What is a Network?
A network consists of two or more computers that are linked in order to share resources (such as printers and CD-ROMs), exchange files, or allow electronic communications. The computers on a network may be linked through cables, telephone lines, radio waves, satellites, or infrared light beams.
The three basic types of networks include:- Local Area Network (LAN)
· Wide Area Network (WAN)
Local Area Network
A Local Area Network (LAN) is a network that is confined to a relatively small area. It is generally limited to a geographic area such as a writing lab, school, or building. Rarely are LAN computers more than a mile apart.
In a typical LAN configuration, one computer is designated as the file server. It stores all of the software that controls the network, as well as the software that can be shared by the computers attached to the network. Computers connected to the file server are called workstations. The workstations can be less powerful than the file server, and they may have additional software on their hard drives. On most LANs, cables are used to connect the network interface cards in each computer. See the Topology, Cabling, and Hardware sections of this tutorial for more information on the configuration of a LAN.
Wide Area Network
Wide Area Networks (WANs) connect larger geographic areas, such as Florida, the United States, or the world. Dedicated transoceanic cabling or satellite uplinks may be used to connect this type of network.
Using a WAN, schools in Florida can communicate with places like Tokyo in a matter of minutes, without paying enormous phone bills. A WAN is complicated. It uses multiplexers to connect local and metropolitan networks to global communications networks like the Internet. To users, however, a WAN will not appear to be much different than a LAN or a MAN.
Advantages of Installing a School Network
· Speed. Networks provide a very rapid method for sharing and transferring files. Without a network, files are shared by copying them to floppy disks, then carrying or sending the disks from one computer to another. This method of transferring files (referred to as sneaker-net) is very time-consuming.
· Cost. Networkable versions of many popular software programs are available at considerable savings when compared to buying individually licensed copies. Besides monetary savings, sharing a program on a network allows for easier upgrading of the program. The changes have to be done only once, on the file server, instead of on all the individual workstations.
· Security. Files and programs on a network can be designated as "copy inhibit," so that you do not have to worry about illegal copying of programs. Also, passwords can be established for specific directories to restrict access to authorized users.
· Centralized Software Management. One of the greatest benefits of installing a network at a school is the fact that all of the software can be loaded on one computer (the file server). This eliminates that need to spend time and energy installing updates and tracking files on independent computers throughout the building.
· Resource Sharing. Sharing resources is another area in which a network exceeds stand-alone computers. Most schools cannot afford enough laser printers, fax machines, modems, scanners, and CD-ROM players for each computer. However, if these or similar peripherals are added to a network, they can be shared by many users.
· Electronic Mail. The presence of a network provides the hardware necessary to install a system. E-mail aids in personal and professional communication for all school personnel, and it facilitates the dissemination of general information to the entire school staff. Electronic mail on a LAN can enable students to communicate with teachers and peers at their own school. If the LAN is connected to the Internet, students can communicate with others throughout the world.
· Flexible Access. School networks allow students to access their files from computers throughout the school. Students can begin an assignment in their classroom, save part of it on a public access area of the network, then go to the media center after school to finish their work. Students can also work cooperatively through the network.
· Workgroup Computing. Workgroup software (such as Microsoft BackOffice) allows many users to work on a document or project concurrently. For example, educators located at various schools within a county could simultaneously contribute their ideas about new curriculum standards to the same document and spreadsheets.
Disadvantages of Installing a School Network
· Expensive to Install. Although a network will generally save money over time, the initial costs of installation can be prohibitive. Cables, network cards, and software are expensive, and the installation may require the services of a technician.
· Requires Administrative Time. Proper maintenance of a network requires considerable time and expertise. Many schools have installed a network, only to find that they did not budget for the necessary administrative support.
· File Server May Fail. Although a file server is no more susceptible to failure than any other computer, when the files server "goes down," the entire network may come to a halt. When this happens, the entire school may lose access to necessary programs and files.
· Cables May Break. The Topology chapter presents information about the various configurations of cables. Some of the configurations are designed to minimize the inconvenience of a broken cable; with other configurations, one broken cable can stop the entire network
What is a Network Operating System?
Unlike operating systems, such as DOS and Windows, that are designed for single users to control one computer, network operating systems (NOS) coordinate the activities of multiple computers across a network. The network operating system acts as a director to keep the network running smoothly.
The two major types of network operating systems are:
· Peer-to-Peer
· Client/Server
Peer-to-Peer
Peer-to-peer network operating systems allow users to share resources and files located on their computers and to access shared resources found on other computers. However, they do not have a file server or a centralized management source (See fig. 1). In a peer-to-peer network, all computers are considered equal; they all have the same abilities to use the resources available on the network. Peer-to-peer networks are designed primarily for small to medium local area networks. AppleShare and Windows for Workgroups are examples of programs that can function as peer-to-peer network operating systems.
Fig. 1. Peer-to-peer network
Advantages of a peer-to-peer network:
· Less initial expense - No need for a dedicated server.
· Setup - An operating system (such as Windows XP) already in place may only need to be reconfigured for peer-to-peer operations.
Disadvantages of a peer-to-peer network:
· Decentralized - No central repository for files and applications.
· Security - Does not provide the security available on a client/server network.
Client/Server
Client/server network operating systems allow the network to centralize functions and applications in one or more dedicated file servers (See fig. 2). The file servers become the heart of the system, providing access to resources and providing security. Individual workstations (clients) have access to the resources available on the file servers. The network operating system provides the mechanism to integrate all the components of the network and allow multiple users to simultaneously share the same resources irrespective of physical location. Novell Netware and Windows 2000 Server are examples of client/server network operating systems.
Fig. 2. Client/server network
Advantages of a client/server network:
· Centralized - Resources and data security are controlled through the server.
· Scalability - Any or all elements can be replaced individually as needs increase.
· Flexibility - New technology can be easily integrated into system.
· Interoperability - All components (client/network/server) work together.
· Accessibility - Server can be accessed remotely and across multiple platforms.
Disadvantages of a client/server network:
· Expense - Requires initial investment in dedicated server.
· Maintenance - Large networks will require a staff to ensure efficient operation.
· Dependence - When server goes down, operations will cease across the network.
Examples of network operating systems
The following list includes some of the more popular peer-to-peer and client/server network operating systems.
· AppleShare
· Microsoft Windows Server
· Novell Netware
Unlike operating systems, such as DOS and Windows, that are designed for single users to control one computer, network operating systems (NOS) coordinate the activities of multiple computers across a network. The network operating system acts as a director to keep the network running smoothly.
The two major types of network operating systems are:
· Peer-to-Peer
· Client/Server
Peer-to-Peer
Peer-to-peer network operating systems allow users to share resources and files located on their computers and to access shared resources found on other computers. However, they do not have a file server or a centralized management source (See fig. 1). In a peer-to-peer network, all computers are considered equal; they all have the same abilities to use the resources available on the network. Peer-to-peer networks are designed primarily for small to medium local area networks. AppleShare and Windows for Workgroups are examples of programs that can function as peer-to-peer network operating systems.
Fig. 1. Peer-to-peer network
Advantages of a peer-to-peer network:
· Less initial expense - No need for a dedicated server.
· Setup - An operating system (such as Windows XP) already in place may only need to be reconfigured for peer-to-peer operations.
Disadvantages of a peer-to-peer network:
· Decentralized - No central repository for files and applications.
· Security - Does not provide the security available on a client/server network.
Client/Server
Client/server network operating systems allow the network to centralize functions and applications in one or more dedicated file servers (See fig. 2). The file servers become the heart of the system, providing access to resources and providing security. Individual workstations (clients) have access to the resources available on the file servers. The network operating system provides the mechanism to integrate all the components of the network and allow multiple users to simultaneously share the same resources irrespective of physical location. Novell Netware and Windows 2000 Server are examples of client/server network operating systems.
Fig. 2. Client/server network
Advantages of a client/server network:
· Centralized - Resources and data security are controlled through the server.
· Scalability - Any or all elements can be replaced individually as needs increase.
· Flexibility - New technology can be easily integrated into system.
· Interoperability - All components (client/network/server) work together.
· Accessibility - Server can be accessed remotely and across multiple platforms.
Disadvantages of a client/server network:
· Expense - Requires initial investment in dedicated server.
· Maintenance - Large networks will require a staff to ensure efficient operation.
· Dependence - When server goes down, operations will cease across the network.
Examples of network operating systems
The following list includes some of the more popular peer-to-peer and client/server network operating systems.
· AppleShare
· Microsoft Windows Server
· Novell Netware
What is Leased Line:
A leased line is a permanent fiber optic or telephone connection between two points set up by a telecommunications carrier. A leased line is also sometimes referred to as a dedicated line. They can be used for telephone, data, or Internet services. Oftentimes businesses will use a leased line to connect to geographically distant offices because it guarantees bandwidth for network traffic. For example, a bank may use a leased line in order to easily transfer financial information from one office to another. A leased line can span long or short distances and customers generally pay a flat monthly rate for the service depending on the distance between the two points.
Leased lines do not have telephone numbers because each side of the line is always connected to one another, as opposed to telephone lines which reuse the same lines for numerous conversations through a process called "switching." The information sent through the leased line travels along dedicated secure channels, eliminating the congestion that occurs in shared networks. Connection speeds can range from 64 kbps (kilobits per second) to 45 mbps (megabits per second)and the bandwidth required is dictated by the quantity of data that will be sent and received.
Some individuals are also starting to use leased lines in order to obtain a faster, more reliable Internet connection. They also may save an individual money if he/she happens to spend a significantly large amount of time on the Internet. While most leased lines cost about $1,000/month, there are lines called Fractional T1 lines which start at 128 kbps and are less expensive. Installation is the same as for ordinary telephone lines.
Leased lines were used before the advent of the Internet and were actually utilized in 1950 by Project RAND (Research and Development) when collaborating across the country from Pennsylvania to California.
Some of the benefits of a leased line over other telephone and Internet connections are: faster download and upload speeds, a wide choice of bandwidths, guaranteed bandwidth for business usage, and suitability for web hosting.
Leased Line Definition:
A leased line is a telephone line that has been leased for private use. In some contexts, it's called a dedicated line. A leased line is usually contrasted with a switched line or dial-up line.
