V100R002
Feature Description
Issue 01
Date 2009-12-25
Website: http://www.huawei.com
Email: support@huawei.com
and other Huawei trademarks are the property of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but the statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Contents
3 Security Features
3.1 ACL
3.1.1 ACL Definition
3.1.2 ACL Application
4 Internetworking
4.1 VLAN
4.1.1 Introduction
4.1.2 Advantages of VLAN
4.2 PPP
4.2.1 Introduction
4.2.2 PPP Authentication
4.2.3 PPP Link Operation
4.3 PPPoE
4.3.1 Introduction
4.3.2 PPPoE Discovery Period
5 VPN
5.1 Introduction
5.1.1 VPN Overview
5.1.2 Basic VPN Technology
5.1.3 VPN Classification
5.2 L2TP
5.2.1 VPDN Overview
5.2.2 L2TP Overview
5.3 IPSec
5.3.1 IPSec Overview
5.3.2 IKE Overview
5.3.3 IPSec Basic Concepts
5.3.4 NAT Traversal of IPSec
5.3.5 CA Authentication
5.3.6 Realizing IPSec on the Eudemon
5.4 GRE
5.4.1 GRE Overview
6 Intrusion Detection
6.1 Identification of Protocols Using Nonstandard Ports
6.1.1 Overview
6.1.2 Supported Protocol Types
6.1.3 Working Principles
6.2 Protocol Detection
6.2.1 Overview
6.2.2 DNS Protocol Detection
6.2.3 HTTP Detection
6.2.4 FTP Detection
6.2.5 SMTP Detection
6.2.6 IMAP/POP3 Detection
6.3 IPS Detection
6.3.1 Overview
6.3.2 Working Principles
6.3.3 IPS Rule
6.3.4 Upgrade of the IPS Rule
8 Mail Filtering
8.1 Overview
8.2 Concept
8.3 Working Principles
9 Reliability
9.1 VRRP Overview
9.1.1 Introduction to the Traditional VRRP Protocol
9.1.2 Traditional VRRP on Eudemon Backup
9.2 VGMP Overview
9.2.1 VRRP Management Group Overview
9.2.2 Protocol Hierarchical Relation Between VRRP Management Groups and Backup Groups
9.2.3 Functions of the VRRP Management Group
9.2.4 Relation Among a VRRP Management Group, Backup Group, and Interface
9.2.5 Backup Mode Classification
9.3 Introduction to Dual-System Hot Backup
9.3.1 HRP Application
9.3.2 Master/Slave Configuration Device
9.4 Hierarchical Protocol Relation Between VRRP Backup Group, Management Group, and HRP
9.5 Checking the Configuration Consistency
9.6 IP-Link Auto-detection Overview
A Glossary
B Acronyms and Abbreviations
Purpose
This document introduces the features of the Quidway Eudemon 200E-B: an overview, an introduction to the Eudemon, and the principles and applications of its security features, network interconnection features, VPN features, UTM features, and reliability features. It describes the functions, principles, and features of the Eudemon.
Related Versions
The following table lists the product versions related to this document.
Intended Audience
This document is intended for:
- Technical support engineers
- Network engineers
- Network administrators
- Network maintenance engineers
Organization
This document is organized as follows.

Chapter                          Description
2 Introduction to the Eudemon    Describes the working modes, working process, and the security zones of the Eudemon.
3 Security Features              Describes the security features of the Eudemon, including ACL, packet filter, attack defense, ASPF, blacklist, MAC and IP address binding, port identification, NAT, IP-CAR, P2P traffic limiting, IM blocking, TSM cooperation, SLB, authentication and authorization.
B Acronyms and Abbreviations     Lists the acronyms and abbreviations used in this document.
Conventions
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
General Conventions
The general conventions that may be found in this document are defined as follows.
Convention Description
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
GUI Conventions
The GUI conventions that may be found in this document are defined as follows.
Convention Description
Boldface      Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK.
>             Multi-level menus are in boldface and separated by the ">" sign. For example, choose File > Create > Folder.
Keyboard Operations
The keyboard operations that may be found in this document are defined as follows.
Format          Description
Key             Press the key. For example, press Enter and press Tab.
Key 1+Key 2     Press the keys concurrently. For example, pressing Ctrl+Alt+A means the three keys should be pressed concurrently.
Key 1, Key 2    Press the keys in turn. For example, pressing Alt, A means the two keys should be pressed in turn.
Mouse Operations
The mouse operations that may be found in this document are defined as follows.
Action          Description
Click           Select and release the primary mouse button without moving the pointer.
Double-click    Press the primary mouse button twice continuously and quickly without moving the pointer.
Drag            Press and hold the primary mouse button and move the pointer to a certain position.
Update History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.
1 Overview
This chapter describes network security threats, the types and implementation methods of network security services, and the importance, development history, advantages, functions, and network locations of firewalls.
1.1 Introduction to the Product
Quidway Eudemon 200E-B (hereinafter referred to as the Eudemon) is a cost-effective security
defense product developed mainly for small and medium-sized enterprises. The Eudemon
provides security services, such as defense against attacks, secure access, encryption,
authentication, access control, route management, traffic management, backup management and
so on, to construct secure IT platforms for enterprises.
1.2 Introduction to Network Security
More and more enterprises are speeding up their development through network services, and they are increasingly concerned about how to safeguard their confidential data and resources in an open network environment. Network security has become a factor that cannot be ignored in network construction.
1.3 Introduction to Firewall
Similar to a partition wall that prevents fire from spreading in a building, a firewall is a system that implements one or a group of access control policies. A firewall monitors the access channels between the Trust zone (the internal network) and the Untrust zone (the external network), preventing external hazards from damaging the internal network.
1.4 Functions and Features
The Eudemon supports such features as security defense, internetworking, service applications,
configuration management, maintenance, reliability, and system logs.
1.5 Location of the Eudemon
Typically, the Eudemon is deployed at the ingress of a protected zone to protect the zone based
on access control policies.
High Reliability
The software design takes the details of each type of attack into consideration, and multiple measures such as priority scheduling and flow control are taken to ensure system robustness.
The Eudemon supports dual-system state hot backup, which ensures service continuity during a switchover. In addition, the Eudemon supports dual-system hot backup with load balancing, which automatically switches traffic over in case of a fault.
Besides diversified security defense functions and effective protection capabilities, the Eudemon integrates routing capabilities:
- Static routing
- Routing Information Protocol (RIP) dynamic routing
- Open Shortest Path First (OSPF) dynamic routing
The transparent mode allows you to add a firewall directly without changing the existing network configuration, which simplifies deployment.
Network security threats fall into the following categories:
- Unauthorized access
  Resources are accessed by unauthorized (illegal) users or in an unauthorized manner (exploitation). For example, an intruder may attempt to access a system and use its resources by guessing an account name and password.
- Denial of Service
  A server is prevented from serving legitimate users' requests for data or resources. For example, attackers can overload a server with a flood of request packets, preventing it from processing legitimate work.
- Information sniffing
  Attackers do not access the target system directly. Instead, they obtain critical data and information by sniffing network traffic.
- Data tampering
  Attackers compromise data integrity by modifying, deleting, delaying, or reordering system data or message streams, or by inserting forged messages.
Network security services provide the following guarantees:
- Availability service
  Ensures that information or services are accessible when required.
- Confidentiality service
  Ensures that sensitive data or information is not disclosed or exposed to an unauthorized entity.
- Integrity service
  Ensures that data can be modified or destroyed only with permission.
- Authentication service
  Ensures that an entity's claimed identity is genuine.
- Authorization service
  Protects system resources by controlling access permissions.
Encryption
Encryption is a process where a readable message is translated to an unreadable encrypted
message. Encryption not only ensures communication security, but also functions as the basis
of other security mechanisms.
Authentication
Authentication verifies the legitimacy of a user's identity when the user attempts to access a network or a service.
For heterogeneous networks, the Remote Authentication Dial-In User Service (RADIUS), an open standard, is widely used for authentication.
Access Control
Access control is an enhanced form of authorization. There are two types of access control:
Security Protocol
Network security protocols are an important part of network security. The following describes widely used security protocols according to the TCP/IP layered model:
- Application layer security protocols
  They provide end-to-end protection for applications on hosts connected through networks. Application layer security mechanisms depend on the specific application: an application layer security protocol supplements a particular application protocol, so there is no general-purpose application layer security protocol.
- Transport layer security protocols
  They provide security services for processes on one or several hosts. Transport layer security mechanisms rely on the security of the Inter-Process Communication (IPC) interface and of the applications that use it.
  Providing security services at the transport layer means strengthening the IPC interface, such as the Berkeley Software Distribution (BSD) socket interface, with the following:
  – Mutual authentication of the two end entities
  – Exchange of data-encryption keys
  On this basis, Secure Socket Layer (SSL) was developed on top of a reliable transport service.
- Network layer security protocols
  Even if no security mechanism is implemented at the upper layers, network layer security protocols can still protect user information. IP security is the basis of the whole TCP/IP security and the core of Internet security.
  At present, the most important security protocol at the network layer is IP Security (IPSec). IPSec is a generic term for a suite of network security protocols, comprising the security protocols themselves and the key exchange protocol (IKE) that supports them.
  IPSec can provide the communicating parties with the following services:
  – Access control
  – Connectionless integrity
  – Data origin authentication
  – Anti-replay
  – Encryption (confidentiality)
  – Limited traffic-flow confidentiality
- Data link layer security protocols
  They provide point-to-point security services. Data link layer security mechanisms are implemented by dedicated devices that encrypt and decrypt at each end of a link.
In a security defense system, firewalls are usually the first line of defense against most of the
external attacks.
1.3.2 Development of Firewalls
Up to now, there have been three generations of firewalls: the first generation are packet-filtering firewalls, the second generation proxy firewalls, and the third generation stateful firewalls.
In practice, a single security defense technology can hardly establish a secure network system; the combined application of multiple technologies is what keeps security hazards to a minimum. Typically, the first step in implementing security defense is to construct a barrier, namely a firewall, between the internal network and external networks to defend against most external attacks.
The basic working principle of a packet-filtering firewall is that it filters packets based on the configured access control lists (ACLs). Specifically, the firewall matches header information such as the source and destination IP addresses, the source and destination port numbers, the IP protocol identifier, and the packet's direction against the ACL entries.
The first generation of firewalls features simple design, easy implementation, and low price. Its drawbacks are:
- As the complexity and length of ACLs increase, filtering performance degrades rapidly.
- Static ACL rules can hardly meet dynamic security demands.
- The packet-filtering mechanism neither checks session state nor analyzes data, so it cannot filter packets on application- or user-level information. Attackers can exploit this: for example, by spoofing a source IP address that the ACL treats as legitimate, an attacker's packets pass straight through the filter.
A proxy firewall provides more effective protection for networks and users because it completely controls the exchange of network information and the session process. Its drawbacks are:
- Low processing speed, because it is implemented in software, and susceptibility to DoS attacks
- Difficult to upgrade, because a protocol-specific application layer proxy is required for each service
A stateful firewall works as follows:
- The stateful firewall uses status tables to track active Transmission Control Protocol (TCP) sessions and User Datagram Protocol (UDP) pseudo-sessions. The ACLs determine which sessions may be set up; only packets belonging to a permitted session are forwarded.
NOTE
A UDP pseudo-session is a session process during which a virtual connection is set up to process UDP-based protocol packets and monitor the status of the UDP connection process.
- The stateful firewall captures packets at the network layer, extracts the state information required by the security policies (up to the application layer), and keeps it in dynamic status tables. By analyzing the status tables together with subsequent connection requests related to the packets, the firewall determines whether to forward the packets.
To external networks, a stateful firewall acts as a proxy system: all outward service requests appear to come from the same host.
To the internal network, a stateful firewall acts as a packet-filtering system: internal users appear to communicate directly with external networks.
Stateful firewalls have the following advantages:
- High speed
  A stateful firewall records the connection state while performing the ACL check on the first packet of a session. When subsequent packets of that session arrive, the firewall looks up the connection record in the status table instead of running another ACL check, and refreshes the record if the packets pass. Packets belonging to an established connection are therefore not re-evaluated against the ACL. Unlike ACL entries, which must be scanned in their fixed order, the records in the status table need not be ordered, so the firewall can look them up quickly with algorithms such as binary trees or hashing, which improves forwarding efficiency.
- Higher security
  Connection status tables are managed dynamically. When a session ends, the temporary entry that admitted its return packets is closed immediately, protecting the internal network in real time. Real-time connection status monitoring also lets a stateful firewall validate the connection-state elements in the status table, which further enhances security.
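The contrast drawn above between ACL-only packet filtering and stateful session tracking is easy to see in code. The following Python simulation is an added example written for this page; it is not Eudemon code and does not model the device's actual ACL syntax, session-table layout, or timeouts. The rules, addresses, and packets are constructed for the example: an outbound rule permitting HTTP from 10.110.1.0/24, one client/server exchange, and an unsolicited inbound packet that a static "permit replies" rule would have to admit but a session table rejects.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str    # "outbound" (Trust -> Untrust) or "inbound" (Untrust -> Trust)
    flags: str = ""   # TCP flags as letters, e.g. "S", "SA", "A", "FA"


@dataclass(frozen=True)
class AclRule:
    action: str                   # "permit" or "deny"
    direction: str                # "inbound", "outbound" or "any"
    proto: str = "any"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    dst_port: Optional[int] = None


def rule_matches(rule: AclRule, pkt: Packet) -> bool:
    """Match the packet's header fields against one ACL entry."""
    return (rule.direction in ("any", pkt.direction)
            and rule.proto in ("any", pkt.proto)
            and ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.src_net)
            and ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(rule.dst_net)
            and rule.dst_port in (None, pkt.dst_port))


def packet_filter(rules: List[AclRule], pkt: Packet) -> str:
    """First generation: every packet, return traffic included, is decided by the
    first matching static ACL entry; if nothing matches, deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Third generation: the ACL decides only which sessions may be set up; later
    packets of a permitted session are admitted from the status table without an
    ACL lookup, and the entry is removed as soon as the session ends."""

    def __init__(self, rules: List[AclRule]) -> None:
        self.rules = rules
        self.sessions: Dict[Tuple, int] = {}   # initiator-side 5-tuple -> packets seen

    @staticmethod
    def _key(pkt: Packet) -> Tuple:
        return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    @staticmethod
    def _reverse_key(pkt: Packet) -> Tuple:
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def process(self, pkt: Packet) -> str:
        for key in (self._key(pkt), self._reverse_key(pkt)):
            if key in self.sessions:              # existing session: no ACL check
                self.sessions[key] += 1
                if pkt.proto == "tcp" and ("F" in pkt.flags or "R" in pkt.flags):
                    del self.sessions[key]        # session over: close the return-path entry
                return "permit"
        # No session yet. Only a session-initiating packet may consult the ACL:
        # a bare SYN for TCP, or the first datagram for UDP (pseudo-session).
        initiates = pkt.proto == "udp" or (pkt.proto == "tcp" and pkt.flags == "S")
        if initiates and packet_filter(self.rules, pkt) == "permit":
            self.sessions[self._key(pkt)] = 1
            return "permit"
        return "deny"


# Constructed scenario: Trust hosts in 10.110.1.0/24 may open HTTP to anywhere.
RULES = [AclRule("permit", "outbound", "tcp", "10.110.1.0/24", "0.0.0.0/0", 80)]
# The packet-filter workaround for replies: a static inbound permit toward the inside.
RULES_WITH_RETURN = RULES + [AclRule("permit", "inbound", "tcp", "0.0.0.0/0", "10.110.1.0/24")]

CLIENT, SERVER = ("10.110.1.10", 40001), ("202.10.0.100", 80)
SYN = Packet("tcp", *CLIENT, *SERVER, "outbound", "S")
SYN_ACK = Packet("tcp", *SERVER, *CLIENT, "inbound", "SA")
FIN = Packet("tcp", *CLIENT, *SERVER, "outbound", "FA")
# Never requested by any inside host: what a spoofed or unsolicited packet looks like.
UNSOLICITED = Packet("tcp", *SERVER, "10.110.1.10", 40002, "inbound", "SA")


def compare() -> Dict[str, object]:
    """Run the same packets through both designs and return the decisions."""
    sf = StatefulFirewall(RULES)
    out: Dict[str, object] = {
        "pf_syn": packet_filter(RULES, SYN),                                  # permit
        "pf_syn_ack": packet_filter(RULES, SYN_ACK),                          # deny: no rule for replies
        "pf_fixed_syn_ack": packet_filter(RULES_WITH_RETURN, SYN_ACK),        # permit ...
        "pf_fixed_unsolicited": packet_filter(RULES_WITH_RETURN, UNSOLICITED),  # ... and so is this
        "sf_syn": sf.process(SYN),                                            # permit, session created
        "sf_syn_ack": sf.process(SYN_ACK),                                    # permit from status table
        "sf_unsolicited": sf.process(UNSOLICITED),                            # deny: no session, not a SYN
        "sessions_open": len(sf.sessions),                                    # 1
    }
    out["sf_fin"] = sf.process(FIN)                                           # permit, entry removed
    out["sessions_after_fin"] = len(sf.sessions)                              # 0
    return out


if __name__ == "__main__":
    for name, decision in compare().items():
        print(f"{name:22s} {decision}")
```

Running compare() shows the two designs disagreeing exactly where the text says they do: the packet filter must either drop the SYN-ACK (no static rule covers replies) or add an inbound permit that also admits the unsolicited packet, while the stateful firewall admits the SYN-ACK from its session table, rejects the unsolicited packet because no session exists and it is not a SYN, and removes the entry as soon as the FIN is seen.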
Working Mode
The Eudemon supports the following working modes:
- Route mode
- Transparent mode
- Composite mode
Packet Filtering
The following describes the packet filtering of the Eudemon:
NAT
The following describes the NAT of the Eudemon:
Attack Defense
The Eudemon supports the following attack defense:
- Defends against multiple Denial of Service (DoS) attacks, such as SYN Flood, ICMP Flood, UDP Flood, Fraggle, Smurf, WinNuke, IP spoofing, ICMP redirect and ICMP unreachable packets, and Land.
- Defends against scanning and snooping attacks, such as address sweeping, port scanning, the IP source routing option, the IP record route option, ICMP snooping packets, and the timestamp option.
- Defends against malformed packet attacks, such as TCP flag attacks, IP fragment attacks, ping of death, and teardrop.
- Defends against ARP attacks, such as ARP spoofing and ARP flooding.
TSM Cooperation
The Eudemon can cooperate with TSM terminal security management systems to control users'
access to networks.
Traffic Monitoring
The following describes the traffic monitoring of the Eudemon:
- Supports limiting the connection rate and the number of connections by source IP address, destination IP address, and the inbound and outbound directions of a zone.
- Supports Committed Access Rate (CAR).
- Supports real-time traffic statistics and attack packet statistics.
- Supports global statistics on IP packets and bandwidth management based on IP packet type.
- Supports P2P traffic limiting.
- Supports IM traffic blocking.
IP Service
The Eudemon provides the following IP services:
- IP
- ICMP
- Tracert
- UDP
- TCP
- Socket
- Address Resolution Protocol (ARP)
- Ping
- Dynamic Host Configuration Protocol (DHCP) Relay, DHCP Client, DHCP Server
Routing Protocol
The Eudemon supports the following routing features:
- Static routing
- Dynamic routing such as RIP and OSPF
- Policy-based routing
- Route iteration, route policy, and route management
AAA
The following describes the AAA service application of the Eudemon:
- Supports AAA, Remote Authentication Dial In User Service (RADIUS), and Huawei Terminal Access Controller Access Control System (HWTACACS).
- Supports AAA domains.
- Supports local user management.
VPN
The following describes the VPN service application of the Eudemon:
QoS
The following describes the QoS service application of the Eudemon:
IPS Function
With the Intrusion Prevention System (IPS) function, the Eudemon inspects both the quintuple (source address, source port number, destination address, destination port number, and protocol type) and the payload of the application layer data. Thus, various vulnerability exploits can be prevented, such as worms, Trojans, Denial of Service (DoS) attacks, and code attacks.
The IPS rule file of the Eudemon stores the signatures of known network attacks. The Eudemon uses the IPS rule file to detect intrusions and protect the internal network. The IPS rule file is developed, maintained, and periodically updated by Huawei; the latest version carries the latest signatures.
To reduce the impact of entertainment applications, the Eudemon provides a surfing behavior management function that controls enterprise users' use of QQ, MSN, peer-to-peer (P2P) traffic, stock-trading, and game applications.
Email Filtering
The email filtering function detects emails transferred through SMTP and identifies whether
they should be filtered or not. The Eudemon supports email filtering through the Real-time
Blackhole List (RBL).
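The RBL check above works by a DNS lookup keyed on the connecting SMTP client's address. The following Python functions are an added example, not Eudemon code and not the code of any real blocklist operator; the zone name rbl.example.net, the resolver stand-ins, and the return codes are constructed for illustration. The example also carries the caveat a practitioner wants: a listing is an answer inside 127.0.0.0/8, and any other answer is treated as "not listed", so a retired zone that starts answering every query cannot turn the filter into a blanket reject.

```python
import ipaddress
from typing import Callable, Dict, Optional

RBL_ZONE = "rbl.example.net"                            # hypothetical list zone (assumption)
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")     # conventional DNSBL answer range
# Peers that should never be looked up: RFC 1918 space and loopback.
SKIP_NETS = [ipaddress.IPv4Network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

Resolver = Callable[[str], Optional[str]]   # name -> A record, or None for NXDOMAIN


def rbl_query_name(client_ip: str, zone: str = RBL_ZONE) -> str:
    """Build the name an RBL is queried for: the connecting SMTP client's IPv4
    octets reversed, under the list zone. 192.0.2.99 -> 99.2.0.192.rbl.example.net"""
    ip = ipaddress.IPv4Address(client_ip)   # raises ValueError for anything that is not IPv4
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def is_listed(client_ip: str, resolve: Resolver, zone: str = RBL_ZONE) -> bool:
    """Query the list through the supplied resolver and interpret the answer."""
    addr = ipaddress.IPv4Address(client_ip)
    if any(addr in net for net in SKIP_NETS):
        return False                        # internal peers are never subject to the RBL
    answer = resolve(rbl_query_name(client_ip, zone))
    # Only an answer in 127.0.0.0/8 is a listing; a wildcard or a withdrawn zone
    # answering with some other address must not be read as "listed".
    return answer is not None and ipaddress.IPv4Address(answer) in LISTED_RANGE


def smtp_connect_policy(client_ip: str, resolve: Resolver) -> str:
    """Decision taken when the SMTP client connects, before DATA. The check is on
    the peer IP address, not on anything the sender writes in the message headers."""
    return "reject" if is_listed(client_ip, resolve) else "accept"


# Constructed stand-in for a DNS resolver; a real deployment issues an A query
# for the name and returns the answer (or None on NXDOMAIN).
_FAKE_ZONE: Dict[str, str] = {
    "99.2.0.192." + RBL_ZONE: "127.0.0.2",    # listed (return codes are list-specific)
    "10.2.0.192." + RBL_ZONE: "127.0.0.4",    # listed
}


def fake_resolve(name: str) -> Optional[str]:
    return _FAKE_ZONE.get(name)


def broken_resolve(name: str) -> Optional[str]:
    """Simulates a withdrawn list whose zone now answers every query with a
    public address: the filter must keep accepting mail."""
    return "203.0.113.1"


if __name__ == "__main__":
    for peer in ("192.0.2.99", "192.0.2.11", "10.1.1.1"):
        print(peer, rbl_query_name(peer), smtp_connect_policy(peer, fake_resolve))
```

A real deployment would swap fake_resolve for a DNS A-record lookup of the reversed name against the list zone; everything else, including the 127.0.0.0/8 check and the skip list for internal peers, stays the same.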
Terminal Service
The following describes the terminal service of the Eudemon:
Reliability
The following describes the reliability of the Eudemon:
System Management
The following describes the system management of the Eudemon:
- Supports the Simple Network Management Protocol (SNMP) v1, v2c, and v3.
- Supports private data file management.
- Supports private MIB management.
Alarm Management
The following describes the alarm management of the Eudemon:
Before introducing the specific features of the Eudemon, this chapter describes the working modes and security zones of the Eudemon.
2.1 Working Mode
This section describes the working modes of the Eudemon and the working process in each mode.
2.2 Security Zone
This section describes the concept and division of security zones, the relationships between security zones and interfaces and between security zones and networks, and the definition of the inbound and outbound directions of data streams between security zones.
Route Mode
When the Eudemon connects to external networks at the network layer (its interfaces are configured with IP addresses), it works in route mode.
When the Eudemon is deployed between an internal network and an external network, the interfaces connecting to the internal network and to the external network must be configured with IP addresses in different segments, and the network topology must be replanned. The Eudemon performs the routing function between the internal and external networks; that is, it functions as a router.
As shown in Figure 2-1, the Eudemon connects to the internal network through an interface assigned to the Trust zone and to the external network through an interface assigned to the Untrust zone. The two interfaces belong to different subnets.
[Figure 2-1 Eudemon in route mode: the Trust-zone interface faces the internal network and its servers, the Untrust-zone interface faces the router to the external network; addresses shown are 10.110.1.254/24 on the Trust side and 202.10.0.1/24 on the Untrust side.]
In route mode, the Eudemon can implement functions such as ACL packet filtering, ASPF dynamic filtering, and NAT. Configuring the Eudemon in route mode, however, requires changes to the existing network topology: internal users must change their gateway settings, and the route configuration of the router must be changed as well. Because reconstructing a network is time- and resource-consuming, weigh the advantages and disadvantages before selecting this mode.
Transparent Mode
When the Eudemon connects to external networks at the data link layer (its interfaces are not configured with IP addresses), it works in transparent mode. Running the Eudemon in transparent mode saves you the trouble of changing the network topology.
To adopt transparent mode, you only need to insert the Eudemon into the network as you would a bridge, without changing any existing configuration. As in route mode, the Eudemon checks and filters IP packets, protecting internal users against threats.
(Diagram: the Eudemon in transparent mode between two routers, 202.10.0.2/24 on the internal-network side and 202.10.0.1/24 on the external-network side; the Trust-zone interface faces the internal network and its server, the Untrust-zone interface the external network and its server.)
In transparent mode, the Eudemon can perform packet forwarding only. The two connected
networks must be in the same network segment. The Eudemon is connected with the internal
network through an interface in the Trust zone, and connected with the external network through
an interface in the Untrust zone.
Note that the internal network and external network should be in the same subnet.
Composite Mode
In the scenario where some interfaces of the Eudemon are configured with IP addresses while
others are not, the Eudemon works in composite mode.
Typically, the composite mode is applied when you require dual-system hot backup based on
the transparent mode. In this case, you need to configure an IP address for the interface on which
VRRP is enabled. It is not necessary to configure IP addresses for the other interfaces.
(Diagram: composite mode with a master Eudemon and a backup Eudemon running VRRP between the internal network, with PCs and a server in the Trust zone, and the external network, with a server in the Untrust zone; both networks are in 202.10.0.0/24.)
The master and backup Eudemon are connected with the internal network through interfaces of
the Trust zone, and connected with the external network through interfaces of the Untrust zone.
In addition, the master and backup Eudemons perform hot standby through VRRP.
Note that the internal network and the external network must reside in the same subnet.
The working process in transparent mode has several phases, which are described in the
following sections:
l Obtaining an Address Table
l Forwarding or Filtering a Frame
(Diagram: workstations A, 00e0.fcaa.aaaa, and B, 00e0.fcbb.bbbb, on Ethernet segment 1, attached to interface 1 of the Eudemon; workstations C, 00e0.fccc.cccc, and D, 00e0.fcdd.dddd, on Ethernet segment 2, attached to interface 2. The frame from A carries destination address 00e0.fcbb.bbbb and source address 00e0.fcaa.aaaa.)
Workstations A, B, C, and D reside in two LANs. Ethernet segments 1 and 2 are respectively
connected with interfaces 1 and 2 on the Eudemon. For example, when workstation A sends
an Ethernet frame to workstation B, both the transparent Eudemon and workstation B
receive the frame.
2. Reversely learn the relationship between the MAC address of workstation A and the
interface.
After receiving the Ethernet frame, the transparent Eudemon knows that workstation A is
connected to interface 1 on the Eudemon because interface 1 receives the frame. Then
the Eudemon adds the relationship between the MAC address of workstation A and
interface 1 to the MAC address table. Figure 2-5 shows the process.
Figure 2-5 Reversely learning the relationship between the MAC address of workstation
A and the interface
(Diagram: the frame from workstation A to workstation B, destination 00e0.fcbb.bbbb, source 00e0.fcaa.aaaa, arrives on interface 1; workstations C and D stay on interface 2, Ethernet segment 2.)
3. Reversely learn the relationship between the MAC address of workstation B and the
interface.
After workstation B responds to the Ethernet frame from workstation A, the transparent
Eudemon can detect the response Ethernet frame of workstation B. The transparent
Eudemon knows that it is connected with workstation B through interface 1, because
interface 1 receives the frame. Then the Eudemon adds the relationship between the MAC
address of workstation B and interface 1 to the MAC address table. Figure 2-6 shows the
process.
Figure 2-6 Reversely learning the relationship between the MAC address of workstation
B and the interface
(Diagram: the response frame from workstation B to workstation A, destination 00e0.fcaa.aaaa, source 00e0.fcbb.bbbb, also arrives on interface 1.)
The reverse learning process continues until the transparent Eudemon has obtained all the
relationships between MAC addresses and interfaces.
Figure 2-7 Forwarding the frame after successfully obtaining corresponding information
from the address table
(Diagram: workstation A, 00e0.fcaa.aaaa, and workstation B, 00e0.fcbb.bbbb.)
If the transparent Eudemon receives a broadcast frame or multicast frame from an interface,
it forwards the frame to the other interfaces.
l When the transparent Eudemon successfully obtains corresponding information from the
address table, it does not forward the frame.
If workstation A sends an Ethernet frame to workstation B, the Eudemon does not forward
the frame but filters it, because workstations B and A reside in the same physical
network segment. Figure 2-8 shows the process.
Figure 2-8 Filtering frames after successfully obtaining corresponding information from
the address table
(Diagram: a frame from workstation A to workstation B, source 00e0.fcaa.aaaa, destination 00e0.fcbb.bbbb, both on the same segment.)
l When the transparent Eudemon fails to obtain corresponding information from the address
table, it forwards the frame.
When workstation A sends an Ethernet frame to workstation C and the Eudemon does not
obtain the relationship between the MAC address of workstation C and the interface from
the address table, the Eudemon forwards this frame to all the other interfaces but the source
interface of the frame. In this case, the Eudemon acts as a hub, ensuring the continuous
transfer of the frame. Figure 2-9 shows the process.
Figure 2-9 Forwarding the frame after failing to obtain corresponding information from
the address table
(Diagram: a frame from workstation A to workstation C, source 00e0.fcaa.aaaa, destination 00e0.fccc.cccc; workstation C is on Ethernet segment 2.)
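The learning and forwarding process above, modelled as an added example in Python (not code from the Huawei document): the address table is filled by reverse learning from the receiving interface, a known destination on another interface is forwarded, a known destination on the receiving interface is filtered, and broadcast, multicast or unknown destinations are flooded to the other interfaces. The interface names, the class name and the return-value convention are this example's own assumptions.

```python
BROADCAST = "ffff.ffff.ffff"


def is_group_address(mac):
    """True for broadcast/multicast: the group bit (lowest bit of the first octet) is set.
    MAC addresses use the dotted form of the page, e.g. 00e0.fcaa.aaaa."""
    first_octet = int(mac.split(".")[0][:2], 16)
    return bool(first_octet & 0x01)


class TransparentEudemon:
    """Model of a Eudemon in transparent mode with a MAC address table (example only)."""

    def __init__(self, interfaces):
        self.interfaces = list(interfaces)
        self.address_table = {}   # MAC address -> interface it was learned on

    def handle_frame(self, in_iface, src, dst):
        """Learn the source MAC, then decide what happens to the frame.

        Returns (action, interfaces):
          ("flood", [...])   group address or unknown destination: every interface but the receiving one
          ("filter", [])     destination known on the receiving interface: same segment, dropped
          ("forward", [x])   destination known on another interface
        """
        # Reverse learning (steps 2 and 3 on the page): record the receiving
        # interface for the source MAC. A later frame from another interface overwrites it.
        self.address_table[src] = in_iface
        other_ifaces = [i for i in self.interfaces if i != in_iface]
        if is_group_address(dst):
            return ("flood", other_ifaces)
        learned_iface = self.address_table.get(dst)
        if learned_iface is None:
            # No entry yet: behave like a hub so the frame still reaches its destination
            return ("flood", other_ifaces)
        if learned_iface == in_iface:
            # The destination already received the frame on the shared segment
            return ("filter", [])
        return ("forward", [learned_iface])


def walkthrough():
    """Constructed sequence with the page's workstations: A and B on interface 1, C and D on interface 2."""
    fw = TransparentEudemon(["interface 1", "interface 2"])
    frames = [
        ("interface 1", "00e0.fcaa.aaaa", "00e0.fcbb.bbbb"),  # A -> B, B not learned yet
        ("interface 1", "00e0.fcbb.bbbb", "00e0.fcaa.aaaa"),  # B -> A, A known on interface 1
        ("interface 1", "00e0.fcaa.aaaa", "00e0.fcbb.bbbb"),  # A -> B again, now filtered
        ("interface 1", "00e0.fcaa.aaaa", "00e0.fccc.cccc"),  # A -> C, C not learned yet
        ("interface 2", "00e0.fccc.cccc", "00e0.fcaa.aaaa"),  # C -> A, forwarded to interface 1
        ("interface 1", "00e0.fcaa.aaaa", BROADCAST),          # broadcast from A
    ]
    return [fw.handle_frame(*f) for f in frames], fw.address_table


if __name__ == "__main__":
    for result in walkthrough()[0]:
        print(result)
```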
l The security level is denoted by an integer in the range of 1 to 100. The greater the number,
the higher the security level.
l The security level of each zone is unique.
The security rule check function is triggered only when data is transmitted between zones
(including interfaces) of different security levels. When data flows between different interfaces
of the same security zone, no check is triggered.
NOTE
l DMZ refers to an intermediate zone between a severely controlled military zone and an open public
zone.
l For the Eudemon, DMZ indicates a zone that is isolated from internal networks and external networks
both logically and physically. Devices such as a WWW server and FTP server are usually deployed in
this zone to provide external services.
l If the preceding servers are deployed on external networks, the Eudemon can hardly ensure their
security; if they are deployed on the internal network, malicious users may exploit the vulnerability of
certain services to attack the internal network. The introduction of DMZ successfully solves this
dilemma.
CAUTION
The security level of a zone should be unique. Thus, one interface cannot belong to two
security zones.
(Diagram: security zones of the Eudemon. The internal network connects on Eth0/0/0 in the Trust zone, the external network on Eth1/0/0 in the Untrust zone, servers sit in the DMZ, and the Local zone and interface VT0 are also shown. Arrows mark the inbound and outbound directions between the zones.)
same interzone. The direction of the data stream determines which security check policy is
triggered.
For the Eudemon, the transmission direction of data is determined by the higher security zone.
The directions of data streams are as follows:
l From the Local zone to the Trust zone is the outbound direction, while from the Trust zone to
the Local zone is the inbound direction.
l From the Local zone to the DMZ is the outbound direction, while from the DMZ to the Local
zone is the inbound direction.
l From the Local zone to the Untrust zone is the outbound direction, while from the Untrust zone
to the Local zone is the inbound direction.
l From the Trust zone to the DMZ is the outbound direction, while from the DMZ to the
Trust zone is the inbound direction.
l From the Trust zone to the Untrust zone is the outbound direction, while from the Untrust zone
to the Trust zone is the inbound direction.
l From the DMZ to the Untrust zone is the outbound direction, while from the Untrust zone to
the DMZ is the inbound direction.
NOTE
l If you allow users in a high-security zone to access external networks, you can configure a default
interzone packet-filtering rule for the Eudemon, allowing packets to travel from a high-level security
zone to a low-level security zone.
l For a router, the transmission direction of data is determined by the interface. Data streams sent from
an interface are called outbound data streams, while data streams received by an interface are called
inbound data streams. That is another important difference between a router and a firewall.
3 Security Features
The Eudemon supports security features such as ACL, security policies, NAT, authentication,
and authorization.
3.1 ACL
This describes the definition, applications, settings, and steps of ACLs on the Eudemon.
3.2 Security Policy
The Eudemon supports various security policies, including packet filtering, attack defense,
ASPF, and Blacklist.
3.3 NAT
NAT is mainly used to help internal network users (private IP addresses) to access external
networks (public IP addresses), and provides the internal server function.
3.4 Authentication and Authorization
The Eudemon delivers the authentication and authorization functions to enable centralized
management of network security. The Eudemon supports local authentication, standard Remote
Authentication Dial-In User Service (RADIUS) authentication, Huawei RADIUS+
authentication, Huawei Terminal Access Controller Access Control System (HWTACACS)
authentication, and local user management. It can authenticate users and grant permissions to
legitimate users, preventing access by unauthorized users.
3.5 P2P Traffic Limiting
Peer to Peer (P2P) protocols are widely used in downloading on the network. The constant
increase of P2P traffic affects normal operation of other network applications and increases the
costs of network operation, especially for enterprises and operators who are charged by traffic.
To address this problem, the Eudemon is designed with the P2P traffic limiting function.
3.6 IP-CAR
IP-CAR limits IP bandwidths and the number of IP connections.
3.7 TSM Cooperation
As a Security Access Control Gateway (SACG), the Eudemon cooperates with the TSM terminal
security management system to control terminal users' access to networks based on specific
classification of these users.
3.8 SLB
In the current network application, especially in Internet Data Center (IDC) and websites, the
processing capability of a single server has become the bottleneck of the network. The
Eudemon can solve the above problems through Server Load Balancing (SLB).
3.1 ACL
This describes the definition, applications, settings, and steps of ACLs on the Eudemon.
3.1.1 ACL Definition
An Access Control List (ACL) includes a series of ordered rules consisting of the permit or
deny statements. The rules are described mainly by source address, destination address, port
number, upper layer protocol, or other information.
3.1.2 ACL Application
ACLs can be used in other services or applications such as packet filtering, NAT, IP Security
(IPSec), QoS, and routing policy.
3.1.3 ACLs on the Eudemon
The Eudemon provides multiple types of ACLs and supports such ACL applications as time
range–based ACL applications.
3.1.4 ACL Step
Step is introduced to help users insert new rules between the sub-rules in the current ACL rule
group. Step means the difference between IDs automatically allocated to each sub-rule in the
ACL rule group.
Packet Filtering
Packet filtering, as a network protection mechanism, is used to control the inbound and outbound
data between networks of different security levels.
1. The Eudemon checks the packets received on the interfaces and extracts such information
as source/destination IP addresses, source/destination port numbers, and types of upper
layer protocols.
2. The Eudemon checks the extracted information against the filtering rules set for the
interface and then forwards or discards the corresponding packets based on the result of
the check.
To filter data packets, you need to configure a series of filtering rules. You can use ACLs to
define packet-filtering rules, and then apply ACLs to interzones of the Eudemon to filter packets
based on ACLs.
NAT
NAT translates an IP address contained in a packet header into another IP address. NAT is mainly
used to help internal networks (private IP addresses) to access external networks (public IP
addresses).
In actual practice, you may intend to allow only certain internal hosts (with private IP addresses)
to access the Internet (external networks). In this case, you can associate ACLs with the NAT address
pool to realize access control. With this association, only packets matching the ACL have their IP
addresses translated, which effectively controls the scope of NAT use.
IPSec
The IPSec protocol suite is a series of protocols defined by Internet Engineering Task Force
(IETF). With encryption and data source authentication mechanism on the IP layer, IPSec
ensures the privacy, integrity, and authenticity of packets transmitted between the two
communicating nodes on Internet.
IPSec can provide different security protection measures for data streams. For example, IPSec
can adopt different security protocols, algorithms, and keys to protect different data streams. In
actual practice, a data stream is defined first by ACLs. Namely, traffic matching the same ACL
is logically regarded as one data stream. By referencing the ACL in the security policy, IPSec
ensures that the specified data streams are protected.
QoS
QoS is used to evaluate the collective effect of service performances which determine the degree
of satisfaction of a user of the service. An effective way to ensure QoS on Internet is to improve
traffic control and resource allocation on the IP layer so as to provide differentiated services.
Traffic classification is the premise and basis for providing differentiated services. In practice,
you need to do as follows:
1. Define traffic classification policies (rules).
Traffic classification rules are used to identify traffic with different priorities based on ToS
fields or define traffic classification policies based on ACLs. For example, you can classify
traffic based on the following information:
l Source address
l Destination address
l MAC address
l IP protocol
l Port number of application programs
2. Apply traffic classification policies or ACLs in traffic monitoring, traffic shaping,
congestion management, and congestion mitigation.
Routing Policy
A routing policy refers to a policy used during the process of sending and receiving routing
information. A routing policy filters routing information.
A routing policy has several ways to filter routes. ACLs, as an important filter, are widely used.
You can use ACLs to specify an IP address or subnet range as the destination address or the next
hop address of the matched route.
ACL Classification
Table 3-1 shows the types of ACLs that the Eudemon supports.
When matching a packet against the ACL rules, you need to set the ACL match order. The
Eudemon matches the ACL rules in the following orders:
any means that all packets meet the match condition. Namely, any = 0.0.0.0 255.255.255.255.
An ACL rule defined with address sets and port sets is applied as the equivalent set of traditional
rules, all with the same priority. The number of rules in that equivalent set is calculated as follows:
The number of rule elements with the same priority = the number of elements in address
set 1 x the number of elements in address set 2 x the number of elements in port set 1 x the
number of elements in port set 2.
For example, configure two address sets and one port set, each containing two elements, and
apply them in ACL 3000.
<Eudemon> system-view
[Eudemon] ip address-set a1
[Eudemon-address-set-a1] address 1 1.1.1.1 0
[Eudemon-address-set-a1] address 2 2.2.2.1 0
[Eudemon-address-set-a1] quit
[Eudemon] ip address-set a2
[Eudemon-address-set-a2] address 1 3.3.3.1 0
[Eudemon-address-set-a2] address 2 4.4.4.1 0
[Eudemon-address-set-a2] quit
[Eudemon] ip port-set p1 protocol tcp
[Eudemon-tcp-port-set-p1] port 1 eq 21
[Eudemon-tcp-port-set-p1] port 2 eq 22
[Eudemon-tcp-port-set-p1] quit
[Eudemon] acl 3000
[Eudemon-acl-adv-3000] rule permit tcp source address-set a1 destination address-set a2 destination-port port-set p1
The configuration effects of the above commands are the same as the following ACL rules:
[Eudemon] acl 3000
[Eudemon-acl-adv-3000] rule permit tcp source 1.1.1.1 0 destination 3.3.3.1 0 destination-port eq 21
[Eudemon-acl-adv-3000] rule permit tcp source 1.1.1.1 0 destination 3.3.3.1 0 destination-port eq 22
[Eudemon-acl-adv-3000] rule permit tcp source 1.1.1.1 0 destination 4.4.4.1 0 destination-port eq 21
[Eudemon-acl-adv-3000] rule permit tcp source 1.1.1.1 0 destination 4.4.4.1 0 destination-port eq 22
[Eudemon-acl-adv-3000] rule permit tcp source 2.2.2.1 0 destination 3.3.3.1 0 destination-port eq 21
[Eudemon-acl-adv-3000] rule permit tcp source 2.2.2.1 0 destination 3.3.3.1 0 destination-port eq 22
[Eudemon-acl-adv-3000] rule permit tcp source 2.2.2.1 0 destination 4.4.4.1 0 destination-port eq 21
[Eudemon-acl-adv-3000] rule permit tcp source 2.2.2.1 0 destination 4.4.4.1 0 destination-port eq 22
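The expansion above as an added example in Python (not code from the Huawei document): it builds the eight traditional rules from the page's two address sets and one port set, checks the count formula, and matches a packet directly against the set-based rule without expanding it. The function names and the (address, wildcard) tuple layout are this example's own.

```python
from itertools import product
from ipaddress import IPv4Address

# Address and port sets constructed from the page's ACL 3000 example.
# An entry is (address, wildcard) as typed on the CLI: "1.1.1.1 0" is the single host 1.1.1.1.
ADDRESS_SETS = {
    "a1": [("1.1.1.1", "0"), ("2.2.2.1", "0")],
    "a2": [("3.3.3.1", "0"), ("4.4.4.1", "0")],
}
PORT_SETS = {"p1": ("tcp", [21, 22])}


def _wildcard_bits(wildcard):
    """Accept the short form "0" as well as the dotted form such as 0.0.0.255."""
    return int(IPv4Address(wildcard)) if "." in wildcard else int(wildcard)


def address_matches(address, wildcard, packet_ip):
    """Wildcard semantics: a 1 bit means 'don't care'; wildcard 0 means exactly this host."""
    care = 0xFFFFFFFF ^ _wildcard_bits(wildcard)
    return (int(IPv4Address(address)) & care) == (int(IPv4Address(packet_ip)) & care)


def expand_rule(proto, src_set, dst_set, dst_port_set):
    """Enumerate the traditional rules that one set-based rule stands for.
    They all carry the same priority; the order follows the combination of the sets."""
    rules = []
    ports = PORT_SETS[dst_port_set][1]
    for (s, sw), (d, dw), port in product(ADDRESS_SETS[src_set], ADDRESS_SETS[dst_set], ports):
        rules.append(
            f"rule permit {proto} source {s} {sw} destination {d} {dw} destination-port eq {port}"
        )
    return rules


def expanded_rule_count(*set_sizes):
    """The page's formula: the product of the element counts of every set used in the rule."""
    count = 1
    for size in set_sizes:
        count *= size
    return count


def packet_permitted(proto, src_ip, dst_ip, dst_port, src_set="a1", dst_set="a2", dst_port_set="p1"):
    """Match a packet against the set-based rule directly; equivalent to walking the expansion."""
    set_proto, ports = PORT_SETS[dst_port_set]
    return (proto == set_proto
            and any(address_matches(a, w, src_ip) for a, w in ADDRESS_SETS[src_set])
            and any(address_matches(a, w, dst_ip) for a, w in ADDRESS_SETS[dst_set])
            and dst_port in ports)


if __name__ == "__main__":
    for line in expand_rule("tcp", "a1", "a2", "p1"):
        print(line)
```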
For example, suppose that the step is set to 2, then the IDs of rules should be multiples of 2
beginning with 2, namely, 2, 4, 6 and so on. By default, the step of the ACL rule group is 5.
The step for an ACL rule group is set before the subrules. After the subrules are set, to change
the step, delete all the subrules and then reset the step.
Setting step is helpful for inserting new rules between subrules. For example, there are four rules,
and their subrule numbers are 5, 10, 15, and 20. To insert a rule after the first rule, you can use
the rule 6 xxxx command to insert a subrule numbered 6 between 5 and 10.
NOTE
l The value of the step affects the maintenance of the subrules in the ACL rule group. If the value is
too small, few subrules can be inserted; a subrule cannot be inserted when no number is available
for it. You are therefore advised to use the default step or a larger step. The range of the step
is from 1 to 20.
l If a step is set, you need to delete the existing rules before using the step command or the undo step
command to change the step setting or restore the default step setting.
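The step mechanism described above as an added example in Python (not code from the Huawei document): automatic subrule IDs are multiples of the step, a rule can be inserted with an explicit ID between two existing ones, and the step can only be changed once all subrules are deleted. The class and method names are this example's own; the assumption that the next automatic ID is the first multiple of the step above the highest existing ID reproduces the page's 5, 10, 15, 20 sequence.

```python
class AclRuleGroup:
    """Model of subrule numbering in one ACL rule group (example only)."""

    DEFAULT_STEP = 5

    def __init__(self, acl_number, step=DEFAULT_STEP):
        self.acl_number = acl_number
        self.rules = {}        # subrule ID -> rule text
        self.step = None
        self.set_step(step)

    def set_step(self, step=DEFAULT_STEP):
        """'step' / 'undo step': allowed only while the group holds no subrules."""
        if not 1 <= step <= 20:
            raise ValueError("step must be in the range 1 to 20")
        if self.rules:
            raise RuntimeError("delete all subrules before changing the step")
        self.step = step

    def add_rule(self, text, rule_id=None):
        """'rule [id] ...': use the given ID, or allocate the next multiple of the step
        above the highest existing ID (assumed allocation policy)."""
        if rule_id is None:
            highest = max(self.rules, default=0)
            rule_id = (highest // self.step + 1) * self.step
        if rule_id in self.rules:
            raise ValueError(f"subrule {rule_id} already exists")
        self.rules[rule_id] = text
        return rule_id

    def delete_all(self):
        self.rules.clear()

    def free_ids_between(self, after_id, before_id):
        """IDs still available for inserting a subrule between two existing ones."""
        return [i for i in range(after_id + 1, before_id) if i not in self.rules]

    def ordered(self):
        """Subrules in the order they are matched (ascending ID)."""
        return sorted(self.rules.items())


if __name__ == "__main__":
    group = AclRuleGroup(3001)                       # default step 5 -> IDs 5, 10, 15, 20
    for n in range(4):
        group.add_rule(f"permit rule {n}")
    group.add_rule("inserted rule", rule_id=6)       # 'rule 6 xxxx' lands between 5 and 10
    print(group.ordered())
```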
ACK messages to itself, which responds with ACK messages and then creates a null
connection. Each null connection is reserved until it times out. Different attacked targets
present different responses to Land attacks. UNIX hosts crash while Windows NT hosts
are seriously slowed down.
l Smurf attacks
Simple Smurf attacks flood a network by sending ICMP requests to the broadcast address
of the target network. All the hosts on the network respond to the requests, and the response
traffic can amount to 10 or 100 times the traffic of large ping packets. Network congestion
thus occurs.
Advanced Smurf attacks are mainly used to attack a target host by changing the source
address of the ICMP packet to the address of the target host. That results in the breakdown
of the target host. It takes certain traffic and time to send attack packets before these packets
finally form an attack. Theoretically, the larger the number of the hosts is, the more obvious
the effect will be. Another new form of the Smurf attack is Fraggle attack.
l WinNuke attack
WinNuke attacks cause a NetBIOS fragment overlap by sending Out-Of-Band (OOB) data
packets to the NetBIOS port (139) of a specified target running the Windows
system. IGMP fragments are also used to launch an attack. Typically, IGMP packets are
not fragmented, so some systems do not handle IGMP fragments efficiently; once such
systems receive IGMP fragments, they are under attack.
l SYN Flood attacks
Since resources are limited, TCP/IP stacks permit only a certain number of TCP
connections. SYN Flood attacks exploit this by sending connection requests to the server
in SYN packets with forged or nonexistent source IP addresses. The server responds to each
request with a SYN-ACK packet but never receives the final ACK packet, which leaves
semi-connections. A large number of semi-connections exhausts the network resources, and
users cannot access these resources until the semi-connections time out. SYN Flood
attacks also take effect on applications whose number of connections is not limited, by
consuming system resources such as memory.
l ICMP and UDP Flood attacks
ICMP and UDP Flood attacks overload the target system with a large number of ICMP
messages (such as ping) and UDP packets in a short time. Thus, the target system is unable
to transmit valid packets.
l Address or port scanning attacks
Address or port scanning attacks use scanning tools to detect destination IP addresses and
ports. If a target system responds, attackers understand that the system is live. Then
attackers attempt to connect with live systems.
l Ping of Death attacks
The length field of an IP packet is 16 bits, which means that the maximum length of an
IP packet is 65535. Therefore, if the length of an ICMP request packet is greater than 65507,
the entire length of the ICMP packet (ICMP data + IP header 20 + ICMP header 8) exceeds
65535, which may cause some routers or systems to crash, hang, or reboot.
l ARP attacks
Common ARP attacks include ARP spoofing attacks and ARP Flood attacks.
– ARP spoofing attacks: The attacker sends a large number of spoofed ARP request and
response packets to attack network devices. ARP spoofing attacks mainly include ARP
buffer overflow attacks and ARP DDoS attacks.
– ARP Flood attacks (ARP scanning attacks): When the attacker scans hosts in its own
network segment or across network segments, the firewall checks the ARP entry before
sending the response message. If the MAC address of the destination IP address does
not exist, the ARP module of the firewall sends the ARP Miss message to the upper
layer software, asking the upper layer software to send an ARP request message to obtain
the MAC address. Massive scanning packets induce massive ARP Miss messages. As
a result, the firewall uses a lot of its resources to handle the ARP Miss messages and
thus cannot process other services properly. In this way, scanning attacks are launched.
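As an added example (not code from the Huawei document and not the Eudemon's attack-defense implementation), the following Python checks flag several of the patterns listed above in a batch of constructed packet records: Land, Smurf, Ping of Death, WinNuke and SYN Flood. The record fields, the broadcast address set and the half-open threshold are this example's own assumptions.

```python
from collections import Counter

MAX_IP_LENGTH = 65535      # 16-bit total length field of the IP header
IP_HEADER = 20
ICMP_HEADER = 8
HALF_OPEN_THRESHOLD = 3    # assumed for the example; a device would use a configurable rate


def check_packet(pkt, broadcast_addrs):
    """Return the names of the single-packet attack patterns this record matches."""
    hits = []
    tcp = pkt["proto"] == "tcp"
    icmp = pkt["proto"] == "icmp"
    # Land: source and destination address and port are identical, so the target answers itself
    if tcp and pkt["src"] == pkt["dst"] and pkt.get("sport") == pkt.get("dport"):
        hits.append("land")
    # Ping of Death: IP header + ICMP header + ICMP data exceeds the 16-bit length limit
    if icmp and IP_HEADER + ICMP_HEADER + pkt.get("icmp_data_len", 0) > MAX_IP_LENGTH:
        hits.append("ping_of_death")
    # Smurf: ICMP echo request aimed at a network broadcast address
    if icmp and pkt.get("icmp_type") == "echo-request" and pkt["dst"] in broadcast_addrs:
        hits.append("smurf")
    # WinNuke: out-of-band (URG) data sent to the NetBIOS session port 139
    if tcp and pkt.get("dport") == 139 and pkt.get("urg", False):
        hits.append("winnuke")
    return hits


def syn_flood_targets(pkts, threshold=HALF_OPEN_THRESHOLD):
    """Destinations holding more unanswered SYNs (semi-connections) than the threshold.
    A semi-connection is cleared when an ACK arrives on the same 4-tuple."""
    pending = {}   # (src, sport, dst, dport) -> destination address
    for p in pkts:
        if p["proto"] != "tcp":
            continue
        key = (p["src"], p.get("sport"), p["dst"], p.get("dport"))
        if p.get("flags") == "SYN":
            pending[key] = p["dst"]
        elif p.get("flags") == "ACK":
            pending.pop(key, None)
    per_target = Counter(pending.values())
    return sorted(dst for dst, n in per_target.items() if n > threshold)


def analyze(pkts, broadcast_addrs):
    return {
        "per_packet": [check_packet(p, broadcast_addrs) for p in pkts],
        "syn_flood_targets": syn_flood_targets(pkts),
    }


# Constructed packet records for the example (not captured traffic).
BROADCAST_ADDRS = {"10.0.0.255"}
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 139, "dst": "10.0.0.5", "dport": 139, "flags": "SYN"},
    {"proto": "icmp", "src": "10.0.0.9", "dst": "10.0.0.255", "icmp_type": "echo-request", "icmp_data_len": 56},
    {"proto": "icmp", "src": "10.0.0.9", "dst": "10.0.0.20", "icmp_type": "echo-request", "icmp_data_len": 65510},
    {"proto": "tcp", "src": "10.0.0.7", "sport": 40000, "dst": "10.0.0.20", "dport": 139, "flags": "PSH", "urg": True},
    # four SYNs from different forged sources that are never acknowledged
    *[{"proto": "tcp", "src": f"198.51.100.{i}", "sport": 1000 + i, "dst": "10.0.0.20", "dport": 80, "flags": "SYN"}
      for i in range(1, 5)],
    # a completed handshake from a legitimate client: its SYN is cleared by the ACK
    {"proto": "tcp", "src": "10.0.0.8", "sport": 5000, "dst": "10.0.0.20", "dport": 80, "flags": "SYN"},
    {"proto": "tcp", "src": "10.0.0.8", "sport": 5000, "dst": "10.0.0.20", "dport": 80, "flags": "ACK"},
]

if __name__ == "__main__":
    print(analyze(SAMPLE_PACKETS, BROADCAST_ADDRS))
```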
3.2.3 ASPF
The Eudemon delivers the application layer–based packet filtering function, namely, the
application specific packet filter (ASPF) function, such as TCP/UDP tunnel and state check.
Introduction to ASPF
Application Specific Packet Filter (ASPF) is a packet filtering mechanism based on the
application layer. ASPF is a state-based packet filter. It can cooperate with a common static
firewall to implement the security policies of an internal network. ASPF can detect the
application layer protocol sessions attempting to pass through the firewall and prevent
disqualified packets from passing through the firewall.
For the sake of network security, ACL-based packet filtering mechanism can detect packets on
the network layer and transmission layer to prevent intrusion. ASPF can detect application layer
protocols and monitor application traffic.
ASPF detects application layer protocols and defends against malicious attacks by maintaining
session status and checking session packet information such as protocols and port numbers.
The ASPF mechanism on the Eudemon can monitor the traffic of the following protocols:
l SQL.NET
l user-define
Triplet ASPF
The Eudemon is equivalent to a quintuple NAT device. In other words, the setup of each session
on the Eudemon requires five elements:
l Source IP address
l Source port
l Destination IP address
l Destination port
l Protocol number
To adapt to such communication mechanisms, the Eudemon is also designed to support
triplet processing. Therefore, packets of QQ and MSN can traverse the Eudemon successfully.
Besides QQ and MSN, to help other sessions like TFTP, which use the source IP address, the
source port, and the protocol number to traverse a NAT device, you also need to configure the
Eudemon with triplet ASPF.
3.2.4 Blacklist
Blacklist is one of the important security features of firewalls. The Eudemon can dynamically
add or delete blacklist entries.
Compared with ACL-based packet filter, blacklist filter features high speed and efficiency,
because a blacklist matches only IP addresses. Therefore, blacklist filter can quickly and
effectively shield users with specified IP addresses.
You can create blacklist entries in two ways:
l Through command lines
l Through attack defense modules, login authentication modules
When the Eudemon detects an attack attempt by checking the signature of packets from a
specific IP address, it automatically adds the IP address to the blacklist, thus
filtering packets sent from this IP address. This mechanism helps the Eudemon ensure
network security.
If a packet carries a bound source IP address but its MAC address is not the one specified
in the binding, the Eudemon drops the packet. Packets destined for a bound IP address
are forcibly sent to the MAC address associated with that IP address after passing through the
Eudemon. This mechanism helps the Eudemon effectively protect users.
Application layer protocols usually use common ports (standard ports) for communication. Port
identification allows you to define a group of application-specific new port numbers in addition
to the system-defined port numbers. Port identification provides certain mechanisms for
maintaining and applying user-defined port configurations.
The port identification function on the Eudemon supports two identification mechanisms:
3.3 NAT
NAT is mainly used to help internal network users (private IP addresses) to access external
networks (public IP addresses), and provides the internal server function.
3.3.1 Introduction to NAT
As defined by RFC 1631, Network Address Translation (NAT) is to translate the IP address
contained in an IP data packet header into another IP address. NAT is mainly used to help internal
network users (private IP addresses) to access external networks (public IP addresses).
In actual practice, private networks usually use private IP addresses. RFC 1918 defines three IP
address blocks for private and internal networks:
IP addresses of these three blocks are not assigned on the Internet. Therefore, they can be used in the
intranet of a company or enterprise without registration with an Internet Service Provider (ISP)
or registry.
NAT is mainly used to help private networks to access external networks. It helps slow down
the IP address space depletion by using several public IP addresses to represent multiple private
IP addresses.
A NAT server such as the Eudemon is deployed at the joint between a private network and a
public network. All interactive packets between an internal PC and an external server pass
through the NAT server.
1. When packet 1, sent by the internal PC at 192.168.1.3 to the external server at 202.120.10.2,
reaches the NAT server, the server checks the header of packet 1 and discovers that the packet
is destined for an external network.
2. The NAT server translates the source address 192.168.1.3 of packet 1 into a valid public
address, 202.169.10.1, that is routable on the Internet, forwards the packet (now packet 1') to
the external server, and records the address translation mapping in the NAT list.
3. After the external server receives packet 1', it sends a response packet to the internal PC,
that is, packet 2' with destination address 202.169.10.1.
4. After packet 2' reaches the NAT server, the NAT server checks its header, searches the
NAT list, replaces the destination address with 192.168.1.3, and then sends packet 2' to the
internal PC.
The preceding NAT transaction is transparent to PCs and external servers. The internal PC knows
of no transaction with the NAT server during the process of exchanging packets with an external
server. The external server determines that the IP address of the internal PC is 202.169.10.1 and
does not know the existence of 192.168.1.3.
This process translates between <private address + port> and <public address + port>.
When a data stream moves from one security zone to another, the Eudemon checks the packet
to determine whether to perform NAT. If necessary, the Eudemon performs NAT based on the
following principles:
l At the egress of the IP layer, the Eudemon translates the source address (private address)
of a packet into a public address and then sends the packet to the external network.
l At the ingress of the IP layer, the Eudemon translates the destination address (public
address) of the packet into a private address and then sends the packet to the internal
network.
to access the external network, the NAT server assigns another public address, namely, IP 2 to
it. In this case, NAT realizes many-to-many address translation.
NOTE
l Since not all internal hosts need to access the external network at the same time, the number of public
IP addresses on a NAT server is typically far less than the number of hosts in the intranet.
l The number of public IP addresses is determined according to the maximum number of intranet hosts
accessing the external network at peak time.
In actual practice, you may need to grant Internet access to only some internal hosts.
That is, you need to control address translation. For example, if the NAT process finds that a
source IP address is not allowed to access external networks, the NAT server does not perform
address translation.
The Eudemon realizes many-to-many NAT by defining an address pool. In addition, the
Eudemon can use ACLs to control address translation. The detail is as follows:
l Address pool
An address pool is a collection of public IP addresses used for NAT. You need to configure
an appropriate address pool by considering the following cases:
– The number of your valid IP addresses
– The number of your internal hosts
– Actual application requirements
The NAT server selects one IP address as the post-translated source IP address during the
process of address translation.
l ACL-based NAT
The Eudemon can use ACLs to control NAT.
The NAT server does not translate addresses unless the packets meet the requirements of
ACL rules. That can effectively control the use of address translation and enable only
specified hosts to access Internet.
(Figure 3-2, diagram: NAT with port translation. Internal addresses 192.168.1.1/24, 192.168.1.2/24 (server) and 192.168.1.3/24 (PC) in the Trust zone reach the Eudemon on Eth0/0/0; Eth1/0/0, 202.169.10.1/24, faces the Untrust zone and the external server 202.130.10.3/24. Data packet 3, source 192.168.1.1 and source port 11111, becomes data packet 3' with source 202.169.10.1 and source port 11111; data packet 4, source 192.168.1.2 and source port 11111, becomes data packet 4' with source 202.169.10.1 and source port 22222.)
As shown in Figure 3-2, four packets with internal addresses reach the NAT server, where:
l Packet 1 and packet 2 have the same internal address but different source port numbers.
l Packet 3 and packet 4 have different internal addresses but the same source port number.
After NAT mapping, all four packets have the same external address but different source port
numbers, so they can still be distinguished.
When the response packets reach the Eudemon, the NAT process can also differentiate them
based on their destination addresses and port numbers and then forward them to the correct
internal hosts.
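The mapping behaviour described for Figure 3-2, as an added example that is not part of the Huawei document or the Eudemon software: a minimal NAPT table keyed on the internal (address, port) pair, with the reverse lookup used for response packets. The addresses of packets 3 and 4 are the figure's; the ports of packets 1 and 2 and the rule for picking a substitute port (keep the host's port when free, otherwise the next free one) are assumptions.

```python
from collections import namedtuple

# One direction of a TCP/UDP session as seen by the NAT.
Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port")


class Napt:
    """Many-to-one NAPT: every internal (ip, port) pair gets its own port on the
    single public address, so replies can be returned to the right host even when
    two hosts chose the same source port (packets 3 and 4 in Figure 3-2)."""

    def __init__(self, public_ip, port_range=(1024, 65535)):
        self.public_ip = public_ip
        self.port_lo, self.port_hi = port_range
        self.outbound = {}   # (internal_ip, internal_port) -> public_port
        self.inbound = {}    # public_port -> (internal_ip, internal_port)

    def _alloc_port(self, wanted):
        # Assumption: keep the host's own port when free (packet 3 keeps 11111),
        # otherwise scan upward from it, wrapping around inside the range.
        span = self.port_hi - self.port_lo + 1
        start = wanted if self.port_lo <= wanted <= self.port_hi else self.port_lo
        for i in range(span):
            cand = self.port_lo + (start - self.port_lo + i) % span
            if cand not in self.inbound:
                return cand
        raise RuntimeError("public port pool exhausted")

    def translate_out(self, flow):
        """Internal -> external: rewrite the source address and port, creating
        the mapping on the first packet and reusing it afterwards."""
        key = (flow.src_ip, flow.src_port)
        if key not in self.outbound:
            port = self._alloc_port(flow.src_port)
            self.outbound[key] = port
            self.inbound[port] = key
        return flow._replace(src_ip=self.public_ip, src_port=self.outbound[key])

    def translate_in(self, flow):
        """External -> internal: rewrite the destination back to the host, or
        return None when no mapping exists (an unsolicited packet is dropped)."""
        if flow.dst_ip != self.public_ip or flow.dst_port not in self.inbound:
            return None
        ip, port = self.inbound[flow.dst_port]
        return flow._replace(dst_ip=ip, dst_port=port)


def figure_3_2_demo():
    """Run the four packets of Figure 3-2 through the NAT (constructed sample;
    the ports of packets 1 and 2 are not given on the page)."""
    nat = Napt("202.169.10.1")
    packets = [
        Flow("192.168.1.3", 1025, "202.130.10.3", 80),    # packet 1
        Flow("192.168.1.3", 1026, "202.130.10.3", 80),    # packet 2: same host, other port
        Flow("192.168.1.1", 11111, "202.130.10.3", 80),   # packet 3
        Flow("192.168.1.2", 11111, "202.130.10.3", 80),   # packet 4: other host, same port
    ]
    return nat, [nat.translate_out(p) for p in packets]
```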
Internal Server
NAT can shield internal hosts by hiding the architecture of the internal network. In actual
practice, however, you may need to allow external users to access internal hosts in some cases.
For example, you may provide a WWW server or FTP server to external users. NAT offers you
more flexibility in adding internal servers. The Eudemon provides two methods for you to
specify external addresses for internal servers.
For example:
l You can use 100.1.1.1 as the external address of the WWW server.
l You can use 100.1.1.3:8080 as the external address of the WWW server.
NAT on the Eudemon provides internal servers for external users to access. The Eudemon
performs as follows when external users access an internal server:
l The Eudemon translates the destination addresses contained in the request packets of
external users into private addresses of the internal server.
l The Eudemon translates the source addresses (private addresses) contained in the response
packets of internal servers into public addresses.
Moreover, the Eudemon can provide multiple servers of the same type to external users, such
as Web servers.
NOTE
The internal servers accessible for external users are usually deployed in the DMZ of the Eudemon.
Typically, devices in the DMZ are not allowed to actively initiate external connection requests.
Eudemon supports security zone-based internal servers. For example, you can configure multiple
public IP addresses for a security zone-based internal server. By correlating security zones of
different levels with different external network segments and configuring an internal server with
multiple public IP addresses respectively corresponding to the security zones of different levels,
you can enable a specific external network segment to access the internal server with its
corresponding public IP address pre-configured.
NAT ALG
CAUTION
l The Encapsulating Security Payload NAT (ESP NAT) function translates the addresses of
ESP packets. This function works only when there are ESP packets transmitted through a
tunnel.
l Different from the NAT of common packets, ESP NAT performs address translation based
on IP addresses and port numbers.
l ESP NAT is realized on a NAT device.
NAT and NAPT translate only the address in the IP packet header and the port number in the
TCP/UDP packet header. However, for some special protocols such as ICMP and FTP, the data
fields of the packets may include IP address or port information. Because this type of
information cannot be translated by the NAT server, problems may occur.
For example, an FTP server sends its internal IP address to an external host during the process
of establishing a session. Since address information is contained by the data part of an IP packet,
the NAT server cannot translate it. When the external host receives and uses the untranslated
private address, the FTP server is unreachable.
To solve the problem of NAT with special protocols, you can apply an Application Level
Gateway (ALG) during NAT. The ALG is a translation proxy for specific application protocols.
It interacts with NAT to change the relevant data encapsulated in the IP packet based on the
NAT state information, and performs the other processing needed for these application protocols
to work across NAT.
For example, the data part of a destination unreachable ICMP packet contains the header of
packet A which causes the error. Note that since the IP address of packet A has been translated
before the NAT sends it, the current source address is not the real address of the internal host.
If the ICMP ALG function is enabled, the ICMP ALG interacts with the NAT server to open
the ICMP packet before the NAT server forwards the packet. After the ICMP packet is opened,
the NAT server translates the address contained in the header of packet A into the accurate format
of the internal host address and forwards the ICMP packet after other necessary processes are
complete.
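The FTP case described above (the server announces its private address inside the data part of a packet), as an added example that is not part of the Huawei document or the Eudemon software: an ALG step that rewrites the h1,h2,h3,h4,p1,p2 field of a PASV reply or PORT command and reports the port binding the NAT must pre-install. Addresses, ports and the port allocator are constructed; a real ALG must also fix up TCP sequence numbers by the returned length delta, which this example only reports.

```python
import re

# The FTP address field: four IP octets and two port bytes, comma separated,
# used by the PORT command and the "227 Entering Passive Mode" reply.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """'192,168,1,2,39,17' -> ('192.168.1.2', 10001); None when no field is present."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    ip = ".".join(m.group(i) for i in range(1, 5))
    port = int(m.group(5)) * 256 + int(m.group(6))
    return ip, port


def encode_hostport(ip, port):
    """Inverse of decode_hostport: ('202.169.10.1', 20000) -> '202,169,10,1,78,32'."""
    return ",".join(ip.split(".")) + ",%d,%d" % (port // 256, port % 256)


def ftp_alg_rewrite(line, private_ip, public_ip, alloc_port):
    """Translate the embedded address when it is private_ip.

    Returns (new_line, binding, delta):
      binding = (public_port, private_port) that the NAT must install before the
                peer opens the data connection, so that it reaches the internal host;
      delta   = change in payload length; when non-zero the NAT has to adjust the
                TCP sequence/acknowledgement numbers of the control connection.
    """
    m = _HOSTPORT.search(line)
    if not m:
        return line, None, 0
    ip, port = decode_hostport(m.group(0))
    if ip != private_ip:
        return line, None, 0            # another host's address: leave untouched
    public_port = alloc_port(port)
    new_line = line[:m.start()] + encode_hostport(public_ip, public_port) + line[m.end():]
    return new_line, (public_port, port), len(new_line) - len(line)
```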
The Eudemon provides a perfect NAT ALG mechanism with good scalability, which can support
various special application protocols without modifying the NAT platform.
The Eudemon can implement the ALG function of the following common application protocols:
l DNS
l ESP
l FTP
l H.323
l HWCC
l ICMP
l ILS
l MGCP
l MMS
l MSN
l NetBIOS
l PPTP
l QQ
l RTSP
l SIP
l SQL.NET
l user-defined
Bi-directional NAT
The Eudemon supports outbound NAT that conceals private IP addresses of users in high-level
security zones or private IP addresses of accessed internal servers. Also, the Eudemon supports
NAT that conceals private IP addresses of users in low-level security zones and private IP
addresses of users when they access servers in the same security zone. The bi-directional NAT
can be used in the following two situations:
l To conceal IP addresses of users in low-level security zones when they access servers in
higher-level security zones, you need to configure inbound NAT.
l To conceal IP addresses of users when they access servers in the same security zone, you
need to configure NAT within a zone.
If the inbound NAT and the internal server function are both configured, or NAT within the zone
and the internal server function are both configured, the NAT is bi-directional.
As shown in Figure 3-3, when a user in the Untrust zone accesses the FTP server in the DMZ,
with the internal server configured, inbound NAT can also be configured to hide the actual IP
address of the user.
Figure 3-3 Inbound NAT combined with the internal server (diagram not reproduced): the FTP
server is in the DMZ, the user is in the Untrust zone, and the Eudemon sits between the two zones.
When users in the Untrust zone access the FTP server in the DMZ zone, the Eudemon carries
out NAT as follows:
l The Eudemon converts the destination address of the request packet from the external users
to the private IP address of the internal server. The Eudemon converts the source IP address
to the address in the address pool (private IP address).
l The Eudemon converts the source address (private IP address) of the response packets from
the internal server to the public IP address. The Eudemon converts the destination IP address
(private IP address) to the public IP address.
As shown in Figure 3-4, the FTP server and the PC are both in the Trust zone. All packets
exchanged between the PC and the FTP server are supposed to pass through the Eudemon so that
security checks such as attack detection can be performed on them. In this case, the internal
server and NAT (within one zone) both need to be configured.
Figure 3-4 NAT within a zone (diagram not reproduced): the PC and the FTP server are both in
the Trust zone and connect to the Eudemon through a LAN switch.
When users in the Trust zone access the server in the same zone, the Eudemon carries out NAT
as follows:
l The Eudemon converts the destination IP address of the request packet from the external
users to the private IP address of the internal server. The Eudemon converts the source IP
address to the public IP address in the address pool.
l The Eudemon converts the private source IP address of the response packet in the internal
server to the public IP address. The Eudemon converts the destination address (public IP
address) to the address of the public network.
Destination NAT
NOTE
You cannot configure the destination NAT function and the internal server function in the same security
zone.
At present, a large number of mobile terminal users use mobile phones that are purchased directly
abroad. The Wireless Application Protocol (WAP) gateway addresses set on these foreign
mobile phones do not match the local WAP gateway addresses, and users cannot modify these
settings by themselves. As a result, some users cannot use the mobile Internet access services.
To meet Internet access requirements of these users, you can configure the destination NAT on
the Eudemon which is between the WAP gateway and the mobile phones. When packets whose
destination address is the address of the WAP gateway of these mobile phones arrive at the
Eudemon, the Eudemon translates this destination address into the real address of the WAP
gateway according to ACL rules. Therefore, users of these mobile phones can access the WAP
gateway normally.
Figure 3-5 shows the networking diagram of destination NAT.
manage a large number of dispersed users who use the serial ports and modems for network
access in the earlier years. Now, the RADIUS protocol is widely applied to the Network Access
Server (NAS) system.
3.4.3 Introduction to HWTACACS Protocol
The HWTACACS protocol is an enhanced security protocol developed based on TACACS (RFC
1492). Similar to the RADIUS protocol, HWTACACS adopts the client/server mode to realize
multiple authentication and authorization functions. HWTACACS can be used for
authenticating, authorizing, and accounting PPP users, Virtual Private Dial Network (VPDN)
access users, and login users.
3.4.4 Introduction to Domain
The Eudemon manages users by domains. In a domain, you can configure the default
authorization, RADIUS or HWTACACS templates, and authentication and accounting schemes.
3.4.5 Introduction to Local User Management
You can not only create a local user database on the Eudemon for user information maintenance
and user management, but also perform local authentication.
Authentication
The Eudemon supports the following authentication modes:
l None authentication
The users are considered reliable and no legality check is performed on them. For the
sake of security, this mode is not recommended.
l Local authentication
Users are authenticated according to the information kept locally on the Network Access
Server (NAS) when they access the network. The local information includes user name,
password, and other attributes.
l Remote authentication
This authentication mode supports authentication based on the Remote Authentication Dial
In User Service (RADIUS) protocol or the HWTACACS protocol. NAS, as the client,
communicates with the RADIUS server or the HWTACACS server. For remote
authentication, both the standard RADIUS protocol and the extended RADIUS protocol of
Huawei can work jointly with devices such as iTELLIN/CAMS to implement
authentication.
Authorization
The Eudemon supports the following authorization modes:
l Direct authorization
The users are considered reliable and are directly granted access permissions.
l Local authorization
Users are authorized according to the local account-specific attributes configured on the
NAS.
l HWTACACS authorization
The HWTACACS server authorizes the users.
l If-authenticated authorization
If a user passes the local or remote authentication, the user is granted certain access
permissions.
l Post-RADIUS authentication authorization
If a user passes the authentication performed by the RADIUS server, the user is granted
certain access permissions. This is because authentication and authorization are bound
together in the RADIUS protocol, so RADIUS cannot be used for authorization only.
The NAS is responsible for transmitting the authentication and authorization information of a
user to the RADIUS server. RADIUS defines how user information is transmitted between the
NAS and the RADIUS server. The RADIUS server is responsible for:
l Receiving user connection requests
l Completing authentication
l Transmitting required configuration information to the NAS
Transactions between the NAS and the RADIUS server are identified through keys that are never
transmitted on networks. Any passwords between the NAS and the RADIUS server are
transmitted after encryption to prevent theft of passwords on insecure networks.
RADIUS authentication exchange (diagram not reproduced): the User sends a Username/Password
Request to the Access server (the RADIUS client), which forwards it to the RADIUS server; the
RADIUS server returns a Response.
When a user logs in to a network device, such as the Eudemon or an access server, the message
exchanging procedure includes the following steps:
1. The user sends the username and password to the Eudemon or the access server.
2. The RADIUS client on the Eudemon or the access server sends an authentication request
to the RADIUS server after receiving the username and password.
3. The RADIUS server authenticates the username as well as password and sends the required
authentication information to the client.
The login user can be a Point-to-Point Protocol (PPP) user who accesses network resources or an
administrator who configures or maintains network devices.
Authenticator
Attribute
It indicates the content body of the message, including the username, password, NAS IP address,
and various attributes related to the user.
RADIUS Features
The RADIUS protocol presents the following features:
l Excellent real-time quality brought by using the User Datagram Protocol (UDP) as a
transport protocol
l Higher reliability brought by supporting both the retransmission mechanism and the backup
server mechanism
l Easy to implement and suitable for the multithreading structure on the server
l Standard RADIUS protocol and its extended attributes, including RFC 2865 and RFC 2866
l Extended RADIUS+1.1 protocol of Huawei
l Proactive detection of the RADIUS server status
If the current status of the RADIUS server is Down, the broadband access server starts the
detection process upon receiving an authentication message, converts the message into a
detection packet, and then sends the packet to the RADIUS server. If the RADIUS server
responds, the broadband access server regards the RADIUS server as available.
l Automatic switchover function of the RADIUS server
In the case that the waiting timer expires and the current server is in the Down state or the
number of the sending attempts exceeds the retransmission threshold, the system selects
another server from the configured server group for sending the packet.
Compared with the RADIUS protocol, HWTACACS features reliable transmission and
encryption; it is therefore more practical for security control.
Table 3-2 lists the differences between the HWTACACS and RADIUS protocols.
Table 3-2 Differences between HWTACACS and RADIUS
HWTACACS                                        | RADIUS
Encrypts the whole body of a packet except the  | Encrypts only the password field of an
standard HWTACACS header.                       | authentication packet.
Since the authentication and authorization of HWTACACS are separated, you can use the
RADIUS protocol for authentication and HWTACACS for authorization.
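The RADIUS password protection referred to in the exchange above and in Table 3-2, as an added example that is not part of the Huawei document or the Eudemon software: the RFC 2865 User-Password hiding (MD5 of the shared secret and the Request Authenticator, XORed with the password) and the Response Authenticator that lets the NAS check a reply. It shows concretely that only the password attribute is protected while the User-Name travels in clear. The shared secret, authenticator bytes and user data are constructed.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks, then XOR each block with
    MD5(secret + previous block), seeded with the 16-byte Request Authenticator."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password length must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block          # chaining: the ciphertext block feeds the next MD5
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side: undo hide_password. Trailing NULs are padding, so a password
    ending in NUL bytes is not representable (same limitation as the RFC)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, request_auth, username, password, secret):
    """Assemble an Access-Request: header (code, id, length, authenticator) +
    User-Name (clear text) + User-Password (hidden). Everything except the
    password is sent in the clear, which is the difference Table 3-2 points at."""
    user_attr = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    hidden = hide_password(password, secret, request_auth)
    pw_attr = bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    attrs = user_attr + pw_attr
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    A reply with a correct value came from a server that holds the shared secret."""
    length = 20 + len(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, length)
                       + request_auth + attrs + secret).digest()


def verify_response(code, ident, attrs, request_auth, secret, received_auth):
    """NAS side check of an Access-Accept/Reject, in constant time."""
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, received_auth)
```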
The authorization precedence configured within a domain is lower than that configured on an
authentication and authorization server; that is, the authorization attribute delivered by the
authentication and authorization server is used preferentially. The domain authorization attribute
is valid only when the authentication and authorization server does not deliver or does not support
this authorization attribute. This processing mechanism offers more flexibility in using domains to
add services, so that you are not limited to the attributes provided by servers.
In the scenario where a domain and a user within the domain are configured with different
attributes, user-based configuration is used preferentially. Namely, the precedence of the user-
based configuration is higher than that of the domain-based configuration.
NOTE
Users with information kept on the local user database are local users.
The Eudemon supports two modes of detection, namely, in-depth detection and behavior
detection. At present, in-depth detection is mostly used. If in-depth detection is not satisfactory
enough, you can configure behavior detection. Behavior detection mainly detects encrypted data
traffic.
If you need to detect or limit P2P traffic for a specific interzone, you can configure the related
detection and limiting policies for that interzone only, which improves performance. The Eudemon
then does not detect or limit P2P traffic in other interzones.
3.6 IP-CAR
IP-CAR limits IP bandwidths and the number of IP connections.
The IP-CAR function includes the following aspects:
l IP connection number restriction: limits the number of connections initiated or accepted by
a specific IP address.
IP connection number restriction can help prevent users from launching attacks and protect
certain users against attacks.
l IP bandwidth restriction: limits the session bandwidth of a specific IP address.
Bandwidth restriction can help smooth network traffic, ensure a normal access rate, and
defend the network against attacks.
The bandwidth restriction and the connection number restriction of the Eudemon both provide
eight levels. You can set a proper level for connection number restriction or bandwidth restriction
by considering the ACL restriction on connection number or on bandwidth.
Networks have become an indispensable part for enterprises. However, they also expose
enterprises to various security threats, such as:
To solve these problems, the Eudemon cooperates with the TSM server to protect important
network resources. By working jointly with a TSM server, the Eudemon can classify internal
users and control their access to resources based on their permission classes. This mechanism
helps ensure that a user can access only authorized resources, thus preventing unauthorized
internal users from accessing confidential data or applications.
Figure 3-8 TSM security access control system (diagram not reproduced): TSM agents (Agent 1,
Agent 2) on the terminals, the Eudemon acting as the SACG, the TSM manager, the TSM controller,
the Security Recover Server (SRS), and Service server A.
NOTE
For information about the functions of each part, refer to TSM server-related documents.
As shown in Figure 3-8, the Eudemon functions as the SACG and cooperates with the TSM to
control users' network access and provide terminal users with services through the service server.
NOTE
Terminal users can obtain the right to access network resources by means of either the TSM agent or the
Web. The two methods have the same operation procedure. The following describes the operation procedure
of the TSM agent.
To access network resources, a terminal user goes through the following steps:
1. The terminal user starts the TSM agent and enters the authentication information for the
TSM server to authenticate. The authentication modes are as follows:
l Domain authentication
l Username and password authentication
l MAC address authentication
l Other authentication modes
2. The TSM agent sends the information about the terminal user to the TSM server for
authentication and security checks.
l If the user is legitimate and the security policy meets the requirement of the enterprise,
the user can use the network.
l If the user is not legitimate or the security policy does not meet the requirement of the
enterprise, the TSM agent triggers an alarm to the user, and the Security Recover Server
(SRS) proposes corresponding recovery.
After recovery, the preceding process takes place again. The terminal user can obtain
certain network resources only when its security meets the requirement.
3. After the terminal user passes the authentication and security check, the TSM server asks
the Eudemon to grant the user certain access rights.
4. The Eudemon determines according to the access rights delivered by the TSM server
whether the terminal user can obtain specific network resources. If yes, the Eudemon allows
the user to obtain the resources; if not, the user cannot obtain the resources.
5. When the terminal user logs out, the TSM agent reports the logout to the TSM server. After
the user logs out, the TSM server asks the Eudemon to disable the user's access.
When the terminal user accesses the network resources again, it needs to be authenticated again.
In addition, a synchronization mechanism between the Eudemon and the TSM server ensures
that the Eudemon can synchronize the updates and changes of users' role information on the
TSM server.
NOTE
According to the rule of roles, the Eudemon determines whether a user has the authority to access the
service server. Terminal users can access network resources matching their authority.
NOTE
Based on its authority, the administrator can define different roles and grant access rights to roles. The
administrators with the same role enjoy the same operation rights. When creating an administrator account,
the administrator needs only to specify roles for the account, which then automatically gains all the
operation rights of those roles. Granting rights in this way saves repeated operations and reduces the
burden of account management.
3.8 SLB
In current network applications, especially in Internet Data Centers (IDCs) and websites, the
processing capability of a single server has become the bottleneck of the network. The
Eudemon can solve this problem through Server Load Balancing (SLB).
3.8.1 Introduction to SLB
Based on the configured load balancing algorithm, the Eudemon can distribute traffic destined for
the same IP address to several servers.
3.8.2 Virtual Service Technology
The virtual service technology refers to sharing of one public IP address (the virtual IP address)
among multiple servers. By accessing the public IP address, users can access the contents on the
real server.
3.8.3 Server Health Check
Server health check is part of the SLB function. Through using server health check, the
Eudemon improves the availability of the system and ensures the effectiveness of each
connection. Thus, servers can offer services properly.
3.8.4 Traffic-based Forwarding
By applying the specified algorithm, the Eudemon distributes data streams to the real servers for
processing. At present, the Eudemon supports three SLB algorithms: source address hash, round,
and weighted round.
SLB networking (diagram not reproduced): a PC accesses the virtual servers Vserver1 and Vserver2
on the Eudemon, which front two groups of real servers, Group1 (Rserver1, Rserver2) and Group2
(Rserver3, Rserver4).
4 Internetworking
This chapter describes the configuration of the routing function of the Eudemon, focusing on
its internetworking capability. Here, the Eudemon can be considered as a router. Terms from
the router field are used to describe the Eudemon; that is, the router mentioned in the following
part can be read as the Eudemon.
4.1 VLAN
4.2 PPP
4.3 PPPoE
4.4 DHCP
4.5 IP Static Route
4.6 RIP
4.7 OSPF
4.8 Introduction to Policy-Based Routing
4.9 QoS
4.1 VLAN
4.1.1 Introduction
4.1.2 Advantages of VLAN
4.1.1 Introduction
The above problems can be solved by using the Transparent Bridge or LAN switch to
interconnect the LANs.
Although the switch solves the problem of severe collisions caused by using hubs, it still
cannot separate broadcasts. In fact, all the hosts (perhaps including many switches)
interconnected by switches are in one broadcast domain. The switch forwards broadcast packets,
that is, packets whose destination MAC address is all Fs (0xffffffffffff), such as ARP request
packets, to all its ports. A broadcast storm can then occur and the performance of the entire
network degrades.
VLAN networking (diagram not reproduced): two LAN switches, one carrying VLAN 10 and the
other VLAN 20, are interconnected through a Router.
The formation of a VLAN is not restricted by physical location; that is, one VLAN can be within
one switch, across switches, or even across routers. A VLAN can be defined based on one of the
following:
l Port
l MAC address
l Protocol type
l IP address mapping
l Multicast
l Policy
At present, VLANs are usually classified based on the port. In this manual, all VLANs are
port-based unless otherwise stated.
l It can restrict broadcast packets (broadcast storms), save bandwidth, and thus improve
network performance.
The broadcast domain is restricted to one VLAN, and a switch cannot directly send frames
from one VLAN to another unless it is a Layer 3 switch.
l It can enhance the security of the LAN.
VLANs cannot directly communicate with one another; that is, the users in one VLAN
cannot directly access those in other VLANs. They need the help of Layer 3 devices such as
routers and Layer 3 switches to fulfill the access.
l It provides virtual workgroups.
VLANs can be used to group users into different workgroups. When the workgroups change,
the users need not change their physical locations. In practice, users of the same
workgroup usually cooperate with each other at the same place, and it is rare for them
to be in different places.
On a switch, a common port can belong to only one VLAN; that is, it can only identify and
send packets of the VLAN it belongs to. However, when a VLAN spans switches, the ports
(links) between the switches must be able to identify and send packets of several VLANs at
the same time. The same requirement applies between switches and routers that support
VLANs.
The link of this type is called Trunk, which has two meanings:
l Trunking
Namely, the VLAN packets are transparently transmitted to the interconnected switches or
routers to extend the VLAN.
l Super trunk
Namely, several VLANs run on such a link.
The common protocol used to implement a trunk is IEEE 802.1Q (dot1q), a standard protocol
of IEEE. It identifies the VLAN by inserting a 4-byte VLAN tag after the source address field
of the original Ethernet frame.
VLANs cannot directly interconnect with each other, so routers supporting VLANs must be used
to connect the VLANs and implement inter-VLAN communication. Usually, this is a Layer 3
(IP layer) interconnection.
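The 4-byte 802.1Q tag inserted after the source address, as an added example that is not part of the Huawei document or the Eudemon software: inserting, parsing and stripping the tag on a raw Ethernet frame, plus the port-based flooding rule that keeps a broadcast inside its VLAN (a frame is never copied to a port of another VLAN). The frame and the port table are constructed; treating an untagged frame received on a trunk as VLAN 1 is an assumption.

```python
import struct

TPID_8021Q = 0x8100   # Tag Protocol Identifier, sits where the EtherType was


def tag_frame(frame, vid, pcp=0, dei=0):
    """Insert TPID + TCI (3-bit priority, 1-bit DEI, 12-bit VID) after dst+src MAC."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID is a 12-bit field")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame):
    """Return (vid, pcp, inner_ethertype) for a tagged frame, None if untagged."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF, tci >> 13, struct.unpack("!H", frame[16:18])[0]


def untag_frame(frame):
    """Strip the tag, as an access port does on egress."""
    return frame[:12] + frame[16:] if parse_tag(frame) is not None else frame


def flood_targets(frame, ports, ingress):
    """Ports that receive a broadcast or unknown-unicast frame on a port-based
    VLAN switch. ports maps a port name to ("access", vid) or ("trunk", {vids})."""
    mode, cfg = ports[ingress]
    tag = parse_tag(frame)
    if tag is None:
        # Untagged: an access port assigns its own VLAN; assumption: VLAN 1 on a trunk.
        vid = cfg if mode == "access" else 1
    else:
        vid = tag[0]
        allowed = {cfg} if mode == "access" else cfg
        if vid not in allowed:
            return []        # ingress filtering: this tag is not permitted on the port
    return sorted(name for name, (m, c) in ports.items()
                  if name != ingress and (c == vid if m == "access" else vid in c))
```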
4.2 PPP
4.2.1 Introduction
4.2.2 PPP Authentication
4.2.3 PPP Link Operation
4.2.1 Introduction
The Point-to-Point Protocol (PPP) is one of the link layer protocols that bear network layer
packets over the point-to-point link.
PPP is located at the data link layer of both the Open Systems Interconnection (OSI) model and
the TCP/IP protocol stack. PPP supports synchronous and asynchronous full-duplex links for
transmitting data in a point-to-point way.
l The Link Control Protocol (LCP) suite: This protocol suite is responsible for establishing,
removing, and monitoring data links.
l The Network Control Protocol (NCP) suite: This protocol suite is responsible for
negotiating the format and type of packets transmitted over a data link.
l PPP extended protocol suite: Protocols in this suite, such as PPPoE, provide extended PPP
functions. With the development of network technologies, network bandwidth is no longer
a bottleneck, so the PPP extended protocol suite is rarely used nowadays.
In addition, PPP provides the authentication protocols: Password Authentication Protocol (PAP)
and Challenge-Handshake Authentication Protocol (CHAP).
authentication with the authenticator being configured with the user name is recommended
because the user name of the authenticator can be confirmed.
l Process of authentication with the authenticator configured with a user name
The process is as follows:
– The authenticator sends the authenticated a randomly generated Challenge packet
together with its local host name.
– After receiving the Challenge packet, the authenticated searches its local user list for
the password that corresponds to the user name of the authenticator. Using the located
password and the Challenge packet, the authenticated computes a value with the MD5
algorithm, and then sends the value and its own host name to the authenticator in a
Response packet.
– The authenticator receives the Response packet. According to the host name of the
authenticated carried in it, the authenticator searches its local user list for the password
of the authenticated. After locating the password, the authenticator uses the Challenge
packet and that password to compute a value with the MD5 algorithm, compares it with
the value in the received Response packet, and then returns the authentication result,
that is, allow or deny.
l Process of authentication with the authenticator not configured with a user name
If the authenticator is not configured with a user name, the authenticator sends only the
Challenge packet to the authenticated. Using the password set on the local interface and
the Challenge packet, the authenticated computes a value with the MD5 algorithm, and
then sends the value and its own host name to the authenticator. The remaining steps are
the same as in the process with the authenticator configured with a user name.
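Both CHAP variants described above, as an added example that is not part of the Huawei document or the Eudemon software: the authenticator issues a fresh Challenge, the authenticated looks up the password by the authenticator's host name (or uses its interface password when no name is sent), and the authenticator verifies the MD5 value by the host name returned. The MD5 input follows RFC 1994 (Identifier, secret, Challenge value); the page does not mention the Identifier byte. Host names, passwords and user lists are constructed.

```python
import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    """RFC 1994 section 2: Response Value = MD5(Identifier + secret + Challenge Value)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapPeer:
    """One PPP end. `users` maps a peer host name to the password shared with it
    (the page's local user list); `interface_password` is used when the
    authenticator sends no user name (the second variant on the page)."""

    def __init__(self, name, users, interface_password=None):
        self.name = name
        self.users = users
        self.interface_password = interface_password

    # --- authenticator side ---
    def challenge(self, send_name=True):
        ident = os.urandom(1)[0]          # fresh Identifier per Challenge
        value = os.urandom(16)            # fresh random Challenge value (never reused)
        return ident, value, (self.name if send_name else None)

    def verify(self, ident, value, response, peer_name):
        """Look up the peer's password by the host name it returned and compare."""
        password = self.users.get(peer_name)
        if password is None:
            return False                  # unknown peer: deny
        expected = chap_response(ident, password, value)
        return hmac.compare_digest(expected, response)

    # --- authenticated side ---
    def respond(self, ident, value, authenticator_name):
        if authenticator_name is None:
            password = self.interface_password   # no user name: interface password
        else:
            password = self.users.get(authenticator_name)
        if password is None:
            return None                   # nothing to answer with
        return chap_response(ident, password, value), self.name


def run_chap(authenticator, authenticated, send_name=True):
    """Drive one Challenge/Response round and return 'allow' or 'deny'."""
    ident, value, auth_name = authenticator.challenge(send_name)
    reply = authenticated.respond(ident, value, auth_name)
    if reply is None:
        return "deny"
    response, peer_name = reply
    return "allow" if authenticator.verify(ident, value, response, peer_name) else "deny"
```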
Figure 4-2 shows the setup process of a PPP session and the status transition in the whole process.
Figure 4-2 PPP session setup and state transitions (state diagram not reproduced). Phases: Dead,
Establish, Authenticate, Network, Terminate. Transitions shown: Dead -> Establish (UP);
Establish -> Authenticate (OPENED); Authenticate -> Network (SUCCESS); Network -> Terminate
(CLOSED); Terminate -> Dead (DOWN); FAIL transitions leave the Establish and Authenticate phases.
PPP undergoes the following phases during the configuration, maintenance, and termination of
a P2P link.
l Dead Phase
l Establish Phase
l Authenticate Phase
l Network Phase
l Terminate Phase
Dead Phase
The Dead phase is also called the unavailable phase of the physical layer. Setup of a PPP link
begins with and terminates at the Dead phase.
After the communicating devices on both ends detect a physical link is activated, generally, the
carrier signal is detected on the link, and the devices enter the Establish phase.
In the Establish phase, link parameters are set mainly by using LCP. The state machine of LCP
changes according to the events. If a link is in the Dead phase, the status of the LCP state machine
is Initial or Starting. After the link becomes available, the status of the LCP state machine
changes.
After a link is torn down, it returns to the Dead phase. In practice, this phase is very short
and serves only to detect the existence of the peer device.
Establish Phase
The Establish phase is the key and most complicated phase of PPP.
In this phase, packets used to configure data links are transmitted. Those configuration
parameters do not include the parameters needed for the network layer protocol. After the packets
are exchanged, the link between the communicating devices enters the next phase.
According to user configuration, the next phase can be either the Authenticate phase or the
Network phase.
l When the link status is unavailable, the status of the LCP state machine is Initial or Starting.
If the link is detected as available, the physical layer sends an Up event contained in a
packet to the link layer. After receiving the event, the link layer changes the status of the
LCP state machine to the Request-Sent state. Then LCP sends Configure-Request packets
to configure the data link.
l After one of the two ends receives the Configure-Ack packet, the status of the LCP state
machine changes to Opened. The link enters the next phase.
Note that the link configuration processes on the two ends are independent of each other.
In the Establish phase, non-LCP packets are discarded when received.
Authenticate Phase
Generally, authentication is performed before devices on both ends enter the Network phase.
By default, PPP does not involve authentication. If authentication is necessary, you must specify
the authentication protocol in the Establish phase.
l Links connected through the PPP server or dial-in access between hosts and routers in most
cases
l Private links occasionally
The authentication mode is determined by the outcome of the negotiation in the Establish phase.
The link-quality detection is also performed in the Establish phase. According to the PPP
protocol, the detection does not unlimitedly delay the authentication process.
This phase supports only the link control protocol, the authentication protocol, and quality-detection
packets. Packets of other types are discarded. If a device receives a Configure-Request packet
in this phase, the link returns to the Establish phase.
Network Phase
In the Network phase, network protocols such as IP, IPX, and AppleTalk are negotiated through
corresponding NCPs, which can be enabled and disabled during any phase. After a NCP state
machine turns Opened, PPP links can transmit network-layer packets.
If a device receives a Configure-Request packet in this phase, the communicating devices return
to the Establish phase.
Terminate Phase
PPP can terminate a link at any time. Besides the network administrator manually closing the
link, carrier loss, authentication failure, or link-quality detection failure can end a link. In
the Establish phase, after the exchange of LCP Terminate frames, a link is torn down
physically. NCP cannot, and does not need to, close a PPP link.
4.3 PPPoE
4.3.1 Introduction
4.3.2 PPPoE Discovery Period
4.3.3 PPPoE Session Period
4.3.1 Introduction
Point-to-Point Protocol over Ethernet (PPPoE) describes the method for setting up PPPoE sessions
and encapsulating PPP datagrams over Ethernet. These functions require a point-to-point (P2P)
relationship between the peers instead of the multipoint relationships available in Ethernet
and other multi-access environments. PPPoE uses Ethernet to connect a large number of hosts.
With PPPoE, remote clients access the Internet through an access server, which performs access
control and accounting for the access hosts. Being cost-effective, PPPoE is widely applied in
scenarios such as community networks.
With this model, each host uses its own PPP stack and the user is presented with a familiar user
interface. Access control, billing, and type of service (ToS) can be applied per user rather than
per site.
PPPoE consists of two stages: the Discovery stage and the PPPoE Session stage.
When a host wants to initiate a PPPoE session, it must first perform Discovery to identify the
Ethernet MAC address of the peer and set up a PPPoE Session_ID.
Depending on the network topology, the host may be able to communicate with more than one
access concentrator (AC). The Discovery stage allows the host to discover all ACs and then select one.
When the Discovery stage completes successfully, both the host and the selected AC have the
information they need to set up a P2P connection over Ethernet.
The Discovery stage remains stateless until a PPPoE session is set up. Once a PPPoE session is
set up, both the host and the AC, which serves as the access server, must allocate resources for
a PPP virtual interface. After the PPPoE session is set up successfully, the host and the access
server can communicate.
When the host accesses the server through PPPoE, it must identify the MAC address of the
peer before setting up the PPPoE Session_ID. This is the function of the Discovery stage.
The Discovery stage consists of four steps. When the Discovery stage completes, both peers
know the PPPoE Session_ID and the peer's Ethernet address, which together uniquely define the
PPPoE session.
1. The host broadcasts a PPPoE Active Discovery Initial (PADI) packet within the local
Ethernet. This packet contains the service information that the host needs.
[Figure: the PC broadcasts a PADI packet, which reaches Server A, Server B, and Server C]
2. After receiving this PADI packet, all the servers on the Ethernet compare the requested
services with services they can provide. Then, the servers that can provide the requested
services send back PPPoE Active Discovery Offer (PADO) packets.
As shown in Figure 4-4, both Server A and Server B can provide services, and send back
PADO packets to the host.
[Figure 4-4: Server A and Server B return PADO-A and PADO-B to the PC; Server C does not respond]
3. The host may receive more than one PADO packet from servers. The host looks through
the PADO packets and chooses a server. Then, the host sends a PPPoE Active Discovery
Request (PADR) packet to the server.
As shown in Figure 4-5, the host chooses Server A and sends a PADR packet to it.
Figure 4-5 Diagram of the host choosing a server and sending a PADR packet
[Figure: the PC sends a PADR packet to Server A; Server B and Server C are not addressed]
4. The server generates a unique session identifier for the PPPoE session with the host.
Then, the server sends this session identifier to the host in a PPPoE Active Discovery
Session-confirmation (PADS) packet. If no error occurs, both the server and the host enter
the PPPoE Session stage.
As shown in Figure 4-6, Server A sends a PADS packet to the host after receiving the
PADR packet.
Figure 4-6 Diagram of the server sending a PADS packet to the host
[Figure: Server A sends a PADS packet to the PC]
After sending the PADS packet, the access server enters the PPPoE Session stage; after
receiving the PADS packet, the host enters the PPPoE Session stage.
Once a PPPoE session begins, PPP packets are carried as the PPPoE payload in Ethernet frames
sent to the peer. The session ID must be the one determined in the Discovery stage, and the
destination MAC address must be that of the peer. The PPP packet starts with the PPP protocol
ID. In the Session stage, either the host or the access server can send a PPPoE Active Discovery
Terminate (PADT) packet to notify the peer that the session is ended.
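The four discovery steps and the first Session-stage frame, as an added example that is not part of the original document. The frame layout and code points follow RFC 2516 (Ethertypes 0x8863 for discovery and 0x8864 for session; codes PADI 0x09, PADO 0x07, PADR 0x19, PADS 0x65, PADT 0xa7; Service-Name and AC-Name tags). The three servers, their MAC addresses and the service names are constructed to match the figures; the `AccessConcentrator` class is a stand-in for the access servers, not a product API.

```python
"""PPPoE Discovery (PADI/PADO/PADR/PADS) and the first Session-stage frame,
as described in the four steps above. Added example, not code from the
original document. Frame layout and code points follow RFC 2516; the servers,
MAC addresses and service names are constructed for illustration."""
import struct

ETH_DISCOVERY, ETH_SESSION = 0x8863, 0x8864
PADI, PADO, PADR, PADS, PADT = 0x09, 0x07, 0x19, 0x65, 0xA7
TAG_SERVICE_NAME, TAG_AC_NAME = 0x0101, 0x0102
BROADCAST = b"\xff" * 6
VER_TYPE = 0x11                      # VER = 1, TYPE = 1


def encode_tags(tags):
    return b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)


def build_frame(dst, src, ethertype, code, session_id, payload):
    pppoe = struct.pack("!BBHH", VER_TYPE, code, session_id, len(payload)) + payload
    return dst + src + struct.pack("!H", ethertype) + pppoe


def parse_frame(frame):
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != VER_TYPE:
        raise ValueError("unsupported PPPoE VER/TYPE")
    payload = frame[20:20 + length]
    if len(payload) != length:
        raise ValueError("truncated PPPoE payload")
    tags, pos = [], 0
    if ethertype == ETH_DISCOVERY:        # discovery payload is a TLV list
        while pos + 4 <= len(payload):
            t, l = struct.unpack("!HH", payload[pos:pos + 4])
            tags.append((t, payload[pos + 4:pos + 4 + l]))
            pos += 4 + l
    return {"dst": dst, "src": src, "ethertype": ethertype, "code": code,
            "session_id": session_id, "tags": tags, "payload": payload}


def tag(tags, wanted):
    return next((v for t, v in tags if t == wanted), None)


class AccessConcentrator:
    """Constructed access server: answers PADI/PADR for the services it offers."""
    def __init__(self, name, mac, services):
        self.name, self.mac, self.services = name, mac, set(services)
        self.next_session = 1
        self.sessions = {}               # Session_ID -> host MAC

    def handle(self, frame):
        msg = parse_frame(frame)
        service = tag(msg["tags"], TAG_SERVICE_NAME).decode()
        if msg["code"] == PADI and service in self.services:
            # Step 2: offer the service, naming ourselves in the AC-Name tag.
            return build_frame(msg["src"], self.mac, ETH_DISCOVERY, PADO, 0, encode_tags(
                [(TAG_AC_NAME, self.name.encode()), (TAG_SERVICE_NAME, service.encode())]))
        if msg["code"] == PADR and msg["dst"] == self.mac and service in self.services:
            # Step 4: allocate a unique, non-zero Session_ID and confirm it.
            sid, self.next_session = self.next_session, self.next_session + 1
            self.sessions[sid] = msg["src"]
            return build_frame(msg["src"], self.mac, ETH_DISCOVERY, PADS, sid,
                               encode_tags([(TAG_SERVICE_NAME, service.encode())]))
        return None


def discover(host_mac, acs, service, prefer=None):
    """Run the four discovery steps; return (AC name, Session_ID, AC MAC) or None."""
    padi = build_frame(BROADCAST, host_mac, ETH_DISCOVERY, PADI, 0,
                       encode_tags([(TAG_SERVICE_NAME, service.encode())]))
    offers = [parse_frame(r) for ac in acs if (r := ac.handle(padi))]   # steps 1 and 2
    if not offers:
        return None
    # Step 3: pick the preferred AC if it answered, otherwise the first PADO.
    chosen = next((o for o in offers if tag(o["tags"], TAG_AC_NAME).decode() == prefer), offers[0])
    padr = build_frame(chosen["src"], host_mac, ETH_DISCOVERY, PADR, 0,
                       encode_tags([(TAG_SERVICE_NAME, service.encode())]))
    ac = next(a for a in acs if a.mac == chosen["src"])
    pads = parse_frame(ac.handle(padr))
    return tag(chosen["tags"], TAG_AC_NAME).decode(), pads["session_id"], ac.mac


def session_frame(host_mac, ac_mac, session_id, ppp_protocol, ppp_data):
    """Session stage: the payload is a PPP packet that starts with its protocol ID."""
    return build_frame(ac_mac, host_mac, ETH_SESSION, 0x00, session_id,
                       struct.pack("!H", ppp_protocol) + ppp_data)


# Constructed topology from the figures: one PC, three servers.
HOST_MAC = bytes.fromhex("020000000001")
SERVERS = [AccessConcentrator("Server A", bytes.fromhex("02000000000a"), ["internet"]),
           AccessConcentrator("Server B", bytes.fromhex("02000000000b"), ["internet", "iptv"]),
           AccessConcentrator("Server C", bytes.fromhex("02000000000c"), ["internet", "voip"])]
```

`discover(HOST_MAC, SERVERS, "internet")` reproduces the figures: all three servers see the broadcast PADI, only those offering the service answer with PADO, the host unicasts PADR to the one it picks, and that server alone allocates a Session_ID. The (Session_ID, peer MAC) pair the PADS establishes is exactly what `session_frame` then carries in the 0x8864 frame.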
4.4 DHCP
With the rapid growth in network scale and complexity, network configuration has become more
difficult. Because the number of hosts exceeds the number of available IP addresses, the Dynamic
Host Configuration Protocol (DHCP) was created.
DHCP works in client/server mode. With DHCP, a client can dynamically request
configuration information from a DHCP server, including the assigned IP address, the subnet
mask, and the default gateway. The DHCP server returns the corresponding configuration
information to the client according to its configuration policy.
l DHCP can deliver all the configuration information that a host needs by sending only two
messages.
l DHCP lets a computer obtain an IP address quickly and dynamically, instead of requiring
a static IP address for each host.
[Figure: the DHCP client and the Eudemon acting as DHCP relay, connected by Ethernet segments]
l After the DHCP client starts up and begins DHCP initialization, it broadcasts a configuration
request packet on the local network.
l If there is a DHCP server on the local network, the client can be configured without a
DHCP relay.
l If there is no DHCP server on the local network, the network device with the DHCP relay
function that is connected to the local network receives and processes the broadcast packets,
and forwards them to the specified DHCP servers on other networks.
l Based on the information offered by the client, the server sends configuration information to
the client through the DHCP relay, and the dynamic configuration of the client is complete. In
practice, several such exchanges are needed between the start and the end of the configuration.
In essence, the DHCP relay transparently transmits DHCP broadcast packets; that is, it
transparently forwards broadcast packets from the DHCP client (or the DHCP server) to the DHCP
server (or the DHCP client) on other network segments.
In practice, the DHCP relay function is usually implemented on a specific interface of
the Eudemon. To enable DHCP relay on an interface, you need to assign an IP relay address
to the interface that specifies the DHCP server.
A typical DHCP application usually requires one DHCP server and multiple clients. The DHCP
clients exchange different information with the server in different phases to obtain the valid and
dynamic IP addresses. The following describes the common application scenarios in actual
practice.
l DHCP discovery: In this phase, the DHCP client looks for a DHCP server. When the
client starts and enters the initialization state, it broadcasts a DHCPDISCOVER message.
l DHCP offer: In this phase, the DHCP server offers an IP address. After the DHCP
server receives the DHCPDISCOVER message from the client, it extends an IP lease offer:
it selects an available (unassigned) IP address from its address pool and offers it to the
client in a DHCPOFFER message. The message contains the leased IP address and other settings.
l DHCP request: In this phase, the DHCP client selects an IP address. If several DHCP
servers send DHCPOFFER messages to the client, the client accepts only the first
DHCPOFFER message. The client then broadcasts a DHCPREQUEST message, which reaches every
DHCP server, and enters the request state. The DHCPREQUEST message contains
the IP address of the DHCP server that made the accepted offer.
l DHCP acknowledgement: In this phase, the DHCP server confirms the IP address. After
the DHCP server receives the DHCPREQUEST message from the client, it sends a
DHCPACK message to the client. The message includes the IP address and other settings.
The DHCP client then binds the TCP/IP components to the network adapter and enters
the binding state.
The DHCP servers that were not selected by the client can still offer their unassigned IP
addresses to other clients.
l When the lease renewal timer expires, the DHCP client must renew its IP address. The
client automatically sends a DHCPREQUEST message to the DHCP server that assigned the
address and enters the renewal state. If the IP address is still valid, the DHCP server
responds with a DHCPACK message, telling the client that a new lease is granted, and the
client returns to the binding state. If the client receives a DHCPNAK message from the
DHCP server, it returns to the initialization state.
l After the client sends a DHCPREQUEST message to prolong the lease, it remains in the
renewal state waiting for a response from the server. If the client receives no response
before the rebinding timer expires, it assumes that the original DHCP server is unreachable
and broadcasts a DHCPREQUEST message.
Any DHCP server on the network can respond to the client's request with a DHCPACK or
DHCPNAK message.
If the client receives a DHCPACK message, it returns to the binding state and resets the
lease renewal and rebinding timers.
If the client receives only DHCPNAK messages, it must stop using the IP address immediately
and return to the initialization state to apply for a new IP address.
l If the client receives no response before the lease expiry timer expires, it must stop using
the IP address immediately and return to the initialization state to apply for a new IP
address.
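The client-side states and timers described above (initialization, request, binding, renewal, rebinding, and the lease renewal, rebinding and lease expiry timers), as an added example that is not part of the original document. The timer positions of 50% and 87.5% of the lease are the RFC 2131 defaults and are an assumption here, since the text names the timers without giving values; the server address, lease length and offer are constructed.

```python
"""DHCP client states (initialization, request, binding, renewal, rebinding)
and the lease-renewal, rebinding and lease-expiry timers described above.
Added example, not code from the original document. T1 = 50% and T2 = 87.5%
of the lease are the RFC 2131 defaults; server addresses and lease lengths
are constructed."""
from dataclasses import dataclass


@dataclass
class Lease:
    ip: str
    server: str
    duration: int        # seconds
    granted_at: float

    @property
    def renewal_at(self):            # lease renewal timer (T1)
        return self.granted_at + self.duration * 0.5

    @property
    def rebinding_at(self):          # rebinding timer (T2)
        return self.granted_at + self.duration * 0.875

    @property
    def expires_at(self):            # lease expiry timer
        return self.granted_at + self.duration


class DhcpClient:
    def __init__(self):
        self.state = "initialization"
        self.lease = None
        self.sent = []               # (message, destination) log

    def _discover(self):
        self.lease, self.state = None, "initialization"
        self.sent.append(("DHCPDISCOVER", "broadcast"))

    def start(self):
        self._discover()

    def on_offers(self, offers):
        """Accept only the first DHCPOFFER; DHCPREQUEST is broadcast so every
        server (including those not chosen) sees the decision."""
        if self.state != "initialization" or not offers:
            return
        self.sent.append(("DHCPREQUEST", "broadcast"))
        self.state = "request"

    def on_ack(self, ip, server, duration, now):
        if self.state in ("request", "renewal", "rebinding"):
            self.lease = Lease(ip, server, duration, now)   # a new lease resets all timers
            self.state = "binding"

    def on_nak(self):
        # DHCPNAK: stop using the address at once and start over.
        self._discover()

    def tick(self, now):
        """Advance the clock; emit the message the timers call for. Returns the state."""
        if self.lease is not None:
            if now >= self.lease.expires_at:
                self._discover()
            elif now >= self.lease.rebinding_at and self.state == "renewal":
                # No answer from the original server: ask any server, by broadcast.
                self.state = "rebinding"
                self.sent.append(("DHCPREQUEST", "broadcast"))
            elif now >= self.lease.renewal_at and self.state == "binding":
                # Renew by unicast with the server that granted the lease.
                self.state = "renewal"
                self.sent.append(("DHCPREQUEST", self.lease.server))
        return self.state


def scenario_no_answer():
    """Server never answers: binding -> renewal -> rebinding -> initialization."""
    c = DhcpClient()
    c.start()
    c.on_offers([{"ip": "10.0.0.50", "server": "10.0.0.1"}])   # constructed offer
    c.on_ack("10.0.0.50", "10.0.0.1", 3600, now=0)
    return [c.state, c.tick(1800), c.tick(3150), c.tick(3600)], c.sent


def scenario_renewed():
    """Server answers the unicast renewal: the client returns to binding with fresh timers."""
    c = DhcpClient()
    c.start()
    c.on_offers([{"ip": "10.0.0.50", "server": "10.0.0.1"}])
    c.on_ack("10.0.0.50", "10.0.0.1", 3600, now=0)
    states = [c.tick(1800)]
    c.on_ack("10.0.0.50", "10.0.0.1", 3600, now=1800)
    states += [c.state, c.tick(3150)]       # 3150 is before the new renewal time (3600)
    return states
```

The two scenarios contrast a server that stays silent (the client walks through renewal, rebinding and finally back to initialization, switching from unicast to broadcast requests along the way) with a server that answers the renewal (the new DHCPACK restarts all three timers, so the later tick changes nothing).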
l For point-to-point interfaces, the next hop address is specified implicitly by the specified
transmission interface: the address of the peer interface connected to this interface is
the next hop address. On PPP, for example, the peer IP address is obtained through PPP
negotiation. In this case, you only need to specify the transmission interface, without the
next hop address.
l Non-Broadcast Multiple Access (NBMA) interfaces, such as ATM interfaces, support
point-to-multipoint networks. Therefore, in practice you need to not only configure the IP
route but also set up the secondary route at the link layer, that is, the mapping between the
IP address and the link-layer address. In this case, you need to configure the next hop IP
address.
l In static route configuration, you should not specify an Ethernet interface as the
transmission interface. An Ethernet interface is a broadcast interface, so many possible
next hops exist and a unique next hop cannot be determined. If you must specify a
broadcast interface (such as an Ethernet interface) as the transmission interface, specify the
next hop address at the same time.
Other Attributes
The static route has the following attributes:
l Reachable route
Normal routes belong to this case. IP packets are sent to the next hop according to the route
determined by the destination IP address. The static route is commonly used in this way.
l Unreachable route
When the static route of a certain destination IP address has the "reject" attribute, all IP
packets to the destination IP address are discarded and the source host is notified that the
destination IP address is unreachable.
l Blackhole route
When the static route of a certain destination IP address has the "blackhole" attribute, all
IP packets to the destination IP address are discarded and the source host is not notified.
The "reject" and "blackhole" attributes are used to control the range of destination IP
addresses reachable through the router and to help analyze network faults.
In a routing table, the default route is the route to the network 0.0.0.0 (with the mask 0.0.0.0).
Using the display ip routing-table command, you can check whether the default route is
configured. If the destination address of a packet does not match any entry in the routing table,
the router selects the default route to forward this packet. If there is no default route, and the
destination address of the packet does not match any entry in the routing table, the packet is
discarded. An Internet Control Message Protocol (ICMP) packet is then sent to inform the source
host that the destination host or network is unreachable.
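The forwarding decision described above (longest-prefix match, the reachable, "reject" and "blackhole" attributes, the 0.0.0.0/0 default route, and the ICMP notification when nothing matches), as an added example that is not part of the original document. The `RoutingTable` class and all prefixes and next hops are constructed for illustration; it is not the device's routing table implementation.

```python
"""Longest-prefix-match lookup over static routes with the reachable,
"reject" and "blackhole" attributes and a 0.0.0.0/0 default route, as
described above. Added example, not code from the original document; the
prefixes and next hops are constructed."""
import ipaddress


class RoutingTable:
    ATTRIBUTES = ("reachable", "reject", "blackhole")

    def __init__(self):
        self.routes = []                 # (network, next_hop or None, attribute)

    def add(self, prefix, next_hop=None, attribute="reachable"):
        if attribute not in self.ATTRIBUTES:
            raise ValueError("unknown attribute %r" % attribute)
        if attribute == "reachable" and next_hop is None:
            raise ValueError("a reachable route needs a next hop")
        self.routes.append((ipaddress.ip_network(prefix), next_hop, attribute))

    def lookup(self, destination):
        """Return what the router does with a packet to `destination`."""
        addr = ipaddress.ip_address(destination)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            # No matching entry and no default route: discard and tell the source (ICMP).
            return {"action": "drop", "icmp_unreachable": True, "route": None}
        net, next_hop, attribute = max(matches, key=lambda r: r[0].prefixlen)
        if attribute == "reject":
            # Discard and notify the source host that the destination is unreachable.
            return {"action": "drop", "icmp_unreachable": True, "route": str(net)}
        if attribute == "blackhole":
            # Discard silently.
            return {"action": "drop", "icmp_unreachable": False, "route": str(net)}
        return {"action": "forward", "next_hop": next_hop, "route": str(net)}


def example_table(with_default=True):
    """Constructed table: a specific route inside a rejected aggregate, a blackhole,
    and (optionally) a default route."""
    table = RoutingTable()
    table.add("192.168.1.0/24", "10.0.0.2")
    table.add("192.168.0.0/16", attribute="reject")
    table.add("172.16.0.0/12", attribute="blackhole")
    if with_default:
        table.add("0.0.0.0/0", "10.0.0.1")
    return table
```

The /24 nested inside the rejected /16 shows why the lookup must pick the longest match before applying the attribute: hosts in 192.168.1.0/24 are forwarded while the rest of 192.168.0.0/16 is rejected with a notification, and 172.16.0.0/12 is dropped silently. Removing the default route turns an unmatched destination into a drop with an ICMP unreachable, as the paragraph describes.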
4.6 RIP
RIP is a Distance-Vector (D-V) algorithm-based protocol that exchanges routing information in
UDP packets. It uses the hop count, called the routing cost, to measure the distance to the
destination host.
In RIP, the hop count from a router to a directly connected network is 0, and the hop count to a
network reached through another router is 1. To limit convergence time, RIP prescribes
that the cost is an integer in the range 0 to 15. A hop count of 16 or more is defined as infinite,
meaning that the destination network or host is unreachable.
RIP sends route refresh packets every 30 seconds. If a router does not receive route refresh
packets from a neighbor within 180 seconds, it marks all routes learned from that neighbor as
unreachable. If the router still receives no route refresh packets within 300 seconds, it clears
all routes learned from that neighbor from the routing table.
To improve performance and avoid routing loops, RIP supports split horizon.
RIP can also import routes from other routing protocols.
Each router running RIP manages a route database, which contains routing entries to all the
reachable destinations in the network.
l Destination address
The IP address of a host or a network.
l Next hop address
The address of the next router through which the router reaches the destination.
l Interface
The interface through which the IP packet is forwarded.
l Cost
The cost for the router to reach the destination, an integer in the range 0 to 16.
l Timer
The time elapsed since the routing entry was last modified. The timer is reset to 0
whenever the routing entry is modified.
l Route flag
A label that distinguishes routes of internal routing protocols from those of external
routing protocols.
The whole process of RIP startup and operation can be described as follows.
1. When RIP is first enabled on a router, the router broadcasts a request packet to its neighbor
routers. After a neighbor router receives the packet, it responds with a response packet
containing the information in its local routing table.
2. When the router receives the response packet, it modifies its local routing table and
sends a triggered update packet to its neighbor routers, broadcasting the route modification.
On receiving the triggered update packet, each neighbor router forwards it to all its own
neighbors. After a series of triggered update broadcasts, every router obtains and keeps the
updated routing information.
3. At the same time, RIP broadcasts its routing table to the adjacent routers every 30 seconds.
After receiving the packets, the adjacent routers maintain their own routing tables, select an
optimal route, and then advertise the modification to their adjacent networks so that the
updated route becomes known globally. Furthermore, RIP uses a timeout mechanism to handle
timed-out routes, ensuring that routes are up to date and valid.
RIP is adopted by most IP router suppliers. It can be used in most campus networks and in
regional networks that are simple and extensive. For larger and more complex networks, RIP is
not recommended.
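The distance-vector rules from this section (cost = neighbor's cost + 1 capped at 16, split horizon on what is advertised per interface, and the 180-second unreachable and 300-second deletion timers), as an added example that is not part of the original document. Router names, networks, interfaces and the event timeline are constructed; `RipRouter` is an illustration, not the device's RIP implementation.

```python
"""Distance-vector route maintenance as described above: cost = neighbour's
cost + 1 capped at 16 (infinite), split horizon on advertisements, and the
180-second unreachable / 300-second deletion timers. Added example, not code
from the original document; router names, networks and interfaces are
constructed."""
INFINITY = 16
TIMEOUT_S, GARBAGE_S = 180, 300


class RipRouter:
    def __init__(self, name, connected):
        self.name = name
        # destination -> entry; directly connected networks cost 0 with no next hop
        self.table = {net: {"cost": 0, "next_hop": None, "iface": iface, "updated_at": 0}
                      for net, iface in connected.items()}

    def receive(self, neighbor, iface, entries, now):
        """Process a response from `neighbor` heard on `iface` (dest -> advertised cost)."""
        for dest, adv_cost in entries.items():
            cost = min(adv_cost + 1, INFINITY)
            cur = self.table.get(dest)
            if cur is None:
                if cost < INFINITY:
                    self.table[dest] = {"cost": cost, "next_hop": neighbor,
                                        "iface": iface, "updated_at": now}
            elif cur["next_hop"] == neighbor:
                # Same next hop: always accept, so a worsening or withdrawal propagates.
                cur.update(cost=cost, updated_at=now)
            elif cost < cur["cost"]:
                cur.update(cost=cost, next_hop=neighbor, iface=iface, updated_at=now)

    def advertise(self, iface):
        """Routes sent out of `iface`; split horizon omits routes learned on it."""
        return {dest: e["cost"] for dest, e in self.table.items() if e["iface"] != iface}

    def expire(self, now):
        """Apply the neighbour timers to learned routes; return the table."""
        for dest, e in list(self.table.items()):
            if e["next_hop"] is None:
                continue                                  # connected routes never age out
            age = now - e["updated_at"]
            if age >= GARBAGE_S:
                del self.table[dest]                      # 300 s: remove from the table
            elif age >= TIMEOUT_S:
                e["cost"] = INFINITY                      # 180 s: mark unreachable
        return self.table


def scenario():
    """Two routers sharing 10.2.0.0/24; B tells A about 10.3.0.0/24, then goes silent."""
    a = RipRouter("A", {"10.1.0.0/24": "eth0", "10.2.0.0/24": "eth1"})
    b = RipRouter("B", {"10.2.0.0/24": "eth0", "10.3.0.0/24": "eth1"})
    a.receive("B", "eth1", b.advertise("eth0"), now=0)
    learned = dict(a.table["10.3.0.0/24"])
    back_to_b = a.advertise("eth1")            # split horizon: nothing learned via eth1
    to_others = a.advertise("eth0")
    a.receive("B", "eth1", {"10.4.0.0/24": 15}, now=0)   # 15 + 1 = 16: not installed
    unreachable = a.expire(185)["10.3.0.0/24"]["cost"]
    gone = "10.3.0.0/24" not in a.expire(305)
    return learned, back_to_b, to_others, unreachable, gone
```

The scenario makes the three rules visible: A installs 10.3.0.0/24 at cost 1, never advertises it back out of the interface it was learned on, refuses a route advertised at 15 (which would be 16, infinite, after the increment), marks the route unreachable once B has been silent for 180 seconds, and deletes it at 300 seconds.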
4.7 OSPF
generates a Link State Advertisement (LSA). The routers on the network send the LSAs to
each other in protocol packets. Thus, each router receives the LSAs of the other routers, and
all these LSAs compose its LSDB.
l An LSA describes the network topology around a router, while the LSDB describes the topology
of the whole network. Routers can easily transform the LSDB into a weighted directed graph,
which reflects the topology of the whole network. Obviously, all the routers obtain the same
graph.
l Each router uses the SPF algorithm to calculate the shortest path tree with itself as the root.
The tree shows the routes to the nodes in the AS. External routing information appears as leaf
nodes. A router that advertises such routes also tags them and records the additional
information of the AS. Obviously, each router obtains a different routing table.
Router ID
To run OSPF, a router must have a Router ID. If none is configured, the system automatically
selects one from the IP addresses of the current interfaces.
DR and BDR
Basic concepts related to DR and BDR:
Area
As the network keeps growing in scale, if more and more routers in a network run OSPF, the LSDB
becomes very large. As a result, a great amount of memory is occupied and much CPU time is
consumed by the SPF algorithm. In addition, network expansion makes topology changes more
likely, so many OSPF packets are forwarded in the network and the bandwidth utilization of the
network is reduced.
To solve this problem, OSPF divides the AS into several areas. Areas group routers logically.
Each area is identified by an area ID. The most important area is area 0, also named the
backbone area.
The backbone area exchanges routing information between the non-backbone areas. The backbone
area must be contiguous. For physically non-contiguous areas, you need to configure virtual
links to keep the backbone area logically contiguous.
The router that connects the backbone area and a non-backbone area is named the Area Border
Router (ABR).
Route Summary
The AS is divided into different areas, which are interconnected through OSPF ABRs. The routing
information between areas can be reduced through route summary. Thus, the size of the routing
table is reduced and the calculation speed of the router is improved.
After calculating the intra-area routes of an area, the ABR looks up the routing table,
encapsulates each OSPF route into an LSA, and sends it outside the area.
[Figure 4-8: Area 19 with RTA (19.1.2.0/24, 19.1.3.0/24), a virtual link, Area 0, and Area 8]
For example, in Figure 4-8, there are three intra-area routes in area 19, which are 19.1.1.0/24,
19.1.2.0/24 and 19.1.3.0/24. If route summary is configured and the three routes are aggregated
into one route 19.1.0.0/16, only one LSA, which describes the route after summary, is generated
on RTA.
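The Area 19 example above, as an added example that is not part of the original document: the three intra-area routes and the 19.1.0.0/16 summary come from the text, and the functions generalize the check to any set of routes and configured summaries (one LSA per covering summary, uncovered routes advertised individually). The second helper computes the tightest prefix that still covers all the routes, which is useful when deciding how wide a configured summary should be.

```python
"""Route summary at an ABR as in the Area 19 example above: the intra-area
routes and the 19.1.0.0/16 summary come from the text; the functions are a
generic version of the check. Added example, not code from the original
document."""
import ipaddress


def summary_lsas(intra_area_routes, summaries):
    """Prefixes the ABR advertises outside the area.

    A route covered by a configured summary is replaced by the most specific
    covering summary, and each summary yields one LSA no matter how many routes
    it covers; routes covered by no summary are advertised individually."""
    sums = [ipaddress.ip_network(s) for s in summaries]
    advertised = []
    for route in (ipaddress.ip_network(r) for r in intra_area_routes):
        covering = [s for s in sums if route.subnet_of(s)]
        lsa = max(covering, key=lambda s: s.prefixlen) if covering else route
        if lsa not in advertised:
            advertised.append(lsa)
    return [str(p) for p in advertised]


def smallest_covering_prefix(intra_area_routes):
    """Tightest single prefix covering all given routes (useful when choosing a
    summary that does not claim more address space than necessary)."""
    nets = [ipaddress.ip_network(r) for r in intra_area_routes]
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    for plen in range(32, -1, -1):
        candidate = ipaddress.ip_network((first, plen), strict=False)
        if last in candidate:
            return str(candidate)
```

For 19.1.1.0/24, 19.1.2.0/24 and 19.1.3.0/24 the configured /16 collapses three LSAs into one; the tightest prefix that covers the same three routes is 19.1.0.0/22, so a /16 summary also advertises reachability for address space the area does not actually contain, a trade-off to weigh when configuring summaries.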
l Hello packet
The most common packet, sent regularly to the neighbors of the local router. It
contains the values of some timers, the DR, the BDR, and the known neighbors.
l Database Description (DD) packet
When two routers synchronize their databases, they use DD packets to describe their
own LSDBs, including the summary of each LSA. The summary is the header of the LSA,
which uniquely identifies it. This reduces the traffic between the routers, since the
header of an LSA is only a small portion of the whole LSA. From the header, the peer
router can judge whether it already has the LSA.
l Link State Request (LSR) packet
After exchanging DD packets, the two routers know which LSAs of the peer are missing
from their local LSDBs. They then send LSR packets to request the needed LSAs from the
peer. The packets contain the summaries of the needed LSAs.
l Link State Update (LSU) packet
Used to send the requested LSAs to the peer router. It contains a collection of complete
LSAs.
l Link State Acknowledgment (LSAck) packet
Used to acknowledge received LSU packets. It contains the header(s) of the LSA(s) being
acknowledged (one packet can acknowledge multiple LSAs).
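The DD, LSR, LSU and LSAck exchange described above, as an added example that is not part of the original document. LSAs are modelled by their header (type, link-state ID, advertising router, sequence number) plus an opaque body, so the DD step carries headers only, the LSR step asks for what is missing or older, the LSU step carries full LSAs and the LSAck step returns headers; the two sample LSDBs are constructed.

```python
"""Database synchronization with the packet types described above. Added
example, not code from the original document. LSAs are modelled by their
header (type, link-state ID, advertising router, sequence number) plus an
opaque body; the sample LSDB contents are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LsaHeader:
    ls_type: int
    ls_id: str
    adv_router: str
    seq: int


@dataclass
class Lsa:
    header: LsaHeader
    body: str


def key(h):
    return (h.ls_type, h.ls_id, h.adv_router)


class OspfRouter:
    def __init__(self, rid, lsas):
        self.rid = rid
        self.lsdb = {key(l.header): l for l in lsas}

    def dd(self):
        """Database Description: headers only, never full LSAs."""
        return [l.header for l in self.lsdb.values()]

    def lsr(self, peer_headers):
        """Headers of the LSAs we lack, or hold only in an older instance."""
        wanted = []
        for h in peer_headers:
            mine = self.lsdb.get(key(h))
            if mine is None or mine.header.seq < h.seq:
                wanted.append(h)
        return wanted

    def lsu(self, requested):
        """Full LSAs answering an LSR."""
        return [self.lsdb[key(h)] for h in requested]

    def install(self, lsas):
        """Install newer LSAs and return the headers to acknowledge (LSAck)."""
        acked = []
        for l in lsas:
            k = key(l.header)
            if k not in self.lsdb or self.lsdb[k].header.seq < l.header.seq:
                self.lsdb[k] = l
            acked.append(l.header)
        return acked


def synchronize(a, b):
    """DD -> LSR -> LSU -> LSAck in both directions; return the ack counts."""
    req_a, req_b = a.lsr(b.dd()), b.lsr(a.dd())
    acks_a = a.install(b.lsu(req_a))
    acks_b = b.install(a.lsu(req_b))
    return len(acks_a), len(acks_b)


def sample_routers():
    """Constructed LSDBs: A holds an outdated copy of 2.2.2.2's router-LSA and
    lacks the network-LSA; B lacks 1.1.1.1's router-LSA."""
    a = OspfRouter("1.1.1.1", [
        Lsa(LsaHeader(1, "1.1.1.1", "1.1.1.1", 0x80000002), "links of 1.1.1.1"),
        Lsa(LsaHeader(1, "2.2.2.2", "2.2.2.2", 0x80000001), "old links of 2.2.2.2")])
    b = OspfRouter("2.2.2.2", [
        Lsa(LsaHeader(1, "2.2.2.2", "2.2.2.2", 0x80000003), "links of 2.2.2.2"),
        Lsa(LsaHeader(2, "10.0.0.2", "2.2.2.2", 0x80000001), "attached routers")])
    return a, b
```

After one run the two databases are identical, the newer sequence number for 2.2.2.2's LSA has won on both sides, and a second run requests nothing, which is the property the header-only DD exchange is designed to give cheaply.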
Type-7 LSA
Type-7 LSAs were added in RFC 1587 (OSPF NSSA Option).
As described in RFC 1587, Type-7 LSAs and Type-5 LSAs differ mainly in that:
l Type-7 LSAs are generated and flooded within a Not-So-Stubby Area (NSSA), while
Type-5 LSAs are not.
l Type-7 LSAs can only be flooded within an NSSA. When Type-7 LSAs reach the ABR of the
NSSA, they are translated into Type-5 LSAs and flooded into other areas. They cannot
be flooded directly into other areas or the backbone area.
4.9 QoS
4.9.1 QoS Overview
4.9.2 Traditional Packets Transmission Application
4.9.3 New Application Requirements
4.9.4 Congestion Causes, Impact and Countermeasures
4.9.5 Traffic Control Techniques
device in this mode tries its best to transmit packets to the destination. The BE mode, however,
does not guarantee any improvement in delay, jitter, packet loss ratio, or reliability.
The traditional BE mode applies only to services that have no specific requirements for bandwidth
and jitter, such as World Wide Web (WWW), file transfer, and e-mail.
Congestion Causes
Congestion often occurs in the complex packet switching environment of the Internet. It is caused
by the bandwidth bottleneck of two types of links, as shown in Figure 4-9.
[Figure 4-9: (a) traffic congestion on interfaces operating at different speeds; (b) traffic congestion on interfaces operating at the same speed (100M links)]
l Packets enter the router at a high speed v1 and are forwarded at a lower speed v2.
Congestion occurs in the router because v1 is greater than v2.
l Packets from multiple links enter the router at speeds v1, v2, and v3, and are
forwarded on a single link at speed v4. Congestion occurs in the router because
the sum of v1, v2, and v3 is greater than v4.
Congestion can also be a resource bottleneck that occurs when packets enter the router at line
speed: a shortage of resources such as available CPU time, buffers, or memory used for sending
packets. The network resources required to handle the traffic exceed what can be assigned. This
happens when the system fails to process the traffic flow within a short time.
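The two congestion causes above reduce to the same arithmetic: packets arrive faster than the outgoing link drains them, so the queue grows until the buffer is full and packets are dropped. The discrete queue model below is an added example that is not part of the original document; the rates (in packets per tick) and the buffer size are constructed.

```python
"""Simple FIFO queue model of the two congestion causes described above: one
input link faster than the output link, and several input links converging
on one output link. Added example, not code from the original document;
rates are packets per tick and the buffer size is constructed."""


def is_congested(input_rates, output_rate):
    """The condition from the text: v1 > v2, or v1 + v2 + v3 > v4."""
    return sum(input_rates) > output_rate


def simulate(input_rates, output_rate, buffer_size, ticks):
    """Feed sum(input_rates) packets per tick into a FIFO drained at
    output_rate per tick; return (queued at the end, total dropped, peak queue)."""
    queue = dropped = peak = 0
    arrivals = sum(input_rates)
    for _ in range(ticks):
        space = buffer_size - queue
        accepted = min(arrivals, space)        # what the buffer can still hold
        dropped += arrivals - accepted         # tail drop once the buffer is full
        queue += accepted
        peak = max(peak, queue)
        queue -= min(queue, output_rate)       # the output link drains at its own rate
    return queue, dropped, peak


def cases():
    """Constructed scenarios: fast-in/slow-out, three-into-one over capacity,
    and three-into-one within capacity."""
    return {
        "v1 > v2": simulate([100], 10, buffer_size=500, ticks=10),
        "v1+v2+v3 > v4": simulate([40, 40, 40], 100, buffer_size=500, ticks=10),
        "v1+v2+v3 <= v4": simulate([30, 30, 30], 100, buffer_size=500, ticks=10),
    }
```

In the first case the backlog grows by 90 packets per tick, fills the 500-packet buffer on the sixth tick, and from then on most arrivals are dropped; in the second the three 40-per-tick inputs exceed the 100-per-tick output only slightly, so the queue grows but has not overflowed by the end; in the third the output keeps up and the queue empties every tick. The queueing delay and the drops are exactly the effects on QoS the section goes on to discuss.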
Congestion Effect
Congestion can lead to the following negative effect:
Congestion is the main cause of decline in the QoS. It is very common in complex networks and
must be solved to increase the efficiency of the network.
Countermeasures
The following are the two commonly used methods to address network congestion:
l Increasing the network bandwidth is a direct way to solve the shortage of resources. This
method, however, cannot solve all congestion problems.
l Improving traffic control and resource allocation at the network layer is a more effective
method. This requires providing differentiated services (Diff-Serv) for applications that
have different QoS demands. During resource allocation and traffic control, the direct or
indirect factors that cause network congestion can be controlled to a greater extent. In case
of congestion, resources should be allocated according to the demands of the applications,
so that the influence of congestion on QoS is reduced to a minimum.
5 VPN
The Eudemon supports IPSec VPN and SSL VPN applications, which provide highly reliable
and secure transmission tunnels for users. It also supports many types of VPN applications
constructed using the Layer 2 Tunneling Protocol (L2TP) and Generic Routing Encapsulation
(GRE).
5.1 Introduction
As enterprises and companies grow in scale, staff travel on business more frequently. With
overseas offices and clients increasingly scattered and the number of partners growing, more
and more enterprises need to use public Internet resources for promotion, sales, after-sales
service, training, cooperation, and consultation. This urgent demand gives VPN applications
a good market.
5.2 L2TP
The Layer 2 Tunneling Protocol (L2TP) is a VPDN tunneling protocol. To understand L2TP
better, you need some knowledge of VPDN.
5.3 IPSec
Through AH and ESP, IPSec guarantees the confidentiality, integrity, authenticity, and
anti-replay protection of data packets transmitted on networks. IPSec can perform automatic key
exchange and SA setup and maintenance through Internet Key Exchange (IKE), which simplifies
the use and management of IPSec.
5.4 GRE
The Generic Routing Encapsulation (GRE) protocol is used to encapsulate packets of a network
layer protocol such as Internet Packet Exchange (IPX). The encapsulated packet can then be
transmitted in another network layer protocol such as IP. GRE is a Layer 3 tunneling protocol
used for VPNs.
5.5 SSL VPN
The SSL VPN is a VPN with enhanced SSL/TLS functions. In addition to providing web access
and TCP and UDP applications, the SSL VPN protects IP communications. Additionally,
SSL VPN communications are based on standard TCP or UDP and are not restricted by NAT;
therefore, users anywhere can access intranet resources through the virtual gateway proxy. The
SSL VPN provides a simpler and more flexible solution for secure remote access, greatly
reducing the cost of VPN maintenance.
5.6 BGP/MPLS IP VPN
BGP/MPLS IP VPN is a PE-based Layer 3 Virtual Private Network (L3VPN) technology in the
Provider Provisioned VPN (PPVPN) family. It uses the Border Gateway Protocol (BGP) to
advertise VPN routes and uses Multiprotocol Label Switching (MPLS) to forward VPN packets on
the provider backbone network.
5.1 Introduction
5.1.1 VPN Overview
As a new technology, Virtual Private Network (VPN) has developed rapidly as the Internet has
become widely used in recent years. It is used to build private networks on a public network.
The word virtual indicates that a VPN is a logical network.
5.1.2 Basic VPN Technology
The basic principle of VPN is to use tunneling protocols to encapsulate packets into tunnels and
construct private data transmission tunnels on backbone networks to realize transparent
transmission of data packets.
5.1.3 VPN Classification
IP VPN uses IP facilities, including the public Internet or dedicated IP backbone networks, to
emulate WAN private line services such as remote dial-up and Digital Data Network (DDN).
According to different criteria, IP VPNs can be classified into different types.
VPN Features
VPN has the following features:
l Unlike a traditional network, a VPN does not physically exist. It is a logical network, a
virtual network configured on the basis of existing public network resources.
l A VPN is used exclusively by an enterprise or a user group.
For VPN users, a VPN is used in the same way as a traditional dedicated network. As a kind
of private network, the resources of a VPN are independent of the bearer network resources.
Typically, the resources of one VPN are not used by other VPNs on the bearer network or by
unauthorized VPN users. A VPN offers a reliable protection mechanism to defend its internal
information against external intrusion and interruption.
l A VPN is a sophisticated upper-layer service.
VPN services help set up interconnection for the users of a private network. VPN services
realize VPN internal network topology setup, routing calculation, and user login and logout.
VPN technology is much more complicated than common point-to-point application
mechanisms.
VPN Advantages
VPN presents the following advantages:
l Setting up reliable connections between remote users, overseas offices, partners,
suppliers, and company headquarters to ensure secure data transmission.
This advantage is significant because it realizes the convergence of e-business or financial
networks with communication networks.
l Using public networks for information communication. With VPNs, enterprises can
connect remote offices, telecommuters, and business partners at a dramatically lower cost.
In addition, VPNs significantly increase the utilization of network resources, helping
Internet Service Providers (ISPs) increase revenue.
l Allowing you to add or delete VPN users through software without changing hardware
facilities.
This mechanism offers great flexibility in VPN applications.
l Allowing telecommuting VPN users to access headquarters resources at any time and in any
place.
This satisfies the increasing demand for mobile services.
l Offering high-quality VPNs such as MPLS VPN and diversified VPN services to meet VPN
users' different demands for quality of service. A service-specific rating mechanism brings
ISPs more revenue.
[Figure 5-1: a cooperator and the company headquarters connected through ISP PoPs]
As shown in Figure 5-1, eligible users can connect to the Point of Presence (PoP) server of the
local ISP through a Public Switched Telephone Network (PSTN), Integrated Services Digital
Network (ISDN), or LAN to access the internal resources of an enterprise. Traditional
WAN networking technology requires dedicated physical links to realize connections. With
established virtual networks, remote users and telecommuters can access internal resources of
an enterprise without needing authorization from the local ISP. This is helpful for telecommuting
staff and scattered users.
To use VPN services, an enterprise needs to deploy only a server, such as a Windows
NT server or a firewall that supports VPN, to share resources. After connecting to the local PoP
server through the PSTN, ISDN, or LAN, eligible users can directly call the remote server (VPN
server) of the enterprise. The access server of the ISP and the VPN server work together to realize
the call.
VPN Fundamentals
[Figure 5-2: a VPN user dials up to the NAS, which carries the traffic through a tunnel to the VPN server]
As shown in Figure 5-2, VPN users dial up to the Network Access Server (NAS) of the ISP
through the PSTN or ISDN.
The NAS identifies users by checking user names or access numbers. If the NAS determines
that a user is a VPN user, it sets up a connection (a tunnel) with the user's destination VPN
server. The NAS then encapsulates the user's data in an IP packet and transmits it to the VPN
server through the tunnel. After the VPN server receives the packet, it decapsulates it to read
the real packet.
Packets can be encrypted on both sides of the tunnel. Other users on the Internet cannot read the
encrypted packets, which ensures the security of the packets. For users, a tunnel is a logical
extension of the PSTN or ISDN link, and operations on the logical tunnel are similar to those on
a physical link.
Based on the realization of tunnels on Open Systems Interconnection (OSI) reference model,
tunnel protocols can be categorized into three groups:
location at which the dial-up protocol connection is terminated and access to the network
provided.
– Layer 2 Tunneling Protocol (L2TP)
L2TP was drafted by the IETF with the support of Microsoft. Combining the advantages
of the preceding two protocols, L2TP has become a standard RFC. L2TP can be used to
realize both dial-up VPN services (such as VPDN access) and private line VPN services.
l Layer 3 (L3) tunneling protocols
For an L3 tunneling protocol, both the starting point and the ending point are within the ISP.
The PPP session is terminated on the NAS. Tunnels carry only L3 packets.
The existing L3 tunneling protocols are as follows:
– Generic Routing Encapsulation (GRE)
It is used to realize the encapsulation of the network layer protocol such as IP or Internet
Packet Exchange (IPX) over another arbitrary network layer protocol.
– IP Security (IPSec)
IPSec is not a single protocol. Instead, it offers a set of system architecture for data
security on IP networks, including Authentication Header (AH), Encapsulating Security
Payload (ESP), and Internet Key Exchange (IKE).
– BGP/MPLS
BGP/MPLS IP VPN uses the Border Gateway Protocol (BGP) to advertise VPN routes
and uses Multiprotocol Label Switching (MPLS) to forward VPN packets on the provider
backbone network.
GRE and IPSec are mainly applied to private line VPN services.
l Application layer tunneling protocol: Secure Sockets Layer (SSL)
SSL is a security protocol that provides secure connections for TCP-based application
layer protocols. For example, SSL can provide secure connections for HTTP. SSL is widely
applied in fields such as e-commerce and online banking, where it provides security
guarantees for data transmission on the network.
l Comparison among L2 tunneling protocols, L3 tunneling protocols and application layer
protocol (SSL VPN)
L3 tunneling protocols are superior to L2 tunneling protocols in the following aspects:
– Security and Reliability
An L2 tunnel usually ends at a user-side device, so it places higher requirements on the
security of the user network and on firewall technology. An L3 tunnel usually ends at an
ISP gateway, so it places lower requirements on the security technology of the user
network.
– Scalability
Since an L2 tunnel tunnels a whole PPP frame, transmission efficiency may be
decreased. In addition, a PPP session runs through a whole tunnel and terminates at a
user-side device. That requires that the user-side gateway should keep a large amount
of PPP session status and information. That may overload the system and impact its
scalability. Moreover, since the Link Control Protocol (LCP) and Network Control
Protocol (NCP) negotiations are quite sensitive to time, degraded tunnel efficiency may
result in a series of problems such as PPP session timeout. On the contrary, an L3 tunnel
terminates on an ISP gateway, and a PPP session ends on the NAS. Thus, the user
gateway does not need to manage and maintain the status of each PPP session. Thereby,
system load is reduced.
The SSL VPN needs no clients. Users can conveniently establish standard secure channels
to access remote applications through Web browsers supporting HTTPS (SSL-based
HTTP). In this case, the workload of the VPN system administrator is greatly reduced. The
feature that requires no clients, however, reduces the security of the SSL VPN. The SSL
VPN applies to the following scenarios:
– Enterprises need to access the Internet remotely through the Web.
– The firewall is deployed between the client and the target server. HTTPS packets are
permitted, but IKE or IPSec packets are denied.
– Refined access control is required.
Typically, L2 tunneling protocols, L3 tunneling protocols and application layer protocols
are used separately. If they are appropriately used together, for example, using L2TP and
IPSec together, they may provide users with high security and better performance.
l Intranet VPN
An intranet VPN interconnects distributed internal points of an enterprise through public
networks. It is an extension or substitute of traditional private line networks and other
enterprise networks.
l Access VPN
An access VPN provides private connections to intranets and extranets for
telecommuting staff, mobile offices, and remote offices through public networks. There
are two types of access VPN architectures:
– Client-initiated VPN connection
5.2 L2TP
The Layer 2 Tunneling Protocol (L2TP) is a kind of VPDN tunneling protocol. To know L2TP
better, you need certain knowledge of VPDN.
5.2.1 VPDN Overview
A Virtual Private Dial Network (VPDN) realizes a VPN by using the dial-up function of public
networks such as the ISDN and PSTN as well as access networks. VPDNs provide access
services for enterprise customers, small-sized ISPs, and mobile offices.
5.2.2 L2TP Overview
L2TP supports the tunneling of PPP link layer packets. L2TP extends the PPP model by allowing
the L2 and PPP endpoints to reside on different devices interconnected by a packet-switched
network. By integrating the advantages of PPTP and L2F, L2TP has developed into the industry
standard of layer two tunneling protocols.
obtain a network connection to their headquarters through a virtual encryption tunnel over public
networks. Other users on the public networks cannot pass through the virtual tunnel to access
internal resources on the enterprise network.
l The NAS sets up a tunnel to the VPDN gateway based on tunneling protocols.
This realization mechanism directly connects the PPP connection of users to the gateway
of the enterprise network. So far, available tunneling protocols are L2F and L2TP.
The advantages of this realization mechanism are as follows:
– The realization process is transparent to users.
– Users can access the enterprise network after a one-time login.
– Since the enterprise network authenticates users and assigns IP addresses, no extra
public addresses are required.
– Users can implement network access through different platforms.
This realization mechanism requires the NAS to support the VPDN protocol, and the
authentication system to support VPDN attributes. Typically, a firewall or dedicated VPN
server is used as a gateway.
l A client host sets up a tunnel with the VPDN gateway.
The client host connects to the Internet first, and then it uses dedicated client software
such as the L2TP client on Windows 2000 to set up a tunnel with the gateway.
The advantage and disadvantage of this realization mechanism are as follows:
– Since this realization mechanism has no requirements for ISPs, users can access
resources at any place and in any way.
– Since this mechanism requires users to install and use dedicated software, usually on
Windows 2000, users are limited to the specified platform.
Background
PPP defines an encapsulation mechanism for transporting multiprotocol packets across L2 point-
to-point links. Typically, a user obtains an L2 connection to a NAS using one of a number
L2TP supports the tunneling of PPP link layer packets. L2TP extends the PPP model by allowing
the L2 and PPP endpoints to reside on different devices interconnected by a packet-switched
network.
By integrating the advantages of PPTP and L2F, L2TP has developed into the industry standard
of layer two tunneling protocols.
Figure 5-3 L2TP tunnel (figure labels: remote user, NAS/LAC, L2TP tunnel, LNS, internal server, remote branch)
As shown in Figure 5-3, the L2TP Access Concentrator (LAC) is attached to the switch network.
The LAC is a PPP endpoint system and can process L2TP. Usually, an LAC is a NAS, which
provides access services for users across the PSTN or ISDN. The L2TP Network Server (LNS)
is also a PPP endpoint system and acts as the server side of L2TP.
An LAC sits between an LNS and a remote system and forwards packets to and from each.
Packets sent from the remote system to the LNS require tunneling with the L2TP protocol.
Packets sent from the LNS are decapsulated and then forwarded to the remote system. The
connection from the LAC to the remote system is either local or a PPP link. For VPDN
applications, the connections are usually PPP links.
An LNS acts as one side of an L2TP tunnel and is a peer to an LAC. The LNS is the logical
termination point of a PPP session that is being tunneled from the remote system by the LAC.
Technology Details
The following describes the technology details of L2TP:
l L2TP protocol structure
Figure 5-4 L2TP protocol structure (figure labels: PPP frame; L2TP data message over the L2TP data tunnel (unreliable); L2TP control message over the L2TP control tunnel (reliable); packet transmission network (UDP, ...))
Figure 5-4 depicts the relationship of PPP frames and Control Messages over the L2TP
Control and Data Channels. PPP Frames are passed over an unreliable Data Channel
encapsulated first by an L2TP header and then a Packet Transport such as UDP, Frame
Relay, and ATM. Control messages are sent over a reliable L2TP Control Channel which
transmits packets in-band over the same Packet Transport.
L2TP uses the registered UDP port 1701. The entire L2TP packet, including payload and
L2TP header, is sent within a UDP datagram. The initiator of an L2TP tunnel picks an
available source UDP port (which may or may not be 1701), and sends to the desired
destination address at port 1701. The recipient picks a free port on its own system (which
may or may not be 1701), and sends its reply to the initiator's UDP port and address, setting
its own source port to the free port it found. Once the source and destination ports and
addresses are established, they must remain static for the life of the tunnel.
l Tunnel and session
There are two types of connections between an LNS-LAC pair:
– Tunnel: defines an LNS-LAC pair.
– Session: is multiplexed over a tunnel to denote each session process over the tunnel.
Multiple L2TP tunnels may exist between the same LAC and LNS. A tunnel consists of
one control connection and one or several sessions. A session is set up after a tunnel is
successfully created, namely, information such as ID, L2TP version, frame type, and
hardware transmission type are exchanged. Each session corresponds to a PPP data
stream between an LAC and an LNS.
Both control message and PPP packets are transmitted through tunnels.
L2TP uses Hello messages to check the connectivity of a tunnel. The LAC and the LNS
periodically send Hello messages to each other. If no Hello message is received within a
period of time, the session between them is cleared.
l Control message and data message
L2TP utilizes two types of messages:
– Control messages
Control messages are used in the establishment, maintenance, and transmission control
of tunnels and sessions.
Control messages utilize a reliable Control Channel within L2TP to guarantee delivery.
Control messages support traffic control and congestion control.
– Data messages
Data messages are used to encapsulate PPP frames being carried over the tunnel.
Data messages are not retransmitted when packet loss occurs. Data messages do not
support traffic control and congestion control.
L2TP packets for the control channel and data channel share a common header format.
An L2TP message header includes a tunnel ID and a session ID, which are used to identify
tunnels and sessions. Packets with the same Tunnel ID but different session IDs are
multiplexed over the same tunnel. Tunnel IDs and session IDs in a packet header are
assigned by the peer ends.
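The common header just described can be decoded with the following Python parser, added here as an example and not taken from the Huawei document. It reads an L2TP version 2 message from the payload of a UDP port 1701 datagram, separates control messages from data messages, enforces the header rules for control messages, and extracts the tunnel ID and session ID used for demultiplexing; the field layout follows RFC 2661, and the Hello message, data message and malformed message at the end are constructed samples.

```python
import struct

L2TP_UDP_PORT = 1701
# Bits of the first 16-bit word of an L2TPv2 header (RFC 2661, section 3.1):
# T (control message), L (Length present), S (Ns/Nr present), O (Offset present), P (priority).
T_BIT, L_BIT, S_BIT, O_BIT, P_BIT = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100
VERSION_MASK = 0x000F
# Message Type AVP values of control messages (RFC 2661, section 4.4.1).
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP",
                 12: "ICCN", 14: "CDN", 15: "WEN", 16: "SLI"}


def parse_avps(body: bytes) -> list:
    """Split a control message body into (mandatory, hidden, vendor, attr, value) tuples."""
    avps, pos = [], 0
    while pos < len(body):
        if pos + 6 > len(body):
            raise ValueError("truncated AVP header")
        flags_len, vendor, attr = struct.unpack("!HHH", body[pos:pos + 6])
        length = flags_len & 0x03FF          # low 10 bits: total AVP length
        if length < 6 or pos + length > len(body):
            raise ValueError("bad AVP length")
        avps.append((bool(flags_len & 0x8000), bool(flags_len & 0x4000),
                     vendor, attr, body[pos + 6:pos + length]))
        pos += length
    return avps


def parse_l2tp(datagram: bytes) -> dict:
    """Decode one L2TP message from a UDP payload; raises ValueError when malformed."""
    if len(datagram) < 6:
        raise ValueError("truncated L2TP header")
    flags = struct.unpack("!H", datagram[:2])[0]
    if (flags & VERSION_MASK) != 2:
        raise ValueError("unsupported L2TP version %d" % (flags & VERSION_MASK))
    is_control = bool(flags & T_BIT)
    # RFC 2661: control messages MUST carry Length and Ns/Nr and MUST NOT carry Offset.
    if is_control and (not (flags & L_BIT) or not (flags & S_BIT) or (flags & O_BIT)):
        raise ValueError("malformed control message header")
    pos, length = 2, len(datagram)
    if flags & L_BIT:
        length = struct.unpack("!H", datagram[pos:pos + 2])[0]
        pos += 2
        if length < pos + 4 or length > len(datagram):
            raise ValueError("bad Length field")
    tunnel_id, session_id = struct.unpack("!HH", datagram[pos:pos + 4])
    pos += 4
    ns = nr = None
    if flags & S_BIT:
        if pos + 4 > length:
            raise ValueError("truncated Ns/Nr")
        ns, nr = struct.unpack("!HH", datagram[pos:pos + 4])
        pos += 4
    if flags & O_BIT:                        # data messages may pad before the payload
        if pos + 2 > length:
            raise ValueError("truncated Offset Size")
        pos += 2 + struct.unpack("!H", datagram[pos:pos + 2])[0]
        if pos > length:
            raise ValueError("Offset exceeds message")
    body = datagram[pos:length]
    msg = {"control": is_control, "tunnel_id": tunnel_id, "session_id": session_id,
           "ns": ns, "nr": nr, "priority": bool(flags & P_BIT)}
    if is_control:
        avps = parse_avps(body)
        msg["avps"] = avps
        # An empty control message is a ZLB acknowledgement; otherwise the first AVP
        # must be the Message Type AVP (vendor 0, attribute 0, 2-byte value).
        if not avps:
            msg["message_type"] = "ZLB"
        elif avps[0][2] == 0 and avps[0][3] == 0 and len(avps[0][4]) == 2:
            code = struct.unpack("!H", avps[0][4])[0]
            msg["message_type"] = MESSAGE_TYPES.get(code, "unknown")
        else:
            raise ValueError("control message does not start with Message Type AVP")
    else:
        msg["ppp_frame"] = body              # data messages carry the tunnelled PPP frame
    return msg


def is_well_formed(datagram: bytes) -> bool:
    """Accept/reject wrapper for a filter that only needs a verdict."""
    try:
        parse_l2tp(datagram)
        return True
    except ValueError:
        return False


# Constructed samples (not captured traffic):
# 1. A Hello control message on tunnel 7 (Ns=5, Nr=3) carrying only the Message Type AVP.
SAMPLE_HELLO = (struct.pack("!HHHHHH", T_BIT | L_BIT | S_BIT | 2, 20, 7, 0, 5, 3)
                + struct.pack("!HHHH", 0x8008, 0, 0, 6))
# 2. A data message on tunnel 7, session 1 carrying a PPP frame (address/control
#    0xFF 0x03, protocol 0x0021 = IP) with a dummy 4-byte payload.
SAMPLE_DATA = struct.pack("!HHH", 2, 7, 1) + b"\xff\x03\x00\x21" + b"\x45\x00\x00\x14"
# 3. A control message that omits the mandatory Length and Ns/Nr fields.
SAMPLE_BAD_CONTROL = struct.pack("!HHH", T_BIT | 2, 7, 0)
```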
Figure: L2TP application scenarios (figure labels: remote client, PC, LAC, LNS, IP network, Eudemon)
13. The LNS re-sends this access request to RADIUS for authentication.
14. The RADIUS server re-authenticates this access request and sends back a response if
authentication is successful.
15. After all authentications are passed, the VPN user can access the internal resources of the
enterprise.
L2TP supports the backup LNS. When the active LNS is inaccessible, the LAC can
reconnect with the backup LNS, which improves the reliability and fault tolerance of VPN
service.
5.3 IPSec
Through AH and ESP, IPSec guarantees the confidentiality, integrity, authenticity, and anti-
replay of data packets during transmission on networks. IPSec can realize auto-negotiation key
exchange and SA setup as well as maintenance services through Internet Key Exchange (IKE).
That simplifies the use and management of IPSec.
5.3.1 IPSec Overview
The IP Security (IPSec) protocol family is a series of protocols defined by the IETF. It provides
IP data packets with cryptography-based security, featuring high quality and interoperability.
5.3.2 IKE Overview
IKE is designed based on the framework provided by the Internet Security Association and Key
Management Protocol (ISAKMP). IKE can automatically negotiate key exchange and create
security associations (SAs) for IPSec. That helps simplify the use and management of IPSec.
5.3.3 IPSec Basic Concepts
The basic IPSec concepts include security association (SA), SA negotiation mode/operation
mode, authentication algorithm and encryption algorithm.
5.3.4 NAT Traversal of IPSec
The NAT traversal of IPSec is to add a standard UDP header between IP and ESP headers of
the original packet (without regard for AH mode).
5.3.5 CA Authentication
The Eudemon supports Public Key Infrastructure (PKI) framework-based Certificate
Authentication (CA) mechanism. The CA mechanism provides a centralized key management
mechanism for IPSec networks and enhances the expansibility of the entire IPSec network.
5.3.6 Realizing IPSec on the Eudemon
Through IPSec, the Eudemon and its peer can implement different means of protection for
different data traffic (authentication, encryption, or both).
The two sides of communication perform encryption and data source authentication on the IP
layer to ensure the confidentiality, integrity, authenticity, and anti-replay of packets transmitted
on networks. The details are as follows:
l Confidentiality
User data is encrypted and transmitted as cipher text.
l Integrity
Received data is authenticated to check whether it has been tampered with.
l Authenticity
The data source is authenticated to ensure that data comes from the real sender.
l Anti-replay
It prevents malicious users from repeatedly sending captured packets. In other words, the
receiver can deny old or repeated data packets.
IPSec realizes the preceding aims with two security protocols: Authentication Header (AH) and
Encapsulating Security Payload (ESP). IPSec can realize auto-negotiation key exchange and SA
setup as well as maintenance services through Internet Key Exchange (IKE). That simplifies the
use and management of IPSec. The details are as follows:
l AH
AH mainly provides data source authentication, data integrity check, and anti-replay.
However, it cannot encrypt the packet.
l ESP
ESP provides all functions of AH. In addition, it can encrypt the packets. However, its data
integrity authentication does not cover IP headers.
l IKE
IKE is used to automatically negotiate cipher algorithms for AH and ESP and to supply the
keys the algorithms require to where they are needed.
NOTE
l AH and ESP can be used either separately or jointly. Both AH and ESP support the tunnel mode.
l IPSec policy and algorithm can also be negotiated manually, so IKE negotiation is not necessary. The
comparison of these two negotiation modes is introduced in the following sections.
IPSec SAs can be created manually. However, when the number of nodes on the network increases,
it is hard to guarantee the security of the network. In this case, IKE can be used to automatically
create SAs and implement key exchange.
With a self-protection mechanism, IKE can distribute keys, authenticate IDs, and establish SAs
on insecure networks.
other keys. PFS functions based on the DH algorithm. PFS is realized when a key exchange is
added during IKE phase 2.
l ID authentication
ID authentication helps identify the two parties of communication. The negotiation modes
are as follows:
– pre-share: you need to configure each peer with the pre-shared key. The peers of a
security connection must have identical pre-shared keys.
– rsa-encr: you need to configure RSA public keys for each peer end.
– rsa-sig: you need to configure local certificates.
l Identity protection
After a shared key is generated, identity data is transmitted in encrypted mode.
Figure: relationship between IKE and IPSec (figure labels: TCP/UDP, IPSec, IP, SA, encrypted IP packets)
1. On an interface that runs IPSec, an outbound packet should be compared with IPSec
policies.
2. If the packet matches an IPSec policy, search for the relevant SA. If the SA has not been
created, IKE will be triggered to negotiate an SA in stage 1, that is, IKE SA.
3. Under the protection of IKE SA, IKE continues to negotiate the SA in stage 2, that is, IPSec
SA.
4. The IPSec SA is used to protect the communication data.
l Main mode
In main mode, key exchange information is separated from identity and authentication
information. This separation realizes identity protection. The exchanged identity
information is protected by the Diffie-Hellman (DH) shared key generated. However, it
takes three extra messages to complete the process.
l Aggressive mode
In aggressive mode, payloads relevant with SA, key exchange, and authentication can be
transmitted simultaneously. Transmitting these payloads in one message helps reduce
round trips. However, this mode cannot provide identity protection.
Although aggressive mode has some functional limitations, it can meet the requirements
of some specific network environment.
For example, during a remote access, the responder (server end) has no way to learn the
address of the initiator (terminal user) in advance, or the address of the initiator is
always changing, but both parties wish to create IKE SAs through pre-shared key
authentication. In this case, aggressive mode without identity protection is the only
available exchange method. In addition, if the initiator has learnt the responder's
policy or has a comprehensive understanding of it, aggressive mode can be adopted to
rapidly create IKE SAs.
Security Association
IPSec provides secure communication between two endpoints. These two endpoints are called
IPSec peers.
For example, the IPSec policies of a group define that data streams from a subnet should be
protected with AH and ESP and be encrypted with Triple Data Encryption Standard (3DES) at
the same time. Moreover, the policies define that data streams from another site should be
protected with ESP only and be encrypted with DES only. IPSec can provide protection in
various levels for different data streams based on SA.
An SA is the basis and essence of IPSec. An SA specifies the shared policies and keys used by
two negotiating peers to protect their communication:
l Applied protocols (AH, ESP, or both)
l Operation mode of protocols (transport mode or tunnel mode)
l Encryption algorithm (DES and 3DES)
l Shared keys used to protect data in certain streams
l Life duration of the shared keys
An SA is unidirectional. For bidirectional communication between peers, at least two SAs are
needed to protect data streams in the two directions. Moreover, if both AH and ESP are applied
to protect data streams between peers, two SAs are needed, one for AH and one for ESP.
An SA has a life duration, which can be calculated in one of the two methods:
SA Negotiation Modes
There are two negotiation modes to create SAs:
AH-ESP, transport mode: IP header | AH header | ESP header | TCP | Data | ESP Tail | ESP Auth data
AH-ESP, tunnel mode: New IP header | AH header | ESP header | Raw IP header | TCP | Data | ESP Tail | ESP Auth data
The tunnel mode is superior to the transport mode in security. The tunnel mode can
authenticate and encrypt original IP data packets completely. Moreover, it can hide the client IP
address behind the IPSec peer IP address.
With respect to performance, the tunnel mode occupies more bandwidth than the transport mode
because it has an extra IP header.
Therefore, when choosing the operation mode, you need to weigh security against performance.
The Eudemon supports the tunnel mode only.
l Authentication algorithm
Both AH and ESP can check the integrity of an IP packet so as to determine whether the
packet has been tampered with. The authentication algorithm is realized through a hash
function, an algorithm that accepts a message of arbitrary length and generates a message
of fixed length. The generated message is called the message digest. IPSec peers each
calculate the digest of the packet with the hash function. If they get identical digests, the
packet is considered intact.
Usually, there are two types of IPSec authentication algorithms:
– MD5
It takes a message of arbitrary length as input and generates a 128-bit message digest.
– SHA-1
It takes a message of less than 2^64 bits as input and generates a 160-bit message digest.
The SHA-1 digest is longer than that of MD5, so SHA-1 is safer than MD5.
l Encryption algorithm
ESP can encrypt IP packets so that the contents of the packets are not snooped during the
transmission. Based on the encryption algorithm, packets are encrypted or decrypted with
the same key over the symmetric key system.
Generally, IPSec uses the following types of encryption algorithms:
– DES
It encrypts a 64-bit clear text with a 56-bit key.
– 3DES
It encrypts a clear text with three 56-bit keys (168 bits key in total).
– Advanced Encryption Standard (AES)
It encrypts a clear text through a 128-bit, 192-bit, or 256-bit key.
Obviously, 3DES is more secure than DES. However, its encryption speed is lower than that
of DES.
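The anti-replay service of 5.3.6 and the authentication algorithms described above can be seen together in the following Python example, which is added here and is not part of the Huawei document. For one inbound ESP SA it parses the ESP header (SPI and sequence number), runs the 64-packet sliding anti-replay window of RFC 4303 and verifies an HMAC-SHA1-96 ICV as defined in RFC 2404; payload encryption is deliberately omitted so that the integrity and replay logic stays visible, and the key, SPI and packets are constructed values.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12          # HMAC-SHA1-96: 160-bit HMAC-SHA1 truncated to 96 bits (RFC 2404)
WINDOW_SIZE = 64      # width of the anti-replay window in packets (RFC 4303 minimum is 32)


def esp_icv(auth_key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """ICV covers the ESP header (SPI, sequence number) and the payload, not the ICV itself."""
    mac = hmac.new(auth_key, struct.pack("!II", spi, seq) + payload, hashlib.sha1)
    return mac.digest()[:ICV_LEN]


def build_esp(auth_key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side (constructed sample): ESP header + payload + ICV. The payload would
    normally be DES/3DES/AES cipher text; it is left in clear here on purpose."""
    return struct.pack("!II", spi, seq) + payload + esp_icv(auth_key, spi, seq, payload)


class InboundSA:
    """One unidirectional inbound ESP SA: SPI, authentication key and replay window."""

    def __init__(self, spi: int, auth_key: bytes):
        self.spi = spi
        self.auth_key = auth_key
        self.last_seq = 0      # highest sequence number whose ICV verified so far
        self.bitmap = 0        # bit i set => packet last_seq - i has been accepted

    def _replay_check(self, seq: int) -> str:
        if seq == 0:
            return "invalid"   # ESP sequence numbers start at 1
        if seq > self.last_seq:
            return "ok"        # right of the window: a new packet
        diff = self.last_seq - seq
        if diff >= WINDOW_SIZE:
            return "stale"     # left of the window: too old to judge, drop
        if (self.bitmap >> diff) & 1:
            return "replay"    # inside the window and already seen
        return "ok"

    def _replay_update(self, seq: int) -> None:
        if seq > self.last_seq:
            shift = seq - self.last_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW_SIZE) - 1)
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)

    def receive(self, packet: bytes) -> str:
        """Return a verdict string; the window advances only for packets that pass the ICV."""
        if len(packet) < 8 + ICV_LEN:
            return "truncated"
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return "unknown SPI"
        # RFC 4303 order: preliminary replay check, then ICV, then window update.
        verdict = self._replay_check(seq)
        if verdict != "ok":
            return verdict
        payload, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
        if not hmac.compare_digest(icv, esp_icv(self.auth_key, spi, seq, payload)):
            return "bad ICV"
        self._replay_update(seq)
        return "accepted"
```

A forged packet with a bad ICV never advances the window, so the genuine packet with the same sequence number is still accepted afterwards.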
NAT Traversal
One of the main applications of IPSec is to set up VPNs. In actual networking applications, there
is one scenario where IPSec VPN deployment may be hindered. When the initiator resides on
a private network and wishes to directly create an IPSec tunnel to the remote responder, the
creation inevitably requires the cooperation of IPSec and NAT. The main problem lies in how
IKE can discover the existence of the NAT gateway between the two endpoints during the
negotiation and how IKE can make ESP packets traverse the NAT gateway normally.
At first, the two endpoints of the desired IPSec tunnel need to negotiate their NAT traversal
capabilities. The negotiation is implemented with the first two messages of the IKE negotiation.
The Vendor ID payload carries a group of data that identifies the negotiation. The definitions
of the payload data vary with the draft versions.
IKE depends on NAT-D payload to discover the NAT gateway.
The payload is used for two purposes:
The peer on the NAT side, as the initiator, needs to periodically send NAT-Keepalive packets
to help the NAT gateway ensure that the security tunnel is in active state.
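The capability negotiation and NAT-D discovery just described, as an added Python example that is not from the Huawei document: it follows RFC 3947 (Vendor ID payload, NAT-D payload content = HASH(CKY-I | CKY-R | IP | Port)) and RFC 3948 (the one-octet NAT-keepalive), and shows how a receiver compares the peer's NAT-D hashes against the addresses it actually sees to decide whether UDP encapsulation is needed. Cookies and addresses in the comments are constructed values.

```python
import hashlib
import socket
import struct

# Vendor ID payload content announcing RFC 3947 NAT-T support: MD5 of the string "RFC 3947".
NAT_T_VENDOR_ID = hashlib.md5(b"RFC 3947").digest()
NAT_T_UDP_PORT = 4500          # port used once NAT is detected (RFC 3948)
NAT_KEEPALIVE = b"\xff"        # a NAT-keepalive is a single 0xFF octet (RFC 3948, section 4)


def peer_supports_nat_t(vendor_ids) -> bool:
    """The first two IKE messages carry Vendor ID payloads; NAT-T needs the matching one."""
    return NAT_T_VENDOR_ID in vendor_ids


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """NAT-D payload content = HASH(CKY-I | CKY-R | IP | Port) with the negotiated IKE hash."""
    h = hashlib.new(hash_name)
    h.update(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port))
    return h.digest()


def build_nat_d_payloads(cky_i, cky_r, peer_ip, peer_port, local_addrs, hash_name="sha1"):
    """Sender side: first the hash of the peer's (destination) address, then one hash per
    local address the sender might be using."""
    return ([nat_d_hash(cky_i, cky_r, peer_ip, peer_port, hash_name)]
            + [nat_d_hash(cky_i, cky_r, ip, port, hash_name) for ip, port in local_addrs])


def detect_nat(cky_i, cky_r, received, my_ip, my_port, seen_ip, seen_port, hash_name="sha1") -> dict:
    """Receiver side: compare the peer's NAT-D hashes with what is seen on the wire."""
    # received[0] is the peer's view of our address; a mismatch means a NAT rewrote it.
    local_behind_nat = received[0] != nat_d_hash(cky_i, cky_r, my_ip, my_port, hash_name)
    # received[1:] are the peer's own addresses; if none matches the observed source
    # address and port, a NAT in front of the peer is rewriting them.
    observed = nat_d_hash(cky_i, cky_r, seen_ip, seen_port, hash_name)
    peer_behind_nat = observed not in received[1:]
    return {"local_behind_nat": local_behind_nat,
            "peer_behind_nat": peer_behind_nat,
            "udp_encapsulate": local_behind_nat or peer_behind_nat}
```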
5.3.5 CA Authentication
The Eudemon supports Public Key Infrastructure (PKI) framework-based Certificate
Authentication (CA) mechanism. The CA mechanism provides a centralized key management
mechanism for IPSec networks and enhances the expansibility of the entire IPSec network.
CA Authentication Function
There are two types of IPSec networks:
PKI System
As a collection of software and hardware systems and security policies, PKI provides a complete
security mechanism that offers users a secure network environment. PKI uses public key
techniques and digital certificates to authenticate the identity of a network device so as to ensure
the confidentiality, integrity, and authenticity of data on networks.
A PKI system consists of an authentication institution, a register institution, digital certificates,
and PKI storage.
Figure: PKI system (figure labels: PKI application, digital certificate, authentication institution, register institution, PKI storage library)
Certificate
A digital certificate is granted by CA, a trusted third party, and used to authenticate a user's
identity for the sake of security during IKE/IPSec tunnel negotiation.
In a certificate, CA uniquely identifies one IPSec device with a Distinguished Name (DN). A
DN includes the following information:
l Common user name
l Affiliation
l Country
l Name of the holder
NOTE
l CA certificate
The CA certificate is used to check the validity of Certificate Revocation List (CRL) and
the local certificate issued by CA.
l Local certificate
The local certificate is issued by CA, and is used for communication between the IPSec
devices. The local certificate binds the name of the IPSec device to the local public key,
and acts as the network ID.
Each certificate has a life cycle, which is specified when the certificate is generated. The
authentication institution can withdraw a certificate thus terminating its life cycle earlier than
its due date.
Applying a Certificate
For an IPSec device, applying a certificate is to introduce itself to CA.
The process of generating and obtaining a certificate is as follows:
1. The PKI entity sends a certificate request that contains identity information to CA.
Information contained in the request will be a part of the certificate granted by CA.
2. CA accepts the application and checks the following information to ensure that a certificate
is correctly bound to a certain identity:
l Credibility of the applicant
l Purpose for applying the certificate
l Reliability and authenticity of identity
This standard may require offline, non-automatic identity authentication such as
telephone, disk, and email authentication.
3. CA grants a certificate to the applicant.
CA may need to withdraw users' certificates before the due date for the following reasons:
l Their identity names are changed.
l Their private keys are stolen or disclosed.
l Their affiliations are changed.
higher strength the algorithm has, the harder it is to decrypt the protected data. An algorithm
with higher strength consumes more calculation resources. In general, the longer the key
is, the higher the algorithm strength is.
Besides the preceding basic steps, IKE has the keepalive mechanism. It can determine whether
the peer can communicate normally. Two parameters are configured for the keepalive
mechanism, interval and timeout. When IPSec NAT traversal is configured, you can set a time
interval, at which NAT updating packets are sent.
After the preceding IKE configuration, you need to quote the IKE peer in the IPSec policy view
to complete IPSec auto-negotiation configuration.
5.4 GRE
The Generic Routing Encapsulation (GRE) protocol is used to encapsulate packets of a network
layer protocol such as Internet Packet Exchange (IPX). The encapsulated packet can be
transmitted in another network layer protocol such as IP. GRE is the layer 3 tunnel protocol
of the VPN.
5.4.1 GRE Overview
The GRE protocol is used to encapsulate packets of a network layer protocol such as IP or
Internet Packet Exchange (IPX). The encapsulated packet can be transmitted in another network
layer protocol such as IP.
5.4.2 Implementation of GRE
The packets transmitted through the GRE tunnel need to be encapsulated and decapsulated.
5.4.3 GRE Application
The GRE protocol can implement many types of services. For example, the combination of GRE
and IPSec can protect multicast data.
Figure: GRE tunnel (figure labels: IP group 1, Eudemon A, Internet, tunnel, Eudemon B, IP group 2)
Encapsulation
The Eudemon A connects to the interface of IP group 1 and receives the IP packet. Then the IP
packet is sent to the IP module. The IP module checks the destination address field at the IP
header and decides the route. If the destination address is the virtual network number of the
tunnel, the packet is sent to the port of the tunnel. The packet is encapsulated at the port of the
tunnel, and sent back to the IP module. The IP packet header is encapsulated. The packet is sent
to a network interface based on the destination address and routing table.
Decapsulation
Decapsulation is the reverse of encapsulation. The Eudemon B receives the IP packet from the port
of the tunnel. If the destination address of the packet is Eudemon B, the IP header of the packet
is decapsulated and the packet is sent to the GRE module. The GRE module checks the key,
verifies the checksum, and checks the sequence number of the packet, and then removes the
GRE header. The packet is sent to the IP module, which handles the packet in the common
way.
The packet to be encapsulated and routed is called payload. The payload is encapsulated into a
GRE packet and then an IP packet. In this way, it can be forwarded on the network layer. The
routing protocol for forwarding the packet is called Delivery Protocol or Transport Protocol.
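The encapsulation and decapsulation steps above, as an added Python example that is not from the Huawei document: the sender prepends a GRE header with the optional checksum, key and sequence number fields (RFC 2784 and RFC 2890) to a passenger IP packet, and the receiving end checks the key, verifies the checksum and checks the sequence number before handing back the inner packet. The inner packet and the key are constructed; the outer IP header, which the IP module adds, is left out.

```python
import struct

GRE_PROTO_IPV4 = 0x0800           # passenger protocol type for IPv4 (EtherType value)
FLAG_C, FLAG_K, FLAG_S = 0x8000, 0x2000, 0x1000   # Checksum, Key, Sequence Number present
VERSION_MASK = 0x0007             # GRE version: low 3 bits of the second byte, 0 for RFC 2784/2890


def inet_checksum(data: bytes) -> int:
    """Internet checksum: ones-complement of the ones-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, key: int = None, seq: int = None, checksum: bool = True) -> bytes:
    """Encapsulation side: GRE header followed by the passenger packet."""
    flags = ((FLAG_C if checksum else 0) | (FLAG_K if key is not None else 0)
             | (FLAG_S if seq is not None else 0))
    header = struct.pack("!HH", flags, GRE_PROTO_IPV4)
    if checksum:
        header += struct.pack("!HH", 0, 0)      # checksum filled in below, reserved1 = 0
    if key is not None:
        header += struct.pack("!I", key)
    if seq is not None:
        header += struct.pack("!I", seq)
    packet = header + payload
    if checksum:
        # The checksum covers the whole GRE header (with the field zeroed) and the payload.
        packet = packet[:4] + struct.pack("!H", inet_checksum(packet)) + packet[6:]
    return packet


class GreTunnelEndpoint:
    """Decapsulation side: the key configured on the tunnel and the last accepted sequence."""

    def __init__(self, key: int = None):
        self.key = key
        self.last_seq = None

    def gre_decapsulate(self, packet: bytes):
        """Return (status, passenger packet); the passenger is None unless status is 'ok'."""
        if len(packet) < 4:
            return "truncated header", None
        flags, proto = struct.unpack("!HH", packet[:4])
        if (flags & VERSION_MASK) != 0:
            return "unsupported version", None
        if proto != GRE_PROTO_IPV4:
            return "unexpected passenger protocol", None
        pos = 4
        if flags & FLAG_C:
            # Re-summing the packet with the checksum field included must give zero.
            if len(packet) < pos + 4 or inet_checksum(packet) != 0:
                return "bad checksum", None
            pos += 4
        key = None
        if flags & FLAG_K:
            if len(packet) < pos + 4:
                return "truncated key", None
            key = struct.unpack("!I", packet[pos:pos + 4])[0]
            pos += 4
        if key != self.key:                     # covers a missing key as well as a wrong one
            return "key mismatch", None
        if flags & FLAG_S:
            if len(packet) < pos + 4:
                return "truncated sequence", None
            seq = struct.unpack("!I", packet[pos:pos + 4])[0]
            pos += 4
            if self.last_seq is not None and seq <= self.last_seq:
                return "out-of-order or replayed sequence", None   # drop without advancing
            self.last_seq = seq
        return "ok", packet[pos:]
```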
Figure: GRE packet layers (Passenger Protocol: IP; Encapsulation Protocol: GRE; Transport Protocol: IP)
Network Enlargement
Figure 5-15 Network enlargement (figure labels: PC, Eudemon, tunnel, Eudemon, PC)
As shown in Figure 5-15, when the number of hops exceeds 15, the two terminals cannot
communicate with each other. The tunnel hides some hops. In this way, the network is enlarged
and communication is restored.
Figure 5-16 VLAN (figure labels: IP group 1, Eudemon, tunnel, Eudemon, IP group 2)
As shown in Figure 5-16, group 1 and group 2 are IP subnet in different cities. The tunnel
connects group 1 and group 2, and builds the VPN.
GRE-IPSec Tunnel
Figure 5-17 GRE-IPSec tunnel (figure labels: corporate intranet, Eudemon, IP network, GRE tunnel, IPSec tunnel, Eudemon, remote office network)
As shown in Figure 5-17, the multicast data can be encapsulated in the GRE packet and
transmitted in the GRE tunnel. According to the protocol, the IPSec only encrypts and protects
unicast data. To transmit multicast data such as routing protocol, voice, and video, set up a GRE
tunnel and encapsulate the multicast data in the GRE packet. Then the IPSec encrypts the GRE
packet. In this way, the packet can be transmitted in the IPSec tunnel.
The user can choose to set the key of the GRE tunnel interface, so that encapsulated packets
are checked in an end-to-end manner.
Encapsulation and decapsulation, and data increase due to the encapsulation may reduce the
forwarding efficiency of the Eudemon.
therefore, users anywhere can access intranet resources through the virtual gateway proxy. The
SSL VPN provides a simpler and more flexible solution to secure remote access, hence greatly
reducing the cost of VPN maintenance.
5.5.1 Introduction to SSL
SSL is a security protocol that provides secure connections for TCP-based application layer
protocols. For example, SSL can provide secure connections for HTTP. SSL is widely applied in
fields such as e-commerce and online banking, where it provides security guarantees for data
transmission on the network.
5.5.2 SSL VPN Service
SSL VPN services refer to the services that can be accessed through the SSL VPN, including
the Web proxy, network expansion, file sharing, and port forwarding.
1. The SSL client connects to the SSL server and requires the server to authenticate itself.
2. The server authenticates its identity by sending its digital certificate.
3. The server sends a request to authenticate the certificate on the client.
4. The encryption algorithm and the HASH function are negotiated. The former is used to
encrypt the message, and the latter is used to check the integrity. The client usually provides
the list of all supported algorithms, and the server selects the most powerful algorithm from
the list.
5. The client and the server generate the session key as follows:
(1) The client implements the following actions:
Generating a random number
Encrypting the number with the server's public key that is obtained from the certificate
of the server
Sending the encrypted number to the server
(2) The server responds to the client by using random data. The client's key is used if it
is available; otherwise, data is sent in plain text.
(3) The key is generated from these random numbers by using the HASH function.
Like the IP Security Protocol (IPSec), SSL provides encryption and identity authentication. SSL,
however, encrypts only the application data but not all data transmitted between two hosts.
To use SSL for communications between VPNs, both communicating parties must support
SSL. Currently, most common applications such as the IE and Netscape browsers, Outlook, and
Eudora email support SSL.
The SSL protocol and proxy enable users to access intranet resources remotely and securely.
There are mainly four SSL VPN services:
l Web proxy
Using the web proxy, users can securely access web resources through standard browsers
without installing any client software. The accesses include the intranet web page access,
Outlook web access, and iNotes access.
l Network extension
Network extension is a function extension based on the SSL protocol. It supports all IP
applications to ensure that remote users access intranet resources the way they access a
Local Area Network (LAN).
The virtual network card generated by the network extension client intercepts IP packets,
encrypts them based on the SSL protocol, and then forwards them to the virtual gateway.
In this way, users who have installed the client can work as on hosts in the intranet, accessing
all the intranet resources rapidly and securely when no Access Control List (ACL) is active.
l File sharing
File sharing uses protocol translation technologies to translate network file systems, such
as translating the Network File System (NFS) protocol to the Secure Hypertext Transfer
Protocol (HTTPS). Users can create and browse the directory, and create, download,
upload, modify, and delete files through the browser.
l Port forwarding
The SSL protocol was originally applied to browsers and port forwarding is an application
extension of the SSL protocol. Port forwarding controls user access to application services
at the application layer. The services include Telnet, remote desktop, FTP, and email.
To implement port forwarding, you need to run an ActiveX control on the client as a port
repeater to monitor connections on a port. When data packets are received by the port, they
are transmitted to the Eudemon through the virtual gateway. The Eudemon decapsulates
the packets, and then forwards them to the destination application server.
Through configuration, the administrator can restrict the internal resources that users can access.
Compared with the network extension function, port forwarding ensures higher security
and, in theory, has a faster access rate.
The focus here is the internetworking capability of the Eudemon, so the Eudemon is regarded as a router.
Traditional router terms and labels are used to describe the Eudemon. Therefore, the Eudemon
replaces the router in the following sections.
Introduction to BGP
The three early versions of BGP are BGP-1 (RFC 1105), BGP-2 (RFC 1163) and BGP-3 (RFC
1267). The version currently in use is BGP-4 (RFC 1771). BGP-4 is designed for distributed structures
and supports Classless Inter-Domain Routing (CIDR). BGP-4 is increasingly becoming the de facto
exterior routing protocol standard on the Internet and is commonly used between ISPs.
BGP Characteristics
The characteristics of BGP are as follows:
l BGP is an Exterior Gateway Protocol (EGP). Unlike Interior Gateway Protocols (IGPs)
such as OSPF and RIP, it focuses on controlling route propagation and selecting
optimal routes rather than on discovering and calculating routes.
l BGP eliminates routing loops completely by adding AS path information to BGP routes.
l BGP uses TCP as its transport layer protocol, which enhances the reliability of the protocol.
l When routes are updated, BGP transmits only the updated routes, which greatly reduces
the bandwidth consumed by route propagation and makes BGP suitable for propagating
the large amount of routing information on the Internet.
l BGP-4 supports CIDR. This is an improvement compared with BGP-3.
l For management and security reasons, users want to control the routing information
entering and leaving each AS. BGP-4 provides abundant route policies to
implement flexible filtering and selection of routes.
l BGP-4 can be extended easily to support new developments of the network.
NOTE
l CIDR takes a new view of the IP address: Class-A, Class-B and Class-C networks
are no longer distinguished. For example, in CIDR notation, the illegal Class-C
network address 192.213.0.0 (255.255.0.0) becomes 192.213.0.0/16, a legal supernet address,
where the "/16" indicates that the subnet mask is composed of 16 bits starting from the left of the
address.
l The introduction of CIDR simplifies route aggregation. Route aggregation is the process of
aggregating several different routes, which turns the advertisement of several routes into the
advertisement of a single route so as to simplify the routing table.
BGP is called IBGP when it runs within an AS and EBGP when it runs between different
ASs.
BGP uses the following message types:
l Type 1, Open: It is the first message sent after a connection is created, and is used
to establish the peer relationship between BGP peers.
l Type 2, Update: It is the most important message in the BGP system, and is used to
exchange routing information between peers. It is composed of up to three parts:
unreachable routes, path attributes and network layer reachability information (NLRI).
l Type 3, Notification: It is used to notify errors.
l Type 4, Keepalive: It is used to keep the connection between peers alive.
l Type 5, Route-refresh: It is used to request a peer to re-advertise its routes.
The first four messages are defined in RFC 1771, while the Type 5 message is defined in RFC 2918
(Route Refresh Capability for BGP-4).
The router transmitting BGP messages is called a BGP speaker, which receives and generates
new routing information continuously and advertises the information to the other BGP speakers.
When a BGP speaker receives a new route advertisement from another AS, it will advertise the
route, if the route is better than the current route that has been learned or is a new route, to all
the other BGP speakers in the AS.
The other BGP speakers that exchange information with a BGP speaker are called its peers, and
multiple related peers compose a peer group.
l If there are several optional routes, a BGP speaker selects only the optimal one.
l A BGP speaker advertises only the route it uses to its peers.
l A BGP speaker advertises the routes received from EBGP to all its BGP peers, including
EBGP and IBGP peers.
l A BGP speaker does not advertise the routes received from IBGP to its IBGP peers.
l A BGP speaker does not advertise the routes received from IBGP to its EBGP peers (the
Eudemon does not implement synchronization between IGP and BGP).
l On establishing a peer connection, a BGP speaker advertises all its BGP routes to the peer.
MBGP
Traditional BGP-4 can manage only IPv4 routing information and is limited in
inter-AS routing when used with other network layer protocols (such as IPv6).
To support multiple network layer protocols, the IETF extended BGP-4 to form the
Multiprotocol Extensions for BGP-4 (MBGP). The present MBGP standard is RFC 2858
(Multiprotocol Extensions for BGP-4).
MBGP is backward compatible, that is, a router supporting the BGP extension can be interconnected
with a router that does not support it.
In the packets BGP-4 uses, three pieces of information related to IPv4 are carried in the Update
packet: the NLRI, the Next_Hop (the next hop address) path attribute and the Aggregator
path attribute (which includes the address of the BGP speaker that formed the summary route).
To support multiple network layer protocols, BGP-4 needs to carry the information about the
specified network layer protocol in the NLRI and in the Next_Hop path attribute. Two new path
attributes are introduced in MBGP:
l MP_REACH_NLRI: carries the reachable routes of a network layer protocol together with the next hop.
l MP_UNREACH_NLRI: carries the routes of a network layer protocol that are to be withdrawn.
These two attributes are optional non-transitive. Therefore, a BGP speaker that does not
provide multi-protocol capability ignores the information in them and does not transfer
them to other peers.
The router uses address families to distinguish different network layer protocols. For the values
of address families, refer to RFC 1700. The Eudemon provides various MBGP extended
applications, including the extensions for multicast and BGP/MPLS VPN. Different extended
applications must be configured in their own address family views.
In the Eudemon, a BGP peer cannot be separated from its peer group and exist independently. In other
words, a peer must belong to a specific peer group. To configure a BGP peer, you must first
configure a peer group and then add the peer to the peer group.
Using BGP peer groups simplifies configuration. When a peer is added
to a peer group, it obtains the same configuration as the peer group, which simplifies
the configuration in some cases and improves the efficiency of route advertisement.
If the configuration of the group changes, the configuration of each group member
changes accordingly. Some attributes can be configured for a particular member only, by
designating its IP address. An attribute configured through the IP address takes precedence over
the attribute configured through the peer group. Note: a peer group member must use
the same route update policy as its group, while the egress policies can be different.
Introduction to MPLS
With the spread of the Internet in the early 1990s, IP forwarding, which searches the routing
table for the longest match, became the bottleneck of network forwarding performance because of
the limitations of the hardware of the time. ATM uses labels of fixed length
and maintains a label table that is much smaller than a routing table.
Therefore, compared with IP, ATM can provide higher
forwarding performance.
Traditional IP is simple to implement but limited in performance. ATM
has higher performance but is difficult to popularize because of its complex signaling
and high deployment cost. MPLS thus emerged to combine the advantages
of the IP and ATM technologies.
Initially, MPLS emerged to improve the forwarding speed of routers. With the development
of ASIC technology, route lookup speed is no longer the bottleneck of network
development, so high-speed forwarding is no longer the distinguishing feature of MPLS. Because MPLS supports
multi-layer labels and is connection-oriented, it is widely used in VPN, TE, and
QoS.
A label is a short identifier of fixed length with only local significance, used to identify
a particular FEC uniquely. In some cases, such as load sharing, one FEC may have multiple
labels, while one label can identify only one FEC.
The four-byte label is carried in the packet header. It has local significance only and carries
no topology information. The encapsulation structure of the label is shown in Figure
5-18.
[Figure 5-18: label encapsulation. Frame mode: ATM header, Label, Layer 3 packet. Cell mode ATM: VPI/VCI (carrying the label), Layer 3 packet.]
l LSR
A Label Switched Router (LSR) is a basic element of the MPLS network, and all LSRs
support the MPLS protocol.
An LSR is composed of a control plane and a forwarding plane:
– The control plane allocates labels, selects routes, creates the label forwarding table, and sets
up or deletes LSPs.
– The forwarding plane forwards received packets according to the label forwarding
table.
l LSP
A Label Switched Path (LSP) is the path along which the packets of an FEC are transmitted in the MPLS
network.
Similar to a virtual circuit of ATM or FR, an LSP is a unidirectional path from
Ingress to Egress, in which each node is an LSR.
l LDP
The Label Distribution Protocol (LDP) is the control protocol of MPLS. Equivalent to the
signaling protocol in a traditional network, it is in charge of FEC classification, label
distribution, and LSP establishment and maintenance.
[Figure: MPLS network. An LSP runs from the Ingress (an MPLS Edge Router, LER, attached to Network1) through the MPLS core switches (LSRs) to the Egress (attached to Network2); steps (1) to (4) mark the path.]
MPLS is a tunnel technology rather than a type of service or application. It is a routing
and switching platform combining label switched forwarding with network layer routing
technologies. It supports multiple network layer protocols and can ensure the security of
information transmission.
Label Management
In the MPLS architecture, label management includes label distribution, label control, and label
retention. Details of label management are as follows:
On each LSR along the LSP, a mapping table from incoming labels to outgoing labels has been established
[an element of this table is referred to as a Next Hop Label Forwarding Entry (NHLFE)]. When
a labeled packet arrives, the LSR only needs to find the corresponding NHLFE in the table
according to the label, replace the original label with the new outgoing label, and then forward
the labeled packet. This lookup is called the Incoming Label Map (ILM).
NOTE
TTL processing:
l For a labeled packet of the public network, the TTL value in the original IP packet must be copied
into the TTL field of the label. While forwarding the labeled packet, the LSR decrements the TTL field of
the label on the top of the stack by one. When the label is popped from the stack, the
TTL value of the top of the stack is copied back to the IP packet or to the label of the lower layer.
l However, while an LSP goes through a non-TTL LSP segment composed of ATM-LSRs or FR-LSRs,
the LSRs inside the non-TTL LSP segment cannot process the TTL field. In this case,
the TTL must be processed in a unified way on entering the non-TTL LSP segment, namely, it is
decremented once by a value that reflects the length of this non-TTL LSP segment.
LSP Tunnel
MPLS supports the LSP tunnel technology.
On an LSP, LSR Ru and LSR Rd are respectively upstream and downstream of each other. However,
the path between LSR Ru and LSR Rd may not be part of the path provided by the routing protocol.
MPLS allows a new LSP to be established between LSR Ru and LSR Rd, with LSR Ru and
LSR Rd respectively being the starting point and ending point of this LSP. The LSP between
LSR Ru and LSR Rd is referred to as an LSP tunnel, which avoids the traditional encapsulated
tunnel on the network layer.
If the route along which the tunnel passes is consistent with the route obtained hop by hop from
the routing protocol, the tunnel is called a hop-by-hop routing tunnel; if not, the tunnel is
called an explicit routing tunnel.
As shown in Figure 5-21, LSP<R2 R21 R22 R3> is a tunnel between R2 and R3.
[Figure 5-21: LSP tunnel. Layer 1: R1 - R2 - R3 - R4. Layer 2: R2 - R21 - R22 - R3.]
The labels are organized according to the principle "last in first out" in the label stack, and MPLS
processes the labels beginning from the top of the stack.
Suppose that a packet has the label stack depth of m, then the label at the bottom of the stack is
the label of first level, and the label at the top of the stack is the label of level m. The packet
with no label can be regarded as the packet of blank label stack (namely, the label stack depth
is zero).
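The four-byte label of Figure 5-18, the TTL copy-in, minus-one and copy-back rules from the NOTE above, and the top-first label stack just described, worked as an added Python example (not code from the Huawei document or the Eudemon); the ILM action tuples, label values and the IPv4 header are constructed for the demo.

```python
"""MPLS label stack entries with the TTL handling described above (added example)."""
import struct
from typing import Dict, List, Optional, Tuple

# In-memory stack entry: (label, exp, ttl). The list is kept top-of-stack first,
# so stack[0] is the level-m label and stack[-1] is the level-1 (bottom) label.
Entry = Tuple[int, int, int]


def encode_entry(label: int, exp: int, bottom: bool, ttl: int) -> bytes:
    """Pack one four-byte entry: 20-bit label, 3-bit EXP, 1-bit S (bottom), 8-bit TTL."""
    if not (0 <= label < 1 << 20 and 0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("label stack field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)


def encode_packet(stack: List[Entry], ip_packet: bytes) -> bytes:
    """Wire form: entries top first, S bit set on the last one, then the Layer 3 packet."""
    shim = b"".join(encode_entry(lbl, exp, i == len(stack) - 1, ttl)
                    for i, (lbl, exp, ttl) in enumerate(stack))
    return shim + ip_packet


def parse_packet(wire: bytes) -> Tuple[List[Entry], bytes]:
    """Read entries until the S bit is set; the rest of the buffer is the Layer 3 packet."""
    stack: List[Entry] = []
    offset = 0
    while True:
        if offset + 4 > len(wire):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack("!I", wire[offset:offset + 4])
        offset += 4
        stack.append((word >> 12, (word >> 9) & 0x7, word & 0xFF))
        if (word >> 8) & 1:
            return stack, wire[offset:]


def make_ipv4_header(ttl: int) -> bytes:
    """Constructed 20-byte IPv4 header (no payload, checksum left zero) for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 0, 0,
                       bytes([10, 1, 1, 1]), bytes([10, 2, 2, 2]))


def ipv4_ttl(ip_packet: bytes) -> int:
    return ip_packet[8]  # TTL is the ninth byte of the IPv4 header


def set_ipv4_ttl(ip_packet: bytes, ttl: int) -> bytes:
    # The IPv4 header checksum is not recomputed here; a real LSR must do so.
    return ip_packet[:8] + bytes([ttl]) + ip_packet[9:]


def push(stack: List[Entry], ip_packet: bytes, label: int, exp: int = 0) -> List[Entry]:
    """Push a label: the TTL is copied in from the IP header, or from the current top label."""
    ttl = stack[0][2] if stack else ipv4_ttl(ip_packet)
    return [(label, exp, ttl)] + stack


def decrement_top(stack: List[Entry]) -> Optional[List[Entry]]:
    """Per-hop TTL handling: minus one on the top label; None means the packet is dropped."""
    label, exp, ttl = stack[0]
    if ttl <= 1:
        return None
    return [(label, exp, ttl - 1)] + stack[1:]


def swap(stack: List[Entry], new_label: int) -> List[Entry]:
    label, exp, ttl = stack[0]
    return [(new_label, exp, ttl)] + stack[1:]


def pop(stack: List[Entry], ip_packet: bytes) -> Tuple[List[Entry], bytes]:
    """Copy the top TTL back into the lower label, or into the IP header at the bottom."""
    ttl = stack[0][2]
    rest = stack[1:]
    if rest:
        label, exp, _ = rest[0]
        return [(label, exp, ttl)] + rest[1:], ip_packet
    return [], set_ipv4_ttl(ip_packet, ttl)


# Constructed ILM: incoming label -> NHLFE action ("swap", out), ("pop",) or
# ("push", out, tunnel_label) for an LSR that is also an LSP tunnel entry point.
Ilm = Dict[int, tuple]


def lsr_forward(wire: bytes, ilm: Ilm) -> Optional[bytes]:
    """One LSR hop: decrement the top TTL, look the label up in the ILM, apply the NHLFE."""
    stack, ip_packet = parse_packet(wire)
    stack = decrement_top(stack)
    if stack is None or stack[0][0] not in ilm:
        return None  # TTL expired or no NHLFE: the packet is dropped
    action, *args = ilm[stack[0][0]]
    if action == "swap":
        stack = swap(stack, args[0])
    elif action == "pop":
        stack, ip_packet = pop(stack, ip_packet)
    elif action == "push":
        stack = push(swap(stack, args[0]), ip_packet, args[1])
    return encode_packet(stack, ip_packet)


if __name__ == "__main__":
    ip = make_ipv4_header(ttl=64)
    wire = encode_packet(push([], ip, 1001), ip)      # Ingress pushes label 1001, TTL 64
    hop = lsr_forward(wire, {1001: ("swap", 2002)})   # next LSR decrements and swaps
    print(parse_packet(hop))                          # ([(2002, 0, 63)], ...)
```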
LDP is responsible for the message regulation and related processing of label distribution.
Over LDP, an LSR can directly map routing information on the network layer to a switched path on
the data link layer, and thus establish an LSP on the network layer. An LSP can be set up
between two adjacent LSRs or terminated at an egress LSR. All the intermediate LSRs in between
perform label switching.
l LDP Peers
LDP peers are two LSRs that have an LDP session and exchange label/FEC mapping
information over it.
The LDP peers obtain each other's label information through the LDP session, that is,
LDP is bidirectional.
l LDP Session
An LDP session is used to exchange label mapping and label release messages between LSRs. There are two
types of LDP session:
– Local LDP Session: an LDP session between two directly connected LSRs.
– Remote LDP Session: an LDP session between two indirectly connected LSRs.
l LDP Message
There are four types of message involved in LDP:
– Discovery message: used to announce and maintain the presence of LSRs in the network.
– Session message: used to establish, maintain or terminate a session between LDP peers.
– Advertisement message: used to establish, modify or delete a label/FEC
binding.
– Notification message: used to provide advisory information or error notifications.
l Label Space
A label space is the range of labels that can be allocated to LDP peers. You can
specify a label space for each interface of an LSR or for the entire LSR.
l LDP Identifier
An LDP identifier identifies a specific label space of an LSR. It is a six-byte value in the
following format:
<LSR ID>:<label space number>
The LSR ID occupies four bytes and the label space number occupies two bytes.
The LSR ID and the label space number together constitute the LDP identifier, which identifies
the label space used by the LSR and is used to establish and maintain LDP sessions between LSRs.
[Figure 5-22: label distribution. LSP1 runs from Ingress A through B and C to Egress D; LSP2 runs through E, F, G and H. Label request messages travel downstream and Label mapping messages travel upstream over the LDP sessions between neighbouring MPLS LERs and LSRs.]
On an LSP, along the data transmission direction, neighboring LSRs are respectively called as
upstream LSR and downstream LSR. On LSP1 shown in Figure 5-22, LSR B is the upstream
LSR of LSR C.
Labels are distributed in two modes, Downstream on Demand (DoD) mode and Downstream Unsolicited (DU) mode. The main difference
between these two modes is whether label mapping distribution is triggered by an upstream
request or initiated by the downstream LSR.
l DoD mode
In DoD mode, the label is distributed in this way: the upstream LSR sends a label request
message (containing the FEC description) to the downstream LSR, the
downstream LSR allocates a label for this FEC, and then sends the bound label back to the
upstream LSR in a label mapping message.
When the downstream LSR sends back the label mapping message depends on whether this
LSR uses the independent label control mode or the sequential label control mode:
– When the sequential label control mode is used by the downstream LSR, the label
mapping message is sent back to its upstream LSR only after it has received the label
mapping message from its own downstream LSR.
– When the independent label control mode is used by the downstream LSR, it
sends the label mapping message to its upstream LSR immediately, regardless of whether it has
received the label mapping message from its own downstream LSR.
Usually, the upstream LSR selects the downstream LSR according to the information in its
routing table. In Figure 5-22, the sequential label control mode is used by the LSRs
along LSP1, and the independent label control mode is used by the LSRs
on LSP2.
l DU mode
In DU mode, the label is distributed in the following way: once an LDP session is established
successfully, the downstream LSR actively sends a label mapping message to its
upstream LSR. The upstream LSR saves the label mapping information and processes the
received label mapping information according to its routing table.
1. Discovery phase
The originating LSR periodically sends a Hello message to its adjacent LSRs, notifying
them of its peer information, so that the LSRs can automatically find their LDP peers.
There are two types of LDP discovery mechanism:
l Basic discovery mechanism
The basic discovery mechanism discovers local LDP peers, that is, it establishes
a local LDP session between directly connected LSRs.
In this case, the LSR periodically sends an LDP link Hello message out of a specific
port, carrying the LDP identifier of the label space to which the port belongs as
well as other relevant information. If the LSR receives a Hello message on the
specific port, it knows that there is a potentially reachable peer on the link layer and also
learns the label space of the port.
l Extended discovery mechanism
The extended discovery mechanism discovers remote LDP peers, that is, it establishes
a remote LDP session between indirectly connected LSRs.
In this case, the LSR periodically sends an LDP Targeted Hello message to a specific
IP address.
The LDP Targeted Hello message is sent in a UDP packet to the well-known LDP
discovery port of the specific address. The message contains the desired label space of
the LSR as well as all relevant information.
2. Session establishment and maintenance
After the peer is set up, the LSR begins to establish a session by the following two steps:
(1) Establishing a connection on the transport layer, that is, establishing TCP connection
between the LSR peers.
(2) Initializing the session and negotiating the parameters involved in the session, such
as the LDP version, label distribution mode, timer timeout and label space.
3. LSP setup and maintenance
LSP establishment is the process of binding an FEC with a label, and then
advertising this binding to the adjacent LSRs on the LSP.
This process is implemented through LDP in the following steps:
(1) When the routing of the network changes and an LER finds a new destination address
in its routing table that does not belong to any existing FEC, the LER creates an FEC
for the address, determines the route for the FEC, and then sends a label request
message to the downstream LSR, indicating the FEC for which a label is to be allocated.
(2) After the downstream LSR receives and records the label request message, it relays
the message to the next hop LSR according to its routing table.
(3) When the label request message reaches the destination LSR or the Egress LSR of the
MPLS network, and that LSR can allocate the requested label, it allocates the label to
the FEC after the label request message passes its authentication. Then it sends a label
mapping message containing the allocated label to the upstream LSR.
(4) The upstream LSR compares the received label mapping message with its label
database, allocates the matching label to the FEC, adds the mapping to its label forwarding
table, and then sends a label mapping message to its own upstream LSR.
(5) When the Ingress LSR receives the label mapping message, it adds the mapping to its label
forwarding table. In this way, an LSP is set up and the data packets of the corresponding FEC
can be forwarded based on their labels.
4. Session termination
LDP checks session integrity based on the LDP PDUs transmitted over the session
connection.
The LSR sets up a liveness timer for each session and refreshes the timer after receiving an
LDP PDU. If the timer expires before an LDP PDU is received, the LSR considers the
session interrupted and tears down the corresponding transport layer connection to
terminate the session.
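The LSP setup steps (1) to (5) above, in DoD mode with either the sequential or the independent label control mode described earlier, worked as an added Python simulation (not code from the Huawei document or the Eudemon); the LSR names, label bases, FEC and message log format are constructed for the demo.

```python
"""LSP setup by LDP in DoD mode with sequential or independent label control (added example)."""
from typing import Dict, List, Optional, Tuple

FEC = "10.2.0.0/16"   # constructed destination prefix that forms the FEC


class LSR:
    """One LSR: its routing table (FEC -> next-hop LSR), a label pool, and its tables."""

    def __init__(self, name: str, label_base: int, next_hop: Dict[str, str]):
        self.name = name
        self.next_label = label_base          # labels 0-15 are reserved, so bases start higher
        self.next_hop = next_hop
        self.nhlfe: Dict[str, Tuple[int, str]] = {}   # ingress: FEC -> (out label, next hop)
        self.ilm: Dict[int, Tuple[Optional[int], Optional[str]]] = {}  # in label -> NHLFE

    def allocate_label(self) -> int:
        label, self.next_label = self.next_label, self.next_label + 1
        return label


class LdpNetwork:
    """Models the label request/mapping exchange along an LSP; every message is logged."""

    def __init__(self, lsrs: List[LSR], egress: Dict[str, str], control: str = "sequential"):
        self.lsrs = {lsr.name: lsr for lsr in lsrs}
        self.egress = egress          # FEC -> name of the Egress LSR
        self.control = control        # "sequential" or "independent" label control mode
        self.log: List[tuple] = []    # (message, from, to, detail)

    def label_request(self, upstream: str, name: str, fec: str) -> int:
        """Downstream LSR handles a label request and returns the label it binds to the FEC."""
        self.log.append(("Label Request", upstream, name, fec))
        lsr = self.lsrs[name]
        in_label = lsr.allocate_label()
        if name == self.egress[fec]:                 # step (3): Egress allocates and replies
            lsr.ilm[in_label] = (None, None)         # pop and deliver
            self.log.append(("Label Mapping", name, upstream, in_label))
            return in_label
        downstream = lsr.next_hop[fec]               # step (2): relay the request downstream
        if self.control == "independent":
            # reply at once, without waiting for the mapping from downstream
            self.log.append(("Label Mapping", name, upstream, in_label))
            out_label = self.label_request(name, downstream, fec)
        else:
            # sequential: reply only after the downstream mapping has arrived
            out_label = self.label_request(name, downstream, fec)
            self.log.append(("Label Mapping", name, upstream, in_label))
        lsr.ilm[in_label] = (out_label, downstream)  # step (4): add the map to the table
        return in_label

    def setup_lsp(self, ingress: str, fec: str) -> None:
        """Step (1): the Ingress LER sends the first label request; step (5): installs its NHLFE."""
        lsr = self.lsrs[ingress]
        downstream = lsr.next_hop[fec]
        lsr.nhlfe[fec] = (self.label_request(ingress, downstream, fec), downstream)

    def forward(self, ingress: str, fec: str) -> List[Tuple[str, Optional[int]]]:
        """Follow the LSP: each hop is (LSR, label on the outgoing packet); None means popped."""
        label, nxt = self.lsrs[ingress].nhlfe[fec]
        hops: List[Tuple[str, Optional[int]]] = [(ingress, label)]
        while True:
            lsr = self.lsrs[nxt]
            label, nxt = lsr.ilm[label]      # ILM lookup on the incoming label
            hops.append((lsr.name, label))
            if label is None:
                return hops


def build_demo(control: str) -> LdpNetwork:
    """Constructed chain A (Ingress) - B - C - D (Egress) with a distinct label base per LSR."""
    lsrs = [LSR("A", 1000, {FEC: "B"}), LSR("B", 2000, {FEC: "C"}),
            LSR("C", 3000, {FEC: "D"}), LSR("D", 4000, {})]
    return LdpNetwork(lsrs, egress={FEC: "D"}, control=control)


if __name__ == "__main__":
    net = build_demo("sequential")
    net.setup_lsp("A", FEC)
    for msg in net.log:
        print(msg)                    # three requests downstream, then three mappings upstream
    print(net.forward("A", FEC))      # [('A', 2000), ('B', 3000), ('C', 4000), ('D', None)]
```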
provider backbone network. BGP/MPLS IP VPN has flexible networking modes, good
extensibility and convenient support for MPLS QoS and MPLS TE. Hence, it is widely used.
l Customer Edge (CE): an edge device in the customer network. It has one or more
interfaces directly connected to the service provider network. It can be a router, a switch
or a host. In most cases, the CE cannot "sense" the existence of the VPN, and does not need to
support MPLS.
l Provider Edge (PE): an edge device of the provider network. It is directly connected to
the CE. In the MPLS network, the PE router handles all the VPN processing.
l Provider (P): a backbone router in the provider network. It is not directly connected to
the CE. The P router must have basic MPLS forwarding capability.
[Figure: BGP/MPLS IP VPN components. Sites of VPN1 and VPN2 connect through their CEs to PEs; P routers form the provider backbone between the PEs.]
The term site is often mentioned in the VPN. Its meaning is described as follows:
l A site is a group of IP systems with IP connectivity between them. This connectivity does not require a service provider
network.
l A site is defined by topological relationship, not by the geographical
positions of devices, even though the devices in a site are usually adjacent to each other.
l The devices in a site can belong to multiple VPNs. In other words, a site can belong to
multiple VPNs.
l A site is connected to the provider network through a CE. A site can contain many CEs, but
a CE belongs to only one site.
Sites connected to the same provider network can be classified into different sets through
policies. Only the sites in the same set can access each other through the provider network. Such
a set is called a VPN.
VPN-instance
A VPN-instance is a special entity that a PE creates and maintains for its directly connected sites. Each
site has its own VPN-instance on the PE.
A VPN-instance is also called a VPN Routing and Forwarding table (VRF). There are multiple
forwarding tables on a PE: a public routing and forwarding table, and one or
more VRFs.
l The public routing table consists of the routes of all the PE and P routers. It is generated by
the IGP of the backbone network.
l A VPN-instance consists of the directly connected routes of sites. These routes are obtained
through route advertisement between the CE and the PE.
In RFC 2547 (BGP/MPLS VPNs), the VPN-instance is called the per-site forwarding table. As
the name implies, one VPN-instance corresponds to one site. Each connection between a CE
and a PE corresponds to a VPN-instance.
As shown in Figure 5-24, all VPN-instances on the PE are independent of each other and of
the routing and forwarding table of the public network. You can consider each VPN-instance as
a virtual router, which maintains an independent address space and has its own interfaces connected to
the router.
[Figure 5-24: VPN-instances on a PE. Site1 (VPN1) connects through its CE to the VPN1 VPN-instance and Site2 (VPN2) through its CE to the VPN2 VPN-instance on the PE; the PE also holds the public forwarding table, which faces the backbone.]
A VPN-instance implements independent address spaces through the Route Distinguisher (RD).
It manages the VPN membership of directly connected sites and the routing rules through VPN Target
attributes.
Traditional BGP cannot process VPN routes that have overlapping address spaces. If both
VPN1 and VPN2 use addresses on the segment 10.110.10.0/24 and each of them advertises a
route to this network segment, BGP selects only one of them, resulting in the loss of the other
route.
The cause is that BGP cannot distinguish the same IP address prefix in different VPNs.
To solve this, BGP/MPLS IP VPN uses the VPN-IPv4 address, which consists of an IPv4 address and
an RD.
A VPN-IPv4 address consists of 12 bytes. The first eight bytes represent the RD, followed by a
4-byte IPv4 address prefix, as shown in Figure 5-25.
l When the type is 0, the Administrator subfield occupies two bytes (16 bits) and the Assigned
Number subfield occupies four bytes (32 bits). The RD format is "16-bit ASN:32-bit user-
defined number". For example, 100:1.
l When the type is 1, the Administrator subfield occupies four bytes (32 bits) and the
Assigned Number subfield occupies two bytes (16 bits).
The RD format is "32-bit IPv4 address:16-bit user-defined number". For example,
172.1.1.1:1.
You can use the RD to distinguish IPv4 prefixes that use the same address space, but not to identify
the originator of a route or the VPN to which the route belongs. Service providers can allocate RDs
independently, but each RD should be globally unique.
In this way, even if several VPNs of different providers use the same IPv4 address, the PE routers
can advertise different routes to that IPv4 address, one for each VPN. VPN-IPv4 add addresses with
an RD of zero are equal to common IPv4 addresses.
NOTE
To ensure that RD is globally unique, do not configure the Administrator subfield with a private ASN or
IP address.
IPv4 addresses with an RD added are called VPN-IPv4 addresses. After receiving common
IPv4 routes from a CE, the PE converts them into VPN-IPv4 routes. Thus the private routes can
be transmitted through the public network.
VPN-target
The VPN-target or the Route-target is a 32-bit BGP extended community attribute. BGP/MPLS
IP VPN uses the VPN-target to control the advertisement of VPN routing information.
There are two kinds of VPN-targets:
l Export Target
A local PE sets the Export Target attribute for the VPN-IPv4 routes learnt from its directly
connected sites, before advertising them to other PEs. The attribute is advertised with the
routes as the BGP extended community attribute.
l Import Target
A PE checks the Export Target attribute of VPN-IPv4 routes advertised by other PEs. If
the Export Target is identical with the Import Target of a VPN instance, the PE adds the
route to the VPN routing table.
In other words, the VPN Target attribute defines which sites can receive a VPN-IPv4 route, and
from which sites that PE can receive routes.
Like RD, there are two types of VPN-target formats:
l Autonomous system number: user-defined number, for example, 100:1.
l IP address: user-defined number, for example, 172.1.1.1:1.
A VPN that only receives its own routes and the PE-advertised routes is called stub VPN.
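The RD formats, the 12-byte VPN-IPv4 address and the Export/Import Target matching described above, worked as an added Python example (not code from the Huawei document or the Eudemon); it also goes beyond the stub VPN case to a shared site whose VPN-instance imports and exports both targets, the extranet arrangement. The RDs, targets, prefixes and site labels are constructed for the demo.

```python
"""VPN-IPv4 routes (RD + prefix) and VPN-target import/export matching (added example)."""
import ipaddress
import struct
from typing import Dict, FrozenSet, Iterable, List, NamedTuple


def encode_rd(rd: str) -> bytes:
    """Eight-byte RD: 2-byte Type, then the Administrator and Assigned Number subfields.
    Type 0 ('100:1'): 2-byte ASN + 4-byte number. Type 1 ('172.1.1.1:1'): 4-byte IPv4 + 2-byte number."""
    admin, number = rd.rsplit(":", 1)
    if "." in admin:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(number))
    return struct.pack("!HHI", 0, int(admin), int(number))


def vpn_ipv4_key(rd: str, prefix: str) -> bytes:
    """12-byte VPN-IPv4 address: the RD followed by the 4-byte IPv4 prefix."""
    return encode_rd(rd) + ipaddress.IPv4Network(prefix).network_address.packed


class VpnRoute(NamedTuple):
    rd: str                          # added by the ingress PE from its VPN-instance
    prefix: str                      # IPv4 prefix learnt from the CE, e.g. '10.110.10.0/24'
    export_targets: FrozenSet[str]   # carried as the BGP extended community attribute
    origin_site: str                 # constructed label saying which site advertised it


class VpnInstance:
    """One VRF on a PE: its RD, Import/Export Targets and its own routing table."""

    def __init__(self, name: str, rd: str, imports: Iterable[str], exports: Iterable[str]):
        self.name = name
        self.rd = rd
        self.import_targets = frozenset(imports)
        self.export_targets = frozenset(exports)
        self.routes: Dict[str, VpnRoute] = {}   # keyed by IPv4 prefix inside this VRF

    def learn_from_ce(self, site: str, prefixes: List[str]) -> List[VpnRoute]:
        """Ingress PE: attach the RD and the Export Target to IPv4 routes learnt from the CE."""
        learnt = [VpnRoute(self.rd, p, self.export_targets, site) for p in prefixes]
        for route in learnt:
            self.routes[route.prefix] = route
        return learnt


def mp_bgp_table(routes: Iterable[VpnRoute]) -> Dict[bytes, VpnRoute]:
    """MP-BGP keys routes by VPN-IPv4 address, so the same IPv4 prefix from two VPNs
    with different RDs gives two distinct routes and neither is lost."""
    return {vpn_ipv4_key(r.rd, r.prefix): r for r in routes}


def import_routes(vrfs: Iterable[VpnInstance], table: Dict[bytes, VpnRoute]) -> None:
    """Egress PE: a route enters a VRF when one of its Export Targets matches one of the
    VRF's Import Targets. A prefix already present in the VRF is kept (overlapping prefixes
    must not be imported into one VRF, so extranet sites need disjoint addressing)."""
    for route in table.values():
        for vrf in vrfs:
            if route.export_targets & vrf.import_targets and route.prefix not in vrf.routes:
                vrf.routes[route.prefix] = route


def overlapping_prefix_demo() -> Dict[str, object]:
    """VPN1 and VPN2 both use 10.110.10.0/24; the RDs keep the routes apart across the backbone."""
    pe1_vpn1 = VpnInstance("VPN1", "100:1", imports=["100:1"], exports=["100:1"])
    pe1_vpn2 = VpnInstance("VPN2", "100:2", imports=["200:1"], exports=["200:1"])
    advertised = (pe1_vpn1.learn_from_ce("site1", ["10.110.10.0/24"])
                  + pe1_vpn2.learn_from_ce("site2", ["10.110.10.0/24"]))
    table = mp_bgp_table(advertised)
    pe2_vpn1 = VpnInstance("VPN1", "100:1", imports=["100:1"], exports=["100:1"])
    pe2_vpn2 = VpnInstance("VPN2", "100:2", imports=["200:1"], exports=["200:1"])
    import_routes([pe2_vpn1, pe2_vpn2], table)
    return {"bgp_entries": len(table),
            "vpn1_origin": pe2_vpn1.routes["10.110.10.0/24"].origin_site,
            "vpn2_origin": pe2_vpn2.routes["10.110.10.0/24"].origin_site}


def extranet_demo() -> Dict[str, FrozenSet[str]]:
    """Shared site 3 imports and exports both targets; sites 1 and 2 still cannot see each other."""
    site1 = VpnInstance("VPN1-site1", "100:1", imports=["100:1"], exports=["100:1"])
    site2 = VpnInstance("VPN2-site2", "100:2", imports=["200:1"], exports=["200:1"])
    site3 = VpnInstance("VPN1-site3", "100:3",
                        imports=["100:1", "200:1"], exports=["100:1", "200:1"])
    advertised = (site1.learn_from_ce("site1", ["10.1.0.0/16"])
                  + site2.learn_from_ce("site2", ["10.2.0.0/16"])
                  + site3.learn_from_ce("site3", ["192.168.3.0/24"]))
    import_routes([site1, site2, site3], mp_bgp_table(advertised))
    return {vrf.name: frozenset(r.origin_site for r in vrf.routes.values())
            for vrf in (site1, site2, site3)}


if __name__ == "__main__":
    print(overlapping_prefix_demo())  # {'bgp_entries': 2, 'vpn1_origin': 'site1', 'vpn2_origin': 'site2'}
    print(extranet_demo())
```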
l Routing Information Exchange Between the Ingress PE and the Egress PE
After learning VPN routing information from a CE, the ingress PE adds RDs and VPN
Target for these standard IPv4 routes to form VPN-IPv4 routes, and saves them into the
VPN-instance created for the CE.
Then, the ingress PE advertises the VPN-IPv4 routes to the egress PE through MP-BGP.
The Egress PE compares the Export target of the received routes with the Import targets of
all VPN-instances that it maintains. If the Export target is equal to one of the Import targets,
the PE adds the VPN-IPv4 route to the VPN-instance.
PEs use IGP to ensure the connectivity between them.
l Routing Information Exchange Between Egress PE and Remote CE
The egress PE exports the VPN routes learned from the ingress PE to the remote CEs. A
remote CE can learn VPN routes from the egress PE in several ways, including static
routing, OSPF, and BGP. The exchange of routing information between the egress PE and
the remote CE is the same as that between the local CE and the ingress PE.
If External Border Gateway Protocol (EBGP) runs between the PE and the CE, BGP detects
routing loops using the Autonomous System Number (ASN). So, you must allocate different ASNs
to different physical locations to ensure correct transmission of the routing information.
The Eudemon provides the BGP ASN substitute function, which allows physically dispersed CEs to
use the same ASN and still exchange routing information normally.
With the BGP ASN substitute function, when a PE advertises routes to a CE, if an ASN in the
AS-Path of the route is the same as that of the CE, the PE replaces that ASN in the route with its
own ASN.
NOTE
After BGP ASN substitute is enabled, the PE re-advertises routing information to the CEs connected to
it in the peer group, substituting the AS_path attribute of the routes according to the above
rule.
[Figure 5-26: BGP ASN substitute. CE1 (AS 800) sends EBGP_Update 10.1.1.1/32, AS-path 800, to PE1. PE1 sends VPNv4_Update (10.1.0.0/16, RD, 10.1.1.1/32, AS-path 800) across the backbone (AS 100) to PE2. PE2 sends EBGP_Update 10.1.1.1/32, AS-path 100, to CE2 (AS 800). CE3 is also attached to PE2.]
In Figure 5-26, both CE 1 and CE 2 use ASN 800. The ASN substitute function is enabled on PE 2 to
substitute the ASN of CE 2. When advertising updates received from CE 1 to CE 2, PE 2 finds
that the ASN in the AS_path is the same as that of CE 2. It substitutes this ASN with 100, its own
ASN, before advertising the route to CE 2. In this way, CE 2 can receive routing
information from CE 1 normally.
When a PE connects multiple CEs (such as CE 2 and CE 3) through different interfaces, the BGP
ASN substitute function can also be used.
NOTE
For a multi-homed CE, you should use the BGP ASN substitute function together with the Site-of-Origin
(SOO) function. Otherwise, a routing loop may occur.
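The ASN substitute rule and the Figure 5-26 exchange, together with the Site-of-Origin check from the NOTE, as an added Python model (not code from the Huawei document or the Eudemon); the normal EBGP prepend of the PE's own ASN and the SOO value format are assumptions of the model.

```python
"""BGP ASN substitute on the PE-CE EBGP session of Figure 5-26 (added example)."""
from typing import List, Optional


def ce_accepts(as_path: List[int], ce_asn: int) -> bool:
    """EBGP loop detection on the CE: an update whose AS_path already contains the CE's
    own ASN is rejected, which is what breaks CE-to-CE reachability when both use AS 800."""
    return ce_asn not in as_path


def pe_advertise(as_path: List[int], pe_asn: int, ce_asn: int, asn_substitute: bool) -> List[int]:
    """PE advertising a route to a CE. With ASN substitute enabled, every occurrence of the
    CE's ASN in the AS_path is replaced by the PE's own ASN. The PE then prepends its own
    ASN, the normal EBGP behaviour (assumed here; the figure shows only the substituted path)."""
    if asn_substitute:
        as_path = [pe_asn if asn == ce_asn else asn for asn in as_path]
    return [pe_asn] + list(as_path)


def filter_by_soo(route_soo: Optional[str], site_soo: str) -> bool:
    """Site-of-Origin check for a multi-homed CE: a route tagged with the site's own SOO is
    not handed back to that site. Without it, ASN substitute removes the very ASN that
    would otherwise have stopped the route from looping back (the NOTE above).
    SOO values are written 'ASN:number' here, a constructed format for the demo."""
    return route_soo != site_soo


def figure_5_26(asn_substitute: bool) -> Optional[List[int]]:
    """CE1 (AS 800) -> PE1 -> backbone AS 100 -> PE2 -> CE2 (AS 800) for 10.1.1.1/32.
    Returns the AS_path CE2 accepts, or None if CE2 drops the update."""
    ebgp_update_from_ce1 = [800]            # CE1 prepends its own ASN
    vpnv4_update = ebgp_update_from_ce1     # carried unchanged from PE1 to PE2 by MP-BGP
    to_ce2 = pe_advertise(vpnv4_update, pe_asn=100, ce_asn=800, asn_substitute=asn_substitute)
    return to_ce2 if ce_accepts(to_ce2, ce_asn=800) else None


if __name__ == "__main__":
    print(figure_5_26(asn_substitute=False))  # None: CE2 sees its own AS 800 in the path
    print(figure_5_26(asn_substitute=True))   # [100, 100]: accepted by CE2
```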
[Figure: CE1 (Site1, 1.1.1.1/24) - PE1 - P - P - PE2 - CE2 (Site2, 1.1.1.2/24); steps (1) to (5) mark the path, with Layer 1 and Layer 2 labels showing 1.1.1.2 at each hop.]
[Figure: intranet networking. VPN1 (Site1 and Site3): Import 100:1, Export 100:1. VPN2 (Site2 and Site4): Import 200:1, Export 200:1. Each site's CE attaches to a PE, and the PEs are connected across the backbone through a P router.]
l Extranet Networking
Extranet networking can be used when users in a VPN want to provide part of the VPN
site's resources to users that are not in the VPN.
In this kind of networking, if a VPN needs to access a shared site, the Export Target and
the Import Target of the VPN must be contained in the Import Target and the
Export Target, respectively, of the VPN-instance of the shared site.
[Figure: extranet networking. Site1 (VPN1, on PE1): Import 100:1, Export 100:1. Site2 (VPN2, on PE2): Import 200:1, Export 200:1. Site3 (VPN1, shared, on PE3): Import 100:1, 200:1; Export 100:1, 200:1.]
– Based on the above, site 1 and site 3 of VPN 1 can communicate with each other, and
site 2 of VPN 2 and site 3 of VPN 1 can communicate with each other.
– PE 3 advertises neither the VPN-IPv4 routes received from PE 1 to PE 2, nor the VPN-
IPv4 routes received from PE 2 to PE 1. Therefore, site 1 of VPN 1 and site 2 of VPN
2 cannot communicate with each other.
l Sham link
In general, BGP peers carry routing information across the MPLS VPN backbone network
in the BGP extended community attribute. The OSPF process that runs on the remote PE can
use this information to create Type 3 LSAs that are transmitted to the CEs. These routes are
inter-area routes.
As shown in Figure 5-32, site 1 and site 2 both belong to VPN 1 and to the same OSPF area.
They are connected to different PEs, PE 1 and PE 2. There is an intra-area OSPF link, called a
backdoor link, between them. In this case, the route connecting the two sites through the PEs
is an inter-area route. It is not preferred by OSPF because its preference is lower than that
of the intra-area route across the backdoor link.
[Figure 5-32: sham link. Site1 (VPN1, OSPF 200, Area1, CE12) attaches to PE1 and Site3 (VPN1, OSPF 200, Area1, CE22) attaches to PE2 across the MPLS VPN backbone; a sham link runs between PE1 and PE2, and a backdoor link connects the two sites directly.]
In this case, VPN traffic is always forwarded through the backdoor link
instead of the backbone network. To solve the problem, you can establish a sham link
between the two PEs so that the route between them over the MPLS VPN backbone
becomes an intra-area route.
The sham link acts as an inter-area point-to-point link and is advertised in Type
1 LSAs. You can choose between the sham link and the backdoor link by adjusting the
metric.
The sham link is considered a link between two VPN-instances, with one endpoint
address in each VPN-instance. The endpoint address is a Loopback interface address with
a 32-bit mask in the VPN address space on the PE. Different sham links of the same OSPF
process can share an endpoint address, but those of different OSPF processes cannot.
BGP advertises the endpoint addresses of sham links as VPN-IPv4 addresses. A route
across the sham link cannot be imported into BGP as a VPN-IPv4 route.
The sham link can be configured in any area. You need to configure it manually on the
Eudemon. In addition, the local VPN-instance must contain a route to the destination of the
sham link.
l Multi-VPN-Instance CE
Generally, OSPF multi-instance runs on PEs. Routers that run OSPF multi-instance inside
a LAN are called Multi-VPN-instance CEs. Compared with OSPF multi-instance on a PE,
Multi-VPN-instance CEs need not support BGP/OSPF interoperability.
Multi-VPN-instance CEs are used to solve the security problem of LANs at low cost.
It is hard to completely separate different services in a LAN with traditional routers.
The Eudemon can run multiple OSPF processes on one router. Each OSPF process can
belong to the public network or to a VPN-instance. Therefore, you can run multiple OSPF
processes on a router and bind them to different VPN-instances.
In practice, you can create OSPF instances for different services to separate the services
and ensure their security.
6 Intrusion Detection
Through the intrusion detection function, the Eudemon can identify applications that use
nonstandard ports. Moreover, the Eudemon deeply inspects application data, which improves
the network protection capability.
6.1 Identification of Protocols Using Nonstandard Ports
The protocol identification function of the Eudemon solves the problem of false positive and
false negative in protocol identification of service packets using nonstandard ports.
6.2 Protocol Detection
The protocol detection function of the Eudemon analyzes and detects application layer payload
packets. Thus, potential attacks from the payload packets can be prevented.
6.3 IPS Detection
This topic describes the process and working principle of the IPS detection, and the processing
and upgrade method of the IPS rule.
6.1.1 Overview
This topic describes the reasons and advantages of protocol identification using nonstandard
ports.
With the emergence of new network protocols and software, traditional port-based protocol
identification is increasingly limited. The Eudemon supports protocol identification based
on both standard and nonstandard ports. Thus, the following common network problems can
be solved:
l Certain new network protocols do not use fixed ports. Instead, the protocols negotiate ports
when they work. Protocol identification based on ports cannot identify protocols of this
type.
l Certain network administrators use nonstandard ports for common network application
services to reduce the risks of external attacks.
l A large number of services run on nonstandard ports. During attack detection, the protocol
types of the packets of these services cannot be identified, so attacks carried in these
services can evade detection.
The protocol identification function of the Eudemon solves the problem of false positive and
false negative in protocol identification of application packets using nonstandard ports.
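As an added illustration (not the Eudemon's own implementation) of why port-independent identification matters, the following classifier compares a port-table lookup with a match on content signatures taken from the first bytes of the stream; the signatures, port table and sample payloads are constructed for this example.

```python
"""Added example: identify an application protocol from payload content
rather than from the destination port. Signatures and samples are constructed."""
import re

# Well-known ports a purely port-based classifier relies on (constructed subset).
PORT_TABLE = {80: "HTTP", 21: "FTP", 25: "SMTP", 110: "POP3", 143: "IMAP"}

# Content signatures over the first bytes of a stream, in priority order.
# Both client-to-server and server-to-client patterns are listed.
SIGNATURES = [
    ("HTTP", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("HTTP", re.compile(rb"^HTTP/1\.[01] \d{3} ")),           # response status line
    ("SMTP", re.compile(rb"^(EHLO|HELO) \S+\r\n")),
    ("SMTP", re.compile(rb"^220 \S+ (ESMTP|SMTP)")),          # SMTP server banner
    ("FTP",  re.compile(rb"^220[ -].*FTP", re.IGNORECASE)),   # FTP server banner
    ("POP3", re.compile(rb"^\+OK ")),
    ("IMAP", re.compile(rb"^\* OK ")),
]


def identify_by_port(dst_port):
    """The traditional method: trust the destination port."""
    return PORT_TABLE.get(dst_port, "UNKNOWN")


def identify_by_content(payload, max_probe=256):
    """Look only at the first max_probe bytes; first matching signature wins."""
    head = payload[:max_probe]
    for proto, pattern in SIGNATURES:
        if pattern.match(head):
            return proto
    return "UNKNOWN"


def classify(dst_port, payload):
    """Return (port_based, content_based, verdict). The content result takes
    precedence; the port table is only a fallback when nothing matches, so a
    service moved to a nonstandard port is still inspected as the right protocol."""
    by_port = identify_by_port(dst_port)
    by_content = identify_by_content(payload)
    verdict = by_content if by_content != "UNKNOWN" else by_port
    return by_port, by_content, verdict
```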
6.2.1 Overview
This topic describes the common types of detected protocols and response policies of abnormal
packets detected.
Response Policies
After the protocol detection, the Eudemon processes abnormal packets detected according to
response policies as shown in Table 6-1.
Reference
For details about the working principle of the DNS detection, refer to the following standards:
NOTE
When you read this guide, the draft number in the preceding standards may be added.
l Restrict the size of the chunk block when HTTP packets are transferred in chunked mode. Some
attack packets are packed as one large chunk to attack the WWW server, which may
overflow the Web server cache.
l Restrict the receiving of abnormal HTTP response packets. Some attack packets pretend
to be HTTP response packets to attack the HTTP client.
Working Principles
Figure 6-1 shows the working process of the HTTP detection of the Eudemon.
[Figure 6-1 Working process of the HTTP detection: the Eudemon sits between the internal network and the external network; steps 1 to 6 are numbered in the figure, with overflow/behavior/CGI attack detection at step 4]
The following describes the working principle of the HTTP detection through the example that
the HTTP client accesses a WWW server:
1. The HTTP client sends a request packet to the WWW server.
2. The Eudemon intercepts the request packet and performs the HTTP detection.
3. The Eudemon processes the request packet according to the detection result.
l If the detection result of the packet is normal, the Eudemon forwards the request packet
to the WWW server.
l If the detection result of the packet is abnormal, the Eudemon processes the request
packet according to the response policies configured by users.
4. The HTTP server sends a response packet after receiving the HTTP request packet.
5. The Eudemon intercepts the response packet and performs the HTTP detection.
6. The Eudemon processes the response packet according to the detection result.
l If the detection result of the packet is normal, the Eudemon forwards the response packet
to the HTTP client.
l If the detection result of the packet is abnormal, the Eudemon processes the response
packet according to the response policies configured by users.
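The two HTTP checks listed above, written as an added example that is not the Eudemon's own code: a per-chunk size limit for chunked bodies and rejection of responses whose status line is not well-formed. MAX_CHUNK is an assumed limit and the sample messages are constructed.

```python
"""Added example: defender-side HTTP checks for oversized chunks and
abnormal response packets. Limit and sample messages are constructed."""
import re

MAX_CHUNK = 64 * 1024   # assumed per-chunk limit; not a value from this document

STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3}) [ -~]*\r\n")


def check_chunked_body(body, max_chunk=MAX_CHUNK):
    """Walk a chunked transfer-coded body. Returns (ok, reason).
    Every chunk-size line is validated before any data is consumed, so a
    single huge chunk is refused before it could fill a receive buffer."""
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            return False, "truncated chunk-size line"
        size_field = body[pos:end].split(b";", 1)[0].strip()   # drop chunk extensions
        # at most 8 hex digits: anything longer cannot be an honest size
        if not re.fullmatch(rb"[0-9A-Fa-f]{1,8}", size_field):
            return False, "malformed chunk size %r" % size_field
        size = int(size_field, 16)
        if size > max_chunk:
            return False, "chunk of %d bytes exceeds limit %d" % (size, max_chunk)
        pos = end + 2
        if size == 0:
            return True, "ok"                # last-chunk; trailers are not inspected here
        if len(body) < pos + size + 2 or body[pos + size:pos + size + 2] != b"\r\n":
            return False, "chunk data truncated or missing CRLF"
        pos += size + 2


def check_response(raw):
    """Reject a response that does not start with a valid HTTP/1.x status line,
    then apply the chunk check when the body is chunked. Returns (ok, reason)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    m = STATUS_LINE.match(head + b"\r\n")
    if not m:
        return False, "abnormal status line"
    code = int(m.group(1))
    if not 100 <= code <= 599:
        return False, "status code out of range"
    if b"transfer-encoding: chunked" in head.lower():
        if not sep:
            return False, "chunked response without body"
        return check_chunked_body(body)
    return True, "ok"
```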
Reference
For details about the working principle of the HTTP detection, refer to the following standards:
l RFC1945: Hypertext Transfer Protocol HTTP/1.0
l RFC2616: Hypertext Transfer Protocol HTTP/1.1
l RFC3986: Uniform Resource Identifier (URI) Generic Syntax
NOTE
When you read this guide, the draft number in the preceding standards may be added.
Working Principles
Figure 6-2 shows the working process of the FTP detection of the Eudemon.
[Figure 6-2 Working process of the FTP detection: steps 1 to 6 are numbered in the figure, with FTP detection at steps 2/5 and overflow/behavior detection at step 4]
Figure 6-2 describes the working process of the FTP detection of the Eudemon through the
example that the FTP client accesses an FTP server:
Reference
For details about the working principle of the FTP detection, refer to the following standards:
NOTE
When you read this guide, the draft number in the preceding standards may be added.
Working Principle
Figure 6-3 shows the working process of the SMTP detection of the Eudemon.
[Figure 6-3 Working process of the SMTP detection: SMTP client (Trust), Eudemon (SMTP detection at steps 2/5 and 4), internal mail server (DMZ), Internet; steps 1, 3 and 6 are numbered in the figure]
Figure 6-3 describes the process of the SMTP detection when the SMTP client sends an email.
l If no abnormal packet is detected, the Eudemon sends the email to the internal mail
server.
l If an abnormal packet is detected, the Eudemon processes the email according to the
response policies configured by users.
4. The internal mail server forwards the received email to the external mail server.
5. The Eudemon intercepts the packets during the sending and performs the SMTP detection.
6. The Eudemon processes the email according to the detection result.
l If no abnormal packet is detected, the Eudemon sends the email to the external mail
server.
l If an abnormal packet is detected, the Eudemon processes the email according to the
response policies configured by users.
Reference
For details about the working principle of the SMTP detection, refer to the following standards:
NOTE
When you read this guide, the draft number in the preceding standards may be added.
Working Principle
Figure 6-4 shows the working process of the IMAP/POP3 detection of the Eudemon.
[Figure 6-4 Working process of the IMAP/POP3 detection: external mail server (Internet), Eudemon (IMAP/POP3 detection at steps 2/5, 3 and 4), internal mail server (DMZ), IMAP/POP3 client (Trust); steps 1 and 6 are numbered in the figure]
Figure 6-4 shows the working process of the IMAP/POP3 detection through the example that
the IMAP/POP3 client on the internal network receives emails from the external mail server:
1. The external mail server sends an email to the internal mail server.
2. The Eudemon intercepts the packets during the sending and performs the IMAP/POP3
detection on them.
3. The Eudemon processes the email according to the detection result.
l If no abnormal packet is detected, the Eudemon sends the email to the internal mail
server.
l If an abnormal packet is detected, the Eudemon processes the email according to the
response policies configured by users.
4. The internal mail server sends an email to the IMAP/POP3 client.
5. The Eudemon intercepts the packets during the sending and performs the IMAP/POP3
detection on them.
6. The Eudemon processes the email according to the detection result.
l If no abnormal packet is detected, the Eudemon forwards the email to the IMAP/POP3
client.
l If an abnormal packet is detected, the Eudemon processes the email according to the
response policies configured by users.
Reference
For details about the working principle of the IMAP/POP3 detection, refer to the following
standards:
NOTE
When you read this guide, the draft number in the preceding standards may be added.
6.3.1 Overview
This topic describes the function and general concepts of the IPS detection.
Introduction
Through the IPS detection, the Eudemon inspects application layer data and prevents various
types of vulnerability exploits, such as worms, Trojans, DoS attacks, and code attacks.
Through the IPS function, the Eudemon can inspect both the quintuple (source address, source
port, destination address, destination port, and protocol type) and the payload of the
application layer data.
General Concepts
The following concepts are involved in the IPS detection of the Eudemon:
l IPS rules
The Eudemon detects application layer data with the IPS rule file. The IPS rules can be
categorized into the following two types:
– System predefined IPS rules that are provided by Huawei and can be updated through
the online upgrade.
– User-defined IPS rules that are defined according to network requirements, so that
network security is ensured at the earliest time.
l Event response policies
– The Eudemon records the IPS detection result, and thus the network operation can be
audited, which provides reference for the network administrator and other network
security decision-makers.
– In addition, the Eudemon can stop abnormalities on the network in time according to
the response policies configured by users. In this way, the internal network is less likely
to be attacked and the information security is ensured.
When detecting with the IPS rule file, the Eudemon processes abnormal packets according
to the packet processing policies shown in Table 6-2.
IPS Detection
The IPS detection realizes the attack detection through the comparison between packets and IPS
rules. Each IPS rule contains an attack feature. When a packet matches an IPS rule, the
Eudemon regards the packet as an attack packet and processes the packet according to the
response policy of the IPS rule.
NOTE
If a packet matches several IPS rules, the Eudemon processes the packet according to the response policy of
the IPS rule with the highest security level.
According to the severity of the threat to network security, the Eudemon classifies the system-predefined IPS
rules into three levels: high, medium, and low, in descending order.
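The matching rule described above, as an added example that is not the Eudemon's code: a payload is compared with every IPS rule, and when several rules match, the response policy of the highest-severity rule is applied and all matching rule ids are kept for the audit record. The rule contents, actions and sample payloads are constructed; this page does not show the real rule file format.

```python
"""Added example: IPS rule matching with severity precedence. Rules, actions
and payloads are constructed; the real rule file format is not shown here."""
from dataclasses import dataclass
from typing import Optional, Tuple

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class IpsRule:
    rule_id: int
    name: str
    pattern: bytes           # attack feature: byte string looked for in the payload
    severity: str            # "high" | "medium" | "low"
    action: str              # response policy: "block" | "alert" | "log" (constructed)
    predefined: bool = True  # False for user-defined rules


@dataclass(frozen=True)
class Verdict:
    action: str
    rule: Optional[IpsRule]          # the rule whose policy was applied
    matched: Tuple[int, ...]         # ids of every matching rule, for the audit log


def evaluate(payload, rules):
    """Return the verdict for one payload; traffic that matches no rule is permitted."""
    hits = [r for r in rules if r.pattern in payload]
    if not hits:
        return Verdict("permit", None, ())
    # Highest severity wins. The tie-break (user-defined first, then lowest id)
    # is chosen for this example; the document does not specify one.
    best = max(hits, key=lambda r: (SEVERITY_RANK[r.severity], not r.predefined, -r.rule_id))
    return Verdict(best.action, best, tuple(r.rule_id for r in hits))


def audit_line(flow, verdict):
    """Format the record kept for later review by the administrator."""
    ids = ",".join(str(i) for i in verdict.matched) or "-"
    rule = verdict.rule.name if verdict.rule else "-"
    return "%s action=%s rule=%s matched=[%s]" % (flow, verdict.action, rule, ids)


# Constructed rule set: two predefined low/medium rules, one predefined high
# rule and one user-defined rule at medium severity.
RULES = [
    IpsRule(1001, "generic-shell-metachar", b"| sh", "low", "log"),
    IpsRule(1002, "cgi-traversal", b"../../", "medium", "alert"),
    IpsRule(1003, "buffer-overflow-probe", b"A" * 200, "high", "block"),
    IpsRule(9001, "user-defined-app-probe", b"/admin/debug", "medium", "block", predefined=False),
]
```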
Introduction
The IPS rule stores the attack features of network attacks that have been detected. The
Eudemon performs intrusion defense through the IPS, and thus the internal network is
protected. The IPS rule is developed, maintained, and periodically updated by Huawei. The
latest version provides the latest feature information.
Version Upgrade
After purchasing the IPS rule upgrade service, users can update the IPS rule of the device
periodically in the following three ways:
l Automatic upgrade
Connect to the configured upgrade server periodically to upgrade the IPS rule.
The automatic upgrade cycle is one day. If new attacks occur on the network after an
automatic upgrade, the automatic upgrade function cannot update the IPS rule immediately
and you have to wait for the next automatic upgrade. In this way, the IPS rule cannot be
upgraded in real time.
l Manual upgrade
Connect to the configured upgrade server immediately to upgrade the IPS rule.
In this way, the IPS rule can be upgraded in real time.
l Local upgrade
Download the IPS rule from the upgrade server and manually upload the IPS rule file to
the device. Thus, the IPS rule is upgraded.
Version Rollback
If faults occur on the current IPS rule, you can roll back to the previous version through the
version rollback function.
[Figure 6-6 Upgrade procedure of the IPS rule: internal network, Eudemon, upgrade server]
Figure 6-6 shows the automatic/manual upgrade procedure of the IPS rule:
1. Specify the address of the upgrade server of the IPS rule on the Eudemon.
2. The Eudemon sends an HTTP request for the IPS rule to the upgrade server.
3. The upgrade server authenticates whether the device has bought the IPS rule upgrade
service.
4. The authenticated Eudemon downloads the latest IPS rule through FTP.
5. The Eudemon saves the latest IPS rule in the flash.
NOTE
The earlier IPS rule is stored on the Eudemon for version rollback.
7 Surfing Behavior Management
The surfing behavior management can control and audit IM applications. In addition, the surfing
behavior management can identify and control P2P traffic, game applications, and stock applications.
7.1 Overview
This topic describes basic functions of the surfing behavior management.
7.2 Type
The surfing behavior management functions of the Eudemon can be classified into four types
according to contents.
7.3 Working Principles
This topic describes the working principle of the IM management and management of P2P,
stock, and game data.
7.1 Overview
This topic describes basic functions of the surfing behavior management.
To reduce the impact of entertainment applications, the Eudemon provides the surfing behavior
management function to control enterprise internal users' use of QQ, MSN, P2P traffic,
stock applications, and game applications.
7.2 Type
The surfing behavior management functions of the Eudemon can be classified into four types
according to contents.
7.2.1 IM Management
This topic describes the application of the Instant Messaging (IM) management of the
Eudemon to QQ and MSN.
7.2.2 P2P Traffic Identification and Control
The Eudemon can identify P2P traffic and specify P2P control policies to restrict P2P traffic.
7.2.3 Game Identification and Control
The Eudemon can identify game applications and specify game control policies to restrict them.
7.2.4 Stock Identification and Control
The Eudemon can identify stock data and specify stock control policies to restrict stock applications.
7.2.1 IM Management
This topic describes the application of the Instant Messaging (IM) management of the
Eudemon to QQ and MSN.
The IM management of the Eudemon is realized through the IM login control and IM login audit.
IM Login Control
The Eudemon controls the login of QQ/MSN users through IM control policies based on the
address set and time range.
Based on IM control policies, the Eudemon controls whether users in the specified network
segment can use the IM in the specified time period. For example, there are managers and
engineers on an enterprise network. You can configure two IM control policies to manage
different employee networks. One IM control policy allows managers to use the IM at any time.
The other IM control policy allows engineers to use the IM only during non-work time.
In addition, the Eudemon supports the control on QQ/MSN users who have logged in.
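The managers/engineers example above, worked through as an added example that is not the Eudemon's code: each IM control policy is keyed on an address set and a time range, and the first matching policy decides whether a login is permitted. The network segments, work hours, policy order and default action are assumptions made for this example.

```python
"""Added example: IM login control from address sets and time ranges.
Segments, work hours, policy order and the default action are constructed."""
import ipaddress
from datetime import datetime, time


class ImControlPolicy:
    def __init__(self, name, address_set, days, start, end, action):
        self.name = name
        self.networks = [ipaddress.ip_network(n) for n in address_set]
        self.days = days                  # weekday numbers, Monday == 0
        self.start, self.end = start, end # time range; start == end means the whole day
        self.action = action              # "permit" | "deny"

    def in_time_range(self, when):
        if when.weekday() not in self.days:
            return False
        if self.start == self.end:
            return True
        t = when.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end   # range that wraps past midnight

    def matches(self, ip, when):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks) and self.in_time_range(when)


def im_login_decision(policies, ip, when, default="deny"):
    """First matching policy wins; when none matches the default action applies.
    Returns (action, policy name) so the decision can be written to the login audit."""
    for policy in policies:
        if policy.matches(ip, when):
            return policy.action, policy.name
    return default, "default"


ALL_DAYS = set(range(7))
WORKDAYS = set(range(5))
# Constructed: managers on 10.1.1.0/24 may use IM at any time; engineers on
# 10.1.2.0/24 are denied during work time (09:00-18:00, weekdays) and permitted otherwise.
POLICIES = [
    ImControlPolicy("managers-any-time", ["10.1.1.0/24"], ALL_DAYS, time(0, 0), time(0, 0), "permit"),
    ImControlPolicy("engineers-work-time", ["10.1.2.0/24"], WORKDAYS, time(9, 0), time(18, 0), "deny"),
    ImControlPolicy("engineers-off-hours", ["10.1.2.0/24"], ALL_DAYS, time(0, 0), time(0, 0), "permit"),
]
```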
IM Login Audit
The Eudemon records the following information when a QQ/MSN user logs in and uploads the
information to the log server:
Program          Version
MSN Messenger    Windows Live Message 2008 (build 8.5 1302 1018)
The Eudemon uses deep detection and behavior detection technologies to accurately
identify P2P packets and restrict P2P traffic.
Through Huawei-proprietary dynamically loadable pattern files, the Eudemon can also identify
newly emerged P2P, game, and stock applications.
The Eudemon identifies and restricts P2P applications in the following ways:
l Identify popular P2P applications and constantly update its P2P library.
l Restrict P2P traffic and enable users to set upper thresholds for P2P traffic.
l Control the use of P2P applications according to control policies defined by users.
Control policies control P2P applications in the following fields:
Figure 7-1 shows the working principle of the IM management of the Eudemon.
[Figure 7-1 Working principle of the IM management: a login request from the Trust zone to the Untrust zone is matched against the address set/time range/action of the IM control policies and recorded by the IM login audit]
[Figure 7-2 Working principle of the P2P/stock/game data management: an access request from the Trust zone to the Untrust zone is matched on source IP/source port/destination IP/destination port/protocol and either forwarded or discarded; the response packet is matched in the same way and either forwarded or discarded]
The following describes the process of the management of P2P/game/stock through the example
of the management of P2P application.
1. An internal user sends a request to the external P2P server such as the Web server shown
in Figure 7-2.
2. The Eudemon intercepts the request and detects it according to internal P2P management
policies.
3. The Eudemon processes the request according to P2P management policies.
l If the Eudemon identifies that the corresponding P2P management policy of the request
is permit, the request is sent to the P2P server.
l If the Eudemon identifies that the corresponding P2P management policy of the request
is deny, the request is discarded and the alarm message is sent to the log server.
4. After receiving the request, the external P2P server sends the response packet.
5. The Eudemon intercepts the response packet and detects it according to internal P2P
management policies.
6. The Eudemon processes the response packet according to P2P management policies.
l If the Eudemon identifies that the corresponding P2P management policy of the
response packet is permit, the response packet is sent to the internal user.
l If the Eudemon identifies that the corresponding P2P management policy of the
response packet is deny, the response packet is discarded and the alarm message is sent
to the log server.
8 Mail Filtering
The mail filtering function detects mails transferred through SMTP and identifies whether they
should be filtered or not.
8.1 Overview
This topic describes the mail filtering function of the Eudemon.
8.2 Concept
This topic describes some general concepts of the mail filtering function.
8.3 Working Principles
This topic describes the working principle of mail filtering of the Eudemon.
8.1 Overview
This topic describes the mail filtering function of the Eudemon.
The mail filtering function detects mails transferred through SMTP and identifies whether they
should be filtered or not. The mail filtering function of the Eudemon is realized mainly through
the Real-time Blackhole List (RBL) server.
8.2 Concept
This topic describes some general concepts of the mail filtering function.
Reply Code
The reply code is a specified field in the DNS packet that the RBL server returns when the
Eudemon queries a mail through the RBL server.
The reply code indicates whether a mail should be filtered or not. The system processes the
mail according to the reply codes and mail processing policies configured by users. If no
matching reply code is found, the unknown-code processing policy is adopted.
RBL Server
The RBL server provides the spam query function. After receiving a query request, the RBL
server performs the query and returns the query result in the form of reply codes. The spam query
is realized directly or indirectly through the RBL server:
l If the RBL server can provide the direct query service, the address of the RBL server is
configured as the parameter of the rbl-filter server command.
l If the RBL server cannot provide the direct query service (for example, most servers outside
China that provide the RBL service free of charge), the IP addresses of some well-known DNS
servers on the network can be configured as the parameter of the rbl-filter server command.
The query is then redirected to the RBL server through the DNS server.
The following are some of the RBL servers that are free of charge and their query sets:
l www.anti-spam.org.cn, where query sets such as cbl, cdl, cbl+, and cbl- are available.
l www.spamhaus.org, where query sets such as sbl, xbl, and pbl are available.
The unknown-code processing policy is adopted in either of the following cases:
l The source IP address of the mail does not exist in the RBL query sets.
l The RBL server returns the reply code, but the corresponding processing policy is not
configured in the Eudemon.
Table 8-1 shows the unknown-code processing policies of mail filtering of the Eudemon.
[Figure: Working principle of mail filtering. The sender (Untrust) reaches the internal mail server (DMZ) and the receiver (Trust) through the external mail server and the Eudemon; the Eudemon sends an email filtering query to the RBL server, receives the reply code, applies the email filtering policy, and either forwards the email or disconnects the SMTP connection]
When a sender on the external network sends a mail to the internal mail server on the internal
network through the external mail server, the Eudemon performs the following detection to
prevent spam:
1. The Eudemon detects the SMTP connection request.
2. The Eudemon obtains the IP address of the sender and queries it in the RBL server.
3. The RBL server queries the IP address in the query sets. If the corresponding reply code is
found, the RBL server sends the reply code to the Eudemon.
4. The Eudemon processes the mail according to the query result and mail filtering policy.
l If the returned reply code matches that configured by users in the Eudemon and the
corresponding mail filtering policy is deny, the connection request is rejected.
l If the returned reply code matches that configured by users in the Eudemon and the
corresponding mail filtering policy is permit, the connection request is forwarded.
l If the source IP address of the mail does not exist in the RBL query sets, or the RBL
server returns the reply code but no corresponding processing policy is configured in
the Eudemon, the Eudemon processes the mail according to the unknown-code
processing policies.
l If the RBL server does not return the reply code before the timeout expires, the Eudemon
processes the mail according to the timeout processing policies.
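The decision logic of steps 2 to 4 above, as an added example that is not the Eudemon's code. The reversed-octet query name is the usual DNS blacklist convention; the reply codes, the reply-code policies, the unknown-code and timeout policies and the stub lookup table are constructed, and no RBL server is contacted.

```python
"""Added example: RBL lookup and reply-code policy for an SMTP connection.
Reply codes, policies and the stub RBL table are constructed."""
import ipaddress


def rbl_query_name(sender_ip, zone):
    """Build the DNSBL query name: the sender's octets reversed, under the RBL zone."""
    ip = ipaddress.IPv4Address(sender_ip)
    return ".".join(reversed(str(ip).split("."))) + "." + zone


# Constructed stand-in for the RBL server: query name -> reply code (an A record),
# None when the IP is in no query set, or "timeout" when no answer arrives.
STUB_RBL = {
    "2.0.0.127.rbl.example": "127.0.0.2",
    "5.0.0.127.rbl.example": "127.0.0.9",
    "7.0.0.127.rbl.example": "timeout",
}


class RblPolicy:
    def __init__(self, code_policies, unknown_code="permit", timeout="permit"):
        self.code_policies = code_policies   # reply code -> "permit" | "deny"
        self.unknown_code = unknown_code     # unknown-code processing policy
        self.timeout = timeout               # timeout processing policy

    def decide(self, reply):
        """Map the RBL answer to the SMTP connection decision and its reason."""
        if reply == "timeout":
            return self.timeout, "timeout-policy"
        if reply is None:
            return self.unknown_code, "not-listed"
        if reply in self.code_policies:
            return self.code_policies[reply], "reply-code " + reply
        return self.unknown_code, "unconfigured-code " + reply


def filter_smtp_connection(sender_ip, zone, policy, lookup=STUB_RBL.get):
    """Steps 2 to 4: query the sender address, then apply the mail filtering policy."""
    return policy.decide(lookup(rbl_query_name(sender_ip, zone)))
```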
9 Reliability
The Eudemon supports VRRP, VGMP, and HRP. It can implement routing information backup,
backup group management, and dual-system hot backup. Therefore, the Eudemon delivers high
reliability.
9.1 VRRP Overview
The Virtual Router Redundancy Protocol (VRRP) is a fault-tolerant protocol defined in RFC
3768. By separating physical devices from logical devices, VRRP chooses a path from multiple
egress gateways.
9.2 VGMP Overview
To avoid VRRP state inconsistency, Huawei develops the VRRP Group Management Protocol
(VGMP) based on VRRP. VGMP can manage the VRRP state of each backup group. With the
VGMP mechanism, you can manage multiple VRRP backup groups (the virtual firewalls) in
terms of: state consistency, preemption, and channel.
9.3 Introduction to Dual-System Hot Backup
The dual-system hot backup function of the Eudemon accomplishes hot backup of the
configuration commands and the state information. This function supports automatic backup
and manual patch backup.
9.4 Hierarchical Protocol Relation Between VRRP Backup Group, Management Group, and
HRP
Protocol relationships exist between the VRRP backup group and the VGMP group, and the
VGMP group and HRP. HRP packets are carried by VGMP packets for transmission.
9.5 Checking the Configuration Consistency
Consistency check of configurations is used in the dual-system hot backup to check whether the
ACL configurations and HRP configurations of the master and backup devices are consistent
with each other.
9.6 IP-Link Auto-detection Overview
IP-Link auto-detection automatically checks whether a service link works normally by utilizing
the features of the Internet Control Message Protocol (ICMP) or the Address Resolution Protocol
(ARP).
[Figure: Network in default route mode: a PC and a server on 10.100.10.0/24 reach external networks through a single router at 10.100.10.1/24]
All packets exchanged between internal and external users pass through the router.
When the router fails, all hosts whose default next hop is the router fail to communicate
with external networks. Therefore, communication is unreliable in the default route mode.
VRRP can solve the preceding problem.
As a kind of fault tolerant protocol, VRRP applies to LANs that support multicast or broadcast,
for example, the Ethernet.
VRRP groups several routers on a LAN as a virtual router, which is called a backup group. In
a backup group, only one router functions as an active device, which is called master device; all
the other routers act as backup devices (functioning in priority order), ready to take over
transactions at any time.
Figure 9-2 shows a backup group consisting of three routers.
[Figure 9-2 Backup group of three routers: Router A (master), Router B (backup, 10.100.10.3/24) and Router C (backup, 10.100.10.4/24) form a backup group with virtual IP address 10.100.10.1/24; a PC and a server sit on 10.100.10.0/24]
l Routers A, B, and C set up a backup group (acting as a virtual router), whose virtual IP
address is 10.100.10.1/24.
l Router A is the master device, whose IP address is 10.100.10.2/24.
l Routers B and C are backup devices, whose IP addresses are 10.100.10.3/24 and
10.100.10.4/24 respectively.
l For VRRP, only the master device can forward packets whose next hop addresses are the
virtual IP address.
Hosts on the internal network only know that the virtual IP address is 10.100.10.1. They do not
know the IP addresses of the master or backup devices. Therefore, each host configures its default
route to the virtual IP address. In this case, all hosts on the internal network can communicate
with external networks through this backup group.
The VRRP module on the master router monitors the state of the communication interface and
sends notification packets to the backup routers in multicast mode.
If the master router fails because of interface or link faults, the VRRP notification packets cannot
be sent out as usual.
When the backup routers do not receive any VRRP notification packet in a specified interval,
VRRP specifies the backup router with the highest priority as the new master router by bringing
the state of VRRP on it to master, and switches related transactions to the new master router.
Once the new master router fails, another backup router is selected as the master router according
to the priority, continuing to provide routing services to internal hosts.
The VRRP technology can ensure the communication between hosts on the internal network
and the external networks, thus enhancing reliability effectively.
[Figure: Eudemon A (master) and Eudemon B (backup) connect through LAN switches to the Trust zone (backup group 1), the DMZ (backup group 2, 10.100.20.0/24, virtual IP address 10.100.20.1/24) and the Untrust zone (backup group 3, virtual IP address 202.38.10.1/24)]
l Eudemon A acts as the master device and Eudemon B acts as the backup device.
l Interfaces connected with the Trust zone on the master and backup devices set up backup
group 1, whose virtual IP address is 10.100.10.1/24.
l Interfaces connected with the DMZ on the master and backup devices set up backup group
2, whose virtual IP address is 10.100.20.1/24.
l Interfaces connected with the Untrust zone on the master and backup devices set up backup
group 3, whose virtual IP address is 202.38.10.1/24.
State Requirements
As a stateful firewall, the Eudemon inspects only the first packet of a session flow and
dynamically creates session entries. Subsequent packets, including response packets, can pass
through the Eudemon only when they match these session entries. If the outgoing and incoming
paths of a session are inconsistent, subsequent packets or response packets are dropped because
they cannot match any session entry on the Eudemon. Figure 9-4 shows the process.
[Figure 9-4 Session inconsistency: PC1 and PC2 sit in different zones (Untrust, DMZ); Eudemon A (master) holds the session entry while Eudemon B (backup) does not; packet steps (1) to (9) are numbered in the figure; legend: actual connection, packet traffic]
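A model of the session-consistency problem of Figure 9-4, added here as an example that is not the Eudemon's code: each firewall keeps its own session table, a reply that reaches a firewall without the matching entry is dropped, and backing up the session entry to the peer (the state backup that the dual-system hot backup provides) is what lets an asymmetric return path survive. Addresses and packets are constructed.

```python
"""Added example: why asymmetric paths break a stateful firewall pair, and how
session backup to the peer removes the problem. Addresses are constructed."""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport proto")


def session_key(pkt):
    return (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)


def reverse_key(pkt):
    """Key of the session a reply belongs to (addresses and ports swapped)."""
    return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)


class StatefulFirewall:
    def __init__(self, name):
        self.name = name
        self.sessions = set()
        self.peer = None          # set by pair() when session backup is enabled

    def handle(self, pkt, from_trust):
        """Return 'forward' or 'drop'. Only the first packet of a flow from the
        trusted side creates a session; every other packet must match one."""
        if from_trust:
            key = session_key(pkt)
            if key not in self.sessions:
                self.sessions.add(key)
                if self.peer is not None:
                    self.peer.sessions.add(key)   # hot backup of the session entry
            return "forward"
        return "forward" if reverse_key(pkt) in self.sessions else "drop"


def pair(fw_a, fw_b):
    """Enable session backup between the two devices."""
    fw_a.peer, fw_b.peer = fw_b, fw_a


def trace(forward_fw, return_fw, request, reply):
    """Send the request through one firewall and the reply through another."""
    return forward_fw.handle(request, True), return_fw.handle(reply, False)
```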
As the requirements of customers for network reliability increase, it is necessary to ensure the
continuity of certain critical service ingresses or access points such as Internet access points and
database server access points.
If only one Eudemon is deployed at the service access point, no matter how reliable the
Eudemon is, the network is still prone to interruption because of single point failure.
In this case, you need to depend on the redundancy backup mechanism to enhance the stability
and reliability of the entire system.
You can determine whether to add a backup group to the VRRP management group or not
according to actual backup demand. The VRRP management group can manage backup groups
that have been added to it.
Figure 9-5 shows the protocol hierarchical relation between VRRP management groups and
backup groups.
Figure 9-5 Protocol hierarchical relation between VRRP management groups and backup
groups
[Figure 9-5 diagram: VGMP packets exchanged between the VRRP management groups; backup groups bound to interfaces]
VRRP backup groups report their own state information to the VRRP management group and
accept the management of the VRRP management group. When there is a problem with an
interface of a backup group or a related link, the state of the backup group changes. That may
affect the state of the VRRP management group.
In addition, a VRRP backup group can run independently without being added to the VRRP
management group. If the priority of such a dissociative backup group is higher than that of the
backup groups in the VRRP management group, the master device determined by the
management group may not be identical with that elected by the dissociative backup group. To
avoid system confusion caused by this inconsistency, you need to configure higher priorities for
backup groups in the VRRP management group.
management group does not agree on the switchover, the VRRP state of each Eudemon in the
VRRP backup group cannot change.
State consistency management helps the devices of a VRRP group share VRRP state
information. The VRRP management group determines whether to perform state switchover,
thus ensuring that the VRRP backup groups are consistent in state.
Besides notification packets, the master device can also proactively send a Hello message to
the backup device. The backup device then sends a notification packet after receiving the Hello
message. This mechanism helps the master and backup devices exchange state information.
Preemption Management
When a backup group is added to a VRRP management group and the VRRP management
group is already enabled, the VRRP management group determines whether to preempt,
regardless of whether the preemption function is configured on the Eudemons in each VRRP
backup group. That is, when a Eudemon finds that its own priority is higher than that of the
present master device, it is the VRRP management group that determines whether to perform
the preemption.
When the communication between VRRP backup groups is interrupted while VGMP packets
can be normally transmitted, the state consistency can still be assured. In this case, no state
switchover occurs.
When the communication between the master device and the backup device is interrupted, and
no VGMP packet can be transmitted, that is, all data channels fail, the backup device
automatically changes to the master state.
When network communication resumes, there are two master devices on the network, sending
notification packets to each other. In this case, the VRRP management group determines the
master device according to priority.
Channel Management
Channel management can provide reliable channels for transferring the following packets:
l VGMP packets
l Packets over VGMP
l VRRP state packets
A VRRP management group can include several data channels. A data channel can share a
physical link with a service flow channel or occupy a physical link alone, depending on your
configuration. Your configuration also determines whether the state of a data channel
affects the state of each VRRP backup group in a VRRP management group.
Figure 9-6 shows the relation between service channels and data channels.
[Figure 9-6: relation between service channels and data channels. Eudemon A (interfaces A1 to A4) and Eudemon B (interfaces B1 to B4) are connected through the Trust, Untrust, and DMZ LAN switches and directly through a hub. Legend: actual connection; backup packets; traffic. A1, A2, A3, and A4 are interfaces of Eudemon A.]
Any interface that connects the master device with a security zone can act as the starting end of
a data channel; the ending end is on the backup device. As a result, a data channel traversing
the LAN switch is set up.
Figure 9-6 assumes that A and B are interfaces and S is the LAN switch. Then A1-S-B1, A2-
S-B2, and A3-S-B3 are data channels.
In some cases, for the sake of link bandwidth and transmission quality, you can directly connect
the master device to the backup device (multiple lines are allowed) to protect service flows
against the interference of VRRP state information. In this case, you can set up data channel A4-
Hub-B4 between the master device and the backup device.
Figure 9-7 Relation between a VRRP management group and a backup group
[Figure 9-7 image: Eudemon A (Master) and Eudemon B (Backup), each running management group 1, which contains backup group 1 (interfaces A1/B1, Trust), backup group 2 (A2/B2, DMZ), and backup group 3 (A3/B3, Untrust). Legend: actual connection; traffic.]
The function of the redundancy backup mechanism is to duplicate a device in some sense. The
following sections describe the relationship between interfaces, backup groups, and management
groups on the Eudemons.
For example, the configuration of interface A1 on Eudemon A must be identical with that of
interface B1 on Eudemon B. Specifically, both of them should be Ethernet interfaces, numbered ,
and associated with backup group 1.
Master/Backup Mode
Based on the VGMP mechanism, you can carry out backup for two Eudemons. Each
Eudemon is configured with a VRRP management group with the same number but different
priorities, as shown in Figure 9-8.
[Figure 9-8 image: master/backup mode. Eudemon B (Backup) with backup group 2 and backup group 3 on interfaces B1, B2, and B3 facing the DMZ and Untrust zones. Legend: actual connection; traffic. A1, A2, and A3 are interfaces of Eudemon A.]
In Figure 9-8:
Since Level 1 priority is higher than Level 2 priority, Eudemon A works as the Master and
Eudemon B as the Backup.
Hosts in the Trust zone, DMZ, and Untrust zone respectively send service data to interfaces A1,
A2 and A3 on Eudemon A (Master). All sessions are transferred through Eudemon A.
When the master device or its link fails, its status changes. The backup device becomes the
master device and transfers all session data.
[Figure image: load balancing mode I. Eudemon B (Backup/Master) with backup groups 2, 3, 5, and 6 on interfaces B1, B2, and B3. Legend: actual connection; traffic. A1, A2, and A3 are interfaces of Eudemon A.]
Table 9-2 lists the device status in load balancing mode I when the master and backup
devices work normally.
The priorities of the two VRRP management groups overlap, that is, Level 1 > Level 3 and
Level 2 < Level 4. Therefore, hosts in the Trust zone, DMZ, and Untrust zone respectively
send sessions to interfaces A1, A2 and A3 on Eudemon A and send the other sessions to
interfaces B1, B2 and B3 on Eudemon B. The two Eudemons share the communication
load.
When Eudemon B becomes faulty, VRRP management group 2 will switch the status of
each device. Eudemon A becomes the master device in VRRP management group 2 and
Eudemon B becomes the backup device. Eudemon A will transmit all sessions in this case.
The statuses listed in Table 9-2 change to those in Table 9-3.
However, when Eudemon B recovers, it will be the master device in management group 2
again and share load with Eudemon A.
[Figure image: load balancing mode with Eudemon B (Backup/Master) holding backup groups 2, 5, and 6 on interfaces B1 to B6 facing the DMZ and Untrust zones. A1, A2, A3, A4, A5, and A6 are interfaces of Eudemon A.]
When errors occur on Eudemon A or on its associated links, Eudemon B becomes the master
device and begins to transfer data. However, if Eudemon B holds no backup of the session entries
or configuration commands before the status switch, all sessions that passed through Eudemon A
are disconnected, because those sessions cannot match any session entry on Eudemon B. As a
result, services are interrupted.
For the backup device to take over smoothly when the master device breaks down, the
configuration commands and session entries must be backed up between the master device and
the backup device.
Huawei Redundancy Protocol (HRP) is developed for this purpose. HRP is transmitted over
VGMP packets in the data channels of a VRRP management group.
After the HRP dual-system hot backup function is enabled, a fault on the master device leads to
a state change of the VRRP management group. The VRRP management group reports the status
switch to the HRP module, and the HRP module then decides whether to synchronize the backup
of the configuration commands and the session status information. Upon completion of the
backup process, the VRRP management group preemption and then the VRRP backup group
preemption take place. In this way, the backup device smoothly takes over the service.
The concepts of the master and slave configuration devices are introduced only in load balancing mode
rather than master/backup mode.
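To make the preemption rules and the HRP backup ordering above concrete, here is a small Python simulation of VGMP arbitration and HRP session backup in the load balancing mode described around Table 9-2 and Table 9-3. It is an added illustration, not Huawei's code or the Eudemon implementation; the Eudemon and ManagementGroup classes, the priority levels, and the session names are constructed for this example, and the recovered device starting with an empty session table is an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class Eudemon:
    """Firewall node (hypothetical model). priority maps a VRRP management group
    number to a priority level; as in the text, Level 1 beats Level 2 (lower wins)."""
    name: str
    priority: dict
    up: bool = True
    sessions: set = field(default_factory=set)   # session entries held locally


@dataclass
class ManagementGroup:
    """A VRRP management group: every backup group bound to it switches together."""
    number: int
    devices: list
    hrp_enabled: bool
    master: Eudemon = None

    def elect(self):
        """VGMP arbitration: highest-priority reachable device wins, regardless of
        the preemption setting of the individual backup groups."""
        alive = [d for d in self.devices if d.up]
        return min(alive, key=lambda d: d.priority[self.number]) if alive else None

    def hrp_sync(self):
        """HRP hot backup: master pushes its session entries to the backup over
        the data channel; runs before VGMP preemption, as the text describes."""
        if self.hrp_enabled and self.master is not None:
            for d in self.devices:
                if d is not self.master and d.up:
                    d.sessions |= self.master.sessions

    def update(self):
        """Re-arbitrate; returns (old_master, new_master) on a state switch."""
        new = self.elect()
        if new is self.master:
            return None
        old, self.master = self.master, new
        return old, new

    def forwards(self, session):
        """A session survives a switch only if the master holds a matching entry."""
        return self.master is not None and session in self.master.sessions


def run_scenario(hrp_enabled):
    """Load balancing mode from the text: A is master of group 1, B of group 2
    (Level 1 > Level 3, Level 2 < Level 4). Returns the fraction of sessions still
    forwardable after B fails and after B recovers and preempts group 2 again."""
    a = Eudemon("Eudemon A", {1: 1, 2: 4})
    b = Eudemon("Eudemon B", {1: 3, 2: 2})
    groups = {n: ManagementGroup(n, [a, b], hrp_enabled) for n in (1, 2)}
    for g in groups.values():
        g.update()
    # constructed sessions, tagged with the management group that carries them
    sessions = {"trust->untrust#1": 1, "dmz->untrust#2": 1,
                "trust->dmz#3": 2, "untrust->trust#4": 2}
    for s, n in sessions.items():
        groups[n].master.sessions.add(s)
    survive = lambda: sum(groups[n].forwards(s) for s, n in sessions.items()) / len(sessions)

    for g in groups.values():          # steady state: HRP backs up while both are up
        g.hrp_sync()
    b.up = False                       # Eudemon B faulty: group 2 switches to A
    groups[2].update()
    after_fail = survive()

    b.up = True                        # B recovers with an empty session table (assumption)
    b.sessions.clear()
    for g in groups.values():          # backup completes first, then VGMP preemption
        g.hrp_sync()
        g.update()
    return after_fail, survive()
```

With HRP enabled every session survives both the failure and the preemption on recovery; without it, the sessions carried by management group 2 are dropped at each switch, which is the service interruption the text describes.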
Figure 9-12 Hierarchical protocol relation between VRRP backup group, management group,
and HRP
[Figure 9-12 image labels: HRP module; HRP packet.]
When the state of the VRRP management group changes, the system notifies the HRP and the
master/slave configuration devices to change their states accordingly. In this way, configuration
commands and session status information are backed up in time between the two devices.
Meanwhile, the state of the VRRP management group is also affected by HRP state changes. In
other words, VRRP adjusts the priority and switches the VRRP state according to the result of
the HRP state switch.
When the state of the VRRP backup group changes, the VRRP management group decides
whether to change the state of the following elements:
- VRRP management group
- HRP
- Master and slave configuration devices
– Whether the VRRP management group numbers configured and enabled on the master and backup devices are the same.
– Whether the configurations of VRRP backup groups within the same VRRP management group are the same.
– Whether the configurations of the triggerdown attribute of interfaces within the same VRRP management group are consistent.
– Whether the intervals for sending Hello packets within the same VRRP management group are the same.
A Glossary
A
AAA An integrity framework for configuring the authentication, authorization, and
accounting functions. It is a way to manage the network security.
ACL A sequential instruction list consisting of a series of permit | deny statements.
In the scenario where a firewall is deployed on a network, an ACL is applied
to the interface of a router, and the router determines which packets can be
received and which should be denied according to the ACL. In QoS, ACLs
are also used for traffic classification.
AES The Advanced Encryption Standard (AES) is an encryption algorithm for
securing sensitive but unclassified material by U.S. Government agencies
and, as a likely consequence, may eventually become the de facto encryption
standard for commercial transactions in the private sector. (Encryption for the
US military and other classified communications is handled by separate,
secret algorithms.)
AH A protocol used in transport mode and tunnel mode for providing data
integrity and authentication services for IP packets.
ALG In the context of computer networking, an application-level gateway (also
known as application layer gateway) consists of a security component that
augments a firewall or NAT employed in a computer network. It allows
legitimate application data to pass through the security checks of the firewall
that would have otherwise restricted the traffic for not meeting its limited filter
criteria.
ARP A protocol used to resolve an IP address into an Ethernet MAC address.
AS In the Internet, an autonomous system (AS) is a collection of IP networks and
routers under the control of one entity (or sometimes more) that presents a
common routing policy to the Internet.
ASPF A state-based packet filter mechanism applied to the application layer. ASPF
can be used to jointly work with a common static firewall to implement
security policies of an internal network. As ASPF is based on the session
information of the application layer protocol, it can intelligently filter TCP
and UDP packets. In addition, ASPF can detect sessions originated by any
side of the firewall.
B
BGP An interautonomous system routing protocol. An autonomous system is a
network or group of networks under a common administration and with
common routing policies. BGP is used to exchange routing information for
the Internet and is the protocol used between Internet service providers (ISP).
C
CA An organization that issues digital certificates (digital IDs) and makes its
public key widely available to its intended audience.
CAR An instance of traffic policing. CAR defines three traffic parameters, that is,
Committed Information Rate (CIR), Committed Burst Size (CBS), and Excess
Burst Size (EBS). CAR depends on the preceding parameters to evaluate
traffic. In addition, CAR classifies the monitoring objects and defines the
monitoring actions.
CE The router that is on the customer's side of the customer-provider interface.
CHAP A password authentication method. It is a three-way handshake authentication
with encrypted passwords. The authenticating party first sends some
randomly generated packets (Challenge) to the authenticated party. Then the
authenticated party encrypts the random packets with its own password and
MD5 algorithm and resends the generated encryption to the authenticating
party (Response). Finally, the authenticating party encrypts the original
random packets with the authenticated party password and MD5 algorithm,
compares the two encryptions, and returns the response (Acknowledge or Not
Acknowledge) according to the comparison.
CIDR An internetworking routing protocol. It is a way of using the existing 32-bit
Internet address space more efficiently commonly used by Internet Service
Providers. It allows the assignment of Class C IP addresses in multiple
contiguous blocks.
COPS COPS specifies a simple client/server model for supporting policy control
over Quality of Service (QoS) signaling protocols.
CPE-based VPN A type of VPN application based on the client side device. The VPN function
is realized on the client side device. The client is responsible for maintaining
the VPN.
D
DDN Digital Data Network (DDN) combines the digital channel such as fiber
channel, digital microwave channel or satellite channel with the cross
multiplex technology, providing a high-quality data transport tunnel.
DES A data encryption standard encrypting data in 64-bit block and generating 64-
bit encrypted text.
DH A shared key protocol proposed by Diffie and Hellman. With this protocol,
the communication parties can exchange data without transmitting the shared
key and calculate the shared key.
DHCP A client-server networking protocol used to obtain all necessary
configurations including IP addresses.
DNS A system used to map a human-friendly domain name to an IP address.
E
EGP Exterior Gateway Protocol (EGP) is a protocol for exchanging routing
information between two neighbor gateway hosts (each with its own router)
in a network of autonomous systems.
ESP A secure packet encapsulation protocol used in transport mode and tunnel
mode. Adopting encryption and authentication mechanisms, it provides IP
data packets with such services as data source authentication, data integrity,
anti-replay, and data confidentiality services.
F
FTP An application layer protocol used to transmit files between remote hosts.
FTP is realized based on the corresponding file system.
FIFO A message processing mode where packets are forwarded in the same order
in which they arrive at the interface.
G
GGSN The location register function in the GGSN stores subscription information
and routing information (needed to tunnel packet data traffic destined for a
GPRS MS to the SGSN where the MS is registered) for each subscriber for
which the GGSN has at least one PDP context active.
GRE A protocol for performing encapsulation of an arbitrary network layer
protocol over another arbitrary network layer protocol.
H
HTTP A protocol used to transfer files for WWW service programs.
I
ICMP A layer 2 protocol that reports errors and provides other information relevant
to IP packet processing.
IETF An organization that is dedicated to developing and designing TCP/IP
protocol stack and Internet standards.
IKE A protocol used to exchange keys between Oakley and SKEME through
ISAKMP.
IP A protocol that provides connectionless best effort delivery of datagram
across heterogeneous physical networks. IP is a network layer protocol in the
TCP/IP protocol stack.
IPSec A series of protocols defined by the Internet Engineering Task Force (IETF).
This protocol family includes a set of system structures concerning data
security on an IP network, including such protocols as AH, ESP, and IKE.
ISAKMP A protocol providing a framework for authentication and key exchange. This
protocol does not specify specific implementation about authentication and
key exchange.
ISP A company that provides access to the Internet for users.
L
L2F A protocol that offers the tunnel encapsulation for the higher-level link layer.
L2F helps realize the physical separation between the dial-up server and dial-
up protocol connection.
L2TP A protocol that is drafted by the IETF and involves the participation of
companies such as Microsoft. L2TP combines the advantages of both PPTP
and L2F.
LAC A device that is attached to a switching network and is capable of L2TP
processing. It possesses PPP terminal system and generally provides the
access service to users.
LAN A network consisting of personal computers and workstations residing in the
same building or within several kilometers in circumference. LAN features
high speed and low error rate. Ethernet, FDDI, and Token Ring are three main
LAN techniques.
LNS A set of server software that processes the L2TP protocol on a PPP terminal
system.
M
MAC The lower of the two sublayers of the Data Link Layer. The MAC layer is
closer to the physical layer.
MAN A network of LANs or computers within a wide geographical area such as a
university campus. An MAN usually adopts the same technology as LAN. An
MAN can cover dozens of kilometers wide or a metropolitan (city-wide) area.
MD5 The fifth of the hash function series developed by Ron Rivest. The algorithm
converts a message of any length into a 128-bit "fingerprint" or digest to
realize digital signature and ensure the integrity of messages.
MTU The largest amount of data that is permissible to transmit as one unit according
to a protocol specification.
N
NAS A server that provides PSTN/ISDN dial-in users with Internet access services.
NAT A mechanism for reducing the need for globally unique IP addresses. NAT
allows an organization with private addresses to connect to the Internet by
translating those addresses into a globally unique and routable address.
P
PAP A protocol that requires twice handshake authentications. The password of
PAP is in plain text. The authenticated side first sends the user name and
password to the authenticating side. Then the authenticating side checks
whether the user exists and whether the password is correct according to user
configuration, and then returns response (Acknowledge or Not
Acknowledge).
PFS Perfect forward secrecy means that an attacker who obtains the keys of one
connection does not also gain the ability to decrypt past or future connections;
only the messages from that one connection can be read.
PING A utility program which tests access to a device by sending a series of ICMP
Echo messages and measuring its acknowledgement.
PPP A dedicated transmission link between two devices.
PPTP A tunnel protocol that encapsulates PPP on the tunnels of an IP network. The
protocol is supported by Microsoft, Ascend, and 3COM.
Q
QoS A way of evaluating the packet delivery ability of IP networks. The core
factors to determine the QoS are delay, delay jitter, and packet loss ratio.
These core factors require technical support.
R
RADIUS A distributed client/server system developed by Livingston Enterprise.
RADIUS can provide the AAA function. As an authentication and accounting
protocol, RADIUS can realize access authentication, authorization, and
accounting functions for a great amount of users through serial ports and
modems.
RFC An Internet standard-related formal document from the IETF.
RIP A routing protocol that calculates routes with the D-V algorithm and selects
routes according to the hop number. RIP is widely used in small-sized
networks.
S
SA IPSec depends on SAs to realize security services for data streams. In IPSec,
a security association is uniquely identified by a triple consisting of a Security
Parameters Index (SPI), an IP Destination Address, and a security protocol
identifier, which specify how to process IP packets.
SPI A 32-bit pointer that is carried by each IPSec packet. An SA is uniquely
identified by a triple consisting of a Security Parameters Index (SPI), an IP
Destination Address, and a security protocol identifier.
SSH A set of network standards and protocols that provide secure Telnet access.
T
TCP A transport layer protocol that provides a connection-oriented, full-duplex,
point-to-point service between hosts.
TCP/IP TCP/IP protocol stack.
ToS Type of Service. The IP uses the ToS field to provide an indication of the
quality of service desired.
U
UDP Part of the TCP/IP protocol suite. UDP is a standard, connectionless, host-to-
host protocol that is used over packet-switched computer communication
networks.
V
VLAN A logically independent network. It divides a LAN into multiple logical
LANs. Each VLAN is a broadcast domain. The communication between the
hosts in a VLAN is similar to that in a LAN.
VP A logical terminal line used to access a router through Telnet.
VPDN A network that realizes VPN through the access network and the dialing up
function of the public network such as ISDN and PSTN.
VPLS A technology that enables interconnection of Local Area Networks (LANs)
through virtual private networks. VPLS realizes the extension of LANs to the
Internet.
VPN A new technology that helps implement a private network link, which is
carried on a public network through the use of tunneling. A VPN is a logical
network.
W
WAN A network that provides data communications to a large number of
independent users spread over a larger geographic area such as a country or
a province. It may consist of a number of LANs connected together.
WWW A large scale hypermedia information system that allows users to browse
information.
A
AAA Authentication, Authorization and Accounting
ACK Acknowledgement
ACL Access Control List
AES Advanced Encryption Standard
AH Authentication Header
ALG Application Level Gateway
ARP Address Resolution Protocol
AS Autonomous System
ASPF Application Specific Packet Filter
B
BSD Berkeley Software Distribution
BGP Border Gateway Protocol
C
CA Certification Authority
CAR Committed Access Rate
CE Customer Edge
CHAP Challenge Handshake Authentication Protocol
CIDR Classless Inter-Domain Routing
CMS Call Management Server
D
DDN Digital Data Network
DES Data Encryption Standard
DH Diffie-Hellman algorithm
DHCP Dynamic Host Configuration Protocol
DLCI Data-Link Connection Identifier
DMZ Demilitarized Zone
DN Distinguished Name
DNS Domain Name System
DoD Downstream On Demand
DoS Denial of Service
DU Downstream Unsolicited
E
EGP Exterior Gateway Protocol
EMTA Embedded Multifunctional Terminal Adapter
ESP Encapsulating Security Payload
F
FEC Forwarding Equivalence Class
FIFO First In First Out
FTP File Transfer Protocol
G
GGSN Gateway GPRS Support Node
GRE Generic Routing Encapsulation
H
HRP Huawei Redundancy Protocol
HTTP Hyper Text Transfer Protocol
HWCC Huawei Conference Control Protocol
HWTACACS Huawei Terminal Access Controller Access Control System
I
ICMP Internet Control Message Protocol
ID Identity
IDC Internet Data Center
IETF Internet Engineering Task Force
IGMP Internet Group Management Protocol
IGP Interior Gateway Protocol
IKE Internet Key Exchange
ILS Internet Locator Service
IP Internet Protocol
IPC Inter-Process Communication
IPSec IP Security Protocol
IPX Internet Packet Exchange
ISAKMP Internet Security Association and Key Management Protocol
ISDN Integrated Services Digital Network
ISP Internet Service Provider
L
L2F Layer 2 Forwarding
L2TP Layer 2 Tunneling Protocol
LAC L2TP Access Concentrator
LAN Local Area Network
LCP Link Control Protocol
LDP Label Distribution Protocol
M
MAC Media Access Control
MBGP Multiprotocol Border Gateway Protocol
MD5 Message Digest 5
MED Multi-Exit Discriminator
MGCP Media Gateway Control Protocol
MIB Management Information Base
MMS Microsoft Media Service
MPLS Multi-Protocol Label Switch
MSDP Multicast Source Discovery Protocol
MSN MSN Messenger Service
N
NAPT Network Address and Port Translation
NAS Network Access Server
NAT Network Address Translation
NCP Network Control Protocol
NCS Network Call Signalling
NetBIOS Network Basic Input/Output System
NLRI Network Layer Reachable Information
O
OSI Open System Interconnection
OSPF Open Shortest Path First
P
P2P Peer To Peer
PAP Password Authentication Protocol
PC Personal Computer
PCI Peripheral Component Interconnect
PDU Packet Data Unit
PE Provider Edge
PFS Perfect Forward Secrecy
PKC Public Key Certificate
PKI Public Key Infrastructure
POP Point Of Presence
PPP Point-to-Point Protocol
PPPoE PPP over Ethernet
PPTP Point to Point Tunneling Protocol
PQ Priority Queue
PSTN Public Switched Telephone Network
Q
QoS Quality of Service
QQ Tencent QQ
R
RADIUS Remote Authentication Dial in User Service
RD Route Distinguisher
RFC Request For Comments
RIP Routing Information Protocol
RSA Rivest, Shamir and Adleman
RTSP Real-Time Streaming Protocol
S
SA Security Association
SACG Security Access Control Gateway
T
TACACS Terminal Access Controller Access Control System
TCP Transmission Control Protocol
TCP/IP Transmission Control Protocol / Internet Protocol
TFTP Trivial File Transfer Protocol
ToS Type of Service
TTL Time To Live
U
UDP User Datagram Protocol
V
VGMP VRRP Group Management Protocol
VLAN Virtual Local Area Network
VLL Virtual Leased Line
VPDN Virtual Private Dial Network
VPLS Virtual Private LAN Service
VPN Virtual Private Network
VPRN Virtual Private Routing Network
VRP Versatile Routing Platform
VRRP Virtual Router Redundancy Protocol
W
WAN Wide Area Network
WAP Wireless Application Protocol
WFQ Weighted Fair Queuing
WRED Weighted Random Early Detection
WWW World Wide Web