
CHAPTER-1 INTRODUCTION

Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec is an end-to-end security scheme operating in the Internet layer of the Internet Protocol suite. It can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is officially specified by the Internet Engineering Task Force (IETF) in a series of Request for Comments documents addressing various components and extensions. It specifies the spelling of the protocol name to be IPsec.

A virtual private network (VPN) is a technology for using the Internet or another intermediate network to connect computers to isolated remote computer networks that would otherwise be inaccessible. A VPN provides security so that traffic sent through the VPN connection stays isolated from other computers on the intermediate network. VPNs can connect individual users to a remote network or connect multiple networks together. For example, a user may use a VPN to connect to their work computer terminal from home and access their email, images, etc.

1.1 What is a Virtual Private Network?


There have been many improvements in the Internet, including Quality of Service, network performance, and inexpensive technologies such as DSL. But one of the most important advances has been in Virtual Private Networking (VPN) using Internet Protocol security (IPSec). IPSec is one of the most complete, secure, and commercially available standards-based protocols developed for transporting data. A VPN is a shared network where private data is segmented from other traffic so that only the intended recipient has access. The term VPN was originally used to describe a secure connection over the Internet. Today, however, VPN is also used to describe private networks such as Frame Relay, Asynchronous Transfer Mode (ATM), and Multiprotocol Label Switching (MPLS). A key aspect of data security is that the data flowing across the network is protected by encryption technologies. Private networks lack data security, which can allow attackers to tap directly into the network and read the data. IPSec-based VPNs use encryption to provide data security, which increases the network's resistance to data tampering or theft. IPSec-based VPNs can be created over any type of IP network, including the Internet, Frame Relay, ATM, and MPLS, but only the Internet is ubiquitous and inexpensive.

JOGINPALLY BR ENGINEERING COLLEGE

1.2 Intranets:
Intranets connect an organization's locations. These locations range from the headquarters offices, to branch offices, to a remote employee's home. Often this connectivity is used for e-mail and for sharing applications and files. While Frame Relay, ATM, and MPLS accomplish these tasks, the shortcomings of each limit connectivity. The cost of connecting home users is also very high compared to Internet-access technologies such as DSL or cable. Because of this, organizations are moving their networks to the Internet, which is inexpensive, and using IPSec to create these networks.

1.3 Remote Access:


Remote access enables telecommuters and mobile workers to access e-mail and business applications. A dial-up connection to an organization's modem pool is one method of access for remote workers, but it is expensive because the organization must pay the associated long-distance telephone and service costs. Remote access VPNs greatly reduce expenses by enabling mobile workers to dial a local Internet connection and then set up a secure IPSec-based VPN connection to their organization.

1.4 Extranets:
Extranets are secure connections between two or more organizations. Common uses for extranets include supply-chain management, development partnerships, and subscription services. These undertakings can be difficult using legacy network technologies due to connection costs, time delays, and access availability. IPSec-based VPNs are ideal for extranet connections. IPSec-capable devices can be quickly and inexpensively installed on existing Internet connections.

CHAPTER-2 GENERAL THEORY


2.1 Network elements:
Objectives: The objectives of this chapter are to familiarize the reader with the following:
i) The LAN components and terminology
ii) Networking basics and topologies
iii) Hub
iv) Switch
v) Router
vi) Gateway

2.2 LAN components:


A Local Area Network (LAN) is a high-speed, low-error data network covering a relatively small geographic area. A LAN connects workstations, peripherals, terminals and other devices in a single building or other geographically limited area. LAN standards specify cabling and signaling at the physical and data link layers of the OSI model. Ethernet, FDDI and Token Ring are widely used LAN technologies. In LAN technology, to solve the congestion problem and increase networking performance, a single Ethernet segment is divided into multiple network segments. This is achieved through various network components. Through physical segmentation, network-switching technology, full-duplex Ethernet devices, Fast Ethernet and FDDI, the available bandwidth may be maximized.

2.2.1 Ethernet terminology:
Ethernet follows a simple set of rules that govern its basic operation. To better understand these rules, it is important to understand the basics of Ethernet terminology.

Medium - Ethernet devices attach to a common medium that provides a path along which the electronic signals will travel. Historically, this medium has been coaxial copper cable, but today it is more commonly a twisted pair or fiber optic cabling.


Segment - We refer to a single shared medium as an Ethernet segment.

Node - Devices that attach to that segment are stations or nodes.

Frame - The nodes communicate in short messages called frames, which are variably sized chunks of information. The Ethernet protocol specifies a set of rules for constructing frames. There are explicit minimum and maximum lengths for frames, and a set of required pieces of information that must appear in the frame. Each frame must include, for example, both a destination address and a source address, which identify the recipient and the sender of the message. The address uniquely identifies the node, just as a name identifies a particular person. No two Ethernet devices should ever have the same address.

Figure 2.1 A small Ethernet network

Since a signal on the Ethernet medium reaches every attached node, the destination address is critical to identify the intended recipient of the frame. For example, in the figure above, when computer B transmits to printer C, computers A and D will still receive and examine the frame. However, when a station first receives a frame, it checks the destination address to see if the frame is intended for itself. If it is not, the station discards the frame without even examining its contents.


One interesting thing about Ethernet addressing is the implementation of a broadcast address. A frame with a destination address equal to the broadcast address (simply called a broadcast, for short) is intended for every node on the network, and every node will both receive and process this type of frame.
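As an added example (not part of the original report), the receive decision described above, worked on constructed Ethernet II frames in Python: each station parses the destination address from the header and keeps only frames addressed to itself or to the broadcast address. The station names and MAC addresses are made up for the figure.

```python
import struct

BROADCAST = bytes.fromhex("ffffffffffff")   # all-ones destination: every node processes it
MIN_PAYLOAD = 46       # Ethernet II minimum payload (64-byte frame including the 4-byte FCS)
MAX_PAYLOAD = 1500     # Ethernet II maximum payload
ETHERTYPE_IPV4 = 0x0800


def mac(text: str) -> bytes:
    """'02:00:00:00:00:0a' -> six raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build an Ethernet II frame (without FCS), enforcing the explicit length rules."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError(f"payload of {len(payload)} bytes exceeds {MAX_PAYLOAD}")
    padded = payload.ljust(MIN_PAYLOAD, b"\x00")     # short payloads are padded to the minimum
    return struct.pack("!6s6sH", dst, src, ethertype) + padded


def parse_frame(frame: bytes):
    """Return (dst, src, ethertype, payload) from a raw frame; reject runts."""
    if len(frame) < 14 + MIN_PAYLOAD:
        raise ValueError("runt frame: shorter than the Ethernet minimum")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, ethertype, frame[14:]


def destination_kind(dst: bytes) -> str:
    """Broadcast if all ones, multicast if the I/G bit (lsb of the first octet) is set, else unicast."""
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:
        return "multicast"
    return "unicast"


def station_accepts(frame: bytes, own_mac: bytes) -> bool:
    """The per-station receive check: keep a frame only if it is addressed to this node
    or to every node (broadcast); anything else is discarded without reading the payload."""
    dst = parse_frame(frame)[0]
    return dst == own_mac or destination_kind(dst) == "broadcast"


def deliver_on_segment(frame: bytes, stations: dict) -> list:
    """Shared medium: every attached station sees the frame; return the names of those that keep it."""
    return [name for name, addr in stations.items() if station_accepts(frame, addr)]


# Constructed stations for the figure above (locally administered addresses, not real hardware).
STATIONS = {
    "A": mac("02:00:00:00:00:0a"),
    "B": mac("02:00:00:00:00:0b"),
    "C": mac("02:00:00:00:00:0c"),   # the printer
    "D": mac("02:00:00:00:00:0d"),
}

if __name__ == "__main__":
    unicast = build_frame(STATIONS["C"], STATIONS["B"], ETHERTYPE_IPV4, b"print job")
    print("B -> C kept by:", deliver_on_segment(unicast, STATIONS))        # ['C']
    bcast = build_frame(BROADCAST, STATIONS["B"], ETHERTYPE_IPV4, b"who is out there?")
    print("broadcast kept by:", deliver_on_segment(bcast, STATIONS))       # ['A', 'B', 'C', 'D']
```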

2.3 Networking basics:


Here are some of the fundamental parts of a network:

Figure 2.2 Fundamental parts of a network

Network - A network is a group of computers connected together in a way that allows information to be exchanged between the computers.

Node - A node is anything that is connected to the network. While a node is typically a computer, it can also be something like a printer or CD-ROM tower.

Segment - A segment is any portion of a network that is separated, by a switch, bridge or router, from other parts of the network.

Backbone - The backbone is the main cabling of a network that all of the segments connect to. Typically, the backbone is capable of carrying more information than the individual segments. For example, each segment may have a transfer rate of 10 Mbps (megabits per second), while the backbone may operate at 100 Mbps.

Topology - Topology is the way that each node is physically connected to the network. Common topologies include:

2.3.1 Bus topology: Bus - Each node is daisy-chained (connected one right after the other) along the same backbone. Information sent from a node travels along the backbone until it reaches its destination node. Each end of a bus network must be terminated with a resistor to keep the signal that is sent by a node across the network from bouncing back when it reaches the end of the cable.

Figure 2.3 Bus network topology

2.3.2 Ring topology: Ring - Like a bus network, rings have the nodes daisy-chained. The difference is that the end of the network comes back around to the first node, creating a complete circuit. In a ring network, each node takes a turn sending and receiving information through the use of a token. The token, along with any data, is sent from the first node to the second node, which extracts the data addressed to it and adds any data it wishes to send. Then, the second node passes the token and data to the third node, and so on until it comes back around to the first node again. Only the node with the token is allowed to send data. All other nodes must wait for the token to come to them.

Figure 2.4 Ring network topology

2.3.3 Star topology: Star - In a star network, each node is connected to a central device called a hub. The hub takes a signal that comes from any node and passes it along to all the other nodes in the network. A hub does not perform any type of filtering or routing of the data. It is simply a junction that joins all the different nodes together.


Figure 2.5 Star network topology

2.3.4 Star bus topology: Star bus - Probably the most common network topology in use today, star bus combines elements of the star and bus topologies to create a versatile network environment. Nodes in particular areas are connected to hubs (creating stars), and the hubs are connected together along the network backbone (like a bus network). Quite often, stars are nested within stars, as seen in the example below:

Figure 2.6 Typical star bus network

Unicast - A unicast is a transmission from one node addressed specifically to another node.

Multicast - In a multicast, a node sends a packet addressed to a special group address. Devices that are interested in this group register to receive packets addressed to the group. An example might be a Cisco router sending out an update to all of the other Cisco routers.

Broadcast - In a broadcast, a node sends out a packet that is intended for transmission to all other nodes on the network.


In the most basic type of network found today, nodes are simply connected together using hubs. As a network grows, there are some potential problems with this configuration:

Scalability - In a hub network, limited shared bandwidth makes it difficult to accommodate significant growth without sacrificing performance. Applications today need more bandwidth than ever before. Quite often, the entire network must be redesigned periodically to accommodate growth.

Latency - This is the amount of time that it takes a packet to get to its destination. Since each node in a hub-based network has to wait for an opportunity to transmit in order to avoid collisions, the latency can increase significantly as you add more nodes. Or, if someone is transmitting a large file across the network, then all of the other nodes have to wait for an opportunity to send their own packets. You have probably seen this before at work -- you try to access a server or the Internet and suddenly everything slows down to a crawl.

Network failure - In a typical network, one device on a hub can cause problems for other devices attached to the hub due to incorrect speed settings (100 Mbps on a 10-Mbps hub) or excessive broadcasts. Switches can be configured to limit broadcast levels.

Collisions - Ethernet uses a process called CSMA/CD (Carrier Sense Multiple Access with Collision Detection) to communicate across the network. Under CSMA/CD, a node will not send out a packet unless the network is clear of traffic. If two nodes send out packets at the same time, a collision occurs and the packets are lost. Then both nodes wait a random amount of time and retransmit the packets. Any part of the network where there is a possibility that packets from two or more nodes will interfere with each other is considered to be part of the same collision domain. A network with a large number of nodes on the same segment will often have a lot of collisions and therefore a large collision domain.

2.4 Switches:
Switches are a fundamental part of most networks. They make it possible for several users to send information over a network at the same time without slowing each other down. Just like routers allow different networks to communicate with each other, switches allow different nodes (a network connection point, typically a computer) of a network to communicate directly with one another in a smooth and efficient manner.

Switches that provide a separate connection for each node in a company's internal network are called LAN switches. Essentially, a LAN switch creates a series of instant networks that contain only the two devices communicating with each other at that particular moment.

While hubs provide an easy way to scale up and shorten the distance that the packets must travel to get from one node to another, they do not break up the actual network into discrete segments. That is where switches come in.

Figure.2.7 Imagine that each vehicle is a packet of data waiting for an opportunity to continue on its trip.

Think of a hub as a four-way intersection where everyone has to stop. If more than one car reaches the intersection at the same time, they have to wait for their turn to proceed. Now imagine what this would be like with a dozen or even a hundred roads intersecting at a single point. The amount of waiting and the potential for a collision increases significantly. But wouldn't it be amazing if you could take an exit ramp from any one of those roads to the road of your choosing? That is exactly what a switch does for network traffic. A switch is like a cloverleaf intersection -- each car can take an exit ramp to get to its destination without having to stop and wait for other traffic to go by.

A vital difference between a hub and a switch is that all the nodes connected to a hub share the bandwidth among themselves, while a device connected to a switch port has the full bandwidth all to itself. For example, if 10 nodes are communicating using a hub on a 10-Mbps network, then each node may only get a portion of the 10 Mbps if other nodes on the hub want to communicate as well. But with a switch, each node could possibly communicate at the full 10 Mbps. Think about our road analogy. If all of the traffic is coming to a common intersection, then each car has to share that intersection with every other car. But a cloverleaf allows all of the traffic to continue at full speed from one road to the next.

2.4.1 Switching Technologies:
You can see that a switch has the potential to radically change the way nodes communicate with each other. But you may be wondering what makes it different from a router. Switches usually work at Layer 2 (Data or Datalink) of the OSI Reference Model, using MAC addresses, while routers work at Layer 3 (Network) with Layer 3 addresses (IP, IPX or AppleTalk, depending on which Layer 3 protocols are being used). The algorithm that switches use to decide how to forward packets is different from the algorithms used by routers to forward packets.

One of these differences in the algorithms between switches and routers is how broadcasts are handled. On any network, the concept of a broadcast packet is vital to the operability of a network. Whenever a device needs to send out information but doesn't know who it should send it to, it sends out a broadcast. For example, every time a new computer or other device comes on to the network, it sends out a broadcast packet to announce its presence. The other nodes (such as a domain server) can add the computer to their browser list (kind of like an address directory) and communicate directly with that computer from that point on. Broadcasts are used any time a device needs to make an announcement to the rest of the network or is unsure of who the recipient of the information should be.

Figure 2.8 The OSI Reference Model consists of seven layers that build from the wire (Physical) to the software


A hub or a switch will pass along any broadcast packets they receive to all the other segments in the broadcast domain, but a router will not. Think about our four-way intersection again: all of the traffic passed through the intersection no matter where it was going. Now imagine that this intersection is at an international border. To pass through the intersection, you must provide the border guard with the specific address that you are going to. If you don't have a specific destination, then the guard will not let you pass. A router works like this. Without the specific address of another device, it will not let the data packet through. This is a good thing for keeping networks separate from each other, but not so good when you want to talk between different parts of the same network. This is where switches come in.

LAN switches rely on packet-switching. The switch establishes a connection between two segments just long enough to send the current packet. Incoming packets (part of an Ethernet frame) are saved to a temporary memory area (buffer); the MAC address contained in the frame's header is read and then compared to a list of addresses maintained in the switch's lookup table. In an Ethernet-based LAN, an Ethernet frame contains a normal packet as the payload of the frame, with a special header that includes the MAC address information for the source and destination of the packet.
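To make the lookup-table behaviour concrete, here is an added Python model (not the report's own code) of a hub beside a learning LAN switch: the switch records which port each source MAC address arrived on and later forwards frames for that address out of that port only, flooding unknown and broadcast destinations to every other port, while the hub repeats every frame everywhere. Port numbers and MAC addresses are constructed.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed, locally administered addresses for the stations in the examples below.
A, B, C, D, E = ("02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c",
                 "02:00:00:00:00:0d", "02:00:00:00:00:0e")


class Hub:
    """Shared medium: every frame is repeated out of every port except the one it came in on."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, src, dst):
        return [p for p in self.ports if p != in_port]


class LearningSwitch:
    """Layer 2 switch with a MAC-address lookup table (MAC -> port)."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}     # the lookup table the frame header is compared against

    def learn(self, src, in_port):
        """Record (or refresh) the port on which the source address was seen."""
        self.table[src] = in_port

    def forward(self, in_port, src, dst):
        """Return the list of ports the frame is sent out of."""
        self.learn(src, in_port)
        if dst == BROADCAST or dst not in self.table:
            # broadcast, or destination not yet learned: flood like a hub
            return [p for p in self.ports if p != in_port]
        out_port = self.table[dst]
        if out_port == in_port:
            return []           # sender and receiver share the ingress segment; nothing to forward
        return [out_port]       # the "instant network" of just the two talking devices


def replay(device, frames):
    """Run a sequence of (in_port, src, dst) through a device and collect the egress port lists."""
    return [device.forward(*f) for f in frames]


if __name__ == "__main__":
    traffic = [(1, A, B), (2, B, A), (1, A, B), (3, C, BROADCAST)]
    print("hub   :", replay(Hub([1, 2, 3, 4]), traffic))
    sw = LearningSwitch([1, 2, 3, 4])
    print("switch:", replay(sw, traffic))
    print("table :", sw.table)
```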

2.5 Routers:
Routers connect LANs at the Network layer of the OSI model. Routers connect LANs that use the same Network-layer protocol, such as IPX-to-IPX and IP-to-IP. Because routers operate at the Network layer, they can be used to link dissimilar LANs, such as ARCNET, Ethernet, and Token Ring.

Figure 2.9 Routers

Two networks connected via a router are physically and logically separate networks. Network-layer protocols have their own addressing scheme separate from the addressing scheme of MAC-layer protocols. This addressing scheme may or may not include the MAC-layer addresses of the network cards. Each network attached to a router must be assigned a logical identifier, or network address, to designate it as unique from other physical networks. For example, NetWare's IPX routers (NetWare file servers or external NetWare routers using ROUTER.EXE) use each LAN card's MAC-layer address and a logical address for each network assigned by the router installer.

A router can support single or multiple Network-layer protocols. NetWare 2.2 file servers and NetWare external routers, for example, only support NetWare's IPX protocol. NetWare 3.11 file servers, on the other hand, can route IPX, IP and AppleTalk if the proper routing software is loaded into the file server. Dedicated routers from Proteon, Cisco, Wellfleet, and others can route a number of different protocols. Routers only forward traffic addressed to the other side. This means that local traffic on one LAN will not affect performance on another. Routers can be proprietary devices, or can be software and hardware residing in a general-purpose computer, such as a PC.

Like transparent bridges, routers maintain routing tables. A router's routing table, however, keeps track of network addresses and possible routes between networks, not individual node addresses. Using routers, redundant paths between networks can be established, and traffic will be routed between networks based on some algorithm to determine the best path. The simplest routers usually select the path with the fewest number of router hops as the best path. More intelligent routers consider other factors, such as the relative response times of various possible routes, when selecting the best path.

2.6 Gateways:
A gateway is a fundamentally different type of device than a router or switch and can be used in conjunction with them. A gateway makes it possible for an application program, running on a system conforming to one network architecture, to communicate with an application program running on a system conforming to some other network architecture.


Figure 2.10 Architecture of gateways

A gateway performs its function in the Application layer of the OSI model. The function of a gateway is to convert one set of communication protocols to some other set of communication protocols. Protocol conversion may include the following:

Message format conversion - Different networks may employ different message formats, maximum message sizes, or character codes. The gateway must be able to convert messages to the appropriate format, size and coding.

Address translation - Different networks may employ different addressing mechanisms and network address structures. The gateway must be able to interpret network addresses in one network and convert them into network addresses in the other network.

Protocol conversion - When a message is prepared for transmission, each layer adds control information unique to the protocol used in that layer. The gateway must be able to convert the control information used by each layer so that the receiving system receives the control information in the format it expects. Services affected may include message segmentation and reassembly, data flow control, and error detection and recovery.

2.7 What is routing?


Routing is the act of moving information across an inter-network from a source to a destination. Along the way, at least one intermediate node typically is encountered. Routing is often contrasted with bridging, which might seem to accomplish precisely the same thing to the casual observer. The primary difference between the two is that bridging occurs at Layer 2 (the link layer) of the OSI reference model, whereas routing occurs at Layer 3 (the network layer). This distinction provides routing and bridging with different information to use in the process of moving information from source to destination, so the two functions accomplish their tasks in different ways.

2.7.1 Routing metrics:
Routing metrics are a scoring system for routes used to indicate how good or bad the route is. Metrics are calculated by routers to prioritize routes from best to worst. Routers use the metrics to select the best possible route or routes to a given destination. Metrics can include hop count (how many stops there are between the source and the destination), media type (serial, FDDI, Token Ring, Ethernet, SONET etc.), bandwidth, reliability (whether the machine is up or down) and several other factors, including some set by the network administrator. A lower metric generally indicates a better route.

2.7.2 Routing Components:
Routing involves two basic activities: determining optimal routing paths and transporting information groups (typically called packets) through an internet-work. In the context of the routing process, the latter of these is referred to as packet switching. Although packet switching is relatively straightforward, path determination can be very complex.

Path Determination: Routing protocols use metrics to evaluate what path will be the best for a packet to travel. A metric is a standard of measurement, such as path bandwidth, that is used by routing algorithms to determine the optimal path to a destination. To aid the process of path determination, routing algorithms initialize and maintain routing tables, which contain route information. Route information varies depending on the routing algorithm used.

Routing algorithms fill routing tables with a variety of information. Destination/next hop associations tell a router that a particular destination can be reached optimally by sending the packet to a particular router representing the "next hop" on the way to the final destination. When a router receives an incoming packet, it checks the destination address and attempts to associate this address with a next hop. Routing tables also can contain other information, such as data about the desirability of a path. Routers compare metrics to determine optimal routes, and these metrics differ depending on the design of the routing algorithm used. A variety of common metrics will be introduced and described later in this chapter.

Routers communicate with one another and maintain their routing tables through the transmission of a variety of messages. The routing update message is one such message that generally consists of all or a portion of a routing table. By analyzing routing updates from all other routers, a router can build a detailed picture of network topology. A link-state advertisement, another example of a message sent between routers, informs other routers of the state of the sender's links. Link information also can be used to build a complete picture of network topology to enable routers to determine optimal routes to network destinations.

Switching: The switching algorithm is relatively simple; it is the same for most routing protocols. In most cases, a host determines that it must send a packet to another host. Having acquired a router's address by some means, the source host sends a packet addressed specifically to the router's physical (Media Access Control [MAC]-layer) address, but carrying the protocol (network-layer) address of the destination host. As it examines the packet's destination protocol address, the router determines that it either knows or does not know how to forward the packet to the next hop. If the router does not know how to forward the packet, it typically drops the packet. If the router knows how to forward the packet, however, it changes the destination physical address to that of the next hop and transmits the packet.


The next hop may be the ultimate destination host. If not, the next hop is usually another router, which executes the same switching decision process. As the packet moves through the internet-work, its physical address changes, but its protocol address remains constant.

The preceding discussion describes switching between a source and a destination end system. The International Organization for Standardization (ISO) has developed a hierarchical terminology that is useful in describing this process. Using this terminology, network devices without the capability to forward packets between sub-networks are called end systems (ESs), whereas network devices with these capabilities are called intermediate systems (ISs). ISs are further divided into those that can communicate within routing domains (intra-domain ISs) and those that communicate both within and between routing domains (inter-domain ISs). A routing domain generally is considered a portion of an internet-work under common administrative authority that is regulated by a particular set of administrative guidelines. Routing domains are also called autonomous systems. With certain protocols, routing domains can be divided into routing areas, but intra-domain routing protocols are still used for switching both within and between areas.

2.7.3 Routing Algorithms:
Routing algorithms can be differentiated based on several key characteristics. First, the particular goals of the algorithm designer affect the operation of the resulting routing protocol. Second, various types of routing algorithms exist, and each algorithm has a different impact on network and router resources. Finally, routing algorithms use a variety of metrics that affect calculation of optimal routes. The following sections analyze these routing algorithm attributes.

2.8 Types of Routing:


Static Routing
Dynamic Routing
Default Routing

2.8.1 Static Routing: Static routing is a data communication concept describing one way of configuring path selection of routers in computer networks. It is the type of routing characterized by the absence of communication between routers regarding the current topology of the network. This is achieved by manually adding routes to the routing table. In these systems, routes through a data network are described by fixed paths (statically). The system administrator usually enters these routes into the router. An entire network can be configured using static routes, but this type of configuration is not fault tolerant. When there is a change in the network or a failure occurs between two statically defined nodes, traffic will not be rerouted. This means that anything that wishes to take an affected path will either have to wait for the failure to be repaired or for the static route to be updated by the administrator before restarting its journey. Most requests will time out (ultimately failing) before these repairs can be made. There are, however, times when static routes can improve the performance of a network. Some of these include stub networks and default routes.

Static Routing:
a. Routes for each destination network have to be manually configured by the administrator.
b. Requires the destination network ID for the configuration.
c. Used in small networks.
d. Administrative distance for a static route is 1.

Disadvantages of static routing:
a. Topology changes cannot be dynamically updated.
b. Compulsory need of all destination network IDs.
c. Administrative work is more.
d. Used for only small organizations.

Syntax for Static Routing:
Router (config)# ip route <destination network ID> <destination subnet mask> <next hop IP address> [permanent]
Or
Router (config)# ip route <destination network ID> <destination subnet mask> <exit interface type> <interface number> [permanent]

2.8.2 Default Routing: A default route, also known as the gateway of last resort, is the network route used by a router when no other known route exists for a given IP packet's destination address. All packets for destinations not known in the router's routing table are sent to the default route. This route generally leads to another router, which treats the packet the same way: if the route is known, the packet is forwarded along the known route; if not, the packet is forwarded to the default route of that router, which generally leads to yet another router, and so on. Each router traversal adds one hop to the route. Once a router with a known route to the destination host is reached, that router determines which route is valid by finding the most specific match: the network with the longest subnet mask that matches the destination IP address wins. The default route in IPv4 (in CIDR notation) is 0.0.0.0/0, often called the quad-zero route. Since the subnet mask given is /0, it effectively specifies no network and is the shortest match possible. A route lookup that doesn't match anything will naturally fall back onto this route. Similarly, in IPv6 the default address is given by . Routers in an organization generally point the default route towards the router that has a connection to a network service provider. This way, packets with destinations outside the organization's local area network (LAN), typically to the Internet, a WAN, or a VPN, will be forwarded by the router with the connection to that provider. Once it is routed outside the network, if that router does not know the route to the destination, it will forward the packet to its own default route, which is usually a router connected to a larger number of networks. Similarly, the packet will progress to the Internet backbone if still no route is known for the destination IP. It is then considered that the network does not exist, and the packet is discarded.
Host devices in an organization generally refer to the default route as a default gateway, which can be, and usually is, a filtering device such as a firewall or proxy server.
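The lookup rule just described (longest subnet mask wins, 0.0.0.0/0 matches last, and a packet is handed from default route to default route until a router either knows the destination or discards it), as an added Python example that is not part of the report; the routing tables and the router names branch, isp and core are constructed for the demonstration.

```python
import ipaddress
from typing import Optional

# Constructed routing table (prefix, next hop). The 0.0.0.0/0 entry is the
# gateway of last resort; the /16 and /24 entries overlap on purpose.
ROUTES = [
    ("0.0.0.0/0", "203.0.113.1"),       # default route toward the provider
    ("198.150.11.0/24", "10.0.0.2"),    # branch LAN, more specific than the /16
    ("198.150.0.0/16", "10.0.0.3"),     # aggregate covering the same space
    ("10.0.0.0/8", "10.0.0.4"),
]


def build_table(routes):
    """Parse textual prefixes once so each lookup compares network objects."""
    return [(ipaddress.ip_network(p, strict=False), nh) for p, nh in routes]


def lookup(table, dst: str) -> Optional[tuple]:
    """Longest-prefix match: every entry containing dst is a candidate and the
    one with the longest mask wins. A /0 entry contains every address, so a
    table with a default route never returns None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, nh in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def next_hop(table, dst: str):
    match = lookup(table, dst)
    return None if match is None else match[1]


def trace(routers: dict, start: str, dst: str, max_hops: int = 8) -> list:
    """Follow a packet router by router (each hop is one traversal). Next hops in
    these constructed tables are router names, or 'connected' when the router
    can deliver the packet itself. Ends in 'discard' when no route matches."""
    path, here = [start], start
    for _ in range(max_hops):
        match = lookup(routers[here], dst)
        if match is None:
            path.append("discard")          # no route at all: packet is dropped
            break
        nh = match[1]
        if nh == "connected":
            break                           # destination network reached
        path.append(nh)
        here = nh
    return path


# Constructed chain: branch -> isp -> core; only core lacks a default route.
ROUTERS = {
    "branch": build_table([("198.150.11.0/24", "connected"), ("0.0.0.0/0", "isp")]),
    "isp": build_table([("198.150.0.0/16", "branch"), ("0.0.0.0/0", "core")]),
    "core": build_table([("203.0.113.0/24", "connected")]),
}
```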


Syntax for Default Routing:
Router (config)# ip route 0.0.0.0 0.0.0.0 <next hop IP address>
Or
Router (config)# ip route 0.0.0.0 0.0.0.0 <exit interface type> <interface number>

2.8.3 Dynamic Routing: Dynamic routing protocols are supported by software applications running on the routing device (the router) which dynamically learn network destinations and how to reach them, and also advertise those destinations to other routers. This advertisement function allows all the routers to learn about all the destination networks that exist and how to reach those networks. A router using dynamic routing will 'learn' the routes to all networks that are directly connected to the device. Next, the router will learn routes from other routers that run the same routing protocol (RIP, RIPv2, EIGRP, OSPF, IS-IS, BGP, etc.). Each router will then sort through its list of routes and select one or more 'best' routes for each network destination the router knows or has learned. Dynamic routing protocols will then distribute this 'best route' information to other routers running the same routing protocol, thereby extending the information on what networks exist and can be reached. This gives dynamic routing protocols the ability to adapt to logical network topology changes, equipment failures or network outages 'on the fly'.

Types of Dynamic Routing Protocols:
Distance-vector protocol (RIP - Routing Information Protocol): an open standard.
Link-state protocol (OSPF - Open Shortest Path First): an open standard.
Hybrid or advanced distance-vector routing protocol (EIGRP - Enhanced Interior Gateway Routing Protocol): Cisco proprietary.

2.8.4 OPEN SHORTEST PATH FIRST(OSPF): OSPF is a protocol that runs in the Transport Layer (OSPF runs over IP), and its protocol number in the IP datagram is 89.


OSPF is an Interior Gateway Protocol, which means that it is used by all the routers inside the same Autonomous System (AS) in order to route packets inside the AS. In an internet which is divided into several ASes, routing between two hosts on different ASes is done as follows: first, the packet is sent from the original host to some Border Router using the Interior Gateway Protocol (IGP). The Border Router uses the Border Gateway Protocol (BGP) to route the packet to the AS of the destination. Inside that AS, the packet is routed through the IGP of that AS. OSPF can be described as follows: in OSPF, each router maintains a database that describes the current topology of the network. However, since OSPF is run inside ASes and since ASes can be very large, an AS is divided into small sets of networks which are called "Areas". The main idea is that each router should maintain a database of the topology of the area in which it resides. This database is maintained in the following way:

At first, when a router comes online, it uses a protocol (the Hello Protocol) to find its network neighbors and the cost it takes to reach each neighbor. This information is referred to as the link-state information of the router. When this is done, each router floods its list of neighbors (Link State Advertisement) throughout the entire area until all the routers have received it. This continues until all the routers in the area have the list of neighbors from all the other routers. When this process is done, each router has in its database some representation of the topology of the area: each router has the list of neighbors of all other routers. This information is sufficient to know the exact topology of the area, and in addition, it can be used to build a routing table, to route packets inside the area using the best path (the path which is the most suitable for the Type Of Service needed by the packet which is to be delivered). Whenever a change in the topology occurs (a router goes down, a new router comes up), this change is quickly discovered using a protocol (again, the Hello Protocol), and the router that discovered the change updates its database and updates all the routers in the area by flooding the update throughout the network. This ensures that all the routers in the same area have the same database. In order to flood link state information throughout the area, OSPF introduces the notion of Designated Routers. Once Designated Routers have been selected, whenever some router wants to send link state information, it transfers it to the Designated Router in an exchange protocol. Next, the Designated Router transfers the information to all the other routers. When all the routers are synchronized (all the routers have the same information in their database), they use the Dijkstra algorithm and build a shortest path tree, where shortest path means the least cost path (the quickest path to route a packet). In the case where there is more than one path to the same destination with the same cost, all the paths to the destination with the least cost are saved in the tree. This is later used for load balancing when routing packets. In addition, there can be a few such trees, each for a specified Type Of Service of packets, due to the fact that each Type Of Service can have a different definition of the cost of a path. (For example, when routing packets of digital video, we would prefer a route with a very small delay.) The shortest-path tree (or trees) is later used to build the routing table of each router.

OSPF Features:
Open standard (IETF)
Successor of RIP
SPF or Dijkstra algorithm
Link-state routing protocol
Classless
Hello packets are sent every 10 seconds
Supports FLSM, VLSM, CIDR and manual summarization
Incremental / triggered updates
Updates are sent as multicast (224.0.0.5 & 224.0.0.6)
Metric = Cost (cost = 10^8/bandwidth in bps)
Administrative distance = 110

Load balancing via equal cost paths by default (unequal cost load balancing not supported)

Link-state routing protocol:
Auto neighbor discovery
Hierarchical network design
One area has to be designated as area 0 (backbone area)
Sends periodic updates, known as link-state refresh, every 30 seconds
Maintains a similar database on all the routers within an area
Router ID is used to identify each router

OSPF configuration:
Syntax
Router (config)# ip routing
Router (config)# router ospf <process id>
Router (config-router)# network <network id> <wildcard mask> area <area id>


CHAPTER-3 BLOCK DIAGRAM


This block diagram mainly consists of routers, switches and end devices such as PCs (personal computers) and a server. Routers are used in the routing process; switches are used to connect the end devices such as PCs and servers, and sit between the routers and the end devices. Class C IP addresses are used in this network, including on the Internet Service Provider (ISP) network. Branch 1 and Branch 2 are located in different places, and the two routers are connected through the ISP (Internet Service Provider). The block diagram is shown below.

Figure 3.1 Implementation of IPsec VPNs and their configuration on the ISP network


3.1 Router 2811:


In the block diagram above, the Router 2811 is used; the Router 2811 is shown in the figure below.

Figure 3.2 Router 2811

This section describes the new conventions for interface and line numbering.
1. The interface numbering scheme is the same for async interfaces and non-async interfaces. To configure the line associated with an async interface, use the interface number to specify the async line. For example, line 0/0/0 specifies the line associated with interface serial 0/0/0 on a WIC-2A/S in slot 0. Similarly, line 0/1/1 specifies the line associated with interface async 0/1/1 on a WIC-2AM in slot 1.
Note: This document uses the following words interchangeably:
o Network-module-slot and slot.
o Interface-card-slot and subslot.
2. Ports on network modules are numbered like this:
interface-number = network-module-slot/port
OR
interface-number = slot/port


2. Ports on interface cards (such as WICs, VWICs and HWICs) installed directly in chassis slots are numbered as given here:
interface-number = 0/interface-card-slot/port
OR
interface-number = 0/subslot/port
3. This numbering convention is used for ports on interface cards that are installed in network module slots:
interface-number = network-module-slot/interface-card-slot/port
OR
interface-number = slot/subslot/port
Note: The slot/subslot/port format only applies to WIC interfaces. Interfaces that are native to the network modules still use only the slot/port format. That is:
o <interface-name> slot/port is used whenever the interfaces are native on the network module.
o <interface-name> slot/subslot/port is used whenever the interfaces are on the WIC slot of a network module (NM).

4. Here is an example of numbering when the motherboard slot number is always 0. The native interfaces on the motherboard are numbered like this:
o Fa0/0, Fa0/1 on Cisco 2811.
o Gi0/0 and Gi0/1 on Cisco 2821 and Cisco 2851.

The motherboard WIC slots are numbered from 0 to 3. The number increments from right to left, and from bottom to top.
WIC 0 ports: <interface>0/0/0, <interface>0/0/1
WIC 1 ports: <interface>0/1/0, <interface>0/1/1
WIC 2 ports: <interface>0/2/0, <interface>0/2/1
WIC 3 ports: <interface>0/3/0, <interface>0/3/1
5. Slot numbers for other slots increase from bottom to top, then right to left. Subslot numbers and port numbers within a slot also increase from bottom to top, then right to left. Examples:
Interfaces native to an extension network module (ENM): <interface>1/0, <interface>1/1
If the ENM carries WIC cards, the WIC slot numbers start from 0:
WIC 0 ports: <interface> 1/0/0, <interface> 1/0/1
WIC 1 ports: <interface> 1/1/0, <interface> 1/1/1
The extension voice module (EVM) slot analog interfaces are numbered from voice-port 2/0/0 to voice-port 2/0/23, following the NM-HDA convention.

Functionality: In the block diagram above, Branch-1 and Branch-2 are located in different locations. Branch one and branch two are connected through the ISP (Internet Service Provider) network. The steps for configuring the two branches are shown below:
Configure the IP addresses as per the diagram on the ISP network.
Configuring the IKE policy: create a policy specifying the encryption and hash function.
Configure the pre-shared IKE key for the peer router, whose address has to be mentioned.
Configuring the IPSec policy: Create a transform set with encryption and hash function properties and tunnel mode, which should match the peer.
Create an access-list to mark the interesting traffic that initiates the VPN connection.
Create a crypto map that references the access-list and transform-set.
Apply the crypto map to the serial interface.
After both branches are configured, they communicate with each other, and packets sent from one branch to the other are transmitted securely.

3.2 Virtual private network(vpn):


A VPN is a shared network where private data is segmented from other traffic so that only the intended recipient has access. The term VPN was originally used to describe a secure connection over the Internet. Today, however, VPN is also used to describe private networks, such as Frame Relay, Asynchronous Transfer Mode (ATM), and Multiprotocol Label Switching (MPLS). A key aspect of data security is that the data flowing across the network is protected by encryption technologies. Private networks lack data security, which can allow attackers to tap directly into the network and read the data. IPSec-based VPNs use encryption to provide data security, which increases the network's resistance to data tampering or theft. IPSec-based VPNs can be created over any type of IP network, including the Internet, Frame Relay, ATM, and MPLS, but only the Internet is ubiquitous and inexpensive.

Intranets: Intranets connect an organization's locations. These locations range from the headquarters offices, to branch offices, to a remote employee's home. Often this connectivity is used for e-mail and for sharing applications and files. While Frame Relay, ATM, and MPLS accomplish these tasks, the shortcomings of each limit connectivity. The cost of connecting home users is also very high compared to Internet-access technologies, such as DSL or cable. Because of this, organizations are moving their networks to the Internet, which is inexpensive, and using IPSec to create these networks.

Extranets: Extranets are secure connections between two or more organizations. Common uses for extranets include supply-chain management, development partnerships, and subscription services. These undertakings can be difficult using legacy network technologies due to connection costs, time delays, and access availability. IPSec-based VPNs are ideal for extranet connections. IPSec-capable devices can be quickly and inexpensively installed on existing Internet connections.

3.3 What Is IPSec and How Does It Work?


IPSec is an Internet Engineering Task Force (IETF) standard suite of protocols that provides data authentication, integrity, and confidentiality as data is transferred between communication points across IP networks. IPSec provides data security at the IP packet level. A packet is a data bundle that is organized for transmission across a network, and it includes a header and payload (the data in the packet). IPSec emerged as a viable network security standard because enterprises wanted to ensure that data could be securely transmitted over the Internet. IPSec protects against possible security exposures by protecting data while in transit.


3.3.1 IPSec Security Features: IPSec is the most secure method commercially available for connecting network sites. IPSec was designed to provide the following security features when transferring packets across networks:
Authentication: Verifies that the packet received is actually from the claimed sender.
Integrity: Ensures that the contents of the packet did not change in transit.
Confidentiality: Conceals the message content through encryption.

3.4 IPSec Components:


IPSec contains the following elements:
Encapsulating Security Payload (ESP): Provides confidentiality, authentication, and integrity.
Authentication Header (AH): Provides authentication and integrity.
Internet Key Exchange (IKE): Provides key management and Security Association (SA) management.

3.4.1 Encapsulating Security Payload (ESP): ESP provides authentication, integrity, and confidentiality, which protect against data tampering and, most importantly, provide message content protection. IPSec provides an open framework for implementing industry standard algorithms, such as SHA and MD5. The algorithms IPSec uses produce a unique and unforgeable identifier for each packet, which is a data equivalent of a fingerprint. This fingerprint allows the device to determine if a packet has been tampered with. Furthermore, packets that are not authenticated are discarded and not delivered to the intended receiver. ESP also provides all encryption services in IPSec. Encryption translates a readable message into an unreadable format to hide the message content. The opposite process, called decryption, translates the message content from an unreadable format to a readable message. Encryption/decryption allows only the sender and the authorized receiver to read the data. In addition, ESP has an option to perform authentication, called ESP authentication. Using ESP authentication, ESP provides authentication and integrity for the payload and not for the IP header.


Figure 3.3 IP header

The ESP header is inserted into the packet between the IP header and any subsequent packet contents. However, because ESP encrypts the data, the payload is changed. ESP does not encrypt the ESP header, nor does it encrypt the ESP authentication data.

3.4.2 Authentication Header (AH): AH provides authentication and integrity, which protect against data tampering, using the same algorithms as ESP. AH also provides optional anti-replay protection, which protects against unauthorized retransmission of packets. The authentication header is inserted into the packet between the IP header and any subsequent packet contents. The payload is not touched. Although AH protects the packet's origin, destination, and contents from being tampered with, the identity of the sender and receiver is known. In addition, AH does not protect the data's confidentiality. If data is intercepted and only AH is used, the message contents can be read. ESP protects data confidentiality. For added protection in certain cases, AH and ESP can be used together. In the following table, IP HDR represents the IP header and includes both source and destination IP addresses.

Figure 3.4 Source and destination IP addresses



3.4.3 Security Association: IPSec introduces the concept of the Security Association (SA). An SA is a logical connection between two devices transferring data. An SA provides data protection for unidirectional traffic by using the defined IPSec protocols. An IPSec tunnel typically consists of two unidirectional SAs, which together provide a protected, full-duplex data channel. The SAs allow an enterprise to control exactly what resources may communicate securely, according to security policy. To do this an enterprise can set up multiple SAs to enable multiple secure VPNs, as well as define SAs within the VPN to support different departments and business partners.

3.4.4 Mode: IPSec protocols operate using modes. A mode is the method in which the IPSec protocol is applied to the packet. IPSec can be used in tunnel mode or transport mode. Typically, tunnel mode is used for gateway-to-gateway IPSec tunnel protection, while transport mode is used for host-to-host IPSec tunnel protection. A gateway is a device that monitors and manages incoming and outgoing network traffic and routes the traffic accordingly. A host is a device that sends and receives network traffic.
Transport Mode: The transport mode IPSec implementation encapsulates only the packet's payload. The IP header is not changed. After the packet is processed with IPSec, the new IP packet contains the old IP header (with the source and destination IP addresses unchanged) and the processed packet payload. Transport mode does not shield the information in the IP header; therefore, an attacker can learn where the packet is coming from and where it is going to. Figure 2-1 and Figure 2-2 above show a packet in transport mode.
Tunnel Mode: The tunnel mode IPSec implementation encapsulates the entire IP packet. The entire packet becomes the payload of the packet that is processed with IPSec. A new IP header is created that contains the two IPSec gateway addresses. The gateways perform the encapsulation/decapsulation on behalf of the hosts. Tunnel mode ESP prevents an attacker from analyzing the data and deciphering it, as well as knowing who the packet is from and where it is going.
Note: AH and ESP can be used in both transport mode and tunnel mode.


Figure 3.5 AH and ESP
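The two points made in 3.4.2 and 3.4.4 (ESP authentication covers the ESP header and payload but not the IP header, anti-replay rejects retransmitted packets, and tunnel mode hides the hosts behind the gateway addresses while transport mode does not), as an added Python example that is not code from the report. It assumes a constructed nine-byte IP header (source, destination, protocol), a truncated HMAC-SHA256 as the ESP authentication data, and leaves the payload unencrypted since the standard library has no AES; everything else follows the framing described above.

```python
import hashlib
import hmac
import ipaddress
import struct

ESP_PROTO = 50     # IP protocol number of ESP
IPIP_PROTO = 4     # next-header value meaning "an inner IP packet follows" (tunnel mode)
IP_HDR_LEN = 9     # constructed minimal IP header: 4-byte src, 4-byte dst, 1-byte protocol
ICV_LEN = 16       # truncated HMAC-SHA256 used as the ESP authentication data


def ip_header(src: str, dst: str, proto: int) -> bytes:
    return ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + bytes([proto])


def parse_ip_header(pkt: bytes):
    """(src, dst, proto) of the outermost header: what anyone on the path can read."""
    return str(ipaddress.IPv4Address(pkt[0:4])), str(ipaddress.IPv4Address(pkt[4:8])), pkt[8]


def esp_encapsulate(key: bytes, spi: int, seq: int, inner: bytes, mode: str,
                    gw_src: str = None, gw_dst: str = None) -> bytes:
    """Transport mode keeps the original header and protects only the payload;
    tunnel mode wraps the whole original packet under a new gateway-to-gateway header."""
    src, dst, inner_proto = parse_ip_header(inner)
    if mode == "transport":
        outer = ip_header(src, dst, ESP_PROTO)          # hosts stay visible
        payload, next_hdr = inner[IP_HDR_LEN:], inner_proto
    elif mode == "tunnel":
        outer = ip_header(gw_src, gw_dst, ESP_PROTO)    # only gateways visible
        payload, next_hdr = inner, IPIP_PROTO
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    esp = struct.pack("!II", spi, seq) + payload + bytes([next_hdr])   # header + payload + trailer
    # ESP authentication covers the ESP header, payload and trailer, NOT the outer IP header
    icv = hmac.new(key, esp, hashlib.sha256).digest()[:ICV_LEN]
    return outer + esp + icv


class ReplayWindow:
    """Sliding anti-replay window over sequence numbers (the AH/ESP anti-replay service)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set means sequence number top-i was already accepted

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                        # the first packet on an SA carries seq 1
        if seq > self.top:                      # newer than anything seen: slide the window
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        if self.top - seq >= self.size:
            return False                        # older than the window: stale
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:
            return False                        # already accepted once: replay
        self.bitmap |= bit
        return True


def esp_decapsulate(key: bytes, pkt: bytes, window: ReplayWindow) -> bytes:
    """Verify the ICV, enforce anti-replay, and return the original inner packet."""
    outer_src, outer_dst, proto = parse_ip_header(pkt)
    if proto != ESP_PROTO:
        raise ValueError("not an ESP packet")
    esp, icv = pkt[IP_HDR_LEN:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(key, esp, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: ESP header or payload was modified")
    spi, seq = struct.unpack("!II", esp[:8])
    if not window.accept(seq):                  # window advances only for authenticated packets
        raise ValueError(f"replayed or stale sequence number {seq} on SPI {spi:#x}")
    payload, next_hdr = esp[8:-1], esp[-1]
    if next_hdr == IPIP_PROTO:                  # tunnel mode: payload is the full inner packet
        return payload
    return ip_header(outer_src, outer_dst, next_hdr) + payload   # transport: restore header
```

Rewriting the outer destination of a tunnel-mode packet still verifies, which is exactly why the text says ESP authentication does not cover the IP header; AH would catch it.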

3.4.5 Key Management: IPSec uses the Internet Key Exchange (IKE) protocol to facilitate and automate the SA setup and the exchange of keys between parties transferring data. Using keys ensures that only the sender and receiver of a message can access it. IPSec requires that keys be re-created, or refreshed, frequently so that the parties can communicate securely with each other. IKE manages the process of refreshing keys; however, a user can control the key strength and the refresh frequency. Refreshing keys on a regular basis ensures data confidentiality between sender and receiver.

3.5 vpn process:


Even though IPSec is standards-based, each vendor has its own set of terms and procedures for implementing the standard. Because of these differences, it may be a good idea to review some of the terms and the generic processes for connecting two gateways before diving into the specifics.
Network Interfaces and Addresses: The VPN gateway is aptly named because it functions as a gatekeeper for each of the computers connected on the Local Area Network behind it. In most cases, each gateway will have a public-facing address (WAN side) and a private-facing address (LAN side). These addresses are referred to as the network interface in documentation regarding the construction of VPN communication. Please note that the addresses used in the example.

3.6 IP addressing:
For any two systems to communicate, they must be able to identify and locate each other. A computer may be connected to more than one network. In this situation, the system must be given more than one address. Each address will identify the connection of the computer to a different network. A device is not said to have an address; rather, each of the connection points, or interfaces, on that device has an address on a network. This allows other computers to locate the device on that particular network. The combination of the letter (network address) and the number (host address) creates a unique address for each device on the network. Each computer in a TCP/IP network must be given a unique identifier, or IP address. This address, operating at Layer 3, allows one computer to locate another computer on a network. All computers also have a unique physical address, known as a MAC address. These are assigned by the manufacturer of the network interface card. MAC addresses operate at Layer 2 of the OSI model.

Figure 3.6 The network interface card

3.6.1 IPv4 addressing: A router forwards packets from the originating network to the destination network using the IP protocol. The packets must include an identifier for both the source and destination networks. Using the IP address of the destination network, a router can deliver a packet to the correct network. When the packet arrives at a router connected to the destination network, the router uses the IP address to locate the particular computer connected to that network. This system works in much the same way as the national postal system. When the mail is routed, it must first be delivered to the post office at the destination city using the zip code. That post office then must locate the final destination in that city using the street address. This is a two-step process. Accordingly, every IP address has two parts. One part identifies the network where the system is connected, and a second part identifies that particular system on the network. This kind of address is called a hierarchical address, because it contains different levels. An IP address combines these two identifiers into one number. This number must be unique, because duplicate addresses would make routing impossible. The first part identifies the system's network address. The second part, called the host part, identifies which particular machine it is on the network. IP addresses are divided into classes to define large, medium, and small networks. Class A addresses are assigned to larger networks. Class B addresses are used for medium-sized networks and Class C for small networks. The first step in determining which part of the address identifies the network and which part identifies the host is identifying the class of an IP address.

3.7 Class A, B, C, D, and E IP addresses:


To accommodate different size networks and aid in classifying these networks, IP addresses are divided into groups called classes. This is known as classful addressing. Each complete 32-bit IP address is broken down into a network part and a host part. A bit or bit sequence at the start of each address determines the class of the address. There are five IP address classes as shown in the Figure below.

Figure 3.7 IP Addresses


The Class A address was designed to support extremely large networks, with more than 16 million host addresses available. Class A IP addresses use only the first octet to indicate the network address. The remaining three octets provide for host addresses. The first bit of a Class A address is always 0. With that first bit a 0, the lowest number that can be represented is 00000000, decimal 0. The highest number that can be represented is 01111111, decimal 127. The numbers 0 and 127 are reserved and cannot be used as network addresses. Any address that starts with a value between 1 and 126 in the first octet is a Class A address. The 127.0.0.0 network is reserved for loopback testing. Routers or local machines can use this address to send packets back to themselves. Therefore, this number cannot be assigned to a network. The Class B address was designed to support the needs of moderate to large-sized networks. A Class B IP address uses the first two of the four octets to indicate the network address. The other two octets specify host addresses. The first two bits of the first octet of a Class B address are always 10. The remaining six bits may be populated with either 1s or 0s. Therefore, the lowest number that can be represented with a Class B address is 10000000, decimal 128. The highest number that can be represented is 10111111, decimal 191. Any address that starts with a value in the range of 128 to 191 in the first octet is a Class B address. The Class C address space is the most commonly used of the original address classes. This address space was intended to support small networks with a maximum of 254 hosts. A Class C address begins with binary 110. Therefore, the lowest number that can be represented is 11000000, decimal 192. The highest number that can be represented is 11011111, decimal 223. If an address contains a number in the range of 192 to 223 in the first octet, it is a Class C address.
The Class D address class was created to enable multicasting in an IP address. A multicast address is a unique network address that directs packets with that destination address to predefined groups of IP addresses. Therefore, a single station can simultaneously transmit a single stream of data to multiple recipients. The Class D address space, much like the other address spaces, is mathematically constrained. The first four bits of a Class D address must be 1110. Therefore, the first octet range for Class D addresses is 11100000 to 11101111, or 224 to 239. An IP address that starts with a value in the range of 224 to 239 in the first octet is a Class D address. A Class E address has been defined. However, the Internet Engineering Task Force (IETF) reserves these addresses for its own research. Therefore, no Class E addresses have been released for use in the Internet. The first four bits of a Class E address are always set to 1s. Therefore, the first octet range for Class E addresses is 11110000 to 11111111, or 240 to 255.

Class   Address Identifier   Network Address            Host Address
A       0                    7 bits Network Address     24 bits Host Address
B       10                   14 bits Network Address    16 bits Host Address
C       110                  21 bits Network Address    8 bits Host Address
D       1110                 Multicast address (224.0.0.0-239.255.255.255)
E       1111                 Reserved for future use

First octet (8 bits of the 8 Bits / 8 Bits / 8 Bits / 8 Bits address):
Class-A: 00000000 to 01111111 (0-127)
Class-B: 10000000 to 10111111 (128-191)
Class-C: 11000000 to 11011111 (192-223)
Class-D: 11100000 to 11101111 (224-239)
Class-E: 11110000 to 11111111 (240-255)

Figure 3.8 Different types of classes and their ranges

3.8 Reserved IP addresses: Certain host addresses are reserved and cannot be assigned to devices on a network. These reserved host addresses include the following:

Network address: Used to identify the network itself. In the Figure below, the section that is identified by the upper box represents the 198.150.11.0 network. Data that is sent to any host on that network (198.150.11.1 - 198.150.11.254) will be seen outside of the local area network as 198.150.11.0. The only time that the host numbers matter is when the data is on the local area network. The LAN that is contained in the lower box is treated the same as the upper LAN, except that its network number is 198.150.12.0.
Broadcast address: Used for broadcasting packets to all the devices on a network. In the Figure, the section that is identified by the upper box represents the 198.150.11.255 broadcast address. Data that is sent to the broadcast address will be read by all hosts on that network (198.150.11.1 - 198.150.11.254). The LAN that is contained in the lower box is treated the same as the upper LAN, except that its broadcast address is 198.150.12.255.


Figure 3.9 Example of Reserved IP Address

An IP address that has binary 0s in all host bit positions is reserved for the network address. In a Class A network example, 113.0.0.0 is the IP address of the network, known as the network ID, containing the host 113.1.2.3. A router uses the network IP address when it forwards data on the Internet. In a Class B network example, the address 176.10.0.0 is a network address. In a Class B network address, the first two octets are designated as the network portion. The last two octets contain 0s because those 16 bits are for host numbers and are used to identify devices that are attached to the network. The IP address 176.10.0.0 is an example of a network address. This address is never assigned as a host address. A host address for a device on the 176.10.0.0 network might be 176.10.16.1. In this example, 176.10 is the network portion and 16.1 is the host portion. To send data to all the devices on a network, a broadcast address is needed. A broadcast occurs when a source sends data to all devices on a network. To ensure that all the other devices on the network process the broadcast, the sender must use a destination IP address that they can recognize and process. Broadcast IP addresses end with binary 1s in the entire host part of the address. In the network example, 176.10.0.0, the last 16 bits make up the host field or host part of the address. The broadcast that would be sent out to all devices on that network would include a destination address of 176.10.255.255. This is because 255 is the decimal value of an octet containing 11111111.


3.9 Public and private IP addresses:


IANA has reserved the following three blocks of the IP address space for private internets (RFC 1918):

10.0.0.0 - 10.255.255.255 (10.0.0.0/8 prefix)
o 24-bit block
o Complete class-A network number

172.16.0.0 - 172.31.255.255 (172.16.0.0/12 prefix)
o 20-bit block
o Set of 16 contiguous class-B network numbers

192.168.0.0 - 192.168.255.255 (192.168.0.0/16 prefix)
o 16-bit block
o Set of 256 contiguous class-C network numbers

The stability of the Internet depends directly on the uniqueness of publicly used network addresses. In the figure below, there is an issue with the network addressing scheme: both networks have the network address 198.150.11.0. The router in this illustration will not be able to forward the data packets correctly, because duplicate network IP addresses prevent it from performing its job of best path selection. Unique addresses are required for each device on a network.

Public IP addresses: Public IP addresses are unique. No two machines that connect to a public network can have the same IP address, because public IP addresses are global and standardized. All machines connected to the Internet agree to conform to the system. Public IP addresses must be obtained from an Internet service provider (ISP) or a registry, at some expense.

Private IP addresses: Private IP addresses are another solution to the problem of the impending exhaustion of public IP addresses. As mentioned, public networks require hosts to have unique IP addresses. However, private networks that are not connected to the Internet may use any host addresses, as long as each host within the private network is unique. Many private networks exist alongside public networks. However, using just any address on a private network is strongly discouraged, because that network might eventually be connected to the Internet. RFC 1918 sets aside three blocks of IP addresses for private, internal use. These three blocks consist of one Class A network, a range of Class B networks, and a range of Class C networks. Addresses that fall within these ranges are not routed on the Internet backbone; ISPs and border routers are expected to drop packets carrying them, so a packet arriving from the Internet with an RFC 1918 source address is by definition leaked or spoofed and should be filtered at the border. If addressing a non-public intranet, a test lab, or a home network, these private addresses can be used instead of globally unique addresses. Private IP addresses can be intermixed with public IP addresses. This conserves the number of public addresses used for internal connections. Connecting a network using private addresses to the Internet requires translation of the private addresses to public addresses. This translation process is referred to as Network Address Translation (NAT). A router usually is the device that performs NAT. NAT only rewrites addresses; it is not a substitute for a stateful firewall or an explicit access policy.
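The following is an added example (not code from this report) that turns the RFC 1918 blocks above into a check a border router or log-analysis script would apply: classify an IPv4 address as private or public and drop anything seen on the Internet-facing side that carries a private source or destination. It uses only the Python standard library; the packet list and the function names are mine, and the documentation-range addresses (198.51.100.0/24, 203.0.113.0/24) stand in for public ones.

```python
"""RFC 1918 classification and an ingress ("bogon") filter.

Added example for section 3.9; it is not code from the report. The packet
list at the bottom is constructed for illustration. Standard library only."""
import ipaddress

# The three RFC 1918 blocks exactly as listed in section 3.9.
RFC1918_BLOCKS = (
    ipaddress.ip_network("10.0.0.0/8"),       # 24-bit block: one class A network
    ipaddress.ip_network("172.16.0.0/12"),    # 20-bit block: 16 contiguous class Bs
    ipaddress.ip_network("192.168.0.0/16"),   # 16-bit block: 256 contiguous class Cs
)

# Blocks that can never be a legitimate Internet source: "this network",
# loopback, link-local, multicast and the reserved class E range.
NEVER_PUBLIC = (
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("224.0.0.0/4"),
    ipaddress.ip_network("240.0.0.0/4"),
)


def is_rfc1918(address: str) -> bool:
    """True if the IPv4 address lies inside one of the RFC 1918 blocks."""
    ip = ipaddress.IPv4Address(address)
    return any(ip in block for block in RFC1918_BLOCKS)


def is_public(address: str) -> bool:
    """Public here means: neither RFC 1918 nor one of the NEVER_PUBLIC blocks."""
    ip = ipaddress.IPv4Address(address)
    return not is_rfc1918(address) and not any(ip in block for block in NEVER_PUBLIC)


def ingress_filter(packets):
    """Filter (src, dst) pairs seen on the Internet-facing interface of a
    border router. A private source cannot have come from the Internet
    (it is leaked or spoofed) and a private destination cannot be reached
    through it. Returns (accepted, dropped) lists of (src, dst, reason)."""
    accepted, dropped = [], []
    for src, dst in packets:
        if not is_public(src):
            dropped.append((src, dst, "non-public source address on Internet-facing interface"))
        elif is_rfc1918(dst):
            dropped.append((src, dst, "RFC 1918 destination is not routable on the Internet"))
        else:
            accepted.append((src, dst, "ok"))
    return accepted, dropped


# Constructed sample traffic; documentation-range addresses stand in for public ones.
SAMPLE_PACKETS = [
    ("198.51.100.7", "203.0.113.10"),     # normal Internet traffic
    ("10.1.2.3", "203.0.113.10"),         # RFC 1918 source: leaked or spoofed
    ("172.31.255.254", "203.0.113.10"),   # last address of 172.16.0.0/12, still private
    ("172.32.0.1", "203.0.113.10"),       # one past the /12 boundary: public
    ("198.51.100.7", "192.168.1.1"),      # private destination leaking out
]

if __name__ == "__main__":
    accepted, dropped = ingress_filter(SAMPLE_PACKETS)
    for entry in accepted + dropped:
        print(entry)
```

The 172.16.0.0/12 boundary is the one people get wrong by hand (172.32.0.1 is public); checking membership against the prefix rather than comparing octets avoids that.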

3.10 subnetting:
Subnetting is another method of managing IP addresses. This method of dividing full network address classes into smaller pieces has prevented complete IP address exhaustion. It is important to understand subnetting as a means of dividing and identifying separate networks throughout the LAN. It is not always necessary to subnet a small network. However, for large or extremely large networks, subnetting is required. Subnetting a network means using the subnet mask to divide the network and break a large network up into smaller, more efficient and manageable segments, or subnets. An analogy is the U.S. telephone system, which is broken into area codes, exchange codes, and local numbers. The system administrator must resolve these issues when adding to and expanding the network. It is important to know how many subnets or networks are needed and how many hosts will be needed on each network. With subnetting, the network is not limited to the default Class A, B, or C network masks and there is more flexibility in the network design. Subnet addresses include the network portion, plus a subnet field and a host field. The subnet field and the host field are created from the original host portion for the entire network. The ability to decide how to divide the original host portion into the new subnet and host fields gives the administrator flexibility in addressing.

Figure 3.10 Subnetting


Under the classical rules (RFC 950), the minimum number of bits that can be borrowed is two. If only one bit were borrowed, the two resulting subnets would be the all-zeros subnet (subnet zero, whose network number is the .0 network) and the all-ones subnet (whose broadcast is the .255 address of the whole network), and both were considered unusable, so nothing would be gained. Modern routers and hosts follow RFC 1878 and treat subnet zero and the all-ones subnet as ordinary subnets (on Cisco IOS this is the ip subnet-zero behaviour, enabled by default), so in practice a single bit can be borrowed; when auditing a network, check which rule the equipment actually applies before assuming a subnet is unused. The maximum number of bits that can be borrowed is any number that leaves at least two bits for the host number, because the all-zeros and all-ones host values are reserved for the subnet address and the subnet broadcast.
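As an added example (not part of the report), the subnet calculator below borrows host bits from a classful network and lists each subnet's mask, broadcast address and usable host range; it also reproduces the historical "subnet zero and all-ones subnet are unusable" rule so you can see why the old minimum was two bits. Function names are mine; it relies only on the standard library.

```python
"""Classful subnetting calculator for section 3.10: borrow host bits, list the
resulting subnets with their masks, broadcast addresses and usable host ranges,
and show why the old "minimum two bits" rule existed.

Added example, not from the report. Standard library only."""
import ipaddress


def classful_prefix(network: str) -> int:
    """Default prefix length implied by the first octet (class A/B/C)."""
    first = int(network.split(".")[0])
    if first < 128:
        return 8          # class A: 8 network bits, 24 host bits
    if first < 192:
        return 16         # class B: 16 network bits, 16 host bits
    if first < 224:
        return 24         # class C: 24 network bits, 8 host bits
    raise ValueError("class D/E addresses are not subnetted")


def dotted_binary(mask: str) -> str:
    """255.255.255.192 -> 11111111.11111111.11111111.11000000"""
    return ".".join(f"{int(octet):08b}" for octet in mask.split("."))


def subnet(network: str, borrowed_bits: int, subnet_zero: bool = True) -> list:
    """Borrow `borrowed_bits` from the host portion of a classful network.

    With subnet_zero=False the historical rule (RFC 950 era) is applied: the
    all-zeros and all-ones subnets are discarded, which is why borrowing a
    single bit then yields nothing usable. Modern equipment (RFC 1878,
    'ip subnet-zero') keeps both, so the default is True."""
    base_len = classful_prefix(network)
    new_len = base_len + borrowed_bits
    if 32 - new_len < 2:
        raise ValueError("at least two host bits must remain (network + broadcast)")
    net = ipaddress.ip_network(f"{network}/{base_len}", strict=False)
    subnets = [net] if borrowed_bits == 0 else list(net.subnets(new_prefix=new_len))
    if not subnet_zero:
        subnets = subnets[1:-1]
    return [
        {
            "network": str(s.network_address),
            "mask": str(s.netmask),
            "mask_binary": dotted_binary(str(s.netmask)),
            "broadcast": str(s.broadcast_address),
            "first_host": str(s.network_address + 1),
            "last_host": str(s.broadcast_address - 1),
            "usable_hosts": s.num_addresses - 2,
        }
        for s in subnets
    ]


if __name__ == "__main__":
    # The class B example from section 3.8, not subnetted: broadcast 176.10.255.255
    print(subnet("176.10.0.0", 0)[0])
    # Borrow 2 bits from a class C: four /26 subnets of 62 hosts each
    for s in subnet("192.168.1.0", 2):
        print(s["network"], s["mask_binary"], s["broadcast"], s["usable_hosts"])
    # Same, under the old rule: only the two middle subnets survive
    print([s["network"] for s in subnet("192.168.1.0", 2, subnet_zero=False)])
```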

3.11 Features of ipv6:


The following are the features of the IPv6 protocol:

o New header format
o Large address space
o Efficient and hierarchical addressing and routing infrastructure
o Stateless and stateful address configuration
o Built-in security
o Better support for QoS
o New protocol for neighboring node interaction
o Extensibility

The following sections discuss each of these features in detail.

New Header Format: The IPv6 header has a new format that is designed to keep header overhead to a minimum. This is achieved by moving both non-essential fields and optional fields to extension headers that are placed after the IPv6 header. The streamlined IPv6 header is more efficiently processed at intermediate routers. IPv4 headers and IPv6 headers are not interoperable: a host or router must implement both IPv4 and IPv6 in order to recognize and process both header formats. The new IPv6 header is only twice as large as the IPv4 header (40 bytes versus 20 bytes without options), even though IPv6 addresses are four times as large as IPv4 addresses.

Large Address Space: IPv6 has 128-bit (16-byte) source and destination IP addresses. Although 128 bits can express over 3.4 x 10^38 possible combinations, the large address space of IPv6 has been designed to allow for multiple levels of subnetting and address allocation, from the Internet backbone down to the individual subnets within an organization. Even though only a small number of the possible addresses are currently allocated for use by hosts, there are plenty of addresses available for future use. With a much larger number of available addresses, address-conservation techniques such as NAT are no longer necessary. This removes only NAT's address-sharing role; the incidental blocking of unsolicited inbound connections that a NAT provides must be replaced by an explicit stateful firewall policy on IPv6 networks.

Efficient and Hierarchical Addressing and Routing Infrastructure: IPv6 global addresses used on the IPv6 portion of the Internet are designed to create an efficient, hierarchical, and summarizable routing infrastructure that is based on the common occurrence of multiple levels of Internet service providers. On the IPv6 Internet, backbone routers have much smaller routing tables, corresponding to the routing infrastructure of global ISPs.

Stateless and Stateful Address Configuration: To simplify host configuration, IPv6 supports both stateful address configuration, such as address configuration in the presence of a DHCP server, and stateless address configuration (address configuration in the absence of a DHCP server). With stateless address configuration, hosts on a link automatically configure themselves with IPv6 addresses for the link (called link-local addresses) and with addresses derived from prefixes advertised by local routers. Even in the absence of a router, hosts on the same link can automatically configure themselves with link-local addresses and communicate without manual configuration. Because any node on the link can send Router Advertisements, stateless configuration is also a well-known attack surface (rogue RA, RFC 6104); RA Guard on switches (RFC 6105) is the usual mitigation.

Built-in Security: Support for IPsec is an IPv6 protocol suite requirement. This requirement provides a standards-based solution for network security needs and promotes interoperability between different IPv6 implementations. Note that RFC 6434 later relaxed the requirement from MUST to SHOULD, so a given IPv6 stack cannot be assumed to implement, let alone enable, IPsec.

Better Support for QoS: New fields in the IPv6 header define how traffic is handled and identified. Traffic identification using a Flow Label field in the IPv6 header allows routers to identify and provide special handling for packets belonging to a flow, a series of packets between a source and destination. Because the traffic is identified in the IPv6 header, support for QoS can be achieved even when the packet payload is encrypted through IPsec.


New Protocol for Neighboring Node Interaction: The Neighbor Discovery protocol for IPv6 is a series of Internet Control Message Protocol for IPv6 (ICMPv6) messages that manage the interaction of neighboring nodes (nodes on the same link). Neighbor Discovery replaces the broadcast-based Address Resolution Protocol (ARP), ICMPv4 Router Discovery, and ICMPv4 Redirect messages with efficient multicast and unicast Neighbor Discovery messages.

Extensibility: IPv6 can easily be extended for new features by adding extension headers after the IPv6 header. Unlike options in the IPv4 header, which can only support 40 bytes of options, the size of IPv6 extension headers is constrained only by the size of the IPv6 packet. In practice, long or unusual extension header chains are a known evasion and denial-of-service vector for firewalls and intrusion detection systems: RFC 7112 requires the entire header chain to fit in the first fragment, and many operators drop packets whose chain cannot be parsed through to the upper-layer header.

3.11.1 Differences Between IPv4 and IPv6:

IPv4: Source and destination addresses are 32 bits (4 bytes) in length.
IPv6: Source and destination addresses are 128 bits (16 bytes) in length.

IPv4: IPsec support is optional.
IPv6: IPsec support is required (by RFC 2460 and RFC 4294; RFC 6434 later downgraded this to SHOULD).

IPv4: No identification of packet flow for QoS handling by routers is present within the IPv4 header.
IPv6: Packet flow identification for QoS handling by routers is included in the IPv6 header, using the Flow Label field.

IPv4: Fragmentation is done by both routers and the sending host.
IPv6: Fragmentation is not done by routers, only by the sending host.

IPv4: Header includes a checksum.
IPv6: Header does not include a checksum.

IPv4: Header includes options.
IPv6: All optional data is moved to IPv6 extension headers.

IPv4: Address Resolution Protocol (ARP) uses broadcast ARP Request frames to resolve an IPv4 address to a link layer address.
IPv6: ARP Request frames are replaced with multicast Neighbor Solicitation messages.

IPv4: Internet Group Management Protocol (IGMP) is used to manage local subnet group membership.
IPv6: IGMP is replaced with Multicast Listener Discovery (MLD) messages.

IPv4: ICMP Router Discovery is used to determine the IPv4 address of the best default gateway, and is optional.
IPv6: ICMP Router Discovery is replaced with ICMPv6 Router Solicitation and Router Advertisement messages, and is required.

IPv4: Broadcast addresses are used to send traffic to all nodes on a subnet.
IPv6: There are no IPv6 broadcast addresses. Instead, a link-local scope all-nodes multicast address is used.

IPv4: Must be configured either manually or through DHCP.
IPv6: Does not require manual configuration or DHCP.

IPv4: Uses host address (A) resource records in the Domain Name System (DNS) to map host names to IPv4 addresses.
IPv6: Uses host address (AAAA) resource records in the Domain Name System (DNS) to map host names to IPv6 addresses.

IPv4: Uses pointer (PTR) resource records in the IN-ADDR.ARPA DNS domain to map IPv4 addresses to host names.
IPv6: Uses pointer (PTR) resource records in the IP6.INT DNS domain to map IPv6 addresses to host names. (IP6.INT has since been retired by RFC 4159; current reverse mapping uses IP6.ARPA.)

IPv4: Must support a 576-byte packet size (possibly fragmented).
IPv6: Must support a 1280-byte packet size (without fragmentation).

Table 3.1 Difference between IPv4 and IPv6

3.11.2 IPv6 Packets over LAN Media: A link layer frame containing an IPv6 packet consists of the following structure:

Link Layer Header and Trailer: The encapsulation placed on the IPv6 packet at the link layer.
IPv6 Header: The new IPv6 header, described in section 3.12.8.
Payload: The payload of the IPv6 packet (the extension headers plus the upper layer protocol data unit), also described in section 3.12.8.

Figure 3.11 IPv6 packets at the link layer

For typical LAN technologies such as Ethernet, Token Ring, and Fiber Distributed Data Interface (FDDI), IPv6 packets are encapsulated in one of two ways: with either the Ethernet II header or a Sub-Network Access Protocol (SNAP) header, the latter used by IEEE 802.3 (Ethernet), IEEE 802.5 (Token Ring), and FDDI.

3.12 Ethernet II Encapsulation:


With Ethernet II encapsulation, IPv6 packets are indicated by setting the EtherType field in the Ethernet II header to 0x86DD (IPv4 is indicated by setting the EtherType field to 0x0800). With Ethernet II encapsulation, the Ethernet payload, and therefore the IPv6 packet, has a minimum size of 46 bytes and a maximum size of 1,500 bytes. A shorter IPv6 packet (the bare 40-byte header, for example) is padded to 46 bytes by the link layer, so a receiver must use the IPv6 Payload Length field, not the frame length, to find the end of the packet. Figure 3.12 shows Ethernet II encapsulation for IPv6 packets.

Figure 3.12 Ethernet II encapsulation

3.12.1 The IPv6 Address Space: The most obvious distinguishing feature of IPv6 is its use of much larger addresses. The size of an address in IPv6 is 128 bits, which is four times larger than an IPv4 address. A 32-bit address space allows for 2^32 or 4,294,967,296 possible addresses. A 128-bit address space allows for 2^128 or 340,282,366,920,938,463,463,374,607,431,768,211,456 (about 3.4 x 10^38) possible addresses.

In the late 1970s when the IPv4 address space was designed, it was unimaginable that it could be exhausted. However, due to changes in technology and an allocation practice that did not anticipate the explosion of hosts on the Internet, the IPv4 address space was consumed to the point that by 1992 it was clear a replacement would be necessary. With IPv6, it is even harder to conceive that the IPv6 address space will be consumed. To help put this number in perspective, a 128-bit address space provides 655,570,793,348,866,943,898,599 (about 6.5 x 10^23) addresses for every square meter of the Earth's surface. It is important to remember that the decision to make the IPv6 address 128 bits in length was not so that every square meter of the Earth could have 6.5 x 10^23 addresses. Rather, the relatively large size of the IPv6 address is designed to be subdivided into hierarchical routing domains that reflect the topology of the modern-day Internet. The use of 128 bits allows for multiple levels of hierarchy and flexibility in designing hierarchical addressing and routing that is currently lacking on the IPv4-based Internet. The IPv6 addressing architecture is described in RFC 2373 (since superseded by RFC 4291).

3.12.2 Current Allocation: In the same way that the IPv4 address space is divided, the IPv6 address space is divided based on the value of the high-order bits. The high-order bits and their fixed values are known as a Format Prefix (FP).

Allocation                          Format Prefix (binary)   Fraction of the address space
Reserved                            0000 0000                1/256
Unassigned                          0000 0001                1/256
Reserved for NSAP allocation        0000 001                 1/128
Unassigned                          0000 010                 1/128
Unassigned                          0000 011                 1/128
Unassigned                          0000 1                   1/32
Unassigned                          0001                     1/16
Aggregatable global unicast         001                      1/8
Unassigned                          010                      1/8
Unassigned                          011                      1/8
Unassigned                          100                      1/8
Unassigned                          101                      1/8
Unassigned                          110                      1/8
Unassigned                          1110                     1/16
Unassigned                          1111 0                   1/32
Unassigned                          1111 10                  1/64
Unassigned                          1111 110                 1/128
Unassigned                          1111 1110 0              1/512
Link-local unicast addresses        1111 1110 10             1/1024
Site-local unicast addresses        1111 1110 11             1/1024
Multicast addresses                 1111 1111                1/256

Table 3.2 Current Allocation of the IPv6 Address Space

The current set of unicast addresses that can be used with IPv6 nodes consists of aggregatable global unicast addresses (FP 001, i.e. 2000::/3), link-local unicast addresses, and site-local unicast addresses. These represent only about 12.7 percent (1/8 + 1/1024 + 1/1024) of the entire IPv6 address space. Site-local unicast addresses were deprecated by RFC 3879 and replaced by Unique Local Addresses (FC00::/7, RFC 4193).

3.12.3 IPv6 Address Syntax: IPv4 addresses are represented in dotted-decimal format. This 32-bit address is divided along 8-bit boundaries. Each set of 8 bits is converted to its decimal equivalent and separated by periods. For IPv6, the 128-bit address is divided along 16-bit boundaries, and each 16-bit block is converted to a 4-digit hexadecimal number and separated by colons. The resulting representation is called colon-hexadecimal. The following is an IPv6 address in binary form:

0010000111011010000000001101001100000000000000000010111100111011
0000001010101010000000001111111111111110001010001001110001011010

The 128-bit address is divided along 16-bit boundaries:

0010000111011010 0000000011010011 0000000000000000 0010111100111011
0000001010101010 0000000011111111 1111111000101000 1001110001011010

Each 16-bit block is converted to hexadecimal and delimited with colons. The result is:

21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A

The IPv6 representation can be further simplified by removing the leading zeros within each 16-bit block. However, each block must have at least a single digit. With leading zero suppression, the address representation becomes:

21DA:D3:0:2F3B:2AA:FF:FE28:9C5A

3.12.4 Compressing Zeros: Some types of addresses contain long sequences of zeros. To further simplify the representation of IPv6 addresses, a contiguous sequence of 16-bit blocks set to 0 in the colon-hexadecimal format can be compressed to ::, known as the double-colon. For example, the link-local address FE80:0:0:0:2AA:FF:FE9A:4CA2 can be compressed to FE80::2AA:FF:FE9A:4CA2. The multicast address FF02:0:0:0:0:0:0:2 can be compressed to FF02::2. Zero compression can only be used to compress a single contiguous series of 16-bit blocks expressed in colon-hexadecimal notation. You cannot use zero compression to include part of a 16-bit block. For example, you cannot express FF02:30:0:0:0:0:0:5 as FF02:3::5 (that is a different, valid address, FF02:3:0:0:0:0:0:5). To determine how many 0 bits are represented by the ::, count the number of blocks in the compressed address, subtract this number from 8, and then multiply the result by 16. For example, in the address FF02::2, there are two blocks (the FF02 block and the 2 block). The number of bits expressed by the :: is 96 (96 = (8 - 2) * 16).
Zero compression can only be used once in a given address. Otherwise, you could not determine the number of 0 bits represented by each instance of ::.

3.12.5 IPv6 Prefixes and their Types:

IPv6 prefixes: The prefix is the part of the address that indicates the bits that have fixed values, i.e. the bits of the network identifier. Prefixes for IPv6 subnet identifiers, routes, and address ranges are expressed in the same way as Classless Inter-Domain Routing (CIDR) notation for IPv4. An IPv6 prefix is written in address/prefix-length notation. For example, 21DA:D3::/48 is a route prefix and 21DA:D3:0:2F3B::/64 is a subnet prefix.

Types of IPv6 Addresses: There are three types of IPv6 addresses:

1. Unicast: A unicast address identifies a single interface within the scope of the type of unicast address. With the appropriate unicast routing topology, packets addressed to a unicast address are delivered to a single interface. To accommodate load-balancing systems, RFC 2373 allows multiple interfaces to use the same address as long as they appear as a single interface to the IPv6 implementation on the host.

2. Multicast: A multicast address identifies multiple interfaces. With the appropriate multicast routing topology, packets addressed to a multicast address are delivered to all interfaces that are identified by the address.

3. Anycast: An anycast address identifies multiple interfaces. With the appropriate routing topology, packets addressed to an anycast address are delivered to a single interface, the nearest interface that is identified by the address. The nearest interface is defined as the one closest in terms of routing distance.

A multicast address is used for one-to-many communication, with delivery to multiple interfaces. An anycast address is used for one-to-one-of-many communication. In all cases, IPv6 addresses identify interfaces, not nodes. A node is identified by any unicast address assigned to one of its interfaces.
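The conversion and compression rules of sections 3.12.3 to 3.12.5, as an added example that is not part of the report: binary to colon-hexadecimal, leading-zero suppression, :: compression and its inverse (rejecting a second :: or a :: that stands for no block), the bit count of a ::, and prefix notation. It goes slightly beyond the text in one respect: compress_zeros follows RFC 5952 and never compresses a single zero block. Function names are mine; results are cross-checked against Python's ipaddress module.

```python
"""IPv6 textual representation (sections 3.12.3 - 3.12.5).
Added example, not from the report. Standard library only."""
import ipaddress

# The 128-bit example address from section 3.12.3.
EXAMPLE_BITS = (
    "0010000111011010000000001101001100000000000000000010111100111011"
    "0000001010101010000000001111111111111110001010001001110001011010"
)


def binary_to_blocks(bits: str) -> list:
    """Split 128 binary digits on 16-bit boundaries; each block as 4 hex digits."""
    bits = bits.replace(" ", "")
    if len(bits) != 128 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 128 binary digits")
    return [f"{int(bits[i:i + 16], 2):04X}" for i in range(0, 128, 16)]


def colon_hex(bits: str, suppress_leading_zeros: bool = False) -> str:
    blocks = binary_to_blocks(bits)
    if suppress_leading_zeros:
        blocks = [b.lstrip("0") or "0" for b in blocks]   # each block keeps at least one digit
    return ":".join(blocks)


def compress_zeros(address: str) -> str:
    """Replace the longest run of two or more all-zero blocks with '::'
    (leftmost run on a tie, as RFC 5952 recommends). Input: 8 blocks."""
    blocks = [b.lstrip("0") or "0" for b in address.split(":")]
    if len(blocks) != 8:
        raise ValueError("compress_zeros expects an uncompressed 8-block address")
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if blocks[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and blocks[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(blocks)
    return ":".join(blocks[:best_start]) + "::" + ":".join(blocks[best_start + best_len:])


def expand(address: str) -> str:
    """Undo '::' and leading-zero suppression; reject malformed input."""
    if address.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in address:
        head, tail = address.split("::")
        head_blocks = head.split(":") if head else []
        tail_blocks = tail.split(":") if tail else []
        missing = 8 - len(head_blocks) - len(tail_blocks)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero block")
        blocks = head_blocks + ["0"] * missing + tail_blocks
    else:
        blocks = address.split(":")
    if len(blocks) != 8:
        raise ValueError("an IPv6 address has eight 16-bit blocks")
    values = [int(b, 16) for b in blocks]
    if any(not 0 <= v <= 0xFFFF for v in values):
        raise ValueError("each block is at most 16 bits")
    return ":".join(f"{v:04X}" for v in values)


def zero_bits_compressed(address: str) -> int:
    """Number of 0 bits the '::' stands for: (8 - blocks present) * 16."""
    if "::" not in address:
        return 0
    present = [b for b in address.split(":") if b]
    return (8 - len(present)) * 16


def prefix_info(prefix: str) -> tuple:
    """address/prefix-length -> (expanded network address, prefix length)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return expand(str(net.network_address)), net.prefixlen


def matches_stdlib(address: str) -> bool:
    """Cross-check: our expansion equals ipaddress's exploded form."""
    return expand(address).lower() == ipaddress.IPv6Address(address).exploded


if __name__ == "__main__":
    print(colon_hex(EXAMPLE_BITS))
    print(colon_hex(EXAMPLE_BITS, suppress_leading_zeros=True))
    print(compress_zeros("FE80:0:0:0:2AA:FF:FE9A:4CA2"), zero_bits_compressed("FF02::2"))
    print(expand("FF02::2"), prefix_info("21DA:D3:0:2F3B::/64"))
```

The FF02:3::5 case is worth keeping in mind when reading firewall rules or logs by hand: it parses fine but is not the address FF02:30::5 that a careless abbreviation intended.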
JOGINPALLY BR ENGINEERING COLLEGE 48

Special IPv6 Addresses: The following are special IPv6 addresses:

Unspecified address: The unspecified address (0:0:0:0:0:0:0:0 or ::) is only used to indicate the absence of an address. It is equivalent to the IPv4 unspecified address 0.0.0.0. The unspecified address is typically used as a source address for packets attempting to verify the uniqueness of a tentative address. The unspecified address is never assigned to an interface or used as a destination address.

Loopback address: The loopback address (0:0:0:0:0:0:0:1 or ::1) is used to identify a loopback interface, enabling a node to send packets to itself. It is equivalent to the IPv4 loopback address 127.0.0.1. Packets addressed to the loopback address must never be sent on a link or forwarded by an IPv6 router.

3.12.6 Compatibility Addresses: To aid in the migration from IPv4 to IPv6 and the coexistence of both types of hosts, the following addresses are defined:

IPv4-compatible address: The IPv4-compatible address, 0:0:0:0:0:0:w.x.y.z or ::w.x.y.z (where w.x.y.z is the dotted-decimal representation of an IPv4 address), is used by IPv6/IPv4 nodes that are communicating using IPv6. IPv6/IPv4 nodes are nodes with both IPv4 and IPv6 protocols. When the IPv4-compatible address is used as an IPv6 destination, the IPv6 traffic is automatically encapsulated with an IPv4 header and sent to the destination using the IPv4 infrastructure. This address type was deprecated by RFC 4291 and should not appear in new deployments.

IPv4-mapped address: The IPv4-mapped address, 0:0:0:0:0:FFFF:w.x.y.z or ::FFFF:w.x.y.z, is used to represent an IPv4-only node to an IPv6 node. It is used only for internal representation (a dual-stack socket, for example, reports an IPv4 peer this way). The IPv4-mapped address is never used as a source or destination address of an IPv6 packet, and a packet carrying one on the wire should be dropped.

6to4 address: The 6to4 address is used for communicating between two nodes running both IPv4 and IPv6 over an IPv4 routing infrastructure. The 6to4 address is formed by combining the prefix 2002::/16 with the 32 bits of a public IPv4 address of the node, forming a 48-bit prefix. 6to4 is a tunneling technique described in RFC 3056. Because a 6to4 endpoint accepts IPv4-encapsulated traffic from anywhere, it must check that the IPv4 address embedded in a 6to4 source matches the outer IPv4 source and is not a private address (RFC 3964 discusses these checks).

Figure 3.13 The IPv6 multicast address

The fields in the multicast address are:

Flags: Indicates flags set on the multicast address. The size of this field is 4 bits. As of RFC 2373, the only flag defined is the Transient (T) flag, which uses the low-order bit of the Flags field. When set to 0, the T flag indicates that the multicast address is a permanently assigned (well-known) multicast address allocated by the Internet Assigned Numbers Authority (IANA). When set to 1, the T flag indicates that the multicast address is a transient (non-permanently-assigned) multicast address. (RFC 3306 and RFC 3956 later defined the P and R flags in the remaining bits.)


Scope: Indicates the scope of the IPv6 internetwork for which the multicast traffic is intended. The size of this field is 4 bits. In addition to information provided by multicast routing protocols, routers use the multicast scope to determine whether multicast traffic can be forwarded.

Value   Scope
0       Reserved
1       Node-local scope (renamed interface-local scope in RFC 4291)
2       Link-local scope
5       Site-local scope
8       Organization-local scope
E       Global scope
F       Reserved

Table 3.3 Defined Values for the Scope Field

For example, traffic with the multicast address FF02::2 has link-local scope; an IPv6 router never forwards this traffic beyond the local link.

Group ID: Identifies the multicast group and is unique within the scope. The size of this field is 112 bits. Permanently assigned group IDs are independent of the scope. Transient group IDs are only relevant to a specific scope. Multicast addresses from FF00:: through FF0F:: are reserved, well-known addresses (RFC 2373, section 2.7.1). To identify all nodes for the node-local and link-local scopes, the following addresses are defined:

FF01::1 (node-local scope all-nodes multicast address)
FF02::1 (link-local scope all-nodes multicast address)

To identify all routers for the node-local, link-local, and site-local scopes, the following addresses are defined:

FF01::2 (node-local scope all-routers multicast address)
FF02::2 (link-local scope all-routers multicast address)
FF05::2 (site-local scope all-routers multicast address)

With 112 bits for the Group ID, it is possible to have 2^112 group IDs. However, because of the way in which IPv6 multicast addresses are mapped to Ethernet multicast MAC addresses, RFC 2373 recommends assigning the Group ID from the low-order 32 bits of the IPv6 multicast address and setting the remaining group ID bits to 0. By using only the low-order 32 bits, each group ID maps to a unique Ethernet multicast MAC address (33:33 followed by those 32 bits). Figure 3.14 shows the modified IPv6 multicast address.

Figure 3.14 The modified IPv6 multicast address using a 32-bit group ID

Solicited-Node Address: The solicited-node address facilitates the efficient querying of network nodes during address resolution. In IPv4, the ARP Request frame is sent to the MAC-level broadcast address, disturbing all nodes on the network segment, including those that are not running IPv4. IPv6 uses the Neighbor Solicitation message to perform address resolution. However, instead of using the link-local scope all-nodes multicast address as the Neighbor Solicitation destination, which would disturb all IPv6 nodes on the local link, the solicited-node multicast address is used. The solicited-node multicast address is composed of the prefix FF02::1:FF00:0/104 and the last 24 bits of the IPv6 address that is being resolved. For example, Node A is assigned the link-local address FE80::2AA:FF:FE28:9C5A and therefore also listens on the corresponding solicited-node multicast address FF02::1:FF28:9C5A (the last six hexadecimal digits, 28:9C5A, are the same in both). Node B on the local link must resolve Node A's link-local address FE80::2AA:FF:FE28:9C5A to its corresponding link-layer address. Node B sends a Neighbor Solicitation message to the solicited-node multicast address FF02::1:FF28:9C5A. Because Node A is listening on this multicast address, it processes the Neighbor Solicitation message and sends a unicast Neighbor Advertisement message in reply.

The result of using the solicited-node multicast address is that address resolutions, a common occurrence on a link, do not require a mechanism that disturbs all network nodes. By using the solicited-node address, very few nodes are disturbed during address resolution. In practice, because of the relationship between the Ethernet MAC address, the IPv6 interface ID, and the solicited-node address, the solicited-node address acts as a pseudo-unicast address for very efficient address resolution. Note that Neighbor Discovery, like ARP, carries no authentication: any node on the link can answer a Neighbor Solicitation and poison a neighbor cache, which is why link-level protections such as RA Guard and ND inspection exist.

Anycast IPv6 Addresses: An anycast address is assigned to multiple interfaces. Packets addressed to an anycast address are forwarded by the routing infrastructure to the nearest interface to which the anycast address is assigned. In order to facilitate delivery, the routing infrastructure must be aware of the interfaces assigned anycast addresses and their distance in terms of routing metrics. At present, anycast addresses are only used as destination addresses and are only assigned to routers. Anycast addresses are assigned out of the unicast address space, and the scope of an anycast address is the scope of the type of unicast address from which the anycast address is assigned.

The Subnet-Router anycast address is predefined and required. It is created from the subnet prefix for a given interface. To construct the Subnet-Router anycast address, the bits in the subnet prefix are fixed at their appropriate values and the remaining bits are set to 0. Figure 3.15 shows the Subnet-Router anycast address.

Figure 3.15 The Subnet-Router anycast address

All router interfaces attached to a subnet are assigned the Subnet-Router anycast address for that subnet. The Subnet-Router anycast address is used for communication with one of multiple routers attached to a remote subnet.
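The multicast address structure of section 3.12.7, as an added example that is not part of the report: it splits a multicast address into flags, scope and group ID, decides from the scope whether a router may forward it off-link, derives the solicited-node address a node must join for each of its unicast addresses, and maps a multicast address to the 33:33 Ethernet MAC. Function names are mine; only the standard library is used.

```python
"""IPv6 multicast address structure (section 3.12.7): flags, scope and group
ID, the solicited-node address, and the mapping to an Ethernet MAC address.
Added example, not from the report. Standard library only."""
import ipaddress

SOLICITED_NODE_PREFIX = ipaddress.IPv6Network("ff02::1:ff00:0/104")

SCOPES = {0: "reserved", 1: "node-local (interface-local)", 2: "link-local",
          5: "site-local", 8: "organization-local", 0xE: "global", 0xF: "reserved"}


def parse_multicast(address: str) -> dict:
    """Split FF | flags (4 bits) | scope (4 bits) | group ID (112 bits)."""
    n = int(ipaddress.IPv6Address(address))
    if n >> 120 != 0xFF:
        raise ValueError("not a multicast address (must start with FF)")
    flags = (n >> 116) & 0xF
    scope = (n >> 112) & 0xF
    return {
        "flags": flags,
        "transient": bool(flags & 0x1),      # T flag: 0 = well-known (IANA), 1 = transient
        "scope": scope,
        "scope_name": SCOPES.get(scope, "unassigned"),
        "group_id": n & ((1 << 112) - 1),
    }


def forwardable_off_link(address: str) -> bool:
    """A router never forwards node-local or link-local scoped multicast."""
    return parse_multicast(address)["scope"] > 2


def solicited_node(unicast: str) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx with the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE_PREFIX.network_address) | low24)


def multicast_mac(address: str) -> str:
    """33:33 followed by the low 32 bits of the IPv6 multicast address."""
    n = int(ipaddress.IPv6Address(address))
    if n >> 120 != 0xFF:
        raise ValueError("not a multicast address")
    low32 = n & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> shift) & 0xFF:02x}" for shift in (24, 16, 8, 0))


def neighbor_solicitation_target(unicast: str) -> dict:
    """Where a Neighbor Solicitation for `unicast` is sent on the wire."""
    sn = solicited_node(unicast)
    return {"ipv6_dst": str(sn), "mac_dst": multicast_mac(str(sn))}


if __name__ == "__main__":
    print(parse_multicast("ff02::2"))                      # link-local all-routers, well-known
    print(forwardable_off_link("ff02::2"), forwardable_off_link("ff05::2"))
    print(neighbor_solicitation_target("FE80::2AA:FF:FE28:9C5A"))
    # Two unicast addresses sharing their low 24 bits share one solicited-node group.
    print(solicited_node("2001:db8::1:1228:9c5a") == solicited_node("FE80::2AA:FF:FE28:9C5A"))
```

The last line shows the limit of the "pseudo-unicast" property: only the low 24 bits select the group, so nodes whose interface IDs collide there receive each other's solicitations and must check the target address inside the message.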


3.12.8 IPv6 Header: The IPv6 header is a streamlined version of the IPv4 header. It eliminates fields that are unneeded or rarely used and adds fields that provide better support for real-time traffic.

Structure of an IPv6 Packet: Figure 3.16 shows the structure of an IPv6 packet.

Figure 3.16 The structure of an IPv6 packet

The IPv6 header is always present and has a fixed size of 40 bytes. The fields in the IPv6 header are described in detail later.

Extension Headers: Zero or more extension headers can be present, and they are of varying lengths. The Next Header field in the IPv6 header identifies the first extension header. Within each extension header is a Next Header field that identifies the following extension header. The Next Header field of the last extension header identifies the upper layer protocol (such as TCP, UDP, or ICMPv6) contained in the upper layer protocol data unit. The IPv6 header and extension headers replace the IPv4 header with options. The extension header format allows IPv6 to be augmented to support future needs and capabilities. Unlike options in the IPv4 header, IPv6 extension headers have no fixed maximum size and can expand to accommodate all the extension data needed for IPv6 communication; a parser therefore has to bound the chain it is willing to walk.

Upper Layer Protocol Data Unit: The upper layer protocol data unit (PDU) usually consists of an upper layer protocol header and its payload (for example, an ICMPv6 message, a UDP message, or a TCP segment). The IPv6 packet payload is the combination of the IPv6 extension headers and the upper layer PDU. Normally, it can be up to 65,535 bytes long. Payloads greater than 65,535 bytes in length can be sent using the Jumbo Payload option in the Hop-by-Hop Options extension header (RFC 2675). Figure 3.17 shows the IPv6 header as defined in RFC 2460 (now RFC 8200).


Figure 3.17 The IPv6 header

The fields in the IPv6 header are:

Version: 4 bits, used to indicate the version of IP; set to 6.

Traffic Class: Indicates the class or priority of the IPv6 packet. The size of this field is 8 bits. The Traffic Class field provides functionality similar to the IPv4 Type of Service field. In RFC 2460, the values of the Traffic Class field are not defined; however, an IPv6 implementation is required to provide a means for an application layer protocol to specify the value of the Traffic Class field for experimentation. (RFC 2474 later defined the Differentiated Services Code Point in the upper 6 bits of this field, and RFC 3168 uses the lower 2 bits for ECN.)

Flow Label: Indicates that this packet belongs to a specific sequence of packets between a source and destination, requiring special handling by intermediate IPv6 routers. The size of this field is 20 bits. The Flow Label is used for non-default quality of service connections, such as those needed by real-time data (voice and video). For default router handling, the Flow Label is set to 0. There can be multiple flows between a source and destination, distinguished by separate non-zero Flow Labels.

Payload Length: Indicates the length of the IPv6 payload. The size of this field is 16 bits. The Payload Length field includes the extension headers and the upper layer PDU. With 16 bits, an IPv6 payload of up to 65,535 bytes can be indicated. For payload lengths greater than 65,535 bytes, the Payload Length field is set to 0 and the Jumbo Payload option is used in the Hop-by-Hop Options extension header.

Next Header: Indicates either the first extension header (if present) or the protocol in the upper layer PDU (such as TCP, UDP, or ICMPv6). The size of this field is 8 bits. When indicating an upper layer protocol above the Internet layer, the same values used in the IPv4 Protocol field are used here.

Hop Limit: Indicates the maximum number of links over which the IPv6 packet can travel before being discarded. The size of this field is 8 bits. The Hop Limit is similar to the IPv4 TTL field except that there is no historical relation to the amount of time (in seconds) that the packet is queued at a router. When a router would decrement the Hop Limit to 0, it discards the packet and sends an ICMPv6 Time Exceeded message to the source address.

Source Address: Stores the IPv6 address of the originating host. The size of this field is 128 bits.

Destination Address: Stores the IPv6 address of the current destination host. The size of this field is 128 bits. In most cases the Destination Address is set to the final destination address. However, if a Routing extension header is present, the Destination Address might be set to the next router interface in the source route list.

3.12.9 Values of the Next Header Field:

Value (decimal)   Header
0                 Hop-by-Hop Options Header
6                 TCP
17                UDP
41                Encapsulated IPv6 Header
43                Routing Header
44                Fragment Header
46                Resource ReSerVation Protocol (RSVP)
50                Encapsulating Security Payload (ESP)
51                Authentication Header (AH)
58                ICMPv6
59                No Next Header
60                Destination Options Header

Table 3.4 Values of the Next Header Field
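An added example (not code from the report) that ties together section 3.12 (Ethernet II encapsulation with EtherType 0x86DD), 3.12.8 (the fixed 40-byte header and extension headers) and 3.12.9 (Next Header values), and anticipates section 3.14: it builds an IPv6 packet carrying a Hop-by-Hop Options header and a UDP datagram inside an Ethernet II frame, then parses it back by walking the Next Header chain with a bound on chain length and strict length checks, the two things a firewall parser must get right. Because the IPv6 header has no checksum, the UDP checksum over the IPv6 pseudo-header is mandatory and is computed and verified here. The frame contents, MAC addresses and function names are mine; only the standard library is used.

```python
"""Build and parse an IPv6 packet inside an Ethernet II frame (sections 3.12,
3.12.8, 3.12.9 and 3.14). Added example, not from the report; the frame built
below is constructed. Standard library only."""
import ipaddress
import struct

ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_IPV4 = 0x0800
IPV6_HEADER = "!IHBB16s16s"   # ver/tc/flow, payload len, next header, hop limit, src, dst = 40 bytes
NEXT_HEADER = {0: "Hop-by-Hop Options", 6: "TCP", 17: "UDP", 41: "Encapsulated IPv6",
               43: "Routing", 44: "Fragment", 46: "RSVP", 50: "ESP", 51: "AH",
               58: "ICMPv6", 59: "No Next Header", 60: "Destination Options"}
CHAINED = {0, 43, 44, 60}      # extension headers this parser walks; AH/ESP end the walk


def _ones_complement(src, dst, next_header, data: bytes) -> int:
    """Checksum over the IPv6 pseudo-header (RFC 2460 section 8.1) plus data."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(data)) + b"\x00\x00\x00" + bytes([next_header]))
    buf = pseudo + data + (b"\x00" if len(data) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(buf) // 2), buf))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_checksum(src, dst, segment_with_zero_checksum: bytes) -> int:
    csum = _ones_complement(src, dst, 17, segment_with_zero_checksum)
    return csum or 0xFFFF          # 0 means "no checksum" in IPv4 and is illegal in IPv6


def udp_checksum_ok(src, dst, segment: bytes) -> bool:
    return _ones_complement(src, dst, 17, segment) == 0


def build_options_header(next_header: int, options: bytes) -> bytes:
    """Hop-by-Hop / Destination Options header: Next Header, Hdr Ext Len (in
    8-octet units, not counting the first 8), options padded with Pad1/PadN."""
    pad = (-(2 + len(options))) % 8
    if pad == 1:
        options += b"\x00"                                      # Pad1
    elif pad > 1:
        options += bytes([1, pad - 2]) + b"\x00" * (pad - 2)    # PadN
    return bytes([next_header, (2 + len(options)) // 8 - 1]) + options


def build_ipv6(src, dst, next_header, payload: bytes, hop_limit=64, traffic_class=0, flow_label=0) -> bytes:
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    return struct.pack(IPV6_HEADER, first_word, len(payload), next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + payload


def build_frame(dst_mac: str, src_mac: str, ipv6_packet: bytes) -> bytes:
    def mac(text):
        return bytes.fromhex(text.replace(":", ""))
    return struct.pack("!6s6sH", mac(dst_mac), mac(src_mac), ETHERTYPE_IPV6) + ipv6_packet


def parse_frame(frame: bytes, max_chain: int = 8) -> dict:
    """Parse Ethernet II + IPv6 and walk the Next Header chain to the upper-layer protocol."""
    if len(frame) < 14 + 40:
        raise ValueError("frame too short for Ethernet II + IPv6 header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV6:
        raise ValueError("EtherType 0x%04x is not IPv6" % ethertype)
    pkt = frame[14:]
    first_word, payload_len, nh, hop_limit, src, dst = struct.unpack(IPV6_HEADER, pkt[:40])
    if first_word >> 28 != 6:
        raise ValueError("version field is not 6")
    end = 40 + payload_len          # trust Payload Length, not the frame length (Ethernet pads)
    if len(pkt) < end:
        raise ValueError("payload length exceeds the bytes present (truncated packet)")
    chain, offset = [], 40
    while nh in CHAINED:
        if len(chain) >= max_chain:
            raise ValueError("extension header chain too long")
        if offset + 8 > end:
            raise ValueError("truncated extension header")
        ext_len = 8 if nh == 44 else (pkt[offset + 1] + 1) * 8   # Fragment header is a fixed 8 bytes
        if offset + ext_len > end:
            raise ValueError("extension header runs past the payload")
        chain.append(nh)
        nh, offset = pkt[offset], offset + ext_len
    return {"src": str(ipaddress.IPv6Address(src)), "dst": str(ipaddress.IPv6Address(dst)),
            "traffic_class": (first_word >> 20) & 0xFF, "flow_label": first_word & 0xFFFFF,
            "hop_limit": hop_limit, "payload_length": payload_len, "ext_chain": chain,
            "upper_layer": nh, "upper_layer_name": NEXT_HEADER.get(nh, "unknown"),
            "upper_layer_pdu": pkt[offset:end]}


def build_sample_frame() -> bytes:
    """Constructed: link-local host -> all-nodes multicast, Hop-by-Hop header with
    the Router Alert option (type 5, length 2, value 0 = MLD), then UDP."""
    src, dst = "fe80::2aa:ff:fe28:9c5a", "ff02::1"
    data = b"constructed sample payload"
    udp = struct.pack("!HHHH", 5353, 5353, 8 + len(data), 0) + data
    udp = udp[:6] + struct.pack("!H", udp_checksum(src, dst, udp)) + udp[8:]
    payload = build_options_header(17, bytes([5, 2, 0, 0])) + udp
    # Destination MAC is 33:33 + low 32 bits of ff02::1; source MAC is the EUI-64 origin of the interface ID.
    return build_frame("33:33:00:00:00:01", "00:aa:00:28:9c:5a", build_ipv6(src, dst, 0, payload, hop_limit=1))


if __name__ == "__main__":
    frame = build_sample_frame()
    parsed = parse_frame(frame)
    print({k: v for k, v in parsed.items() if k != "upper_layer_pdu"})
    print("udp checksum ok:", udp_checksum_ok(parsed["src"], parsed["dst"], parsed["upper_layer_pdu"]))
```

The parser stops at AH or ESP on purpose: their lengths follow different rules, and anything behind ESP is opaque anyway. A filtering device that cannot reach the upper-layer header should treat the packet as unclassifiable rather than guess.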

3.13 Comparing the ipv4 and ipv6 Headers:


IPv4 header field: Version
IPv6 equivalent: Same field, but with a different version number (6).

IPv4 header field: Internet Header Length
IPv6 equivalent: Removed in IPv6. IPv6 does not include a Header Length field because the IPv6 header is always a fixed size of 40 bytes. Each extension header is either a fixed size or indicates its own size.

IPv4 header field: Type of Service
IPv6 equivalent: Replaced by the IPv6 Traffic Class field.

IPv4 header field: Total Length
IPv6 equivalent: Replaced by the IPv6 Payload Length field, which only indicates the size of the payload.

IPv4 header field: Identification, Fragmentation Flags, Fragment Offset
IPv6 equivalent: Removed in IPv6. Fragmentation information is not included in the IPv6 header. It is contained in a Fragment extension header.

IPv4 header field: Time to Live
IPv6 equivalent: Replaced by the IPv6 Hop Limit field.

IPv4 header field: Protocol
IPv6 equivalent: Replaced by the IPv6 Next Header field.

IPv4 header field: Header Checksum
IPv6 equivalent: Removed in IPv6. In IPv6, bit-level error detection for the entire packet is left to the link layer (for example the Ethernet frame check sequence), and the upper-layer checksum, which covers an IPv6 pseudo-header, becomes mandatory; this is why a UDP checksum of zero is not permitted in IPv6.

IPv4 header field: Source Address
IPv6 equivalent: The field is the same except that IPv6 addresses are 128 bits in length.

IPv4 header field: Destination Address
IPv6 equivalent: The field is the same except that IPv6 addresses are 128 bits in length.

IPv4 header field: Options
IPv6 equivalent: Removed in IPv6. IPv4 options are replaced by IPv6 extension headers.

Table 3.5 IPv4 Header Fields and Corresponding IPv6 Equivalents

The one new field in the IPv6 header that is not included in the IPv4 header is the Flow Label field.

3.14 IPv6 Extension Headers:


The IPv4 header includes all options. Therefore, each intermediate router must check for their existence and process them when present. This can cause performance degradation in the forwarding of IPv4 packets. With IPv6, delivery and forwarding options are moved to extension headers. The only extension header that must be processed at each intermediate router is the Hop-by-Hop Options extension header. This increases IPv6 header processing speed and improves forwarding performance.

RFC 2460 defines the following IPv6 extension headers that must be supported by all IPv6 nodes:
- Hop-by-Hop Options header
- Destination Options header
- Routing header
- Fragment header
- Authentication header
- Encapsulating Security Payload header

In a typical IPv6 packet, no extension headers are present. If special handling is required by either the intermediate routers or the destination, one or more extension headers are added by the sending host.

Objectives: The objective of the IPv6 migration plan proposal is to conduct a detailed study of the network infrastructure and critical applications and prepare a report detailing:
- Roadmap
- Migration Approach
- Pilot project
- Test bed
- Timelines

In the migration plan, we will consider the implementation proposals that have minimal impact on day to day operations as well as additional costs. The work undertaken will involve:
- Studying the network and gathering information on network infrastructure, key network equipment, servers, appliances and computers,
- Gathering information on critical applications,
- Preparing a plan to migrate to a dual stack IPv4/IPv6 network with minimal impact on existing critical applications, and
- Preparing a set of strategies covering IT equipment acquisition, new critical applications, manpower resource planning and network policies to prepare for IPv6 compliance audits based on global standards.

3.14.1 Migration Approach:

Prior to IPv6 deployment, we will consider these factors in the organization's current environment:
- Inventory of current IPv4 addresses and time to address exhaustion.
- Identification of IPv4 assets including routers, applications, servers and hosts.
- Complexity of existing IPv4 networks.

The IPv4 to IPv6 migration planning focuses on identifying network assets and their interconnections, current IP addressing, and validating assumptions. It provides a starting point and initial road map followed by implementation in four distinct phases. Complete network visibility is of utmost importance throughout the migration process as each device as well as all networks in the enterprise must be identified. Once identified, a clear strategy can be formulated to ease this transition and assist IT personnel with the full scope of this endeavor.

3.14.2 Approach for Large Organization:

Large organizations would incur higher costs when compared with medium or small enterprises. The level of costs again depends on the existing network infrastructure, the existing level of network expertise, and the exposure to and understanding of IPv6 of the IT staff. Depending on the individual networks, some of the existing hardware equipment can be made IPv6 capable through software upgrades. To reap the full benefits of IPv6, most of the existing IPv4 based hardware and software has to be upgraded for IPv6. Hardware upgrades include high-end routers, switches, and firewalls, and software upgrades include server and desktop operating systems, server software, networked database software, business communications software and network application tools. An existing study says that the relative costs towards hardware and software expenditure would amount to 30%, and labor intensive IPv6 application development and training costs would incur the remaining 70% of the overall costs. Hardware and most of the software upgrade costs can be reduced over time if the upgrades are done as a part of the regular upgrade cycles.

3.14.3 Approach for Small to Medium Sized Organization:

The relative costs for a small to medium sized organization would also be high but slightly less than for a large organization. Much of the cost would be for their core network infrastructure, operations, and staff. Small to medium sized organizations that do not operate their own servers and network services will only need to upgrade their operating system, one or more routers and firewalls to be IPv6 enabled. These costs would be relatively low if the hardware and software upgrades are done through their regular upgrade cycles. Of the overall costs, 30% would be for hardware and software acquisitions and the remaining 70% would be for the necessary human resource development. As said earlier, much of the hardware and software upgrade costs can be reduced over time if the upgrades are done as a part of the regular upgrade cycles.

3.14.4 IPv6 Test bed:

A test bed has the benefit that it allows creation of a scaled version of the network in an isolated and controlled environment. It offers an insight into how introducing IPv6 will affect the existing network. Additionally, it allows technical and tech support personnel to apply all they have learned in the training in a safe environment without worrying about doing something adverse to the production network.

A well designed test bed should contain the following:

Flexibility: The lab must support different types of testing, i.e. of components, software versions and even hardware, to help us identify how comprehensive their support for IPv6 is.

Isolation: The lab is intended as a learning platform only and should not be connected in any way to the production network. We do not want any unintended traffic to traverse to the production network, causing potential mayhem.

Partnerships: Use the lab that is already available to aid agencies or departments you already have a relationship with, since it gives a win-win situation: you evaluate their services and products and at the same time provide the staff with much needed experience in supporting those services and products.

Interoperability: IPv6 offers a multitude of rich features, therefore it is wise to ensure different devices from different vendors work well with one another. Vendors tend to focus on being interoperable with their own range of products, so they might inadvertently miss certain functionalities with products by other vendors. It is best to verify claims of support from vendors using this test bed.

Network Infrastructure: The design of the lab must mimic your production network as closely as possible, and therefore it should include at least a core or edge router, switches (that may or may not support VLANs) and a firewall. If possible, having an IDS is also advised.

Operating Systems: As most environments are heterogeneous, it is best to make sure that different platforms are in use to communicate with one another. As of November 2008, all major Linux distributions meet the requirements of the US DoD IPv6 compliance mandate. Windows Vista has better support for IPv6 than Windows XP. The lab will allow us to consider the impact on each and every operating system being used in the network.

Services: We should be aware of any changes (if there are any) to the services we are accustomed to using, e.g. SSH, HTTP, SNMP.

3.15 IPv6 Training:


To get started with deploying IPv6 in any organization, it is best to start off with the network administrators who will be responsible for managing the organization's network. If possible it would also be beneficial to send the tech support personnel as well, since they will be dealing with end users who might encounter problems with IPv6 on their workstations. The training should cover:
a) Benefits of IPv6, especially to the organization concerned.
b) Technical specifications of IPv6.
c) Transition mechanisms available as well as their pros and cons.
d) Routing schemes and algorithms and how they differ from IPv4.
e) Security benefits, i.e. IPSec: its uses, benefits and how to set it up.
f) Security considerations of having both IPv4 and IPv6 on the network.
g) Understanding risks that may have crept into the upper layer protocols due to bugs introduced in them during the porting.

3.16 IPv6 Compliance and Certification:


It is also important to provide conformance services relating to the evaluation of products and verification that a specific product and version number has passed the IPv6 Compliance tests. The demand for such certification has increased substantially, and the IPv6 Roadmap should mandate that new procurement of ICT equipment be IPv6 compliant. Products are tested for conformance to the standards set by the IPv6 Forum. In the proposed joint working arrangement, the respective roles and responsibilities are as follows:

SOLUTION PROVIDER
- Provide startup consultancy to assist in setting up the Lab and offer IPv6 Compliance Services
- Training and knowledge transfer on IPv6 compliance
- Audits to maintain quality assurance
- Technical resource on IPv6 Ready matters
- Liaison with IPv6 Forum

ORGANIZATION
- Build the IPv6 Compliance Lab
- Conduct the routine Compliance services such as product evaluation and verification of the IPv6 test
- Certifying
- Listing of products that have successfully complied with IPv6 tests

Revenues (billings) and costs

The key objectives and benefits of these programs are to:
- Verify protocol implementation and validate interoperability of IPv6 products.
- Provide access to self-testing tools.
- Provide an IPv6 Compliance testing laboratory to the organization.

Auto configuration: Stateless autoconfiguration is performed in a number of steps. After initializing the physical interface, the IPv6 host:

1. Creates its link-local address (LLA) using the FE80::/10 prefix and its MAC address encoded in EUI-64 format, as shown in the figure below.

Figure 3.18 Link Local Address

2. Checks whether its LLA is unique using the duplicate address detection procedure.

3. Joins the all-nodes (all-hosts) multicast group FF02::1 using the Multicast Listener Discovery protocol (MLD), if it hasn't joined the group during the LLA duplicate address detection step. IPv6 hosts must use MLD to join IPv6 multicast groups to ensure that MLD-snooping L2 switches propagate L2 multicasts to all interested hosts.

4. Sends a router solicitation message (part of the Neighbor Discovery, ND, protocol) to the all-routers multicast group (FF02::2).

5. Receives router advertisement messages from all directly connected routers. The router(s) with the highest RA preference are used as the default gateways (default route: solved).

Figure 3.19 Router Advertisement

6. Collects all valid prefixes advertised by adjacent routers and creates a global IPv6 address within each advertised /64 IPv6 prefix, using either the EUI-64 format or a pseudo-random host ID as specified by RFC 4941.

7. Performs duplicate address detection for every generated global IPv6 address (interface IPv6 address: solved).

The router advertisement received during the autoconfiguration process might contain the managed address configuration flag (in which case the host uses DHCPv6 instead of stateless autoconfiguration) or the other configuration flag, which triggers an extra step: the IPv6 host sends a DHCPv6 information request to receive additional configuration information such as the DNS server IPv6 address, domain search list, or SIP server IPv6 address (DNS server: solved). The list of all registered DHCPv6 options is available on IANA's website.

Figure 3.20 DHCPv6 Reply
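The address derivation of the autoconfiguration steps above, as an added Python example that is not part of the report: it builds the modified EUI-64 interface ID from a MAC (universal/local bit flipped, FF:FE inserted), the FE80::/64 link-local address and a global address inside an RA-advertised /64, the solicited-node multicast group the host must join for Neighbor Discovery, and a simplified duplicate address detection check against a constructed list of addresses already present on the link. An EUI-64 interface ID exposes the MAC in every address the host forms, which is why the RFC 4941 random interface ID (universal/local bit cleared) is also shown. The MAC and prefixes used are constructed.

```python
import ipaddress
import secrets

# Well-known groups used in the autoconfiguration steps.
ALL_NODES, ALL_ROUTERS = "ff02::1", "ff02::2"


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: flip the universal/local bit of the
    first octet and insert FF:FE between the OUI and the device identifier."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def random_interface_id() -> bytes:
    """RFC 4941 style temporary interface ID: 64 random bits with the
    universal/local bit cleared so it cannot be mistaken for an EUI-64."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= ~0x02 & 0xFF
    return bytes(iid)


def address_from_prefix(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (link-local or one advertised in an RA) with an IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """Step 1: LLA from the FE80::/64 prefix and the EUI-64 interface ID."""
    return address_from_prefix("fe80::/64", eui64_interface_id(mac))


def solicited_node_group(addr: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx, the group a host joins (via MLD) so that Neighbor
    Solicitations for DAD and address resolution reach it."""
    return ipaddress.IPv6Address(b"\xff\x02" + bytes(9) + b"\x01\xff" + addr.packed[13:])


def duplicate_address_detection(tentative, addresses_on_link) -> bool:
    """Simplified DAD: the tentative address is usable only if no node on the
    link already answers for it. addresses_on_link is a constructed stand-in
    for the Neighbor Advertisements a real host would receive."""
    return tentative not in set(addresses_on_link)


def slaac(mac: str, advertised_prefixes, addresses_on_link=()) -> dict:
    """Run the autoconfiguration sequence for one interface and return the
    addresses it ends up with (None where DAD failed)."""
    lla = link_local_address(mac)
    result = {
        "link_local": lla if duplicate_address_detection(lla, addresses_on_link) else None,
        "solicited_node": solicited_node_group(lla),
        "global": [],
    }
    for prefix in advertised_prefixes:  # one global address per advertised /64
        candidate = address_from_prefix(prefix, eui64_interface_id(mac))
        if duplicate_address_detection(candidate, addresses_on_link):
            result["global"].append(candidate)
    return result
```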


CHAPTER-4 SOFTWARE DESCRIPTION


4.1 VPN BRANCH-1 CONFIG FOR IPSECURITY:
IPSec VPN Configuration

1. Configure the IP addresses as per the diagram.

2. Configure a default route towards the ISP network.
VPN-BRANCH1(config)#ip route 0.0.0.0 0.0.0.0 s0/0/0

3. Configure IKE Phase 1: configure the ISAKMP policy with the appropriate authentication, encryption and hash function. All of these have to match on the peer router too.
VPN-BRANCH1(config)#crypto ?
  dynamic-map  Specify a dynamic crypto map template
  ipsec        Configure IPSEC policy
  isakmp       Configure ISAKMP policy
  key          Long term key operations
  map          Enter a crypto map
VPN-BRANCH1(config)#crypto isakmp ?
  client  Set client configuration policy
  enable  Enable ISAKMP
  key     Set pre-shared key for remote peer
  policy  Set policy for an ISAKMP protection suite
VPN-BRANCH1(config)#crypto isakmp policy ?
  <1-10000>  Priority of protection suite
VPN-BRANCH1(config)#crypto isakmp policy 1
VPN-BRANCH1(config-isakmp)#authentication ?
  pre-share  Pre-Shared Key
VPN-BRANCH1(config-isakmp)#authentication pre-share
VPN-BRANCH1(config-isakmp)#encryption ?
  3des  Three key triple DES
  aes   AES - Advanced Encryption Standard
  des   DES - Data Encryption Standard (56 bit keys).
VPN-BRANCH1(config-isakmp)#encryption des
VPN-BRANCH1(config-isakmp)#hash ?
  md5  Message Digest 5
  sha  Secure Hash Standard
VPN-BRANCH1(config-isakmp)#hash sha
VPN-BRANCH1(config-isakmp)#group ?
  1  Diffie-Hellman group 1
  2  Diffie-Hellman group 2
  5  Diffie-Hellman group 5
VPN-BRANCH1(config-isakmp)#group 2
VPN-BRANCH1(config-isakmp)#ex

4. Configure the pre-shared IKE key for the peer router, whose address has to be mentioned. Take care that the key matches on both routers.
VPN-BRANCH1(config)#crypto isakmp ?
  client  Set client configuration policy
  enable  Enable ISAKMP
  key     Set pre-shared key for remote peer
  policy  Set policy for an ISAKMP protection suite
VPN-BRANCH1(config)#crypto isakmp key rttc123 ?
  address  define shared key with IP address
VPN-BRANCH1(config)#crypto isakmp key rttc123 address 71.0.0.2

5. Configure IKE Phase 2 (the IPSec policy): create a transform set with the encryption and hash function properties and the tunnel mode, which should match the peer. (In Packet Tracer there is no need to give the tunnel mode.)
VPN-BRANCH1(config)#crypto ipsec transform-set ?
  WORD  Transform set tag
VPN-BRANCH1(config)#crypto ipsec transform-set rttc ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes       ESP transform using AES cipher
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-sha-hmac  ESP transform using HMAC-SHA auth
VPN-BRANCH1(config)#crypto ipsec transform-set rttc esp-des ?
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-sha-hmac  ESP transform using HMAC-SHA auth
VPN-BRANCH1(config)#crypto ipsec transform-set rttc esp-des esp-sha-hmac
//VPN-BRANCH1(config)#mode tunnel//

6. Configure an access list to mark the interesting traffic that initiates the VPN connection.
VPN-BRANCH1(config)#access-list 100 permit ip 192.168.4.32 0.0.0.15 192.168.4.48 0.0.0.15

7. Create a crypto map to bind the interesting traffic to the transform set. This means that whenever interesting traffic originates, the VPN is initiated towards the mentioned peer using the properties from the mentioned transform set.
VPN-BRANCH1(config)#crypto map ?
  WORD  Crypto map tag
VPN-BRANCH1(config)#crypto map vpnmap ?
  <1-65535>  Sequence to insert into crypto map entry
  client     Specify client configuration settings
  isakmp     Specify isakmp configuration settings
VPN-BRANCH1(config)#crypto map vpnmap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
VPN-BRANCH1(config-crypto-map)#match address 100
VPN-BRANCH1(config-crypto-map)#set transform-set rttc
VPN-BRANCH1(config-crypto-map)#set peer 71.0.0.2
VPN-BRANCH1(config-crypto-map)#ex

8. Apply the crypto map to the serial interface.
VPN-BRANCH1(config)#interface serial 0/0/0
VPN-BRANCH1(config-if)#crypto map vpnmap
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
VPN-BRANCH1(config-if)#^Z
VPN-BRANCH1#
%SYS-5-CONFIG_I: Configured from console by console
wr
Building configuration...
[OK]
VPN-BRANCH1#

-----------------------------------------------------------------------------------------------
VERIFICATION COMMANDS
Ping from the Branch-1 LAN PC to the Branch-2 LAN PC and wait for the reply so that the tunnel is created.
VPN-BRANCH-1#show crypto isakmp sa
VPN-BRANCH-1#show crypto ipsec sa

4.2 VPN BRANCH-2 CONFIG FOR IPSECURITY:


IPSec VPN Configuration

1. Configure the IP addresses as per the diagram.

2. Configure a default route towards the ISP network.
VPN-BRANCH2#conf t
VPN-BRANCH2(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0

3. Configure IKE Phase 1: configure the ISAKMP policy with the appropriate authentication, encryption and hash function. All of these have to match on the peer router too.
VPN-BRANCH2(config)#crypto ?
  dynamic-map  Specify a dynamic crypto map template
  ipsec        Configure IPSEC policy
  isakmp       Configure ISAKMP policy
  key          Long term key operations
  map          Enter a crypto map
VPN-BRANCH2(config)#crypto isakmp policy 10
VPN-BRANCH2(config-isakmp)#authentication pre-share
VPN-BRANCH2(config-isakmp)#hash sha
VPN-BRANCH2(config-isakmp)#encryption des
VPN-BRANCH2(config-isakmp)#group 2
VPN-BRANCH2(config-isakmp)#ex

4. Configure the pre-shared IKE key for the peer router, whose address has to be mentioned. Take care that the key matches on both routers.
VPN-BRANCH2(config)#crypto isakmp key rttc123 address 61.0.0.1

5. Configure IKE Phase 2 (the IPSec policy): create a transform set with the encryption and hash function properties and the tunnel mode, which should match the peer. (In Packet Tracer there is no need to give the tunnel mode.)
VPN-BRANCH2(config)#crypto ipsec transform-set bsnl esp-des esp-sha-hmac
//VPN-BRANCH2(config)#mode tunnel//

6. Configure an access list to mark the interesting traffic that initiates the VPN connection.
VPN-BRANCH2(config)#access-list 110 permit ip 192.168.4.48 0.0.0.15 192.168.4.32 0.0.0.15

7. Create a crypto map to bind the interesting traffic to the transform set. This means that whenever interesting traffic originates, the VPN is initiated towards the mentioned peer using the properties from the mentioned transform set.
VPN-BRANCH2(config)#crypto map rttcmap ?
  <1-65535>  Sequence to insert into crypto map entry
  client     Specify client configuration settings
  isakmp     Specify isakmp configuration settings
VPN-BRANCH2(config)#crypto map rttcmap 5 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
VPN-BRANCH2(config-crypto-map)#match address 110
VPN-BRANCH2(config-crypto-map)#set transform-set bsnl
VPN-BRANCH2(config-crypto-map)#set peer 61.0.0.1
VPN-BRANCH2(config-crypto-map)#ex

8. Apply the crypto map to the serial interface.
VPN-BRANCH2(config)#interface serial 0/0/0
VPN-BRANCH2(config-if)#crypto map rttcmap
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
VPN-BRANCH2(config-if)#^Z
VPN-BRANCH2#
%SYS-5-CONFIG_I: Configured from console by console
wr
Building configuration...
[OK]
VPN-BRANCH2#

-----------------------------------------------------------------------------------------------
VERIFICATION COMMANDS
Ping from the Branch-2 LAN PC to the Branch-1 LAN PC and wait for the reply so that the tunnel is created.
VPN-BRANCH-2#show crypto isakmp sa
VPN-BRANCH-2#show crypto ipsec sa
-----------------------------------------------------------------------------------------------
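Sections 4.1 and 4.2 repeat that the ISAKMP policy, the pre-shared key, the transform set and the peer address must match on both routers, while the access lists must mirror each other. As an added Python example (not the project's code), the check below parses both branch configurations as transcribed from those sections and verifies exactly those properties, comparing policies by attributes rather than priority number (1 versus 10) and transform sets by content rather than name (rttc versus bsnl), since neither the priority nor the name has to agree between peers. It also flags single DES and DH group 2, which the lab uses and which fall short of current guidance.

```python
import re

# Transcribed from sections 4.1 and 4.2 (lab addresses and pre-shared key as
# printed there; the key is a lab value, not a secret). Added example code.
BRANCH1 = """crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash sha
 group 2
crypto isakmp key rttc123 address 71.0.0.2
crypto ipsec transform-set rttc esp-des esp-sha-hmac
access-list 100 permit ip 192.168.4.32 0.0.0.15 192.168.4.48 0.0.0.15
crypto map vpnmap 10 ipsec-isakmp
 match address 100
 set transform-set rttc
 set peer 71.0.0.2
"""
BRANCH2 = """crypto isakmp policy 10
 authentication pre-share
 hash sha
 encryption des
 group 2
crypto isakmp key rttc123 address 61.0.0.1
crypto ipsec transform-set bsnl esp-des esp-sha-hmac
access-list 110 permit ip 192.168.4.48 0.0.0.15 192.168.4.32 0.0.0.15
crypto map rttcmap 5 ipsec-isakmp
 match address 110
 set transform-set bsnl
 set peer 61.0.0.1
"""
# Algorithms that no longer meet current guidance (single DES, MD5, DH groups 1/2).
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}
ISAKMP_ATTRS = ("authentication", "encryption", "hash", "group")
MAP_LINE = re.compile(r"(match address|set transform-set|set peer) (\S+)$")


def parse_side(cfg: str) -> dict:
    """Extract the IKE/IPsec elements from one router's configuration."""
    s = {"policies": {}, "keys": {}, "tsets": {}, "acls": {}, "maps": {}}
    ctx = None  # (section, name) of the sub-mode the current line belongs to
    for line in (l.strip() for l in cfg.splitlines() if l.strip()):
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            ctx = ("policies", m[1]); s["policies"][m[1]] = {}
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)$", line):
            ctx = None; s["keys"][m[2]] = m[1]
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            ctx = None; s["tsets"][m[1]] = frozenset(m[2].split())
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            ctx = None; s["acls"].setdefault(m[1], []).append(m.groups()[1:])
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", line):
            ctx = ("maps", m[1]); s["maps"][m[1]] = {}
        elif ctx and ctx[0] == "policies":
            k, _, v = line.partition(" "); s["policies"][ctx[1]][k] = v
        elif ctx and ctx[0] == "maps" and (m := MAP_LINE.match(line)):
            s["maps"][ctx[1]][m[1]] = m[2]
    return s


def check_pair(cfg_a: str, cfg_b: str) -> list:
    """Return findings for a pair of peers; an empty list means the two sides
    are consistent and use nothing on the WEAK lists."""
    a, b, out = parse_side(cfg_a), parse_side(cfg_b), []
    # IKE phase 1: priorities (1 vs 10) may differ; the attribute sets must match.
    pa = {tuple(p.get(k) for k in ISAKMP_ATTRS) for p in a["policies"].values()}
    pb = {tuple(p.get(k) for k in ISAKMP_ATTRS) for p in b["policies"].values()}
    if not pa & pb:
        out.append("MISMATCH isakmp: no policy with equal auth/enc/hash/group on both peers")
    for side, s, o in (("A", a, b), ("B", b, a)):
        for p in s["policies"].values():
            for attr, bad in WEAK.items():
                if p.get(attr) in bad:
                    out.append(f"WEAK {side} isakmp {attr} {p[attr]}")
        for name, mp in s["maps"].items():
            peer, ts, acl = mp.get("set peer"), mp.get("set transform-set"), mp.get("match address")
            if peer not in s["keys"]:
                out.append(f"MISSING {side} map {name}: no pre-shared key for peer {peer}")
            elif s["keys"][peer] not in o["keys"].values():
                out.append(f"MISMATCH psk: {side} key for {peer} differs from the other side")
            # Transform-set names (rttc vs bsnl) are local; compare the transforms.
            if s["tsets"].get(ts) not in o["tsets"].values():
                out.append(f"MISMATCH transform-set {ts} on {side} has no equal set on the other side")
            out += [f"WEAK {side} transform {t}" for t in sorted(s["tsets"].get(ts, ())) if t in WEAK_TRANSFORMS]
            # The peer's ACL must be the mirror image (its source is our destination).
            mirrored = {(d, dw, src, sw) for (src, sw, d, dw) in s["acls"].get(acl, [])}
            other = {ace for aces in o["acls"].values() for ace in aces}
            if not mirrored or not mirrored <= other:
                out.append(f"MISMATCH acl {acl} on {side} is not mirrored on the other side")
    return out
```

For the two configurations as printed, the only findings are the WEAK entries for DES and group 2; changing one attribute, the key or a wildcard on one side produces the corresponding MISMATCH.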


CHAPTER-5 RESULT ANALYSIS


System Specifications:
Router power supply: AC 170 watts
Internet Protocol Version 4 (IPv4) address: 64 bits
Internet Protocol Version 6 (IPv6) address: 128 bits
Source to destination minimum time: 78 ms
Source to destination maximum time: 125 ms
Source to destination average time: 113 ms
Source address: 192.168.4.50
Destination address: 192.168.1.33

A secure network starts with a strong security policy that defines the freedom of access to information and dictates the deployment of security in the network. IPsec delivers a key technology component for providing a total security solution. IPsec offers privacy, integrity, and authenticity for transmitting sensitive information over the Internet, which traditional networks lack. We can simulate the network in software named Cisco Packet Tracer.

Figure 5.1 Screenshot of sample network



The above figure shows a network between two branches connected by the internet. Steps for configuration:

- Configure the ISAKMP policy with the appropriate authentication, encryption and hash function.
- Configure the pre-shared IKE key for the peer router, whose address has to be mentioned.
- Configure the IPSec policy: create a transform set with the encryption and hash function properties and the tunnel mode, which should match the peer.
- Configure an access list to mark the interesting traffic that initiates the VPN connection.
- Create a crypto map to bind the interesting traffic to the transform set.
- Apply the crypto map to the serial interface.


Figure 5.2 Router Command line interface I

For the ISAKMP policy, authentication, encryption, hashing algorithm and Diffie-Hellman group we chose policy 10, pre-shared key, DES, SHA and group 2.


Implementation of IP sec VPN's & its configuration on ISP network

Figure 5.3 Router Command line interface II

Configuring the PCs' IP addresses at different ports of the switch. To establish the connection between the two routers, assign the IP address of one router on the serial port of the other router and vice versa.


To maintain a one-to-one relationship, encapsulate with the Point-to-Point Protocol (PPP).

We can verify the network in three steps:
1. show crypto isakmp sa: This command shows the Internet Security Association and Key Management Protocol (ISAKMP) security associations (SAs) built between peers.
2. Ping from the Branch-1 LAN PC to the Branch-2 LAN PC and wait for the reply so that the tunnel is created.
3. show crypto ipsec sa: verifying the IPsec SAs between peers. This command shows the IPsec security associations built between peers. In this network, an encrypted tunnel is built between 71.0.0.2 and 61.0.0.1 for traffic that goes between networks 192.168.4.48 and 192.168.4.32, and the command then displays information about all our security associations (SAs).

Figure 5.4 verifying ipsec sa between peers



Similarly we can repeat the process from destination router to source router. Command Prompt of a pc:

Figure 5.5 Command Prompt of a PC

connections between all the devices. used to check the connection in the particular line.


ADVANTAGES & DISADVANTAGES

Advantages:
1. Universality - IPSec is an international standard because of the flexibility and power of IP. It can provide security and communicate with a variety of different networks from around the world.
2. Scalability - Through IP, IPSec can be applied in networks of all sizes, from LANs to global networks.
3. Network Layer Security - Because IPSec functions at a low network level, factors such as users, applications, lower level data carrying protocols, and transport technology will not affect its performance.
4. Application Independence - IPSec is not limited to specific applications. There is no way to predict what applications will traverse a network; however, it is guaranteed that they will be routed with IP, making them IPSec compatible.

Disadvantages:
1. Small Packets - When transmitting small packets, the encryption process of IPSec generates a large overhead. This diminishes the performance of the network.
2. Complexity - Because IPSec has a great number of features and options, it is very complex. Complexity increases the probability of the presence of a weakness or hole. For example, IPSec is weak against replay attacks.
3. Firewall - The implementation of IPSec defeats the purpose of a firewall. This is because firewalls inspect traffic against preconfigured rules, and IPSec encrypts that traffic so the rules cannot be applied to it. This problem, however, can be avoided if the firewall is used along with the IPSec gateway, where the traffic is decrypted.


APPLICATIONS
1. Establishment of extranet and intranet connectivity with partners.
2. Encryption or authentication of all traffic at the IP level.
3. Enhancement of electronic commerce security.


CONCLUSIONS
The project "Implementation of IP sec VPN's & its configuration on ISP network" has been successfully designed and tested. It has been developed by integrating features of the software used. The presence of every module has been reasoned out and used carefully, thus contributing to the best working of the unit. Secondly, using highly advanced protocols and with the help of growing technology, the project has been successfully implemented. The TCP/IP protocol works by exchanging packets/frames, usually no larger than 1500 bytes. Within a frame, there's a header and a payload. The payload contains the information we're actually transmitting; the header contains all the information related to the protocol, including the source and destination IP address. Since IPv4 uses 32 bit addressing, the IPv4 TCP/IP protocol only reserves 32 bits for it. This means there is no space for the 128 bits of IPv6. In other words, if a computer tried to talk IPv6 within the same protocol where the receiving computer expects IPv4, all the information would be displaced by 96 bits and there'd be no way they'd understand each other.


FUTURE SCOPE
The performance of the network can be increased by decreasing the size of the overhead during the encryption process of IPSec while transmitting small packets. The implementation of IPSec defeats the purpose of a firewall, because firewalls inspect traffic against preconfigured rules and IPSec encrypts that traffic. This problem, however, can be avoided if the firewall is used along with the IPSec gateway, where the traffic is decrypted. Currently, standard IPsec does not provide support for multiprotocol and IP multicast traffic. Support for multiprotocol and IP multicast traffic can be provisioned using Generic Routing Encapsulation (GRE) tunnels.