Typically, large companies rent leased lines from the telephone message carriers (such as AT&T) to interconnect different geographic locations in their company. The alternative is to buy and maintain their own private lines or, increasingly perhaps, to use the public switched lines with secure message protocols. (This is called tunneling.)
ISDN:
ISDN (Integrated Services Digital Network) is a system of digital phone connections that has been designed for sending voice, video, and data simultaneously over digital or ordinary phone lines, with a much faster speed and higher quality than an analog system can provide. ISDN is basically a set of protocol for making and breaking circuit switched connections as well as for advanced call features for the customers. ISDN is the international communication standard for data transmission along telephone lines and has transmission speeds up to 64 Kbps per channel.
ISDN uses two channels for communication which are the Bearer Channel or the B channel and the Delta Channel of the D Channel. The B channel is used for the data transmission and the D channel is used for signaling and control, though data can be transmitted through the D cannels as well. ISND has two access options, the Basic Rate Interface, also known as the BRI or the Basic Rate Access or BRA and Primary Rate Interface or Primary Rate Access. Basic Rate Interface is made up of two B channels with a bandwidth of 64 Kbit/s and a D channel with a bandwidth with 16 Kbit/s. The Basic Rate Interface is also known as 2B+D.
Primary Rate Interface has a greater number of B channels, which varies from nation to nation across the globe, and a D channel with a bandwidth of 64 Kbit/s. For example, in North America and Japan a PRI is represented as 23B+D (a total bit rate of 1.544 Mbit/s) while it is 30B+D in Australia and Europe (equivalent to a bit rate of 2.048 Mbit/s).
A technique called bipolar with eight-zero substitution technique is used to transfer calls through the data channels - the B channels - with the signaling channels (D channels) being exclusively used for call set up and management. Once the call had been set up, a 64 Kbit/s synchronous bidirectional B channel transfer the data between the ends, which lasts until the call ends. Theoretically, there can be as many calls as there are data channels, the choice of same or different end point not withstanding. Also, it is possible to multiplex a number of bearer channels (B channels) to produce a single higher bandwidth channel, using a process called B channel bonding.
ISDN has become a relatively old technology, but it isn't obsolete. ISDN is a technology that is often used behind the scenes as a component of more recent technology. Hopefully ISDN will continue to evolve so that it can continue to make an impact in the technological world.
ISDN BRI:
ISDN BRI (Basic Rate Interface) is a standard Integrated Services Digital Network (ISDN) service meant for residential and small scale business Internet connections. There is another type of ISDN configuration called the Primary Rate Interface (PRI) that is designed to provide higher bandwidth. The BRI configuration defined in the physical layer standard I.430 produced by the ITU.
Both the BRI and PRI are designed similarly. That is, both make use of the B and D channels for data communication, but in different combinations. B Channel or the Bearer Channel is used for data transmission - including voice - and D channel is meant for signaling and control (data can also be transmitted through D channels). The basic rate interface, BRI, is made up of two 64 Kbps B-channel and one 16 Kbps D-channel. Hence, it is also referred to as 2B+D. Bonding together the two B channels, BRI can provide a data rate up to 128 Kbps.
An ISDN BRI provides two 64 Kbps digital channels to the user, which are simultaneously capable of receiving or transmitting any digital signal - video, voice, or data. ISDN Terminal Adapters - instead of modems - function as the customer-premise connection to this service, enabling the user to make direct connections of data terminals and telephones.
ISDN PRI:
Digital Network PRI
v PRI is the "primary" extended ISDN network interface, which offers a larger capacity of digital channels and is transmitted on an improved path.
v PRI enables connection to private switchboards and a private network connection to decentralized organisations, access to ISPs and remote access to the organisational communications network, backup for data lines, etc.
v A two-way digital channel system, a fast clearance of trunks, priority setup of a call, fast call setup process and efficient redialling - all these give you correct and optimal usage of the communications trunks in your organisation according to load times
v PRI enables ISDN services throughout the organisation, varied applications and, of course, savings in costs - faster data transfer speed shortens the duration of the communication, thereby lowering the costs.
v Bezeq invites your organisation to work better by means of PRI, and to join the many organisations that have already begun to speed their businesses forward with an advanced ISDN technology interface.
Integrated Services Digital Network PRI
v PRI (Primary Rate Interface) is the "primary" extended ISDN network interface offering a larger capacity of digital channels at an overall rate of 2,048 Mbps.
v Unlike the basic interface (BRI), which is transmitted on a pair of copper wires, PRI is transmitted over an improved medium: a coaxial cable, microwave, two symmetrical pairs (one transmission pair and one reception pair) or optical fibre, similar to the PCM trunks in existence today.
v PRI contains thirty 64 Kbps channels for data transfer and another 64 Kbps channel for signals (30B+D).
PSTN Definition
The public switched telephone network (PSTN) is the worldwide collection of interconnected public telephone networks that was designed primarily for voice traffic.
The PSTN is a circuit-switched network. That is, a dedicated circuit (also referred to as a channel) is established for the duration of a transmission, such as a telephone call. This contrasts with packet switching networks, in which messages are divided into small segments called packets and each packet is sent individually. The Internet is based on a packet-switching protocol, TCP/IP.
Originally only an analog system, the PSTN is now almost entirely digital, even though most subscribers are connected via analog circuits, and it now includes mobile phones in addition to fixed-line phones. Only the very oldest and most backward parts of the PSTN still use analog technology for anything other than the final mile connections to individual homes and other end users. In recent years digital connections have been increasingly been made available to end users through such services such as ISDN (integrated services digital network), DSL (digital subscriber line) and cable.
There are numerous private telephone networks that are not linked to the PSTN, typically for military use. There are also many corporate networks that are linked to the PSTN only through limited gateways.
The roots of the PSTN can be traced back to 1876, when Alexander Graham Bell was awarded the first patent for the telephone, and the start of telephone service soon thereafter. Before the rise of the Internet, it was well understood that the PSTN would become increasingly important for data transmission, but it was thought that such transmission would occur using circuit switching, just as it is used by voice communications.
In recent years, however, it has become increasingly apparent that the long-term future of the PSTN is to become just another application of the Internet. That is, the voice traffic that is currently carried by the PSTN will be shifted to VoIP (voice over Internet protocol), thus allowing the PSTN infrastructure to be converted from circuit switching to packet switching. However, it will be necessary to make additional progress on improving the quality of VoIP before this can become a reality.
The PSTN is sometimes referred to as the plain old telephone system (POTS). However, the latter implies the older, analog system and the former is more inclusive.
MPLS:
In computer networking and telecommunications, Multi Protocol Label Switching (MPLS) refers to a highly scalable, protocol agnostic, data-carrying mechanism. In an MPLS network, data packets are assigned labels. Packet-forwarding decisions are made solely on the contents of this label, without the need to examine the packet itself. This allows one to create end-to-end circuits across any type of transport medium, using any protocol. The primary benefit is to eliminate dependence on a particular Data Link Layer technology, such as ATM, frame relay, SONET or Ethernet, and eliminate the need for multiple Layer 2 networks to satisfy different types of traffic. MPLS belongs to the family of packet-switched networks.
MPLS operates at an OSI Model layer that is generally considered to lie between traditional definitions of Layer 2 (Data Link Layer) and Layer 3 (Network Layer), and thus is often referred to as a "Layer 2.5" protocol. It was designed to provide a unified data-carrying service for both circuit-based clients and packet-switching clients which provide a datagram service model. It can be used to carry many different kinds of traffic, including IP packets, as well as native ATM, SONET, and Ethernet frames.
A number of different technologies were previously deployed with essentially identical goals, such as frame relay and ATM. MPLS technologies have evolved with the strengths and weaknesses of ATM in mind. Many network engineers agree that ATM should be replaced with a protocol that requires less overhead, while providing connection-oriented services for variable-length frames. MPLS is currently replacing some of these technologies in the marketplace. It is highly possible that MPLS will completely replace these technologies in the future, thus aligning these technologies with current and future technology needs.[1]
In particular, MPLS dispenses with the cell-switching and signaling-protocol baggage of ATM. MPLS recognizes that small ATM cells are not needed in the core of modern networks, since modern optical networks (as of 2008) are so fast (at 40 Gbit/s and beyond) that even full-length 1500 byte packets do not incur significant real-time queuing delays (the need to reduce such delays — e.g., to support voice traffic — was the motivation for the cell nature of ATM).
At the same time, MPLS attempts to preserve the traffic engineering and out-of-band control that made frame relay and ATM attractive for deploying large-scale networks.
While the traffic management benefits of migrating to MPLS are quite valuable (better reliability, increased performance), there is a significant loss of visibility and access into the MPLS cloud for IT departments.[2]
MPLS Layer
Contents
[hide]
1 History
2 How MPLS works
3 Installing and removing MPLS paths
4 Comparison of MPLS versus IP
4.1 MPLS local protection (Fast Reroute)
5 Comparison of MPLS versus Frame Relay
6 Comparison of MPLS versus ATM
7 Comparison of MPLS VPN versus IPSec VPN
8 MPLS deployment
9 Competitors to MPLS
10 Access to MPLS networks
11 Benefits of MPLS
12 See also
13 Major Vendors of MPLS equipment
13.1 MPLS test equipment vendors
14 References
15 Books
16 External links
//
[edit] History
MPLS was originally proposed by a group of engineers from Ipsilon Networks, but their "IP Switching" technology, which was defined only to work over ATM, did not achieve market dominance. Cisco Systems, Inc. introduced a related proposal, not restricted to ATM transmission, called "Tag Switching". It was a Cisco proprietary proposal, and was renamed "Label Switching". It was handed over to the IETF for open standardization. The IETF work involved proposals from other vendors, and development of a consensus protocol that combined features from several vendors' work.
One original motivation was to allow the creation of simple high-speed switches, since for a significant length of time it was impossible to forward IP packets entirely in hardware. However, advances in VLSI have made such devices possible. Therefore the advantages of MPLS primarily revolve around the ability to support multiple service models and perform traffic management. MPLS also offers a robust recovery framework[3] that goes beyond the simple protection rings of synchronous optical networking (SONET/SDH)..
