
Resource Management and Access Control in ISDN Remote Access





Resource Management and Access Control in ISDN Remote Access Environments

Herbert Leitold and Reinhard Posch
Institute for Applied Information Processing and Communications Technology (IAIK)
Graz University of Technology
Klosterwiesgasse 32/I, A-8010 Graz, Austria
E-Mail: [email protected], [email protected]

ABSTRACT: The integrated services digital network (ISDN) is one of the most promoted telecommunication services of the 1990's. Being the natural evolutionary path of the public switched telephone network (PSTN), ISDN has reached high acceptance in many countries. Even though broadband networks such as asynchronous transfer mode (ATM) promise transmission rates in the multi-megabit range, ISDN still has its legitimacy for computer-based wide area network (WAN) communication, mainly due to its almost global availability and its low-cost components. This paper presents an Internet-based ISDN remote access solution using a scheme known as Ethernet emulation. With the introduction of a novel approach, the so-called strategic modules, the remote access is controlled dynamically, so that user-specific requirements can be implemented easily; this is considered the main advantage of the solution. On the basis of the strategic modules, sophisticated resource management and access control mechanisms are discussed and presented, addressing the important topics of increasing remote access security and optimizing the overall utilization.

Keywords: ISDN, Internet access, remote access, resource management, access control.

1 INTRODUCTION

For more than a decade, computer-based dial-up wide area internetworking has been dominated by modems operating at line rates of up to 28.8 kb/s. However, the bandwidth requirements of today's multimedia applications, together with the increasing quantity of data to be transmitted, demand a higher quality of such dial-up schemes.
With the introduction of ISDN as an integrated communication system for voice, facsimile, audio, and digital data, an alternative became possible. Due to its two data channels (the so-called B-channels) operating at a transmission rate of 64 kb/s each, the ISDN basic rate interface (BRI) represents an important improvement. ISDN therefore provides an adequate means to remote access or link local area networks (LANs) and, thus, to build a WAN infrastructure. The main advantages of ISDN for computer-based dial-up communication can be summarized by its transmission capability and its signaling scheme, as follows:

• Digital transmission: With a capacity of 64 kb/s per B-channel, the ISDN BRI offers a total full-duplex transmission rate of 128 kb/s. The ISDN primary rate interface (PRI) can handle up to 30 B-channels simultaneously; thus, transmission rates of up to 1920 kb/s can be achieved.

• Digital signaling: Any ISDN access has a digital out-of-band signaling channel (the so-called D-channel) separated from the data channels (B-channels). This allows short ISDN set-up times ranging from 0.4 to one second. In addition, the D-channel supports supplementary information elements, such as the calling party number, which can be used to increase the functionality of ISDN remote accesses.

The advantages stated above were recognized early, and first solutions were proposed and developed almost together with the installation of the first ISDN pilot networks in the late 1980's and early 1990's [1] [2]. In this paper we present an ISDN remote access solution based on the de-facto standard transmission control protocol / internet protocol (TCP/IP) [3]. The main advantage of the solution is that it is modularly extendible to enhanced requirements, such as sophisticated resource management and access control schemes.
This becomes possible with a novel approach, the so-called strategic interface, which allows the remote access solution to be controlled dynamically by network management stations.

The remainder of this paper is structured as follows: Section 2 gives a brief overview of solutions to embed ISDN into the TCP/IP family and addresses the requirements which led to our own solution. Section 3 describes the basics of the router-based remote access solution, which is based on the commonly used packet driver approach. Based on the introduction of the strategic interface, section 4 describes the ability to extend the ISDN packet driver modularly to user-specific requirements. In section 5 the enhanced resource management and access control scheme is discussed and, finally, the paper is concluded.

2 EMBEDDING OF ISDN INTO TCP/IP BASED NETWORKS

To apply new communication technologies like ISDN to existing network environments, the differences in the protocol architectures have to be overcome. This paper aims to embed ISDN into a TCP/IP-based environment. With the standard "TCP/IP over ISDN" [4], the Internet Engineering Task Force (IETF) proposed the use of X.25 packet switching. However, in most national ISDN implementations packet switching can only be used on the D-channel. Thus, the available transmission rate is limited to the capacity of the D-channel, which is 16 kbit/s in the case of an ISDN BRI; the ISDN PRI supports one D-channel capable of transmitting 64 kbit/s.

To use the B-channel, the main challenge is to overcome the protocol differences between the connectionless internet protocol (IP) and connection-oriented ISDN. Several approaches have been made: First solutions applied the serial line internet protocol (SLIP) [5], a protocol developed for modems operating on serial lines. However, the SLIP approach suffers from several deficiencies, such as demanding one emulated serial line interface for each remote user.
Consequently, the SLIP approach has not reached high acceptance in the ISDN remote access area. The point-to-point protocol (PPP) [6] [7], a protocol based on the high level data link control protocol (HDLC), improves on SLIP and is, for instance, used by Cisco routers and the Microsoft remote access service (RAS) [8]. However, due to the popularity of Ethernet in building LANs, the Ethernet emulation approach is expected to support the most flexible access scheme. This approach is based on the precondition that the networking software sees the scope of an attached Ethernet, even if it operates on an ISDN BRI or an ISDN PRI. Thus, almost any available networking software can be used.

Unfortunately, most of the products available are developed for the BRI, and the utilization of a PRI would exceed their capacity. In addition, most solutions do not provide for dial on demand, which means that B-channels are established automatically in periods of communication activity and closed after a certain period of inactivity on the link. Due to the low set-up times of ISDN, this can be done transparently to the user and allows the remote access solution to adapt to the dynamics of TCP/IP WAN communication, which is generally bursty and shows increasing traffic volumes [9] [10]. In addition, user-specific demands are difficult to apply, as the source code of most solutions is not available, or modifying the source code demands a great effort. These facts led to the implementation of a special Ethernet class ISDN packet driver [11]. In the following section 3, the functions of the ISDN packet driver are described and embedding ISDN into a TCP/IP-based LAN is discussed.

3 THE ROUTER BASED REMOTE ACCESS SOLUTION

When offering a TCP/IP-based remote access, two different scenarios occur: On the one hand, single stations, which might be mobile ones, can access the LAN.
On the other hand, several users can share a single B-channel by connecting their LANs using ISDN dial-up lines. Figure 1 shows both scenarios. In fact, figure 1 gives a schematic view of the institute's network, which is accessed by conventional modem accesses using the university's private branch exchange (PBX). The institute's ISDN PRI is used to offer Internet access to students, university staff, and guest users. In addition, several LANs of student hostels and schools are embedded into the university's domain.

[Fig. 1. The remote access scenario]

A router connects networks at the network layer, terminates the datalink layers of each connected LAN, and permits translation between different address domains. As an Ethernet class ISDN packet driver has to transform the datalink layer termination of the router software to the network layer termination of the underlying ISDN, the embedding into the open system interconnection (OSI) reference model, as defined by the International Standards Organisation (ISO) [12], is damaged. To deal with this problem, the Ethernet class ISDN packet driver has to support transparent datalink layer access for the router software and, therefore, perform routing functions itself. As the packet driver has to assign Ethernet packets to certain remote stations, the packet driver's routing functions lead to two assignment decisions:

• Broadcast packets: When circuit switched lines are used, broadcasting these packets creates additional costs. Thus, during the address resolution protocol (ARP) [13] sequence, the packet driver evaluates the IP address [14] to determine the requested station. The Ethernet media access control (MAC) address delivered with the ARP response is assigned to the ISDN subscriber. This is called the IP-routing function of the ISDN packet driver.

• Non-broadcast packets: The Ethernet specification demands unique MAC addresses to perform logical point-to-point communication between two nodes in a subnetwork [15].
This fact is used to assign a non-broadcast packet to the requested remote station by evaluating the destination MAC address. As the assignment of the packets is performed at the datalink layer, this is called the Ethernet-bridging function of the packet driver. To obtain the required uniqueness of the MAC address, each packet driver computes its MAC address from the unique ISDN subscriber number.

The routing scheme is limited to the ARP sequence, as IP addresses are only evaluated when IP-routing is performed. Because the packet driver's integrated IP-routing and Ethernet-bridging functions can unequivocally determine the ISDN subscriber to be addressed, the packet driver can decide whether the packet has to be sent to a station belonging to the same subnetwork or whether an ISDN router has to be addressed. Therefore, all possible ISDN connections are kept in a table consisting of the ISDN subscriber number, its MAC address, IP address, and other status information.

[Fig. 2. The protocol stack of the ISDN packet driver]

Figure 2 displays the protocol stack involved in the solution. On the left hand side of figure 2, the ISDN protocol stack is shown. ISDN terminates the network layer of the control plane, i.e. the D-channel. For the user plane, i.e. the B-channel, the physical layer is defined. To provide a manufacturer independent solution, the ISDN packet driver accesses the ISDN adapter using the common ISDN application program interface (CAPI) [16], a standard supported by almost every ISDN card manufacturer. CAPI extends the ISDN user plane to the network layer by adding several datalink layer and network layer protocols. On the right hand side of figure 2, the well known TCP/IP protocol stack is displayed. As providing a low-cost solution was one of the main goals, KA9Q [17], a public domain router software, is used for MS-DOS environments. KA9Q accesses the ISDN packet driver using the packet driver specification (PDS) [18].
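The two assignment decisions described above (IP-routing during the ARP sequence, Ethernet-bridging by destination MAC) and the connection table keyed on the subscriber number are modelled in the following added example. It is illustration code, not the CAPIPKT driver's own implementation: the MAC derivation rule, the policy for non-ARP broadcasts, the subscriber numbers and the IP addresses are constructed assumptions. It also includes the calling-party-number check that section 3 lists among the driver's basic functions, since that check works against the same table.

```python
"""Added example, not code from the CAPIPKT driver or the paper's authors: a
simplified model of the ISDN packet driver's connection table and its two
assignment decisions (IP-routing during ARP, Ethernet-bridging for unicast
frames), plus the calling-party-number check the driver offers. Subscriber
numbers, addresses and the MAC derivation rule are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_from_subscriber(subscriber: str) -> str:
    """Derive a unique, locally administered MAC from the ISDN subscriber number.
    The paper only says the MAC is computed from the number; this packing of the
    last ten digits into five octets behind a 0x02 first octet is an assumption."""
    digits = "".join(ch for ch in subscriber if ch.isdigit())[-10:].rjust(10, "0")
    octets = [0x02] + [int(digits[i:i + 2], 16) for i in range(0, 10, 2)]
    return ":".join(f"{o:02x}" for o in octets)


@dataclass
class Entry:
    """One row of the packet driver's connection table."""
    subscriber: str
    ip: IPv4Address
    mac: str
    active: bool = False   # True while a B-channel to this subscriber is up


class PacketDriver:
    def __init__(self, local_net: IPv4Network):
        self.local_net = local_net
        self.table: dict[str, Entry] = {}   # keyed by ISDN subscriber number

    def add_connection(self, subscriber: str, ip: str) -> Entry:
        entry = Entry(subscriber, IPv4Address(ip), mac_from_subscriber(subscriber))
        self.table[subscriber] = entry
        return entry

    def ip_route(self, target_ip: str) -> Optional[str]:
        """IP-routing: during the ARP sequence the target IP selects the subscriber.
        Returns None when no remote subscriber owns the address."""
        ip = IPv4Address(target_ip)
        for entry in self.table.values():
            if entry.ip == ip:
                return entry.subscriber
        return None

    def bridge(self, dst_mac: str) -> Optional[str]:
        """Ethernet-bridging: the unique destination MAC selects the subscriber."""
        for entry in self.table.values():
            if entry.mac == dst_mac:
                return entry.subscriber
        return None

    def dispatch(self, dst_mac: str, arp_target_ip: Optional[str] = None) -> dict:
        """Assign one outgoing Ethernet frame to a remote subscriber or keep it local."""
        if dst_mac == BROADCAST_MAC:
            if arp_target_ip is None:
                # Assumed policy: flooding non-ARP broadcasts over circuit-switched
                # lines would only create costs, so they stay on the local LAN.
                return {"action": "local", "reason": "non-ARP broadcast"}
            subscriber = self.ip_route(arp_target_ip)
            if subscriber is None:
                if IPv4Address(arp_target_ip) in self.local_net:
                    return {"action": "local", "reason": "target on local subnet"}
                return {"action": "drop", "reason": "unknown ARP target"}
            return {"action": "isdn", "subscriber": subscriber, "via": "ip-routing"}
        subscriber = self.bridge(dst_mac)
        if subscriber is None:
            return {"action": "local", "reason": "MAC not in connection table"}
        return {"action": "isdn", "subscriber": subscriber, "via": "bridging"}

    def admit_incoming_call(self, calling_number: Optional[str]) -> dict:
        """Calling-party-number check: only numbers present in the connection table
        are accepted. The number returned for call-back is the stored one, never
        the presented one, so a withheld or altered number gains nothing."""
        if calling_number is None or calling_number not in self.table:
            return {"accept": False, "reason": "unknown or withheld calling number"}
        return {"accept": True, "callback_number": self.table[calling_number].subscriber}


def build_demo_driver() -> PacketDriver:
    """Constructed sample table: one remote subscriber on a documentation prefix."""
    drv = PacketDriver(IPv4Network("192.0.2.0/24"))
    drv.add_connection("+43 316 000 1234", "192.0.2.40")
    return drv


if __name__ == "__main__":
    drv = build_demo_driver()
    print(drv.dispatch(BROADCAST_MAC, arp_target_ip="192.0.2.40"))
    print(drv.dispatch(mac_from_subscriber("+43 316 000 1234")))
    print(drv.admit_incoming_call("+43 316 000 9999"))
```

The ARP path is the only place an IP address is consulted; once the remote station's MAC is known, every further frame is assigned by that MAC alone, which is exactly the split between the IP-routing and Ethernet-bridging functions the text describes.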
For Windows NT environments, the operating system's TCP/IP protocol stack and routing functionality are used, and the ISDN driver is accessed using the network device interface standard (NDIS) [19]. Thus, the ISDN packet driver (CAPIPKT) or the ISDN NDIS driver (CAPIPKT_NT) performs the protocol transformation between the TCP/IP protocol stack and CAPI by using commonly used, standardized interfaces. With this approach, interoperability with similar shareware and public domain ISDN remote access solutions is given. Thus, there is almost no restriction on the platform used, except that Ethernet packets are to be transmitted over the B-channel. Due to the availability of TCP/IP solutions for almost any operating system, such as UNIX, Windows 95, OS/2, etc., the router-based solution to link LANs allows for maximum flexibility. Even for single stations dialing up to the institute's ISDN router directly, there are solutions available for almost any operating system.

[Fig. 3. The strategic module approach]

The ISDN packet driver provides the basic functionality of handling 30 B-channels simultaneously, i.e. each remote user or remote LAN is addressed using the integrated IP-routing and Ethernet-bridging functions. In addition, some useful functions are provided, such as a call-back feature that allows reverse charging of an incoming call, evaluation of the calling party number to restrict access to a well-defined set of remote locations, a channel bundling feature that allows additional B-channels to be established alongside already established ones in periods of higher bandwidth requirements, denial of dialing out to avoid accesses charged to the access provider, etc. However, if the number of users exceeds the number of available links, or if a variety of users with different access rights are using the system, enhanced features have to be supported.
This becomes possible due to the introduction of an open interface, the so-called strategic interface, which is presented in the following section 4.

4 THE STRATEGIC INTERFACE

Providing the basic functionality of an ISDN remote access is sufficient at the service-consuming remote station, i.e. a residential user or the LAN of a school or a small or medium enterprise (SME) accessing the Internet. Nevertheless, at the service provider site, both resource management and network security are of high importance. For example, to increase the overall utilization of the system, a currently inactive user might be exchanged dynamically against a user that requests communication resources. To provide such functions, consider a module that can be added to the remote access system in a modular way without changing the remote access system. If such a module can control the call-control functions of the ISDN packet driver, the module, which we call a strategic module, can invoke call-control functions itself. If the strategic module can, in addition, control the data communication on different protocol levels of the TCP/IP protocol stack by monitoring, modifying, or generating protocol data units (PDUs) itself, it is obvious that a multitude of management functions can be mapped to such a module. This scenario is schematically depicted in figure 3. To provide for such strategic modules, an open interface, the so-called strategic interface, has been introduced. It mainly consists of three function groups:

• Administrative functions: This function group consists of the tasks needed to register or disconnect strategic modules. In addition, functions to add users to and remove users from the system dynamically, and to account or log the activities, are provided.
• Call control functions: The call control functions provide for invoking ISDN call control functions, such as establishing or closing a B-channel, accepting or rejecting an incoming call, or applying channel bundling in order to increase the bandwidth offered.

• Communication control functions: The communication control functions are used to monitor the communication and allow packets to be discarded. For instance, this is used to apply a dynamically configurable packet filtering mechanism which allows for a security system providing per-user access sets. In addition, the transmitted data can be modified by the strategic module. This allows for confidential communication by adding encryption modules.

The strategic module gains full control over the remote access, whereas the ISDN packet driver continues to provide the basic remote access functionality, such as performing the TCP/IP-to-ISDN protocol transformation and assigning a certain data link layer PDU to the addressed remote station. The following section 5 consolidates the strategic module approach by giving two case studies.

5 RESOURCE MANAGEMENT AND ACCESS CONTROL

The objective of this section is to give an overview of the powerful capabilities that can be addressed using strategic modules. This section refers to the important aspects of dynamic resource management and access control when using ISDN as a public dial-up network to remote access LANs.

5.1 Resource Management

The packet driver's ability to handle ISDN connections is limited to 30, due to the natural limitation of B-channels when an ISDN PRI is used. The ISDN packet driver holds a table consisting of the connection parameters of up to 30 remote access clients, the packet driver's connection table. Obviously, there are two basic flaws in this approach: On the one hand, it is unlikely that all of the 30 clients require the same resources, in terms of necessary bandwidth or periods of activity.
On the other hand, limiting the number of users able to access the system to a fixed maximum is undesirable, as this reduces the flexibility of the ISDN remote access.

To deal with the problem of resource allocation, the strategic module separates the physical ISDN connection from the logical one. The logical connection is bound to the physical one only when there is activity on that link, as a physical connection has to be established in that case. Even if IP is defined as a connectionless service, the term logical connection is admissible in this context, as it means the ability to reach a station. To perform the separation of logical and physical connections, the strategic module holds the parameters of all possible clients. Thus, it has the global scope of reachable stations. When a client requests resources, i.e. a packet has to be transmitted or a remote station dials in, the strategic module loads the client's parameters either into a free entry of the packet driver's connection table or replaces a currently inactive one. Thus, the packet driver has the scope of all currently active clients. By replacing currently inactive logical links (think of interactive applications where periods of activity alternate with idle ones, like world wide web (WWW) browsers with locally cached data), the number of users accessing the system "at the same time" can exceed the number of available physical links.

Another aspect of resource allocation is that LAN traffic tends to come in bursts, i.e. periods of high traffic alternate with periods of low traffic or even idle periods. With the capacity of at least two separate B-channels (BRI), ISDN allows transmission time to be traded off against communication costs by establishing multiple channels between two stations. This is referred to as channel bundling or bandwidth on demand [20].
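The separation of logical from physical connections described above, and the channel-bundling cost ratio q that section 5.1 goes on to discuss, are worked through in the following added example. It is illustration code written for this page, not the authors' strategic module: the slot count, the idle-timeout policy, the replacement rule (longest-idle inactive entry) and the tariff model behind q (each channel charged per started charging unit, links transmitting at full rate unless a bottleneck caps them) are all assumptions.

```python
"""Added example, not code from the paper's authors: a strategic module that
keeps the parameters of every known client (global scope) and binds a client
to one of the packet driver's N connection-table slots only while it is
active, replacing the longest-idle inactive entry when no slot is free.
The tariff model used for the channel-bundling ratio q is an assumption."""
import math
from dataclasses import dataclass
from typing import Optional


@dataclass
class Client:
    subscriber: str
    ip: str
    mac: str


@dataclass
class Slot:
    client: Optional[Client] = None
    active: bool = False        # a physical B-channel is currently established
    last_activity: float = 0.0  # time of the last packet or call for this entry


class StrategicModule:
    def __init__(self, slots: int = 30):
        self.clients: dict[str, Client] = {}           # all reachable stations
        self.table = [Slot() for _ in range(slots)]    # the driver's connection table

    def register(self, client: Client) -> None:
        self.clients[client.subscriber] = client

    def _slot_of(self, subscriber: str) -> Optional[int]:
        for i, s in enumerate(self.table):
            if s.client is not None and s.client.subscriber == subscriber:
                return i
        return None

    def request(self, subscriber: str, now: float) -> Optional[int]:
        """A packet for, or a call from, `subscriber` needs resources. Returns the
        table index the client is bound to, or None if the station is unknown or
        every slot is physically active (no B-channel can be taken over)."""
        client = self.clients.get(subscriber)
        if client is None:
            return None
        idx = self._slot_of(subscriber)
        if idx is None:
            free = [i for i, s in enumerate(self.table) if s.client is None]
            inactive = [i for i, s in enumerate(self.table) if not s.active]
            if free:
                idx = free[0]
            elif inactive:
                idx = min(inactive, key=lambda i: self.table[i].last_activity)
            else:
                return None
        slot = self.table[idx]
        slot.client, slot.active, slot.last_activity = client, True, now
        return idx

    def idle_timeout(self, now: float, timeout: float) -> list:
        """Close B-channels idle for at least `timeout`; the entry stays loaded
        (logical connection kept) but becomes replaceable."""
        closed = []
        for s in self.table:
            if s.active and now - s.last_activity >= timeout:
                s.active = False
                closed.append(s.client.subscriber)
        return closed

    def active_count(self) -> int:
        return sum(1 for s in self.table if s.active)


def bundling_cost_ratio(data_bytes: int, n: int, rate_bps: int = 64_000,
                        charging_unit_s: float = 60.0,
                        achieved_rate_bps: Optional[int] = None) -> float:
    """q = charges with n bundled B-channels / charges with a single channel.
    Assumed tariff: every channel is charged per started charging unit; the
    transfer runs at min(n * rate, achieved_rate) when another bottleneck caps it."""
    def units(channels: int) -> int:
        capacity = channels * rate_bps
        if achieved_rate_bps is not None:
            capacity = min(capacity, achieved_rate_bps)
        return max(1, math.ceil(data_bytes * 8 / capacity / charging_unit_s))
    return n * units(n) / units(1)


if __name__ == "__main__":
    sm = StrategicModule(slots=2)        # constructed: a two-slot table
    for name in ("A", "B", "C"):
        sm.register(Client(name, f"192.0.2.{ord(name)}", f"02:00:00:00:00:{ord(name):02x}"))
    print(sm.request("A", 0.0), sm.request("B", 1.0), sm.request("C", 2.0))
    print(sm.idle_timeout(now=100.0, timeout=50.0), sm.request("C", 100.0))
    print(bundling_cost_ratio(10_000, 2), bundling_cost_ratio(100_000_000, 2))
```

With a long, fully loaded transfer the extra channels finish the session proportionally sooner and q approaches 1; with a file that fits into a single charging unit, or with an upstream bottleneck that caps the achieved rate, the bundled channels cost n times as much for no gain. That is the reason the decision cannot be taken from free resources alone.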
However, due to both the ISDN provider's charging granularity and the resources currently available, the decision whether to add a B-channel cannot be made without monitoring the load on the established links and a sophisticated estimation of the amount of data to be transmitted. This might be performed by monitoring upper layer protocols (e.g. the file transfer protocol, FTP). Consider the case where n is the number of B-channels established at the beginning of a file transfer session. The quotient q, built from the charges resulting from using n channels and the charges when only one link is used, will converge to q = 1 if the session is long compared to the charging granularity and if the n links are heavily loaded. However, in the case of very small files to be transmitted, or in the case where the established links are weakly loaded because of other bottlenecks, q will reach the value of n. These considerations emphasize the term "strategic", as the decision on when to use channel bundling should not only be driven by checking free resources or by demanding higher throughput.

5.2 Access Control

When public dial-up lines like ISDN are used to link LANs, it is desirable to control who uses these lines, to avoid unintended or deliberate misuse. There are two basic approaches to controlling a remote access, depending on the mobility and the trust value of the remote stations:

• Trusted subscriber numbers: Due to the enhanced signaling mechanisms of ISDN, the subscriber number of the calling station is transmitted to the called station. In the case of trusted locations, e.g. the home location of institute personnel, this feature can be used to check whether a user is allowed to access the LAN. To reinforce access security, the comparison of received subscriber numbers with known ones can be accompanied by a call-back feature. Cryptographic mechanisms might be added to attain strong security.

• Mobile stations: Mobile access stations or locations with low trust values, e.g. publicly accessible locations, demand additional authentication procedures. As passwords are assumed to be insecure, cryptographic methods have to be applied.

As the strategic module can access both the data to be transmitted and the ISDN call control functions, both cases can be covered. In the first case, the strategic module is able to reject a suspicious incoming call. In the second case, monitoring of an authentication protocol and/or the en-/decryption of the transmitted data can be performed transparently to the upper layers.

The case studies "resource management" and "access control" are part of a comprehensive ISDN network management project, which covers additional activities like accounting, error management, network statistics, etc. To allow for a management solution independent of the platform used, the simple network management protocol (SNMP) [21] is employed as a standardized management protocol.

CONCLUSIONS

ISDN is an emerging technology that promises to overcome the disadvantages of conventional modem lines when building computer-based LAN/WAN infrastructures. This is mainly due to the higher transmission rate of 64 kb/s per communication channel and the sophisticated signaling scheme used. The TCP/IP family has met with great acceptance in the last decade; thus, it is in fact the most commonly used standard for wide-area internetworking. Several issues arise when embedding ISDN into a TCP/IP environment. Problems like handling broadcast packets in connection-oriented ISDN, minimizing the costs of an ISDN connection, mobility of remote stations, increasing the transmission rate when high performance is needed, etc., have to be solved. The paper has presented an Ethernet class ISDN packet driver which is intended to give maximum flexibility to the remote access. A router-based, low-cost solution has been described.
As ISDN is a public dial-up infrastructure, additional requirements meeting enhanced network security demands and resource management needs have been discussed. Due to the separation of an open interface, these user-specific requirements can be added in a modular way by implementing strategic modules.

REFERENCES

[1] Thachenkary, C. S., "Integrated Service Digital Network (ISDN): six case study assessments of a commercial implementation", Computer Networks and ISDN Systems, North-Holland, vol. 25, no. 8, March 1993, pp. 921-932.
[2] Roy, R., "ISDN Applications at Tenneco Gas", IEEE Communications Magazine, vol. 28, no. 4, 1990.
[3] Postel, J. B., "DARPA Internet Program Protocol Description", USC/Information Sciences Institute, RFC 791, September 1981.
[4] Malis, A., Robinson, D., Ullmann, R., "Multiprotocol Interconnect on X.25 and ISDN in the Packet Mode", BBN Communications, RFC 1356, September 1992.
[5] Romkey, J., "A Nonstandard for Transmission of IP Datagrams over Serial Lines: SLIP", USC/Information Sciences Institute, RFC 1055, June 1988.
[6] Simpson, P., "Point-to-Point Protocol (PPP)", USC/Information Sciences Institute, RFC 1331, May 1992.
[7] Simpson, P., "PPP over ISDN", Daydreamer, RFC 1618, May 1994.
[8] Awuah, P., Lazar, D., "Microsoft Windows NT Server 3.5: Remote Access Service (RAS)", Microsoft Whitepaper, 1994.
[9] Paxson, V., "Growth Trends in Wide Area TCP Connections", IEEE Network, vol. 8, no. 4, 1994.
[10] Cáceres, R., Danzig, P. B., Jamin, S., Mitzel, D. J., "Characteristics of Wide-Area TCP/IP Conversations", Proc. ACM SIGCOMM, 1991, pp. 101-112.
[11] Leitold, H., Posch, R., Pucher, F., "A Special ISDN Packet Driver, CAPIPKT Version 1.1", IIG Report Series, Report 415, June 1995.
[12] ISO 7498, "Open Systems Interconnection, Base Reference Model", International Standards Organisation, 1984.
[13] Plummer, D. C., "An Ethernet Address Resolution Protocol", USC/Information Sciences Institute, RFC 826, November 1982.
[14] Hornig, C., "A Standard for the Transmission of IP Datagrams over Ethernet Networks", Symbolics Cambridge Research Center, RFC 894, April 1984.
[15] Tsuchiya, P., "On the Assignment of Subnet Numbers", Bellcore, RFC 1219, April 1991.
[16] ETSI, "Integrated Services Digital Network (ISDN), Harmonized Programming Communication Interface (PCI) for ISDN; Profile B: Common-ISDN-API Specification", European Telecommunication Standard, ETS TC-TE, Final Draft prETS 300 325, June 1995.
[17] Karn, P., "Amateur Packet Radio and TCP/IP", ConneXions, vol. 2, no. 9, 1988.
[18] VanBokkelen, J. B., "Packet Driver Specification, Revision 1.09", FTP Software, Inc., ftp://ftp.ftp.com/pub/packetd/, 1989.
[19] Microsoft, "Windows NT, Device Driver Kit, Network Drivers", Microsoft Corporation, 1993.
[20] Bonding Consortium, "Bonding: Interoperability Requirements for Nx56/64 kbit/s Calls, Version 1.0", Bonding Consortium, September 1992.
[21] Case, J., Fedor, M., Schoffstall, M., Davin, J., "A Simple Network Management Protocol (SNMP)", SNMP Research, RFC 1157, May 1990.