Module 2: TCP/IP As a Solution for Networking

Upload: adrian-charles

Post on 23-Dec-2015


Page 1: Module 2: TCP/IP As a Solution for Networking. Overview Introducing TCP/IP Designing a Functional TCP/IP Solution Securing a TCP/IP Solution Enhancing

Module 2: TCP/IP As a Solution for Networking

Page 2

Overview

Introducing TCP/IP

Designing a Functional TCP/IP Solution

Securing a TCP/IP Solution

Enhancing a TCP/IP Design for Availability

Optimizing a TCP/IP Design for Performance

Page 3

Organizations are facing a growing need for Internet connectivity, and connectivity between dissimilar operating systems and hardware platforms spread over large geographic distances. Because Transmission Control Protocol/Internet Protocol (TCP/IP) operates on a wide variety of physical networks and can be scaled to suit small to large networks, it is the only protocol that can meet the requirements of these organizations.

Page 4

At the end of this module, you will be able to:

Identify the features of TCP/IP in Microsoft® Windows® 2000 and the functionality provided by those features.

Recognize the IP address structure appropriate for private or public network TCP/IP functionality.

Describe methods available to secure TCP/IP data traffic.

Describe strategies to improve the availability of TCP/IP routing structures.

Describe strategies for efficient use of IP traffic data transmission.

Page 5

Introducing TCP/IP

TCP/IP Protocol Suite

Design Decisions for a TCP/IP Solution

TCP/IP Features

Page 6

TCP/IP operates on a wide variety of physical networks and can be scaled to suit small to large networks. IP is the protocol used for communications on public networks such as the Internet.

To design a TCP/IP network infrastructure, you need to:

Describe the components of the TCP/IP protocol suite.

Determine the design decisions influencing a TCP/IP solution.

Describe the features and functionality provided by TCP/IP in Windows 2000.

Page 7

TCP/IP Protocol Suite

OSI Model         TCP/IP Model   TCP/IP Protocol Suite
7 Application     Application    Telnet, FTP, SMTP, DNS, RIP, SNMP
6 Presentation
5 Session
4 Transport       Transport      TCP, UDP
3 Network         Network        IP, ARP, ICMP, IGMP
2 Data link       Data link      Ethernet, Token Ring, Frame Relay, ATM
1 Physical        Physical

Page 8

The TCP/IP suite of protocols allows the design of a logical peer network by using an underlying physical network infrastructure. These vendor-independent protocols can be used to implement IP networks ranging from small local area networks (LANs) to large enterprise networks.

The Internet Engineering Task Force (IETF) continues to revise and improve the TCP/IP suite of protocols. Microsoft continuously updates the TCP/IP implementation to comply with the latest IETF standards.

The preceding illustration shows the mapping of the Open Systems Interconnection (OSI) seven-layer model to the TCP/IP four-layer model, and the major components of the TCP/IP suite. The OSI layer one and two infrastructure is considered to be in place for any design considerations in this module.

Page 9

Design Decisions for a TCP/IP Solution

Number of Hosts?

Addressing Structure Needs?

Number of Subnets and Routers?

Underlying Network Configuration?

Diagram: a mixed network of Microsoft Windows 98, Microsoft Windows NT® and Windows 2000 hosts, a network printer, a Windows 2000–based router, a UNIX system, a router, an IBM mainframe and an Internet connection.

Page 10

Windows 2000 uses TCP/IP for authentication processes, file and print services, information replication, and other common network functions such as communication in heterogeneous, multiple-vendor networks. Before you design a TCP/IP solution, you must identify the design decisions that influence the design.

Page 11

To design a TCP/IP solution, you need to analyze:

The number of hosts requiring IP connectivity.

The requirement for public and/or private IP addressing.

The number of physical subnets and routers.

The OSI layer 1 and 2 network configuration.

Page 12

TCP/IP Features

Security

Bandwidth Management

Automatic Private IP Addressing

ICMP Router Discovery

Disabling NetBIOS over TCP/IP

Performance Improvement

Page 13

To design an effective TCP/IP solution, you must understand the features of TCP/IP and how these features solve the connectivity requirements of your organization.

TCP/IP Features

Page 14

Security

TCP/IP allows enhanced data and connection security by supporting a number of IETF-proposed standards for data encryption, authentication, and filtering. The Windows 2000 implementation of TCP/IP supports Internet Protocol Security (IPSec) and TCP/IP filtering for packet-level authentication and data encryption, and for filtering data.

Page 15

Bandwidth Management

Time-sensitive IP traffic streams such as streaming multimedia require connection protocols that provide bandwidth reservation within a network. TCP/IP supports bandwidth reservation by using Quality of Service (QoS) mechanisms, which allow IP traffic to be prioritized.

Page 16

Automatic Private IP Addressing

Automatic Private IP Addressing (APIPA) automates TCP/IP address configuration for hosts on a single-subnet network that has no DHCP server. APIPA eliminates IP address configuration for simple networks not connected to the Internet. The IP addresses for APIPA are allocated from 169.254.0.0/16, which is reserved by the Internet Assigned Numbers Authority (IANA).

Page 17

Performance Improvement

The following features of TCP/IP have been enhanced to improve the performance of TCP/IP solutions.

Large TCP Windows. TCP window size reflects the maximum number of packets that can be sent without waiting for positive acknowledgment. TCP window scaling (RFC 1323) improves TCP/IP performance when a large amount of data is in transit between the sender and receiver, such as in wide area network (WAN) environments.

TCP Selective Acknowledgment. A selective acknowledgment (SACK) is a TCP option (RFC 2018) that allows the receiver to selectively notify and request that the sender resend only data that is actually missing. This results in smaller amounts of data requiring retransmission and in better use of network bandwidth.
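The two performance features above are easier to reason about with numbers. The following Python is an added example written for this transcript, not course material from Microsoft: it computes the bandwidth-delay product of a WAN path, the RFC 1323 window scale shift needed to cover it (the window field is counted in bytes, as RFC 1323 defines it), the throughput ceiling of an unscaled 64 KB window, and the difference between a cumulative-acknowledgment retransmission and a SACK-guided one. The link speeds, round-trip time and lost-segment numbers are constructed sample values.

```python
def bandwidth_delay_product(bandwidth_bps, rtt_ms):
    """Bytes that must be in flight to keep a path busy: bandwidth x round-trip time."""
    return bandwidth_bps * rtt_ms // 8000


def window_scale_shift(window_bytes):
    """RFC 1323 shift count that lets the 16-bit window field express window_bytes."""
    shift = 0
    while (65535 << shift) < window_bytes:
        shift += 1
    if shift > 14:
        raise ValueError("RFC 1323 limits the window scale shift to 14")
    return shift


def max_throughput_bps(window_bytes, rtt_ms):
    """Throughput ceiling when at most window_bytes can be unacknowledged per RTT."""
    return window_bytes * 8000 // rtt_ms


def segments_to_resend(sent, received, sack):
    """Segments the sender retransmits after a loss, with or without SACK.

    `sent` is the ordered list of segment numbers in flight, `received` the set
    that reached the receiver. Without SACK the receiver can only acknowledge
    the contiguous prefix, so everything after the first gap is resent.
    """
    received = set(received)
    highest_contiguous = 0
    for seg in sent:
        if seg in received and seg == highest_contiguous + 1:
            highest_contiguous = seg
        else:
            break
    if sack:
        return [seg for seg in sent if seg not in received]
    return [seg for seg in sent if seg > highest_contiguous]


if __name__ == "__main__":
    # Constructed WAN figures: a T1 (1.544 Mbps) and a 100 Mbps link, both with 100 ms RTT.
    for bps in (1_544_000, 100_000_000):
        bdp = bandwidth_delay_product(bps, 100)
        print(f"{bps:>11} bps, 100 ms RTT: BDP {bdp} bytes, scale shift {window_scale_shift(bdp)}")
    print("unscaled 64 KB window, 100 ms RTT caps throughput at", max_throughput_bps(65535, 100), "bps")
    # Constructed loss pattern: segments 1..10 sent, 3 and 7 lost.
    lost = {3, 7}
    arrived = [s for s in range(1, 11) if s not in lost]
    print("resend without SACK:", segments_to_resend(list(range(1, 11)), arrived, sack=False))
    print("resend with SACK:   ", segments_to_resend(list(range(1, 11)), arrived, sack=True))
```

On the T1 the bandwidth-delay product fits inside an unscaled window, so scaling buys nothing; on the 100 Mbps path the unscaled window caps throughput at about 5 Mbps and a shift of 5 is required. With two segments lost out of ten, SACK resends two segments where cumulative acknowledgment resends eight.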

Page 18

ICMP Router Discovery

Windows 2000-based computers running Routing and Remote Access support Internet Control Message Protocol (ICMP) router discovery (RFC 1256). This allows a host to discover a router automatically even when no default gateway is configured for the host. ICMP router discovery is disabled by default on TCP/IP for Windows 2000 hosts, and is managed by using DHCP.

Page 19

Disabling NetBIOS over TCP/IP

Windows 2000 allows you to disable network basic input/output system (NetBIOS) over TCP/IP (NetBT) for computers that use only DNS name registration and resolution. These computers can browse resources only on those computers that:

Have NetBT disabled.

Use the Client for Microsoft Networks and File and Print Sharing for Microsoft Networks components.

Page 20

Disabling NetBIOS over TCP/IP (continued)

Page 21

Disabling NetBIOS over TCP/IP (continued)

Tip: When creating custom templates, select function-based names for the templates. Function-based names allow users to easily select the proper certificates based on the tasks that the user is performing at that time.

Page 22

Designing a Functional TCP/IP Solution

Reviewing IP Addressing

IP Addressing for a Private Network

IP Address Subnet Requirements

IP Configuration Methodology

Discussion: Evaluating TCP/IP Functional Requirements

Page 23

To determine the appropriate TCP/IP infrastructure, you must evaluate your Internet accessibility needs, the use of routers, and public address availability. To allow peer-to-peer communication, all hosts in a TCP/IP network require unique IP addresses. IP supports a 32-bit address structure, publicly administered by a standards body (IETF), which can be used to implement both public and private address structures.

Page 24

In designing a functional IP network, you need to consider:

The IP address and mask configuration.

The addressing structures for private network operation.

The addressing structures to allow subnet routing.

A methodology for a consistent design of IP networks.

Page 25

Reviewing IP Addressing

Class B address:       172.100.10.1
Class B default mask:  255.255.0.0
Subnet mask:           255.255.240.0 (classless notation: 172.100.10.1/20)

Fields under the subnet mask: Network | Subnet | Host

Addressing Structures

Subnet Masks

Page 26

Each TCP/IP host is identified by a logical IP address. This address is unique for each host that communicates by using TCP/IP. Because IP addresses identify devices on a network, you must assign a unique IP address to each device on the network. The standard for IP addressing is referred to as IP version 4 (v4). The standard uses a 32-bit address field and 32-bit mask field.

Page 27

Addressing Structures

Depending on the routing protocols used, you can specify IP addresses based on:

Classes (A, B, C) with an associated default mask.

Classes with variable length subnet masks (VLSM).

Classless Inter-Domain Routing (CIDR) with a specified prefix length.

Page 28

Class-based networks support a single subnet mask, and are suitable for networks routed by using Routing Information Protocol (RIP) version 1. VLSM and CIDR support multiple masks or prefixes per network. Both VLSM and CIDR require routers that support more advanced interior routing protocols such as RIP version 2 and Open Shortest Path First (OSPF).

Page 29

Reviewing IP Addressing - Class-based addresses

The following table lists the class-based addresses.

Address Class   Address Range         Default Mask      Purpose
A               1-126.xxx.xxx.xxx     255.000.000.000   Host/Network
B               128-191.xxx.xxx.xxx   255.255.000.000   Host/Network
C               192-223.xxx.xxx.xxx   255.255.255.000   Host/Network
D               224-239.xxx.xxx.xxx   None              Multicast groups
E               240-255.xxx.xxx.xxx   None              Experimental

Page 30

Subnet Masks

Class-based IP addresses are split into two portions: the network and host address fields. The subnet mask allows the derivation of network and host fields of the IP address. The network field is required to make routing decisions.

Note: When using class-based addresses and VLSM, you cannot decrease the number of bits that determine the network address below the number that is assigned to the default subnet mask.
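To make the class table, the Network/Subnet/Host split and the note above concrete, here is an added Python example (written for this transcript, not Microsoft course code). It classifies an address, converts a dotted mask to a prefix length while rejecting non-contiguous masks, splits the address into the three fields, counts the subnets and usable hosts the mask yields, and refuses a VLSM mask shorter than the class default, which is exactly the restriction the note states. The sample address and mask are the ones on the "Reviewing IP Addressing" slide.

```python
import ipaddress

# Sample from the "Reviewing IP Addressing" slide: a Class B address
# with a 255.255.240.0 subnet mask (172.100.10.1/20).
SAMPLE_ADDRESS = "172.100.10.1"
SAMPLE_MASK = "255.255.240.0"

# Class-based ranges keyed on the first octet, with the default prefix length.
# Classes D and E carry no network/host split, so their default prefix is None.
CLASS_TABLE = (
    ("A", 1, 126, 8),
    ("B", 128, 191, 16),
    ("C", 192, 223, 24),
    ("D", 224, 239, None),
    ("E", 240, 255, None),
)

ALL_ONES = 0xFFFFFFFF


def address_class(address):
    """Return (class letter, default prefix length) for a dotted IPv4 address."""
    first_octet = int(ipaddress.IPv4Address(address)) >> 24
    for letter, low, high, default_prefix in CLASS_TABLE:
        if low <= first_octet <= high:
            return letter, default_prefix
    return None, None  # 0.x.x.x and 127.x.x.x are outside the classful table


def mask_to_prefix(mask):
    """Convert a dotted mask to a prefix length, rejecting non-contiguous masks."""
    value = int(ipaddress.IPv4Address(mask))
    prefix = bin(value).count("1")
    if value != (ALL_ONES << (32 - prefix)) & ALL_ONES:
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return prefix


def split_address(address, mask):
    """Split an address into network, subnet and host fields (classful + VLSM view).

    Enforces the slide's note that a VLSM mask may not be shorter than the
    class default, and returns the subnet and usable host counts.
    """
    letter, default_prefix = address_class(address)
    if default_prefix is None:
        raise ValueError(f"{address} is class {letter}, which has no network/host split")
    prefix = mask_to_prefix(mask)
    if prefix < default_prefix:
        raise ValueError(f"/{prefix} borrows bits from the class {letter} network field (/{default_prefix})")
    addr_int = int(ipaddress.IPv4Address(address))
    subnet_bits = prefix - default_prefix
    host_bits = 32 - prefix
    network_int = addr_int & ((ALL_ONES << (32 - default_prefix)) & ALL_ONES)
    subnet_int = addr_int & ((ALL_ONES << host_bits) & ALL_ONES)
    return {
        "class": letter,
        "default_prefix": default_prefix,
        "prefix": prefix,
        "network": str(ipaddress.IPv4Address(network_int)),
        "subnet_address": str(ipaddress.IPv4Address(subnet_int)),
        "subnet_bits": subnet_bits,
        "subnet_id": (addr_int >> host_bits) & ((1 << subnet_bits) - 1),
        "host_bits": host_bits,
        "host_id": addr_int & ((1 << host_bits) - 1),
        "subnets": 1 << subnet_bits,
        # The all-zeros and all-ones host ids are reserved in every subnet.
        "hosts_per_subnet": (1 << host_bits) - 2,
    }


def mask_is_valid_for(address, mask):
    """True when the mask is contiguous and not shorter than the class default."""
    try:
        split_address(address, mask)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for key, value in split_address(SAMPLE_ADDRESS, SAMPLE_MASK).items():
        print(f"{key:>16}: {value}")
```

For the slide's 172.100.10.1/20 the four bits borrowed from the host field give 16 subnets of 4094 usable hosts; the address sits in subnet 0 with host id 2561. The same function rejects 255.240.0.0 for a Class B address because it would shorten the network field below /16.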

Page 31

IP Addressing for a Private Network

Public scheme

Use:
• Large number of hosts require direct Internet access
• Sufficient number of registered public addresses exist for private network hosts

Pros:
• Addresses are owned
• All hosts are Internet accessible

Cons:
• Costly to lease
• Restricted growth
• Can be insecure

Private scheme

Use:
• Few hosts require direct Internet access
• Sufficient number of registered public addresses do not exist for private network hosts

Pros:
• Inexpensive
• Unrestricted growth
• Secure

Cons:
• Requires a network filtering device for public access
• Still requires some public addresses

Page 32

When designing an IP network, you must determine whether a public or a private address strategy is best for the majority of network hosts. Hosts that are not directly connected to the Internet can be assigned either a public or private address, but if connection to the Internet is required, at least one public IP address is essential.

Page 33

Public Addressing Schemes

Hosts connected directly to the Internet require a public, globally unique IP address. Any network connected to the Internet has a minimum of one public address for Internet connectivity.

To enhance security, a private network that uses public addresses, and is connected to the Internet, requires isolation from the Internet by a firewall, a screened subnet, or a packet-filtering router.

Use a public addressing scheme if the organization has:

A large number of hosts that require direct Internet access.

A sufficient number of registered public addresses that can be assigned to all network hosts.

Page 34

If the network design requires that a large number of IP addresses be accessible from the Internet, you must obtain a suitable range of public IP addresses. You can apply for public IP addresses from an Internet service provider (ISP) or Internet registry. Acquiring a large number of public addresses is expensive to maintain and in most cases unnecessary.

Organizations that use a public addressing scheme must also anticipate their network growth. The total number of addresses available can restrict network growth. After you assign all of the public addresses, you cannot add additional devices to the network unless more public addresses are acquired.

Page 35

Private Addressing Schemes

Most organizations do not require each host to be accessible from the Internet. Network security is improved by preventing direct Internet access for hosts on the private network.

Use a private addressing scheme if the organization has:

Few hosts that require direct Internet access.

Insufficient public addresses for all private network hosts.

Using a private addressing scheme for the intranet is inexpensive and can be designed to accommodate virtually unlimited network growth.

Page 36

In your network design, include a firewall and a network address translation (NAT) device to act as an intermediary between the organization's private network and the Internet. The only IP address directly addressable from the Internet is the external IP address of the NAT device.

RFC 1918 lists the IP address ranges that are reserved by the IETF and available for use in private addressing schemes.

Page 37

In addition to the addresses in RFC 1918, IANA allows the use of 169.254.0.0/16 for private addressing.

Note: Any IP address may be used on a private network that is isolated from the Internet by the use of a NAT device. The use of the addresses shown in RFC 1918 is recommended because these addresses are not routed on the Internet.
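A private addressing scheme is only as good as its enforcement, so an added Python example follows (written for this transcript, not Microsoft course code). It classifies an address as RFC 1918 private (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), APIPA (169.254.0.0/16) or public, then audits a constructed host inventory: an APIPA address on an internal host means it never obtained a DHCP lease, and a non-RFC 1918 address on anything other than the NAT device's external interface is either a configuration error or an address the organization does not own. The host names and addresses are constructed sample data.

```python
import ipaddress

# RFC 1918 private blocks plus the IANA-reserved APIPA block named on the slide.
RFC1918_BLOCKS = tuple(ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
APIPA_BLOCK = ipaddress.ip_network("169.254.0.0/16")


def classify(address):
    """Return 'rfc1918', 'apipa' or 'public' for a dotted IPv4 address."""
    ip = ipaddress.IPv4Address(address)
    if any(ip in block for block in RFC1918_BLOCKS):
        return "rfc1918"
    if ip in APIPA_BLOCK:
        return "apipa"
    return "public"


# Constructed host inventory (hostname, address), as an administrator might export
# it from DHCP leases and static assignments. Addresses are illustrative only.
SAMPLE_INVENTORY = (
    ("dhcp01", "172.20.32.10"),
    ("ws-101", "172.20.33.57"),
    ("ws-102", "169.254.203.14"),  # self-assigned: this client never reached a DHCP server
    ("print01", "192.0.2.25"),     # a non-RFC 1918 address configured on an internal printer
    ("nat-ext", "198.51.100.7"),   # the NAT device's external interface, legitimately public
)


def audit_inventory(inventory, expected_public=()):
    """Flag hosts whose address contradicts a private addressing scheme.

    An APIPA address on a routed network means the host has no default gateway
    and could not obtain a lease; a public address on an internal host is
    either a typo or an address the organization does not own.
    """
    findings = []
    for name, address in inventory:
        kind = classify(address)
        if kind == "apipa":
            findings.append((name, address, "APIPA address: host did not obtain a DHCP lease"))
        elif kind == "public" and name not in expected_public:
            findings.append((name, address, "public address on an internal host"))
    return findings


if __name__ == "__main__":
    for name, address, reason in audit_inventory(SAMPLE_INVENTORY, expected_public={"nat-ext"}):
        print(f"{name:<8} {address:<16} {reason}")
```

Run against the sample inventory with the NAT interface whitelisted, the audit reports ws-102 (APIPA) and print01 (public address inside the private network) and nothing else.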

Page 38

IP Address Subnet Requirements

Identify the number of hosts per subnet. Limits:
  Network design specifications
  Router or IP switch capacity
  Future growth

Identify the number of subnets. Limits:
  Subnet for each remote connection
  Overloaded segments
  Future growth

Diagram: the subnet mask divides the address 135.100.240.20 into Network, Subnet and Host fields; moving the Subnet/Host boundary one way increases the number of subnets, the other way the number of hosts.

Page 39

An IP-routed network design requires that you examine the interrelationship between the number of hosts per subnet and the number of subnets. An IP-switched network design evaluates only the number of WAN connections.

Your network design must optimize the number of subnets and the number of hosts per subnet. In designing an IP network and selecting the masks required to permit routing, you may be limited by:

The number of physical subnets that exist.

The number of logical subnets that you can create.

The host population on both physical and logical subnets.

A good subnet mask design does not restrict expected growth in either the number of subnets or the number of hosts per subnet. You need to adjust the subnet mask to provide for expected host population and network growth.

Page 40

Limits on the Number of Hosts per Subnet

Consider the following in determining the number of hosts per subnet:

Network design specifications. Create your network design specifications to meet required performance goals. This requires analyzing the bandwidth utilization, broadcast domain size, routing configuration, distance vector delays, and application data flow requirements.

Router performance. Evaluate the number of hosts supported by any new or existing routers. To determine the maximum number of hosts supported per subnet, divide the total number of hosts on any LAN by the number of subnets supported by the router(s). If this number exceeds the host capacity of a subnet or limits performance, then redesign the network to increase the number of subnets.

Note: It may be necessary to test how many hosts you can support on a subnet before client performance is affected. These tests must use production applications.

Future growth. Examine the subnet mask to determine if the number of hosts per subnet provides for current needs, performance expectations, and future growth.

Page 41

Limits on the Number of Subnets

Use the following options to determine the validity of a subnet mask in an IP-routed network:

Subnet for each WAN connection. Examine the network design for any remote connectivity. To support routing, each remote connection requires a subnet.

Overloaded segments. Evaluate the number of hosts supported by any new or existing router. To determine the minimum number of routers required at any single location, divide the total number of hosts by the number of hosts optimally supported by the router.

Future growth. Examine the subnet mask to determine if the number of subnets and the number of hosts per subnet provide for growth. If possible, design for an excess of subnets, because router technology usually limits the number of hosts per subnet.

Page 42

IP Configuration Methodology

Manual Allocation: for non-DHCP hosts and/or hosts requiring fixed IP addresses

DHCP Manual: for servers in a client/server relationship; the IP address must be a fixed address

DHCP Dynamic: for clients in a client/server relationship; the IP address can fall within an address range

APIPA: for small, single-segment LANs where DHCP is unavailable

Page 43

Windows 2000 automates the process for providing a host IP address by using DHCP manual assignment, DHCP dynamic assignment, or APIPA automatic assignment. Depending upon the type of network device or client in your network, you can use any of these IP configuration methods.

Page 44

Manual Allocation

Some hosts on a network, such as special function servers, routers, and NAT devices, require manual configuration of the address, mask, and neighbor or gateway addresses. Server applications that assign IP addresses and resolve symbolic names to IP addresses require a fixed IP address, subnet mask, and default gateway.

Addresses are usually configured manually for DHCP servers, DNS servers, WINS servers, routers, and non-Microsoft hosts that do not support DHCP.

Page 45

DHCP Manual Method

A system administrator configures the address for a host in the DHCP database. The address is then issued to the host by using the Dynamic Host Configuration Protocol (DHCP). Use the manual configuration method for devices that function primarily as servers in a client/server relationship and require fixed IP addresses.

Page 46

DHCP Dynamic Method

DHCP leases addresses from a scope defined for each subnet. Use dynamic address allocation if the majority of clients on a network support this method and do not require fixed IP addresses.

Note: By setting the lease time to infinite, you can also use DHCP to configure clients with a permanent IP address. Setting the lease time to infinite provides flexibility in allocating permanent addresses where the host is DHCP-enabled.

Page 47

Automatic Private IP Addressing

Automatic Private IP Addressing (APIPA) allows a computer running Windows 2000 in a small, single-segment network to select an IP address automatically when DHCP is not available.

Note: The APIPA address is selected from the IANA-reserved address block 169.254.0.0/16. APIPA does not provide a default gateway IP address to the client and as a result, the client cannot operate in a routed network.

Page 48

Discussion: Evaluating TCP/IP Functional Requirements

Diagram: four locations (Location A, Location B, Location C, Location D) joined by T1 and fractional T1 links, with host counts of 1311, 808, 655 and 129 hosts (the transcript does not preserve which count belongs to which location); the private network has an Internet connection.

Page 49

To design a functional TCP/IP solution for connecting networks, you must decide on the number of subnets required for each location, and the number of public and private IP addresses required for the design.

The following scenario describes an organization's current network configuration.

Page 50

Scenario

An organization has decided to restructure an existing TCP/IP network. You are assigned the task of evaluating the existing physical network and determining the design changes.

The current network configuration provides:

Intranet access to all shared folders and Web-based applications at all locations.

Access to the Internet from all locations.

Support for the existing networking infrastructure.

Support for the number of hosts per location as shown in the preceding diagram, which includes router interfaces and the proxy server intranetwork interface.

Support for a mission-critical Web-based application that requires 24-hours-a-day, 7-days-a-week operation.

Isolation of the organization's network from the Internet by using a combined firewall and proxy server.

Page 51

Design Requirements

Your assessment of the existing network configuration, and your investigation of the future configuration requirements, reveal the following design requirements that you must meet in your solution:

Existing configuration information. The configuration of the existing network is:

The network currently uses 172.20.0.0/16 as the private address block from which all host addresses are allocated.

The site routers' private network interfaces are currently configured as 172.20.32.0, 172.20.64.0, 172.20.96.0 and 172.20.128.0/19.

Company policy mandates that client computers are turned off when not in use, but servers and other network-related devices are left on.

Future configuration requirements. The required configuration for the future network is:

Private addressing will be used, based on the current private address block, and the site router interfaces will keep the same address and subnet mask.

New site routers are to be installed and these devices will restrict the host population per segment to 200 or less.
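One way to work the discussion exercise, as an added Python example (written for this transcript, not an answer key from the course): each /19 site block is carved into segments that respect the new routers' 200-host limit, the number of segments follows from the site's host count, and one /30 per WAN connection is allocated from a part of 172.20.0.0/16 that the scenario leaves unassigned. The pairing of host counts with site blocks and the choice of 172.20.0.0/19 as the WAN pool are assumptions, since the transcript does not preserve the diagram layout.

```python
import ipaddress
import math

# Values from the scenario slides: the private address block, the four /19 site
# router interfaces, and the 200-host-per-segment limit of the new site routers.
PRIVATE_BLOCK = ipaddress.ip_network("172.20.0.0/16")
SITE_BLOCKS = tuple(ipaddress.ip_network(s) for s in (
    "172.20.32.0/19", "172.20.64.0/19", "172.20.96.0/19", "172.20.128.0/19"))
MAX_HOSTS_PER_SEGMENT = 200

# Host counts from the discussion diagram. The transcript does not show which
# count belongs to which location, so this pairing is an assumption for the example.
SITE_HOSTS = {
    "172.20.32.0/19": 1311,
    "172.20.64.0/19": 808,
    "172.20.96.0/19": 655,
    "172.20.128.0/19": 129,
}


def prefix_for_hosts(hosts):
    """Longest prefix whose subnet still offers at least `hosts` usable addresses."""
    host_bits = 2  # a /30 is the smallest subnet with usable host addresses
    while (1 << host_bits) - 2 < hosts:
        host_bits += 1
    return 32 - host_bits


def plan_site(site, host_count, max_per_segment=MAX_HOSTS_PER_SEGMENT):
    """Carve a site's /19 into equal segments that respect the router's host limit."""
    site_net = ipaddress.ip_network(site)
    if not site_net.subnet_of(PRIVATE_BLOCK):
        raise ValueError(f"{site} lies outside {PRIVATE_BLOCK}")
    segments = math.ceil(host_count / max_per_segment)
    prefix = prefix_for_hosts(max_per_segment)
    available = list(site_net.subnets(new_prefix=prefix))
    if segments > len(available):
        raise ValueError(f"{site} cannot hold {segments} segments of /{prefix}")
    return {
        "segments": segments,
        "prefix": prefix,
        "assigned": [str(s) for s in available[:segments]],
        "spare_subnets": len(available) - segments,  # headroom for future growth
    }


def plan_wan_links(count, pool="172.20.0.0/19"):
    """Allocate one /30 per WAN connection from an unused part of the private block.

    The pool is an assumption: the scenario leaves 172.20.0.0/19 unassigned.
    """
    subnets = ipaddress.ip_network(pool).subnets(new_prefix=30)
    return [str(next(subnets)) for _ in range(count)]


def plan_all(site_hosts=SITE_HOSTS):
    return {site: plan_site(site, hosts) for site, hosts in site_hosts.items()}


if __name__ == "__main__":
    for site, plan in plan_all().items():
        print(f"{site}: {plan['segments']} segments of /{plan['prefix']}, {plan['spare_subnets']} spare")
    print("WAN links:", plan_wan_links(3))
```

A 200-host ceiling needs 8 host bits, so each segment is a /24; the 1311-host site needs 7 of the 32 /24 subnets inside its /19 and keeps 25 spare, which is the growth margin the "Limits on the Number of Subnets" slide asks for.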

Page 52

Securing a TCP/IP Solution

Protecting IP Traffic with Filters

Protecting Data with IPSec

IPSec Protection Levels

IPSec Internet Key Exchange

Page 53

The security of a network design is measured by the ability of the design to prevent unauthorized access to data transmission and intranet-based resources.

TCP/IP incorporates security features that provide protection of the TCP/IP data as it is sent on the network, along with configuration of the types of local host traffic that are processed.

Page 54

You can secure data traffic by:

Filtering IP packets within the TCP/IP protocol.

Encrypting data with IPSec.

Authenticating and encrypting data with the IPSec protection levels.

Using the security keys negotiated by the IPSec Internet Key Exchange (IKE).

Page 55

Protecting IP Traffic with Filters

Control Traffic to Dedicated Servers

Block All Inbound Traffic Unless Specified

Provide Filtering at the Application Layer

Page 56

Minimizing the protocols and ports exposed on a host can reduce the risk of unauthorized access. By using a firewall, you can filter IP traffic to minimize the risks. This type of filtering may be difficult to manage, particularly if many hosts have different filtering requirements. The Windows 2000 implementation of TCP/IP supports application layer filtering of IP traffic by allowing you to set filters on a host-by-host basis.

TCP/IP filtering blocks the delivery of any IP packets that do not conform to the preset criteria. You can use TCP/IP filtering for dedicated servers that provide services on well-known protocols, TCP ports, and User Datagram Protocol (UDP) ports. TCP/IP filtering does not apply to routed traffic that is forwarded between interfaces.

Page 57

Include TCP/IP filtering in your network design to:

Control traffic to dedicated servers.

Block all inbound traffic except that which you specifically list.

Provide filtering at the application layer.

Caution: In most situations, you permit all IP traffic. Evaluate the effect of any enabled TCP/IP filters to ensure proper computer operation. Enabling filtering is not recommended because it may restrict the operation of essential services.

Page 58

You can filter IP packets based on the following criteria:

TCP port number.

UDP port number.

IP protocol type (except for TCP, UDP, ICMP, IGMP or IPSec).

Page 59

Protecting Data with IPSec

IPSec Policies

Routing IPSec Traffic

Authentication and Encryption

[Slide diagram: Host A and Host B, each with a TCP/IP stack, an authentication and encryption policy, and an SA. Internet Key Exchange carries out the SA negotiations, after which encrypted IP packets flow between the hosts. Steps: 1. Check policy; 2. Negotiate SA; 3. Exchange data.]

Page 60

Data traffic on public and private IP networks may be confidential and require increased security. The security required can include both authentication of peers, and the encryption and authentication of data. You can use IPSec in your network design to provide data security. IPSec provides two functions to improve security:

Data integrity. Using an Authentication Header (AH) to provide source authentication and integrity without providing data encryption.

Data encryption. Using the Encapsulating Security Payload (ESP) to provide authentication and integrity, along with encryption.

You use IPSec with AH in the network design where only data integrity is required, or where the application layer already encrypts data. Use IPSec with ESP where both integrity and encryption are required.

Page 61

IPSec AH and ESP headers support tunnel mode and transport mode. In tunnel mode, the endpoints of the tunnel are specified, and data is encapsulated to traverse the tunnel. Transport mode does not specify endpoints because it communicates with more than one computer at a time.

Note: You can use IPSec tunnels for interoperability with other routers, gateways, or end-systems that do not support Layer Two Tunneling Protocol (L2TP)/IPSec or Point-to-Point Tunneling Protocol (PPTP) Virtual Private Network (VPN) tunneling technology.

Page 62

To exchange data between peers by using IPSec:

A policy must exist to define the IPSec parameters required.

An exchange between peers must occur to calculate the security keys; the result of that exchange is called a security association (SA). This process is called Internet Key Exchange (IKE).

Data is exchanged between peers by using the SA to control encryption for the session. The keys for the SA are recalculated based on the quantity of data exchanged or the time the connection is used.

Page 63

IPSec policies

Windows 2000 provides a set of predefined IPSec policies that define integrity and encryption options for computers that are members of a Windows 2000 domain. For computers that are not part of a Windows 2000 domain, you must define local policies for each participating computer. The following policies are predefined:

Client (Respond Only). Use this policy for computers that do not require IPSec except when requested by another computer. When defined, this policy enables the computer to respond appropriately to requests for secured communications. Only the requested protocol and port traffic for the communication are secured.

Server (Request Security). Use this policy for computers that secure communications most of the time. In this policy, the computer accepts unsecured traffic, but always attempts to secure additional communications by requesting security from the original sender. This policy allows the entire communication to be unsecured if the other computer is not IPSec-enabled.

Secure Server (Require Security). Use this policy for computers that always require secure communications. This policy rejects unsecured incoming communications. The outgoing traffic is always secured. Unsecured communication is not allowed, even if a peer is not IPSec-enabled.

Page 64

Only one of the policies may be assigned on a given computer, so your security plan must specify the required policy or define a custom policy. You can customize the predefined policies to meet the given security requirements.

Page 65

Routing IPSec Traffic

IPSec traffic uses particular ports and protocol numbers that can be routed transparently. For a security gateway, firewall, proxy server, router, or any server that is an access point from the private network to a public network where traffic filtering may be applied, you must define filters to ensure that packets secured with IPSec are not rejected. Routers or switches in the path between communicating computers simply forward the encrypted IP packets to their destination. However, a firewall, security router, or proxy server in the path may not forward IPSec and IKE traffic.

IPSec cannot be configured to work across a network address translator (NAT). Security negotiations cannot pass through a NAT device. The encrypted or signed portion of IKE negotiation messages contains IP addresses. A NAT cannot change these addresses because the NAT does not have the shared, secret key to either change the encrypted address within the message or change the unencrypted address, without invalidating the integrity check value (ICV).

Page 66

Define the following inbound and outbound filters for a public network interface if your design includes IPSec traffic through that interface:

IPSec Authentication Header traffic. Permit IP Protocol ID 51 (0x33).

IPSec Encapsulating Security Payload traffic. Permit IP Protocol ID 50 (0x32) and UDP port 500 (0x1F4) for Internet Security Association and Key Management Protocol (ISAKMP)/Oakley negotiation traffic.
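As an added example (not part of the course material), the permit list above expressed as a default-deny inbound filter that reads the protocol number and destination port from a raw IPv4 packet; the packets it is run on are constructed inside the block.

```python
"""Default-deny inbound filter for a public interface that must pass IPSec traffic.

Added example, not Microsoft's or any firewall product's implementation. It reads
just enough of a raw IPv4 packet to learn the IP protocol number and, for TCP/UDP,
the destination port, then permits only AH (51), ESP (50) and UDP/500 (ISAKMP/Oakley).
"""
import struct
from typing import Optional, Set, Tuple

IPPROTO_TCP, IPPROTO_UDP = 6, 17
IPPROTO_ESP, IPPROTO_AH = 50, 51        # 0x32 and 0x33
ISAKMP_PORT = 500                       # 0x1F4

# Permit list from the text: (protocol, destination port); None = any port.
IPSEC_PERMIT: Set[Tuple[int, Optional[int]]] = {
    (IPPROTO_AH, None),
    (IPPROTO_ESP, None),
    (IPPROTO_UDP, ISAKMP_PORT),
}


def classify(packet: bytes) -> Tuple[int, Optional[int]]:
    """Return (ip_protocol, dst_port) for a raw IPv4 packet.

    dst_port is None unless the payload is TCP or UDP. Malformed input raises
    ValueError so the caller drops it instead of guessing.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl, proto = packet[0], packet[9]   # protocol number lives at byte 9
    if version_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (version_ihl & 0x0F) * 4              # header length in bytes, >= 20
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        if len(packet) < ihl + 4:
            raise ValueError("truncated transport header")
        # TCP and UDP headers both begin with 16-bit source and destination ports.
        _src, dst = struct.unpack_from("!HH", packet, ihl)
        return proto, dst
    return proto, None


def permitted(packet: bytes, permit=IPSEC_PERMIT) -> bool:
    """Block all inbound traffic unless it matches a permit entry."""
    try:
        proto, dst = classify(packet)
    except ValueError:
        return False
    return (proto, None) in permit or (proto, dst) in permit


def build_ipv4(proto: int, payload: bytes = b"") -> bytes:
    """Constructed minimal IPv4 header (no options, checksum left zero) for test input."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([203, 0, 113, 5])) + payload


def build_transport(src_port: int, dst_port: int) -> bytes:
    """Constructed 8-byte transport header; the port fields are the same for TCP and UDP."""
    return struct.pack("!HHHH", src_port, dst_port, 8, 0)


if __name__ == "__main__":
    samples = {
        "AH (51)": build_ipv4(IPPROTO_AH, b"\x00" * 24),
        "ESP (50)": build_ipv4(IPPROTO_ESP, b"\x00" * 16),
        "IKE udp/500": build_ipv4(IPPROTO_UDP, build_transport(500, 500)),
        "DNS udp/53": build_ipv4(IPPROTO_UDP, build_transport(40000, 53)),
        "HTTP tcp/80": build_ipv4(IPPROTO_TCP, build_transport(40000, 80)),
        "truncated": b"\x45\x00\x00",
    }
    for name, pkt in samples.items():
        print(f"{name:12s} -> {'permit' if permitted(pkt) else 'deny'}")
```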

Page 67

IPSec Protection Levels

Protection Levels

IPSec Authentication Protocols

IPSec Encryption Algorithms

Diffie-Hellman Groups

Page 68

If there is a risk of unauthorized interception, you must use integrity/HASH algorithms and data encryption to protect the data that is sent between peers. The options available for IPSec allow definition of the integrity/HASH algorithms and encryption protocols that are used to provide data protection.

Page 69

Protection Levels

To reduce the CPU overhead associated with the provision of authentication and encryption, always select the lowest level of protection that meets your security requirements. The following table shows the relative protection for the supported integrity and encryption methods.

Protection | Integrity | Encryption | Diffie-Hellman Group
**** | SHA-1 (160 bits) | 3DES (3*56 bit) | Medium (1,024 bits)
*** | MD5 (128 bits) | 3DES (3*56 bit) | Medium (1,024 bits)
** | SHA-1 (160 bits) | DES (56 bit) | Low (768 bits)
* (lowest) | MD5 (128 bits) | DES (56 bit) | Low (768 bits)

Note: Because integrity and the subsequent ongoing encryption are CPU-intensive functions, the performance provided by any implementation is hardware-dependent.

Page 70

IPSec Integrity/HASH Algorithms

IPSec supports the Secure Hash Algorithm (SHA) and Message Digest 5 (MD5) integrity/hash algorithms. The following table lists the IPSec algorithm protocols, their key lengths, and the reason to select these protocols in your design.

Algorithm | Key length | Include this algorithm in your design if
MD5 | 128-bit | The security requirements allow you to use a shorter key length to provide security. An improvement in performance, due to shorter key length, is desirable.
SHA | 160-bit | The security requirements mandate a longer key length to provide stronger security. A reduction in performance, due to longer key length, is acceptable. Fulfilling U.S. government contracts that require adherence to the Federal Information Processing Standard (FIPS).

Page 71

IPSec Encryption Algorithms

IPSec supports the Data Encryption Standard (DES) encryption algorithms. The following table lists the IPSec encryption algorithms, their key lengths, and the reason to select the algorithms in your design.

Algorithm | Key length | Include this algorithm in your design if
40-bit DES | 40-bit | Security requirements mandate a short key length for data transmissions into or out of France. An improvement in performance, due to shorter key length, is desirable.
56-bit DES | 56-bit | Security requirements allow a longer key length for exported applications and low security business traffic, such as e-mail. An improvement in performance, due to shorter key length, is desirable.
Triple DES (3DES) | 112-168-bit | Security requirements mandate a longer key length to provide the strongest security. A reduction in performance, due to longer key length, is acceptable.

Page 72

Diffie-Hellman Groups

The Diffie-Hellman group is configured as part of the key exchange settings and is considered a master key. Keys generated for data protection during key exchange are derived from the Diffie-Hellman master key material.

Group 1 (low) provides 768 bits of keying material, whereas Group 2 (medium) provides 1,024 bits. If you specify mismatched groups on each peer, key negotiation fails.

A larger group (key length) results in a key that is harder to break, but requires more CPU cycles to calculate.

Page 73

IPSec Internet Key Exchange

[Slide diagram: Host A and Host B, each with an authentication and encryption policy, an IPSec driver, ISAKMP/Oakley, the TCP/UDP transport layer and the Internet layer. ISAKMP/Oakley performs the SA negotiations (key exchange) and establishes an SA on each host; the IPSec drivers then exchange encrypted IP packets. Packet layout shown: IP header | ESP header | TCP/UDP | Data | ESP trailer, with the TCP/UDP and data portion encrypted, carried as IP protocol ID 50.]

Page 74

The exchange of authenticated and encrypted data between peers that use IPSec requires negotiation of the security algorithms. The negotiation between peers is a two-phase process called Internet Key Exchange.


Page 75

With IPSec, only the sender and recipient know the negotiated security keys when a connection is established. IKE is the process used to calculate the security keys; it uses two IETF protocols, the Internet Security Association and Key Management Protocol (ISAKMP) and the Oakley key generation protocol. ISAKMP centralizes security association (SA) management, thereby reducing the connection time. Oakley generates and manages the authenticated keys used to secure the information.

Page 76

IPSec communication between hosts requires that SAs be negotiated between peers. You can use the following peer authentication methods with IPSec:

The Kerberos version 5 security protocol. This is the default authentication technology used for any clients running the Kerberos V5 protocol that are members of a trusted domain.

Digital Certificates. These are used for authentication between computers that cannot run the Kerberos V5 security protocol. Examples of such interaction include Internet access, remote access to corporate resources, and communication with external business partners.

Preshared keys. This is a shared, secret key, previously agreed upon by two users. Both parties must manually configure IPSec to use this preshared key. This is a simple method for authenticating stand-alone Windows 2000-based computers, or any clients not running the Kerberos V5 protocol.

Page 77

Select Kerberos V5 if your design includes the Active Directory™ directory service or supports the Kerberos V5 protocol. Select certificate and shared key methods to use IPSec within untrusted domains and when Kerberos V5 cannot be supported.

Implementing IPSec by using a shared key can be a security risk when transferring keys. Kerberos V5 and digital certificates are recommended for best security practice.

Note: RFC 2401 provides an architectural overview of IPSec and the applicable RFCs required in implementation. These applicable RFCs provide detailed information on the available authentication options.

Page 78

Enhancing a TCP/IP Design for Availability

[Slide diagram: routers at Seattle, New York, London and Sydney joined by redundant links and routers. Redundant links and routers increase availability and increase bandwidth; dynamic routing protocols support multiple paths.]

Page 79

The availability of a TCP/IP network design is measured by the percentage of time users are able to transfer data by using the TCP/IP network infrastructure.

To improve the availability of a routed network, your design must include redundant links and routers between locations where the highest availability is required. The inclusion of redundant routed paths in your design can improve both the availability and performance (bandwidth) of the network.

You can configure cost metrics for the routed paths to constrain traffic to a single link where the backup is a dial-on-demand interface, or allow concurrent use of multiple routes where they are available.

Page 80

Set the link cost metric for each route to be equal if the links are available concurrently and there is no monetary cost penalty. Set different cost metrics if a link provides dial-on-demand backup and monetary costs prohibit running multiple links concurrently.

Routers can provide built-in load balancing across multiple links and paths if the routes are concurrently available and advanced routing protocols are used. Load balancing is possible with unequal cost metrics if protocols such as Interior Gateway Routing Protocol (IGRP) are used. The router uses the cost metrics to determine which paths the packets take, and the administrator can adjust the amount of load balancing. This is considered only if the speed of the redundant links differs greatly, and the links are concurrently available.

Page 81

Optimizing a TCP/IP Design for Performance

Optimizing Subnet Designs

Optimizing IP Performance on the Network

Optimizing Remote Subnets

Ensuring Performance with QoS

QoS Connections

Discussion: Evaluating TCP/IP Availability and Performance Requirements

Page 82

The performance of a TCP/IP network is set at a base level by the underlying physical network topology. In this lesson you will learn about enhancing TCP/IP performance for particular applications by:

Optimizing the subnet designs.

Optimizing IP performance on the network.

Optimizing remote subnets.

Prioritizing traffic by using QoS.

Using QoS connections.

Page 83

Optimizing Subnet Designs

Divide IP Ranges with Variable Length Subnets

Minimizes IP address waste

Requires RIP version 2, OSPF, or BGP routers

Combine IP Ranges by Supernets

Supported by CIDR

Requires RIP version 2, OSPF, or BGP routers

Page 84

For most real-world enterprise networks, typical public IP addresses provide an address scheme that is either too large or too small. If the address scheme for a subnet is too large, IP addresses are unused and wasted. If the address scheme is too small, multiple address ranges and a more complicated routed path are required to achieve the goals of the network design.

Page 85

Divide IP Ranges with Variable Length Subnetting

Variable length subnetting subdivides an existing subnet. The subnet mask is adjusted in a hierarchical fashion to allow for a varying number of hosts per subnet. Variable length subnetting is dependent on a hierarchical router design. Always attempt to minimize the number of routers in the hierarchy to improve the performance, but ensure that sufficient subnets and subnet addresses are available to support future expansion.

Before creating IP addressing designs that incorporate variable length subnetting, ensure that all routers support variable length subnetting. Any router that supports RIP for IP version 2, OSPF, or Border Gateway Protocol (BGP) can be used in a variable length subnetting design.

Page 86

Combine IP Ranges by Supernetting

Supernetting allows a design to combine multiple IP address ranges into a large single range of addresses. For example, supernetting would allow a design to combine eight class C network addresses into a single IP address range.

Supernetting is supported by the CIDR specification, found in RFC 1519. Before creating IP addressing designs that incorporate supernetting and CIDR, ensure that all routers support CIDR. Any router that supports RIP for IP v2, OSPF, or BGP can be used in a supernetting design.
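An added example, not from the course, that carries out both techniques with Python's standard ipaddress module: a VLSM allocator that sizes each subnet to its host count (a 200-host segment, as in the case study, fits a /24) and a supernet function that collapses eight class C ranges into one CIDR prefix. The address block, segment names and host counts are constructed.

```python
"""VLSM allocation and CIDR supernetting with the standard ipaddress module.

Added example, not part of the course. The block, segment names and host counts
used below are constructed.
"""
import ipaddress
from typing import Dict, List

IPv4Net = ipaddress.IPv4Network


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix whose subnet still holds `hosts` usable addresses
    (two are reserved for the network and broadcast addresses)."""
    need = hosts + 2
    return 32 - (need - 1).bit_length()


def vlsm_allocate(block: str, demands: Dict[str, int]) -> Dict[str, IPv4Net]:
    """Carve `block` into one right-sized subnet per segment.

    Largest segments are placed first so every subnet stays aligned on its own
    prefix boundary; leftovers are returned to a free list and reused for the
    smaller segments. Raises ValueError when the block cannot fit a segment.
    """
    free: List[IPv4Net] = [ipaddress.ip_network(block)]
    result: Dict[str, IPv4Net] = {}
    for name, hosts in sorted(demands.items(), key=lambda kv: -kv[1]):
        prefix = prefix_for_hosts(hosts)
        candidates = [n for n in free if n.prefixlen <= prefix]
        if not candidates:
            raise ValueError(f"no space left for {name} ({hosts} hosts)")
        # Best fit: the smallest free block, lowest address first on ties.
        chosen = max(candidates, key=lambda n: (n.prefixlen, -int(n.network_address)))
        free.remove(chosen)
        if chosen.prefixlen == prefix:
            result[name] = chosen
        else:
            first = next(chosen.subnets(new_prefix=prefix))
            result[name] = first
            free.extend(chosen.address_exclude(first))   # hand back the remainder
    return result


def supernet(networks: List[str]) -> IPv4Net:
    """Collapse contiguous, aligned ranges into a single CIDR route, e.g. eight
    class C networks into one /21. Raises ValueError if they do not merge."""
    merged = list(ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in networks))
    if len(merged) != 1:
        raise ValueError(f"ranges are not contiguous and aligned: {merged}")
    return merged[0]


if __name__ == "__main__":
    demands = {"seattle-lan": 200, "ny-lan": 100, "london-lan": 50, "wan-link": 2}
    for name, net in vlsm_allocate("172.16.0.0/22", demands).items():
        print(f"{name:12s} {net!s:18s} {net.num_addresses - 2} usable hosts")
    print("supernet of 192.168.0.0/24 .. 192.168.7.0/24:",
          supernet([f"192.168.{i}.0/24" for i in range(8)]))
```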

Page 87

Optimizing IP Performance on the Network

Recognizing Traffic Patterns

TCP/IP Performance Factors

[Slide diagram: two IP stacks with a TCP connection between them, annotated with receive window size, delay and latency, and ACK. Frame layout shown: data link header | IP | TCP | Data | data link trailer, with the IP MTU and the MSS marked.]

Page 88

Optimizing the flow of TCP/IP data within an internetwork requires classifying the traffic flow, so that you understand where configuring and tuning the TCP/IP implementation may allow performance gains.

Page 89

Recognizing Traffic Patterns

The transactions involved between hosts across a network vary from simple datagram interactions with low packet counts to complex authenticated transfers with security and verifications involved. In general, you can categorize packet traffic into two major groups, both of which are sensitive to particular characteristics of a network.

Delay and Latency sensitive traffic. Consists mainly of single packet transfers that must be acknowledged before communications can continue. Logon, authentication, and encryption negotiations are extreme examples of this form of traffic.

Bandwidth sensitive traffic. Consists of principally unidirectional communications where a large amount of traffic flows in one direction and acknowledgments flow in the other. Client/server, thin client, and Web-based applications exhibit this type of traffic flow.

Page 90

Many applications exhibit characteristics with hybrids of these traffic types, and must be designed to minimize performance limitations when used in a WAN environment.

Page 91

TCP/IP Performance Factors

The TCP/IP implementation in Windows 2000 is largely self-tuning, but some design choices made for both the network infrastructure, and the software installation, can influence the performance that you can ultimately achieve. In particular, when WAN networks span large distances, the delay through a network becomes a significant factor in any design considerations.

Page 92

Principal factors that influence TCP/IP performance are:

TCP/IP Receive Window Size. This is the buffer required to receive packets in a TCP stream before an acknowledgment is sent. For Ethernet-based TCP connections, the window is normally set to 17,520 bytes, or 16 KB rounded up to 12 Maximum Segment Size (MSS)-sized segments. Where network delay is high, you can increase the minimum Window size offered for a connection by modifying the registry.

Delay/Bandwidth product. High bandwidth/high delay networks, such as satellite links, require special consideration when both configuring the network transports and designing the applications being used. When network delay becomes significant, always select the largest bandwidth available for links to maximize performance.

Packet loss on the network. This is usually caused by errors or congestion in routers.

Page 93

There are certain factors that influence performance, but because they are part of the existing ISO layer one and two infrastructure, you may not be able to configure them. These factors are:

Maximum Transmission Unit (MTU). This is usually set by the underlying network technology. For example, Ethernet provides a 1,500 byte MTU, whereas Token Ring can support up to 17,914 bytes.

Maximum Segment Size (MSS). This is the TCP/UDP payload that can be carried in the MTU. For example, the MSS for an Ethernet MTU of 1,500 bytes is 1,460 bytes.

In network environments that include links with large delay components, your network design may be required to place network services, authentication, and application servers on both sides of the links to achieve acceptable client performance.
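An added example (not part of the course material) working through the figures above: the MSS from the MTU, the 16 KB-rounded-to-12-segments default receive window, and how the bandwidth-delay product of a high-delay link compares with that window. Header sizes assume no IP or TCP options; the link speeds and round-trip times in main() are constructed.

```python
"""Worked TCP/IP performance figures: MSS, default receive window, bandwidth-delay product.

Added example, not part of the course. Header sizes assume no IP or TCP options;
the link speeds and round-trip times in main() are constructed.
"""
import math

IP_HEADER = 20    # bytes, no options
TCP_HEADER = 20   # bytes, no options


def mss_for_mtu(mtu: int) -> int:
    """TCP payload per segment: the MTU minus the IP and TCP headers (1,500 -> 1,460)."""
    return mtu - IP_HEADER - TCP_HEADER


def default_receive_window(mss: int, base: int = 16 * 1024) -> int:
    """Rule stated in the text: 16 KB rounded up to a whole number of MSS-sized
    segments, which for Ethernet gives 12 * 1,460 = 17,520 bytes."""
    return math.ceil(base / mss) * mss


def bandwidth_delay_product(bandwidth_bps: int, rtt_s: float) -> int:
    """Bytes that must be in flight to keep the link busy for one round trip."""
    return round(bandwidth_bps * rtt_s / 8)


def window_limited_throughput(window_bytes: int, rtt_s: float) -> float:
    """Throughput ceiling (bit/s) when the advertised window, not the link, is the
    limit: at most one window can be sent per round trip."""
    return window_bytes * 8 / rtt_s


def window_needed(bandwidth_bps: int, rtt_s: float, mss: int) -> int:
    """Smallest window, in whole segments, that fills the link."""
    bdp = bandwidth_delay_product(bandwidth_bps, rtt_s)
    return math.ceil(bdp / mss) * mss


if __name__ == "__main__":
    mss = mss_for_mtu(1500)
    win = default_receive_window(mss)
    print(f"Ethernet MSS {mss}, default receive window {win} bytes "
          f"({win // mss} segments)")
    # Constructed links: a LAN and a satellite hop with a 600 ms round trip.
    for name, bps, rtt in [("100 Mbit/s LAN", 100_000_000, 0.001),
                           ("2 Mbit/s satellite", 2_000_000, 0.600)]:
        ceiling = window_limited_throughput(win, rtt) / 1e6
        print(f"{name}: BDP {bandwidth_delay_product(bps, rtt)} bytes, "
              f"default window caps throughput at {ceiling:.2f} Mbit/s, "
              f"window needed {window_needed(bps, rtt, mss)} bytes")
```

On the satellite link the default window alone holds throughput to about 0.23 Mbit/s, which is why the text suggests raising the window where delay is high.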

Page 94

Optimizing Remote Subnets

Private Point-to-Point and Multi-point Connections

For point-to-point, assign a subnet for each connection

For multi-point, all connections share a common subnet

VPN Connections over the Internet

Require a public address for VPN server

Require an address from the VPN address pool

Page 95

Remote networks require special consideration when you develop an IP addressing scheme to ensure that traffic is properly routed and that Internet access is maintained.

Page 96

Private Point-to-Point and Multi-Point Connections

For private point-to-point connections, such as dedicated 56 kilobits per second (Kbps) leased lines or T1 connections, a separate subnet is required for each point-to-point connection. Each point-to-point connection requires two IP addresses to support dynamic routing protocols. Unnumbered connections can be supported, but only static routing can be used.

For multi-point connections, such as an X.25 or other packet-switched private network, one subnet is sufficient for all connections. An IP address for each connection or virtual circuit is required in the multi-point connection.

Because point-to-point and multi-point connections are not visible to any public addressing scheme, you can use private addressing to create each subnet. If the addresses used for point-to-point or multi-point subnets are allocated from the range of addresses used by other devices on the private network, VLSM or CIDR is recommended to conserve IP addresses.

Page 97

VPN Connections over the Internet

To connect to a VPN client, each VPN server requires a public address. This address becomes one end of the communications tunnel. The VPN client receives an address from the VPN server's address pool. When communicating over the VPN connection, the VPN client uses the issued address to access intranetwork resources.

Any IP addressing design must account for the public address and the range of private network addresses required by the VPN server design. A private network address is required for each VPN client that simultaneously accesses the intranetwork.

Page 98

Ensuring Performance with QoS

Reserve Bandwidth for Particular Users or Data Types

Prioritize Access to Bandwidth Based on User Needs

Partition Bandwidth Between Traffic

Prevent Non-Adaptive Protocols from Overusing Network Resources

Page 99

Data traffic routed across an IP network might have to travel through a series of routers. By default, each router in the path handles the traffic on a first-come, first-served (best-effort) basis. Time-sensitive streams of data such as video streaming, real-time audio, and video conferencing require immediate response to their data, or the receiving applications may fail.

The Windows 2000 implementation of QoS provides selectable bandwidth reservation and priority levels for traffic flows. QoS provides a unidirectional mechanism by which you can manage network resources, whether on the local LAN segment, the core network, or the WAN, to provide the required service levels. QoS can run on any network topology that supports TCP/IP.

Page 100

Network designers can use QoS to:

Reserve bandwidth for particular users, services, or applications.

Prioritize access to bandwidth based on user needs.

Partition bandwidth between best-effort traffic, and higher or lower priority traffic.

Prevent non-adaptive protocols (such as UDP) from overusing network resources.

Note: All routers in the path between a sender and receiver must be able to support QoS, and must validate the bandwidth requirement before a QoS session can be established.

Page 101

Include QoS in your design if:

Bandwidth allocation is required.

It is supported by your planned applications.

All intermediate routers support Resource Reservation Protocol (RSVP).

Page 102

Figure: QoS Connections. On each host, the application calls the QoS API (the WinSock 2.0 API), which drives a QoS-enabled IP stack; the two hosts' LANs are joined by RSVP-enabled routers. The numbered steps are 1. Flow message, 2. Receive message, 3. Media stream. The slide also lists the topics QoS Mechanisms and Setting Up a QoS Connection.


Implementing QoS lets real-time applications obtain predictable bandwidth and delay instead of competing for best-effort capacity. The goal of a QoS implementation is guaranteed delivery for an admitted flow of network traffic, such as IP packets.


QoS Mechanisms

The set of mechanisms QoS uses to set up a delivery system for network traffic includes services and protocols. The Windows 2000 implementation of QoS includes:

QoS Admission Control Service (QoS ACS). A policy-based service that administers the bandwidth of a subnet and decides whether a reservation request from a user or application is allowed.

Subnet bandwidth management (SBM). A service that manages the use of network resources on a shared segment, or subnet.

Resource Reservation Protocol (RSVP). A signaling protocol that enables the sender and receiver to set up a reserved path between them. RSVP messages carry the reservation request to each RSVP-aware router and switch along the communication path between the sender and receiver.

Traffic Control. Traffic control chooses the queue, or 'lane', across which packets travel. The traffic control service has two components that work together to determine that lane:

Packet Classifier. The packet classifier separates packets into queues based on their priority and associates with each queue the rate at which the packet scheduler should empty it.

Packet Scheduler. The packet scheduler manages the queues set up by the packet classifier. It retrieves packets from the queues and sends them across the reserved path.
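The following Python model is an added illustration of the classifier/scheduler pair described above and of the earlier point about non-adaptive (UDP) traffic; it is not code from the course or from the Windows 2000 traffic control service. The classifier maps a packet to its reserved flow or to best effort, a token bucket built from the flow's Tspec decides whether each reserved packet conforms, and the scheduler serves the reserved queue first and best effort with whatever link capacity remains. The link rate, queue sizes, the constructed flows V and B, and the two policing policies ("drop" the excess versus "demote" it to best effort) are assumptions chosen to show what happens when a reserved UDP flow sends twice what it reserved.

```python
"""Packet classifier and scheduler with token-bucket policing.

Added illustration; not code from the course or from the Windows 2000
traffic control service. Link rate, queue sizes, and the 'drop' versus
'demote' policing policy are assumptions chosen to show the effect of a
reserved UDP flow that sends more than its Tspec allows."""
from collections import deque
from dataclasses import dataclass


@dataclass
class Packet:
    flow: str
    size: int                                 # bytes


class TokenBucket:
    """Conformance test for a reserved flow: rate in bits/s, burst in bytes."""
    def __init__(self, rate_bps, burst_bytes):
        self.rate, self.burst = rate_bps, burst_bytes
        self.tokens, self.last = float(burst_bytes), 0.0

    def conforms(self, size, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate / 8)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class Classifier:
    """Maps a packet to its reserved-flow queue, or to best effort."""
    def __init__(self):
        self.flows = {}                       # flow id -> TokenBucket built from its Tspec

    def install(self, flow, bucket):
        self.flows[flow] = bucket

    def classify(self, pkt):
        return pkt.flow if pkt.flow in self.flows else "best-effort"


class Scheduler:
    """Reserved queue is served first (it is already rate limited); best effort gets the rest."""
    def __init__(self, link_bps, classifier, be_cap_bytes, policy="drop"):
        self.budget = link_bps // 8           # bytes the link carries per one-second tick
        self.clf, self.policy = classifier, policy
        self.reserved, self.best_effort = deque(), deque()
        self.be_bytes, self.be_cap = 0, be_cap_bytes
        self.dropped = {}                     # flow id -> bytes discarded

    def _drop(self, pkt):
        self.dropped[pkt.flow] = self.dropped.get(pkt.flow, 0) + pkt.size

    def enqueue(self, pkt, now):
        queue = self.clf.classify(pkt)
        if queue != "best-effort":
            if self.clf.flows[queue].conforms(pkt.size, now):
                self.reserved.append(pkt)
                return
            if self.policy == "drop":         # police: traffic over the Tspec is discarded
                self._drop(pkt)
                return
            # policy "demote": the excess competes with best-effort traffic instead
        if self.be_bytes + pkt.size > self.be_cap:
            self._drop(pkt)                   # drop-tail best-effort queue is full
            return
        self.best_effort.append(pkt)
        self.be_bytes += pkt.size

    def drain(self):
        """Transmit one tick's worth of bytes, reserved queue first."""
        budget, out = self.budget, []
        while self.reserved and self.reserved[0].size <= budget:
            pkt = self.reserved.popleft()
            budget -= pkt.size
            out.append(pkt)
        while self.best_effort and self.best_effort[0].size <= budget:
            pkt = self.best_effort.popleft()
            self.be_bytes -= pkt.size
            budget -= pkt.size
            out.append(pkt)
        return out


def simulate(policy, ticks=5):
    """Constructed load on a 96 Kbps link: flow V holds a 48 Kbps reservation
    but sends 96 Kbps of UDP; flow B is 48 Kbps of ordinary best-effort traffic.
    Returns (bytes delivered per flow, bytes dropped per flow)."""
    clf = Classifier()
    clf.install("V", TokenBucket(rate_bps=48_000, burst_bytes=6_000))
    sch = Scheduler(link_bps=96_000, classifier=clf, be_cap_bytes=12_000, policy=policy)
    delivered = {"V": 0, "B": 0}
    for t in range(ticks):
        for _ in range(10):
            sch.enqueue(Packet("V", 1200), now=t)   # 12,000 B/s: twice the Tspec rate
        for _ in range(5):
            sch.enqueue(Packet("B", 1200), now=t)   # 6,000 B/s best effort
        for pkt in sch.drain():
            delivered[pkt.flow] += pkt.size
    return delivered, sch.dropped
```

With the "drop" policy, flow V is held to exactly its reservation and flow B is delivered in full; with "demote", the over-sending flow floods the best-effort queue and B is starved even though the link has spare capacity. The lesson for a design is that admission control alone is not enough: the traffic control stage must police each reserved flow against its Tspec, or a single misbehaving or hostile UDP source can defeat the purpose of the reservation.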


Setting Up a QoS Connection

RSVP is the means by which end nodes communicate with each QoS-aware network device in the hop path between RSVP session members, and negotiate QoS parameters and network usage admission. RSVP exchanges PATH and RESV messages with the network. A PATH message, which the sender initiates, describes the QoS parameters of the traffic, the sender's address, and the destination address of the traffic. The RESV message, returned by the receiver, describes the QoS parameters of the traffic to be received. When the sender receives the RESV message, the QoS data flow begins.

The QoS Service Provider constructs and periodically updates the PATH and RESV messages on behalf of an application. You can also configure sending applications, such as those controlling multicast transmissions, to begin sending immediately on a best-effort basis, which is then upgraded to QoS on receipt of the RESV message.


For example, a sending host that wants to reserve bandwidth sends PATH messages toward the intended recipient through an RSVP-enabled Windows Sockets (WinSock) service provider. These PATH messages, which describe the bandwidth requirements and relevant parameters of the data to be sent, are propagated to all intermediate routers along the path.

The receiving host confirms the flow and network path by sending RESV messages back through the network, describing the bandwidth characteristics of the data it expects from the sender. As these RESV messages propagate back toward the sender, each intermediate router decides whether to accept the proposed reservation and commit bandwidth resources. If all routers commit the required resources, the sender can begin sending data; if any router refuses, no end-to-end reservation exists.
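The exchange described above, as an added Python model that is not part of the course: the PATH message is propagated hop by hop toward the receiver and each RSVP-aware router records where it came from, the RESV message travels back along that state, and every router performs admission control before committing bandwidth. The Router and Tspec classes, the constructed three-hop topology (a 512 Kbps fractional T1 hop, a legacy router that does not speak RSVP, and a T1 hop) and the 48 Kbps per-call Tspec are assumptions; message contents are a simplification of RFC 2205 with no refresh timers, multicast or policy objects.

```python
"""Simulated RSVP PATH/RESV exchange with per-hop admission control.

Added illustration, not code from the course. The Router/Tspec names and
the topology are assumptions; messages are a simplification of RFC 2205
(no refresh timers, no multicast, no policy objects)."""
from dataclasses import dataclass, field


@dataclass
class Tspec:
    """Sender traffic specification carried in PATH (token-bucket summary)."""
    rate_kbps: int
    burst_bytes: int


@dataclass
class Router:
    name: str
    capacity_kbps: int                      # bandwidth this hop may reserve in total
    rsvp_enabled: bool = True
    reserved_kbps: int = 0
    path_state: dict = field(default_factory=dict)   # session -> previous hop

    def handle_path(self, session, prev_hop):
        """Record where the PATH came from so the RESV can be routed back."""
        if self.rsvp_enabled:
            self.path_state[session] = prev_hop
        return self.name                    # this router is the next hop's previous hop

    def admit(self, session, tspec):
        """Admission control for a RESV: commit bandwidth only if it is available."""
        if not self.rsvp_enabled:
            return True                     # legacy hop forwards the RESV, reserves nothing
        if session not in self.path_state:
            return False                    # no PATH state: the RESV cannot be routed
        if self.reserved_kbps + tspec.rate_kbps > self.capacity_kbps:
            return False
        self.reserved_kbps += tspec.rate_kbps
        return True

    def release(self, tspec):
        self.reserved_kbps -= tspec.rate_kbps


def reserve(session, sender, routers, tspec):
    """PATH from sender toward receiver, then RESV back toward the sender.

    Returns (granted, names_of_hops_that_committed, rejecting_hop_or_None).
    A reservation is granted only when every RSVP hop committed; a legacy hop
    in the path leaves its segment best effort even when the result is granted."""
    prev = sender
    for hop in routers:                     # PATH propagates toward the receiver
        prev = hop.handle_path(session, prev)
    committed = []
    for hop in reversed(routers):           # RESV propagates back toward the sender
        if hop.admit(session, tspec):
            if hop.rsvp_enabled:
                committed.append(hop)
        else:
            for done in committed:          # tear down the partial reservation
                done.release(tspec)
            return False, [], hop.name
    return True, [h.name for h in committed], None


def best_effort_hops(routers):
    """Hops where traffic stays best effort even after a granted reservation."""
    return [h.name for h in routers if not h.rsvp_enabled]


if __name__ == "__main__":
    # Constructed topology: fractional T1 hop, legacy (non-RSVP) hop, full T1 hop.
    path = [Router("R1", 512), Router("legacy", 0, rsvp_enabled=False), Router("R2", 1544)]
    call = Tspec(rate_kbps=48, burst_bytes=1500)    # one conferencing instance
    for n in range(12):
        granted, hops, rejected = reserve(f"call{n}", "LocationA", path, call)
        print(n + 1, "granted" if granted else f"rejected at {rejected}", hops)
    print("best-effort segment:", best_effort_hops(path))
```

Ten 48 Kbps calls fit on the 512 Kbps hop; the eleventh is refused at R1, and the bandwidth R2 had already committed for it is released again so that a failed reservation does not leak capacity. Note that nothing in the exchange as modeled here identifies or authenticates the requester: admission control is the only check each hop applies, which is why the admission policy (QoS ACS, above) matters.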


Discussion: Evaluating TCP/IP Availability and Performance Requirements

Figure: four locations (LocationA, LocationB, LocationC, and LocationD) with host counts of 1311, 808, 655, and 129, connected by a 1.544 Mbps T1 link, a 56 Kbps link, and a 512 Kbps fractional T1 link, with a 1.544 Mbps T1 link to the Internet.


To enhance the availability and performance of a TCP/IP solution, you must determine the bandwidth each link requires and decide how to improve the performance of TCP/IP-based services across it.

The following scenario describes an organization's current network configuration.


Scenario

An organization has decided to restructure an existing TCP/IP network. You are assigned the task of evaluating the existing physical network and determining the design changes.

The current network configuration provides:

Intranet access to all shared folders and Web-based applications at all locations.

Access to the Internet from all locations.

Support for the existing infrastructure.

Support for the number of hosts per location, which includes router interfaces and the proxy server intranetwork interface.

Support for a mission-critical Web-based application that requires 24-hours-a-day, 7-days-a-week operation.

Isolation of the organization's network from the Internet by using a combined firewall and proxy server.


Design Requirements

Your assessment of the existing network configuration and your investigation of the future configuration requirements reveal the following design requirements, which you must meet in your solution.


Existing configuration information

The network currently uses 172.20.0.0/16 as the private address block from which all host addresses are allocated.

Company policy mandates that client computers are turned off when not in use, but servers and other network-related devices are left on.

The average usage of the network link from LocationB to LocationA is 70 percent.

The average usage of the network link from LocationB to LocationC is 100 percent.

The average usage of the network link from LocationB to LocationD is 60 percent.


Future configuration requirements

A WinSock 2 video conferencing application will be run between LocationA and LocationB. Each instance of the application requires sustained throughput of 48 Kbps in each direction for audio and video.

Private addressing will be used based on the current private address block used, and the site router interfaces will keep the same address and subnet mask.

New site routers are to be installed and these devices will restrict the host population per segment to 200 or less.


Lab A: Designing a TCP/IP Solution


Objectives

After completing this lab, you will be able to:

Evaluate a scenario to determine the requirements for a TCP/IP design.

Design a TCP/IP solution for the given scenario.


Exercise 1 Designing a TCP/IP Solution

In this exercise, you will design a TCP/IP solution for the given scenario. To design your solution, review the information provided in the scenario, study the diagram, and follow the design decisions. Make your design decisions based on the requirements provided and complete the design worksheet.


Scenario

An organization has decided to restructure its existing TCP/IP network. As a consultant, you have been assigned the task of redesigning the network. Information on the current configuration and status of the network has been gathered from interviews and written documentation.


The current network configuration provides:

Intranet access to all shared folders and Web-based applications at all locations.

Access to the Internet from all locations.

Support for all of the hosts, as shown in the preceding diagram.

Support for a mission-critical Web-based application that requires 24-hours-a-day, 7-days-a-week availability. No provisions exist for high availability.

Isolation of the organization's network from the Internet by using a proxy server and a firewall, both situated at LocationA.

100 Mbps Ethernet local networks.

Fractional T1 256 Kbps links between locations.

Unacceptable performance for both local access and ISP/Internet access. Tests indicate that links are often saturated.


High Level Network Design

The following diagram shows the existing high-level network design.


Design Requirements and Limitations

Investigation of the current network, user traffic patterns, and future network requirements reveals the following additional information that you must consider when making your design decisions:


Network Information

New routers, which are combined OSI layer 2 switches and layer 3 routers, will be used in all locations. The routers support CIDR and VLSM. Each router can support four interfaces, where each interface represents one subnet supporting a maximum of 121 clients. Multiple routers can be stacked to create a single logical router.

The links between locations will be resized to suit the required performance. Link upgrades must use one of the available bandwidth options: fractional T1 at 256 Kbps, 384 Kbps, 512 Kbps, 768 Kbps, or 1,024 Kbps, or a full T1 at 1.544 Mbps.

The links between locations are either T1 or fractional T1 and support the full Ethernet MTU of 1,500 bytes. Therefore, you do not need to consider the possibility of routers fragmenting packets.

There is no significant delay between locations. Therefore, you do not need to consider the placement of authentication servers or the effect delay has on throughput for the clients.

The current network configuration uses the private address block 172.16.0.0/16. You will reuse this private address block in the new design.

The current link to the ISP and the Internet is established, and the ISP has issued the organization one public IP address. This address will be used for the firewall (or proxy) interface facing the ISP and the Internet; all internal hosts reach the Internet through that single address.


Client Information

The clients use a Web-based application to access their e-mail server, which is maintained by the ISP. The ISP also supplies Internet access.

The client data flows have been analyzed. Size each link so that the data flows shown produce at most 50 percent average utilization.


The following table summarizes the data flow between locations.

Traffic                                                   Bandwidth required
LocationA only to the ISP/Internet                        304 Kbps
LocationB only to the ISP/Internet                        247 Kbps
LocationC only to the ISP/Internet                        103 Kbps
LocationA, LocationB, and LocationC to the ISP/Internet   1,360 Kbps
LocationA to LocationB                                    1,360 Kbps
LocationA to LocationC                                    566 Kbps


The host counts given in the diagrams include all current IP address requirements. Investigations reveal that the client counts for each location, including the expected growth, are as follows:

LocationA will support 360 clients.

LocationB will support 293 clients.

LocationC will support 122 clients.


Services and Applications

There are file and print servers at each location. All clients store their data on local servers and print to local printers. Therefore, you do not need to allow for data flows between locations for file and print services.

There are DHCP and WINS servers at each location. Investigations reveal that replication of data between WINS servers will have no significant effect on the design. The operations group will configure and set up these services; therefore, do not consider them in your design.

The ISP maintains the organization's Internet Information Services (IIS) Web server and the server running Microsoft Exchange Server. Therefore, you do not need to consider DNS requirements in your design.


Instructions

Use the following guidelines to complete the tasks in the design worksheet:

Select the new size for links 1, 2, and 3 by analyzing the client data flow requirements of the TCP/IP network. Consider the impact of network path delay when using satellite or long-distance links, because delay affects the placement of services and the selection of link speeds within the network.

Review the number of physical subnets required and the client load to ensure adequate peer performance. Review the OSI layer one and layer two network structure and bandwidth utilization to ensure TCP/IP can be supported while providing the required performance.

Plan, review, and record TCP/IP physical routing structure elements, including routers, subnet IP addresses, and subnet masks. (Indicate whether class-based, VLSM, or CIDR addressing is required.)

Review and record boundaries where the MTU changes within the routed network. Note any routes where the MTU cannot be established, so that further investigation may occur.

Select the Interior Gateway Protocol (RIPv1, RIPv2, or OSPF) to be supported on the Windows 2000 network. Record the basis on which you made your selection.


Design Worksheet

In the space provided below, list the required solution and/or actions that are necessary to meet the requirements.

1. Determine the capacities of the Links 1, 2, and 3.

2. Determine the number of routers and subnets required for the client populations in each location.

3. Select address ranges and subnet masks for all routers. Show whether the selected addresses require class-based, VLSM, or CIDR support in the routers. You do not need to calculate the address range for every subnet; calculate only the base address for the routers.

4. Describe any MTU issues within the network.

5. Select the routing protocol you would implement in this design. Why?
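A worked example for items 1 to 3 and the mask question behind item 5, added here and not part of the course lab: a small Python helper that picks the smallest available link size for a set of flows under a utilization ceiling, carves VLSM subnets for each location from the 172.16.0.0/16 block with /30s for the point-to-point links, and reports whether the resulting plan needs VLSM (and therefore a routing protocol that carries subnet masks). The bandwidth options, the 121-client limit, the four interfaces per router and the client counts come from the lab text; which flows share a given WAN link, the link names, the hard 50 percent ceiling, and counting only LAN interfaces toward the router total are assumptions.

```python
"""Design-worksheet helper (added example, not part of the course lab).

Assumptions: which data flows share a WAN link is left to the designer, so
the flow lists passed to size_link() are constructed; subnet sizing counts
one router interface per subnet and ignores WAN interfaces when counting
routers."""
import ipaddress
import math

# Bandwidth options quoted in the lab: fractional T1 steps and a full T1.
LINK_OPTIONS_KBPS = [256, 384, 512, 768, 1024, 1544]


def size_link(flows_kbps, max_util=0.5):
    """Pick the smallest option that keeps average utilization <= max_util.

    Returns (option_kbps, utilization), or (None, required_kbps) when no
    option fits, which means the traffic must be split or the requirement
    revisited rather than silently over-subscribing the link."""
    required = sum(flows_kbps)
    for option in LINK_OPTIONS_KBPS:
        util = required / option
        if util <= max_util:
            return option, round(util, 3)
    return None, required


def plan_subnets(block, sites, links=(), max_hosts=121, ifaces_per_router=4):
    """Carve VLSM subnets from one private block.

    sites: {site: client_count}. Each site subnet holds up to max_hosts
    clients plus one router interface; every named link gets a /30."""
    net = ipaddress.ip_network(block)
    # clients + router interface + network + broadcast, rounded up to a power of two
    host_bits = math.ceil(math.log2(max_hosts + 1 + 2))
    pool = list(net.subnets(new_prefix=net.max_prefixlen - host_bits))   # /25s for 121
    plan = {}
    for site, clients in sites.items():
        count = math.ceil(clients / max_hosts)
        if count > len(pool):
            raise ValueError(f"{block} exhausted while planning {site}")
        chosen = [pool.pop(0) for _ in range(count)]
        plan[site] = {
            "subnets": [str(s) for s in chosen],
            "routers": math.ceil(count / ifaces_per_router),
        }
    if links:
        # Slice the last site-sized block into /30 point-to-point link subnets.
        p2p = list(pool.pop().subnets(new_prefix=net.max_prefixlen - 2))
        plan["links"] = {name: str(p2p[i]) for i, name in enumerate(links)}
    return plan


def addressing_model(plan):
    """Worksheet item 3: one mask everywhere can be routed classfully (RIPv1);
    mixed masks need VLSM, so the routers must run RIPv2 or OSPF."""
    prefixes = set()
    for site, detail in plan.items():
        nets = detail.values() if site == "links" else detail["subnets"]
        prefixes.update(ipaddress.ip_network(n).prefixlen for n in nets)
    return "VLSM" if len(prefixes) > 1 else "fixed-length"


if __name__ == "__main__":
    print(size_link([247]))         # LocationB's Internet traffic on its own
    print(size_link([103, 566]))    # constructed: LocationC Internet plus A-to-C traffic
    print(size_link([1360]))        # A-to-B flow: no single option stays under 50 percent
    plan = plan_subnets(
        "172.16.0.0/16",
        {"LocationA": 360, "LocationB": 293, "LocationC": 122},
        links=("LocationA-LocationB", "LocationA-LocationC"),
    )
    for site, detail in plan.items():
        print(site, detail)
    print(addressing_model(plan))
```

Running the block shows 512 Kbps for a 247 Kbps flow, a full T1 for 669 Kbps, and no fit at all for the 1,360 Kbps A-to-B flow, which is the signal to revisit that requirement rather than accept a saturated link. The subnet plan needs three /25s each for LocationA and LocationB, two for LocationC, one router per site, and /30s for the links; because the masks differ, the design is VLSM and the IGP must carry subnet masks.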


Review

Introducing TCP/IP

Designing a Functional TCP/IP Solution

Securing a TCP/IP Solution

Enhancing a TCP/IP Design for Availability

Optimizing a TCP/IP Design for Performance