[edit] How MPLS works
MPLS works by prefixing packets with an MPLS header, containing one or more 'labels'. This is called a label stack. Each label stack entry contains four fields:
A 20-bit label value.
a 3-bit field for QoS (Quality of Service) priority (experimental).
a 1-bit bottom of stack flag. If this is set, it signifies that the current label is the last in the stack.
an 8-bit TTL (time to live) field.
These MPLS-labeled packets are switched after a Label Lookup/Switch instead of a lookup into the IP table. As mentioned above, when MPLS was conceived, Label Lookup and Label Switching were faster than a RIB lookup because they could take place directly within the switched fabric and not the CPU.
The entry and exit points of an MPLS network are called Label Edge Routers (LER), which, respectively, push an MPLS label onto an incoming packet and pop it off the outgoing packet. Routers that perform routing based only on the label are called Label Switch Routers (LSR). In some applications, the packet presented to the LER already may have a label, so that the new LSR pushes a second label onto the packet. For more information see Penultimate Hop Popping.
Labels are distributed between LERs and LSRs using the “Label Distribution Protocol” (LDP)[4]. Label Switch Routers in an MPLS network regularly exchange label and reachability information with each other using standardized procedures in order to build a complete picture of the network they can then use to forward packets. Label Switch Paths (LSPs) are established by the network operator for a variety of purposes, such as to create network-based IP Virtual Private Networks or to route traffic along specified paths through the network. In many respects, LSPs are not different fromPVCs in ATM or Frame Relay networks, except that they are not dependent on a particular Layer 2 technology.[5]
In the specific context of an MPLS-based Virtual Private Network (VPN), LSRs that function as ingress and/or egress routers to the VPN are often called PE (Provider Edge) routers. Devices that function only as transit routers are similarly called P (Provider) routers. See RFC 2547.[6] The job of a P router is significantly easier than that of a PE router, so they can be less complex and may be more dependable because of this.
When an unlabeled packet enters the ingress router and needs to be passed on to an MPLS tunnel, the router first determines the forwarding equivalence class (FEC) the packet should be in, and then inserts one or more labels in the packet's newly-created MPLS header. The packet is then passed on to the next hop router for this tunnel.
When a labeled packet is received by an MPLS router, the topmost label is examined. Based on the contents of the label a swap, push (impose) or pop (dispose) operation can be performed on the packet's label stack. Routers can have prebuilt lookup tables that tell them which kind of operation to do based on the topmost label of the incoming packet so they can process the packet very quickly.
In a swap operation the label is swapped with a new label, and the packet is forwarded along the path associated with the new label.
In a push operation a new label is pushed on top of the existing label, effectively "encapsulating" the packet in another layer of MPLS. This allows hierarchical routing of MPLS packets. Notably, this is used by MPLS VPNs.
In a pop operation the label is removed from the packet, which may reveal an inner label below. This process is called "decapsulation". If the popped label was the last on the label stack, the packet "leaves" the MPLS tunnel. This is usually done by the egress router, but see PHP below.
During these operations, the contents of the packet below the MPLS Label stack are not examined. Indeed transit routers typically need only to examine the topmost label on the stack. The forwarding of the packet is done based on the contents of the labels, which allows "protocol-independent packet forwarding" that does not need to look at a protocol-dependent routing table and avoids the expensive IP longest prefix match at each hop.
At the egress router, when the last label has been popped, only the payload remains. This can be an IP packet, or any of a number of other kinds of payload packet. The egress router must therefore have routing information for the packet's payload, since it must forward it without the help of label lookup tables. An MPLS transit router has no such requirement.
In some special cases, the last label can also be popped off at the penultimate hop (the hop before the egress router). This is called Penultimate Hop Popping (PHP). This may be interesting in cases where the egress router has lots of packets leaving MPLS tunnels, and thus spends inordinate amounts of CPU time on this. By using PHP, transit routers connected directly to this egress router effectively offload it, by popping the last label themselves.
MPLS can make use of existing ATM network infrastructure, as its labeled flows can be mapped to ATM virtual circuit identifiers, and vice versa.
[edit] Installing and removing MPLS paths
There are two standardized protocols for managing MPLS paths: CR-LDP (Constraint-based Routing Label Distribution Protocol) and RSVP-TE, an extension of the RSVP protocol for traffic engineering. As of February 2003, as documented in RFC 3468,[7] defined in RFC 3209.
Extensions of the BGP protocol, starting with RFC 2547, can be used to manage an MPLS path, including RFC 3107 and RFC 4781. [8] [9].
An MPLS header does not identify the type of data carried inside the MPLS path. If one wants to carry two different types of traffic between the same two routers, with different treatment from the core routers for each type, one has to establish a separate MPLS path for each type of traffic.
[edit] Comparison of MPLS versus IP
MPLS cannot be compared to IP as a separate entity because it works in conjunction with IP and IP's IGP routing protocols. MPLS gives IP networks simple traffic engineering, the ability to transport Layer 3 (IP) VPNs with overlapping address spaces, and support for Layer 2 pseudowires (with Any Transport Over MPLS, or ATOM - see Martini draft). Routers with programmable CPUs and without LSP can either be (a) explicitly configured hop by hop, (b) dynamically routed by the Constrained Shortest Path First CSPF algorithm, or (c) configured as a loose route that avoids a particular IP or that is partly explicit and partly dynamic. In a pure IP network, the shortest path to a destination is chosen even when it becomes more congested. Meanwhile, in an IP network with MPLS Traffic Engineering CSPF routing, constraints such as the RSVP bandwidth of the traversed links can also be considered, such that the shortest path with available bandwidth will be chosen. MPLS Traffic Engineering relies upon the use of TE extensions to OSPF or IS-IS and RSVP. Besides the constraint of RSVP bandwidth, users can also define their own constraints by specifying link attributes and special requirements for tunnels to route (or to not route) over links with certain attributes. [10]
[edit] MPLS local protection (Fast Reroute)
Main article: MPLS local protection
In the event of a network element failure when recovery mechanisms are employed at the IP layer, restoration may take several seconds which is unacceptable for real-time applications (such as VoIP)[11] [12][13]. In contrast, MPLS local protection meets the requirements of real-time applications with recovery times comparable to those of SONET rings (up to 50ms).[11][13][14]
[edit] Comparison of MPLS versus Frame Relay
Frame relay aimed to make more efficient use of existing physical resources, which allow for the underprovisioning of data services by telecommunications companies (telcos) to their customers, as clients were unlikely to be utilizing a data service 100 percent of the time. In more recent years, frame relay has acquired a bad reputation in some markets because of excessive bandwidth overbooking by these telcos.
Telcos often sell frame relay to businesses looking for a cheaper alternative to dedicated lines; its use in different geographic areas depended greatly on governmental and telecommunication companies' policies.
AT&T is currently (as of June 2007) the largest frame relay service provider in the United States, with local networks in 22 states, plus national and international networks. This number is expected to change between 2007 and 2009 when most of these frame relay contracts expire. Many customers are likely to migrate from frame relay to MPLS over IP or Ethernet within the next two years, which in many cases will reduce costs and improve manageability and performance of their wide area networks.[15] [16]
[edit] Comparison of MPLS versus ATM
While the underlying protocols and technologies are different, both MPLS and ATM provide a connection-oriented service for transporting data across computer networks. In both technologies, connections are signaled between endpoints, connection state is maintained at each node in the path, and encapsulation techniques are used to carry data across the connection. Excluding differences in the signaling protocols (RSVP/LDP for MPLS and PNNI:Private Network-to-Network Interface for ATM) there still remain significant differences in the behavior of the technologies.
The most significant difference is in the transport and encapsulation methods. MPLS is able to work with variable length packets while ATM transports fixed-length (53 byte) cells. Packets must be segmented, transported and re-assembled over an ATM network using an adaption layer, which adds significant complexity and overhead to the data stream. MPLS, on the other hand, simply adds a label to the head of each packet and transmits it on the network.
Differences exist, as well, in the nature of the connections. An MPLS connection (LSP) is uni-directional - allowing data to flow in only one direction between two endpoints. Establishing two-way communications between endpoints requires a pair of LSPs to be established. Because 2 LSPs are required for connectivity, data flowing in the forward direction may use a different path from data flowing in the reverse direction. ATM point-to-point connections (Virtual Circuits), on the other hand, are bi-directional, allowing data to flow in both directions over the same path (bi-directional are only SVC ATM connections; PVC ATM connections are uni-directional).
Both ATM and MPLS support tunneling of connections inside connections. MPLS uses label stacking to accomplish this while ATM uses Virtual Paths. MPLS can stack multiple labels to form tunnels within tunnels. The ATM Virtual Path Indicator (VPI) and Virtual Circuit Indicator (VCI) are both carried together in the cell header, limiting ATM to a single level of tunnelling.
The biggest single advantage that MPLS has over ATM is that it was designed from the start to be complementary to IP. Modern routers are able to support both MPLS and IP natively across a common interface allowing network operators great flexibility in network design and operation. ATM's incompatibilities with IP require complex adaptation, making it comparatively less suitable for today's predominantly IP networks.
[edit] Comparison of MPLS VPN versus IPSec VPN
MPLS is more reliable than IPSec VPNs as there is less complication in the tunnelling and firewall configuration. Network intrusions are a greater concern with IPSec VPN tunnels since they are run through an Internet circuit, which is open to connections from around the world. A misconfigured firewall can open the VPN network to security threats of the Internet.
[edit] MPLS deployment
MPLS is currently in use in large "IP Only" networks, and is standardized by IETF in RFC 3031.
In practice, MPLS is mainly used to forward IP datagrams and Ethernet traffic. Major applications of MPLS are Telecommunications traffic engineering and MPLS VPN.
[edit] Competitors to MPLS
MPLS can exist in both IPv4 environment (IPv4 routing protocols) and IPv6 environment (IPv6 routing protocols). The major goal of MPLS development - the increase of routing speed - is no longer relevant because of the usage of ASIC, TCAM and CAM-based switching. Therefore the major usage of MPLS is to implement limited traffic engineering and Layer 3/Layer 2 “service provider type” VPNs over existing IPv4 networks. The main competitors to MPLS are Provider Backbone Bridges (PBB), and MPLS-TP that also provide services such as service provider Layer 2 and Layer 3 VPNs. L2TPv3 has been suggested as a competitor, but has not reached any wider success.
IEEE 1355 is a completely unrelated technology that does something similar in hardware.
