STUDENT GUIDE
1. Safety Warning
Both lethal and dangerous voltages may be present within the products used herein. The user is strongly advised not to wear
conductive jewelry while working on the products. Always observe all safety precautions and do not work on the equipment
alone.
The equipment used during this course may be electrostatic sensitive. Please observe correct anti-static precautions.
2. Trade Marks
Alcatel-Lucent and MainStreet are trademarks of Alcatel-Lucent.
All other trademarks, service marks and logos (“Marks”) are the property of their respective holders, including Alcatel-Lucent.
Users are not permitted to use these Marks without the prior consent of Alcatel-Lucent or such third party owning the Mark. The
absence of a Mark identifier is not a representation that a particular product or service name is not a Mark.
Alcatel-Lucent assumes no responsibility for the accuracy of the information presented herein, which may be subject to change
without notice.
3. Copyright
This document contains information that is proprietary to Alcatel-Lucent and may be used for training purposes only. No other
use or transmission of all or any part of this document is permitted without Alcatel-Lucent’s written permission, and must
include all copyright and other proprietary notices. No other use or transmission of all or any part of its contents may be used,
copied, disclosed or conveyed to any party in any manner whatsoever without prior written permission from Alcatel-Lucent.
Use or transmission of all or any part of this document in violation of any applicable legislation is hereby expressly prohibited.
User obtains no rights in the information or in any product, process, technology or trademark which it includes or describes, and
is expressly prohibited from modifying the information or creating derivative works without the express written consent of
Alcatel-Lucent.
All rights reserved © Alcatel-Lucent 2008
Technology
IP for mobile networks
4. Disclaimer
In no event will Alcatel-Lucent be liable for any direct, indirect, special, incidental or consequential damages, including lost
profits, lost business or lost data, resulting from the use of or reliance upon the information, whether or not Alcatel-Lucent has
been advised of the possibility of such damages.
Mention of non-Alcatel-Lucent products or services is for information purposes only and constitutes neither an endorsement, nor
a recommendation.
This course is intended to train the student about the overall look, feel, and use of Alcatel-Lucent products. The information
contained herein is representational only. In the interest of file size, simplicity, and compatibility and, in some cases, due to
contractual limitations, certain compromises have been made and therefore some features are not entirely accurate.
Please refer to technical practices supplied by Alcatel-Lucent for current information concerning Alcatel-Lucent equipment and
its operation, or contact your nearest Alcatel-Lucent representative for more information.
The Alcatel-Lucent products described or used herein are presented for demonstration and training purposes only. Alcatel-
Lucent disclaims any warranties in connection with the products as used and described in the courses or the related
documentation, whether express, implied, or statutory. Alcatel-Lucent specifically disclaims all implied warranties, including
warranties of merchantability, non-infringement and fitness for a particular purpose, or arising from a course of dealing, usage
or trade practice.
Alcatel-Lucent is not responsible for any failures caused by: server errors, misdirected or redirected transmissions, failed
internet connections, interruptions, any computer virus or any other technical defect, whether human or technical in nature.
5. Governing Law
The products, documentation and information contained herein, as well as these Terms of Use and Legal Notices are governed by
the laws of France, excluding its conflict of law rules. If any provision of these Terms of Use and Legal Notices, or the
application thereof to any person or circumstances, is held invalid for any reason, unenforceable including, but not limited to,
the warranty disclaimers and liability limitations, then such provision shall be deemed superseded by a valid, enforceable
provision that matches, as closely as possible, the original provision, and the other provisions of these Terms of Use and Legal
Notices shall remain in full force and effect.
1. TCP/IP Basics
   1. Basic Concepts
2. Ethernet technology
   1. Bridges and Switches
   2. Virtual LANs
3. Point to Point transport
   1. PPP/ML-PPP
4. IP Layer
   1. IP addressing
   2. Routing principles
   3. Redundancy (HSRP/VRRP)
5. Transport Layer
   1. User Datagram Protocol (UDP)
   2. Transmission Control Protocol (TCP)
   3. SIGTRAN
6. Application Services
   1. Synchronization (NTP)
   2. FTP/SFTP
   3. Voice over IP (VoIP)
7. Quality of Service
   1. QoS problems
   2. Mechanisms of the QoS
8. MPLS overview
   1. Label switching
   2. Traffic engineering
   3. MPLS services
9. IPSEC Introduction
   1. Security association
   2. Tunnel setup
   3. IKE
Conventions used in this guide
Note: provides you with additional information about the topic being discussed. Although this information is not required knowledge, you might find it useful or interesting.
Technical Reference: (1) 24.348.98 – points you to the exact section of Alcatel-Lucent Technical Practices where you can find more information on the topic being discussed.
Warning: alerts you to instances where non-compliance could result in equipment damage or personal injury.
Section 1
TCP/IP Overview
Technology
IP for Mobile Networks
TTP18031 D0 SG DEN I1.0
Section 1 Page 1
Module Objectives
1.1 Basic Concepts
Network Categories
Figure: LAN, MAN, WAN.
Networks generally fall into three categories, depending on their size and geographical coverage:
Local Area Network (LAN): coverage is limited to a university campus, company premises, etc.
Metropolitan Area Network (MAN): coverage extends to a geographical area the size of a town. MANs provide high-speed links between several LANs in the same geographical area (less than one hundred kilometers).
Network Topologies
Figure: bus, star (with central equipment), ring.
An IT system is made up of computers connected to each other by communication links (network cables, etc.) and hardware devices (network boards and other equipment that enable data to circulate properly). The physical layout of the network (the spatial configuration) is known as the physical topology. Topologies generally fall into the following categories:
bus topology: in a bus topology, all the computers are connected to the same transmission link.
star topology: in a star topology, the computers in the network are connected to a central equipment system.
ring topology: in a network with ring topology, the computers are connected to each other in a ring and communicate in turn.
Connectionless Communication Mode
Figure: packets P1, P2, P3 sent to the same destination take different routes through a connectionless network.
In a connectionless network:
No connection is established: flows to the same destination can travel along different routes.
Connection-Oriented Communication Mode
Figure: packets P1, P2, P3 follow the single established path through a connection-oriented network; path establishment, data transfer, path release.
All Rights Reserved © Alcatel-Lucent 2009
TCP/IP Overview
Technology IP for Mobile Networks
In a connection-oriented network, a connection must be established when two devices wish to communicate.
The intermediate nodes must preserve the context of this connection.
Network Interconnection
Figure: LANs interconnected across a WAN by TCP/IP network interconnection.
Connecting networks can involve local business networks based on the following types of topology:
bus
ring
star
Connecting networks can also involve long-haul mesh networks such as:
ATM
Frame Relay
Public Switched Telephone Networks
The role of TCP/IP is therefore to provide universal communication services over diverse physical networks.
Communication Needs
Network interconnection also brings into play different operating systems, the main ones being:
DOS
Unix
Linux
These operating systems function on machines built by different equipment manufacturers.
Rules therefore had to be defined to enable dialog. These communication rules are known as protocols.
Additional software also had to be developed and integrated in the TCP/IP protocol stack to make it easier for
users wishing to:
transfer files,
exchange e-mails,
surf the internet,
perform many other tasks.
TCP/IP Model
OSI layer                        TCP/IP protocols
7 Application, 6 Presentation,   HTTP, TELNET, FTP, SMTP, DNS, TFTP, SNMP
5 Session
4 Transport                      TCP, UDP
3 Network                        IP, ICMP, ARP
2 Link                           IEEE 802.2 (LLC)/802.1 (Bridging); IEEE 802.3 (CSMA/CD), ATM, PPP/ML-PPP, HDLC...
1 Physical                       1000Base-SX, 1000Base-LX, 1000Base-CX, 100BaseT, 1000Base-T
When people refer to communication software, they generally mean the Open Systems Interconnection (OSI) architecture, which was developed by the International Standards Organization (ISO) between 1977 and 1984. The OSI model is broken down into 7 layers. Each layer plays a specific role: the physical layer is responsible for the transmission of bits over the transmission medium; the data link layer is responsible for the transmission of frames between devices that are interconnected physically; the network layer is responsible for routing packets within the network; the transport layer is responsible for end-to-end message transmission; the session layer is responsible for dialog synchronization; the presentation layer is responsible for data representation and format conversion; and the application layer is responsible for hosting network-oriented utilities and applications.
TCP/IP does not follow exactly the same pattern as OSI. The lower-level TCP/IP protocols do not fulfill the role defined by OSI for the physical and data link layers. At level 3, IP complies with the OSI model. You will discover other very important network-layer protocols such as ARP and ICMP. At level 4, two transport protocols are used: TCP and UDP. Finally, services are integrated in the three upper layers of the OSI model.
Here are a few examples: HTTP for surfing the internet; Telnet for remote control of a device; FTP for file transfer; SMTP for e-mail exchange; DNS for internet addressing; TFTP for file transfer; SNMP for network administration.
When people refer to TCP/IP layers or protocols, they are referring not only to these two protocols but to all the protocols in the stack, which includes TCP and IP.
The TCP/IP sources are available free of charge and were developed independently of any particular architecture, operating system, or proprietary structure. They can therefore be ported to any type of platform. They form an open system that is continually evolving and is therefore highly popular.
TCP/IP operates over a diverse range of media and technologies such as serial links, coaxial cables, optical fiber, radio links, ADSL, ATM networks, etc.
The addressing mode is shared by all TCP/IP users regardless of the platform they use. If the address is unique, communication can take place even if the hosts are on different sides of the world.
The higher protocols are standardized to allow for wide-ranging developments over all types of machines.
Standardization
Figure: ISOC; IAB (Internet Architecture Board); IETF (Internet Engineering Task Force), managed by the IESG (Internet Engineering Steering Group) and organized in Working Groups (WG); RFC editor (http://www.rfc-editor.org/rfcsearch.html); ICANN (Internet Corporation for Assigned Names and Numbers, www.icann.org).
TCP/IP Standardization
The organization responsible for standardization is the "Internet Society". It is made up of individual members
as well as organizations and industrial companies.
The Internet Society is headed by the IAB, which comprises twelve members elected for 2 years.
The IAB is supported by the IETF for studies into new standards and the IANA, which is mainly charged with
assigning official values to certain fields of various protocols and allocating Internet IP addresses.
The IETF is managed by the IESG.
The IETF is divided into Areas. Working Groups are set up within the Areas.
Each Area specializes in a particular Internet field:
one Area is responsible for applications.
another for the Internet.
another for routing.
another for security issues.
another for transport protocols.
the final Area for performance.
It should be noted that the IANA, which was originally formed under the auspices of the American
government, now answers to the ICANN, a non-governmental organization. The new organization has not
affected the responsibilities of the IANA, which continues performing the same functions.
The standards are issued in the form of Request For Comments (RFCs) and are free of charge and available
online.
Use of Layers in a TCP/IP Communication
When two users wish to communicate, one is the Client, because in the IP world the client is defined as the user requesting the service, while the other is the Server, because that user provides the service.
Here, the Server is capable of providing various services but the Client wishes to request one service only.
The transport layer is charged with targeting the required service. For this, each application is allocated an official number known as a "port number". (N.B. the IANA is responsible for allocating a port number to every new service.) The transport layer sends the datagram to the lower-layer IP. This IP packet must be sent to the remote server. For this, every machine connected to the IP network is assigned a logical address called an IP address. One of IP's jobs is to insert a header. The main fields in this header are the packet source and destination addresses. The packet is then sent to the data link layer, which encapsulates it in a frame with a header containing the physical source and destination addresses. Finally, the frame is transferred to the transmission medium.
All the machines connected to this transmission medium analyze the frame header but because only the
router interface recognizes its physical address it extracts the contents of the frame and transmits them to
the upper-layer IP. The router’s network layer analyzes the packet header, especially its destination IP
address. Its routing table indicates the outgoing interface and the next physically connected device the
packet must pass through to reach its final destination. The IP packet is transferred to the data link layer,
which encapsulates it in a frame. This time, the physical source address is the source router interface address
and the physical destination address is the address of the next router interface. Once again, only the router
recognizes its physical address in the frame transported by the transmission medium. It therefore extracts the
packet from the frame and sends its contents to its network layer. The network layer routes the packet to the
outgoing interface using its routing table.
Finally, the frame is transferred to the last link. The destination machine recognizes its physical address in
the header and sends the contents to its IP. The IP of the final destination machine recognizes its own IP
address in the destination IP field of the packet received. The contents of the packet are then sent to the
transport layer, which examines the header. Thanks to the destination port number contained in the layer-4
protocol header, the data is routed to the service chosen by the Client.
Answer the Questions
The OSI reference model is quite similar to TCP/IP, with one major exception. Where does the difference come from?
Layer 1
Layer 3
Answer the Questions [cont.]
What are the attributes of protocol layering that are used by TCP/IP?
End of Section
Section 2
Ethernet technology
Module Objectives
1. Ethernet principles
CSMA/CD mechanism
Figure: 4-port hub (multiport repeater) with RJ45 connectors; each port has a receive (R) and a transmit (T) pair, cable length < 100 m; the NIC's internal loopback is used for collision detection. Note: the hub does not forward the signal on the input port.
It should be noted that the Hub that receives signals on the receive pair of one of its ports routes these
signals to the transmission pairs of all the other ports, except the port that received the signals (ingress port).
To ensure collision detection, each 10/100Base-T network interface board (NIC) has internal loopback.
10/100Base-T: Link Status
Figure: station and hub exchanging on the T and R pairs; listening (free or busy), transmission, collision, link broken; Link Test Pulse (Normal Link Pulse) every 16.8 ms; Link LED on each side.
A machine that does not realize it has a faulty transceiver may start transmitting despite CSMA and cause
collisions. To prevent such a situation from arising, a signal is emitted (when the segment is inactive) to
validate the link. This signal is known as the "Link Test Pulse" or "Normal Link Pulse" and is a 5 MHz pulse
emitted every 16.8 ms.
In general, a LED is associated with the signal. If the "Link" LEDs on the two interconnected devices are on,
the segment is functioning correctly.
When there are no frames to transmit, each device emits a series of test signals (link test pulses),
interspersed with silences, over the transmit pair. The receive pair of the transceiver at the other end of the
link waits for this signal in order to check the integrity of the line or rather of its receive pair (pair 2).
10/100/1000Base-T: Cables
Figure: baseband twisted pair, UTP category 5 or STP category 5, RJ45 connector.
10Base-T: Hub Connection
Figure: cascaded 10Base-T hubs; each link is limited to 100 m, ≤ 500 m between two stations, ≤ 4 repeaters.
To increase the number of ports on a 10Base-T LAN, several Hubs can be cascaded. The distance between 2
Hubs is also limited to 100 meters.
The maximum distance between 2 stations is limited to 500m and there can be no more than 4 Hubs between
2 stations.
Fast Ethernet 100Base-T: Hub Connection
Figure: 100Base-T hubs; 100 m between a station and a hub, 20 m between hubs, ≤ 220 m between two stations, ≤ 2 repeaters.
Although the maximum distance between the stations and the Hub is still 100 meters, the maximum distance between Hubs has fallen to around 20 meters.
The number of Hubs between 2 stations must not exceed 2, which means that the maximum distance between 2 stations falls to 220 meters.
Logical Address and Physical Address
The Medium Access Control (MAC) is part of the data link layer and is responsible for transmitting blocks of
bits (i.e. frames) between devices that are connected to each other physically.
Before looking in detail at the format of a MAC frame, let’s consider the different addressing methods in
TCP/IP.
The logical address could be compared to people's names, and the physical address to telephone numbers.
When a person, let’s say Alice, wishes to communicate with Bob, her first thought is:
"I’m going to call Bob." However, when she actually makes the call, she will probably have to look in a phone
directory and dial Bob’s telephone number.
The principle is the same in TCP/IP. A station wishes to send a data packet to another station. It indicates the
logical IP address of the remote station. But, in practice, this IP packet will be transported in a frame using
physical addresses. Later on, you will see that the routing tables in TCP/IP are generated automatically by
means of the Address Resolution Protocol (ARP).
Unicast MAC Address
Figure: two stations with MAC addresses 00.35.d6.39.cb.0a and 00.6f.66.32.0b.08.
There are different types of MAC addresses. First of all, the unicast address: this type of address is assigned
to each Ethernet card and is globally unique.
It should be noted that a station with n interfaces will have n MAC addresses.
Unicast addressing is used when a frame needs to be sent to a single, specific station.
The frame placed on the transmission medium can be read by all the stations connected to the LAN.
All of the station interface cards decode the destination MAC address field.
But only the station whose address matches the destination MAC address interrupts its processor to deliver it the contents of the frame. The other stations ignore the frame.
Broadcast MAC Address
Figure: stations 00.35.d6.39.cb.0a and 00.6f.66.32.0b.08; frame sent to Dest: ff.ff.ff.ff.ff.ff.
This time, a station wishes to send data to all the stations connected to the LAN. Rather than sending n
frames in unicast mode, the transmit station (egress station) uses broadcast addressing. This means that the
destination MAC address field contains only 1s.
Multicast MAC Address
Figure: stations 00.35.d6.39.cb.0a and 00.6f.66.32.0b.08; frame sent to the multicast address 01.00.5e.00.00.09.
Certain stations can join a group and receive a second address, known as a multicast address, that is shared
by all stations in the group.
A station wishing to send a frame solely to the stations in the group puts the multicast address in the
destination address field of the frame.
All interfaces connected to the link decode the frame but only stations with the multicast address interrupt
their processors to deliver them the frame data.
MAC Address - Details
U/L bit: 0 = Universal (unique address); 1 = Local (local meaning).
I/G bit: 0 = Individual (or Unicast), associated with only one equipment; 1 = Group (or Multicast), associated with a group of equipment.
Examples of the first three bytes, managed by the manufacturer: CISCO: 00.10.7B.xx.xx.xx; ALU: 00.80.9F.xx.xx.xx.
Some people may wonder whether, with the explosion of Internet, 48 bits is enough to cover current, and
indeed future, requirements.
In fact, 48 bits is well over enough since it offers a capacity of around 281 thousand billion combinations.
Even if the first 2 bits have special functions, there is still enough capacity to provide every man, woman and
child on the planet 12,000 Ethernet cards.
Let’s look at it from another angle: if industry produced 100 million interface cards a day, every day of the
year (i.e. 500 times more than is currently produced), it would take 2,000 years to use up the address space
available.
Ethernet frame format
Ethernet frame, 64 ≤ length ≤ 1518 bytes (from MAC @ dest. to FCS):
Field         Bytes        Role
Preamble      7            7 x 'AA', synchronization
SFD           1            Start Frame Delimiter, 10101011
MAC @ dest.   6            destination MAC address
MAC @ src.    6            source MAC address
Ethertype     2            indicates the higher-level protocol; value > 5DCH (1500D). Examples: IP 0800H, ARP 0806H, IPv6 86DDH
Data          46 to 1500   Maximum Transmission Unit (MTU) 1500; minimum size 46 (padding if needed)
FCS           4            Frame Check Sequence
IP: Internet Protocol; ARP: Address Resolution Protocol; FCS: Frame Check Sequence; MTU: Maximum Transmission Unit.
Other Ethernet frame formats
Eth II frame: MAC@ dest. (6) | MAC@ src. (6) | Ethertype 0800 (2) | Data ≤ 1500 | Padding | FCS
802.3 frame:  MAC@ dest. (6) | MAC@ src. (6) | Length (2) | LLC: DSAP (1), SSAP (1), Control (1) | Data ≤ 1497 | Padding | FCS
              with SNAP inside the LLC data: O.U.I. 00.00.00 (3) | PID 0800 (2) | IP packet ≤ 1492
In Ethernet II, an IP packet is directly encapsulated in the MAC frame. The maximum packet length is 1500 bytes. Encapsulation is described in RFC 894.
In 1983, IEEE decided to standardize this protocol. In IEEE, the packet first goes through the Subnetwork Access Protocol (SNAP) where 5 bytes are added. The main one is the Protocol Identification (PID) field, which indicates the encapsulated protocol.
Next, it goes through a Logical Link Control (LLC) header where:
the DSAP and SSAP fields contain the value "AA", which indicates that LLC encapsulates SNAP,
the Control field contains the value "03", which signifies "Unnumbered Information".
And finally, IEEE 802.3 formats the frame. The format of the IEEE 802.3 frames for Ethernet is identical to the Ethernet II format except for one field: the Ethertype field from Ethernet II has been replaced by a payload length field, which necessarily takes a value less than or equal to 1500 in decimal or 5DC in hexadecimal. Encapsulation is described in RFC 1042.
N.B. When using SNAP encapsulation, the maximum size for IP packets is 1492 bytes.
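The two frame formats above, parsed in Python as an added example that is not part of the course material: the Type/Length test at 5DCH decides between Ethernet II and 802.3, the LLC values AA AA 03 announce SNAP, and the I/G and U/L bits from the "MAC Address - Details" slide are decoded for each address. The station addresses and the stub packets are constructed sample values.

```python
"""Decode Ethernet II and IEEE 802.3/LLC/SNAP frames, plus the I/G and U/L bits
of MAC addresses. Added example; the frames and addresses are constructed.
Preamble, SFD and FCS are left out: the NIC strips them before software sees
the frame."""
import struct

BROADCAST = bytes([0xFF] * 6)
ETHERTYPES = {0x0800: "IP", 0x0806: "ARP", 0x86DD: "IPv6"}
MAX_LENGTH = 0x05DC   # 1500: a Type/Length value above this is an Ethertype
MIN_PAYLOAD = 46      # shorter payloads are padded so the frame reaches 64 bytes


def classify_mac(mac: bytes) -> dict:
    """Decode the address type from the two low-order bits of the first byte."""
    if len(mac) != 6:
        raise ValueError("a MAC address is 6 bytes")
    group = bool(mac[0] & 0x01)   # I/G bit: 0 individual (unicast), 1 group
    local = bool(mac[0] & 0x02)   # U/L bit: 0 universal (unique), 1 local
    if mac == BROADCAST:
        kind = "broadcast"        # all 48 bits set: every station is addressed
    elif group:
        kind = "multicast"
    else:
        kind = "unicast"
    return {"kind": kind, "local": local, "oui": mac[:3].hex(".")}


def parse_frame(frame: bytes) -> dict:
    """Return the decoded header of a frame given without preamble, SFD or FCS."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte MAC header")
    dst, src, type_or_len = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": classify_mac(dst), "src": classify_mac(src), "ethertype": None}
    if type_or_len > MAX_LENGTH:
        # Ethernet II (RFC 894): the field is an Ethertype and the packet follows
        # directly; with no length field, any padding stays in the payload.
        info["format"] = "Ethernet II"
        info["ethertype"] = type_or_len
        info["payload"] = frame[14:]
    else:
        # IEEE 802.3: the field is the payload length (<= 5DCH) and an LLC
        # header (DSAP, SSAP, Control) follows the MAC header.
        end = 14 + type_or_len
        if len(frame) < max(end, 17):
            raise ValueError("802.3 frame truncated")
        dsap, ssap, control = frame[14:17]
        if (dsap, ssap, control) == (0xAA, 0xAA, 0x03):
            # "Unnumbered Information, SNAP follows": 3-byte OUI then a 2-byte
            # PID that carries the Ethertype (RFC 1042).
            info["format"] = "802.3/LLC/SNAP"
            info["oui"] = frame[17:20].hex(".")
            info["ethertype"] = struct.unpack("!H", frame[20:22])[0]
            info["payload"] = frame[22:end]
        else:
            info["format"] = "802.3/LLC"
            info["payload"] = frame[17:end]
    info["protocol"] = ETHERTYPES.get(info["ethertype"], "unknown")
    return info


def pad(body: bytes) -> bytes:
    """Pad the MAC payload up to the 46-byte minimum."""
    return body + bytes(max(0, MIN_PAYLOAD - len(body)))


def build_ethernet_ii(dst: bytes, src: bytes, ethertype: int, packet: bytes) -> bytes:
    return struct.pack("!6s6sH", dst, src, ethertype) + pad(packet)


def build_snap(dst: bytes, src: bytes, ethertype: int, packet: bytes) -> bytes:
    """802.3 frame whose payload is LLC (AA AA 03) + SNAP (OUI 00.00.00, PID)."""
    body = bytes([0xAA, 0xAA, 0x03]) + bytes(3) + struct.pack("!H", ethertype) + packet
    return struct.pack("!6s6sH", dst, src, len(body)) + pad(body)


# Constructed samples: the two stations of the slides, the multicast group
# 01.00.5e.00.00.09, and stub packets standing in for IP and ARP.
STATION_A = bytes.fromhex("0035d639cb0a")
STATION_B = bytes.fromhex("006f66320b08")
GROUP = bytes.fromhex("01005e000009")
IP_STUB = bytes.fromhex("45000014") + bytes(16)   # 20 bytes, like an IPv4 header
ARP_STUB = b"constructed-arp-body"

FRAME_ETH2 = build_ethernet_ii(STATION_B, STATION_A, 0x0800, IP_STUB)
FRAME_SNAP = build_snap(GROUP, STATION_A, 0x0806, ARP_STUB)
FRAME_BCAST = build_ethernet_ii(BROADCAST, STATION_B, 0x0806, ARP_STUB)

if __name__ == "__main__":
    for frame in (FRAME_ETH2, FRAME_SNAP, FRAME_BCAST):
        p = parse_frame(frame)
        print(p["format"], p["protocol"], p["dst"]["kind"], len(p["payload"]))
```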
Answer the Questions
802.2 Ethernet
IP Network Address
2. Bridges and Switches
Repeaters
Figure: a repeater joining two segments (media adaptation, signal amplification).
You saw earlier that the length of Ethernet segments is limited and that to extend a LAN, repeaters are
needed to regenerate the signals.
Certain repeaters can also work as adapters enabling transfer from 10Base2 to 10Base5 or 10Base-T.
Repeaters are just signal amplifier devices. They are not intelligent devices.
So, when a station transmits a frame to another station located on the same segment, the repeater
propagates the signals over the other segments. This means that any station located on another segment is
prevented from accessing the transmission medium until the operation is complete.
Lining stations up on the same LAN is the first simple, low-cost step for a local area network. The downside
with this type of architecture is that the number of collisions increases rapidly as traffic increases, which
means a significant reduction in the speed at which data is exchanged.
It would be useful to have devices capable of filtering. An initial solution could be the use of bridges.
Bridges - Frame Forwarding
Figure: a bridge with ports eth0 (LAN 1: stations a, b, c) and eth1 (LAN 2: stations d, e, f). The frame c→a stays on LAN 1; the frame c→f is forwarded to eth1. Filtering table (MAC@ → port): a eth0, b eth0, c eth0, d eth1, e eth1, f eth1.
The filtering configuration can be defined manually by storing in the bridge memory the MAC addresses of the stations associated with each of its ports.
When a frame is moving along a segment, the bridge analyzes the destination MAC address. If the address is
on the same port as the one that detected the frame, the bridge blocks the frame.
If this is not the case, the bridge propagates the frame to the port that corresponds to the destination MAC
address.
It should be noted that bridges do not filter broadcasts and multicasts.
Self-Learning Bridge
Figure: a bridge with ports 1 and 2 learns from the source address of a's frames that station a is reached through port 2; a frame for the still-unknown station b is sent to the other port; once b answers through port 1, the table reads "a 2, b 1" and frames between a and b are filtered or forwarded accordingly. With a loop in the network, the same address is seen on both ports (MAC@ a: port 2/1).
As you have seen, the "Self-Learning Bridge" mechanism has its limits: it can only function if there are no
loops in the network.
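The filtering rules of the previous slide and the self-learning mechanism above, simulated in Python as an added example that is not part of the course material: the bridge learns source addresses per port, filters frames whose destination is behind the ingress port, floods unknown destinations, never filters broadcast or multicast, and a two-bridge loop shows the address flapping that defeats the table. Port names, station addresses and the topology are constructed.

```python
"""Simulate a self-learning bridge: learn the port of each source address, filter
frames whose destination is on the ingress port, flood unknown unicast
destinations, and never filter broadcast or multicast (I/G bit set) addresses.
The last function shows why the mechanism only works without loops.

Added example, not part of the course material. Port names, station MAC
addresses and the two-bridge topology are constructed sample values."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
STATION_A = "00:35:d6:39:cb:0a"
STATION_B = "00:6f:66:32:0b:08"
STATION_C = "00:80:9f:00:00:01"


def is_group(mac: str) -> bool:
    """I/G bit of the first byte: 1 for multicast and broadcast."""
    return bool(int(mac.split(":")[0], 16) & 0x01)


@dataclass
class Bridge:
    ports: tuple
    table: dict = field(default_factory=dict)   # MAC address -> port learned
    moves: list = field(default_factory=list)   # (mac, old port, new port)

    def receive(self, ingress: str, src: str, dst: str) -> list:
        """Process one frame; return the egress ports (empty list = filtered)."""
        if ingress not in self.ports:
            raise ValueError(f"unknown port {ingress}")
        # Learning: the source address lives behind the port it arrived on.
        old = self.table.get(src)
        if old is not None and old != ingress:
            self.moves.append((src, old, ingress))   # address "moved": loop or relocation
        self.table[src] = ingress
        # Forwarding decision on the destination address.
        if is_group(dst):
            return self._flood(ingress)     # broadcast/multicast is never filtered
        port = self.table.get(dst)
        if port is None:
            return self._flood(ingress)     # unknown destination: send everywhere else
        if port == ingress:
            return []                       # same segment as the sender: filter
        return [port]

    def _flood(self, ingress: str) -> list:
        return [p for p in self.ports if p != ingress]


def two_station_exchange() -> tuple:
    """A (port 2) talks to B (port 1); C shares port 2 with A."""
    br = Bridge(ports=("1", "2", "3"))
    first = br.receive("2", STATION_A, STATION_B)     # B unknown: flooded to 1 and 3
    reply = br.receive("1", STATION_B, STATION_A)     # A known: forwarded to 2 only
    second = br.receive("2", STATION_A, STATION_B)    # B known now: forwarded to 1 only
    local = br.receive("2", STATION_C, STATION_A)     # C and A behind port 2: filtered
    bcast = br.receive("1", STATION_B, BROADCAST)     # flooded despite the full table
    return first, reply, second, local, bcast, dict(br.table)


def loop_symptom(max_hops: int = 12) -> tuple:
    """Two bridges joined by two parallel links. A single broadcast keeps circling
    and each bridge sees the source address alternate between its two link ports."""
    bridges = {"left": Bridge(("L1", "L2", "host")),
               "right": Bridge(("R1", "R2", "host"))}
    link = {("left", "L1"): ("right", "R1"), ("left", "L2"): ("right", "R2"),
            ("right", "R1"): ("left", "L1"), ("right", "R2"): ("left", "L2")}
    queue = [("left", "host", STATION_A, BROADCAST)]
    hops = 0
    while queue and hops < max_hops:
        name, ingress, src, dst = queue.pop(0)
        for out in bridges[name].receive(ingress, src, dst):
            if (name, out) in link:             # copies delivered to hosts leave the loop
                queue.append(link[(name, out)] + (src, dst))
        hops += 1
    moves = len(bridges["left"].moves) + len(bridges["right"].moves)
    return moves, bool(queue)                   # still circulating after max_hops


if __name__ == "__main__":
    print(two_station_exchange())
    print(loop_symptom())
```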
Spanning Tree Protocol
Figure: bridged network containing loops; link costs 234, 109, 175, 447, 562, 114, 447.
To overcome this problem but still maintain the automatic mechanism, a special protocol known as the
Spanning Tree Protocol (STP) is implemented in the bridges.
This relatively complex protocol uses Bridge Protocol Data Unit (BPDU) messages to establish specific dialog
between the bridges.
The bridges represent the network topology in the form of a tree. They select a bridge to be the root bridge
and then draw in the connections to form a tree structure. The nodes represent the bridges and the leaves on
the tree are the stations.
The bridges detect loops and remove them. This means there is only one path for getting from one station to
another station, as with a tree for getting from one leaf to another.
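The outcome of the root election and loop removal described above, computed in Python as an added example that is not part of the course material: it models the result (lowest bridge ID becomes root, every bridge keeps its least-cost path, the other links are blocked) rather than the BPDU exchange, on a constructed topology that reuses the figure's link costs.

```python
"""Compute the loop-free tree that the Spanning Tree Protocol converges to:
the lowest bridge ID becomes the root, every other bridge keeps only its
least-cost path towards the root, and the remaining links are blocked.

Added example, not part of the course material. It models the outcome of the
election rather than the BPDU exchange; the topology is constructed, reusing
the link costs shown in the figure."""
import heapq

# Constructed topology: (bridge ID, bridge ID, path cost of the link).
LINKS = [(1, 2, 109), (1, 3, 234), (2, 3, 175), (2, 4, 447),
         (3, 4, 114), (3, 5, 562), (4, 5, 447)]


def spanning_tree(links):
    """Return (root, cost-to-root per bridge, parent per bridge, blocked links)."""
    bridges = sorted({b for link in links for b in link[:2]})
    root = bridges[0]                       # election: lowest bridge ID wins
    adj = {b: [] for b in bridges}
    for a, b, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    # Dijkstra from the root; on equal cost prefer the lower upstream bridge ID,
    # mirroring the bridge-ID tie-break of STP, so the result is deterministic.
    dist = {root: 0}
    parent = {}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue                        # stale heap entry
        for v, c in adj[u]:
            if v == root:
                continue
            nd = d + c
            if v not in dist or nd < dist[v] or (nd == dist[v] and u < parent[v]):
                dist[v] = nd
                parent[v] = u
                heapq.heappush(heap, (nd, v))
    active = {frozenset((v, p)) for v, p in parent.items()}
    blocked = [link for link in links if frozenset(link[:2]) not in active]
    return root, dist, parent, blocked


def path_to_root(parent, bridge):
    """The unique path a frame follows from a bridge up to the root."""
    path = [bridge]
    while path[-1] in parent:
        path.append(parent[path[-1]])
    return path


def is_loop_free(links, blocked):
    """Sanity check: the active links form a tree (n - 1 links, all bridges reached)."""
    bridges = {b for link in links for b in link[:2]}
    active = [link for link in links if link not in blocked]
    seen, stack = set(), [next(iter(bridges))]
    while stack:
        u = stack.pop()
        if u in seen:
            continue
        seen.add(u)
        for a, b, _ in active:
            if u in (a, b):
                stack.append(b if u == a else a)
    return len(active) == len(bridges) - 1 and seen == bridges


if __name__ == "__main__":
    root, dist, parent, blocked = spanning_tree(LINKS)
    print("root bridge:", root)
    for b in sorted(dist):
        print(f"bridge {b}: cost {dist[b]}, path {path_to_root(parent, b)}")
    print("blocked links:", blocked, "loop-free:", is_loop_free(LINKS, blocked))
```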
Switch: Principle
Figure: 4 x 10 Mb/s-port switch; the switching fabric carries simultaneous communications between port pairs (1 and 1').
When a station transmits a frame, the Switch, just like a bridge, analyzes the destination MAC address and,
based on the information in its filter memory, sends the frame to the appropriate link(s).
At the same time, another station can also transmit a frame that will be routed by the Switch to the right
output port(s).
So, unlike the Hub, the Switch makes it possible to increase transmission-medium bandwidth by performing
several operations simultaneously.
Switch: Full and Half Duplex
Figure: hub (half duplex: transmit, receive, loopback, collision detection) versus switch (full duplex: transmit buffer and receive buffer per port, no loopback or collision detection).
Segmentation
On a segment with several stations, various mechanisms must be implemented:
A mechanism for accessing the transmission medium i.e. listening to the link to determine whether it is
available or unavailable,
A mechanism for detecting collisions.
Correct communication is always in half-duplex mode. Indeed, at any given time, a single station transmits
while the others listen.
Collisions can occur in cases where frames transmitted by several stations are mixed up on the receive pair.
Generally, therefore, both the station side and the switch side can be configured to function in half-duplex or
full-duplex mode.
Micro-segmentation
In the case of micro-segmentation, where a single station is connected to a switch port, collisions cannot
occur. Indeed, there is only one transmitter on a pair.
Consequently, the station wishing to transmit does not need to use the collision-detection mechanism.
Moreover, the station should function in full-duplex mode if it has that capability.
By default, the NICs of stations wishing to transmit listen to the transmission medium beforehand. If they
detect traffic, they postpone transmission to avoid causing a collision.
So, if on a micro-segment this mechanism is not disabled, the station (or the port of the Switch in the other direction) will continue to function in half-duplex mode and delay transmission for fear of causing a collision.
The NIC internal loopback mechanism must therefore be disabled. This can be configured manually or via the
auto-negotiation mechanism.
Switch: Auto-Negotiation
Figure: auto-negotiation by Fast Link Pulse bursts (17..33 pulses, 2 ms).
Most Ethernet interfaces, such as adapters (NICs) for PCs or workstations and Switches, are capable of
adapting their transmission speed (10/100) and mode (Half or Full Duplex).
This is done at start-up by exchanging the Fast Link Pulse (FLP), which is the equivalent of the Normal Link
Pulse (NLP) used for the 10Base-T integrity test.
This means that two devices with auto-negotiation capability can define the best method for working
together from the options specified below (in order of preference):
1. Full-duplex 100Base-TX
2. 100Base-T4
3. 100Base-TX
4. Full-duplex 10Base-T
5. 10Base-T
2. Bridges and Switches
Switch: Full-Duplex Mode Advantage
[Figure: segmentation (hub) versus micro-segmentation (switch)]
Segmentation (hub): shared bandwidth (10 Mb/s), half duplex, access contention, collision detection,
limited medium length.
Micro-segmentation (switch): independent rate for each station (10 Mb/s or 100 Mb/s), full bandwidth,
full duplex, free medium, no access contention, no collision detection, no medium length limit.
With segmentation, transmission speed is the same for all stations; with micro-segmentation, transmission
speed is independent between stations.
With segmentation, the bandwidth is shared between all the stations; with micro-segmentation, each
station uses the full bandwidth.
With segmentation, the medium-control mechanism must be implemented, implying operation in half-
duplex mode; with micro-segmentation, this mechanism isn’t required and full-duplex mode is therefore
possible.
Finally, with segmentation, the maximum distance between two stations is limited to enable collision
detection; with micro-segmentation, there is no such limit since collisions are no longer possible. The limit
depends solely on the signal transmission technique. Repeaters can always be installed.
2. Bridges and Switches
Network design (1) _ Hubs
[Figure: a building cabled with hubs. The Import and Export departments each have Sales, R&D and
Finance stations on a hub; panel 1 shows the wiring, panel 2 the communication between two stations]
Let’s now consider a scenario in which a building is cabled using Hubs and how communication takes place
between two stations.
The frames exchanged are broadcast over the whole LAN, preventing other exchanges from taking place
simultaneously and also bothering stations that are not concerned by the transaction.
2. Bridges and Switches
Network design (2) _ Bridge and hubs
[Figure: the same building with a filtering bridge between the hubs of the Import and Export departments
(Sales, R&D, Finance stations); the two communicating stations are on the same segment]
Compared with a cable set-up based on segmentation, you can see that communication is more effective
when the stations are on the same segment.
2. Bridges and Switches
Network design (2) _ Bridge and hubs
[Figure: the same bridge-and-hubs set-up, now with the two communicating stations on different segments]
But the same drawbacks exist for communications between stations located on different segments.
2. Bridges and Switches
Network design (3) _ Switches
[Figure: the building cabled with a switch (micro-segmentation): each Sales, R&D and Finance station of the
Import and Export departments has its own switch port; panel 1 shows the wiring, panel 2 the communication]
Micro-segmentation
cabling, since the connections are centralized in a single technical location. A switch usually has a large
number of ports. Some of them can be stacked and interconnected using special links.
Answer the Questions
(Review slides; only the answer fragments survived extraction.)
Simpler Management
Support of Voice
Auto-negotiation
Full duplex
Half duplex
Spanning Tree
No matches / Filter
Ethernet / Physical
Auto-negotiation / Network
IP / Transport
3. Virtual LAN
3. Virtual LANs
Problem
[Figure: one switch (SW) with Finances (F) and Marketing (M) stations on its ports; a broadcast frame
(destination ff:ff:ff:ff:ff:ff) is delivered to every port]
Physical and logical topology: a single network.
Broadcast traffic is seen and processed by all the users connected to the switch, whether or not they are
concerned by the content of the message. Security is also weak in this environment: a user with a packet
sniffer will be able to see the content of many messages.
3. Virtual LANs
Solution
VLAN id           Members
10 (Marketing)    Ports 2, 5, 6
20 (Finances)     Ports 1, 3, 4
[Figure: the same switch (SW); a broadcast frame (ff:ff:ff:ff:ff:ff) is now delivered only to the ports of the
sending station's VLAN]
The best solution available for simple broadcast contention is the use of VLANs. Even though users are still
physically connected to the same device, they are isolated in different logical networks and no traffic
from a VLAN can be seen by a user of another VLAN.
The simplest way to create a VLAN in a switch is per port. Each port is explicitly assigned to a VLAN. The
port-to-VLAN association is stored by the switch in a VLAN table. Each VLAN is identified by a VLAN id,
which is a number between 0 and 4095. Usually, VLANs are also given a label that is easier to remember
than a number. By default all ports in the switch are members of VLAN 1. Configuring a VLAN for a port
means removing the port from VLAN 1 and assigning it to the new VLAN.
After VLANs have been implemented, instead of forwarding broadcast traffic to every port, the switch
forwards a broadcast frame only to the ports that are members of the same VLAN as the port
originating it. Unicast traffic is forwarded to the destination port only if it is a member of the same
VLAN as the source.
Inter-VLAN communication is not possible at layer 2: a layer 2 switch cannot switch frames between two
different VLANs.
Other methods to implement VLANs: by MAC address, by protocol, LANE (LAN emulation for ATM
transport).
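As an added example (not code from this guide), a small model of the per-port VLAN switch just described, loaded with the VLAN table of the Solution slide. The MAC-learning table and the flooding of unknown unicasts inside the VLAN are assumptions that go beyond the slide text.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    """Layer 2 switch with per-port VLAN assignment and MAC learning."""

    def __init__(self, port_count: int, default_vlan: int = 1):
        # By default every port is a member of VLAN 1
        self.port_vlan = {p: default_vlan for p in range(1, port_count + 1)}
        self.mac_table = {}   # learned source MAC -> port (assumption beyond the slide)

    def assign(self, port: int, vlan: int) -> None:
        """Configure a VLAN for a port: the port leaves VLAN 1 (or its previous
        VLAN) and joins the new one."""
        if port not in self.port_vlan:
            raise ValueError("no such port")
        if not 0 <= vlan <= 4095:
            raise ValueError("VLAN id must be between 0 and 4095")
        self.port_vlan[port] = vlan

    def members(self, vlan: int) -> list:
        return sorted(p for p, v in self.port_vlan.items() if v == vlan)

    def forward(self, in_port: int, src_mac: str, dst_mac: str) -> list:
        """Return the sorted list of output ports for a frame received on in_port."""
        vlan = self.port_vlan[in_port]
        self.mac_table[src_mac] = in_port          # learn the source station
        same_vlan_others = [p for p in self.members(vlan) if p != in_port]
        if dst_mac == BROADCAST:
            # Broadcast goes only to the ports of the originating port's VLAN
            return same_vlan_others
        out_port = self.mac_table.get(dst_mac)
        if out_port is None:
            # Unknown unicast is flooded like a broadcast, but only inside the VLAN
            return same_vlan_others
        if out_port == in_port or self.port_vlan[out_port] != vlan:
            # Destination on another VLAN: a layer 2 switch cannot switch
            # frames between two VLANs, so the frame is dropped
            return []
        return [out_port]


def build_switch() -> VlanSwitch:
    """The VLAN table of the slide: Marketing (10) on ports 2, 5, 6 and
    Finances (20) on ports 1, 3, 4 of a six-port switch."""
    sw = VlanSwitch(6)
    for port in (2, 5, 6):
        sw.assign(port, 10)
    for port in (1, 3, 4):
        sw.assign(port, 20)
    return sw
```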
3. Virtual LANs
Access links
VLAN              Members
10 (Marketing)    Ports 2, 5, 6
20 (Finances)     Ports 1, 3, 4
[Figure: Ethernet switch; a broadcast (ff:ff:ff:ff:ff:ff) sent from a Finances (F) access port reaches only
the other Finances ports]
An access port is a switch port that is connected to a terminal device, e.g. a PC or a printer. It is a member
of a single VLAN.
As all the traffic originating on or destined for this port belongs to the same VLAN, no particular mechanism is
needed to mark the frames (the VLAN membership of the port is already known to the switch). In this
case, the port is untagged. The untagged VLAN is also called the native VLAN.
3. Virtual LANs
VLAN spanning multiple switches _ Problem
SW1 (ports 1 to 6: F M F F M M; port 7 links to SW2)
VLAN id          Members
10 Marketing     Ports 2, 5, 6, 7
20 Finances      Ports 1, 3, 4, 7
SW2 (ports 1 to 6: F E M F E M; port 7 links to SW1)
VLAN id          Members
10 Marketing     Ports 3, 6, 7
11 Engineering   Ports 2, 5
20 Finances      Ports 1, 4, 7
[Figure: broadcast frames (ff:ff:ff:ff:ff:ff) crossing the link between the two port 7s; the question mark on
the slide: how does the receiving switch know which VLAN a frame arriving on port 7 belongs to?]
3. Virtual LANs
VLAN tagging
[Figure: SW1 and SW2 with the same port assignments (F M F F M M and F E M F E M); broadcast frames
(ff:ff:ff:ff:ff:ff) crossing the link between the two port 7s carry a VLAN tag, so each switch floods them only
to the ports of the right VLAN]
To extend a VLAN to span several switches, the switches are interconnected using trunks.
Unlike access links, trunks can carry the traffic of multiple VLANs. To identify the VLAN a frame
belongs to, a label or tag is added to the frame. It contains information about the VLAN originating the
frame. A frame carrying a VLAN tag is called a tagged frame.
In a trunk, only one VLAN can be untagged (the native VLAN). Frames originating in all the other VLANs
must be labelled before transport.
3. Virtual LANs
Trunking
Tagged frame format: Dest | Src | 802.1q tag | Ethertype | Data | FCS
[Figure: SW1 port 7 and SW2 port 7 joined by a trunk]
Port 7 is member of:
VLAN 10 -> tag = 10
VLAN 20 -> tag = 20
VLAN 1 -> untagged
By default, a trunk carries all the VLANs configured in the switch. The process of removing unused VLANs
from the trunk is called “VLAN pruning”.
3. Virtual LANs
802.1Q tagging
Untagged frame: Destination Address | Source Address | Length/Type | Data | PAD | FCS
Tagged frame: Destination Address | Source Address | Ethertype = 0x8100 | Tag Control Information |
Length/Type | Data | PAD | FCS
Ethertype = 0x8100 signals that the next field contains a VLAN tag; with the 2-byte Tag Control
Information the tag is 4 bytes in total (802.1p).
Tag Control Information:
User Priority (3 bits) _ used for Class of Service (CoS) marking in 802.1p
CFI (1 bit) _ Canonical Format Identifier; set to 0 for Ethernet networks
VID (VLAN ID, 12 bits) _ VLAN identifier; it can take values in the range between 0 and 4095.
Value 1 is usually assigned to the Default VLAN.
The tagging scheme proposed by the 802.3ac standard recommends the addition of four octets after
the source MAC address. Their presence is indicated by a particular value of the EtherType field (called
TPID), which has been fixed at 0x8100. When a frame has the EtherType equal to 0x8100,
the frame carries an IEEE 802.1Q/802.1p tag. The tag is stored in the following two octets and
contains 3 bits of user priority, 1 bit of Canonical Format Identifier (CFI), and 12 bits of VLAN ID (VID).
The 3 bits of user priority are used by the 802.1p standard; the CFI is used for compatibility
between Ethernet-type networks and Token Ring-type networks. The VID is the identification of the
VLAN, which is used by the 802.1Q standard; being 12 bits long, it allows the identification of
4096 VLANs.
After the two octets of TPID and the two octets of the Tag Control Information field there are two octets
that would originally have been located after the Source Address field, where the TPID now is. They
contain either the MAC length in the case of IEEE 802.3 or the EtherType in the case of Ethernet II.
Note _ Adding a tag to a frame implies that the FCS field has to be recomputed by the switch.
3. Virtual LANs
Aggregation layer problem
[Figure: customer sites (VLAN 40, VLAN 41, VLAN 42 on the slide) attached to a provider network that carries
the customer tag unchanged; a frame tagged 40 reaches the provider egress switch with a "?" over which
customer site it belongs to]
Tagged frame format: Dest | Src | 802.1q tag | Ethertype | Data | FCS
A Service Provider that offers transport services to its clients must support the client VLANs, i.e.
transparently transport the VLAN tag across its network. This means that all the provider's customers
share the VLAN space, i.e. the VLAN id range 1 to 4095.
Two customers configuring their networks independently might choose identical VLAN identifiers. In
that case, the provider egress switch cannot tell which customer network is the actual destination of the frame.
So no overlapping can be allowed. Besides, the maximum of 4095 VLANs is usually sufficient for
enterprise networks but might not be enough for a provider network.
3. Virtual LANs
Q in Q tagging
Provider mapping: VLAN ID 10 -> Customer 1 -> port 2; VLAN ID 20 -> Customer 2 -> port 5
[Figure: Customer 1 sites (VLAN 40, VLAN 41) and Customer 2 sites (VLAN 40, VLAN 30) connected across the
Service Provider Network; a Customer 1 frame tagged 40 crosses the provider network carrying the outer
tag 10 in front of the customer tag 40]
Q in Q frame format: Dest | Src | Customer ID | Site ID | Ethertype | Packet | FCS
A solution to the problem on the previous slide is the use of an additional VLAN tag. This tag can be
inserted by the provider or by the remote CPE, and it identifies the customer or the service. This method of
encapsulation is called Q in Q.
With Q in Q encapsulation, every customer can potentially use the whole VLAN id space.
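The 802.1Q tag insertion described on the tagging slide and the Q in Q stacking just described, as an added example that is not code from this guide: the 4-octet tag goes after the source MAC, the FCS is recomputed (CRC-32 via zlib, the CRC Ethernet uses), and pushing a second tag puts the provider tag in front of the customer tag. Assumption: the outer provider tag uses the same 0x8100 TPID the slides show; the MAC addresses and payload are constructed.

```python
import struct
import zlib

TPID = 0x8100  # EtherType value (TPID) announcing that a VLAN tag follows


def ethernet_fcs(body: bytes) -> bytes:
    """IEEE 802.3 FCS: CRC-32 over the frame, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def fcs_ok(frame: bytes) -> bool:
    return ethernet_fcs(frame[:-4]) == frame[-4:]


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: Dest | Src | Ethertype | Data | FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + ethernet_fcs(body)


def make_tci(vid: int, priority: int = 0, cfi: int = 0) -> int:
    """Tag Control Information: 3 bits user priority, 1 bit CFI, 12 bits VID."""
    if not (0 <= vid <= 4095 and 0 <= priority <= 7 and cfi in (0, 1)):
        raise ValueError("tag field out of range")
    return (priority << 13) | (cfi << 12) | vid


def push_tag(frame: bytes, vid: int, priority: int = 0) -> bytes:
    """Insert a 4-octet tag after the source address and recompute the FCS.
    Applied to an already tagged frame it adds an outer tag (Q in Q)."""
    body = frame[:-4]
    tag = struct.pack("!HH", TPID, make_tci(vid, priority))
    body = body[:12] + tag + body[12:]
    return body + ethernet_fcs(body)


def pop_tag(frame: bytes) -> bytes:
    """Remove the outermost tag (e.g. at the provider egress) and recompute the FCS."""
    body = frame[:-4]
    if struct.unpack("!H", body[12:14])[0] != TPID:
        raise ValueError("frame is untagged")
    body = body[:12] + body[16:]
    return body + ethernet_fcs(body)


def parse_frame(frame: bytes) -> dict:
    """Check the FCS and return the addresses, the tag stack (outer tag first),
    the inner Ethertype and the payload."""
    if not fcs_ok(frame):
        raise ValueError("FCS mismatch")
    body = frame[:-4]
    tags, off = [], 12
    while struct.unpack("!H", body[off:off + 2])[0] == TPID:
        tci = struct.unpack("!H", body[off + 2:off + 4])[0]
        tags.append({"priority": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    return {"dst": body[:6], "src": body[6:12], "tags": tags,
            "ethertype": struct.unpack("!H", body[off:off + 2])[0],
            "payload": body[off + 2:]}
```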
4. LAN Authentication
Who are you?
[Figure: an Authorized User is admitted to the Protected resources, an Unauthorized User is not]
4. LAN Authentication
802.1x components
[Figure: Supplicants (a wired client, and a wireless client with a wireless association to an Access Point);
Authenticators (switch or Access Point, the Network Access Server); Protected Network; steps (1), (2), (3)]
1. The authenticator detects the presence of the client and sets the port to the “unauthorized state”. The authenticator sends an EAP-Request to the supplicant.
2. The supplicant responds and the authenticator forwards the response to the RADIUS server. The RADIUS server verifies the client credentials.
3. If the authentication server accepts the request, the authenticator sets the port to the “authorized state” and normal traffic is forwarded.
IEEE 802.1X is an IEEE standard for port-based Network Access Control. It provides an authentication
mechanism to devices wishing to attach to a LAN, either establishing a point-to-point connection or
preventing it if authentication fails. It is used for most wireless 802.11 access points and is based on the
Extensible Authentication Protocol (EAP).
802.1X involves communications between a supplicant, authenticator, and authentication server. The
supplicant is often software on a client device, such as a laptop, the authenticator is a wired Ethernet
switch or wireless access point, and an authentication server is generally a RADIUS database. The
authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not
allowed access through the authenticator to the protected side of the network until the supplicant’s
identity is authorized.
Upon detection of the new client (supplicant), the port on the switch (authenticator) is enabled and set to
the "unauthorized" state. In this state, only 802.1X traffic is allowed; other traffic, such as DHCP and HTTP, is
blocked at the data link layer. The authenticator sends out the EAP-Request Identity to the supplicant; the
supplicant responds with an EAP-Response packet that the authenticator forwards to the authenticating
server. If the authenticating server accepts the request, the authenticator sets the port to the "authorized"
mode and normal traffic is allowed. When the supplicant logs off, it sends an EAP-Logoff message to the
authenticator. The authenticator then sets the port to the "unauthorized" state, once again blocking all non-
EAP traffic.
Note_ In wireless environments, instead of a physical link, the supplicant creates an association with an
access point.
4. LAN Authentication
EAP message format
EAP packet: Code (1 byte) | Identifier (1 byte) | Total packet length (2 bytes) | Data
EAP Request/Response packet: the Data field starts with Type (1 byte), followed by Type-Data.
EAP Success/Failure packet: Code (1 byte) | Identifier (1 byte) | Total packet length (2 bytes) | Data
Code:
1 Request
2 Response
3 Success
4 Failure
Type (Request/Response packets):
1 = Identity
2 = Notification
3 = Nak (response only)
4 = MD5-Challenge
5 = OTP (One Time Password)
9 = RSA Public Key Authentication
13 = EAP-TLS
17 = EAP-Cisco Wireless (LEAP)
21 = EAP-TTLS
22 = Remote Access Service
23 = UMTS Authentication and Key Agreement
25 = PEAP
26 = MS-EAP Authentication
...
4. LAN Authentication
802.1x authentication
[Figure: 802.1X message flow between supplicant, authenticator and RADIUS server: presence detected,
EAPOL EAP-Identity Request from the authenticator, the following exchanges, and in the failure case
RADIUS Access-Reject from the server followed by EAP-Failure to the supplicant]
The protocol used to carry the EAP method between the supplicant and the authenticator in 802.1X is called
EAP encapsulation over LANs (EAPOL). It is currently defined for Ethernet-like LANs including 802.11 wireless,
as well as token ring LANs such as FDDI. A “type 0” EAPOL frame carries an EAP message. The “type 0”
indicates to the receiver (either supplicant or authenticator) that it should strip off the EAPOL encapsulation
and process the EAP data.
EAP messages are encapsulated and transported within Ethernet frames with the Ethertype field set to the
value 0x88FE. EAPOL is an alternative to RADIUS or DIAMETER for carrying the messages across the LAN between
the Authenticator and the supplicant.
Section 3
Point to Point Transport
IP Technology
IP for Mobile Networks
TTP18031 D0 SG DEN I1.0
PPP frame format:
Flag   Address   Control   Protocol   Payload                 FCS            Flag
7E     FF        03        2 bytes    Maximum 1500 bytes      2 or 4 bytes   7E
[Figure: PPP connection between two routers over a transport network (leased line, SDH/PDH, ISDN, PSTN,
L2TP/GRE tunnels, etc.)]
PPP is a connection-oriented protocol that enables layer two links over a variety of different physical
layer connections. It is supported on both synchronous and asynchronous lines, and can operate in half-
duplex or full-duplex mode. It was designed to carry IP traffic but is general enough to allow any type of
network layer datagram to be sent over a PPP connection. As its name implies, it is for point-to-point
connections between exactly two devices, and assumes that frames are sent and received in the same
order.
PPP is a complete link layer protocol suite for devices using TCP/IP, which provides framing,
encapsulation, authentication, quality monitoring and other features to enable robust operation of
TCP/IP over a variety of physical layer connections.
Flag: Indicates the start of a PPP frame. Always has the value “01111110” binary (0x7E)
Address: this field has no real meaning. It is thus always set to “11111111” (0xFF or 255 decimal), which
is equivalent to a broadcast (it means “all stations”).
Control: in PPP it is set to “00000011” (3 decimal).
Protocol: Identifies the protocol of the datagram encapsulated in the Information field of the frame.
Information: Zero or more bytes of payload that contains either data or control information, depending
on the frame type. For regular PPP data frames the network-layer datagram is encapsulated here. For
control frames, the control information fields are placed here instead.
Padding: In some cases, additional dummy bytes may be added to pad out the size of the PPP frame.
Frame Check Sequence (FCS): A checksum computed over the frame to provide basic protection against
errors in transmission. This is a CRC code similar to the one used for other layer two protocol error
protection schemes such as the one used in Ethernet. It can be either 16 bits or 32 bits in size (default is
16 bits). The FCS is calculated over the Address, Control, Protocol, Information and Padding fields.
Flag: Indicates the end of a PPP frame. Always has the value “01111110” binary (0x7E)
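PPP framing and the FCS described above, as an added example that is not code from this guide: it builds Flag / Address / Control / Protocol / Information / FCS / Flag with the 16-bit FCS of RFC 1662, escapes 0x7E, 0x7D and the control characters (the default async control character map) so that a Flag inside the payload cannot be mistaken for a frame boundary, and rejects frames whose FCS does not check. The sample IP payload is constructed; the link is assumed to use the default 16-bit FCS without address/control field compression.

```python
import struct

FLAG, ADDRESS, CONTROL, ESCAPE = 0x7E, 0xFF, 0x03, 0x7D
FCS_INIT, FCS_GOOD = 0xFFFF, 0xF0B8   # RFC 1662 initial value and "good FCS" residue


def ppp_fcs16(data: bytes, fcs: int = FCS_INIT) -> int:
    """CRC-CCITT as used by PPP (reflected polynomial 0x8408)."""
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def byte_stuff(data: bytes) -> bytes:
    """Escape Flag, Escape and control characters (default async control map)."""
    out = bytearray()
    for b in data:
        if b in (FLAG, ESCAPE) or b < 0x20:
            out += bytes([ESCAPE, b ^ 0x20])
        else:
            out.append(b)
    return bytes(out)


def byte_unstuff(data: bytes) -> bytes:
    out, escaped = bytearray(), False
    for b in data:
        if escaped:
            out.append(b ^ 0x20)
            escaped = False
        elif b == ESCAPE:
            escaped = True
        else:
            out.append(b)
    return bytes(out)


def build_ppp_frame(protocol: int, information: bytes) -> bytes:
    # The FCS covers Address, Control, Protocol and Information (plus padding)
    body = bytes([ADDRESS, CONTROL]) + struct.pack("!H", protocol) + information
    fcs = ppp_fcs16(body) ^ 0xFFFF
    body += bytes([fcs & 0xFF, fcs >> 8])         # FCS is sent low byte first
    return bytes([FLAG]) + byte_stuff(body) + bytes([FLAG])


def parse_ppp_frame(frame: bytes):
    """Return (protocol, information); raise ValueError on a damaged frame."""
    if len(frame) < 8 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing flag")
    body = byte_unstuff(frame[1:-1])
    if body[0] != ADDRESS or body[1] != CONTROL:
        raise ValueError("unexpected address/control field")
    # Running the FCS over the body including the received FCS leaves 0xF0B8
    if ppp_fcs16(body) != FCS_GOOD:
        raise ValueError("FCS error")
    protocol = struct.unpack("!H", body[2:4])[0]
    return protocol, body[4:-2]


def ppp_frame_ok(frame: bytes) -> bool:
    try:
        parse_ppp_frame(frame)
        return True
    except ValueError:
        return False
```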
Data transfer
Even though PPP is called a “protocol” and even though it is considered part of TCP/IP—depending on
whom you ask—it is really more a protocol suite than a particular protocol. The operation of PPP is based
on procedures defined in many individual protocols.
PPP Encapsulation Method: The primary job of PPP is to take higher-layer messages such as IP datagrams
and encapsulate them for transmission over the underlying physical layer link. To this end, PPP defines a
special frame format for encapsulating data for transmission, based on the framing used in the HDLC
protocol. The PPP frame has been specially designed to be small in size and contain only simple fields, to
maximize bandwidth efficiency and speed in processing.
Link Control Protocol (LCP): The PPP Link Control Protocol (LCP) is responsible for setting up,
maintaining and terminating the link between devices. It is a flexible, extensible protocol that allows
many configuration parameters to be exchanged to ensure that both devices agree on how the link will
be used.
Network Control Protocols (NCPs): PPP supports the encapsulation of many different layer three
datagram types. Some of these require additional setup before the link can be activated. After the
general link setup is completed with LCP, control is passed to the PPP Network Control Protocol (NCP)
specific to the layer three protocol being carried on the PPP link. For example, when IP is carried over
PPP the NCP used is the PPP Internet Protocol Control Protocol (IPCP). Other NCPs are defined for
supporting the IPX protocol, the NetBIOS Frames (NBF) protocol, and so forth.
[Figure: PPP protocol stack. Network layer: IP, IPX, AppleTalk; PPP: NCP (one per network protocol), the
Authentication Protocols CHAP and PAP, and LCP; Link layer: HDLC framing]
LCP Support Protocols: Several protocols are included in the PPP suite that are used during the link
negotiation process, either to manage it or to configure options. Examples include the authentication
protocols CHAP and PAP, which are used by LCP during the optional authentication phase.
LCP Optional Feature Protocols: A number of protocols have been added to the basic PPP suite over the
years to enhance its operation after a link has been set up and datagrams are being passed between
devices. For example, the PPP Compression Control Protocol (CCP) allows compression of PPP data, the
PPP Encryption Control Protocol (ECP) enables datagrams to be encrypted for security, and the PPP
Multilink Protocol (ML/PPP) allows a single PPP link to be operated over multiple physical links. The use
of these features often also requires additional setup during link negotiation, so several define
extensions (such as extra configuration options) that are negotiated as part of LCP.
LCP packet: Code (8 bits) | Identifier (8 bits) | Length (16 bits) | Data
Length = Code + Id + Length + Data
Each option in Data: Type | Length | Data, with Length = Type + Length + Data
Set up (Request/Response codes):
1: Configure-Request
2: Configure-Ack
3: Configure-Nak
4: Configure-Reject
1. Link Configuration packets used to establish and configure a link (Configure-Request, Configure-
Ack, Configure-Nak and Configure-Reject).
2. Link Termination packets used to terminate a link (Terminate- Request and Terminate-Ack).
3. Link Maintenance packets used to manage and debug a link (Code-Reject, Protocol-Reject, Echo-
Request, Echo-Reply, and Discard-Request).
Option                          Type   Length   Data                                   Default
Maximum Receive Unit            01     04       Maximum Receive Unit (16 bits)         1500
Authentication Protocol         03     ≥04      C023 (PAP) or C223 (CHAP), then Data   no authentication
Asynch Control Character Map    02     06       Async Control Character Map (32 bits)  0xffffffff
Maximum-Receive-Unit
This Configuration Option may be sent to inform the peer that the implementation can receive
larger frames, or to request that the peer send smaller frames. If smaller frames are requested, an
implementation MUST still be able to receive 1500 octet frames in case link synchronization is lost.
Authentication-Protocol
On some links it may be desirable to require a peer to authenticate itself before allowing network-
layer protocol packets to be exchanged. This Configuration Option provides a way to negotiate the
use of a specific authentication protocol. By default, authentication is not necessary.
Quality-Protocol
On some links it may be desirable to determine when, and how often, the link is dropping data. This
process is called link quality monitoring.
This Configuration Option provides a way to negotiate the use of a specific protocol for link quality
monitoring. By default, link quality monitoring is disabled.
Async-Control-Character-Map
This Configuration Option provides a way to negotiate the use of control character mapping on
asynchronous links. By default, PPP maps all control characters into an appropriate two character
sequence. However, it is rarely necessary to map all control characters and often it is unnecessary
to map any characters.
Protocol compression            07     02       (no data)                              no compression
Magic-Number
The Magic-Number field is four octets and aids in detecting links which are in the looped-back
condition.
Protocol-Field-Compression
This Configuration Option provides a way to negotiate the compression of the Data Link Layer
Protocol field. By default, all implementations MUST transmit standard PPP frames with two octet
Protocol fields. However, PPP Protocol field numbers are chosen such that some values may be
compressed into a single octet form which is clearly distinguishable from the two octet form.
Address-and-Control-Field-Compression
This Configuration Option provides a way to negotiate the compression of the Data Link Layer
Address and Control fields. By default, all implementations MUST transmit frames with Address
and Control fields and MUST use the hexadecimal values 0xff and 0x03 respectively. Since these
fields have constant values, they are easily compressed. This Configuration Option is sent to
inform the peer that the implementation can receive compressed Address and Control fields.
Compressed Address and Control fields are formed by simply omitting them.
Callback
This Configuration Option provides a method for an implementation to request a dial-up peer to
call back. This option might be used for many diverse purposes, such as savings on toll charges.
Compound-Frames
This Configuration Option provides a method for an implementation to send multiple PPP
encapsulated packets within the same frame.
A -> B: Configure-Request, Id: 20 / MRU: 1000; asyncmap: 0; Auth: PAP; MagicNumber: 2f 4e6a; Addr/ctl-compression
B checks: MRU: 1000 (ack); asyncmap: 0 (nack); Auth: PAP (ack); MagicNb: 2f 4e6a (ack); Addr/ctl-compression (ack)
B -> A: Configure-Nack, Id: 20 / asyncmap: 0x2000
‘A’ prefers the default value of asyncmap, so it leaves the option out of its next request:
A -> B: Configure-Request, Id: 21 / MRU: 1000; Auth: PAP; MagicNumber: 2f 4e6a; Addr/ctl-compression
B checks: MRU: 1000 (ack); Auth: PAP (ack); MagicNb: 2f 4e6a (ack); Addr/ctl-compression (ack)
B -> A: Configure-Ack, Id: 21 / MRU: 1000; Auth: PAP; MagicNumber: 2f 4e6a; Addr/ctl-compression
The process starts with the initiating device, e.g. A, creating a Configure-Request frame that contains a
variable number of configuration options that it wants to see set up on the link. This is basically device
A's “wish list” for how it wants the link created.
The other device receives the Configure-Request and processes it. It then has three choices of how to
respond:
If every option that device A sent is acceptable to device B, it returns a Configure-Ack (“acknowledge”)
frame echoing those options.
If all the options that device A sent are valid ones that device B recognizes and is capable of
negotiating, but it doesn't accept the values device A sent, then device B returns a Configure-Nak
(“negative acknowledge”) frame. This message includes a copy of each configuration option that B
found unacceptable.
If any of the options that A sent were either unrecognized by B, or represent ways of using the link
that B considers not only unacceptable but not even subject to negotiation, it returns a Configure-
Reject containing each of the objectionable options.
Even after receiving a reject, device A can retry the negotiation with a new Configure-Request.
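The responder side (device B) of the negotiation just described, as an added example that is not code from this guide or from any PPP implementation: options are Type/Length/Data TLVs, unknown types get a Configure-Reject, recognised options with unacceptable values get a Configure-Nak carrying B's preferred value, and everything else a Configure-Ack. B's acceptance rules (it insists on the 0x2000 bit of the async map, accepts PAP or CHAP) are assumptions chosen to reproduce the exchange on the slide.

```python
import struct

CONF_REQ, CONF_ACK, CONF_NAK, CONF_REJ = 1, 2, 3, 4
OPT_MRU, OPT_ACCM, OPT_AUTH, OPT_MAGIC, OPT_PFC, OPT_ACFC = 1, 2, 3, 5, 7, 8
PAP, CHAP = 0xC023, 0xC223


def encode_options(options) -> bytes:
    """options: list of (Type, Data); each TLV Length = Type + Length + Data."""
    return b"".join(bytes([t, 2 + len(d)]) + d for t, d in options)


def decode_options(data: bytes) -> list:
    opts, off = [], 0
    while off < len(data):
        if off + 2 > len(data) or data[off + 1] < 2 or off + data[off + 1] > len(data):
            raise ValueError("malformed option")
        t, l = data[off], data[off + 1]
        opts.append((t, data[off + 2:off + l]))
        off += l
    return opts


def build_packet(code: int, ident: int, options) -> bytes:
    """LCP packet: Code (8) | Identifier (8) | Length (16) | Data (options)."""
    data = encode_options(options)
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad LCP length")
    return code, ident, decode_options(pkt[4:length])


class Responder:
    """Device B. Assumed policy: it understands the six option types below,
    insists that bit 0x2000 of the async control character map stays set
    (CR, 0x0D, remains escaped) and accepts PAP or CHAP for authentication."""
    known = {OPT_MRU, OPT_ACCM, OPT_AUTH, OPT_MAGIC, OPT_PFC, OPT_ACFC}
    required_accm = 0x00002000
    accepted_auth = {PAP, CHAP}

    def respond(self, request: bytes) -> bytes:
        code, ident, opts = parse_packet(request)
        if code != CONF_REQ:
            raise ValueError("expected a Configure-Request")
        # 1. Unknown, non-negotiable options: Configure-Reject listing them
        rejected = [(t, d) for t, d in opts if t not in self.known]
        if rejected:
            return build_packet(CONF_REJ, ident, rejected)
        # 2. Known options with unacceptable values: Configure-Nak with B's values
        naked = []
        for t, d in opts:
            if t == OPT_ACCM and len(d) == 4:
                accm = struct.unpack("!I", d)[0]
                if accm & self.required_accm != self.required_accm:
                    naked.append((t, struct.pack("!I", accm | self.required_accm)))
            elif t == OPT_AUTH and len(d) >= 2:
                if struct.unpack("!H", d[:2])[0] not in self.accepted_auth:
                    naked.append((t, struct.pack("!H", CHAP)))
        if naked:
            return build_packet(CONF_NAK, ident, naked)
        # 3. Everything acceptable: Configure-Ack echoing the options
        return build_packet(CONF_ACK, ident, opts)
```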
Captured trace:
LCP Conf-Req Id:1 { MRU:1524, Async_map:0x00000000, Authent_prot:PAP, Prot_comp, Addr/ctl_comp}
LCP Conf-Ack Id:2 { Async_map:0x000a0000, Magic_number:0x00217cbb, Prot_comp, Addr/ctl_comp}
[Figure: PAP two-way handshake: the peer connects to X and sends a PAP Authenticate-Request carrying
User name "Jack" and Password "secret"; the access server compares Jack + secret with its stored entry and
answers with a PAP Authenticate-Ack]
The Password Authentication Protocol (PAP) provides a simple method for the peer to establish its
identity using a 2-way handshake. This is done only upon initial link establishment.
PAP is not a strong authentication method. Passwords are sent over the circuit "in the clear", and there
is no protection from playback.
When PAP is enabled, the remote router attempting to connect to the access server is required to send
an authentication request. If the username and password specified in the authentication request are
accepted, the Cisco IOS software sends an authentication acknowledgement.
After you have enabled CHAP or PAP, the access server will require authentication from remote devices
dialing in to the access server. If the remote device does not support the enabled protocol, the call will
be dropped.
To use CHAP or PAP, you must perform the following tasks:
1. Enable PPP encapsulation.
2. Enable CHAP or PAP on the interface.
3. For CHAP, configure host name authentication and the secret or password for each remote
system with which authentication is required.
PAP (Protocol field C023): Code | Identifier | Length | Data
Codes: 1: Authenticate-Request, 2: Authenticate-Ack, 3: Authenticate-Nak
Authenticate-Request Data: Peer-ID length (1 byte) | Peer-ID | Password length (1 byte) | Password
Authenticate-Ack/Nak Data: Msg length (1 byte) | Message
RFC 1334
The Code field is one octet and identifies the type of PAP packet. PAP Codes are assigned as follows:
1 Authenticate-Request
2 Authenticate-Ack
3 Authenticate-Nak
Identifier
The Identifier field is one octet and aids in matching requests and replies.
Length
The Length field is two octets and indicates the length of the PAP packet including the Code,
Identifier, Length and Data fields. Octets outside the range of the Length field should be treated as
Data Link Layer padding and should be ignored on reception.
Data
The Data field is zero or more octets. The format of the Data field is determined by the Code
field.
Peer-ID
The Peer-ID field is zero or more octets and indicates the name of the peer to be
authenticated.
Password
The Password field is zero or more octets and indicates the password to be used for
authentication.
Message
The Message field is zero or more octets, and its contents are implementation
dependent. It is intended to be human readable, and MUST NOT affect operation of the
protocol. It is recommended that the message contain displayable ASCII characters.
[Figure: CHAP three-way handshake: the access server sends a Challenge; the peer computes the Response
with MD5 (a non-reversible algorithm) over ID + secret + challenge and sends it together with its name
(Jack); the access server repeats the MD5 computation with the stored secret and compares the two
values; if they are equal it returns Success: authentication succeeded]
The Challenge-Handshake Authentication Protocol (CHAP) is used to periodically verify the identity of the
peer using a 3-way handshake.
When CHAP is enabled on an interface and a remote device attempts to connect to it, the access server
sends a CHAP packet to the remote device. The CHAP packet requests or "challenges" the remote
device to respond. The challenge packet consists of an ID, a random number, and the host name of the
local router.
When the remote device receives the challenge packet, it concatenates the ID, the remote device's
password, and the random number, and then encrypts all of it using the remote device's password. The
remote device sends the results back to the access server, along with the name associated with the
password used in the encryption process.
When the access server receives the response, it uses the name it received to retrieve a password stored
in its user database. The retrieved password should be the same password the remote device used in
its encryption process. The access server then encrypts the concatenated information with the newly
retrieved password—if the result matches the result sent in the response packet, authentication
succeeds.
The benefit of using CHAP authentication is that the remote device's password is never transmitted in
clear text. This prevents other devices from stealing it and gaining illegal access to the ISP's network.
CHAP transactions occur only at the time a link is established. The access server does not request a
password during the rest of the call. (The local device can, however, respond to such requests from
other devices during a call.)
After you have enabled CHAP, the access server will require authentication from remote devices dialing
in to the access server. If the remote device does not support the enabled protocol, the call will be
dropped.
CHAP (Protocol field C223): Code | Identifier | Length | Data
Codes: 1: Challenge, 2: Response, 3: Success, 4: Failure
Challenge/Response Data: Value length (1 byte) | Value (for a Response, the 128-bit MD5 result) |
Name of the system transmitting this packet
Success/Failure Data: Message
The Challenge packet is used to begin the Challenge-Handshake Authentication Protocol. The
authenticator MUST transmit a CHAP packet with the Code field set to 1 (Challenge).
A Challenge packet MAY also be transmitted at any time during the Network-Layer Protocol phase to
ensure that the connection has not been altered.
Whenever a Challenge packet is received, the peer MUST transmit a CHAP packet with the Code field set
to 2 (Response).
Whenever a Response packet is received, the authenticator compares the Response Value with its own
calculation of the expected value. Based on this comparison, the authenticator MUST send a Success or
Failure packet.
The Challenge Value is a variable stream of octets. The uniqueness of the Challenge Value is essential:
the Challenge Value MUST be changed each time a Challenge is sent.
The Response Value is the one-way hash calculated over a stream of octets consisting of the Identifier,
followed by (concatenated with) the "secret", followed by (concatenated with) the Challenge Value.
The Name field is one or more octets representing the identification of the system transmitting the
packet.
The Message field is zero or more octets, and its contents are implementation dependent. It is intended
to be human readable, and MUST NOT affect operation of the protocol. It is recommended that the
message contain displayable ASCII characters.
Note: Because the Success might be lost, the authenticator MUST allow repeated Response packets after
completing the Authentication phase. To prevent discovery of alternative Names and Secrets, any
Response packets received having the current Challenge Identifier MUST return the same reply Code
returned when the Authentication phase completed (the message portion MAY be different). Any
Response packets received during any other phase MUST be silently discarded.
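As an added illustration (not part of the course material), the following Python code implements the Response Value calculation and the authenticator-side checks described above: the unique-challenge rule, the constant-time comparison, and the "same reply Code for the same Identifier" rule from the note. The class name Authenticator, the Name "remote-router" and the secret are constructed demo values.

```python
import hashlib
import hmac
import os

# Constructed demo secret (not from the course material); it is never sent on the link.
DEMO_SECRET = b"demo-shared-secret"
MD5_DIGEST_LEN = 16  # MD5 yields 16 octets (128 bits)


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response Value = MD5(Identifier || secret || Challenge Value), as described above."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def peer_build_response(identifier: int, challenge: bytes, name: str, secret: bytes):
    """Peer side: the fields a Response packet carries (Identifier, Value, Name)."""
    return identifier, chap_response_value(identifier, secret, challenge), name


class Authenticator:
    """Access-server side of CHAP: issues unique challenges and checks responses."""

    def __init__(self, secrets: dict):
        self.secrets = secrets          # Name -> shared secret (password database)
        self.next_identifier = 0
        self.outstanding = {}           # Identifier -> Challenge Value currently valid
        self.decided = {}               # Identifier -> reply already given (True = Success)
        self.past_challenges = set()    # every value ever sent; a value must never repeat

    def issue_challenge(self):
        """Return (Identifier, Challenge Value) for a new Challenge packet."""
        identifier = self.next_identifier
        self.next_identifier = (self.next_identifier + 1) % 256
        challenge = os.urandom(16)
        while challenge in self.past_challenges:    # uniqueness guard
            challenge = os.urandom(16)
        self.past_challenges.add(challenge)
        self.outstanding[identifier] = challenge
        self.decided.pop(identifier, None)
        return identifier, challenge

    def verify(self, identifier: int, name: str, response_value: bytes) -> bool:
        """True means Success (code 3); False means Failure (code 4) or silent discard."""
        if identifier in self.decided:
            # The Success may have been lost: repeat the SAME reply for this Identifier,
            # whatever the new Response contains, so Names and secrets cannot be probed.
            return self.decided[identifier]
        challenge = self.outstanding.get(identifier)
        if challenge is None:
            return False                # no current Challenge with this Identifier: discard
        secret = self.secrets.get(name)
        if secret is None:
            result = False              # unknown Name
        else:
            expected = chap_response_value(identifier, secret, challenge)
            result = hmac.compare_digest(expected, response_value)   # constant-time compare
        self.decided[identifier] = result
        return result
```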
Figure: NCP for IP (IPCP). Packet format: Code (8 bits), Identifier (8 bits), Length, Data. Codes: 5 Terminate-Request and 6 Terminate-Ack (release); 7 Code-Reject (link management). IPCP configuration option types: 1 obsolete; 2 IP compression protocol (RFC 1332); 3 IP Address (RFC 1332); 4 Mobile-IPv4 (RFC 2290); 129 Primary DNS Server Address (RFC 1877); 130 Primary NBNS Server Address (RFC 1877); 131 Secondary DNS Server Address (RFC 1877); 132 Secondary NBNS Server Address (RFC 1877).
The IP Control Protocol (IPCP) is the NCP for IP and is responsible for configuring, enabling, and disabling
the IP protocol on both ends of the point-to-point link. The IPCP options negotiation sequence is the
same as for LCP, thus allowing the possibility of reusing the code.
IP-Address: provides a way to negotiate the IP address to be used on the local end of the link. It allows
the sender of the Configure-Request to state which IP-address is desired, or to request that the peer
provide the information. The peer can provide this information by NAKing the option, and returning a
valid IP-address.
If negotiation about the remote IP-address is required, and the peer did not provide the option in its
Configure-Request, the option SHOULD be appended to a Configure-Nak. The value of the IP-address
given must be acceptable as the remote IP-address, or indicate a request that the peer provide the
information. By default, no IP address is assigned.
DNS Server Address: defines a method for negotiating with the remote peer the address of the primary
and secondary DNS server to be used on the local end of the link. If the local peer requests an invalid server
address (which it will typically do intentionally), the remote peer specifies the address by NAKing this
option, and returning the IP address of a valid DNS server. By default, no address is provided.
NBNS Server Address: defines a method for negotiating with the remote peer the address of the
primary and secondary NBNS server to be used on the local end of the link. If the local peer requests an
invalid server address (which it will typically do intentionally), the remote peer specifies the address by
NAKing this option, and returning the IP address of a valid NBNS server. By default, no primary NBNS
address is provided.
Figure: IPCP IP-Address negotiation between the client and the ISP (PPP protocol 0x8021):
1. Client to ISP: Configure-Request (Code=01, Ident, Length=0A) carrying option 03 (IP-Address), length 06, value 0.0.0.0 (or the wished IP address).
2. ISP to Client: Configure-Nak (Code=03, Ident, Length=0A) carrying option 03, length 06, value 194.1.2.3 (a valid IP address).
3. Client to ISP: Configure-Request (Code=01, Ident, Length=0A) carrying option 03, length 06, value 194.1.2.3.
4. ISP to Client: Configure-Ack (Code=02, Ident, Length=0A) carrying option 03, length 06, value 194.1.2.3.
Field sizes: Protocol 2 bytes, Code 1 byte, Ident 1 byte, Length 2 bytes, option type 1 byte, option length 1 byte, IP address 4 bytes.
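The exchange in the figure above, as an added Python example (not code from the course): the client starts with IP-Address 0.0.0.0 in a Configure-Request, the ISP side answers with a Configure-Nak carrying 194.1.2.3, and the client re-requests that value and receives a Configure-Ack. The parser also rejects inconsistent Length fields, the check a receiver must not skip. The class IspPeer and the function names are assumptions made for this example.

```python
import struct

IPCP_PROTOCOL = 0x8021                     # PPP Protocol field value for IPCP
CONFIGURE_REQUEST, CONFIGURE_ACK, CONFIGURE_NAK = 1, 2, 3
OPT_IP_ADDRESS = 3                         # option type 3, length 6 (RFC 1332)


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_ipcp(code: int, ident: int, options) -> bytes:
    """Code | Identifier | Length | options, each option being Type | Length | payload."""
    body = b"".join(struct.pack("!BB", t, 2 + len(p)) + p for t, p in options)
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_ipcp(packet: bytes):
    """Return (code, ident, [(type, payload), ...]); rejects inconsistent lengths."""
    if len(packet) < 4:
        raise ValueError("truncated IPCP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    options, pos = [], 4
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated option header")
        opt_type, opt_len = struct.unpack("!BB", packet[pos:pos + 2])
        if opt_len < 2 or pos + opt_len > length:
            raise ValueError("bad option length")       # an option must stay inside the packet
        options.append((opt_type, packet[pos + 2:pos + opt_len]))
        pos += opt_len
    return code, ident, options


class IspPeer:
    """ISP side (constructed): NAKs an unacceptable IP-Address (0.0.0.0 included) with a valid one."""

    def __init__(self, address_to_assign: str):
        self.assigned = ip_bytes(address_to_assign)

    def handle(self, packet: bytes) -> bytes:
        code, ident, options = parse_ipcp(packet)
        if code != CONFIGURE_REQUEST:
            raise ValueError("this demo peer only handles Configure-Request")
        naks = [(t, self.assigned) for t, p in options
                if t == OPT_IP_ADDRESS and p != self.assigned]
        if naks:
            return build_ipcp(CONFIGURE_NAK, ident, naks)
        return build_ipcp(CONFIGURE_ACK, ident, options)


def negotiate_ip_address(peer: IspPeer, wished: str = "0.0.0.0", max_rounds: int = 5):
    """Client side. Returns (agreed address, transcript of (direction, code, address))."""
    ident, current, transcript = 1, ip_bytes(wished), []
    for _ in range(max_rounds):
        request = build_ipcp(CONFIGURE_REQUEST, ident, [(OPT_IP_ADDRESS, current)])
        transcript.append(("client->isp", CONFIGURE_REQUEST, ip_str(current)))
        code, reply_ident, options = parse_ipcp(peer.handle(request))
        if reply_ident != ident:
            raise ValueError("reply Identifier does not match our request")   # stale reply
        transcript.append(("isp->client", code, ip_str(options[0][1])))
        if code == CONFIGURE_ACK:
            return ip_str(current), transcript
        if code == CONFIGURE_NAK:
            current = options[0][1]     # adopt the value the peer proposes
            ident += 1
        else:
            raise ValueError("unexpected reply code %d" % code)
    raise RuntimeError("no agreement within %d rounds" % max_rounds)
```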
One important option used with IPCP is Van Jacobson Header Compression, which is used to reduce the
size of the combined IP and TCP headers from 40 bytes to approximately 4 by recording the states of a
set of TCP connections at each end of the link and replacing the full headers with encoded updates for
the normal case, where many of the fields are unchanged or are incremented by small amounts between
successive IP datagrams for a session. This compression is described in RFC 1144.
Figure: compression negotiation (the option numbers of the PPP Compression Control Protocol). Packet format: Code (8 bits), Identifier (8 bits). Codes: 5 Terminate-Request, 6 Terminate-Ack (release); 7 Code-Reject, 14 Reset-Request, 15 Reset-Ack (link management). Option types: 0 OUI; 1 Predictor type 1; 2 Predictor type 2; 3 Puddle Jumper; 4-15 unassigned; 16 Hewlett-Packard PPC; 17 Stac Electronics LZS; 18 Microsoft PPC; 19 Gandalf FZA; 20 V.42bis compression; 21 BSD LZW Compress.
Figure: PPP frame carrying an IP datagram: Flag 7E (1 byte), Address FF (1 byte), Control 03 (1 byte), Protocol 0021 (2 bytes), IP datagram, CRC (2 bytes), Flag 7E (1 byte). The Address, Control and Protocol fields could be compressed.
3 20 All Rights Reserved © Alcatel-Lucent 2009
Point to Point Transport
IP Technology IP for Mobile Networks
Figure: Multilink PPP architecture: Transport Layer Protocol above Network Layer Protocol, then the Multilink PPP sublayer, then several PPP links (PPP, PPP, PPP).
Multilink PPP is an optional feature of PPP, so it must be designed to integrate seamlessly into regular
PPP operation. To accomplish this, MP is implemented as a new architectural “sublayer” within PPP. In
essence, a Multilink PPP sublayer is inserted between the “regular” PPP mechanism and any network
layer protocols using PPP. This allows MP to take all network layer data to be sent over the PPP link and
spread it over multiple physical connections, without causing either the normal PPP mechanisms or the
network layer protocol interfaces to PPP to “break”.
It works by fragmenting whole PPP frames and sending the fragments over different physical links.
Figure: LCP Configure-Request/Ack negotiating {MRU = 1490; MRRU = 1490; End-Point Discriminator = 00-00-10-0B-F2-3A}.
To use Multilink PPP, both devices must have it implemented as part of their PPP software and must
negotiate its use. This is done by LCP as part of the negotiation of basic link parameters in the Link
Establishment phase. Three new configuration options are defined to be negotiated to enable Multilink
PPP:
Multilink Maximum Received Reconstructed Unit: Provides the basic indication that the device
starting the negotiation supports MP and wants to use it. The option contains a value specifying the
maximum size of PPP frame it supports. If the device receiving this option does not support Multilink
PPP it must respond with a Configure-Reject LCP message.
Multilink Short Sequence Number Header Format: Allows devices to negotiate use of a shorter
sequence number field for MP frames, for efficiency.
Endpoint Discriminator: Uniquely identifies the system; used to allow devices to determine which links
go to which other devices.
Before MP can be used, a successful negotiation of at least the Multilink Maximum Received Reconstructed
Unit option must be performed on each of the links between the two devices. Once this is done and an LCP
link exists for each of the physical links, a virtual bundle is made of the LCP links and Multilink PPP is
enabled.
Figure: a PPP frame is split by the Multilink PPP sublayer into Frag.1, Frag.2 and Frag.3, sent over Line 1, Line 2 and Line 3 respectively (each line being a PPP link), and reassembled into the original PPP frame by the MP sublayer on the far side.
Multilink PPP basically sits between the network layer and the regular PPP links and acts as a “middleman”:
Transmission: Multilink PPP accepts datagrams received from any of the network layer protocols configured
using appropriate NCPs. It first encapsulates them into a modified version of the regular PPP frame. It then
takes that frame and decides how to transmit it over the multiple physical links. Typically, this is done by
dividing the frame into fragments that are evenly spread out over the set of links. These are then
encapsulated and sent over the physical links. However, an alternate strategy can also be implemented,
such as alternating full-sized frames between the links. Also, smaller frames are typically not
fragmented, nor are control frames such as those used for link configuration.
Reception: Multilink PPP takes the fragments received from all physical links and reassembles them into
the original PPP frame. That frame is then processed like any PPP frame, by looking at its Protocol field and
passing it to the appropriate network layer protocol.
The fragmenting of data in MP introduces a number of complexities that the protocol must handle. For
example, since fragments are being sent simultaneously, we need to identify them with a sequence
number to facilitate reassembly. We also need some control information to identify the first and last
fragments of a frame.
Figure: an MP fragment on Line 1: Flag 0x7E, Address 0xFF, Control 0x03, MP Protocol 0x003D, MP header (Flags and Sequence Number), Frag.1 (starting with the 1-byte compressed Protocol field 0x21 of the original frame, then the IP Header and IP Data), CRC.
Several of the fields that normally appear in a “whole” PPP frame aren’t needed if that frame is going to
then be divided and placed into other PPP Multilink frames, so when fragmentation is to occur, they are
omitted when the original PPP frame is constructed for efficiency’s sake. Specifically:
The Flag fields at the start and end are used only for framing for transmission and aren’t needed in the
logical frame being fragmented.
The FCS field is not needed, because each fragment has its own FCS field.
The compression options that are possible for any PPP frame are used when creating this original frame:
Address and Control Field Compression and Protocol Compression. This means that there are no Address
or Control fields in the frame, and the Protocol field is only one byte in size.
These changes save a full eight bytes on each PPP frame to be fragmented. As a result, the original PPP
frame has a very small header, consisting of only a one-byte Protocol field. The Protocol value of each
fragment is set to 0x003D to indicate a MP fragment, while the Protocol field of the original frame becomes
the first byte of “data” in the first fragment.
Beginning Fragment Flag: when set to 1, flags this fragment as the first of the split-up PPP frame. It is
set to 0 for other fragments.
Ending Fragment Flag: when set to 1, flags this fragment as the last of the split-up PPP frame. It is set
to 0 for other fragments.
Reserved (2 or 6 bits): not used, set to zero.
Sequence Number (12 or 24 bits): when a frame is split up, the fragments are given consecutive sequence
numbers so the receiving device can properly reassemble them.
Fragment Data: the actual fragment from the original PPP frame.
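The fragment header and reassembly rules above, as an added Python example (not code from the course): a header-stripped frame (one-byte Protocol field 0x21 plus data) is split evenly over the links with the B/E flags and either the 12-bit or the 24-bit sequence number, and the receiver rebuilds it or discards it when a fragment is missing. Function names and the sample payload are constructed for this example; sequence-number wrap-around is deliberately left out.

```python
import struct

MP_PROTOCOL = 0x003D           # Protocol value carried by every fragment
IP_PROTOCOL_COMPRESSED = 0x21  # one-byte Protocol field of the original frame (PFC)


def mp_fragment(frame: bytes, num_links: int, short_seq: bool = True, first_seq: int = 0):
    """Split a header-stripped PPP frame (1-byte Protocol + data) into MP fragments,
    one per link, each prefixed with the B/E flags and a sequence number."""
    size = -(-len(frame) // num_links)          # ceiling division: even spread over links
    chunks = [frame[i:i + size] for i in range(0, len(frame), size)]
    fragments = []
    for k, chunk in enumerate(chunks):
        begin = 1 if k == 0 else 0
        end = 1 if k == len(chunks) - 1 else 0
        seq = first_seq + k
        if short_seq:   # B(1) E(1) reserved(2) sequence(12) = 16 bits
            header = struct.pack("!H", (begin << 15) | (end << 14) | (seq & 0x0FFF))
        else:           # B(1) E(1) reserved(6) sequence(24) = 32 bits
            header = struct.pack("!I", (begin << 31) | (end << 30) | (seq & 0xFFFFFF))
        fragments.append(header + chunk)
    return fragments


def parse_mp_header(fragment: bytes, short_seq: bool = True):
    """Return (begin, end, sequence, data)."""
    if short_seq:
        (h,) = struct.unpack("!H", fragment[:2])
        return bool(h >> 15 & 1), bool(h >> 14 & 1), h & 0x0FFF, fragment[2:]
    (h,) = struct.unpack("!I", fragment[:4])
    return bool(h >> 31 & 1), bool(h >> 30 & 1), h & 0xFFFFFF, fragment[4:]


def mp_reassemble(fragments, short_seq: bool = True):
    """Rebuild the original frame from fragments received in any order over any links.
    Returns None (frame discarded) when a fragment is missing or the B/E flags are
    inconsistent. Sequence-number wrap-around is not handled in this short version."""
    parsed = sorted((parse_mp_header(f, short_seq) for f in fragments), key=lambda p: p[2])
    if not parsed or not parsed[0][0] or not parsed[-1][1]:
        return None                                   # no Beginning or no Ending fragment
    seqs = [p[2] for p in parsed]
    if seqs != list(range(seqs[0], seqs[0] + len(seqs))):
        return None                                   # gap: a fragment was lost
    if any(p[0] for p in parsed[1:]) or any(p[1] for p in parsed[:-1]):
        return None                                   # B or E set on a middle fragment
    return b"".join(p[3] for p in parsed)
```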
Section 4
IP Layer
IP Technology
IP for Mobile Networks
TTP18031 D0 SG DEN I1.0
Figure: telephone dialing analogy: French RTC, country code 33; Finnish RTC, country code 358.
To understand the IP addressing format, an analogy can be drawn with the telephone numbering system.
Various countries have telephone networks.
Each country has a country code. Some codes comprise only one figure, some 2, others 3, etc.
So, to reach a particular telephone, you need to dial a number made up of:
a country code,
a designation number.
The boundary between the two fields varies according to the size of the country.
The total number of figures cannot exceed a certain limit. This means that small countries with 4-figure
country codes have less capacity in terms of number of subscribers possible than large countries with
single-figure country codes.
This is also the case with IP addressing where there are:
a few large networks,
a few more medium-sized networks,
a large number of small networks.
A device IP address is divided into two parts:
the Network Identifier (or Net ID),
the station identifier known as the Host ID.
The boundary between these 2 fields also varies.
The boundary can be placed in one of 3 positions and thus determines three types of network:
class-A networks,
class-B networks,
class-C networks.
Figure: class-A address: leading bit 0, Net ID (7 bits), Host ID (24 bits); bit positions 8/9, 16/17, 24/25, 32. Class-C address: leading bits 110, Net ID (21 bits), Host ID (8 bits); number of networks: 2,097,152; number of hosts: 254; Net ID from 192.0.0.0 to 223.255.255.0.
The Class-A network type, which uses 7 bits for the Net ID, enables the creation of only 126 networks.
Obviously, 128 combinations are possible with 7 bits but, as you will see later on, certain values are
reserved. The 24-bit Host ID means that a large number of stations can be connected per network (up to
16,777,214). So, Net IDs for Class-A networks can range from 1.0.0.0 to 126.0.0.0.
The Class-B network type, which uses 14 bits for the Net ID, enables the creation of 16,384 networks. The
16-bit Host ID means that a maximum of 65,534 stations can be connected per network. So, Net IDs for
Class-B networks can range from 128.0.0.0 to 191.255.0.0.
The Class-C network type, which uses 21 bits for the Net ID, enables the creation of up to 2,097,152
networks. However, with only 8 bits for the Host ID no more than 254 stations can be connected per
network. So, Net IDs for Class-C networks can range from 192.0.0.0 to 223.255.255.0.
The IP addresses, which are made up of 32 bits, enable over 4 billion combinations. This would seem to be
enough capacity to satisfy the world’s IP-address requirements.
So why is there a lack of IP addresses at the moment?
Because of this class-based organization.
Because Class-C networks allow a maximum of only 254 hosts, they severely restrict the development
potential of a business’s network. So much so that in the 80s, even small businesses were asking for Class-B
Net IDs, which enable the connection of 65,000 hosts.
In reality, few Class-B networks actually use all the IP-address potential available.
If a Class-B Net ID is assigned to a network and only 2,000 addresses are used, the other 63,000 addresses
are unusable and therefore completely wasted.
Indeed, the same Net ID cannot be used elsewhere in the world. You will see later on that the routers
analyze the destination address of IP packets and first try to reach the network (i.e. the Net ID) of the
destination station. If several networks located in different areas have the same Net ID, you can imagine
the confusion at router level.
Figure: an IP-level broadcast from 172.245.0.1 (network 172.245.0.0) to destination IP@ 255.255.255.255 (all 32 bits set to 1) triggers an Ethernet-level broadcast: MAC@dest ff:ff:ff:ff:ff:ff, MAC@src 01:00:2a:01:22:11, Type 0800, IP packet (IP src, IP dest, data), FCS.
We have seen that special multicast and broadcast addresses are used at MAC level. Similarly, special IP
addresses have also been defined at IP level.
A station wishing to transmit an IP packet to all stations connected to the same network uses a broadcast.
In such cases, all the IP-address bits are set to 1.
An IP-level broadcast, which has the destination address 255.255.255.255, automatically triggers a MAC-
level broadcast, which has a destination MAC address in which all the bits are set to "f".
Figure: a station (MAC 01:00:2a:01:22:11) with no IP address yet broadcasts its request in an Ethernet frame (MAC@dest ff:ff:ff:ff:ff:ff, MAC@src 00:01:2a:01:22:11, Type 0800, FCS); a DHCP server (IP@ server) holding an address pool answers.
The station addresses can be provided dynamically by a server. This server can be a "bootp" server or a
"DHCP" server.
Therefore, a station without an IP address that wishes to communicate over the network first sends an IP-
address request to a server.
The station does this by generating an IP packet with the source address 0.0.0.0 (signifying unknown
address) and a broadcast destination address (because the station doesn’t know the server address).
This packet is returned to the MAC protocol, which encapsulates it in a broadcast frame.
The server will take an available address from its address pool.
The special address 0.0.0.0 is used as the source address at start-up only.
Figure: Application 1 and Application 2 on the same host (IP@: Y) exchanging data through the loopback interface.
The class-A network 127.0.0.0 is defined as the loopback network. Addresses from that network are
assigned to interfaces that process data within the local system. These loopback interfaces do not access a
physical network.
Figure: a router with two interfaces, one on network 200.98.76.0 (stations 200.98.76.2, 200.98.76.3, ..., 200.98.76.253) and one on network 192.100.17.0 (stations 192.100.17.2, 192.100.17.3, ..., 192.100.17.253). Class-C network => 254 hosts maximum.
Let’s now take the example of this router, which has 2 interfaces.
The same applies to the second network: the router interface is assigned an address on this network and all
the stations connected to the second network will have an address containing this network Net ID.
To conclude
A Class-C network has 254 addresses: Host IDs "0" and "255" are reserved.
Figure: public IP@ (for example 154.11.22.33, 195.51.63.1, 9.1.2.3) on the Internet: assigned by IANA, globally unique. Private IP@ (for example 10.6.7.8, used in two separate private networks 10.0.0.0): cannot circulate on the Internet.
A public address is an official address assigned by the IANA, which is the body responsible for allocating
Internet IP addresses.
This type of address is globally unique.
The IANA has set aside certain blocks of addresses for private networks.
These addresses are never assigned to Internet stations and cannot circulate on the Internet.
Several private networks can use the same Net ID. There is no ambiguity as long as the networks are not
interconnected.
Figure: private networks and the Internet. Private address blocks: class A: 10.0.0.0 to 10.255.255.255 (1 network); class C: 192.168.0.0 to 192.168.255.255 (256 networks). Example: station 10.10.10.8 on Intranet 1 (Net ID 10.10.10.0) sends a packet to 194.5.3.12 (1); the packet carrying the private IP address is deleted at the Internet access router (2).
Let’s assume that a private network administrator decides to connect his/her network to the Internet.
But private IP addresses are not allowed to circulate over the Internet. The Internet access router destroys
any packet with private addresses.
Figure: NAT. Private network 10.10.10.0 (router interface .1, stations .2, .3, .4) behind a NAT router holding the public address pool 212.17.22.21, 212.17.22.22, 212.17.22.23. Station 10.10.10.4 sends a packet with IPsrc 10.10.10.4, IPdest 194.5.3.12 (1); the NAT router records the mapping private IP@ 10.10.10.4 to public IP@ 212.17.22.21 (2) and forwards the packet over the Internet with IPsrc 212.17.22.21, IPdest 194.5.3.12 (3); the reply is translated back using the table (4).
A solution does exist to enable private stations to communicate with other stations on the Internet: the
Network Address Translation (NAT) function.
The administrator asks the IANA to allocate a public address and configures the NAT function in the Internet
access router.
When a station from the private network sends a packet to a station on the Internet, the access router
intercepts the packet, stores the source IP address and replaces it with an available public IP address from
the pool.
The packet has been transformed and can now circulate over the Internet.
The Internet server can reply by exchanging the source and destination public addresses in the IP-packet
header.
The access router consults its table to restore the private IP address before sending the packet to the
private network.
The NAT function has its limits: at any given time, the number of stations surfing the internet must equal
the number of public addresses allocated by the IANA.
Other mechanisms can be used such as Port Address Translation (PAT) or proxies, which are beyond the
scope of the TCP/IP beginners course.
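As an added Python example (not from the course), the NAT table described above: packets with a private address are dropped by the Internet access router, the NAT function replaces the private source with a public address from the pool and restores it on the reply, and the limit stated in the text appears when the pool runs out. The class BasicNat, the pool and the packet dictionaries are constructed for this example; 172.16.0.0/12 is added to the private blocks the course lists because it belongs to the same reservation.

```python
import ipaddress

# Private blocks listed in the course (10/8 and 192.168/16); 172.16/12 belongs to the
# same RFC 1918 reservation and is added here for completeness.
PRIVATE_BLOCKS = [ipaddress.ip_network(p)
                  for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in PRIVATE_BLOCKS)


def internet_accepts(packet: dict) -> bool:
    """The Internet access router destroys any packet carrying a private address."""
    return not (is_private(packet["src"]) or is_private(packet["dst"]))


class BasicNat:
    """One-to-one NAT (constructed): each private station borrows one public address."""

    def __init__(self, public_pool):
        self.free = list(public_pool)   # public addresses not currently bound
        self.private_to_public = {}
        self.public_to_private = {}

    def outbound(self, packet: dict):
        """Translate a packet leaving the private network; None when the pool is exhausted."""
        src = packet["src"]
        if src not in self.private_to_public:
            if not self.free:
                return None             # the limit described above: no public address left
            public = self.free.pop(0)
            self.private_to_public[src] = public
            self.public_to_private[public] = src
        return dict(packet, src=self.private_to_public[src])

    def inbound(self, packet: dict):
        """Restore the private destination from the table; None drops an unsolicited packet."""
        private = self.public_to_private.get(packet["dst"])
        if private is None:
            return None
        return dict(packet, dst=private)

    def release(self, private_ip: str) -> None:
        """Return a station's public address to the pool when it stops using the Internet."""
        public = self.private_to_public.pop(private_ip, None)
        if public is not None:
            del self.public_to_private[public]
            self.free.append(public)
```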
Figure: DHCP exchange between a client and two servers (Server 1, Server 2).
Principle: several servers can reply to a request.
DHCP-Request: client accepts the server’s offer. Also used to extend the lease.
DHCP-Nack: this message can be sent back to the client when, for example, the server refuses to extend
the lease or the client was too slow to reply to the offer.
Figure: sending a packet from host 1.0.0.1 (MAC@ 102030) to 2.0.0.2, steps 1 to 9: (1) IP@src 1.0.0.1, IP@dest 2.0.0.2; (2) is the IP destination within the local net? No: the packet must go to the default gateway 1.0.0.254 (other network); (3) ARP cache: 1.0.0.2 -> 405060, 1.0.0.254 -> ?????? (unknown); (4) ARP Request for IP@ 1.0.0.254; (5)-(6) ARP Response from the router: MAC@ 908070; (7) ARP cache updated: 1.0.0.254 -> 908070; (8) frame sent: MAC@dest 908070, MAC@src 102030, Type 0800 (IP), IP@src 1.0.0.1, IP@dest 2.0.0.2, FCS; (9) the router (IP@ 1.0.0.254, MAC@ 908070) forwards the packet. Other station on the LAN: IP@ 1.0.0.2, MAC@ 405060.
As you can imagine, if the destination IP address is the address of a station located on the other side of the globe, you
cannot use the broadcast mechanism as it will flood the Internet with messages. That’s precisely why routers never
propagate broadcasts. A broadcast is always restricted to the network in which it was generated. How, then, can
stations in different networks communicate with each other?
In fact, at the IP level of a station, when a packet needs to be sent, the first question IP considers is "Is the destination
address inside or outside the network?"
If the destination address is inside the same network, the usual procedure applies: consultation of the ARP table, ARP
procedure if necessary, etc.
If, however, the destination address is outside the network, the station configuration must indicate the address of the
default router through which the packet must be routed to reach the destination.
This parameter is often called the "default gateway". The transmit station must now transfer the packet as far as this
default gateway. The default gateway has an interface connected to the same network as the transmit station and
therefore has an IP address in the same network (with the same Net ID).
This station knows how to send a packet to another station connected to the same network. It consults its ARP table. If
the MAC address of the default gateway is not yet known, it initiates an ARP procedure by generating a request in the
form of a broadcast. This broadcast will not leave the network but will reach the interface of the router that is
connected to the same network.
The router will reply by sending its interface MAC address. This MAC address will be stored in the station ARP table.
And, finally, the IP packet intended for the remote station will be encapsulated in a frame whose destination MAC
address is the MAC address of the next router. This router is appropriately named "next hop".
It is now the router's job to consult its routing table to establish which is the best outgoing interface to use to reach the
final destination. Once again, the routing table indicates the IP address of the next router that will move the packet
nearer to its final destination. A new ARP procedure might be initiated between these 2 routers to retrieve the MAC
address of the next router, and so on.
So, once again, you can see that the physical addresses are used constantly to move the IP packets through the network
to their final destination.
Figure: host configuration: Host IP@ 128.5.4.1 (class B), default gateway 128.5.15.5. Destination IP@ 128.5.26.2: same network (steps 1-4). ARP cache: 128.5.26.2 -> 908070, 128.5.15.5 -> 405060 (5). The frame is sent directly to MAC@ 908070, the station with IP@ 128.5.26.2 (6), not to the router (IP@ 128.5.15.5, MAC@ 405060) leading to the Internet.
Once the station has been configured, when an IP packet needs to be sent to the address 128.5.26.2, the
station determines whether this IP address is inside or outside its network.
First of all, it analyzes its own IP address to determine which class its own network belongs to. In this
example, 128 indicates a Class-B network address.
Once the station knows the class, it knows where the boundary is between the Net ID and the Host ID for its
own network. Here, the Net ID is two bytes long.
The station therefore compares just the Net ID bytes of the source and destination addresses.
In this example, the Net IDs are identical, which means that the destination IP address is located in the
same network as the transmit station.
The station does not need to send the packet through the default gateway. It just needs to consult the ARP
table directly and possibly initiate an ARP procedure on its LAN if the corresponding MAC address is not yet
known. Here, the ARP table has been updated.
The transmit station can therefore encapsulate the packet in an Ethernet frame whose destination MAC
address will be the MAC address of the IP packet destination station.
Figure: host configuration: Host IP@ 128.5.4.1 (class B), default gateway 128.5.15.5. Destination IP@ 128.6.6.6: Net IDs differ, other network (steps 1-4). ARP cache: 128.5.26.2 -> 908070, 128.5.15.5 -> 405060 (5). The frame is sent to the default gateway, MAC@ 405060 (IP@ 128.5.15.5), which leads to the Internet (6-7); the station with IP@ 128.5.26.2 (MAC@ 908070) is not involved.
Let’s now assume that this station wishes to send a packet to IP address 128.6.6.6
Once again, it analyzes its own IP address and determines that it’s a Class-B network address. It freezes the
2 Net ID bytes and compares them.
This time, the Net IDs are different and the destination station is therefore located in another network.
This means that the packet must go through a router, which will be the default gateway defined in the
station configuration.
The station knows the router’s IP address and now needs to find the corresponding MAC address.
The station consults its ARP cache. In this case, the cache contains the MAC address. If it had not contained
the address, the station would have launched an ARP procedure.
The packet is encapsulated in an Ethernet frame whose destination MAC address is the address of the next
router on the route leading to the final destination (rather than the MAC address of the final destination
station).
Figure: network 128.5.0.0 divided into subnet 128.5.4.0 (router interface 128.5.4.1, stations 128.5.4.2, 128.5.4.3, 128.5.4.4, 128.5.4.5) and subnet 128.5.8.0 (router interface 128.5.8.1, stations 128.5.8.2, 128.5.8.3, 128.5.8.4, 128.5.8.5), with the router connected to the Internet.
The class-based system for network classification lacks the flexibility needed to handle the explosion in the
number of IP networks and devices.
In 1984, to prevent too many stations from being connected to the same network and also because the
distance between sites was increasing, the decision was taken to introduce the "subnetwork" or "subnet"
concept, with the aim of offering administrators of large networks an extra hierarchical level.
The Net IDs of these subnetworks borrow a few bits from the Host ID to ensure that the subnetworks are
clearly identified.
Here, the Class-B network 128.5.0.0, which had a capacity of around 16 million host stations, has been
divided into 2 subnetworks with Net IDs 128.5.4.0 and 128.5.8.0 respectively.
So three bytes are used for the Net ID in these subnetworks.
And, of course, all the stations belonging to network 128.5.4.0 have IP addresses starting with 128.5.4 and
all the stations connected to network 128.5.8.0 have IP addresses starting with 128.5.8
Figure: with subnets, the question "is the IP destination within the local net?" decides between direct delivery and the default gateway. Router: IP@ 128.5.4.1, MAC@ 304050 (default gateway); hosts IP@ 128.5.4.3 (MAC@ 102030) and IP@ 128.5.4.5 (MAC@ 708090). Subnet mask shown in binary with bit positions 24, 23, 22, 21, 20: 22 one-bits followed by 10 zero-bits.
Let’s look at Subnet Mask and at the mechanism for determining whether a destination IP address is "inside"
or "outside" the transmit station network.
There are two IP addresses: a source address and a destination address. The question is: Are these two
addresses in the same subnetwork?
If the Net ID is 3 bytes long, the answer is no.
If the Net ID is 2 bytes long, the answer is yes.
It is clear that an additional parameter is required to indicate the length of the Net ID. This parameter is
the Subnet Mask.
You will see that the difficulty in processing addresses lies in the fact that they are expressed as decimal
numbers.
To make things completely clear, let’s convert the mask into binary, then apply the mask to both the
source and destination address.
The Net ID of the source IP address now appears clearly and can be compared to the corresponding bits of
the destination address.
You can now see clearly that the 2 addresses are in the same subnetwork.
What is the Net ID of this subnetwork? Once again, there is a slight difficulty concerning translation of the
third byte.
Figure: prefix notation. IP address 138.5.19.37/22: the mask is 22 one-bits followed by 10 zero-bits (dotted decimal 255.255.252.0 corresponds to the prefix /22).
Figure: PC configuration: Host IP@ 128.5.4.3 (MAC@ 102030), Subnet Mask 255.255.255.0 (1), default gateway 128.5.4.1 (MAC@ 304050) (5). Destination IP@ 128.5.8.4 (2): the Net IDs differ (3), so the packet goes to the gateway (4). ARP cache: 128.5.4.5 -> 708090, 128.5.4.1 -> 304050. Frame sent (6): MAC@dest 304050, MAC@src 102030, Type 0800 (IP), IP packet with IPsrc 128.5.4.3 and IPdest 128.5.8.4, FCS. Other station on the subnet: IP@ 128.5.4.5, MAC@ 708090. Destination subnet 128.5.8.0: router interface 128.5.8.1 (MAC@ aabbcc), station 128.5.8.4.
Let’s now consider whether the mask has solved the problem of communicating between subnetworks.
The subnet mask must be included in all station configurations along with the default gateway and the IP
address.
Thanks to previous traffic, the ARP cache already contains the MAC addresses of the stations in the same
network.
This station wishes to transmit a packet to the station with the address 128.5.8.4.
From now on, it’s the mask rather than the class that determines the Net ID of the source network.
This time, then, the transmit station discovers that the destination address is outside the network and so
sends the packet to the default gateway using the address in the configuration.
The station consults its ARP cache, which contains the corresponding MAC address.
A frame can therefore be transmitted to the router. The frame contains the IP packet intended for the
remote station.
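The "inside or outside the network" decision from the classful examples and from the subnet-mask examples above, as one added Python example (not from the course): with the class alone, 128.5.4.3 treats 128.5.8.4 as a neighbour, while with mask 255.255.255.0 it correctly hands the packet to the default gateway 128.5.4.1. The function names and the ARP cache contents are constructed for this example.

```python
import ipaddress


def classful_prefix_len(ip: str) -> int:
    """Net ID length implied by the address class (the pre-subnet rule used in the text)."""
    first_octet = int(ip.split(".")[0])
    if first_octet < 128:
        return 8        # class A: leading bit 0
    if first_octet < 192:
        return 16       # class B: leading bits 10
    if first_octet < 224:
        return 24       # class C: leading bits 110
    raise ValueError("not a class A/B/C unicast address")


def masked_binary(ip: str, mask: str) -> str:
    """Apply the mask to the address bit by bit and show the result as 32 binary digits."""
    value = int(ipaddress.ip_address(ip)) & int(ipaddress.ip_address(mask))
    return format(value, "032b")


def net_id(ip: str, mask: str) -> str:
    """Dotted-decimal Net ID of the (sub)network the address belongs to."""
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False).network_address)


def next_hop(host_ip: str, dest_ip: str, default_gateway: str, subnet_mask=None) -> str:
    """IP address the sender must resolve with ARP: the destination itself when it is inside
    the local network, otherwise the default gateway. With no mask, the class decides."""
    if subnet_mask is None:
        prefix = classful_prefix_len(host_ip)
        local_net = ipaddress.ip_network(f"{host_ip}/{prefix}", strict=False)
    else:
        local_net = ipaddress.ip_network(f"{host_ip}/{subnet_mask}", strict=False)
    return dest_ip if ipaddress.ip_address(dest_ip) in local_net else default_gateway


def frame_destination(host_ip, dest_ip, default_gateway, subnet_mask, arp_cache):
    """Return (next-hop IP, MAC address). MAC is None when an ARP request is still needed."""
    hop = next_hop(host_ip, dest_ip, default_gateway, subnet_mask)
    return hop, arp_cache.get(hop)
```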
"Classful" addressing
Which class of network is to be selected?
Waste of IP addresses
"Classless" addressing
Network aggregation
Historically, IP addresses were assigned within classes: Class A (8 bits of network address, 24 bits of host
address), Class B (16 bits of network address, 16 bits of host address) and Class C (24 bits of network
address, 8 bits of host address). With the advent of CIDR, address space is now allocated on a bit boundary
basis.
Figure: network 201.78.48.0 in binary: 11001001 01001110 00110000 00000000. 201.78.48.0/23 ≡ 2 class-C networks, 500 hosts.
Figure: Net1: 201.78.48.0/23 (11001001 01001110 00110000 00000000); Net2: 201.78.50.0/23 (11001001 01001110 00110010 00000000); Net3: 201.78.52.0/22 (11001001 01001110 00110100 00000000); Net4: 201.78.56.0/21 (11001001 01001110 00111000 00000000). Routing table: Destination 201.78.50.0/23 (Net2: 510 hosts); 201.78.52.0/22 (Net3: 1022 hosts); 201.78.48.0/22, next hop IP@2.
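Classless addressing and aggregation with the prefixes of the figure above, as an added Python example (not from the course): 201.78.48.0/23 stands for two class-C networks, Net1 to Net4 collapse into one summary route, and a classless routing table is searched by longest prefix match. The routing table entries and next hops other than IP@2 are constructed for this example.

```python
import ipaddress


def usable_hosts(prefix: str) -> int:
    """Host addresses in a prefix, excluding the all-zeros and all-ones Host IDs."""
    return ipaddress.ip_network(prefix).num_addresses - 2


def class_c_equivalents(prefix: str) -> list:
    """The /24 (class-C sized) networks a shorter prefix stands for."""
    return [str(n) for n in ipaddress.ip_network(prefix).subnets(new_prefix=24)]


def aggregate(prefixes) -> list:
    """Collapse adjacent prefixes into the fewest summary routes (network aggregation)."""
    nets = (ipaddress.ip_network(p) for p in prefixes)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def route_lookup(routing_table, dest_ip: str):
    """Classless lookup: the most specific (longest) matching prefix wins; None if no route.
    routing_table is a list of (prefix, next hop) pairs."""
    addr = ipaddress.ip_address(dest_ip)
    best_net, best_hop = None, None
    for prefix, next_hop in routing_table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop
```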
Static routing:
Generates no traffic and saves bandwidth
Easy to create for simple networks
Manual programming
No re-routing in case of failure
Risk of error occurring
Dynamic routing:
Automatically re-routes the traffic in case of failure
Ideal for large networks
Generates traffic on the network
Leads to a processing overload in the routers
Static Routing
Static routing is carried out manually by the network administrator. The administrator is responsible for
detecting and propagating routes throughout the network. The administrator enters the routes manually in
the configuration of each of the network’s routing devices.
Once the router has been configured, it simply transfers the packets using the predetermined ports. There
is no communication between the routers concerning the actual network topology.
In small networks with little redundancy, the static routing process is quite easy to manage. However, this
method has certain drawbacks as far as the management of IP routing tables is concerned:
the static routes require a high level of coordination and maintenance in complex network environments,
the static routes do not adapt dynamically to the operating state of the network. When a destination
subnetwork becomes unreachable, the static routes leading to this network remain in the routing table.
Traffic continues to be transmitted to this destination. Until the network administrator updates the static
routes in line with the new network topology, traffic cannot be routed along other existing routes.
Dynamic Routing
Dynamic routing algorithms enable routers to detect and adapt automatically to the routes in the network.
Routing algorithm
•RIP •OSPF
•BGP (path Vector) •IS-IS
•EIGRP
RIP: Routing Information Protocol
IS-IS: Intermediate System to Intermediate System
OSPF: Open Shortest Path First
EIGRP: Enhanced Interior Gateway Routing Protocol
BGP: Border Gateway Protocol
Several dynamic routing protocols are currently used for automatic route detection. The difference
between these protocols lies in the way they detect and calculate new routes to destination networks.
They can be divided into two main categories:
[Figure: autonomous systems interconnected across the INTERNET by BGP: Janet (IS-IS), Sphinx (OSPF), Sprint (OSPF), DFN (IGRP) and Renater (EIGRP); each autonomous system runs its own interior protocol.]
2 classes of protocols:
Interior Gateway Protocol (RIP, IGRP, OSPF, IS-IS, etc.)
Exterior Gateway Protocol (EGP, BGP)
Autonomous Systems (ASs) are logical portions of a larger IP network. ASs are usually networks inside
organizations. They are controlled by a single administration authority.
Certain routing protocols are used to determine routing paths within an AS while others are used to
interconnect several ASs:
Interior Gateway Protocols: enable routers to exchange information within an AS. Examples: OSPF and
RIP.
Exterior Gateway Protocols: enable ASs to exchange information with other ASs. Example: BGP.
The interior protocols are used to manage routing information within each AS. The figure also shows the
exterior protocols, which manage information on routing between ASs.
Numerous interior routing processes can be used within an AS. When this arises, the AS must present itself
to the other ASs with a single, coherent routing plan. The AS must provide a coherent view of its internal
destinations.
[Figure: routing plan with networks 204.92.75.0, 204.92.77.0, 204.92.76.0 and 192.168.201.0. R2 connects 204.92.75.0, 204.92.77.0 and 204.92.76.0; R1 connects 204.92.76.0 (interface e1, 204.92.76.2) and 192.168.201.0 (interface e0, 192.168.201.1); R2's interface on 204.92.76.0 is 204.92.76.1.]
R1 interface configuration:
#interface e1
ip address 204.92.76.2 255.255.255.0
# interface e0
ip address 192.168.201.1 255.255.255.0
R1 routing table:
Network            Mask             Next hop       If
204.92.76.0        255.255.255.0    -              e1
192.168.201.0      255.255.255.0    -              e0
0.0.0.0 (default)  0.0.0.0          204.92.76.1    e1
Let’s now look at what a routing plan is by means of the following example.
There are 4 networks:
the network with Net ID 204.92.77.0
the network 204.92.75.0
the network 204.92.76.0
the network 192.168.201.0
As usual, each router interface has an IP address in the network it belongs to.
Let’s now look at the R1 routing table, or rather let’s construct the R1 routing table.
The routing table will not include routes to every station as it would be enormous. Instead, it will include
the routes needed to reach each network. A network is represented by its Net ID, that is, an IP address
associated with a mask.
First route: to reach the stations in network 204.92.76, traffic doesn’t need to go through another router as
Ethernet interface 1 (e1) is connected directly to this network.
Similarly, to reach the stations in network 192.168.201, traffic can go through Ethernet interface 0 (e0).
We could then continue to describe all the other networks. But, let’s imagine that all the world’s other
internet networks are located on the left of R1. Describing all the networks would be tedious and the
routing table would be huge. So, to make the task easier, a default route can be included in the routing
table. This default route would be used solely when no other route in the table can be used to route the
packet.
So, here, any IP packet whose destination address doesn’t begin with 204.92.76 or 192.168.201 must be
sent to router R2, which is known as the "next hop". The routing table therefore contains the IP address of
the router R2 interface that shares the same network as R1. It also contains the R1 outgoing interface.
[Figure: the same routing plan with /24 masks: 204.92.75.0/24, 204.92.77.0/24, 204.92.76.0/24 and 192.168.201.0/24; R1 interfaces e1 and e0, R2 interfaces e0, e1 and e2.]
R1 routing table:
Network            Mask             Next hop       If
204.92.76.0        255.255.255.0    -              e1
192.168.201.0      255.255.255.0    -              e0
0.0.0.0 (default)  0.0.0.0          204.92.76.1    e1
Fill in this table
Exercise
Try and fill in the routing table for router R2.
Several solutions are possible.
[Figure: the routing plan seen from R2: interface e0 on 204.92.76.0/24, e1 on 204.92.77.0/24, e2 on 204.92.75.0/24; R1 on 204.92.76.0/24 and 192.168.201.0/24.]
You can start by adding the routes to the networks connected directly to router R2.
To reach network 204.92.76, go through Ethernet interface 0.
To reach network 204.92.77, go through Ethernet interface 1.
To reach network 204.92.75, go through Ethernet interface 2.
The preference here is for the Net ID. So, to reach network 192.168.201, go to the next hop (i.e. router R1)
via Ethernet interface 0.
[Figure: modified plan: R1 gains a third interface, e2, on network 204.92.77.0 (R1 e1 remains on 204.92.76.0 with address .2); R2 keeps interfaces e0, e1 and e2.]
Let’s now alter the diagram so that there are several routes leading to a destination. The routing table
must be updated. So, in R1 there is now a second direct route to 204.92.77 through Ethernet interface 2.
The question that now arises is "Which one of the 2 routes will R1 choose to reach network 204.92.77?". This
is the role of another routing-table parameter known as the "metric".
Here, for example, the metric corresponds to the number of hops to the destination station. It is 0 when
the network is connected directly. The router chooses the lowest-cost route.
The routing table is not quite up to date. At the moment, it shows only one route for reaching network
204.92.75 (the route that goes through network 204.92.75) when, in fact, another route via Ethernet 2 and
the next hop 204.92.77.1 can be used.
The type of routing just constructed is static routing, which means that it is set up by an operator.
You can see that:
static routing is relatively complex to set up in a large network,
design errors, route omissions and even typing errors can easily occur in the routing tables.
But, on top of that, this type of routing is not self-adjusting. This means that it cannot adjust to events
that occur in the network such as link breakage, router failure, etc.
It is for these reasons that dynamic routing protocols such as RIP, OSPF, BGP, etc. were developed.
The levels of performance and sophistication of these protocols vary and they all offer certain advantages
and disadvantages.
Similarly, static routing can also offer advantages in certain specific circumstances.
[Figure: routing table with overlapping prefixes and an incoming datagram for 192.168.1.17:]
Prefix             Next hop
192.168.0.0/16     R4
194.1.0.0/16       R1
194.1.16.0/20      R2
192.168.1.0/24     R3
Problem:
Which of the 2 matching entries must the datagram for 192.168.1.17 use? A priori one does not know, because the
datagram does not carry the size of the prefix (mask).
Rule:
The entry which has the longest prefix is retained.
It is thus necessary:
to scan the whole routing table,
to retain all the possible prefixes, and
to choose among those the one which has the longest mask. Here, it is 192.168.1.0/24.
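The longest-prefix rule above, and the routing-plan table built for R1 earlier (directly connected networks plus a default route), can both be checked with a small lookup routine. The following is an added example written for this guide, not code from the original document or from any router vendor; the two tables are constructed copies of the figures, and the "R1"–"R4" next hops and the e0/e1 interface names are taken from those figures.

```python
import ipaddress

# Constructed copy of the overlapping-prefix table in the figure: prefix -> next hop.
# The entries are deliberately NOT sorted by length; the lookup must scan them all.
FIGURE_TABLE = [
    ("192.168.0.0/16", "R4"),
    ("194.1.0.0/16", "R1"),
    ("194.1.16.0/20", "R2"),
    ("192.168.1.0/24", "R3"),
]

# Constructed copy of R1's table from the routing-plan example: directly connected
# networks have no next hop (None); 0.0.0.0/0 is the default route via R2's interface.
R1_TABLE = [
    ("204.92.76.0/24", (None, "e1")),
    ("192.168.201.0/24", (None, "e0")),
    ("0.0.0.0/0", ("204.92.76.1", "e1")),
]


def longest_prefix_match(table, destination):
    """Return (prefix, entry) for the most specific route to `destination`.

    The datagram carries only a destination address, never a mask, so every
    entry whose prefix contains the address is a candidate; the candidate with
    the longest prefix length wins. A 0.0.0.0/0 default route matches every
    address with length 0, so it is chosen only when nothing more specific fits.
    Returns None when no entry matches (the packet cannot be forwarded).
    """
    dst = ipaddress.ip_address(destination)
    best_net, best_entry = None, None
    for prefix, entry in table:
        net = ipaddress.ip_network(prefix, strict=True)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_entry = net, entry
    if best_net is None:
        return None
    return str(best_net), best_entry


if __name__ == "__main__":
    # The figure's question: which entry does 192.168.1.17 use?
    print(longest_prefix_match(FIGURE_TABLE, "192.168.1.17"))   # the /24 via R3
    # R1: a station on 204.92.75.0 is reached through the default route.
    print(longest_prefix_match(R1_TABLE, "204.92.75.3"))
```

A router that instead stopped at the first matching entry would send 192.168.1.17 to R4 whenever the /16 happened to be listed first; scanning the whole table and keeping the longest prefix makes the result independent of table order.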
[Figure: TTL decremented at each router hop along a path (e.g. TTL=32 at the source; TTL=61, TTL=60 on another path; a datagram reaching TTL=0 is discarded). IP header fields: Version, Header length, ToS, Datagram length, Identification, Flags, Offset, Protocol (higher-level protocols: 1 = ICMP, 6 = TCP, 17 = UDP), Data. MAC frame: MAC@ dest., MAC@ src., EtherType 0800 (IP), Data, FCS.]
When the destination station of a MAC frame receives the frame, it is the EtherType field that indicates
which higher-level protocol the contents must be sent to.
This is also the case for IP. The "protocol" field indicates which higher-level protocol is the destination of
the packet data.
The IANA assigns the official codes for this field.
The protocols encapsulated in IP are ICMP, UDP and TCP.
The TCP and UDP protocols will be studied during this training module.
[Figure: end-to-end path between two hosts across two routers. The transport data and the IP addresses (IP@ a→b) stay the same on every link; the physical (link-layer) addresses are rewritten on each link: Phys@ s1→d2 on the first link, Phys@ s8→d7 on the second, Phys@ s4→d15 on the last; host interfaces Phys@ 1 and 15, router interfaces Phys@ 2, 6, 8, 7 and 4.]
When two users wish to communicate, one is the Client because in the IP world the client is defined as the
user requesting the service, while the other is the Server because that user provides the service.
Here, the Server is capable of providing various services but the Client wishes to request one service only.
The transport layer is charged with targeting the required service. For this, each application is allocated an
official number known as a "port number". (N.B. the IANA is responsible for allocating a port number to
every new service.) The transport layer sends the datagram to the lower-layer IP. This IP packet must be
sent to the remote server. For this reason, every machine connected to the IP network is assigned
a logical address called an IP address. One of IP's jobs is to insert a header. The main fields in this header are
the packet source and destination addresses. The packet is then sent to the data link layer, which
encapsulates it in a frame with a header containing the physical source and destination addresses. Finally,
the frame is transferred to the transmission medium.
All the machines connected to this transmission medium analyze the frame header but, because only the
router interface recognizes its physical address, it alone extracts the contents of the frame and transmits them to
the upper-layer IP. The router’s network layer analyzes the packet header, especially its destination IP
address. Its routing table indicates the outgoing interface and the next physically connected device the
packet must pass through to reach its final destination. The IP packet is transferred to the data link layer,
which encapsulates it in a frame. This time, the physical source address is the source router interface
address and the physical destination address is the address of the next router interface. Once again, only
the router recognizes its physical address in the frame transported by the transmission medium. It
therefore extracts the packet from the frame and sends its contents to its network layer. The network layer
routes the packet to the outgoing interface using its routing table.
Finally, the frame is transferred to the last link. The destination machine recognizes its physical address in
the header and sends the contents to its IP. The IP of the final destination machine recognizes its own IP
address in the destination IP field of the packet received. The contents of the packet are then sent to the
transport layer, which examines the header. Thanks to the destination port number contained in the layer-
4 protocol header, the data is routed to the service chosen by the Client.
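The demultiplexing chain described above (EtherType selects IP, the IP protocol field selects the transport, the destination port selects the service) and the per-hop rewriting of physical addresses with unchanged IP addresses can be made concrete by building and taking apart a frame. This is an added example written for this guide, not code from the original document; the MAC addresses, ports, identification value and payload are constructed, the IP addresses are the ones used in the guide's figures, and UDP is used as the transport with its checksum left at zero (a simplification of the example, not of the protocol).

```python
import struct

ETHERTYPE_IPV4 = 0x0800                               # "0800" in the MAC frame figure
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17     # IANA-assigned protocol numbers


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join("%02x" % b for b in raw)


def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement sum of the 16-bit words.
    A header whose checksum field is already correct sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload, ttl=64):
    """Encapsulate top-down: UDP header (ports) -> IP header (addresses) -> MAC header."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload  # checksum 0: not computed here
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, ttl, IPPROTO_UDP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp


def parse_frame(frame):
    """Decapsulate bottom-up, demultiplexing at each layer as the text describes:
    EtherType -> IP, IP protocol field -> UDP, UDP destination port -> service."""
    if len(frame) < 14 + 20 + 8:
        raise ValueError("truncated frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("EtherType 0x%04x is not IP" % ethertype)
    ip = frame[14:]
    ver_ihl, _tos, _tlen, _ident, _flags, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IP header")
    if proto != IPPROTO_UDP:
        raise ValueError("protocol %d is not UDP" % proto)
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", ip[ihl:ihl + 8])
    return {
        "dst_mac": mac_text(frame[:6]), "src_mac": mac_text(frame[6:12]),
        "src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)),
        "ttl": ttl, "protocol": proto, "src_port": sport, "dst_port": dport,
        "payload": bytes(ip[ihl + 8:ihl + ulen]),
    }


def router_forward(frame, in_mac, out_mac, next_hop_mac):
    """One router hop. Only a frame addressed to our interface's MAC is accepted
    (every other station on the medium ignores it). The IP source and destination
    addresses are left untouched; TTL is decremented and the header checksum
    recomputed; the frame is rebuilt with our outgoing interface as source MAC and
    the next hop as destination MAC. Returns None if the frame is not ours or
    the TTL would reach 0 (the datagram is discarded)."""
    if frame[:6] != mac_bytes(in_mac):
        return None
    ip = bytearray(frame[14:])
    if ip[8] <= 1:
        return None
    ip[8] -= 1
    ihl = (ip[0] & 0x0F) * 4
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip[:ihl])))
    return mac_bytes(next_hop_mac) + mac_bytes(out_mac) + struct.pack("!H", ETHERTYPE_IPV4) + bytes(ip)


if __name__ == "__main__":
    # Constructed values: host 10.1.1.10 sends a UDP datagram to 20.20.20.4 via its router.
    frame = build_frame("00:00:00:00:00:01", "00:00:00:00:00:02", "10.1.1.10", "20.20.20.4", 40000, 53, b"query")
    print(parse_frame(frame))
    hop = router_forward(frame, "00:00:00:00:00:02", "00:00:00:00:00:08", "00:00:00:00:00:07")
    print(parse_frame(hop))   # same IP addresses, new MACs, TTL one lower
```

The checksum check in parse_frame is what lets a receiver reject a header that was altered in transit; the TTL check in router_forward is what stops a datagram looping forever between routers with inconsistent tables.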
But what does IP provide?
Not reliable
No error recovery
Best effort
Connectionless-oriented
IP is not reliable. This means that it cannot guarantee that the data it sends will be routed correctly. In the
event that a packet is lost, IP does not perform error recovery.
IP offers a connectionless service. This means that it does not communicate with the other remote IP
layers. Each datagram is managed independently from the other datagrams even when a large file is being
transferred between remote entities. This implies that the datagrams can be mixed up, duplicated, lost or
altered.
IP just tries to deliver the datagrams and provides a "Best effort" service.
[Figure: host 10.1.1.10 sends packets for 20.20.20.4 to its default gateway 10.1.1.2 (Router A); Router B is on the same network.]
Router A is the default gateway responsible for handling packets for network 10.1.1.0/24. If the
connection between Router A and the network goes down or if the router becomes unavailable, fast
converging routing protocols, such as the Enhanced Interior Gateway Routing Protocol (Enhanced IGRP)
and Open Shortest Path First (OSPF) can respond within seconds so that Router B is prepared to transfer
packets that would otherwise have gone through Router A.
However, in spite of fast convergence, if Router A goes down, the users in network 10.1.1.0 might not be
able to communicate with the external segments even after the routing protocol has converged. That's
because IP hosts usually do not participate in routing protocols. Instead, they are configured statically
with the address of a single router, such as Router A. Until someone manually modifies the configuration
of the machine to use the address of Router B instead of Router A, the user cannot communicate with the
other network segments.
Some IP hosts use proxy Address Resolution Protocol (ARP) to select a router. If the user’s workstation
was running proxy ARP, it would send an ARP request for the IP address 20.20.20.4. Router A would reply
on behalf of that station and would offer its own media access control (MAC) address. With proxy ARP,
stations in external segments are seen as if they were connected to the same segment. If Router A fails,
machine 10.1.1.10 will continue to send packets destined for 20.20.20.4 to the MAC address of Router A
even though those packets have nowhere to go and are lost. The user either waits for ARP to acquire the
MAC address of Router B by sending another ARP request or reboots the workstation to force it to send an
ARP request. In either case, for a significant period of time, it will not be able to communicate with any
external destination, even when routing protocols have converged and Router B is ready to forward
packets.
Some IP hosts use the Routing Information Protocol (RIP) to discover routers. The drawback of using RIP is
that it is slow to adapt to changes in the topology. If stations in network 10.1.1.0 were configured to use
RIP, 3 to 10 minutes might elapse before RIP makes another router available.
Some newer IP hosts use the ICMP Router Discovery Protocol (IRDP) to find a new router when a route
becomes unavailable. A host that runs IRDP listens for hello multicast messages from its configured
router and uses an alternate router when it no longer receives those hello messages. If the station was
running IRDP, it would detect that Router A is no longer sending hello messages and would start sending
its packets to Router B. However, for legacy devices that do not support IRDP, it is not an option.
[Figure: HSRP virtual router. Router A (active): interface IP @: 10.1.1.2, MAC @: 00:10:7B:81:9C:EC. Router B (standby). The standby group number is the group to which the participating physical interfaces belong.]
One way to achieve high availability is to use HSRP, which provides network redundancy for IP networks,
ensuring that user traffic continues to be forwarded immediately and that the network transparently recovers from first-hop failures in
router interfaces.
By sharing an IP address and a MAC (Layer 2) address, two or more routers can act as a single "virtual"
router. The members of the virtual router group continually exchange status messages. This way, one
router can assume the routing responsibility of another, should it go out of commission for either planned
or unplanned reasons. Hosts continue to forward IP packets to a consistent IP and MAC address, and the
changeover of devices doing the routing is transparent.
Using HSRP, a set of routers works in concert to present the illusion of a single virtual router to the hosts
on the LAN. This set is known as an HSRP group or a standby group. A single router elected from the
group is responsible for forwarding the packets that hosts send to the virtual router. This router is known
as the Active router. Another router is elected as the Standby router. In the event that the Active router
fails, the Standby assumes the packet-forwarding duties of the Active router. Although an arbitrary
number of routers may run HSRP, only the Active router forwards the packets sent to the virtual router.
To minimize network traffic, only the Active and Standby routers send periodic HSRP messages once the
protocol has completed the election process. If the Active router fails, the Standby router takes over as
the Active router. If the Standby router fails or becomes the Active router, then another router is
elected as the Standby router.
On a particular LAN, multiple hot standby groups may coexist and overlap. Each standby group emulates
a single virtual router. The individual routers may participate in multiple groups. In this case, the router
maintains separate state and timers for each group.
Each standby group has a single, well-known MAC address, as well as an IP address.
In most cases when you configure routers to be part of an HSRP group, they listen for the HSRP MAC
address for that group as well as their own burned-in MAC address. The exception is routers whose
Ethernet controllers only recognize a single MAC address (for example, the Lance controller on the Cisco
2500 and Cisco 4500 routers). These routers use the HSRP MAC address when they are the Active router,
and their burned-in address when they are not.
HSRP uses the following MAC address on all media except Token Ring:
0000.0c07.ac** (where ** is the HSRP group number)
[Figure: Router A (active) and Router B (standby) send Hello messages to 224.0.0.2 (from 10.1.1.1 and 10.1.1.2). When no more hellos arrive from Router A, Router B enters active mode.]
The routers in an HSRP group send and receive keepalives using the multicast address 224.0.0.2 and
UDP port 1985. By default the hello interval is 3 seconds. Once 3 hello intervals pass without hearing
from the active router, the standby router automatically becomes the active router. Each router is
configured with a priority number; the router with the highest priority number in a standby group is the
active router.
Preemption
The HSRP preemption feature enables the router with the highest priority to immediately become the Active
router. Priority is determined first by the priority value that you configure, and then by the IP address. In
each case a higher value is of greater priority.
When a higher priority router preempts a lower priority router, it sends a coup message. When a lower
priority active router receives a coup message or hello message from a higher priority active router, it
changes to the speak state and sends a resign message.
Preempt Delay
The preempt delay feature allows preemption to be delayed for a configurable time period, allowing the
router to populate its routing table before becoming the active router.
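The election rule (highest priority, then highest IP address), the preemption rule, the hold time of three missed hellos and the well-known virtual MAC can be checked with a small model. The following is an added example written for this guide, not code from the original document or from any router's HSRP implementation; the router names, priorities and interface addresses are constructed in the spirit of the figures, and the simulation replaces real timers with a replayed timeline in seconds.

```python
HSRP_MULTICAST_GROUP = "224.0.0.2"     # hellos are sent here, UDP port 1985
HSRP_UDP_PORT = 1985
DEFAULT_HELLO_INTERVAL = 3.0            # seconds
MISSED_HELLOS_BEFORE_TAKEOVER = 3       # standby takes over after 3 hello intervals


def hsrp_virtual_mac(group):
    """Well-known virtual MAC 0000.0c07.ac** for standby group ** (all media except Token Ring)."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP group number must be 0..255")
    return "0000.0c07.ac%02x" % group


def _rank(router):
    # A router is (name, priority, interface_ip). Priority first, then IP address; higher wins.
    _name, priority, ip = router
    return (priority, tuple(int(octet) for octet in ip.split(".")))


def elect(routers):
    """Return (active, standby) names for a standby group."""
    ranked = sorted(routers, key=_rank, reverse=True)
    return ranked[0][0], (ranked[1][0] if len(ranked) > 1 else None)


def preempts(candidate, active):
    """With preemption enabled, a better-ranked router takes the Active role
    (it sends a coup; the lower-priority active router resigns)."""
    return _rank(candidate) > _rank(active)


class StandbyRouter:
    """Hold-timer model of the standby router: it declares itself active once no
    hello from the active router has been heard for hello_interval * missed."""

    def __init__(self, name, hello_interval=DEFAULT_HELLO_INTERVAL,
                 missed=MISSED_HELLOS_BEFORE_TAKEOVER):
        self.name = name
        self.state = "standby"
        self.hold_time = hello_interval * missed
        self.last_hello = None

    def hello_from_active(self, now):
        self.last_hello = now

    def tick(self, now):
        if (self.state == "standby" and self.last_hello is not None
                and now - self.last_hello > self.hold_time):
            self.state = "active"
        return self.state


def takeover_time(hello_times, until, step=1.0):
    """Replay hellos from the active router at the given times (seconds) and return
    the time at which the standby becomes active, or None if hellos kept coming."""
    pending = sorted(hello_times)
    router = StandbyRouter("Router B")
    t = 0.0
    while t <= until:
        while pending and pending[0] <= t:
            router.hello_from_active(pending.pop(0))
        if router.tick(t) == "active":
            return t
        t += step
    return None


if __name__ == "__main__":
    group = [("Router A", 100, "10.1.1.2"), ("Router B", 100, "10.1.1.1")]   # constructed
    print(elect(group), hsrp_virtual_mac(1))
    # Router A sends hellos at 0, 3 and 6 s and then fails: when does B take over?
    print(takeover_time([0, 3, 6], until=60))
```

With equal priorities the tie goes to the higher interface address, so an operator who wants a deterministic active router should set distinct priorities rather than rely on addressing; the takeover delay in the model is the hold time (9 s by default) after the last hello heard.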
[Quiz answers: By BGP-4; By UDP.]
Section 5
Transport Layer
IP Technology
IP for Mobile Networks
TTP18031 D0 SG DEN I1.0
Document History
[Figure: position of UDP in the TCP/IP stack. Network layer: IP, ICMP, ARP. Link layer: SNAP, LLC 802.2, MAC. Physical layer: optical fiber, shielded twisted pair, 10Base-T, 10Base2, 10Base5.]
[Figure: packets P1, P2, P3 sent over different routes arrive in a different order (P3, P1, P2).]
You have already seen that IP offers service in connectionless mode only.
This means that the IP network does not ensure that all the packets from the same flow follow the same
route and therefore cannot guarantee that these packets will arrive in the same order they were
transmitted.
UDP also functions in connectionless mode and therefore does not offer mechanisms for reordering
packets.
[Figure: two users communicating over UDP; not reliable.]
You know that IP is not a reliable protocol. Does UDP increase reliability?
For example, a user sends a letter and requests a reply. If a reply has not been received after n days, the
user can send the letter again.
[Figure: two applications over UDP across the IP network (Internet): a conversation application not wishing reliability, which sends every 10 s, and the DNS application, which wishes reliability: "What is the IP@ of "alcatel.com"?" / ""alcatel.com" = 169.109.33.06".]
Other applications are based on UDP even though they need a good level of reliability.
These are generally applications that need to perform extremely simple exchanges such as "request-reply" exchanges.
Take the case of the Domain Name System (DNS), which uses a "name server" to translate domain names
such as "alcatel.com" into IP addresses.
This is done using a dialog protocol that runs on top of UDP.
When a Client asks for a translation, it obviously wishes to receive a result. However, this level of
reliability is not guaranteed with UDP.
So, the DNS application asks a name server to translate a domain name. This request is made using non-reliable UDP and IP.
As it happens, the packet is destroyed in the network but there is no reaction from IP or UDP.
It is therefore up to the application to recover the error.
How does it do this?
Quite simply, by triggering a reply Timer when the request is sent.
If, at timeout, a reply has not been received, the Client simply resends the request.
And, hopefully, this time the exchange will proceed as planned.
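The recovery just described (arm a reply timer when the request is sent, resend on expiry) is something the application has to implement itself, since neither UDP nor IP will do it. Below is an added example written for this guide, not code from the original document or from any DNS implementation: the lossy channel and the toy name server are constructed stand-ins for the network and the real server, the answer for "alcatel.com" is the value shown in the figure, and the doubling of the timeout between tries is an added design choice that the text does not prescribe.

```python
import random


class LossyChannel:
    """Constructed stand-in for the unreliable UDP/IP path between client and
    name server: the first `drop_first` datagrams are silently lost, the rest
    get through. Neither IP nor UDP tells anyone about the loss."""

    def __init__(self, drop_first):
        self.drop_first = drop_first
        self.carried = 0

    def send(self, datagram):
        self.carried += 1
        if self.carried <= self.drop_first:
            return None            # destroyed in the network
        return datagram


# Constructed toy name server: answers the one name used in the figure.
ZONE = {"alcatel.com": "169.109.33.06"}


def name_server(request):
    txid, name = request
    return txid, ZONE.get(name)


def resolve(name, channel, first_timeout=1.0, max_tries=3):
    """DNS-style request/reply over an unreliable transport.

    The client arms a reply timer when it sends the request; if the timer
    expires without a reply it simply resends. Each try carries a fresh
    transaction id so a late reply to an earlier try cannot be taken for the
    answer to the current one. The timeout doubles after each failed try.
    Returns (answer, tries_used, seconds_spent_waiting_on_timeouts) and raises
    TimeoutError once max_tries are exhausted, so the caller can report the
    failure instead of hanging forever.
    """
    timeout, waited = first_timeout, 0.0
    for attempt in range(1, max_tries + 1):
        txid = random.randrange(1 << 16)
        reply = channel.send((txid, name))
        if reply is None:
            waited += timeout       # timer ran out: nothing came back, resend
            timeout *= 2
            continue
        reply_txid, answer = name_server(reply)
        if reply_txid == txid:
            return answer, attempt, waited
        waited += timeout           # reply to some other try: ignore it, keep waiting
        timeout *= 2
    raise TimeoutError("no reply for %s after %d tries" % (name, max_tries))


if __name__ == "__main__":
    # Constructed run: the first two requests are lost, the third gets through.
    print(resolve("alcatel.com", LossyChannel(drop_first=2)))   # ('169.109.33.06', 3, 3.0)
```

The bounded retry count is the part most often forgotten: without it, a server that never answers turns a lost datagram into an application that never returns.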
[Figure: UDP header fields, followed by Data.]
Now you have seen the UDP applications, let’s look at the fields that make up the UDP header.
You are now familiar with the role of the source and destination port fields.
[Figure: UDP characteristics: no flow control, no error recovery; multiplexing between applications 1, 2 and 3.]
[Quiz residue: Electronic mail / File transfer / Voice over IP. For what does the Real-time Transport Control Protocol (RTCP) provide a performance monitoring channel? An IP packet / An RTP flow. Connectionless; Unreliable service; Yes / No; Packet retransmission.]
[Figure: position of TCP in the TCP/IP stack. Network layer: IP, ICMP, ARP. Link layer: SNAP, LLC 802.2, MAC (FDDI, Token Ring, Ethernet 802.3, ISO, Ethernet V2). Physical layer: optical fiber, 10Base-T, 10Base2, 10Base5.]
Illustrating the position of TCP in the TCP/IP stack obviously shows that TCP is located in the transport
layer but, more particularly, it presents the main applications that run over this protocol:
HTTP, which enables users to surf the internet.
FTP, which enables effective file transfer.
TELNET, which enables systems to be remote controlled.
SMTP, which enables the sending of electronic mail.
DNS, which is used for translating domain names into IP addresses and which has the particular feature
of functioning over both UDP, as seen previously, and over TCP. In fact, it uses TCP solely to update
databases between name servers.
[Figure: packets P1, P2, P3 carried over different routes and arriving out of order (P3, P1, P2); TCP delivers them in the order sent.]
Although TCP is installed over IP, which is a connectionless protocol, it offers a connection-oriented
service. This means that TCP ensures that packets sent in a particular order over an IP network will be
delivered to the applications in the order they were sent. To make this possible, TCP must insert
sequence numbers in the datagrams.
[Figure: a cash dispenser application sends "Withdrawal: 50€" to the central bank application. TCP sends P1 across the IP network (not reliable) and receives P1-OK: TCP is reliable.]
[Figure: TCP header fields (ports, sequence number, acknowledgement number, ...), followed by Data (optional).]
As in UDP, certain ports are used for particular services such as Discard, Echo, Time, etc.
Several fields are used to ensure that packets are sequenced correctly and errors recovered:
sequence number of the first byte in this packet.
acknowledgement number that indicates which is the next byte expected by the other station.
[Figure: three-way handshake. Connect-Request / SYN (Seq.= x); Connect-Indication, Connect-Response / SYN (Seq.= y), ACK (Ack.= x + 1); Connect-Confirm / ACK (Ack.= y + 1), Seq.= x + 1.]
Communication between 2 applications operating over TCP therefore begins with a connection
establishment procedure called the "three-way handshake".
The Client application sends TCP a Connect-Request primitive with the destination port, the IP address,
etc.
TCP on the Client side starts by selecting a sequence number at random. It inserts it in the TCP header
and sets the SYN (synchronization) flag.
TCP on the Server side (the remote station) uses the primitive Connect-Indication to notify the
application corresponding to the port number and provides certain parameters such as the calling IP
address.
The Server application uses the primitive Connect-Response to ask TCP to accept the connection.
The TCP on the Server side then chooses a random sequence number.
It sends back its own sequence number along with the SYN flag and indicates that the request has been
received by setting the ACK flag and sending back the sequence number received incremented by 1.
When TCP on the Server side sends this header back, it is not sure that the information will reach its
destination. For this reason, the other station acknowledges receipt of the message by incrementing its
sequence number and sending back the sequence number received plus 1.
In the meantime, TCP on the Client side uses the primitive Connect-Confirm to inform its application
that the session connection has been established.
[Figure: establishment phase, then transfer phase starting at Seq.: 40. Data-Request("abcd") / Seq.= 40, Data "abcd" → Data-Indication("abcd"), ACK=44. Data-Request("efg") / Seq.= 44, Data "efg" (longer route). Data-Request("hi") / Seq.= 47, Data "hi". Data-Request("jkl") / Seq.= 49, Data "jkl". When "efg" finally arrives: Data-Indication("efghijkl"), ACK=52.]
Once the session has been established between the 2 applications, data can be exchanged in both
directions.
To make this example easier to understand, the data will be transferred in one direction only.
It should be noted that TCP must ensure that the data is passed on to the applications in the same order
it was sent.
Let’s assume that the sequence number is currently 40. The application uses the Data-Request primitive
to ask its TCP to transmit the 4 characters "abcd". TCP therefore sends this data with its current
sequence number, that is, 40.
The remote station passes this data on to its application. But TCP itself acknowledges receipt of the data
by sending back an acknowledgement number equal to the sequence number received incremented by
the number of bytes received, which in this case is 4.
In the meantime, the sender wishes to send 3 more characters, "efg". Unlike with UDP, TCP doesn’t wait
for acknowledgement of receipt of the previous data before transmitting the new data.
TCP therefore transmits this data immediately. The sequence number of the first byte in the segment is
now 44.
This segment may be carried over another route, which will mean a longer transmission delay.
Next, 2 other characters, "hi", are transmitted with the sequence number 47. This time, the route taken
by the segment is a lot quicker and the segment even reaches its destination before the previous
segment.
Next, another 3 characters, "jkl", with the sequence number 49 are sent along the same faster route.
This segment also overtakes the segment that is still being transported over the longer route.
On the receive side, this data is not passed on to the application because it is no longer in the order in
which it was sent. Only when the middle segment is received is all the data waiting in TCP passed on to
the application. And only then is the acknowledgement sent back to the sender.
This example shows how TCP uses sequence numbers to ensure that data is delivered in the same order it
was sent.
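The handshake arithmetic (Ack = received Seq + 1) and the reordering just walked through can be reproduced exactly. This is an added example written for this guide, not code from the original document or from any TCP stack; it models only the parts the text discusses (random initial sequence numbers, SYN/ACK checks, in-order delivery and the acknowledgement number as "next byte expected") and the figure_example function replays the figure's segments, sequence numbers and out-of-order arrival.

```python
import random

MOD = 1 << 32   # sequence numbers are 32-bit and wrap


def client_syn():
    """Step 1: the client picks a random initial sequence number x and sets SYN."""
    return {"flags": {"SYN"}, "seq": random.randrange(MOD)}


def server_syn_ack(syn):
    """Step 2: the server picks its own random y, sets SYN and ACK, and acknowledges x + 1."""
    if "SYN" not in syn["flags"]:
        raise ValueError("expected SYN")
    return {"flags": {"SYN", "ACK"}, "seq": random.randrange(MOD), "ack": (syn["seq"] + 1) % MOD}


def client_ack(syn, syn_ack):
    """Step 3: the client checks that its own SYN was acknowledged, then acknowledges y + 1."""
    if syn_ack["flags"] != {"SYN", "ACK"} or syn_ack["ack"] != (syn["seq"] + 1) % MOD:
        raise ValueError("SYN/ACK does not acknowledge our SYN")
    return {"flags": {"ACK"}, "seq": (syn["seq"] + 1) % MOD, "ack": (syn_ack["seq"] + 1) % MOD}


class TcpReceiver:
    """Receive side of the transfer phase. Data is handed to the application
    (a Data-Indication) only when it is in sequence; segments that overtook
    earlier ones are held back until the gap is filled. The acknowledgement
    number is the sequence number of the next byte expected."""

    def __init__(self, initial_seq):
        self.rcv_nxt = initial_seq
        self.held = {}          # seq -> data for segments that arrived early
        self.indications = []   # Data-Indications passed to the application

    def segment(self, seq, data):
        if seq == self.rcv_nxt:
            chunk = bytearray(data)
            self.rcv_nxt += len(data)
            while self.rcv_nxt in self.held:      # held data that is now contiguous
                nxt = self.held.pop(self.rcv_nxt)
                chunk += nxt
                self.rcv_nxt += len(nxt)
            self.indications.append(bytes(chunk))
        elif seq > self.rcv_nxt:
            self.held[seq] = data                 # out of order: wait, no delivery
        # seq < rcv_nxt: duplicate of data already delivered, ignored
        return self.rcv_nxt                       # ACK number to send back


def figure_example():
    """The transfer from the figure: "abcd"@40 arrives, then "hi"@47 and "jkl"@49
    overtake "efg"@44. Returns (Data-Indications, ACK numbers after each segment)."""
    rx = TcpReceiver(40)
    acks = [rx.segment(40, b"abcd"), rx.segment(47, b"hi"),
            rx.segment(49, b"jkl"), rx.segment(44, b"efg")]
    return rx.indications, acks


if __name__ == "__main__":
    syn = client_syn()
    syn_ack = server_syn_ack(syn)
    print(client_ack(syn, syn_ack))
    print(figure_example())   # ([b'abcd', b'efghijkl'], [44, 44, 44, 52])
```

The receiver never advances its acknowledgement past a gap, which is exactly why the figure shows ACK=44 three times and ACK=52 only once "efg" has arrived; a sender that sees the same ACK repeated learns that something after byte 44 is missing.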
[Figure: the "Window size" field of the TCP header.]
So, you have seen how TCP offers a connection-oriented service that:
draws on procedures for opening and closing sessions and transferring data,
defines mechanisms for reordering data.
Each station transmits and receives data, but the receive function grants the other station's transmit
function a credit that represents the number of incoming bytes the receive function is willing to accept.
The amount of credit varies dynamically and is defined via the "Window size" field in the TCP header.
[Figure: a segment sent across the INTERNET; the sender is waiting for the ack; when the Retransmit Timeout expires the segment is retransmitted.]
TCP uses various Timers. The main one, the Retransmit Timeout, is used for the waiting-for-acknowledgement period.
The problem, of course, lies in assigning the right value to this timer, since the time taken to
acknowledge a segment depends on numerous parameters:
distance between the stations,
link speed,
system processing time,
traffic in the network,
etc.
Instead of assigning a set value to the timer, TCP sets the timer according to a parameter known as RTT
or Round Trip Time. This parameter measures the time between when a segment is sent and when an
acknowledgement is received.
The Retransmit Timeout is then set based on this RTT.
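The text says the timeout is derived from the measured RTT without saying how. The following is an added example written for this guide, not code from the original document: it applies the smoothing rules standardized in RFC 6298 (a smoothed RTT, an RTT variance, RTO = SRTT + 4·RTTVAR with a floor, samples from retransmitted segments discarded, and doubling after a timeout). The RTT values fed in are constructed.

```python
class RtoEstimator:
    """Retransmit Timeout derived from round-trip measurements (RFC 6298):
        SRTT   = (1 - alpha) * SRTT + alpha * R
        RTTVAR = (1 - beta) * RTTVAR + beta * |SRTT - R|
        RTO    = SRTT + K * RTTVAR, clamped to [min_rto, max_rto]
    The first sample initialises SRTT = R and RTTVAR = R / 2.
    A sample measured on a retransmitted segment is ambiguous (which copy was
    acknowledged?) and is ignored; after a timeout the RTO is doubled."""

    def __init__(self, alpha=1 / 8, beta=1 / 4, k=4, min_rto=1.0, max_rto=60.0):
        self.alpha, self.beta, self.k = alpha, beta, k
        self.min_rto, self.max_rto = min_rto, max_rto
        self.srtt = None
        self.rttvar = None
        self.rto = min_rto            # before any measurement: a conservative default

    def sample(self, rtt, retransmitted=False):
        """Feed one measured RTT in seconds; returns the RTO to use for the next segment."""
        if retransmitted:
            return self.rto
        if self.srtt is None:
            self.srtt, self.rttvar = rtt, rtt / 2
        else:
            self.rttvar = (1 - self.beta) * self.rttvar + self.beta * abs(self.srtt - rtt)
            self.srtt = (1 - self.alpha) * self.srtt + self.alpha * rtt
        self.rto = min(max(self.srtt + self.k * self.rttvar, self.min_rto), self.max_rto)
        return self.rto

    def on_timeout(self):
        """Exponential backoff while acknowledgements are not coming back."""
        self.rto = min(self.rto * 2, self.max_rto)
        return self.rto


if __name__ == "__main__":
    est = RtoEstimator(min_rto=0.0)      # floor removed so the arithmetic is visible
    for rtt in (0.1, 0.3, 0.2, 0.25):    # constructed measurements
        print("rtt %.2f s -> rto %.3f s" % (rtt, est.sample(rtt)))
    print("after a timeout: %.3f s" % est.on_timeout())
```

The variance term is what makes the timer tolerant of jitter: a path whose delay swings between 0.1 s and 0.3 s gets a timeout well above its average RTT, so ordinary fluctuations are not mistaken for losses.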
[Figure: slow start between emitter and receiver. cwnd: 1 segment of 512 bytes, acknowledged with Window size = x; then cwnd: 2 segments; then cwnd: 4 segments. Segments per Round Trip Time (5, 10, 15, 20): exponential increase.]
You have seen the flow-control mechanisms that use the "Window size" field in the TCP header. This field
is set by the end stations, implying that the flow control is end-to-end flow control.
But how does flow control work when there is, say, congestion in the network?
Routers, of course, only process data up to level 3. They do not intervene in level 4 TCP and therefore do
not modify parameters in the segment.
It is therefore TCP that implements a congestion-control algorithm. It is not based on another protocol or
particular fields in the messages exchanged but consists in analyzing network behavior and, in particular,
the network’s ability to return acknowledgements.
If an acknowledgement is not returned, you could assume that the segment has been destroyed during
transmission because a particular interface has changed one of the bits in the frame. In practice, this
type of error is relatively uncommon and accounts for less than 1% of messages transmitted. When an
acknowledgement is not returned, it is usually due to congestion in the network.
TCP implements an algorithm known as "slow start".
The transmit station starts by subjecting the network to a kind of test that consists in transmitting a
segment to the remote station.
If the transmit station receives an acknowledgement, it tests the network again by this time transmitting
two consecutive segments.
If it receives the corresponding acknowledgements, it then transmits 4 consecutive segments and waits
for the acknowledgements and so on, exponentially, until a segment or acknowledgement is lost, in
which case another "slow start" process begins.
Numerous algorithms have been suggested over recent years and engineers are continuing to look for
other solutions.
New TCP implementations generally use a combination of the 4 basic internet standard algorithms:
the "slow-start" algorithm that you have just seen,
the "congestion avoidance" algorithm,
the "fast retransmit" algorithm,
the "fast recovery" algorithm.
[Figure: segments per round trip (5 to 25). Slow start (exponential increase) up to 16 segments, congestion detection, ssthreshold (slow start threshold) = 16/2 = 8, slow start again up to ssthreshold, then congestion avoidance (linear increase).]
Synthesis
TCP provides:
Flow control
Reliability
Error recovery
Multiplexing/demultiplexing
Connection-oriented service
You have now seen the basics of TCP. A more extensive examination of TCP could include:
a more detailed look at flow-control algorithms with the "Nagle" and "fast retransmit" algorithms,
an analysis of selective acknowledgement mechanisms,
etc.
However, this would require much more time and would only really be useful for developers.
To summarize and conclude, it can be said that TCP offers applications a large number of services:
Firstly, it provides reliability thanks to the use of sequence numbers and acknowledgement
mechanisms.
It also implements error recovery.
It provides full-duplex flow-control mechanisms, which optimize communication.
Although it operates on a datagram network, it provides connection-oriented service, which ensures
that data is delivered in the order it was transmitted.
And finally, it enables the multiplexing of several data flows.
You now have a solid grasp of the basics of transport-level TCP/IP and are capable of identifying the
advantages and disadvantages of TCP compared with UDP.
What are the two TCP fields which are used to assure reliable delivery of data?
What are the possible actions that a receiver can take to slow down the pace at which a sender transmits segments?
[Exercise figure: transfer of a 2 MB file (File size = _____?) for window sizes of 8, 16, 32 and 64 kBytes; fill in the four missing values on the vertical axis (0 to 40).]
[Figure: SIGTRAN protocol stack. M2PA and M2UA adaptation layers over SCTP over IP, in place of MTP-2 over MTP-1, between IP networks; the SS7 service sits on top.]
To reliably transport SS7 messages over IP networks, the IETF SIGTRAN working group devised the Stream Control Transmission Protocol (SCTP, RFC 4960). SCTP allows the reliable transfer of signalling messages between signalling endpoints in an IP network. To establish an association between SCTP endpoints, each endpoint provides the other with a list of its transport addresses (one or more IP addresses in combination with a single SCTP port). These transport addresses identify the addresses which will send and receive SCTP packets; this is what gives SCTP its multi-homing, since the association survives the failure of one of the paths.
SCTP Endpoint: an SCTP endpoint is a logical sender or receiver of SCTP packets. It is the combination of one or more IP addresses and a port number.
Association: SCTP works by establishing a relationship between two SCTP endpoints. Such a relationship is known as an association and is defined by the SCTP endpoints involved and the current protocol state. The association is set up with a four-way handshake (INIT, INIT ACK, COOKIE ECHO, COOKIE ACK): the responder keeps no state until the cookie it issued comes back, which protects it against the resource exhaustion a TCP listener suffers under a SYN flood.
Segments and Chunks: when SCTP wishes to send a piece of information to the remote end, it hands an SCTP packet (also called a segment) to the IP layer and IP routes the packet to the destination. A number of chunks follow the common SCTP header (source port, destination port, verification tag and CRC32c checksum), and each chunk is comprised of a chunk header plus some chunk-specific content. This content can be either SCTP control information or SCTP user information; several chunks can be bundled into one packet.
Streams: a stream is a one-way logical channel between SCTP endpoints, a sequence of user messages between two SCTP users. During association establishment the number of streams from SCTP endpoint A to B and from SCTP endpoint B to A are specified.
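The common header, chunk bundling and verification tag described above, shown in working code. This is an added example written for this edition, not code from the course or from any SIGTRAN implementation; the port number 2905 (the IANA port of M3UA) and the chunk contents are constructed sample values. It builds an INIT and a DATA+SACK bundle, verifies the CRC32c checksum and applies the verification-tag rule of RFC 4960 section 8.5, which is what stops a blind third party from injecting chunks into an association:

```python
import struct

# CRC-32C (Castagnoli) as required for the SCTP checksum (RFC 4960, Appendix B).
_POLY = 0x82F63B78
_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ _POLY if _c & 1 else _c >> 1
    _TABLE.append(_c)


def crc32c(data: bytes) -> int:
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


CHUNK_NAMES = {0: "DATA", 1: "INIT", 2: "INIT ACK", 3: "SACK", 4: "HEARTBEAT",
               5: "HEARTBEAT ACK", 6: "ABORT", 7: "SHUTDOWN", 10: "COOKIE ECHO",
               11: "COOKIE ACK"}


def build_chunk(ctype: int, flags: int, value: bytes) -> bytes:
    """Chunk header (type, flags, length) + value, padded to a 4-byte boundary.
    The length field covers header and value but not the padding."""
    length = 4 + len(value)
    return struct.pack("!BBH", ctype, flags, length) + value + b"\x00" * (-length % 4)


def build_packet(src_port: int, dst_port: int, vtag: int, chunks: bytes) -> bytes:
    """Common header (ports, verification tag, checksum) followed by the bundled chunks."""
    header = struct.pack("!HHII", src_port, dst_port, vtag, 0)
    crc = crc32c(header + chunks)
    # RFC 4960 Appendix B inserts the CRC32c value with its bytes reversed.
    return header[:8] + struct.pack("<I", crc) + chunks


def parse_packet(packet: bytes) -> dict:
    """Validate the checksum and walk the chunk list; ValueError on any malformed input."""
    if len(packet) < 12:
        raise ValueError("truncated common header")
    src, dst, vtag = struct.unpack("!HHI", packet[:8])
    (wire_crc,) = struct.unpack("<I", packet[8:12])
    if wire_crc != crc32c(packet[:8] + b"\x00" * 4 + packet[12:]):
        raise ValueError("checksum mismatch")
    chunks, off = [], 12
    while off < len(packet):
        if len(packet) - off < 4:
            raise ValueError("truncated chunk header")
        ctype, flags, length = struct.unpack("!BBH", packet[off:off + 4])
        if length < 4 or off + length > len(packet):
            raise ValueError("chunk length out of range")
        chunks.append((ctype, CHUNK_NAMES.get(ctype, "UNKNOWN"), flags, packet[off + 4:off + length]))
        off += length + (-length % 4)          # step over the padding as well
    return {"src_port": src, "dst_port": dst, "vtag": vtag, "chunks": chunks}


def drop_reason(packet: bytes, expected_vtag=None):
    """Why a receiver would silently discard this packet, or None if it is acceptable.
    expected_vtag is the tag this endpoint announced for the association."""
    try:
        info = parse_packet(packet)
    except ValueError as exc:
        return str(exc)
    types = {c[0] for c in info["chunks"]}
    if 1 in types:                              # INIT: alone in the packet, tag must be 0
        if info["vtag"] != 0 or len(info["chunks"]) != 1:
            return "INIT must be alone with verification tag 0"
    elif expected_vtag is not None and info["vtag"] != expected_vtag:
        return "verification tag mismatch"
    return None


def sample_packets():
    """Constructed traffic: an INIT, a DATA+SACK bundle, and a DATA from a forger who
    guessed the verification tag wrong."""
    # INIT value: initiate tag, a_rwnd, outbound streams, inbound streams, initial TSN
    init = build_chunk(1, 0, struct.pack("!IIHHI", 0x1234ABCD, 65535, 10, 10, 1000))
    init_pkt = build_packet(2905, 2905, 0, init)
    # DATA value: TSN, stream id, stream sequence, payload protocol id (3 = M3UA), user data
    data = build_chunk(0, 0x03, struct.pack("!IHHI", 1000, 0, 0, 3) + b"signalling msg")
    sack = build_chunk(3, 0, struct.pack("!IIHH", 500, 65535, 0, 0))
    bundle = build_packet(2905, 2905, 0x1234ABCD, data + sack)
    forged = build_packet(2905, 2905, 0xDEADBEEF, data)
    return init_pkt, bundle, forged
```

The checksum only protects against corruption, anyone can recompute it; it is the 32-bit verification tag, chosen at association setup and never sent in the clear to anyone but the peer, that an off-path attacker has to guess before any chunk is accepted.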
[Figure: endpoint A sends three files, each split into records 0 and 1, to endpoint B. Over a single TCP connection (top) the records of all three files are serialized into one ordered byte stream, buffered and delivered in order, so a lost record of file 1 holds back files 2 and 3. Over one SCTP association (bottom) each file is carried in its own stream (stream 0, stream 1, stream 2) and ordering is only enforced within each stream.]
IP signalling traffic is usually composed of many independent message sequences between many different signalling endpoints.
SCTP allows signalling messages to be independently ordered within multiple streams (unidirectional logical channels established from one SCTP endpoint to another) to ensure in-sequence delivery within each stream between associated endpoints. By transferring independent message sequences in separate SCTP streams, it is less likely that the retransmission of a lost message will delay the delivery of other messages in unrelated sequences (the head-of-line blocking problem). Because TCP, with its single byte stream, does enforce head-of-line blocking, the SIGTRAN Working Group recommends SCTP rather than TCP for the transmission of signalling messages over IP networks.
[Figure: M2UA signalling relationship between the SS7 network and the IP network. On the ASP, the MTP3 user (e.g. ISUP) and MTP3 sit on M2UA/SCTP/IP; on the Signalling Gateway (SGW), M2UA/SCTP/IP on the IP side is interworked with MTP2/MTP1 on the SS7 side. M2UA is not symmetrical: the SGW terminates MTP2 and relays its primitives to the ASP.]
An Application Server contains a set of one or more unique Application Server Processes (ASP). Normally, one or more of these ASPs must be actively processing traffic.
Section 6
Application Services
IP Technology
IP for Mobile Networks
TTP18031 D0 SG DEN I1.0
[Figure: NTP hierarchy. Stratum 1 servers at the top; below them stratum 2 client/servers, some of which are in a peer relationship with each other; below them stratum 3 clients and client/servers, and so on down the tree.]
NTP is a protocol designed to synchronize the clocks of computers over a network. This protocol has been specifically designed for Internet environments and uses a client/server model to provide service. NTP version 3 is an Internet draft standard, formalized in RFC 1305. NTP version 4 is a significant revision of the NTP standard; at the time of this course it was still the development version, and it was later formalized in RFC 5905 (2010).
At the top of any NTP hierarchy are one or more reference clocks. These are electronic clocks synchronized to a common time reference, for instance GPS signals, radio signals or extremely accurate frequency control. The accuracy of the other clocks is judged according to how "close" each clock is to the reference clock (its stratum), the network latency to the clock and its claimed accuracy.
NTP uses the UDP protocol on port 123 for communication between clients and servers. Attempts are made at designated intervals until the server responds. The interval ranges from once every minute (64 s) up to about every 17 minutes (1024 s) depending on a number of factors.
NTP works on a hierarchical model in which a small number of servers give time to a large number of clients. The clients on each level, or stratum, are in turn potential servers to an even larger number of clients of a higher-numbered stratum. Stratum numbers increase from the primary (stratum 1) servers to the high-numbered strata at the leaves of the tree. Clients can use time information from multiple servers to automatically determine the best source of time and prevent bad sources from corrupting their own time: the selection algorithm discards the servers ("falsetickers") whose time disagrees with the majority.
Servers that are directly connected to the reference clock are termed stratum 1. The reference clock itself, connected to a stratum 1 server, is referred to as a stratum 0 device. Clients never communicate directly with a stratum 0 device; they always go through a stratum 1 server synchronized to it.
Clients of stratum 1 servers are referred to as stratum 2 clients. If they serve time to clients, they are also referred to as stratum 2 servers and the clients they serve are known as stratum 3 clients. This continues to higher-numbered strata. The maximum NTP stratum number for a client is 15 (16 means unsynchronized); in practice, it is rare to find clients with a stratum number above 4 or 5 in most real-world configurations.
[Figure: Device_A (the client) exchanges one NTP packet with Device_B (the sync source); the four timestamps T1 to T4 are taken in turn.]
1. Device_A sends an NTP packet to Device_B, carrying the timestamp of the moment it is sent (10:00:00 on Device_A's clock, noted as T1).
2. When the packet arrives, Device_B inserts its own timestamp, 10:14:00 on its clock (noted as T2), into the packet.
3. Just before the reply leaves, Device_B inserts its own timestamp once again, 10:14:01 (noted as T3).
4. When receiving the response packet, Device_A notes the arrival time, 10:00:03 on its own clock (noted as T4).
At this time, Device_A has enough information to calculate the following two parameters:
The round-trip delay of an NTP packet between Device_A and Device_B, which excludes the time the packet spent inside Device_B:
Delay = (T4 - T1) - (T3 - T2) = (10:00:03 - 10:00:00) - (10:14:01 - 10:14:00) = 3 s - 1 s = 2 s
The offset of Device_A's clock relative to Device_B's, assuming the network delay is the same in both directions:
Offset = ((T2 - T1) + (T3 - T4)) / 2 = ((10:14:00 - 10:00:00) + (10:14:01 - 10:00:03)) / 2 = (14 min 00 s + 13 min 58 s) / 2 = 13 min 59 s
Device_A can then move its own clock forward by this offset to synchronize it to that of Device_B.
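The same four-timestamp computation, carried through in code on the 48-byte NTP packet format. This example is added here and is not part of the course; the reference identifier 0x0A000001, the date chosen for the clocks and the packet contents are constructed. Besides the offset and delay it shows the check a client must make before trusting a reply: the Origin Timestamp must echo the client's own Transmit Timestamp, otherwise the reply is a bogus or injected packet and is discarded (RFC 5905 calls this the bogus-packet test):

```python
import struct
from datetime import datetime, timezone

NTP_UNIX_DELTA = 2208988800          # seconds from 1900-01-01 to 1970-01-01


def to_ntp(unix_seconds: float) -> int:
    """Unix time -> 64-bit NTP timestamp (32-bit seconds since 1900, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_UNIX_DELTA) << 32) | frac


def from_ntp(ts: int) -> float:
    return (ts >> 32) - NTP_UNIX_DELTA + (ts & 0xFFFFFFFF) / (1 << 32)


def build_packet(mode, stratum, ref_id, ref_ts, origin_ts, receive_ts, transmit_ts, version=4):
    """48-byte NTP header: LI/VN/Mode, stratum, poll, precision, root delay,
    root dispersion, reference id, then the four 64-bit timestamps."""
    first = (0 << 6) | (version << 3) | mode         # leap indicator 0 = no warning
    head = struct.pack("!BBBbIII", first, stratum, 6, -20, 0, 0, ref_id)
    return head + struct.pack("!QQQQ", ref_ts, origin_ts, receive_ts, transmit_ts)


def parse_packet(data: bytes) -> dict:
    if len(data) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    first, stratum = data[0], data[1]
    ref, origin, receive, transmit = struct.unpack("!QQQQ", data[16:48])
    return {"li": first >> 6, "version": (first >> 3) & 7, "mode": first & 7,
            "stratum": stratum, "ref": ref, "origin": origin,
            "receive": receive, "transmit": transmit}


def validate_reply(request_transmit_ts: int, reply: dict):
    """Checks a client makes before using a reply; returns a reason to discard it, or None."""
    if reply["mode"] != 4:
        return "not a server reply"
    if reply["li"] == 3:
        return "server clock not synchronized"
    if not 1 <= reply["stratum"] <= 15:
        return "invalid stratum"
    # The origin timestamp must echo our own transmit timestamp; otherwise the packet was
    # not sent in answer to this request (replayed, forged, or simply stale).
    if reply["origin"] != request_transmit_ts:
        return "origin timestamp does not match our request"
    if reply["transmit"] == 0 or reply["transmit"] < reply["receive"]:
        return "implausible server timestamps"
    return None


def offset_and_delay(t1, t2, t3, t4):
    """RFC 5905 clock offset and round-trip delay from the four timestamps (seconds)."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def simulate_exchange():
    """Constructed exchange reusing the timestamps of the worked example above
    (Device_A: T1 10:00:00, T4 10:00:03; Device_B: T2 10:14:00, T3 10:14:01)."""
    day = datetime(2009, 1, 1, tzinfo=timezone.utc).timestamp()
    t1 = day + 10 * 3600                # 10:00:00 on Device_A's clock
    t2 = day + 10 * 3600 + 14 * 60      # 10:14:00 on Device_B's clock
    t3 = t2 + 1                         # 10:14:01 on Device_B's clock
    t4 = t1 + 3                         # 10:00:03 on Device_A's clock
    request = parse_packet(build_packet(3, 0, 0, 0, 0, 0, to_ntp(t1)))
    reply = parse_packet(build_packet(4, 2, 0x0A000001, to_ntp(t2 - 60),
                                      request["transmit"], to_ntp(t2), to_ntp(t3)))
    problem = validate_reply(request["transmit"], reply)
    offset, delay = offset_and_delay(t1, from_ntp(reply["receive"]),
                                     from_ntp(reply["transmit"]), t4)
    # A reply whose origin timestamp does not match (e.g. injected by a third party) is dropped.
    forged = parse_packet(build_packet(4, 2, 0x0A000001, to_ntp(t2 - 60),
                                       to_ntp(t1 + 1), to_ntp(t2), to_ntp(t3)))
    return {"problem": problem, "offset": offset, "delay": delay,
            "forged_rejected": validate_reply(request["transmit"], forged) is not None}
```

The origin-timestamp check is only as strong as the unpredictability of the client's transmit timestamp, which is why NTP implementations randomize its low-order fraction bits; for anything stronger than that, the symmetric-key authentication of NTP has to be used.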
[Figure: two modes of operation. Left, an NTP server periodically broadcasts or multicasts the time to Client 1 and Client 2. Right, Client 1 sends an NTP request (1) to the server and receives an NTP response (2); Client 2 does the same.]
The bandwidth requirements for NTP are also minimal. Unauthenticated NTP packets are 90 bytes long on Ethernet (76 bytes at the IP layer: 48 bytes of NTP over 8 bytes of UDP and 20 bytes of IP). A broadcast server sends out a packet about every 64 seconds. A non-broadcast client/server exchange requires 2 packets per transaction. When first started, transactions occur about once per minute, increasing gradually to once per 17 minutes under normal conditions. Poorly synchronized clients will tend to poll more often than well synchronized clients. In NTP version 4 implementations, the minimum and maximum intervals can be extended beyond these limits if necessary.
A unicast client sends a request to a designated server at its unicast address and expects a reply from which it can determine the time and, optionally, the round-trip delay and local clock offset relative to the server.
A multicast server periodically sends an unsolicited message to a designated IPv4 or IPv6 local broadcast address or multicast group address and ordinarily expects no requests from clients. A multicast client listens on this address and ordinarily sends no requests. Since such a client accepts time from whoever sends to that address, broadcast and multicast modes should only be used together with NTP's symmetric-key authentication, or on a segment where no untrusted host can send to the group.
For IPv4, the IANA has assigned the multicast group address 224.0.1.1 for NTP, which is used both by multicast servers and anycast clients.
[Figure: FTP over a TCP/IP network. The client sends "Get file1" on the control connection (server port 21) and the file is transferred on a separate data connection, here to data port 1955 on the client.]
FTP is a standardized protocol (STD 9). It is described in the standard RFC 959 (File Transfer Protocol) and the update RFC 2228 (FTP Security Extensions).
To access files on a remote station, the user must provide the server with user identification information. The server is responsible for authenticating the information before authorizing access to the files. In plain FTP the user name and password travel in clear text on the control connection, as do the files on the data connection; RFC 2228 adds authentication and protection of this exchange.
FTP uses TCP as its transport protocol in order to offer reliable end-to-end connections. Two connections are used:
The first one, the control connection, is accepted by the server on TCP port 21. It carries the login and the commands, using the Telnet conventions (NVT ASCII lines).
The second one, the data connection, is for data transfer. In active mode the client announces an address and port with the PORT command and the server connects to it from its port 20; in passive mode (PASV) the server announces a port on which it listens and the client connects to it.
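Worked example of the two ways the data connection's address is exchanged, added here and not taken from the course: a parser for the client's PORT command and for the server's 227 reply to PASV, plus a hypothetical server-side check, port_command_decision(), that only opens the data connection back to the host on the other end of the control connection. The figure's data port 1955 is 7 × 256 + 163, i.e. the pair 7,163 in the command; all addresses are constructed:

```python
import ipaddress
import re

_SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode(h1, h2, h3, h4, p1, p2):
    """h1,h2,h3,h4 are the IPv4 octets, the port is p1 * 256 + p2 (RFC 959 section 4.1.2)."""
    host = "%d.%d.%d.%d" % (h1, h2, h3, h4)
    ipaddress.IPv4Address(host)             # raises ValueError on an octet above 255
    if max(p1, p2) > 255:
        raise ValueError("port byte out of range")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not usable")
    return host, port


def parse_port_command(line: str):
    """Client -> server 'PORT h1,h2,h3,h4,p1,p2' (active mode)."""
    m = _SIX.search(line)
    if not line.upper().startswith("PORT ") or not m:
        raise ValueError("malformed PORT command")
    return _decode(*(int(g) for g in m.groups()))


def parse_pasv_reply(line: str):
    """Server -> client '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    m = _SIX.search(line)
    if not line.startswith("227") or not m:
        raise ValueError("malformed 227 reply")
    return _decode(*(int(g) for g in m.groups()))


def port_command_decision(line: str, control_peer_ip: str):
    """Hypothetical server policy (not from the page): only connect the data channel back to
    the host that owns the control connection, and never to a privileged port. A PORT that
    names a third host is the classic 'FTP bounce', the server being used as a relay to reach
    machines the client cannot reach itself. Returns (accepted, reason)."""
    try:
        host, port = parse_port_command(line)
    except ValueError as exc:
        return False, str(exc)
    if host != control_peer_ip:
        return False, "data address %s differs from control peer %s" % (host, control_peer_ip)
    if port < 1024:
        return False, "refusing to connect to privileged port %d" % port
    return True, "data connection to %s:%d" % (host, port)
```

The same address comparison applies on the client side to a 227 reply: a client should not open a data connection to an address that differs from the server it is talking to, which is also why NAT devices have to rewrite both messages.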
SSH File Transfer Protocol (sometimes called Secure File Transfer Protocol or SFTP) is a network protocol that provides file transfer and manipulation functionality over any reliable data stream. It is typically used with version two of the SSH protocol (TCP port 22) to provide secure file transfer, but is intended to be usable with other protocols as well.
The SFTP protocol allows for a range of operations on remote files; it is more like a remote file system protocol. An SFTP client's extra capabilities compared to an SCP client include resuming interrupted transfers, directory listings, and remote file removal.
SFTP is not FTP run over SSH, but rather a new protocol designed from the ground up by the IETF SECSH working group.
Note: in WinSCP, no mechanism is provided for key generation. A program like puttygen.exe is necessary to generate the key files.
[Figure: one RTP session and its RTCP session for audio, another pair for video, all running over UDP/IP. RTP: Real-time Transport Protocol; RTCP: Real-time Transport Control Protocol.]
RTP can: carry real-time data, let the receiver recover the time base, and allow conferencing.
RTP cannot: act at the routers' level, control the QoS (Quality of Service), make resource reservations, or guarantee packet delivery or retransmit missing packets.
[Figure: voice samples 1 to 20 leave the sender at regular intervals; after a variable network delay they reach the receiver in a different order and with gaps (5 never arrives, 13 and 16 arrive long after their neighbours); the receiver adds a reconstruction delay before playing them out in order.]
In addition to this variable transmission delay, time is required to reorder and reconstruct the flow. When the flow is reconstructed in this example, it is considered that:
• packet 5 has been lost,
• packets 13 and 16 have arrived too late to be included in the reconstructed flow.
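The reconstruction step described above, as an added example that is not part of the course: a fixed playout buffer of the kind the text describes, fed with constructed arrival times for the 20 packets of the figure in which packet 5 never arrives and packets 13 and 16 are delayed far beyond the others, together with the RFC 3550 interarrival jitter estimator. The 60 ms playout delay and the 30 to 40 ms nominal network delay are assumptions:

```python
PACKET_INTERVAL_MS = 20     # one voice packet every 20 ms (usual packetization for G.711/G.729)


def reconstruct(arrivals: dict, n_packets: int, playout_delay_ms: float,
                interval_ms: float = PACKET_INTERVAL_MS):
    """Fixed playout (de-jitter) buffer. Packet k was sent at (k-1)*interval and must be played
    at send time + playout delay; a packet absent from `arrivals` is lost, one arriving after
    its playout instant is discarded as late. Returns (played, lost, late) sequence numbers."""
    played, lost, late = [], [], []
    for seq in range(1, n_packets + 1):
        playout_instant = (seq - 1) * interval_ms + playout_delay_ms
        if seq not in arrivals:
            lost.append(seq)
        elif arrivals[seq] > playout_instant:
            late.append(seq)
        else:
            played.append(seq)
    return played, lost, late


def interarrival_jitter(send_times, arrival_times):
    """RFC 3550 section 6.4.1 estimator: smoothed mean deviation of the transit time,
    J = J + (|D| - J) / 16, over packets taken in arrival order."""
    j, prev_transit = 0.0, None
    for s, a in zip(send_times, arrival_times):
        transit = a - s
        if prev_transit is not None:
            j += (abs(transit - prev_transit) - j) / 16
        prev_transit = transit
    return j


def minimum_playout_delay(arrivals, interval_ms=PACKET_INTERVAL_MS, exclude=()):
    """Smallest fixed playout delay that plays every packet not in `exclude`. Sizing the buffer
    for the worst outlier is the trade-off the text describes: every packet then pays that
    much extra mouth-to-ear delay."""
    return max(a - (seq - 1) * interval_ms for seq, a in arrivals.items() if seq not in exclude)


def sample_arrivals():
    """Constructed arrival times (ms) for the 20 packets of the figure: network delay between
    30 and 40 ms with deterministic jitter, packet 5 lost, packets 13 and 16 badly delayed."""
    delay = {seq: 30 + (seq * 7) % 11 for seq in range(1, 21)}
    delay[13], delay[16] = 95, 110
    del delay[5]
    return {seq: (seq - 1) * PACKET_INTERVAL_MS + d for seq, d in delay.items()}


def jitter_of_sample():
    arr = sample_arrivals()
    seqs = sorted(arr, key=arr.get)                     # arrival order, as a receiver sees them
    return interarrival_jitter([(s - 1) * PACKET_INTERVAL_MS for s in seqs], [arr[s] for s in seqs])
```

With a 60 ms buffer the result matches the figure (5 lost, 13 and 16 late); raising the buffer to 110 ms would play 13 and 16 as well, at the price of 50 ms more delay on every packet of the call.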
[Figure: RTP header layout: V, P, X, CC, M, PT, sequence number, timestamp, SSRC (Synchronization Source Identifier, which identifies the source and is important in conference mode), CSRC (Contributing Source Identifier) list, a profile-dependent extension of variable size, then the data (payload).]
The Version field, V: 2 bits. Indicates the version of the protocol (V = 2).
The Padding field, P: 1 bit. If P equals 1, the packet ends with additional padding bytes which are not part of the payload; the last padding byte gives the number of padding bytes, itself included.
The Extension field, X: 1 bit. If X equals 1, the fixed header is followed by exactly one header extension.
The CSRC count field, CC: 4 bits. Contains the number of CSRC identifiers that follow the fixed header.
The Marker field, M: 1 bit. Its meaning is defined by an application profile (for audio it usually marks the first packet after a silence).
The Payload Type (PT) field: 7 bits. This field identifies the format of the payload, that is the audio or video encoding (PCMU, GSM, G.729, H.263, etc.). See the IANA site "ASSIGNED NUMBERS" (http://www.iana.org/numbers.html) for the standardised codes (RTP Payload types (PT) for standard audio and video encodings).
The Sequence number field: 16 bits. Its initial value is random and it increments by one each time a packet is sent. It can be used to detect packet loss and to restore packet order.
The Timestamp field: 32 bits. Reflects the sampling instant of the first byte in the RTP packet. The sampling instant must be derived from a clock that increments monotonically and linearly in time to allow synchronisation and jitter calculations. Its initial value is also random.
The SSRC field: 32 bits. A synchronisation source identifier chosen randomly by the application. The SSRC identifies the synchronisation source (or more simply the "source"); choosing it at random makes it unlikely that two sources in the same session share a value, and collisions are detected and resolved by the session members.
The CSRC fields: 32 bits each. The list of CSRCs identifies the sources (SSRCs) which have contributed to the data contained in the packet, for instance the participants whose audio a conference mixer has combined. The number of identifiers is given in the CC field.
[Figure: two G.711 packets 20 ms apart. Sampling at 8 kHz means one sample every 125 µs, so the first packet carries timestamp 0 and the second timestamp 160, each holding 160 samples.]
The 32-bit Timestamp field reflects the sampling instant of the first byte in the RTP packet. The sampling instant must be derived from a clock that increments monotonically and linearly in time to allow synchronization and jitter calculations. For 8 kHz audio the clock ticks once per sample, so a packet carrying 20 ms of voice advances the timestamp by 160.
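The header fields above, turned into a builder, a parser and a stream tracker. This is an added example, not code from the course: it constructs a G.711 stream (PT 0, 160 samples per packet, so a timestamp step of 160) that crosses the 16-bit sequence wrap, drops one packet, and injects one packet carrying a different SSRC to show why a receiver must lock onto the SSRC of the stream it set up rather than play whatever reaches the port. The SSRC values and payload bytes are constructed:

```python
import struct


def build_rtp(pt, seq, timestamp, ssrc, payload, marker=0, csrcs=(), padding=0):
    """RFC 3550 fixed header + CSRC list + payload, optionally followed by a padding block
    whose last byte holds the padding length (that byte included)."""
    first = (2 << 6) | ((1 if padding else 0) << 5) | len(csrcs)      # V=2, P, X=0, CC
    second = (marker << 7) | pt
    pkt = struct.pack("!BBHII", first, second, seq & 0xFFFF, timestamp & 0xFFFFFFFF, ssrc)
    pkt += b"".join(struct.pack("!I", c) for c in csrcs) + payload
    if padding:
        pkt += b"\x00" * (padding - 1) + bytes([padding])
    return pkt


def parse_rtp(pkt):
    """Parse one RTP packet, refusing anything whose length fields do not add up."""
    if len(pkt) < 12:
        raise ValueError("shorter than the 12-byte fixed header")
    first, second, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if first >> 6 != 2:
        raise ValueError("not RTP version 2")
    p, x, cc = (first >> 5) & 1, (first >> 4) & 1, first & 0x0F
    off = 12 + 4 * cc
    if len(pkt) < off:
        raise ValueError("CSRC count exceeds packet length")
    csrcs = list(struct.unpack("!%dI" % cc, pkt[12:off])) if cc else []
    if x:                                # header extension: 16-bit id, 16-bit length in 32-bit words
        if len(pkt) < off + 4:
            raise ValueError("truncated header extension")
        ext_len = struct.unpack("!HH", pkt[off:off + 4])[1]
        off += 4 + 4 * ext_len
        if len(pkt) < off:
            raise ValueError("header extension exceeds packet length")
    end = len(pkt)
    if p:
        pad = pkt[-1]
        if pad == 0 or pad > end - off:
            raise ValueError("invalid padding count")
        end -= pad
    return {"marker": second >> 7, "pt": second & 0x7F, "seq": seq, "timestamp": ts,
            "ssrc": ssrc, "csrcs": csrcs, "payload": pkt[off:end]}


class StreamTracker:
    """Follows one RTP stream: locks onto the first SSRC seen, counts losses from gaps in the
    16-bit sequence number (wrap-around aware) and checks the timestamp step. A packet with
    another SSRC is reported rather than played: that is what injected audio looks like."""

    def __init__(self, expected_ts_step):
        self.step, self.ssrc, self.next_seq, self.last_ts = expected_ts_step, None, None, None
        self.lost, self.events = 0, []

    def feed(self, pkt):
        h = parse_rtp(pkt)
        if self.ssrc is None:
            self.ssrc, self.next_seq, self.last_ts = h["ssrc"], h["seq"], h["timestamp"] - self.step
        if h["ssrc"] != self.ssrc:
            self.events.append("ssrc mismatch %08x" % h["ssrc"])
            return
        gap = (h["seq"] - self.next_seq) & 0xFFFF
        if gap >= 0x8000:                # behind what we expect: reordered or duplicate
            self.events.append("late/duplicate seq %d" % h["seq"])
            return
        if gap:
            self.lost += gap
            self.events.append("lost %d before seq %d" % (gap, h["seq"]))
        expected_ts = (self.last_ts + self.step * (gap + 1)) & 0xFFFFFFFF
        if h["timestamp"] != expected_ts:
            self.events.append("timestamp %d, expected %d" % (h["timestamp"], expected_ts))
        self.next_seq, self.last_ts = (h["seq"] + 1) & 0xFFFF, h["timestamp"]


def sample_stream():
    """Constructed G.711 packets (PT 0, 160 bytes of mu-law per 20 ms) crossing the sequence
    wrap; the packet with k = 3 (seq 1) is dropped and a foreign SSRC is injected at the end."""
    ssrc, payload = 0x1234ABCD, b"\xff" * 160
    pkts = [build_rtp(0, seq, k * 160, ssrc, payload)
            for k, seq in ((0, 65534), (1, 65535), (2, 0), (4, 2), (5, 3))]
    pkts.append(build_rtp(0, 7, 0, 0xDEADBEEF, payload))
    return pkts


def run_sample():
    tracker = StreamTracker(expected_ts_step=160)
    for pkt in sample_stream():
        tracker.feed(pkt)
    return tracker
```

Sequence numbers and SSRC give a receiver integrity of ordering, not of origin: anything that can send UDP to the port can forge them once it has seen one packet, so on an untrusted network the stream needs SRTP (RFC 3711) rather than these checks alone.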
[Figure: analog voice sampled at 8 kHz, i.e. 8,000 samples per second, one every t = 0.125 ms, with the amplitude coded on 3 bits (8 different values, 000 to 111). Result: 101 100 100 101 000 010 011 011 011 001 110 101 100]
Sampling
The method used to digitize an analog signal such as voice depends on 2 parameters: the sampling frequency and the number of bits used for the amplitude.
Together these parameters determine the quality of the sample and the amount of information required to reconstruct the message.
[Figure: decoding 101 100 100 101 000 010 011 011 011 001 110 101 100 with the same 8 amplitude levels gives a staircase that only approximates the original signal. Conclusion: compression required.]
When an analog signal is reconstructed from the digital information, the reconstructed signal differs from the original one.
If we want to produce a digital signal that is closer to the original, the sampling frequency and the number of amplitude levels must be increased. However, this means that the amount of information to be transported also increases.
5 carrots
1 onion chopped
20 g butter
1 chicken stock cube
1 potato
150 g chicken
1 litre water
Salt and pepper
To illustrate the various compression families, let’s consider the example of 3 chefs who wish to write
down the list of ingredients required to make carrot soup.
First method
Ingredients: 5 carrots, 1 onion chopped, 20 g butter, 1 chicken stock cube, 1 potato, 150 g chicken, 1 litre water, salt and pepper (92 characters)
The first chef writes the list of ingredients as it is. He uses 92 characters.
Lexicon: C = carrot; O = onion chopped; B = butter; P = chicken stock cube; T = potato; PL = 150 g chicken; E = water; SP = salt and pepper
Ingredients: 5 C, 1 O, 20 g of B, 1 P, 1 T, 1 PL, 1 E, SP (21 characters)
The second chef uses a standard lexicon from a recipe book and writes the list of ingredients using the lexicon. He uses 21 characters.
The third chef uses the same standard lexicon and, drawing on his experience, determines which ingredients add the least taste to the soup. He then writes the list of ingredients, leaving some of them out because they do not make much difference to the soup. He uses 13 characters.
Exercise: associate each chef with his method for writing the recipe:
• No compression: 92 characters
• Compression with shared lexicon: 21 characters
• Destructive compression with shared lexicon: 13 characters
[Figure: the original list (5 carrots, 1 onion chopped, 20 g butter, 1 chicken stock cube, 1 potato, 150 g chicken, 1 litre water, salt and pepper) differs from the shortened one (5 carrots, 1 potato, 150 g chicken, 1 litre water, salt and pepper): the chicken stock cube and the butter do not give this soup much taste, and in another chef's version it is the onion that is left out. In lexicon form: "5 C, 1 O, 1 T, 1 PL, 1 E, SP" against "5 C, 1 T, 1 PL, 1 E, SP".]
When a chef decides which ingredients must be removed, he changes the list of ingredients slightly. He
therefore changes the original recipe. Another chef may then read the recipe and also decide to change it.
The soup could end up tasting different from the original recipe.
They all make carrot soup but the quality of the soup is subjective…
The recipe has been changed so it must now be decided which is the nicest carrot soup.
R factor and MOS (Mean Opinion Score):
R 90 to 100 (MOS 4.1 to 5.0): Very satisfied
R 80 to 90 (MOS 3.7 to 4.1): Satisfied
R 70 to 80 (MOS 3.4 to 3.7): Some users dissatisfied
R 60 to 70 (MOS 2.9 to 3.4): Many users dissatisfied
R 50 to 60 (MOS 2.4 to 2.9): Nearly all users dissatisfied
R 0 to 50 (MOS 1.0 to 2.4): Not recommended
• The MOS terminology is defined by ITU-T P.800.1
• The PESQ (Perceptual Evaluation of Speech Quality) MOS is defined by ITU-T P.862
R Factor
The ITU-T has defined a model (the E-model, ITU-T G.107) for rating the quality of a voice connection. This benchmark can be used to compare the quality of one codec with another.
The R factor is calculated on a scale of 0 to 100 based on user perception: 100 is excellent and 0 poor. The R factor calculation begins with an unimpaired signal. If there is no network or equipment, quality is perfect. This is expressed by the equation:
R = R0 (e.g. 93.2)
But the network and equipment impair the signal, thus reducing signal quality as it travels from one end to the other:
R = R0 - Is - Id - Ie,eff + A where:
R0: represents the basic signal-to-noise ratio, including noise sources such as circuit noise and room noise.
Is: a combination of all impairments which occur more or less simultaneously with the voice signal (too loud a signal, quantization distortion, sidetone).
Id: represents the impairments caused by delay, including the echo that delay makes audible.
Ie,eff: the effective equipment impairment, which represents the impairments caused by low bit-rate codecs. It also includes the impairment due to packet losses of random distribution.
A: this Advantage factor allows for compensation of impairment factors when there are other advantages of access to the user (mobility, for instance).
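A worked E-model calculation, added here as an example rather than taken from the course. The R to MOS mapping is the ITU-T G.107 Annex B formula; the delay and loss terms use the simplified E-model of Cole and Rosenbluth (2001), whose codec constants for G.711 and G.729a are assumptions from that paper and not from the page, and the satisfaction bands follow the table above:

```python
import math

# Simplified E-model (Cole & Rosenbluth, 2001): Ie,eff = a + b * ln(1 + c * loss), loss as a
# fraction. Assumed constants from that paper, not from the course material.
CODEC_LOSS_MODEL = {"G.711": (0.0, 30.0, 15.0), "G.729a+VAD": (11.0, 40.0, 10.0)}
R0 = 93.2        # default basic signal-to-noise ratio (ITU-T G.107)


def delay_impairment(one_way_delay_ms: float) -> float:
    """Id: 0.024 per ms, plus 0.11 per ms above 177.3 ms where echo becomes disruptive."""
    d = one_way_delay_ms
    return 0.024 * d + (0.11 * (d - 177.3) if d > 177.3 else 0.0)


def equipment_impairment(codec: str, loss_fraction: float) -> float:
    """Ie,eff: the codec's intrinsic impairment plus the effect of random packet loss."""
    a, b, c = CODEC_LOSS_MODEL[codec]
    return a + b * math.log(1 + c * loss_fraction)


def r_factor(codec, one_way_delay_ms, loss_fraction, advantage=0.0, simultaneous=0.0):
    """R = R0 - Is - Id - Ie,eff + A, clamped to the 0..100 scale."""
    r = (R0 - simultaneous - delay_impairment(one_way_delay_ms)
         - equipment_impairment(codec, loss_fraction) + advantage)
    return max(0.0, min(100.0, r))


def r_to_mos(r: float) -> float:
    """ITU-T G.107 Annex B mapping from R to estimated MOS (1.0 to 4.5)."""
    if r <= 0:
        return 1.0
    if r >= 100:
        return 4.5
    return 1 + 0.035 * r + r * (r - 60) * (100 - r) * 7e-6


def satisfaction(r: float) -> str:
    """User satisfaction band for an R value, as in the table above."""
    bands = ((90, "Very satisfied"), (80, "Satisfied"), (70, "Some users dissatisfied"),
             (60, "Many users dissatisfied"), (50, "Nearly all users dissatisfied"))
    for limit, label in bands:
        if r >= limit:
            return label
    return "Not recommended"


def rate_call(codec, one_way_delay_ms, loss_fraction):
    r = r_factor(codec, one_way_delay_ms, loss_fraction)
    return {"R": round(r, 1), "MOS": round(r_to_mos(r), 2), "verdict": satisfaction(r)}
```

The G.107 curve is not linear: the same 10 points of R cost far more perceived quality between 70 and 60 than between 93 and 83, which is why the loss and delay targets later in this document are so tight for the "very satisfied" band.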
[Figure: G.711 encoding: 8-bit amplitude, sampling at 8 kHz (t = 0.125 ms), bit rate 64 kbps]
These codecs do not use compression. This means that the rate is obtained directly from the sampling parameters:
bit rate = sampling frequency × bits per sample = 8,000 samples/s × 8 bits = 64 kbps
G.711 is the reference codec. It works as previously described with an amplitude of 8 bits and a sampling frequency of 8 kHz.
G.726 Adaptive Differential Pulse Code Modulation (ADPCM) uses a compression whereby only the difference between two consecutive samples is encoded, rather than the absolute sample value. Because the difference is smaller than the value, it fits in 2 to 5 bits instead of 8, with an acceptable loss of quality.
[Figure: G.726 ADPCM: absolute sample values (1 to 5) against the differences between consecutive sample values. Amplitude: 2 to 5 bits; sampling: 8 kHz; rate 16 to 40 kbps (usually 32 kbps).]
These codecs use compression methods, which means that the rate is no longer 8 bits times the sampling frequency: with 4 bits per difference, G.726 gives 8,000 × 4 = 32 kbps.
G.729: rate 8 kbps; sampling 8 kHz; 20 bytes every 20 ms (2 bytes every 20 ms during silences); encoding delay 15 ms.
AMR: rate 4.75 to 12.2 kbps; sampling 8 kHz; between 95 and 244 bits every 20 ms (39 bits every 160 ms during silences); encoding delay 20 ms.
These codecs use compression methods, which means that the formula used for G.711 is not applicable.
G.729 samples the voice using the same method as G.711. The information is then compressed using a lexicon (a codebook) and an algorithm which models the human vocal tract with a mathematical model (Code-Excited Linear Prediction, CELP). Once the receiver and the sender have agreed on the codebook to be used, the sender only transmits the parameters of the model and its excitation (the vocal cord impulses), not the samples themselves.
Adaptive Multi-Rate (AMR) uses a compression similar to G.729. However, the rate is not fixed: 8 levels of quality and data rate have been defined, from AMR 4.75 kbps to 12.2 kbps.
Frequencies
The encoding of the sound is based on human hearing. Among its principal properties, three will be used to compress a sampled audio flow:
Sensitivity to certain frequencies: the human ear is not designed to hear certain frequencies. Let us recall that the frequency of a sound indicates its pitch, which is similar to the colour of an object (the colour itself being due to a frequency). A high-pitched sound has a high frequency whereas a low sound has a low frequency. Certain sounds are too high-pitched to be perceived by the human ear: these ultrasounds can however be perceived by certain animals. Other sounds are too low in frequency to be heard: these are known as infrasounds. Inaudible sounds do not require encoding.
Frequency masking: a strong sound will hide a weaker sound with a close frequency.
Time
Temporal masking: the ear also tends to mask sounds produced just before or after the emission of a relatively strong noise. This noise drowns out any sound emitted shortly afterwards. These sounds are not perceived by the human ear and therefore do not require encoding.
[Figure: the four codecs on the R factor / MOS scale: G.711 (64 kbps) near R 90 (very satisfied), AMR (12.2 kbps) between 90 and 80, G.726 (32 kbps) near 80 (satisfied), G.729 near 70 (some users dissatisfied).]
[Figure: with G.729 (8 kbps) one packet is sent every 20 ms, each carrying 20 bytes of voice; with VAD (Voice Activity Detection, assuming 35% silence) the average payload falls to about 14 bytes.]
Voice over IP (VoIP) sends packet information. To understand the calculations of traffic over IP, imagine that you are filling a cup from a jug. The flow from the jug is constant, but a drop leaves the cup every 20 ms.
To calculate the rate over IP we need to convert the codec rate into the number of bytes transferred during 20 ms, then add the 40 bytes of IP (20), UDP (8) and RTP (12) headers carried by every packet:
G.711: 20 + 8 + 12 + 160 bytes every 20 ms. Useful bandwidth 64 kbps, used bandwidth 80 kbps.
G.726: 20 + 8 + 12 + 80 bytes every 20 ms. Useful bandwidth 32 kbps, used bandwidth 48 kbps (the slide rounds this to 50 kbps).
AMR 12.2: 20 + 8 + 12 + 4 (Nb UP framing) + 30.5 bytes every 20 ms. Useful bandwidth 12.2 kbps, used bandwidth about 30 kbps.
G.729: 20 + 8 + 12 + 20 bytes every 20 ms. Useful bandwidth 8 kbps, used bandwidth 24 kbps (the slide rounds this to 23 kbps).
RTP is a datagram protocol that is designed for real-time data such as streaming audio and video.
UDP is a connectionless datagram protocol. It is a "best effort" or "unreliable" protocol - not because it is
particularly unreliable, but because it does not verify that packets have reached their destination, and
gives no guarantee that they will arrive in order.
IP performs the basic task of getting packets of data from source to destination. IP can carry data for a
number of different higher level protocols; these protocols are each identified by a unique IP Protocol
Number.
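The per-packet calculation above, generalized into a small calculator. This is an added example and not the course's own material: it takes a codec rate, the packetization interval and the header overhead, optionally a silence fraction for VAD, and returns the bandwidth on the wire and the number of calls that fit in an STM-1 payload (149.76 Mb/s, which the slide rounds to 149 Mb/s, so the call counts differ slightly from the slide's). The 4 bytes of Nb UP framing for AMR and the 2-byte G.729 silence frame are taken from the slides; SID handling for AMR is not modelled:

```python
STM1_PAYLOAD_BPS = 149_760_000          # STM-1 payload rate; the slide rounds it to 149 Mb/s
IP_UDP_RTP_OVERHEAD = 20 + 8 + 12       # bytes of header on every voice packet

# Codec parameters as given on the slides: rate in kbps and extra per-packet framing
# (4 bytes of Nb UP for AMR). SID frames during silence are only modelled for G.729 below.
CODECS = {
    "G.711": {"kbps": 64.0, "extra": 0},
    "G.726": {"kbps": 32.0, "extra": 0},
    "AMR":   {"kbps": 12.2, "extra": 4},
    "G.729": {"kbps": 8.0,  "extra": 0},
}


def payload_bytes(codec_kbps, interval_ms):
    """Codec output accumulated over one packetization interval (kbps x ms / 8 = bytes)."""
    return codec_kbps * interval_ms / 8


def voip_bandwidth_bps(codec_kbps, interval_ms=20, extra_overhead=0, l2_overhead=0,
                       silence_fraction=0.0, sid_bytes=0):
    """Average bit rate on the wire for one direction of one call. With VAD the talkspurt
    payload is replaced by a small SID frame for the given fraction of the time; set
    l2_overhead to the link-layer framing (e.g. 18 for Ethernet) to get the link rate."""
    talk = payload_bytes(codec_kbps, interval_ms)
    avg_payload = (1 - silence_fraction) * talk + silence_fraction * sid_bytes
    packet_bytes = IP_UDP_RTP_OVERHEAD + extra_overhead + l2_overhead + avg_payload
    packets_per_second = 1000 / interval_ms
    return packet_bytes * 8 * packets_per_second


def calls_per_stm1(bps_per_call):
    """How many one-way voice flows of this rate fit in the STM-1 payload."""
    return int(STM1_PAYLOAD_BPS // bps_per_call)


def tdm_calls_per_stm1():
    """TDM reference of the slide: 63 E1 links of 31 usable timeslots each."""
    return 63 * 31


def compare_codecs(interval_ms=20):
    """{codec: (kbps on the wire, VoIP calls per STM-1)} for the four codecs of the slide."""
    out = {}
    for name, c in CODECS.items():
        bps = voip_bandwidth_bps(c["kbps"], interval_ms, c["extra"])
        out[name] = (round(bps / 1000, 1), calls_per_stm1(bps))
    return out
```

Doubling the packetization interval to 40 ms halves the header cost per second but adds 20 ms of delay to every packet, which is the trade-off between the bandwidth numbers here and the delay budget of the next section.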
[Figure: number of simultaneous calls on an STM-1 and the corresponding R factor. TDM G.711 = 1,953 calls (63 × 31); VoIP G.711 = 1,848 calls (R = 89.3); G.726 = 2,995 calls (R = 84.3); AMR = 5,546 calls (R = 82.3); G.729 = 6,511 calls (R = 68.9).]
This diagram shows that with STM-1 (149 Mb/s) it is worth using voice over IP only if you do not use G.711. In fact, with STM-1 you can transport 63 PCM links in TDM using G.711, which means 31 timeslots × 63 PCMs = 1,953 calls, more than the 1,848 VoIP G.711 calls once the IP/UDP/RTP overhead is added. VoIP becomes viable with G.726, AMR and G.729, but with G.729 quality decreases to an R factor of 68.9, which the R factor definition rates as "Many users dissatisfied".
Section 7
Quality of Service
IP Technology
IP for Mobile Networks
7. QoS in IP networks
Why implement Quality of Service?
[Figure: broadcast TV, VoIP, audio/video conferencing and video streaming sharing one IP network, with a PBX and the PSTN/ISDN attached.]
Up to now, IP networks were dedicated to transporting data and only best effort was provided to the users. As we converge the networks and put voice and video applications on the IP network, delay affects interactive conversation.
The ITU says that a one-way packet delay of 150 to 200 ms degrades the interactivity in a conversation (ITU-T G.114).
IP needs enough intelligence to differentiate one packet from another and provide different service levels based on the requirements of the applications.
What is Quality of Service?
[Figure: the QoS parameters: delay, throughput and jitter, with the recommended values per type of application.]
Delay and jitter
Delay: amount of time it takes the packet to get through the network.
Delay = f(route, line speed, queue size, network load)
Jitter: the variation of that delay from one packet to the next.
Causes of the delay
[Figure: serialization delay of a 1500-byte frame: 187 ms on a low-speed link (64 kb/s) against 1.2 µs on a high-speed link (10 Gb/s). Propagation delay: 5 ms per 1000 km.]
In advanced high-speed routers, the switching delay is of the order of tens of microseconds and is therefore
negligible. Thus, the one-way delay in a network is caused by three main components:
Serialization delay at each hop This is the time it takes to clock all the bits of the packet onto the wire.
This is very significant on a low-speed link (187 milliseconds (ms) for a 1500-byte packet on a 64-kbps
link) and is entirely negligible at high speeds (1.2 microseconds for a 1500-byte packet on a 10-Gbps link).
For a given link, this is clearly a fixed delay.
Propagation delay end-to-end This is the time it takes for the signal to physically propagate from one end
of the link to the other. This is constrained by the speed of light on fiber (or the propagation speed of
electrical signals on copper) and is about 5 ms per 1000 km. Again, for a given link, this is a fixed delay.
Queuing delay at each hop This is the time spent by the packet in an egress queue waiting for transmission of other packets before it can be sent on the wire. This delay varies with queue occupancy, which in turn depends on the packet arrival distribution and queue service rate.
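A delay-budget calculation over a multi-hop path, added here as an example and not taken from the course. It combines the three components described above with the head-of-line wait of a voice packet queued behind full-size data frames, and checks the result against the 150 ms mouth-to-ear target and the 40 ms application budget used later in this section. The two sample paths (a 56 kb/s access link feeding a 1000 km Gigabit core) and the number of frames already queued are constructed:

```python
FIBER_KM_PER_MS = 200.0          # about 5 ms per 1000 km, as in the text


def serialization_delay_ms(packet_bytes, link_bps):
    """Time to clock all the bits of the packet onto the wire."""
    return packet_bytes * 8 / link_bps * 1000


def propagation_delay_ms(distance_km):
    return distance_km / FIBER_KM_PER_MS


def hop_delay_ms(link, voice_bytes=66, data_mtu=1500):
    """Worst-case one-hop delay for a voice packet: its own serialization, propagation on the
    link, and the wait behind `queued_frames` full-size data frames already in the egress
    queue. With a strict priority queue for voice it waits at most for the one frame that is
    already being transmitted (serialization cannot be interrupted)."""
    waiting = link.get("queued_frames", 0)
    if link.get("priority_queue"):
        waiting = min(waiting, 1)
    return (serialization_delay_ms(voice_bytes, link["bps"])
            + propagation_delay_ms(link["km"])
            + waiting * serialization_delay_ms(data_mtu, link["bps"]))


def path_delay_ms(links, **kw):
    """One-way network delay along the path; switching delay is neglected as in the text."""
    return sum(hop_delay_ms(link, **kw) for link in links)


def mouth_to_ear_ok(links, app_budget_ms=40, target_ms=150, **kw):
    """Budget of the text: 150 ms mouth-to-ear, 40 ms of which go to packetization and the
    codec, leaving 110 ms for the network. Returns (within budget, network delay in ms)."""
    network = path_delay_ms(links, **kw)
    return network + app_budget_ms <= target_ms, network


def sample_paths():
    """Constructed paths: a 56 kb/s access link into a 1000 km 1 Gb/s core link, each with
    three data frames queued ahead of the voice packet; once FIFO, once with priority queuing."""
    access = {"bps": 56_000, "km": 1, "queued_frames": 3}
    core = {"bps": 1_000_000_000, "km": 1000, "queued_frames": 3}
    fifo = [access, core]
    prio = [dict(access, priority_queue=True), dict(core, priority_queue=True)]
    return fifo, prio
```

On the sample access link even a priority queue is not enough: one 1500-byte frame alone costs 214 ms, more than the whole budget. Passing data_mtu=200 to mouth_to_ear_ok() shows that shrinking the data frames on that slow link (so that a voice packet never waits behind a large one) is what brings the path inside 110 ms; on the Gigabit core the same frame costs 12 µs and the question does not arise.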
QoS requirements
Interactive applications: 300 ms < delay < 400 ms; jitter not really relevant; 0.5% < packet loss < 1% (involves rare retransmission).
Non-interactive applications: delay irrelevant; jitter irrelevant; 0.1% < packet loss < 0.5% (drives the throughput via TCP).
Although many applications using a given network may each potentially have their own specific QoS
requirements, they can actually be grouped into a limited number of broad categories with similar QoS
requirements. These categories are called classes of service. The number and definition of such classes of
service is arbitrary and depends on the environment.
In the context of telephony, we'll call the delay between when a sound is made by a speaker and when that sound is heard by a listener the mouth-to-ear delay. Telephony users are very sensitive to this mouth-to-ear delay because it impacts conversational dynamics and makes any echo more noticeable. A mouth-to-ear delay below 150 ms results in very high-quality perception for the vast majority of telephony users. Hence, this is used as the design target for very high-quality voice over IP (VoIP) applications. Less stringent design targets are also used in some environments where good or medium quality is acceptable.
Because the codec on the receiving VoIP gateway effectively needs to decode a constant rate of voice
samples, a de-jitter buffer is used to compensate for the delay variation in the received stream. This
buffer effectively turns the delay variation into a fixed delay. VoIP gateways commonly use an adaptive
de-jitter buffer that dynamically adjusts its size to the delay variation currently observed. This means
that the delay variation experienced by packets in the network directly contributes to the mouth-to-ear
delay.
Therefore, assuming a delay budget of 40 ms for the telephony application itself (packetization time, voice
activity detection, codec encoding, codec decoding, and so on), you see that the sum of the VoIP one-way
delay target and the delay variation target for the network for high-quality telephony is 110 ms end to
end (including both the core and access links).
Assuming random distribution of loss, a packet loss of 0.1- 0.5 % results in virtually undetectable, or very
tolerable, service degradation and is often used as the target for high-quality VoIP services.
For interactive mission-critical applications, an end-to-end RTT on the order of 300-400 ms is usually a
sufficient target to ensure that an end user can work without being affected by network-induced delay.
Delay variation is not really relevant. A loss ratio of about 0.5-1% may be targeted for such applications,
resulting in sufficiently rare retransmissions.
For noninteractive mission-critical applications, the key QoS element is to maintain a low loss ratio (with
a target in the range of 0.1-0.5 %) because this is what drives the throughput via the TCP congestion
avoidance mechanisms. Only loose commitments on delay are necessary for these applications, and delay
variation is irrelevant.
Admission control and queue management
[Figure: traffic load on a link sampled hourly over two days starting at 12:00, oscillating between about 200 and 600 with a daily peak.]
In the absence of routing change, because the serialization delay and propagation delay are fixed by physics
for a given path, the delay variation in a network results exclusively from variation in the queuing delay
at every hop. In the event of a routing change, the corresponding change of the traffic path is likely to
result in a sudden variation in delay.
Line speed and delay
[Figure: a 66-byte voice packet (2) arrives at an output port 10 µs after a 1500-byte data frame (1) has started to be transmitted. On a 56 kb/s link the data frame needs 214 ms to be serialized, so the voice packet waits 214 ms; on a 1 Gb/s link the same frame is serialized in 12 µs and the wait is negligible.]
Gigabit Ethernet changes the way you look at statistical multiplexing. Let me remind you that a standard
Ethernet frame is 1500 bytes. This means a 1500 byte packet can be transmitted in roughly 12
microseconds across a 1 Gbps link, assuming that the link actually delivers the full 1 Gbps. In reality,
8B/10B encoding reduces that a little, but not significantly. If a voice packet has to wait around for even
100 microseconds before it can be forwarded, who cares? You need to deliver voice packets in 150,000
microseconds, end to end to keep your voice users happy, otherwise, they will complain about delay.
Admission control: SLA (Service Level Agreement)
[Figure: the user and the network operator are bound by a legal contract, the Service Level Agreement, which guarantees performance (packet loss, end-to-end delay, availability); the operator applies traffic shaping where the user's traffic enters the IP network.]
The operator of the network guarantees a certain quality of service. In return, it must check that the customer
does not exceed his contracted rights. For this reason it sets up the functions of:
"Traffic admission control": admission control describes how carriers control the traffic entering the
network.
"Traffic shaping" (or "traffic policing"): traffic shaping controls the rate at which traffic enters the
network. Typically carriers shape traffic to ensure that the customer conforms to their Service Level
Agreement. For example, if the customer sends high priority traffic at 100 kb/s, the carrier "shapes" it
at the network entry point to ensure that only 100 kb/s enters the network.
Queue management
[Figure: a switch or router with input ports, a switch fabric and output ports; each port has high, medium and low priority queues.]
•Multipriority queues
•Traffic covered by SLA
•Explicit admission control
•Shaping
•Cost more expensive
Today, modern switches and routers have "multi-priority queues" per port, for example:
High priority
Medium priority
Low priority
allowing packets to be placed in the queue suited to the QoS wished.
The packets are then extracted from the various queues according to the deadlines to be respected.
The network device (switch or router) receiving incoming packets selects the queue according to the
markings in the IP packet (the DiffServ CodePoints).
Tail drop management will impact the packets arriving after a queue reaches its maximum capacity.
Stateful/stateless QoS
[Figure: with stateful QoS (ATM/FR) every node along the path keeps information about each flow; with stateless QoS the nodes keep no information about flows.]
A flow is a sequence of packets from a source towards a destination which requires the same service from the network.
Example: all packets of a conversation.
Stateless/stateful
Unlike "stateful" equipment (ATM, FR, X25 switches), "stateless" equipment does not store any information
on flows. Routers are stateless equipment: when they receive a packet, they process it and dispatch it on
the exit interface, but do not store any information following this treatment. Another packet, even one
belonging to the same flow, will have to undergo the same treatment.
Historically, stateful QoS ("IntServ") was favoured in networks of the ATM and FR type, but on the public
Internet it poses problems of scale. Indeed, how could each element of the network memorize the QoS
information of millions of connections?
For this reason the IETF, in the 1990s, moved to stateless QoS in the form of "Differentiated services"
(DiffServ).
The Type-of-Service (IPv4) or Class-of-Service (IPv6) fields will be used to manage QoS: their value will
determine the queue to use.
Stateful QoS _ Integrated Services - RSVP
[Figure: with RSVP, a resource reservation is made at each node along the path.]
Stateless QoS _ Type of Service
Service Type:
The service type is an indication of the quality of service requested for this IP datagram
The Type of Service is used to indicate the quality of the service desired. The type of service is an
abstract or generalized set of parameters which characterize the service choices provided in the
networks that make up the internet. This type of service indication is to be used by gateways to select
the actual transmission parameters for a particular network, the network to be used for the next hop,
or the next gateway when routing an internet datagram.
ToS : Precedence (rfc791)
[Figure: the Type of Service byte, bits 0 to 7; the Precedence field occupies the first three bits.]
Precedence is intended to denote the importance or priority of the datagram.
This field specifies the nature and priority of the datagram:
• 000: Routine
• 001: Priority
• 010: Immediate
• 011: Flash
• 100: Flash override
• 101: Critical
• 110: Internetwork control
• 111: Network control
ToS : Precedence management
[Figure: a router facing congestion in the IP network serves separate queues for precedence 4, 3, 2, 1 and 0.]
DiffServ
[Figure: the IPv4 header (Version, Header length, Type Of Service, Datagram length, Identification, Flag, Datagram Offset, TTL, Protocol, Checksum, Source IP address, Destination IP address, Options) with the Type Of Service byte detailed, bits 0 to 7: a Class Selector part and a Code point part, the last bit giving the Code point pool (0: standard, 1: experimental or local usage).]
Advantages:
No signaling protocol: each packet conveys its own QoS
No per-flow information to be memorized in each network element
No dimensioning problem
Diffserv : principle of operation
[Figure: incoming packets pass through a Classifier, then Traffic conditioning (Meter, Marker, Shaper/Dropper), then the Per-Hop-Behavior queues, each with a share of the output (EF 65/100, AF2 20/100, BE 5/100), then the Scheduler and Queue management towards the Output.]
DiffServ is a flexible model. It is up to each operator to decide how many classes of service to support,
which PHBs to use, which traffic conditioning mechanisms to use, and how to allocate capacity to each
PHB to achieve the required QoS for each class of service.
The DiffServ Code Point determines the Per-Hop Behavior of the network nodes.
If all the traffic on an access link uses the same Code Point, then the PHB depends only upon the load.
Traffic in the high priority queue should wait less time and experience better network quality of service.
First of all, the packets received on an interface are classified according to their PHB.
There are 3 principal types of traffic corresponding to 3 types of PHB:
EF for "Expedited Forwarding": traffic with a low delay, little jitter and a guaranteed bandwidth
AF for "Assured Forwarding": traffic whose bandwidth can be divided according to policies
BE for "Best Effort": traffic for which the network will nevertheless make its best effort to convey it
But before being directed towards the exit interface, the traffic passes through the "traffic
conditioning" process, where it is measured in order to check whether it strictly respects the contract
subscribed in terms of rate, volume, etc.
This traffic can be downgraded, i.e. marked with a PHB of lower quality, or even discarded according to
the adopted policy.
The "Scheduler" process applies a policy for serving the flows when conveying packets to the exit interface.
Another process, "queue management", is also set up, mainly in the event of congestion, in order to
eliminate certain packets as soon as they enter a congested router and so avoid aggravating the
problem.
Diffserv : encoding
[Figure: the DS byte, bits 0 to 7: the 6-bit DSCP (Differentiated Services Code Point), made of a 3-bit Class Selector and a 3-bit Code point whose last bit selects the Code point pool, followed by 2 unused bits.]
DSCP bits 0-5      Per-Hop Behavior
0 0 0 0 0 0        Best effort
0 0 1 X X 0        Class 1   (Assured Forwarding)
0 1 0 X X 0        Class 2   (Assured Forwarding)
0 1 1 X X 0        Class 3   (Assured Forwarding)
1 0 0 X X 0        Class 4   (Assured Forwarding)
1 0 1 1 1 0        Expedited Forwarding
Best-effort forwarding behavior available in all routers (that aren't running DiffServ) for standard traffic
whose responsibility is simply to deliver as many packets as possible as soon as possible. This PHB is
intended for all traffic for which no special QoS commitments are contracted. The default PHB essentially
specifies that a packet marked with a DSCP value of 000000 receives the traditional best-effort service.
Diffserv : Assured Forwarding
[Figure: the DS byte again, bits 0 to 7: Class Selector, Code point, Code point pool and the unused bits.]
In a typical application, a company uses the Internet to interconnect its geographically distributed sites and
wants an assurance that IP packets within this intranet are forwarded with high probability as long as the
aggregate traffic from each site does not exceed the subscribed information rate.
The Assured Forwarding (AF) PHB group is a means for a provider to offer different levels of forwarding
assurance for IP packets received from a customer.
Four AF classes are defined, where each AF class is allocated, in each node, a certain amount of
forwarding resources (buffer space and bandwidth). IP packets that wish to use the services provided by
the AF PHB group are assigned by the customer or the provider into one or more of these AF classes
according to the services that the customer has subscribed to.
Within each AF class, IP packets are marked (again by the customer or the provider) with one of three
possible drop precedence values. In case of congestion, the drop precedence of a packet determines the
relative importance of the packet within the AF class. A congested node tries to protect packets with a
lower drop precedence value from being lost by preferably discarding packets with a higher drop
precedence value.
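As an added worked example (not part of the course material), the following code decodes the DS byte according to the encoding table and the AF rules above; the three queue names in select_queue are a constructed policy, not something the course prescribes.

```python
# Added example (not from the course material): classify the DS byte of an
# IPv4 header using the encoding on the slides above: bits 0-5 are the DSCP
# (3-bit Class Selector + 3-bit Code point), bits 6-7 are unused here.
# AF class x with drop precedence y has the pattern xxx yy0 (class 1..4,
# drop precedence 1..3); EF is 101110; 000000 is best effort; code points
# ending in 1 belong to pool 1 (experimental or local usage).
from dataclasses import dataclass
from typing import Optional

EF_DSCP = 0b101110  # Expedited Forwarding, from the encoding slide


@dataclass(frozen=True)
class DiffServMark:
    dscp: int                       # 6-bit DS code point
    phb: str                        # "BE", "EF", "AF", "CS", "LOCAL" or "OTHER"
    class_selector: int             # first three bits (the IPv4 precedence bits)
    drop_precedence: Optional[int]  # 1..3 for AF marks, None otherwise


def decode_ds_byte(ds_byte: int) -> DiffServMark:
    """Classify the Type of Service / DS byte of an IPv4 header."""
    if not 0 <= ds_byte <= 0xFF:
        raise ValueError("DS byte must fit in 8 bits")
    dscp = ds_byte >> 2            # bits 0-5 of the byte; bits 6-7 ignored
    cs = dscp >> 3                 # Class Selector = first three bits
    codepoint = dscp & 0b111       # Code point = last three bits of the DSCP
    if dscp == 0:
        return DiffServMark(dscp, "BE", cs, None)
    if dscp == EF_DSCP:
        return DiffServMark(dscp, "EF", cs, None)
    if codepoint & 1:
        # xxxxx1: code point pool 1, experimental or local usage
        return DiffServMark(dscp, "LOCAL", cs, None)
    dp = codepoint >> 1            # the "X X" bits of the AF pattern
    if 1 <= cs <= 4 and 1 <= dp <= 3:
        return DiffServMark(dscp, "AF", cs, dp)
    if codepoint == 0:
        # xxx000: a pure Class Selector codepoint (precedence-compatible)
        return DiffServMark(dscp, "CS", cs, None)
    return DiffServMark(dscp, "OTHER", cs, None)


def af_name(mark: DiffServMark) -> str:
    """Render an AF mark in the usual AFxy form, e.g. AF21."""
    if mark.phb != "AF":
        raise ValueError("not an AF mark")
    return f"AF{mark.class_selector}{mark.drop_precedence}"


def select_queue(ds_byte: int) -> str:
    """Constructed per-port policy: map the PHB to one of the three queues
    of the multi-priority queue slide (high / medium / low)."""
    mark = decode_ds_byte(ds_byte)
    if mark.phb == "EF":
        return "high"
    if mark.phb == "AF":
        return "medium"
    return "low"
```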
Diffserv : Traffic control by Token Bucket
[Figure: tokens enter the bucket at a constant rate. For each arriving packet, tokens equivalent to the packet size are removed from the bucket if available ("in-profile" traffic). If there are not enough tokens the traffic is "out-of-profile": the packet is discarded or marked.]
The "policing" is carried out by the access equipment at the edge of the network ("access edge"). The
method used is the "Token bucket".
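As an added worked example (not part of the course material), the token bucket policer below meters a constructed packet trace against a contracted rate and burst; the rate, depth and trace values are assumptions chosen for the illustration.

```python
# Added example (not from the course material): a token bucket meter and
# marker as used by the access-edge policer. Tokens (bytes) arrive at a
# constant rate into a bucket of limited depth; a packet is "in-profile" when
# the bucket holds at least its size in tokens, which are then removed;
# otherwise it is "out-of-profile" and is discarded or marked, per policy.
# Time is kept in whole milliseconds and tokens as exact fractions so that
# the arithmetic is reproducible.
from fractions import Fraction
from typing import List, Tuple


class TokenBucket:
    def __init__(self, rate_bytes_per_s: int, depth_bytes: int, start_ms: int = 0):
        self.rate = rate_bytes_per_s          # token refill rate (contracted rate)
        self.depth = depth_bytes              # bucket capacity = allowed burst
        self.tokens = Fraction(depth_bytes)   # bucket starts full
        self.last_ms = start_ms               # time of the last refill

    def _refill(self, now_ms: int) -> None:
        # tokens accrue continuously at the constant rate, capped at the depth
        if now_ms < self.last_ms:
            raise ValueError("packet timestamps must be non-decreasing")
        earned = Fraction(now_ms - self.last_ms, 1000) * self.rate
        self.tokens = min(Fraction(self.depth), self.tokens + earned)
        self.last_ms = now_ms

    def conforms(self, now_ms: int, size_bytes: int) -> bool:
        """Meter one packet: True = in-profile (tokens removed), False = out."""
        self._refill(now_ms)
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return True
        return False                          # out-of-profile: bucket untouched


def police(bucket: TokenBucket, packets: List[Tuple[int, int]],
           action: str = "drop") -> List[Tuple[int, int, str]]:
    """Apply the edge policy to a list of (time_ms, size_bytes) packets.
    action="drop": out-of-profile packets are discarded;
    action="mark": they are forwarded but marked (e.g. with a higher drop
    precedence), the alternative shown on the slide.
    Returns (time_ms, size_bytes, verdict) with verdict in in/dropped/marked."""
    if action not in ("drop", "mark"):
        raise ValueError("action must be 'drop' or 'mark'")
    verdicts = []
    for t, size in packets:
        if bucket.conforms(t, size):
            verdicts.append((t, size, "in"))
        else:
            verdicts.append((t, size, "dropped" if action == "drop" else "marked"))
    return verdicts


def example_run(action: str = "drop") -> List[Tuple[int, int, str]]:
    # Constructed trace: contract of 100 kb/s (12 500 bytes/s) with a 3000-byte
    # burst allowance; the source sends 1500-byte packets every 20 ms, i.e.
    # 600 kb/s, six times the contracted rate. The first two packets use up
    # the burst, then only every sixth packet finds enough tokens.
    bucket = TokenBucket(rate_bytes_per_s=12_500, depth_bytes=3000)
    packets = [(i * 20, 1500) for i in range(10)]
    return police(bucket, packets, action)
```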
Queue management - FIFO
[Figure: a switch / router with input ports, a switch fabric and output ports; each port has a single FIFO queue with tail drop.]
Queuing occurs at every switch or router between the source and the destination. Delay-sensitive traffic
requires queue management throughout the network to support end-to-end QoS requirements.
A queue holds packets awaiting access to a resource:
Input queues hold traffic awaiting access to the switch fabric
Output queues hold traffic awaiting transmission onto the link
The highest level of QoS appears when queues are empty, i.e. all controllable delay is controlled, and only
uncontrollable delay remains.
The method of managing the queue allows some delay control.
Delay variation, or "jitter", is very important to real-time applications. Transmitted real-time flows
must be played out by the destination at a constant rate. If all the packets in a flow encounter the same
queue length, they wait about the same time. However, queue sizes vary over time, resulting in packets
experiencing different delays through the network.
Using queue management techniques, we can try to eliminate or minimize jitter for delay-sensitive traffic.
FIFO queuing:
The first packet that gets into the queue is the first one that gets out of the queue. The device services the
packet at the front of the queue; arriving packets land at the tail of the queue.
Queue depth identifies the size, or maximum number of packets, of the queue.
If the queue is full to capacity, then the equipment simply drops arriving packets.
FIFO queuing has some negative characteristics, especially when used in a traffic-prioritized network.
Devices do not process the packets based on an established hierarchy. High-priority packets may be delayed
or discarded while the network devices process low-priority packets.
Multi-priority-queuing
[Figure: a switch / router where each input and output port has high, medium and low priority queues around the switch fabric.]
Multi-priority queuing uses a hierarchy to determine which packets to service first by defining a separate
queue for each priority level. The device analyzes the packet to determine its priority and places that packet
into the appropriate queue based on that determination.
Routers and switches using multi-priority queuing process high-priority traffic first, then medium, then low
priority traffic. Therefore, incoming high priority traffic delays medium priority traffic, which delays low
priority traffic.
Because the device services high priority packets regardless of the medium or low priority load,
medium and low priority packets may not be serviced at all and are therefore discarded. This technique of
queue management is known as "head-of-line blocking".
Class-based queuing
Network devices may employ a more sophisticated method of queuing to avoid head-of-line blocking. This
method is known as "class-based queuing".
CBQ does not assign absolute priorities to traffic, but rather assigns a ratio of the resource (e.g. bandwidth)
to each class, or priority. If a particular class uses less than its allocated portion, then the other classes
use it.
WFQ : Weight Fair Queue
[Figure: four WFQ queues sharing the resource 40%, 30%, 20% and 10%.]
Weighted Fair Queuing allocates a certain ratio of the resource to each priority but, unlike CBQ, it
accommodates and manages traffic consisting of variably sized packets.
WFQ can give certain traffic priority without starving the lower priority queues and maintains the resource
allocation ratio constantly over time. Computational complexity is the major disadvantage of WFQ.
Assume we have 4 queues and we have strategically weighted the resource for each.
To make weighted factoring work, we must dynamically understand the traffic on the network and be
able to dynamically change the weight of the available resource in response to the traffic pattern.
In this example, we want to maintain a ratio between the priority queues of 4 to 3 to 2 to 1, from the
highest to the lowest.
If the switch or router sent a 1500 byte packet from the lowest priority queue, it will not serve that queue
again until it serves:
4 times that amount from the high priority queue,
3 times that amount from the medium priority queue,
and 2 times that amount from the low priority queue.
If some queues are empty, then the device reallocates the resource to the non-empty queues in such a
way as to maintain the same ratios.
In the lower example, because the two higher priority queues are empty, the weighting between the
low and lower queues is 2 to 1, so the low priority queue gets 67% of the resource and the lower queue gets
33% of the resource. WFQ constantly recalculates the resource allocation.
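As an added worked example (not part of the course material), the scheduler below reproduces the 4:3:2:1 sharing and the 67% / 33% reallocation with mixed packet sizes, and contrasts it with plain multi-priority queuing; the deficit round robin mechanism and the packet mix are assumptions made for the illustration.

```python
# Added example (not from the course material): a byte-weighted scheduler in
# the spirit of the WFQ slide, built as a deficit round robin. Each round a
# backlogged queue earns weight * quantum bytes of credit and sends packets
# while the credit covers the head packet; left-over credit carries to the
# next round, so variably sized packets average out to the weight ratio. An
# empty queue earns nothing, so its share is redistributed among the active
# queues in proportion to their weights (the 67% / 33% case in the text).
from collections import deque
from typing import List, Sequence


class WeightedFairScheduler:
    def __init__(self, weights: Sequence[int], quantum: int = 1500):
        if any(w <= 0 for w in weights):
            raise ValueError("weights must be positive")
        self.weights = list(weights)          # e.g. (4, 3, 2, 1), highest first
        self.quantum = quantum
        self.queues = [deque() for _ in weights]
        self.credit = [0] * len(weights)

    def enqueue(self, q: int, size_bytes: int) -> None:
        self.queues[q].append(size_bytes)

    def run_rounds(self, rounds: int) -> List[int]:
        """Serve the queues for a number of rounds; returns bytes sent per queue."""
        sent = [0] * len(self.queues)
        for _ in range(rounds):
            for q, queue in enumerate(self.queues):
                if not queue:
                    self.credit[q] = 0        # idle queues do not bank credit
                    continue
                self.credit[q] += self.weights[q] * self.quantum
                while queue and queue[0] <= self.credit[q]:
                    size = queue.popleft()
                    self.credit[q] -= size
                    sent[q] += size
        return sent


def share(sent: Sequence[int]) -> List[float]:
    """Fraction of the transmitted bytes obtained by each queue, to 2 dp."""
    total = sum(sent)
    return [round(b / total, 2) if total else 0.0 for b in sent]


def strict_priority(backlogs: Sequence[int], slots: int) -> List[int]:
    """Plain multi-priority queuing for contrast: at each of `slots`
    transmission opportunities the highest non-empty queue wins, so a
    permanently busy high-priority queue starves the lower ones."""
    remaining = list(backlogs)
    served = [0] * len(backlogs)
    for _ in range(slots):
        for q, left in enumerate(remaining):
            if left > 0:
                remaining[q] -= 1
                served[q] += 1
                break
    return served


def wfq_demo(active: Sequence[int], rounds: int = 20) -> List[float]:
    """Keep the given queues (indices 0..3, weights 4:3:2:1) backlogged with a
    constructed mix of 1500, 1000 and 500 byte packets and report the shares."""
    sched = WeightedFairScheduler((4, 3, 2, 1))
    sizes = [1500, 1000, 500]
    for q in active:
        for i in range(400):                  # deep enough never to run dry
            sched.enqueue(q, sizes[i % len(sizes)])
    return share(sched.run_rounds(rounds))
```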
WFQ : Discard probability
[Figure: queues with a maximum depth (tail to head). With tail drop, the probability of an arriving packet being discarded is 0 while the queue is below its maximum and jumps to 1 at 100% fill.]
Any queue with a maximum depth contains the potential to fill up, thus causing the discard of arriving
packets.
Straight tail drop describes the process of dropping packets based solely on the space available in the queue
when packets arrive.
An empty queue offers a 0% probability of dropped packets, and there is a 100% probability of dropped packets
once the queue reaches capacity.
This probability shift causes the problem known as performance oscillation.
Performance oscillation with WFQ
[Figure: once the queue reaches 100% fill, packets from many TCP flows are dropped at the same time.]
TCP offers some built-in network congestion control mechanisms. If a given TCP flow experiences a certain
pattern of packet loss (unacknowledged packets), it assumes network congestion. TCP very quickly
decreases the transmission rate for packets of that flow, then slowly builds up the transmission rate again as
congestion eases.
However, if the network drops packets from many TCP flows within a short period of time, they will all slow
down and then build back up again.
This oscillation results in an inefficient use of network resources:
When many TCP flows slow down, throughput drops and the network operates with resources
underutilized.
When many TCP flows speed up, the network congests and drops packets, and network throughput
subsequently drops.
RED : Random Early Detection
[Figure: with RED the probability of an arriving packet being discarded rises gradually with queue occupancy, packets being dropped randomly before the queue is full, and reaches 1 only at full occupancy.]
A more efficient model allows traffic to build up to a point supporting high throughput without experiencing
congestion. This efficiency is the goal of "Random Early Detection" (RED).
RED drops some packets before the queue fills. The probability of packet loss increases with the occupancy
of the queue.
In this way congestion only impacts a small subset of the TCP flows. The affected flows slow their
transmission rate, reducing the load on the network enough to avoid full queues and oscillation while
maintaining acceptable overall throughput.
RED strives to achieve a "smoothed queue occupancy". The average queue threshold describes the average
length of the queue maintained over some period of time. If the queue exceeds the average queue
threshold, then the probability of packets being dropped increases and we start randomly
dropping incoming packets. We don't want to overreact and drop packets when we don't really need to
do so.
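As an added worked example (not part of the course material), the code below implements the RED drop decision described above, runs it beside plain tail drop under a constructed overload, and shows that RED keeps the queue well below the capacity at which tail drop hits every flow; the thresholds, weight and traffic figures are assumptions for the illustration.

```python
# Added example (not from the course material): the RED drop decision of one
# queue beside plain tail drop. RED keeps an exponentially weighted moving
# average of the queue length; below min_th nothing is dropped, between
# min_th and max_th arriving packets are dropped at random with a probability
# that rises linearly to max_p, and above max_th every arrival is dropped,
# so drops are spread over time and over flows instead of hitting everyone
# at once when the buffer fills.
import random
from typing import Dict


def red_drop_probability(avg: float, min_th: float, max_th: float, max_p: float) -> float:
    """Classic RED drop probability as a function of the average occupancy."""
    if not 0 < min_th < max_th:
        raise ValueError("need 0 < min_th < max_th")
    if avg < min_th:
        return 0.0
    if avg >= max_th:
        return 1.0
    return max_p * (avg - min_th) / (max_th - min_th)


class Queue:
    """A packet queue of fixed capacity with either tail drop or RED."""

    def __init__(self, capacity: int, red: bool, min_th: int = 20, max_th: int = 60,
                 max_p: float = 0.1, weight: float = 0.05, seed: int = 1):
        self.capacity, self.red = capacity, red
        self.min_th, self.max_th, self.max_p, self.weight = min_th, max_th, max_p, weight
        self.length = 0                  # instantaneous occupancy (packets)
        self.avg = 0.0                   # smoothed occupancy used by RED
        self.rng = random.Random(seed)   # seeded so runs are reproducible

    def arrive(self) -> bool:
        """One packet arrives; returns True if enqueued, False if dropped."""
        self.avg = (1 - self.weight) * self.avg + self.weight * self.length
        if self.length >= self.capacity:
            return False                 # buffer physically full: tail drop either way
        if self.red:
            p = red_drop_probability(self.avg, self.min_th, self.max_th, self.max_p)
            if self.rng.random() < p:
                return False             # early, random drop before the buffer is full
        self.length += 1
        return True

    def depart(self) -> None:
        if self.length:
            self.length -= 1


def simulate(red: bool, steps: int = 2000, arrivals: int = 3, service: int = 2,
             capacity: int = 100) -> Dict[str, int]:
    """Constructed overload: `arrivals` packets arrive and `service` packets
    leave per step, so the offered load is 150% of the link capacity."""
    q = Queue(capacity, red)
    dropped = max_length = 0
    for _ in range(steps):
        for _ in range(arrivals):
            if not q.arrive():
                dropped += 1
            max_length = max(max_length, q.length)
        for _ in range(service):
            q.depart()
    return {"arrivals": steps * arrivals, "dropped": dropped, "max_length": max_length}
```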
WRED : Weighted Random Early Detection
[Figure: WRED keeps separate high-priority and low-priority queues, with one discard probability threshold per queue.]
Answer the questions
End of Section
Section 8
Multiprotocol Label Switching (MPLS)
IP Technology
IP for Mobile Networks
TTP18031 D0 SG DEN I1.0
1. Label Switching Principles
Why MPLS?
A fast switchover to a backup path in case of failure (in the order of a few milliseconds).
8. Multiprotocol Label Switching
MPLS location
[Figure: MPLS sits between layer 2 and layer 3 (IP), below TCP/UDP (layer 4) and the applications (layers 5 to 7), above the Physical layer (Optical or Electrical). Alongside the IP Routing Table (Destination / Next Hop: 134.5.0.0/16 via 200.5.1.5, 134.5.1.0/24 via 200.2.3.4) the node holds an MPLS Table (In / Out as (port, label) pairs: (2, 84) to (4, 12), (2, 85) to (3, 99)).]
LSR : Label Switch Router
[Figure: an MPLS network of LSRs doing label switching, with IP routers doing IP routing on either side.]
A Label Switching Router (LSR) is a traditional router which has more processing capacity and runs the
MPLS protocols. It knows, amongst other things, how to manage a second table in addition to the
routing table: the label switching table.
An LSR can be:
An IP router
An ATM switch
A Frame Relay switch
A DWDM optical switch
The label table depends completely on the traditional IP routing table:
If the IP routing table is modified, the label table must be modified.
LER : Label Edge Router
[Figure: an MPLS network with an ingress LER, transit LSRs and an egress LER.]
Transit LSR: processing traffic within the MPLS domain
•Forwards MPLS packets using label swapping (label swap)
Ingress LER: processing traffic as it enters the MPLS domain
• examines inbound IP packets
• classifies packet for QoS
• assigns initial label (label push)
Egress LER: processing traffic as it leaves the MPLS domain
•Removes label (label pop)
The LER converts both IP packets into MPLS packets and MPLS packets into IP packets.
On the ingress side, the LER examines the incoming packet to determine whether the packet should be
labeled. In an MPLS network, the LERs serve as quality of service (QoS) decision points.
The function of the LSR is to examine incoming packets. Provided that a label is present, the LSR will look
up and follow the label instructions and then forward the packet according to the instructions. The LSR
performs a label-swapping function.
LSP : Label Switched Path
[Figure: an LSP across the MPLS network from the ingress LER through several LSRs to the egress LER; the label value carried by the packet changes at each hop.]
A path through the network, known as a Label Switched Path (LSP), must be defined and the QoS
parameters along that path must be established. The QoS parameters determine
how many resources to commit to the path, and
what queuing and discarding policy to establish at each LSR for packets
Principle of the "Label switching"
MPLS does not replace classical IP routing but optimizes it
[Figure: an LSR receives on port 1 an IP packet (IPs: 154.1.2.3 → IPd: 86.6.7.8) carrying label 25 and forwards it on port 4 carrying label 19.]
Switching Table
In (port, label)    Out (port, label)
(1, 22)             (2, 17)
(1, 24)             (3, 17)
(1, 25)             (4, 19)
(2, 23)             (3, 12)
Label swapping is based on an exact match and not on the longest prefix match like IP.
Principle of FEC (Forward Equivalence Class)
[Figure: packets destined to IP@1 and IP@2 are grouped into FECs at the ingress; all packets of a FEC follow the same LSP, carrying labels such as 23, 6 and 14 on successive hops.]
The “Forwarding Equivalence Class” is an important concept in MPLS. An FEC is any subset of packets
that are treated the same way by a router. By “treated” this can mean, forwarded out the same
interface with the same next hop and label. It can also mean given the same class of service, output
on same queue, given same drop preference, and any other option available to the network operator.
When a packet enters the MPLS network at the ingress node, the packet is mapped into an FEC.
FECs also allow for greater scalability in MPLS. The limited flexibility and large numbers of (short lived)
flows in the Internet limit the applicability of both IP Switching and MPOA (Multiprotocol Over ATM).
With MPLS, the aggregation of flows into FECs of variable granularity provides scalability that meets
the demands of the public Internet as well as enterprise applications.
Flow aggregation
[Figure: at the ingress LER, the prefixes 134.5.0.0/16, 200.3.2.0/24 and 56.42.1.0/24 are aggregated into one FEC carried with label 91, and the prefixes 123.2.0.0/16 and 10.8.128.0/20 into another FEC carried with label 52; the labels are swapped at each LSR along the LSP.]
Aggregation can also be done:
•By protocol
•By application (destination port)
•By traffic priority
•By source address
•…
FEC : Forward Equivalence Class
FEC = “A subset of packets that are all treated the same way by a router”
The concept of FECs provides for a great deal of flexibility and scalability
In conventional routing, a packet is assigned to a FEC at each hop (i.e. L3 look-up), in MPLS it is only
done once at the network ingress
The mapping can also be done on a wide variety of parameters, address prefix (or host),
source/destination address pair, or ingress interface. This greater flexibility adds functionality to
MPLS that is not available in traditional IP routing.
The FEC for a packet can be determined by one or more of a number of parameters, as specified by the
network manager. Among the possible parameters:
Source or destination IP addresses or IP network addresses
Source or destination port numbers
IP protocol ID
Differentiated services codepoint
IPv6 flow label
…
MPLS Forwarding — Example
[Figure: MPLS forwarding example.
Ingress LER, Routing Table (Destination / LSP): 134.5.0.0/16 → LSP3; 200.3.2.0/24 → LSP5. MPLS Table (Dest / Proc / Out): LSP3 Push (2, 84); LSP5 Push (3, 99).
Transit LSR, MPLS Table (In / Proc / Out): (2, 84) Swap (6, 31).
Egress LSR, MPLS Table (In / Proc / Out): (1, 3) Pop --; (2, 3) Pop --. Routing Table (Destination / Next Hop): 134.5.0.0/16 → 134.5.6.1; 200.3.2.0/24 → 200.3.1.1.
A packet for 134.5.1.5 leaves the ingress on LSP3 and a packet for 200.3.2.7 on LSP5; each arrives unlabelled at its destination after the egress pop.]
Labels are imposed on packets only once, at the periphery of the MPLS network, at the Ingress E-LSR
(Edge Label Switch Router), where the datagram is processed in order to assign it a specific label.
What is important here is that this computation is carried out only one time: the first time a datagram
of a flow arrives at the Ingress E-LSR.
This label is removed at the other end by the Egress E-LSR.
Thus the mechanism is as follows:
The Ingress LSR (E-LSR) receives the IP packet, carries out a classification of the packet, assigns a label and
transmits the labeled packet.
The transit LSRs use the label in the packet to switch it until the packet reaches the Egress LSR.
The Egress LSR removes the label and routes the packet to its final destination.
Penultimate Hop Popping
The label at the top of the stack is removed (popped) by the upstream neighbor of the egress LSR
The egress LSR does not have to do a label lookup and remove the label itself
• One lookup is saved in the egress LSR
The egress LSR needs to do an IP lookup to find the more specific route
The egress LSR need NOT receive a labelled packet
Hierarchical LSP tunnels : Label stacking
[Figure: LSPb and LSPc are carried through a tunnel LSP. At the tunnel head the MPLS Table pushes an outer label (LSPb Push 13); inside the tunnel the outer label is swapped at each LSR (42 Swap 18, 18 Swap 31); at the tunnel end the outer label is popped (11 Pop), revealing the inner label of each LSP.]
One of the most powerful features of MPLS is label stacking. A labelled packet may carry many labels,
organized as a last-in-first-out stack. Processing is always based on the top label. At any LSR, a label
may be added to the stack (push operation) or removed from the stack (pop operation). Label stacking
allows the aggregation of LSPs into a single LSP for a portion of the route through a network, creating a
tunnel. At the beginning of the tunnel, an LSR assigns the same label to packets from a number of
LSPs by pushing the label onto the stack of each packet. At the end of the tunnel, another LSR pops
the top element from the label stack, revealing the inner label. This is similar to ATM, which has one
level of stacking (virtual channels inside virtual paths), but MPLS supports unlimited stacking.
Label stacking provides considerable flexibility. An enterprise could establish MPLS-enabled networks at
various sites and establish numerous LSPs at each site. The enterprise could then use label stacking to
aggregate multiple flows of its own traffic before handing it to an access provider. The access provider
could aggregate traffic from multiple enterprises before handing it to a larger service provider. Service
providers could aggregate many LSPs into a relatively small number of tunnels between points of
presence. Fewer tunnels means smaller tables, making it easier for a provider to scale the network
core.
MPLS shim label
[Figure: the 32-bit shim label: a 20-bit Label value, 3 bits for Experimental use, 1 bit S (bottom of stack) and an 8-bit TTL (Time To Live).]
(explained in the following diagrams)
Exp : 3 bits reserved for experimental use; for example, these bits could communicate DS
(Differentiated Services) information or PHB (Per-Hop Behaviour) guidance
S : set to one for the oldest entry in the stack, and zero for all other entries
Time To Live (TTL): 8 bits used to encode a hop count, or time to live, value
Label value : locally significant 20-bit label
Labels 0 through 15 are reserved labels, as specified in draft-ietf-mpls-label-encaps-07.txt.
A value of 0 represents the "IPv4 Explicit NULL Label". This label value is only legal when it is the sole
label stack entry. It indicates that the label stack must be popped, and the forwarding of the packet
must then be based on the IPv4 header.
A value of 1 represents the "Router Alert Label". This label value is legal anywhere in the label stack
except at the bottom. When a received packet contains this label value at the top of the label
stack, it is delivered to a local software module for processing. The actual forwarding of the packet
is determined by the label beneath it in the stack. However, if the packet is forwarded further, the
Router Alert Label should be pushed back onto the label stack before forwarding. The use of this
label is analogous to the use of the "Router Alert Option" in IP packets. Since this label cannot occur
at the bottom of the stack, it is not associated with a particular network layer protocol.
A value of 2 represents the "IPv6 Explicit NULL Label". This label value is only legal when it is the sole
label stack entry. It indicates that the label stack must be popped, and the forwarding of the packet
must then be based on the IPv6 header.
A value of 3 represents the "Implicit NULL Label". This is a label that an LSR may assign and
distribute, but which never actually appears in the encapsulation. When an LSR would otherwise
replace the label at the top of the stack with a new label, but the new label is "Implicit NULL", the
LSR will pop the stack instead of doing the replacement. Although this value may never appear in
the encapsulation, it needs to be specified in the Label Distribution Protocol, so a value is reserved.
Values 4-15 are reserved for future use.
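As an added worked example (not part of the course material) covering the shim label layout, label stacking and the reserved label rules above, the code below packs and unpacks label stack entries, pushes and pops tunnel labels, and reports violations of the reserved-label rules; the label and payload values are constructed for the illustration.

```python
# Added example (not from the course material): encode and decode the 32-bit
# MPLS shim label (20-bit Label, 3-bit Exp, 1-bit S, 8-bit TTL) and handle a
# label stack as the label-stacking slide describes: entries are a LIFO,
# S = 1 marks the innermost (oldest) entry, a push at a tunnel head adds an
# outer entry with S = 0 and a pop at the tunnel end reveals the inner label.
# validate_stack() applies the reserved-label rules (values 0-15) listed above.
import struct
from typing import List, Tuple

Entry = Tuple[int, int, int]          # (label, exp, ttl)

RESERVED = {0: "IPv4 Explicit NULL", 1: "Router Alert",
            2: "IPv6 Explicit NULL", 3: "Implicit NULL"}


def encode_entry(label: int, exp: int, s: int, ttl: int) -> bytes:
    """Pack one label stack entry into its 4-byte network-order form."""
    if not 0 <= label < 1 << 20:
        raise ValueError("label must fit in 20 bits")
    if not 0 <= exp < 8 or s not in (0, 1) or not 0 <= ttl < 256:
        raise ValueError("exp is 3 bits, S is 1 bit, TTL is 8 bits")
    return struct.pack("!I", (label << 12) | (exp << 9) | (s << 8) | ttl)


def decode_entry(raw: bytes) -> Tuple[int, int, int, int]:
    """Unpack 4 bytes into (label, exp, s, ttl)."""
    (word,) = struct.unpack("!I", raw[:4])
    return word >> 12, (word >> 9) & 0x7, (word >> 8) & 0x1, word & 0xFF


def encode_stack(entries: List[Entry]) -> bytes:
    """Serialize a stack given top first; only the last entry gets S = 1."""
    if not entries:
        raise ValueError("a label stack needs at least one entry")
    last = len(entries) - 1
    return b"".join(encode_entry(label, exp, int(i == last), ttl)
                    for i, (label, exp, ttl) in enumerate(entries))


def decode_stack(raw: bytes) -> Tuple[List[Entry], int]:
    """Parse entries until the S bit is set; returns (entries, payload offset).
    A packet whose stack never reaches S = 1 is malformed and is rejected
    rather than parsed on into the payload."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(raw):
            raise ValueError("truncated label stack: no bottom-of-stack entry")
        label, exp, s, ttl = decode_entry(raw[offset:offset + 4])
        entries.append((label, exp, ttl))
        offset += 4
        if s:
            return entries, offset


def validate_stack(entries: List[Entry]) -> List[str]:
    """Check the reserved-label rules; returns the list of violations found."""
    problems = []
    bottom = len(entries) - 1
    for i, (label, _exp, _ttl) in enumerate(entries):
        if label in (0, 2) and len(entries) != 1:
            problems.append(f"{RESERVED[label]} label must be the sole stack entry")
        elif label == 1 and i == bottom:
            problems.append("Router Alert label must not be at the bottom of the stack")
        elif label == 3:
            problems.append("Implicit NULL label never appears in the encapsulation")
        elif 4 <= label <= 15:
            problems.append(f"label {label} is reserved for future use")
    return problems


def push(packet: bytes, label: int, exp: int, ttl: int) -> bytes:
    """Tunnel head: add an outer entry (S = 0) in front of the existing stack."""
    return encode_entry(label, exp, 0, ttl) + packet


def pop(packet: bytes) -> Tuple[Entry, bytes, bool]:
    """Tunnel end: remove the top entry; the flag says whether the stack is
    now empty (S was set), i.e. the remainder is the network-layer packet."""
    label, exp, s, ttl = decode_entry(packet)
    return (label, exp, ttl), packet[4:], bool(s)
```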
Bottom of stack
[Figure: LSPa packets enter carrying Label:25 with S=1 (MPLS Table: LSPa Push 2,25). The next LSR pushes label 42 on both LSPa and LSPb packets (In 1,25 Push 3,42; In 2,13 Push 3,42), giving the stacks Label:42 S=0 over Label:25 S=1 and Label:42 S=0 over Label:13 S=1. A further push adds Label:88 S=0 on top. Only the innermost entry carries S=1.]
Time to Live (TTL)
[Figure: the shim label (Label, EXP, S, TTL). An IP packet with TTL = 10 enters the ingress LER; inside the MPLS network the TTL carried in the label (Label = 25, 39, 21 on successive hops) is decremented at each LSR; the egress LER pops the label and the IP packet continues with the decremented TTL (TTL = 6 in the figure).]
• A key field in the IP packet header is the TTL field (IPv4), or Hop Limit (IPv6). In an ordinary IP-based
internet, this field is decremented at each router and the packet is dropped if the count falls to zero. This is
done to avoid looping or having the packet remain too long in the internet because of faulty routing.
Because an LSR does not examine the IP header, the TTL field is included in the label so that the TTL
function is still supported. The rules for processing the TTL field in the label are as follows:
• When an IP packet arrives at an ingress edge LSR of an MPLS domain, a single label stack entry is added
to the packet. The TTL value of this label stack entry is set to the value of the IP TTL value. If the IP TTL
field needs to be decremented, as part of the IP processing, it is assumed that this has already been done.
• When an MPLS packet arrives at an internal LSR of an MPLS domain, the TTL value in the top label stack
entry is decremented. Then:
• If this value is zero, the MPLS packet is not forwarded. Depending on the label value in the label stack
entry, the packet may be simply discarded, or it may be passed to the appropriate "ordinary" network
layer for error processing (for example, for the generation of an Internet Control Message Protocol
[ICMP] error message).
• If this value is positive, it is placed in the TTL field of the top label stack entry for the outgoing MPLS
packet, and the packet is forwarded. The outgoing TTL value is a function solely of the incoming TTL
value, and is independent of whether any labels are pushed or popped before forwarding. There is no
significance to the value of the TTL field in any label stack entry that is not at the top of the stack.
• When an MPLS packet arrives at an egress edge LSR of an MPLS domain, the TTL value in the single
label stack entry is decremented and the label is popped, resulting in an empty label stack. Then:
• If this value is zero, the IP packet is not forwarded. Depending on the label value in the label stack entry,
the packet may be simply discarded, or it may be passed to the appropriate "ordinary" network layer for
error processing.
• If this value is positive, it is placed in the TTL field of the IP header, and the IP packet is forwarded using
ordinary IP routing. Note that the IP header checksum must be modified prior to forwarding.
Section 8 Page 17
8. Multiprotocol Label Switching
Transparent TTL
[Figure: transparent TTL. The IP packet 80.1.2.3→209.8.7.6 enters ingress LER1 (10.1.1.1) with IP TTL 3 and leaves egress LER5 (10.5.5.5) with IP TTL 1. Inside the MPLS network (private addressing: LSR2 10.2.2.2, LSR3 10.3.3.3, LSR4 10.4.4.4, LSR6) the IP TTL stays at 2 while the label TTL goes 255 (label 25), 254 (label 46), 253 (label 63) hop by hop.]
In transparent mode, the ingress LER sets the label TTL to 255, a value high enough to allow the
packet to cross the MPLS network under normal conditions (no loop). The IP TTL field is decremented
by 1 by the ingress LER. When the MPLS label is removed by the egress LER, the IP TTL is not updated
with the TTL value carried in the MPLS label; the egress LER decrements the IP TTL by 1, just as a
normal router would. The whole MPLS domain therefore counts as two hops for the customer packet, so
the internal LSRs never answer a traceroute probe from outside and the core topology stays hidden.
EXPerimental : direct mapping
[Figure: direct mapping at the LER. The IP header's ToS byte carries either a DiffServ Code Point (3-bit class plus 2-bit drop precedence) or a 3-bit Precedence field plus 5 bits; the shim header pushed by the LER holds Label, EXP, S and TTL, and the 3-bit class or Precedence is copied directly into the 3-bit EXP field.]
The EXP field of the MPLS shim header is used by each LSR to determine the PHB (per-hop behaviour:
queue and drop treatment) to be applied to the packet.
The EXP bits are set by creating an ingress policy on the ingress LSR. This ingress policy sets the EXP bits
according to values carried by the frames and packets traversing the LSP. For example, if a VLAN
trunk port is tunneled through the LSP, the EXP bits can be set by directly copying the three 802.1p
priority bits of the 802.1Q header. Once packets/frames have reached the egress LSR, an egress policy
on the egress LSR can map the EXP bits back into the bit values of the packets or frames.
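The ingress and egress policies above, worked at bit level, as an added example that is not part of the original guide. The 802.1Q-tagged frame is constructed inline, the label value, policy names and function names are assumptions, and the egress side only re-marks the 802.1p bits (re-marking the DSCP would also require recomputing the IP header checksum, which is left out).

```python
"""Ingress EXP marking from an 802.1p or DSCP value and egress re-marking, at bit level.
Added example; the frame, labels and policy names are assumptions, not the guide's."""
import struct
from typing import Dict, Optional

ETH_8021Q = 0x8100
ETH_IPV4 = 0x0800


def build_frame(pcp: int, vid: int, dscp: int) -> bytes:
    """Constructed sample: 802.1Q-tagged Ethernet frame carrying a minimal IPv4 header."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    ip = bytearray(20)
    ip[0] = 0x45                       # version 4, IHL 5
    ip[1] = dscp << 2                  # ToS byte: DSCP in the top 6 bits, ECN in the low 2
    macs = bytes.fromhex("001122334455") + bytes.fromhex("00aabbccddee")
    return macs + struct.pack("!HHH", ETH_8021Q, tci, ETH_IPV4) + bytes(ip)


def parse_frame(frame: bytes) -> Dict[str, Optional[int]]:
    """Pull out the 802.1p priority (PCP), VLAN id and IP DSCP when present."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    info: Dict[str, Optional[int]] = {"pcp": None, "vid": None, "dscp": None}
    l3 = 14
    if ethertype == ETH_8021Q:
        tci = struct.unpack_from("!H", frame, 14)[0]
        info["pcp"], info["vid"] = tci >> 13, tci & 0x0FFF
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        l3 = 18
    if ethertype == ETH_IPV4:
        info["dscp"] = frame[l3 + 1] >> 2
    return info


def ingress_exp(frame: bytes, policy: str) -> int:
    """Ingress policy: choose the 3-bit EXP value from the frame. 'dot1p' copies the 802.1p bits;
    'dscp-class' copies the class selector (the former IP Precedence, top 3 bits of the DSCP)."""
    info = parse_frame(frame)
    if policy == "dot1p" and info["pcp"] is not None:
        return info["pcp"]
    if policy == "dscp-class" and info["dscp"] is not None:
        return info["dscp"] >> 3
    return 0                                     # nothing usable: default (best-effort) PHB


def push_label(frame: bytes, label: int, exp: int, ttl: int, bottom: bool = True) -> bytes:
    """Prepend one shim header: 20-bit label, 3-bit EXP, 1-bit S, 8-bit TTL."""
    shim = ((label & 0xFFFFF) << 12) | ((exp & 0x7) << 9) | (int(bottom) << 8) | (ttl & 0xFF)
    return struct.pack("!I", shim) + frame


def parse_shim(packet: bytes) -> Dict[str, int]:
    shim = struct.unpack_from("!I", packet, 0)[0]
    return {"label": shim >> 12, "exp": (shim >> 9) & 0x7, "s": (shim >> 8) & 1, "ttl": shim & 0xFF}


def egress_rewrite(packet: bytes) -> bytes:
    """Egress policy: pop the label and write its EXP back into the 802.1p bits of the tag,
    keeping the VLAN id and DEI untouched."""
    hdr = parse_shim(packet)
    frame = bytearray(packet[4:])
    if struct.unpack_from("!H", frame, 12)[0] == ETH_8021Q:
        tci = struct.unpack_from("!H", frame, 14)[0]
        struct.pack_into("!H", frame, 14, (hdr["exp"] << 13) | (tci & 0x1FFF))
    return bytes(frame)


if __name__ == "__main__":
    f = build_frame(pcp=5, vid=100, dscp=46)
    p = push_label(f, label=1025, exp=ingress_exp(f, "dot1p"), ttl=64)
    print(parse_shim(p), parse_frame(egress_rewrite(p)))
```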
Notion of Upstream and Downstream LSRs
[Figure: an LSP from ingress LER A through LSR B to egress LER C, which is attached to 171.68.10/24. Relative to B, A is the upstream LSR and C is the downstream LSR.]
MPLS networks allocate labels in the downstream-to-upstream direction: the binding for a FEC is chosen
by the downstream LSR and advertised toward the upstream routers, that is, toward the source of the
packet flow.
The term "downstream" refers to the direction of the packet flow. Control messages (the label bindings)
usually flow "upstream".
Label distribution method
Downstream on demand: the upstream LSR sends a request for a binding for FEC net_x; the downstream
LSR answers with the binding "FEC net_x → label y".
Downstream unsolicited: allows an LSR to distribute label bindings ("FEC net_x → label y") to LSRs that
have not explicitly requested them.
Both can be used in the same network at the same time; however, each LSR must be aware of the distribution
method used by its peer.
Label distribution control
Independent control: each router builds its switching table from its routing table and informs its
neighbors as soon as it recognizes a FEC, without waiting for the binding from its next hop (figure:
the ingress LER, the LSRs and the egress LER bind labels in any order, 1, 2, 3 from the ingress side).
Ordered control: an LSR advertises a binding for a FEC only once it holds the binding from its next hop
for that FEC, or is the egress for it, so label assignment proceeds in order from the egress LER back
toward the ingress LER (figure: 1 at the egress LER, then 2, then 3).
Both methods are supported in the standard and can be fully interoperable.
“Downstream unsolicited” and “Ordered control”
[Figure: downstream unsolicited distribution with ordered control for FEC 171.68.10.0/24, attached to LSR1. Step 1: LSR1 advertises "FEC 171.68.10.0/24, use label #33" to LSR2. Step 2: LSR2, now holding a binding from its next hop, advertises "use label #99" to its upstream neighbors LSR3 and LSR5 (2, 2', 2''). Step 3: LSR3 advertises "use label #216" to LSR4. Step 4: LSR5 advertises "use label #612" to LSR6 and LSR7 (4, 4'). Resulting swap entries: LSR3 #216→#99, LSR5 #612→#99, LSR2 #99→#33.]
LSR1 generates a label for the FEC and communicates the binding to LSR2
….
“Downstream On-Demand” and “Ordered control”
[Figure: downstream on demand with ordered control for FEC 171.68.10.0/24 on the same topology. Label requests travel 1: LSR4→LSR3, 2: LSR3→LSR2, 3: LSR2→LSR1; label mappings return 4: LSR1→LSR2 "use label #33", 5: LSR2→LSR3 "use label #99", 6: LSR3→LSR4 "use label #216". LSR6 later requests through LSR5, which requests LSR2 and receives #99 as well.]
1. LSR4 recognizes LSR3 as its next hop for the FEC and sends LSR3 a request for a binding between
the FEC and a label.
2. LSR3 recognizes LSR2 as its next hop for the FEC and sends LSR2 a request for a binding between
the FEC and a label.
3. LSR2 recognizes LSR1 as its next hop for the FEC and sends LSR1 a request for a binding between
the FEC and a label.
4. LSR1 is the egress LSR for that particular FEC, so LSR1 replies to LSR2 with a label. LSR2 updates its
switching table.
5. Because LSR2 now holds a binding from its downstream next hop LSR1, it replies to the upstream LSR3
with a label of its own. LSR3 updates its switching table.
6. Because LSR3 now holds a binding from its downstream next hop LSR2, it replies to the upstream LSR4
with a label of its own. LSR4 updates its switching table.
7. LSR6 recognizes LSR5 as its next hop for the FEC and sends LSR5 a request for a binding between
the FEC and a label.
8. LSR5 recognizes LSR2 as its next hop for the FEC and sends LSR2 a request for a binding between
the FEC and a label.
9. LSR2 already recognizes the FEC and holds a binding from its next hop, so it creates a binding and
replies to LSR5 immediately, without a new request toward LSR1.
….
Label retention modes
An LSR may receive label bindings for the same FEC from multiple LSRs. In the figure, FEC 171.68.10/24
sits behind LSR1, and LSR5 receives "FEC 171.68.10/24, use label #33" from LSR1 as well as other
bindings for the same FEC (#45, #63, #576) from LSR2, LSR3 and LSR4, only one of which is its IGP next hop.
With liberal retention the LSR keeps every binding it receives, which costs label space but lets it switch
to an already-known label immediately when the next hop changes; with conservative retention it keeps
only the binding from its current next hop and releases the others (Label Release), so a routing change
means obtaining a new binding first.
The label retention method therefore trades off label capacity against the speed of adaptation to routing changes.
Label Distribution Protocols
LDP protocol: automatic; based on the existing IP routing tables.
MP-BGP protocol: label distribution for the VPN services described later in this section.
Traffic engineering: the path that the LSPs must follow and the quality of service they must ensure are
supplied explicitly. These solutions are based on two protocols; the one covered here, the ReSerVation
Protocol – Traffic Engineering (RSVP-TE), is a modification of RSVP, which is already present in the
equipment of many manufacturers.
LDP is the hop-by-hop distribution protocol defined by the MPLS working group of the IETF. It is totally
independent of the pre-existing protocols. The operating mode of LDP is based on the model of the IP
routing protocols: LDP uses the routing table generated by these protocols to build the MPLS switching
tables. The principle of LDP is simple: each LSR assigns a label, for each equivalence class recognized in
its routing table, to each of its neighbor LSRs. The neighbor then uses this label for all the packets of
that equivalence class that it sends to the LSR.
LDP: Functions
[Figure: an LDP session between two LSRs. LDP functions: neighbor management (discovery of peers and maintenance of the session with them) and the exchange of label bindings.]
The Label Distribution Protocol (LDP) is entirely automatic. On the basis of the information contained in
the IP routing tables, it builds the LSPs for each of the equivalence classes recognized in the routing
tables. With this approach, paths are built hop by hop with an operating principle similar to that of the
IP routing protocols.
It uses the routing table to build the MPLS switching tables. It automatically establishes a path (LSP) for
each equivalence class. It offers different modes of distribution and of retention of labels, thanks to
which it can adapt to different uses.
For LDP to work, all the internal LSRs of a domain must know the same FECs. For that reason, the entries
of the IP routing tables may only be aggregated at the border of an MPLS domain: the border LSRs are the
only ones that can aggregate prefixes. If prefixes were aggregated inside the domain, downstream LSRs
would no longer be able to de-aggregate packets that, although intended for different networks, would
carry the same label.
LDP: Association Exchange
[Figure: LDP association exchange between an upstream LSR and a downstream LSR. The downstream LSR sends Label Mapping "FEC NetID y → #L22" and Label Mapping "FEC NetID x → #L63"; the upstream LSR later sends Label Release "FEC NetID x → #L63"; the downstream LSR sends Label Withdraw "FEC NetID y → #L22".]
Once an LDP session is established, several types of message are used to exchange label/FEC
associations:
Label Request (F): sent by the upstream LSR to ask which label must be used for the packets belonging
to FEC F.
Label Mapping (F, L): the downstream LSR uses this message to give the upstream LSR the label L to be
used for the packets of FEC F. This message can be spontaneous (downstream unsolicited) or sent on
receipt of a Label Request (downstream on demand).
Label Withdraw (F, {L, *}): the downstream LSR informs the upstream LSR that the association label L /
FEC F is no longer valid and that this label must not be used anymore. When the label is omitted (*), all
the associations for FEC F are invalidated. The downstream LSR uses this message, for example, after a
routing change or when it can no longer route FEC F.
Label Release (F, L): the upstream LSR informs the downstream LSR that it no longer needs the F/L
association, so the downstream LSR may free the label. The upstream LSR sends this message, for
example, because the routing has just changed or because it received an unsolicited binding it does not
need (conservative retention).
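The downstream-on-demand, ordered-control walkthrough of the earlier page and the four message types just listed, run together as an added simulation that is not part of the original guide. The topology and next hops are taken from the slides; the starting label value of each LSR, the per-platform label space (one incoming label per FEC, reused for every upstream peer) and conservative retention are assumptions. After the LSPs are up, the egress loses its route and the Label Withdraw / Label Release exchange tears the bindings down hop by hop.

```python
"""Downstream-on-demand label distribution with ordered control, then a Label Withdraw
propagating back upstream, on the topology of the slides. Added example; the starting
label values per LSR and the per-platform label space are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

FEC = "171.68.10.0/24"
# IGP next hop toward the FEC (from the slides); LSR1 is the egress, directly attached.
NEXT_HOP: Dict[str, Optional[str]] = {"LSR1": None, "LSR2": "LSR1", "LSR3": "LSR2", "LSR4": "LSR3",
                                      "LSR5": "LSR2", "LSR6": "LSR5", "LSR7": "LSR5"}
FIRST_LABEL = {"LSR1": 33, "LSR2": 99, "LSR3": 216, "LSR5": 612, "LSR4": 700, "LSR6": 800, "LSR7": 900}

Message = Tuple[str, str, str, str, Optional[int]]    # (from, to, kind, fec, label)


@dataclass
class LSR:
    name: str
    next_label: int
    in_label: Dict[str, int] = field(default_factory=dict)       # FEC -> label we advertised (one per FEC)
    upstream: Dict[str, Set[str]] = field(default_factory=dict)  # FEC -> peers that hold our binding
    pending: Dict[str, Set[str]] = field(default_factory=dict)   # FEC -> peers waiting for our binding
    lfib: Dict[str, Tuple[Optional[int], Optional[str]]] = field(default_factory=dict)  # FEC -> (out label, next hop)


class LdpDomain:
    def __init__(self) -> None:
        self.lsrs = {name: LSR(name, FIRST_LABEL[name]) for name in NEXT_HOP}
        self.log: List[Message] = []

    def send(self, src: str, dst: str, kind: str, fec: str, label: Optional[int] = None) -> None:
        self.log.append((src, dst, kind, fec, label))
        getattr(self, "on_" + kind)(self.lsrs[dst], src, fec, label)

    def connect_fec(self, name: str, fec: str) -> None:
        """The egress LSR: packets for the FEC leave MPLS here (pop, no next hop)."""
        self.lsrs[name].lfib[fec] = (None, None)

    def request_lsp(self, name: str, fec: str) -> None:
        """An ingress LSR asks its next hop for a binding (downstream on demand)."""
        self.send(name, NEXT_HOP[name], "request", fec)

    def advertise(self, node: LSR, peer: str, fec: str) -> None:
        if fec not in node.in_label:
            node.in_label[fec] = node.next_label
            node.next_label += 1
        node.upstream.setdefault(fec, set()).add(peer)
        self.send(node.name, peer, "mapping", fec, node.in_label[fec])

    def on_request(self, node: LSR, peer: str, fec: str, _label: Optional[int]) -> None:
        if fec in node.lfib:                     # egress, or binding from the next hop already held
            self.advertise(node, peer, fec)
            return
        waiting = node.pending.setdefault(fec, set())
        first = not waiting
        waiting.add(peer)
        if first:                                # ordered control: obtain the downstream binding first
            self.send(node.name, NEXT_HOP[node.name], "request", fec)

    def on_mapping(self, node: LSR, peer: str, fec: str, label: Optional[int]) -> None:
        if peer != NEXT_HOP[node.name]:          # conservative retention: unneeded binding is released
            self.send(node.name, peer, "release", fec, label)
            return
        node.lfib[fec] = (label, peer)
        for up in node.pending.pop(fec, set()):  # now we may answer the upstream requests
            self.advertise(node, up, fec)

    def on_withdraw(self, node: LSR, peer: str, fec: str, label: Optional[int]) -> None:
        if node.lfib.get(fec) != (label, peer):
            return
        del node.lfib[fec]
        self.send(node.name, peer, "release", fec, label)
        self.withdraw_from_upstream(node, fec)

    def on_release(self, node: LSR, peer: str, fec: str, _label: Optional[int]) -> None:
        node.upstream.get(fec, set()).discard(peer)

    def withdraw_from_upstream(self, node: LSR, fec: str) -> None:
        mine = node.in_label.pop(fec, None)
        for up in node.upstream.pop(fec, set()):
            self.send(node.name, up, "withdraw", fec, mine)

    def route_lost(self, name: str, fec: str) -> None:
        """The egress loses its route to the FEC: the binding is withdrawn all the way up."""
        node = self.lsrs[name]
        node.lfib.pop(fec, None)
        self.withdraw_from_upstream(node, fec)


if __name__ == "__main__":
    d = LdpDomain()
    d.connect_fec("LSR1", FEC)
    d.request_lsp("LSR4", FEC)
    d.request_lsp("LSR6", FEC)
    d.route_lost("LSR1", FEC)
    for m in d.log:
        print(m)
```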
LDP: Label Distribution Protocol
[Figure: LDP label mapping for FEC 138.120 across LSR A → LSR B → LSR C (192.168 sits behind A, 138.120 behind C). C, the egress, sends Label Mapping (LSP-id: x, label 33) to B; B sends Label Mapping (LSP-id: x, label 25) to A. Resulting switching tables:]
LSR   In if   In label   FEC       Out if   Out label
A     -       -          138.120   3        25
B     1       25         138.120   3        33
C     1       33         138.120   -        -  (pop)
LDP defines a set of procedures and messages by which one LSR (Label Switched Router) informs another
of the label bindings it has made. The LSR uses this protocol to establish label switched paths through a
network by mapping network layer routing information directly to data-link layer switched paths.
Two LSRs which use LDP to exchange label mapping information are known as LDP peers, and they have an
LDP session between them. In a single session each peer is able to learn about the other's label
mappings; in other words, the protocol is bidirectional.
LDP is often used to establish MPLS LSPs when traffic engineering is not required. It establishes LSPs
that follow the existing IP routing, and is particularly well suited to establishing a full mesh of LSPs
between all of the routers on the network.
In unsolicited mode, the egress routers advertise label mappings for each external link to all of their
neighbors. These advertisements are fanned out across every link in the network until they reach the
ingress routers. At each hop they inform the upstream router of the label mapping to use for each
external link, and by flooding the network they establish LSPs between all of the external links.
The main advantage of LDP over RSVP is the ease of setting up a full mesh of tunnels using unsolicited
mode, so it is most often used in this mode to set up the underlying mesh of tunnels needed by
MPLS-enabled VPNs.
2. MPLS Traffic Engineering
Drawbacks of IP routing
Rerouting traffic by raising metrics along the current path does force the traffic onto another route,
but every other flow sharing those links moves with it.
Since interior gateway protocol (IGP) route calculation was topology driven and based on a simple
additive metric such as the hop count or an administrative value, the traffic patterns on the network
were not taken into account when the IGP calculated its forwarding table. As a result, traffic was not
evenly distributed across the network's links, causing inefficient use of expensive resources. Some links
became congested, while other links remained underutilized. This might have been satisfactory in a
sparsely-connected network, but in a richly-connected network (that is, bigger, more thickly meshed
and more redundant) it is necessary to control the paths that traffic takes in order to balance loads.
As Internet service provider (ISP) networks became more richly connected, it became more difficult to
ensure that a metric adjustment in one part of the network did not cause problems in another part of
the network. Traffic engineering based on metric manipulation offers a trial-and-error approach rather
than a scientific solution to an increasingly complex problem.
IGP metric manipulation has a “snap” effect when it comes to redirecting traffic… (not an “even”
distribution)
Goal
Traffic engineering:
• Quick re-routing
MPLS-TE
[Figure: an MPLS-TE network between an ingress LSR and an egress LSR whose links have very different capacities: 45 Mb/s, 100 Mb/s, 155 Mb/s, 500 Mb/s, 622 Mb/s, 1 Gb/s and 2.5 Gb/s.]
Metric-based traffic controls continued to be an adequate traffic engineering solution until 1994 or 1995.
At this point, some ISPs reached a size at which they did not feel comfortable moving forward with
either metric-based traffic controls or router-based cores.
Traditional software-based routers had the potential to become traffic bottlenecks under heavy load
because their aggregate bandwidth and packet-processing capabilities were limited.
It became increasingly difficult to ensure that a metric adjustment in one part of a huge network did not
create a new problem in another part. And router-based cores did not offer the high-speed interfaces
or deterministic performance that ISPs required as they planned to grow their core networks.
Constrained SPF
CSPF calculation inputs, flooded by OSPF-TE or IS-IS: available bandwidth, priority, attributes (link colours), administrative weight.
Topology of the example (C = TE cost): a–b C=1, 200 Mb/s; b–c C=2, 100 Mb/s; a–c C=1, 10 Mb/s; a–d C=1, 1 Gb/s; d–e C=2, 500 Mb/s; e–c C=1, 1 Gb/s. Requested tunnel a→c: 200 Mb/s.
Path      Cost   Available BW
a-c       1      10 Mb/s
a-b-c     3      100 Mb/s
a-d-e-c   4      500 Mb/s
Only a-d-e-c satisfies the 200 Mb/s constraint, so CSPF selects it even though it is the most expensive path.
The ingress LSR determines the physical path for each LSP by applying a Constrained Shortest Path First
(CSPF) algorithm to the information in the TE-database . CSPF is a shortest-path-first algorithm that
has been modified to take into account specific restrictions when calculating the shortest path across
the network. Input into the CSPF algorithm includes:
Topology link-state information learned from the IGP and maintained in the TE-database
Attributes associated with the state of network resources (such as total link bandwidth, reserved link
bandwidth, available link bandwidth, and link color) that are carried by IGP extensions and stored in
the TE-database
Administrative attributes required to support traffic traversing the proposed LSP (such as bandwidth
requirements, maximum hop count, and administrative policy requirements) that are obtained from
user configuration
The output of the CSPF calculation is an explicit route consisting of a sequence of LSR addresses that
provides the shortest path through the network that meets the constraints. This explicit route is then
passed to the signaling component, which establishes forwarding state in the LSRs along the LSP. The
CSPF algorithm is repeated for each LSP that the ingress LSR is required to generate.
The network continuously keeps track of these constraints and floods them through IGP extensions. For a
new LSP to be launched in the network, the operator configures the LSP constraints at the ingress LSR;
the network then actively participates in selecting an LSP path that meets the constraints and represents
it as an explicit route.
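The CSPF computation described above, as an added example that is not part of the original guide. The TE database is the one on the slide (costs and available bandwidth); the link colours, the `reserve` step that books an LSP's bandwidth so later computations see less, and all function names are assumptions. Links that fail the bandwidth or affinity constraint are pruned first, then an ordinary SPF runs on the TE metric.

```python
"""Constrained SPF over the slide's TE database, with bandwidth and link-colour constraints.
Added example; link colours, the reservation step and function names are assumptions."""
import heapq
from typing import Dict, FrozenSet, List, Optional, Tuple

# TE database built from the figure: (node, node, TE cost, available Mb/s, link colours).
# The colours are invented here to show the 'attributes' constraint.
TE_LINKS = [
    ("a", "b", 1, 200, {"core"}), ("b", "c", 2, 100, {"core"}),
    ("a", "c", 1, 10, {"lowspeed"}),
    ("a", "d", 1, 1000, {"core"}), ("d", "e", 2, 500, {"satellite"}), ("e", "c", 1, 1000, {"core"}),
]

Ted = Dict[str, Dict[str, dict]]


def build_ted(links=TE_LINKS) -> Ted:
    ted: Ted = {}
    for a, b, cost, bw, colours in links:
        for x, y in ((a, b), (b, a)):        # bidirectional links, bandwidth tracked per direction
            ted.setdefault(x, {})[y] = {"cost": cost, "bw": bw, "colours": frozenset(colours)}
    return ted


def cspf(ted: Ted, src: str, dst: str, bw: int, exclude: FrozenSet[str] = frozenset(),
         max_hops: Optional[int] = None) -> Optional[Tuple[List[str], int]]:
    """Prune every link that cannot satisfy the constraints, then run SPF on the TE metric.
    Returns the explicit route and its cost, or None if no path meets the constraints."""
    best: Dict[str, int] = {src: 0}
    prev: Dict[str, str] = {}
    heap: List[Tuple[int, int, str]] = [(0, 0, src)]      # (cost, hops, node); hops break ties
    while heap:
        cost, hops, node = heapq.heappop(heap)
        if node == dst:
            route = [dst]
            while route[-1] != src:
                route.append(prev[route[-1]])
            return route[::-1], cost
        if cost > best[node]:
            continue
        for nxt, link in ted[node].items():
            if link["bw"] < bw or link["colours"] & exclude:
                continue                                     # fails bandwidth or affinity constraint
            if max_hops is not None and hops + 1 > max_hops:
                continue
            new_cost = cost + link["cost"]
            if new_cost < best.get(nxt, float("inf")):
                best[nxt], prev[nxt] = new_cost, node
                heapq.heappush(heap, (new_cost, hops + 1, nxt))
    return None


def reserve(ted: Ted, route: List[str], bw: int) -> None:
    """Book the LSP's bandwidth on each link of the route, so later computations see less."""
    for a, b in zip(route, route[1:]):
        ted[a][b]["bw"] -= bw


if __name__ == "__main__":
    ted = build_ted()
    for request in (200, 200, 200):              # the third 200 Mb/s tunnel no longer fits anywhere
        result = cspf(ted, "a", "c", request)
        print(request, "Mb/s ->", result)
        if result:
            reserve(ted, result[0], request)
```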
MPLS-TE components
A TE LSP is described by its destination, its bandwidth (maximum, reservable, unreserved per priority), its affinities, its preemption priorities and an optimized metric; its protection is handled by Fast Reroute.
All Rights Reserved © Alcatel-Lucent 2009 (IP Technology: IP for Mobile Networks)
Destination The source of the TE LSP is the head-end router where the TE LSP is configured, whereas its
destination must be explicitly configured.
Bandwidth One of the attributes of a TE LSP is obviously the bandwidth required for the TE LSP. The
traffic flow pattern between two points is rarely a constant and is usually a function of the time of
day, not to mention the traffic growth triggered by the introduction of new services in the network or
just an accrued use of existing services. Hence, it is the responsibility of the network administrator to
determine the bandwidth requirement between two points and how often it should be reevaluated.
You can adopt a very conservative approach by considering the traffic peak, X percent of the peak or
averaged bandwidth values. After you determine the bandwidth requirement, you can apply an
over/underbooking ratio, depending on the overall objectives. Another approach consists of relying on
the routers to compute the required bandwidth based on the observed traffic sent to a particular TE
LSP.
Affinities: a bit field (link colours) that the set of links a TE LSP traverses must match; the LSP can be
required to include, or to avoid, links carrying given colours.
Preemption: the notion of preemption refers to the ability to define eight levels of priority (0 to 7). In
the case of resource contention, this allows a higher-priority TE LSP to preempt (and, consequently, tear
down) lower-priority TE LSP(s) if both cannot be accommodated because of a lack of bandwidth on a link.
Protection by Fast Reroute MPLS Traffic Engineering provides an efficient local protection scheme
called Fast Reroute to quickly reroute TE LSPs to a presignaled backup tunnel within tens of
milliseconds
Optimized Metric The notion of shortest path is always related to a particular metric. Typically, in an IP
network, each link has a metric, and the shortest path is the path such that the sum of the link metrics
along the path is minimal. MPLS TE also uses metrics to pick the shortest path for a tunnel that
satisfies the constraints specified. MPLS TE has introduced its own metric. When MPLS TE is configured
on a link, the router can flood two metrics for a particular link: the IGP and TE metrics (which may or
may not be the same).
Explicit Paths
Explicit path for the tunnel a→g (nodes a, b, c, d, e, f, g):
Hop         Strict/loose
10.1.1.1    Strict
10.2.2.2    Loose
10.3.3.3    Strict
A strict hop is a mandatory path element that must be directly adjacent to the previous hop; a loose hop may be reached through any intermediate nodes (loose path).
[Figure: the tunnel from a reaches g via 10.1.1.1, 10.2.2.2 and 10.3.3.3.]
RSVP-TE : LSP and path
[Figure: an RSVP-TE tunnel (LSP) from A to G with two candidate paths, Path 1 and Path 2, through D and E.]
RSVP-TE : Principle
Generic RSVP (Resource reSerVation Protocol) uses a message exchange to reserve resources across a
network for IP flows. The Extensions to RSVP for LSP Tunnels (RSVP-TE) enhance generic RSVP so that it
can also distribute MPLS labels.
RSVP-TE is a separate protocol at the IP level. It uses raw IP datagrams (or UDP at the margins of the
network) to communicate between LSR peers. It does not require the maintenance of TCP sessions, but as
a consequence it must handle the loss of control messages itself.
The basic flow for setting up an LSP using RSVP-TE for LSP Tunnels is:
1. The traffic parameters required for the session, or administrative policies for the network, lead LSR
A to determine that the route for the new LSP should go through LSR B, which might not be the same as
the hop-by-hop route to LSR C. LSR A builds a Path message with an explicit route of (B, C) and details
of the traffic parameters requested for the new route.
2. LSR A forwards the Path message to LSR B as an IP datagram.
3. LSR B receives the Path request, determines that it is not the egress for this LSP, and forwards the
request along the route specified in the request. It removes its own hop from the explicit route in the
Path message and passes the message to LSR C.
4. LSR C determines that it is the egress for this new LSP, determines from the requested traffic
parameters what bandwidth it needs to reserve and allocates the resources required. It selects a label
for the new LSP.
5. LSR C distributes the label to LSR B in a Resv message, which also contains the actual details of the
reservation required for the LSP.
6. LSR B receives the Resv message and matches it to the original request using the LSP ID contained in
both the Path and Resv messages.
7. LSR B determines what resources to reserve from the details in the Resv message, allocates a label for
the LSP and sets up its forwarding table entry (its own incoming label, the outgoing label received in
step 5, next hop LSR C).
8. LSR B passes the new label to LSR A in a Resv message.
9. The processing at LSR A is similar, but it does not have to allocate a new label and forward it to an
upstream LSR because it is the ingress LSR for the new LSP.
Path and Resv messages are refreshed periodically unless suppressed.
Path Protection – Secondary/Standby LSP
[Figure: a primary LSP, a failure on one of its links, and the backup tunnel (secondary/standby LSP) the head-end signals around it.]
The default mode of network recovery for MPLS Traffic Engineering is a global restoration mechanism:
Global: the node in charge of rerouting a TE LSP affected by a network element failure is the head-end
router.
Restoration: when the head-end router is notified of the failure, a new path is dynamically computed,
and the TE LSP is signaled along the new alternate path (assuming one can be found).
An LSP is initially set up. The link fails. After a period of time (the fault detection time), the upstream
router detects the failure. This period essentially depends on the failure type and on the Layer 1 or
Layer 2 protocol. If you assume a Packet over SONET (PoS) interface, the failure detection time is
usually on the order of a few milliseconds. In the absence of a hold-off timer, the router upstream of
the failure immediately sends the failure notification (RSVP-TE Path Error message) to the head-end
router.
Accurately quantifying the time required to perform the set of operations just described is particularly
difficult because of the many variables involved. These include the network topology (and hence the
number of nodes the failure notification and the new LSP signaling messages have to go through, and
their propagation times through fiber), the number of TE LSPs affected by the failure, the CPU power of
the routers, and so on. We can provide an order of magnitude. On a large and loaded network, the CSPF
time and the RSVP-TE processing time per node are usually a few milliseconds. Then the propagation
delay must be taken into account, in the failure notification time as well as in the signaling time. So,
on a continental network, MPLS TE head-end rerouting would be on the order of hundreds of milliseconds.
MPLS TE head-end reroute is undoubtedly the simplest MPLS TE recovery mechanism because it does not
require any specific configuration and minimizes the amount of backup state required in the network.
The downside is that its rerouting time is not as fast and predictable as that of the other MPLS TE
recovery techniques discussed next: the fault first has to be signaled to the head-end router, followed by
a path computation and the signaling of a new TE LSP along another path, if any (with the risk that no
backup path, or none with equivalent constraints, can be found).
7750 SR: up to seven secondary or standby LSPs can be specified for each primary LSP. All the
secondary paths are considered equal and the first available path is used.
Fast Reroute
[Figure: protected LSP R1 > R2 > R3 > R4 > R5; nodes R6, R7, R8 and R9 form the backup plane.]
Detour or bypass LSPs, one per point of local repair:
R1's backup: R1 > R6 > R7 > R8 > R3
R2's backup: R2 > R7 > R8 > R4
R3's backup: R3 > R8 > R9 > R5
R4's backup: R4 > R9 > R5
There are two methods of local protection. In the one-to-one backup method, a PLR (Point of Local Repair)
computes a separate backup LSP, called a detour LSP, for each LSP that the PLR protects. In the facility
backup method, the PLR creates a single bypass tunnel that can be used to protect multiple LSPs.
The facility backup fast reroute method uses a facility backup tunnel, or bypass, to bypass a failed link
or a failed node. This method takes advantage of MPLS's label stacking capability: all LSPs protected
using this method share a single, common bypass tunnel. Their original labels are left intact (the PLR
swaps in the label that the merge point expects) and another label is pushed on top to direct the packet
through the bypass tunnel. At the egress end of the tunnel, the traffic is merged back into the original
path by popping the outer label and examining the inner label to find out where the packet should go.
One-to-one backup: a local repair method in which a backup LSP is separately created for each protected
LSP at a Point of Local Repair.
Each upstream node sets up a detour LSP that avoids only the immediate downstream node, and merges
back onto the actual path of the LSP as soon as possible. If it is not possible to set up a detour LSP
that avoids the immediate downstream node, a detour can be set up to the downstream node on a
different interface.
The detour LSP may take one or more hops before merging back onto the main LSP path.
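The facility-backup label stacking described above, as an added simulation that is not part of the original guide. It uses the slide's protected LSP R1 > R2 > R3 > R4 > R5 and R2's bypass R2 > R7 > R8 > R4 (merge point R4); the label values, and the fact that only R2's bypass is installed, are assumptions. When the R2–R3 link is down, R2 swaps in the label R4 expects, pushes the bypass label, and R4 pops it and continues on the inner label.

```python
"""Facility-backup fast reroute on the slide's topology: the PLR swaps in the merge point's
label, pushes the bypass label, and the merge point pops it and continues on the inner label.
Added example; the label values and the single installed bypass are assumptions."""
from typing import Dict, List, Optional, Set, Tuple

Entry = Tuple[str, Optional[int], Optional[str]]     # (operation, outgoing label, next hop)


class Lsr:
    def __init__(self, name: str) -> None:
        self.name = name
        self.lfib: Dict[int, Entry] = {}                   # incoming label (0 = unlabelled IP) -> entry
        self.backup: Dict[int, Tuple[int, int, str]] = {}  # incoming label -> (MP's label, bypass label, bypass hop)


ALL_LINKS: Set[frozenset] = {frozenset(p) for p in
    [("R1", "R2"), ("R2", "R3"), ("R3", "R4"), ("R4", "R5"), ("R2", "R7"), ("R7", "R8"), ("R8", "R4")]}


def build_network() -> Dict[str, Lsr]:
    net = {n: Lsr(n) for n in ("R1", "R2", "R3", "R4", "R5", "R7", "R8")}
    # Protected LSP R1 > R2 > R3 > R4 > R5 (label values assumed).
    net["R1"].lfib[0] = ("push", 101, "R2")
    net["R2"].lfib[101] = ("swap", 102, "R3")
    net["R3"].lfib[102] = ("swap", 103, "R4")
    net["R4"].lfib[103] = ("swap", 104, "R5")
    net["R5"].lfib[104] = ("pop", None, None)
    # R2's node-protecting bypass R2 > R7 > R8 > R4, pre-signalled; R4 is the merge point.
    net["R7"].lfib[501] = ("swap", 502, "R8")
    net["R8"].lfib[502] = ("swap", 503, "R4")
    net["R4"].lfib[503] = ("pop", None, None)
    # At the PLR: for protected label 101, use R4's label 103 underneath bypass label 501.
    net["R2"].backup[101] = (103, 501, "R7")
    return net


def forward(net: Dict[str, Lsr], ingress: str, links_up: Set[frozenset]) -> List[Tuple[str, Tuple[int, ...]]]:
    """Carry one packet from the ingress; record (node, label stack) at every lookup."""
    node, stack, trace = ingress, [], []
    while True:
        lsr = net[node]
        key = stack[-1] if stack else 0
        trace.append((node, tuple(stack)))
        op, out, nhop = lsr.lfib[key]
        if op == "pop":
            stack.pop()
            if not stack:
                trace.append(("delivered", ()))           # egress: the IP packet leaves the tunnel
                return trace
            continue                                      # inner label now on top: look it up here
        link_down = frozenset((node, nhop)) not in links_up
        if link_down and key in lsr.backup:
            mp_label, bypass_label, nhop = lsr.backup[key]
            if op == "swap":
                stack[-1] = mp_label                      # what the merge point expects
            stack.append(bypass_label)                    # outer label steers through the bypass
        elif link_down:
            trace.append(("dropped at " + node, tuple(stack)))
            return trace
        elif op == "push":
            stack.append(out)
        else:
            stack[-1] = out
        node = nhop


def hops(trace: List[Tuple[str, Tuple[int, ...]]]) -> List[str]:
    """Nodes visited, collapsing the merge point's second lookup into one entry."""
    seen: List[str] = []
    for name, _ in trace:
        if not seen or seen[-1] != name:
            seen.append(name)
    return seen


if __name__ == "__main__":
    net = build_network()
    print(forward(net, "R1", ALL_LINKS))
    print(forward(net, "R1", ALL_LINKS - {frozenset(("R2", "R3"))}))
```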
3. MPLS VPN Services
Layer 2 VPN services
[Figure: Layer 2 VPN services. LANs A, B, C and D attach to PE routers; VPLS (Virtual Private LAN Service) is the point-to-multipoint service among them.]
Layer-3 VPNs worked well for a number of customers; however, there was a significant percentage of the
marketplace using legacy systems and networks for whom a Layer-2 VPN solution would be better suited.
Businesses in the marketplace found that Layer-3 VPNs met only part of the end users’ requirements.
Back in the early days of MPLS implementation, early adopters of the technology discovered that there
was a market demand for Layer-2 VPNs as well.
For MPLS carriers wishing to capture the FR and ATM market place, VPWS offers rapid service conversion.
Customers will be able to maintain their FR or ATM connection with the same equipment. The difference
is that traffic will now be carried encapsulated in an MPLS header and run over an MPLS network.
In VPWS, the service providers provide a pseudo-wire across the network. This overlay model provides
circuit emulation from customer to customer. It provides services similar to ATM and FR; however,
significant cost savings can be realized using MPLS
As these needs were identified, different architectures were suggested for MPLS Layer-2 VPNs, including
PWE3 (Pseudo Wire Emulation Edge to Edge), equivalent to a VLL (Virtual Leased Line). One of the
important features of this solution is that the configuration and management required in the provider
network is much simpler than for leased lines or the MPLS and Martini solutions mentioned above, which
makes it cheaper for the provider to supply such a service.
In addition, this type of VPWS is more flexible than using leased lines.
3.1 Virtual Private Wire Service (VPWS)
Point to Point VPN (Pseudowire) Principle
[Figure: point-to-point VPN (pseudowire). Blue site 1 and site 2 and green site 1 and site 2 attach to PE1 and PE3; each customer's pseudo-wire is carried inside an LSP across the P routers. Signaling protocols for pseudo-wire setup and control: LDP (RFC 4447) or MP-BGP (RFC 4761).]
Encapsulation – Ethernet
RFC 4448: Encapsulation Methods for Transport of Ethernet over MPLS Networks.
[Figure: the encapsulation of an Ethernet frame in the pseudowire; the frame's FCS is not carried across the pseudowire (it is removed by the ingress PE and regenerated by the egress PE).]
QoS considerations: the ingress PE may consider the user priority (PRI) field [802.1Q] of the VLAN tag
header when determining the value to be placed in a QoS field of the encapsulating protocol (for example,
the EXP field of the MPLS label stack). In a similar way, the egress PE may consider the QoS field of the
MPLS protocol (for example, the EXP field of the MPLS label stack) when queuing the frame for
transmission toward the CE.
Signaling – LDP (TLDP)
[Figure: targeted LDP signaling between PE1 and PE2 for one Ethernet pseudowire. On each PE a manual configuration is required: the attachment interface (if 1, eth), PWID 66 and the remote PE (PE2 on PE1, PE1 on PE2). Each PE then sends an LDP LABEL_MAPPING message carrying:]
PW type: Ethernet
FEC: Virtual Circuit, PWID 66, MTU 1500, Control Word present / not present
Label: 18 from one PE, 23 from the other (each PE's VPN label for this pseudowire)
RFC 4447: Pseudowire set up and maintenance using LDP
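The exchange in the figure at byte level, as an added example that is not part of the original guide: the PWid FEC element of RFC 4447 (FEC type 0x80, C bit and PW type, PW info length, Group ID, PW ID, interface parameter sub-TLVs) is encoded and decoded, and a PE checks its peer's Label Mapping against its own manual configuration before declaring the pseudowire up. The two configurations and labels are constructed; the control-word fallback branch follows my reading of the RFC 4447 negotiation procedure and is an assumption.

```python
"""PWid FEC element encoding and the parameter check a PE applies to its peer's Label Mapping
before bringing the pseudowire up. Added example; the configurations and labels are
constructed, and the control-word fallback is my reading of RFC 4447 section 6.2."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional

PW_TYPE_ETHERNET = 0x0005          # RFC 4446 "Ethernet" (raw mode)
PWID_FEC_TYPE = 0x80               # RFC 4447 PWid FEC element
IFP_MTU = 0x01                     # interface parameter sub-TLV: MTU


@dataclass
class PwConfig:
    pwid: int
    mtu: int
    control_word: bool
    pw_type: int = PW_TYPE_ETHERNET
    group: int = 0


def encode_pwid_fec(cfg: PwConfig) -> bytes:
    """FEC type | C bit + PW type | PW info length | Group ID | PW ID | interface parameters."""
    params = struct.pack("!BBH", IFP_MTU, 4, cfg.mtu)        # sub-TLV length includes its 2-byte header
    c_and_type = (int(cfg.control_word) << 15) | (cfg.pw_type & 0x7FFF)
    info_len = 4 + len(params)                               # PW ID field plus the parameters
    return struct.pack("!BHBII", PWID_FEC_TYPE, c_and_type, info_len, cfg.group, cfg.pwid) + params


def decode_pwid_fec(data: bytes) -> PwConfig:
    fec_type, c_and_type, info_len, group, pwid = struct.unpack_from("!BHBII", data, 0)
    if fec_type != PWID_FEC_TYPE:
        raise ValueError("not a PWid FEC element")
    params = data[12:12 + info_len - 4]
    mtu: Optional[int] = None
    off = 0
    while off + 2 <= len(params):
        sub_type, sub_len = params[off], params[off + 1]
        if sub_len < 2:
            raise ValueError("bad interface parameter length")
        if sub_type == IFP_MTU:
            mtu = struct.unpack_from("!H", params, off + 2)[0]
        off += sub_len
    if mtu is None:
        raise ValueError("MTU parameter missing")
    return PwConfig(pwid=pwid, mtu=mtu, control_word=bool(c_and_type >> 15),
                    pw_type=c_and_type & 0x7FFF, group=group)


def bring_up(local: PwConfig, local_label: int, peer_fec: bytes, peer_label: int) -> Dict[str, object]:
    """Decide the pseudowire state from our configuration and the peer's Label Mapping."""
    remote = decode_pwid_fec(peer_fec)
    for name in ("pwid", "pw_type", "mtu"):              # these must match or the PW stays down
        if getattr(remote, name) != getattr(local, name):
            return {"state": "down", "reason": f"{name} mismatch", "action": "Label Release"}
    if remote.control_word != local.control_word:
        if local.control_word:      # we prefer a control word, the peer cannot: fall back to none
            return {"state": "renegotiate", "reason": "control word",
                    "action": "Label Withdraw, re-advertise with C=0"}
        return {"state": "wait", "reason": "control word",
                "action": "wait for the peer to re-advertise with C=0"}
    return {"state": "up", "tx_label": peer_label, "rx_label": local_label,
            "control_word": local.control_word}


if __name__ == "__main__":
    pe1 = PwConfig(pwid=66, mtu=1500, control_word=False)     # PE1's manual configuration
    pe2 = PwConfig(pwid=66, mtu=1500, control_word=False)     # PE2's manual configuration
    print(encode_pwid_fec(pe2).hex())
    print(bring_up(pe1, 18, encode_pwid_fec(pe2), 23))
```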
Signaling – LDP/MP-BGP
[Figure: signaling with LDP or MP-BGP for a Frame Relay service moved onto MPLS. In the FR network, CE1 has VC100 to CE2 (VC200 at that end) and VC101 to CE3 (VC300); CE3 has VC301 to CE2 (VC201). Over the MPLS network each CE attaches to a PE (RED-CE1, RED-CE2, RED-CE3) and each VC pair becomes a pseudowire with one label per direction: CE1↔CE2 uses L21 (CE1→CE2, mapped to VC200) and L12 (CE2→CE1, mapped to VC100); CE1↔CE3 uses L31 and L13 (VC300/VC101); CE3↔CE2 uses L23 and L32 (VC201/VC301). Each PE keeps the local label mapping for its own VCs. RFC 4761: Using BGP for Auto-Discovery and Signaling.]
Another solution is described in draft-kompella-ppvpn-l2vpn. This draft gives a mechanism for creating a
VPWS using MP-BGP as both an auto-discovery protocol and a signaling protocol.
In this solution, each PE device uses Multi-Protocol BGP (MP-BGP) to advertise the CE devices and VPNs
connected to it, together with the MPLS labels used to route data to them. When this information is
received by the other PE devices, they learn how to set up the VPWS.
Data exchange
[Figure: data exchange on the same topology. A frame from CE2 on VC200 is encapsulated by its PE with the pseudowire label L12 (inner) and the LSP label (outer, swapped hop by hop across the MPLS network: 31, 54, 35 in the figure); the PE of CE1 (RED-CE1) pops L12 and delivers the frame on VC100 according to its local label mapping "VC100 ← L12 (CE1 ← CE2)". The reverse direction uses L21, mapped to VC200 at RED-CE2.]
Lasserre-V.Kompella vs. K.Kompella
                                          Lasserre-V. Kompella                   K. Kompella
Signaling or "auto-configuration"         LDP                                    MP-BGP
(tunnel establishment and routing
information exchanges)
Auto-discovery (learning which other      no: to do manually or using            MP-BGP (spends
PE routers participate in the VPLS)       proprietary solutions; complex         bandwidth)
Signaling, also called "auto-configuration": the mechanism by which tunnels are established and routing
information is exchanged.
Auto-discovery: the process by which one PE router learns which other PE routers are participating in the
VPLS.
The main difference between the two drafts is that Vach Kompella advocates using LDP for VPLS signaling,
while Kireeti Kompella proposes that MP-BGP can do the signaling and also discover the other VPLS nodes.
Currently, Juniper is the only company supporting Kireeti's draft (Draft Kompella). Most vendors planning
to offer VPLS are behind Vach's solution, co-authored with Marc Lasserre.
The two drafts have very similar names and both relate to how routers assign labels, but there are subtle
differences.
Alcatel supports the approach to label distribution specified in the draft named "Lasserre-V. Kompella".
This specification uses LDP for assigning the label of a pseudo-wire LSP. This is convenient because
routers in an MPLS network already support LDP signaling for their LSPs. LDP has been designed to
establish signaling relationships with directly connected neighbors as well as indirectly connected
neighbors (targeted sessions) and is easily extensible.
The Lasserre-V. Kompella draft does not define an auto-discovery method, so there is a need either to
extend LDP, to do it manually, or to develop proprietary solutions.
The alternative approach is supported by Juniper. It is named "K. Kompella". It uses MP-BGP for signaling
the assigned labels. Again, the routers in an MPLS network already use BGP, and use MP-BGP for the MPLS
L3 VPN service, so this is convenient. However, since BGP propagates every advertisement to all of its
peers, it may not be bandwidth efficient.
K. Kompella pros:
• Similar to L3VPNs (uses MP-BGP, like L3VPNs)
• Easier to add PEs to a VPN
• No need to run LDP
• Uses auto-discovery
K. Kompella cons:
• Not as widely supported as Lasserre-V. Kompella
• BGP is essentially a broadcast mechanism (wasted bandwidth, security)
3.2 Virtual Private LAN Services (VPLS)
VPLS : Virtual Private Lan Service
Figure: VPLS A, a point-to-multipoint service (MTU: Multi Tenant Unit).
One of the main differences between a VPWS and the VPLS described above is that the VPWS only provides
a point-to-point service, whereas the VPLS provides a point-to-multipoint service. This also means that
the requirements on the CE devices are quite different. In a VPWS, layer 2 switching must be carried out
by the CE routers, which have to choose which Virtual Wire to use to send data to another customer site.
In comparison, the CE routers in a VPLS simply send all traffic destined for other sites to the PE router.
Customers designated VPLS A and VPLS B are part of two independent Virtual Private LANs.
Tunnel LSPs are set up between PEs.
Layer 2 VC LSPs are set up inside the tunnel LSPs.
The CE at the ingress side simply reviews Layer-2 addresses and forwards information to the CE on the
egress side based upon Layer-2 switching or bridging tables.
All customer sites using VPLS appear to be on the same LAN, regardless of their location. From the customer
edge device's point of view, the WAN is not visible.
Customer edge devices appear to each other as connected via a single logical learning bridge with fully
meshed ports.
Defined in draft-lasserre-vkompella-vpls-l2vpn-08.txt
Section 8 Page 51
8. Multiprotocol Label Switching
VPLS : LAN emulation
Figure: VPLS LAN emulation. Sites A, B and C attach to PE1, PE2 and PE3 of the MPLS network (P routers in the core); each PE acts as an IEEE 802.1D bridging switch (MAC learning, LAN emulation), so the VPLS appears to the sites as a single bridge.
Section 8 Page 52
8. Multiprotocol Label Switching
VPLS : Virtual Forwarding Instance
Figure: Virtual Forwarding Instance. Each PE (PE1, PE2, PE3) holds a Red VFI table and a Blue VFI table. Site 1 attaches to PE1 on Ethernet ports e1 (Red) and e2 (Blue, VLAN tag 8); Site 2 attaches to PE2 on Ethernet ports e3 (Red) and e (Blue, VLAN tag 8); Site 3 attaches to PE3 (Red and Blue, VLAN tag 8). The VFIs are connected across the MPLS network by pseudo-wires carried in LSPs.
VFI : Virtual Forwarding Instance
Provider Edge routers track MAC addresses in VPLS networks by using Virtual Forwarding Instances (VFIs).
VFIs are tables that contain the MAC addresses for a given VPLS service or customer.
VFIs can be assigned to a physical port such as an Ethernet interface, or to a VLAN.
VFIs separate one customer’s MAC addresses and VLANs from another's.
Thus, PEs associate received frames with a particular Pseudo-Wire, using the VFI assigned to the port.
Section 8 Page 53
8. Multiprotocol Label Switching
VPLS : Encapsulations
Figure: VPLS encapsulation. Each PE runs a self-learning bridge and the Spanning Tree Protocol per VFI. Red VFI table at PE1 (Mac, if, VPN label, LSP label): a,b,c on e1 (no labels); d,e,f via pseudo-wire 1 (VPN label 34, LSP label 56); g,h,i via pseudo-wire 3 (VPN label 65, LSP label 42). Red VFI table at PE2: d,e,f on e3; a,b,c via pseudo-wire 0 (VPN label 34, LSP label 12); g,h,i via pseudo-wire 2 (VPN label 23, LSP label 44). Blue VFI table at PE1: l,m,n on E2.8; o,p,q via pseudo-wire 1 (VPN label 12, LSP label 56); r,s,t via pseudo-wire 3 (VPN label 78, LSP label 42). A frame a→d from Site 1 leaves PE1 with a control word (CW), VPN label L34 and LSP label L56, the LSP label is swapped to L25 in the MPLS network, and the frame reaches PE2 with L34 + CW before being bridged to e3.
LSP PE1→PE2 : 56 – 25 – 3
LSP PE2→PE1 : 12 – 27 – 3
These VFIs contain MAC addresses and/or VLAN tags as well as any QoS policies. They also contain the inner
labels used for a given Pseudo-Wire or set of Pseudo-Wires established for the customer.
Here we see the encapsulation of Ethernet over the MPLS network for the VPLS service.
A standard Ethernet frame is received off the LAN on the customer edge switch (this can also be an MTU).
The frame is forwarded to the PE. The PE then looks up the VFI assigned to the port. From the information
stored in the VFI, the PE then adds the VPLS/MPLS headers, which include:
a control word,
a VPN label that represents the Pseudo-Wire,
the network MPLS label that reaches the destination PE.
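The VFI behaviour described above (MAC learning per customer, flooding of unknown destinations, and the label stack pushed towards a remote PE) as an added example; this is not code from the course material. Port names, MAC addresses and label values are constructed, and the split-horizon rule (a frame from one pseudo-wire is never flooded to another, which the full mesh makes unnecessary) is the standard VPLS rule, assumed here.

```python
"""Added example (not the course material's own code): a minimal VPLS
Virtual Forwarding Instance (VFI). The VFI is a per-customer MAC table whose
entries point either at a local port or at a pseudo-wire; unknown
destinations are flooded, and frames towards a pseudo-wire get the label
stack [LSP label, VPN label, control word]. Port names, MAC addresses and
label values are constructed; the split-horizon rule is assumed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PseudoWire:
    remote_pe: str
    vpn_label: int   # inner label: identifies the pseudo-wire at the remote PE
    lsp_label: int   # outer label: the tunnel LSP towards remote_pe


@dataclass
class VFI:
    name: str
    local_ports: list                              # e.g. ["e1", "e3"]
    pws: dict = field(default_factory=dict)        # pw name -> PseudoWire
    mac_table: dict = field(default_factory=dict)  # MAC -> local port or pw name

    def encapsulate(self, egress):
        """Label stack pushed on a frame leaving on `egress` (empty for local ports)."""
        if egress in self.pws:
            pw = self.pws[egress]
            return [pw.lsp_label, pw.vpn_label, "CW"]
        return []

    def forward(self, src_mac, dst_mac, ingress):
        """Learn src_mac on the ingress, then return [(egress, label stack), ...]."""
        if ingress not in self.local_ports and ingress not in self.pws:
            raise ValueError(f"{ingress} is not a member of VFI {self.name}")
        self.mac_table[src_mac] = ingress            # self-learning bridge
        if dst_mac in self.mac_table:
            egresses = [self.mac_table[dst_mac]]
        else:
            # unknown destination: replicate to every other local port ...
            egresses = [p for p in self.local_ports if p != ingress]
            # ... and, only for frames from a local port, to every pseudo-wire
            # (split horizon: pseudo-wire to pseudo-wire is never needed in a full mesh)
            if ingress in self.local_ports:
                egresses += list(self.pws)
        # a bridge never sends a frame back out of the port it arrived on
        return [(e, self.encapsulate(e)) for e in egresses if e != ingress]
```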
Section 8 Page 54
8. Multiprotocol Label Switching
VPLS :Hierarchical VPLS (H-VPLS)
Figure: flat topology (VPLS scalability problem) versus hierarchical VPLS.
VPLS requires a full mesh of pseudo-wires between all PE devices, causing scalability problems.
It is beneficial to select one “hub and spoke” PE and to only set up the mesh of tunnels between this “hub
and spoke” PE and the other PEs.
This architecture has a direct impact on the signaling overhead.
This approach seems to be well established as a good solution to the core LSP scalability issue.
It reduces:
the number of connections,
the replication requirement (in the basic model, when a frame is received whose destination MAC
address is unknown, the PE replicates the frame to all other PE routers in the network mesh, i.e. the
frame has to be flooded).
However, it does not reduce the number of MAC addresses that need to be maintained. The PE still does the
Ethernet bridging.
Section 8 Page 55
8. Multiprotocol Label Switching
VPLS : De-coupled VPLS
Figure: de-coupled VPLS. Many MTUs (MTU: Multi Tenant Unit), each holding hundreds of MAC addresses, attach to the PEs over VLANs.
De-coupled VPLS distributes the VPLS functions between PEs and MTUs.
De-coupled VPLS reduces the number of MAC addresses to maintain and the number of signaling
connections, but does not limit the number of pseudo-wires as hierarchical VPLS does.
All Ethernet MAC functions (MAC switching, learning, aging, flooding, STP, etc.) and pseudo-wire
termination functions are performed in the MTU, while the auto-discovery and LSR (MPLS) functions are
performed in the PEs.
The link between MTU and PE is able to carry multiple virtual circuits implemented using VLAN tags (or
MPLS labels).
The PE acts as an LSR/LER. It does not implement Ethernet bridging functions.
The result of this architecture is that MTUs perform all the replication and MAC functions, and the PEs
establish a Pseudo-Wire mesh for each MTU-to-MTU link necessary for connectivity, using MPLS
provisioning and signaling.
Section 8 Page 56
3.3 Virtual Private Routed Network (VPRN)
Section 8 Page 57
8. Multiprotocol Label Switching
VRF : Virtual Routing and Forwarding
Figure: each PE holds one VRF per attached VPN (VRF Blue, VRF Red, VRF Yellow); the CEs of a VPN connect to different PEs, which are interconnected through the core routers.
In this architecture, each PE maintains a virtual router for each VPN forwarding table. Fully meshed tunnels
are advertised across the core using VR protocols. The core of the MPLS network does not combine data
from several sites. Since the data is kept separate, this design has the added benefit of additional
security, in that a misconfiguration will not impact the security of the data. The downside of this design could
prove to be one of scalability and the need for complex configuration.
Each VPN needs a separate Virtual Routing and Forwarding instance (VRF) in each PE router, which:
provides VPN isolation,
allows overlapping, private IP address space to be used by different organizations.
Section 8 Page 58
8. Multiprotocol Label Switching
PE to CE Router Connectivity
Figure: PE to CE router connectivity. CE1 to CE4 connect to their PEs using OSPF, RIP, eBGP or static routes; the PEs exchange the customer routes across the MPLS network with MP-BGP.
Note:
Customer routes need to be advertised between PE routers
Customer routes are not leaked into backbone IGP
Section 8 Page 59
8. Multiprotocol Label Switching
Overlapping VPN
Figure: overlapping VPNs. Sites of the Red, Blue and Green VPNs (prefixes 10.1/16, 10.2/16, 10.3/16 and 10.5/16, with 10.2/16 used by two different VPNs) attach to PEs that hold a separate VRF (VRF Red, VRF Blue, VRF Green) per VPN.
Section 8 Page 60
8. Multiprotocol Label Switching
CE-PE routing
At a PE, a VRF represents the context that is specific to an attached VPN; a VRF is primarily associated with
(is identified by) the one or more sub-interfaces through which the sites belonging to this VPN are
connected.
In this example:
PE 1 is configured to associate VRF Red with the interface (or subinterface) if_11 over which it learns
routes from CE 1. When CE 1 advertises the route for prefix 10.1/16 to PE 1, PE 1 installs a local route to
10.1/16 in VRF Red.
PE 2 is configured to associate VRF Green with the interface (or subinterface) if_13 over which it learns
routes from CE 2. When CE 2 advertises the route for prefix 10.1/16 to PE 1, PE 1 installs a local route to
10.1/16 in VRF Green.
Then the routes have to be propagated through the MPLS network.
Section 8 Page 61
8. Multiprotocol Label Switching
Route Distinguisher and VPN-IPv4
Figure: CE1 advertises 10.1/16 over If_11 to PE1; Site 3 (Green VPN) CE3 advertises 10.1/16 over If_13. Route Distinguisher formats (various formats):
Type 00 00: Autonomous System Number (ASN) assigned by IANA, followed by an Assigned number sub-field
Type 00 01: IP address (loopback address of the PE router that originates the route), followed by an Assigned number sub-field; used when the MPLS/VPN network uses a private AS number
Type 00 02: Autonomous System Number (ASN) assigned by IANA, followed by an Assigned number sub-field
A VPN-IPv4 address is a 12-byte quantity composed of an 8-byte RD followed by a 4-byte IPv4 address
prefix.
The service provider must ensure that each RD is globally unique. For this reason, the use of the public ASN
space or the public IP address space guarantees that each RD is globally unique.
Notes:
VPN-IPv4 addresses are used only within the service provider network.
VPN customers are not aware of the use of VPN-IPv4 addresses.
VPN-IPv4 addresses are carried only in routing protocols that run across the provider's backbone.
VPN-IPv4 addresses are not carried in the packet headers of VPN data traffic as it crosses the provider's
backbone.
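Encoding the three RD formats from the slide and forming the 12-byte VPN-IPv4 address, as an added example that is not the course's own code. The ASN, PE loopback address and assigned numbers are constructed values.

```python
"""Added example (not from the course): encoding the three Route
Distinguisher formats shown on the slide and building the 12-byte VPN-IPv4
address (8-byte RD + 4-byte IPv4 prefix). The ASN, PE loopback address and
assigned numbers used in the test are constructed values."""
import ipaddress
import struct


def make_rd(rd_type, administrator, assigned):
    """Return the 8-byte RD: 2-byte Type, then Administrator and Assigned number sub-fields."""
    if rd_type == 0:    # Type 0: ASN (2 bytes) + assigned number (4 bytes)
        return struct.pack("!HHI", 0, administrator, assigned)
    if rd_type == 1:    # Type 1: IPv4 address (4 bytes) + assigned number (2 bytes)
        return struct.pack("!HIH", 1, int(ipaddress.IPv4Address(administrator)), assigned)
    if rd_type == 2:    # Type 2: ASN (4 bytes) + assigned number (2 bytes)
        return struct.pack("!HIH", 2, administrator, assigned)
    raise ValueError(f"unknown RD type {rd_type}")


def rd_to_str(rd):
    """Human-readable form 'administrator:assigned' of an 8-byte RD."""
    rd_type = struct.unpack("!H", rd[:2])[0]
    if rd_type == 0:
        asn, assigned = struct.unpack("!HI", rd[2:])
        return f"{asn}:{assigned}"
    if rd_type == 1:
        ip, assigned = struct.unpack("!IH", rd[2:])
        return f"{ipaddress.IPv4Address(ip)}:{assigned}"
    if rd_type == 2:
        asn, assigned = struct.unpack("!IH", rd[2:])
        return f"{asn}:{assigned}"
    raise ValueError(f"unknown RD type {rd_type}")


def vpn_ipv4(rd, prefix):
    """Return (12-byte VPN-IPv4 address, prefix length) for an IPv4 prefix in a VRF."""
    net = ipaddress.IPv4Network(prefix)
    return rd + net.network_address.packed, net.prefixlen


def distinct_routes(vrf_rds, prefix):
    """How many distinct VPN-IPv4 routes the same IPv4 prefix yields across VRFs:
    the RD is what keeps overlapping customer prefixes apart in MP-BGP."""
    return len({vpn_ipv4(rd, prefix)[0] for rd in vrf_rds})
```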
All Rights Reserved © Alcatel-Lucent 2009
Section 8 Page 62
8. Multiprotocol Label Switching
Route Distinguisher
The route distinguisher (RD) must be defined at VRF creation time. A Route Distinguisher makes non-
unique routes unique. It travels in MP-BGP updates.
This parameter is used when the VPN private routes are distributed via the backbone to the other sites. The
RDs enable the overlapping of addresses between VPNs.
Route distinguishers are not automatically set up at the PE router; instead each element requires manual
input based on the topology design of the VPN, and therefore each VPN requires manual set up of VRFs.
The VRF tables have attributes. The network administrator configures these attributes together with the
route distinguisher to control the distribution of VPN routes to the VPN members.
All further customer-related VPN operations are fully automated by the MPLS network, significantly
simplifying operations and reducing operational costs for the service provider.
Section 8 Page 63
8. Multiprotocol Label Switching
VPN labels exchange
Figure: VPN label exchange. Tunnel LSP PE1→PE2: PE1 pushes label 12 on If_1a, the first P router swaps 12 for 19, the penultimate P router pops 19 and delivers to PE2 (If_2a). Tunnel LSP PE2→PE1: PE2 pushes label 21 on If_2a, the P routers swap 21 for 29 and then pop 29 before PE1. VPN labels: VRF Red 2001 (advertised by PE2) and 1001 (advertised by PE1); VRF Blue 2002 (advertised by PE2) and 1002 (advertised by PE1).
Scalability is enhanced because PE routers are not required to maintain a dedicated VRF for all of the VPNs
supported by the provider's network. Each PE router is only required to maintain a VRF for each of its
directly connected sites.
Section 8 Page 64
8. Multiprotocol Label Switching
User data flow
Figure: user data flow. Site 1 (Red VPN, 10.1/16, CE1 on if_11), Site 2 (Blue VPN, 10.5/16, CE2 on if_12) and Site 3 (Green VPN, 10.1/16, CE3 on if_13) send packets through PE1 (if_1a), Px and Py to PE2, towards Site 4 (Red VPN, 10.2/16, CE4 on if_21) and Site 5 (Green VPN, 10.4/16, CE5 on If_22). Host 10.1.2.3 sends to 10.2.4.2 with label stack 12 + 2001 at PE1, 19 + 2001 after Px and 2001 alone after Py; host 10.1.1.1 sends to 10.4.4.4 with 12 + 2002, then 19 + 2002, then 2002.
Output tables shown in the figure (Route, Output if, inner label, outer label):
PE1:
10.1/16 If_13 1003 --
10.2/16 If_1b 3002 13
10.3/16 If_1b 3003 13
10.4/16 If_1a 2002 12
PE2:
10.4/16 If_22 2002 --
10.1/16 If_2a 1003 21
10.2/16 If_2b 3002 23
10.3/16 If_2b 3003 23
10.5/16 If_2a 1002 21
Route distribution on the control plane has enabled the building of the VRFs and thus prepared the transfer
of IP traffic between sites. The above figure illustrates two simultaneous data transfers:
from a host at Site 1 to, for example, some server at Site 4 (with IP address 10.2.4.2) and,
from a host at Site 3 to some other server at Site 5 (with IP address 10.4.1.8).
When the IP packet with destination address 10.2.4.2 is received by PE1 from CE1, since all packets that
arrive on if_1 are associated with VRF Red, the Red VRF is interrogated and the entry corresponding to
10.2/16 route indicates if_1a as output interface, and a label stack:
Outer label (12) : which identifies the remote PE
Inner label (2001) : which identifies the remote CE
The label stack is inserted in front of the IP packet, the data link header is inserted in front of the label
stack and the resulting frame is queued on the output interface. Similarly, when the IP packet with
destination address 10.4.1.8 is received by PE1 from CE3, the Green VRF is interrogated and the entry
corresponding to 10.4/16 route indicates if_1a as output interface, 12+2002 as label stack, as well as
(not shown) a data link header. The label stack is inserted in front of the IP packet, the data link header
is inserted in front of the label stack and the resulting frame is queued on the output interface.
The two frames are sent on the LSP egress path (PE1’s output interface: if_1a); at Px router, the top labels
are swapped (19 replaces 12) and the labelled packets forwarded towards Py, which is the penultimate
hop in the LSP.
As a result, the outer labels are popped and the packets sent towards PE2 with only the inner label in front.
At egress PE2, the relevant VRF sub-interface is retrieved from the VPN label and the original IPv4 packet
is finally forwarded to the CE enabling you to reach the server within the site.
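The data-plane walk-through above (VRF lookup and label push at PE1, swap at Px, penultimate-hop pop at Py, VPN-label lookup at PE2), as an added example that is not the course's own code. The interface names and labels are those of the figure; the VRF contents are reduced to the two routes the text follows, and the P-router tables are assumed from the description.

```python
"""Added example (not the course's own code): the MPLS L3 VPN data plane of
the slide. PE1 looks up the VRF bound to the ingress interface and pushes
[outer label, inner VPN label]; Px swaps the outer label; Py, the
penultimate hop, pops it; PE2 maps the remaining VPN label to the VRF and
CE-facing interface. Interface names and labels follow the figure; tables
are reduced to the entries the text walks through."""
import ipaddress

# PE1: interface -> VRF, and per-VRF routes: prefix -> (output if, outer label, inner label)
PE1_IF_TO_VRF = {"if_11": "Red", "if_12": "Blue", "if_13": "Green"}
PE1_VRF = {
    "Red":   {"10.2.0.0/16": ("if_1a", 12, 2001)},
    "Blue":  {},
    "Green": {"10.4.0.0/16": ("if_1a", 12, 2002)},
}
PX_TABLE = {12: ("swap", 19)}     # Px swaps the top label
PY_TABLE = {19: ("pop", None)}    # Py is the penultimate hop: it pops the outer label
PE2_VPN_LABELS = {2001: ("Red", "if_21"), 2002: ("Green", "if_22")}


def longest_match(table, dst):
    """Longest-prefix match of dst in a {prefix: entry} table (None if no route)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, entry in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return None if best is None else best[1]


def pe_ingress(ingress_if, dst):
    """Ingress PE: only the VRF of the ingress interface is consulted, so a
    prefix that exists in another customer's VRF is invisible here."""
    vrf = PE1_IF_TO_VRF[ingress_if]
    entry = longest_match(PE1_VRF[vrf], dst)
    if entry is None:
        return None                       # no route in this VRF: packet dropped
    out_if, outer, inner = entry
    return out_if, [outer, inner]         # top of stack first


def lsr(table, stack):
    """Core LSR: acts on the top label only, never on the VPN label beneath it."""
    action, new_label = table[stack[0]]
    if action == "swap":
        return [new_label] + stack[1:]
    return stack[1:]                      # pop (penultimate hop popping)


def pe_egress(stack):
    """Egress PE: a single (VPN) label remains and selects VRF and CE interface."""
    if len(stack) != 1:
        raise ValueError("outer label should have been popped before PE2")
    return PE2_VPN_LABELS[stack[0]]


def trace(ingress_if, dst):
    """Return [(hop, egress interface, label stack or VRF), ...] from PE1 to PE2."""
    result = pe_ingress(ingress_if, dst)
    if result is None:
        raise LookupError(f"no route to {dst} in VRF {PE1_IF_TO_VRF[ingress_if]}")
    out_if, stack = result
    hops = [("PE1", out_if, list(stack))]
    stack = lsr(PX_TABLE, stack)
    hops.append(("Px", None, list(stack)))
    stack = lsr(PY_TABLE, stack)
    hops.append(("Py", None, list(stack)))
    vrf, ce_if = pe_egress(stack)
    hops.append(("PE2", ce_if, [vrf]))
    return hops
```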
Section 8 Page 65
End of Section
Section 8 Page 66
9 Section 9
IPSEC VPN Services
IP Technology
IP for Mobile Networks
TTP18031 D0 SG DEN I1.0
Section 9 Page 1
Document History
Section 9 Page 2
1. IPSEC Services
Section 9 Page 3
9 IPSEC VPN Services
Services Offered by IPSEC
Integrity check
Authentication of data
Confidentiality
The IP Security Protocol (IPsec) is a set of mechanisms intended to protect the traffic at the IP level (IPv4 or
IPv6).
A first release of the proposed mechanisms was published in the form of an RFC in 1995, but didn't deal with
key management. A second release, dealing with the IKE key management protocol, was published in
November 1998.
Section 9 Page 4
9 IPSEC VPN Services
Operating modes _ Transport Mode
Figure: transport mode. The IP packet A→B keeps its source and destination addresses visible across the Internet; the IP header is not entirely protected, while the payload is entirely protected between the IPsec endpoints A and B.
In transport mode, only the data coming from the higher-level protocol and carried by the IP datagram is
protected.
This mode can only be used with terminal devices. Indeed, if intermediate devices were used, the risk would
be that, depending on routing, the packet reaches its final destination without going through the
gateway that is supposed to decrypt it.
Section 9 Page 5
9 IPSEC VPN Services
Operating modes _Tunnel Mode (example 1)
Figure: tunnel mode (example 1). The IP packet A→B is carried between the IPsec gateways x and y as an outer packet x→y; the original source and destination addresses are hidden and entirely protected, and only the outer header x→y is not entirely protected. A and B are on intranets behind the IPsec gateways.
In tunnel mode, the IP header is also protected (authentication, integrity and/or confidentiality). All of it is
encapsulated in a new packet. The purpose of the header of this new packet is to transport the initial packet
up to the end of the tunnel, where the packet is de-encapsulated. Therefore, the tunnel mode can be used
by both terminal devices and security gateways.
This mode provides greater protection against traffic analysis because it hides the source and final
destination addresses.
Section 9 Page 6
9 IPSEC VPN Services
Operating modes _ Tunnel Mode for dial-in (example 2)
Figure: tunnel mode for dial-in (example 2). Host A on the Internet runs IPsec itself and tunnels the packet A→B as an outer packet A→y to the IPsec gateway y of B's intranet; the inner packet is entirely protected, the outer header A→y is not.
Section 9 Page 7
9 IPSEC VPN Services
In addition to standard IP processing, IPsec uses two security mechanisms to provide security for IP traffic:
Authentication Header (AH) and Encapsulating Security Payload (ESP).
AH
AH does not offer confidentiality, which means that widespread use of this standard is possible over the
Internet, including in places where exporting, importing and using encryption for confidentiality purposes is
restricted by law. This is one of the reasons why two distinct mechanisms are used.
In AH, integrity and authentication are provided together, using an additional block of data attached to
the message to be protected. This data block is called the Integrity Control Value (ICV), which refers
generically to:
either a Message Authentication Code (MAC),
or a digital signature.
For reasons of performance, the algorithms currently offered are all integrity check algorithms.
Anti-replay protection is provided using a sequence number. It is available only if Internet Key Exchange (IKE)
is used because in manual mode there is no "connection open" that enables the counter to be reset.
ESP
Confidentiality can be selected independently of the other services. However, using confidentiality without
integrity/authentication (directly in ESP or with AH) leaves traffic vulnerable to certain types of active
attack that could weaken the confidentiality service. As in AH, the authentication and integrity services go
hand-in-hand and are often referred to as "authentication". They are based on the use of an ICV (in practice,
a MAC). Anti-replay protection can only be selected if authentication has been selected and IKE is used. It is
provided using a sequence number that is checked by the recipient of the packets.
Unlike AH, where an additional header is simply added to the IP packet, ESP uses an encapsulation function:
the original data is encrypted, then enclosed between an ESP header and an ESP trailer.
Section 9 Page 8
9 IPSEC VPN Services
Authentication Header (AH)
Figure: AH header: Next header, Length, Security Parameters Index (SPI), Sequence number, Authentication data (ICV: Integrity Control Value).
Next header: it identifies the type of payload that follows the AH header.
Length: it indicates the header length in 32-bit words minus 2 (since AH is an extension of the IPv6
header).
Security Parameters Index (SPI): the SPI field is a 32-bit arbitrary value that, combined with the
destination IP address, identifies the unique Security Association (SA) of this datagram.
Sequence number: this field gives the packet number and is incremented by 1 at each transmission. This
makes it possible to prevent replay (protection against replay), since this number is not authorized to "cycle"
for a given SA (a new SA must then be created after 2^32 packets). This field is mandatory for the emitter
but may be ignored by the recipient; in the latter case, the number is authorized to cycle.
Authentication data: it contains the Integrity Control Value (ICV) of the packet.
Section 9 Page 9
9 IPSEC VPN Services
AH: Next Header Field: Example
Next header:
It identifies the type of payload that follows the AH header. The value of this field is chosen from the IANA
registry (see http://www.iana.org/assignments/port-numbers).
AH can be used in transport or tunnel mode.
When used in transport mode, it must carry the value of the protected higher-level protocol, namely
UDP or TCP.
When used in tunnel mode:
the value 4 indicates, in IPv4, an IP-in-IP encapsulation;
the value 41 indicates an IPv6 encapsulation.
Section 9 Page 10
9 IPSEC VPN Services
AH: Authentication Data
Authentication data:
This field contains the Integrity Control Value (ICV) of the packet.
The length of this field must be a multiple of 32 bits. All implementations must respect this length and
therefore add padding data to this field if required.
Some fields may be modified by intermediate routers. Consequently, they must not be taken into account in
the calculation of the authentication data. Thus, the fields excluded from the authentication are:
Type of Service (TOS)
Fragment Offset (always set to 0 since AH only applies to unfragmented packets)
Flags
Time To Live (TTL)
IP header checksum
Options
The default algorithms that are supplied for all implementations of IPsec for AH are HMAC-MD5-96
[RFC2403] or HMAC-SHA1-96 [RFC2404].
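Computing and checking the AH ICV with the mutable fields listed above zeroed, as an added example that is not code from the course. It shows that a router decrementing the TTL (and fixing the checksum) leaves the check intact while any change to the payload breaks it; addresses, SP I, key and payload are constructed.

```python
"""Added example (not from the course): computing and verifying the AH
Integrity Control Value over an IPv4 packet in transport mode. The mutable
header fields (TOS, flags and fragment offset, TTL, header checksum) and the
ICV field itself are zeroed before HMAC-SHA1-96 is computed. Addresses, SPI,
key and payload are constructed."""
import hashlib
import hmac
import struct

AH_PROTOCOL = 51
ICV_LEN = 12           # HMAC-SHA1-96: the first 96 bits of the 160-bit HMAC
AH_LEN = 12 + ICV_LEN  # fixed AH fields (12 bytes) + ICV = 24 bytes


def ip_checksum(header):
    """IPv4 header checksum, computed with the checksum field set to zero."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, tos=0, ttl=64, ident=0x1234, flags_frag=0x4000):
    """20-byte IPv4 header without options, checksum filled in."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident,
                                flags_frag, ttl, proto, 0, src, dst))
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr)


def zero_mutable(ip_hdr):
    """Copy of the IP header with the fields excluded from AH authentication zeroed."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # Type of Service
    h[6:8] = b"\x00\x00"     # Flags + Fragment Offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def compute_icv(key, ip_hdr, ah_fixed, payload):
    """HMAC-SHA1-96 over immutable IP fields + AH with a zeroed ICV + payload."""
    covered = zero_mutable(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key, src, dst, proto, payload, spi, seq, tos=0, ttl=64):
    """Build IP + AH + payload. AH: Next header, Length (32-bit words minus 2),
    reserved, SPI, Sequence number, ICV."""
    ip_hdr = ipv4_header(src, dst, AH_PROTOCOL, 20 + AH_LEN + len(payload), tos, ttl)
    ah_fixed = struct.pack("!BBHII", proto, AH_LEN // 4 - 2, 0, spi, seq)
    icv = compute_icv(key, ip_hdr, ah_fixed, payload)
    return ip_hdr + ah_fixed + icv + payload


def ah_verify(key, packet):
    """Recompute the ICV at the receiver; True if the packet is authentic."""
    ip_hdr, ah, payload = packet[:20], packet[20:20 + AH_LEN], packet[20 + AH_LEN:]
    expected = compute_icv(key, ip_hdr, ah[:12], payload)
    return hmac.compare_digest(expected, ah[12:])


def router_hop(packet):
    """What a transit router does: decrement TTL and recompute the header checksum."""
    h = bytearray(packet[:20])
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + packet[20:]
```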
Section 9 Page 11
9 IPSEC VPN Services
Encapsulation Security Protocol (ESP)
Figure: ESP packet: Security Parameters Index (SPI), Sequence number, Payload data, Padding, Pad length, Next header, Authentication data.
The fields SPI, Sequence number, Next header and Authentication data (optional) are defined as for AH.
The Payload data field contains the encrypted data. Two points should be noted:
If the encryption algorithm (for example, DES) needs cryptographic synchronization (Cipher Block
Chaining (CBC) mode), i.e. an Initialization Vector (IV), then such data may be carried in the Payload data
field.
The Padding field makes it possible to resort to padding for the following reasons:
In the case of block encryption, the algorithm may require a certain size of data to be encrypted. Padding
therefore ensures that the content has the size required by the algorithm.
Padding may also be required to align the ESP packet on a 4-byte boundary.
The main algorithms that can be used with ESP are:
Confidentiality:
triple DES (mandatory) (168-bit key),
DES (56-bit key),
RC5, AES, CAST, IDEA, triple IDEA, Blowfish, RC4,
NULL when there is no need for encryption.
Authentication:
HMAC-MD5 (mandatory),
HMAC-SHA-1 (mandatory),
DES-MAC, HMAC-RIPE-MD, KPDK-MD5,
NULL when authentication is not selected.
Section 9 Page 12
9 IPSEC VPN Services
ESP Format
Figure: ESP format, tunnel mode example between intranet hosts A and B through the IPsec gateways x and y. Outer IP header (Vers, Hd leng, ToS, Datagram length, Identification, F, Datagram offset, TTL, Prot: 50, Checksum, Source IP address: X, Destination IP address: Y, Options); ESP header (Security Parameter Index (SPI), Sequence number); encrypted part: the original IP header (Source IP address: A, Destination IP address: B, Options), Data, then the ESP trailer (Padding, Padding length, Next header: 4); finally the ESP authentication data (ESP auth.), which covers the ESP header, the encrypted part and the trailer.
The emitter:
encapsulates, in the Payload data field of ESP, the data carried by the original datagram (and the IP header
in tunnel mode);
adds padding if necessary;
encrypts the result (Data, Padding, Padding length and Next header fields);
if necessary, adds cryptographic synchronization data (initialization vector) at the beginning of the Payload
data field.
If authentication has been selected, it is always applied after the data has been encrypted. This
makes it possible to check the validity of the received datagram before performing the decryption,
which is an expensive operation. Unlike AH, the authentication in ESP only applies to the ESP packet
(header + payload + trailer) and includes neither the IP header nor the Authentication data field.
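The emitter steps above and the receiver's mirror image (anti-replay check, ICV check before decryption, then unpadding), as an added example that is not the course's own code. ESP-NULL, listed above as a permitted algorithm, stands in for a block cipher so the example runs on the standard library alone; the padding rule is shown with an assumed 8-byte block, and SPI, key and data are constructed.

```python
"""Added example (not the course's own code): ESP packet construction in the
order listed above (encapsulate, pad, encrypt, prepend the IV, then
authenticate) and the receiver's processing. ESP-NULL stands in for the
cipher; the ICV is HMAC-SHA1-96 over ESP header + payload + trailer only
(no IP header, no ICV). SPI, key and data are constructed."""
import hashlib
import hmac
import struct

ICV_LEN = 12
BLOCK = 8      # block size the (here NULL) cipher is assumed to require; also 4-byte aligns


def esp_pad(data, block=BLOCK):
    """Pad so that data + padding + Pad Length + Next Header is a multiple of the block."""
    pad_len = (-(len(data) + 2)) % block
    return data + bytes(range(1, pad_len + 1)), pad_len   # default 1, 2, 3, ... padding


def null_cipher(data):
    """ESP-NULL: confidentiality not selected, the data passes through unchanged."""
    return data


def esp_encapsulate(auth_key, spi, seq, next_header, data, iv=b""):
    padded, pad_len = esp_pad(data)
    trailer = struct.pack("!BB", pad_len, next_header)
    encrypted = null_cipher(padded + trailer)        # Data, Padding, Pad Length, Next Header
    body = struct.pack("!II", spi, seq) + iv + encrypted
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


class EspReceiver:
    """Inbound side of one SA: sliding anti-replay window plus ICV check."""

    def __init__(self, auth_key, window=32):
        self.key, self.window = auth_key, window
        self.highest, self.seen = 0, set()

    def _replay_ok(self, seq):
        if seq == 0 or seq in self.seen:
            return False
        return seq > self.highest - self.window       # inside or ahead of the window

    def _mark(self, seq):
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.window} | {seq}

    def decapsulate(self, packet, iv_len=0):
        if len(packet) < 8 + iv_len + 2 + ICV_LEN:
            raise ValueError("truncated ESP packet")
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack("!II", body[:8])
        if not self._replay_ok(seq):                  # cheap check first
            raise ValueError(f"sequence number {seq} replayed or outside the window")
        expected = hmac.new(self.key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):     # verify before decrypting
            raise ValueError("ICV check failed")
        plain = null_cipher(body[8 + iv_len:])
        pad_len, next_header = struct.unpack("!BB", plain[-2:])
        data = plain[:len(plain) - 2 - pad_len]
        self._mark(seq)                                # window moves only for valid packets
        return spi, seq, next_header, data
```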
Section 9 Page 13
9 IPSEC VPN Services
ESP Position in Transport Mode
In transport mode, only the data coming from the higher-level protocol and carried by the IP datagram is
protected.
Section 9 Page 14
9 IPSEC VPN Services
How to Find the Path Maximum Transmission Unit
Figure: path MTU discovery. Phase 1: the sender emits a 1500-byte packet with the DF (don’t fragment) flag along a path whose links have MTU=1536, MTU=1024 and MTU=512; the router in front of the 1024 link returns ICMP destination unreachable (Path MTU Discovery: 1024). Phase 2: the sender emits a 1024-byte packet with the DF flag; the router in front of the 512 link returns ICMP destination unreachable (Path MTU Discovery: 512).
ICMP message: Type = 3, Code = 4 (need of fragmentation), CRC, MTU of the next hop, Data = IP header + first 64 bits of the packet.
It is essential to know the Path Maximum Transmission Unit (PMTU), mainly when there is a large amount of
data to be transmitted. Indeed, if long packets are sent along the path, some routers will have to perform
fragmentation, which is expensive in terms of resources and processing time. The recipient will also have to
perform complex re-assembly operations.
Generally, data transfer applications (FTP for example) prefer to determine the PMTU and to emit packets
that do not exceed this PMTU, to get faster transfers.
The PMTU is discovered by emitting IP packets with the "don’t fragment" flag:
At first, the emitter transmits a packet of maximum length.
A router that cannot forward a packet of such a length sends back, in an ICMP message, the value of the
next-hop MTU.
The sender can then emit a new packet whose length is equal to the received MTU. This packet is also
emitted with the "don’t fragment" flag.
The previous two steps are repeated until a packet reaches the recipient.
The length of the last packet correctly transmitted is used as a reference for the rest of the traffic.
This way, the sender can find the MTU of a path (PMTU).
Section 9 Page 15
9 IPSEC VPN Services
Information Sent Back in the ICMP Message
Figure: the IP header (Vers, Hd leng, ToS, Datagram length, Identification, DF, Datagram offset, TTL, Protocol, Checksum, Source IP address A, Destination IP address B) followed by the TCP/UDP header (≈20 bytes).
The ICMP message sent back by the router that cannot forward the packet, since fragmentation is not
allowed, is the following:
Type = 3 (Destination Unreachable)
Code = 4 (Fragmentation needed and DF set)
Next-Hop MTU in the 16 low-order bits of the second word of the ICMP header (called "unused" in RFC 792),
with the 16 high-order bits set to zero.
Data: contains the IP header + 64 bits of the packet that caused this ICMP message.
Thanks to these 64 bits, the sender is able to find the application that initiated the transmission (source
and destination port numbers).
Section 9 Page 16
9 IPSEC VPN Services
"Don’t Frag" Flag
Figure: "Don’t Frag" flag with ESP in tunnel mode between the firewalls (FW) of two intranets. Inner packet: IP header (Source IP address A, Destination IP address B, DF), src port, dest. port, application data. Outer packet: IP header (Source IP address: X, Destination IP address: Y, Prot: 50, DF), Security Parameter Index (SPI), Sequence number, the encrypted inner packet, Padding, Padding length, Next header: 4, Authentication data. The DF flag of the inner header must be copied into the outer header.
Section 9 Page 17
9 IPSEC VPN Services
Information Sent Back in the ICMP Message if IPsec
PMTU calculation
The PMTU value that is sent back to the host must take into account that an IPsec header has been
added, whichever it is: AH transport, ESP transport, AH/ESP transport, ESP tunnel, AH tunnel.
Note: in certain situations, the addition of IPsec headers might result in the calculation of an effective
PMTU (as seen by the host or the application) that is too small. To avoid this, the implementation can
set a threshold under which it does not register a reduced PMTU. The implementation then applies
IPsec and fragments the resulting packet according to the PMTU. As a consequence, the use of the
available bandwidth is more effective.
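The discovery loop described a few pages earlier and the IPsec adjustment of the note above, as an added example that is not from the course. The link MTUs are the figure's 1536/1024/512; the ESP tunnel-mode overhead (16-byte block and IV, 12-byte ICV) and the 576-byte threshold are assumed values.

```python
"""Added example (not from the course): a simulation of path MTU discovery
over the figure's links (MTU 1536, 1024, 512), and the PMTU reported to the
host once ESP tunnel mode adds its own headers, including the threshold
below which a reduced PMTU is not registered. Overhead sizes (AES-CBC style
16-byte block and IV, 12-byte ICV) and the threshold are constructed."""

# ESP tunnel mode overhead: outer IPv4 header 20, ESP header 8, IV, ICV,
# plus padding of (inner packet + 2-byte trailer) up to the cipher block size
OUTER_IP, ESP_HDR, IV_LEN, ICV_LEN, BLOCK = 20, 8, 16, 12, 16


def try_send_df(path_mtus, size):
    """Return None if a `size`-byte DF packet crosses every link, else the
    next-hop MTU the blocking router reports in ICMP type 3 / code 4."""
    for mtu in path_mtus:
        if size > mtu:
            return mtu
    return None


def discover_pmtu(path_mtus, start=1500):
    """Repeat the probe until a packet gets through; return (pmtu, packets sent)."""
    size, sent = start, 0
    while True:
        sent += 1
        next_hop_mtu = try_send_df(path_mtus, size)
        if next_hop_mtu is None:
            return size, sent
        size = next_hop_mtu          # next probe uses the MTU the router reported


def esp_tunnel_size(inner_len):
    """On-the-wire size of an inner packet of inner_len bytes after ESP tunnel mode."""
    padded = -(-(inner_len + 2) // BLOCK) * BLOCK    # round up to the block size
    return OUTER_IP + ESP_HDR + IV_LEN + padded + ICV_LEN


def effective_pmtu(path_pmtu):
    """Largest inner packet whose ESP-tunnelled form still fits the path PMTU."""
    room = path_pmtu - OUTER_IP - ESP_HDR - IV_LEN - ICV_LEN
    return (room // BLOCK) * BLOCK - 2


def pmtu_for_host(path_pmtu, threshold=576):
    """Apply the threshold policy of the note: return (PMTU registered for
    the host, whether the gateway will fragment after applying IPsec)."""
    inner = effective_pmtu(path_pmtu)
    if inner < threshold:
        return threshold, True       # do not register the small value; fragment the IPsec packet
    return inner, False
```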
Section 9 Page 18
9 IPSEC VPN Services
Reminder: NAT Function
The Network Address Translation (NAT) and Port Address Translation (PAT) functions allow several users to
access the Internet simultaneously.
Section 9 Page 19
9 IPSEC VPN Services
Several NAT Devices May Be Crossed
Figure: several NAT devices may be crossed. Host @A (TCP source port 1234) on the intranet sends to server @B port 21; the intranet NAT translates @A:1234 into @1:4567, then the ISP NAT translates @1:4567 into @X:8901; @B replies to @X:8901 and each NAT translates the reply back (TCP 21 → 8901, then 21 → 4567, then 21 → 1234). NAT tables (Prot, Private IP@, Port, Public IP@, Port): ISP NAT: TCP @1 4567 @X 8901; intranet NAT: TCP @A 1234 @1 4567.
Section 9 Page 20
9 IPSEC VPN Services
IPsec Problem Inherent to NAT
Figure: IPsec problem inherent to NAT. The ESP packet (IP @1→@Y, Protocol ID: 50) carrying A→B leaves the intranet firewall (FW) and reaches the ISP NAT, whose table entry (Prot: esp, Private IP@: @1, Port: ???, Public IP@: @X, Port: ???) cannot be completed because ESP carries no port numbers.
Section 9 Page 21
9 IPSEC VPN Services
NAT Traversal
Figure: NAT traversal. The ESP packet A→B is encapsulated in UDP (IP @1→@Y, Protocol ID: 17 (UDP), Src: 500 → Dest: 500) by the intranet firewall; the ISP NAT table entry becomes UDP @1 500 @X 4567 and the packet is forwarded as IP @X→@Y, UDP Src: 4567 → Dest: 500 to the firewall of the remote intranet. The reply (IP @Y→@X, UDP Src: 500 → Dest: 4567, ESP @B→@A) is translated back into IP @Y→@1, UDP Src: 500 → Dest: 500.
The UDP header is a standard [RFC0768] header, where the Source Port and Destination Port MUST be the same
as that used by IKE traffic. The IPv4 UDP Checksum SHOULD be transmitted as a zero value, and receivers
MUST NOT depend on the UDP checksum being a zero value. The SPI field in the ESP header MUST NOT be a
zero value.
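The encapsulation rules quoted above (IKE ports, zero UDP checksum that the receiver does not rely on, non-zero SPI) as an added example that is not the course's own code. The receiver tells ESP from IKE on the same port by the four zero bytes IKE carries where ESP carries its SPI (the RFC 3948 Non-ESP marker, assumed here); ports, SPI and payloads are constructed.

```python
"""Added example (not the course's own code): UDP encapsulation of ESP for
NAT traversal. Same ports as the IKE traffic, UDP checksum transmitted as
zero, receiver not depending on the checksum value, non-zero SPI. The
Non-ESP marker used to tell IKE from ESP on the shared port is the RFC 3948
mechanism, assumed here; ports, SPI and payloads are constructed."""
import struct

IKE_PORT = 500
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def sample_esp(spi, seq, ciphertext):
    """Constructed ESP packet: header (SPI, sequence number) + opaque ciphertext."""
    return struct.pack("!II", spi, seq) + ciphertext


def udp_header_fields(datagram):
    """(source port, destination port, length, checksum) of a UDP datagram."""
    return struct.unpack("!HHHH", datagram[:8])


def udp_encapsulate_esp(esp_packet, src_port=IKE_PORT, dst_port=IKE_PORT):
    """Prepend a UDP header (checksum 0) to an ESP packet whose SPI is non-zero."""
    if len(esp_packet) < 8:
        raise ValueError("ESP packet too short")
    spi = struct.unpack("!I", esp_packet[:4])[0]
    if spi == 0:
        raise ValueError("SPI must not be zero: it would be read as the Non-ESP marker")
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(esp_packet), 0) + esp_packet


def udp_encapsulate_ike(ike_message, src_port=IKE_PORT, dst_port=IKE_PORT):
    """IKE on the same port carries four zero bytes where ESP carries its SPI.
    The checksum value is arbitrary here to show the receiver ignores it."""
    payload = NON_ESP_MARKER + ike_message
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0x1234) + payload


def udp_decapsulate(datagram):
    """Return ('esp', esp_packet) or ('ike', ike_message); the checksum is not checked."""
    _src, _dst, length, _checksum = udp_header_fields(datagram)
    if length != len(datagram):
        raise ValueError("UDP length mismatch")
    payload = datagram[8:]
    if payload[:4] == NON_ESP_MARKER:
        return "ike", payload[4:]
    return "esp", payload


def nat_rewrite_source_port(datagram, new_src_port):
    """What the NAT does to the outer UDP header: only the port changes, checksum stays 0."""
    return struct.pack("!H", new_src_port) + datagram[2:]
```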
Section 9 Page 22
Answer the Questions
If two IPsec tunnels are set up between the same pair of entities, which
parameter makes it possible to identify a tunnel accurately?
Impossible at IPsec level as the packet is encrypted
The SPI field
The port number at transport level
The Authentication data field
Section 9 Page 23
Answer the Questions
Tunnel
Transport
Section 9 Page 24
2. IPSEC operation
Section 9 Page 25
9 IPSEC VPN Services
Security Association (SA)
Figure: Security Association identification: dest IP@: X, Prot: ESP, SPI: …; SA parameters: encryption algorithm, Prot: AH / ESP, …
The mechanisms mentioned previously rely on cryptography and consequently use a number of
parameters (encryption algorithms, keys, selected mechanisms, etc.) on which the communicating parties
must agree. IPsec uses the Security Association (SA) to manage these parameters.
An IPsec Security Association is a simplex connection that supplies security services to the traffic it
transports. It can be considered as a data structure storing the set of parameters associated with a given
communication.
Section 9 Page 26
9 IPSEC VPN Services
Security Association Database (SAD)
Figure: one-way SAs; several SAs towards several partners; several SAs towards the same partner {ƒ(traffic type or destination)}. IPsec gateway x holds an SAD for outgoing traffic (SA1, SA3, SA5) and an SAD for incoming traffic (SA2, SA4, SA6) towards the IPsec gateways y and z across the Internet.
The Security Association Database (SAD) is used to manage the active security associations. It contains all
the parameters relative to each SA. The IPsec gateway looks up the SAD to know how to process each packet
on emission or on reception.
Indeed:
Several SAs may be set up between several partners.
Several SAs may be set up towards the same partner.
Different types of protection may be defined according to the type of application.
Different types of protection may be defined according to the direction.
Section 9 Page 27
9 IPSEC VPN Services
SAD: Synthesis
Figure: SAD entries SAx and SAy, each identified by dest IP@, AH / ESP and SPI, and each holding: sequence number counter, policy when the counter reaches the maximum value, anti-replay window for the incoming traffic, algorithms used, Time To Live, mode (transport / tunnel), information path MTU.
The IPsec processing between two partners requires the following parameters for each SA:
Sequence number counter, incremented for every packet sent on the SA,
Policy when the counter reaches the maximum value (the 32-bit counter must never wrap under the same key; the
usual policy is to negotiate a new SA before that happens),
Anti-replay window for the incoming traffic,
Selection of the AH or ESP algorithm and of the associated parameters,
Time To Live (in seconds or in bytes), after which the SA is renewed,
Mode (transport or tunnel),
Path MTU information.
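The following Python code is an added example (not from the course material) showing how the sequence number counter, the maximum-value policy and the anti-replay window listed above fit together on one SA. The sender side raises an exception when the 32-bit counter would wrap (policy: rekey); the receiver side implements the sliding window in the style of RFC 4303 Appendix A, with the window checked before the ICV is verified and updated only afterwards, so that forged packets cannot slide the window forward. The window size, the arrival sequence and the ICV results are constructed for the demonstration.

```python
class SequenceCounterExhausted(Exception):
    """The 32-bit sequence counter would wrap; the policy here is to rekey (new SA)."""


class SenderSequenceCounter:
    """Sequence number counter of an outbound SA (RFC 4303 section 3.3.3)."""

    MAX = 2**32 - 1  # width of the sequence number field in the AH/ESP header

    def __init__(self):
        self.value = 0  # the first packet on a fresh SA carries sequence number 1

    def next_seq(self):
        if self.value >= self.MAX:
            # Cycling would let old packets be replayed under the same key, so the
            # SA (and its key) must be replaced before sending another packet.
            raise SequenceCounterExhausted("counter exhausted: rekey the SA")
        self.value += 1
        return self.value


def can_send_after(value):
    """True if a sender whose counter reads `value` may still emit one more packet."""
    counter = SenderSequenceCounter()
    counter.value = value
    try:
        counter.next_seq()
        return True
    except SequenceCounterExhausted:
        return False


class AntiReplayWindow:
    """Receiver-side anti-replay window of an inbound SA (RFC 4303 Appendix A style).

    last_seq is the highest sequence number accepted so far; bit i of bitmap is
    set when packet last_seq - i has already been accepted.
    """

    ACCEPT, REPLAY, TOO_OLD, BAD_ICV, INVALID = "accept", "replay", "too old", "bad icv", "invalid"

    def __init__(self, size=64):
        self.size = size
        self.last_seq = 0
        self.bitmap = 0

    def check(self, seq):
        """Classify seq without touching state (runs before ICV verification)."""
        if seq == 0:
            return self.INVALID  # sequence number 0 is never transmitted
        if seq > self.last_seq:
            return self.ACCEPT  # right of the window: a new packet
        diff = self.last_seq - seq
        if diff >= self.size:
            return self.TOO_OLD  # left of the window: replay or delay cannot be told apart, drop
        if self.bitmap & (1 << diff):
            return self.REPLAY  # already accepted once
        return self.ACCEPT

    def update(self, seq):
        """Record seq as received; call only after the ICV verified correctly."""
        if seq > self.last_seq:
            shift = seq - self.last_seq
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)

    def receive(self, seq, icv_valid):
        """Inbound order of operations: window check, ICV check, window update.

        Updating only after a good ICV means an attacker cannot slide the window
        forward with forged high sequence numbers and lock out genuine packets.
        """
        verdict = self.check(seq)
        if verdict != self.ACCEPT:
            return verdict
        if not icv_valid:
            return self.BAD_ICV
        self.update(seq)
        return self.ACCEPT


def replay_demo():
    """Constructed arrival sequence on one inbound SA with a 64-packet window."""
    window = AntiReplayWindow(size=64)
    arrivals = [(1, True), (2, True), (5, True), (3, True), (3, True), (4, True),
                (900, False), (100, True), (36, True), (37, True), (0, True)]
    return [window.receive(seq, icv_ok) for seq, icv_ok in arrivals]
```

In `replay_demo()` the forged packet 900 with a bad ICV is rejected without moving the window, so the genuine packet 100 that follows is still accepted; packet 36 then falls outside the 64-packet window behind 100 and is dropped as too old, while 37 is still inside and accepted.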
Security Policy Database (SPD) (Example of Outgoing Traffic)
Figure: IPsec gateway x of network 155.2.8.0 (hosts .1 and .2) reaches network 194.1.2.0 (host .6) behind
IPsec gateway y through SA1, and host 129.9.9.9 (z) through SA2, across the Internet. The numbers 1 to 6
trace the packet from the host through the SPD lookup and the SAD lookup out onto the SA.
Outgoing IP packet:
IPs: 155.2.8.1, IPd: 194.1.2.6, Prot: 6 (TCP), Portsrc: 1024, Portdest: 21 (FTP), Data
SPD (SA selection parameters):
Entry 1: Dest IP@ = 194.1.2.*, Src IP@ = 155.2.8.*, Transport = TCP, Dest port = 21 (ftp), Action: apply, SA Id1
Entry 2: Dest IP@ = 129.9.9.9, Src IP@ = 155.2.8.2, Transport = TCP, Dest port = any, Action: apply, SA Id2
SAD (outgoing traffic):
SA1: ESP, Algo: ….., Time To Live: ….., transport/tunnel, ……
SA2: AH, ……
The packet above matches entry 1 of the SPD, whose SA Id1 points to SA1 in the SAD: the packet is sent with ESP.
9 29 All Rights Reserved © Alcatel-Lucent 2009
IPSEC VPN Services
IP Technology IP for Mobile Networks
The SPD entries are matched on selectors taken from the packet (source and destination IP addresses, ports,
ToS, transport protocol) and point to the SA endpoint. Each entry carries one of three actions:
- discard (the IP packet is deleted),
- bypass IPsec (the packet goes on unprotected),
- apply IPsec (the security services contained in an SA, or in a group of SAs called an SA bundle, are applied).
SPD and SAD Management
Figure: protocol stack of an IPsec node (Application: HTTP, FTP, POP, ...; Sockets; Transport: TCP, UDP;
IP / IPsec (AH, ESP); Link), with the SPD and the SAD beside the IP / IPsec layer. The administrator
configures the policies in the SPD manually (1). When traffic to be sent reaches IP / IPsec (2), the SPD is
looked up (3); the matching entry points to the SAD (4), which is looked up for the SA (5). If no SA exists,
an SA creation request goes to the key exchange (IKE), which negotiates with the peer across the Internet
and creates, modifies or discards SAD entries (6).
Outgoing traffic:
When the IPsec "layer" receives data to be sent:
• First, it looks up the Security Policy Database (SPD) to determine how to process this data.
• If the SPD indicates that security mechanisms must be applied to the traffic, it retrieves the
characteristics required for the corresponding SA and looks up the SA Database (SAD):
– If the required SA already exists, it is used to process the traffic.
– If not, IPsec uses IKE to set up a new SA with the required characteristics.
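As an added example (not from the course material), the Python code below implements the outgoing procedure just described and runs it on the packet and the two SPD entries of the SPD example slide. The SA endpoint address 194.1.2.1 for gateway y, the SPIs, algorithms and lifetimes in the SAD, the third SPD entry (whose SA does not exist yet, so that IKE is requested) and the extra test packets are assumptions. Two details a practitioner should notice: the SPD is an ordered list and the first matching entry wins, so specific entries must come before general ones; and, as RFC 4301 requires, traffic that matches no entry at all is discarded rather than sent in clear.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

DISCARD, BYPASS, PROTECT, NEGOTIATE = "discard", "bypass", "protect", "ike_negotiate"
TCP, UDP = 6, 17


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


@dataclass(frozen=True)
class SpdEntry:
    """One SPD entry: selectors plus an action; None in a selector means 'any'."""
    src_net: str
    dst_net: str
    proto: Optional[int]
    dport: Optional[int]
    action: str
    sa_id: Optional[str] = None  # SA to use when the action is PROTECT

    def matches(self, pkt):
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


@dataclass(frozen=True)
class SaEntry:
    """One outbound SAD entry; (dst, protocol, spi) identifies the SA on the wire."""
    sa_id: str
    dst: str          # SA endpoint: the peer gateway (assumed address below)
    protocol: str     # "ESP" or "AH"
    spi: int
    mode: str         # "tunnel" or "transport"
    algo: str
    lifetime_s: int   # Time To Live of the SA


class OutboundIpsec:
    def __init__(self, spd, sad):
        self.spd = list(spd)                       # ordered list: first match wins
        self.sad = {sa.sa_id: sa for sa in sad}
        self.ike_requests = []                     # SA ids handed to IKE

    def process(self, pkt):
        """Step 1: SPD lookup. Step 2: SAD lookup, or IKE request when the SA is missing."""
        entry = next((e for e in self.spd if e.matches(pkt)), None)
        if entry is None:
            return DISCARD, None                   # RFC 4301: no matching entry, discard
        if entry.action != PROTECT:
            return entry.action, None              # BYPASS or DISCARD, no SA involved
        sa = self.sad.get(entry.sa_id)
        if sa is None:
            self.ike_requests.append(entry.sa_id)  # SA not established yet: IKE creates it
            return NEGOTIATE, entry.sa_id
        return PROTECT, sa


# SPD of gateway x as on the slide (entries 1 and 2) plus a constructed entry 3
# whose SA has not been negotiated yet. Order matters: the FTP entry is listed first.
SPD = [
    SpdEntry("155.2.8.0/24", "194.1.2.0/24", TCP, 21, PROTECT, "SA1"),
    SpdEntry("155.2.8.2/32", "129.9.9.9/32", TCP, None, PROTECT, "SA2"),
    SpdEntry("155.2.8.0/24", "10.0.0.0/8", None, None, PROTECT, "SA3"),   # constructed
]
# Outbound SAD. Peer address 194.1.2.1, SPIs, algorithms and lifetimes are assumptions.
SAD = [
    SaEntry("SA1", "194.1.2.1", "ESP", 0x1001, "tunnel", "aes-cbc / hmac-sha1", 3600),
    SaEntry("SA2", "129.9.9.9", "AH", 0x1002, "transport", "hmac-sha1", 3600),
]


def demo():
    """Run the slide's FTP packet and three constructed packets through the gateway."""
    gw = OutboundIpsec(SPD, SAD)
    packets = {
        "ftp": Packet("155.2.8.1", "194.1.2.6", TCP, 1024, 21),        # the slide's packet
        "web_to_z": Packet("155.2.8.2", "129.9.9.9", TCP, 40000, 80),  # entry 2, any port
        "web_to_y": Packet("155.2.8.1", "194.1.2.6", TCP, 1025, 80),   # port 80: no entry
        "new_peer": Packet("155.2.8.7", "10.1.2.3", UDP, 5000, 53),    # entry 3: SA3 missing
    }
    return {name: gw.process(pkt) for name, pkt in packets.items()}
```

`demo()` protects the FTP packet with SA1 (ESP) and the packet to z with SA2 (AH), discards the HTTP packet to y because only FTP towards 194.1.2.0 is covered by the policy, and returns an IKE negotiation request for SA3.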
SA negotiation _ Key Management
Manual
Automatic
With "Certificates"
The distribution and the management of keys are critical operations. IPsec uses two methods of key distribution:
Manual
Automatic (IKE)
Manual key exchange
The administrators at both ends of a tunnel must configure all the security parameters by hand. This works in
small static networks. However, key distribution becomes problematic over long distances, since the keys may be
compromised in transit, and the keys must be regenerated regularly. Manually keyed SAs also have no way to reset
their sequence number counters, so anti-replay protection is normally disabled for them.
IKE supplies a method for:
Negotiating the protocols, algorithms and keys to be used.
Authenticating the parties, that is, making sure from the beginning of the exchange that you are communicating
with the right peer (primary authentication service).
Managing the keys once chosen (key management), including the mechanisms to renew them.
Origins of IKE
Figure: IKE is built on ISAKMP, which defines the procedures of authentication and SA management; on OAKLEY,
which defines the groups that will be used for the Diffie-Hellman exchange; and on SKEME (Secure Key Exchange
Mechanism). The IPsec DOI (Domain of Interpretation) ties IKE to IPsec.
IKE is derived from a set of protocols: ISAKMP, OAKLEY and SKEME. Together they constitute a protocol stack
enabling automatic key exchange.
OAKLEY
OAKLEY defines the groups that will be used for the Diffie-Hellman exchange. There are 5 groups, called the
OAKLEY groups. Among these 5 groups, three are classical modular exponentiation (MODP) groups and two are
elliptic curve groups. Groups 1 and 2 (768-bit and 1024-bit MODP) are no longer considered strong enough;
current guidance (RFC 8247) requires at least group 14 (2048-bit MODP) for new deployments.
IKE Phases
IKE is a two-phase protocol:
Phase 1: both partners set up a secure channel (the IKE SA, also called the ISAKMP SA) over which IKE itself
runs. They negotiate how to authenticate each other and how to protect this channel.
Phase 2: both partners negotiate the IPsec SA parameters over that protected channel.
IKE modes
Oakley supplies three modes of key exchange and SA establishment: main mode and aggressive mode for Phase 1,
quick mode for Phase 2.
Aggressive mode: the same work as main mode in fewer messages, but the partners' identities are not protected
(simpler and faster). With pre-shared key authentication, aggressive mode also sends a hash derived from the
pre-shared key in clear, which allows offline dictionary attacks on weak keys; main mode should be preferred.
IKE Phase 1: Main Mode
Figure: three exchanges between the initiator and the responder. Messages 1 and 2: negotiation of the basic and
hash algorithms. Messages 3 and 4: exchange of the Diffie-Hellman public values. Messages 5 and 6: check of
identities (encrypted exchange).
IKE Main Mode consists of six messages exchanged between the initiator and the responder in order to set up
an IKE SA. The first four messages are sent in clear and determine the security parameters of the following
exchanges.
• In the first exchange (messages 1 and 2), both parties agree on the basic and hash algorithms:
Authentication (pre-shared key / RSA signature with certificate).
Hash (MD5 / SHA-1 / …)
Encryption (DES / 3DES / AES / …)
DH groups (1 .. 5)
• In the second exchange (messages 3 and 4), they exchange their Diffie-Hellman public values (and nonces), from
which both sides derive the shared secret that protects the rest of the exchange.
• In the third exchange (messages 5 and 6), now encrypted, they exchange their identities and check them with the
negotiated authentication method.
Parameters Used in the IKE SA Negotiation
•Encryption algorithms (DES, 3DES, AES)
•Hash algorithms (MD5, SHA)
•Authentication method (Preshared-Key or Certificate)
IKE Phase 2: Messages
Figure: three messages exchanged under the protection of the IKE SA. Messages 1 and 2: negotiation of the
security protocols for IPsec, each side announcing the SPI of its own inbound SA (SPI x on one side, SPI y on
the other). Message 3: authentication of the exchange.
Negotiation of SAs for the Data
Hash algorithms
An authentication method
For the IPsec AH protocol, the transforms that can be negotiated are MD5, SHA and DES (HMAC-MD5 and HMAC-SHA
being mandatory to implement).
For the IPsec ESP protocol, the authentication algorithms that can be negotiated are MD5, SHA and DES-MAC. The
possible encryption algorithms are DES, 3DES, RC5, IDEA, … (DES being mandatory to support at the time of this
material). Current guidance (RFC 8221) forbids DES and HMAC-MD5 and discourages 3DES: new deployments should use
AES (CBC or GCM) with HMAC-SHA-2.
Perfect Forward Secrecy (PFS)
Figure: Alice and Bob exchanging encrypted data across a network on which an attacker can intercept it.
When encrypted data goes through a public network, an attacker has many opportunities to intercept it. You can
reduce the risk that intercepted data is ever decrypted by using larger and larger keys. But the larger the keys,
the slower and the more complex the encryption, which may degrade network performance.
A good compromise consists in using keys of a reasonable length and changing them frequently. This has its own
problem: the new keys must not be derived from the old ones, otherwise the discovery of one key might compromise
all the traffic.
So a method is needed to generate a new key that does not depend at all on the value of the current key. Then, if
someone recovers your current key, they can only read a small part of the traffic, and they have to crack another,
entirely independent key to read the rest.
Two variants may be used to generate the keys for the encryption, hash and authentication of the SAs negotiated
for a given application:
They can simply be derived from the keying material of the ISAKMP SA.
They can be generated independently of the ISAKMP SA keys by exchanging fresh Diffie-Hellman values in Phase 2.
The second variant is called Perfect Forward Secrecy: compromising the ISAKMP SA keys does not reveal the keys of
the IPsec SAs derived with it.
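As an added example (not part of the course material), the following Python code walks through the two variants just described with the IKEv1 formulas of RFC 2409: Phase 1 derives SKEYID_d from a pre-shared key and a Diffie-Hellman exchange, then Quick Mode derives the IPsec SA keying material either from SKEYID_d alone or with a fresh Diffie-Hellman exchange (PFS). An attacker who recorded the Quick Mode messages and later obtains SKEYID_d recovers the first but not the second. It also illustrates the OAKLEY groups of the Origins of IKE slide: group 2 (the 1024-bit MODP group of RFC 2409) is used so that the arithmetic is real, with a Miller-Rabin check on the typed constant, although that group is too small for actual deployments. The pre-shared key, cookies, nonces and SPI are constructed values, and HMAC-SHA-1 is assumed as the prf.

```python
import hashlib
import hmac
import secrets

# Oakley group 2: 1024-bit MODP prime and generator (RFC 2409 section 6.2).
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
PROTO_IPSEC_ESP = 3  # IPsec DOI protocol identifier of ESP (RFC 2407)


def is_probable_prime(n, rounds=16):
    """Miller-Rabin, used only to sanity-check the group prime typed above."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair(p=GROUP2_P, g=GROUP2_G):
    """Ephemeral Diffie-Hellman pair: (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_shared(x, peer_public, p=GROUP2_P):
    """Shared secret g^xy mod p as a fixed-width byte string."""
    return pow(peer_public, x, p).to_bytes((p.bit_length() + 7) // 8, "big")


def prf(key, data):
    """IKEv1 prf = HMAC with the negotiated hash; HMAC-SHA-1 assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def phase1_skeyid_d(psk, ni, nr, gxy, cky_i, cky_r):
    """PSK authentication (RFC 2409 section 5.4): SKEYID = prf(PSK, Ni_b | Nr_b),
    SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)."""
    return prf(prf(psk, ni + nr), gxy + cky_i + cky_r + b"\x00")


def quick_mode_keymat(skeyid_d, protocol, spi, ni, nr, gqm_xy=b""):
    """RFC 2409 section 5.5: KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b);
    g(qm)^xy is present only when PFS was negotiated."""
    return prf(skeyid_d, gqm_xy + bytes([protocol]) + spi + ni + nr)


def negotiate(pfs):
    """Phase 1 (PSK) then one Quick Mode. Returns (KEYMAT, wire view, SKEYID_d)."""
    psk = b"constructed pre-shared key"                 # constructed secret
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    ni, nr = secrets.token_bytes(20), secrets.token_bytes(20)
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    gxy = dh_shared(xi, gxr)
    assert gxy == dh_shared(xr, gxi)                   # both sides agree on g^xy
    skeyid_d = phase1_skeyid_d(psk, ni, nr, gxy, cky_i, cky_r)

    qni, qnr = secrets.token_bytes(16), secrets.token_bytes(16)
    spi = b"\x00\x00\x10\x01"                          # constructed SPI of the new ESP SA
    gqm = b""
    if pfs:                                            # fresh DH exchange inside Quick Mode
        yi, gyi = dh_keypair()
        yr, gyr = dh_keypair()
        gqm = dh_shared(yi, gyr)
        assert gqm == dh_shared(yr, gyi)
    keymat = quick_mode_keymat(skeyid_d, PROTO_IPSEC_ESP, spi, qni, qnr, gqm)
    return keymat, {"spi": spi, "ni": qni, "nr": qnr}, skeyid_d


def attacker_recovers_keymat(pfs):
    """Attacker recorded the Quick Mode exchange and later obtained SKEYID_d (the IKE SA
    keys leaked). Without the ephemeral exponents yi, yr it can only try the no-PFS formula."""
    keymat, wire, leaked = negotiate(pfs)
    guess = quick_mode_keymat(leaked, PROTO_IPSEC_ESP, wire["spi"], wire["ni"], wire["nr"])
    return guess == keymat
```

`attacker_recovers_keymat(pfs=False)` returns True: everything the KEYMAT depends on is either on the wire (SPI, nonces) or in the leaked SKEYID_d. With `pfs=True` it returns False, because the extra g(qm)^xy was computed from exponents that both sides discarded after the exchange.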
Answer the Questions
Answer options: SPD, SAD.
Answer options: Source IP address, Destination IP address, Port number, ToS, Protocol.
Answer the Questions
Answer options: SPD, SAD.
Answer the Questions
Answer options: Main mode, Aggressive mode, Quick mode.
Answer the Questions
The automatic management of IKE keys still requires, in the pre-shared key method, the manual introduction of a
secret key. What is its role?
To ensure authentication
To perform encryption
To perform a hash
End of Section