IP SEC

Short for IP Security, a set of protocols developed by the IETF to support secure exchange of packets at the IP layer. IPsec has been deployed widely to implement Virtual Private Networks (VPNs).

Introduction

Internet Protocol Security (IPSec) provides application-transparent encryption services for IP network traffic as well as other network access protections for the Windows 2000 operating system. This guide focuses on the fastest way to use IPSec transport mode to secure application traffic between a client and a server. It demonstrates how to enable security using IPSec default policies between two Windows 2000-based systems that belong to a Windows 2000 domain. Once the two computers have joined the domain, you should complete the first part of the walkthrough, which demonstrates default policies in 30 minutes or less. Notes are included on how to enable non-IPSec clients to communicate with the server. Steps are provided on how to use certificates, and how to build your own custom policy for further interoperability testing, or to demonstrate IPSec when a Windows 2000 domain is not available.

Using Internet Protocol Security (IPSec), you can provide data privacy, integrity, authenticity, and anti-replay protection for network traffic in the following scenarios:

End-to-end security from client-to-server, server-to-server, and client-to-client using IPSec transport mode.
Secure remote access from client-to-gateway over the Internet using Layer Two Tunneling Protocol (L2TP) secured by IPSec.
Secure gateway-to-gateway connections across outsourced private wide area network (WAN) or Internet-based connections using L2TP/IPSec tunnels or pure IPSec tunnel mode. IPSec tunnel mode on its own (without L2TP) is not designed to be used for virtual private network (VPN) remote access.

The Windows 2000 Server operating system simplifies deployment and management of network security with Windows 2000 IP Security, a robust implementation of IP Security (IPSec).
Designed by the Internet Engineering Task Force (IETF) as the security architecture for the Internet Protocol (IP), IPSec defines IP packet formats and related infrastructure to provide end-to-end strong authentication, integrity, anti-replay, and (optionally) confidentiality for network traffic. An on-demand security negotiation and automatic key management service is also provided using the IETF-defined Internet Key Exchange (IKE), RFC 2409. IPSec and related services in Windows 2000 have been jointly developed by Microsoft and Cisco Systems, Inc. Windows 2000 IP Security builds upon the IETF IPSec architecture by integrating with Windows 2000 domains and the Active Directory® services. Active Directory delivers policy-based, directory-enabled networking using Group Policy to provide IPSec policy assignment and distribution to Windows 2000 domain members. The implementation of IKE provides three IETF standards-based authentication methods to establish trust between computers:

Kerberos v5.0 authentication, provided by the Windows 2000-based domain infrastructure, used to deploy secure communications between computers in a domain or across trusted domains.
Public/private key signatures using certificates, compatible with several certificate systems, including Microsoft, Entrust, VeriSign, and Netscape.
Passwords, termed pre-shared authentication keys, used strictly for establishing trust, not for application data packet protection. Pre-shared keys are the weakest of the three: they must be distributed out of band and are usually shared by many machines, so prefer Kerberos or certificates outside of test setups.

Once peer computers have authenticated each other, they generate bulk encryption keys for the purpose of encrypting application data packets.

IPsec supports two modes: transport and tunnel. Transport mode protects only the data portion (payload) of each packet and leaves the original IP header in place. Tunnel mode protects the entire original packet, header and payload, and prepends a new outer IP header addressed to the tunnel endpoint; this hides the original source and destination addresses, which is why it is used between gateways. On the receiving side, an IPSec-compliant device verifies and decrypts each packet. For IPsec to work, the sending and receiving devices must agree on algorithms and share keys, a pairing known as a security association. This is accomplished through the Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley, the basis of IKE), which lets each side authenticate its peer (for example with digital certificates) and derive the session keys.
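The integrity, authenticity and anti-replay services listed above come from checks the receiver makes on every ESP packet. The following Python sketch is an added example (not code from the page or from the Windows 2000 or any other IPsec implementation) of those receiver-side checks: an HMAC-based integrity check value (ICV) over the ESP header and payload, verified first, and then the sliding anti-replay window of RFC 4303. The SPI, key, window width and packets are constructed for the example, and payload encryption is omitted so that the two checks stay visible.

```python
"""Receiver-side ESP processing: integrity check value (ICV), then anti-replay.

Added example; not code from the page or from the Windows 2000 IPsec stack.
Packet layout is a simplified ESP (RFC 4303): SPI (4 bytes) | sequence number
(4 bytes) | payload | ICV. Payload encryption is left out so the integrity and
anti-replay logic stays visible; a real ESP packet carries ciphertext there.
The key, SPI and packets below are constructed for this example.
"""
import hashlib
import hmac
import struct

ICV_LEN = 16  # HMAC-SHA-256-128 (RFC 4868): the 32-byte tag truncated to 128 bits


def build_esp(spi: int, seq: int, payload: bytes, auth_key: bytes) -> bytes:
    """Sender side: header + payload, with the ICV computed over both."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


class AntiReplayWindow:
    """Sliding window over accepted sequence numbers (RFC 4303, section 3.4.3).

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    is set when sequence number top - i has already been accepted.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.mask = (1 << size) - 1
        self.top = 0
        self.bitmap = 0

    def check(self, seq: int) -> str:
        """Record seq and return 'accept', or 'invalid', 'stale' or 'replay'."""
        if seq == 0:
            return "invalid"  # ESP sequence numbers start at 1
        if seq > self.top:
            shift = seq - self.top
            # Slide the window forward; a jump past its width empties it.
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & self.mask
            self.top = seq
            return "accept"
        diff = self.top - seq
        if diff >= self.size:
            return "stale"  # left edge of the window has already passed it
        if self.bitmap & (1 << diff):
            return "replay"  # already accepted once
        self.bitmap |= 1 << diff
        return "accept"


class EspReceiver:
    """One inbound security association: SPI, authentication key, window."""

    def __init__(self, spi: int, auth_key: bytes, window_size: int = 64):
        self.spi = spi
        self.auth_key = auth_key
        self.window = AntiReplayWindow(window_size)

    def receive(self, packet: bytes) -> str:
        """Return 'accept' or 'reject: <reason>'.

        The ICV is verified before the window is touched, so a forged packet
        cannot move the window and cause genuine packets to be dropped.
        """
        if len(packet) < 8 + ICV_LEN:
            return "reject: truncated"
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return "reject: unknown SPI"
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return "reject: bad ICV"
        verdict = self.window.check(seq)
        return verdict if verdict == "accept" else "reject: " + verdict


def simulate() -> list:
    """Constructed traffic: genuine packets, a replay, a tampered packet, reordering, a stale one."""
    key = b"constructed-key-for-the-example"  # in practice derived by IKE
    spi = 0x1234
    rx = EspReceiver(spi, key, window_size=8)
    p1 = build_esp(spi, 1, b"GET /index.html", key)
    p2 = build_esp(spi, 2, b"GET /logo.png", key)
    p3 = build_esp(spi, 3, b"GET /style.css", key)
    p5 = build_esp(spi, 5, b"POST /login", key)
    tampered = p5[:8] + b"POST /admin" + p5[-ICV_LEN:]  # same length, ICV no longer matches
    p20 = build_esp(spi, 20, b"keepalive", key)
    p12 = build_esp(spi, 12, b"late", key)
    p13 = build_esp(spi, 13, b"late", key)
    #           ok  ok  ok  replay tampered reorder replay jump stale ok
    arrivals = [p1, p2, p5, p5, tampered, p3, p1, p20, p12, p13]
    return [rx.receive(p) for p in arrivals]


if __name__ == "__main__":
    for verdict in simulate():
        print(verdict)
```

Run directly, it prints the verdict for each arrival. Two design points matter in practice: the ICV must be checked before the window is updated, otherwise an attacker who cannot forge packets can still push the window forward with garbage and make legitimate, slightly delayed packets fail as stale; and the window width (64 by the RFC's recommendation, 8 here to keep the numbers small) bounds how much reordering the path may introduce before valid packets are dropped.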
IP FILTERING

IP Filtering Options & Objectives

Research Plan

Topic
The purpose of this white paper is to provide a general overview of IP filtering. The discussion focuses on the use of IP filters to block access to inappropriate sites.

Scope
The audience is presumed to have a general understanding of filtering software such as Cyber Patrol and Net Nanny and to be familiar with the term Internet blocking. This paper offers different options for implementing Internet blocking or IP filtering. The scope of this paper is driven by the need for educational institutions to protect minors from inappropriate material on the Internet. Filtering is used to provide content filtering, network security, and improved network performance. A variety of solutions will be discussed.
Research Objectives
Discuss filtering needs.
Discuss scalable options.
Provide a list of software vendors.

Probable Outcome
Adoption of local solutions that may be scaled on a statewide basis.
Addition to MOREnet's Product Support Matrix.
Training and seminar presentations for the adopted solution.
Informational documentation to assist customers with solving content filtering objectives.

Introduction
Although Internet access is an important mainstay in the education of our youth, much unregulated content can be found on the World Wide Web. Parents want to be assured that their children are safe from "bad influences." Because the Web is worldwide, it is impossible to create a global agreement on what material is inappropriate and how that material should be regulated. The problem we face is how to protect minors from inappropriate material on the Internet. What filtering solutions are available? How do we choose one that will work?

Filtering allows you to control what sites your children can and cannot visit. There are a variety of ways to filter access to the Internet, but none of these methods claims to block 100% of the inappropriate sites. Third-party services do, however, claim to cover the vast majority. For this reason it is necessary to develop a local Acceptable Use Policy (AUP) to complement your filtering solution. Your AUP and filtering are effective tools to protect your children. Several good AUP links are provided at the end of this paper for further reference. The following pages describe a variety of filtering options, their uses and limitations.

Filtering Needs
Filtering is a tool that helps control access to the Internet. With the Internet bringing the world to you, it is easy to stumble across sites with questionable content. Parents expect the public library and school system to protect their children from such controversial material. They expect these institutions to protect their children on the assumption of minimum standards for what types of material a child might encounter. Some organizations do not have the space or staff to monitor the student every minute. Therefore it is necessary to implement an AUP in schools and libraries where minors have Internet access without the direct supervision of a parent or faculty/staff member.

Filtering mainly concerns network administrators of large numbers of networked PCs, such as labs, libraries, and corporate offices. They need a tool that will protect their network data from outsiders and control which sites are accessible to persons using their system. Filtering, combined with a firewall, protects data and controls Internet access, limiting users to the information they need and controlling which sites can and cannot be reached. Filtering network access to certain sites is accomplished using a variety of methods:

IP Filter Lists. IP filter lists in a router can block IP packets bound for a denied site and keep them from passing through the router.
IP Forwarding. IP forwarding with NAT (Network Address Translation) between your router and your network prevents outsiders from reaching hosts on your network directly. It is a way to increase security on your network, but it does not by itself secure your network.
Web Proxy Server. A Web proxy server can be used to block access to certain sites, allowing access only to chosen sites. It also caches the web pages you download, so the next time you visit that site you get the page from your Web cache and not from the Internet.
Firewall. A firewall contains a variety of tools to secure your network from the outside Internet: NAT, IP filtering, encryption, and authentication, to name a few.
Content Filtering Services. Content filtering or third-party filtering services are for sale as server-based, stand-alone, or packaged online services. They are continually updated but do not promise to block 100%.

Filtering Options

Router Filters and Access Lists
Filtering IP addresses can be managed using a Cisco router. You can create a filter list that will deny access to a site and then apply that list to one of the router's interfaces. This is fine for static lists and for blocking IP packets from reaching certain ports on your network, e.g. to block access from certain machines to port 21 (the FTP control connection). If you want to maintain a list on a daily or weekly basis, this is not a good solution. Use this for static access lists that are not likely to change much, or to block unwanted services, like FTP, from reaching your network.

Firewall
This is an excellent solution for adding security to your network and preventing outsiders from accessing your internal devices. Firewalls come in a variety of packages, from server-based software applications to a stand-alone appliance with a turnkey installation. Early firewalls supported IP filtering and NAT. Currently most firewall providers offer tiered pricing for additional features like encryption, user authentication, web proxy and dynamic packet filtering, to name a few.

Web Proxy Cache
A Web proxy cache allows your users to pool their Web browser cache on one server. With this tool, when a second user downloads the same file you just spent 20 minutes
downloading, the file is retrieved from the Web-caching server and not from the Internet. This method, integrated with third-party software that provides ongoing updates, is a complete and scalable solution. It allows a single point of management and provides a selection of filter categories to meet your needs.

IP Forwarding (NAT)
IP forwarding for Unix, or NAT (Network Address Translation) from other vendors, allows one server to present a single IP address for all the devices on your network. The device provides a gateway service for all devices on the network at the IP layer and hides your network from the outside world. Some NAT devices may include other services like static filtering or Web proxy caching.

Third-party Filtering Software
This software solution involves a third-party developer who maintains and updates a site-content database and continually provides the updated information to its customers for use in denying sites based on the content found on the site. Filtering software supports a wide range of platforms. You can run this filtering software on a stand-alone workstation or as a server-based solution. A server-based solution gives you a central point of control and offers the best solution for reducing expenses for support staff. Since third-party software provides ongoing updates, expect a yearly subscription fee.

Caveats
Contrary to the misconceptions of some critics, few (if any) of these products filter based on keywords alone. For example, blocking based on the term "sex" blocks out any sites that mention Middlesex, England as well as erotic websites. Several companies now provide keyword searching by parsing documents on the fly, based on options selected by the customer. One approach lets users filter a site based on a list of forbidden words, then categorize the site based on criteria they have developed for acceptable use. This is not 100% reliable but has improved greatly since the early drafts of this paper.

Another approach permits users to create their own Web search engine by restricting access to a strict list of acceptable sites. This guarantees quality searches but limits user searches to a finite set of sites. The administrator does have the ability to override the rule set to allow more exhaustive unprotected searches.

Scalable Options
There are two popular content-filtering options. The most popular is the integration of a third-party filtering list and a Web proxy caching service. A second option is a turnkey, stand-alone box that sits on the local area network (LAN) and listens to the IP traffic. If the destination of the IP packet is in a list of denied sites, the filter box will deny access to the site and notify the client that the request has been denied.

Hierarchical Web Caching
Some Web caching devices support the cascading of several caching servers in a hierarchical fashion. This allows a site to group its Web caching to make better use of its Internet bandwidth.

Summary
The tools we have discussed here are all very powerful. Managing a static IP access list may be an inexpensive approach, but it does not provide up-to-date lists for your network. It is also time consuming and prone to human error. Filtering solutions that integrate with third-party filtering software work the best and scale well on a large network. They do not promise 100% protection, but they have made significant progress on filtering constantly changing Internet websites. The AUP is a tool that should be included in any filtering strategy. It communicates a reasonable expectation to the user and sets boundaries for use of the Web. It should not be the only tool used, since enforcement requires constant supervision that may not be practical in all situations. Managing your filtering solution from a single point should be considered. This solution should be server-based for larger networks and may be workstation-based for smaller businesses and libraries. Integrating IP filtering with third-party filtering software provides the ability to filter Web access to certain sites with a variety of options. Your AUP will complement these filtering tools to provide a scalable solution for your system.
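Added example (not part of the MOREnet paper) of how a router access list of the kind described under "Router Filters and Access Lists" actually decides a packet: rules are tried in order, the first match wins, and anything that matches nothing is denied. It also checks a list for rules that can never fire because an earlier, broader rule already covers them, which is the usual way a "block FTP" entry quietly stops working. The rules, hosts and packets are constructed for the example; 192.0.2.0/24 and 203.0.113.0/24 are the documentation address ranges.

```python
"""First-match IP filter list, evaluated the way a router access list is.

Added example (not from the paper). Rules are tried top to bottom; the first
rule that matches decides, and a packet matching no rule is denied (the
implicit deny at the end of every access list). All rule and packet data
below is constructed; 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", or "ip" (any protocol)
    src: str                     # CIDR, or "any"
    dst: str                     # CIDR, or "any"
    dport: Optional[int] = None  # destination port; None matches any port

    def net(self, field: str) -> ipaddress.IPv4Network:
        text = getattr(self, field)
        return ipaddress.ip_network("0.0.0.0/0" if text == "any" else text)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.net("src"):
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.net("dst"):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the deciding rule); index None is the implicit deny."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet that matches `inner` also matches `outer`."""
    proto_ok = outer.proto == "ip" or outer.proto == inner.proto
    src_ok = inner.net("src").subnet_of(outer.net("src"))
    dst_ok = inner.net("dst").subnet_of(outer.net("dst"))
    port_ok = outer.dport is None or outer.dport == inner.dport
    return proto_ok and src_ok and dst_ok and port_ok


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [j for j in range(len(acl)) if any(covers(acl[i], acl[j]) for i in range(j))]


# The paper's case: block FTP (control port 21) into the network, permit everything else.
GOOD_ACL = [
    Rule("deny", "tcp", "any", "192.0.2.0/24", 21),
    Rule("permit", "ip", "any", "any"),
]
# Same intent, wrong order: the permit-any comes first, so the deny never fires.
BAD_ACL = [
    Rule("permit", "ip", "any", "any"),
    Rule("deny", "tcp", "any", "192.0.2.0/24", 21),
]
# An outbound list that blocks one denied site (constructed address) for the whole LAN.
BLOCKED_SITE_ACL = [
    Rule("deny", "ip", "192.0.2.0/24", "203.0.113.99/32"),
    Rule("permit", "ip", "any", "any"),
]

FTP_IN = Packet("tcp", "203.0.113.7", "192.0.2.10", 21)
WEB_IN = Packet("tcp", "203.0.113.7", "192.0.2.10", 80)
TO_BLOCKED_SITE = Packet("tcp", "192.0.2.10", "203.0.113.99", 80)

if __name__ == "__main__":
    for name, acl in (("good", GOOD_ACL), ("bad", BAD_ACL)):
        print(name, "ftp ->", evaluate(acl, FTP_IN), "shadowed:", shadowed_rules(acl))
    print("outbound to denied site ->", evaluate(BLOCKED_SITE_ACL, TO_BLOCKED_SITE))
```

In Cisco IOS the working list corresponds to `access-list 101 deny tcp any 192.0.2.0 0.0.0.255 eq 21` followed by `access-list 101 permit ip any any`, applied inbound on the outside interface with `ip access-group 101 in`; note the wildcard mask (0.0.0.255) rather than a CIDR prefix. A shadowed rule is not an error the router reports, which is why a check like `shadowed_rules` is worth running before an edited list is loaded.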
What Is Network Management?
The process and techniques of remotely or locally monitoring and configuring networks. Under the OSI model, network management takes account of five key areas: configuration management, fault management, performance management, accounting management, and security management. It is a major challenge, and often a headache, to users because there are no complete answers today, only a patchwork of systems covering different parts of the subject. Vendors concentrate either on the physical (hardware) elements or on the logical (control and management of interprocess communications) side. The ITU-TS is slowly considering standards for public networks.

Historical Background
The early 1980s saw tremendous expansion in the area of network deployment. As companies realized the cost benefits and productivity gains created by network technology, they began to add networks and expand existing networks almost as rapidly as new network technologies and products were introduced. By the mid-1980s, certain
companies were experiencing growing pains from deploying many different (and sometimes incompatible) network technologies. The problems associated with network expansion affect both day-to-day network operation management and strategic network growth planning. Each new network technology requires its own set of experts. In the early 1980s, the staffing requirements alone for managing large, heterogeneous networks created a crisis for many organizations. An urgent need arose for automated network management (including what is typically called network capacity planning) integrated across diverse environments.

ISO Network Management Model
The ISO has contributed a great deal to network standardization. Its network management model is the primary means for understanding the major functions of network management systems. This model consists of five conceptual areas, as discussed in the next sections.

Performance Management
The goal of performance management is to measure and make available various aspects of network performance so that internetwork performance can be maintained at an acceptable level. Examples of performance variables that might be provided include network throughput, user response times, and line utilization.

Performance management involves three main steps. First, performance data is gathered on variables of interest to network administrators. Second, the data is analyzed to determine normal (baseline) levels. Finally, appropriate performance thresholds are determined for each important variable so that exceeding these thresholds indicates a network problem worthy of attention. Management entities continually monitor performance variables. When a performance threshold is exceeded, an alert is generated and sent to the network management system. Each of the steps just described is part of the process to set up a reactive system: when performance becomes unacceptable because a user-defined threshold has been exceeded, the system reacts by sending a message.

Performance management also permits proactive methods. For example, network simulation can be used to project how network growth will affect performance metrics. Such simulation can alert administrators to impending problems so that counteractive measures can be taken.

Configuration Management
The goal of configuration management is to monitor network and system configuration information so that the effects on network operation of various versions of hardware and software elements can be tracked and managed. Each network device has a variety of version information associated with it. An engineering workstation, for example, may be configured as follows:
Operating system, Version 3.2
Ethernet interface, Version 5.4
TCP/IP software, Version 2.0
NetWare software, Version 4.1
NFS software, Version 5.1
Serial communications controller, Version 1.1
X.25 software, Version 1.0
SNMP software, Version 3.1

Configuration management subsystems store this information in a database for easy access. When a problem occurs, this database can be searched for clues that may help solve the problem.

Accounting Management
The goal of accounting management is to measure network utilization parameters so that individual or group use of the network can be regulated appropriately. Such regulation minimizes network problems (because network resources can be apportioned based on resource capacities) and maximizes the fairness of network access across all users. As with performance management, the first step toward appropriate accounting management is to measure utilization of all important network resources. Analysis of the results provides insight into current usage patterns, and usage quotas can be set at this point. Some correction, of course, will be required to reach optimal access practices. From this point, ongoing measurement of resource use can yield billing information as well as information used to assess continued fair and optimal resource utilization.

Security Management
The goal of security management is to control access to network resources according to local guidelines so that the network cannot be sabotaged (intentionally or unintentionally) and sensitive information cannot be accessed by those without appropriate authorization. A security management subsystem, for example, can monitor users logging on to a network resource and can refuse access to those who enter inappropriate access codes; the refused attempts should themselves be logged, since a run of failures against one account is the usual first sign of password guessing. Security management subsystems work by partitioning network resources into authorized and unauthorized areas. For some users, access to any network resource is inappropriate, mostly because such users are usually company outsiders. For other (internal) network users, access to information originating from a particular department is inappropriate. Access to Human Resources files, for example, is inappropriate for most users outside the Human Resources department.
Fault Management
The goal of fault management is to detect, log, notify users of, and (to the extent possible) automatically fix network problems to keep the network running effectively. Because faults can cause downtime or unacceptable network degradation, fault management is perhaps the most widely implemented of the ISO network management elements. Fault management involves first determining symptoms and isolating the problem. Then the problem is fixed and the solution is tested on all important subsystems. Finally, the detection and resolution of the problem is recorded.
Every Ethernet device has a built-in unique identification number supplied by the manufacturer. An Ethernet Hardware Address (also known as an adapter address, hardware address, EHA, or MAC address) is six bytes long, but it is normally written as 12 characters using hexadecimal notation, where the digits 0-9 are supplemented by the letters A-F. Some utilities present all 12 characters together, while others separate each pair of digits (representing one of the six bytes) by a colon or dash. The same address might be displayed in any of the following formats:

aa-00-04-00-06-d4
AA:00:04:00:06:D4
AA00040006D4

Note that although the address is burned in by the manufacturer, most drivers allow it to be overridden in software, so a MAC address identifies a device only against a user who has not tried to change it; it is not an authentication credential.
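Added example, not from the page: a small Python routine that accepts the three notations shown above (plus the dotted form some switches print), returns one canonical spelling, and reads the two bits of the first byte that tell you what kind of address you are looking at. The addresses used in it are constructed, apart from the page's own aa-00-04-00-06-d4.

```python
"""Normalise and classify Ethernet hardware (MAC) addresses.

Added example, not from the page. Accepts dash-separated, colon-separated,
bare hex and dotted (aabb.ccdd.eeff) notations, returns the canonical
lower-case colon form, and reports the two flag bits of the first octet:
the I/G bit (multicast/group) and the U/L bit (locally administered, i.e.
not the manufacturer-burned value).
"""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(text: str) -> str:
    """Return the address as aa:00:04:00:06:d4, or raise ValueError if malformed."""
    digits = re.sub(r"[:\-.\s]", "", text.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit hardware address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def describe_mac(text: str) -> dict:
    """Canonical form plus the vendor prefix and the flag bits of the first byte."""
    mac = normalize_mac(text)
    octets = bytes.fromhex(mac.replace(":", ""))
    first = octets[0]
    return {
        "mac": mac,
        "oui": mac[:8],                               # first three bytes: vendor prefix (OUI)
        "multicast": bool(first & 0x01),              # I/G bit set: group address
        "locally_administered": bool(first & 0x02),   # U/L bit set: assigned by software
        "broadcast": octets == b"\xff" * 6,
    }


if __name__ == "__main__":
    # The page's example in all three spellings, plus constructed addresses.
    for sample in ("aa-00-04-00-06-d4", "AA:00:04:00:06:D4", "AA00040006D4",
                   "aa00.0400.06d4", "01:00:5e:00:00:01", "ff-ff-ff-ff-ff-ff"):
        print(describe_mac(sample))
```

describe_mac on the page's example reports locally_administered as True: the first byte 0xAA has the U/L bit (0x02) set, so this is not a burned-in manufacturer address but one assigned by software (the AA-00-04-00 prefix is the one DECnet derived from a host's DECnet node number). The I/G bit (0x01) distinguishes a unicast address from a multicast or broadcast one.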
FTP

FTP allows files to be transferred over the Internet and is still a popular and fast way to transfer large amounts of files. An FTP address looks a lot like an HTTP, or Web site, address except it uses the prefix ftp:// instead of http://. FTP is part of the application layer of the ISO/OSI network model and is the most popular way web site owners and webmasters upload their web site files to the Internet. There is a range of FTP programs on the market which are either free or cost very little. Below is a list of some of the most popular FTP programs.

The Internet File Transfer Protocol (FTP) is defined by RFC 959, published in 1985. It provides facilities for transferring files to and from remote computer systems. Usually the user transferring a file needs authority to log in and access files on the remote system. The common facility known as anonymous FTP actually works via a special type of public guest account implemented on the remote system. Note that FTP as defined in RFC 959 sends the user name, the password and the file contents in cleartext; anything confidential should go over SFTP or over FTP with TLS (RFC 4217) instead.
An FTP session normally involves the interaction of five software elements.

User Interface. This provides a user interface and drives the client protocol interpreter.
Client PI. This is the client protocol interpreter. It issues commands to the remote server protocol interpreter and it also drives the client data transfer process.
Server PI. This is the server protocol interpreter, which responds to commands issued by the client protocol interpreter and drives the server data transfer process.
Client DTP. This is the client data transfer process, responsible for communicating with the server data transfer process and the local file system.
Server DTP. This is the server data transfer process, responsible for communicating with the client data transfer process and the remote file system.

RFC 959 refers to the user rather than the client. RFC 959 defines the means by which the two PIs talk to each other and by which the two DTPs talk to each other. The user interface and the mechanism by which the PIs talk to the DTPs are not part of the standard. It is common practice for the PI and DTP functionalities to be part of the same program, but this is not essential.

During an FTP session there will be two separate network connections, one between the PIs and one between the DTPs. The connection between the PIs is known as the control connection. The connection between the DTPs is known as the data connection. The control and data connections use TCP. In normal Internet operation the FTP server listens on the well-known port number 21 for control connection requests. The choice of port numbers for the data connection depends on the commands issued on the control connection. Conventionally the client sends a control message (PORT) which indicates the port number on which the client is prepared to accept an incoming data connection request. Alternatively the client sends PASV and the server replies with the port on which it will listen for the client to connect; this is the form that clients behind NAT or a firewall must use, because the server cannot open a connection inbound to them.

The use of separate connections for control and data offers the advantage that the two connections can select different appropriate qualities of service, e.g. minimum delay for the control connection and maximum throughput for the data connection; it also avoids the problems of providing escape and transparency for commands embedded within the data stream. When a transfer is being set up it is always initiated by the client; however, either the client or the server may be the sender of data. As well as transferring user-requested files, the data transfer mechanism is also used for transferring directory listings from server to client.

Command Choices
When a transfer is being set up there are normally four aspects of the transfer that need to be specified. These are:
File type
This specifies the way the data of the file is mapped into a form suitable for transmission. There are four possible choices.

ASCII file type. At the sending end the file is converted from a local text file to NVT ASCII with ends of lines indicated by a CR/LF pair. At the receiving end this is converted into local text file form. This explains why text file transfers between Unix hosts always indicate more bytes transferred than the actual file size. Note also that if one or both systems do not use ASCII text encodings it is the responsibility of the data transfer processes to convert between NVT ASCII and the local encodings.
EBCDIC file type. Similar to ASCII, only EBCDIC character codings are used.
Image (or binary) file type. The file is transmitted exactly as stored at the sending end and stored exactly as received at the receiving end. Use this for anything that is not plain text (archives, executables, images): an ASCII-mode transfer of such a file applies end-of-line conversion to bytes that are not line endings and can corrupt it.
Local file type. Used in environments where the byte size is not eight. The number of bits per byte is specified by the sender.

Only ASCII and Image are likely to be encountered in practice.

Format Control
This is associated with text files being transferred ultimately to printing devices. There are various ways in which vertical format information can be encoded within a file. This includes indicating the way a start of page is indicated. The choices are:

No printing controls. This is the default.
Telnet printing controls. Control characters as specified in the telnet protocol are included within the data stream.
Fortran printing controls. The first character of each line controls vertical spacing.

These are rarely used in practice.

Structure
Files can have internal structure which is preserved on transfer. It is the responsibility of the data transfer processes to map between transmitted structures and local structures. There are three possibilities.
File structure. This actually means that the file is seen as a contiguous stream of bytes with no internal structure.
Record structure. The file is structured as a series of records. This only really applies to text files.
Page structure. This would be better called block structure. Each page is transmitted with a page number so that they can be transmitted in any order.

Page structure is unlikely to be encountered in practice. Record structure is also comparatively uncommon, as using the ASCII file type will achieve the same effect with text files.

Transmission mode
There are three choices.

Stream mode. The file is simply transferred as a series of bytes.
Block mode. The file is transferred block by block with a header at the start of each block.
Compressed mode. A simple run-length encoding scheme is used to compress sequences of identical bytes.

Only stream mode is likely to be encountered in practice. Compression is normally achieved using various utility programs.

When a transfer is being set up the client may specify one or more of the options described above; if the server cannot support that option there will be an error response reflected back, ultimately, to the user. There is no negotiation mechanism. There are a substantial number of commands available for users to establish their bona fides on remote systems and to navigate the remote system's file system.

Command formats
Commands are transmitted as NVT ASCII strings starting with three or four upper case NVT ASCII characters followed by optional arguments and a CR/LF pair at the end of the command. Replies start with 3-digit NVT ASCII numbers with an optional message. A long reply may be sent as several lines, with a dash after the three digits on the first line and a space after the three digits on the last line. Intermediate lines need
not have any initial digits, but if they do (and many implementations prefer this) they should be the same three digits followed by a dash.

Here is a list of all commands. The ones marked with an asterisk are rare and rarely implemented.

String  Meaning
ABOR    Abort transfer.
*ACCT   Some systems associate both accounts and users with file system objects.
*ALLO   Allocate space for file about to be sent. Parameter specifies number of bytes.
*APPE   Append file to existing file.
CDUP    Change to parent directory on remote system.
CWD     Change working directory on remote system.
DELE    Delete file on remote system.
HELP    Elicit "helpful" information from the server, e.g. a list of commands supported.
LIST    Send a "full" directory listing of the current directory on the remote system on the data connection.
MKD     Make directory.
MODE    Specifies transfer mode. Parameter is S, B or C.
NLST    Send a list of file names in the current directory on the remote system on the data connection.
NOOP    Do nothing.
PASS    Supplies a user password. Must occur immediately after the USER command.
PASV    Specifies that the server data transfer process is to listen for a connection request from the client data transfer process. (The original list marked this as rare; it is now the usual mode, because NAT devices and firewalls block the server-initiated data connection that PORT requires.)
PORT    Specify the client port number on which the data transfer process is listening for a connection request.
PWD     Show current directory name on remote system.
QUIT    Logout or break the connection.
*REIN   Reinitialize. Logout without breaking connection. A new USER command for a different user would follow.
*REST   Restart transfer from server marker.
RETR    Get file from remote system.
RMD     Remove directory.
*RNFR   Specifies old path name of file to be renamed. Follow with RNTO command.
*RNTO   Specifies new path name of file to be renamed.
*SITE   Site-specific server services.
*SMNT   Structure mount. Supplies the remote system path name of a file system structure.
*STAT   Elicit status information.
STOR    Store file on remote system, over-writing the file if it already exists.
*STOU   Store unique. Does not over-write existing files.
STRU    Specifies file structure. Parameter is F, R or P.
*SYST   Report operating system type on remote system.
TYPE    Specifies representation (file) type. Parameter is one of the characters A, E, I, L for file type, followed by N, T or C for format control or a number specifying the local byte size. Only TYPE A and TYPE I are common.

The control connection replies are of the following forms:

Type  Description
1yz   Positive preliminary reply. Expect another reply before sending another command.
2yz   Positive completion reply. The last command completed successfully.
3yz   Positive intermediate reply. A further command must be sent.
4yz   Transient negative completion reply. The requested action did not take place but can be retried.
5yz   Permanent negative completion reply. The requested action did not take place and should not be retried.

The "y" digit encodes further information:

Digit  Meaning
0      Syntax error
1      Information
2      Connection status
3      Authentication and accounting
4      Unspecified
5      File system status

Here are some typical messages:

Number  Meaning
125     Data connection open. Transfer starting.
200     Command OK.
331     User name OK, password required.
425     Can't open data connection.
452     Error writing file.
500     Syntax error - unrecognised command.

There are defined responses for all commands, fully specified in RFC 959.

FTP utilities
There are very many different FTP utility programs, and FTP is often incorporated within utilities such as WWW browsers. On Unix systems the basic utility is called ftp and it includes facilities to allow users to see the various commands. Here is an example of it in action. Local prompts were shown in bold in the original. This session took place at 08:52 on June 4th, 1996.

bash$ ftp plaza.aarnet.edu.au
Connected to plaza.aarnet.edu.au.
220 plaza.aarnet.EDU.AU FTP server (Version wu-2.4(2) Fri Apr 15 14:04:20 EST 1994) ready.
Name (plaza.aarnet.edu.au:jphb): ftp
331 Guest login ok, send your complete e-mail address as password.
Password:
230-
230- This is the AARNet Archive Server, Melbourne, Australia.
230-
230-
230-The disk that failed back in September is still not back on-line.
230-As a consequence of this, we are only shadowing files modified in
230-the last 100 days on many of the more popular archives. We apologise
230-for this inconvenience.
230-
230-Local time is Tue Jun 4 17:46:00 1996
230-
230-Please read the file /info/welcome-ftpuser
230- it was last modified on Fri Apr 22 14:47:05 1994 - 774 days ago
230 Guest login ok, access restrictions apply.
ftp> pwd
257 "/" is current directory.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
lost+found   usr        etc          java      pub        micros
wais         bin        ACS          usenet    X11        rfc
graphics     info       gnu          archie    aarnet     .cap
projects     ls-lRt.Z   .cache       talk-radio
gopher       security   NetWorkshop  Weather   lib        .symlinks
226 Transfer complete.
214 bytes received in 0.018 seconds (11 Kbytes/s)
ftp> cd rfc
250 CWD command successful.
ftp> get rfc1048.txt.gz
200 PORT command successful.
150 Opening ASCII mode data connection for rfc1048.txt.gz (5141 bytes).
226 Transfer complete.
local: rfc1048.txt.gz remote: rfc1048.txt.gz
5161 bytes received in 1.6 seconds (3.2 Kbytes/s)
ftp> quit
221 Goodbye.

The following replies will be noted. The descriptions are taken from RFC 959.

220 Service ready for new user. A standard banner message from the FTP server program. The date probably refers to the date the server program was compiled.

331 User name OK, password required. ftp is a special user name understood by many FTP servers; any string is acceptable as a password. anonymous may be used with exactly the same effect.

230 User logged in, proceed. Everything is OK; many FTP servers use this as an opportunity to display a welcoming message. Note the use of continuations (the 230- lines): the reply ends at the first line that starts with the same code followed by a space.

257 "PATHNAME" created is the RFC 959 interpretation of this message; here, in reply to pwd, it simply reports the current directory, as the explanatory text clearly indicates.

200 Command okay. The command was a PORT command, telling the server the address and port number on which the client is listening for the server's data connection for the directory listing.

150 File status okay, about to open data connection. This is fairly self-explanatory. The server has established communication with the client's listening data connection port and is
about to transfer the named file. In this case "list" actually means a directory listing rather than a file called "list". The client displays the incoming data on the standard output device rather than copying it to a local file.

226 Closing data connection. Requested file action successful (for example, file transfer or file abort). In this case the transfer has been successful.

214 This isn't actually a message at all. It is statistics produced by the client for user information.

250 Requested file action okay, completed. The CWD command completed OK.

200 A PORT command for the data connection for the file transfer was received satisfactorily.

150 Data connection established from server to client. Note that the file was requested in ASCII mode (the client's default) even though it is a gzip archive: the server announces 5141 bytes but the client counts 5161 received, the 20 extra bytes being carriage returns the server inserted before each line feed it found in the binary data. Whether the client undoes this exactly depends on the two implementations, so binary data should always be fetched after switching to TYPE I (the ftp client's binary command).

226 Transfer completed. Followed by the client side generated statistics.

221 Service closing control connection.
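The reply grammar described above (three-digit codes, the meaning of the first two digits, and the "xyz-" ... "xyz " continuation rule seen in the 230 greeting) is small enough to implement in full. The following is an added example, not part of the original notes: a reader for one FTP reply at a time, plus a classifier for the code. The sample control-connection stream it runs on is constructed here, modelled on the session above; it is not a capture.

```python
import re

# Constructed sample of server replies on a control connection (CRLF-terminated
# as on the wire).  The multi-line 230 greeting is the case worth getting right.
SAMPLE_REPLIES = (
    "220 plaza.aarnet.EDU.AU FTP server ready.\r\n"
    "331 Guest login ok, send your complete e-mail address as password.\r\n"
    "230-This is the AARNet Archive Server, Melbourne, Australia.\r\n"
    "230-\r\n"
    "230-Please read the file /info/welcome-ftpuser\r\n"
    "230 Guest login ok, access restrictions apply.\r\n"
    "257 \"/\" is current directory.\r\n"
    "200 PORT command successful.\r\n"
    "150 Opening ASCII mode data connection for file list.\r\n"
    "226 Transfer complete.\r\n"
    "500 Syntax error - unrecognised command\r\n"
    "221 Goodbye.\r\n"
)

FIRST_DIGIT = {
    "1": "positive preliminary",
    "2": "positive completion",
    "3": "positive intermediate",
    "4": "transient negative completion",
    "5": "permanent negative completion",
}
SECOND_DIGIT = {
    "0": "syntax", "1": "information", "2": "connections",
    "3": "authentication and accounting", "4": "unspecified",
    "5": "file system",
}

_FIRST_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def read_reply(lines):
    """Consume one complete reply from an iterator of CRLF-stripped lines.

    RFC 959: a single-line reply is 'xyz<SP>text'.  A multi-line reply
    starts 'xyz-text' and ends with a line 'xyz<SP>text' carrying the SAME
    code.  Intermediate lines may contain anything (including text that
    starts with digits), so the only terminator is the exact 'xyz<SP>'.
    """
    first = next(lines)
    m = _FIRST_LINE.match(first)
    if not m:
        raise ValueError(f"malformed reply line: {first!r}")
    code, sep, text = m.groups()
    body = [text]
    if sep == "-":
        while True:
            line = next(lines)
            if line.startswith(code + " "):
                body.append(line[4:])
                break
            if line.startswith(code + "-"):   # optional 'xyz-' prefix
                line = line[4:]
            body.append(line)
    return int(code), body


def classify(code):
    """Map a reply code to the RFC 959 meaning of its first two digits."""
    s = f"{code:03d}"
    return FIRST_DIGIT[s[0]], SECOND_DIGIT.get(s[1], "unassigned")


def parse_all(raw):
    """Split a raw control-connection stream into (code, lines) replies."""
    lines = iter(raw.split("\r\n")[:-1])   # drop the empty tail after the last CRLF
    replies = []
    while True:
        try:
            replies.append(read_reply(lines))
        except StopIteration:
            return replies
```

A client loop would call read_reply after each command it sends and, for a 1yz code, read again before sending the next command; the parser deliberately refuses to guess at a reply that does not begin with three digits rather than skipping it.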
Network Address

Let us tell you what you already know: TCP/IP is rapidly becoming the protocol of choice for networks everywhere. All of the major NOS vendors are backing it in one form or another, the Internet requires it, and users want it now. Although self-contained networks can use any IP addresses they wish, sites looking to connect to the Internet or other remote networks must use Internet-legal addresses for applications to function properly. While you'll be able to send packets from a system with an illegal address, the destination will not be able to return packets if the address you used points to another network on the Internet. Whether or not you're able to deploy Internet-legal IP addresses across your network is another issue altogether. Maybe you have too many systems, making it difficult (or even impossible) to get enough legal IP address blocks to support all of your devices. Or perhaps you have legacy installations or applications that use invented IP addresses,
requiring that you re-visit entire departments before you can implement "real" addresses across your network. There lies the dilemma: sites that use their own addressing schemes must use externally accessible addresses to access remote systems, but not all network administrators have the luxury of being able to use fully compliant, Internet-legal addresses. IP gateways provide a solution by hiding the IP addresses of the internal devices, making internally generated packets appear as though they are coming from another device that does have an Internet-legal address. The IP gateway provides external connectivity without requiring that Internet-legal addresses be deployed across the internal networks. IP gateways come in two basic form-factors: hardware-based firewalls/routers and IP-over-IPX protocol converters. For example, Secure Computing Corp.'s BorderWare firewall uses application proxies at the core of its architecture, providing IP gateway services to internal clients that connect to external resources. To the internal systems, the firewall looks like a router that sits between the internal and external networks. Clients send outbound packets to the gateway which, rather than simply forwarding them as a "normal" router would, rewrites them so that they appear to originate from the gateway itself. Packets returning to the gateway are then redirected to the appropriate internal systems. Another commonly found implementation is in WINSOCK.DLL replacements, typically used in IP-over-IPX protocol conversion products such as the Novell Internet Access Server (NIAS) bundled with IntranetWare. Internal devices do not have "real" IP stacks, but instead use a WINSOCK.DLL that provides IP transport services over IPX. The clients share the NetWare server's IP stack directly and use the server's port management services for their applications. In essence, the IPX-based client IP stacks become extensions of the server's IP stack.
Rather than build maps of internal and external IP addresses and ports, NIAS assembles an address map that correlates internal IPX addresses to external IP addresses and port numbers. The clients use an IPX-based WINSOCK.DLL for local TCP and UDP applications, creating virtual IP connections on behalf of the server. IPX is used to deliver the virtual IP packets to the server, which in turn uses its local IP stack to deliver the packets to their destinations. Architecturally, this is similar to Systems Network Architecture (SNA) gateways of yore, which also used a central system for providing SNA transport services over IPX and other protocols. The same sorts of limitations that SNA gateways have historically faced also apply here. First among these is that the devices themselves are not full-fledged IP clients. Since the systems do not have their own specific IP addresses, they cannot have individual IP identities, even on the local network. Clients can't even ping each other, because the Internet Control Message Protocol (ICMP) packets will end up pointing to the NetWare server hosting the IP stack.

Low Maintenance Vs. High Functionality
The architectural differences between these two implementations generate a variety of management implications. For example, because NIAS uses a single IP stack for services, client applications only need to allocate a port on the server's stack to run IP applications. The server simply creates an entry in its map that points the allocated port number back to the IPX client that requested it. It does not have to rewrite address headers or anything else; it only has to redirect packets to the proper destination, whether internal via IPX or external via IP. Conversely, BorderWare introduces high levels of packet management overhead by having to completely rewrite every IP packet that is transmitted. Not only does the firewall have to rewrite the IP addresses of the packets that it tracks, but it also has to rewrite the IP packet's checksum and TCP and UDP checksums, addresses found inside of packets and TCP sequencing numbers whenever the application addresses are changed. NIAS avoids this issue entirely, since the clients simply allocate ports from the NetWare server's IP stack directly. Whenever an NIAS-based FTP client wants to download a file, it simply allocates the next available socket (using normal WINSOCK.DLL calls) and issues the PORT command referencing the allocated socket. The NIAS server sees the allocation request and begins to redirect incoming data to the requesting client. If this scenario were limited only to FTP, it wouldn't be that big an issue. However, there are several applications that embed client addresses and port numbers in their packets. Most of the ICMP services (used for ping and traceroute, for example) also store client information directly in the packet, as do most of the popular client/server database agents. Unless the IP gateway is explicitly aware of these services--and knows how to adjust the packets accordingly--then these applications will not work outside of the local network. 
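The PORT rewrite just described, and the sequence-number bookkeeping the next paragraph goes on to explain, can be shown end to end in a few dozen lines. The following is an added example, not BorderWare's or NIAS's code and not from the original article: a per-connection object that rewrites a client's PORT command to the gateway's external address, records where the server's data connection must be relayed, and keeps the running byte delta that has to be added to the client's outgoing sequence numbers and subtracted from the server's acknowledgements. The addresses 10.0.0.1 and 192.155.15.10 are the article's own; the segment contents and the in-order-delivery simplification are assumptions of the example.

```python
import re

PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def decode_port(cmd):
    """b'PORT h1,h2,h3,h4,p1,p2\\r\\n' -> ('h1.h2.h3.h4', p1*256+p2)."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError(f"not a PORT command: {cmd!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("PORT field out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_port(ip, port):
    return f"PORT {ip.replace('.', ',')},{port // 256},{port % 256}\r\n".encode()


class FtpNatSession:
    """One internal client's FTP control connection passing through the gateway.

    Simplification (an assumption of this example): segments are handled in
    order, so a single running delta is enough.  A real gateway records the
    sequence number at which each rewrite happened, so that a retransmission
    of an older segment is adjusted by the delta that applied back then.
    """

    def __init__(self, internal_ip, external_ip, port_map):
        self.internal_ip = internal_ip
        self.external_ip = external_ip
        self.port_map = port_map   # gateway-wide: external port -> (internal ip, port)
        self.seq_delta = 0         # bytes added to the client's byte stream so far

    def _allocate_external_port(self, wanted):
        # Keep the client's own port number when it is free on the gateway
        # (then, as in the article, only the address changes length);
        # otherwise take the next free one.  The delta is computed from the
        # bytes actually sent, so either case is handled.
        port = wanted
        while port in self.port_map:
            port = port + 1 if port < 65535 else 1024
        return port

    def rewrite_outbound(self, seq, payload):
        """Client -> server segment. Returns (seq as the server must see it, payload)."""
        new_seq = (seq + self.seq_delta) & 0xFFFFFFFF
        if not payload.startswith(b"PORT "):
            return new_seq, payload
        ip, port = decode_port(payload)
        if ip != self.internal_ip:
            # A PORT naming some other host would make the server open its
            # data connection to that host, so the gateway refuses it.
            raise ValueError("PORT address does not belong to this client")
        ext_port = self._allocate_external_port(port)
        self.port_map[ext_port] = (ip, port)
        new_payload = encode_port(self.external_ip, ext_port)
        # This segment keeps new_seq as computed above; everything the client
        # sends after it is shifted by the size difference.
        self.seq_delta += len(new_payload) - len(payload)
        return new_seq, new_payload

    def rewrite_inbound_ack(self, ack):
        """Server -> client ACK number, converted back to the client's numbering."""
        return (ack - self.seq_delta) & 0xFFFFFFFF

    def inbound_data_target(self, ext_port):
        """Where to relay a data connection the server opens to ext_port on the gateway."""
        return self.port_map[ext_port]
```

The TCP and IP checksums of the rewritten segment must of course be recomputed as well; that part is omitted here because it does not depend on the FTP-specific logic.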
Also, rewriting the application-specific data isn't always enough. If the "size" of the addresses being replaced is not identical, then the entire packet's sequencing will need to be spoofed. TCP uses special fields to inform end-systems of the number of bytes transmitted and received to date, providing the connection services that TCP-specific applications depend on. If the gateway replaces the client's address of "10.0.0.1" with "192.155.15.10" in an FTP PORT command, then the physical size of the packet will increase by five bytes. This in turn will require the gateway to increment the external TCP counter for that session by five. Not only must the gateway track this information for the external portion of the connection, it must also track it for the internal connection, providing the client with appropriate byte-counter acknowledgments. Secure Computing has done an admirable job of providing application-sensitive proxy services for BorderWare, and continues to develop new ones as needed. Indeed, the entire firewall architecture is built around the concept of "smart" proxies that provide these services on an application-specific basis. Conversely, NIAS does not conduct any address rewrites, meaning all applications work without special requirements.

Virtual Firewalls And Application Servers
Not only are there client-side application considerations, but server-side issues as well. To most users, having the ability to run application servers on the internal network for external systems to access is probably just as important as the client-side connectivity support. Products such as BorderWare that are firewalls by design offer much more functionality than the IP-over-IPX gateways such as NIAS. Client applications typically use port numbers above 1024, while servers typically use port numbers below 1024. For example, when you open a telnet session to a remote system, your telnet client will allocate a random port number above 1024 and connect to the well-known Port 23 on the remote system. For these products, the port number allocated for the external connection is essentially irrelevant, since the external servers don't care which port number the request is coming from. However, internal servers do care which port numbers they are listening on. Since servers work by listening to well-known ports (like TCP Port 23 for telnet servers), they cannot be changed to random numbers. For external clients to connect to your internal servers, the IP gateways must forward inbound requests to these ports on to specific systems inside your network. BorderWare lets you define destination systems for server ports, allowing you to have systems dedicated to FTP, HTTP or other services on your internal network. Also, these inward connections are processed through the same IP gateway services as the outward client connections. This provides some protection against outside hackers, since external systems do not connect to the internal servers directly; instead, they connect to the firewall's proxy servers, which rewrite the packets before sending them on to the internal system. NIAS offers this same basic service, although using a completely different implementation. 
Since the IPX-based clients are essentially extensions of the server's IP stack, they can allocate any port number they wish, including server-specific ones. If, for example, users load an HTTP server on their PC, then their WINSOCK.DLL will explicitly request that TCP Port 80 be placed in a "listen" state. The NetWare server will oblige if it is able to (it will not be able to if another PC has already allocated Port 80 for another Web server). This allows any internal system to load any server service they choose, although to the outside world, it appears that the server is running on the NetWare server, and not on the client. This can be considered a fairly severe security hole. Allowing users to run any server application they wish is a dangerous way to run a network. You can get around this by using the native IP filtering NetWare Loadable Modules (NLMs) that ship with IntranetWare, thereby blocking access to these ports from outside networks--although this is not a complete firewall solution either. Users could load the Web server on Port 8000 if they wanted, thereby exposing your network again. In larger installations, a true firewall that blocks the entire network is needed for complete protection.

Other Considerations
Apart from the technical aspects, there are managerial issues that will affect your implementation decisions. Most of these result from the implications that arise from the two distinct product architectures. For example, while NIAS offers easy deployment across a network of PCs, it is limited only to PCs. Most IP-over-IPX WINSOCK.DLL replacement products only provide dynamic linked libraries (DLLs) for the Windows 3.x and Windows 95 desktop markets, and do not provide similar services to Macintosh, OS/2, Unix, Windows NT or other operating systems. There are also quite a few compatibility problems with many of the WINSOCK.DLL-based implementations. For example, Microsoft's native network services rely on the Transport Driver Interface (TDI) layer to provide transport-independent file and print services. Few products--including NIAS--support TDI in their implementations, meaning that users cannot take advantage of these services when using these products. Additionally, the WinSock 1.x specification does not provide support for ICMP, meaning that users cannot use Microsoft's ping or traceroute, requiring the gateway provider to bundle these utilities with their product. The primary advantage to these implementations is their low cost of ownership; you don't have to manage TCP/IP stacks on every system, and can implement a single shared WINSOCK.DLL on a file server that the Windows clients on your network can access as needed. You don't have to mess with managing Domain Name System (DNS) or Dynamic Host Configuration Protocol (DHCP) entries for the clients on your network, or track address conflicts, or do any of the other management tasks incurred from running full-bore IP stacks on every desktop. This makes these kinds of products a perennial favorite, especially in sites that don't rely on Microsoft's networking services.
Meanwhile, BorderWare offers better protection against outside intrusion, simply because it provides the IP gateway services as part of its overall firewall design. Since no system has direct access to any systems on the other side of the firewall, this type of product brings high levels of security and control to demanding environments. However, there is also a high cost of ownership associated with this type of solution, since it assumes that IP is installed on all internal systems. In reality, there is no reason why you could not use both products simultaneously. If you have a large group of NetWare users, but cannot obtain enough addresses for them to use, then look to the IP-over-IPX gateways to provide you with connectivity between them and the rest of the organization. But, rather than use Internet-legal addresses on the NetWare servers that provide this gateway, use products like BorderWare to provide the address translation services between your internal and external network. In theory, you could support several thousand NetWare users with this combination, while only using a handful of IP addresses, whether legal or not. Whichever mechanism you choose, remember that having legal addresses is the best route of all, since you are least likely to have duplicated addressing problems. If you
cannot obtain enough addresses for all of your systems, then at least try to implement addresses from the "private" pools set aside in RFC 1918. Legacy issues preventing their use are one of the only acceptable excuses for not using legal IP addressing. While using an illegal address may seem like an option, be prepared for the inevitable denial-of-service when you try connecting to the site that "owns" the addresses you are using.

Internet Working

Routers use information within each packet to route it from one LAN to another, and communicate with each other and share information that allows them to determine the best route through a complex network of many LANs. To do this, routers build and maintain "routing tables", which contain various items of route information, depending on the particular routing algorithm used. For example, destination/next hop associations tell a router that a particular destination can be reached optimally by sending the packet to a particular router representing the "next hop" on the way to the final destination. When a router receives an incoming packet, it checks the destination address and attempts to associate this address with a next hop. Routing achieved commercial popularity in the mid-1980s, at a time when large-scale internetworking began to replace the fairly simple, homogeneous environments that had been the norm hitherto. Routing is the act of moving information across an internetwork from a source to a destination. It is often contrasted with bridging, which performs a similar function. The primary difference between the two is that bridging occurs at Layer 2 (the link layer) of the OSI reference model, whereas routing occurs at Layer 3 (the network layer). This distinction provides routing and bridging with different information to use in the process of moving information from source to destination, so the two functions accomplish their tasks in different ways.
Routing in the Internet

Routing is the technique by which data finds its way from one host computer to another. In the Internet context there are three major aspects of routing:

Physical Address Determination
Selection of inter-network gateways
Symbolic and Numeric Addresses

The first of these is necessary when an IP datagram is to be transmitted from a computer. It is necessary to encapsulate the IP datagram within whatever frame format is in use on the local network or networks to which the computer is attached. This encapsulation clearly requires the inclusion of a local network address or physical address within the frame. The second of these is necessary because the Internet consists of a number of local networks interconnected by one or more gateways. Such gateways, generally known as routers, sometimes have physical connections or ports onto many networks. The determination of the appropriate gateway and port for a particular IP datagram is called routing and also involves gateways interchanging information in standard ways.
The third aspect, which involves address translation from a reasonably human-friendly form to numeric IP addresses, is performed by a system known as the Domain Name System, or DNS for short. It is not considered further at this stage.

Physical Address Determination

If a computer wishes to transmit an IP datagram it needs to encapsulate it in a frame appropriate to the physical medium of the network it is attached to. For the successful transmission of such a frame it is necessary to determine the physical address of the destination computer. This can be achieved fairly simply using a table that maps IP addresses to physical addresses; such a table may include addresses for IP nets and a default address as well as the physical addresses corresponding to the IP addresses of locally connected computers. Such a table could be configured into a file and read into memory at boot-up time. However, it is normal practice for a computer to use a protocol known as ARP (Address Resolution Protocol), defined by RFC 826. This operates dynamically to maintain the translation table known as the ARP cache. On most Unix systems the contents of the ARP cache can be displayed using the command arp -a. Here is typical output from the arp -a command

scitsc16.wlv.ac.uk (134.220.4.16) at 8:0:20:b:ca:2
scitsc17.wlv.ac.uk (134.220.4.17) at 8:0:20:c:41:70
ccuf.wlv.ac.uk (134.220.4.202) at 8:0:20:10:e6:6
scit-sun-gw1.wlv.ac.uk (134.220.4.203) at 0:0:c0:fd:80:a4
scitsd.wlv.ac.uk (134.220.4.205) at 8:0:20:77:cf:18
scitsc31.wlv.ac.uk (134.220.4.31) at 8:0:20:4:96:83

This was obtained on the scitsc.wlv.ac.uk host at 0845 on May 7th 1996. A computer determines its own physical address at boot-up by examining the hardware, and its own IP address by reading a configuration file at boot-up time, but it is still necessary to fill the ARP cache. This is done by the computer making ARP request broadcasts whenever it encounters an IP address that cannot be mapped to a physical address by consulting the cache.
The format of an ARP request on an Ethernet is

General             Use                             Size in bytes  Typical values
Ethernet Header     Ethernet Destination Address    6              A broadcast address
                    Ethernet Source Address         6              Identifies computer making request
                    Frame Type                      2              Set to 0x0806 for ARP, request and reply alike (0x8035 identifies RARP, described below)
ARP request/reply   Hardware Type                   2              Set to 1 for an Ethernet
                    Protocol Type                   2              Set to 0x0800 for IP addresses
                    Hardware Address Size in bytes  1              Set to 6 for Ethernet
                    Protocol Address Size in bytes  1              Set to 4 for IP
                    Operation                       2              1 for request, 2 for reply
                    Sender Ethernet Address         6
                    Sender IP Address               4
                    Destination Ethernet Address    6              Not filled in on ARP request
                    Destination IP Address          4

By making such requests a host can fill up the ARP cache. ARP cache entries will eventually time out and a new query will have to be made. This allows a computer to respond to changing topology. Typical timeouts are about 20 minutes. An ARP request to a non-existent computer may be repeated after a few seconds, up to a modest maximum number of times. If a computer is connected to more than one network via separate ports then a separate ARP cache will be maintained for each interface. Alternatively there will be a further field in the ARP cache associating an entry with a particular interface. It may be thought that ARP requests will be made for every Internet computer a computer wishes to contact. This is not true: a reference to an IP address not on a local or directly connected network will be re-directed to an IP router with an IP address that is on a locally connected network. Since ARP requests are broadcast, any computer maintaining an ARP cache can monitor all such broadcasts and extract the sending computer's physical and IP address and update its own ARP cache as necessary. Nothing in the protocol authenticates this information: a host that updates its cache from whatever it sees will believe any machine on the segment that claims an address. When a computer boots up it can send an ARP request (perhaps to itself!) as a means of announcing its presence on the local network. It is possible to associate more than one IP address with a single physical address. Note that the ARP request format is designed to be capable of supporting protocols other than IP and Ethernet as long as it is possible to broadcast on the local network.

Reverse Address Resolution Protocol

Discless workstations were once widely used. These had a local processor and RAM but all disc space was supplied from a server using NFS or some similar system.
In the absence of local configuration files, boot-up involved the use of a very simple file transfer protocol known as TFTP, however before this could be used the workstation needed to know its IP address. In order to determine this Reverse Address Resolution Protocol (RARP) described in RFC 903 was used. This used the same message format as ARP but used operation types 3 and 4 for requests and responses. Only suitably configured RARP servers would reply to such requests. RARP may still be encountered in conjunction with devices such as laser printers.
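The ARP layout tabulated above, and the RARP variant that reuses it with operations 3 and 4, is easy to exercise byte for byte. The following is an added example, not from the original notes: it builds and parses Ethernet frames carrying ARP and RARP messages, and shows the cache-learning step the text describes. The addresses are taken from the arp -a listing above; the frames are constructed here, not captured, and are the 42 bytes of header plus message without the padding a real Ethernet adds to reach the minimum frame size.

```python
import struct

ETH_P_ARP = 0x0806
ETH_P_RARP = 0x8035
BROADCAST = b"\xff" * 6
OP_NAMES = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}

ETH_HDR = struct.Struct("!6s6sH")          # dst, src, ethertype
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b):
    return ":".join(f"{x:x}" for x in b)   # short form, as arp -a prints it


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet frame carrying an ARP (op 1/2) or RARP (op 3/4) message."""
    ethertype = ETH_P_RARP if op in (3, 4) else ETH_P_ARP
    # Requests are broadcast; replies go straight to the asking host.
    dst = BROADCAST if op in (1, 3) else mac_bytes(target_mac)
    body = ARP_BODY.pack(1, 0x0800, 6, 4, op,
                         mac_bytes(sender_mac), ip_bytes(sender_ip),
                         mac_bytes(target_mac), ip_bytes(target_ip))
    return ETH_HDR.pack(dst, mac_bytes(sender_mac), ethertype) + body


def parse(frame):
    """Decode a frame; rejects anything that is not ARP/RARP for IP over Ethernet."""
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype not in (ETH_P_ARP, ETH_P_RARP):
        raise ValueError(f"not ARP/RARP: ethertype 0x{ethertype:04x}")
    (htype, ptype, hlen, plen, op,
     sha, spa, tha, tpa) = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    if op not in OP_NAMES or (ethertype == ETH_P_RARP) != (op in (3, 4)):
        raise ValueError("operation does not match ethertype")
    return {"dst": mac_str(dst), "src": mac_str(src), "op": OP_NAMES[op],
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def learn(cache, frame):
    """Update an ARP cache from any ARP/RARP message seen on the wire.

    This is what lets a host fill its cache from broadcasts it merely
    overhears.  The message carries no proof that the sender owns the
    address it claims, so the same code also accepts a false claim.
    """
    d = parse(frame)
    if d["sender_ip"] != "0.0.0.0":          # a RARP requester does not know its IP yet
        cache[d["sender_ip"]] = d["sender_mac"]
    return cache
```

A host that wants to limit the exposure noted in learn() would only accept replies for addresses it has an outstanding request for; that policy is deliberately not built in here, so the function shows the behaviour the notes describe.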
Internet Routing - Internal Routing Tables

Within any host there will be a routing table that the host uses to determine which physical interface address to use for outgoing IP datagrams. Once this table has been consulted the ARP cache(s) will be consulted to determine the physical address. If a computer receives an IP datagram on any interface there are two possibilities: one is that the datagram is intended for that computer, in which case it will be passed to the relevant application; the other is that the datagram is addressed to some other computer, in which case the computer will attempt to re-transmit it on one or other of the available interfaces. On Unix systems the command netstat -nr can usually be used to display the state of the routing table. Here is typical output from the netstat -nr command

Routing tables
Destination      Gateway          Flags  Refcnt  Use       Interface
127.0.0.1        127.0.0.1        UH     6       1748676   lo0
default          134.220.4.203    UG     74      17345705  le0
134.220.40.0     134.220.4.203    UG     0       0         le0
134.220.32.0     134.220.4.203    UG     0       15516     le0
134.220.8.0      134.220.4.203    UG     0       359006    le0
134.220.17.0     134.220.4.203    UG     0       0         le0
134.220.1.0      134.220.4.203    UG     3       1346065   le0
134.220.18.0     134.220.4.203    UG     0       4708      le0
134.220.10.0     134.220.4.203    UG     0       103836    le0
134.220.35.0     134.220.4.203    UG     0       0         le0
134.220.3.0      134.220.4.203    UG     0       643       le0
134.220.19.0     134.220.4.203    UG     0       469       le0
134.220.11.0     134.220.4.203    UG     0       211689    le0
134.220.20.0     134.220.4.203    UG     0       6525      le0
134.220.12.0     134.220.4.203    UG     0       107309    le0
134.220.4.0      134.220.4.1      U      114     28841321  le0
134.220.13.0     134.220.4.203    UG     0       8748      le0
134.220.37.0     134.220.4.204    UG     0       567       le0
134.220.6.0      134.220.4.203    UG     0       1202340   le0
134.220.15.0     134.220.4.203    UG     0       2566      le0
134.220.7.0      134.220.4.203    UG     7       1207070   le0
134.220.39.0     134.220.4.203    UG     0       0         le0

This was obtained on the scitsc.wlv.ac.uk host at 0859 on May 7th, 1996.
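The lookup that the paragraphs below describe (host route, then network route, then default, followed by an ARP cache consultation for the next hop) can be run against this very table. The following is an added example, not from the original notes. It goes slightly beyond the text by doing a longest-prefix match, which subsumes the three-step search; the prefix lengths are an assumption of the example (the host is on a class B network subnetted on eight bits, so each listed net is taken as a /24 and the H-flagged loopback entry as a /32), and only a few rows of the table are transcribed.

```python
import ipaddress

# A subset of the netstat -nr table above: (network, gateway column, flags, interface).
TABLE = [
    ("127.0.0.1/32",    "127.0.0.1",     "UH", "lo0"),
    ("134.220.40.0/24", "134.220.4.203", "UG", "le0"),
    ("134.220.4.0/24",  "134.220.4.1",   "U",  "le0"),
    ("134.220.37.0/24", "134.220.4.204", "UG", "le0"),
    ("134.220.6.0/24",  "134.220.4.203", "UG", "le0"),
    ("134.220.7.0/24",  "134.220.4.203", "UG", "le0"),
]
DEFAULTS = [("134.220.4.203", "le0")]   # there may be several default routes

# The arp -a output earlier on the page, as the host's ARP cache.
ARP_CACHE = {
    "134.220.4.16":  "8:0:20:b:ca:2",
    "134.220.4.17":  "8:0:20:c:41:70",
    "134.220.4.202": "8:0:20:10:e6:6",
    "134.220.4.203": "0:0:c0:fd:80:a4",
    "134.220.4.205": "8:0:20:77:cf:18",
    "134.220.4.31":  "8:0:20:4:96:83",
}


def lookup(dst, table=TABLE, defaults=DEFAULTS):
    """Return (next hop address, interface) for dst.

    Longest-prefix match: a /32 host route beats a /24 network route, which
    beats the default; that is exactly the host/net/default order of the
    classic search.  Routes without the U flag are ignored.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, flags, iface in table:
        net = ipaddress.ip_network(net)
        if "U" not in flags or dst not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, gw, flags, iface)
    if best is not None:
        net, gw, flags, iface = best
        # Without the G flag the destination is directly connected: the
        # datagram goes to dst itself, so that is the address to ARP for.
        return (gw if "G" in flags else str(dst)), iface
    if defaults:
        return defaults[0]
    raise LookupError(f"no route to {dst}")


def next_hop_mac(dst, arp_cache=ARP_CACHE):
    """Second stage: turn the next hop into a physical address via the ARP cache."""
    hop, iface = lookup(dst)
    if iface == "lo0":
        return None, iface                    # loopback has no link-layer address
    if hop not in arp_cache:
        raise LookupError(f"no ARP entry for {hop}: an ARP request would be broadcast")
    return arp_cache[hop], iface
```

The example the text gives, 134.220.6.12, resolves through the /24 route to the gateway 134.220.4.203 and then to 0:0:c0:fd:80:a4; an address on the directly connected 134.220.4.0 net is ARPed for directly.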
So if, for example, the host wanted to send an IP datagram to 134.220.6.12, it would use the above table to determine that it had to go via 134.220.4.203 (a gateway) and then use the ARP cache to determine the physical address of the gateway (it was 0:0:c0:fd:80:a4). The datagram is then sent to the gateway, which uses a similar table to determine the physical interface for the datagram and then uses its own ARP cache to determine the physical address to send the datagram to. There are four basic items of information in such a table:

A destination IP address.
A gateway IP address. This will be the same as the destination IP address for directly connected destinations.
Various flags, usually displayed as U, G, H and sometimes D and M. U means the route is up. G means the route is via a gateway. H means the destination address is a host address as distinct from a network address.
The physical interface identification.

The destination address may appear as "default". The host operation is to first look for the destination address as a host address in the routing table; if it is not found, then look for the destination net address in the routing table; and if that is not found, then use one of the default addresses (there may be several). A host dedicated to providing a gateway service between several networks is known as a router and may have a very large routing table (64 MB is not unknown) and will run special protocols to interchange routing information with other hosts and routers. A general-purpose host may have connections to at most two or three networks and a correspondingly simple table.

Communication between routers

The complete Internet consists of a large number of interconnected autonomous systems (ASs), each of which constitutes a distinct routing domain. Such autonomous systems are usually run by a single organisation such as a company or university. Within an AS, routers communicate with each other using one of several possible intra-domain routing protocols, also known as interior gateway protocols. ASs are connected via gateways; these exchange information using an inter-domain routing protocol, also known as an exterior gateway protocol.
The commonest interior gateway protocols are the Routing Information Protocol (RIP) defined in RFC 1058 and the more recent Open Shortest Path First (OSPF) protocol defined in RFC 1247. The purpose of these protocols is to enable routers to exchange locally obtained information so that all routers within an AS have a coherent and up to date picture of how to reach any host within the AS.
Whenever a host receives routing information it is expected to revise its routing tables in the light of the new information. This update may cause the host to send new routing information to further hosts, so that changes propagate across the network.

The RIP (RFC 1058) protocol

Using RIP, a host will periodically broadcast (or send to all neighbour routers if there is no broadcast facility) its entire routing table or those parts that have changed recently. RIP information is transmitted using UDP/IP in messages of the form

Field           Bytes  Typical values
Command         1      1 request, 2 reply (response), 3 and 4 obsolete, 5 poll, 6 poll entry
Version         1      1 or 2
Reserved        2      Must be zero
Address Family  2      2 for IP addresses
Reserved        2      Must be zero
IP Address      4      Address of host or network
Reserved        8      Must be zero
Metric          4      A number in the range 1 to 16

The metric is the hop-count to the host whose IP address is quoted. A value of 16 implies the host is unreachable. The 20 bytes specifying address family, IP address and metric may be repeated up to 25 times. An IP address of 0.0.0.0 is regarded as a default address. Routers receive RIP information and use it to determine their shortest route to a particular host. RIP information is sent to neighbours or broadcast every 30 seconds. RIP information is processed by daemon processes (either routed or gated on Unix hosts) listening on the well-known UDP port number 520. Note that RIP version 1 messages carry no authentication at all: a router accepts whatever arrives on port 520 from a neighbour. RIP suffers from very slow convergence in the face of topology changes, because routers are not under any obligation to identify failed links and, more importantly, their consequences, and propagate the facts to other routers. RIP is an example of a distance vector protocol.

The OSPF (RFC 1247) Protocol

The O means open, i.e. a non-proprietary protocol. OSPF is a link state protocol (LSP). This means that each router maintains link status information and this is exchanged between routers wishing to build routing tables. Unlike RIP, OSPF uses IP directly, OSPF packets being identified by a special value (protocol number 89) in the IP datagram protocol field. All OSPF messages have a common initial 24-byte header

Field                Bytes  Typical values
Version              1      2
Packet Type          1      1 Hello, 2 Database Description, 3 Link state request, 4 Link state update, 5 Link state acknowledgment
Packet Length        2      Packet length in bytes
Router ID            4      IP address of sending host
Area ID              4      ID of area to which packet belongs
Checksum             2      As for IP datagram
Authentication type  2      0 No authentication, 1 Simple password
Authentication data  8      For type 1 only; the password travels in clear

Hello Packets. These are used between routers to identify each other and establish common operating procedures.

Database description packets. These are used to enable routers to transmit a complete database of link states. Link states are expressed in terms of source and destination addresses and the type of service bits used in IP datagrams. These specify a low delay link state, a high throughput link state and a high reliability link state. There are proposals to include a low monetary cost link state. The individual link status information records are known as link state advertisements.

LSP requests. These enable a router to request specific link information from a neighbour.

LSP Update. At any time a router may transmit new link state advertisements.

Link state acknowledgment. These acknowledge receipt of advertisements. They consist of just the advertisement headers.
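The RIP message layout tabulated in the RIP section above, and the rule that a router revises its table from what it receives, are short enough to show together. The following is an added example, not from the original notes and not the routed or gated daemon's code: it builds and parses RIP version 1 response messages and applies one to a routing table using the distance-vector rule from RFC 1058 (add one hop; a route learned from a neighbour is always replaced by that neighbour's newer word, even if worse; a route learned from anyone else is replaced only by a strictly better one; 16 means unreachable). The addresses are taken from the routing table earlier on the page; the messages are constructed here, not captured.

```python
import struct

RIP_PORT = 520
INFINITY = 16
HEADER = struct.Struct("!BBH")          # command, version, must be zero
ENTRY = struct.Struct("!HH4s8sI")        # address family, zero, IP address, zero, metric
COMMANDS = {1: "request", 2: "response", 3: "traceon (obsolete)",
            4: "traceoff (obsolete)", 5: "poll", 6: "poll entry"}


def build_response(routes, version=1):
    """routes: iterable of (dotted IP, metric).  At most 25 entries per message."""
    routes = list(routes)
    if len(routes) > 25:
        raise ValueError("a RIP message holds at most 25 entries")
    out = HEADER.pack(2, version, 0)
    for ip, metric in routes:
        if not 1 <= metric <= INFINITY:
            raise ValueError(f"metric {metric} out of range 1..16")
        out += ENTRY.pack(2, 0, bytes(int(x) for x in ip.split(".")), b"\0" * 8, metric)
    return out


def parse(msg):
    """Return (command name, version, [(dotted IP, metric), ...]).

    RIP-1 carries no authentication field, so format checks are the only
    checks a receiver can make; anything well-formed from UDP/520 is believed.
    """
    cmd, ver, _ = HEADER.unpack_from(msg)
    if ver not in (1, 2) or cmd not in COMMANDS:
        raise ValueError("not a RIP message")
    if (len(msg) - HEADER.size) % ENTRY.size:
        raise ValueError("truncated entry")
    entries = []
    for off in range(HEADER.size, len(msg), ENTRY.size):
        af, _, ip, _, metric = ENTRY.unpack_from(msg, off)
        if af != 2:                        # only the IP address family is defined
            continue
        if not 1 <= metric <= INFINITY:
            raise ValueError(f"bad metric {metric}")
        entries.append((".".join(map(str, ip)), metric))
    return COMMANDS[cmd], ver, entries


def apply_response(table, sender, entries):
    """Distance-vector update of table {destination: (metric, next hop)}."""
    for dest, metric in entries:
        new = min(metric + 1, INFINITY)    # one more hop via the sender
        cur = table.get(dest)
        if cur is None:
            if new < INFINITY:
                table[dest] = (new, sender)
        elif cur[1] == sender or new < cur[0]:
            table[dest] = (new, sender)    # neighbour's own route: always; others: only if better
    return table
```

A default route is just an entry for 0.0.0.0, and an entry with metric 16 from the neighbour currently in use is how a destination becomes unreachable in this table; a daemon would additionally age entries out when a neighbour falls silent, which the text notes RIP does slowly.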
Allocation of IP addresses

IP addresses are allocated via the Network Information Center. When the Internet was young a message to the Network Information Center was all that was necessary to obtain a block of IP addresses. Today it is more usual to obtain a block of addresses from your Internet Service Provider or direct from one of several regional registries. All the regional registries maintain databases that can be queried using the whois command, however it is sometimes necessary to try several registries. Here is an example of a registry being queried to determine the ownership of an IP network. RIPE is the European Internet registry.

bash$ whois -h whois.ripe.net 194.62.148
% Rights restricted by copyright. See http://www.ripe.net/db/dbcopyright.html

inetnum:      194.62.148.0 - 194.62.151.0
netname:      BILSTONCC
descr:        Bilston Community College
country:      GB
admin-c:      Martin George
tech-c:       Martin George
changed:      [email protected] 941117
source:       RIPE

route:        194.62.148.0/24
descr:        BILSTONCC-1
origin:       AS786
mnt-by:       JIPS-NOSC
changed:      [email protected] 951116
source:       RIPE

person:       Martin George
address:      Bilston Community College
address:      Westfield Rd
address:      Bilston
address:      Wv14 6ER
address:      United Kingdom
phone:        +44 902 353 877 x213
fax-no:       +44 902 401 897
e-mail:       [email protected]
changed:      [email protected] 941117
source:       RIPE

The full list of whois servers is
  whois.arin.net
  whois.apnic.net
  whois.nic.mil
  rs.internic.net
  whois.ripe.net

Details of the physical locations and ownership of IP networks are available on the World Wide Web in the IP Network Index.

Autonomous Systems

The key to high-level Internet routing is the grouping of Internet hosts into autonomous systems, which usually correspond to commercial or administrative entities. Every autonomous system has a distinctive and unique number. Details of autonomous systems are available from the whois servers in the same way as details of IP networks. Unfortunately the syntax of such queries differs between the various servers: the RIPE server requires ASnnnn, whereas the ARIN server requires just the number. Here is a brief list of some autonomous system numbers

  Number   Network
  786      JANET
  1849     UUnet UK (was Pipex)
  2529     Demon
  3300     ATT Unisource (Netherlands)
  5413     Xara
  6453     Teleglobe Montreal
  6683     DANTE
  8297     Teleglobe Virginia

Protocols

An agreed-upon format for transmitting data between two devices. The protocol determines the following:
  the type of error checking to be used
  the data compression method, if any
  how the sending device will indicate that it has finished sending a message
  how the receiving device will indicate that it has received a message
There are a variety of standard protocols from which programmers can choose. Each has particular advantages and disadvantages; for example, some are simpler than others, some are more reliable, and some are faster. From a user's point of view, the only interesting aspect of protocols is that your computer or device must support the right ones if you want to communicate with other computers. A protocol can be implemented either in hardware or in software.

Packets
It turns out that everything you do on the Internet involves packets. For example, every Web page that you receive comes as a series of packets, and every e-mail you send leaves as a series of packets. Networks that ship data around in small packets are called packet switched networks.

On the Internet, the network breaks an e-mail message into parts of a certain size in bytes. These are the packets. Each packet carries the information that will help it get to its destination: the sender's IP address, the intended receiver's IP address, something that tells the network how many packets this e-mail message has been broken into, and the number of this particular packet. The packets carry the data in the protocols that the Internet uses: Transmission Control Protocol/Internet Protocol (TCP/IP). Each packet contains part of the body of your message. A typical packet contains perhaps 1,000 or 1,500 bytes.

Each packet is then sent off to its destination by the best available route, a route that might be taken by all the other packets in the message or by none of them. This makes the network more efficient. First, the network can balance the load across various pieces of equipment on a millisecond-by-millisecond basis. Second, if there is a problem with one piece of equipment in the network while a message is being transferred, packets can be routed around the problem, ensuring the delivery of the entire message.

Depending on the type of network, packets may be referred to by another name: frame, block, cell or segment.

Most packets are split into three parts:

header - The header contains instructions about the data carried by the packet. These instructions may include:
  Length of packet (some networks have fixed-length packets, while others rely on the header to contain this information)
  Synchronization (a few bits that help the packet match up to the network)
  Packet number (which packet this is in a sequence of packets)
  Protocol (on networks that carry multiple types of information, the protocol defines what type of packet is being transmitted: e-mail, Web page, streaming video)
  Destination address (where the packet is going)
  Originating address (where the packet came from)

payload - Also called the body or data of a packet. This is the actual data that the packet is delivering to the destination. If a packet is fixed-length, then the payload may be padded with blank information to make it the right size.

trailer - The trailer, sometimes called the footer, typically contains a couple of bits that tell the receiving device that it has reached the end of the packet. It may also have some type of error checking. The most common error check used in packets is the Cyclic Redundancy Check (CRC). A CRC is not a simple count of the 1 bits in the payload: the sender treats the payload as a polynomial with binary coefficients, divides it by a fixed generator polynomial, and stores the remainder in the trailer. The receiving device performs the same division over the payload it received and compares the result with the value in the trailer. If the values match, the packet is accepted. If they do not, the packet is rejected: on most networks it is simply discarded and retransmission is left to a higher-layer protocol such as TCP, although some link protocols ask the sender to retransmit. A CRC reliably catches accidental corruption (every single-bit error and most burst errors), but it is not a security mechanism: an attacker who can modify a packet can recompute the CRC to match the altered data. Detecting deliberate tampering requires a keyed integrity check, such as the one IPsec adds to each packet.

As an example, let's look at how an e-mail message might get broken into packets. Suppose you send an e-mail to a friend. The e-mail is about 3,500 bits (3.5 kilobits) in size. The network you send it over uses fixed-length packets of 1,024 bits (1 kilobit). The header of each packet is 96 bits long and the trailer is 32 bits long, leaving 896 bits for the payload. To break the 3,500 bits of message into packets you need four packets (3,500 divided by 896, rounded up). Three packets will contain 896 bits of payload and the fourth will have 812 bits, padded out to the fixed length. Each packet's header will contain the proper protocol, the originating address (the IP address of your computer), the destination address (the IP address of the computer where you are sending the e-mail) and the packet number (1, 2, 3 or 4, since there are 4 packets). Routers in the network look at the destination address in the header and compare it to their lookup table to find out where to send the packet. Once the packets arrive at their destination, your friend's computer strips the header and trailer off each packet and reassembles the e-mail based on the numbered sequence of the packets.
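The following Python is an added example, not code from the original text: it implements the CRC-32 used in Ethernet frame trailers, shows that a single flipped bit is caught, and then shows why the check gives no protection against tampering by contrasting it with a keyed HMAC trailer. The payload strings and the key are constructed for the demonstration, and the little-endian trailer layout is an arbitrary choice.

```python
import hashlib
import hmac
import struct

CRC32_POLY = 0xEDB88320  # reflected form of the IEEE 802.3 polynomial 0x04C11DB7


def crc32(data: bytes) -> int:
    """Bitwise CRC-32 (the Ethernet FCS variant; same values as zlib.crc32)."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ CRC32_POLY if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF


def crc_frame(payload: bytes) -> bytes:
    """Payload followed by a 4-byte CRC trailer."""
    return payload + struct.pack("<I", crc32(payload))


def crc_ok(frm: bytes) -> bool:
    payload, trailer = frm[:-4], frm[-4:]
    return struct.unpack("<I", trailer)[0] == crc32(payload)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate a transmission error: invert one bit."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


# Same trailer idea, but keyed: HMAC-SHA256 over the payload. Only holders of
# the key can produce a valid tag. KEY is a constructed demo secret.
KEY = b"constructed-demo-key"


def mac_frame(payload: bytes, key: bytes = KEY) -> bytes:
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def mac_ok(frm: bytes, key: bytes = KEY) -> bool:
    payload, tag = frm[:-32], frm[-32:]
    return hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).digest())


def demo() -> dict:
    """Error detection versus deliberate tampering, for both trailer types."""
    original = b"transfer 100 to alice"
    forged = b"transfer 900 to mallory"
    crc_f, mac_f = crc_frame(original), mac_frame(original)
    return {
        "crc_intact": crc_ok(crc_f),
        "crc_bit_flip": crc_ok(flip_bit(crc_f, 13)),
        # an on-path attacker rewrites the payload and simply recomputes the CRC
        "crc_forged": crc_ok(crc_frame(forged)),
        "mac_intact": mac_ok(mac_f),
        "mac_bit_flip": mac_ok(flip_bit(mac_f, 13)),
        # without the key the attacker can only reuse the old tag
        "mac_forged": mac_ok(forged + mac_f[-32:]),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:14s} accepted={accepted}")
```

Both trailers reject the flipped bit; only the HMAC trailer rejects the rewritten payload, because the attacker cannot recompute it without the key.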
Load Balancing

Distributing processing and communications activity evenly across a computer network so that no single device is overwhelmed. Load balancing is especially important for networks where it is difficult to predict the number of requests that will be issued to a server. Busy Web sites typically employ two or more Web servers in a load balancing scheme: if one server starts to get swamped, requests are forwarded to another server with more capacity. Load balancing can also refer to the communications channels themselves.

One of the biggest issues in parallel and distributed operating environments is the development of effective techniques for distributing the processes of a parallel program over multiple processors. The problem is to schedule the processes among processing elements to achieve some performance goal(s), such as minimizing communication delays and execution time and/or maximizing resource utilization. Local scheduling, performed by the OS of a processor, consists of assigning processes to the time-slices of that processor. Global scheduling is the process of deciding where to execute a process in a multiprocessor system; it may be carried out by a single authority or it may be distributed among processing elements.

Static Scheduling
In static scheduling, the assignment of processes to processors is done before program execution begins. Information about task execution times and resources is assumed to be known at compile time. These methods are non-preemptive. The approach is to minimize the execution time of the concurrent program while minimizing the communication delay. Thus the methods aim to
  predict the program's execution behaviour at compile time,
  partition smaller tasks into coarser-grain processes to reduce communication delays, and
  allocate processes to processors.
Perhaps the most critical drawback of this approach is that generating optimal schedules is an NP-complete problem, hence only restricted solutions can be given. Heuristic methods rely on rules of thumb to guide the scheduling process towards a near-optimal solution. For example, the critical path length of a task is the length of the longest path from that task to the end of the program. Using this heuristic, priority is given to the process with the longer critical path, allowing other, shorter paths to be scheduled around it.

Dynamic Scheduling

This method is based on redistribution of processes at execution time. This is achieved by transferring tasks from heavily loaded processors to lightly loaded ones, which is called load balancing. A typical load balancing algorithm is defined by three inherent policies:
  Information policy: specifies the amount of load information made available to the placement decision makers.
  Transfer policy: specifies the conditions under which a job is transferred, i.e. the current load of the host and the size of the job. In addition, task migration may also be considered where relevant.
  Placement policy: involves allocation of processes to the different processing elements.
The load balancing operations may be centralized in a single processor or distributed among all processing elements, or combined, where the information policy is centralized but the transfer and placement policies are distributed. In a distributed environment, each processing element has its own image of the system load. We can have a cooperative scheduling arrangement, where gradient distribution of the load is performed, or a non-cooperative setup using random scheduling, which is especially useful when the load on all the processing elements is high. The main advantage of the dynamic approach over the static approach is its inherent flexibility, allowing adaptation to unforeseen application requirements at run time, though at the cost of communication overheads. The disadvantages are mainly due to communication delays, load information transfer and decision-making overheads. Future research areas could encompass new concepts for
  hybrid dynamic/static scheduling,
  effective load index measures,
  hierarchical system organizations with local load information distribution and local load balancing policies, and
  incorporation of a set of primitive tools at the distributed OS level.

Introduction

In static scheduling, the assignment of processes to the various PEs is done at compile time, with the goal of minimizing execution time while minimizing communication delays. In static scheduling there are two predominant models for representing a concurrent program:
  Static Task Graphs (STG)
  Directed Acyclic Graphs (DAG)
In the STG model, a concurrent program is represented by an undirected connected graph with the vertices as tasks and the edges indicating which tasks communicate. Source nodes represent starting points where the program begins execution, while sink nodes represent termination. Between the two is a set of interior nodes connected by weighted edges which correspond to the communication delay. In the DAG model, the nodes are tasks, while the directed edges give both the precedence and the communication among the tasks. More recently a hybrid representation has been developed integrating the two schemes into a Temporal Communication Graph (TCG), allowing one to identify logically synchronous phases of communication and computation.

Classification of Static Scheduling Methods

Since the optimal scheduling problem is NP-complete, the focus is on
  special-case optimal scheduling,
  locally optimal solutions, and
  suboptimal methods.

Locally Optimal Solutions: Locally optimal scheduling methods rely on efficient search techniques using algorithms such as simulated annealing, mathematical programming and state space search. Simulated annealing methods perform the following steps:
  make small random changes to an initial schedule,
  evaluate the new schedule,
  continue the process iteratively until no further improvements can be made.
Mathematical programming methods use linear, integer or non-linear programming to solve task scheduling problems. The process consists of:
  definition of an objective function to be minimized, say the program execution time as an aggregate of task execution times and communication delays;
  definition of a set of constraints to preserve properties such as task precedence relations and communication delay constraints, and to guarantee that each task is assigned only once;
  application of a method for solving complex constrained optimization problems, such as dynamic programming or heuristic techniques.
State space search methods rely on branch-and-bound techniques to search the solution space for schedules of an application on a given architecture. This is realized by building a search tree of possible schedules, defining a cost evaluation function and searching the tree for the best schedule. All these methods are time consuming and computation intensive.

Sub-optimal solutions: These methods rely on rules of thumb and heuristics to guide the scheduling process. List scheduling is the most popular technique, in spite of its poor performance in high communication delay situations. There are two simple steps:
  provide a priority list of the tasks to be assigned to the PEs;
  repeatedly remove the top task on the priority list and allocate it to the most suitable PE for execution.
Different heuristics can be used to prioritize tasks:
  precedence relationships and execution times of the tasks;
  critical path length;
  aggregates of several factors such as critical path length, task execution time and number of successor tasks.

Prognosis and future directions in Static Scheduling
  Development of a DAG generator tool
  Development of an execution time estimation tool using user estimates, simulation-based estimates or profile-based estimates
  Development of a performance profiler tool
  Development of a data distribution tool
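As an added example, not from the original text, the Python below runs list scheduling with critical path length as the priority on a small constructed task graph (tasks A to E with made-up execution times and communication delays) for one and two processing elements. It shows the two steps described above in working form, with communication delay charged only when a task and its predecessor land on different PEs, and that the heuristic shortens the makespan once a second PE is available.

```python
from functools import lru_cache

# Constructed program: task -> execution time, and (pred, succ) -> communication
# delay, paid only when the two tasks run on different processing elements.
TASKS = {"A": 2, "B": 3, "C": 2, "D": 4, "E": 1}
EDGES = {("A", "B"): 1, ("A", "C"): 1, ("B", "D"): 2, ("C", "D"): 1, ("D", "E"): 1}


def successors(task):
    return [s for (p, s) in EDGES if p == task]


def predecessors(task):
    return [p for (p, s) in EDGES if s == task]


@lru_cache(maxsize=None)
def critical_path_length(task) -> int:
    """Longest path (execution plus communication) from task to the end of the program."""
    tail = max((EDGES[(task, s)] + critical_path_length(s) for s in successors(task)), default=0)
    return TASKS[task] + tail


def list_schedule(num_procs: int) -> dict:
    """Step 1: priority list ordered by critical path length.
    Step 2: repeatedly take the top ready task and place it on the PE where it can start earliest."""
    priority = sorted(TASKS, key=critical_path_length, reverse=True)
    free_at = [0] * num_procs            # when each PE finishes its current work
    placed = {}                          # task -> (pe, start, finish)
    while priority:
        # highest-priority task whose predecessors have all been placed
        task = next(t for t in priority if all(p in placed for p in predecessors(t)))
        priority.remove(task)
        best_pe, best_start = None, None
        for pe in range(num_procs):
            start = free_at[pe]
            for p in predecessors(task):
                p_pe, _, p_finish = placed[p]
                delay = 0 if p_pe == pe else EDGES[(p, task)]
                start = max(start, p_finish + delay)
            if best_start is None or start < best_start:
                best_pe, best_start = pe, start
        finish = best_start + TASKS[task]
        placed[task] = (best_pe, best_start, finish)
        free_at[best_pe] = finish
    return placed


def makespan(schedule: dict) -> int:
    return max(finish for _, _, finish in schedule.values())


if __name__ == "__main__":
    for n in (1, 2):
        sched = list_schedule(n)
        print(f"{n} PE(s): makespan {makespan(sched)}")
        for task, (pe, start, finish) in sorted(sched.items(), key=lambda kv: kv[1][1]):
            print(f"  {task}: PE{pe} {start}-{finish}")
```

On this graph the priority order is A, B, C, D, E; with two PEs, C moves to the second PE and pays one unit of communication delay, which still beats waiting for B, and the makespan drops from 12 to 11.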
File Server

A computer or device on a network that manages network resources. For example, a file server is a computer and storage device dedicated to storing files. Any user on the network can store files on the server. A print server is a computer that manages one or more printers, and a network server is a computer that manages network traffic. A database server is a computer system that processes database queries. Servers are often dedicated, meaning that they perform no other tasks besides their server tasks. On multiprocessing operating systems, however, a single computer can execute several programs at once. A server in this case could refer to the program that is managing resources rather than the entire computer.
Print Server

Dot matrix printer: One of the earliest mass-market attempts at reliable, high-speed printing, dot matrix printers used a set of pins that could be fired rapidly at an inked ribbon to form characters on an underlying sheet of paper. While speedy, these printers suffered from relatively poor print quality. Even higher-end models with as many as 48 pins could produce only near-letter-quality text. Lower-end, 9-pin models were suitable only for printing drafts.

Ink jet printer: Unlike daisy wheel and dot matrix printers, which rely on physical contact between an inked ribbon and the paper, ink jet printers simply spray ink in a series of dots to form characters. While early ink jets were prone to clogging, they were capable of delivering good print speeds and relatively high-quality text and graphics. Today's best ink jet printers have eliminated most of the clogging problems, rival laser printers for text quality, and can also produce colour images with near-photographic quality, all for even less money than a low-end laser printer.

Laser printer: While considerably more complex and expensive than most other common printer types, laser printers are capable of producing extremely high-quality text and graphics (including colour) at very high speeds. At their most basic, laser printers apply an electrostatic charge to a drum inside the printer cartridge. A laser or a light-emitting diode then discharges portions of the drum to form the characters or graphics. Charged toner attaches itself to these discharged sections. A charged piece of paper is passed over the drum, transferring the toner. The toner is heated and fused to the sheet.
LOGICAL TOPOLOGY Also called signal topology. Every LAN has a topology, or the way that the devices on a network are arranged and how they communicate with each other. The way that the workstations are connected to the network through the actual cables that transmit data -the physical structure of the network -- is called the physical topology. The logical topology, in contrast, is the way that the signals act on the network media, or the way that the data passes through the network from one device to the next without regard to the physical interconnection of the devices. Logical topologies are bound to the network protocols that direct how the data moves across a network. The Ethernet protocol is a common logical bus topology protocol. LocalTalk is a common logical bus or star topology protocol. IBM's Token Ring is a common logical ring topology protocol. A network's logical topology is not necessarily the same as its physical topology. For example, twisted pair Ethernet is a logical bus topology in a physical star topology layout. While IBM's Token Ring is a logical ring topology, it is physically set up in a star topology.
QOS

Short for Quality of Service, a networking term that specifies a guaranteed throughput level. One of the biggest advantages of ATM over competing technologies such as Frame Relay and Fast Ethernet is that it supports QoS levels. This allows ATM providers to guarantee to their customers that end-to-end latency will not exceed a specified level.

What does a Storage Area Network do?

A networking concept in which the software has knowledge of the quantity and value of data stored in mass storage devices and the characteristics of those storage devices. In SAN systems, the software must act as an IT manager and know how the data travels, the backup strategy, data recovery, and the specific attributes of the software needed to preserve and reconstruct the environment in the event of a failure or system reconfiguration. A SAN is a dedicated network that is separate from LANs and WANs. It is generally used to connect all the storage resources connected to various servers. It consists of a collection of SAN hardware and SAN software; the hardware typically has high interconnection rates between the various storage devices and the software manages, monitors and configures the SAN.

From webopedia: A Storage Area Network (SAN) is a high-speed subnetwork of shared storage devices. A storage device is a machine that contains nothing but a disk or disks for storing data. A SAN's architecture works in a way that makes all storage devices available to all servers on a LAN or WAN. As more storage devices are added to a SAN, they too will be accessible from any server in the larger network. In this case, the server merely acts as a pathway between the end user and the stored data.

From Enterprise Storage Forum: A SAN is a network of storage devices that are connected to each other and to a server... in some configurations a SAN is also connected to the network. ... it is forecast to become the data storage technology of choice in the coming years.
IBM: SANs originated to overcome the problems with network attached storage (NAS) devices, which, like ordinary servers, are difficult to manage and difficult to expand in capacity. NAS devices also add to the traffic on the network and suffer from the delays introduced by the operating systems' network stacks.
A SAN is made up of a number of fabric switches connected in a network. The most common form of SAN uses the Fibre Channel fabric protocol (with Fibre Channel switches). Alternatively iSCSI can be used with IP switches. Connected to the SAN will be one or more disk array controllers and one or more servers. The SAN allows the storage space on the hard disks in the disk array controllers to be shared amongst the servers.
Simple Network Management Protocol

Background

The Simple Network Management Protocol (SNMP) is an application layer protocol that facilitates the exchange of management information between network devices. It is part of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth. Two versions of SNMP are covered here: SNMP version 1 (SNMPv1) and SNMP version 2 (SNMPv2). Both versions have a number of features in common, but SNMPv2 offers enhancements, such as additional protocol operations. A third version, SNMP Version 3 (SNMPv3), was still being standardized when this chapter was written; it has since been published (RFCs 3411 to 3418) and adds the message authentication and encryption that the earlier versions lack. This chapter provides descriptions of the SNMPv1 and SNMPv2 protocol operations. Figure 56-1 illustrates a basic network managed by SNMP.

SNMP Basic Components

An SNMP-managed network consists of three key components: managed devices, agents, and network-management systems (NMSs). A managed device is a network node that contains an SNMP agent and that resides on a managed network. Managed devices collect and store management information and make this information available to NMSs using SNMP. Managed devices, sometimes called network elements, can be routers and access servers, switches and bridges, hubs, computer hosts, or printers. An agent is a network-management software module that resides in a managed device. An agent has local knowledge of management information and translates that information into a form compatible with SNMP. An NMS executes applications that monitor and control managed devices. NMSs provide the bulk of the processing and memory resources required for network management. One or more NMSs must exist on any managed network.
SNMP Basic Commands

Managed devices are monitored and controlled using four basic SNMP commands: read, write, trap, and traversal operations. The read command is used by an NMS to monitor managed devices. The NMS examines different variables that are maintained by managed devices. The write command is used by an NMS to control managed devices. The NMS changes the values of variables stored within managed devices. The trap command is used by managed devices to asynchronously report events to the NMS. When certain types of events occur, a managed device sends a trap to the NMS. Traversal operations are used by the NMS to determine which variables a managed device supports and to sequentially gather information in variable tables, such as a routing table.

SNMP Management Information Base

A Management Information Base (MIB) is a collection of information that is organized hierarchically. MIBs are accessed using a network-management protocol such as SNMP. They consist of managed objects and are identified by object identifiers. A managed object (sometimes called a MIB object, an object, or a MIB) is one of any number of specific characteristics of a managed device. Managed objects consist of one or more object instances, which are essentially variables. Two types of managed objects exist: scalar and tabular. Scalar objects define a single object instance. Tabular objects define multiple related object instances that are grouped in MIB tables. An example of a managed object is atInput, which is a scalar object that contains a single object instance, the integer value that indicates the total number of input AppleTalk packets on a router interface. An object identifier (or object ID) uniquely identifies a managed object in the MIB hierarchy. The MIB hierarchy can be depicted as a tree with a nameless root, the levels of which are assigned by different organizations. Figure 56-3 illustrates the MIB tree.
The top-level MIB object IDs belong to different standards organizations, while lower-level object IDs are allocated by associated organizations. Vendors can define private branches that include managed objects for their own products. MIBs that have not been standardized typically are positioned in the experimental branch.
The managed object atInput can be uniquely identified either by the object name, iso.identified-organization.dod.internet.private.enterprise.cisco.temporary variables.AppleTalk.atInput, or by the equivalent object descriptor, 1.3.6.1.4.1.9.3.3.1.

SNMP and Data Representation

SNMP must account for and adjust to incompatibilities between managed devices. Different computers use different data representation techniques, which can compromise the capability of SNMP to exchange information between managed devices. SNMP uses a subset of Abstract Syntax Notation One (ASN.1) to accommodate communication between diverse systems.

SNMP Version 1

SNMP version 1 (SNMPv1) is the initial implementation of the SNMP protocol. It is described in Request For Comments (RFC) 1157 and functions within the specifications of the Structure of Management Information (SMI). SNMPv1 operates over protocols such as User Datagram Protocol (UDP), Internet Protocol (IP), OSI Connectionless Network Service (CLNS), AppleTalk Datagram-Delivery Protocol (DDP), and Novell Internet Packet Exchange (IPX). SNMPv1 is widely used and is the de facto network-management protocol in the Internet community.

SNMPv1 and Structure of Management Information

The Structure of Management Information (SMI) defines the rules for describing management information, using Abstract Syntax Notation One (ASN.1). The SNMPv1 SMI is defined in RFC 1155. The SMI makes three key specifications: ASN.1 data types, SMI-specific data types, and SNMP MIB tables.

SNMPv1 and ASN.1 Data Types

The SNMPv1 SMI specifies that all managed objects have a certain subset of Abstract Syntax Notation One (ASN.1) data types associated with them. Three ASN.1 data types are required: name, syntax, and encoding. The name serves as the object identifier (object ID). The syntax defines the data type of the object (for example, integer or string). The SMI uses a subset of the ASN.1 syntax definitions.
The encoding data describes how information associated with a managed object is formatted as a series of data items for transmission over the network. SNMPv1 and SMI-Specific Data Types The SNMPv1 SMI specifies the use of a number of SMI-specific data types, which are divided into two categories: simple data types and application-wide data types. Three simple data types are defined in the SNMPv1 SMI, all of which are unique values: integers, octet strings, and object IDs. The integer data type is a signed integer in the range of -2,147,483,648 to 2,147,483,647. Octet strings are ordered sequences of 0 to 65,535 octets. Object IDs come from the set of all object identifiers allocated according to the rules specified in ASN.1.
Seven application-wide data types exist in the SNMPv1 SMI: network addresses, counters, gauges, time ticks, opaques, integers, and unsigned integers. Network addresses represent an address from a particular protocol family. SNMPv1 supports only 32-bit IP addresses. Counters are non-negative integers that increase until they reach a maximum value and then return to zero. In SNMPv1, a 32-bit counter size is specified. Gauges are non-negative integers that can increase or decrease but that latch at their maximum value rather than wrapping around. A time tick represents a hundredth of a second since some event. An opaque represents an arbitrary encoding that is used to pass arbitrary information strings that do not conform to the strict data typing used by the SMI. An integer represents signed integer-valued information. This data type redefines the integer data type, which has arbitrary precision in ASN.1 but bounded precision in the SMI. An unsigned integer represents unsigned integer-valued information and is useful when values are always non-negative. This data type also redefines the integer data type, which has arbitrary precision in ASN.1 but bounded precision in the SMI.

SNMP MIB Tables

The SNMPv1 SMI defines highly structured tables that are used to group the instances of a tabular object (that is, an object that contains multiple variables). Tables are composed of zero or more rows, which are indexed in a way that allows SNMP to retrieve or alter an entire row with a single Get, GetNext, or Set command.

SNMPv1 Protocol Operations

SNMP is a simple request/response protocol. The network-management system issues a request, and managed devices return responses. This behavior is implemented by using one of four protocol operations: Get, GetNext, Set, and Trap. The Get operation is used by the NMS to retrieve the value of one or more object instances from an agent.
If the agent responding to the Get operation cannot provide values for all the object instances in a list, it does not provide any values. The GetNext operation is used by the NMS to retrieve the value of the next object instance in a table or a list within an agent. The Set operation is used by the NMS to set the values of object instances within an agent. The Trap operation is used by agents to asynchronously inform the NMS of a significant event.

SNMP Version 2

SNMP version 2 (SNMPv2) is an evolution of the initial version, SNMPv1. Originally, SNMPv2 was published as a set of proposed Internet standards in 1993; at the time of writing it was a draft standard. As with SNMPv1, SNMPv2 functions within the specifications of the Structure of Management Information (SMI). In theory, SNMPv2 offers a number of improvements over SNMPv1, including additional protocol operations.

SNMPv2 and Structure of Management Information

The Structure of Management Information (SMI) defines the rules for describing management information, using ASN.1. The SNMPv2 SMI is described in RFC 1902. It makes certain additions and enhancements to the SNMPv1 SMI-specific data types, such as including bit strings, network addresses, and counters. Bit strings are defined only in SNMPv2 and comprise zero or more named bits that specify a value. Network addresses represent an address from a particular protocol family. SNMPv1 supports only 32-bit IP addresses, but SNMPv2 can support other types of addresses as well. Counters are non-negative integers that increase until they reach a maximum value and then return to zero. In SNMPv1, a 32-bit counter size is specified. In SNMPv2, 32-bit and 64-bit counters are defined.

SMI Information Modules

The SNMPv2 SMI also specifies information modules, which specify a group of related definitions. Three types of SMI information modules exist: MIB modules, compliance statements, and capability statements. MIB modules contain definitions of interrelated managed objects. Compliance statements provide a systematic way to describe a group of managed objects that must be implemented for conformance to a standard. Capability statements are used to indicate the precise level of support that an agent claims with respect to a MIB group. An NMS can adjust its behavior toward agents according to the capability statements associated with each agent.

SNMPv2 Protocol Operations

The Get, GetNext, and Set operations used in SNMPv1 are exactly the same as those used in SNMPv2. However, SNMPv2 adds and enhances some protocol operations. The SNMPv2 Trap operation, for example, serves the same function as that used in SNMPv1, but it uses a different message format and is designed to replace the SNMPv1 Trap. SNMPv2 also defines two new protocol operations: GetBulk and Inform. The GetBulk operation is used by the NMS to efficiently retrieve large blocks of data, such as multiple rows in a table. GetBulk fills a response message with as much of the requested data as will fit. The Inform operation allows one NMS to send trap information to another NMS and to then receive a response.
In SNMPv2, if the agent responding to GetBulk operations cannot provide values for all the variables in a list, it provides partial results.

SNMP Management
SNMP is a distributed-management protocol. A system can operate exclusively as either an NMS or an agent, or it can perform the functions of both. When a system operates as both an NMS and an agent, another NMS might require that the system query managed devices and provide a summary of the information learned, or that it report locally stored management information.

SNMP Security
SNMP lacks any authentication capabilities, which results in vulnerability to a variety of security threats. These include masquerading occurrences, modification of information, message sequence and timing modifications, and disclosure. Masquerading consists of an unauthorized entity attempting to perform management operations by assuming the identity of an authorized management entity. Modification of information involves an unauthorized entity attempting to alter a message generated by an authorized entity so that the message results in unauthorized accounting management or configuration management operations. Message sequence and timing modifications occur when an unauthorized entity reorders, delays, or copies and later replays a message generated by an authorized entity. Disclosure results when an unauthorized entity extracts values stored in managed objects, or learns of notifiable events by monitoring exchanges between managers and agents. Because SNMP does not implement authentication, many vendors do not implement Set operations, thereby reducing SNMP to a monitoring facility.

SNMP Interoperability
As presently specified, SNMPv2 is incompatible with SNMPv1 in two key areas: message formats and protocol operations. SNMPv2 messages use different header and protocol data unit (PDU) formats than SNMPv1 messages. SNMPv2 also uses two protocol operations that are not specified in SNMPv1. Furthermore, RFC 1908 defines two possible SNMPv1/v2 coexistence strategies: proxy agents and bilingual network-management systems.

Proxy Agents
An SNMPv2 agent can act as a proxy agent on behalf of SNMPv1 managed devices, as follows:
· An SNMPv2 NMS issues a command intended for an SNMPv1 agent.
· The NMS sends the SNMP message to the SNMPv2 proxy agent.
· The proxy agent forwards Get, GetNext, and Set messages to the SNMPv1 agent unchanged.
· GetBulk messages are converted by the proxy agent to GetNext messages and then are forwarded to the SNMPv1 agent.
· The proxy agent maps SNMPv1 trap messages to SNMPv2 trap messages and then forwards them to the NMS.

Bilingual Network-Management System
Bilingual SNMPv2 network-management systems support both SNMPv1 and SNMPv2. To support this dual-management environment, a management application in the bilingual NMS must contact an agent. The NMS then examines information stored in a local database to determine whether the agent supports SNMPv1 or SNMPv2. Based on the information in the database, the NMS communicates with the agent using the appropriate version of SNMP.

SNMP Reference: SNMPv1 Message Formats
SNMPv1 messages contain two parts: a message header and a protocol data unit (PDU).
Figure 56-4 illustrates the basic format of an SNMPv1 message.

SNMPv1 Message Header
SNMPv1 message headers contain two fields: Version Number and Community Name. The following descriptions summarize these fields:
· Version number—Specifies the version of SNMP used.
· Community name—Defines an access environment for a group of NMSs. NMSs within the community are said to exist within the same administrative domain. Community names serve as a weak form of authentication because devices that do not know the proper community name are precluded from SNMP operations.

SNMPv1 Protocol Data Unit
SNMPv1 PDUs contain a specific command (Get, Set, and so on) and operands that indicate the object instances involved in the transaction. SNMPv1 PDU fields are variable in length, as prescribed by ASN.1. Figure 56-5 illustrates the fields of the SNMPv1 Get, GetNext, Response, and Set PDU transactions.
· PDU type—Specifies the type of PDU transmitted.
· Request ID—Associates SNMP requests with responses.
· Error status—Indicates one of a number of errors and error types. Only the response operation sets this field. Other operations set this field to zero.
· Error index—Associates an error with a particular object instance. Only the response operation sets this field. Other operations set this field to zero.
· Variable bindings—Serves as the data field of the SNMPv1 PDU. Each variable binding associates a particular object instance with its current value (with the exception of Get and GetNext requests, for which the value is ignored).

Trap PDU Format
Figure 56-6 illustrates the fields of the SNMPv1 Trap PDU. The following descriptions summarize the fields illustrated in Figure 56-6:
· Enterprise—Identifies the type of managed object generating the trap.
· Agent address—Provides the address of the managed object generating the trap.
· Generic trap type—Indicates one of a number of generic trap types.
· Specific trap code—Indicates one of a number of specific trap codes.
· Time stamp—Provides the amount of time that has elapsed between the last network reinitialization and generation of the trap.
· Variable bindings—The data field of the SNMPv1 Trap PDU. Each variable binding associates a particular object instance with its current value.

SNMP Reference: SNMPv2 Message Format
SNMPv2 messages consist of a header and a PDU. Figure 56-7 illustrates the basic format of an SNMPv2 message.

SNMPv2 Message Header
SNMPv2 message headers contain two fields: Version Number and Community Name. The following descriptions summarize these fields:
· Version number—Specifies the version of SNMP that is being used.
· Community name—Defines an access environment for a group of NMSs. NMSs within the community are said to exist within the same administrative domain. Community names serve as a weak form of authentication because devices that do not know the proper community name are precluded from SNMP operations.

SNMPv2 Protocol Data Unit
SNMPv2 specifies two PDU formats, depending on the SNMP protocol operation. SNMPv2 PDU fields are variable in length, as prescribed by Abstract Syntax Notation One (ASN.1). The following descriptions summarize the fields illustrated in Figure 56-8:
· PDU type—Identifies the type of PDU transmitted (Get, GetNext, Inform, Response, Set, or Trap).
· Request ID—Associates SNMP requests with responses.
· Error status—Indicates one of a number of errors and error types. Only the response operation sets this field. Other operations set this field to zero.
· Error index—Associates an error with a particular object instance. Only the response operation sets this field. Other operations set this field to zero.
· Variable bindings—Serves as the data field of the SNMPv2 PDU. Each variable binding associates a particular object instance with its current value (with the exception of Get and GetNext requests, for which the value is ignored).

GetBulk PDU Format
The following descriptions summarize the fields illustrated in Figure 56-9:
· PDU type—Identifies the PDU as a GetBulk operation.
· Request ID—Associates SNMP requests with responses.
· Non repeaters—Specifies the number of object instances in the variable bindings field that should be retrieved no more than once from the beginning of the request. This field is used when some of the instances are scalar objects with only one variable.
· Max repetitions—Defines the maximum number of times that other variables beyond those specified by the Non repeaters field should be retrieved.
· Variable bindings—Serves as the data field of the SNMPv2 PDU. Each variable binding associates a particular object instance with its current value (with the exception of Get and GetNext requests, for which the value is ignored).

Review Questions
Q—What are MIBs, and how are they accessed?
A—A Management Information Base (MIB) is a collection of information that is organized hierarchically. MIBs are accessed using a network-management protocol such as SNMP. They are comprised of managed objects and are identified by object identifiers.
Q—SNMP uses a series of _____ and ______ to manage the network.
A—Gets and Puts. SNMP uses a Get object and a Put object to manage devices on a network, such as getting counters.
Q—Name three of the seven fields of the SNMP v2 GETBULK.
A—PDU Type, Request ID, Nonrepeaters, Max Repetitions, Variable Bindings (the variable bindings consist of variable object fields that make up the three remaining fields).
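The message header and PDU fields described in the two reference sections above, decoded from their BER encoding, as an added example that is not part of the original text. SAMPLE_GET is a constructed SNMPv1 GetRequest, not a captured packet, and DEFAULT_COMMUNITIES is an assumed watch-list; the check at the end shows why a community name is only weak authentication: it travels in the clear in every message.

```python
"""Added example (not from the original text): decode the header and PDU
fields of an SNMPv1/SNMPv2c message from its BER encoding and flag a
community name that is a well-known default. SAMPLE_GET is a constructed
SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0), community "public"."""

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}
VERSION_NAMES = {0: "SNMPv1", 1: "SNMPv2c"}
DEFAULT_COMMUNITIES = {"public", "private"}  # assumed watch-list for the check

SAMPLE_GET = bytes.fromhex(
    "3026"                        # SEQUENCE, 38 bytes follow
    "020100"                      # INTEGER version = 0 (SNMPv1)
    "04067075626c6963"            # OCTET STRING community = "public"
    "a019"                        # GetRequest PDU, 25 bytes follow
    "020101"                      # INTEGER request-id = 1
    "020100"                      # INTEGER error-status = 0
    "020100"                      # INTEGER error-index = 0
    "300e"                        # SEQUENCE OF VarBind
    "300c"                        #   VarBind
    "06082b06010201010100"        #     OID 1.3.6.1.2.1.1.1.0
    "0500"                        #     NULL (value is ignored in a Get)
)


def read_tlv(buf, pos):
    """Read one BER tag/length/value at pos -> (tag, value, position after)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def read_int(value):
    return int.from_bytes(value, "big", signed=True)


def read_oid(value):
    """Decode a BER OBJECT IDENTIFIER to dotted notation."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:               # base-128, high bit set on all but the last octet
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_snmp(packet):
    """Return the message header and PDU fields as a dict."""
    tag, body, end = read_tlv(packet, 0)
    if tag != 0x30 or end != len(packet):
        raise ValueError("not a single SNMP message SEQUENCE")
    tag, version, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version must be an INTEGER")
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community must be an OCTET STRING")
    pdu_tag, pdu, pos = read_tlv(body, pos)
    if pdu_tag not in PDU_NAMES:
        raise ValueError("unknown PDU tag 0x%02x" % pdu_tag)
    if pdu_tag == 0xA4:
        raise ValueError("SNMPv1 Trap PDU has the Figure 56-6 layout, not parsed here")
    # Get/GetNext/Response/Set/GetBulk/Inform share one layout; in a GetBulk
    # the 2nd and 3rd integers are non-repeaters and max-repetitions instead.
    _, req_id, p = read_tlv(pdu, 0)
    _, f2, p = read_tlv(pdu, p)
    _, f3, p = read_tlv(pdu, p)
    _, vbl, p = read_tlv(pdu, p)
    bindings, q = [], 0
    while q < len(vbl):
        _, vb, q = read_tlv(vbl, q)
        _, name, r = read_tlv(vb, 0)
        vtag, value, _ = read_tlv(vb, r)
        bindings.append((read_oid(name), vtag, value))
    bulk = pdu_tag == 0xA5
    return {
        "version": VERSION_NAMES.get(read_int(version), "unknown"),
        "community": community.decode("latin-1"),
        "pdu": PDU_NAMES[pdu_tag],
        "request_id": read_int(req_id),
        "non_repeaters" if bulk else "error_status": read_int(f2),
        "max_repetitions" if bulk else "error_index": read_int(f3),
        "bindings": bindings,
    }


def uses_default_community(msg):
    """The community name is sent in clear text; a default one deserves an alert."""
    return msg["community"] in DEFAULT_COMMUNITIES
```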
SLIP
Short for Serial Line Internet Protocol, a protocol for connection to the Internet via a dialup connection. Developed in the 80s when modem communications typically were limited to 2400 bps, it was designed for simple communication over serial lines. SLIP can be used on RS-232 serial ports and supports asynchronous links. A more common protocol is PPP (Point-to-Point Protocol) because it is faster and more reliable and supports functions that SLIP does not, such as error detection, dynamic assignment of IP addresses and data compression. In general, Internet service providers offer only one protocol although some support both protocols.

Telnet
A terminal emulation program for TCP/IP networks such as the Internet. The Telnet program runs on your computer and connects your PC to a server on the network. You can then enter commands through the Telnet program and they will be executed as if you were entering them directly on the server console. This enables you to control the server and communicate with other servers on the network. To start a Telnet session, you must log in to a server by entering a valid username and password. Telnet is a common way to remotely control Web servers.
ROUTING PROTOCOLS
A generic term that refers to a formula, or protocol, used by a router to determine the appropriate path over which data is transmitted. The routing protocol also specifies how routers in a network share information with each other and report changes. The routing protocol enables a network to make dynamic adjustments to its conditions, so routing decisions do not have to be predetermined and static.

Routing, Routed and Non-Routable Protocols
ROUTING PROTOCOLS
ROUTING PROTOCOLS are the software that allow routers to dynamically advertise and learn routes, determine which routes are available and which are the most efficient routes to a destination. Routing protocols used by the Internet Protocol suite include:
· Routing Information Protocol (RIP and RIP II).
· Open Shortest Path First (OSPF).
· Intermediate System to Intermediate System (IS-IS).
· Interior Gateway Routing Protocol (IGRP).
· Cisco's Enhanced Interior Gateway Routing Protocol (EIGRP).
· Border Gateway Protocol (BGP).

Routing is the process of moving data across two or more networks. Within a network, all hosts are directly accessible because they are on the same
Outside a network, specialized devices called ROUTERS are used to perform the routing process of forwarding packets between networks. Routers are connected to the edges of two or more networks to provide connectivity between them. These devices are usually dedicated machines with specialized hardware and software to speed up the routing process. These devices send and receive routing information to each other about networks that they can and cannot reach. Routers examine all routes to a destination, determine which routes have the best metric, and insert one or more routes into the IP routing table on the router. By maintaining a current list of known routes, routers can quickly and efficiently send your information on its way when received.

There are many companies that produce routers: Cisco, Juniper, Bay, Nortel, 3Com, Cabletron, etc. Each company's product is different in how it is configured, but most will interoperate so long as they share common physical and data link layer protocols (Cisco HDLC or PPP over Serial, Ethernet etc.). Before purchasing a router for your business, always check with your Internet provider to see what equipment they use, and choose a router that will interoperate with your Internet provider's equipment.

ROUTED PROTOCOLS
ROUTED PROTOCOLS are nothing more than data being transported across the networks. Routed protocols include:
· Internet Protocol
  o Telnet
  o Remote Procedure Call (RPC)
  o SNMP
  o SMTP
· Novell IPX
· Open Standards Institute networking protocol
· DECnet
· Appletalk
· Banyan Vines
· Xerox Network System (XNS)

NON-ROUTABLE PROTOCOLS
NON-ROUTABLE PROTOCOLS cannot survive being routed. Non-routable protocols presume that all computers they will ever communicate with are on the same network (to get them working in a routed environment, you must bridge the networks). Today's modern networks are not very tolerant of protocols that do not understand the concept of a multi-segment network, and most of these protocols are dying or falling out of use.
· NetBEUI
· DLC
· LAT
· DRP
· MOP

RIP (Routing Information Protocol)
RIP is a dynamic internetwork routing protocol primarily used in interior routing environments. A dynamic routing protocol, as opposed to a static routing protocol, automatically discovers routes and builds routing tables. Interior environments are typically private networks (autonomous systems). In contrast, exterior routing protocols such as BGP are used to exchange route summaries between autonomous systems. BGP is used among autonomous systems on the Internet. RIP uses the distance-vector algorithm developed by Bellman and Ford (Bellman-Ford algorithm).

Routing Information Protocol Background
The Routing Information Protocol, or RIP, as it is more commonly called, is one of the most enduring of all routing protocols. RIP is also one of the more easily confused protocols because a variety of RIP-like routing protocols proliferated, some of which even used the same name!
RIP and the myriad RIP-like protocols were based on the same set of algorithms that use distance vectors to mathematically compare routes to identify the best path to any given destination address. These algorithms emerged from academic research that dates back to 1957.
Today's open standard version of RIP, sometimes referred to as IP RIP, is formally defined in two documents: Request For Comments (RFC) 1058 and Internet Standard (STD) 56. As IP-based networks became both more numerous and greater in size, it became apparent to the Internet Engineering Task Force (IETF) that RIP needed to be updated. Consequently, the IETF released RFC 1388 in January 1993, which was then superseded in November 1994 by RFC 1723, which describes RIP 2 (the second version of RIP). These RFCs described an extension of RIP's capabilities but did not attempt to obsolete the previous version of RIP. RIP 2 enabled RIP messages to carry more information, which permitted the use of a simple authentication mechanism to secure table updates. More importantly, RIP 2 supported subnet masks, a critical feature that was not available in RIP. This chapter summarizes the basic capabilities and features associated with RIP. Topics include the routing update process, RIP routing metrics, routing stability, and routing timers.

Routing Updates
RIP sends routing-update messages at regular intervals and when the network topology changes. When a router receives a routing update that includes changes to an entry, it updates its routing table to reflect the new route. The metric value for the path is increased by 1, and the sender is indicated as the next hop. RIP routers maintain only the best route (the route with the lowest metric value) to a destination. After updating its routing table, the router immediately begins transmitting routing updates to inform other network routers of the change. These updates are sent independently of the regularly scheduled updates that RIP routers send.

RIP Routing Metric
RIP uses a single routing metric (hop count) to measure the distance between the source and a destination network. Each hop in a path from source to destination is assigned a hop count value, which is typically 1.
When a router receives a routing update that contains a new or changed destination network entry, the router adds 1 to the metric value indicated in the update and enters the network in the routing table. The IP address of the sender is used as the next hop.

RIP Stability Features
RIP prevents routing loops from continuing indefinitely by implementing a limit on the number of hops allowed in a path from the source to a destination. The maximum number of hops in a path is 15. If a router receives a routing update that contains a new or changed entry, and if increasing the metric value by 1 causes the metric to be infinity (that is, 16), the network destination is considered unreachable. The downside of this stability feature is that it limits the maximum diameter of a RIP network to less than 16 hops.
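The update rule and the 16-hop limit described above, applied to a small routing table, as an added example that is not part of the original text. It also applies split horizon when building an update and models the route-timeout and route-flush timers; the timeout and flush values are assumed parameters (the text fixes only the 30-second update interval), holddown is not modelled, and the network names and neighbour names are constructed.

```python
"""Added example (not from the original text): the RIP update rule applied to
a small routing table. Metric = hop count, the sender of an update becomes the
next hop, 16 is infinity (unreachable), and only the best route per destination
is kept. Split horizon is applied when building updates. Timeout/flush values
are parameters assumed for the example; network names are constructed."""

INFINITY = 16           # a metric that reaches 16 means "unreachable"


class RipRouter:
    def __init__(self, name, connected, timeout=180, flush=240):
        # timeout/flush defaults are assumptions for the example, not text values
        self.name = name
        self.timeout = timeout
        self.flush = flush
        # dest -> {"metric", "next_hop" (None = directly connected), "age", "valid"}
        self.routes = {net: {"metric": 1, "next_hop": None, "age": 0, "valid": True}
                       for net in connected}

    def receive_update(self, sender, entries):
        """Process (dest, metric) entries advertised by neighbour `sender`.
        Returns the destinations whose routes changed, which is what a
        triggered update would carry."""
        changed = []
        for dest, metric in entries:
            new_metric = min(metric + 1, INFINITY)   # add one hop for the sender
            cur = self.routes.get(dest)
            if cur is None:
                if new_metric < INFINITY:             # never install an unreachable route
                    self.routes[dest] = {"metric": new_metric, "next_hop": sender,
                                         "age": 0, "valid": True}
                    changed.append(dest)
                continue
            if cur["next_hop"] is None:
                continue                              # directly connected; never overridden
            if cur["next_hop"] == sender:
                cur["age"] = 0                        # same next hop: refresh the timeout
                if new_metric != cur["metric"]:       # RFC 1058: take the current next
                    cur["metric"] = new_metric        # hop's new metric even if worse
                    cur["valid"] = new_metric < INFINITY
                    changed.append(dest)
            elif new_metric < cur["metric"]:          # a strictly better path wins
                cur.update(metric=new_metric, next_hop=sender, age=0, valid=True)
                changed.append(dest)
        return changed

    def advertise(self, neighbour):
        """Build the periodic update sent to `neighbour`. Split horizon: routes
        learned from that neighbour are omitted. Timed-out routes are still
        advertised, with metric 16, until they are flushed."""
        return sorted((dest, r["metric"]) for dest, r in self.routes.items()
                      if r["next_hop"] != neighbour)

    def tick(self, seconds):
        """Advance the route-timeout and route-flush timers of learned routes.
        Past the timeout a route is marked invalid but kept; past the flush
        time it is removed from the table."""
        for dest in list(self.routes):
            r = self.routes[dest]
            if r["next_hop"] is None:
                continue
            r["age"] += seconds
            if r["age"] >= self.flush:
                del self.routes[dest]
            elif r["age"] >= self.timeout:
                r["valid"] = False
                r["metric"] = INFINITY


def reachable(router, dest):
    r = router.routes.get(dest)
    return r is not None and r["valid"]
```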
RIP includes a number of other stability features that are common to many routing protocols. These features are designed to provide stability despite potentially rapid changes in a network's topology. For example, RIP implements the split horizon and holddown mechanisms to prevent incorrect routing information from being propagated.

RIP Timers
RIP uses numerous timers to regulate its performance. These include a routing-update timer, a route-timeout timer, and a route-flush timer. The routing-update timer clocks the interval between periodic routing updates. Generally, it is set to 30 seconds, with a small random amount of time added whenever the timer is reset. This is done to help prevent congestion, which could result from all routers simultaneously attempting to update their neighbors. Each routing table entry has a route-timeout timer associated with it. When the route-timeout timer expires, the route is marked invalid but is retained in the table until the route-flush timer expires.

Packet Formats
The following section focuses on the IP RIP and IP RIP 2 packet formats illustrated in Figures 44-1 and 44-2. Each illustration is followed by descriptions of the fields illustrated.

RIP Packet Format
· Command—Indicates whether the packet is a request or a response. The request asks that a router send all or part of its routing table. The response can be an unsolicited regular routing update or a reply to a request. Responses contain routing table entries. Multiple RIP packets are used to convey information from large routing tables.
· Version number—Specifies the RIP version used. This field can signal different potentially incompatible versions.
· Zero—This field is not actually used by RFC 1058 RIP; it was added solely to provide backward compatibility with prestandard varieties of RIP. Its name comes from its defaulted value: zero.
· Address-family identifier (AFI)—Specifies the address family used. RIP is designed to carry routing information for several different protocols. Each entry has an address-family identifier to indicate the type of address being specified. The AFI for IP is 2.
· Address—Specifies the IP address for the entry.
· Metric—Indicates how many internetwork hops (routers) have been traversed in the trip to the destination. This value is between 1 and 15 for a valid route, or 16 for an unreachable route.
Note: Up to 25 occurrences of the AFI, Address, and Metric fields are permitted in a single IP RIP packet. (Up to 25 destinations can be listed in a single RIP packet.)
RIP 2 Packet Format
· Command—Indicates whether the packet is a request or a response. The request asks that a router send all or a part of its routing table. The response can be an unsolicited regular routing update or a reply to a request. Responses contain routing table entries. Multiple RIP packets are used to convey information from large routing tables.
· Version—Specifies the RIP version used. In a RIP packet implementing any of the RIP 2 fields or using authentication, this value is set to 2.
· Unused—Has a value set to zero.
· Address-family identifier (AFI)—Specifies the address family used. RIPv2's AFI field functions identically to RFC 1058 RIP's AFI field, with one exception: If the AFI for the first entry in the message is 0xFFFF, the remainder of the entry contains authentication information. Currently, the only authentication type is simple password.
· Route tag—Provides a method for distinguishing between internal routes (learned by RIP) and external routes (learned from other protocols).
· IP address—Specifies the IP address for the entry.
· Subnet mask—Contains the subnet mask for the entry. If this field is zero, no subnet mask has been specified for the entry.
· Next hop—Indicates the IP address of the next hop to which packets for the entry should be forwarded.
· Metric—Indicates how many internetwork hops (routers) have been traversed in the trip to the destination. This value is between 1 and 15 for a valid route, or 16 for an unreachable route.
Note: Up to 25 occurrences of the AFI, Address, and Metric fields are permitted in a single IP RIP packet. That is, up to 25 routing table entries can be listed in a single RIP packet. If the AFI specifies an authenticated message, only 24 routing table entries can be specified. Given that individual table entries aren't fragmented into multiple packets, RIP does not need a mechanism to resequence datagrams bearing routing table updates from neighboring routers.
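A parser for the RIP and RIP 2 packet layouts described in the two field lists above, as an added example that is not part of the original text. It reports what a receiver should check: metric range, RIP 1 must-be-zero fields that are set, the 25-entry limit (24 when an authentication entry is present), and the RIP 2 simple-password entry, whose password it returns verbatim because that field is sent in clear text. The sample packets, prefixes and password are constructed.

```python
"""Added example (not from the original text): parse RIP and RIP 2 packets as
laid out above (4-byte header, then 20-byte entries, at most 25 per packet) and
report the problems a receiver should care about. The samples are constructed."""
import struct
from ipaddress import IPv4Address

COMMANDS = {1: "request", 2: "response"}
AFI_IP, AFI_AUTH = 2, 0xFFFF
AUTH_SIMPLE_PASSWORD = 2
MAX_ENTRIES, INFINITY = 25, 16
ENTRY = struct.Struct("!HH4s4s4sI")  # AFI, route tag, address, mask, next hop, metric
ZERO4 = b"\0" * 4


def build_route(addr, metric, mask="0.0.0.0", next_hop="0.0.0.0", tag=0, afi=AFI_IP):
    """Constructed route entry; RIP 1 callers leave tag, mask and next hop at zero."""
    return ENTRY.pack(afi, tag, IPv4Address(addr).packed, IPv4Address(mask).packed,
                      IPv4Address(next_hop).packed, metric)


def build_auth(password):
    """RIP 2 simple-password authentication entry: AFI 0xFFFF, type 2, 16 bytes."""
    return struct.pack("!HH", AFI_AUTH, AUTH_SIMPLE_PASSWORD) + password.ljust(16, b"\0")


def build_packet(command, version, entries):
    return struct.pack("!BBH", command, version, 0) + b"".join(entries)


def parse_rip(packet):
    if len(packet) < 4 or (len(packet) - 4) % ENTRY.size:
        raise ValueError("RIP packet must be 4 + 20*n bytes")
    command, version, _ = struct.unpack("!BBH", packet[:4])
    result = {"command": COMMANDS.get(command, "unknown"), "version": version,
              "auth": None, "routes": [], "problems": []}
    chunks = [packet[i:i + ENTRY.size] for i in range(4, len(packet), ENTRY.size)]
    if len(chunks) > MAX_ENTRIES:
        result["problems"].append("%d entries, limit is %d" % (len(chunks), MAX_ENTRIES))
    for i, chunk in enumerate(chunks):
        afi, tag, addr, mask, nhop, metric = ENTRY.unpack(chunk)
        if i == 0 and afi == AFI_AUTH and version >= 2:
            # the 16 bytes after AFI and auth type hold the password, in the clear
            result["auth"] = {"type": tag, "password": chunk[4:].rstrip(b"\0")}
            continue
        if version == 1 and (tag or mask != ZERO4 or nhop != ZERO4):
            result["problems"].append("entry %d: RIP 1 must-be-zero fields set" % i)
        if not 1 <= metric <= INFINITY:
            result["problems"].append("entry %d: metric %d out of range" % (i, metric))
        result["routes"].append({
            "afi": afi, "tag": tag,
            "address": str(IPv4Address(addr)),
            "mask": str(IPv4Address(mask)) if version >= 2 else None,
            "next_hop": str(IPv4Address(nhop)) if version >= 2 else None,
            "metric": metric,
            "reachable": 1 <= metric < INFINITY,
        })
    if result["auth"] and len(result["routes"]) > MAX_ENTRIES - 1:
        result["problems"].append("authenticated packet may carry only 24 routes")
    return result


# Constructed samples: an authenticated RIP 2 response with one reachable and
# one unreachable route, and a RIP 1 response that exceeds the 25-entry limit.
SAMPLE_V2 = build_packet(2, 2, [
    build_auth(b"constructed-pw"),
    build_route("10.1.0.0", 3, mask="255.255.0.0"),
    build_route("192.168.5.0", INFINITY, mask="255.255.255.0", next_hop="10.1.0.9"),
])
SAMPLE_V1_OVERFULL = build_packet(2, 1, [build_route("10.%d.0.0" % n, 1) for n in range(26)])
```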
Summary
Despite RIP's age and the emergence of more sophisticated routing protocols, it is far from obsolete. RIP is mature, stable, widely supported, and easy to configure. Its simplicity is well suited for use in stub networks and in small autonomous systems that do not have enough redundant paths to warrant the overheads of a more sophisticated protocol.
Review Questions
Q—Name RIP's various stability features.
A—RIP has numerous stability features, the most obvious of which is RIP's maximum hop count. By placing a finite limit on the number of hops that a route can take, routing loops are discouraged, if not completely eliminated. Other stability features include its various timing mechanisms that help ensure that the routing table contains only valid routes, as well as split horizon and holddown mechanisms that prevent incorrect routing information from being disseminated throughout the network.
Q—What is the purpose of the timeout timer?
A—The timeout timer is used to help purge invalid routes from a RIP node. Routes that aren't refreshed for a given period of time are likely invalid because of some change in the network. Thus, RIP maintains a timeout timer for each known route. When a route's timeout timer expires, the route is marked invalid but is retained in the table until the route-flush timer expires.
Q—What two capabilities are supported by RIP 2 but not RIP?
A—RIP 2 enables the use of a simple authentication mechanism to secure table updates. More importantly, RIP 2 supports subnet masks, a critical feature that is not available in RIP.
Q—What is the maximum network diameter of a RIP network?
A—A RIP network's maximum diameter is 15 hops. RIP can count to 16, but that value is considered an error condition rather than a valid hop count.
Transceiver
Short for transmitter-receiver, a device that both transmits and receives analog or digital signals. The term is used most frequently to describe the component in local-area networks (LANs) that actually applies signals onto the network wire and detects signals passing through the wire. For many LANs, the transceiver is built into the network interface card (NIC). Some types of networks, however, require an external transceiver. In Ethernet networks, a transceiver is also called a Medium Access Unit (MAU). In radio communications, a transceiver is a two-way radio that combines both a radio transmitter and a receiver that exchanges information in half-duplex mode.
VOIP
Voice over Internet Protocol (VoIP) technology is the wave of the future in terms of telephone communication via the Internet. VoIP has several advantages over circuit-switched technology used by local phone companies. Circuit-switched technology uses a 'permanent' connection between the caller and callee, which requires a huge amount of bandwidth for each call. This type of technology can only carry certain types of calls, such as telephone to telephone. Also, the hardware circuit-switched networks need to run effectively is extremely expensive, mostly because voice and data services must be supported on different wires. Therefore, each service needs separate hardware to accommodate the voice and data types of traffic. Needless to say, your local phone company then passes the costs of building and maintaining a circuit-switched network on to you, the consumer. Unfortunately, this equals higher rates for your telephone services.

VoIP - How Does it Work?
VoIP technology carries phone calls over networks using Internet Protocol (IP). What this means is that the calls are passed through the Internet or privately managed data networks that use IP to send the calls from one location to the other. So whether the call is passed through the Internet or data networks, the voice stream is broken down into packets, compressed, and sent toward its final destination by several different routes. This is where circuit-switched technology and IP technology differ, in that circuit-switched technology uses a 'permanent' connection for the entire phone call. Once the call reaches the callee, the voice stream packets are reassembled, decompressed, and switched back into a voice stream by several hardware and software elements, depending on the call's final destination. The type of software and hardware needed to start and end a phone call is determined by where the call originated, such as a PC, phone, or an Integrated Access Device (IAD), and whether the call is going to be completed on a PC, telephone, or IAD.
ADVANTAGES OF VoIP
The following is a list of the numerous advantages of using VoIP:
· Voice and data can be sent over the same lines.
· 8 times the number of phone calls can be placed on those lines than in the circuit-switched environment.
· Quality of sound is excellent.
· Lower operating costs due to reduced hardware requirements and a more efficient network infrastructure.
· Lower cost structures enable lower rates than the traditional telephone companies.
· Use of different devices to talk to one another.
VLAN
Introduction
The purpose of this document is to provide a better understanding of Virtual Local Area Networks (VLANs) and their use in the Network 21 architecture. In the following sections, we will define a VLAN and describe its benefits as well as some limitations. We will explain why it is important for a LAN administrator to understand VLANs, and give some basic instructions to determine how many VLANs a department would typically need. Lastly, contact information will be provided for any additional questions you might have. The main reason for covering all of this is to further your understanding of the changes that will occur as part of Network 21 and to assist you in filling out the Network 21 Stage 3 Survey. Use of this information to determine a department's VLAN needs will ease the conversion process. If VLANs are well conceived in advance, the need to readdress devices and modify VLAN configurations more than once will not become an issue. This will save everyone involved a great deal of effort and minimize the amount of changes that will be needed following the initial conversion.

What is a VLAN?
To understand VLANs, it is first necessary to have an understanding of LANs. A Local Area Network (LAN) can generally be defined as a broadcast domain. Hubs, bridges or switches in the same physical segment or segments connect all end node devices. End nodes can communicate with each other without the need for a router. Communications with devices on other LAN segments requires the use of a router. Figure 1 illustrates a typical LAN environment connected by routers. In Figure 1, each LAN is separated from the other by a router. This represents the current UCDNet topology. The individual LANs and broadcast domains are represented by the areas bounded by the dotted lines and numbered 1 through 5 for future reference. Note that the router interface for each LAN is included as part of the LAN and broadcast domain.
As networks expand, more routers are needed to separate users into broadcast and collision domains and provide connectivity to other LANs. In Figure 1, LANs 4 and 5 illustrate the use of a router to separate users in a single building into multiple broadcast domains. One drawback to this design is that routers add latency, which essentially delays the transmission of data. This is caused by the process involved in routing data from one LAN to another. A router must use more of the data packet to determine destinations and route the data to the appropriate end node. Virtual LANs (VLANs) can be viewed as a group of devices on different physical LAN segments which can communicate with each other as if they were all on the same physical LAN segment. VLANs provide a number of benefits over the network described in Figure 1, which we will discuss in the next section. In order to take advantage of the benefits of VLANs, a different network topology is needed. Using the same end nodes as in Figure 1, the switched network in Figure 2 provides the same connectivity as Figure 1. Although the network in Figure 2 has some distinct speed and latency advantages over the network in Figure 1, it also has some serious drawbacks. The most notable of these for the purposes of this discussion is that all hosts (end nodes) are now in the same broadcast domain. This adds a significant amount of traffic to the network that is seen by all hosts on the network. As this network grows, the broadcast traffic has the potential impact of flooding the network and making it essentially unusable. Switches using VLANs create the same division of the network into separate broadcast domains but do not have the latency problems of a router. Switches are also a more cost-effective solution. Figure 3 shows a switched network topology using VLANs. Notice that the initial logical LAN topology from Figure 1 has been restored, with the major changes being the addition of Ethernet switches and the use of only one router. Notice also that the LAN identifiers appear on the single router interface. It is still necessary to use a router when moving between broadcast domains, and in this example, the router interface is a member of all of the VLANs. There are a number of ways to do this, and most are still proprietary and vendor-based. By now you are probably wondering why someone would go to all this work to end up with what appears to be the same network (at least from a logical standpoint) as the original one. Consider Figure 4, where we begin to take advantage of some of the benefits of VLANs. In the previous examples, LANs have been grouped with physical location being the primary concern. In Figure 4, VLAN 1 has been built with traffic patterns in mind. All of the end devices in 1b, 1c, and 1d are primarily used for minicomputer access in 1a. Using VLANs, we are able to group these devices logically into a single broadcast domain. This allows us to confine broadcast traffic for this workgroup to just those devices that need to see it, and reduce traffic to the rest of the network. There is an increased connection speed due to the elimination of latency from router connections.
An additional benefit of increased security could be realized if we made the decision to not allow access to the host from foreign networks, i.e., those that originate from another subnet beyond the router.
· Higher capacity
· Superior allocation and management of network capacity
· Easier management of the constantly changing LAN membership
· Access to multiple VLANs from the same physical interface
· Ease of evolution to new applications.
Figure 6 gives us a look at VLANs in an ATM LANE environment. You'll notice that nothing has changed at the edges of the network, and a little more detail has been added at the core. We will not discuss ATM LANE in detail here. For the purpose of this discussion, Figure 6 shows a high level view of an ATM VLAN environment and closely mirrors the Network 21 architecture.
VLAN Benefits

As we have seen, there are several benefits to using VLANs. To summarize, VLAN architecture benefits include:

Increased performance
Improved manageability
Network tuning and simplification of software configurations
Physical topology independence
Increased security options

Increased performance
Switched networks by nature will increase performance over the shared media devices in use today, primarily by reducing the size of collision domains. Grouping users into logical networks will also increase performance by limiting broadcast traffic to users performing similar functions or within individual workgroups. Additionally, less traffic will need to be routed, and the latency added by routers will be reduced.

Improved manageability
VLANs provide an easy, flexible, less costly way to modify logical groups in changing environments. VLANs make large networks more manageable by allowing centralized configuration of devices located in physically diverse locations.

Network tuning and simplification of software configurations
VLANs will allow LAN administrators to "fine tune" their networks by logically grouping users. Software configurations can be made uniform across machines with the consolidation of a department's resources into a single subnet. IP addresses, subnet masks, and local network protocols will be more consistent across the entire VLAN. Fewer implementations of local server resources such as BOOTP and DHCP will be needed in this environment. These services can be more effectively deployed when they can span buildings within a VLAN.

Physical topology independence
VLANs provide independence from the physical topology of the network by allowing physically diverse workgroups to be logically connected within a single broadcast domain. If the physical infrastructure is already in place, it now becomes a simple matter to add ports in new locations to existing VLANs if a department expands or relocates. These assignments can take place in advance of the move, and it is then a simple matter to move devices with their existing configurations from one location to another. The old ports can then be "decommissioned" for future use, or reused by the department for new users on the VLAN.

Increased security options
VLANs have the ability to provide additional security not available in a shared media network environment. By nature, a switched network delivers frames only to the intended recipients, and broadcast frames only to other members of the VLAN. This allows the network administrator to segment users requiring access to sensitive information into separate VLANs from the rest of the general user community, regardless of physical location. In addition, monitoring of a port with a traffic analyzer will only show the traffic associated with that particular port, making discreet monitoring of network traffic more difficult. It should be noted that the enhanced security mentioned above is not to be considered an absolute safeguard against security infringements. A switch still floods frames for destinations it has not yet learned to every port in the VLAN, and anyone who can reconfigure the switch can move a port between VLANs. What this provides is an additional safeguard against "casual" but unwelcome attempts to view network traffic.

VLAN Limitations

There are a few limitations to using VLANs, some of the more notable being:

Broadcast limitations
Device limitations
Port constraints

Broadcast limitations
In order to handle broadcast traffic in an ATM VLAN environment it is necessary to have a special server that is an integrated part of the ATM infrastructure. This server has limitations in the number of broadcasts that may be forwarded. Some network protocols that will be running within individual VLANs, such as IPX and AppleTalk, make extensive use of broadcast traffic. This has the potential of impacting thresholds on the switches or broadcast servers and may require special consideration when determining VLAN size and configuration.

Device limitations
The number of Ethernet addresses that can be supported by each edge device is 500. This represents a distribution of about 20 devices per Network 21 port. These numbers are actual technical limitations that could be further reduced due to the performance requirements of attached devices. These limitations are above the recommended levels for high performance networking. From a pure performance standpoint, the ideal end-user device to Network 21 port ratio would be one device per port. From a practical point of view, a single Network 21 port could be shared by a number of devices that do not require a great deal of bandwidth and belong to the same VLAN. An example of this would be a desktop computer, printer, and laptop computer for an individual user.

Port constraints
If a departmental hub or switch is connected to a Network 21 port, every port on that hub must belong to the same VLAN. Hubs do not have the capability to provide VLANs to individual ports, and VLANs cannot be extended beyond the edge device ports even if a switch capable of supporting VLANs is attached.

Preparation for VLANs

Here are answers to some questions that you might have with regards to the implementation of Network 21 and VLANs.
How many VLANs do I need?
The Network 21 Project can accommodate 300-400 VLANs. In the majority of cases a department should only need one VLAN. Given that there are 250 departments included in the project, departments should try to limit their VLANs to one or two. Each LAN Administrator will need to determine appropriate logical groups for their department. It is anticipated that most departments will obtain maximum benefits by consolidating the majority (if not all) of their users into a single large VLAN. Smaller VLANs would then be used if necessary to group together power users or those requiring special handling.

What VLAN information is required by the survey?
As part of the Network 21 Stage 3 survey you will be asked to identify both the number of VLANs your department requires and the individual NAMs that comprise each VLAN. A worksheet will be provided for each of these tasks. The Department VLAN Worksheet simply asks for the number (start with one and increment accordingly), a description of the purpose, the primary department owner, and the name of any other departments on the VLAN. The Department NAM Verification worksheet lists all of the department's NAMs and their building and room number. You are asked to supply information as to which VLAN number (from the Department VLAN Worksheet) each NAM is to be connected to, and the number of devices served by that NAM. There are also check boxes to identify whether any devices attached to each NAM are running AppleTalk, DECnet, or IPX. Detailed instructions and examples will be provided with the survey sheets to use for assistance in filling out these forms.

Glossary

ATM: Asynchronous Transfer Mode. International standard for cell relay in which multiple service types (such as voice, video, or data) are conveyed in fixed-length (53-byte) cells. Fixed-length cells allow cell processing to occur in hardware, thereby reducing delay. ATM is designed to take advantage of high-speed transmission media.

Bridge: A device that connects and passes packets between two network segments that use the same communications protocol. Bridges operate at the data link layer (Layer 2) of the OSI reference model. In general, a bridge will filter, forward, or flood an incoming frame based on the MAC address of that frame.

BOOTP: Bootstrap Protocol. A protocol that is used by a network node to determine the IP address of its Ethernet interfaces, in order to effect network booting.

Broadcast Domain: The set of all devices that will receive broadcast frames originating from any device within the set. Broadcast domains can be bounded by VLANs in a stand-alone environment. In an internetworking environment, they are typically bounded by routers because routers do not forward broadcast frames.

Collision: In Ethernet, the result of two nodes transmitting simultaneously. The frames from each device impact and are damaged when they meet on the physical media.

Collision Domain: In Ethernet, the network area within which frames that have collided are propagated. Repeaters and hubs propagate collisions; LAN switches, bridges and routers do not.

CSMA/CD: Carrier Sense Multiple Access/Collision Detect. Media-access mechanism wherein devices ready to transmit data first check the channel for a carrier signal. If no carrier is sensed for a specific period, a device can transmit. A collision occurs if two devices transmit simultaneously, and the collision is detected by all colliding devices. This collision subsequently delays retransmissions from those devices for some random length of time. CSMA/CD access is used by Ethernet and IEEE 802.3.

DHCP: Dynamic Host Configuration Protocol. Provides a mechanism for allocating IP addresses dynamically so that addresses can be reused when hosts no longer need them.

Edge Device: A physical device that is capable of forwarding packets between legacy interfaces (such as Ethernet and Token Ring) and ATM interfaces based on data-link and network layer information. An edge device does not participate in the running of any network layer routing protocol.

Ethernet: Baseband LAN specification invented by Xerox Corporation and developed jointly by Xerox, Intel, and Digital Equipment Corporation. Ethernet networks use CSMA/CD and run over a variety of cable types at 10 Mbps. Ethernet is similar to the IEEE 802.3 series of standards.

Fast Ethernet: Any of a number of 100-Mbps Ethernet specifications. Fast Ethernet offers a speed increase ten times that of the 10BaseT Ethernet specification, while preserving such qualities as frame format, MAC mechanisms, and MTU. Such similarities allow the use of existing Ethernet applications and network management tools on Fast Ethernet networks.
Fast Ethernet is based on an extension to the IEEE 802.3 specification.

Frame: The logical grouping of information sent as a data link layer unit over a transmission medium. Often refers to the header and trailer, used for synchronization and error control, which surround the user data contained in the unit.

Hub: Generally, a device that serves as the center of a star-topology shared network. Also describes a hardware or software device that contains multiple independent but connected modules of network and internetwork equipment.

IEEE: Institute of Electrical and Electronics Engineers. The IEEE is a professional organization whose activities include the development of communications and network standards. IEEE LAN standards are the predominant LAN standards today.

IP: Internet Protocol. Network layer protocol in the TCP/IP stack offering a connectionless internetwork service. IP provides features for addressing, type-of-service specification, security, and fragmentation and reassembly.

IP Address: 32-bit (IPv4) address assigned to hosts using TCP/IP. An IP address belongs to one of five classes (A, B, C, D, or E) and is written as four octets separated by periods (dotted decimal format). Each address consists of a network number, an optional subnetwork number, and a host number. The network and subnetwork numbers together are used for routing, while the host number is used to address an individual host within the network or subnetwork. A subnet mask is used to extract network and subnetwork information from the IP address.

LAN: Local-Area Network. High-speed, low-error data network covering a relatively small geographic area (up to a few thousand meters). LANs connect workstations, peripherals, terminals, and other devices in a single building or other geographically limited area. LAN standards specify cabling and signaling at the physical and data link layers of the OSI model. Ethernet, FDDI, and Token Ring are widely used LAN technologies.

LANE: LAN emulation. Technology that allows an ATM network to function as a LAN backbone. The ATM network must provide multicast and broadcast support, address mapping (MAC-to-ATM), SVC management, and a usable packet format. LANE also defines Ethernet and Token Ring ELANs.

Latency: Delay between the time a device requests access to a network and the time it is granted permission to transmit. It is also the delay between the time when a device receives a frame and the time that frame is forwarded out the destination port.

Node: Endpoint of a network connection or a junction common to two or more lines in a network. Nodes can be processors, controllers, or workstations.
Nodes, which vary in routing and other functional capabilities, can be interconnected by links, and serve as control points in the network. Node is sometimes used generically to refer to any entity that can access a network, and is frequently used interchangeably with device.

OSI Model: Open System Interconnection reference model. Network architectural model developed by ISO and ITU-T. The model consists of seven layers, each of which specifies particular network functions such as addressing, flow control, error control, encapsulation, and reliable message transfer. The lowest layer (the physical layer) is closest to the media technology. The lower two layers are implemented in hardware and software, while the upper five layers are implemented only in software. The highest layer (the application layer) is closest to the user. The OSI reference model is used universally as a method for teaching and understanding network functionality.

Packet: A logical grouping of information that includes a header containing control information and (usually) user data. "Packet" is most often used to refer to network layer units of data.

Router: Network layer device that uses one or more metrics to determine the optimal path along which network traffic should be forwarded. Routers forward packets from one network to another based on network layer information. Occasionally called a gateway (although this definition of gateway is becoming increasingly outdated).

Subnet: Subnetwork. In IP networks, a network sharing a particular subnet address. Subnetworks are networks arbitrarily segmented by a network administrator in order to provide a multilevel, hierarchical routing structure while shielding the subnetwork from the addressing complexity of attached networks.

Subnet Mask: 32-bit address mask used in IP to indicate the bits of an IP address that are being used for the subnet address. The subnet mask is sometimes referred to simply as the mask.

Switch: A network device that filters, forwards, and floods frames based on the destination address of each frame. The switch operates at the data link layer of the OSI model.

VLAN: Virtual LAN. Group of devices on one or more LANs that are configured (using management software) so that they can communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments. Because VLANs are based on logical instead of physical connections, they are extremely flexible.
ISDN

ISDN is the abbreviation of Integrated Services Digital Network, an international communications standard for sending voice, video, and data over digital telephone lines or normal telephone wires. ISDN supports data transfer rates of 64 Kbps (64,000 bits per second) per channel. There are two types of ISDN:

Basic Rate Interface (BRI) -- consists of two 64-Kbps B-channels and one D-channel for transmitting control information.
Primary Rate Interface (PRI) -- consists of 23 B-channels and one D-channel (U.S.) or 30 B-channels and one D-channel (Europe).

The original version of ISDN employs baseband transmission. Another version, called B-ISDN, uses broadband transmission over ATM and is able to support transmission rates of 155 Mbps and above. B-ISDN requires fiber optic cables and is not widely available. ISDN is a system of digital phone connections which has been available for over a decade. This system allows voice and data to be transmitted simultaneously across the world using end-to-end digital connectivity.
ISDN (Integrated Services Digital Network) is a type of digital phone/data and Internet service that preceded ADSL (Asymmetric Digital Subscriber Line) and has for the most part been superseded by it. Normal telephone lines carry analog signals that must be amplified and converted to digital signals by the phone company. This process introduces not only a slight lag time, but also distortion in the signal. Dial-up modems and telephones are examples of equipment that use analog signals. ISDN makes use of digital signals running along existing copper lines to increase the data throughput, reduce line noise and enhance signal quality. In the mid 1990s, ADSL was very expensive and not widely available. Companies and individuals wanted a faster way to connect to the Internet, but the technology behind dial-up modems had reached its limit. ISDN became a viable alternative, providing speeds of up to 128 kilobits per second (kbps), versus the standard connection of 30-53 kbps with a dial-up modem. The most common type of ISDN service for Internet connection is the Basic Rate Interface, or ISDN BRI. This technology creates two B-channels of 64 kbps each on the existing copper lines, along with a single 16 kbps D-channel for signalling. Because each B-channel can carry voice or data independently, a telephone or fax call can proceed on one B-channel while the other carries data. While ISDN is inexpensive and about twice as fast as dial-up service, it has been largely replaced by affordable DSL service. An inexpensive ADSL service offers speeds up to 384 kbps, while more expensive versions are improving in speed all the time. As of fall 2005, standard ADSL speeds range between 1.5 and 3.0 Mbps (megabits per second), or 1536-3072 kbps. Although ISDN may not be the best choice for packet-switching networks like the Internet, it is still widely used for professional audio and broadcast applications where digital clarity with integrated telephone services is specifically required.
Small businesses that often use two voice lines, such as phone and fax, and only require limited Internet connectivity of, say, an hour or less per day, may prefer ISDN. ISDN might also be a better choice for high-speed connections to intranets for video-conferencing, or to remote networks other than the Internet. With ISDN, voice and data are carried by bearer channels (B channels) occupying a bandwidth of 64 kb/s (bits per second). Some switches limit B channels to a capacity of 56 kb/s. A data channel (D channel) handles signaling at 16 kb/s or 64 kb/s, depending on the service type. Note that, in ISDN terminology, "k" means 1000 (10^3), not 1024 (2^10) as in many computer applications (the designator "K" is sometimes used to represent this value); therefore, a 64 kb/s channel carries data at a rate of 64000 b/s. A set of standard binary prefixes has been created to remove this ambiguity. Under this scheme, "k" (kilo-) means 1000 (10^3), "M" (mega-) means 1000000 (10^6), and so on, while "Ki" (kibi-) means 1024 (2^10), "Mi" (mebi-) means 1048576 (2^20), and so on.

There are two basic types of ISDN service: Basic Rate Interface (BRI) and Primary Rate Interface (PRI). BRI consists of two 64 kb/s B channels and one 16 kb/s D channel for a total of 144 kb/s. This basic service is intended to meet the needs of most individual users. PRI is intended for users with greater capacity requirements. Typically the channel structure is 23 B channels plus one 64 kb/s D channel for a total of 1536 kb/s. In Europe, PRI consists of 30 B channels plus one 64 kb/s D channel for a total of 1984 kb/s. It is also possible to support multiple PRI lines with one 64 kb/s D channel using Non-Facility Associated Signaling (NFAS).

H channels provide a way to aggregate B channels. They are implemented as:

H0 = 384 kb/s (6 B channels)
H10 = 1472 kb/s (23 B channels)
H11 = 1536 kb/s (24 B channels)
H12 = 1920 kb/s (30 B channels) - International (E1) only

To access BRI service, it is necessary to subscribe to an ISDN phone line. Customers must be within 18000 feet (about 3.4 miles or 5.5 km) of the telephone company central office for BRI service; beyond that, expensive repeater devices are required, or ISDN service may not be available at all. Customers will also need special equipment to communicate with the phone company switch and with other ISDN devices. These devices include ISDN Terminal Adapters (sometimes called, incorrectly, "ISDN Modems") and ISDN Routers.

The early phone network consisted of a pure analog system that connected telephone users directly by a mechanical interconnection of wires. This system was very inefficient, was very prone to breakdown and noise, and did not lend itself easily to long-distance connections. Beginning in the 1960s, the telephone system gradually began converting its internal connections to a digital switching system. Today, nearly all voice switching in the U.S.
is digital within the telephone network. Still, the final connection from the local central office to the customer equipment was, and still largely is, an analog Plain Old Telephone Service (POTS) line. In the early 1990s, an industry-wide effort began to establish a specific implementation for ISDN in the U.S. Members of the industry agreed to create the National ISDN 1 (NI-1) standard so that end users would not have to know the brand of switch they are connected to in order to buy equipment and software compatible with it. However, there were problems agreeing on this standard. In fact, many western states would not implement NI-1. Both Southwestern Bell and U.S. West (now Qwest) said that they did not plan to deploy NI-1 software in their central office switches due to incompatibilities with their existing ISDN networks.
Most recently, ISDN service has largely been displaced by broadband internet service, such as xDSL and Cable Modem service. These services are faster, less expensive, and easier to set up and maintain than ISDN. Still, ISDN has its place, as backup to dedicated lines, and in locations where broadband service is not yet available.
DNS

DNS name structure
In the early days of the Internet, all host names and their associated IP addresses were recorded in a single file called hosts.txt, maintained by the Network Information Centre in the USA. Not surprisingly, as the Internet grew so did this file, and by the mid-80's it had become impractically large to distribute to all systems over the network, and impossible to keep up to date. The Internet Domain Name System (DNS) was developed as a distributed database to solve this problem. Its primary goal is to allow the allocation of host names to be distributed amongst multiple naming authorities, rather than centralised at a single point.

DNS names are constructed hierarchically, the highest level of the hierarchy being the last component or label of the DNS address. Labels can be up to 63 characters long and are case insensitive. A maximum length of 255 characters is allowed for the whole name. Under the original rules (RFC 952) labels must start with a letter and can only consist of letters, digits and hyphens. [Some administrators construct names that start with digits. RFC 1123 later permitted this, but such names can still cause problems with software that simply inspects the first character of a host address to determine whether a DNS name or an IP address has been quoted; robust software should instead try to parse the string as an address.]

Note: In the early days of the Internet users in at least one country (the United Kingdom) adopted a similar scheme with the highest hierarchical level appearing first rather than last, i.e. uk.ac.wlv.scit.sunc rather than sunc.scit.wlv.ac.uk. This practice is, fortunately, obsolete.

DNS addresses can be relative or fully qualified. A fully qualified address includes all the labels and is globally unique. A relative address can be converted by appending the local domain information. For example sunc.scit.wlv.ac.uk is a fully qualified name for the host sunc in the domain scit.wlv.ac.uk. Strictly there should be a stop at the end of a fully qualified name, but this is often overlooked.
The final, most significant label of a fully qualified name can fall into one of three classes:

arpa
This is a special facility used for reverse translation, i.e. going from IP address to fully qualified domain address. If everything is properly configured a suitably framed query for 1.4.220.134.in-addr.arpa will return sunc.scit.wlv.ac.uk. Details of this will be described later.
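As an added example (not from the original notes), the following Python applies the label and length rules given above, qualifies a relative name, builds the in-addr.arpa name for an IPv4 address, and contrasts the first-character heuristic criticised above with simply parsing the string as an address. The strict pattern follows the rule as the notes state it; the relaxed one follows RFC 1123, which later permitted a leading digit. The sample names are the ones the notes use.

```python
"""DNS name rules from the notes, as runnable checks.

Added example, not from the original notes; the sample names are the ones the
notes use and the addresses are documentation addresses."""
import ipaddress
import re

MAX_LABEL_LEN = 63
MAX_NAME_LEN = 255

# Rule as stated in the notes (and in RFC 952): a label begins with a letter.
LABEL_STRICT = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
# RFC 1123 relaxed this to allow a leading digit; a hyphen still cannot begin or end a label.
LABEL_RFC1123 = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def check_name(name, allow_leading_digit=False):
    """Return a list of rule violations; an empty list means the name is acceptable.

    A trailing stop marks a fully qualified name and is not itself a label.
    Labels are case insensitive, so both patterns accept either case.
    """
    problems = []
    bare = name[:-1] if name.endswith(".") else name
    if not bare:
        return ["empty name"]
    if len(bare) > MAX_NAME_LEN:
        problems.append(f"name is longer than {MAX_NAME_LEN} characters")
    pattern = LABEL_RFC1123 if allow_leading_digit else LABEL_STRICT
    for label in bare.split("."):
        if not label:
            problems.append("empty label (two consecutive stops)")
        elif len(label) > MAX_LABEL_LEN:
            problems.append(f"label {label!r} is longer than {MAX_LABEL_LEN} characters")
        elif not pattern.match(label):
            problems.append(f"label {label!r} breaks the letter/digit/hyphen rule")
    return problems


def to_fqdn(name, local_domain):
    """Qualify a relative name by appending the local domain and the trailing stop.

    A name that already ends in a stop is treated as fully qualified and returned as is.
    """
    if name.endswith("."):
        return name
    return f"{name}.{local_domain.strip('.')}."


def reverse_name(address):
    """Build the in-addr.arpa name that a reverse lookup of an IPv4 address queries."""
    octets = str(ipaddress.IPv4Address(address)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def naive_is_address(text):
    """The fragile heuristic the notes warn about: judge by the first character only."""
    return text[:1].isdigit()


def is_address(text):
    """Robust test: the string is an address only if it parses as one."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(check_name("sunc.scit.wlv.ac.uk."))                   # []
    print(check_name("1host.scit.wlv.ac.uk"))                   # strict rule complains
    print(check_name("1host.scit.wlv.ac.uk", allow_leading_digit=True))  # []
    print(to_fqdn("sunc", "scit.wlv.ac.uk"))                    # sunc.scit.wlv.ac.uk.
    print(reverse_name("134.220.4.1"))                          # 1.4.220.134.in-addr.arpa.
    print(naive_is_address("1host.example"), is_address("1host.example"))  # True False
```

The last two functions show why the first-character check is the wrong tool: a name that happens to start with a digit is misclassified as an address, whereas parsing it with the ipaddress module gives the right answer for both names and dotted-decimal addresses.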
3 letter codes
The DNS was originally introduced in the United States of America and the final component of an address was intended to indicate the type of organisation hosting the computer. Some of the three letter final labels (edu, gov, mil) are still only used by organisations based in the USA; others can be used anywhere in the world. The three letter codes are:

com: Commercial. Now international.
edu: Educational.
gov: Government.
int: International organisation.
mil: Military.
net: Network related.
org: Miscellaneous organisation.

Two letter codes
The final two letter codes indicate the country of origin and are defined in ISO 3166, with the minor exception that uk is used for the United Kingdom rather than gb, although there are some .gb sites. [This apparently happened because the ISO committee was unaware that Northern Ireland was part of the United Kingdom but not part of Great Britain.] The two letter code us is used by some sites in the United States of America. In some countries there are sub-domains indicating the type of organisation, such as ac.uk, co.uk, sch.uk in the United Kingdom and edu.au and com.au in Australia. Most European countries have not adopted this useful practice. A fuller discussion of the United Kingdom DNS domains is provided by

To obtain a domain address it is necessary to identify the administrator of the required domain; then all that is basically necessary is to send the administrator the required code and the associated IP address and they will, if they accept the request, include the details in their databases. Conditions for acceptance vary widely between administrators, those for com and org being, apparently, quite happy to accept anything from anywhere.

A DNS server is just a computer that's running DNS software. Since most servers are Unix machines, the most popular program is BIND (Berkeley Internet Name Domain), but you can find software for the Mac and the PC as well.
DNS software is generally made up of two elements: the name server itself, and something called a resolver. The name server responds to requests (from a browser, for example) by supplying name-to-address conversions. When it doesn't know the answer, it asks another name server for the information; the resolver on the client is the piece that sends the original query to the local name server and hands the result back to the application.

To see how it works, let's go back to the domain-name-space inverted tree. When you type in a URL, your browser sends a request to the closest name server. If that server has fielded a request for the same host name recently (within the record's time to live, a period set by the zone's administrator to prevent passing stale information), it will locate the information in its cache and reply. If the name server is unfamiliar with the domain name, it will attempt to "solve" the problem by asking a server farther up the tree. If that doesn't work, the second server will ask yet another, until it finds one that knows. (When a server can supply an answer without asking another, it's known as an authoritative server.) Once the information is located, it's passed back to your browser, and you're sent on your merry way.

Usually this process occurs quickly, but occasionally it can take an excruciatingly long time (like 15 seconds). In the worst cases, you'll get a dialog box that says the domain name doesn't exist, even though you know it does. This happens because the authoritative server is slow replying to the first, and your computer gets tired of waiting, so it times out (drops the connection). But if you try again, there's a good chance it will work, because the authoritative server has had enough time to reply and your name server has stored the information in its cache.
DNS Structure
The DNS is arranged as a hierarchy, both from the perspective of the structure of the names maintained within the DNS, and in terms of the delegation of naming authorities. At the top of the hierarchy is the root domain "." which is administered by the Internet Assigned Numbers Authority (IANA). Administration of the root domain gives the IANA the authority to allocate domains beneath the root. The process of assigning a domain to an organisational entity is called delegating, and involves the administrator of a domain creating a sub-domain and assigning the authority for allocating sub-domains of the new domain to the sub-domain's administrative entity. This is a hierarchical delegation, which commences at the "root" of the Domain Name Space (".").

A fully qualified domain name is obtained by writing the simple names obtained by tracing the DNS hierarchy from the leaf node to the root, from left to right, separating each name with a stop ".". For example, fred.xxxx.edu.au. is the name of a host system (fred) within the XXXX University (xxxx), an educational (edu) institution within Australia (au).

The sub-domains of the root are known as the top-level domains, and include the edu (educational), gov (government), and com (commercial) domains. Although an organisation anywhere in the world can register beneath these three-character top-level domains, the vast majority that have are located within, or have parent companies based in, the United States. The top-level domains represented by the ISO two-character country codes are used in most other countries; thus organisations in Australia are registered beneath au. The majority of country domains are sub-divided into organisational-type sub-domains. In some countries two character sub-domains are created (e.g. ac.nz for New Zealand academic organisations), and in others three character sub-domains are used (e.g. com.au for Australian commercial organisations). Regardless of the standard adopted, each domain may be delegated to a separate authority.

Organizations that wish to register a domain name, even if they do not plan to establish an Internet connection in the immediate short term, should contact the administrator of the domain which most closely describes their activities. Even though the DNS supports many levels of sub-domains, delegations should only be made where there is a requirement for an organization or organizational sub-division to manage their own name space. Any sub-domain administrator must also demonstrate they have the technical competence to operate a domain name server (described below), or arrange for another organization to do so on their behalf.

Domain Name Servers
The DNS is implemented as a collection of inter-communicating name servers. At any given level of the DNS hierarchy, a name server for a domain has knowledge of all the immediate sub-domains of that domain. For each domain there is a primary name server, which contains authoritative information regarding Internet entities within that domain. In addition, secondary name servers can be configured, which periodically download authoritative data from the primary server. Secondary name servers provide backup to the primary name server when it is not operational, and further improve the overall performance of the DNS, since the name servers of a domain that respond to queries most quickly are used in preference to any others.
Thus, in addition to having a primary name server on site, each organization should have at least one secondary on site, and another elsewhere on the Internet, preferably well connected. This is particularly important for entities with slow speed or dial-up Internet connections to reduce use of their link to support the DNS.
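The walk down the tree described in the previous two sections, and the role of a secondary server when the primary is unreachable, can be exercised with a toy resolver. The following Python is an added example written for these notes, not real DNS software or the notes' own code: it follows referrals from an invented root server down to the server authoritative for fred.xxxx.edu.au., caches the answer for a TTL, and moves on to the secondary for the au zone when the primary does not respond. All server names and addresses are constructed for the example; looking servers up by name in a dictionary stands in for the glue records a real resolver would need.

```python
"""Toy iterative resolver over a constructed delegation tree.

Added example for these notes, not real DNS code. Server names and addresses
are invented; the dictionary of servers stands in for glue records."""
import time


class NameServer:
    def __init__(self, zone, records, delegations, down=False):
        self.zone = zone                # zone this server is authoritative for
        self.records = records          # fqdn -> address (authoritative data)
        self.delegations = delegations  # child zone -> names of its servers
        self.down = down                # simulate an unreachable primary

    def query(self, fqdn):
        if self.down:
            raise TimeoutError(f"server for {self.zone} is not responding")
        if fqdn in self.records:
            return ("answer", self.records[fqdn])
        # Referral: hand back the servers of the longest child zone the name falls under.
        for child in sorted(self.delegations, key=len, reverse=True):
            if fqdn == child or fqdn.endswith("." + child):
                return ("referral", self.delegations[child])
        return ("nxdomain", None)


class Resolver:
    def __init__(self, servers, root_servers, ttl=300.0, clock=time.monotonic):
        self.servers = servers          # server name -> NameServer
        self.root_servers = root_servers
        self.ttl = ttl                  # how long an answer stays in the cache
        self.clock = clock
        self.cache = {}                 # fqdn -> (address, expiry time)
        self.trace = []                 # servers consulted by the last lookup

    def resolve(self, fqdn, max_referrals=10):
        """Return the address for fqdn, or None if the name does not exist."""
        self.trace = []
        now = self.clock()
        cached = self.cache.get(fqdn)
        if cached and cached[1] > now:
            self.trace.append("cache")
            return cached[0]
        candidates = list(self.root_servers)
        for _ in range(max_referrals):
            kind, data = self._ask_any(candidates, fqdn)
            if kind == "answer":
                self.cache[fqdn] = (data, now + self.ttl)
                return data
            if kind == "referral":
                candidates = data       # next hop down the tree
                continue
            return None                 # authoritative server says no such name
        raise RuntimeError(f"too many referrals resolving {fqdn}")

    def _ask_any(self, names, fqdn):
        """Ask the zone's servers in turn; a server that times out is skipped."""
        for name in names:
            self.trace.append(name)
            try:
                return self.servers[name].query(fqdn)
            except TimeoutError:
                continue
        raise TimeoutError(f"no server for {fqdn} answered")


def build_example(clock=time.monotonic):
    edu_au = {"xxxx.edu.au.": ["ns.xxxx.edu.au."]}
    au = {"edu.au.": ["ns1.edu.au.", "ns2.edu.au."]}
    servers = {
        "a.root.": NameServer(".", {}, {"au.": ["ns1.au.", "ns2.au."]}),
        "ns1.au.": NameServer("au.", {}, au, down=True),   # primary for au is down
        "ns2.au.": NameServer("au.", {}, au),              # its secondary answers instead
        "ns1.edu.au.": NameServer("edu.au.", {}, edu_au),
        "ns2.edu.au.": NameServer("edu.au.", {}, edu_au),
        "ns.xxxx.edu.au.": NameServer("xxxx.edu.au.",
                                      {"fred.xxxx.edu.au.": "192.0.2.7"}, {}),
    }
    return Resolver(servers, ["a.root."], ttl=300.0, clock=clock)


if __name__ == "__main__":
    r = build_example()
    print(r.resolve("fred.xxxx.edu.au."), r.trace)  # walks root -> au -> edu.au -> xxxx.edu.au
    print(r.resolve("fred.xxxx.edu.au."), r.trace)  # second lookup is answered from cache
```

The trace of the first lookup shows the primary for au being skipped after its timeout, which is the situation the previous paragraph describes; once the TTL passes, the cached answer is discarded and the whole walk is repeated.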