IPv6 references: Grossetete, Patrick, IPv6 over MPLS, Cisco Systems 2001; Juniper Networks IPv6 and Infranets White Paper; Juniper Networks DoD's Research and Engineering Community White Paper.
[edit] Access to MPLS networks
MPLS supports a range of access technologies, including T1, ATM and frame relay. In April 2008, New Edge Networks announced traffic prioritization on its MPLS network available via less expensive DSL access. Previously, traffic prioritization was not possible across DSL connections.
[edit] Benefits of MPLS
MPLS provides networks with a more efficient way to manage applications and move information between locations. With the convergence of voice, video and data applications, business networks face increasing traffic demands. MPLS enables class of service (CoS) tagging and prioritization of network traffic, so administrators may specify which applications should move across the network ahead of others. This function makes an MPLS network especially important to firms that need to ensure the performance of low-latency applications such as VoIP and their other business-critical functions. MPLS carriers differ on the number of classes of service they offer and in how these CoS tiers are priced.
VPN:
A virtual private network (VPN) is a computer network in which some of the links between nodes are carried by open connections or virtual circuits in some larger network (e.g., the Internet) as opposed to running across a single private network. The link-layer protocols of the virtual network are said to be tunneled through the larger network. One common application is secure communications through the public Internet, but a VPN need not have explicit security features, such as authentication or content encryption. VPNs, for example, can be used to separate the traffic of different user communities over an underlying network with strong security features.VPN service providers may offer best-effort performance, or may have a defined service level agreement (SLA) with their VPN customers. Generally, a VPN has a topology more complex than point-to-point.A VPN allows computer users to access a network via an IP address other than the one that actually connects their computer to the Internet.ontents
[hide]
1 Categorization by user administrative relationships
2 Routing
2.1 Building blocks
3 User-visible PPVPN services
3.1 Layer 1 services
3.1.1 Virtual private wire and private line services (VPWS and VPLS)
3.2 Layer 2 services
3.2.1 Virtual LAN
3.2.2 Virtual private LAN service (VPLS)
3.2.3 Pseudo wire (PW)
3.2.4 IP-only LAN-like service (IPLS)
3.3 L3 PPVPN architectures
3.3.1 BGP/MPLS PPVPN
3.3.2 Virtual router PPVPN
4 Categorizing VPN security models
4.1 Authentication before VPN connection
4.2 Trusted delivery networks
4.3 Security mechanisms
4.4 Security and mobility
5 See also
6 References
7 External links
//
[edit] Categorization by user administrative relationships
The Internet Engineering Task Force (IETF) has categorized a variety of VPNs, some of which, such as Virtual LANs (VLAN) are the standardization responsibility of other organizations, such as the Institute of Electrical and Electronics Engineers (IEEE) Project 802, Workgroup 802.1 (architecture). Originally, Wide Area Network (WAN) links from a telecommunications service provider interconnected network nodes within a single enterprise. With the advent of LANs, enterprises could interconnect their nodes with links that they owned. While the original WANs used dedicated lines and layer 2 multiplexed services such as Frame Relay, IP-based layer 3 networks, such as the ARPANET, Internet, military IP networks (NIPRNET, SIPRNET, JWICS, etc.), became common interconnection media. VPNs began to be defined over IP networks [1]. The military networks may themselves be implemented as VPNs on common transmission equipment, but with separate encryption and perhaps routers.
It became useful first to distinguish among different kinds of IP VPN based on the administrative relationships (rather than the technology) interconnecting the nodes. Once the relationships were defined, different technologies could be used, depending on requirements such as security and quality of service.
When an enterprise interconnects a set of nodes, all under its administrative control, through a LAN network, that is termed an Intranet[2]. When the interconnected nodes are under multiple administrative authorities but are hidden from the public Internet, the resulting set of nodes is called an extranet. A user organization can manage both intranets and extranets itself, or negotiate a service as a contracted (and usually customized) offering from an IP service provider. In the latter case, the user organization contracts for layer 3 services — much as it may contract for layer 1 services such as dedicated lines, or multiplexed layer 2 services such as frame relay.
The IETF distinguishes between provider-provisioned and customer-provisioned VPNs [3]. Just as an interconnected set of providers can supply conventional WAN services, so a single service provider can supply provider-provisioned VPNs (PPVPNs), presenting a common point-of-contact to the user organization.
[edit] Routing
Tunneling protocols can be used in a point-to-point topology that would generally not be considered a VPN, because a VPN is expected to support arbitrary and changing sets of network nodes. Since most router implementations support software-defined tunnel interface, customer-provisioned VPNs often comprise simply a set of tunnels over which conventional routing protocols run. PPVPNs, however, need to support the coexistence of multiple VPNs, hidden from one another, but operated by the same service provider.
[edit] Building blocks
Depending on whether the PPVPN runs in layer 2 or layer 3, the building blocks described below may be L2 only, L3 only, or combinations of the two. MPLS functionality blurs the L2-L3 identity.
While RFC 4026 generalized these terms to cover L2 and L3 VPNs, they were introduced in RFC 2547. [4]
Customer edge device (CE)
In general, a CE is a device, physically at the customer premises, that provides access to the PPVPN service. Some implementations treat it purely as a demarcation point between provider and customer responsibility, while others allow customers to configure it.
Provider edge device (PE)
A PE is a device or set of devices, at the edge of the provider network, which provides the provider's view of the customer site. PEs are aware of the VPNs that connect through them, and which maintain VPN state.
Provider device (P)
A P device operates inside the provider's core network, and does not directly interface to any customer endpoint. It might, for example, provide routing for many provider-operated tunnels that belong to different customers' PPVPNs. While the P device is a key part of implementing PPVPNs, it is not itself VPN-aware and does not maintain VPN state. Its principal role is allowing the service provider to scale its PPVPN offerings, as, for example, by acting as an aggregation point for multiple PEs. P-to-P connections, in such a role, often are high-capacity optical links between major locations of provide.
[edit] User-visible PPVPN services
This section deals with the types of VPN currently considered active in the IETF; some historical names were replaced by these terms.
[edit] Layer 1 services
[edit] Virtual private wire and private line services (VPWS and VPLS)
In both of these services, the provider does not offer a full routed or bridged network, but components from which the customer can build customer-administered networks. VPWS are point-to-point while VPLS can be point-to-multipoint. They can be Layer 1 emulated circuits with no data link structure.
The customer determines the overall customer VPN service, which can involve routing, bridging, or host network elements.
An unfortunate acronym confusion can occur between Virtual Private Line Service and Virtual Private LAN Service; the context should make it clear whether "VPLS" means the layer 1 virtual private line or the layer 2 virtual private LAN.
[edit] Layer 2 services
[edit] Virtual LAN
A Layer 2 technique that allows for the coexistence of multiple LAN broadcast domains, interconnected via trunks using the IEEE 802.1Q trunking protocol. Other trunking protocols have been used but have become obsolete, including Inter-Switch Link (ISL), IEEE 802.10 (originally a security protocol but a subset was introduced for trunking), and ATM LAN Emulation (LANE).
[edit] Virtual private LAN service (VPLS)
Developed by IEEE, VLANs allow multiple tagged LANs to share common trunking. VLANs frequently comprise only customer-owned facilities. The former[clarification needed] is a layer 1 technology that supports emulation of both point-to-point and point-to-multipoint topologies. The method discussed here extends Layer 2 technologies such as 802.1d and 802.1q LAN trunking to run over transports such as Metro Ethernet.
As used in this context, a VPLS is a Layer 2 PPVPN, rather than a private line, emulating the full functionality of a traditional Local Area Network (LAN). From a user standpoint, a VPLS makes it possible to interconnect several LAN segments over a packet-switched, or optical, provider core; a core transparent to the user, making the remote LAN segments behave as one single LAN.
In a VPLS, the provider network emulates a learning bridge, which optionally may include VLAN service.
[edit] Pseudo wire (PW)
PW is similar to VPWS, but it can provide different L2 protocols at both ends. Typically, its interface is a WAN protocol such as ATM or Frame Relay. In contrast, when aiming to provide the appearance of a LAN contiguous between two or more locations, the Virtual Private LAN service or IPLS would be appropriate.
[edit] IP-only LAN-like service (IPLS)
A subset of VPLS, the CE devices must have L3 capabilities; the IPLS presents packets rather than frames. It may support IPv4 or IPv6.
[edit] L3 PPVPN architectures
This section discusses the main architectures for PPVPNs, one where the PE disambiguates duplicate addresses in a single routing instance, and the other, virtual router, in which the PE contains a virtual router instance per VPN. The former approach, and its variants, have gained the most attention.
One of the challenges of PPVPNs involves different customers using the same address space, especially the IPv4 private address space[5]. The provider must be able to disambiguate overlapping addresses in the multiple customers' PPVPNs.
[edit] BGP/MPLS PPVPN
In the method defined by RFC 2547, BGP extensions advertise routes in the IPv4 VPN address family, which are of the form of 12-byte strings, beginning with an 8-byte Route Distinguisher (RD) and ending with a 4-byte IPv4 address. RDs disambiguate otherwise duplicate addresses in the same PE.
PEs understand the topology of each VPN, which are interconnected with MPLS tunnels, either directly or via P routers. In MPLS terminology, the P routers are Label Switch Routers without awareness of VPNs.
[edit] Virtual router PPVPN
The Virtual Router architecture [6], as opposed to BGP/MPLS techniques, requires no modification to existing routing protocols such as BGP. By the provisioning of logically independent routing domains, the customer operating a VPN is completely responsible for the address space. In the various MPLS tunnels, the different PPVPNs are disambiguated by their label, but do not need routing distinguishers.
Virtual router architectures do not need to disambiguate addresses, because rather than a PE router having awareness of all the PPVPNs, the PE contains multiple virtual router instances, which belong to one and only one VPN.
[edit] Categorizing VPN security models
From the security standpoint, VPNs either trust the underlying delivery network, or must enforce security with mechanisms in the VPN itself. Unless the trusted delivery network runs only among physically secure sites, both trusted and secure models need an authentication mechanism for users to gain access to the VPN.
