
RAID — which stands for Redundant Array of Inexpensive Disks [1], or alternatively
Redundant Array of Independent Disks (a less specific name, and thus now the
generally accepted one[2]) — is a technology that employs the simultaneous use of two or
more hard disk drives to achieve greater levels of performance, reliability, and/or larger
data volume sizes.

"RAID" is now used as an umbrella term for computer data storage schemes that can
divide and replicate data among multiple hard disk drives. RAID's various designs all
involve two key design goals: increased data reliability and increased input/output
performance. When several physical disks are set up to use RAID technology, they are
said to be in a RAID array. This array distributes data across several disks, but the array is
seen by the computer user and operating system as one single disk. RAID can be set up to
serve several different purposes.

Some arrays are "redundant": they write extra data derived from the original data across
the array, organized so that the failure of one (sometimes more) disks in the array will not
result in loss of data. The bad disk is replaced by a new one, and the data that was on it is
reconstructed from the remaining data and the extra data. The price of redundancy is
capacity: a 2-disk RAID 1 array loses half of the total capacity that would have otherwise
been available using both disks independently, and a RAID 5 array with several disks loses
the capacity of one disk.

Other RAID arrays are arranged so that they are faster to write to and read from than a
single disk.

There are various combinations of these approaches giving different trade offs of
protection against data loss, capacity, and speed. RAID levels 0, 1, and 5 are the most
commonly found, and cover most requirements.

• RAID 0 (striped disks) distributes data across several disks in a way that gives
improved speed and full capacity, but all data on all disks will be lost if any one
disk fails.

• RAID 1 (mirrored disks) is sometimes loosely described as a backup solution, although it
is not one (see below): two (possibly more) disks each store the same data, so that data is
not lost as long as one disk survives. Total capacity of the array is just the capacity of a
single disk. The failure of one drive, whether through a hardware or software malfunction,
does not by itself increase the chance of failure or decrease the reliability of the remaining
drives (second, third, etc.), although drives of the same age and workload do tend to fail
close together (see "Correlated failures" below).

• RAID 5 (striped disks with parity) combines three or more disks in a way that
protects data against loss of any one disk; the storage capacity of the array is
reduced by one disk.

• RAID 6 (less common) can recover from the loss of two disks.
• RAID 10 (or 1+0) uses both striping and mirroring.

RAID involves significant computation when reading and writing information. With true
RAID hardware the controller does all of this computation work. In other cases the
operating system or simpler and less expensive controllers require the host computer's
processor to do the computing, which reduces the computer's performance on processor-
intensive tasks (see "Software RAID" and "Fake RAID" below). Simpler RAID
controllers may provide only levels 0 and 1, which require less processing.

RAID systems with redundancy continue working without interruption when one, or
sometimes more, disks of the array fail, although they are vulnerable to further failures.
When the bad disk is replaced by a new one the array is rebuilt while the system
continues to operate normally. Some systems have to be shut down when removing or
adding a drive; others support hot swapping, allowing drives to be replaced without
powering down. RAID with hot-swap drives is often used in high availability systems,
where it is important that the system keeps running as much of the time as possible.

RAID is not a good alternative to backing up data. Data may become damaged or
destroyed without harm to the drive(s) on which it is stored. For example, part of the data
may be overwritten by a system malfunction; a file may be damaged or deleted by user
error or malice and not noticed for days or weeks; and of course the entire array is at risk
of catastrophes such as theft, flood, and fire.

Principles
RAID combines two or more physical hard disks into a single logical unit by using either
special hardware or software. Hardware solutions often are designed to present
themselves to the attached system as a single hard drive, and the operating system is
unaware of the technical workings. Software solutions are typically implemented in the
operating system, and again would present the RAID drive as a single drive to
applications.

There are three key concepts in RAID: mirroring, the copying of data to more than one
disk; striping, the splitting of data across more than one disk; and error correction, where
redundant data is stored to allow problems to be detected and possibly fixed (known as
fault tolerance). Different RAID levels use one or more of these techniques, depending
on the system requirements. The main aims of using RAID are to improve reliability,
important for protecting information that is critical to a business, for example a database
of customer orders; or to improve speed, for example a system that delivers video on
demand TV programs to many viewers.

The configuration affects reliability and performance in different ways. The problem with
using more disks is that it is more likely that one will go wrong, but by using error
checking the total system can be made more reliable by being able to survive and repair
the failure. Basic mirroring can speed up reading data as a system can read different data
from both the disks, but it may be slow for writing if the configuration requires that both
disks must confirm that the data is correctly written. Striping is often used for
performance, where it allows sequences of data to be read from multiple disks at the same
time. Error checking typically will slow the system down as data needs to be read from
several places and compared. The design of RAID systems is therefore a compromise and
understanding the requirements of a system is important. Modern disk arrays typically
provide the facility to select the appropriate RAID configuration. PC Format Magazine
claims that "in all our real-world tests, the difference between the single drive
performance and the dual-drive RAID 0 striped setup was virtually non-existent. And in
fact, the single drive was ever-so-slightly faster than the other setups, including the RAID
5 system that we'd hoped would offer the perfect combination of performance and data
redundancy"[3].

Standard levels

A number of standard schemes have evolved which are referred to as levels. There were
five RAID levels originally conceived, but many more variations have evolved, notably
several nested levels and many non-standard levels (mostly proprietary).

Following is a brief summary of the most commonly used RAID levels.[4]

RAID 0 (minimum 2 disks)
    "Striped set without parity" or "Striping". Provides improved performance and
    additional storage but no fault tolerance. When data is written to a RAID 0 array it is
    broken into fragments, one per disk, and the fragments are written to their respective
    disks simultaneously at the same offset. This allows the parts of a large chunk of data to
    be read from the drives in parallel, giving this type of arrangement very high bandwidth.
    RAID 0 implements no redundancy, so any disk failure destroys the entire array and any
    error is unrecoverable; more disks in the array means higher bandwidth, but a greater
    risk of data loss, since a failure becomes more likely with every disk added.

RAID 1 (minimum 2 disks)
    "Mirrored set without parity" or "Mirroring". Provides fault tolerance from disk errors
    and from the failure of all but one of the drives. Read performance increases when the
    operating system supports split seeks (serving different reads from different mirrors);
    there is a very small performance reduction when writing. The array continues to operate
    so long as at least one drive is functioning. Using RAID 1 with a separate controller for
    each disk is sometimes called duplexing.

RAID 2 (minimum 3 disks)
    Hamming code parity. Disks are synchronised and striped in very small stripes, often
    single bytes or words. Hamming-code error correction is calculated across corresponding
    bits on the data disks and stored on multiple parity disks.

RAID 3 (minimum 3 disks)
    Striped set with dedicated parity, also called bit-interleaved parity or byte-level parity.
    Provides improved performance and fault tolerance similar to RAID 5, but with a
    dedicated parity disk rather than rotated parity stripes. The single parity disk is a
    bottleneck for writing, since every write requires updating the parity disk. One minor
    benefit of the dedicated parity disk is that if the parity drive itself fails, operation
    continues without parity and without a performance penalty.

RAID 4 (minimum 3 disks)
    Block-level parity. Identical to RAID 3, but with block-level rather than byte-level
    striping, so files can be distributed between multiple disks and each disk operates
    independently, allowing I/O requests to be performed in parallel. Data transfer speeds
    can still suffer because every write must update the single dedicated parity disk, which
    holds the parity for the whole array.

RAID 5 (minimum 3 disks)
    Striped set with distributed parity, or interleave parity. All drives but one must be
    present for the array to operate; a failed drive requires replacement, but the array is not
    destroyed by a single drive failure. After a drive fails, any subsequent reads of its data
    are calculated from the distributed parity so that the failure is masked from the end user.
    The array loses data if a second drive fails, and is vulnerable until the data that was on
    the failed drive has been rebuilt onto a replacement drive.

RAID 6 (minimum 4 disks)
    Striped set with dual distributed parity. Provides fault tolerance from two drive failures;
    the array continues to operate with up to two failed drives. This makes larger RAID
    groups more practical, especially for high-availability systems, and matters increasingly
    because large-capacity drives lengthen the time needed to recover from the failure of a
    single drive. Single-parity RAID levels are vulnerable to data loss until the failed drive is
    rebuilt: the larger the drive, the longer the rebuild will take. Dual parity gives time to
    rebuild the array without the data being at risk if one further drive, but no more, fails
    before the rebuild is complete. RAID 6 is sometimes referred to as Advanced Data
    Guarding (ADG).
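The parity mechanism behind RAID 5 in the list above, as an added worked example (not code from the original article): a toy block-level layout with parity rotating across the disks, reconstruction of a single lost disk by XOR, and the failure to recover when two disks are lost. The disk count, the 4-byte chunk size and the rotation rule are assumptions chosen to keep the layout visible; real controllers use chunks of tens of kilobytes.

```python
"""Toy RAID 5: block-level striping with rotating (left-symmetric) parity.
Added example, not from the article. Chunk size and disk count are assumptions."""
import functools
import operator
from typing import List, Optional

CHUNK = 4  # bytes per chunk; tiny so the layout stays readable (real: 64 KiB+)


def xor_blocks(blocks: List[bytes]) -> bytes:
    """Bytewise XOR of equal-length chunks; this is all the parity RAID 5 needs."""
    return bytes(functools.reduce(operator.xor, col) for col in zip(*blocks))


def parity_disk(stripe: int, n_disks: int) -> int:
    """Parity moves one disk to the left on each successive stripe, so no
    single disk becomes the write bottleneck that RAID 3 and 4 suffer from."""
    return (n_disks - 1 - stripe) % n_disks


def raid5_write(data: bytes, n_disks: int) -> List[List[bytes]]:
    """Lay `data` out over n_disks. Returns disks[d][s] = chunk on disk d, stripe s."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = (n_disks - 1) * CHUNK
    data = data + b"\0" * ((-len(data)) % per_stripe)  # pad the last stripe
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for s in range(len(data) // per_stripe):
        row = data[s * per_stripe:(s + 1) * per_stripe]
        chunks = [row[i:i + CHUNK] for i in range(0, per_stripe, CHUNK)]
        p = parity_disk(s, n_disks)
        it = iter(chunks)
        for d in range(n_disks):
            disks[d].append(xor_blocks(chunks) if d == p else next(it))
    return disks


def raid5_read(disks: List[Optional[List[bytes]]]) -> Optional[bytes]:
    """Read the whole logical volume. A failed disk is passed as None.
    One missing disk is reconstructed in degraded mode; two means data loss."""
    n = len(disks)
    missing = [d for d, disk in enumerate(disks) if disk is None]
    if len(missing) > 1:
        return None  # one parity chunk per stripe: two losses are unrecoverable
    n_stripes = len(next(disk for disk in disks if disk is not None))
    out = bytearray()
    for s in range(n_stripes):
        row = [disks[d][s] if disks[d] is not None else b"" for d in range(n)]
        if missing:
            # Every chunk in a stripe XORs to zero, so the lost chunk (data
            # or parity alike) is the XOR of all the surviving ones.
            row[missing[0]] = xor_blocks([c for c in row if c])
        p = parity_disk(s, n)
        out += b"".join(c for d, c in enumerate(row) if d != p)
    return bytes(out)


if __name__ == "__main__":
    payload = b"RAID5 toy stripe data!!!"
    array = raid5_write(payload, 4)
    for d, disk in enumerate(array):
        print(f"disk {d}: {[c.hex() for c in disk]}")
    print("degraded read ok:", raid5_read([array[0], None, array[2], array[3]]) == payload)
    print("two disks lost  :", raid5_read([array[0], None, None, array[3]]))
```

Printing the per-disk hex shows the parity chunk landing on a different disk in each stripe, which is the difference between RAID 5 and RAID 4; the degraded read shows why a single failure is masked from the user, and the None on a double failure is the data-loss case the table describes.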

Nested levels

Many storage controllers allow RAID levels to be nested: the elements of a RAID may be
either individual disks or RAIDs themselves. Nesting more than two deep is unusual.

As there is no basic RAID level numbered larger than 9, nested RAIDs are usually
unambiguously described by concatenating the numbers indicating the RAID levels,
sometimes with a "+" in between, reading from the bottom layer up. For example, RAID 10
(or RAID 1+0) consists of several level 1 arrays of physical drives, each of which is one of
the "drives" of a level 0 array striped over the level 1 arrays. It is not written "RAID 01":
that would be mistaken for RAID 1, and RAID 0+1 (striped sets that are then mirrored) is a
different arrangement. When the top array is a RAID 0 (such as in RAID 10 and RAID 50)
most vendors omit the "+", though RAID 5+0 is clearer.

• RAID 0+1: striped sets in a mirrored set (minimum four disks; even number of
disks) provides fault tolerance and improved performance but increases
complexity. The key difference from RAID 1+0 is that RAID 0+1 creates a
second striped set to mirror a primary striped set. The array continues to operate
with one or more drives failed in the same mirror set, but if drives fail on both
sides of the mirror the data on the RAID system is lost.

• RAID 1+0: mirrored sets in a striped set (minimum four disks; even number of
disks) provides fault tolerance and improved performance but increases
complexity. The key difference from RAID 0+1 is that RAID 1+0 creates a
striped set from a series of mirrored drives. In a failed disk situation, RAID 1+0
performs better because all the remaining disks continue to be used. The array can
sustain multiple drive losses so long as no mirror loses all its drives.

• RAID 5+0: stripe across distributed parity RAID systems.
• RAID 5+1: mirror striped set with distributed parity (some manufacturers label
this as RAID 53).

Non-standard levels

Many configurations other than the basic numbered RAID levels are possible, and many
companies, organizations, and groups have created their own non-standard
configurations, in many cases designed to meet the specialised needs of a small niche
group. Most of these non-standard RAID levels are proprietary.

Some of the more prominent modifications are:

• Storage Computer Corporation uses RAID 7, which adds caching to RAID 3 and
RAID 4 to improve I/O performance.
• EMC Corporation offered RAID S as an alternative to RAID 5 on their Symmetrix
systems (which is no longer supported on the latest releases of Enginuity, the
Symmetrix's operating system).
• The ZFS filesystem, available in Solaris, OpenSolaris, FreeBSD and Mac OS X,
offers RAID-Z, which solves RAID 5's write hole problem.
• NetApp's Data ONTAP uses RAID-DP (also referred to as "double", "dual" or
"diagonal" parity), which is a form of RAID 6, but unlike many RAID 6
implementations, does not use distributed parity as in RAID 5. Instead, two
unique parity disks with separate parity calculations are used. This is a
modification of RAID 4 with an extra parity disk.
• Accusys Triple Parity (RAID TP) implements three independent parities by
extending RAID 6 algorithms on its FC-SATA and SCSI-SATA RAID controllers
to tolerate three-disk failure.
• Linux MD RAID10 (RAID10) implements a general RAID driver that defaults to
a standard RAID 1+0 with 4 drives, but can have any number of drives. MD
RAID10 can run striped and mirrored with only 2 drives with the f2 layout
(mirroring with striped reads, normal Linux software RAID 1 does not stripe
reads, but can read in parallel) [5].
• Infrant (Now part of Netgear) X-RAID offers dynamic expansion of a RAID5
volume without having to backup/restore the existing content. Just add larger
drives one at a time, let it resync, then add the next drive until all drives are
installed. The resulting volume capacity is increased without user downtime.
• BeyondRAID created by Data Robotics and used in the Drobo series of products,
implements both mirroring and striping simultaneously or individually dependent
on disk and data context. BeyondRAID is more automated and easier to use than
many standard RAID levels. It also offers instant expandability without
reconfiguration, the ability to mix and match drive sizes and the ability to reorder
disks. It is a block-level system and thus file system agnostic although today
support is limited to NTFS, HFS+, FAT32, and EXT3. It also utilizes thin
provisioning to allow for single volumes up to 16TB depending on the host
operating system support.

Implementations

The distribution of data across multiple drives can be managed either by dedicated
hardware or by software. When done in software the software may be part of the
operating system or it may be part of the firmware and drivers supplied with the card.

Operating system based ("software RAID")

Software implementations are now provided by many operating systems. A software
layer sits above the (generally block-based) disk device drivers and provides an
abstraction layer between the logical drives (RAIDs) and physical drives. The most
commonly supported levels are RAID 0 (striping across multiple drives for increased space
and performance) and RAID 1 (mirroring two drives), followed by RAID 1+0, RAID 0+1,
and RAID 5 (data striping with parity).

Microsoft's server operating systems support 3 RAID levels; RAID 0, RAID 1, and RAID
5. Some of the Microsoft desktop operating systems support RAID such as Windows XP
Professional which supports RAID level 0 in addition to spanning multiple disks but only
if using dynamic disks and volumes.

Apple's Mac OS X Server supports RAID 0, RAID 1, and RAID 1+0.[6]

FreeBSD supports RAID 0, RAID 1, RAID 3, and RAID 5.

NetBSD supports RAID 0, RAID 1, RAID 4 and RAID 5 (and any nested combination of
those like 1+0) via its software implementation, named raidframe.

OpenSolaris and Solaris 10 support RAID 0, RAID 1, RAID 5, and RAID 6 (and any
nested combination of those like 1+0) via ZFS, and can now boot from a ZFS volume on
x86. Through SVM, Solaris 10 and earlier versions support RAID 0, RAID 1, and RAID 5
on both system and data drives.

The software must run on a host server attached to storage, and the server's processor must
dedicate processing time to run the RAID software. This is negligible for RAID 0 and
RAID 1, but may be significant for more complex parity-based schemes. Furthermore all
the busses between the processor and the disk controller must carry the extra data
required by RAID, which may cause congestion.

Another concern with operating system-based RAID is the boot process: it can be
difficult or impossible to set up the boot process such that it can fail over to another drive
if the usual boot drive fails, so such systems can require manual intervention to make the
machine bootable again after a failure. Finally, operating system-based RAID usually uses
formats specific to the operating system in question, so it cannot generally be used for
partitions that are shared between operating systems as part of a multi-boot setup.

Most operating system-based implementations allow RAIDs to be created from partitions
rather than entire physical drives. For instance, an administrator could divide an odd
number of disks into two partitions per disk, mirror partitions across disks and stripe a
volume across the mirrored partitions to emulate a RAID 1E configuration.
Using partitions in this way also allows mixing reliability levels on the same set of disks.
For example, one could have a very robust RAID-1 partition for important files, and a
less robust RAID-5 or RAID-0 partition for less important data. (Some controllers offer
similar features, e.g. Intel Matrix RAID.) Using two partitions on the same drive in the
same RAID is, however, dangerous. If, for example, a RAID 5 array is composed of four
drives 250 + 250 + 250 + 500 GB, with the 500-GB drive split into two 250 GB
partitions, a failure of this drive will remove two partitions from the array, causing all of
the data held on it to be lost.
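A check for the partition hazard described in the last paragraph, as an added example (not from the article or from the mdadm project): it parses /proc/mdstat-style output and reports any array whose members sit on the same physical disk. The /proc/mdstat text below is constructed for the example, and the device-naming rules cover only the common sdX/hdX, nvme and mmcblk patterns.

```python
"""Flag Linux MD arrays whose members share a physical disk (added example, not
from the article or the mdadm project). The /proc/mdstat text is constructed."""
import re
from typing import Dict, List

SAMPLE_MDSTAT = """\
Personalities : [raid1] [raid5]
md0 : active raid5 sdd2[3] sdd1[2] sdc1[1] sdb1[0]
      732574464 blocks level 5, 64k chunk, algorithm 2 [4/4] [UUUU]
md1 : active raid1 nvme0n1p2[1] nvme1n1p2[0]
      499712 blocks [2/2] [UU]
unused devices: <none>
"""

ARRAY_RE = re.compile(r"^(md\d+)\s*:\s*\w+\s+(raid\w+|linear|multipath)\s+(.*)$")
MEMBER_RE = re.compile(r"([\w/]+)\[\d+\]")  # sdd2[3], or sdd2[3](F) for a failed member


def parent_disk(dev: str) -> str:
    """Map a member name to its whole-disk name: sdd2 -> sdd, sda -> sda,
    nvme0n1p2 -> nvme0n1, nvme0n1 -> nvme0n1, mmcblk0p1 -> mmcblk0."""
    m = re.fullmatch(r"((?:nvme|mmcblk)\d+(?:n\d+)?)(?:p\d+)?", dev)
    if m:
        return m.group(1)
    return re.sub(r"\d+$", "", dev)


def parse_mdstat(text: str) -> Dict[str, List[str]]:
    """Return {array_name: [member device names]} from /proc/mdstat text."""
    arrays: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = ARRAY_RE.match(line)
        if m:
            arrays[m.group(1)] = MEMBER_RE.findall(m.group(3))
    return arrays


def shared_disks(arrays: Dict[str, List[str]]) -> Dict[str, Dict[str, List[str]]]:
    """For each array, list disks that back more than one member. One such
    disk failing removes several members at once, which a single-parity
    array cannot survive."""
    findings: Dict[str, Dict[str, List[str]]] = {}
    for md, members in arrays.items():
        by_disk: Dict[str, List[str]] = {}
        for member in members:
            by_disk.setdefault(parent_disk(member), []).append(member)
        dup = {disk: ms for disk, ms in by_disk.items() if len(ms) > 1}
        if dup:
            findings[md] = dup
    return findings


if __name__ == "__main__":
    # On a real host read open("/proc/mdstat").read() instead of the sample text.
    for md, dup in shared_disks(parse_mdstat(SAMPLE_MDSTAT)).items():
        for disk, members in dup.items():
            print(f"{md}: members {members} all live on /dev/{disk}")
```

On the sample, md0 is flagged because sdd1 and sdd2 are both members of the RAID 5 set, exactly the 250 + 250 + 250 + 500 GB layout above; md1 passes because its two partitions live on different NVMe devices.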

Hardware-based

Hardware RAID controllers use different, proprietary disk layouts, so it is not usually
possible to span controllers from different manufacturers. They do not require processor
resources, the BIOS can boot from them, and tighter integration with the device driver
may offer better error handling.

A hardware implementation of RAID requires at least a special-purpose RAID controller.
On a desktop system this may be a PCI expansion card, PCI-e expansion card or built
into the motherboard. Controllers supporting most types of drive may be used -
IDE/ATA, SATA, SCSI, SSA, Fibre Channel, sometimes even a combination. The
controller and disks may be in a stand-alone disk enclosure, rather than inside a
computer. The enclosure may be directly attached to a computer, or connected via SAN.
The controller hardware handles the management of the drives, and performs any parity
calculations required by the chosen RAID level.

Most hardware implementations provide a read/write cache, which, depending on the I/O
workload, will improve performance. In most systems the write cache is protected against
power loss (typically battery-backed), so pending writes are not lost on a power failure;
see "Write cache reliability" below for the ways this protection can still fail.

Hardware implementations provide predictable performance, add no overhead to the local
CPU complex and can support many operating systems, as the controller simply presents
a logical disk to the operating system. Hardware implementations also typically support
hot swapping, allowing failed drives to be replaced while the system is running.

Firmware/driver-based RAID

Operating system-based RAID cannot easily be used to protect the boot process and is
generally impractical on desktop versions of Windows (as described above). Hardware
RAID controllers are expensive. To fill this gap, cheap "RAID controllers" were
introduced that do not contain a RAID controller chip, but simply a standard disk
controller chip with special firmware and drivers. During early stage bootup the RAID is
implemented by the firmware; when a protected-mode operating system kernel such as
Linux or a modern version of Microsoft Windows is loaded the drivers take over.

These controllers are described by their manufacturers as RAID controllers, and it is
rarely made clear to purchasers that the burden of RAID processing is borne by the host
computer's central processing unit, not the RAID controller itself, thus introducing the
aforementioned CPU overhead. Before their introduction, a "RAID controller" implied
that the controller did the processing, and the new type has become known in technically
knowledgeable circles as "fake RAID" even though the RAID itself is implemented
correctly.

Network-attached storage

While not directly associated with RAID, Network-attached storage (NAS) is an
enclosure containing disk drives and the equipment necessary to make them available
over a computer network, usually Ethernet. The enclosure is basically a dedicated
computer in its own right, designed to operate over the network without screen or
keyboard. It contains one or more disk drives; multiple drives may be configured as a
RAID.

Hot spares

Both hardware and software RAIDs with redundancy may support the use of hot spare
drives, a drive physically installed in the array which is inactive until an active drive fails,
when the system automatically replaces the failed drive with the spare, rebuilding the
array with the spare drive included. This reduces the mean time to recovery (MTTR),
though it doesn't eliminate it completely. A second drive failure in the same RAID
redundancy group before the array is fully rebuilt will result in loss of the data; rebuilding
can take several hours, especially on busy systems.

Rapid replacement of failed drives is important as the drives of an array will all have had
the same amount of use, and may tend to fail at about the same time rather than
randomly. RAID 6 without a spare uses the same number of drives as RAID 5 with a hot
spare and protects data against simultaneous failure of up to two drives, but requires a
more advanced RAID controller.

Reliability terms

Failure rate
    RAID does not change the mean time to failure (MTTF) or mean time between failures
    (MTBF) of the individual drives, regardless of what type of RAID is employed. An array
    of N drives therefore sees a component failure roughly N times as often as a single drive
    does; what RAID changes is whether such a failure leads to data loss (see MTTDL).
Mean time to data loss (MTTDL)
    In this context, the average time before a loss of data in a given array.[7] Mean
    time to data loss of a given RAID may be higher or lower than that of its
    constituent hard drives, depending upon what type of RAID is employed.
Mean time to recovery (MTTR)
    In arrays that include redundancy for reliability, this is the time following a failure
    to restore an array to its normal failure-tolerant mode of operation. This includes
    time to replace a failed disk mechanism as well as time to re-build the array (i.e.
    to replicate data for redundancy).
Unrecoverable bit error rate (UBE)
    The rate at which a disk drive will be unable to recover data after application of its
    on-disk error-correcting codes and multiple retries.
Write cache reliability
    Some RAID systems use RAM write cache to increase performance. A power
    failure can result in data loss unless this sort of disk buffer is supplemented with a
    battery to ensure that the buffer has enough time to write from RAM back to disk.
Atomic write failure
    A write that is interrupted (for example by power loss) so that only part of the sector,
    block or stripe reaches the media. Also known by various terms such as torn writes,
    torn pages, incomplete writes, interrupted writes, non-transactional, etc.

Problems with RAID

Correlated failures

The theory behind the error correction in RAID assumes that failures of drives are
independent. Given these assumptions it is possible to calculate how often they can fail
and to arrange the array to make data loss arbitrarily improbable.

In practice, the drives are often the same ages, with similar wear. Since many drive
failures are due to mechanical issues which are more likely on older drives, this violates
those assumptions and failures are in fact statistically correlated. In practice then, the
chances of a second failure before the first has been recovered is not nearly as unlikely as
might be supposed, and data loss can in practice occur at significant rates.[8]

Atomicity

This is a little understood and rarely mentioned failure mode for redundant storage
systems that do not utilize transactional features. Database researcher Jim Gray wrote
"Update in Place is a Poison Apple" [9] during the early days of relational database
commercialization. However, this warning largely went unheeded and fell by the wayside
upon the advent of RAID, which many software engineers mistook as solving all data
storage integrity and reliability problems. Many software programs update a storage
object "in-place"; that is, they write a new version of the object on to the same disk
addresses as the old version of the object. While the software may also log some delta
information elsewhere, it expects the storage to present "atomic write semantics,"
meaning that the write of the data either occurred in its entirety or did not occur at all.

However, very few storage systems provide support for atomic writes, and even fewer
specify their rate of failure in providing this semantic. Note that during the act of writing
an object, a RAID storage device will usually be writing all redundant copies of the
object in parallel, although overlapped or staggered writes are more common when a
single RAID processor is responsible for multiple drives. Hence an error that occurs
during the process of writing may leave the redundant copies in different states, and
furthermore may leave the copies in neither the old nor the new state. The little known
failure mode is that delta logging relies on the original data being either in the old or the
new state so as to enable backing out the logical change, yet few storage systems provide
an atomic write semantic on a RAID disk.

While the battery-backed write cache may partially solve the problem, it is applicable
only to a power failure scenario.

Since transactional support is not universally present in hardware RAID, many operating
systems include transactional support to protect against data loss during an interrupted
write. Novell Netware, starting with version 3.x, included a transaction tracking system.
Microsoft introduced transaction tracking via the journaling feature in NTFS, which
journals file-system metadata but not file contents. NetApp's WAFL file system solves it
by never updating data in place, as does ZFS.
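The in-place parity update and the resulting "write hole" described in this section, as an added example (not from the article or from any product): a single RAID 5 stripe is updated by read-modify-write and interrupted after the new data chunk has reached its disk but before the new parity has. The stripe is then inconsistent, a parity scrub detects it, and a later rebuild of an unrelated chunk silently returns wrong data. The copy-on-write function at the end shows, in simplified form, the approach WAFL and RAID-Z take. Chunk values, the fixed parity position and the crash points are assumptions.

```python
"""RAID 5 write hole on one stripe (added example, not from the article).
Stripe = 3 data chunks + 1 parity chunk at a fixed position (assumption)."""
import functools
import operator
from typing import List

PARITY = 3  # assumption: index of the parity chunk within this stripe


def xor_blocks(blocks: List[bytes]) -> bytes:
    return bytes(functools.reduce(operator.xor, col) for col in zip(*blocks))


def make_stripe(data_chunks: List[bytes]) -> List[bytes]:
    """Full-stripe write: data chunks followed by their XOR parity."""
    return list(data_chunks) + [xor_blocks(data_chunks)]


def update_in_place(stripe: List[bytes], idx: int, new: bytes,
                    crash_after_data: bool = False) -> List[bytes]:
    """Read-modify-write, as a controller without a journal does it:
    parity' = parity XOR old XOR new. The data write and the parity write
    go to different disks, so a power loss can land between them."""
    stripe = list(stripe)
    new_parity = xor_blocks([stripe[PARITY], stripe[idx], new])
    stripe[idx] = new            # new data reaches its disk
    if crash_after_data:
        return stripe            # power lost here: the parity on disk is now stale
    stripe[PARITY] = new_parity  # new parity reaches its disk
    return stripe


def scrub(stripe: List[bytes]) -> bool:
    """Consistency check: a correct stripe XORs to all-zero bytes."""
    return xor_blocks(stripe) == bytes(len(stripe[0]))


def rebuild(stripe: List[bytes], lost: int) -> bytes:
    """What a rebuild returns for chunk `lost`; correct only if parity is consistent."""
    return xor_blocks([c for i, c in enumerate(stripe) if i != lost])


def update_copy_on_write(stripe: List[bytes], idx: int, new: bytes,
                         crash_before_commit: bool = False) -> List[bytes]:
    """WAFL/RAID-Z style, simplified: write a complete new stripe to fresh
    space, then flip one pointer. A crash before the flip leaves the old,
    consistent stripe in place; there is never a half-updated stripe."""
    data = list(stripe[:PARITY])
    data[idx] = new
    new_stripe = make_stripe(data)
    return stripe if crash_before_commit else new_stripe


if __name__ == "__main__":
    old = make_stripe([b"AAAA", b"BBBB", b"CCCC"])
    torn = update_in_place(old, 1, b"bbbb", crash_after_data=True)
    print("scrub after torn write :", scrub(torn))       # False
    print("rebuild of chunk 0     :", rebuild(torn, 0))  # not b'AAAA'
    cow = update_copy_on_write(old, 1, b"bbbb", crash_before_commit=True)
    print("scrub after COW crash  :", scrub(cow))        # True
```

The damaging part is the third line of output: chunk 0 was never touched by the interrupted write, yet a rebuild after a later failure of disk 0 returns garbage with no error, because the parity it relies on belongs to a stripe that no longer exists. A battery-backed cache only closes this hole for the power-loss case, as the text notes; a scrub after an unclean shutdown, a journal, or copy-on-write full-stripe writes address it in general.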

Unrecoverable data

This can present as a sector read failure. Some RAID implementations protect against this
failure mode by remapping the bad sector, using the redundant data to retrieve a good
copy of the data, and rewriting that good data to the newly mapped replacement sector.
The UBE (Unrecoverable Bit Error) rate is typically specified at 1 bit in 10^15 for
enterprise class disk drives (SCSI, FC, SAS), and 1 bit in 10^14 for desktop class disk
drives (IDE/ATA/PATA, SATA). Increasing disk capacities and large RAID 5
redundancy groups have led to an increasing inability to successfully rebuild a RAID
group after a disk failure because an unrecoverable sector is found on the remaining
drives. Double protection schemes such as RAID 6 are attempting to address this issue,
but suffer from a very high write penalty.
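The two rebuild-time risks described under "Correlated failures" and here, worked through in code as an added example (not from the article): the probability of hitting an unrecoverable read error while a RAID 5 rebuild reads every surviving disk end to end, and the textbook independent-failure MTTDL estimate, whose optimism is exactly what the correlated-failures section warns about. Disk counts, sizes, MTBF and rebuild times are assumptions; the UBE figures are the 10^14 and 10^15 quoted above.

```python
"""Rebuild-risk arithmetic for parity RAID (added example; inputs are assumptions)."""
import math

TB = 10 ** 12  # drive vendors quote decimal terabytes


def p_ure_during_rebuild(n_disks: int, disk_bytes: int, ube: float) -> float:
    """Probability of at least one unrecoverable read error while a RAID 5
    rebuild reads every surviving disk once: 1 - (1 - ube)^bits.
    log1p/expm1 keep the arithmetic exact when ube is around 1e-15."""
    bits_read = (n_disks - 1) * disk_bytes * 8
    return -math.expm1(bits_read * math.log1p(-ube))


def mttdl_raid5_hours(n_disks: int, mtbf_h: float, mttr_h: float) -> float:
    """Independent-failure estimate from the original RAID paper: data is lost
    when a second drive fails within the MTTR window of the first.
    MTTDL ~= MTBF^2 / (N * (N - 1) * MTTR)."""
    return mtbf_h ** 2 / (n_disks * (n_disks - 1) * mttr_h)


def mttdl_raid6_hours(n_disks: int, mtbf_h: float, mttr_h: float) -> float:
    """Same derivation one step further: three failures inside two rebuild windows."""
    return mtbf_h ** 3 / (n_disks * (n_disks - 1) * (n_disks - 2) * mttr_h ** 2)


def rebuild_report(n_disks: int = 7, disk_tb: int = 1) -> dict:
    """URE-during-rebuild probability for the two UBE classes quoted in the text."""
    return {
        "desktop (1e-14)": p_ure_during_rebuild(n_disks, disk_tb * TB, 1e-14),
        "enterprise (1e-15)": p_ure_during_rebuild(n_disks, disk_tb * TB, 1e-15),
    }


if __name__ == "__main__":
    for label, p in rebuild_report().items():
        print(f"7 x 1 TB RAID 5, {label}: P(URE during rebuild) = {p:.1%}")
    years = mttdl_raid5_hours(7, 1.2e6, 24) / 8766
    print(f"MTTDL, 7 disks, 1.2M h MTBF, 24 h rebuild, independent failures: {years:,.0f} years")
```

With the assumed 7 x 1 TB array, a rebuild reads 48 Tbit, so a desktop-class 10^14 UBE gives roughly a 38% chance of an unrecoverable sector during the rebuild, against about 5% for an enterprise-class 10^15 drive. The independent-failure MTTDL, by contrast, comes out in the hundreds of thousands of years, which is the gap between theory and the correlated, same-batch failures the previous section describes; RAID 6 changes the MTTDL formula by another factor of MTBF/MTTR and, more usefully, lets a rebuild survive one unrecoverable sector.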

Write cache reliability

The disk system can acknowledge the write operation as soon as the data is in the cache,
not waiting for the data to be physically written. However, any power outage can then
mean a significant data loss of any data queued in such cache.

Often a battery is protecting the write cache, mostly solving the problem. If a write fails
because of power failure, the controller may complete the pending writes as soon as
restarted. This solution still has potential failure cases: the battery may have worn out, the
power may be off for too long, the disks could be moved to another controller, the
controller itself could fail. Some disk systems provide the capability of testing the battery
periodically, however this leaves the system without a fully charged battery for several
hours.

An additional concern about write cache reliability exists, and that is that a lot of them
are write-back cache; a caching system which reports the data as written as soon as it is
written to cache, as opposed to the non-volatile medium [10]. The safer cache technique is
write-through, which reports transactions as written when they are written to the non-
volatile medium.

Equipment compatibility

The disk formats on different RAID controllers are not necessarily compatible, so that it
may not be possible to read a RAID on different hardware. Consequently a non-disk
hardware failure may require using identical hardware, or a data backup, to recover the
data. Software RAID, however, such as that implemented in the Linux kernel, alleviates this
concern, as the setup is not hardware dependent but runs on ordinary disk controllers.
Additionally, software RAID 1 member disks can often be read like normal disks, so no
RAID system is required to retrieve the data; this holds when the RAID metadata is stored
at the end of the device (as with the older Linux MD superblock formats), not when it is
placed at the start of the device and shifts the data.

History

Norman Ken Ouchi at IBM was awarded a 1978 U.S. patent 4,092,732[11] titled "System
for recovering data stored in failed memory unit." The claims for this patent describe
what would later be termed RAID 5 with full stripe writes. This 1978 patent also
mentions that disk mirroring or duplexing (what would later be termed RAID 1) and
protection with dedicated parity (that would later be termed RAID 4) were prior art at
that time.

The term RAID was first defined by David A. Patterson, Garth A. Gibson and Randy
Katz at the University of California, Berkeley in 1987. They studied the possibility of
using two or more drives to appear as a single device to the host system and published a
paper: "A Case for Redundant Arrays of Inexpensive Disks (RAID)" in June 1988 at the
SIGMOD conference.[1]

This specification suggested a number of prototype RAID levels, or combinations of
drives. Each had theoretical advantages and disadvantages. Over the years, different
implementations of the RAID concept have appeared. Most differ substantially from the
original idealized RAID levels, but the numbered names have remained. This can be
confusing, since one implementation of RAID 5, for example, can differ substantially
from another. RAID 3 and RAID 4 are often confused and even used interchangeably.

Their paper formally defined RAID levels 1 through 5 in sections 7 to 11:

• First level RAID: mirrored drives
• Second level RAID: Hamming code for error correction
• Third level RAID: single check disk per group
• Fourth level RAID: independent reads and writes
• Fifth level RAID: spread data/parity over all drives (no single check disk)

Fields
The four octets that make up an IP address are conventionally represented by a, b, c, and
d respectively. The following table shows how the octets are distributed in classes A, B,
and C.

Class   IP Address   Network ID   Host ID
A       a.b.c.d      a            b.c.d
B       a.b.c.d      a.b          c.d
C       a.b.c.d      a.b.c        d

Class A: Class A addresses are assigned to networks with a large number of total hosts.
Class A allows for 126 networks by using the first octet for the network ID. The first bit
in this octet is always fixed to zero, and the next seven bits in the octet complete the
network ID. The 24 bits in the remaining octets represent the host ID, allowing 126
networks and approximately 17 million hosts per network. Class A network number
values begin at 1 and end at 127.

Class B: Class B addresses are assigned to medium- to large-sized networks. Class B
allows for 16,384 networks by using the first two octets for the network ID. The first two
bits in the first octet are always fixed to 10. The remaining 6 bits, together with the
next octet, complete the network ID. The 16 bits in the third and fourth octets represent
the host ID, allowing for approximately 65,000 hosts per network. Class B network
number values begin at 128 and end at 191.

Class C: Class C addresses are used in small local area networks (LANs). Class C allows
for approximately 2 million networks by using the first three octets for the network ID. In
a class C address the first three bits are always fixed to 110, and the remaining 21 bits of
the first three octets complete the network ID. The 8 bits of the last octet represent the
host ID, allowing for 254 hosts per network. Class C network number values begin at
192 and end at 223.

Class D and E: Classes D and E are not allocated to hosts. Class D addresses are used
for multicasting, and class E addresses are not available for general use: they are reserved
for future purposes.
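The class table and the class descriptions above can be checked mechanically. The following is an added example, not part of the original text: it derives the class from the fixed leading bits of the first octet, splits the address into network ID and host ID exactly as the table does, and computes the usable host count (which yields the 254 hosts quoted for class C). The function names and the sample addresses are the example's own.

```python
import ipaddress

# Class is decided by the fixed leading bits of the first octet:
#   0xxxxxxx = A, 10xxxxxx = B, 110xxxxx = C, 1110xxxx = D, 1111xxxx = E.
# Each rule: (number of leading bits compared, bit pattern, class,
#             number of octets that form the network ID).
CLASS_RULES = (
    (1, 0b0,    "A", 1),
    (2, 0b10,   "B", 2),
    (3, 0b110,  "C", 3),
    (4, 0b1110, "D", 0),   # multicast: not allocated to hosts
    (4, 0b1111, "E", 0),   # reserved: not allocated to hosts
)


def classify(address):
    """Return (class, network_id, host_id, usable_hosts) for a dotted quad.

    network_id and host_id follow the table (a / b.c.d, a.b / c.d, a.b.c / d)
    and are None for classes D and E. usable_hosts excludes the all-zeros
    and all-ones host values, which is why class C gives 254, not 256.
    """
    octets = list(ipaddress.IPv4Address(address).packed)  # validates the input
    first = octets[0]
    for nbits, pattern, cls, net_octets in CLASS_RULES:
        if first >> (8 - nbits) == pattern:
            break
    else:  # unreachable: every first-octet value matches one of the five patterns
        raise ValueError(address)
    if net_octets == 0:
        return cls, None, None, 0
    network_id = ".".join(str(o) for o in octets[:net_octets])
    host_id = ".".join(str(o) for o in octets[net_octets:])
    usable_hosts = 2 ** (8 * (4 - net_octets)) - 2
    return cls, network_id, host_id, usable_hosts


def first_octet_range(cls):
    """Smallest and largest first-octet value that falls into the class.

    Derived purely from the leading-bit rules, so class A comes out as 0..127;
    the text's "begin at 1" reflects that network 0 is reserved in practice.
    """
    values = [n for n in range(256) if classify(f"{n}.0.0.0")[0] == cls]
    return min(values), max(values)


if __name__ == "__main__":
    for sample in ("10.1.2.3", "172.16.5.6", "192.168.1.9", "224.0.0.1"):
        print(sample, classify(sample))
```

Run it on any address; for example `classify("172.16.5.6")` returns class B with network ID `172.16`, host ID `5.6` and 65,534 usable hosts, matching the "approximately 65,000 hosts" figure in the text.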

Virtual private network

From Wikipedia, the free encyclopedia

A virtual private network (VPN) is a computer network in which some of the links
between nodes are carried by open connections or virtual circuits in some larger network
(e.g., the Internet) instead of by physical wires. The link-layer protocols of the virtual
network are said to be tunneled through the larger network when this is the case. One
common application is secure communications through the public Internet, but a VPN
need not have explicit security features, such as authentication or content encryption.
VPNs, for example, can be used to separate the traffic of different user communities over
an underlying network with strong security features.

A VPN may have best-effort performance, or may have a defined service level agreement
(SLA) between the VPN customer and the VPN service provider. Generally, a VPN has a
topology more complex than point-to-point.

Categorization by user administrative relationships
The Internet Engineering Task Force (IETF) categorized a variety of VPNs, some of
which, such as Virtual LANs (VLAN) are the standardization responsibility of other
organizations, such as the Institute of Electrical and Electronics Engineers (IEEE) Project
802, Workgroup 802.1 (architecture). Originally, network nodes within a single
enterprise were interconnected with Wide Area Network (WAN) links from a
telecommunications service provider. With the advent of LANs, enterprises could
interconnect their nodes with links that they owned. While the original WANs used
dedicated lines and layer 2 multiplexed services such as Frame Relay, IP-based layer 3
networks, such as the ARPANET, Internet, military IP networks
(NIPRNET, SIPRNET, JWICS, etc.), became common interconnection media. VPNs
began to be defined over IP networks [1]. The military networks may themselves be
implemented as VPNs on common transmission equipment, but with separate encryption
and perhaps routers.

It became useful first to distinguish among different kinds of IP VPN based on the
administrative relationships, not the technology, interconnecting the nodes. Once the
relationships were defined, different technologies could be used, depending on
requirements such as security and quality of service.

When an enterprise interconnected a set of nodes, all under its administrative control,
through a LAN, that was termed an intranet [2]. When the interconnected nodes
were under multiple administrative authorities, but were hidden from the public Internet,
the resulting set of nodes was called an extranet. Both intranets and extranets could be
managed by a user organization, or the service could be obtained as a contracted offering,
usually customized, from an IP service provider. In the latter case, the user organization
contracted for layer 3 services much as it had contracted for layer 1 services such as
dedicated lines, or multiplexed layer 2 services such as frame relay.

The IETF distinguishes between provider-provisioned and customer-provisioned VPNs
[3]. Much as conventional WAN services can be provided by an interconnected set of
providers, provider-provisioned VPNs (PPVPNs) can be provided by a single service
provider that presents a common point of contact to the user organization.

Routing
Tunneling protocols can be used in a point-to-point topology that would generally not be
considered a VPN, because a VPN is expected to support arbitrary and changing sets of
network nodes. Since most router implementations support software-defined tunnel
interface, customer-provisioned VPNs are often simply a set of tunnels over which
conventional routing protocols run. PPVPNs, however, need to support the coexistence of
multiple VPNs, hidden from one another, but operated by the same service provider.

Building blocks

Depending on whether the PPVPN is layer 2 or layer 3, the building blocks described
below may be L2 only, L3 only, or combinations of the two. MPLS functionality blurs
the L2-L3 identity.

While these terms were generalized to cover L2 and L3 VPNs in RFC 4026, they were
introduced in RFC 2547. [4]

Customer edge device (CE)

In general, a CE is a device, physically at the customer premises, that provides access to
the PPVPN service. Some implementations treat it purely as a demarcation point between
provider and customer responsibility, while others allow it to be a customer-configurable
device.

Provider edge device (PE)

A PE is a device or set of devices, at the edge of the provider network, which provides
the provider's view of the customer site. PEs are aware of the VPNs that connect through
them, and do maintain VPN state.

Provider device (P)

A P device is inside the provider's core network, and does not directly interface to any
customer endpoint. It might, for example, be used to provide routing for many provider-
operated tunnels that belong to different customers' PPVPNs. While the P device is a key
part of implementing PPVPNs, it is not itself VPN-aware and does not maintain VPN
state. Its principal role is allowing the service provider to scale its PPVPN offerings, as,
for example, by acting as an aggregation point for multiple PEs. P-to-P connections, in
such a role, often are high-capacity optical links between major locations of the provider.

User-visible PPVPN services

This section deals with the types of VPN currently considered active in the IETF; some
historical names were replaced by these terms.

Layer 1 services

Virtual private wire and private line services (VPWS and VPLS)

In both of these services, the provider does not offer a full routed or bridged network, but
components from which the customer can build customer-administered networks. VPWS
are point-to-point while VPLS can be point-to-multipoint. They can be Layer 1 emulated
circuits with no data link structure.

It is the customer that determines the overall customer VPN service, which can involve
routing, bridging, or host network elements.

There is an unfortunate acronym collision between Virtual Private Line Service and
Virtual Private LAN Service; the context should make it clear whether the layer 1 virtual
private line or the layer 2 virtual private LAN is meant.

Layer 2 services

Virtual LAN

A Layer 2 technique that allows for the coexistence of multiple LAN broadcast domains,
interconnected via trunks using the IEEE 802.1Q trunking protocol. Other trunking
protocols have been used but are obsolete, including Inter-Switch Link (ISL), IEEE
802.10 (originally a security protocol but a subset was introduced for trunking), and
ATM LAN Emulation (LANE).

Virtual private LAN service (VPLS)

Developed by IEEE, VLANs allow multiple tagged LANs to share common trunking.
VLANs frequently are composed only of customer-owned facilities. The former is a layer
1 technology that supports emulation of both point-to-point and point-to-multipoint
topologies. The method discussed here is an extension of Layer 2 technologies such as
802.1d and 802.1q LAN trunking, extended to run over transports such as Metro
Ethernet.

As used in this context, a VPLS is a Layer 2 PPVPN, rather than a private line, emulating
the full functionality of a traditional Local Area Network (LAN). From a user standpoint,
a VPLS makes it possible to interconnect several LAN segments over a packet-switched,
or optical, provider core; a core transparent to the user, making the remote LAN segments
behave as one single LAN.

In a VPLS, the provider network emulates a learning bridge, which optionally may
include VLAN service.

Pseudo wire (PW)

PW is similar to VPWS, but it can provide different L2 protocols at both ends. Typically,
its interface is a WAN protocol such as ATM or Frame Relay. In contrast, when the goal
is to provide the appearance of a LAN contiguous between two or more locations, the
Virtual Private LAN service or IPLS would be appropriate.

IP-only LAN-like service (IPLS)

A subset of VPLS, the CE devices must have L3 capabilities; the IPLS presents packets
rather than frames. It may support IPv4 or IPv6.

L3 PPVPN architectures

This section discusses the main architectures for PPVPNs, one where the PE
disambiguates duplicate addresses in a single routing instance, and the other, virtual
router, in which the PE contains a virtual router instance per VPN. The former approach,
and its variants, have gained the most attention.

One of the challenges of PPVPNs is that different customers may use the same address
space, especially the IPv4 private address space[5]. The provider must be able to
disambiguate overlapping addresses in the multiple customers' PPVPNs.
BGP/MPLS PPVPN

In the method defined by RFC 2547, BGP extensions are used to advertise routes in the
IPv4 VPN address family, which are of the form of 12-byte strings, beginning with an 8-
byte Route Distinguisher (RD) and ending with a 4-byte IPv4 address. RDs disambiguate
otherwise duplicate addresses in the same PE.

PEs understand the topology of each VPN, which are interconnected with MPLS tunnels,
either directly or via P routers. In MPLS terminology, the P routers are Label Switch
Routers without awareness of VPNs.
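The 12-byte VPN-IPv4 address described above is easy to build and take apart by hand. The following is an added example, not code from the original article or from any router vendor: it encodes and decodes the 8-byte Route Distinguisher in the three layouts defined by RFC 4364 (the successor of RFC 2547), appends the 4-byte IPv4 address, and shows that two customers announcing the same private address produce two distinct VPN-IPv4 keys on the PE. The customer names, AS number and addresses are constructed sample data.

```python
import struct
import ipaddress

# RD layout (RFC 4364): 2-byte type field followed by a 6-byte value.
#   type 0: 2-byte AS number    + 4-byte assigned number
#   type 1: 4-byte IPv4 address + 2-byte assigned number
#   type 2: 4-byte AS number    + 2-byte assigned number


def encode_rd(rd_type, administrator, assigned):
    """Return the 8-byte Route Distinguisher for the given type and fields."""
    if rd_type == 0:
        return struct.pack("!HHI", 0, administrator, assigned)
    if rd_type == 1:
        admin = ipaddress.IPv4Address(administrator).packed
        return struct.pack("!H4sH", 1, admin, assigned)
    if rd_type == 2:
        return struct.pack("!HIH", 2, administrator, assigned)
    raise ValueError(f"unknown RD type {rd_type}")


def decode_rd(rd):
    """Return (type, administrator, assigned) from an 8-byte RD."""
    if len(rd) != 8:
        raise ValueError("RD must be exactly 8 bytes")
    rd_type = struct.unpack("!H", rd[:2])[0]
    if rd_type == 0:
        admin, assigned = struct.unpack("!HI", rd[2:])
        return 0, admin, assigned
    if rd_type == 1:
        admin, assigned = struct.unpack("!4sH", rd[2:])
        return 1, str(ipaddress.IPv4Address(admin)), assigned
    if rd_type == 2:
        admin, assigned = struct.unpack("!IH", rd[2:])
        return 2, admin, assigned
    raise ValueError(f"unknown RD type {rd_type}")


def rd_as_text(rd):
    """Conventional 'administrator:assigned' rendering of an RD."""
    _, admin, assigned = decode_rd(rd)
    return f"{admin}:{assigned}"


def encode_vpn_ipv4(rd, address):
    """12-byte VPN-IPv4 address: RD followed by the 4-byte IPv4 address."""
    return rd + ipaddress.IPv4Address(address).packed


def decode_vpn_ipv4(blob):
    """Split a 12-byte VPN-IPv4 address back into (decoded RD, dotted IPv4)."""
    if len(blob) != 12:
        raise ValueError("VPN-IPv4 address must be exactly 12 bytes")
    return decode_rd(blob[:8]), str(ipaddress.IPv4Address(blob[8:]))


# Constructed sample: two customers of the same provider (AS 65000) both use
# 10.0.0.1 from the private address space. Only the RD tells them apart.
SAMPLE_ROUTES = [
    ("customer-blue", encode_rd(0, 65000, 100), "10.0.0.1"),
    ("customer-red",  encode_rd(0, 65000, 200), "10.0.0.1"),
]


def build_pe_table(routes):
    """Map each VPN-IPv4 key a PE would carry to the customer that owns it.

    Overlapping IPv4 addresses remain separate entries because the key
    includes the RD; a table keyed on the bare IPv4 address would collapse
    them into one and misroute one customer's traffic.
    """
    return {encode_vpn_ipv4(rd, addr): customer for customer, rd, addr in routes}


if __name__ == "__main__":
    for key, customer in build_pe_table(SAMPLE_ROUTES).items():
        rd, addr = decode_vpn_ipv4(key)
        print(f"{customer}: RD {rd_as_text(key[:8])} address {addr}")
```

Note that the RD only disambiguates; it carries no authorization. Which customer a PE-CE link belongs to is still decided by the provider's configuration, which is why the text treats the trusted-delivery-network model as a separate security question.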

Virtual router PPVPN

The Virtual Router architecture [6], as opposed to BGP/MPLS techniques, requires no
modification to existing routing protocols such as BGP. By the provisioning of logically
independent routing domains, the customer operating a VPN is completely responsible
for the address space. In the various MPLS tunnels, the different PPVPNs are
disambiguated by their label, but do not need routing distinguishers.

Virtual router architectures do not need to disambiguate addresses, because rather than a
PE router having awareness of all the PPVPNs, the PE contains multiple virtual router
instances, which belong to one and only one VPN.

Categorizing VPN security models

From the security standpoint, either the underlying delivery network is trusted, or the
VPN must enforce security with mechanisms in the VPN itself. Unless the trusted
delivery network runs only among physically secure sites, both trusted and secure models
need an authentication mechanism for users to gain access to the VPN.

Some ISPs now offer managed VPN service for business customers who want the
security and convenience of a VPN but prefer not to undertake administering a VPN
server themselves. Managed VPNs go beyond PPVPN scope, and are a contracted
security solution that can reach into hosts. In addition to providing remote workers with
secure access to their employer's internal network, other security and management
services are sometimes included as part of the package. Examples include keeping anti-
virus and anti-spyware programs updated on each client's computer.

Authentication before VPN connection

A known trusted user, sometimes only when using trusted devices, can be provided with
appropriate security privileges to access resources not available to general users. Servers
may also need to authenticate themselves to join the VPN.
There are a wide variety of authentication mechanisms, which may be implemented in
devices including firewalls, access gateways, and other devices. They may use
passwords, biometrics, or cryptographic methods. Strong authentication involves
combining cryptography with another authentication mechanism. The authentication
mechanism may require explicit user action, or may be embedded in the VPN client or
the workstation.

Trusted delivery networks

Trusted VPNs (sometimes referred to as APNs, Actual Private Networks) do not
use cryptographic tunneling, and instead rely on the security of a single provider's
network to protect the traffic. In a sense, these are an elaboration of traditional network
and system administration work.

• Multi-Protocol Label Switching (MPLS) is often used to overlay VPNs, often
with quality of service control over a trusted delivery network.
• Layer 2 Tunneling Protocol (L2TP)[7] which is a standards-based replacement, and
a compromise taking the good features from each, for two proprietary VPN
protocols: Cisco's Layer 2 Forwarding (L2F) [8] (now obsolete) and Microsoft's
Point-to-Point Tunneling Protocol (PPTP) [9].

Security mechanisms in the VPN

Secure VPNs use cryptographic tunneling protocols to provide the intended
confidentiality (blocking snooping and thus packet sniffing), sender authentication
(blocking identity spoofing), and message integrity (blocking message alteration) to
achieve privacy. When properly chosen, implemented, and used, such techniques can
provide secure communications over unsecured networks.

Secure VPN protocols include the following:

• IPsec (IP security) - commonly used over IPv4, and a "standard option" in IPv6.
• SSL/TLS used either for tunneling the entire network stack, as in the OpenVPN
project, or for securing what is, essentially, a web proxy. SSL is a framework
more often associated with e-commerce, but it has been built-upon by a number of
vendors to provide remote access VPN capabilities. A major practical advantage
of an SSL-based VPN is that it can be accessed from the locations that restrict
external access to SSL-based e-commerce websites only, thereby preventing VPN
connectivity using IPsec protocols. SSL-based VPNs are vulnerable to trivial
Denial of Service attacks mounted against their TCP connections because the latter
are inherently unauthenticated.
• OpenVPN, an open standard VPN. It is a variation of SSL-based VPN that is
capable of running over UDP. Clients and servers are available for all major
operating systems.
• L2TPv3 (Layer 2 Tunneling Protocol version 3), a new release.
• VPN Quarantine The client machine at the end of a VPN could be a threat and a
source of attack; this has no connection with VPN design and is usually left to
system administration efforts. There are solutions that provide VPN Quarantine
services which run end point checks on the remote client while the client is kept
in a quarantine zone until healthy. Microsoft ISA Server 2004/2006 together with
VPN-Q 2006 from Winfrasoft or an application called QSS (Quarantine Security
Suite) provide this functionality.
• MPVPN (Multi Path Virtual Private Network). MPVPN is a registered trademark
owned by Ragula Systems Development Company. See Trademark Applications
and Registrations Retrieval (TARR)

Security and mobility

Mobile VPNs are VPNs designed for mobile and wireless users. They integrate
standards-based authentication and encryption technologies to secure data transmissions
to and from devices and to protect networks from unauthorized users. Designed for
wireless environments, Mobile VPNs are designed as an access solution for users that are
on the move and require secure access to information and applications over a variety of
wired and wireless networks. Mobile VPNs allow users to roam seamlessly across IP-
based networks and in and out of wireless coverage areas without losing application
sessions or dropping the secure VPN session. For instance, highway patrol officers
require access to mission-critical applications in order to perform their jobs as they travel
across different subnets of a mobile network, much as a cellular radio has to hand off its
link to repeaters at different cell towers.

What Is the Global Catalog?

Updated: December 5, 2005

The global catalog is a distributed data repository that contains a searchable, partial representation of
every object in every domain in a multidomain Active Directory forest. The global catalog is stored on
domain controllers that have been designated as global catalog servers and is distributed through
multimaster replication. Searches that are directed to the global catalog are faster because they do not
involve referrals to different domain controllers.

In addition to configuration and schema directory partition replicas, every domain controller in a
Windows 2000 Server or Windows Server 2003 forest stores a full, writable replica of a single domain
directory partition. Therefore, a domain controller can locate only the objects in its domain. Locating an
object in a different domain would require the user or application to provide the domain of the requested
object.

The global catalog provides the ability to locate objects from any domain without having to know the
domain name. A global catalog server is a domain controller that, in addition to its full, writable domain
directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in
the forest. The additional domain directory partitions are partial because only a limited set of attributes is
included for each object. By including only the attributes that are most used for searching, every object in
every domain in even the largest forest can be represented in the database of a single global catalog
server.

Note

• A global catalog server can also store a full, writable replica of an application directory partition,
but objects in application directory partitions are not replicated to the global catalog as partial,
read-only directory partitions.

The global catalog is built and updated automatically by the Active Directory replication system. The
attributes that are replicated to the global catalog are identified in the schema as the partial attribute set
(PAS) and are defined by Microsoft. However, to optimize searching, you can edit the schema by adding or
removing attributes that are stored in the global catalog.

In Windows 2000 Server environments, any change to the PAS results in full synchronization (update of
all attributes) of the global catalog. Windows Server 2003 reduces the impact of updating the global
catalog by replicating only the attributes that change.

In a single-domain forest, a global catalog server stores a full, writable replica of the domain and does not
store any partial replica. A global catalog server in a single-domain forest functions in the same manner as
a non-global-catalog server except for the processing of forestwide searches.

Common Global Catalog Scenarios

The following events require a global catalog server:

• Forestwide searches. The global catalog provides a resource for searching an Active Directory
forest. Forestwide searches are identified by the LDAP port that they use. If the search query
uses port 3268, the query is sent to a global catalog server.

• User logon. In a forest that has more than one domain, two conditions require the global catalog
during user authentication:

    • In a Windows 2000 native mode domain or a Windows Server 2003 domain at either the
    Windows 2000 native or Windows Server 2003 domain functional level, domain controllers
    must request universal group membership enumeration from a global catalog server.

    • When a user principal name (UPN) is used at logon and the forest has more than one
    domain, a global catalog server is required to resolve the name.

• Universal Group Membership Caching: In a forest that has more than one domain, in sites that
have domain users but no global catalog server, Universal Group Membership Caching can be
used to enable caching of logon credentials so that the global catalog does not have to be
contacted for subsequent user logons. This feature eliminates the need to retrieve universal
group memberships across a WAN link from a global catalog server in a different site.

Note

Universal groups are available only in a Windows 2000 Server native mode domain or a
Windows Server 2003 domain at either the Windows 2000 native or Windows Server 2003
domain functional level.

• Exchange Address Book lookups. Servers running Microsoft Exchange 2000 Server and
Exchange Server 2003 rely on access to the global catalog for address information. Users use
global catalog servers to access the global address list (GAL).

Search Requests
Because a domain controller that acts as a global catalog server stores objects for all domains in the
forest, users and applications can use the global catalog to locate objects in any domain within a
multidomain Active Directory forest without a referral to a different server.

When a forest consists of a single domain, every domain controller has a full, writable copy of every object
in the domain and forest. However, it is important to retain the global catalog on at least one domain
controller because many applications use port 3268 for searching. For example, if you do not have any
global catalog servers, the Search command on the Start menu of Windows 2000 Professional,
Windows 2000 Server, Windows XP Professional, and Windows Server 2003 cannot locate objects in Active
Directory.

The replicas that are replicated to the global catalog also include the access permissions for each object
and attribute. If you are searching for an object that you do not have permission to access, you do not
see the object in the list of search results. Users can find only objects to which they are allowed access.

User Logon Support

In addition to its role as a search provider, in a forest that has more than one domain, the global catalog
has a role as an identity source during the user logon process. Universal groups can provide access to
resources outside of the user's domain. User principal names (UPNs) can specify a domain other than the
domain of the user. By making universal group membership and UPN domain-user mapping information
available on all global catalog servers, the global catalog provides the definitive source for groups that are
capable of providing access in more than one domain and names that do not unequivocally identify the
domain of the user.

Universal Group Membership

During the domain logon process, the user must be authenticated. During the authentication process, the
user is validated (the domain controller verifies the identity of the user) and the user receives
authorization data for access to resources. To provide authorization data of a user, the authenticating
domain controller retrieves the security identifiers (SIDs) for all security groups of which the user is a
member and adds these SIDs to the user’s access token. In a forest that has more than one domain, the
global catalog is the only location where memberships of all universal groups in that forest can be
ascertained. For this reason, access to a global catalog server is required for successful Active Directory
authentication in a domain that can have universal groups.

Note

• Universal groups are available only in a Windows 2000 Server native mode domain or a Windows
Server 2003 domain at either the Windows 2000 native or Windows Server 2003 domain
functional level.

The global catalog stores the membership (the member attribute) of only universal groups. The
membership of other groups can be ascertained at the domain level.

Because a universal group can have members from domains other than the domain where the group
object is stored and can be used to provide access to resources in any domain, only a global catalog
server is guaranteed to have all universal group memberships that are required for authentication.

For example, a user might be a member of a universal group that has its group object stored in a different
domain but provides access to resources in the user’s domain. To ensure that the user can be authorized
to access resources appropriately in this domain, the domain controller must have access to the
membership of all universal groups in the forest.

If a global catalog server is not available, the user logon fails.

User Principal Name

A user principal name (UPN) is a logon name that takes the form of an e-mail address. A UPN specifies the
user ID followed by a DNS domain name, separated by an "@" character (for example,
jsmith@contoso.com). UPNs allow administrative management of the UPN suffix to provide logon names
that:

• Match the user’s e-mail name.

• Do not reveal the domain structure of the forest.

When a user account is created, the UPN suffix is generated by default as userName@DnsDomainName,
but it can be changed administratively. For example, in a forest that has four domains, the UPN suffix
might be configured to map to the external DNS name for the organization. The userPrincipalName
attribute of the user account identifies the UPN and is replicated to the global catalog.

When you use a UPN to log on to a domain, your workstation contacts a global catalog server to resolve
the name because the UPN suffix is not necessarily the domain for which the contacted domain controller
is authoritative. If the DNS domain name in the UPN suffix is not a valid DNS domain, the logon fails.
Assuming the UPN suffix is a valid DNS name, the global catalog server returns the name of the Active
Directory domain name to your workstation, which then queries DNS for a domain controller in that
domain.

If a company has more than one forest and uses trust relationships between the domains in the different
forests, a UPN cannot be used to log on to a domain that is outside the user’s forest because the UPN is
resolved in the global catalog of the user’s forest.
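The three roles described in the Search Requests, Universal Group Membership and User Principal Name sections above (a partial replica restricted to the PAS, universal group membership visible forest-wide, and UPN-to-domain resolution) can be modelled in a few dozen lines. The following is an added example, not Microsoft's code: it builds the partial, read-only replica a global catalog server in one domain holds for the other domains, keeps the member attribute only for universal groups, and contrasts that with what a non-global-catalog domain controller can see. The forest, domain names, accounts, groups and the partial attribute set are constructed sample data.

```python
# Attributes assumed (for this example) to be in the partial attribute set.
PARTIAL_ATTRIBUTE_SET = {"objectClass", "sAMAccountName", "userPrincipalName",
                         "groupType", "member"}
GC_PORT, LDAP_PORT = 3268, 389   # ports quoted in the text

# Constructed two-domain forest: objects keyed by a shortened distinguished name.
FOREST = {
    "corp.contoso.com": {
        "CN=jsmith,DC=corp": {"objectClass": "user", "sAMAccountName": "jsmith",
                              "userPrincipalName": "jsmith@contoso.com",
                              "department": "Finance"},          # not in the PAS
        "CN=Finance-Global,DC=corp": {"objectClass": "group", "groupType": "universal",
                                      "member": ["CN=jsmith,DC=corp", "CN=bwong,DC=emea"]},
    },
    "emea.contoso.com": {
        "CN=bwong,DC=emea": {"objectClass": "user", "sAMAccountName": "bwong",
                             "userPrincipalName": "bwong@contoso.com",
                             "department": "Sales"},             # not in the PAS
        "CN=EMEA-Ops,DC=emea": {"objectClass": "group", "groupType": "global",
                                "member": ["CN=bwong,DC=emea"]},
    },
}


def non_gc_replica(forest, local_domain):
    """What an ordinary domain controller holds: its own domain only."""
    return {local_domain: {dn: dict(a) for dn, a in forest[local_domain].items()}}


def build_global_catalog(forest, local_domain):
    """What a global catalog server in local_domain holds: its own domain in
    full, plus a partial, read-only replica of every other domain restricted
    to the PAS. The member attribute is retained only for universal groups."""
    catalog = non_gc_replica(forest, local_domain)
    for domain, objects in forest.items():
        if domain == local_domain:
            continue
        partial = {}
        for dn, attrs in objects.items():
            kept = {k: v for k, v in attrs.items() if k in PARTIAL_ATTRIBUTE_SET}
            if attrs.get("objectClass") == "group" and attrs.get("groupType") != "universal":
                kept.pop("member", None)
            partial[dn] = kept
        catalog[domain] = partial
    return catalog


def resolve_upn(catalog, upn):
    """Return the domain that holds the account with this UPN, or None."""
    for domain, objects in catalog.items():
        if any(a.get("userPrincipalName") == upn for a in objects.values()):
            return domain
    return None


def universal_groups_of(replica, dn):
    """Universal groups, from any domain in the replica, that list dn as a member."""
    return sorted(group_dn
                  for objects in replica.values()
                  for group_dn, attrs in objects.items()
                  if attrs.get("groupType") == "universal"
                  and dn in attrs.get("member", []))


def port_for_search(forest_wide):
    """Forest-wide queries go to port 3268 (global catalog); domain queries to 389."""
    return GC_PORT if forest_wide else LDAP_PORT


if __name__ == "__main__":
    gc = build_global_catalog(FOREST, "emea.contoso.com")
    print("UPN jsmith@contoso.com lives in", resolve_upn(gc, "jsmith@contoso.com"))
    print("bwong's universal groups seen by a GC:", universal_groups_of(gc, "CN=bwong,DC=emea"))
    print("...seen by a plain EMEA DC:",
          universal_groups_of(non_gc_replica(FOREST, "emea.contoso.com"), "CN=bwong,DC=emea"))
```

The last two lines of the demo reproduce the authorization point made in the text: bwong is a member of a universal group whose object lives in corp.contoso.com, so a plain EMEA domain controller cannot see that membership and would produce an incomplete access token, whereas any global catalog server can.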

Universal Group Membership Caching

Universal Group Membership Caching is a new feature in Windows Server 2003 that eliminates the need
for a domain controller in a multidomain forest to contact a global catalog server during the logon process
in domains where universal groups are available. Caching group membership reduces WAN traffic, which
helps in sites where updating the cached group membership of security principals, including user and
computer accounts, generates less traffic than replicating the global catalog to the site.

Use the following criteria to determine if a site is a good candidate for Universal Group Membership
Caching:

• Number of users and computers in the site: The site has less than 500 combined users and
computers, including transient users who log on occasionally but not on a regular basis. The
cache of a user who logs on once continues to be updated periodically for 180 days after the first
logon. A general limit of 500 membership caches can be updated at a time. If greater than
500 security principals have cached group memberships, some caches might not be updated.

• Number of domain controllers: Each domain controller performs a refresh on every user in its site
once every eight hours. Depending on the number of domains in the forest, 500 security
principals and two domain controllers could generate more WAN traffic than placing a global
catalog server in the site. Therefore, you need to rationalize the WAN costs when exceeding
500 security principals and two domain controllers.

• Tolerance for high latency in group updates. Because domain controllers in the site where
Universal Group Membership Caching is enabled update the membership caches every eight
hours, and because credentials are always taken from the cache, updates to group memberships
are not reflected in the security principal's credentials for up to eight hours.

Address Book Lookups

In Windows Server 2003 environments, Exchange 2000 Server and Exchange Server 2003 use the global
catalog to store mail recipient data that enables clients in a forest to send and receive e-mail messages.

Global Catalog Dependencies and Interactions

Global catalog servers have the following dependencies and interactions with other Windows Server
technologies:

• Active Directory installation. When Active Directory is installed on the first domain controller in a
forest, the installation application creates that domain controller as a global catalog server.

• Active Directory replication. The global catalog is built and maintained by Active Directory
replication:

    • Subsequent to forest creation, when a domain controller is designated as a global
    catalog server, Active Directory replication automatically transfers PAS replicas to the domain
    controller, including the partial replica of every domain in the forest other than the local
    domain.

    • To facilitate intersite replication of global catalog server updates, Active Directory
    replication selects global catalog servers as bridgehead servers whenever a global catalog
    server is present in a site and domains that are not present in the site exist in other sites in
    the forest.

• Domain Name System (DNS). Global catalog server clients depend on DNS to provide the IP
address of global catalog servers. DNS is required to advertise global catalog servers for domain
controller location.

• Net Logon service. Global catalog advertisement in DNS depends on the Net Logon service to
perform DNS registrations. When replication of the global catalog is complete, or when a global
catalog server starts, the Net Logon service publishes service (SRV) resource records in DNS that
specifically advertise the domain controller as a global catalog server.

• Domain controller Locator: When a global catalog server is requested (by a user or application
that launches a search over port 3268, or by a domain controller that is authenticating a user
logon), the domain controller Locator queries DNS for a global catalog server.

In the following diagram, global catalog interactions include tracking a global catalog server through the
following interactions, which are indicated by boxes:

• Active Directory installation of a new forest: Global catalog creation occurs during Active
Directory installation of the first domain controller in the forest.

• Net Logon registration: Resource records are registered in DNS to advertise the domain
controller as a global catalog server.

• Active Directory replication:

    • When a new domain controller (DC2) is created and an administrator designates it as a
    global catalog server, replication of the PAS from DC1 occurs.

    • DC1 in DomainA replicates changes for DomainA to DC2, and DC2 replicates updates to
    data for DomainB to DC1.

• DC location: The dotted lines enclose the processes whereby two clients locate a global catalog
server by querying DNS:

    • A through C: (A) ClientX sends a query to the global catalog, which prompts (B) a DNS
    query to locate the closest global catalog server, and then (C) the client contacts the returned
    global catalog server DC2 to resolve the query.

    • 1 through 5: (1) ClientY logs on to the domain, which prompts (2) a DNS query for the
    closest domain controllers. (3) ClientY contacts the returned domain controller DC3 for
    authentication. (4) DC3 queries DNS to find the closest global catalog server and then (5)
    contacts the returned global catalog server DC2 to retrieve the universal groups for the user.

Interactions with Other Windows Technologies


The global catalog solves the problem of how to locate domain data that is not stored on a domain
controller in the domain of the client that requires the information. By using different ports for standard
LDAP queries (port 389) and global catalog queries (port 3268), Active Directory effectively separates
forestwide queries that require a global catalog server from local, domainwide queries that can be serviced
by the domain controller in the user’s domain.

Related Information

• Active Directory Replication Topology Technical Reference

• DNS Support for Active Directory Technical Reference

• Active Directory Schema Technical Reference

Active Directory
From Wikipedia, the free encyclopedia


Typically Active Directory is managed using the graphical Microsoft Management
Console.

Active Directory (AD) is a technology created by Microsoft that provides a variety of
network services, including:

• LDAP-like[1][2] Directory services
• Kerberos based authentication
• DNS based naming and other network information

Using the same database, for use primarily in Windows environments, Active Directory
also allows administrators to assign policies, deploy software, and apply critical updates
to an organization. Active Directory stores information and settings in a central database.
Active Directory networks can vary from a small installation with a few hundred objects,
to a large installation with millions of objects.

Active Directory was previewed in 1996, released first with Windows 2000 Server
edition, and revised to extend functionality and improve administration in Windows
Server 2003. Additional improvements were made in both Windows Server 2003 R2 and
Windows Server 2008.

Active Directory was called NTDS (NT Directory Service) in older Microsoft
documents. This name can still be seen in some AD binaries.

There is a common misconception that Active Directory provides software distribution.
Software distribution is run by a separate service that uses additional proprietary schema
attributes that work in conjunction with the LDAP protocol. Active Directory does not
automate software distribution, but provides a mechanism by which other services can
provide software distribution.

Structure

Active Directory is a directory service used to store information about the network
resources across a domain and also centralize the network.

Objects

An 'Active Directory' (AD) structure is a hierarchical framework of objects. The objects
fall into three broad categories: resources (e.g., printers), services (e.g., email), and users
(user accounts and groups). The AD provides information on the objects, organizes the
objects, controls access and sets security.

Each object represents a single entity — whether a user, a computer, a printer, or a group —
and its attributes. Certain objects can also be containers of other objects. An object is
uniquely identified by its name and has a set of attributes — the characteristics and
information that the object can contain — defined by a schema, which also determines the
kind of objects that can be stored in the AD.

Each attribute object can be used in several different schema class objects. The schema
object exists to allow the schema to be extended or modified when necessary. However,
because each schema object is integral to the definition of AD objects, deactivating or
changing these objects can have serious consequences because it will fundamentally change
the structure of AD itself. A schema object, when altered, will automatically propagate
through Active Directory and once it is created it can only be deactivated — not deleted.
Changing the schema usually requires a fair amount of planning.[3]

Forests, trees, and domains

The AD framework that holds the objects can be viewed at a number of levels. At the top
of the structure is the forest. The forest is a collection of every object, its attributes, and
rules (attribute syntax) in the AD. The forest, tree, and domain are the logical parts in an
AD network.

The AD forest contains one or more transitive, trust-linked trees. A tree is a collection of
one or more domains and domain trees, again linked in a transitive trust hierarchy. Domains
are identified by their DNS name structure, the namespace.

The objects held within a domain can be grouped into containers called Organizational
Units (OUs). OUs give a domain a hierarchy, ease its administration, and can give a
semblance of the structure of the AD's company in organizational or geographical terms.
OUs can contain OUs - indeed, domains are containers in this sense - and can hold multiple
nested OUs. Microsoft recommends as few domains as possible in AD and a reliance on OUs
to produce structure and improve the implementation of policies and administration. The OU
is the common level at which to apply group policies, which are AD objects themselves
called Group Policy Objects (GPOs), although policies can also be applied to domains or
sites (see below). The OU is the level at which administrative powers are commonly
delegated, but granular delegation can be performed on individual objects or attributes as
well.

AD also supports the creation of Sites, which are physical, rather than logical, groupings
defined by one or more IP subnets. Sites distinguish between locations connected by
low-speed (e.g., WAN, VPN) and high-speed (e.g., LAN) connections. Sites are independent
of the domain and OU structure and are common across the entire forest. Sites are used to
control network traffic generated by replication and also to refer clients to the nearest
domain controllers. Exchange 2007 also uses the site topology for mail routing. Policies can
also be applied at the site level.

The actual division of the company's information infrastructure into a hierarchy of one or
more domains and top-level OUs is a key decision. Common models are by business unit, by
geographical location, by IT Service, or by object type. These models are also often used in
combination. OUs should be structured primarily to facilitate administrative delegation, and
secondarily, to facilitate group policy application. Although OUs form an administrative
boundary, the only true security boundary is the forest itself and an administrator of any
domain in the forest must be trusted across all domains in the forest.

Physically the Active Directory information is held on one or more equal peer domain
controllers (DCs), replacing the NT PDC/BDC model. Each DC has a copy of the AD;
changes on one computer being synchronized (converged) between all the DC computers by
multi-master replication. Servers joined in to AD, which are not domain controllers, are
called Member Servers. The AD database is split into different stores or partitions.
Microsoft often refers to these partitions as 'naming contexts'. The 'Schema' partition
contains the definition of object classes and attributes within the Forest. The
'Configuration' partition contains information on the physical structure and configuration
of the forest (such as the site topology). The 'Domain' partition holds all objects created in
that domain. The first two partitions replicate to all domain controllers in the Forest. The
Domain partition replicates only to Domain Controllers within its domain. A subset of
objects in the domain partition are also replicated to domain controllers that are configured
as global catalogs.

Unlike earlier versions of Windows which used NetBIOS to communicate, Active Directory
is fully integrated with DNS and TCP/IP — indeed DNS is required. To be fully functional,
the DNS server must support SRV resource records or service records.

AD replication is 'pull' rather than 'push'. The Knowledge
Consistency Checker (KCC) creates a replication topology of
site links using the defined sites to manage traffic. Intrasite
replication is frequent and automatic as a result of change
notification, which triggers peers to begin a pull replication
cycle. Intersite replication intervals are less frequent and do not
use change notification by default, although this is configurable
and can be made identical to intrasite replication. A different
'cost' can be given to each link (e.g., DS3, T1, ISDN etc.) and
the site link topology will be altered accordingly by the KCC.
Replication between domain controllers may occur transitively
through several site links on same-protocol site link bridges, if
the 'cost' is low, although KCC automatically costs a direct site-
to-site link lower than transitive connections. Site-to-site
replication can be configured to occur between a bridgehead
server in each site, which then replicates the changes to other
DCs within the site.

In a multi-domain forest the AD database becomes partitioned.
That is, each domain maintains a list of only those objects that
belong in that domain. So, for example, a user created in
Domain A would be listed only in Domain A's domain
controllers. Global catalog (GC) servers are used to provide a
global listing of all objects in the Forest. The Global catalog is
held on domain controllers configured as global catalog servers.
Global Catalog servers replicate to themselves all objects from
all domains and hence, provide a global listing of objects in the
forest. However, in order to minimize replication traffic and to
keep the GC's database small, only selected attributes of each
object are replicated. This is called the partial attribute set
(PAS). The PAS can be modified by modifying the schema and
marking attributes for replication to the GC.

Replication of Active Directory uses Remote Procedure Calls
(RPC over IP [RPC/IP]). Between Sites you can also choose to
use SMTP for replication, but only for changes in the Schema or
Configuration. SMTP cannot be used for replicating the Domain
partition. In other words, if a domain exists on both sides of a
WAN connection, you must use RPCs for replication.

The AD database, the directory store, in Windows 2000 uses the
JET Blue-based Extensible Storage Engine (ESE98), limited to
16 terabytes and 1 billion objects in each domain controller's
database. Microsoft has created NTDS databases with more than
2 billion objects.[citation needed] (NT4's Security Account Manager
could support no more than 40,000 objects). Called NTDS.DIT,
it has two main tables: the data table and the link table. In
Windows 2003 a third main table was added for security
descriptor single instancing.[4]

Active Directory is a necessary component for many Windows
services in an organization such as Exchange.

FSMO Roles

Flexible Single Master Operations (FSMO, sometimes
pronounced "fizz-mo") roles are also known as operations
master roles. Although the AD domain controllers operate in a
multi-master model, i.e. updates can occur in multiple places at
once, there are several roles that are necessarily single instance:

Role Name              Scope          Description

Schema Master          1 per forest   Controls updates to the schema, the collection of object and
                                      attribute definitions for everything stored in AD; schema
                                      changes are made on this DC and propagate from it to every
                                      other DC.

Domain Naming Master   1 per forest   Controls the addition and removal of domains from the
                                      forest; it resides in the forest root domain.

PDC Emulator           1 per domain   Provides backwards compatibility for NT4 clients for PDC
                                      operations (like password changes). The PDC emulator also
                                      runs domain-specific processes such as the Security
                                      Descriptor Propagator (SDPROP), and is the master time
                                      server within the domain.

RID Master             1 per domain   Allocates pools of unique identifiers to domain controllers
                                      for use when creating objects.

Infrastructure Master  1 per domain   Synchronizes cross-domain group membership changes. The
                                      infrastructure master cannot run on a global catalog server
                                      (unless all DCs are also GCs).

Naming
AD supports UNC (\), URL (/), and LDAP URL names for object access. AD internally
uses the LDAP version of the X.500 naming structure.

Every object has a Distinguished name (DN), so a printer object called HPLaser3 in the
OU Marketing and the domain foo.org, would have the DN:
CN=HPLaser3,OU=Marketing,DC=foo,DC=org where CN is common name and DC is
domain object class. DNs can have many more than four parts. The object can also have a
Canonical name, essentially the DN in reverse, without identifiers, and using slashes:
foo.org/Marketing/HPLaser3. To identify the object within its container the Relative
distinguished name (RDN) is used: CN=HPLaser3. Each object also has a Globally
Unique Identifier (GUID), a unique and unchanging 128-bit string which is used by AD
for search and replication. Certain objects also have a User principal name (UPN), an
objectname@domain name form.
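As an added example (not part of the original article), the Python below parses a DN of the form just shown into its RDNs and derives the canonical name, the RDN and a UPN from it. The escaping rule it applies (a backslash protects a comma inside a value) follows RFC 4514 and is an assumption of this example; the second DN, for a user in corp.example.com, is constructed sample data.

```python
def split_dn(dn):
    """Split a DN on unescaped commas, keeping escape sequences intact in each part."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: copy backslash and char
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def unescape(value):
    """Remove the backslashes that protect special characters inside a value (RFC 4514 style)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_dn(dn):
    """Return [(attribute type, value), ...] from the most specific (leftmost) part to the root."""
    rdns = []
    for part in split_dn(dn):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr.strip().upper(), unescape(value.strip())))
    return rdns


def relative_dn(dn):
    """The RDN identifies the object within its container: the leftmost component, as written."""
    return split_dn(dn)[0].strip()


def dns_domain(dn):
    """Join the DC components, in order, into the domain's DNS name."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC")


def canonical_name(dn):
    """DN in reverse, identifiers dropped, slashes as separators: domain/container.../object."""
    non_dc = [v for a, v in parse_dn(dn) if a != "DC"]
    return "/".join([dns_domain(dn)] + non_dc[::-1])


def user_principal_name(account, dn):
    """UPN in objectname@domain form, with the DNS domain taken from the DN (constructed account name)."""
    return "%s@%s" % (account, dns_domain(dn))


if __name__ == "__main__":
    printer = "CN=HPLaser3,OU=Marketing,DC=foo,DC=org"        # the article's example
    user = "CN=Smith\\, John,OU=Sales,OU=EMEA,DC=corp,DC=example,DC=com"  # constructed
    for dn in (printer, user):
        print(dn, "->", canonical_name(dn), "| RDN:", relative_dn(dn))
    print(user_principal_name("jsmith", user))
```

The escaping matters in practice: a naive `split(",")` would cut the user's DN in the middle of "Smith, John" and produce a bogus container path, so anything that maps DNs to paths or compares them should tokenize the way `split_dn` does.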

Trust
To allow users in one domain to access resources in another, AD uses trusts. Trusts inside
a forest are automatically created when domains are created. The forest sets the default
boundaries of trust, not the domain, and implicit, transitive trust is automatic for all
domains within a forest. As well as two-way transitive trust, AD trusts can be shortcut
(joins two domains in different trees, transitive, one- or two-way), forest (transitive, one-
or two-way), realm (transitive or nontransitive, one- or two-way), or external
(nontransitive, one- or two-way) in order to connect to other forests or non-AD domains.

Trusts in Windows 2000 (native mode)

• One-way trust - One domain allows access to users on another domain, but the
other domain does not allow access to users on the first domain.
• Two-way trust - Two domains allow access to users on the other domain.
• Trusting domain - The domain that allows access to users from a trusted domain.
• Trusted domain - The domain that is trusted; whose users have access to the
trusting domain.
• Transitive trust - A trust that can extend beyond two domains to other trusted
domains in the tree.
• Intransitive trust - A one way trust that does not extend beyond two domains.
• Explicit trust - A trust that an admin creates. It is not transitive and is one way
only.
• Cross-link trust - An explicit trust between domains in different trees or in the
same tree when a descendant/ancestor (child/parent) relationship does not exist
between the two domains.

Windows 2000 supports the following types of trusts:

• Two-way transitive trusts.
• One-way intransitive trusts.

Additional trusts can be created by administrators. These trusts can be:

• Shortcut

Windows 2003 offers a new trust type - the forest root trust. This type of trust can be
used to connect Windows 2003 forests if they are operating at the 2003 forest functional
level. Authentication across this type of trust is Kerberos based (as opposed to NTLM).
Forest trusts are also transitive for all the domains in the forests that are trusted.

ADAM/AD LDS

Active Directory Application Mode (ADAM) is a light-weight implementation of
Active Directory. ADAM is capable of running as a service, on computers running
Microsoft Windows Server 2003 or Windows XP Professional. ADAM shares the code
base with Active Directory and provides the same functionality as Active Directory,
including an identical API, but does not require the creation of domains or domain
controllers.

Like Active Directory, ADAM provides a Data Store, which is a hierarchical datastore
for storage of directory data, a Directory Service with an LDAP Directory Service
Interface. Unlike Active Directory, however, multiple ADAM instances can be run on the
same server, with each instance having its own and required by applications making use
of the ADAM directory service.

In Windows Server 2008, ADAM has been renamed AD LDS (Lightweight Directory
Services).

Integrating Unix into Active Directory

Varying levels of interoperability with Active Directory can be achieved on most Unix-
like operating systems through standards-compliant LDAP clients, but these systems
usually lack the automatic interpretation of many attributes associated with Windows
components such as Group Policy, and support for one-way trusts.

There are also third-party vendors who offer Active Directory integration for Unix
platforms (including UNIX, Linux, Mac OS X, and a number of Java- and UNIX-based
applications). Some of these vendors include Thursby Software Systems (ADmitMac),
Quest Software (Vintela Authentication Services), Centrify (DirectControl), and
Likewise Software (Likewise Open and Likewise Enterprise). Microsoft is also in this
market with their free Microsoft Windows Services for UNIX product.

The schema additions shipped with Windows Server 2003 release 2 include attributes that
map closely enough to RFC 2307 to be generally usable. The reference implementation
of RFC 2307, nss_ldap and pam_ldap provided by PADL.com, contains support for using
these attributes directly, provided they have been populated. The default Active Directory
schema for group membership complies with the proposed extension, RFC 2307bis.
RFC 2307bis specifies storing Unix group membership using LDAP member attributes as
opposed to the base RFC 2307, which specified storing group membership as a comma-
separated list of user IDs (as was done in the Unix group file). Windows 2003 R2 includes
an MMC snap-in that creates and edits the attributes.

An alternate option is to use another directory service such as Fedora Directory Server
(formerly Netscape Directory Server) or Sun Microsystems Sun Java System Directory
Server, which can perform a two-way synchronization with Active Directory and thus
provide a "deflected" integration with Active Directory as Unix and Linux clients will
authenticate to FDS and Windows Clients will authenticate to Active Directory. Another
option is to use OpenLDAP with its translucent overlay, which can extend entries in any
remote LDAP server with additional attributes stored in a local database. Clients pointed
at the local database will see entries containing both the remote and local attributes, while
the remote database remains completely untouched.

Samba 4, still in testing state as of August 8, 2008, plans to include an Active Directory
compatible server.

Domain Name System


The Domain Name System (DNS) is a hierarchical naming system for computers,
services, or any resource participating in the Internet. It associates various information
with domain names assigned to such participants. Most importantly, it translates humanly
meaningful domain names to the numerical (binary) identifiers associated with
networking equipment for the purpose of locating and addressing these devices world-
wide. An often used analogy to explain the Domain Name System is that it serves as the
"phone book" for the Internet by translating human-friendly computer hostnames into IP
addresses. For example, www.example.com translates to 208.77.188.166.

The Domain Name System makes it possible to assign domain names to groups of
Internet users in a meaningful way, independent of each user's physical location. Because
of this, World-Wide Web (WWW) hyperlinks and Internet contact information can
remain consistent and constant even if the current Internet routing arrangements change
or the participant uses a mobile device. Internet domain names are easier to remember
than IP addresses such as 208.77.188.166 (IPv4) or
2001:db8:1f70::999:de8:7648:6e8 (IPv6). People take advantage of this when they
recite meaningful URLs and e-mail addresses without having to know how the machine
will actually locate them.

The Domain Name System distributes the responsibility for assigning domain names and
mapping them to Internet Protocol (IP) networks by designating authoritative name
servers for each domain to keep track of their own changes, avoiding the need for a
central register to be continually consulted and updated.

In general, the Domain Name System also stores other types of information, such as the
list of mail servers that accept email for a given Internet domain. By providing a world-
wide, distributed keyword-based redirection service, the Domain Name System is an
essential component of the functionality of the Internet.

Other identifiers such as RFID tags, UPC codes, International characters in email
addresses and host names, and a variety of other identifiers could all potentially utilize
DNS [1].

The Domain Name System also defines the technical underpinnings of the functionality
of this database service. For this purpose it defines the DNS protocol, a detailed
specification of the data structures and communication exchanges used in DNS, as part of
the Internet Protocol Suite (TCP/IP). The context of the DNS within the Internet
protocols may be seen in the following diagram. The DNS protocol was developed and
defined in the early 1980s and published by the Internet Engineering Task Force (cf.
History).

The practice of using a name as a more human-legible abstraction of a machine's numerical
address on the network predates even TCP/IP. This practice dates back to the ARPAnet era.
Back then, a different system was used. The DNS was invented in 1983, shortly after TCP/IP
was deployed. With the older system, each computer on the network retrieved a file called
HOSTS.TXT from a computer at SRI (now SRI International).[2][3]

The HOSTS.TXT file mapped numerical addresses to names. A hosts file still exists on most
modern operating systems, either by default or through configuration, and allows users to
specify an IP address (e.g. 208.77.188.166) to use for a hostname (e.g. www.example.net)
without checking DNS. Systems based on a hosts file have inherent limitations, because of
the obvious requirement that every time a given computer's address changed, every computer
that seeks to communicate with it would need an update to its hosts file. The growth of
networking required a more scalable system that recorded a change in a host's address in
one place only. Other hosts would learn about the change dynamically through a notification
system, thus completing a globally accessible network of all hosts' names and their
associated IP addresses.

At the request of Jon Postel, Paul Mockapetris invented the Domain Name system in 1983 and
wrote the first implementation. The original specifications appear in RFC 882 and RFC 883.
In November 1987, the publication of RFC 1034 and RFC 1035 updated the DNS specification
and made RFC 882 and RFC 883 obsolete. Several more-recent RFCs have proposed various
extensions to the core DNS protocols.

In 1984, four Berkeley students Douglas Terry, Mark Painter, David Riggle and Songnian Zhou
wrote the first UNIX implementation, which was maintained by Ralph Campbell thereafter. In
1985, Kevin Dunlap of DEC significantly re-wrote the DNS implementation and renamed it
BIND (Berkeley Internet Name Domain). Mike Karels, Phil Almquist and Paul Vixie have
maintained BIND since then. BIND was ported to the Windows NT platform in the early 1990s.
BIND was widely distributed, especially on Unix systems, and is the dominant DNS software
in use on the Internet.[4]

With the heavy use and resulting scrutiny of its open-source code, as well as increasingly
more sophisticated attack methods, many security flaws were discovered in BIND. This
contributed to the development of a number of alternative name server and resolver
programs. BIND itself was re-written from scratch in version 9, which has a security record
comparable to other modern Internet software.

Structure

The domain name space

Domain names, arranged in a tree, cut into zones, each served by a name server.

The domain name space consists of a tree of domain names. Only one node or leaf in the tree
has zero or more resource records, which hold information associated with the domain name.
The tree sub-divides into zones beginning at the root zone. A DNS zone consists of a
collection of connected nodes authoritatively served by an authoritative name server. (Note
that a single name server can host several zones.)

Administrative responsibility over any zone may be divided, thereby creating additional
zones. Authority is said to be delegated for a portion of the old space, usually in the form
of sub-domains, to another name server and administrative entity. The old zone ceases to be
authoritative for the new zone.

Parts of a domain name

A domain name usually consists of two or more parts (technically labels), which are
conventionally written separated by dots, such as example.com.


Main article: Name server

See also: resolv.conf

(This description deliberately uses the fictional .example TLD in accordance with the DNS
guidelines.)

Main article: List of DNS record types

Field      Description                                         Length (octets)
NAME       Name of the node to which this record pertains.    (variable)
TYPE       Type of RR. For example, MX is type 15.            2
CLASS      Class code.                                        2
TTL        Signed time in seconds that RR stays valid.        4
RDLENGTH   Length of RDATA field.                             2
RDATA      Additional RR-specific data.                       (variable)

The type of the record indicates what the format of the data is, and gives a hint of its
intended use; for instance, the A record is used to translate from a domain name to an
IPv4 address, the NS record lists which name servers can answer lookups on a DNS zone,
and the MX record is used to translate from a name in the right-hand side of an e-mail
address to the name of a machine able to handle mail for that address.
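The following Python is an added example, not from the article, that encodes and parses resource records with exactly the fields of the table above (NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA), including RFC 1035 name compression. The message it parses is constructed here: an answer to the SRV query that the domain controller Locator issues for a global catalog server (see the Net Logon and Locator bullets in the global catalog section), using the standard _gc._tcp.<forest DNS name> service name that Net Logon registers, port 3268 from the article, and made-up hosts under example.com. It also shows why the 4-octet signed TTL tops out at about 68 years, as the Security issues section below notes.

```python
import struct

# Record TYPE and CLASS codes used below (RFC 1035 / RFC 2782).
TYPE_A, TYPE_SRV, CLASS_IN = 1, 33, 1
MAX_TTL = 2 ** 31 - 1  # largest value of the 4-octet signed TTL field


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero octet."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return bytes(out) + b"\x00"


def decode_name(msg, off, depth=0):
    """Decode the name at msg[off], following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name as it is written at off)."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-octet pointer to an earlier occurrence
            if off + 2 > len(msg):
                raise ValueError("truncated pointer")
            ptr = struct.unpack_from(">H", msg, off)[0] & 0x3FFF
            if ptr >= off or depth > 16:  # only backward pointers, bounded chains
                raise ValueError("bad compression pointer")
            suffix, _ = decode_name(msg, ptr, depth + 1)
            return ".".join(labels + [suffix]), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        if off + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_rr(msg, off):
    """Parse one RR: NAME, TYPE, CLASS, TTL, RDLENGTH, then type-specific RDATA."""
    name, off = decode_name(msg, off)
    if off + 10 > len(msg):
        raise ValueError("truncated RR fixed fields")
    rtype, rclass, ttl, rdlength = struct.unpack_from(">HHiH", msg, off)
    off += 10
    if off + rdlength > len(msg):
        raise ValueError("RDLENGTH runs past end of message")
    rr = {"name": name, "type": rtype, "class": rclass, "ttl": ttl}
    if rtype == TYPE_SRV:
        if rdlength < 7:
            raise ValueError("SRV RDATA too short")
        prio, weight, port = struct.unpack_from(">HHH", msg, off)
        target, _ = decode_name(msg, off + 6)
        rr.update(priority=prio, weight=weight, port=port, target=target)
    elif rtype == TYPE_A and rdlength == 4:
        rr["address"] = ".".join(str(b) for b in msg[off:off + 4])
    else:
        rr["rdata"] = msg[off:off + rdlength]
    return rr, off + rdlength


def parse_answers(msg):
    """Skip the 12-octet header and the question section, then parse every answer RR."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    qdcount, ancount = struct.unpack_from(">HH", msg, 4)
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        rr, off = parse_rr(msg, off)
        answers.append(rr)
    return answers


def build_gc_srv_response():
    """Constructed sample reply (not a capture) to the Locator's SRV query for a global
    catalog server: two records, each with NAME compressed to a pointer at the question."""
    records = [(0, 100, 3268, "dc2.example.com"), (10, 100, 3268, "dc3.example.com")]
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, len(records), 0, 0)  # id, flags, QD, AN, NS, AR
    question = encode_name("_gc._tcp.example.com") + struct.pack(">HH", TYPE_SRV, CLASS_IN)
    answers = b""
    for prio, weight, port, target in records:
        rdata = struct.pack(">HHH", prio, weight, port) + encode_name(target)
        answers += b"\xC0\x0C" + struct.pack(">HHiH", TYPE_SRV, CLASS_IN, 600, len(rdata)) + rdata
    return header + question + answers


def pick_srv_target(answers):
    """The SRV record a client tries first: lowest priority, then highest weight
    (a deterministic stand-in for the weighted random choice RFC 2782 specifies)."""
    srv = [rr for rr in answers if rr["type"] == TYPE_SRV]
    if not srv:
        return None
    best = min(srv, key=lambda rr: (rr["priority"], -rr["weight"]))
    return best["target"], best["port"]


def ttl_years(ttl):
    """TTL in seconds expressed in years, to see what the 31-bit maximum means."""
    return ttl / (365.25 * 24 * 3600)
```

Run as a script, `parse_answers(build_gc_srv_response())` yields both SRV records and `pick_srv_target` selects dc2.example.com:3268, which is the decision the Locator makes before contacting a global catalog server; the bounds checks in `decode_name` and `parse_rr` are what keep a malformed or truncated reply from being misread.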

Many more record types exist and can be found in the complete List of DNS record types.

Internationalized domain names

Main article: Internationalized domain name

While domain names technically have no restrictions on the characters they use and can
include non-ASCII characters, the same is not true for host names.[8] Host names are the
names most people see and use for things like e-mail and web browsing. Host names are
restricted to a small subset of the ASCII character set known as LDH, the Letters A–Z in
upper and lower case, Digits 0–9, Hyphen, and the dot to separate LDH-labels; see RFC
3696 section 2 for details. This prevented the representation of names and words of many
languages natively. ICANN has approved the Punycode-based IDNA system, which
maps Unicode strings into the valid DNS character set, as a workaround to this issue.
Some registries have adopted IDNA.

Security issues

DNS was not originally designed with security in mind, and thus has a number of security
issues.

One class of vulnerabilities is DNS cache poisoning, which tricks a DNS server into
believing it has received authentic information when, in reality, it has not.

DNS responses are traditionally not cryptographically signed, leading to many attack
possibilities; DNSSEC modifies DNS to add support for cryptographically signed
responses. There are various extensions to support securing zone transfer information as
well.

Even with encryption, a DNS server could become compromised by a virus (or for that
matter a disgruntled employee) that would cause IP addresses of that server to be
redirected to a malicious address with a long TTL. This could have far-reaching impact to
potentially millions of Internet users if busy DNS servers cache the bad IP data. This
would require manual purging of all affected DNS caches as required by the long TTL
(up to 68 years).

Some domain names can spoof other, similar-looking domain names. For example,
"paypal.com" and "paypa1.com" are different names, yet users may be unable to tell the
difference when the user's typeface (font) does not clearly differentiate the letter l and the
number 1. This problem is much more serious in systems that support internationalized
domain names, since many characters that are different, from the point of view of ISO
10646, appear identical on typical computer screens. This vulnerability is often exploited
in phishing.
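As an added example (not part of the article), the following Python checks host names against the LDH rule from RFC 3696 section 2 described above, maps a Unicode name to its IDNA form with Python's built-in idna codec, and flags registrable labels that visually imitate a protected name in the way the paypal.com/paypa1.com case illustrates. The confusable table and the protected-name list are constructed for this example.

```python
import re
import unicodedata
from typing import Optional, Sequence

# RFC 3696 section 2: a label is 1-63 LDH characters (letters, digits, hyphen),
# may not begin or end with a hyphen, and a full name has at most 253 characters
# before the optional trailing dot.
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Constructed, deliberately small lookalike table (an assumption for this
# example, not from the article): ASCII digits that resemble letters in many
# fonts, plus Cyrillic letters that are distinct ISO 10646 code points but
# render like their Latin counterparts on typical screens.
CONFUSABLES = {
    "1": "l", "0": "o",
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
}


def is_ldh_hostname(name: str) -> bool:
    """True if every label of `name` conforms to the LDH rule."""
    if name.endswith("."):
        name = name[:-1]
    if not name or len(name) > 253:
        return False
    return all(LDH_LABEL.match(label) for label in name.split("."))


def to_ace(name: str) -> str:
    """IDNA-encode a Unicode host name with Python's built-in 'idna' codec.

    Non-ASCII labels come back as Punycode 'xn--' labels; ASCII labels pass
    through unchanged, so the result is always representable in LDH.
    """
    return name.encode("idna").decode("ascii")


def second_level(name: str) -> str:
    """The label left of the TLD, i.e. the part a registrant chooses."""
    labels = name.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def skeleton(label: str) -> str:
    """Collapse visually confusable characters onto one canonical Latin form
    (after NFKC normalisation) so that lookalike labels compare equal."""
    label = unicodedata.normalize("NFKC", label.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def lookalike_of(name: str, protected: Sequence[str]) -> Optional[str]:
    """Return the protected name that `name` imitates, or None.

    Runs on the Unicode form the user actually sees, not on the ACE form,
    because the confusion happens at display time.
    """
    mine = second_level(name)
    for p in protected:
        theirs = second_level(p)
        if mine.lower() != theirs.lower() and skeleton(mine) == skeleton(theirs):
            return p
    return None


if __name__ == "__main__":
    protected = ["paypal.com"]  # constructed list of names worth protecting
    for candidate in ["paypal.com", "paypa1.com", "p\u0430ypal.com", "bücher.example"]:
        ace = to_ace(candidate)
        print(f"{candidate!r:22} ACE={ace!r:26} LDH={is_ldh_hostname(ace)} "
              f"lookalike_of={lookalike_of(candidate, protected)!r}")
```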

Techniques such as Forward Confirmed reverse DNS can also be used to help validate
DNS results.

Domain registration


The right to use a domain name is delegated by domain name registrars which are
accredited by the Internet Corporation for Assigned Names and Numbers (ICANN), the
organization charged with overseeing the name and number systems of the Internet. In
addition to ICANN, each top-level domain (TLD) is maintained and serviced technically
by a sponsoring organization, the TLD Registry. The registry is responsible for
maintaining the database of names registered within the TLDs they administer. The
registry receives registration information from each domain name registrar authorized to
assign names in the corresponding TLD and publishes the information using a special
service, the whois protocol.

Registrars usually charge an annual fee for the service of delegating a domain name to a
user and providing a default set of name servers. Often this transaction is termed a sale or
lease of the domain name, and the registrant is called an "owner", but no such legal
relationship is actually associated with the transaction, only the exclusive right to use the
domain name. More correctly, authorized users are known as "registrants" or as "domain
holders".

ICANN publishes a complete list of TLD registries and domain name registrars in the
world. One can obtain information about the registrant of a domain name by looking in
the WHOIS database held by many domain registries.

For most of the more than 240 country code top-level domains (ccTLDs), the domain
registries hold the authoritative WHOIS (Registrant, name servers, expiration dates, etc.).
For instance, DENIC, the German NIC, holds the authoritative WHOIS for a .DE domain
name. Since about 2001, most gTLD registries (.ORG, .BIZ, .INFO) have adopted this
so-called "thick" registry approach, i.e. keeping the authoritative WHOIS in the central
registries instead of the registrars.

For .COM and .NET domain names, a "thin" registry is used: the domain registry (e.g.
VeriSign) holds a basic WHOIS (registrar and name servers, etc.). One can find the
detailed WHOIS (registrant, name servers, expiry dates, etc.) at the registrars.

Some domain name registries, also called Network Information Centres (NIC), also
function as registrars, and deal directly with end users. But most of the main ones, such
as for .COM, .NET, .ORG, .INFO, etc., use a registry-registrar model. There are
hundreds of Domain Name Registrars that actually perform the domain name registration
with the end user (see lists at ICANN or VeriSign). By using this method of distribution,
the registry only has to manage the relationship with the registrar, and the registrar
maintains the relationship with the end users, or 'registrants', in some cases through
additional layers of resellers.

In the process of registering a domain name and maintaining authority over the new name
space created, registrars store and use several key pieces of information connected with a
domain:

• Administrative contact. A registrant usually designates an administrative contact
to manage the domain name. The administrative contact usually has the highest
level of control over a domain. Management functions delegated to the
administrative contacts may include management of all business information,
such as name of record, postal address, and contact information of the official
registrant of the domain and the obligation to conform to the requirements of the
domain registry in order to retain the right to use a domain name. Furthermore, the
administrative contact installs additional contact information for technical and
billing functions.
• Technical contact. The technical contact manages the name servers of a domain
name. The functions of a technical contact include assuring conformance of the
configurations of the domain name with the requirements of the domain registry,
maintaining the domain zone records, and providing continuous functionality of
the name servers (that leads to the accessibility of the domain name).
• Billing contact. The party responsible for receiving billing invoices from the
domain name registrar and paying applicable fees.
• Name servers. Domains usually need at least two authoritative name servers that
perform name resolution for the domain. If they are not automatically provided by
the registrar, the domain holder must specify domain names and IP addresses for
these servers.

Abuse and regulation


Critics often claim abuse of administrative power over domain names. Particularly
noteworthy was the VeriSign Site Finder system which redirected all unregistered .com
and .net domains to a VeriSign webpage. For example, at a public meeting with VeriSign
to air technical concerns about SiteFinder [9], numerous people, active in the IETF and
other technical bodies, explained how they were surprised by VeriSign's changing the
fundamental behavior of a major component of Internet infrastructure, not having
obtained the customary consensus. SiteFinder, at first, assumed every Internet query was
for a website, and it monetized queries for incorrect domain names, taking the user to
VeriSign's search site. Unfortunately, other applications, such as many implementations
of email, treat a lack of response to a domain name query as an indication that the domain
does not exist, and that the message can be treated as undeliverable. The original
VeriSign implementation broke this assumption for mail, because it would always resolve
an erroneous domain name to that of SiteFinder. While VeriSign later changed
SiteFinder's behaviour with regard to email, there was still widespread protest about
VeriSign's action being more in its financial interest than in the interest of the Internet
infrastructure component for which VeriSign was the steward.

Despite widespread criticism, VeriSign only reluctantly removed it after the Internet
Corporation for Assigned Names and Numbers (ICANN) threatened to revoke its
contract to administer the root name servers. ICANN published the extensive set of letters
exchanged, committee reports, and ICANN decisions [10].

There is also significant disquiet regarding the United States' political influence over
ICANN. This was a significant issue in the attempt to create a .xxx top-level domain and
sparked greater interest in alternative DNS roots that would be beyond the control of any
single country.[citation needed]

Additionally, there are numerous accusations of domain name "front running", whereby
registrars, when given whois queries, automatically register the domain name for
themselves. Recently, Network Solutions has been accused of this.[11]

Truth in Domain Names Act

Main article: Anticybersquatting Consumer Protection Act

In the United States, the "Truth in Domain Names Act" (actually the "Anticybersquatting
Consumer Protection Act"), in combination with the PROTECT Act, forbids the use of a
misleading domain name with the intention of attracting people into viewing a visual
depiction of sexually explicit conduct on the Internet.

Windows Server domain


A Windows Server domain is a logical group of computers running versions of the
Microsoft Windows operating system that share a central directory database. This central
database (known as Active Directory starting with Windows 2000[1], also referred to as
NT Directory Services on Windows NT Server operating systems, or NTDS) contains the
user accounts and security information for the resources in that domain. Each person who
uses computers within a domain receives his or her own unique account, or user name.
This account can then be assigned access to resources within the domain.

In a domain, the directory resides on computers that are configured as "domain
controllers." A domain controller is a server that manages all security-related aspects
between user and domain interactions, centralizing security and administration. A
Windows Server domain is normally more suitable for moderately larger businesses
and/or organizations.

Windows Workgroups are, by contrast, the other model for grouping computers running
Windows in a networking environment, and they ship with Windows. Workgroup
computers are considered to be 'standalone' - i.e. there is no formal membership or
authentication process formed by the workgroup. A workgroup does not have servers and
clients, and as such, it represents the Peer-to-Peer (or Client-to-Client) networking
paradigm, rather than the centralised architecture constituted by Server-Client.
Workgroups are considered difficult to manage beyond a dozen clients, and lack single
sign on, scalability, resilience/disaster recovery functionality, and many security features.
Windows Workgroups are more suitable for small or home-office networks.

A domain does not refer to a single location or specific type of network configuration.
The computers in a domain can share physical proximity on a small LAN or they can be
located in different parts of the world. As long as they can communicate, their physical
position is irrelevant.

Computers inside an Active Directory domain can be assigned into organizational units
according to location, organizational structure, or other factors. In the original Windows
Server Domain system (shipped with Windows NT 3.x/4) machines could only be viewed
in two states from the administration tools, 1) computers detected (on the network), and
2) computers that actually belonged to the domain. Active Directory makes it easier for
administrators to manage and deploy network changes and policies (see Group Policy) to
all of the machines connected to the domain.

Computers can connect to a domain easily via LAN, or via WAN using a VPN
connection. Users of a domain are able to use enhanced security for their VPN
connection due to the support for a certification authority which is gained when a domain
is added to a network, and as a result smart cards and digital certificates can be used to
confirm identities and protect stored information.

Router

Figures: Cisco 1800 Router; Nortel ERS 8600; Cisco 7600 Routers.

A router (pronounced /ˈraʊtər/ in the USA, /ˈruːtər/ in the UK and Ireland, or either
pronunciation in Australia and Canada) is a computer whose software
and hardware are usually tailored to the tasks of routing and forwarding information.
Routers generally contain a specialized operating system (e.g. Cisco's IOS, Juniper
Networks' JUNOS and JUNOSe, or Extreme Networks' XOS), RAM, NVRAM, flash
memory, and one or more processors, as well as two or more network interfaces. High-
end routers contain many processors and specialized Application-specific integrated
circuits (ASIC) and do a great deal of parallel processing. Chassis based systems like the
Nortel MERS-8600 or ERS-8600 routing switch, (pictured right) have multiple ASICs on
every module and allow for a wide variety of LAN, MAN, METRO, and WAN port
technologies or other connections that are customizable. Much simpler routers are used
where cost is important and the demand is low, for example in providing a home internet
service. With appropriate software (such as Untangle, SmoothWall, XORP or Quagga), a
standard PC can act as a router.

Routers connect two or more logical subnets, which do not necessarily map one-to-one to
the physical interfaces of the router.[1] The term layer 3 switch often is used
interchangeably with router, but switch is really a general term without a rigorous
technical definition. In marketing usage, it is generally optimized for Ethernet LAN
interfaces and may not have other physical interface types.

Routers operate in two different planes [2]:

• Control Plane, in which the router learns the outgoing interface that is most
appropriate for forwarding specific packets to specific destinations,
• Forwarding Plane, which is responsible for the actual process of sending a packet
received on a logical interface to an outbound logical interface.

History
A network bridge, operating at the Media Access Control (MAC) sublayer of the data link
layer, may interconnect a small number of devices in a home or office. This is a trivial case
of bridging, in which the bridge learns the MAC address of each connected device. Single
bridges also can provide extremely high performance in specialized applications such as
storage area networks.

The first version of H.323 was published by the ITU in November 1996[1] with an emphasis
on enabling videoconferencing capabilities over a Local Area Network (LAN), but was
quickly adopted by the industry as a means of transmitting voice communication over a
variety of IP networks, including WANs and the Internet (see VoIP).

Over the years, H.323 has been revised and re-published with enhancements necessary to
better enable both voice and video functionality over packet-switched networks, with each
version being backward-compatible with the previous version.[2] Recognizing that H.323
was being used for communication not only on LANs, but over WANs and within large
carrier networks, the title of H.323 was changed when published in 1998.[3] The title,
which has since remained unchanged, is "Packet-Based Multimedia Communications
Systems." The current version of H.323, commonly referred to as "H.323v6", was
published in 2006.[4]

One strength of H.323 was the relatively early availability of a set of standards, not only
defining the basic call model, but also the supplementary services needed to address
business communication expectations.[citation needed]

H.323 was the first VoIP standard to adopt the Internet Engineering Task Force (IETF)
standard Real-time Transport Protocol (RTP) to transport audio and video over IP
networks.[citation needed]

Protocols


H.323 is a system specification that describes the use of several ITU-T and IETF
protocols. The protocols that comprise the core of almost any H.323 system are:[5]


• H.
• H.
• H.
• Re
• M
• H.
• H.
• H.
• H.
• In

H.323 utilizes both ITU-defined codecs and codecs defined outside the ITU. Codecs that
are widely implemented by H.323 equipment include:

• A
• Te
• Vi
The H.323 system defines several network elements that work together in order to deliver
rich multimedia communication capabilities. Those elements are Terminals, Multipoint
Control Units (MCUs), Gateways, Gatekeepers, and Border Elements. Collectively,
terminals, multipoint control units and gateways are often referred to as endpoints.

While not all elements are required, at least two terminals are required in order to enable
communication between two people. In most H.323 deployments, a gatekeeper is
employed in order to, among other things, facilitate address resolution.

Figure 1: A complete, sophisticated protocol stack
Terminals in an H.323 network are the most fundamental elements in any H.323 system, as
those are the devices that users would normally encounter. They might exist in the form
• Passwords and file contents are sent in clear text, which can be intercepted by
eavesdroppers. There are protocol enhancements that remedy this, for instance by using
SSL, TLS or Kerberos.
• Multiple TCP/IP connections are used, one for the control connection, and one for
each download, upload, or directory listing. Firewalls may need additional logic
and/or configuration changes to account for these connections.
• It is hard to filter active mode FTP traffic on the client side by using a firewall,
since the client must open an arbitrary port in order to receive the connection.
This problem is largely resolved by using passive mode FTP.
• It is possible to abuse the protocol's built-in proxy features to tell a server to send
data to an arbitrary port of a third computer; see FXP.
• FTP is a high latency protocol due to the number of commands needed to initiate
a transfer.
• No integrity check on the receiver side. If a transfer is interrupted, the receiver has
no way to know if the received file is complete or not. Some servers support
undocumented extensions to calculate for example a file's MD5 sum (e.g. using
the SITE MD5 command), XCRC, XMD5, XSHA or CRC checksum, however
even then the client has to make explicit use of them. In the absence of such
extensions, integrity checks have to be managed externally.
• No date/timestamp attribute transfer. Uploaded files are given a new current
timestamp, unlike other file transfer protocols such as SFTP, which allow
attributes to be included. There is no way in the standard FTP protocol to set the
time-last-modified (or time-created) datestamp that most modern filesystems
preserve. There is a draft of a proposed extension that adds new commands for
this, but as of yet, most of the popular FTP servers do not support it.

Security problems


The original FTP specification is an inherently insecure method of transferring files
because there is no method specified for transferring data in an encrypted fashion. This
means that under most network configurations, user names, passwords, FTP commands
and transferred files can be "sniffed" or viewed by anyone on the same network using a
packet sniffer. This is a problem common to many Internet protocol specifications written
prior to the creation of SSL such as HTTP, SMTP and Telnet. The common solution to
this problem is to use either SFTP (SSH File Transfer Protocol), or FTPS (FTP over
SSL), which adds SSL or TLS encryption to FTP as specified in RFC 4217.

FTP return codes


Main article: List of FTP server return codes

FTP server return codes indicate their status by the digits within them. A brief
explanation of the various digits' meanings is given below:
• 1xx: Positive Preliminary reply. The action requested is being initiated but there
will be another reply before it begins.
• 2xx: Positive Completion reply. The action requested has been completed. The
client may now issue a new command.
• 3xx: Positive Intermediate reply. The command was successful, but a further
command is required before the server can act upon the request.
• 4xx: Transient Negative Completion reply. The command was not successful, but
the client is free to try the command again as the failure is only temporary.
• 5xx: Permanent Negative Completion reply. The command was not successful
and the client should not attempt to repeat it.
• x0x: The failure was due to a syntax error.
• x1x: This response is a reply to a request for information.
• x2x: This response is a reply relating to connection information.
• x3x: This response is a reply relating to accounting and authorization.
• x4x: Unspecified as yet
• x5x: These responses indicate the status of the Server file system vis-a-vis the
requested transfer or other file system action.

Anonymous FTP


A host which provides an FTP service may additionally provide Anonymous FTP access
as well. Under this arrangement, users do not strictly need an account on the host. Instead
the user typically enters 'anonymous' or 'ftp' when prompted for username. Although
users are commonly asked to send their email address as their password, little to no
verification is actually performed on the supplied data.

As modern FTP clients typically hide the anonymous login process from the user, the ftp
client will supply dummy data as the password (since the user's email address may not be
known to the application). For example, the following ftp user agents specify the listed
passwords for anonymous logins:

• Mozilla Firefox (2.0) — mozilla@example.com
• KDE Konqueror (3.5) — anonymous@
• wget (1.10.2) — -wget@
• lftp (3.4.4) — lftp@

The Gopher protocol has been suggested as an alternative to anonymous FTP, as well as
Trivial File Transfer Protocol and File Service Protocol.[citation needed]

Data format


While transferring data over the network, several data representations can be used. The
two most common transfer modes are:

1. ASCII mode
2. Binary mode: In "Binary mode", the sending machine sends each file byte for
byte and as such the recipient stores the bytestream as it receives it. (The FTP
standard calls this "IMAGE" or "I" mode)

In "ASCII mode", any form of data that is not plain text will be corrupted. When a file is
sent using an ASCII-type transfer, the individual letters, numbers, and characters are sent
using their ASCII character codes. The receiving machine saves these in a text file in the
appropriate format (for example, a Unix machine saves it in a Unix format, a Windows
machine saves it in a Windows format). Hence if an ASCII transfer is used it can be
assumed plain text is sent, which is stored by the receiving computer in its own format.
Translating between text formats might entail substituting the end of line and end of file
characters used on the source platform with those on the destination platform, e.g. a
Windows machine receiving a file from a Unix machine will replace the line feeds with
carriage return-line feed pairs. It might also involve translating characters; for example,
when transferring from an IBM mainframe to a system using ASCII, EBCDIC characters
used on the mainframe will be translated to their ASCII equivalents, and when
transferring from the system using ASCII to the mainframe, ASCII characters will be
translated to their EBCDIC equivalents.

By default, most FTP clients use ASCII mode. Some clients try to determine the required
transfer-mode by inspecting the file's name or contents, or by determining whether the
server is running an operating system with the same text file format.

The FTP specifications also list the following transfer modes:

1. EBCDIC mode - this transfers bytes, except they are encoded in EBCDIC rather
than ASCII. Thus, for example, the ASCII mode server
2. Local mode - this is designed for use with systems that are word-oriented rather
than byte-oriented. For example mode "L 36" can be used to transfer binary data
between two 36-bit machines. In L mode, the words are packed into bytes rather
than being padded. Given the predominance of byte-oriented hardware nowadays,
this mode is rarely used. However, some FTP servers accept "L 8" as being
equivalent to "I".

In practice, these additional transfer modes are rarely used. They are however still used
by some legacy mainframe systems.

The text (ASCII/EBCDIC) modes can also be qualified with the type of carriage control
used (e.g. TELNET NVT carriage control, ASA carriage control), although that is rarely
used nowadays.

Note that the terminology "mode" is technically incorrect, although commonly used by
FTP clients. "MODE" in RFC 959 refers to the format of the protocol data stream
(STREAM, BLOCK or COMPRESSED), as opposed to the format of the underlying file.
What is commonly called "mode" is actually the "TYPE", which specifies the format of
the file rather than the data stream. FTP also supports specification of the file structure
("STRU"), which can be either FILE (stream-oriented files), RECORD (record-oriented
files) or PAGE (special type designed for use with TENEX). PAGE STRU is not really
useful for non-TENEX systems, and RFC 1123 section 4.1.2.3 recommends that it not be
implemented.

FTP and web browsers


Most recent web browsers and file managers can connect to FTP servers, although they
may lack the support for protocol extensions such as FTPS. This allows manipulation of
remote files over FTP through an interface similar to that used for local files. This is done
via an FTP URL, which takes the form ftp(s)://<ftpserveraddress> (e.g.,
ftp://ftp.gimp.org/). A password can optionally be given in the URL, e.g.:
ftp(s)://<login>:<password>@<ftpserveraddress>:<port>. Most web browsers require
the use of passive mode FTP, which not all FTP servers are capable of handling. Some
browsers allow only the downloading of files, but offer no way to upload files to the
server.

FTP and NAT devices


The representation of IP addresses and ports in the PORT command and the PASV reply
poses another challenge for NAT devices handling FTP. The NAT device must rewrite these
values so that they contain the public IP of the NAT-ed client and a port chosen by the NAT
device for the data connection. The new IP and port will probably differ in length in their
decimal representation from the original IP and port. This means that when the NAT device
alters the values on the control connection, it must also adjust the TCP Sequence and
Acknowledgment fields of all subsequent packets to account for the change in length.

For example: A client with an IP of 192.168.0.1, starting an active mode transfer on port
1025, will send the string "PORT 192,168,0,1,4,1". A NAT device masquerading this
client with an IP of 192.168.15.5, with a chosen port of 2000 for the data connection, will
need to replace the above string with "PORT 192,168,15,5,7,208".

The new string is 23 characters long, compared to 20 characters in the original packet.
The NAT device must therefore decrease the Acknowledgment field in the server's reply to
this packet by 3 bytes so that the client correctly understands that its PORT command has
arrived at the server. If the NAT device is not capable of correcting the Sequence and
Acknowledgment fields, it will not be possible to use active mode FTP. Passive mode FTP
will work in this case, because the information about the IP and port for the data
connection is sent by the server, which does not need to be NATed. If NAT is performed
on the server side by the NAT device, the exact opposite happens: active mode will work,
but passive mode will fail.
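As an added example (not code from the article), the following Python encodes and parses the RFC 959 host-port form used by PORT and PASV, rewrites the article's "PORT 192,168,0,1,4,1" the way a NAT device would, and keeps the byte delta that the device must apply to later Sequence and Acknowledgment fields. The `PortFixup` class and the "AUTH TLS" pass-through case are constructed for this example.

```python
import re
from typing import Tuple

# RFC 959 encodes an address and port as six comma-separated decimal bytes:
# h1,h2,h3,h4 are the IPv4 octets, p1,p2 the high and low byte of the port.
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT " + _SIX + r"$")
PASV_RE = re.compile(r"^227 .*?\(" + _SIX + r"\)")


def encode_hostport(ip: str, port: int) -> str:
    """'192.168.0.1', 1025 -> '192,168,0,1,4,1' (port 1025 = 4*256 + 1)."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip!r}")
    if not 0 <= port <= 65535:
        raise ValueError(f"bad port: {port}")
    return ",".join(map(str, octets + [port >> 8, port & 0xFF]))


def _decode(groups) -> Tuple[str, int]:
    nums = [int(g) for g in groups]
    if not all(n <= 255 for n in nums):
        raise ValueError("byte out of range in FTP host-port")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def decode_port(line: str) -> Tuple[str, int]:
    """Parse a client PORT command; raises ValueError if it is not one."""
    m = PORT_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return _decode(m.groups())


def decode_pasv(line: str) -> Tuple[str, int]:
    """Parse the server's '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    m = PASV_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not a PASV reply: {line!r}")
    return _decode(m.groups())


class PortFixup:
    """Models the control-channel rewriting a NAT device performs for an
    active-mode client behind it, including the sequence/ack bookkeeping
    (constructed for this example)."""

    def __init__(self, public_ip: str, public_port: int):
        self.public_ip = public_ip
        self.public_port = public_port
        self.delta = 0  # bytes added to the client->server byte stream so far

    def client_to_server(self, line: str) -> str:
        """Rewrite a PORT line. Anything the NAT cannot parse as PORT (for
        instance an encrypted control channel after AUTH TLS) passes through
        untouched, which is why active mode fails behind such a device only
        when encryption is in use."""
        try:
            decode_port(line)
        except ValueError:
            return line
        new = "PORT " + encode_hostport(self.public_ip, self.public_port)
        self.delta += len(new) - len(line.rstrip("\r\n"))
        return new

    def fix_seq(self, client_seq: int) -> int:
        """Client->server sequence numbers of later segments grow by delta."""
        return (client_seq + self.delta) & 0xFFFFFFFF

    def fix_ack(self, server_ack: int) -> int:
        """Server->client acknowledgments shrink by delta so the client sees
        an ack covering exactly the bytes it actually sent."""
        return (server_ack - self.delta) & 0xFFFFFFFF


if __name__ == "__main__":
    nat = PortFixup("192.168.15.5", 2000)
    original = "PORT 192,168,0,1,4,1"          # client behind the NAT, port 1025
    rewritten = nat.client_to_server(original)  # 'PORT 192,168,15,5,7,208'
    print(original, "->", rewritten, "delta =", nat.delta)
```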

It should be noted that many NAT devices perform this protocol inspection and modify
the PORT command without being explicitly told to do so by the user. This can lead to
several problems. First of all, there is no guarantee that the used protocol really is FTP, or
it might use some extension not understood by the NAT device. One example would be
an SSL secured FTP connection. Due to the encryption, the NAT device will be unable to
modify the address. As a result, active mode transfers will fail only if encryption is used,
much to the confusion of the user.

The proper way to solve this is to tell the client which IP address and ports to use for
active mode. Furthermore, the NAT device has to be configured to forward the selected
range of ports to the client's machine.

See also Application-level gateway

FTP over SSH (not SFTP)


FTP over SSH (not SFTP) refers to the practice of tunneling a normal FTP session over
an SSH connection.

Because FTP uses multiple TCP connections (unusual for a TCP/IP protocol that is still
in use), it is particularly difficult to tunnel over SSH. With many SSH clients, attempting
to set up a tunnel for the control channel (the initial client-to-server connection on port
21) will protect only that channel; when data is transferred, the FTP software at either end
will set up new TCP connections (data channels) which will bypass the SSH connection,
and thus have no confidentiality, integrity protection, etc.

If the FTP client is configured to use passive mode and to connect to a SOCKS server
interface that many SSH clients can present for tunneling, it is possible to run all the FTP
channels over the SSH connection.

Otherwise, it is necessary for the SSH client software to have specific knowledge of the
FTP protocol, and monitor and rewrite FTP control channel messages and autonomously
open new forwardings for FTP data channels. Version 3 of SSH Communications
Security's software suite, and the GPL licensed FONC are two software packages that
support this mode.

FTP over SSH is sometimes referred to as secure FTP; this should not be confused with
other methods of securing FTP, such as with SSL/TLS (FTPS). Other methods of
transferring files using SSH that are not related to FTP include SFTP and SCP; in each of
these, the entire conversation (credentials and data) is always protected by the SSH
protocol.

Control Plane

Main article: Control Plane


Routers are like intersections whereas switches are like streets.

Control Plane processing leads to the construction of what is variously called a routing
table or routing information base (RIB). The RIB may be used by the Forwarding Plane
to look up the outbound interface for a given packet, or, depending on the router
implementation, the Control Plane may populate a separate Forwarding Information Base
(FIB) with destination information. RIBs are optimized for efficient updating with control
mechanisms such as routing protocols, while FIBs are optimized for the fastest possible
lookup of the information needed to select the outbound interface.

The Control Plane constructs the routing table from knowledge of the up/down status of
its local interfaces, from hard-coded static routes, and from exchanging routing protocol
information with other routers. It is not compulsory for a router to use routing protocols
to function, if for example it was configured solely with static routes. The routing table
stores the best routes to certain network destinations, the "routing metrics" associated
with those routes, and the path to the next hop router.

Routers do maintain state on the routes in the RIB/routing table, but this is quite distinct
from not maintaining state on individual packets that have been forwarded.

Forwarding Plane (a.k.a. Data Plane)


Main article: Forwarding Plane

For the pure Internet Protocol (IP) forwarding function, router design tries to minimize
the state information kept on individual packets. Once a packet is forwarded, the router
should no longer retain statistical information about it. It is the sending and receiving
endpoints that keep information about such things as errored or missing packets.

Forwarding decisions can involve decisions at layers other than the IP internetwork layer
or OSI layer 3. Again, the marketing term switch can be applied to devices that have
these capabilities. A function that forwards based on data link layer, or OSI layer 2,
information, is properly called a bridge. Marketing literature may call it a layer 2 switch,
but a switch has no precise definition.

Among the most important forwarding decisions is deciding what to do when congestion
occurs, i.e., packets arrive at the router at a rate higher than the router can process. Three
policies commonly used in the Internet are Tail drop, Random early detection, and
Weighted random early detection. Tail drop is the simplest and most easily implemented;
the router simply drops packets once the length of the queue exceeds the size of the
buffers in the router. Random early detection (RED) probabilistically drops datagrams
early when the queue exceeds a configured size. Weighted random early detection
requires a weighted average queue size to exceed the configured size, so that short bursts
will not trigger random drops.
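The three queue-management policies above, as an added Python example that is not part of the original article: the class names, the thresholds and the linear drop-probability ramp are assumptions chosen to model the text, and WRED is modelled exactly as the text describes it, i.e. the same thresholds applied to a weighted average queue length.

```python
import random
from collections import deque

class TailDropQueue:
    """Tail drop: accept arrivals until the buffer is full, then drop every new arrival."""
    def __init__(self, capacity: int):
        self.capacity, self.q, self.dropped = capacity, deque(), 0
    def should_drop_early(self) -> bool:
        return False                         # plain tail drop never drops early
    def enqueue(self, pkt) -> bool:
        if self.should_drop_early() or len(self.q) >= self.capacity:
            self.dropped += 1
            return False
        self.q.append(pkt)
        return True

class REDQueue(TailDropQueue):
    """RED: above min_thresh drop with a probability rising linearly to max_prob at
    max_thresh; at or beyond max_thresh drop every arrival (assumed linear ramp)."""
    def __init__(self, capacity, min_thresh, max_thresh, max_prob, rng=None):
        super().__init__(capacity)
        self.min_t, self.max_t, self.max_p = min_thresh, max_thresh, max_prob
        self.rng = rng or random.Random(0)   # seeded so runs are reproducible
    def queue_measure(self) -> float:
        return float(len(self.q))            # RED looks at the instantaneous length
    def should_drop_early(self) -> bool:
        m = self.queue_measure()
        if m >= self.max_t:
            return True
        if m > self.min_t:
            return self.rng.random() < self.max_p * (m - self.min_t) / (self.max_t - self.min_t)
        return False

class WREDQueue(REDQueue):
    """WRED as the text describes it: same thresholds, but applied to an exponentially
    weighted moving average of the queue length, so a short burst does not trigger drops."""
    def __init__(self, *args, weight: float = 0.02, **kwargs):
        super().__init__(*args, **kwargs)
        self.weight, self.avg = weight, 0.0
    def queue_measure(self) -> float:
        self.avg = (1 - self.weight) * self.avg + self.weight * len(self.q)
        return self.avg

def burst_drops(queue: TailDropQueue, n: int) -> int:
    """Offer n back-to-back constructed packets to an empty queue with no departures."""
    for i in range(n):
        queue.enqueue(f"pkt{i}")
    return queue.dropped
```

With a 20-packet burst into a 50-slot buffer, tail drop and WRED drop nothing, while RED with thresholds 5/10 drops at least the 10 packets that arrive once the instantaneous length reaches 10.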

Types of routers

Routers may provide connectivity inside enterprises, between enterprises and the Internet,
and inside Internet Service Providers (ISP). The largest routers (for example the Cisco
CRS-1 or Juniper T1600) interconnect ISPs, are used inside ISPs, or may be used in very
large enterprise networks. The smallest routers provide connectivity for small and home
offices.

[edit] Routers for Internet connectivity and internal use

Routers intended for ISP and major enterprise connectivity will almost invariably
exchange routing information with the Border Gateway Protocol. RFC 4098[3] defines
several types of BGP-speaking routers:

• Provider Edge Router: Placed at the edge of an ISP network, it speaks external
BGP (eBGP) to a BGP speaker in another provider or large enterprise
Autonomous System (AS).
• Subscriber Edge Router: Located at the edge of the subscriber's network, it speaks
eBGP to its provider's AS(s). It belongs to an end user (enterprise) organization.
• Inter-provider Border Router: Interconnecting ISPs, this is a BGP-speaking router
that maintains BGP sessions with other BGP-speaking routers in other providers'
ASes.
• Core router: A router that resides within the middle or backbone of the LAN
network rather than at its periphery.
  • Within an ISP: Internal to the provider's AS, such a router speaks internal
  BGP (iBGP) to that provider's edge routers, other intra-provider core routers, or
  the provider's inter-provider border routers.
  • "Internet backbone": The Internet does not have a clearly identifiable
  backbone, as did its predecessors. See default-free zone (DFZ). Nevertheless, it is
  the major ISPs' routers that make up what many would consider the core. These
  ISPs operate all four types of the BGP-speaking routers described here. In ISP
  usage, a "core" router is internal to an ISP, and used to interconnect its edge and
  border routers. Core routers may also have specialized functions in virtual private
  networks based on a combination of BGP and Multi-Protocol Label Switching
  (MPLS)[4].

Small Office Home Office (SOHO) connectivity

Main article: Residential gateway

Residential gateways (often called routers) are frequently used in homes to connect to a
broadband service, such as IP over cable or DSL. A home router may allow connectivity
to an enterprise via a secure Virtual Private Network.

While functionally similar to routers, residential gateways use port address translation in
addition to routing. Instead of connecting local computers to the remote network directly,
a residential gateway makes multiple local computers appear to be a single computer.

Enterprise Routers

All sizes of routers may be found inside enterprises. The most powerful routers tend to be
found in ISPs but academic and research facilities, as well as large businesses, may also
need large routers.

A three-layer model is in common use; not all three layers need be present in smaller
networks [5].

Access

Access routers, including SOHO, are located at customer sites such as branch offices that
do not need hierarchical routing of their own. Typically, they are optimized for low cost.

Distribution

Distribution routers aggregate traffic from multiple access routers, either at the same site,
or to collect the data streams from multiple sites to a major enterprise location.
Distribution routers often are responsible for enforcing quality of service across a WAN,
so they may have considerable memory, multiple WAN interfaces, and substantial
processing intelligence.

They may also provide connectivity to groups of servers or to external networks. In the
latter application, the router's functionality must be carefully considered as part of the
overall security architecture. Separate from the router may be a Firewall or VPN
concentrator, or the router may include these and other security functions.

When an enterprise is primarily on one campus, there may not be a distinct distribution
tier, other than perhaps off-campus access. In such cases, the access routers, connected to
LANs, interconnect via core routers.

Core

In enterprises, a core router may provide a "collapsed backbone" interconnecting the
distribution tier routers from multiple buildings of a campus, or large enterprise locations.
They tend to be optimized for high bandwidth.

When an enterprise is widely distributed with no central location(s), the function of core
routing may be subsumed by the WAN service to which the enterprise subscribes, and the
distribution routers become the highest tier.

History

[Figure: Leonard Kleinrock and the first IMP. Taken from
http://www.lk.cs.ucla.edu/personal_history.html]

[Figure: A Cisco ASM/2-32EM router deployed at CERN in 1987.]

The very first device that had fundamentally the same functionality as a router does
today, i.e. a packet switch, was the Interface Message Processor (IMP); IMPs were the
devices that made up the ARPANET, the first packet switching network. The idea for a
router (although they were called "gateways" at the time) initially came about through an
international group of computer networking researchers called the International Network
Working Group (INWG). Set up in 1972 as an informal group to consider the technical
issues involved in connecting different networks, later that year it became a
subcommittee of the International Federation for Information Processing. [6]

These devices were different from most previous packet switches in two ways. First, they
connected dissimilar kinds of networks, such as serial lines and local area networks.
Second, they were connectionless devices, which had no role in assuring that traffic was
delivered reliably, leaving that entirely to the hosts (although this particular idea had been
previously pioneered in the CYCLADES network).

The idea was explored in more detail, with the intention of producing a real prototype
system, as part of two contemporaneous programs. One was the initial DARPA-initiated
program, which created the TCP/IP architecture of today. [7] The other was a program at
Xerox PARC to explore new networking technologies, which produced the PARC Universal
Packet system, although due to corporate intellectual property concerns it received little
attention outside Xerox until years later. [8]

The earliest Xerox routers came into operation sometime after early 1974. The first true
IP router was developed by Virginia Strazisar at BBN, as part of that DARPA-initiated
effort, during 1975-1976. By the end of 1976, three PDP-11-based routers were in service
in the experimental prototype Internet. [9]

The first multiprotocol routers were independently created by staff researchers at MIT
and Stanford in 1981; the Stanford router was done by William Yeager, and the MIT one
by Noel Chiappa; both were also based on PDP-11s. [10] [11] [12] [13]

As virtually all networking now uses IP at the network layer, multiprotocol routers are
largely obsolete, although they were important in the early stages of the growth of
computer networking, when several protocols other than TCP/IP were in widespread use.
Routers that handle both IPv4 and IPv6 arguably are multiprotocol, but in a far less
variable sense than a router that processed AppleTalk, DECnet, IP, and Xerox protocols.

In the original era of routing (from the mid-1970s through the 1980s), general-purpose
mini-computers served as routers. Although general-purpose computers can perform
routing, modern high-speed routers are highly specialized computers, generally with extra
hardware added to accelerate both common routing functions such as packet forwarding
and specialised functions such as IPsec encryption.

Still, there is substantial use of Linux and Unix machines, running open source routing
code, for routing research and selected other applications. While Cisco's operating system
was independently designed, other major router operating systems, such as those from
Juniper Networks and Extreme Networks, are extensively modified but still have Unix
ancestry.

A network switch is a broad and imprecise marketing term for a computer networking
device that connects network segments.

The term commonly refers to a Network bridge that processes and routes data at the Data
link layer (layer 2) of the OSI model. Switches that additionally process data at the
Network layer (layer 3) (and above) are often referred to as Layer 3 switches or
Multilayer switches.

The term Network switch does not generally encompass unintelligent or passive network
devices such as hubs and repeaters.

Function

As with hubs, Ethernet implementations of network switches support ports conforming to
either the 10/100 Mbit/s or the 10/100/1000 Mbit/s Ethernet standards. Large switches
may have 10 Gbit/s ports. Switches differ from hubs in that they can have ports of
different speeds.

The network switch, packet switch (or just switch) plays an integral part in most
Ethernet local area networks or LANs. Mid-to-large sized LANs contain a number of
linked managed switches. Small office, home office (SOHO) applications typically use a
single switch, or an all-purpose converged device that provides gateway access to
broadband services, such as a DSL, cable, or Wi-Fi router. In most of these cases, the end
user device contains a router and components that interface to the particular physical
broadband technology, as in the Linksys 8-port and 48-port devices. User devices may
also include a telephone interface to VoIP.

In simple terms, in the context of a standard 10/100 Ethernet switch, a switch operates at
the data-link layer of the OSI model to create a separate collision domain per switch port.
This means that if you have 4 computers A/B/C/D on 4 switch ports, then A and B can
transfer data between them at the same time as C and D, and the two conversations will
never interfere with each other. That is the basic idea. In the case of a "hub", they would
all have to share the bandwidth, run in half-duplex, and there would be collisions and
retransmissions. Using a switch is called micro-segmentation: it gives every computer
dedicated bandwidth on a point-to-point connection, and therefore allows it to run in full
duplex with no collisions.

Role of switches in networks

Network switch is a marketing term rather than a technical one. Switches may operate at
one or more OSI layers, including physical, data link, network, or transport (i.e., end-to-
end). A device that operates simultaneously at more than one of these layers is called a
multilayer switch, although use of the term is diminishing.

In switches intended for commercial use, built-in or modular interfaces make it possible
to connect different types of networks, for example Ethernet, Fibre Channel, ATM, and
802.11. This connectivity can be at any of the layers mentioned. While Layer 2
functionality is adequate for speed-shifting within one technology, interconnecting
technologies such as Ethernet and token ring are easier at Layer 3.

Again, "switch" is principally a marketing term; interconnection of different Layer 3
networks is done by routers. If there are any features that characterize "Layer-3 switches"
as opposed to general-purpose routers, it tends to be that they are optimized, in larger
switches, for high-density Ethernet connectivity.

In some service provider and other environments where there is a need for much analysis
of network performance and security, switches may be connected between WAN routers
as places for analytic modules. Some vendors provide firewall,[2][3] network intrusion
detection,[4] and performance analysis modules that can plug into switch ports. Some of
these functions may be on combined modules.[5]

In other cases, the switch is used to create a "mirror" image of data that can go to an
external device. Since most switch port mirroring provides only one mirrored stream,
network hubs can be useful for fanning out data to several read-only analyzers, such as
intrusion detection systems and packet sniffers.

Layer-specific functionality

[Figure: A modular network switch with three network modules (a total of 24 Ethernet and 14
Fast Ethernet ports) and one power supply.]

While switches may learn about topologies at many layers, and forward at one or more
layers, they do tend to have common features. Other than for computer-room very high
performance applications, modern commercial switches use primarily Ethernet interfaces,
which can have different input and output speeds of 10, 100, 1000 or 10,000 megabits per
second. Switch ports almost always default to full-duplex operation, unless there is a
requirement for interoperability with devices that are strictly half duplex. Half-duplex
means that the device can only send or receive at any given time, whereas full-duplex can
send and receive at the same time.

At any layer, a modern switch may implement power over Ethernet (PoE), which avoids
the need for attached devices, such as an IP telephone or wireless access point, to have a
separate power supply. Since switches can have redundant power circuits connected to
uninterruptible power supplies, the connected device can continue operating even when
regular office power fails.

Layer-1 hubs versus higher-layer switches

A network hub, or repeater, is a fairly unsophisticated broadcast device, and rapidly
becoming obsolete. Hubs do not manage any of the traffic that comes through them. Any
packet entering a port is broadcast out or "repeated" on every other port, except for the
port of entry. Since every packet is repeated on every other port, packet collisions result,
which slows down the network.

Hubs have actually become hard to find, due to the widespread use of switches.
There are specialized applications where a hub can be useful, such as copying traffic to
multiple network sensors. High end switches have a feature which does the same thing,
called port mirroring. There is no longer any significant price difference between a hub
and a low-end switch.
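To make the hub-versus-switch contrast, the per-port collision domains described under "Function", and port mirroring concrete, here is an added Python model that is not code from the article: a hub repeats every frame on all other ports, a learning switch forwards only to the port where the destination was last seen (flooding unknown and broadcast destinations), and an optional mirror port receives a copy of every frame for a sensor. Port numbers, MAC labels and the helper names are constructed for this example.

```python
from itertools import combinations

class Hub:
    """Layer-1 repeater: a frame entering one port is repeated on every other port."""
    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, frame):
        return sorted(p for p in self.ports if p != in_port)

class LearningSwitch:
    """Layer-2 bridge: learns the port of each source MAC and forwards a frame only to
    its destination's port; unknown or broadcast destinations are flooded. An optional
    mirror port gets a copy of every frame (where an IDS sensor or sniffer would sit)."""
    def __init__(self, ports, mirror_port=None):
        self.ports, self.mirror, self.table = list(ports), mirror_port, {}

    def forward(self, in_port, frame):
        src, dst = frame["src"], frame["dst"]
        self.table[src] = in_port                    # learn where src is attached
        if dst in self.table:                        # known: one port, or filtered if local
            out = [] if self.table[dst] == in_port else [self.table[dst]]
        else:                                        # unknown/broadcast: flood data ports
            out = [p for p in self.ports if p not in (in_port, self.mirror)]
        if self.mirror is not None:
            out.append(self.mirror)                  # the sensor sees every frame
        return sorted(out)

def contended_ports(device, transfers):
    """Non-mirror output ports that two or more simultaneous transfers would both use.
    An empty set means they proceed in parallel (the switch's micro-segmentation)."""
    mirror = getattr(device, "mirror", None)
    outs = [set(device.forward(p, f)) - {mirror} for p, f in transfers]
    return set().union(*(a & b for a, b in combinations(outs, 2)))
```

Because most switches offer only one mirrored stream, the model has a single mirror port; fanning that stream out to several sensors is where the text says a hub is still useful.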

Layer 2
