how internet works

1

How the Internet works

Kae HsuCommunication Network Dept.

[email protected]

http://www.seed.net.tw

2

Agenda

Internet topologyInternet elements IP address & Autonomous system number

IPv4, IPv6, ASN attributes Router & switch Routing protocols

IGP, EGPInternet securityMultiprotocol Label Switching (MPLS)


3

About the speaker

Join seednet on 2000/12 Maintain network management platform from

2001/1 Maintain frame-relay backbone from 2001/4 Maintain domestic backbone from 2001/7 Maintain domestic peering/transit circuit from

2002/8 Maintain oversea peering/transit circuit from 2004/3 Promotion on 2005/1

Certification SCSA, SCNA (Solaris 8) CCIE#12740 (Routing & switching) JNCIP#266


4

Internet topology

Autonomous SystemAutonomo

us System

Autonomous System

Autonomous System

Autonomous System

Autonomous System

Autonomous System

Autonomous System


5

Internet elements

IP address IPv4: 32bits address space IPv6: 128bits address space

Who will allocate IP address? Local Internet Registry (LIR)

ISPs National Internet Registry (NIR)

TWNIC in Taiwan, JPNIC in Japan Regional Internet Registry (RIR)

APNIC in Asia/Pacific, ARIN in North America Internet Assigned Numbers Authority (IANA)

Top level of IP & AS number assigned


6

Internet elements

IPv4 address attributes Class A, B, C, D, E Public/Private/Specialized IPv4 address

Public IP address: Routable address on Internet Private IP address (RFC1918):

10/8 172.16/12 192.168/16

Specialized IPv4 address (RFC3330): Assigned by IANA directly


7

Internet elements

IPv6 address attributes http://www.iana.org/assignments/ipv6-address-space

Last update on 2006/2/27 IPv6 Prefix Allocation Reference ----------- ------------------------ ------------ 0000::/8 Reserved by IETF [RFC3513] 0100::/8 Reserved by IETF [RFC3513] 0200::/7 Reserved by IETF [RFC4048] 0400::/6 Reserved by IETF [RFC3513] 0800::/5 Reserved by IETF [RFC3513] 1000::/4 Reserved by IETF [RFC3513] 2000::/3 Global Unicast [RFC3513] 4000::/3 Reserved by IETF [RFC3513] 6000::/3 Reserved by IETF [RFC3513] 8000::/3 Reserved by IETF [RFC3513] A000::/3 Reserved by IETF [RFC3513] C000::/3 Reserved by IETF [RFC3513] E000::/4 Reserved by IETF [RFC3513] F000::/5 Reserved by IETF [RFC3513] F800::/6 Reserved by IETF [RFC3513] FC00::/7 Unique Local Unicast [RFC4193] FE00::/9 Reserved by IETF [RFC3513] FE80::/10 Link Local Unicast [RFC3513] FEC0::/10 Reserved by IETF [RFC3879] FF00::/8 Multicast [RFC3513]


8

Internet elements

Autonomous system On the Internet, an autonomous system is a

collection of IP networks under the control of a single entity that presents a common routing policy to the Internet .

See RFC1930 for detailAutonomous system number (ASN) A public AS has a globally unique number, an

Autonomous System number (ASN), associated with it; this number is used in both the exchange of exterior routing information (between neighboring Autonomous Systems), and as an identifier of the AS itself.


9

Internet elements

ASN address space 2-byte ASN 4-byte ASN (In IETF draft)

ASN attribute Public ASN: 1~64511

0000000000000001~1111101111111111 Private ASN: 64512~65535

1111110000000000~1111111111111111 Private ASN is not routable on Internet


10

Internet elements

Build ISP POPs (Point of presences)

Autonomous System

ISP POP

ISP POPISP POP

ISP POP

ISP POP

ISP POP


11

Internet elements

Network topology in ISP POP Three layers architecture

Core layer Distribution layer Access layer

ISP POP Distribution layer

Core layer

Access layer


12

Internet elements

Core layer Use high end router in this layer

Cisco System (CSCO) XR 12000 & 12000 series router CRS-1 Carrier Routing System

Juniper Networks (JNPR) M series router

» M7i, M10i, M40e, M120, M320 T series router

» T320, T640, TX Matrix


13

Internet elements

Core router: CSCO XR 12000 series router


14

Internet elements

Core router: CSCO CRS-1 Carrier Routing System


15

Internet elements

Core router: JNPR M-series router


16

Internet elements

Core router – JNPR T-series router


17

Internet elements

Distribution layer Keep local traffic in local Higher port density than core router