Some ISPs as of 2009[update] offer managed VPN service for business customers who want the security and convenience of a VPN but prefer not to undertake administering a VPN server themselves. Managed VPNs go beyond PPVPN scope, and are a contracted security solution that can reach into hosts. In addition to providing remote workers with secure access to their employer's internal network, other security and management services are sometimes included as part of the package. Examples include keeping anti-virus and anti-spyware programs updated on each client's computer.
[edit] Authentication before VPN connection
A known trusted user, sometimes only when using trusted devices, can be provided with appropriate security privileges to access resources not available to general users. Servers may also need to authenticate themselves to join the VPN.
A wide variety of authentication mechanisms exist. VPNs may implemented authentication in devices including firewalls, access gateways, and others. They may use passwords, biometrics, or cryptographic methods. Strong authentication involves combining cryptography with another authentication mechanism. The authentication mechanism may require explicit user action, or may be embedded in the VPN client or the workstation.
[edit] Trusted delivery networks
Trusted VPNs (sometimes referred to APNs - Actual Private Networks)[citation needed] do not use cryptographic tunneling, and instead rely on the security of a single provider's network to protect the traffic. In a sense, they elaborate on traditional network- and system-administration work.
Multi-Protocol Label Switching (MPLS) is often used to overlay VPNs, often with quality-of-service control over a trusted delivery network.
Layer 2 Tunneling Protocol (L2TP)[7] which is a standards-based replacement, and a compromise taking the good features from each, for two proprietary VPN protocols: Cisco's Layer 2 Forwarding (L2F) [8] (obsolete as of 2009[update]) and Microsoft's Point-to-Point Tunneling Protocol (PPTP) [9].
[edit] Security mechanisms
Secure VPNs use cryptographic tunneling protocols to provide the intended confidentiality (blocking snooping and thus Packet sniffing), sender authentication (blocking identity spoofing), and message integrity (blocking message alteration) to achieve privacy. When properly chosen, implemented, and operated, such techniques can provide secure communications over unsecured networks.
Secure VPN protocols include the following:
IPsec (IP security) - commonly used over IPv4, and a "standard option" in IPv6.
SSL/TLS, used either for tunneling the entire network stack, as in the OpenVPN project, or for securing what is, essentially, a web proxy. SSL, though a framework more often associated with e-commerce, has been built-upon by a number of vendors to provide remote access VPN capabilities. A major practical advantage of an SSL-based VPN is that it can be accessed from the locations that restrict external access to SSL-based e-commerce websites only, thereby preventing VPN connectivity using IPsec protocols. SSL-based VPNs are vulnerable to trivial Denial of Service attacks mounted against their TCP connections because latter are inherently unauthenticated.
OpenVPN, an open standard VPN. A variation of SSL-based VPN, it can run over UDP. Clients and servers are available for all major operating systems.
DTLS, used by Cisco for a next generation VPN product called Cisco AnyConnect VPN. DTLS solves the issues found when tunneling TCP over TCP as is the case with SSL/TLS
L2TPv3 (Layer 2 Tunneling Protocol version 3), a new[update] release.
VPN Quarantine. The client machine at the end of a VPN could be a threat and a source of attack; this has no connection with VPN design and most VPN providers leave it to system administration to secure. There are solutions that provide VPN Quarantine services which run end point checks on the remote client while the client is kept in a quarantine zone until healthy. Microsoft ISA Server 2004/2006 together with VPN-Q 2006 from Winfrasoft or an application called QSS (Quarantine Security Suite) provide this functionality.
MPVPN (Multi Path Virtual Private Network). Ragula Systems Development Company owns the registered trademark "MPVPN".[10]
Cisco VPN, a proprietary VPN used by many Cisco hardware devices. Proprietary clients exist for all platforms; open-source clients also exist.
[edit] Security and mobility
Mobile VPNs are VPNs manufactured[by whom?] for mobile and wireless users. They integrate standards-based authentication and encryption technologies to secure data transmissions to and from devices and to protect networks from unauthorized users. Designed for wireless environments, Mobile VPNs provide an access solution for users on the move who require secure access to information and applications over a variety of wired and wireless networks. Mobile VPNs allow users to roam seamlessly across IP-based networks and in and out of wireless-coverage areas without losing application sessions or dropping the secure VPN session. For instance, highway patrol officers require access to mission-critical applications in order to perform their jobs as they travel across different subnets of a mobile network, much as a cellular radio has to hand off its link to repeaters at different cell towers.
A leased line is a permanent fiber optic or telephone connection between two points set up by a telecommunications carrier. A leased line is also sometimes referred to as a dedicated line. They can be used for telephone, data, or Internet services. Oftentimes businesses will use a leased line to connect to geographically distant offices because it guarantees bandwidth for network traffic. For example, a bank may use a leased line in order to easily transfer financial information from one office to another. A leased line can span long or short distances and customers generally pay a flat monthly rate for the service depending on the distance between the two points.
Leased lines do not have telephone numbers because each side of the line is always connected to one another, as opposed to telephone lines which reuse the same lines for numerous conversations through a process called "switching." The information sent through the leased line travels along dedicated secure channels, eliminating the congestion that occurs in shared networks. Connection speeds can range from 64 kbps (kilobits per second) to 45 mbps (megabits per second)and the bandwidth required is dictated by the quantity of data that will be sent and received.
Some individuals are also starting to use leased lines in order to obtain a faster, more reliable Internet connection. They also may save an individual money if he/she happens to spend a significantly large amount of time on the Internet. While most leased lines cost about $1,000/month, there are lines called Fractional T1 lines which start at 128 kbps and are less expensive. Installation is the same as for ordinary telephone lines.
Leased lines were used before the advent of the Internet and were actually utilized in 1950 by Project RAND (Research and Development) when collaborating across the country from Pennsylvania to California.
Some of the benefits of a leased line over other telephone and Internet connections are: faster download and upload speeds, a wide choice of bandwidths, guaranteed bandwidth for business usage, and suitability for web hosting.
Leased Line Definition:
A leased line is a telephone line that has been leased for private use. In some contexts, it's called a dedicated line. A leased line is usually contrasted with a switched line or dial-up line.
Typically, large companies rent leased lines from the telephone message carriers (such as AT&T) to interconnect different geographic locations in their company. The alternative is to buy and maintain their own private lines or, increasingly perhaps, to use the public switched lines with secure message protocols. (This is called tunneling.)
ISDN:
ISDN (Integrated Services Digital Network) is a system of digital phone connections that has been designed for sending voice, video, and data simultaneously over digital or ordinary phone lines, with a much faster speed and higher quality than an analog system can provide. ISDN is basically a set of protocol for making and breaking circuit switched connections as well as for advanced call features for the customers. ISDN is the international communication standard for data transmission along telephone lines and has transmission speeds up to 64 Kbps per channel.
ISDN uses two channels for communication which are the Bearer Channel or the B channel and the Delta Channel of the D Channel. The B channel is used for the data transmission and the D channel is used for signaling and control, though data can be transmitted through the D cannels as well. ISND has two access options, the Basic Rate Interface, also known as the BRI or the Basic Rate Access or BRA and Primary Rate Interface or Primary Rate Access. Basic Rate Interface is made up of two B channels with a bandwidth of 64 Kbit/s and a D channel with a bandwidth with 16 Kbit/s. The Basic Rate Interface is also known as 2B+D.
Primary Rate Interface has a greater number of B channels, which varies from nation to nation across the globe, and a D channel with a bandwidth of 64 Kbit/s. For example, in North America and Japan a PRI is represented as 23B+D (a total bit rate of 1.544 Mbit/s) while it is 30B+D in Australia and Europe (equivalent to a bit rate of 2.048 Mbit/s).
A technique called bipolar with eight-zero substitution technique is used to transfer calls through the data channels - the B channels - with the signaling channels (D channels) being exclusively used for call set up and management. Once the call had been set up, a 64 Kbit/s synchronous bidirectional B channel transfer the data between the ends, which lasts until the call ends. Theoretically, there can be as many calls as there are data channels, the choice of same or different end point not withstanding. Also, it is possible to multiplex a number of bearer channels (B channels) to produce a single higher bandwidth channel, using a process called B channel bonding.
ISDN has become a relatively old technology, but it isn't obsolete. ISDN is a technology that is often used behind the scenes as a component of more recent technology. Hopefully ISDN will continue to evolve so that it can continue to make an impact in the technological world.
ISDN BRI:
ISDN BRI (Basic Rate Interface) is a standard Integrated Services Digital Network (ISDN) service meant for residential and small scale business Internet connections. There is another type of ISDN configuration called the Primary Rate Interface (PRI) that is designed to provide higher bandwidth. The BRI configuration defined in the physical layer standard I.430 produced by the ITU.
Both the BRI and PRI are designed similarly. That is, both make use of the B and D channels for data communication, but in different combinations. B Channel or the Bearer Channel is used for data transmission - including voice - and D channel is meant for signaling and control (data can also be transmitted through D channels). The basic rate interface, BRI, is made up of two 64 Kbps B-channel and one 16 Kbps D-channel. Hence, it is also referred to as 2B+D. Bonding together the two B channels, BRI can provide a data rate up to 128 Kbps.
An ISDN BRI provides two 64 Kbps digital channels to the user, which are simultaneously capable of receiving or transmitting any digital signal - video, voice, or data. ISDN Terminal Adapters - instead of modems - function as the customer-premise connection to this service, enabling the user to make direct connections of data terminals and telephones.
ISDN PRI:
Digital Network PRI
v PRI is the "primary" extended ISDN network interface, which offers a larger capacity of digital channels and is transmitted on an improved path.
v PRI enables connection to private switchboards and a private network connection to decentralized organisations, access to ISPs and remote access to the organisational communications network, backup for data lines, etc.
v A two-way digital channel system, a fast clearance of trunks, priority setup of a call, fast call setup process and efficient redialling - all these give you correct and optimal usage of the communications trunks in your organisation according to load times
v PRI enables ISDN services throughout the organisation, varied applications and, of course, savings in costs - faster data transfer speed shortens the duration of the communication, thereby lowering the costs.
v Bezeq invites your organisation to work better by means of PRI, and to join the many organisations that have already begun to speed their businesses forward with an advanced ISDN technology interface.
