8/18/2019 IP Engineering Overview
http://slidepdf.com/reader/full/ip-engineering-overview 1/294
IP Engineering Overview

Wray Castle Limited
Bridge Mills, Stramongate, Kendal, LA9 4UB, UK.
© Wray Castle Limited, all rights reserved
IP ENGINEERING OVERVIEW

First published 2003
Last updated December 2004

WRAY CASTLE LIMITED
BRIDGE MILLS
STRAMONGATE
KENDAL
LA9 4UB UK

Yours to have and to hold but not to copy

The manual you are reading is protected by copyright law. This means that Wray Castle Limited could take you and your employer to court and claim heavy legal damages.

Apart from fair dealing for the purposes of research or private study, as permitted under the Copyright, Designs and Patents Act 1988, this manual may only be reproduced or transmitted in any form or by any means with the prior permission in writing of Wray Castle Limited.
CONTENTS

Section 1 IP Networks Overview
Section 2 IP Network Services
Section 3 Service Provider Architectures
Section 4 Future Directions in IP Engineering
SECTION 1
IP NETWORKS OVERVIEW
SECTION CONTENTS

1 Background to the Internet and ISPs 1.1
1.1 Internet History 1.1
1.2 Emergence of Commercial Operations 1.3
1.3 The Changing Architecture of the Public Internet 1.3
1.4 Internets, Intranets and the Internet 1.5
1.5 Service Providers (SPs) 1.5

2 The Internet Paradigm 1.7
2.1 Switching Approaches 1.7
2.2 Circuit Switching 1.9
2.3 Packet Switching 1.11
2.4 Connectionless Versus Connection-Oriented Switching 1.13
2.5 How High-Functionality IP Networks Alter The Paradigm 1.15

3 Data Link Layer Protocols 1.17
3.1 The OSI and TCP/IP Protocol Stacks 1.17
3.2 The Role of L2 Protocols in the WAN 1.19
3.3 The Types of Layer 2 Switching 1.21
3.4 ATM as an L2 Switching Protocol for IP Traffic 1.23
3.5 Introduction to MPLS 1.25
3.6 MPLS as an L2 Switching Protocol 1.27
3.7 MPLS Forwarding Plane 1.27
3.8 MPLS Control Plane 1.29

4 The IP Layer 1.31
4.1 IP Datagram Forwarding 1.31
4.2 IP Address Classes 1.33
4.3 IP Subnet Masks 1.35
4.4 Network and Host Addresses 1.37
4.5 Control of IP Addresses 1.37
4.6 Network and Host Addresses 1.39
4.7 Subnetting IP Networks 1.41
4.8 Implementation 1.41
4.9 Classless Interdomain Routing (CIDR) 1.43
4.10 CIDR Example 1.45
5 The Transport Layer 1.47
5.1 Introduction 1.47
5.2 The Functions of Transmission Control Protocol (TCP) 1.49
5.3 The Functions of User Datagram Protocol (UDP) 1.51

6 The Domain Name System (DNS) 1.53
6.1 The Role of the DNS 1.53
6.2 The Overall Architecture of the DNS 1.55
6.3 DNS Operation 1.57
6.4 Zones of Authority 1.57
6.5 Name Resolution 1.59
6.6 DNS Implementation 1.61
6.7 Types of DNS Server 1.63
6.8 Querying the Domain Name System 1.65

7 The Application Layer 1.67
7.1 Hypertext Transfer Protocol (HTTP) for Web Services 1.67
7.2 Simple Mail Transfer Protocol (SMTP) E-mail 1.69
7.3 POP3 and IMAP for E-mail Services 1.71
7.4 Post Office Protocol (POP) 1.71
7.5 Internet Message Access Protocol (IMAP4) 1.71

8 Section 1 Questions 1.73
SECTION OBJECTIVES

At the end of this section you will be able to:
• explain the evolution of public service Internet Protocol (IP) networks
• compare and contrast the features of traditional data networks with IP networks
• explain the key functions of the IP network layer and IP addressing schemes
• describe the key transport and application-layer protocols of public service IP networks
1 BACKGROUND TO THE INTERNET AND ISPS

1.1 Internet History

In 1969, the Advanced Research Projects Agency (ARPA) funded a research and development project to create an experimental ‘packet switching’ network. This network was called ARPANET and was built in order to study techniques for the provision of a robust, reliable, vendor-independent data communications system.

As a direct result of the success of ARPANET, many of the organizations involved in its development began to use it and, in 1975, the experimental network was converted into an operational one, with responsibility for it being given to the Defense Communications Agency (DCA). During this time, the early development of the basic Transmission Control Protocol/Internet Protocol (TCP/IP) took place.

The TCP/IP protocols were adopted as Military Standards (MIL STD) in 1983, and all hosts that were to connect to the ARPANET were required to convert to these protocols. At the same time, the term Internet came into common use with the division of ARPANET into two new networks. These were MILNET, the unclassified part of the Defense Data Network (DDN), and a new, smaller ARPANET. The term ‘Internet’ was thus used to refer to the entire network, which comprised MILNET and ARPANET.

In 1985, the National Science Foundation (NSF) became involved by creating the NSFNet, which was connected to the Internet. The original NSFNet comprised five NSF super-computer centres, yet was still smaller than ARPANET and was restricted to data rates of only 56 kbit/s. However, the creation of NSFNet was a significant milestone in the development of the Internet as it brought a new vision of how the Internet should be used. The NSF wanted every scientist and engineer in the United States of America to be connected and, as such, they created a new, faster backbone network that connected regional and local networks.

In 1990, the ARPANET formally passed out of existence. NSFNet ceased its role as the primary Internet backbone network in 1995.

In 1998, the Internet Corporation for Assigned Names and Numbers (ICANN) was established to take responsibility for Internet address management.
Figure 1: Internet Development (timeline: 1969, Advanced Research Projects Agency funds research, ARPANET; 1975, Defense Communications Agency takes responsibility, TCP/IP development begins; 1983, TCP/IP protocols adopted as standard, Internet formed from MILNET and ARPANET; 1985, National Science Foundation creates NSFNet; 1990, ARPANET and NSFNet cease overall responsibility; 1998, competition introduced with the establishment of ICANN)
1.2 Emergence of Commercial Operations

The original ARPANET and its successor NSFNet both operated Acceptable Use Policies (AUP) that did not permit commercial use of the network, and restricted traffic to research, educational and government use. Under pressure to make the Internet a commercial entity, the NSF managed a process of handing over responsibility for various functions to new commercial Service Providers (SPs) through the 1990s, including the backbone networks, the interconnect points and various registry functions. This new model specifically allowed commercial exploitation of the Internet, and as a result massive growth in the number of attached hosts and in the traffic carried has continued.

In October 1998, competition was introduced in domain name registration for the top-level domains. The Internet Corporation for Assigned Names and Numbers (ICANN) was established as a not-for-profit business to take responsibility for Internet address management, management of the Domain Name System (DNS), management of assigned numbers and operation of the Internet root servers. It achieves this through cooperation with organizations including the InterNIC, the Internet Assigned Numbers Authority (IANA) and the Regional Internet Registries (RIRs) that it has accredited.

1.3 The Changing Architecture of the Public Internet

The single backbone approach of NSFNet was gradually replaced by a collection of commercial backbone providers such as Sprint and UUNet. Mergers and acquisitions in the last few years have left five major networks providing most transit within the global Internet.

The number of SPs and their peering arrangements continues to grow and become more complex. The NSF interconnect points were replaced by Network Access Points (NAPs) within North America as part of the commercialization process. These provide a facility where networks can peer, managed by an independent third party.

A large number of Internet eXchange Points (IXPs) now operate on a commercial or cooperative basis, allowing smaller ISPs to peer on a regional basis.
Figure 2: Growth of the Internet (hosts plotted against time from 1980; annotated ‘Data >1,000,000,000,000,000 Bits/Day’ and ‘The commercial Internet era’)
1.4 Internets, Intranets and the Internet

The term internet was originally used to describe the network built upon the Internet Protocol (IP). However, the term is generic and is used to describe an entire class of networks. We will use the term ‘internet’ to mean any collection of separate physical networks, interconnected by means of the IP protocol, to form a single logical network. The ‘Internet’ is the worldwide collection of interconnected networks that grew out of the original ARPANET. It uses IP to link the various networks into a single logical global network.

Since TCP/IP is required for Internet connection, the growth of the Internet has spurred interest in TCP/IP. More organizations have become familiar with the protocol suite and have applied it to many other applications. The IP protocols are now often used for local area networking even when the Local Area Network (LAN) is not connected to the Internet. In addition, TCP/IP is also widely used in building enterprise networks that use Internet techniques and World Wide Web (WWW) tools to disseminate internal corporate information. These networks are referred to as ‘intranets’ and may or may not be connected to the Internet.

1.5 Service Providers (SPs)

Private organizations obtain services on the public Internet through an SP.

Internet Service Providers (ISPs) offer a range of services on the public Internet to their customers, such as dial-up access, and mail and web hosting.

IP Service Providers (IPSPs) offer business-class IP networks to their customers. Rather than an open model of interconnection with other networks, where very few restrictions on traffic flows are applied, these networks connect with other networks in a much more controlled way. By keeping general Internet traffic off these networks, the quality of service they can offer to their directly connected customers is improved. These networks still require connectivity to the public Internet to allow Internet e-mail and other services.
Figure 3: Intranets, ISPs and IP Service Providers (Intranet Networks 1, 2 and 3 attached to three separate IP Service Providers, IPSP 1 to 3, and to ISPs 1 to 3; the connection to an ISP provides traditional Internet access, the connection to an IPSP gives the customer access to high-functionality IP services, and the IPSP-to-Internet connections allow Internet connectivity to IPSP customers)
2 THE INTERNET PARADIGM

2.1 Switching Approaches

The two main switching approaches used in public switched networks are circuit switching and packet switching. Within packet switching, the switching process can be connection-oriented or connectionless. Connection-oriented switching provides a logical circuit from source to destination, while a connectionless approach has no concept of a circuit.

We explore these different types of switching in the next few slides.
Figure 4: Types of Switching (Public Switched Networks divide into Circuit Switched, a physical circuit from source to destination, and Packet Switched; packet switching is either ‘connection-oriented’, a logical circuit from source to destination using a Virtual Circuit, or ‘connectionless’, with no concept of a circuit, using Datagrams)
2.2 Circuit Switching

Circuit switching involves a physical circuit being established between two given terminals for a period of time. The circuit is allocated to, and maintained for, the exclusive use of the terminals concerned for the whole duration of the connection. These resources only become available for use by other terminals upon release of the connection by the initial terminals.

Circuit switching has several advantages. Firstly, the end terminals/devices/users are allocated the full data-carrying capability (full bandwidth) of the connection for the whole duration of the call, irrespective of whether they have data to send or not. In addition, although the initial routing process (or set-up) takes a period of time to be established at the switches, the delay for further data exchange via the switches is relatively short. This is because any further data exchange does not involve the analysis of addresses; instead the data simply flows through the provided physical connection. Finally, as all data for the connection takes the same physical route, the time taken for data to be transferred between terminals is kept nearly constant for the whole duration of the call.

The disadvantages of circuit switching are that the initial set-up procedure takes time, as does the final release procedure. Also, should the network fail for any reason, the connection is lost completely and a new connection would need to be created.

In addition, if the end terminals have a circuit-switched connection but no data to send, the end terminals will still hold the network resources unless they release the connection. In other words, the resources cannot be used by any other devices. This final fact is a disadvantage to both the user and the network operator. From the view of terminal owners it means that they are paying for a connection even though they may have no data to send; from the network operator’s view, it means that the network may have no resources available for users waiting to use the network.

The advantages and disadvantages of circuit switching are highlighted in Figure 5. Although the two parties, A and C, are not presently speaking, network resources are still allocated to them. In addition, they are paying for call time. Parties B and D are unable to communicate with one another even though at that moment no meaningful data is being sent across the network.

Circuit switching is important in IP engineering because dial-up access to various data networks is normally carried across a circuit-switched connection between the user and the location in the network where the data network is available.
Figure 5: Circuit Switching (short delay, constant delay; a single connection is affected by network failure; parties A and C hold a circuit while parties B and D are told ‘Sorry, all the lines are busy’)
2.3 Packet Switching

Packet switching involves the segmentation of users’ information into smaller blocks of data known as packets. Each packet is then fed into the network and passed from one switching point to the next until it reaches its destination. The network handles each packet separately; therefore each must contain some control information to allow the forwarding process to take place at each switch.

Packet switching has the advantage that each terminal-to-terminal exchange of data is not provided by a physical connection. Instead, terminals share the network, each terminal being allocated network resources only as and when it has packets (or datagrams) to send.

From the users’ point of view this is advantageous as they pay only for the data sent as opposed to time connected, i.e. users can be charged per packet as opposed to per second. From the network operator’s point of view, packet switching allows all users to be given access to the network and also allows for more efficient dimensioning of the network. This final fact can lead to financial savings that can ultimately result in an even lower cost per packet for the user.

In addition, as the network handles each packet separately, any failure within the network need not affect the transfer of packets itself. The network may simply route the packets via an alternative path, so bypassing any failed elements.

One disadvantage of packet switching is that the delay between a packet arriving at a switch and it being routed onwards may vary. This is because a packet switch may need to queue packets for sending onwards, the length of the queue varying with the number of packets involved with the onward leg.
Figure 6: Packet Switching (long delay, variable delay; resilient to network failures; shared resources)
2.4 Connectionless Versus Connection-Oriented Switching

2.4.1 Connectionless Services

Within the packet-switched network, packets can be forwarded through the network switches on a packet-by-packet basis. In other words, when a packet arrives at a switch or router, it reads the address information within the packet and then forwards the packet on to an appropriate destination based on forwarding tables within the switch. Once the packet has been sent, the switch or router sending it has no further dealings with the packet.

Even packets that have arrived at the switch or router from the same source are treated individually. Because of this, there is no guarantee that packets sent by a single source will take the same path through the network, thus it is possible that packets could arrive at their destination out of sequence. In other words, the forwarding device makes no association between any packets that it receives or sends. When a network operates in this manner it is said to be providing a connectionless service to the users.

2.4.2 Connection-Oriented Services

It is possible for a packet-switched network to provide what is termed a connection-oriented service to its users. When providing a connection-oriented service, information must first be passed across the network to set up a path for a user’s data. This path is termed a logical connection, virtual circuit or software-defined data path. The network then makes an association between all the packets sent from and to a specific user. This association allows the network to forward all of the packets for a specific user via the same path through the network, thus ensuring that packets arrive at the destination in the same order that they were sent. At the end of the data exchange, information is sent across the network to release the logical connection. This set-up and release of virtual circuits is analogous to setting up and releasing a physical circuit in circuit switching. Some delay is associated with these set-up and release operations. User packets cannot be forwarded until the virtual circuit has been set up.

With a connection-oriented service, users appear to have their own connection through the network, but it must be borne in mind that this is a logical connection only and that other users may use segments of the physical connection.
Figure 7: Connectionless and Connection-Oriented Services (connectionless service: packets may arrive out of sequence; connection-oriented service: guaranteed sequenced delivery)
2.5 How High-Functionality IP Networks Alter The Paradigm

The traditional best-endeavours model of IP networks and services is unsatisfactory for most business users. These users typically expect guarantees on network performance that a conventional IP network cannot provide. As a result, many of the techniques of connection-oriented packet-switched networks have been developed as optional components of IP networks, and are widely deployed in SP networks.

Two or more Classes of Service (CoS) may be offered to customers, with different guarantees on performance for each of these.

Traffic policing may be applied on the customer access circuit to ensure that the contracted data rates per CoS are not exceeded.

Sophisticated queuing techniques may be applied in the network routers to implement the CoS behaviour expected by customers.

Policy controls and route filtering may be applied to control how traffic is carried across the network, and how it enters and leaves the network.

As well as measures at the IP layer, data link layer traffic engineering may be implemented to help control how traffic is carried, and more sophisticated restoration schemes may be implemented to ensure service outages are within limits acceptable to the customer.

Therefore IP networks can broadly be categorized as:

• Private enterprise networks (intranets) – these only carry the traffic of the owning organization.
• Public, low-functionality networks – these are typically part of the Internet structure, although they need not be. They carry traffic on a best-endeavours basis, and are offered by traditional ISPs.
• Public, high-functionality networks – these typically connect to the public Internet as well as to customer networks, but carefully control the traffic flows, types and utilization using the techniques outlined above. These networks are offered by IPSPs.
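As an added illustration (not code from the manual), the following Python model shows the access-circuit policer and the two core queuing behaviours from Figure 8 side by side: a token bucket that drops out-of-contract traffic, a best-endeavours tail-drop FIFO that discards high-priority packets under congestion, and a QoS-aware queue that sacrifices low-priority packets instead. The two-class CoS model, buffer size and traffic burst are constructed assumptions.

```python
"""Models of the CoS mechanisms in section 2.5: a token-bucket policer on the
customer access circuit and two core-router queue disciplines, best endeavours
and QoS-aware. Illustrative code added here; not from the original manual."""
from collections import deque
from dataclasses import dataclass


@dataclass
class Packet:
    cos: str    # "high" or "low": an assumed two-class CoS model
    size: int   # bytes


class TokenBucket:
    """Policer for one CoS: tokens (bytes) accrue at the contracted rate up to a
    burst limit; a packet is in-contract only if it can be paid for in full."""

    def __init__(self, rate_bytes_per_ms: int, burst_bytes: int):
        self.rate = rate_bytes_per_ms
        self.burst = burst_bytes
        self.tokens = burst_bytes
        self.last_ms = 0

    def accept(self, pkt: Packet, now_ms: int) -> bool:
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size
            return True
        return False      # out of contract: dropped at the access router


class BestEffortQueue:
    """Single FIFO with tail drop: once the buffer is full, whatever arrives
    next is discarded, whatever its CoS (Figure 8, low-functionality case)."""

    def __init__(self, capacity: int):
        self.fifo = deque()
        self.capacity = capacity
        self.dropped = []

    def enqueue(self, pkt: Packet) -> bool:
        if len(self.fifo) >= self.capacity:
            self.dropped.append(pkt)
            return False
        self.fifo.append(pkt)
        return True


class CosQueue:
    """QoS-aware queue: per-class queues sharing one buffer. Under congestion a
    low-priority packet is the one dropped (or evicted), so high-priority
    traffic is protected (Figure 8, high-functionality case)."""

    def __init__(self, capacity: int):
        self.high = deque()
        self.low = deque()
        self.capacity = capacity
        self.dropped = []

    def enqueue(self, pkt: Packet) -> bool:
        if len(self.high) + len(self.low) < self.capacity:
            (self.high if pkt.cos == "high" else self.low).append(pkt)
            return True
        if pkt.cos == "high" and self.low:
            self.dropped.append(self.low.pop())   # evict a queued low packet
            self.high.append(pkt)
            return True
        self.dropped.append(pkt)                  # low arrival, or nothing to evict
        return False


def offered_burst() -> list:
    """Constructed congestion burst: 12 back-to-back 500-byte packets,
    alternating low and high CoS, offered to an 8-packet buffer."""
    return [Packet("low" if i % 2 == 0 else "high", 500) for i in range(12)]


def drops_by_class(queue) -> dict:
    """Offer the burst to a queue and count the drops per CoS."""
    for pkt in offered_burst():
        queue.enqueue(pkt)
    return {"high": sum(p.cos == "high" for p in queue.dropped),
            "low": sum(p.cos == "low" for p in queue.dropped)}


def police_trace() -> list:
    """Constructed trace: contract of 1 Mbit/s (125 bytes/ms) with a 1500-byte
    burst allowance; four 500-byte packets at t=0 ms, two more at t=4 ms."""
    bucket = TokenBucket(rate_bytes_per_ms=125, burst_bytes=1500)
    arrivals = [(0, 500), (0, 500), (0, 500), (0, 500), (4, 500), (4, 500)]
    return [bucket.accept(Packet("high", size), t) for t, size in arrivals]


if __name__ == "__main__":
    print("best endeavours:", drops_by_class(BestEffortQueue(8)))
    print("QoS-aware      :", drops_by_class(CosQueue(8)))
    print("policer        :", police_trace())
```

With the same burst, the tail-drop queue loses two high-priority packets while the QoS-aware queue loses none, which is the protection the manual attributes to IPSP networks.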
Figure 8: Low- and High-Functionality IP Networks (Customer 1 and Customer 2 premises routers, customer access routers and core network routers. Low-functionality case: overuse by one customer leaves other customers starved of bandwidth; contention on the customer access circuit causes high-priority traffic to be dropped; best-endeavours queuing in core routers causes high-priority traffic to be dropped when congestion occurs. High-functionality case: traffic policing ensures that only the contracted traffic quantity is accepted; Diffserv CoS on the access circuit protects high-priority traffic; QoS-aware queuing in core routers selects low-priority traffic to drop and protects high-priority traffic)
3 DATA LINK LAYER PROTOCOLS

3.1 The OSI and TCP/IP Protocol Stacks

The OSI Seven-Layer Reference Model was developed before internetworking based upon the IP protocols became widespread. The developers of the TCP/IP suite produced a five-layer model, where the higher layers of the OSI model are collapsed into a single application layer.

The TCP/IP model can be described as follows:

Layer 1: Physical Layer
Layer 1 deals with the physical network hardware, just as Layer 1 in the OSI Seven-Layer Reference Model does.

Layer 2: Link Layer
Layer 2 protocols deal with how to organize data into frames and how a host transmits these frames over a network. Once again, these protocols are similar to the Layer 2 protocols in the OSI Seven-Layer Reference Model.

Layer 3: Internet Layer
Layer 3 protocols specify the format of the packets which are sent across the Internet, as well as the mechanisms used to forward packets from a computer through one or more ‘routers’ to a final destination.

Layer 4: Transport Layer
Layer 4 protocols in the TCP/IP suite are similar to those in the OSI Seven-Layer Model in that they ensure reliable transfer of messages.

Layer 5: Application Layer
Layer 5 protocols in this model correspond to Layers 5, 6 and 7 in the OSI Model. These protocols specify how an application uses an internet.

TCP/IP can, therefore, be looked upon as a family of protocols, each designed to solve a particular network communication problem.
Figure 9: The TCP/IP Protocol Suite (Application Layer corresponds to OSI Layers 5 to 7; Transport Layer to OSI Layer 4; Internet Layer to OSI Layer 3; Link Layer to OSI Layer 2; Physical Layer to OSI Layer 1)
3.2 The Role of L2 Protocols in the WAN
The Link Layer in an IP network operates immediately below the IP layer, and so provides services to it. Whereas the IP layer is responsible for end-to-end transport of the data between hosts across the network, the link layer is responsible for transport on individual links of the network, between hosts and routers, and between intervening routers.
Link layer protocols normally operate in one of three modes:
• connectionless, across a point-to-point connection
• connectionless, across a shared medium
• connection-oriented, across a virtual circuit-switched network
Figure 10: The Role of Layer 2 Protocols (IP at Layer 3 running between routers over the Layer 2 technologies Ethernet, Token Ring and ATM, in the three modes: connectionless point-to-point, connectionless shared medium, and connection-oriented virtual circuit network)
3.3 The Types of Layer 2 Switching

It is important to understand the distinction between connection-oriented and connectionless Layer 2 networks, as this affects how IP operates across them.

When a traditional shared-medium network such as Ethernet is partitioned using Ethernet switching, the complete network retains the ability to broadcast frames, because ‘Ethernet’ is a connectionless switching technology. The IP layer uses these broadcast frames to discover the address mapping between the IP layer and the connectionless Layer 2 addresses of hosts and interfaces.

The use of switches can improve the performance of ‘Ethernet’ by reducing the number of hosts that share a particular medium. However, this is still connectionless switching, and still retains the ability to use broadcast frames across the entire switched network.

Connection-oriented Layer 2 networks use virtual circuits to connect hosts. They have no ability to send packets to a destination address until the Layer 2 address of the destination is known. Therefore, conventional IP techniques for address resolution between the IP and Layer 2 addresses are not available. Although these connection-oriented Layer 2 technologies are more scalable than the connectionless approaches, the lack of broadcast makes interworking with IP networks more difficult.
3.4 ATM as an L2 Switching Protocol for IP Traffic

ATM is a Layer 2 switching technology that is widely used in public service networks¹. The architectures of IP and ATM are quite different, with different addressing schemes, forwarding approaches and control planes. Therefore little integration between the IP layer and the ATM layer is possible.

Nonetheless, ATM is widely used as a Layer 2 switching technology to carry IP traffic. Typically a set of ATM virtual circuits is established between edge routers, either through signalling, or more usually by configuration from a Network Operations Centre (NOC). Viewed from the perspective of the IP layer, these virtual circuits are simply virtual leased lines that connect adjacent routers. The IP layer has no visibility of the intervening switches. IP views the ATM protocol as just another encapsulation, similar to HDLC or PPP.

In order to route traffic correctly to the other routers across the ATM Wide Area Network (WAN), each edge router must either have static routes configured which point traffic to the correct outbound virtual circuit, or else a conventional routing protocol must run across the WAN between edge routers.

¹ Instead of variable-length frames, ATM uses short, fixed-length cells to transport traffic across the network, since this makes delay and delay variation smaller and more predictable. To convert various types of traffic into cell payloads, ATM requires the use of adaptation functions at the edge of the network. As well as adding any ATM-specific headers or trailers required, the ATM adaptation process segments inbound traffic into cell payloads, and reassembles the original data structures for outbound traffic. Despite this unique aspect of ATM, it can still be considered as a Layer 2 switching technology; the adaptation process is hidden from the IP layer above it.
Figure 11
Simple IP Over ATM
[Figure: two routers with protocol stacks IP / Ether / ATM / Phys, connected through ATM switches (ATM / Phys). Annotations: 1. Establish ATM virtual circuit between pairs of routers; 2. Routers are adjacent at the IP layer, see ATM network as a virtual leased line.]
3.5 Introduction to MPLS
Traditionally, switches have offered greater performance than routers in terms of the speed at which data can be forwarded. However, routers can be configured to make more sophisticated decisions about the processing of datagrams. As well as forwarding a packet based upon destination IP address, a router can also classify packets based upon other header fields, including source address and TCP port numbers. This leads to the argument: why not build a device that combines fast forwarding across the core of a network with classification of packets carried out at the edge of the network? While this is essentially what an IP over ATM approach achieves, the key innovation of the MPLS approach was the use of traditional IP routing protocols to determine how these switched paths should be set up. For the first time, MPLS made available a switching model closely coupled to the IP layer it was intended to support.
The argument leads to the idea of Label Switching Routers (LSRs), devices that integrate the best of both routing and switching. Whereas traditional Layer 2 switching was not integrated with the IP layer, MPLS is closely coupled to the routing and addressing schemes of the IP layer.
Figure 12
MPLS Combines Routing and Switching
[Figure: a Router (sophisticated routing, Layer 3, connectionless) and a Switch (fast switching, Layer 2, connection-oriented) are combined by MPLS into the LSR, an integration of routing and switching.]
3.6 MPLS as an L2 Switching Protocol
There are many similarities between the switching and forwarding operations of LSRs and the switching and forwarding of traditional Layer 2 switching technologies, such as Frame Relay and ATM. MPLS introduces some new terminology for Layer 2 switching:
• a Label Switching Router (LSR) is an MPLS Layer 2 switch
• a Label Switched Path (LSP) is an end-to-end MPLS virtual connection
• an edge-LSR is a special LSR that originates or terminates LSPs, and can classify IP traffic for forwarding across the best LSP
• a Forwarding Equivalence Class (FEC) is a grouping of IP addresses that are treated identically by the LSRs, and are forwarded along a common LSP
3.7 MPLS Forwarding Plane
The MPLS forwarding plane can operate on individual packets arriving at an edge-LSR once an appropriate LSP has been set up. When a packet arrives at the ingress edge-LSR, this router determines the outgoing port and FEC. On the assumption that LSPs have been set up, the edge-LSR will be able to identify the label to be used for the outgoing port and FEC. The edge-LSR appends this label to the received packet and passes this out over the designated port.
The LSR receiving the MPLS packet on a given port will look up the incoming port and label entry within its Label Information Base (LIB). This will produce an outgoing port and label result. The incoming MPLS packet will then have its label swapped for the new label and is then passed out over the outgoing port (with this new label).
The LSRs within the MPLS network (as opposed to the edge-LSRs) therefore need only operate at Layer 2. All LSRs within the MPLS network operate in this manner until the packet arrives at the egress LSR. At the egress LSR, the MPLS label is removed, the packet is passed to Layer 3, and is then routed in the normal router manner. In essence, MPLS allows Layer 3 processing to be pushed to the edge of the MPLS network.
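The label push, swap and pop just described, simulated end to end in Python as an added example that is not part of the manual. The FEC table, LIB entries, port names and label values are constructed assumptions; a port name here identifies a link, so both ends of a link use the same name.

```python
"""MPLS forwarding plane of Section 3.7, simulated end to end (added example, not
from the manual). The FEC table, LIB entries, port names and label values are
constructed; a port name identifies a link, so both ends of a link use the same name.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    dst: str                                     # destination address in the IP header
    labels: list = field(default_factory=list)   # MPLS label stack, top of stack last
    port: str = ""                               # link the packet is currently on


class EdgeLSR:
    """Edge-LSR: classifies IP packets into FECs at ingress, pops the label at egress."""

    def __init__(self, name, fec_table):
        # fec_table: prefix -> (outgoing port, label) for an LSP that is already set up
        self.name = name
        self.fec_table = {ipaddress.ip_network(p): v for p, v in fec_table.items()}

    def classify(self, dst):
        """Most specific FEC (longest prefix) that contains dst, or None."""
        addr = ipaddress.ip_address(dst)
        matches = [net for net in self.fec_table if addr in net]
        return max(matches, key=lambda n: n.prefixlen) if matches else None

    def ingress(self, pkt):
        """Layer 3 work: pick the FEC, push its label, send on the FEC's port."""
        fec = self.classify(pkt.dst)
        if fec is None:
            raise LookupError(f"{self.name}: no LSP for {pkt.dst}, must route at Layer 3")
        out_port, label = self.fec_table[fec]
        pkt.labels.append(label)
        pkt.port = out_port
        return pkt

    def egress(self, pkt):
        """Remove the label and hand the IP packet back to normal Layer 3 routing."""
        pkt.labels.pop()
        pkt.port = ""
        return pkt


class LSR:
    """Core LSR: (incoming port, label) -> (outgoing port, label) via its LIB; never reads the IP header."""

    def __init__(self, name, lib):
        self.name = name
        self.lib = lib

    def forward(self, pkt):
        key = (pkt.port, pkt.labels[-1])
        if key not in self.lib:
            raise LookupError(f"{self.name}: no LIB entry for {key}, packet dropped")
        out_port, out_label = self.lib[key]
        pkt.labels[-1] = out_label                # the label swap
        pkt.port = out_port
        return pkt


def run_lsp(dst):
    """Carry one packet for dst over a constructed edge-A -> LSR-1 -> LSR-2 -> edge-B path.

    Returns the (node, label on the outgoing link) pairs seen along the way; None at
    egress means the packet left the MPLS network as a plain IP packet.
    """
    edge_a = EdgeLSR("edge-A", {"192.4.10.0/24": ("p1", 17), "192.4.0.0/16": ("p2", 18)})
    lsr_1 = LSR("LSR-1", {("p1", 17): ("p3", 25), ("p2", 18): ("p3", 26)})
    lsr_2 = LSR("LSR-2", {("p3", 25): ("p4", 31), ("p3", 26): ("p4", 32)})
    edge_b = EdgeLSR("edge-B", {})

    pkt = edge_a.ingress(Packet(dst))
    trace = [(edge_a.name, pkt.labels[-1])]
    for node in (lsr_1, lsr_2):
        pkt = node.forward(pkt)
        trace.append((node.name, pkt.labels[-1]))
    edge_b.egress(pkt)
    trace.append((edge_b.name, None))
    return trace


if __name__ == "__main__":
    for node, label in run_lsp("192.4.10.3"):
        print(f"{node:7s} label out = {label}")
```

Note that a destination with no matching FEC is refused at the ingress edge-LSR, and a label arriving on an unexpected port has no LIB entry and is dropped; neither case ever consults the IP header inside the core.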
Figure 13
MPLS Forwarding of Packets
[Figure: an IP packet with Header A enters the MPLS network at the upstream edge-LSR, which adds Label A to form an MPLS packet; each LSR performs label swapping (Label A to Label B, Label B to Label C); the downstream edge-LSR removes the label and forwards the IP packet. Edge-LSRs operate at both L2 and L3; LSRs perform label swapping only.]
3.8 MPLS Control Plane
ATM and Frame Relay use a development of traditional ISDN signalling protocols to set up, tear down and manage virtual circuits. This is known as a data driven approach.
MPLS generalizes this approach, and allows LSPs to be set up in several different ways:
• by extensions to traditional IP routing protocols such as Border Gateway Protocol (BGP)
• by a specialized IP signalling protocol, Resource Reservation Protocol (RSVP)
• by a dedicated label distribution protocol operating between LSRs, Label Distribution Protocol (LDP)
However the LSPs are set up, once they are in place, the forwarding and switching operations carried out by LSRs are identical.
Figure 14
MPLS Control Plane Options
[Figure: an IP packet crossing an MPLS network of edge-LSRs and LSRs, with three ways of setting up the LSP: 1. Extensions to the BGP protocol carry LSP information between LSRs; 2. RSVP protocol used to signal the set-up of an LSP, as required by data flows; 3. LDP protocol distributes LSP information between adjacent LSRs. Edge-LSRs operate at both L2 and L3.]
4 THE IP LAYER
4.1 IP Datagram Forwarding
Because IP networks operate a connectionless forwarding model, the routers hold no information about the flow of packets; the routing decision is made independently for each packet arriving at each router along its path. The router makes this decision by comparing the destination address of an incoming packet with the entries already held in its routing table. The most specific match in the routing table to the destination address is used to find the next hop for this packet.
We can see from Figure 15 that the routing table contains three parameters: a Destination field, which contains network addresses, an Address Mask that specifies which bits of the destination correspond to the network ID, and finally a Next Hop field, which contains the IP address of the next router if required.
For example, if we consider a datagram destined for address 192.4.10.3 and assume the datagram arrives at router 2, which contains the routing table shown in Figure 15, the router software will sequentially search the routing table.
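The most-specific-match lookup described in Section 4.1, worked through for Router #2 of Figure 15 as an added example that is not part of the manual. The Destination and Next Hop values are the figure's; the Address Mask column is assumed to be the classful default for each entry, and the 0.0.0.0/0 default route is an added assumption to show why the longest mask must win.

```python
"""Longest-prefix ("most specific") match, as Router #2 in Figure 15 would do it.

Added example, not from the manual. Destination/Next Hop pairs are read from
Figure 15; the Address Mask column is assumed to be the classful default for each
entry, and the default route 0.0.0.0/0 via 40.0.0.7 is an added assumption.
"""
import ipaddress

# Simplified routing table for Router #2: (destination, address mask, next hop).
# "Direct" means the destination network is attached to one of the router's own interfaces.
ROUTER2_TABLE = [
    ("40.0.0.0",   "255.0.0.0",     "Direct"),
    ("30.0.0.0",   "255.0.0.0",     "40.0.0.7"),
    ("128.1.0.0",  "255.255.0.0",   "Direct"),
    ("192.4.10.0", "255.255.255.0", "128.1.0.9"),
    ("0.0.0.0",    "0.0.0.0",       "40.0.0.7"),   # assumed default route (matches everything)
]


def build_table(rows):
    """Convert dotted-decimal rows into (network, next hop) pairs, longest mask first."""
    table = []
    for dest, mask, next_hop in rows:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=True)
        table.append((net, next_hop))
    # Sorting by prefix length, longest first, means the first hit is the most specific match;
    # without this the default route would swallow every datagram.
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def next_hop(table, destination):
    """Return (matched network, next hop) for a datagram addressed to destination, or None."""
    addr = ipaddress.ip_address(destination)
    for net, hop in table:
        if addr in net:              # equivalent to (addr AND mask) == network address
            return str(net), hop
    return None                      # no route: the datagram is dropped by the router


def lookup(destination, rows=ROUTER2_TABLE):
    """Sequential search of Router #2's table for one destination address."""
    return next_hop(build_table(rows), destination)


if __name__ == "__main__":
    for dst in ("192.4.10.3", "30.0.0.7", "128.1.0.44", "8.8.8.8"):
        print(dst, "->", lookup(dst))
```

The worked datagram for 192.4.10.3 matches 192.4.10.0/24 and is sent to 128.1.0.9 (Router #3); without the assumed default route an address outside all four networks gets no match at all.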
Figure 15
IP Datagram Forwarding
[Figure: Router #1 (interfaces 30.0.0.7 and 40.0.0.7) joins networks 30.0.0.0 and 40.0.0.0; Router #2 (40.0.0.8 and 128.1.0.8) joins 40.0.0.0 and 128.1.0.0; Router #3 (128.1.0.9 and 192.4.10.9) joins 128.1.0.0 and 192.4.10.0, on which host 192.4.10.3 sits.]
Simplified Routing Table For Router #2 (as reconstructed from the figure):
Destination    Next Hop
40.0.0.0       Direct
30.0.0.0       40.0.0.7
128.1.0.0      Direct
192.4.10.0     128.1.0.9
4.2 IP Address Classes
The problem with using an IP Address containing network IDs and host IDs is deciding how big to make each field. If the network ID field is too small (limited permutations), only a few networks will be able to be connected to the Internet and still ensure that each has a unique address; yet should the network ID field be increased, then the host ID will have to be reduced and only a few computers will be able to be connected to a particular network with a given network ID. As an internet is likely to include various types of network technologies, one given structure of an IP Address is not appropriate. The developers of IP therefore chose a compromise in the IP addressing scheme that is able to accommodate both large and small networks.
This scheme divides the IP Address (32 bits) into three primary classes where each class has a different-size network ID and host ID. The first four bits of an IP Address determine which class the address belongs to, and how much of the remainder of the 32 bits have been divided into network and host addresses.
Although IP Addresses are 32 bits in length, they are seldom represented in binary format but instead use a dotted decimal notation. This method of representation takes the four 8-bit sections (octets) and represents each as a decimal number. The ‘.’ sign is used to separate each of the four decimal numbers. For example, the 32-bit binary code:
10000100 00110000 00000110 00000000
has the dotted decimal notation:
132.48.6.0
Since each octet can have a maximum decimal value of 255, IP addresses can range from:
0.0.0.0 to 255.255.255.255
Figure 16
IP Address Classes
[Figure: the 32-bit address layout of each class. Class A: leading bit 0, then Network ID and Host ID. Class B: leading bits 10, then Network ID and Host ID. Class C: leading bits 110, then Network ID and Host ID. Class D: leading bits 1110, Multicast. Class E: leading bits 1111, Experimental. Example: 132.48.6.0 is a Class B address.]
4.3 IP Subnet Masks
A subnet mask is applied to the IP address to determine which part of the 32-bit address makes up the network address, and which part constitutes the host address. Figure 17a shows the default subnet masks for Class A, B and C networks, and Figure 17b shows how it is applied to a Class B network.
When sending packets, a host or router needs to determine if the IP address of the destination host is on the local or a remote network. When TCP/IP initializes, the host’s IP address is ANDed with its subnet mask, and the result stored. When sending data to another host the destination IP address is also ANDed with the local host’s subnet mask. If the resulting values match (see Figure 17c), the destination host is on the local network; if not, the datagram is sent to the source host’s default router.
Figure 17
IP Subnet Masks and Determination of a Packet’s Destination
Figure 17a Default Subnet Masks
Address Class   Bits used for Subnet Mask                Dotted Decimal Notation
Class A         11111111 00000000 00000000 00000000      255.0.0.0
Class B         11111111 11111111 00000000 00000000      255.255.0.0
Class C         11111111 11111111 11111111 00000000      255.255.255.0
Figure 17b Example of a Class B Subnet Mask
IP Address 132.48.6.0 with Subnet Mask 255.255.0.0: Network ID = 132.48.x.x, Host ID = x.x.6.0
Figure 17c Determination of a Packet’s Destination
The destination host’s IP address is ANDed with the local subnet mask: 1 AND 1 = 1, other combinations = 0. If the ANDed results of the source and destination hosts match, the destination is local.
IP Address     10000100 00110000 00000110 00000000   (132.48.6.0)
Subnet Mask    11111111 11111111 00000000 00000000   (255.255.0.0)
Result         10000100 00110000 00000000 00000000   (132.48.0.0)
4.4 Network and Host Addresses
Relating the dotted decimal notation method to the different classes of IP address, we can see that the first octet will carry the information necessary to determine the IP class of the host.
The IP class scheme does not divide the 32-bit address space into equal size classes and these classes do not contain equal numbers of networks. For example, half of all IP addresses lie within Class A, as this class is represented by a zero in the first bit position. Therefore, since Class A addresses only have eight bits to represent the network ID and one of these is used to indicate this is an A class address, there only remain seven bits to indicate the network. In other words, a Class A address can only account for a maximum of 128 different networks. However, the host ID in a Class A address is made up of 24 bits, which allows up to 16,777,216 computers to be connected to each of the 128 networks.
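Sections 4.2 to 4.4 together, as an added example that is not part of the manual: dotted-decimal conversion, class determination from the leading bits of the first octet, the default mask, the AND test that decides local versus remote, and the per-class network and host counts. The counts follow Figure 18b and the Note in Section 4.6, which exclude the all-zero and all-ones values; the sample addresses other than the manual's 132.48.6.0 are constructed.

```python
"""IP address classes and subnet masks from Sections 4.2 to 4.4 (added example, not
from the manual). 132.48.6.0 is the manual's worked value; other addresses are constructed.
"""

CLASS_BITS = {"A": (1, 8), "B": (2, 16), "C": (3, 24)}   # (class indicator bits, bits in prefix)
DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}   # Figure 17a


def to_binary(dotted):
    """Dotted decimal -> four 8-bit groups, e.g. '10000100 00110000 00000110 00000000'."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal IPv4 address: {dotted!r}")
    return " ".join(f"{o:08b}" for o in octets)


def to_dotted(binary):
    """Inverse of to_binary: '10000100 00110000 00000110 00000000' -> '132.48.6.0'."""
    return ".".join(str(int(group, 2)) for group in binary.split())


def address_class(dotted):
    """Class from the leading bits of the first octet (Figure 16): 0 A, 10 B, 110 C, 1110 D, 1111 E."""
    first = int(dotted.split(".")[0])
    if first & 0b10000000 == 0:
        return "A"
    if first & 0b11000000 == 0b10000000:
        return "B"
    if first & 0b11100000 == 0b11000000:
        return "C"
    if first & 0b11110000 == 0b11100000:
        return "D"
    return "E"


def default_mask(dotted):
    """Default (classful) subnet mask; classes D and E carry no network/host split."""
    cls = address_class(dotted)
    if cls not in DEFAULT_MASK:
        raise ValueError(f"class {cls} address {dotted} has no default subnet mask")
    return DEFAULT_MASK[cls]


def network_id(dotted, mask):
    """Bitwise AND of address and mask, octet by octet, as in Figure 17c."""
    pairs = zip(map(int, dotted.split(".")), map(int, mask.split(".")))
    return ".".join(str(a & m) for a, m in pairs)


def is_local(src, dst, mask):
    """True when src and dst AND to the same network ID, i.e. dst is on the local network;
    otherwise the datagram must go to the source host's default router."""
    return network_id(src, mask) == network_id(dst, mask)


def class_capacity(cls):
    """(maximum networks, maximum hosts per network) as in Figure 18b: the all-zero and
    all-ones network and host numbers are reserved, hence the '- 2' in each term."""
    indicator, prefix = CLASS_BITS[cls]
    return 2 ** (prefix - indicator) - 2, 2 ** (32 - prefix) - 2


if __name__ == "__main__":
    host = "132.48.6.0"
    mask = default_mask(host)
    print(host, "=", to_binary(host), "class", address_class(host), "mask", mask)
    for dst in ("132.48.200.17", "132.49.0.1"):
        print(dst, "local" if is_local(host, dst, mask) else "remote (via default router)")
    for cls in "ABC":
        print("class", cls, "networks/hosts:", class_capacity(cls))
```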
4.5 Control of IP Addresses
As we have already determined, each network ID must be unique and as such all networks connecting to the global Internet must have their own unique network address. Therefore, if an organization wishes to connect its network to the Internet, it must obtain a network address from an ISP. The ISPs obtain network numbers through a system of approved Internet registries, who ensure that numbers are globally unique.
In the case of a private internet (intranet), the choice of the IP Address can be made by the organization, although no two computers may have the same address. It is difficult and time-consuming to renumber a large IP network, and historically problems have occurred when private IP networks have subsequently connected to the public Internet, and found that address conflicts occurred. For this reason, a group of class A, B and C addresses were reserved for private use in RFC 1918, and organizations often use these addresses for private IP networks, whether connected to the public Internet or not.
Figure 18a
IP Address Classes and Dotted Decimal Notation
Class   Range of Values (first octet)
A       0 – 127
B       128 – 191
C       192 – 223
D       224 – 239
E       240 – 255
Figure 18b
Network/Host Numbers
Address Class   Bits in Prefix   Maximum number of Networks   Bits in Suffix   Maximum number of Hosts per Network
A               8                126                          24               16777214
B               16               16382                        16               65534
C               24               2097150                      8                254
4.6 Network and Host Addresses
In summary, when assigning a network ID, a number must be selected from either Class A, B or C depending upon the size of the physical network. In real terms, a network will be assigned a Class C address ((256 – 2) hosts per network) unless a Class B is needed ((65,536 – 2) hosts). Class A addresses are seldom assigned.
Figure 19 shows a possible configuration when connecting four networks together; a small network (Class C), two medium size networks (Class B), and one large network (Class A). Thus, the four networks may have the following IP Addresses:
Class A 11.0.0.0
Class B 128.27.0.0 and 145.56.0.0
Class C 195.34.127.0
Note: IP reserves the host address set to zero and uses it to denote the network address. Likewise the all 1s host address is used for broadcasts to all hosts. These addresses cannot be assigned to any host on that particular network.
As we can see, all host computers connected to each network carry the same network ID. However, the host ID will be different for each of the hosts connected to that network.
Figure 19
Example Network with IP Addressing
[Figure: four networks joined by a router. Network ‘A’, prefix = 10, with hosts 10.0.127.16 and 10.18.74.15; network ‘B’, prefix = 145.56, with hosts 145.56.74.118 and 145.56.19.4; network ‘B’, prefix = 128.27, with hosts 128.27.0.18 and 128.27.0.19; network ‘C’, prefix = 195.34.127, with hosts 195.34.127.48 and 195.34.127.13.]
Figure 20
An Example of IP Subnetting
Traditional Class C address 192.168.0.0/24 has:
X.X.X.0 = network address
X.X.X.1 to X.X.X.254 = host address space (2^8 - 2 = 254 host addresses)
X.X.X.255 = broadcast address
Subnetting on the /29 boundary (last octet nnnnnhhh: 5 subnet bits, 3 host bits):
each subnetwork has 2^3 - 2 = 6 host addresses
total number of subnets is 2^5 - 2 = 30
Example subnets: 192.168.0.8/29, 192.168.0.16/29, 192.168.0.24/29
4.9 Classless Interdomain Routing (CIDR)
Subnetting allows more efficient use of a traditional class-based IP network within an organization, by allowing it to be subdivided. However traditional subnetting does not propagate through the Internet routing tables, because routes are summarized back to their classful form at the administrative boundary of the network. Therefore Internet routing tables in this model must contain separate routes for each assigned class A, B or C address.
In the mid-1990s, the size of Internet routing tables was growing massively, to the point where performance of the backbone networks was affected. It was realized that much of the fine-grained detail in Internet routing tables was redundant, and that a more flexible hierarchy should be imposed, by allowing routes for smaller networks to be aggregated together before they were advertised into the public Internet. This also allows more efficient use of available IP addresses by allocating blocks of class C addresses rather than a single class B, and by subnetting class A and B networks into smaller allocations, rather than offering an entire classful network to an enterprise.
CIDR is essentially a generalization of the subnetting concept². To make CIDR effective, it was necessary to impose some geographical structure on the IP address space, so that aggregation could be as effective as possible. As a result of a policy change, IP addresses are now assigned in blocks through a hierarchy of SPs. In general, large blocks of IP addresses are allocated to regional registries, which will in turn assign smaller blocks of address space to SPs, which will in turn assign yet smaller blocks to ISPs. Finally, individual users will rent IP addresses from their respective ISP.
² CIDR allows larger networks to be subdivided, and smaller networks to be aggregated together into a single routing table entry, in a flexible way, by using Variable Length Subnet Masks (VLSM). By carrying these VLSM values in routing protocol updates, and within routing tables, it allows the VLSM structure to propagate across the Internet between domains, instead of reverting to classful networks at the boundaries, according to the original subnetting model.
Figure 21
IP Address Blocks
[Figure: IANA and the IR allocate Block A and Block B to major ISPs, which assign sub blocks of A and sub blocks of B to smaller ISPs; users lease IP addresses from them.]
Regional address blocks (Reference RFC 1518):
Area                    Address
Multiregional           192.0.0.0-193.255.255.225
Europe                  194.0.0.0-195.255.255.225
Others                  196.0.0.0-197.255.255.225
North America           198.0.0.0-199.255.255.225
Central/South America   200.0.0.0-201.255.255.225
Pacific Rim             202.0.0.0-203.255.255.225
Others                  204.0.0.0-205.255.255.225
Others                  206.0.0.0-207.255.255.225
4.10 CIDR Example
A common use of both subnetting and CIDR occurs where an SP wants to offer a few public network IP addresses to a small business network, for example as part of a business ADSL offering, where the customer may host some servers at their premises.
In the example shown in Figure 22, the SP has subnetted a class C address into 30 subnets, each with 6 host addresses, by subnetting at the /29 boundary. The detail of one such subnet is shown, where the subscriber has 5 host addresses available, in addition to the IP address needed for the ADSL router on the customer premises. In total 120 customer subnets are available from the 4 class C addresses shown.
Within the SP network, rather than advertise the individual class C addresses, the SP instead aggregates the 4 networks into a new /22 route advertisement, and passes this into the Internet routing tables.
In this example, traffic for all of the customer networks shown would be represented by a common /22 routing entry within the Internet until it reached the SP network. Individual /24 routing table entries in router A would direct it to the correct customer access router, in our example router B. Router B would then direct traffic to the correct customer network using /29 entries in its routing table.
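The subnetting of Figure 20 and the aggregation and three-level lookup of Sections 4.9 and 4.10, carried out with Python's ipaddress module as an added example that is not part of the manual. The four /24 networks are the manual's; which host in each /29 is the customer's ADSL router is an assumption made to match the text (5 customer hosts plus the router).

```python
"""Subnetting on the /29 boundary and CIDR aggregation into a /22, following
Figure 20 and Section 4.10 (added example, not from the manual).

Network numbers are the manual's (192.168.0.0/24 to 192.168.3.0/24); the choice of
the first host address in each /29 for the customer's ADSL router is an assumption.
"""
import ipaddress

SP_CLASS_C_BLOCKS = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]


def customer_subnets(class_c, new_prefix=29):
    """Subnet one /24 on the /29 boundary.

    Drops the all-zeros and all-ones subnet numbers, which is why the manual counts
    2**5 - 2 = 30 usable subnets rather than 32.
    """
    net = ipaddress.ip_network(class_c)
    subnets = list(net.subnets(new_prefix=new_prefix))
    return subnets[1:-1]


def subnet_plan(subnet):
    """Describe one customer /29: network, the ADSL router address, usable hosts, broadcast."""
    hosts = list(subnet.hosts())        # ipaddress already excludes network and broadcast
    return {
        "network": str(subnet),
        "router": str(hosts[0]),        # assumption: the customer-premises router takes the first host address
        "hosts": [str(h) for h in hosts[1:]],
        "broadcast": str(subnet.broadcast_address),
    }


def aggregate(networks):
    """Collapse contiguous, aligned networks into the fewest CIDR routes (four /24 -> one /22)."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def route_for(destination, sp_networks):
    """The three lookups of Section 4.10: /22 in the Internet, /24 in router A, /29 in router B."""
    addr = ipaddress.ip_address(destination)
    internet = [r for r in aggregate(sp_networks) if addr in ipaddress.ip_network(r)]
    if not internet:
        raise LookupError(f"{destination} is not covered by any route the SP advertises")
    router_a = next(n for n in sp_networks if addr in ipaddress.ip_network(n))
    router_b = next((str(s) for s in customer_subnets(router_a) if addr in s), None)
    if router_b is None:
        # The address lies in the dropped all-zeros or all-ones /29 of that /24.
        raise LookupError(f"{destination} falls in a subnet not assigned to any customer")
    return internet[0], router_a, router_b


if __name__ == "__main__":
    print("Internet advertisement:", aggregate(SP_CLASS_C_BLOCKS))
    subs = customer_subnets("192.168.0.0/24")
    print(len(subs), "customer subnets per /24,", len(subs) * len(SP_CLASS_C_BLOCKS), "in total")
    print(subnet_plan(subs[1]))          # 192.168.0.16/29, as in Figure 20
    print(route_for("192.168.0.20", SP_CLASS_C_BLOCKS))
```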
Figure 22
An Example of CIDR
[Figure: within the Internet the SP’s four class C networks are routed on the single 192.168.0.0/22 entry (CIDR route aggregation at this layer, beyond the conventional Class C boundary). Router RA routes on the individual /24 entries 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 (route summarization up to the conventional Class C boundary at this layer). Router RB routes on the /29 customer subnets, shown as 198.164.0.8/29, 198.164.0.16/29, 198.164.0.24/29 and 198.164.0.32/29; within 198.164.0.16/29 the customer addresses .17 to .22 are shown.]
5 THE TRANSPORT LAYER
5.1 Introduction
The transport layer of the TCP/IP Protocol Suite comprises two protocols: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).
Fundamentally, the services offered by TCP are reliable and connection-oriented, whereas UDP provides a best efforts, connectionless service.
Figure 23
TCP/IP Suite
APPLICATION LAYER (OSI Layer 5 – 7)
TRANSPORT LAYER (OSI Layer 4): Transmission Control Protocol, User Datagram Protocol
INTERNET LAYER (OSI Layer 3): Internet Control Messaging Protocol, Internet Protocol, Address Resolution Protocol
LINK LAYER (OSI Layer 2): Link Layer Protocols
PHYSICAL LAYER (OSI Layer 1): Physical Networks
5.2 The Functions of Transmission Control Protocol (TCP)
The Transmission Control Protocol (TCP) provides a highly reliable transport service. Applications such as FTP and HTTP that require reliable transport services use the TCP protocol. TCP offers several key features as shown below.
5.2.1 Connection-Oriented
TCP provides a connection-oriented service in which an application must first establish a connection to the destination before any data is transferred. TCP requires that both applications creating a connection agree to the new connection.
5.2.2 Error Control
TCP ensures that data sent across a connection is error free and in the correct sequence. It does this by including sequence numbers within the protocol header, and requesting retransmission of lost or corrupted packets.
5.2.3 Flow Control
TCP measures the throughput of traffic between TCP applications, and tries to maximise the bandwidth available. When packets are lost in transit, TCP assumes this is due to congestion, and slows down its transmission rate. When packets are arriving successfully, TCP assumes more bandwidth is available, and increases its transmission rate. In this way, TCP is always trying to get the maximum available bandwidth from the network.
5.2.4 TCP Port Addressing
Within an IP network, data is routed according to its IP address, with no distinction made regarding the user or process on the destination host. The Transport Layer extends the TCP/IP protocol suite to distinguish between applications on a given host. These ports are known as ‘Protocol Ports’ and can be addressed using the 16 bits in the Source and Destination Port address fields. These 16 bits can describe 65,536 possible ports on the host.
Figure 24
TCP Functions
[Figure: the TCP header drawn 4 octets per row, bits 7 to 0 within each octet.]
Octets 0-1     Source Port
Octets 2-3     Destination Port
Octets 4-7     Sequence Number
Octets 8-11    Acknowledgement Number
Octet 12       Data Offset, Reserved
Octet 13       Reserved, URG, ACK, PSH, RST, SYN, FIN
Octets 14-15   Window
Octets 16-17   Checksum
Octets 18-19   Urgent Pointer
Octets 20-23   Options (Optional), Padding
Functions shown: Connection-oriented; Error control; Flow control; Source and destination ports.
5.3 The Functions of User Datagram Protocol (UDP)
User Datagram Protocol (UDP) provides Application Layer Services with a transaction-oriented, datagram-type service that is connectionless and unreliable. It is a simple and efficient protocol that is stateless, and so ideal for such applications as Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP) and queries to the Domain Name System (DNS).
The UDP protocol is extremely simple, and this is reflected in the protocol fields of UDP. As for TCP, the UDP protocol carries source and destination port values, so that traffic can be directed to the correct applications on machines running multiple simultaneous sessions. The Checksum field allows corrupted data to be detected and (silently) discarded, but UDP does not have the error recovery mechanisms of TCP. Responsibility for error recovery lies with the higher layer protocol that is using the UDP service in this case.
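The header layouts of Figures 24 and 25, as the parsers a packet-inspection tool would need to recover the ports, flags and payload of Sections 5.2.4 and 5.3; this is an added example that is not part of the manual, and the two sample segments are constructed byte strings.

```python
"""Decoding the TCP and UDP headers laid out in Figures 24 and 25 (added example,
not from the manual). SAMPLE_TCP_SYN and SAMPLE_UDP are constructed byte strings.
"""
import struct

# Flag bits of octet 13 from least significant upwards (Figure 24 lists them URG..FIN, left to right).
TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")


def parse_tcp(segment):
    """Decode the fixed 20-octet TCP header plus any options and padding."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    fields = struct.unpack("!HHIIBBHHH", segment[:20])     # network (big-endian) byte order
    sport, dport, seq, ack, off_res, flags, window, checksum, urgent = fields
    data_offset = (off_res >> 4) * 4          # Data Offset is in 32-bit words; reserved bits ignored
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError(f"bad data offset {data_offset} for {len(segment)}-octet segment")
    return {
        "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack,
        "flags": [name for bit, name in enumerate(TCP_FLAGS) if flags & (1 << bit)],
        "window": window, "checksum": checksum, "urgent": urgent,
        "options": segment[20:data_offset],   # Options (Optional) and Padding
        "payload": segment[data_offset:],
    }


def parse_udp(datagram):
    """Decode the 8-octet UDP header; Message Length covers header and data together."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, checksum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError(f"bad UDP length {length} for {len(datagram)}-octet datagram")
    return {"src_port": sport, "dst_port": dport, "length": length,
            "checksum": checksum, "payload": datagram[8:length]}


# Constructed TCP SYN from ephemeral port 49152 to HTTP (80): data offset 6 words (24 octets),
# one MSS option (kind 2, length 4, value 1460), no payload.
SAMPLE_TCP_SYN = (struct.pack("!HHIIBBHHH", 49152, 80, 0x1000, 0, 6 << 4, 0x02, 65535, 0, 0)
                  + bytes([2, 4, 0x05, 0xB4]))
# Constructed UDP datagram from port 53000 to DNS (53): length 8 + 5 octets of dummy payload.
SAMPLE_UDP = struct.pack("!HHHH", 53000, 53, 13, 0) + b"query"

if __name__ == "__main__":
    print(parse_tcp(SAMPLE_TCP_SYN))
    print(parse_udp(SAMPLE_UDP))
```

Both parsers reject a header whose length fields point past the bytes actually received, the check a decoder needs before trusting the offsets in a packet it did not generate.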
Figure 25
UDP Functions
[Figure: the UDP header drawn 4 octets per row, bits 0 to 7 within each octet.]
Octets 0-1   Source Port
Octets 2-3   Destination Port
Octets 4-5   Message Length
Octets 6-7   Checksum
Functions shown: Connectionless; No error control; No flow control; Source and destination ports.
6 THE DOMAIN NAME SYSTEM (DNS)
6.1 The Role of the DNS
To a human, identifying hosts on a network by their IP address is not easy. IP addresses are difficult to remember and do not convey any meaning about the respective host. Humans find it far easier to remember names, and if the name indicates the role of the host, it can also be used to convey meaning.
In the 1980s there were only a few hundred hosts on the ARPANET. The computer name-to-IP mapping was held in a single file called Hosts.txt on a server at the Stanford Research Institute Network Information Centre (SRI-NIC).
This was manually updated. If details of a host changed, the SRI-NIC was called and asked to change the file. As the network grew this system became too difficult to administer.
DNS was designed as a distributed database using a hierarchical name structure to overcome this problem.
Figure 26
Domain Name System (DNS)
[Figure: the DNS tree, with the Root at the top, Domains beneath it and Sub-Domains beneath each Domain.]
6.2 The Overall Architecture of the DNS
The root domain of the Internet is represented by a single period (.), and the Internet Corporation for Assigned Names and Numbers (ICANN) manages the operation of the root servers that resolve for all domains beneath the root. Beneath this root are the Top Level Domains (TLDs) that may be global or contain a country code (ccTLDs).
Some examples of these domains, and their intended use, are given in Figure 27, and described below:
com Commercial organizations such as: America OnLine (aol.com), British Telecom (bt.com) and Wray Castle (wraycastle.com)
edu Educational institutions (namely colleges and universities in USA)
net Networking organizations such as the central network concerning the Internet, i.e. InterNIC (Internet Network Information Centre) – internic.net
org Non-commercial organizations such as the Internet Engineering Task Force (IETF) at ietf.org
Recently some new TLDs have been created, including the .biz TLD, which is intended to be broadly equivalent to the popular .com domain.
As might be expected, the Internet namespace is extremely inefficient, with even very small businesses wanting a second level domain.
Overall control of the Domain Name System is within ICANN. The central IR is held on INTERNIC.NET, which is in North America and is responsible for networks in this area and other unspecified parts of the world. Europe and Asia-Pacific are two specified areas and as such have their own registries. These are RIPE NCC (or ripe.net) and APNIC (or apnic.net) respectively.
Figure 27
The Hierarchy of the Internet DNS
[Figure: root at the top; beneath it the TLDs .biz, .com, .edu, .net, .org and .uk; second-level examples wraycastle.com under .com and telecoms-engineering.net under .net; under .uk the .co.uk and .ac.uk domains, with wraycastle.co.uk under .co.uk.]
6.3 DNS Operation
The DNS is a client/server-distributed database management system. The client is known as the ‘Resolver’. It passes name requests that contain queries to a server known as the ‘Name Server’. These name servers are grouped into logical levels known as ‘Domains’.
DNS is analogous to a telephone book. You look up the name of the person you want to call, and read across to get the telephone number. Using DNS, the resolver passes the name to the name server, which runs a query on the database to return the IP address. The host name queried must be in the form of a Fully Qualified Domain Name (FQDN).
6.4 Zones of Authority
The implementation of the DNS uses the concept of Zones of Authority to make administration of the hierarchy easier. The zone of authority is the portion of the domain for which a particular primary name server is responsible. It stores all mappings for the zone and answers queries for those names. The name server’s zone of authority covers at least one domain, known as the zone root domain. The zone of authority may also cover sub-domains.
The zone does not necessarily cover all the sub-domains under the root domain, but the zone must be contiguous. So in the example shown in Figure 28, the zone 1 database does not contain name-to-IP address mapping for machines in the sales domain, although the sales domain is a sub-domain of the wraycastle domain.
A single DNS server can be configured to manage one or more zone files.
Figure 28
DNS Zones of Authority
[Figure: under .com, the zone 1 database covers wraycastle.com and development.wraycastle.com; the zone 2 database covers sales.wraycastle.com.]
6.5 Name Resolution
The operation of a DNS query to resolve the IP address of a web server within an example domain, ‘wraycastle.com’, is shown in Figure 29.
1 The client sends a query to its local name server, requesting the IP address of www.wraycastle.com.
2 The local name server checks its zone for the name www.wraycastle.com. It then sends an iterative query for this name to the root server.
3 The root server has authority for the root domain and will reply with the IP address of the .com top-level domain name server. It returns this to the local server.
4 The local server sends an iterative query to the .com name server for www.wraycastle.com. The name server responds with the IP address of the wraycastle.com name server.
5 The local server sends an iterative query to the wraycastle.com name server for the full address. The wraycastle.com server sends the IP address of www.wraycastle.com back to the local server.
6 The local server sends the IP address for www.wraycastle.com back to the original resolver.
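The six-step exchange above, and the caching behaviour described later under Caching Servers/Forwarders, can be modelled in a few lines. This is an added example, not code from the manual: the zone contents, the server names and all addresses (taken from the 192.0.2.0/24 documentation range) are constructed, and each authoritative server answers only from its own zone, referring the local name server onwards exactly as the figure shows.

```python
"""Iterative DNS resolution by a local name server, with a TTL cache.

Added example: the zone data and server addresses are constructed (the
192.0.2.0/24 documentation range), not real DNS data for these names.
"""
from typing import Dict, List, Optional, Tuple

# Each authoritative server holds only its own zone: owner name -> records.
ZONES: Dict[str, Dict[str, List[Tuple[str, str]]]] = {
    ".": {  # root zone: delegation of .com plus glue for its server
        "com.": [("NS", "ns.com-servers.example.")],
        "ns.com-servers.example.": [("A", "192.0.2.1")],
    },
    "com.": {  # .com zone: delegation of wraycastle.com plus glue
        "wraycastle.com.": [("NS", "ns0.magic-moments.com.")],
        "ns0.magic-moments.com.": [("A", "192.0.2.2")],
    },
    "wraycastle.com.": {  # the organization's own zone
        "www.wraycastle.com.": [("A", "192.0.2.3")],
    },
}
ROOT_SERVER = "192.0.2.0"  # hypothetical root server address
SERVER_ZONES = {"192.0.2.0": ".", "192.0.2.1": "com.", "192.0.2.2": "wraycastle.com."}


def _suffixes(name: str) -> List[str]:
    """'www.wraycastle.com.' -> ['www.wraycastle.com.', 'wraycastle.com.', 'com.', '.']"""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]


def query_server(server_ip: str, qname: str):
    """One non-recursive (iterative) query. The server answers from its own
    zone, or refers the querier to the closest delegation it knows about."""
    zone_name = SERVER_ZONES[server_ip]
    zone = ZONES[zone_name]
    for rtype, data in zone.get(qname, []):
        if rtype == "A":
            return "answer", data
    for suffix in _suffixes(qname):
        if suffix == zone_name:
            continue  # never refer to ourselves
        ns_names = [d for t, d in zone.get(suffix, []) if t == "NS"]
        if ns_names:
            glue = [d for t, d in zone.get(ns_names[0], []) if t == "A"]
            return "referral", (suffix, ns_names[0], glue[0])
    return "nxdomain", None


def iterative_resolve(qname: str, root_ip: str = ROOT_SERVER, max_hops: int = 8):
    """Walk referrals from the root (steps 2-5 of Figure 29).
    Returns (address or None, trace of (server, response kind))."""
    qname = qname.rstrip(".") + "."
    server, trace = root_ip, []
    for _ in range(max_hops):  # bounded so a broken delegation cannot loop forever
        kind, payload = query_server(server, qname)
        trace.append((server, kind))
        if kind == "answer":
            return payload, trace
        if kind == "nxdomain":
            return None, trace
        _zone, _ns_name, server = payload
    raise RuntimeError("referral chain too long")


class CachingResolver:
    """The local name server: recursive for its clients, iterative upstream,
    and caching positive answers for a fixed TTL (steps 1 and 6)."""

    def __init__(self, ttl: float = 300.0):
        self.ttl = ttl
        self.cache: Dict[str, Tuple[str, float]] = {}  # name -> (address, expiry)
        self.upstream_queries = 0

    def resolve(self, qname: str, now: float = 0.0) -> Tuple[Optional[str], bool]:
        """Returns (address, served_from_cache)."""
        qname = qname.rstrip(".") + "."
        hit = self.cache.get(qname)
        if hit and hit[1] > now:
            return hit[0], True
        addr, trace = iterative_resolve(qname)
        self.upstream_queries += len(trace)
        if addr is not None:
            self.cache[qname] = (addr, now + self.ttl)
        return addr, False
```

Calling `CachingResolver().resolve("www.wraycastle.com")` costs three upstream queries the first time (root, .com, wraycastle.com) and none until the cache entry's TTL passes; a name that no server knows comes back as `None` and is deliberately not cached here.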
[Figure 29 diagram: Name Resolution. The host sends (1) a query to its local name server: "what is the IP address of www.wraycastle.com". The local name server sends (2) "request address www.wraycastle.com" to the root name server, which replies (3) "refer to .com name server". The local name server sends (4) the same request to the .com name server, which replies "refer to wraycastle.com name server". It then sends (5) the request to the wraycastle.com name server, whose RESPONSE = address of www.wraycastle.com. Finally the local name server returns (6) the answer to the host: "The IP address of www.wraycastle.com is 217.199.161.3".]
Figure 29
Name Resolution
6.6 DNS Implementation
6.6.1 DNS Data Structure
The commonest use of the DNS is to map from a Fully Qualified Domain Name (FQDN) to the corresponding IP address of the host, or vice versa, as shown in the previous diagram. In fact each entry in the DNS can have a large number of properties associated with it. Each property is stored as a set of four parameters:
• the Type field indicates which parameter is stored
• the Class field indicates the protocol family
• the Time To Live (TTL) field indicates for how long the data may be cached by a resolver or other cache before a fresh request should be made to the definitive source of the data
• the Data field holds the actual parameter value
Most records of interest are of class IN, for Internet. The data field might be an IP address, or a FQDN, or other field, depending upon the type of parameter being stored.
6.6.2 Commonly Used DNS Entries
Figure 30 shows a few of the key parameters commonly accessed in the DNS, together with how these might be used in forwarding an e-mail. In this example, an organization has its own domain name, but uses a commercial hosting service for its e-mail and web presence.
• the A field gives the IPv4 address of a named host
• the MX field gives the FQDN of a Mail eXchange (i.e. a mail forwarder or server)
• the CNAME field gives the canonical name matching an alias, in other words the actual definitive name for a host
• the TXT field gives free-form text related to the host, for example its type or location
Another key entry in the DNS is the Start of Authority (SOA) record. The SOA gives various times and sequence numbers that are important in controlling for how long any downstream server caches the information it obtains from a zone transfer.
> dig -t MX wraycastle.com

wraycastle.com            43049   IN   MX   10 wray-ltd.demon.co.uk
wraycastle.com            43049   IN   MX   20 etrn.magic-moments.com
wraycastle.com           172616   IN   NS   NS0.magic-moments.com
wraycastle.com           172616   IN   NS   NS1.magic-moments.com
NS0.magic-moments.com     34155   IN   A    217.199.161.27
NS1.magic-moments.com     25665   IN   A    212.67.202.220
.
.

Columns: name, Time to Live (TTL) in seconds, Class, Type, Data.

Record types shown:
A:      IPv4 address
MX:     Mail eXchanger
CNAME:  Canonical Name
TXT:    Free-form textual information
NS:     Name server

Figure 30
Data Structures Within the DNS
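The four-parameter record structure (and the MX preference ordering an MTA would follow) can be checked by parsing dig's own presentation format. This is an added example, not part of the manual; the sample text below is constructed from the values shown in Figure 30 and the section headers dig prints, and should be treated as illustrative rather than live DNS data.

```python
"""Parse dig-style resource records into (name, TTL, class, type, data).

Added example: SAMPLE_DIG_OUTPUT is constructed from the values in Figure 30.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ResourceRecord:
    name: str     # owner name, lower-cased, trailing dot removed
    ttl: int      # seconds the record may be cached
    rclass: str   # almost always "IN"
    rtype: str    # A, MX, NS, CNAME, TXT, SOA, ...
    data: str     # type-specific value (for MX: "<preference> <host>")


SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
wraycastle.com.         43049   IN      MX      10 wray-ltd.demon.co.uk.
wraycastle.com.         43049   IN      MX      20 etrn.magic-moments.com.
;; AUTHORITY SECTION:
wraycastle.com.         172616  IN      NS      NS0.magic-moments.com.
wraycastle.com.         172616  IN      NS      NS1.magic-moments.com.
;; ADDITIONAL SECTION:
NS0.magic-moments.com.  34155   IN      A       217.199.161.27
NS1.magic-moments.com.  25665   IN      A       212.67.202.220
"""

# name  TTL  class  type  data  (whitespace separated, data runs to end of line)
_RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(IN|CH|HS)\s+([A-Z0-9]+)\s+(.+?)\s*$")


def parse_dig_output(text: str) -> List[ResourceRecord]:
    records = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue  # comments and section headers
        m = _RR_LINE.match(line)
        if not m:
            continue  # not a resource record line
        name, ttl, rclass, rtype, data = m.groups()
        records.append(ResourceRecord(name.lower().rstrip("."), int(ttl),
                                      rclass, rtype, data.rstrip(".")))
    return records


def mail_exchangers(records: List[ResourceRecord], domain: str) -> List[str]:
    """MX targets for domain in preference order (lowest value first),
    which is the order an MTA tries them when forwarding an e-mail."""
    mx: List[Tuple[int, str]] = []
    for r in records:
        if r.rtype == "MX" and r.name == domain.lower():
            pref, target = r.data.split(None, 1)
            mx.append((int(pref), target.lower()))
    return [target for _, target in sorted(mx)]


def glue_address(records: List[ResourceRecord], host: str) -> Optional[str]:
    """A record for host if the answer carried one, else None."""
    for r in records:
        if r.rtype == "A" and r.name == host.lower():
            return r.data
    return None


def delivery_plan(records: List[ResourceRecord], domain: str):
    """(MX host, address) pairs; address is None where a further A query
    would be needed because the reply carried no record for that host."""
    return [(host, glue_address(records, host)) for host in mail_exchangers(records, domain)]


def expires_first(records: List[ResourceRecord]) -> ResourceRecord:
    """The record with the smallest TTL: the first one a cache must refetch."""
    return min(records, key=lambda r: r.ttl)
```

Note that the MX targets in this sample are not in the additional section, so `delivery_plan` reports `None` for both and a sending MTA would have to issue separate A queries for them.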
6.7 Types of DNS Server
6.7.1 Primary Name Server
Each domain must have a primary domain server. It is the administrative point for the control and configuration of the domain. This is where hosts are added and zones are maintained.
6.7.2 Secondary Name Server
Secondary name servers obtain their data from the primary server, which has authority for the zone. This transfer of data is called a zone transfer. Secondary servers give redundancy, faster access at remote locations, can avoid resolving across slow links, and allow load sharing across multiple servers. The primary and secondary server definition is set at zone level, hence a secondary server in one zone may be a primary server in another. Information for each zone is stored in a separate file on the server.
6.7.3 Caching Servers/Forwarders
Cache servers are often used to conduct queries for resolvers (clients) and cache the results; they have no authority for zone databases. If the cache does not hold the requested DNS information already, it performs a recursive query to obtain it, and then caches the result. Most ISPs operate caching servers, and implemented properly they can substantially speed up the operation of the DNS. Forwarders are normally caches that hold no DNS data, and so must forward all requests they receive.
[Figure 31 diagram: Types of DNS Server. A Resolver sends DNS requests to a Forwarder, which passes them to a Caching name server; the caching server sends DNS requests on to the authoritative Secondary name server. The Primary name server, where moves, changes and updates are made, supplies the Secondary name server by zone transfer.]
Figure 31
Types of DNS Server
6.8 Querying the Domain Name System
Details of the primary and one secondary name server are required when a domain is registered, and the names and addresses of the name servers are among the fields returned by a basic ‘whois’ query against a domain.
Other tools that are standard on Unix systems allow interactive querying of the DNS, including the host command, the dig command, and the nslookup command. Many web sites provide web-based access to these tools.
whois wraycastle.com
. .
Name Server ........................ NS1.MAGIC-MOMENTS.COM
Name Server ........................ NS0.MAGIC-MOMENTS.COM

host -t ns wraycastle.com.
wraycastle.com NS ns1.magic-moments.com
wraycastle.com NS ns0.magic-moments.com

host -t mx wraycastle.com.
wraycastle.com mail is handled (pri=10) by wray-ltd.demon.co.uk
wraycastle.com mail is handled (pri=20) by etrn.magic-moments.com

dig @<nameserver> wraycastle.com. axfr
will return all DNS entries for the host through a zone transfer, if the name server permits it

Figure 32
Tools to Query the DNS
7 THE APPLICATION LAYER
7.1 Hypertext Transfer Protocol (HTTP) for Web Services
Hypertext Transfer Protocol (HTTP) is specified in IETF RFC 2616. It is a generic, stateless, object-oriented protocol that can be used for many tasks.
HTTP has been in use by the WWW global information initiative since 1990. This first version, known as HTTP/0.9, was a simple protocol for raw data transfer across the Internet. HTTP/1.0 refined the earlier version by the introduction of MIME-like messages. These Multipurpose Internet Mail Extensions (MIME) messages contained meta-information about the data transferred and modifiers on the request/response semantics. The current version, HTTP/1.1 (RFC 2616), provides persistent connections, so that multiple requests and responses can be carried across a single connection, rather than requiring a new connection for each protocol exchange. It also supports negotiation of data compression. Both of these changes improve the efficiency and responsiveness of the protocol.
HTTP is best described as a request/response protocol. A client, normally a web browser application, sends a request to the server in the form of a request method, URI (Uniform Resource Identifier) and protocol version, followed by a MIME-like message containing request modifiers, client information, and possibly content. The server runs a process or daemon which listens for HTTP requests, and responds to the client with a status line, including the message’s protocol version and a success or error code, followed by a MIME-like message containing server information, entity meta-information, and possibly entity-body content. The status codes returned by the server are grouped into major categories as follows:
• Informational 1xx
• Success 2xx
• Redirection 3xx
• Client Error 4xx
• Server Errors 5xx
The browser software provides the User Agent (UA) side of the HTTP communication between itself and the resource located on some (HTTP) Origin Server (OS), the OS being the device containing the requested resource(s). The simplest type of connection is direct between the user and the OS, as shown in Figure 33.
Other forms of connection are those of the UA to the OS with a number of other network devices in between. These will be proxies, gateways, or tunnelling servers.
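The request/response structure just described (start line, MIME-like headers, optional body) is also what lets several messages share one persistent HTTP/1.1 connection: the receiver must know where each message ends. The following is an added example, not from the manual, that frames messages on such a connection using the Content-Length header and classifies response status lines into the categories listed above. The two byte streams are constructed samples; www.wraycastle.com is used only as a host name.

```python
"""Framing HTTP/1.1 messages on a persistent connection.

Added example, not from the manual: the two request/response streams below
are constructed sample bytes.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CRLF = b"\r\n"
CATEGORIES = {1: "Informational", 2: "Success", 3: "Redirection",
              4: "Client Error", 5: "Server Error"}


@dataclass
class HttpMessage:
    start_line: str          # request line or status line
    headers: Dict[str, str]  # header names lower-cased
    body: bytes

    @property
    def is_request(self) -> bool:
        return not self.start_line.startswith("HTTP/")

    def status_category(self) -> Optional[str]:
        """Major category (1xx..5xx) of a response; None for a request."""
        if self.is_request:
            return None
        return CATEGORIES[int(self.start_line.split()[1]) // 100]


def parse_one(buf: bytes) -> Optional[Tuple[HttpMessage, bytes]]:
    """Parse one complete message from buf and return it with the unread
    remainder, or None if more bytes are needed (message still incomplete)."""
    end = buf.find(CRLF + CRLF)
    if end < 0:
        return None                       # head not yet complete
    lines = buf[:end].decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "transfer-encoding" in headers:
        # Chunked framing is outside this example; refusing is safer than
        # guessing the body length from Content-Length.
        raise ValueError("transfer-encoding not supported here")
    length = int(headers.get("content-length", "0"))  # non-numeric -> ValueError
    body_start = end + 4
    if len(buf) - body_start < length:
        return None                       # body not yet complete
    body = buf[body_start:body_start + length]
    return HttpMessage(lines[0], headers, body), buf[body_start + length:]


def parse_stream(buf: bytes) -> Tuple[List[HttpMessage], bytes]:
    """Split a byte stream carrying several messages (persistent connection)."""
    messages: List[HttpMessage] = []
    while True:
        parsed = parse_one(buf)
        if parsed is None:
            return messages, buf          # buf holds any incomplete tail
        msg, buf = parsed
        messages.append(msg)


# Constructed samples: two requests from the client and two responses from
# the server, all carried on one TCP connection.
SAMPLE_CLIENT_STREAM = (
    b"GET /index.html HTTP/1.1\r\nHost: www.wraycastle.com\r\n\r\n"
    b"POST /form HTTP/1.1\r\nHost: www.wraycastle.com\r\n"
    b"Content-Type: text/plain\r\nContent-Length: 5\r\n\r\nhello"
)
SAMPLE_SERVER_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 6\r\n\r\n<html>"
    b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for msg in parse_stream(SAMPLE_CLIENT_STREAM)[0] + parse_stream(SAMPLE_SERVER_STREAM)[0]:
        print(msg.start_line, msg.status_category(), msg.body)
```

`parse_one` returns `None` rather than a partial message whenever the head or the body is still incomplete, which is the behaviour a receiver needs on a persistent connection where the next read may only deliver part of a message.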
[Figure 33 diagram: HTTP Connections. a) User Agent to Origin Server – Direct Connection: a single HTTP connection from the User Agent to the Origin Server, which holds the Resources (backed by a Database). b) User Agent to Origin Server – via Proxy Server: an HTTP connection from the User Agent to a server acting as proxy, and an HTTP transfer from the proxy to the Origin Server.]
Figure 33
HTTP Connections
7.2 Simple Mail Transfer Protocol (SMTP) E-mail
Internet mail is based on RFC 821, which defines the Simple Mail Transfer Protocol (SMTP), and RFC 822, which defines the format of Internet Text Messages.
A further set of RFCs, RFC 2045-2049 inclusive, defines MIME, which is a set of extensions to the standard text messages found in RFC 822. These extensions allow the inclusion of multimedia information within the e-mail.
SMTP was originally designed for use on Unix machines that were permanently connected to each other. Individual users of these machines have a mailbox to which messages can be delivered, whether they are logged in or not.
In the SMTP architecture, mail users interact with a Mail User Agent (MUA), which in turn queues their messages for transport between machines by Message Transfer Agents (MTAs). The MUA provides the interface to the user, as well as presenting views of various mailboxes, etc. The MTAs communicate with each other across a TCP connection using SMTP messages. Mail for users is received from an MTA by a Mail Delivery Agent (MDA), which places the mail in the appropriate mailbox.
SMTP is a very simple command/response protocol. Five commands are used in this example to send mail between the MTAs.
• HELO is used to establish the SMTP connection
• MAIL is used to identify the sender of an outbound e-mail
• RCPT is used to identify the recipient of an outbound e-mail
• DATA is used to begin sending the message body
• QUIT is used to close the SMTP connection
There are additional SMTP commands, including RSET, to abort the current connection, and TURN, to allow client and server to swap roles without having to start a new TCP connection.
SMTP MTA (Client)                          SMTP MTA (Server)
                 TCP connection to port 25
                                     <-- 220 mailserver.acme.com
HELO mailserver.wraycastle.com       -->
                                     <-- 250 mailserver.acme.com
MAIL FROM: <another@wraycastle.com>  -->
                                     <-- 250 <another@wraycastle.com>
RCPT TO: <[email protected]>        -->
                                     <-- 250 <[email protected]>
DATA                                 -->
                                     <-- 354 Enter message
(body of message)                    -->
                                     <-- 250 mail accepted
QUIT                                 -->
                                     <-- 221 closing connection
The server delivers accepted mail to its Mailboxes.

Figure 34
SMTP Protocol Operation
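The command/response sequence in Figure 34 is easiest to understand as a small state machine on the server side. The following is an added example, not code from the manual: it implements the receiving MTA's side of the five commands above (plus RSET), producing the same reply codes as the figure, and only accepts recipients in the domains it serves so that it cannot be used as an open relay. The host names and the recipient address are constructed samples.

```python
"""Server-side SMTP command/response state machine.

Added example, not from the manual. Host names and addresses are constructed.
"""
from typing import List, Optional, Tuple


def _address(arg: str) -> str:
    """Extract the mailbox from 'FROM:<a@b>' or 'TO:<a@b>'."""
    if "<" in arg:
        return arg.split("<", 1)[1].split(">", 1)[0]
    return arg.split(":", 1)[-1].strip()


class SmtpSession:
    """Tracks HELO -> MAIL -> RCPT -> DATA -> QUIT and returns the reply the
    receiving MTA would send for each client line."""

    def __init__(self, hostname: str = "mailserver.acme.com",
                 local_domains: Tuple[str, ...] = ("acme.com",)):
        self.hostname = hostname
        self.local_domains = local_domains   # domains this MTA accepts mail for
        self.greeted = False
        self.in_data = False
        self.closed = False
        self.sender: Optional[str] = None
        self.recipients: List[str] = []
        self._body: List[str] = []
        self.delivered: List[Tuple[str, List[str], str]] = []  # accepted messages

    def greeting(self) -> str:
        return f"220 {self.hostname}"

    def _reset_transaction(self) -> None:
        self.sender, self.recipients, self._body = None, [], []

    def feed_line(self, line: str) -> Optional[str]:
        """Process one client line; return the reply, or None while collecting
        message body lines (the body is terminated by a line holding '.')."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.delivered.append((self.sender, list(self.recipients), "\n".join(self._body)))
                self._reset_transaction()
                return "250 mail accepted"
            # Dot-stuffing: the client doubles a leading '.', the server removes one.
            self._body.append(line[1:] if line.startswith(".") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            self.greeted = True
            return f"250 {self.hostname}"
        if verb == "QUIT":
            self.closed = True
            return "221 closing connection"
        if not self.greeted:
            return "503 send HELO first"
        if verb == "RSET":
            self._reset_transaction()
            return "250 ok"
        if verb == "MAIL":
            self.sender = _address(arg)
            self.recipients = []
            return f"250 <{self.sender}>"
        if verb == "RCPT":
            if self.sender is None:
                return "503 need MAIL before RCPT"
            rcpt = _address(arg)
            # Relay control: only accept recipients in domains served here.
            if rcpt.rsplit("@", 1)[-1].lower() not in self.local_domains:
                return "550 relaying denied"
            self.recipients.append(rcpt)
            return f"250 <{rcpt}>"
        if verb == "DATA":
            if not self.recipients:
                return "503 need RCPT before DATA"
            self.in_data = True
            return "354 Enter message"
        return "500 command not recognised"


def run_dialogue(lines: List[str], session: Optional[SmtpSession] = None) -> List[str]:
    """Feed client lines to a session and return every server reply in order."""
    s = session or SmtpSession()
    replies = [s.greeting()]
    for line in lines:
        reply = s.feed_line(line)
        if reply is not None:
            replies.append(reply)
    return replies
```

Running `run_dialogue` with the client lines from Figure 34 yields exactly the seven server replies shown there; a RCPT for a domain the server does not serve gets a 550 instead of being queued for onward relay.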
7.3 POP3 and IMAP for E-mail Services
SMTP is not well suited to machines that are not permanently connected to the Internet, and do not have a public IP address. Increasingly, SPs offer both dial-up accounts to their users, and mail relays that accept inbound and outbound mail for these clients. The two main protocols used to retrieve and manage mailboxes over a dial-up account are Post Office Protocol (POP) and Interactive Mail Access Protocol (IMAP). Neither protocol allows e-mail to be sent, only retrieved. Normally, a separate SMTP session is used to transfer outbound mail from the dial-up client to the SMTP mail relay. Both POP and IMAP include optional user authentication using a shared secret.
7.4 Post Office Protocol (POP)
Post Office Protocol Revision 3 (POP3) allows users to connect through a POP3 client in their mail application to a POP3 server, authenticate using a username and password pair, and then retrieve messages from the server to their mail client. Messages that have been retrieved may be left on the server or deleted.
7.5 Internet Message Access Protocol (IMAP4)
The Internet Message Access Protocol, Version 4rev1 (IMAP4rev1) allows a client to access and manipulate electronic mail messages on a server. IMAP4rev1 permits manipulation of remote message folders, called ‘mailboxes’, in a way that is functionally equivalent to local mailboxes. IMAP4rev1 also provides the capability for an offline client to resynchronize with the server.
IMAP4rev1 includes operations for creating, deleting and renaming mailboxes; checking for new messages; permanently removing messages; setting and clearing flags; RFC-822 and MIME parsing; searching; and selective fetching of message attributes, texts and portions thereof.
[Figure 35 diagram: E-mail Protocols. A User Terminal (client), with its own File System, sends mail to the Server using SMTP and retrieves mail over TCP either with POP3 (retrieve and delete) or with IMAP4 (retrieve and manipulate); the Server holds the mailboxes in its File System.]
Figure 35
E-mail Protocols
8 SECTION 1 QUESTIONS
1 What are the three main types of switching? Give an example of each that is in widespread use.
2 What are the three different ways that Layer 2 switching is used in WANs?
3 IP forwarding is carried out using:
a virtual circuit forwarding tables
b next hop forwarding tables
c explicit source routing
d static routing configured by network operations centres only
4 IP subnetting:
a allows multiple smaller networks to be created from one larger network
b allows one larger network to be created from multiple smaller networks
c is not permitted unless the routing protocol carries subnet masks
d is obsolete now that CIDR is standardized
5 Reliable transport can be achieved across IP networks:
a by using the UDP transport layer
b by using the TCP transport layer
c by using the RTP transport layer
d IP automatically achieves reliable transport without the need for an additional transport layer protocol, just like X.25
6 The Domain Name System is used to:
a provide mappings from domain names to IP addresses
b provide mappings from IP addresses to domain names
c provide the names and addresses of other name servers and mail servers
d provide all of the above
7 The software in a client of the DNS is called a:
a resolver
b caching name server
c forwarding name server
d Web browser
8 POP3 and IMAP4 are:
a alternative protocols for the transfer of e-mail between servers
b protocols to prevent unsolicited commercial e-mail being sent through open mail relays
c protocols for retrieval and management of e-mail from mail servers
d applications that allow proprietary e-mail servers to communicate with SMTP servers
SECTION 2
IP NETWORK SERVICES
SECTION CONTENTS
1 Access Services 2.1
1.1 Traditional Dial-up Internet Access 2.1
1.2 Centralized Dial-up Access Services using a Number Translation Service (NTS) 2.1
1.3 PSTN Offload Architectures for Dial Access 2.3
1.4 The Changing Architecture of Network Access Servers 2.5
1.5 Dynamic Host Configuration Protocol (DHCP) 2.7
1.6 DHCP for Dial-up Users 2.9
1.7 Network Address Translation (NAT) 2.11
1.8 Dial-up Access for Client Networks 2.11
1.9 Point-to-Point Protocol (PPP) 2.13
1.10 PAP and CHAP Authentication 2.15
1.11 Authentication Using RADIUS or TACACS 2.17
1.12 Permanently Connected Access 2.19
1.13 Introduction to ADSL 2.19
1.14 ADSL as a Full-Service Access Network 2.21
1.15 ADSL as a Broadband IP Access Service 2.21
1.16 Service Provider Selection Through the BAS 2.21
1.17 Local Loop Unbundling 2.23
2 E-mail Services 2.25
2.1 Mail Servers and the DNS 2.25
2.2 Mail Accounts on the Service Provider Domain 2.27
2.3 Full Outsourcing of the Customer Domain Mail Services 2.29
2.4 Secondary Mail Servers 2.31
2.5 Mail Relay Vulnerabilities and Unsolicited Commercial E-mail (UCE) 2.33
2.6 Integration with Enterprise Mail Servers 2.35
3 Web Hosting 2.37
3.1 Static Versus Dynamic Content 2.37
3.2 Multi-user Hosting 2.39
3.3 Virtual Hosting 2.41
3.4 Dedicated Hardware 2.45
3.5 Co-location 2.45
3.6 Web Caching 2.47
4 Providing Name Servers 2.49
4.1 Implementing Primary and Secondary DNS Servers 2.49
4.2 DNS Caches and Forwarders 2.51
4.3 Partitioning Enterprise and Service Provider DNS 2.53
5 Section 2 Questions 2.55
SECTION OBJECTIVES
At the end of this section you will be able to:
• explain the technical architecture of the main IP network services
• discuss the implementation of public service DNS
• understand the options for access services, and why these have changed
• describe the integration of public and private e-mail services
1 ACCESS SERVICES
1.1 Traditional Dial-up Internet Access
Early dial-up Internet access typically used a conventional analogue circuit-switched call between the dial-up user and their ISP, who purchased conventional retail voice lines from a network operator, and hosted modem banks, or Network Access Servers (NAS), on their premises to accept incoming calls. The modem termination points were in the end-user’s computer and at the ISP premises. When ISDN access became available from ISPs and within PC systems, data rates across circuit-switched connections increased to 64 kbit/s, but the underlying architecture did not fundamentally change. Typically local access servers were located at each major town or city that the ISP served, to provide a regionally based NAS architecture.
1.2 Centralized Dial-up Access Services using a Number Translation Service (NTS)
In the late 1990s, network operators began to offer network-based NAS as a service to ISPs. This allowed them to consolidate modem banks for many wholesale customers (the ISPs), and get economies of scale in the implementation.
Typically a Number Translation Service (NTS) was used to provide the appearance of a single, national infrastructure for each ISP. The Non-Geographic Number (NGN) dialled by the customer was translated into a conventional number for the modem bank by this NTS service.
1.3 PSTN Offload Architectures for Dial Access
From around 2000 onwards, demand on the circuit-switched network drove the point where modem or ISDN calls were terminated closer to dial-up users. Backhaul across an IP network was used to complete the transport.
The reasons for this were that conventional Internet access had grown in volume to the point where off-loading these calls from the circuit-switched network as soon as possible was necessary to protect the availability of voice services. Although the busy hour for Internet users was typically in the evening and did not conflict with the daytime voice busy hour, call holding times for Internet calls were substantially longer than those for true voice calls, leading to exhaustion of the bearer network even before call control capacity in the switches was exhausted. In the traditional dial-up access architecture, a massive investment in PSTN switches would have been necessary to accommodate the demand growth.
Also, traditional PSTN transport requires a dedicated 64 kbit/s channel per modem user, although the effective bandwidth is much less than this. By recognizing the call as an ISP call, and carrying the traffic over a packet-switched infrastructure, over-subscription of network capacity can be applied; bandwidth over-subscription rates of around 10:1 are common in this application, making IP backhaul a much more economical solution.
It is common in this off-load architecture to locate a modem bank as close as possible to the customer access switch. Calls may be routed to the modem bank using conventional PSTN numbering plans in the access switch, or by using an NTS approach.
[Figure 1c diagram: Local NAS with PSTN Offload. Internet Users 1 to 4 are terminated at locally sited NAS, with IP backhaul to the ISP.]
Figure 1c
Local NAS with PSTN Offload
1.4 The Changing Architecture of Network Access Servers
Traditionally ISPs have been end-users, rather than licensed carriers, and Internet access calls to these ISPs were handed over using ISDN Primary Rate Interfaces (PRI) and ISDN user-to-network signalling. The associated signalling model of ISDN PRI was a significant impediment to large-scale equipment implementations suitable for public service networks.
The latest generation of NAS now includes Signalling System No. 7 (SS7) and network-side bearers. This functionality has led to a strong market in wholesale Internet access services, where operators incorporate the NAS as part of their network infrastructure and use IP tunnelling techniques to deliver traffic across a common infrastructure to the serving ISP.
[Figure 2 diagram: Network Access Servers. ISP1: PRI ports delivered to the NAS with associated signalling. ISP2: TDM bearers delivered to the NAS, under the control of a separate signalling controller connected by C7 signalling.]
Figure 2
Network Access Servers
1.5 Dynamic Host Configuration Protocol (DHCP)
When TCP/IP is installed on a host, the protocol requires some minimal configuration to allow packets to be sent to other hosts on the same or interconnected IP subnets. The three basic components are:
• the IP address of the host
• the subnet mask of the host, to identify the boundary between host and network portions of the address
• the IP address of the default router for this host
Other information is typically required to support applications, including the address of the Domain Name Server (DNS) that should be queried for mapping names to IP addresses. Vendor-specific networking information, such as the Windows domain that the host is a member of, is also typically required.
DHCP is a simple client/server protocol that allows hosts (DHCP clients) to request this information from a DHCP server in the network when they reboot, and to renew this information as necessary. The server may be another host in the network, but DHCP servers are also implemented on many network devices, such as routers.
DHCP allows a pool of IP addresses to be allocated as needed to clients as they request and release them. The advantages of this are:
• use of the IP space is more efficient, as disconnected hosts do not require addresses
• configuration errors are less likely, as IP addresses are centrally administered
• moves and changes of hosts between subnets, and of subnet addressing schemes, are automatically accommodated, instead of requiring manual reconfiguration
DHCP can be used in several different modes:
• in automatic mode, an IP address is permanently provided to a host
• in dynamic mode, an IP address is ‘leased’ to a host for a fixed period of time, after which the lease must be renewed by a further DHCP dialogue
• in manual mode, the host’s IP address is configured manually in the DHCP server, rather than being drawn from a pool, and DHCP conveys this to the DHCP client
Figure 3 shows DHCP using an address pool in a small business network. The DHCP server runs within an ISDN access router in this example.
MENU: DHCP Parameters
Starting IP Address:   192.168.1.2
Number of Addresses:   50
Lease Duration:        1
Lease Unit:            Hour
Domain Name:           acme.com
Primary DNS:           192.168.1.1
Secondary DNS:         0.0.0.0
Default Gateway:       192.168.1.1

MAC Address         IP Address    Type   Lease Expiration
00-50-04-2b-9c-fe   192.168.1.7   DHCP   0 Days 0 Hrs 40 Mins 5 Secs
00-20-18-3c-44-5e   192.168.1.3   DHCP   0 Days 0 Hrs 45 Mins 29 Secs
00-20-18-3c-44-61   192.168.1.4   DHCP   0 Days 0 Hrs 51 Mins 7 Secs
00-50-bf-4a-85-7b   192.168.1.5   DHCP   0 Days 0 Hrs 55 Mins 27 Secs

[Diagram: a Router at 192.168.1.1, acting as DHCP server and DNS forwarder and holding the DHCP configuration and DHCP table above, connects hosts .3, .4, .5 and .7 to the Internet.]
Figure 3
DHCP Operation
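The pool, lease and mode behaviour described above can be modelled directly: a server hands out addresses from a range, records an expiry per MAC address, renews an existing lease with the same address, returns expired addresses to the pool, and treats a manual reservation as fixed. This is an added example, not code from the manual or the router in Figure 3; the pool parameters default to the values shown in the figure and the MAC addresses used in the tests are those from its lease table.

```python
"""DHCP address pool with dynamic leases, manual reservations and expiry.

Added example, not from the manual. Defaults mirror the Figure 3 parameters.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


class DhcpPool:
    def __init__(self, start: str = "192.168.1.2", count: int = 50,
                 lease_seconds: int = 3600, gateway: str = "192.168.1.1",
                 dns: Tuple[str, ...] = ("192.168.1.1",), domain: str = "acme.com"):
        first = ipaddress.IPv4Address(start)
        self.free: List[str] = [str(first + i) for i in range(count)]   # dynamic pool
        self.leases: Dict[str, Tuple[str, float]] = {}                  # mac -> (ip, expiry)
        self.reservations: Dict[str, str] = {}                          # manual mode: mac -> ip
        self.lease_seconds = lease_seconds
        self.options = {"router": gateway, "dns": list(dns), "domain": domain}

    def reserve(self, mac: str, ip: str) -> None:
        """Manual mode: a fixed address for this MAC, withdrawn from the pool."""
        if ip in self.free:
            self.free.remove(ip)
        self.reservations[mac] = ip

    def expire(self, now: float) -> None:
        """Return addresses whose lease has run out to the pool."""
        for mac, (ip, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[mac]
                if mac not in self.reservations:
                    self.free.append(ip)

    def request(self, mac: str, now: float) -> Optional[dict]:
        """Handle a client's request (or renewal). Returns the offered
        configuration, or None when the pool is exhausted."""
        self.expire(now)
        if mac in self.reservations:
            ip = self.reservations[mac]
        elif mac in self.leases:
            ip = self.leases[mac][0]          # renewal keeps the same address
        elif self.free:
            ip = self.free.pop(0)
        else:
            return None
        self.leases[mac] = (ip, now + self.lease_seconds)
        return {"yiaddr": ip, "lease": self.lease_seconds, **self.options}

    def release(self, mac: str) -> None:
        """Client gave its address back before the lease ran out."""
        lease = self.leases.pop(mac, None)
        if lease and mac not in self.reservations:
            self.free.append(lease[0])

    def table(self, now: float) -> List[Tuple[str, str, float]]:
        """Lease table as in Figure 3: (MAC, IP, seconds remaining)."""
        return sorted((mac, ip, expiry - now) for mac, (ip, expiry) in self.leases.items())
```

With the figure's one-hour lease, a host that renews at the half-way point keeps its address; one that never renews loses it an hour after its last dialogue, and the address then becomes available to the next requester.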
1.6 DHCP for Dial-up Users
Early ISPs allocated a fixed IP address to dial-up hosts from their own allocation of public address space. However, this was particularly inefficient in the use of address space, as most users are connected for a small proportion of the time. It also made expansion of the network difficult, as these early address allocations required continuing support.
Dynamic address allocation using DHCP is the normal approach taken for dial-up or other intermittent Internet access. A block of addresses is available at the serving NAS, and one of these is allocated on a leased basis to the dial-up user. A static routing announcement for the complete address block at the NAS is normally injected into the Interior Gateway Protocol (IGP) of the ISP, so that all traffic for these hosts is directed to the serving NAS.
Because the address allocation is dynamic, dial-up hosts can normally make outbound connections only. This satisfies the requirements of most dial-up users, but where the user wishes to host a server on a dial-up connection, then a permanent address assignment to this user is required. This situation is more likely to occur where the user operates a dial-up network, rather than a single host.
Active Call Information
Port used:            Data 2
Profile Name:         ISP
Call Direction:       Out
Call Type:            Data-64K
Remote Number:        01234 123456
Data Call Option:     Normal
Compression:          No
Authentication:       CHAP (Encrypted)
Local IP address:     62.25.154.117
Remote IP address:    62.25.154.1
Primary DNS:          195.92.195.94
Secondary DNS:        195.92.195.95
Bytes Received:       12149
Bytes Transmitted:    12961
Call Duration:        0h 09min 25sec

[Diagram: the customer's Router dials into the NAS in the ISP network; a DHCP server in the ISP network supplies the dial-up connection settings, including the IP addresses shown above.]
Figure 4
DHCP for Dial-up Users
1.7 Network Address Translation (NAT)
Network Address Translation (NAT) [RFC 1631] was originally devised as a means of conserving public IP address space, by mapping addresses from an internal IP address space (realm) to the public address space. Typically, enterprises use the special addresses reserved for private use within the enterprise [RFC 1918]. NAT can operate in several ways, depending upon whether one or several public IP addresses are available to carry the private network traffic across the public network. In each case, the NAT device maintains an internal table of address mappings to allow the address conversions to be carried out on a packet-by-packet basis.
Static NAT maps on a permanent one-to-one basis, mapping each private IP address to a public IP address. This method is sometimes used where networks are being consolidated or migrated to a new address space.
Dynamic NAT allocates public addresses as required from an available pool.
Port Address Translation (NAPT, or PAT) makes multiple internal hosts appear as a single host by using a single external address with dynamic port allocations.
1.8 Dial-up Access for Client Networks
Increasingly dial-up accounts are used to support small client networks. Where the client network does not require permanent IP addresses that are visible to the public Internet, then an access router providing NAT is a popular solution. In this scenario, NAT allows multiple machines to appear as a single machine to the public network. From the service provider perspective, a client network using NAT is identical to a conventional single-user dial-up connection. In Figure 5, NAPT is used to represent several private network hosts as a single publicly addressed host.
If the dial-up client network requires visible servers on the public network, then one or more permanent address assignments must normally be made.
Figure 5. Network Address Translation. Private network clients 192.168.1.2 and 192.168.1.3 sit behind a NAT router (private side 192.168.1.1, public side 206.245.160.1) and reach a web server at 207.28.194.84 and an SMTP server at 205.197.101.111 on the public network.
NAPT table: inside 192.168.1.2:1132 maps to outside port 61016; inside 192.168.1.3:1132 maps to outside port 61017.
Translations shown: Src 192.168.1.2:1132, Dst 207.28.194.84:80 becomes Src 206.245.160.1:61016, Dst 207.28.194.84:80; Src 192.168.1.3:1132, Dst 205.197.101.111:25 becomes Src 206.245.160.1:61017, Dst 205.197.101.111:25.
1.9 Point-to-Point Protocol (PPP)
Point-to-Point Protocol (PPP) was developed by the IETF [RFC 1661] in the early 1990s. It was based upon requirements stated in [RFC 1547] to provide a simple L2 protocol that was extensible, allowed for endpoint authentication and compression, incorporated protocol multiplexing so that multiple protocols could be carried as payload, and allowed negotiation of higher layer protocol properties such as the IP addresses of the end points. The main motivation was to support dial-up access to the public Internet across modem access circuits with better security and management features than were provided by the Serial Line IP (SLIP) protocol widely used at the time.
PPP includes an encapsulation scheme and a higher layer protocol field, in common with many other L2 protocols. However, its strength as a protocol for dial-up Internet access lies in the fact that it also provides a Link Control Protocol (LCP) and a family of Network Control Protocols (NCPs) which can be carried within PPP frames. These allow various configuration issues to be addressed by the protocol, such as tunnel endpoint authentication (by LCP), dynamic network layer address assignment (by NCP) and data compression (by LCP).
These features have made PPP the dominant link layer protocol for dial-up modem and ISDN access to ISPs, as well as the basis for many IP Virtual Private Network (IP-VPN) implementations.
Figure 6. The Operation of PPP. Message sequence between PPP client and PPP server: LCP configuration request and LCP configuration acknowledge (establishes basic link layer parameters); LCP identification; CHAP challenge, CHAP response and CHAP success (authenticates the endpoint, i.e. the client); callback and compression negotiation; IPCP configuration request and IPCP configuration acknowledge (configures IP parameters: IP address, DNS, domain, etc.); then data.
1.10 PAP and CHAP Authentication
Because of the intermittent nature of dial-up Internet access, effective authentication of the dial-up user is required to ensure the security of the network and to avoid fraud and misuse of resources.
Authentication of dial-up Internet users is normally based upon a shared secret password known to both the user and the authentication server within the ISP network. Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) [RFC 1994] are both supported within the framework of PPP.
PAP sends the shared secret and username as a matched pair across the network in plaintext form, and without any replay protection. An interceptor who captures PAP traffic can easily masquerade as a genuine user until the password is changed. In situations where physical interception of the PAP traffic is highly unlikely, it may be an acceptable authentication protocol, but its use should be avoided in most situations.
CHAP uses a simple handshaking protocol combined with a hashing function to avoid sending the shared secret across the network in plaintext form. The challenge issued by the authenticating server is used once only, and should be generated in an unpredictable sequence. The hashing algorithm generates a repeatable output for a given challenge and shared secret, and has two important properties.
If an interceptor has access to the challenge and the response, he/she cannot use a simple replay approach, because the authentication server will recognize this response as already used. Knowledge of even a large number of challenge/response pairs does not allow an attacker to discover the shared secret.
As well as supporting the shared secret method of authentication, CHAP has been extended to operate with other authentication schemes, such as digital certificates.
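As an added example (not the manual's own code), the following implements the CHAP handshake of RFC 1994 with the MD5 algorithm, beside a PAP check for contrast. The server issues an unpredictable challenge, discards it once a response has been checked so that a captured response cannot be replayed, and compares hashes in constant time. The peer name, the secret and the password file are constructed sample values. One caveat the text leaves implicit: the response reveals nothing about the secret only as long as the secret is not guessable, since the hash is repeatable for anyone who can enumerate candidate secrets.

```python
"""CHAP (RFC 1994, MD5 algorithm) challenge/response, with PAP beside it.

Added example, not code from the manual.  Peer name, secret and the
password file contents are constructed sample values.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2.2: Response Value = MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """Authenticating server side of CHAP: issues challenges, checks responses."""

    def __init__(self, password_file: Dict[str, bytes]):
        self._pw = password_file
        # name -> (identifier, challenge) for the one challenge currently outstanding
        self._outstanding: Dict[str, Tuple[int, bytes]] = {}
        # every challenge ever issued, so none is used twice (unbounded here; a
        # real server would bound this by time)
        self._used: Set[bytes] = set()
        self._ident = 0

    def challenge(self, name: str) -> Tuple[int, bytes]:
        """Issue a fresh, unpredictable 16-octet challenge for this peer."""
        while True:
            chal = secrets.token_bytes(16)
            if chal not in self._used:
                break
        self._used.add(chal)
        self._ident = (self._ident + 1) & 0xFF
        self._outstanding[name] = (self._ident, chal)
        return self._ident, chal

    def verify(self, name: str, ident: int, response: bytes) -> bool:
        """Success only if the response matches the outstanding challenge.

        The challenge is removed before checking, so the same response presented
        a second time (a replay) is rejected.
        """
        pending = self._outstanding.pop(name, None)
        secret = self._pw.get(name)
        if pending is None or secret is None or pending[0] != ident:
            return False
        expected = chap_response(ident, secret, pending[1])
        return hmac.compare_digest(expected, response)


def pap_verify(password_file: Dict[str, bytes], name: str, password: bytes) -> bool:
    """PAP: the peer sends the password itself, so anyone reading the link learns it."""
    stored = password_file.get(name)
    return stored is not None and hmac.compare_digest(stored, password)


def demo() -> Tuple[bool, bool, bool, bool]:
    pwfile = {"alice": b"correct horse battery"}        # constructed password file
    server = ChapServer(pwfile)

    ident, chal = server.challenge("alice")
    resp = chap_response(ident, pwfile["alice"], chal)
    genuine = server.verify("alice", ident, resp)       # True
    replay = server.verify("alice", ident, resp)        # False: challenge already used

    ident2, chal2 = server.challenge("alice")
    wrong = server.verify("alice", ident2, chap_response(ident2, b"guess", chal2))  # False

    pap_ok = pap_verify(pwfile, "alice", b"correct horse battery")  # True, but plaintext on the wire
    return genuine, replay, wrong, pap_ok


if __name__ == "__main__":
    print(demo())
```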
Figure 7. PAP and CHAP Authentication. PAP: the PAP client sends login(username, password); the PAP server compares the pair against its password file and acknowledges. CHAP: the CHAP client sends login request(username); the server generates a challenge and sends it; the client hashes (#) the challenge with the secret from its password file and returns the response; the server hashes (#) the same inputs from its own password file, compares, and acknowledges.
1.11 Authentication Using RADIUS or TACACS
As the scale and physical distribution of public service ISP networks grows, the simple PAP/CHAP model of authentication becomes unmanageable, because the account information must be available at each NAS location. The Terminal Access Controller Access Control System (TACACS) and Remote Authentication Dial-In User Service (RADIUS) protocols were designed to improve this scalability, to add facilities for accounting and auditing of resource usage, and to allow user-specific profiles to be invoked for particular connections, so that authorization can also be provided.
In both architectures, multiple NAS devices terminate the PPP authentication process, but these devices are also clients to a RADIUS or TACACS authentication server. This authentication server can be centrally located, making management and operational security easier to achieve. In this architecture, the user account information need no longer be distributed to multiple NAS devices at the network edge.
A wide range of integration options exists within the RADIUS standards in particular, including support for the use of shared secrets, digital certificates and tokens. In order to prevent a rogue NAS sending authentication requests to the server, the RADIUS and TACACS protocols include mutual authentication using shared secrets or other means as agreed between the RADIUS clients and server.
Strong vendor support for RADIUS in particular means it continues to be widely deployed as a stable and reliable method of integrating authentication schemes, both for large-scale IP networks, and more generally where heterogeneous platforms must be integrated.
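The NAS-to-server shared secret mentioned above does two jobs in RADIUS (RFC 2865): it hides the User-Password attribute in the Access-Request, and it keys the Response Authenticator that lets the NAS reject a reply not produced by the real server. The following added example (not from the manual, and with no network I/O) builds an Access-Request on the NAS side, handles it on the server side against a constructed central account database, and verifies the reply; the shared secret, the account, and the NAS address are all constructed sample values.

```python
"""RADIUS Access-Request / Access-Accept over a NAS-server shared secret (RFC 2865).

Added example, not from the manual.  The shared secret, user credentials and
NAS address are constructed sample values; packets are built and parsed in
memory only.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def attr(type_: int, value: bytes) -> bytes:
    """Attribute: Type(1) Length(1, counting the two header octets) Value."""
    return struct.pack("!BB", type_, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR 16-octet blocks with an MD5 chain over the
    shared secret, seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password, run by the server with the same secret."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(c, b)), c
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def nas_access_request(secret: bytes, ident: int, username: str,
                       password: str, nas_ip: str) -> Tuple[bytes, bytes]:
    """NAS side: returns (Access-Request packet, Request Authenticator)."""
    req_auth = secrets.token_bytes(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def server_handle(packet: bytes, secret: bytes, accounts: Dict[str, bytes]) -> bytes:
    """Server side: recover the password, check the central database, and sign the
    reply with Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    pw = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    ok = user in accounts and hmac.compare_digest(accounts[user], pw)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = b""
    resp_auth = hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(reply_attrs))
                            + req_auth + reply_attrs + secret).digest()
    return build_packet(code, ident, resp_auth, reply_attrs)


def nas_check_reply(reply: bytes, req_auth: bytes, secret: bytes) -> Tuple[bool, int]:
    """NAS side: trust the reply only if its Response Authenticator verifies under
    the shared secret; a forged or mis-keyed server answer fails this check."""
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20]), code


def demo(password: str = "s3cret", server_secret: bytes = b"nas-to-server-secret"):
    nas_secret = b"nas-to-server-secret"
    accounts = {"alice": b"s3cret"}                 # constructed central account database
    pkt, req_auth = nas_access_request(nas_secret, 7, "alice", password, "10.0.0.5")
    reply = server_handle(pkt, server_secret, accounts)
    return nas_check_reply(reply, req_auth, nas_secret)


if __name__ == "__main__":
    print(demo(), demo(password="wrong"), demo(server_secret=b"other"))
```

In the third call the server holds a different secret from the NAS, as a rogue or misconfigured server would: it cannot recover the password, and its reply fails the Response Authenticator check, so the NAS discards it rather than acting on a reject (or accept) it cannot trust.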
Figure 8. RADIUS and TACACS Authentication. The user authenticates to the NAS over PPP using CHAP; the NAS, holding only local account databases and acting as RADIUS/TACACS client, passes the request over RADIUS/TACACS to the RADIUS/TACACS server, which holds the central account database.
1.12 Permanently Connected Access
Permanently connected users typically connect a private network to the service provider network, rather than a single host. In addition to leased lines and Layer 2 services such as Frame Relay used as an access mechanism, Asymmetric Digital Subscriber Line (ADSL) services are increasingly used to provide always-on connections. The size of the private network that is connected may be anything from a few machines to a large enterprise network with multiple sites and multiple service providers.
From a service provider perspective, a small, permanently connected network can be treated similarly to a dial-up network. Typically NAT is used to limit the number of public IP addresses necessary for the site. Most permanently connected sites do have one or more public IP addresses which are used to provide inbound access to e-mail servers, corporate web servers and VPN connections.
As the complexity of the customer network increases, dynamic routing protocols must be run across the service provider/customer interface to provide resilient and efficient transport of traffic. Once routing protocols are run across the customer/service provider interface, the solution becomes increasingly complex to administer.
1.13 Introduction to ADSL
ADSL is a technology that allows much higher data rates across a voice-grade twisted copper pair than has been possible in the past. It is widely used to extend the bandwidth of traditional twisted-pair local loop connections between subscribers and their local exchange building.
ADSL uses sophisticated signal processing techniques and channelized digital transmitters and receivers to achieve acceptable performance at much higher bandwidths than before across a normal copper pair. It uses ATM as a Layer 2 switching technology, which means that it can support a wide range of applications by assigning appropriate categories of service to them.
An ADSL modem pair is located at the ends of the copper pair to implement the service. Where another access technology, such as a remote concentrator or other device that aggregates individual voice channels into a high-level multiplex, is deployed ahead of the local exchange/central office location, then the ADSL connection must terminate at this location. In other words, the ADSL modems must be directly connected to the copper pairs to achieve the necessary bandwidth extension.
High density DSL Access Multiplexers (DSLAMs) are deployed at the network end of the ADSL link to terminate DSL connections from subscribers.
Figure 9. ADSL Architecture. An ADSL modem at the customer premises connects over the twisted pair, via the transmission concentrator site, to the local exchange/central office, where the ADSL DSLAM connects over E1/T1 or greater to ATM switching. Spectrum inset (frequency axis to 1 MHz): the traditional analogue voice channel occupies the bottom of the band; the previously unused frequency band above it contains the ADSL channels.
1.14 ADSL as a Full-Service Access Network
The architecture of the network beyond the DSLAM varies depending upon the set of services being offered across the DSL access network. Most ADSL services deployed today offer only high-speed Internet access, but for many operators the strategic intention of ADSL deployment is to provide a full service access mechanism, as discussed below.
The ATM transport employed by ADSL makes it suitable as an integrated services access medium. Where multiple services are being offered across ADSL, the Customer Premises Equipment (CPE) is a specialized Integrated Access Device (IAD). The role of the IAD is:
• termination of the various conventional interfaces, such as POTS, ISDN, Ethernet, etc.
• ATM adaptation using the appropriate ATM Adaptation Layers (AALs)
• ATM multiplexing of the individual virtual circuits carrying traffic between the IAD and their termination point on the appropriate gateway device in the network
• service-specific adaptation functions, for example conversion of DTMF tones into the appropriate form, typically as defined in ATM Forum standards
The service provider DSLAM terminates all inbound ADSL physical layer connections from the IADs. It typically then passes traffic to an ATM switch node which can groom and aggregate traffic before directing virtual circuits and virtual paths towards the correct gateway device for the desired service. For example, a voice gateway in this architecture would accept inbound calls over ATM virtual circuits, and convert these to traditional TDM form for interconnection with a conventional PSTN switch.
1.15 ADSL as a Broadband IP Access Service
For high-speed Internet access, the broadband equivalent of a NAS, the Broadband Access Server (BAS), is required. The main difference between this device and the traditional NAS is the use of ATM virtual circuits as the Layer 2 protocol. This requires the BAS to terminate the ATM virtual circuits, operate the appropriate AAL functions necessary to extract IP packets, and carry out authentication, auditing and accounting functions for the ISP. The BAS may also apply policy and filtering actions on IP traffic in the same way as a traditional NAS.
1.16 Service Provider Selection Through the BAS
Most current implementations of ADSL Internet access effectively tie the subscriber to a particular service provider. This contrasts with the traditional dial-up services, where a subscriber could have several active accounts, and select which service provider to use based upon dialled number. Two approaches to selection of the service provider have been proposed to remedy this: a preselection approach, based upon the customer notifying the ADSL provider of moves and changes, and a common BAS model, where users would connect to a common BAS and make their service provider selection at this point. Neither model has been widely deployed to date.
Figure 10. ADSL Integration with the Core Network. IADs connect to DSLAMs, which feed an ATM aggregator switch and the ATM switched network. IP over Ethernet and IP over ATM traffic is carried to the BAS and on to the Internet; voice over ATM (analogue voice at the IAD) is carried to the voice gateway (VGW) and on to the PSTN.
1.17 Local Loop Unbundling
In many countries, ADSL deployment has occurred alongside government-led initiatives for increased competition for broadband services in the access network. Various models have been proposed, but these can broadly be classed as physical unbundling of the local loop and logical unbundling of the local loop.
In physical unbundling, a competitive operator/Competitive Local Exchange Carrier (CLEC) leases the existing local loop copper pair for a subscriber from the incumbent operator, and installs their own ADSL modems and DSLAMs at the ends of this pair, typically by attaching close to the Main Distribution Frame (MDF). This requires co-location of the competitive operator DSLAM equipment in the local exchange/central office of the incumbent operator, and has led to practical and political implementation difficulties in many cases.
In logical unbundling, the incumbent operator remains responsible for the physical copper pair and the ADSL equipment at both ends of the link. However, when a subscriber wishes to use an alternative competitive operator/CLEC for services, the incumbent passes traffic within a virtual circuit from their aggregation switch to the aggregation switch of the competing operator. In this case the incumbent operator is selling a wholesale ADSL service to the competing operator. This approach avoids issues of physical access and access to space at the local exchange. It also avoids technical issues with spectrum management on the ADSL-equipped local loop that can arise in the physical unbundling case.
Figure 11. Local Loop Unbundling. Physical unbundling: subscriber IADs terminate on the competing operators' DSLAMs co-located in the LE/CO building. Logical unbundling: subscriber IADs terminate on the incumbent's DSLAM in the LE/CO building, and traffic for the competing operator is passed on to the CLEC site.
2 E-MAIL SERVICES
2.1 Mail Servers and the DNS
The original designers of SMTP intended it to operate between mainframe machines that were permanently connected to the Internet, and on which users had mailboxes linked to their accounts. Increasingly, organizations use mail relays to forward e-mail, and this is one of the main services offered by service providers also. Given the importance of e-mail to business users in particular, methods to make the mail service resilient are also important.
The DNS supports the definition of multiple mail servers for delivery of SMTP e-mail. When an outbound e-mail is ready for delivery to the destination domain, the DNS is queried to find the Mail Exchanger (MX) records for the domain, as shown in Figure 12. Each MX record includes a preference value, and the server with the lowest preference value is selected as the first choice for delivery of the e-mail. A further entry will be given in the DNS answer that maps the canonical name to its IP address.
Once the preferred server IP address is known, the sending mail server attempts a TCP connection with it on the well-known SMTP port, port 25. If for any reason this connection cannot be made, then the next-preferred mail server in the DNS will be tried, and if necessary further mail servers at lower preference values also. This approach can provide resilience in the e-mail architecture, and is widely deployed.
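The selection and fallback logic just described, as an added example that is not part of the manual. The zone data are the records of Figure 12 (acme.com with three MX hosts at preferences 10, 20 and 30, each with an A record); the TCP connection attempt is abstracted into a callable so that the fallback can be exercised offline, and the constructed demo marks mx1 as unreachable. The function also covers the case the text does not show, a domain with no MX record, by falling back to the domain's own A record as RFC 2821 prescribes.

```python
"""Mail exchanger selection by MX preference with fallback (Figure 12).

Added example, not from the manual.  ZONE reproduces the records of Figure 12;
reachability is simulated by a callable so nothing touches the network.
"""
from typing import Callable, Dict, List, Optional, Tuple

SMTP_PORT = 25

# Constructed zone, as shown in Figure 12.  MX entries are (preference, host).
ZONE: Dict[str, Dict[str, list]] = {
    "acme.com": {"MX": [(10, "mx1.acme.com"), (20, "mx2.acme.com"), (30, "mx3.acme.com")]},
    "mx1.acme.com": {"A": ["192.168.10.20"]},
    "mx2.acme.com": {"A": ["192.168.20.20"]},
    "mx3.acme.com": {"A": ["192.168.40.20"]},
}


def mx_hosts(zone: Dict[str, Dict[str, list]], domain: str) -> List[str]:
    """Mail exchangers in delivery order, lowest preference value first.

    A domain with no MX record but an A record is its own mail exchanger
    (RFC 2821 section 5); a domain with neither cannot receive mail.
    """
    records = zone.get(domain, {})
    mx = records.get("MX")
    if not mx:
        return [domain] if records.get("A") else []
    return [host for _pref, host in sorted(mx)]


def deliver(zone: Dict[str, Dict[str, list]], recipient: str,
            connect: Callable[[str, int], bool]) -> Optional[Tuple[str, str]]:
    """Try each exchanger (and each of its addresses) in order on TCP port 25.

    Returns (host, ip) of the first that accepts the connection, or None when
    every exchanger is unreachable and the message must be queued.
    """
    domain = recipient.rsplit("@", 1)[1].lower()
    for host in mx_hosts(zone, domain):
        for ip in zone.get(host, {}).get("A", []):
            if connect(ip, SMTP_PORT):
                return host, ip
    return None


def demo(down=frozenset({"192.168.10.20"})) -> Optional[Tuple[str, str]]:
    """Constructed scenario: addresses in `down` refuse the connection."""
    connect = lambda ip, port: port == SMTP_PORT and ip not in down
    return deliver(ZONE, "someone@acme.com", connect)


if __name__ == "__main__":
    print(demo())                 # mx1 is down, so mx2 is used
    print(demo(frozenset()))      # everything up: mx1
```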
Figure 12. SMTP Integration with the DNS. 1. mail to: [email protected] is presented to the SMTP MTA (client); 2. query for MX records of acme.com; 3. response with MX records for acme.com and extra parameters; 4. SMTP connection over TCP (port 25) to mx1, the SMTP MTA (server) mx1.acme.com at 192.168.10.20; 5. SMTP responses. The DNS records returned are:
acme.com      IN MX 10 mx1.acme.com
              IN MX 20 mx2.acme.com
              IN MX 30 mx3.acme.com
mx1.acme.com  IN A 192.168.10.20
mx2.acme.com  IN A 192.168.20.20
mx3.acme.com  IN A 192.168.40.20
2.2 Mail Accounts on the Service Provider Domain
This model is popular with consumer services and free Internet access providers, but is not widely used by business users because it seems less professional than a dedicated domain. In this model, users are simply given a user account at the ISP domain, of the form:
Because the username chosen must be unique across a potentially very large domain, users are normally forced to use digits as well as common names.
E-mail is sent using SMTP, and retrieved using POP3 or IMAPv4. Both schemes allow for user authentication using a simple shared secret password. Mail is sent and received between servers using SMTP, and normally a secondary and tertiary mail server will be configured within the ISP's own domain to provide resilience and disaster recovery.
In the example shown, the ISP operates a separate mail server for inbound and outbound traffic. The inbound SMTP server also provides a POP3/IMAP4 server for access to e-mail by the dial-up accounts. The outbound SMTP server need not have an MX record in the DNS, as it only ever originates transfers to the Internet. A secondary MX server is also available should the primary be unreachable from the Internet.
To provide an even more scalable solution, it is possible to separate the mail handling function into three parts:
• an inbound SMTP server, which has an MX record in the DNS. It accepts all domain e-mail, and relays it to a separate POP3/IMAP server
• a POP3/IMAP server, which provides the mailboxes and access for users. This server only accepts mail from the ISP's own inbound SMTP server
• an SMTP outbound server, which accepts e-mail from users, and sends it out to the Internet
This architecture should have one or more secondary MX machines, as before, which can accept inbound SMTP e-mail if the primary is unavailable for any reason.
Figure 13. Simple Service Provider Mail Accounts. The mail client sends outbound e-mail (SMTP) to the ISP's SMTP server, which passes it to the Internet (SMTP). Inbound e-mail from the Internet (SMTP) arrives at the SMTP and POP3 or IMAP4 server mx1.myISP.com, from which the client retrieves it (POP3 or IMAP4); mx2.myISP.com is the secondary mail server. DNS for myISP.com: IN MX 10 mx1.myISP.com; IN MX 20 mx2.myISP.com.
2.3 Full Outsourcing of the Customer Domain Mail Services
Many small to medium-sized businesses require Internet e-mail for a set of internal users, but cannot easily run an enterprise mail server internally. This may be because they use dial-up access and have no permanent IP address, or because their use of e-mail internal to the organization does not justify a corporate e-mail infrastructure.
In this case, many service providers offer Internet e-mail services linked to a dedicated customer domain, often bundled with web hosting services.
The ISP will typically organize domain registration through an ICANN-approved registrar, if the domain has not yet been registered. If the domain has been registered, but the customer is transferring to a new service provider, then the registration details must be modified to identify the correct name servers for the domain, normally the name servers of the new ISP.
In this scenario, mail between users within the customer domain is sent via the domain mail server within the ISP network, just as for external mail. In other words, all e-mail is Internet e-mail.
The mail delivery methods are the same as for the earlier example, typically SMTP for outbound mail, and POP3 or IMAP4 for inbound delivery. All corporate users must have the correct details for their account configured in their mail client, including server names, username and password.
As the customer now has a registered domain, the DNS records for this domain will show that mail is being handled by the ISP mail servers, as shown in Figure 14.
The ISP will not actually run a separate instance of a mail server, physically or logically, in this case. Instead the e-mail addresses of the customer may be mapped by a mail alias onto an internal account on the ISP server. So, for example, [email protected] might be mapped to [email protected]. This retains the uniqueness of the user name, but maps it into the ISP mail namespace. The mail alias is then used to translate inbound and outbound mail transfers between the two names. An alternative approach is to provide a virtual mail server for each domain, and many mail server applications allow this.
Figure 14. Outsourced Customer Mail Service. As in Figure 13, the customer's clients send outbound e-mail (SMTP) to the ISP's SMTP server, which passes it to the Internet (SMTP); inbound e-mail from the Internet (SMTP) arrives at the SMTP and POP3 or IMAP4 server mx1.myISP.com and is retrieved by the clients (POP3 or IMAP4), with mx2.myISP.com as secondary mail server. DNS for the customer domain wraycastle.com: IN MX 10 mx1.myISP.com; IN MX 20 mx2.myISP.com.
2.4 Secondary Mail Servers
Where a business operates an existing Internet mail server, they may require that a service provider offer a secondary mail server, to improve the resilience of the service. These resilience measures are particularly important once key servers, including mail, DNS and web servers, are hosted at customer premises; the reliability of the access circuits, power circuit and equipment at these locations is normally much poorer than that of the data centres where network servers are typically located.
A common architecture is to configure a secondary mail server within the ISP domain as a mail relay. In this model, the relay will attempt to deliver mail on to the primary server (at the customer premises) for some period of time, before eventually deleting the mail, perhaps after several days.
This approach can also be used where a dial-up network has a legitimate domain and a primary mail server with an MX record in the DNS. In that case, the secondary mail server effectively acts as a store and forward server for the corporate e-mail when the dial-up connection is down, then relays it to the primary mail server when the dial-up connection comes up.
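The store-and-forward behaviour of such a secondary relay, as an added example that is not the manual's code: mail for the customer domain is queued while the primary (mx1.wraycastle.com, from Figure 15) is unreachable, retried on each queue run, and given up after a maximum age. The text says only "some period of time, perhaps several days", so the five-day limit, the retry timing and the sample messages are constructed assumptions. The relay accepts mail only for the domains it is contracted to serve; without that check it would be an open relay, the problem the next section takes up.

```python
"""Store-and-forward queue of an ISP secondary mail relay (section 2.4).

Added example, not from the manual.  The 5-day expiry, the retry times and
the sample messages are constructed; the primary's reachability is simulated.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, List, Set


@dataclass
class Queued:
    sender: str
    recipient: str
    body: bytes
    queued_at: datetime
    attempts: int = 0


@dataclass
class SecondaryRelay:
    """Holds mail for a customer's primary MX while that server is unreachable."""
    primary: str                                   # host to forward to
    relay_domains: Set[str]                        # domains we are secondary MX for
    max_age: timedelta = timedelta(days=5)         # assumption: give up after 5 days
    queue: List[Queued] = field(default_factory=list)
    bounced: List[Queued] = field(default_factory=list)

    def accept(self, sender: str, recipient: str, body: bytes, now: datetime) -> bool:
        """Accept only mail addressed to a contracted domain (anything else would
        make this an open relay)."""
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain not in self.relay_domains:
            return False
        self.queue.append(Queued(sender, recipient, body, now))
        return True

    def run_queue(self, now: datetime, forward: Callable[[str, Queued], bool]) -> int:
        """Retry every queued message against the primary; expire old ones.

        `forward(host, msg)` returns True when the primary accepted the message.
        Returns the number delivered in this run.
        """
        delivered, remaining = 0, []
        for msg in self.queue:
            msg.attempts += 1
            if forward(self.primary, msg):
                delivered += 1
            elif now - msg.queued_at > self.max_age:
                self.bounced.append(msg)           # give up: bounce or delete
            else:
                remaining.append(msg)
        self.queue = remaining
        return delivered


def demo():
    t0 = datetime(2004, 12, 1, 9, 0)               # constructed clock
    relay = SecondaryRelay(primary="mx1.wraycastle.com", relay_domains={"wraycastle.com"})
    primary_up = {"up": False}                     # simulated reachability of the primary
    forward = lambda host, msg: primary_up["up"]

    ok = relay.accept("a@example.net", "b@wraycastle.com", b"hello", t0)
    refused = relay.accept("a@example.net", "c@elsewhere.example", b"not ours", t0)
    d1 = relay.run_queue(t0 + timedelta(hours=1), forward)     # primary down: held
    primary_up["up"] = True
    d2 = relay.run_queue(t0 + timedelta(hours=6), forward)     # primary back: delivered

    relay.accept("a@example.net", "d@wraycastle.com", b"late", t0)
    primary_up["up"] = False
    d3 = relay.run_queue(t0 + timedelta(days=6), forward)      # too old: bounced
    return ok, refused, d1, d2, d3, len(relay.queue), len(relay.bounced)


if __name__ == "__main__":
    print(demo())
```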
Figure 15. ISP Secondary Mail Servers. DNS for wraycastle.com: IN MX 10 mx1.wraycastle.com; IN MX 20 mx2.myISP.com. Normal operation: mail from the Internet is delivered directly to the corporate SMTP server at the customer premises. While the customer premises are unreachable: mail is delivered to the ISP SMTP server in the service provider network. On recovery: mail is delivered to the corporate SMTP server from the mail relay.
2.5 Mail Relay Vulnerabilities and Unsolicited Commercial E-mail (UCE)
A major and continuing vulnerability in the Internet e-mail architecture is the abuse of mail relays. In addition to accepting inbound SMTP e-mail from other MTAs, a mail server may accept mail for forwarding on to another SMTP server, as in the example above of a service provider offering a secondary mail relay.
Most mail servers block relaying of mail by default as a security feature, so this must be enabled for the specific domains where it should be allowed. Unfortunately open relays, i.e. relays that do not verify or filter traffic before forwarding it on, are still available.
The following example shows how UCE, also known as spam, can exploit such an open relay, and how this can be used to mount a Denial of Service (DoS) attack.
• an e-mail marketer has gathered several hundred thousand candidate e-mail addresses, and creates a marketing e-mail to send using his list
• he creates a free Internet account for basic access, and uses an open SMTP relay he has found to forward his e-mail out to users
• he sets his e-mail client to use a return and from address of [email protected], although he has nothing to do with the company
• he sends his e-mails out in blocks of 1000 at a time, using the blind carbon copy (Bcc) field, over his new Internet account
From the perspective of the sender of the spam, he has been successful. However, tens of thousands of e-mails are undeliverable, and are returned to [email protected], where they completely block the system. As a result, the wraycastle mail server becomes unavailable, and the disruption is likely to last for several days at least.
The main defence against this type of attack is to ensure that mail exchangers cannot act as open relays. Many ISPs, especially those offering free Internet access, do not allow users to send traffic on TCP port 25 (the well-known SMTP port) to destinations beyond the ISP domain, to make it more difficult to use an external mail relay for UCE.
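The two defences named above, as an added example that is not the manual's code: an MTA relay policy that relays for third-party domains only from its own network or from authenticated users, answering everyone else with a relay-denied reply at RCPT TO, and an ISP access-router rule that lets customer addresses reach TCP port 25 only inside the ISP's own network. The domains, address ranges and the reply text are constructed sample values (the 554 code and "Relay access denied" wording are a common convention, not something the manual specifies).

```python
"""Two anti-relay controls from section 2.5: MTA relay policy and ISP egress rule.

Added example, not from the manual.  Domains, address ranges and the reply
wording are constructed sample values.
"""
import ipaddress
from typing import Tuple

LOCAL_DOMAINS = {"acme.com"}                                 # we are the final destination
SECONDARY_FOR = {"wraycastle.com"}                           # we relay only for these customers
TRUSTED_NETS = [ipaddress.ip_network("192.168.10.0/24")]     # our own hosts may relay outwards


def relay_decision(client_ip: str, authenticated: bool, rcpt: str) -> str:
    """SMTP reply for a RCPT TO command.

    Mail for a local or contracted domain is always accepted.  Mail for any
    other domain is relayed only for clients on our own network or clients who
    have authenticated; everyone else is refused, which is what distinguishes
    this MTA from an open relay.
    """
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS or domain in SECONDARY_FOR:
        return "250 OK"
    ip = ipaddress.ip_address(client_ip)
    if authenticated or any(ip in net for net in TRUSTED_NETS):
        return "250 OK"
    return "554 5.7.1 Relay access denied"


CUSTOMER_POOL = ipaddress.ip_network("203.0.113.0/24")       # constructed dial-up address pool
ISP_NETS = [ipaddress.ip_network("198.51.100.0/24")]         # ISP's own mail servers


def egress_permitted(src_ip: str, dst_ip: str, dst_port: int, proto: str = "tcp") -> bool:
    """ISP access-router rule: dial-up customers may open TCP port 25 only to
    destinations inside the ISP network; all other traffic is untouched."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if proto == "tcp" and dst_port == 25 and src in CUSTOMER_POOL:
        return any(dst in net for net in ISP_NETS)
    return True


def demo() -> Tuple[str, str, str, bool, bool]:
    # A sender on the free-access pool tries to relay to a third party: refused.
    r1 = relay_decision("203.0.113.77", False, "someone@elsewhere.example")
    # Mail for a domain we are secondary MX for is accepted for store-and-forward.
    r2 = relay_decision("203.0.113.77", False, "sales@wraycastle.com")
    # The same client, after authenticating, may submit outbound mail.
    r3 = relay_decision("203.0.113.77", True, "friend@elsewhere.example")
    # Egress filter: port 25 to an outside MTA is blocked, to the ISP's own server allowed.
    e1 = egress_permitted("203.0.113.77", "192.0.2.10", 25)
    e2 = egress_permitted("203.0.113.77", "198.51.100.25", 25)
    return r1, r2, r3, e1, e2


if __name__ == "__main__":
    print(demo())
```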
Figure 16. Exploiting an Open Mail Relay. The marketeer, connected through a free Internet provider, submits mail over SMTP (port 25) to an SMTP MTA operating in open relay mode, which forwards it across the Internet to many recipient SMTP MTAs, including the SMTP MTA at acme.com. Mail from: [email protected]; Mail rcpt: the addresses on the marketer's list.
2.6 Integration with Enterprise Mail Servers
Many enterprises run proprietary workgroup applications for internal messaging and collaboration. Recent releases of these applications all support SMTP, either directly or through a gateway function for Internet e-mail. Therefore, from a service provider perspective, whether a client organization uses a traditional Internet mail server or a corporate mail server, the interface to the public service should be SMTP-based.
A common approach taken within organizations is to place a simple SMTP MX relay in the De-Militarized Zone (DMZ) behind an Internet firewall. This mail relay then forwards inbound traffic to the internal corporate mail servers, and accepts traffic for the public Internet. Most MTAs will allow inbound traffic to be partitioned by destination address to a variety of internal servers, so that the DMZ relay can direct external e-mail to the correct departmental servers within the corporate domain.
The DMZ MTA in this case requires a valid IP address and MX record in the DNS, but the internal mail servers are invisible to the public network, and protected by the network security measures put in place at the Internet firewall, the corporate firewalls and elsewhere.
Figure 17. Integration of Internet and Enterprise Mail Servers. Internet e-mail via SMTP with external MTAs on the Internet passes through the Internet firewall to the SMTP relay mx1.wraycastle.com in the DMZ (alongside the WWW server and VPN server), then through the corporate firewall to the internal sales MTA, development MTA and other departmental MTAs (mail to: [email protected], mail to: [email protected]).
3 WEB HOSTING
3.1 Static Versus Dynamic Content
Web hosting services are an important part of most businesses, and they might be designed and operated in-house, or outsourced to a service provider.
Originally, the WWW was used to provide static file content to clients. However, most web sites now use client-side or server-side programming to enhance the content and appearance of the site by making it to some extent dynamic. Common Gateway Interface (CGI) allows a web server to route the contents of a web form to a program running on another server platform through a set of standard procedures. It is widely used to allow users to input data via a web site, for example requesting e-mail content, selecting data from a database, etc. The programme to be executed is normally in a cgi-bin folder on the web server. CGI has many limitations, and more sophisticated open and proprietary server-side programming is increasingly replacing it.
Some examples of server-side programming approaches are listed in Figure 18. Active Server Page™ (ASP) is a Microsoft proprietary approach that allows execution of code in a web page before it is delivered to a browser client. Hypertext Pre-Processor (PHP) is an open source approach that is similar to ASP, and distributed as part of most Linux distributions.
Because these programming languages can open up vulnerabilities on the host platform (the web server) running them, service providers must be careful about how much freedom to include server-side programming is given to clients when hosting web services.
Programming that operates on the client side of a web connection, i.e. in the browser, has less security implication for the hosting service provider. Applets are small programmes written in the Java™ programming language that execute within a browser application. JavaScript™ is a programming language that can be interpreted by a browser to carry out simple functions to animate the page contents. Active-X allows dynamic content and controls in browsers.
Figure 18: Ways to Produce Dynamic Web Content

Server-side programming:
Common Gateway Interface (CGI)
Active Server Page ASP™ [Microsoft]
PHP: Hypertext Pre-Processor (PHP)

Client-side programming:
Java™ applets
JavaScript™
ActiveX
3.2 Multi-user Hosting
The multi-user hosting approach is widely used by ISPs to provide homepage space to their users. Each user is given a controlled amount of storage and access bandwidth, and their Universal Resource Locator (URL) is part of the ISP domain, for example

www.myISP.com/~another

This approach is simple and low cost. It does not require domain registration or name server entries for the client. However, it also presents the client as part of the ISP domain, rather than their own domain, which is unsuitable for most business clients.

Typically a very limited set of programmability is included with the service; the ISP may provide some simple CGI scripts that allow the contents of forms to be collected and e-mailed to the customer, for example. Customers will typically not be allowed to execute their own scripts or programs on the ISP web servers.
Figure 19: Multi-user Hosting (http://www.myISP.com with user areas http://www.myISP.com/~jdoe and http://www.myISP.com/~another, each holding folders such as about_us, holiday_snaps, family_tree, index etc., with yearly sub-folders 1999, 2000, 2001, 2002)
3.3 Virtual Hosting
Virtual hosting allows multiple domains to be hosted on a single web server. A number of approaches to virtual hosting are possible. In each case a visitor to the site will have the impression of a dedicated hosting solution.
3.3.1 Virtual Hardware Hosting
The virtual hardware approach assigns a unique IP address to each virtual web server. This can be done using one of the virtual machine implementations that are available for both Windows and Unix platforms. Using this approach, the physical memory, disk space and processing power in the server is apportioned between each virtual machine. It is possible to start up and shut down virtual machine web servers independently, and it is also easy to port a virtual web server between one physical platform and another, making moves, changes and hardware upgrades fairly easy to achieve.

In Figure 20, a virtual machine application has been used to provide three virtual platforms and operating systems, and each of these hosts a separate hosting application. The virtual machine software provides virtual hardware for each virtual machine, including network interface cards, and so each virtual machine is separately addressed.

Note that each virtual machine in this case has a separate name server address entry that resolves the relevant host name to its IP address.
Figure 20: Virtual Hardware Hosting

Physical platform (e.g. Unix™, Windows 2000™) at 192.168.1.1 running virtual machine s/w, which hosts three virtual O/S instances:
  192.168.1.2  www.wraycastle.com
  192.168.1.3  www.company.co.uk
  192.168.1.4  www.ISP.org

Name server entries:
  www.wraycastle.com  IN A 192.168.1.2
  www.company.co.uk   IN A 192.168.1.3
  www.ISP.org         IN A 192.168.1.4
3.3.2 Virtual Web Server Hosting
The main web server applications support a virtual hosting model, where multiple domains can be hosted on a single instance of the web server. In this case the server will have both global configuration settings, and settings that are specific to each domain being hosted. The virtual web server approach is typically used in a service provider context, where only web server functions are required from the platform, but for large numbers of domains.

In the example in Figure 21, a single host provides all of the domain web services; however, the web server application has been configured with details of each virtual host, as shown in Figure 21. When the DNS is queried for the IP addresses of the virtual web servers, it returns the same IP address in each case. Note that a name server entry is still required for each domain in order to resolve URL requests to the server IP address.
Figure 21: Virtual Web Server Hosting

A single server at 192.168.1.1 with a web server configuration holding one entry per hosted domain (Apache-style directives):

  NameVirtualHost 192.168.1.1
  <VirtualHost 192.168.1.1>
    DocumentRoot /var/www/wraycastlecom
    ServerName www.wraycastle.com
    ServerAdmin [email protected]
  </VirtualHost>
  <VirtualHost 192.168.1.1>
    DocumentRoot /var/www/companycouk
    ServerName www.company.co.uk
    ServerAdmin [email protected]
  </VirtualHost>
  <VirtualHost 192.168.1.1>
    DocumentRoot /var/www/ISPorg
    ServerName www.ISP.org
    ServerAdmin [email protected]
  </VirtualHost>

Name server entries (all resolving to the same host):
  www.wraycastle.com  IN A 192.168.1.1
  www.company.co.uk   IN A 192.168.1.1
  www.ISP.org         IN A 192.168.1.1
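As an added illustration (not part of the original manual), the following Python models the Figure 21 arrangement: every name resolves to 192.168.1.1, so the web server has to pick the right customer's content from the HTTP Host header rather than from the address. The virtual host text, the DNS entries and the placeholder ServerAdmin addresses are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample configuration for the three virtual hosts of Figure 21,
# all served from 192.168.1.1 (the ServerAdmin addresses are placeholders).
VHOST_CONFIG = """
NameVirtualHost 192.168.1.1
<VirtualHost 192.168.1.1>
    DocumentRoot /var/www/wraycastlecom
    ServerName www.wraycastle.com
    ServerAdmin webmaster@wraycastle.com
</VirtualHost>
<VirtualHost 192.168.1.1>
    DocumentRoot /var/www/companycouk
    ServerName www.company.co.uk
    ServerAdmin webmaster@company.co.uk
</VirtualHost>
<VirtualHost 192.168.1.1>
    DocumentRoot /var/www/ISPorg
    ServerName www.ISP.org
    ServerAdmin webmaster@ISP.org
</VirtualHost>
"""

# Constructed name server entries: every hosted name resolves to the one host.
DNS_A_RECORDS = {
    "www.wraycastle.com": "192.168.1.1",
    "www.company.co.uk": "192.168.1.1",
    "www.isp.org": "192.168.1.1",
}

_VHOST_BLOCK = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(text: str) -> Dict[str, str]:
    """Map each ServerName (lower-cased) to its DocumentRoot, in file order."""
    vhosts: Dict[str, str] = {}
    for body in _VHOST_BLOCK.findall(text):
        settings: Dict[str, str] = {}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2:
                settings[parts[0]] = parts[1].strip()
        if "ServerName" in settings and "DocumentRoot" in settings:
            vhosts[settings["ServerName"].lower()] = settings["DocumentRoot"]
    return vhosts


def select_document_root(vhosts: Dict[str, str],
                         host_header: Optional[str]) -> Optional[str]:
    """Choose the DocumentRoot for one HTTP request from its Host header.

    Host names are compared case-insensitively, without any ':port' suffix or
    trailing dot.  A request with no Host header (HTTP/1.0) or with a name this
    server is not configured for matches nothing; returning None lets the
    caller answer with a default page or an error instead of guessing, so one
    customer's content is never served under another customer's name.
    """
    if not host_header:
        return None
    name = host_header.strip().lower().split(":", 1)[0].rstrip(".")
    return vhosts.get(name)


def dispatch(url_host: str) -> Tuple[Optional[str], Optional[str]]:
    """Resolve a URL host as the client would, then pick the vhost as the server would."""
    address = DNS_A_RECORDS.get(url_host.lower())
    if address is None:
        return None, None
    # The browser sends the name it resolved in the Host header; the server
    # sees the same 192.168.1.1 for all three names and must use that header.
    return address, select_document_root(parse_vhosts(VHOST_CONFIG), url_host)
```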
3.4 Dedicated Hardware
Some organizations wish to have a dedicated physical server from which to host their web content. In these cases, the service provider typically offers a suitable physical server dedicated to the customer, along with WAN and LAN connectivity, and the name server facilities to make the device reachable.

Typically first level support for the platform from the service provider is part of this package; the service provider will repair faulty hardware or software on the basic platform. However, web content and scripting is the responsibility of the customer. The customer can normally access the web server securely for remote administration.

This is a common model for small to medium-sized hosting companies. They rent physical servers and infrastructure from a large data centre operator, then resell hosting and other services on these physical platforms using a virtual hosting model to their customers.
3.5 Co-location
In the co-location model, the service provider is responsible for space, power, network connectivity and basic network services such as name servers. However, the customer provides their own physical servers into the rack space provided by the data centre operator. Normally this model requires operational staff from the customer to be present at the facility to provide first level support, and so is only suitable for large data centres and large customers. This approach is more popular for scenarios other than web hosting, particularly for Internet Exchange Points and carriers wanting access to backbone transmission facilities for core Internet nodes.
Figure 22: Dedicated Hardware or Co-location Hosting

Each customer has its own physical server and address behind the data centre routers (to Internet):
  192.168.1.1  www.wraycastle.com
  192.168.1.2  www.company.co.uk
  192.168.1.3  www.ISP.org
Two routers connect the site to the Internet; the service provider name server ns1.myISP.com and the address 192.168.2.1 are shown on the router side.

Name server entries:
  www.wraycastle.com  IN A 192.168.1.1
  www.company.co.uk   IN A 192.168.1.2
  www.ISP.org         IN A 192.168.1.3

Registry lookup:
  >whois wraycastle.com
  name server ....... ns1.myISP.com
Figure 23: Web Cache Operation (Web client, Web cache and Web server; GET www.wraycastle.com requests pass from the web client to the web cache, and from the cache to the web server only when the page is not held or its expiry period has passed)
4 PROVIDING NAME SERVERS

4.1 Implementing Primary and Secondary DNS Servers

For a given domain, it is a requirement of registration that at least one secondary domain server is implemented, and normally two secondary domain servers are implemented for extra resilience; without an operating name server, most transactions involving the domain will fail. These servers should be physically separate, and ideally served by completely different infrastructure, to minimize the risk of a single point of failure.

The simplest configuration of public name server services has the ISP providing entries in its name servers for the customer domain.

However, in some cases, the customer may wish to operate the primary name server, and have the ISP operate secondary name servers for resilience.

In order to implement one or more secondary name servers homed to a corporate primary name server, careful configuration of all of the servers is necessary:

• the parent domain, for example the .com domain for our example, should list all of the name servers for the domain directly
• the primary name server should permit zone transfers from the named secondary servers, while normally (for security reasons) blocking all other zone transfers
• the secondary name servers should be configured with the details of the primary name server, specifically its IP address, to allow transfers to take place
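The three configuration points above can be checked against each other as a consistency audit. The following is an added example, not the manual's own material; the Primary and Secondary data classes, the server names and the addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Set


@dataclass
class Primary:
    """Hypothetical description of the corporate primary name server."""
    name: str
    address: str
    zone_ns: Set[str]          # NS records published inside the zone
    allow_transfer: Set[str]   # addresses allowed to pull the zone; "any" = everyone


@dataclass
class Secondary:
    """Hypothetical description of one ISP-operated secondary."""
    name: str
    address: str
    masters: Set[str]          # addresses it pulls the zone from


def audit_name_servers(parent_ns: Set[str], primary: Primary,
                       secondaries: List[Secondary]) -> List[str]:
    """Return the configuration problems found; empty if the set-up is sound."""
    problems: List[str] = []
    servers = {primary.name} | {s.name for s in secondaries}

    # 1. The parent zone must delegate to every server, and only to servers
    #    that really serve the zone (a stale entry is a lame delegation).
    for missing in sorted(servers - parent_ns):
        problems.append(f"parent zone does not list {missing}")
    for stale in sorted(parent_ns - servers):
        problems.append(f"parent zone lists {stale}, which does not serve the zone")
    if primary.zone_ns != servers:
        problems.append("NS records inside the zone do not match the server set")

    # 2. Resilience: one secondary is the minimum, two are usual.
    if len(secondaries) < 1:
        problems.append("no secondary name server")
    elif len(secondaries) < 2:
        problems.append("only one secondary name server; two are usual for resilience")

    # 3. Zone transfers: permitted to the named secondaries and nobody else.
    open_to_all = "any" in primary.allow_transfer
    if open_to_all:
        problems.append("primary allows zone transfers from any address")
    secondary_addrs = {s.address for s in secondaries}
    for s in secondaries:
        if not open_to_all and s.address not in primary.allow_transfer:
            problems.append(f"primary does not allow transfers to {s.name} ({s.address})")
        if primary.address not in s.masters:
            problems.append(f"{s.name} does not pull the zone from the primary at {primary.address}")
    for extra in sorted(primary.allow_transfer - secondary_addrs - {"any"}):
        problems.append(f"primary allows transfers to {extra}, which is not a secondary")
    return problems


# Constructed example: wraycastle.com with a corporate primary and two ISP
# secondaries (all names and addresses below are illustrative).
PRIMARY = Primary("ns0.wraycastle.com", "192.168.1.5",
                  zone_ns={"ns0.wraycastle.com", "ns1.myISP.com", "ns2.myISP.com"},
                  allow_transfer={"192.168.1.100", "192.168.1.101"})
SECONDARIES = [
    Secondary("ns1.myISP.com", "192.168.1.100", masters={"192.168.1.5"}),
    Secondary("ns2.myISP.com", "192.168.1.101", masters={"192.168.1.5"}),
]
PARENT_NS = {"ns0.wraycastle.com", "ns1.myISP.com", "ns2.myISP.com"}


def sound_setup() -> List[str]:
    return audit_name_servers(PARENT_NS, PRIMARY, SECONDARIES)


def loose_setup() -> List[str]:
    """Same servers, but the primary left transfers open to everyone and the
    parent delegation still names an old ISP server."""
    loose = Primary(PRIMARY.name, PRIMARY.address, PRIMARY.zone_ns, {"any"})
    return audit_name_servers(PARENT_NS | {"old.myISP.com"}, loose, SECONDARIES)
```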
4.2 DNS Caches and Forwarders
DNS caches are operated by large enterprises as well as ISPs to speed the resolution of information from the global DNS. They are not definitive for any domain, and carry out recursive DNS queries. In other words, they will request a DNS resolution on behalf of their clients. DNS software normally includes a setting that allows forwarding of requests that the DNS itself cannot resolve. This type of operation is known as recursion.

The service provided by an ISP normally includes providing a DNS cache as part of the client configuration. For dial-up accounts, the IP address of the DNS cache is normally provided as part of the Dynamic Host Configuration Protocol (DHCP) exchange when the client machine connects.

For client networks that access the Internet via an access router, this router normally operates as a DNS forwarder. Although definitions vary, it is useful to think of a forwarder as a special case of a cache that holds no cache information. Because it holds no DNS data, all requests are forwarded to the designated name server, which in this case will normally be the ISP cache, as before.

This forwarding action can be used to implement internal and external DNS for a client within the corporate network, as follows:

• requests are sent to a local name server in the business domain, which resolves requests for hosts internally
• because the corporate DNS cannot resolve Internet addresses, these are passed to the Internet DNS for resolution

Figure 25 shows this scheme for a dial-up network, where DHCP from the ISP is used to assign the public dial-up router address for the client (192.168.1.1 in this example), and a DHCP server also operates within the dial-up router to provide IP addresses to the private network clients (in this example the internal address of the DHCP server is 10.0.0.1, and it assigns addresses in the range 10.0.0.0/24). Each DHCP dialogue lists the correct DNS server, so that DNS requests from internal hosts are passed to the dial-up router, which in turn forwards them on to the ISP cache for resolution.
Figure 25: DNS Configuration through DHCP

DHCP configuration given by the ISP (via the NAS) to the dial-up router:
  IP address: 192.168.1.1
  IP address mask: /24
  Gateway address: 192.168.1.254
  DNS server address: 192.168.1.100 (ns1.myISP.com, the ISP DNS cache)

DHCP configuration given by the dial-up router (10.0.0.1, acting as DNS forwarder) to the internal clients 10.0.0.2, 10.0.0.3, 10.0.0.4:
  IP address: 10.0.0.X
  IP address mask: /24
  Gateway address: 10.0.0.1
  DNS server address: 10.0.0.1

Recursive resolution for the client takes place via the DNS forwarder, which passes requests on to the ISP DNS cache at ns1.myISP.com (192.168.1.100) across the NAS and the Internet.
4.3 Partitioning Enterprise and Service Provider DNS
Any large organization will typically be operating an internal DNS, as well as making some parts of the corporate DNS visible on the public Internet. At least two Internet name servers are required for the public parts of the domain, and multiple name servers may be configured within the corporate network to provide fast and efficient name resolution between sites, or to partition the administration tasks between divisions or geographies.

This combination of public and private DNS entries requires the DNS to operate as a split DNS, for security reasons. In a split DNS architecture, the DNS is divided into two types of logical platform:

• a public name server provides resolution of the public DNS fields of the enterprise
• a private name server provides resolution from internal and trusted sources

Corruption of name server data can be a very effective method of mounting DoS and masquerading attacks against a domain. It is extremely important that internal host information is not visible from the Internet. The DNS application should be hardened in various ways beyond the basic splitting described above, but this is a more detailed topic than can be covered in this introduction to the subject.
Figure 26: Implementing a Split DNS

Public Server (public name server for wraycastle.com, reached from the Internet via the ISP name server (cache)):
  authoritative for public zones
  listed in parent zones as NS records
  queried by Internet name servers
  non-recursive

Private Server (sales name servers for sales.wraycastle.com, development name servers for development.wraycastle.com):
  authoritative for private (internal) zones
  queried only by internal or trusted forwarders or resolvers
  recursive for trusted sources through ISP name server cache

Query paths shown: external query for an external host, external query for an internal host, internal query for an internal host.
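The split-DNS policy of Figure 26, together with the recursion through the ISP cache described in 4.2, as an added Python model that is not from the original manual. The zone contents, the external address 203.0.113.5, the trusted network 10.0.0.0/24 and the isp_cache stand-in are constructed for the example.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

Answer = Tuple[str, Optional[str]]          # (response code, address or None)
Upstream = Callable[[str], Answer]          # recursive resolver, e.g. the ISP cache

# Constructed zone data for wraycastle.com.  The public view carries only what
# the Internet may see; the private view adds the internal hosts.
PUBLIC_VIEW = {
    "wraycastle.com": "192.168.1.1",
    "www.wraycastle.com": "192.168.1.1",
}
PRIVATE_VIEW = {
    **PUBLIC_VIEW,
    "intranet.sales.wraycastle.com": "10.0.0.2",
    "build.development.wraycastle.com": "10.0.0.3",
}
TRUSTED = [ipaddress.ip_network("10.0.0.0/24")]   # the private LAN of Figure 25


def isp_cache(qname: str) -> Answer:
    """Stand-in for the ISP DNS cache (ns1.myISP.com) doing full recursion."""
    known = {"www.isp.org": "192.168.1.4"}   # constructed
    return ("NOERROR", known[qname]) if qname in known else ("NXDOMAIN", None)


def in_zone(qname: str, zone: str) -> bool:
    return qname == zone or qname.endswith("." + zone)


class SplitDns:
    """One logical server holding a public and a private view of the same zone."""

    def __init__(self, zone: str, public: Dict[str, str], private: Dict[str, str],
                 trusted: List[ipaddress.IPv4Network], upstream: Upstream) -> None:
        self.zone, self.public, self.private = zone, public, private
        self.trusted, self.upstream = trusted, upstream
        self.log: List[str] = []          # refused recursion attempts, for monitoring

    def is_trusted(self, source_ip: str) -> bool:
        addr = ipaddress.ip_address(source_ip)
        return any(addr in net for net in self.trusted)

    def query(self, qname: str, source_ip: str) -> Answer:
        qname = qname.lower().rstrip(".")
        trusted = self.is_trusted(source_ip)
        view = self.private if trusted else self.public
        if in_zone(qname, self.zone):
            # Authoritative in both views: answer from the selected view only.
            # An external query for an internal host gets NXDOMAIN, exactly as
            # if the name did not exist, so nothing internal leaks.
            address = view.get(qname)
            return ("NOERROR", address) if address else ("NXDOMAIN", None)
        if not trusted:
            # The public server is non-recursive: it never resolves names on
            # behalf of arbitrary Internet hosts.
            self.log.append(f"REFUSED recursion for {qname} from {source_ip}")
            return ("REFUSED", None)
        # The private view recurses for trusted sources through the ISP cache,
        # which is the forwarding chain of 4.2.
        return self.upstream(qname)


SERVER = SplitDns("wraycastle.com", PUBLIC_VIEW, PRIVATE_VIEW, TRUSTED, isp_cache)
```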
5 SECTION 2 QUESTIONS

1 Explain the function of DHCP.

2 What are the advantages of DHCP over static configuration of host IP parameters?

3 The PPP protocol is widely used in dial-up Internet access because:
a it is the most efficient link layer protocol
b it includes additional protocols to support dial-up users, including link and IP configuration
c it operates end-to-end between IP hosts, whereas other link layer protocols are limited to the access network only
d it can carry multiple network layer protocols, using its NLPID field, rather than just IP

4 Local loop unbundling may be:
a physical
b logical
c neither a nor b
d both a and b

5 Explain how a sending mail server would discover the IP address of the mail server it wishes to send SMTP mail to.

6 When might a business with its own Internet domain use an ISP-hosted secondary mail server? How would the MX preference records be set in this case?

7 Dynamic content can be generated for web pages using:
a server-side programming
b client-side programming
c neither a nor b
d both a and b

8 When would an enterprise use a split DNS approach?
SECTION 3
SERVICE PROVIDER ARCHITECTURES
SECTION CONTENTS

1 Network Architectures 3.1
1.1 The Core, Distribution and Access Model 3.3
1.2 The Access Layer 3.5
1.3 The Distribution Layer 3.11
1.4 The Core Layer 3.13
1.5 Peering Points and Internet Exchanges 3.15
1.6 Intra-PoP Architecture 3.17
1.7 Core Transmission Networks 3.19
2 Routing Overview 3.21
2.1 The Role of Routing Protocols 3.21
2.2 Routing Dynamics 3.23
2.3 Routing Protocols for Service Provider Networks 3.25
2.4 The AS Architecture of IP Networks 3.27
2.5 Interior (IGP) Versus Exterior (EGP) Routing 3.27
2.6 OSPF Basic Operation 3.29
2.7 BGP4 Basic Operation 3.31
3 Routing across the Customer/Service Provider Interface 3.33
3.1 Maintaining Separation of Routing Domains 3.33
3.2 Routing for Dial-up Users 3.35
3.3 Static Routing for a Single-homed Customer 3.37
3.4 Dynamic Routing for a Multi-homed Customer 3.39
4 Design Considerations for Control, Scale and Stability 3.41
4.1 Balancing SDH, ATM and IP Restoration 3.41
4.2 Isolation of Routing Domains and Traffic Filtering 3.43
4.3 Selection of OSPF Areas 3.45
4.4 The use of Default Routes and Networks for Network Protection 3.47
4.5 Route Reflectors and BGP Confederations for Scaling iBGP 3.49
4.6 IP Traffic Management using BGP4 Techniques 3.51
5 Section 3 Questions 3.57
SECTION OBJECTIVES

At the end of this section you will be able to:

• explain the hierarchy of a typical IP network
• compare and contrast router and switch features at core, distribution and access layers
• explain the functions and key properties of routing protocols
• evaluate a routing design at the customer/service provider interface
• present the key mechanisms for control, scale and stability in routing design
1 NETWORK ARCHITECTURES

Before a technical architecture can be proposed or updated, it is important to answer various ‘business case’ questions, such as:

• the set of services the infrastructure must provide. For example, does the network provide dial-up access or GSM access?
• the customers the network intends to serve. For example, residential users, small business users, large global enterprises, or other service providers?
• the rollout of network and service functionality. For example a regional, national or international network, and in what sequence?
• the forecast volumes of traffic over time, and the traffic matrix

Assuming answers to these questions are available, then a range of technical architecture decisions can be made, including:

• what access platforms must be provided?
• what protocols must be supported directly or through tunnelling?
• what network services platforms must be provided?
• how should peering be carried out?
• what capacity should key components be designed for?

The results of these considerations lead to a technical architecture for the network, which allows the planned set of services to be offered, at the volumes predicted and the locations planned.
Figure 1: Relating the Technical Architecture to the Business Plan

Business Plan: services, customers, locations, forecast volumes, etc.
Technical Architecture: access platforms, service platforms, routing architecture, switching architecture, PoP architecture, peering arrangements, protocols, etc.
1.1 The Core, Distribution and Access Model
The IP network of any medium to large ISP is structured into (typically) three logical levels of hierarchy. This approach normally achieves the best overall balance between manageability, scalability, reliability and economy.

The three levels of hierarchy are commonly known as the Core, Distribution and Access layers.

• the Core is responsible for simple, high-speed switching of transit traffic
• the Distribution Layer contains network services, and collects traffic from the access layer for the core layer
• the Access Layer connects users to the network in an efficient way

We discuss each of these layers in more detail in the next few slides.
Figure 2: The Core, Distribution and Access Architecture

Core: simple, high-speed switching
Distribution: service platforms, local PoPs, peering, policy, aggregation
Access: customer premises equipment, ADSL access, modem banks, user connections, etc.
1.2 The Access Layer
The access layer occurs at the edge of the network. It provides customer premises routers, where these are managed by the service provider, as well as the bearer connection to a Point of Presence (PoP). Dial-up customers are connected to the PoP through a circuit-switched connection to a Network Access Server at the PoP, while directly connected customers are attached to a customer access router.
1.2.1 Customer Premises Equipment (CPE)
A customer premises router will normally offer a suitable WAN access interface, such as ISDN, E1 or E3, or switched services such as Frame Relay or ATM. Often a serial interface based upon the X.21, V.35 or High-Speed Serial Interface (HSSI) specifications is provided, and this is fed into a service provider Channel Service Unit/Data Service Unit (CSU/DSU) or Network Termination Point (NTU), which provides a standard signal interface complying with the G.703 standard of the ITU-T.

The customer side of the CPE normally provides an ‘Ethernet’ interface at 10 or 100 Mbit/s, to which the LAN network can be attached. Units designed for small office use may have an integral 8 or 16 port ‘Ethernet’ switch, so that hosts can be directly connected.

These routers may contain various value-added components of hardware or software, including:

• firewalls
• network address translation
• DHCP servers for the LAN
• IP-VPN gateways
• packet classification, where QoS techniques have been implemented on the access circuit
Figure 3: The Access Layer

Customer premises router: ‘Ethernet’ switch, DHCP server, NAT device, firewall, IP-VPN gateway, flexible WAN interfaces
Customer access router (to distribution layer): high port density, traffic policing, traffic shaping, traffic classification, packet filtering, dual power supplies, hot-swappable modules
1.2.2 Access Routers
Customer access routers must match the WAN capabilities of CPE routers, including the ability to provide traditional leased line and switched service connectivity. Normally a mid-range router with a configurable chassis is used, to give the best possible port density. Normally this device will contain dual power supplies, multiple route processor cards (to perform IP forwarding), and the ability to hot-swap components, including customer interfaces.

In addition to any routing protocol run across the service interface, the access router provides the boundary of the service provider network, and so filtering and policing actions normally take place on this unit. These may include:

• filtering of traffic on source address for security reasons
• packet classification, where QoS techniques have been implemented in the core network
• policing of traffic flows against permitted volumes, particularly where QoS techniques have been implemented on the access circuit
• filtering of routing information against a list of allowed customer networks at the site being serviced
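An added example, not from the original manual, of the two address-based filters in the list above applied on one customer-facing port: the same list of allowed customer networks decides which announced routes are accepted and which source addresses may enter. The AccessPortPolicy class, the customer prefixes and the sample traffic are constructed.

```python
import ipaddress
from typing import Iterable, List, Tuple

Net = ipaddress.IPv4Network


class AccessPortPolicy:
    """Filtering applied on one customer-facing port of the access router.

    The allowed customer networks drive both checks: routes the customer
    announces must fall inside them, and packets the customer sends must carry
    a source address inside them (a spoofed source is dropped at the boundary).
    """

    def __init__(self, allowed_networks: Iterable[str]) -> None:
        self.allowed: List[Net] = [ipaddress.ip_network(n) for n in allowed_networks]
        self.dropped: List[str] = []   # audit trail of what was rejected

    def _covered(self, net: Net) -> bool:
        return any(net.subnet_of(a) for a in self.allowed)

    def accept_route(self, prefix: str) -> bool:
        """Route filter: accept only prefixes within the customer's own networks.

        A default route (0.0.0.0/0) or someone else's address space announced
        by the customer is never covered, so it is rejected as well.
        """
        net = ipaddress.ip_network(prefix)
        if not self._covered(net):
            self.dropped.append(f"route {prefix}")
            return False
        return True

    def permit_packet(self, src: str, dst: str) -> bool:
        """Ingress source-address filter: drop packets not from the customer's space."""
        if not any(ipaddress.ip_address(src) in a for a in self.allowed):
            self.dropped.append(f"packet {src} -> {dst}")
            return False
        return True

    def filter_routes(self, prefixes: Iterable[str]) -> List[str]:
        return [p for p in prefixes if self.accept_route(p)]

    def forward(self, packets: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
        return [(s, d) for s, d in packets if self.permit_packet(s, d)]


# Constructed example: a customer site allocated 192.168.1.0/24 and 192.168.2.0/24.
SITE = AccessPortPolicy(["192.168.1.0/24", "192.168.2.0/24"])
ANNOUNCED = ["192.168.1.0/24", "192.168.2.0/25", "0.0.0.0/0", "10.0.0.0/8"]
PACKETS = [("192.168.1.5", "203.0.113.10"),   # genuine customer source
           ("10.1.1.1", "203.0.113.10"),      # source outside the site: dropped
           ("192.168.2.9", "192.168.1.5")]
```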
Figure 3 (repeated): The Access Layer
Figure 4: The Network Access Server

NAS (to distribution layer): high port density, flexible modem/ISDN termination, voice gateway functionality, SS7 control functionality, virtual modem banks; bearers with ISDN/modem on the customer side, and an SS7 link to a signalling controller/media gateway controller.
1.3 The Distribution Layer
The distribution layer provides aggregation of traffic from the customer access routers, as well as providing transit for traffic within the local area from a routing perspective. Traffic within the local area is normally routed between access routers by the distribution layer; traffic between areas is routed by the core layer, via the distribution layer routers.

The distribution layer is the layer at which:

• network servers are deployed
• peering with other service providers takes place
• high bandwidth access circuits are attached to the network

1.3.1 Distribution Layer Routers

Distribution layer routers typically require lower port density than an access router, since they will interconnect with banks of access routers and typically with a small number of core routers. A LAN switched network may be used to concentrate access traffic onto the distribution routers.

The distribution router may need to apply policing, traffic shaping and filtering to traffic from high-speed customer connections that enters the network at the distribution layer. The distribution router must be able to perform a range of IP processing functions, including participating effectively in the IGP protocol of the ISP, as well as achieving a high packet-forwarding rate.
Figure 5: Properties of a Distribution Router

From access layer to core: medium port density, filtering and policing for high-speed access, dual power supplies, hot-swappable modules, powerful route processing, line-speed forwarding.
1.4 The Core Layer
The core layer acts as a high-speed transit layer for traffic flowing between the separate distribution areas of the network. The core routers must be able to forward traffic at extremely high line speeds, and must also have the memory and processing power to hold the full Internet routing tables for the ISP. Whereas lower levels of the routing architecture typically use a default route to pass traffic up to the core, the core routers must either route each packet on a genuine route, or discard it.

The core network connecting these routers is typically a Layer 2 switching technology, either ATM or MPLS. Traditionally, separate ATM switches were used to provision full mesh connectivity between core routers; however, as MPLS is deployed into routers the need for a separate switching layer reduces, and the cost and complexity saving that this provides is attractive.

The use of Layer 2 switching makes traffic engineering much easier for the core portion of the network. By configuring multiple virtual circuits across the physical infrastructure between core router sites, it is possible to control the bandwidth available between destinations, and to adjust this to react to unusual demand or to meet medium term demand.
Figure 6: The Core Architecture (core routers interconnected by a full mesh of PVCs, with a routing adjacency across each PVC)
1.5 Peering Points and Internet Exchanges
Peering between service providers can take place at a managed Internet eXchange Point (IXP) or on a bilateral basis between two operators. In both cases, the technical requirements include a public Autonomous System Number (ASN) and a Border Gateway Protocol (BGP4) router facing the peering point.

Some IXPs limit themselves to purely providing a switched infrastructure; others offer extra technical services, e.g. route servers, private interconnects. The majority of IXPs are located in co-location facilities, which provide basic services including power, air-conditioning, security and first level support.

1.5.1 LAN Infrastructure

The majority of IXPs have adopted a Layer 2 switched ‘Ethernet’ architecture. There are examples of other architectures such as ATM and FDDI, however these are not common.

1.5.2 Collector Router

To assist in troubleshooting peering arrangements, some IXPs provide a router with which all members peer and announce their routes. The router listens to, or ‘collects’, these announcements, but does not announce any routes itself; hence some IXPs use the term ‘collector’ router for this equipment. IXP staff and member ISPs have user accounts on this router, enabling them to have a central ‘view’ of all of the peering dialogues at the IXP, independent of the view through their own connection.

1.5.3 Private Interconnect

The concentration of ISP connections at an IXP can make it a very convenient place for one ISP to have a direct physical connection to another where their router equipment is co-located and with whom they exchange significant traffic. This is the equivalent of a bilateral peering connection, but hosted at the IXP.

1.5.4 Route Servers

Some IXPs offer a route server facility. This is typically a device that interrogates routing registries, builds a database of the entries in the registries for the member networks, and provides a routing table based on this information. An IXP member’s router may then build its routing table with just one peering session with the route server rather than taking many routing tables from all its peers. The principal aim is to reduce the processing power required in the member router connected to the IXP.
Figure 7
Architecture of an Internet Exchange Point
[Diagram: the ASBRs of ISP1 to ISP5 connect to the IXP’s own ASBR; ISP1 and ISP3 peer, and ISP4 and ISP5 peer, across the exchange; a private peering link joins two co-located ISPs directly; the IXP also hosts a route server and a collector router.]
1.6 Intra-PoP Architecture
A service provider PoP will typically contain many access routers and at least two distribution routers. In order to achieve the fan-out necessary at the PoP, and to make the LAN connections resilient, it is common to use a dual-homed switched ‘Ethernet’ to interconnect the layers of the architecture, as shown in Figure 8.
Where the distribution layer routers are co-located with core routers, the same model may be repeated.
Figure 8
Switching used within an Internet PoP
[Diagram: within the Point of Presence, the access layer routers and the distribution layer routers are interconnected through a pair of LAN switches, each router being dual-homed to both switches.]
1.7 Core Transmission Networks
For large Internet networks, the interconnection of the core routers has traditionally been across an ATM switched infrastructure that is dedicated to the Internet core. In this architecture the switching layer is used to provide control of the path traffic takes across the backbone, and to control bandwidth utilization. The physical layer connections are essentially point-to-point, rather than across a managed transmission network such as Synchronous Digital Hierarchy (SDH).
Traditional telecommunication operators have often built their IP services network separate from the public Internet. The traffic volumes in this case are smaller than in an Internet backbone. Also these operators often have a network strategy based upon multiservice ATM switching and a common SDH-based transmission network. As a result, they have often, at least initially, run their IP services traffic as another service across an integrated ATM layer.
As the demand for bandwidth grows in a typical IP services network, it dominates the utilization of general-purpose transmission and switching capacity, and the operator typically moves to a model of dedicated IP switching and transmission capacity in the core network.
In the future, it is likely that MPLS will replace ATM as the Layer 2 traffic engineering technology for large IP networks, running across switched wavelengths in a managed optical network.
Figure 9
Options for Core Transmission Architecture
[Diagram of three options: IP over ATM core (IP over an ATM layer providing traffic engineering, over SDH); IP over multiservice ATM core (IP, FR, ATM and voice services sharing one ATM layer with PVCs for each service, over SDH); IP over MPLS core (IP with MPLS traffic engineering over a managed optical switch).]
2 ROUTING OVERVIEW
2.1 The Role of Routing Protocols
Packet forwarding in an IP network is carried out by checking the destination IP address of arriving packets against a routing table within the router. This routing table contains matched entries of IP network or host addresses, and the address of the next hop router which can best be used to reach the packet destination.
The entries in the routing table may be generated manually, in which case they are known as static routes. Static routes can be useful in certain circumstances; however they also have two drawbacks.
• Static routes have no resilience. If the physical connection that a static route points to becomes unavailable, it may be impossible to deliver traffic to its destination, even if alternative paths could be found.
• In all but the smallest networks, the manual configuration of static routes, and the effort involved in moves and changes, makes them unattractive.
Routing protocols are used to make IP networks more scalable and more resilient. The main role of routing protocols is to keep the routing tables accurate, even if the network state changes. Routing protocols consist of advertisements, which communicate routing information to neighbouring routers, and a routing algorithm, which processes the routing advertisements and generates routing table entries.
Figure 10 shows a simple network of three routers, and the routing table that might result once updates have been exchanged. In this example we have subnetted the 192.168.1.0/24 network to produce two /27 networks, and we have used Cisco’s Interior Gateway Routing Protocol (IGRP) to exchange advertisements and to calculate the best route to destination subnets.
The table at the bottom of Figure 10 shows the routing table entry that results in router 3. It shows that the subnet connecting routers 1 and 2 was learnt through the IGRP routing protocol, as well as indicating the interface traffic should be transmitted on to reach the subnet (Ethernet 1), and the IP address of the router interface it should be sent to (192.168.1.65).
Figure 10
An Example of Routing Protocol Operation
[Diagram: R1 (e0, 192.168.1.33/27) connects to R2 (e0, 192.168.1.34/27) over subnet .32; R2 (e1, 192.168.1.65/27) connects to R3 (e1, 192.168.1.66/27) over subnet .64.]
Router configuration, which runs the IGRP routing protocol for network 192.168.1.0:
  > router igrp
  > network 192.168.1.0
Routing table in router 3:
  router3 > show ip route
  192.168.1.0 is subnetted, 2 subnets
  I  192.168.1.32 [metric] via 192.168.1.65 eth 1
  C  192.168.1.64 is directly connected, eth 1
Reading each entry from left to right: how the route was learnt (I – IGRP; C – direct connection; S – static, i.e. manually configured; ...and many others), the subnet that can be reached, the metric (which measures how ‘good’ the next hop is), the address of the next hop router, and the outbound interface.
2.2 Routing Dynamics
The structure of a network, i.e. its nodes and links, is known as the network topology. When the topology of the network changes, routing updates are sent from the affected router to its neighbouring routers. When a router receives a routing update that indicates a change in the network topology, the router must recalculate the routing table entries using its routing algorithm. These updates and recalculations quickly propagate to all of the routers in the routing domain.
The routing algorithm is designed to generate optimum routes to any given destination, based upon the routing protocol metric provided in routing advertisements. Different protocols use different metrics, but examples of metrics commonly used include the number of router hops, the bandwidth of a link and the delay across a link.
The time taken to calculate these new routing table entries, and for these to propagate between all of the routers, is called the convergence time of the routing protocol. Early routing protocols either took a long time to converge as the network size grew, or generated a lot of unnecessary routing traffic. Modern routing protocols such as Open Shortest Path First (OSPF) and Intermediate System to Intermediate System (IS-IS) are more complex to configure than these earlier, simpler protocols, but also perform much more effectively in large networks.
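As an added example, not code from the manual: a small Python model of the route calculation and forwarding described in sections 2.1 and 2.2. It builds a routing table from a link-state database with a shortest-path (Dijkstra) calculation, recalculates it after a link failure as in Figure 11, and forwards by longest-prefix match using the route codes of Figure 10 (with an ‘S’ default route of the kind discussed in sections 3.2 and 4.4). The two /27 subnets and their addresses are those of Figure 10; the R1–R3 backup link on 192.168.1.96/27, the link costs and the default route are constructed, and the link-state calculation stands in for the distance-vector IGRP of the figure.

```python
"""Toy link-state router: SPF route calculation, recalculation on link failure,
and longest-prefix-match forwarding.  Added example; the topology is constructed."""
import heapq
import ipaddress

# Constructed link-state database:
# (router_a, router_b, subnet, {router: its interface address on that subnet}, cost)
LINKS = [
    ("R1", "R2", "192.168.1.32/27", {"R1": "192.168.1.33", "R2": "192.168.1.34"}, 10),
    ("R2", "R3", "192.168.1.64/27", {"R2": "192.168.1.65", "R3": "192.168.1.66"}, 10),
    # Slower backup link, not in Figure 10, so that a failure leaves an alternative path.
    ("R1", "R3", "192.168.1.96/27", {"R1": "192.168.1.97", "R3": "192.168.1.98"}, 30),
]


def shortest_paths(links, source):
    """Dijkstra over the link-state database.
    Returns {router: (cost, first_hop_router)}; the source itself has first hop None."""
    adj = {}
    for a, b, _net, _addrs, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    best = {source: (0, None)}
    heap = [(0, source, None)]
    while heap:
        cost, node, first_hop = heapq.heappop(heap)
        if cost > best[node][0]:
            continue  # stale entry, superseded by a cheaper path
        for nbr, link_cost in adj.get(node, []):
            hop = nbr if node == source else first_hop
            if nbr not in best or cost + link_cost < best[nbr][0]:
                best[nbr] = (cost + link_cost, hop)
                heapq.heappush(heap, (cost + link_cost, nbr, hop))
    return best


def build_routing_table(links, router, static=None):
    """Routing table of one router: {subnet: (code, next_hop_address, metric)}.
    Codes follow Figure 10: C = directly connected, I = learnt from the routing
    protocol, S = static (here used for a default route)."""
    paths = shortest_paths(links, router)
    # Address of each directly connected neighbour on the link it shares with us.
    nbr_addr = {}
    for a, b, _net, addrs, _cost in links:
        if router in (a, b):
            other = b if a == router else a
            nbr_addr[other] = addrs[other]
    table = {}
    for a, b, net, _addrs, link_cost in links:
        subnet = ipaddress.ip_network(net)
        if router in (a, b):
            table[subnet] = ("C", None, 0)
            continue
        # Reach a remote subnet through whichever of its end routers is nearer.
        ends = [(paths[r][0], r) for r in (a, b) if r in paths]
        if not ends:
            continue  # subnet unreachable after a failure: no entry at all
        cost, end = min(ends)
        table[subnet] = ("I", nbr_addr[paths[end][1]], cost + link_cost)
    for net, next_hop in (static or {}).items():
        table[ipaddress.ip_network(net)] = ("S", next_hop, 0)
    return table


def lookup(table, destination):
    """Longest-prefix match: the most specific subnet containing the address,
    or None when nothing (not even a default route) covers it."""
    addr = ipaddress.ip_address(destination)
    matches = [subnet for subnet in table if addr in subnet]
    return max(matches, key=lambda subnet: subnet.prefixlen) if matches else None


def fail_link(links, a, b):
    """Link-state database after the link between routers a and b has been withdrawn."""
    return [link for link in links if {link[0], link[1]} != {a, b}]


if __name__ == "__main__":
    # Figure 10: router 3 reaches the R1-R2 subnet via 192.168.1.65.
    for subnet, entry in build_routing_table(LINKS, "R3", {"0.0.0.0/0": "192.168.1.65"}).items():
        print("R3", subnet, entry)
    # Figure 11: once the R1-R2 link fails and routes are recalculated, R1 reaches R2 via R3.
    print("R1 before:", shortest_paths(LINKS, "R1"))
    print("R1 after: ", shortest_paths(fail_link(LINKS, "R1", "R2"), "R1"))
```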
Figure 11
The Dynamics of Routing Protocols
[Diagram: routers R1, R2 and R3 connected in a triangle, with a timeline of stability against time. Initial topology; (1) an interface fails, and R2 discovers that this interface has failed; (2) routing updates are sent and the topology is recalculated in each router (route calculation); the new topology is then stable. The interval from the failure to the stable new topology is the convergence time.]
Routing table entries before the failure: <R2> directly connected; <R3> directly connected.
Routing table entries after recalculation: <R2> reachable via <R3>; <R3> directly connected.
2.3 Routing Protocols for Service Provider Networks
Routing protocols operating within a large service provider network must be scalable, efficient and stable, even if attached networks are themselves unstable. Compared with the early routing protocols such as RIP, protocols such as OSPF and IS-IS have several desirable properties:
• they only transmit changes, rather than the complete routing table, making them more efficient in their use of network bandwidth
• they can separate a routing domain into smaller areas, which allows them to scale to extremely large networks
• they support Variable Length Subnet Masks (VLSM), which allows flexible use of the address space, and Classless Interdomain Routing (CIDR)
• they avoid routing loops, including indirect routing loops, which early protocols could not achieve
• they converge very quickly, compared to the convergence time of older routing protocols
• they allow load sharing across parallel links, rather than simply selecting the single best link between two points
Figure 12
Requirements for Service Provider Routing Protocols
Routing protocols for large service provider networks: only transmit changes; routing domain hierarchy; protocol supports VLSM and CIDR; protect against routing loops; fast convergence; algorithm supports load sharing.
2.4 The AS Architecture of IP Networks
The global Internet is a highly connected set of networks, each under separate administrative control. For this reason, networks operate one or more interior routing protocols (within their own network), and an exterior routing protocol across points where they interconnect with other IP networks. These interior protocols are known as Interior Gateway Protocols (IGP), and we will explore the operation of Open Shortest Path First (OSPF). The exterior routing protocols are known as Exterior Gateway Protocols (EGP), and we will explore the operation of Border Gateway Protocol version 4 (BGP4).
Each IP network that is connected to the Internet and under a single administrative control is known as an Autonomous System (AS).
2.5 Interior (IGP) Versus Exterior (EGP) Routing
The roles of interior and exterior routing protocols are very different, although each isconcerned with allowing routers to forward packets towards their destination.
An IGP protocol provides full and free exchange of topology information between participating routers. There is normally no commercial or other reason to restrict this flow of information, and by allowing all routers to see the internal structure of the network they are part of, they can best optimize their routing tables.
An EGP protocol provides reachability information from the routers in one AS to the routers in other ASs. They do not specifically provide information on the internal structure of their own network; they simply inform their neighbours in other networks that particular destinations are reachable through them. This protects the commercially sensitive structure of the service provider network, while still allowing traffic to be effectively forwarded to its destination.
This approach also more easily allows routing policies between ASs to be imposed through the EGP protocol routing updates.
Figure 13
Interior versus Exterior Routing
[Diagram: service provider 1 (AS1234) serves customer 1 (192.168.1.0) and service provider 2 (AS5678) serves customer 2 (10.0.0.0). Within each provider the IGP protocol performs a full topology exchange. Between the providers the EGP protocol carries only reachability: ‘network 192.168.1.0 is reachable through AS1234’ and ‘network 10.0.0.0 is reachable through AS5678’.]
2.6 OSPF Basic Operation
The structure of OSPF is hierarchical and is detailed in Figure 14. The Autonomous System (AS) is split into areas that are in turn linked together by a backbone area. Within an area, each router builds an identical link state database, by sending and receiving Link State Advertisements (LSA) to all of the participating routers within the area.
If routers are on a shared medium or Non-Broadcast Multiple Access (NBMA) network, they hold elections in which a Designated Router (DR) and a Backup Designated Router (BDR) are identified to represent the area, in which case each DR is responsible for building the link state database for its respective area. Otherwise, each router builds this link state database independently. Area Border Routers (ABR) connect each area to the backbone area. The ABRs may either forward all LSAs from their area to the backbone routers, or more usually summarize this information.
In an OSPF network, traffic between destinations within an area must be routed entirely within the area. This is known as intra-area routing. Traffic between destinations in different areas must be carried across the backbone area, area 0. This approach imposes a strict hierarchy in the routing of traffic. Although this may be less than optimal in any particular case, it makes the design of the overall network, the control of traffic flows, and the isolation of problems much simpler than would be the case if this hierarchy were not imposed. Perhaps most importantly, it protects the areas from bad topology information in another area, and so allows the scope of such problems to be constrained.
Figure 14
OSPF Basic Operation
[Diagram: backbone area 0 containing the backbone routers, with areas 1 to 4 each attached to it through area border routers; within each area the area routers exchange LSAs with one another.]
2.7 BGP4 Basic Operation
Border Gateway Protocol version 4 (BGP4) is the main routing protocol that operates between ASs. It communicates the reachability of networks it is aware of, as well as the AS path necessary to reach them. Much of the emphasis in BGP operation is in controlling how traffic is routed across peering points; BGP provides various settings that can be used to impose a policy on interconnect points.
BGP can operate in two modes: External BGP (eBGP) operates between a pair of Autonomous System Border Routers (ASBR), and so runs across external links; Internal BGP (iBGP) operates between ASBRs within an autonomous system, and so runs across internal links.
The BGP routers must also participate in the autonomous system IGP, since traffic destined for the ASBRs must be routed across the internal network. BGP routing tables include a next-hop entry which is the address of the correct ASBR; however there will be intervening routers in most cases that must also route these packets.
Routes learnt from BGP can be added to the IGP routing tables, and routes learnt from the IGP can be added to the BGP routing tables.
Figure 15
BGP4 Basic Operation
[Diagram: AS1234 (containing network 192.168.1.0) and AS5678 (containing network 10.0.0.0). Within each AS the IGP protocol performs a full topology exchange and the ASBRs peer with one another using iBGP; between the ASs the ASBRs peer using eBGP. The announcements ‘network 192.168.1.0 is reachable through AS1234’ and ‘network 10.0.0.0 is reachable through AS5678’ are exchanged over eBGP and relayed over iBGP within each AS.]
3 ROUTING ACROSS THE CUSTOMER/SERVICE PROVIDER INTERFACE
3.1 Maintaining Separation of Routing Domains
Routing protocols are designed to quickly propagate changes in the topology of one part of the network to all routers in the network. While this is generally a good way to maintain optimal routing within a network, it can cause problems across the boundary between a service provider network and a customer network:
• it is important that changes in the customer network do not affect the routing within the service provider network
• it is important that internal changes within the service provider network do not affect the customer network
• it is particularly important that service providers are protected from any routing instability that might occur in a customer network; if allowed to enter the service provider network, this could make other customer networks unreachable, and services unavailable
The guiding principle in connecting customers to the service provider network is to maintain good separation of the routing domains. How easy this is to achieve depends upon the routing relationship between the two networks.
Part of providing an IP service in many cases is:
• the propagation of customer routes into the public network, so that public network traffic can reach the corporate network
• the propagation (in some sense) of Internet routes into the private network, so that traffic destined for the public network is sent to the service provider
Figure 16
Maintaining Separation at the Customer/Service Provider Interface
[Diagram: customer network 192.168.1.0 (the customer routing domain) connected to the service provider network AS1234 (the service provider routing domain), which connects to the Internet. Towards the Internet the provider announces ‘Network 192.168.1.0 is reachable through AS1234’; towards the customer it announces ‘The Internet is reachable over this link’.]
3.2 Routing for Dial-up Users
Dial-up users normally do not have a static IP address. Instead they are assigned an IP address using Dynamic Host Configuration Protocol (DHCP) from a pool of addresses available at a Network Access Server (NAS) operated by their ISP.
In this case, there are no customer routes to propagate, since the customer either operates a single host, or uses Network Address Translation to map multiple private IP addresses into the address assigned dynamically by their ISP.
The ISP normally injects a static route for the subnet containing the DHCP pool into their IGP, which then propagates across the public Internet. This allows traffic from the public network to be delivered to the correct NAS. The NAS then directs this traffic to the NAS port on which the customer is attached.¹
The example in Figure 17 shows a dial-up network receiving an address from the NAS address pool (192.168.1.2). A default route has been set up (represented by the all zeros network address), so that all non-local traffic is sent to the ISP. The ISP in turn routes this traffic on to its destination. In the reverse direction, the ISP has advertised the NAS address pool into its IGP and from there out into the wider Internet via BGP at its peering points.
The situation is more complicated if the user has a fixed IP address. In this case, the correct address can be assigned on a repeatable basis to this user by including extra information in their RADIUS or TACACS profile, which is invoked when the user connects to their ISP. A static route to this address is also announced from the NAS into the service provider IGP. If the fixed-address dial-up user is also mobile, a route can be dynamically loaded into the NAS as part of the RADIUS profile; however this level of complexity is seldom justified or implemented.
¹ Interestingly, several specialized service providers now offer Dynamic Domain Name Service (DDNS) to the public. This allows users with a DHCP-assigned public address to have this captured and entered into the DNS system while they are logged into the network.
Figure 17
Routing for Dial-up Users
[Diagram: a dial-up host is assigned 192.168.1.2 (for example) by the DHCP server with address pool 192.168.1.0/24 at the NAS (192.168.1.254), which connects to the Internet. Towards the user the NAS offers ‘0.0.0.0 via me’, so all Internet traffic is sent to it; towards the Internet it announces ‘192.168.1.0/24 via me’.]
3.3 Static Routing for a Single-homed Customer
A single-homed customer is a customer with a single service provider. We will assume the customer site is permanently connected, and operating a private IP network that has some public address space. Because the customer has their own public IP addresses, the service provider must advertise the customer routes across the public Internet.
A static routing approach can still work in this case, and thereby avoid the need to operate a routing protocol across the customer/service provider interface. This could be achieved by configuring the customer network addresses as static routes within the customer access router, so that these propagate in a stable way into the service provider IGP and beyond. In a similar way a default route to the ISP can be configured in the Customer Premises Equipment (CPE) router, which then propagates through the customer network via the customer’s own IGP.
A strong advantage of this approach is that it avoids completely any dynamic routing updates across the service boundary, and so protects each network from instability in the other. One disadvantage of this approach is that it requires reconfiguration of the service provider router when the customer makes a change to the addressing in their network.
If a client has multiple sites, but still uses a single service provider, this same approach can be extended, with the access router for each site announcing the subnets at that site based upon static route entries.
If a single-homed client has a large private network, it may be better to operate a dynamic routing protocol across the service interface, to minimize the overhead of maintaining static routes for the client network. In this case, the same approach as that used for multi-homed clients can be followed (see Figure 19).
Figure 18
Routing for Single-homed Customers
[Diagram: customer network 192.168.1.0/24 (customer routing domain) connected to the service provider routing domain and on to the Internet. The provider announces ‘0.0.0.0 via me’ into the customer IGP; the customer access router announces ‘192.168.1.0/24 via me’ into the service provider IGP.]
3.4 Dynamic Routing for a Multi-homed Customer
A multi-homed customer is a customer that uses more than one service provider for Internet access. We assume the customer has a substantial network of public IP addresses that must be announced to the public network.
Customers may choose to be multi-homed for resilience, for commercial reasons, or may simply be multi-homed for historical reasons.
Static routing is typically not a good approach for multi-homed clients. Although in principle traffic from the customer sites and the Internet will choose the nearest exit service provider, this approach provides no techniques for tuning the flow of traffic, and troubleshooting is difficult.
Typically eBGP is used in these circumstances, since it maintains isolation of the routing domains, while still providing reachability information. If the customer does not have an AS number for the private network, one may be assigned from the private AS space by the service provider. Normal eBGP peering then takes place between the customer AS and the various service providers’ ASs, through their respective Autonomous System Border Routers (ASBR).
The service providers can now apply BGP policies to the routes learnt from the customer, before importing these into their own IGP. These routes are then propagated across the public network via eBGP peering with other service providers, and are represented as part of the originating ISP’s AS.
The customer may also apply filtering and policy settings to the routes learnt from each ISP through the eBGP peering sessions. This would allow traffic meeting certain criteria to be directed towards a chosen ISP or exit point, for example. The customer must in turn import the routes learnt from eBGP into their IGP, so that these routes are available to their internal routers.
This approach adds significant complexity to the internal customer network over the single-homed case, where default routes can be used.
Figure 19
Routing for Multi-homed Customers
[Diagram: the customer network’s ASBRs peer over eBGP with the ASBRs of ISP1 and of ISP2, both of which connect to the Internet. Customer routes via eBGP go into each service provider IGP; Internet routes via eBGP from each ISP go into the customer IGP.]
4 DESIGN CONSIDERATIONS FOR CONTROL, SCALE AND STABILITY
4.1 Balancing SDH, ATM and IP Restoration
A typical IP service provider network carries IP traffic across some switched Layer 2 technology (often ATM), and this in turn may operate over a resilient physical layer, such as Synchronous Digital Hierarchy (SDH) or a managed optical network.
The responsiveness of these technologies varies greatly:
• SDH restoration across pre-provisioned links takes 50–100 ms
• ATM restoration using backup PVCs or Soft-PVCs takes 100–1000 ms
• IP restoration using routing updates and reconfiguration takes between 1 second and perhaps 30 seconds
Given this spread of responsiveness, it is important that hold-off timers are used to prevent the various restoration schemes working against each other. Otherwise, a fault at the SDH layer might trigger restoration at the SDH, ATM and IP layers simultaneously, and these might work against each other in the overall restoration of traffic.
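An added example, not from the manual: a small Python simulation of layered restoration with hold-off timers, using the restoration times quoted in 4.1 (the upper end of each range, so the model is conservative). The hold-off values and the fault scenarios are constructed.

```python
"""Layered restoration with hold-off timers (added example, constructed scenarios)."""

# Worst-case restoration time (ms) for each layer once it decides to act,
# taken from the ranges quoted in section 4.1, lowest layer first.
LAYERS = [("SDH", 100), ("ATM", 1000), ("IP", 30000)]


def simulate_restoration(holdoff_ms, failed_layers=frozenset()):
    """Simulate one fault, seen by all three layers at t = 0.

    holdoff_ms maps a layer name to the time (ms) it waits before acting; a
    layer not listed acts immediately.  A layer acts only if the fault is still
    present when its hold-off expires.  A layer named in failed_layers acts but
    cannot restore the path (e.g. no protection capacity), leaving the fault to
    the next layer up.  Returns (restored_at_ms or None, [layers that acted])."""
    restored_at = None
    acted = []
    for layer, restore_ms in LAYERS:
        start = holdoff_ms.get(layer, 0)
        if restored_at is not None and restored_at <= start:
            continue  # a lower layer already restored traffic: nothing to do
        acted.append(layer)
        if layer in failed_layers:
            continue
        finish = start + restore_ms
        restored_at = finish if restored_at is None else min(restored_at, finish)
    return restored_at, acted


def recommended_holdoff():
    """Smallest hold-off per layer that still gives every lower layer its full
    worst-case restoration time before the layer above reacts."""
    holdoff = {}
    elapsed = 0
    for layer, restore_ms in LAYERS:
        holdoff[layer] = elapsed
        elapsed += restore_ms
    return holdoff


def holdoff_is_consistent(holdoff_ms):
    """True if each layer's hold-off covers the hold-off plus worst-case
    restoration time of the layer below it, so the schemes never overlap."""
    for (lower, lower_ms), (upper, _upper_ms) in zip(LAYERS, LAYERS[1:]):
        if holdoff_ms.get(upper, 0) < holdoff_ms.get(lower, 0) + lower_ms:
            return False
    return True


if __name__ == "__main__":
    timers = {"ATM": 150, "IP": 1200}  # constructed hold-off values (ms)
    print("SDH protection works:  ", simulate_restoration(timers))
    print("SDH protection fails:  ", simulate_restoration(timers, {"SDH"}))
    print("no hold-off, all react:", simulate_restoration({}))
    print("recommended hold-off:  ", recommended_holdoff())
```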
Figure 20
Comparing Restoration Times
[Diagram: two IP-over-ATM-over-SDH stacks connected at each layer. IP restoration time: 1 s – 30 s; ATM restoration time: 100 ms – 1 s; SDH restoration time: 50 – 100 ms.]
4.2 Isolation of Routing Domains and Traffic Filtering
The filtering of routing updates at both the customer/provider boundary and the boundary between service providers is a key technique in protecting the stability of the service provider network. Various filtering scenarios are discussed below.
4.2.1 BGP Damping
When routes within the Internet are unstable, that instability can propagate through the Internet and remain for some time. Most BGP implementations include a form of damping to contain this effect as close to the source as possible. Typically a route which has changed several times in quick succession is removed from the BGP routing tables of the receiving AS, and not reinstated until some hold-down timer has expired. Although this prevents traffic from being routed to the destination, this maintains stability in the receiving network, and penalises networks that allow route flapping to occur.
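The damping behaviour just described, as an added example rather than the manual’s own code: a per-prefix route flap damper in Python using the penalty, half-life and threshold scheme of RFC 2439. The parameter defaults are the commonly used values (1000 per flap, 15 minute half-life, suppress at 2000, reuse at 750, maximum suppression 60 minutes), and the flap sequence is constructed.

```python
"""Route flap damping for one prefix (added example; parameters and flaps are constructed)."""
import math


class FlapDamper:
    """Damping state for a single prefix learnt from one peer.

    Every flap adds a fixed penalty; the penalty decays exponentially with a
    half-life.  Once it crosses the suppress threshold the route is withdrawn
    from the BGP table, and it is reinstated only when the penalty has decayed
    below the reuse threshold.  The penalty is capped so that suppression can
    never exceed max_suppress seconds (the RFC 2439 scheme)."""

    def __init__(self, penalty_per_flap=1000.0, half_life=900.0,
                 suppress=2000.0, reuse=750.0, max_suppress=3600.0):
        self.penalty_per_flap = penalty_per_flap
        self.half_life = half_life
        self.suppress = suppress
        self.reuse = reuse
        # Highest penalty that still decays to `reuse` within max_suppress.
        self.ceiling = reuse * 2 ** (max_suppress / half_life)
        self.penalty = 0.0
        self.last_update = 0.0
        self.suppressed = False

    def _decay_to(self, now):
        """Apply exponential decay up to time `now` (seconds) and reinstate if due."""
        elapsed = max(0.0, now - self.last_update)
        self.penalty *= 0.5 ** (elapsed / self.half_life)
        self.last_update = now
        if self.suppressed and self.penalty < self.reuse:
            self.suppressed = False

    def flap(self, now):
        """Record a withdrawal/re-announcement at time `now`.
        Returns True if the route is suppressed afterwards."""
        self._decay_to(now)
        self.penalty = min(self.penalty + self.penalty_per_flap, self.ceiling)
        if self.penalty >= self.suppress:
            self.suppressed = True
        return self.suppressed

    def usable(self, now):
        """Whether the route may sit in the BGP routing table at time `now`."""
        self._decay_to(now)
        return not self.suppressed

    def seconds_until_reuse(self, now):
        """Remaining suppression time at `now`, or 0 if the route is usable."""
        if self.usable(now):
            return 0.0
        return self.half_life * math.log2(self.penalty / self.reuse)


def replay(flap_times, check_times, **params):
    """Feed a constructed sequence of flap times to one damper and report
    whether the route is usable at each check time: {check_time: usable}."""
    damper = FlapDamper(**params)
    events = sorted([(t, "flap") for t in flap_times] + [(t, "check") for t in check_times])
    usable_at = {}
    for t, kind in events:
        if kind == "flap":
            damper.flap(t)
        else:
            usable_at[t] = damper.usable(t)
    return usable_at


if __name__ == "__main__":
    # Three flaps a minute apart: the third one crosses the suppress threshold.
    print(replay([0, 60, 120], [130, 1200, 1920]))
```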
4.2.2 Filtering at Peering Points
Filtering of BGP updates across peering points is one of the key methods of controlling the networks transited by specific traffic. By filtering out BGP routes that transit specific ASs, or by removing entries for specific networks, the transit behaviour of traffic can be influenced.
4.2.3 Filtering at the Customer Interface
Where eBGP is used to connect a multi-homed client, it is necessary to apply filters to the routing updates. If this is not done, the service provider may inadvertently allow transit through the customer AS. The normal approach is to permit only the agreed network addresses to be announced into the service provider IGP across the customer/service provider interface.
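An added example, not the manual’s own code: Python versions of the inbound filters of 4.2.2 and 4.2.3, with BGP updates represented as plain dictionaries. The customer prefix 192.168.1.0, private AS 65100 and the ‘allow 192.168.1.0 AS_PATH 65100 / deny all’ policy are taken from Figure 21; the peer AS numbers, the denied-transit list and the private-AS stripping on export (section 3.4) are constructed.

```python
"""Inbound BGP update filters for the customer interface and peering points
(added example; updates and AS numbers other than 65100 are constructed)."""
import ipaddress

# 64512-65534 is the private AS range from which a provider may assign a
# customer AS (section 3.4); such numbers must not leak to the public Internet.
PRIVATE_AS = range(64512, 65535)


def _parse_prefix(text):
    """A valid network prefix, or None (host bits set, bad syntax, ...)."""
    try:
        return ipaddress.ip_network(text, strict=True)
    except ValueError:
        return None


def accept_customer_route(update, customer_as, agreed_prefixes, max_prefixlen=24):
    """Inbound filter on the customer eBGP session (4.2.3).

    Figure 21's policy, 'allow 192.168.1.0 AS_PATH 65100 / deny all': only
    the agreed prefixes are accepted, and only if the AS_PATH consists of the
    customer AS alone (prepending allowed).  Any other AS in the path means the
    customer is offering transit to a third party, which is denied.
    Returns (accepted, reason)."""
    net = _parse_prefix(update.get("prefix", ""))
    if net is None:
        return False, "malformed prefix"
    path = update.get("as_path", [])
    if not path or any(asn != customer_as for asn in path):
        return False, "AS_PATH is not solely the customer AS (transit attempt)"
    agreed = [ipaddress.ip_network(p) for p in agreed_prefixes]
    if not any(a.version == net.version and net.subnet_of(a) for a in agreed):
        return False, "prefix not in the agreed list"
    if net.prefixlen > max_prefixlen:
        return False, "prefix more specific than permitted"
    return True, "agreed prefix originated by the customer AS"


def accept_peer_route(update, peer_as, our_as, denied_transit_as=frozenset()):
    """Inbound filter at a peering point (4.2.2).

    The path must start with the peer we are talking to and must not contain
    our own AS (a loop); routes that transit an AS we do not want to use are
    dropped so that traffic takes another path.  Returns (accepted, reason)."""
    if _parse_prefix(update.get("prefix", "")) is None:
        return False, "malformed prefix"
    path = update.get("as_path", [])
    if not path or path[0] != peer_as:
        return False, "AS_PATH does not start with the peer AS"
    if our_as in path:
        return False, "AS_PATH contains our own AS (routing loop)"
    for asn in path:
        if asn in denied_transit_as:
            return False, f"route transits denied AS {asn}"
    return True, "accepted"


def export_path(as_path, our_as):
    """AS_PATH as announced onward to other providers: our AS is prepended and
    any private AS is stripped, so the customer's routes are represented as
    part of our own AS (section 3.4)."""
    return [our_as] + [asn for asn in as_path if asn not in PRIVATE_AS]


if __name__ == "__main__":
    agreed = ["192.168.1.0/24"]  # from Figure 21
    for upd in ({"prefix": "192.168.1.0/24", "as_path": [65100]},
                {"prefix": "10.0.0.0/8", "as_path": [65100]},
                {"prefix": "192.168.1.0/24", "as_path": [65100, 64600]}):
        print(upd, "->", accept_customer_route(upd, 65100, agreed))
    print(export_path([65100], 1234))
```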
Figure 21
Route Filtering in BGP4
[Diagram: myISP peers over eBGP with a customer in AS65100 that announces 192.168.1.0, and over eBGP with other ASs at its peering points; inbound filtering and outbound filtering are applied on each eBGP session. A route flap on 10.0.0.1 (for example) causes ‘Remove 10.0.0.1 from BGP routing table’ (damping). The inbound filter on the customer session blocks transit:
  > allow 192.168.1.0 AS_PATH 65100
  > deny all]
4.3 Selection of OSPF Areas
The OSPF routing model of a single backbone area and multiple distribution areas interconnected through it fits well with the Internet model of network hierarchy based around a core, distribution and access layer.
A typical design might construct an OSPF area 0 from the set of core routers, with the distribution and access layers partitioned into a further set of areas based upon the traffic matrix. The OSPF routing paradigm then treats traffic according to whether it is within or between areas. Intra-area (typically intra-region) traffic is routed entirely within the area, without passing over the backbone area. Inter-area (typically inter-regional) traffic is always passed across the backbone area.
To keep the processing load manageable on the area routers, most vendors recommend an upper limit of 50–100 routers within an OSPF area.
Figure 22
Designing OSPF Areas
[Diagram: Area 0 is formed from the core routers; Areas 1, 2 and 3 each contain distribution routers and access routers. Inter-area traffic transits Area 0; intra-area traffic stays within its area.]
4.4 The use of Default Routes and Networks for Network Protection
Current Internet routing tables, even with the introduction of CIDR and a more hierarchical allocation of address space, now exceed 140,000 entries, and continue to grow. This size of routing table would be impossible to manage at the lower network levels. Also, by allowing these externally learnt routes explicitly into the IGP, any instability in these routes will also propagate into the IGP.
A better approach is to inject a default route from the various backbone transit routers into the IGP. This will then propagate down to the lower-level routers via the IGP, so that traffic they cannot route directly is passed to the transit routers automatically. In this case, the normal IGP metrics will select the lowest cost transit router, based upon the cost between the access router and the transits (rather than the total cost to egress from the ISP network). These transit routers must also be iBGP peers with the ASBR routers, otherwise they will not be able to select the best route for egress from the ISP network.
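The following is an added illustration of the default-route approach just described; it is not code from the manual. It models the routing table of one access router that holds only its IGP-learnt internal prefixes plus the 0.0.0.0/0 defaults injected by three transit routers, and shows both the nearest-transit selection by IGP cost and the caveat that this is not the same as the cheapest total path to the ISP egress. All prefixes, next hops, costs and the transit-to-egress costs are constructed.

```python
"""Default routes at the access layer (added illustration, not Wray Castle's
code). An access router carries only the internal prefixes it learns from the
IGP plus the 0.0.0.0/0 defaults that the transit routers inject; it never holds
the full external table. All prefixes, next hops and costs are constructed."""
from ipaddress import ip_address, ip_network

# Constructed IGP routing table of one access router: (prefix, next hop, IGP cost).
# The three 0.0.0.0/0 entries are the defaults injected by transit routers
# T1, T2 and T3; the cost is the IGP cost from this router to that transit.
IGP_RIB = [
    ("10.1.0.0/16", "10.1.255.254", 10),   # regional aggregate (distribution layer)
    ("10.1.5.0/24", "10.1.5.1", 5),        # directly attached customer network
    ("0.0.0.0/0", "10.0.0.1", 30),         # default via transit T1
    ("0.0.0.0/0", "10.0.0.2", 20),         # default via transit T2 (nearest by IGP cost)
    ("0.0.0.0/0", "10.0.0.3", 45),         # default via transit T3
]

# Constructed cost from each transit router to the eventual ISP egress point.
# The IGP never sees this; only iBGP at the transit routers knows the best exit.
TRANSIT_EGRESS_COST = {"10.0.0.1": 5, "10.0.0.2": 50, "10.0.0.3": 8}


def lookup(rib, dst):
    """Longest-prefix match; among equal-length prefixes pick the lowest IGP cost.

    Returns a dict with the matching prefix, next hop and cost, or None when
    nothing matches (which cannot happen while a default route is present)."""
    addr = ip_address(dst)
    best = None
    for prefix, nexthop, cost in rib:
        net = ip_network(prefix)
        if addr not in net:
            continue
        rank = (net.prefixlen, -cost)       # longer prefix first, then cheaper
        if best is None or rank > best[0]:
            best = (rank, prefix, nexthop, cost)
    if best is None:
        return None
    _, prefix, nexthop, cost = best
    return {"prefix": prefix, "nexthop": nexthop, "cost": cost}


def withdraw_default(rib, transit):
    """Return the table after one transit router stops injecting its default."""
    return [e for e in rib if not (e[0] == "0.0.0.0/0" and e[1] == transit)]


def nearest_vs_best_egress(rib, dst):
    """Show the caveat in the text: the IGP picks the nearest transit by IGP
    cost, which is not necessarily the transit with the cheapest total path to
    the ISP egress (IGP cost + cost from transit to egress)."""
    chosen = lookup(rib, dst)["nexthop"]
    totals = {nh: cost + TRANSIT_EGRESS_COST[nh]
              for p, nh, cost in rib if p == "0.0.0.0/0"}
    best_total = min(totals, key=totals.get)
    return {"igp_choice": chosen, "best_total": best_total, "totals": totals}
```

With the table above, an external destination such as 198.51.100.10 matches only the defaults and is sent to 10.0.0.2 (IGP cost 20), although 10.0.0.1 would have the cheapest total path once the transit-to-egress cost is counted; if 10.0.0.2 withdraws its default, the IGP falls back to 10.0.0.1 without any change at the access router.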
Figure 23
The Use of Default Routes in Service Provider Networks
(Figure: myISP's ASBRs peer by eBGP with ASxxxx and ASyyyy, and by iBGP into the service provider's core routers. Each of these routers advertises "0.0.0.0 via me" into the IGP, which carries the default down to the distribution routers.)
4.5 Route Reflectors and BGP Confederations for Scaling iBGP
4.5.1 Route Reflectors
The operation of iBGP can place considerable strain on routers participating in BGP peering. The basic operation of BGP prevents an iBGP speaker from passing on routes learnt from another iBGP peer, so normally a full mesh topology is required. The use of BGP Route Reflectors converts this topology from a full mesh to a hub and spoke topology, where each iBGP router peers with a central iBGP peer; as a result the number of peering sessions is greatly reduced.
Route reflectors treat the routers that peer with them as clients, although the clients themselves need no special configuration. Even a simple topology with all iBGP handled through a route reflector should have logical and physical redundancy incorporated into the design, as shown in Figure 24.
4.5.2 Confederations
A BGP confederation is an alternative approach to scaling the iBGP process. In this case, the original AS is divided into sub-ASs, and each is typically allocated a private AS number.
Within each sub-AS, iBGP is used in a full mesh topology. Between the sub-ASs, eBGP is used, and the private AS numbers are used in these sessions. Peering between the confederation and other public ASs is via eBGP, using the (public) confederation AS number.
Both route reflectors and confederations are methods of scaling iBGP. Confederations can also be used when networks are combined or consolidated into a larger AS. Neither approach need affect the external appearance or peering behaviour of the network.
Figure 24
Route Reflectors and Confederations
(Figure, top, "iBGP Route Reflectors": within AS1234 four iBGP clients each peer with a pair of BGP route reflectors, and the AS has eBGP sessions to its external peers. Figure, bottom, "iBGP Confederation": the same AS1234 is divided into sub-ASs AS65100 and AS65101, which peer with each other by eBGP using the private AS numbers, while external eBGP peers still see AS1234.)
4.6 IP Traffic Management using BGP4 Techniques
BGP has several techniques to allow the flow of traffic towards and across an eBGP peering point to be modified. Reachability is carried in the AS_PATH attribute of each route, and so most tuning of traffic flows using BGP involves altering the path attributes exchanged between ASs. Path attributes can be modified before being sent, or after receipt. There are three common techniques. By removing, before they are sent across an eBGP session, the routes whose AS paths contain particular AS numbers, an AS can avoid offering transit for this traffic to other ASs. The other two, path pre-pending and specific route injection, are discussed overleaf.
Figure 25
BGP Traffic Engineering Techniques
(Figure: AS1 originates 192.168.1.0/24 with AS_PATH 1 to both AS2 and AS4. AS2 passes it to AS3 with AS_PATH 2 1; AS3 announces AS_PATH 3 2 1 to the Internet and AS4 announces AS_PATH 4 1. All traffic for 192.168.1.0 arrives via AS4, the shorter path.)
4.6.1 Path Pre-pending
By pre-pending its own AS number (one or more extra times) to the BGP path for particular networks, an ISP can negatively bias the ISPs receiving these announcements against sending traffic for this ISP via them. This approach can modify the flow of ingress traffic at this peering point, but can make Internet routing very sub-optimal.
Figure 25 (continued)
BGP Traffic Engineering Techniques
(Figure: with path pre-pending, AS1 announces 192.168.1.0/24 to AS4 with AS_PATH 1 1 1, so AS4 announces AS_PATH 4 1 1 1 to the Internet, while the path via AS2 and AS3 remains AS_PATH 3 2 1. The Internet now prefers the shorter path via AS3, and all traffic arrives that way.)
4.6.2 Specific Route Injection
BGP route selection always prefers a longer prefix match over a shorter AS path. Therefore by injecting a more specific route into eBGP announcements, it is possible to attract traffic for this destination network across the peering point. This approach has a high administrative overhead, however, and works against address aggregation and CIDR.
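The three Figure 25 scenarios (plain announcement, path pre-pending in 4.6.1 and specific route injection in 4.6.2) can be worked through with a small path-selection model. This is an added example, not code from the manual: it implements only the steps the text relies on (the receiving speaker rejects an AS_PATH that already contains its own AS, the longest matching prefix wins, and among equal prefixes the shortest AS_PATH wins); the later BGP tie-breakers (MED, IGP cost, router ID) are omitted, and AS 5 for the figure's "Internet" router is a constructed number.

```python
"""BGP best-path selection for the three Figure 25 scenarios (added
illustration, not the manual's code). Only the steps the text relies on are
modelled: a receiving speaker rejects any AS_PATH that already contains its
own AS (standard loop prevention), the longest matching prefix wins, and among
equal prefixes the shortest AS_PATH wins. Later BGP tie-breakers (MED, IGP
cost, router ID) are omitted. AS 5 for the 'Internet' router is constructed."""
from ipaddress import ip_address, ip_network

INTERNET_AS = 5   # constructed AS number for the Figure 25 'Internet' router


def advertise(as_path, my_as, prepend=0):
    """AS_PATH as sent to an eBGP neighbour: our AS once, plus 'prepend' extra copies."""
    return [my_as] * (1 + prepend) + list(as_path)


def accept(local_as, announcements):
    """Drop announcements whose AS_PATH already contains our AS (loop prevention)."""
    return [a for a in announcements if local_as not in a["as_path"]]


def best_route(local_as, announcements, dst):
    """Longest prefix match first, then shortest AS_PATH; None if unreachable."""
    addr = ip_address(dst)
    ranked = []
    for a in accept(local_as, announcements):
        net = ip_network(a["prefix"])
        if addr in net:
            ranked.append(((net.prefixlen, -len(a["as_path"])), a))
    if not ranked:
        return None
    ranked.sort(key=lambda item: item[0], reverse=True)
    return ranked[0][1]


def egress(local_as, announcements, dst):
    """Which neighbour the Internet router forwards traffic for dst to."""
    route = best_route(local_as, announcements, dst)
    return None if route is None else route["via"]


# Scenario 1 (Figure 25, plain): AS1 originates 192.168.1.0/24 to AS2 and AS4.
# AS2 -> AS3 -> Internet gives AS_PATH 3 2 1; AS4 -> Internet gives AS_PATH 4 1.
BASELINE = [
    {"prefix": "192.168.1.0/24", "as_path": advertise(advertise([], 1), 4), "via": "AS4"},
    {"prefix": "192.168.1.0/24", "as_path": advertise(advertise(advertise([], 1), 2), 3), "via": "AS3"},
]

# Scenario 2 (4.6.1): AS1 pre-pends itself twice on the AS4 side (AS_PATH 1 1 1),
# so the Internet sees AS_PATH 4 1 1 1 via AS4 against AS_PATH 3 2 1 via AS3.
PREPENDED = [
    {"prefix": "192.168.1.0/24", "as_path": advertise(advertise([], 1, prepend=2), 4), "via": "AS4"},
    BASELINE[1],
]

# Scenario 3 (4.6.2): AS1 additionally injects the more specific 192.168.1.8/29
# towards AS2 only; the Internet sees it as AS_PATH 3 2 1 via AS3.
SPECIFIC = BASELINE + [
    {"prefix": "192.168.1.8/29", "as_path": advertise(advertise(advertise([], 1), 2), 3), "via": "AS3"},
]
```

Run against the three tables, `egress` returns AS4 for the plain case, AS3 once AS1 has pre-pended, and, with the /29 injected, AS3 for 192.168.1.10 but still AS4 for 192.168.1.100. Because the more specific prefix wins regardless of AS_PATH length, the /29 draws its traffic however far it has travelled; that is the administrative cost the text warns of, and the reason operators keep explicit control over which prefixes they accept and announce at each peering point.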
Figure 25 (continued)
BGP Traffic Engineering Techniques
(Figure: with specific route injection, AS1 announces 192.168.1.0/24 with AS_PATH 1 to AS4 (seen by the Internet as AS_PATH 4 1) and additionally announces the more specific 192.168.1.8/29 with AS_PATH 1 to AS2, which reaches the Internet via AS3 as AS_PATH 3 2 1. Traffic for 192.168.1.8/29 arrives via AS3; the remaining 192.168.1.0/24 traffic still arrives via AS4.)
5 SECTION 3 QUESTIONS

1 Describe the main functions carried out in the core, distribution and access layers of a service provider IP network.

2 An IXP mainly offers:
a the ability to host application servers to smaller ISPs
b the ability to outsource network operations
c the ability to interconnect with other ISPs in a shared facility
d the ability to access the overall Internet backbone, operated by the NSF

3 Routing tables may be populated:
a statically
b dynamically
c neither, routes are learnt from routing protocols running in the network
d both a and b

4 OSPF is an example of:
a a traditional IGP, which does not scale well
b a traditional EGP, which does not scale well
c a modern IGP, which scales well
d a modern EGP, which scales well

5 BGP4 is an example of:
a a protocol that exchanges reachability information between autonomous systems
b a protocol that allows policy control across peering points
c a protocol that allows the control of traffic flows through tuning of its routing metrics
d all of the above
6 Routing across the customer/service provider routing domain should adhere to the following principles:
a use a dynamic routing protocol where possible across the customer/service provider interface, to minimize administrative work
b avoid dynamic routing across the customer/service provider interface, unless the size or complexity of the customer network demands it
c always import and export the maximum number of routes between the customer and service provider, so that customer routers can always forward packets successfully
d always allocate a private AS number to customer networks, so that eBGP can operate across the customer/service provider interface

7 BGP implementations within an AS can be made more scalable by the use of:
a BGP path pre-pending
b BGP route filtering
c OSPF areas
d BGP route reflectors
SECTION 4
FUTURE DIRECTIONS IN IP
ENGINEERING
SECTION CONTENTS

1 IP QoS Technologies 4.1
1.1 What is Quality of Service (QoS)? 4.1
1.2 Why QoS is Important 4.3
1.3 What Causes Poor QoS? 4.3
1.4 Where do Packet Loss and Delay Occur? 4.3
1.5 QoS Approaches in IP Networks 4.5
1.6 The Overcapacity Approach 4.5
1.7 IETF Approach to IP QoS 4.7
1.8 Integrated Services Model 4.7
1.9 Resource Reservation Protocol (RSVP) 4.9
1.10 Differentiated Services Model (DiffServ) 4.11
1.11 IP over ATM QoS 4.13
1.12 QoS in MPLS Networks 4.15

2 IP Virtual Private Networks (VPN) 4.17
2.1 What is a VPN? 4.17
2.2 Tunnelling 4.17
2.3 VPN Applications: Intranets, Extranets and Remote Access 4.19
2.4 Types of VPN 4.21
2.5 MPLS-based IP-VPN Motivation 4.23
2.6 Architecture of MPLS-based IP-VPNs 4.25
2.7 MPLS VPN Operation 4.27
2.8 Motivation for Encryption-based IP-VPNs 4.29
2.9 Secret Key Cryptography 4.31
2.10 Public Key Cryptography (PKC) 4.31
2.11 IPSec Operation 4.33
2.12 IPSec Gateway Location 4.35
2.13 Products Supporting IPSec 4.35
3 Security Engineering 4.39
3.1 The Basics 4.39
3.2 Quantifying the Risk 4.41
3.3 Basic Countermeasures 4.43
3.4 Other Countermeasures – Security Appliances 4.45
3.5 Other Countermeasures – Software Solutions 4.47
3.6 Proportionality of Countermeasures 4.49
3.7 Case Study 1 – Enabling B2B and B2C Communications 4.51
3.8 Case Study 2 – Enabling B2C Transactions 4.53
3.9 Case Study 3 – Mobile Computing 4.55

4 IPv6 4.57
4.1 Motivation for IPv6 Development 4.57
4.2 IPv4/IPv6 Co-existence 4.59
4.3 IPv6 Product Availability 4.59

5 Mobility 4.61
5.1 Public Service Wireless LANs 4.61
5.2 The IETF Architecture for Mobile IP 4.63

6 Section 4 Questions 4.65
1 IP QOS TECHNOLOGIES

1.1 What is Quality of Service (QoS)?
The ITU has defined both Quality of Service (QoS) and Network Performance as important measures of communications effectiveness. In their model QoS is concerned with the experience of users of the service, while network performance is concerned purely with the network, rather than end equipments or subjective measures. However, the general models have not been well developed for connectionless networks such as IP, for the reasons discussed below. QoS measures can be applied to aspects such as the availability of a service on a long-term basis. The focus in this section will be on the short-term performance of the network for a particular flow of traffic.
QoS is easily measured and engineered in circuit-switched networks, partly because of many years of experience in doing it, but mainly because circuit switching is relatively simple to analyze and measure. Generally the QoS is characterized for each phase of a call, namely connection set-up, user information transfer and connection tear-down. Measures such as Post Dial Delay (PDD) and Grade of Service (GoS) are well-established and effective measures of the performance of a circuit-switched network in the call set-up phase, and because a hard resource reservation is made when a voice circuit is seized, performance in the user information transfer phase is dominated by the Bit Error Rate (BER) of the transmission system.
Virtual circuit technologies present additional challenges in measuring QoS. The three phases used in circuit switching still apply, and so measures such as PDD and GoS can still be used to assess the quality of the call set-up phase in Broadband ISDN networks, for example. However the packet-switched information transfer phase introduces new complications, such as lost packets, misdelivered packets, delay and delay variation. The ATM model also makes hard resource reservations when a virtual circuit is established (at least for the higher priority services), and so by making the correct planning assumptions, and running effective Connection Admission Control (CAC) in the network when calls are offered, an ATM network can meet any necessary QoS performance required of it.
Connectionless technologies, such as IP, no longer have the set-up and tear-down phases that occur for real in virtual circuit switching. Because there is no concept of a circuit in an IP network, there can be no reservation of resources on a per-circuit basis. Therefore traditional IP networks have been unable to offer any meaningful QoS guarantees, because the techniques to engineer QoS were not available within the architecture.
1.2 Why QoS is Important
Different applications place different requirements upon the QoS available from a network as it carries user traffic. Real-time interactive applications such as voice and videoconferencing require very low delay and delay variation, but will tolerate significant packet loss within the network. Non-real-time applications such as file transfers will accept significant delay and delay variation but are intolerant of packet loss that is not recovered.
1.3 What Causes Poor QoS?
Lack of resources within the network to meet demand is the cause of poor QoS. In the circuit-switched case, insufficient call handling capacity or bearer capacity leads to blocked calls.
In an IP network, congestion at the routers can cause increased delay, increased delay variation and dropped packets. If packets do not experience congestion, then they will achieve the best performance possible with the network.
1.4 Where do Packet Loss and Delay Occur?
In most cases, network congestion occurs at the edge of the network, rather than in the core. It is typically at the edge of the network that bandwidth is most constrained. This may be because of the high cost of access bandwidth to the service provider Point of Presence (PoP), or high contention ratios in the distribution network.
Figure 2
The Causes of Poor QoS
(Figure: from the user through the customer router, access router, distribution router and core router, bandwidth increases and congestion decreases. Packets are dropped on the low bandwidth access link and where contention ratios are high in the distribution network; elsewhere they pass OK.)
1.5 QoS Approaches in IP Networks
There are three main approaches to avoiding congestion in IP networks:
• overcapacity
• integrated services
• differentiated services
1.6 The Overcapacity Approach
The overcapacity approach simply relies on planning to have excess capacity that provides headroom within the network, and so avoids congestion. Most Internet backbones rely on this overcapacity approach to achieve very low packet loss, and delay close to the physical propagation limits.
This approach has been strongly advocated by Internet ‘purists’, who dislike the move away from the dumb network, smart host model of IP networks, which other QoS approaches represent. However there are issues with this approach:
• the overcapacity model works well when network demand is growing strongly; by commissioning capacity a few months earlier than necessary, the network maintains the necessary headroom to operate without loss or delay
• conversely, when growth is not strong, this overcapacity is expensive
• overcapacity works well in the core of the network, but is difficult to provide on expensive access circuits
• the overcapacity model works well with large numbers of independent traffic flows (as in the core), but works less well with a smaller number of flows, which are not independent (as at the access layer)
• the overcapacity model may work well in ‘normal’ operating conditions, but in extreme conditions, it is impossible to protect critical traffic, since there is no way to distinguish it from other traffic
Figure 3
The Overcapacity QoS Model
(Figure: network capacity plotted against time, by quarter from Q1 2003 to Q2 2005, with the supply forecast stepped ahead of the demand forecast.)
1.7 IETF Approach to IP QoS
Two methods of providing QoS on the Internet have been proposed by the IETF. The first uses the Resource Reservation Protocol (RSVP) and is known as the Integrated Services (IntServ) architecture. The second is known as Differentiated Services (DiffServ). Both approaches rely upon altering the Per Hop Behaviours (PHBs) of routers forwarding IP traffic. However, whereas DiffServ simply sets up categories of traffic in the routers, and classifies packets into one of these categories for proper handling, IntServ uses a signalling protocol to request the reservation of resources on a flow-by-flow basis.
1.8 Integrated Services Model
The Integrated Services Model uses a protocol called RSVP for a call set-up process in which users request bandwidth and QoS. The routers in the network respond as to whether they have sufficient resources. Processing is required within each router from source to destination, and each packet sent by the source is monitored to ensure that the source does not exceed the agreed traffic specification. Each packet has attached to it a flow identifier, which is analyzed by each router it traverses so as to identify the packet as one for which bandwidth has been reserved.
Figure 4
The Integrated Services QoS Model
(Figure: an individual user's flow from source to destination, with resources reserved across the networks it crosses; the two IntServ service types are Guaranteed QoS and Controlled Load.)
1.9 Resource Reservation Protocol (RSVP)
RSVP has two fundamental message types for reserving QoS: the PATH and RESV messages. PATH messages are sent towards the receiver in order to store path state in each node along the way. RESV messages are sent from the receiver towards the sender, following the reverse of the route taken by the PATH message. They create and maintain reservation state in each node towards the sender.
1.9.1 PATH Message
The source sends out a PATH message requesting a certain Reserved Rate, R. Each router and switch between source and destination examines the PATH message and estimates the delay that it would cause to traffic if the connection specified in the PATH message was established. These delays are accumulated as the PATH message traverses the network.
1.9.2 RESV Message
By the time the PATH message has reached the destination, it contains the accumulated total of all the nodal delays. The destination can then calculate the end-to-end delay and send a RESV message back to the source with the requested QoS. If the destination can accept a longer delay, it can inform the network about this by setting a slack term, S, in seconds. In return, the destination would expect the network operator to give a discounted price. The RESV message contains a flowspec which has two parameters, an Rspec and a Tspec.
1.9.3 Have We Created a Virtual Circuit?
The IntServ model using RSVP mimics some of the behaviour of circuit switching. It allows the path through the network to be established and stored for each signalled flow, and it makes a resource reservation for that flow at each router. The concept of a connection has been imposed upon the connectionless IP network.
The main difference between this approach and a virtual circuit is that the path taken is still controlled by routing protocols in the IP network. Therefore if the network decides that traffic should be rerouted, the RSVP messages will request reservations on the new routers they cross. A reservation will expire if new messages are not received to renew it, hence the continuous flow of signalling that is required in the RSVP model¹.

¹ This approach is known as soft state, to distinguish it from the hard state of traditional circuit switching or virtual circuit switching.
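The PATH/RESV exchange of 1.9.1 and 1.9.2, together with the soft-state expiry described above, can be simulated along the chain of Figure 5. This is an added example and not code from the manual: the source, router and receiver addresses and the UDP port are those shown in Figure 5, while the per-hop delay estimates, the delay the receiver requires, the reserved rate and the reservation lifetime are constructed values, and time is an integer counter rather than a clock.

```python
"""RSVP PATH/RESV exchange with soft state along the Figure 5 chain (added
illustration, not the manual's code). The addresses and UDP port come from
Figure 5; the per-hop delay estimates, the required delay and the refresh
lifetime are constructed. Time is an integer counter, not wall-clock."""

SOURCE, RECEIVER, UDP_PORT = "134.199.200.20", "158.20.2.7", 1234
FLOW = (SOURCE, RECEIVER, UDP_PORT)       # flow identifier carried by every message
LIFETIME = 30                             # reservation lifetime without refresh (constructed)


class Router:
    def __init__(self, addr, hop_delay_ms):
        self.addr = addr
        self.hop_delay_ms = hop_delay_ms  # delay this node estimates it would add
        self.path_state = {}              # flow -> previous hop the PATH arrived from
        self.reservations = {}            # flow -> (reserved rate, expiry time)

    def expire(self, now):
        """Soft state: drop any reservation (and its path state) not refreshed in time."""
        for flow, (_, expires) in list(self.reservations.items()):
            if expires <= now:
                del self.reservations[flow]
                self.path_state.pop(flow, None)


def make_chain():
    """Two routers between source and receiver, as drawn in Figure 5 (delays constructed)."""
    return [Router("134.199.200.1", 4), Router("158.20.2.1", 6)]


def send_path(chain, flow, tspec):
    """Source -> receiver: each router stores path state and adds its delay estimate."""
    msg = {"flow": flow, "tspec": tspec, "adspec_delay_ms": 0, "prev_hop": flow[0]}
    for router in chain:
        router.path_state[flow] = msg["prev_hop"]
        msg["adspec_delay_ms"] += router.hop_delay_ms
        msg["prev_hop"] = router.addr             # PATH now appears to come from this router
    return msg                                     # what the receiver sees


def send_resv(chain, flow, flowspec, now, last_hop):
    """Receiver -> source along the stored path state, reserving at each router.

    Returns the list of addresses the RESV was sent to, hop by hop."""
    hops, nexthop = [], last_hop
    for router in reversed(chain):
        hops.append(nexthop)
        if flow not in router.path_state:
            raise LookupError(f"{router.addr} has no path state for {flow}")
        router.reservations[flow] = (flowspec["rspec"]["rate"], now + LIFETIME)
        nexthop = router.path_state[flow]
    hops.append(nexthop)                          # final RESV reaches the source
    return hops


def run_flow(chain, rate, required_delay_ms, now):
    """Full exchange: PATH out, receiver computes delay and slack, RESV back."""
    path = send_path(chain, FLOW, tspec={"rate": rate})
    delay = path["adspec_delay_ms"]
    if delay > required_delay_ms:
        return {"delay_ms": delay, "admitted": False}   # receiver declines to reserve
    flowspec = {"rspec": {"rate": rate, "slack_ms": required_delay_ms - delay},
                "tspec": path["tspec"]}
    hops = send_resv(chain, FLOW, flowspec, now, last_hop=path["prev_hop"])
    return {"delay_ms": delay, "admitted": True,
            "slack_ms": flowspec["rspec"]["slack_ms"], "resv_hops": hops}


def reserved_at(chain, now):
    """Addresses of routers still holding a live reservation for FLOW at time now."""
    for router in chain:
        router.expire(now)
    return [r.addr for r in chain if FLOW in r.reservations]
```

The RESV hops come out as 158.20.2.1, then 134.199.200.1, then 134.199.200.20, matching the three RESV messages drawn in Figure 5; the slack is reported in milliseconds here rather than the seconds of the text. Calling `run_flow` again before the lifetime passes is the periodic refresh, and `reserved_at` after the lifetime shows the soft state disappearing when the refresh stops.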
Figure 5
RSVP Operation
(Figure: source 134.199.200.20, router 134.199.200.1, router 158.20.2.1, receiver 158.20.2.7.)
PATH messages, source towards receiver, each carrying Dest: 158.20.2.7, UDP Port 1234 and the Tspec; the Source field holds the previous hop at each stage: 134.199.200.20, then 134.199.200.1, then 158.20.2.1.
RESV messages, receiver back along the reverse path, each carrying Flowspec (Rspec, Tspec): RESV UDP to 158.20.2.1, then RESV UDP to 134.199.200.1, then RESV UDP to 134.199.200.20.
1.10 Differentiated Services Model (DiffServ)
The DiffServ architecture does not include a signalling mechanism such as RSVP, and does not reserve resources for individual flows. Instead a set of Classes of Service (CoS) is designed for the network, and router resources are apportioned to these classes. So, for example, a network operator might implement gold, silver and bronze CoS which can be sold to customers.
By configuring the queuing behaviour of the routers within the network, it is possible to give priority to packets in the gold category over those in the silver, and to those in the silver over those in the bronze. Queuing algorithms also allow a guaranteed portion of the available output bandwidth on any port to be allocated to one of the CoS. So, for example, 20% of the available bandwidth might be guaranteed for the gold class. If more bandwidth is required, the non-guaranteed bronze bandwidth can be taken. However if the gold class required more than 70% of the available bandwidth, this could not be provided, because this would violate the silver guarantee (30%). All unused bandwidth is available for other classes as required. So in the example in Figure 6, when silver no longer needs its allocation, this is available for gold (or bronze) to use.
To allow routers to recognize which category a packet belongs to, it must be tagged as belonging to the gold, silver or bronze class. This is done as the packet enters the DiffServ network, by packet classifiers. These classifiers are configured to recognize traffic from particular addresses, or on particular TCP or UDP ports, as belonging to one of the three classes.
The DiffServ CoS for a packet is carried in the IPv4 datagram Type of Service (ToS) byte, which has been re-designated the Differentiated Services (DS) field for this purpose.
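The classifier table and the gold/silver/bronze per-hop behaviour of Figure 6 can be expressed directly in code. The following is an added example, not code from the manual: the classifier picks the most specific matching rule (so the site-to-site rules override the wildcard Internet rules for the same port), writes the class into the DS field, and the bandwidth-sharing function reproduces the 20%/30%/unassigned arithmetic of the text. The site address ranges, the UDP port range taken to be RTP, the DSCP code point chosen for each class and the default class for unmatched traffic are all assumptions; the manual gives only the table and the shares.

```python
"""DiffServ edge classification and per-hop bandwidth sharing for the
gold/silver/bronze design of Figure 6 (added illustration, not the manual's
code). The site address ranges, the UDP port range taken to be RTP, the DSCP
code point chosen for each class and the default class for unmatched traffic
are assumptions; the manual gives only the classifier table and the shares."""
from ipaddress import ip_address, ip_network

SITE_A = ip_network("10.1.0.0/16")          # constructed: corp. site A
SITE_B = ip_network("10.2.0.0/16")          # constructed: corp. site B
RTP_PORTS = (16384, 32767)                  # assumed UDP range used for RTP voice
DEFAULT_COS = "bronze"                      # assumed class for traffic matching no rule
ANY = None                                  # wildcard for a rule field

# Classifier rules as in the Figure 6 table: (from, to, proto, port, CoS).
RULES = [
    (ANY, ANY, "tcp", 80, "bronze"),        # Internet WWW
    (ANY, ANY, "tcp", 21, "bronze"),        # Internet FTP
    (ANY, ANY, "tcp", 110, "bronze"),       # Internet POP3 e-mail
    (SITE_A, SITE_B, "tcp", 80, "silver"),  # Intranet WWW
    (SITE_A, SITE_B, "udp", "rtp", "gold"), # Corporate VoIP
]

# DSCP per class (assumed): EF for gold, AF31 for silver, default forwarding for bronze.
DSCP = {"gold": 46, "silver": 26, "bronze": 0}

# Per-hop behaviour from Figure 6: guaranteed share of the output port, and
# strict priority order for any bandwidth left over.
GUARANTEE = {"gold": 20, "silver": 30, "bronze": 0}
PRIORITY = ["gold", "silver", "bronze"]


def classify(src, dst, proto, port):
    """Most-specific matching rule wins, so the site-to-site rules override the
    wildcard Internet rules for the same port; unmatched traffic gets DEFAULT_COS."""
    best_cos, best_score = DEFAULT_COS, -1
    for r_src, r_dst, r_proto, r_port, cos in RULES:
        score = 0
        if r_src is not ANY:
            if ip_address(src) not in r_src:
                continue
            score += 1
        if r_dst is not ANY:
            if ip_address(dst) not in r_dst:
                continue
            score += 1
        if r_proto != proto:
            continue
        if r_port == "rtp":
            if not RTP_PORTS[0] <= port <= RTP_PORTS[1]:
                continue
        elif r_port != port:
            continue
        score += 1
        if score > best_score:
            best_cos, best_score = cos, score
    return best_cos


def ds_byte(cos):
    """Value written into the IPv4 ToS byte: DSCP in the top six bits, ECN bits zero."""
    return DSCP[cos] << 2


def share(demand):
    """Bandwidth (% of the port) granted to each class for a given demand.

    Guarantees are honoured first; unused bandwidth then goes to the classes
    in priority order. Gold can therefore grow to 70% while silver uses its
    30%, and beyond that when silver is idle, exactly as the text describes."""
    granted = {c: min(demand.get(c, 0), GUARANTEE[c]) for c in PRIORITY}
    spare = 100 - sum(granted.values())
    for c in PRIORITY:
        extra = min(demand.get(c, 0) - granted[c], spare)
        granted[c] += extra
        spare -= extra
    return granted
```

With gold demanding 80%, silver 30% and bronze 50%, `share` grants gold 70%, silver its guaranteed 30% and bronze nothing; with silver idle, gold gets its full 80% and bronze the remaining 20%. Because the classifier trusts the 5-tuple rather than any DS value already in the packet, marking is applied (and re-applied) at the edge, which is where the text places the classifiers.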
Figure 6
The Differentiated Services QoS Model
(Figure: gold, silver and bronze bandwidth utilization, in % bandwidth against time, on the DiffServ routers between Site A and Site B, with a DiffServ packet classifier at the network edge.)

Packet classifier table:
from           to             port      CoS      Comment
*.*.*.*        *.*.*.*        tcp/80    bronze   Internet WWW
*.*.*.*        *.*.*.*        tcp/21    bronze   Internet FTP
*.*.*.*        *.*.*.*        tcp/110   bronze   Internet POP3 e-mail
corp. site A   corp. site B   tcp/80    silver   Intranet WWW
corp. site A   corp. site B   udp/rtp   gold     Corporate VoIP

Per hop behaviour:
Category   Priority   % Bandwidth
Gold       High       20 %
Silver     Medium     30 %
Bronze     Low        unassigned
1.11 IP over ATM QoS
1.11.1 ATM Class of Service (CoS)
ATM has Classes of Service which allow predictable performance to be achieved for a wide range of requirements. Although other classes are available, most public service ATM networks limit the CoS available to Constant Bit Rate, Variable Bit Rate and Unspecified Bit Rate.
1.11.2 QoS mapping between IP and ATM
With the introduction of IntServ and DiffServ, IP and ATM each have QoS mechanisms.
ATM Permanent Virtual Circuits (PVCs) allow traffic to be carried on trunk connections, without the need to set up connections through ATM signalling. Each PVC has a category of service, which defines the QoS to be expected from the connection.
ATM Switched Virtual Connections (SVCs) allow circuits to be set up and disconnected on demand using ATM signalling, and with a CoS to meet the QoS parameters of the connection being requested.
The IP DiffServ architecture allows reservations of bandwidth to be made for each CoS being carried by the network, without the need to signal each flow.
The IntServ architecture provides a signalling mechanism rather like ATM signalling, which allows reservations to be set up on demand for particular flows through the network.
Public ATM networks almost unanimously use a PVC-only model of service, and do not support user-network signalling to set up ATM connections on demand. Furthermore, the IP network operators have unanimously preferred the DiffServ model to the IntServ model for providing QoS in IP networks. And finally, the signalling models of ATM and RSVP are fundamentally different; ATM assumes a sender-initiated connection, whereas RSVP assumes a receiver-initiated connection.
For these reasons, approaches that involve service interworking between IntServ and ATM signalling have not been deployed, and IP over ATM approaches are based upon combinations of DiffServ, ATM PVCs and packet classification.
Figure 7
IP over ATM QoS Models
(Figure, top, "ATM PVC and DiffServ Interworking": DS packets carrying a DS pattern pass through a packet classifier to an Interworking Function (IWF), which provides Class of Service to Category of Service mapping onto ATM PVCs. Figure, bottom, "ATM SVC and IntServ Interworking": RSVP path and resv messages reach an IWF that must provide signalling interworking with ATM SVCs.)
IWF Functions: DS code to ATM CoS mappings; IP to ATM adaptation functions; IP address to PVC mappings; (RSVP to ATM signalling mapping).
1.12 QoS in MPLS Networks
MPLS technology was designed to support the IP QoS techniques. The MPLS header has a field designed to carry the CoS value from IP packets.
MPLS allows Label Switched Paths (LSPs) to be set up in a variety of ways, including by signalling using RSVP, and by manual configuration.
The manual configuration of MPLS LSPs is similar to the PVC approach of ATM, and the signalling approach of MPLS using RSVP is similar to the RSVP signalling approach of the IntServ architecture, or the signalling approach of ATM.
Although an MPLS core network could establish LSPs for each flow of traffic on demand (the equivalent of ATM virtual circuits), instead it typically operates more like DiffServ, by providing a trunk connection between the edges of the network, and guaranteeing the delay, delay variation and loss performance of that trunk for all traffic carried across it.
Public network operators generally see MPLS technology as a way to provide reliable, controlled forwarding of IP traffic. Normally a separate trunk connection is provided between the edges of the MPLS network for each CoS being carried by the service provider. When MPLS implements QoS in this way, then instead of one Forwarding Equivalence Class (FEC) for a set of IP addresses, there are multiple FECs, one per CoS, to this group of addresses. This also means that the MPLS Label Switched Routers (LSRs) do not need to consider QoS when forwarding packets, making their operation simpler.
Packet classifiers in the LSRs at the edge of the network place traffic into the correct FEC (and hence trunk) within the MPLS network by classifying packets as in the DiffServ architecture. If the packets have already been classified (perhaps because DiffServ has operated at the edge of the network), then the DiffServ codes would be mapped into the appropriate FEC.
Setting up and managing the MPLS trunks that provide this service effectively is itself a complex task, known as traffic engineering.
Figure 8
QoS in MPLS Networks
(Figure: corp. site A (192.168.*.*) and corp. site B (10.2.*.*) are connected through an edge-LSR acting as the MPLS ‘packet classifier’ and a core of LSRs, with separate bronze, silver and gold LSPs across the core. The classifier table has the columns from, to, port, CoS and FEC: Internet traffic (*.* to *.*, tcp/*) is placed in bronze; corp. site A to corp. site B tcp/21 and udp/rtp flows are placed in silver and gold; the three classes map to FECs 24, 25 and 26.)
2.1 What is a VPN?
The answer to the simple question ‘What is a VPN?’ is anything but simple, andleads to much of the confusion and debate surrounding the subject. AT&T coined theterm Virtual Private Network (VPN) to market a corporate voice service that ranacross their Public Switched Telephone Network (PSTN), but which provided the lookand feel of a leased line interconnection between Private Branch Exchanges (PBXs)by using a proprietary signalling protocol.
A good working definition of a VPN might be ‘A service with the behaviour and characteristics of a private, dedicated network, but constructed on a shared
infrastructure’ . Although this definition could include a private leased circuit as aLayer 1 VPN, we normally limit the definition to L2 services and above.
2.2 Tunnelling
VPNs normally require that user traffic be tunnelled across the shared infrastructure. This provides several benefits:
• it ensures that VPN traffic enters and exits the public network at the intended points, rather than by some alternative route
• it ‘hides’ the private address scheme from the shared network, so that address conflicts are avoided, and changes within the private network do not require changes to the public service
• it ‘hides’ the shared network architecture from the private network, so that internal architecture issues do not affect the service, and changes to it do not affect the operation of the VPN
Figure 9 shows IP traffic being tunnelled within IP. The hosts communicating have addresses in the 192.168.1.0 network, but are connected through routers with addresses in the 10.0.0.0 network. These interfaces on the routers are also configured to act as tunnel endpoints, and so they encapsulate the user traffic so that it appears to originate and terminate on the routers. The original IP source and destination addresses are now simply part of the payload of the tunnelled packet. At the far-end tunnel endpoint, the encapsulation is removed, and the original packet is routed to the intended host at 192.168.1.2.
This example shows tunnelling of IP traffic within IP, but we can consider transport of IP traffic across a Layer 2 switched connection such as Frame Relay and ATM as tunnelling also. The two main types of VPN we will consider in this section are Multiprotocol Label Switching (MPLS) VPNs and IP Security (IPSec) VPNs. MPLS VPNs tunnel IP traffic across MPLS LSPs. IPSec VPNs tunnel IP traffic across IPSec tunnels.
2 IP VIRTUAL PRIVATE NETWORKS (VPN)
Figure 9
Tunnelling
[Figure not reproduced. Upper panel, ‘Virtual Private Network’: ‘A service with the behaviour and characteristics of a private, dedicated network, but constructed on a shared infrastructure’. Lower panels compare a conventional connection with a tunnelled connection between host A (192.168.1.1) and host B (192.168.1.2) through tunnel endpoints C (10.0.0.1) and D (10.0.0.2): once the tunnel is established, the original packet (header A to B plus payload) travels as the payload of an outer packet addressed C to D.]
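The encapsulation of Figure 9, worked through as an added example that is not part of the original manual: it builds the inner packet from A to B, wraps it in an outer IP-in-IP packet between the tunnel endpoints C and D, and unwraps it again at D. The IPv4 header layout is standard; the payload and the check that only packets addressed to the endpoint are decapsulated are constructed for the example.

```python
"""IP-in-IP tunnelling between the endpoints of Figure 9 (added example)."""
import ipaddress
import struct

IPPROTO_IPIP = 4          # IANA protocol number for IP-in-IP encapsulation
IPPROTO_UDP = 17
HDR_FMT = "!BBHHHBBH4s4s"  # minimal 20-byte IPv4 header without options


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Return an IPv4 packet (header + payload) with a correct header checksum."""
    hdr = struct.pack(HDR_FMT, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Decode the header; a corrupted header fails the checksum test."""
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    (_, _, total_len, _, _, ttl, proto, _, src, dst) = struct.unpack(HDR_FMT, packet[:20])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def tunnel_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry point: the whole original packet becomes the outer payload."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner_packet)


def tunnel_decapsulate(outer_packet: bytes, my_address: str) -> bytes:
    """Tunnel exit point: strip the outer header and return the original packet.

    Only packets addressed to this endpoint and carrying IP-in-IP are accepted,
    so a stray packet from the shared network is not injected into the private one.
    """
    outer = parse_ipv4(outer_packet)
    if outer["dst"] != my_address:
        raise ValueError("outer packet is not addressed to this tunnel endpoint")
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("outer packet is not an IP-in-IP encapsulation")
    return outer["payload"]


def run_example() -> dict:
    """Host A (192.168.1.1) sends to host B (192.168.1.2) through tunnel C -> D."""
    original = build_ipv4("192.168.1.1", "192.168.1.2", IPPROTO_UDP, b"hello from A")
    on_the_wire = tunnel_encapsulate(original, "10.0.0.1", "10.0.0.2")
    seen_by_shared_network = parse_ipv4(on_the_wire)         # only C and D are visible
    delivered = tunnel_decapsulate(on_the_wire, "10.0.0.2")  # at D, before routing to B
    return {"outer": seen_by_shared_network, "inner": parse_ipv4(delivered),
            "unchanged": delivered == original}


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```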
2.3 VPN Applications: Intranets, Extranets and Remote Access
2.3.1 Intranet
An Intranet application connects separate sites within an organization across a public infrastructure. These connections are normally long-standing, and can be in a hub and spoke, full mesh or hybrid configuration. Traditional L2 VPN technologies have favoured hub and spoke arrangements, due to the higher cost of provisioning a mesh of PVCs. In an intranet VPN, it is assumed that all sites are equally trusted with access to other sites across the VPN, and that users already have accounts and privileges on the remote systems, hence implementing an intranet VPN and integrating it with existing enterprise systems is normally fairly straightforward.
2.3.2 Extranet
An Extranet VPN application connects separate sites within separate organizations across a public infrastructure. Extranet VPNs allow businesses to permit access to controlled portions of their IT systems to partners, customers or suppliers on a long or short-term basis. Establishing suitable access control mechanisms for extranet users is typically a separate issue from the authentication of end-points and the security of data across the VPN, and can lead to difficult policy and practice issues. One of the attractions of the Secure Socket Layer (SSL) protocol for extranet use is the ability to place shared information and applications in a controlled zone away from the main corporate network.
2.3.3 Remote Access
A Remote Access VPN provides access to the corporate intranet via some on-demand access technology, typically a dial-up modem or ISDN call across the circuit-switched network, or an ADSL connection for a home worker. Because the connection is on demand and may be roaming, special care must be taken in mutual authentication of the client and gateway, and to ensure that vulnerabilities of the laptop or home system do not allow penetration of the corporate network across the ‘trusted’ VPN connection. Once the VPN is established, remote workers typically have the same access to facilities as they would have at their normal office location, although of course the end-to-end performance of the VPN connection will determine the QoS experienced by the user.
Figure 10
Intranets, Extranets and Remote Access VPNs
[Figure not reproduced: a public IP network connects wraycastle UK with wraycastle USA (intranet), with a customer site (extranet) and with a wraycastle home worker (remote access).]
2.4 Types of VPN
Various approaches to building VPNs have been developed:
• Layer 2 virtual leased line VPNs (for example Frame Relay and ATM)
• Layer 3 over native Layer 2 VPNs (for example Multiprotocol over ATM (MPOA) and LAN Emulation (LANE))
• transport layer VPNs (for example Secure Sockets Layer (SSL) and Transport Layer Security (TLS))
• application layer VPNs (for example Secure MIME (S/MIME) and Secure Shell (SSH))
In this course, we concentrate on the two main approaches to implementing VPNs at the IP layer. These are very different in their approach, but both are sold by a wide range of IP Service Providers as IP-VPNs.
2.4.1 Layer 3 Network Protocol-based VPNs
The IP networking community, led by the major equipment vendors, has developed an MPLS-based VPN architecture, specified in RFC 2547. The MPLS architecture builds upon the basic technology of IP and MPLS. It can be viewed as a development of the traditional Layer 2 VPNs and the Layer 3 over native Layer 2 VPNs.
2.4.2 Layer 3 Encryption-based VPNs
The network security community has developed an IP VPN architecture based upon a technology called IPSec, which is specified in RFCs 2401–2412. The IPSec architecture is driven by security, and it has much in common with protocols such as Secure Sockets Layer, in that its basic technology is encryption. However IPSec operates exclusively at the IP layer, by encrypting packet payloads, and so is a true IP layer VPN.
Figure 11
Encryption and Network-Protocol-Based VPNs
Encryption-based VPNs:
• Application layer: S/MIME, SSH, etc.
• Transport layer: SSL, TLS
• IP layer: IPSec (reference: RFC 2401–2412)
Network protocol-based VPNs:
• IP layer over native Layer 2: LAN emulation, MPOA
• Link layer: virtual leased lines (ATM, Frame Relay)
• IP layer: MPLS VPN (reference: RFC 2547)
2.5 MPLS-based IP-VPN Motivation
MPLS integrates the label swapping approach of Frame Relay and ATM with a new control plane model for setting up and tearing down ‘connections’ (LSPs in MPLS terminology) that moves away from the ITU-T signalling model, and towards IP routing for control.
This philosophy extends to the MPLS-VPN application also, and potentially delivers some attractive benefits:
• A Layer 2 VPN requires configuration by the Network Operations Centre (NOC) of the Customer Premises Equipment (CPE) router with virtual circuit identifiers and IP to Layer 2 mappings; however, the MPLS VPN approach requires no CPE configuration: all provisioning is carried out on the Provider Edge (PE) routers within the service provider network.
• A Layer 2 VPN must be provisioned by the NOC through the core network by establishing end-to-end virtual circuits for each customer. However, an MPLS core network holds no information concerning the MPLS-VPNs that run across it.
• A Layer 2 VPN has scalability limitations because all CPE routers are adjacent from a routing perspective, leading to processing overload as the number of customer sites grows, unless some routing hierarchy is introduced. In an MPLS VPN, each CPE router has a single routing peer, and has no direct interaction with the other CPE routers, therefore the processing load on customer routers is much reduced.
Figure 12
Motivation for MPLS VPNs
[Figure not reproduced. Conventional Frame Relay or ATM VPN service: the NOC provisions the VPN through the service provider network, and CPE routers A and B are routing peers. MPLS VPN service: the NOC provisions the VPN on the service provider routers only, router A and its service provider router are routing peers, router B and its service provider router are routing peers, and the core consists of LSRs.]
2.6 Architecture of MPLS-based IP-VPNs
MPLS VPNs operate from a service perspective at the IP layer, and classify routers in the customer and service provider network into one of four types, as shown in Figure 13. Customer Edge (CE) and Provider Edge (PE) routers operate at the boundary of the customer and service provider networks respectively.
Unlike the L2 VPN model, the CE and PE routers are peers from a routing perspective. The VPN functionality is centred on the PE router. The CE router typically requires no VPN-specific configuration, simply treating the PE router as the next hop router in a ‘private’ network. The Provider routers (P) in the service provider core also have no knowledge of the VPN address or routing information, and simply provide transport across the core network. The Customer (C) routers are conventional enterprise routers, with no special relationship to the VPN service.
MPLS VPNs assume that the service provider operates an MPLS core between PE routers to which customers attach, and that this core has mechanisms for the establishment of LSPs between these edge routers. The MPLS core LSPs may have been manually provisioned, or may have been established by one of the other MPLS control plane mechanisms. All of this is independent of the MPLS VPN service, but this infrastructure is required for the MPLS VPN model of RFC 2547 to operate.
This separation of the core routing from the VPN functionality that MPLS VPNs achieve is possible because the MPLS VPN architecture uses label stacking to tunnel a customer’s VPN traffic across the MPLS core. Decisions about how to switch the traffic are made at the originating PE router, which understands both the customer VPN locations, and the LSPs in place across the core. Therefore it can apply a pair of labels as traffic enters the network from customer sites.
The inner label is a VPN label, and allows the traffic to be routed to the correct customer site at the destination PE router. This label is not examined or changed by the core routers.
The outer label is a conventional LSP label, which allows the packet to be switched across a trunk LSP through the network core which joins the PE routers. This label is examined and modified at the core routers, and operates like a conventional virtual circuit identifier.
Figure 13
Architecture of MPLS VPNs
[Figure not reproduced: a customer router sends a conventional IP packet to its CE router; the ingress PE router places it in an MPLS label stack, where label 1 is the VPN label and labels 2, 3 and 4 are the MPLS trunk labels swapped by the provider routers (LSRs) across the core; the egress PE router delivers a conventional IP packet to the destination CE router and customer router. PE = Provider Edge, CE = Customer Edge.]
2.7 MPLS VPN Operation
To set up an MPLS VPN, a service provider provisions the service at the PE routers serving that customer’s sites only. No configuration of non-serving PE routers, or of the core routers, is required. Conventional Interior Gateway Protocols (IGP) running between Provider and Provider Edge routers propagate reachability within the service provider core, and conventional MPLS techniques are used to establish the trunk LSPs between PE routers. All of this is independent of the VPN service.
The VPN service itself is controlled by a routing overlay that does not interact with the core network routing and switching.
Once the VPN sites have been configured within the PE routers, the PE routers learn which customer networks are reachable at the directly connected customer site. These customer routes may be statically configured by the service provider, or learnt through a conventional routing protocol running between the PE and CE routers. This information is stored in what are logically per-VPN routing tables, by attaching a VPN Identifier to the routing entries that is unique to each customer VPN.
The per-VPN routing table entries held in the PE routers are propagated between all PE routers in the service provider network using Multiprotocol Border Gateway Protocol (MP-BGP). The PE routers therefore operate rather like conventional iBGP peers advertising external reachability. As the number of PE routers and customer sites grows, scalability of the MPLS/VPN approach can be improved by normal BGP mechanisms, such as use of BGP route reflectors.
Traffic is forwarded between PE routers serving different sites of a VPN by MPLS label stacking. The originating PE router attaches a label for the destination IP address within the relevant VPN, followed by a label for the LSP across the core to the relevant PE router. The outer label is used to switch the packet across the service provider core without the core network needing any awareness of customer VPN routing. Subsequently at the destination PE router, the VPN-specific label is used to direct the packet to the appropriate local VPN site.
Moves and changes to sites on an existing VPN are automatically propagated once the PE router serving the affected sites has been configured.
Figure 14
Operation of MPLS VPNs
[Figure not reproduced: 1. VPN configuration of each serving PE router from the NOC; 2. customer/SP routing protocol between CE and PE routers at each site; 3. MP-BGP propagation of VPN routes and labels between PE routers; 4. forwarding of customer traffic in a label stack across the core.]
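The label stacking of sections 2.6 and 2.7, as one added example that is not part of the original manual: the VRF contents, trunk labels and the LFIB entries of the two provider routers are constructed to mirror Figure 13 (label 1 is the VPN label; 2, 3 and 4 are the trunk labels), the shim header layout is the standard 32-bit MPLS entry, and the minimal IPv4 header is constructed without a checksum.

```python
"""MPLS VPN forwarding with a two-label stack (added example, see Figure 13)."""
import ipaddress
import struct


def encode_shim(label: int, bos: bool, exp: int = 0, ttl: int = 64) -> bytes:
    """32-bit MPLS shim entry: 20-bit label, 3-bit EXP, bottom-of-stack bit, 8-bit TTL."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bos) << 8) | ttl)


def decode_shim(frame: bytes):
    """Return (top shim entry as a dict, remainder of the frame)."""
    (word,) = struct.unpack("!I", frame[:4])
    entry = {"label": word >> 12, "exp": (word >> 9) & 7,
             "bos": bool(word & 0x100), "ttl": word & 0xFF}
    return entry, frame[4:]


def ip_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no checksum) so the destination sits at bytes 16..19."""
    return (b"\x45" + b"\x00" * 11 + ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed + payload)


class IngressPE:
    """Holds per-VPN routing tables (VRFs) learnt over MP-BGP, plus trunk LSP labels."""

    def __init__(self, vrfs: dict, trunk_labels: dict):
        # vrfs: {vrf: [(prefix, vpn_label, egress_pe)]}; trunk_labels: {egress_pe: label}
        self.vrfs = {name: [(ipaddress.ip_network(p), lbl, pe) for p, lbl, pe in routes]
                     for name, routes in vrfs.items()}
        self.trunk_labels = trunk_labels

    def forward(self, vrf: str, packet: bytes) -> bytes:
        dst = ipaddress.IPv4Address(packet[16:20])
        candidates = [r for r in self.vrfs[vrf] if dst in r[0]]
        if not candidates:
            raise LookupError(f"no route to {dst} in VRF {vrf}")
        _, vpn_label, egress_pe = max(candidates, key=lambda r: r[0].prefixlen)
        # Trunk label on top; the VPN label underneath carries the bottom-of-stack bit.
        return (encode_shim(self.trunk_labels[egress_pe], bos=False)
                + encode_shim(vpn_label, bos=True) + packet)


class PRouter:
    """Core router: swaps the outer label only and never looks beneath it."""

    def __init__(self, lfib: dict):
        self.lfib = lfib  # {incoming label: (outgoing label, next hop)}

    def switch(self, frame: bytes):
        top, rest = decode_shim(frame)
        if top["ttl"] <= 1:
            raise ValueError("TTL expired in the MPLS core")
        out_label, next_hop = self.lfib[top["label"]]
        new_top = encode_shim(out_label, top["bos"], top["exp"], top["ttl"] - 1)
        return next_hop, new_top + rest


class EgressPE:
    """Pops the trunk label, then uses the VPN label to pick the customer site."""

    def __init__(self, vpn_bindings: dict):
        self.vpn_bindings = vpn_bindings  # {vpn_label: (vrf, attached CE site)}

    def deliver(self, frame: bytes):
        trunk, rest = decode_shim(frame)
        if trunk["bos"]:
            raise ValueError("expected a trunk label above the VPN label")
        vpn, packet = decode_shim(rest)
        if not vpn["bos"] or vpn["label"] not in self.vpn_bindings:
            raise ValueError("malformed stack or a VPN label this PE never advertised")
        vrf, site = self.vpn_bindings[vpn["label"]]
        return vrf, site, packet


def run_example() -> dict:
    """Site A (behind PE1) sends to site B (behind PE2) via core routers P1 and P2."""
    pe1 = IngressPE({"acme": [("192.168.2.0/24", 1, "PE2")]}, {"PE2": 2})
    p1 = PRouter({2: (3, "P2")})
    p2 = PRouter({3: (4, "PE2")})
    pe2 = EgressPE({1: ("acme", "site B")})

    packet = ip_packet("192.168.1.10", "192.168.2.20", b"customer data")  # constructed
    frame = pe1.forward("acme", packet)
    outer, rest = decode_shim(frame)
    trace = [("PE1", (outer["label"], decode_shim(rest)[0]["label"]))]
    for router, name in ((p1, "P1"), (p2, "P2")):
        _, frame = router.switch(frame)
        outer, rest = decode_shim(frame)
        trace.append((name, (outer["label"], decode_shim(rest)[0]["label"])))
    vrf, site, delivered = pe2.deliver(frame)
    return {"trace": trace, "vrf": vrf, "site": site, "unchanged": delivered == packet}
```

The trace shows the outer label changing 2, 3, 4 hop by hop while the inner VPN label 1 and the customer packet pass through the core untouched.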
2.8 Motivation for Encryption-based IP-VPNs
Encryption-based VPNs achieve the separation of a customer’s traffic from that of other customers and the shared network infrastructure by using the mathematics of secret and/or Public Key Cryptography (PKC). The basic building blocks of cryptography are used to provide a set of security services in the encryption-based VPN approach. IPSec technology was developed because there was a perceived need to be able to secure traffic at the IP layer that was travelling across a variety of networks. VPNs are only one example of the use of IPSec, just as MPLS is used for other than VPN applications.
The IPSec VPN approach is typically attractive to organizations with a strong security focus, for example financial organizations, healthcare organizations and government departments.
IPSec VPNs can provide end-point authentication, data integrity, and data confidentiality services on a per-packet basis between two IPSec peers².
² It is common in the cryptographic community to use Alice and Bob as the intended communicators on a secure channel. By convention, Eve is an eavesdropper, and Mallory is an active attacker.
Figure 15
Encryption-based VPN Security Services
[Figure not reproduced: ‘Alice’ (IPSec VPN user, source) and ‘Bob’ (IPSec VPN user, destination) carry out the intended communication; ‘Eve’ / ‘Mallory’ threaten it by interception, modification and masquerading, which the confidentiality, integrity and authenticity services counter.]
2.9 Secret Key Cryptography
Traditionally secret key encryption has been used in military and government systems to protect the confidentiality of data in transit.
The mathematics of secret key cryptography have changed very little in hundreds of years, but as processing power has increased, the cryptographic strength needed by an algorithm for it to be considered secure has increased dramatically.
Secret key cryptography uses a symmetrical algorithm and a secret key known only to the sender and recipient. A plaintext message to be sent across an insecure channel is encrypted using the secret key and the algorithm. The receiver is able to recover the plaintext message provided they have the ciphertext, the algorithm and the secret key that was used to encrypt it.
Secret key cryptography is widely used in many systems, and there are various algorithms available, some of which are government approved and licensed. Examples include the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES).
Although secret key encryption is secure and efficient, the distribution of secret keys to the communicators has always been problematic. While government and military organizations could achieve this through their highly structured organizations, secret key encryption is extremely difficult to implement in less controlled environments.
2.10 Public Key Cryptography (PKC)
In the early 1970s, a new approach to cryptography called Public Key Cryptography was proposed and proved for the first time, and has subsequently revolutionized the use of encryption.
Public key systems use an asymmetric encryption approach. Two matching keys are generated, such that a message encrypted with one key of the pair can only be decrypted using the other, matching key. While the public key is freely distributed, the private key is closely guarded. Because someone sending a secure message only needs the recipient’s public key, the key distribution problem is much simplified.
Examples of public key algorithms include the Rivest, Shamir and Adleman (RSA) algorithm, and the Diffie-Hellman (DH) algorithm.
The main role of public/private key encryption is in solving the key distribution problem. It is computationally much less efficient than secret key encryption, and so hybrid systems combining both techniques are commonly developed.
Figure 16
Secret and Public Key Cryptography
[Figure not reproduced. Secret key cryptography: ‘Alice’ turns the plaintext message into ciphertext with the algorithm and the secret key, and ‘Bob’ recovers the plaintext with the same algorithm and the same secret key. Public key cryptography: ‘Alice’ encrypts with the public/private key algorithm using Bob’s public key, and ‘Bob’ decrypts with the same algorithm using Bob’s private key.]
2.11 IPSec Operation
IPSec is normally used with the Internet Key Exchange (IKE) protocol, so that the negotiation and configuration of IPSec tunnels can be largely automated.
In order to protect traffic between two IP devices using IPSec, an IPSec Security Association (SA) is established between the IPSec endpoints. This SA defines all of the parameters of the IPSec session, including:
• which modes of IPSec are to be used, including tunnel or transport, and ESP or AH
• which algorithms are to be used for key generation, encryption and authentication
• various timers that control the regeneration of key material and expiry of the SA
• policy filters that specify whether particular traffic should bypass the IPSec tunnel or is passed through IPSec
In order to establish an IPSec SA, a number of steps are necessary:
• the candidate end points for the association are configured with the policy setting to be applied to any SA established, and the definition of traffic that should be passed through an IPSec association
• once a host has traffic that requires IPSec protection (based upon the traffic definition in the device), an IKE session is negotiated between the hosts. This is essentially a special IPSec tunnel used to carry IKE traffic only. This is known as IKE Phase One
• once the IKE Phase One association is in place, an IPSec SA for the actual traffic can be negotiated. This is known as IKE Phase Two
• once the IPSec tunnel is in place, traffic can flow across the tunnel. After a period of inactivity, or when the SA lifetime parameter expires, the IPSec tunnel is cleared
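The SA establishment steps above, as an added example that is not part of the original manual: the policy entries, SA parameters and lifetime are constructed, IKE Phase One and Phase Two are stood in for by local bookkeeping rather than a real key exchange, and the rule that traffic matching no policy entry is discarded is an assumption.

```python
"""IPSec SA establishment and expiry driven by policy (added example, section 2.11)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTECT, BYPASS, DISCARD = "protect", "bypass", "discard"


@dataclass(frozen=True)
class PolicyEntry:
    """Traffic selector: which packets bypass IPSec and which must be protected."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int]   # None matches any IP protocol
    action: str


@dataclass
class SecurityAssociation:
    """Parameters negotiated in IKE Phase Two (constructed field set)."""
    spi: int
    peer: str
    mode: str              # "tunnel" or "transport"
    protocol: str          # "ESP" or "AH"
    encryption: str
    integrity: str
    lifetime: int          # seconds
    established_at: int

    def expired(self, now: int) -> bool:
        return now - self.established_at >= self.lifetime


class IPsecEndpoint:
    """One end of the association: policy lookup, simulated IKE, SA lifetime handling."""

    def __init__(self, peer: str, policy: List[PolicyEntry], sa_params: dict, lifetime: int):
        self.peer = peer
        self.policy = policy
        self.sa_params = sa_params
        self.lifetime = lifetime
        self.ike_sa_up = False                   # IKE Phase One state
        self.ipsec_sa: Optional[SecurityAssociation] = None   # IKE Phase Two result
        self._next_spi = 0x1000                  # constructed; real SPIs come from the peer
        self.events: List[str] = []

    def lookup_policy(self, src: str, dst: str, proto: int) -> str:
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        for entry in self.policy:                # ordered rule set: first match wins
            if s in entry.src and d in entry.dst and entry.proto in (None, proto):
                return entry.action
        return DISCARD                           # assumption: unmatched traffic is dropped

    def _ike_phase_one(self) -> None:
        # Stands in for the real exchange: mutual authentication and an IKE SA.
        self.ike_sa_up = True
        self.events.append(f"IKE phase one: IKE SA established with {self.peer}")

    def _ike_phase_two(self, now: int) -> None:
        # Stands in for the real exchange: a fresh IPSec SA with its own SPI and lifetime.
        self.ipsec_sa = SecurityAssociation(spi=self._next_spi, peer=self.peer,
                                            lifetime=self.lifetime, established_at=now,
                                            **self.sa_params)
        self._next_spi += 1
        self.events.append(f"IKE phase two: IPSec SA SPI {self.ipsec_sa.spi:#x}")

    def send(self, src: str, dst: str, proto: int, now: int) -> Tuple[str, Optional[int]]:
        """Return (policy action, SPI used) for a packet handed to the endpoint at time now."""
        action = self.lookup_policy(src, dst, proto)
        if action != PROTECT:
            return action, None
        if self.ipsec_sa is not None and self.ipsec_sa.expired(now):
            self.events.append("IPSec SA lifetime expired: tunnel cleared")
            self.ipsec_sa = None
        if self.ipsec_sa is None:                # no usable SA: negotiate one
            if not self.ike_sa_up:               # the IKE SA is assumed to outlive the IPSec SA
                self._ike_phase_one()
            self._ike_phase_two(now)
        return action, self.ipsec_sa.spi


def run_example():
    """Constructed gateway policy: protect site-to-site traffic, bypass internet-bound traffic."""
    policy = [
        PolicyEntry(ipaddress.ip_network("192.168.1.0/24"),
                    ipaddress.ip_network("192.168.2.0/24"), None, PROTECT),
        PolicyEntry(ipaddress.ip_network("192.168.1.0/24"),
                    ipaddress.ip_network("0.0.0.0/0"), None, BYPASS),
    ]
    sa_params = {"mode": "tunnel", "protocol": "ESP",
                 "encryption": "AES-128", "integrity": "HMAC-SHA1"}   # constructed choices
    gateway = IPsecEndpoint("203.0.113.2", policy, sa_params, lifetime=3600)
    results = [
        gateway.send("192.168.1.5", "198.51.100.9", 6, now=0),     # internet-bound: bypass
        gateway.send("192.168.1.5", "192.168.2.7", 6, now=10),     # first protected packet
        gateway.send("192.168.1.5", "192.168.2.7", 17, now=500),   # reuses the live SA
        gateway.send("192.168.1.5", "192.168.2.7", 6, now=4000),   # lifetime passed: new SA
    ]
    return results, gateway
```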
2.12 IPSec Gateway Location
The normal position for IPSec gateway devices is at the boundary between the private and public network. Where the enterprise builds and operates an IPSec VPN itself, gateways will normally be behind an Internet firewall. Where a service provider installs and operates the VPN gateway, this may be on the customer premises, or at the local PoP.
IPSec capability is widely supported in network devices, in operating systems and in applications. Because IPSec places no requirements on the network infrastructure (unlike the MPLS VPN approach), it can be deployed between any two devices that can operate IPSec.
2.13 Products Supporting IPSec
In practice, IPSec is normally deployed on one of four types of platform:
2.13.1 Routers
IPSec functionality is often included in the capabilities of routers, or provided as an optional component in the software load. The border router connecting an enterprise to the public network can be used as an IPSec endpoint for Intranet and Extranet connections. These are typically not used to terminate dial-up users. Small access routers of the type used for home workers and branch offices increasingly have an IPSec VPN capability, and make effective branch office VPN endpoints, connecting to a VPN gateway at headquarters.
2.13.2 Firewalls
The main firewall vendors all support VPNs using IPSec on their products. Because these devices are already extensively tested from a security perspective, and are located at the boundary between the private and public network, they can provide an effective VPN gateway for remote access, Intranet and Extranet VPNs. For remote access, the firewall vendor may offer a remote access client application that is loaded on the PC connecting to the gateway.
Figure 18
VPN Platforms and Supported Applications
[Figure not reproduced: the platform types (firewall, dedicated VPN gateway, software only) and the VPN applications each supports (intranet, extranet, remote access client).]
2.13.3 Dedicated VPN Gateways
Dedicated VPN gateways typically have some routing and firewall functionality, but are primarily designed to make configuration and operation of VPNs using IPSec as simple and scalable as possible. These devices are typically deployed at the boundary of the corporate and public network, often in the De-Militarized Zone (DMZ), so that Intranet, Extranet and remote access VPN endpoints can access the gateway. The product vendor normally supplies a software VPN client for use in remote access applications.
2.13.4 Operating Systems
Since the launch of Windows 2000 Professional™ and Server™, Microsoft™ has included IPSec VPN functionality in their operating system products. The Routing and Remote Access Server (RRAS) component of their server products can act as a gateway for multiple remote access clients, and intranet and extranet configurations between machines are also possible.
Other operating systems typically do not include IPSec VPNs as standard; however, products and open source software are available to implement these on most varieties of Unix.
Each type of platform has strengths and weaknesses, which will make it more or less suitable for a given set of requirements.
Figure 18 (repeated)
VPN Platforms and Supported Applications
[Figure not reproduced: the platform types (firewall, dedicated VPN gateway, software only) and the VPN applications each supports (intranet, extranet, remote access client).]
Figure 19
Generic Security Services (revisited)
[Figure not reproduced: ‘Alice’ (IPSec VPN user, source) and ‘Bob’ (IPSec VPN user, destination) carry out the intended communication; ‘Eve’ / ‘Mallory’ threaten it by interception, modification and masquerading, which the confidentiality, integrity and authenticity services counter.]
3.2 Quantifying the Risk
Knowing there is a risk and being able to mitigate it with a proportionate response requires an organization to quantify (at least to some degree) that risk. A common view of risk is that it is a function of threat, vulnerability and impact.
Risk = f (threat, vulnerability, impact)
3.2.1 Threat
Threat can be considered to be the likelihood that some person or persons will attempt to compromise your information. Sources of threat may include competitors, journalists, internal staff and even activists.
3.2.2 Vulnerability
This is a measure of what potential vulnerabilities exist in the system that is protecting the information you care about. What are the mechanisms that you rely on to protect your information and just how well designed and implemented are they?
3.2.3 Impact
If your information is compromised, do you care? What are the outcomes (from a financial perspective as well as reputation) to the business?
Some case studies are given later but, in its simplest form, a business with an aggressive competitor, numerous ways for its data to be compromised and a significant likelihood of lost business and/or revenue if such a compromise took place has a lot to consider. A business that perceives no threat, is confident their information cannot be compromised and cares little if it actually is, probably has little to worry about (apart from being extremely naive!).
Figure 20
Security Threats, Vulnerabilities and Impacts
[Figure not reproduced: threats to the business network (organized crime, past employee, present employee, competitor, hacker, investigative journalist), vulnerabilities (removable media, e-mail, WWW) and impacts (lost customers and revenue, fraud, bad publicity, business failure).]
3.3 Basic Countermeasures
3.3.1 Identification and Authentication
One of the most widely known security countermeasures is the ubiquitous logon. To ensure only those that are authorized to access information do so, mechanisms to check a user’s authenticity are employed. This can be something you know, have or are, but traditionally has been a username and password. However, increasing use is being made of tokens and smart cards (something you have) and a significant amount of research is being undertaken into technologies such as biometrics (something you are). This includes fingerprints, retina scanning and face recognition.
3.3.2 Access Control
Once authenticated, users may still want to ensure only certain individuals can access sensitive information, and this is often enforced using access controls on files and folders. It is usual for these controls to be Discretionary (i.e. the file/folder owner can set access rights). Such controls are often implemented using a technique known as Access Control Lists, which allow the file/folder owner to list those with explicit allow and deny permissions.
3.3.3 Accounting and Audit
In order to detect when actual or potential breaches in security occur, accounting is often performed and this data then audited at regular intervals to highlight any potential breach. The information recorded includes who has logged on, when, from where and the actions they undertook while online, e.g. sent an e-mail, tried to access a file they didn’t have authorized access to. This data can be kept for a significant period of time and used at a later date to identify patterns over time or investigate users’ actions when they come under suspicion some time in the future.
Figure 21 shows examples of each of these functions from Microsoft Windows 2000™, but similar functions are available in all multi-user operating systems.
Figure 21
An Example of Security Services in Operation
[Screenshots not reproduced.]
3.4 Other Countermeasures – Security Appliances
3.4.1 Firewalls
Firewalls are the most widely used security appliance. A firewall is a device that protects one network from another, offering a controlled path between the two and providing a strong barrier to ensure that controlled path isn’t bypassed. Firewalls can come in a number of varieties.
The simplest type of firewall is known as a stateless packet filter, where individual packets are compared against a set of rules and allowed based on those rules. These devices are often the quickest as they only have to decode and examine the IP header of each packet, but they offer the least security.
More sophisticated is a stateful inspection firewall that allows more complex rules and the ability to control access based on the type of application being allowed or denied. These are perhaps the most common these days as they allow for some sophistication in the rule set but are still relatively quick.
The most comprehensive of firewalls is known as a proxy firewall. Rather than connecting to the actual destination host (be it a web server, mail server or other device), a proxy firewall requires you to connect to it and allow it to act on your behalf by forwarding your requests on to the intended server. Using proxy servers often requires the client software (e.g. a web browser) to be aware of its existence and be configured accordingly, although transparent proxies are becoming increasingly popular, allowing client programs to be unaware that a proxy is acting on their behalf.
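Stateless versus stateful filtering, as an added example that is not code from the manual: the rule set and packets are constructed to follow Figure 22, where inbound SMTP is permitted and inbound WWW (port 80) connections are blocked, and the stateful filter is a simplified connection table keyed on the 5-tuple.

```python
"""Stateless packet filtering versus stateful inspection (added example, section 3.4.1)."""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str     # "in" = arriving from the public network, "out" = leaving the corporate one
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN marks a new connection attempt


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    dport_lo: int
    dport_hi: int
    action: str        # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction and self.proto == pkt.proto
                and self.dport_lo <= pkt.dport <= self.dport_hi)


def stateless_filter(rules: List[Rule], pkt: Packet) -> str:
    """Each packet is judged on its own header: first matching rule wins, otherwise deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StatefulFilter:
    """Remembers connections opened from the inside so that only their replies get back in."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.connections: Set[Tuple[str, str, int, str, int]] = set()

    def _is_reply(self, pkt: Packet) -> bool:
        # An inbound packet is a reply when its reversed 5-tuple is a known connection.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections

    def inspect(self, pkt: Packet) -> str:
        if pkt.direction == "in" and self._is_reply(pkt):
            return "allow"
        verdict = stateless_filter(self.rules, pkt)
        if verdict == "allow" and pkt.direction == "out" and (pkt.proto != "tcp" or pkt.syn):
            self.connections.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict


# Constructed rule set following Figure 22: inbound SMTP allowed, inbound WWW blocked.
RULES = [
    Rule("in", "tcp", 25, 25, "allow"),
    Rule("in", "tcp", 80, 80, "deny"),
    Rule("out", "tcp", 1, 65535, "allow"),
    Rule("out", "udp", 53, 53, "allow"),
]
# A stateless filter needs this extra rule so replies to outbound connections get back in;
# it also admits any unsolicited packet aimed at a high port, which is the weakness.
STATELESS_REPLY_RULE = Rule("in", "tcp", 1024, 65535, "allow")


def run_example() -> dict:
    """Constructed packets: a staff web request, its reply, and three inbound probes."""
    web_request = Packet("out", "tcp", "192.168.1.10", 51000, "203.0.113.5", 80, syn=True)
    web_reply = Packet("in", "tcp", "203.0.113.5", 80, "192.168.1.10", 51000)
    unsolicited = Packet("in", "tcp", "198.51.100.77", 4444, "192.168.1.10", 51000, syn=True)
    inbound_www = Packet("in", "tcp", "198.51.100.77", 33000, "192.168.1.20", 80, syn=True)
    inbound_smtp = Packet("in", "tcp", "198.51.100.77", 33001, "192.168.1.20", 25, syn=True)

    strict = [stateless_filter(RULES, p) for p in (web_request, web_reply)]
    loose = [stateless_filter(RULES + [STATELESS_REPLY_RULE], p)
             for p in (web_reply, unsolicited)]
    firewall = StatefulFilter(RULES)
    stateful = [firewall.inspect(p)
                for p in (web_request, web_reply, unsolicited, inbound_www, inbound_smtp)]
    return {"stateless_strict": strict, "stateless_loose": loose, "stateful": stateful}
```

Without the reply rule the stateless filter drops the legitimate web reply; with it, the same rule also admits the unsolicited probe, whereas the stateful filter admits only the reply it has seen a matching outbound connection for.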
3.4.2 Intrusion Detection Systems (IDS)
Intrusion detection is a relatively new security technology but is becoming increasingly popular. The aim of an IDS is to detect (and, as the technology develops, defend against) network intrusions.
There are two types of IDS, host based and network based. As the name suggests, host-based systems protect a single host and monitor its incoming and outgoing network activity for malicious activity. Network-based systems run as sensors on the network itself, monitoring all network traffic for malicious activity.
The main underlying technology behind current IDS systems is signature based and (as with virus scanners) being able to detect the latest attacks relies on having the latest signatures loaded. There are anomaly-detection-based systems that try to learn the normal activity on a network and then detect when activity deviates from that profile. However, these systems are still in their infancy and tend to produce a significantly high false positive rate (i.e. highlighting problems which are in fact innocuous behaviour).
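The two detection approaches contrasted above (and the same signature-versus-heuristic contrast drawn for virus scanners in 3.5.1) can be run side by side on a small constructed request log. This is an added example, not code from the manual: the signature set, the learned rate profile and the request events are all invented for illustration.

```python
"""Added example, not code from the manual: a signature matcher beside a
simple anomaly detector, both run over constructed web-server request
events, showing why a learned profile raises false positives on unusual
but innocuous activity while signatures catch only what they know."""
import re
import statistics
from dataclasses import dataclass

# Constructed signature set: each pattern names content the sensor treats as
# hostile. A real IDS rule base is far larger and must be updated constantly.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "cmd-exe-request": re.compile(r"cmd\.exe", re.IGNORECASE),
}


@dataclass(frozen=True)
class Event:
    minute: int     # minute of the day in which the request was seen
    client: str     # requesting IP address
    request: str    # request line, e.g. "GET /index.html"


def signature_alerts(events) -> list:
    """Signature mode: one alert for every event matching a known pattern."""
    return [(e.minute, e.client, name)
            for e in events
            for name, pattern in SIGNATURES.items()
            if pattern.search(e.request)]


def requests_per_minute(events) -> dict:
    counts = {}
    for e in events:
        counts[e.minute] = counts.get(e.minute, 0) + 1
    return counts


class RateAnomalyDetector:
    """Anomaly mode: learns the normal request rate from a training window,
    then flags any minute whose count exceeds mean + k standard deviations."""

    def __init__(self, k=3.0):
        self.k = k
        self.mean = 0.0
        self.stdev = 1.0

    def learn(self, training_events):
        counts = list(requests_per_minute(training_events).values())
        self.mean = statistics.mean(counts)
        self.stdev = statistics.pstdev(counts) or 1.0   # avoid a zero threshold

    def anomaly_alerts(self, events) -> list:
        limit = self.mean + self.k * self.stdev
        return sorted(m for m, c in requests_per_minute(events).items() if c > limit)


def constructed_training() -> list:
    """Ten quiet minutes from one client: the profile the detector learns."""
    events = []
    for minute, n in enumerate([4, 5, 6, 5, 4, 6, 5, 5, 4, 6]):
        events += [Event(minute, "198.51.100.20", "GET /index.html")] * n
    return events


def constructed_live() -> list:
    """Minute 10: normal rate but one hostile request. Minute 11: a legitimate
    bulk download of forty reports by another client."""
    events = [Event(10, "198.51.100.20", "GET /index.html")] * 4
    events.append(Event(10, "203.0.113.9", "GET /cgi-bin/../../etc/passwd"))
    events += [Event(11, "198.51.100.44", f"GET /reports/q{i}.pdf") for i in range(40)]
    return events


def run() -> dict:
    detector = RateAnomalyDetector()
    detector.learn(constructed_training())
    live = constructed_live()
    return {"signature": signature_alerts(live),
            "anomaly": detector.anomaly_alerts(live)}


if __name__ == "__main__":
    for mode, alerts in run().items():
        print(f"{mode:9s} alerts: {alerts}")
```

The signature matcher reports only the hostile request in minute 10; the anomaly detector misses it (the rate was normal) and instead flags the innocuous bulk download in minute 11, which is exactly the false positive the text warns about.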
Figure 22: Firewalls and Intrusion Detection Systems
(Diagram: a corporate network joined to the public network through a firewall, with SMTP and HTTP (port 80) traffic shown. The firewall configuration blocks inbound WWW connections in this example. An IDS probe monitors packets for signatures of hostile content.)
3.5 Other Countermeasures – Software Solutions
3.5.1 Virus Scanning
Virus scanners have been available for many years and the technology has changed little in that time. Their aim is to detect malicious software on a machine, either when it is run, when it is copied from one medium to another, or simply while resident on the machine’s internal hard disk drive.
Virus scanners operate in two basic modes – signature and heuristic. Signature mode means that files are scanned for known virus signatures. The major disadvantage of this technique is that the signatures need constant updating if you are to be protected from the latest viruses. Heuristic mode offers the most potential but is still less than perfect. The idea behind this technique is to scan for certain code segments or operating system library calls within an executable and make assumptions about their intent. Unfortunately this is far from an exact science and has a success rate significantly below 100%.
3.5.2 Content Scanning
This is a very similar technique to virus scanning but is applied in a slightly different way. As organizations have rushed to connect their corporate networks to the Internet, the risk from malicious e-mail attachments or malicious content on web pages has become a significant problem. Content scanners usually reside at the boundary between the Internet and a corporate network and filter all incoming e-mail and web content for malicious attachments (e.g. executables and feature-rich application documents) and malicious web pages (e.g. those containing malicious ActiveX, Java and other active web content).
These devices are increasingly being integrated with firewall products, offering a cheaper single solution (although the security benefits over more traditional architectures are limited).
There is also an increasing trend to outsource this functionality. Numerous companies now offer to scan all incoming e-mail on an organization’s behalf. This can offer significant overhead savings (reduced cost of signature maintenance, for example), but care should be taken when choosing such a provider, and there is always a danger that you increase your risk in other areas by directing all incoming mail via another commercial company that has the potential, at least, to read it all!
Figure 23: Virus Scanning and Content Scanning
(Diagram: client virus scanning, mail server virus scanning and file server virus scanning inside the corporate network; an Internet firewall with content scanning at the connection to the public network.)
3.6 Proportionality of Countermeasures
We have considered a number of countermeasures that mitigate some of the risks highlighted earlier. What is often hard to determine is which one (or which combination) of these is appropriate and proportionate to the risk being considered.
When considering countermeasures, always consider the cost to your business of the compromise you are trying to prevent.
Example – firewalls don’t prevent content attacks
Organizations often deploy a firewall at the boundary between their corporate network and the Internet, expecting it to mitigate all the risks associated with such a connection. However, with modern attacks becoming more application oriented, firewalls offer limited protection against such attacks and can often leave organizations with a false sense of security. Meanwhile, their corporate secrets may leak out as a result of some malicious mail attachment that passes through the corporate firewall(s) unchecked.
Figure 24: Proportionality of Countermeasures
(Diagram text: countermeasures must be PROPORTIONATE to threats and impacts.)
Figure 25: Case Study 1: Opening up the Corporate Network
(Diagram: ACME corporation connected via the Internet to a business partner, a supplier, customer 1 and customer 2. Caption: What are the security implications?)
3.8 Case Study 2 – Enabling B2C Transactions
ACME Corporation is keen to start selling its product via the Internet. What security implications are associated with such a plan?
3.8.1 Threats
• customers (wishing to get something for nothing)
• business rivals
• criminals
• script kiddies
• others
3.8.2 Vulnerabilities
• attack against the web server
3.8.3 Impact
• loss of business
• loss of reputation with customers and business partners
• loss of money
• loss of customer information (e.g. credit card numbers)
3.8.4 Countermeasures
• authentication of customers
• encrypted communications channel
• firewall between Internet and the web server
• Intrusion Detection System
Figure 26: Case Study 2: Operating an E-commerce Site
(Diagram: ACME corporation with its product database, customer database, order database, inventory database and invoicing systems; an ACME e-commerce WWW server; an e-commerce customer reaching it via the Internet. Caption: What are the security implications?)
3.9 Case Study 3 – Mobile Computing
ACME Corporation would like to allow its staff to work while away from the office. This will entail staff being able to access the corporate network from home or when working away from home. ACME wants its staff to be able either to dial in via the PSTN and/or to connect over the Internet. What security implications are associated with such a plan?
3.9.1 Threats
• internal staff
• competitors
• others
3.9.2 Vulnerabilities
• attack via the Internet connection itself
• attack via the dial-up connection
• attack via a trusted host
3.9.3 Impact
• loss of business
• compromise of proprietary information
3.9.4 Countermeasures
• firewall between Internet and corporate network
• VPN between staff PCs and corporate network
• Intrusion Detection System on corporate network
• security awareness training for staff
Figure 27: Case Study 3: Allowing Remote Access to the Corporate Network
(Diagram: a mobile ACME employee reaching ACME internal systems via the Internet. Caption: What are the security implications?)
4 IPv6
4.1 Motivation for IPv6 Development
The current version of the IP protocol, IP version 4, has not changed significantly since it was first developed and standardized in RFC 791. However, despite the success of IPv4, there are some fundamental issues with the protocol in the current Internet:
• the massive growth of the Internet has threatened to exhaust the IPv4 32-bit address space, despite efforts to mitigate this using Network Address Translation
• the same growth has made conventional Internet routing tables extremely large and flat, despite attempts to make the address space more geographically significant through new address allocation policies and CIDR
• the configuration of IP devices is still too complicated, despite the widespread use of Dynamic Host Configuration Protocol (DHCP) to assist in this
• IP QoS and security services are often mutually exclusive when IPSec encryption is applied to IPv4 packets
IPv6 addresses these issues by providing:
• larger address space
• more hierarchical addressing, supporting hierarchical routing
• more flexible address configuration
• improved support for security and QoS features
Figure 28: Motivation for IPv6
IPv4                                     IPv6
32-bit address space                     128-bit address space
Mixed flat and hierarchical address      Hierarchical address space
space
Manual configuration or DHCP             Address autoconfiguration (link local,
configuration                            site local or global unicast)
IPSec support is optional                IPSec support is mandatory
4.2 IPv4/IPv6 Co-existence
The migration of hosts and routers from IPv4 to IPv6 will take many years, and the original designers of the IPv6 protocol specifically required that IPv4 and IPv6 should be able to interoperate without requiring reconfiguration of other elements to support this. In other words, there should be excellent forwards and backwards compatibility between IPv4 and IPv6.
While the migration from IPv4 to IPv6 continues, a host or router may have only an IPv4 protocol stack, only an IPv6 protocol stack, or both. In order to assist with migration, the following components are typically required in network devices and hosts:
• devices with a dual IP layer, so that communication with both IPv4 and IPv6 hosts is possible during migration
• devices that can provide a gateway function between IPv4 and IPv6
• IPv6 over IPv4 tunnelling, so that IPv6 traffic can be carried across an IPv4 infrastructure
• an IPv4 and IPv6 DNS infrastructure, so that name resolution can be carried out for both forms of address
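Of the migration components listed, IPv6 over IPv4 tunnelling is the one that can be shown in a few lines. The following added example (not code from the manual) wraps an IPv6 packet in an IPv4 header carrying protocol number 41, as a 6in4 tunnel endpoint does, and shows the checks the receiving endpoint should make before accepting the inner packet, including that the inner source address lies within the prefix agreed for the peer. The addresses and the peer prefix are documentation values chosen for illustration.

```python
"""Added example, not code from the manual: IPv6-over-IPv4 (6in4) tunnelling.
An IPv6 packet is wrapped in an IPv4 header with protocol number 41 so it
can cross an IPv4-only core; the far endpoint unwraps it only after checking
the tunnel peer, the header checksum and the inner source prefix."""
import struct
from ipaddress import IPv4Address, IPv6Address, IPv6Network

PROTO_IPV6 = 41                 # IANA protocol number: IPv6 encapsulated in IPv4
IPV6_NO_NEXT_HEADER = 59        # the inner packet carries no upper-layer header
PEER_PREFIX = IPv6Network("2001:db8:1::/48")   # assumed prefix behind the peer


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6(src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv6 header: version 6, payload length, next header, hop limit."""
    head = struct.pack("!IHBB", 6 << 28, len(payload), IPV6_NO_NEXT_HEADER, 64)
    return head + IPv6Address(src).packed + IPv6Address(dst).packed + payload


def encapsulate(ipv6_packet: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Tunnel entry: prepend a 20-byte IPv4 header with protocol 41."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(ipv6_packet), 0, 0x4000, 64,
                         PROTO_IPV6, 0,
                         IPv4Address(outer_src).packed,
                         IPv4Address(outer_dst).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + ipv6_packet


def decapsulate(frame: bytes, tunnel_peer: str, peer_prefix: IPv6Network) -> bytes:
    """Tunnel exit: validate the outer packet and return the inner IPv6 packet.
    The prefix check is the ingress filter that stops the tunnel from injecting
    IPv6 packets with source addresses the peer is not responsible for."""
    if frame[0] >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    ihl = (frame[0] & 0x0F) * 4
    if ipv4_checksum(frame[:ihl]) != 0:
        raise ValueError("outer header checksum failed")
    if frame[9] != PROTO_IPV6:
        raise ValueError("outer protocol is not 41 (IPv6)")
    if IPv4Address(frame[12:16]) != IPv4Address(tunnel_peer):
        raise ValueError("outer source is not the configured tunnel peer")
    inner = frame[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    if IPv6Address(inner[8:24]) not in peer_prefix:
        raise ValueError("inner source address outside the peer's prefix")
    return inner


if __name__ == "__main__":
    inner = build_ipv6("2001:db8:1::10", "2001:db8:2::20", b"hello")
    frame = encapsulate(inner, "192.0.2.1", "198.51.100.1")
    print(f"outer length {len(frame)} bytes, outer protocol {frame[9]}")
    print("round trip ok:", decapsulate(frame, "192.0.2.1", PEER_PREFIX) == inner)
```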
4.3 IPv6 Product Availability
Although still not widely deployed in operational networks, IPv6 is now widely available in production software for hosts and network devices.
5 MOBILITY
5.1 Public Service Wireless LANs
The increasing use of Local Area Networks has generated a market in private networks over the last five years for wireless access to the LAN, rather than use of a conventional structured wiring approach. The standards governing these wireless access networks are in the IEEE 802.11 series. There are currently four specifications in the family: 802.11, 802.11a, 802.11b and 802.11g. All four use the ‘Ethernet’ protocol and CSMA/CD (Carrier Sense Multiple Access with Collision Detection) for path sharing.
The most recently approved standard, 802.11g, offers wireless transmission over relatively short distances at up to 54 Mbit/s, compared with the 11 Mbit/s of the 802.11b standard. Like 802.11b, 802.11g operates in the 2.4 GHz range and is thus compatible with it. The key components of the architecture are:
• a Wireless LAN Access Point provides a base station and connectivity to the network infrastructure
• a wireless LAN card in each host provides the client end of the wireless link
• a Service Set Identifier (SSID) is a sequence of characters that uniquely names a wireless local area network. This name allows stations to connect to the desired network when multiple independent networks operate in the same physical area
Public service WLAN Internet access has been offered for some time in North America, and since 2002 in the UK, through WLAN ‘hot-spots’. To offer the service, a network operator installs a WLAN access point in a public location, such as an airport departure lounge or a coffee shop. Subscribers typically purchase the service on a monthly plan, which provides them with a username and password. They configure the correct SSID for their service provider into their WLAN network card, and can then connect to the nearest available access point for that service provider. To enable the connection on each occasion, they typically browse to a login screen on a secure web server, where they enter their username and password. This allows the user to be authenticated to the network, and traffic from the MAC address of their network interface card will then be permitted through the access point for the duration of this connection. Some service providers allow casual use without a subscription, in which case the logon screen will include payment options for this session.
The security of WLAN has caused concern for some years. While the login approach described here makes fraudulent use of the service more difficult, it does not protect the user from a rogue access point, or their traffic from eavesdropping, or the user machine from attacks through the Internet. Corporate users are normally advised to operate an IP-VPN between their laptop and a corporate gateway to secure this type of service, and the user machine should run a personal firewall and virus scanning, as for any Internet-connected machine.
Figure 30: Operation of Public Service Wireless LANs
(Diagram, message sequence between a roaming user, the MyISP wireless access point, and the authentication server and web server with its authentication database: the roaming user locates the access point (SSID) and the access point locates the mobile (SSID) over the WLAN connection; the user connects to the SSL server, which provides its SSL certificate and sends the login form; the user submits <username, password>; login/authentication takes place against the authentication database; on ‘Login successful’ a session key is provided and the access point is instructed to ‘Accept traffic from this MAC address’; the user then has general Internet access.)
5.2 The IETF Architecture for Mobile IP
In many situations, an IP host is physically mobile and must connect to different subnets over time. Where the host effectively reboots or resets its higher-layer protocols between such moves, DHCP is sufficient to provide a valid IP address on the current subnet. If the host must be reachable from the public Internet on its current IP address, then Dynamic DNS (DDNS) coupled with DHCP may be an acceptable solution.
In some situations, notably in GSM, GPRS and UMTS networks, an IP host needs transparency in the higher-layer protocols while roaming. In this case, the IETF Mobile IP architecture is appropriate. Mobile IP is intended to address ‘macro’ mobility issues, in other words roaming away from the normal home location. It is not intended to address ‘micro’ mobility issues, for example moving between base stations attached to the same switching centre.
The Mobile IP architecture provides each mobile station with a home IP address, which is unchanging. When the host is roaming, it obtains an IP address from the network it is currently attached to, and registers this ‘care-of’ address with a home mobility agent. This may be done directly, or through a mobility agent on the foreign network (a foreign mobility agent).
Traffic for the roaming host is always sent to its home address, and this is the only address advertised for the host. When this traffic arrives at the home network, the home agent tunnels it to the host at its ‘care-of’ address. Traffic from the roaming host uses its home address as the sending address, so that return traffic always flows through the home agent.
A set of management messages is defined as part of the Mobile IP standards to allow the roaming host and the home agent to maintain the necessary addressing information. Security services are included in this management protocol to prevent masquerading, replay and other attacks based upon exploiting IP mobility.
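The registration exchange and the tunnelling decision described above, as an added example that is not code from the manual or from the Mobile IP RFCs. Real Mobile IP (RFC 3344) uses a binary message format with a keyed-MD5/HMAC-MD5 authenticator by default; the HMAC-SHA256 authenticator and the message fields below are substitutions for illustration, and the addresses, shared key and timings are constructed. The names follow Figure 31: IPhma for the home agent, IPhome for the mobile station’s home address and IProam for its care-of address.

```python
"""Added example, not code from the manual or the Mobile IP RFCs: a cut-down
home agent and mobile station exchanging an authenticated registration, with
replay rejection and tunnelling of traffic for the home address to the
registered care-of address. HMAC-SHA256 replaces the RFC's default MAC."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class RegistrationRequest:
    home_addr: str        # IPhome, never changes
    care_of: str          # IProam, address obtained on the foreign network
    lifetime: int         # seconds the binding is requested for
    identification: int   # increasing value (timestamp) that defeats replay
    authenticator: bytes  # keyed MAC over the fields above


def _authenticator(key: bytes, home: str, care_of: str, lifetime: int, ident: int) -> bytes:
    msg = f"{home}|{care_of}|{lifetime}|{ident}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class MobileStation:
    def __init__(self, home_addr: str, key: bytes):
        self.home_addr, self.key = home_addr, key

    def register(self, care_of: str, lifetime: int, now: int) -> RegistrationRequest:
        mac = _authenticator(self.key, self.home_addr, care_of, lifetime, now)
        return RegistrationRequest(self.home_addr, care_of, lifetime, now, mac)


class HomeAgent:
    def __init__(self, address: str, keys: dict):
        self.address = address      # IPhma
        self.keys = keys            # home address -> key shared with that mobile
        self.bindings = {}          # home address -> (care-of address, expiry)
        self.last_ident = {}        # home address -> highest identification seen

    def handle_registration(self, req: RegistrationRequest, now: int) -> tuple:
        key = self.keys.get(req.home_addr)
        if key is None:
            return False, "unknown mobile station"
        expected = _authenticator(key, req.home_addr, req.care_of,
                                  req.lifetime, req.identification)
        if not hmac.compare_digest(expected, req.authenticator):
            return False, "authentication failed"
        if req.identification <= self.last_ident.get(req.home_addr, -1):
            return False, "replayed or stale request"
        self.last_ident[req.home_addr] = req.identification
        self.bindings[req.home_addr] = (req.care_of, now + req.lifetime)
        return True, "registered"

    def deliver(self, dst: str, payload: bytes, now: int) -> dict:
        """Traffic for a home address arrives at the home network; with a live
        binding the agent tunnels it to the care-of address, otherwise it is
        delivered on the home network as usual."""
        binding = self.bindings.get(dst)
        if binding and now < binding[1]:
            care_of, _ = binding
            return {"tunnel": (self.address, care_of), "inner": (dst, payload)}
        return {"local": (dst, payload)}


def scenario() -> list:
    """Runs the exchange end to end and returns the home agent's decisions."""
    key = b"constructed-mobile-home-shared-secret"
    ha = HomeAgent("192.0.2.1", {"192.0.2.10": key})            # IPhma, IPhome
    ms = MobileStation("192.0.2.10", key)
    req = ms.register("203.0.113.77", lifetime=600, now=1000)   # IProam
    results = [ha.handle_registration(req, now=1000)]
    results.append(ha.handle_registration(req, now=1001))       # replayed copy
    forged = MobileStation("192.0.2.10", b"wrong-key").register("198.51.100.5", 600, 1002)
    results.append(ha.handle_registration(forged, now=1002))    # wrong key
    results.append(ha.deliver("192.0.2.10", b"from IPhost", now=1100))  # tunnelled
    results.append(ha.deliver("192.0.2.10", b"from IPhost", now=2000))  # expired
    return results


if __name__ == "__main__":
    for r in scenario():
        print(r)
```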
Figure 31: Mobile IP Architecture
(Diagram: a home network containing the home mobility agent (address IPhma) and the mobile station on its home network (home IP address IPhome); a foreign network containing a foreign mobility agent and the mobile station on the foreign network (roaming IP address IProam); an Internet host (address IPhost). Traffic from IPhome to IPhost, and from IPhost to IPhome, crosses the Internet via the home agent; between the home agent and the roaming station it is carried in a tunnel to/from IPhma and IProam that encapsulates the IPhome/IPhost traffic.)
6 SECTION 4 QUESTIONS
1 Explain how QoS engineering differs between circuit-switched, virtual circuit, and datagram networks.
2 RSVP is used as part of the IntServ architecture to:
a establish the path traffic will take through the network
b state the traffic requirements in terms of bandwidth, etc.
c request the reservation of resources within the network for a specific flow
d do all of the above
3 Explain the difference between IntServ and DiffServ architectures. Which is more common in service provider networks?
4 MPLS can support IP QoS by:
a mapping the DiffServ DS field into the MPLS equivalent
b providing a separate MPLS LSP for each DiffServ CoS
c MPLS cannot support IP QoS
d the approaches in A and B are both possible
5 An IP-VPN can be used to implement:
a intranets
b extranets
c remote access VPNs
d all of the above
6 MPLS VPNs:
a require an MPLS core to operate
b benefit from networks with an MPLS core, but it is not essential
c can operate across any core technology, including MPLS, ATM and Frame Relay
d require a private network for each customer, otherwise privacy cannot be achieved
7 IPSec VPNs are based upon encryption services. For VPN users these provide:
a data confidentiality
b guaranteed service availability
c prevention of denial of service attacks
d virus checking, but at the VPN gateways only
8 MPLS and IPSec VPNs have different deployment possibilities:
a MPLS and IPSec are both widely built and operated by private enterprises
b IPSec is widely built by private enterprises, but MPLS solutions must be provided by service providers
c MPLS can be built by private enterprises, but IPSec solutions must be provided by service providers
d both IPSec and MPLS VPNs are pure service provider technologies, and cannot be implemented by private enterprises
9 Quantifying the risk in security terms is best expressed by:
a risk is a function of threat, vulnerability and impact
b risk is a function of threat and vulnerability
c risk is always there, so maximizing the countermeasures at each point in the network is the best approach
d risk is mainly from outsiders, so an effective firewall is the main precaution that is necessary
Glossary of Terms
AAL ATM Adaptation Layer
ABR Area Border Router
ADSL Asymmetric Digital Subscriber Line
AES Advanced Encryption Standard
AH Authentication Header
ARPA Advanced Research Projects Agency
AS Autonomous System
ASBR Autonomous System Border Router
ASN Autonomous System Number
ASP Active Server Page
ATM Asynchronous Transfer Mode
AUP Acceptable Use Policies
B2B Business to Business
B2C Business to Customer
BAS Broadband Access Server
Bcc Blind carbon copy
BDR Backup Designated Router
BER Bit Error Rate
BGP Border Gateway Protocol
BGP4 Border Gateway Protocol Version 4
CAC Connection Admission Control
CE Customer Edge
CGI Common Gateway Interface
CHAP Challenge Handshake Authentication Protocol
CIDR Classless Interdomain Routing
CLEC Competitive Local Exchange Carrier
CNAME Canonical Name
CO Central Office
CoS Class of Service
CPE Customer Premises Equipment
CRC Cyclic Redundancy Checking
CSMA-CD Carrier Sense Multiple Access with Collision Detection
CSU/DSU Channel Service Unit/Data Service Unit
DCA Defence Communications Agency
DDN Defence Data Network
DDNS Dynamic Domain Name Service
DH Diffie-Hellman
DHCP Dynamic Host Configuration Protocol
DiffServ Differentiated Services
DLCI Data Link Connection Identifier
DMZ De-Militarized Zone
DNS Domain Name Server
DNS Domain Name System
DoS Denial of Service
DR Designated Router
DS Differentiated Services
DSLAM DSL Access Multiplexer
DTMF Dual Tone Multi Frequency
eBGP external BGP
EGP Exterior Gateway Protocol
ESP Encapsulating Security Payload
FDDI Fibre Distributed Data Interface
FEC Forwarding Equivalence Class
FQDN Fully Qualified Domain Name
FTP File Transfer Protocol
GoS Grade of Service
GPRS General Packet Radio Service
GSM Global System for Mobile communications
HDLC High-level Data Link Control
HSSI High-Speed Serial Interface
HTTP Hypertext Transfer Protocol
IAD Integrated Access Device
IANA Internet Assigned Numbers Authority
iBGP internal BGP
ICANN Internet Corporation for Assigned Names and Numbers
IDS Intrusion Detection System
IEEE Institute of Electrical and Electronics Engineers
IETF Internet Engineering Task Force
IGP Interior Gateway Protocol
IGRP Interior Gateway Routing Protocol
IKE Internet Key Exchange
IMAP Interactive Mail Access Protocol
IMAP4rev1 Internet Message Access Protocol, Version 4 rev 1
IntServ Integrated Services
IP Internet Protocol
IPCP Internet Protocol Control Protocol
IPSec IP Security
IPSP IP Service Provider
IPv4 Internet Protocol version 4
IPv6 Internet Protocol version 6
IP-VPN IP Virtual Private Network
IR Internet Registry
ISDN Integrated Services Digital Network
IS-IS Intermediate System to Intermediate System
ISP Internet Service Provider
ITU International Telecommunication Union
IWF Interworking Function
IXP Internet Exchange Point
LAN Local Area Network
LANE LAN Emulation
LCP Link Control Protocol
LDP Label Distribution Protocol
LE Local Exchange
LER Label Edge Router
LIB Label Information Base
LSA Link State Advertisement
LSP Label Switched Path
LSR Label Switching Router
MAC Medium Access Control
Mbit/s Megabits per second
MDA Mail Delivery Agent
MDF Main Distribution Frame
MIL STD Military Standard
MIME Multipurpose Internet Mail Extensions
MP-BGP Multiprotocol Border Gateway Protocol
MPLS Multiprotocol Label Switching
MPOA Multiprotocol over ATM
MTA Message Transfer Agent
MUA Mail User Agent
MX Mail Exchanger
NAP Network Access Point
NAPT Network Address Translation/Port Address Translation
NAS Network Access Server
NAT Network Address Translation
NBMA Non-Broadcast Multiple Access
NCP Network Control Protocol
NLPID Network Layer Protocol Identification
NOC Network Operations Centre
NS Name Server
NSF National Science Foundation
NTP Network Termination Point
NTS Number Translation Services
OS Origin Server
OSI Open Systems Interconnection
OSPF Open Shortest Path First
PAP Password Authentication Protocol
PAT Port Address Translation
PBX Private Branch Exchange
PDD Post Dial Delay
PDU Protocol Data Unit
PE Provider Edge
PHB Per Hop Behaviour
PHP Hypertext Preprocessor
PKC Public Key Cryptography
PoP Point of Presence
POP Post Office Protocol
POP3 Post Office Protocol Revision 3
POTS Plain Old Telephone Service
PPP Point-to-Point Protocol
PRI Primary Rate Interface
PSTN Public Switched Telephone Network
PVC Permanent Virtual Circuit
QoS Quality of Service
RADIUS Remote Authentication Dial-In User Service
RFC Request for Comments
RIP Routing Information Protocol
RIPE Réseaux IP Européens
RIR Regional Internet Registries
RRAS Routing and Remote Access Server
RSA Rivest, Shamir and Adleman
RSVP Resource Reservation Protocol
S/MIME Secure MIME
SA Security Association
SCP Service Control Point
SDH Synchronous Digital Hierarchy
SLIP Serial Line IP
SMTP Simple Mail Transfer Protocol
SNMP Simple Network Management Protocol
SOA Start of Authority
SP Service Provider
SRI-NIC Stanford Research Institute Network Information Centre
SS7 Signalling System No. 7
SSH Secure Shell
SSID Service Set Identifier
SSL Secure Socket Layer
SSP Service Switching Point
SVC Switched Virtual Circuit