IP Transmission Technologies

Upload: neka

Post on 24-Jan-2016


DESCRIPTION

IP Transmission Technologies (PowerPoint presentation). Hourglass of TCP/IP protocols: applications (email, WWW, phone, ...) use SMTP, HTTP, RTP, ... over TCP and UDP, over IP, which in turn runs over Ethernet, PPP, ... over CSMA, async, SONET, ... over copper, fiber and radio. Transmission technologies covered: Ethernet (LAN), copper, fiber, wireless, satellite (DVB-RCS).

TRANSCRIPT

  • IP Transmission Technologies

  • Hourglass of TCP/IP Protocols

  • Transmission Technologies
    - Ethernet (LAN): copper, fiber, wireless, satellite (DVB-RCS)
    - Point-to-point leased line: E1, SDH, DSL, ...
    - Packet-switched: X.25, Frame Relay, ATM, MPLS
    - QoS

  • Types of Point-to-Point Protocols
    - SLIP over async: very simple, IP only, unreliable (no checksum)
    - HDLC over sync: various proprietary versions; frames have a checksum
    - PPP

  • Leased Line (figure: two routers attached to the line through V.35 interfaces)

  • PPP
    - SLIP done right
    - Used for synchronous and asynchronous transmission
    - Extended negotiation mechanism
    - Multiple protocol support

  • PPP and OSI model

    Network Layer:    Network Control Protocols: IPCP, IPXCP, others
    Data Link Layer:  PPP with LCP (Link Control Protocol)
    Physical Layer:   Synchronous or asynchronous physical media

  • LCP Configuration Options

    Feature           Protocol
    Authentication    PAP, CHAP
    Compression       Stacker, ...
    Error Detection   Quality (link quality monitoring)
    Multilink         MPPP

  • PAP/CHAP
    - PAP: password required; the password is sent unencrypted over the link; allows the authenticator to store encrypted (hashed) passwords
    - CHAP: challenge handshake; no password is sent over the link; requires the authenticator to store unencrypted (cleartext) secrets

  • Selecting a PPP Authentication Protocol: PAP (2-way handshake)
    - Passwords sent in cleartext
    - Peer in control of attempts
    Remote router SantaCruz (hostname santacruz, password boardwalk) sends "santacruz, boardwalk" to the central-site router HQ (configured with: username santacruz password boardwalk); HQ answers Accept/Reject.

  • Selecting a PPP Authentication Protocol: CHAP (3-way handshake)
    - Use a secret known only to the authenticator and the peer
    Remote router SantaCruz (hostname santacruz, password boardwalk); central-site router HQ (username santacruz password boardwalk). HQ sends a Challenge, SantaCruz returns a Response computed from the secret, HQ answers Accept/Reject.
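    The two handshakes from the PAP and CHAP slides, as an added example that is not part of the original presentation. It uses the slide's constructed credentials (santacruz / boardwalk) and shows why CHAP is preferred: PAP puts the password on the wire, while CHAP-MD5 (RFC 1994) sends only MD5(Identifier || secret || Challenge) and a fresh, single-use challenge defeats replay of a captured response. The Authenticator class, its one-shot challenge table and the chap_handshake helper are this example's own constructs, not a real router implementation.

```python
import hashlib
import hmac
import os

# Constructed demo credentials matching the slide's example (hostname santacruz,
# password boardwalk); for CHAP both routers hold the same cleartext secret.
PEER_NAME = b"santacruz"
SECRET = b"boardwalk"


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request data (RFC 1334): Peer-ID and Password as
    length-prefixed cleartext. Anyone tapping the link reads the password."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-MD5 Response Value (RFC 1994): MD5(Identifier || secret || Challenge).
    The secret stays on the host; only this 16-byte digest crosses the link."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Central-site router (HQ): issues challenges, checks responses, and never
    accepts the same challenge twice, so a captured response cannot be replayed."""

    def __init__(self, secrets: dict):
        self.secrets = secrets        # peer name -> cleartext secret (CHAP needs it unencrypted)
        self.outstanding = {}         # identifier -> challenge awaiting a response
        self.next_id = 0

    def challenge(self):
        ident = self.next_id
        self.next_id = (self.next_id + 1) & 0xFF
        chal = os.urandom(16)         # unique and unpredictable, as RFC 1994 requires
        self.outstanding[ident] = chal
        return ident, chal

    def verify(self, ident: int, peer_name: bytes, response: bytes) -> bool:
        chal = self.outstanding.pop(ident, None)   # a challenge is answerable once
        secret = self.secrets.get(peer_name)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def chap_handshake(auth: Authenticator, peer_name: bytes, peer_secret: bytes) -> bool:
    """The 3-way handshake: Challenge -> Response -> Success/Failure."""
    ident, chal = auth.challenge()                       # 1. HQ -> SantaCruz: Challenge
    response = chap_response(ident, peer_secret, chal)   # 2. SantaCruz -> HQ: Response
    return auth.verify(ident, peer_name, response)       # 3. HQ -> SantaCruz: Accept/Reject


if __name__ == "__main__":
    print("PAP on the wire:", pap_authenticate_request(PEER_NAME, SECRET))
    hq = Authenticator({PEER_NAME: SECRET})
    print("CHAP with the right secret:", chap_handshake(hq, PEER_NAME, SECRET))
    print("CHAP with the wrong secret:", chap_handshake(hq, PEER_NAME, b"guess"))
```

    Note the trade-off the PAP/CHAP slide points out: because the authenticator must recompute the MD5 digest, it has to keep the shared secret in cleartext, whereas a PAP authenticator can store only a hash of the password. A CHAP-MD5 response is also an offline-crackable commitment to the secret, so the secret must be long and random, not a password.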

  • Multilink PPP
    - Combining physical links into one logical bundle
    - Result: higher speed and lower latency
    - MPPP / Bonding: MPPP assembles/disassembles frames on the Data Link Layer and is used for synchronous and asynchronous physical links; Bonding assembles/disassembles on the bit level

  • show ppp multilink (sample output)

  • X.25

  • X.25
    - 1970s
    - Data Terminal Equipment (DTE), Data Circuit-terminating Equipment (DCE), Packet Switching Exchange (PSE)
    - DCE provides the clock

  • X.25 topology

  • Packet Assembler/Disassembler

  • X.25 Stack

  • LAPB Frame

  • X.25 Data Link Control (LAPB)
    - Point-to-point full-duplex data links
    - Error correction (by retransmission) and flow control
    - Encapsulation of data in variable-length frames delimited by flags
    - Redundant error-detection bits (FCS)
    - Sliding window with modulo-8 or modulo-128 sequence numbers

  • X.121 address

  • X.121 address: Data Network Identification Code (DNIC, 4 digits: a 3-digit data country code plus 1 network digit) followed by the National Terminal Number (NTN, up to 10 digits)

  • Packet Level Protocol
    - Several virtual circuits multiplexed
    - Sliding-window error and congestion control for every VC
    - Call restriction, charging, QoS, ...

  • VC Setup
    - PVC: permanent (static) entry in the routing table, a substitute for leased lines
    - SVC: dynamic entry in the routing table, set up by a Call Request packet and torn down by a Clear Request packet

  • Frame Relay

  • Characteristics
    - Introduced in 1984 but only (significantly) deployed in the late 1980s
    - Layers 1 and 2
    - Packet-switched technology: PVCs and SVCs
    - Connection-oriented data link layer communication
    - "X.25 lite"

  • Differences with X.25
    - Less robust: assumes a more reliable medium, so no retransmission of lost data
    - No windowing
    - Error control handled by higher layers
    - Higher performance and transmission efficiency

  • Frame Relay Topology

  • DLCI: Data Link Connection Identifier
    - Uniquely identifies circuits
    - Assigned by the service provider
    - Local significance only (except with LMI)

  • DLCI

  • Frame Format

  • CIR: Committed Information Rate
    - What you buy with a FR connection
    - CIR = Committed Burst (Bc) / Committed Time (Tc)
    - Also a Maximum Rate

  • Frame Relay (figure): RTR1 with subinterfaces s0.2 (DLCI 110) and s0.3 (DLCI 120); a second router with s0.1 (DLCI 120) and s0.2 (DLCI 130); a third router with s0.1 (DLCI 110) and s0.3 (DLCI 130)

  • ATM: Asynchronous Transfer Mode

  • Characteristics
    - Originally designed to transmit voice, video and data over the same network
    - Cell switching
    - Each communication is assigned a timeslot; timeslots are assigned on a demand basis, hence asynchronous (as opposed to TDM)

  • Cells
    - 53 bytes: 5-byte header + 48-byte payload
    - Trade-off between the voice world and the data world: voice needs small payloads and low delay; data needs big payloads and less overhead

  • ATM

  • ATM Adaptation Layer (AAL)
    - Together with the ATM layer, equivalent to the Data Link layer of the OSI model
    - AAL1: connection-oriented, for voice and video
    - AAL3/4: connection-oriented and connectionless (similar to SMDS)
    - AAL5: connection-oriented and connectionless, used for CLIP and LANE

  • ATM AAL5

  • ATM Sources

  • ATM Addresses
    - ITU-T standard: E.164 (telephone numbers)
    - ATM Forum defined 20-byte NSAP addresses for use in private networks; an E.164 address can be used as the NSAP prefix
    - Mapped to IP addresses by ATM ARP (in CLIP)

  • ATM QoS
    - Traffic contract: peak bandwidth, average sustained bandwidth, burst size (similar to FR)
    - Traffic shaping (end device): queuing, buffering
    - Traffic policing (switches): enforces the contract

  • Path Establishment

  • MPLS Terminology
    - LDP: Label Distribution Protocol
    - LSP: Label Switched Path
    - FEC: Forwarding Equivalence Class
    - LSR: Label Switching Router
    - LER: Label Edge Router

  • MPLS: how does it work? (build-up over time)

  • MPLS built on standard IP
    Three routers (47.1, 47.2, 47.3), each with interfaces 1, 2 and 3; destination-based forwarding tables as built by OSPF, RIP, etc.:

    Router 47.1        Router 47.2        Router 47.3
    Dest   Out         Dest   Out         Dest   Out
    47.1   1           47.1   1           47.1   1
    47.2   2           47.2   2           47.2   2
    47.3   3           47.3   3           47.3   3

  • MPLS Label Distribution
    Labels for the FEC 47.1 are distributed hop by hop from the egress LER back towards the ingress LER (the slide writes the labels as 0.40 and 0.50):

    Egress LER (router 47.1):
    Intf In   Label In   Dest   Intf Out
    3         0.40       47.1   1

    Transit LSR (router 47.2):
    Intf In   Label In   Dest   Intf Out   Label Out
    3         0.50       47.1   1          0.40

    Ingress LER (router 47.3):
    Intf In   Dest   Intf Out   Label Out
    3         47.1   1          0.50

  • MPLS VPNs
    - Layer 3 VPNs = BGP/MPLS VPNs (RFC 2547bis)
    - Layer 2 VPNs and AToM (Any Transport over MPLS)

  • Layer 2 vs. Layer 3 VPNs
    Depending on the type of customer payload, a VPN is classified as an L2 or an L3 VPN.
    - Examples of L2VPN: ATM LAN Emulation (LANE); Ethernet over MPLS (draft-martini, draft-kompella); VPLS (draft-lasserre-vkompella); IPLS (draft-shah)
    - Examples of L3VPN: RFC 1577 Classical IP over ATM; IPsec tunnel mode; RFC 2547 BGP/MPLS-based VPNs; draft-declercq BGP/IPsec VPNs; draft-knight virtual-router-based VPNs

  • Encapsulation of Customer Ethernet Frames in a L2 PPVPN (figure)
    Untagged or tagged customer Ethernet frames (user data, Enet header, optional VLAN tag) arrive from the customer or other Ethernet access network. Across the provider network supporting the L2 PPVPN they are carried either as customer Ethernet over MPLS (stack: user data, Enet, VLAN, VC label, tunnel label, provider Enet) or as customer Ethernet frames over provider Ethernet frames; on the far side they are delivered into a single customer VLAN domain.

  • Example of a L2 PPVPN (VPLS) (figure)
    Customer A and Customer B L2 networks (e.g. Ethernet with 802.1q VLANs) attach through customer LAN switches to the provider network, which carries Ethernet frames with or without VLAN tags over a full mesh of MPLS LSPs.
    2 MPLS labels per frame:
    - Tunnel label = outer label, for delivery to the destination PE
    - VC label = inner label, to identify the L2VPN end-points

  • Example of a L3 PPVPN (RFC 2547bis) (figure)
    Customer A and Customer B networks attach through customer edge routers to the provider network; customer IP packets, possibly carrying private IP addresses, are forwarded over a full mesh of MPLS LSPs.
    2 MPLS labels per packet:
    - Tunnel label = outer label, for delivery to the destination PE
    - VPN label = inner label, distributed with the VPN route in BGP, identifying the customer VRF/route at the destination PE

  • Ethernet over MPLS (figure)
    PEs around an MPLS network connect enterprise LANs and ISPs (ISP 1, 2, 3 and ISP A, B, C): a point-to-point Metro Ethernet service and a distributed NAP. Based on draft-martini; VCs are mapped to VLANs (the VC id maps to the VLAN id).

  • Ethernet 802.1q VLAN Transport (802.1q to 802.1q over MPLS)
    Customer sites on VLAN 41 and VLAN 56 are joined across the MPLS network between PE 1.0.0.4 and PE 1.0.0.8:

    interface GigabitEthernet0/0.2
     encapsulation dot1q 41
     mpls l2transport route 1.0.0.8 312
    !
    interface GigabitEthernet1/0.2
     encapsulation dot1q 56
     mpls l2transport route 1.0.0.8 313

  • AToM - MTU Considerations (figure: customer site, PE1, MPLS backbone, PE2, customer site)
    - Egress MTU signalled using LDP
    - Incoming PDU dropped if the MTU is exceeded
    - The ingress PE checks the egress PE's outbound interface MTU AND its own egress interface into the MPLS backbone
    - NO mechanism to check the backbone MTU
    - The provider MUST dictate the MTU or direct traffic away from low-MTU links

  • IETF DiffServ Architecture (RFC 2475)
    - The idea: different service levels for packets
    - The service: some significant characteristics of packet transmission in one direction across the network
    - Examples: bandwidth and latency

  • Type-of-Service (RFC 791)
    IPv4 header, first word: Version (bits 0-3) | IHL (bits 4-7) | ToS (bits 8-15) | Total Length (bits 16-31)

    ToS field:
    Bits 0-2   Precedence
    Bit 3      D: 0 = normal delay, 1 = low delay
    Bit 4      T: 0 = normal throughput, 1 = high throughput
    Bit 5      R: 0 = normal reliability, 1 = high reliability
    Bits 6-7   Unused

  • IP Precedence Values

    111   Network Control
    110   Internetwork Control
    101   Critical
    100   Flash Override
    011   Flash
    010   Immediate
    001   Priority
    000   Routine

  • Network-Layer BWM
    Bandwidth management functions: classification, shaping, discarding, queuing

  • Queuing Disciplines
    - First-In-First-Out (FIFO): no classes; fast, easy to implement
    - Priority Queuing: all traffic in a high-priority class is sent before any in a lower-priority one
    - Class-Based Queuing (CBQ): a number of bytes is sent from each class before going on to the next class

  • Priority Queuing

  • Class-Based Queuing

  • Queuing Disciplines (cont.)
    - Weighted Fair Queuing: traffic is divided into a number of flows; each flow is given a share of the link based on its weight; small packets are given priority over large ones, so interactive and control traffic gets more priority

  • Weighted Fair Queuing
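    The four disciplines from the queuing slides run over one constructed backlog, as an added example that is not part of the original presentation. The backlog alternates 1500-byte data frames with 60-byte voice packets, all already queued, and the schedulers drain it: priority queuing serves every voice packet before any data packet (with a permanently backlogged high class, data would never be served, which is the starvation risk of PQ), class-based queuing hands each class a byte quantum per round (deficit round robin), and WFQ orders packets by virtual finish time, which is where the "small packets go first" property comes from. The packet type, the backlog, the quanta and the weights are this example's own choices.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    cls: str      # traffic class / flow
    length: int   # bytes
    seq: int      # arrival order


def fifo(backlog):
    """First-In-First-Out: one queue, arrival order, no classes."""
    return list(backlog)


def priority_queuing(backlog, rank):
    """All packets of a higher-priority class (lower rank) go before any of a lower one;
    while the high class stays backlogged, lower classes get nothing."""
    queues = defaultdict(list)
    for p in backlog:
        queues[p.cls].append(p)
    out = []
    for cls in sorted(queues, key=rank.__getitem__):
        out.extend(queues[cls])
    return out


def class_based_queuing(backlog, quantum):
    """Round robin over classes, sending up to quantum[cls] bytes per class per round
    (deficit round robin: unused credit carries over while the class stays backlogged)."""
    queues = {cls: deque(p for p in backlog if p.cls == cls) for cls in quantum}
    deficit = {cls: 0 for cls in quantum}
    out = []
    while any(queues.values()):
        for cls, q in queues.items():
            if not q:
                deficit[cls] = 0          # an idle class does not bank credit
                continue
            deficit[cls] += quantum[cls]
            while q and q[0].length <= deficit[cls]:
                p = q.popleft()
                deficit[cls] -= p.length
                out.append(p)
    return out


def weighted_fair_queuing(backlog, weight):
    """Packets are sent in order of virtual finish time F = previous F of the flow + length/weight,
    so each flow gets a share proportional to its weight and small packets finish first."""
    finish = defaultdict(float)
    tagged = []
    for p in backlog:
        finish[p.cls] += p.length / weight[p.cls]
        tagged.append((finish[p.cls], p.seq, p))
    return [p for _, _, p in sorted(tagged)]


def first_position(order, cls):
    """Index at which a class first gets the link, i.e. how long it waited."""
    return next(i for i, p in enumerate(order) if p.cls == cls)


# Constructed backlog: 1500-byte data frames alternating with 60-byte voice packets.
BACKLOG = [Pkt("data" if i % 2 == 0 else "voice", 1500 if i % 2 == 0 else 60, i) for i in range(8)]


if __name__ == "__main__":
    for name, order in [
        ("FIFO", fifo(BACKLOG)),
        ("PQ", priority_queuing(BACKLOG, {"voice": 0, "data": 1})),
        ("CBQ", class_based_queuing(BACKLOG, {"voice": 100, "data": 1500})),
        ("WFQ", weighted_fair_queuing(BACKLOG, {"voice": 1, "data": 10})),
    ]:
        print(f"{name:4} {' '.join(p.cls[0] for p in order)}  first data packet at {first_position(order, 'data')}")
```

    With equal weights WFQ still sends all four 60-byte voice packets before the first 1500-byte frame, because their finish times are smaller; giving data ten times the weight of voice interleaves the two, which is the knob an operator turns instead of strict priority when no class may be starved.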

  • Token Bucket Model
    Main parameters:
    - Token arrival rate: v
    - Bucket depth: Bc
    - Time interval: Tc
    - Link capacity: C
    The token bucket characterizes a traffic source; Tc = Bc / v

  • Excess Burst (Be), Cisco Implementation
    CAR allows RED-like behaviour:
    - Traffic fitting into Bc always conforms
    - Traffic fitting into Be conforms with a probability proportional to the amount of tokens left in the bucket
    - Traffic not fitting into Be always exceeds
    CAR uses the following parameters:
    - t: time period since the last packet arrival
    - Current debt (Dcur): amount of debt incurred during the current time interval
    - Compound debt (Dcomp): sum of all Dcur since the last drop
    - Actual debt (Dact): amount of tokens currently borrowed

  • Excess Burst (Be), Cisco Implementation: CAR Algorithm (flowchart)
    A packet of length L arrives:
    1. If Bccur - L >= 0: conform action, Bccur = Bccur - L.
    2. Otherwise borrow: Dcur = L - Bccur; Bccur = 0; Dcomp = Dcomp + Dcur; Dact = Dact + Dcur - v*t (the tokens that arrived during t repay borrowed tokens).
    3. If Dact > Be: exceed action.
    4. Else if Dcomp > Be: exceed action and Dcomp = 0.
    5. Else: conform action.

  • Policing Configuration Sample (CAR based)

    ip cef
    !
    interface serial 2/1
     ip unnumbered loopback 0
     rate-limit output access-group 100 64000 8000 16000 conform-action transmit exceed-action drop
    !
    interface serial 2/2
     ip unnumbered loopback 0
     rate-limit input 128000 16000 32000 conform-action transmit exceed-action drop
    !
    access-list 100 permit tcp host 10.0.0.1 any eq www

    rate-limit arguments: rate in bit/s, normal burst (Bc) in bytes, extended burst in bytes; the IOS keyword is exceed-action.
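    A policer that behaves as the token bucket and CAR excess-burst slides describe, as an added example that is not part of the original presentation or of IOS. Traffic within Bc always conforms; beyond it the packet borrows tokens, the borrowed amount accumulates as actual debt and the sum of actual debts since the last drop as compound debt, and the packet is dropped either because actual debt would pass Be or, RED-like, because compound debt passed Be (which then resets). Assumptions of this model: new tokens first repay actual debt before refilling the bucket, a dropped packet is not charged any debt, and Be is the allowance beyond Bc (IOS takes the extended burst as an absolute size not smaller than the normal burst, so the slide's 8000/16000 corresponds to Bc = 8000, Be = 8000 here). The two constructed traffic patterns exercise the burst and the steady-state cases.

```python
class CarPolicer:
    """Token-bucket policer with a Cisco-CAR-style extended burst (model, not IOS code).

    rate_bps : token arrival rate v, in bit/s
    bc_bytes : normal burst, the bucket depth Bc
    be_bytes : extended burst allowance beyond Bc (assumption, see lead-in)
    """

    def __init__(self, rate_bps: float, bc_bytes: int, be_bytes: int):
        self.v = rate_bps / 8.0          # tokens (bytes) per second
        self.bc = float(bc_bytes)
        self.be = float(be_bytes)
        self.tokens = float(bc_bytes)    # the bucket starts full
        self.dact = 0.0                  # actual debt: tokens currently borrowed
        self.dcomp = 0.0                 # compound debt: sum of actual debts since the last drop
        self.last = 0.0                  # arrival time of the previous packet

    def arrive(self, t: float, length: int) -> str:
        """Classify a packet of `length` bytes arriving at time t as 'conform' or 'exceed'."""
        earned = self.v * max(0.0, t - self.last)      # tokens that arrived during the interval t
        self.last = max(self.last, t)
        repaid = min(earned, self.dact)                # new tokens first repay borrowed ones
        self.dact -= repaid
        self.tokens = min(self.bc, self.tokens + earned - repaid)
        if length <= self.tokens:                      # fits into Bc: always conforms
            self.tokens -= length
            return "conform"
        borrow = length - self.tokens                  # the current debt Dcur
        dact_new = self.dact + borrow
        if dact_new > self.be:                         # does not fit into Be: always exceeds
            return "exceed"
        dcomp_new = self.dcomp + dact_new
        if dcomp_new > self.be:                        # inside Be: RED-like drop, compound debt reset
            self.dcomp = 0.0
            return "exceed"
        self.tokens = 0.0                              # borrow the shortfall and conform
        self.dact = dact_new
        self.dcomp = dcomp_new
        return "conform"


def police(policer: CarPolicer, arrivals):
    """Run (time, length) arrivals through the policer and count the verdicts."""
    counts = {"conform": 0, "exceed": 0}
    for t, length in arrivals:
        counts[policer.arrive(t, length)] += 1
    return counts


# Constructed traffic against an 8 kbit/s policer with Bc = 500 bytes and Be = 1000 bytes:
# a burst of twenty 100-byte packets at t = 0, and a steady flow at exactly the configured rate.
BURST = [(0.0, 100)] * 20
STEADY = [(i * 0.1, 100) for i in range(50)]       # 100 bytes every 100 ms = 8000 bit/s


if __name__ == "__main__":
    print("burst :", police(CarPolicer(8000, 500, 1000), BURST))      # {'conform': 14, 'exceed': 6}
    print("steady:", police(CarPolicer(8000, 500, 1000), STEADY))     # {'conform': 50, 'exceed': 0}
    print("no Be :", police(CarPolicer(8000, 500, 0), BURST))         # {'conform': 5, 'exceed': 15}
```

    With Be = 0 the policer degenerates to the plain token bucket of the previous slide: five packets fit into Bc and the other fifteen are dropped at once. With Be = 1000 the drops are spread through the burst as the compound debt climbs and resets, which is the behaviour that lets TCP senders back off gradually instead of all at once.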

  • Random Early Detection (RED)
    - Starts randomly dropping packets before actual congestion occurs
    - Keeps the average queue depth low
    - Increases average throughput
    - Developed by Sally Floyd and Van Jacobson (1993)

  • Cisco AutoQoS Framework: MLPPP Link Fragmentation and Interleaving (figure)
    Two 10 Mbit/s Ethernet LANs joined by a slow WAN link: a 60-byte voice packet is generated every 20 ms but queues behind 1500-byte data frames, each of which adds ~214 ms of serialization delay (1500 bytes at 56 kbit/s), so voice packets leave every >214 ms.
    - Problem: large packets freeze out voice
    - Benefit: reduce the jitter in voice calls
    - Implemented via Multilink PPP (MLP) over FR, ATM and leased lines
    - Fragments are interleaved with the real-time packets, reducing the serialization delay experienced by voice packets

  • Link Fragmentation and Interleaving (LFI): for links < 128 kbit/s

  • Link Fragmentation and Interleaving (LFI)
    Supported interfaces:
    - Multilink PPP
    - Frame Relay DLCI
    - ATM VC

  • LFI Configuration Sample (MLP version)

    interface virtual-template 1
     ip unnumbered loopback 0
     ppp multilink
     ppp multilink interleave
     ppp multilink fragment-delay 30
     ip rtp interleave 16384 1024 512

  • FR Fragmentation and Prioritization

    interface Serial0/0
     mtu 1600
     encapsulation frame-relay
     frame-relay fragment 160 end-to-end
     frame-relay interface-queue priority
    !
    interface Serial0/0.116 point-to-point
     ip unnumbered Loopback0
     frame-relay interface-dlci 116
      class HI
    !
    map-class frame-relay HI
     frame-relay interface-queue priority high
    !
    map-class frame-relay LO
     frame-relay interface-queue priority low

    Speaker notes

    I don't do that - negotiation protocol.

    Challenge Handshake Authentication Protocol (CHAP). Provides a 3-way handshake: the station sends a challenge message to the remote; the remote replies with a value computed with a one-way hash function; if the reply matches the station's own calculation, authentication is acknowledged. Variable challenge for security. CHAP is preferred over PAP.

    CHAP is used to periodically verify the identity of the remote node using a three-way handshake. This is done upon initial link establishment and can be repeated any time after the link has been established. After the Point-to-Point Protocol (PPP) link establishment phase is complete, the access server sends a challenge message to the remote node. The remote node responds with a value calculated using a one-way hash function (typically MD5). The access server checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise the connection is terminated immediately. CHAP provides protection against playback attacks through the use of a variable challenge value that is unique and unpredictable. The use of repeated challenges is intended to limit the time of exposure to any single attack. The access server (or a third-party authentication server such as TACACS) is in control of the frequency and timing of the challenges.

    PAP (Password Authentication Protocol) sends passwords in the clear. CHAP (Challenge Handshake Authentication Protocol) sends a hash value (a 128-bit MD5 digest of the identifier, the secret and the challenge) instead of the password in the clear. PAP requires that two username entries be configured, ours and theirs (assuming both sides are performing PAP). Otherwise they are similar, except that opposite sides initiate.

    The Password Authentication Protocol (PAP) provides a simple method for a remote node to establish its identity using a two-way handshake. This is done only upon initial link establishment. After the PPP link establishment phase is complete, a username/password pair is repeatedly sent by the remote node to the access server until authentication is acknowledged or the connection is terminated. PAP is not a strong authentication method. Passwords are sent across the link in clear text and there is no protection from playback or repeated trial-and-error attacks. The remote node is in control of the frequency and timing of the login attempts.

    RFC 1334: "The Password Authentication Protocol (PAP) provides a simple method for the peer to establish its identity using a 2-way handshake. This is done only upon initial link establishment. After the Link Establishment phase is complete, an Id/Password pair is repeatedly sent by the peer to the authenticator until authentication is acknowledged or the connection is terminated. PAP is not a strong authentication method. Passwords are sent over the circuit 'in the clear', and there is no protection from playback or repeated trial and error attacks. The peer is in control of the frequency and timing of the attempts. Any implementations which include a stronger authentication method (such as CHAP, described below) MUST offer to negotiate that method prior to PAP."

    PROPRIETARY VERSIONS

    Traffic can enter the DMX with or without VLAN tags; it can go from the DMX to the GEMs with 1 or 2 tags; the outer tag is translated to an MPLS label. At the other side of the GEMS network, the MPLS label is removed and may be replaced with a VLAN tag, a "stacked" VLAN tag, or nothing.