Integrated Services Digital Network PRI
v PRI (Primary Rate Interface) is the "primary" extended ISDN network interface offering a larger capacity of digital channels at an overall rate of 2,048 Mbps.
v Unlike the basic interface (BRI), which is transmitted on a pair of copper wires, PRI is transmitted over an improved medium: a coaxial cable, microwave, two symmetrical pairs (one transmission pair and one reception pair) or optical fibre, similar to the PCM trunks in existence today.
v PRI contains thirty 64 Kbps channels for data transfer and another 64 Kbps channel for signals (30B+D).
PSTN Definition
The public switched telephone network (PSTN) is the worldwide collection of interconnected public telephone networks that was designed primarily for voice traffic.
The PSTN is a circuit-switched network. That is, a dedicated circuit (also referred to as a channel) is established for the duration of a transmission, such as a telephone call. This contrasts with packet switching networks, in which messages are divided into small segments called packets and each packet is sent individually. The Internet is based on a packet-switching protocol, TCP/IP.
Originally only an analog system, the PSTN is now almost entirely digital, even though most subscribers are connected via analog circuits, and it now includes mobile phones in addition to fixed-line phones. Only the very oldest and most backward parts of the PSTN still use analog technology for anything other than the final mile connections to individual homes and other end users. In recent years digital connections have been increasingly been made available to end users through such services such as ISDN (integrated services digital network), DSL (digital subscriber line) and cable.
There are numerous private telephone networks that are not linked to the PSTN, typically for military use. There are also many corporate networks that are linked to the PSTN only through limited gateways.
The roots of the PSTN can be traced back to 1876, when Alexander Graham Bell was awarded the first patent for the telephone, and the start of telephone service soon thereafter. Before the rise of the Internet, it was well understood that the PSTN would become increasingly important for data transmission, but it was thought that such transmission would occur using circuit switching, just as it is used by voice communications.
In recent years, however, it has become increasingly apparent that the long-term future of the PSTN is to become just another application of the Internet. That is, the voice traffic that is currently carried by the PSTN will be shifted to VoIP (voice over Internet protocol), thus allowing the PSTN infrastructure to be converted from circuit switching to packet switching. However, it will be necessary to make additional progress on improving the quality of VoIP before this can become a reality.
The PSTN is sometimes referred to as the plain old telephone system (POTS). However, the latter implies the older, analog system and the former is more inclusive.
MPLS:
In computer networking and telecommunications, Multi Protocol Label Switching (MPLS) refers to a highly scalable, protocol agnostic, data-carrying mechanism. In an MPLS network, data packets are assigned labels. Packet-forwarding decisions are made solely on the contents of this label, without the need to examine the packet itself. This allows one to create end-to-end circuits across any type of transport medium, using any protocol. The primary benefit is to eliminate dependence on a particular Data Link Layer technology, such as ATM, frame relay, SONET or Ethernet, and eliminate the need for multiple Layer 2 networks to satisfy different types of traffic. MPLS belongs to the family of packet-switched networks.
MPLS operates at an OSI Model layer that is generally considered to lie between traditional definitions of Layer 2 (Data Link Layer) and Layer 3 (Network Layer), and thus is often referred to as a "Layer 2.5" protocol. It was designed to provide a unified data-carrying service for both circuit-based clients and packet-switching clients which provide a datagram service model. It can be used to carry many different kinds of traffic, including IP packets, as well as native ATM, SONET, and Ethernet frames.
A number of different technologies were previously deployed with essentially identical goals, such as frame relay and ATM. MPLS technologies have evolved with the strengths and weaknesses of ATM in mind. Many network engineers agree that ATM should be replaced with a protocol that requires less overhead, while providing connection-oriented services for variable-length frames. MPLS is currently replacing some of these technologies in the marketplace. It is highly possible that MPLS will completely replace these technologies in the future, thus aligning these technologies with current and future technology needs.[1]
In particular, MPLS dispenses with the cell-switching and signaling-protocol baggage of ATM. MPLS recognizes that small ATM cells are not needed in the core of modern networks, since modern optical networks (as of 2008) are so fast (at 40 Gbit/s and beyond) that even full-length 1500 byte packets do not incur significant real-time queuing delays (the need to reduce such delays — e.g., to support voice traffic — was the motivation for the cell nature of ATM).
At the same time, MPLS attempts to preserve the traffic engineering and out-of-band control that made frame relay and ATM attractive for deploying large-scale networks.
While the traffic management benefits of migrating to MPLS are quite valuable (better reliability, increased performance), there is a significant loss of visibility and access into the MPLS cloud for IT departments.[2]
MPLS Layer
Contents
[hide]
1 History
2 How MPLS works
3 Installing and removing MPLS paths
4 Comparison of MPLS versus IP
4.1 MPLS local protection (Fast Reroute)
5 Comparison of MPLS versus Frame Relay
6 Comparison of MPLS versus ATM
7 Comparison of MPLS VPN versus IPSec VPN
8 MPLS deployment
9 Competitors to MPLS
10 Access to MPLS networks
11 Benefits of MPLS
12 See also
13 Major Vendors of MPLS equipment
13.1 MPLS test equipment vendors
14 References
15 Books
16 External links
//
[edit] History
MPLS was originally proposed by a group of engineers from Ipsilon Networks, but their "IP Switching" technology, which was defined only to work over ATM, did not achieve market dominance. Cisco Systems, Inc. introduced a related proposal, not restricted to ATM transmission, called "Tag Switching". It was a Cisco proprietary proposal, and was renamed "Label Switching". It was handed over to the IETF for open standardization. The IETF work involved proposals from other vendors, and development of a consensus protocol that combined features from several vendors' work.
One original motivation was to allow the creation of simple high-speed switches, since for a significant length of time it was impossible to forward IP packets entirely in hardware. However, advances in VLSI have made such devices possible. Therefore the advantages of MPLS primarily revolve around the ability to support multiple service models and perform traffic management. MPLS also offers a robust recovery framework[3] that goes beyond the simple protection rings of synchronous optical networking (SONET/SDH)..
[edit] How MPLS works
MPLS works by prefixing packets with an MPLS header, containing one or more 'labels'. This is called a label stack. Each label stack entry contains four fields:
A 20-bit label value.
a 3-bit field for QoS (Quality of Service) priority (experimental).
a 1-bit bottom of stack flag. If this is set, it signifies that the current label is the last in the stack.
an 8-bit TTL (time to live) field.
These MPLS-labeled packets are switched after a Label Lookup/Switch instead of a lookup into the IP table. As mentioned above, when MPLS was conceived, Label Lookup and Label Switching were faster than a RIB lookup because they could take place directly within the switched fabric and not the CPU.
The entry and exit points of an MPLS network are called Label Edge Routers (LER), which, respectively, push an MPLS label onto an incoming packet and pop it off the outgoing packet. Routers that perform routing based only on the label are called Label Switch Routers (LSR). In some applications, the packet presented to the LER already may have a label, so that the new LSR pushes a second label onto the packet. For more information see Penultimate Hop Popping.
Labels are distributed between LERs and LSRs using the “Label Distribution Protocol” (LDP)[4]. Label Switch Routers in an MPLS network regularly exchange label and reachability information with each other using standardized procedures in order to build a complete picture of the network they can then use to forward packets. Label Switch Paths (LSPs) are established by the network operator for a variety of purposes, such as to create network-based IP Virtual Private Networks or to route traffic along specified paths through the network. In many respects, LSPs are not different fromPVCs in ATM or Frame Relay networks, except that they are not dependent on a particular Layer 2 technology.[5]
In the specific context of an MPLS-based Virtual Private Network (VPN), LSRs that function as ingress and/or egress routers to the VPN are often called PE (Provider Edge) routers. Devices that function only as transit routers are similarly called P (Provider) routers. See RFC 2547.[6] The job of a P router is significantly easier than that of a PE router, so they can be less complex and may be more dependable because of this.
When an unlabeled packet enters the ingress router and needs to be passed on to an MPLS tunnel, the router first determines the forwarding equivalence class (FEC) the packet should be in, and then inserts one or more labels in the packet's newly-created MPLS header. The packet is then passed on to the next hop router for this tunnel.
When a labeled packet is received by an MPLS router, the topmost label is examined. Based on the contents of the label a swap, push (impose) or pop (dispose) operation can be performed on the packet's label stack. Routers can have prebuilt lookup tables that tell them which kind of operation to do based on the topmost label of the incoming packet so they can process the packet very quickly.
In a swap operation the label is swapped with a new label, and the packet is forwarded along the path associated with the new label.
In a push operation a new label is pushed on top of the existing label, effectively "encapsulating" the packet in another layer of MPLS. This allows hierarchical routing of MPLS packets. Notably, this is used by MPLS VPNs.
In a pop operation the label is removed from the packet, which may reveal an inner label below. This process is called "decapsulation". If the popped label was the last on the label stack, the packet "leaves" the MPLS tunnel. This is usually done by the egress router, but see PHP below.
During these operations, the contents of the packet below the MPLS Label stack are not examined. Indeed transit routers typically need only to examine the topmost label on the stack. The forwarding of the packet is done based on the contents of the labels, which allows "protocol-independent packet forwarding" that does not need to look at a protocol-dependent routing table and avoids the expensive IP longest prefix match at each hop.
At the egress router, when the last label has been popped, only the payload remains. This can be an IP packet, or any of a number of other kinds of payload packet. The egress router must therefore have routing information for the packet's payload, since it must forward it without the help of label lookup tables. An MPLS transit router has no such requirement.
In some special cases, the last label can also be popped off at the penultimate hop (the hop before the egress router). This is called Penultimate Hop Popping (PHP). This may be interesting in cases where the egress router has lots of packets leaving MPLS tunnels, and thus spends inordinate amounts of CPU time on this. By using PHP, transit routers connected directly to this egress router effectively offload it, by popping the last label themselves.
MPLS can make use of existing ATM network infrastructure, as its labeled flows can be mapped to ATM virtual circuit identifiers, and vice versa.
[edit] Installing and removing MPLS paths
There are two standardized protocols for managing MPLS paths: CR-LDP (Constraint-based Routing Label Distribution Protocol) and RSVP-TE, an extension of the RSVP protocol for traffic engineering. As of February 2003, as documented in RFC 3468,[7] defined in RFC 3209.
Extensions of the BGP protocol, starting with RFC 2547, can be used to manage an MPLS path, including RFC 3107 and RFC 4781. [8] [9].
