Access networks – exercise session. Moldován István. Source: Peter.Vetter@alcatel.be, Francois.Fredricx@alcatel.be, MUSE Winter School
Network architecture – Definitions (2): Nodes
(Figure: end-to-end reference model; labels recovered from the diagram)
Segments, left to right: Customer Premise Networks – First Mile – Access Network (Ethernet aggregation network) – Regional Network – Service Networks.
Nodes: Terminals and the RGW (residential gateway) in the customer premises; the AN (access node) between the first mile and the aggregation network; the EN (edge node) / BRAS between the aggregation network and the regional network.
Tutorial Access Architecture — 2
Network architecture – Definitions (3): Business roles
(Figure: business roles mapped onto the same segments; labels recovered from the diagram)
• Network Access Provider (NAP): access node, first mile and aggregation networks
• Regional Network Provider (RNP): regional network up to the service networks
• Connectivity Provider and Packager: the roles that bundle connectivity and services towards the User
• Service Providers: NSP, ISP, ASP
Issues when using Ethernet in Access
Ethernet LAN (trusted environment) | Ethernet in Access (public network)
• No authentication | AAA
• Configurable MAC@ – conflicts, spoofing | Anti-spoofing mechanism
• Bridge learning – broadcast of some initialisation messages (ARP, DHCP, PPPoE): DoS attacks; confidential information leaks to other users or competing providers | Secure and scalable connectivity models: Model 1 (L2 forwarding), Model 2 (L3 forwarding)
• No QoS | QoS framework
Definitions – Autoconfiguration and AAA
Autoconfiguration: the process of establishing a connection.
AAA:
Authentication – the process of determining whether someone or something is, in fact, who or what it is declared to be.
 – based on identifiers and security attributes
 – part of an actual access to a network/service in the context of an SLA or contract, and often linked with a fee (Accounting)
Authorization – the process of giving individuals access to system objects based on their identity.
Accounting – recording, classifying, summarizing and interpreting events of a financial character in a significant manner.
Autoconfiguration: PPP model
Characteristics:
• PPP = Point-to-Point Protocol
• A PPP session (between the CP modem and the PPP peer) performs:
 – Link establishment (LCP packets)
 – Authentication (optional, PAP or CHAP)
 – Network-layer protocol configuration (NCP packets, e.g. IPCP: the CP gets its IP@)
• The PPP encapsulation stays in place for the whole session
Origin of PPP: Internet access via voice-band modems (figure: Modem – PSTN – Modem bank / RAS – Internet)
• Continued to be used in DSL
Autoconfiguration: PPP model – PPP in the access network
• PPP can start at:
 – the CPE modem (router)
 – the host (PC)
• PPP can end at:
 – the (IP) DSLAM
 – the BRAS of the NAP
 – the BRAS of the NSP, via an L2TP tunnel (figure: NAP switch – L2TP tunnel – NSP BRAS)
PPPoE
PPPoE is needed when PPP is transported over Ethernet; it allows:
 – transport over a shared medium
 – PPP session multiplexing
Autoconfig procedure:
 - Detection of server(s): PPPoE Active Discovery Initiation (PADI)
 - Server(s) reply: PPPoE Active Discovery Offer (PADO)
 - Choice of server: PPPoE Active Discovery Request (PADR)
 - Server confirmation: PPPoE Active Discovery Session-confirmation (PADS)
(Figure: protocol stacks – PPPoE over Ethernet: IP / PPP / PPPoE / 802.3 MAC; PPPoE over ATM (PPPoEoA): IP / PPP / PPPoE / 802.3 MAC / RFC 2684 / AAL5 / ATM)
PPPoE initialisation
(Figure: message sequence between the PPPoE client – Modem – Access Node – Ethernet Switch – PPPoE Server in the Edge Node; per-message header fields recovered from the diagram)
<PADI> Ethernet: DA = Broadcast, SA = User MAC@; PPPoE: ISP-Name. From the Access Node onwards the frame carries an S-VLAN ID (and optionally a C-VLAN ID) and the DA becomes Unicast/Multicast.
<PADO> Ethernet: DA = User MAC@, SA = Server MAC@ (S-VLAN ID and optional C-VLAN ID on the aggregation side); PPPoE: ISP-Name.
<PADR> Ethernet: DA = Server MAC@, SA = User MAC@ (S-VLAN ID and optional C-VLAN ID on the aggregation side).
<PADS> Session confirmation sent back by the server along the same path.
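The PADI/PADO/PADR/PADS exchange from the two slides above, as an added example that is not part of the original tutorial: it builds and parses RFC 2516 discovery frames (EtherType 0x8863, tags as TLVs) and applies the per-message checks an access node could enforce, e.g. PADI must be broadcast and PADS must carry a non-zero session id. MAC addresses, the ISP name and the session id are constructed sample values; VLAN tags are not modelled.

```python
import struct

BROADCAST = bytes.fromhex("ffffffffffff")
ETH_PPPOE_DISC = 0x8863                          # EtherType: PPPoE Discovery stage (RFC 2516)
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65  # discovery message codes
TAG_SERVICE_NAME, TAG_AC_NAME = 0x0101, 0x0102   # tags: ISP/service name, access concentrator name

def build_frame(dst, src, code, session_id, tags):
    """Ethernet header + PPPoE discovery header (ver=1, type=1) + TLV tags."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    hdr = struct.pack("!BBHH", 0x11, code, session_id, len(payload))
    return dst + src + struct.pack("!H", ETH_PPPOE_DISC) + hdr + payload

def parse_frame(frame):
    """Decode one discovery frame into addresses, code, session id and a tag dict."""
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    vt, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if etype != ETH_PPPOE_DISC or vt != 0x11:
        raise ValueError("not a PPPoE discovery frame")
    tags, body, off = {}, frame[20:20 + length], 0
    while off + 4 <= len(body):
        t, l = struct.unpack("!HH", body[off:off + 4])
        tags[t] = body[off + 4:off + 4 + l]
        off += 4 + l
    return {"dst": dst, "src": src, "code": code, "session": session_id, "tags": tags}

def discovery_exchange(user_mac, server_mac, isp_name, session_id=0x0001):
    """PADI -> PADO -> PADR -> PADS as on the sequence slide (MACs and session id are constructed)."""
    svc = [(TAG_SERVICE_NAME, isp_name)]
    padi = build_frame(BROADCAST, user_mac, PADI, 0, svc)            # DA: broadcast, SA: user MAC
    pado = build_frame(user_mac, server_mac, PADO, 0, svc + [(TAG_AC_NAME, b"edge-node")])
    padr = build_frame(server_mac, user_mac, PADR, 0, svc)           # DA: the chosen server
    pads = build_frame(user_mac, server_mac, PADS, session_id, svc)  # carries the session id
    return [parse_frame(f) for f in (padi, pado, padr, pads)]

def check_exchange(frames, user_mac):
    """Per-message consistency checks an access node could apply; True if all hold."""
    padi, pado, padr, pads = frames
    svc = padi["tags"].get(TAG_SERVICE_NAME)
    return (padi["code"] == PADI and padi["dst"] == BROADCAST and padi["session"] == 0
            and pado["code"] == PADO and pado["dst"] == user_mac and pado["session"] == 0
            and padr["code"] == PADR and padr["dst"] == pado["src"] and padr["session"] == 0
            and pads["code"] == PADS and pads["dst"] == user_mac and pads["session"] != 0
            and all(f["tags"].get(TAG_SERVICE_NAME) == svc for f in frames))
```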
Non-PPP autoconfiguration
PPP is a tunnel for each connection. Disadvantages of PPP:
• Separate tunnel per QoS class
• No support for multicast streams
• Dataplane processing
• Not supported by all types of terminals
Non-PPP => DHCP (figure: DHCP carrying the config data directly over the IP / 802.3 MAC stack)
• What replaces LCP?
• What replaces authentication?
• What replaces NCP?
Authentication in the Non-PPP model
• Portal-based authentication
• EAP
• IEEE 802.1X
• PANA (Protocol for carrying Authentication for Network Access)
• DHCP option 90
IEEE 802.1X
(Figure: an 802.1X-compliant port of a NAP. The Supplicant on the LAN talks to the Port Authentication Entity (PAE); the PAE uses RADIUS or DIAMETER towards the Authentication Server. The port is split into an Uncontrolled Port, which only carries the authentication exchange, and a Controlled Port, which is opened to the Other Services only once the PAE has authorized it.)
Autoconfiguration: DHCP model
Characteristics:
• DHCP = Dynamic Host Configuration Protocol
• DHCP works in client/server mode
• DHCP is carried over IP, only during the configuration phase (figure: DHCP / IP / 802.3 MAC stack carrying the config data)
• A DHCP session (host – server):
 – delivers host-specific configuration parameters
 – allocates network addresses to the host:
   – automatic: permanent IP@
   – dynamic: leased IP@ (limited time)
   – manual
Autoconfig procedure:
• Discovery of DHCP server (DHCPDISCOVER)
• Replies of server(s) (DHCPOFFER)
• Host selects server (DHCPREQUEST)
• Server acks and sets config (DHCPACK)
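The four-message DHCP procedure above, as an added example that is not part of the original tutorial: it encodes RFC 2131 messages (BOOTP fixed header, magic cookie, option 53 message type, options 50/51/54/6), parses them back, and checks that the sequence is consistent before reporting the leased address, DNS server and lease time, which is what a reader would pull out of a capture of this exchange. Only the DHCP payload is modelled (no UDP/IP); the client MAC, transaction id and all addresses are constructed sample values.

```python
import struct, ipaddress

MAGIC = bytes.fromhex("63825363")                                   # DHCP magic cookie (RFC 2131)
OPT_DNS, OPT_REQ_IP, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 6, 50, 51, 53, 54, 255
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5                           # option 53 message types
ip4 = lambda s: ipaddress.IPv4Address(s).packed                     # dotted string -> 4 bytes

def build_dhcp(op, xid, chaddr, yiaddr, options):
    """236-byte BOOTP fixed header + magic cookie + TLV options (UDP/IP layers omitted)."""
    fixed = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)   # htype=Ethernet, broadcast flag
    fixed += b"\0" * 4 + ip4(yiaddr) + b"\0" * 8                    # ciaddr, yiaddr, siaddr, giaddr
    fixed += chaddr.ljust(16, b"\0") + b"\0" * 192                  # chaddr, sname, file
    opts = b"".join(struct.pack("!BB", t, len(v)) + v for t, v in options)
    return fixed + MAGIC + opts + bytes([OPT_END])

def parse_dhcp(msg):
    """Return op, xid, yiaddr (dotted), message type and the raw option dict."""
    op, _, _, _, xid, _, _ = struct.unpack("!BBBBIHH", msg[:12])
    if msg[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, off = {}, 240
    while off < len(msg) and msg[off] != OPT_END:
        if msg[off] == 0:                                           # pad option has no length byte
            off += 1
            continue
        t, l = msg[off], msg[off + 1]
        opts[t] = msg[off + 2:off + 2 + l]
        off += 2 + l
    return {"op": op, "xid": xid, "yiaddr": str(ipaddress.IPv4Address(msg[16:20])),
            "type": opts[OPT_MSG_TYPE][0], "opts": opts}

def dhcp_exchange(client_mac, xid=0x3903F326, offered="10.0.0.42",
                  server="10.0.0.1", dns="10.0.0.53", lease=3600):
    """DISCOVER -> OFFER -> REQUEST -> ACK; addresses and xid are constructed sample values."""
    common = [(OPT_SERVER_ID, ip4(server)), (OPT_DNS, ip4(dns)), (OPT_LEASE, struct.pack("!I", lease))]
    discover = build_dhcp(1, xid, client_mac, "0.0.0.0", [(OPT_MSG_TYPE, bytes([DISCOVER]))])
    offer = build_dhcp(2, xid, client_mac, offered, [(OPT_MSG_TYPE, bytes([OFFER]))] + common)
    request = build_dhcp(1, xid, client_mac, "0.0.0.0", [(OPT_MSG_TYPE, bytes([REQUEST])),
                         (OPT_REQ_IP, ip4(offered)), (OPT_SERVER_ID, ip4(server))])
    ack = build_dhcp(2, xid, client_mac, offered, [(OPT_MSG_TYPE, bytes([ACK]))] + common)
    return [parse_dhcp(m) for m in (discover, offer, request, ack)]

def lease_summary(msgs):
    """Validate the 4-way sequence (same xid, right order, REQUEST asks for the offered address)."""
    _, o, r, a = msgs
    ok = (len({m["xid"] for m in msgs}) == 1
          and [m["type"] for m in msgs] == [DISCOVER, OFFER, REQUEST, ACK]
          and r["opts"].get(OPT_REQ_IP) == ip4(o["yiaddr"]) and a["yiaddr"] == o["yiaddr"])
    return {"ip": a["yiaddr"], "dns": str(ipaddress.IPv4Address(a["opts"][OPT_DNS])),
            "lease_s": struct.unpack("!I", a["opts"][OPT_LEASE])[0]} if ok else None
```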
Autoconfiguration messages
(Figure: autoconfiguration message sequence)
One-step autoconfiguration – One-step Authentication
Exercise (Ethereal read-out):
1. What is the protocol used for autoconfiguration?
2. Identify the main message groups as explained in the course.
3. What is the IP address assigned after autoconfiguration?
4. What is the IP address of the DNS server?
5. What is the hexadecimal code for a Broadcast MAC@?
Thank you for your attention! • Questions?