Much cheaper than core router (per port) Use router or L3 switch

Router CSCO 7600 series router JNPR MX960

L3 switch CSCO 6500 series switch Foundry Extreme


18

Internet elements

Distribution layer router: CSCO 7600


19

Internet elements

Distribution layer router: JNPR MX960


20

Internet elements

Distribution layer router: CSCO 6500


21

Internet elements

Access layer Face to customers Aggregate many low-speed circuit to one or two high-speed circuit

Face to customer: T1, E1, ADSL Connect to distribution layer: FE, GE

Use access router or Broadband Remote Access Server (BRAS) Router

CSCO 3700, 7200, 7300 series router JNPR M-series router

BRAS Redback SmartEdge JNPR E-series BRAS routing platform (ERX)


22

Internet elements

Access layer: CSCO 7200 series router


23

Internet elements

Access layer: Redback SmartEdge


24

Internet elements

Access layer: JNPR E-series routing platform


25

Internet elements

How to connect each equipments in POP? Ethernet family

Ten Gigabit Ethernet (10000Mbps) Gigabit Ethernet (1000Mbps) Fast Ethernet (100Mbps)

How to connect each POPs? Kinds of circuits

SONET/SDH based circuit ATM or Frame-relay based circuit Ethernet based circuit DWDM based circuit Dark fiber


26

Internet elements

SONET/SDH based circuit SONET: ANSI/Telcordia standard SDH: ITU-T standard Major different in framing structure

Basic SONET framing unit: STS-1, 51.84Mbps STS-1 frame size: 6480bits

Basic SDH framing unit: STM-1, 155.52Mbps STM-1 frame size: 19440bits

Frame rate of SONET/SDH is 8000 frame/sec Use mux/demux to package low-speed circuit (T1/E1/E3/T3/ATM/Ethernet) into SONET/SDH frame

Advantage: low overhead SONET/SDH overhead: 3.33% ATM overhead: 9.43%


27

Internet elements

ATM and Frame-relay based circuit Basic in ATM circuit: cell

fix length: 53bytes, use 5 bytes for header speed: from 155Mbps to 622Mbps

Basic in Frame-relay circuit: Frame speed: from 64Kbps to 45Mbps

Ethernet based circuit Metro Ethernet

DWDM based circuit Use different lambda (λ) to carry different traffic Physical layer equipment

Dark fiber


28

Internet elements

Routing protocol used by ISP Interior Gateway Protocol (IGP)

A set of routing protocols that are used within an autonomous system

Opposites: Exterior Gateway Protocol (EGP)Routing protocol used among ISP POPs 100% control by ISP OSPF or IS-IS

Routing protocol used between ISP and customer static route for only one circuit Use RIP for multiple circuit


29

Internet elements

Distance Vector routing protocol Routing Information Protocol (RIP)

RIPv1 (classful), RIPv2 (classless), RIPng (IPv6) Interior Gateway Routing Protocol (IGRP)

Cisco system property Add other factors for routing selection


30

Internet elements

Link State routing protocol Open Shortest Path First (OSPF)

Based on Dijkstra Shortest Path First algorithm Draft/standardized by Internet Engineering Task Force (IETF) OSPFv2, OSPFv3 (IPv6)

Intermediate system to intermediate system (IS-IS) Based on Dijkstra Shortest Path First algorithm Draft/standardized by International Standards Organization (ISO)

Enhanced IGRP Cisco system property Integrated link state and distance vector routing protocol


31

Internet elements

Routing information exchange Access layer propagate customer routes to

distribution layer Distribution layer propagate/aggregate customer

routes to core layer Core layer exchange POPs routing information Scalability problem?


32

Seednet domestic backbone

蘭嶼

綠島

OC3/STM-1

STM-4

GE

STM-16/Fiber

Router(s) of POP

Shiji

TaoyuanHsinchu

YilanMiaoli

TaichungChanghwa

Yungling Hualian

TaitongPingtong

Kaohsiung

Tainan

NeiHu

NantouChiayi Icon remark


33

Internet elements

How to connect to other ASN? Use lots of circuit to connect to other ASN

Localloop IPLC

Core router colocation in Internet eXchange (IX), use in-house wire to peering with other ASN Use public peering service of IX

NOT all of the ASN in the world would peering with you in free Mostly, free peering happened between two ISPs with similar scale

Inbound/Outbound traffic is not the key


34

Internet elements

It is hard to peer with all ASN in the world Cost Cost Cost

Transit service Upstream ISP bring Internet traffic to downstream ISP

ISPs didn’t need anyone to transit traffic for them: Tier-1 ISP There are 9 Tier-1 ISP defined by wiki


35

Seednet exterior status

Icon remarkRouter(s) of POP

US

Hinet

China

T3100M FE

TWIX

GSN

155M STM-1

Gigamedia

GigabitEthernet

Asia/HK/JP

STM-4

STM-16

JP(NTT)

APTG

FLAG

Taoyuan

MOECC(TANet)NCU(600M)

NCTU

NCHU(600M)

NCKU

NSYSU(600M)

CCU(600M)

Taipei

ASCC

Hsinchu

Taichung

Chiayi

Tainan

Kaohsiung


36

Internet elements

Routing exchange between ISPs Exterior Gateway Protocol

EGP Border Gateway Protocol (BGP)

BGP Currently: BGP version 4 Lots of attribute for routing control Distance Vector routing protocol Use AS path to prevent routing loop Use AS path length to select best route Flexible on routing tag, attribute re-write, filtering Flexible and capable in attribute extention.


