.199.200.1, then 158.20.2.1. RESV messages travel back hop by hop, each addressed to the previous hop held in the path state (UDP to 158.20.2.1, then 134.199.200.1, then 134.199.200.20) and carrying the Flowspec (Rspec, Tspec).)


1.10 Differentiated Services Model (DiffServ)

The Diffserv architecture does not include a signalling mechanism such as RSVP,and does not reserve resources for individual flows. Instead a set of Class of Service(CoS) is designed for the network, and router resources are apportioned to theseclasses. So, for example, a network operator might implement a gold, silver andbronze CoS which can be sold to customers.

By configuring the queuing behaviour of the routers within the network, it is possible to give priority to packets in the gold category over those in the silver, and to those in the silver over those in the bronze. Queuing algorithms also allow a guaranteed portion of the available output bandwidth on any port to be allocated to one of the CoS. So, for example, 20% of the available bandwidth might be guaranteed for the gold class. If more bandwidth is required, the non-guaranteed bronze bandwidth can be taken. However if the gold class required more than 70% of the available bandwidth, this could not be provided, because this would violate the silver guarantees (30%). All unused bandwidth is available for other classes as required. So in the example in Figure 6, when silver no longer needs its allocation, this is available for gold (or bronze) to use.

To allow routers to recognize which category a packet belongs to, it must be tagged as belonging to the gold, silver or bronze class. This is done as the packet enters the DiffServ network, by packet classifiers. These classifiers are configured to recognize traffic from particular addresses, or on particular TCP or UDP ports, as belonging to one of the three classes.

The DiffServ CoS for a packet is carried in the IPv4 datagram Type of Service (ToS) byte, which has been re-designated the Differentiated Services (DS) field for this purpose (IPv6 uses its Traffic Class octet in the same way). The six most significant bits of the field hold the DiffServ Code Point (DSCP), which selects the per-hop behaviour; the remaining two bits are used for Explicit Congestion Notification. Because the DS field is written by whoever sends the packet, an edge router should not trust the marking on traffic arriving from a customer or from the Internet, but should re-mark it according to its own classifier.
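The following Python example is added by the editor and is not part of the course text or of any router's software. It implements the three pieces of the DiffServ model just described: the classifier of Figure 6, DS-field marking at the ingress that deliberately ignores any DSCP already set by the sender, and a per-hop scheduler that honours the gold 20% and silver 30% guarantees and hands unused capacity to the other classes. The site address ranges, the RTP port range and the choice of code points (EF for gold, AF31 for silver, default for bronze) are assumptions.

```python
"""DiffServ edge: classifier, DS-field marking and a per-hop scheduler (added example)."""
import ipaddress

SITE_A = ipaddress.ip_network("192.168.0.0/16")    # assumed address range of corp. site A
SITE_B = ipaddress.ip_network("10.2.0.0/16")       # assumed address range of corp. site B
ANY = ipaddress.ip_network("0.0.0.0/0")
RTP_PORTS = range(16384, 32768)                    # assumed RTP port range for VoIP

# Classifier rules from Figure 6: (from, to, protocol, destination ports, class).
# First match wins, so the site-specific rules precede the catch-all ones.
RULES = [
    (SITE_A, SITE_B, "udp", RTP_PORTS, "gold"),    # Corporate VoIP
    (SITE_A, SITE_B, "tcp", [80], "silver"),       # Intranet WWW
    (ANY, ANY, "tcp", [80], "bronze"),             # Internet WWW
    (ANY, ANY, "tcp", [21], "bronze"),             # Internet FTP
    (ANY, ANY, "tcp", [110], "bronze"),            # Internet POP3 e-mail
]

# Assumed code points: EF for gold, AF31 for silver, default (best effort) for bronze.
DSCP = {"gold": 46, "silver": 26, "bronze": 0}

# Per-hop behaviour table of Figure 6: guaranteed share of the output link.
GUARANTEE = {"gold": 0.20, "silver": 0.30, "bronze": 0.0}
PRIORITY = ["gold", "silver", "bronze"]


def classify(src, dst, proto, dport):
    """Return the class for a packet's 5-tuple (unmatched traffic is bronze)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_src, rule_dst, rule_proto, ports, cls in RULES:
        if s in rule_src and d in rule_dst and proto == rule_proto and dport in ports:
            return cls
    return "bronze"


def mark(ds_byte_in, cls):
    """Rewrite the DS field at ingress: DSCP in the top six bits, ECN bits kept.
    The incoming DSCP is deliberately ignored, so a host cannot promote its own
    traffic to gold by pre-marking it."""
    return (DSCP[cls] << 2) | (ds_byte_in & 0x03)


def dscp_of(ds_byte):
    """Extract the DSCP a core router would switch on."""
    return ds_byte >> 2


def schedule(demand, link):
    """Share `link` bytes among the classes for one scheduling interval.
    Each class first receives min(demand, guarantee); capacity left over is
    then handed to classes with unmet demand in priority order, so unused
    silver bandwidth is available to gold or bronze."""
    alloc = {c: min(demand.get(c, 0), GUARANTEE[c] * link) for c in PRIORITY}
    spare = link - sum(alloc.values())
    for c in PRIORITY:
        extra = min(demand.get(c, 0) - alloc[c], spare)
        alloc[c] += extra
        spare -= extra
    return alloc


if __name__ == "__main__":
    cls = classify("192.168.1.5", "10.2.0.9", "udp", 20000)
    print(cls, hex(mark(0x00, cls)))
    print(schedule({"gold": 90, "silver": 30, "bronze": 50}, 100))
```

Running the scheduler with gold demanding 90%, silver 30% and bronze 50% gives gold exactly 70%, the ceiling the text derives from the silver guarantee; with silver idle, gold and bronze absorb its share. The `mark` function is where the trust boundary sits: a packet arriving with the EF code point already set is re-marked to whatever the classifier decides.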


Figure 6 The Differentiated Services QoS Model

Graph: % bandwidth (0 to 100) against time, showing gold, silver and bronze bandwidth utilization on the link between Site A and Site B through the DiffServ routers; a DiffServ packet classifier at the edge applies the rules below.

Packet classifier rules:

  from           to             port      CoS      Comment
  *.*.*.*        *.*.*.*        tcp/80    bronze   Internet WWW
  *.*.*.*        *.*.*.*        tcp/21    bronze   Internet FTP
  *.*.*.*        *.*.*.*        tcp/110   bronze   Internet POP3 e-mail
  corp. site A   corp. site B   tcp/80    silver   Intranet WWW
  corp. site A   corp. site B   udp/rtp   gold     Corporate VoIP

Per hop behaviour:

  Category   Priority   % Bandwidth
  Gold       High       20 %
  Silver     Medium     30 %
  Bronze     Low        unassigned


1.11 IP over ATM QoS

1.11.1 ATM Class of Service (CoS)

ATM has classes of service which allow predictable performance to be achieved for a wide range of requirements. Although other classes are available, most public service ATM networks limit the CoS available to Constant Bit Rate (CBR), Variable Bit Rate (VBR) and Unspecified Bit Rate (UBR).

1.11.2 QoS mapping between IP and ATM

With the introduction of IntServ and DiffServ, IP and ATM each have QoS mechanisms.

ATM Permanent Virtual Circuits (PVC) allow traffic to be carried on trunk connections,without the need to set up connections through ATM signalling. Each PVC has a categoryof service, which defines the QoS to be expected from the connection.

ATM Switched Virtual Connections allow circuits to be set-up and disconnected ondemand using ATM signalling, and with a CoS to meet the QoS parameters of theconnection being requested.

The IP DiffServ architecture allows reservations of bandwidth to be made for each CoS being carried by the network, without the need to signal each flow.

The IntServ architecture provides a signalling mechanism rather like ATM signalling, whichallows reservations to be set up on demand for particular flows through the network.

Public ATM networks almost unanimously use a PVC-only model of service, and do not support user-network signalling to set up ATM connections on demand. Furthermore, the IP network operators have unanimously preferred the DiffServ model to the IntServ model for providing QoS in IP networks. And finally, the signalling models of ATM and RSVP are fundamentally different: ATM assumes a sender-initiated connection, whereas RSVP assumes a receiver-initiated reservation.

For these reasons, approaches that involve service interworking between Intserv and ATMsignalling have not been deployed, and IP over ATM approaches are based uponcombinations of DiffServ, ATM PVCs and packet classification.


Figure 7 IP over ATM QoS Models (diagram: (a) ATM PVC and DiffServ interworking: packets carrying a DS pattern pass through a packet classifier into an interworking function (IWF), which maps DiffServ class of service to ATM category of service and forwards them over an ATM PVC; (b) ATM SVC and IntServ interworking: RSVP path and resv messages reach an IWF that must provide signalling interworking to set up an ATM SVC. IWF functions: DS code to ATM CoS mappings; IP to ATM adaptation functions; IP address to PVC mappings; (RSVP to ATM signalling mapping).)


1.12 QoS in MPLS Networks

MPLS technology was designed to support the IP QoS techniques. The MPLS shim header has a three-bit field (originally named the EXP or experimental field, now the Traffic Class field) that can carry a class-of-service marking derived from the DS field of the IP packet.

MPLS allows Label Switched Paths (LSPs) to be set up in a variety of ways, includingby signalling using RSVP, and by manual configuration.

The manual configuration of MPLS LSPs is similar to the PVC approach of ATM andthe signalling approach of MPLS using RSVP is similar to the RSVP signallingapproach of the Intserv architecture, or the signalling approach of ATM.

Although an MPLS core network could establish LSPs for each flow of traffic ondemand (the equivalent of ATM Virtual circuits), instead it typically operates more likeDiffserv, by providing a trunk connection between the edges of the network, andguaranteeing the delay, delay variation and loss performance of that trunk for alltraffic carried across it.

Public network operators generally see MPLS technology as a way to provide reliable, controlled forwarding of IP traffic. Normally a separate trunk connection is provided between the edges of the MPLS network for each CoS being carried by the service provider. When MPLS implements QoS in this way, then instead of one FEC for a set of IP addresses, there are multiple FECs, one per CoS to this group of addresses. This also means that the MPLS Label Switched Routers (LSRs) do not need to consider QoS when forwarding packets, making their operation simpler.

Packet classifiers in the LSRs at the edge of the network place traffic into the correctFEC (and hence trunk) within the MPLS network by classifying packets as in theDiffServ architecture. If the packets have already been classified (perhaps becauseDiffServ has operated at the edge of the network), then the DiffServ codes would bemapped into the appropriate FEC.

Effectively setting up and managing the MPLS trunks that provide this service is itselfa complex task, known as traffic engineering.


Figure 8 QoS in MPLS Networks (diagram: corp. site A (192.168.*.*) and corp. site B (10.2.*.*) connect through edge LSRs acting as MPLS ‘packet classifiers’ to a core of LSRs carrying a bronze LSP, a silver LSP and a gold LSP. Classifier table (from, to, port, CoS, FEC): any to any, tcp/*, bronze, FEC 24; corp. site A to corp. site B, tcp/21, silver; corp. site A to corp. site B, udp/rtp, gold; FECs 25 and 26 identify the silver and gold LSPs.)


2.1 What is a VPN?

The answer to the simple question ‘What is a VPN?’ is anything but simple, andleads to much of the confusion and debate surrounding the subject. AT&T coined theterm Virtual Private Network (VPN) to market a corporate voice service that ranacross their Public Switched Telephone Network (PSTN), but which provided the lookand feel of a leased line interconnection between Private Branch Exchanges (PBXs)by using a proprietary signalling protocol.

A good working definition of a VPN might be ‘A service with the behaviour and characteristics of a private, dedicated network, but constructed on a shared infrastructure’. Although this definition could include a private leased circuit as a Layer 1 VPN, we normally limit the definition to L2 services and above.

2.2 Tunnelling

VPNs normally require that user traffic be tunnelled across the shared infrastructure.This provides several benefits:

• it ensures that VPN traffic enters and exits the public network at the intendedpoints, rather than by some alternative route

• it ‘hides’ the private address scheme from the shared network, so that addressconflicts are avoided, and changes within the private network do not requirechanges to the public service

• it ‘hides’ the shared network architecture from the private network, so thatinternal architecture issues do not affect the service, and changes to it do notaffect the operation of the VPN

Figure 9 shows IP traffic being tunnelled within IP. The hosts communicating have addresses in the 192.168.1.0 network, but are connected through routers with addresses in the 10.0.0.0 network. These interfaces on the routers are also configured to act as tunnel endpoints, and so they encapsulate the user traffic so that it appears to originate and terminate on the routers. The original IP source and destination addresses are now simply part of the payload of the tunnelled packet. At the far-end tunnel endpoint, the encapsulation is removed, and the original packet is routed to the intended host at 192.168.1.2.

This example shows tunnelling of IP traffic within IP, but we can consider transport of IP traffic across Layer 2 switched connections such as Frame Relay and ATM as tunnelling also. The two main types of VPN we will consider in this section are Multiprotocol Label Switching (MPLS) VPNs and IP Security (IPSec) VPNs. MPLS VPNs tunnel IP traffic across MPLS LSPs. IPSec VPNs tunnel IP traffic across IPSec tunnels. Note that tunnelling on its own only encapsulates: a plain IP-in-IP or MPLS tunnel gives the payload no confidentiality or integrity protection, and a tunnel endpoint should not accept encapsulated traffic from arbitrary sources, since whatever it decapsulates is injected into the private network.
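The following Python example is added by the editor and is not part of the course text or of any router's software. It builds the packets of Figure 9 byte for byte: host A (192.168.1.1) sends to host B (192.168.1.2), router C (10.0.0.1) wraps the packet in an outer IPv4 header addressed to router D (10.0.0.2) using protocol number 4 (the IANA value for IP-in-IP, RFC 2003), and D unwraps it. The check at D that the outer source really is the configured peer is an assumed policy, not something the course text specifies; the payload and the use of protocol 253 for the inner packet are constructed for the example.

```python
"""IP-in-IP tunnelling (RFC 2003) for the topology of Figure 9 (added example)."""
import ipaddress
import struct

IPPROTO_IPIP = 4          # IANA protocol number for IP-in-IP encapsulation


def checksum(data):
    """One's-complement Internet checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64, ident=0):
    """Minimal 20-byte IPv4 header (no options) with the payload appended."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000,
                      ttl, proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload); reject a bad header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return (str(ipaddress.ip_address(pkt[12:16])), str(ipaddress.ip_address(pkt[16:20])),
            pkt[9], pkt[ihl:total_len])


class TunnelEndpoint:
    """One end of a point-to-point IP-in-IP tunnel, i.e. router C or D."""

    def __init__(self, local, peer):
        self.local, self.peer = local, peer

    def encapsulate(self, inner_pkt):
        """Outer header carries the tunnel endpoints; the original packet,
        addresses included, becomes the payload."""
        return build_ipv4(self.local, self.peer, IPPROTO_IPIP, inner_pkt)

    def decapsulate(self, outer_pkt):
        src, dst, proto, inner = parse_ipv4(outer_pkt)
        if proto != IPPROTO_IPIP or dst != self.local:
            raise ValueError("not a tunnel packet for this endpoint")
        if src != self.peer:
            # Plain IP-in-IP has no authentication. Without this check anyone
            # able to reach D could wrap a packet and have it injected into the
            # 192.168.1.0 network as if it came from A. (Assumed policy.)
            raise ValueError("outer source %s is not the tunnel peer" % src)
        return inner


def accepts(endpoint, pkt):
    """True if the endpoint would decapsulate and forward the packet."""
    try:
        endpoint.decapsulate(pkt)
        return True
    except ValueError:
        return False


def demo():
    """A sends to B through the C-D tunnel; a forged outer packet is refused."""
    c = TunnelEndpoint("10.0.0.1", "10.0.0.2")
    d = TunnelEndpoint("10.0.0.2", "10.0.0.1")
    # Constructed payload; protocol 253 is reserved for experiments (RFC 3692).
    inner = build_ipv4("192.168.1.1", "192.168.1.2", 253, b"hello from A")
    outer = c.encapsulate(inner)
    delivered = d.decapsulate(outer)
    forged = build_ipv4("203.0.113.9", "10.0.0.2", IPPROTO_IPIP, inner)
    return inner, outer, delivered, accepts(d, forged)


if __name__ == "__main__":
    inner, outer, delivered, forged_ok = demo()
    print(parse_ipv4(outer)[:3], delivered == inner, forged_ok)
```

The packet D hands to B is byte-identical to the one A sent, which is the ‘hiding’ property the bullet list above describes; the outer header adds exactly 20 bytes, which is why tunnelled links need a correspondingly smaller MTU inside the tunnel.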

2 IP VIRTUAL PRIVATE NETWORKS (VPN)


Figure 9 Tunnelling (diagram: a Virtual Private Network is ‘A service with the behaviour and characteristics of a private, dedicated network, but constructed on a shared infrastructure’. Host A (192.168.1.1) and host B (192.168.1.2) communicate through routers C (10.0.0.1) and D (10.0.0.2). Conventional connection: the packet carries header B/A and its payload end to end. Tunnelled connection: a tunnel is established between C and D; between them the original packet (header B/A, payload) is carried as the payload of an outer packet with header D/C; beyond D the original packet is forwarded unchanged to B.)


2.3 VPN Applications: Intranets, Extranets and Remote Access

2.3.1 Intranet

An Intranet application connects separate sites within an organization across a public infrastructure. These connections are normally long-standing, and can be in a hub and spoke, full mesh or hybrid configuration. Traditional L2 VPN technologies have favoured hub and spoke arrangements, due to the higher cost of provisioning a mesh of PVCs. In an intranet VPN, it is assumed that all sites are equally trusted with access to other sites across the VPN, and that users already have accounts and privileges on the remote systems, hence implementing an intranet VPN and integrating it with existing enterprise systems is normally fairly straightforward.

2.3.2 Extranet

An Extranet VPN application connects separate sites within separate organizations across a public infrastructure. Extranet VPNs allow businesses to permit access to controlled portions of their IT systems to partners, customers or suppliers on a long or short-term basis. Establishing suitable access control mechanisms for extranet users is typically a separate issue from the authentication of end-points and the security of data across the VPN, and can lead to difficult policy and practice issues. One of the attractions of the Secure Sockets Layer (SSL) protocol for extranet use is the ability to place shared information and applications in a controlled zone away from the main corporate network.

2.3.3 Remote Access

A Remote Access VPN provides access to the corporate intranet via some on-demand access technology, typically a dial-up modem or ISDN call across the circuit-switched network, or an ADSL connection for a home worker. Because the connection is on demand and may be roaming, special care must be taken in mutual authentication of the client and gateway, and to ensure that vulnerabilities of the laptop or home system do not allow penetration of the corporate network across the ‘trusted’ VPN connection. Once the VPN is established, remote workers typically have the same access to facilities as they would have at their normal office location, although of course the end-to-end performance of the VPN connection will determine the QoS experienced by the user.


Figure 10 Intranets, Extranets and Remote Access VPNs (diagram: the public IP network links the wraycastle UK and wraycastle USA sites (intranet), a customer site (extranet) and a wraycastle home worker (remote access))


2.4 Types of VPN

Various approaches to building VPNs have been developed:

• Layer 2 virtual leased line VPNs (for example Frame Relay and ATM)

• Layer 3 over native Layer 2 VPNs (for example Multiprotocol over ATM (MPOA)and LAN Emulation (LANE))

• transport layer VPNs (for example Secure Sockets Layer (SSL) and TransportLayer Security (TLS))

• application layer VPNs (for example Secure MIME (S/MIME) and Secure Shell (SSH))

In this course, we concentrate on the two main approaches to implementing VPNs atthe IP layer. These are very different in their approach, but both are sold by a widerange of IP Service Providers as IP-VPNs.

2.4.1 Layer 3 Network Protocol-based VPNs

The IP networking community, led by the major equipment vendors, has developed an MPLS-based VPN architecture, specified in RFC 2547. The MPLS architecture builds upon the basic technology of IP and MPLS. It can be viewed as a development of the traditional Layer 2 VPNs and the Layer 3 over native Layer 2 VPNs.

2.4.2 Layer 3 Encryption-based VPNs

The network security community has developed an IP VPN architecture based upon a technology called IPSec, specified at the time of writing in RFCs 2401–2412 (since revised as RFC 4301 and its companion documents). The IPSec architecture is driven by security, and it has much in common with protocols such as Secure Sockets Layer, in that its basic technology is encryption and integrity protection. However IPSec operates exclusively at the IP layer, by encrypting and authenticating packet payloads, and so is a true IP layer VPN.


Figure 11 Encryption and Network-Protocol-Based VPNs

Encryption-based VPNs:
  Application layer: S/MIME, SSH, etc.
  Transport layer: SSL, TLS
  IP layer: IPSec (reference: RFC 2401–2412)

Network protocol-based VPNs:
  IP layer over native Layer 2: LAN emulation, MPOA
  Link layer: virtual leased lines (ATM, Frame Relay)
  IP layer: MPLS VPN (reference: RFC 2547)


2.5 MPLS-based IP-VPN Motivation

MPLS integrates the label swapping approach of Frame Relay and ATM with a newcontrol plane model for setting up and tearing down ‘connections’ (LSPs in MPLSterminology) that moves away from the ITU-T signalling model, and towards IProuting for control.

This philosophy extends to the MPLS-VPN application also, and potentially deliverssome attractive benefits:

• A Layer 2 VPN requires configuration by the Network Operations Centre (NOC) of the Customer Premises Equipment (CPE) router with virtual circuit identifiers and IP to Layer 2 mappings; however, the MPLS VPN approach requires no CPE configuration: all provisioning is carried out on the Provider Edge (PE) routers within the service provider network.

• A Layer 2 VPN must be provisioned by the NOC through the core network byestablishing end-to-end virtual circuits for each customer. However, an MPLScore network holds no information concerning the MPLS-VPNs that run acrossit.

• A Layer 2 VPN has scalability limitations because all CPE routers are adjacent from a routing perspective, leading to processing overload as the number of customer sites grows, unless some routing hierarchy is introduced. In an MPLS VPN, each CPE router has a single routing peer, and has no direct interaction with the other CPE routers, therefore the processing load on customer routers is much reduced.


Figure 12 Motivation for MPLS VPNs (diagram: in a conventional Frame Relay or ATM VPN service the NOC provisions the VPN on the CPE routers and through the service provider network, and CPE routers A and B are routing peers; in an MPLS VPN service the NOC provisions the VPN only on the provider's edge LSRs, and each CPE router peers only with its serving provider router)


2.6 Architecture of MPLS-based IP-VPNs

MPLS VPNs operate from a service perspective at the IP layer, and classify routers inthe customer and service provider network into one of four types, as shown in Figure13. Customer Edge (CE) and Provider Edge (PE) routers operate at the boundary ofthe customer and service provider networks respectively.

Unlike the L2 VPN model, the CE and PE routers are peers from a routing perspective. The VPN functionality is centred on the PE router. The CE router typically requires no VPN-specific configuration, simply treating the PE router as the next hop router in a ‘private’ network. The Provider routers (P) in the service provider core also have no knowledge of the VPN address or routing information, and simply provide transport across the core network. The Customer (C) routers are conventional enterprise routers, with no special relationship to the VPN service.

MPLS VPNs assume that the service provider operates an MPLS core between PE routers to which customers attach, and that this core has mechanisms for the establishment of LSPs between these edge routers. The MPLS core LSPs may have been manually provisioned, or may have been established by one of the other MPLS control plane mechanisms. All of this is independent of the MPLS VPN service, but this infrastructure is required for the MPLS VPN model of RFC 2547 to operate.

This separation of the core routing from the VPN functionality that MPLS VPNsachieve is possible because the MPLS VPN architecture uses label stacking totunnel a customer’s VPN traffic across the MPLS core. Decisions about how to switchthe traffic are made at the originating PE router, which understands both the customerVPN locations, and the LSPs in place across the core. Therefore it can apply a pair oflabels as traffic enters the network from customer sites.

The inner label is a VPN label, and allows the traffic to be routed to the correctcustomer site at the destination PE router. This label is not examined or changed bythe core routers.

The outer label is a conventional LSP label, which allows the packet to be switchedacross a trunk LSP through the network core which joins the PE routers. This label isexamined and modified at the core routers, and operates like a conventional virtualcircuit identifier.


Figure 13 Architecture of MPLS VPNs (diagram: customer router, CE router, PE router, provider routers (LSRs), PE router, CE router, customer router. A conventional IP packet from the customer is carried across the core inside an MPLS label stack: the inner label 1 is the VPN label and is unchanged throughout; the outer label (2, then 3, then 4) is the MPLS trunk label, swapped at each provider router. A conventional IP packet is delivered to the customer at the far side. PE = Provider Edge, CE = Customer Edge.)


2.7 MPLS VPN Operation

To set up an MPLS VPN, a service provider provisions the service at the PE routersserving that customer’s sites only. No configuration of non-serving PE routers, or ofthe core routers, is required. Conventional Interior Gateway Protocols (IGP) runningbetween Provider and Provider Edge routers propagate reachability within the serviceprovider core, and conventional MPLS techniques are used to establish the trunkLSPs between PE routers. All of this is independent of the VPN service.

The VPN service itself is controlled by a routing overlay that does not interact with the core network routing and switching.

Once the VPN sites have been configured within the PE routers, the PE routers learn which customer networks are reachable at the directly connected customer site. These customer routes may be statically configured by the service provider, or learnt through a conventional routing protocol running between the PE and CE routers. This information is stored in what are logically per-VPN routing tables, by attaching a VPN Identifier to the routing entries that is unique to each customer VPN.

The per-VPN routing table entries held in the PE routers are propagated between all PE routers in the service provider network using Multiprotocol Border Gateway Protocol (MP-BGP). The PE routers therefore operate rather like conventional iBGP peers advertising external reachability. As the number of PE routers and customer sites grows, scalability of the MPLS/VPN approach can be improved by normal BGP mechanisms, such as use of BGP route reflectors.

Traffic is forwarded between PE routers serving different sites of a VPN by MPLS label stacking. The originating PE router attaches a label for the destination IP address within the relevant VPN, followed by a label for the LSP across the core to the relevant PE router. The outer label is used to switch the packet across the service provider core without the core network needing any awareness of customer VPN routing. Subsequently, at the destination PE router, the VPN-specific label is used to direct the packet to the appropriate local VPN site.

Moves and changes to sites on an existing VPN are automatically propagated once the PE router serving the affected sites has been configured.
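The label-stack handling described in sections 2.6 and 2.7, as an added Python example that is not code from the manual: it packs the RFC 3032 shim header, pushes a trunk label over a VPN label at the ingress PE, swaps only the outer label at each core LSR, and reads the untouched inner label back at the egress PE. The label values, swap tables and VPN name are constructed.

```python
"""MPLS VPN label stacking (sections 2.6 and 2.7), simulated end to end.
The ingress PE pushes a two-label stack, each core LSR rewrites only the outer
(trunk) label, and the egress PE uses the inner (VPN) label to select the
customer's per-VPN routing table. Added example, not code from the manual;
label values, router tables and VPN names are constructed."""
from __future__ import annotations

import struct
from dataclasses import dataclass


@dataclass
class Label:
    """One 32-bit MPLS shim header (RFC 3032 layout):
    20-bit label | 3-bit EXP | 1-bit S (bottom of stack) | 8-bit TTL."""
    value: int
    exp: int = 0
    bos: bool = False
    ttl: int = 64

    def pack(self) -> bytes:
        if not 0 <= self.value < (1 << 20):
            raise ValueError("label value must fit in 20 bits")
        word = (self.value << 12) | (self.exp << 9) | (int(self.bos) << 8) | self.ttl
        return struct.pack("!I", word)

    @classmethod
    def unpack(cls, data: bytes) -> "Label":
        (word,) = struct.unpack("!I", data[:4])
        return cls(word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 0x1), word & 0xFF)


def push_stack(labels: list[Label], ip_packet: bytes) -> bytes:
    """Ingress PE: prepend the labels outermost first; the last one gets S=1."""
    last = len(labels) - 1
    shims = [Label(l.value, l.exp, i == last, l.ttl) for i, l in enumerate(labels)]
    return b"".join(s.pack() for s in shims) + ip_packet


def read_stack(packet: bytes) -> tuple[list[Label], bytes]:
    """Walk the stack until the S bit; return the labels and the IP payload."""
    labels, offset = [], 0
    while True:
        label = Label.unpack(packet[offset:offset + 4])
        labels.append(label)
        offset += 4
        if label.bos:
            return labels, packet[offset:]


def lsr_swap(packet: bytes, swap_table: dict[int, int]) -> bytes:
    """Core LSR: swap the top label and decrement its TTL. Nothing below the
    top label is examined, which is what keeps the core VPN-unaware."""
    top = Label.unpack(packet)
    top.value = swap_table[top.value]
    top.ttl -= 1
    return top.pack() + packet[4:]


def pe_egress(packet: bytes, vpn_table: dict[int, str]) -> tuple[str, bytes]:
    """Egress PE: pop the trunk label, then map the VPN label to a VRF name."""
    labels, ip_packet = read_stack(packet)
    if len(labels) != 2:
        raise ValueError(f"expected a two-label stack, got {len(labels)}")
    _trunk, vpn = labels
    return vpn_table[vpn.value], ip_packet


def forward_across_core(ip_packet: bytes, vpn_label: int, trunk_label: int,
                        lsr_tables: list[dict[int, int]],
                        vpn_table: dict[int, str]) -> tuple[str, bytes, list[int]]:
    """Run one packet PE -> LSRs -> PE; return (VRF, payload, outer-label trace)."""
    packet = push_stack([Label(trunk_label), Label(vpn_label)], ip_packet)
    trace = [Label.unpack(packet).value]
    for table in lsr_tables:
        packet = lsr_swap(packet, table)
        trace.append(Label.unpack(packet).value)
    vrf, payload = pe_egress(packet, vpn_table)
    return vrf, payload, trace


if __name__ == "__main__":
    # Constructed: VPN label 100 for customer "acme", trunk labels 200 -> 300 -> 400.
    vrf, payload, trace = forward_across_core(
        b"<constructed IPv4 packet>", vpn_label=100, trunk_label=200,
        lsr_tables=[{200: 300}, {300: 400}], vpn_table={100: "acme"})
    print(vrf, trace, payload)
```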


Figure 14  Operation of MPLS VPNs

(Figure: 1. VPN configuration from the NOC at the PE routers; 2. customer/SP routing protocol at each site; 3. MP-BGP propagation of VPN routes and labels between PE routers; 4. forwarding of customer traffic in a label stack.)


2.8 Motivation for Encryption-based IP-VPNs

Encryption-based VPNs achieve the separation of a customer’s traffic from that of other customers and the shared network infrastructure by using the mathematics of secret and/or Public Key Cryptography (PKC). The basic building blocks of cryptography are used to provide a set of security services in the encryption-based VPN approach. IPSec technology was developed because there was a perceived need to be able to secure traffic at the IP layer that was travelling across a variety of networks. VPNs are only one example of the use of IPSec, just as MPLS is used for other than VPN applications.

The IPSec VPN approach is typically attractive to organizations with a strong security focus, for example financial organizations, healthcare organizations and government departments.

IPSec VPNs can provide end-point authentication, data integrity, and data confidentiality services on a per-packet basis between two IPSec peers².

² It is common in the cryptographic community to use Alice and Bob as the intended communicators on a secure channel. By convention, Eve is an eavesdropper, and Mallory is an active attacker.


Figure 15  Encryption-based VPN Security Services

(Figure: ‘Alice’, the IPSec VPN user (source), and ‘Bob’, the IPSec VPN user (destination), with the intended communication requiring confidentiality, integrity and authenticity; ‘Eve’ / ‘Mallory’ threaten it through interception, modification and masquerading.)


2.9 Secret Key Cryptography

Traditionally secret key encryption has been used in military and government systems to protect the confidentiality of data in transit.

The mathematics of secret key cryptography have changed very little in hundreds of years, but as processing power has increased, the cryptographic strength needed by an algorithm for it to be considered secure has increased dramatically.

Secret key cryptography uses a symmetrical algorithm and a secret key known only to the sender and recipient. A plaintext message to be sent across an insecure channel is encrypted using the secret key and the algorithm. The receiver is able to recover the plaintext message provided they have the ciphertext, the algorithm and the secret key that was used to encrypt it.

Secret key cryptography is widely used in many systems, and there are various algorithms available, some of which are government approved and licensed. Examples include the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES).

Although secret key encryption is secure and efficient, the distribution of secret keys to the communicators has always been problematic. While government and military organizations could achieve this through their highly structured organizations, secret key encryption is extremely difficult to implement in less controlled environments.

2.10 Public Key Cryptography (PKC)

In the early 1970s, a new approach to cryptography called Public Key Cryptography was proposed and proved for the first time, and has subsequently revolutionized the use of encryption.

Public key systems use an asymmetric encryption approach. Two matching keys are generated, such that a message encrypted with one key of the pair can only be decrypted using the other, matching key. While the public key is freely distributed, the private key is closely guarded. Because someone sending a secure message only needs the recipient’s public key, the key distribution problem is much simplified.

Examples of public key algorithms include the Rivest, Shamir and Adleman (RSA) algorithm, and the Diffie-Hellman (DH) algorithm.

The main role of public/private key encryption is in solving the key distribution problem. It is computationally much less efficient than secret key encryption, and so hybrid systems combining both techniques are commonly developed.
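The hybrid system that sections 2.9 and 2.10 lead up to, as an added Python example (not code from the manual): Alice protects the message with a symmetric algorithm under a fresh session key and wraps only that key with Bob's public key. The RSA is unpadded textbook RSA over two constructed Mersenne primes, and the symmetric cipher is a SHA-256 counter-mode keystream with an HMAC tag; both are assumptions chosen to run with the standard library and show the mechanics, not a substitute for a vetted library.

```python
"""Hybrid encryption as outlined in 2.9 and 2.10: the message is protected by a
symmetric algorithm under a fresh secret (session) key, and only that short key
is wrapped with Bob's public key, so key distribution reduces to Bob publishing
one public key. Added example, not code from the manual. Textbook (unpadded)
RSA over constructed primes and a SHA-256 counter-mode keystream with an HMAC
tag stand in for real algorithms such as RSA-OAEP and AES."""
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed key material: p = 2^61 - 1 and q = 2^89 - 1 are both prime, so
# n = p*q is about 150 bits, large enough to wrap a 16-byte session key.
P = (1 << 61) - 1
Q = (1 << 89) - 1
KEY_LEN = 16


def rsa_keygen(p: int = P, q: int = Q, e: int = 65537):
    """Return ((n, e), (n, d)): Bob's public key and private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def rsa_wrap(session_key: bytes, public_key: tuple[int, int]) -> int:
    """Encrypt the session key with Bob's public key; only his private key undoes it."""
    n, e = public_key
    m = int.from_bytes(session_key, "big")
    if m >= n:
        raise ValueError("session key too large for this modulus")
    return pow(m, e, n)


def rsa_unwrap(wrapped: int, private_key: tuple[int, int]) -> bytes:
    n, d = private_key
    return pow(wrapped, d, n).to_bytes(KEY_LEN, "big")


def derive_keys(session_key: bytes) -> tuple[bytes, bytes]:
    """Separate encryption and integrity keys from the one shared secret."""
    enc = hashlib.sha256(b"enc" + session_key).digest()
    mac = hashlib.sha256(b"mac" + session_key).digest()
    return enc, mac


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric part: XOR data with SHA-256(key || nonce || counter) blocks.
    The same call encrypts and decrypts, as with any one-secret-key algorithm."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], block))
    return bytes(out)


def alice_send(plaintext: bytes, bob_public: tuple[int, int]) -> dict:
    """Alice: fresh session key, symmetric encryption, integrity tag, wrapped key."""
    session_key = os.urandom(KEY_LEN)
    nonce = os.urandom(12)
    enc_key, mac_key = derive_keys(session_key)
    ciphertext = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"wrapped_key": rsa_wrap(session_key, bob_public), "nonce": nonce,
            "ciphertext": ciphertext, "tag": tag}


def bob_receive(message: dict, bob_private: tuple[int, int]) -> bytes:
    """Bob: unwrap the session key, check the tag (catches Mallory's
    modifications), then decrypt."""
    session_key = rsa_unwrap(message["wrapped_key"], bob_private)
    enc_key, mac_key = derive_keys(session_key)
    expected = hmac.new(mac_key, message["nonce"] + message["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, message["tag"]):
        raise ValueError("integrity check failed: message was modified in transit")
    return keystream_xor(enc_key, message["nonce"], message["ciphertext"])


if __name__ == "__main__":
    bob_public, bob_private = rsa_keygen()
    msg = alice_send(b"constructed plaintext: transfer approved", bob_public)
    print(bob_receive(msg, bob_private))
```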


Figure 16  Secret and Public Key Cryptography

(Figure: in secret key cryptography, ‘Alice’ turns the plaintext message into ciphertext with the algorithm and the secret key, and ‘Bob’ recovers the plaintext with the same algorithm and the same secret key; in public key cryptography, ‘Alice’ encrypts with the public/private key algorithm under Bob’s public key, and ‘Bob’ decrypts with the public/private key algorithm under Bob’s private key.)


2.11 IPSec Operation

IPSec is normally used with IKE (Internet Key Exchange), so that the negotiation and configuration of IPSec tunnels can be largely automated.

In order to protect traffic between two IP devices using IPSec, an IPSec Security Association (SA) is established between the IPSec endpoints. This SA defines all of the parameters of the IPSec session, including:

• which modes of IPSec are to be used, including tunnel or transport, and ESP or AH

• which algorithms are to be used for key generation, encryption and authentication

• various timers that control the regeneration of key material and expiry of the SA

• policy filters that specify whether particular traffic should bypass the IPSec tunnel or be passed through IPSec

In order to establish an IPSec SA, a number of steps are necessary:

• the candidate end points for the association are configured with the policy setting to be applied to any SA established, and the definition of traffic that should be passed through an IPSec association

• once a host has traffic that requires IPSec protection (based upon the traffic definition in the device), an IKE session is negotiated between the hosts. This is essentially a special IPSec tunnel used to carry IKE traffic only. This is known as IKE Phase One

• once the IKE Phase One association is in place, an IPSec SA for the actual traffic can be negotiated. This is known as IKE Phase Two

• once the IPSec tunnel is in place, traffic can flow across the tunnel. After a period of inactivity, or when the SA lifetime parameter expires, the IPSec tunnel is cleared
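The policy filters and SA lifecycle described in these steps, as an added Python simulation that is not code from the manual: a policy database decides per packet whether traffic bypasses IPSec, is protected or is dropped; protected traffic needs a live SA, which is negotiated when missing and cleared on idle timeout or lifetime expiry. The policies, addresses, SPI values, algorithm names and timers are constructed, and the policy/SA split follows the IPSec architecture of RFC 4301 rather than any product.

```python
"""IPSec policy filters and SA lifetimes (section 2.11) as a small simulation.
Added example, not code from the manual; policies, addresses, SPIs, algorithm
names and timer values are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Policy:
    """One policy-database entry: traffic selectors plus an action."""
    src_net: str
    dst_net: str
    action: str                     # "PROTECT", "BYPASS" or "DISCARD"
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


def spd_lookup(spd: list[Policy], pkt: Packet) -> str:
    """First matching entry wins; traffic matching nothing is dropped (fail closed)."""
    for policy in spd:
        if policy.matches(pkt):
            return policy.action
    return "DISCARD"


@dataclass
class SecurityAssociation:
    """The parameters the text lists: mode, protocol, algorithms and timers."""
    spi: int
    mode: str                       # "tunnel" or "transport"
    protocol: str                   # "ESP" or "AH"
    encryption: str
    authentication: str
    established: float
    lifetime: float                 # seconds until the SA expires and must be rekeyed
    idle_timeout: float             # seconds of inactivity after which it is cleared
    last_used: float = 0.0

    def __post_init__(self) -> None:
        self.last_used = self.established

    def expiry_reason(self, now: float) -> Optional[str]:
        if now - self.established >= self.lifetime:
            return "lifetime expired"
        if now - self.last_used >= self.idle_timeout:
            return "idle timeout"
        return None


class IPSecEndpoint:
    """One peer: holds its policy database and at most one SA to the other peer."""

    def __init__(self, spd: list[Policy], lifetime: float, idle_timeout: float) -> None:
        self.spd = spd
        self.lifetime = lifetime
        self.idle_timeout = idle_timeout
        self.sa: Optional[SecurityAssociation] = None
        self.next_spi = 0x1000
        self.ike_runs = 0           # how many times Phase One/Two had to run

    def _negotiate(self, now: float) -> SecurityAssociation:
        # Stands in for IKE Phase One (protected IKE channel) then Phase Two (this SA).
        self.ike_runs += 1
        sa = SecurityAssociation(self.next_spi, "tunnel", "ESP", "AES-128-CBC",
                                 "HMAC-SHA1", now, self.lifetime, self.idle_timeout)
        self.next_spi += 1
        return sa

    def handle(self, pkt: Packet, now: float) -> tuple[str, Optional[int], str]:
        """Return (action, SPI used or None, note) for one packet seen at time `now`."""
        action = spd_lookup(self.spd, pkt)
        if action != "PROTECT":
            return action, None, "policy"
        note = "existing SA"
        if self.sa is not None and (reason := self.sa.expiry_reason(now)):
            self.sa, note = None, f"SA cleared ({reason}); renegotiated"
        if self.sa is None:
            self.sa = self._negotiate(now)
            note = "new SA" if note == "existing SA" else note
        self.sa.last_used = now
        return action, self.sa.spi, note
```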


2.12 IPSec Gateway Location

The normal position for IPSec gateway devices is at the boundary between the private and public network. Where the enterprise builds and operates an IPSec VPN itself, gateways will normally be behind an Internet firewall. Where a service provider installs and operates the VPN gateway, this may be on the customer premises, or at the local PoP.

IPSec capability is widely supported in network devices, in operating systems and in applications. Because IPSec places no requirements on the network infrastructure (unlike the MPLS VPN approach), it can be deployed between any two devices that can operate IPSec.

2.13 Products Supporting IPSec

In practice, IPSec is normally deployed on one of four types of platform.

2.13.1 Routers

IPSec functionality is often included in the capabilities of routers, or provided as an optional component in the software load. The border router connecting an enterprise to the public network can be used as an IPSec endpoint for Intranet and Extranet connections. These are typically not used to terminate dial-up users. Small access routers of the type used for home workers and branch offices increasingly have an IPSec VPN capability, and make effective branch office VPN endpoints, connecting to a VPN gateway at headquarters.

2.13.2 Firewalls

The main firewall vendors all support VPNs using IPSec on their products. Because these devices are already extensively tested from a security perspective, and are located at the boundary between the private and public network, they can provide an effective VPN gateway for remote access, Intranet and Extranet VPNs. For remote access, the firewall vendor may offer a remote access client application that is loaded on the PC connecting to the gateway.


Figure 18  VPN Platforms and Supported Applications

(Figure: remote access client, software-only endpoints, firewalls and dedicated VPN gateways, each shown with the intranet and extranet applications it supports.)


2.13.3 Dedicated VPN Gateways

Dedicated VPN gateways typically have some routing and firewall functionality, but are primarily designed to make configuration and operation of VPNs using IPSec as simple and scalable as possible. These devices are typically deployed at the boundary of the corporate and public network, often in the De-Militarized Zone (DMZ), so that Intranet, Extranet and remote access VPN endpoints can access the gateway. The product vendor normally supplies a software VPN client for use in remote access applications.

2.13.4 Operating Systems

Since the launch of Windows 2000 Professional™ and Server™, Microsoft™ has included IPSec VPN functionality in their operating system products. The Routing and Remote Access Server (RRAS) component of their server products can act as a gateway for multiple remote access clients, and intranet and extranet configurations between machines are also possible.

Other operating systems typically do not include IPSec VPNs as standard; however, products and open source software are available to implement these on most varieties of Unix.

Each type of platform has strengths and weaknesses, which will make it more or less suitable for a given set of requirements.


Figure 18 (repeated)  VPN Platforms and Supported Applications


Figure 19  Generic Security Services (revisited)

(Figure: as Figure 15: ‘Alice’ and ‘Bob’ as IPSec VPN user (source) and (destination), the intended communication requiring confidentiality, integrity and authenticity; ‘Eve’ / ‘Mallory’ threatening it through interception, modification and masquerading.)


3.2 Quantifying the Risk

Knowing there is a risk and being able to mitigate it with a proportionate response requires an organization to quantify (at least to some degree) that risk. A common view of risk is that it is a function of threat, vulnerability and impact.

Risk = f (threat, vulnerability, impact)

3.2.1 Threat

Threat can be considered to be the likelihood that some person or persons will attempt to compromise your information. Sources of threat may include competitors, journalists, internal staff and even activists.

3.2.2 Vulnerability

This is a measure of what potential vulnerabilities exist in the system that is protecting the information you care about. What are the mechanisms that you rely on to protect your information and just how well designed and implemented are they?

3.2.3 Impact

If your information is compromised, do you care? What are the outcomes (from a financial perspective as well as reputation) to the business?

Some case studies are given later, but in its simplest form, a business with an aggressive competitor, numerous ways for its data to be compromised and a significant likelihood of lost business and/or revenue if such a compromise took place has a lot to consider. A business that perceives no threat, is confident their information cannot be compromised and cares little if it actually is, probably has little to worry about (apart from being extremely naive!).


Figure 20  Security Threats, Vulnerabilities and Impacts

(Figure: threats: organized crime, past employee, present employee, competitor, hacker, investigative journalist; vulnerabilities: the business network, removable media, e-mail, WWW; impacts: lost customers and revenue, fraud, bad publicity, business failure.)


3.3 Basic Countermeasures

3.3.1 Identification and Authentication

One of the most widely known security countermeasures is the ubiquitous logon. To ensure only those that are authorized to access information do so, mechanisms to check a user’s authenticity are employed. This can be something you know, have or are, but traditionally has been a username and password. However, increasing use is being made of tokens and smart cards (something you have) and a significant amount of research is being undertaken into technologies such as biometrics (something you are). This includes fingerprints, retina scanning and face recognition.

3.3.2 Access Control

Once authenticated, users may still want to ensure only certain individuals can access sensitive information, and this is often enforced using access controls on files and folders. It is usual for these controls to be Discretionary (i.e. the file/folder owner can set access rights). Such controls are often implemented using a technique known as Access Control Lists, which allow the file/folder owner to list those with explicit allow and deny permissions.

3.3.3 Accounting and Audit

In order to detect when actual or potential breaches in security occur, accounting is often performed and this data then audited at regular intervals to highlight any potential breach. Information is recorded such as who has logged on, when, from where and the actions they undertook while online, e.g. sent an e-mail, tried to access a file they didn’t have authorized access to. This data can be kept for a significant period of time and used at a later date to identify patterns over time or investigate users’ actions when they come under suspicion some time in the future.

Figure 21 shows examples of each of these functions from Microsoft Windows 2000™, but similar functions are available in all multi-user operating systems.


Figure 21  An Example of Security Services in Operation

(Figure: Microsoft Windows 2000 screenshots of the identification and authentication, access control, and accounting and audit functions.)


3.4 Other Countermeasures – Security Appliances

3.4.1 Firewalls

Firewalls are the most widely used security appliance. A firewall is a device that protects one network from another, offering a controlled path between the two and providing a strong barrier to ensure that controlled path isn’t bypassed. Firewalls can come in a number of varieties.

The simplest type of firewall is known as a stateless packet filter, where individual packets are compared against a set of rules and allowed based on those rules.

These devices are often the quickest as they only have to decode and examine the IP header of each packet, but they offer the least security.

More sophisticated is a stateful inspection firewall that allows more complex rules and the ability to control access based on the type of application being allowed or denied. These are perhaps the most common these days as they allow for some sophistication in the rule set but are still relatively quick.

The most comprehensive of firewalls is known as a proxy firewall. Rather than connecting to the actual destination host (be it a web server, mail server or other device), a proxy firewall requires you to connect to it and allow it to act on your behalf by forwarding your requests on to the intended server. Using proxy servers often requires the client software (e.g. a web browser) to be aware of its existence and be configured accordingly, although transparent proxies are becoming increasingly popular, allowing client programs to be unaware that a proxy is acting on their behalf.
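The stateless versus stateful distinction above, worked on the Figure 22 scenario (outbound web browsing allowed, inbound WWW connections blocked) as an added Python example that is not code from the manual; the rules, addresses and packets are constructed.

```python
"""Stateless packet filter versus stateful inspection (section 3.4.1) on the
Figure 22 scenario: corporate hosts may browse the web, inbound WWW connections
are blocked. Added example, not code from the manual; rules, addresses and
packets are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str          # "out" (corporate -> public) or "in" (public -> corporate)
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False       # TCP SYN without ACK marks a new connection attempt
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    direction: str
    dport: Optional[int] = None     # None = any
    sport: Optional[int] = None     # None = any
    action: str = "ALLOW"

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.dport in (None, pkt.dport)
                and self.sport in (None, pkt.sport))


class StatelessFilter:
    """Each packet is judged on its own header; first matching rule wins, else deny."""

    def __init__(self, rules: list[Rule]) -> None:
        self.rules = rules

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "DENY"


class StatefulFilter:
    """Outbound connections are remembered; an inbound packet is allowed only
    when it belongs to a connection that a corporate host opened."""

    def __init__(self, outbound_rules: list[Rule]) -> None:
        self.rules = outbound_rules
        self.table: set[tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            for rule in self.rules:
                if rule.matches(pkt):
                    if rule.action == "ALLOW" and pkt.syn and not pkt.ack:
                        self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                    return rule.action
            return "DENY"
        # Inbound: allowed only as the reverse of a tracked connection.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "ALLOW"
        return "DENY"


# Stateless: to let web replies back in, a second rule must admit every inbound
# packet whose source port is 80, whether or not anyone inside asked for it.
STATELESS_RULES = [Rule("out", dport=80), Rule("in", sport=80)]
# Stateful: only the outbound rule is needed; replies are inferred from state.
STATEFUL_RULES = [Rule("out", dport=80)]


def compare(packets: list[Packet]) -> list[tuple[str, str]]:
    """Return (stateless decision, stateful decision) for each packet, in order."""
    stateless = StatelessFilter(STATELESS_RULES)
    stateful = StatefulFilter(STATEFUL_RULES)
    return [(stateless.decide(p), stateful.decide(p)) for p in packets]
```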

3.4.2 Intrusion Detection Systems (IDS)

Intrusion detection technologies are a relatively new security technology but are becoming increasingly popular. The aim of IDS is to detect (and, as the technology develops, defend) against network intrusions.

There are two types of IDS, host based and network based. As the name suggests, host-based systems protect a single host and monitor incoming and outgoing network activity for malicious activity. Network-based systems run as sensors on the network itself, monitoring all network traffic for malicious activity.

The main underlying technology behind current IDS systems is signature based and (as with virus scanners), being able to detect the latest attacks relies on having the latest signatures loaded. There are anomaly detection-based systems that try to learn the normal activity on a network and then detect when activity diverges from that profile. However, these systems are still in their infancy and tend to lead to a significantly high false positive rate (i.e. highlighting problems which are in fact innocuous behaviour).


Figure 22  Firewalls and Intrusion Detection Systems

(Figure: a corporate network and a public network separated by a firewall, with SMTP and HTTP (port 80) flows; the firewall configuration blocks inbound WWW connections in this example; an IDS probe monitors packets for signatures of hostile content.)


3.5 Other Countermeasures – Software Solutions

3.5.1 Virus Scanning

Virus scanners have been available for many years and the technology has changed little in that time. Their aim is to detect malicious software on a machine, either when it is run, copied from one media to another, or just resident on the machine’s internal hard disk drive.

Virus scanners operate in two basic modes – signature and heuristic. Signature mode means that files are scanned for known virus signatures. The major disadvantage of this technique is that the signatures need constant updating if you are to be protected from the latest viruses. Heuristic mode offers the most potential but is still less than perfect. The idea behind this technique involves scanning for certain code segments or operating system library calls within an executable and making assumptions about their intent. Unfortunately this is far from an exact science and has significantly less than a 100% success rate.

3.5.2 Content Scanning

This is a very similar technique to virus scanning but is done in a slightly different way. As organizations have rushed to connect their corporate networks to the Internet, the risk from malicious attachments to e-mail or malicious content on web pages has become a significant problem. Content scanners usually reside at the boundary between the Internet and a corporate network and filter all incoming e-mail and web content for malicious attachments, e.g. executables and feature-rich application documents, and malicious web pages, e.g. those containing malicious ActiveX, Java and other active web content.

These devices are increasingly becoming integrated with firewall products, offering a cheaper single solution (although the security benefits over more traditional architectures are limited).

There is also an increasing trend to outsource this functionality. Numerous companies are now offering to scan all incoming e-mails on an organization’s behalf. This can offer significant overhead savings (reduced cost of signature maintenance, for example) but care should be taken when choosing such a provider, and there is always a danger that you increase your risk in other areas by directing all incoming mail via another commercial company that has the potential at least to read it all!


Figure 23  Virus Scanning and Content Scanning

(Figure: client virus scanning, file server virus scanning and mail server virus scanning inside the corporate network, with an Internet firewall with content scanning towards the public network.)


3.6 Proportionality of Countermeasures

We have considered a number of countermeasures that mitigate some of the risks highlighted earlier. What is often hard to determine is which one (or combination) of these is appropriate and proportionate to the risk being considered.

When considering countermeasures, always consider the cost to your business of the compromise you are trying to prevent.

Example – firewalls don’t prevent content attacks

Organizations often deploy a firewall at the boundary of their corporate network and the Internet expecting it to mitigate all the risks associated with such a connection. However, with modern attacks becoming more application orientated, firewalls offer limited protection against such attacks and they can often leave organizations with a false sense of security. Meanwhile, their corporate secrets may leak out as a result of some malicious mail attachment that goes through the corporate firewall(s) unchecked.


Figure 24  Proportionality of Countermeasures

(Figure: countermeasures must be PROPORTIONATE to threats and impacts.)


Figure 25  Case Study 1: Opening up the Corporate Network

(Figure: ACME corporation connected via the Internet to a business partner, a supplier, customer 1 and customer 2. What are the security implications?)


3.8 Case Study 2 – Enabling B2C Transactions

ACME Corporation is keen to start selling their product via the Internet. What security implications are associated with such a plan?

3.8.1 Threats

• customers (wishing to get something for nothing)

• business rivals

• criminals

• script kiddies

• others

3.8.2 Vulnerabilities

• attack against the web server

3.8.3 Impact

• loss of business

• loss of reputation with customers and business partners

• loss of money

• loss of customer information (e.g. credit card numbers)

3.8.4 Countermeasures

• authentication of customers

• encrypted communications channel

• firewall between Internet and the web server

• Intrusion Detection System


Figure 26  Case Study 2: Operating an E-commerce Site

(Figure: ACME corporation’s e-commerce WWW server, reached by e-commerce customers over the Internet and fronting the ACME product database, customer database, order database, inventory database and invoicing. What are the security implications?)


3.9 Case Study 3 – Mobile Computing

ACME Corporation would like to allow their staff to work while away from the office. This will entail staff being able to access the corporate network from home or when working away from home. They want their staff to be able to either dial in via the PSTN and/or connect over the Internet. What security implications are associated with such a plan?

3.9.1 Threats

• internal staff

• competitors

• others

3.9.2 Vulnerabilities

• attack via the Internet connection itself

• attack via the dial-up connection

• attack via a trusted host

3.9.3 Impact

• loss of business

• compromise of proprietary information

3.9.4 Countermeasures

• firewall between Internet and corporate network

• VPN between staff PCs and corporate network

• Intrusion Detection System on corporate network

• security awareness training for staff


Figure 27  Case Study 3: Allowing Remote Access to the Corporate Network

(Figure: a mobile ACME employee reaching ACME internal systems over the Internet. What are the security implications?)


4 IPv6

4.1 Motivation for IPv6 Development

The current version of the IP protocol, IP version 4, has not changed significantly since it was first developed and standardized in RFC 791. However, despite the success of IPv4, there are some fundamental issues with the protocol in the current Internet:

• the massive growth of the Internet has threatened to exhaust the IPv4 32-bit address space, despite efforts to mitigate this using Network Address Translation

• the same growth has made conventional Internet routing tables extremely large and flat, despite attempts to make the address space more geographically significant through new address allocation policies and CIDR

• the configuration of IP devices is still too complicated, despite the widespread use of Dynamic Host Configuration Protocol (DHCP) to assist in this

• IP QoS and security services are often mutually exclusive when IPSec encryption is applied to IPv4 packets

IPv6 addresses these issues by providing:

• larger address space

• more hierarchical addressing, supporting hierarchical routing

• more flexible address configuration

• improved support for security and QoS features


Figure 28  Motivation for IPv6

                 IPv4                                    IPv6
Address space    32-bit address space                    128-bit address space
Structure        Mixed flat and hierarchical             Hierarchical address space
                 address space
Configuration    Manual configuration or                 Address autoconfiguration
                 DHCP configuration                      (link local, site local or global unicast)
Security         IPSec support is optional               IPSec support is mandatory


4.2 IPv4/IPv6 Co-existence

The migration of hosts and routers from IPv4 to IPv6 will take many years, and the original designers of the IPv6 protocol specifically required that IPv4 and IPv6 should be able to interoperate without requiring reconfiguration of other elements to support this. In other words, there should be excellent forwards and backwards compatibility between IPv4 and IPv6.

While the migration from IPv4 to IPv6 continues, a host or router may have only an IPv4 protocol stack, only an IPv6 protocol stack, or it may have both. In order to assist with migration, the following components are typically required in network devices and hosts:

• devices with a dual IP layer, so that communication with IPv4 and IPv6 hosts is possible during migration

• devices that can provide a gateway function between IPv4 and IPv6

• IPv6 over IPv4 tunnelling, so that IPv6 traffic can be carried across an IPv4 infrastructure

• an IPv4 and IPv6 DNS infrastructure, so that name resolution can be carried out for both forms of address
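The IPv6 over IPv4 tunnelling listed above is, on the wire, an IPv4 header carrying protocol number 41 around a complete IPv6 packet. The Python below is an added example, not part of the Wray Castle text: it builds such a frame, unwraps it, and applies the ingress check a statically configured tunnel endpoint normally makes, dropping frames whose outer source is not the configured peer. The addresses are documentation ranges chosen for the example.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv4 protocol number for IPv6 carried directly in IPv4 ("6in4")


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 when the header is valid)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate_6in4(ipv6_packet: bytes, src4: str, dst4: str, ttl: int = 64) -> bytes:
    """Wrap a complete IPv6 packet in a 20-byte IPv4 header with protocol 41."""
    if len(ipv6_packet) < 40 or ipv6_packet[0] >> 4 != 6:
        raise ValueError("payload is not an IPv6 packet")
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6_packet), 0, 0, ttl,
                         IPPROTO_IPV6, 0,  # checksum is filled in below
                         ipaddress.IPv4Address(src4).packed,
                         ipaddress.IPv4Address(dst4).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + ipv6_packet


def decapsulate_6in4(frame: bytes, expected_peer: str) -> bytes:
    """Validate the outer IPv4 header and return the inner IPv6 packet; the
    tunnel is a configured point-to-point link, so frames from any other
    outer source are dropped rather than decapsulated."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (frame[0] & 0x0F) * 4
    if ipv4_checksum(frame[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != IPPROTO_IPV6:
        raise ValueError("outer protocol %d is not 41" % frame[9])
    src4 = str(ipaddress.IPv4Address(frame[12:16]))
    if src4 != expected_peer:
        raise ValueError("tunnel frame from unexpected peer " + src4)
    inner = frame[ihl:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("inner payload is not an IPv6 packet")
    return inner


def sample_ipv6_packet() -> bytes:
    """Constructed 40-byte IPv6 header, 2001:db8::1 -> 2001:db8::2, next header 59 (none)."""
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       ipaddress.IPv6Address("2001:db8::1").packed,
                       ipaddress.IPv6Address("2001:db8::2").packed)
```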

4.3 IPv6 Product Availability

Although still not widely deployed in operational networks, IPv6 is now widely available in production software for hosts and network devices.


5.1 Public Service Wireless LANs

The increasing use of Local Area Networks has generated a market in private networks over the last five years for wireless access to the LAN, rather than use of a conventional structured wiring approach. The standards governing these wireless access networks are in the IEEE 802.11 series. There are currently four specifications in the family: 802.11, 802.11a, 802.11b, and 802.11g. All four use the ‘Ethernet’ protocol and CSMA/CD (Carrier Sense Multiple Access with Collision Detection) for path sharing.

The most recently approved standard, 802.11g, offers wireless transmission over relatively short distances at up to 54 Mbit/s compared with the 11 megabits per second of the 802.11b standard. Like 802.11b, 802.11g operates in the 2.4 GHz range and is thus compatible with it. The key components of the architecture are:

• a Wireless LAN Access Point provides a base station and connectivity to the network infrastructure

• a wireless LAN card in each host provides the client end of the wireless link

• a Service Set Identifier (SSID) is a sequence of characters that uniquely names a wireless local area network. This name allows stations to connect to the desired network when multiple independent networks operate in the same physical area

Public service WLAN Internet access has been offered for some time in North America, and since 2002 in the UK, through WLAN ‘hot-spots’. To offer the service, a network operator installs a WLAN access point in a public location, such as an airport departure lounge or a coffee shop. Subscribers typically purchase the service on a monthly plan, which provides them with a username and password. They configure the correct SSID for their service provider into their WLAN network card, and can then connect to the nearest available access point for that service provider. To enable the connection on each occasion, they typically browse to a login screen on a secure web server, where they enter their username and password. This allows the user to be authenticated to the network, and traffic from the MAC address of their network interface card will then be permitted through the access point for the duration of this connection. Some service providers allow casual use without a subscription, in which case the logon screen will include payment options for this session.

The security of WLAN has caused concern for some years. While the login approach described here makes fraudulent use of the service more difficult, it does not protect the user from a rogue access point, or their traffic from eavesdropping, or the user machine from attacks through the Internet. Corporate users are normally advised to operate an IP-VPN between their laptop and a corporate gateway to secure this type of service, and the user machine should run a personal firewall and virus scanning, as for any Internet-connected machine.
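The access-point side of the hot-spot login described above can be modelled in a few lines: before login a station can reach only the portal, and after a successful login frames from its MAC address are forwarded until the session expires. The Python below is an added example and not code from the Wray Castle text; the portal host name, the credential store and the audit log format are assumptions for the example. It makes visible the point the text goes on to make, that the grant is bound to nothing more than a MAC address.

```python
import hashlib
import hmac
from dataclasses import dataclass

PORTAL_HOST = "portal.example.net"   # assumed name of the operator's login web server


def password_hash(password: str) -> str:
    """Constructed credential store format; a real deployment uses a salted, slow hash."""
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Session:
    username: str
    expires_at: float


class HotspotGateway:
    """Access-point side of the login flow: before login a station can reach only the
    portal; after login, frames from its MAC address are forwarded until the session
    expires. The MAC address is the only thing the grant is bound to."""

    def __init__(self, password_hashes: dict, session_seconds: int = 3600):
        self._hashes = password_hashes           # username -> password_hash(password)
        self._ttl = session_seconds
        self._sessions: dict[str, Session] = {}   # MAC address -> Session
        self.audit: list[str] = []               # log lines an operator's NOC would collect

    def portal_login(self, mac: str, username: str, password: str, now: float) -> bool:
        """Check the credentials submitted on the HTTPS login form and bind the grant to mac."""
        expected = self._hashes.get(username, "")
        if not hmac.compare_digest(password_hash(password), expected):
            self.audit.append(f"{now:.0f} LOGIN_FAIL mac={mac} user={username}")
            return False
        self._sessions[mac] = Session(username, now + self._ttl)
        self.audit.append(f"{now:.0f} LOGIN_OK mac={mac} user={username}")
        return True

    def allow(self, mac: str, dst_host: str, now: float) -> bool:
        """Decide whether a frame from mac towards dst_host may pass the access point."""
        if dst_host == PORTAL_HOST:
            return True                          # the login page is always reachable
        session = self._sessions.get(mac)
        if session is None:
            return False                         # not logged in: only the portal is reachable
        if session.expires_at <= now:
            del self._sessions[mac]
            self.audit.append(f"{now:.0f} SESSION_EXPIRED mac={mac} user={session.username}")
            return False
        return True
```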

5 MOBILITY


Figure 30 Operation of Public Service Wireless LANs (sequence diagram; only the text recovered from the figure is kept)

Parties: Roaming user; MyISP wireless access point; Authentication server and web server; Authentication database.
Connections: WLAN connection (user to access point); SSL connection (user to web server); Internet access.
Messages shown: locate access point (SSID) / locate mobile (SSID); Connect to SSL server; Provide SSL certificate; Send login form; Submit <username, password>; login/authentication (web server to authentication database); Provide session key; Login successful; ‘Accept traffic from this MAC address’ (to the access point); General Internet access.


5.2 The IETF Architecture for Mobile IP

In many situations, an IP host is physically mobile, and must connect to different subnets over time. Where the host effectively reboots or resets higher-layer protocols between such moves, then DHCP is sufficient to provide a valid IP address on the current subnet. If the host must be reachable from the public Internet on the current IP address, then Dynamic DNS (DDNS) coupled with DHCP may be an acceptable solution.

In some situations, notably in GSM, GPRS and UMTS networks, an IP host needs transparency in the higher-layer protocols while roaming. In this case, the IETF Mobile IP architecture is appropriate. Mobile IP is intended to address ‘macro’ mobility issues, in other words roaming away from the normal home location. It is not intended to address ‘micro’ mobility issues, for example moving between base stations attached to the same switching centre.

The mobile IP architecture provides mobile stations with a home IP address, which is unchanging. When the host is roaming, it obtains an IP address from the network it is currently attached to, and returns this ‘care-of’ address to a home mobility agent. This may be done directly, or through a mobility agent on the foreign network (a foreign mobility agent).

Traffic for the roaming host is always sent to its home address, and this is the only address advertised for the host. When this traffic arrives at the home network, the home agent tunnels this traffic to the host at its ‘care of’ address. Traffic from the roaming host uses its home address as the sending address, so that return traffic always flows through the home agent.

A set of management messages is defined as part of the Mobile IP standards to allow the roaming host and the home agent to maintain the necessary addressing information. Security services are included in this management protocol to prevent masquerading, replay or other attacks based upon exploiting IP mobility.
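The home agent's side of this management exchange, as an added example that is not part of the Wray Castle text: a registration carries the care-of address, a lifetime and an identification value, protected by a keyed hash shared between mobile and home agent, and the home agent rejects requests whose hash does not verify (masquerading) or whose identification is not newer than the last one accepted (replay). Traffic arriving for the home address is then tunnelled to the care-of address. The choice of HMAC-SHA256, the message layout and the labels IPhome and IProam are assumptions for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass


def registration_authenticator(key: bytes, home: str, care_of: str,
                               lifetime: int, ident: int) -> bytes:
    """Keyed hash over the registration fields, computed by both the mobile node
    and the home agent (the authentication extension; HMAC-SHA256 is an assumption)."""
    msg = f"{home}|{care_of}|{lifetime}|{ident}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class Binding:
    care_of: str
    expires_at: int


class HomeAgent:
    """Home mobility agent: validates registrations, keeps the home address to
    care-of address binding, and tunnels traffic arriving for the home address."""

    def __init__(self, shared_keys: dict):
        self._keys = shared_keys                  # home address -> key shared with that mobile
        self._bindings: dict[str, Binding] = {}
        self._last_ident: dict[str, int] = {}     # highest identification accepted per mobile

    def register(self, home: str, care_of: str, lifetime: int, ident: int,
                 authenticator: bytes, now: int) -> bool:
        key = self._keys.get(home)
        if key is None:
            return False                          # unknown mobile
        expected = registration_authenticator(key, home, care_of, lifetime, ident)
        if not hmac.compare_digest(expected, authenticator):
            return False                          # forged or corrupted request (masquerading)
        if ident <= self._last_ident.get(home, -1):
            return False                          # identification not fresh: replayed request
        self._last_ident[home] = ident
        if lifetime == 0:
            self._bindings.pop(home, None)        # deregistration: the mobile is back home
        else:
            self._bindings[home] = Binding(care_of, now + lifetime)
        return True

    def deliver(self, dst_home: str, payload: bytes, now: int):
        """Traffic arriving at the home network for dst_home: return the tunnelled packet
        (outer destination is the care-of address), or None when the host is at home."""
        binding = self._bindings.get(dst_home)
        if binding is None or binding.expires_at <= now:
            return None
        return {"outer_dst": binding.care_of, "inner_dst": dst_home, "payload": payload}
```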


Figure 31 Mobile IP Architecture (diagram; only the labels recovered from the figure are kept)

Networks: Home network; Internet; Foreign network.
Elements: Mobile station on home network (home IP address is IPhome); Mobile station on foreign network (roaming IP address is IProam); Home mobility agent (address is IPhma); Foreign mobility agent; Internet host (address is IPhost).
Flows: From IPhome to IPhost; To IPhome from IPhost; To/from IPhma and IProam; To/from IPhome and IPhost.


1 Explain how QoS engineering differs between circuit-switched, virtual circuit, and datagram networks.

2 RSVP is used as part of the IntServ architecture to:

a establish the path traffic will take through the network
b state the traffic requirements in terms of bandwidth, etc
c request the reservation of resources within the network for a specific flow
d do all of the above

3 Explain the difference between IntServ and DiffServ architectures. Which is more common in service provider networks?

4 MPLS can support IP QoS by:

a mapping the DiffServ DS field into the MPLS equivalent
b providing a separate MPLS LSP for each DiffServ CoS
c MPLS cannot support IP QoS
d the approaches in A and B are both possible

5 An IP-VPN can be used to implement:

a intranets
b extranets
c remote Access VPNs
d all of the above

6 MPLS VPNs:

a require an MPLS core to operate
b benefit from networks with an MPLS core, but it is not essential
c can operate across any core technology, including MPLS, ATM and Frame Relay
d require a private network for each customer, otherwise privacy cannot be achieved

6 SECTION 4 QUESTIONS


7 IPSec VPNs are based upon encryption services. For VPN users these provide:

a data confidentiality
b guaranteed service availability
c prevention of denial of service attacks
d virus checking, but at the VPN gateways only

8 MPLS and IPSec VPNs have different deployment possibilities:

a MPLS and IPSec are both widely built and operated by private enterprises
b IPSec is widely built by private enterprises, but MPLS solutions must be provided by service providers
c MPLS can be built by private enterprises, but IPSec solutions must be provided by service providers
d both IPSec and MPLS VPNs are pure service provider technologies, and cannot be implemented by private enterprises

9 Quantifying the risk in security terms is best expressed by:

a risk is a function of threat, vulnerability and impact
b risk is a function of threat and vulnerability
c risk is always there, so maximizing the countermeasures at each point in the network is the best approach
d risk is mainly from outsiders, so an effective firewall is the main precaution that is necessary


Glossary of Terms


AAL ATM Adaptation Layer
ABR Area Border Router
ADSL Asymmetric Digital Subscriber Line
AES Advanced Encryption Standard
AH Authentication Header
ARPA Advanced Research Projects Agency
AS Autonomous System
ASBR Autonomous System Border Router
ASN Autonomous System Number
ASP Active Server Page
ATM Asynchronous Transfer Mode
AUP Acceptable Use Policies

B2B Business to Business
B2C Business to Customer
BAS Broadband Access Server
Bcc Blind carbon copy
BDR Backup Designated Router
BER Bit Error Rate
BGP Border Gateway Protocol
BGP4 Border Gateway Protocol Version 4

CAC Connection Admission Control
CE Customer Edge
CGI Common Gateway Interface
CHAP Challenge Handshake Authentication Protocol
CIDR Classless Interdomain Routing
CLEC Competitive Local Exchange Carrier
CNAME Canonical Name
CO Central Office
CoS Class of Service
CPE Customer Premises Equipment
CRC Cyclic Redundancy Checking
CSMA-CD Carrier Sense Multiple Access with Collision Detection
CSU/DSU Channel Service Unit/Data Service Unit


DCA Defence Communications Agency
DDN Defence Data Network
DDNS Dynamic Domain Name Service
DH Diffie-Hellman
DHCP Dynamic Host Configuration Protocol
DiffServ Differentiated Services
DLCI Data Link Connection Identifier
DMZ De-Militarized Zone
DNS Domain Name Server
DNS Domain Name System
DoS Denial of Service
DR Designated Router
DS Differentiated Services
DSLAM DSL Access Multiplexer
DTMF Dual Tone Multi Frequency

eBGP external BGP
EGP Exterior Gateway Protocol
ESP Encapsulating Security Payload

FDDI Fibre Distributed Data Interface
FEC Forwarding Equivalence Class
FQDN Fully Qualified Domain Name
FTP File Transfer Protocol

GoS Grade of Service
GPRS General Packet Radio Service
GSM Global System for Mobile communications

HDLC High-level Data Link Control
HSSI High-Speed Serial Interface
HTTP Hypertext Transfer Protocol


IAD Integrated Access Device
IANA Internet Assigned Number Authority
iBGP internal BGP
ICANN Internet Corporation for Assigned Names and Numbers
IDS Intruder Detection Systems
IEEE Institute of Electrical and Electronics Engineers
IETF Internet Engineering Task Force
IGP Interior Gateway Protocol
IGRP Interior Gateway Routing Protocol
IKE Internet Key Exchange
IMAP Interactive Mail Access Protocol
IMAP4rev1 Internet Message Access Protocol, Version 4 rev 1
IntServ Integrated Services
IP Internet Protocol
IPCP Internet Protocol Control Protocol
IPSec IP Security
IPSP IP Service Provider
IPv4 Internet Protocol version 4
IPv6 Internet Protocol version 6
IP-VPN IP Virtual Private Network
IR Internet Registry
ISDN Integrated Services Digital Network
IS-IS Intermediate System to Intermediate System
ISP Internet Service Provider
ITU International Telecommunication Union
IWF Interworking Function
IXP Internet Exchange Point

LAN Local Area Network
LANE LAN Emulation
LCP Link Control Protocol
LDP Label Distribution Protocol
LE Local Exchange
LER Label Edge Router
LIB Label Information Base
LSA Link State Advertisement
LSP Label Switched Path
LSR Label Switching Router


MAC Medium Access Control
Mbit/s Megabits per second
MDA Mail Delivery Agent
MDF Main Distribution Frame
MIL STD Military Standard
MIME Multipurpose Internet Mail Extensions
MP-BGP Multiprotocol Border Gateway Protocol
MPLS Multiprotocol Label Switching
MPOA Multiprotocol over ATM
MTA Message Transfer Agent
MUA Mail User Agent
MX Mail Exchanger

NAP Network Access Point
NAPT Network Address Translation/Port Address Translation
NAS Network Access Server
NAT Network Address Translation
NBMA Non-Broadcast Multiple Access
NCP Network Control Protocol
NLPID Network Layer Protocol Identification
NOC Network Operations Centre
NS Name Server
NSF National Science Foundation
NTP Network Termination Point
NTS Number Translation Services

OS Origin Server
OSI Open Services Interconnection
OSPF Open Shortest Path First


PAP Password Authentication Protocol
PAT Port Address Translation
PBX Private Branch Exchange
PDD Post Dial Delay
PDU Protocol Data Unit
PE Provider Edge
PHB Per Hop Behaviour
PHP Hypertext Preprocessor
PKC Public Key Cryptography
PoP Point of Presence
POP Post Office Protocol
POP3 Post Office Protocol Revision 3
POTS Plain Old Telephone Service
PPP Point-to-Point Protocol
PRI Primary Rate Interface
PSTN Public Switched Telephone Network
PVC Permanent Virtual Circuit

QoS Quality of Service

RADIUS Remote Authentication Dial-In User Service
RFC Request for Comments
RIP Routing Information Protocol
RIPE Réseaux IP Européens
RIR Regional Internet Registries
RRAS Routing and Remote Access Server
RSA Rivest, Shamir and Adleman
RSVP Resource Reservation Protocol

S/MIME Secure MIME
SA Security Association
SCP Service Control Point
SDH Synchronous Digital Hierarchy
SLIP Serial Line IP
SMTP Simple Mail Transfer Protocol
SNMP Simple Network Management Protocol
SOA Start of Authority
SP Service Provider
SRI-NIC Stanford Research Institute Network Information Centre
SS7 Signalling System No. 7
SSH Secure Shell
SSID Service Set Identifier
SSL Secure Socket Layer
SSP Service Switching Point
SVC Switched Virtual Circuit
