
Sdn 101 And More Ie Stuff


SDN 101 and more IE stuff
For: static snow

Contents

1 Software-defined networking  1
    1.1 History  1
    1.2 Concept  2
    1.3 The need for a new network architecture  3
    1.4 Architectural components  3
    1.5 SDN Control Plane  4
    1.6 SDN flow forwarding (sdn)  4
    1.7 Applications  5
        1.7.1 SDMN  5
        1.7.2 SD-WAN  5
        1.7.3 SD-LAN  5
        1.7.4 Security using the SDN paradigm  5
    1.8 See also  5
    1.9 References  6
    1.10 External links  7

2 OpenFlow  9
    2.1 Description  9
    2.2 History  9
        2.2.1 Development  9
        2.2.2 Security concerns  10
    2.3 See also  10
    2.4 References  10
    2.5 External links  11

3 Cisco Systems  12
    3.1 History  12
        3.1.1 1984–1995: Origins and initial growth  12
        3.1.2 1996–2005: Internet and silicon intelligence  13
        3.1.3 2006–2012: The Human Network  13
        3.1.4 Present day  14
    3.2 Corporate structure  15
        3.2.1 Acquisitions and subsidiaries  15
    3.3 Products and services  16
        3.3.1 VoIP services  16
        3.3.2 Hosted Collaboration Solution (HCS)  16
        3.3.3 Network Emergency Response  17
        3.3.4 Certifications  17
    3.4 Corporate affairs  17
        3.4.1 Awards and accolades  17
        3.4.2 Controversies  18
    3.5 See also  19
    3.6 References  19
    3.7 Further reading  22
    3.8 External links  23

4 Network virtualization platform  24
    4.1 Server virtualization history  24
    4.2 Network virtualization history  24
    4.3 Network virtualization platforms  24
    4.4 References  25
    4.5 Sources  25

5 SD-WAN  26
    5.1 Overview  26
    5.2 History  26
    5.3 Required characteristics  26
    5.4 Form factors  27
    5.5 Features  27
        5.5.1 Resilience  27
        5.5.2 Quality of service  27
        5.5.3 Security  27
        5.5.4 Application optimization  27
        5.5.5 Deployment options  27
        5.5.6 Administration and troubleshooting  27
    5.6 Complementary technology  27
        5.6.1 SD-WAN versus WAN Optimization  27
        5.6.2 WAN edge routers  27
        5.6.3 SD-WAN versus hybrid WAN  27
    5.7 Marketplace  28
    5.8 References  28

6 Wide area network  29
    6.1 Design options  29
    6.2 Connection technology  29
    6.3 List of WAN types  30
    6.4 See also  30
    6.5 References  30
    6.6 External links  30

7 Northbound interface  31
    7.1 Typical use  31
    7.2 External links  31

8 OSI model  32
    8.1 History  32
    8.2 Description of OSI layers  33
        8.2.1 Layer 1: Physical Layer  33
        8.2.2 Layer 2: Data Link Layer  33
        8.2.3 Layer 3: Network Layer  33
        8.2.4 Layer 4: Transport Layer  34
        8.2.5 Layer 5: Session Layer  34
        8.2.6 Layer 6: Presentation Layer  34
        8.2.7 Layer 7: Application Layer  35
    8.3 Cross-layer functions  35
    8.4 Interfaces  35
    8.5 Examples  35
    8.6 Comparison with TCP/IP model  35
    8.7 See also  36
    8.8 References  36
    8.9 External links  36

9 Open vSwitch  38
    9.1 Overview  38
    9.2 Features  38
    9.3 See also  39
    9.4 References  39
    9.5 External links  40

10 Application-specific integrated circuit  41
    10.1 History  41
    10.2 Standard-cell designs  41
    10.3 Gate-array design  42
    10.4 Full-custom design  43
    10.5 Structured design  43
    10.6 Cell libraries, IP-based design, hard and soft macros  44
    10.7 Multi-project wafers  44
    10.8 See also  44
    10.9 References  44
    10.10 Sources  44

11 Content-addressable memory  45
    11.1 Hardware associative array  45
    11.2 Standards for content-addressable memories  45
    11.3 Semiconductor implementations  45
    11.4 Alternative implementations  45
    11.5 Ternary CAMs  45
    11.6 Example applications  46
    11.7 See also  46
    11.8 References  46
    11.9 Bibliography  46
    11.10 External links  47

12 Software-defined mobile network  48
    12.1 History  48
    12.2 Limitations of Hardware-Based Mobile Networks  48
    12.3 Characteristics of SDMN Designs  48
        12.3.1 Use of Software-Defined Radio  48
        12.3.2 Commodity Components  48
        12.3.3 Software Switching and Transcoding  48
        12.3.4 Centralized, Distributed, or Hybrid?  48
    12.4 Advantages of SDMN  49
    12.5 References  49

13 Core network  50
    13.1 Primary functions  50
    13.2 Other functions  50
    13.3 Mobile  51

14 Radio access network  52
    14.1 See also  52

15 Multiprotocol Label Switching  53
    15.1 Role and functioning  53
    15.2 History  53
    15.3 Operation  54
        15.3.1 Label switch router  54
        15.3.2 Label edge router  54
        15.3.3 Provider router  54
        15.3.4 Label Distribution Protocol  55
        15.3.5 Label-switched paths  55
        15.3.6 Routing  55
        15.3.7 Installing and removing paths  56
        15.3.8 Multicast addressing  56
    15.4 Relationship to Internet Protocol  56
        15.4.1 MPLS local protection (fast reroute)  56
    15.5 Comparisons  56
        15.5.1 Frame Relay  56
        15.5.2 ATM  57
    15.6 Deployment  57
    15.7 Evolution  57
    15.8 Competitor protocols  57
    15.9 See also  58
    15.10 Notes  58
    15.11 References  58
    15.12 Further reading  58
    15.13 External links  59

16 Local area network  60
    16.1 History  60
    16.2 Cabling  61
    16.3 Wireless media  61
    16.4 Technical aspects  61
    16.5 See also  61
    16.6 References  61
    16.7 External links  62

17 Active networking  63
    17.1 What does it offer?  63
    17.2 How it relates to other networking paradigms  63
        17.2.1 Active networking and software-defined networking  63
    17.3 Fundamental challenges  63
    17.4 Nanoscale active networks  63
    17.5 See also  64
    17.6 References  64
    17.7 Further reading  64
    17.8 External links  64

18 ONOS  65
    18.1 History  65
    18.2 Technology Overview  65
    18.3 Use Cases  65
    18.4 Releases  65
    18.5 Members  66
    18.6 See also  66
    18.7 References  66
    18.8 External links  66

19 OpenDaylight Project  67
    19.1 History  67
    19.2 Technology Overview  67
    19.3 Releases  67
    19.4 Members  67
    19.5 See also  67
    19.6 References  68
    19.7 External links  68

20 Software-defined data center  69
    20.1 Description and core components  69
    20.2 Origins and development  69
    20.3 Potential impact  69
    20.4 Challenges  70
    20.5 Vendors  70
    20.6 References  70
    20.7 External links  71

21 Software-defined protection  72
    21.1 Enforcement Layer  72
    21.2 Control Layer  72
    21.3 Management Layer  72
    21.4 References  72

22 Network function virtualization  73
    22.1 Background  73
    22.2 History  73
    22.3 NFV Framework  73
    22.4 Practical aspects  74
    22.5 Distributed NFV  74
    22.6 NFV modularity benefits  74
    22.7 Relationship to SDN  74
    22.8 Industry impact  75
    22.9 Management and orchestration (MANO)  75
    22.10 See also  75
    22.11 References  76
    22.12 External links  77

23 List of SDN controller software  78

24 Data Plane Development Kit  79
    24.1 Overview  79
    24.2 Libraries  79
        24.2.1 Plugins  79
    24.3 Environment  79
    24.4 Ecosystem  80
    24.5 Projects  80
        24.5.1 Opensource  80
        24.5.2 Platforms and solutions  80
    24.6 References  80

25 IEEE 802.1aq  82
    25.1 History  82
    25.2 Benefits  82
    25.3 Operations and management  83
    25.4 High level  83
        25.4.1 Shortest Path Bridging-VID  84
        25.4.2 Shortest Path Bridging-MAC  85
        25.4.3 Failure recovery  86
        25.4.4 Animations  86
    25.5 Details  87
        25.5.1 Equal Cost Multi Tree  87
        25.5.2 Traffic placement/engineering  87
        25.5.3 Example  88
    25.6 Implementation notes  90
        25.6.1 Tie-breaking  91
    25.7 Interoperability  92
    25.8 Competitors  92
    25.9 Deployments  92
    25.10 Product Support  93
    25.11 See also  93
    25.12 Notes  93
    25.13 References  95
    25.14 Further reading  96
    25.15 External links  96

26 Frenetic (programming language)  97
    26.1 References  97
    26.2 Further reading  97
    26.3 External links  97

27 Network layer  98
    27.1 Functions  98
    27.2 Protocols  98
    27.3 Relation to TCP/IP model  99
    27.4 See also  99
    27.5 References  99
    27.6 External links  99

28 Virtualization  100
    28.1 Hardware virtualization  100
        28.1.1 Snapshots  101
        28.1.2 Migration  101
        28.1.3 Failover  101
        28.1.4 Video game console emulation  101
        28.1.5 Licensing  101
    28.2 Desktop virtualization  101
    28.3 Other types  102
    28.4 Nested virtualization  103
    28.5 See also  103
    28.6 References  103
    28.7 External links  103

29 Computer network  104
    29.1 History  104
    29.2 Properties  105
    29.3 Network packet  105
    29.4 Network topology  105
        29.4.1 Network links  105
        29.4.2 Network nodes  107
        29.4.3 Network structure  109
    29.5 Communications protocols  110
        29.5.1 IEEE 802  110
        29.5.2 Internet Protocol Suite  110
        29.5.3 SONET/SDH  111
        29.5.4 Asynchronous Transfer Mode  111
    29.6 Geographic scale  111
    29.7 Organizational scope  112
        29.7.1 Intranet  112
        29.7.2 Extranet  113
        29.7.3 Internetwork  113
        29.7.4 Internet  113
        29.7.5 Darknet  113
    29.8 Routing  113
    29.9 Network service  114
    29.10 Network performance  114
        29.10.1 Quality of service  114
        29.10.2 Network congestion  114
        29.10.3 Network resilience  115
    29.11 Security  115
        29.11.1 Network security  115
        29.11.2 Network surveillance  115
        29.11.3 End to end encryption  115
    29.12 Views of networks  116
    29.13 See also  116
    29.14 References  116
    29.15 Further reading  117
    29.16 External links  118

30 Router (computing)  119
    30.1 Applications  119
        30.1.1 Access  120
        30.1.2 Distribution  120
        30.1.3 Security  120
        30.1.4 Core  120
        30.1.5 Internet connectivity and internal use  120
    30.2 Historical and technical information  121
    30.3 Forwarding  122
    30.4 See also  122
    30.5 Notes  123
    30.6 References  123
    30.7 External links  123

31 Communications protocol  125
    31.1 Communicating systems  125
    31.2 Basic requirements of protocols  126
    31.3 Protocols and programming languages  126
    31.4 Universal protocols  127
    31.5 Protocol design  127
        31.5.1 A basis for protocol design  128
        31.5.2 Layering  128
        31.5.3 Formal specification  132
    31.6 Protocol development  132
        31.6.1 The need for protocol standards  132
        31.6.2 Standards organizations  132
        31.6.3 The standardization process  132
        31.6.4 Future of standardization (OSI)  133
    31.7 Taxonomies  134
    31.8 Examples of protocols  134
    31.9 See also  135
    31.10 Notes
. . . . . . . . . . . . . . . . . . . . . 135 31.11References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 31.12Further reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 31.13External links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 32 Cloud computing 138 32.1 History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 32.1.1 Origin of the term . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 32.1.2 1970s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 32.1.3 1990s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 32.1.4 2000s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 32.2 Similar concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140 32.3 Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140 32.4 Service models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 32.4.1 Infrastructure as a service (IaaS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 32.4.2 Platform as a service (PaaS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 32.4.3 Software as a service (SaaS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 32.4.4 Mobile “backend” as a service (MBaaS) . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 32.4.5 Serverless computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 32.5 Cloud clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 32.6 Deployment models . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . 144 32.6.1 Private cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 32.6.2 Public cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 32.6.3 Hybrid cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145 32.6.4 Others . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145 32.7 Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146 32.7.1 Cloud engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146 32.8 Security and privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146 32.9 Limitations and Disadvantages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 32.10Emerging trends . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 32.11See also . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 32.12References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 32.13Further reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 32.14External links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 33 Virtual private network 152 33.1 Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 CONTENTS xi 33.2 Security mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 33.2.1 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 33.3 Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
153 33.3.1 Provider-provisioned VPN building-blocks . . . . . . . . . . . . . . . . . . . . . . . . . . 153 33.4 User-visible PPVPN services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 33.4.1 OSI Layer 2 services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 33.4.2 OSI Layer 3 PPVPN architectures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 33.4.3 Unencrypted tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 33.5 Trusted delivery networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 33.6 VPNs in mobile environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 33.7 VPN on routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 33.8 Networking limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156 33.9 See also . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156 33.10Further reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156 33.11References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156 34 Quality of service 158 34.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 34.2 History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 34.3 Qualities of traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 34.4 Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 34.5 Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 34.5.1 Over-provisioning . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . 160 34.5.2 IP and Ethernet efforts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 34.5.3 Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161 34.6 End-to-end quality of service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161 34.7 Circumvention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 34.8 Doubts about quality of service over IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 34.9 Mobile (cellular) QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 34.10Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 34.11Open source software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 34.12See also . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 34.13References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 34.14Further reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 34.15External links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 35 Network switch 166 35.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 35.1.1 Network design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 35.1.2 Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 35.1.3 Microsegmentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 35.2 Role of switches in a network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 xii CONTENTS 35.3 Layer-specific functionality . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 35.3.1 Layer 1 (hubs vs. higher-layer switches) . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 35.3.2 Layer 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168 35.3.3 Layer 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168 35.3.4 Layer 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168 35.3.5 Layer 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 35.4 Types of switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 35.4.1 Form factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 35.4.2 Configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 35.5 Traffic monitoring on a switched network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170 35.6 See also . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170 35.7 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170 35.8 External links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171 36 Frame Relay 172 36.1 Technical description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172 36.1.1 Protocol data unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 36.1.2 Congestion control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 36.2 Origin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 36.2.1 Relationship to X.25 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 36.3 Virtual circuits . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . 174 36.4 Local management interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 36.5 Committed information rate (CIR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 36.6 Market reputation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 36.7 FRF.12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 36.8 See also . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 36.9 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 36.10External links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176 37 IPsec 177 37.1 History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177 37.2 Security architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177 37.2.1 Authentication Header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 37.2.2 Encapsulating Security Payload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 37.2.3 Security association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179 37.3 Modes of operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179 37.3.1 Transport mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179 37.3.2 Tunnel mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179 37.4 Cryptographic algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179 37.5 Software implementations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 37.6 Standards status . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 37.7 Alleged NSA interference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 CONTENTS xiii 37.8 IETF documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 37.8.1 Standards Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181 37.8.2 Experimental RFCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181 37.8.3 Informational RFCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 37.8.4 Best Current Practice RFCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 37.8.5 Obsolete/Historic RFCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 37.9 See also . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 37.10References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 37.11External links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183 38 Data link layer 185 38.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 38.2 Sublayers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 38.2.1 Logical link control sublayer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 38.2.2 Media access control sublayer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 38.3 Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 38.4 Error detection and correction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 38.5 Protocol examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
187 38.6 Relation to the TCP/IP model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 38.7 See also . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 38.8 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 38.9 External links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 39 Forwarding plane 189 39.1 Issues in router forwarding performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 39.1.1 Benchmarking performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 39.2 Forwarding information base design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 39.2.1 Cache miss issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 39.2.2 FIB design alternatives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 39.3 Distributed forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 39.3.1 Early distributed forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 39.3.2 Shared paths become bottlenecks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 39.4 See also . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 39.5 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 40 Access control list 40.1 Implementations 193 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 40.1.1 Filesystem ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 40.1.2 Networking ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 40.1.3 SQL implementations . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . 193 40.2 Comparing with RBAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 40.3 See also . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 xiv CONTENTS 40.4 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 40.5 Further reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 41 Transmission Control Protocol 195 41.1 Historical origin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 41.2 Network function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 41.3 TCP segment structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 41.4 Protocol operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197 41.4.1 Connection establishment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198 41.4.2 Connection termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198 41.4.3 Resource usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 41.4.4 Data transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 41.4.5 Maximum segment size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201 41.4.6 Selective acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201 41.4.7 Window scaling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202 41.4.8 TCP timestamps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202 41.4.9 Out-of-band data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202 41.4.10 Forcing data delivery . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . 202 41.5 Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202 41.5.1 Denial of service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203 41.5.2 Connection hijacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203 41.5.3 TCP veto . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203 41.6 TCP ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203 41.7 Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 41.8 TCP over wireless networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 41.9 Hardware implementations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 41.10Debugging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 41.11Alternatives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 41.12Checksum computation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 41.12.1 TCP checksum for IPv4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 41.12.2 TCP checksum for IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 41.12.3 Checksum offload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206 41.13See also . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206 41.14References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206 41.15Further reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 41.16External links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . 207 41.16.1 RFC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 41.16.2 Others . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208 42 Transport Layer Security 209 42.1 Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209 42.2 History and development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210 CONTENTS xv 42.2.1 Secure Network Programming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210 42.2.2 SSL 1.0, 2.0 and 3.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210 42.2.3 TLS 1.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210 42.2.4 TLS 1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211 42.2.5 TLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211 42.2.6 TLS 1.3 (draft) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211 42.3 Digital certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211 42.3.1 Certificate authorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212 42.4 Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212 42.4.1 Key exchange or key agreement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212 42.4.2 Cipher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212 42.4.3 Data integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212 42.5 Applications and adoption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 42.5.1 Websites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . 213 42.5.2 Web browsers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 42.5.3 Libraries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222 42.5.4 Other uses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222 42.6 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223 42.6.1 SSL 2.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223 42.6.2 SSL 3.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223 42.6.3 TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223 42.6.4 Attacks against TLS/SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223 42.6.5 Forward secrecy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227 42.6.6 Dealing with man-in-the-middle attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . 227 42.7 Protocol details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228 42.7.1 TLS handshake . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228 42.7.2 TLS record . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231 42.8 Support for name-based virtual servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232 42.9 Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232 42.9.1 Primary standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232 42.9.2 Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232 42.9.3 Informational RFCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234 42.10See also . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234 42.11References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234 42.12Further reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240 42.13External links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240 43 Open Networking Foundation 242 43.1 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242 43.2 Text and image sources, contributors, and licenses . . . . . . . . . . . . . . . . . . . . . . . . . . 243 43.2.1 Text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243 43.2.2 Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258 xvi CONTENTS 43.2.3 Content license . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262 Chapter 1 Software-defined networking Not to be confused with ISDN (Integrated Services GeoPlex did not concern itself with operating systems Digital Network). running on networking hardware switches, and routers. AT&T wanted a “soft switch” that could reconfigure Software-defined networking (SDN) is an approach to physical switches in the network and load them with new services from an operations support system (OSS). Howcomputer networking that allows network administrators to manage network services through abstraction of lower- ever, when provisioning services GeoPlex could not reach deeply into the physical devices to perform reconfiguralevel functionality. SDN is meant to address the fact that the static architecture of traditional networks doesn't sup- tion. 
The operating systems running on networked devices in the physical network therefore became a barrier port the dynamic, scalable computing and storage needs of more modern computing environments such as data to early SDN-like service delivery. centers. This is done by decoupling or disassociating the system that makes decisions about where traffic is sent (the control plane) from the underlying systems that forward traffic to the selected destination (the data plane). In 1998, Mark Medovich, a senior scientist of Sun Microsystems and Javasoft, left Sun to launch a Silicon Valley soft switch startup WebSprocket. Medovich designed a new network operating system, and an object oriented structured runtime model that could be modified by a networked compiler and class loader in real time. With this approach, applications could be written with Java threads that inherited WebSprocket kernel, network, and device classes and later modified by the networked compiler/class-loader. WebSprocket’s platform was designed such that devices had the ability to instantiate network stack(s), interfaces, and protocols as multiple threads.[9] SDN was commonly associated with the OpenFlow protocol (for remote communication with network plane elements for the purpose of determining the path of network packets across network switches) since the latter’s emergence in 2011. Since 2012,[1][2] however, many companies have moved away from OpenFlow, and have embraced different techniques. These include Cisco Systems' Open Network Environment and Nicira's network virtualization platform. 
SD-WAN applies similar technology to a wide area network (WAN).[3]

1.1 History

The origins of software-defined networking began shortly after Sun Microsystems released Java in 1995.[4][5][6]

One of the first SDN projects was AT&T's GeoPlex.[7] AT&T Labs GeoPlex project members Michah Lerner, George Vanecek, Nino Vidovic, and Dado Vrsalovic leveraged the network APIs and dynamic aspects of the Java language as a means to implement middleware networks. “GeoPlex is not an operating system, nor does it attempt to compete with one. It is networking middleware that uses one or more operating systems running on computers, connected to the Internet. GeoPlex is a service platform that manages networks and on-line services. GeoPlex maps all of the IP network activities into one or more services.”[8]

In July 2000, WebSprocket released VMFoundry, the Java to bare metal structured runtime compiler, and VMServer, a networked device compiler/classloader application server.[10] Custom networked devices were preloaded with images created by VMFoundry, then deployed on the network and connected to VMServer via a UDP or TCP services plane, which could proactively or reactively load or extend network protocol methods and classes on the target system. WebSprocket's version of SDN was therefore not confined to a set of limited actions managed by an SDN controller. Rather, WebSprocket's “control plane” contained code that could change, override, extend, or enhance network protocols on operating networked systems.[11] Bill Yount (Stanford University Network) visited WebSprocket's Sunnyvale lab to see a demonstration and expressed great enthusiasm about the entire concept, especially the VMServer (SDN controller), and prophetically described SDN (WebSprocket) as “10 years ahead of its time”. In the summer of 2000, Ericsson's advanced network research engineers saw an immediate need and visited WebSprocket to design and architect features of a next-generation soft switch, thus taking the first steps to build the world's first commercial soft switch.

Sometime during 2000, the Gartner Group introduced the "Supranet", the fusion of the physical and the digital (virtual) worlds as the “internet of things,” and by October 2000 the Gartner Group had selected WebSprocket as one of the top emerging technologies.[12]

In early 2001, Ericsson and WebSprocket entered into a license contract to create the first commercial soft switch. An international consortium was formed to develop standards for the “Supranet”. In March 2001, Kurt Dewitt, Supranet Consortium Chairman and Business Development Director for Ericsson's Data Broadband and Optical Networks Division, announced the selection of WebSprocket as the enabling technology of the Supranet Transaction Server (STS), a comprehensive framework to deliver any networked service.[13]

In April and May 2001, Ohio State University and OARnet collaboratively ran the first SDN test and developed the first practical SDN use case for Internet2. After successful completion of the tests, OARnet issued the following statement on May 8, 2001: “We have witnessed the successful first step to the fulfillment of smart, interoperable networks through the deployment of Supranet Transaction Server. A technology first was accomplished as a new set of instructions was dynamically transmitted across the network, changing the behavior of the requesting computer. There was no need to take down any part of the system and there was no interruption of service. Our testing will continue and we anticipate further advancement of the next generation Internet through our partnership with Websprocket” – Pankaj Shah (Managing Director, OARnet)[14]

The telecom market deflated in 2001 and Ericsson's soft switch development program came to an end, thus stalling the only known commercial SDN soft switch R&D effort at that time.

Software-defined networking was continued with work done in 2003 by Bob Burke and Zac Carman developing the Content Delivery Control Network patent application, which eventually was issued as two US patents: 8,122,128[15] and 8,799,468.[16] In this seminal inception, SDN, named service preference architecture (SPA) in their patent, was described as a collection of network-embedded computing techniques used to control the operation of network elements, namely content servers, routers, switches and gateways, with the objective of safeguarding content from theft (P2P) or unwanted interception and of efficiently delivering content for paid services. CableLabs later specified Digital Cable and CableCARD using what we now know as SDN, which debuted in 2007.

SDN was again moved ahead in work done at UC Berkeley and Stanford University around 2008.[17]

The Open Networking Foundation was founded in 2011 to promote SDN and OpenFlow.

At the 2014 Interop and Tech Field Day, software-defined networking was demonstrated by Avaya using shortest path bridging and OpenStack as an automated campus, extending automation from the data center to the end device and removing manual provisioning from service delivery.[18][19]

By 2016, some in the industry thought that SDN had become a meaningless marketing term.[20]

1.2 Concept

Software-defined networking (SDN) is an architecture purporting to be dynamic, manageable, cost-effective, and adaptable, seeking to be suitable for the high-bandwidth, dynamic nature of today's applications. SDN architectures decouple network control and forwarding functions, enabling network control to become directly programmable and the underlying infrastructure to be abstracted from applications and network services.[21] The OpenFlow protocol can be used in SDN technologies.
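The control/forwarding split described above, as an added example that is not part of the original article or of any SDN controller project: a toy datapath (a flow table with priorities and per-entry packet counters) programmed by a controller in the reactive, proactive and hybrid modes that section 1.6 below describes, plus a small security application of the kind section 1.7.4 describes, which reads the flow statistics and asks the controller to install a drop rule when one source has opened many distinct flows carrying a packet or two each. Hosts, port numbers, packets and the scan threshold are constructed for the example; the match is a simplified src/dst/dport triple rather than OpenFlow's full match structure.

```python
"""Toy SDN datapath, controller and security app (added example, not code
from the article or from any SDN project). Hosts, ports and traffic are
constructed; Match is a simplified src/dst/dport triple."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Match:
    """Fields left as None are wildcards, as in an OpenFlow match."""
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def hits(self, pkt: dict) -> bool:
        return all(v is None or pkt[k] == v for k, v in vars(self).items())


@dataclass
class FlowEntry:
    match: Match
    action: str          # "port:N" or "drop"
    priority: int = 1
    packets: int = 0     # per-entry counter: the raw material of flow statistics


class Datapath:
    """Forwarding element: highest-priority matching entry wins; a table miss
    becomes a packet-in to the controller, i.e. a control-channel round trip."""

    def __init__(self, controller: Controller):
        self.controller = controller
        self.table: list[FlowEntry] = []
        self.packet_ins = 0

    def install(self, entry: FlowEntry) -> None:
        self.table.append(entry)
        self.table.sort(key=lambda e: e.priority, reverse=True)

    def forward(self, pkt: dict) -> str:
        for entry in self.table:
            if entry.match.hits(pkt):
                entry.packets += 1
                return entry.action
        self.packet_ins += 1
        return self.controller.packet_in(self, pkt)


class Controller:
    """Logically centralised: owns the host -> port view and programs datapaths.
    mode "reactive": install a per-flow rule on each miss; "proactive": pre-install
    one rule per known host; "hybrid": pre-install only hosts in `static`, react for the rest."""

    def __init__(self, hosts: dict[str, int], mode: str, static=frozenset()):
        self.hosts, self.mode, self.static = hosts, mode, set(static)

    def attach(self, dp: Datapath) -> None:
        if self.mode in ("proactive", "hybrid"):
            for host, port in self.hosts.items():
                if self.mode == "proactive" or host in self.static:
                    dp.install(FlowEntry(Match(dst=host), f"port:{port}"))

    def packet_in(self, dp: Datapath, pkt: dict) -> str:
        port = self.hosts.get(pkt["dst"])
        action = f"port:{port}" if port is not None else "drop"
        if self.mode in ("reactive", "hybrid"):
            dp.install(FlowEntry(Match(pkt["src"], pkt["dst"], pkt["dport"]), action))
        return action

    def block_source(self, dp: Datapath, src: str) -> None:
        """Mitigation requested by an application: reprogram the data plane."""
        dp.install(FlowEntry(Match(src=src), "drop", priority=100))


class SecurityApp:
    """Anomaly detector on top of the controller: polls per-flow counters and
    flags a source with many distinct (dst, dport) flows of one or two packets
    each, a crude scan signature (threshold constructed for the example)."""

    def __init__(self, controller: Controller, max_targets: int = 5):
        self.controller, self.max_targets = controller, max_targets

    def poll(self, dp: Datapath) -> list[str]:
        per_src: dict[str, set] = {}
        for e in dp.table:
            if e.match.src is not None and e.action != "drop" and e.packets <= 2:
                per_src.setdefault(e.match.src, set()).add((e.match.dst, e.match.dport))
        blocked = [s for s, targets in per_src.items() if len(targets) >= self.max_targets]
        for src in blocked:
            self.controller.block_source(dp, src)
        return blocked


def demo(mode: str) -> dict:
    """Constructed traffic: one legitimate flow sent twice, then a six-port scan."""
    hosts = {"10.0.0.1": 1, "10.0.0.2": 2, "10.0.0.3": 3}
    ctl = Controller(hosts, mode, static={"10.0.0.1"})
    dp = Datapath(ctl)
    ctl.attach(dp)
    legit = {"src": "10.0.0.1", "dst": "10.0.0.2", "dport": 443}
    first, second = dp.forward(legit), dp.forward(legit)
    misses_after_two = dp.packet_ins
    for dport in range(20, 26):
        dp.forward({"src": "10.0.0.3", "dst": "10.0.0.2", "dport": dport})
    blocked = SecurityApp(ctl).poll(dp)
    after = dp.forward({"src": "10.0.0.3", "dst": "10.0.0.1", "dport": 80})
    return {"first": first, "second": second, "misses_after_two": misses_after_two,
            "packet_ins": dp.packet_ins, "blocked": blocked, "after_block": after}


if __name__ == "__main__":
    for m in ("reactive", "proactive", "hybrid"):
        print(m, demo(m))
```

Running the three modes shows the trade-off the text only hints at: in reactive and hybrid mode the scan costs six controller round trips but leaves per-flow counters behind, so the application can see and block the scanner; in proactive mode nothing ever reaches the controller, but the coarse per-host entries carry no per-source statistics and the scanner is never noticed. A real deployment would rate-limit packet-ins and watch table occupancy for the same reason.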
The SDN architecture is:

• Directly programmable: Network control is directly programmable because it is decoupled from forwarding functions.
• Agile: Abstracting control from forwarding lets administrators dynamically adjust network-wide traffic flow to meet changing needs.
• Centrally managed: Network intelligence is (logically) centralized in software-based SDN controllers that maintain a global view of the network, which appears to applications and policy engines as a single, logical switch.
• Programmatically configured: SDN lets network managers configure, manage, secure, and optimize network resources very quickly via dynamic, automated SDN programs, which they can write themselves because the programs do not depend on proprietary software.
• Open standards-based and vendor-neutral: When implemented through open standards, SDN simplifies network design and operation because instructions are provided by SDN controllers instead of multiple, vendor-specific devices and protocols.

1.3 The need for a new network architecture

The explosion of mobile devices and content, server virtualization, and the advent of cloud services are among the trends driving the networking industry to re-examine traditional network architectures.[22] Many conventional networks are hierarchical, built with tiers of Ethernet switches arranged in a tree structure. This design made sense when client-server computing was dominant, but such a static architecture is ill-suited to the dynamic computing and storage needs of today's enterprise data centers, campuses, and carrier environments. Some of the key computing trends driving the need for a new network paradigm include:

Changing traffic patterns: Within the enterprise data center, traffic patterns have changed significantly. In contrast to client-server applications where the bulk of the communication occurs between one client and one server, today's applications access different databases and servers, creating a flurry of “east-west” machine-to-machine traffic before returning data to the end user device in the classic “north-south” traffic pattern. At the same time, users are changing network traffic patterns as they push for access to corporate content and applications from any type of device (including their own), connecting from anywhere, at any time. Finally, many enterprise data center managers are contemplating a utility computing model, which might include a private cloud, public cloud, or some mix of both, resulting in additional traffic across the wide area network.

The “consumerization of IT”: Users are increasingly employing mobile personal devices such as smartphones, tablets, and notebooks to access the corporate network. IT is under pressure to accommodate these personal devices in a fine-grained manner while protecting corporate data and intellectual property and meeting compliance mandates.

The rise of cloud services: Enterprises have enthusiastically embraced both public and private cloud services, resulting in unprecedented growth of these services. Enterprise business units now want the agility to access applications, infrastructure, and other IT resources on demand and à la carte. To add to the complexity, IT's planning for cloud services must be done in an environment of increased security, compliance, and auditing requirements, along with business reorganizations, consolidations, and mergers that can change assumptions overnight. Providing self-service provisioning, whether in a private or public cloud, requires elastic scaling of computing, storage, and network resources, ideally from a common viewpoint and with a common suite of tools.

“Big data” means more bandwidth: Handling today's “big data” or mega datasets requires massive parallel processing on thousands of servers, all of which need direct connections to each other. The rise of mega datasets is fueling a constant demand for additional network capacity in the data center. Operators of hyperscale data center networks face the daunting task of scaling the network to previously unimaginable size, maintaining any-to-any connectivity without going broke.

1.4 Architectural components

(Figure: A high-level overview of the software-defined networking architecture.)

The following list defines and explains the architectural components:[23]

SDN Application: SDN Applications are programs that explicitly, directly, and programmatically communicate their network requirements and desired network behavior to the SDN Controller via a northbound interface (NBI). In addition they may consume an abstracted view of the network for their internal decision-making purposes. An SDN Application cons
ists of one SDN Application Logic and one or more NBI Drivers. SDN Applications may themselves expose another layer of abstracted network control, thus offering one or more higher-level NBIs through respective NBI agents.

SDN Controller: The SDN Controller is a logically centralized entity in charge of (i) translating the requirements from the SDN Application layer down to the SDN Datapaths and (ii) providing the SDN Applications with an abstract view of the network (which may include statistics and events). An SDN Controller consists of one or more NBI Agents, the SDN Control Logic, and the Control to Data-Plane Interface (CDPI) driver. Definition as a logically centralized entity neither prescribes nor precludes implementation details such as the federation of multiple controllers, the hierarchical connection of controllers, communication interfaces between controllers, nor virtualization or slicing of network resources.

SDN Datapath: The SDN Datapath is a logical network device that exposes visibility and uncontested control over its advertised forwarding and data processing capabilities. The logical representation may encompass all or a subset of the physical substrate resources. An SDN Datapath comprises a CDPI agent and a set of one or more traffic forwarding engines and zero or more traffic processing functions. These engines and functions may include simple forwarding between the datapath's external interfaces or internal traffic processing or termination functions. One or more SDN Datapaths may be contained in a single (physical) network element, an integrated physical combination of communications resources managed as a unit. An SDN Datapath may also be defined across multiple physical network elements. This logical definition neither prescribes nor precludes implementation details such as the logical to physical mapping, management of shared physical resources, virtualization or slicing of the SDN Datapath, interoperability with non-SDN networking, nor the data processing functionality, which can include OSI layer 4-7 functions.

SDN Control to Data-Plane Interface (CDPI): The SDN CDPI is the interface defined between an SDN Controller and an SDN Datapath, which provides at least (i) programmatic control of all forwarding operations, (ii) capabilities advertisement, (iii) statistics reporting, and (iv) event notification. One value of SDN lies in the expectation that the CDPI is implemented in an open, vendor-neutral and interoperable way.

SDN Northbound Interfaces (NBI): SDN NBIs are interfaces between SDN Applications and SDN Controllers and typically provide abstract network views and enable direct expression of network behavior and requirements. This may occur at any level of abstraction (latitude) and across different sets of functionality (longitude). One value of SDN lies in the expectation that these interfaces are implemented in an open, vendor-neutral and interoperable way.

1.5 SDN Control Plane

Centralized - Hierarchical - Distributed

The implementation of the SDN control plane can follow a centralized, hierarchical, or decentralized design. Initial SDN control plane proposals focused on a centralized solution, where a single control entity has a global view of the network. While this simplifies the implementation of the control logic, it has scalability limitations as the size and dynamics of the network increase. To overcome these limitations, several approaches have been proposed in the literature that fall into two categories, hierarchical and fully distributed approaches. In hierarchical solutions,[24][25] distributed controllers operate on a partitioned network view, while decisions that require network-wide knowledge are taken by a logically centralized root controller. In distributed approaches,[26][27] controllers operate on their local view or they may exchange synchronization messages to enhance their knowledge. Distributed solutions are more suitable for supporting adaptive SDN applications.

Controller Placement

A key issue when designing a distributed SDN control plane is to decide on the number and placement of control entities. An important parameter to consider while doing so is the propagation delay between the controllers and the network devices,[28] especially in the context of large networks. Other objectives that have been considered involve control path reliability,[29] fault tolerance,[30] and application requirements.[31]

1.6 SDN flow forwarding

Proactive vs Reactive vs Hybrid[32][33]

OpenFlow uses TCAM tables to route packet sequences (flows). When a flow arrives at a switch, a flow table lookup is performed. Depending on the flow table implementation this is done in a software flow table if a vSwitch is used, or in an ASIC if it is implemented in hardware. When no matching flow is found, a request to the controller for further instructions is sent. This is handled in one of three different modes. In reactive mode the controller acts after these requests and creates and installs a rule in the flow table for the corresponding packet if necessary. In proactive mode the controller populates flow table entries for all possible traffic matches for this switch in advance. This mode can be compared with typical routing table entries today, where all static entries are installed ahead of time. Following this, no request is sent to the controller, since all incoming flows will find a matching entry. A major advantage of proactive mode is that all packets are forwarded at line rate (considering all flow table entries in TCAM) and no delay is added. The third mode, hybrid mode, combines the flexibility of reactive mode for a set of traffic with the low-latency forwarding of proactive mode for the rest of the traffic. Two practical consequences follow for the security of a deployment: in reactive mode every table miss is a round trip over the control channel, so a burst of packets whose headers match no installed entry, deliberate or not, becomes load on the controller (the single point of attack and failure noted in the OpenFlow security concerns below), and the per-flow entries that reactive mode installs consume the switch's finite TCAM, so both the miss rate and the table occupancy are worth rate-limiting and monitoring.

1.7 Applications

1.7.1 SDMN

Software-defined mobile networking (SDMN)[34] is an approach to the design of mobile networks where all protocol-specific features are implemented in software, maximizing the use of generic and commodity hardware and software in both the core network and radio access network.[35] It is proposed as an extension of the SDN paradigm to incorporate mobile network specific functionalities.[36]

1.7.2 SD-WAN

An SD-WAN is a Wide Area Network (WAN) managed using the principles of software-defined networking.[37] The main driver of SD-WAN is to lower WAN costs using less expensive leased lines, as an alternative or partial replacement of more expensive MPLS lines. Control and management is separated from the hardware, with central controllers allowing easier configuration and administration.[38]

1.7.3 SD-LAN

A SD-LAN is a Local area network (LAN) built around the principles of software-defined networking, though there are key differences in topology, network security, application visibility and control, management and quality of service.[39] SD-LAN decouples control management, and data planes to enable a policy driven architecture for wired and wireless LANs. SD-LANs are characterized by their use of a cloud management system and wireless connectivity without the presence of a physical controller.[40]

1.7.4 Security using the SDN paradigm

SDN architecture may enable, facilitate or enhance network-related security applications due to the controller's central view of the network and its capacity to reprogram the data plane at any time. While the security of the SDN architecture itself remains an open question that has already been studied several times in the research community,[41][42][43] the following paragraphs focus only on the security applications made possible or revisited using SDN.

Several research works on SDN have already investigated security applications built upon the SDN controller, with different aims in mind. Distributed Denial of Service (DDoS) detection and mitigation,[44][45] as well as botnet[46] and worm propagation,[47] are some concrete use-cases of such applications: basically, the idea consists in periodically collecting network statistics from the forwarding plane of the network in a standardized manner (e.g. using OpenFlow), and then applying classification algorithms on those statistics in order to detect any network anomalies. If an anomaly is detected, the application instructs the controller how to reprogram the data plane in order to mitigate it.

Another kind of security application leverages the SDN controller by implementing moving target defense (MTD) algorithms. MTD algorithms are typically used to make any attack on a given system or network more difficult than usual by periodically hiding or changing key properties of that system or network. In traditional networks, implementing MTD algorithms is not a trivial task since it is difficult to build a central authority able to determine, for each part of the system to be protected, which key properties are hidden or changed. In an SDN network, such tasks become more straightforward thanks to the centrality of the controller. One application can for example periodically assign virtual IPs to hosts within the network, with the mapping between virtual IP and real IP then performed by the controller.[48] Another application can simulate fake open/closed/filtered ports on random hosts in the network in order to add significant noise during the reconnaissance phase (e.g. scanning) performed by an attacker.[49]

Additional value regarding security in SDN-enabled networks can also be gained using FlowVisor[50] and FlowChecker[51] respectively. The former tries to use a single hardware forwarding plane sharing multiple separated logical networks. Following this approach the same hardware resources can be used for production and development purposes as well as for separating monitoring, configuration and internet traffic, where each scenario can have its own logical topology, which is called a slice. In conjunction with this approach FlowChecker[51] realizes the validation of new OpenFlow rules that are deployed by users using their own slice.

SDN controller applications are mostly deployed in large-scale scenarios, which requires comprehensive checks for possible programming errors. A system to do this called NICE was described in 2012.[52] Introducing an overarching security architecture requires a comprehensive and protracted approach to SDN. Since it was introduced, designers have been looking at possible ways to secure SDN that do not compromise scalability. One such architecture is SN-SECA, the SDN+NFV Security Architecture.[53]

1.8 See also

• Active networking
• Frenetic (programming language)
• IEEE 802.1aq
• Intel Data Plane Development Kit (DPDK)
• List of SDN controller software
• Network functions virtualization
• ONOS
• OpenDaylight Project
• SD-WAN
• Software-defined data center
• Software-defined mobile network
• Software-defined protection

1.9 References

[1]
[2]
[3] “Predicting SD-WAN Adoption”. gartner.com. 2015-12-15. Retrieved 2016-06-27.
[4] “The History of Java Technology”. Retrieved October 6, 2012.
[5] Sun Pegs Telecom with JTONE
[6] Sun facilitates Java use for public network operators
[7] “CERIAS : GeoPlex: Universal Service Platform for IP Network-based Services - 10/17/1997”. Cerias.purdue.edu. Retrieved 26 October 2014.
[8] “Middleware Networks”. Dl.acm.org. Retrieved 26 October 2014.
[9] “Design Automation of Supranet Systems: Benefits for Hardware Design and Bringup” (PDF). S3us-west2.amazonaws.com. Retrieved 22 November 2014.
[10] “Websprocket Announces VMServer - World's First Proxy Java Virtual Machine; Enables 1,000's of Connected Clients To Use Single Java Virtual Machine.”. Thefreelibrary.com. Retrieved 26 October 2014.
[11] “Installation Guide”. Web.archive.org. Archived from the original on February 4, 2002. Retrieved 22 November 2014.
[12] “Top Emerging Technologies Announced During Gartner Symposium/ITxpo 2000; New Emerging Technologies Research Highlights Trends in Wearable Computing, Profiling and Privacy.”. Thefreelibrary.com. Retrieved 26 October 2014.
[13] “Websprocket Selected By Supranet Consortium to Enable the Internet With Smart Packet Technology; Platform Unifies Supranet Management Through Java and Oracle.”. Thefreelibrary.com. Retrieved 26 October 2014.
[14] “Software Defined Network SDN”. Scribd.com. Retrieved 26 October 2014.
[15] “United States Patent: 8122128”. Patft.uspto.gov. Retrieved 26 October 2014.
[16] “United States Patent: 8799468”. Patft.uspto.gov. Retrieved 26 October 2014.
[17] “Prof. Scott Shenker - Gentle Introduction to Software-Defined Networking - Technion lecture”. YouTube. 2012-06-26. Retrieved 2014-01-23.
[18] “Interop 2014: Avaya to showcase Automated Campus part of SDN initiative”. Info Tech Lead. 26 March 2014. Retrieved 25 June 2014.
[19] “Avaya Software Defined Data Center”. Tech Field Day. Feb 2014. Retrieved 25 June 2014.
[20] Elizabeth Miller Coyne (23 September 2016). “Huawei Exec: SDN's Become a 'Completely Meaningless Term'". Light Reading. Retrieved 25 September 2016.
[21] “Software-Defined Networking (SDN) Definition”. Opennetworking.org. Retrieved 26 October 2014.
[22] “White Papers”. Opennetworking.org. Retrieved 26 October 2014.
[23] “SDN Architecture Overview” (PDF). Opennetworking.org. Retrieved 22 November 2014.
[24] S.H. Yeganeh, Y. Ganjali, “Kandoo: A Framework for Efficient and Scalable Offloading of Control Applications,” proceedings of HotSDN, Helsinki, Finland, 2012.
[25] R. Ahmed, R. Boutaba, “Design considerations for managing wide area software defined networks,” IEEE Communications Magazine, vol. 52, no. 7, pp. 116–123, July 2014.
[26] T. Koponen et al., “Onix: A Distributed Control Platform for Large-scale Production Networks,” proceedings of USENIX OSDI'10, Vancouver, Canada, 2010.
[27] D. Tuncer, M. Charalambides, S. Clayman, G. Pavlou, “Adaptive Resource Management and Control in Software Defined Networks,” IEEE Transactions on Network and Service Management, vol. 12, no. 1, pp. 18–33, March 2015.
[28] B. Heller, R. Sherwood, and N. McKeown, “The Controller Placement Problem,” proceedings of HotSDN'12, 2012.
[29] Y.N. Hu, W.D. Wang, X.Y. Gong, X.R. Que, S.D. Cheng, “On the placement of controllers in software-defined networks,” Journal of China Universities of Posts and Telecommunications, vol. 19, Supplement 2, pp. 92–171, 2012.
[30] F.J. Ros, P.M. Ruiz, “Five nines of southbound reliability in software defined networks,” proceedings of HotSDN'14, 2014.
[31] D. Tuncer, M. Charalambides, S.
Clayman, G. Pavlou, “On the Placement of Management and Control Functionality in Software Defined Networks,” proceedings of the 2nd IEEE International Workshop on Management of SDN and NFV Systems (ManSDN/NFV), Barcelona, Spain, November 2015.
[32] “OpenFlow: Proactive vs Reactive”. NetworkStatic.net. Retrieved 2014-07-01.
[33] “Reactive, Proactive, Predictive: SDN Models | F5 DevCentral”. Devcentral.f5.com. Retrieved 2016-06-30.
[34] Liyanage, Madhusanka (2015). Software Defined Mobile Networks (SDMN): Beyond LTE Network Architecture. UK: John Wiley. pp. 1–438. ISBN 978-1-118-90028-4.
[35] Jose Costa-Requena, Jesús Llorente Santos, Vicent Ferrer Guasch, Kimmo Ahokas, Gopika Premsankar, Sakari Luukkainen, Ijaz Ahmed, Madhusanka Liyanage, Mika Ylianttila, Oscar López Pérez, Mikel Uriarte Itzazelaia, Edgardo Montes de Oca, “SDN and NFV Integration in Generalized Mobile Network Architecture”, in Proc. of European Conference on Networks and Communications (EUCNC), Paris, France, June 2015.
[36] Madhusanka Liyanage, Mika Ylianttila, Andrei Gurtov, “Securing the Control Channel of Software-Defined Mobile Networks”, in Proc. of IEEE 15th International Symposium on World of Wireless, Mobile and Multimedia Networks (WoWMoM), Sydney, Australia, June 2014.
[37] Haranas, Mark (8 October 2016). “16 Hot Networking Products Putting The Sizzle In SD-WAN”. CRN. Retrieved 1 November 2016.
[38] “SD-WAN: What it is and why you'll use it one day”. networkworld.com. 2016-02-10. Retrieved 2016-06-27.
[39] Serries, William (12 September 2016). “SD-LAN et SD-WAN : Deux Approches Différentes pour le Software Defined Networking” [SD-LAN and SD-WAN: Two Different Approaches to Software Defined Networking]. ZDNet. Retrieved 1 November 2016.
[40] Kerravala, Zeus (13 September 2016). “Aerohive Introduces the Software-defined LAN”. Network World. Retrieved 1 November 2016.
[41] Kreutz, Diego; Ramos, Fernando; Verissimo, Paulo (2013). “Towards secure and dependable software-defined networks”. Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking. pp. 50–60.
[42] Scott-Hayward, Sandra; O'Callaghan, Gemma; Sezer, Sakir (2013). “SDN security: A survey”. 2013 IEEE SDN for Future Networks and Services (SDN4FNS). pp. 1–7.
[43] Benton, Kevin; Camp, L Jean; Small, Chris (2013). “Openflow vulnerability assessment”. Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking. pp. 151–152.
[44] Giotis, K; Argyropoulos, Christos; Androulidakis, Georgios; Kalogeras, Dimitrios; Maglaris, Vasilis (2014). “Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments”. Computer Networks. 62: 122–136.
[45] Braga, Rodrigo; Mota, Edjard; Passito, Alexandre (2010). “Lightweight DDoS flooding attack detection using NOX/OpenFlow”. 2010 IEEE 35th Conference on Local Computer Networks (LCN). pp. 408–415.
[46] Feamster, Nick (2010). “Outsourcing home network security”. Proceedings of the 2010 ACM SIGCOMM workshop on Home networks. pp. 37–42.
[47] Jin, Ruofan & Wang, Bing (2013). “Malware detection for mobile devices using software-defined networking”. 2013 Second GENI Research and Educational Experiment Workshop (GREE). pp. 81–88.
[48] Jafarian, Jafar Haadi; Al-Shaer, Ehab; Duan, Qi (2012). “Openflow random host mutation: transparent moving target defense using software defined networking”. Proceedings of the first workshop on Hot topics in software defined networks. pp. 127–132.
[49] Kampanakis, Panos; Perros, Harry; Beyene, Tsegereda. SDN-based solutions for Moving Target Defense network protection (PDF). Retrieved 23 July 2014.
[50] Sherwood, Rob; Gibb, Glen; Yap, Kok-Kiong; Appenzeller, Guido; Casado, Martin; McKeown, Nick; Parulkar, Guru (2009). “Flowvisor: A network virtualization layer”. OpenFlow Switch Consortium, Tech. Rep.
[51] Al-Shaer, Ehab & Al-Haj, Saeed (2010).
“FlowChecker: Configuration analysis and verification of federated OpenFlow infrastructures”. Proceedings of the 3rd ACM workshop on Assurable and usable security configuration. pp. 37–44.
[52] Canini, Marco; Venzano, Daniele; Peresini, Peter; Kostic, Dejan; Rexford, Jennifer; et al. (2012). A NICE Way to Test OpenFlow Applications. NSDI. pp. 127–140.
[53] Bernardo and Chua (2015). Introduction and Analysis of SDN and NFV Security Architecture (SA-SECA). 29th IEEE AINA 2015. pp. 796–801.
• Nadeau, Thomas D.; Gray, W. Ken. SDN: Software Defined Networks. ISBN 1-4493-4230-2.

1.10 External links

• Open Networking Foundation's definition of SDN
• Coursera Course on SDN, by Nick Feamster
• OpenFlow-enabled SDN and Network Functions Virtualization
• SDN Security Considerations in the Data Center
• Floodlight, an open source Java based OpenFlow controller
• Network Function Virtualization (NFV)
• Decoding SDN
• Software-defined networking (SDN) for the non-technical
• Operational Opportunities and Challenges of SDN/NFV Programmable Infrastructure – a report from the ATIS Technology and Operations Council
• What is Software Defined Networking – an introduction
• Cherry, an open source OpenFlow controller written in Go
• Faucet, an open source OpenFlow controller written in Python based on Ryu for production networks

Chapter 2

OpenFlow

OpenFlow is a communications protocol that gives access to the forwarding plane of a network switch or router over the network.[1]

2.1 Description

OpenFlow enables network controllers to determine the path of network packets across a network of switches. The controllers are distinct from the switches. This separation of the control from the forwarding allows for more sophisticated traffic management than is feasible using access control lists (ACLs) and routing protocols. Also, OpenFlow allows switches from different vendors (often each with their own proprietary interfaces and scripting languages) to be managed remotely using a single, open protocol. The protocol's inventors consider OpenFlow an enabler of software defined networking (SDN).

OpenFlow allows remote administration of a layer 3 switch's packet forwarding tables, by adding, modifying and removing packet matching rules and actions. This way, routing decisions can be made periodically or ad hoc by the controller and translated into rules and actions with a configurable lifespan, which are then deployed to a switch's flow table, leaving the actual forwarding of matched packets to the switch at wire speed for the duration of those rules. Packets which are unmatched by the switch can be forwarded to the controller. The controller can then decide to modify existing flow table rules on one or more switches or to deploy new rules, to prevent a structural flow of traffic between switch and controller. It could even decide to forward the traffic itself, provided that it has told the switch to forward entire packets instead of just their header.

The OpenFlow protocol is layered on top of the Transmission Control Protocol (TCP), and prescribes the use of Transport Layer Security (TLS). Controllers should listen on TCP port 6653 for switches that want to set up a connection. Earlier versions of the OpenFlow protocol unofficially used port 6633.[2][3] In practice, switches and controllers also accept plain TCP on the same port, so a deployment that does not enforce TLS with certificate verification on both ends leaves the control channel open to the man-in-the-middle concern listed under security concerns below.

2.2 History

The Open Networking Foundation (ONF), a user-led organization dedicated to promotion and adoption of software-defined networking (SDN),[4] manages the OpenFlow standard.[5] ONF defines OpenFlow as the first standard communications interface defined between the control and forwarding layers of an SDN architecture. OpenFlow allows direct access to and manipulation of the forwarding plane of network devices such as switches and routers, both physical and virtual (hypervisor-based). It is the absence of an open interface to the forwarding plane that has led to the characterization of today's networking devices as monolithic, closed, and mainframe-like. A protocol like OpenFlow is needed to move network control out of proprietary network switches and into control software that is open source and locally managed.[6]

A number of network switch and router vendors have announced intent to support or are shipping supported switches for OpenFlow, including Alcatel-Lucent,[7] Big Switch Networks,[8] Brocade Communications,[9] Radisys,[10] Arista Networks, Pica8, NoviFlow, Huawei, Cisco, Dell Force10, Extreme Networks, IBM, Juniper Networks, Digisol, Larch Networks, Hewlett-Packard, NEC, and MikroTik.[11] Some network control plane implementations use the protocol to manage the network forwarding elements.[12] OpenFlow is mainly used between the switch and controller on a secure channel. A fairly comprehensive list of OpenFlow-related products may be found on the ONF website and the SDNCentral website.

2.2.1 Development

Version 1.1 of the OpenFlow protocol was released on 28 February 2011, and new development of the standard was managed by the Open Networking Foundation (ONF).[13] In December 2011, the ONF board approved OpenFlow version 1.2 and published it in February 2012.[14] The current version of OpenFlow is 1.4.[15]

In May 2011, Marvell and Larch Networks announced the availability of an OpenFlow-enabled, fully featured switching solution based on Marvell's networking control stack and the Prestera family of packet processors.[16][17]

Indiana University in May 2011 launched an SDN Interoperability Lab in conjunction with the Open Networking Foundation to test how well different vendors' Software-Defined Networking and OpenFlow products work together.[18]

In June 2012, Infoblox released LINC, an open-source OpenFlow version 1.2 and 1.3 compliant software switch.[19]

In February 2012, Big Switch Networks released Project Floodlight, an Apache-licensed open-source software OpenFlow Controller,[20] and announced its OpenFlow-based SDN Suite in November of that year, which contains a commercial controller, and virtual switching and tap monitoring applications.[21]

In February 2012, HP said it is supporting the standard on 16 of its Ethernet switch products.[22]

In April 2012, Google's Urs Hölzle described how the company's internal network had been completely redesigned over the previous two years to run under OpenFlow with substantial efficiency improvement.[23]

[4] Kate Greene (March–April 2009). “TR10: Software-Defined Networking”. MIT Technology Review. Retrieved 7 October 2011.
[5] “Open Networking Foundation: SDN Defined”. Open Networking Foundation.
[6] “Software-Defined Networking (SDN): The New Norm for Networks”. Open Networking Foundation.
[7] Solomon, Howard (2013-12-11). “Alcatel Now Supports OpenFlow, OpenStack on Switches”. IT World Canada.
[8] Metz, Cade (26 March 2013). “You Can't Have Google's Pluto Switch, But You Can Have This”. Wired.
[9] Pavel Radda (2011-03-22). “Brocade Leads OpenFlow Adoption to Accelerate Network Virtualization and Cloud Application Development”. Reuters. Retrieved 2011-11-29.
[10] "FlowEngine: Intelligent Flow Management”. 20 Feb 2016.
[11] “MikroTik Manual: OpenFlow". 16 Jun 2015.
[12] Teemu Koponen et al. (2010-10-04). “Onix: A Distributed Control Platform for Large-scale Production Networks”. USENIX OSDI 2010. Retrieved 2010-10-01.
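The switch-to-controller channel described in section 2.1, as an added example that is not code from the article, from the ONF specification text, or from any controller project: it packs and validates the fixed 8-byte OpenFlow message header (version, type, length and transaction id, in network byte order, the layout every OpenFlow version shares), runs the HELLO and ECHO_REQUEST/ECHO_REPLY exchange between two in-memory peers, and builds the kind of TLS server context a controller should listen with on port 6653. The version byte and type numbers are OpenFlow 1.3's; the `Peer` class, the `rejects` helper and the `b"ping"` payload are this example's own, and the length check is there because the length field is chosen by the remote end.

```python
"""OpenFlow header handling and a HELLO/ECHO exchange (added example; not
code from the article, the ONF specification, or any controller). Version
byte and message types are OpenFlow 1.3's; the Peer class, `rejects` and
the b"ping" payload are constructed for the example."""
import ssl
import struct

OFP_VERSION = 0x04                 # OpenFlow 1.3
OFPT_HELLO, OFPT_ERROR, OFPT_ECHO_REQUEST, OFPT_ECHO_REPLY = 0, 1, 2, 3
HEADER = struct.Struct("!BBHI")    # version, type, length, xid; network byte order
OFP_PORT = 6653                    # IANA-assigned; 6633 was the older unofficial port


def build_message(msg_type: int, xid: int, body: bytes = b"", version: int = OFP_VERSION) -> bytes:
    """Prefix body with a header whose length field covers header + body."""
    return HEADER.pack(version, msg_type, HEADER.size + len(body), xid) + body


def parse_message(buf: bytes, version: int = OFP_VERSION):
    """Split one complete message off the front of a receive buffer.
    Returns (type, xid, body, rest); None means read more bytes first;
    ValueError means the peer sent something the channel must not accept."""
    if len(buf) < HEADER.size:
        return None
    ver, msg_type, length, xid = HEADER.unpack_from(buf)
    if ver != version:
        raise ValueError(f"unsupported OpenFlow version 0x{ver:02x}")
    if length < HEADER.size:               # peer-controlled field: check before slicing
        raise ValueError(f"bad length {length}")
    if len(buf) < length:
        return None
    return msg_type, xid, buf[HEADER.size:length], buf[length:]


def rejects(buf: bytes) -> bool:
    """True if parse_message refuses buf (demonstration helper)."""
    try:
        parse_message(buf)
        return False
    except ValueError:
        return True


class Peer:
    """One end of the channel: allocates xids, logs what it receives and
    answers ECHO_REQUEST with an ECHO_REPLY carrying the same xid and payload."""

    def __init__(self):
        self.xid = 0
        self.log = []

    def _next_xid(self) -> int:
        self.xid += 1
        return self.xid

    def hello(self) -> bytes:
        return build_message(OFPT_HELLO, self._next_xid())

    def echo_request(self, payload: bytes) -> bytes:
        return build_message(OFPT_ECHO_REQUEST, self._next_xid(), payload)

    def handle(self, raw: bytes) -> bytes:
        """Consume every complete message in raw; return what to send back."""
        out = b""
        while (parsed := parse_message(raw)) is not None:
            msg_type, xid, body, raw = parsed
            self.log.append((msg_type, xid))
            if msg_type == OFPT_ECHO_REQUEST:
                out += build_message(OFPT_ECHO_REPLY, xid, body)
        return out


def handshake() -> dict:
    """Both sides send HELLO, then the controller probes liveness with ECHO."""
    switch, controller = Peer(), Peer()
    controller.handle(switch.hello())
    switch.handle(controller.hello())
    reply = switch.handle(controller.echo_request(b"ping"))
    controller.handle(reply)
    return {"switch_log": switch.log, "controller_log": controller.log, "reply": reply}


def controller_tls_context(certfile=None, keyfile=None, cafile=None) -> ssl.SSLContext:
    """Listener context for OFP_PORT: TLS 1.2 or newer, and the switch must
    present a certificate chaining to our CA; otherwise anything that can
    reach the port can program the network. Files are loaded only when given."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    if cafile:
        ctx.load_verify_locations(cafile)
    return ctx


if __name__ == "__main__":
    print(handshake())
```

The context covers only the controller side of the channel: the switch must verify the controller's certificate just as strictly, since a switch that accepts any controller will take flow rules from whoever can answer on the controller's address.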
In January 2013, NEC unveiled a virtual switch for Microsoft's Windows Server 2012 Hyper-V hypervisor, [13] “Open Networking Foundation Press Release”. 2011-03which is designed to bring OpenFlow-based software20. defined networking and network virtualisation to those [24] Microsoft environments. [14] “Open Networking Foundation - OpenFlow v1.2” (PDF). [15] “Open Networking Foundation - OpenFlow v1.4” (PDF). 2.2.2 Security concerns [16] “Marvell Introduces OpenFlow-enabled Switches”. 10 May 2011. Retrieved 28 June 2015. • Man-in-the middle • Potential single point of attack and failure [25][26] • Programming and Communication Channel Issues (w.r.t security) - OpenFlow Deployment Experience [27] 2.3 See also • Software-defined networking 2.4 References [17] “OpenFlow – Innovate in Your Network”. 6 May 2011. Retrieved 28 June 2015. [18] SDN Interoperability Lab [19] [20] Cole, Bernard (2 February 2012). “Big Switch releases open source controller for OpenFlow”. EE Times. Retrieved 2012-02-02. [21] Sean Michael Kerner (2012-11-13). “Big Switch Emerges with Commercial SDN Portfolio”. Enterprise Networking Planet. [22] Neagle, Colin (2 February 2012). “HP takes giant first step into OpenFlow: HP is announcing its first effort to support OpenFlow standard on its Ethernet switches”. Network World. Retrieved 28 April 2013. [1] Nick McKeown; et al. (April 2008). “OpenFlow: Enabling innovation in campus networks”. ACM Communications Review. Retrieved 2009-11-02. [23] Levy, Steven, “Going With the Flow: Google’s Secret Switch to the Next Wave of Networking”, Wired, 17 April 2012. Retrieved 2012-04-17. [2] “OpenFlow Switch Errata v1.0.2-rc1” (PDF). Open Networking Foundation. 2013-10-04. [24] Duffy, Jim (22 January 2013). “NEC rolls out OpenFlow for Microsoft Hyper-V: NEC virtual switch adds IPv6 support to SDN controller”. Network World. Retrieved 28 April 2013. [3] “Service Name and Transport Protocol Port Number Registry”. IANA. 
[25] “OpenFlow Vulnerability Assessment” (PDF).
[26] “OpenFlow security: Does OpenFlow secure software-defined networks?”. http://searchsecurity.techtarget.com/answer/OpenFlow-security-Does-OpenFlow-secure-software-defined-networks
[27] Sriram Natarajan; et al. “A Software defined CloudGateway automation system using OpenFlow”.

2.5 External links

• Floodlight project website
• Open Networking Foundation website
• OpenDaylight project website
• OpenFlow project website
• Cherry, an open source OpenFlow controller written in Go

Chapter 3

Cisco Systems

“Cisco” redirects here. For other uses, see Cisco (disambiguation).

Cisco Systems, Inc. (known as Cisco) is an American multinational technology conglomerate headquartered in San José, California, that develops, manufactures, and sells networking hardware, telecommunications equipment, and other high-technology services and products.[4] Through its numerous acquired subsidiaries, such as OpenDNS, Cisco Meraki, and Cisco Jasper, Cisco specializes in specific tech markets, such as Internet of Things (IoT), domain security, and energy management. Cisco is the largest networking company in the world. The stock was added to the Dow Jones Industrial Average on June 8, 2009, and is also included in the S&P 500 Index, the Russell 1000 Index, NASDAQ-100 Index and the Russell 1000 Growth Stock Index.[5]

Caption: Leonard Bosack (pictured) and Sandy Lerner, two Stanford University computer scientists, founded Cisco in 1984.

Cisco Systems was founded in December 1984 by Leonard Bosack and Sandy Lerner, two Stanford University computer scientists, who pioneered the concept of a local area network (LAN) being used to connect geographically disparate computers over a multiprotocol router system, which was unheard of technology at the time. By the time the company went public in 1990, when it was listed on the NASDAQ, Cisco had a market capitalization of $224 million. Cisco was the most valuable
company in the world by 2000, with a more than $500 billion market capitalization.[6]

3.1 History

3.1.1 1984–1995: Origins and initial growth

Cisco Systems was founded in December 1984 by Leonard Bosack, who was in charge of the Stanford University computer science department’s computers, and his wife Sandy Lerner, who managed the Graduate School of Business’ computers.[7]

Despite founding Cisco in 1984, Bosack, along with Kirk Lougheed, continued to work at Stanford on Cisco’s first product. It consisted of exact replicas of Stanford’s “Blue Box” router and a stolen[8] copy of the University’s multiple-protocol router software. The software was originally written some years earlier at Stanford medical school by research engineer William Yeager. Bosack and Lougheed adapted it into what became the foundation for Cisco IOS. On July 11, 1986, Bosack and Lougheed were forced to resign from Stanford and the university contemplated filing criminal complaints against Cisco and its founders for the theft of its software, hardware designs and other intellectual properties. In 1987, Stanford licensed the router software and two computer boards to Cisco.

In addition to Bosack, Lerner and Lougheed, Greg Satz, a programmer, and Richard Troiano, who handled sales, completed the early Cisco team. The company’s first CEO was Bill Graves, who held the position from 1987 to 1988.[9] In 1988, John Morgridge was appointed CEO.

The name “Cisco” was derived from the city name San Francisco, which is why the company’s engineers insisted on using the lower case “cisco” in its early years. The logo is intended to depict the two towers of the Golden Gate Bridge.[10]

On February 16, 1990, Cisco Systems went public (with a market capitalization of $224 million) and was listed on the NASDAQ stock exchange. On August 28, 1990, Lerner was fired. Upon hearing the news, her husband Bosack resigned in protest.
The couple walked away from Cisco with $170 million, 70% of which was committed to their own charity.[11]

Caption: John T. Chambers led Cisco as its CEO between 1995 and 2015. (Pictured at 2010 World Economic Forum, in Davos, Switzerland.)

Although Cisco was not the first company to develop and sell dedicated network nodes,[12] it was one of the first to sell commercially successful routers supporting multiple network protocols.[13] Classical, CPU-based architecture of early Cisco devices coupled with flexibility of operating system IOS allowed for keeping up with evolving technology needs by means of frequent software upgrades. Some popular models of that time (such as Cisco 2500) managed to stay in production for almost a decade virtually unchanged—a rarity in high-tech industry. Although Cisco was strongly rooted in the enterprise environment, the company was quick to capture the emerging service provider environment, entering the SP market with new, high-capacity product lines such as Cisco 7000 and Cisco 8500.

Between 1992 and 1994, Cisco acquired several companies in Ethernet switching, such as Kalpana, Grand Junction, and most notably, Mario Mazzola’s Crescendo Communications which together formed the Catalyst business unit. At the time, the company envisioned layer 3 routing and layer 2 (Ethernet, Token Ring) switching as complementary functions of different intelligence and architecture—the former was slow and complex, the latter was fast but simple. This philosophy dominated the company’s product lines throughout the 1990s.

In 1995, John Morgridge was succeeded by John Chambers.[14]

3.1.2 1996–2005: Internet and silicon intelligence

The phenomenal growth of the Internet in mid-to-late 1990s quickly changed the telecom landscape. As the Internet Protocol (IP) became widely adopted, the importance of multi-protocol routing declined. Nevertheless, Cisco managed to catch the Internet wave, with products ranging from modem access shelves (AS5200) to core GSR routers that quickly became vital to Internet service providers and by 1998 gave Cisco de facto monopoly in this critical segment.

In late March 2000, at the height of the dot-com bubble, Cisco became the most valuable company in the world, with a market capitalization of more than US$500 billion.[15][16] In July 2014, with a market cap of about US$129 billion,[17] it is still one of the most valuable companies.[18]

Meanwhile, the growth of Internet bandwidth requirements kept challenging traditional, software-based packet processing architectures. The perceived complexity of programming routing functions in silicon led to formation of several startups determined to find new ways to process IP and MPLS packets entirely in hardware and blur boundaries between routing and switching. One of them, Juniper Networks, shipped their first product in 1999 and by 2000 chipped away about 30% from Cisco SP Market share. Cisco answered the challenge with homegrown ASICs and fast processing cards for GSR routers and Catalyst 6500 switches. In 2004, Cisco also started migration to new high-end hardware CRS-1 and software architecture IOS-XR.

3.1.3 2006–2012: The Human Network

Caption: Russian President Dmitry Medvedev and California Governor Arnold Schwarzenegger at Cisco, 2010.[19]

As part of a massive rebranding campaign in 2006, Cisco Systems adopted the shortened name “Cisco” and created “The Human Network” advertising campaign.[20] These efforts were meant to make Cisco a “household” brand—a strategy designed to support the low-end Linksys products and future consumer products (such as Flip Video camera acquired by Cisco in 2009). On the more traditional business side, Cisco continued to develop its extensive enterprise-focused routing, switching and security portfolio.
The quickly growing importance of Ethernet also influenced the company’s product lines, prompting the company to morph the successful Catalyst 6500 Ethernet switch into all-purpose Cisco 7600 routing platform.[21] However, limits of IOS and aging Crescendo architecture also forced Cisco to look at merchant silicon in the carrier Ethernet segment. This resulted in a new ASR9000 product family intended to consolidate company’s carrier ethernet and subscriber management business around EZChip-based hardware and IOS-XR. Cisco also expanded into new markets by acquisition—one example being a 2009 purchase of mobile specialist Starent Networks that resulted in ASR5000 product line.

Throughout the mid-2000s, Cisco also built a significant presence in India, establishing its Globalization Centre East in Bengaluru for $1 billion, and planning that 20% of Cisco’s leaders would be based there.[22]

Caption: Portuguese President Aníbal Cavaco Silva, John T. Chambers, and Senior Director of Corporate Innovation Helder Antunes, 2011.

However, Cisco continued to be challenged by both domestic (Alcatel-Lucent, Juniper Networks) and overseas (Huawei) competitors. Due to lower-than-expected profit in 2011, Cisco was forced to reduce annual expenses by $1 billion. The company cut around 3,000 employees with an early-retirement program who accepted buyout and planned to eliminate as many as 10,000 jobs (around 14 percent of the 73,400 total employees before curtailment).[23][24] During the 2011 analyst call, Cisco’s CEO John Chambers called out several competitors by name,[25] including Juniper and HP.

On 24 July 2012, Cisco received approval from the EU to acquire NDS (a TV software developer) for USD 5 billion.[26] This acquisition signaled the end of the “The Human Network” strategy as Cisco found itself backing off from household hardware like Linksys[27] and Flip into the cloud and software market.

3.1.4 Present day

On July 23, 2013, Cisco Systems announced a definitive agreement to acquire Sourcefire for $2.7 billion.[28]

On August 14, 2013, Cisco Systems announced it would cut 4,000 jobs from its workforce, which was roughly 6% starting in 2014.[29]

At the end of 2013, Cisco announced poor revenue due to depressed sales in emerging markets, caused by economic uncertainty and by fears of the National Security Agency planting backdoors in its products.[30]

In April 2014, Cisco Systems announced $150 million to fund early-stage firms around the globe to focus on the Internet of Everything. The investment fund was allocated to investments in IoT accelerators and startups such as The Alchemist Accelerator, Ayla Networks and EVRYTHNG. After the announcement, The Alchemist Accelerator announced Cisco as a strategic partner and launched an individual program specifically focused on advancing the growth of IoT startups. This new funding increased Cisco Investments’ thematic investing to $250 million total, adding to the previously announced $100 million commitment to startups focused on the emerging Internet of Everything (IoE) market opportunity.

On August 13, 2014, the company announced it was laying off another 6,000 workers or 8% of its global workforce, as part of a second restructuring.[31]

On May 4, 2015, Cisco announced CEO and Chairman John Chambers would step down as CEO on July 26, 2015, but remain chairman. Chuck Robbins, senior vice president of worldwide sales & operations and 17-year Cisco veteran, will become CEO.[32]

On July 23, 2015, Cisco announced the divesture of its television set-top-box and cable modem business to Technicolor SA for $600 million, a division originally formed by Cisco’s $6.9 billion purchase of Scientific Atlanta. The deal came as part of Cisco’s gradual exit from the consumer market, and as part of an effort by Cisco’s new leadership to focus on cloud-based products in enterprise segments.
Cisco indicated that it would still collaborate with Technicolor on video products.[33]

On November 19, 2015, Cisco, alongside ARM Holdings, Dell, Intel, Microsoft, and Princeton University, founded the OpenFog Consortium, to promote interests and development in fog computing.[34] Cisco Sr. Managing-Director Helder Antunes became the consortium’s first chairman.[35]

In January 2016, Cisco invested in VeloCloud, a software-defined WAN (SD-WAN) start-up with a cloud offering for configuring and optimizing branch office networks. Cisco contributed to VeloCloud’s $27 million Series C round, led by March Capital Partners. Cisco is one of two strategic investors.[36]

3.2 Corporate structure

Caption: Cisco Jasper, a Cisco IoT and cloud business platform subsidiary.
Caption: Cisco Meraki, a Cisco network security and connectivity subsidiary.
Caption: CloudLock, a Cisco cloud computing security subsidiary.
Caption: campuses in Bangalore, India (top), Berlin, Germany (middle), and Oslo, Norway (bottom).

3.2.1 Acquisitions and subsidiaries

Main article: List of acquisitions by Cisco Systems

Cisco acquired a variety of companies to spin products and talent into the company. In 1995–1996 the company completed 11 acquisitions.[37] Several acquisitions, such as Stratacom, were the biggest deals in the industry when they occurred.[38] During the Internet boom in 1999, the company acquired Cerent Corporation, a start-up company located in Petaluma, California, for about US$7 billion.[39] It was the most expensive acquisition made by Cisco to that date, and only the acquisition of Scientific Atlanta has been larger.[40] In 1999 Cisco also acquired stake for $1 Billion in KPMG Consulting to enable establishing Internet firm Metrius founded by Keyur Patel of Fuse.[41] Several acquired companies have grown into $1Bn+ business units for Cisco, including LAN switching, Enterprise Voice over Internet Protocol (VOIP) platform Webex and home networking. The latter came as a result of Cisco acquiring Linksys in 2003 and in 2010 was supplemented with new product line dubbed Cisco Valet.

Cisco announced on January 12, 2005, that it would acquire Airespace for US$450 million to reinforce the wireless controller product lines.[42]

Cisco announced on January 4, 2007, that it would buy IronPort in a deal valued at US$830 million[43][44] and completed the acquisition on June 25, 2007.[45] IronPort was best known for its IronPort AntiSpam, its SenderBase email reputation service and its email security appliances. Accordingly, IronPort was integrated into the Cisco Security business unit.[46] Ironport’s Senderbase was renamed as Sensorbase to take account of the input into this database that other Cisco devices provide. SensorBase allows these devices to build a risk profile on IP addresses, therefore allowing risk profiles to be dynamically created on http sites and SMTP email sources.[47]

Cisco announced on March 15, 2012, that it would acquire NDS Group for $5bn.[48][49] The transaction was completed on July 30, 2012.[4][50]

In more recent merger deals, Cisco bought Starent Networks (a mobile packet core company) and Moto Development Group, a product design consulting firm that helped develop Cisco’s Flip video camera.[51][52] Also in 2010, Cisco became a key stakeholder in e-Skills Week. In March 2011, Cisco completed the acquisition of privately held network configuration and change management software company Pari Networks.[53]

Although many buy-ins (such as Crescendo Networks in 1993, Tandberg in 2010) resulted in acquisition of flagship technology to Cisco, many others have failed—partially or completely.[54] For instance, although in 2010 Cisco occupied a meaningful share of the packet-optical market,[55] revenues were still not on par with the US$7 billion price tag paid in 1999 for Cerent. Some of the acquired technologies (such as Flip from Pure Digital) saw their product lines terminated.[56][57]
In January 2013, Cisco Systems acquired Israeli software maker Intucell for around $475 million in cash, a move to expand its mobile network management offerings.[58][59] In the same month, Cisco Systems acquired Cognitive Security, a company focused on Cyber Threat Protection. Cisco also acquired SolveDirect (cloud services) in March 2013[60] and Ubiquisys (mobile software) in April 2013. Cisco acquired cyber-security firm Sourcefire, in October 2013.[61] On June 16, 2014, Cisco announced that it has completed the acquisition of ThreatGRID, a company that provided dynamic malware analysis and threat intelligence technology.[62] On June 17, 2014, Cisco announced its intent to acquire privately held Tail-f Systems, a leader in multi-vendor network service orchestration solutions for traditional and virtualized networks.[63]

On April 2, 2015, Cisco announced plans to buy Embrane, a software-defined networking startup. The deal will give Cisco Embrane’s software platform, which provides layer 3–7 network services for things such as firewalls, VPN termination, server load balancers and SSL offload.[64]

On May 7, 2015 Cisco announced plans to buy Tropo, a cloud API platform that simplifies the addition of real-time communications and collaboration capabilities within applications.[65]

On June 30, 2015, Cisco acquired privately held OpenDNS, the company best known for its DNS service that adds a level of security by monitoring domain name requests.[66]

On August 6, 2015, Cisco announced that it has completed the acquisition of privately held MaintenanceNet, the US-based company best known for its cloud-based contract management platform ServiceExchange.[67] In the same month, Cisco acquired Pawaa, a privately held company in Bangalore, India that provides secure on-premises and cloud-based file-sharing software.[68]

On September 30, 2015, Cisco announced its intent to acquire privately held Portcullis Computer Security, a UK-based company that provides cybersecurity services to enterprise clients and the government sectors.[69]

On October 26, 2015, Cisco announced its intent to acquire ParStream, a privately held company based in Cologne, Germany, that provides an analytics database that allows companies to analyze large amounts of data and store it in near real time anywhere in the network.[70]

On October 27, 2015, Cisco announced that it would acquire Lancope, a company that focuses on detecting threat activity, for $452.5 million in a cash-and-equity deal.[71]

On June 28, 2016, Cisco announced its intent to acquire CloudLock, a privately held cloud security company, for $293 million.[72] The deal is expected to close in the first quarter of 2017.

In August 2016, Cisco announced it is getting closer to making a deal to acquire Springpath, the startup whose technology is used in Cisco’s HyperFlex Systems. Cisco already owns an undisclosed stake in the hyper-converged provider.[73]

3.3 Products and services

Main article: List of Cisco products

Caption: SG300-28 Rackmount switch (top) and Cisco EPC-3010 router (bottom).

Cisco’s products and services focus upon three market segments—enterprise and service provider, small business and the home.

Cisco has grown increasingly popular in the Asia-Pacific region over the last three decades and is the dominant vendor in the Australian market with leadership across all market segments. It uses its Australian office as one of the main headquarters for the Asia-Pacific region, offering a diverse product portfolio for long-term[74] stability, and integration is a sustainable competitive advantage.

3.3.1 VoIP services

Cisco became a major provider of Voice over IP to enterprises, and is now moving into the home user market through its acquisitions of Scientific Atlanta and Linksys. Scientific Atlanta provides VoIP equipment to cable service providers such as Time Warner, Cablevision, Rogers Communications, UPC and others; Linksys has partnered with companies such as Skype, Microsoft and Yahoo! to integrate consumer VoIP services with wireless and cordless phones.

3.3.2 Hosted Collaboration Solution (HCS)

Cisco partners can offer cloud-based services based on Cisco’s virtualized Unified Computing System (UCS). It is a part of the Cisco Unified Services Delivery Solution, which includes hosted versions of Cisco Unified Communications Manager (UCM), Cisco Unified Contact Center, Cisco Unified Mobility, Cisco Unified Presence, Cisco Unity Connection (unified messaging) and Cisco Webex Meeting Center.[75]

3.3.3 Network Emergency Response

Caption: Cisco headquarters in San José, California in Silicon Valley.
Caption: A Cisco 8851 IP Phone.

As part of its Tactical Operations initiative, Cisco maintains several Network Emergency Response Vehicles (NERVs).[76] The vehicles are maintained and deployed by Cisco employees during natural disasters and other public crises.
The vehicles are self-contained and provide wired and wireless services including voice and radio interoperability, voice over IP, network-based video surveillance and secured high-definition videoconferencing for leaders and first responders in crisis areas with up to 3 Mbit/s of bandwidth (up and down) via a 1.8-meter satellite antenna.[77]

NERVs are based at Cisco headquarters sites in San José, California and at Research Triangle Park, North Carolina, allowing strategic deployment in North America. They can become fully operational within 15 minutes of arrival. High-capacity diesel fuel-tanks allow the largest vehicles to run for up to 72 hours continuously.[78] The NERV has been deployed to incidents such as the October 2007 California wildfires; hurricanes Gustav, Ike and Katrina; the 2010 San Bruno gas pipeline explosion, tornado outbreaks in North Carolina and Alabama in 2011; and Hurricane Sandy in 2012.[79][80]

The Tactical Operations team maintains and deploys smaller, more portable communication kits to emergencies outside of North America. In 2010, the team deployed to assist in earthquake recovery in Haiti and in Christchurch (New Zealand). In 2011, they deployed to flooding in Brazil, as well as in response to the 2011 earthquake and tsunami in Japan.[81][82]

In 2011, Cisco received the Innovation Preparedness award from the American Red Cross Silicon Valley Chapter for its development and use of these vehicles in disasters.[83]

3.3.4 Certifications

Main article: Cisco certifications

Cisco Systems also sponsors a line of IT professional certifications for Cisco products.[84] There are five levels of certification: Entry (CCENT), Associate (CCNA/CCDA), Professional (CCNP/CCDP), Expert (CCIE/CCDE) and recently Architect, as well as nine different paths: Routing & Switching, Design, Industrial Network, Network Security, Service Provider, Service Provider Operations, Storage Networking, Voice, Datacenter and Wireless. A number of specialist technician, sales and datacenter certifications are also available. Cisco also provides training for these certifications via a portal called the Cisco Networking Academy. Qualifying schools can become members of the Cisco Networking Academy and then provide CCNA level or other level courses. Cisco Academy Instructors must be CCNA certified to be a CCAI certified instructor.

Cisco often finds itself involved with technical education. With over 10,000 partnerships in over 65 countries,[85] the Cisco Academy program operates in many exotic locations. For example, in March 2013, Cisco announced its interest in Myanmar by investing in two Cisco Networking Academies in Yangon and Mandalay and a channel partner network.[86]

3.4 Corporate affairs

3.4.1 Awards and accolades

Cisco products, most notably IP phones and Telepresence, are frequently sighted in movies and TV series.[87] The company itself and its history was featured in the documentary film Something Ventured which premiered in 2011.

Cisco was a 2002–03 recipient of the Ron Brown Award,[88][89] a U.S. presidential honor to recognize companies “for the exemplary quality of their relationships with employees and communities”. Cisco commonly stays on top of Fortune “100 Best Companies to work for”, with position No. 20 in 2011.[90]
In 2010, Secretary of State Hillary Clinton awarded Cisco the Secretary of State’s Award for Corporate Excellence, which was presented in Jerusalem by Ambassador James B. Cunningham to Cisco Senior Manager Zika Abzuk.

According to a report by technology consulting firm LexInnova, Cisco is one of the leading recipients of network security-related patents with the largest portfolio within other companies (6,442 security-related patents).[91]

3.4.2 Controversies

Caption: Cisco Live 2007 in Anaheim, California. Cisco Live is the company’s annual exposition and conference.

Shareholder relations

A class action lawsuit filed on April 20, 2001, accused Cisco of making misleading statements that “were relied on by purchasers of Cisco stock” and of insider trading.[92] While Cisco denied all allegations in the suit, on August 18, 2006, Cisco’s liability insurers, its directors and officers paid the plaintiffs US$91.75 million to settle the suit.[93]

Intellectual property disputes

On December 11, 2008, the Free Software Foundation filed suit against Cisco regarding Cisco’s failure to comply with the GPL and LGPL license models and make the applicable source code publicly available.[94] On May 20, 2009, Cisco settled this lawsuit by complying with FSF licensing terms and making a monetary contribution to the FSF.[95]

Censorship in China

Cisco has been criticized for its involvement in censorship in the People’s Republic of China.[96] According to author Ethan Gutmann, Cisco and other telecommunications equipment providers supplied the Chinese government with surveillance and Internet infrastructure equipment that is used to block Internet websites and track online activities in China.[97] Cisco says that it does not customize or develop specialized or unique filtering capabilities to enable governments to block access to information and that it sells the same equipment in China as it sells worldwide.[98]

Wired News had uncovered a leaked, confidential Cisco PowerPoint presentation that details the commercial opportunities of the Golden Shield Project of Internet control.[99] In her article, journalist Sarah Stirland accuses Cisco of marketing its technology “specifically as a tool of repression.” In May 2011, a group of Falun Gong practitioners filed the lawsuit under the Alien Tort Statute alleging that Cisco knowingly developed and customized its product to assist the Chinese government in prosecution and abuse of Falun Gong practitioners.[100] The presentation leaked from Cisco lists “Combat “Falun Gong” evil religion and other hostiles” as one of the benefits of the Cisco system.[99] The lawsuit was dismissed in September 2014[101] by the United States District Court for the Northern District of California, which decision was appealed to United States Court of Appeals for the Ninth Circuit[102] in September 2015.

Tax fraud investigation

On October 16, 2007, the Brazilian Federal Police and Brazilian Receita Federal (equivalent to the American IRS), under the “Persona Operation”, uncovered an alleged tax fraud scheme employed by Cisco Systems Brazil Chief Carlos Roberto Carnevali since 2002 that exempted the company from paying over R$1.5 billion (US$824 million) in taxes.[103][104]

Antitrust lawsuit

On December 1, 2008, Multiven filed an antitrust lawsuit[105][106][107][108][109][110] against Cisco Systems, Inc. in an effort to open up the network maintenance services marketplace for Cisco equipment, promote competition and ensure consumer choice and value. Multiven’s complaint alleges that Cisco harmed Multiven and consumers by bundling and tying bug fixes/patches and updates for its operating system software to its maintenance services (SMARTnet) and through a series of other illegal exclusionary and anticompetitive acts designed to maintain Cisco’s alleged monopoly in the network maintenance services market for Cisco networking equipment.
In May 2010 Cisco accused the person who filed the antitrust suit, British-Nigerian technology entrepreneur Peter Alfred-Adekeye, of hacking and pressured the US government to extradite him from Canada. Alfred-Adekeye was arrested while in the middle of testifying against Cisco in an anti-trust hearing.[111] Although he was released after 28 days on bail, the case stretched for a year, because the U.S. Attorney’s office was unable to present the evidence required for the extradition.[112] The antitrust lawsuit was settled 2 months after Alfred-Adekeye’s arrest.[113] In May 2011 the US extradition request was denied. Canadian Supreme Court Justice Ronald McKinnon, who oversaw the extradition hearing, commented on the arrest saying “It is simply not done in a civilized jurisdiction that is bound by the rule of law”.[111] He also stated that the real reason for the extradition proceedings was because Alfred-Adekeye “dared to take on a multinational giant.” Judge McKinnon also condemned the US prosecutor for hiding the fact that Alfred-Adekeye was in legal proceedings against Cisco Systems, for stating that Alfred-Adekeye had left the USA in a time period when he had not, and because a formal request for extradition had not been filed against Alfred-Adekeye when he was taken into custody.
He described the information provided by Cisco and the US prosecutor as “full of innuendo, half-truths and falsehoods,” adding that “This speaks volumes for Cisco’s duplicity” and accused them of “unmitigated gall” in using such a heavy-handed move as an unsupportable arrest and jailing to pressure Alfred-Adekeye to drop or settle his civil antitrust complaint.[114]

This case was eventually settled out of court and dismissed with prejudice in February 2011.

In March 2013 Multiven filed a complaint both in Switzerland and the US accusing Cisco of stealing thousands of its proprietary and copyrighted data files from its knowledge base. The attack allegedly took place with the use of “automated cyber scraping software” with the perpetrating IPs assigned to Cisco. Cisco has denied the claims.[115][116]

On July 20, 2015, Multiven CEO, Peter Alfred-Adekeye filed a libel lawsuit against Cisco for (1) falsely claiming that ‘he or someone under his control at Multiven’ downloaded and ‘stole’ Cisco software five times in 2006 from cisco.com (2) using this lie to orchestrate his illegal arrest in Vancouver, Canada in 2010 and (3) continuing to knowingly propagate this falsehood till today.[117]

Remotely monitoring users’ connections

Cisco’s Linksys E2700, E3500, E4500 devices have been reported to be remotely updated to a firmware version that forces users to register for a cloud service, allows Cisco to monitor their network use and ultimately shut down the cloud service account and thus render the affected router unusable.[118][119]

Firewall backdoor developed by NSA

According to the German magazine Der Spiegel the NSA has developed JETPLOW for gaining access to ASA (series 5505, 5510, 5520, 5540 and 5550) and 500-series PIX Firewalls.[120] Cisco’s Chief Security Officer addressed the allegations publicly and denied working with any government to weaken Cisco products for exploitation or to implement security back doors.[121]

A document included in the trove of National Security Agency files released with Glenn Greenwald’s book No Place to Hide details how the agency’s Tailored Access Operations (TAO) unit and other NSA employees intercept servers, routers and other network gear being shipped to organizations targeted for surveillance and install covert firmware onto them before they’re delivered. These Trojan horse systems were described by an NSA manager as being “some of the most productive operations in TAO because they pre-position access points into hard target networks around the world.”[122] Cisco denied the allegations in a customer document[123] saying that no information was included about specific Cisco products, supply chain intervention or implant techniques, or new security vulnerabilities. Cisco’s General Counsel also claimed that Cisco does not work with any government, including the United States Government, to weaken its products.[124] The allegations are reported to have prompted the company’s CEO to express concern to the President of the United States.[125]

Spherix patent suit

In March 2014 Cisco Systems was sued for patent infringement. Spherix asserts that over $43 billion of Cisco’s sales infringe on old Nortel patents owned by Spherix. Officials with Spherix are claiming that a wide range of Cisco products, from switches to routers, infringe on 11 former Nortel patents that the company now owns.[126]

3.5 See also

• Cisco routers
• Cisco certifications
• Cisco IOS
• Cisco Catalyst
• Cisco Valet
• Cisco Networking Academy
• Cisco Unified Computing System
• Cisco Express Forwarding
• Cisco Discovery Protocol
• Cisco Security Agent
• Cisco Systems VPN Client

3.6 References

[1] “Cisco Contacts”. November 19, 2011. Retrieved November 19, 2011.
[2] “Cisco Systems, Inc.
2016 Annual Report Form (10-K)”. EDGAR. United States Securities and Exchange Commission. February 27, 2016. Retrieved December 21, 2015.
[3] “Cisco Overview”. Cisco.
[4] “Cisco, Form 10-K, Annual Report, Filing Date Sep 12, 2012” (PDF). secdatabase.com. Retrieved March 25, 2013.
[5] Browning, E.S. (June 1, 2009). “Travelers, Cisco Replace Citi, GM in Dow”. Wall Street Journal. Dow Jones & Company, Inc. Retrieved June 2, 2009.
[6] “Cisco pushes past Microsoft in market value”. CBS Marketwatch. March 25, 2000. Retrieved January 25, 2007.
[7] Toscano, Paul (April 17, 2013). “Tech Companies Are Doing It Wrong: Cisco Co-Founder”. CNBC. Retrieved September 23, 2015.
[8] Carey, Pete. “A start-up’s true tale”. San Jose Mercury News. Retrieved July 26, 2012.
[9] “Cisco’s Acquisition Strategy”. Case Studies in Business Strategy. ICMR. IV: 2. January 2004. BSTR083. Retrieved December 21, 2009.
[10] Leung, Wendy (May 27, 2012). “Happy 85th birthday to our Golden Gate Bridge!”. Retrieved March 26, 2014.
[11] “Does Pink Make You Puke?”. Forbes. August 25, 1997. Retrieved June 28, 2011.
[12] “I, Cringely. NerdTV. Transcript | PBS”. Pbs.org. Retrieved November 13, 2008.
[13] Pennell, Ian (June 14, 2004). “The Evolution of Access Routing; Cisco claim of first multi-protocol router” (Interview). Cisco. Retrieved January 4, 2009.
[14] “Cisco, Form PRE 14A, Filing Date Sep 19, 1995”. secdatabase.com. Retrieved March 25, 2013.
[15] “Cisco pushes past Microsoft in market value”. CBS Marketwatch. March 25, 2000. Retrieved January 25, 2007.
[16] “Cisco replaces Microsoft as world’s most valuable company”. The Indian Express. India. Reuters. March 25, 2000. Retrieved January 25, 2007.
[17] Cisco Systems Summary. Finance.yahoo.com. Retrieved November 26, 2011.
[18] Fost, Dan (May 5, 2006). “Chron 200 Market capitalization”. San Francisco Chronicle. Retrieved January 25, 2007.
[19] Kremlin - Presidential Visit to Cisco
[20] “Welcome to the Human Network” (PDF). Cisco Systems. 2006. Retrieved February 12, 2014.
[21] “Cisco clue—6500 and 7600 split page”. Retrieved March 8, 2012.
[22] Segal, Adam (January 10, 2011). “Chapter 8 – Promoting Innovation at Home”. Advantage: How American Innovation Can Overcome the Asian Challenge. W. W. Norton. p. 191. ISBN 978-0-393-06878-8.
[23] Svensson, Peter. Cisco to cut costs and jobs as profit stalls. 12 May 2011. Christian Science Monitor. Accessed 2012-08-02.
[24] Vance, Ashlee (2011-07-12). Cisco said to Plan Cutting Up to 10,000 Jobs to Buoy Profit. Bloomberg. Retrieved September 10, 2011.
[25] “Cisco CEO: We Were Fat”. Retrieved January 5, 2016.
[26] “Cisco Receives EU Approval to Acquires NDS”. BrightWire.
[27] “Cisco Sells Linksys Home Router Unit to Belkin”. Bloomberg.
[28] Worldwide. “Cisco Announces Agreement to Acquire Sourcefire Inc. – Cisco Systems”. Cisco.com. Retrieved July 24, 2013.
[29] “Cisco to cut 4,000 jobs”. CNN Money. Retrieved August 14, 2013.
[30] Stephen Lawson (November 13, 2013). “Cisco issues grim forecast after falling short on revenue”. PCWorld. Retrieved January 5, 2016.
[31] “Cisco to lay off 6,000 workers in second restructuring”. San Jose News.Net. 13 August 2014. Retrieved 14 August 2014.
[32] “Cisco’s Chambers to step down as CEO, to be executive chairman”. Reuters. 4 May 2015. Retrieved 4 May 2015.
[33] “Technicolor to Buy Cisco’s Set-Top Box Unit for About $600 Million”. The Wall Street Journal. July 22, 2015. Retrieved 25 July 2015.
[34] Janakiram, MSV (18 April 2016). “Is Fog Computing the Next Big Thing in the Internet of Things”. Forbes Magazine. Retrieved 18 April 2016.
[35] Open Fog Consortium - Board of Directors: Helder Antunes
[36] Jim Duffy, Network World. “Cisco puts its money where the WAN is.” Jan 14, 2016. Retrieved Jan 18, 2016.
[37] Garza, George (January 9, 2011). “The History of Cisco”. Retrieved January 28, 2011.
[38] “Cisco, Form 8-K, Current Report, Filing Date Apr 26, 1996”. secdatabase.com. Retrieved March 25, 2013.
[39] “Cisco, Form 8-K, Current Report, Filing Date Aug 26, 1999”. secdatabase.com. Retrieved March 25, 2013.
[40] “Cisco, Form 10-Q, Quarterly Report, Filing Date Nov 23, 2005” (PDF). secdatabase.com. Retrieved March 25, 2013.
[41] “KPMG & Cisco”. August 8, 1999.
[42] Hochmuth, Phil. “Cisco nets Airespace for $450 million”. Network World. Retrieved 2016-03-17.
[43] “Cisco Announces Agreement to Acquire IronPort”. News release. Cisco. January 4, 2007. Retrieved November 8, 2013.
[44] Keith Regan (January 4, 2007). “Cisco buys IronPort for $830 Million”. E-Commerce Times. Retrieved November 8, 2013.
[45] “Cisco launches Self-Defending Network v3.0”. News release. Cisco Systems. June 25, 2007. Retrieved November 8, 2013.
[46] “About”. Cisco IronPort. Accessed 8 November 2013.
[47] Patrick Ogenstad (October 6, 2009). “What is Cisco SensorBase?”. Retrieved November 8, 2013.
[48] “Cisco, Form 8-K, Current Report, Filing Date Mar 15, 2012”. secdatabase.com. Retrieved March 25, 2013.
[49] “Cisco to Acquire NDS for $5Bn”.
[50] “Cisco India Overview”. Cisco. Retrieved April 14, 2013.
[51] “Cisco, Form 8-K, Current Report, Filing Date Oct 14, 2009”. secdatabase.com. Retrieved March 25, 2013.
[52] Jim Duffy, NetworkWorld. “Cisco Buys Moto—no, not that Moto.” May 18, 2010.
[53] “Cisco Completes Acquisition Of Pari Networks (Started By Former Cisco Execs)”. TechCrunch. March 1, 2011.
[54] “Cisco, Form 8-K, Current Report, Filing Date Oct 5, 2009”. secdatabase.com. Retrieved March 25, 2013.
[55] “Alcatel-Lucent, Huawei continue tight race for leadership in optical network hardware market”. Infonetics Research. May 17, 2010. Retrieved September 5, 2011.
[56] “Cisco, Form 10-Q, Quarterly Report, Filing Date Nov 18, 2009” (PDF). secdatabase.com. Retrieved March 25, 2013.
[57] Ulanoff, Lance (April 6, 2011). “Cisco’s UMI Adventure Should End”. PCMag. Retrieved September 5, 2011.
[58] “Cisco, Form 10-Q, Quarterly Report, Filing Date Feb 19, 2013” (PDF). secdatabase.com. Retrieved March 25, 2013.
[59] Reuters (23 January 2013). “Cisco to buy Israel-based software maker for $475 million”. Reuters.
[60] Goddard, Timothy. “Corum Group International Advises SolveDirect in Acquisition”. PRWeb.
[61] “Acquisitions”. Retrieved 2013-10-07.
[62] “Cisco Has Acquired ThreatGRID”. Cisco. Retrieved 11 August 2014.
[63] “Cisco Announces Intent to Acquire Tail-f Systems”. 17 June 2014.
[64] Liam Tung, ZDNet. “Cisco to buy Embrane to boost datacenter SDN play.” April 2, 2015. Retrieved April 7, 2015.
[65] Diggz, Johnny. “Tropo joins Cisco to Power next-gen collaboration APIs”. Acquisition Summary. Tropo.
[66] “Cisco Announces Intent to Acquire OpenDNS”. Retrieved 2015-10-12.
[67] “Cisco Completes MaintenanceNet Acquisition”. Cisco. Retrieved 2015-10-12.
[68] “Cisco has Acquired Pawaa”. Cisco. Retrieved 2015-10-12.
[69] “Acquisitions”. Acquisition Summary. Cisco.
[70] “Cisco Announces Intent to Acquire ParStream”. blogs@Cisco – Cisco Blogs. Retrieved 2015-10-27.
[71] Lunden, Ingrid. “Cisco Beefs Up Security, Buys Lancope For $453M”. TechCrunch. Retrieved 2015-10-27.
[72] “Cisco cracks open wallet for $293m CloudLock acquisition | Business Cloud News”. Retrieved 2016-07-26.
[73] Mark Haranas, CRN. “Sources: Cisco Close To Making Bid TO Buy Springpath.” August 4, 2016. Retrieved August 8, 2016.
[74] “CCIE Security Cisco Certified Internetwork Expert”.
[75] “Cisco Launches Hosted Collaboration Solution”. UCStrategies.com. July 2, 2010.
[76] “Cisco Tactical Operations (TacOps)”. Cisco. Retrieved 26 July 2016.
[77] “Cisco Network Emergency Response Vehicle”. YouTube. Retrieved July 24, 2013.
[78] “TACOPS — Emergency Response Vehicle Tour, Conference”. learningatcisco on USTREAM. Ustream.tv. Retrieved July 24, 2013.
[79] 49 Days Later, Superstorm Sandy Relief Effort is Still Running on Cisco Technology. Cisco.com. Retrieved January 15, 2013.
[80] Cisco NERV: The ultimate first responder vehicle. TechRepublic. Retrieved September 10, 2011.
[81] “Cisco Tactical Operations (TacOps)”. Cisco. Retrieved 26 July 2016.
[82] “Cisco TacOps”. YouTube. 2011-06-28. Retrieved July 24, 2013.
[83] 2011 Innovative Preparedness—Cisco Tactical Operations. Youtube.com. Retrieved September 10, 2011.
[84] “Cisco Certification and Career Paths”.
[85] “About Network Academy”.
[86] “Cisco Expands Commitment to Myanmar”.
[87] Cisco on TV & in the Movies—About Cisco. Cisco Systems (May 15, 2008). Retrieved September 10, 2011.
[88] Highbeam Research website. Presidential Award For Corporate Leadership Presented to Cisco Systems. Retrieved April 10, 2011.
[89] Cisco News website. Cisco Systems Receives Presidential Award for Corporate Leadership. Retrieved April 10, 2011.
[90] 100 Best Companies to Work For 2011: Cisco—CSCO. CNN (February 7, 2011). Retrieved September 10, 2011.
[91] David Braue (January 6, 2016). “Australia is world’s fourth-largest holder of network-security patents, analysis finds”. Retrieved January 5, 2016.
[92] “Cisco Shareholder Class Action Lawsuit Resolved” (Press release). Cisco Systems, Inc. August 18, 2006. Retrieved January 25, 2007.
[93] “Cisco resolves class action lawsuit”. Silicon Valley/San Jose Business Journal. August 18, 2006. Retrieved January 25, 2007.
[94] “Free Software Foundation Files Suit Against Cisco For GPL Violations” (Press release). BOSTON, Massachusetts: Free Software Foundation. December 11, 2008. Retrieved January 4, 2009.
[95] “FSF Settles Suit Against Cisco” (Press release). Free Software Foundation. May 20, 2009. Retrieved May 20, 2009.
[96] “FRONTLINE: the tank man: the struggle to control information | PBS”. Pbs.org. Retrieved November 13, 2008.
[97] Ethan Gutmann (May/June 2010). “Hacker Nation: China’s Cyber Assault”. World Affairs Journal.
[98] Earnhardt, John (February 15, 2006). “Cisco Testimony Before House International Relations Subcommittee”. Cisco Systems, Inc. Archived from the original on December 6, 2006. Retrieved January 25, 2007.
[99] Stirland, Sarah (May 20, 2008). “Cisco Leak: ‘Great Firewall’ of China Was a Chance to Sell More Routers”. Wired. Retrieved June 27, 2009.
[100] “Doe I et al v. Cisco Systems, Inc. et al”. Justia Dockets & Filings.
[101] EDWARD J. DAVILA, District Judge. “DOE I v. CISCO SYSTEMS, INC.”.
[102] “Doe I, et al v. Cisco Systems, Inc., et al :: Court of Appeals for the Ninth Circuit :: Case No. 15-16909”.
[103] “Cisco offices raided, executives arrested in Brazil: reports”. NetworkWorld. October 16, 2007. Retrieved October 16, 2007.
[104] “Brazilian tax authorities raid, close Cisco System’s offices in São Paulo, Rio de Janeiro”. International Herald Tribune (Press release). October 17, 2007. Retrieved October 17, 2007.
[105] “Multiven Sues Cisco”. lightreading. December 1, 2008. Retrieved December 2, 2008.
[106] “Net maintenance provider sues Cisco over allegedly monopolistic SMARTnet”. NetworkWorld. December 1, 2008. Retrieved December 2, 2008.
[107] “Cisco Accused Of Monopoly In Antitrust Lawsuit”. ChannelWeb. December 2, 2008. Archived from the original on December 4, 2008. Retrieved December 2, 2008.
[108] “Multiven Files Antitrust Lawsuit Against Cisco Systems, Inc.” (Press release). Multiven, Inc. December 1, 2008. Retrieved December 1, 2008.
[109] “Cisco Systems hit with antitrust lawsuit”. SearchITChannel. December 4, 2008. Retrieved December 4, 2008.
[110] “Lawsuit: Cisco blocks outsider gear maintenance”. fiercetelecom. December 3, 2008. Retrieved December 3, 2008.
[111] Rik Myslewski (3 June 2011). “Judge blasts Cisco’s ‘unmitigated gall’ in ex-exec’s arrest”. The Register.
[112] Stephen Lawson (20 April 2011). “Cisco accused of orchestrating engineer’s arrest”. Network World.
[113] Stephen Lawson (2 August 2010). “Cisco settles antitrust suit over software updates”. Computerworld.
[114] Rik Myslewski (3 June 2011). “Judge blasts Cisco’s ‘unmitigated gall’ in ex-exec’s arrest”. The Channel.
[115] David Meyer (13 March 2013). “Cisco accused of stealing data from Swiss services firm Multiven”. Gigaom.
[116] Danielle Walker (15 March 2013). “Legal fight between Cisco and Swiss firm continues with latest data theft accusations”. SC Magazine.
[117] “Multiven CEO Peter Alfred-Adekeye Files Libel Lawsuit Against Cisco”.
[118] “Cisco Pushing ‘Cloud Connect’ Router Firmware, Allows Web History Tracking”. Slashdot. Retrieved December 26, 2013.
[119] “Cisco’s cloud vision: Mandatory, monetized and killed at their discretion”. Extreme Tech. Retrieved December 26, 2013.
[120] “Interactive graphics: the spy tools of the NSA are sitting here”. Der Spiegel. Retrieved January 11, 2014.
[121] “Comment on Der Spiegel articles about NSA TAO Organization”. Cisco.com. Retrieved December 29, 2013.
[122] “NSA ‘upgrade’ factory show Cisco router getting implant”.
[123] “Customer Recommendations: Securing Your Network”. Cisco.com. Retrieved May 2014.
[124] “Internet Security Necessary for Global Technology Economy”. Cisco.com. Retrieved May 13, 2014.
[125] “In Letter to Obama, Cisco CEO Complains About NSA Allegations”. Re/Code. Retrieved May 18, 2014.
[126] Jeffrey Burt (27 March 2014). “Cisco Sued for Infringement of Old Nortel Patents”. eweek.

3.7 Further reading

• Bunnell, D. & Brate, A. (2001). Die Cisco Story (in German). Moderne Industrie. ISBN 3-478-35995-3.
• Bunnell, D. (2000). Making the Cisco Connection: The Story Behind the Real Internet Superpower. Wiley. ISBN 0-471-35711-1.
• Paulson, E. (2001). Inside Cisco: The Real Story of Sustained M&A Growth. Wiley. ISBN 0-471-41425-5.
• Slater, R. (2003). The Eye of the Storm: How John Chambers Steered Cisco Through the Technology Collapse. HarperCollins. ISBN 0-06-018887-1.
• Stauffer, D. (2001). Nothing but Net Business the Cisco Way. Wiley.
ISBN 1-84112-087-1.
• Waters, J. K. (2002). John Chambers and the Cisco Way: Navigating Through Volatility. Wiley. ISBN 0-471-00833-8.
• Young, J. S. (2001). Cisco Unauthorized: Inside the High-Stakes Race to Own the Future. Prima Lifestyles. ISBN 0-7615-2775-3.

3.8 External links

• Official website (Mobile)
• Business data for Cisco Systems, Inc.: Google Finance • Yahoo! Finance • Reuters • SEC filings

Chapter 4

Network virtualization platform

A network virtualization platform decouples the hardware plane from the software plane such that the host hardware plane can be administratively programmed to assign its resources to the software plane. This allows for the virtualization of CPU, memory, disk and, most importantly, network IO. Upon such virtualization of hardware resources, the platform can accommodate multiple virtual network applications such as firewalls, routers, Web filters, and intrusion prevention systems, all functioning much like standalone hardware appliances, but contained within a single hardware appliance. The key benefit of such technology is doing all of this while maintaining the network performance typically seen with standalone network appliances, as well as enabling the ability to administratively or dynamically program resources at will.

4.1 Server virtualization history

Server virtualization, a technology that has become mainstream, originally gained popularity when VMWare entered the market in 2001 with its GSX server software. This technology gave IT organizations the ability to reduce the amount of rack space required to accommodate multiple servers and reduced the cost of powering and cooling data centers by consolidating server based applications onto a single piece of hardware. One of the problems with server virtualization is in how applications are networked together. Within a server virtualization environment, applications are interconnected by what is referred to as a virtual switch, which is very different from the high-performing hardware-based network switches offered by the likes of Juniper Networks and Cisco Systems. Virtual switches are software-based switches and rely on the movement of packets up and down a software stack, which relies on the same CPUs that are being used to drive the applications. Because of this software approach to switching, networking applications such as firewalls and routers, which require high levels of throughput and low levels of latency, were not ideal to operate within a server virtualized environment, while applications less sensitive to throughput and latency, such as email and file sharing, were ideal.

4.2 Network virtualization history

Network virtualization initially became a term that described the separation of the control plane and the forwarding plane (management and packet transmission) within networking devices such as switches, but it has started to become a term that not only describes that but also describes the separation of the software and hardware of the networking application as well. It has quickly become a term that describes the totality of virtualizing a network, including how the network is programmed, administered and deployed, be it hardware or software, management or packet transmission.

4.3 Network virtualization platforms

Network virtualization platform architecture example

• 6WIND Virtual Accelerator – Provides high performance virtual networks from the underlying hardware acceleration and was pioneered using fast path software and DPDK technologies
• VMWare / Nicira NVP – Separates virtual networks from the underlying hardware and was pioneered by Nick McKeown, Scott Shenker, and Martin Casado in 2007.
• Embrane Heleos – Virtual appliances that leverage a distributed architecture and was pioneered by Dante Malagrinò and Marco Di Benedetto in 2009.
• Cisco Nexus Virtual Services Appliance – A dedicated hardware platform for the deployment of services critical to virtualization infrastructure
• Juniper Networks JunosV App Engine – Unifies application management, optimizes the network for application provisioning and performance
• Barracuda Networks eoN – Powers software defined virtual appliances without performance drag.

4.4 References

4.5 Sources

• 6WIND Virtual Accelerator from SDxCentral
• Barracuda Introduces Network Virtualization Platform
• Nicira’s Network Virtualization Platform Release Raises Questions
• Embrane’s virtual network appliances for an SDN world
• Cisco Nexus 1010 and 1010-X Virtual Services Appliance Data Sheet
• Juniper fortifies network edge with new routers

Chapter 5

SD-WAN

SD-WAN is an acronym for software-defined networking in a wide area network (WAN). An SD-WAN simplifies the management and operation of a WAN by decoupling (separating) the networking hardware from its control mechanism. This concept is similar to how software-defined networking implements virtualization technology to improve data center management and operation.[1]

A key application of an SD-WAN is allowing companies to build higher performance WANs using lower cost leased lines, enabling businesses to partially or wholly replace more expensive private WAN connection technologies such as MPLS.[1]

American marketing research firm Gartner predicted in 2015 that by the end of 2019 30% of enterprises will deploy SD-WAN technology in their branches.[2]

5.1 Overview

WANs allow companies to extend their computer networks over large distances, to connect remote branch offices to data centers and to each other, and to deliver the applications and services required to perform business functions. When companies extend networks over greater distances and sometimes across multiple carriers’ networks, they face operational challenges including network congestion, jitter,[3] packet loss,[4] and even service outages. Modern applications such as VoIP calling, videoconferencing, streaming media, and virtualized applications and desktops require low latency.[5] Bandwidth requirements are also increasing, especially for applications featuring high-definition video.[6] It can be expensive and difficult to expand WAN capability, with corresponding difficulties related to network management and troubleshooting.[1]

SD-WAN products are designed to address these network problems.[7] By enhancing or even replacing traditional branch routers with virtualization appliances that can control application-level policies and offer a network overlay, less expensive consumer-grade Internet links can act more like a dedicated circuit. This simplifies the setup process for branch personnel.[8] SD-WAN products can be physical appliances or virtual appliances, and are placed in small remote and branch offices, larger offices, corporate data centers, and increasingly on cloud platforms.[7]

A centralized controller is used to set policies and prioritize traffic. The SD-WAN takes into account these policies and the availability of network bandwidth to route traffic. This helps ensure that application performance meets service level agreements (SLAs).[9]

5.2 History

SD-WAN consists of several technologies combined with newer enhancements. Redundant telecommunication links connecting remote sites date back to the 1970s, with X.25 links used for remote mainframe terminal access.[10] Central management of those links with a greater focus on application delivery across the WAN started to become popular in the mid-2000s.[11] SD-WAN combines the two, and adds the ability to dynamically share network bandwidth across the connection points.[1] Additional enhancements include central controllers, integrated analytics and on-demand circuit provisioning, with some network intelligence based in the cloud, allowing centralized policy management and security.[12]

Networking publications started using the term SD-WAN to describe this new networking trend as early as 2014.[7]

5.3 Required characteristics

Research firm Gartner has defined an SD-WAN as having four required characteristics:[1]

• The ability to support multiple connection types, such as MPLS, frame relay and higher speed LTE wireless communications
• The ability to do dynamic path selection, for load sharing and resiliency purposes
• A simple interface that is easy to configure and manage
• The ability to support VPNs, and third party services such as WAN optimization controllers, firewalls and web gateways

5.4 Form factors

SD-WAN products can be physical appliances or software based.[13]

5.5 Features

Features of SD-WANs include resilience, security and quality of service (QoS), with flexible deployment options and simplified administration and troubleshooting.[1]

5.5.1 Resilience

A resilient SD-WAN reduces network downtime. The technology must feature real time detection of outages and automatic switch over to working links.[14]

5.5.2 Quality of service

SD-WAN technology supports quality of service by having application level awareness, giving bandwidth priority to the most critical applications. This may include dynamic path selection, sending an application on a faster link, or even splitting an application between two paths to improve performance by delivering it faster.[14]

5.5.3 Security

SD-WAN communication is usually secured using IPsec, a staple of WAN security.[15]

5.5.4 Application optimization

SD-WANs can improve application delivery using caching, storing recently accessed information in memory to speed future access.[16]

5.5.5 Deployment options

Most SD-WAN products are available as pre-configured appliances, placed at the network edge in data centers, branch offices and other remote locations. There are also virtual appliances that can work on existing network hardware, or the appliance can be deployed as a virtual appliance on the cloud in environments such as Amazon Web Services (AWS). This allows enterprises to benefit from SD-WAN services as they migrate application delivery from corporate servers to cloud based services such as Salesforce.com and Google apps.[13]

5.5.6 Administration and troubleshooting

Management simplicity is a key requirement for SD-WANs, per Gartner. As with network equipment in general, GUIs are preferred to command line interface (CLI) methods of configuration and control.[17] Other beneficial administrative features include automatic path selection, the ability to centrally configure each end appliance by pushing configuration changes out, and even a true software defined networking approach that allows all appliances and virtual appliances to be configured centrally based on application needs rather than the underlying hardware.

5.6 Complementary technology

5.6.1 SD-WAN versus WAN Optimization

There are some similarities between SD-WAN and WAN optimization, the name given to the collection of techniques used to increase data-transfer efficiencies across WANs. The goal of each is to accelerate application delivery between branch offices and data centers, but SD-WAN technology focuses additionally on cost savings and efficiency, specifically by allowing lower cost network links to perform the work of more expensive leased lines, whereas WAN Optimization focuses squarely on improving packet delivery. An SD-WAN utilizing virtualization techniques assisted with WAN Optimization traffic control allows network bandwidth to dynamically grow or shrink as needed. SD-WAN technology and WAN optimization can be used separately or together,[18] and some SD-WAN vendors are adding WAN optimization features to their products.[16][19]

5.6.2 WAN edge routers

A WAN edge router is a device that routes data packets between different locations of a WAN, giving an enterprise access to a carrier network. Also called a boundary router, it is contrasted with a core router, which only sends packets within a single network.[20] SD-WANs can work as an overlay to simplify the management of existing WAN edge routers, by lowering dependence on routing protocols.[7] SD-WAN can also potentially be an alternative to WAN edge routers.[8]

5.6.3 SD-WAN versus hybrid WAN

SD-WANs are similar to hybrid WANs, and sometimes the terms are used interchangeably, but they are not identical. A hybrid WAN consists of different connection types, and may have a software defined network (SDN) component, but doesn’t have to.[21]

5.7 Marketplace

IT website Network World divides the SD-WAN vendor market into three groups: established networking vendors who are adding SD-WAN products to their offerings, WAN specialists who are starting to integrate SD-WAN functionality into their products, and startups focused specifically on the SD-WAN market.[1]

5.8 References

[1] “SD-WAN: What it is and why you’ll use it one day”. networkworld.com. 2016-02-10. Retrieved 2016-06-27.
[2] “Predicting SD-WAN Adoption”. gartner.com. 2015-12-15. Retrieved 2016-06-27.
[3] “How to address WAN jitter issues for real-time applications”. networkworld.com. 2012-10-22. Retrieved 2016-06-27.
[4] “What’s slowing down your network and how to fix it”. computerweekly.com. 2015-04-01. Retrieved 2016-06-27.
[5] “Low-latency networks aren’t just for Wall Street anymore”. gigaom.com. 2012-04-06. Retrieved 2016-06-27.
[6] “How fast should my Internet connection be to watch streaming HD movies?”. HowStuffWorks.com. 2011-10-31. Retrieved 2016-06-27.
[7] “Software-Defined WAN: A Primer”. networkcomputing.com. 2014-09-09. Retrieved 2016-06-27.
[8] “SD-What? Understanding SD-WAN”. techtarget.com. Retrieved 2016-06-28.
[9] “SD-WAN Vendors Making A Splash”. networkcomputing.com. 2015-08-27. Retrieved 2016-06-28.
[10] “A Brief History of the Enterprise WAN”. networkworld.com. 2012-04-06. Retrieved 2016-06-28.
[11] “Managing the WAN”. networkworld.com. 2006-03-13. Retrieved 2016-06-28.
[12] “SD-WAN: The Killer App For Enterprise SDN?”. networkcomputing.com. 2015-07-22. Retrieved 2016-06-28.
[13] “SD-WAN: Bringing WAN Sexy Back”. nojitter.com. 2015-11-02. Retrieved 2016-06-29.
[14] “Do wide area networks need to get software-defined?”. techtarget.com. Retrieved 2015-05-13.
[15] “How IPsec provides secure communications”. techtarget.com. Retrieved 2016-06-29.
[16] “List of SD-WAN Vendors”. packetpushers.net. Retrieved 2016-06-29.
[17] “Difference Between GUI and Command Line”. differencebtw.com. 2015-05-29. Retrieved 2016-06-29.
[18] “Why SD-WAN is the next breed of WAN optimization”. techtarget.com. Retrieved 2016-06-29.
[19] “Citrix Combines SD-WAN, WAN Optimization In Single Appliance”. packetpushers.com. 2016-03-16. Retrieved 2016-06-29.
[20] “Definition: edge router”. techtarget.com. Retrieved 2016-06-29.
[21] “Definition hybrid WAN”. techtarget.com. Retrieved 2016-08-22.

Chapter 6

Wide area network

A wide area network (WAN) is a telecommunications network or computer network that extends over a large geographical distance. Wide area networks are often established with leased telecommunication circuits. Business, education and government entities use wide area networks to relay data among staff, students, clients, buyers, and suppliers from various geographical locations. In essence, this mode of telecommunication allows a business to effectively carry out its daily function regardless of location. The Internet may be considered a WAN.[1]

WANs are used to connect LANs and other types of networks together, so that users and computers in one location can communicate with users and computers in other locations. Many WANs are built for one particular organization and are private. Others, built by Internet service providers, provide connections from an organization’s LAN to the Internet. WANs are often built using leased lines. At each end of the leased line, a router connects the LAN on one side with a second router within the LAN on the other. Leased lines can be very expensive. Instead of using leased lines, WANs can also be built using less costly circuit switching or packet switching methods. Network protocols including TCP/IP deliver transport and addressing functions. Protocols including Packet over SONET/SDH, MPLS, ATM and Frame Relay are often used by service providers to deliver the links that are used in WANs. X.25 was an important early WAN protocol, and is often considered to be the “grandfather” of Frame Relay, as many of the underlying protocols and functions of X.25 are still in use today (with upgrades) by Frame Relay.

Related terms for other types of networks are personal area networks (PANs), local area networks (LANs), campus area networks (CANs), or metropolitan area networks (MANs), which are usually limited to a room, building, campus or specific metropolitan area respectively.

Academic research into wide area networks can be broken down into three areas: mathematical models, network emulation and network simulation.

Performance improvements are sometimes delivered via wide area file services or WAN optimization.

6.1 Design options

The textbook definition of a WAN is a computer network spanning regions, countries, or even the world. However, in terms of the application of computer networking protocols and concepts, it may be best to view WANs as computer networking technologies used to transmit data over long distances, and between different LANs, MANs and other localised computer networking architectures. This distinction stems from the fact that common LAN technologies operating at Layer 1/2 (such as the forms of Ethernet or Wifi) are often designed for physically proximal networks, and thus cannot transmit data over tens, hundreds or even thousands of miles or kilometres.

WANs do not necessarily connect only physically disparate LANs. A CAN, for example, may have a localised backbone built on a WAN technology, which connects different LANs within a campus. This could be to facilitate higher bandwidth applications, or to provide better functionality for users in the CAN.

6.2 Connection technology

Many technologies are available for wide area network links. Examples include circuit switched telephone lines, radio wave transmission, and optic fiber. New developments in technologies have successively increased transmission rates. In ca. 1960, a 110 bit/s (bits per second) line was normal on the edge of the WAN, while core links of 56 kbit/s to 64 kbit/s were considered fast. As of 2014, households are connected to the Internet with ADSL, Cable, Wimax, 4G or fiber at speeds ranging from 1 Mbit/s to 1 Gbit/s, and the connections in the core of a WAN can range from 1 Gbit/s to 100 Gbit/s.

6.3 List of WAN types

• ATM
• Cable modem
• Dial-up
• DSL
• Frame relay
• ISDN
• Leased line
• SONET
• X.25
• SD-WAN

6.4 See also

• Metropolitan area network (MAN)
• Storage area network (SAN)
• Internet area network (IAN)
• ISDN
• Packet switching
• Cell switching
• Label Switching
• X.25
• Frame Relay
• Asynchronous Transfer Mode
• SONET/SDH
• Wireless wide area network
• Low Power Wide Area Network (LPWAN)
• Wide area file services
• Wide area application services

6.5 References

[1] Groth, David and Skandler, Toby (2005). Network+ Study Guide, Fourth Edition. Sybex, Inc.
ISBN 0-7821-4406-3. 6.6 External links • Cisco - Introduction to WAN Technologies Chapter 7 Northbound interface In computer networking and computer architecture, a northbound interface of a component is an interface that conceptualizes the lower level details (e.g., data or functions) used by, or in, the component. A northbound interface is used to interface with higher level layers using the southbound interface of the higher level component(s). In architectural overviews, the northbound interface is normally drawn at the top of the component it is defined in, hence the name northbound interface. A southbound interface decomposes concepts in the technical details, mostly specific to a single component of the architecture. Southbound interfaces are drawn at the bottom of an architectural overview. Northbound interfaces normally talk to southbound interfaces of higher level components and vice versa. 7.1 Typical use These terms are generic in the sense that they are uniformly used over all layers of a computer application, i.e. independent of the fact that the computer system is about hardware, GUI, middleware, etc. A northbound interface is typically an output-only interface (as opposed to one that accepts user input) found in carrier-grade network and telecommunications network elements. The languages or protocols commonly used include SNMP and TL1. For example, a device that is capable of sending out syslog messages but that is not configurable by the user is said to implement a northbound interface. Other examples include SMASH, IPMI, WSMAN, SOAP, etc. 
7.2 External links

• Northbound interface / Southbound interface (Tech Target)
• Difference between NorthBound Interface and SouthBound Interface

Chapter 8 OSI model

The Open Systems Interconnection model (OSI model) is a conceptual model that characterizes and standardizes the communication functions of a telecommunication or computing system without regard to their underlying internal structure and technology. Its goal is the interoperability of diverse communication systems with standard protocols. The model partitions a communication system into abstraction layers. The original version of the model defined seven layers.

A layer serves the layer above it and is served by the layer below it. For example, a layer that provides error-free communications across a network provides the path needed by applications above it, while it calls the next lower layer to send and receive packets that comprise the contents of that path. Two instances at the same layer are visualized as connected by a horizontal connection in that layer.

The model is a product of the Open Systems Interconnection project at the International Organization for Standardization (ISO), maintained by the identification ISO/IEC 7498-1.

[Figure: Communication in the OSI model (example with layers 3 to 5)]

8.1 History

In the late 1970s, one project was administered by the International Organization for Standardization (ISO), while another was undertaken by the International Telegraph and Telephone Consultative Committee, or CCITT (the abbreviation is from the French version of the name). These two international standards bodies each developed a document that defined similar networking models. In 1983, these two documents were merged to form a standard called The Basic Reference Model for Open Systems Interconnection. The standard is usually referred to as the Open Systems Interconnection Reference Model, the OSI Reference Model, or simply the OSI model. It was published in 1984 by both the ISO, as standard ISO 7498, and the renamed CCITT (now called the Telecommunications Standardization Sector of the International Telecommunication Union or ITU-T) as standard X.200.

OSI had two major components, an abstract model of networking, called the Basic Reference Model or seven-layer model, and a set of specific protocols.

The concept of a seven-layer model was provided by the work of Charles Bachman at Honeywell Information Services. Various aspects of OSI design evolved from experiences with the ARPANET, NPLNET, EIN, CYCLADES network and the work in IFIP WG6.1. The new design was documented in ISO 7498 and its various addenda. In this model, a networking system was divided into layers. Within each layer, one or more entities implement its functionality. Each entity interacted directly only with the layer immediately beneath it, and provided facilities for use by the layer above it.

Protocols enable an entity in one host to interact with a corresponding entity at the same layer in another host. Service definitions abstractly described the functionality provided to an (N)-layer by an (N-1) layer, where N was one of the seven layers of protocols operating in the local host.

The OSI standards documents are available from the ITU-T as the X.200-series of recommendations.[1] Some of the protocol specifications were also available as part of the ITU-T X series. The equivalent ISO and ISO/IEC standards for the OSI model were available from ISO; not all are free of charge.[2]

8.2 Description of OSI layers

The recommendation X.200 describes seven layers, labeled 1 to 7. Layer 1 is the lowest layer in this model.

At each level N, two entities at the communicating devices (layer N peers) exchange protocol data units (PDUs) by means of a layer N protocol. Each PDU contains a payload, called the service data unit (SDU), along with protocol-related headers and/or footers.

Data processing by two communicating OSI-compatible devices is done as follows:

1. The data to be transmitted is composed at the topmost layer of the transmitting device (layer N) into a protocol data unit (PDU).
2. The PDU is passed to layer N-1, where it is known as the service data unit (SDU).
3. At layer N-1 the SDU is concatenated with a header, a footer, or both, producing a layer N-1 PDU. It is then passed to layer N-2.
4. The process continues until reaching the lowermost level, from which the data is transmitted to the receiving device.
5. At the receiving device the data is passed from the lowest to the highest layer as a series of SDUs while being successively stripped of each layer’s header and/or footer, until reaching the topmost layer, where the last of the data is consumed.

Some orthogonal aspects, such as management and security, involve all of the layers (see ITU-T Recommendation X.800[4]). These services are aimed at improving the CIA triad (confidentiality, integrity, and availability) of the transmitted data. In practice, the availability of a communication service is determined by the interaction between network design and network management protocols. Appropriate choices for both of these are needed to protect against denial of service.

8.2.1 Layer 1: Physical Layer

The physical layer defines the electrical and physical specifications of the data connection. It defines the relationship between a device and a physical transmission medium (e.g., a copper or fiber optical cable, radio frequency). This includes the layout of pins, voltages, line impedance, cable specifications, signal timing and similar characteristics for connected devices, and frequency (5 GHz or 2.4 GHz etc.) for wireless devices. It is responsible for transmission and reception of unstructured raw data in a physical medium. It may define the transmission mode as simplex, half duplex, or full duplex. It defines the network topology, with bus, mesh, and ring being some of the most common.

The physical layer of Parallel SCSI operates in this layer, as do the physical layers of Ethernet and other local-area networks, such as token ring, FDDI, ITU-T G.hn, and IEEE 802.11 (Wi-Fi), as well as personal area networks such as Bluetooth and IEEE 802.15.4.

The physical layer is the layer of low-level networking equipment, such as some hubs, cabling, and repeaters. The physical layer is never concerned with protocols or other such higher-layer items. Examples of hardware in this layer are network adapters, repeaters, network hubs, modems, and fiber media converters.

8.2.2 Layer 2: Data Link Layer

The data link layer provides node-to-node data transfer: a link between two directly connected nodes. It detects and possibly corrects errors that may occur in the physical layer. It, among other things, defines the protocol to establish and terminate a connection between two physically connected devices. It also defines the protocol for flow control between them.

IEEE 802 divides the data link layer into two sublayers:[5]

• Media Access Control (MAC) layer, responsible for controlling how devices in a network gain access to the medium and permission to transmit on it.
• Logical Link Control (LLC) layer, responsible for identifying network layer protocols and then encapsulating them; it also controls error checking and frame synchronization.

The MAC and LLC layers of IEEE 802 networks such as 802.3 Ethernet, 802.11 Wi-Fi, and 802.15.4 ZigBee operate at the data link layer.

The Point-to-Point Protocol (PPP) is a data link layer protocol that can operate over several different physical layers, such as synchronous and asynchronous serial lines.

The ITU-T G.hn standard, which provides high-speed local area networking over existing wires (power lines, phone lines and coaxial cables), includes a complete data link layer that provides both error correction and flow control by means of a selective-repeat sliding-window protocol.

8.2.3 Layer 3: Network Layer

The network layer provides the functional and procedural means of transferring variable length data sequences (called datagrams) from one node to another connected to the same “network”. A network is a medium to which many nodes can be connected, on which every node has an address, and which permits nodes connected to it to transfer messages to other nodes connected to it by merely providing the content of a message and the address of the destination node and letting the network find the way to deliver the message to the destination node, possibly routing it through intermediate nodes. If the message is too large to be transmitted from one node to another on the data link layer between those nodes, the network may implement message delivery by splitting the message into several fragments at one node, sending the fragments independently, and reassembling the fragments at another node. It may, but need not, report delivery errors.

Message delivery at the network layer is not necessarily guaranteed to be reliable; a network layer protocol may provide reliable message delivery, but it need not do so.

A number of layer-management protocols, a function defined in the management annex, ISO 7498/4, belong to the network layer. These include routing protocols, multicast group management, network-layer information and error, and network-layer address assignment. It is the function of the payload that makes these belong to the network layer, not the protocol that carries them.[6]

8.2.4 Layer 4: Transport Layer

The transport layer provides the functional and procedural means of transferring variable-length data sequences from a source to a destination host via one or more networks, while maintaining the quality of service functions.

An example of a transport-layer protocol in the standard Internet stack is Transmission Control Protocol (TCP), usually built on top of the Internet Protocol (IP).

The transport layer controls the reliability of a given link through flow control, segmentation/desegmentation, and error control. Some protocols are state- and connection-oriented. This means that the transport layer can keep track of the segments and retransmit those that fail. The transport layer also provides the acknowledgement of successful data transmission and sends the next data if no errors occurred. The transport layer creates packets out of the message received from the application layer. Packetizing is the process of dividing a long message into smaller messages.

OSI defines five classes of connection-mode transport protocols ranging from class 0 (which is also known as TP0 and provides the fewest features) to class 4 (TP4, designed for less reliable networks, similar to the Internet). Class 0 contains no error recovery, and was designed for use on network layers that provide error-free connections. Class 4 is closest to TCP, although TCP contains functions, such as the graceful close, which OSI assigns to the session layer. Also, all OSI TP connection-mode protocol classes provide expedited data and preservation of record boundaries. Detailed characteristics of TP0-4 classes are shown in the following table:[7]

An easy way to visualize the transport layer is to compare it with a post office, which deals with the dispatch and classification of mail and parcels sent. Do remember, however, that a post office manages the outer envelope of mail. Higher layers may have the equivalent of double envelopes, such as cryptographic presentation services that can be read by the addressee only. Roughly speaking, tunneling protocols operate at the transport layer, such as carrying non-IP protocols such as IBM's SNA or Novell's IPX over an IP network, or end-to-end encryption with IPsec. While Generic Routing Encapsulation (GRE) might seem to be a network-layer protocol, if the encapsulation of the payload takes place only at the endpoint, GRE becomes closer to a transport protocol that uses IP headers but contains complete frames or packets to deliver to an endpoint. L2TP carries PPP frames inside transport packets.

Although not developed under the OSI Reference Model and not strictly conforming to the OSI definition of the transport layer, the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) of the Internet Protocol Suite are commonly categorized as layer-4 protocols within OSI.

8.2.5 Layer 5: Session Layer

The session layer controls the dialogues (connections) between computers. It establishes, manages and terminates the connections between the local and remote application. It provides for full-duplex, half-duplex, or simplex operation, and establishes checkpointing, adjournment, termination, and restart procedures. The OSI model made this layer responsible for graceful close of sessions, which is a property of the Transmission Control Protocol, and also for session checkpointing and recovery, which is not usually used in the Internet Protocol Suite. The session layer is commonly implemented explicitly in application environments that use remote procedure calls.

8.2.6 Layer 6: Presentation Layer

The presentation layer establishes context between application-layer entities, in which the application-layer entities may use different syntax and semantics if the presentation service provides a mapping between them. If a mapping is available, presentation service data units are encapsulated into session protocol data units, and passed down the protocol stack.

This layer provides independence from data representation (e.g., encryption) by translating between application and network formats. The presentation layer transforms data into the form that the application accepts. This layer formats and encrypts data to be sent across a network. It is sometimes called the syntax layer.[8] The original presentation structure used the Basic Encoding Rules of Abstract Syntax Notation One (ASN.1), with capabilities such as converting an EBCDIC-coded text file to an ASCII-coded file, or serialization of objects and other data structures from and to XML.

8.2.7 Layer 7: Application Layer

The application layer is the OSI layer closest to the end user, which means both the OSI application layer and the user interact directly with the software application. This layer interacts with software applications that implement a communicating component. Such application programs fall outside the scope of the OSI model. Application-layer functions typically include identifying communication partners, determining resource availability, and synchronizing communication. When identifying communication partners, the application layer determines the identity and availability of communication partners for an application with data to transmit. When determining resource availability, the application layer must decide whether sufficient network resources for the requested communication exist. In synchronizing communication, all communication between applications requires cooperation that is managed by the application layer. This layer supports application and end-user processes. Communication partners are identified, quality of service is identified, user authentication and privacy are considered, and any constraints on data syntax are identified. Everything at this layer is application-specific.

8.3 Cross-layer functions

Cross-layer functions are services that are not tied to a given layer, but may affect more than one layer. Examples include the following:

• Security service (telecommunication)[4] as defined by ITU-T X.800 recommendation.
• Management functions, i.e. functions that permit configuring, instantiating, monitoring and terminating the communications of two or more entities: there is a specific application-layer protocol, the common management information protocol (CMIP), and its corresponding service, the common management information service (CMIS); they need to interact with every layer in order to deal with their instances.
• Multiprotocol Label Switching (MPLS) operates at an OSI-model layer that is generally considered to lie between traditional definitions of layer 2 (data link layer) and layer 3 (network layer), and thus is often referred to as a “layer-2.5” protocol. It was designed to provide a unified data-carrying service for both circuit-based clients and packet-switching clients which provide a datagram-based service model. It can be used to carry many different kinds of traffic, including IP packets, as well as native ATM, SONET, and Ethernet frames.
• ARP is used to translate IPv4 addresses (OSI layer 3) into Ethernet MAC addresses (OSI layer 2).
• Domain Name Service is an application layer service which is used to look up the IP address of a given domain name. Once a reply is received from the DNS server, it is then possible to form a layer 3 connection to the third-party host.
• Cross MAC and PHY scheduling is essential in wireless networks because of the time varying nature of wireless channels. By scheduling packet transmission only in favorable channel conditions, which requires the MAC layer to obtain channel state information from the PHY layer, network throughput can be significantly improved and energy waste can be avoided.[9]

8.4 Interfaces

Neither the OSI Reference Model nor OSI protocols specify any programming interfaces, other than deliberately abstract service specifications. Protocol specifications precisely define the interfaces between different computers, but the software interfaces inside computers, known as network sockets, are implementation-specific.

For example, Microsoft Windows' Winsock, and Unix's Berkeley sockets and System V Transport Layer Interface, are interfaces between applications (layer 5 and above) and the transport (layer 4). NDIS and ODI are interfaces between the media (layer 2) and the network protocol (layer 3).

Interface standards, except for the physical layer to media, are approximate implementations of OSI service specifications.

8.5 Examples

8.6 Comparison with TCP/IP model

The design of protocols in the TCP/IP model of the Internet does not concern itself with strict hierarchical encapsulation and layering.[15] RFC 3439 contains a section entitled “Layering considered harmful”.[16] TCP/IP does recognize four broad layers of functionality which are derived from the operating scope of their contained protocols: the scope of the software application; the end-to-end transport connection; the internetworking range; and the scope of the direct links to other nodes on the local network.[17]

Despite using a different concept for layering than the OSI model, these layers are often compared with the OSI layering scheme in the following way:

• The Internet application layer includes the OSI application layer, presentation layer, and most of the session layer.
• Its end-to-end transport layer includes the graceful close function of the OSI session layer as well as the OSI transport layer.
• The internetworking layer (Internet layer) is a subset of the OSI network layer.
• The link layer includes the OSI data link layer and sometimes the physical layers, as well as some protocols of the OSI’s network layer.

These comparisons are based on the original seven-layer protocol model as defined in ISO 7498, rather than refinements in such things as the internal organization of the network layer document.

The presumably strict layering of the OSI model as it is usually described does not present contradictions in TCP/IP, as it is permissible that protocol usage does not follow the hierarchy implied in a layered model. Such examples exist in some routing protocols (e.g., OSPF), or in the description of tunneling protocols, which provide a link layer for an application, although the tunnel host protocol might well be a transport or even an application-layer protocol in its own right.

8.7 See also

• Hierarchical internetworking model
• Management plane
• Layer 8
• Protocol stack
• Service layer
• WAP protocol suite
• List of information technology acronyms
• IBM Systems Network Architecture
• Internet protocol suite

8.8 References

[1] ITU-T X-Series Recommendations
[2] “Publicly Available Standards”. Standards.iso.org. 2010-07-30. Retrieved 2010-09-11.
[3] “The OSI Model’s Seven Layers Defined and Functions Explained”. Microsoft Support. Retrieved 2014-12-28.
[4] “ITU-T Recommendation X.800 (03/91), Security architecture for Open Systems Interconnection for CCITT applications”. ITU. Retrieved 14 August 2015.
[5] “5.2 RM description for end stations”. IEEE Std 802-2014, IEEE Standard for Local and Metropolitan Area Networks: Overview and Architecture. IEEE.
[6] International Organization for Standardization (1989-11-15). “ISO/IEC 7498-4:1989 -- Information technology -- Open Systems Interconnection -- Basic Reference Model: Naming and addressing”. ISO Standards Maintenance Portal. ISO Central Secretariat. Retrieved 2015-08-17.
[7] “ITU-T Recommendation X.224 (11/1995) ISO/IEC 8073, Open Systems Interconnection - Protocol for providing the connection-mode transport service”. ITU.
[8] Grigonis, Richard (2000). Computer telephony encyclopaedia. CMP. p. 331. ISBN 9781578200450.
[9] Miao, Guowang; Song, Guocong (2014). Energy and spectrum efficient wireless network design. Cambridge University Press. ISBN 1107039886.
[10] “ITU-T Recommendation Q.1400 (03/1993), Architecture framework for the development of signaling and OA&M protocols using OSI concepts”. ITU. pp. 4, 7.
[11] ITU Rec. X.227 (ISO 8650), X.217 (ISO 8649).
[12] X.700 series of recommendations from the ITU-T (in particular X.711) and ISO 9596.
[13] “Internetworking Technology Handbook - Internetworking Basics [Internetworking]”. Cisco. 15 January 2014. Retrieved 14 August 2015.
[14] “3GPP specification: 36.300”. 3gpp.org. Retrieved 14 August 2015.
[15] RFC 3439
[16] “RFC 3439 - Some Internet Architectural Guidelines and Philosophy”. ietf.org. Retrieved 14 August 2015.
[17] Walter Goralski. The Illustrated Network: How TCP/IP Works in a Modern Network (PDF). Morgan Kaufmann. p. 26. ISBN 978-0123745415.

8.9 External links

• Microsoft Knowledge Base: The OSI Model’s Seven Layers Defined and Functions Explained
• ISO/IEC standard 7498-1:1994 (PDF document inside ZIP archive) (requires HTTP cookies in order to accept licence agreement)
• ITU-T X.200 (the same contents as from ISO)
• The ISO OSI Reference Model, Beluga graph of data units and groups of layers
• Zimmermann, Hubert (April 1980). “OSI Reference Model — The ISO Model of Architecture for Open Systems Interconnection”. IEEE Transactions on Communications. 28 (4): 425–432. CiteSeerX 10.1.1.136.9497. doi:10.1109/TCOM.1980.1094702.
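The five encapsulation and decapsulation steps of section 8.2, carried through three concrete layers, as an added example (it is not part of the OSI standards or of any source cited in this chapter). An Ethernet II frame (layer 2) is built around an IPv4 packet (layer 3) around a UDP datagram (layer 4), so each layer's PDU becomes the next lower layer's SDU; the receiving side then strips the headers bottom-up, checking every length field and checksum against the bytes actually present before handing the SDU upward. The MAC addresses, IP addresses, ports and payload are constructed sample values, and the Ethernet frame check sequence is omitted, as it would be added by the NIC.

```python
"""Added example (not from the OSI standards or this page's sources):
OSI section 8.2 encapsulation/decapsulation over Ethernet II, IPv4 and UDP.
All addresses, ports and payload below are constructed sample values."""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum as used by IPv4 and UDP.  Computed over a header that
    already carries a correct checksum it yields 0, which is how we verify."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_pdu(src_ip: bytes, dst_ip: bytes, src_port: int, dst_port: int, sdu: bytes) -> bytes:
    """Layer 4: prepend the UDP header.  The checksum also covers an IPv4
    pseudo-header, which binds the datagram to the network-layer addresses."""
    length = 8 + len(sdu)
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, IPPROTO_UDP, length)
    header = struct.pack("!HHHH", src_port, dst_port, length, 0)
    csum = ones_complement_sum(pseudo + header + sdu) or 0xFFFF  # 0 means "no checksum"
    return struct.pack("!HHHH", src_port, dst_port, length, csum) + sdu


def ipv4_pdu(src_ip: bytes, dst_ip: bytes, sdu: bytes, ttl: int = 64) -> bytes:
    """Layer 3: prepend a 20-byte IPv4 header (no options, DF bit set)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(sdu), 0x1234, 0x4000,
                         ttl, IPPROTO_UDP, 0, src_ip, dst_ip)
    csum = ones_complement_sum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + sdu


def ethernet_pdu(src_mac: bytes, dst_mac: bytes, sdu: bytes) -> bytes:
    """Layer 2: prepend the Ethernet II header (FCS omitted; the NIC adds it)."""
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + sdu


def build_frame(payload: bytes = b"hello") -> bytes:
    """Steps 1-4 of section 8.2: each layer's PDU is the next lower layer's SDU."""
    src_mac, dst_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    src_ip, dst_ip = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    l4 = udp_pdu(src_ip, dst_ip, 40000, 53, payload)
    l3 = ipv4_pdu(src_ip, dst_ip, l4)
    return ethernet_pdu(src_mac, dst_mac, l3)


def decapsulate(frame: bytes) -> dict:
    """Step 5: strip headers bottom-up.  Lengths and checksums are checked against
    the bytes actually present before the SDU goes up; a parser that trusts the
    header's length fields instead is the classic buffer over-read."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not IPv4")
    packet = frame[14:]                                   # layer-2 SDU
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("bad IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("IPv4 lengths inconsistent with frame")
    if ones_complement_sum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    if packet[9] != IPPROTO_UDP:
        raise ValueError("not UDP")
    src_ip, dst_ip = packet[12:16], packet[16:20]
    datagram = packet[ihl:total_len]                      # layer-3 SDU
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    src_port, dst_port, udp_len, udp_csum = struct.unpack("!HHHH", datagram[:8])
    if udp_len != len(datagram):
        raise ValueError("UDP length inconsistent")
    if udp_csum != 0:
        pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, IPPROTO_UDP, udp_len)
        if ones_complement_sum(pseudo + datagram) != 0:
            raise ValueError("UDP checksum mismatch")
    return {"src_mac": src_mac, "dst_mac": dst_mac, "src_ip": src_ip, "dst_ip": dst_ip,
            "ttl": packet[8], "src_port": src_port, "dst_port": dst_port,
            "payload": datagram[8:]}                      # layer-4 SDU


def is_rejected(frame: bytes) -> bool:
    """True when decapsulate() refuses the frame."""
    try:
        decapsulate(frame)
        return False
    except ValueError:
        return True


def corrupt(frame: bytes, index: int) -> bytes:
    """Flip one bit at a byte offset (a constructed fault for the demo)."""
    b = bytearray(frame)
    b[index] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    f = build_frame()
    print(decapsulate(f))
    print(is_rejected(corrupt(f, 14 + 8)))       # TTL byte: caught by the IPv4 header checksum
    print(is_rejected(corrupt(f, len(f) - 1)))   # last payload byte: caught by the UDP checksum
```

Flipping a bit in the IPv4 TTL is caught by the layer-3 header checksum and a flipped payload bit by the layer-4 checksum, which is exactly the per-layer error control the chapter describes. The caveat a practitioner should keep in mind is that these checksums detect accidental corruption only: an attacker who modifies a packet simply recomputes them, so integrity against tampering has to come from a cryptographic service such as the IPsec or presentation-layer mechanisms mentioned above.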
• Cisco Systems Internetworking Technology Handbook
• Osi Model : 7 Layer Of The Network Communication

Chapter 9 Open vSwitch

Open vSwitch, sometimes abbreviated as OVS, is a production-quality open-source implementation of a distributed virtual multilayer switch. The main purpose of Open vSwitch is to provide a switching stack for hardware virtualization environments, while supporting multiple protocols and standards used in computer networks.[4]

The project’s source code is distributed under the terms of the Apache License 2.0.

[Figure: Open vSwitch deployed as a cross-server virtual network switch, transparently distributed across multiple physical servers; application, web and database server VMs with their vNICs attach to one distributed virtual switch spanning the hypervisors on each server.[4]]

9.1 Overview

Open vSwitch is a software implementation of a virtual multilayer network switch, designed to enable effective network automation through programmatic extensions, while supporting standard management interfaces and protocols such as NetFlow, sFlow, SPAN, RSPAN, CLI, LACP and 802.1ag. In addition, Open vSwitch is designed to support transparent distribution across multiple physical servers by enabling creation of cross-server switches in a way that abstracts out the underlying server architecture, similarly to the VMware vNetwork distributed vswitch or Cisco Nexus 1000V.[5][6][7]

Open vSwitch can operate both as a software-based network switch running within the virtual machine (VM) hypervisors, and as the control stack for dedicated switching hardware; as a result, it has been ported to multiple virtualization platforms, switching chipsets, and networking hardware accelerators.[8]

Open vSwitch is the default network switch in the XenServer virtualization platform since its version 6.0,[9] and in the Xen Cloud Platform via its XAPI management toolstack.[10] It also supports Xen, Linux KVM, Proxmox VE and VirtualBox hypervisors, while a port to Hyper-V is also available.[11] Open vSwitch has also been integrated into various cloud computing software platforms and virtualization management systems, including OpenStack, openQRM, OpenNebula and oVirt.[5][6]

The majority of the Open vSwitch source code is written in the platform-independent C language, which provides easy portability to various environments. The source code is licensed under the Apache License 2.0.[5]

The Linux kernel’s implementation of Open vSwitch was merged into the Linux kernel mainline in kernel version 3.3, which was released on March 18, 2012;[12][13] official Linux packages are available for Debian, Fedora and Ubuntu.[5] As of January 2014, FreeBSD and NetBSD implementations are also available, with the NetBSD implementation operating completely in userspace.[14][15][16]

9.2 Features

As of September 2015, features provided by Open vSwitch include the following:[17][18]

• Exposed communication between virtual machines, via NetFlow, sFlow, IP Flow Information Export (IPFIX), Switched Port Analyzer (SPAN), Remote Switched Port Analyzer (RSPAN), and port mirrors tunneled using Generic Routing Encapsulation (GRE)
• Link aggregation through the Link Aggregation Control Protocol (LACP, IEEE 802.1AX-2008)
• Standard 802.1Q virtual LAN (VLAN) model for network partitioning, with support for trunking
• Support for multicast snooping using versions 1, 2 and 3 of the Internet Group Management Protocol (IGMP)
• Support for Shortest Path Bridging Media Access Control (SPBM) and associated basic support for the Link Layer Discovery Protocol (LLDP)
• Support for Bidirectional Forwarding Detection (BFD) and 802.1ag link monitoring
• Support for the Spanning Tree Protocol (STP, IEEE 802.1D-1998) and Rapid Spanning Tree Protocol (RSTP, IEEE 802.1D-2004)
• Fine-grained quality of service (QoS) control for different applications, users, or data flows
• Support for the hierarchical fair-service curve (HFSC) queuing discipline (qdisc)
• Traffic policing at the level of the virtual machine interface
• Network interface controller (NIC) bonding, with load balancing by source MAC addresses, active backups, and layer 4 hashing
• Support for the OpenFlow protocol, including various virtualization-related extensions
• Complete IPv6 (Internet Protocol version 6) support
• Support for multiple tunneling protocols, including GRE, Virtual Extensible LAN (VXLAN), Stateless Transport Tunneling (STT) and Geneve, with additional support for layering over Internet Protocol Security (IPsec)
• Remote configuration protocol, with existing bindings for the C and Python programming languages
• Implementation of the packet forwarding engine in kernel space or userspace, allowing additional flexibility as well as providing performance improvements by processing the majority of forwarded packets without leaving the kernel space and by using multithreaded kernel space and userspace components[19][20]
• Multi-table forwarding pipeline with a flow-caching engine
• Forwarding layer abstraction, making it easier to port Open vSwitch to new software and hardware platforms

9.3 See also

• Distributed Overlay Virtual Ethernet (DOVE)
• LAN switching
• Network functions virtualization (NFV)
• Overlay transport virtualization (OTV)
• Software-defined networking (SDN)

9.4 References

[1] “A complete list of Open vSwitch releases”. openvswitch.org. Retrieved April 2, 2014.
[2] Justin Pettit (February 27, 2016). “[ovs-announce] Open vSwitch 2.5.0 Available”. openvswitch.org. Retrieved March 11, 2016.
[3] “NEWS file for Open vSwitch 2.5.0”. openvswitch.org. February 26, 2016. Retrieved March 11, 2016.
[4] M. Tim Jones (October 27, 2010). “Virtual networking in Linux”. IBM. Retrieved April 9, 2014.
[5] “Open vSwitch: An Open Virtual Switch”. openvswitch.org. Retrieved November 24, 2013.
[6] Thomas Graf (April 24, 2013). “Underneath OpenStack Quantum: Software Defined Networking with Open vSwitch” (PDF). Red Hat. Retrieved April 9, 2014.
[7] Ralf Spenneberg. “Virtual switching with Open vSwitch”. admin-magazine.com. Retrieved April 2, 2014.
[8] “Tilera Launches Open Virtual Switch Solution (OVS) to Accelerate NFV and SDN”. Marketwired. February 24, 2014. Retrieved June 22, 2015.
[9] “XenServer 6.0 Release Notes”. Citrix Systems. March 8, 2012. Retrieved January 22, 2015.
[10] “XAPI: Open source software to build private and public clouds”. xenproject.org. 2013. Retrieved January 22, 2015.
[11] Alessandro Pilotti (May 22, 2014). “Open vSwitch on Hyper-V”. cloudbase.it. Retrieved June 22, 2015.
[12] “Linux kernel 3.3, Section 1.3. Open vSwitch”. kernelnewbies.org. March 18, 2012. Retrieved April 2, 2014.
[13] Jonathan Corbet (November 30, 2011). “Routing Open vSwitch into the mainline”. LWN.net. Retrieved April 2, 2014.
[14] “FreshPorts – net/openvswitch”. freshports.org. December 30, 2013. Retrieved April 2, 2014.
[15] Gaetano Catalli (November 7, 2011). “Open vSwitch: performance improvement and porting to FreeBSD” (PDF). ucl.ac.be. Retrieved June 22, 2015.
[16] “openvswitch/ovs: ovs/INSTALL.NetBSD at master”. github.com. January 11, 2014. Retrieved April 9, 2014.
[17] “Open vSwitch: Features”. openvswitch.org. Retrieved September 17, 2015.
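The multi-table forwarding pipeline and flow cache listed under 9.2 are what a controller programs, over OpenFlow, to turn a security policy into per-packet decisions. The following is an added example (not Open vSwitch code, and not from any source cited in this chapter): a toy pipeline whose table 0 enforces that a frame arriving on a port carries only the MAC and IP bound to that port (anti-spoofing), table 1 is an allow-list ACL, and table 2 forwards by destination MAC. Matching is simplified to exact field values with no masks, a table-miss drops the packet, and the exact-match cache is flushed on every flow change. The port numbers, MACs and IPs are constructed sample values.

```python
"""Added example (not Open vSwitch code): a toy multi-table forwarding pipeline
with an exact-match flow cache, used to express an anti-spoofing plus
allow-list policy the way a controller would program OVS over OpenFlow.
Ports, MACs and IP addresses are constructed sample values."""
from dataclasses import dataclass


@dataclass
class Flow:
    priority: int
    match: dict        # header field -> required value; fields absent here are wildcards
    action: tuple      # ("goto", table) | ("output", port) | ("drop",)

    def matches(self, pkt: dict) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())


class Pipeline:
    def __init__(self, tables: int):
        self.tables = [[] for _ in range(tables)]
        self.cache = {}                        # exact-match cache: header tuple -> action
        self.hits = self.misses = 0

    def add_flow(self, table: int, priority: int, match: dict, action: tuple) -> None:
        self.tables[table].append(Flow(priority, dict(match), action))
        self.tables[table].sort(key=lambda f: f.priority, reverse=True)
        self.cache.clear()                     # cached decisions may now be stale

    def classify(self, table: int, pkt: dict):
        """Highest-priority matching entry in one table, or None on a table-miss."""
        for flow in self.tables[table]:
            if flow.matches(pkt):
                return flow
        return None

    def slow_path(self, pkt: dict) -> tuple:
        """Walk the pipeline from table 0; a table-miss drops (the OpenFlow 1.1+ default)."""
        table, seen = 0, set()
        while True:
            if table in seen:
                raise RuntimeError("goto loop in pipeline")
            seen.add(table)
            flow = self.classify(table, pkt)
            if flow is None:
                return ("drop",)
            if flow.action[0] == "goto":
                table = flow.action[1]
                continue
            return flow.action

    def forward(self, pkt: dict) -> tuple:
        """Fast path: consult the exact-match cache before the full classifier."""
        key = tuple(sorted(pkt.items()))
        if key in self.cache:
            self.hits += 1
            return self.cache[key]
        self.misses += 1
        action = self.slow_path(pkt)
        self.cache[key] = action
        return action


HOSTS = {  # constructed sample topology: name -> (switch port, MAC, IPv4)
    "vm-a": (1, "02:00:00:00:00:01", "10.0.0.1"),
    "web":  (2, "02:00:00:00:00:02", "10.0.0.2"),
    "dns":  (3, "02:00:00:00:00:03", "10.0.0.3"),
}


def build_policy() -> Pipeline:
    p = Pipeline(tables=3)
    for port, mac, ip in HOSTS.values():
        # table 0: a frame is accepted only with the MAC/IP bound to its ingress port
        p.add_flow(0, 10, {"in_port": port, "dl_src": mac, "nw_src": ip}, ("goto", 1))
        # table 2: plain layer-2 forwarding by destination MAC
        p.add_flow(2, 10, {"dl_dst": mac}, ("output", port))
    # table 1: allow-list ACL; an explicit lowest-priority catch-all drops the rest
    p.add_flow(1, 20, {"nw_dst": HOSTS["web"][2], "tp_dst": 80}, ("goto", 2))
    p.add_flow(1, 20, {"nw_dst": HOSTS["dns"][2], "tp_dst": 53}, ("goto", 2))
    p.add_flow(1, 0, {}, ("drop",))
    return p


def packet(src: str, dst: str, tp_dst: int, nw_src=None) -> dict:
    """Header fields of a constructed packet from one sample host to another."""
    sport, smac, sip = HOSTS[src]
    _, dmac, dip = HOSTS[dst]
    return {"in_port": sport, "dl_src": smac, "dl_dst": dmac,
            "nw_src": nw_src or sip, "nw_dst": dip, "tp_dst": tp_dst}


if __name__ == "__main__":
    p = build_policy()
    print(p.forward(packet("vm-a", "web", 80)))                     # ('output', 2)
    print(p.forward(packet("vm-a", "web", 22)))                     # ('drop',) not on the allow-list
    print(p.forward(packet("vm-a", "web", 80, nw_src="10.0.0.9")))  # ('drop',) spoofed source
    print(p.forward(packet("vm-a", "web", 80)), p.hits)             # served from the cache
```

The spoofed packet never reaches the ACL: it misses in table 0 and is dropped there, which is why source validation belongs in the first table. The `add_flow` cache flush matters for the same reason; a decision cached before a rule change would otherwise keep allowing traffic the new rule forbids. Open vSwitch itself revalidates cached datapath flows after table changes rather than flushing them, but the invariant is the same.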
[18] Jesse Gross (September 2013). “Programmable Networking with Open vSwitch” (PDF). linuxfoundation.org. LinuxCon. Retrieved November 24, 2013. [19] Justin Pettit; Ben Pfaff; Ethan Jackson (November 13, 2014). “Accelerating Open vSwitch to 'Ludicrous Speed'". networkheresy.com. Retrieved May 26, 2015. [20] Jesse Gross (August 21, 2014). “The Evolution of Open vSwitch” (PDF). events.linuxfoundation.org. LinuxCon. pp. 6, 13–17. Retrieved May 28, 2015. 40 9.5 External links • Official website and source code on GitHub • Introduction to Open vSwitch on YouTube, December 15, 2013 • Open vSwitch: Deep Dive The Virtual Switch for OpenStack on YouTube, November 8, 2013 • OVN, Bringing Native Virtual Networking to OVS, January 13, 2015, by Justin Pettit, Ben Pfaff, Chris Wright and Madhu Venugopal • Open Virtual Network (OVN) Proposed Architecture, January 13, 2015, by Ben Pfaff • 6WIND Announces Open vSwitch Acceleration for Red Hat Enterprise Linux OpenStack Platform, PRWeb, April 16, 2014 • Going With the Flow: Google’s Secret Switch to the Next Wave of Networking, Wired, April 17, 2012, by Steven Levy • Performance Characteristics of Virtual Switching, IEEE, 2014, by Paul Emmerich, Daniel Raumer, Florian Wohlfart and Georg Carle CHAPTER 9. OPEN VSWITCH Chapter 10 Application-specific integrated circuit “ASIC” redirects here. For other uses, see ASIC (disam- grammable interconnects allow the same FPGA to be biguation). used in many different applications. For smaller designs An application-specific integrated circuit (ASIC) or lower production volumes, FPGAs may be more cost effective than an ASIC design even in production. The non-recurring engineering (NRE) cost of an ASIC can run into the millions of dollars. 10.1 History The initial ASICs used gate array technology. An early successful commercial application was the gate array circuitry found in the 8-bit ZX81 and ZX Spectrum low-end personal computers, introduced in 1981 and 1982. 
These were used by Sinclair Research (UK) essentially as a lowcost I/O solution aimed at handling the computer’s graphics. A tray of application-specific integrated circuit (ASIC) chips Customization occurred by varying the metal interconnect mask. Gate arrays had complexities of up to a few thousand gates. Later versions became more generalized, with different base dies customised by both metal and polysilicon layers. Some base dies include RAM elements. /ˈeɪsɪk/, is an integrated circuit (IC) customized for a particular use, rather than intended for general-purpose use. For example, a chip designed to run in a digital voice 10.2 Standard-cell designs recorder or a high-efficiency Bitcoin miner is an ASIC. Application-specific standard products (ASSPs) are inter- Main article: Standard cell mediate between ASICs and industry standard integrated circuits like the 7400 or the 4000 series. In the mid-1980s, a designer would choose an ASIC manAs feature sizes have shrunk and design tools improved ufacturer and implement their design using the design over the years, the maximum complexity (and hence tools available from the manufacturer. While third-party functionality) possible in an ASIC has grown from 5,000 design tools were available, there was not an effective gates to over 100 million. Modern ASICs often include link from the third-party design tools to the layout and entire microprocessors, memory blocks including ROM, actual semiconductor process performance characterisRAM, EEPROM, flash memory and other large building tics of the various ASIC manufacturers. Most designers blocks. Such an ASIC is often termed a SoC (system-on- ended up using factory-specific tools to complete the imchip). Designers of digital ASICs often use a hardware plementation of their designs. A solution to this probdescription language (HDL), such as Verilog or VHDL, lem, which also yielded a much higher density device, to describe the functionality of ASICs. 
was the implementation of standard cells. Every ASIC Field-programmable gate arrays (FPGA) are the modern- manufacturer could create functional blocks with known day technology for building a breadboard or prototype electrical characteristics, such as propagation delay, cafrom standard parts; programmable logic blocks and pro- pacitance and inductance, that could also be represented 41 42 CHAPTER 10. APPLICATION-SPECIFIC INTEGRATED CIRCUIT in third-party tools. Standard-cell design is the utilization of these functional blocks to achieve very high gate density and good electrical performance. Standard-cell design fits between Gate Array and Full Custom design in terms of both its non-recurring engineering and recurring component cost. mapped into delay information, from which the circuit performance can be estimated, usually by static timing analysis. This, and other final tests such as design rule checking and power analysis (collectively called signoff) are intended to ensure that the device will function correctly over all extremes of the process, voltage and temperature. When this testing is complete the photomask information is released for chip fabrication. By the late 1990s, logic synthesis tools became available. Such tools could compile HDL descriptions into a gate-level netlist. Standard-cell integrated circuits (ICs) are designed in the following conceptual stages, although These steps, implemented with a level of skill common these stages overlap significantly in practice: in the industry, almost always produce a final device that 1. A team of design engineers starts with a non-formal correctly implements the original design, unless flaws are understanding of the required functions for a new later introduced by the physical fabrication process. ASIC, usually derived from requirements analysis. 2. The design team constructs a description of an ASIC (application specific integrated circuits) to achieve these goals using an HDL. 
This process is analogous to writing a computer program in a high-level language. This is usually called the RTL (registertransfer level) design. 3. Suitability for purpose is verified by functional verification. This may include such techniques as logic simulation, formal verification, emulation, or creating an equivalent pure software model (see Simics, for example). Each technique has advantages and disadvantages, and often several methods are used. The design steps (or flow) are also common to standard product design. The significant difference is that standard-cell design uses the manufacturer’s cell libraries that have been used in potentially hundreds of other design implementations and therefore are of much lower risk than full custom design. Standard cells produce a design density that is cost effective, and they can also integrate IP cores and SRAM (Static Random Access Memory) effectively, unlike Gate Arrays. 10.3 Gate-array design 4. Logic synthesis transforms the RTL design into a large collection of lower-level constructs called standard cells. These constructs are taken from a standard-cell library consisting of pre-characterized collections of gates (such as 2 input nor, 2 input nand, inverters, etc.). The standard cells are typically specific to the planned manufacturer of the ASIC. The resulting collection of standard cells, plus the needed electrical connections between them, is called a gate-level netlist. 5. The gate-level netlist is next processed by a placement tool which places the standard cells onto a region representing the final ASIC. It attempts to find a placement of the standard cells, subject to a variety of specified constraints. 6. The routing tool takes the physical placement of the standard cells and uses the netlist to create the electrical connections between them. Since the search space is large, this process will produce a “sufficient” rather than “globally optimal” solution. 
The output is a file which can be used to create a set of photomasks enabling a semiconductor fabrication facility (commonly called a 'fab') to produce physical ICs. Microscope photograph of a gate-array ASIC showing the predefined logic cells and custom interconnections. This particular design uses less than 20% of available logic gates. Gate-array design is a manufacturing method in which the diffused layers, i.e. transistors and other active devices, are predefined and wafers containing such devices are held in stock prior to metallization—in other words, 7. Given the final layout, circuit extraction computes unconnected. The physical design process then defines the parasitic resistances and capacitances. In the the interconnections of the final device. For most ASIC case of a digital circuit, this will then be further manufacturers, this consists of from two to as many as 10.5. STRUCTURED DESIGN 43 nine metal layers, each metal layer running perpendicular to the one below it. Non-recurring engineering costs are much lower, as photolithographic masks are required only for the metal layers, and production cycles are much shorter, as metallization is a comparatively quick process. Gate-array ASICs are always a compromise as mapping a given design onto what a manufacturer held as a stock wafer never gives 100% utilization. Often difficulties in routing the interconnect require migration onto a larger array device with consequent increase in the piece part price. These difficulties are often a result of the layout software used to develop the interconnect. Pure, logic-only gate-array design is rarely implemented by circuit designers today, having been replaced almost entirely by field-programmable devices, such as fieldprogrammable gate arrays (FPGAs), which can be programmed by the user and thus offer minimal tooling charges non-recurring engineering, only marginally increased piece part cost, and comparable performance. 
Today, gate arrays are evolving into structured ASICs that consist of a large IP core like a CPU, DSP unit, peripherals, standard interfaces, integrated memories SRAM, and a block of reconfigurable, uncommited logic. This shift is largely because ASIC devices are capable of integrating such large blocks of system functionality and “system-on-a-chip” requires far more than just logic blocks. Microscope photograph of custom ASIC (486 chipset) showing gate-based design on top and custom circuitry on bottom Automated layout tools are quick and easy to use and also offer the possibility to “hand-tweak” or manually optimize any performance-limiting aspect of the design. This is designed by using basic logic gates, circuits or layout specially for a design. In their frequent usages in the field, the terms “gate array” and “semi-custom” are synonymous. Process engi- 10.5 Structured design neers more commonly use the term “semi-custom”, while “gate-array” is more commonly used by logic (or gateMain article: Structured ASIC platform level) designers. Structured ASIC design (also referred to as “platform ASIC design”), is a relatively new term in the industry, 10.4 Full-custom design resulting in some variation in its definition. However, the basic premise of a structured ASIC is that both manufacturing cycle time and design cycle time are reduced comMain article: Full custom By contrast, full-custom ASIC design defines all the pho- pared to cell-based ASIC, by virtue of there being pretolithographic layers of the device. Full-custom design is defined metal layers (thus reducing manufacturing time) used for both ASIC design and for standard product de- and pre-characterization of what is on the silicon (thus reducing design cycle time). One definition states that sign. 
The benefits of full-custom design usually include reduced area (and therefore recurring component cost), performance improvements, and also the ability to integrate analog components and other pre-designed — and thus fully verified — components, such as microprocessor cores that form a system-on-chip. The disadvantages of full-custom design can include increased manufacturing and design time, increased nonrecurring engineering costs, more complexity in the computer-aided design (CAD) system, and a much higher skill requirement on the part of the design team. For digital-only designs, however, “standard-cell” cell libraries, together with modern CAD systems, can offer considerable performance/cost benefits with low risk. In a “structured ASIC” design, the logic masklayers of a device are predefined by the ASIC vendor (or in some cases by a third party). Design differentiation and customization is achieved by creating custom metal layers that create custom connections between predefined lower-layer logic elements. “Structured ASIC” technology is seen as bridging the gap between field-programmable gate arrays and “standard-cell” ASIC designs. Because only a small number of chip layers must be custom-produced, “structured ASIC” designs have much smaller non-recurring expenditures (NRE) than “standard-cell” or “full-custom” 44 CHAPTER 10. APPLICATION-SPECIFIC INTEGRATED CIRCUIT chips, which require that a full mask set be produced for every design. This is effectively the same definition as a gate array. What makes a structured ASIC different is that in a gate array, the predefined metal layers serve to make manufacturing turnaround faster. In a structured ASIC, the use of predefined metallization is primarily to reduce cost of the mask sets as well as making the design cycle time significantly shorter. 
For example, in a cell-based or gate-array design the user must often design power, clock, and test structures themselves; these are predefined in most structured ASICs and therefore can save time and expense for the designer compared to gate-array. Likewise, the design tools used for structured ASIC can be substantially lower cost and easier (faster) to use than cell-based tools, because they do not have to perform all the functions that cell-based tools do. In some cases, the structured ASIC vendor requires that customized tools for their device (e.g., custom physical synthesis) be used, also allowing for the design to be brought into manufacturing more quickly. to migrate (port) to a different process or manufacturer. 10.7 Multi-project wafers Some manufacturers offer multi-project wafers (MPW) as a method of obtaining low cost prototypes. Often called shuttles, these MPW, containing several designs, run at regular, scheduled intervals on a “cut and go” basis, usually with very little liability on the part of the manufacturer. The contract involves the assembly and packaging of a handful of devices. The service usually involves the supply of a physical design database (i.e. masking information or pattern generation (PG) tape). The manufacturer is often referred to as a “silicon foundry” due to the low involvement it has in the process. 10.8 See also • Application-specific (ASIP) instruction-set processor • Complex programmable logic device (CPLD) 10.6 Cell libraries, IP-based design, hard and soft macros Cell libraries of logical primitives are usually provided by the device manufacturer as part of the service. Although they will incur no additional cost, their release will be covered by the terms of a non-disclosure agreement (NDA) and they will be regarded as intellectual property by the manufacturer. Usually their physical design will be predefined so they could be termed “hard macros”. 
What most engineers understand as "intellectual property" are IP cores, designs purchased from a third-party as sub-components of a larger ASIC. They may be provided as an HDL description (often termed a “soft macro”), or as a fully routed design that could be printed directly onto an ASIC’s mask (often termed a hard macro). Many organizations now sell such pre-designed cores — CPUs, Ethernet, USB or telephone interfaces — and larger organizations may have an entire department or division to produce cores for the rest of the organization. Indeed, the wide range of functions now available is a result of the phenomenal improvement in electronics in the late 1990s and early 2000s; as a core takes a lot of time and investment to create, its re-use and further development cuts product cycle times dramatically and creates better products. Additionally, organizations such as OpenCores are collecting free IP cores, paralleling the open source software movement in hardware design. Soft macros are often process-independent (i.e. they can be fabricated on a wide range of manufacturing processes and different manufacturers). Hard macros are processlimited and usually further design effort must be invested • Electronic design automation (EDA or ECAD) • Field-programmable gate array (FPGA) • Multi-project chip (MPC) • Very-large-scale integration (VLSI) • System-on-a-chip (SoC) 10.9 References 10.10 Sources • Barr, Keith (2007). ASIC Design in the Silicon Sandbox: A Complete Guide to Building Mixed-Signal Integrated Circuits. McGraw Hill Professional. ISBN 9780071481618. • Kevin Morris (23 November 2003). “CostReduction Quagmire: Structured ASIC and Other Options”. FPGA and Programmable Logic Journal. • Anthony Cataldo (26 March 2002). “Xilinx looks to ease path to custom FPGAs”. EE Times. CMP Media, LLC. • “Xilinx intros next-gen EasyPath FPGAs priced below structured ASICs”. EDP Weekly’s IT Monitor. Millin Publishing, Inc. 18 October 2004. • Golshan, K. (2007). 
Chapter 11 Content-addressable memory

Content-addressable memory (CAM) is a special type of computer memory used in certain very-high-speed searching applications. It is also known as associative memory, associative storage, or associative array, although the last term is more often used for a programming data structure.[1] It compares input search data (tag) against a table of stored data, and returns the address of matching data (or in the case of associative memory, the matching data).[2] Several custom computers, like the Goodyear STARAN, were built to implement CAM, and were designated associative computers.

11.1 Hardware associative array

Unlike standard computer memory (random access memory or RAM) in which the user supplies a memory address and the RAM returns the data word stored at that address, a CAM is designed such that the user supplies a data word and the CAM searches its entire memory to see if that data word is stored anywhere in it. If the data word is found, the CAM returns a list of one or more storage addresses where the word was found (and in some architectures, it also returns the contents of that storage address, or other associated pieces of data). Thus, a CAM is the hardware embodiment of what in software terms would be called an associative array. The data word recognition unit was proposed by Dudley Allen Buck in 1955.[3]

11.2 Standards for content-addressable memories

A major interface definition for CAMs and other network search engines (NSEs) was specified in an interoperability agreement called the Look-Aside Interface (LA-1 and LA-1B) developed by the Network Processing Forum, which later merged with the Optical Internetworking Forum (OIF). Numerous devices have been produced by Integrated Device Technology, Cypress Semiconductor, IBM, Broadcom and others to the LA interface agreement. On December 11, 2007, the OIF published the serial lookaside (SLA) interface agreement.

11.3 Semiconductor implementations

Because a CAM is designed to search its entire memory in a single operation, it is much faster than RAM in virtually all search applications. There are cost disadvantages to CAM however. Unlike a RAM chip, which has simple storage cells, each individual memory bit in a fully parallel CAM must have its own associated comparison circuit to detect a match between the stored bit and the input bit. Additionally, match outputs from each cell in the data word must be combined to yield a complete data word match signal. The additional circuitry increases the physical size of the CAM chip which increases manufacturing cost. The extra circuitry also increases power dissipation since every comparison circuit is active on every clock cycle. Consequently, CAM is only used in specialized applications where searching speed cannot be accomplished using a less costly method. One successful early implementation was a General Purpose Associative Processor IC and System.[4]

11.4 Alternative implementations

To achieve a different balance between speed, memory size and cost, some implementations emulate the function of CAM by using standard tree search or hashing designs in hardware, using hardware tricks like replication or pipelining to speed up effective performance. These designs are often used in routers.

An alternative approach to implementation is based on Superimposed Code Words or Field Encoded Words which are used for more efficient database operations, information retrieval and logic programming, with hardware implementations based on both RAM and head-monitoring disk technology.[5][6]

11.5 Ternary CAMs

Binary CAM is the simplest type of CAM which uses data search words consisting entirely of 1s and 0s. Ternary CAM (TCAM)[7] allows a third matching state of “X” or “don't care” for one or more bits in the stored dataword, thus adding flexibility to the search. For example, a ternary CAM might have a stored word of “10XX0” which will match any of the four search words “10000”, “10010”, “10100”, or “10110”. The added search flexibility comes at an additional cost over binary CAM as the internal memory cell must now encode three possible states instead of the two of binary CAM. This additional state is typically implemented by adding a mask bit (“care” or “don't care” bit) to every memory cell.

Holographic associative memory provides a mathematical model for “don't care” integrated associative recollection using complex valued representation.

11.6 Example applications

Content-addressable memory is often used in computer networking devices. For example, when a network switch receives a data frame from one of its ports, it updates an internal table with the frame’s source MAC address and the port it was received on. It then looks up the destination MAC address in the table to determine what port the frame needs to be forwarded to, and sends it out on that port. The MAC address table is usually implemented with a binary CAM so the destination port can be found very quickly, reducing the switch’s latency.

Ternary CAMs are often used in network routers, where each address has two parts: the network address, which can vary in size depending on the subnet configuration, and the host address, which occupies the remaining bits. Each subnet has a network mask that specifies which bits of the address are the network address and which bits are the host address. Routing is done by consulting a routing table maintained by the router which contains each known destination network address, the associated network mask, and the information needed to route packets to that destination. Without CAM, the router compares the destination address of the packet to be routed with each entry in the routing table, performing a logical AND with the network mask and comparing it with the network address. If they are equal, the corresponding routing information is used to forward the packet. Using a ternary CAM for the routing table makes the lookup process very efficient. The addresses are stored using “don't care” for the host part of the address, so looking up the destination address in the CAM immediately retrieves the correct routing entry; both the masking and comparison are done by the CAM hardware. This works if (a) the entries are stored in order of decreasing network mask length, and (b) the hardware returns only the first matching entry; thus, the match with the longest network mask (longest prefix match) is used.[8]

Other CAM applications include:

• CPU fully associative cache controllers and translation lookaside buffers
• Database engines
• Data compression hardware
• Artificial neural networks
• Intrusion Prevention System

11.7 See also

• Associative array
• Content addressable network
• Content Addressable Parallel Processor
• Content addressable storage, or file system
• Sparse Distributed Memory
• Tuple space

11.8 References

[1] Hannum et al. (2004)
[2] Pagiamtzis and Sheikholeslami (2006), pp. 712–713
[3] TRW Computer Division (1963), p. 17. Archived August 5, 2011, at the Wayback Machine.
[4] Stormon et al. (1992)
[5] Wise, Michael J; Powers, David M W (1984). “Indexing Prolog Clauses via Superimposed Code Words and Field Encoded Words”. International Symposium on Logic Programming: 203–210.
[6] Colomb, Robert M (1991). “Enhancing unification in PROLOG through clause indexing”. Journal of Logic Programming. 1 (10): 23–44. doi:10.1016/0743-1066(91)90004-9.
[7] https://books.google.com/books?id=-rnt_ik0mSYC&pg=PA71&dq=TCAM&
[8] Varghese, George. Network Algorithmics: An Interdisciplinary Approach to Designing Fast Networked Devices. Morgan Kaufmann, 2005.

11.9 Bibliography

• Anargyros Krikelis, Charles C. Weems (editors) (1997). Associative Processing and Processors. IEEE Computer Science Press. ISBN 0-8186-7661-2.
• Hannum et al. (2004). System and method for resetting and initializing a fully associative array to a known state at power on or through machine specific state. U.S. Patent 6,823,434. Available by searching at http://patft.uspto.gov/netahtml/PTO/search-bool.html
• Pagiamtzis, K.; Sheikholeslami, A. (2006). “Content-Addressable Memory (CAM) Circuits and Architectures: A Tutorial and Survey” (PDF). IEEE J. of Solid-State Circuits. 41 (3): 712–727.
• Stormon, C.D.; Troullinos, N.B.; Saleh, E.M.; Chavan, A.V.; Brule, M.R.; Oldfield, J.V. A general-purpose CMOS associative processor IC and system. Coherent Research Inc., East Syracuse, NY, USA. IEEE Micro, Dec. 1992, Volume 12, Issue 6.
• TRW Computer Division (1963). First interim report on optimum utilization of computers and computing techniques in shipboard weapons control systems (BuWeps-Project RM1004 M88-3U1). Alexandria, Virginia: Defence Documentation Center for Scientific and Technical Information.

11.10 External links

• CAM Primer
• Content-addressable memory (CAM) circuits and architectures: A tutorial and survey
• Aspex - Computer architecture built around associative memory
• Initiation of Serial Lookaside specification effort (near bottom of page 1)
• OIF Serial Lookaside interface agreement
• Arithmetic Processing using Associative memory
• SimpleRBM, a very small Restricted Boltzmann machine, including training algorithm, which is a kind of Content Addressable Memory of bit vectors.
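The switch MAC-table and router longest-prefix lookups described in section 11.6 above, as an added software model (not code from the original article or from any CAM vendor). It treats a CAM as an ordered list of stored words in which the first match wins, which is exactly why the routing entries must be ordered by decreasing mask length; the `LearningSwitch`, `ROUTES` table and MAC addresses are constructed for illustration.

```python
"""Software model of the binary and ternary CAM lookups described above.

Added example, not part of the original article or any vendor's product. A CAM
is modelled as an ordered list of (pattern, value) entries. A binary CAM stores
exact bit strings; a ternary CAM may also store 'X' ("don't care") bits. As in
the hardware described in the article, a lookup returns only the FIRST matching
entry, so longest-prefix matching depends on the entries being ordered by
decreasing mask length.
"""
from __future__ import annotations

import ipaddress
from typing import Any


class TernaryCAM:
    """Ordered CAM of fixed word width; an 'X' in a stored pattern matches 0 or 1."""

    def __init__(self, width: int) -> None:
        self.width = width
        self.entries: list[tuple[str, Any]] = []  # index 0 has the highest priority

    def add(self, pattern: str, value: Any) -> None:
        if len(pattern) != self.width or any(c not in "01X" for c in pattern):
            raise ValueError(f"pattern must be {self.width} chars of 0/1/X: {pattern!r}")
        self.entries.append((pattern, value))

    def lookup(self, key: str) -> Any | None:
        """Return the value of the first matching entry, or None on a miss."""
        if len(key) != self.width or any(c not in "01" for c in key):
            raise ValueError(f"search key must be {self.width} bits: {key!r}")
        # Hardware compares every stored word in parallel and then reports the
        # lowest-address match; a sequential scan in priority order is equivalent.
        for pattern, value in self.entries:
            if all(p == "X" or p == k for p, k in zip(pattern, key)):
                return value
        return None


# ---- Binary CAM used as a switch MAC address table ---------------------------

def mac_to_bits(mac: str) -> str:
    """'00:11:22:33:44:55' -> 48-character bit string."""
    return format(int(mac.replace(":", ""), 16), "048b")


class LearningSwitch:
    """Learns source MAC -> port on every frame and forwards by destination MAC."""

    def __init__(self, ports: list[int]) -> None:
        self.ports = ports
        self.table = TernaryCAM(width=48)  # only exact patterns stored, i.e. a binary CAM

    def receive(self, in_port: int, src_mac: str, dst_mac: str) -> list[int]:
        """Return the list of ports the frame is sent out on."""
        src_bits = mac_to_bits(src_mac)
        # Re-learn: drop any stale entry for this MAC (the host may have moved ports).
        self.table.entries = [e for e in self.table.entries if e[0] != src_bits]
        self.table.add(src_bits, in_port)
        out_port = self.table.lookup(mac_to_bits(dst_mac))
        if out_port is None:
            return [p for p in self.ports if p != in_port]  # unknown unicast: flood
        return [] if out_port == in_port else [out_port]    # filter same-port frames


# ---- Ternary CAM used as an IPv4 routing table -------------------------------

def prefix_to_pattern(cidr: str) -> str:
    """'10.1.0.0/16' -> 16 network bits followed by 16 'X' (host) bits."""
    net = ipaddress.ip_network(cidr, strict=True)
    bits = format(int(net.network_address), "032b")
    return bits[: net.prefixlen] + "X" * (32 - net.prefixlen)


def build_routing_tcam(routes: dict[str, str], sort_by_prefix: bool = True) -> TernaryCAM:
    """Load {cidr: next_hop} into a TCAM.

    With sort_by_prefix=False the insertion order is kept as given, which shows
    the failure mode the article's condition (a) guards against: a shorter
    prefix placed first shadows every longer, more specific prefix below it.
    """
    cam = TernaryCAM(width=32)
    items = list(routes.items())
    if sort_by_prefix:
        items.sort(key=lambda kv: ipaddress.ip_network(kv[0]).prefixlen, reverse=True)
    for cidr, next_hop in items:
        cam.add(prefix_to_pattern(cidr), next_hop)
    return cam


def route(cam: TernaryCAM, dst_ip: str) -> str | None:
    """Longest-prefix match for dst_ip via a single CAM lookup."""
    return cam.lookup(format(int(ipaddress.ip_address(dst_ip)), "032b"))


# Constructed sample routing table (not from the article); dict order is the
# order an operator might naively enter the routes in.
ROUTES = {
    "0.0.0.0/0": "default-gw",
    "10.0.0.0/8": "corp-core",
    "10.1.0.0/16": "branch-1",
}

if __name__ == "__main__":
    cam = TernaryCAM(width=5)
    cam.add("10XX0", "rule-A")  # the article's example stored word
    print([w for w in ("10000", "10010", "10100", "10110", "10001") if cam.lookup(w)])
    print(route(build_routing_tcam(ROUTES), "10.1.2.3"))                        # branch-1
    print(route(build_routing_tcam(ROUTES, sort_by_prefix=False), "10.1.2.3"))  # default-gw
```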
Chapter 12 Software-defined mobile network

Software-defined mobile networking (SDMN) is an approach to the design of mobile networks where all protocol-specific features are implemented in software, maximizing the use of generic and commodity hardware and software in both the core network and radio access network.

12.1 History

Through the 20th century, telecommunications technology was driven by hardware development, with most functions implemented in special-purpose equipment. In the early 2000s, generally available CPUs became cheap enough to enable commercial software defined radio (SDR) technology and softswitches. SDMN extends these trends into the design of mobile networks, moving nearly all network functions into software.

The term “software-defined mobile network” first appeared in public literature in early 2014, used independently by Lime Microsystems[1] and researchers from the University of Oulu, Finland.[2]

12.2 Limitations of Hardware-Based Mobile Networks

Mobile networks based on special-purpose hardware suffer from the following limitations:

• They have limited provisions for upgrades and usually must be replaced entirely when new standards are introduced.
• The individual components are not scalable in terms of performance and capacity, because the capacity of a component is fixed by the hardware implementation.
• Specialized equipment and its associated specialized software require vendor-specific training for the mobile operator’s staff.
• Specialized hardware systems are usually supported and serviced by a single vendor, resulting in vendor lock-in.

12.3 Characteristics of SDMN Designs

12.3.1 Use of Software-Defined Radio

SDR is an important element of SDMN, because it replaces protocol-specific radio hardware with protocol-agnostic digital transceivers. While many earlier digital radio systems used field-programmable gate arrays (FPGAs) or special-purposed digital signal processors (DSPs) for calculations on baseband radio waveforms, the SDMN approach moves all of the baseband processing into general-purpose CPUs. SDMN radio systems also use hardware with publicly-documented interfaces that is designed to be readily reproducible by multiple manufacturers.

12.3.2 Commodity Components

SDMN designs avoid the use of components that are specialized as to their functions or that are available from only a single vendor. This is true of both the hardware and software elements of the network.

12.3.3 Software Switching and Transcoding

The telephony switches of SDMN networks are software-based, including software transcoding for speech codecs.

12.3.4 Centralized, Distributed, or Hybrid?

In [3] a new SDN architecture for WDNs is explored that eliminates the need for multi-hop flooding of route information and therefore enables WDNs to easily expand. The key idea is to split network control and data forwarding by using two separate frequency bands. The forwarding nodes and the SDN controller exchange link-state information and other network control signaling in one of the bands, while actual data forwarding takes place in the other band.

12.4 Advantages of SDMN

The SDMN approach has many advantages over hardware-based mobile network designs.

• Because SDMN hardware is protocol-agnostic, upgrades are software-only, even across technology generations. In the radio network, these changes can even be made on a site-by-site basis.
• Because SDMN hardware is designed to be easily sourced and reproduced:
  • SDMN equipment can be serviced by a wider range of vendors, lowering maintenance costs.
  • SDMN equipment can be manufactured anywhere in the world, lowering production costs.
• Because SDMN software is based on commodity operating systems and development tools:
  • Support staff can be trained more quickly because they are already familiar with the underlying software systems.
  • Many aspects of the SDMN can be monitored and managed with pre-existing tools, because they are already available in the commodity operating systems.
• Because SDMN network components run on general purpose computers, the network components can be scaled up in capacity by adding more computing power.

12.5 References

[1] http://secure.marketwatch.com/story/lime-microsystems-bladerf-legba-partner-on-first-software-defined-mobile-network-2014-04-30 Lime Microsystems: bladeRF, Legba partner on first software defined mobile network
[2] https://sites.google.com/site/callforchapterssdmn/ Call for Chapters (WILEY Publishers) Software Defined Mobile Networks (SDMN): Beyond LTE Network Architecture
[3] http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=7166188

Chapter 13 Core network

A core network, or network core, is the central part of a telecommunications network that provides various services to customers who are connected by the access network. One of the main functions is to route telephone calls across the PSTN.

Typically the term refers to the high capacity communication facilities that connect primary nodes. A core/backbone network provides paths for the exchange of information between different sub-networks. For enterprise private networks serving one organization, the term backbone is more commonly used, while for service providers, the term core network is more common.

In the United States, local exchange core networks are linked by several competing interexchange networks; in the rest of the world, the core network has been extended to national boundaries.

Core/backbone networks usually have a mesh topology that provides any-to-any connections among devices on the network. Many main service providers would have their own core/backbone networks that are interconnected. Some large enterprises have their own core/backbone network, which are typically connected to the public networks.

The devices and facilities in the core/backbone networks are switches and routers. The trend is to push the intelligence and decision making into access and edge devices and keep the core devices dumb and fast. As a result, switches are more and more often used in the core/backbone network facilities. Technologies used in the core and backbone facilities are data link layer and network layer technologies such as SONET, DWDM, ATM, IP, etc. For enterprise backbone networks, Gigabit Ethernet or 10 Gigabit Ethernet technologies are also often used.

13.1 Primary functions

Core networks typically provide the following functionality:

1. Aggregation: The highest level of aggregation in a service provider network. The next level in the hierarchy under the core nodes is the distribution networks and then the edge networks. Customer-premises equipment (CPE) do not normally connect to the core networks of a large service provider.
2. Authentication: The function to decide whether the user requesting a service from the telecom network is authorized to do so within this network or not.
3. Call Control/Switching: call control or switching functionality decides the future course of a call based on the call signalling processing. E.g. switching functionality may decide based on the “called number” that the call be routed towards a subscriber within this operator’s network or, with number portability more prevalent, to another operator’s network.
4. Charging: This functionality handles the collation and processing of charging data generated by various network nodes. Two common types of charging mechanisms found in present-day networks are prepaid charging and postpaid charging. See Automatic Message Accounting.
5. Service Invocation: The core network performs the task of service invocation for its subscribers. Service invocation may happen based on some explicit action (e.g. call transfer) by the user or implicitly (call waiting). It is important to note, however, that service “execution” may or may not be a core network functionality, as third party networks/nodes may take part in the actual service execution.
6. Gateways: Gateways shall be present in the core network to access other networks. Gateway functionality is dependent on the type of network it interfaces with.

Physically, one or more of these logical functionalities may simultaneously exist in a given core network node.

13.2 Other functions

Besides the above mentioned functionalities, the following also form part of a core network:

• O&M: Operations & Maintenance centre or Operations Support Systems to configure and provision the core network nodes. Number of subscribers, peak hour call rate, nature of services, geographical preferences are some of the factors which impact the configuration. Network statistics collection, alarm monitoring and logging of various network node actions also happen in the O&M centre. These stats, alarms and traces form important tools for a network operator to monitor the network health and performance and improve on the same.
• Subscriber Database: The core network also hosts the subscriber database (e.g. HLR in GSM systems). The subscriber database is accessed by core network nodes for functions like authentication, service invocation etc.

13.3 Mobile

There exist basically two core network types for mobile telephony:

• The Mobile Application Part (MAP) used for GSM and UMTS
• The IS-41 core network used for D-AMPS (TDMA), cdmaOne and CDMA2000.

Both variants have evolved over time to integrate new services and air interfaces.

Chapter 14 Radio access network

A radio access network (RAN) is part of a mobile telecommunication system. It implements a radio access technology. Conceptually, it resides between a device such as a mobile phone, a computer, or any remotely controlled machine and provides connection with its core network (CN).
Depending on the standard, mobile phones and other wireless connected devices are variously known as user equipment (UE), terminal equipment, mobile station (MS), etc.

RAN functionality is typically provided by a silicon chip residing in both the core network as well as the user equipment. See the following diagram:

            CN
           /  \
        RAN    RAN
        / \    / \
      UE  UE  UE  UE

Examples of radio access network types are:

• GRAN: GSM radio access network
• GERAN: essentially the same as GRAN but specifying the inclusion of EDGE packet radio services
• UTRAN: UMTS radio access network
• E-UTRAN: The Long Term Evolution (LTE) high speed and low latency radio access network

It is also possible for a single handset/phone to be simultaneously connected to multiple radio access networks. Handsets capable of this are sometimes called dual-mode handsets. For instance it is common for handsets to support both GSM and UMTS (a.k.a. “3G”) radio access technologies. Such devices seamlessly transfer an ongoing call between different radio access networks without the user noticing any disruption in service.

14.1 See also

• IP Connectivity Access Network

Chapter 15 Multiprotocol Label Switching

“MPLS” redirects here. For the U.S. city, see Minneapolis.

Multiprotocol Label Switching (MPLS) is a type of data-carrying technique for high-performance telecommunications networks that directs data from one network node to the next based on short path labels rather than long network addresses, avoiding complex lookups in a routing table. The labels identify virtual links (paths) between distant nodes rather than endpoints. MPLS can encapsulate packets of various network protocols, hence its name “multiprotocol”. MPLS supports a range of access technologies, including T1/E1, ATM, Frame Relay, and DSL.

15.1 Role and functioning

MPLS is a scalable, protocol-independent transport. In an MPLS network, data packets are assigned labels. Packet-forwarding decisions are made solely on the contents of this label, without the need to examine the packet itself. This allows one to create end-to-end circuits across any type of transport medium, using any protocol. The primary benefit is to eliminate dependence on a particular OSI model data link layer (layer 2) technology, such as Asynchronous Transfer Mode (ATM), Frame Relay, Synchronous Optical Networking (SONET) or Ethernet, and eliminate the need for multiple layer-2 networks to satisfy different types of traffic. MPLS belongs to the family of packet-switched networks.

MPLS operates at a layer that is generally considered to lie between traditional definitions of OSI Layer 2 (data link layer) and Layer 3 (network layer), and thus is often referred to as a layer 2.5 protocol. It was designed to provide a unified data-carrying service for both circuit-based clients and packet-switching clients which provide a datagram service model. It can be used to carry many different kinds of traffic, including IP packets, as well as native ATM, SONET, and Ethernet frames.

A number of different technologies were previously deployed with essentially identical goals, such as Frame Relay and ATM. Frame Relay and ATM use “labels” to move frames or cells throughout a network. The header of the Frame Relay frame and the ATM cell refers to the virtual circuit that the frame or cell resides on. The similarity between Frame Relay, ATM, and MPLS is that at each hop throughout the network, the “label” value in the header is changed. This is different from the forwarding of IP packets.[1] MPLS technologies have evolved with the strengths and weaknesses of ATM in mind. Many network engineers agree that ATM should be replaced with a protocol that requires less overhead, while providing connection-oriented services for variable-length frames. MPLS is currently replacing some of these technologies in the marketplace. It is highly possible that MPLS will completely replace these technologies in the future, thus aligning these technologies with current and future technology needs.[2]

In particular, MPLS dispenses with the cell-switching and signaling-protocol baggage of ATM. MPLS recognizes that small ATM cells are not needed in the core of modern networks, since modern optical networks are so fast (as of 2015, at 100 Gbit/s and beyond) that even full-length 1500 byte packets do not incur significant real-time queuing delays (the need to reduce such delays — e.g., to support voice traffic — was the motivation for the cell nature of ATM).

At the same time, MPLS attempts to preserve the traffic engineering (TE) and out-of-band control that made Frame Relay and ATM attractive for deploying large-scale networks.

While the traffic management benefits of migrating to MPLS are quite valuable (better reliability, increased performance), there is a significant loss of visibility and access into the MPLS cloud for IT departments.

15.2 History

• 1994: Toshiba presented Cell Switch Router (CSR) ideas to IETF BOF
• 1996: Ipsilon, Cisco and IBM announced label switching plans
• 1997: Formation of the IETF MPLS working group
• 1999: First MPLS VPN (L3VPN) and TE deployments
• 2000: MPLS traffic engineering
• 2001: First MPLS Request for Comments (RFCs) released
• 2002: AToM (L2VPN)
• 2004: GMPLS; Large scale L3VPN
• 2006: Large scale TE
• 2007: Large scale L2VPN
• 2009: Label Switching Multicast
• 2011: MPLS transport profile

In 1996 a group from Ipsilon Networks proposed a “flow management protocol”.[3] Their “IP Switching” technology, which was defined only to work over ATM, did not achieve market dominance. Cisco Systems introduced a related proposal, not restricted to ATM transmission, called “Tag Switching”.[4] It was a Cisco proprietary proposal, and was renamed “Label Switching”. It was handed over to the Internet Engineering Task Force (IETF) for open standardization. The IETF work involved proposals from other vendors, and development of a consensus protocol that combined features from several vendors’ work.

One original motivation was to allow the creation of simple high-speed switches, since for a significant length of time it was impossible to forward IP packets entirely in hardware. However, advances in VLSI have made such devices possible. Therefore, the advantages of MPLS primarily revolve around the ability to support multiple service models and perform traffic management. MPLS also offers a robust recovery framework[5] that goes beyond the simple protection rings of synchronous optical networking (SONET/SDH).

15.3 Operation

MPLS works by prefixing packets with an MPLS header, containing one or more labels. This is called a label stack. Each entry in the label stack contains four fields:

• A 20-bit label value. A label with the value of 1 represents the router alert label.
• A 3-bit Traffic Class field for QoS (quality of service) priority and ECN (Explicit Congestion Notification). Prior to 2009 this field was called EXP.[6]
• A 1-bit bottom of stack flag. If this is set, it signifies that the current label is the last in the stack.
• An 8-bit TTL (time to live) field.

These MPLS-labeled packets are switched after a label lookup/switch instead of a lookup into the IP table. As mentioned above, when MPLS was conceived, label lookup and label switching were faster than a routing table or RIB (Routing Information Base) lookup because they could take place directly within the switched fabric and not the CPU.

The presence of such a label, however, has to be indicated to the router/switch. In the case of Ethernet frames this is done through the use of EtherType values 0x8847 and 0x8848, for unicast and multicast connections respectively.[7]

15.3.1 Label switch router

An MPLS router that performs routing based only on the label is called a label switch router (LSR) or transit router. This is a type of router located in the middle of an MPLS network. It is responsible for switching the labels used to route packets.

When an LSR receives a packet, it uses the label included in the packet header as an index to determine the next hop on the label-switched path (LSP) and a corresponding label for the packet from a lookup table. The old label is then removed from the header and replaced with the new label before the packet is routed forward.

15.3.2 Label edge router

A label edge router (LER, also known as edge LSR) is a router that operates at the edge of an MPLS network and acts as the entry and exit point for the network. LERs push an MPLS label onto an incoming packet[note 1] and pop it off an outgoing packet. Alternatively, under penultimate hop popping this function may instead be performed by the LSR directly connected to the LER.

When forwarding an IP datagram into the MPLS domain, an LER uses routing information to determine the appropriate label to be affixed, labels the packet accordingly, and then forwards the labelled packet into the MPLS domain. Likewise, upon receiving a labelled packet which is destined to exit the MPLS domain, the LER strips off the label and forwards the resulting IP packet using normal IP forwarding rules.

15.3.3 Provider router

In the specific context of an MPLS-based virtual private network (VPN), LERs that function as ingress and/or egress routers to the VPN are often called PE (Provider Edge) routers. Devices that function only as transit routers are similarly called P (Provider) routers.[8] The job of a P router is significantly easier than that of a PE router, so they can be less complex and may be more dependable because of this.

15.3.4 Label Distribution Protocol

Labels are distributed between LERs and LSRs using the Label Distribution Protocol (LDP).[9] LSRs in an MPLS network regularly exchange label and reachability information with each other using standardized procedures in order to build a complete picture of the network they can then use to forward packets.

15.3.5 Label-switched paths

Label-switched paths (LSPs) are established by the network operator for a variety of purposes, such as to create network-based IP virtual private networks or to route traffic along specified paths through the network. In many respects, LSPs are not different from permanent virtual circuits (PVCs) in ATM or Frame Relay networks, except that they are not dependent on a particular layer-2 technology.

15.3.6 Routing

When an unlabeled packet enters the ingress router and needs to be passed on to an MPLS tunnel, the router first determines the forwarding equivalence class (FEC) for the packet and then inserts one or more labels in the packet’s newly created MPLS header. The packet is then passed on to the next hop router for this tunnel.

The MPLS header is added between the network layer header and link layer header of the OSI model.[10]

When a labeled packet is received by an MPLS router, the topmost label is examined. Based on the contents of the label a swap, push (impose) or pop (dispose) operation is performed on the packet’s label stack. Routers can have prebuilt lookup tables that tell them which kind of operation to do based on the topmost label of the incoming packet so they can process the packet very quickly.

• In a swap operation the label is swapped with a new label, and the packet is forwarded along the path associated with the new label.
• In a push operation a new label is pushed on top of the existing label, effectively “encapsulating” the packet in another layer of MPLS. This allows hierarchical routing of MPLS packets. Notably, this is used by MPLS VPNs.
• In a pop operation the label is removed from the packet, which may reveal an inner label below. This process is called “decapsulation”. If the popped label was the last on the label stack, the packet “leaves” the MPLS tunnel. This is usually done by the egress router, but see Penultimate Hop Popping (PHP) below.

During these operations, the contents of the packet below the MPLS label stack are not examined. Indeed, transit routers typically need only to examine the topmost label on the stack. The forwarding of the packet is done based on the contents of the labels, which allows “protocol-independent packet forwarding” that does not need to look at a protocol-dependent routing table and avoids the expensive IP longest prefix match at each hop.

At the egress router, when the last label has been popped, only the payload remains. This can be an IP packet, or any of a number of other kinds of payload packet. The egress router must therefore have routing information for the packet’s payload, since it must forward it without the help of label lookup tables. An MPLS transit router has no such requirement.

In some special cases, the last label can also be popped off at the penultimate hop (the hop before the egress router). This is called penultimate hop popping (PHP). This may be interesting in cases where the egress router has lots of packets leaving MPLS tunnels, and thus spends inordinate amounts of CPU time on this. By using PHP, transit routers connected directly to this egress router effectively offload it, by popping the last label themselves.

Label-switched path

A label-switched path (LSP) is a path through an MPLS network, set up by a signaling protocol such as LDP, RSVP-TE, BGP or CR-LDP. The path is set up based on criteria in the FEC.

The path begins at a label edge router (LER), which makes a decision on which label to prefix to a packet, based on the appropriate FEC. It then forwards the packet along to the next router in the path, which swaps the packet’s outer label for another label, and forwards it to the next router. The last router in the path removes the label from the packet and forwards the packet based on the header of its next layer, for example IPv4. Because the forwarding of packets through an LSP is opaque to higher network layers, an LSP is also sometimes referred to as an MPLS tunnel.

The router which first prefixes the MPLS header to a packet is called an ingress router. The last router in an LSP, which pops the label from the packet, is called an egress router. Routers in between, which need only swap labels, are called transit routers or label switch routers (LSRs).

Note that LSPs are unidirectional; they enable a packet to be label switched through the MPLS network from one endpoint to another. Since bidirectional communication is typically desired, the aforementioned dynamic signaling protocols can set up an LSP in the other direction to compensate for this.

When protection is considered, LSPs could be categorized as primary (working), secondary (backup) and tertiary (LSP of last resort). As described above, LSPs are normally P2P (point to point). A new concept of LSPs, which are known as P2MP (point to multi-point), was introduced recently. These are mainly used for multicasting purposes.

15.3.7 Installing and removing paths

There are two standardized protocols for managing MPLS paths: the Label Distribution Protocol (LDP) and RSVP-TE, an extension of the Resource Reservation Protocol (RSVP) for traffic engineering.[11][12] Furthermore, there exist extensions of the Border Gateway Protocol (BGP) that can be used to manage an MPLS path.[8][13][14]

An MPLS header does not identify the type of data carried inside the MPLS path. If one wants to carry two different types of traffic between the same two routers, with different treatment by the core routers for each type, one has to establish a separate MPLS path for each type of traffic.

15.3.8 Multicast addressing

Multicast was for the most part an afterthought in MPLS design. It was introduced by point-to-multipoint RSVP-TE.[15] It was driven by service provider requirements to transport broadband video over MPLS. Since the inception of RFC 4875 there has been a tremendous surge in interest and deployment of MPLS multicast and this has led to several new developments both in the IETF and in shipping products.

The hub-and-spoke multipoint LSP was also introduced by the IETF, abbreviated HSMP LSP. HSMP LSP is mainly used for multicast, time synchronization and other purposes.

15.4 Relationship to Internet Protocol

MPLS works in conjunction with the Internet Protocol (IP) and its routing protocols, such as the Interior Gateway Protocol (IGP). MPLS LSPs provide dynamic, transparent virtual networks with support for traffic engineering, the ability to transport layer-3 (IP) VPNs with overlapping address spaces, and support for layer-2 pseudowires using Pseudowire Emulation Edge-to-Edge (PWE3)[16] that are capable of transporting a variety of transport payloads (IPv4, IPv6, ATM, Frame Relay, etc.). MPLS-capable devices are referred to as LSRs. The paths an LSR knows can be defined using explicit hop-by-hop configuration, or are dynamically routed by the constrained shortest path first (CSPF) algorithm, or are configured as a loose route that avoids a particular IP address or that is partly explicit and partly dynamic.

In a pure IP network, the shortest path to a destination is chosen even when the path becomes congested. Meanwhile, in an IP network with MPLS Traffic Engineering CSPF routing, constraints such as the RSVP bandwidth of the traversed links can also be considered, such that the shortest path with available bandwidth will be chosen. MPLS Traffic Engineering relies upon the use of TE extensions to Open Shortest Path First (OSPF) or Intermediate System To Intermediate System (IS-IS) and RSVP. In addition to the constraint of RSVP bandwidth, users can also define their own constraints by specifying link attributes and special requirements for tunnels to route (or not to route) over links with certain attributes.[17]

For end-users the use of MPLS is not visible directly, but can be inferred when doing a traceroute: only nodes that do full IP routing are shown as hops in the path, not the MPLS nodes used in between. Therefore, when a packet appears to hop between two very distant nodes and hardly any other hop is seen in that provider’s network (or AS), it is very likely that the network uses MPLS.

15.4.1 MPLS local protection (fast reroute)

Main article: MPLS local protection

In the event of a network element failure when recovery mechanisms are employed at the IP layer, restoration may take several seconds, which may be unacceptable for real-time applications such as VoIP.[18][19][20] In contrast, MPLS local protection meets the requirements of real-time applications with recovery times comparable to those of shortest path bridging networks or SONET rings of less than 50 ms.[18][20][21]

15.5 Comparisons

MPLS can make use of existing ATM network or Frame Relay infrastructure, as its labeled flows can be mapped to ATM or Frame Relay virtual-circuit identifiers, and vice versa.
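Before the comparisons with Frame Relay and ATM, here is an added worked example (not part of the original text) that makes the label stack entry layout of section 15.3 (20-bit label, 3-bit Traffic Class, bottom-of-stack bit, 8-bit TTL, EtherTypes 0x8847/0x8848) and the swap/push/pop operations of section 15.3.6 concrete in Python. The Ethernet frame, label values and per-router forwarding tables are constructed for the demo, and TTL is simply decremented on the label left on top; how TTL propagates between stack levels is not modelled.

```python
"""Minimal MPLS label-stack codec and LSR forwarding step (added example).
Frame bytes, labels and forwarding tables below are constructed for illustration."""
import struct
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

ETHERTYPE_MPLS_UNICAST = 0x8847    # EtherTypes named in section 15.3
ETHERTYPE_MPLS_MULTICAST = 0x8848
ROUTER_ALERT_LABEL = 1             # label value 1 = router alert (section 15.3)


@dataclass(frozen=True)
class LabelEntry:
    label: int      # 20-bit label value
    tc: int         # 3-bit Traffic Class (called EXP before 2009)
    bottom: bool    # S bit: this entry is the last one on the stack
    ttl: int        # 8-bit time to live

    def pack(self) -> bytes:
        """Encode one 32-bit label stack entry in network byte order."""
        if not (0 <= self.label < 1 << 20 and 0 <= self.tc < 8 and 0 <= self.ttl < 256):
            raise ValueError("label stack field out of range")
        word = (self.label << 12) | (self.tc << 9) | (int(self.bottom) << 8) | self.ttl
        return struct.pack("!I", word)

    @classmethod
    def unpack(cls, data: bytes) -> "LabelEntry":
        (word,) = struct.unpack("!I", data[:4])
        return cls(label=word >> 12, tc=(word >> 9) & 0x7,
                   bottom=bool((word >> 8) & 1), ttl=word & 0xFF)


def parse_label_stack(payload: bytes) -> Tuple[List[LabelEntry], bytes]:
    """Read entries until one carries the bottom-of-stack bit; return (stack, bytes below).
    A frame that ends before any S bit is seen is rejected instead of being read past its end."""
    stack: List[LabelEntry] = []
    offset = 0
    while offset + 4 <= len(payload):
        entry = LabelEntry.unpack(payload[offset:offset + 4])
        stack.append(entry)
        offset += 4
        if entry.bottom:
            return stack, payload[offset:]
    raise ValueError("label stack has no bottom-of-stack entry (truncated frame)")


def parse_ethernet_mpls(frame: bytes) -> Tuple[List[LabelEntry], bytes]:
    """Split an Ethernet frame carrying MPLS; any other EtherType is refused."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype not in (ETHERTYPE_MPLS_UNICAST, ETHERTYPE_MPLS_MULTICAST):
        raise ValueError("not an MPLS frame: EtherType 0x%04x" % ethertype)
    return parse_label_stack(frame[14:])


def serialize_label_stack(stack: List[LabelEntry]) -> bytes:
    """Re-encode a stack so that exactly the last entry carries the S bit."""
    last = len(stack) - 1
    return b"".join(replace(e, bottom=(i == last)).pack() for i, e in enumerate(stack))


# One router's lookup table: incoming top label -> (operation, outgoing labels).
ForwardingTable = Dict[int, Tuple[str, List[int]]]


def lsr_forward(stack: List[LabelEntry], table: ForwardingTable) -> Tuple[List[LabelEntry], str]:
    """One hop: examine only the topmost label and apply its operation.
    Returns (new stack, disposition). The payload below the stack is never looked at."""
    if not stack:
        return stack, "error:no-label"
    top = stack[0]
    if top.ttl <= 1:
        return stack, "drop:ttl-expired"
    if top.label not in table:
        return stack, "drop:no-lsp"                 # no LSP signalled for this label
    op, out_labels = table[top.label]
    if op == "swap":
        return [replace(top, label=out_labels[0], ttl=top.ttl - 1)] + stack[1:], "forward"
    if op == "push":                                # new outer label(s): a second MPLS layer
        outer = [LabelEntry(lbl, top.tc, False, top.ttl - 1) for lbl in out_labels]
        return outer + [replace(top, ttl=top.ttl - 1)] + stack[1:], "forward"
    if op == "pop":
        rest = stack[1:]
        if not rest:                                # last label gone: the packet leaves the
            return rest, "exit:ip-forward"          # tunnel and is routed by normal IP lookup
        return rest, "forward"
    raise ValueError("unknown operation %r" % op)


# Constructed sample frame: dummy MAC addresses, one label (100, TTL 64), dummy payload.
SAMPLE_FRAME = (bytes.fromhex("0a0000000001") + bytes.fromhex("0a0000000002")
                + struct.pack("!H", ETHERTYPE_MPLS_UNICAST)
                + LabelEntry(100, 0, True, 64).pack()
                + b"constructed IPv4 payload")

# Constructed per-hop tables (labels are local to each router): ingress swap, an LSR that
# pushes an outer tunnel label, the penultimate hop of that tunnel popping it, then the egress.
DEMO_HOPS: List[ForwardingTable] = [
    {100: ("swap", [200])},
    {200: ("push", [300])},
    {300: ("pop", [])},
    {200: ("pop", [])},
]


def walk_lsp(frame: bytes, hops: List[ForwardingTable]) -> List[Tuple[str, List[LabelEntry]]]:
    """Drive a frame through successive routers, recording each hop's disposition and stack."""
    stack, _payload = parse_ethernet_mpls(frame)
    trail = []
    for table in hops:
        stack, result = lsr_forward(stack, table)
        trail.append((result, stack))
        if result != "forward":
            break
    return trail


if __name__ == "__main__":
    for result, stack in walk_lsp(SAMPLE_FRAME, DEMO_HOPS):
        print(result, serialize_label_stack(stack).hex() if stack else "<no labels>")
```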
15.5.1 Frame Relay

Frame Relay aimed to make more efficient use of existing physical resources, which allow for the underprovisioning of data services by telecommunications companies (telcos) to their customers, as clients were unlikely to be utilizing a data service 100 percent of the time. In more recent years, Frame Relay has acquired a bad reputation in some markets because of excessive bandwidth overbooking by these telcos.

Telcos often sell Frame Relay to businesses looking for a cheaper alternative to dedicated lines; its use in different geographic areas depended greatly on governmental and telecommunication companies’ policies.

Many customers are likely to migrate from Frame Relay to MPLS over IP or Ethernet within the next two years, which in many cases will reduce costs and improve manageability and performance of their wide area networks.[22]

15.5.2 ATM

While the underlying protocols and technologies are different, both MPLS and ATM provide a connection-oriented service for transporting data across computer networks. In both technologies, connections are signaled between endpoints, connection state is maintained at each node in the path, and encapsulation techniques are used to carry data across the connection. Excluding differences in the signaling protocols (RSVP/LDP for MPLS and PNNI, the Private Network-to-Network Interface, for ATM) there still remain significant differences in the behavior of the technologies.

The most significant difference is in the transport and encapsulation methods. MPLS is able to work with variable length packets while ATM transports fixed-length (53 byte) cells. Packets must be segmented, transported and re-assembled over an ATM network using an adaptation layer, which adds significant complexity and overhead to the data stream. MPLS, on the other hand, simply adds a label to the head of each packet and transmits it on the network.

Differences exist, as well, in the nature of the connections. An MPLS connection (LSP) is unidirectional—allowing data to flow in only one direction between two endpoints. Establishing two-way communications between endpoints requires a pair of LSPs to be established. Because two LSPs are required for connectivity, data flowing in the forward direction may use a different path from data flowing in the reverse direction. ATM point-to-point connections (virtual circuits), on the other hand, are bidirectional, allowing data to flow in both directions over the same path (both SVC and PVC ATM connections are bidirectional; see ITU-T I.150 3.1.3.1).

Both ATM and MPLS support tunneling of connections inside connections. MPLS uses label stacking to accomplish this while ATM uses virtual paths. MPLS can stack multiple labels to form tunnels within tunnels. The ATM virtual path indicator (VPI) and virtual circuit indicator (VCI) are both carried together in the cell header, limiting ATM to a single level of tunnelling.

The biggest advantage that MPLS has over ATM is that it was designed from the start to be complementary to IP. Modern routers are able to support both MPLS and IP natively across a common interface, allowing network operators great flexibility in network design and operation. ATM’s incompatibilities with IP require complex adaptation, making it comparatively less suitable for today’s predominantly IP networks.

15.6 Deployment

MPLS is currently (as of March 2012) in use in IP-only networks and is standardized by the IETF in RFC 3031. It is deployed to connect as few as two facilities up to very large deployments.

In practice, MPLS is mainly used to forward IP protocol data units (PDUs) and Virtual Private LAN Service (VPLS) Ethernet traffic. Major applications of MPLS are telecommunications traffic engineering and MPLS VPN.

15.7 Evolution

MPLS was originally proposed to allow high performance traffic forwarding and traffic engineering in IP networks. However, it evolved into Generalized MPLS (GMPLS) to allow the creation of label-switched paths (LSPs) also in non-native IP networks, such as SONET/SDH networks and wavelength switched optical networks.

15.8 Competitor protocols

MPLS can exist in both an IPv4 and an IPv6 environment, using appropriate routing protocols. The major goal of MPLS development was the increase of routing speed. This goal is no longer relevant because of the usage of newer switching methods, such as ASIC, TCAM and CAM-based switching. Now, therefore, the main application of MPLS is to implement limited traffic engineering and layer 3 / layer 2 “service provider type” VPNs over IPv4 networks.

Besides GMPLS, the main competitors to MPLS are Shortest Path Bridging (SPB), Provider Backbone Bridges (PBB), and MPLS-TP. These also provide services such as service provider layer 2 and layer 3 VPNs. L2TPv3 has been suggested as a competitor, but has not reached any wider success. Some internet providers are offering different services to customers along with MPLS. These services mainly include National Private Lease Circuit (NPLC), ILL, IPLC etc. As an example of NPLC, consider City A and City B. An organisation has an office in each city. The organisation requires connectivity between these two offices. The ISP will have access to a PoP in each city and therefore has a link between the PoPs. To connect the offices to the PoPs, a connection via the local loop will be commissioned for each office. In this way, an NPLC is delivered.

IEEE 1355 and SpaceWire are a family of simplified physical-layer standards very similar in function at the hardware level to MPLS.

15.9 See also

• Generalized Multi-Protocol Label Switching
• MPLS VPN
• Per-hop behavior
• Virtual private LAN service
• Label Information Base
• IEEE 802.1aq - Shortest Path Bridging (SPB)

15.10 Notes

[1] In some applications, the packet presented to the LER may already have a label, so that the new LER pushes a second label onto the packet.

15.11 References

[1] Luc De Ghein, MPLS Fundamentals, 21 November 2006 (ISBN 1-58705-197-4).
[2] James E. Goldman and Phillip T. Rawles, Applied Data Communications (A Business-Oriented Approach), 2004 (ISBN 0-471-34640-3).
[3] P. Newman et al. (May 1996), “Ipsilon Flow Management Protocol Specification for IPv4”, RFC 1953, IETF.
[4] Y. Rekhter et al., Tag switching architecture overview, Proc. IEEE 82 (December 1997), 1973–1983.
[5] V. Sharma; F. Hellstrand (February 2003), RFC 3469: Framework for Multi-Protocol Label Switching (MPLS)-based Recovery, IETF.
[6] L. Andersson; R. Asati (February 2009), Multiprotocol Label Switching (MPLS) Label Stack Entry: “EXP” Field Renamed to “Traffic Class” Field, IETF.
[7] Ivan Pepelnjak; Jim Guichard (2002), MPLS and VPN Architectures, Volume 1, Cisco Press, p. 27, ISBN 1587050811.
[8] E. Rosen; Y. Rekhter (February 2006), RFC 4364: BGP/MPLS IP Virtual Private Networks (VPNs), IETF.
[9] B. Thomas; E. Gray (January 2001), RFC 3037: LDP Applicability, IETF.
[10] Savecall telecommunication consulting company, Germany: Savecall - MPLS.
[11] L. Andersson; I. Minei; B. Thomas (October 2007), RFC 5036: LDP Specification, IETF.
[12] D. Awduche; L. Berger; D. Gan; T. Li; V. Srinivasan; G. Swallow (December 2001), RFC 3209: RSVP-TE: Extensions to RSVP for LSP Tunnels, IETF.
[13] Y. Rekhter; E. Rosen (May 2001), RFC 3107: Carrying Label Information in BGP-4, IETF.
[14] Y. Rekhter; R. Aggarwal (January 2007), RFC 4781: Graceful Restart Mechanism for BGP with MPLS, IETF.
[15] R. Aggarwal; D. Papadimitriou; S. Yasukawa (May 2007), RFC 4875: Extensions to Resource Reservation Protocol - Traffic Engineering (RSVP-TE) for Point-to-Multipoint TE Label Switched Paths (LSPs), IETF.
[16] S. Bryant; P. Pate (March 2005), RFC 3985: Pseudo Wire Emulation Edge-to-Edge (PWE3) Architecture, IETF.
[17] De Ghein, Luc, MPLS Fundamentals, pp. 249–326.
[18] Aslam et al. (2005-02-02), NPP: A Facility Based Computation Framework for Restoration Routing Using Aggregate Link Usage Information, QoS-IP 2005: quality of service in multiservice IP network, retrieved 2006-10-27.
[19] Raza et al., Online routing of bandwidth guaranteed paths with local restoration using optimized aggregate usage information (PDF), IEEE-ICC 2005, retrieved 2006-10-27.
[20] Li Li et al., Routing bandwidth guaranteed paths with local restoration in label switched networks (PDF), IEEE Journal on Selected Areas in Communications, retrieved 2006-10-27.
[21] Kodialam et al., Dynamic Routing of Locally Restorable Bandwidth Guaranteed Tunnels using Aggregated Link Usage Information (PDF), IEEE Infocom, pp. 376–385, 2001, retrieved 2006-10-27.
[22] “AT&T — Frame Relay and IP-Enabled Frame Relay Service (Product Advisor)”, Research and Markets, June 2007.

15.12 Further reading

• “Deploying IP and MPLS QoS for Multiservice Networks: Theory and Practice” by John Evans, Clarence Filsfils (Morgan Kaufmann, 2007, ISBN 0-12-370549-5)
• Rick Gallaher’s MPLS Training Guide (ISBN 1932266003)

15.13 External links

• MPLS Working Group, IETF.
• MPLS IP Specifications, Broadband Forum.
• A brief history of MPLS, RIPE

Chapter 16 Local area network

[Figure: A conceptual diagram of a local area network using 10BASE5 Ethernet]

“LAN” redirects here. For other uses, see LAN (disambiguation).

A local area network (LAN) is a computer network that interconnects computers within a limited area such as a residence, school, laboratory, university campus or office building[1] and has its network equipment and interconnects locally managed. By contrast, a wide area network (WAN) not only covers a larger geographic distance, but also generally involves leased telecommunication circuits or Internet links.

Ethernet and Wi-Fi are the two most common transmission technologies in use for local area networks. Historical technologies include ARCNET, Token ring, and AppleTalk.

16.1 History

The increasing demand and use of computers in universities and research labs in the late 1960s generated the need to provide high-speed interconnections between computer systems. A 1970 report from the Lawrence Radiation Laboratory detailing the growth of their “Octopus” network gave a good indication of the situation.[2][3]

A number of experimental and early commercial LAN technologies were developed in the 1970s. Cambridge Ring was developed at Cambridge University starting in 1974.[4] Ethernet was developed at Xerox PARC in 1973–1975,[5] and filed as U.S. Patent 4,063,220. In 1976, after the system was deployed at PARC, Robert Metcalfe and David Boggs published a seminal paper, “Ethernet: Distributed Packet-Switching for Local Computer Networks”.[6] ARCNET was developed by Datapoint Corporation in 1976 and announced in 1977.[7] It had the first commercial installation in December 1977 at Chase Manhattan Bank in New York.[8]

The development and proliferation of personal computers using the CP/M operating system in the late 1970s, and later DOS-based systems starting in 1981, meant that many sites grew to dozens or even hundreds of computers. The initial driving force for networking was generally to share storage and printers, which were both expensive at the time. There was much enthusiasm for the concept and for several years, from about 1983 onward, computer industry pundits would regularly declare the coming year to be “The year of the LAN”.[9][10][11]

In practice, the concept was marred by proliferation of incompatible physical layer and network protocol implementations, and a plethora of methods of sharing resources. Typically, each vendor would have its own type of network card, cabling, protocol, and network operating system. A solution appeared with the advent of Novell NetWare, which provided even-handed support for dozens of competing card/cable types, and a much more sophisticated operating system than most of its competitors. NetWare dominated[12] the personal computer LAN business from early after its introduction in 1983 until the mid-1990s when Microsoft introduced Windows NT Advanced Server and Windows for Workgroups.

Of the competitors to NetWare, only Banyan Vines had comparable technical strengths, but Banyan never gained a secure base. Microsoft and 3Com worked together to create a simple network operating system which formed the base of 3Com’s 3+Share, Microsoft’s LAN Manager and IBM’s LAN Server - but none of these was particularly successful.

During the same period, Unix workstations were using TCP/IP based networking. Although this market segment is now much reduced, the technologies developed in this area continue to be influential on the Internet and in both Linux and Apple Mac OS X networking—and the TCP/IP protocol has now almost completely replaced IPX, AppleTalk, NBF, and other protocols used by the early PC LANs.

16.2 Cabling

Early LAN cabling had generally been based on various grades of coaxial cable.
Shielded twisted pair was used in IBM’s Token Ring LAN implementation, but in 1984, StarLAN showed the potential of simple unshielded twisted pair by using Cat3 cable—the same simple cable used for telephone systems. This led to the development of 10BASE-T (and its successors) and structured cabling which is still the basis of most commercial LANs today. While fiber-optic cabling is common for links between switches, use of fiber to the desktop is rare.[13] 16.3 Wireless media Many LANs are now based partly or wholly on wireless technologies. Smartphones, tablet computers and laptops typically have wireless networking support built-in. In a wireless local area network, users may move unrestricted in the coverage area. Wireless networks have become popular in residences and small businesses, because of their ease of installation. Guests are often offered Internet access via a hotspot service. 16.4 Technical aspects Network topology describes the layout of interconnections between devices and network segments. At the Data Link Layer and Physical Layer, a wide variety of LAN topologies have been used, including ring, bus, mesh and star, but the most common LAN topology in use today is switched Ethernet. At the higher layers, NetBEUI, IPX/SPX, AppleTalk and others were once common, but the Internet Protocol Suite (TCP/IP) is now the standard. 61 virtual private network technologies. Depending on how the connections are established and secured, and the distance involved, such linked LANs may also be classified as a metropolitan area network (MAN) or a wide area network (WAN). 16.5 See also • LAN messenger • LAN party • Network interface controller 16.6 References [1] Gary A. Donahue (June 2007). O'Reilly. p. 5. Network Warrior. [2] Samuel F. Mendicino (1970-12-01). “Octopus: The Lawrence Radiation Laboratory Network”. Rogerdmoore.ca. Archived from the original on 2010-10-11. [3] “THE LAWRENCE RADIATION LABORATORY OCTOPUS”. Courant symposium series on networks. Osti.gov. 
29 Nov 1970. OSTI 4045588. [4] “A brief informal history of the Computer Laboratory”. University of Cambridge. 20 December 2001. Archived from the original on 2010-10-11. [5] “Ethernet Prototype Circuit Board”. Smithsonian National Museum of American History. Retrieved 2007-0902. [6] “Ethernet: Distributed Packet-Switching For Local Computer Networks”. Acm.org. Retrieved 2010-10-11. [7] “ARCNET Timeline”. ARCNETworks magazine. Fall 1998. Archived from the original (PDF) on 2010-10-11. [8] Lamont Wood (2008-01-31). “The LAN turns 30, but will it reach 40?". Computerworld.com. Retrieved 201606-02. [9] "'The Year of The LAN' is a long-standing joke, and I freely admit to being the comedian that first declared it in 1982...”, Robert Metcalfe, InfoWorld Dec 27, 1993 Simple LANs generally consist of cabling and one or more switches. A switch can be connected to a router, cable modem, or ADSL modem for Internet access. A [10] "...you will remember numerous computer magazines, over LAN can include a wide variety of other network denumerous years, announcing 'the year of the LAN.'", vices such as firewalls, load balancers, and sensors;[14] and Quotes in 1999 more complex LANs are characterized by their use of redundant links with switches using the spanning tree pro- [11] "...a bit like the Year of the LAN which computer industry pundits predicted for the good part of a decade...”, Christotocol to prevent loops, their ability to manage differing pher Herot traffic types via quality of service (QoS), and to segregate traffic with VLANs. LANs can maintain connections with other LANs via leased lines, leased services, or across the Internet using [12] Wayne Spivak (2001-07-13). “Has Microsoft Ever Read the History Books?". VARBusiness. Archived from the original on 2010-10-11. 
62 [13] “Big pipe on campus: Ohio institutions implement a 10Gigabit Ethernet switched-fiber backbone to enable highspeed desktop applications over UTP copper”, Communications News, 2005-03-01, As alternatives were considered, fiber to the desk was evaluated, yet only briefly due to the added costs for fiber switches, cables and NICs. “Copper is still going to be a driving force to the desktop for the future, especially as long as the price for fiber components remains higher than for copper.” [14] “A Review of the Basic Components of a Local Area Network (LAN)". NetworkBits.net. Retrieved 2008-04-08. 16.7 External links CHAPTER 16. LOCAL AREA NETWORK Chapter 17 Active networking This article is about the network architecture. For 17.2.1 the technology company, see ACTIVE Network, LLC (company). Active networking and softwaredefined networking Active networking places computation within packets Active networking is a communication pattern that al- traveling through the network. Software-defined netlows packets flowing through a telecommunications net- working decouples the system that makes decisions about work to dynamically modify the operation of the network. where traffic is sent (the control plane) from the underlyActive network architecture is composed of execution en- ing systems that forward traffic to the selected destination vironments (similar to a unix shell that can execute active (the data plane). packets), a node operating system capable of supporting one or more execution environments. It also consists of active hardware, capable of routing or switching as well as executing code within active packets. This differs from the traditional network architecture which seeks robustness and stability by attempting to remove complexity and the ability to change its fundamental operation from underlying network components. Network processors are one means of implementing active networking concepts. 
Active networks have also been implemented as overlay networks. 17.1 What does it offer? Active networking allows the possibility of highly tailored and rapid “real-time” changes to the underlying network operation. This enables such ideas as sending code along with packets of information allowing the data to change its form (code) to match the channel characteristics. The smallest program that can generate a sequence of data can be found in the definition of Kolmogorov complexity. The use of real-time genetic algorithms within the network to compose network services is also enabled by active networking. 17.2 How it relates to other networking paradigms 17.3 Fundamental challenges Active network research addresses the nature of how best to incorporate extremely dynamic capability within networks.[1] In order to do this, active network research must address the problem of optimally allocating computation versus communication within communication networks.[2] A similar problem related to the compression of code as a measure of complexity is addressed via algorithmic information theory. One of the challenges of active networking has been the inability of information theory to mathematically model the active network paradigm and enable active network engineering. This is due to the active nature of the network in which communication packets contain code that dynamically change the operation of the network. Fundamental advances in information theory are required in order to understand such networks.[3] 17.4 Nanoscale active networks As the limit in reduction of transistor size is reached with current technology, active networking concepts are being Active networking relates to other networking paradigms explored as a more efficient means accomplishing comprimarily based upon how computing and communication putation and communication.[5][6] More on this can be are partitioned in the architecture. found in nanoscale networking. 63 64 CHAPTER 17. 
ACTIVE NETWORKING J., ACM Journal on Emerging Technologies in Computing Systems (JETC), ACM Journal on Emerging Technologies in Computing Systems) Vol. 2, No. 1, Pages 1–30, January 2006, 3, 1–31. Active Channel Transmitter Message Carrier Receiver [6] Nanoscale Communication Networks, Bush, S. F., ISBN 978-1-60807-003-9, Artech House, 2010 http://www.amazon.com/ Nanoscale-Communication-Networks-Stephen-Bush/ dp/1608070034 { Medium Medium' An active network channel uses executable code in the packet to impact the channel controlling the relationship between the transmitted sequence X and the received sequence Y . X is composed of a data portion X data and a code portion X code . Upon incorporation of X code , the channel medium may change its operational state and capabilities.[4] 17.5 See also • Nanoscale networking • Network processing • Software-defined networking (SDN) 17.7 Further reading • Towards an Active Network Architecture (1996), David L. Tennenhouse, et al., Computer Communication Review • Active Networks and Active Network Management: A Proactive Management Framework by Stephen F. Bush and Amit Kulkarni, Kluwer Academic/Plenum Publishers, New York, Boston, Dordrecht, London, Moscow, 2001, 196 pp. Hardbound, ISBN 0-30646560-4. • Programmable Networks for IP Service Deployment” by Galis, A., Denazis, S., Brou, C., Klein, C.Artech House Books, London, June 20;, 450 pp., ISBN 1-58053-745-6 • Communication complexity • Kolmogorov complexity 17.8 External links • Introduction to Active Networks (video) 17.6 References [1] Bush, S. F., A Simple Metric for Ad Hoc Network Adaptation IEEE Journal on Selected Areas in Communications Journal, 2005, 23, 2272–2287 “Archived copy” (PDF). Archived from the original (PDF) on 2011-07-11. Retrieved 2009-05-10. [2] Active Virtual Network Management Prediction: Complexity as a Framework for Prediction, Optimization, and Assurance, Bush, S. 
F., IEEE Computer Society Press, Proceedings of the 2002 DARPA Active Networks Conference and Exposition (DANCE 2002), 2002, 534– 553 “Archived copy” (PDF). Archived from the original (PDF) on 2011-07-11. Retrieved 2009-05-10. [3] Bush, Stephen F. (2011). “Toward in vivo nanoscale communication networks: utilizing an active network architecture”. Front. Comput. Sci. 5: 316–326. doi:10.1007/s11704-011-0116-9. [4] Bush, Stephen F. (2011). “Toward in vivo nanoscale communication networks: utilizing an active network architecture”. Front. Comput. Sci. 5: 316–326. doi:10.1007/s11704-011-0116-9. [5] ``NANA: A Nanoscale Active Network Architecture by Patwardhan, J. P.; Dwyer, C. L.; Lebeck, A. R. & Sorin, D. Chapter 18 ONOS The ONOS (Open Network Operating System) project is an open source community hosted by The Linux Foundation. The goal of the project is to create a software-defined networking (SDN) operating system for communications service providers that is designed for scalability, high performance and high availability. 18.1 History high-level abstractions, through which the applications can learn about the state of the network and through which they can control the flow of traffic through the network. The network graph abstraction provides information about the structure and topology of the network. The flow objective is a device-centric abstraction that allows applications to direct flow of traffic through a specific device without the need to be aware of the device table pipeline. Similarly, the intent is a network-centric abstraction that gives application programmers the ability to control network by specifying what they wish to accomplish rather than specifying how they want to accomplish it. This simplifies application development and at the same time provides the platform with added degrees of freedom to resolve what would normally be considered conflicting requests. 
On December 5, 2014, the Open Networking Lab (ON.Lab) along with other industry partners including AT&T and NTT Communications released the ONOS source code to start the open source community.[1] On October 14, 2015, the Linux Foundation announced that ONOS had joined the organization as one of its collaboApplications (core extensions) can be loaded and unrative projects.[2] loaded dynamically, via REST API or GUI, and without the need to restart the cluster or its individual nodes. ONOS application management subsystem assumes the responsibility for distributing the application artifacts 18.2 Technology Overview throughout the cluster to assure that all nodes are running The software is written in Java and provides a distributed the same application software. SDN applications platform atop Apache Karaf OSGi The system provides REST API, CLI and an extensible, container. The system is designed to operate as a clus- dynamic web-based GUI. ter of nodes that are identical in terms of their software stack and can withstand failure of individual nodes without causing disruptions in its ability to control the network 18.3 Use Cases operation. While ONOS leans heavily on standard protocols and models, e.g. OpenFlow, NETCONF, OpenConfig, its system architecture is not directly tied to them. Instead, ONOS provides its own set of high-level abstractions and models, which it exposes to the application programmers. These models can be extended by the applications at runtime. To prevent the system from becoming tied to a specific configuration or control protocol, any software in direct contact with protocol-specific libraries and engaging in direct interactions with network environment is deliberately isolated into its own tier referred to as a provider or a driver. Likewise, any software in direct contact with intra-cluster communication protocols is deliberately isolated into its own tier referred to as a store. 
The ONOS software has been used as a platform that applications have been written on top of or has been integrated into other projects. A number of use cases demonstrate how the software is being used today—including global research networking deployments, multilayer network control, and central office re-designed as a datacenter. 18.4 Releases The following lists the different ONOS releases that are all named after different types of birds in alphabetical The platform provides applications with a number of order: 65 66 18.5 Members There are two tiers of membership for ONOS: Partner and Collaborator, with varying levels of commitment. 18.6 See also • List of SDN controller software 18.7 References [1] “ON.Lab Delivers Software for New Open Source SDN Network Operating System - ONOS™". PR Newswire. 2014-12-04. Retrieved 2016-06-08. [2] Talbot, Chris (2015-10-14). “ONOS becomes a Linux Foundation collaborative project”. FierceWireless. Retrieved 2016-06-08. 18.8 External links • Official website CHAPTER 18. ONOS Chapter 19 OpenDaylight Project Warning: Page using Template:Infobox company with into that category.[7] unknown parameter “programming language” (this message is shown only in preview). 19.2 Technology Overview The OpenDaylight Project is a collaborative open source project hosted by The Linux Foundation. The goal of the project is to accelerate the adoption of softwaredefined networking (SDN) and create a solid foundation for Network Functions Virtualization (NFV). The software is written in Java. 19.1 History On February 8, 2013, the Software Defined Networking site “SDN Central” broke news of an industry coalition forming around SDN. 
The goal of the coalition was not known at the time, with most information consisting of rumors and insider discussions.[1] By supporting open standards such as the OpenFlow Networking Standard, OpenDaylight will deliver a common open source framework and platform for SDN across the industry for customers, partners and developers. The first code from the OpenDaylight Project, named Hydrogen, was released in February 2014.[8][9] Expected donations and projects for Hydrogen include an open controller, a virtual overlay network, protocol plug-ins and switch device enhancements.[10] A source code repository includes contributed source code from Big Switch Networks, Cisco and NEC.[11] There is a dedicated Open Daylight wiki, and a mailing list available.[10][12] These resources appear to currently be aimed at developers wishing to contribute to the project. On April 8, 2013, The Linux Foundation announced the founding of the OpenDaylight Project as a community- The software is written in Java. led and industry-supported open source framework to accelerate adoption, foster new innovation and create a more open and transparent approach to Software-Defined 19.3 Releases Networking (SDN) and Network Functions Virtualization (NFV).[2] The project’s founding members—Arista Networks, Big Switch Networks, Brocade, Cisco, Citrix, The following lists the different OpenDaylight releases: Ericsson, HP, IBM, Juniper Networks, Microsoft, NEC, Nuage Networks, PLUMgrid, Red Hat and VMware— committed to donating software and engineering re- 19.4 Members sources for OpenDaylight’s open source framework to help define the future of an open source SDN platform.[3] There are three tiers of membership for OpenDaylight: Reaction to the goals of open architecture and admin- Platinum, Gold and Silver, with varying levels of commitistration by the Linux Foundation have been mostly ment. 
Each Platinum member must contribute 10 develpositive.[4][5] While initial criticism centered on concerns opers to the project while Gold members must contribute that this group could be used by incumbent technol- 3 developers.[13][14] By 2015 April, Juniper and VMWare ogy vendors to stifle innovation, most of the companies changed its contribution level to silver. signed up as members do not actually sell incumbent networking technology.[6] Of the Platinum members, Ericsson, Intel, IBM, Microsoft, VMware, Red Hat, and Citrix would not be considered “incumbent” technology 19.5 See also providers in the networking segment. Only Brocade, • List of SDN controller software Cisco and Hewlett Packard Enterprise would typically fall 67 68 19.6 References [1] Palmer,Matthew “Exclusive: Shining the Spotlight on OpenDaylight-What you MUST know about the new open-source SDN Controller” (2013) [2] “OpenDaylight: A big step toward the software-defined data center”. InfoWorld. April 8, 2013. Retrieved November 18, 2013. CHAPTER 19. OPENDAYLIGHT PROJECT • McGillicuddy, Shamus (2013-03-18). “Daylight project: Big bucks to contribute to open source controller”. TechTarget. Retrieved 2013-04-23. • “OpenDaylight Project”. IBM. Retrieved 2013-0423. • “A Closer Look at OpenDaylight”. Cisco. Retrieved 2013-06-05. [3] “Industry Leaders Collaborate on OpenDaylight Project, Donate Key Technologies to Accelerate Software-Defined Networking” (Press release). April 8, 2013. Retrieved November 18, 2013. • “OpenDaylight Members”. Retrieved 2015-05-28. [4] Hinkle, Mark “The Linux Foundation’s Collaboration – OpenDaylight Project – Open Source SDN” (4/08/2013) • Seetharaman, Srini (2014-11-03). “Introduction to OpenDaylight and its Helium Release”. OpenDaylight. Retrieved 2014-10-03. 
[5] McNickle, Michelle “SDN blog roundup: Open Daylight, Cisco’s networking truths, OpenStack” (2013) [6] Duffy, Jim “Skepticism follows Cisco-IBM led OpenDaylight SDN consortium” (4/10/2013) [7] McGillicuddy, Shamus “Keeping OpenDaylight truly open: Q&A with Brocade’s Dave Meyer” (5/3/2013) [8] “OpenDaylight SDN opens the curtains on its initial release”. ZDNet. September 12, 2013. Retrieved November 18, 2013. [9] First release (Hydrogen) announcement [10] Open Daylight Wiki [11] Gerrit Code Review. Git.opendaylight.org. Retrieved on 2014-05-23. [12] Open Daylight Developer’s Mailing List [13] SearchOracle accessdate=2014-08-19 [14] Open Daylight Members accessdate=2014-03-11 • “Open Daylight Website”. 2013-04-08. Retrieved 2013-04-13. • Ehrman, Doug (2013-04-15). “Cisco Joins the Open Daylight Project”. Motley Fool. Retrieved 2013-04-23. • Scott, Jennifer (2013-04-08). “Vendors form OpenDaylight Project for SDN”. Computer Weekly. Retrieved 2013-04-23. • Novet, Jordan (2013-04-08). “Network vendors launch open-source OpenDaylight Project to standardize SDN”. GigaOM. Retrieved 2013-04-23. • Hardy, Quentin (2013-04-08). “The OpenDaylight Project Is Open Source Networking, Corporate Style”. New York Times Blog. Retrieved 2013-0423. • Duffy, Jim (2013-04-17). “Run from Daylight”. Network World. Retrieved 2013-04-23. • Aurora, Sumit (2014-11-11). “OpenDaylight SDN Controller”. OpenDaylight. Retrieved 2014-11-12. • Kudo, Masashi (2013-03-18). “Unveil Lithium: Upcoming OpenDaylight Release”. OpenDaylight. Retrieved 2015-06-03. 
19.7 External links • Official website Chapter 20 Software-defined data center Software-defined data center (SDDC) (also: virtual • software-defined storage (SDS), which includes data center (VDC)) is a marketing term that extends storage virtualization, suggests a service interface to virtualization concepts such as abstraction, pooling, and provision capacity and SLAs (Service Level Agreeautomation to all data center resources and services to ments) for storage, including performance and duraachieve IT as a service (ITaaS).[1] In a software-defined bility data center, “all elements of the infrastructure — net• management and automation software, enabling an working, storage, CPU and security – are virtualized and administrator to provision, control, and manage all delivered as a service.”[2] While ITaaS may represent an software-defined data-center components[7] outcome of SDDC, SDDC is differently cast toward integrators and datacenter builders rather than toward tenants. Software awareness in the infrastructure is not visi- A software-defined data center differs from a private ble to tenants. cloud, since a private cloud only has to offer virtualSDDC support can be claimed by a wide variety of ap- machine self-service, beneath which it could use tradiproaches. Critics see the software-defined data center as tional provisioning and management. Instead, SDDC a marketing tool and “software-defined hype”, noting this concepts imagine a data center that can encompass private, public, and hybrid clouds.[8] variability.[3] In 2013, an analyst projected that at least some softwaredefined data center components would experience market growth. 
The software-defined networking market is ex- 20.2 Origins and development pected to be valued at about USD $3.7 billion by 2016, compared to USD $360 million in 2013.[3] IDC estimates Data centers traditionally lacked the capacity to accomthat the software-defined storage market is poised to ex- modate total virtualization.[9] pand faster than any other storage market.[3] By 2013, companies began laying the foundation for software-defined data centers with virtualization.[3] Ben Cherian of Midokura considers Amazon Web Services 20.1 Description and core compo- as a catalyst for the move toward software-defined data centers because it nents The software-defined data center encompasses a variety of concepts and data-center infrastructure components, with each component potentially provisioned, operated, and managed through an application programming interface (API).[4] Core architectural components that comprise the software-defined data center[5] include the following: convinced the world that the data center could be abstracted into much smaller units and could be treated as disposable pieces of technology, which in turn could be priced as a utility. 
Vendors watched Amazon closely and saw how this could apply to the data center of the future.[4] • computer virtualization,[6] - a software implementation of a computer 20.3 Potential impact • software-defined networking (SDN), which includes network virtualization - the process of merging hardware and software resources and networking functionality into a software-based virtual network[5] In 2013, the software-defined data center term was promoted as a paradigm shift.[4][10] The promise of the software-defined data center was that companies would no longer need to rely on specialized hardware or hire 69 70 consultants to install and program hardware in its specialized language.[11] Rather, IT will define applications and all of the resources they require—including compute, storage, networking, security, and availability—and group all of the required components to create a “logical application.”[11] CHAPTER 20. SOFTWARE-DEFINED DATA CENTER sources and includes an interface for configuring virtual switches.[9][16] The software-defined data center approach will force IT organizations to adapt. Software-defined environments require rethinking many IT processes—including automation, metering, and billing—and executing service Commonly cited benefits of software-defined data centers delivery, service activation, and service assurance.[13] A include improved efficiency[12] from extending virtualiza- widespread transition to the SDDC could take years.[5] tion throughout the data center; increased agility[13] from provisioning applications quickly; improved control[13] over application availability and security through policy- 20.5 Vendors based governance; and the flexibility[12][13] to run new and existing applications in multiple platforms and VMware acquired Pune-based software-defined data cenclouds. 
ter security and operations firm Arkin, in 2016.[17] Other In addition, a software-defined data center implemen- vendors are developed components and standards that entation could reduce a company’s energy usage by en- able a software-defined data center. The OpenDaylight abling servers and other data center hardware to run at Project attracted support from vendors including Avaya, decreased power levels or be turned off.[13] Some be- H3C, 6Wind,[18] Arista Networks, Big Switch Netlieve that software-defined data centers improve security works, Brocade, Cisco, Citrix, Dell, Ericsson, Fujitsu, by giving organizations more control over their hosted Hewlett Packard Enterprise (HPE), IBM, Intel, Juniper data and security levels, compared to security provided Networks, Microsoft, NEC, Nuage Networks, Plexxi, by hosted-cloud providers.[13] PLUMgrid, and Red Hat.[19] The software-defined data center was marketed to drive Large-scale service providers such as Amazon and Savvis, down prices for data center hardware and challenge tra- which could potentially benefit from improved efficienditional hardware vendors to develop new ways to differ- cies through automation, are considered to be the organientiate their products through software and services.[14] zations that are most likely to deploy full-scale softwaredefined data center implementations.[14] For companies that have already deployed a SDN in the data center many are now looking to expand those benefits to the WAN. A buzzword “software defined WAN” was used by vendors like CloudGenix.,[20] VeloCloud and The concepts of software-defined in general, and Viptela. software-defined data centers in particular, have been dismissed by some as “nonsense,” “marketecture,” and “software-defined hype.”[3] Some critics believe that only a minority of companies with “completely homogeneous 20.6 References IT systems’” already in place, such as Yahoo! 
and Google, can transition to software-defined data centers.[3]

20.4 Challenges

According to some observers, software-defined data centers won't necessarily eliminate challenges that relate to handling the differences between development and production environments; managing a mix of legacy and new applications; or delivering service-level agreements (SLAs).[3]

Software-defined networking was seen as essential to the software-defined data center, but it is also considered to be the "least mature technology" required to enable the software-defined data center.[9] However, companies including VMware, Cypherpath,[15] Arista Networks, Cisco, and Microsoft market products to enable virtual networks that are provisioned, extended, and moved across existing physical networks.[9] Several competing network virtualization standards already existed by 2012.[9] Neutron, the networking component of the open-source OpenStack project, provides an application-level abstraction of network re-

20.6 References

[1] Davidson, Emily A. "The Software-Defined-Data-Center (SDDC): Concept Or Reality? [VMware]". Softchoice Advisor. Retrieved 28 June 2013.
[2] Rouse, Margaret. "Definition: Software Defined Datacenter". Retrieved 25 February 2014.
[3] Kovar, Joseph F. (13 May 2013). "Software-Defined Data Centers: Should You Jump On The Bandwagon?". CRN. Retrieved 10 February 2014.
[4] Cherian, Ben. "What Is the Software Defined Data Center and Why Is It Important?". All Things D. Retrieved 28 June 2013.
[5] Volk, Torsten. "The Software-Defined Datacenter: Part 2 of 4 – Core Components". EMA Blogs. Retrieved 28 June 2013.
[6] "The software defined data center - part 2: compute". CohesiveFT Blog. Retrieved 28 June 2013.
[7] Marshall, David. "VMware's software-defined data center will include NSX network virtualization". InfoWorld. Retrieved 28 June 2013.
[8] Otey, Michael (29 May 2013). "Moving Toward the Software-Defined Datacenter". WindowsITPro. Retrieved 28 June 2013.
[9] Knorr, Eric (13 August 2012). "What the software-defined data center really means". InfoWorld. Retrieved 28 June 2013.
[10] Shread, Paul (25 July 2013). "Software-Defined Data Centers Could Change the IT Landscape". Datamation. Retrieved 22 August 2016.
[11] Herrod, Steve. "Interop and the Software-Defined Datacenter". VMware blog. Retrieved 28 June 2013.
[12] Earls, Alan. "Is the software-defined data center ready for the mainstream?". SearchDataCenter. Retrieved 28 June 2013.
[13] Venkatraman, Archana. "Software-defined datacentres demystified". ComputerWeekly.com. Retrieved 28 June 2013.
[14] Manca, Pete (29 May 2013). "Software-Defined Data Centers: What's the Buzz All About?". Wired. Retrieved 28 June 2013.
[15] van der Kleut, Jennifer (13 September 2013). "Gov. McDonnell Announces Mach 37's First Round of Cyber Start-Ups". Herndon Patch. Retrieved 22 August 2016.
[16] "Neutron's developer documentation". OpenStack. Retrieved 22 August 2016.
[17] "VMWare to acquire Arkin net". Economic Times. 13 June 2016. Retrieved 15 June 2016.
[18] Burt, Jeffrey (2 May 2014). "Avaya, H3C, 6Wind Join OpenDaylight SDN Effort". eWeek. Retrieved 1 February 2015.
[19] Knorr, Eric (8 April 2013). "OpenDaylight: A big step toward the software-defined data center". InfoWorld. Retrieved 28 June 2013.
[20] "Startup CloudGenix Aims to Bring SDN to WAN". eWeek. 1 May 2014. Retrieved 1 May 2014.

20.7 External links

• Software-Defined Cloud Computing: Architectural Elements and Open Challenges
• Software-Defined Data Centers: What's the Buzz All About?
• What Is the Software Defined Data Center and Why Is It Important?
• What the software-defined data center really means

Chapter 21 Software-defined protection

Software-defined Protection (SDP) is a computer network security architecture and methodology that combines network security devices and defensive protections which leverage both internal and external intelligence sources.[1] An SDP[2] infrastructure is designed to be modular, scalable, and secure. The SDP architecture partitions the security infrastructure into three interconnected layers. The Enforcement Layer inspects traffic and enforces protection within well-defined network segments. The Control Layer generates security policies and deploys those protections to enforcement points. The Management Layer orchestrates the infrastructure and integrates security with business processes.

The SDP architecture supports traditional network security and access control policy requirements, as well as the threat prevention required for enterprises implementing technologies such as mobile computing and software-defined networking (SDN).

21.1 Enforcement Layer

The Enforcement Layer of SDP enables organizations to design segmented networks, implement physical and virtual security enforcement points based upon that segmentation, and execute the protection logic for the prescribed network segments.

SDP incorporates the principle of segmentation into the Enforcement Layer. Segmentation divides a network into compartments that have different security characteristics. Based upon segment requirements, security controls are established for threat containment and recovery. Enforcement points, or platforms for executing protections, must then be implemented at the boundaries of the segments to enforce the defined protection logic. Enforcement points may be implemented as network security gateways, host-based software, mobile device applications, or virtual machines in the cloud.

21.2 Control Layer

The Control Layer is the core of the SDP architecture. Its role is to generate protections and deploy them for execution at the appropriate enforcement points within the Enforcement Layer. To develop the appropriate protections, the Control Layer relies upon repositories of data that include knowledge of the organization and its information systems (Access Control), knowledge of data assets and their classifications (Data Protection) and knowledge of threats (Threat Prevention).

Security solutions commonly implemented within the Control Layer include Firewall, Anti-Virus, Application Control, Threat Emulation, Anti-Bot, Anti-Spam and email security, Data Loss Prevention (DLP), and Intrusion Prevention Systems (IPS). Through systematic mapping of these protective controls to the associated risk for each segment and its assets within the Enforcement Layer, organizations can deliver multi-layer protection against attacks.

21.3 Management Layer

The Management Layer serves as the interface between network administrators and the other two layers of the SDP infrastructure. This layer supports the enterprise segmentation and enables the definition of access and data control policies and the activation of threat prevention separately. The Management Layer also provides the ability to delegate management to specific administrators, who can work on the infrastructure concurrently. The Management Layer provides visibility into what is happening in the network, supports proactive incident response, and provides the intelligence required to tailor security controls for the organization.

21.4 References

[1] "Check Point unveils security architecture for threat-intelligence sharing".
[2] "Check Point Unveils 'Software-Defined Protection' Security Architecture".

Chapter 22 Network function virtualization

Network functions virtualization (NFV) is a network architecture concept that uses the technologies of IT virtualization to virtualize entire classes of network node functions into building blocks that may connect, or chain together, to create communication services.

NFV relies upon, but differs from, traditional server-virtualization techniques, such as those used in enterprise IT. A virtualized network function, or VNF, may consist of one or more virtual machines running different software and processes, on top of standard high-volume servers, switches and storage devices, or even cloud computing infrastructure, instead of having custom hardware appliances for each network function.

For example, a virtual session border controller could be deployed to protect a network without the typical cost and complexity of obtaining and installing physical network protection units. Other examples of NFV include virtualized load balancers, firewalls, intrusion detection devices and WAN accelerators.[1]

22.1 Background

Product development within the telecommunication industry has traditionally followed rigorous standards for stability, protocol adherence and quality, reflected by the use of the term carrier grade to designate equipment demonstrating this reliability.[2] While this model worked well in the past, it inevitably led to long product cycles, a slow pace of development and reliance on proprietary or specific hardware, e.g., bespoke application-specific integrated circuits (ASICs).

The rise of significant competition in communication services from fast-moving organizations operating at large scale on the public Internet (such as Google Talk, Skype, Netflix) has spurred service providers to look for ways to disrupt the status quo.

22.2 History

In October 2012, a specification group, "Network Functions Virtualisation",[3] published a white paper at a conference in Darmstadt, Germany on software-defined networking (SDN) and OpenFlow.[4] The group, part of the European Telecommunications Standards Institute (ETSI), was made up of representatives from the telecommunication industry from Europe and beyond.[5][6] Since the publication of the white paper, the group has produced several more in-depth materials, including a standard terminology definition[7] and use cases for NFV that act as references for vendors and operators considering NFV.

22.3 NFV Framework

The NFV framework consists of three main components:[8]

1. Virtualized network functions (VNFs) are software implementations of network functions that can be deployed on a network functions virtualization infrastructure (NFVI).

2. Network functions virtualization infrastructure (NFVI) is the totality of all hardware and software components that build the environment where VNFs are deployed. The NFV infrastructure can span several locations. The network providing connectivity between these locations is considered part of the NFV infrastructure.

3. Network functions virtualization management and orchestration architectural framework (NFV-MANO Architectural Framework) is the collection of all functional blocks, data repositories used by these blocks, and reference points and interfaces through which these functional blocks exchange information for the purpose of managing and orchestrating NFVI and VNFs.

The building block for both the NFVI and the NFV-MANO is the NFV platform. In the NFVI role, it consists of both virtual and physical processing and storage resources, and virtualization software. In its NFV-MANO role it consists of VNF and NFVI managers and virtualization software operating on a hardware controller. The NFV platform implements carrier-grade features used to manage and monitor the platform components, recover from failures and provide effective security, all of which are required for the public carrier network.

22.4 Practical aspects

A service provider that follows the NFV design implements one or more virtualized network functions, or VNFs. A VNF by itself does not automatically provide a usable product or service to the provider's customers. To build more complex services, the notion of service chaining is used, where multiple VNFs are used in sequence to deliver a service.

Another aspect of implementing NFV is the orchestration process. To build highly reliable and scalable services, NFV requires that the network be able to instantiate VNF instances, monitor them, repair them, and (most important for a service provider business) bill for the services rendered. These attributes, referred to as carrier-grade[9] features, are allocated to an orchestration layer in order to provide high availability and security, and low operation and maintenance costs. Importantly, the orchestration layer must be able to manage VNFs irrespective of the underlying technology within the VNF. For example, an orchestration layer must be able to manage an SBC VNF from vendor X running on VMware vSphere just as well as an IMS VNF from vendor Y running on KVM.

22.5 Distributed NFV

The initial perception of NFV was that virtualized capability should be implemented in data centers. This approach works in many, but not all, cases. NFV presumes and emphasizes the widest possible flexibility as to the physical location of the virtualized functions. Ideally, therefore, virtualized functions should be located where they are the most effective and least expensive. That means a service provider should be free to locate NFV in all possible locations, from the data center to the network node to the customer premises. This approach, known as distributed NFV (D-NFV), has been emphasized from the beginning as NFV was being developed and standardized, and is prominent in the recently released NFV ISG documents.[10]

For some cases there are clear advantages for a service provider to locate this virtualized functionality at the customer premises. These advantages range from economics to performance to the feasibility of the functions being virtualized.[11]

The first ETSI NFV ISG-approved public multi-vendor proof of concept (PoC) of D-NFV was conducted by Cyan, Inc., RAD, Fortinet and Certes Networks in Chicago in June 2014, and was sponsored by CenturyLink. It was based on RAD's dedicated customer-edge D-NFV equipment running Fortinet's Next Generation Firewall (NGFW) and Certes Networks' virtual encryption/decryption engine as Virtual Network Functions (VNFs), with Cyan's Blue Planet system orchestrating the entire ecosystem.[12] RAD's D-NFV solution, a Layer 2/Layer 3 network termination unit (NTU) equipped with a D-NFV x86 server module that functions as a virtualization engine at the customer edge, became commercially available by the end of that month.[13] During 2014 RAD also organized a D-NFV Alliance, an ecosystem of vendors and international systems integrators specializing in new NFV applications.[14]

22.6 NFV modularity benefits

When designing and developing the software that provides the VNFs, vendors may structure that software into software components (implementation view of a software architecture) and package those components into one or more images (deployment view of a software architecture). These vendor-defined software components are called VNF Components (VNFCs). VNFs are implemented with one or more VNFCs and it is assumed, without loss of generality, that VNFC instances map 1:1 to VM images.

VNFCs should in general be able to scale up and/or scale out. By being able to allocate flexible (virtual) CPUs to each of the VNFC instances, the network management layer can scale up (i.e., scale vertically) the VNFC to provide the throughput/performance and scalability expectations over a single system or a single platform.
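As an added example (constructed for this page; it is not ETSI NFV code and not any vendor's orchestrator), the following Python model ties together the service chaining of 22.4 and the orchestration and VNFC scaling described in this section: a service is an ordered chain of VNFs, an orchestrator instantiates VNFC instances on heterogeneous platforms, monitors and repairs them, scales a VNFC out across platforms, and meters every hop for billing. The platform names, the three VNFs and the sample packets are assumptions.

```python
"""Service chaining with a toy orchestrator. Constructed example, not ETSI or vendor code."""
from collections import Counter
from dataclasses import dataclass, replace
from itertools import cycle
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


# A VNFC's data-plane function: packet in, rewritten packet out, or None when dropped.
VnfFunction = Callable[[Packet], Optional[Packet]]


class VnfcInstance:
    """One VNFC instance (one VM image, per the 1:1 assumption above) on one platform."""
    _ids = cycle(range(1, 10**6))

    def __init__(self, vnf: str, platform: str, fn: VnfFunction):
        self.id = f"{vnf}-{next(self._ids)}"
        self.vnf, self.platform, self.fn = vnf, platform, fn
        self.healthy = True
        self.processed = 0

    def process(self, pkt: Packet) -> Optional[Packet]:
        if not self.healthy:
            raise RuntimeError(f"{self.id} is down")
        self.processed += 1
        return self.fn(pkt)


# Three assumed VNFs: a stateless firewall, a source NAT and a pass-through meter.
ALLOWED_PORTS = {53, 80, 443}

def firewall(pkt: Packet) -> Optional[Packet]:
    return pkt if pkt.dport in ALLOWED_PORTS else None

def nat(pkt: Packet) -> Optional[Packet]:
    return replace(pkt, src="203.0.113.10")  # assumed public address (TEST-NET-3)

def meter(pkt: Packet) -> Optional[Packet]:
    return pkt


class Orchestrator:
    """Instantiates, monitors, repairs, scales and bills VNFCs regardless of platform."""

    def __init__(self, platforms: List[str]):
        self.catalog: Dict[str, VnfFunction] = {}
        self.instances: Dict[str, List[VnfcInstance]] = {}
        self.billing: Counter = Counter()        # packets billed per VNF
        self._next_platform = cycle(platforms)   # round-robin placement

    def onboard(self, vnf: str, fn: VnfFunction) -> None:
        self.catalog[vnf] = fn

    def instantiate(self, vnf: str, platform: Optional[str] = None) -> VnfcInstance:
        inst = VnfcInstance(vnf, platform or next(self._next_platform), self.catalog[vnf])
        self.instances.setdefault(vnf, []).append(inst)
        return inst

    def scale_out(self, vnf: str, target: int) -> int:
        """Scale horizontally: add instances until `target`, spread over platforms."""
        while len(self.instances.get(vnf, [])) < target:
            self.instantiate(vnf)
        return len(self.instances[vnf])

    def monitor_and_repair(self) -> int:
        """Replace every failed instance with a fresh one on the same platform."""
        repaired = 0
        for vnf, insts in self.instances.items():
            for i, inst in enumerate(insts):
                if not inst.healthy:
                    insts[i] = VnfcInstance(vnf, inst.platform, self.catalog[vnf])
                    repaired += 1
        return repaired

    def _pick(self, vnf: str) -> VnfcInstance:
        """Least-loaded healthy instance; fails loudly if the VNF has no capacity."""
        healthy = [i for i in self.instances.get(vnf, []) if i.healthy]
        if not healthy:
            raise RuntimeError(f"no healthy instance of {vnf}")
        return min(healthy, key=lambda i: i.processed)

    def run_chain(self, chain: List[str], packets: List[Packet]) -> Dict[str, int]:
        """Push each packet through the VNFs in order; bill every hop that handled it."""
        stats: Counter = Counter()
        for pkt in packets:
            cur: Optional[Packet] = pkt
            for vnf in chain:
                cur = self._pick(vnf).process(cur)
                self.billing[vnf] += 1
                if cur is None:            # dropped by this VNF: stop the chain
                    stats["dropped"] += 1
                    break
            else:
                stats["delivered"] += 1
        return dict(stats)


def demo() -> Dict[str, int]:
    """Two platforms, one chain, a simulated VNFC crash, a repair and a scale-out."""
    orch = Orchestrator(["kvm-host-1", "vsphere-host-2"])   # assumed platform names
    for name, fn in (("fw", firewall), ("nat", nat), ("meter", meter)):
        orch.onboard(name, fn)
        orch.instantiate(name)
    chain = ["fw", "nat", "meter"]
    # Constructed traffic: ports 80, 443 and 53 pass the firewall; 23 and 8080 are dropped.
    traffic = [Packet("10.0.0.5", "198.51.100.7", p) for p in (80, 443, 23, 53, 8080)]
    first = orch.run_chain(chain, traffic)
    orch.instances["nat"][0].healthy = False                  # simulate a VNFC crash
    repaired = orch.monitor_and_repair()
    orch.scale_out("fw", 2)                                   # fw now on both platforms
    second = orch.run_chain(chain, traffic)
    return {"delivered": first["delivered"] + second["delivered"],
            "dropped": first["dropped"] + second["dropped"],
            "repaired": repaired,
            "fw_instances": len(orch.instances["fw"]),
            "fw_platforms": len({i.platform for i in orch.instances["fw"]}),
            "billed_fw": orch.billing["fw"]}


if __name__ == "__main__":
    print(demo())
```

The orchestrator never looks inside a VNFC beyond its health flag and packet counter, which is the platform-independence requirement of 22.4 in miniature: the same `monitor_and_repair` and `scale_out` logic serves a function on "kvm-host-1" and one on "vsphere-host-2". A real MANO stack would also have to place the replacement instance, re-steer traffic to it, and keep the billing counters consistent across the restart; the model only hints at those with the least-loaded selection in `_pick`.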
Similarly, the network management layer can scale out (i.e., scale horizontally) a VNFC by activating multiple instances of that VNFC over multiple platforms, and so meet its performance and architecture specifications without compromising the stability of the other VNFCs. Early adopters of such architecture blueprints have already implemented the NFV modularity principles.[15]

22.7 Relationship to SDN

SDN, or software-defined networking, is a concept related to NFV, but they refer to different domains.

In essence, software-defined networking (SDN) is an approach to building data networking equipment and software that separates and abstracts elements of these systems. It does this by decoupling the control plane and data plane from each other, such that the control plane resides centrally and the forwarding components remain distributed.

The control plane interacts both northbound and southbound. In the northbound direction the control plane provides a common abstracted view of the network to higher-level applications and programs using APIs. In the southbound direction the control plane programs the forwarding behavior of the data plane, using device-level APIs of the physical network equipment distributed around the network.

Thus, NFV is not dependent on SDN or SDN concepts. It is entirely possible to implement a virtualized network function (VNF) as a standalone entity using existing networking and orchestration paradigms. However, there are inherent benefits in leveraging SDN concepts to implement and manage an NFV infrastructure, particularly when looking at the management and orchestration of VNFs, and that is why multivendor platforms are being defined that incorporate SDN and NFV in concerted ecosystems.[16]

An NFV infrastructure needs a central orchestration and management system that takes operator requests associated with a VNF, translates them into the appropriate processing, storage and network configuration needed to bring the VNF into operation. Once in operation, the VNF potentially must be monitored for capacity and utilization, and adapted if necessary.[17]

All these functions can be accomplished using SDN concepts, and NFV could be considered one of the primary SDN use cases in service provider environments. It is also apparent that many SDN use cases could incorporate concepts introduced in the NFV initiative. Examples include a centralized controller controlling a distributed forwarding function that could in fact also be virtualized on existing processing or routing equipment.

22.8 Industry impact

NFV has proven a popular standard even in its infancy. Its immediate applications are numerous, such as virtualization of mobile base stations, platform as a service (PaaS), content delivery networks (CDN), fixed access and home environments.[18] The potential benefits of NFV are anticipated to be significant. Virtualization of network functions deployed on general purpose standardized hardware is expected to reduce capital and operational expenditures, and service and product introduction times.[19][20]

Many major network equipment vendors have announced support for NFV.[21] This has coincided with NFV announcements from major software suppliers who provide the NFV platforms used by equipment suppliers to build their NFV products.[22][23]

However, to realize the anticipated benefits of virtualization, network equipment vendors are improving IT virtualization technology to incorporate carrier-grade attributes required to achieve high availability, scalability, performance, and effective network management capabilities.[24] To minimize the total cost of ownership (TCO), carrier-grade features must be implemented as efficiently as possible. This requires that NFV solutions make efficient use of redundant resources to achieve five-nines availability (99.999%),[25] and of computing resources without compromising performance predictability.

The NFV platform is the foundation for achieving efficient carrier-grade NFV solutions.[26] It is a software platform running on standard multi-core hardware and built using open source software that incorporates carrier-grade features. The NFV platform software is responsible for dynamically reassigning VNFs due to failures and changes in traffic load, and therefore plays an important role in achieving high availability.

There are numerous initiatives underway to specify, align and promote NFV carrier-grade capabilities, such as ETSI NFV Proof of Concept,[27] ATIS,[28] the Open Platform for NFV Project,[29] Carrier Network Virtualization Awards[30] and various supplier ecosystems.[31]

The vSwitch, a key component of NFV platforms, is responsible for providing connectivity both VM-to-VM (between VMs) and between VMs and the outside network. Its performance determines both the bandwidth of the VNFs and the cost-efficiency of NFV solutions. The standard Open vSwitch (OVS) has performance shortcomings that must be resolved to meet the needs of NFVI solutions.[32] Significant performance improvements are being reported by NFV suppliers for both OVS and Accelerated Open vSwitch (AVS) versions.[33][34]

Virtualization is also changing the way availability is specified, measured and achieved in NFV solutions. As VNFs replace traditional function-dedicated equipment, there is a shift from equipment-based availability to a service-based, end-to-end, layered approach.[35][36] Virtualizing network functions breaks the explicit coupling with specific equipment, therefore availability is defined by the availability of VNF services. Because NFV technology can virtualize a wide range of network function types, each with their own service availability expectations, NFV platforms should support a wide range of fault tolerance options. This flexibility enables CSPs to optimize their NFV solutions to meet any VNF availability requirement.

22.9 Management and orchestration (MANO)

ETSI has indicated that an important part of controlling the NFV environment should be done through automation and orchestration. A separate MANO work stream within NFV outlines how this flexibility should be controlled.[37]

22.10 See also

• OASIS TOSCA
• Hardware virtualization
• Software-defined networking
• Network virtualization
• Network management
• Shortest Path Bridging
• Open Platform for NFV

22.11 References

[1] "Network Functions Virtualisation (NFV); Use Cases" (PDF). Retrieved 6 June 2014.
[2] "How Low-Cost Telecom Killed Five 9s in Cloud Computing". wired.com. Retrieved 27 June 2016.
[3] "Network Functions Virtualisation". ISG web portal. Retrieved 20 June 2013.
[4] "Network Functions Virtualisation – Introductory White Paper" (PDF). ETSI. 22 October 2012. Retrieved 20 June 2013.
[5] Le Maistre, Ray (22 October 2012). "Tier 1 Carriers Tackle Telco SDN". Light Reading. Retrieved 20 June 2013.
[6] "Latest Agenda at SDN & OpenFlow World Congress". Layer123.com. Archived from the original on 14 October 2012. Retrieved 20 June 2013.
[7] Mulligan, Ultan. "ETSI Publishes First Specifications for Network Functions Virtualisation". Retrieved 5 December 2013.
[8] Network Functions Virtualisation (NFV); Proofs of Concept; Framework, GS NFV-PER 002 v1.1.1 (2013-10).
[9] Ashton, Charlie (April 2014). "Don't Confuse 'High Availability' with Carrier Grade". Embedded Community.
[10] Nolle, Tom (18 September 2013). "Is 'Distributed NFV' Teaching Us Something?". CIMI Corporation's Public Blog. Retrieved 2 January 2014.
[11] Wilson, Carol (3 October 2013). "RAD Rolls Out Distributed NFV Strategy". Light Reading. Retrieved 2 January 2014.
[12] "4 Vendors Bring Distributed NFV to BTE". Light Reading. 11 June 2014. Retrieved 3 March 2015.
[13] "RAD launches customer-edge distributed NFV solution based on ETX NTU platform". Optical Keyhole. 16 June 2014. Retrieved 3 March 2015.
[14] "RAD adds new partners to D-NFV Alliance". Telecompaper. 9 December 2014. Retrieved 3 March 2015.
[15] TMCnet News (26 June 2014). "Qosmos Awarded a 2014 INTERNET TELEPHONY NFV Pioneer Award". TMC. Retrieved 26 June 2014.
[16] Platform to Multivendor Virtual and Physical Infrastructure.
[17] Liyanage, Madhusanka (2015). Software Defined Mobile Networks (SDMN): Beyond LTE Network Architecture. UK: John Wiley. pp. 1–438. ISBN 978-1-118-90028-4.
[18] Network Functions Virtualization (NFV) Use Cases, ETSI GS NFV 001 v1.1.1 (2013-10).
[19] "What's NFV – Network Functions Virtualization?". SDN Central.
[20] "Carrier Network Virtualization". ETSI news.
[21] "Openwave Exec Discusses the Benefits, Challenges of NFV & SDN". 12 November 2013. Retrieved 22 November 2013.
[22] Doyle, Lee. "Middleware for the NFV Generation". Service.
[23] Sharma, Ray. "Wind River Launches NFV Ecosystem Program with Five Industry Leaders". PCC Mobile Broadband.
[24] Ashton, Charlie (January 2015). "Carrier-Grade Reliability: A 'Must-Have' for NFV Success". Electronic Design.
[25] Lemke, Andreas (November 2014). "5 must-have attributes of an NFV platform". Techzine, Alcatel-Lucent.
[26] "Why Service Providers Need an NFV Platform". Intel strategic paper.
[27] NFV Proof of Concept.
[28] Wilson, Carol (16 September 2015). "New NFV Forum Focused on Interoperability". Light Reading.
[29] OPNFV, Linux Foundation Collaborative Projects webpage.
[30] Carrier Network Virtualization Awards 2014, December 2015.
[31] Nolle, Tom (June 2014). "Wind River's Ecosystemic Solution to NFV and Orchestration". CIMI Corporation Public Blog.
[32] Pettit, Justin D. (13 November 2014). "Accelerating Open vSwitch to 'Ludicrous Speed'". Network Heresy: Tales of the network reformation.
[33] "Wind River Delivers Breakthrough Performance for Accelerated vSwitch Optimized for NFV". Wind River News Room. May 2014.
[34] "6WIND Announces Open vSwitch Acceleration for Red Hat Enterprise Linux OpenStack Platform". PRWeb. April 2014.
[35] "Network Functions Virtualization Challenges and Solutions". TMCnet, Alcatel-Lucent strategic paper.
[36] "NFV: The Myth of Application-Level High Availability". Wind River white paper. May 2015.
[37] MANO at network-functions-virtualization.com.

22.12 External links

• NFV basics
• Open Platform for NFV (OPNFV)

Chapter 23 List of SDN controller software

SDN (software-defined networking) is a new paradigm for configuring and operating computer networks (especially data center networks) through a centralized software controller that dictates how the network behaves. The core of this paradigm is the SDN controller.

There are typically two sets of SDN controllers:

• SDN controllers for the NFV infrastructure of a datacenter,
• Historical SDN controllers for managing the programmable switches of the network.

SDN controllers for the NFV infrastructure of a datacenter are mostly designed to provide policy and centralized management for the OpenStack Neutron networking layer, which provides interworking between the virtual ports created by Nova. In practice these controllers manage Linux kernel features: L3 IP routing, Linux bridges, iptables or ebtables, network namespaces and Open vSwitch.

Open and community driven initiatives:

• OpenDaylight (controller baseline project upon which many other controllers are built)
• ONOS
• Project Calico
• The Fast Data Project
• Project Floodlight
• Beacon
• NOX/POX
• Open vSwitch
• vneio/sdnc (SDN Controller from vne.io)
• Ryu Controller (supported by NTT Labs)
• Cherry
• Faucet (Python based on Ryu, for production networks)
• OpenContrail

Vendor specific initiatives:

• Nuage Virtualized Services Controller (VSC) by Alcatel-Lucent
• VortiQa Open Network Director by Freescale Semiconductor

Chapter 24 Data Plane Development Kit

The Data Plane Development Kit (DPDK) is a set of data plane libraries and network interface controller drivers for fast packet processing. The DPDK provides a programming framework for Intel x86 processors and enables faster development of high speed data packet networking applications.[1][2] It scales from Intel Atom processors to Intel Xeon processors, and support for other processor architectures such as IBM POWER8 is in progress.[3] It is provided and supported under the open source[4] BSD license.

24.1 Overview

The DPDK framework creates a set of libraries for specific hardware/software environments through the creation of an Environment Abstraction Layer (EAL).[5] The EAL hides the environment specifics and provides a standard programming interface to libraries, available hardware accelerators and other hardware and operating system (Linux, FreeBSD) elements. Once the EAL is created for a specific environment, developers link to the library to create their applications. For instance, the EAL provides the frameworks to support Linux, FreeBSD, Intel IA 32- or 64-bit or IBM Power8. All libraries are stored in the dpdk/lib/librte_* directories.

The EAL also provides additional services including time references, PCIe bus access, trace and debug functions and alarm operations.

The DPDK implements a low overhead run-to-completion model for fast data plane performance and accesses devices via polling to eliminate the performance overhead of interrupt processing.

The DPDK also includes software examples that highlight best practices for software architecture, tips for data structure design and storage, application profiling and performance tuning utilities and tips that address common network performance deficits.

24.2 Libraries

The DPDK includes data plane libraries and optimized NIC drivers for the following:[6]

• A queue manager implements lockless queues
• A buffer manager pre-allocates fixed size buffers
• A memory manager allocates pools of objects in memory and uses a ring to store free objects; it ensures that objects are spread equally over all DRAM channels
• Poll mode drivers (PMD) are designed to work without asynchronous notifications, reducing overhead
• A packet framework, a set of libraries that are helpers to develop packet processing

24.2.1 Plugins

The EAL allows loading some plugins using the -d file.so option without recompiling any applications that use the DPDK libraries. The following plugins are available:

• librte_pmd_virtio.so – provides a PMD Ethernet layer supporting the Virtio paravirtualized NIC
• librte_pmd_vmxnet3.so – provides a PMD Ethernet layer supporting the VMXNET3 paravirtualized NIC
• librte_pmd_memnic_copy.so – provides a virtual PMD Ethernet layer through shared memory based on 2 memory copies of packets
• librte_pmd_mlx4.so – provides a PMD Ethernet layer for the Mellanox ConnectX-3 40G NIC
• librte_crypto_nitrox.so – provides a cryptography layer for Cavium Nitrox PCI boards
• librte_crypto_quickassist.so – provides a cryptography layer for Intel Cave Creek PCI boards

24.3 Environment

The DPDK was originally designed to run in a bare-metal mode, which is now deprecated. Today DPDK's EAL supports Linux and FreeBSD userland applications, and it can be extended to support other processors.

24.4 Ecosystem

Besides Intel, which is a contributor to the DPDK, several other vendors also support the DPDK within their products and some offer additional training, support and professional services. The list of vendors who have announced DPDK support includes:

• 6WIND[7]
• ALTEN Calsoft Labs[8]
• Advantech[9]
• Brocade[10]
• BigSwitch Networks
• Radisys[11]
• Tieto[12]
• Wind River[13]
• Lanner[14]

24.5 Projects

24.5.1 Opensource

The pfSense project published a road map on 25 February 2015, in which developer Jim Thompson announced the rewriting of the pfSense core, including pf, network packet forwarding and shaping, link bonding and IPsec, using Intel's DPDK: "We have a goal of being able to forward, with packet filtering at rates of at least 14.88Mpps. This is 'line rate' on a 10Gbps interface. There is simply no way to use today's FreeBSD (or linux) in-kernel stacks for this type of load."[15]

OVS has a limited set of features running in userland that can be leveraged to bypass the Linux kernel OVS processing. This use case of OVS with DPDK userland is usually named OVS-DPDK. It is mostly deployed with OpenStack Neutron, but it assumes that many features and SDN capabilities of OpenStack are disabled. For instance, when OVS-DPDK is used, Neutron provides a lower level of security than when the OVS kernel datapath is used (no stateful firewalling, reduced security group support).

It has been estimated that more than 20 opensource projects are now using DPDK in various fashions.

24.5.2 Platforms and solutions

Since DPDK was launched, many platforms have very quickly integrated this userland library for some of their I/O. The platforms are:

• 6WIND 6WINDGate, Virtual Accelerator and their Turbo Series, which provide the highest performance and the widest set of features leveraging the DPDK.
• OVS-DPDK from OVS, which provides a subset of OVS support.
• TRex, which can be used to turn Scapy into a high performance traffic generator.

24.6 References

[1] Stanley, Simon. "All Change for Packet Processing". Heavy Reading, 2013.
[2] McGillicuddy, Shamus. "Intel DPDK, switch and server ref designs push SDN ecosystem forward". SearchSDN, April 2013.
[3] "DPDK: Data Plane Development Kit – What it is". dpdk.org. Retrieved 16 March 2015.
[4] Stanley, Simon. "DPDK Goes Open-Source". Intel Embedded Community, May 2013.
[5] Intel Corporation. Intel® Data Plane Development Kit: Programmer's Guide. November 2012.
[6] Intel Communications Infrastructure Division. Intel® Data Plane Development Kit Overview. December 2012.
[7] PRWeb. "6WIND Extends Portable Packet Processing Software to Support Intel® Data Plane Development Kit". September 2011.
[8] "Calsoft Labs to offer professional services and support for Intel® Data Plane Development Kit". ALTEN Calsoft Labs, 18 February 2014. Retrieved 28 October 2014.
[9] COTS Journal. "ATCA Blade Serves Up Xeon E5-2600 Processor". June 2012.
[10] Brocade vRouter.
[11] MarketWatch. "Radisys Delivers Industry's First 40G Solution for Intel(R) Data Plane Development Kit". September 2012.
[12] Tieto. "Tieto provides professional software services and support for the Intel® Data Plane Development Kit". February 2012.
[13] Reuters. "Wind River Delivers Support and Services for Intel Data Plane Development Kit for High-Performance Packet Processing". May 2012.
[14] "Get Flying with the Intel Data Plane Development Kit". Lanner Electronics Inc., 20 February 2013. Retrieved 11 July 2013.
[15] Thompson, Jim. "Further (a roadmap for pfSense)". blog.pfsense.org. Electric Sheep Fencing LLC. Retrieved 21 April 2015.

Chapter 25 IEEE 802.1aq

Shortest Path Bridging (SPB), specified in the IEEE 802.1aq standard, is a computer networking technology intended to simplify the creation and configuration of networks, while enabling multipath routing.[1][2][3]

It is the replacement for the older spanning tree protocols: IEEE 802.1D, IEEE 802.1w, IEEE 802.1s. These blocked any redundant paths that could result in a layer 2 loop, whereas SPB allows all paths to be active with multiple equal cost paths, provides much larger layer 2 topologies,[4] supports faster convergence times, and improves efficiency by allowing traffic to load share across all paths of a mesh network.[5][6][7][8] It is designed to virtually eliminate human error during configuration and preserves the plug-and-play nature that established Ethernet as the de facto protocol at Layer 2.

The technology provides logical Ethernet networks on native Ethernet infrastructures using a link state protocol to advertise both topology and logical network membership. Packets are encapsulated at the edge either in media access control-in-media access control (MAC-in-MAC) 802.1ah or tagged 802.1Q/802.1ad frames and transported only to other members of the logical network. Unicast, multicast, and broadcast are supported and all routing is on symmetric shortest paths.

The control plane is based on the Intermediate System to Intermediate System (IS-IS) protocol, leveraging a small number of extensions defined in RFC 6329.[9]

25.1 History

On 4 March 2006 the working group posted 802.1aq draft 0.1.[10]

In December 2011 Shortest Path Bridging (SPB) was evaluated by the JITC and approved for deployment within the US Department of Defense (DoD) because of the ease of integrated OA&M and interoperability with current protocols.[11] In March 2012 the IEEE approved the 802.1aq standard.[12]

In 2012, it was stated by David Allan and Nigel Bragg, in 802.1aq Shortest Path Bridging Design and Evolution: The Architect's Perspective, that shortest path bridging is one of the most significant enhancements in Ethernet's history.[13]

In May 2013 the first public multi-vendor interoperability was demonstrated as SPB served as the backbone for Interop 2013 in Las Vegas.[14]

The 2014 Winter Olympics were the first "fabric-enabled" Games, using Shortest Path Bridging (SPB) "IEEE 802.1aq" technology.[15][16] During the games this fabric network was capable of handling up to 54,000 Gbit/s (54 Tbit/s) of traffic.[17] In 2013 and 2014 SPB was used to build the InteropNet backbone with only 1/10 the resources of prior years.[18] During Interop 2014 SPB was used as the backbone protocol which can enable software-defined networking (SDN) functionalities.[19][20]

25.2 Benefits

Shortest Path Bridging - VID (SPBV) and Shortest Path Bridging - MAC (SPBM) are two operating modes of 802.1aq, and are described in more detail below. Both inherit key benefits of link state routing:

• the ability to use all available physical connectivity, because loop avoidance uses a control plane with a global view of network topology
• fast restoration of connectivity after failure, again because of link state routing's global view of network topology
• under failure, the property that only directly affected traffic is impacted during restoration; all unaffected traffic just continues
• rapid restoration of broadcast and multicast connectivity, because IS-IS floods all of the required information in the SPB extensions to IS-IS, thereby allowing unicast and multicast connectivity to be installed in parallel, with no need for a second-phase signaling process to run over the converged unicast topology to compute and install multicast trees

Virtualisation is becoming an increasingly important aspect of a number of key applications, in both Carrier and Enterprise space, and SPBM, with its MAC-in-MAC datapath providing complete separation between Client and Server layers, is uniquely suitable for these.
"Data Centre virtualisation" articulates the desire to flexibly and efficiently harness available compute resources in a way that may rapidly be modified to respond to varying application demands, without the need to dedicate physical resources to a specific application. One aspect of this is server virtualisation. The other is connectivity virtualisation, because a physically distributed set of server resources must be attached to a single IP subnet, and modifiable in an operationally simple and robust way. SPBM delivers this; because of its client-server model, it offers a perfect emulation of a transparent Ethernet LAN segment, which is the IP subnet seen at Layer 3. A key component of how it does this is implementing VLANs with scoped multicast trees, which means no egress discard of broadcast/unknown traffic (egress discard is inherent in approaches that use a small number of shared trees), hence the network does not simply degrade with size as the percentage of frames discarded goes up. It also supports "single touch" provisioning, so that configuration is simple and robust; the port of a virtual server must simply be bound locally to the SPBM I-SID identifying the LAN segment, after which IS-IS for SPB floods this binding, and all nodes that need to install forwarding state to implement the LAN segment do so automatically.

The Carrier-space equivalent of this application is the delivery of Ethernet VPN services to Enterprises over common Carrier infrastructure. The required attributes are fundamentally the same; complete transparency for customer Ethernet services (both point-to-point and LAN), and complete isolation between one customer's traffic and that of all other customers. The multiple virtual LAN segment model provides this, and the single-touch provisioning model eases carrier operations. Furthermore, the MAC-in-MAC datapath allows the carrier to deploy the "best in class" Ethernet OAM suite (IEEE 802.1ag, etc.), entirely transparently and independently from any OAM which a customer may choose to run.

A further consequence of SPBM's transparency in both dataplane and control plane is that it provides a perfect, "no compromise" delivery of the complete MEF 6.1 service set. This includes not only E-LINE and E-LAN constructs, but also E-TREE (hub-and-spoke) connectivity. This latter is clearly very relevant to Enterprise customers of Carrier VPN services which have this network structure internally. It also provides the carrier with the toolkit to support geo-redundant broadband backhaul; in this application, many DSLAMs or other access equipment must be backhauled to multiple BNG sites, with application-determined binding of sessions to a BNG. However, DSLAMs must not be allowed to communicate with each other, because carriers then lose the ability to control peer-to-peer connectivity. MEF E-TREE does just this, and further provides an efficient multicast fabric for the distribution of IP-TV.

SPBM offers both the ideal multicast replication model, where packets are replicated only at fork points in the shortest path tree that connects members, and also the less state intensive head end replication model where in essence serial unicast packets are sent to all other members along the same shortest path first tree. These two models are selected by specifying properties of the service at the edge which affect the transit node decisions on multicast state installation. This allows for a trade-off to be made between optimum transit replication points (with their larger state costs) vs. reduced core state (but much more traffic) of the head end replication model. These selections can be different for different members of the same Individual Service ID (I-SID) allowing different trade-offs to be made for different members.

Figure 5 below is a quick way to understand what SPBM is doing on the scale of the entire network. Figure 5 shows how a 7-member E-LAN is created from the edge membership information and the deterministic distributed calculation of per source, per service trees with transit replication. Head end replication is not shown as it is trivial and simply uses the existing unicast FIBs to forward copies serially to the known other receivers.

25.3 Operations and management

802.1aq builds on all existing Ethernet Operations, administration and management (OA&M). Since 802.1aq ensures that its unicast and multicast packets for a given virtual LAN (VLAN) follow the same forward and reverse path and use completely standard 802 encapsulations, all of the methods of 802.1ag and Y.1731 operate unchanged on an 802.1aq network. See IEEE 802.1ag and ITU recommendation Y.1731 (external link below).

25.4 High level

See also: Data center bridging § Other groups

802.1aq is the Institute of Electrical and Electronics Engineers (IEEE) sanctioned link state Ethernet control plane for all IEEE VLANs covered in IEEE 802.1Q.[21] Shortest Path Bridging virtual local area network identifier (VLAN ID), or Shortest Path Bridging VID (SPBV), provides capability that is backwards compatible with spanning tree technologies. Shortest Path Bridging Media Access Control (MAC), or SPBM (previously known as Provider Backbone Bridging (SPBB)), provides additional values which capitalize on Provider Backbone Bridge (PBB) capabilities. SPB (the generic term for both) combines an Ethernet data path (either IEEE 802.1Q in the case of SPBV, or Provider Backbone Bridges (PBBs) IEEE 802.1ah in the case of SPBM) with an IS-IS link state control protocol running between Shortest Path bridges (network-to-network interface (NNI) links). The link state protocol is used to discover and advertise the network topology and compute shortest path trees (SPT) from all bridges in the SPT Region.

In SPBM, the Backbone MAC (B-MAC) addresses of the participating nodes and also the service membership information for interfaces to non-participating devices (user network interface (UNI) ports) are distributed. Topology data is then input to a calculation engine which computes symmetric shortest path trees based on minimum cost from each participating node to all other participating nodes. In SPBV these trees provide a shortest path tree where individual MAC addresses can be learned and Group Address membership can be distributed. In SPBM the shortest path trees are then used to populate forwarding tables for each participating node's individual B-MAC addresses and for Group addresses; Group multicast trees are sub trees of the default shortest path tree formed by (Source, Group) pairing. Depending on the topology several different equal cost multi path trees are possible and SPB supports multiple algorithms per IS-IS instance.

In SPB as with other link state based protocols, the computations are done in a distributed fashion. Each node computes the Ethernet compliant forwarding behavior independently based on a normally synchronized common view of the network (at scales of about 1000 nodes or less) and the service attachment points (user network interface (UNI) ports). Ethernet filtering database (forwarding) tables are populated locally so that each node independently and deterministically implements its portion of the network forwarding behavior.

The two different flavors of data path give rise to two slightly different versions of this protocol. One (SPBM) is intended where complete isolation of many separate instances of client LANs and their associated device MAC addresses is desired, and it therefore uses a full encapsulation (MAC-in-MAC a.k.a. IEEE 802.1ah). The other (SPBV) is intended where such isolation of client device MAC addresses is not necessary, and it reuses only the existing VLAN tag a.k.a. IEEE 802.1Q on participating network-to-network interface (NNI) links.
Chronologically SPBV came first, with the project originally being conceived to address scalability and convergence of MSTP.

At the time the specification of Provider Backbone Bridging was progressing and it became apparent that leveraging both the PBB data plane and a link state control plane would significantly extend Ethernet's capabilities and applications. Provider Link State Bridging (PLSB) was a strawman proposal brought to the IEEE 802.1aq Shortest Path Bridging Working Group, in order to provide a concrete example of such a system. As IEEE 802.1aq standardization has progressed, some of the detailed mechanisms proposed by PLSB have been replaced by functional equivalents, but all of the key concepts embodied in PLSB are being carried forward into the standard.

The two flavors (SPBV and SPBM) will be described separately although the differences are almost entirely in the data plane.

25.4.1 Shortest Path Bridging-VID

Shortest Path Bridging enables shortest path trees for VLAN bridges across all IEEE 802.1 data planes, and SPB is the term used in general. Recently there has been a lot of focus on SPBM, as explained, due to its ability to control the new PBB data plane and leverage certain capabilities such as removing the need to do B-MAC learning and automatically creating individual (unicast) and group (multicast) trees. SPBV was actually the original project that endeavored to enable Ethernet VLANs to better utilize mesh networks. A primary feature of Shortest Path Bridging is the ability to use link state IS-IS to learn network topology.

In SPBV the mechanism used to identify the tree is to use a different Shortest Path VLAN ID (VID) for each source bridge. The IS-IS topology is leveraged both to allocate unique SPVIDs and to enable shortest path forwarding for individual and group addresses. Originally targeted for small low configuration networks, SPB grew into a larger project encompassing the latest provider control plane for SPBV and harmonizing the concepts of the Ethernet data plane. Proponents of SPB believe that Ethernet can leverage link state and maintain the attributes that have made Ethernet one of the most encompassing data plane transport technologies.

When we refer to Ethernet it is the layer 2 frame format defined by IEEE 802.3 and IEEE 802.1. Ethernet VLAN bridging IEEE 802.1Q is the frame forwarding paradigm that fully supports higher level protocols such as IP.

SPB defines a shortest path Region which is the boundary of the shortest path topology and the rest of the VLAN topology (which may be any number of legacy bridges). SPB operates by learning the SPB capable bridges and growing the Region to include the SPB capable bridges that have the same Base VID and MSTID configuration digest (Allocation of VIDs for SPB purposes).

SPBV builds shortest path trees that support loop prevention and optionally support loop mitigation on the SPVID. SPBV still allows learning of Ethernet MAC addresses but it can distribute multicast addresses that can be used to prune the shortest path trees according to the multicast membership either through Multiple MAC Registration Protocol (MMRP) or directly using IS-IS distribution of multicast membership.

SPBV builds shortest path trees but also interworks with legacy bridges running Rapid Spanning Tree Protocol and Multiple Spanning Tree Protocol. SPBV uses techniques from MSTP Regions to interwork with non-SPT regions, behaving logically as a large distributed bridge as viewed from outside the region.

SPBV supports shortest path trees but SPBV also builds a spanning tree which is computed from the link state database and uses the Base VID. This means that SPBV can use this traditional spanning tree for computation of the Common and Internal Spanning Tree (CIST). The CIST is the default tree used to interwork with other legacy bridges. It also serves as a fall back spanning tree if there are configuration problems with SPBV.

SPBV has been designed to manage a moderate number of bridges. SPBV differs from SPBM in that MAC addresses are learned on all bridges that lie on the shortest path, and shared VLAN learning is used since destination MACs may be associated with multiple SPVIDs. SPBV learns all MACs it forwards, even outside the SPBV region.

25.4.2 Shortest Path Bridging-MAC

SPBM reuses the PBB data plane, which does not require that the Backbone Core Bridges (BCB) learn encapsulated client addresses. At the edge of the network the C-MAC (client) addresses are learned. SPBM is very similar to PLSB (Provider Link State Bridging), using the same data and control planes, but the format and contents of the control messages in PLSB are not compatible.

Individual MAC frames (unicast traffic) from an Ethernet attached device that are received at the SPBM edge are encapsulated in a PBB (MAC-in-MAC) IEEE 802.1ah header and then traverse the IEEE 802.1aq network unchanged until they are stripped of the encapsulation as they egress back to the non participating attached network at the far side of the participating network.

Ethernet destination addresses (from UNI port attached devices) perform learning over the logical LAN and are forwarded to the appropriate participating B-MAC address to reach the far end Ethernet destination. In this manner Ethernet MAC addresses are never looked up in the core of an IEEE 802.1aq network.

When comparing SPBM to PBB, the behavior is almost identical to a PBB IEEE 802.1ah network. PBB does not specify how B-MAC addresses are learned, and PBB may use a spanning tree to control the B-VLAN. In SPBM the main difference is that B-MAC addresses are distributed or computed in the control plane, eliminating the B-MAC learning of PBB. Also SPBM ensures that the route followed is a shortest path tree.

The forward and reverse paths used for unicast and multicast traffic in an IEEE 802.1aq network are symmetric. This symmetry permits the normal Ethernet Continuity Fault Messages (CFM) IEEE 802.1ag to operate unchanged for SPBV and SPBM and has desirable properties with respect to time distribution protocols such as Precision Time Protocol (PTP Version 2). Also existing Ethernet loop prevention is augmented by loop mitigation to provide fast data plane convergence.

Group address and unknown destination individual frames are optimally transmitted to only members of the same Ethernet service. IEEE 802.1aq supports the creation of thousands of logical Ethernet services in the form of E-LINE, E-LAN or E-TREE constructs which are formed between non participating logical ports of the IEEE 802.1aq network. These group address packets are encapsulated with a PBB header which indicates the source participating address in the SA while the DA indicates the locally significant group address this frame should be forwarded on and which source bridge originated the frame. The IEEE 802.1aq multicast forwarding tables are created based on computations such that every bridge which is on the shortest path between a pair of bridges which are members of the same service group will create proper forwarding database (FDB) state to forward or replicate frames it receives to the members of that service group. Since the group address computation produces shortest path trees, there is only ever one copy of a multicast packet on any given link. Since only bridges on a shortest path between participating logical ports create forwarding database (FDB) state, the multicast makes efficient use of network resources.

The actual group address forwarding operation operates more or less identically to classical Ethernet: the backbone destination address (B-DA) + backbone VLAN identifier (B-VID) combination is looked up to find the egress set of next hops. The only difference compared with classical Ethernet is that reverse learning is disabled for participating bridge backbone media access control (B-MAC) addresses and is replaced with an ingress check and discard (when the frame arrives on an incoming interface from an unexpected source). Learning is however implemented at the edges of the SPBM multicast tree to learn the B-MAC to MAC address relationship for correct individual frame encapsulation in the reverse direction (as packets arrive over the interface).

Properly implemented, an IEEE 802.1aq network can support up to 1000 participating bridges and provide tens of thousands of layer 2 E-LAN services to Ethernet devices. This can be done by simply configuring the ports facing the Ethernet devices to indicate they are members of a given service. As new members come and go, the IS-IS protocol will advertise the I-SID membership changes and the computations will grow or shrink the trees in the participating node network as necessary to maintain the efficient multicast property for that service.

IEEE 802.1aq has the property that only the point of attachment of a service needs configuration when a new attachment point comes or goes. The trees produced by the computations will automatically be extended or pruned as necessary to maintain connectivity. In some existing implementations this property is used to automatically (as opposed to through configuration) add or remove attachment points for dual-homed technologies such as rings to maintain optimum packet flow between a non participating ring protocol and the IEEE 802.1aq network by activating a secondary attachment point and deactivating a primary attachment point.
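The edge behaviour described above (MAC-in-MAC encapsulation on ingress, decapsulation on egress, C-MAC to B-MAC learning only at the edge, and a B-DA + B-VID lookup that is all the core ever sees), as an added Python example that is not part of the 802.1aq text or any vendor implementation. It assumes the B-MAC convention 00:00:00:00:N:00 used in the worked example later in this chapter, made-up client MACs, and a simplified layout for the service group B-DA (group bit set in the first octet, a 16-bit source-bridge field, then the 24-bit I-SID) in place of the standard's SPSourceID || I-SID form:

```python
"""Added example (not from the standard or any vendor code): an SPBM edge bridge.

PBB (IEEE 802.1ah) header layout used here, field widths as in the standard:
  B-DA(6) B-SA(6) | B-TAG: TPID 0x88A8 + PCP/DEI/B-VID (2)
  | I-TAG: TPID 0x88E7 + PCP/DEI/UCA/reserved/I-SID (4) | client frame (C-DA, C-SA, ...)
Assumed: B-MACs 00:00:00:00:N:00, made-up client MACs, simplified group B-DA layout.
"""
import struct

BTAG_TPID, ITAG_TPID = 0x88A8, 0x88E7
PBB_HEADER_LEN = 6 + 6 + 4 + 6


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def group_bmac(sp_source_id, isid):
    """Service group B-DA (assumed layout): I/G bit set, source bridge, then 24-bit I-SID.
    The DA thus names both the service tree and the bridge that originated the frame."""
    return bytes([0x03]) + struct.pack("!H", sp_source_id) + (isid & 0xFFFFFF).to_bytes(3, "big")


def client_frame(cda, csa, ethertype, payload):
    """Constructed client (C-MAC) frame as it arrives on a UNI port."""
    return mac(cda) + mac(csa) + struct.pack("!H", ethertype) + payload


class SpbmEdge:
    """A backbone edge bridge: encapsulates on ingress, decapsulates on egress, and
    learns C-MAC -> B-MAC only here. Core bridges never look at client addresses."""

    def __init__(self, bmac, sp_source_id):
        self.bmac, self.sp_source_id = mac(bmac), sp_source_id
        self.cmac_table = {}  # (isid, client MAC) -> B-MAC of the remote edge

    def encapsulate(self, frame, isid, bvid):
        cda = frame[:6]
        # Known unicast C-DA -> unicast B-DA of the remote edge. Unknown or group C-DA ->
        # the (source, I-SID) group address, so only members of the service receive it.
        bda = self.cmac_table.get((isid, cda)) or group_bmac(self.sp_source_id, isid)
        btag = struct.pack("!HH", BTAG_TPID, bvid & 0x0FFF)   # PCP/DEI left zero
        itag = struct.pack("!HI", ITAG_TPID, isid & 0xFFFFFF)  # PCP/DEI/UCA left zero
        return bda + self.bmac + btag + itag + frame

    def decapsulate(self, pbb):
        bsa = pbb[6:12]
        btpid, btci = struct.unpack("!HH", pbb[12:16])
        itpid, itci = struct.unpack("!HI", pbb[16:22])
        if btpid != BTAG_TPID or itpid != ITAG_TPID:
            raise ValueError("not a PBB frame")
        frame, isid = pbb[PBB_HEADER_LEN:], itci & 0xFFFFFF
        # Edge learning: the client source now maps to the B-SA it arrived from, so the
        # reply in the reverse direction can be unicast-encapsulated.
        self.cmac_table[(isid, frame[6:12])] = bsa
        return btci & 0x0FFF, isid, frame


def core_lookup_key(pbb):
    """Everything a core bridge consults for forwarding: B-DA and B-VID. The rest of the
    frame, client header included, is opaque and passes through unchanged."""
    return pbb[:6], struct.unpack("!HH", pbb[12:16])[1] & 0x0FFF


if __name__ == "__main__":
    edge7 = SpbmEdge("00:00:00:00:07:00", 7)
    edge5 = SpbmEdge("00:00:00:00:05:00", 5)
    first = edge7.encapsulate(client_frame("00:cc:00:00:00:03", "00:aa:00:00:00:01", 0x0800, b"hi"), 100, 101)
    print("first frame B-DA (group):", first[:6].hex(":"), "key:", core_lookup_key(first))
    edge5.decapsulate(first)
    reply = edge5.encapsulate(client_frame("00:aa:00:00:00:01", "00:cc:00:00:00:03", 0x0800, b"ok"), 100, 101)
    print("reply B-DA (learned unicast):", reply[:6].hex(":"))
```

The first frame from a client behind node 7 is flooded on the service's group tree because the edge has not yet learned where the destination C-MAC lives; the edge at node 5 learns the C-SA to B-SA binding while decapsulating, so its reply, and everything after it, is unicast to 00:00:00:00:07:00. The encapsulated frame's length and client header never change between the two edges.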
Both SPBV and SPBM inherit the rapid convergence of a link state control plane. A special attribute of SPBM is its ability to rebuild multicast trees in a similar time to unicast convergence, because it substitutes computation for signaling. When an SPBM bridge has performed the computations on a topology database, it knows whether it is on the shortest path between a root and one or more leaves of the SPT and can install state accordingly. Convergence is not gated by incremental discovery of a bridge's place on a multicast tree by the use of separate signaling transactions. However, SPBM on a node does not operate completely independently of its peers, and enforces agreement on the current network topology with its peers. This very efficient mechanism uses exchange of a single digest of link state covering the entire network view, and does not need agreement on each path to each root individually. The result is that the volume of messaging exchanged to converge the network is in proportion to the incremental change in topology and not the number of multicast trees in the network. A simple link event that may change many trees is communicated by signaling the link event only; the consequent tree construction is performed by local computation at each node. The addition of a single service access point to a service instance involves only the announcement of the I-SID, regardless of the number of trees. Similarly the removal of a bridge, which might involve the rebuilding of hundreds to thousands of trees, is signaled only with a few link state updates.

Commercial offerings will likely offer SPB over multi-chassis LAG. In this environment multiple switch chassis appear as a single switch to the SPB control plane, and multiple links between pairs of chassis appear as an aggregate link. In this context a single link or node failure is not seen by the control plane and is handled locally, resulting in sub 50 ms recovery times.

25.4.3 Failure recovery

Failure recovery is as per normal IS-IS, with the link failure being advertised and new computations being performed, resulting in new FDB tables. Since no Ethernet addresses are advertised or known by this protocol, there is no re-learning required by the SPBM core and its learned encapsulations are unaffected by a transit node or link failure.

Fast link failure detection may be performed using IEEE 802.1ag Continuity Check Messages (CCMs) which test link status and report a failure to the IS-IS protocol. This allows much faster failure detection than is possible using the IS-IS hello message loss mechanisms.

25.4.4 Animations

Following are three animated GIFs which help to show the behavior of 802.1aq.

The first of these GIFs, shown in Figure 5, demonstrates the routing in a 66 node network where we have created a 7-member E-LAN using I-SID 100. In this example we show the ECT tree created from each member to reach all of the other members. We cycle through each member to show the full set of trees created for this service. We pause at one point to show the symmetry of routing between two of the nodes and emphasize it with a red line. In each case the source of the tree is highlighted with a small purple V.

The second of these animated GIFs, shown in Figure 6, demonstrates 8 ECT paths in the same 66 node network as Figure 5. In each subsequent animated frame the same source is used (in purple) but a different destination is shown (in yellow). For each frame, all of the shortest paths are shown superimposed between the source and destination. When two shortest paths traverse the same hop, the thickness of the lines being drawn is increased. In addition to the 66 node network, a small multi level Data Center style network is also shown with sources and destinations both within the servers (at the bottom) and from servers to the router layer at the top. This animation helps to show the diversity of the ECT being produced.

The last of these animated GIFs, shown in Figure 7, demonstrates source destination ECT paths using all 16 of the standard algorithms currently defined.

• Figure 5 - Animated E-LAN example in a 66 node 802.1aq network with 7 members
• Figure 6 - Animated ECT example in a 66 node 802.1aq network with 8 ECT
• Figure 7 - Animated ECT example in a 36 node 802.1aq network with 16 ECT

25.5 Details

25.5.1 Equal Cost Multi Tree

Shown below are three figures [5,6,7] which show 8 and 16 equal cost tree (ECT) behavior in different network topologies. These are composites of screen captures of an 802.1aq network emulator and show the source in purple, the destination in yellow, and then all the computed and available shortest paths in pink. The thicker the line, the more shortest paths use that link. The animations show three different networks and a variety of source and destination pairs which continually change to help visualize what is happening.

Sixteen equal cost multi tree (ECMT) paths are initially defined, however there are many more possible. ECMT in an IEEE 802.1aq network is more predictable than with internet protocol (IP) or multiprotocol label switching (MPLS) because of symmetry between the forward and reverse paths. The choice as to which ECMT path will be used is therefore an operator assigned head end decision, while it is a local / hashing decision with IP/MPLS.

IEEE 802.1aq, when faced with a choice between two equal link cost paths, uses the following logic for its first ECMT tie breaking algorithm: first, if one path is shorter than the other in terms of hops, the shorter path is chosen; otherwise, the path with the minimum Bridge Identifier { BridgePriority concatenated with (IS-IS SysID) } is chosen. Other ECMT algorithms are created by simply using known permutations of the BridgePriority||SysIds. For example, the second defined ECMT algorithm uses the path with the minimum of the inverse of the BridgeIdentifier and can be thought of as taking the path with the maximum node identifier. For SPBM, each permutation is instantiated as a distinct B-VID. The upper limit of multipath permutations is gated by the number of B-VIDs delegated to 802.1aq operation, a maximum of 4094, although the number of useful path permutations would only require a fraction of the available B-VID space. Fourteen additional ECMT algorithms are defined with different bit masks applied to the BridgeIdentifiers. Since the BridgeIdentifier includes a priority field, it is possible to adjust the ECMT behavior by changing the BridgePriority up or down.

A service is assigned to a given ECMT B-VID at the edge of the network by configuration. As a result, non participating packets associated with that service are encapsulated with the VID associated with the desired ECMT end to end path. All individual and group address traffic associated with this service will therefore use the proper ECMT B-VID and be carried symmetrically end to end on the proper equal cost multi path. Essentially the operator decides which services go in which ECMT paths, unlike a hashing solution used in other systems such as IP/MPLS. Trees can support link aggregation (LAG) groups within a tree "branch" segment where some form of hashing occurs. This symmetric and end to end ECMT behavior gives IEEE 802.1aq a highly predictable behavior and offline engineering tools can accurately model exact data flows. The behavior is also advantageous to networks where one way delay measurements are important. This is because the one way delay can be accurately computed as 1/2 the round trip delay. Such computations are used by time distribution protocols such as IEEE 1588 for frequency and time of day synchronization as required between precision clock sources and wireless base stations.

The equal cost tree (ECT) algorithms can be extended almost without limit through the use of OPAQUE data, which allows extensions beyond the base 16 algorithms. It is expected that other standards groups or vendors will produce variations on the currently defined algorithms with behaviors suited for different network styles. It is expected that numerous shared tree models will also be defined, as will hop by hop hash based equal-cost multi-path (ECMP) style behaviors, all defined by a VID and an algorithm that every node agrees to run.

25.5.2 Traffic placement/engineering

802.1aq does not spread traffic on a hop by hop basis. Instead, 802.1aq allows assignment of a Service ID (I-SID) to a VLAN ID (VID) at the edge of the network. A VID will correspond to exactly one of the possible sets of shortest paths in the network and will never stray from that routing. If there are 10 or so shortest paths between different nodes, it is possible to assign different services to different paths and to know that the traffic for a given service will follow exactly the given path. In this manner traffic can easily be assigned to the desired shortest path. In the event that one of the paths becomes overloaded it is possible to move some services off those shortest paths by reassigning the service's I-SID to a different, less loaded, VID at the edges of the network.

The deterministic nature of the routing makes offline prediction/computation/experimentation of the network loading much simpler since actual routes are not dependent on the contents of the packet headers with the exception of the VLAN identifier.

Figure 4 - Equal Cost Shortest Path: assignment to services
Figure 1 - example nodes, links and interface indexes

Figure 4 shows four different equal cost paths between nodes 7 and 5.
An operator can achieve relatively good balance of traffic across the cut between nodes [0 and 2] and [1 and 3] by assigning the services at nodes 7 and 5 to one of the four desired VIDs. Using more than 4 equal cost tree (ECT) paths in the network will likely allow all 4 of these paths to be used. Balance can also be achieved between nodes 6 and 4 in a similar manner.

In the event that an operator does not wish to manually assign services to shortest paths it is a simple matter for a switch vendor to allow a simple hash of the I-SID to one of the available VIDs to give a degree of non-engineered spreading. For example, the I-SID modulo the number of ECT-VIDs could be used to decide on the actual relative VID to use.

In the event that the ECT paths are not sufficiently diverse the operator has the option of adjusting the inputs to the distributed ECT algorithms to apply attraction or repulsion from a given node by adjusting that node's Bridge Priority. This can be experimented with via offline tools until the desired routes are achieved, at which point the bias can be applied to the real network and then I-SIDs can be moved to the resulting routes.

Looking at the animations in Figure 6 shows the diversity available for traffic engineering in a 66 node network. In this animation there are 8 ECT paths available from each highlighted source to destination and therefore services could be assigned to 8 different pools based on the VID. One such initial assignment in Figure 6 could therefore be (I-SID modulo 8) with subsequent fine tuning as required.

25.5.3 Example

We will work through SPBM behavior on a small example, with emphasis on the shortest path trees for unicast and multicast.

The network shown in Figure 1 consists of 8 participating nodes numbered 0 through 7. These would be switches or routers running the IEEE 802.1aq protocol. Each of the 8 participating nodes has a number of adjacencies numbered 1..5. These would likely correspond to interface indexes, or possibly port numbers. Since 802.1aq does not support parallel interfaces each interface corresponds to an adjacency. The port / interface index numbers are of course local and are shown because the output of the computations produces an interface index (in the case of unicast) or a set of interface indexes (in the case of multicast) which are part of the forwarding information base (FIB) together with a destination MAC address and backbone VID.

The network has a fully meshed inner core of four nodes (0..3) and then four outer nodes (4, 5, 6 and 7), each dual-homed onto a pair of inner core nodes.

Normally when nodes come from the factory they have a MAC address assigned which becomes a node identifier, but for the purpose of this example we will assume that the nodes have MAC addresses of the form 00:00:00:00:N:00 where N is the node id (0..7) from Figure 1. Therefore, node 2 has a MAC address of 00:00:00:00:02:00. Node 2 is connected to node 7 (00:00:00:00:07:00) via node 2's interface/5.

The IS-IS protocol runs on all the links shown since they are between participating nodes. The IS-IS hello protocol has a few additions for 802.1aq including information about backbone VIDs to be used by the protocol. We will assume that the operator has chosen to use backbone VIDs 101 and 102 for this instance of 802.1aq on this network. The nodes will use their MAC addresses as the IS-IS SysId, join a single IS-IS level and exchange link state packets (LSPs in IS-IS terminology). The LSPs will contain node information and link information such that every node will learn the full topology of the network. Since we have not specified any link weights in this example, the IS-IS protocol will pick a default link metric for all links, therefore all routing will be minimum hop count.

After topology discovery the next step is distributed calculation of the unicast routes for both ECMP VIDs and population of the unicast forwarding tables (FIBs).

Consider the route from Node 7 to Node 5: there are a number of equal cost paths. 802.1aq specifies how to choose two of them: the first is referred to as the Low PATH ID path. This is the path which has the minimum node id on it. In this case the Low PATH ID path is the 7->0->1->5 path (as shown in red in Figure 2). Therefore, each node on that path will create a forwarding entry toward the MAC address of node 5 using the first ECMP VID 101. Conversely, 802.1aq specifies a second ECMP tie breaking algorithm called High PATH ID. This is the path with the maximum node identifier on it and in the example is the 7->2->3->5 path (shown in blue in Figure 2).

Figure 2 - two ECMP paths between nodes 7 and 5

• MAC 00:00:00:00:05:00 / vid 102 the next hop is interface/2.

And Node 2 will have entries as follows:

• MAC 00:00:00:00:05:00 / vid 101 the next hop is interface/2.
• MAC 00:00:00:00:05:00 / vid 102 the next hop is interface/3.
• MAC 00:00:00:00:07:00 / vid 101 the next hop is interface/5.
• MAC 00:00:00:00:07:00 / vid 102 the next hop is interface/5.

If we had an attached non participating device at Node 7 talking to a non participating device at Node 5 (for example Device A talks to Device C in Figure 3), they would communicate over one of these shortest paths with a MAC-in-MAC encapsulated frame. The MAC header on any of the NNI links would show an outer source address of 00:00:00:00:07:00, an outer destination address of 00:00:00:00:05:00 and a B-VID of either 101 or 102 depending on which has been chosen for this set of non participating ports/vids. The header, once inserted at node 7 when received from Device A, would not change on any of the links until it egressed back to non participating Device C at Node 5.
All participating devices would do a simNode 7 will therefore have a FIB that among other things ple DA+VID lookup to determine the outgoing interface, and would also check that incoming interface is the proper indicates: next hop for the packet’s SA+VID. The addresses of the participating nodes 00:00:00:00:00:00 ... 00:00:00:07:00 • MAC 00:00:00:05:00 / vid 101 the next hop is inare never learned but are advertised by IS-IS as the node’s terface/1. SysId. • MAC 00:00:00:05:00 / vid 102 the next hop is in- Unicast forwarding to a non-participating client (e.g. A, terface/2. B, C, D from Figure 3) address is of course only possible when the first hop participating node (e.g. 7) is able Node 5 will have exactly the inverse in its FIB: to know which last hop participating node (e.g. 5) is attached to the desired non participating node (e.g. C). • MAC 00:00:00:07:00 / vid 101 the next hop is in- Since this information is not advertised by IEEE 802.1aq it has to be learned. The mechanism for learning is identerface/1. tical to IEEE 802.1ah, in short, the corresponding outer • MAC 00:00:00:07:00 / vid 102 the next hop is in- MAC unicast DA, if not known is replaced by a multiterface/2. cast DA and when a response is received, the SA of that response now tells us the DA to use to reach the non parThe intermediate nodes will also produce consistent re- ticipating node that sourced the response. e.g. node 7 sults so for example node 1 will have the following en- learns that C is reached by node 5. tries. Since we wish to group/scope sets of non participating ports into services and prevent them from multicasting to • MAC 00:00:00:07:00 / vid 101 the next hop is in- each other, IEEE 802.1aq provides mechanism for per terface/5. source, per service multicast forwarding and defines a • MAC 00:00:00:07:00 / vid 102 the next hop is in- special multicast destination address format to provide this. Since the multicast address must uniquely identify terface/4. 
the tree, and because there is a tree per source per unique • MAC 00:00:00:05:00 / vid 101 the next hop is in- service, the multicast address contains two components, a terface/2. service component in the low order 24 bits and a network 90 CHAPTER 25. IEEE 802.1AQ 25.6 Implementation notes 802.1aq takes IS-IS topology information augmented with service attachment (I-SID) information, does a series of computations and produces a forwarding table (filtering table) for unicast and multicast entries. The IS-IS extensions that carry the information required by 802.1aq are given in the isis-layer2 IETF document listed below. Figure 3 - per source, per service multicast for E-LAN wide unique identifier in the upper 22 bits. Since this is a multicast address the multicast bit is set, and since we are not using the standard OUI space for these manufactured addresses, the Local 'L' bit is set to disambiguate these addresses. In Figure 3 above, this is represented with the DA=[7,O] where the 7 represents packets originating from node 7 and the colored O represents the E-LAN service we are scoped within. An implementation of 802.1aq will first modify the ISIS hellos to include an NLPID (network layer protocol identifier) of 0xC01 in their Protocols-Supported Typelength-value (TLV) (type 129) which has been reserved for 802.1aq. The hellos also must include an MSTID (which gives the purpose of each VID) and finally each ECMT behavior must be assigned to a VID and exchanged in the hellos. The hellos would normally run untagged. Note that NLPID of IP is not required to form an adjacency for 802.1aq but also will not prevent an adjacency when present. The links are assigned 802.1aq specific metrics which travel in their own TLV (Type Length Value) which is more or less identical to the IP link metrics. The calculations will always use the maximum of the two unidirectional link metrics to enforce symmetric route weights. 
The node is assigned a mac address to identify it globally and this is used to form the IS-IS SYSID. A box mac would normally serve this purpose. The Area-Id is not directly used by 802.1aq but should of course be the Prior to creating multicast forwarding for a service, nodes same for nodes in the same 802.1aq network. Multiple with ports that face that service must be told they are areas/levels are not yet supported. members. For example, nodes 7,4,5 and 6 are told they are members of the given service, for example service The node is further assigned an SPSourceID which is a 200, and further that they should be using bvid 101. This 20 bit network wide unique identifier. This can often be is advertised by ISIS and all nodes then do the SPBM the low 20 bits of the SYSID (if unique) or can be dycomputation to determine if they are participating either namically negotiated or manually configured. as a head end or tail end, or a tandem point between other The SPSourceID and the ECMT assignments to B-VIDs head and tail ends in the service. Since node 0 is a tan- are then advertised into the IS-IS network in their own dem between nodes 7 and 5 it creates a forwarding entry 802.1aq TLV. for packets from node 7 on this service, to node 5. Likewise, since it is a tandem between nodes 7 and 4 it creates The 802.1aq computations are restricted to links between nodes that have an 802.1aq link weight and which supforwarding state from node 7 for packets in this service to node 4 this results in a true multicast entry where the port the NLPID 0xC01. As previously discussed the link DA/VID have outputs on two interfaces 1 and 2. Node 2 weights are forced to be symmetric for the purpose of on the other hand is only on one shortest path in this ser- computation by taking the min of two dissimilar values. vice and only creates a single forwarding entry from node When a service is configured in the form of an I-SID as7 to node 6 for packets in this service. 
signment to an ECMT behavior that I-SID is then adverFigure 3 only shows a single E-LAN service and only the tised along with the desired ECMT behavior and an intree from one of the members, however very large num- dication of its transmit, receive properties (a new Typebers of E-LAN services with membership from 2 to every length-value is used for this purpose of course). node in the network can be supported by advertising the membership, computing the tandem behaviors, manufacturing the known multicast addresses and populating the FIBs. The only real limiting factors are the FIB table sizes and computational power of the individual devices both of which are growing yearly in leaps and bounds. When an 802.1aq node receives an IS-IS update it will compute the unique shortest path to all other IS-IS nodes that support 802.1aq. There will be one unique (symmetric) shortest path per ECMT behavior. The tie breaking used to enforce this uniqueness and ECMT is described below. 25.6. IMPLEMENTATION NOTES 91 The unicast FDB/FIB will be populated based on this first that they are symmetric. This is done by simply taking shortest path computation. There will be one entry per the MIN of the two values at both ends prior to doing any ECMT behavior/B-VID produced. computations. This alone does not guarantee symmetry The transit multicast computation (which only applies however. when transit replication is desired and not applicable to services that have chosen head end replication) can be implemented in many ways, care must be taken to keep this efficient, but in general a series of shortest path computations must be done. The basic requirement is to decide 'am I on the shortest path between two nodes one of which transmits an I-SID and the other receives that I-SID.' 
Rather poor performing pseudo-code for this computation looks something like this:

    for each NODE in network which originates at least one transmit ISID do {
        SPF = compute the shortest path trees from NODE for all ECMT B-VIDs.
        for each ECMT behavior {
            for each NEIGHBOR of NODE {
                if NEIGHBOR is on the SPF towards NODE for this ECMT {
                    T = NODE's transmit ISIDs unioned with all receive ISIDs below us on SPF
                    for each ISID in T {
                        create/modify multicast entry where [
                            MAC-DA = NODE.SpsourceID:20||ISID:24||LocalBit:1||MulticastBit:1
                            B-VID = VID associated with this ECMT
                            out port = interface to NEIGHBOR
                            in port = port towards NODE on the SPF for this ECMT
                        ]
                    }
                }
            }
        }
    }

The above pseudo code computes many more SPFs than strictly necessary in most cases, and better algorithms are known to decide if a node is on a shortest path between two other nodes. A reference to a paper presented at the IEEE which gives a much faster algorithm that drastically reduces the number of outer iterations required is given below.

Figure 7 - Tie Breaking and path identifiers

The 802.1aq standard describes a mechanism called a PATHID which is a network-wide unique identifier for a path. This is a useful logical way to understand how to deterministically break ties but is not how one would implement such a tie-breaker in practice. The PATHID is defined as just the sequence of SYSIDs that make up the path (not including the end points), sorted. Every path in the network therefore has a unique PATHID independent of where in the network the path is discovered.

802.1aq simply always picks the lowest PATHID path when a choice presents itself in the shortest path computations. This ensures that every node will make the same decision.
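The lowest-PATHID rule just described, applied to the Figure 1 topology of the Example section, as an added worked example (this is the editor's code, not the article's pseudo-code above and not any 802.1aq implementation): it enumerates the equal-cost paths, keeps one per B-VID by masked PATHID, reproduces the unicast FIB entries listed for nodes 7, 5, 1 and 2, and answers the tandem question for the service whose members are nodes 7, 4, 5 and 6. The interface numbers the article quotes are kept; the remaining interface indexes and the core pairs serving nodes 4 and 6 are assumptions.

```python
# Added example (not the article's pseudo-code or any vendor's code): Low/High
# PATHID tie-breaking, unicast FIB population and the multicast tandem check
# on the Figure 1 topology of the Example section.
from collections import deque
from itertools import product

# Constructed topology: full-mesh core 0..3, outer nodes 4..7 dual-homed.
# PORTS[node] maps local interface index -> neighbour. Interface numbers the
# article quotes are reproduced (node 7: if/1->0, if/2->2; node 2: if/2->1,
# if/3->3, if/5->7; node 1: if/2->5, if/4->2, if/5->0; node 5: if/1->1,
# if/2->3; node 0: if/1->1, if/2->4); the other indexes and the homing of
# node 4 onto (0,1) and node 6 onto (2,3) are assumptions.
PORTS = {
    0: {1: 1, 2: 4, 3: 2, 4: 3, 5: 7},
    1: {1: 3, 2: 5, 3: 4, 4: 2, 5: 0},
    2: {1: 0, 2: 1, 3: 3, 4: 6, 5: 7},
    3: {1: 0, 2: 1, 3: 2, 4: 5, 5: 6},
    4: {1: 0, 2: 1},
    5: {1: 1, 2: 3},
    6: {1: 2, 2: 3},
    7: {1: 0, 2: 2},
}
# ECT-MASK[1] = 0x00 (Low PATHID, B-VID 101), ECT-MASK[2] = 0xFF (High
# PATHID, B-VID 102); the 64-bit mask is that byte repeated, so XOR-ing the
# single significant byte of each SysId gives the same ordering.
ECT_VIDS = {101: 0x00, 102: 0xFF}

def mac(node):
    """Article convention: node N has SysId/MAC 00:00:00:00:N:00."""
    return "00:00:00:00:%02x:00" % node

def port_to(node, neighbour):
    """Local interface index on `node` that faces `neighbour`."""
    return next(p for p, n in PORTS[node].items() if n == neighbour)

def all_shortest_paths(src, dst):
    """Every minimum-hop path src -> dst (default metrics, so hop count)."""
    dist, parents, queue = {src: 0}, {src: []}, deque([src])
    while queue:
        u = queue.popleft()
        for v in PORTS[u].values():
            if v not in dist:
                dist[v], parents[v] = dist[u] + 1, [u]
                queue.append(v)
            elif dist[v] == dist[u] + 1:
                parents[v].append(u)
    def build(n):
        return [[src]] if n == src else [p + [n] for q in parents[n] for p in build(q)]
    return build(dst)

def pathid(path, mask):
    """PATHID as defined above: sorted masked SysIds of the interior nodes."""
    return sorted(n ^ mask for n in path[1:-1])

def choose_path(src, dst, mask):
    """The one equal-cost path kept for an ECT: lowest masked PATHID wins."""
    return min(all_shortest_paths(src, dst), key=lambda p: pathid(p, mask))

def unicast_fib(node):
    """(destination MAC, B-VID) -> outgoing interface, one entry per ECT."""
    fib = {}
    for dst in PORTS:
        for vid, mask in ECT_VIDS.items():
            if dst != node:
                fib[(mac(dst), vid)] = port_to(node, choose_path(node, dst, mask)[1])
    return fib

def multicast_entry(node, src, members, vid):
    """Per-source, per-service state at `node` for frames `src` sends to the
    other members on B-VID `vid` (the tandem question of the text above).
    Returns (in_port, out_ports), in_port None at the head end, or None when
    `node` lies on no chosen src -> member path."""
    mask, in_port, out_ports = ECT_VIDS[vid], None, set()
    for rx in members - {src}:
        path = choose_path(src, rx, mask)
        if node in path and node != rx:
            i = path.index(node)
            in_port = port_to(node, path[i - 1]) if i else None
            out_ports.add(port_to(node, path[i + 1]))
    return (in_port, frozenset(out_ports)) if out_ports else None

def congruent(mask):
    """The property the tie-breaker must deliver (see Tie-breaking): the same
    path in both directions, and every sub-path of a chosen path is itself
    the chosen path between its own end points."""
    for s, d in product(PORTS, repeat=2):
        if s != d:
            p = choose_path(s, d, mask)
            if choose_path(d, s, mask) != p[::-1]:
                return False
            for i in range(len(p)):
                for j in range(i + 1, len(p)):
                    if choose_path(p[i], p[j], mask) != p[i:j + 1]:
                        return False
    return True

if __name__ == "__main__":
    for vid, mask in ECT_VIDS.items():
        print("B-VID", vid, "7->5 via", choose_path(7, 5, mask))
    print("node 0, service from node 7:", multicast_entry(0, 7, {4, 5, 6, 7}, 101))
```

Running it prints the red 7->0->1->5 and blue 7->2->3->5 paths for B-VIDs 101 and 102, and for node 0 the tandem entry with in port 5 and out ports 1 and 2 that the Example section describes.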
In general though, even the exhaustive algorithm above is more than able to handle several hundred node networks in a few 10's of milliseconds on the 1 GHz or greater common CPUs when carefully crafted.

For ISIDs that have chosen head end replication the computation is trivial and involves simply finding the other attachment points that receive that ISID and creating a serial unicast table to replicate to them one by one.

25.6.1 Tie-breaking

802.1aq must produce deterministic, symmetric, downstream congruent shortest paths. This means that not only must a given node compute the same path forward and reverse, but all the other nodes downstream (and upstream) on that path must also produce the same result. This downstream congruence is a consequence of the hop by hop forwarding nature of Ethernet since only the destination address and VID are used to decide the next hop. It is important to keep this in mind when trying to design other ECMT algorithms for 802.1aq as this is an easy trap to fall into. It begins by taking the unidirectional link metrics that are advertised by ISIS for 802.1aq and ensuring first that they are symmetric.

For example, in Figure 7 above, there are four equal-cost paths between node 7 and node 5 as shown by the colors blue, green, pink and brown. The PATHIDs for these paths are as follows:

• PATHID[brown] = {0,1}
• PATHID[pink] = {0,3}
• PATHID[green] = {1,2}
• PATHID[blue] = {2,3}

The lowest PATHID is therefore the brown path {0,1}.

This low PATHID algorithm has very desirable properties. The first is that it can be done progressively by simply looking for the lowest SYSID along a path, and the second is that an efficient implementation that operates stepwise is possible by simply back-tracking two competing paths and looking for the minimum of the two paths' minimum SYSIDs.

The low PATHID algorithm is the basis of all 802.1aq tie breaking. ECMT is also based on the low PATHID algorithm by simply feeding it different SYSID permutations – one per ECMT algorithm. The most obvious permutation to pass is a complete inversion of the SYSID by XOR-ing it with 0xfff... prior to looking for the min of two minimums. This algorithm is referred to as high PATHID because it logically chooses the largest PATHID path when presented with two equal-cost choices. In the example in figure 7, the path with the highest PATHID is therefore the blue path whose PATHID is {2,3}. Simply inverting all the SYSIDs and running the low PATHID algorithm will yield the same result.

The other 14 defined ECMT algorithms use different permutations of the SYSID by XOR-ing it with different bit masks which are designed to create relatively good distribution of bits. It should be clear that different permutations will result in the purple and green paths being lowest in turn.

The 17 individual 64-bit masks used by the ECT algorithm are made up of the same byte value repeated eight times to fill each 64-bit mask. These 17 byte values are as follows:

    ECT-MASK[17] = { 0x00, 0x00, 0xFF, 0x88, 0x77, 0x44, 0x33, 0xCC,
                     0xBB, 0x22, 0x11, 0x66, 0x55, 0xAA, 0x99, 0xDD, 0xEE };

ECT-MASK[0] is reserved for a common spanning tree algorithm, while ECT-MASK[1] creates the Low PATHID set of shortest path first trees, ECT-MASK[2] creates the High PATHID set of shortest path trees and the other indexes create other relatively diverse permutations of shortest path first trees.

In addition the ECMT tie-breaking algorithms also permit some degree of human override or tweaking. This is accomplished by including a BridgePriority field together with the SYSID such that the combination, called a BridgeIdentifier, becomes the input to the ECT algorithm. By adjusting the BridgePriority up or down a path's PATHID can be raised or lowered relative to others and a substantial degree of tunability is afforded.

The above description gives an easy to understand way to view the tie breaking; an actual implementation simply backtracks from the fork point to the join point in two competing equal-cost paths (usually during the Dijkstra shortest path computation) and picks the path traversing the lowest (after masking) BridgePriority|SysId.

25.7 Interoperability

The first public interoperability tests of IEEE 802.1aq were held in Ottawa in October 2010. Two vendors provided SPBM implementations and a total of 5 physical switches and 32 emulated switches were tested for control/data and OA&M.[22]

Further events were held in Ottawa in January 2011 with 5 vendors and 6 implementations,[23] and at 2013's Interop event at Las Vegas where an SPBM network was used as a backbone.[24][25]

25.8 Competitors

MC-LAG, VXLAN, and QFabric have all been proposed, but the IETF TRILL standard (Transparent Interconnect of Lots of Links) is considered the major competitor of IEEE 802.1aq, and: "the evaluation of relative merits and difference of the two standards proposals is currently a hotly debated topic in the networking industry."[26]

25.9 Deployments

Deployment considerations and interoperability best practices are documented in an IETF document titled "SPB Deployment Considerations".[27]

• 2013 Interop: Networking Leaders Demo Shortest Path Bridging[28]
• 2014 Interop: InteropNet Goes IPv6, Includes Shortest Path Bridging[29]

Avaya is currently the leading exponent of SPB-based deployments; their enhanced and extended implementation of SPB - including integrated Layer 3 IP Routing and IP Multicast functionality - is marketed under the banner of the "Avaya VENA Fabric Connect" technology. Additionally, Avaya is supporting an IETF Internet Draft that defines a means of extending SPBM-based services to end-devices via conventional Ethernet Switches, leveraging an 802.1AB LLDP-based communications protocol; this capability - marketed by Avaya as "Fabric Attach" technology - allows for the automatic attachment of end-devices, and includes dynamic configuration of VLAN/I-SID (VSN) mappings.[30][31]

Avaya have deployed SPB/Fabric Connect solutions for businesses operating across a number of industry verticals:[32]

• Education, examples include: Leeds Metropolitan University,[33] Macquarie University,[34] Pearland Independent School District,[35] Ajman University of Science & Technology[36]
• Transportation, examples include: Schiphol Telematics,[37] Rheinbahn,[38] Sendai City Transportation Bureau,[39] NSB[40]
• Banking & Finance, examples include: Fiducia,[41] Sparebanken Vest[42]
NOTES • Major Events, examples include: 2013 & 2014 Interop (InteropNet Backbone),[43] 2014 Sochi Winter Olympics,[44] Dubai World Trade Center[45][46] • Healthcare, examples include: Oslo University Hospital,[47][48] Concord Hospital,[49] Franciscan Alliance,[50] Sydney Adventist Hospital[51] • Manufacturing, examples include: Fujitsu Technology Solutions[52] • Media, examples include: Schibsted,[30] Medienhaus Lensing,[53] Sanlih Entertainment Television[54] • Government, examples include: City of Redondo Beach,[55] City of Breda,[56] Bezirksamt Neukölln[57] 25.10 Product Support • Alcatel-Lucent 7750-SR, OmniSwitch 6900,[58] OmniSwitch 10K[59] • Avaya VSP 9000 Series[60] • Avaya VSP 8000 Series • Avaya VSP 7000 Series[61] • Avaya VSP 4000 Series[62][63][64][65] (VSP 4450GSX-PWR+, VSP 4850GTS, VSP 4850GTSPWR+, VSP 4850GTS-DC)[66] • Avaya ERS 8800 Series / ERS 8600 Series[67] • Avaya ERS 4800 Series[68] • Enterasys Networks S140 and S180[69][70][71] • Huawei S9300 (prototype only at the moment) • Solana[72] • Spirent[73] • HP 5900, 5920, 5930, 11900,[74][75] 12500,[24] 12900 • IP Infusion’s ZebOS network platform[76] • IXIA[77] • JDSU[78] 25.11 See also • Provider Backbone Bridge Traffic Engineering (PBB-TE) 93 25.12 Notes [1] “Alcatel-Lucent, Avaya, Huawei, Solana and Spirent Showcase Shortest Path Bridging Interoperability”. Huawei. 7 September 2011. Retrieved 11 September 2011. [2] An improved shortest path bridging protocol for Ethernet backbone network. IEEE Xplore. 3 March 2011. doi:10.1109/ICOIN.2011.5723169. ISBN 978-1-61284661-3. ISSN 1976-7684. Retrieved 11 September 2011. [3] “Lab Testing Summary Report; Data Center Configuration with SPB” (PDF). Miercom. September 2011. Retrieved 25 December 2011. [4] Shuang Yu. “IEEE approves new IEEE 802.1aq™ Shortest path bridging”. IEEE Standards Association. Retrieved 19 June 2012. 
Using the IEEE’s next-generation VLAN, called a Service Interface Identifier (I-SID), it is capable of supporting 16 million unique services compared to the VLAN limit of four thousand. [5] Peter Ashwood-Smith (24 February 2011). “Shortest Path Bridging IEEE 802.1aq Overview” (PDF). Huawei. Retrieved 11 May 2012. [6] Jim Duffy (11 May 2012). “Largest Illinois healthcare system uproots Cisco to build $40M private cloud”. PC Advisor. Retrieved 11 May 2012. Shortest Path Bridging will replace Spanning Tree in the Ethernet fabric. [7] “IEEE Approves New IEEE 802.1aq Shortest Path Bridging Standard”. Tech Power Up. 7 May 2012. Retrieved 11 May 2012. [8] D. Fedyk, Ed.,; P. Ashwood-Smith, Ed.,; D. Allan, A. Bragg,; P. Unbehagen (April 2012). “IS-IS Extensions Supporting IEEE 802.1aq”. IETF. Retrieved 12 May 2012. [9] “IS-IS Extensions Supporting IEEE 802.1aq Shortest Path Bridging”. IETF. April 2012. Retrieved 2 April 2012. [10] “802.1aq - Shortest Path Bridging”. [11] JITC (DoD) (16 December 2011). “Special Interoperability Test Certification of the Avaya Ethernet Routing Switch (ERS)8800” (PDF). DISA. Retrieved 20 December 2011. [12] “Shortest Path Bridging 802.1aq - IEEE REVCOM approval today”. 29 March 2012. Retrieved 2 April 2012. [13] Allan, David; Bragg, Nigel (2012). 802.1aq Shortest Path Bridging Design and Evolution : The Architects’ Perspective. New York: Wiley. ISBN 978-1-118-14866-2. [14] Interop: Networking Leaders Demo Shortest Path Bridging • Virtual Enterprise Network Architecture [15] “Sochi 2014 Olympic Winter Games” (PDF). Avaya. 2013. Retrieved 10 December 2013. • Connection-oriented Ethernet [16] “Avaya at Sochi 2014”. Avaya. Retrieved 1 May 2014. 94 [17] James Careless (16 December 2013). “Avaya builds massive Wi-Fi net for 2014 Winter Olympics”. Network World. Archived from the original on 7 April 2015. Retrieved 11 August 2016. [18] “Avaya Extends the Automated Campus to End the Network Waiting Game”. Avaya. 1 April 2014. Retrieved 18 April 2014. 
[19] “Avaya Networking Solutions Close the Gap between Data Center and End Devices”. Avaya. 26 Mar 2014. Retrieved 18 April 2014. [20] “Can I use Shortest Path Bridging hardware to build my SDN network”. 8 April 2014. Retrieved 18 April 2014. [21] “802.1aq - Shortest Path Bridging”. Retrieved 20 July 2011. [22] Ashwood-Smith, Peter; Keesara, Srikanth. “Brief Update on 802.1aq SPB (M) First Interop” (PDF). Retrieved 20 July 2011. [23] Ashwood-Smith, Peter; Vargas, Edgard. “Brief Update on 802.1aq SPB (M) Third Interop” (PDF). Retrieved 20 July 2011. [24] Kline, Deb (1 May 2013). “Networking Industry Leaders to Showcase Shortest Path Bridging Interoperability at Interop 2013”. Avaya. Retrieved 1 February 2015. [25] Smith, Sue (7 May 2013). “Interop: Networking Leaders Demo Shortest Path Bridging”. NewsFactor Network. Retrieved 1 February 2015. [26] Borivoje Furht; Armando Escalante (2011). Handbook of Data Intensive Computing. Springer. p. 16. ISBN 978-14614-1415-5. [27] Roger Lapuh; Paul Unbehagen; Peter Ashwood-Smith; Phillip Taylor (23 March 2012). “SPB Deployment Considerations”. IETF. Retrieved 29 May 2012. [28] “Interop: Networking Leaders Demo Shortest Path Bridging”. May 2013. Retrieved 30 May 2013. [29] Sean Michael Kerner (7 April 2014). “InteropNet Goes IPv6, Includes Shortest Path Bridging”. Enterprise Networking Planet. Retrieved 18 April 2014. CHAPTER 25. IEEE 802.1AQ [36] “Avaya’s Fabric Connect solution helps University transition to next-generation technology-enabled learning methods”. Avaya Inc. May 2013. [37] “Avaya Network Powers New Luggage Handling System at Schiphol Airport”. Avaya Inc. 25 April 2012. [38] “Transport company gets data communications moving” (PDF). Avaya Inc. October 2013. [39] “Transportation Bureau Sendai City Enhancing the passenger experience” (PDF). Avaya Inc. July 2014. [40] “Rapid Transit” (PDF). Avaya Inc. June 2014. [41] “Avaya Announces Software-Defined Data Center Framework and Roadmap”. Avaya Inc. 21 August 2013. 
[42] “Sparebanken Vest Banks on Avaya for Future-Proofed Network Infrastructure Upgrade”. Avaya Inc. 8 May 2012. [43] “InteropNet 2013: Unbreakable! Avaya Fabric Connect Delivers on All Fronts”. Avaya Inc. 15 May 2013. [44] “US firm Avaya named as Sochi 2014 network equipment supplier”. Inside the Games. 30 November 2011. [45] “Dubai World Trade Centre to deploy conferencing solution based on Avaya’s Virtual Enterprise Network Architecture”. TCM. 23 October 2013. [46] “Perfectly provisioned” (PDF). Avaya Inc. July 2014. [47] “Avaya Networking Transforms Oslo University Hospital Network”. Avaya Inc. 8 May 2012. [48] “Avaya Networking Transforms Oslo University Hospital Network”. Firmenpresse. 8 May 2012. [49] “Concord Hospital Boosts Bandwidth and Reduces Costs with Avaya’s Virtual Enterprise Network Architecture Solutions”. Avaya Inc. 8 May 2012. [50] “Franciscan Alliance & Fabric Connect: Redefining the Delivery of Healthcare Services” (PDF). Avaya Inc. May 2013. [51] “Strong, Stable Network Underpins Sydney Adventist Hospital” (PDF). Avaya Inc. May 2012. [30] “Avaya Networking Solutions Close the Gap between Data Center and End Devices”. Avaya Inc. 26 March 2014. [52] “Avaya Extends the Automated Campus to End the Network Waiting Game”. Avaya Inc. 1 April 2014. [31] “Avaya Fabric Connect extends SPB to wiring closets”. 8 April 2014. [53] “Good news for data communication”. Avaya 2014. May 2014. [32] “Avaya – Considerations for Turning your Network into an Ethernet Fabric”. Packet Pushers. 18 February 2013. [54] “Enabling Sanlih Entertainment Television New Digital Broadcasting System” (PDF). Avaya Inc. Jun 2012. [33] “Network Downtime Results in Job, Revenue Loss”. Avaya Inc. 5 March 2014. [55] “Coastal Californian Community Deploys Avaya Network to Enable Mission-Critical Applications” (PDF). Avaya Inc. June 2014. [34] “Macquarie University Delivers Enhanced Student Collaboration and Services with Avaya Networking Solutions”. Avaya Inc. 8 November 2012. 
[35] “Texas School District Embraces Avaya Networking Infrastructure to Enable 21st-Century Learning Models” (PDF). Avaya Inc. May 2014. [56] “Breda City Council looks forward to a more agile future with Avaya VENA Fabric Connect”. Avaya Inc. December 2013. [57] “On their own initiative forward-looking”. Avaya Inc. February 2014. 25.13. REFERENCES 95 [58] “Alcatel-Lucent OmniSwitch 6900 Data Sheet” (PDF). Retrieved 7 January 2013. [59] “Alcatel-Lucent OmniSwitch 10K Data Sheet” (PDF). Retrieved 7 January 2013. [60] “Avaya rolls out networking blueprint for data centre”. 11 November 2010. Retrieved 20 July 2011. [61] “Avaya Virtual Service Platform 7000 Switch Delivers Real Performance”. Retrieved 20 July 2011. The VSP is a 10 GbE top-of-rack switch that supports Shortest Path Bridging (SPB), Edge Virtual Bridging (EVB), and Fiber Channel over Ethernet (FCoE) networking standards. [62] “Avaya aims to boost IP multicast methods with new network fabric”. Retrieved 13 April 2013. [63] “Avaya Announces New Innovations in Fabric-Enabled Networking”. Retrieved 17 April 2013. 25.13 References • “Avaya and the Magic of SPB”. The Networking Nerd. 14 October 2013. Retrieved 14 October 2013. • “Paul Unbehagen talks SPB”. Interop New york 2013 Tech Field Day. 3 October 2013. Retrieved 3 October 2013. • “Show 158: Avaya Software-Defined Data Center and Fabric Connect”. Packet Pushers Podcast. 21 August 2013. Retrieved 21 August 2013. • “Show 147: Avaya Fabric Connect Makes Multicast Simple (Really)". Packet Pushers Podcast. 13 May 2013. Retrieved 13 May 2013. [64] “Avaya unveils new offerings for fabric-enabled networking”. Retrieved 17 April 2013. • “Show 136: Avaya - Consideration For Turning Your Network Into An Ethernet Fabric”. Packet Pushers Podcast. 18 February 2013. Retrieved 18 February 2013. [65] “Avaya’s new network fabric supports tens of thousands of video streams for IP multicasting”. Retrieved 18 April 2013. • “Show 44: The Case for Shortest Path Bridging”. 
25.14 Further reading

• Howard Solomon (7 September 2011). "Tests shows SPB ready, say network equipment makers". IT World Canada. Retrieved 11 September 2011.
• "Alcatel, Avaya, Huawei, Spirent trial SPB interoperability". Telecom Paper. 8 September 2011.
• Allan, David; Bragg, Nigel. 802.1aq Shortest Path Bridging Design and Evolution: The Architects' Perspective. John Wiley & Sons Inc. ISBN 978-1-118-14866-2.
• "Introduction to Shortest Path Bridging" (PDF). Avaya. September 2009. Retrieved 5 January 2011.
• The Great Debate: TRILL Versus 802.1aq (SPB), NANOG 50 session (October 2010)

25.15 External links

• 802 Committee website
• ITU-T Recommendation Y.1731 OAM functions and mechanisms for Ethernet based networks
• Avaya, Alcatel-Lucent, Huawei, Solana and Spirent Showcase Shortest Path Bridging Interoperability; Marketwatch, 7 September 2011. Retrieved 7 September 2011.

Chapter 26 Frenetic (programming language)

Frenetic is a domain-specific language for programming software-defined networks (SDNs). It lets network operators program the network as a whole instead of manually configuring each connected network device.[1]

Frenetic is designed to solve major OpenFlow/NOX programming problems. In particular, Frenetic introduces a set of purely functional abstractions that enable modular program development, defines high-level, programmer-centric packet-processing operators, and eliminates many of the difficulties of the two-tier programming model by introducing a see-every-packet programming paradigm. Frenetic is therefore a functional reactive programming language operating at the packet level of abstraction.[2]

26.1 References

[1] Voellmy, Andreas; et al. (July 10, 2010). "Don't Configure the Network, Program It" (PDF). cs.yale.edu. Retrieved February 22, 2011.
[2] Voellmy, Andreas; Hudak, Paul (2011). "Nettle: Taking the Sting Out of Programming Network Routers" (PDF). Practical Aspects of Declarative Languages. 6359/2011: 235–249. doi:10.1007/978-3-642-18378-2_19. Retrieved 14 February 2011.

26.2 Further reading

• Foster, Nate; Harrison, Rob; Meola, Matthew L.; Freedman, Michael J.; Rexford, Jennifer; Walker, David (November 30, 2010). "Frenetic: A High-Level Language for OpenFlow Networks" (PDF). ACM PRESTO 2010. ACM.
• Nate Foster, Rob Harrison, Michael J. Freedman, Jennifer Rexford, and David Walker (December 6, 2010).
Frenetic: A High-Level Language for OpenFlow Networks, Technical report. Cornell University. Retrieved February 22, 2011.

26.3 External links

• Official website

Chapter 27 Network layer

"Layer 3" redirects here. For the MPEG-1 Audio format, see MP3. For the layer in the cerebral cortex, see Cerebral cortex § Layered structure.

In the seven-layer OSI model of computer networking, the network layer is layer 3. The network layer is responsible for packet forwarding, including routing through intermediate routers, since it knows the addresses of neighboring network nodes; it also manages quality of service (QoS), and recognizes and forwards local host domain messages to the transport layer (layer 4).[1] The data link layer (layer 2) is responsible for media access control, flow control and error checking.

27.1 Functions

The network layer provides the functional and procedural means of transferring variable-length data sequences from a source to a destination host via one or more networks, while maintaining the quality of service functions. Within the service layering semantics of the OSI network architecture, the network layer responds to service requests from the transport layer and issues service requests to the data link layer.

Functions of the network layer include:

• Connection model: connectionless communication
For example, IP is connectionless, in that a datagram can travel from a sender to a recipient without the recipient having to send an acknowledgement. Connection-oriented protocols exist at other, higher layers of the OSI model.

• Host addressing
Every host in the network must have a unique address that determines where it is. This address is normally assigned from a hierarchical system. For example, you can be "Fred Murphy" to people in your house, "Fred Murphy, 1 Main Street" to Dubliners, "Fred Murphy, 1 Main Street, Dublin" to people in Ireland, or "Fred Murphy, 1 Main Street, Dublin, Ireland" to people anywhere in the world. On the Internet, addresses are known as Internet Protocol (IP) addresses.

• Message forwarding
Since many networks are partitioned into subnetworks and connect to other networks for wide-area communications, networks use specialized hosts, called gateways or routers, to forward packets between networks. This is also of interest to mobile applications, where a user may move from one location to another, and it must be arranged that his messages follow him. Version 4 of the Internet Protocol (IPv4) was not designed with this feature in mind, although mobility extensions exist. IPv6 has a better designed solution.

27.2 Protocols

• DDP, Datagram Delivery Protocol
• DVMRP, Distance Vector Multicast Routing Protocol
• ICMP, Internet Control Message Protocol
• IGMP, Internet Group Management Protocol
• IPsec, Internet Protocol Security
• IPv4/IPv6, Internet Protocol
• IPX, Internetwork Packet Exchange
• PIM-DM, Protocol Independent Multicast Dense Mode
• PIM-SM, Protocol Independent Multicast Sparse Mode
• RIP, Routing Information Protocol
• RSMLT, Routed-SMLT

27.3 Relation to TCP/IP model

The TCP/IP model describes the protocols used by the Internet.[2] The TCP/IP model has a layer called the Internet layer, located above the link layer. In many textbooks and other secondary references, the TCP/IP Internet layer is equated with the OSI network layer. However, this comparison is misleading, as the allowed characteristics of protocols (e.g., whether they are connection-oriented or connectionless) placed into these layers are different in the two models. The TCP/IP Internet layer is in fact only a subset of the functionality of the network layer. It describes only one type of network architecture, the Internet.

27.4 See also

• Datakit
• Router
• DECnet
• AppleTalk
• LAN switches

27.5 References

[1] "Layer 3". techtarget.com. Retrieved 2016-02-29.
[2] RFC 1122
• Tanenbaum, Andrew S. (2003). Computer networks.
Upper Saddle River, New Jersey: Prentice Hall. ISBN 0-13-066102-3.

27.6 External links

• OSI Reference Model—The ISO Model of Architecture for Open Systems Interconnection, Hubert Zimmermann, IEEE Transactions on Communications, vol. 28, no. 4, April 1980, pp. 425–432. (PDF file; 776 kB)

Chapter 28 Virtualization

In computing, virtualization refers to the act of creating a virtual (rather than actual) version of something, including virtual computer hardware platforms, operating systems, storage devices, and computer network resources.

Virtualization began in the 1960s, as a method of logically dividing the system resources provided by mainframe computers between different applications. Since then, the meaning of the term has broadened.[1]

28.1 Hardware virtualization

Main article: Hardware virtualization
See also: Mobile virtualization

Hardware virtualization or platform virtualization refers to the creation of a virtual machine that acts like a real computer with an operating system. Software executed on these virtual machines is separated from the underlying hardware resources. For example, a computer that is running Microsoft Windows may host a virtual machine that looks like a computer with the Ubuntu Linux operating system; Ubuntu-based software can be run on the virtual machine.[2][3]

In hardware virtualization, the host machine is the actual machine on which the virtualization takes place, and the guest machine is the virtual machine. The words host and guest are used to distinguish the software that runs on the physical machine from the software that runs on the virtual machine. The software or firmware that creates a virtual machine on the host hardware is called a hypervisor or Virtual Machine Manager.

Different types of hardware virtualization include:

• Full virtualization – almost complete simulation of the actual hardware to allow software, which typically consists of a guest operating system, to run unmodified.
• Paravirtualization – a hardware environment is not simulated; however, the guest programs are executed in their own isolated domains, as if they are running on a separate system. Guest programs need to be specifically modified to run in this environment.
• Partial virtualization – some but not all of the target environment attributes are simulated. As a result, some guest programs may need modifications to run in such virtual environments.

Hardware-assisted virtualization is a way of improving the overall efficiency of virtualization. It involves CPUs that provide support for virtualization in hardware, and other hardware components that help improve the performance of a guest environment.

Hardware virtualization can be viewed as part of an overall trend in enterprise IT that includes autonomic computing, a scenario in which the IT environment will be able to manage itself based on perceived activity, and utility computing, in which computer processing power is seen as a utility that clients can pay for only as needed. The usual goal of virtualization is to centralize administrative tasks while improving scalability and overall hardware-resource utilization. With virtualization, several operating systems can be run in parallel on a single central processing unit (CPU). This parallelism tends to reduce overhead costs and differs from multitasking, which involves running several programs on the same OS. Using virtualization, an enterprise can better manage updates and rapid changes to the operating system and applications without disrupting the user. "Ultimately, virtualization dramatically improves the efficiency and availability of resources and applications in an organization. Instead of relying on the old model of 'one server, one application' that leads to underutilized resources, virtual resources are dynamically applied to meet business needs without any excess fat" (ConsonusTech).

Hardware virtualization is not the same as hardware emulation. In hardware emulation, a piece of hardware imitates another, while in hardware virtualization, a hypervisor (a piece of software) imitates a particular piece of computer hardware or the entire computer. Furthermore, a hypervisor is not the same as an emulator; both are computer programs that imitate hardware, but their domain of use in language differs.

28.1.1 Snapshots

Main article: Snapshot (computer storage)

A snapshot is the state of a virtual machine, and generally its storage devices, at an exact point in time. A snapshot enables the virtual machine's state at the time of the snapshot to be restored later, effectively undoing any changes that occurred afterwards. This capability is useful as a backup technique, for example, prior to performing a risky operation.

Virtual machines frequently use virtual disks for their storage; in a very simple example, a 10-gigabyte hard disk drive is simulated with a 10-gigabyte flat file. Any requests by the VM for a location on its physical disk are transparently translated into an operation on the corresponding file. Once such a translation layer is present, however, it is possible to intercept the operations and send them to different files, depending on various criteria. Every time a snapshot is taken, a new file is created and used as an overlay for its predecessors. New data are written to the topmost overlay; reading existing data, however, requires the overlay hierarchy to be scanned, so that the most recent version is the one accessed. Thus, the entire stack of snapshots is virtually a single coherent disk; in that sense, creating snapshots works similarly to the incremental backup technique.

Other components of a virtual machine can also be included in a snapshot, such as the contents of its random-access memory (RAM), BIOS settings, or its configuration settings. The "save state" feature in video game console emulators is an example of such snapshots.

Restoring a snapshot consists of discarding or disregarding all overlay layers that were added after that snapshot, and directing all new changes to a new overlay. Two consequences matter in practice: because lower overlays are never modified, data the guest later overwrites (a rotated key, for instance) remains readable in the snapshot files, and a snapshot that captured RAM holds whatever secrets were in memory at the time; and restoring a snapshot also reverts any patches or credential changes made after it was taken.
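The overlay scheme just described, as an added example written for this page (it is not code from the original article or from any hypervisor; real formats such as qcow2 or VMDK are not modelled): a base image and one overlay per snapshot are kept as in-memory dicts keyed by block number, writes go only to the topmost layer, reads walk the stack from the newest layer down, and restoring a snapshot drops the layers above it and opens a fresh one. The class and method names (OverlayDisk, snapshot, restore, layer_blocks) and the "key1"/"key2" sample blocks are this example's own constructions. Beyond the text, it shows the security consequence noted above: a block the guest overwrites after a snapshot is still present in the layer below, and a restore brings the old block back.

```python
"""Copy-on-write snapshot chain for a virtual disk (added example, not a real hypervisor format)."""
from __future__ import annotations

BLOCK_SIZE = 4  # bytes per block; tiny so the example is readable (real disks use 512 B or 4 KiB)


class OverlayDisk:
    """A virtual disk made of a base image plus a stack of snapshot overlays.

    Each layer maps block number -> bytes. Writes go to the topmost layer only;
    reads walk the stack from the top down and return the first (most recent)
    copy of the block they find, falling back to the base image.
    """

    def __init__(self, size_blocks: int) -> None:
        self.size_blocks = size_blocks
        self.base: dict[int, bytes] = {}            # stands in for the "flat file"
        self.overlays: list[dict[int, bytes]] = []  # one overlay per snapshot, oldest first
        self.snapshot_names: list[str] = []

    def _check_block(self, block: int) -> None:
        if not 0 <= block < self.size_blocks:
            raise IndexError(f"block {block} is outside a {self.size_blocks}-block disk")

    def _top(self) -> dict[int, bytes]:
        return self.overlays[-1] if self.overlays else self.base

    def write(self, block: int, data: bytes) -> None:
        self._check_block(block)
        if len(data) != BLOCK_SIZE:
            raise ValueError("writes must be whole blocks")
        self._top()[block] = data               # lower layers are never modified

    def read(self, block: int) -> bytes:
        self._check_block(block)
        for layer in reversed(self.overlays):   # newest overlay first
            if block in layer:
                return layer[block]
        return self.base.get(block, b"\x00" * BLOCK_SIZE)  # never-written blocks read as zeros

    def snapshot(self, name: str) -> int:
        """Freeze the current top layer and open a fresh overlay above it.

        Snapshot i captures base + overlays[:i]; the new overlays[i] records
        every write made after it. Returns i.
        """
        index = len(self.overlays)
        self.overlays.append({})
        self.snapshot_names.append(name)
        return index

    def restore(self, index: int) -> None:
        """Roll back to snapshot `index`: discard every overlay written after it
        and direct new changes to a brand-new overlay."""
        if not 0 <= index < len(self.snapshot_names):
            raise IndexError(f"no snapshot {index}")
        self.overlays = self.overlays[:index] + [{}]
        self.snapshot_names = self.snapshot_names[: index + 1]

    def layer_blocks(self, index: int) -> dict[int, bytes]:
        """Raw contents of the overlay file opened by snapshot `index`: what anyone
        who copies that file sees, regardless of later overwrites by the guest."""
        return dict(self.overlays[index])

    def dump(self) -> bytes:
        """The disk as the guest sees it: a single coherent image."""
        return b"".join(self.read(b) for b in range(self.size_blocks))


def demo() -> dict[str, bytes]:
    """Write -> snapshot -> rotate a secret -> snapshot -> restore, returning what each party sees."""
    disk = OverlayDisk(size_blocks=4)
    disk.write(0, b"boot")
    disk.write(1, b"key1")                     # constructed sample secret, lands in the base image
    before_upgrade = disk.snapshot("before-upgrade")
    disk.write(1, b"key2")                     # guest rotates the key: written to overlay 0 only
    disk.write(2, b"data")
    guest_view = disk.dump()
    base_still_holds = disk.base[1]            # the old key never left the base image
    disk.snapshot("after-upgrade")
    disk.write(2, b"DATA")                     # goes to overlay 1
    disk.restore(before_upgrade)               # drops overlays 0 and 1: old key is live again
    return {"guest_view": guest_view, "base_still_holds": base_still_holds, "restored": disk.dump()}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:17s} {value!r}")
```

Running the module prints the guest's view after the rotation (boot, key2, data), the stale key still sitting in the base image, and the disk after the restore, in which key1 is back. Treat snapshot files with the same care as the live disk, and re-apply credential rotations and patches after any rollback.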
28.1.2 Migration

Main article: Migration (virtualization)

The snapshots described above can be moved to another host machine with its own hypervisor; when the VM is temporarily stopped, snapshotted, moved, and then resumed on the new host, this is known as migration. If the older snapshots are kept in sync regularly, this operation can be quite fast, and allows the VM to provide uninterrupted service while its prior physical host is, for example, taken down for physical maintenance.

28.1.3 Failover

Main article: Failover

Similarly to the migration mechanism described above, failover allows the VM to continue operations if the host fails. However, in this case, the VM continues operation from the last-known coherent state, rather than the current state, based on whatever materials the backup server was last provided with.

28.1.4 Video game console emulation

Main article: Video game console emulator

A video game console emulator is a program that allows a personal computer or video game console to emulate a different video game console's behavior. Video game console emulators and hypervisors both perform hardware virtualization; words like "virtualization", "virtual machine", "host" and "guest" are not used in conjunction with console emulators.

28.1.5 Licensing

Virtual machines running proprietary operating systems require licensing, regardless of the host machine's operating system. For example, installing Microsoft Windows into a VM guest requires its licensing requirements to be satisfied.

28.2 Desktop virtualization

Main article: Desktop virtualization

Desktop virtualization is the concept of separating the logical desktop from the physical machine.

One form of desktop virtualization, virtual desktop infrastructure (VDI), can be thought of as a more advanced form of hardware virtualization. Rather than interacting with a host computer directly via a keyboard, mouse, and monitor, the user interacts with the host computer using another desktop computer or a mobile device by means of a network connection, such as a LAN, wireless LAN or even the Internet. In addition, the host computer in this scenario becomes a server computer capable of hosting multiple virtual machines at the same time for multiple users.[4]

As organizations continue to virtualize and converge their data center environment, client architectures also continue to evolve in order to take advantage of the predictability, continuity, and quality of service delivered by their converged infrastructure. For example, companies like HP and IBM provide a hybrid VDI model with a range of virtualization software and delivery models to improve upon the limitations of distributed client computing.[5] Selected client environments move workloads from PCs and other devices to data center servers, creating well-managed virtual clients, with applications and client operating environments hosted on servers and storage in the data center. For users, this means they can access their desktop from any location, without being tied to a single client device. Since the resources are centralized, users moving between work locations can still access the same client environment with their applications and data.[5] For IT administrators, this means a more centralized, efficient client environment that is easier to maintain and able to respond more quickly to the changing needs of the user and business.[6][7]

Another form, session virtualization, allows multiple users to connect and log into a shared but powerful computer over the network and use it simultaneously. Each is given a desktop and a personal folder in which they store their files.[4] With a multiseat configuration, session virtualization can be accomplished using a single PC with multiple monitors, keyboards and mice connected.

Thin clients, which are seen in desktop virtualization, are simple and/or cheap computers that are primarily designed to connect to the network. They may lack significant hard disk storage space, RAM or even processing power, but many organizations are beginning to look at the cost benefits of eliminating "thick client" desktops that are packed with software (and require software licensing fees) and making more strategic investments.[8] Desktop virtualization simplifies software versioning and patch management, where the new image is simply updated on the server, and the desktop gets the updated version when it reboots. It also enables centralized control over what applications the user is allowed to access on the workstation.

Moving virtualized desktops into the cloud creates hosted virtual desktops (HVDs), in which the desktop images are centrally managed and maintained by a specialist hosting firm. Benefits include scalability and the reduction of capital expenditure, which is replaced by a monthly operational cost.[9]

28.3 Other types

Software

• Operating system-level virtualization, hosting of multiple virtualized environments within a single OS instance.
• Application virtualization and workspace virtualization, the hosting of individual applications in an environment separated from the underlying OS. Application virtualization is closely associated with the concept of portable applications.
• Service virtualization, emulating the behavior of dependent (e.g., third-party, evolving, or not implemented) system components that are needed to exercise an application under test (AUT) for development or testing purposes. Rather than virtualizing entire components, it virtualizes only specific slices of dependent behavior critical to the execution of development and testing tasks.

Memory

• Memory virtualization, aggregating random-access memory (RAM) resources from networked systems into a single memory pool
• Virtual memory, giving an application program the impression that it has contiguous working memory, isolating it from the underlying physical memory implementation

Storage

• Storage virtualization, the process of completely abstracting logical storage from physical storage
• Distributed file system, any file system that allows access to files from multiple hosts sharing via a computer network
• Virtual file system, an abstraction layer on top of a more concrete file system, allowing client applications to access different types of concrete file systems in a uniform way
• Storage hypervisor, the software that manages storage virtualization and combines physical storage resources into one or more flexible pools of logical storage[10]
• Virtual disk drive, a computer program that emulates a disk drive such as a hard disk drive or optical disk drive (see comparison of disc image software)

Data

• Data virtualization, the presentation of data as an abstract layer, independent of underlying database systems, structures and storage.
• Database virtualization, the decoupling of the database layer, which lies between the storage and application layers within the application stack overall.

Network

• Network virtualization, creation of a virtualized network addressing space within or across network subnets
• Virtual private network (VPN), a network protocol that replaces the actual wire or other physical media in a network with an abstract layer, allowing a network to be created over the Internet

28.4 Nested virtualization

Nested virtualization refers to the ability to run a virtual machine within another, with this general concept extendable to an arbitrary depth. In other words, nested virtualization refers to running one or more hypervisors inside another hypervisor. The nature of a nested guest virtual machine need not be homogeneous with its host virtual machine; for example, application virtualization can be deployed within a virtual machine created by using hardware virtualization.[11]

Nested virtualization becomes more necessary as widespread operating systems gain built-in hypervisor functionality, which in a virtualized environment can be used only if the surrounding hypervisor supports nested virtualization; for example, Windows 7 is capable of running Windows XP applications inside a built-in virtual machine. Furthermore, moving already existing virtualized environments into a cloud, following the Infrastructure as a Service (IaaS) approach, is much more complicated if the destination IaaS platform does not support nested virtualization.[12][13]

The way nested virtualization can be implemented on a particular computer architecture depends on the supported hardware-assisted virtualization capabilities. In case a particular architecture does not provide the hardware support required for nested virtualization, various software techniques are employed to enable it.[12] Over time, more architectures gain the required hardware support; for example, since the Haswell microarchitecture (announced in 2013), Intel has included VMCS shadowing as a technology that accelerates nested virtualization.[14]

28.6 References

[2] Turban, E; King, D; Lee, J; Viehland, D (2008). "Chapter 19: Building E-Commerce Applications and Infrastructure". Electronic Commerce: A Managerial Perspective. Prentice-Hall. p. 27.
[3] "Virtualization in education" (PDF). IBM. October 2007. Retrieved 6 July 2010. A virtual computer is a logical representation of a computer in software. By decoupling the physical hardware from the operating system, virtualization provides more operational flexibility and increases the utilization rate of the underlying physical hardware.
[4] "Strategies for Embracing Consumerization" (PDF). Microsoft Corporation. April 2011. p. 9. Retrieved 22 July 2011.
[5] Chernicoff, David, "HP VDI Moves to Center Stage," ZDNet, August 19, 2011.
[6] Baburajan, Rajani, "The Rising Cloud Storage Market Opportunity Strengthens Vendors," infoTECH, August 24, 2011. It.tmcnet.com. 2011-08-24.
[7] Oestreich, Ken, "Converged Infrastructure," CTO Forum, November 15, 2010. Thectoforum.com.
[8] "Desktop Virtualization Tries to Find Its Place in the Enterprise". Dell.com. Retrieved 2012-06-19.
[9] "HVD: the cloud's silver lining" (PDF). Intrinsic Technology. Retrieved 30 August 2012.
[10] "Enterprise Systems Group White paper, Page 5" (PDF). Enterprise Strategy Group white paper written and published on August 20, 2011 by Mark Peters.
[11] Orit Wasserman, Red Hat (2013). "Nested virtualization: Shadow turtles" (PDF). KVM Forum. Retrieved 2014-04-07.
[1] Graziano, Charles. "A performance analysis of Xen and KVM hypervisors for hosting the Xen Worlds Project". Retrieved 2013-01-29.
[12] Muli Ben-Yehuda; Michael D. Day; Zvi Dubitzky; Michael Factor; Nadav Har'El; Abel Gordon; Anthony Liguori; Orit Wasserman; Ben-Ami Yassour (2010-09-23). "The Turtles Project: Design and Implementation of Nested Virtualization" (PDF). usenix.org. Retrieved 2014-12-16.
[13] Alex Fishman; Mike Rapoport; Evgeny Budilovsky; Izik Eidus (2013-06-25). "HVX: Virtualizing the Cloud" (PDF). rackcdn.com. Retrieved 2014-12-16.
[14] "4th-Gen Intel Core vPro Processors with Intel VMCS Shadowing" (PDF). Intel. 2013. Retrieved 2014-12-16.

28.5 See also

• Timeline of virtualization development
• Network Functions Virtualization
• Emulation (computing)
• Computer simulation
• Numeronym (explains that "V12N" is an abbreviation for "virtualization")
• Consolidation ratio
• I/O virtualization
• Application checkpointing

28.7 External links

• An Introduction to Virtualization, January 2004, by Amit Singh

Chapter 29 Computer network

A computer network or data network is a telecommunications network which allows nodes to share resources. In computer networks, networked computing devices exchange data with each other using a data link. The connections between nodes are established using either cable media or wireless media. The best-known computer network is the Internet.

Network computer devices that originate, route and terminate the data are called network nodes.[1] Nodes can include hosts such as personal computers, phones and servers, as well as networking hardware. Two such devices can be said to be networked together when one device is able to exchange information with the other device, whether or not they have a direct connection to each other.

Computer networks differ in the transmission medium used to carry their signals, the communications protocols used to organize network traffic, the network's size, its topology and its organizational intent.
Computer networks support an enormous number of applications and services such as access to the World Wide Web, digital video, digital audio, shared use of application and storage servers, printers, and fax machines, and use of email and instant messaging applications, as well as many others. In most cases, application-specific communications protocols are layered (i.e. carried as payload) over other more general communications protocols.

29.1 History

See also: History of the Internet

The chronology of significant computer-network developments includes:

• In the late 1950s, early networks of computers included the military radar system Semi-Automatic Ground Environment (SAGE).
• In 1959, Anatolii Ivanovich Kitov proposed to the Central Committee of the Communist Party of the Soviet Union a detailed plan for the re-organisation of the control of the Soviet armed forces and of the Soviet economy on the basis of a network of computing centres.[2]
• In 1960, the commercial airline reservation system semi-automatic business research environment (SABRE) went online with two connected mainframes.
• In 1962, J.C.R. Licklider developed a working group he called the "Intergalactic Computer Network", a precursor to the ARPANET, at the Advanced Research Projects Agency (ARPA).
• In 1964, researchers at Dartmouth College developed the Dartmouth Time Sharing System for distributed users of large computer systems. The same year, at the Massachusetts Institute of Technology, a research group supported by General Electric and Bell Labs used a computer to route and manage telephone connections.
• Throughout the 1960s, Leonard Kleinrock, Paul Baran, and Donald Davies independently developed network systems that used packets to transfer information between computers over a network.
• In 1965, Thomas Marill and Lawrence G. Roberts created the first wide area network (WAN). This was an immediate precursor to the ARPANET, of which Roberts became program manager.
• Also in 1965, Western Electric introduced the first widely used telephone switch that implemented true computer control.
• In 1969, the University of California at Los Angeles, the Stanford Research Institute, the University of California at Santa Barbara, and the University of Utah became connected as the beginning of the ARPANET network using 50 kbit/s circuits.[3]
• In 1972, commercial services using X.25 were deployed, and later used as an underlying infrastructure for expanding TCP/IP networks.
• In 1973, Robert Metcalfe wrote a formal memo at Xerox PARC describing Ethernet, a networking system that was based on the Aloha network, developed in the 1960s by Norman Abramson and colleagues at the University of Hawaii. In July 1976, Robert Metcalfe and David Boggs published their paper "Ethernet: Distributed Packet Switching for Local Computer Networks"[4] and collaborated on several patents received in 1977 and 1978. In 1979, Robert Metcalfe pursued making Ethernet an open standard.[5]
• In 1976, John Murphy of Datapoint Corporation created ARCNET, a token-passing network first used to share storage devices.
• In 1995, the transmission speed capacity for Ethernet increased from 10 Mbit/s to 100 Mbit/s. By 1998, Ethernet supported transmission speeds of a gigabit. Subsequently, higher speeds of up to 100 Gbit/s were added (as of 2016). The ability of Ethernet to scale easily (such as quickly adapting to support new fiber optic cable speeds) is a contributing factor to its continued use.[5]

29.2 Properties

Computer networking may be considered a branch of electrical engineering, telecommunications, computer science, information technology or computer engineering, since it relies upon the theoretical and practical application of the related disciplines.

A computer network facilitates interpersonal communications, allowing users to communicate efficiently and easily via various means: email, instant messaging, chat rooms, telephone, video telephone calls, and video conferencing. Providing access to information on shared storage devices is an important feature of many networks. A network allows sharing of files, data, and other types of information, giving authorized users the ability to access information stored on other computers on the network. A network allows sharing of network and computing resources. Users may access and use resources provided by devices on the network, such as printing a document on a shared network printer. Distributed computing uses computing resources across a network to accomplish tasks.

A computer network may be used by computer crackers to deploy computer viruses or computer worms on devices connected to the network, or to prevent these devices from accessing the network via a denial of service attack.

29.3 Network packet

Main article: Network packet

Computer communication links that do not support packets, such as traditional point-to-point telecommunication links, simply transmit data as a bit stream. However, most information in computer networks is carried in packets. A network packet is a formatted unit of data (a list of bits or bytes, usually a few tens of bytes to a few kilobytes long) carried by a packet-switched network. In packet networks, the data is formatted into packets that are sent through the network to their destination. Once the packets arrive they are reassembled into their original message. With packets, the bandwidth of the transmission medium can be better shared among users than if the network were circuit switched. When one user is not sending packets, the link can be filled with packets from other users, and so the cost can be shared, with relatively little interference, provided the link isn't overused.

Packets consist of two kinds of data: control information, and user data (payload). The control information provides data the network needs to deliver the user data, for example: source and destination network addresses, error detection codes, and sequencing information. Typically, control information is found in packet headers and trailers, with payload data in between.

Often the route a packet needs to take through a network is not immediately available. In that case the packet is queued and waits until a link is free.
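The packet structure described in 29.3 (addresses and an error-detection code in the header, payload after it) and the router's per-datagram forwarding function from 27.1 above, as one added example written for this page (not code from the original article): it assembles an IPv4 datagram with struct, parses the header while checking version, IHL, total length and the RFC 791 checksum before trusting any field, picks a next hop by longest-prefix match, and then does what a real hop does, decrement TTL and recompute the checksum. The Router class, the build_ipv4 helper, the routing table and every address here are constructed for the example; the checksum test vector in the usage note is the well-known one from the IPv4 header checksum literature.

```python
"""IPv4 header parsing and one hop of router forwarding (added example)."""
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                          # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class IPv4Header:
    ihl: int            # header length in bytes (20 without options)
    total_length: int
    ttl: int
    protocol: int
    src: str
    dst: str

    @classmethod
    def parse(cls, packet: bytes) -> "IPv4Header":
        """Validate the control information before any of it is used."""
        if len(packet) < 20:
            raise ValueError("truncated: IPv4 header needs 20 bytes")
        version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
        if version != 4:
            raise ValueError(f"not IPv4 (version {version})")
        if ihl < 20 or ihl > len(packet):
            raise ValueError("bad IHL")           # an unchecked IHL is a classic over-read bug
        total_length = struct.unpack("!H", packet[2:4])[0]
        if total_length < ihl or total_length > len(packet):
            raise ValueError("total length inconsistent with buffer")
        if ipv4_checksum(packet[:ihl]) != 0:    # a header with a correct checksum sums to zero
            raise ValueError("header checksum mismatch")
        return cls(ihl, total_length, packet[8], packet[9],
                   str(ipaddress.IPv4Address(packet[12:16])),
                   str(ipaddress.IPv4Address(packet[16:20])))


def build_ipv4(src: str, dst: str, payload: bytes, ttl: int = 64, protocol: int = 17) -> bytes:
    """Assemble a minimal datagram (no options): 20-byte header, then the payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, protocol, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


class Router:
    """Connectionless forwarding: every datagram is looked up on its own, with no session state."""

    def __init__(self, routes: dict[str, str]) -> None:
        # routes: prefix -> next hop; "direct" stands for delivery on an attached link
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes.items()]

    def next_hop(self, dst: str) -> str | None:
        addr = ipaddress.IPv4Address(dst)
        matches = [(net.prefixlen, nh) for net, nh in self.routes if addr in net]
        return max(matches)[1] if matches else None   # longest prefix wins

    def forward(self, packet: bytes) -> tuple[str, bytes | None]:
        """Return (next hop or 'drop: reason', rewritten packet or None)."""
        try:
            hdr = IPv4Header.parse(packet)
        except ValueError as exc:
            return f"drop: {exc}", None
        if hdr.ttl <= 1:
            return "drop: ttl expired (router would send ICMP Time Exceeded)", None
        nh = self.next_hop(hdr.dst)
        if nh is None:
            return "drop: no route (router would send ICMP Destination Unreachable)", None
        out = bytearray(packet)
        out[8] = hdr.ttl - 1                        # each hop decrements TTL ...
        out[10:12] = b"\x00\x00"                    # ... so the header checksum must be recomputed
        out[10:12] = struct.pack("!H", ipv4_checksum(bytes(out[:hdr.ihl])))
        return nh, bytes(out)


if __name__ == "__main__":
    router = Router({"0.0.0.0/0": "10.0.0.1", "192.168.0.0/16": "10.0.1.1", "192.168.1.0/24": "direct"})
    for dst in ("192.168.1.7", "192.168.9.9", "8.8.8.8"):
        print(dst, "->", router.forward(build_ipv4("10.1.1.5", dst, b"hello"))[0])
```

The parser rejects a packet whose IHL or total length exceeds the buffer, which is the check most often missing in hand-rolled packet code, and it verifies the checksum before reading the addresses, so a corrupted header never reaches the routing lookup. The checksum routine reproduces the standard worked example, header bytes 4500 0073 0000 4000 4011 0000 c0a8 0001 c0a8 00c7 giving 0xB861. The router mirrors 27.1's "message forwarding": the only state it consults is the routing table, not the sender or any previous packet.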
29.4 Network topology

Main article: Network topology

The physical layout of a network is usually less important than the topology that connects network nodes. Most diagrams that describe a physical network are therefore topological, rather than geographic. The symbols on these diagrams usually denote network links and network nodes.

29.4.1 Network links

The transmission media (often referred to in the literature as the physical media) used to link devices to form a computer network include electrical cable (Ethernet, HomePNA, power line communication, G.hn), optical fiber (fiber-optic communication), and radio waves (wireless networking). In the OSI model, these are defined at layers 1 and 2, the physical layer and the data link layer.

A widely adopted family of transmission media used in local area network (LAN) technology is collectively known as Ethernet. The media and protocol standards that enable communication between networked devices over Ethernet are defined by IEEE 802.3. Ethernet transmits data over both copper and fiber cables. Wireless LAN standards (e.g. those defined by IEEE 802.11) use radio waves; others use infrared signals as a transmission medium. Power line communication uses a building's power cabling to transmit data.

Wired technologies

Figure: 2007 map showing submarine optical fiber telecommunication cables around the world.

Figure: Fiber optic cables are used to transmit light from one computer/network node to another.

The following wired technologies are ordered, roughly, from slowest to fastest transmission speed.

• Coaxial cable is widely used for cable television systems, office buildings, and other work-sites for local area networks. The cables consist of copper or aluminum wire surrounded by an insulating layer (typically a flexible material with a high dielectric constant), which itself is surrounded by a conductive layer. The insulation helps minimize interference and distortion. Transmission speed ranges from 200 million bits per second to more than 500 million bits per second.
• ITU-T G.hn technology uses existing home wiring (coaxial cable, phone lines and power lines) to create a high-speed (up to 1 Gigabit/s) local area network.
• Twisted pair wire is the most widely used medium for all telecommunication. Twisted-pair cabling consists of copper wires that are twisted into pairs. Ordinary telephone wires consist of two insulated copper wires twisted into pairs. Computer network cabling (wired Ethernet as defined by IEEE 802.3) consists of 4 pairs of copper cabling that can be utilized for both voice and data transmission. The use of two wires twisted together helps to reduce crosstalk and electromagnetic induction. The transmission speed ranges from 2 million bits per second to 10 billion bits per second. Twisted pair cabling comes in two forms: unshielded twisted pair (UTP) and shielded twisted pair (STP). Each form comes in several category ratings, designed for use in various scenarios.
• An optical fiber is a glass fiber. It carries pulses of light that represent data. Some advantages of optical fibers over metal wires are very low transmission loss and immunity from electrical interference. Optical fibers can simultaneously carry multiple wavelengths of light, which greatly increases the rate at which data can be sent, and helps enable data rates of up to trillions of bits per second. Optical fibers can be used for long runs of cable carrying very high data rates, and are used for undersea cables to interconnect continents.

Price is a main factor distinguishing wired and wireless technology options in a business. Wireless options command a price premium that can make purchasing wired computers, printers and other devices a financial benefit. Before making the decision to purchase hard-wired technology products, a review of the restrictions and limitations of the selections is necessary. Business and employee needs may override any cost considerations.[6]

Wireless technologies

Main article: Wireless network

Figure: Computers are very often connected to networks using wireless links.

• Terrestrial microwave – Terrestrial microwave communication uses Earth-based transmitters and receivers resembling satellite dishes. Terrestrial microwaves are in the low-gigahertz range, which limits all communications to line-of-sight. Relay stations are spaced approximately 48 km (30 mi) apart.
• Communications satellites – Satellites communicate via microwave radio waves, which are not deflected by the Earth's atmosphere. The satellites are stationed in space, typically in geosynchronous orbit 35,400 km (22,000 mi) above the equator. These Earth-orbiting systems are capable of receiving and relaying voice, data, and TV signals.
• Extending the Internet to interplanetary dimensions via radio waves, the Interplanetary Internet.[8] Both cases have a large round-trip delay time, which gives slow two-way communication, but doesn't prevent sending large amounts of information.

29.4.2 Network nodes

Main article: Node (networking)

Apart from any physical transmission medium there may be, networks comprise additional basic system building blocks, such as network interface controllers (NICs), repeaters, hubs, bridges, switches, routers, modems, and firewalls.

Network interfaces
• Cellular and PCS systems use several radio communications technologies. The systems divide the region covered into multiple geographic areas. Each area has a low-power transmitter or radio relay antenna device to relay calls from one area to the next An ATM network interface in the form of an accessory card. A area. • Radio and spread spectrum technologies – Wireless local area networks use a high-frequency radio technology similar to digital cellular and a low-frequency radio technology. Wireless LANs use spread spectrum technology to enable communication between multiple devices in a limited area. IEEE 802.11 defines a common flavor of open-standards wireless radio-wave technology known as Wifi. lot of network interfaces are built-in. A network interface controller (NIC) is computer hardware that provides a computer with the ability to access the transmission media, and has the ability to process lowlevel network information. For example, the NIC may have a connector for accepting a cable, or an aerial for wireless transmission and reception, and the associated circuitry. • Free-space optical communication uses visible or in- The NIC responds to traffic addressed to a network advisible light for communications. In most cases, dress for either the NIC or the computer as a whole. line-of-sight propagation is used, which limits the In Ethernet networks, each network interface controller physical positioning of communicating devices. has a unique Media Access Control (MAC) address— usually stored in the controller’s permanent memory. Exotic technologies To avoid address conflicts between network devices, the Institute of Electrical and Electronics Engineers (IEEE) There have been various attempts at transporting data maintains and administers MAC address uniqueness. over exotic media: The size of an Ethernet MAC address is six octets. The three most significant octets are reserved to identify NIC • IP over Avian Carriers was a humorous April fool’s manufacturers. 
These manufacturers, using only their asRequest for Comments, issued as RFC 1149. It was signed prefixes, uniquely assign the three least-significant implemented in real life in 2001.[7] octets of every Ethernet interface they produce. 108 Repeaters and hubs A repeater is an electronic device that receives a network signal, cleans it of unnecessary noise and regenerates it. The signal is retransmitted at a higher power level, or to the other side of an obstruction, so that the signal can cover longer distances without degradation. In most twisted pair Ethernet configurations, repeaters are required for cable that runs longer than 100 meters. With fiber optics, repeaters can be tens or even hundreds of kilometers apart. CHAPTER 29. COMPUTER NETWORK normally have numerous ports, facilitating a star topology for devices, and cascading additional switches. Multi-layer switches are capable of routing based on layer 3 addressing or additional logical levels. The term switch is often used loosely to include devices such as routers and bridges, as well as devices that may distribute traffic based on load or based on application content (e.g., a Web URL identifier). Routers A repeater with multiple ports is known as a hub. Repeaters work on the physical layer of the OSI model. Repeaters require a small amount of time to regenerate the signal. This can cause a propagation delay that affects network performance. As a result, many network architectures limit the number of repeaters that can be used in a row, e.g., the Ethernet 5-4-3 rule. Hubs have been mostly obsoleted by modern switches; but repeaters are used for long distance links, notably undersea cabling. Bridges A network bridge connects and filters traffic between two network segments at the data link layer (layer 2) of the OSI model to form a single network. This breaks the network’s collision domain but maintains a unified broadcast domain. 
Network segmentation breaks down a large, congested network into an aggregation of smaller, more efficient networks. A typical home or small office router showing the ADSL telephone line and Ethernet network cable connections A router is an internetworking device that forwards packets between networks by processing the routing information included in the packet or datagram (Internet protocol information from layer 3). The routing information is often processed in conjunction with the routing Bridges come in three basic types: table (or forwarding table). A router uses its routing table to determine where to forward packets. A destination in • Local bridges: Directly connect LANs a routing table can include a “null” interface, also known as the “black hole” interface because data can go into it, • Remote bridges: Can be used to create a wide however, no further processing is done for said data, i.e. area network (WAN) link between LANs. Remote the packets are dropped. bridges, where the connecting link is slower than the end networks, largely have been replaced with routers. Modems • Wireless bridges: Can be used to join LANs or conModems (MOdulator-DEModulator) are used to connect nect remote devices to LANs. network nodes via wire not originally designed for digital network traffic, or for wireless. To do this one or Switches more carrier signals are modulated by the digital signal to produce an analog signal that can be tailored to give the A network switch is a device that forwards and filters OSI required properties for transmission. Modems are comlayer 2 datagrams (frames) between ports based on the monly used for telephone lines, using a Digital Subscriber destination MAC address in each frame.[9] A switch is Line technology. distinct from a hub in that it only forwards the frames to the physical ports involved in the communication rather than all ports connected. 
It can be thought of as a multi- Firewalls port bridge.[10] It learns to associate physical ports to MAC addresses by examining the source addresses of re- A firewall is a network device for controlling network seceived frames. If an unknown destination is targeted, the curity and access rules. Firewalls are typically configured switch broadcasts to all ports but the source. Switches to reject access requests from unrecognized sources while 29.4. NETWORK TOPOLOGY 109 allowing actions from recognized ones. The vital role fire- Note that the physical layout of the nodes in a network walls play in network security grows in parallel with the may not necessarily reflect the network topology. As an constant increase in cyber attacks. example, with FDDI, the network topology is a ring (actually two counter-rotating rings), but the physical topology is often a star, because all neighboring connections can be routed via a central physical location. 29.4.3 Network structure Network topology is the layout or organizational hierarchy of interconnected nodes of a computer network. Dif- Overlay network ferent network topologies can affect throughput, but reliability is often more critical. With many technologies, such as bus networks, a single failure can cause the network to fail entirely. In general the more interconnections there are, the more robust the network is; but the more expensive it is to install. A sample overlay network Common layouts Ring Mesh Line Star Tree Fully Connected Bus Common network topologies Common layouts are: An overlay network is a virtual computer network that is built on top of another network. Nodes in the overlay network are connected by virtual or logical links. Each link corresponds to a path, perhaps through many physical links, in the underlying network. The topology of the overlay network may (and often does) differ from that of the underlying one. For example, many peer-to-peer networks are overlay networks. 
They are organized as nodes of a virtual system of links that run on top of the Internet.[11] Overlay networks have been around since the invention of networking when computer systems were connected over telephone lines using modems, before any data network existed. The most striking example of an overlay network is the Internet itself. The Internet itself was initially built as an overlay on the telephone network.[11] Even today, each Internet node can communicate with virtually any other through an underlying mesh of sub-networks of wildly different topologies and technologies. Address resolution • A star network: all nodes are connected to a special and routing are the means that allow mapping of a fully central node. This is the typical layout found in a connected IP overlay network to its underlying network. Wireless LAN, where each wireless client connects Another example of an overlay network is a distributed to the central Wireless access point. hash table, which maps keys to nodes in the network. In • A bus network: all nodes are connected to a common medium along this medium. This was the layout used in the original Ethernet, called 10BASE5 and 10BASE2. • A ring network: each node is connected to its left and right neighbour node, such that all nodes are connected and that each node can reach each other node by traversing nodes left- or rightwards. The Fiber Distributed Data Interface (FDDI) made use of such a topology. this case, the underlying network is an IP network, and the overlay network is a table (actually a map) indexed by keys. Overlay networks have also been proposed as a way to improve Internet routing, such as through quality of service guarantees to achieve higher-quality streaming media. 
Previous proposals such as IntServ, DiffServ, and IP • A mesh network: each node is connected to an arbi- Multicast have not seen wide acceptance largely because trary number of neighbours in such a way that there they require modification of all routers in the network. is at least one traversal from any node to any other. On the other hand, an overlay network can be incrementally deployed on end-hosts running the overlay proto• A fully connected network: each node is connected col software, without cooperation from Internet service providers. The overlay network has no control over how to every other node in the network. packets are routed in the underlying network between two • A tree network: nodes are arranged hierarchically. overlay nodes, but it can control, for example, the se- 110 CHAPTER 29. COMPUTER NETWORK quence of overlay nodes that a message traverses before cipal reasons. Firstly, abstracting the protocol stack in it reaches its destination. this way may cause a higher layer to duplicate functionFor example, Akamai Technologies manages an overlay ality of a lower layer, a prime example being error recov[14] network that provides reliable, efficient content delivery ery on both a per-link basis and an end-to-end basis. (a kind of multicast). Academic research includes end Secondly, it is common that a protocol implementation at system multicast,[12] resilient routing and quality of ser- one layer may require data, state or addressing information that is only present at another layer, thus defeating vice studies, among others. the point of separating the layers in the first place. For example, TCP uses the ECN field in the IPv4 header as an indication of congestion; IP is a network layer protocol 29.5 Communications protocols whereas TCP is a transport layer protocol. TCP/IP - model HTTP POP3 Application UDP There are many communication protocols, a few of which are described below. Transport TCP Communication protocols have various characteristics. 
They may be connection-oriented or connectionless, they may use circuit mode or packet switching, and they may use hierarchical addressing or flat addressing. Internet IP Network interface Ethernet protocol The TCP/IP model or Internet layering scheme and its relation to common protocols often layered on top of it. A B R 29.5.1 IEEE 802 IEEE 802 is a family of IEEE standards dealing with local area networks and metropolitan area networks. The complete IEEE 802 protocol suite provides a diverse set of networking capabilities. The protocols have a flat addressing scheme. They operate mostly at levels 1 and 2 of the OSI model. For example, MAC bridging (IEEE 802.1D) deals with the routing of Ethernet packets using a Spanning Tree Protocol. IEEE 802.1Q describes VLANs, and IEEE 802.1X defines a port-based Network Access Control protocol, which forms the basis for the authentication mechanisms used in VLANs (but it is also found in WLANs) – it is what the home user sees when the user has to enter a “wireless access key”. Ethernet Figure 4. Message flows (A-B) in the presence of a router (R), red flows are effective communication paths, black paths are the actual paths. A communications protocol is a set of rules for exchanging information over network links. In a protocol stack (also see the OSI model), each protocol leverages the services of the protocol below it. An important example of a protocol stack is HTTP (the World Wide Web protocol) running over TCP over IP (the Internet protocols) over IEEE 802.11 (the Wi-Fi protocol). This stack is used between the wireless router and the home user’s personal computer when the user is surfing the web. Ethernet, sometimes simply called LAN, is a family of protocols used in wired LANs, described by a set of standards together called IEEE 802.3 published by the Institute of Electrical and Electronics Engineers. 
Wireless LAN Wireless LAN, also widely known as WLAN or WiFi, is probably the most well-known member of the IEEE 802 protocol family for home users today. It is standarized by IEEE 802.11 and shares many properties with wired Ethernet. 29.5.2 Internet Protocol Suite Whilst the use of protocol layering is today ubiquitous across the field of computer networking, it has been his- The Internet Protocol Suite, also called TCP/IP, is torically criticized by many researchers[13] for two prin- the foundation of all modern networking. It offers 29.6. GEOGRAPHIC SCALE connection-less as well as connection-oriented services over an inherently unreliable network traversed by datagram transmission at the Internet protocol (IP) level. At its core, the protocol suite defines the addressing, identification, and routing specifications for Internet Protocol Version 4 (IPv4) and for IPv6, the next generation of the protocol with a much enlarged addressing capability. 29.5.3 SONET/SDH 111 communication extends communication to very small sensors and actuators such as those found in biological systems and also tends to operate in environments that would be too harsh for classical communication.[16] Personal area network A personal area network (PAN) is a computer network used for communication among computer and different information technological devices close to one person. Some examples of devices that are used in a PAN are personal computers, printers, fax machines, telephones, PDAs, scanners, and even video game consoles. A PAN may include wired and wireless devices. The reach of a PAN typically extends to 10 meters.[17] A wired PAN is usually constructed with USB and FireWire connections while technologies such as Bluetooth and infrared communication typically form a wireless PAN. Synchronous optical networking (SONET) and Synchronous Digital Hierarchy (SDH) are standardized multiplexing protocols that transfer multiple digital bit streams over optical fiber using lasers. 
They were originally designed to transport circuit mode communications from a variety of different sources, primarily to support real-time, uncompressed, circuit-switched voice encoded in PCM (Pulse-Code Modulation) format. However, due to its protocol neutrality and transport-oriented features, SONET/SDH also was the obvious choice for transport- Local area network ing Asynchronous Transfer Mode (ATM) frames. 29.5.4 Asynchronous Transfer Mode Asynchronous Transfer Mode (ATM) is a switching technique for telecommunication networks. It uses asynchronous time-division multiplexing and encodes data into small, fixed-sized cells. This differs from other protocols such as the Internet Protocol Suite or Ethernet that use variable sized packets or frames. ATM has similarity with both circuit and packet switched networking. This makes it a good choice for a network that must handle both traditional high-throughput data traffic, and realtime, low-latency content such as voice and video. ATM uses a connection-oriented model in which a virtual circuit must be established between two endpoints before the actual data exchange begins. A local area network (LAN) is a network that connects computers and devices in a limited geographical area such as a home, school, office building, or closely positioned group of buildings. Each computer or device on the network is a node. Wired LANs are most likely based on Ethernet technology. Newer standards such as ITU-T G.hn also provide a way to create a wired LAN using existing wiring, such as coaxial cables, telephone lines, and power lines.[18] The defining characteristics of a LAN, in contrast to a wide area network (WAN), include higher data transfer rates, limited geographic range, and lack of reliance on leased lines to provide connectivity. Current Ethernet or other IEEE 802.3 LAN technologies operate at data transfer rates up to 100 Gbit/s, standarized by IEEE in 2010.[19] Currently, 400 Gbit/s Ethernet is being developed. 
While the role of ATM is diminishing in favor of nextgeneration networks, it still plays a role in the last mile, A LAN can be connected to a WAN using a router. which is the connection between an Internet service provider and the home user.[15] Home area network A home area network (HAN) is a residential LAN used for communication between digital devices typically deployed in the home, usually a small number of personal A network can be characterized by its physical capacity or computers and accessories, such as printers and mobile its organizational purpose. Use of the network, including computing devices. An important function is the sharing of Internet access, often a broadband service through a user authorization and access rights, differ accordingly. cable TV or digital subscriber line (DSL) provider. 29.6 Geographic scale Nanoscale network Storage area network A nanoscale communication network has key components implemented at the nanoscale including message A storage area network (SAN) is a dedicated network that carriers and leverages physical principles that differ from provides access to consolidated, block level data storage. macroscale communication mechanisms. Nanoscale SANs are primarily used to make storage devices, such as 112 disk arrays, tape libraries, and optical jukeboxes, accessible to servers so that the devices appear like locally attached devices to the operating system. A SAN typically has its own network of storage devices that are generally not accessible through the local area network by other devices. The cost and complexity of SANs dropped in the early 2000s to levels allowing wider adoption across both enterprise and small to medium-sized business environments. CHAPTER 29. COMPUTER NETWORK media such as telephone lines, cables, and air waves. A WAN often makes use of transmission facilities provided by common carriers, such as telephone companies. 
WAN technologies generally function at the lower three layers of the OSI reference model: the physical layer, the data link layer, and the network layer. Enterprise private network An enterprise private network is a network that a single organization builds to interconnect its office locations (e.g., production sites, head offices, remote offices, A campus area network (CAN) is made up of an inter- shops) so they can share computer resources. connection of LANs within a limited geographical area. The networking equipment (switches, routers) and trans- Virtual private network mission media (optical fiber, copper plant, Cat5 cabling, etc.) are almost entirely owned by the campus tenant / A virtual private network (VPN) is an overlay network owner (an enterprise, university, government, etc.). in which some of the links between nodes are carried by For example, a university campus network is likely to link open connections or virtual circuits in some larger neta variety of campus buildings to connect academic col- work (e.g., the Internet) instead of by physical wires. The leges or departments, the library, and student residence data link layer protocols of the virtual network are said to be tunneled through the larger network when this is halls. the case. One common application is secure communications through the public Internet, but a VPN need not Backbone network have explicit security features, such as authentication or content encryption. VPNs, for example, can be used to A backbone network is part of a computer network infras- separate the traffic of different user communities over an tructure that provides a path for the exchange of informa- underlying network with strong security features. tion between different LANs or sub-networks. A backVPN may have best-effort performance, or may have a bone can tie together diverse networks within the same defined service level agreement (SLA) between the VPN building, across different buildings, or over a wide area. 
customer and the VPN service provider. Generally, a For example, a large company might implement a back- VPN has a topology more complex than point-to-point. bone network to connect departments that are located around the world. The equipment that ties together the Global area network departmental networks constitutes the network backbone. When designing a network backbone, network perfor- A global area network (GAN) is a network used for supmance and network congestion are critical factors to take porting mobile across an arbitrary number of wireless into account. Normally, the backbone network’s capacity LANs, satellite coverage areas, etc. The key challenge is greater than that of the individual networks connected in mobile communications is handing off user commuto it. nications from one local coverage area to the next. In Campus area network Another example of a backbone network is the Internet IEEE Project 802, this involves a succession of terrestrial backbone, which is the set of wide area networks (WANs) wireless LANs.[20] and core routers that tie together all networks connected to the Internet. 29.7 Organizational scope Metropolitan area network Networks are typically managed by the organizations that A Metropolitan area network (MAN) is a large computer own them. Private enterprise networks may use a combination of intranets and extranets. They may also provide network that usually spans a city or a large campus. network access to the Internet, which has no single owner and permits virtually unlimited global connectivity. Wide area network A wide area network (WAN) is a computer network that 29.7.1 Intranet covers a large geographic area such as a city, country, or spans even intercontinental distances. A WAN uses An intranet is a set of networks that are under the control a communications channel that combines many types of of a single administrative entity. The intranet uses the IP 29.8. 
ROUTING protocol and IP-based tools such as web browsers and file transfer applications. The administrative entity limits use of the intranet to its authorized users. Most commonly, an intranet is the internal LAN of an organization. A large intranet typically has at least one web server to provide users with organizational information. An intranet is also anything behind the router on a local area network. 113 Protocol Suite. It is the successor of the Advanced Research Projects Agency Network (ARPANET) developed by DARPA of the United States Department of Defense. The Internet is also the communications backbone underlying the World Wide Web (WWW). Participants in the Internet use a diverse array of methods of several hundred documented, and often standardized, protocols compatible with the Internet Protocol Suite and an addressing system (IP addresses) administered by the 29.7.2 Extranet Internet Assigned Numbers Authority and address registries. Service providers and large enterprises exchange An extranet is a network that is also under the administrainformation about the reachability of their address spaces tive control of a single organization, but supports a limited through the Border Gateway Protocol (BGP), forming a connection to a specific external network. For example, redundant worldwide mesh of transmission paths. an organization may provide access to some aspects of its intranet to share data with its business partners or customers. These other entities are not necessarily trusted 29.7.5 Darknet from a security standpoint. Network connection to an extranet is often, but not always, implemented via WAN A darknet is an overlay network, typically running on the technology. internet, that is only accessible through specialized software. A darknet is an anonymizing network where connections are made only between trusted peers — some29.7.3 Internetwork times called “friends” (F2F)[21] — using non-standard protocols and ports. 
An internetwork is the connection of multiple computer networks via a common routing technology using routers.

29.7.4 Internet

Partial map of the Internet based on the January 15, 2005 data found on opte.org. Each line is drawn between two nodes, representing two IP addresses. The length of the lines is indicative of the delay between those two nodes. This graph represents less than 30% of the Class C networks reachable.

The Internet is the largest example of an internetwork. It is a global system of interconnected governmental, academic, corporate, public, and private computer networks. It is based on the networking technologies of the Internet

Darknets are distinct from other distributed peer-to-peer networks as sharing is anonymous (that is, IP addresses are not publicly shared), and therefore users can communicate with little fear of governmental or corporate interference.[22]

29.8 Routing

Routing calculates good paths through a network for information to take. For example, from node 1 to node 6 the best routes are likely to be 1-8-7-6 or 1-8-10-6, as these have the thickest routes.

Routing is the process of selecting network paths to carry network traffic. Routing is performed for many kinds of networks, including circuit switching networks and packet switched networks.

In packet switched networks, routing directs packet forwarding (the transit of logically addressed network packets from their source toward their ultimate destination) through intermediate nodes. Intermediate nodes are typically network hardware devices such as routers, bridges, gateways, firewalls, or switches. General-purpose computers can also forward packets and perform routing, though they are not specialized hardware and may suffer from limited performance. The routing process usually directs forwarding on the basis of routing tables, which maintain a record of the routes to various network destinations. Thus, constructing routing tables, which are held in the router’s memory, is very important for efficient routing.

There are usually multiple routes that can be taken, and to choose between them, different elements can be considered to decide which routes get installed into the routing table, such as (sorted by priority):

1. Prefix-Length: where longer subnet masks are preferred (regardless of whether the routes come from the same routing protocol or from different routing protocols)
2. Metric: where a lower metric/cost is preferred (only valid within one and the same routing protocol)
3. Administrative distance: where a lower distance is preferred (only valid between different routing protocols)

Most routing algorithms use only one network path at a time. Multipath routing techniques enable the use of multiple alternative paths.

Routing, in a more narrow sense of the term, is often contrasted with bridging in its assumption that network addresses are structured and that similar addresses imply proximity within the network. Structured addresses allow a single routing table entry to represent the route to a group of devices. In large networks, structured addressing (routing, in the narrow sense) outperforms unstructured addressing (bridging). Routing has become the dominant form of addressing on the Internet. Bridging is still widely used within localized environments.

29.9 Network service

Network services are applications hosted by servers on a computer network, to provide some functionality for members or users of the network, or to help the network itself to operate.

The World Wide Web, E-mail,[23] printing and network file sharing are examples of well-known network services. Network services such as DNS (Domain Name System) give names for IP and MAC addresses (people remember names like “nm.lan” better than numbers like “210.121.67.18”),[24] and DHCP ensures that the equipment on the network has a valid IP address.[25]

Services are usually based on a service protocol that defines the format and sequencing of messages between clients and servers of that network service.

29.10 Network performance

29.10.1 Quality of service

Depending on the installation requirements, network performance is usually measured by the quality of service of a telecommunications product. The parameters that affect this typically can include throughput, jitter, bit error rate and latency.

The following list gives examples of network performance measures for a circuit-switched network and one type of packet-switched network, viz. ATM:

• Circuit-switched networks: In circuit switched networks, network performance is synonymous with the grade of service. The number of rejected calls is a measure of how well the network is performing under heavy traffic loads.[26] Other types of performance measures can include the level of noise and echo.
• ATM: In an Asynchronous Transfer Mode (ATM) network, performance can be measured by line rate, quality of service (QoS), data throughput, connect time, stability, technology, modulation technique and modem enhancements.[27]

There are many ways to measure the performance of a network, as each network is different in nature and design. Performance can also be modelled instead of measured. For example, state transition diagrams are often used to model queuing performance in a circuit-switched network. The network planner uses these diagrams to analyze how the network performs in each state, ensuring that the network is optimally designed.[28]

29.10.2 Network congestion

Network congestion occurs when a link or node is carrying so much data that its quality of service deteriorates. Typical effects include queueing delay, packet loss or the blocking of new connections. A consequence of these latter two is that incremental increases in offered load lead either only to a small increase in network throughput, or to an actual reduction in network throughput.

Network protocols that use aggressive retransmissions to compensate for packet loss tend to keep systems in a state of network congestion, even after the initial load is reduced to a level that would not normally induce network congestion. Thus, networks using these protocols can exhibit two stable states under the same level of load. The stable state with low throughput is known as congestive collapse.

Modern networks use congestion control and congestion avoidance techniques to try to avoid congestion collapse. These include: exponential backoff in protocols such as 802.11's CSMA/CA and the original Ethernet, window reduction in TCP, and fair queueing in devices such as routers. Another method to avoid the negative effects of network congestion is implementing priority schemes, so that some packets are transmitted with higher priority than others. Priority schemes do not solve network congestion by themselves, but they help to alleviate the effects of congestion for some services. An example of this is 802.1p. A third method to avoid network congestion is the explicit allocation of network resources to specific flows. One example of this is the use of Contention-Free Transmission Opportunities (CFTXOPs) in the ITU-T G.hn standard, which provides high-speed (up to 1 Gbit/s) local area networking over existing home wires (power lines, phone lines and coaxial cables).

For the Internet, RFC 2914 addresses the subject of congestion control in detail.

29.10.3 Network resilience

Network resilience is “the ability to provide and maintain an acceptable level of service in the face of faults and challenges to normal operation.”[29]

29.11 Security

Main article: Computer security

29.11.1 Network security

Network security consists of provisions and policies adopted by the network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of the computer network and its network-accessible resources.[30] Network security is the authorization of access to data in a network, which is controlled by the network administrator. Users are assigned an ID and password that allows them access to information and programs within their authority. Network security is used on a variety of computer networks, both public and private, to secure daily transactions and communications among businesses, government agencies and individuals.

29.11.2 Network surveillance

Network surveillance is the monitoring of data being transferred over computer networks such as the Internet. The monitoring is often done surreptitiously and may be done by or at the behest of governments, by corporations, criminal organizations, or individuals. It may or may not be legal and may or may not require authorization from a court or other independent agency.

Computer and network surveillance programs are widespread today, and almost all Internet traffic is or could potentially be monitored for clues to illegal activity.

Surveillance is very useful to governments and law enforcement to maintain social control, recognize and monitor threats, and prevent/investigate criminal activity. With the advent of programs such as the Total Information Awareness program, technologies such as high speed surveillance computers and biometrics software, and laws such as the Communications Assistance For Law Enforcement Act, governments now possess an unprecedented ability to monitor the activities of citizens.[31]

However, many civil rights and privacy groups, such as Reporters Without Borders, the Electronic Frontier Foundation, and the American Civil Liberties Union, have expressed concern that increasing surveillance of citizens may lead to a mass surveillance society, with limited political and personal freedoms. Fears such as this have led to numerous lawsuits such as Hepting v. AT&T.[31][32] The hacktivist group Anonymous has hacked into government websites in protest of what it considers “draconian surveillance”.[33][34]

29.11.3 End to end encryption

End-to-end encryption (E2EE) is a digital communications paradigm of uninterrupted protection of data traveling between two communicating parties. It involves the originating party encrypting data so only the intended recipient can decrypt it, with no dependency on third parties. End-to-end encryption prevents intermediaries, such as Internet providers or application service providers, from discovering or tampering with communications. End-to-end encryption generally protects both confidentiality and integrity.

Examples of end-to-end encryption include PGP for email, OTR for instant messaging, ZRTP for telephony, and TETRA for radio.

Typical server-based communications systems do not include end-to-end encryption. These systems can only guarantee protection of communications between clients and servers, not between the communicating parties themselves. Examples of non-E2EE systems are Google Talk, Yahoo Messenger, Facebook, and Dropbox. Some such systems, for example LavaBit and SecretInk, have even described themselves as offering “end-to-end” encryption when they do not. Some systems that normally offer end-to-end encryption have turned out to contain a back door that subverts negotiation of the encryption key between the communicating parties, for example Skype or Hushmail.

The end-to-end encryption paradigm does not directly address risks at the communications endpoints themselves, such as the technical exploitation of clients, poor quality random number generators, or key escrow. E2EE also does not address traffic analysis, which relates to things such as the identities of the end points and the times and quantities of messages that are sent.

29.12 Views of networks

Users and network administrators typically have different views of their networks. Users can share printers and some servers from a workgroup, which usually means they are in the same geographic location and are on the same LAN, whereas a network administrator is responsible for keeping that network up and running. A community of interest has less of a connection of being in a local area, and should be thought of as a set of arbitrarily located users who share a set of servers, and possibly also communicate via peer-to-peer technologies.

Network administrators can see networks from both physical and logical perspectives. The physical perspective involves geographic locations, physical cabling, and the network elements (e.g., routers, bridges and application layer gateways) that interconnect via the transmission media. Logical networks, called, in the TCP/IP architecture, subnets, map onto one or more transmission media. For example, a common practice in a campus of buildings is to make a set of LAN cables in each building appear to be a common subnet, using virtual LAN (VLAN) technology.

Both users and administrators are aware, to varying extents, of the trust and scope characteristics of a network. Again using TCP/IP architectural terminology, an intranet is a community of interest under private administration usually by an enterprise, and is only accessible by authorized users (e.g. employees).[35] Intranets do not have to be connected to the Internet, but generally have a limited connection. An extranet is an extension of an intranet that allows secure communications to users outside of the intranet (e.g. business partners, customers).[35]

Unofficially, the Internet is the set of users, enterprises, and content providers that are interconnected by Internet Service Providers (ISP). From an engineering viewpoint, the Internet is the set of subnets, and aggregates of subnets, which share the registered IP address space and exchange information about the reachability of those IP addresses using the Border Gateway Protocol. Typically, the human-readable names of servers are translated to IP addresses, transparently to users, via the directory function of the Domain Name System (DNS).

Over the Internet, there can be business-to-business (B2B), business-to-consumer (B2C) and consumer-to-consumer (C2C) communications. When money or sensitive information is exchanged, the communications are apt to be protected by some form of communications security mechanism. Intranets and extranets can be securely superimposed onto the Internet, without any access by general Internet users and administrators, using secure Virtual Private Network (VPN) technology.

29.13 See also

• Comparison of network diagram software
• Cyberspace
• History of the Internet
• Network simulation
• Network planning and design

29.14 References

[1] Computer network definition, retrieved 2011-11-12
[2] "История о том, как пионер кибернетики оказался не нужен СССР" [The story of how a cybernetics pioneer became unnecessary to the USSR]. ria.ru (in Russian). МИА «Россия сегодня». 2010-08-09. Retrieved 2015-03-04. Главным делом жизни Китова, увы, не доведенным до практического воплощения, можно считать разработку плана создания компьютерной сети (Единой государственной сети вычислительных центров - ЕГСВЦ) для управления народным хозяйством и одновременно для решения военных задач. Этот план Анатолий Иванович предложил сразу в высшую инстанцию, направив в январе 1959 года письмо генсеку КПСС Никите Хрущеву. Не получив ответа (хотя начинание на словах было поддержано в различных кругах), осенью того же года он заново направляет на самый верх письмо, приложив к нему 200-страничный детальный проект, получивший название 'Красной книги'. [One can regard the magnum opus of Kitov’s career as his elaboration of the plan, unfortunately never brought into practical form, for the establishment of a computer network (the Unified State Network of Computer Centres, EGSVTs) for the control of the national economy and simultaneously for the resolution of military tasks. Anatolii Ivanovich presented this plan directly to the highest levels, sending a letter in January 1959 to the General Secretary of the Communist Party of the Soviet Union Nikita Khrushchev. Not receiving a reply (although supported in various circles), in the autumn of the same year he again sent a letter to the very top, appending a 200-page detailed project plan, called the 'Red Book'.]
[3] Chris Sutton. “Internet Began 35 Years Ago at UCLA with First Message Ever Sent Between Two Computers”. UCLA. Archived from the original on March 8, 2008.
[4] Ethernet: Distributed Packet Switching for Local Computer Networks, Robert M. Metcalfe and David R. Boggs, Communications of the ACM (pp 395–404, Vol. 19, No. 5), July 1976.
[5] Spurgeon, Charles E. (2000). Ethernet The Definitive Guide. O'Reilly & Associates. ISBN 1-56592-660-9.
[6] The Disadvantages of Wired Technology, Laura Acevedo, Demand Media.
[7] “Bergen Linux User Group’s CPIP Implementation”. Blug.linux.no. Retrieved 2014-03-01.
[8] A. Hooke (September 2000), Interplanetary Internet (PDF), Third Annual International Symposium on Advanced Radio Technologies, archived from the original (PDF) on 2012-01-13, retrieved 2011-11-12
[9] “Define switch.”. WWW.Wikipedia.com. Retrieved April 8, 2008.
[10] http://compnetworking.about.com/cs/internetworking/g/bldef_bridge.htm
[11] D. Andersen; H. Balakrishnan; M. Kaashoek; R. Morris (October 2001), Resilient Overlay Networks, Association for Computing Machinery, retrieved 2011-11-12
[12] “End System Multicast”. Project web site. Carnegie Mellon University. Retrieved May 25, 2013.
[13] Wakeman, I (Jan 1992). “Layering considered harmful”. IEEE Network: 20–24.
[14] Kurose, James; Ross, Keith (2005). Computer Networking: A Top-Down Approach. Pearson.
[15] For an interesting write-up of the technologies involved, including the deep stacking of communications protocols used, see Martin, Thomas. “Design Principles for DSL-Based Access Solutions” (PDF). Retrieved 18 June 2011.
[16] Nanoscale Communication Networks, Bush, S. F., ISBN 978-1-60807-003-9, Artech House, 2010.
[17] “personal area network (PAN)”. Retrieved January 29, 2011.
[18] New global standard for fully networked home, ITU-T, 2008-12-12, retrieved 2011-11-12
[19] IEEE P802.3ba 40Gb/s and 100Gb/s Ethernet Task Force, retrieved 2011-11-12
[20] “Mobile Broadband Wireless connections (MBWA)”. Retrieved 2011-11-12.
[21] Mansfield-Devine, Steve (December 2009). “Darknets”. Computer Fraud & Security. 2009 (12): 4–6. doi:10.1016/S1361-3723(09)70150-2.
[22] Wood, Jessica (2010). “The Darknet: A Digital Copyright Revolution” (PDF). Richmond Journal of Law and Technology. 16 (4). Retrieved 25 October 2011.
[23] RFC 5321
[24] RFC 1035, Domain names – Implementation and Specification, P. Mockapetris (November 1987)
[25] Peterson LL, Davie BS. (2011). Computer Networks: A Systems Approach.
[26] Teletraffic Engineering Handbook (PDF), ITU-T Study Group 2, archived from the original (PDF) on 2007-01-11
[27] Telecommunications Magazine Online, Americas January 2003, Issue Highlights, Online Exclusive: Broadband Access Maximum Performance, Retrieved on February 13, 2005.
[28] “State Transition Diagrams”. Retrieved July 13, 2003.
[29] “Definitions: Resilience”. ResiliNets Research Initiative. Retrieved 2011-11-12.
[30] Simmonds, A; Sandilands, P; van Ekert, L (2004). “An Ontology for Network Security Attack”. Lecture Notes in Computer Science. 3285: 317–323. doi:10.1007/978-3-540-30176-9_41. ISBN 978-3-540-23659-7.
[31] “Is the U.S. Turning Into a Surveillance Society?”. American Civil Liberties Union. Retrieved March 13, 2009.
[32] “Bigger Monster, Weaker Chains: The Growth of an American Surveillance Society” (PDF). American Civil Liberties Union. January 15, 2003. Retrieved March 13, 2009.
[33] “Anonymous hacks UK government sites over 'draconian surveillance'”, Emil Protalinski, ZDNet, 7 April 2012, retrieved 12 March 2013
[34] Hacktivists in the frontline battle for the internet, retrieved 17 June 2012
[35] RFC 2547

This article incorporates public domain material from the General Services Administration document “Federal Standard 1037C”.

29.15 Further reading

• Shelly, Gary, et al. “Discovering Computers” 2003 Edition.
• Wendell Odom, Rus Healy, Denise Donohue. (2010) CCIE Routing and Switching. Indianapolis, IN: Cisco Press
• Kurose, James F. and Keith W. Ross: Computer Networking: A Top-Down Approach Featuring the Internet, Pearson Education 2005.
• William Stallings, Computer Networking with Internet Protocols and Technology, Pearson Education 2004.
• Important publications in computer networks
• Network Communication Architecture and Protocols: OSI Network Architecture 7 Layers Model
• Dimitri Bertsekas and Robert Gallager, “Data Networks,” Prentice Hall, 1992.

29.16 External links

• Networking at DMOZ
• IEEE Ethernet manufacturer information
• A computer networking acronym guide

Chapter 30

Router (computing)

This article is about the network device. For the woodworking tool, see Router (woodworking).

A router[lower-alpha 1] is a networking device that forwards data packets between computer networks. Routers perform the traffic directing functions on the Internet. A data packet is typically forwarded from one router to another through the networks that constitute the internetwork until it reaches its destination node.[2]

A router is connected to two or more data lines from different networks.[lower-alpha 2] When a data packet comes in on one of the lines, the router reads the address information in the packet to determine the ultimate destination. Then, using information in its routing table or routing policy, it directs the packet to the next network on its journey. This creates an overlay internetwork.

A typical home or small office router showing the ADSL telephone line and Ethernet network cable connections

The most familiar type of routers are home and small office routers that simply pass IP packets between the home computers and the Internet. An example of a router would be the owner’s cable or DSL router, which connects to the Internet through an Internet service provider (ISP). More sophisticated routers, such as enterprise routers, connect large business or ISP networks up to the powerful core routers that forward data at high speed along the optical fiber lines of the Internet backbone. Though routers are typically dedicated hardware devices, software-based routers also exist.

30.1 Applications

A Cisco ASM/2-32EM router deployed at CERN in 1987

When multiple routers are used in interconnected networks, the routers can exchange information about destination addresses using a dynamic routing protocol. Each router builds up a routing table listing the preferred routes between any two systems on the interconnected networks.[3]

A router has interfaces for different physical types of network connections, such as copper cables, fibre optic, or wireless transmission. It also contains firmware for different networking communications protocol standards. Each network interface uses this specialized computer software to enable data packets to be forwarded from one protocol transmission system to another. Routers may also be used to connect two or more logical groups of computer devices known as subnets, each with a different network prefix. The network prefixes recorded in the routing table do not necessarily map directly to the physical interface connections.[4]

A router has two stages of operation called planes:[5]

• Control plane: A router maintains a routing table that lists which route should be used to forward a data packet, and through which physical interface connection. It does this using internal pre-configured directives, called static routes, or by learning routes using a dynamic routing protocol. Static and dynamic routes are stored in the Routing Information Base (RIB). The control-plane logic then strips non-essential directives from the RIB and builds a Forwarding Information Base (FIB) to be used by the forwarding plane.
• Forwarding plane: The router forwards data packets between incoming and outgoing interface connections. It routes them to the correct network type using information that the packet header contains. It uses data recorded in the routing table by the control plane.

Routers may provide connectivity within enterprises, between enterprises and the Internet, or between internet service providers' (ISPs) networks. The largest routers (such as the Cisco CRS-1 or Juniper T1600) interconnect the various ISPs, or may be used in large enterprise networks.[6] Smaller routers usually provide connectivity for typical home and office networks. Other networking solutions may be provided by a backbone Wireless Distribution System (WDS), which avoids the costs of introducing networking cables into buildings.

All sizes of routers may be found inside enterprises.[7] The most powerful routers are usually found in ISPs, academic and research facilities. Large businesses may also need more powerful routers to cope with ever increasing demands of intranet data traffic. A three-layer model is in common use, not all of which need be present in smaller networks.[8]

30.1.1 Access

A screenshot of the LuCI web interface used by OpenWrt. This page configures Dynamic DNS.

Access routers, including 'small office/home office' (SOHO) models, are located at customer sites such as branch offices that do not need hierarchical routing of their own. Typically, they are optimized for low cost. Some SOHO routers are capable of running alternative free Linux-based firmware like Tomato, OpenWrt or DD-WRT.[9]

30.1.2 Distribution

Distribution routers aggregate traffic from multiple access routers, either at the same site, or to collect the data streams from multiple sites to a major enterprise location. Distribution routers are often responsible for enforcing quality of service across a wide area network (WAN), so they may have considerable memory installed, multiple WAN interface connections, and substantial onboard data processing routines. They may also provide connectivity to groups of file servers or other external networks.

30.1.3 Security

See also: Universal Plug and Play § Problems with UPnP, and Wi-Fi Protected Setup § Vulnerabilities

External networks must be carefully considered as part of the overall security strategy. A router may include a firewall, VPN handling, and other security functions, or these may be handled by separate devices. Many companies have produced security-oriented routers, including the Cisco PIX series, Juniper NetScreen and WatchGuard. Routers also commonly perform network address translation (which allows multiple devices on a network to share a single public IP address[10][11][12]) and stateful packet inspection. Some experts argue that open source routers are more secure and reliable than closed source routers because open source routers allow mistakes to be quickly found and corrected.[13]

30.1.4 Core

In enterprises, a core router may provide a “collapsed backbone” interconnecting the distribution tier routers from multiple buildings of a campus, or large enterprise locations. They tend to be optimized for high bandwidth, but lack some of the features of edge routers.[14]

30.1.5 Internet connectivity and internal use

Routers intended for ISP and major enterprise connectivity usually exchange routing information using the Border Gateway Protocol (BGP). RFC 4098 defines the types of BGP routers according to their functions:[15]

• Edge router: Also called a provider edge router, it is placed at the edge of an ISP network. The router uses External BGP to EBGP routers in other ISPs, or a large enterprise Autonomous System.
• Subscriber edge router: Also called a Customer Edge router, it is located at the edge of the subscriber’s network; it also uses EBGP to its provider’s Autonomous System. It is typically used in an (enterprise) organization.
• Inter-provider border router: Interconnecting ISPs, this is a BGP router that maintains BGP sessions with other BGP routers in ISP Autonomous Systems.
• Core router: A core router resides within an Autonomous System as a backbone to carry traffic between edge routers.[16]
• Within an ISP: In the ISP’s Autonomous System, a router uses internal BGP to communicate with other ISP edge routers, other intranet core routers, or the ISP’s intranet provider border routers.
• “Internet backbone”: The Internet no longer has a clearly identifiable backbone, unlike its predecessor networks. See default-free zone (DFZ). The major ISPs’ system routers make up what could be considered to be the current Internet backbone core.[17] ISPs operate all four types of the BGP routers described here. An ISP “core” router is used to interconnect its edge and border routers. Core routers may also have specialized functions in virtual private networks based on a combination of BGP and Multi-Protocol Label Switching protocols.[18]
• Port forwarding: Routers are also used for port forwarding between private Internet connected servers.[7]
• Voice/Data/Fax/Video Processing Routers: Commonly referred to as access servers or gateways, these devices are used to route and process voice, data, video and fax traffic on the Internet. Since 2005, most long-distance phone calls have been processed as IP traffic (VOIP) through a voice gateway. Use of access server type routers expanded with the advent of the Internet, first with dial-up access and another resurgence with voice phone service.
• Larger networks commonly use multilayer switches, with layer 3 devices being used to simply interconnect multiple subnets within the same security zone, and higher layer switches when filtering, translation, load balancing or other higher level functions are required, especially between zones.

Avaya ERS 8600 (2010)

30.2 Historical and technical information

The very first device that had fundamentally the same functionality as a router does today was the Interface Message Processor (IMP); IMPs were the devices that made up the ARPANET, the first TCP/IP network. The idea for a router (called "gateways" at the time) initially came about through an international group of computer networking researchers called the International Network Working Group (INWG). Set up in 1972 as an informal group to consider the technical issues involved in connecting different networks, later that year it became a subcommittee of the International Federation for Information Processing.[19] These devices were different from most previous packet switching schemes in two ways. First, they connected dissimilar kinds of networks, such as serial lines and local area networks. Second, they were connectionless devices, which had no role in assuring that traffic was delivered reliably, leaving that entirely to the hosts.[lower-alpha 3]

The idea was explored in more detail, with the intention to produce a prototype system as part of two contemporaneous programs. One was the initial DARPA-initiated program, which created the TCP/IP architecture in use today.[20] The other was a program at Xerox PARC to explore new networking technologies, which produced the PARC Universal Packet system; due to corporate intellectual property concerns it received little attention outside Xerox for years.[21] Some time after early 1974, the first Xerox routers became operational. The first true IP router was developed by Virginia Strazisar at BBN, as part of that DARPA-initiated effort, during 1975-1976. By the end of 1976, three PDP-11-based routers were in service in the experimental prototype Internet.[22]

The first multiprotocol routers were independently created by staff researchers at MIT and Stanford in 1981; the Stanford router was done by William Yeager, and the MIT one by Noel Chiappa; both were also based on PDP-11s.[23][24][25][26]

Virtually all networking now uses TCP/IP, but multiprotocol routers are still manufactured. They were important in the early stages of the growth of computer networking, when protocols other than TCP/IP were in use. Modern Internet routers that handle both IPv4 and IPv6 are multiprotocol, but are simpler devices than routers processing AppleTalk, DECnet, IP and Xerox protocols.

From the mid-1970s and in the 1980s, general-purpose mini-computers served as routers.
Modern high-speed routers are highly specialized computers with extra hardware added to speed both common routing functions, such as packet forwarding, and specialised functions such as IPsec encryption.

There is substantial use of Linux and Unix software based machines, running open source routing code, for research and other applications. Cisco’s operating system was independently designed. Major router operating systems, such as those from Juniper Networks and Extreme Networks, are extensively modified versions of Unix software.

Besides making a decision as to which interface a packet is forwarded to, which is handled primarily via the routing table, a router also has to manage congestion when packets arrive at a rate higher than the router can process. Three policies commonly used in the Internet are tail drop, random early detection (RED), and weighted random early detection (WRED). Tail drop is the simplest and most easily implemented; the router simply drops new incoming packets once the length of the queue exceeds the size of the buffers in the router. RED probabilistically drops datagrams early when the queue exceeds a pre-configured portion of the buffer, until a predetermined maximum, when it becomes tail drop. WRED requires a weight on the average queue size to act upon when the traffic is about to exceed the pre-configured size, so that short bursts will not trigger random drops.

A router can run more than one routing protocol at a time, particularly if it serves as an autonomous system border router between parts of a network that run different routing protocols; if it does so, then redistribution may be used (usually selectively) to share information between the different protocols running on the same router.[29]

Another function a router performs is to decide which packet should be processed first when multiple queues exist. This is managed through QoS, which is critical when Voice over IP is deployed, so as not to introduce excessive latency.

Yet another function a router performs is called policy-based routing, where special rules are constructed to override the rules derived from the routing table when a packet forwarding decision is made.[30]

Router functions may be performed through the same internal paths that the packets travel inside the router. Some of the functions may be performed through an application-specific integrated circuit (ASIC) to avoid the overhead of scheduling CPU time to process the packets. Others may have to be performed through the CPU, as these packets need special attention that cannot be handled by an ASIC.

30.3 Forwarding

The main purpose of a router is to connect multiple networks and forward packets destined either for its own networks or other networks. A router is considered a layer-3 device because its primary forwarding decision is based on the information in the layer-3 IP packet, specifically the destination IP address. When a router receives a packet, it searches its routing table to find the best match between the destination IP address of the packet and one of the addresses in the routing table. Once a match is found, the packet is encapsulated in the layer-2 data link frame for the outgoing interface indicated in the table entry. A router typically does not look into the packet payload, but only at the layer-3 addresses to make a forwarding decision, plus optionally other information in the header for hints on, for example, quality of service (QoS).
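The routing-table lookup just described, together with the route-selection rules listed in the Routing section of the previous chapter (prefix length, metric, administrative distance), as an added example. This is illustrative code written for this page, not code from any router vendor, operating system or project. It assumes a small constructed RIB and conventional administrative-distance values (connected 0, static 1, eBGP 20, OSPF 110, RIP 120; these numbers are an assumption, not from the page). The control-plane step keeps one best route per prefix (lower administrative distance between protocols, then lower metric within a protocol) to form the FIB; the forwarding step picks the longest matching prefix, with the default route 0.0.0.0/0 matching last and only when nothing more specific does.

```python
"""Route selection (RIB -> FIB) and longest-prefix-match forwarding.

Added example for this page; the RIB contents and the administrative
distances below are constructed assumptions, not values from the text.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Assumed administrative distances (conventional values, an assumption here).
ADMIN_DISTANCE = {"connected": 0, "static": 1, "ebgp": 20, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network   # destination network
    next_hop: str         # next-hop address, or "direct" for a connected network
    interface: str        # outgoing interface for the layer-2 encapsulation
    protocol: str         # where the route came from
    metric: int = 0       # protocol-specific cost, comparable only within one protocol

    @property
    def admin_distance(self) -> int:
        return ADMIN_DISTANCE[self.protocol]


def build_fib(rib):
    """Keep one best route per prefix.

    Between different protocols the lower administrative distance wins; within
    one protocol the lower metric wins.  Prefix length plays no part here: it
    decides between *different* prefixes at lookup time (see lookup()).
    """
    fib = {}
    for r in rib:
        best = fib.get(r.prefix)
        if best is None or (r.admin_distance, r.metric) < (best.admin_distance, best.metric):
            fib[r.prefix] = r
    return fib


def lookup(fib, dst):
    """Longest-prefix match for a destination address; None if nothing matches.

    A default route (prefix length 0) matches every address of its family, so
    it is chosen only when no more specific entry exists.
    """
    addr = ip_address(dst)
    candidates = [r for prefix, r in fib.items() if addr in prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def forward(fib, dst):
    """Return (next_hop, interface) for dst, or None if the packet is unroutable."""
    r = lookup(fib, dst)
    return None if r is None else (r.next_hop, r.interface)


# Constructed sample RIB: three candidates for 10.1.5.0/24 from two protocols.
RIB = [
    Route(ip_network("10.1.0.0/16"), "direct", "eth0", "connected"),
    Route(ip_network("10.1.5.0/24"), "10.1.0.2", "eth0", "ospf", metric=20),
    Route(ip_network("10.1.5.0/24"), "10.1.0.3", "eth0", "ospf", metric=10),
    Route(ip_network("10.1.5.0/24"), "10.1.0.9", "eth0", "rip", metric=1),
    Route(ip_network("192.0.2.0/24"), "203.0.113.1", "eth1", "ebgp"),
    Route(ip_network("0.0.0.0/0"), "198.51.100.1", "eth1", "static"),   # default route
]

if __name__ == "__main__":
    fib = build_fib(RIB)
    for dst in ("10.1.5.7", "10.1.9.1", "192.0.2.44", "8.8.8.8"):
        print(dst, "->", forward(fib, dst))
```

Note that the RIP route to 10.1.5.0/24 has the lowest metric of the three candidates but still loses: metrics are only comparable within one protocol, so administrative distance decides first and the OSPF route with metric 10 is installed. A destination outside every prefix is forwarded via the default route; remove that entry and the same destination becomes unroutable, which is what a router without a default route does with unknown destinations.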
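The tail drop, RED and WRED queue policies described in the Historical and technical information section, as an added example written for this page (not a vendor's implementation). The buffer size, thresholds, EWMA weight and offered load are constructed values; the RED drop curve is the usual linear ramp between a minimum and a maximum average queue length, applied to the smoothed average rather than the instantaneous queue length, and the random generator is seeded so that runs are reproducible.

```python
"""Tail drop, RED and WRED on one router output queue (added example).

All parameters are constructed for illustration; nothing here is taken from
a real router configuration.
"""
import random
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class RedProfile:
    min_th: float   # average queue length below which nothing is dropped early
    max_th: float   # average queue length at which RED becomes a forced drop
    max_p: float    # drop probability reached just below max_th


def drop_probability(avg, prof):
    """RED's linear drop curve evaluated on the *average* queue length."""
    if avg < prof.min_th:
        return 0.0
    if avg >= prof.max_th:
        return 1.0
    return prof.max_p * (avg - prof.min_th) / (prof.max_th - prof.min_th)


class OutputQueue:
    """One output queue.  No profiles: plain tail drop.  One profile for all
    traffic: RED.  One profile per traffic class: WRED."""

    def __init__(self, capacity, profiles=None, weight=0.2, seed=1):
        self.capacity = capacity          # buffer size in packets
        self.profiles = profiles or {}    # traffic class -> RedProfile
        self.weight = weight              # EWMA weight on the queue-length average
        self.q = deque()
        self.avg = 0.0
        self.rng = random.Random(seed)    # seeded: runs are reproducible
        self.accepted = 0
        self.dropped = {"tail": 0, "early": 0}

    def enqueue(self, pkt_class="default"):
        """Return True if the packet was queued, False if it was dropped."""
        # The average moves a little per arrival, so a short burst barely lifts it.
        self.avg = (1 - self.weight) * self.avg + self.weight * len(self.q)
        prof = self.profiles.get(pkt_class)
        if prof is not None and self.rng.random() < drop_probability(self.avg, prof):
            self.dropped["early"] += 1
            return False
        if len(self.q) >= self.capacity:  # buffer full: tail drop, whatever the policy
            self.dropped["tail"] += 1
            return False
        self.q.append(pkt_class)
        self.accepted += 1
        return True

    def dequeue(self, n):
        """Transmit up to n packets."""
        for _ in range(min(n, len(self.q))):
            self.q.popleft()


def simulate(queue, steps, arrivals_per_step, service_per_step, pkt_class="default"):
    """Offer arrivals_per_step packets per step to a link that drains
    service_per_step packets per step; return the resulting statistics."""
    max_len = 0
    for _ in range(steps):
        for _ in range(arrivals_per_step):
            queue.enqueue(pkt_class)
        max_len = max(max_len, len(queue.q))
        queue.dequeue(service_per_step)
    return {"accepted": queue.accepted, "max_len": max_len, **queue.dropped}


if __name__ == "__main__":
    red = RedProfile(min_th=3, max_th=8, max_p=0.1)
    print("tail drop :", simulate(OutputQueue(10), 30, 3, 2))
    print("RED       :", simulate(OutputQueue(10, {"default": red}), 30, 3, 2))
    # WRED: a more lenient profile for a voice class sharing the same buffer
    wred = {"default": red, "voice": RedProfile(min_th=6, max_th=10, max_p=0.02)}
    print("WRED voice:", simulate(OutputQueue(10, wred), 30, 3, 2, pkt_class="voice"))
```

With an offered load of 3 packets per step against a link that serves 2, the plain tail-drop queue fills its 10-packet buffer after eight steps and then discards one packet every step from the tail, exactly when the queue is longest. The RED queue starts discarding while the average is still between the two thresholds, and because the average is smoothed, a burst of a few packets into an empty queue is never dropped early; that is the behaviour the text attributes to the weight on the average queue size.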
For pure IP forwarding, a router is designed to minimize the state information associated with individual packets.[27] Once a packet is forwarded, the router does not retain any historical information about the packet.[note 4]

Further information: Routing and IP forwarding

The routing table itself can contain information derived from a variety of sources, such as default or static routes that are configured manually, or dynamic routing protocols where the router learns routes from other routers. A default route is one that is used to route all traffic whose destination does not otherwise appear in the routing table; this is common, even necessary, in small networks such as a home or small business, where the default route simply sends all non-local traffic to the Internet service provider.

30.4 See also

• DECbit
• Mobile broadband modem
• Modem
• Residential gateway
• TCAM (ternary content addressable memory; hardware acceleration of route search)
• Wireless router

30.5 Notes

[1] Router is pronounced /ˈruːtər/ in British English and is typically pronounced /ˈraʊdər/ in American and Australian English.[1]
[2] As opposed to a network switch, which connects data lines from one single network.
[3] This particular idea had been previously pioneered in the CYCLADES network.
[4] The forwarding action can be collected into the statistical data, if so configured.
[5] A router can serve as a DHCP client or as a DHCP server.

30.6 References

[1] “router”. Oxford English Dictionary (3rd ed.). Oxford University Press. September 2005. (Subscription or UK public library membership required.)
[2] “Overview Of Key Routing Protocol Concepts: Architectures, Protocol Types, Algorithms and Metrics”. Tcpipguide.com. Retrieved 15 January 2011.
[3] “Cisco Networking Academy's Introduction to Routing Dynamically”. Cisco. Retrieved August 1, 2015.
[4] Requirements for IPv4 Routers, RFC 1812, F. Baker, June 1995.
[5] Requirements for Separation of IP Control and Forwarding, RFC 3654, H.
Khosravi & T. Anderson, November 2003.
[6] “Setting up Netflow on Cisco Routers”. MY-Technet.com, date unknown. Retrieved 15 January 2011.
[7] “Windows Home Server: Router Setup”. Microsoft Technet, 14 Aug 2010. Retrieved 15 January 2011.
[8] Oppenheimer, Pr (2004). Top-Down Network Design. Indianapolis: Cisco Press. ISBN 1-58705-152-4.
[9] “Windows Small Business Server 2008: Router Setup”. Microsoft Technet, Nov 2010. Retrieved 15 January 2011.
[10] See “Network Address Translation (NAT) FAQ”.
[11] Cf. “RFC 3022 – Traditional IP Network Address Translator (Traditional NAT)”.
[12] But see “Security Considerations Of NAT” (PDF). University of Michigan. Archived from the original (PDF) on October 18, 2014, which argues that NAT is not a security feature.
[13] Global Internet Experts Reveal Plan for More Secure, Reliable Wi-Fi Routers - and Internet.
[14] “Core Network Planning”. Microsoft Technet, May 28, 2009. Retrieved 15 January 2011.
[15] H. Berkowitz et al. (June 2005), Terminology for Benchmarking BGP Device Convergence in the Control Plane, RFC 4098.
[16] “M160 Internet Backbone Router” (PDF). Juniper Networks, date unknown. Retrieved 15 January 2011.
[17] “Virtual Backbone Routers” (PDF). IronBridge Networks, Inc., September 2000. Retrieved 15 January 2011.
[18] BGP/MPLS VPNs, RFC 2547, E. Rosen and Y. Rekhter, April 2004.
[19] Davies, Shanks, Heart, Barker, Despres, Detwiler and Riml, “Report of Subgroup 1 on Communication System”, INWG Note No. 1.
[20] Vinton Cerf, Robert Kahn, “A Protocol for Packet Network Intercommunication”, IEEE Transactions on Communications, Volume 22, Issue 5, May 1974, pp. 637–648.
[21] David Boggs, John Shoch, Edward Taft, Robert Metcalfe, “Pup: An Internetwork Architecture”, IEEE Transactions on Communications, Volume 28, Issue 4, April 1980, pp. 612–624.
[22] Craig Partridge, S. Blumenthal, “Data networking at BBN”; IEEE Annals of the History of Computing, Volume 28, Issue 1; January–March 2006.
[23] Valley of the Nerds: Who Really Invented the Multiprotocol Router, and Why Should We Care?, Public Broadcasting Service, accessed August 11, 2007.
[24] Router Man, NetworkWorld, accessed June 22, 2007.
[25] David D. Clark, “M.I.T. Campus Network Implementation”, CCNG-2, Campus Computer Network Group, M.I.T., Cambridge, 1982; pp. 26.
[26] Pete Carey, “A Start-Up's True Tale: Often-told story of Cisco's launch leaves out the drama, intrigue”, San Jose Mercury News, December 1, 2001.
[27] Roberts, Lawrence (22 July 2003). “The Next Generation of IP - Flow Routing”. Retrieved 22 February 2015.
[28] David Davis (Apr 19, 2007). “Cisco administration 101: What you need to know about default routes”.
[29] Diane Teare (Mar 2013). Implementing Cisco IP Routing (ROUTE): Foundation Learning Guide. Cisco Press. pp. 330–334.
[30] Diane Teare (Mar 2013). “Chapter 5: Implementing Path Control”. Implementing Cisco IP Routing (ROUTE): Foundation Learning Guide. Cisco Press. pp. 330–334.

30.7 External links

• African Region Internet Registry
• Asia-Pacific Network Information Center
• Internet Engineering Task Force, the Routing Area (last checked 21 January 2011)
• Internet Corporation for Assigned Names and Numbers
• Network Router Analyzer
• North American Network Operators Group
• Réseaux IP Européens (European IP Networks)
• American Registry for Internet Numbers
• Router Default IP and Username Database
• Router clustering
• Latin American and the Caribbean Network Information Center

Chapter 31 Communications protocol

In telecommunications, a communication protocol is a system of rules that allow two or more entities of a communications system to transmit information via any kind of variation of a physical quantity. These are the rules or standards that define the syntax, semantics and synchronization of communication and possible error recovery methods.
Protocols may be implemented by hardware, software, or a combination of both.[1]

Communicating systems use well-defined formats (protocol) for exchanging various messages. Each message has an exact meaning intended to elicit a response from a range of possible responses pre-determined for that particular situation. The specified behavior is typically independent of how it is to be implemented. Communications protocols have to be agreed upon by the parties involved.[2] To reach agreement, a protocol may be developed into a technical standard. A programming language describes the same for computations, so there is a close analogy between protocols and programming languages: protocols are to communications what programming languages are to computations.[3]

Multiple protocols often describe different aspects of a single communication. A group of protocols designed to work together are known as a protocol suite; when implemented in software they are a protocol stack.

Most recent protocols are assigned by the IETF for Internet communications, and by the IEEE or the ISO organizations for other types. The ITU-T handles telecommunications protocols and formats for the PSTN. As the PSTN and Internet converge, the two sets of standards are also being driven towards convergence.

31.1 Communicating systems

The information exchanged between devices through a network, or other media, is governed by rules and conventions that can be set out in technical specifications called communications protocol standards. The nature of a communication, the actual data exchanged and any state-dependent behaviors, is defined by these specifications.

Operating systems usually contain a set of cooperating processes that manipulate shared data to communicate with each other. This communication is governed by well-understood protocols, which can be embedded in the process code itself.[4][5] In digital computing systems, the rules can be expressed by algorithms and data structures. Expressing the algorithms in a portable programming language makes the protocol software operating-system independent.

In contrast, because there is no common memory, communicating systems have to communicate with each other using a shared transmission medium. Transmission is not necessarily reliable, and individual systems may use different hardware or operating systems.

To implement a networking protocol, the protocol software modules are interfaced with a framework implemented on the machine's operating system. This framework implements the networking functionality of the operating system.[6] The best known frameworks are the TCP/IP model and the OSI model.

At the time the Internet was developed, layering had proven to be a successful design approach for both compiler and operating system design and, given the similarities between programming languages and communications protocols, layering was applied to the protocols as well.[7] This gave rise to the concept of layered protocols which nowadays forms the basis of protocol design.[8]

Systems typically do not use a single protocol to handle a transmission. Instead they use a set of cooperating protocols, sometimes called a protocol family or protocol suite.[9] Some of the best known protocol suites include IPX/SPX, X.25, AX.25, AppleTalk and TCP/IP.

The protocols can be arranged based on functionality in groups; for instance, there is a group of transport protocols. The functionalities are mapped onto the layers, each layer solving a distinct class of problems relating to, for instance, application-, transport-, internet- and network interface-functions.[10] To transmit a message, a protocol has to be selected from each layer, so some sort of multiplexing and demultiplexing takes place. The selection of the next protocol is accomplished by extending the message with a protocol selector for each layer.[11]

31.2 Basic requirements of protocols

Getting the data across a network is only part of the problem for a protocol. The data received has to be evaluated in the context of the progress of the conversation, so a protocol has to specify rules describing the context. These kinds of rules are said to express the syntax of the communications. Other rules determine whether the data is meaningful for the context in which the exchange takes place. These kinds of rules are said to express the semantics of the communications.

Messages are sent and received on communicating systems to establish communications. Protocols should therefore specify rules governing the transmission. In general, much of the following should be addressed:[12]

• Data formats for data exchange. Digital message bitstrings are exchanged. The bitstrings are divided into fields and each field carries information relevant to the protocol. Conceptually the bitstring is divided into two parts called the header area and the data area. The actual message is stored in the data area, so the header area contains the fields with more relevance to the protocol. Bitstrings longer than the maximum transmission unit (MTU) are divided into pieces of appropriate size.[13]

• Address formats for data exchange. Addresses are used to identify both the sender and the intended receiver(s). The addresses are stored in the header area of the bitstrings, allowing the receivers to determine whether the bitstrings are intended for themselves and should be processed or should be ignored. A connection between a sender and a receiver can be identified using an address pair (sender address, receiver address). Usually some address values have special meanings.
An all-1s address could be taken to mean an addressing of all stations on the network, so sending to this address would result in a broadcast on the local network. The rules describing the meanings of the address value are collectively called an addressing scheme.[14]

• Address mapping. Sometimes protocols need to map addresses of one scheme on addresses of another scheme. For instance, to translate a logical IP address specified by the application to an Ethernet hardware address. This is referred to as address mapping.[15]

• Routing. When systems are not directly connected, intermediary systems along the route to the intended receiver(s) need to forward messages on behalf of the sender. On the Internet, the networks are connected using routers. This way of connecting networks is called internetworking.

• Detection of transmission errors is necessary on networks which cannot guarantee error-free operation. In a common approach, CRCs of the data area are added to the end of packets, making it possible for the receiver to detect differences caused by errors. The receiver rejects the packets on CRC differences and arranges somehow for retransmission.[16]

• Acknowledgements of correct reception of packets are required for connection-oriented communication. Acknowledgements are sent from receivers back to their respective senders.[17]

• Loss of information: timeouts and retries. Packets may be lost on the network or suffer from long delays. To cope with this, under some protocols, a sender may expect an acknowledgement of correct reception from the receiver within a certain amount of time. On timeouts, the sender must assume the packet was not received and retransmit it. In case of a permanently broken link, the retransmission has no effect, so the number of retransmissions is limited.
Exceeding the retry limit is considered an error.[18]

• Direction of information flow needs to be addressed if transmissions can only occur in one direction at a time, as on half-duplex links. This is known as Media Access Control. Arrangements have to be made to accommodate the case when two parties want to gain control at the same time.[19]

• Sequence control. We have seen that long bitstrings are divided into pieces and then sent on the network individually. The pieces may get lost or delayed or take different routes to their destination on some types of networks. As a result, pieces may arrive out of sequence. Retransmissions can result in duplicate pieces. By marking the pieces with sequence information at the sender, the receiver can determine what was lost or duplicated, ask for necessary retransmissions and reassemble the original message.[20]

• Flow control is needed when the sender transmits faster than the receiver or intermediate network equipment can process the transmissions. Flow control can be implemented by messaging from receiver to sender.[21]

31.3 Protocols and programming languages

Protocols are to communications what algorithms or programming languages are to computations.[3][22] This analogy has important consequences for both the design and the development of protocols. One has to consider the fact that algorithms, programs and protocols are just different ways of describing expected behavior of interacting objects. A familiar example of a protocolling language is the HTML language used to describe web pages, which are the actual web protocols.

In programming languages the association of identifiers to a value is termed a definition. Program text is structured using block constructs and definitions can be local to a block. The localized association of an identifier to a value established by a definition is termed a binding and the region of program text in which a binding is effective is known as its scope.[23] The computational state is kept using two components: the environment, used as a record of identifier bindings, and the store, which is used as a record of the effects of assignments.[24]

In communications, message values are transferred using transmission media. By analogy, the equivalent of a store would be a collection of transmission media, instead of a collection of memory locations. A valid assignment in a protocol (as an analog of a programming language) could be Ethernet:='message', meaning a message is to be broadcast on the local Ethernet. On a transmission medium there can be many receivers. For instance, a MAC address identifies an Ethernet network card on the transmission medium (the 'ether'). In our imaginary protocol, the assignment ethernet[mac-address]:=message value could therefore make sense.[25]

By extending the assignment statement of an existing programming language with the semantics described, a protocolling language could easily be imagined.

Operating systems provide reliable communication and synchronization facilities for communicating objects confined to the same system by means of system libraries. A programmer using a general purpose programming language (like C or Ada) can use the routines in the libraries to implement a protocol, instead of using a dedicated protocolling language.

31.4 Universal protocols

Despite their numbers, networking protocols show little variety, because all networking protocols use the same underlying principles and concepts, in the same way. So, the use of a general purpose programming language would yield a large number of applications only differing in the details.[27] A suitably defined (dedicated) protocolling language would therefore have little syntax, perhaps just enough to specify some parameters or optional modes of operation, because its virtual machine would have incorporated all possible principles and concepts, making the virtual machine itself a universal protocol. The protocolling language would have some syntax and a lot of semantics describing this universal protocol and would therefore in effect be a protocol, hardly differing from this universal networking protocol. In this (networking) context a protocol is a language.

The notion of a universal networking protocol provides a rationale for standardization of networking protocols; assuming the existence of a universal networking protocol, development of protocol standards using a consensus model (the agreement of a group of experts) might be a viable way to coordinate protocol design efforts.

Networking protocols operate in very heterogeneous environments consisting of very different network technologies and a (possibly) very rich set of applications, so a single universal protocol would be very hard to design and implement correctly. Instead, the IETF decided to reduce complexity by assuming a relatively simple network architecture allowing decomposition of the single universal networking protocol into two generic protocols, TCP and IP, and two classes of specific protocols, one dealing with the low-level network details and one dealing with the high-level details of common network applications (remote login, file transfer, email and web browsing). ISO chose a similar but more general path, allowing other network architectures, to standardize protocols.

31.5 Protocol design

Systems engineering principles have been applied to create a set of common network protocol design principles.

Communicating systems operate in parallel. The programming tools and techniques for dealing with parallel processes are collectively called concurrent programming. Concurrent programming only deals with the synchronization of communication. The syntax and semantics of the communication governed by a low-level protocol usually have modest complexity, so they can be coded with relative ease. High-level protocols with relatively large complexity could however merit the implementation of language interpreters. An example of the latter case is the HTML language.

Concurrent programming has traditionally been a topic in operating systems theory texts.[28] Formal verification seems indispensable, because concurrent programs are notorious for the hidden and sophisticated bugs they contain.[29] A mathematical approach to the study of concurrency and communication is referred to as Communicating Sequential Processes (CSP).[30] Concurrency can also be modelled using finite state machines like Mealy and Moore machines. Mealy and Moore machines are in use as design tools in digital electronics systems, which we encounter in the form of hardware used in telecommunications or electronic devices in general.[31]

This kind of design can be a bit of a challenge to say the least, so it is important to keep things simple. For the Internet protocols, in particular and in retrospect, this meant a basis for protocol design was needed to allow decomposition of protocols into much simpler, cooperating protocols.

31.5.1 A basis for protocol design

Systems do not use a single protocol to handle a transmission. Instead they use a set of cooperating protocols, sometimes called a protocol family or protocol suite.[9] To cooperate, the protocols have to communicate with each other, so some kind of conceptual framework is needed to make this communication possible. Also note that software is needed to implement both the 'xfer-mechanism' and a protocol (no protocol, no communication).

In the literature there are numerous references to the analogies between computer communication and programming. By analogy we could say that the aforementioned 'xfer-mechanism' is comparable to a CPU: a 'xfer-mechanism' performs communications and a CPU performs computations, and the 'framework' introduces something that allows the protocols to be designed independent of one another by providing separate execution environments for them. Furthermore, it is repeatedly stated that protocols are to computer communication what programming languages are to computation.[32][33]

31.5.2 Layering

[Figure 2: the TCP/IP model. Application layer: HTTP, POP3; Transport layer: TCP, UDP; Internet layer: IP; Network interface layer: Ethernet protocol.] Figure 2. The TCP/IP model or Internet layering scheme and its relation to some common protocols.

In modern protocol design, protocols are “layered”. Layering is a design principle which divides the protocol design into a number of smaller parts, each of which accomplishes a particular sub-task, and interacts with the other parts of the protocol only in a small number of well-defined ways.

For example, one layer might describe how to encode text (with ASCII, say), while another describes how to inquire for messages (with the Internet's simple mail transfer protocol, for example), while another may detect and retry errors (with the Internet's transmission control protocol), another handles addressing (say with IP, the Internet Protocol), another handles the encapsulation of that data into a stream of bits (for example, with the point-to-point protocol), and another handles the electrical encoding of the bits (with a V.42 modem, for example).

Layering allows the parts of a protocol to be designed and tested without a combinatorial explosion of cases, keeping each design relatively simple. Layering also permits familiar protocols to be adapted to unusual circumstances. For example, the mail protocol above can be adapted to send messages to aircraft. Just change the V.42 modem protocol to the INMARS LAPD data protocol used by the international marine radio satellites.

The communications protocols in use on the Internet are designed to function in very diverse and complex settings. To ease design, communications protocols are structured using a layering scheme as a basis. Instead of using a single universal protocol to handle all transmission tasks, a set of cooperating protocols fitting the layering scheme is used.[34]

The layering scheme in use on the Internet is called the TCP/IP model. The actual protocols are collectively called the Internet protocol suite. The Internet Engineering Task Force (IETF) is responsible for this design.

Another reference model used for layering is the OSI seven layer model, which can be applied to any protocol, not just the OSI protocols. In particular, the Internet Protocol can be analysed using the OSI model.

Typically, a hardware delivery mechanism layer is used to build a connectionless packet delivery system, on top of which a reliable transport layer is built, on top of which is the application software. Layers below and above these can be defined, and protocols are very often stacked to give tunnelling; for example, the Internet Protocol can be tunnelled across an ATM network protocol to provide connectivity by layering the Internet Protocol on top of the ATM protocol transport layer.

The number of layers of a layering scheme and the way the layers are defined can have a drastic impact on the protocols involved. This is where the analogies come into play for the TCP/IP model, because the designers of TCP/IP employed the same techniques used to conquer the complexity of programming language compilers (design by analogy) in the implementation of its protocols and its layering scheme.[35]

Protocol layering

Protocol layering now forms the basis of protocol design.[8] It allows the decomposition of single, complex protocols into simpler, cooperating protocols, but it is also a functional decomposition, because each protocol belongs to a functional class, called a protocol layer.[34] The protocol layers each solve a distinct class of communication problems. The Internet protocol suite consists of the following layers: application-, transport-, internet- and network interface-functions.[10] Together, the layers make up a layering scheme or model.

In computations, we have algorithms and data, and in communications, we have protocols and messages, so the analog of a data flow diagram would be some kind of message flow diagram.[22] To visualize protocol layering and protocol suites, a diagram of the message flows in and between two systems, A and B, is shown in figure 3. The systems both make use of the same protocol suite.

[Figure 3: message flows within and between systems A and B.] Figure 3. Message flows using a protocol suite. Black loops show the actual messaging loops, red loops are the effective communications between layers enabled by the lower layers.

The vertical flows (and protocols) are within a system and the horizontal message flows (and protocols) are between systems. The message flows are governed by rules, and data formats specified by protocols. The blue lines therefore mark the boundaries of the (horizontal) protocol layers. The vertical protocols are not layered because they do not obey the protocol layering principle, which states that a layered protocol is designed so that layer n at the destination receives exactly the same object sent by layer n at the source. The horizontal protocols are layered protocols and all belong to the protocol suite. Layered protocols allow the protocol designer to concentrate on one layer at a time, without worrying about how other layers perform.[33]

The vertical protocols need not be the same protocols on both systems, but they have to satisfy some minimal assumptions to ensure the protocol layering principle holds for the layered protocols. This can be achieved using a technique called encapsulation.[36]

Usually, a message or a stream of data is divided into small pieces, called messages or streams, packets, IP datagrams or network frames depending on the layer in which the pieces are to be transmitted. The pieces contain a header area and a data area. The data in the header area identifies the source and the destination on the network of the packet, the protocol, and other data meaningful to the protocol like CRCs of the data to be sent, data length, and a timestamp.[37][38]

The rule enforced by the vertical protocols is that the pieces for transmission are to be encapsulated in the data area of all lower protocols on the sending side, and the reverse is to happen on the receiving side. The result is that at the lowest level the piece looks like this: 'Header1,Header2,Header3,data', in the layer directly above it: 'Header2,Header3,data', and in the top layer: 'Header3,data', both on the sending and receiving side. This rule therefore ensures that the protocol layering principle holds and effectively virtualizes all but the lowest transmission lines, so for this reason some message flows are coloured red in figure 3. To ensure both sides use the same protocol, the pieces also carry data identifying the protocol in their header.

The design of the protocol layering and the network (or Internet) architecture are interrelated, so one cannot be designed without the other.[39] Some of the more important features in this respect of the Internet architecture and the network services it provides are described next.

• The Internet offers universal interconnection, which means that any pair of computers connected to the Internet is allowed to communicate. Each computer is identified by an address on the Internet. All the interconnected physical networks appear to the user as a single large network.
This interconnection scheme is called an internetwork or internet.[40]

• Conceptually, an Internet address consists of a netid and a hostid. The netid identifies a network and the hostid identifies a host. The term host is misleading in that an individual computer can have multiple network interfaces, each having its own Internet address. An Internet address identifies a connection to the network, not an individual computer.[41] The netid is used by routers to decide where to send a packet.[42]

• Network technology independence is achieved using the low-level address resolution protocol (ARP), which is used to map Internet addresses to physical addresses. The mapping is called address resolution. This way, physical addresses are only used by the protocols of the network interface layer.[43] The TCP/IP protocols can make use of almost any underlying communication technology.[44]

• Physical networks are interconnected by routers. Routers forward packets between interconnected networks, making it possible for hosts to reach hosts on other physical networks. The message flows between two communicating systems A and B in the presence of a router R are illustrated in figure 4. Datagrams are passed from router to router until a router is reached that can deliver the datagram on a physically attached network (called direct delivery).[45] To decide whether a datagram is to be delivered directly or is to be sent to a router closer to the destination, a table called the IP routing table is consulted. The table consists of pairs of network ids and the paths to be taken to reach known networks. The path can be an indication that the datagram should be delivered directly, or it can be the address of a router known to be closer to the destination.[46] A special entry can specify that a default router is chosen when there are no known paths.[47]

[Figure 4: message flows between systems A and B through router R.] Figure 4. Message flows in the presence of a router.

• All networks are treated equal. A LAN, a WAN or a point-to-point link between two computers are all considered as one network.[48]

• A connectionless packet delivery (or packet-switched) system (or service) is offered by the Internet, because it adapts well to different hardware, including best-effort delivery mechanisms like Ethernet. Connectionless delivery means that the messages or streams are divided into pieces that are multiplexed separately on the high speed intermachine connections, allowing the connections to be used concurrently. Each piece carries information identifying the destination. The delivery of packets is said to be unreliable, because packets may be lost, duplicated, delayed or delivered out of order without notice to the sender or receiver. Unreliability arises only when resources are exhausted or underlying networks fail.[49] The unreliable connectionless delivery system is defined by the Internet Protocol (IP). The protocol also specifies the routing function, which chooses a path over which data will be sent.[50] It is also possible to use TCP/IP protocols on connection oriented systems. Connection oriented systems build up virtual circuits (paths for exclusive use) between senders and receivers. Once built up, the IP datagrams are sent as if they were data through the virtual circuits and forwarded (as data) to the IP protocol modules. This technique, called tunneling, can be used on X.25 networks and ATM networks.[51]

• A reliable stream transport service using the unreliable connectionless packet delivery service is defined by the transmission control protocol (TCP). The services are layered as well, and the application programs residing in the layer above it, called the application services, can make use of TCP.[52] Programs wishing to interact with the packet delivery system itself can do so using the user datagram protocol (UDP).[53]

Software layering

Having established the protocol layering and the protocols, the protocol designer can now resume with the software design. The software has a layered organization and its relationship with protocol layering is visualized in figure 5.

[Figure 5: protocol and software layering for systems A and B.] Figure 5. Protocol and software layering.

The software modules implementing the protocols are represented by cubes. The information flow between the modules is represented by arrows. The (top two horizontal) red arrows are virtual. The blue lines mark the layer boundaries.

To send a message on system A, the top module interacts with the module directly below it and hands over the message to be encapsulated. This module reacts by encapsulating the message in its own data area and filling in its header data in accordance with the protocol it implements, and interacts with the module below it by handing over this newly formed message whenever appropriate. The bottom module directly interacts with the bottom module of system B, so the message is sent across. On the receiving system B the reverse happens, so ultimately (and assuming there were no transmission errors or protocol violations etc.) the message gets delivered in its original form to the top module of system B.[54]

On protocol errors, a receiving module discards the piece it has received and reports back the error condition to the original source of the piece on the same layer by handing the error message down or, in the case of the bottom module, sending it across.[55]

The division of the message or stream of data into pieces and the subsequent reassembly are handled in the layer that introduced the division/reassembly. The reassembly is done at the destination (i.e. not on any intermediate routers).[56]

TCP/IP software is organized in four layers.[57]

• Application layer. At the highest layer, the services available across a TCP/IP internet are accessed by application programs. The application chooses the style of transport to be used, which can be a sequence of individual messages or a continuous stream of bytes. The application program passes data to the transport layer for delivery.

• Transport layer. The transport layer provides communication from one application to another. The transport layer may regulate flow of information and provide reliable transport, ensuring that data arrives without error and in sequence. To do so, the receiving side sends back acknowledgments and the sending side retransmits lost pieces called packets.

…imposing the same layering on the software framework. This can be seen in the TCP/IP layering by considering the translation of a Pascal program (message) that is compiled (function of the application layer) into an assembler program that is assembled (function of the transport layer) to object code (pieces) that is linked (function of the Internet layer) together with library object code (routing table) by the link editor, producing relocatable machine code (datagram) that is passed to the loader, which fills in the memory locations (Ethernet addresses) to produce executable code (network frame) to be loaded (function of the network interface layer) into physical memory (transmission medium). To show just how closely the analogy fits, the terms between parentheses in the previous sentence denote the relevant analogs, and the terms message, pieces, datagram and network frame denote data representations. Program translation forms a linear sequence, because each layer's output is passed as input to the next layer. Furthermore, the translation process involves multiple data representations.
The stream of data is divided into packets by the We see the same thing happening in protocol software module and each packet is passed along with a des- where multiple protocols define the data representations [35] tination address to the next layer for transmission. of the data passed between the software modules. The layer must accept data from many applications The network interface layer uses physical addresses and concurrently and therefore also includes codes in the all the other layers only use IP addresses. The boundpacket header to identify the sending and receiving ary between network interface layer and Internet layer is application program. called the high-level protocol address boundary.[58] The • Internet layer. The Internet layer handles the com- modules below the application layer are generally conmunication between machines. Packets to be sent sidered part of the operating system. Passing data beare accepted from the transport layer along with an tween these modules is much less expensive than passing identification of the receiving machine. The packets data between an application program and the transport transare encapsulated in IP datagrams and the datagram layer. The boundary between application layer and[59] port layer is called the operating system boundary. headers are filled. A routing algorithm is used to determine if the datagram should be delivered directly or sent to a router. The datagram is passed to the appropriate network interface for transmission. Incoming datagrams are checked for validity and the routing algorithm is used to decide whether the datagram should be processed locally or forwarded. If the datagram is addressed to the local machine, Strict layering the datagram header is deleted and the appropriate transport protocol for the packet is chosen. ICMP error and control messages are handled as well in Strictly adhering to a layered model, a practice known as strict layering, is not always the best approach to this layer. 
networking.[60] Strict layering, can have a serious impact • Network interface layer. The network interface layer on the performance of the implementation, so there is at is responsible for accepting IP datagrams and trans- least a trade-off between simplicity and performance.[61] mitting them over a specific network. A network in- Another, perhaps more important point can be shown by terface may consist of a device driver or a complex considering the fact that some of the protocols in the subsystem that uses its own data link protocol. Internet Protocol Suite cannot be expressed using the TCP/IP model, in other words some of the protocols beProgram translation has been divided into four subprob- have in ways not described by the model.[62] To improve lems: compiler, assembler, link editor, and loader. As a on the model, an offending protocol could, perhaps be result, the translation software is layered as well, allowing split up into two protocols, at the cost of one or two extra the software layers to be designed independently. Noting layers, but there is a hidden caveat, because the model is that the ways to conquer the complexity of program trans- also used to provide a conceptual view on the suite for lation could readily be applied to protocols because of the the intended users. There is a trade-off to be made here analogy between programming languages and protocols, between preciseness for the designer and clarity for the the designers of the TCP/IP protocol suite were keen on intended user.[63] 132 31.5.3 CHAPTER 31. COMMUNICATIONS PROTOCOL Formal specification Formal ways for describing the syntax of the communications are Abstract Syntax Notation One (an ISO standard) or Augmented Backus-Naur form (an IETF standard). Finite state machine models[64][65] and communicating finite-state machines[66] are used to formally describe the possible interactions of the protocol. 
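The IP routing table lookup and the Internet layer's "deliver locally or forward" decision described in the software layering section above, as an added example that is not part of the original text or of the cited books. The InternetLayer, Route, Decision and Datagram names are this example's own, and the 192.0.2.x, 198.51.100.x and 203.0.113.x addresses are constructed documentation-range values; it generalizes the classful netid to an arbitrary prefix length.

```python
"""Toy model of the TCP/IP Internet layer of one host (added example).

The routing table is a list of (netid, path) pairs: the path is either
"direct" (the destination network is physically attached) or the address
of a router believed to be closer to the destination. A separate default
router is used when no netid matches. Incoming datagrams are validated and
then either delivered locally or forwarded with the same lookup.
Assumption: IPv4 only; ICMP error reporting is left out.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Route:
    """One (netid, path) pair of the IP routing table."""
    netid: IPv4Network
    router: Optional[IPv4Address]  # None: deliver directly on the attached network


@dataclass(frozen=True)
class Decision:
    """Outcome of the routing algorithm for one destination address."""
    kind: str                # "local", "direct", "indirect", "default" or "unreachable"
    next_hop: Optional[str]  # address the network interface layer must reach


@dataclass(frozen=True)
class Datagram:
    """Minimal IP datagram: only the header fields this example needs."""
    src: str
    dst: str
    payload: bytes


class InternetLayer:
    def __init__(self, local_addrs, routes, default_router=None):
        self.local_addrs = {IPv4Address(a) for a in local_addrs}
        # Most specific netid first, so a narrow route is preferred over a broad one.
        self.routes = sorted(routes, key=lambda r: r.netid.prefixlen, reverse=True)
        self.default_router = IPv4Address(default_router) if default_router else None

    def lookup(self, dst):
        """The routing algorithm: direct delivery, a closer router, or the default."""
        dst = IPv4Address(dst)
        if dst in self.local_addrs:
            return Decision("local", None)
        for route in self.routes:
            if dst in route.netid:
                if route.router is None:
                    return Decision("direct", str(dst))  # deliver on attached network
                return Decision("indirect", str(route.router))
        if self.default_router is not None:
            return Decision("default", str(self.default_router))
        return Decision("unreachable", None)

    def send(self, src, dst, payload):
        """The transport layer hands over a packet: encapsulate it, then route it."""
        datagram = Datagram(src, dst, payload)
        return datagram, self.lookup(dst)

    def receive(self, datagram):
        """Incoming datagram: check validity, then deliver locally or forward."""
        try:
            IPv4Address(datagram.src)
            IPv4Address(datagram.dst)
        except ValueError:
            return "discard", None  # malformed header: drop the datagram
        decision = self.lookup(datagram.dst)
        if decision.kind == "local":
            return "deliver", datagram.payload  # header removed, payload goes up
        return "forward", decision


def sample_host(with_default=True):
    """A constructed host on 192.0.2.0/24 knowing one remote network via router R."""
    return InternetLayer(
        local_addrs=["192.0.2.10"],
        routes=[
            Route(IPv4Network("192.0.2.0/24"), None),                         # attached LAN
            Route(IPv4Network("198.51.100.0/24"), IPv4Address("192.0.2.1")),  # via router R
        ],
        default_router="192.0.2.254" if with_default else None,
    )


if __name__ == "__main__":
    host = sample_host()
    for dst in ("192.0.2.10", "192.0.2.77", "198.51.100.5", "203.0.113.9"):
        print(dst, host.lookup(dst))
```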
31.6 Protocol development For communication to take place, protocols have to be agreed upon. Recall that in digital computing systems, the rules can be expressed by algorithms and datastructures, raising the opportunity for hardware independence. Expressing the algorithms in a portable programming language, makes the protocol software operating system independent. The source code could be considered a protocol specification. This form of specification, however is not suitable for the parties involved. For one thing, this would enforce a source on all parties and for another, proprietary software producers would not accept this. By describing the software interfaces of the modules on paper and agreeing on the interfaces, implementers are free to do it their way. This is referred to as source independence. By specifying the algorithms on paper and detailing hardware dependencies in an unambiguous way, a paper draft is created, that when adhered to and published, ensures interoperability between software and hardware. Such a paper draft can be developed into a protocol standard by getting the approval of a standards organization. To get the approval the paper draft needs to enter and successfully complete the standardization process. This activity is referred to as protocol development. The members of the standards organization agree to adhere to the standard on a voluntary basis. Often the members are in control of large market-shares relevant to the protocol and in many cases, standards are enforced by law or the government, because they are thought to serve an important public interest, so getting approval can be very important for the protocol. tended to be used in a multinode network, but doing so revealed several deficiencies of the protocol. In the absence of standardization, manufacturers and organizations felt free to 'enhance' the protocol, creating incompatible versions on their networks. 
In some cases, this was deliberately done to discourage users from using equipment from other manufacturers. There are more than 50 variants of the original bi-sync protocol. One can assume, that a standard would have prevented at least some of this from happening.[6] In some cases, protocols gain market dominance without going through a standardization process. Such protocols are referred to as de facto standards. De facto standards are common in emerging markets, niche markets, or markets that are monopolized (or oligopolized). They can hold a market in a very negative grip, especially when used to scare away competition. From a historical perspective, standardization should be seen as a measure to counteract the ill-effects of de facto standards. Positive exceptions exist; a 'de facto standard' operating system like GNU/Linux does not have this negative grip on its market, because the sources are published and maintained in an open way, thus inviting competition. Standardization is therefore not the only solution for open systems interconnection. 31.6.2 Standards organizations Some of the standards organizations of relevance for communications protocols are the International Organization for Standardization (ISO), the International Telecommunication Union (ITU), the Institute of Electrical and Electronics Engineers (IEEE), and the Internet Engineering Task Force (IETF). The IETF maintains the protocols in use on the Internet. The IEEE controls many software and hardware protocols in the electronics industry for commercial and consumer devices. The ITU is an umbrella organization of telecommunication engineers designing the public switched telephone network (PSTN), as well as many radio communications systems. For marine electronics the NMEA standards are used. The World Wide Web Consortium (W3C) produces protocols and standards for Web technologies. 
It should be noted though that in some cases protocol standards are not sufficient to gain widespread acceptance i.e. sometimes the source code needs to be disclosed and enforced by law or the government in the interest of the public. International standards organizations are supposed to be more impartial than local organizations with a national or commercial self-interest to consider. Standards organizations also do research and development for standards of the future. In practice, the standards organizations mentioned, cooperate closely with each other.[67] 31.6.1 31.6.3 The standardization process The need for protocol standards The need for protocol standards can be shown by looking at what happened to the bi-sync protocol (BSC) invented by IBM. BSC is an early link-level protocol used to connect two separate nodes. It was originally not in- The standardization process starts off with ISO commissioning a sub-committee workgroup. The workgroup issues working drafts and discussion documents to interested parties (including other standards bodies) in order 31.6. PROTOCOL DEVELOPMENT to provoke discussion and comments. This will generate a lot of questions, much discussion and usually some disagreement on what the standard should provide and if it can satisfy all needs (usually not). All conflicting views should be taken into account, often by way of compromise, to progress to a draft proposal of the working group. The draft proposal is discussed by the member countries’ standard bodies and other organizations within each country. Comments and suggestions are collated and national views will be formulated, before the members of ISO vote on the proposal. If rejected, the draft proposal has to consider the objections and counter-proposals to create a new draft proposal for another vote. After a lot of feedback, modification, and compromise the proposal reaches the status of a draft international standard, and ultimately an international standard. 
The process normally takes several years to complete. The original paper draft created by the designer will differ substantially from the standard, and will contain some of the following 'features’: 133 In the OSI model, communicating systems are assumed to be connected by an underlying physical medium providing a basic (and unspecified) transmission mechanism. The layers above it are numbered (from one to seven); the nth layer is referred to as (n)-layer. Each layer provides service to the layer above it (or at the top to the application process) using the services of the layer immediately below it. The layers communicate with each other by means of an interface, called a service access point. Corresponding layers at each system are called peer entities. To communicate, two peer entities at a given layer use an (n)-protocol, which is implemented by using services of the (n-1)-layer. When systems are not directly connected, intermediate peer entities (called relays) are used. An address uniquely identifies a service access point. The address naming domains need not be restricted to one layer, so it is possible to use just one naming domain for all layers.[71] For each layer there are two types of standards: protocol standards defining how peer entities at a given layer communicate, and service standards defining how a given layer communicates with the layer above it. In the original version of RM/OSI, the layers and their • Various optional modes of operation, for example functionality are (from highest to lowest layer): to allow for setup of different packet sizes at startup time, because the parties could not reach consensus • The application layer may provide the following on the optimum packet size. 
services to the application processes: identification • Parameters that are left undefined or allowed to take of the intended communication partners, establishon values of a defined set at the discretion of the ment of the necessary authority to communicate, implementor. This often reflects conflicting views determination of availability and authentication of of some of the members. the partners, agreement on privacy mechanisms for the communication, agreement on responsibility for • Parameters reserved for future use, reflecting that error recovery and procedures for ensuring data inthe members agreed the facility should be provided, tegrity, synchronization between cooperating applibut could not reach agreement on how this should be cation processes, identification of any constraints on done in the available time. syntax (e.g. character sets and data structures), de• Various inconsistencies and ambiguities will intermination of cost and acceptable quality of serevitably be found when implementing the standard. vice, selection of the dialogue discipline, including required logon and logoff procedures.[72] International standards are reissued periodically to han• The presentation layer may provide the following dle the deficiencies and reflect changing views on the services to the application layer: a request for the subject.[68] establishment of a session, data transfer, negotiation of the syntax to be used between the application lay31.6.4 Future of standardization (OSI) ers, any necessary syntax transformations, formatting and special purpose transformations (e.g. data A lesson learned from ARPANET (the predecessor of compression and data encryption).[73] the Internet) is that standardization of protocols is not • The session layer may provide the following serenough, because protocols also need a framework to opvices to the presentation layer: establishment and reerate. 
It is therefore important to develop a generallease of session connections, normal and expedited purpose, future-proof framework suitable for structured data exchange, a quarantine service which allows the protocols (such as layered protocols) and their standardsending presentation entity to instruct the receiving ization. This would prevent protocol standards with oversession entity not to release data to its presentation lapping functionality and would allow clear definition of entity without permission, interaction management the responsibilities of a protocol at the different levels so presentation entities can control whose turn it is to (layers).[69] This gave rise to the OSI Open Systems Interconnection reference model (RM/OSI), which is used as a perform certain control functions, resynchronization framework for the design of standard protocols and serof a session connection, reporting of unrecoverable vices conforming to the various layer specifications.[70] exceptions to the presentation entity.[74] 134 CHAPTER 31. COMMUNICATIONS PROTOCOL • The transport layer provides reliable and transparent data transfer in a cost-effective way as required by the selected quality of service. It may support the multiplexing of several transport connections on to one network connection or split one transport connection into several network connections.[75] protocols are used on connection-oriented networks and connectionless networks respectively. For an example of function consider a tunneling protocol, which is used to encapsulate packets in a high-level protocol, so the packets can be passed across a transport system using the highlevel protocol. • The network layer does the setup, maintenance and release of network paths between transport peer entities. When relays are needed, routing and relay functions are provided by this layer. The quality of service is negotiated between network and transport entities at the time the connection is set up. 
This layer is also responsible for network congestion control.[76] A layering scheme combines both function and domain of use. The dominant layering schemes are the ones proposed by the IETF and by ISO. Despite the fact that the underlying assumptions of the layering schemes are different enough to warrant distinguishing the two, it is a common practice to compare the two by relating common protocols to the layers of the two schemes.[81] For an example of this practice see: List of network protocols. • The data link layer does the setup, maintenance and release of data link connections. Errors occurring in the physical layer are detected and may be corrected. Errors are reported to the network layer. The exchange of data link units (including flow control) is defined by this layer.[77] • The physical layer describes details like the electrical characteristics of the physical connection, the transmission techniques used, and the setup, maintenance and clearing of physical connections.[78] The layering scheme from the IETF is called Internet layering or TCP/IP layering. The functionality of the layers has been described in the section on software layering and an overview of protocols using this scheme is given in the article on Internet protocols. The layering scheme from ISO is called the OSI model or ISO layering. The functionality of the layers has been described in the section on the future of standardization and an overview of protocols using this scheme is given in the article on OSI protocols. In contrast to the TCP/IP layering scheme, which assumes a connectionless network, RM/OSI assumed a 31.8 Examples of protocols connection-oriented network. Connection-oriented networks are more suitable for wide area networks and conMain article: Lists of network protocols nectionless networks are more suitable for local area networks. 
Using connections to communicate implies some form of session and (virtual) circuits, hence the Protocol stacks or families include multiple interacting (in the TCP/IP model lacking) session layer. The con- protocols: stituent members of ISO were mostly concerned with wide area networks, so development of RM/OSI concen• PARC Universal Packet trated on connection oriented networks and connection• Internet protocol suite less networks were only mentioned in an addendum to RM/OSI.[79] At the time, the IETF had to cope with this • AppleTalk and the fact that the Internet needed protocols which simply were not there. As a result, the IETF developed its • DECnet own standardization process based on “rough consensus • IPX/SPX and running code”.[80] The standardization process is described by RFC2026. • Open Systems Interconnection (OSI) Nowadays, the IETF has become a standards organiza• Systems Network Architecture (SNA) tion for the protocols in use on the Internet. RM/OSI has extended its model to include connectionless services and The Internet Protocol is used in concert with other probecause of this, both TCP and IP could be developed into tocols within the Internet protocol suite, notable compointernational standards. nents of which include: 31.7 Taxonomies Classification schemes for protocols usually focus on domain of use and function. As an example of domain of use, connection-oriented protocols and connectionless • Transmission Control Protocol (TCP) • User Datagram Protocol (UDP) • Internet Control Message Protocol (ICMP) • Hypertext Transfer Protocol (HTTP) 31.10. NOTES • Post Office Protocol (POP) • File Transfer Protocol (FTP) • Internet Message Access Protocol (IMAP) Other instances of high level interaction protocols are: • General Inter-ORB Protocol (GIOP) • Java remote method invocation (RMI) • Distributed Component Object Model (DCOM) • Dynamic Data Exchange (DDE) • SOAP 31.9 See also • Application programming interface 31.10 Notes [1] Licesio J. 
Rodríguez-Aragón: Tema 4: Internet y Teleinformática. retrieved 2013-04-24. (Spanish) [2] Protocol, Encyclopedia Britannica, retrieved 2012-09-24 135 [13] Comer 2000, Sect. 7.7.4 - Datagram Size, Network MTU, and Fragmentation, p. 104, Explains fragmentation and the effect on the header of the fragments. [14] Comer 2000, Chapter 4 - Classful Internet Addresses, p. 64-67;71. [15] Marsden 1986, Section 14.3 - Layering concepts and general definitions, p. 187, explains address mapping. [16] Marsden 1986, Section 3.2 - Detection and transmission errors, p. 27, explains the advantages of backward error correction. [17] Marsden 1986, Section 3.3 - Acknowledgement, p. 2833, explains the advantages of positive only acknowledgement and mentions datagram protocols as exceptions. [18] Marsden 1986, Section 3.4 - Loss of information - timeouts and retries, p. 33-34. [19] Marsden 1986, Section 3.5 - Direction of information flow, p. 34-35, explains master/slave and the negotiations to gain control. [20] Marsden 1986, Section 3.6 - Sequence control, p. 35-36, explains how packets get lost and how sequencing solves this. [21] Marsden 1986, Section 3.7 - Flow control, p. 36-38. [22] Comer 2000, Sect. 1.3 - Internet Services, p. 3, “Protocols are to communication what algorithms are to computation” [3] Comer 2000, Sect. 11.2 - The Need For Multiple Protocols, p. 177, “They (protocols) are to communication what programming languages are to computation” [23] Tennent 1981, Section 2.3.1 - Definitions, p.15, defines scope and binding. [4] Ben-Ari 1982, chapter 2 - The concurrent programming abstraction, p. 18-19, states the same. [24] Tennent 1981, Section 2.3.2 Environments and stores, p.16, the semantics of blocks and definitions are described using environments and stores. [5] Ben-Ari 1982, Section 2.7 - Summary, p. 27, summarizes the concurrent programming abstraction. [6] Marsden 1986, Section 6.1 - Why are standards necessary?, p. 
64-65, uses BSC as an example to show the need for both standard protocols and a standard framework. [7] Comer 2000, Sect. 11.2 - The Need For Multiple Protocols, p. 177, explains this by drawing analogies between computer communication and programming languages. [8] Sect. 11.10 - The Disadvantage Of Layering, p. 192, states: layering forms the basis for protocol design. [9] Comer 2000, Sect. 11.2 - The Need For Multiple Protocols, p. 177, states the same. [25] Hoare (1985), Ch. 4 - Communication, p. 133, In the introduction: a communication is an event described by a pair c.v where c is the name of the communication channel and v is the value of the message. [26] Tanenbaum, Andrew S. (2003). Computer networks. Prentice Hall Professional. p. 235. ISBN 978-0-13066102-9. Retrieved 22 June 2011. [27] Comer 2000, Foreword To The First Edition By The Late Jon Postel, xxv, “The principles of architecture, layering, multiplexing, encapsulation, addressing and address mapping, routing, and naming are quite similar in any protocol suite, though of course, different in detail.”. [28] Ben-Ari 1982, in his preface, p. xiii. [10] Comer 2000, Sect. 11.3 - The Conceptual Layers Of Protocol Software, p. 178, “Each layer takes responsibility for handling one part of the problem.” [11] Comer 2000, Sect. 11.11 - The Basic Idea Behind Multiplexing And Demultiplexing, p. 192, states the same. [12] Marsden 1986, Chapter 3 - Fundamental protocol concepts and problem areas, p. 26-42, explains much of the following. [29] Ben-Ari 1982, in his preface, p. xiv. [30] Hoare 1985, Chapter 4 - Communication, p. 133, deals with communication. [31] S. Srinivasan, NPTEL courses:::: Electronics & Communication Engineering :: Digital Circuits and Systems, available online: http://nptel.iitm.ac.in/video.php? courseId=1005&p=3 136 [32] Comer 2000, Sect. 11.2 - The Need For Multiple Protocols, p. 177, states more or less the same, using other analogies. [33] Comer 2000, Sect. 
11.7 - The Protocol Layering Principle, p. 187, explains layered protocols. CHAPTER 31. COMMUNICATIONS PROTOCOL [53] Comer 2000, Sect. 12.10 - Summary, p. 206, explains UDP. [54] Comer 2000, Sect. 11.3 - The Conceptual Layers Of Protocol Software, p. 179, the first two paragraphs describe the sending of a message through successive layers. [34] Comer 2000, Sect. 11.2 - The Need For Multiple Protocols, p. 177, introduces the decomposition in layers. [55] Comer 2000, Sect. 9.3 - Error Reporting vs. Error Correction, p. 131, describes the ICMP protocol that is used to handle datagram errors. [35] Comer 2000, Sect. 11.2 - The need for multiple protocols, p. 178, explains similarities protocol software and compiler, assembler, linker, loader. [56] Comer 2000, Sect. 7.7.5 - Reassembly Of Fragments, p. 104, describes reassembly of datagrams. [36] Comer 2000, Glossary of Internetworking terms, p.686: term encapsulation. [57] Comer 2000, Sect. 11.5.1 - The TCP/IP 5-Layer Reference Model, p. 184, explains functionality of the layers. [37] Comer 2000, Sect. 11.5.1 - The TCP/IP 5-Layer Reference Model, p. 184, Describes the transformations of messages or streams that can be observed in the protocol layers. [58] Comer 2000, Sect. 11.9.1 - High-Level Protocol Boundary, p. 191, describes the boundary. [38] Comer 2000, Sect. 2.4.10 - Ethernet Frame Format, p. 30, Ethernet frames are used as an example for administrative data for the protocol itself. [39] Comer 2000, Sect. 11.4 - Functionality Of The Layers, p. 181, states the same about the software organization. [40] Comer 2000, Sect. 3.3 - Network-Level Interconnection, p. 55, explains universal interconnection and internetworking. [41] Comer 2000, Sect. 4.4 - Addresses Specify Network Connections, p. 86, explains this. [42] Comer 2000, Sect. 4.3 - The Original Classful Addressing Scheme, p. 64, explains the address scheme, netid and routing. [43] Comer 2000, Sect. 5.13 - Summary, p. 86, explains ARP. [44] Comer 2000, Sect. 
2.11 - Other Technologies Over Which TCP/IP Has Been Used, p. 46, states the same. [59] Comer 2000, Sect. 11.9.1 - Operating System Boundary, p. 192, describes the operating system boundary. [60] IETF 1989, Sect 1.3.1 - Organization, p. 15, 2nd paragraph: many design choices involve creative “breaking” of strict layering. [61] Comer 2000, Sect. 11.10 - The Disadvantage Of Layering, p. 192, explains why “strict layering can be extremely inefficient” giving examples of optimizations. [62] IETF 1989, Sect 1.3.1 - Organization, p. 15, 2nd paragraph, explaining why “strict layering is an imperfect model” [63] IETF 1989, Sect 1.3.1 - Organization, p. 15, states: This layerist organization was chosen for simplicity and clarity. [64] Bochmann, G. (1978). “Finite state description of communication protocols”. Computer Networks (1976). 2 (4– 5): 361–201. doi:10.1016/0376-5075(78)90015-6. [65] Comer 2000, Glossary of Internetworking Terms and Abbreviations, p. 704, term protocol. [45] Comer 2000, Sect. 8.3.2 - Indirect Delivery, p. 118, states the same. [66] Brand, Daniel; Zafiropulo, Pitro (1983). “On Communicating Finite-State Machines”. Journal of the ACM. 30 (2): 323. doi:10.1145/322374.322380. [46] Comer 2000, Sect. 8.5 - Next-Hop Routing, p. 120, gives details on the routing table. [67] Marsden 1986, Section 6.3 - Advantages of standardisation, p. 66-67, states the same. [47] Comer 2000, Sect. 8.6 - Default Routes, p. 121, explains default routing and its use. [68] Marsden 1986, Section 6.4 - Some problems with standardisation, p. 67, follows HDLC to illustrate the process. [48] Comer 2000, Sect. 3.8 - All Networks Are Equal, p. 59, states the same. [69] Marsden 1986, Section 6.1 - Why are standards necessary?, p. 65, explains lessons learned from ARPANET. [49] Comer 2000, Sect. 7.5 - Connectionless Delivery System, p. 97, explains the delivery system. [70] Marsden 1986, Section 14.1 - Introduction, p. 181, introduces OSI. [50] Comer 2000, Sect. 
7.6 - Purposes Of The Internet Protocol, p. 97, states the same. [71] Marsden 1986, Section 14.3 - Layering concepts and general definitions, p. 183-185, explains terminology. [51] Comer 2000, Sect. 2.11.1 - X25NET And Tunnels, p. 46-47, explains tunneling X.25 and mentions ATM. [72] Marsden 1986, Section 14.4 - The application layer, p. 188, explains this. [52] Comer 2000, Sect. 13.1 - Introduction, p. 209, introduces TCP. [73] Marsden 1986, Section 14.5 - The presentation layer, p. 189, explains this. 31.12. FURTHER READING [74] Marsden 1986, Section 14.6 - The session layer, p. 190, explains this. [75] Marsden 1986, Section 14.7 - The transport layer, p. 191, explains this. [76] Marsden 1986, Section 14.8 - The network layer, p. 192, explains this. [77] Marsden 1986, Section 14.9 - The data link layer, p. 194, explains this. 137 • R.D. Tennent (1981): Principles of programming languages 10th Print. Prentice Hall International, ISBN 0-13-709873-1. • Brian W Marsden (1986): Communication network protocols 2nd Edition. Chartwell Bratt, ISBN 086238-106-1. • Andrew S. Tanenbaum (1984): Structured computer organization 10th Print. Prentice Hall International, ISBN 0-13-854605-3. [78] Marsden 1986, Section 14.10 - The physical layer, p. 195, explains this. [79] Marsden 1986, Section 14.11 - Connectionless mode and RM/OSI, p. 195, mentions this. [80] Comer 2000, Section 1.9 - Internet Protocols And Standardization, p. 12, explains why the IETF did not use existing protocols. [81] Comer 2000, Sect. 11.5.1 - The TCP/IP 5-Layer Reference Model, p. 183, states the same. 31.11 References • Radia Perlman: Interconnections: Bridges, Routers, Switches, and Internetworking Protocols. 2nd Edition. Addison-Wesley 1999, ISBN 0-201-634481. In particular Ch. 18 on “network design folklore”, which is also available online at http://www. informit.com/articles/article.aspx?p=20482 • Gerard J. Holzmann: Design and Validation of Computer Protocols. Prentice Hall, 1991, ISBN 0-13539925-4. 
Chapter 32

Cloud computing

[Figure: Cloud computing metaphor: For a user, the network elements representing the provider-rendered services are invisible, as if obscured by a cloud.]

Cloud computing is a type of Internet-based computing that provides shared computer processing resources and data to computers and other devices on demand. It is a model for enabling ubiquitous, on-demand access to a shared pool of configurable computing resources (e.g., computer networks, servers, storage, applications and services),[1][2] which can be rapidly provisioned and released with minimal management effort. Cloud computing and storage solutions provide users and enterprises with various capabilities to store and process their data in third-party data centers[3] that may be located far from the user, ranging in distance from across a city to across the world. Cloud computing relies on sharing of resources to achieve coherence and economy of scale, similar to a utility (like the electricity grid) over an electricity network.

Advocates claim that cloud computing allows companies to avoid up-front infrastructure costs (e.g., purchasing servers). As well, it enables organizations to focus on their core businesses instead of spending time and money on computer infrastructure.[4] Proponents also claim that cloud computing allows enterprises to get their applications up and running faster, with improved manageability and less maintenance, and enables Information technology (IT) teams to more rapidly adjust resources to meet fluctuating and unpredictable business demand.[4][5][6] Cloud providers typically use a “pay as you go” model. This will lead to unexpectedly high charges if administrators do not adapt to the cloud pricing model.[7]

In 2009, the availability of high-capacity networks, low-cost computers and storage devices as well as the widespread adoption of hardware virtualization, service-oriented architecture, and autonomic and utility computing led to a growth in cloud computing.[8][9][10] Companies can scale up as computing needs increase and then scale down again as demands decrease.[11] In 2013, it was reported that cloud computing had become a highly demanded service or utility due to the advantages of high computing power, cheap cost of services, high performance, scalability, accessibility as well as availability. Some cloud vendors are experiencing growth rates of 50% per year,[12] but being still in a stage of infancy, it has pitfalls that need to be addressed to make cloud computing services more reliable and user friendly.[13][14]

32.1 History

32.1.1 Origin of the term

The origin of the term cloud computing is unclear. The word “cloud” is commonly used in science to describe a large agglomeration of objects that visually appear from a distance as a cloud and describes any set of things whose details are not further inspected in a given context.[15] Another explanation is that the old programs that drew network schematics surrounded the icons for servers with a circle, and a cluster of servers in a network diagram had several overlapping circles, which resembled a cloud.[16]

In analogy to the above usage, the word cloud was used as a metaphor for the Internet and a standardized cloud-like shape was used to denote a network on telephony schematics. Later it was used to depict the Internet in computer network diagrams.
With this simplification, the implication is that the specifics of how the end points of a network are connected are not relevant for the purposes of understanding the diagram. The cloud symbol was used to represent networks of computing equipment in the original ARPANET by as early as 1977,[17] and the CSNET by 1981[18] —both predecessors to the Internet itself.

The term cloud has been used to refer to platforms for distributed computing. In Wired’s April 1994 feature “Bill and Andy’s Excellent Adventure II” on the Apple spin-off General Magic, Andy Hertzfeld commented on General Magic’s distributed programming language Telescript that:

“The beauty of Telescript ... is that now, instead of just having a device to program, we now have the entire Cloud out there, where a single program can go and travel to many different sources of information and create sort of a virtual service. No one had conceived that before. The example Jim White [the designer of Telescript, X.400 and ASN.1] uses now is a date-arranging service where a software agent goes to the flower store and orders flowers and then goes to the ticket shop and gets the tickets for the show, and everything is communicated to both parties.”
— [19]

References to “cloud computing” in its modern sense appeared as early as 1996, with the earliest known mention in a Compaq internal document.[20] The popularization of the term can be traced to 2006 when Amazon.com introduced its Elastic Compute Cloud.[21]

32.1.2 1970s

During the 1960s, the initial concepts of time-sharing became popularized via RJE (Remote Job Entry);[22] this terminology was mostly associated with large vendors such as IBM and DEC. Full time-sharing solutions were available by the early 1970s on such platforms as Multics (on GE hardware), Cambridge CTSS, and the earliest UNIX ports (on DEC hardware). Yet, the “data center” model where users submitted jobs to operators to run on IBM mainframes was overwhelmingly predominant.

32.1.3 1990s

In the 1990s, telecommunications companies, who previously offered primarily dedicated point-to-point data circuits, began offering virtual private network (VPN) services with comparable quality of service, but at a lower cost. By switching traffic as they saw fit to balance server use, they could use overall network bandwidth more effectively. They began to use the cloud symbol to denote the demarcation point between what the provider was responsible for and what users were responsible for. Cloud computing extended this boundary to cover all servers as well as the network infrastructure.[23] As computers became more diffused, scientists and technologists explored ways to make large-scale computing power available to more users through time-sharing. They experimented with algorithms to optimize the infrastructure, platform, and applications to prioritize CPUs and increase efficiency for end users.[24]

32.1.4 2000s

Since 2000, cloud computing has come into existence.
In early 2008, NASA's OpenNebula, enhanced in the RESERVOIR European Commission-funded project, became the first open-source software for deploying private and hybrid clouds, and for the federation of clouds.[25] In the same year, efforts were focused on providing quality of service guarantees (as required by real-time interactive applications) to cloud-based infrastructures, in the framework of the IRMOS European Commission-funded project, resulting in a real-time cloud environment.[26][27] By mid-2008, Gartner saw an opportunity for cloud computing “to shape the relationship among consumers of IT services, those who use IT services and those who sell them”[28] and observed that “organizations are switching from company-owned hardware and software assets to per-use service-based models” so that the “projected shift to computing ... will result in dramatic growth in IT products in some areas and significant reductions in other areas.”[29]

In August 2006 Amazon introduced its Elastic Compute Cloud.[21]

Microsoft Azure was announced as “Azure” in October 2008 and was released on 1 February 2010 as Windows Azure, before being renamed to Microsoft Azure on 25 March 2014.[30] For a time, Azure was on the TOP500 supercomputer list, before it dropped off it.[31]

In July 2010, Rackspace Hosting and NASA jointly launched an open-source cloud-software initiative known as OpenStack. The OpenStack project intended to help organizations offering cloud-computing services running on standard hardware. The early code came from NASA’s Nebula platform as well as from Rackspace’s Cloud Files platform.

On March 1, 2011, IBM announced the IBM SmartCloud framework to support Smarter Planet.[32] Among the various components of the Smarter Computing foundation, cloud computing is a critical part.
On June 7, 2012, Oracle announced the Oracle Cloud.[33] While aspects of the Oracle Cloud are still in development, this cloud offering is poised to be the first to provide users with access to an integrated set of IT solutions, including the Applications (SaaS), Platform (PaaS), and Infrastructure (IaaS) layers.[34][35][36]

32.2 Similar concepts

Cloud computing is the result of the evolution and adoption of existing technologies and paradigms. The goal of cloud computing is to allow users to take benefit from all of these technologies, without the need for deep knowledge about or expertise with each one of them. The cloud aims to cut costs, and helps the users focus on their core business instead of being impeded by IT obstacles.[37]

The main enabling technology for cloud computing is virtualization. Virtualization software separates a physical computing device into one or more “virtual” devices, each of which can be easily used and managed to perform computing tasks. With operating system–level virtualization essentially creating a scalable system of multiple independent computing devices, idle computing resources can be allocated and used more efficiently. Virtualization provides the agility required to speed up IT operations, and reduces cost by increasing infrastructure utilization. Autonomic computing automates the process through which the user can provision resources on-demand. By minimizing user involvement, automation speeds up the process, reduces labor costs and reduces the possibility of human errors.[37]

Users routinely face difficult business problems. Cloud computing adopts concepts from Service-oriented Architecture (SOA) that can help the user break these problems into services that can be integrated to provide a solution.
Cloud computing provides all of its resources as services, and makes use of the well-established standards and best practices gained in the domain of SOA to allow global and easy access to cloud services in a standardized way.

Cloud computing also leverages concepts from utility computing to provide metrics for the services used. Such metrics are at the core of the public cloud pay-per-use models. In addition, measured services are an essential part of the feedback loop in autonomic computing, allowing services to scale on-demand and to perform automatic failure recovery.

Cloud computing is a kind of grid computing; it has evolved by addressing the QoS (quality of service) and reliability problems. Cloud computing provides the tools and technologies to build data/compute intensive parallel applications with much more affordable prices compared to traditional parallel computing techniques.[37]

Cloud computing shares characteristics with:

• Client–server model—Client–server computing refers broadly to any distributed application that distinguishes between service providers (servers) and service requestors (clients).[38]
• Computer bureau—A service bureau providing computer services, particularly from the 1960s to 1980s.
• Grid computing—"A form of distributed and parallel computing, whereby a 'super and virtual computer' is composed of a cluster of networked, loosely coupled computers acting in concert to perform very large tasks.”
• Fog computing—Distributed computing paradigm that provides data, compute, storage and application services closer to client or near-user edge devices, such as network routers. Furthermore, fog computing handles data at the network level, on smart devices and on the end-user client side (e.g. mobile devices), instead of sending data to a remote location for processing.
• Dew computing—In the existing computing hierarchy, the Dew computing is positioned as the ground level for the cloud and fog computing paradigms. Compared to fog computing, which supports emerging IoT applications that demand real-time and predictable latency and the dynamic network reconfigurability, Dew computing pushes the frontiers to computing applications, data, and low level services away from centralized virtual nodes to the end users.[39]
• Mainframe computer—Powerful computers used mainly by large organizations for critical applications, typically bulk data processing such as: census; industry and consumer statistics; police and secret intelligence services; enterprise resource planning; and financial transaction processing.
• Utility computing—The “packaging of computing resources, such as computation and storage, as a metered service similar to a traditional public utility, such as electricity.”[40][41]
• Peer-to-peer—A distributed architecture without the need for central coordination. Participants are both suppliers and consumers of resources (in contrast to the traditional client–server model).
• Green computing
• Cloud sandbox—A live, isolated computer environment in which a program, code or file can run without affecting the application in which it runs.

32.3 Characteristics

Cloud computing exhibits the following key characteristics:

• Agility for organizations may be improved, as cloud computing may increase users’ flexibility with re-provisioning, adding, or expanding technological infrastructure resources.
• Cost reductions are claimed by cloud providers. A public-cloud delivery model converts capital expenditures (e.g., buying servers) to operational expenditure.[42] This purportedly lowers barriers to entry, as infrastructure is typically provided by a third party and need not be purchased for one-time or infrequent intensive computing tasks. Pricing on a utility computing basis is “fine-grained”, with usage-based billing options. As well, less in-house IT skills are required for implementation of projects that use cloud computing.[43] The e-FISCAL project’s state-of-the-art repository[44] contains several articles looking into cost aspects in more detail, most of them concluding that costs savings depend on the type of activities supported and the type of infrastructure available in-house.
• Device and location independence[45] enable users to access systems using a web browser regardless of their location or what device they use (e.g., PC, mobile phone). As infrastructure is off-site (typically provided by a third-party) and accessed via the Internet, users can connect to it from anywhere.[43]
• Maintenance of cloud computing applications is easier, because they do not need to be installed on each user’s computer and can be accessed from different places (e.g., different work locations, while travelling, etc.).
• Multitenancy enables sharing of resources and costs across a large pool of users thus allowing for:
  • centralization of infrastructure in locations with lower costs (such as real estate, electricity, etc.)
  • peak-load capacity increases (users need not engineer and pay for the resources and equipment to meet their highest possible load-levels)
  • utilisation and efficiency improvements for systems that are often only 10–20% utilised.[46][47]
• Performance is monitored by IT experts from the service provider, and consistent and loosely coupled architectures are constructed using web services as the system interface.[43][48][49]
• Productivity may be increased when multiple users can work on the same data simultaneously, rather than waiting for it to be saved and emailed. Time may be saved as information does not need to be re-entered when fields are matched, nor do users need to install application software upgrades to their computer.[50]
• Reliability improves with the use of multiple redundant sites, which makes well-designed cloud computing suitable for business continuity and disaster recovery.[51]
• Scalability and elasticity via dynamic (“on-demand”) provisioning of resources on a fine-grained, self-service basis in near real-time[52][53] (Note, the VM startup time varies by VM type, location, OS and cloud providers[52]), without users having to engineer for peak loads.[54][55][56] This gives the ability to scale up when the usage need increases or down if resources are not being used.[57]
• Security can improve due to centralization of data, increased security-focused resources, etc., but concerns can persist about loss of control over certain sensitive data, and the lack of security for stored kernels. Security is often as good as or better than other traditional systems, in part because service providers are able to devote resources to solving security issues that many customers cannot afford to tackle or which they lack the technical skills to address.[58] However, the complexity of security is greatly increased when data is distributed over a wider area or over a greater number of devices, as well as in multi-tenant systems shared by unrelated users. In addition, user access to security audit logs may be difficult or impossible. Private cloud installations are in part motivated by users’ desire to retain control over the infrastructure and avoid losing control of information security.

The National Institute of Standards and Technology's definition of cloud computing identifies “five essential characteristics":

On-demand self-service.
A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.

Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).

Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.

Rapid elasticity. Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear unlimited and can be appropriated in any quantity at any time.

Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

— National Institute of Standards and Technology[2]

32.4 Service models

Though service-oriented architecture advocates “everything as a service” (with the acronyms EaaS or XaaS or simply aas),[59] cloud-computing providers offer their “services” according to different models, of which the three standard models per NIST are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).[2] These models offer increasing abstraction; they are thus often portrayed as layers in a stack: infrastructure-, platform- and software-as-a-service,[60] but these need not be related.
For example, one can provide SaaS implemented on physical machines (bare metal), without using underlying PaaS or IaaS layers, and conversely one can run a program on IaaS and access it directly, without wrapping it as SaaS.

[Figure: Cloud computing service models arranged as layers in a stack]

The NIST’s definition of cloud computing defines the service models as follows:[2]

Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

32.4.1 Infrastructure as a service (IaaS)

See also: Category:Cloud infrastructure

According to the Internet Engineering Task Force (IETF), the most basic cloud-service model is that of providers offering computing infrastructure – virtual machines and other resources – as a service to subscribers. Infrastructure as a service (IaaS) refers to online services that abstract the user from the details of infrastructure like physical computing resources, location, data partitioning, scaling, security, backup etc. A hypervisor, such as Xen, Oracle VirtualBox, Oracle VM, KVM, VMware ESX/ESXi, or Hyper-V, runs the virtual machines as guests. Pools of hypervisors within the cloud operational system can support large numbers of virtual machines and the ability to scale services up and down according to customers’ varying requirements. Linux containers run in isolated partitions of a single Linux kernel running directly on the physical hardware. Linux cgroups and namespaces are the underlying Linux kernel technologies used to isolate, secure and manage the containers. Containerisation offers higher performance than virtualization, because there is no hypervisor overhead. Also, container capacity auto-scales dynamically with computing load, which eliminates the problem of over-provisioning and enables usage-based billing.[61] IaaS clouds often offer additional resources such as a virtual-machine disk-image library, raw block storage, file or object storage, firewalls, load balancers, IP addresses, virtual local area networks (VLANs), and software bundles.[62]

IaaS-cloud providers supply these resources on-demand from their large pools of equipment installed in data centers. For wide-area connectivity, customers can use either the Internet or carrier clouds (dedicated virtual private networks). To deploy their applications, cloud users install operating-system images and their application software on the cloud infrastructure.[63] In this model, the cloud user patches and maintains the operating systems and the application software. Cloud providers typically bill IaaS services on a utility computing basis: cost reflects the amount of resources allocated and consumed.[64][65][66][67]

32.4.2 Platform as a service (PaaS)

Main article: Platform as a service
See also: Category:Cloud platforms

PaaS vendors offer a development environment to application developers. The provider typically develops toolkit and standards for development and channels for distribution and payment. In the PaaS models, cloud providers deliver a computing platform, typically including operating system, programming-language execution environment, database, and web server. Application developers can develop and run their software solutions on a cloud platform without the cost and complexity of buying and managing the underlying hardware and software layers. With some PaaS offers like Microsoft Azure and Google App Engine, the underlying computer and storage resources scale automatically to match application demand so that the cloud user does not have to allocate resources manually. The latter has also been proposed by an architecture aiming to facilitate real-time in cloud environments.[68] Even more specific application types can be provided via PaaS, such as media encoding as provided by services like bitcodin.com[69] or media.io.[70]

Some integration and data management providers have also embraced specialized applications of PaaS as delivery models for data solutions. Examples include iPaaS (Integration Platform as a Service) and dPaaS (Data Platform as a Service). iPaaS enables customers to develop, execute and govern integration flows.[71] Under the iPaaS integration model, customers drive the development and deployment of integrations without installing or managing any hardware or middleware.[72] dPaaS delivers integration—and data-management—products as a fully managed service.[73] Under the dPaaS model, the PaaS provider, not the customer, manages the development and execution of data solutions by building tailored data applications for the customer. dPaaS users retain transparency and control over data through data-visualization tools.[74]

Platform as a Service (PaaS) consumers do not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but have control over the deployed applications and possibly configuration settings for the application-hosting environment.

A recent specialized PaaS is the Blockchain as a Service (BaaS), that some vendors such as Microsoft Azure have already included in their PaaS offering.[75]

32.4.3 Software as a service (SaaS)

Main article: Software as a service

In the software as a service (SaaS) model, users gain access to application software and databases. Cloud providers manage the infrastructure and platforms that run the applications. SaaS is sometimes referred to as “on-demand software” and is usually priced on a pay-per-use basis or using a subscription fee.[76]

In the SaaS model, cloud providers install and operate application software in the cloud and cloud users access the software from cloud clients. Cloud users do not manage the cloud infrastructure and platform where the application runs. This eliminates the need to install and run the application on the cloud user’s own computers, which simplifies maintenance and support.
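The multi-tenant concern raised under Characteristics (one system shared by unrelated users, and tenants' limited access to audit logs) and the SaaS model described here, as an added illustration that is not part of the original article: a tenant-scoped data layer in which the server, not the client, decides which tenant a record belongs to, and each tenant can read its own slice of the access audit trail. The tenant names, users and records are constructed for the example.

```python
"""Tenant isolation in a multi-tenant SaaS data layer (added illustration).

A constructed, in-memory model of the concern above: several unrelated
customer organisations ("tenants") share one application instance, so every
data access must be scoped to the caller's tenant on the server side, and each
tenant should be able to see an audit trail of access attempts it made.
All names and records below are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Principal:
    """An authenticated caller. tenant_id comes from the login session,
    never from a request parameter the client can edit."""
    user: str
    tenant_id: str


@dataclass
class Record:
    tenant_id: str
    owner: str
    body: str


@dataclass
class AuditEvent:
    when: datetime
    tenant_id: str      # tenant of the caller who made the attempt
    user: str
    record_id: str
    outcome: str        # "allowed" or "denied"


class TenantScopedStore:
    """Records live in one shared table, as in a multi-tenant SaaS backend."""

    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}
        self._audit: List[AuditEvent] = []   # provider keeps the full log

    def put(self, principal: Principal, record_id: str, body: str) -> None:
        # A record is always stamped with the creating principal's tenant;
        # the client cannot choose which tenant it is stored under.
        self._records[record_id] = Record(principal.tenant_id, principal.user, body)

    def get(self, principal: Principal, record_id: str) -> Optional[str]:
        """Return the record body, or None when it does not exist or belongs
        to another tenant. Both cases look identical to the caller, so a
        cross-tenant probe cannot learn which record ids exist."""
        rec = self._records.get(record_id)
        allowed = rec is not None and rec.tenant_id == principal.tenant_id
        # Every attempt is logged, including denials, under the caller's tenant.
        self._audit.append(AuditEvent(datetime.now(timezone.utc), principal.tenant_id,
                                      principal.user, record_id,
                                      "allowed" if allowed else "denied"))
        return rec.body if allowed else None

    def audit_log(self, principal: Principal) -> List[AuditEvent]:
        """Each tenant may read only its own slice of the shared audit log."""
        return [e for e in self._audit if e.tenant_id == principal.tenant_id]


def demo() -> dict:
    """Constructed scenario: two unrelated tenants on one instance."""
    store = TenantScopedStore()
    alice = Principal("alice", "tenant-acme")       # hypothetical tenant
    mallory = Principal("mallory", "tenant-globex")  # hypothetical tenant
    store.put(alice, "inv-1001", "ACME invoice, confidential")
    return {
        "same_tenant": store.get(alice, "inv-1001"),
        "cross_tenant": store.get(mallory, "inv-1001"),   # denied
        "missing": store.get(mallory, "inv-9999"),        # indistinguishable
        "acme_log": [(e.user, e.record_id, e.outcome) for e in store.audit_log(alice)],
        "globex_log": [(e.user, e.record_id, e.outcome) for e in store.audit_log(mallory)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```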
Cloud applications differ from other applications in their scalability—which can be achieved by cloning tasks onto multiple virtual machines at run-time to meet changing work demand.[77] Load balancers distribute the work over the set of virtual machines. This process is transparent to the cloud user, who sees only a single access-point. To accommodate a large number of cloud users, cloud applications can be multitenant, meaning that any machine may serve more than one cloud-user organization.

The pricing model for SaaS applications is typically a monthly or yearly flat fee per user,[78] so prices become scalable and adjustable if users are added or removed at any point.[79] Proponents claim that SaaS gives a business the potential to reduce IT operational costs by outsourcing hardware and software maintenance and support to the cloud provider. This enables the business to reallocate IT operations costs away from hardware/software spending and from personnel expenses, towards meeting other goals. In addition, with applications hosted centrally, updates can be released without the need for users to install new software.

One drawback of SaaS comes with storing the users’ data on the cloud provider’s server. As a result, there could be unauthorized access to the data. For this reason, users are increasingly adopting intelligent third-party key-management systems to help secure their data.

32.4.4 Mobile “backend” as a service (MBaaS)

Main article: Mobile backend as a service

In the mobile “backend” as a service (mBaaS) model, also known as backend as a service (BaaS), web app and mobile app developers are provided with a way to link their applications to cloud storage and cloud computing services with application programming interfaces (APIs) exposed to their applications and custom software development kits (SDKs). Services include user management, push notifications, integration with social networking services[80] and more. This is a relatively recent model in cloud computing,[81] with most BaaS startups dating from 2011 or later[82][83][84] but trends indicate that these services are gaining significant mainstream traction with enterprise consumers.[85]

32.4.5 Serverless computing

Main article: Serverless computing

Serverless computing is a cloud computing code execution model in which the cloud provider fully manages starting and stopping virtual machines as necessary to serve requests, and requests are billed by an abstract measure of the resources required to satisfy the request, rather than per virtual machine, per hour.[86] Despite the name, it does not actually involve running code without servers.[86] Serverless computing is so named because the business or person that owns the system does not have to purchase, rent or provision servers or virtual machines for the back-end code to run on.

32.5 Cloud clients

See also: Category:Cloud clients and Cloud API

Users access cloud computing using networked client devices, such as desktop computers, laptops, tablets and smartphones and any Ethernet enabled device such as Home Automation Gadgets. Some of these devices—cloud clients—rely on cloud computing for all or a majority of their applications so as to be essentially useless without it. Examples are thin clients and the browser-based Chromebook. Many cloud applications do not require specific software on the client and instead use a web browser to interact with the cloud application. With Ajax and HTML5 these Web user interfaces can achieve a similar, or even better, look and feel to native applications. Some cloud applications, however, support specific client software dedicated to these applications (e.g., virtual desktop clients and most email clients). Some legacy applications (line of business applications that until now have been prevalent in thin client computing) are delivered via a screen-sharing technology.

32.6 Deployment models

[Figure: Cloud computing types (CC-BY-SA 3.0 by Sam Johnston): private/internal, public/external and hybrid clouds, shown as on premises/internal versus off premises/third party.]

32.6.1 Private cloud

Private cloud is cloud infrastructure operated solely for a single organization, whether managed internally or by a third-party, and hosted either internally or externally.[2] Undertaking a private cloud project requires a significant level and degree of engagement to virtualize the business environment, and requires the organization to reevaluate decisions about existing resources. When done right, it can improve business, but every step in the project raises security issues that must be addressed to prevent serious vulnerabilities. Self-run data centers[87] are generally capital intensive. They have a significant physical footprint, requiring allocations of space, hardware, and environmental controls. These assets have to be refreshed periodically, resulting in additional capital expenditures. They have attracted criticism because users “still have to buy, build, and manage them” and thus do not benefit from less hands-on management,[88] essentially "[lacking] the economic model that makes cloud computing such an intriguing concept”.[89][90]

32.6.2 Public cloud

A cloud is called a “public cloud” when the services are rendered over a network that is open for public use.
Public cloud services may be free.[91] Technically there may be little or no difference between public and private cloud architecture; however, security considerations may be substantially different for services (applications, storage, and other resources) that are made available by a service provider for a public audience and when communication is effected over a non-trusted network. Generally, public cloud service providers like Amazon Web Services (AWS), Microsoft and Google own and operate the infrastructure at their data center and access is generally via the Internet. AWS and Microsoft also offer direct connect services called “AWS Direct Connect” and “Azure ExpressRoute” respectively; such connections require customers to purchase or lease a private connection to a peering point offered by the cloud provider.[43]

32.6.3 Hybrid cloud

Hybrid cloud is a composition of two or more clouds (private, community or public) that remain distinct entities but are bound together, offering the benefits of multiple deployment models. Hybrid cloud can also mean the ability to connect colocation, managed and/or dedicated services with cloud resources.[2] Gartner, Inc. defines a hybrid cloud service as a cloud computing service that is composed of some combination of private, public and community cloud services, from different service providers.[92] A hybrid cloud service crosses isolation and provider boundaries so that it can't be simply put in one category of private, public, or community cloud service. It allows one to extend either the capacity or the capability of a cloud service, by aggregation, integration or customization with another cloud service.

Varied use cases for hybrid cloud composition exist. For example, an organization may store sensitive client data in house on a private cloud application, but interconnect that application to a business intelligence application provided on a public cloud as a software service.[93] This example of hybrid cloud extends the capabilities of the enterprise to deliver a specific business service through the addition of externally available public cloud services. Hybrid cloud adoption depends on a number of factors such as data security and compliance requirements, level of control needed over data, and the applications an organization uses.[94]

Another example of hybrid cloud is one where IT organizations use public cloud computing resources to meet temporary capacity needs that cannot be met by the private cloud.[95] This capability enables hybrid clouds to employ cloud bursting for scaling across clouds.[2] Cloud bursting is an application deployment model in which an application runs in a private cloud or data center and “bursts” to a public cloud when the demand for computing capacity increases. A primary advantage of cloud bursting and a hybrid cloud model is that an organization pays for extra compute resources only when they are needed.[96] Cloud bursting enables data centers to create an in-house IT infrastructure that supports average workloads, and use cloud resources from public or private clouds during spikes in processing demands.[97]

The specialized model of hybrid cloud, which is built atop heterogeneous hardware, is called “Cross-platform Hybrid Cloud”. A cross-platform hybrid cloud is usually powered by different CPU architectures, for example, x86-64 and ARM, underneath. Users can transparently deploy and scale applications without knowledge of the cloud’s hardware diversity.[98] This kind of cloud emerges from the rise of ARM-based system-on-chip for server-class computing.

32.6.4 Others

Community cloud

Community cloud shares infrastructure between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third-party, and either hosted internally or externally. The costs are spread over fewer users than a public cloud (but more than a private cloud), so only some of the cost savings potential of cloud computing are realized.[2]

Distributed cloud

A cloud computing platform can be assembled from a distributed set of machines in different locations, connected to a single network or hub service. It is possible to distinguish between two types of distributed clouds: public-resource computing and volunteer cloud.

• Public-resource computing—This type of distributed cloud results from an expansive definition of cloud computing, because such platforms are more akin to distributed computing than cloud computing. Nonetheless, it is considered a sub-class of cloud computing, and some examples include distributed computing platforms such as BOINC and Folding@Home.
• Volunteer cloud—Volunteer cloud computing is characterized as the intersection of public-resource computing and cloud computing, where a cloud computing infrastructure is built using volunteered resources. Many challenges arise from this type of infrastructure, because of the volatility of the resources used to build it and the dynamic environment it operates in. It can also be called peer-to-peer clouds, or ad-hoc clouds. An interesting effort in such direction is Cloud@Home, which aims to implement a cloud computing infrastructure using volunteered resources, providing a business model to incentivize contributions through financial restitution.[99]

Intercloud

Main article: Intercloud

The Intercloud[100] is an interconnected global “cloud of clouds”[101][102] and an extension of the Internet “network of networks” on which it is based. The focus is on direct interoperability between public cloud service providers, more so than between providers and consumers (as is the case for hybrid- and multi-cloud).[103][104][105]

Multicloud

Main article: Multicloud

Multicloud is the use of multiple cloud computing services in a single heterogeneous architecture to reduce reliance on single vendors, increase flexibility through choice, mitigate against disasters, etc. It differs from hybrid cloud in that it refers to multiple cloud services, rather than multiple deployment modes (public, private, legacy).[106][107][108]

32.7 Architecture

Cloud computing sample architecture (figure: cloud service, e.g. queue; cloud platform, e.g. web frontend; cloud infrastructure, e.g. billing VMs; cloud storage, e.g. database)

Cloud architecture,[109] the systems architecture of the software systems involved in the delivery of cloud computing, typically involves multiple cloud components communicating with each other over a loose coupling mechanism such as a messaging queue. Elastic provision implies intelligence in the use of tight or loose coupling as applied to mechanisms such as these and others.

32.7.1 Cloud engineering

Cloud engineering is the application of engineering disciplines to cloud computing. It brings a systematic approach to the high-level concerns of commercialization, standardization, and governance in conceiving, developing, operating and maintaining cloud computing systems. It is a multidisciplinary method encompassing contributions from diverse areas such as systems, software, web, performance, information, security, platform, risk, and quality engineering.

32.8 Security and privacy

Main article: Cloud computing issues

Cloud computing poses privacy concerns because the service provider can access the data that is in the cloud at any time. It could accidentally or deliberately alter or even delete information.[110] Many cloud providers can share information with third parties if necessary for purposes of law and order even without a warrant. That is permitted in their privacy policies, which users must agree to before they start using cloud services. Solutions to privacy include policy and legislation as well as end users’ choices for how data is stored.[110] Users can encrypt data that is processed or stored within the cloud to prevent unauthorized access.[3][110]

According to the Cloud Security Alliance, the top three threats in the cloud are Insecure Interfaces and APIs, Data Loss & Leakage, and Hardware Failure—which accounted for 29%, 25% and 10% of all cloud security outages respectively. Together, these form shared technology vulnerabilities. On a cloud provider platform shared by different users, information belonging to different customers may reside on the same data server, so information leakage can arise by mistake when one customer’s information is given to another.[111] Additionally, Eugene Schultz, chief technology officer at Emagined Security, said that hackers are spending substantial time and effort looking for ways to penetrate the cloud. “There are some real Achilles’ heels in the cloud infrastructure that are making big holes for the bad guys to get into”. Because data from hundreds or thousands of companies can be stored on large cloud servers, hackers can theoretically gain control of huge stores of information through a single attack—a process he called “hyperjacking”. Some examples of this include the Dropbox security breach, and iCloud 2014 leak.[112] Dropbox had been breached in October 2014, having over 7 million of its users’ passwords stolen by hackers in an effort to get monetary value from it by Bitcoins (BTC).
By having these passwords, they are able to read private data as well as have this data be indexed by search engines (making the information public).[112]

There is the problem of legal ownership of the data (if a user stores some data in the cloud, can the cloud provider profit from it?). Many Terms of Service agreements are silent on the question of ownership.[113] Physical control of the computer equipment (private cloud) is more secure than having the equipment off site and under someone else’s control (public cloud). This delivers great incentive to public cloud computing service providers to prioritize building and maintaining strong management of secure services.[114] Some small businesses that don't have expertise in IT security could find that it’s more secure for them to use a public cloud. There is the risk that end users do not understand the issues involved when signing on to a cloud service (persons sometimes don't read the many pages of the terms of service agreement, and just click “Accept” without reading). This is important now that cloud computing is becoming popular and required for some services to work, for example for an intelligent personal assistant (Apple’s Siri or Google Now). Fundamentally, private cloud is seen as more secure with higher levels of control for the owner; however, public cloud is seen to be more flexible and requires less time and money investment from the user.[115]

32.9 Limitations and Disadvantages

According to Bruce Schneier, “The downside is that you will have limited customization options. Cloud computing is cheaper because of economics of scale, and — like any outsourced task — you tend to get what you get. A restaurant with a limited menu is cheaper than a personal chef who can cook anything you want. Fewer options at a much cheaper price: it’s a feature, not a bug.” He also suggests that “the cloud provider might not meet your legal needs” and that businesses need to weigh the benefits of cloud computing against the risks.[116]

In cloud computing, the control of the back end infrastructure is limited to the cloud vendor only. Cloud providers often decide on the management policies, which moderates what the cloud users are able to do with their deployment.[117] Cloud users are also limited to the control and management of their applications, data and services.[118] This includes data caps, which are placed on cloud users by the cloud vendor allocating a certain amount of bandwidth for each customer and are often shared among other cloud users.[119]

32.10 Emerging trends

Cloud computing is still as much a research topic as it is a market offering.[120] What is clear through the evolution of cloud computing services is that the chief technical officer (CTO) is a major driving force behind cloud adoption.[121] The major cloud technology developers continue to invest billions a year in cloud R&D; for example, in 2011 Microsoft committed 90% of its US$9.6bn R&D budget to its cloud.[122] Centaur Partners also predict that SaaS revenue will grow from US$13.5B in 2011 to $32.8B in 2016.[123] This expansion also includes Finance and Accounting SaaS.[124] Additionally, more industries are turning to cloud technology as an efficient way to improve quality services due to its capabilities to reduce overhead costs, downtime, and automate infrastructure deployment.[125]

32.11 See also

• Category: Cloud computing providers
• Category: Cloud platforms
• Cloud computing security
• Cloud computing comparison
• Cloud management
• Cloud research
• Cloud storage
• Edge computing
• eScience
• Mobile cloud computing
• Personal cloud
• Robot as a Service
• Service-Oriented Architecture
• Ubiquitous computing
• Web computing

32.12 References

[1] Hassan, Qusay (2011). “Demystifying Cloud Computing” (PDF). The Journal of Defense Software Engineering. CrossTalk. 2011 (Jan/Feb): 16–21.
Retrieved 11 December 2014.
[2] Peter Mell and Timothy Grance (September 2011). The NIST Definition of Cloud Computing (Technical report). National Institute of Standards and Technology: U.S. Department of Commerce. doi:10.6028/NIST.SP.800-145. Special publication 800-145.
[3] M. Haghighat, S. Zonouz, & M. Abdel-Mottaleb (2015). CloudID: Trustworthy Cloud-based and Cross-Enterprise Biometric Identification. Expert Systems with Applications, 42(21), 7905–7916.
[4] “What is Cloud Computing?”. Amazon Web Services. 2013-03-19. Retrieved 2013-03-20.
[5] Baburajan, Rajani (2011-08-24). “The Rising Cloud Storage Market Opportunity Strengthens Vendors”. It.tmcnet.com. Retrieved 2011-12-02.
[6] Oestreich, Ken (2010-11-15). “Converged Infrastructure”. CTO Forum. Thectoforum.com. Retrieved 2011-12-02.
[7] “Where’s The Rub: Cloud Computing’s Hidden Costs”. 2014-02-27. Retrieved 2014-07-14.
[8] “Cloud Computing: Clash of the clouds”. The Economist. 2009-10-15. Retrieved 2009-11-03.
[9] “Gartner Says Cloud Computing Will Be As Influential As E-business”. Gartner. Retrieved 2010-08-22.
[10] Gruman, Galen (2008-04-07). “What cloud computing really means”. InfoWorld. Retrieved 2009-06-02.
[11] Dealey, C. “Cloud Computing Working Group”, Network Centric Operations Industry Consortium - NCOIC, 2013.
[12] “The economy is flat so why are financials Cloud vendors growing at more than 90 percent per annum?”. FSN. March 5, 2013.
[13] “Realization of Interoperability & Portability Among Open Clouds by Using Agent’s Mobility & Intelligence - TechRepublic”. TechRepublic. Retrieved 2015-10-24.
[14] “Interoperability and Portability among Open Clouds Using FIPA Agent / 978-3-659-24863-4 / 9783659248634 / 3659248630”. www.lap-publishing.com. Retrieved 2015-10-24.
[15] Hassan, Qusay F.; Riad, Alaa M.; Hassan, Ahmed E. (2012). “Software reuse in the emerging cloud computing era”. In Yang, Hongji; Liu, Xiaodong. Understanding Cloud Computing (PDF). Hershey, PA: Information Science Reference. pp. 204–227. doi:10.4018/978-1-4666-0897-9.ch009. ISBN 978-1-4666-0897-9. Retrieved 11 December 2014.
[16] Schmidt, Eric; Rosenberg, Jonathan (2014). How Google Works. Grand Central Publishing. p. 11. ISBN 978-1-4555-6059-2.
[17] “Internet History 1977”.
[18] “National Science Foundation, “Diagram of CSNET,” 1981”.
[19] Steven Levy (April 1994). “Bill and Andy’s Excellent Adventure II”. Wired.
[20] Antonio Regalado (31 October 2011). “Who Coined 'Cloud Computing'?”. Technology Review. MIT. Retrieved 31 July 2013.
[21] “Announcing Amazon Elastic Compute Cloud (Amazon EC2) - beta”. Amazon.com. 2006-08-24. Retrieved 2014-05-31.
[22] White, J.E. “Network Specifications for Remote Job Entry and Remote Job Output Retrieval at UCSB”. tools.ietf.org. Retrieved 2016-03-21.
[23] “July, 1993 meeting report from the IP over ATM working group of the IETF”. CH: Switch. Retrieved 2010-08-22.
[24] Corbató, Fernando J. “An Experimental Time-Sharing System”. SJCC Proceedings. MIT. Retrieved 3 July 2012.
[25] Rochwerger, B.; Breitgand, D.; Levy, E.; Galis, A.; Nagin, K.; Llorente, I. M.; Montero, R.; Wolfsthal, Y.; Elmroth, E.; Caceres, J.; Ben-Yehuda, M.; Emmerich, W.; Galan, F. “The Reservoir model and architecture for open federated cloud computing”. IBM Journal of Research and Development. 53 (4): 4:1–4:11. doi:10.1147/JRD.2009.5429058.
[26] Kyriazis, D; A Menychtas; G Kousiouris; K Oberle; T Voith; M Boniface; E Oliveros; T Cucinotta; S Berger (November 2010). “A Real-time Service Oriented Infrastructure”. International Conference on Real-Time and Embedded Systems (RTES 2010). Singapore.
[27] Gogouvitis, Spyridon; Konstanteli, Kleopatra; Waldschmidt, Stefan; Kousiouris, George; Katsaros, Gregory; Menychtas, Andreas; Kyriazis, Dimosthenis; Varvarigou, Theodora (2012). “Workflow management for soft real-time interactive applications in virtualized environments”. Future Generation Computer Systems. 28 (1): 193–209. doi:10.1016/j.future.2011.05.017. ISSN 0167-739X.
[28] Keep an eye on cloud computing, Amy Schurr, Network World, 2008-07-08, citing the Gartner report, “Cloud Computing Confusion Leads to Opportunity”. Retrieved 2009-09-11.
[29] Gartner (2008-08-18). “Gartner Says Worldwide IT Spending On Pace to Surpass Trillion in 2008”.
[30] “Windows Azure General Availability”. The Official Microsoft Blog. Microsoft. 2010-02-01. Retrieved 2015-05-03.
[31] “Faenov - Cluster Platform SL230s Gen8, Xeon E5-2670 8C 2.600GHz, Infiniband QDR - TOP500 Supercomputer Sites”.
[32] “Launch of IBM Smarter Computing”. Retrieved 1 March 2011.
[33] “Launch of Oracle Cloud”. Retrieved 28 February 2014.
[34] “Oracle Cloud, Enterprise-Grade Cloud Solutions: SaaS, PaaS, and IaaS”. Retrieved 12 October 2014.
[35] “Larry Ellison Doesn't Get the Cloud: The Dumbest Idea of 2013”. Forbes.com. Retrieved 12 October 2014.
[36] “Oracle Disrupts Cloud Industry with End-to-End Approach”. Forbes.com. Retrieved 12 October 2014.
[37] HAMDAQA, Mohammad (2012). Cloud Computing Uncovered: A Research Landscape (PDF). Elsevier Press. pp. 41–85. ISBN 0-12-396535-7.
[38] “Distributed Application Architecture” (PDF). Sun Microsystem. Retrieved 2009-06-16.
[39] Skala, Karolj; Davidović, Davor; Afgan, Enis; Sović, Ivan; Šojat, Zorislav (2015-12-31). “Scalable Distributed Computing Hierarchy: Cloud, Fog and Dew Computing”. Open Journal of Cloud Computing. RobPub. 2 (1): 16–24. ISSN 2199-1987.
[40] “It’s probable that you've misunderstood 'Cloud Computing' until now”. TechPluto. Retrieved 2010-09-14.
[41] Danielson, Krissi (2008-03-26). “Distinguishing Cloud Computing from Utility Computing”. Ebizq.net. Retrieved 2010-08-22.
[42] “Recession Is Good For Cloud Computing – Microsoft Agrees”. CloudAve. Retrieved 2010-08-22.
[43] “Defining 'Cloud Services’ and “Cloud Computing””. IDC. 2008-09-23. Retrieved 2010-08-22.
[44] “e-FISCAL project state of the art repository”.
[45] Farber, Dan (2008-06-25). “The new geek chic: Data centers”. CNET News. Retrieved 2010-08-22.
[46] “Jeff Bezos’ Risky Bet”. Business Week.
[47] He, Sijin; Guo, L.; Guo, Y.; Ghanem, M. “Improving Resource Utilisation in the Cloud Environment Using Multivariate Probabilistic Models”. 2012 IEEE 5th International Conference on Cloud Computing (CLOUD): 574–581. doi:10.1109/CLOUD.2012.66. ISBN 978-1-4673-2892-0.
[48] He, Qiang, et al. “Formulating Cost-Effective Monitoring Strategies for Service-based Systems.” (2013): 1-1.
[49] A Self-adaptive hierarchical monitoring mechanism for Clouds. Elsevier.com.
[50] Heather Smith (23 May 2013). Xero For Dummies. John Wiley & Sons. pp. 37–. ISBN 978-1-118-57252-8.
[51] King, Rachael (2008-08-04). “Cloud Computing: Small Companies Take Flight”. Bloomberg BusinessWeek. Retrieved 2010-08-22.
[52] Mao, Ming; M. Humphrey (2012). “A Performance Study on the VM Startup Time in the Cloud”. Proceedings of 2012 IEEE 5th International Conference on Cloud Computing (Cloud2012): 423. doi:10.1109/CLOUD.2012.103. ISBN 978-1-4673-2892-0.
[53] Dario Bruneo, Salvatore Distefano, Francesco Longo, Antonio Puliafito, Marco Scarpa: Workload-Based Software Rejuvenation in Cloud Systems. IEEE Trans. Computers 62(6): 1072–1085 (2013).
[54] “Defining and Measuring Cloud Elasticity”. KIT Software Quality Departement. Retrieved 13 August 2011.
[55] “Economies of Cloud Scale Infrastructure”. Cloud Slam 2011. Retrieved 13 May 2011.
[56] He, Sijin; L. Guo; Y. Guo; C. Wu; M. Ghanem; R. Han. “Elastic Application Container: A Lightweight Approach for Cloud Resource Provisioning”. 2012 IEEE 26th International Conference on Advanced Information Networking and Applications (AINA): 15–22. doi:10.1109/AINA.2012.74. ISBN 978-1-4673-0714-7.
[57] Marston, Sean; Li, Zhi; Bandyopadhyay, Subhajyoti; Zhang, Juheng; Ghalsasi, Anand (2011-04-01). “Cloud computing — The business perspective”. Decision Support Systems. 51 (1): 176–189. doi:10.1016/j.dss.2010.12.006.
[58] Mills, Elinor (2009-01-27). “Cloud computing security forecast: Clear skies”. CNET News. Retrieved 2010-08-22.
[59] Kurdi, Heba; Li, Maozhen; Al-Raweshidy, H. S. (2010). “Taxonomy of Grid Systems”. In Antonopoulos, Nick. Handbook of Research on P2P and Grid Systems for Service-Oriented Computing: Models, Methodologies and Applications. IGI Global research collection. IGI Global. p. 34. ISBN 978-1-61520-687-2. Retrieved 2015-07-29. Nowadays Service-Oriented Architecture (SOA) has become as [sic] the main architectural model of many IT initiatives including grid, cloud and everything as a service (Essa\XaaS\aas) computing.
[60] Alcaraz Calero, Jose M.; König, Benjamin; Kirschnick, Johannes (2012). “Cross-Layer Monitoring in Cloud Computing”. In Rashvand, Habib F.; Kavian, Yousef S. Using Cross-Layer Techniques for Communication Systems. Premier reference source. IGI Global. p. 329. ISBN 978-1-4666-0961-7. Retrieved 2015-07-29. Cloud Computing provides services on a stack composed of three service layers (Hurwitz, Bloor, Kaufman, & Halper, 2009): Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
[61] “ElasticHosts Blog”. Elastichosts. 2014-04-01. Retrieved 2016-06-02.
[62] Amies, Alex; Sluiman, Harm; Tong, Qiang Guo; Liu, Guo Ning (July 2012). “Infrastructure as a Service Cloud Concepts”. Developing and Hosting Applications on the Cloud. IBM Press. ISBN 978-0-13-306684-5.
[63] Ananich, Anthony. “What is IaaS?”. ananich.pro. Retrieved 2016-02-20.
[64] “Amazon EC2 Pricing”. Retrieved 7 July 2014.
[65] “Compute Engine Pricing”. Retrieved 7 July 2014.
[66] “Microsoft Azure Virtual Machines Pricing Details”. Retrieved 7 July 2014.
[67] “cloud.ca”.
[68] Boniface, M.; et al. (2010), Platform-as-a-Service Architecture for Real-Time Quality of Service Management in Clouds, 5th International Conference on Internet and Web Applications and Services (ICIW), Barcelona, Spain: IEEE, pp.
155–160, doi:10.1109/ICIW.2010.91.
[69] “bitcodin – cloud based transcoding and streaming”. Retrieved 22 April 2015.
[70] media.io
[71] Gartner. “Gartner IT Glossary”. Retrieved 6 July 2015.
[72] Gartner; Massimo Pezzini; Paolo Malinverno; Eric Thoo. “Gartner Reference Model for Integration PaaS”. Retrieved 16 January 2013.
[73] Loraine Lawson. “IT Business Edge”. Retrieved 6 July 2015.
[74] Enterprise CIO Forum; Gabriel Lowy. “The Value of Data Platform-as-a-Service (dPaaS)”. Retrieved 6 July 2015.
[75] “Blockchain as a Service (BaaS) | Microsoft Azure”. azure.microsoft.com. Retrieved 2016-08-22.
[76] “Definition of: SaaS”. PC Magazine Encyclopedia. Ziff Davis. Retrieved 14 May 2014.
[77] Hamdaqa, Mohammad. A Reference Model for Developing Cloud Applications (PDF).
[78] Chou, Timothy. Introduction to Cloud Computing: Business & Technology.
[79] “HVD: the cloud’s silver lining” (PDF). Intrinsic Technology. Retrieved 30 August 2012.
[80] Carney, Michael. “AnyPresence partners with Heroku to beef up its enterprise mBaaS offering”. PandoDaily. Retrieved 24 June 2013.
[81] Alex Williams (11 October 2012). “Kii Cloud Opens Doors For Mobile Developer Platform With 25 Million End Users”. TechCrunch. Retrieved 16 October 2012.
[82] Aaron Tan (30 September 2012). “FatFractal ups the ante in backend-as-a-service market”. Techgoondu.com. Retrieved 16 October 2012.
[83] Dan Rowinski (9 November 2011). “Mobile Backend As A Service Parse Raises $5.5 Million in Series A Funding”. ReadWrite. Retrieved 23 October 2012.
[84] Pankaj Mishra (7 January 2014). “MobStac Raises $2 Million In Series B To Help Brands Leverage Mobile Commerce”. TechCrunch. Retrieved 22 May 2014.
[85] “built.io Is Building an Enterprise MBaas Platform for IoT”. programmableweb. Retrieved 3 March 2014.
[86] Miller, Ron (24 Nov 2015). “AWS Lambda Makes Serverless Applications A Reality”. TechCrunch. Retrieved 10 July 2016.
[87] “Self-Run Private Cloud Computing Solution — GovConnection”. govconnection.com. 2014. Retrieved April 15, 2014.
[88] Foley, John. “Private Clouds Take Shape”. InformationWeek. Retrieved 2010-08-22.
[89] Haff, Gordon (2009-01-27). “Just don't call them private clouds”. CNET News. Retrieved 2010-08-22.
[90] “There’s No Such Thing As A Private Cloud”. InformationWeek. 2010-06-30. Retrieved 2010-08-22.
[91] Rouse, Margaret. “What is public cloud?”. Definition from Whatis.com. Retrieved 12 October 2014.
[92] “Mind the Gap: Here Comes Hybrid Cloud – Thomas Bittman”. Thomas Bittman. Retrieved 22 April 2015.
[93] “Business Intelligence Takes to Cloud for Small Businesses”. CIO.com. 2014-06-04. Retrieved 2014-06-04.
[94] Désiré Athow. “Hybrid cloud: is it right for your business?”. TechRadar. Retrieved 22 April 2015.
[95] Metzler, Jim; Taylor, Steve (2010-08-23). “Cloud computing: Reality vs. fiction”. Network World.
[96] Rouse, Margaret. “Definition: Cloudbursting”, May 2011. SearchCloudComputing.com.
[97] “How Cloudbursting “Rightsizes” the Data Center”.
[98] Kaewkasi, Chanwit (3 May 2015). “Cross-Platform Hybrid Cloud with Docker”.
[99] Vincenzo D. Cunsolo, Salvatore Distefano, Antonio Puliafito, Marco Scarpa: Volunteer Computing and Desktop Cloud: The Cloud@Home Paradigm. IEEE International Symposium on Network Computing and Applications, NCA 2009, pp. 134–139.
[100] Bernstein, David; Ludvigson, Erik; Sankar, Krishna; Diamond, Steve; Morrow, Monique (2009-05-24). “Blueprint for the Intercloud – Protocols and Formats for Cloud Computing Interoperability”. IEEE Computer Society: 328–336. doi:10.1109/ICIW.2009.55. ISBN 978-1-4244-3851-8.
[101] “Kevin Kelly: A Cloudbook for the Cloud”. Kk.org. Retrieved 2010-08-22.
[102] “Intercloud is a global cloud of clouds”. Samj.net. 2009-06-22. Retrieved 2010-08-22.
[103] “Vint Cerf: Despite Its Age, The Internet is Still Filled with Problems”. Readwriteweb.com. Retrieved 2010-08-22.
[104] “SP360: Service Provider: From India to Intercloud”. Blogs.cisco.com. Retrieved 2010-08-22.
[105] Canada (2007-11-29). “Head in the clouds? Welcome to the future”. The Globe and Mail. Toronto. Retrieved 2010-08-22.
[106] Rouse, Margaret. “What is a multi-cloud strategy”. SearchCloudApplications. Retrieved 3 July 2014.
[107] King, Rachel. “Pivotal’s head of products: We're moving to a multi-cloud world”. ZDnet. Retrieved 3 July 2014.
[108] Multcloud manage multiple cloud accounts. Retrieved on 06 August 2014.
[109] “Building GrepTheWeb in the Cloud, Part 1: Cloud Architectures”. Developer.amazonwebservices.com. Retrieved 2010-08-22.
[110] “Cloud Computing Privacy Concerns on Our Doorstep”.
[111] Chhibber, A (2013). “SECURITY ANALYSIS OF CLOUD COMPUTING” (PDF). International Journal of Advanced Research in Engineering and Applied Sciences. 2 (3): 2278–6252. Retrieved 27 February 2015.
[112] “Google Drive, Dropbox, Box and iCloud Reach the Top 5 Cloud Storage Security Breaches List”. psg.hitachi-solutions.com. Retrieved 2015-11-22.
[113] Maltais, Michelle (26 April 2012). “Who owns your stuff in the cloud?”. Los Angeles Times. Retrieved 2012-12-14.
[114] “Security of virtualization, cloud computing divides IT and security pros”. Network World. 2010-02-22. Retrieved 2010-08-22.
[115] “The Bumpy Road to Private Clouds”. Retrieved 2014-10-08.
[116] “Should Companies Do Most of Their Computing in the Cloud? (Part 1) - Schneier on Security”. www.schneier.com. Retrieved 2016-02-28.
[117] “Disadvantages of Cloud Computing (Part 1) - Limited control and flexibility”. www.cloudacademy.com. Retrieved 2016-11-03.
[118] “The real limits of cloud computing”. www.itworld.com. Retrieved 2016-11-03.
[119] “The real limits of cloud computing”. www.itworld.com. Retrieved 2016-11-03.
[120] Smith, David Mitchell. “Hype Cycle for Cloud Computing, 2013”. Gartner. Retrieved 3 July 2014.
[121] “The evolution of Cloud Computing”. Retrieved 22 April 2015.
Chapter 33
Virtual private network

“VPN” redirects here. For other uses, see VPN (disambiguation).

Figure: VPN connectivity overview (an Internet VPN linking the head-office, regional offices and remote/roaming users).

A virtual private network (VPN) extends a private network across a public network, such as the Internet. It enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running across the VPN may therefore benefit from the functionality, security, and management of the private network.[1]

VPNs may allow employees to securely access a corporate intranet while located outside the office. They are used to securely connect geographically separated offices of an organization, creating one cohesive network. Individual Internet users may secure their wireless transactions with a VPN, to circumvent geo-restrictions and censorship, or to connect to proxy servers for the purpose of protecting personal identity and location. However, some Internet sites block access to known VPN technology to prevent the circumvention of their geo-restrictions.

A VPN is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunneling protocols, or traffic encryption. A VPN available from the public Internet can provide some of the benefits of a wide area network (WAN). From a user perspective, the resources available within the private network can be accessed remotely.[2]

Traditional VPNs are characterized by a point-to-point topology, and they do not tend to support or connect broadcast domains, so services such as Microsoft Windows NetBIOS may not be fully supported or work as they would on a local area network (LAN). Designers have developed VPN variants, such as Virtual Private LAN Service (VPLS), and layer-2 tunneling protocols, to overcome this limitation.

33.1 Types

Early data networks allowed VPN-style remote connectivity through dial-up modem or through leased line connections utilizing Frame Relay and Asynchronous Transfer Mode (ATM) virtual circuits, provisioned through a network owned and operated by telecommunication carriers. These networks are not considered true VPNs because they passively secure the data being transmitted by the creation of logical data streams.[3] They have been replaced by VPNs based on IP and IP/Multi-protocol Label Switching (MPLS) networks, due to significant cost reductions and increased bandwidth[4] provided by new technologies such as Digital Subscriber Line (DSL)[5] and fiber-optic networ

VPNs can be either remote-access (connecting a computer to a network) or site-to-site (connecting two networks). In a corporate setting, remote-access VPNs allow employees to access their company’s intranet from home or while travelling outside the office, and site-to-site VPNs allow employees in geographically disparate offices to share one cohesive virtual network. A VPN can also be used to interconnect two similar networks over a dissimilar middle network; for example, two IPv6 networks over an IPv4 network.[6]

VPN systems may be classified by:

• The protocols used to tunnel the traffic
• The tunnel’s termination point location, e.g., on the customer edge or network-provider edge
• The type of topology of connections, such as site-to-site or network-to-network
• The levels of security provided
• The OSI layer they present to the connecting network, such as Layer 2 circuits or Layer 3 network connectivity
• The number of simultaneous connections

33.2 Security mechanisms

VPNs cannot make online connections completely anonymous, but they can usually increase privacy and security. To prevent disclosure of private information, VPNs typically allow only authenticated remote access using tunneling protocols and encryption techniques.

The VPN security model provides:

• Confidentiality such that even if the network traffic is sniffed at the packet level (see network sniffer and Deep packet inspection), an attacker would only see encrypted data
• Sender authentication to prevent unauthorized users from accessing the VPN
• Message integrity to detect any instances of tampering with transmitted messages

Secure VPN protocols include the following:

• Internet Protocol Security (IPsec) as initially developed by the Internet Engineering Task Force (IETF) for IPv6, which was required in all standards-compliant implementations of IPv6 before RFC 6434 made it only a recommendation.[7] This standards-based security protocol is also widely used with IPv4 and the Layer 2 Tunneling Protocol. Its design meets most security goals: authentication, integrity, and confidentiality. IPsec uses encryption, encapsulating an IP packet inside an IPsec packet. De-encapsulation happens at the end of the tunnel, where the original IP packet is decrypted and forwarded to its intended destination.
• Transport Layer Security (SSL/TLS) can tunnel an entire network’s traffic (as it does in the OpenVPN project and SoftEther VPN project[8]) or secure an individual connection. A number of vendors provide remote-access VPN capabilities through SSL. An SSL VPN can connect from locations where IPsec runs into trouble with Network Address Translation and firewall rules.
• Datagram Transport Layer Security (DTLS) – used in Cisco AnyConnect VPN and in OpenConnect VPN[9] to solve the issues SSL/TLS has with tunneling over UDP.
• Microsoft Point-to-Point Encryption (MPPE) works with the Point-to-Point Tunneling Protocol and in several compatible implementations on other platforms.
• Microsoft Secure Socket Tunneling Protocol (SSTP) tunnels Point-to-Point Protocol (PPP) or Layer 2 Tunneling Protocol traffic through an SSL 3.0 channel. (SSTP was introduced in Windows Server 2008 and in Windows Vista Service Pack 1.)
• Multi Path Virtual Private Network (MPVPN). Ragula Systems Development Company owns the registered trademark “MPVPN”.[10]
• Secure Shell (SSH) VPN – OpenSSH offers VPN tunneling (distinct from port forwarding) to secure remote connections to a network or to inter-network links. OpenSSH server provides a limited number of concurrent tunnels. The VPN feature itself does not support personal authentication.[11][12][13]

33.2.1 Authentication

Tunnel endpoints must be authenticated before secure VPN tunnels can be established. User-created remote-access VPNs may use passwords, biometrics, two-factor authentication or other cryptographic methods. Network-to-network tunnels often use passwords or digital certificates. They permanently store the key to allow the tunnel to establish automatically, without intervention from the administrator.

33.3 Routing

Tunneling protocols can operate in a point-to-point network topology that would theoretically not be considered as a VPN, because a VPN by definition is expected to support arbitrary and changing sets of network nodes. But since most router implementations support a software-defined tunnel interface, customer-provisioned VPNs often are simply defined tunnels running conventional routing protocols.

33.3.1 Provider-provisioned VPN building-blocks

Depending on whether a provider-provisioned VPN (PPVPN) operates in layer 2 or layer 3, the building blocks described below may be L2 only, L3 only, or combine them both. Multi-protocol label switching (MPLS) functionality blurs the L2-L3 identity.

RFC 4026 generalized the following terms to cover L2 and L3 VPNs, but they were introduced in RFC 2547.[14] More information on the devices below can also be found in Lewis, Cisco Press.[15]

Customer (C) devices

A device that is within a customer’s network and not directly connected to the service provider’s network. C devices are not aware of the VPN.

Customer Edge device (CE)

A device at the edge of the customer’s network which provides access to the PPVPN. Sometimes it’s just a demarcation point between provider and customer responsibility. Other providers allow customers to configure it.

Provider edge device (PE)

A PE is a device, or set of devices, at the edge of the provider network which connects to customer networks through CE devices and presents the provider’s view of the customer site. PEs are aware of the VPNs that connect through them, and maintain VPN state.

Provider device (P)

A P device operates inside the provider’s core network and does not directly interface to any customer endpoint. It might, for example, provide routing for many provider-operated tunnels that belong to different customers’ PPVPNs. While the P device is a key part of implementing PPVPNs, it is not itself VPN-aware and does not maintain VPN state. Its principal role is allowing the service provider to scale its PPVPN offerings, for example, by acting as an aggregation point for multiple PEs. P-to-P connections, in such a role, often are high-capacity optical links between major locations of providers.

33.4 User-visible PPVPN services

33.4.1 OSI Layer 2 services

Virtual LAN

A Layer 2 technique that allows for the coexistence of multiple LAN broadcast domains, interconnected via trunks using the IEEE 802.1Q trunking protocol. Other trunking protocols have been used but have become obsolete, including Inter-Switch Link (ISL), IEEE 802.10 (originally a security protocol but a subset was introduced for trunking), and ATM LAN Emulation (LANE).

Virtual private LAN service (VPLS)

Developed by the Institute of Electrical and Electronics Engineers, VLANs allow multiple tagged LANs to share common trunking. VLANs frequently comprise only customer-owned facilities. Whereas VPLS as described in the above section (OSI Layer 1 services) supports emulation of both point-to-point and point-to-multipoint topologies, the method discussed here extends Layer 2 technologies such as 802.1d and 802.1q LAN trunking to run over transports such as Metro Ethernet.

As used in this context, a VPLS is a Layer 2 PPVPN, rather than a private line, emulating the full functionality of a traditional local area network (LAN). From a user standpoint, a VPLS makes it possible to interconnect several LAN segments over a packet-switched, or optical, provider core; a core transparent to the user, making the remote LAN segments behave as one single LAN.[16]

In a VPLS, the provider network emulates a learning bridge, which optionally may include VLAN service.

Pseudo wire (PW)

PW is similar to VPLS, but it can provide different L2 protocols at both ends. Typically, its interface is a WAN protocol such as Asynchronous Transfer Mode or Frame Relay. In contrast, when aiming to provide the appearance of a LAN contiguous between two or more locations, the Virtual Private LAN service or IPLS would be appropriate.

Ethernet over IP tunneling

EtherIP (RFC 3378) is an Ethernet over IP tunneling protocol specification. EtherIP has only a packet encapsulation mechanism. It has no confidentiality nor message integrity protection. EtherIP was introduced in the FreeBSD network stack[17] and the SoftEther VPN[18] server program.

IP-only LAN-like service (IPLS)

A subset of VPLS, the CE devices must have Layer 3 capabilities; the IPLS presents packets rather than frames. It may support IPv4 or IPv6.

33.4.2 OSI Layer 3 PPVPN architectures

This section discusses the main architectures for PPVPNs, one where the PE disambiguates duplicate addresses in a single routing instance, and the other, virtual router, in which the PE contains a virtual router instance per VPN. The former approach, and its variants, have gained the most attention.

One of the challenges of PPVPNs involves different customers using the same address space, especially the IPv4 private address space.[19] The provider must be able to disambiguate overlapping addresses in the multiple customers’ PPVPNs.
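The address-disambiguation problem above, as an added example that is not part of the original article: a Python model of the 12-byte VPN-IPv4 addresses used by the BGP/MPLS approach described in the next section (RFC 2547, now RFC 4364), showing how the 8-byte Route Distinguisher lets one PE keep two customers' identical 10.1.0.0/16 prefixes apart. The Type 0 RD layout (2-byte type, 2-byte AS number, 4-byte assigned number) is the one specified in those RFCs; the AS number 65000, the VRF names, prefixes and next hops are constructed sample values.

```python
"""Added example, not from the original article: VPN-IPv4 addresses and
Route Distinguishers (RDs) as used by BGP/MPLS VPNs (RFC 2547 / RFC 4364).
The Type 0 RD layout is taken from those RFCs; AS number, VRF names,
prefixes and next hops below are constructed sample values."""
import ipaddress
import struct

RD_TYPE_AS2 = 0  # Type 0 RD: 16-bit AS number followed by a 32-bit assigned number


def make_rd(asn: int, number: int) -> bytes:
    """Encode a Type 0 Route Distinguisher (written ASN:number) as 8 bytes."""
    if not (0 <= asn <= 0xFFFF and 0 <= number <= 0xFFFFFFFF):
        raise ValueError("Type 0 RD needs a 16-bit ASN and a 32-bit number")
    return struct.pack("!HHI", RD_TYPE_AS2, asn, number)


def rd_to_str(rd: bytes) -> str:
    """Decode an 8-byte Type 0 RD back to ASN:number notation."""
    rd_type, asn, number = struct.unpack("!HHI", rd)
    if rd_type != RD_TYPE_AS2:
        raise ValueError(f"unsupported RD type {rd_type}")
    return f"{asn}:{number}"


def make_vpn_ipv4(rd: bytes, address: str) -> bytes:
    """VPN-IPv4 address = 8-byte RD + 4-byte IPv4 address (12 bytes in total)."""
    if len(rd) != 8:
        raise ValueError("RD must be 8 bytes")
    return rd + ipaddress.IPv4Address(address).packed


def parse_vpn_ipv4(value: bytes) -> tuple:
    """Split a 12-byte VPN-IPv4 address into ('ASN:number', 'a.b.c.d')."""
    if len(value) != 12:
        raise ValueError("VPN-IPv4 address must be exactly 12 bytes")
    return rd_to_str(value[:8]), str(ipaddress.IPv4Address(value[8:]))


class PeRouteTable:
    """Toy PE: one VRF per customer, each VRF with its own RD.

    Routes are keyed by the full 12-byte VPN-IPv4 string plus prefix length,
    so two customers advertising the same IPv4 prefix never collide."""

    def __init__(self):
        self.vrf_rd = {}   # VRF name -> 8-byte RD
        self.routes = {}   # (vpn_ipv4 bytes, prefix_len) -> (VRF name, next hop)

    def add_vrf(self, vrf: str, rd: bytes) -> None:
        self.vrf_rd[vrf] = rd

    def advertise(self, vrf: str, prefix: str, next_hop: str) -> bytes:
        """Install a customer prefix such as '10.1.0.0/16'; return its VPN-IPv4 key."""
        net = ipaddress.IPv4Network(prefix)
        key = make_vpn_ipv4(self.vrf_rd[vrf], str(net.network_address))
        self.routes[(key, net.prefixlen)] = (vrf, next_hop)
        return key

    def lookup(self, vrf: str, address: str):
        """Longest-prefix match restricted to routes carrying this VRF's RD."""
        rd = self.vrf_rd[vrf]
        addr = ipaddress.IPv4Address(address)
        best = None
        for (key, plen), (_owner, next_hop) in self.routes.items():
            if key[:8] != rd:
                continue  # another customer's route: invisible to this VRF
            net = ipaddress.IPv4Network((key[8:], plen))
            if addr in net and (best is None or plen > best[0]):
                best = (plen, next_hop)
        return None if best is None else best[1]


def demo() -> dict:
    """Two customers both use 10.1.0.0/16; distinct RDs keep the routes apart."""
    pe = PeRouteTable()
    pe.add_vrf("cust-a", make_rd(65000, 100))  # constructed RD 65000:100
    pe.add_vrf("cust-b", make_rd(65000, 200))  # constructed RD 65000:200
    key_a = pe.advertise("cust-a", "10.1.0.0/16", "192.0.2.1")
    key_b = pe.advertise("cust-b", "10.1.0.0/16", "192.0.2.2")
    return {
        "keys_differ": key_a != key_b,
        "key_a": parse_vpn_ipv4(key_a),
        "key_b": parse_vpn_ipv4(key_b),
        "next_hop_a": pe.lookup("cust-a", "10.1.7.9"),
        "next_hop_b": pe.lookup("cust-b", "10.1.7.9"),
        "routes_kept": len(pe.routes),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Without the RD prefix both advertisements would map to the same 4-byte key and the second would overwrite the first; with it, the PE holds both and each VRF resolves 10.1.7.9 to its own next hop.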
BGP/MPLS PPVPN

In the method defined by RFC 2547, BGP extensions advertise routes in the IPv4 VPN address family, which are of the form of 12-byte strings, beginning with an 8-byte Route Distinguisher (RD) and ending with a 4-byte IPv4 address. RDs disambiguate otherwise duplicate addresses in the same PE.

PEs understand the topology of each VPN, which are interconnected with MPLS tunnels, either directly or via P routers. In MPLS terminology, the P routers are Label Switch Routers without awareness of VPNs.

Virtual router PPVPN

The virtual router architecture,[20][21] as opposed to BGP/MPLS techniques, requires no modification to existing routing protocols such as BGP. By the provisioning of logically independent routing domains, the customer operating a VPN is completely responsible for the address space. In the various MPLS tunnels, the different PPVPNs are disambiguated by their label, but do not need routing distinguishers.

33.4.3 Unencrypted tunnels

Main article: Tunneling protocol

Some virtual networks do not use encryption to protect the privacy of data. While VPNs often provide security, an unencrypted overlay network does not neatly fit within the secure or trusted categorization. For example, a tunnel set up between two hosts with Generic Routing Encapsulation (GRE) is a virtual private network, but neither secure nor trusted.[22][23]

33.5 Trusted delivery networks

Trusted VPNs do not use cryptographic tunneling, and instead rely on the security of a single provider’s network to protect the traffic.[25] Native plaintext tunneling protocols include Layer 2 Tunneling Protocol (L2TP) when it is set up without IPsec and Point-to-Point Tunneling Protocol (PPTP) or Microsoft Point-to-Point Encryption (MPPE).[24]

• Multi-Protocol Label Switching (MPLS) often overlays VPNs, often with quality-of-service control over a trusted delivery network.
• Layer 2 Tunneling Protocol (L2TP)[26] which is a standards-based replacement, and a compromise taking the good features from each, for two proprietary VPN protocols: Cisco’s Layer 2 Forwarding (L2F)[27] (obsolete as of 2009) and Microsoft’s Point-to-Point Tunneling Protocol (PPTP).[28]

From the security standpoint, VPNs either trust the underlying delivery network, or must enforce security with mechanisms in the VPN itself. Unless the trusted delivery network runs among physically secure sites only, both trusted and secure models need an authentication mechanism for users to gain access to the VPN.

33.6 VPNs in mobile environments

Mobile virtual private networks are used in settings where an endpoint of the VPN is not fixed to a single IP address, but instead roams across various networks such as data networks from cellular carriers or between multiple Wi-Fi access points.[29] Mobile VPNs have been widely used in public safety, where they give law enforcement officers access to mission-critical applications, such as computer-assisted dispatch and criminal databases, while they travel between different subnets of a mobile network.[30] They are also used in field service management and by healthcare organizations,[31] among other industries.

Increasingly, mobile VPNs are being adopted by mobile professionals who need reliable connections.[31] They are used for roaming seamlessly across networks and in and out of wireless coverage areas without losing application sessions or dropping the secure VPN session. A conventional VPN cannot withstand such events because the network tunnel is disrupted, causing applications to disconnect, time out,[29] or fail, or even cause the computing device itself to crash.[31]

Instead of logically tying the endpoint of the network tunnel to the physical IP address, each tunnel is bound to a permanently associated IP address at the device. The mobile VPN software handles the necessary network authentication and maintains the network sessions in a manner transparent to the application and the user.[29] The Host Identity Protocol (HIP), under study by the Internet Engineering Task Force, is designed to support mobility of hosts by separating the role of IP addresses for host identification from their locator functionality in an IP network. With HIP a mobile host maintains its logical connections established via the host identity identifier while associating with different IP addresses when roaming between access networks.

33.7 VPN on routers

With the increasing use of VPNs, many have started deploying VPN connectivity on routers for additional security and encryption of data transmission by using various cryptographic techniques.[32] Setting up VPN support on a router and establishing a VPN allows any networked device to have access to the entire network—all devices look like local devices with local addresses. Supported devices are not restricted to those capable of running a VPN client.[33]

Many router manufacturers, including Asus, Cisco, Draytek,[33] Linksys, Netgear, and Yamaha, supply routers with built-in VPN clients. Some use open-source firmware such as DD-WRT, OpenWRT and Tomato, in order to support additional protocols such as OpenVPN.

Setting up VPN services on a router requires a deep knowledge of network security and careful installation. Minor misconfiguration of VPN connections can leave the network vulnerable. Performance will vary depending on the ISP.

33.8 Networking limitations

One major limitation of traditional VPNs is that they are point-to-point, and do not tend to support or connect broadcast domains. Therefore, communication, software, and networking, which are based on layer 2 and broadcast packets, such as NetBIOS used in Windows networking, may not be fully supported or work exactly as they would on a real LAN. Variants on VPN, such as Virtual Private LAN Service (VPLS), and layer 2 tunneling protocols, are designed to overcome this limitation.

33.9 See also

• Anonymizer
• Dynamic Multipoint Virtual Private Network
• Geo-blocking
• Internet privacy
• Mediated VPN
• OpenVPN
• Opportunistic encryption
• Split tunneling
• Tinc (protocol)
• UT-VPN
• Virtual Private LAN Service
• Virtual private server
• VPNBook

33.10 Further reading

• Kelly, Sean (August 2001). “Necessity is the mother of VPN invention”. Communication News: 26–28. ISSN 0010-3632. Archived from the original on 2001-12-17.

33.11 References

[1] Mason, Andrew G. (2002). Cisco Secure Virtual Private Network. Cisco Press. p. 7.
[2] Microsoft Technet. “Virtual Private Networking: An Overview”.
[3] Cisco Systems, et al. Internetworking Technologies Handbook, Third Edition. Cisco Press, 2000, p. 232.
[4] Lewis, Mark. Comparing, Designing, and Deploying VPNs. Cisco Press, 2006, p. 5.
[5] International Engineering Consortium. Digital Subscriber Line 2001. Intl. Engineering Consortium, 2001, p. 40.
[6] Technet Lab. “IPv6 traffic over VPN connections”.
[7] RFC 6434, “IPv6 Node Requirements”, E. Jankiewicz, J. Loughney, T. Narten (December 2011).
[8] SoftEther VPN: Using HTTPS Protocol to Establish VPN Tunnels.
[9] “OpenConnect”. Retrieved 2013-04-08. OpenConnect is a client for Cisco’s AnyConnect SSL VPN [...] OpenConnect is not officially supported by, or associated in any way with, Cisco Systems. It just happens to interoperate with their equipment.
[10] Trademark Applications and Registrations Retrieval (TARR).
[11] OpenBSD ssh manual page, VPN section.
[12] Unix Toolbox section on SSH VPN.
[13] Ubuntu SSH VPN how-to.
[14] E. Rosen & Y. Rekhter (March 1999). “RFC 2547 BGP/MPLS VPNs”. Internet Engineering Task Force (IETF).
[15] Lewis, Mark (2006). Comparing, designing, and deploying VPNs (1st print. ed.). Indianapolis, Ind.: Cisco Press. pp. 5–6. ISBN 1587051796.
[16] Ethernet Bridging (OpenVPN).
[17] Glyn M Burton: RFC 3378 EtherIP with FreeBSD, 03 February 2011.
[18] net-security.org news: Multi-protocol SoftEther VPN becomes open source, January 2014.
[19] Address Allocation for Private Internets, RFC 1918, Y. Rekhter et al., February 1996.
[20] RFC 2917, A Core MPLS IP VPN Architecture.
[21] RFC 2918, E. Chen (September 2000).
[22] “Overview of Provider Provisioned Virtual Private Networks (PPVPN)”. Secure Thoughts. Retrieved 29 August 2016.
[23] RFC 1702: Generic Routing Encapsulation over IPv4 networks. October 1994.
[24] IETF (1999), RFC 2661, Layer Two Tunneling Protocol “L2TP”.
[25] Cisco Systems, Inc. (2004). Internetworking Technologies Handbook. Networking Technology Series (4 ed.). Cisco Press. p. 233. ISBN 9781587051197. Retrieved 2013-02-15. [...] VPNs using dedicated circuits, such as Frame Relay [...] are sometimes called trusted VPNs, because customers trust that the network facilities operated by the service providers will not be compromised.
[26] Layer Two Tunneling Protocol “L2TP”, RFC 2661, W. Townsley et al., August 1999.
[27] IP Based Virtual Private Networks, RFC 2341, A. Valencia et al., May 1998.
[28] Point-to-Point Tunneling Protocol (PPTP), RFC 2637, K. Hamzeh et al., July 1999.
[29] Phifer, Lisa. “Mobile VPN: Closing the Gap”, SearchMobileComputing.com, July 16, 2006.
[30] Willett, Andy. “Solving the Computing Challenges of Mobile Officers”, www.officer.com, May 2006.
[31] Cheng, Roger. “Lost Connections”, The Wall Street Journal, December 11, 2007.
[32] “Encryption and Security Protocols in a VPN”. Retrieved 2015-09-23.
[33] “VPN”. Draytek. Retrieved 19 October 2016.
Chapter 34
Quality of service

Quality of service (QoS) is the overall performance of a telephony or computer network, particularly the performance seen by the users of the network. To quantitatively measure quality of service, several related aspects of the network service are often considered, such as error rates, bit rate, throughput, transmission delay, availability, jitter, etc.

In the field of computer networking and other packet-switched telecommunication networks, quality of service refers to traffic prioritization and resource reservation control mechanisms rather than the achieved service quality. Quality of service is the ability to provide different priority to different applications, users, or data flows, or to guarantee a certain level of performance to a data flow.

Quality of service is particularly important for the transport of traffic with special requirements. In particular, developers have introduced technology to allow computer networks to become as useful as telephone networks for audio conversations, as well as supporting new applications with even stricter service demands.

34.1 Definitions

In the field of telephony, quality of service was defined by the ITU in 1994.[1] Quality of service comprises requirements on all the aspects of a connection, such as service response time, loss, signal-to-noise ratio, crosstalk, echo, interrupts, frequency response, loudness levels, and so on. A subset of telephony QoS is grade of service (GoS) requirements, which comprises aspects of a connection relating to capacity and coverage of a network, for example guaranteed maximum blocking probability and outage probability.[2]

In the field of computer networking and other packet-switched telecommunication networks, teletraffic engineering refers to traffic prioritization and resource reservation control mechanisms rather than the achieved service quality. Quality of service is the ability to provide different priority to different applications, users, or data flows, or to guarantee a certain level of performance to a data flow. For example, a required bit rate, delay, jitter, packet loss or bit error rates may be guaranteed. Quality of service guarantees are important if the network capacity is insufficient, especially for real-time streaming multimedia applications such as voice over IP, multiplayer online games and IPTV, since these often require fixed bit rate and are delay sensitive, and in networks where the capacity is a limited resource, for example in cellular data communication.

A network or protocol that supports QoS may agree on a traffic contract with the application software and reserve capacity in the network nodes, for example during a session establishment phase. During the session it may monitor the achieved level of performance, for example the data rate and delay, and dynamically control scheduling priorities in the network nodes. It may release the reserved capacity during a tear down phase.

A best-effort network or service does not support quality of service. An alternative to complex QoS control mechanisms is to provide high quality communication over a best-effort network by over-provisioning the capacity so that it is sufficient for the expected peak traffic load. The resulting absence of network congestion reduces or eliminates the need for QoS mechanisms.

QoS is sometimes used as a quality measure, with many alternative definitions, rather than referring to the ability to reserve resources. Quality of service sometimes refers to the level of quality of service, i.e. the guaranteed service quality.[3] High QoS is often confused with a high level of performance or achieved service quality, for example high bit rate, low latency and low bit error probability.

An alternative and disputable definition of QoS, used especially in application layer services such as telephony and streaming video, is requirements on a metric that reflects or predicts the subjectively experienced quality. In this context, QoS is the acceptable cumulative effect on subscriber satisfaction of all imperfections affecting the service. Other terms with similar meaning are the quality of experience (QoE) subjective business concept, the required “user perceived performance”,[4] the required “degree of satisfaction of the user” or the targeted “number of happy customers”. Examples of measures and measurement methods are mean opinion score (MOS), perceptual speech quality measure (PSQM) and perceptual evaluation of video quality (PEVQ). See also Subjective video quality.

34.2 History

Conventional Internet routers and LAN switches operate on a best effort basis. This equipment is less expensive, less complex and faster and thus more popular than competing more complex technologies that provided QoS mechanisms. There were four “Type of service” bits and three “Precedence” bits provided in each IP packet header, but they were not generally respected. These bits were later re-defined as Differentiated services code points (DSCP).

With the advent of IPTV and IP telephony, QoS mechanisms are increasingly available to the end user.

A number of attempts for layer 2 technologies that add QoS tags to the data have gained popularity in the past. Examples are frame relay, asynchronous transfer mode (ATM) and multiprotocol label switching (MPLS) (a technique between layer 2 and 3). Despite these network technologies remaining in use today, this kind of network lost attention after the advent of Ethernet networks. Today Ethernet is, by far, the most popular layer 2 technology. Ethernet uses 802.1p to signal the priority of a frame.

34.3 Qualities of traffic

In packet-switched networks, quality of service is affected by various factors, which can be divided into “human” and “technical” factors. Human factors include: stability of service, availability of service, delays, user information. Technical factors include: reliability, scalability, effectiveness, maintainability, grade of service, etc.[5]

Many things can happen to packets as they travel from origin to destination, resulting in the following problems as seen from the point of view of the sender and receiver:

Low throughput: Due to varying load from disparate users sharing the same network resources, the bit rate (the maximum throughput) that can be provided to a certain data stream may be too low for real-time multimedia services if all data streams get the same scheduling priority.

Dropped packets: The routers might fail to deliver (drop) some packets if their data loads are corrupted, or the packets arrive when the router buffers are already full. The receiving application may ask for this information to be retransmitted, possibly causing severe delays in the overall transmission.

Errors: Sometimes packets are corrupted due to bit errors caused by noise and interference, especially in wireless communications and long copper wires. The receiver has to detect this and, just as if the packet was dropped, may ask for this information to be retransmitted.

Latency: It might take a long time for each packet to reach its destination, because it gets held up in long queues, or it takes a less direct route to avoid congestion. This is different from throughput, as the delay can build up over time, even if the throughput is almost normal. In some cases, excessive latency can render an application such as VoIP or online gaming unusable.

Jitter: Packets from the source will reach the destination with different delays. A packet’s delay varies with its position in the queues of the routers along the path between source and destination and this position can vary unpredictably. This variation in delay is known as jitter and can seriously affect the quality of streaming audio and/or video.

Out-of-order delivery: When a collection of related packets is routed through a network, different packets may take different routes, each resulting in a different delay. The result is that the packets arrive in a different order than they were sent. This problem requires special additional protocols responsible for rearranging out-of-order packets to an isochronous state once they reach their destination. This is especially important for video and VoIP streams where quality is dramatically affected by both latency and lack of sequence.

34.4 Applications

A defined quality of service may be desired or required for certain types of network traffic, for example:

• Streaming media specifically
• Internet protocol television (IPTV)
• Audio over Ethernet
• Audio over IP
• IP telephony also known as Voice over IP (VoIP)
• Videoconferencing
• Telepresence
• Storage applications such as iSCSI and FCoE
• Circuit Emulation Service
• Safety-critical applications such as remote surgery where availability issues can be hazardous
• Network operations support systems either for the network itself, or for customers’ business critical needs
• Online games where real-time lag can be a factor
• Industrial control systems protocols such as Ethernet/IP which are used for real-time control of machinery

These types of service are called inelastic, meaning that they require a certain minimum bit rate and a certain maximum latency to function. By contrast, elastic applications can take advantage of however much or little bandwidth is available. Bulk file transfer applications that rely on TCP are generally elastic.

34.5 Mechanisms

Circuit switched networks, especially those intended for voice transmission, such as Asynchronous Transfer Mode (ATM) or GSM, have QoS in the core protocol and do not need additional procedures to achieve it. Shorter data units and built-in QoS were some of the unique selling points of ATM for applications such as video on demand.

When the expense of mechanisms to provide QoS is justified, network customers and providers can enter into a contractual agreement termed a service level agreement (SLA) which specifies guarantees for the ability of a network/protocol to give guaranteed performance/throughput/latency bounds based on mutually agreed measures, usually by prioritizing traffic. In other approaches, resources are reserved at each step on the network for the call as it is set up.

34.5.1 Over-provisioning

An alternative to complex QoS control mechanisms is to provide high quality communication by generously over-provisioning a network so that capacity is based on peak traffic load estimates. This approach is simple for networks with predictable peak loads. The performance is reasonable for many applications. This might include demanding applications that can compensate for variations in bandwidth and delay with large receive buffers, which is often possible for example in video streaming.

Over-provisioning can be of limited use, however, in the face of transport protocols (such as TCP) that over time exponentially increase the amount of data placed on the network until all available bandwidth is consumed and packets are dropped. Such greedy protocols tend to increase latency and packet loss for all users.

Commercial VoIP services are often competitive with traditional telephone service in terms of call quality even though QoS mechanisms are usually not in use on the user’s connection to their ISP and the VoIP provider’s connection to a different ISP. Under high load conditions, however, VoIP may degrade to cell-phone quality or worse. The mathematics of packet traffic indicate that a network requires just 60% more raw capacity under conservative assumptions.[6]

The amount of over-provisioning in interior links required to replace QoS depends on the number of users and their traffic demands. This limits the usability of over-provisioning. Newer, more bandwidth-intensive applications and the addition of more users result in the loss of over-provisioned networks. This then requires a physical update of the relevant network links, which is an expensive process. Thus over-provisioning cannot be blindly assumed on the Internet.

34.5.2 IP and Ethernet efforts

Unlike single-owner networks, the Internet is a series of exchange points interconnecting private networks.[7] Hence the Internet’s core is owned and managed by a number of different network service providers, not a single entity. Its behavior is much more stochastic or unpredictable. Therefore, research continues on QoS procedures that are deployable in large, diverse networks.

There are two principal approaches to QoS in modern packet-switched IP networks, a parameterized system based on an exchange of application requirements with the network, and a prioritized system where each packet identifies a desired service level to the network.

• Integrated services (“IntServ”) implements the parameterized approach. In this model, applications use the Resource Reservation Protocol (RSVP) to request and reserve resources through a network.
• Differentiated services (“DiffServ”) implements the prioritized model.
DiffServ marks packets according to the type of service they desire. In response to these markings, routers and switches use various queueing strategies to tailor performance to expectations. Differentiated services code point (DSCP) markings use the first 6 bits of the ToS field (now renamed the DS byte) of the IPv4 packet header.

Early work used the integrated services (IntServ) philosophy of reserving network resources. In this model, applications used the Resource Reservation Protocol (RSVP) to request and reserve resources through a network. While IntServ mechanisms do work, it was realized that in a broadband network typical of a larger service provider, core routers would be required to accept, maintain, and tear down thousands or possibly tens of thousands of reservations. It was believed that this approach would not scale with the growth of the Internet, and in any event was antithetical to the notion of designing networks so that core routers do little more than simply switch packets at the highest possible rates.

In response to DiffServ markings, routers and switches use various queuing strategies to tailor performance to requirements. At the IP layer, DSCP markings use the 6 bits in the IP packet header. At the MAC layer, VLAN IEEE 802.1Q and IEEE 802.1p can be used to carry essentially the same information.

Routers supporting DiffServ configure their network scheduler to use multiple queues for packets awaiting transmission from bandwidth-constrained (e.g., wide area) interfaces. Router vendors provide different capabilities for configuring this behavior, including the number of queues supported, the relative priorities of queues, and the bandwidth reserved for each queue.

In practice, when a packet must be forwarded from an interface with queuing, packets requiring low jitter (e.g., VoIP or videoconferencing) are given priority over packets in other queues. Typically, some bandwidth is allocated by default to network control packets (such as Internet Control Message Protocol and routing protocols), while best-effort traffic might simply be given whatever bandwidth is left over.

At the Media Access Control (MAC) layer, VLAN IEEE 802.1Q and IEEE 802.1p can be used to distinguish between Ethernet frames and classify them. Queueing theory models have been developed for performance analysis and QoS of MAC layer protocols.[8][9]

Cisco IOS NetFlow and the Cisco Class Based QoS (CBQoS) Management Information Base (MIB) are marketed by Cisco Systems.[10]

One compelling example of the need for QoS on the Internet relates to congestion collapse. The Internet relies on congestion avoidance protocols, as built into the Transmission Control Protocol (TCP), to reduce traffic under conditions that would otherwise lead to "meltdown". QoS applications such as VoIP and IPTV require largely constant bitrates and low latency, so they cannot use TCP and cannot otherwise reduce their traffic rate to help prevent congestion. QoS contracts limit the traffic that can be offered to the Internet and thereby enforce traffic shaping that can prevent it from becoming overloaded; they are hence an indispensable part of the Internet's ability to handle a mix of real-time and non-real-time traffic without meltdown.

34.5.3 Protocols

• The type of service (ToS) field in the IPv4 header (now superseded by DiffServ)
• Differentiated services (DiffServ)
• Integrated services (IntServ)
• Resource Reservation Protocol (RSVP)
• Multiprotocol Label Switching (MPLS) provides eight QoS classes[11]
• RSVP-TE
• Asynchronous Transfer Mode (ATM)
• HomePNA home networking over coax and phone wires
• Frame relay
• X.25
• Some ADSL modems
• IEEE 802.1p
• IEEE 802.1Q
• IEEE 802.11e
• The ITU-T G.hn standard provides QoS by means of "Contention-Free Transmission Opportunities" (CFTXOPs) which are allocated to flows which require QoS and which have negotiated a "contract" with the network controller. G.hn also supports non-QoS operation by means of "Contention-based Time Slots".
• Audio Video Bridging

34.6 End-to-end quality of service

End-to-end quality of service can require a method of coordinating resource allocation between one autonomous system and another. The Internet Engineering Task Force (IETF) defined the Resource Reservation Protocol (RSVP) for bandwidth reservation as a proposed standard in 1997.[12] RSVP is an end-to-end bandwidth reservation protocol. The traffic engineering version, RSVP-TE, is used in many networks to establish traffic-engineered Multiprotocol Label Switching (MPLS) label-switched paths. The IETF also defined Next Steps in Signaling (NSIS)[13] with QoS signalling as a target. NSIS is a development and simplification of RSVP.

Research consortia such as "end-to-end quality of service support over heterogeneous networks" (EuQoS, from 2004 through 2007)[14] and fora such as the IPsphere Forum[15] developed more mechanisms for handshaking QoS invocation from one domain to the next. IPsphere defined the Service Structuring Stratum (SSS) signaling bus in order to establish, invoke and (attempt to) assure network services. EuQoS conducted experiments to integrate Session Initiation Protocol, Next Steps in Signaling and IPsphere's SSS with an estimated cost of about 15.6 million Euro and published a book.[16][17]

A research project, Multi Service Access Everywhere (MUSE), defined another QoS concept in a first phase from January 2004 through February 2006, and a second phase from January 2006 through 2007.[18][19][20] Another research project named PlaNetS was proposed for European funding circa 2005.[21] A broader European project called "Architecture and design for the future Internet", known as 4WARD, had a budget estimated at 23.4 million Euro and was funded from January 2008 through June 2010.[22] It included a "Quality of Service Theme" and published a book.[23][24] Another European project, called WIDENS (Wireless Deployable Network System),[25] proposed a bandwidth reservation approach for mobile wireless multirate ad hoc networks.[26]

In the services domain, end-to-end quality of service has also been discussed in the case of composite services (consisting of atomic services) or applications (consisting of application components).[27][28] Moreover, in cloud computing end-to-end QoS has been the focus of various research efforts aiming at the provision of QoS guarantees across the cloud service models.[29]

34.7 Circumvention

Strong cryptography network protocols such as Secure Sockets Layer, I2P, and virtual private networks obscure the data transferred using them. As all electronic commerce on the Internet requires the use of such strong cryptography protocols, unilaterally downgrading the performance of encrypted traffic creates an unacceptable hazard for customers. Yet encrypted traffic is otherwise unable to undergo deep packet inspection for QoS.

Protocols like ICA and RDP may encapsulate other traffic (e.g. printing, video streaming) with varying requirements that can make optimization difficult.

34.8 Doubts about quality of service over IP

The Internet2 project found, in 2001, that the QoS protocols were probably not deployable inside its Abilene Network with equipment available at that time.[30] Equipment available at the time relied on software to implement QoS. The group also predicted that "logistical, financial, and organizational barriers will block the way toward any bandwidth guarantees" by protocol modifications aimed at QoS.[31] They believed that the economics would encourage network providers to deliberately erode the quality of best-effort traffic as a way to push customers to higher-priced QoS services. Instead they proposed over-provisioning of capacity as more cost-effective at the time.[30][31]

The Abilene network study was the basis for the testimony of Gary Bachula to the US Senate Commerce Committee's hearing on Network Neutrality in early 2006. He expressed the opinion that adding more bandwidth was more effective than any of the various schemes for accomplishing QoS they examined.[32]

Bachula's testimony has been cited by proponents of a law banning quality of service as proof that no legitimate purpose is served by such an offering. This argument is dependent on the assumption that over-provisioning isn't a form of QoS and that it is always possible. Cost and other factors affect the ability of carriers to build and maintain permanently over-provisioned networks.

34.9 Mobile (cellular) QoS

Main article: Mobile QoS

Mobile cellular service providers may offer mobile QoS to customers just as fixed-line PSTN service providers and Internet service providers (ISPs) may offer QoS. QoS mechanisms are always provided for circuit-switched services, and are essential for non-elastic services, for example streaming multimedia.

Mobility adds complication to the QoS mechanisms, for several reasons:

• A phone call or other session may be interrupted after a handover, if the new base station is overloaded. Unpredictable handovers make it impossible to give an absolute QoS guarantee during a session initiation phase.
• The pricing structure is often based on a per-minute or per-megabyte fee rather than a flat rate, and may be different for different content services.
• A crucial part of QoS in mobile communications is grade of service, involving outage probability (the probability that the mobile station is outside the service coverage area, or affected by co-channel interference, i.e. crosstalk), blocking probability (the probability that the required level of QoS cannot be offered) and scheduling starvation. These performance measures are affected by mechanisms such as mobility management, radio resource management, admission control, fair scheduling, channel-dependent scheduling etc.

34.10 Standards

Quality of service in the field of telephony was first defined in 1994 in the ITU-T Recommendation E.800. This definition is very broad, listing 6 primary components: Support, Operability, Accessibility, Retainability, Integrity and Security.[1] A 1995 recommendation, X.902, included a definition in the context of the OSI reference model.[33] In 1998 the ITU published a document discussing QoS in the field of data networking. X.641 offers a means of developing or enhancing standards related to QoS and provides concepts and terminology that will assist in maintaining the consistency of related standards.[34]
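The DS-byte and 802.1p markings described in 34.5.2 above, and the trust question they raise at the network edge, as an added example (this is not code from the article, from any vendor, or from the RFCs): end hosts set their own DSCP and PCP values, so an access switch has to decide whether to honour them. The code decodes the DSCP/ECN bits of an IPv4 header and the PCP/VID of an 802.1Q tag, remarks traffic arriving on untrusted ports to best effort (recomputing the IPv4 header checksum, which a DSCP rewrite invalidates), and on trusted ports polices Expedited Forwarding (DSCP 46) with a token bucket so that a burst of EF-marked traffic cannot monopolise the priority queue. The frames, port numbers, trust list and policer rate are constructed assumptions for the demonstration; EdgeConditioner is a hypothetical policy, not a feature of any product, and it rewrites only the DSCP (the PCP is decoded and reported, not rewritten).

```python
"""DiffServ/802.1p marking at the network edge: decode, trust boundary, EF policing.

Added example, not code from the article or any vendor. All frames are built by
build_frame() as constructed test data; the policy numbers are illustrative."""
import struct

ETHERTYPE_VLAN, ETHERTYPE_IPV4 = 0x8100, 0x0800
DSCP_BE, DSCP_EF = 0, 46            # best effort; expedited forwarding (low-latency queue)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum of an IPv4 header; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(dscp: int, payload: bytes, pcp=None, vid: int = 10) -> bytes:
    """Ethernet II frame, optional 802.1Q tag, minimal 20-byte IPv4 header (constructed data)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if pcp is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, (pcp << 13) | (vid & 0x0FFF))
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(payload), 0, 0,
                               64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    struct.pack_into("!H", ip, 10, ipv4_checksum(bytes(ip)))
    return eth + bytes(ip) + payload


def parse_marking(frame: bytes):
    """Return (pcp, vid, dscp, ecn, ip_offset). pcp/vid are None if untagged, dscp/ecn None if not IPv4."""
    ethertype, off, pcp, vid = struct.unpack("!H", frame[12:14])[0], 14, None, None
    if ethertype == ETHERTYPE_VLAN:
        tci = struct.unpack("!H", frame[14:16])[0]
        pcp, vid = tci >> 13, tci & 0x0FFF              # 3-bit priority code point, 12-bit VLAN ID
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != ETHERTYPE_IPV4:
        return pcp, vid, None, None, off
    ds = frame[off + 1]                                 # DS byte: DSCP in the high 6 bits, ECN in the low 2
    return pcp, vid, ds >> 2, ds & 0x03, off


def remark(frame: bytes, off: int, dscp: int) -> bytes:
    """Rewrite the DSCP (keeping the ECN bits) and recompute the IPv4 header checksum."""
    ihl = (frame[off] & 0x0F) * 4
    hdr = bytearray(frame[off:off + ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return frame[:off] + bytes(hdr) + frame[off + ihl:]


class TokenBucket:
    def __init__(self, rate_bps: float, burst_bytes: int):
        self.rate, self.burst = rate_bps / 8.0, burst_bytes   # tokens are bytes
        self.tokens, self.last = float(burst_bytes), 0.0

    def take(self, nbytes: int, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False


class EdgeConditioner:
    """Hypothetical access-port policy: untrusted ports are remarked to best effort,
    trusted ports keep their marking but EF is rate-limited."""
    def __init__(self, trusted_ports, ef_rate_bps=64_000, ef_burst_bytes=400):
        self.trusted = set(trusted_ports)
        self.ef_bucket = TokenBucket(ef_rate_bps, ef_burst_bytes)

    def admit(self, port: int, frame: bytes, now: float):
        """Return (frame_or_None, verdict)."""
        pcp, vid, dscp, ecn, off = parse_marking(frame)
        if dscp is None:
            return frame, "non-ipv4"
        if port not in self.trusted:                    # a host can claim any DSCP; do not believe it
            return (remark(frame, off, DSCP_BE), "remarked-to-be") if dscp != DSCP_BE else (frame, "best-effort")
        if dscp == DSCP_EF and not self.ef_bucket.take(len(frame), now):
            return None, "ef-policed"                   # out-of-profile EF is dropped, not queued
        return frame, "trusted"


def demo() -> dict:
    edge = EdgeConditioner(trusted_ports={2})
    pc = build_frame(DSCP_EF, b"x" * 100, pcp=7)        # PC on untrusted port 1 claims EF / PCP 7
    out, verdict = edge.admit(1, pc, now=0.0)
    phone = build_frame(DSCP_EF, b"x" * 100, pcp=5)     # IP phone on trusted port 2, 138-byte frames
    burst = [edge.admit(2, phone, now=0.0)[1] for _ in range(5)]
    return {"untrusted": (verdict, parse_marking(out)[2]), "trusted_burst": burst}


if __name__ == "__main__":
    print(demo())
```

With a 400-byte EF burst allowance and no time passing between frames, only the first two 138-byte phone frames are admitted; the rest are policed. Rewriting the DS byte without fixing the header checksum would make the next router discard the packet, which is why remark() recomputes it.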
Some QoS-related IETF Requests for Comments (RFCs) are Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers, RFC 2474, and Resource ReSerVation Protocol (RSVP), RFC 2205; both of these are discussed above. The IETF has also published two RFCs giving background on QoS: Next Steps for the IP QoS Architecture, RFC 2990, and IAB Concerns Regarding Congestion Control for Voice Traffic in the Internet, RFC 3714.

The IETF has also published Configuration Guidelines for DiffServ Service Classes, RFC 4594, as an informative or "best practices" document about the practical aspects of designing a QoS solution for a DiffServ network. It tries to identify which types of applications are commonly run over an IP network, groups them into traffic classes, studies what treatment each of these classes needs from the network, and suggests which of the QoS mechanisms commonly available in routers can be used to implement those treatments.

34.11 Open source software

• Linux Advanced Routing & Traffic Control (from 2000 to 2005)[35]
• Linux Bandwidth Arbitrator (2003 through 2005)[36]
• Zero Shell[37]
• mod_qos, adding QoS to the Apache HTTP Server

34.12 See also

• Application service architecture
• Best-effort
• BSSGP
• Bufferbloat
• Class of service
• Deep packet inspection (DPI)
• Grade of service (GoS)
• LEDBAT
• Low Latency Queuing (LLQ)
• Mean opinion score (MOS)
• Micro Transport Protocol
• Network neutrality
• QPPB
• Quality of experience (QoE)
• Series of tubes
• Streaming media
• Subjective video quality
• Tiered Internet
• Traffic classification
• Traffic shaping

34.13 References

[1] "E.800: Terms and definitions related to quality of service and network performance including dependability". ITU-T Recommendation. August 1994. Retrieved October 14, 2011. Updated September 2008 as Definitions of terms related to quality of service.
[2] Teletraffic Engineering Handbook. ITU-T Study Group 2 (350 pages, 4.48 MiB). Archived January 11, 2007, at the Wayback Machine. (It uses the abbreviation GoS instead of QoS.)
[3] "Real-time reconfiguration for guaranteeing QoS provisioning levels in Grid environments". Future Generation Computer Systems, Volume 25, Issue 7, July 2009, pages 779–784, Elsevier.
[4] Leonard Franken. Quality of Service Management: A Model-Based Approach. PhD thesis, Centre for Telematics and Information Technology, 1996.
[5] Peuhkuri M., IP Quality of Service, Helsinki University of Technology, Laboratory of Telecommunications Technology, 1999.
[6] Yuksel, M.; Ramakrishnan, K. K.; Kalyanaraman, S.; Houle, J. D.; Sadhvani, R. (2007). IEEE International Workshop on Quality of Service (IWQoS'07) (PDF). Evanston, IL, USA: 109–112. doi:10.1109/IWQOS.2007.376555. ISBN 1-4244-1185-8.
[7] An Evening With Robert Kahn, from Computer History Museum, 9 Jan 2007. Archived December 19, 2008, at the Wayback Machine.
[8] Bianchi, Giuseppe (2000). "Performance analysis of the IEEE 802.11 distributed coordination function". IEEE Journal on Selected Areas in Communications. 18 (3): 535. doi:10.1109/49.840210.
[9] Shi, Zhefu; Beard, Cory; Mitchell, Ken (2009). "Analytical Models for Understanding Misbehavior and MAC Friendliness in CSMA Networks". Performance Evaluation. 66 (9–10): 469. doi:10.1016/j.peva.2009.02.002.
[10] Ben Erwin (December 16, 2008). "How To Manage QoS In Your Environment, Part 1 of 3". Network Performance Daily video. NetQoS. Retrieved October 15, 2011.
[11] "VoIP on MPLS". Search Unified Communications. Retrieved 12 March 2012.
[12] Bob Braden, ed.; L. Zhang, S. Berson, S. Herzog, S. Jamin (September 1997). Resource ReSerVation Protocol (RSVP). IETF. RFC 2205.
[13] "Next Steps in Signaling" Charter.
[14] "EuQoS - End-to-end Quality of Service support over heterogeneous networks". Project website. 2004–2006. Archived from the original on April 30, 2007. Retrieved October 12, 2011.
[15] IPSphere: Enabling Advanced Service Delivery. Archived January 13, 2011, at the Wayback Machine.
[16] "End-to-end quality of service support over heterogeneous networks". Project description. European Community Research and Development Information Service. Retrieved October 12, 2011.
[17] Torsten Braun; Thomas Staub (2008). End-to-end quality of service over heterogeneous networks. Springer. ISBN 978-3-540-79119-5.
[18] "Multi Service Access Everywhere (MUSE)". Project website. Retrieved October 12, 2011.
[19] "Multi Service Access Everywhere". Project description. European Community Research and Development Information Service. Retrieved October 12, 2011.
[20] "Multi Service Access Everywhere". Project description. European Community Research and Development Information Service. Retrieved October 12, 2011.
[21] "PlaNetS QoS Solution". Project website. Archived from the original on November 12, 2009. Retrieved October 12, 2011.
[22] "4WARD: Architecture and design for the future Internet". Project description. European Community Research and Development Information Service. Retrieved October 15, 2011.
[23] "Going 4WARD" (PDF). Project newsletter. June 2010. Retrieved October 15, 2011.
[24] Luís M. Correia; Joao Schwarz (FRW) da Silva (January 30, 2011). Architecture and Design for the Future Internet: 4WARD EU Project. Springer. ISBN 978-90-481-9345-5.
[25] "Wireless Deployable Network System". Project description. European Union. Retrieved May 23, 2012.
[26] R. Guimaraes; L. Cerdà; J. M. Barcelo-Ordinas; J. Garcia-Vidal; M. Voorhaen; C. Blondia (March 2009). "Quality of Service through Bandwidth Reservation on Multirate Ad-hoc Wireless Networks". Ad Hoc Networks. 7 (2): 388–400. doi:10.1016/j.adhoc.2008.04.002.
[27] D. Kyriazis, K. Tserpes, A. Menychtas, A. Litke, T. Varvarigou. "An innovative Workflow Mapping Mechanism for Grids in the frame of Quality of Service". Elsevier Future Generation Computer Systems, Vol. 24, Iss. 6, pp. 498–511, 2008.
[28] Q. Sun, S. Wang, H. Zou, F. Yang. "QSSA: A QoS-aware Service Selection Approach". International Journal of Web and Grid Services, pp. 147–169, 2011.
[29] D. Kyriazis, A. Menychtas, G. Kousiouris, K. Oberle, T. Voith, M. Boniface, E. Oliveros, T. Cucinotta, S. Berger. "A Real-time Service Oriented Infrastructure". International Conference on Real-Time and Embedded Systems (RTES 2010), Singapore, November 2010.
[30] Benjamin Teitelbaum, Stanislav Shalunov (May 3, 2002). "Why Premium IP Service Has Not Deployed (and Probably Never Will)". Draft Informational Document. Internet2 QoS Working Group. Archived from the original on September 12, 2010. Retrieved October 15, 2011.
[31] Andy Oram (June 11, 2002). "A Nice Way to Get Network Quality of Service?". Platform Independent column. O'Reilly. Archived from the original on September 12, 2010. Retrieved October 15, 2011.
[32] Gary Bachula (February 7, 2006). "Testimony of Gary R. Bachula, Vice President, Internet2" (PDF). pp. 2–3. Retrieved October 15, 2011.
[33] "X.902: Information technology – Open Distributed Processing – Reference model: Foundations". ITU-T Recommendation. November 1995. Retrieved October 14, 2011. Updated October 2009.
[34] "X.641: Information technology – Quality of service: framework". ITU-T Recommendation. December 1997.
[35] "Advanced Routing & Traffic Control HOWTO". August 21, 2005. Retrieved October 14, 2011.
[36] "Linux Bandwidth Arbitrator". APConnections. Retrieved October 14, 2011.
[37] Fulvio Ricciardi. "QoS and Traffic Shaping in Transparent Bridge mode". Router/Bridge Linux Firewall website. ZeroShell Net Services. Retrieved October 15, 2011.

34.14 Further reading

• Deploying IP and MPLS QoS for Multiservice Networks: Theory and Practice by John Evans, Clarence Filsfils (Morgan Kaufmann, 2007, ISBN 0-12-370549-5)
• Lelli, F.; Maron, G.; Orlando, S. Client Side Estimation of a Remote Service Execution. 15th International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems, 2007. MASCOTS '07.
• QoS Over Heterogeneous Networks by Mario Marchese (Wiley, 2007, ISBN 978-0-470-01752-4)
• XiPeng Xiao (September 8, 2008). Technical, Commercial and Regulatory Challenges of QoS: An Internet Service Model Perspective. Morgan Kaufmann. ISBN 978-0-12-373693-2.
• Integrated Services in the Internet Architecture: an Overview, RFC 1633
• An Architecture for Differentiated Services, RFC 2475
• RSVP-TE: Extensions to RSVP for LSP Tunnels, RFC 3209

34.15 External links

• Nate Hoy. "Implementing QoS". Vonage Forum. Retrieved October 14, 2011.
• Cisco's Internetworking Technology Handbook
• Henning Schulzrinne (January 9, 2008). "Network Quality of Service". Columbia University faculty website. Retrieved October 14, 2011.
• "Quality of Service". Microsoft TechNet. March 31, 2011. Retrieved October 14, 2011.
• "Web Camera QoS Analysis Tool". FishyCam. October 31, 2012. Retrieved November 16, 2012.

Chapter 35

Network switch

[Image caption: Avaya ERS 2550T-PWR, a 50-port Ethernet switch]

A network switch (also called switching hub, bridging hub, officially MAC bridge[1]) is a computer networking device that connects devices together on a computer network, by using packet switching to receive, process and forward data to the destination device. Unlike less advanced network hubs, a network switch forwards data only to the one or multiple devices that need to receive it, rather than broadcasting the same data out of each of its ports.[2]

A switch is a device in a computer network that electrically and logically connects together other devices. Multiple data cables are plugged into a switch to enable communication between different networked devices. Switches manage the flow of data across a network by transmitting a received network packet only to the one or more devices for which the packet is intended.
Each networked device connected to a switch can be identified by its network address, allowing the switch to regulate the flow of traffic. This maximizes the security and efficiency of the network.

When a repeater hub is replaced with an Ethernet switch, the single large collision domain used by the hub is split up into smaller ones, reducing or eliminating the possibility and scope of collisions and, as a result, increasing the potential throughput. Because broadcasts are still being forwarded to all connected devices, the newly formed network segment continues to be a broadcast domain.

A switch is more intelligent than a repeater hub, which simply retransmits packets out of every port of the hub except the port on which the packet was received, unable to distinguish different recipients, and achieving an overall lower network efficiency.

A network switch is a multiport network bridge that uses hardware addresses to process and forward data at the data link layer (layer 2) of the OSI model. Some switches can also process data at the network layer (layer 3) by additionally incorporating routing functionality that most commonly uses IP addresses to perform packet forwarding; such switches are commonly known as layer-3 switches or multilayer switches.[3]

Switches for Ethernet are the most common form and the first Ethernet switch was introduced by Kalpana in 1990.[4] Switches also exist for other types of networks including Fibre Channel, Asynchronous Transfer Mode, and InfiniBand.

35.1 Overview

[Image caption: Cisco small business SG300-28 28-port Gigabit Ethernet rack-mount switch and its internals]

35.1.1 Network design

An Ethernet switch operates at the data link layer (layer 2) of the OSI model to create a separate collision domain for each switch port. Each device connected to a switch port can transfer data to any of the other ones at a time, and the transmissions will not interfere – with the limitation that, in half-duplex mode, each switch port can only either receive from or transmit to its connected device at a certain time. In full-duplex mode, each switch port can simultaneously transmit and receive, assuming the connected device also supports full-duplex mode.[5]

In the case of using a repeater hub, only a single transmission could take place at a time for all ports combined, so they would all share the bandwidth and run in half duplex. Necessary arbitration would also result in collisions, requiring retransmissions.

35.1.2 Applications

The network switch plays an integral role in most modern Ethernet local area networks (LANs). Mid-to-large sized LANs contain a number of linked managed switches. Small office/home office (SOHO) applications typically use a single switch, or an all-purpose converged device such as a residential gateway to access small office/home broadband services such as DSL or cable Internet. In most of these cases, the end-user device contains a router and components that interface to the particular physical broadband technology. User devices may also include a telephone interface for Voice over IP (VoIP).

35.1.3 Microsegmentation

Segmentation involves the use of a bridge or a switch (or a router) to split a larger collision domain into smaller ones in order to reduce collision probability and to improve overall network throughput. In the extreme case (i.e. microsegmentation), each device is located on a dedicated switch port. In contrast to an Ethernet hub, there is a separate collision domain on each of the switch ports. This allows computers to have dedicated bandwidth on point-to-point connections to the network and also to run in full duplex without collisions. Full-duplex mode has only one transmitter and one receiver per "collision domain", making collisions impossible.

35.2 Role of switches in a network

[Image caption: A modular network switch with three network modules (a total of 24 Ethernet and 14 Fast Ethernet ports) and one power supply.]

Switches may operate at one or more layers of the OSI model, including the data link and network layers. A device that operates simultaneously at more than one of these layers is known as a multilayer switch.

In switches intended for commercial use, built-in or modular interfaces make it possible to connect different types of networks, including Ethernet, Fibre Channel, RapidIO, ATM, ITU-T G.hn and 802.11. This connectivity can be at any of the layers mentioned. While the layer-2 functionality is adequate for bandwidth-shifting within one technology, interconnecting technologies such as Ethernet and token ring is performed more easily at layer 3 or via routing.[6] Devices that interconnect at layer 3 are traditionally called routers, so layer-3 switches can also be regarded as relatively primitive and specialized routers.[7]

Where there is a need for a great deal of analysis of network performance and security, switches may be connected between WAN routers as places for analytic modules. Some vendors provide firewall,[8][9] network intrusion detection,[10] and performance analysis modules that can plug into switch ports. Some of these functions may be on combined modules.[11]

In other cases, the switch is used to create a mirror image of data that can go to an external device. Since most switch port mirroring provides only one mirrored stream, network hubs can be useful for fanning out data to several read-only analyzers, such as intrusion detection systems and packet sniffers.

35.3 Layer-specific functionality

Main article: Multilayer switch

While switches may learn about topologies at many layers, and forward at one or more layers, they do tend to have common features. Other than for high-performance applications, modern commercial switches use primarily Ethernet interfaces.

At any layer, a modern switch may implement power over Ethernet (PoE), which avoids the need for attached devices, such as a VoIP phone or wireless access point, to have a separate power supply. Since switches can have redundant power circuits connected to uninterruptible power supplies, the connected device can continue operating even when regular office power fails.

35.3.1 Layer 1 (hubs vs. higher-layer switches)

A network hub, or a repeater, is a simple network device that does not manage any of the traffic coming through it. Any packet entering a port is flooded out or "repeated" on every other port, except for the port of entry. Since every packet is repeated on every other port, packet collisions affect the entire network, limiting its overall capacity.

A network switch creates the layer 1 end-to-end connection only virtually, while originally it was mandatory. The bridging function of a switch uses information taken from layer 2 to select for each packet the particular port(s) it has to be forwarded to, removing the requirement that every node is presented with all traffic. As a result, the connection lines are not "switched" literally; instead they only appear that way at the packet level.

There are specialized applications in which a network hub can be useful, such as copying traffic to multiple network sensors. High-end network switches usually have a feature called port mirroring that provides the same functionality.

By the early 2000s, there was little price difference between a hub and a low-end switch.[12]

35.3.2 Layer 2

A network bridge, operating at the data link layer, may interconnect a small number of devices in a home or the office. This is a trivial case of bridging, in which the bridge learns the MAC address of each connected device.

Classic bridges may also interconnect using a spanning tree protocol that disables links so that the resulting local area network is a tree without loops. In contrast to routers, spanning tree bridges must have topologies with only one active path between two points. The older IEEE 802.1D spanning tree protocol could be quite slow, with forwarding stopping for 30 seconds while the spanning tree reconverged. A Rapid Spanning Tree Protocol was introduced as IEEE 802.1w. The newest standard, Shortest Path Bridging (IEEE 802.1aq), is the next logical progression and incorporates all the older spanning tree protocols (IEEE 802.1D STP, IEEE 802.1w RSTP, IEEE 802.1s MSTP) that blocked traffic on all but one alternative path. IEEE 802.1aq (Shortest Path Bridging, SPB) allows all paths to be active with multiple equal-cost paths, provides much larger layer-2 topologies (up to 16 million compared to the 4096 VLAN limit),[13] faster convergence, and improves the use of mesh topologies through increased bandwidth and redundancy between all devices by allowing traffic to load-share across all paths of a mesh network.[14][15][16][17]

While layer-2 switch remains more of a marketing term than a technical term, the products that were introduced as "switches" tended to use microsegmentation and full duplex to prevent collisions among devices connected to Ethernet. By using an internal forwarding plane much faster than any interface, they give the impression of simultaneous paths among multiple devices. "Non-blocking" devices use a forwarding plane or equivalent method fast enough to allow full-duplex traffic for each port simultaneously.

Once a bridge learns the addresses of its connected nodes, it forwards data link layer frames using a layer-2 forwarding method. There are four forwarding methods a bridge can use, of which the second through fourth were performance-increasing methods when used on "switch" products with the same input and output port bandwidths:

1. Store and forward: the switch buffers and verifies each frame before forwarding it; a frame is received in its entirety before it is forwarded.
2. Cut through: the switch starts forwarding after the frame's destination address is received. When the outgoing port is busy at the time, the switch falls back to store-and-forward operation. There is no error checking with this method.
3. Fragment free: a method that attempts to retain the benefits of both store and forward and cut through. Fragment free checks the first 64 bytes of the frame, where addressing information is stored. According to Ethernet specifications, collisions should be detected during the first 64 bytes of the frame, so frames that are in error because of a collision will not be forwarded. This way the frame will always reach its intended destination. Error checking of the actual data in the packet is left for the end device.
4. Adaptive switching: a method of automatically selecting between the other three modes.[18][19]

While there are specialized applications, such as storage area networks, where the input and output interfaces are the same bandwidth, this is not always the case in general LAN applications. In LANs, a switch used for end-user access typically concentrates lower-bandwidth access links into a higher-bandwidth uplink.

35.3.3 Layer 3

Within the confines of the Ethernet physical layer, a layer-3 switch can perform some or all of the functions normally performed by a router. The most common layer-3 capability is awareness of IP multicast through IGMP snooping. With this awareness, a layer-3 switch can increase efficiency by delivering the traffic of a multicast group only to ports where the attached device has signaled that it wants to listen to that group.

35.3.4 Layer 4

While the exact meaning of the term layer-4 switch is vendor-dependent, it almost always starts with a capability for network address translation, but then adds some type of load distribution based on TCP sessions.[20]

The device may include a stateful firewall, a VPN concentrator, or be an IPsec security gateway.
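The learning bridge of 35.3.2, the store-and-forward check of forwarding method 1, and the "port security" MAC limit listed among the management features further down, as an added example (this is not code from the article or from any vendor): a toy switch that learns source MACs per port, floods unknown destinations, verifies the FCS before forwarding in store-and-forward mode (a cut-through switch has already sent the frame by the time it could check), and caps the number of MACs learned per port. The security point it shows is CAM-table overflow: with no cap, an attacker that floods bogus source addresses evicts the legitimate entries from the table, and unicast traffic between two other hosts is then flooded to the attacker's port as unknown-unicast, turning the switch into a hub for that traffic. The frames, MAC addresses and the deliberately tiny table are constructed for the demonstration.

```python
"""Toy learning switch: MAC learning, flooding of unknown destinations,
store-and-forward FCS verification, and a per-port MAC limit (port security)
against CAM-table overflow.

Added example, not code from the article or any vendor; frames, addresses and
table sizes are constructed here for the demonstration."""
import struct
import zlib
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


def build_frame(dst: str, src: str, payload: bytes, corrupt_fcs: bool = False) -> bytes:
    """Ethernet II frame: dst, src, EtherType 0x0800, payload, CRC-32 FCS (little-endian on the wire)."""
    body = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", "")) + b"\x08\x00" + payload
    fcs = struct.pack("<I", zlib.crc32(body))
    if corrupt_fcs:                                   # simulate a frame damaged in transit
        fcs = bytes(b ^ 0xFF for b in fcs)
    return body + fcs


def fcs_ok(frame: bytes) -> bool:
    return struct.pack("<I", zlib.crc32(frame[:-4])) == frame[-4:]


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


class LearningSwitch:
    def __init__(self, ports, table_size=4, max_macs_per_port=None, store_and_forward=True):
        self.ports = list(ports)
        self.table_size = table_size                  # deliberately tiny CAM table
        self.max_macs_per_port = max_macs_per_port    # None = port security off
        self.store_and_forward = store_and_forward    # False = cut-through (no FCS check)
        self.cam = OrderedDict()                      # mac -> port, oldest entry first
        self.violations = []                          # (port, mac) refused by port security
        self.dropped_bad_fcs = 0

    def receive(self, in_port: int, frame: bytes) -> dict:
        """Process one ingress frame; return {egress_port: frame} for every port it leaves on."""
        dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
        if self.store_and_forward and not fcs_ok(frame):
            self.dropped_bad_fcs += 1                 # a cut-through switch would already have sent it
            return {}
        if src not in self.cam:
            on_port = sum(1 for p in self.cam.values() if p == in_port)
            if self.max_macs_per_port is not None and on_port >= self.max_macs_per_port:
                self.violations.append((in_port, src))   # port security: do not learn, drop the frame
                return {}
            if len(self.cam) >= self.table_size:
                self.cam.popitem(last=False)          # table full: evict the oldest entry
        else:
            self.cam.move_to_end(src)                 # refresh an existing entry
        self.cam[src] = in_port
        out = self.cam.get(dst)
        if dst != BROADCAST and out is not None:
            return {} if out == in_port else {out: frame}   # known unicast: one port (or filtered)
        return {p: frame for p in self.ports if p != in_port}  # broadcast / unknown unicast: flood


def mac_flood_demo(port_security: bool) -> dict:
    """Hosts A (port 1) and B (port 2) talk; an attacker on port 3 floods bogus source MACs.
    Reports whether A's next unicast to B was flooded out of the attacker's port."""
    sw = LearningSwitch(ports=[1, 2, 3], table_size=4,
                        max_macs_per_port=1 if port_security else None)
    a, b = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    sw.receive(1, build_frame(b, a, b"hello"))        # switch learns A on port 1
    sw.receive(2, build_frame(a, b, b"hi"))           # switch learns B on port 2
    for i in range(10):                               # attacker: ten frames, ten fake source MACs
        sw.receive(3, build_frame(BROADCAST, f"02:00:00:00:00:{i:02x}", b"x"))
    egress = sw.receive(1, build_frame(b, a, b"secret"))
    return {"leaked_to_attacker": 3 in egress, "violations": len(sw.violations), "cam_size": len(sw.cam)}


if __name__ == "__main__":
    print("no port security:  ", mac_flood_demo(False))
    print("max 1 MAC per port:", mac_flood_demo(True))
```

Without a per-port limit the ten bogus addresses push A and B out of the four-entry table, so A's "secret" frame is flooded to port 3; with a one-MAC limit the attacker's first address is learned and the other nine are logged as violations, and the unicast reaches port 2 only. Real switches have far larger tables, which only changes how many frames the attacker has to send.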
35.3.5 Layer 7

Layer-7 switches may distribute the load based on uniform resource locators (URLs), or by using some installation-specific technique to recognize application-level transactions. A layer-7 switch may include a web cache and participate in a content delivery network (CDN).[21]

35.4 Types of switches

[Image caption: A rack-mounted 24-port 3Com switch]

35.4.1 Form factors

Switches are available in many form factors, including: desktop units not mounted in an enclosure, which are typically intended to be used in a home or office environment outside a wiring closet; rack-mounted switches for use in an equipment rack; large chassis units with swappable module cards; DIN-rail-mounted units for use in industrial environments; and small installation switches, mounted into a cable duct, floor box or communications tower, as found, for example, in FTTO infrastructures.

35.4.2 Configuration options

• Unmanaged switches – these switches have no configuration interface or options. They are plug and play. They are typically the least expensive switches, and therefore often used in a small office/home office environment. Unmanaged switches can be desktop or rack mounted.
• Managed switches – these switches have one or more methods to modify the operation of the switch. Common management methods include: a command-line interface (CLI) accessed via serial console, telnet or Secure Shell (telnet carries the login in cleartext, so SSH is preferred on any network that is not fully trusted); an embedded Simple Network Management Protocol (SNMP) agent allowing management from a remote console or management station; or a web interface for management from a web browser. Examples of configuration changes that one can make from a managed switch include: enabling features such as Spanning Tree Protocol or port mirroring, setting port bandwidth, creating or modifying virtual LANs (VLANs), etc. Two sub-classes of managed switches are marketed today:
  • Smart (or intelligent) switches – these are managed switches with a limited set of management features. Likewise "web-managed" switches are switches which fall into a market niche between unmanaged and managed. For a price much lower than a fully managed switch they provide a web interface (and usually no CLI access) and allow configuration of basic settings, such as VLANs, port bandwidth and duplex.[22]
  • Enterprise managed (or fully managed) switches – these have a full set of management features, including CLI, SNMP agent, and web interface. They may have additional features to manipulate configurations, such as the ability to display, modify, back up and restore configurations. Compared with smart switches, enterprise switches have more features that can be customized or optimized, and are generally more expensive than smart switches. Enterprise switches are typically found in networks with a larger number of switches and connections, where centralized management is a significant saving in administrative time and effort. A stackable switch is a version of enterprise-managed switch.

Typical switch management features

• Turn a particular port range on or off
• Link bandwidth and duplex settings
• Priority settings for ports
• IP management by IP clustering
• MAC filtering and other types of "port security" features which prevent MAC flooding
• Use of Spanning Tree Protocol (STP) and Shortest Path Bridging (SPB) technologies
• Simple Network Management Protocol (SNMP) monitoring of device and link health
• Port mirroring (also known as: port monitoring, spanning port, SPAN port, roving analysis port or link mode port)
NETWORK SWITCH 35.6 See also • Bridging (networking) • Console server • Energy-Efficient Ethernet • Fibre Channel switch • Fully switched network • LAN switching • Local area network A couple of managed D-Link Gigabit Ethernet rackmount switches, connected to the Ethernet ports on a few patch panels using Category 6 patch cables (all equipment is installed in a standard 19-inch rack) • Link aggregation (also known as bonding, trunking or teaming) allows the use of multiple ports for the same connection achieving higher data transfer rates • VLAN settings. Creating VLANs can serve security and performance goals by reducing the size of the broadcast domain • Packet switch • Router (computing) • Stackable switch • Telephone exchange • Turing switch • Wide area network 35.7 References • 802.1X network access control [1] IEEE 802.1D • IGMP snooping [2] “Hubs Versus Switches – Understand the Tradeoffs” (PDF). ccontrols.com. 2002. Retrieved 2013-12-10. 35.5 Traffic monitoring switched network on a Unless port mirroring or other methods such as RMON, SMON or sFlow are implemented in a switch,[23] it is difficult to monitor traffic that is bridged using a switch because only the sending and receiving ports can see the traffic. These monitoring features are rarely present on consumer-grade switches. Two popular methods that are specifically designed to allow a network analyst to monitor traffic are: • Port mirroring – the switch sends a copy of network packets to a monitoring network connection. • SMON – “Switch Monitoring” is described by RFC 2613 and is a protocol for controlling facilities such as port mirroring. [3] Thayumanavan Sridhar (September 1998). “Layer 2 and Layer 3 Switch Evolution”. cisco.com. The Internet Protocol Journal. Cisco Systems. Retrieved 2014-08-05. [4] Robert J. Kohlhepp (2000-10-02). “The 10 Most Important Products of the Decade”. Network Computing. Archived from the original on 2010-01-05. Retrieved 2008-02-25. 
[5] “Cisco Networking Academy’s Introduction to Basic Switching Concepts and Configuration”. Cisco Systems. 2014-03-31. Retrieved 2015-08-17. [6] Joe Efferson; Ted Gary; Bob Nevins (February 2002). “Token-Ring to Ethernet Migration” (PDF). IBM. p. 13. Retrieved 2015-08-11. [7] Thayumanavan Sridhar (September 1998). “The Internet Protocol Journal - Volume 1, No. 2: Layer 2 and Layer 3 Switch Evolution”. Cisco Systems. Retrieved 2015-0811. [8] Cisco Catalyst 6500 Series Firewall Services Module, Cisco Systems,2007 [9] Switch 8800 Firewall Module, 3Com Corporation, 2006 Another method to monitor may be to connect a layer1 hub between the monitored device and its switch port. [10] Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Module, Cisco Systems,2007 This will induce minor delay, but will provide multiple interfaces that can be used to monitor the individual switch [11] Getting Started with Check Point Fire Wall-1, Checkpoint Software Technologies Ltd., n.d. port. 35.8. EXTERNAL LINKS [12] Matthew Glidden (October 2001). “Switches and Hubs”. About This Particular Macintosh blog. Retrieved June 9, 2011. [13] Shuang Yu. “IEEE APPROVES NEW IEEE 802.1aq™ SHORTEST PATH BRIDGING STANDARD”. IEEE Standards Association. Retrieved 19 June 2012. Using the IEEE’s next-generation VLAN, called a Service Interface Identifier (I-SID), it is capable of supporting 16 million unique services compared to the VLAN limit of four thousand. [14] Peter Ashwood-Smith (24 Feb 2011). “Shortest Path Bridging IEEE 802.1aq Overview” (PDF). Huawei. Retrieved 11 May 2012. [15] Jim Duffy (11 May 2012). “Largest Illinois healthcare system uproots Cisco to build $40M private cloud”. PC Advisor. Retrieved 11 May 2012. Shortest Path Bridging will replace Spanning Tree in the Ethernet fabric. [16] “IEEE Approves New IEEE 802.1aq Shortest Path Bridging Standard”. Tech Power Up. 7 May 2012. Retrieved 11 May 2012. [17] D. Fedyk, Ed.,; P. Ashwood-Smith, Ed.,; D. Allan, A. Bragg,; P. 
Unbehagen (April 2012). “IS-IS Extensions Supporting IEEE 802.1aq”. IETF. Retrieved 12 May 2012. [18] Dong, Jielin. Network Dictionary. Javvin Technologies Inc. p. 23. ISBN 9781602670006. Retrieved 25 June 2016. [19] “Cray makes its ethernet switches responsive to net conditions”. IDG Network World Inc. 1 July 1996. Retrieved 25 June 2016. [20] S. Sathaye (January 1999), The Ins and Outs of Layer 4+ Switching, NANOG 15, It usually means one of two things: - 1. Layer 4 information is used to prioritize and queue traffic (routers have done this for years) - 2. Layer 4 information is used to direct application sessions to different servers (next generation load balancing). [21] How worried is too worried? Plus, a Global Crossing Story., NANOG mailing list archives, S. Gibbard,October 2001 [22] Tech specs for a sample HP “web-managed” switch at the Wayback Machine (archived December 13, 2007) [23] Remote Network Monitoring Management Information Base, RFC 2819, S. Waldbusser,May 2000 35.8 External links • Five datacenter switches compared -- Network World, 2010 • Understanding the different types of Ethernet Switches - Cisco Blogs 171 Chapter 36 Frame Relay stores into their corporate WAN. 36.1 Technical description The designers of Frame Relay aimed to provide a telecommunication service for cost-efficient data transmission for intermittent traffic between local area networks (LANs) and between end-points in a wide area network (WAN). Frame Relay puts data in variable-size units called “frames” and leaves any necessary errorcorrection (such as retransmission of data) up to the endpoints. This speeds up overall data transmission. 
For most services, the network provides a permanent virtual A basic Frame Relay network circuit (PVC), which means that the customer sees a continuous, dedicated connection without having to pay for Frame Relay is a standardized wide area network tech- a full-time leased line, while the service-provider figures nology that specifies the physical and data link layers out the route each frame travels to its destination and can of digital telecommunications channels using a packet charge based on usage. switching methodology. Originally designed for transport An enterprise can select a level of service quality, priacross Integrated Services Digital Network (ISDN) in- oritizing some frames and making others less imporfrastructure, it may be used today in the context of many tant. Frame Relay can run on fractional T-1 or full Tother network interfaces. carrier system carriers (outside the Americas, E1 or full Network providers commonly implement Frame Relay E-carrier). Frame Relay complements and provides a for voice (VoFR) and data as an encapsulation technique mid-range service between basic rate ISDN, which ofused between local area networks (LANs) over a wide fers bandwidth at 128 kbit/s, and Asynchronous Transfer area network (WAN). Each end-user gets a private line Mode (ATM), which operates in somewhat similar fash(or leased line) to a Frame Relay node. The Frame Re- ion to Frame Relay but at speeds from 155.520 Mbit/s to lay network handles the transmission over a frequently 622.080 Mbit/s.[1] changing path transparent to all end-user extensively used Frame Relay has its technical base in the older X.25 WAN protocols. It is less expensive than leased lines and packet-switching technology, designed for transmitting that is one reason for its popularity. The extreme sim- data on analog voice lines. 
Unlike X.25, whose designers plicity of configuring user equipment in a Frame Relay expected analog signals with a relatively high chance of network offers another reason for Frame Relay’s popu- transmission errors, Frame Relay is a fast packet switchlarity. ing technology operating over links with a low chance With the advent of Ethernet over fiber optics, MPLS, VPN and dedicated broadband services such as cable modem and DSL, the end may loom for the Frame Relay protocol and encapsulation. However many rural areas remain lacking DSL and cable modem services. In such cases, the least expensive type of non-dial-up connection remains a 64-kbit/s Frame Relay line. Thus a retail chain, for instance, may use Frame Relay for connecting rural of transmission errors (usually practically lossless like PDH), which means that the protocol does not attempt to correct errors. When a Frame Relay network detects an error in a frame, it simply drops that frame. The end points have the responsibility for detecting and retransmitting dropped frames. (However, digital networks offer an incidence of error extraordinarily small relative to that of analog networks.) 172 36.1. TECHNICAL DESCRIPTION Frame Relay often serves to connect local area networks (LANs) with major backbones, as well as on public widearea networks (WANs) and also in private network environments with leased lines over T-1 lines. It requires a dedicated connection during the transmission period. Frame Relay does not provide an ideal path for voice or video transmission, both of which require a steady flow of transmissions. However, under certain circumstances, voice and video transmission do use Frame Relay. Frame Relay originated as an extension of integrated services digital network (ISDN). Its designers aimed to enable a packet-switched network to transport over circuitswitched technology. The technology has become a stand-alone and cost-effective means of creating a WAN. 
Frame Relay switches create virtual circuits to connect remote LANs to a WAN. The Frame Relay network exists between a LAN border device, usually a router, and the carrier switch. The technology used by the carrier to transport data between the switches is variable and may differ among carriers (i.e., to function, a practical Frame Relay implementation need not rely solely on its own transportation mechanism).

The sophistication of the technology requires a thorough understanding of the terms used to describe how Frame Relay works. Without a firm understanding of Frame Relay, it is difficult to troubleshoot its performance.

Frame-relay frame structure essentially mirrors almost exactly that defined for LAP-D. Traffic analysis can distinguish Frame Relay format from LAP-D by its lack of a control field.

36.1.1 Protocol data unit

Each Frame Relay protocol data unit (PDU) consists of the following fields:

1. Flag Field. The flag is used to perform high-level data link synchronization which indicates the beginning and end of the frame with the unique pattern 01111110. To ensure that the 01111110 pattern does not appear somewhere inside the frame, bit stuffing and destuffing procedures are used.

2. Address Field. Each address field may occupy either octet 2 to 3, octet 2 to 4, or octet 2 to 5, depending on the range of the address in use. A two-octet address field comprises the EA=ADDRESS FIELD EXTENSION BITS and the C/R=COMMAND/RESPONSE BIT.
  (a) DLCI-Data Link Connection Identifier Bits. The DLCI serves to identify the virtual connection so that the receiving end knows which information connection a frame belongs to. Note that this DLCI has only local significance. A single physical channel can multiplex several different virtual connections.
  (b) FECN, BECN, DE bits. These bits report congestion:
    • FECN=Forward Explicit Congestion Notification bit
    • BECN=Backward Explicit Congestion Notification bit
    • DE=Discard Eligibility bit

3. Information Field. A system parameter defines the maximum number of data bytes that a host can pack into a frame. Hosts may negotiate the actual maximum frame length at call set-up time. The standard specifies the maximum information field size (supportable by any network) as at least 262 octets. Since end-to-end protocols typically operate on the basis of larger information units, Frame Relay recommends that the network support the maximum value of at least 1600 octets in order to avoid the need for segmentation and reassembling by end-users.

4. Frame Check Sequence (FCS) Field. Since one cannot completely ignore the bit error-rate of the medium, each switching node needs to implement error detection to avoid wasting bandwidth due to the transmission of erred frames. The error detection mechanism used in Frame Relay uses the cyclic redundancy check (CRC) as its basis.

36.1.2 Congestion control

The Frame Relay network uses a simplified protocol at each switching node. It achieves simplicity by omitting link-by-link flow-control. As a result, the offered load has largely determined the performance of Frame Relay networks. When offered load is high, due to the bursts in some services, temporary overload at some Frame Relay nodes causes a collapse in network throughput. Therefore, Frame Relay networks require some effective mechanisms to control the congestion.

Congestion control in Frame Relay networks includes the following elements:

1. Admission Control. This provides the principal mechanism used in Frame Relay to ensure the guarantee of resource requirement once accepted. It also serves generally to achieve high network performance. The network decides whether to accept a new connection request, based on the relation of the requested traffic descriptor and the network’s residual capacity. The traffic descriptor consists of a set of parameters communicated to the switching nodes at call set-up time or at service-subscription time, and which characterizes the connection’s statistical properties. The traffic descriptor consists of three elements:

2. Committed Information Rate (CIR). The average rate (in bit/s) at which the network guarantees to transfer information units over a measurement interval T. This T interval is defined as: T = Bc/CIR.

3. Committed Burst Size (BC). The maximum number of information units transmittable during the interval T.

4. Excess Burst Size (BE). The maximum number of uncommitted information units (in bits) that the network will attempt to carry during the interval.

Once the network has established a connection, the edge node of the Frame Relay network must monitor the connection’s traffic flow to ensure that the actual usage of network resources does not exceed this specification. Frame Relay defines some restrictions on the user’s information rate. It allows the network to enforce the end user’s information rate and discard information when the subscribed access rate is exceeded.

Explicit congestion notification is proposed as the congestion avoidance policy. It tries to keep the network operating at its desired equilibrium point so that a certain quality of service (QoS) for the network can be met. To do so, special congestion control bits have been incorporated into the address field of the Frame Relay: FECN and BECN. The basic idea is to avoid data accumulation inside the network.

FECN means forward explicit congestion notification. The FECN bit can be set to 1 to indicate that congestion was experienced in the direction of the frame transmission, so it informs the destination that congestion has occurred. BECN means backwards explicit congestion notification. The BECN bit can be set to 1 to indicate that congestion was experienced in the network in the direction opposite of the frame transmission, so it informs the sender that congestion has occurred.

36.2 Origin

Frame Relay began as a stripped-down version of the X.25 protocol, releasing itself from the error-correcting burden most commonly associated with X.25. When Frame Relay detects an error, it simply drops the offending packet. Frame Relay uses the concept of shared access and relies on a technique referred to as “best-effort”, whereby error-correction practically does not exist and practically no guarantee of reliable data delivery occurs. Frame Relay provides an industry-standard encapsulation, utilizing the strengths of high-speed, packet-switched technology able to service multiple virtual circuits and protocols between connected devices, such as two routers.

Although Frame Relay became very popular in North America, it was never that popular in Europe. X.25 remained the primary standard until the wide availability of IP made packet switching almost obsolete. It was used sometimes as backbone for other services, such as X.25 or IP traffic. Where Frame Relay was also used in the USA as a carrier for TCP/IP traffic, backbones for IP networks in Europe often used ATM or PoS, later replaced by Carrier Ethernet.[2]

36.2.1 Relationship to X.25

X.25 provides quality of service and error-free delivery, whereas Frame Relay was designed to relay data as quickly as possible over low error networks. Frame Relay eliminates a number of the higher-level procedures and fields used in X.25. Frame Relay was designed for use on links with error-rates far lower than available when X.25 was designed.

X.25 prepares and sends packets, while Frame Relay prepares and sends frames. X.25 packets contain several fields used for error checking and flow control, most of which are not used by Frame Relay. The frames in Frame Relay contain an expanded link layer address field that enables Frame Relay nodes to direct frames to their destinations with minimal processing. The elimination of functions and fields over X.25 allows Frame Relay to move data more quickly, but leaves more room for errors and larger delays should data need to be retransmitted.
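As an added example (not from the article), the Python below builds and checks a Frame Relay frame using the two-octet address field, FECN/BECN/DE bits and FCS described in section 36.1.1, and then polices frames against the CIR/Bc/Be traffic descriptor of section 36.1.2, setting DE on excess frames and dropping anything beyond Be. The CRC-16/X-25 polynomial for the FCS and the simple per-interval credit model are assumptions; flag bit stuffing is omitted.

```python
"""Frame Relay (Q.922) 2-octet address field, HDLC-style FCS and CIR policing.

Added example, not from the article. Assumed: the 2-octet address layout,
the CRC-16/X-25 polynomial for the FCS, and a simplified interval-T credit
model for the CIR/Bc/Be policer that marks excess frames discard eligible.
"""
from dataclasses import dataclass

FLAG = 0x7E  # 01111110, the frame delimiter


@dataclass
class Address:
    dlci: int      # 10-bit Data Link Connection Identifier, locally significant
    cr: int = 0    # Command/Response bit, carried transparently
    fecn: int = 0  # Forward Explicit Congestion Notification
    becn: int = 0  # Backward Explicit Congestion Notification
    de: int = 0    # Discard Eligibility


def encode_address(a: Address) -> bytes:
    """Octet 1: DLCI high 6 bits, C/R, EA=0. Octet 2: DLCI low 4 bits, FECN, BECN, DE, EA=1."""
    if not 0 <= a.dlci < 1024:
        raise ValueError("a 2-octet address carries a 10-bit DLCI")
    o1 = ((a.dlci >> 4) << 2) | (a.cr << 1)
    o2 = ((a.dlci & 0xF) << 4) | (a.fecn << 3) | (a.becn << 2) | (a.de << 1) | 1
    return bytes([o1, o2])


def decode_address(b: bytes) -> Address:
    """Inverse of encode_address; the EA bits tell us the field is exactly two octets."""
    if len(b) < 2 or b[0] & 1 or not b[1] & 1:
        raise ValueError("EA bits do not describe a 2-octet address field")
    return Address(dlci=((b[0] >> 2) << 4) | (b[1] >> 4), cr=(b[0] >> 1) & 1,
                   fecn=(b[1] >> 3) & 1, becn=(b[1] >> 2) & 1, de=(b[1] >> 1) & 1)


def fcs16(data: bytes) -> int:
    """CRC-16/X-25 (poly 0x1021 bit-reflected, init and final XOR 0xFFFF)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(addr: Address, info: bytes) -> bytes:
    """Flag | address | information | FCS (little-endian) | flag."""
    body = encode_address(addr) + info
    return bytes([FLAG]) + body + fcs16(body).to_bytes(2, "little") + bytes([FLAG])


def parse_frame(frame: bytes):
    """Return (Address, info); a bad FCS is what makes a switching node drop the frame."""
    if len(frame) < 6 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing flag")
    body, fcs = frame[1:-3], int.from_bytes(frame[-3:-1], "little")
    if fcs16(body) != fcs:
        raise ValueError("FCS mismatch: frame dropped, end points must retransmit")
    return decode_address(body[:2]), body[2:]


class CirPolicer:
    """Edge-node policing per measurement interval T = Bc/CIR.

    Frames that fit within Bc bits pass as committed, the next Be bits are
    forwarded with DE set (droppable under congestion), the rest are dropped.
    """

    def __init__(self, cir_bps: int, bc_bits: int, be_bits: int):
        self.t = bc_bits / cir_bps
        self.bc, self.be = bc_bits, be_bits
        self.used_bc = self.used_be = 0
        self.interval_start = 0.0

    def admit(self, frame: bytes, now: float):
        """Return (action, frame) where action is forward, forward-de or drop."""
        while now >= self.interval_start + self.t:   # new interval: fresh credit
            self.interval_start += self.t
            self.used_bc = self.used_be = 0
        bits = len(frame) * 8
        if self.used_bc + bits <= self.bc:
            self.used_bc += bits
            return "forward", frame
        if self.used_be + bits <= self.be:
            self.used_be += bits
            addr, info = parse_frame(frame)
            addr.de = 1                               # mark discard eligible
            return "forward-de", build_frame(addr, info)
        return "drop", b""
```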
X.25 packet switched networks typically allocated a fixed bandwidth through the network for each X.25 access, regardless of the current load. This resource allocation approach, while apt for applications that require guaranteed quality of service, is inefficient for applications that are highly dynamic in their load characteristics or which would benefit from a more dynamic resource allocation. Frame Relay networks can dynamically allocate bandwidth at both the physical and logical channel level.

36.3 Virtual circuits

As a WAN protocol, Frame Relay is most commonly implemented at Layer 2 (data link layer) of the Open Systems Interconnection (OSI) seven layer model. Two types of circuits exist: permanent virtual circuits (PVCs) which are used to form logical end-to-end links mapped over a physical network, and switched virtual circuits (SVCs). The latter are analogous to the circuit-switching concepts of the public switched telephone network (PSTN), the global phone network.

36.4 Local management interface

Main article: Local Management Interface

Initial proposals for Frame Relay were presented to the Consultative Committee on International Telephone and Telegraph (CCITT) in 1984. Lack of interoperability and standardization prevented any significant Frame Relay deployment until 1990 when Cisco, Digital Equipment Corporation (DEC), Northern Telecom, and StrataCom formed a consortium to focus on its development. They produced a protocol that provided additional capabilities for complex inter-networking environments. These Frame Relay extensions are referred to as the local management interface (LMI).

Datalink connection identifiers (DLCIs) are numbers that refer to paths through the Frame Relay network. They are only locally significant, which means that when device-A sends data to device-B it will most likely use a different DLCI than device-B would use to reply. Multiple virtual circuits can be active on the same physical end-points (performed by using subinterfaces).

The LMI global addressing extension gives Frame Relay data-link connection identifier (DLCI) values global rather than local significance. DLCI values become DTE addresses that are unique in the Frame Relay WAN. The global addressing extension adds functionality and manageability to Frame Relay internetworks. Individual network interfaces and the end nodes attached to them, for example, can be identified by using standard address-resolution and discovery techniques. In addition, the entire Frame Relay network appears to be a typical LAN to routers on its periphery.

LMI virtual circuit status messages provide communication and synchronization between Frame Relay DTE and DCE devices. These messages are used to periodically report on the status of PVCs, which prevents data from being sent into black holes (that is, over PVCs that no longer exist).

The LMI multicasting extension allows multicast groups to be assigned. Multicasting saves bandwidth by allowing routing updates and address-resolution messages to be sent only to specific groups of routers. The extension also transmits reports on the status of multicast groups in update messages.

36.5 Committed information rate (CIR)

Frame Relay connections are often given a committed information rate (CIR) and an allowance of burstable bandwidth known as the extended information rate (EIR). The provider guarantees that the connection will always support the CIR, and sometimes the EIR should there be adequate bandwidth. Frames that are sent in excess of the CIR are marked as discard eligible (DE) which means they can be dropped should congestion occur within the Frame Relay network. Frames sent in excess of the EIR are dropped immediately.

36.6 Market reputation

Frame Relay aimed to make more efficient use of existing physical resources, permitting the over-provisioning of data services by telecommunications companies to their customers, as clients were unlikely to be using a data service 45 percent of the time. In more recent years, Frame Relay has acquired a bad reputation in some markets because of excessive bandwidth overbooking.

Telecommunications companies often sell Frame Relay to businesses looking for a cheaper alternative to dedicated lines; its use in different geographic areas depended greatly on governmental and telecommunication companies’ policies. Some of the early companies to make Frame Relay products included StrataCom (later acquired by Cisco Systems) and Cascade Communications (later acquired by Ascend Communications and then by Lucent Technologies).

As of June 2007, AT&T Inc. was the largest Frame Relay service provider in the USA, with local networks in 22 states, plus national and international networks.

36.7 FRF.12

When multiplexing packet data from different virtual circuits or flows, quality of service concerns often arise. This is because a frame from one virtual circuit may occupy the line for a long enough period of time to disrupt a service guarantee given to another virtual circuit. IP fragmentation is a method for addressing this. An incoming long packet is broken up into a sequence of shorter packets and enough information is added to reassemble that long frame at the far end. FRF.12 is a specification from the Frame Relay Forum which specifies how to perform fragmentation on frame relay traffic, primarily for voice traffic. The FRF.12 specification describes the method of fragmenting Frame Relay frames into smaller frames.[3][4][5][6][7]

36.8 See also

• Multiprotocol label switching
• List of device bit rates

36.9 References

[1] “Definition of “Frame Relay” on SearchEnterpriseWAN”. Retrieved 9 April 2012.
[2] The Network Encyclopedia about Frame Relay, visited 14 July 2012
[3] “Frame Relay Fragmentation for Voice”. Cisco. Retrieved 17 June 2016.
[4] “How to use FRF.12 to improve voice quality on Frame Relay networks | Other Collaboration, Voice, and Video Subjects | Cisco Support Community | 5791 | 11956”. supportforums.cisco.com.
[5] “VoIP over Frame Relay with Quality of Service (Fragmentation, Traffic Shaping, LLQ / IP RTP Priority)”. Cisco. Retrieved 17 June 2016.
[6] Malis, Andrew G. “Frame Relay Fragmentation Implementation Agreement FRF.12” (PDF). www.broadband-forum.org. Retrieved 17 June 2016.
[7] “FRF.12 Frame Relay Fragmentation section in Frame Relay”. www.rhyshaden.com. Retrieved 17 June 2016.

36.10 External links

• RFC 1490 – Multiprotocol Interconnect over Frame Relay
• RFC 1973 – PPP in Frame Relay
• RFC 2427 – Multiprotocol Interconnect over Frame Relay
• Broadband Forum - IP/MPLS Forum, MPLS Forum, ATM, and Frame Relay Forum Specifications
• Cisco Frame Relay Tutorial
• Frame Relay animation
• CCITT I.233 ISDN Frame Mode Bearer Services

Chapter 37 IPsec

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications that works by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).[1]

Internet Protocol security (IPsec) uses cryptographic security services to protect communications over Internet Protocol (IP) networks. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.
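As an added example (not from the article), the Python below makes two of the per-packet mechanics named above concrete, using the Authentication Header field definitions given later in section 37.2.1: the Payload Len arithmetic (header length in 4-octet units minus 2, with 8-octet alignment of the ICV under IPv6) and the receiver-side anti-replay sliding window over sequence numbers. The 64-packet window size and the bitmap layout are assumptions.

```python
"""AH Payload Len arithmetic and the anti-replay sliding window.

Added example, not from the article. The window models the receiver-side
"sliding window technique" the AH section refers to; a 64-packet window and
a bitmap keyed from the highest sequence number seen are assumptions.
"""

AH_FIXED_OCTETS = 12  # Next Header + Payload Len + Reserved (4), SPI (4), Sequence Number (4)
SEQ_MAX = 2**32 - 1   # 32-bit sequence number; never wraps, a new SA is needed instead


def ah_payload_len(icv_octets: int, ipv6: bool) -> int:
    """Payload Len field: AH length in 32-bit words, minus 2.

    The ICV is padded so the whole header is a multiple of 8 octets for IPv6
    and 4 octets for IPv4 (section 37.2.1).
    """
    unit = 8 if ipv6 else 4
    total = AH_FIXED_OCTETS + icv_octets
    total += (-total) % unit          # pad the ICV up to the alignment boundary
    return total // 4 - 2


def ah_header_octets(payload_len: int) -> int:
    """Inverse: a Payload Len of 4 means (4 + 2) * 4 = 24 octets."""
    return (payload_len + 2) * 4


class SeqCounter:
    """Sender side: strictly increasing and never reused; exhaustion forces an SA renegotiation."""

    def __init__(self) -> None:
        self.value = 0

    def next(self) -> int:
        if self.value == SEQ_MAX:
            raise OverflowError("sequence space exhausted: renegotiate the security association")
        self.value += 1
        return self.value


class ReplayWindow:
    """Receiver-side anti-replay check for one security association.

    top is the highest sequence number accepted so far; bit i of bitmap is
    set when sequence number (top - i) has already been accepted.
    """

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check(self, seq: int) -> bool:
        """Return True and record seq if it is new; False if the packet must be dropped."""
        if seq == 0 or seq > SEQ_MAX:
            return False                      # 0 is never sent; larger values are impossible
        if seq > self.top:                    # right of the window: slide it forward
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 0               # every previously seen number falls off the left
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # too old: left of the window
        if self.bitmap & (1 << offset):
            return False                      # already accepted: a replayed packet
        self.bitmap |= 1 << offset            # late but new: accept and remember it
        return True
```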
mated device driver, known as plug-and-play today, in integrating with the hardware Crypto. After achieving the throughput much higher than a T1s, Wei Xu finally made the commercial product practically feasible, that was released as a part of the well-known Gauntlet firewall. In December 1994, it was deployed for the first time in production for securing some remote sites between east and west coastal states of the United States. Another IP Encapsulating Security Payload (ESP)[2] was researched at the Naval Research Laboratory as part of a DARPA-sponsored research project, with openly published by IETF SIPP[3] Working Group drafted in December 1993 as a security extension for SIPP. This ESP was originally derived from the US Department of Defense SP3D protocol, rather than being derived from the ISO Network-Layer Security Protocol (NLSP). The SP3D protocol specification was published by NIST, but designed by the Secure Data Network System project of the US Department of Defense. The Security Authentication Header (AH) is derived partially from previous IETF standards work for authentication of the Simple Network Management Protocol (SNMP) version 2. IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite, while some other Internet security systems in widespread use, such as Transport Layer Security (TLS) and Secure Shell (SSH), operate in the upper layers at the Transport Layer (TLS) and the Application layer (SSH). Hence, only IPsec protects all application traffic over an IP network. Appli- In 1995, The IPsec working group in the IETF was started cations can be automatically secured by IPsec at the IP to create an open freely available and vetted version of layer. protocols that had been developed under NSA contract in the Secure Data Network System (SDNS) project. 
37.1 History

The SDNS project had defined a Security Protocol Layer 3 (SP3) that had been published by NIST and was also the basis of the ISO Network Layer Security Protocol (NLSP).[4] Key management for SP3 was provided by the Key Management Protocol (KMP) that provided a baseline of ideas for subsequent work in the IPsec committee.

In December 1993, the Software IP Encryption protocol swIPe (protocol) was researched at Columbia University and AT&T Bell Labs by John Ioannidis and others.

Based on the funding from the Clinton administration in hosting whitehouse.gov email (from June 1 of 1993 to January 20 of 1995) at Trusted Information Systems, Wei Xu started in July 1994 the research on IP Security, enhanced the IP protocols, developed the IPSec product on the BSDI platform, and quickly extended it on to Sun OS, HP UX, and other UNIX systems. Upon the success, Wei was facing another challenge by the slow performance of computing DES and Triple DES. The assembly software encryption was unable to support even a T1 speed under the Intel 80386 architecture. By exporting the Crypto cards from Germany, Wei further developed an auto-

IPsec is officially standardised by the Internet Engineering Task Force (IETF) in a series of Request for Comments documents addressing various components and extensions. It specifies the spelling of the protocol name to be IPsec.[5]

37.2 Security architecture

The IPsec suite is an open standard. IPsec uses the following protocols to perform various functions:[6][7]

• Authentication Headers (AH) provide connectionless data integrity and data origin authentication for IP datagrams and provide protection against replay attacks.[8][9]
• Encapsulating Security Payloads (ESP) provide confidentiality, data-origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic-flow confidentiality.[1]
• Security Associations (SA) provide the bundle of algorithms and data that provide the parameters necessary for AH and/or ESP operations. The Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for authentication and key exchange,[10] with actual authenticated keying material provided either by manual configuration with pre-shared keys, Internet Key Exchange (IKE and IKEv2), Kerberized Internet Negotiation of Keys (KINK), or IPSECKEY DNS records.[11][12][13][14]

37.2.1 Authentication Header

Authentication Header (AH) is a member of the IPsec protocol suite. AH guarantees connectionless integrity and data origin authentication of IP packets. Further, it can optionally protect against replay attacks by using the sliding window technique and discarding old packets (see below).

• In IPv4, the AH protects the IP payload and all header fields of an IP datagram except for mutable fields (i.e. those that might be altered in transit), and also IP options such as the IP Security Option (RFC 1108). Mutable (and therefore unauthenticated) IPv4 header fields are DSCP/ToS, ECN, Flags, Fragment Offset, TTL and Header Checksum.[9]
• In IPv6, the AH protects most of the IPv6 base header, AH itself, non-mutable extension headers after the AH, and the IP payload. Protection for the IPv6 header excludes the mutable fields: DSCP, ECN, Flow Label, and Hop Limit.[9]

AH operates directly on top of IP, using IP protocol number 51.[15]

The following AH packet diagram shows how an AH packet is constructed and interpreted:[8][9]

Next Header (8 bits) Type of the next header, indicating what upper-layer protocol was protected. The value is taken from the list of IP protocol numbers.

Payload Len (8 bits) The length of this Authentication Header in 4-octet units, minus 2. For example, an AH value of 4 equals 3×(32-bit fixed-length AH fields) + 3×(32-bit ICV fields) − 2 and thus an AH value of 4 means 24 octets. Although the size is measured in 4-octet units, the length of this header needs to be a multiple of 8 octets if carried in an IPv6 packet. This restriction does not apply to an Authentication Header carried in an IPv4 packet.

Reserved (16 bits) Reserved for future use (all zeroes until then).

Security Parameters Index (32 bits) Arbitrary value which is used (together with the destination IP address) to identify the security association of the receiving party.

Sequence Number (32 bits) A monotonic strictly increasing sequence number (incremented by 1 for every packet sent) to prevent replay attacks. When replay detection is enabled, sequence numbers are never reused, because a new security association must be renegotiated before an attempt to increment the sequence number beyond its maximum value.[9]

Integrity Check Value (multiple of 32 bits) Variable length check value. It may contain padding to align the field to an 8-octet boundary for IPv6, or a 4-octet boundary for IPv4.

37.2.2 Encapsulating Security Payload

Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite. In IPsec it provides origin authenticity, integrity and confidentiality protection of packets. ESP also supports encryption-only and authentication-only configurations, but using encryption without authentication is strongly discouraged because it is insecure.[16][17][18] Unlike Authentication Header (AH), ESP in transport mode does not provide integrity and authentication for the entire IP packet. However, in Tunnel Mode, where the entire original IP packet is encapsulated with a new packet header added, ESP protection is afforded to the whole inner IP packet (including the inner header) while the outer header (including any outer IPv4 options or IPv6 extension headers) remains unprotected. ESP operates directly on top of IP, using IP protocol number 50.[15]

The following ESP packet diagram shows how an ESP packet is constructed and interpreted:[1][19]
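The AH field list above, worked through in code. This is an added example written for this page, not code from the original article or from any IPsec implementation; the names build_ah and parse_ah and the sample SPI, sequence numbers and ICV bytes are constructed here. It encodes the Payload Len rule (length in 4-octet units, minus 2, so a 12-octet ICV gives Payload Len 4 and a 24-octet header), pads the ICV to the 8-octet boundary required in IPv6, and rejects a header whose length breaks that rule:

```python
"""IPsec Authentication Header (AH, IP protocol 51) builder and parser.

Added example, not code from the original page. Layout follows the field
list above: Next Header (8 bits), Payload Len (8), Reserved (16), SPI (32),
Sequence Number (32), then a variable-length Integrity Check Value (ICV).
Function names and all sample values below are constructed for this example.
"""
import struct
from dataclasses import dataclass

AH_FIXED = struct.Struct("!BBHII")   # the 12 octets of fixed-length fields
IPPROTO_TCP = 6


@dataclass(frozen=True)
class AuthHeader:
    next_header: int
    payload_len: int      # raw field: header length in 4-octet units, minus 2
    spi: int
    sequence: int
    icv: bytes            # includes any alignment padding

    @property
    def total_octets(self) -> int:
        # Payload Len 4 -> (4 + 2) * 4 = 24 octets: 12 fixed + 12 of ICV
        return (self.payload_len + 2) * 4


def build_ah(next_header: int, spi: int, sequence: int, icv: bytes, ipv6: bool = False) -> bytes:
    """Serialize an AH, padding the ICV so the whole header meets the alignment
    rule: a multiple of 8 octets in IPv6, a multiple of 4 octets in IPv4."""
    align = 8 if ipv6 else 4
    pad = (-(AH_FIXED.size + len(icv))) % align
    icv_padded = icv + b"\x00" * pad
    payload_len = (AH_FIXED.size + len(icv_padded)) // 4 - 2
    return AH_FIXED.pack(next_header, payload_len, 0, spi, sequence) + icv_padded


def parse_ah(data: bytes, ipv6: bool = False) -> AuthHeader:
    """Parse an AH from the start of `data`; raise ValueError on malformed input."""
    if len(data) < AH_FIXED.size:
        raise ValueError("AH needs at least 12 octets of fixed fields")
    next_header, payload_len, reserved, spi, sequence = AH_FIXED.unpack_from(data)
    total = (payload_len + 2) * 4
    if len(data) < total:
        raise ValueError(f"Payload Len {payload_len} implies {total} octets, only {len(data)} present")
    if ipv6 and total % 8:
        raise ValueError(f"AH of {total} octets is not a multiple of 8 (required in IPv6)")
    if reserved != 0:
        raise ValueError("Reserved field must be zero")
    if spi == 0:
        raise ValueError("SPI 0 is reserved for local use and must not appear on the wire")
    return AuthHeader(next_header, payload_len, spi, sequence, data[AH_FIXED.size:total])


def demo() -> dict:
    """Round-trip constructed headers; returns the values worth checking."""
    icv96 = bytes.fromhex("0102030405060708090a0b0c")   # 12-octet ICV (HMAC-SHA1-96 size)
    icv128 = bytes(range(16))                           # 16-octet ICV (HMAC-SHA-256-128 size)
    ah_v4 = parse_ah(build_ah(IPPROTO_TCP, 0x1001, 7, icv96))
    ah_v4_128 = parse_ah(build_ah(IPPROTO_TCP, 0x1001, 8, icv128))
    ah_v6_128 = parse_ah(build_ah(IPPROTO_TCP, 0x1001, 9, icv128, ipv6=True), ipv6=True)
    try:
        # 28 octets is fine in IPv4 but not a multiple of 8, so it is illegal in IPv6
        parse_ah(build_ah(IPPROTO_TCP, 0x1001, 8, icv128), ipv6=True)
        misaligned_rejected = False
    except ValueError:
        misaligned_rejected = True
    return {
        "v4_payload_len": ah_v4.payload_len, "v4_octets": ah_v4.total_octets,
        "v4_128_octets": ah_v4_128.total_octets,
        "v6_128_payload_len": ah_v6_128.payload_len, "v6_128_octets": ah_v6_128.total_octets,
        "misaligned_rejected": misaligned_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The 12-octet ICV matches the 96-bit truncated tag of HMAC-SHA1-96 (RFC 2404) and the 16-octet one matches HMAC-SHA-256-128 (RFC 4868), both listed in the IETF documentation section below; the check that the SPI is nonzero follows RFC 4302, which reserves SPI 0 for local, implementation-specific use.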
Security Parameters Index (32 bits) Arbitrary value used (together with the destination IP address) to identify the security association of the receiving party.

Sequence Number (32 bits) A monotonically increasing sequence number (incremented by 1 for every packet sent) to protect against replay attacks. There is a separate counter kept for every security association.

Payload data (variable) The protected contents of the original IP packet, including any data used to protect the contents (e.g. an Initialisation Vector for the cryptographic algorithm). The type of content that was protected is indicated by the Next Header field.

Padding (0-255 octets) Padding for encryption, to extend the payload data to a size that fits the encryption’s cipher block size, and to align the next field.

Pad Length (8 bits) Size of the padding (in octets).

Next Header (8 bits) Type of the next header. The value is taken from the list of IP protocol numbers.

Integrity Check Value (multiple of 32 bits) Variable length check value. It may contain padding to align the field to an 8-octet boundary for IPv6, or a 4-octet boundary for IPv4.

37.2.3 Security association

Main article: Security association

The IP security architecture uses the concept of a security association as the basis for building security functions into IP. A security association is simply the bundle of algorithms and parameters (such as keys) that is being used to encrypt and authenticate a particular flow in one direction. Therefore, in normal bi-directional traffic, the flows are secured by a pair of security associations. Security associations are established using the Internet Security Association and Key Management Protocol (ISAKMP). ISAKMP is implemented by manual configuration with pre-shared secrets, Internet Key Exchange (IKE and IKEv2), Kerberized Internet Negotiation of Keys (KINK), and the use of IPSECKEY DNS records.[14][20][21] RFC 5386 defines Better-Than-Nothing Security (BTNS) as an unauthenticated mode of IPsec using an extended IKE protocol.

In order to decide what protection is to be provided for an outgoing packet, IPsec uses the Security Parameter Index (SPI), an index to the security association database (SADB), along with the destination address in a packet header, which together uniquely identify a security association for that packet. A similar procedure is performed for an incoming packet, where IPsec gathers decryption and verification keys from the security association database.

For multicast, a security association is provided for the group, and is duplicated across all authorized receivers of the group. There may be more than one security association for a group, using different SPIs, thereby allowing multiple levels and sets of security within a group. Indeed, each sender can have multiple security associations, allowing authentication, since a receiver can only know that someone knowing the keys sent the data. Note that the relevant standard does not describe how the association is chosen and duplicated across the group; it is assumed that a responsible party will have made the choice.

37.3 Modes of operation

IPsec can be implemented in a host-to-host transport mode, as well as in a network tunneling mode.

37.3.1 Transport mode

In transport mode, only the payload of the IP packet is usually encrypted or authenticated. The routing is intact, since the IP header is neither modified nor encrypted; however, when the authentication header is used, the IP addresses cannot be modified by network address translation, as this always invalidates the hash value. The transport and application layers are always secured by a hash, so they cannot be modified in any way, for example by translating the port numbers.

A means to encapsulate IPsec messages for NAT traversal has been defined by RFC documents describing the NAT-T mechanism.

37.3.2 Tunnel mode

Main article: Tunneling protocol

In tunnel mode, the entire IP packet is encrypted and authenticated. It is then encapsulated into a new IP packet with a new IP header. Tunnel mode is used to create virtual private networks for network-to-network communications (e.g. between routers to link sites), host-to-network communications (e.g. remote user access) and host-to-host communications (e.g. private chat).[22]

Tunnel mode supports NAT traversal.

37.4 Cryptographic algorithms

Cryptographic algorithms defined for use with IPsec include:

• HMAC-SHA1/SHA2 for integrity protection and authenticity.
• TripleDES-CBC for confidentiality
• AES-CBC for confidentiality.
• AES-GCM providing confidentiality and authentication together efficiently.

Refer to RFC 7321 for details.

37.5 Software implementations

IPsec support is usually implemented in the kernel with key management and ISAKMP/IKE negotiation carried out from user space. The openly specified “PF_KEY Key Management API, Version 2” is often used to enable the application-space key management application to update the IPsec Security Associations stored within the kernel-space IPsec implementation.[23]

Existing IPsec implementations usually include ESP, AH, and IKE version 2. Existing IPsec implementations on UNIX-like operating systems, for example, Solaris or Linux, usually include PF_KEY version 2.

37.6 Standards status

IPsec was developed in conjunction with IPv6 and was originally required to be supported by all standards-compliant implementations of IPv6 before RFC 6434 made it only a recommendation.[24] IPsec is also optional for IPv4 implementations. IPsec is most commonly used to secure IPv4 traffic.

IPsec protocols were originally defined in RFC 1825 through RFC 1829, which were published in 1995. In 1998, these documents were superseded by RFC 2401 and RFC 2412 with a few incompatible engineering details, although they were conceptually identical. In addition, a mutual authentication and key exchange protocol Internet Key Exchange (IKE) was defined to create and manage security associations. In December 2005, new standards were defined in RFC 4301 and RFC 4309 which are largely a superset of the previous editions with a second version of the Internet Key Exchange standard IKEv2. These third-generation documents standardized the abbreviation of IPsec to uppercase “IP” and lowercase “sec”. “ESP” generally refers to RFC 4303, which is the most recent version of the specification.

Since mid-2008, an IPsec Maintenance and Extensions (ipsecme) working group is active at the IETF.[25][26]

37.7 Alleged NSA interference

In 2013, as part of Snowden leaks, it was revealed that the US National Security Agency had been actively working to “Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets” as part of the Bullrun program.[27] There are allegations that IPsec was a targeted encryption system.[28]

The OpenBSD IPsec stack was the first implementation that was available under a permissive open-source license, and was therefore copied widely. In a letter which OpenBSD lead developer Theo de Raadt received on 11 Dec 2010 from Gregory Perry, it is alleged that Jason Wright and others, working for the FBI, inserted “a number of backdoors and side channel key leaking mechanisms” into the OpenBSD crypto code. In the forwarded email from 2010, Theo de Raadt did not at first express an official position on the validity of the claims, apart from the implicit endorsement from forwarding the email.[29] Jason Wright’s response to the allegations: “Every urban legend is made more real by the inclusion of real names, dates, and times. Gregory Perry’s email falls into this category. … I will state clearly that I did not add backdoors to the OpenBSD operating system or the OpenBSD crypto framework (OCF).”[30] Some days later, de Raadt commented that “I believe that NETSEC was probably contracted to write backdoors as alleged. … If those were written, I don't believe they made it into our tree.”[31] This was published before the Snowden leaks.

An alternative explanation put forward by the authors of the Logjam attack suggests that the NSA compromised IPsec VPNs by undermining the Diffie-Hellman algorithm used in the key exchange. In their paper[32] they allege the NSA specially built a computing cluster to precompute multiplicative subgroups for specific primes and generators, such as for the second Oakley group defined in RFC 2409. As of May 2015, 90% of addressable IPsec VPNs supported the second Oakley group as part of IKE. If an organization were to precompute this group, they could derive the keys being exchanged and decrypt traffic without inserting any software backdoors.

A second alternative explanation that was put forward was that the Equation Group used zero-day exploits against several manufacturers’ VPN equipment which were validated by Kaspersky Lab as being tied to the Equation Group[33] and validated by those manufacturers as being real exploits, some of which were zero-day exploits at the time of their exposure.[34][35][36] The Cisco PIX and ASA firewalls had vulnerabilities that were used for wiretapping by the NSA.

Furthermore, IPsec VPNs using “Aggressive Mode” settings send a hash of the PSK in the clear. This can be and apparently is targeted by the NSA using offline dictionary attacks.[37][38][39]

37.8 IETF documentation
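ESP receive processing with the anti-replay window that the Sequence Number fields above describe, as an added example (not the page's or any implementation's code). It uses the NULL cipher of RFC 2410 so that the trailer layout (Padding, Pad Length, Next Header, ICV) is visible in plaintext, HMAC-SHA1-96 from RFC 2404 for the ICV, and selects the security association by (SPI, destination address) as section 37.2.3 describes. Class and function names and every sample value (the key, SPI 0x1000, the 192.0.2.1 and 198.51.100.7 destinations, the payload) are constructed for the example:

```python
"""ESP (IP protocol 50) send and receive processing with the NULL cipher (RFC 2410)
and HMAC-SHA1-96 integrity (RFC 2404), a 64-packet anti-replay window, and SA
selection by (SPI, destination address). Added example, not the page's own code;
class and function names and all sample values are constructed for this example.
"""
import hashlib
import hmac
import struct

ESP_HEADER = struct.Struct("!II")   # SPI, Sequence Number
ICV_LEN = 12                        # HMAC-SHA1-96: 20-byte tag truncated to 96 bits
IPPROTO_TCP = 6


class ReplayWindow:
    """Sliding window over received sequence numbers (RFC 4303 anti-replay)."""

    def __init__(self, size: int = 64):
        self.size, self.highest, self.bitmap = size, 0, 0   # bit i set: (highest - i) seen

    def check(self, seq: int) -> bool:
        """True if seq is new and inside the window; does not change state."""
        if seq == 0:
            return False                       # the first packet on an SA carries 1
        if seq > self.highest:
            return True                        # right of the window: would advance it
        diff = self.highest - seq
        if diff >= self.size:
            return False                       # fell off the left edge: too old
        return not (self.bitmap >> diff) & 1   # bit set means already received

    def update(self, seq: int) -> None:
        """Mark seq as received; only call after the ICV has verified."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


class SecurityAssociation:
    def __init__(self, spi: int, dst: str, auth_key: bytes):
        self.spi, self.dst, self.auth_key = spi, dst, auth_key
        self.send_seq = 0                      # one counter per SA, as the text says
        self.window = ReplayWindow()

    def icv(self, authenticated: bytes) -> bytes:
        return hmac.new(self.auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]


def esp_encapsulate(sa: SecurityAssociation, payload: bytes, next_header: int = IPPROTO_TCP) -> bytes:
    """Sender: SPI | Seq | Payload | Padding | Pad Length | Next Header | ICV."""
    if sa.send_seq == 0xFFFFFFFF:
        raise OverflowError("sequence number exhausted: a new SA must be negotiated")
    sa.send_seq += 1
    pad_len = (-(len(payload) + 2)) % 4            # NULL cipher: trailer 4-octet aligned
    padding = bytes(range(1, pad_len + 1))         # default padding content 1, 2, 3, ...
    body = ESP_HEADER.pack(sa.spi, sa.send_seq) + payload + padding + bytes([pad_len, next_header])
    return body + sa.icv(body)


def esp_receive(sad: dict, dst: str, packet: bytes) -> tuple:
    """Receiver: returns (status, next_header, payload); the last two are None unless status is 'ok'."""
    if len(packet) < ESP_HEADER.size + 2 + ICV_LEN:
        return ("malformed", None, None)
    spi, seq = ESP_HEADER.unpack_from(packet)
    sa = sad.get((spi, dst))                       # SPI plus destination address selects the SA
    if sa is None:
        return ("no-sa", None, None)
    if not sa.window.check(seq):
        return ("replay", None, None)              # cheap rejection before any MAC work
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(sa.icv(body), icv):
        return ("bad-icv", None, None)             # window untouched: a forgery cannot advance it
    sa.window.update(seq)
    pad_len, next_header = body[-2], body[-1]
    inner = body[ESP_HEADER.size:-2]
    if pad_len > len(inner) or inner[len(inner) - pad_len:] != bytes(range(1, pad_len + 1)):
        return ("bad-padding", None, None)
    return ("ok", next_header, inner[:len(inner) - pad_len])


def demo() -> list:
    """Constructed exchange: three good packets, a replay, a forgery, then the genuine one."""
    key, dst = b"constructed-demo-key-not-for-real-use", "192.0.2.1"
    sender = SecurityAssociation(0x1000, dst, key)                 # sender's copy of the SA
    sad = {(0x1000, dst): SecurityAssociation(0x1000, dst, key)}   # receiver's SAD
    pkts = [esp_encapsulate(sender, b"constructed payload") for _ in range(4)]
    out = [esp_receive(sad, dst, p)[0] for p in pkts[:3]]          # ok, ok, ok
    out.append(esp_receive(sad, dst, pkts[1])[0])                  # replay of seq 2
    forged = pkts[3][:8] + bytes([pkts[3][8] ^ 1]) + pkts[3][9:]   # flip one payload bit of seq 4
    out.append(esp_receive(sad, dst, forged)[0])                   # bad-icv
    out.append(esp_receive(sad, dst, pkts[3])[0])                  # genuine seq 4 still accepted
    out.append(esp_receive(sad, "198.51.100.7", pkts[0])[0])       # no-sa: other destination
    return out
```

The window is consulted before the ICV is computed, so a replayed packet costs no MAC work, and it is advanced only after the ICV verifies, so a forged packet carrying a high sequence number cannot push genuine packets out of the window. The NULL cipher is only appropriate where confidentiality is not needed; an AEAD such as the AES-GCM listed in section 37.4 replaces the separate HMAC in current deployments.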
37.8.1 Standards Track

• RFC 1829: The ESP DES-CBC Transform
• RFC 2403: The Use of HMAC-MD5-96 within ESP and AH
• RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH
• RFC 2405: The ESP DES-CBC Cipher Algorithm With Explicit IV
• RFC 2410: The NULL Encryption Algorithm and Its Use With IPsec
• RFC 2451: The ESP CBC-Mode Cipher Algorithms
• RFC 2857: The Use of HMAC-RIPEMD-160-96 within ESP and AH
• RFC 3526: More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)
• RFC 3602: The AES-CBC Cipher Algorithm and Its Use with IPsec
• RFC 3686: Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP)
• RFC 3947: Negotiation of NAT-Traversal in the IKE
• RFC 3948: UDP Encapsulation of IPsec ESP Packets
• RFC 4106: The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)
• RFC 4301: Security Architecture for the Internet Protocol
• RFC 4302: IP Authentication Header
• RFC 4303: IP Encapsulating Security Payload
• RFC 4304: Extended Sequence Number (ESN) Addendum to IPsec Domain of Interpretation (DOI) for Internet Security Association and Key Management Protocol (ISAKMP)
• RFC 4307: Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2)
• RFC 4308: Cryptographic Suites for IPsec
• RFC 4309: Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP)
• RFC 4543: The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH
• RFC 4555: IKEv2 Mobility and Multihoming Protocol (MOBIKE)
• RFC 4806: Online Certificate Status Protocol (OCSP) Extensions to IKEv2
• RFC 4868: Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec
• RFC 4945: The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX
• RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
• RFC 5282: Using Authenticated Encryption Algorithms with the Encrypted Payload of the Internet Key Exchange version 2 (IKEv2) Protocol
• RFC 5386: Better-Than-Nothing Security: An Unauthenticated Mode of IPsec
• RFC 5529: Modes of Operation for Camellia for Use with IPsec
• RFC 5685: Redirect Mechanism for the Internet Key Exchange Protocol Version 2 (IKEv2)
• RFC 5723: Internet Key Exchange Protocol Version 2 (IKEv2) Session Resumption
• RFC 5857: IKEv2 Extensions to Support Robust Header Compression over IPsec
• RFC 5858: IPsec Extensions to Support Robust Header Compression over IPsec
• RFC 7296: Internet Key Exchange Protocol Version 2 (IKEv2)
• RFC 7321: Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH)
• RFC 7383: Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation
• RFC 7427: Signature Authentication in the Internet Key Exchange Version 2 (IKEv2)
• RFC 7634: ChaCha20, Poly1305, and Their Use in the Internet Key Exchange Protocol (IKE) and IPsec

37.8.2 Experimental RFCs

• RFC 4478: Repeated Authentication in Internet Key Exchange (IKEv2) Protocol

37.8.3 Informational RFCs

• RFC 2367: PF_KEY Interface
• RFC 2412: The OAKLEY Key Determination Protocol
• RFC 3706: A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers
• RFC 3715: IPsec-Network Address Translation (NAT) Compatibility Requirements
• RFC 4621: Design of the IKEv2 Mobility and Multihoming (MOBIKE) Protocol
• RFC 4809: Requirements for an IPsec Certificate Management Profile
• RFC 5387: Problem and Applicability Statement for Better-Than-Nothing Security (BTNS)
• RFC 5856: Integration of Robust Header Compression over IPsec Security Associations
• RFC 5930: Using Advanced Encryption Standard Counter Mode (AES-CTR) with the Internet Key Exchange version 02 (IKEv2) Protocol
• RFC 6027: IPsec Cluster Problem Statement
• RFC 6071: IPsec and IKE Document Roadmap
• RFC 6379: Suite B Cryptographic Suites for IPsec
• RFC 6380: Suite B Profile for Internet Protocol Security (IPsec)
• RFC 6467: Secure Password Framework for Internet Key Exchange Version 2 (IKEv2)

37.8.4 Best Current Practice RFCs

• RFC 5406: Guidelines for Specifying the Use of IPsec Version 2

37.8.5 Obsolete/Historic RFCs

• RFC 1825: Security Architecture for the Internet Protocol (obsoleted by RFC 2401)
• RFC 1826: IP Authentication Header (obsoleted by RFC 2402)
• RFC 1827: IP Encapsulating Security Payload (ESP) (obsoleted by RFC 2406)
• RFC 1828: IP Authentication using Keyed MD5 (historic)
• RFC 2401: Security Architecture for the Internet Protocol (IPsec overview) (obsoleted by RFC 4301)
• RFC 2406: IP Encapsulating Security Payload (ESP) (obsoleted by RFC 4303 and RFC 4305)
• RFC 2407: The Internet IP Security Domain of Interpretation for ISAKMP (obsoleted by RFC 4306)
• RFC 2409: The Internet Key Exchange (obsoleted by RFC 4306)
• RFC 4305: Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH) (obsoleted by RFC 4835)
• RFC 4306: Internet Key Exchange (IKEv2) Protocol (obsoleted by RFC 5996)
• RFC 4718: IKEv2 Clarifications and Implementation Guidelines (obsoleted by RFC 7296)
• RFC 4835: Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH) (obsoleted by RFC 7321)
• RFC 5996: Internet Key Exchange Protocol Version 2 (IKEv2) (obsoleted by RFC 7296)

37.9 See also

• Dynamic Multipoint Virtual Private Network
• Information security
• NAT traversal
• Opportunistic encryption
• tcpcrypt

37.10 References

[1] Kent, S.; Atkinson, R. (November 1998). IP Encapsulating Security Payload (ESP). IETF. RFC 2406. https://tools.ietf.org/html/rfc2406.
[2] “SIPP Encapsulating Security Payload”. IETF SIPP Working Group. 1993.
[3] “Draft SIPP Specification”. IETF. 1993. p. 21.
[4] http://www.toad.com/gnu/netcrypt.html
[5] “RFC4301: Security Architecture for the Internet Protocol”. Network Working Group of the IETF. December 2005. p. 4. The spelling “IPsec” is preferred and used throughout this and all related IPsec standards. All other capitalizations of IPsec [...] are deprecated.
[6] Thayer, R.; Doraswamy, N.; Glenn, R. (November 1998). IP Security Document Roadmap. IETF. RFC 2411. https://tools.ietf.org/html/rfc2411.
[7] Hoffman, P. (December 2005). Cryptographic Suites for IPsec. IETF. RFC 4308. https://tools.ietf.org/html/rfc4308.
[8] Kent, S.; Atkinson, R. (November 1998). IP Authentication Header. IETF. RFC 2402. https://tools.ietf.org/html/rfc2402.
[9] Kent, S. (December 2005). IP Authentication Header. IETF. RFC 4302. https://tools.ietf.org/html/rfc4302.
[10] The Internet Key Exchange (IKE), RFC 2409, §1 Abstract
[11] Harkins, D.; Carrel, D. (November 1998). The Internet Key Exchange (IKE). IETF. RFC 2409. https://tools.ietf.org/html/rfc2409.
[12] Kaufman, C., ed. IKE Version 2. IETF. RFC 4306. https://tools.ietf.org/html/rfc4306.
[13] Sakane, S.; Kamada, K.; Thomas, M.; Vilhuber, J. (November 1998). Kerberized Internet Negotiation of Keys (KINK). IETF. RFC 4430. https://tools.ietf.org/html/rfc4430.
[14] Richardson, M. (February 2005). A Method for Storing IPsec Keying Material in DNS. IETF. RFC 4025. https://tools.ietf.org/html/rfc4025.
[15] “Protocol Numbers”. IANA. 2010-05-27. Archived from the original on 2010-07-27.
[16] Bellovin, Steven M. (1996). “Problem Areas for the IP Security Protocols” (PostScript). Proceedings of the Sixth Usenix Unix Security Symposium. San Jose, CA. pp. 1–16. Retrieved 2007-07-09.
[17] Paterson, Kenneth G.; Yau, Arnold K.L. (2006-04-24). “Cryptography in theory and practice: The case of encryption in IPsec” (PDF). Eurocrypt 2006, Lecture Notes in Computer Science Vol. 4004. Berlin. pp. 12–29. Retrieved 2007-08-13.
[18] Degabriele, Jean Paul; Paterson, Kenneth G. (2007-08-09). “Attacking the IPsec Standards in Encryption-only Configurations” (PDF). IEEE Symposium on Security and Privacy, IEEE Computer Society. Oakland, CA. pp. 335–349. Retrieved 2007-08-13.
[19] Kent, S. (December 2005). IP Encapsulating Security Payload (ESP). IETF. RFC 4303. https://tools.ietf.org/html/rfc4303.
[20] RFC 2406, §1, page 2
[21] RFC 3129
[22] William, S., & Stallings, W. (2006). Cryptography and Network Security, 4/E. Pearson Education India. pp. 492–493
[23] RFC 2367, PF_KEYv2 Key Management API, Dan McDonald, Bao Phan, & Craig Metz (July 1998)
[24] RFC 6434, “IPv6 Node Requirements”, E. Jankiewicz, J. Loughney, T. Narten (December 2011)
[25] “ipsecme charter”. Retrieved 2015-10-26.
[26] “ipsecme status”. Retrieved 2015-10-26.
[27] “Secret Documents Reveal N.S.A. Campaign Against Encryption”. New York Times.
[28] John Gilmore. “Re: [Cryptography] Opening Discussion: Speculation on “BULLRUN””.
[29] Theo de Raadt. “Allegations regarding OpenBSD IPSEC”.
[30] Jason Wright. “Allegations regarding OpenBSD IPSEC”.
[31] Theo de Raadt. “Update on the OpenBSD IPSEC backdoor allegation”.
[32] David Adrian; Karthikeyan Bhargavan; Zakir Durumeric; Pierrick Gaudry; Matthew Green; J. Alex Halderman; Nadia Heninger; Drew Springall; Emmanuel Thomé; Luke Valenta; Benjamin VanderSloot; Eric Wustrow; Santiago Zanella-Béguelin; Paul Zimmermann. “Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice” (PDF).
[33] Goodin, Dan (August 16, 2016). “Confirmed: hacking tool leak came from “omnipotent” NSA-tied group”. Ars Technica. Retrieved August 19, 2016.
[34] Thomson, Iain (August 17, 2016). “Cisco confirms two of the Shadow Brokers’ 'NSA' vulns are real”. The Register. Retrieved September 16, 2016.
[35] Pauli, Darren (August 24, 2016). “Equation Group exploit hits newer Cisco ASA, Juniper Netscreen”. The Register. Retrieved September 16, 2016.
[36] Chirgwin, Richard (August 18, 2016). “Fortinet follows Cisco in confirming Shadow Broker vuln”. The Register. Retrieved September 16, 2016.
[37] https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf
[38] http://crypto.stackexchange.com/questions/27404/what-are-the-problems-of-ikev1-aggressive-mode-compared-to-ikev1-main
[39] https://nohats.ca/wordpress/blog/2014/12/29/dont-stop-using-ipsec-just-yet/

37.11 External links

• Computer Security at DMOZ
• All IETF active security WGs
• IETF ipsecme WG (“IP Security Maintenance and Extensions” Working Group)
• IETF btns WG (“Better-Than-Nothing Security” Working Group) (chartered to work on unauthenticated IPsec, IPsec APIs, connection latching)
• Securing Data in Transit with IPsec, WindowsSecurity.com article by Deb Shinder
• IPsec on Microsoft TechNet
• Microsoft IPsec Diagnostic Tool on Microsoft Download Center
• An Illustrated Guide to IPsec by Steve Friedl
• Security Architecture for IP (IPsec), Data Communication Lectures by Manfred Lindner, Part IPsec
• Creating VPNs with IPsec and SSL/TLS, Linux Journal article by Rami Rosen

Chapter 38

Data link layer

The data link layer or layer 2 is the second layer of the seven-layer OSI model of computer networking.
This layer is the protocol layer that transfers data between adjacent network nodes in a wide area network (WAN) or between nodes on the same local area network (LAN) segment.[1] The data link layer provides the functional and procedural means to transfer data between network entities and might provide the means to detect and possibly correct errors that may occur in the physical layer. The data link layer is concerned with local delivery of frames between devices on the same LAN. Data-link frames, as these protocol data units are called, do not cross the boundaries of a local network. Inter-network routing and global addressing are higher-layer functions, allowing data-link protocols to focus on local delivery, addressing, and media arbitration. This way, the data link layer is analogous to a neighborhood traffic cop; it endeavors to arbitrate between parties contending for access to a medium, without concern for their ultimate destination. When devices attempt to use a medium simultaneously, frame collisions occur. Data-link protocols specify how devices detect and recover from such collisions, and may provide mechanisms to reduce or prevent them. Examples of data link protocols are Ethernet for local area networks (multi-node), the Point-to-Point Protocol (PPP), HDLC and ADCCP for point-to-point (dual-node) connections. In the Internet Protocol Suite (TCP/IP), the data link layer functionality is contained within the link layer, the lowest layer of the descriptive model. data-link protocols do not have acknowledgments of successful frame reception and acceptance, and some datalink protocols might not even have any form of checksum to check for transmission errors. In those cases, higherlevel protocols must provide flow control, error checking, and acknowledgments and retransmission. 
In some networks, such as IEEE 802 local area networks, the data link layer is described in more detail with media access control (MAC) and logical link control (LLC) sublayers; this means that the IEEE 802.2 LLC protocol can be used with all of the IEEE 802 MAC layers, such as Ethernet, token ring, IEEE 802.11, etc., as well as with some non-802 MAC layers such as FDDI. Other data-link-layer protocols, such as HDLC, are specified to include both sublayers, although some other protocols, such as Cisco HDLC, use HDLC’s low-level framing as a MAC layer in combination with a different LLC layer. In the ITU-T G.hn standard, which provides a way to create a high-speed (up to 1 Gigabit/s) local area network using existing home wiring (power lines, phone lines and coaxial cables), the data link layer is divided into three sub-layers (application protocol convergence, logical link control and media access control). Within the semantics of the OSI network architecture, the data-link-layer protocols respond to service requests from the network layer and they perform their function by issuing service requests to the physical layer. 38.2 Sublayers The data link layer has two sublayers: logical link control (LLC) and media access control (MAC).[2] 38.1 Overview A frame’s header contains source and destination addresses that indicate which device originated the frame and which device is expected to receive and process it. In contrast to the hierarchical and routable addresses of the network layer, layer-2 addresses are flat, meaning that no part of the address can be used to identify the logical or physical group to which the address belongs. 38.2.1 Logical link control sublayer The uppermost sublayer, LLC, multiplexes protocols running atop the data link layer, and optionally provides flow control, acknowledgment, and error notification. The LLC provides addressing and control of the data link. 
It specifies which mechanisms are to be used for addressing The data link thus provides data transfer across the physi- stations over the transmission medium and for controlling cal link. That transfer can be reliable or unreliable; many the data exchanged between the originator and recipient 185 186 CHAPTER 38. DATA LINK LAYER 38.3 Services machines. 38.2.2 Media access control sublayer MAC may refer to the sublayer that determines who is allowed to access the media at any one time (e.g. CSMA/CD). Other times it refers to a frame structure delivered based on MAC addresses inside. There are generally two forms of media access control: distributed and centralized.[3] Both of these may be compared to communication between people. In a network made up of people speaking, i.e. a conversation, we look for clues from our fellow talkers to see if any of them appear to be about to speak. If two people speak at the same time, they will each pause a random amount of time and then attempt to speak again, effectively establishing a long and elaborate game of saying “no, you first”. The Media Access Control sublayer also determines where one frame of data ends and the next one starts – frame synchronization. There are four means of frame synchronization: time based, character counting, byte stuffing and bit stuffing. • The time based approach simply puts a specified amount of time between frames. The major drawback of this is that new gaps can be introduced or old gaps can be lost due to external influences. • Character counting simply notes the count of remaining characters in the frame’s header. This method, however, is easily disturbed if this field gets faulty in some way, thus making it hard to keep up synchronization. • Byte stuffing precedes the frame with a special byte sequence such as DLE STX and succeeds it with DLE ETX. Appearances of DLE (byte value 0x10) have to be escaped with another DLE. 
The start and stop marks are detected at the receiver and removed as well as the inserted DLE characters. • Similarly, bit stuffing replaces these start and end marks with flag consisting of a special bit pattern (e.g. a 0, six 1 bits and a 0). Occurrences of this bit pattern in the data to be transmitted are avoided by inserting a bit. To use the example where the flag is 01111110, a 0 is inserted after 5 consecutive 1’s in the data stream. The flags and the inserted 0’s are removed at the receiving end. This makes for arbitrary long frames and easy synchronization for the recipient. Note that this stuffed bit is added even if the following data bit is 0, which could not be mistaken for a sync sequence, so that the receiver can unambiguously distinguish stuffed bits from normal bits. • Encapsulation of network layer data packets into frames • Frame synchronization • Logical link control (LLC) sublayer: • Error control (automatic repeat request,ARQ), in addition to ARQ provided by some transport-layer protocols, to forward error correction (FEC) techniques provided on the physical layer, and to error-detection and packet canceling provided at all layers, including the network layer. Data-link-layer error control (i.e. retransmission of erroneous packets) is provided in wireless networks and V.42 telephone network modems, but not in LAN protocols such as Ethernet, since bit errors are so uncommon in short wires. In that case, only error detection and canceling of erroneous packets are provided. • Flow control, in addition to the one provided on the transport layer. Data-link-layer error control is not used in LAN protocols such as Ethernet, but in modems and wireless networks. • Media access control (MAC) sublayer: • Multiple access protocols for channel-access control, for example CSMA/CD protocols for collision detection and re-transmission in Ethernet bus networks and hub networks, or the CSMA/CA protocol for collision avoidance in wireless networks. 
• Physical addressing (MAC addressing) • LAN switching (packet switching), including MAC filtering, Spanning Tree Protocol (STP) and Shortest Path Bridging (SPB) • Data packet queuing or scheduling • Store-and-forward switching or cut-through switching • Quality of Service (QoS) control • Virtual LANs (VLAN) 38.4 Error detection and correction Beside framing, data link layers also include mechanisms to detect and even recover from transmission errors. For a receiver to detect transmission error, the sender must add redundant information (in the form of bits) as an error detection code to the frame sent. When the receiver 38.6. RELATION TO THE TCP/IP MODEL 187 obtains a frame with an error detection code it recomputes it and verifies whether the received error detection code matches the computed error detection code. If they match the frame is considered to be valid. • LattisNet An error detection code can be defined as a function that computes the r (amount of redundant bits) corresponding to each string of N total number of bits. The simplest error detection code is the parity bit, which allows a receiver to detect transmission errors that have affected a single bit among the transmitted N + r bits. If there are two or more bits in error, the receiver may not be able to detect the transmission error. • LocalTalk A simple example of how this works using metadata is transmitting the word “HELLO”, by encoding each letter as its position in the alphabet. Thus, the letter A is coded as 1, B as 2, and so on as shown in the table on the right. Adding up the resulting numbers yields 8 + 5 + 12 + 12 + 15 = 52, and 5 + 2 = 7 calculates the metadata. Finally, the “8 5 12 12 15 7” numbers sequence is transmitted, which the receiver will see on its end if there are no transmission errors. 
The receiver knows that the last number received is the error-detecting metadata and that all data before it is the message, so the receiver can recalculate the above math, and if the metadata matches it can be concluded that the data has been received error-free. If, however, the receiver sees something like a “7 5 12 12 15 7” sequence, it can run the check by calculating 7 + 5 + 12 + 12 + 15 = 51 and 5 + 1 = 6, and discard the received data as defective since 6 does not equal 7.

38.5 Protocol examples

• Address Resolution Protocol (ARP)
• ARCnet
• ATM
• Cisco Discovery Protocol (CDP)
• Controller Area Network (CAN)
• Econet
• Ethernet
• Ethernet Automatic Protection Switching (EAPS)
• Fiber Distributed Data Interface (FDDI)
• Frame Relay
• High-Level Data Link Control (HDLC)
• IEEE 802.2 (provides LLC functions to IEEE 802 MAC layers)
• IEEE 802.11 wireless LAN
• I²C
• LattisNet
• LocalTalk
• Link Access Procedures, D channel (LAPD)
• Link Layer Discovery Protocol (LLDP)
• MIL-STD-1553
• Multiprotocol Label Switching (MPLS)
• Nortel Discovery Protocol (NDP)
• OpenFlow (SDN)
• Point-to-Point Protocol (PPP)
• Profibus
• SpaceWire
• Serial Line Internet Protocol (SLIP) (obsolete)
• Split multi-link trunking (SMLT)
• IEEE 802.1aq - Shortest Path Bridging
• Spanning Tree Protocol
• StarLan
• Token ring
• Unidirectional Link Detection (UDLD)
• UNI/O
• 1-Wire
• and most forms of serial communication.

38.6 Relation to the TCP/IP model

In the Internet Protocol Suite (TCP/IP), OSI’s data link layer functionality is contained within its lowest layer, the link layer. The TCP/IP link layer has the operating scope of the link a host is connected to, and only concerns itself with hardware issues to the point of obtaining hardware (MAC) addresses for locating hosts on the link and transmitting data frames onto the link. The link layer functionality was described in RFC 1122 and is defined differently than the Data Link Layer of OSI, and encompasses all methods that affect the local link.

The TCP/IP model is not a top-down comprehensive design reference for networks. It was formulated for the purpose of illustrating the logical groups and scopes of functions needed in the design of the suite of internetworking protocols of TCP/IP, as needed for the operation of the Internet. In general, direct or strict comparisons of the OSI and TCP/IP models should be avoided, because the layering in TCP/IP is not a principal design criterion and is in general considered to be “harmful” (RFC 3439). In particular, TCP/IP does not dictate a strict hierarchical sequence of encapsulation requirements, as is attributed to OSI protocols.

38.7 See also

• ODI
• NDIS
• SANA-II – Standard Amiga Networking Architecture, version 2

38.9 External links

• DataLink layer simulation, written in C#
• DataLink Layer, Part 2: Error Detection and Correction

Chapter 39

Forwarding plane

In routing, the forwarding plane, sometimes called the data plane or user plane, defines the part of the router architecture that decides what to do with packets arriving on an inbound interface. Most commonly, it refers to a table in which the router looks up the destination address of the incoming packet and retrieves the information necessary to determine the path from the receiving element, through the internal forwarding fabric of the router, and to the proper outgoing interface(s).

Figure: Cisco VIP 2-40, from an older generation of routers.

Figure: Performance Route Processor, from the high-end Cisco 12000 series.

In certain cases the table may specify that a packet is to be discarded. In such cases, the router may return an ICMP “destination unreachable” or other appropriate code. Some security policies, however, dictate that the router should drop the packet silently, in order that a potential attacker does not become aware that a target is being protected.

The incoming forwarding element will also decrement the time-to-live (TTL) field of the packet, and, if the new value is zero, discard the packet. While the Internet Protocol (IP) specification indicates that an Internet Control Message Protocol (ICMP) time exceeded message should be sent to the originator of the packet (i.e. the node indicated by the source address), the router may be configured to drop the packet silently (again according to security policies).

Depending on the specific router implementation, the table in which the destination address is looked up could be the routing table (also known as the routing information base, RIB), or a separate forwarding information base (FIB) that is populated (i.e., loaded) by the routing control plane, but used by the forwarding plane for look-ups at much higher speeds. Before or after examining the destination, other tables may be consulted to make decisions to drop the packet based on other characteristics, such as the source address, the IP protocol identifier field, or Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number.
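An added example, not code from the article: a small forwarding table built as a binary trie (one of the tree-style FIB structures discussed later in this chapter) with longest-prefix-match lookup, and a per-packet decision that applies the discard and TTL rules above. Interface names and prefixes are constructed.

```python
import ipaddress

DISCARD = None          # next hop meaning "the table says this packet is to be discarded"


class Fib:
    """Forwarding table as a binary trie over IPv4 prefix bits, supporting
    longest-prefix-match lookup. Each node may carry one (prefix, next_hop) entry."""

    def __init__(self):
        self.root = {}      # node: {"0": child, "1": child, "entry": (prefix, next_hop)}

    def add(self, prefix, next_hop):
        net = ipaddress.IPv4Network(prefix)
        node = self.root
        for bit in format(int(net.network_address), "032b")[:net.prefixlen]:
            node = node.setdefault(bit, {})
        node["entry"] = (str(net), next_hop)

    def lookup(self, dst):
        """Walk the trie along the destination's bits; the deepest entry passed
        on the way is the longest matching prefix."""
        node, best = self.root, self.root.get("entry")
        for bit in format(int(ipaddress.IPv4Address(dst)), "032b"):
            node = node.get(bit)
            if node is None:
                break
            if "entry" in node:
                best = node["entry"]
        return best         # (prefix, next_hop), or None when no route matches


def forward(fib, dst, ttl, silent_drop=True):
    """One forwarding-plane decision for a packet with destination dst and the TTL
    it arrived with. Drops happen for TTL expiry, no matching route, or a discard
    entry; "icmp" names the message the router would send unless policy says to
    drop silently, in which case it is None."""
    ttl -= 1                                   # the forwarding element decrements TTL
    if ttl <= 0:
        return {"action": "drop", "reason": "ttl-expired",
                "icmp": None if silent_drop else "time-exceeded"}
    match = fib.lookup(dst)
    if match is None:
        return {"action": "drop", "reason": "no-route",
                "icmp": None if silent_drop else "destination-unreachable"}
    prefix, next_hop = match
    if next_hop is DISCARD:
        return {"action": "drop", "reason": "null-route", "prefix": prefix,
                "icmp": None if silent_drop else "destination-unreachable"}
    return {"action": "forward", "prefix": prefix, "next_hop": next_hop, "ttl": ttl}


def sample_fib():
    """Constructed table: a default route, an aggregate, a more specific prefix,
    and a null route that discards traffic for one /24."""
    fib = Fib()
    fib.add("0.0.0.0/0", "eth0")
    fib.add("10.0.0.0/8", "eth1")
    fib.add("10.1.0.0/16", "eth2")
    fib.add("10.1.2.0/24", DISCARD)
    return fib


if __name__ == "__main__":
    fib = sample_fib()
    for dst in ("10.1.9.9", "10.200.0.1", "8.8.8.8", "10.1.2.3"):
        print(dst, forward(fib, dst, 64))
    print(forward(fib, "8.8.8.8", 1, silent_drop=False))   # TTL expires: time-exceeded
```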
The IP Multimedia Subsystem architecture uses the term transport plane to describe a function roughly equivalent to the routing control plane.

Forwarding plane functions run in the forwarding element.[1] High-performance routers often have multiple distributed forwarding elements, so that the router increases performance with parallel processing.

The outgoing interface will encapsulate the packet in the appropriate data link protocol. Depending on the router software and its configuration, functions, usually implemented at the outgoing interface, may set various packet fields, such as the DSCP field used by differentiated services.

In general, the passage from the input interface directly to an output interface, through the fabric with minimum modification at the output interface, is called the fast path of the router. If the packet needs significant processing, such as segmentation or encryption, it may go onto a slower path, which is sometimes called the services plane of the router. Service planes can make forwarding or processing decisions based on higher-layer information, such as a Web URL contained in the packet payload.

39.1 Issues in router forwarding performance

Vendors design router products for specific markets. Design of routers intended for home use, perhaps supporting several PCs and VoIP telephony, is driven by keeping the cost as low as possible. In such a router, there is no separate forwarding fabric, and there is only one active forwarding path: into the main processor and out of the main processor. Routers for more demanding applications accept greater cost and complexity to get higher throughput in their forwarding planes.

Several design factors affect router forwarding performance:

• Data link layer processing and extracting the packet
• Decoding the packet header
• Looking up the destination address in the packet header
• Analyzing other fields in the packet
• Sending the packet through the “fabric” interconnecting the ingress and egress interfaces
• Processing and data link encapsulation at the egress interface

Routers may have one or more processors. In a uniprocessor design, these performance parameters are affected not just by the processor speed, but by competition for the processor. Higher-performance routers invariably have multiple processing elements, which may be general-purpose processor chips or specialized application-specific integrated circuits (ASIC). Very high performance products have multiple processing elements on each interface card. In such designs, the main processor does not participate in forwarding, but only in control plane and management processing.

39.1.1 Benchmarking performance

In the Internet Engineering Task Force, two working groups in the Operations & Maintenance Area deal with aspects of performance. The Interprovider Performance Measurement (IPPM) group focuses, as its name would suggest, on operational measurement of services. Performance measurements on single routers, or narrowly defined systems of routers, are the province of the Benchmarking Working Group (BMWG).

RFC 2544 is the key BMWG document.[2] A classic RFC 2544 benchmark uses half the router’s (i.e., the device under test (DUT)) ports for input of a defined load, and measures the time at which the outputs appear at the output ports.

39.2 Forwarding information base design

Originally, all destinations were looked up in the RIB. Perhaps the first step in speeding routers was to have a separate RIB and FIB in main memory, with the FIB, typically with fewer entries than the RIB, being organized for fast destination lookup. In contrast, the RIB was optimized for efficient updating by routing protocols.

Early uniprocessing routers usually organized the FIB as a hash table, while the RIB might be a linked list. Depending on the implementation, the FIB might have fewer entries than the RIB, or the same number.

When routers started to have separate forwarding processors, these processors usually had far less memory than the main processor, such that the forwarding processor could hold only the most frequently used routes. On the early Cisco AGS+ and 7000, for example, the forwarding processor cache could hold approximately 1000 route entries. In an enterprise, this would often work quite well, because there were fewer than 1000 server or other popular destination subnets. Such a cache, however, was far too small for general Internet routing. Different router designs behaved in different ways when a destination was not in the cache.

39.2.1 Cache miss issues

A cache miss condition might result in the packet being sent back to the main processor, to be looked up in a slow path that had access to the full routing table. Depending on the router design, a cache miss might cause an update to the fast hardware cache or the fast cache in main memory. In some designs, it was most efficient to invalidate the fast cache for a cache miss, send the packet that caused the cache miss through the main processor, and then repopulate the cache with a new table that included the destination that caused the miss. This approach is similar to an operating system with virtual memory, which keeps the most recently used information in physical memory.

As memory costs went down and performance needs went up, FIBs emerged that had the same number of route entries as in the RIB, but arranged for fast lookup rather than fast update. Whenever a RIB entry changed, the router changed the corresponding FIB entry.

39.2.2 FIB design alternatives

High-performance FIBs achieve their speed with implementation-specific combinations of specialized algorithms and hardware.

Software

Various search algorithms have been used for FIB lookup. While well-known general-purpose data structures were first used, such as hash tables, specialized algorithms, optimized for IP addresses, emerged. They include:

• Binary tree
• Radix tree
• Four-way trie
• Patricia tree[3]

A multicore CPU architecture is commonly used to implement high-performance networking systems. These platforms facilitate the use of a software architecture in which the high-performance packet processing is performed within a fast path environment on dedicated cores, in order to maximize system throughput. A run-to-completion model minimizes OS overhead and latency.[4]

Hardware

Various forms of fast RAM and, eventually, basic content addressable memory (CAM) were used to speed lookup. CAM, while useful in layer 2 switches that needed to look up a relatively small number of fixed-length MAC addresses, had limited utility with IP addresses having variable-length routing prefixes (see Classless Inter-Domain Routing). Ternary CAM (TCAM), while expensive, lends itself to variable-length prefix lookups.[5]

One of the challenges of forwarder lookup design is to minimize the amount of specialized memory needed, and, increasingly, to minimize the power consumed by memory.[6]

39.3 Distributed forwarding

A next step in speeding routers was to have a specialized forwarding processor separate from the main processor. There was still a single path, but forwarding no longer had to compete with control in a single processor. The fast routing processor typically had a small FIB, with hardware memory (e.g., static random access memory (SRAM)) faster and more expensive than the FIB in main memory. Main memory was generally dynamic random access memory (DRAM).

39.3.1 Early distributed forwarding

Next, routers began to have multiple forwarding elements that communicated through a high-speed shared bus[7] or through a shared memory.[8] Cisco used shared busses until they saturated, while Juniper preferred shared memory.[9]

Each forwarding element had its own FIB. See, for example, the Versatile Interface Processor on the Cisco 7500.[10]

Eventually, the shared resource became a bottleneck, with the limit of shared bus speed being roughly 2 million packets per second (Mpps). Crossbar fabrics broke through this bottleneck.

39.3.2 Shared paths become bottlenecks

As forwarding bandwidth increased, even with the elimination of cache miss overhead, the shared paths limited throughput. While a router might have 16 forwarding engines, if there was a single bus, only one packet transfer at a time was possible. There were some special cases where a forwarding engine might find that the output interface was one of the logical or physical interfaces present on the forwarder card, such that the packet flow was totally inside the forwarder. It was often easier, however, even in this special case, to send the packet out the bus and receive it from the bus.

While some designs experimented with multiple shared buses, the eventual approach was to adapt the crossbar switch model from telephone switches, in which every forwarding engine had a hardware path to every other forwarding engine. With a small number of forwarding engines, crossbar forwarding fabrics are practical and efficient for high-performance routing. There are multistage designs for crossbar systems, such as Clos networks.

39.4 See also

• Network processor
• Network Search Engine

39.5 References

[1] Forwarding and Control Element Separation (ForCES) Framework, RFC 3746, Network Working Group, April 2004
[2] Methodology for Network Interconnect Devices, RFC 2544, S. Bradner & J. McQuade, March 1999
[3] Routing on Longest Matching Prefixes, ID, W. Doeringer et al., IEEE/ACM Transactions on Networking, February 1996
[4] “6WINDGate Software Modules”. 6WIND. Retrieved 14 August 2015.
[5] Efficient Mapping of Range Classifier into Ternary-CAM, IEEE Symposium on High-Speed Interconnects, H. Liu, August 2002
[6] Reducing TCAM Power Consumption and Increasing Throughput, IEEE Symposium on High-Speed Interconnects, R. Panigrahy & S. Sharma, August 2002
[7] High Performance IP Forwarding Using Host Interface Peering, J. Touch et al., Proc. 9th IEEE Workshop on Local and Metropolitan Area Networks (LANMAN), May 1998
[8] Shared Memory Multiprocessor Architectures for Software IP Routers, Y. Luo et al., IEEE Transactions on Parallel and Distributed Systems, 2003
[9] Juniper Networks Router Architecture, Juniper Networks Reference Guide: JUNOS Routing, Configuration, and Architecture, T. Thomas, Addison-Wesley Professional, 2003
[10] Hardware Architecture of the Cisco 7500 Router, Inside Cisco IOS Software Architecture (CCIE Professional Development), V. Bollapragada et al., Cisco Press, 2000

Chapter 40

Access control list

This article is about the computer permissions list. For the ligament, see Anterior cruciate ligament.

An access control list (ACL), with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.[1] Each entry in a typical ACL specifies a subject and an operation. For instance, if a file object has an ACL that contains (Alice: read,write; Bob: read), this would give Alice permission to read and write the file and Bob to only read it.

40.1 Implementations

Many kinds of systems implement ACLs, or have a historical implementation.

40.1.1 Filesystem ACLs

In the 1990s the ACL and RBAC models were extensively tested and used to administrate file permissions.

A filesystem ACL is a data structure (usually a table) containing entries that specify individual user or group rights to specific system objects such as programs, processes, or files. These entries are known as access control entries (ACEs) in the Microsoft Windows NT,[2] OpenVMS, Unix-like, and Mac OS X operating systems. Each accessible object contains an identifier to its ACL. The privileges or permissions determine specific access rights, such as whether a user can read from, write to, or execute an object. In some implementations, an ACE can control whether or not a user, or group of users, may alter the ACL on an object.

Most of the Unix and Unix-like operating systems (e.g. Linux,[3] BSD, or Solaris) support POSIX.1e ACLs, based on an early POSIX draft that was withdrawn in 1997. Many of them, for example AIX, FreeBSD,[4] Mac OS X beginning with version 10.4 (“Tiger”), or Solaris with the ZFS filesystem,[5] support NFSv4 ACLs, which are part of the NFSv4 standard. There are two experimental implementations of NFSv4 ACLs for Linux: NFSv4 ACLs support for the Ext3 filesystem[6] and the more recent Richacls,[7] which brings NFSv4 ACLs support for the Ext4 filesystem.

40.1.2 Networking ACLs

On some types of proprietary computer hardware (in particular routers and switches), an access control list refers to rules that are applied to port numbers or IP addresses that are available on a host or other layer 3 device, each with a list of hosts and/or networks permitted to use the service. Although it is additionally possible to configure access control lists based on network domain names, this is generally a questionable idea because individual TCP, UDP, and ICMP headers do not contain domain names. Consequently, the device enforcing the access control list must separately resolve names to numeric addresses. This presents an additional attack surface for an attacker who is seeking to compromise the security of the system which the access control list is protecting.
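A minimal network ACL evaluator, added here as an illustration and not taken from any router or firewall product: rules match first-match with an implicit deny, rule text must use numeric addresses (the domain-name caveat above), and a shadowing check flags rules that an earlier rule makes unreachable. The rule syntax, addresses and sample rules are all constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    direction: str                   # "in" or "out"
    proto: str                       # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None   # None means any port


def parse_rule(text):
    """Constructed syntax: 'permit in tcp 203.0.113.0/24 -> 192.0.2.10 port 443'.
    Addresses must be numeric: the packet headers the ACL matches carry no names,
    so a rule written with a hostname would depend on a separate resolution step."""
    tokens = text.split()
    if len(tokens) not in (6, 8) or tokens[4] != "->":
        raise ValueError(f"malformed rule: {text!r}")
    action, direction, proto, src, _, dst = tokens[:6]
    if action not in ("permit", "deny") or direction not in ("in", "out"):
        raise ValueError(f"malformed rule: {text!r}")
    port = int(tokens[7]) if len(tokens) == 8 and tokens[6] == "port" else None
    try:
        src_net = ipaddress.IPv4Network(src if "/" in src else src + "/32", strict=False)
        dst_net = ipaddress.IPv4Network(dst if "/" in dst else dst + "/32", strict=False)
    except ValueError as e:
        raise ValueError(f"ACL rules need numeric addresses, not names: {text!r}") from e
    return Rule(action, direction, proto, src_net, dst_net, port)


def evaluate(acl, direction, proto, src_ip, dst_ip, dst_port=None):
    """First matching rule wins. Returns (action, index of the matching rule);
    a packet no rule matches is denied (implicit deny), with index None."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for i, r in enumerate(acl):
        if r.direction != direction or r.proto not in ("any", proto):
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        return r.action, i
    return "deny", None


def shadowed(acl):
    """Indices of rules that can never match because an earlier rule already
    covers every packet they would match (a common ACL review finding)."""
    out = []
    for i, r in enumerate(acl):
        for e in acl[:i]:
            if (e.direction == r.direction and e.proto in ("any", r.proto)
                    and r.src.subnet_of(e.src) and r.dst.subnet_of(e.dst)
                    and e.dst_port in (None, r.dst_port)):
                out.append(i)
                break
    return out


# Constructed sample ACL protecting a host at 192.0.2.10 (documentation addresses).
SAMPLE_ACL = [parse_rule(line) for line in (
    "permit in tcp 203.0.113.0/24 -> 192.0.2.10 port 443",
    "deny in tcp 0.0.0.0/0 -> 192.0.2.10 port 22",
    "permit in tcp 198.51.100.0/24 -> 192.0.2.10 port 22",   # shadowed by the deny above
    "permit out any 192.0.2.0/24 -> 0.0.0.0/0",
)]

if __name__ == "__main__":
    print(evaluate(SAMPLE_ACL, "in", "tcp", "203.0.113.7", "192.0.2.10", 443))
    print(evaluate(SAMPLE_ACL, "in", "tcp", "198.51.100.5", "192.0.2.10", 22))
    print(evaluate(SAMPLE_ACL, "in", "udp", "203.0.113.7", "192.0.2.10", 53))
    print("shadowed rules:", shadowed(SAMPLE_ACL))
```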
Both individual servers as well as routers can have network ACLs. Access control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls. Like firewalls, ACLs could be subject to security regulations and standards such as PCI DSS.

40.1.3 SQL implementations

ACL algorithms have been ported to SQL and relational database systems. Many “modern” (2000s and 2010s) SQL-based systems, like enterprise resource planning and content management systems, have used the ACL model in their administration modules.

40.2 Comparing with RBAC

The main alternative to the ACL model is the Role-based access control (RBAC) model. A “minimal RBAC Model”, RBACm, can be compared with an ACL mechanism, ACLg, where only groups are permitted as entries in the ACL. Barkley (1997)[8] showed that RBACm and ACLg are equivalent.

In modern SQL implementations, ACLs also manage groups and inheritance in a hierarchy of groups. So “modern ACLs” can express all that RBAC expresses, and are notably powerful (compared to “old ACLs”) in their ability to express access control policy in terms of the way in which administrators view organizations. For data interchange, and for “high level comparisons”, ACL data can be translated to XACML.[9]

40.3 See also

• Cacls
• Capability-based security
• Confused deputy problem
• DACL
• Role-based access control (RBAC)

40.4 References

[1] RFC 4949
[2] “Managing Authorization and Access Control”. Microsoft Technet. 2005-11-03. Retrieved 2013-04-08.
[3] “Red Hat Enterprise Linux AS 3 Release Notes (x86 Edition)”. Red Hat. 2003. Retrieved 2013-04-08. EA (Extended Attributes) and ACL (Access Control Lists) functionality is now available for ext3 file systems. In addition, ACL functionality is available for NFS.
[4] “NFSv4 ACLs”. FreeBSD. 2011-09-12. Retrieved 2013-04-08.
[5] “Chapter 8 Using ACLs and Attributes to Protect ZFS Files”. Oracle Corporation. 2009-10-01. Retrieved 2013-04-08.
[6] Grünbacher, Andreas (May 2008). “Native NFSv4 ACLs on Linux”. SUSE. Archived from the original on 2013-06-20. Retrieved 2013-04-08.
[7] Grünbacher, Andreas (July–September 2010). “Richacls - Native NFSv4 ACLs on Linux”. bestbits.at. Retrieved 2013-04-08.
[8] J. Barkley (1997) “Comparing simple role based access control models and access control lists”, In “Proceedings of the second ACM workshop on Role-based access control”, pages 127-132.
[9] G. Karjoth, A. Schade and E. Van Herreweghen (2008) “Implementing ACL-based Policies in XACML”, In “2008 Annual Computer Security Applications Conference”.

40.5 Further reading

• Rhodes, Tom. “File System Access Control Lists (ACLs)”. FreeBSD Handbook. Retrieved 2013-04-08.
• Michael Fox; John Giordano; Lori Stotler; Arun Thomas (2005-08-24). “SELinux and grsecurity: A Case Study Comparing Linux Security Kernel Enhancements” (PDF). University of Virginia. Retrieved 2013-04-08.
• Hinrichs, Susan (2005). “Operating System Security”. CyberSecurity Spring 2005. University of Illinois. Retrieved 2013-04-08.
• Mitchell, John. “Access Control and Operating System Security” (PDF). Stanford University. Retrieved 2013-04-08.
• Clarkson, Michael. “Access Control”. Cornell University. Retrieved 2013-04-08.
• Klein, Helge (2009-03-12). “Permissions: A Primer, or: DACL, SACL, Owner, SID and ACE Explained”. Retrieved 2013-04-08.
• “Access Control Lists”. MSDN Library. 2012-10-26. Retrieved 2013-04-08.
• “How Permissions Work”. Microsoft Technet. 2003-03-28. Retrieved 2013-04-08.

Chapter 41

Transmission Control Protocol

The Transmission Control Protocol (TCP) is one of the main protocols of the Internet protocol suite. It originated in the initial network implementation in which it complemented the Internet Protocol (IP). Therefore, the entire suite is commonly referred to as TCP/IP.
TCP provides reliable, ordered, and error-checked delivery of a stream of octets between applications running on hosts communicating by an IP network. Major Internet applications such as the World Wide Web, email, remote administration, and file transfer rely on TCP. Applications that do not require reliable data stream service may use the User Datagram Protocol (UDP), which provides a connectionless datagram service that emphasizes reduced latency over reliability.

41.1 Historical origin

During May 1974, the Institute of Electrical and Electronic Engineers (IEEE) published a paper titled “A Protocol for Packet Network Intercommunication.”[1] The paper’s authors, Vint Cerf and Bob Kahn, described an internetworking protocol for sharing resources using packet-switching among the nodes. A central control component of this model was the Transmission Control Program that incorporated both connection-oriented links and datagram services between hosts. The monolithic Transmission Control Program was later divided into a modular architecture consisting of the Transmission Control Protocol at the connection-oriented layer and the Internet Protocol at the internetworking (datagram) layer. The model became known informally as TCP/IP, although formally it was henceforth termed the Internet Protocol Suite.

41.2 Network function

The Transmission Control Protocol provides a communication service at an intermediate level between an application program and the Internet Protocol. It provides host-to-host connectivity at the Transport Layer of the Internet model. An application does not need to know the particular mechanisms for sending data via a link to another host, such as the required packet fragmentation on the transmission medium. At the transport layer, the protocol handles all handshaking and transmission details and just presents an abstraction of the network connection to the application.
At the lower levels of the protocol stack, due to network congestion, traffic load balancing, or other unpredictable network behaviour, IP packets may be lost, duplicated, or delivered out of order. TCP detects these problems, requests re-transmission of lost data, rearranges out-of-order data and even helps minimise network congestion to reduce the occurrence of the other problems. If the data still remains undelivered, its source is notified of this failure. Once the TCP receiver has reassembled the sequence of octets originally transmitted, it passes them to the receiving application. Thus, TCP abstracts the application’s communication from the underlying networking details.

TCP is used extensively by many applications available by internet, including the World Wide Web (WWW), Email, File Transfer Protocol, Secure Shell, peer-to-peer file sharing, and streaming media applications.

TCP is optimised for accurate delivery rather than timely delivery. Therefore, TCP sometimes incurs relatively long delays (on the order of seconds) while waiting for out-of-order messages or re-transmissions of lost messages. It is not particularly suitable for real-time applications such as Voice over IP. For such applications, protocols like the Real-time Transport Protocol (RTP) operating over the User Datagram Protocol (UDP) are usually recommended instead.[2]

TCP is a reliable stream delivery service which guarantees that all bytes received will be identical with bytes sent and in the correct order. Since packet transfer by many networks is not reliable, a technique known as 'positive acknowledgement with re-transmission' is used to guarantee reliability of packet transfers. This fundamental technique requires the receiver to respond with an acknowledgement message as it receives the data. The sender keeps a record of each packet it sends and maintains a timer from when the packet was sent.
The sender re-transmits a packet if the timer expires before the message has been acknowledged. The timer is needed in case a packet gets lost or corrupted.[2]

While IP handles actual delivery of the data, TCP keeps track of 'segments’ - the individual units of data transmission that a message is divided into for efficient routing through the network. For example, when an HTML file is sent from a web server, the TCP software layer of that server divides the sequence of file octets into segments and forwards them individually to the IP software layer (Internet Layer). The Internet Layer encapsulates each TCP segment into an IP packet by adding a header that includes (among other data) the destination IP address. When the client program on the destination computer receives them, the TCP layer (Transport Layer) reassembles the individual segments and ensures they are correctly ordered and error-free as it streams them to an application.

41.3 TCP segment structure

Transmission Control Protocol accepts data from a data stream, divides it into chunks, and adds a TCP header creating a TCP segment. The TCP segment is then encapsulated into an Internet Protocol (IP) datagram, and exchanged with peers.[3]

The term TCP packet appears in both informal and formal usage, whereas in more precise terminology segment refers to the TCP protocol data unit (PDU), datagram[4] to the IP PDU, and frame to the data link layer PDU:

Processes transmit data by calling on the TCP and passing buffers of data as arguments. The TCP packages the data from these buffers into segments and calls on the internet module [e.g. IP] to transmit each segment to the destination TCP.[5]

A TCP segment consists of a segment header and a data section. The TCP header contains 10 mandatory fields, and an optional extension field (Options, pink background in table). The data section follows the header. Its contents are the payload data carried for the application. The length of the data section is not specified in the TCP segment header. It can be calculated by subtracting the combined length of the TCP header and the encapsulating IP header from the total IP datagram length (specified in the IP header).

Source port (16 bits) identifies the sending port

Destination port (16 bits) identifies the receiving port

Sequence number (32 bits) has a dual role:
• If the SYN flag is set (1), then this is the initial sequence number. The sequence number of the actual first data byte and the acknowledged number in the corresponding ACK are then this sequence number plus 1.
• If the SYN flag is clear (0), then this is the accumulated sequence number of the first data byte of this segment for the current session.

Acknowledgment number (32 bits) if the ACK flag is set then the value of this field is the next sequence number that the sender is expecting. This acknowledges receipt of all prior bytes (if any). The first ACK sent by each end acknowledges the other end’s initial sequence number itself, but no data.

Data offset (4 bits) specifies the size of the TCP header in 32-bit words. The minimum size header is 5 words and the maximum is 15 words thus giving the minimum size of 20 bytes and maximum of 60 bytes, allowing for up to 40 bytes of options in the header. This field gets its name from the fact that it is also the offset from the start of the TCP segment to the actual data.

Reserved (3 bits) for future use and should be set to zero

Flags (9 bits) (aka Control bits) contains 9 1-bit flags
• NS (1 bit) – ECN-nonce concealment protection (experimental: see RFC 3540).
• CWR (1 bit) – Congestion Window Reduced (CWR) flag is set by the sending host to indicate that it received a TCP segment with the ECE flag set and had responded in congestion control mechanism (added to header by RFC 3168).
• ECE (1 bit) – ECN-Echo has a dual role, depending on the value of the SYN flag. It indicates:
  • If the SYN flag is set (1), that the TCP peer is ECN capable.
  • If the SYN flag is clear (0), that a packet with Congestion Experienced flag set (ECN=11) in IP header was received during normal transmission (added to header by RFC 3168). This serves as an indication of network congestion (or impending congestion) to the TCP sender.
• URG (1 bit) – indicates that the Urgent pointer field is significant
• ACK (1 bit) – indicates that the Acknowledgment field is significant. All packets after the initial SYN packet sent by the client should have this flag set.
• PSH (1 bit) – Push function. Asks to push the buffered data to the receiving application.
• RST (1 bit) – Reset the connection
• SYN (1 bit) – Synchronize sequence numbers. Only the first packet sent from each end should have this flag set. Some other flags and fields change meaning based on this flag, and some are only valid for when it is set, and others when it is clear.
• FIN (1 bit) – No more data from sender

Window size (16 bits) the size of the receive window, which specifies the number of window size units (by default, bytes) (beyond the segment identified by the sequence number in the acknowledgment field) that the sender of this segment is currently willing to receive (see Flow control and Window Scaling)

Checksum (16 bits) The 16-bit checksum field is used for error-checking of the header and data

Urgent pointer (16 bits) if the URG flag is set, then this 16-bit field is an offset from the sequence number indicating the last urgent data byte

Options (Variable 0–320 bits, divisible by 32) The length of this field is determined by the data offset field. Options have up to three fields: Option-Kind (1 byte), Option-Length (1 byte), Option-Data (variable). The Option-Kind field indicates the type of option, and is the only field that is not optional. Depending on what kind of option we are dealing with, the next two fields may be set: the Option-Length field indicates the total length of the option, and the Option-Data field contains the value of the option, if applicable. For example, an Option-Kind byte of 0x01 indicates that this is a No-Op option used only for padding, and does not have an Option-Length or Option-Data byte following it. An Option-Kind byte of 0 is the End Of Options option, and is also only one byte. An Option-Kind byte of 0x02 indicates that this is the Maximum Segment Size option, and will be followed by a byte specifying the length of the MSS field (should be 0x04). This length is the total length of the given options field, including Option-Kind and Option-Length bytes. So while the MSS value is typically expressed in two bytes, the length of the field will be 4 bytes (+2 bytes of kind and length). In short, an MSS option field with a value of 0x05B4 will show up as (0x02 0x04 0x05B4) in the TCP options section.

Some options may only be sent when SYN is set; they are indicated below as [SYN]. Option-Kind and standard lengths given as (Option-Kind,Option-Length).
• 0 (8 bits) – End of options list
• 1 (8 bits) – No operation (NOP, Padding) This may be used to align option fields on 32-bit boundaries for better performance.
• 2,4,SS (32 bits) – Maximum segment size (see maximum segment size) [SYN]
• 3,3,S (24 bits) – Window scale (see window scaling for details) [SYN][6]
• 4,2 (16 bits) – Selective Acknowledgement permitted. [SYN] (See selective acknowledgments for details)[7]
• 5,N,BBBB,EEEE,... (variable bits, N is either 10, 18, 26, or 34) – Selective ACKnowledgement (SACK)[8] These first two bytes are followed by a list of 1–4 blocks being selectively acknowledged, specified as 32-bit begin/end pointers.
• 8,10,TTTT,EEEE (80 bits) – Timestamp and echo of previous timestamp (see TCP timestamps for details)[9]
(The remaining options are historical, obsolete, experimental, not yet standardized, or unassigned)

Padding The TCP header padding is used to ensure that the TCP header ends and data begins on a 32 bit boundary. The padding is composed of zeros.[10]

41.4 Protocol operation

Figure: A Simplified TCP State Diagram. See TCP EFSM diagram for a more detailed state diagram including the states inside the ESTABLISHED state.

TCP protocol operations may be divided into three phases. Connections must be properly established in a multi-step handshake process (connection establishment) before entering the data transfer phase. After data transmission is completed, the connection termination closes established virtual circuits and releases all allocated resources.

A TCP connection is managed by an operating system through a programming interface that represents the local end-point for communications, the Internet socket. During the lifetime of a TCP connection the local end-point undergoes a series of state changes:[11]

LISTEN (server) represents waiting for a connection request from any remote TCP and port.

SYN-SENT (client) represents waiting for a matching connection request after having sent a connection request.

SYN-RECEIVED (server) represents waiting for a confirming connection request acknowledgment after having both received and sent a connection request.

ESTABLISHED (both server and client) represents an open connection, data received can be delivered to the user. The normal state for the data transfer phase of the connection.

FIN-WAIT-1 (both server and client) represents waiting for a connection termination request from the remote TCP, or an acknowledgment of the connection termination request previously sent.

FIN-WAIT-2 (both server and client) represents waiting for a connection termination request from the remote TCP.

CLOSE-WAIT (both server and client) represents waiting for a connection termination request from the local user.

an active open. To establish a connection, the three-way (or 3-step) handshake occurs:

1. SYN: The active open is performed by the client sending a SYN to the server. The client sets the segment’s sequence number to a random value A.
2. SYN-ACK: In response, the server replies with a SYN-ACK. The acknowledgment number is set to one more than the received sequence number i.e. A+1, and the sequence number that the server chooses for the packet is another random number, B.
3. ACK: Finally, the client sends an ACK back to the server. The sequence number is set to the received acknowledgement value i.e. A+1, and the acknowledgement number is set to one more than the received sequence number i.e. B+1.

At this point, both the client and server have received an acknowledgment of the connection. The steps 1, 2 establish the connection parameter (sequence number) for one direction and it is acknowledged. The steps 2, 3 establish the connection parameter (sequence number) for the other direction and it is acknowledged. With these, a full-duplex communication is established.

41.4.2 Connection termination
CLOSING (both server and client) represents waiting for a connection termination request acknowledgment from the remote TCP. LAST-ACK (both server and client) represents waiting for an acknowledgment of the connection termination request previously sent to the remote TCP (which includes an acknowledgment of its connection termination request). Receiver Initiator ESTABLISHED connection active close FIN_WAIT_1 FIN_WAIT_2 ESTABLISHED connection FIN TIME-WAIT (either server or client) represents waiting TIME_WAIT for enough time to pass to be sure the remote TCP ACK received the acknowledgment of its connection termination request. [According to RFC 793 a conCLOSED nection can stay in TIME-WAIT for a maximum of four minutes known as two MSL (maximum segment lifetime).] Connection termination ACK FIN CLOSE_WAIT passive close LAST_ACK CLOSED CLOSED (both server and client) represents no connecThe connection termination phase uses a four-way handtion state at all. shake, with each side of the connection terminating independently. When an endpoint wishes to stop its half of the connection, it transmits a FIN packet, which the 41.4.1 Connection establishment other end acknowledges with an ACK. Therefore, a typTo establish a connection, TCP uses a three-way ical tear-down requires a pair of FIN and ACK segments handshake. Before a client attempts to connect with a from each TCP endpoint. After the side that sent the first server, the server must first bind to and listen at a port to FIN has responded with the final ACK, it waits for a timeopen it up for connections: this is called a passive open. out before finally closing the connection, during which Once the passive open is established, a client may initiate time the local port is unavailable for new connections; 41.4. PROTOCOL OPERATION 199 this prevents confusion due to delayed packets being de- IP addresses. If an application fails to properly close unlivered during subsequent connections. 
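The segment layout and option encoding described above, worked in code. This is an added example, not code from the article: it builds a SYN segment carrying the MSS option in exactly the (0x02 0x04 0x05B4) form shown above together with SACK-permitted, timestamp and window-scale options, computes the checksum over the IPv4 pseudo-header (source, destination, zero, protocol 6, TCP length), and parses the bytes back, rejecting an Option-Length below 2 or one that runs past the header. The addresses, ports, sequence numbers and option values are constructed for the demonstration.

```python
"""Build and parse TCP segments: fixed header, options and the checksum over
the IPv4 pseudo-header. Added example, not code from the article; the SYN
segment and addresses below are constructed for the demonstration."""
import struct
from ipaddress import IPv4Address

OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_PERM, OPT_TIMESTAMP = 0, 1, 2, 3, 4, 8
FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")   # bit 0 .. bit 7
HEADER = "!HHIIBBHHH"   # sport, dport, seq, ack, data offset/reserved, flags, window, checksum, urgent


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over pseudo-header (src, dst, zero, protocol 6, TCP length) plus the segment."""
    pseudo = IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed + struct.pack("!BBH", 0, 6, len(segment))
    return internet_checksum(pseudo + segment)


def encode_options(options) -> bytes:
    """options: [(kind, data)]. EOL and NOP are single bytes; all others are kind, length, data."""
    out = bytearray()
    for kind, data in options:
        out += bytes([kind]) if kind in (OPT_EOL, OPT_NOP) else (bytes([kind, 2 + len(data)]) + data)
    while len(out) % 4:                      # the header must end on a 32-bit boundary
        out.append(OPT_EOL)                  # zero padding
    return bytes(out)


def decode_options(raw: bytes):
    """Walk the options area. A length below 2 or one running past the header is a malformed segment."""
    out, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            out.append((OPT_NOP, b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed option kind %d at offset %d" % (kind, i))
        length = raw[i + 1]
        out.append((kind, raw[i + 2:i + length]))
        i += length
    return out


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload=b"", options=()):
    opts = encode_options(options)
    offset = (5 + len(opts) // 4) << 4       # data offset in 32-bit words, in the high nibble
    def header(csum):
        return struct.pack(HEADER, sport, dport, seq, ack, offset, flags, window, csum, 0) + opts
    csum = tcp_checksum(src_ip, dst_ip, header(0) + payload)   # computed with the field zeroed
    return header(csum) + payload


def parse_segment(src_ip, dst_ip, seg: bytes) -> dict:
    if len(seg) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off, flags, window, csum, urg = struct.unpack(HEADER, seg[:20])
    hlen = (off >> 4) * 4
    if hlen < 20 or hlen > len(seg):
        raise ValueError("bad data offset")
    zeroed = seg[:16] + b"\x00\x00" + seg[18:]   # the checksum field occupies bytes 16-17
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": [n for i, n in enumerate(FLAG_NAMES) if flags & (1 << i)],
            "window": window, "urgent_pointer": urg,
            "options": decode_options(seg[20:hlen]), "payload": seg[hlen:],
            "checksum_ok": tcp_checksum(src_ip, dst_ip, zeroed) == csum}


def options_well_formed(raw: bytes) -> bool:
    try:
        decode_options(raw)
        return True
    except ValueError:
        return False


# Constructed SYN with the usual client options: MSS 1460 (0x05B4), SACK permitted,
# timestamps, and a NOP so the 3-byte window-scale option ends on a 32-bit boundary.
SYN_OPTIONS = [(OPT_MSS, struct.pack("!H", 1460)), (OPT_SACK_PERM, b""),
               (OPT_TIMESTAMP, struct.pack("!II", 12345, 0)), (OPT_NOP, b""), (OPT_WSCALE, b"\x07")]
SRC, DST = "10.0.0.1", "10.0.0.2"        # constructed addresses


def demo():
    seg = build_segment(SRC, DST, 40000, 443, 0x1000, 0, 0x02, 65535, options=SYN_OPTIONS)
    return seg, parse_segment(SRC, DST, seg)


if __name__ == "__main__":
    seg, parsed = demo()
    print(seg.hex())
    print(parsed)
```

The parser validates the data offset before slicing and the Option-Length before advancing; a flipped bit anywhere in the header or payload is caught by the recomputed checksum, which is the end-to-end check the error detection section below relies on.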
A connection can be "half-open", in which case one side has terminated its end, but the other has not. The side that has terminated can no longer send any data into the connection, but the other side can. The terminating side should continue reading the data until the other side terminates as well.

It is also possible to terminate the connection by a 3-way handshake, when host A sends a FIN and host B replies with a FIN & ACK (merely combining 2 steps into one) and host A replies with an ACK.[12]

Some host TCP stacks may implement a half-duplex close sequence, as Linux or HP-UX do. If such a host actively closes a connection but still has not read all the incoming data the stack already received from the link, this host sends a RST instead of a FIN (Section 4.2.2.13 in RFC 1122). This lets a TCP application be sure the remote application has read all the data the former sent, by waiting for the FIN from the remote side before it actively closes the connection. But the remote TCP stack cannot distinguish between a Connection Aborting RST and a Data Loss RST. Both cause the remote stack to lose all the data received.

Some application protocols that use the TCP open/close handshake as the application protocol's own open/close handshake may run into the RST problem on active close. As an example:

s = connect(remote);
send(s, data);
close(s);

For a program flow like the above, a TCP/IP stack like that described above does not guarantee that all the data arrives at the other application if unread data has arrived at this end.

41.4.3 Resource usage

Most implementations allocate an entry in a table that maps a session to a running operating system process. Because TCP packets do not include a session identifier, both endpoints identify the session using the client's address and port. Whenever a packet is received, the TCP implementation must perform a lookup on this table to find the destination process. Each entry in the table is known as a Transmission Control Block or TCB. It contains information about the endpoints (IP and port), status of the connection, running data about the packets that are being exchanged and buffers for sending and receiving data.

The number of sessions on the server side is limited only by memory and can grow as new connections arrive, but the client must allocate a random port before sending the first SYN to the server. This port remains allocated during the whole conversation, and effectively limits the number of outgoing connections from each of the client's IP addresses. If an application fails to properly close unrequired connections, a client can run out of resources and become unable to establish new TCP connections, even from other applications.

Both endpoints must also allocate space for unacknowledged packets and received (but unread) data.

41.4.4 Data transfer

There are a few key features that set TCP apart from User Datagram Protocol:

• Ordered data transfer: the destination host rearranges according to sequence number[2]
• Retransmission of lost packets: any cumulative stream not acknowledged is retransmitted[2]
• Error-free data transfer[13]
• Flow control: limits the rate a sender transfers data to guarantee reliable delivery. The receiver continually hints the sender on how much data can be received (controlled by the sliding window). When the receiving host's buffer fills, the next acknowledgment contains a 0 in the window size, to stop transfer and allow the data in the buffer to be processed.[2]
• Congestion control[2]

Reliable transmission

TCP uses a sequence number to identify each byte of data. The sequence number identifies the order of the bytes sent from each computer so that the data can be reconstructed in order, regardless of any packet reordering, or packet loss that may occur during transmission. The sequence number of the first byte is decided during the initial 3-way handshake. This number can be arbitrary, and should in fact be unpredictable to defend against TCP sequence prediction attacks.

Acknowledgements (Acks) are sent by the receiver of data to tell the sender that data has been received. Acks do not imply that the data has been delivered to the application. They merely signify that it is now the receiver's responsibility to deliver the data. In TCP Acks are cumulative. That is, if the ith byte is acknowledged, it means that all previous bytes have been received too.

Reliability is achieved by the sender detecting lost data and retransmitting it. TCP uses two primary techniques to identify loss: retransmission timeout (abbreviated as RTO) and duplicate cumulative acknowledgements (DupAcks).

Dupack based retransmission

If a single packet (say packet 100) in a stream is lost, then the receiver cannot acknowledge packets above 100 because it uses cumulative acks. Hence the receiver acknowledges packet 100 again on the receipt of another data packet. This duplicate acknowledgement is used as a signal for packet loss. That is, if the sender receives three duplicate acknowledgements, it retransmits the last unacknowledged packet. A threshold of three is used because the network may reorder packets causing duplicate acknowledgements. This threshold has been demonstrated to avoid spurious retransmissions due to reordering.[14] Sometimes selective acknowledgements (SACKs) are used to give more explicit feedback on which packets have been received. This greatly improves TCP's ability to retransmit the right packets.

Timeout based retransmission

Whenever a packet is sent, the sender sets a timer that is a conservative estimate of when that packet will be acked. If the sender does not receive an ack by then, it transmits that packet again. The timer is reset every time the sender receives an acknowledgement. This means that the retransmit timer fires only when the sender has received no acknowledgement for a long time. Typically the timer value is set to smoothed RTT + max(G, 4 × RTT variation), where G is the clock granularity.[15] Further, in case a retransmit timer has fired and still no acknowledgement is received, the next timer is set to twice the previous value (up to a certain threshold). Among other things, this helps defend against a man-in-the-middle denial of service attack that tries to fool the sender into making so many retransmissions that the receiver is overwhelmed.

If the sender infers that data has been lost in the network using one of the two techniques described above, it retransmits the data.

Error detection

Sequence numbers allow receivers to discard duplicate packets and properly sequence reordered packets. Acknowledgments allow senders to determine when to retransmit lost packets.

To assure correctness a checksum field is included; see the checksum computation section for details on checksumming. The TCP checksum is a weak check by modern standards. Data Link Layers with high bit error rates may require additional link error correction/detection capabilities. The weak checksum is partially compensated for by the common use of a CRC or better integrity check at layer 2, below both TCP and IP, such as is used in PPP or the Ethernet frame. However, this does not mean that the 16-bit TCP checksum is redundant: remarkably, introduction of errors in packets between CRC-protected hops is common, but the end-to-end 16-bit TCP checksum catches most of these simple errors.[16] This is the end-to-end principle at work. Note that a checksum is not an integrity check against an active attacker: anyone who can modify a segment in transit can recompute it.

Flow control

TCP uses an end-to-end flow control protocol to avoid having the sender send data too fast for the TCP receiver to receive and process it reliably. Having a mechanism for flow control is essential in an environment where machines of diverse network speeds communicate. For example, if a PC sends data to a smartphone that is slowly processing received data, the smartphone must regulate the data flow so as not to be overwhelmed.[2]

TCP uses a sliding window flow control protocol. In each TCP segment, the receiver specifies in the receive window field the amount of additionally received data (in bytes) that it is willing to buffer for the connection. The sending host can send only up to that amount of data before it must wait for an acknowledgment and window update from the receiving host.

[Figure: the sequence-number space of 2^32 slots drawn as a clock face, with the receiver's window of up to 2^16−1 slots shifting around it; regions marked "received, acknowledged and delivered", "received, acknowledged, not yet delivered to application", "received but not acknowledged" and "unfilled buffer". TCP sequence numbers and receive windows behave very much like a clock.]

The receive window shifts each time the receiver receives and acknowledges a new segment of data. Once it runs out of sequence numbers, the sequence number loops back to 0.

When a receiver advertises a window size of 0, the sender stops sending data and starts the persist timer. The persist timer is used to protect TCP from a deadlock situation that could arise if a subsequent window size update from the receiver is lost, and the sender cannot send more data until receiving a new window size update from the receiver. When the persist timer expires, the TCP sender attempts recovery by sending a small packet so that the receiver responds by sending another acknowledgement containing the new window size.

If a receiver is processing incoming data in small increments, it may repeatedly advertise a small receive window. This is referred to as the silly window syndrome, since it is inefficient to send only a few bytes of data in a TCP segment, given the relatively large overhead of the TCP header.
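The two loss-detection techniques named under Reliable transmission above (retransmission timeout and duplicate cumulative acknowledgments) worked through in code, together with the SACK option from the header option list. This is an added example, not code from the article: it runs a constructed scenario of ten 1000-byte segments in which the first and sixth are lost, once with SACK and once with plain cumulative ACKs, so that the sender's RTO estimator (RFC 6298, with Karn's rule for retransmitted segments), its fast retransmit after three duplicate ACKs, and the difference between resending only the reported holes and going back to the oldest unacknowledged byte can be observed. The 50 ms delivery step and the loss pattern are assumptions.

```python
"""Sender-side loss detection in TCP: the retransmission timer (RFC 6298), three
duplicate ACKs (fast retransmit), and SACK-guided versus go-back-N retransmission.
Added example, not code from the article; the traffic is a constructed scenario."""

class RtoEstimator:
    """RFC 6298: RTO = SRTT + max(G, 4*RTTVAR), floored at min_rto, doubled on expiry."""
    def __init__(self, granularity=0.001, min_rto=1.0):
        self.g, self.min_rto, self.srtt, self.rttvar, self.rto = granularity, min_rto, None, None, 1.0
    def sample(self, rtt):
        if self.srtt is None:                       # first measurement
            self.srtt, self.rttvar = rtt, rtt / 2
        else:                                       # alpha = 1/8, beta = 1/4
            self.rttvar = 0.75 * self.rttvar + 0.25 * abs(self.srtt - rtt)
            self.srtt = 0.875 * self.srtt + 0.125 * rtt
        self.rto = max(self.min_rto, self.srtt + max(self.g, 4 * self.rttvar))
    def timeout(self):
        self.rto = min(60.0, self.rto * 2)          # exponential backoff, capped

class Receiver:
    """Cumulative ACK plus RFC 2018 SACK blocks describing buffered out-of-order data."""
    def __init__(self, sack_enabled):
        self.rcv_nxt, self.ooo, self.sack_enabled = 0, set(), sack_enabled
    def receive(self, left, right):
        if left <= self.rcv_nxt < right:            # in order: advance, then absorb buffered data
            self.rcv_nxt = right
            for l, r in sorted(self.ooo):
                if l <= self.rcv_nxt < r:
                    self.rcv_nxt = r
                    self.ooo.discard((l, r))
        elif left > self.rcv_nxt:                   # beyond a hole: buffer it
            self.ooo.add((left, right))             # (below rcv_nxt: a duplicate, just re-ACK)
        blocks = []
        for l, r in (sorted(self.ooo) if self.sack_enabled else []):
            if blocks and blocks[-1][1] == l:       # merge contiguous segments into one SACK block
                blocks[-1] = (blocks[-1][0], r)
            else:
                blocks.append((l, r))
        return self.rcv_nxt, blocks

class Sender:
    DUPACK_THRESHOLD = 3
    def __init__(self, total, mss=1000):
        self.total, self.mss, self.rto = total, mss, RtoEstimator()
        self.snd_una, self.sent_at, self.retransmitted = 0, {}, set()
        self.dupacks, self.recovering, self.timeouts, self.log = 0, False, 0, []
    def segments(self):
        return [(s, min(s + self.mss, self.total)) for s in range(0, self.total, self.mss)]
    def send(self, left, now, retransmit=False):
        if retransmit:
            self.retransmitted.add(left)
        else:
            self.sent_at[left] = now                # first-transmission time, for RTT samples
        self.log.append(("retx" if retransmit else "tx", left))
        return left, min(left + self.mss, self.total)
    def holes(self, sack, skip_retransmitted=True):  # unacknowledged segments no SACK block covers
        return [s for s, e in self.segments() if s >= self.snd_una
                and not (skip_retransmitted and s in self.retransmitted)
                and not any(bl <= s and e <= br for bl, br in sack)]
    def on_ack(self, ack, now, sack=()):
        if ack > self.snd_una:                      # cumulative ACK advanced
            for left in [l for l in self.sent_at if l < ack]:
                if left in self.retransmitted:      # Karn's rule: ambiguous sample, discard it
                    del self.sent_at[left]
                else:
                    self.rto.sample(now - self.sent_at.pop(left))
            self.snd_una, self.dupacks, self.recovering = ack, 0, False
            return []
        self.dupacks += 1                           # same ACK again: a duplicate ACK
        if self.recovering:
            new = self.holes(sack) if sack else []  # cumulative ACKs alone reveal no further holes
        elif self.dupacks >= self.DUPACK_THRESHOLD:
            self.recovering = True                  # fast retransmit, without waiting for the RTO
            new = self.holes(sack) if sack else self.holes(sack)[:1]
        else:
            return []
        limit = max((br for _, br in sack), default=self.total)
        return [self.send(s, now, True) for s in new if s < limit]
    def on_timer(self, now, sack=()):
        """RTO expiry: back off, then resend from snd_una (all of it without SACK, only holes with it)."""
        self.timeouts += 1
        self.rto.timeout()
        self.recovering = False
        return [self.send(s, now, True) for s in self.holes(sack, skip_retransmitted=False)]

def simulate(sack_enabled, lose=(0, 5000)):
    """Ten 1000-byte segments; those whose left edge is in `lose` vanish on first transmission only."""
    snd, rcv, now, last_sack = Sender(10_000), Receiver(sack_enabled), 0.0, []
    queue = [snd.send(s, now) for s, _ in snd.segments()]
    while snd.snd_una < snd.total:
        if not queue:                               # nothing in flight: only the timer can recover
            now += snd.rto.rto
            queue += snd.on_timer(now, last_sack)
            continue
        left, right = queue.pop(0)
        if left in lose and left not in snd.retransmitted:
            continue                                # dropped by the network
        now += 0.05                                 # assumed delivery time
        ack, last_sack = rcv.receive(left, right)
        queue += snd.on_ack(ack, now, last_sack)
    return snd, rcv
```

With SACK the sender resends exactly the two lost segments and the timer never fires; without it the second loss is invisible to the sender until the RTO expires, after which it resends everything from snd_una, which is the "resend all 10,000 bytes" case the selective acknowledgments section below describes. The smoothed RTT here is inflated by the serialized simulation; only the relative behaviour matters.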
Congestion control

The final main aspect of TCP is congestion control. TCP uses a number of mechanisms to achieve high performance and avoid congestion collapse, where network performance can fall by several orders of magnitude. These mechanisms control the rate of data entering the network, keeping the data flow below a rate that would trigger collapse. They also yield an approximately max-min fair allocation between flows.

Acknowledgments for data sent, or lack of acknowledgments, are used by senders to infer network conditions between the TCP sender and receiver. Coupled with timers, TCP senders and receivers can alter the behavior of the flow of data. This is more generally referred to as congestion control and/or network congestion avoidance.

Modern implementations of TCP contain four intertwined algorithms: slow-start, congestion avoidance, fast retransmit, and fast recovery (RFC 5681).

In addition, senders employ a retransmission timeout (RTO) that is based on the estimated round-trip time (or RTT) between the sender and receiver, as well as the variance in this round trip time. The behavior of this timer is specified in RFC 6298. There are subtleties in the estimation of RTT. For example, senders must be careful when calculating RTT samples for retransmitted packets; typically they use Karn's Algorithm or TCP timestamps (see RFC 1323). These individual RTT samples are then averaged over time to create a Smoothed Round Trip Time (SRTT) using Jacobson's algorithm. This SRTT value is what is finally used as the round-trip time estimate.

Enhancing TCP to reliably handle loss, minimize errors, manage congestion and go fast in very high-speed environments are ongoing areas of research and standards development. As a result, there are a number of TCP congestion avoidance algorithm variations.

41.4.5 Maximum segment size

The maximum segment size (MSS) is the largest amount of data, specified in bytes, that TCP is willing to receive in a single segment. For best performance, the MSS should be set small enough to avoid IP fragmentation, which can lead to packet loss and excessive retransmissions. To try to accomplish this, typically the MSS is announced by each side using the MSS option when the TCP connection is established, in which case it is derived from the maximum transmission unit (MTU) size of the data link layer of the networks to which the sender and receiver are directly attached. Furthermore, TCP senders can use path MTU discovery to infer the minimum MTU along the network path between the sender and receiver, and use this to dynamically adjust the MSS to avoid IP fragmentation within the network.

MSS announcement is also often called "MSS negotiation". Strictly speaking, the MSS is not "negotiated" between the originator and the receiver, because that would imply that both originator and receiver will negotiate and agree upon a single, unified MSS that applies to all communication in both directions of the connection. In fact, two completely independent values of MSS are permitted for the two directions of data flow in a TCP connection.[17] This situation may arise, for example, if one of the devices participating in a connection has an extremely limited amount of memory reserved (perhaps even smaller than the overall discovered Path MTU) for processing incoming TCP segments.

41.4.6 Selective acknowledgments

Relying purely on the cumulative acknowledgment scheme employed by the original TCP protocol can lead to inefficiencies when packets are lost. For example, suppose 10,000 bytes are sent in 10 different TCP packets, and the first packet is lost during transmission. In a pure cumulative acknowledgment protocol, the receiver cannot say that it received bytes 1,000 to 9,999 successfully, but failed to receive the first packet, containing bytes 0 to 999. Thus the sender may then have to resend all 10,000 bytes.

To alleviate this issue TCP employs the selective acknowledgment (SACK) option, defined in RFC 2018, which allows the receiver to acknowledge discontinuous blocks of packets which were received correctly, in addition to the sequence number of the last contiguous byte received successively, as in the basic TCP acknowledgment. The acknowledgement can specify a number of SACK blocks, where each SACK block is conveyed by the starting and ending sequence numbers of a contiguous range that the receiver correctly received. In the example above, the receiver would send a SACK block with left edge 1000 and right edge 10000 (the right edge is the sequence number immediately following the block, so the block covers bytes 1000 to 9999). The sender would accordingly retransmit only the first packet (bytes 0 to 999).

A TCP sender can interpret an out-of-order packet delivery as a lost packet. If it does so, the TCP sender will retransmit the packet previous to the out-of-order packet and slow its data delivery rate for that connection. The duplicate-SACK option, an extension to the SACK option that was defined in RFC 2883, solves this problem. The TCP receiver sends a D-SACK to indicate that no packets were lost, and the TCP sender can then reinstate the higher transmission rate.

The SACK option is not mandatory, and comes into operation only if both parties support it. This is negotiated when a connection is established. SACK uses the optional part of the TCP header (see TCP segment structure for details). The use of SACK has become widespread: all popular TCP stacks support it. Selective acknowledgment is also used in Stream Control Transmission Protocol (SCTP).

41.4.7 Window scaling

Main article: TCP window scale option

For more efficient use of high-bandwidth networks, a larger TCP window size may be used. The TCP window size field controls the flow of data and, being a 16-bit field, its value is limited to at most 65,535 bytes. Since the size field cannot be expanded, a scaling factor is used. The TCP window scale option, as defined in RFC 1323, is an option used to increase the maximum window size from 65,535 bytes to 1 gigabyte. Scaling up to larger window sizes is a part of what is necessary for TCP tuning.

The window scale option is used only during the TCP 3-way handshake. The window scale value represents the number of bits to left-shift the 16-bit window size field. The window scale value can be set from 0 (no shift) to 14 for each direction independently. Both sides must send the option in their SYN segments to enable window scaling in either direction.

Some routers and packet firewalls rewrite the window scaling factor during a transmission. This causes sending and receiving sides to assume different TCP window sizes. The result is non-stable traffic that may be very slow. The problem is visible on some sites behind a defective router.[18]

41.4.8 TCP timestamps

TCP timestamps, defined in RFC 1323, can help TCP determine in which order packets were sent. TCP timestamps are not normally aligned to the system clock and start at some random value. Many operating systems will increment the timestamp for every elapsed millisecond; however the RFC only states that the ticks should be proportional.

There are two timestamp fields:
a 4-byte sender timestamp value (my timestamp)
a 4-byte echo reply timestamp value (the most recent timestamp received from you).

TCP timestamps are used in an algorithm known as Protection Against Wrapped Sequence numbers, or PAWS (see RFC 1323 for details). PAWS is used when the receive window crosses the sequence number wraparound boundary. In the case where a packet was potentially retransmitted it answers the question: "Is this sequence number in the first 4 GB or the second?" The timestamp is used to break the tie.

Also, the Eifel detection algorithm (RFC 3522) uses TCP timestamps to determine if retransmissions are occurring because packets are lost or simply out of order.

41.4.9 Out-of-band data

It is possible to interrupt or abort the queued stream instead of waiting for the stream to finish. This is done by specifying the data as urgent. This tells the receiving program to process it immediately, along with the rest of the urgent data. When finished, TCP informs the application and resumes back to the stream queue.

An example is when TCP is used for a remote login session: the user can send a keyboard sequence that interrupts or aborts the program at the other end. These signals are most often needed when a program on the remote machine fails to operate correctly. The signals must be sent without waiting for the program to finish its current transfer.[2]

TCP OOB data was not designed for the modern Internet. The urgent pointer only alters the processing on the remote host and doesn't expedite any processing on the network itself. When it gets to the remote host there are two slightly different interpretations of the protocol, which means only single bytes of OOB data are reliable. This is assuming it is reliable at all, as it is one of the least commonly used protocol elements and tends to be poorly implemented.[19][20]

41.4.10 Forcing data delivery

Normally, TCP may wait up to about 200 ms for a full packet of data to send (Nagle's algorithm tries to group small messages into a single packet, and a sender holding a small segment until the previous one is acknowledged can stall for the peer's delayed-ACK timer, commonly 200 ms). This wait creates small, but potentially serious delays if repeated constantly during a file transfer. For example, a typical send block would be 4 KB, a typical MSS is 1460, so 2 packets go out on a 10 Mbit/s ethernet taking ~1.2 ms each, followed by a third carrying the remaining 1176 bytes after a 197 ms pause because TCP is waiting for a full buffer.

In the case of telnet, each user keystroke is echoed back by the server before the user can see it on the screen. This delay would become very annoying.

Setting the socket option TCP_NODELAY overrides the default 200 ms send delay. Application programs use this socket option to force output to be sent after writing a character or line of characters.

The RFC defines the PSH push bit as "a message to the receiving TCP stack to send this data immediately up to the receiving application".[2] There is no way to indicate or control it in user space using Berkeley sockets; it is controlled by the protocol stack only.[21]

41.5 Vulnerabilities

TCP may be attacked in a variety of ways. The results of a thorough security assessment of TCP, along with possible mitigations for the identified issues, were published in 2009,[22] and the work is currently being pursued within the IETF.[23]

41.5.1 Denial of service

By using a spoofed IP address and repeatedly sending purposely assembled SYN packets, followed by many ACK packets, attackers can cause the server to consume large amounts of resources keeping track of the bogus connections. This is known as a SYN flood attack. Proposed solutions to this problem include SYN cookies and cryptographic puzzles, though SYN cookies come with their own set of vulnerabilities.[24] Sockstress is a similar attack, that might be mitigated with system resource management.[25] An advanced DoS attack involving the exploitation of the TCP Persist Timer was analyzed in Phrack #66.[26]

Another vulnerability is the TCP reset attack.

41.5.2 Connection hijacking

Main article: TCP sequence prediction attack

An attacker who is able to eavesdrop on a TCP session and redirect packets can hijack a TCP connection. To do so, the attacker learns the sequence number from the ongoing communication and forges a false segment that looks like the next segment in the stream. Such a simple hijack can result in one packet being erroneously accepted at one end. When the receiving host acknowledges the extra segment to the other side of the connection, synchronization is lost. Hijacking might be combined with Address Resolution Protocol (ARP) or routing attacks that allow taking control of the packet flow, so as to get permanent control of the hijacked TCP connection.[27]

Impersonating a different IP address was not difficult prior to RFC 1948, when the initial sequence number was easily guessable. That allowed an attacker to blindly send a sequence of packets that the receiver would believe to come from a different IP address, without the need to deploy ARP or routing attacks: it is enough to ensure that the legitimate host of the impersonated IP address is down, or bring it to that condition using denial-of-service attacks. This is why the initial sequence number is now chosen at random.

41.5.3 TCP veto

An attacker who can eavesdrop and predict the size of the next packet to be sent can cause the receiver to accept a malicious payload without disrupting the existing connection. The attacker injects a malicious packet with the sequence number and a payload size of the next expected packet. When the legitimate packet is ultimately received, it is found to have the same sequence number and length as a packet already received and is silently dropped as a normal duplicate packet: the legitimate packet is "vetoed" by the malicious packet. Unlike in connection hijacking, the connection is never desynchronized and communication continues as normal after the malicious payload is accepted. TCP veto gives the attacker less control over the communication, but makes the attack particularly resistant to detection. The large increase in network traffic from the ACK storm is avoided. The only evidence to the receiver that something is amiss is a single duplicate packet, a normal occurrence in an IP network. The sender of the vetoed packet never sees any evidence of an attack.[28]

41.6 TCP ports

TCP and UDP use port numbers to identify sending and receiving application end-points on a host, often called Internet sockets. Each side of a TCP connection has an associated 16-bit unsigned port number (0-65535) reserved by the sending or receiving application. Arriving TCP packets are identified as belonging to a specific TCP connection by its sockets, that is, the combination of source host address, source port, destination host address, and destination port. This means that a server computer can provide several clients with several services simultaneously, as long as a client takes care of initiating any simultaneous connections to one destination port from different source ports.

Port numbers are categorized into three basic categories: well-known, registered, and dynamic/private. The well-known ports are assigned by the Internet Assigned Numbers Authority (IANA) and are typically used by system-level or root processes. Well-known applications running as servers and passively listening for connections typically use these ports. Some examples include: FTP (20 and 21), SSH (22), TELNET (23), SMTP (25), HTTP over SSL/TLS (443), and HTTP (80). Registered ports are typically used by end user applications as ephemeral source ports when contacting servers (on many current systems the ephemeral range is drawn from the dynamic/private range instead), but they can also identify named services that have been registered by a third party. Dynamic/private ports can also be used by end user applications, but are less commonly so. Dynamic/private ports do not contain any meaning outside of any particular TCP connection.

Network Address Translation (NAT) typically uses dynamic port numbers on the ("Internet-facing") public side to disambiguate the flow of traffic that is passing between a public network and a private subnetwork, thereby allowing many IP addresses (and their ports) on the subnet to be serviced by a single public-facing address.
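A SYN-cookie listener, as an added example of the SYN flood mitigation named in the denial of service section above (example code, not the article's and not any particular stack's): the server answers a SYN with an initial sequence number that encodes a time counter, an index into a small MSS table and a keyed hash of the connection 4-tuple, keeps no per-connection state, and on the handshake-completing ACK verifies the cookie from the echoed value alone. The bit layout, the MSS table, the 64-second epoch and the per-process secret are assumptions of this script modelled on the classic scheme; the traffic in handshake_demo is constructed.

```python
"""SYN cookies: answering a SYN without keeping any half-open connection state,
by encoding what the listener needs into its own initial sequence number.
Added example, not code from the article; layout, MSS table and secret are
assumptions of this script modelled on the classic scheme."""
import hashlib
import hmac
import os
import struct

MSS_TABLE = (536, 1300, 1440, 1460)   # the only MSS values a cookie can carry (assumed table)
SECRET = os.urandom(32)               # a real stack rotates this; fixed for the life of this process
EPOCH = 64                            # seconds per counter tick; a cookie is valid for two ticks


def _mac(tuple4, counter):
    """24-bit keyed hash over the 4-tuple and the time counter."""
    src, sport, dst, dport = tuple4
    msg = struct.pack("!4sH4sHI", src, sport, dst, dport, counter)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(tuple4, client_isn, client_mss, now_s):
    """Server ISN for the SYN-ACK. Nothing is stored; the client echoes it + 1 in its ACK."""
    t = (now_s // EPOCH) & 0x1F                                   # 5-bit time counter
    m = max((i for i, v in enumerate(MSS_TABLE) if v <= client_mss), default=0)   # 3-bit MSS index
    return (t << 27) | (m << 24) | ((_mac(tuple4, t) + client_isn) & 0xFFFFFF)


def check_cookie(tuple4, client_seq, ack, now_s):
    """For the handshake-completing ACK: the MSS to use, or None if the cookie is not ours or stale."""
    cookie, client_isn = (ack - 1) & 0xFFFFFFFF, (client_seq - 1) & 0xFFFFFFFF
    t, m = cookie >> 27, (cookie >> 24) & 7
    if ((now_s // EPOCH) - t) & 0x1F > 1:                         # issued more than one tick ago
        return None
    if (cookie & 0xFFFFFF) != ((_mac(tuple4, t) + client_isn) & 0xFFFFFF):
        return None                                               # wrong 4-tuple, wrong ISN or forged
    return MSS_TABLE[m]


def handshake_demo():
    """Constructed exchange: a flood of spoofed SYNs, then one real client completing the handshake."""
    server, now = bytes([10, 0, 0, 1]), 1_000_000
    for i in range(5_000):                                        # flood: one hash each, no state kept
        make_cookie((os.urandom(4), 1024 + i % 60000, server, 443), i, 1460, now)
    tuple4 = (bytes([10, 0, 0, 2]), 40000, server, 443)
    client_isn = 0x12345678
    syn_ack_isn = make_cookie(tuple4, client_isn, 1460, now)      # SYN-ACK: seq = cookie, ack = isn + 1
    ack_seq, ack_ack = client_isn + 1, syn_ack_isn + 1            # the client's third packet
    return {
        "legit": check_cookie(tuple4, ack_seq, ack_ack, now + 30),
        "forged_ack": check_cookie(tuple4, ack_seq, 0xDEADBEEF, now + 30),      # attacker guesses
        "other_port": check_cookie(tuple4[:1] + (40001,) + tuple4[2:], ack_seq, ack_ack, now + 30),
        "replayed_late": check_cookie(tuple4, ack_seq, ack_ack, now + 3 * EPOCH),
    }


if __name__ == "__main__":
    print(handshake_demo())
```

The limitation the article alludes to is visible in the code: the cookie has room for an MSS index and nothing else, so window scale and SACK-permitted negotiated in the SYN are lost unless carried elsewhere (Linux recovers them from the timestamp option), and a 24-bit hash means a blind attacker completing spoofed handshakes succeeds with probability 2^-24 per guess within the validity window. Stacks therefore enable cookies only once the SYN backlog is under pressure rather than unconditionally.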
41.7 Development

TCP is a complex protocol. However, while significant enhancements have been made and proposed over the years, its most basic operation has not changed significantly since its first specification RFC 675 in 1974, and the v4 specification RFC 793, published in September 1981. RFC 1122, Host Requirements for Internet Hosts, clarified a number of TCP protocol implementation requirements. A list of the 8 required specifications and over 20 strongly encouraged enhancements is available in RFC 7414. Among this list is RFC 2581, TCP Congestion Control, one of the most important TCP-related RFCs in recent years, which describes updated algorithms that avoid undue congestion. In 2001, RFC 3168 was written to describe Explicit Congestion Notification (ECN), a congestion avoidance signaling mechanism.

The original TCP congestion avoidance algorithm was known as “TCP Tahoe”, but many alternative algorithms have since been proposed (including TCP Reno, TCP Vegas, FAST TCP, TCP New Reno, and TCP Hybla).

TCP Interactive (iTCP)[29] is a research effort into TCP extensions that allows applications to subscribe to TCP events and register handler components that can launch applications for various purposes, including application-assisted congestion control.

Multipath TCP (MPTCP)[30][31] is an ongoing effort within the IETF that aims at allowing a TCP connection to use multiple paths to maximize resource usage and increase redundancy. The redundancy offered by Multipath TCP in the context of wireless networks[32] enables statistical multiplexing of resources, and thus increases TCP throughput dramatically. Multipath TCP also brings performance benefits in datacenter environments.[33] The reference implementation[34] of Multipath TCP is being developed in the Linux kernel.[35][36]

TCP Cookie Transactions (TCPCT) is an extension proposed in December 2009 to secure servers against denial-of-service attacks. Unlike SYN cookies, TCPCT does not conflict with other TCP extensions such as window scaling. TCPCT was designed due to necessities of DNSSEC, where servers have to handle large numbers of short-lived TCP connections.

TCP Fast Open is an extension to speed up the opening of successive TCP connections between two endpoints. It works by skipping the three-way handshake using a cryptographic “cookie”. It is similar to an earlier proposal called T/TCP, which was not widely adopted due to security issues.[37] As of July 2012, it is an IETF Internet draft.[38]

Proposed in May 2013, Proportional Rate Reduction (PRR) is a TCP extension developed by Google engineers. PRR ensures that the TCP window size after recovery is as close to the Slow-start threshold as possible.[39] The algorithm is designed to improve the speed of recovery and is the default congestion control algorithm in Linux 3.2+ kernels.[40]

tcpcrypt is an extension proposed in July 2010 to provide transport-level encryption directly in TCP itself. It is designed to work transparently and not require any configuration. Unlike TLS (SSL), tcpcrypt itself does not provide authentication, but provides simple primitives down to the application to do that. As of 2010, the first tcpcrypt IETF draft has been published and implementations exist for several major platforms.

41.8 TCP over wireless networks

TCP was originally designed for wired networks. Packet loss is considered to be the result of network congestion and the congestion window size is reduced dramatically as a precaution. However, wireless links are known to experience sporadic and usually temporary losses due to fading, shadowing, hand off, interference, and other radio effects, that are not strictly congestion. After the (erroneous) back-off of the congestion window size, due to wireless packet loss, there may be a congestion avoidance phase with a conservative decrease in window size. This causes the radio link to be underutilized. Extensive research on combating these harmful effects has been conducted. Suggested solutions can be categorized as end-to-end solutions, which require modifications at the client or server,[41] link layer solutions, such as Radio Link Protocol (RLP) in cellular networks, or proxy-based solutions which require some changes in the network without modifying end nodes.[41][42]

A number of alternative congestion control algorithms, such as Vegas, Westwood, Veno, and Santa Cruz, have been proposed to help solve the wireless problem.

41.9 Hardware implementations

One way to overcome the processing power requirements of TCP is to build hardware implementations of it, widely known as TCP offload engines (TOE). The main problem of TOEs is that they are hard to integrate into computing systems, requiring extensive changes in the operating system of the computer or device. One company to develop such a device was Alacritech.

41.10 Debugging

A packet sniffer, which intercepts TCP traffic on a network link, can be useful in debugging networks, network stacks, and applications that use TCP by showing the user what packets are passing through a link. Some networking stacks support the SO_DEBUG socket option, which can be enabled on the socket using setsockopt. That option dumps all the packets, TCP states, and events on that socket, which is helpful in debugging. Netstat is another utility that can be used for debugging.

41.11 Alternatives

For many applications TCP is not appropriate. One problem (at least with normal implementations) is that the application cannot access the packets coming after a lost packet until the retransmitted copy of the lost packet is received. This causes problems for real-time applications such as streaming media, real-time multiplayer games and voice over IP (VoIP) where it is generally more useful to get most of the data in a timely fashion than it is to get all of the data in order.

For historical and performance reasons, most storage area networks (SANs) use Fibre Channel Protocol (FCP) over Fibre Channel connections.

Also, for embedded systems, network booting, and servers that serve simple requests from huge numbers of clients (e.g. DNS servers) the complexity of TCP can be a problem. Finally, some tricks such as transmitting data between two hosts that are both behind NAT (using STUN or similar systems) are far simpler without a relatively complex protocol like TCP in the way.

Generally, where TCP is unsuitable, the User Datagram Protocol (UDP) is used. This provides the application multiplexing and checksums that TCP does, but does not handle streams or retransmission, giving the application developer the ability to code them in a way suitable for the situation, or to replace them with other methods like forward error correction or interpolation.

Stream Control Transmission Protocol (SCTP) is another protocol that provides reliable stream oriented services similar to TCP. It is newer and considerably more complex than TCP, and has not yet seen widespread deployment. However, it is especially designed to be used in situations where reliability and near-real-time considerations are important.

Venturi Transport Protocol (VTP) is a patented proprietary protocol that is designed to replace TCP transparently to overcome perceived inefficiencies related to wireless data transport.

Multipurpose Transaction Protocol (MTP/IP) is patented proprietary software that is designed to adaptively achieve high throughput and transaction performance in a wide variety of network conditions, particularly those where TCP is perceived to be inefficient.

TCP also has issues in high-bandwidth environments. The TCP congestion avoidance algorithm works very well for ad-hoc environments where the data sender is not known in advance. If the environment is predictable, a timing based protocol such as Asynchronous Transfer Mode (ATM) can avoid TCP’s retransmits overhead.

UDP-based Data Transfer Protocol (UDT) has better efficiency and fairness than TCP in networks that have high bandwidth-delay product.[43]

41.12 Checksum computation

41.12.1 TCP checksum for IPv4

When TCP runs over IPv4, the method used to compute the checksum is defined in RFC 793:

    The checksum field is the 16 bit one’s complement of the one’s complement sum of all 16-bit words in the header and text. If a segment contains an odd number of header and text octets to be checksummed, the last octet is padded on the right with zeros to form a 16-bit word for checksum purposes. The pad is not transmitted as part of the segment. While computing the checksum, the checksum field itself is replaced with zeros.

In other words, after appropriate padding, all 16-bit words are added using one’s complement arithmetic. The sum is then bitwise complemented and inserted as the checksum field. A pseudo-header that mimics the IPv4 packet header used in the checksum computation is shown in the table below.

The source and destination addresses are those of the IPv4 header. The protocol value is 6 for TCP (cf. List of IP protocol numbers). The TCP length field is the length of the TCP header and data (measured in octets).

41.12.2 TCP checksum for IPv6

When TCP runs over IPv6, the method used to compute the checksum is changed, as per RFC 2460:

    Any transport or other upper-layer protocol that includes the addresses from the IP header in its checksum computation must be modified for use over IPv6, to include the 128-bit IPv6 addresses instead of 32-bit IPv4 addresses.

A pseudo-header that mimics the IPv6 header for computation of the checksum is shown below.

• Source address – the one in the IPv6 header
• Destination address – the final destination; if the IPv6 packet doesn't contain a Routing header, TCP uses the destination address in the IPv6 header, otherwise, at the originating node, it uses the address in the last element of the Routing header, and, at the receiving node, it uses the destination address in the IPv6 header.
• TCP length – the length of the TCP header and data
• Next Header – the protocol value for TCP

41.12.3 Checksum offload

Many TCP/IP software stack implementations provide options to use hardware assistance to automatically compute the checksum in the network adapter prior to transmission onto the network or upon reception from the network for validation. This may relieve the OS from using precious CPU cycles calculating the checksum. Hence, overall network performance is increased.

This feature may cause packet analyzers that capture outbound traffic upstream of the network adapter, and that are unaware or uncertain about the use of checksum offload, to report invalid checksums in outbound packets.

41.13 See also

• Connection-oriented communication
• Karn’s algorithm
• List of TCP and UDP port numbers (a long list of ports and services)
• Maximum segment lifetime
• Maximum transmission unit
• Micro-bursting (networking)
• Nagle’s algorithm
• Port (computer networking)
• T/TCP variant of TCP
• TCP congestion avoidance algorithms
• TCP global synchronization
• TCP pacing
• TCP segment
• TCP sequence prediction attack
• TCP tuning for high performance networks
• WTCP a proxy-based modification of TCP for wireless networks
• Transport Layer § Comparison of transport layer protocols

41.14 References

[1] Vinton G. Cerf; Robert E. Kahn (May 1974). “A Protocol for Packet Network Intercommunication” (PDF). IEEE Transactions on Communications. 22 (5): 637–648. doi:10.1109/tcom.1974.1092259. Archived from the original (PDF) on March 4, 2016.
[2] Comer, Douglas E. (2006). Internetworking with TCP/IP: Principles, Protocols, and Architecture. 1 (5th ed.). Prentice Hall. ISBN 0-13-187671-6.
[3] “TCP (Linktionary term)”.
[4] “RFC 791 – section 2.1”.
[5] “RFC 793”.
[6] “RFC 1323, TCP Extensions for High Performance, Section 2.2”.
[7] “RFC 2018, TCP Selective Acknowledgement Options, Section 2”.
[8] “RFC 2018, TCP Selective Acknowledgement Options, Section 3”.
[9] “RFC 1323, TCP Extensions for High Performance, Section 3.2”.
[10] RFC 793 section 3.1
[11] RFC 793 Section 3.2
[12] Tanenbaum, Andrew S. (2003-03-17). Computer Networks (Fourth ed.). Prentice Hall. ISBN 0-13-066102-3.
[13] “TCP Definition”. Retrieved 2011-03-12.
[14] Mathis; Mathew; Semke; Mahdavi; Ott (1997). “The macroscopic behavior of the TCP congestion avoidance algorithm”. ACM SIGCOMM Computer Communication Review. 27.3: 67–82.
[15] Paxson, V.; Allman, M.; Chu, J.; Sargent, M. (June 2011). “The Basic Algorithm”. Computing TCP’s Retransmission Timer. IETF. p. 2. sec. 2. RFC 6298. https://tools.ietf.org/html/rfc6298#section-2. Retrieved October 24, 2015.
[16] Stone; Partridge (2000). “When The CRC and TCP Checksum Disagree”. Sigcomm.
[17] “RFC 879”.
[18] “TCP window scaling and broken routers [LWN.net]”.
[19] Gont, Fernando (November 2008). “On the implementation of TCP urgent data”. 73rd IETF meeting. Retrieved 2009-01-04.
[20] Peterson, Larry (2003). Computer Networks. Morgan Kaufmann. p. 401. ISBN 1-55860-832-X.
[21] Richard W. Stevens (2006). TCP/IP Illustrated. Vol. 1, The protocols. Addison-Wesley. Chapter 20. ISBN 978-0-201-63346-7.
[22] Security Assessment of the Transmission Control Protocol (TCP) at the Wayback Machine (archived March 6, 2009)
[23] Security Assessment of the Transmission Control Protocol (TCP)
[24] Jakob Lell. “Quick Blind TCP Connection Spoofing with SYN Cookies”. Retrieved 2014-02-05.
[25] Some insights about the recent TCP DoS (Denial of Service) vulnerabilities
[26] “Exploiting TCP and the Persist Timer Infiniteness”.
[27] “Laurent Joncheray, Simple Active Attack Against TCP, 1995”.
[28] John T. Hagen; Barry E. Mullins (2013). “TCP veto: A novel network attack and its application to SCADA protocols”. Innovative Smart Grid Technologies (ISGT), 2013 IEEE PES.
[29] TCP Interactive (iTCP)
[30] RFC 6182
[31] RFC 6824
[32] “TCP with feed-forward source coding for wireless downlink networks”.
[33] Raiciu; Barre; Pluntke; Greenhalgh; Wischik; Handley (2011). “Improving datacenter performance and robustness with multipath TCP”. Sigcomm.
[34] “MultiPath TCP - Linux Kernel implementation”.
[35] Barre; Paasch; Bonaventure (2011). “MultiPath TCP: From Theory to Practice”. IFIP Networking.
[36] Raiciu; Paasch; Barre; Ford; Honda; Duchene; Bonaventure; Handley (2012). “How Hard Can It Be? Designing and Implementing a Deployable Multipath TCP”. USENIX NSDI.
[37] Michael Kerrisk (2012-08-01). “TCP Fast Open: expediting web services”. LWN.net.
[38] Y. Cheng, J. Chu, S. Radhakrishnan, A. Jain (2012-07-16). TCP Fast Open. IETF. I-D draft-ietf-tcpm-fastopen-01. https://tools.ietf.org/html/draft-ietf-tcpm-fastopen-01.
[39] “RFC 6937 - Proportional Rate Reduction for TCP”. http://tools.ietf.org/html/rfc6937.
[40] Grigorik, Ilya (2013). High-performance browser networking (1. ed.). Beijing: O'Reilly. ISBN 1449344763.
[41] “TCP performance over CDMA2000 RLP”. Retrieved 2010-08-30.
[42] Muhammad Adeel & Ahmad Ali Iqbal (2004). “TCP Congestion Window Optimization for CDMA2000 Packet Data Networks”. International Conference on Information Technology (ITNG'07): 31–35. doi:10.1109/ITNG.2007.190. ISBN 978-0-7695-2776-5.
[43] Yunhong Gu, Xinwei Hong, and Robert L. Grossman. “An Analysis of AIMD Algorithm with Decreasing Increases”. 2004.

41.15 Further reading

• Stevens, W. Richard. TCP/IP Illustrated, Volume 1: The Protocols. ISBN 0-201-63346-9.
• Stevens, W. Richard; Wright, Gary R. TCP/IP Illustrated, Volume 2: The Implementation. ISBN 0-201-63354-X.
• Stevens, W. Richard. TCP/IP Illustrated, Volume 3: TCP for Transactions, HTTP, NNTP, and the UNIX Domain Protocols. ISBN 0-201-63495-3.

41.16 External links

41.16.1 RFC

• RFC 675 – Specification of Internet Transmission Control Program, December 1974 Version
• RFC 793 – TCP v4
• RFC 1122 – includes some error corrections for TCP
• RFC 1323 – TCP Extensions for High Performance [Obsoleted by RFC 7323]
• RFC 1379 – Extending TCP for Transactions—Concepts [Obsoleted by RFC 6247]
• RFC 1948 – Defending Against Sequence Number Attacks
• RFC 2018 – TCP Selective Acknowledgment Options
• RFC 5681 – TCP Congestion Control
• RFC 6247 – Moving the Undeployed TCP Extensions RFC 1072, RFC 1106, RFC 1110, RFC 1145, RFC 1146, RFC 1379, RFC 1644, and RFC 1693 to Historic Status
• RFC 6298 – Computing TCP’s Retransmission Timer
• RFC 6824 – TCP Extensions for Multipath Operation with Multiple Addresses
• RFC 7323 – TCP Extensions for High Performance
• RFC 7414 – A Roadmap for TCP Specification Documents

41.16.2 Others

• Oral history interview with Robert E. Kahn, Charles Babbage Institute, University of Minnesota, Minneapolis. Focuses on Kahn’s role in the development of computer networking from 1967 through the early 1980s. Beginning with his work at Bolt Beranek and Newman (BBN), Kahn discusses his involvement as the ARPANET proposal was being written, his decision to become active in its implementation, and his role in the public demonstration of the ARPANET.
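The checksum procedure of section 41.12 above, carried through for both address families as an added example (this is not code from the original text, nor from any RFC reference implementation): the one's complement sum with end-around carry and odd-octet padding from RFC 793, the 12-octet IPv4 pseudo-header and the 40-octet IPv6 pseudo-header from RFC 2460, and a verification routine that relies on a correct segment summing to 0xFFFF. The `pseudo_header`, `tcp_checksum` and `build_segment` names are this example's own, and every address, port and payload below is a constructed sample value.

```python
"""TCP checksum over an IPv4 or IPv6 pseudo-header (RFC 793 / RFC 2460).

Added example, not from the original text. Packet fields below are
constructed sample values, not captured traffic.
"""
import ipaddress
import struct

TCP_PROTOCOL = 6  # IP protocol number / IPv6 Next Header value for TCP


def ones_complement_sum(data: bytes) -> int:
    """One's complement sum of 16-bit big-endian words with end-around carry.

    An odd trailing octet is padded on the right with a zero octet, as
    RFC 793 requires; the pad is never transmitted.
    """
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for (word,) in struct.iter_unpack("!H", data):
        total += word
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum: bitwise complement of the one's complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def pseudo_header(src: str, dst: str, tcp_length: int) -> bytes:
    """Build the pseudo-header that precedes the TCP segment in the sum.

    IPv4 (RFC 793):  src(4)  dst(4)  zero(1) protocol(1)     tcp_length(2)
    IPv6 (RFC 2460): src(16) dst(16) tcp_length(4) zeros(3) next_header(1)
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("address families differ")
    if s.version == 4:
        return s.packed + d.packed + struct.pack("!BBH", 0, TCP_PROTOCOL, tcp_length)
    return s.packed + d.packed + struct.pack("!I3xB", tcp_length, TCP_PROTOCOL)


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Checksum for a TCP segment (header + data) with its checksum field zeroed."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 octets")
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]   # checksum sits at offset 16
    return ones_complement_checksum(pseudo_header(src, dst, len(segment)) + zeroed)


def verify_tcp_checksum(src: str, dst: str, segment: bytes) -> bool:
    """A correct segment (checksum field included) sums to 0xFFFF, so its complement is 0."""
    return ones_complement_checksum(pseudo_header(src, dst, len(segment)) + segment) == 0


def build_segment(src_port: int, dst_port: int, seq: int, ack: int,
                  flags: int, window: int, payload: bytes) -> bytes:
    """Minimal 20-octet TCP header (no options) with a zeroed checksum and urgent pointer."""
    data_offset = 5 << 4                     # 5 words, reserved bits zero
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, window, 0, 0) + payload


def checksummed_segment(src: str, dst: str, segment: bytes) -> bytes:
    """Return the segment with the computed checksum written into offset 16."""
    csum = tcp_checksum(src, dst, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


if __name__ == "__main__":
    # Constructed sample: a PSH/ACK carrying a 3-octet payload (odd length, so padded)
    seg = build_segment(40000, 80, 1, 1, 0x18, 65535, b"abc")
    for src, dst in (("192.0.2.1", "192.0.2.2"), ("2001:db8::1", "2001:db8::2")):
        done = checksummed_segment(src, dst, seg)
        print(src, "->", dst, hex(tcp_checksum(src, dst, seg)), verify_tcp_checksum(src, dst, done))
```

Two points worth noticing when running it: the pseudo-header is summed but never transmitted, so a segment that is NATed (source address rewritten) must have its checksum recomputed by the translator, and because the sum is position-independent, swapping two 16-bit words leaves the checksum unchanged, which is why the checksum catches corruption but is no defence against deliberate modification.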
The interview continues into Kahn’s involvement with networking when he moves to IPTO in 1972, where he was responsible for the administrative and technical evolution of the ARPANET, including programs in packet radio, the development of a new network protocol (TCP/IP), and the switch to TCP/IP to connect multiple networks.
• IANA Port Assignments
• John Kristoff’s Overview of TCP (Fundamental concepts behind TCP and how it is used to transport data between two endpoints)
• TCP fast retransmit simulation animated: slow start, sliding window, duplicated Ack, congestion window
• TCP, Transmission Control Protocol
• Checksum example
• Engineer Francesco Buffa’s page about Transmission Control Protocol
• TCP tutorial
• Linktionary on TCP segments
• TCP Sliding Window simulation animated (ns2)
• Multipath TCP
• TCP Technology and Testing methodologies

Chapter 42 Transport Layer Security

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both frequently referred to as “SSL”, are cryptographic protocols that provide communications security over a computer network.[1] Several versions of the protocols find widespread use in applications such as web browsing, email, Internet faxing, instant messaging, and voice-over-IP (VoIP). Websites use TLS to secure all communications between their servers and web browsers.

The Transport Layer Security protocol aims primarily to provide privacy and data integrity between two communicating computer applications.[1]:3 When secured by TLS, connections between a client (e.g., a web browser) and a server (e.g., wikipedia.org) have one or more of the following properties:

• The connection is private (or secure) because symmetric cryptography is used to encrypt the data transmitted. The keys for this symmetric encryption are generated uniquely for each connection and are based on a shared secret negotiated at the start of the session (see TLS handshake protocol). The server and client negotiate the details of which encryption algorithm and cryptographic keys to use before the first byte of data is transmitted (see Algorithm below). The negotiation of a shared secret is both secure (the negotiated secret is unavailable to eavesdroppers and cannot be obtained, even by an attacker who places themselves in the middle of the connection) and reliable (no attacker can modify the communications during the negotiation without being detected).
• The identity of the communicating parties can be authenticated using public-key cryptography. This authentication can be made optional, but is generally required for at least one of the parties (typically the server).
• The connection ensures integrity because each message transmitted includes a message integrity check using a message authentication code to prevent undetected loss or alteration of the data during transmission.[1]:3

In addition to the properties above, careful configuration of TLS can provide additional privacy-related properties such as forward secrecy, ensuring that any future disclosure of encryption keys cannot be used to decrypt any TLS communications recorded in the past.[2]

TLS supports many different methods for exchanging keys, encrypting data, and authenticating message integrity (see Algorithm below). As a result, secure configuration of TLS involves many configurable parameters, and not all choices provide all of the privacy-related properties described in the list above (see authentication and key exchange table, cipher security table, and data integrity table).

Attempts have been made to subvert aspects of the communications security that TLS seeks to provide, and the protocol has been revised several times to address these security threats (see Security). Developers of web browsers have also revised their products to defend against potential security weaknesses after these were discovered (see TLS/SSL support history of web browsers).

The TLS protocol comprises two layers: the TLS record protocol and the TLS handshake protocol.

TLS is a proposed Internet Engineering Task Force (IETF) standard, first defined in 1999 and updated in RFC 5246 (August 2008) and RFC 6176 (March 2011). It builds on the earlier SSL specifications (1994, 1995, 1996) developed by Netscape Communications[3] for adding the HTTPS protocol to their Navigator web browser.

42.1 Description

Client-server applications use the TLS protocol to communicate across a network in a way designed to prevent eavesdropping and tampering.

Since protocols can operate either with or without TLS (or SSL), it is necessary for the client to indicate to the server the setup of a TLS connection. There are two main ways of achieving this. One option is to use a different port number for TLS connections (for example, port 443 for HTTPS). The other is for the client to use a protocol-specific mechanism (for example, STARTTLS for mail and news protocols) to request that the server switch the connection to TLS.
Once the client and server have agreed to use TLS, they negotiate a stateful connection by using a handshaking procedure.[4] During this handshake, the client and server agree on various parameters used to establish the connection’s security:

• The handshake begins when a client connects to a TLS-enabled server requesting a secure connection and presents a list of supported cipher suites (ciphers and hash functions).
• From this list, the server picks a cipher and hash function that it also supports and notifies the client of the decision.
• The server usually then sends back its identification in the form of a digital certificate. The certificate contains the server name, the trusted certificate authority (CA) and the server’s public encryption key.
• The client confirms the validity of the certificate before proceeding.
• To generate the session keys used for the secure connection, the client either:
    • encrypts a random number with the server’s public key and sends the result to the server (which only the server should be able to decrypt with its private key); both parties then use the random number to generate a unique session key for subsequent encryption and decryption of data during the session
    • uses Diffie-Hellman key exchange to securely generate a random and unique session key for encryption and decryption that has the additional property of forward secrecy: if the server’s private key is disclosed in future, it cannot be used to decrypt the current session, even if the session is intercepted and recorded by a third party.

This concludes the handshake and begins the secured connection, which is encrypted and decrypted with the session key until the connection closes. If any one of the above steps fails, the TLS handshake fails, and the connection is not created.

TLS and SSL are defined as 'operating over some reliable transport layer', which places them as application layer protocols in the TCP/IP reference model and as presentation layer protocols in the OSI model. The protocols use a handshake with an asymmetric cipher to establish cipher settings and a shared key for a session; the rest of the communication is encrypted using a symmetric cipher and the session key.

42.2 History and development

42.2.1 Secure Network Programming

Early research efforts towards transport layer security included the Secure Network Programming (SNP) application programming interface (API), which in 1993 explored the approach of having a secure transport layer API closely resembling Berkeley sockets, to facilitate retrofitting preexisting network applications with security measures.[5]

42.2.2 SSL 1.0, 2.0 and 3.0

Netscape developed the original SSL protocols.[6] Version 1.0 was never publicly released because of serious security flaws in the protocol; version 2.0, released in February 1995, “contained a number of security flaws which ultimately led to the design of SSL version 3.0”.[7] Released in 1996, SSL version 3.0 represented a complete redesign of the protocol produced by Paul Kocher working with Netscape engineers Phil Karlton and Alan Freier, with a reference implementation by Christopher Allen and Tim Dierks of Consensus Development. Newer versions of SSL/TLS are based on SSL 3.0. The 1996 draft of SSL 3.0 was published by IETF as a historical document in RFC 6101.

Dr. Taher Elgamal, chief scientist at Netscape Communications from 1995 to 1998, is recognized as the “father of SSL”.[8][9]

As of 2014 the 3.0 version of SSL is considered insecure as it is vulnerable to the POODLE attack that affects all block ciphers in SSL; and RC4, the only non-block cipher supported by SSL 3.0, is also feasibly broken as used in SSL 3.0.[10]

SSL 2.0 was deprecated (prohibited) in 2011 by RFC 6176. SSL 3.0 was deprecated in June 2015 by RFC 7568.

42.2.3 TLS 1.0

TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0, and written by Christopher Allen and Tim Dierks of Consensus Development. As stated in the RFC, “the differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough to preclude interoperability between TLS 1.0 and SSL 3.0”. TLS 1.0 does include a means by which a TLS implementation can downgrade the connection to SSL 3.0, thus weakening security.[11]:1–2

42.2.4 TLS 1.1

TLS 1.1 was defined in RFC 4346 in April 2006.[12] It is an update from TLS version 1.0. Significant differences in this version include:

• Added protection against cipher-block chaining (CBC) attacks.
• The implicit initialization vector (IV) was replaced with an explicit IV.
• Change in handling of padding errors.
• Support for IANA registration of parameters.[11]:2

42.2.5 TLS 1.2

TLS 1.2 was defined in RFC 5246 in August 2008. It is based on the earlier TLS 1.1 specification. Major differences include:

• The MD5-SHA-1 combination in the pseudorandom function (PRF) was replaced with SHA-256, with an option to use cipher suite specified PRFs.
• The MD5-SHA-1 combination in the finished message hash was replaced with SHA-256, with an option to use cipher suite specific hash algorithms. However the size of the hash in the finished message must still be at least 96 bits.[13]
• The MD5-SHA-1 combination in the digitally signed element was replaced with a single hash negotiated during handshake, which defaults to SHA-1.
• Enhancement in the client’s and server’s ability to specify which hash and signature algorithms they accept.
• Expansion of support for authenticated encryption ciphers, used mainly for Galois/Counter Mode (GCM) and CCM mode of Advanced Encryption Standard encryption.
• TLS Extensions definition and Advanced Encryption Standard cipher suites were added.[11]:2

All TLS versions were further refined in RFC 6176 in March 2011 removing their backward compatibility with SSL such that TLS sessions never negotiate the use of Secure Sockets Layer (SSL) version 2.0.

42.2.6 TLS 1.3 (draft)

As of July 2016, TLS 1.3 is a working draft, and details are provisional and incomplete.[14][15] It is based on the earlier TLS 1.2 specification. Major differences from TLS 1.2 include:

• Removing support for weak and lesser-used named elliptic curves (see Elliptic curve cryptography)
• Removing support for MD5 and SHA-224 cryptographic hash functions
• Requiring digital signatures even when a previous configuration is used
• Integrating HKDF and the semi-ephemeral DH proposal
• Replacing resumption with PSK and tickets
• Supporting 1-RTT handshakes and initial support for 0-RTT (see Round-trip delay time)
• Dropping support for many insecure or obsolete features including compression, renegotiation, non-AEAD ciphers, static RSA and static DH key exchange, custom DHE groups, point format negotiation, Change Cipher Spec protocol, Hello message UNIX time, and the length field AD input to AEAD ciphers
• Prohibiting SSL or RC4 negotiation for backwards compatibility
• Integrating use of session hash
• Deprecating use of the record layer version number and freezing the number for improved backwards compatibility
• Moving some security-related algorithm details from an appendix to the specification and relegating ClientKeyShare to an appendix
• Addition of the ChaCha20 stream cipher with the Poly1305 message authentication code
• Addition of the Ed25519 and Ed448 digital signature algorithms
• Addition of the x25519 and x448 key exchange protocols

42.3 Digital certificates

Main article: Public key certificate

A digital certificate certifies the ownership of a public key by the named subject of the certificate, and indicates certain expected usages of that key. This allows others (relying parties) to rely upon signatures or on assertions made by the private key that corresponds to the certified public key.

42.3.1 Certificate authorities

Main article: Certificate authority

The security of TLS typically relies on a set of trusted third-party certificate authorities to establish the authenticity of certificates. Trust is usually anchored in a list of certificates distributed with user agent software,[16] and can be modified by the relying party.

According to Netcraft, who monitors active TLS certificates, the market-leading CA has been Symantec since the beginning of their survey (or VeriSign before the authentication services business unit was purchased by Symantec). Symantec currently accounts for just under a third of all certificates and 44% of the valid certificates used by the 1 million busiest websites, as counted by Netcraft.[17]

As a consequence of choosing X.509 certificates, certificate authorities and a public key infrastructure are necessary to verify the relation between a certificate and its owner, as well as to generate, sign, and administer the validity of certificates. While this can be more convenient than verifying the identities via a web of trust, the 2013 mass surveillance disclosures made it more widely known that certificate authorities are a weak point from a security standpoint, allowing man-in-the-middle attacks (MITM).[18][19]

42.4 Algorithm

See also: Cipher suite

42.4.1 Key exchange or key agreement

Before a client and server can begin to exchange information protected by TLS, they must securely exchange or agree upon an encryption key and a cipher to use when encrypting data (see Cipher). Among the methods used for key exchange/agreement are: public and private keys generated with RSA (denoted TLS_RSA in the TLS handshake protocol), Diffie-Hellman (TLS_DH), ephemeral Diffie-Hellman (TLS_DHE), Elliptic Curve Diffie-Hellman (TLS_ECDH), ephemeral Elliptic Curve Diffie-Hellman (TLS_ECDHE), anonymous Diffie-Hellman (TLS_DH_anon),[1] pre-shared key (TLS_PSK)[20] and Secure Remote Password (TLS_SRP).[21]

The TLS_DH_anon and TLS_ECDH_anon key agreement methods do not authenticate the server or the user and hence are rarely used, because they are vulnerable to man-in-the-middle attacks. Only TLS_DHE and TLS_ECDHE provide forward secrecy.

Public key certificates used during exchange/agreement also vary in the size of the public/private encryption keys used during the exchange and hence the robustness of the security provided. In July 2013, Google announced that it would no longer use 1024 bit public keys and would switch instead to 2048 bit keys to increase the security of the TLS encryption it provides to its users.[22]

42.4.2 Cipher

See also: Cipher suite, Block cipher, and Cipher security summary

Notes

[1] RFC 5746 must be implemented to fix a renegotiation flaw that would otherwise break this protocol.
[2] If libraries implement fixes listed in RFC 5746, this violates the SSL 3.0 specification, which the IETF cannot change unlike TLS. Fortunately, most current libraries implement the fix and disregard the violation that this causes.
[3] The BEAST attack breaks all block ciphers (CBC ciphers) used in SSL 3.0 and TLS 1.0 unless mitigated by the client and/or the server. See #Web browsers.
[4] The POODLE attack breaks all block ciphers (CBC ciphers) used in SSL 3.0 unless mitigated by the client and/or the server. See #Web browsers.
[5] AEAD ciphers (such as GCM and CCM) can be used in only TLS 1.2.
[6] CBC ciphers can be attacked with the Lucky Thirteen attack if the library is not written carefully to eliminate timing side channels.
[7] Although the key length of 3DES is 168 bits, the effective security strength of 3DES is only 112 bits,[31] which is below the recommended minimum of 128 bits.[32]
[8] IDEA and DES have been removed from TLS 1.2.[33]
[9] 40-bit strength cipher suites were designed to operate at reduced key lengths to comply with US regulations about the export of cryptographic software containing certain strong encryption algorithms (see Export of cryptography from the United States). These weak suites are forbidden in TLS 1.1 and later.
[10] Use of RC4 in all versions of TLS is prohibited by RFC 7465. (RC4 attacks weaken or break RC4 as used in SSL/TLS.)
[11] authentication only, no encryption

42.4.3 Data integrity

Message authentication code (MAC) is used for data integrity. HMAC is used for CBC mode of block ciphers and stream ciphers. AEAD is used for Authenticated encryption such as GCM mode and CCM mode.

42.5 Applications and adoption

In applications design, TLS is usually implemented on top of Transport Layer protocols, encrypting all of the protocol-related data of protocols such as HTTP, FTP, SMTP, NNTP and XMPP.

Historically, TLS has been used primarily with reliable transport protocols such as the Transmission Control Protocol (TCP). However, it has also been implemented with datagram-oriented transport protocols, such as the User Datagram Protocol (UDP) and the Datagram Congestion Control Protocol (DCCP), usage of which has been standardized independently using the term Datagram Transport Layer Security (DTLS).

42.5.1 Websites

A prominent use of TLS is for securing World Wide Web traffic between a website and a web browser encoded with the HTTP protocol.
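The HMAC-based record integrity check of section 42.4.3, shown as an added example that is not code from the original text or from any TLS library: the input that TLS 1.2 (RFC 5246, section 6.2.3.1) feeds to HMAC for one record is the 64-bit sequence number, the content type, the protocol version, the fragment length and the plaintext fragment, and the tag is computed before encryption. The verifier compares tags in constant time, which is the kind of care the Lucky Thirteen note [6] above refers to; the receiver object also shows why the sequence number is part of the MAC input. The `RecordReceiver` name, the key and the fragment are this example's own constructed values.

```python
"""TLS 1.2 record-layer MAC (RFC 5246 section 6.2.3.1) with constant-time verification.

Added example, not from the original text. Key and record below are
constructed sample values, not real session material.
"""
import hashlib
import hmac
import struct

CONTENT_TYPE_APPLICATION_DATA = 23
TLS_1_2 = (3, 3)                      # ProtocolVersion {major=3, minor=3}


def mac_input(seq_num: int, content_type: int, version: tuple, fragment: bytes) -> bytes:
    """Bytes that TLS 1.2 feeds to HMAC for one record.

    seq_num (8 octets) || type (1) || version (2) || length (2) || fragment.
    The 64-bit sequence number binds the tag to the record's position in the
    stream, so a replayed or reordered record fails verification.
    """
    return struct.pack("!QBBBH", seq_num, content_type, version[0], version[1],
                       len(fragment)) + fragment


def compute_mac(mac_key: bytes, seq_num: int, content_type: int,
                version: tuple, fragment: bytes) -> bytes:
    """HMAC-SHA256 over the record, as an *_SHA256 CBC suite would use."""
    return hmac.new(mac_key, mac_input(seq_num, content_type, version, fragment),
                    hashlib.sha256).digest()


def verify_mac(mac_key: bytes, seq_num: int, content_type: int,
               version: tuple, fragment: bytes, tag: bytes) -> bool:
    """Constant-time comparison.

    A byte-by-byte '==' that returns at the first differing byte leaks how
    much of the tag matched through timing; hmac.compare_digest does not.
    """
    expected = compute_mac(mac_key, seq_num, content_type, version, fragment)
    return hmac.compare_digest(expected, tag)


class RecordReceiver:
    """Tracks the receive sequence number so each record is checked once, in order."""

    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.seq_num = 0

    def accept(self, content_type: int, fragment: bytes, tag: bytes) -> bool:
        ok = verify_mac(self.mac_key, self.seq_num, content_type, TLS_1_2, fragment, tag)
        if ok:
            self.seq_num += 1           # advance only on a valid record
        return ok


# Constructed sample key and plaintext fragment.
SAMPLE_KEY = bytes(range(32))
SAMPLE_FRAGMENT = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"


def demo():
    """Genuine record, then the same record replayed, then a modified body."""
    sender_seq = 0
    tag = compute_mac(SAMPLE_KEY, sender_seq, CONTENT_TYPE_APPLICATION_DATA,
                      TLS_1_2, SAMPLE_FRAGMENT)
    rx = RecordReceiver(SAMPLE_KEY)
    first = rx.accept(CONTENT_TYPE_APPLICATION_DATA, SAMPLE_FRAGMENT, tag)
    replay = rx.accept(CONTENT_TYPE_APPLICATION_DATA, SAMPLE_FRAGMENT, tag)
    tampered = SAMPLE_FRAGMENT[:-1] + b"X"
    altered = rx.accept(CONTENT_TYPE_APPLICATION_DATA, tampered, tag)
    return first, replay, altered


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

In a real TLS 1.2 CBC record the tag is appended to the plaintext and then padded and encrypted (MAC-then-encrypt), and the receiver must decrypt and strip padding before the comparison shown here; that padding step, not the HMAC itself, is where the timing leaks behind Lucky Thirteen arise, and AEAD suites (GCM, CCM) avoid the whole sequence.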
This use of TLS to secure HTTP traffic constitutes the HTTPS protocol.[35]

Website protocol support (as of October 2016, from the SSL Pulse survey of the most popular web sites):

Protocol version | Website support | Security[2]
TLS 1.1 | 78.3% | Depends on cipher[1] and client mitigations
TLS 1.2 | 80.7% (+0.7%) | Depends on cipher[1]
TLS 1.3 (Draft) | | N/a

Notes

[1] see #Cipher table below
[2] see #Web browsers and #Attacks against TLS/SSL sections

42.5.2 Web browsers

Further information: Comparison of web browsers

As of April 2016, the latest versions of all major web browsers support TLS 1.0, 1.1, and 1.2, and have them enabled by default. However, not all supported Microsoft operating systems support the latest version of IE. Additionally, many operating systems currently support multiple versions of IE, but this will change according to Microsoft's Internet Explorer Support Lifecycle Policy FAQ: "beginning January 12, 2016, only the most current version of Internet Explorer available for a supported operating system will receive technical support and security updates." The page then goes on to list the latest supported version of IE at that date for each operating system. The next critical date would be when an operating system reaches the end of life stage, which is in Microsoft's Windows lifecycle fact sheet.

There are still problems on several browser versions:

• TLS 1.1 and 1.2 supported, but disabled by default: Internet Explorer 10 for Server 2012
• TLS 1.1 and 1.2 not supported: Internet Explorer 9 for Windows Vista and Server 2008

Mitigations against known attacks are not enough yet:

• Mitigations against the POODLE attack: Some browsers already prevent fallback to SSL 3.0; however, this mitigation needs to be supported not only by clients, but also by servers. Disabling SSL 3.0 itself, implementation of "anti-POODLE record splitting", or denying CBC ciphers in SSL 3.0 is required.
  • Google Chrome: Complete (TLS_FALLBACK_SCSV is implemented since version 33, fallback to SSL 3.0 is disabled since version 39, SSL 3.0 itself is disabled by default since version 40. Support of SSL 3.0 itself was dropped since version 44.)
  • Mozilla Firefox: Complete (SSL 3.0 itself is disabled by default and fallback to SSL 3.0 is disabled since version 34, TLS_FALLBACK_SCSV is implemented since version 35. In ESR, SSL 3.0 itself is disabled by default and TLS_FALLBACK_SCSV is implemented since ESR 31.3. Support of SSL 3.0 itself is dropped since version 39.)
  • Internet Explorer: Partial (Only in version 11, SSL 3.0 is disabled by default since April 2015. Version 10 and older are still vulnerable to POODLE.)
  • Opera: Complete (TLS_FALLBACK_SCSV is implemented since version 20, "anti-POODLE record splitting", which is effective only with client-side implementation, is implemented since version 25, SSL 3.0 itself is disabled by default since version 27. Support of SSL 3.0 itself will be dropped since version 31.)
  • Safari: Complete (Only on OS X 10.8 and later and iOS 8, CBC ciphers during fallback to SSL 3.0 are denied, but this means it will use RC4, which is not recommended either. Support of SSL 3.0 itself is dropped on OS X 10.11 and later and iOS 9.)
• Mitigation against RC4 attacks:
  • Google Chrome disabled RC4 except as a fallback since version 43. RC4 is disabled since Chrome 48.
  • Firefox disabled RC4 except as a fallback since version 36. Firefox 44 disabled RC4 by default.
  • Opera disabled RC4 except as a fallback since version 30. RC4 is disabled since Opera 35.
  • Internet Explorer for Windows 7 / Server 2008 R2 and for Windows 8 / Server 2012 has set the priority of RC4 to lowest and can also disable RC4 except as a fallback through registry settings. Internet Explorer 11 Mobile for Windows Phone 8.1 disables RC4 except as a fallback if no other enabled algorithm works. Edge and IE 11 disable RC4 completely in August 2016.
• Mitigation against the FREAK attack:
  • The Android Browser of Android 4 and older is still vulnerable to the FREAK attack.
  • Internet Explorer 11 Mobile is still vulnerable to the FREAK attack.
  • Google Chrome, Internet Explorer (desktop), Safari (desktop & mobile), and Opera (mobile) have FREAK mitigations in place.
  • Mozilla Firefox on all platforms and Google Chrome on Windows were not affected by FREAK.

Notes

[1] Does the browser have mitigations, or is it not vulnerable to the known attacks? Note that actual security depends on other factors such as the negotiated cipher, encryption strength etc. (see #Cipher table).
[2] Whether a user or administrator can choose the protocols to be used or not. If yes, several attacks such as BEAST (vulnerable in SSL 3.0 and TLS 1.0) or POODLE (vulnerable in SSL 3.0) can be avoided.
[3] Whether EV SSL and DV SSL (normal SSL) can be distinguished by indicators (green lock icon, green address bar, etc.) or not.
[4] e.g. 1/n-1 record splitting.
[5] e.g. disabling header compression in HTTPS/SPDY.
[6] • Complete mitigations: disabling SSL 3.0 itself, "anti-POODLE record splitting". "Anti-POODLE record splitting" is effective only with client-side implementation and is valid according to the SSL 3.0 specification; however, it may also cause compatibility issues due to problems in server-side implementations.
    • Partial mitigations: disabling fallback to SSL 3.0, TLS_FALLBACK_SCSV, disabling cipher suites with CBC mode of operation. If the server also supports TLS_FALLBACK_SCSV, the POODLE attack will fail against this combination of server and browser, but connections where the server does not support TLS_FALLBACK_SCSV and does support SSL 3.0 will still be vulnerable. If cipher suites with CBC mode of operation are disabled in SSL 3.0, only cipher suites with RC4 are available, and RC4 attacks become easier.
    • When SSL 3.0 is disabled manually, the POODLE attack will fail.
[7] • Complete mitigation: disabling cipher suites with RC4.
    • Partial mitigation, to keep compatibility with old systems: setting the priority of RC4 lower.
[8] Google Chrome (and Chromium) supports TLS 1.0, and TLS 1.1 from version 22 (it was added, then dropped from version 21). TLS 1.2 support has been added, then dropped from Chrome 29.[44][45][46]
[9] Uses the TLS implementation provided by BoringSSL for Android, OS X, and Windows[47] or by NSS for Linux. Google is switching the TLS library used in Chrome to BoringSSL from NSS completely.
[10] Configure enabling/disabling of each protocol via a setting/option (the menu name depends on the browser).
[11] Configure the maximum and the minimum version of enabled protocols with a command-line option.
[12] TLS_FALLBACK_SCSV is implemented.[55] Fallback to SSL 3.0 is disabled since version 39.[56]
[13] In addition to TLS_FALLBACK_SCSV and disabling a fallback to SSL 3.0, SSL 3.0 itself is disabled by default.[56]
[14] Configure the minimum version of enabled protocols via chrome://flags[60] (the maximum version can be configured with a command-line option).
42.5.3 Libraries

Most SSL and TLS programming libraries are free and open source software:

• Botan: a BSD-licensed cryptographic library.
• Delphi programmers may use a library called Indy, which utilizes OpenSSL.
• GnuTLS: a free implementation (LGPL licensed).
• Java Secure Socket Extension: a Java implementation included in the Java Runtime Environment. It supports TLS 1.1 and 1.2 from Java 7, although they are disabled by default for the client and enabled by default for the server (Oracle, Java Cryptography Architecture Oracle Providers Documentation). Java 8 supports TLS 1.1 and 1.2 enabled on both the client and server by default (Oracle, JDK 8 Security Enhancements).
• LibreSSL: a fork of OpenSSL by the OpenBSD project.
• MatrixSSL: a dual-licensed implementation.
• mbed TLS (previously PolarSSL): an SSL library implementation for embedded devices that is designed for ease of use.
• Network Security Services: a FIPS 140 validated open source library.
• OpenSSL: a free implementation (BSD license with some extensions).
• SChannel (Security Support Provider Interface): an implementation of SSL and TLS in Microsoft Windows as part of its package.
• Secure Transport: an implementation of SSL and TLS used in OS X and iOS as part of their packages.
• wolfSSL (previously CyaSSL): an embedded SSL/TLS library with a strong focus on speed and size.

Library support for TLS/SSL

Implementation | SSL 2.0 (insecure) | SSL 3.0 (insecure) | TLS 1.0 | TLS 1.1 | TLS 1.2 | TLS 1.3 (Draft)
Botan | No | No (since 1.11.13, 2015-01-11) | Yes | Yes | Yes |
cryptlib | No | Enabled by default | Yes | Yes | Yes |
GnuTLS | No | Disabled by default (since GnuTLS 3.4.0) | Yes | Yes | Yes |
Java Secure Socket Extension | No | Disabled by default (since Java 8u31) | Yes | Yes | Yes |
LibreSSL | No (since OpenBSD 5.6) | No (since LibreSSL 2.3.0) | Yes | Yes | Yes |
MatrixSSL | No | Disabled by default at compile time | Yes | Yes | Yes |
mbed TLS (previously PolarSSL) | No | Disabled by default (since mbed TLS 2.0.0) | Yes | Yes | Yes |
Network Security Services | No | Disabled by default (since NSS 3.19) | Yes | Yes | Yes (since NSS 3.15.1) |
OpenSSL | No (since OpenSSL 1.1.0) | Enabled by default | Yes | Yes (since OpenSSL 1.0.1) | Yes |
RSA BSAFE | No | Yes | Yes | Yes | Yes |
SChannel XP / 2003 | Disabled by default by MSIE 7 | Enabled by default | Enabled by default | No | No |
SChannel Vista / 2008 | Disabled by default | Enabled by default | Yes | No | No |
SChannel 7 / 2008 R2 | Disabled by default | Enabled by default | Yes | Disabled by default | Disabled by default |
SChannel 8.1 / 2012 R2, 10 | Disabled by default | Disabled by default in MSIE 11 | Yes | Yes | Yes |
Secure Transport OS X 10.2–10.8 / iOS 1–4 | Yes | Yes | Yes | No | No |
Secure Transport OS X 10.9–10.10 / iOS 5–8 | No[c] | Yes | Yes | Yes[c] | Yes[c] |
Secure Transport OS X 10.11 / iOS 9 | No | No[c] | Yes | Yes | Yes |
wolfSSL (previously CyaSSL) | No | Disabled by default (since wolfSSL 3.6.6) | Yes | Yes | Yes |

Notes

[c] Secure Transport: SSL 2.0 was discontinued in OS X 10.8. SSL 3.0 was discontinued in OS X 10.11 and iOS 9. TLS 1.1 and 1.2 are available on iOS 5.0 and later, and OS X 10.9 and later (Apple Technical Note TN2287: iOS 5 and TLS 1.2 Interoperability Issues).

A paper presented at the 2012 ACM conference on computer and communications security (Georgiev, Iyengar, Jana, Anubhai, Boneh and Shmatikov, "The most dangerous code in the world: validating SSL certificates in non-browser software", Proceedings of the 2012 ACM CCS, ISBN 978-1-4503-1651-4) showed that few applications used some of these SSL libraries correctly, leading to vulnerabilities. According to the authors,
"the root cause of most of these vulnerabilities is the terrible design of the APIs to […] properties of network tunnels such as confidentiality and authentication, these APIs expose low-level details of the SSL protocol to application developers. As a consequence […]"

42.5.4 Other uses

TLS can also be used to tunnel an entire network stack to create a VPN, as is the case with OpenVPN and OpenConnect. Many vendors now marry TLS's encryption and authentication capabilities with authorization. There has also been substantial development since the late 1990s in creating client technology outside of the browser to enable support for client/server applications. When compared against traditional IPsec VPN technologies, TLS has some inherent advantages in firewall and NAT traversal that make it easier to administer for large remote-access populations.

TLS is also a standard method to protect Session Initiation Protocol (SIP) application signaling. TLS can be used to provide authentication and encryption of the SIP signaling associated with VoIP and other SIP-based applications.[citation needed]

42.6 Security

42.6.1 SSL 2.0

SSL 2.0 is flawed in a variety of ways (Claessens et al., "On the Security of Today's Online Electronic Banking Systems", Computers & Security 21(3), 2002, pp. 253–265, doi:10.1016/S0167-4048(02)00312-7):

• Identical cryptographic keys are used for message authentication and encryption. ([…] larger than encryption keys, so messages can remain tamper resistant even if encryption keys are broken.)
• SSL 2.0 has a weak MAC construction that uses […]
• […], leaving the recipient unaware of an illegitimate end of data message (SSL 3.0 fixes this problem by having an explicit closure alert).
• SSL 2.0 assumes a single service and a fixed domain certificate, which clashes with the standard feature of virtual hosting in web servers. This means that most websites are practically impaired from using SSL.

SSL 2.0 is disabled by default, beginning with Internet Explorer 7 (IEBlog: Upcoming HTTPS Improvements in Internet Explorer 7 Beta 2, Eric Lawrence, 2005-10-22), Mozilla Firefox 2 (Bugzilla@Mozilla, Bug 236933: Disable SSL2 and other weak ciphers), Opera 9.5 (Opera 9.5 for Windows Changelog: "Disabled SSL v2 and weak ciphers.") and Safari. After it sends a TLS "ClientHello", if Mozilla Firefox finds that the server is unable to complete the handshake, it will attempt to fall back to using SSL 3.0 with an SSL 3.0 "ClientHello" in SSL 2.0 format to maximize the likelihood of successfully handshaking with older servers (Bugzilla@Mozilla, Bug 454759).

42.6.2 SSL 3.0

SSL 3.0 […] not considered secure. Under TLS 1.0, the master key that is established depends on both MD5 and SHA-1 […] (NIST, Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program). In October 2014, a vulnerability in the design of SSL 3.0 was reported, which makes CBC mode of operation with SSL 3.0 vulnerable to a padding attack (see #POODLE attack).

42.6.3 TLS

TLS has a variety of security measures:

• Protection against a downgrade of the protocol to a previous (less secure) version or a weaker cipher suite.
• Numbering subsequent Application records with a sequence number and using this sequence number in the message authentication codes (MACs).
• Using a message […]
• […] handshake messages seen by both parties.
• The pseudorandom function splits the input data in half and processes each one with a different hashing algorithm (MD5 and SHA-1), then XORs them together to create the MAC. This provides protection even if one of these algorithms is found to be vulnerable.

42.6.4 Attacks against TLS/SSL

Attacks against TLS/SSL are listed below.

Note: In February 2015, the IETF issued an informational RFC (RFC 7457: Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS)) summarizing the various known attacks against TLS/SSL.

Renegotiation attack

A vulnerability in the renegotiation procedure was discovered in August 2009 that can lead to plaintext injection attacks against SSL 3.0 and all current versions of TLS (CVE-2009-3555). For example, it allows an attacker who can hijack an https connection to splice their own requests into the beginning of the conversation the client has with the web server. The attacker can't actually decrypt the client-server communication, so it is different from a typical man-in-the-middle attack. A short-term fix is for web servers to stop allowing renegotiation, which typically will not require other changes unless client certificate authentication is used. To fix the vulnerability, a renegotiation indication extension was proposed for TLS. It will require the client and server to include and verify information about previous handshakes in any renegotiation handshakes (Eric Rescorla, "Understanding the TLS Renegotiation Attack", Educated Guesswork, 2009-11-05). This extension has become a proposed standard and has been assigned the number RFC 5746. The RFC has been implemented by several libraries (OpenSSL, SSL_CTX_set_options: SECURE_RENEGOTIATION; Mozilla, NSS 3.12.6 release notes).

Protocol downgrade attacks

A protocol downgrade attack (also called a version rollback attack) tricks a web server into negotiating connections with previous versions of TLS (such as SSLv2) that have long since been abandoned as insecure. Previous modifications to the original protocols, like False Start (A. Langley, N. Modadugu, B. Moeller, "Transport Layer Security (TLS) False Start", IETF draft, 2 June 2010; adopted and enabled by Google Chrome (Wolfgang Gruener, "False Start: Google Proposes Faster Web, Chrome Supports It Already", ConceivablyTech)) or Snap Start […] limited TLS protocol downgrade attacks (Brian Smith, "Limited rollback attacks in False Start and Snap Start", IETF TLS mailing list; Adrian Dimcev, "False Start", Random SSL/TLS 101). A paper presented at an Association for Computing Machinery (ACM) conference on computer and communications security in 2012 demonstrated that the False Start extension was at risk: in certain circumstances it could allow an attacker to recover the encryption keys offline and to access the encrypted data (Mavrogiannopoulos, Vercauteren, Velichkov and Preneel, "A cross-protocol attack on the TLS protocol", Proceedings of the 2012 ACM CCS, pp. 62–72).

Cross-protocol attacks: DROWN

Main article: DROWN attack

The DROWN attack is an exploit that attacks servers supporting contemporary SSL/TLS protocol suites by exploiting their support for the obsolete, insecure SSLv2 protocol to leverage an attack on connections using up-to-date protocols that would otherwise be secure (John Leyden, "One-third of all HTTPS websites open to DROWN attack", The Register, 1 March 2016; "More than 11 million HTTPS websites imperiled by new decryption attack", Ars Technica). DROWN exploits a vulnerability in the protocols used and the configuration of the server, rather than any specific implementation error. Full details of DROWN were announced in March 2016, together with a patch for the exploit. As of March 2016, more than 81,000 of the top 1 million most popular web sites were among the TLS-protected web sites vulnerable to the DROWN attack.

BEAST attack

On September 23, 2011, researchers Thai Duong and Juliano Rizzo demonstrated a proof of concept called BEAST (Browser Exploit Against SSL/TLS) (Thai Duong and Juliano Rizzo, "Here Come The ⊕ Ninjas", 2011-05-13) using […] same origin policy constraints, for a long-known cipher block chaining (CBC) vulnerability in TLS 1.0 (Dan Goodin, "Hackers break SSL encryption used by millions of sites", The Register, 2011-09-19; Y Combinator comments on the issue, 2011-09-20): an attacker observing 2 consecutive ciphertext blocks C0, C1 can test if the plaintext block P1 is equal to x by choosing the next plaintext block P2 = x ^ C0 ^ C1; due to how CBC works, C2 will be equal to C1 if x = P1. Practical exploits had not been previously demonstrated for this vulnerability, which was originally discovered by Phillip Rogaway in 2002 (openssl.org/~bodo/tls-cbc.txt, 2004-05-20). The vulnerability had been fixed with TLS 1.1 in 2006, but TLS 1.1 had not seen wide adoption prior to this attack demonstration. RC4 as a stream cipher is immune to the BEAST attack. Therefore, RC4 was widely used as a way to mitigate the BEAST attack on the server side. However, in 2013, researchers found more weaknesses in RC4.
Thereafter enabling RC4 on server side was no longer recommended.{{cite web | Yes[n 10] /s curitylabs/2013/09/10/is-beast-still-a-thr 15–22 ESR 17.0–17.0.10 | accessdate=8 October 2014 | author=Ristic, Ivan}} Chrome and Firefox themselNo are not vulnerable to BEAST attack,{{cite web|url=http://googEnabled by default ogspot.jp/2011/10/chrome-stable-release.html| title=Chrome Stable Release|work=Chrome Yes ases|publisher=Google|date=2011-1025|accessdate=2015-02-01}}{{cite web|uNo https://blog.mozilla.org/security/2011/ 09/27/attack-against-tls-protected-communicatNo s/|title=Attack against TLS-protected communications|work=Mozilla Security Blog|publNo er=Mozilla|date=2011-09-27|accessdate=2015-0201}} however, Mozilla updated theYes [Network Security Services|NSS]] libraries to mitigate BEASTlike [[Attack (computingYes tacks]]. NSS is used by [[Mozilla Firefox]] and [[Google Chrome]] to implement SSL. SYes [[web server]]s that have a broken implementation of the SSL specification may stop wNot affected esult.{{cite web|url=https://bugzilla. mozilla.org/show_bug.cgi?id=665814|title=(Mitigated 389) Rizzo/Duong chosen plaintext attack (BEAST) on SSL/TLS 1.0 (facilitated by websVulnerable |date=201109-30|author=Brian Smith}} [[Microsoft]] released Security BulletVulnerable on January 10, 2012, which fixed the BEAST vulnerability by changing the way that thNot affected ure Channel ([[SChannel]]) component transmits encrypted network packets from the seVulnerable ef>{{cite web|url=https://technet.microsoft. 
com/library/security/ms12-006|title=VulneYes[n 10] at on Disclosure (2643584)|date=2012-01-10}}< ESR 17.0.11 o version 11) that run on older versions of Windows ([[Windows 7]], [[Windows 8]] andNo Windows Server 2008|Windows Server 2008 R2]]z) can restrict use of TLS to 1.1 or higEnabled by default Apple]] fixed BEAST vulnerability by implementing 1/n-1 split and turning it on by deYes t in [[OS X Mavericks]], released on October 22, 2013.{{cite web | url=https://No munity.qualys.com/blogs/securitylabs/ 2013/10/31/apple-enabled-beast-mitigations-in-oNo −109-mavericks | title=Apple Enabled BEAST Mitigations in OS X 10.9 Mavericks | dateNo t 31, 2013 | accessdate=8 October 2014 | author=Ristic, Ivan}} ===={{Anchor|CRYes attack|BREACH attack|CRIME|BREACH}} CRIME and BREACH attacks====
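Before the CRIME and BREACH material, the CBC relation stated in the BEAST section above deserves a runnable illustration: C2 equals C1 exactly when the guess x equals P1, because TLS 1.0 reuses the previous record's last ciphertext block as the next record's IV, and the TLS 1.1 explicit per-record IV that the section credits with fixing the problem removes that relation. The Python below is an added example written for this page; it is not code from the original article or from any cited project. The keyed Feistel block cipher, the two sender classes, the function names and the sample plaintext blocks are all this example's own constructions, chosen so the script runs offline without a crypto library.

```python
"""Added example: why TLS 1.0's chained CBC IV lets an observer confirm a
guess for one plaintext block, and why an explicit random IV (TLS 1.1) does not.

The block cipher is a constructed 4-round Feistel permutation keyed with
SHA-256; it stands in for AES only so this runs with the standard library.
The identity C2 == C1 <=> x == P1 holds for any deterministic block cipher.
"""
import hashlib
import os

BLOCK = 16  # block size in bytes, same as AES


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function truncated to half a block (constructed, toy).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel network: a genuine permutation on 16-byte blocks."""
    assert len(block) == BLOCK
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in range(4):
        left, right = right, xor(left, _round_fn(key, rnd, right))
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Plain CBC over whole blocks; returns only the ciphertext blocks."""
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(key, xor(plaintext[i : i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


class ChainedIvSender:
    """Models TLS 1.0 CBC records: the IV of each record is the last
    ciphertext block of the previous one, so it is public before the next
    plaintext is chosen."""

    def __init__(self, key: bytes):
        self.key = key
        self.next_iv = os.urandom(BLOCK)  # real TLS derives the first IV from the handshake

    def send(self, plaintext: bytes) -> bytes:
        ct = cbc_encrypt(self.key, self.next_iv, plaintext)
        self.next_iv = ct[-BLOCK:]
        return ct


class ExplicitIvSender:
    """Models TLS 1.1+ CBC records: a fresh random IV is generated per record
    and transmitted in front of the ciphertext, so it cannot be known in advance."""

    def __init__(self, key: bytes):
        self.key = key

    def send(self, plaintext: bytes) -> bytes:
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.key, iv, plaintext)


def confirms_guess_chained(key: bytes, p0: bytes, p1: bytes, x: bytes) -> bool:
    """TLS 1.0 case. An observer sees record 1 = C0 || C1, knows the next IV
    is C1, and has P2 = x ^ C0 ^ C1 sent as record 2. Then
    C2 = E(P2 ^ C1) = E(x ^ C0), which equals C1 = E(P1 ^ C0) iff x == P1."""
    sender = ChainedIvSender(key)
    ct = sender.send(p0 + p1)
    c0, c1 = ct[:BLOCK], ct[BLOCK:]
    probe = xor(xor(x, c0), c1)
    c2 = sender.send(probe)
    return c2 == c1


def confirms_guess_explicit_iv(key: bytes, p0: bytes, p1: bytes, x: bytes) -> bool:
    """TLS 1.1 case. Same probe, but record 2 is encrypted under an IV that
    did not exist when the probe was chosen; the equality now only holds if
    the fresh IV happens to equal C1, i.e. with probability 2^-128."""
    sender = ExplicitIvSender(key)
    rec = sender.send(p0 + p1)
    c0, c1 = rec[BLOCK : 2 * BLOCK], rec[2 * BLOCK :]
    probe = xor(xor(x, c0), c1)
    rec2 = sender.send(probe)
    return rec2[BLOCK:] == c1


if __name__ == "__main__":
    key = os.urandom(BLOCK)
    p0, p1 = b"block-zero-data!", b"the secret block"  # constructed sample blocks
    print("TLS 1.0 chained IV, x == P1 :", confirms_guess_chained(key, p0, p1, p1))
    print("TLS 1.0 chained IV, x != P1 :", confirms_guess_chained(key, p0, p1, b"x" * BLOCK))
    print("TLS 1.1 explicit IV, x == P1:", confirms_guess_explicit_iv(key, p0, p1, p1))
```

Running the file prints True, False, False. The chained-IV outcome is deterministic in both directions because the block cipher is a permutation, so an equal C2 is a reliable confirmation and an unequal one a reliable rejection. With an explicit random IV the value XORed into the chosen block is fixed only after the block has been committed, which is also the principle behind the 1/n-1 record split Apple turned on in OS X Mavericks: the one-byte leading record makes the effective IV of the remaining data unpredictable.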