New York Institute of Technology
Engineering and Computer Sciences
Kazi Fall 2007 CSCI 370/EENG 480 1
CSCI-370/EENG-480
Computer Networks
Khurram Kazi
IPv6
Around 1990 the IETF started to worry that the IPv4 address space was too small.
The situation was exacerbated both by the success of the Internet and by the dramatic growth of PCs in the home and the office.
Routers were becoming more sophisticated and networks more complex; the number of IP addresses assigned to identify interfaces rather than nodes was growing at the square of the rate of new routers.
People started to imagine that everything one can think of would be connected to the "NET".
The dream was that, sitting in the office, one could monitor and control the home remotely using the Internet (still a dream).
Cell phone and mobile equipment usage has grown, and continues to grow, at a tremendous rate.
In 1994 the IETF projected that IPv4 addresses would run out somewhere between 2005 and 2011.
Hence the need for a next generation protocol that will, at minimum, increase the size of the address space.
IPv6
RFC 1752 summarizes the requirements for the next generation Internet Protocol. This allowed the developers of the new protocol to consider all of the limitations of IPv4 at the same time. Some of the constraints were:
Provide unreliable datagram service (as IPv4)
Support unicast and multicast
Ensure that addressing is adequate beyond the foreseeable future
Be backward compatible with IPv4 so that existing networks do not need to be renumbered or reinstalled, yet provide a migration path from IPv4 to IPv6
Provide support for authentication and encryption
There must be support for mobile hosts and networks, and internetworks
Allow users to build private networks on top of the basic internet infrastructure
IPv6
The major difference between IPv4 and IPv6 is the address.
An IPv6 address is 128 bits (16 octets). This allows the possibility of encoding all sorts of additional and interesting information with the address.
A 128-bit address allows 2^128 distinct addresses: roughly 5*10^28 addresses for every human on earth today (whereas IPv4 has the scope for 2/3 of an address per person).
IPv6 datagram (each 32-bit word shown as Octet 1 to Octet 4, bits 0-7 each)
1st 32-bit word: Version (v6) | Prio. | Flow Label
2nd 32-bit word: Payload Length | Next Header | Hop Limit
3rd to 6th 32-bit words: Source Address
7th to 10th 32-bit words: Destination Address
nth 32-bit word: Data (payload) portion of the datagram
IPv6 Headers Explained (RFC 1883)
Version: Version 6 (v6)
Priority: The source host can use this 4-bit field to indicate a desired priority for delivery of the datagram. It is similar to the IPv4 Type of Service field.
Flow Label: This field allows "flows" to be identified and efficiently processed and routed. The RFC lists flows as experimental, but states that they might be used for special handling or real-time services that require sequential delivery. The flow label allows each packet to be labeled.
Payload Length: This field indicates the length of the payload following the IPv6 header.
Next Header: This 8-bit field indicates what kind of header follows "this" header. This may be the type of protocol used in the payload (e.g. TCP or UDP). It may also be used to indicate IPv6 extension headers.
Hop Limit: This 8-bit field, similar in function to the Time to Live field in IPv4, is more formally defined as the maximum number of times a packet may be forwarded. The value is decremented by 1 by each node that forwards the packet. The packet is discarded if the Hop Limit is decremented to zero.
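An added example, not from the slides, in Python: it packs and parses the fixed 40-byte header described above and models the Hop Limit rule of one forwarding node. The split of the first word defaults to the RFC 1883 layout the slides use (4-bit Priority, 24-bit Flow Label); the prio_bits parameter is my addition so the later RFC 2460/8200 layout (8-bit Traffic Class, 20-bit Flow Label) can be shown as well, and the sample addresses are constructed.

```python
import struct
from ipaddress import IPv6Address

IPV6_HEADER_LEN = 40  # the fixed header is always 40 octets (ten 32-bit words)

def build_ipv6_header(src, dst, payload_len, next_header, hop_limit,
                      prio=0, flow_label=0, prio_bits=4):
    """Pack the fixed IPv6 header.

    prio_bits=4 is the RFC 1883 layout the slides describe (4-bit Priority,
    24-bit Flow Label); prio_bits=8 is the RFC 2460/8200 layout (8-bit Traffic
    Class, 20-bit Flow Label).  Every other field is identical in both.
    """
    flow_bits = 28 - prio_bits
    if not (0 <= prio < (1 << prio_bits) and 0 <= flow_label < (1 << flow_bits)):
        raise ValueError("priority or flow label out of range")
    if not (0 <= payload_len < 65536 and 0 <= next_header < 256 and 0 <= hop_limit < 256):
        raise ValueError("payload length, next header or hop limit out of range")
    word1 = (6 << 28) | (prio << flow_bits) | flow_label  # Version field = 6
    return (struct.pack("!IHBB", word1, payload_len, next_header, hop_limit)
            + IPv6Address(src).packed + IPv6Address(dst).packed)

def parse_ipv6_header(data, prio_bits=4):
    """Unpack the fixed header into a dict; rejects short or non-v6 input."""
    if len(data) < IPV6_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    word1, payload_len, next_header, hop_limit = struct.unpack("!IHBB", data[:8])
    if word1 >> 28 != 6:
        raise ValueError("Version field is not 6")
    flow_bits = 28 - prio_bits
    return {
        "version": 6,
        "prio": (word1 >> flow_bits) & ((1 << prio_bits) - 1),
        "flow_label": word1 & ((1 << flow_bits) - 1),
        "payload_length": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": str(IPv6Address(data[8:24])),
        "dst": str(IPv6Address(data[24:40])),
    }

def payload_length_ok(datagram):
    """Payload Length must equal the number of octets following the header."""
    hdr = parse_ipv6_header(datagram)
    return len(datagram) - IPV6_HEADER_LEN == hdr["payload_length"]

def forward(datagram):
    """One forwarding node: decrement Hop Limit by 1 and return the rewritten
    datagram, or None when the packet is discarded because the Hop Limit would
    reach zero (a datagram received with Hop Limit 0 is not forwarded either)."""
    hdr = parse_ipv6_header(datagram)
    if hdr["hop_limit"] <= 1:
        return None
    # Hop Limit is the last octet of the 2nd 32-bit word, i.e. byte offset 7.
    return datagram[:7] + bytes([hdr["hop_limit"] - 1]) + datagram[8:]

if __name__ == "__main__":
    # Constructed sample: documentation-prefix addresses, UDP (17), 8-byte payload.
    hdr = build_ipv6_header("2001:db8::1", "2001:db8::2", 8, 17, 3, prio=5, flow_label=0xABCDE)
    dgram = hdr + b"\x00" * 8
    while dgram is not None:
        print(parse_ipv6_header(dgram)["hop_limit"], "hops left")
        dgram = forward(dgram)
    print("discarded: Hop Limit would be decremented to zero")
```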
IPv6 Address Representation
Full address: 2033:0000:0123:00FD:000A:0000:0000:0C67
Omitting leading zeros: 2033:0:123:FDA:A:0:0:C67
Omitting whole zero words: 2033::123:FDA:A::C67
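An added example, not from the slides, that implements the two abbreviation rules above as a parser and a canonical (RFC 5952) printer and checks the result against Python's ipaddress module.

```python
import re
from ipaddress import IPv6Address

_WORD = re.compile(r"^[0-9A-Fa-f]{1,4}$")  # one 16-bit word, leading zeros optional

def expand_ipv6(text):
    """Parse a textual IPv6 address into its eight 16-bit words.

    Leading zeros in a word may be omitted, and one run of zero words may be
    written as '::'.  RFC 4291 allows '::' only once: with two of them the
    reader cannot tell how many zero words each stands for.
    """
    if text.count("::") > 1:
        raise ValueError("'::' may appear at most once")
    head, sep, tail = text.partition("::")
    left = head.split(":") if head else []
    right = tail.split(":") if tail else []
    for w in left + right:
        if not _WORD.match(w):
            raise ValueError("bad 16-bit word: %r" % w)
    if sep:
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero word")
        words = left + ["0"] * missing + right
    else:
        words = left
    if len(words) != 8:
        raise ValueError("expected 8 words, got %d" % len(words))
    return [int(w, 16) for w in words]

def compress_ipv6(words):
    """RFC 5952 canonical text: lowercase hex, no leading zeros, and only the
    longest run of two or more zero words (leftmost on a tie) becomes '::'."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if words[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and words[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexw = [format(w, "x") for w in words]
    if best_len < 2:
        return ":".join(hexw)
    return ":".join(hexw[:best_start]) + "::" + ":".join(hexw[best_start + best_len:])

def canonical(text):
    """Expand then compress; raises ValueError on malformed input."""
    return compress_ipv6(expand_ipv6(text))

def is_valid_ipv6_text(text):
    try:
        expand_ipv6(text)
        return True
    except ValueError:
        return False

def matches_stdlib(text):
    """Cross-check: our canonical form equals the standard library's."""
    return canonical(text) == str(IPv6Address(text))

if __name__ == "__main__":
    slide_address = "2033:0000:0123:00FD:000A:0000:0000:0C67"
    print(canonical(slide_address), matches_stdlib(slide_address))
    print(is_valid_ipv6_text("2033::123:FDA:A::C67"))  # False: two '::'
```

Note that RFC 4291 permits "::" only once per address (a second "::" would make the number of elided zero words ambiguous), so the slide's address, whose 00FD word shortens to FD, has the single canonical form 2033:0:123:fd:a::c67.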
Ethernet Services Over Metro and Wide Area Networks: Standards Activities
Special Topics and Recent Trends in Networking
What is so special about Ethernet?
Why Ethernet, and not anything else? The major driving factor is human mentality: familiarity breeds the desire to keep using it until there is no other choice.
Build on the existing know-how and extend its capabilities to meet future needs.
Reduced capital expenditure (economies of scale) and operational costs: is it reality or perception?
We will have more feedback in the near future as carriers have started to deploy these services.
Connect multiple enterprise campuses via Ethernet Services using the public WAN infrastructure, whether they are across the street in the same metro area or across the globe.
Who is defining Ethernet standards?
IEEE has been the pioneering standards body in defining (wired and wireless) Ethernet standards, primarily for enterprise applications. It is working on defining metro wireless standards along with last-mile Ethernet solutions.
Metro Ethernet Forum (MEF) took the initiative to bring Carrier Class Ethernet Services across metro networks, building on the IEEE work. MEF defined the Ethernet services in such a way that they are transport technology agnostic.
Internet Engineering Task Force (IETF): MPLS as the foundation for defining such services.
International Telecommunication Union (ITU): defining Ethernet Services over SONET/G.709 (OTH): Virtual Concatenation, Link Capacity Adjustment Scheme (LCAS), Generic Framing Procedure (GFP).
Are SONET and SDH that different?
For all practical purposes, at a high level of abstraction there is hardly any difference between SONET and SDH.
Both support similar data rates: STS-1 => STM-0, STS-3 => STM-1, etc.
So the terms SONET and SDH will be used interchangeably in this presentation.
Fundamentals of Services definition
Services are defined in observable terms with clear demarcation points between the subscriber's and the Service Provider's equipment.
Subscriber equipment is called the Customer Edge (CE). At the CE, the observable parameters are defined which become the basis for Service Level Agreements (SLAs).
The physical demarcation point between the subscriber and the Service Provider is termed the User-to-Network Interface (UNI).
Hence all the services are defined between two or more UNIs. The underlying networking technology is invisible to the subscriber.
These simple yet powerful definitions have allowed almost 100 million Ethernet compliant devices to take advantage of these services.
Figure: a Customer Edge (e.g. router or Multi-Service Provisioning Platform, MSPP) at each end, each attached through a UNI (User-to-Network Interface) to the Metro Network Cloud, with the Service Attributes defined between the UNIs.
Non-abstract meaning of UNI (User to Network Interface)
A UNI can be envisioned as a physical RJ-45 socket which can reside on an Ethernet switch or a patch panel provided by the Service Provider.
The physical aspect of turning on an Ethernet Service can be as simple as plugging the right equipment into this Ethernet jack.
The connection can be at 10 Mb/s, 100 Mb/s, 1 Gb/s or 10 Gb/s if Ethernet is used as the physical layer between the subscriber and the Service Provider. If the subscriber initially wants 10 Mb/s and later requires 100 Mb/s, only the provisioning of the service is changed and not the physical link, making it future-growth friendly.
If SONET is used, the physical link rates can be multiples of STS-1 or lower sub-rates of STS-1 (based on the VT structure).
Service Frames and Frame Delivery
Service frames are similar to Ethernet frames without the preamble and the Start of Frame Delimiter.
A service frame starts with the Destination Address and ends with the Frame Check Sequence.
A frame is considered an ingress frame when it enters the Metro Ethernet Network and an egress frame when it exits the network.
Service frame transparency is maintained between the two UNIs as the frame traverses the Metro Network, with some exceptions:
The egress service frame may have an 802.1Q tag when the corresponding ingress frame did not have one.
Likewise the egress frame may not have the tag while the ingress frame had it.
The tag values of the ingress frame and the egress frame may be different.
Fundamentals of Services definition: Ethernet Virtual Connection (EVC)
An EVC is defined as "an instance of an association of two or more UNIs".
Why did the EVC need to be defined? A Metro Ethernet Network (MEN) can be visualized as a shared medium where an ingress frame is replicated and delivered to all the UNIs. The concept works fine within a LAN, as it belongs to the same organization or entity, but it is not a good idea when the data traverses the public network.
Traffic isolation: a methodology needs to be devised so that subscriber data is only transported and/or replicated to authorized UNIs and not to any other UNIs sharing the same MEN.
Hence the concept of "VIRTUALIZATION of the Connection" to provide traffic isolation.
Example illustrating EVC Concepts: Two Service instantiations
EVC1 => defined between 2 UNIs, HQ and the backup center. Point-to-point service: all the ingress frames will be exchanged between the 2 UNIs, with the exception of control messages (terminated by the MEN).
EVC2 => defined between the HQ, the Engineering facility and the 2 sales regions. Multipoint-to-multipoint service: supports unicast and multicast traffic between the UNIs defined in the EVC group.
Generally speaking there can be more than one service instance: more than one EVC defined for a virtual network.
Figure: Metro Network Cloud connecting HQ, Engineering Facility, Sales Support Region 1, Sales Support Region 2 and the Backup/Disaster Recovery Center; EVC1 is the Point to Point EVC (HQ to Backup/Disaster Recovery Center) and EVC2 the Multipoint to Multipoint EVC.
CE-VLAN ID
There are 4095 CE-VLAN (Virtual Local Area Network) IDs, numbered 1, 2, ..., 4095.
The VLAN ID is extracted from the content of the Service Frame in the following manner:
For a Service Frame that has an IEEE 802.1Q Tag and whose 12-bit VLAN ID in the Tag is not zero, the CE-VLAN ID is equal to the VLAN ID in the Tag.
Untagged and priority tagged Service Frames have the same CE-VLAN ID, and that CE-VLAN ID value is configurable to any value in the range 1, ..., 4094 at each UNI.
An Ethernet frame with an IEEE 802.1Q Tag that has zero as the VLAN ID is called priority tagged.
Untagged and priority tagged frames are handled as if they belong to a default VLAN, and the default VLAN is configured appropriately on each port of the Network Element, which can be an Ethernet switch.
CE-VLAN ID/EVC Mapping
At each UNI, the CE-VLAN ID has to be associated with an EVC ID. The EVC ID is an arbitrary string administered by the Service Provider.
A VLAN ID of 2 is delivered through the MEN according to the properties of the Red EVC.
A VLAN ID of 1 is delivered through the MEN according to the properties of the Blue EVC.
Any Service Frame with a Tag ID other than 1, 2 or 4094 will be dropped by the MEN as there is no EVC associated with it.
Service Frame Format    CE-VLAN ID                       EVC
Untagged                (configured default, 1..4094)    (EVC of the default CE-VLAN ID)
Tagged VID = 1          1                                Blue
Tagged VID = 2          2                                Red
Tagged VID = 3          3                                (none: dropped)
...
Tagged VID = 4094       4094                             Green
Tagged VID = 4095       4095                             (none: dropped)
CE-VLAN ID Significance
A CE-VLAN ID may only have relevance at a given UNI:
47 (@ UNI A) => EVC1 <= 47 (@ UNI B)
1343 (@ UNI A) => EVC2 <= untagged (@ UNI B)
187 (@ UNI A) => EVC3 <= 1343 (@ UNI B)
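An added example, not from the slides, that applies the CE-VLAN ID extraction rule and the per-UNI CE-VLAN ID to EVC mapping of the last three slides to constructed service frames, including the tag rewrite at the egress UNI from the Service Frames slide. The UNI class, the EVC ID strings and the configuration of UNI A and UNI B are assumptions built to mirror the examples above (the FCS is omitted).

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an IEEE 802.1Q tag

def make_frame(dst_mac, src_mac, ethertype, payload, vid=None, pcp=0):
    """Build a service frame (DA .. payload; FCS omitted here).
    vid=None gives an untagged frame, vid=0 a priority-tagged frame."""
    frame = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    if vid is not None:
        frame += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return frame + struct.pack("!H", ethertype) + payload

def tag_of(frame):
    """(pcp, vid) of the 802.1Q tag, or None when the frame is untagged."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci >> 13, tci & 0x0FFF
    return None

def retag(frame, vid, pcp=0):
    """Remove any existing tag, then tag with vid (or leave untagged if None)."""
    bare = frame[:12] + frame[16:] if tag_of(frame) is not None else frame
    if vid is None:
        return bare
    return bare[:12] + struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) + bare[12:]

class UNI:
    """A UNI's default CE-VLAN ID and its CE-VLAN ID -> EVC ID map (EVC IDs
    are arbitrary strings administered by the Service Provider)."""

    def __init__(self, name, default_vid, evc_map):
        if not 1 <= default_vid <= 4094:
            raise ValueError("default CE-VLAN ID must be in 1..4094")
        self.name, self.default_vid, self.evc_map = name, default_vid, dict(evc_map)

    def ce_vlan_id(self, frame):
        """Tagged with VID != 0 -> that VID; untagged or priority-tagged (VID 0)
        -> this UNI's configured default CE-VLAN ID."""
        tag = tag_of(frame)
        return tag[1] if tag is not None and tag[1] != 0 else self.default_vid

    def vid_for_evc(self, evc_id):
        return next((v for v, e in self.evc_map.items() if e == evc_id), None)

def ingress(uni, frame):
    """(EVC ID, CE-VLAN ID) at the ingress UNI, or None when the MEN drops the
    frame because no EVC is associated with its CE-VLAN ID."""
    vid = uni.ce_vlan_id(frame)
    evc = uni.evc_map.get(vid)
    return None if evc is None else (evc, vid)

def egress(uni, evc_id, frame):
    """Rewrite the tag for the egress UNI: its own CE-VLAN ID for this EVC, or
    untagged when that CE-VLAN ID is the UNI's default (the PCP is kept)."""
    vid = uni.vid_for_evc(evc_id)
    if vid is None:
        raise ValueError("UNI %s is not a member of %s" % (uni.name, evc_id))
    tag = tag_of(frame)
    return retag(frame, None if vid == uni.default_vid else vid, tag[0] if tag else 0)

def deliver(src_uni, dst_uni, frame):
    """Ingress classification then egress re-tagging; None means dropped."""
    hit = ingress(src_uni, frame)
    return None if hit is None else egress(dst_uni, hit[0], frame)

# Constructed configuration mirroring the CE-VLAN ID Significance slide:
# UNI A: 47 -> EVC1, 1343 -> EVC2, 187 -> EVC3 (default CE-VLAN ID 4094, unmapped)
# UNI B: 47 -> EVC1, untagged (default 1) -> EVC2, 1343 -> EVC3
UNI_A = UNI("A", 4094, {47: "EVC1", 1343: "EVC2", 187: "EVC3"})
UNI_B = UNI("B", 1, {47: "EVC1", 1: "EVC2", 1343: "EVC3"})
```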
Traffic Engineering: Bandwidth profile attributes
Different subscribers will have different bandwidth needs. Some might require 100 Mb/s, others less than 20 Mb/s, while some might require 1 Gb/s.
Some may prefer to pay as they use for their bandwidth needs; they may start with 20 Mb/s and at a future date increase their requirements to 100 Mb/s.
To accommodate such requirements, MEF defined the following bandwidth profile parameters:
Committed Information Rate (CIR), expressed in bits per second
Committed Burst Size (CBS), expressed in bytes
Excess Information Rate (EIR), expressed in bits per second
Excess Burst Size (EBS), expressed in bytes
Coupling Flag (CF), which must have the value 1 or 0
Color Mode (CM), which must have only one of the two possible values: Color Blind or Color Aware
These profile attributes form the basis of the Service Level Agreements.
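An added example, not from the slides, implementing the MEF bandwidth profile algorithm (as specified in MEF 10) that consumes these parameters: two token buckets sized CBS and EBS and refilled at CIR and EIR, the Coupling Flag spilling unused committed tokens into the excess bucket, and the Color Mode deciding whether a frame's existing colour is honoured. The rates and frame sizes in the sample run are constructed.

```python
GREEN, YELLOW, RED = "green", "yellow", "red"

class BandwidthProfile:
    """MEF bandwidth profile (two token buckets, three colours), as in MEF 10.

    cir/eir in bits per second, cbs/ebs in bytes, cf the Coupling Flag (0 or 1),
    color_aware the Color Mode.  The committed bucket Bc starts full at CBS and
    the excess bucket Be at EBS; both refill over time, and with CF = 1 tokens
    that would overflow the committed bucket spill into the excess bucket.
    """

    def __init__(self, cir, cbs, eir, ebs, cf=0, color_aware=False):
        if cf not in (0, 1):
            raise ValueError("Coupling Flag must be 0 or 1")
        self.cir, self.cbs, self.eir, self.ebs = cir, cbs, eir, ebs
        self.cf, self.color_aware = cf, color_aware
        self.bc, self.be = float(cbs), float(ebs)  # current token counts (bytes)
        self.last_t = 0.0

    def _refill(self, t):
        """Credit both buckets for the time elapsed since the previous frame."""
        dt = t - self.last_t
        if dt < 0:
            raise ValueError("frames must be offered in arrival order")
        self.last_t = t
        committed = self.bc + self.cir / 8.0 * dt  # bits/s -> bytes
        overflow = max(0.0, committed - self.cbs)   # tokens beyond CBS
        self.bc = min(float(self.cbs), committed)
        self.be = min(float(self.ebs), self.be + self.eir / 8.0 * dt + self.cf * overflow)

    def mark(self, t, length, color=GREEN):
        """Colour one service frame of `length` bytes arriving at time t (s).
        `color` is the frame's pre-existing colour and is only consulted in
        colour-aware mode.  Green: within CIR/CBS; yellow: within EIR/EBS;
        red: discarded."""
        self._refill(t)
        blind = not self.color_aware
        if (blind or color == GREEN) and length <= self.bc:
            self.bc -= length
            return GREEN
        if (blind or color != RED) and length <= self.be:
            self.be -= length
            return YELLOW
        return RED

def mark_all(profile, frames):
    """frames: (t, length) or (t, length, color) tuples; returns their colours."""
    return [profile.mark(*f) for f in frames]

if __name__ == "__main__":
    # Constructed SLA: CIR 20 Mb/s, CBS 10 000 B, EIR 10 Mb/s, EBS 5 000 B.
    bp = BandwidthProfile(cir=20e6, cbs=10_000, eir=10e6, ebs=5_000)
    print(mark_all(bp, [(0.0, 1500)] * 10))  # 6 green, 3 yellow, 1 red
    print(mark_all(bp, [(0.01, 1500)]))      # buckets refilled after 10 ms
```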
Bandwidth Profiles defined in three ways
Bandwidth Profile defined per ingress UNI
Figure: a UNI carrying EVC1 and EVC2, each subdivided into CE-VLAN CoS 0,1,2,3 / CoS 4,5 / CoS 6,7; a single Bandwidth Profile is applied to all traffic entering the UNI.
Bandwidth Profiles defined in three ways
Bandwidth Profile defined on a per-EVC basis
Figure: the same UNI, EVC1 and EVC2 with CE-VLAN CoS 0,1,2,3 / CoS 4,5 / CoS 6,7; Bandwidth Profile 1 is applied to EVC1 and Bandwidth Profile 2 to EVC2.
Bandwidth Profiles defined in three ways
Bandwidth Profile defined per EVC and CE-VLAN CoS: the most granular attributes allowed
Figure: the same UNI, EVC1 and EVC2 with CE-VLAN CoS 0,1,2,3 / CoS 4,5 / CoS 6,7; Bandwidth Profiles 1 to 4 are applied to individual EVC and CoS combinations.
Ethernet Services over public WAN: Work being done at ITU-T
Figure: Customer A and Customer B equipment attached via Ethernet PHY to carrier equipment at each edge of a SONET/SDH/PDH/OTN carrier network.
a) EPL for two customers, each with their own TDM channel
b) EVPL for two customers where they share a TDM channel for increased efficiency
Summary of Ethernet types of Services
Connectivity      Resource sharing   Service type
Point-to-point    Dedicated          EPL (Ethernet Private Line)
Point-to-point    Shared             EVPL (Ethernet Virtual Private Line)
Multipoint        Dedicated          EPLAN (Ethernet Private LAN)
Multipoint        Shared             EVPLAN (Ethernet Virtual Private LAN)
Ethernet Private Line (EPL) Service
EPL is the simplest service that an existing SONET/SDH transport network can support.
The desired dedicated bandwidth is allocated, enabled by VCAT, LCAS and GFP.
It mimics a virtual wire connectivity between two CEs.
Figure: Customer Equipment attached via Ethernet PHY to Carrier Equipment at each edge of a SONET/SDH/PDH/OTH (or ATM/MPLS CIR) Carrier Network.
Ethernet Private LAN (EPLAN) Service
Multiple sites, either across the street or across the globe, connected virtually.
Mesh connectivity using Multi-Service Provisioning Platform type Network Elements.
Figure: three Customer Equipment sites attached via Ethernet PHY to the Carrier Network in a mesh.
Ethernet Private LAN (EPLAN) Service
LAN connectivity made by using a centralized switch, i.e. the traffic is hauled to a centralized switch and then forwarded to the respective UNI.
Figure: three Customer Equipment sites attached via Ethernet PHY to a centralized switch in the Carrier Network.
Ethernet Private LAN (EPLAN) Service
An edge node serves as a bridge or a switch to provide connectivity between the respective UNIs.
Figure: three Customer Equipment sites attached via Ethernet PHY to edge nodes of the Carrier Network.
Reference architecture of a Network Element for EPL
Subscriber Interface -> Ethernet PHY (including MAC) -> GFP Encapsulation -> SONET/SDH Mapper -> SONET/SDH Framer -> Optics -> WAN Interface
With the present state of the art in VLSI technology, most of these functional blocks can fit in a single VLSI device (minus the optics).
How is Ethernet affecting our lives in some other ways?
Examples of using Ethernet for a "virtual doctor's office" service: patients in a village can have a video conference from their homes with their doctor (residing somewhere else) [example cited from Telenor, Norway's Service Provider].
Doctors can monitor/see intricate operations being performed at a hospital across the globe.
Distance learning.
Network Security Architecture
Customer's responsibility or Service Provider's?
Security Issues Throughout History
Breaches in information security have translated into catastrophic losses and at times brought organizations or nations to their knees.
As time progressed the techniques to transport sensitive information changed; however, the objectives of the sender and the interested interceptor remained the same.
The sender always tries to ensure message assurance. The interceptor, on the other hand, has been trying to find innovative ways to decipher the intercepted messages.
Are Metro and Wide Area Networks Safe: A Myth or Reality?
Figure: the path from the Office Building (MSPP) through the Wiring Closet and the Local Central Office into the Network Cloud, with the possible vulnerable spots marked along it.
Physical isolation does not guarantee data security.
Are Metro and Wide Area Networks Safe: A Myth or Reality?
Virtual isolation: data can easily be snooped on by unauthorized entities.
Figure: Customer A's, B's, C's ... N's traffic multiplexed onto one link and demultiplexed again at the far end.
Are Metro and Wide Area Networks Safe: A Myth or Reality?
Tandem connection: the subscriber does not have any idea who all might be carrying its data.
Figure: data traversing multiple domains, an end-to-end working path from user to user across Operator A, Operator B ... Operator N.
Are Metro and Wide Area Networks Safe: A Myth or Reality?
Snooping on the subscriber's data by the carriers: cases have been reported where a Voice over IP service provider's data is being blocked by the carriers it uses.
There are tools available that make data snooping, filtering and recording possible.
Overview of Access Transport Technologies
SONET/SDH: widely deployed and is being used for Ethernet services.
1/10 Gigabit Ethernet: used in green-field applications.
Fibre Channel: restricted to Storage Area Networks.
Native traffic over dark fiber: typically used by large organizations for whom it is cheaper to manage their own networks.
Encryption at Different OSI Layers
Three main high speed access protocols: SONET/SDH, 1/10 Gigabit Ethernet and Fibre Channel.
Figure: client mapping of signals over transport protocols, three stacks (A, B, C) in which client signals (IP, MPLS, CBR, DVB, PDH, ATM, Fibre Channel, 1 GbE, 10 GbE) are carried via GFP, PDH or ATM over SONET/SDH.
Encryption at SONET/SDH Layer
Diverse Traffic Aggregation over SONET/SDH
Figure: at each site, laptops, servers and Exchange servers on LAN switches (10/100 Mb/s Ethernet), a LAN switch (1 and/or 10 Gb/s Ethernet), a Storage/Fibre Channel element and traditional TDM traffic sources (T1/T3 etc.) are aggregated by an MSPP onto the WAN connectivity (SONET/SDH).
Encryption at the SONET/SDH layer
Bulk encryption of data of varied traffic types.
Fewer Security Associations (SAs) in SONET/SDH.
Generation of encryption keys and their management is easier (due to fewer SAs). For STS-768 (40 Gb/s) using STS-1 granularity, the maximum number of SAs will be 768; for STS-192, there will be 192 SAs.
Due to the lower number of end nodes, the burden of authenticating the network elements or nodes is significantly lowered.
Ease of management of the security infrastructure due to the low number of SAs.
Encryption of SAN Traffic Over SONET/SDH
Latency sensitive traffic: secure SAN extension example.
Guaranteed delivery: Fibre Channel (FC) based SANs do not tolerate frame loss in the network beyond what might be expected from BER and availability.
High throughput: storage applications are the largest drivers of traffic across a network.
Low latency: storage applications require quick response times or performance can suffer.
Zero loss: loss is unacceptable in a storage environment. Retransmissions significantly affect application performance.
Protocol stacks:
Storage over IP: Fibre Channel / FCIP / TCP / IP / IPSEC / GFP / SONET/SDH
Storage over SONET/SDH: Fibre Channel / GFP / SONET/SDH