37

Internet elements

Routing/traffic control by BGP

AS100, 192.168/1

6

AS300

AS200

AS400

AS500expensive

cheap

AS100

AS200+AS100

AS100

AS300+AS100

AS400+AS300+AS100


38

Internet elementsRouting/traffic control by BGP – AS path length AS prepend

AS100, 192.168/1

6

AS300

AS200

AS400

AS500expensive

cheap

AS100+AS100+AS100

AS200+AS100+AS100+AS100

AS100

AS300+AS100

AS400+AS300+AS100


39

Internet elementsRouting/traffic control by BGP – longest match IP blocks slice

AS100, 192.168/1

6

AS300

AS200

AS400

AS500expensive

cheap

192.168/16

192.168/16

192.168/17, 192.168.128/17

192.168/17, 192.168.128/17

192.168/17, 192.168.128/17


40

Internet elements

Risk in IP blocks slice Normal situation

AS100, 192.168/1

6

AS200, transit

AS600, peering

InternetSTM-16

FE

192.168/16

192.168/17, 192.168.128/17

192.168/16


41

Internet elements

Risks in IP blocks slice OOPS situation

AS100, 192.168/1

6

AS200, transit

AS600, peering

InternetSTM-16

FE

192.168/16

192.168/17, 192.168.128/17

192.168/16

192.168/17, 192.168.128/17

congestion!!!

error


42

Internet elements

Use BGP to scale IGP BGP used in the ASN called Interior BGP (iBGP) BGP used between ASN is called Exterior BGP (eBGP) Tiny characteristic difference between iBGP and eBGP

Use iBGP to carry customer routes in ASN Add suitable attribute in customer BGP routes Store routes:next-hop information

Use IGP to carry next-hop information for iBGP Router will use “recursive lookup” for routing search

Check routes:next-hop from iBGP Check next-hop from IGP Forwarding packets to next-hop


43

Internet elements

Information resource RFC Internet group

IANA, RIR NANOG (North American Network Operators' Group) Internet society IETF

Internet forum & newsgroup http://www.groupstudy.com/ puck.nether.net Mailing Lists Internet group newsgroup


44

Internet security

Security issue on BGP Authenticated BGP neighbor?

Use MD5 password to protect BGP session Authenticated BGP routes?

Routing Assets Database (RADB) IP address & ASes certification

APNIC project


45

Internet security

Discard BGP routes from BGP routes belong private IP addresses

RFC1918 Some BGP routes belong specialized IP addresses

RFC3330 BGP routes belong private ASN

RFC1930 BGP routes belong “Bogon IP blocks”

Bogon IP blocks: IP blocks assigned by IANA but not assigned by RIR

Discard packets that source IP address belong BGP routes above is safe


46

Internet security

Prevent IP spoofing Prevent IP spoofing outside your network

Check source IP address of packets from your BGP neighbor

For packet with source IP address belong your ASN, just discard it

Prevent IP spoofing in your network Check source IP address of packets from your

customer For packet with source IP address doesn’t belong

your customer, just discard it


47

Internet security

Internet attack TCP sync flooding Smurf attack Distributed Denied of Service


48

Internet security

Common ways to block DDoS attack Black hole Sink hole


49

MPLS

Traditional packet forwarding Routing lookup

MPLS packet forwarding Each MPLS router will build a database to map

routes to special label Use label to forward packet

MPLS application MPLS VPN MPLS Traffic Engineering (MPLS TE) MPLS QoS


50

MPLS

Virtual Private Network (VPN) Traditional VPN

Based on ATM and Frame-relay IPsec VPN MPLS VPN

Use label stack to differentiate different VPN Provision for L2 or L3 network

MPLS TE Use MPLS to pre-build some MPLS TE tunnels Router forward traffic via MPLS TE tunnel path,

instead of IGP path. Provide more flexibility than IGP

MPLS QoS

how internet works

Technology

ip blocks slice

prevent ip spoofing

exterior gateway protocol

dijkstra shortest path

cisco system property

ip address

dwdm based circuit

autonomous system number