How the Internet Works
http://www.seed.net.tw
Agenda
  Internet topology
  Internet elements
    IP address & Autonomous System number: IPv4, IPv6, ASN attributes
    Router & switch
    Routing protocols: IGP, EGP
  Internet security
  Multiprotocol Label Switching (MPLS)
About the speaker
  Joined Seednet in 2000/12
  Maintained the network management platform from 2001/1
  Maintained the frame-relay backbone from 2001/4
  Maintained the domestic backbone from 2001/7
  Maintained domestic peering/transit circuits from 2002/8
  Maintained overseas peering/transit circuits from 2004/3
  Promoted in 2005/1
  Certifications: SCSA, SCNA (Solaris 8); CCIE #12740 (Routing & Switching); JNCIP #266
Internet topology
  [Diagram: the Internet drawn as a set of interconnected Autonomous Systems]
Internet elements: IP address
  IPv4: 32-bit address space
  IPv6: 128-bit address space
  Who allocates IP addresses? (the hierarchy, from the bottom up)
    Local Internet Registry (LIR): ISPs
    National Internet Registry (NIR): TWNIC in Taiwan, JPNIC in Japan
    Regional Internet Registry (RIR): APNIC in Asia/Pacific, ARIN in North America
    Internet Assigned Numbers Authority (IANA): top level of IP address and AS number assignment
Internet elements: IPv4 address attributes
  Class A, B, C, D, E
  Public/Private/Specialized IPv4 addresses
    Public IP address: routable on the Internet
    Private IP address (RFC1918): 10/8, 172.16/12, 192.168/16
    Specialized IPv4 address (RFC3330): assigned by IANA directly
Internet elements: IPv6 address attributes
  http://www.iana.org/assignments/ipv6-address-space (last update on 2006/2/27)

  IPv6 Prefix   Allocation             Reference
  0000::/8      Reserved by IETF       [RFC3513]
  0100::/8      Reserved by IETF       [RFC3513]
  0200::/7      Reserved by IETF       [RFC4048]
  0400::/6      Reserved by IETF       [RFC3513]
  0800::/5      Reserved by IETF       [RFC3513]
  1000::/4      Reserved by IETF       [RFC3513]
  2000::/3      Global Unicast         [RFC3513]
  4000::/3      Reserved by IETF       [RFC3513]
  6000::/3      Reserved by IETF       [RFC3513]
  8000::/3      Reserved by IETF       [RFC3513]
  A000::/3      Reserved by IETF       [RFC3513]
  C000::/3      Reserved by IETF       [RFC3513]
  E000::/4      Reserved by IETF       [RFC3513]
  F000::/5      Reserved by IETF       [RFC3513]
  F800::/6      Reserved by IETF       [RFC3513]
  FC00::/7      Unique Local Unicast   [RFC4193]
  FE00::/9      Reserved by IETF       [RFC3513]
  FE80::/10     Link Local Unicast     [RFC3513]
  FEC0::/10     Reserved by IETF       [RFC3879]
  FF00::/8      Multicast              [RFC3513]
Internet elements: Autonomous system
  On the Internet, an autonomous system is a collection of IP networks under the control of a single entity that presents a common routing policy to the Internet. See RFC1930 for details.
  Autonomous system number (ASN): a public AS has a globally unique number, an Autonomous System number (ASN), associated with it; this number is used both in the exchange of exterior routing information (between neighboring Autonomous Systems) and as an identifier of the AS itself.
Internet elements: ASN address space
  2-byte ASN
  4-byte ASN (in IETF draft)
  ASN attributes
    Public ASN: 1~64511 (0000000000000001~1111101111111111)
    Private ASN: 64512~65535 (1111110000000000~1111111111111111)
    Private ASNs are not routable on the Internet
Internet elements: Build ISP POPs (Points of Presence)
  [Diagram: one Autonomous System made up of several ISP POPs]
Internet elements: Network topology in an ISP POP
  Three-layer architecture: Core layer, Distribution layer, Access layer
  [Diagram: an ISP POP drawn with its core, distribution and access layers]
Internet elements: Core layer
  Use high-end routers in this layer
  Cisco Systems (CSCO): XR 12000 & 12000 series routers; CRS-1 Carrier Routing System
  Juniper Networks (JNPR):
    M series routers » M7i, M10i, M40e, M120, M320
    T series routers » T320, T640, TX Matrix
Internet elements: Core router, CSCO XR 12000 series router (product photo)
Internet elements: Core router, CSCO CRS-1 Carrier Routing System (product photo)
Internet elements: Core router, JNPR M-series router (product photo)
Internet elements: Core router, JNPR T-series router (product photo)
Internet elements: Distribution layer
  Keeps local traffic local
  Higher port density than a core router
  Much cheaper than a core router (per port)
  Use a router or an L3 switch
    Router: CSCO 7600 series router, JNPR MX960
    L3 switch: CSCO 6500 series switch, Foundry, Extreme
Internet elements: Distribution layer router, CSCO 7600 (product photo)
Internet elements: Distribution layer router, JNPR MX960 (product photo)
Internet elements: Distribution layer router, CSCO 6500 (product photo)
Internet elements: Access layer
  Faces the customers
  Aggregates many low-speed circuits into one or two high-speed circuits
    Facing the customer: T1, E1, ADSL
    Connecting to the distribution layer: FE, GE
  Use an access router or a Broadband Remote Access Server (BRAS)
    Router: CSCO 3700, 7200, 7300 series routers; JNPR M-series routers
    BRAS: Redback SmartEdge; JNPR E-series BRAS routing platform (ERX)
Internet elements: Access layer, CSCO 7200 series router (product photo)
Internet elements: Access layer, Redback SmartEdge (product photo)
Internet elements: Access layer, JNPR E-series routing platform (product photo)
Internet elements: Connecting the pieces
  How to connect the equipment inside a POP? The Ethernet family: Ten Gigabit Ethernet (10000Mbps), Gigabit Ethernet (1000Mbps), Fast Ethernet (100Mbps)
  How to connect the POPs to each other? Kinds of circuits: SONET/SDH based circuit, ATM or Frame-relay based circuit, Ethernet based circuit, DWDM based circuit, dark fiber
Internet elements: SONET/SDH based circuits
  SONET: ANSI/Telcordia standard; SDH: ITU-T standard; the major difference is in the framing structure
  Basic SONET framing unit: STS-1, 51.84Mbps; STS-1 frame size: 6480 bits
  Basic SDH framing unit: STM-1, 155.52Mbps; STM-1 frame size: 19440 bits
  Frame rate of SONET/SDH is 8000 frames/sec
  Use a mux/demux to package low-speed circuits (T1/E1/E3/T3/ATM/Ethernet) into SONET/SDH frames
  Advantage: low overhead. SONET/SDH overhead: 3.33%; ATM overhead: 9.43%
Internet elements: ATM, Frame-relay, Ethernet and DWDM based circuits
  ATM and Frame-relay based circuits
    Basic unit of an ATM circuit: the cell (fixed length of 53 bytes, 5 bytes of which are header); speed: from 155Mbps to 622Mbps
    Basic unit of a Frame-relay circuit: the frame; speed: from 64Kbps to 45Mbps
  Ethernet based circuits: Metro Ethernet
  DWDM based circuits: use different lambdas (λ) to carry different traffic; physical layer equipment
  Dark fiber
Internet elements: Routing protocols used by an ISP
  Interior Gateway Protocol (IGP): a set of routing protocols that are used within an autonomous system. Its opposite: Exterior Gateway Protocol (EGP)
  Routing protocol used among the ISP's POPs: 100% under the ISP's control; OSPF or IS-IS
  Routing protocol used between ISP and customer: a static route when there is only one circuit; RIP for multiple circuits
Internet elements: Distance Vector routing protocols
  Routing Information Protocol (RIP): RIPv1 (classful), RIPv2 (classless), RIPng (IPv6)
  Interior Gateway Routing Protocol (IGRP): Cisco Systems proprietary; adds other factors to route selection
Internet elements: Link State routing protocols
  Open Shortest Path First (OSPF): based on Dijkstra's Shortest Path First algorithm; drafted/standardized by the Internet Engineering Task Force (IETF); OSPFv2, OSPFv3 (IPv6)
  Intermediate System to Intermediate System (IS-IS): based on Dijkstra's Shortest Path First algorithm; drafted/standardized by the International Standards Organization (ISO)
  Enhanced IGRP: Cisco Systems proprietary; combines link state and distance vector routing protocol behaviour
Internet elements: Routing information exchange
  The access layer propagates customer routes to the distribution layer
  The distribution layer propagates/aggregates customer routes to the core layer
  The core layer exchanges routing information between POPs
  Scalability problem?
Seednet domestic backbone
  [Map: Seednet domestic backbone. POPs shown: Shiji, NeiHu, Taoyuan, Hsinchu, Yilan, Miaoli, Taichung, Changhwa, Nantou, Yungling, Chiayi, Tainan, Kaohsiung, Pingtong, Taitong, Hualian, Lanyu (蘭嶼), Green Island (綠島). Link types shown: OC3/STM-1, STM-4, GE, STM-16/fiber. Icon remark: router(s) of the POP]
Internet elements: How to connect to other ASNs?
  Use lots of circuits to connect to other ASNs: local loop, IPLC
  Colocate a core router in an Internet eXchange (IX) and use in-house wiring to peer with other ASNs; or use the public peering service of the IX
  NOT every ASN in the world will peer with you for free; mostly, free peering happens between two ISPs of similar scale
  Inbound/outbound traffic is not the key
Internet elements: Transit
  It is hard to peer with every ASN in the world: cost, cost, cost
  Transit service: an upstream ISP brings Internet traffic to a downstream ISP
  ISPs that don't need anyone to transit traffic for them: Tier-1 ISPs. There are 9 Tier-1 ISPs as defined by Wikipedia
Seednet exterior status
  [Map: Seednet exterior connectivity. Seednet POPs shown: Taipei, Taoyuan, Hsinchu, Taichung, Chiayi, Tainan, Kaohsiung. Neighbors shown: US, Hinet, China, TWIX, GSN, Gigamedia, Asia/HK/JP, JP (NTT), APTG, FLAG, MOECC (TANet), NCU (600M), NCTU, NCHU (600M), NCKU, NSYSU (600M), CCU (600M), ASCC. Link types shown: T3, 100M FE, 155M STM-1, GigabitEthernet, STM-4, STM-16. Icon remark: router(s) of the POP]
Internet elements: Routing exchange between ISPs
  Exterior Gateway Protocol (EGP): Border Gateway Protocol (BGP)
  BGP
    Currently: BGP version 4
    Lots of attributes for routing control
    Distance Vector routing protocol
    Uses the AS path to prevent routing loops
    Uses the AS path length to select the best route
    Flexible routing tags, attribute re-writing and filtering
    Flexible and capable attribute extension
Internet elements: Routing/traffic control by BGP
  [Diagram: AS100 originates 192.168/16; the drawn ASes are AS100, AS200, AS300, AS400 and AS500, and AS500's two links are labelled "expensive" and "cheap". AS paths written on the links: AS100, AS200+AS100, AS100, AS300+AS100, AS400+AS300+AS100]
Internet elements: Routing/traffic control by BGP, AS path length (AS prepend)
  [Diagram: same ASes and labels as before; AS100 prepends its own ASN towards AS200. AS paths written on the links: AS100+AS100+AS100, AS200+AS100+AS100+AS100, AS100, AS300+AS100, AS400+AS300+AS100]
Internet elements: Routing/traffic control by BGP, longest match (IP block slicing)
  [Diagram: same ASes and labels as before; AS100 announces the aggregate on one side and the two halves on the other. Prefixes written on the links: 192.168/16, 192.168/16, 192.168/17 + 192.168.128/17 (on three links)]
Internet elements: Risk in IP block slicing, normal situation
  [Diagram: AS100 (192.168/16) connects to AS200 (transit) and AS600 (peering), both of which connect to the Internet; link speeds shown: STM-16 and FE. Prefixes written on the links: 192.168/16, 192.168/17 + 192.168.128/17, 192.168/16]
Internet elements: Risk in IP block slicing, OOPS situation
  [Diagram: same topology. Prefixes written on the links: 192.168/16, 192.168/17 + 192.168.128/17, 192.168/16, 192.168/17 + 192.168.128/17; the extra /17 announcement is marked "error" and one link is marked "congestion!!!"]
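The four BGP diagrams above (AS path length, AS prepend, longest-match slicing and the OOPS leak) worked through in an added Python example that is not part of the original slides. It assumes the topology implied by the labels: AS500 hears 192.168/16 from AS200 and from AS400 (behind AS300); separately AS100 has transit AS200 on the STM-16 link and peer AS600 on the FE link, and in the OOPS case AS600 re-announces the /17 slices to the Internet. The decision process is reduced to longest prefix match followed by shortest AS path.

```python
import ipaddress

def best_route(rib, dst):
    """Simplified BGP decision: longest prefix match first, then the
    shortest AS path (no LOCAL_PREF, MED or other tie-breakers)."""
    dst = ipaddress.ip_address(dst)
    hits = [(p, path) for p, path in rib if dst in p]
    if not hits:
        return None
    return min(hits, key=lambda e: (-e[0].prefixlen, len(e[1])))

def next_as(rib, dst):
    """First ASN on the best path, i.e. the neighbor traffic is sent to."""
    r = best_route(rib, dst)
    return r[1][0] if r else None

P16 = ipaddress.ip_network("192.168.0.0/16")
SLICES = [ipaddress.ip_network("192.168.0.0/17"),
          ipaddress.ip_network("192.168.128.0/17")]

def as500_view(prepend=False, slice_to_as300=False):
    """Constructed RIB of AS500: one copy of the route via AS200, one via
    AS400 (which got it from AS300). AS100 may prepend its own ASN three
    times towards AS200, or send only the /17 slices towards AS300."""
    origin = ["AS100"] * (3 if prepend else 1)
    rib = [(P16, ["AS200"] + origin)]
    for p in (SLICES if slice_to_as300 else [P16]):
        rib.append((p, ["AS400", "AS300", "AS100"]))
    return rib

def internet_view(leak=False):
    """Constructed RIB seen by the rest of the Internet: the /16 via transit
    AS200 (STM-16). With leak=True the peer AS600 (FE link) re-announces
    the /17 slices it should have kept, and the more-specifics win."""
    rib = [(P16, ["AS200", "AS100"])]
    if leak:
        rib += [(p, ["AS600", "AS100"]) for p in SLICES]
    return rib

if __name__ == "__main__":
    for dst in ("192.168.1.1", "192.168.200.1"):
        print(dst, "AS500 default ->", next_as(as500_view(), dst),
              "| prepend ->", next_as(as500_view(prepend=True), dst),
              "| slices ->", next_as(as500_view(slice_to_as300=True), dst))
        print(dst, "Internet normal ->", next_as(internet_view(), dst),
              "| leak ->", next_as(internet_view(leak=True), dst))
```

In the leak case every destination in 192.168/16 moves from the STM-16 transit link to the FE peering link, which is the congestion the slide warns about.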
Internet elements: Use BGP to scale the IGP
  BGP used within an ASN is called Interior BGP (iBGP); BGP used between ASNs is called Exterior BGP (eBGP). There are only tiny differences in behaviour between iBGP and eBGP
  Use iBGP to carry customer routes within the ASN: add suitable attributes to the customer BGP routes; store route:next-hop information
  Use the IGP to carry the next-hop information for iBGP; the router uses a "recursive lookup" when searching for a route:
    Check route:next-hop in iBGP
    Check the next-hop in the IGP
    Forward the packet to the next-hop
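The recursive lookup described above, as an added Python example that is not from the slides. The tables, the edge-router loopback 10.0.0.7 and the interface names are constructed; the point is that the IGP only has to know the infrastructure prefixes, however many customer routes iBGP carries.

```python
import ipaddress

def lpm(table, addr):
    """Longest-prefix match in {prefix: value}; None if nothing matches."""
    addr = ipaddress.ip_address(addr)
    hits = [p for p in table if addr in p]
    return table[max(hits, key=lambda p: p.prefixlen)] if hits else None

# Constructed tables of one core router. iBGP carries the customer routes
# with their next-hop (the loopback of the edge router that learned them);
# the IGP carries only infrastructure prefixes and their outgoing interface.
IBGP = {
    ipaddress.ip_network("192.168.0.0/16"): "10.0.0.7",  # next-hop = edge loopback
    ipaddress.ip_network("172.16.0.0/12"):  "10.0.9.9",  # next-hop the IGP never learned
}
IGP = {
    ipaddress.ip_network("10.0.0.7/32"): "ge-0/0/1",   # edge router loopback
    ipaddress.ip_network("10.0.0.0/24"): "ge-0/0/0",   # other infrastructure
}

def forward(dst):
    """Recursive lookup: destination -> iBGP next-hop -> IGP interface.
    Returns (next_hop, interface), or None when there is no route or the
    next-hop cannot be resolved, in which case the packet is dropped."""
    nh = lpm(IBGP, dst)
    if nh is None:
        return None
    iface = lpm(IGP, nh)
    return (nh, iface) if iface else None

if __name__ == "__main__":
    for dst in ("192.168.5.5", "172.16.1.1", "198.51.100.1"):
        print(dst, "->", forward(dst))
```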
Internet elements: Information resources
  RFCs
  Internet groups: IANA, the RIRs; NANOG (North American Network Operators' Group); the Internet Society; IETF
  Internet forums & newsgroups: http://www.groupstudy.com/; puck.nether.net mailing lists; the Internet groups' newsgroups
Internet security: Security issues in BGP
  Authenticated BGP neighbor? Use an MD5 password to protect the BGP session
  Authenticated BGP routes? Routing Assets Database (RADB); IP address & AS certification (an APNIC project)
Internet security: Discard bad BGP routes
  Discard BGP routes that belong to:
    Private IP addresses (RFC1918)
    Some specialized IP addresses (RFC3330)
    Private ASNs (RFC1930)
    "Bogon IP blocks": IP blocks assigned by IANA but not assigned by an RIR
  Discarding packets whose source IP address belongs to the BGP routes above is safe
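The route filter described above, as an added Python example that is not from the slides. The RFC3330 subset, the sample announcements and the bogon entry are constructed; a real bogon list comes from IANA/RIR data and has to be refreshed as blocks are handed out.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(p) for p in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Subset of the RFC3330 special-use blocks (loopback, link-local, TEST-NET,
# class E); the full list is in the RFC.
RFC3330 = [ipaddress.ip_network(p) for p in
           ("127.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24", "240.0.0.0/4")]
# Placeholder bogon entry (constructed, not a real bogon): the real list
# changes over time and must be kept current.
BOGONS = [ipaddress.ip_network("198.51.100.0/24")]
PRIVATE_ASN = range(64512, 65536)   # RFC1930, 2-byte private range

def reject_reason(prefix, as_path):
    """Return why a received BGP route should be discarded, or None."""
    net = ipaddress.ip_network(prefix)
    for name, blocks in (("rfc1918", RFC1918), ("rfc3330", RFC3330),
                         ("bogon", BOGONS)):
        # a more-specific carved out of a bad block is just as bad
        if any(net.subnet_of(b) for b in blocks):
            return name
    if any(asn in PRIVATE_ASN for asn in as_path):
        return "private-asn"
    return None

def filter_routes(routes):
    """Split (prefix, as_path) announcements into accepted and rejected."""
    accepted, rejected = [], []
    for prefix, path in routes:
        why = reject_reason(prefix, path)
        (rejected if why else accepted).append((prefix, path, why))
    return accepted, rejected

# Constructed announcements as heard from an eBGP neighbor. 64496-64511 are
# the ASNs reserved for documentation, inside the public 1~64511 range.
ROUTES = [
    ("203.0.113.0/24",  [64496, 64497]),  # clean
    ("10.20.0.0/16",    [64496, 64497]),  # RFC1918
    ("192.0.2.0/25",    [64496]),         # inside an RFC3330 block
    ("203.0.113.0/25",  [64496, 65001]),  # private ASN in the path
    ("198.51.100.0/24", [64497]),         # placeholder bogon
]

if __name__ == "__main__":
    ok, bad = filter_routes(ROUTES)
    for prefix, path, why in bad:
        print("discard", prefix, path, "reason:", why)
    print("accepted:", [p for p, _, _ in ok])
```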
Internet security: Prevent IP spoofing
  Prevent IP spoofing from outside your network: check the source IP address of packets arriving from your BGP neighbors; a packet whose source IP address belongs to your ASN is simply discarded
  Prevent IP spoofing inside your network: check the source IP address of packets arriving from your customers; a packet whose source IP address doesn't belong to that customer is simply discarded
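The two source-address checks above, as an added Python example that is not from the slides. The address plan, the customer names and the sample packets are constructed.

```python
import ipaddress

# Constructed address plan: the prefixes our own ASN originates, and the
# prefixes assigned to each customer port.
OUR_PREFIXES = [ipaddress.ip_network("192.168.0.0/16")]
CUSTOMERS = {
    "cust-A": [ipaddress.ip_network("192.168.10.0/24")],
    "cust-B": [ipaddress.ip_network("192.168.20.0/23")],
}

def in_any(addr, nets):
    return any(addr in n for n in nets)

def check_from_neighbor(src):
    """Packet arriving from a BGP neighbor: a source inside our own address
    space cannot legitimately come from outside, so it is spoofed."""
    return "drop" if in_any(ipaddress.ip_address(src), OUR_PREFIXES) else "accept"

def check_from_customer(customer, src):
    """Packet arriving on a customer port: the source must belong to that
    customer's assigned prefixes; unknown customers get nothing through."""
    nets = CUSTOMERS.get(customer, [])
    return "accept" if in_any(ipaddress.ip_address(src), nets) else "drop"

def apply_policy(packets):
    """packets: (ingress, src, dst); ingress is 'neighbor' or a customer name."""
    verdicts = []
    for ingress, src, dst in packets:
        if ingress == "neighbor":
            v = check_from_neighbor(src)
        else:
            v = check_from_customer(ingress, src)
        verdicts.append((ingress, src, dst, v))
    return verdicts

# Constructed sample packets
PACKETS = [
    ("neighbor", "203.0.113.9", "192.168.10.5"),   # normal inbound
    ("neighbor", "192.168.10.5", "192.168.20.1"),  # our address from outside
    ("cust-A", "192.168.10.5", "203.0.113.9"),     # customer's own source
    ("cust-A", "192.168.20.5", "203.0.113.9"),     # cust-B's address on cust-A port
    ("cust-B", "192.168.21.7", "203.0.113.9"),     # inside cust-B's /23
]

if __name__ == "__main__":
    for row in apply_policy(PACKETS):
        print(*row)
```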
Internet security: Internet attacks
  TCP SYN flooding; Smurf attack; Distributed Denial of Service (DDoS)
Internet security: Common ways to block a DDoS attack
  Black hole; sink hole
MPLS
  Traditional packet forwarding: a routing lookup per packet
  MPLS packet forwarding: each MPLS router builds a database mapping routes to labels, then uses the label to forward the packet
  MPLS applications: MPLS VPN; MPLS Traffic Engineering (MPLS TE); MPLS QoS
MPLS
  Virtual Private Network (VPN)
    Traditional VPN: based on ATM and Frame-relay
    IPsec VPN
    MPLS VPN: uses the label stack to tell the VPNs apart; provisioned as an L2 or L3 network
  MPLS TE: use MPLS to pre-build MPLS TE tunnels; routers forward traffic along the MPLS TE tunnel path instead of the IGP path; provides more flexibility than the IGP
  MPLS QoS
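An added Python example, not from the slides, decoding the label stack an MPLS VPN relies on: an outer transport label that carries the packet to the egress router, followed by an inner VPN label with the bottom-of-stack bit set that picks the customer's VPN there. The entry layout follows RFC3032; the label values and payload bytes are constructed.

```python
import struct

def parse_label_stack(data):
    """Decode MPLS label stack entries (RFC3032 layout: 20-bit label,
    3-bit EXP, 1-bit bottom-of-stack, 8-bit TTL) until the S bit is set.
    Returns (entries, offset_of_payload)."""
    entries, off = [], 0
    while True:
        if off + 4 > len(data):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack("!I", data[off:off + 4])
        entry = {"label": word >> 12, "exp": (word >> 9) & 0x7,
                 "bos": (word >> 8) & 0x1, "ttl": word & 0xFF}
        entries.append(entry)
        off += 4
        if entry["bos"]:
            return entries, off

def build_entry(label, exp, bos, ttl):
    """Encode one label stack entry (labels 0-15 are reserved values)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)

# Constructed packet: outer transport label 1001 (path to the egress router),
# inner VPN label 16 (selects the customer VPN at the egress, bottom of
# stack), then the first bytes of an IPv4 header.
PACKET = build_entry(1001, 0, 0, 255) + build_entry(16, 0, 1, 255) + b"\x45\x00"

def vpn_label(data):
    """The bottom-of-stack label is what separates one customer's VPN from another."""
    entries, _ = parse_label_stack(data)
    return entries[-1]["label"]

if __name__ == "__main__":
    entries, payload_off = parse_label_stack(PACKET)
    for e in entries:
        print(e)
    print("payload starts at byte", payload_off, "VPN label", vpn_label(PACKET))
```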