IP Routing for Next Generation Network Services Thesis Report


  • 7/31/2019 IP Routing for Next Generation Network Services Thesis Report

    1/70

MEE07:25

IP Routing for Next Generation Network Services

Osagie Ighodalo Solomon Ighagbon Oziegbe

This thesis is presented as part of the Degree of Master of Science in Electrical Engineering

Blekinge Institute of Technology
June 2007

Blekinge Institute of Technology
School of Engineering
Department of Applied Signal Processing
Supervisor: Docent Adrian Popescu
Examiner: Docent Adrian Popescu


Abstract

As the market for high speed Internet and cellular communication services reaches maturity, communication services have shown a limit to growth based on the number of subscribers. Next Generation Network services based on IP Routing form the beginning of a new age of innovative and affordable services, where consumers will witness substantial new service offerings and also savings in their consumption bills for such services. The requirements of these applications challenge the limitations of the network technologies that are in place today. Next Generation Networks are based on internet technologies including Internet Protocol (IP) and Multi-Protocol Label Switching (MPLS).

The thesis therefore presents an overview of the converged IP Network services, focusing on opportunities for service differentiation and introducing current service oriented technology to meet the demands of consumers. These technologies allow service providers to build and operate networks that are able to provide local, long distance, global, mobile, data, voice and internet services to consumers. In meeting the demands of these newer services to their customers adequately, with high Quality of Service (QoS), speed, Traffic Engineering and scalability, Internet Service Providers have engaged Next Generation Networks using the more reliable Multi-Protocol Label Switching in the core of their networks, while also delivering such services through a secure means over the public internet by using Virtual Private Networks.


Acknowledgement

We would like to express our immense gratitude and wholehearted appreciation to our Supervisor Docent Adrian Popescu for his invaluable guidance, patience and encouragement towards the completion of our thesis work.

Special thanks go to our university, Blekinge Institute of Technology, for opening a new door regarding our tomorrow.

We would also like to thank our parents for their support and prayers and also our colleagues in the department, especially our friends who have contributed one way or the other to the success of this work. God bless you all.


Table of Contents

Abstract 3
Acknowledgement 5
List of Figures 9
Chapter 1: Introduction 11
Chapter 2: Next Generation Networks Overview 13
2.1 Introduction 13
2.2 Next Generation Networks Architecture 14
2.2.1 The Access Layer 16
2.2.2 The Transport and Switching Layer 16
2.2.3 The Application and Service Layer 17
2.3 Building blocks for Next Generation Networks 19
2.3.1 Next Generation Network Switches 20
2.3.2 IP Networks 21
2.4 Using Next Generation Network Services 22
Chapter 3: Underlying Technologies Components 23
3.1 IP Routing 23
3.1.1 Routing Table 23
3.1.2 Autonomous systems 24
3.1.3 Routing Mechanisms 25
3.2 Multi-Protocol Label Switching 26
3.2.1 Background of MPLS 26
3.2.2 How MPLS works 27
3.2.3 MPLS Architecture 31
3.2.4 How MPLS paths are installed and Removed 35
3.2.5 Comparing IP and ATM and then MPLS and ATM technologies 37
3.2.6 Misconceptions about MPLS technology 38
Chapter 4: Virtual Private Networks 39
4.1 Introduction 39
4.2 Internet Protocol VPNs 39
4.3 IPSec Protocols for data Integrity 40
4.4 Access Virtual Private Networks 41
4.5 IPSec VPNs for Remote Access 41
4.6 SSL VPNs for Remote Access 43
4.7 MPLS VPNs for Remote Access 45
Chapter 5: Wireless Application Protocol 49
5.1 Introduction 49
5.2 WAP Architecture Overview 51
5.3 WAP Protocol Stack 54
5.3.1 Wireless Application Environment 55
5.3.2 Wireless Session Protocol 55
5.3.3 Wireless Transaction Protocol 55
5.3.4 Wireless Transport Layer Security 56
5.3.5 Wireless Datagram Protocol 56
5.4 How Service Providers, Operators and Subscribers benefit from using WAP-based Solutions 57
Chapter 6: Performance Management for Next Generation Networks 59
6.1 Definition 59
6.2 Why Performance Management by Service Providers 59
6.3 The Future of Performance Management and Expected Benefits in Next Generation Networks 60
6.4 Performance Management key functional area in Next Generation Networks 60
6.5 Challenges of Integrating Performance Management Solutions 61
6.5.1 Scalability 61
6.5.2 Flexibility 62
Chapter 7: Conclusion 65
Reference List 67
Appendix 69


List of Figures

2.1 The Public Switched Telephone Network and Public Switched Data Network
2.2 The new Next Generation Network Architecture
2.3 The Separation of control and connection
2.4 Media Gateway Principle
3.1 MPLS functioning between the layer 2 and layer 3 Protocol
3.2 MPLS generic label format
3.3 Position of the MPLS label in a layer 2 frame
3.4 MPLS label header (Shim header)
3.5 MPLS architecture performing traditional IP routing
3.6 MPLS architecture performing label switching routing
3.7 Service provider MPLS network
4.1 Remote access to IPSec VPNs
4.2 Remote access to SSL VPNs
4.3 Remote access to MPLS VPNs
5.1 The World Wide Web programming model
5.2 The WAP programming model
5.3 A typical WAP network
5.4 WAP architecture and reference model
6.1 Scalability Requirement


Chapter 1

Introduction

The Internet today has become an ever more critical part of the world's communication infrastructure, thus putting Internet Service Providers (ISPs) under increasing pressure to provide good, predictable performance, high Quality of Service (QoS), scalability, Traffic Engineering and speed to a wide range of older and newer applications for their consumers. A global technology infusion of Internet Protocol and wireless mobility has presented great opportunities for the service delivery of data, voice and video for communications and also computing in real time. The future of telecommunications has already been tremendously changed, and it has also been shown that Next Generation Network Services are capable of reaching markets and customers worldwide in real time, in this era whereby service providers are wrestling for mind and market share as they restructure their networks to attract an increasingly diverse set of clients. Next Generation Networks is a broad term to describe some key architectural evolutions in telecommunications core and access networks that will be deployed over the next five to ten years. The general idea behind Next Generation Networks is that one network can transport all information and services (voice, data and other media such as video streaming) by encapsulating these into packets, as is the case on the internet. It has also been shown that Next Generation Network Services are more than just connectivity, communication and collaboration; they are also about technology-leveraged, service-centric platforms combined with a service value mind-set, set for the purpose of engaging customers on an immersive, interactive level, not only solving their challenges but also anticipating their future dreams regarding business and personal communications. [1]

In this thesis work, the main objective is to give a general overview of why most Internet Service Providers offering Next Generation Network services have most recently been employing MPLS in the core of their networks, based on newer services that have to be offered to their customers which conventional IP routing could not fully support, and also why they have been using Virtual Private Networks as a secured way of offering such services over a public network.

In the following chapters, we will discuss the Next Generation Network architecture, its building blocks, switches and uses, followed by a brief description of IP routing and then Multi-Protocol Label Switching, which is a central element of Next Generation Networks. The next chapter will be Virtual Private Networks, giving a general description and the various types of VPNs, followed by Wireless Application Protocol, which is a communication protocol that enables wireless devices to have easy access to the internet and other telephony services. Then we talk about Performance Management for Next Generation Network Services and finally end with the conclusion.


Chapter 2

Next Generation Networks Overview

2.1 Introduction

The last eight years or more have witnessed an increasingly speedy integration of computers and telephony, both equipment and networks. The old public network operators (PNOs) have witnessed a decrease in telephony traffic on their public switched telecommunications networks (PSTNs), due largely to the increasing popularity of mobile telephones and the movement of services from telephone networks to the public internet.

A customer of telephone networks prefers the unregulated but large content of communications provided by their network provider which has communication possibilities; this is offered by the public internet. The fixed network operators' response to meet this demand was to deploy broadband; while this solution satisfies the customer's demand, it has done little to ensure the continued development of global communications networks, as the fixed network operator is left merely providing access to the public internet (or worse, access to an internet service provider, ISP) while content and service are provided without any association with networking costs. Customers do not buy technology, they buy services. So from the network operator's point of view, it is the ability to offer services that can take advantage of broadband which is important.

This new concept of an integrated broadband network has developed over the last few years and has been labeled Next Generation Networks (NGN). This term is used to describe some architectural evolutions in telecommunication core and access networks which meet the needs of a technology-enabled culture; more specifically, it is an inventive optimization of technology and service platforms to meet a new era of IP-centric networking requirements and customer opportunities. Next Generation Networks are commonly built around the internet protocol. It enables multiple services such as voice, video and data to be integrated and efficiently carried over a single infrastructure. [1]

The next generation network seamlessly blends the public switched telephone network (PSTN) and the public switched data network (PSDN), creating a single multiservice network. Instead of large, centralized, proprietary switch infrastructures, this next generation architecture pushes central-office (CO) functionality to the edge of the network. What results from this is a distributed network infrastructure that leverages new, open technologies to reduce the cost of market entry dramatically, increase flexibility, and accommodate both circuit-switched voice and packet-switched data. [26]


Figure 2.1: The Public Switched Telephone Network and Public Switched Data Network

Today's network is divided into two elements: the PSTN and the PSDN (see figure 2.1). The PSTN consists of large, centralized, proprietary class-5 switches with remote switching modules (RSMs) and digital loop carriers (DLCs), while in contrast the substantially smaller PSDN, consisting of network points of presence (POPs) and remote access devices, is growing at a dramatic rate. The growth of the PSDN is driven by the internet, intranets, virtual private networks (VPNs) and remote access. However, the PSTN continues to be the principal means of delivering data services.

2.2 Next Generation Network Architecture

There is a speed of change in the telecommunication marketplace that was inconceivable some years back. Liberalization has led to an increase in competition and various new business opportunities for numerous players. Societal changes and work habits have imposed on people the requirement to be practically always connected. New technologies offer more capacity and flexibility for faster and cheaper implementations of new features. The introduction and deployment of various new services in the network must be carried out at the speed required by the market. It is therefore apparent that the new network architecture must be an evolution of today's networks, with a stepwise approach to introducing the new technologies.


Figure 2.2: The new Next Generation Network architecture (figure labels: Servers (INTERNET, ISDN/PSTN NETWORK); Gateways (BSC, BTS, RNS); Database (HLR, OSS/NMS, MSC/GMSC, SGSN/GGSN, TL/TG))

The new Next Generation Network architecture consists of:

• An access layer
• A transport and switching layer
• An application and service layer (figure 2.2)

The access layer consists of wireline and wireless technologies, while the switching and transport backbone provides basic connectivity. The application and service layer comprises servers and databases that provide the intelligence required to manage subscribers and services and to control the connections. In the 1980s, an almost similar structure was introduced in terms of the intelligent network (IN) architecture; recent advances in technology have made the architecture largely accepted as well as suitable for implementation on a broader scale, especially in microelectronics for access and transport, enabling flexible extension of existing infrastructure, as well as new software and protocols allowing a migration of existing applications and control functions onto new flexible platforms. [28]

2.2.1 The Access Layer

The existing copper access network was deemed outdated only a few years ago, and future broadband services were expected to require fiber all the way to the home. It has been shown that current advances in digital subscriber loop (xDSL) technology demonstrate that existing copper loops can provide several megabits per second (Mbit/s) downstream in data speed, high enough to handle the majority of foreseeable services delivered by the current and next-generation Internet.

With the advances in access technology, new access products take advantage of the rebirth of existing subscriber loops, providing a variety of end user accesses, integrated services and open interfaces. The V5.2 interface is an example of such technology; it is used for connecting to backbone and switching networks in a way most suitable for the network operator. There has been tremendous investment in the development of radio technology; the success of second generation digital wireless networks, most importantly the Global System for Mobile communication (GSM), has secured this feat. The narrow band capacity of digital radio is continuously being increased through more flexible network implementation solutions such as hierarchical cell structures and adaptive antennas. The introduction of General Packet Radio Service (GPRS) in GSM, further improved by Enhanced Data rates for Global Evolution (EDGE), utilizes the scarce radio resources within the existing frequency ranges more effectively, especially for data services.

The evolutionary approach associated with GPRS, where existing infrastructure in the base station system (BSS) can be reused, allows for the introduction of mobile data services on a broad scale. With the Universal Mobile Telecommunications System (UMTS) Terrestrial Radio Access Network (UTRAN), a new spectrum-efficient radio technology, Wideband Code Division Multiple Access (WCDMA), is introduced to continue the evolution of GSM toward third generation capabilities. Although UTRAN is based on a new radio technology, its flexibility in transport allows significant savings in radio access investments. [28]

2.2.2 The Transport and Switching Layer

In the next generation network, basic optical transmission technology has an important role. In the last two years the area of wavelength division multiplexing (WDM) has shown opportunities to increase the capacity of existing transmission networks by a factor of 100. Hence the perceived bottleneck for future network applications has effectively been removed. Within the backbone transport network, the discussion on the cost benefits of packet-oriented technologies versus the Quality of Service (QoS) offered by circuit-switched networks continues. Advances in router capacity and Voice-over-IP (VoIP) applications have convinced a number of new entrants in the operator market to introduce overlay networks targeting selected customer groups. Several established network operators have also launched network evolution programs introducing packet switching in a controlled way on the existing networks. Asynchronous Transfer Mode (ATM), as a packet-switching technology offering QoS and good network management mechanisms, plays an important role in facilitating this evolution. With ATM interworking closely with the existing circuit-switched call control infrastructure, it is possible to flexibly introduce packet switching as a basis for new applications in parallel with the current public switched telephone network/integrated services digital network (PSTN/ISDN). This ensures retained QoS and reuse of the existing functionality for telephony. [28]

Figure 2.3: The separation of control and connection

2.2.3 The Application and Service Layer

An issue which is important in the next generation network architecture is the independence of applications and services from basic switching and transport technologies. A separation of applications and control mechanisms from the access and transport layers is the fundamental feature of the next generation architecture. On the application layer several trends are visible, pertaining to the different segments of the market. The intelligent network (IN) still plays an important role for well specified services, especially mass market services requiring high capacity and good management control; examples of this are number portability and prepaid services. A lot of future services require more flexibility and small scale economics in their introduction. Dedicated services and standalone nodes already offer these capabilities for many new services today, especially within the wireless networks. [28]

However, it is becoming more complex by the day to manage the current implementation of the application structure. It now requires a new approach; the next significant step toward the new architecture involves the true separation of control and connection as shown in Figure 2.3. This is possible through the migration of applications and call control functions onto open platforms, the introduction of common control protocols to support communication between control functions and network resources, and especially through the introduction of media gateway (MGW) nodes. MGW nodes provide conversion between different communication media, protocol adaptations, and pooling of devices such as codecs and announcement equipment (Figure 2.3). The implementations of the gateway nodes are based on the applications and developed in different configurations, but they should fulfill telecommunication-specific design requirements and reuse network infrastructure when applicable.

Figure 2.4: Media Gateway Principle

An MGW is a logical node:

• The MGW performs protocol conversion of the user plane between two networks.
• The MGW is controlled by servers using the x-cp protocol.
• The MGW performs bearer control.
• The MGW shall own its own resources, enabling several servers to control


The main characteristics of the above described network architecture are as follows:

• Service-differentiated: The need to offer new applications at a rate expected by the different market segments, as well as to support different levels of QoS depending on the price end customers are prepared to pay.
• Application driven: Separation of control and connection, and business aspects driving the speed of implementation.
• Server-oriented: The opportunity to introduce new services both through servers connected to the network and by porting existing telecommunication logic onto open server platforms.
• Software dominated: Due to the expected increase of higher-level programming and the amount of source code used and/or reused for implementing the application layer and corresponding protocols.

2.3 Building blocks for Next Generation Networks

Internet Protocol (IP) is the first of the fundamental building blocks of Next Generation Networks, applications and services. It is the networking messenger between data computing applications, IP telephony conversations and IP video sessions at layer 3. IP's success has been beneficial to the rise of Ethernet technology at layer 2. Since its beginning in the early 1970s, Ethernet has withstood all layer 2 competition, defeating the technology push of all deterministic layer 2 challengers with the pull of Ethernet's simplicity, adaptability and interoperability with all layer 1 media. Where IP is the layer 3 packaging, Ethernet is the layer 2 conveyor belt that leads to the digital versions of mail bags (wireline), photonic locomotives (optical), and stealth jet planes (wireless), all at layer 1. Internet Protocol, Ethernet, optical and wireless networks are the must-have networking layers, in essence the new-era building blocks with which to construct and enhance networks that are flexible, fast and service rich. With these technologies in use, providers are adapting their networks towards architectures that better support data, voice and video convergence, providing a variety of access interfaces to deal with customer choice and augmenting their options to offer next generation broadband services that find success with customers. [1]

These service-valued technologies, within the context of general classifications or rather types of provider networks, encompass:

• IP networks
• Virtual private networks
• Wireless networks

Depending upon their business plan, providers might use one classification of network exclusively, or they might incorporate several network classifications while considering relative strength, customer needs and market opportunities.

2.3.1 Next Generation Network Switches

Next generation switches are the most flexible platforms available. Combining extreme scalability, an open service creation environment (SCE), remote management and diagnostics and the highest availability, next generation switches provide a migration path from today's switching architecture to a more cost effective, efficient, next generation network architecture. This next generation switching architecture represents an entirely new approach to delivering services that is specifically designed to accomplish the following:

• Distribute switching functionality to the edge of the network
• Deliver robust switching functionality at a cost that is an order of magnitude lower than traditional, proprietary class-5 switches
• Protect existing investments by supporting all current analog and digital network standards, interfaces, media and service elements
• Reduce the number of network elements by combining a range of telephony, application and service delivery functions
• Enable new service creation through programmability and the flexibility of an open application programming interface (API)
• Provide a high degree of scalability, enabling network operators to expand their subscriber base rapidly and cost effectively
• Take advantage of future technological advances, which promotes extensibility through open architecture design
• Redefine true, carrier-class design for maximum fault tolerance and zero downtime
• Reduce operating costs by employing advanced remote maintenance and diagnostics capabilities
• Increase revenues by shortening time to market, reducing upfront costs, and providing remote management capabilities

Obviously this method or approach represents a dramatic departure from traditional switch architecture. On a side by side comparison, the immediate differences are clear (see figure 2.1). Next generation switches are purpose-built to scale to meet the needs of any subscriber base. In designing these systems, a small start-up cost and a linear incremental cost are taken into consideration. This architecture allows carriers to make better use of their capital by purchasing only the capacity that their network requires; as carriers need additional capacity, additional cards can be inserted. In competing and winning in a competitive environment, carriers must offer revenue generating enhanced services ahead of the competition. Another benefit of next generation switches is their large service creation environment (SCE). This is mainly a graphical user interface; these SCEs allow carriers to develop, deploy and, most importantly, pay only for the services that their customers require [26]. In an era of next generation switches, carriers will no longer need to wait for a vendor's next generic release of feature software. The carriers or third party developers can quickly and cost effectively develop their own applications. Doing so will provide yet another competitive advantage. The carrier will own its new applications, thereby limiting a competitor's ability to offer the same service. Next generation switches enable carriers to connect a distributed network of intelligent switches together and manage them as a single virtual switch. They also give carriers the ability to gain access to a specific resource on a specific card via a host computer connected to the next generation network. This possibility greatly reduces a network operator's costs by eliminating expensive truck rolls and costly service calls. New features are introduced with next generation switches; carriers can introduce features and services in real time, rather than wait until network traffic goes to the lowest possible. NGN switches can serve as the following:

• An alternative to traditional class-5, end office switches
• An alternative to traditional class-4, tandem-office switches
• Enhanced services platforms
• Wireless local access switches and the base station controllers
• Cable telephony headend switches

2.3.2 IP Networks

IP is uniquely positioned as the central theme in the new era of networking and an important point of convergence for networks, services and applications. All types of service providers now use IP networks; this allows providers to interface directly with the type of networks most familiar to their customers.

IP networks, a layer 3 protocol, stitch together various purpose built networks and are the fundamental access layer to the internet. IP is the most preferred networking interface for advanced applications because it can reach the largest customer markets, and it is moving center stage into carrier class networking. Data, voice, video and internet data must come together. By standardizing various types of data formerly associated with entirely separate technologies, IP provides a powerful solution. IP network convergence provides a foundation for greater collaboration, opening new ways to work and interact, simplifying network management and reducing operating costs. [1]

Today, converged networks are fueling the development of an array of dynamic applications; examples include e-learning, unified messaging, and integrated call center and customer support systems. This is unifying the convergence of networks while facilitating the purposeful and appropriate combination of data. More on IP networks is in chapter three.


2.4 Using Next Generation Network Services

Innovative technology, process and a company's culture each have a part in the delivery of a next generation network service. These services leap from a service-valued emphasis made possible by appropriate application of next generation network technology, along with process optimization and cultural shift. Examples of next generation services are:

• Internet access services
• VPN services at both layer 2 and layer 3
• Ethernet as metro area and wide area LAN extensions
• IP services including layer 3 data routing, IP voice, and IP video
• Optical wavelength services
• Content, database, and application delivery services
• Storage and security services
• Managed network services

Many of these services reside at networking layers 2 and 3, and also at layers 4-7 for hosted applications. This is the essential distinction: next generation network services transcend the physical layer at layer 1, traditionally considered the heart of the provider transport model, and move upscale into layers 2, 3 and beyond. Services are decoupled from transport as a result of IP-based any-to-any networking. Service is more than technology. It is in fact a unique blend of technology, process and culture. The measurement of service value will be increasingly calculated as a success ratio with the amount of time saved as the most important factor, and to the customer, service is everything. Providers that are engaging in next generation network services are doing so through the recognition and tailored exploitation of convergence trends. Seeking to rapidly market an expanded catalog of services, they are converging their technology platforms and network infrastructures as well as exploiting selective convergence of various communications services. [1]


Chapter 3

Underlying Technologies Components

3.1 IP Routing

IP Routing involves the process of moving packets across an internet from a source to a destination, and making this routing decision is achieved by using a router, which provides the physical connection between networks. Such routers must be configured with some type of routing mechanism to enable communication between hosts to go beyond their local segments. These routing mechanisms could be static or dynamic in nature, or could also be a combination of both; which of the choices is chosen does not matter, because they both have the same objective of facilitating communication between remote hosts.

Routing interfaces connect networks and subnetworks and also serve as the entry/exit point for end systems within the networks and subnetworks. Local routing tables are built and maintained by static or dynamic routing protocols, and these routing tables represent the physical network infrastructure, identifying paths to networks and subnetworks. Routers use the routing tables to determine the best path between source and destination after the destination address has been identified. Routing basically consists of two separate tasks, which are also related based on applications: first, the paths for the transmission of packets through the internet should be defined, and secondly, packets will be forwarded based on the paths which have been defined. [3]

3.1.1 Routing table

Routers use a combination of routing methods, namely static, default and dynamic routing, to build their routing tables, since every router must have a local routing table in order to make forwarding decisions. The routing table is used to determine the best path between a source and a destination when datagrams are forwarded. It lists all networks and subnetworks known to the router together with the IP address of the next-hop router for each.

The next question is how the routing table is used. When a router receives a datagram that needs to be forwarded, the destination address is extracted and compared with each route in the routing table until the most specific (longest-prefix) match is found. If a match is found, the router re-addresses the datagram at the link layer only: the frame is sent with the router's own MAC address as the source and the next-hop router's MAC address as the destination, while the network layer (IP) addresses inside the datagram are left unchanged. The router then sends the frame out of the local interface connected to the link leading to the next-hop router.

If no specific match is found while trying to forward a datagram, the router uses the default route, if one is configured; otherwise the datagram is discarded and an Internet Control Message Protocol (ICMP) destination unreachable error is sent back to the source. Where multiple paths to a destination exist, more than one route may be learned, but normally one is selected as the best by the routing protocol and installed in the routing table. Some routing protocols allow load balancing across multiple paths by installing several equal-cost paths as active routes, so that the router alternates between them when forwarding datagrams and spreads the traffic load across the paths. Once a router has built its routing table, it is important to keep the information current; this maintenance is achieved either by manual configuration or by dynamic routing protocols. [3]
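A worked example of the lookup just described, added here and not taken from the thesis: a small IPv4 routing table is searched with longest-prefix matching, the default route (0.0.0.0/0) is used only when nothing more specific matches, and the "drop with ICMP destination unreachable" case is returned when there is no match at all. The prefixes, next-hop addresses and interface names are constructed for illustration.

```python
"""Longest-prefix-match lookup over a small IPv4 routing table.

Added example (not from the thesis). Routes, interfaces and addresses are
constructed; 0.0.0.0/0 plays the role of the default route.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]   # None for a directly connected network
    interface: str


# Constructed routing table. Order does not matter: the lookup picks the
# longest matching prefix, not the first one it sees.
ROUTING_TABLE: List[Route] = [
    Route(ipaddress.ip_network("10.0.0.0/8"), "192.168.1.2", "eth0"),
    Route(ipaddress.ip_network("10.1.0.0/16"), "192.168.1.3", "eth0"),
    Route(ipaddress.ip_network("10.1.5.0/24"), None, "eth1"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "192.168.1.1", "eth0"),
]


def lookup(table: List[Route], dst: str, use_default: bool = True) -> Optional[Route]:
    """Return the most specific route covering dst, or None when nothing matches.

    With use_default=False the 0.0.0.0/0 entry is ignored, which models a
    router without a default route.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for route in table:
        if addr not in route.prefix:
            continue
        if not use_default and route.prefix.prefixlen == 0:
            continue
        if best is None or route.prefix.prefixlen > best.prefix.prefixlen:
            best = route
    return best


def forward(table: List[Route], dst: str, use_default: bool = True):
    """Describe the forwarding decision: (action, interface, next hop) or a drop.

    For a directly connected network the next hop is the destination itself
    (the router would ARP for it); otherwise it is the next-hop router.
    """
    route = lookup(table, dst, use_default)
    if route is None:
        return ("drop", "ICMP destination unreachable")
    next_hop = route.next_hop if route.next_hop is not None else dst
    return ("forward", route.interface, next_hop)
```

The second parameter on `forward` is only there to show the two behaviours the text describes: with a default route the unknown destination is handed to 192.168.1.1, without one it is dropped and ICMP is generated.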

3.1.2 Autonomous Systems (AS)

An autonomous system is a collection of networks and routers under a single administrative control, and it may consist of multiple routing domains. A routing domain is a collection of networks and subnetworks whose routers run the same routing protocol. There are two types of routing protocol with respect to autonomous systems: [3]

1) Intra-Autonomous System routing protocols: These routing protocols are used to build and maintain routing tables within an autonomous system (AS), which is also called intra-domain routing. Intra-AS routing protocols are also known as Interior Gateway Protocols (IGPs). An IGP computes routes within a single AS, and it also enables data to be forwarded across the AS from ingress to egress when the AS is providing transit services.

2) Inter-Autonomous System routing protocols: These are used to forward packets to other autonomous systems (ASes) and are also called inter-domain routing protocols, or Exterior Gateway Protocols (EGPs). An EGP allows routes to be distributed between ASes, and it enables routers within an AS to choose the best point of egress from the AS for the traffic they are routing.

Routing protocols therefore fall into two categories, interior and exterior:

a) Interior Routing Protocols, also called Interior Gateway Protocols (IGPs), are routing protocols used exclusively within an AS, providing intra-AS routing. An IGP operates as a separate routing domain within the AS. Usually an IP IGP must be configured with a list of associated networks (the interfaces or prefixes it should advertise) before routing can start. Examples of IGPs are RIP, OSPF, IGRP, EIGRP and IS-IS. A router that runs two IGPs, for example RIP on one side and OSPF on the other, is referred to as a border router because it sits on the border between two IGP routing domains and redistributes routes between them.

b) Exterior Routing Protocols (EGPs) are routing protocols that allow communication between separate autonomous systems, providing inter-AS routing. Usually an IP EGP must be configured with a list of neighbour routers with which to exchange routing information, a list of networks to advertise as directly reachable, and the AS number of the local router before routing can start. Examples of exterior gateway protocols are BGP, the original EGP, GGP and IDRP.


3.1.3 Routing Mechanisms

Routers combine several input sources to build their routing tables. The most important of these routing mechanisms are static and dynamic routing. [3]

1) Static Routing: Static routing uses a preconfigured routing table that remains in force until an administrator changes it manually, i.e. the routing table entries are created by hand. This is the most basic form of routing. Because it is static, it cannot adapt to changes in the network: if the router or interface named in a static route fails or becomes unavailable, the route to the destination fails with it. This is the main weakness of static routing. Its advantage is that it generates no routing-update traffic at all.

Static routes are therefore well suited to temporary links or links where bandwidth is scarce, because they conserve bandwidth by not causing routers to generate route-update traffic. The cost is administrative time: every change in the network requires the routes to be updated manually.

2) Dynamic Routing: The routing tables are created automatically. Dynamic routing uses routing protocols to update the routing table with routes learned from peer routers, and these protocols are grouped as either interior gateway protocols or exterior gateway protocols. IGPs distribute routing information inside an AS, while EGPs are used for inter-AS routing so that each AS learns how to reach the others throughout the internet.

When such routing protocols exchange messages with each other, the best routes are computed from the information received. Dynamic routing has the advantage of selecting the best route based on a chosen routing metric, e.g. bandwidth, link cost, delay, hop count, reliability or load. Its disadvantage is the problems it can introduce, such as routing loops and instability while the network converges.

Routing protocols fall into two main categories, namely distance vector and link state. [3]

1) Distance Vector: Distance vector routing protocols determine the best path by how far away the destination is, where the distance can be a hop count or a combination of metrics calculated into a single distance value. Examples of distance vector routing protocols are RIPv1, RIPv2 and IGRP. RIPv1 and RIPv2 use hop count as the metric to determine the best path, whereas IGRP uses a composite metric of bandwidth and delay.

The distance vector characteristics relevant to best-path determination include: route updates, metrics (hops, bandwidth and delay), variable length subnet masks (VLSM), ToS, load balancing, maximum network diameter and authentication. Distance vector routing protocols suffer from routing loops, which occur when stale route information remains in a routing table; the problem originates from the periodic, scheduled route updates, which result in slow convergence (convergence is attained when all routers within a routing domain agree on the reachability information).

Several techniques are used to minimize routing loops: a maximum metric that bounds the count-to-infinity problem (16 hops in RIP), split horizon, hold-down timers and poison reverse.
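The following is an added example, not part of the thesis, showing two of the loop-prevention techniques named above in a RIP-style distance vector exchange: split horizon (a router never advertises a route back out of the interface it learned it from) and poison reverse (it advertises it back with the "infinite" metric instead). The router names, link costs and the three-router topology A - B - C are constructed; the infinity value of 16 is RIP's.

```python
"""Distance-vector update with split horizon and poison reverse.

Added example, not from the thesis: a minimal RIP-style exchange showing
what a router advertises to each neighbour and how it merges what it hears.
Router names, link costs and the topology are constructed.
"""
from typing import Dict, Optional, Tuple

INFINITY = 16   # RIP's unreachable metric; bounds count-to-infinity

# A routing table maps destination -> (metric, next_hop); next_hop is None
# for a directly connected network.
Table = Dict[str, Tuple[int, Optional[str]]]


def advertise(table: Table, neighbour: str, split_horizon: bool = True,
              poison_reverse: bool = False) -> Dict[str, int]:
    """Build the update this router sends to `neighbour`.

    Split horizon omits routes whose next hop is `neighbour`; poison reverse
    sends them with metric INFINITY so the neighbour drops them quickly
    instead of possibly re-learning them through a loop.
    """
    update: Dict[str, int] = {}
    for dest, (metric, next_hop) in table.items():
        if split_horizon and next_hop == neighbour:
            if poison_reverse:
                update[dest] = INFINITY
            continue
        update[dest] = metric
    return update


def receive(table: Table, neighbour: str, link_cost: int, update: Dict[str, int]) -> Table:
    """Bellman-Ford merge of an update heard from `neighbour` over a link of `link_cost`.

    A route is replaced when the new metric is better, or when it comes from
    the neighbour we already use for that destination (so a worsened or
    poisoned route is believed rather than ignored).
    """
    for dest, metric in update.items():
        new_metric = min(metric + link_cost, INFINITY)
        current = table.get(dest)
        if current is None or new_metric < current[0] or current[1] == neighbour:
            table[dest] = (new_metric, neighbour)
    return table


def build_example() -> Tuple[Table, Table, Table]:
    """Constructed topology A -- B -- C, each link cost 1.

    Returns the tables of A, B and C after one round of exchanges: B learns
    from both ends first, then A and C learn from B.
    """
    a: Table = {"netA": (0, None)}
    b: Table = {"netB": (0, None)}
    c: Table = {"netC": (0, None)}
    receive(b, "A", 1, advertise(a, "B"))
    receive(b, "C", 1, advertise(c, "B"))
    receive(a, "B", 1, advertise(b, "A"))
    receive(c, "B", 1, advertise(b, "C"))
    return a, b, c
```

With split horizon, B's update to A contains netB and netC but not netA, because B reached netA through A; with poison reverse B instead tells A that netA is 16 hops away, which A ignores for its own directly connected network but which would immediately invalidate a stale route on a router that had learned netA from B.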

2) Link State Routing: Link state routing protocols generally provide greater flexibility than distance vector routing. They reduce overall routing-update traffic and make better routing decisions by taking characteristics such as bandwidth, delay, reliability and load into consideration instead of basing decisions only on distance or hop count. Examples of link state routing protocols are OSPF and IS-IS.

Link state routing protocols reduce update traffic because they do not send periodic broadcasts of their entire routing tables; instead they flood link state advertisements when the topology changes. Every link state routing protocol must build and maintain three separate tables: the neighbour table (also called the adjacency database), the topology map (link state database) and the routing table (forwarding database). Link state characteristics relevant to best-path determination include route updates, databases and tables, metrics, VLSM, ToS, load balancing and authentication. The disadvantage is the CPU overhead involved in recalculating routes after a change and the memory required to store the neighbour table, the routing table and a complete topology map.

3.2.1 Background of MPLS

The rapid growth of the internet over the past years has placed a high demand on service provider networks to keep up with the increase in the number of users, in connection speeds, in backbone traffic and in bandwidth, and with the emergence of new applications that incorporate voice and multimedia services (e.g. VoIP), which require higher bandwidth and better guarantees irrespective of dynamic changes or disruptions in the network. [1]

A number of technologies, e.g. Asynchronous Transfer Mode (ATM) and Frame Relay, were deployed to meet such demands, but a newer technology called Multiprotocol Label Switching (MPLS) is gradually replacing them because of problems inherent in those older technologies, including speed, scalability, traffic engineering and Quality of Service (QoS) management. MPLS addresses these problems and has been positioned to align with current and future technology needs, but it can also run over existing ATM and Frame Relay infrastructure, so it does not completely replace them. MPLS is an evolving technology that enables service providers to offer additional services to their customers by scaling their current offerings and exercising more control over their growing networks through its traffic engineering capabilities. Most network operators have therefore considered it the best technology on which to converge all of their backbone transport while still delivering the quality of service required by multiple traffic types.

Based on these capabilities, MPLS will play a vital role in the routing, switching and forwarding of packets through next generation networks in order to meet the increasing service demands of network users. The primary goal of MPLS is to integrate the label swapping forwarding paradigm with network layer routing. Label swapping is expected to improve the price and performance of network layer routing, improve the scalability of the network layer and provide greater flexibility in the delivery of new routing services, because new routing services can be added without changing the forwarding paradigm. MPLS combines the good attributes of circuit-switched and packet-switched networks, giving it diverse functionality, while remaining independent of the layer 2 and layer 3 protocols it operates between, and it has a wide range of applications in service provider and enterprise backbone networks. [2, 7]

Figure 3.1 MPLS functioning between the Layer 2 and Layer 3 protocols

[Figure 3.1 contents: Layer 3: IP; MPLS, between layer 3 and layer 2; Layer 2: ATM, FR, Ethernet, PPP; Layer 1: SDH, ODH, WDN, CSMA]

3.2.2 How MPLS works

Some MPLS terminology is in common use and needs to be explained before describing how MPLS works. The terms include: [2, 7, 11, 13]

1.) Forwarding Equivalence Class (FEC): a group of IP packets that are forwarded along the same path and receive the same forwarding treatment on the way to their destination. The assignment of a particular packet to a particular FEC is done once, as the packet enters the network, and the FEC to which the packet is assigned is then encoded as a short, fixed-length identifier known as a label.

2.) Labels and label bindings: Labels identify the forwarding path of a packet and are carried in, or encapsulated with, the layer 2 header along with the packet. Once a packet has been labeled and its next hop determined, forwarding through the backbone is based purely on label switching. A label is assigned to a packet once it has been classified into a new or existing FEC, and the label is bound to that FEC as a result of some event or policy that calls for such a binding. [11]

The generic label format is shown below:

Figure 3.2 MPLS Generic Label format


The label can be embedded in the data link layer header (for example the ATM VPI/VCI or the Frame Relay DLCI) or carried in the shim, i.e. between the layer 2 data link header and the layer 3 network layer header.

Figure 3.3 Position of the MPLS label in a layer-2 frame

The MPLS label is inserted between the layer 2 header and the layer 3 contents of the layer 2 frame, as shown in the figure above. [2]

3.) MPLS Label header: also called the MPLS shim header. It consists of 32 bits and has the following fields:

a) The Label field (20 bits): carries the actual value of the MPLS label. Values 0 to 15 are reserved.

b) The Class of Service (CoS) field (3 bits): also called the Experimental (EXP) bits in the IETF MPLS documentation (the field has since been renamed Traffic Class). Since it has 3 bits it can distinguish eight (8) service classes.

c) The Time-to-Live (TTL) field (8 bits): has the same function as the IP TTL field, essentially loop detection. The TTL is decremented by one each time the packet passes through a router, and the packet is discarded when the TTL reaches zero. At the ingress the IP TTL is normally copied into the label TTL, and at the egress the label TTL is copied back into the IP header, so that labeled hops still count against the packet's lifetime.

d) The Bottom-of-Stack (S) field (1 bit): indicates whether this entry is the last one in the MPLS label stack. Label stacking is used by MPLS applications such as MPLS-based Virtual Private Networks and MPLS Traffic Engineering. Since the label stack header (shim header) is inserted between the layer 2 header and the layer 3 payload, the router sending the packet must tell the receiving router, through the layer 2 protocol type (e.g. Ethertype 0x8847 for unicast MPLS over Ethernet), that the packet being transmitted is not a pure IP datagram but a labeled packet, i.e. an MPLS datagram. The MPLS label stack is used for routing packets through LSP tunnels. The S bit is set to one for the last (bottom) entry and to zero for all other label stack entries.

[Figure 3.3 contents: an unlabeled IP packet in a layer 2 frame (layer 2 header, layer 3 data); a labeled IP packet in a layer 2 frame (layer 2 header, MPLS label / shim header, layer 3 data)]


Figure 3.4 MPLS Label header (Shim header)
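The field layout in Figure 3.4 is exercised by the following added example, which is not part of the thesis: it packs and unpacks 32-bit label stack entries (20-bit label, 3-bit EXP/CoS, 1-bit S, 8-bit TTL), serialises a multi-entry stack with the S bit set only on the bottom entry, and walks a received stack until S = 1, rejecting a stack that runs off the end of the packet. The label values and the inner payload are constructed.

```python
"""Encode and decode MPLS label stack entries (the 32-bit shim header).

Added example, not from the thesis. Layout of each entry, as in Figure 3.4:
label (20 bits) | EXP/CoS (3 bits) | S (1 bit) | TTL (8 bits).
Sample labels and payload bytes are constructed values.
"""
import struct
from typing import List, NamedTuple, Tuple


class LabelEntry(NamedTuple):
    label: int   # 0..1048575; 0-15 are reserved values
    exp: int     # 0..7 (CoS / EXP, later renamed Traffic Class)
    s: int       # 1 only on the bottom-of-stack entry
    ttl: int     # 0..255


def encode_entry(e: LabelEntry) -> bytes:
    """Pack one entry into 4 network-order bytes, refusing out-of-range fields."""
    if not (0 <= e.label < (1 << 20) and 0 <= e.exp < 8
            and e.s in (0, 1) and 0 <= e.ttl < 256):
        raise ValueError("label stack entry field out of range")
    word = (e.label << 12) | (e.exp << 9) | (e.s << 8) | e.ttl
    return struct.pack("!I", word)


def decode_entry(data: bytes) -> LabelEntry:
    """Unpack the first 4 bytes of data into its four fields."""
    (word,) = struct.unpack("!I", data[:4])
    return LabelEntry(label=word >> 12, exp=(word >> 9) & 0x7,
                      s=(word >> 8) & 0x1, ttl=word & 0xFF)


def encode_stack(entries: List[LabelEntry]) -> bytes:
    """Serialise a stack top-first; S is forced to 1 on the last entry only."""
    out = b""
    last = len(entries) - 1
    for i, e in enumerate(entries):
        out += encode_entry(e._replace(s=1 if i == last else 0))
    return out


def parse_labeled_packet(payload: bytes) -> Tuple[List[LabelEntry], bytes]:
    """Read entries until one has S=1; return (entries, bytes after the stack).

    A receiver must not trust the S bit blindly: if no entry terminates the
    stack before the data ends, the packet is malformed and is rejected.
    """
    entries: List[LabelEntry] = []
    offset = 0
    while True:
        if offset + 4 > len(payload):
            raise ValueError("label stack runs past the end of the packet")
        entry = decode_entry(payload[offset:offset + 4])
        entries.append(entry)
        offset += 4
        if entry.s == 1:
            return entries, payload[offset:]


def is_well_formed(payload: bytes) -> bool:
    """True if the label stack terminates inside the packet."""
    try:
        parse_labeled_packet(payload)
        return True
    except ValueError:
        return False
```

The two-label stack case is the one MPLS VPNs and traffic engineering rely on: the top entry is what the core LSRs switch on, and only the bottom entry, with S = 1, tells the egress where the IP payload begins.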

e) Label Switch Routers (LSRs): The Label Switch Router (LSR) forms the core of the MPLS network. An LSR takes an active part in forwarding packets to other MPLS routers and in forming label switched paths. LSRs examine the top label and forward the packet on the basis of the label alone, which presupposes that the packet was labeled earlier, by a Label Edge Router (LER), when it entered the MPLS domain. Three different types of LSR exist in an MPLS network: [2]

1) Edge-LSR: This type of LSR receives an IP packet, performs a layer 3 lookup and imposes a label stack before forwarding the packet into the LSR domain. In the reverse direction it receives a labeled packet, removes the labels, performs a layer 3 lookup and forwards the IP packet towards its next hop.

2) ATM-LSR: This type of LSR runs MPLS in the control plane to set up ATM virtual circuits and forwards labeled packets as ATM cells.

3) ATM edge-LSR: This LSR type can receive labeled or unlabeled packets, segment them into ATM cells and forward the cells toward the next-hop ATM-LSR; alternatively it receives ATM cells from an adjacent ATM-LSR, reassembles them into the original packet and forwards the packet as a labeled or unlabeled packet.


f) Label Edge Routers (LERs): An LER operates at the edge of an MPLS network and has interfaces to dissimilar networks such as ATM, Ethernet and Frame Relay. LERs route traffic and are therefore used as the interface between layer 2 networks and the MPLS core network. When an LER receives a packet from a layer 2 network, it attaches a label and sends the labeled packet into the MPLS core; the packet then follows a specific path, called a Label Switched Path (LSP), from one LER to another. When an LER receives a packet from the MPLS network, the label is removed and the packet is sent to the appropriate network. LERs that send packets into the MPLS network are referred to as ingress LERs, while LERs that send packets out into the layer 2 networks are referred to as egress LERs; both take part in establishing LSPs before packets are exchanged.

g) Label Switched Path (LSP): This is a specific traffic path through an MPLS network along which incoming MPLS-labeled packets are mapped to an outgoing action at every hop. Creation of an LSP is connection-oriented, because the path is set up before data is transmitted. MPLS provides hop-by-hop routing or explicit routing options to set up an LSP. Each packet enters the MPLS network at the ingress LSR and exits at the egress LSR. The LSP set up for an FEC is unidirectional, which means that return traffic for that FEC must take another LSP.

3.2.3 MPLS Architecture

The MPLS architecture is divided into two components, the data plane and the control plane. [2]

1) Data Plane: also called the forwarding component. It forwards data packets based on the labels they carry, using the label forwarding database maintained by the label switch.

2) Control Plane: also called the control component. It is responsible for creating and maintaining label forwarding information, also referred to as label bindings, among a group of interconnected label switches. The control plane is also responsible for path selection, using hop-by-hop or explicit routing to determine the best path through the network, and for path establishment, using a signaling protocol to inform all the routers on the path that a new label switched path (LSP) is required once the path has been determined.


Figure 3.5 MPLS architecture performing traditional IP routing

As in a traditional IP router, the IP routing table is used to build the IP forwarding table. To exchange IP routing information with other MPLS nodes in the network, an MPLS node must run one or more IP routing protocols; in addition, the MPLS IP routing control process uses labels exchanged with adjacent MPLS nodes to build the label forwarding table that is used to forward labeled packets through the MPLS network.


Figure 3.6 MPLS Architecture performing label switch routing

The traditional IP forwarding table, extended with label information, is used either to label IP packets or to remove labels from labeled packets before sending them to non-MPLS nodes, while incoming labeled packets can be forwarded as labeled packets to other MPLS nodes. When the destination of a labeled packet is a non-MPLS node, the first step is to remove the label and perform a layer 3 lookup in order to locate the non-MPLS destination.


MPLS Operation:

Figure 3.7 Service provider MPLS network

The figure shows a typical MPLS network. The central cloud represents the MPLS network itself, and all traffic between the cloud and the customer networks is unlabeled. The other components of the network are Label Edge Routers (LERs), Label Switch Routers (LSRs) and Label Switched Paths (LSPs). In service provider terminology the LERs are the provider edge (PE) routers, the core LSRs are the provider (P) routers, and the customer routers attached to the PEs are the customer edge (CE) routers.

In the MPLS network, LERs add MPLS labels to packets at the ingress (incoming) side and remove the labels at the egress (outgoing) side. The LSRs switch traffic hop by hop based on the MPLS label within the MPLS cloud.

The flow of data through the MPLS network can be summarized in the following steps: [7]

1) The PE routers first set up LSPs through the MPLS network to the remote LERs before any traffic is forwarded onto the MPLS network.

2) Non-MPLS traffic (for example over Frame Relay, ATM or Ethernet access) is sent from a customer network through its CE router to the ingress PE router, which operates at the edge of the provider's MPLS network.

3) The PE router performs a lookup (IP forwarding) on information in the packet in order to associate it with an FEC, and then adds the relevant MPLS label(s) to the packet.

4) The packet moves along its LSP, with each P router along the way swapping the label to direct the packet to the next hop.

5) At the egress PE the last MPLS label is removed and the packet is forwarded by traditional routing mechanisms.

6) Finally, the packet proceeds to the destination CE and then into the customer's network, which is its final destination.
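The six steps above, carried through in code as an added example that is not part of the thesis: an ingress PE classifies an unlabeled packet into an FEC and pushes a label, each P router swaps the label from its label forwarding table, and the egress PE pops it before handing the packet to the CE. Labels are plain integers here (the shim encoding is not modelled), and the TTL handling shows the check a practitioner cares about: a mis-programmed LFIB that loops a label back on itself is stopped by the per-hop TTL decrement, and an unknown label is dropped rather than forwarded. The topology CE1 - PE1 - P1 - P2 - PE2 - CE2, the prefix 172.16.0.0/16 and the labels 100/200/300 are constructed.

```python
"""Simulate a packet crossing an MPLS network in the six steps above.

Added example, not from the thesis. Router names, labels, prefixes and the
LSP are constructed; labels are plain integers. Shows push at the ingress
PE, swap at each P router, pop at the egress PE, and the per-hop TTL
decrement that stops a looped LSP from circulating a packet forever.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    dst_ip: str
    ip_ttl: int
    # label stack, top entry first, as (label, label_ttl)
    label_stack: List[Tuple[int, int]] = field(default_factory=list)


def classify(fib: Dict[str, Tuple[int, str]], dst_ip: str) -> Optional[str]:
    """Longest-prefix match of dst_ip against the FIB keys; returns the prefix."""
    addr = ipaddress.ip_address(dst_ip)
    matches = [p for p in fib if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda p: ipaddress.ip_network(p).prefixlen, default=None)


@dataclass
class Router:
    name: str
    # FIB (used by the ingress PE): prefix -> (label to push for that FEC, next router)
    fib: Dict[str, Tuple[int, str]] = field(default_factory=dict)
    # LFIB: incoming label -> (action, outgoing label or None, next router)
    lfib: Dict[int, Tuple[str, Optional[int], str]] = field(default_factory=dict)

    def forward(self, pkt: Packet) -> Tuple[str, Packet]:
        """Process one packet; return (next router, packet) or raise on drop."""
        if not pkt.label_stack:
            # Step 3: unlabeled packet at the ingress PE -> IP lookup, FEC, push
            prefix = classify(self.fib, pkt.dst_ip)
            if prefix is None:
                raise LookupError(f"{self.name}: no route for {pkt.dst_ip}")
            if pkt.ip_ttl <= 1:
                raise LookupError(f"{self.name}: IP TTL expired")
            label, nxt = self.fib[prefix]
            pkt.ip_ttl -= 1
            pkt.label_stack.insert(0, (label, pkt.ip_ttl))  # copy IP TTL into the shim
            return nxt, pkt
        label, ttl = pkt.label_stack[0]
        if ttl <= 1:
            raise LookupError(f"{self.name}: MPLS TTL expired on label {label}")
        if label not in self.lfib:
            raise LookupError(f"{self.name}: unknown label {label}")
        action, out_label, nxt = self.lfib[label]
        if action == "swap":                        # Step 4: P router
            pkt.label_stack[0] = (out_label, ttl - 1)
        elif action == "pop":                       # Step 5: egress PE
            pkt.label_stack.pop(0)
            pkt.ip_ttl = ttl - 1                    # copy the label TTL back into IP
        else:
            raise ValueError(f"{self.name}: bad LFIB action {action}")
        return nxt, pkt


def run_lsp(routers: Dict[str, Router], first_hop: str, pkt: Packet):
    """Walk the packet from the ingress PE until it reaches a router outside
    the MPLS domain (the destination CE, step 6). Returns (exit router,
    packet, trace) where trace lists (router, label stack after processing)."""
    trace = []
    current = first_hop
    while current in routers:
        router = routers[current]
        current, pkt = router.forward(pkt)
        trace.append((router.name, list(pkt.label_stack)))
    return current, pkt, trace


def drop_reason(routers: Dict[str, Router], first_hop: str, pkt: Packet) -> Optional[str]:
    """None if the packet leaves the domain, otherwise why it was dropped."""
    try:
        run_lsp(routers, first_hop, pkt)
        return None
    except (LookupError, ValueError) as exc:
        return str(exc)


def build_network() -> Dict[str, Router]:
    """Constructed topology CE1 -> PE1 -> P1 -> P2 -> PE2 -> CE2 with one LSP
    for the FEC 172.16.0.0/16: label 100 PE1->P1, 200 P1->P2, 300 P2->PE2."""
    routers = [
        Router("PE1", fib={"172.16.0.0/16": (100, "P1")}),
        Router("P1", lfib={100: ("swap", 200, "P2")}),
        Router("P2", lfib={200: ("swap", 300, "PE2")}),
        Router("PE2", lfib={300: ("pop", None, "CE2")}),
    ]
    return {r.name: r for r in routers}
```

Copying the IP TTL into the label at the ingress and back out at the egress (the uniform TTL model) is what makes the MPLS hops visible to a traceroute from the customer side; the loop test in particular shows why a core router must never forward a label whose TTL has reached one.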

Label Distribution Protocol (LDP): This is a protocol that allows label binding information to be distributed among label switch routers in an MPLS network. LDP is also used to map FECs to labels, which are then used to create LSPs. Several types of LDP message can be exchanged between LDP peers: [11]

a) Discovery messages: announce and maintain the presence of an LSR in the network.

b) Session messages: establish, maintain and terminate sessions between LDP peers.

c) Advertisement messages: create, change and delete label mappings for FECs.

d) Notification messages: carry error signals and advisory information.

3.2.4 How MPLS Paths are Installed and Removed

Two signaling protocols perform similar functions in MPLS networks and are used to set up and manage MPLS paths: Constraint-based Routing Label Distribution Protocol (CR-LDP) and Resource Reservation Protocol with Traffic Engineering extensions (RSVP-TE). [11, 14, 15]

1) Constraint-based Routing Label Distribution Protocol (CR-LDP): CR-LDP is an extension of the Label Distribution Protocol (LDP). The extensions allow LDP to set up paths beyond what is available from the routing protocol alone: an LSP can be set up based on explicit route constraints, QoS constraints and so on. Constraint-based routing is a mechanism used to meet traffic engineering (TE) requirements, and these requirements are met by extending LDP to support constraint-based routed LSPs (CR-LSPs).

CR-LDP is a simple, scalable, open, non-proprietary TE signaling protocol for MPLS IP networks that provides mechanisms for establishing and maintaining explicitly routed label switched paths (LSPs). It is designed to support the various media types that MPLS was designed for (ATM, Frame Relay and Ethernet). CR-LDP is applicable in those portions of the internet where very large numbers of LSPs may need to be switched at each LSR. It can be used for both TE and hop-by-hop LSPs. CR-LDP messages are delivered reliably by the underlying TCP session, while UDP is used for neighbour discovery. Because CR-LDP runs over TCP it offers a reliable connection between peers, and the TCP connection also gives timely error notification if communication between peers fails. Note that TCP by itself provides reliability, not security: protection of the LDP session against spoofed or injected messages relies on the TCP MD5 signature option specified for LDP, and on filtering LDP traffic at the network boundary. CR-LDP is also referred to as a hard-state protocol.

2) Resource Reservation Protocol - Traffic Engineering (RSVP-TE): This signaling protocol performs the same function as CR-LDP in an MPLS network. It uses downstream-on-demand label distribution and supports explicit routing. The advantage of using this protocol to establish LSP tunnels is that it enables the allocation of resources along the path. Features of the protocol include the capability to establish LSP tunnels with or without QoS requirements, to dynamically reroute an established LSP tunnel, to observe the actual route traversed by an established LSP tunnel, to identify and diagnose LSP tunnels, and to perform downstream-on-demand label allocation, distribution and binding. When establishing LSPs with RSVP-TE, network constraint parameters such as explicit hops and bandwidth need to be considered.

Both CR-LDP and RSVP-TE create LSPs by first sending label requests through the network hop by hop to the egress point; at each hop, the MPLS-enabled router uses the label and its corresponding IP header information to program the hardware to switch the frame to its next hop. RSVP communicates between peers using raw IP datagrams (IP protocol 46), or UDP encapsulation where raw IP is not available, rather than a TCP session. This raises two concerns: vulnerability to attack, since there is no connection to protect the exchange (RSVP addresses this with its own hop-by-hop message authentication, the INTEGRITY object), and fast recovery, since lost messages have to be detected by the protocol's own refresh mechanism.

CR-LDP and RSVP-TE both allow route pinning, that is the ability to force an LSP to stay in place after setup and not be rerouted by preemption. By using explicitly routed LSPs, a node at the ingress edge of an MPLS domain can control the path that traffic traverses from itself through the MPLS network to an egress node. One advantage of using RSVP to establish LSP tunnels is that it enables the allocation of resources along the path. RSVP-TE is also referred to as a soft-state protocol, because reservations time out unless they are periodically refreshed.


3.2.5 Comparing Internet Protocol (IP) and Asynchronous Transfer Mode (ATM)

MPLS works with IP by giving IP networks simple TE and the ability to transport layer 2 and layer 3 (IP) VPNs with overlapping address space.

It is important to observe the differences in how MPLS and IP routing forward data across a network. In traditional IP packet forwarding, the IP destination address in the packet's header is used at each router in the network to make an independent forwarding decision, and these hop-by-hop decisions are based on network layer routing protocols such as Open Shortest Path First (OSPF) or Border Gateway Protocol (BGP). These routing protocols only find the shortest path through a network, without considering other factors such as traffic congestion. MPLS, in contrast, creates a connection-oriented model that is overlaid onto the traditionally connectionless framework of IP routed networks, and this makes it possible to manage traffic on an IP network. As said earlier, MPLS builds on IP by combining the intelligence of routing with high-performance switching, and MPLS learns its routing information from the interior gateway protocol (IGP), e.g. OSPF or IS-IS. [2, 11]

MPLS and ATM:

MPLS and ATM can coexist in a network, and MPLS reduces complexity by mapping IP addressing and routing information directly into the ATM switching table. Both provide a connection-oriented transport service, but the signaling differs: MPLS uses RSVP-TE and LDP, whereas ATM uses UNI (User-Network Interface) and PNNI (Private Network-Network Interface). MPLS can run over most important media (ATM, Frame Relay, Ethernet, etc.) instead of being tied to a specific layer 2 encapsulation. MPLS works with variable length packets, whereas ATM transports fixed-length 53-byte cells. MPLS adds a label to the packet header and transmits the packet onto the network, while in ATM the packet must be segmented, transported and reassembled across the ATM network using an adaptation layer before it can be delivered. A further difference is that an MPLS connection (LSP) is unidirectional, i.e. it only allows data to flow in one direction between two endpoints, whereas an ATM virtual circuit (a point-to-point connection) is bidirectional, allowing data to flow in both directions over the same path. [12, 13]

Both technologies support tunneling of connections inside connections. MPLS uses label stacking to achieve this, while ATM uses virtual paths; ATM is limited to a single level of tunneling, since the ATM virtual path identifier (VPI) and virtual channel identifier (VCI) are both carried together in the cell header. In terms of compatibility with IP, MPLS has the advantage over ATM because MPLS is designed around IP routing, whereas ATM is not.


3.2.6 Misconceptions about MPLS Technology

There have been a number of misconceptions about the role of MPLS in the core of the internet. Part of the internet community believes that MPLS was developed to provide a standard that allowed vendors to transform ATM switches into high-performance internet backbone routers. Although that was one of the original goals of the technology, advances in silicon technology allow ASIC-based IP route lookup engines to run just as fast as MPLS or ATM VPI/VCI lookup engines. Although MPLS can enhance the forwarding performance of processor-based systems, accelerating packet forwarding was not the primary idea behind the creation of the MPLS working group.

Another part of the internet community believes that MPLS was designed to completely eliminate the need for conventional longest-match IP routing. This was also never an objective of the MPLS working group, because its members understood that traditional layer 3 routing would always be required in the internet and that it is unlikely that a large number of host systems will implement MPLS. This means that each packet transmitted by a host still needs to be forwarded to a first-hop layer 3 device where the packet header can be examined before forwarding it towards its ultimate destination. The first-hop router can then either forward the packet using conventional longest-match routing or assign a label and forward the packet over an LSP. Where a layer 3 device along the path examines the IP header and assigns a label, the label will represent an aggregate route, because it is impossible to maintain label bindings for every host on the global internet. At some point along the delivery path the IP header must therefore be examined by another layer 3 device to determine a finer granularity for continuing to forward the packet; this router can elect to either forward the packet using conventional routing or assign a label and forward the packet over a new label switched path. [8, 13]

Most Internet Service Providers (ISPs) have recently considered deploying MPLS in the core of their networks because it provides a foundation that permits ISPs to deliver new services that cannot readily be supported by conventional IP routing techniques. Since competition in the global market is growing, most ISPs now face the challenge of not only delivering superior baseline services but also providing new services that distinguish them from their competitors in delivering reliable, efficient and cost-effective services to their customers. MPLS has allowed service providers to control costs, provide better levels of base service and offer new revenue-generating customer services. [13]


Chapter 4

Virtual Private Networks

4.1 Introduction

A Virtual Private Network (VPN) is a private communications network, widely used by companies and organizations, or within a single company, to communicate confidentially over a non-private network. VPNs are implemented with a wide range of technologies and can be self-implemented or managed by a service provider, allowing the end customer to realize the cost advantages of a shared network while enjoying the benefits of security, quality of service (QoS), reliability and manageability. A VPN uses virtual connections routed through the internet from the company's private network to the remote site or employee. VPN traffic can be carried over a public network infrastructure such as the internet, using standard protocols on top of it, or over a service provider's private network with a defined service level agreement in place.

Virtual Private Networks using the internet have the potential to solve many of today's business networking problems. For example, businesses today are finding that past solutions to wide area networking between the main corporate network and branch offices, such as dedicated leased lines or Frame Relay circuits, do not provide the flexibility required for quickly creating new partner links or supporting project teams in the field. VPNs therefore allow network managers to connect remote branch offices and project teams to the main corporate network economically and to provide remote access to employees, while also reducing internal requirements for equipment and support. VPNs also offer direct cost savings over other communications methods such as leased lines and long distance calls, as well as indirect cost savings through reduced training and equipment requirements, increased flexibility and scalability. [2]

A well designed VPN should have the following features in order to achieve its aim: security, scalability, policy management, network management and reliability. In addition, VPNs are not limited to corporate sites and branch offices; they also provide secure connectivity for mobile workers. The various types of VPN discussed here include the Internet Protocol VPN (IP VPN), the IPSec VPN, the Secure Sockets Layer VPN (SSL VPN) and the MPLS VPN. [1]

4.2 Internet Protocol VPNs (IP VPNs)

IP-based VPNs enable enterprises to take advantage of the flexibility of both the internet and service provider IP networks to create any-to-any WAN communications. IP VPNs require publicly addressed IP routing across the shared network infrastructure. The major goal of an IP VPN is to provide IP connectivity over a shared IP infrastructure while still maintaining the security and service features of a dedicated private network.

A number of essential attributes of VPNs can extend the capabilities of a private network: [1]

1. Quality of Service (QoS): VPNs typically allow the prioritization of voice, data and video applications traveling across the network.

2. Security: Privacy for network traffic moving across public networks, both in the core and at the network edges, is provided by security technology such as IP Security (IPSec).

3. Scalability: Provisioning times are decreased and access speeds enhanced when there is access to a variety of broadband network connection types such as Point-to-Point Protocol (PPP), ATM, Frame Relay, DSL, etc.

4. Ease of management: Service providers today have more network management points and IP visibility through which to monitor and report on data traversing their networks.

5. High availability: Network availability is increased because the carrier network contains equipment and core link redundancy, broadband backbones, access links and twenty-four-hour management.

There are three basic classes of IP VPN: access VPNs, intranet VPNs and extranet VPNs. Examples of these classes of IP VPN are discussed in this chapter.

4.3 IPSec Protocols for Data Integrity

The IPSec standard applies to both IPv4 and IPv6 environments. It is an open standard that ensures interoperability between different manufacturers' devices and also represents a fundamental building block for many types of VPN architectures. The IPSec standard combines a set of protocols and technologies such as Authentication Header (AH), Encapsulating Security Payload (ESP), Internet Key Exchange (IKE), Data Encryption Standard (DES), Advanced Encryption Standard (AES) etc. into a complete system that provides confidentiality and authenticity of IP data. [1, 9]

IPSec achieves IP traffic security by adding IPSec headers to the original IP datagram. These new headers, Authentication Header (AH) and Encapsulating Security Payload (ESP), can be used either separately or combined, depending on the desired degree of security. It should also be noted that for IPSec to maintain data integrity as it crosses public networks, the AH uses hash methods such as Message Digest 5 (MD5) from RSA Data Security or the Secure Hash Algorithm 1 (SHA-1). These methods are applied to the original packet's IP header, which conceals things like the host IP address and other parameters from public view. The hash method is reversed at the destination end to restore the original IP header to full view so that the packet can be routed within the destination network. The extra processing of these security algorithms, which is necessary for every packet, is normally accelerated to increase IPSec performance.

4.4 Access Virtual Private Networks (VPNs)

An access VPN can be defined as a scheme that allows secure remote access to an internal corporate server. Access VPNs allow remote corporate users to have on-demand connectivity into their corporate intranets through ad hoc tunnels; they allow companies to take work to the worker, wherever the worker is. There are certain requirements that need to be fulfilled by such a scheme, and they include: [1]

a) User authentication and authorization: The scheme should be able to identify the user and to verify that this user is authorized to access the contacted internal server.

b) Data privacy: The scheme should be able to guarantee that the exchanged data is encrypted and authenticated, at least when it is sent over the public internet.

c) Private addressing: The access VPN scheme should be able to assign the remote user a private IP address taken from the same range as the intranet, since many corporations use private IP addresses in their intranets.

The main reason for the wide variety of access VPN solutions and their complexity is that up to five entities can be actively involved as tunnel endpoints: the end host (i.e. the user's PC), the broadband modem, the operator access gateway, the ISP access gateway and the corporate access gateway.

4.5 IPSec VPNs for Remote Access

The IPSec VPN is a technology that works at OSI layer 3 to create a tunnel into the network, so that as devices log on, they act as if they were physically attached to the Local Area Network. Once the standardization of the security architecture of the IP protocol was achieved, IPSec started allowing secure remote access over a publicly shared IP infrastructure such as the internet. It then became possible to dial or connect with local internet access numbers and build secure IPSec tunnels across the internet, connecting to the company's IPSec VPN head-end concentrator. The VPN concentrator was responsible for authenticating and logically bridging the remote user's workstation into the enterprise computing environment on a trusted basis, and this removed major concerns with moving enterprise data through publicly shared communications facilities, because all data was authenticated and optionally encrypted. [2]

The IPSec open standard benefits the remote access environment by helping to remove cost and bandwidth constraints through the use of lower cost, flat rate broadband internet access pricing. With stronger authentication and encryption options than any previously available remote access technology, IPSec remote access solutions scale well with internet and ISP broadband connectivity, providing faster performance, quicker deployment, and more secure communications for mobile workers, home office workers and small sites.

IPSec VPN can be implemented as software or firmware inside a network firewall hardware device, and it presently has four implementation options: a software IPSec VPN client on a remote workstation, an IPSec VPN client in a remote-access firewall, a hardware IPSec VPN client device at a remote site, and an IPSec VPN client feature in a remote site router. [24]

Figure 4.1 Remote access to IPSec VPNs

From the diagram, a user that has the remote VPN client software installed comes through the internet to the firewall or VPN gateway and then initiates a key exchange (IKE). Once the user has been properly authenticated, a VPN pipe/tunnel is created, and the VPN then runs in one of two modes, tunnel or transport. Tunnel mode is preferred because the entire packet is encrypted, whereas in transport mode only the transport layer segment of the packet is encrypted. [24]

IPSec VPN's strength comes from the fact that it encrypts packets of information, significantly increasing its ability to provide data confidentiality and integrity. It uses MD5 and SHA for encrypting data and authenticating packets. Although IPSec VPN has several drawbacks, IPSec still currently has the most secure VPN solution available.
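The two points made in sections 4.3 and 4.5 (AH integrity over the original IP header, and tunnel mode hiding the whole inner packet while transport mode does not) are illustrated by the following example, which is added here and is not code from the thesis. It builds simplified IPv4/AH/ESP byte layouts with the Python standard library; the integrity key, SPI and addresses are constructed values, and the ESP encryption step itself is left out so that only the header layout and the integrity check are demonstrated.

```python
import hashlib
import hmac
import socket
import struct

# Constructed values for this example: the shared AH integrity key and SPI would
# normally be negotiated by IKE. The protocol numbers are the IANA-assigned ones.
AH_KEY = b"constructed-example-integrity-key"
SPI = 0x1001
PROTO_TCP = 6
PROTO_ESP = 50
PROTO_AH = 51
ICV_LEN = 12  # HMAC-SHA1-96: HMAC-SHA1 truncated to 96 bits (RFC 2404)


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header without options (header checksum left zero here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable_fields(ip_hdr):
    """AH authenticates the IP header, but fields that routers legitimately change in
    transit (TOS, flags/fragment offset, TTL, header checksum) are zeroed before
    hashing, as RFC 4302 requires. Source and destination addresses stay covered."""
    hdr = bytearray(ip_hdr)
    hdr[1] = 0                 # TOS / DSCP
    hdr[6:8] = b"\x00\x00"     # flags + fragment offset
    hdr[8] = 0                 # TTL
    hdr[10:12] = b"\x00\x00"   # header checksum
    return bytes(hdr)


def ah_icv(ip_hdr, ah_fixed, payload):
    """Integrity Check Value over the whole packet with the ICV field itself zeroed."""
    data = zero_mutable_fields(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(AH_KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_transport_packet(src, dst, tcp_segment, seq):
    """Transport mode: AH is inserted between the original IP header and the
    transport segment, so the inner host addresses remain visible on the wire."""
    # Payload Len = AH length in 32-bit words minus 2 -> (12 + 12) / 4 - 2 = 4
    ah_fixed = struct.pack("!BBHII", PROTO_TCP, 4, 0, SPI, seq)
    ip_hdr = ipv4_header(src, dst, PROTO_AH, len(ah_fixed) + ICV_LEN + len(tcp_segment))
    return ip_hdr + ah_fixed + ah_icv(ip_hdr, ah_fixed, tcp_segment) + tcp_segment


def verify_ah_transport(packet):
    """Receiver side: recompute the ICV and compare in constant time. A TTL decrement
    on the path still verifies; any change to the payload or the addresses fails."""
    ip_hdr, ah_fixed = packet[:20], packet[20:32]
    icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(ip_hdr, ah_fixed, payload))


def esp_tunnel_packet(gw_src, gw_dst, inner_packet):
    """Tunnel mode: the entire original IP packet becomes the protected payload and a
    new outer header addressed gateway-to-gateway is prepended. The ESP encryption
    step is elided; the point shown is which header the public network can read."""
    esp_fixed = struct.pack("!II", SPI, 1)  # SPI, sequence number
    outer = ipv4_header(gw_src, gw_dst, PROTO_ESP, len(esp_fixed) + len(inner_packet))
    return outer + esp_fixed + inner_packet


def visible_addresses(packet):
    """Source and destination that a router on the path reads from the outermost header."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
```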

4.6 SSL VPNs for Remote Access

SSL VPN technology works at layer 4, the application layer, and allows users access to individual applications via a web browser, while administrators can grant access by application rather than providing access to the entire network. SSL-based VPNs are remote connections across the internet or another IP network that use the native SSL capability of popular browsers to provide clientless SSL-based secure communications. They allow remote users to access web pages and a growing set of web-enabled services, transfer email, and access files and TCP/IP applications, without the use of VPN client software on the remote workstation. SSL VPNs thus allow clientless access anywhere from any internet-connected PC with an SSL-capable browser, which makes them somewhat different from what the IPSec VPN offers. [1]

SSL VPNs usually require the use of a web browser as the access portal to applications, and applications used by SSL users need to present traffic through a web interface and not through an application's native graphical user interface (GUI), as is the case with many client/server applications. This can require some changes to an application's workflow, but adding web-based capability increases the application's accessibility for remote users. SSL and IPSec VPNs are complementary technologies that might be deployed together, and as such most vendors support both SSL and IPSec VPNs within the same product offerings.

SSL VPN technology is fast growing, and it has the prime advantage of creating secure access from any supported web browser, across any internet or ISP connection, and it does this without VPN client software management at the remote user workstation level. Although SSL VPNs, when compared with IPSec VPNs, have more limited application availability, the technology can still be appropriate for many organizations' remote access requirements and security policy. Such organizations use SSL VPN technology to support a specific set or sets of users, while also using IPSec for full network access or robust support for multimedia applications. The emergence of SSL VPNs has added another level of price, performance and security granularity for companies to consider for remote-access IP VPN support, and thus makes SSL VPN the best choice for anywhere access for users, as against the IPSec VPN, which is the best choice when it comes to access to any application. [1]

SSL VPNs use accepted standards of encryption and key exchange such as 3DES, MD5 and SHA. As will be seen from the figure below, SSL VPNs provide access to web based applications and not to the internal network. It is also shown that the web servers usually sit in the DMZ zone of the firewall, thus protecting the internal networks. [24]

Figure 4.2 Remote access to SSL VPNs

In order to be able to access an SSL VPN application, a level of control over the users is required so as to identify who they are and where they are coming from, since they have stepped over the line of network control that tethers the user to its policy. Administrators can generally use the SSL VPN application to achieve the following:

a) Identify who is accessing what application

b) Control what application information is presented to the user at the remote location

c) Determine how the user is able to interact with the application (i.e. which parts of the application they can access)

d) Secure the connection from the client machine back to the application

e) Avoid having users leave traces of the application and its access on the client machine

The SSL browser uses port TCP/443 (HTTP secure mode) when it is connected to a VPN concentrator. The port is normally already opened on the firewall to the DMZ, and this means that SSL has the benefit of not requiring any configuration changes to firewalls. SSL is built into all of the leading browsers, and the SSL VPN is operating system and browser independent, which means that users can access the VPN regardless of the operating system and browser being used, e.g. UNIX, Linux, Microsoft Internet Explorer or Mozilla. [1, 24]

4.7 MPLS VPNs for Remote Access

MPLS VPN is a technology that allows service providers to have complete control over parameters that are critical to offering their customers service guarantees with regard to bandwidth throughput, latency and availability. The technology enables secure VPNs to be built and allows scalability that makes it possible for service providers to offer assured growth to their customers without having to make significant investments. Service providers are thereby geared to provide bandwidth on demand, video conferencing, Voice over IP (VoIP), multimedia services and a host of other value added services that could revolutionize the way a corporate business works.

MPLS based VPNs reduce customer networking complexity and costs and totally do away with the requirement of an in-house technical workforce. Rather than setting up and managing individual point-to-point circuits between each office using a pair of leased lines, MPLS VPN customers need to provide only one connection from their office router to a service provider edge router. MPLS VPNs allow service providers to deploy scalable VPNs and build the foundation to deliver value added services. Such services include: [1, 2, 6, 17]

1) Connectionless service: MPLS VPNs have the advantage of being connectionless, and since TCP/IP is built on a packet-based, connectionless network paradigm, no prior action is needed to establish communication between hosts, thereby making communications easy for both parties. Other current VPN solutions impose a connection-oriented, point-to-point overlay on the network.

2) Centralized service: A VPN should give service providers more than a mechanism for privately connecting users to intranet services; it should also provide a flexible way of delivering value-added services to targeted customers. Building VPNs in layer 3 allows such delivery of targeted services to a group of users represented by a VPN.

3) Scalability: MPLS-based VPNs use the peer model and a layer 3 connectionless architecture to provide a highly scalable VPN solution. The peer model requires a customer site to peer with only one provider edge (PE) router, as opposed to all other customer edge (CE) routers that are members of the VPN. The connectionless architecture allows the creation of VPNs in layer 3, thus eliminating the need for tunnels or virtual circuits (VCs).

4) Security: MPLS VPNs offer the same level of security as connection-oriented VPNs, and as such packets from one VPN do not inadvertently go to another VPN. Security can be provided at the edge of a provider network, ensuring that packets received from a customer are placed on the correct VPN, and can also be provided in the backbone, where VPN traffic is kept separate. This makes malicious spoofing (i.e. an attempt to gain access to a PE router) almost impossible, because the packets received from customers are IP packets, and these IP packets must be received on a particular interface or sub-interface to be uniquely identified by a VPN label.

MPLS VPNs are unique because they can be built over multiple network architectures, including IP, ATM and Frame Relay networks, and since they are connectionless, no specific point-to-point connection maps or topologies are required. They also create a robust platform for converged services that allow cost-effective, any-to-any connectivity. In MPLS-based VPNs, each VPN is assigned an identifier, called a Route Distinguisher (RD), which is unique within the network. MPLS-enabled IP VPN networks provide the foundation for delivering next generation value-added IP services, such as multimedia and multicast application support, VoIP and intranet content hosting, which all require specific service quality and privacy. Since QoS and privacy are built in, they no longer require separate engineering for each service. From a single access point, it is now possible to deploy multiple VPNs, each of which designates a different set of services. This flexible way of grouping users and services makes it possible to deliver new services more quickly and at a much lower cost. In an MPLS-enabled VPN, Border Gateway Protocol distributes information about a VPN only to members of the same VPN, providing native security through traffic separation, and additional security is assured because all traffic is forwarded using LSPs, which define a specific path through the network that cannot be altered. This label-based paradigm is the same property that assures privacy in Frame Relay and ATM connections. It should also be noted that a specific VPN can be associated with each interface when the VPN is provisioned. [8]
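The separation mechanism described in this section (a per-VPN Route Distinguisher that keeps overlapping customer prefixes distinct, and the binding of each customer-facing interface to one VPN so that packets are only ever looked up in that VPN's table) is modelled in the following example, which is added here and is not code from the thesis. It uses the Type 0 Route Distinguisher format of RFC 4364; the VRF names, interface names, AS number, prefixes and labels are constructed values.

```python
import ipaddress
import struct


def route_distinguisher(asn, assigned):
    """Type 0 Route Distinguisher (RFC 4364): 2-byte type, 2-byte AS number,
    4-byte assigned number, giving the 8-byte value that is prepended to a prefix."""
    return struct.pack("!HHI", 0, asn, assigned)


def vpn_ipv4_address(rd, prefix):
    """VPN-IPv4 address = RD + IPv4 address. Identical customer prefixes in different
    VPNs therefore become different routes to BGP and never merge."""
    return rd + ipaddress.ip_network(prefix).network_address.packed


class ProviderEdge:
    """Simplified PE router. Each customer-facing interface is bound to one VRF, and a
    packet is looked up only in the VRF of the interface it arrived on, so one customer
    cannot reach another customer's prefixes even when their addresses overlap."""

    def __init__(self):
        self.vrfs = {}        # VRF name -> {"rd": bytes, "routes": {network: vpn_label}}
        self.interfaces = {}  # interface name -> VRF name

    def add_vrf(self, name, asn, assigned):
        self.vrfs[name] = {"rd": route_distinguisher(asn, assigned), "routes": {}}

    def bind_interface(self, interface, vrf):
        self.interfaces[interface] = vrf

    def learn_route(self, vrf, prefix, vpn_label):
        """Install a customer prefix with its VPN label and return the VPN-IPv4
        address that would be advertised for it in BGP."""
        net = ipaddress.ip_network(prefix)
        self.vrfs[vrf]["routes"][net] = vpn_label
        return vpn_ipv4_address(self.vrfs[vrf]["rd"], prefix)

    def forward(self, ingress_interface, dst_ip):
        """Return (vrf, vpn_label) for a packet, or None if it must be dropped because
        the ingress interface is unbound or its own VRF has no route."""
        vrf = self.interfaces.get(ingress_interface)
        if vrf is None:
            return None
        dst = ipaddress.ip_address(dst_ip)
        routes = self.vrfs[vrf]["routes"]
        candidates = [net for net in routes if dst in net]
        if not candidates:
            return None
        best = max(candidates, key=lambda net: net.prefixlen)  # longest prefix match
        return vrf, routes[best]


def build_example_pe():
    """Constructed topology: two customers that both use 10.1.0.0/16 internally."""
    pe = ProviderEdge()
    pe.add_vrf("cust_a", 65000, 1)
    pe.add_vrf("cust_b", 65000, 2)
    pe.bind_interface("ge-0/0/1", "cust_a")
    pe.bind_interface("ge-0/0/2", "cust_b")
    pe.learn_route("cust_a", "10.1.0.0/16", 100)
    pe.learn_route("cust_b", "10.1.0.0/16", 200)
    pe.learn_route("cust_b", "172.16.0.0/16", 201)
    return pe
```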

Figure 4.3 Remote access to MPLS VPNs

An MPLS VPN virtual home gateway (VHG) is essentially a router functioning as an MPLS provider edge (PE) router, with this VHG/PE positioned at the demarcation between the termination of remote-access sessions and the beginning of the MPLS VPN core network. Based on a VPN-aware, DHCP server-assigned IP address, or on dynamically assigned IP address space from a RADIUS-based AAA server, the VHG/PE is capable of assigning the proper layer 3 IP addresses and placing the remote-access user sessions into the proper MPLS VPNs. This functionality is based on true IP routing protocols and IP routing, in contrast to the point-to-point tunnel concept used for IPSec and SSL. [1]

The features of the MPLS VHG/PE allow remote-access design flexibility for both providers and customers of MPLS VPNs. For providers, they allow the flexibility of in-sourcing functions such as DHCP, RADIUS authentication and IP address assignment on a per-customer or per-VPN basis, yet allow some customers to retain this functionality within their own computing support boundaries through the use of MPLS DHCP relay and RADIUS proxy features. For customers, these advanced features allow the flexibility of maintaining control over these security functions or outsourcing them to the MPLS VPN service provider. Because remote access users are connecting to the VHG/PE from non-business locations, it is prudent to authenticate and authorize approved users via AAA solutions. The cooperative design of the MPLS VHG/PE, DHCP and RADIUS-based AAA servers facilitates a robust, flexible and secure remote-access session to MPLS VPN customer domains. With the user authenticated and placed into the proper MPLS VPN, enterprise application resources are available to the remote user, whether they use dial-up, cable, DSL or wireless forms of access. [1]

One of the distinctions of remote access to MPLS VPNs is that the remote user connection seldom transits the public internet but rather stays within the MPLS provider's private access network until it reaches the MPLS VPN service edge offered by the provider. These remote-access users can then establish VPN access to MPLS core networks from wherever they are. For companies that choose to outsource their private WAN networks to provider-managed MPLS VPNs, remote access to MPLS VPNs accommodates the company's teleworker population, but in cases where an internet connection is used for remote access, IPSec or SSL VPN technology can be used to secure this public portion of the access link. [1, 2]

Chapter 5

Wireless Application Protocol

5.1 Introduction

Wireless Application Protocol (WAP) is an application environment and set of communication protocols for wireless devices designed to enable manufacturer, vendor and technology independent access to the internet and advanced telephony services. WAP is a global standard that adds support for standard internet communication protocols, and also for protocols such as IP, TCP and HTTP. It does this by adding these internet protocols and standards and then providing interoperable optimizations suitable to the wireless telecommunications environment. The WAP specifications provide an environment that permits wireless devices to utilize existing internet technologies; they also define a set of protocols in the application, session, transaction, security and transport layers, which enable operators, manufacturers and application providers to meet the challenges in advanced wireless service differentiation and fast/flexible service creation. Wireless Application Protocol enables easy and fast delivery of relevant information and services to mobile users with wireless terminals that have limited displays and data transfer capabilities. It is a specification for a set of communication protocols to standardize the way in which cellular devices use Internet access. [16, 20]

Some of the initial goals for the establishment of WAP include bringing internet based content and services to handheld wireless devices, working across global technologies, allowing the creation of content that works across many types of link layers and device types, and using existing standards wherever possible. It has been shown that with minimal risk and investment, WAP enables operators to decrease churn, cut costs and increase revenues by improving existing value added services and offering exciting newer services. It should also be noted that as bandwidths increase, the cost of that bandwidth does not fall to zero; these costs result from higher power usage in the terminals, higher costs in the radio sections, greater use of RF spectrum, and increased network loading. In addition, the original constraints WAP was designed for (intermittent coverage, small screens, low power consumption, wide scalability over bearers and devices, and one-handed operation) are still valid in 3G networks. The bandwidth required by application users is expected to increase steadily, and therefore there is still a need to optimize the device and network resources for wireless environments, so as to optimize support for multimedia applications that continue to be relevant.

A question of interest is why WAP was chosen when there are other technologies that could offer the same functionalities as WAP. It should be known that in the past, wireless internet access has been limited by the capabilities of handheld devices and wireless networks. WAP utilizes standards such as XML, user datagram protocol (UDP) and Internet protocol (IP), and many of its protocols are based on Internet standards such as hypertext transfer protocol (HTTP) and TLS, but have been optimized for the unique constraints of the wireless environment: low bandwidth, high latency, and less connection stability. The technology utilizes binary transmission for greater compression of data and is optimized for long latency and low bandwidth. WAP sessions cope with intermittent coverage and can operate over a wide variety of wireless transports. [16]

As has been mentioned above, WAP promises to decrease churn, cut costs and increase the subscriber base, both by improving existing services, such as interfaces to voice-mail and prepaid systems, and by facilitating an unlimited range of new value-added services and applications such as account management and billing inquiries. New applications can be introduced quickly and easily without the need for additional infrastructure or modifications to the phone. This will also allow operators to differentiate themselves from their competitors with new, customized information services. WAP is an interoperable framework, enabling the provision of end-to-end turnkey solutions that will create a lasting competitive advantage, build consumer loyalty and increase revenues.

WAP applications can be installed on ordinary web servers together with other web applications. Getting a WAP application online entails building content and supporting back-end systems as well as providing accessibility to the application. The latest version of WAP, called WAP 2.0, is a next generation set of specifications that optimizes usage of the higher bandwidths and packet-based connections of wireless networks worldwide. While utilizing and supporting enhancements in the capabilities of the latest wireless devices and internet content technologies, WAP 2.0 also provides managed backwards compatibility to existing WAP content, applications and services that comply with previous WAP versions.

There are some major architectural components of WAP 2.0, and these include: [16, 18]

1. Protocol Stack Support: In addition to the WAP Stack introduced in WAP 1, WAP 2.0 adds support and services on a stack based on the common Internet stack, including support for TCP, TLS and HTTP. By encompassing both stacks, WAP 2.0 provides a connectivity model on a broader range of networks and wireless bearers.

2. WAP Application Environment: Nominally viewed as the 'WAP Browser', the WAP 2.0 Application Environment has evolved to embrace developing standards for Internet browser markup language. This has led to the definition of the XHTML Mobile Profile (XHTMLMP). XHTMLMP is based on the modularity framework of the eXtensible HyperText Markup Language (XHTML) developed by the World Wide Web Consortium (W3C) to replace and enhance the HTML language in common use today. The use of Internet technologies is not new for WML, as WML 1 is a fully conformant XML language in its own right.

3. Additional Services and Capabilities: The WAP specifications have had items that were neither part of the 'WAP Stack' nor the 'WAP Browser' but helped to enrich the environment defined in the WAP specifications. With WAP 2.0, there is a considerable increase in the number of features available to developers, operators and users.

5.2 WAP Architecture Overview

WAP specifies two essential elements of wireless communication: an end-to-end application protocol and an application environment based on a browser. The application protocol is a layered communication protocol that is embedded in each WAP user agent. The network side includes a server component implementing the other end of the protocol that is capable of communicating with any WAP user agent. The role of the server component is also to act as a gateway that routes the request of a user agent to an application server. Physically, the gateway can be located in a telecom or computer network, in order to build a bridge between the two different networks. A user's access to internet based services requires that the information to be delivered is transmitted between a WAP client and a WAP server. The wireless application protocol typica