An MPLS header does not identify the type of data carried inside the MPLS path. If one wants to carry two different types of traffic between the same two routers, with different treatment from the core routers for each type, one has to establish a separate MPLS path for each type of traffic.
[edit] Comparison of MPLS versus IP
MPLS cannot be compared to IP as a separate entity because it works in conjunction with IP and IP's IGP routing protocols. MPLS gives IP networks simple traffic engineering, the ability to transport Layer 3 (IP) VPNs with overlapping address spaces, and support for Layer 2 pseudowires (with Any Transport Over MPLS, or ATOM - see Martini draft). Routers with programmable CPUs and without LSP can either be (a) explicitly configured hop by hop, (b) dynamically routed by the Constrained Shortest Path First CSPF algorithm, or (c) configured as a loose route that avoids a particular IP or that is partly explicit and partly dynamic. In a pure IP network, the shortest path to a destination is chosen even when it becomes more congested. Meanwhile, in an IP network with MPLS Traffic Engineering CSPF routing, constraints such as the RSVP bandwidth of the traversed links can also be considered, such that the shortest path with available bandwidth will be chosen. MPLS Traffic Engineering relies upon the use of TE extensions to OSPF or IS-IS and RSVP. Besides the constraint of RSVP bandwidth, users can also define their own constraints by specifying link attributes and special requirements for tunnels to route (or to not route) over links with certain attributes. [10]
[edit] MPLS local protection (Fast Reroute)
Main article: MPLS local protection
In the event of a network element failure when recovery mechanisms are employed at the IP layer, restoration may take several seconds which is unacceptable for real-time applications (such as VoIP)[11] [12][13]. In contrast, MPLS local protection meets the requirements of real-time applications with recovery times comparable to those of SONET rings (up to 50ms).[11][13][14]
[edit] Comparison of MPLS versus Frame Relay
Frame relay aimed to make more efficient use of existing physical resources, which allow for the underprovisioning of data services by telecommunications companies (telcos) to their customers, as clients were unlikely to be utilizing a data service 100 percent of the time. In more recent years, frame relay has acquired a bad reputation in some markets because of excessive bandwidth overbooking by these telcos.
Telcos often sell frame relay to businesses looking for a cheaper alternative to dedicated lines; its use in different geographic areas depended greatly on governmental and telecommunication companies' policies.
AT&T is currently (as of June 2007) the largest frame relay service provider in the United States, with local networks in 22 states, plus national and international networks. This number is expected to change between 2007 and 2009 when most of these frame relay contracts expire. Many customers are likely to migrate from frame relay to MPLS over IP or Ethernet within the next two years, which in many cases will reduce costs and improve manageability and performance of their wide area networks.[15] [16]
[edit] Comparison of MPLS versus ATM
While the underlying protocols and technologies are different, both MPLS and ATM provide a connection-oriented service for transporting data across computer networks. In both technologies, connections are signaled between endpoints, connection state is maintained at each node in the path, and encapsulation techniques are used to carry data across the connection. Excluding differences in the signaling protocols (RSVP/LDP for MPLS and PNNI:Private Network-to-Network Interface for ATM) there still remain significant differences in the behavior of the technologies.
The most significant difference is in the transport and encapsulation methods. MPLS is able to work with variable length packets while ATM transports fixed-length (53 byte) cells. Packets must be segmented, transported and re-assembled over an ATM network using an adaption layer, which adds significant complexity and overhead to the data stream. MPLS, on the other hand, simply adds a label to the head of each packet and transmits it on the network.
Differences exist, as well, in the nature of the connections. An MPLS connection (LSP) is uni-directional - allowing data to flow in only one direction between two endpoints. Establishing two-way communications between endpoints requires a pair of LSPs to be established. Because 2 LSPs are required for connectivity, data flowing in the forward direction may use a different path from data flowing in the reverse direction. ATM point-to-point connections (Virtual Circuits), on the other hand, are bi-directional, allowing data to flow in both directions over the same path (bi-directional are only SVC ATM connections; PVC ATM connections are uni-directional).
Both ATM and MPLS support tunneling of connections inside connections. MPLS uses label stacking to accomplish this while ATM uses Virtual Paths. MPLS can stack multiple labels to form tunnels within tunnels. The ATM Virtual Path Indicator (VPI) and Virtual Circuit Indicator (VCI) are both carried together in the cell header, limiting ATM to a single level of tunnelling.
The biggest single advantage that MPLS has over ATM is that it was designed from the start to be complementary to IP. Modern routers are able to support both MPLS and IP natively across a common interface allowing network operators great flexibility in network design and operation. ATM's incompatibilities with IP require complex adaptation, making it comparatively less suitable for today's predominantly IP networks.
[edit] Comparison of MPLS VPN versus IPSec VPN
MPLS is more reliable than IPSec VPNs as there is less complication in the tunnelling and firewall configuration. Network intrusions are a greater concern with IPSec VPN tunnels since they are run through an Internet circuit, which is open to connections from around the world. A misconfigured firewall can open the VPN network to security threats of the Internet.
[edit] MPLS deployment
MPLS is currently in use in large "IP Only" networks, and is standardized by IETF in RFC 3031.
In practice, MPLS is mainly used to forward IP datagrams and Ethernet traffic. Major applications of MPLS are Telecommunications traffic engineering and MPLS VPN.
[edit] Competitors to MPLS
MPLS can exist in both IPv4 environment (IPv4 routing protocols) and IPv6 environment (IPv6 routing protocols). The major goal of MPLS development - the increase of routing speed - is no longer relevant because of the usage of ASIC, TCAM and CAM-based switching. Therefore the major usage of MPLS is to implement limited traffic engineering and Layer 3/Layer 2 “service provider type” VPNs over existing IPv4 networks. The main competitors to MPLS are Provider Backbone Bridges (PBB), and MPLS-TP that also provide services such as service provider Layer 2 and Layer 3 VPNs. L2TPv3 has been suggested as a competitor, but has not reached any wider success.
IEEE 1355 is a completely unrelated technology that does something similar in hardware.
IPv6 references: Grossetete, Patrick, IPv6 over MPLS, Cisco Systems 2001; Juniper Networks IPv6 and Infranets White Paper; Juniper Networks DoD's Research and Engineering Community White Paper.
[edit] Access to MPLS networks
MPLS supports a range of access technologies, including T1, ATM and frame relay. In April 2008, New Edge Networks announced traffic prioritization on its MPLS network available via less expensive DSL access. Previously, traffic prioritization was not possible across DSL connections.
[edit] Benefits of MPLS
MPLS provides networks with a more efficient way to manage applications and move information between locations. With the convergence of voice, video and data applications, business networks face increasing traffic demands. MPLS enables class of service (CoS) tagging and prioritization of network traffic, so administrators may specify which applications should move across the network ahead of others. This function makes an MPLS network especially important to firms that need to ensure the performance of low-latency applications such as VoIP and their other business-critical functions. MPLS carriers differ on the number of classes of service they offer and in how these CoS tiers are priced.
VPN:
A virtual private network (VPN) is a computer network in which some of the links between nodes are carried by open connections or virtual circuits in some larger network (e.g., the Internet) as opposed to running across a single private network. The link-layer protocols of the virtual network are said to be tunneled through the larger network. One common application is secure communications through the public Internet, but a VPN need not have explicit security features, such as authentication or content encryption. VPNs, for example, can be used to separate the traffic of different user communities over an underlying network with strong security features.VPN service providers may offer best-effort performance, or may have a defined service level agreement (SLA) with their VPN customers. Generally, a VPN has a topology more complex than point-to-point.A VPN allows computer users to access a network via an IP address other than the one that actually connects their computer to the Internet.ontents
[hide]
1 Categorization by user administrative relationships
2 Routing
2.1 Building blocks
3 User-visible PPVPN services
3.1 Layer 1 services
3.1.1 Virtual private wire and private line services (VPWS and VPLS)
3.2 Layer 2 services
3.2.1 Virtual LAN
3.2.2 Virtual private LAN service (VPLS)
3.2.3 Pseudo wire (PW)
3.2.4 IP-only LAN-like service (IPLS)
3.3 L3 PPVPN architectures
3.3.1 BGP/MPLS PPVPN
3.3.2 Virtual router PPVPN
4 Categorizing VPN security models
4.1 Authentication before VPN connection
4.2 Trusted delivery networks
4.3 Security mechanisms
4.4 Security and mobility
5 See also
6 References
7 External links
//
[edit] Categorization by user administrative relationships
The Internet Engineering Task Force (IETF) has categorized a variety of VPNs, some of which, such as Virtual LANs (VLAN) are the standardization responsibility of other organizations, such as the Institute of Electrical and Electronics Engineers (IEEE) Project 802, Workgroup 802.1 (architecture). Originally, Wide Area Network (WAN) links from a telecommunications service provider interconnected network nodes within a single enterprise. With the advent of LANs, enterprises could interconnect their nodes with links that they owned. While the original WANs used dedicated lines and layer 2 multiplexed services such as Frame Relay, IP-based layer 3 networks, such as the ARPANET, Internet, military IP networks (NIPRNET, SIPRNET, JWICS, etc.), became common interconnection media. VPNs began to be defined over IP networks [1]. The military networks may themselves be implemented as VPNs on common transmission equipment, but with separate encryption and perhaps routers.
It became useful first to distinguish among different kinds of IP VPN based on the administrative relationships (rather than the technology) interconnecting the nodes. Once the relationships were defined, different technologies could be used, depending on requirements such as security and quality of service.
When an enterprise interconnects a set of nodes, all under its administrative control, through a LAN network, that is termed an Intranet[2]. When the interconnected nodes are under multiple administrative authorities but are hidden from the public Internet, the resulting set of nodes is called an extranet. A user organization can manage both intranets and extranets itself, or negotiate a service as a contracted (and usually customized) offering from an IP service provider. In the latter case, the user organization contracts for layer 3 services — much as it may contract for layer 1 services such as dedicated lines, or multiplexed layer 2 services such as frame relay.
The IETF distinguishes between provider-provisioned and customer-provisioned VPNs [3]. Just as an interconnected set of providers can supply conventional WAN services, so a single service provider can supply provider-provisioned VPNs (PPVPNs), presenting a common point-of-contact to the user organization.
[edit] Routing
Tunneling protocols can be used in a point-to-point topology that would generally not be considered a VPN, because a VPN is expected to support arbitrary and changing sets of network nodes. Since most router implementations support software-defined tunnel interface, customer-provisioned VPNs often comprise simply a set of tunnels over which conventional routing protocols run. PPVPNs, however, need to support the coexistence of multiple VPNs, hidden from one another, but operated by the same service provider.
[edit] Building blocks
Depending on whether the PPVPN runs in layer 2 or layer 3, the building blocks described below may be L2 only, L3 only, or combinations of the two. MPLS functionality blurs the L2-L3 identity.
While RFC 4026 generalized these terms to cover L2 and L3 VPNs, they were introduced in RFC 2547. [4]
Customer edge device (CE)
In general, a CE is a device, physically at the customer premises, that provides access to the PPVPN service. Some implementations treat it purely as a demarcation point between provider and customer responsibility, while others allow customers to configure it.
Provider edge device (PE)
A PE is a device or set of devices, at the edge of the provider network, which provides the provider's view of the customer site. PEs are aware of the VPNs that connect through them, and which maintain VPN state.
Provider device (P)
A P device operates inside the provider's core network, and does not directly interface to any customer endpoint. It might, for example, provide routing for many provider-operated tunnels that belong to different customers' PPVPNs. While the P device is a key part of implementing PPVPNs, it is not itself VPN-aware and does not maintain VPN state. Its principal role is allowing the service provider to scale its PPVPN offerings, as, for example, by acting as an aggregation point for multiple PEs. P-to-P connections, in such a role, often are high-capacity optical links between major locations of provide.
[edit] User-visible PPVPN services
This section deals with the types of VPN currently considered active in the IETF; some historical names were replaced by these terms.
[edit] Layer 1 services
[edit] Virtual private wire and private line services (VPWS and VPLS)
In both of these services, the provider does not offer a full routed or bridged network, but components from which the customer can build customer-administered networks. VPWS are point-to-point while VPLS can be point-to-multipoint. They can be Layer 1 emulated circuits with no data link structure.
The customer determines the overall customer VPN service, which can involve routing, bridging, or host network elements.
An unfortunate acronym confusion can occur between Virtual Private Line Service and Virtual Private LAN Service; the context should make it clear whether "VPLS" means the layer 1 virtual private line or the layer 2 virtual private LAN.
[edit] Layer 2 services
[edit] Virtual LAN
A Layer 2 technique that allows for the coexistence of multiple LAN broadcast domains, interconnected via trunks using the IEEE 802.1Q trunking protocol. Other trunking protocols have been used but have become obsolete, including Inter-Switch Link (ISL), IEEE 802.10 (originally a security protocol but a subset was introduced for trunking), and ATM LAN Emulation (LANE).
[edit] Virtual private LAN service (VPLS)
Developed by IEEE, VLANs allow multiple tagged LANs to share common trunking. VLANs frequently comprise only customer-owned facilities. The former[clarification needed] is a layer 1 technology that supports emulation of both point-to-point and point-to-multipoint topologies. The method discussed here extends Layer 2 technologies such as 802.1d and 802.1q LAN trunking to run over transports such as Metro Ethernet.
As used in this context, a VPLS is a Layer 2 PPVPN, rather than a private line, emulating the full functionality of a traditional Local Area Network (LAN). From a user standpoint, a VPLS makes it possible to interconnect several LAN segments over a packet-switched, or optical, provider core; a core transparent to the user, making the remote LAN segments behave as one single LAN.
In a VPLS, the provider network emulates a learning bridge, which optionally may include VLAN service.
[edit] Pseudo wire (PW)
PW is similar to VPWS, but it can provide different L2 protocols at both ends. Typically, its interface is a WAN protocol such as ATM or Frame Relay. In contrast, when aiming to provide the appearance of a LAN contiguous between two or more locations, the Virtual Private LAN service or IPLS would be appropriate.
[edit] IP-only LAN-like service (IPLS)
A subset of VPLS, the CE devices must have L3 capabilities; the IPLS presents packets rather than frames. It may support IPv4 or IPv6.
[edit] L3 PPVPN architectures
This section discusses the main architectures for PPVPNs, one where the PE disambiguates duplicate addresses in a single routing instance, and the other, virtual router, in which the PE contains a virtual router instance per VPN. The former approach, and its variants, have gained the most attention.
One of the challenges of PPVPNs involves different customers using the same address space, especially the IPv4 private address space[5]. The provider must be able to disambiguate overlapping addresses in the multiple customers' PPVPNs.
[edit] BGP/MPLS PPVPN
In the method defined by RFC 2547, BGP extensions advertise routes in the IPv4 VPN address family, which are of the form of 12-byte strings, beginning with an 8-byte Route Distinguisher (RD) and ending with a 4-byte IPv4 address. RDs disambiguate otherwise duplicate addresses in the same PE.
PEs understand the topology of each VPN, which are interconnected with MPLS tunnels, either directly or via P routers. In MPLS terminology, the P routers are Label Switch Routers without awareness of VPNs.
[edit] Virtual router PPVPN
The Virtual Router architecture [6], as opposed to BGP/MPLS techniques, requires no modification to existing routing protocols such as BGP. By the provisioning of logically independent routing domains, the customer operating a VPN is completely responsible for the address space. In the various MPLS tunnels, the different PPVPNs are disambiguated by their label, but do not need routing distinguishers.
Virtual router architectures do not need to disambiguate addresses, because rather than a PE router having awareness of all the PPVPNs, the PE contains multiple virtual router instances, which belong to one and only one VPN.
[edit] Categorizing VPN security models
From the security standpoint, VPNs either trust the underlying delivery network, or must enforce security with mechanisms in the VPN itself. Unless the trusted delivery network runs only among physically secure sites, both trusted and secure models need an authentication mechanism for users to gain access to the VPN.
Some ISPs as of 2009[update] offer managed VPN service for business customers who want the security and convenience of a VPN but prefer not to undertake administering a VPN server themselves. Managed VPNs go beyond PPVPN scope, and are a contracted security solution that can reach into hosts. In addition to providing remote workers with secure access to their employer's internal network, other security and management services are sometimes included as part of the package. Examples include keeping anti-virus and anti-spyware programs updated on each client's computer.
[edit] Authentication before VPN connection
A known trusted user, sometimes only when using trusted devices, can be provided with appropriate security privileges to access resources not available to general users. Servers may also need to authenticate themselves to join the VPN.
A wide variety of authentication mechanisms exist. VPNs may implemented authentication in devices including firewalls, access gateways, and others. They may use passwords, biometrics, or cryptographic methods. Strong authentication involves combining cryptography with another authentication mechanism. The authentication mechanism may require explicit user action, or may be embedded in the VPN client or the workstation.
[edit] Trusted delivery networks
Trusted VPNs (sometimes referred to APNs - Actual Private Networks)[citation needed] do not use cryptographic tunneling, and instead rely on the security of a single provider's network to protect the traffic. In a sense, they elaborate on traditional network- and system-administration work.
Multi-Protocol Label Switching (MPLS) is often used to overlay VPNs, often with quality-of-service control over a trusted delivery network.
Layer 2 Tunneling Protocol (L2TP)[7] which is a standards-based replacement, and a compromise taking the good features from each, for two proprietary VPN protocols: Cisco's Layer 2 Forwarding (L2F) [8] (obsolete as of 2009[update]) and Microsoft's Point-to-Point Tunneling Protocol (PPTP) [9].
[edit] Security mechanisms
Secure VPNs use cryptographic tunneling protocols to provide the intended confidentiality (blocking snooping and thus Packet sniffing), sender authentication (blocking identity spoofing), and message integrity (blocking message alteration) to achieve privacy. When properly chosen, implemented, and operated, such techniques can provide secure communications over unsecured networks.
Secure VPN protocols include the following:
IPsec (IP security) - commonly used over IPv4, and a "standard option" in IPv6.
SSL/TLS, used either for tunneling the entire network stack, as in the OpenVPN project, or for securing what is, essentially, a web proxy. SSL, though a framework more often associated with e-commerce, has been built-upon by a number of vendors to provide remote access VPN capabilities. A major practical advantage of an SSL-based VPN is that it can be accessed from the locations that restrict external access to SSL-based e-commerce websites only, thereby preventing VPN connectivity using IPsec protocols. SSL-based VPNs are vulnerable to trivial Denial of Service attacks mounted against their TCP connections because latter are inherently unauthenticated.
OpenVPN, an open standard VPN. A variation of SSL-based VPN, it can run over UDP. Clients and servers are available for all major operating systems.
DTLS, used by Cisco for a next generation VPN product called Cisco AnyConnect VPN. DTLS solves the issues found when tunneling TCP over TCP as is the case with SSL/TLS
L2TPv3 (Layer 2 Tunneling Protocol version 3), a new[update] release.
VPN Quarantine. The client machine at the end of a VPN could be a threat and a source of attack; this has no connection with VPN design and most VPN providers leave it to system administration to secure. There are solutions that provide VPN Quarantine services which run end point checks on the remote client while the client is kept in a quarantine zone until healthy. Microsoft ISA Server 2004/2006 together with VPN-Q 2006 from Winfrasoft or an application called QSS (Quarantine Security Suite) provide this functionality.
MPVPN (Multi Path Virtual Private Network). Ragula Systems Development Company owns the registered trademark "MPVPN".[10]
Cisco VPN, a proprietary VPN used by many Cisco hardware devices. Proprietary clients exist for all platforms; open-source clients also exist.
[edit] Security and mobility
Mobile VPNs are VPNs manufactured[by whom?] for mobile and wireless users. They integrate standards-based authentication and encryption technologies to secure data transmissions to and from devices and to protect networks from unauthorized users. Designed for wireless environments, Mobile VPNs provide an access solution for users on the move who require secure access to information and applications over a variety of wired and wireless networks. Mobile VPNs allow users to roam seamlessly across IP-based networks and in and out of wireless-coverage areas without losing application sessions or dropping the secure VPN session. For instance, highway patrol officers require access to mission-critical applications in order to perform their jobs as they travel across different subnets of a mobile network, much as a cellular radio has to hand off its link to repeaters at different cell towers.
Subscribe to:
Posts (Atom)