Quidway Eudemon 200E-C&200E-F Firewall Feature Description(V100R002_01)


Quidway Eudemon 200E-C/200E-F Firewall

V100R002

Feature Description

Issue 01

Date 2009-12-01

Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.


Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. For any assistance, please contact our local office or company headquarters.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://www.huawei.com

Email: [email protected]

Copyright © Huawei Technologies Co., Ltd. 2009. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are the property of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but the statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.


Contents

About This Document ..... 1

1 Overview ..... 1-1
1.1 Introduction to the Device ..... 1-2
1.2 Location of the Eudemon ..... 1-3
1.3 Functions and Features of the Eudemon ..... 1-3
1.3.1 Network Interconnection ..... 1-3
1.3.2 Security Defense ..... 1-4
1.3.3 Service Application ..... 1-5
1.3.4 Configuration and Management ..... 1-5
1.3.5 Maintenance ..... 1-6
1.3.6 System Log Management ..... 1-6

2 Introduction ..... 2-1
2.1 Working Mode ..... 2-2
2.1.1 Working Mode Classification ..... 2-2
2.1.2 Working Process in Route Mode ..... 2-4
2.1.3 Working Process in Transparent Mode ..... 2-4
2.1.4 Working Process in Composite Mode ..... 2-10
2.2 Security Zone ..... 2-10
2.2.1 Introduction to Security Zone ..... 2-10
2.2.2 Features of the Security Zone ..... 2-10
2.2.3 Security Zone on Eudemon ..... 2-11

3 System Management ..... 3-1
3.1 SNMP Overview ..... 3-2
3.1.1 Introduction to SNMP ..... 3-2
3.1.2 SNMP Versions and Supported MIB ..... 3-3
3.2 Introduction to the Features of Web Management ..... 3-4

4 Security Features ..... 4-1
4.1 ACL ..... 4-2
4.1.1 ACL Definition ..... 4-2
4.1.2 ACL Application ..... 4-2
4.1.3 ACL Step ..... 4-3
4.1.4 ACL on the Eudemon ..... 4-4


4.2 Security Policy ..... 4-6
4.2.1 Packet Filter ..... 4-6
4.2.2 ASPF ..... 4-6
4.2.3 Blacklist ..... 4-8
4.2.4 MAC and IP Address Binding ..... 4-8
4.2.5 Port Identification ..... 4-8
4.2.6 Virtual Firewall ..... 4-9
4.3 NAT ..... 4-10
4.3.1 Introduction ..... 4-10
4.3.2 NAT on the Device ..... 4-12
4.4 Attack Defense ..... 4-17
4.4.1 Introduction ..... 4-17
4.4.2 Classes of Network Attacks ..... 4-17
4.4.3 Typical Examples of Network Attacks ..... 4-18
4.4.4 Introduction to the Attack Defense Principle ..... 4-19
4.5 P2P Traffic Limiting ..... 4-21
4.5.1 Introduction to P2P Traffic Limiting ..... 4-21
4.5.2 P2P Traffic Detection and Limiting ..... 4-21
4.6 IM Blocking ..... 4-22
4.6.1 Introduction to IM Detecting and Blocking ..... 4-22
4.6.2 IM Detecting and Blocking ..... 4-22
4.7 Static Multicast ..... 4-23
4.7.1 Restrictions of Unicast or Broadcast ..... 4-23
4.7.2 Overview of Static Multicast ..... 4-25
4.7.3 Implementing Static Multicast on the Eudemon ..... 4-26
4.8 Keyword Authentication ..... 4-26
4.9 Authentication and Authorization ..... 4-27
4.9.1 Introduction to Authentication and Authorization ..... 4-27
4.9.2 Introduction to Domain ..... 4-28
4.9.3 Introduction to Local User Management ..... 4-28
4.10 IP-CAR ..... 4-28
4.11 TSM Cooperation ..... 4-29
4.11.1 Introduction to TSM Cooperation ..... 4-29
4.11.2 Work Flow of TSM Cooperation ..... 4-30
4.11.3 Specifications of TSM Cooperation ..... 4-31
4.12 SLB ..... 4-31
4.12.1 Introduction to SLB ..... 4-31
4.12.2 Virtual Service Technology ..... 4-32
4.12.3 Server Health Check ..... 4-33
4.12.4 Traffic-based Forwarding ..... 4-33

5 VPN ..... 5-1
5.1 Introduction ..... 5-2


5.1.1 VPN Overview ..... 5-2
5.1.2 Basic VPN Technology ..... 5-3
5.1.3 VPN Classification ..... 5-5
5.2 L2TP ..... 5-7
5.2.1 VPDN Overview ..... 5-7
5.2.2 L2TP Overview ..... 5-7
5.3 IPSec ..... 5-13
5.3.1 IPSec Overview ..... 5-13
5.3.2 IPSec Basic Concepts ..... 5-14
5.3.3 IKE Overview ..... 5-17
5.3.4 Overview of the IKEv2 Protocol ..... 5-19
5.3.5 Security Analysis of IKEv2 ..... 5-20
5.3.6 IKEv2 and EAP Authentication ..... 5-21
5.3.7 NAT Traversal of IPSec ..... 5-22
5.3.8 Realizing IPSec on the Eudemon ..... 5-23
5.4 GRE ..... 5-25
5.4.1 GRE Overview ..... 5-25
5.4.2 Implementation of GRE ..... 5-25
5.4.3 GRE Application ..... 5-26

6 Network Interconnection ..... 6-1
6.1 VLAN ..... 6-2
6.1.1 Introduction ..... 6-2
6.1.2 Advantages of VLAN ..... 6-3
6.2 PPP ..... 6-4
6.2.1 Introduction ..... 6-4
6.2.2 PPP Authentication ..... 6-5
6.2.3 PPP Link Operation ..... 6-6
6.3 PPPoE ..... 6-9
6.3.1 Basic Principles of PPPoE ..... 6-9
6.3.2 PPPoE Discovery Period ..... 6-10
6.3.3 PPPoE Session Period ..... 6-12
6.4 DHCP Overview ..... 6-12
6.4.1 DHCP Service ..... 6-12
6.4.2 DHCP Relay ..... 6-13
6.4.3 DHCP Client ..... 6-14
6.5 Static Route Overview ..... 6-16
6.5.1 Static Route ..... 6-16
6.5.2 Default Route ..... 6-18
6.6 RIP ..... 6-18
6.6.1 RIP Overview ..... 6-18
6.6.2 RIP Versions ..... 6-19
6.6.3 RIP Startup and Operation ..... 6-19


6.7 OSPF ..... 6-20
6.7.1 OSPF Overview ..... 6-20
6.7.2 Process of OSPF Route Calculation ..... 6-20
6.7.3 Basic Concepts Related to OSPF ..... 6-21
6.7.4 OSPF Packets ..... 6-25
6.7.5 Types of OSPF LSAs ..... 6-25
6.8 BGP ..... 6-27
6.8.1 BGP Overview ..... 6-27
6.8.2 Classification of BGP Attributes ..... 6-30
6.8.3 Principles of BGP Route Selection ..... 6-31
6.9 Introduction to Policy-Based Routing ..... 6-33
6.10 Routing Policy Overview ..... 6-33
6.10.1 Applications and Implementation of Routing Policy ..... 6-34
6.10.2 Differences Between Routing Policy and Policy-based Routing ..... 6-34
6.11 Load Balancing ..... 6-35
6.12 Introduction to QoS ..... 6-37
6.12.1 QoS Overview ..... 6-37
6.12.2 Traditional Packets Transmission Application ..... 6-37
6.12.3 New Application Requirements ..... 6-37
6.12.4 Congestion Causes, Impact and Countermeasures ..... 6-38
6.12.5 Traffic Control Techniques ..... 6-39
6.13 GPON Line ..... 6-40
6.13.1 Introduction to the GPON Line Feature ..... 6-40
6.13.2 Principles of GPON Upstream Transmission ..... 6-41
6.13.3 Principles of GPON Lines ..... 6-41
6.14 Introduction to Voice Services ..... 6-42
6.14.1 Overview of Voice Features ..... 6-42
6.14.2 General Specifications ..... 6-43
6.14.3 H.248-based Voice Services ..... 6-45
6.14.4 SIP-based Voice Services ..... 6-54
6.14.5 Key Voice Feature ..... 6-69
6.14.6 Voice Reliability ..... 6-78

7 Reliability ..... 7-1
7.1 Overview of VRRP ..... 7-2
7.1.1 Traditional VRRP ..... 7-2
7.1.2 Disadvantages of Traditional VRRP in Eudemon Backup ..... 7-4
7.2 Introduction to Dual-System Hot Backup ..... 7-6
7.2.1 HRP Application ..... 7-6
7.2.2 Primary/Secondary Configuration Devices ..... 7-7
7.3 Relations Between the VRRP Backup Group, Management Group, and HRP ..... 7-7
7.4 IP-Link Auto-detection Overview ..... 7-8

A Glossary ..... A-1


B Acronyms and Abbreviations ..... B-1


Figures

Figure 2-1 Networking diagram in route mode ..... 2-2
Figure 2-2 Networking diagram in transparent mode ..... 2-3
Figure 2-3 Networking in composite mode ..... 2-4
Figure 2-4 Broadcasting a data packet ..... 2-5
Figure 2-5 Reversely learning the relationship between the MAC address of workstation A and the interface ..... 2-6
Figure 2-6 Reversely learning the relationship between the MAC address of workstation B and the interface ..... 2-7
Figure 2-7 Forwarding the frame after successfully obtaining corresponding information from the address table ..... 2-8
Figure 2-8 Filtering frames after successfully obtaining corresponding information from the address table ..... 2-9
Figure 2-9 Forwarding the frame after failing to obtain corresponding information from the address table ..... 2-9
Figure 2-10 Relationship diagram of interface, network and security zones ..... 2-12
Figure 3-1 MIB tree ..... 3-3
Figure 4-1 Networking diagram of virtual firewall ..... 4-9
Figure 4-2 Networking diagram of basic processes of NAT ..... 4-11
Figure 4-3 NAPT allows multiple internal hosts to share a public address by translating IP address and port number ..... 4-13
Figure 4-4 Networking diagram of configuring inbound NAT ..... 4-15
Figure 4-5 Networking diagram of NAT within the zone ..... 4-15
Figure 4-6 Unicast information transmission ..... 4-24
Figure 4-7 Broadcast information transmission ..... 4-24
Figure 4-8 Multicast information transmission ..... 4-25
Figure 4-9 Transmission mode of static multicast ..... 4-26
Figure 4-10 Networking diagram of TSM Cooperation ..... 4-30
Figure 4-11 Schematic diagram of Virtual Service ..... 4-32
Figure 5-1 Networking diagram of VPN applications ..... 5-3
Figure 5-2 Networking diagram of a VPN access ..... 5-4
Figure 5-3 Networking diagram of VPDN application based on L2TP ..... 5-8
Figure 5-4 L2TP protocol structure ..... 5-9
Figure 5-5 Two typical L2TP tunnel modes ..... 5-10
Figure 5-6 Typical networking diagram of L2TP ..... 5-11
Figure 5-7 Procedure for setting up an L2TP call ..... 5-11
Figure 5-8 Data encapsulation format for security protocols ..... 5-16


Figure 5-9 Relationship of IKE and IPSec 5-18
Figure 5-10 Procedure for setting up an SA 5-18
Figure 5-11 IP network interconnection through the GRE tunnel 5-25
Figure 5-12 Format of the encapsulated packet 5-26
Figure 5-13 IP packet transported in the tunnel 5-26
Figure 5-14 Network enlargement 5-27
Figure 5-15 Inconsistent subnet connection 5-27
Figure 5-16 GRE-IPSec tunnel 5-28
Figure 6-1 Example of VLAN 6-3
Figure 6-2 Operation process of PPP 6-7
Figure 6-3 Diagram of the host sending PADI packets in broadcast 6-10
Figure 6-4 Sending the PADO packet from the server 6-11
Figure 6-5 Diagram of the host choosing a server and sending a PADR packet 6-11
Figure 6-6 Diagram of the server sending a PADS packet to the host 6-11
Figure 6-7 DHCP relay 6-14
Figure 6-8 OSPF area partition 6-22
Figure 6-9 OSPF router types 6-23
Figure 6-10 Area and route summary 6-24
Figure 6-11 Opaque LSAs structure 6-26
Figure 6-12 BGP operating mode 6-29
Figure 6-13 Synchronization of IBGP and IGP 6-33
Figure 6-14 Networking diagram of packet-by-packet load balancing 6-35
Figure 6-15 Networking diagram of session-by-session load balancing 6-36
Figure 6-16 Schematic diagram of traffic congestion 6-38
Figure 6-17 Overall voice service solution of the SRG 6-43
Figure 6-18 Registration flow of the MG 6-47
Figure 6-19 Unsolicited deregistration flow of the MG 6-48
Figure 6-20 Unsolicited deregistration flow of the MGC 6-48
Figure 6-21 Authentication flow 6-49
Figure 6-22 Principle of the VoIP feature that supports the H.248 protocol 6-50
Figure 6-23 Principles of the T.38 fax 6-54
Figure 6-24 IETF multimedia data and control protocol stack 6-55
Figure 6-25 Flowchart of the registration through unsafe connection 6-59
Figure 6-26 Flowchart of the registration through safe connection 6-60
Figure 6-27 SIP-based call flow of a VoIP calling party 6-61
Figure 6-28 SIP-based call flow of a VoIP called party 6-62
Figure 6-29 Flow of call release 6-63
Figure 6-30 Flow of the negotiated-switching transparent transmission fax 6-64
Figure 6-31 Flow of the negotiated-switching T.38 fax 6-65
Figure 6-32 Flow of the negotiated-switching T.38 fax when the peer device does not support the T.38 mode (scenario 1) 6-66
Figure 6-33 Flow of the negotiated-switching T.38 fax when the peer device does not support the T.38 mode (scenario 2) 6-67

Figure 6-34 Flow of the negotiated-switching modem service 6-69
Figure 6-35 Generation of the electrical echo 6-71
Figure 6-36 Implementation of the EC function 6-72
Figure 6-37 Working principles of dual homing 6-79
Figure 6-38 Operating principle for implementing the dual-homing with no auto-switching 6-80
Figure 6-39 Operating principle for implementing the dual-homing with auto-switching 6-81
Figure 6-40 Call releasing flow 6-82
Figure 6-41 802.1q frame format 6-83
Figure 6-42 DSCP identification format 6-84
Figure 7-1 Networking using the default route 7-2
Figure 7-2 Networking of using the VRRP virtual router 7-3
Figure 7-3 Typical networking of Eudemon backup 7-4
Figure 7-4 Eudemon backup state 7-5
Figure 7-5 Typical data path in primary/secondary mode 7-6
Figure 7-6 Hierarchical relations between the VRRP backup group, management group, and HRP 7-7


Tables

Table 3-1 MIB supported by the system 3-3
Table 4-1 Classification of the ACL 4-4
Table 6-1 Default settings of the timers 6-16
Table 6-2 Route attributes and their types 6-30
Table 6-3 Differences between routing policy and PBR 6-35
Table 6-4 Voice services supported 6-43
Table 6-5 SIP request messages 6-58
Table 6-6 SIP response messages 6-59
Table 6-7 Codec list 6-70
Table 6-8 Mapping between frequencies and numbers 6-75


About This Document

Purpose

This document describes the functions and features of the Quidway Eudemon 200E-C/200E-F (hereafter referred to as the Eudemon), including system management, security features and network interconnection.

This document introduces the functions, principles and features of the Eudemon.

Related Versions

The following table lists the product versions related to this document.

Product Name Version

Quidway Eudemon 200E-C/200E-F V100R002

Intended Audience

This document is intended for:

• Technical support engineers

• Maintenance engineers

• Network engineers

• Network administrators

• Network maintenance engineers

Organization

This document is organized as follows.


Chapter Description

1 Overview This section introduces the Eudemon, its location in the network and its functions.

2 Introduction This section describes the operating modes and the security zones of the Eudemon.

3 System Management This section describes the SNMP management features and Web management features of the Eudemon.

4 Security Features This section describes the security features of the Eudemon, including ACL, security policy, attack defense, NAT, keyword authentication, authentication and authorization, IP-CAR, P2P Traffic Limiting, IM Blocking, Static Multicast, TSM Cooperation and SLB.

5 VPN This section describes the VPN features of the Eudemon, including L2TP, IPSec, and GRE.

6 Network Interconnection This section describes the network interconnection features of the Eudemon, including VLAN, PPP, PPPoE, DHCP, IP static route, RIP, OSPF, BGP, policy-based routing and QoS.

7 Reliability This section describes the reliability features of the Eudemon, including VRRP, two-node cluster hot backup, and IP-Link.

A Glossary This section lists acronyms in the volume.

B Acronyms and Abbreviations This section lists abbreviations in the volume.

Conventions

Symbol Conventions

The symbols that may be found in this document are defined as follows.

Symbol Description

DANGER Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.

WARNING Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.

CAUTION Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.


TIP Indicates a tip that may help you solve a problem or save time.

NOTE Provides additional information to emphasize or supplement important points of the main text.

General Conventions

The general conventions that may be found in this document are defined as follows.

Convention Description

Times New Roman Normal paragraphs are in Times New Roman.

Boldface Names of files, directories, folders, and users are in boldface. For example, log in as user root.

Italic Book titles are in italics.

Courier New Examples of information displayed on the screen are in Courier New.

Command Conventions

The command conventions that may be found in this document are defined as follows.

Convention Description

Boldface The keywords of a command line are in boldface.

Italic Command arguments are in italics.

[ ] Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... } Optional items are grouped in braces and separated by vertical bars. One item is selected.

[ x | y | ... ] Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.

{ x | y | ... }* Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.

[ x | y | ... ]* Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.


GUI Conventions

The GUI conventions that may be found in this document are defined as follows.

Convention Description

Boldface Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK.

> Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder.

Keyboard Operations

The keyboard operations that may be found in this document are defined as follows.

Format Description

Key Press the key. For example, press Enter and press Tab.

Key 1+Key 2 Press the keys concurrently. For example, pressing Ctrl+Alt+A means the three keys should be pressed concurrently.

Key 1, Key 2 Press the keys in turn. For example, pressing Alt, A means the two keys should be pressed in turn.

Mouse Operations

The mouse operations that may be found in this document are defined as follows.

Action Description

Click Select and release the primary mouse button without moving the pointer.

Double-click Press the primary mouse button twice continuously and quickly without moving the pointer.

Drag Press and hold the primary mouse button and move the pointer to a certain position.

Update History

Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.


Updates in Issue 01 (2009-12-01)

Initial commercial release.


1 Overview

About This Chapter

1.1 Introduction to the Device

1.2 Location of the Eudemon

1.3 Functions and Features of the Eudemon


1.1 Introduction to the Device

The Eudemon is a firewall developed by Huawei. It is a cost-effective security and access solution for small and medium-sized enterprise networks and telecommunication networks.

Powerful Networking and Service-Supporting Capability

The Eudemon is integrated with powerful routing capabilities:

• Static routing

• Routing Information Protocol (RIP) dynamic routing

• Open Shortest Path First (OSPF) dynamic routing

• Routing policy

• Routing iteration

• Routing management

These increase the flexibility in the Eudemon networking application.

Besides the powerful routing capabilities, the Eudemon is integrated with security and safety capabilities:

• Supports detection of malicious commands.

• Supports Network Address Translation (NAT) application.

• Supports static and dynamic blacklist filtering.

• Supports proxy-based SYN Flood defense flow control.

Multiple Types of Interfaces

The Eudemon provides fixed interfaces, such as the Gigabit Ethernet (GE) interfaces and Console ports, and extended slots for optional Mini Interface Cards (MICs) and Flexible Interface Modules (FICs). The Ethernet fiber and electrical interface card, Asymmetric Digital Subscriber Line 2+ (ADSL2+) interface card, E1/CE1 interface card and GE interface card can be inserted in the extended slots. You can select the interface cards according to the network environment. The excellent software scalability provides you with an economical solution for future network upgrades.

Enhanced Security

The Eudemon uses a specially designed hardware platform and a secure operating system with independent intellectual property rights. Its packet processing is totally separated from the operating system, which greatly increases the security of the system.

With its own Application Specific Packet Filter (ASPF) state inspection technology, the Eudemon can:

• Monitor the connection process and malicious commands.

• Cooperate with ACL to achieve packet filtering.

• Provide a number of attack defense capabilities.


All of the above features ensure the security of networks.

High-Speed Processing Capability

Oriented to medium and small-sized enterprise and industry users, the Eudemon provides wire-rate, high-performance security defense and packet processing capabilities by using multicore technology.

The Eudemon uses high-speed algorithms and an optimized software structure, which effectively ensure the performance of the system. For example, the high-speed ACL algorithm can search a few or thousands of policies for a specific one at the same speed.

Powerful Log and Statistics

Based on the powerful log and statistics provided by the Eudemon, you can obtain useful help in security analysis and event tracing.

1.2 Location of the Eudemon

The Eudemon is often deployed at the entrance to the protected zone to provide access control policy-based security defense. For example:

• When you need to protect the internal network and data from malicious attacks or illegal access from the external network (such as unauthorized or unauthenticated access), you can deploy the Eudemon at the junction of the internal and external networks.

• When you need to deny internal users access to sensitive data, you can deploy the Eudemon at the junction where a relatively open segment meets relatively sensitive ones (such as a segment that holds sensitive or private data).

1.3 Functions and Features of the Eudemon

1.3.1 Network Interconnection

1.3.2 Security Defense

1.3.3 Service Application

1.3.4 Configuration and Management

1.3.5 Maintenance

1.3.6 System Log Management

1.3.1 Network Interconnection

Link Layer Protocol

Description of the link layer protocol of the Eudemon:

• Supports Ethernet_II and Ethernet_SNAP.


• Supports VLAN (Virtual Local Area Network).

• Supports HDLC (High-level Data Link Control).

• Supports PPP (Point-to-Point Protocol).

• Supports PPPoE (PPP over Ethernet).

• Supports DDR (Dial-on-Demand Routing).

IP Service

Description of the IP services of the Eudemon:

• Supports ARP (Address Resolution Protocol).

• Supports DHCP (Dynamic Host Configuration Protocol) relay, DHCP server and DHCP client.

• Supports FTP client/server.

• Supports TFTP client.

• Supports ping and tracert.

Routing Protocol

Description of the routing protocol of the Eudemon:

• Supports static routing.

• Supports dynamic routing (RIP, OSPF).

• Supports route policy.

• Supports policy-based routing.

• Supports route management and route iteration.

1.3.2 Security Defense

Packet Filtering

The Eudemon supports the following packet filtering modes:

• Supports basic ACL and advanced ACL.

• Supports time range ACL.

• Supports inter-zone ACL.

• Maintains ACL rules dynamically.

• Supports blacklist, and MAC and IP address binding.

• Supports the application specific packet filter (ASPF) and state inspection.

• Provides the port mapping mechanism.

NAT

The following describes the NAT (Network Address Translation) of the Eudemon:

• Address translation.


• Provides the internal server.

• Port-level NAT server.

• Supports multiple NAT ALGs (Application Level Gateway), including FTP (File Transfer Protocol), PPTP (Point-to-Point Tunneling Protocol), ILS (Instrument Landing System), ICMP (Internet Control Message Protocol), H.323, QQ, MSN and RTSP (Real-Time Streaming Protocol).

Attack Defense

The following describes the attack defense of the Eudemon:

• Defends against multiple DoS attacks, such as SYN Flood, ICMP Flood, UDP Flood, ARP, WinNuke, ICMP redirection and unreachable packet, Land, Smurf and Fraggle.

• Defends against scanning and snooping, such as address scanning, port scanning, IP source routing option, IP routing record option and ICMP snooping packet.

• Defends against other attacks, such as IP Spoofing.

Traffic Monitoring

The following describes the traffic monitoring of the Eudemon:

• Supports limiting the connection rate and number of connections per IP address.

• Supports CAR (Committed Access Rate).

• Supports real-time traffic statistics and attack packet statistics.

1.3.3 Service Application

AAA

AAA (Authentication, Authorization and Accounting) service application of the Eudemon:

• Supports AAA domain.

• Supports local user management.

• Supports multiple ISPs.

QoS

QoS (Quality of Service) service application of the Eudemon:

• Supports traffic categorization.

• Supports traffic monitoring.

• Supports congestion management.

1.3.4 Configuration and Management

Command Line Interface

The following describes the command line interface of the Eudemon:


• Prompt and help information in English and Chinese.

• Hierarchical command line protection against intrusion by unauthorized users.

• Detailed debugging information that helps network fault diagnosis.

• Network test tools, such as tracert and ping, which help rapidly identify whether the network is normal.

Web Configuration Interface

The Eudemon provides user-friendly and easy-to-use Web configuration interfaces to help you operate and maintain the Eudemon in a centralized manner. In addition, the Eudemon supports both encrypted access and unencrypted access.

System Management

The following describes the system management of the Eudemon:

• Supports uploading, downloading, or deleting files through FTP.

• Supports uploading or downloading files through TFTP.

• Supports uploading a configuration file or license file, and downloading or deleting files, through the Web.

Terminal Service

The following describes the terminal service of the Eudemon:

• Supports terminal services of the console port.

• Supports terminal services of Telnet and secure shell (SSH).

• Supports the send function so that terminal users can communicate with each other.

1.3.5 Maintenance

System Management

Supports the standard network management protocol SNMP v1/v2c/v3.

CPU Protection for Over-high Temperature

When the temperature of the CPU is higher than 60ºC, the alarm indicator on the front panel is on. The system sends high-temperature alarm information and a log.

When the temperature of the CPU is higher than 90ºC, the system sends shutdown alarm information and a log. If the temperature is still rising, the system switches to the heat protection state three minutes after the shutdown alarm information is generated. The indicators on the front panel flash, except for the system indicator and the active/standby indicators. This indicates that the system is in the heat protection state. After 16 minutes, the system switches on automatically.

1.3.6 System Log Management

The following describes the system log of the Eudemon:


• Provides the log server for browsing and querying log information.

• Provides input and output IP packet statistics. NAT log, ASPF log, attack defense log, blacklist log, address binding log, traffic statistics alarm/recovery log, and operation log can be queried.

• Supports the syslog format and binary log format.

• The syslog logs can be queried based on date. The binary logs can be queried based on time, protocol, source address/port, NAT address/port, and destination address/port. The system supports fuzzy query. The query results can be exported as an Excel file.


2 Introduction

About This Chapter

2.1 Working Mode

2.2 Security Zone


2.1 Working Mode

2.1.1 Working Mode Classification

2.1.2 Working Process in Route Mode

2.1.3 Working Process in Transparent Mode

2.1.4 Working Process in Composite Mode

2.1.1 Working Mode Classification

Route Mode

In the scenario where the Eudemon is connected to external networks through the network layer (the physical interface is configured with an IP address), the Eudemon works in route mode.

When the Eudemon is deployed between an internal network and an external network, you need to configure the Eudemon interfaces connecting to the internal network and to the external network with IP addresses in different segments. In addition, you need to replan the network topology. The Eudemon fulfills the routing function between the internal and external networks; it functions as a router.

As shown in Figure 2-1, the Eudemon is connected to the internal network through an interface assigned to the Trust zone, and connected to the external network through an interface assigned to the Untrust zone. The two interfaces, in the Trust zone and the Untrust zone respectively, belong to different subnets.

Figure 2-1 Networking diagram in route mode

[Figure not reproduced: the Eudemon sits between the Trust zone (internal network: PCs and a server) and the Untrust zone (a router, a server and the external network); the interface addresses shown are 202.10.0.1/24 and 10.110.1.254/24.]

When working in route mode, the Eudemon can implement functions such as ACL packet filtering, ASPF dynamic filtering, and NAT. When you configure a Eudemon to work in route mode, you need to change the topology of the existing network. For example, internal network users need to change their gateway settings and the route configuration of the router should be changed as well. Reconstructing a network is time and resource consuming. It is recommended that you weigh the advantages and disadvantages in selecting this mode.


Transparent Mode

In the scenario where the Eudemon is connected to external networks through the data link layer (the physical interface is not configured with an IP address), the Eudemon works in transparent mode.

Letting the Eudemon work in transparent mode saves you the trouble of changing the network topology.

To adopt the transparent mode, you only need to deploy the Eudemon on the network just like placing a bridge. That saves you from changing any current configuration. Similar to its operation in route mode, the Eudemon checks and filters IP packets, protecting internal users against threats.

Figure 2-2 shows a typical networking in transparent mode.

Figure 2-2 Networking diagram in transparent mode

[Figure: the Eudemon bridges the internal network (Trust zone, with PCs and a server) and the external network (Untrust zone, with a server); the routers on the two sides have the addresses 202.10.0.1/24 and 202.10.0.2/24, in the same subnet.]

In transparent mode, the Eudemon can perform packet forwarding only. The two connected networks must be in the same network segment. The Eudemon is connected with the internal network through an interface in the Trust zone, and with the external network through an interface in the Untrust zone.

Note that the internal network and external network should be in the same subnet.

Composite Mode

If the Eudemon has both interfaces working in route mode (interfaces with IP addresses) and interfaces working in transparent mode (interfaces without IP addresses), the Eudemon works in composite mode.

The composite mode is applied to two-node cluster hot backup in transparent mode. The interface on which the Virtual Router Redundancy Protocol (VRRP) is enabled needs to be configured with an IP address; the other interfaces do not need IP addresses.

Figure 2-3 shows a typical networking in composite mode.


Figure 2-3 Networking in composite mode

[Figure: Eudemon (Master) and Eudemon (backup) are connected to each other through a HUB; both connect to the intranet (Trust zone, with PCs and a server) and to the Internet (Untrust zone, with a server); both sides are in 202.10.0.0/24.]

Primary and secondary Eudemons are connected to the intranet through interfaces in the Trust zone, and to the Internet through interfaces in the Untrust zone.

In addition, primary and secondary Eudemons:

l Connect with each other through a hub or a local area network (LAN) switch.

l Perform backup over VRRP.

NOTE

The primary and secondary Eudemons can be connected directly or through a hub or a LAN switch. You can connect the primary and the secondary Eudemons based on the actual conditions. The intranet and the Internet must reside in the same subnet.

2.1.2 Working Process in Route Mode

When packets are forwarded between interfaces at the network layer, the Eudemon acts as a router, searching for routing entries based on the IP addresses of the packets. Unlike a router, the Eudemon delivers the forwarded IP packets to the upper layer for filtering. The Eudemon determines whether to allow the packets to pass through according to session entries and ACL rules. In addition, the Eudemon is responsible for some other attack defense checks.

2.1.3 Working Process in Transparent Mode

When packets are forwarded between interfaces in the layer 2 network, the Eudemon acts as a transparent bridge, searching for outbound interfaces based on the MAC addresses of the packets. Unlike a bridge, the Eudemon delivers the forwarded IP packets to the upper layer for filtering. The Eudemon determines whether to permit the packets to pass through according to session entries and ACL rules. In addition, the Eudemon is responsible for some other attack defense checks.

In transparent mode, the Eudemon is connected to a LAN at the data link layer; therefore, end users do not need to perform special configuration on their devices to connect the networks (as with a LAN switch connection).


The working process in transparent mode has several phases, which are described in the following sections:

l Obtaining an Address Table

l Forwarding or Filtering a Frame

Obtaining an Address Table

In transparent mode, the Eudemon forwards packets based on the MAC address table, which consists of MAC addresses and interfaces. To forward packets, the Eudemon must obtain information about the relationship between MAC addresses and interfaces.

In transparent mode, the process by which the Eudemon obtains the address table is as follows:

1. Broadcast a data packet.

When connected to a physical network segment, the transparent Eudemon monitors all Ethernet frames on that segment. Once it detects an Ethernet frame from a certain interface, it extracts the source MAC address from the frame, and then adds the relationship between the MAC address and the interface to the MAC address table. Figure 2-4 shows the process.

Figure 2-4 Broadcasting a data packet

[Figure: workstations A (00e0.fcaa.aaaa) and B (00e0.fcbb.bbbb) are on segment 1, attached to interface 1 of the Eudemon; workstations C (00e0.fccc.cccc) and D (00e0.fcdd.dddd) are on segment 2, attached to interface 2. The frame shown has source address 00e0.fcaa.aaaa and destination address 00e0.fcbb.bbbb.]

Segments 1 and 2 are connected with interfaces 1 and 2 on the Eudemon respectively. For example, when workstation A sends an Ethernet frame to workstation B, both the transparent Eudemon and workstation B receive the frame.

2. Reversely learn the relationship between the MAC address of workstation A and the interface.

After receiving the Ethernet frame, the transparent Eudemon knows that workstation A is connected to interface 1 on the Eudemon, because interface 1 received the frame. The Eudemon then adds the relationship between the MAC address of workstation A and interface 1 to the MAC address table. Figure 2-5 shows the process.


Figure 2-5 Reversely learning the relationship between the MAC address of workstation A and the interface

[Figure: same topology as Figure 2-4 (workstations A and B on segment 1 at interface 1, C and D on segment 2 at interface 2); the frame has source address 00e0.fcaa.aaaa and destination address 00e0.fcbb.bbbb. Address table after learning: MAC address 00e0.fcaa.aaaa, interface 1.]

3. Reversely learn the relationship between the MAC address of workstation B and the interface.

After workstation B responds to the Ethernet frame from workstation A, the transparent Eudemon detects the response frame from workstation B. The transparent Eudemon knows that it is connected to workstation B through interface 1, because interface 1 received the frame. The Eudemon then adds the relationship between the MAC address of workstation B and interface 1 to the MAC address table. Figure 2-6 shows the process.


Figure 2-6 Reversely learning the relationship between the MAC address of workstation B and the interface

[Figure: same topology as Figure 2-4; the response frame has source address 00e0.fcbb.bbbb and destination address 00e0.fcaa.aaaa. Address table after learning: 00e0.fcaa.aaaa on interface 1, 00e0.fcbb.bbbb on interface 1.]

The reverse learning process continues until the transparent Eudemon has obtained all relationships between MAC addresses and interfaces.

Forwarding or Filtering a Frame

At the data link layer, the transparent Eudemon processes a frame in the following situations:

l When the transparent Eudemon successfully obtains the corresponding information from the address table, it forwards the frame.

When workstation A sends an Ethernet frame to workstation C, the transparent Eudemon searches the address table for the interface corresponding to workstation C. The Eudemon then forwards the frame through interface 2 according to the search result. Figure 2-7 shows the process.


Figure 2-7 Forwarding the frame after successfully obtaining corresponding information from the address table

[Figure: same topology as Figure 2-4; the frame has source address 00e0.fcaa.aaaa and destination address 00e0.fccc.cccc and is forwarded out of interface 2. Address table: 00e0.fcaa.aaaa on interface 1, 00e0.fcbb.bbbb on interface 1, 00e0.fccc.cccc on interface 2, 00e0.fcdd.dddd on interface 2.]

If the transparent Eudemon receives a broadcast or multicast frame on an interface, it forwards the frame to all other interfaces.

l When the transparent Eudemon finds in the address table that the destination is on the interface that received the frame, it does not forward the frame.

If workstation A sends an Ethernet frame to workstation B, the Eudemon does not forward the frame but filters it, because workstations A and B reside in the same physical network segment. Figure 2-8 shows the process.


Figure 2-8 Filtering frames after successfully obtaining corresponding information from the address table

[Figure: same topology as Figure 2-4; the frame has source address 00e0.fcaa.aaaa and destination address 00e0.fcbb.bbbb and is not forwarded. Address table: 00e0.fcaa.aaaa on interface 1, 00e0.fcbb.bbbb on interface 1, 00e0.fccc.cccc on interface 2, 00e0.fcdd.dddd on interface 2.]

l When the transparent Eudemon fails to obtain the corresponding information from the address table, it forwards the frame.

When workstation A sends an Ethernet frame to workstation C and the Eudemon cannot find the relationship between the MAC address of workstation C and an interface in the address table, the Eudemon forwards the frame to all interfaces except the one on which it arrived. In this case, the Eudemon acts as a hub, ensuring that the frame continues to be delivered. Figure 2-9 shows the process.

Figure 2-9 Forwarding the frame after failing to obtain corresponding information from the address table

[Figure: same topology as Figure 2-4; the frame has source address 00e0.fcaa.aaaa and destination address 00e0.fccc.cccc. The address table holds only 00e0.fcaa.aaaa on interface 1 and 00e0.fcbb.bbbb on interface 1, so the frame is sent to the other interface.]
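The learning and forwarding rules of sections "Obtaining an Address Table" and "Forwarding or Filtering a Frame" can be replayed with a small learning-bridge model. The following is an added example written for this document, not Huawei code: the workstation names and MAC addresses are those of Figures 2-4 to 2-9, the placement of A and B on interface 1 and C and D on interface 2 is an assumption drawn from the figures, and a frame is represented by a constructed (source MAC, destination MAC) pair rather than a real Ethernet frame.

```python
from dataclasses import dataclass, field

# Constructed topology following Figures 2-4 to 2-9 (an assumption, not device data):
# segment 1 hangs off interface 1, segment 2 off interface 2.
WORKSTATIONS = {
    "A": ("00e0.fcaa.aaaa", 1),
    "B": ("00e0.fcbb.bbbb", 1),
    "C": ("00e0.fccc.cccc", 2),
    "D": ("00e0.fcdd.dddd", 2),
}


def is_group_address(mac: str) -> bool:
    """Broadcast or multicast destination: the I/G bit (least significant bit
    of the first octet) is set, e.g. ffff.ffff.ffff or 0100.5e00.0001."""
    return bool(int(mac.replace(".", "")[:2], 16) & 0x01)


@dataclass
class TransparentBridge:
    interfaces: tuple
    table: dict = field(default_factory=dict)   # MAC address -> interface

    def receive(self, src_mac: str, dst_mac: str, in_if: int) -> list:
        """Process one frame arriving on in_if and return the list of interfaces
        it is sent out of; an empty list means the frame is filtered."""
        # Reverse learning (Figures 2-5 and 2-6): the source sits behind in_if.
        self.table[src_mac] = in_if
        others = [i for i in self.interfaces if i != in_if]
        if is_group_address(dst_mac):
            return others            # broadcast/multicast: every other interface
        out_if = self.table.get(dst_mac)
        if out_if is None:
            return others            # unknown destination (Figure 2-9): act as a hub
        if out_if == in_if:
            return []                # same segment (Figure 2-8): filter
        return [out_if]              # known, other segment (Figure 2-7): forward


def replay_learning(bridge: TransparentBridge) -> list:
    """Replay a constructed sequence of frames and return (sender, receiver,
    outgoing interfaces) for each, so the table fills in as in Figures 2-4 to 2-9."""
    frames = [("A", "B"), ("B", "A"), ("C", "A"), ("D", "C"), ("A", "C"), ("A", "B")]
    log = []
    for sender, receiver in frames:
        src, in_if = WORKSTATIONS[sender]
        dst, _ = WORKSTATIONS[receiver]
        log.append((sender, receiver, bridge.receive(src, dst, in_if)))
    return log


if __name__ == "__main__":
    bridge = TransparentBridge(interfaces=(1, 2))
    for entry in replay_learning(bridge):
        print(entry)
    print("address table:", bridge.table)
```

The first frame (A to B) is flooded because B is still unknown; once B has answered, a repeat of the same frame is filtered because both stations are learned on interface 1. Note that learning happens before the forwarding decision, which is why B's reply is filtered yet still populates the table.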


2.1.4 Working Process in Composite Mode

When the Eudemon works in composite mode, some interfaces are configured with IP addresses and some are not. The interfaces configured with IP addresses reside in the layer 3 network, with VRRP enabled for dual-system hot backup. The interfaces not configured with IP addresses reside in the layer 2 network. External users connected to the interfaces in the layer 2 network belong to the same subnet.

When packets are forwarded between interfaces in the layer 2 network, the forwarding process is the same as that in transparent mode. For details, see section "2.1.3 Working Process in Transparent Mode". When packets are forwarded between interfaces in the layer 3 network, the forwarding process is similar to that in route mode. For details, see section "2.1.2 Working Process in Route Mode".

2.2 Security Zone

2.2.1 Introduction to Security Zone

2.2.2 Features of the Security Zone

2.2.3 Security Zone on Eudemon

2.2.1 Introduction to Security Zone

Zone is a concept introduced in the Eudemon, and is one of the main features distinguishing the Eudemon from a router. On a router, the network security check is performed on interfaces, because the networks connected to each interface are equal in security. That is, for a router there is no obvious difference between internal networks and external networks.

In this way, when a data stream passes through a router in one direction, it may be checked twice, on both the ingress interface and the egress interface, to meet the separate security definitions of each interface. The Eudemon's situation is different: internal networks and external networks are clearly defined, and the Eudemon protects internal networks from illegal intrusion from external networks.

When a data stream passes through a Eudemon, the security operation triggered varies with the direction of the data stream. It is therefore not suitable to check the security policy on the interface of the Eudemon, and the Eudemon introduces the concept of the security zone instead.

2.2.2 Features of the Security Zone

A security zone is composed of one or more interfaces with the same security level.

The features of the security zones are as follows:

l The security level is denoted by an integer in the range of 1 to 100. The greater the number, the higher the level.

l There are no two zones with the same security level.


2.2.3 Security Zone on Eudemon

Security Zone Classification

The default security zones on the Eudemon are as follows:

l Virtual zone (Vzone)

It is the lowest-level security zone, whose security level is 0.

l Untrust zone

It is a low-level security zone, whose security level is 5.

l Demilitarized Zone (DMZ)

It is a medium-level security zone, whose security level is 50.

l Trust zone

It is a high-level security zone, whose security level is 85.

l Local zone

It is the highest-level security zone, whose security level is 100.

When the Eudemon works in route mode, you do not need to create the five zones above. Deleting them or resetting their security levels is prohibited.

When the Eudemon works in transparent mode or composite mode, the Vzone is not supported by default. The other zones can neither be created nor deleted, and their security levels cannot be reset.

In addition to the preceding default zones, the Eudemon also supports 11 customized zones.

NOTE

Derived from military usage, a DMZ is an intermediate zone between a strictly controlled military zone and a loosely controlled public zone; that is, it is partially controlled by the military. On the Eudemon, it denotes a zone that is independent of both internal and external networks, logically and physically, in which public devices such as Web servers and FTP servers are placed. If these servers are placed in external networks, it is hard for external users to locate them and their security cannot be assured; if they are placed in internal networks, their security defects might give an external malicious client the opportunity to attack the internal networks. The DMZ was developed to solve this problem.

Relations Between Interface, Network and Security Zones

CAUTION

Neither two security zones with the same security level nor an interface belonging to two different security zones are allowed in the system.

Relations between interface, network and security zones:

l Relation between interface and security zones

A security zone includes one or several interfaces with one security level. Except for the Local zone, every security zone needs to be associated with some interfaces of the Eudemon, that is, the interfaces are added into the zone.

l Relations between network and security zones


– Internal networks should be located in high-level security zone, for example, trust zone.

– External networks should be located in a low-level security zone, for example, the Untrust zone.

– Networks offering conditional services to the outside should be located in the medium-level DMZ.

– The Local zone has no interface. The Eudemon device is in the Local zone.

– The Vzone has no interface and is used for traffic forwarding between Virtual Private Network (VPN) instances.

l Relation between the interface, network and security zones

The relationship is shown in Figure 2-10.

Figure 2-10 Relationship diagram of interface, network and security zones

[Figure: the Eudemon's interfaces GE0/0/0, GE0/0/1 and GE0/0/2 connect it to the Trust, Untrust and DMZ zones (with servers in the Untrust zone and the DMZ); the Local zone and the Vzone have no interface. Arrows between each pair of zones are labelled Inbound and Outbound.]

Data flows of the two security zones (interzone) are grouped into two directions:

l Inbound

It refers to the direction that data are transmitted from low-level security zones to high-level security zones.


l Outbound

It refers to the direction in which data is transmitted from a high-level security zone to a low-level security zone.

Data transmission between security zones of different levels causes the Eudemon to check the security policy. You can set different security policies for the two directions of the same interzone; data flowing in each direction triggers a different security policy check.

The direction of data transmission on the Eudemon is determined by which side has the higher security level. It follows that:

l A data stream transmitted from the Local zone to the Trust zone, DMZ or Untrust zone is an outbound data stream; in the opposite direction it is an inbound data stream.

l A data stream transmitted from the Trust zone to the DMZ, Untrust zone or Vzone is an outbound data stream; in the opposite direction it is an inbound data stream.

l A data stream transmitted from the DMZ to the Untrust zone or Vzone is an outbound data stream; in the opposite direction it is an inbound data stream.

l A data stream transmitted from the Untrust zone to the Vzone is an outbound data stream, while a data stream transmitted from the Vzone to the Untrust zone is an inbound data stream.

NOTE

l If you want to allow users in a high-level security zone to access external networks, you can configure a default interzone packet-filtering rule on the Eudemon that permits packets to travel from a high-level security zone to a low-level security zone.

l The data transmission direction on a router is determined by the interface, which is another of the main features differentiating the Eudemon from a router. A data stream sent out of an interface is an outbound data stream, and one received on an interface is an inbound data stream.
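The zone rules of sections 2.2.2 and 2.2.3 and the direction rules above can be captured in a small model. The following is an added example written for this document, not Eudemon code: the zone names and levels are the defaults from section 2.2.3, the limit of 11 customized zones and the uniqueness constraints come from the text, the interface names follow the GE0/0/x style of Figure 2-10, and the `default_filter` method models the optional default interzone packet-filtering rule from the NOTE (permit high-to-low, deny low-to-high), which is an assumption about how that rule behaves when nothing else is configured.

```python
# Default zones and their security levels (section 2.2.3).
DEFAULT_ZONES = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5, "vzone": 0}
MAX_CUSTOM_ZONES = 11                     # section 2.2.3
NO_INTERFACE_ZONES = {"local", "vzone"}   # zones that never hold an interface


class ZoneError(ValueError):
    """Raised for a configuration that the zone rules forbid."""


class ZoneTable:
    def __init__(self):
        self.levels = dict(DEFAULT_ZONES)   # zone name -> security level
        self.members = {}                   # interface name -> zone name

    def add_zone(self, name: str, level: int) -> None:
        """Create a customized zone. Levels are 1 to 100 and no two zones may
        share a level (section 2.2.2 and the CAUTION in 2.2.3)."""
        if name in self.levels:
            raise ZoneError(f"zone {name} already exists")
        if not isinstance(level, int) or not 1 <= level <= 100:
            raise ZoneError("security level must be an integer from 1 to 100")
        if level in self.levels.values():
            raise ZoneError(f"security level {level} is already used by another zone")
        if len(self.levels) - len(DEFAULT_ZONES) >= MAX_CUSTOM_ZONES:
            raise ZoneError(f"at most {MAX_CUSTOM_ZONES} customized zones are supported")
        self.levels[name] = level

    def add_interface(self, iface: str, zone: str) -> None:
        """Add an interface to a zone; an interface belongs to at most one zone."""
        if zone not in self.levels:
            raise ZoneError(f"unknown zone {zone}")
        if zone in NO_INTERFACE_ZONES:
            raise ZoneError(f"the {zone} zone has no interfaces")
        if iface in self.members:
            raise ZoneError(f"{iface} already belongs to zone {self.members[iface]}")
        self.members[iface] = zone

    def direction(self, src_zone: str, dst_zone: str) -> str:
        """Interzone direction: high-to-low level is outbound, low-to-high is inbound."""
        src, dst = self.levels[src_zone], self.levels[dst_zone]
        if src == dst:
            raise ZoneError("traffic inside one zone is not interzone traffic")
        return "outbound" if src > dst else "inbound"

    def direction_of_packet(self, in_iface: str, out_iface: str) -> str:
        """Direction of a packet entering on in_iface and leaving on out_iface."""
        return self.direction(self.members[in_iface], self.members[out_iface])

    def default_filter(self, src_zone: str, dst_zone: str) -> str:
        """Assumed behaviour of the optional default interzone packet filter in the
        NOTE: permit high-to-low (outbound) traffic, deny everything inbound."""
        return "permit" if self.direction(src_zone, dst_zone) == "outbound" else "deny"


if __name__ == "__main__":
    zones = ZoneTable()
    zones.add_interface("GE0/0/0", "trust")
    zones.add_interface("GE0/0/1", "untrust")
    zones.add_interface("GE0/0/2", "dmz")
    for src, dst in [("trust", "untrust"), ("untrust", "dmz"), ("local", "trust")]:
        print(src, "->", dst, zones.direction(src, dst), zones.default_filter(src, dst))
    print("GE0/0/1 -> GE0/0/0:", zones.direction_of_packet("GE0/0/1", "GE0/0/0"))
```

The interesting property for a reviewer is that direction is a function of the two zones' levels only, never of which physical interface the packet crossed, which is the contrast with router-style per-interface policy that the NOTE draws.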


3 System Management

About This Chapter

3.1 SNMP Overview

3.2 Introduction to the Features of Web Management


3.1 SNMP Overview

3.1.1 Introduction to SNMP

3.1.2 SNMP Versions and Supported MIB

3.1.1 Introduction to SNMP

At present, the Simple Network Management Protocol (SNMP) is widely used in network management. It is an industry standard.

The SNMP protocol ensures that management information can be transmitted between any two nodes. Based on SNMP, a network administrator can perform the following operations at any node on the network:

l Retrieve information

l Modify information

l Locate a fault

l Diagnose a failure

l Plan capacity

l Generate reports

SNMP adopts a polling mechanism and provides a basic set of functions. It is applicable to small, fast, and low-cost scenarios.

SNMP is widely supported by many products because it requires only the unacknowledged transport layer protocol UDP.

The architecture of the SNMP protocol can be divided into the following parts:

l Network Management Station (NMS)

It is a workstation on which the client program runs.

l Agent

It is server-side software running on the network device.

The detailed operations are described as follows:

The NMS sends packets to the agent, including:

l GetRequest

l GetNextRequest

l Getbulk

l SetRequest

After receiving the request packet from the NMS, the agent reads or writes the management variables based on the packet type. The agent generates a response packet and returns it to the NMS.

When exceptions occur during the cold or hot startup of the device, the agent sends a trap packet to the NMS to report the event.


3.1.2 SNMP Versions and Supported MIB

To uniquely identify the management variables of the device in SNMP packets, SNMP uses a hierarchical naming scheme to identify each management object. The hierarchical structure is like a tree, and each node on the tree represents a management object. As shown in Figure 3-1, the path starting from the root can be used to uniquely identify a management object.

Figure 3-1 MIB tree

[Figure: a tree whose top node is numbered 1; at each level the child nodes are numbered 1 and 2. Two leaf objects, A and B, are marked; B lies on the path 1.2.1.1.]

As shown in Figure 3-1, management object B can be uniquely identified by the string of numbers {1.2.1.1}, which is the object identifier of the management object. The management information base (MIB) describes the hierarchical structure of the tree. It is a set of standard variable definitions for the monitored network device.
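The naming scheme can be exercised with a small tree in the shape of Figure 3-1. The following is an added example written for this document, not Huawei code and not a real MIB: the tree is constructed so that object B sits at {1.2.1.1} as in the text, while the position of A and the names of the intermediate nodes are assumptions. The `in_subtree` check is included because a prefix test on the object identifier is how an agent decides whether an object falls inside a permitted part of the tree.

```python
# Constructed tree in the shape of Figure 3-1 (an assumption, not a real MIB):
# every node has children numbered 1 and 2; B is reachable by the path 1.2.1.1.
MIB_TREE = {"name": "root", "children": {
    1: {"name": "n1", "children": {
        1: {"name": "A", "children": {}},
        2: {"name": "n1.2", "children": {
            1: {"name": "n1.2.1", "children": {
                1: {"name": "B", "children": {}},
                2: {"name": "n1.2.1.2", "children": {}},
            }},
            2: {"name": "n1.2.2", "children": {}},
        }},
    }},
}}


def parse_oid(oid: str) -> tuple:
    """'{1.2.1.1}' or '1.2.1.1' -> (1, 2, 1, 1)."""
    return tuple(int(p) for p in oid.strip("{}").split(".") if p)


def format_oid(path: tuple) -> str:
    """(1, 2, 1, 1) -> '{1.2.1.1}', the notation used in section 3.1.2."""
    return "{" + ".".join(str(p) for p in path) + "}"


def oid_of(name: str, node: dict = MIB_TREE, path: tuple = ()) -> tuple:
    """Depth-first search for the named object; returns its path from the root
    as a tuple of child numbers, or None if the object is not in the tree."""
    if node["name"] == name:
        return path
    for number, child in node["children"].items():
        found = oid_of(name, child, path + (number,))
        if found is not None:
            return found
    return None


def resolve(oid: str):
    """Walk the tree along a dotted identifier; returns the object name or None."""
    node = MIB_TREE
    for number in parse_oid(oid):
        node = node["children"].get(number)
        if node is None:
            return None
    return node["name"]


def in_subtree(oid: str, subtree: str) -> bool:
    """True when oid lies under subtree: the subtree identifier is a prefix."""
    path, prefix = parse_oid(oid), parse_oid(subtree)
    return path[:len(prefix)] == prefix


if __name__ == "__main__":
    print("B is", format_oid(oid_of("B")))
    print("{1.2.1.1} resolves to", resolve("{1.2.1.1}"))
    print("is B under 1.2?", in_subtree("1.2.1.1", "1.2"))
```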

At present, the SNMP agent on the Eudemon supports SNMP v3 and is compatible with SNMP v1 and SNMP v2c.

Table 3-1 shows MIB supported by the system.

Table 3-1 MIB supported by the system

Attribute     Content                                     Standard or Specifications
Public MIB    MIB II based on the TCP/IP network device   RFC1213
              RIP-2 MIB                                   RFC1724
              Ethernet MIB                                RFC2665, RFC2668
              PPP MIB                                     RFC1471, RFC1473
              OSPF MIB                                    RFC1253
              IF MIB                                      RFC1573
              SNMPV2 MIB                                  RFC1907
              Framework MIB                               RFC2571
              Usm MIB                                     RFC2573
              Mpd MIB                                     RFC2572
              Vacm MIB                                    RFC2275
              Target MIB                                  RFC2273
              Notification MIB                            RFC2273
              RADIUS MIB                                  RFC2618, RFC2620
Private MIB   Performance alarm MIB                       -
              Device panel MIB                            -
              Device resource MIB                         -
              VLAN                                        -
              QoS                                         -
              Configuration management MIB                -
              System management MIB                       -

3.2 Introduction to the Features of Web Management

The web-manager function provides users with a simple and friendly web configuration interface. Through this interface, users can operate and maintain the Eudemon conveniently.

Users can access the interface with either of the following methods:

l Encryption

The Web browser communicates with the Eudemon through HTTP over a secure channel (HTTPS). The encryption function ensures the security of user information.

l Non-encryption

The Web browser communicates with the Eudemon through the HTTP protocol.

Users access the Eudemon through the Web browser and send HTTP packets to the Eudemon. The Eudemon starts the Web server to process the HTTP packets sent by the users.

HTTP packets are classified into the following two types:

l get

If the HTTP packets sent from the Web browser to the Eudemon are get packets, the Eudemon triggers the get-processing process and retrieves the configuration information of each function module from the Eudemon.

l post

If the HTTP packets sent from the Web browser to the Eudemon are post packets, the Eudemon triggers the post-processing process and sends the configuration information to each function module of the Eudemon.


4 Security Features

About This Chapter

4.1 ACL

4.2 Security Policy

4.3 NAT

4.4 Attack Defense

4.5 P2P Traffic Limiting

4.6 IM Blocking

4.7 Static Multicast

4.8 Keyword Authentication

4.9 Authentication and Authorization

4.10 IP-CAR

4.11 TSM Cooperation

4.12 SLB


4.1 ACL

4.1.1 ACL Definition

4.1.2 ACL Application

4.1.3 ACL Step

4.1.4 ACL on the Eudemon

4.1.1 ACL Definition

The Eudemon must be capable of controlling network data streams in order to enforce:

l Network security

l QoS requirement

l Various policies

The Access Control List (ACL) is one of the methods used to control data streams.

An ACL is a series of ordered rules composed of permit or deny statements. The permit action allows the packets to pass through the Eudemon, while the deny action forbids the packets from passing through the Eudemon.

The rules are described mainly by:

l Source address

l Destination address

l Port number

l Upper layer protocol

4.1.2 ACL Application

Packet Filter

Packet filtering is a network security protection mechanism. It is used to control the inbound and outbound data between networks of different security levels.

Before forwarding a data packet, the Eudemon checks the information in the packet header, including the source address, destination address, source port, destination port, upper layer protocol and so on.

Then the Eudemon determines whether to forward the data packet or discard it, based on the result of comparing it with the defined rules.

NAT

Network Address Translation (NAT) translates an IP address in a data packet header into another IP address. The NAT mechanism is mainly used to enable internal networks (that use private IP addresses) to access external networks (that use public IP addresses) and to alleviate the shortage of IP addresses.

In practice, it is often required that some internal hosts (with private IP addresses) can access the Internet (namely the external network) while others cannot. This can be achieved by associating an ACL with a NAT address pool, so that only data packets matching the ACL rules undergo NAT. In this way, the range of NAT is controlled efficiently.

QoS

Quality of Service (QoS) is used to evaluate the capability of a service to meet the needs of clients. To assure QoS on the Internet, traffic control and resource allocation at the IP layer must be enhanced to provide differentiated services for different requirements.

Traffic classification is the premise and basis for differentiated services. In practice, you need to do the following.

1. Define traffic classification rules.

Traffic classification rules classify traffic by identifying the traffic priority based on:

l The Type of Service (ToS) field in the IP packet header

l A defined ACL, for example, an ACL including the following elements:

– Source address

– Destination address

– MAC address

– IP protocol

– Port number of the application program

2. Apply the traffic classification policy or ACL to traffic monitoring and congestion management.

Routing Policy

A routing policy is used to send and receive routing information as well as to filter routing information.

There are many methods to filter routing information, of which the ACL is one of the most important and widely used. A client can apply an ACL to specify an IP address or subnet range as the destination address or the next hop address of the matched routing information.

4.1.3 ACL Step

When configuring the Eudemon, you can set a step for an ACL rule group. The step is the difference between neighbouring IDs automatically allocated to the rules in the ACL rule group. For instance, if the step is set to 5, the IDs of the rules are multiples of 5 beginning with 0, that is, 0, 5, 10, 15 and so on. By default, the step of an ACL rule group is 5.

Setting a step is helpful for inserting new rules between existing rules. For example, if there are four rules numbered 0, 5, 10, and 15, you can insert a rule after the first one with the rule 1 xxxx command, which places a rule numbered 1 between 0 and 5.

NOTE

Once a step has been set, you must delete the existing rules (including rule 0) before you use the step command to change the step or the undo step command to restore the default step value.


4.1.4 ACL on the Eudemon

Eudemon supports various ACLs as well as time-range-based application and logging of ACL.

ACL Classification

Eudemon supports the following ACL:

l Basic ACL

l Advanced ACL

l MAC-based ACL

Table 4-1 lists the classification of the ACL.

Table 4-1 Classification of the ACL

Type            Value Range     Description
Basic ACL       2000 to 2999    A basic ACL uses only source addresses to define a data flow.
Advanced ACL    3000 to 3999    An advanced ACL can define rules based on source addresses, destination addresses, and the IP payload protocol type, such as TCP source or destination port, ICMP type and message code.
MAC-based ACL   700 to 799      A MAC-based ACL can define data flows through the source MAC address, destination MAC address, and type field in the Ethernet frame header.

ACL Match Order

An ACL is composed of multiple permit or deny statements. Each statement describes a different rule, and rules may overlap or contradict one another.

When matching a packet against the ACL rules, you need to set the ACL match order. By default, the Eudemon matches in configuration order; that is, rules are matched in the order in which they were configured in the ACL.

When configuring the ACL rules, pay attention to the matching order. Configure the ACL rules according to the specific situation.

Once the data stream successfully matches a rule, no further rules are evaluated. The Eudemon processes the data stream according to that rule.


Source Address and Wildcard Mask

When a basic ACL is applied, a source address must be specified, which can be a host, a host group, or an entire subnet or network. The range of the source address is determined by its wildcard mask field.

Unlike a subnet mask, a 0 bit in a wildcard mask marks a bit that must match, and a 1 bit marks a bit that may differ. That is, apply "not" to each bit of source-wildcard and then "and" the result with source-address to obtain the source address range, as follows:

source-address = 192.168.15.16 11000000.10101000.00001111.00010000

source-wildcard = 0.0.0.255 00000000.00000000.00000000.11111111

source-address range = 192.168.15.0 11000000.10101000.00001111.00000000

The any parameter indicates that packets from any source IP address match the rule. In this case, the value of the source-wildcard parameter is 255.255.255.255 and the value of the source-address parameter can be any address.

ACL Rule Based on Time Range

Finer control over resource access is sometimes required. For example, a system administrator may permit certain data streams only during working hours, or allow clients to access certain resources only within certain time ranges. In such cases, an ACL rule based on a time range can be used.

ACL Rules Quoting Address Sets and Port Sets

To simplify the configuration and maintenance of ACL rules, the Eudemon supports ACL rules that quote an address set and a port set.

An ACL rule described through address sets and port sets behaves in application like a traditional set of rules with the same priority. The number of rules in that set is given by the following formula:

The number of rule elements with the same priority = the number of elements in address set 1 × the number of elements in address set 2 × the number of elements in port set 1 × the number of elements in port set 2.

For example, configure two address sets and one port set, each containing two elements, and apply them in ACL 3000.

<Eudemon> system-view
[Eudemon] ip address-set a1
[Eudemon-address-set-a1] address 1 1.1.1.1 0
[Eudemon-address-set-a1] address 2 2.2.2.1 0
[Eudemon-address-set-a1] quit
[Eudemon] ip address-set a2
[Eudemon-address-set-a2] address 1 3.3.3.1 0
[Eudemon-address-set-a2] address 2 4.4.4.1 0
[Eudemon-address-set-a2] quit
[Eudemon] ip port-set p1 protocol tcp
[Eudemon-tcp-port-set-p1] port 1 eq 21
[Eudemon-tcp-port-set-p1] port 2 eq 22
[Eudemon-tcp-port-set-p1] quit
[Eudemon] acl 3000
[Eudemon-acl-adv-3000] rule permit tcp source address-set a1 destination address-set a2 destination-port port-set p1

The configuration effects of the above commands are the same as the following ACL rules:

[Eudemon] acl 3000
[Eudemon-acl-adv-3000] rule permit tcp source 1.1.1.1 0 destination 3.3.3.1 0 destination-port eq 21
[Eudemon-acl-adv-3000] rule permit tcp source 1.1.1.1 0 destination 3.3.3.1 0 destination-port eq 22
[Eudemon-acl-adv-3000] rule permit tcp source 1.1.1.1 0 destination 4.4.4.1 0 destination-port eq 21
[Eudemon-acl-adv-3000] rule permit tcp source 1.1.1.1 0 destination 4.4.4.1 0 destination-port eq 22
[Eudemon-acl-adv-3000] rule permit tcp source 2.2.2.1 0 destination 3.3.3.1 0 destination-port eq 21
[Eudemon-acl-adv-3000] rule permit tcp source 2.2.2.1 0 destination 3.3.3.1 0 destination-port eq 22
[Eudemon-acl-adv-3000] rule permit tcp source 2.2.2.1 0 destination 4.4.4.1 0 destination-port eq 21
[Eudemon-acl-adv-3000] rule permit tcp source 2.2.2.1 0 destination 4.4.4.1 0 destination-port eq 22
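The expansion shown above is a Cartesian product, which is why a single set-based rule can consume many rule slots. The following Python model is an added example, not Huawei code: it expands a set-based rule into the equivalent traditional rules and computes the count from the formula in the text. The set names a1, a2 and p1 and their contents are taken from the CLI example; the function names expand_rule and expected_count are this example's own.

```python
"""Expansion of an ACL rule that references address sets and port sets.

Added example (not Eudemon code). Models the product rule from the text:
  rules with the same priority = |addr set 1| x |addr set 2| x |port set 1| x |port set 2|
by expanding one set-based rule into the list of traditional rules it stands for.
"""
from itertools import product
from typing import Dict, List, Optional

# Constructed sample sets mirroring the CLI example in the text.
ADDRESS_SETS: Dict[str, List[str]] = {
    "a1": ["1.1.1.1 0", "2.2.2.1 0"],
    "a2": ["3.3.3.1 0", "4.4.4.1 0"],
}
PORT_SETS: Dict[str, List[str]] = {
    "p1": ["eq 21", "eq 22"],
}


def expand_rule(action: str, proto: str, source_set: str, dest_set: str,
                source_port_set: Optional[str] = None,
                dest_port_set: Optional[str] = None) -> List[str]:
    """Return the traditional rules equivalent to one set-based rule.

    A port set that is not referenced contributes a single "any port" element,
    so it does not multiply the count (that factor in the formula is 1).
    """
    src_addrs = ADDRESS_SETS[source_set]
    dst_addrs = ADDRESS_SETS[dest_set]
    src_ports = PORT_SETS[source_port_set] if source_port_set else [None]
    dst_ports = PORT_SETS[dest_port_set] if dest_port_set else [None]

    rules = []
    # product() varies the last factor fastest, which reproduces the order
    # in which the manual lists the expanded rules.
    for sa, da, sp, dp in product(src_addrs, dst_addrs, src_ports, dst_ports):
        parts = [f"rule {action} {proto}", f"source {sa}", f"destination {da}"]
        if sp:
            parts.append(f"source-port {sp}")
        if dp:
            parts.append(f"destination-port {dp}")
        rules.append(" ".join(parts))
    return rules


def expected_count(source_set: str, dest_set: str,
                   source_port_set: Optional[str] = None,
                   dest_port_set: Optional[str] = None) -> int:
    """The formula from the text, computed from the set sizes."""
    n = len(ADDRESS_SETS[source_set]) * len(ADDRESS_SETS[dest_set])
    n *= len(PORT_SETS[source_port_set]) if source_port_set else 1
    n *= len(PORT_SETS[dest_port_set]) if dest_port_set else 1
    return n


if __name__ == "__main__":
    for r in expand_rule("permit", "tcp", "a1", "a2", dest_port_set="p1"):
        print(r)
```

Running the block prints the eight rules listed above. The practical caveat is capacity: because every factor multiplies, a rule quoting four sets of 50 elements each expands to 6,250,000 rule elements, so set sizes should be checked against the device's rule limits before the ACL is applied.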

4.2 Security Policy

4.2.1 Packet Filter

4.2.2 ASPF

4.2.3 Blacklist

4.2.4 MAC and IP Address Binding

4.2.5 Port Identification

4.2.6 Virtual Firewall

4.2.1 Packet Filter

Packet filtering is a network security protection mechanism. It is used to control the inbound and outbound data between networks of different security levels.

When forwarding a packet, the Eudemon first compares the ACL with the information in the packet header, including:

- Source address

- Destination address

- Upper layer protocol carried over IP

- Source port of the data packet

- Destination port of the data packet

After that, the Eudemon determines whether to forward or discard the data packet based on the result of the comparison with the defined rules.

A series of filter rules is needed to filter data packets; this is achieved by applying filter rules defined by ACLs between different zones on the Eudemon.
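The five header fields listed above, the wildcard-mask semantics from 4.1.4 and the first-match rule all come together in the following Python model, which is an added example and not Huawei code. It reproduces the text's worked wildcard case (192.168.15.16 with mask 0.0.0.255) and then filters packets against an ordered rule list, stopping at the first match. The Packet and Rule classes, the default-deny when no rule matches, and the sample rules are this example's own assumptions.

```python
"""First-match packet filtering with wildcard masks (added example).

Not Eudemon code: a small model of the behaviour described in the ACL and
packet-filter sections. A wildcard mask is the inverse of a subnet mask:
0 bits must match, 1 bits are don't-care. Rules are checked in configuration
order and the first rule that matches decides. If nothing matches, this model
drops the packet (the default action here is an assumption of the example).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr lies inside the range defined by base/wildcard."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    # NOT the wildcard, AND with both addresses: the fixed bits must agree.
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


def address_range(base: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address covered by base/wildcard (the text's worked case)."""
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    low = b & ~w & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(low | w))


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # protocol name, or "ip" for any
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"   # "any": every bit is don't-care
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None       # None means any destination port

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wildcard_match(p.src, self.src, self.src_wc):
            return False
        if not wildcard_match(p.dst, self.dst, self.dst_wc):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


def filter_packet(rules: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule), or (deny, None) if none matched."""
    for i, r in enumerate(rules):
        if r.matches(p):
            return r.action, i        # first match wins; stop here
    return "deny", None


# Constructed rule set: order matters. Rule 0 denies Telnet from the whole
# 192.168.15.0/24 range, rule 1 permits everything else from that range.
# Configured the other way round, the deny rule would never be reached.
RULES = [
    Rule("deny", "tcp", src="192.168.15.16", src_wc="0.0.0.255", dport=23),
    Rule("permit", "ip", src="192.168.15.16", src_wc="0.0.0.255"),
]

if __name__ == "__main__":
    print(address_range("192.168.15.16", "0.0.0.255"))
    print(filter_packet(RULES, Packet("192.168.15.200", "10.0.0.1", "tcp", 40000, 23)))
```

The reversed-order case in the test is the practical point of the match-order section: a broad permit placed before a narrow deny silently disables the deny, and the device gives no warning because both rules are individually valid.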

4.2.2 ASPF

Overview of ASPF

Application Specific Packet Filter (ASPF) is packet filtering at the application layer, that is, stateful packet filtering. It cooperates with the ordinary static packet filter to carry out the security policy of the internal network. ASPF can inspect application-layer protocol sessions to prevent unmatched data packets from passing through the Eudemon.

To protect the security of the network, the ACL-based packet filter can inspect data packets at the network layer and transport layer to prevent illegal intrusion. ASPF can inspect protocols at the application layer and monitor application traffic.

In addition, ASPF provides the following functions:

- Java Blocking can prevent the network from being damaged by harmful Java applets.

- ActiveX Blocking can prevent the network from being damaged by harmful ActiveX controls.

ASPF inspects protocols at the application layer and prevents malicious intrusion by maintaining session state and checking the protocol and port number of each session's packets.

The ASPF of the Eudemon supports monitoring of the following types of traffic:

- File Transfer Protocol (FTP)

- H.323 Protocol (H323)

- Hyper Text Transport Protocol (HTTP)

- Huawei Conference Control protocol (HWCC)

- Windows Messenger (MSN)

- Network Basic Input/Output System (NetBIOS)

- QQ protocol (QQ)

- Point to Point Tunnel Protocol (PPTP)

- Real-Time Streaming Protocol (RTSP)

- Session Initiation Protocol (SIP)

- SQL*NET Protocol (SQLNET)

- Media Gateway Control Protocol (MGCP)

- Multimedia Messaging Service (MMS)

- Remote Procedure Call (RPC)

QQ/MSN Chat Detection

At present, most networks deploy NAT devices to conserve IP addresses. Users in different intranets can therefore chat with each other only through NAT.

For text chat, the users' communication is relayed smoothly by the QQ server, since the server holds the address mapping information of the two users.

For audio or video chat, the two users are expected to exchange file, audio, or video data of large volume directly, so that the QQ server is not consumed relaying it. However, traditional NAT devices cannot meet this requirement.

To solve this problem, you can enable detection of QQ or MSN chats between the private network and the public network on the Eudemon. An address mapping is then set up when a QQ or MSN chat is started, so users in two different private networks can transfer files and conduct audio or video chat directly.


Triplet ASPF

The Eudemon is equivalent to a quintuple NAT device. That is, to set up a session on the Eudemon, five elements are required: the source IP address, source port number, destination IP address, destination port number, and protocol number.

A session can be created and packets can pass through the Eudemon only when all of these elements are available.

However, some real-time communication tools, such as QQ and MSN, require processing based on a triplet of fields:

- Source IP address

- Source port

- Protocol number

To adapt to such a communication mechanism, the Eudemon changes quintuple processing to triplet processing. In this way, communications such as QQ and MSN can traverse smoothly.

Besides the NAT traversal of QQ or MSN, other sessions such as TFTP, which use only the source IP address, source port, and protocol number, also require triplet ASPF to be configured on the Eudemon.
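The difference between quintuple and triplet session matching is easiest to see on the TFTP case mentioned above, where the server answers from a port other than 69. The following Python model is an added example, not Huawei code: an outbound packet creates a session entry, and an inbound packet is admitted only if it matches an entry under the chosen mode. The addresses, the SessionTable class and the scenario functions are this example's own constructions.

```python
"""Quintuple vs. triplet session matching (added example, not Eudemon code).

A stateful filter admits an inbound packet only if it belongs to a session
that an outbound packet created. With quintuple matching the reply must be
the exact inverse of the request. With triplet matching only the initiator's
(IP, port, protocol) is fixed, so a peer that answers from a different port
or address (TFTP, QQ/MSN media after NAT) is still accepted.
"""
from dataclasses import dataclass
from typing import Set, Tuple


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


class SessionTable:
    def __init__(self, mode: str) -> None:
        assert mode in ("quintuple", "triplet")
        self.mode = mode
        self.quintuples: Set[Tuple[str, int, str, int, str]] = set()
        self.triplets: Set[Tuple[str, int, str]] = set()

    def outbound(self, p: Pkt) -> None:
        """Trusted side initiates: record the session."""
        self.quintuples.add((p.src, p.sport, p.dst, p.dport, p.proto))
        self.triplets.add((p.src, p.sport, p.proto))

    def allow_inbound(self, p: Pkt) -> bool:
        """Untrusted side answers: admit only if it matches a recorded session."""
        if self.mode == "quintuple":
            # The reply must invert all five fields of the outbound packet.
            return (p.dst, p.dport, p.src, p.sport, p.proto) in self.quintuples
        # Triplet: only the internal endpoint (IP, port, protocol) is checked.
        return (p.dst, p.dport, p.proto) in self.triplets


def tftp_scenario(mode: str) -> bool:
    """TFTP: the request goes to port 69, data comes back from an ephemeral port."""
    table = SessionTable(mode)
    table.outbound(Pkt("10.1.1.5", 5000, "203.0.113.9", 69, "udp"))
    reply = Pkt("203.0.113.9", 3456, "10.1.1.5", 5000, "udp")   # different server port
    return table.allow_inbound(reply)


def unsolicited_scenario(mode: str) -> bool:
    """A packet to a port no internal host opened must be dropped in both modes."""
    table = SessionTable(mode)
    table.outbound(Pkt("10.1.1.5", 5000, "203.0.113.9", 69, "udp"))
    stray = Pkt("203.0.113.9", 3456, "10.1.1.5", 5001, "udp")
    return table.allow_inbound(stray)


if __name__ == "__main__":
    for mode in ("quintuple", "triplet"):
        print(mode, "tftp reply admitted:", tftp_scenario(mode))
```

The trade-off the model makes visible is that triplet matching admits a reply from any external address and port to the internal endpoint while the session lives, not just from the peer that was contacted. That is what lets TFTP and QQ/MSN work, and also why triplet ASPF should be enabled only for the protocols that need it.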

4.2.3 Blacklist

The blacklist is one of the security features of the Eudemon. Its most important characteristic is that entries can be added or deleted dynamically by Eudemon modules. Compared with the ACL-based packet filter, the blacklist packet filter can filter users with specific IP addresses at a much higher speed, because the blacklist packet filter can associate with advanced ACLs to match only IP addresses, which significantly accelerates blacklist entry matching.

You can create blacklist entries in three ways:

- Creation through command lines.

- Dynamic creation by the Eudemon attack defense module.

- If a user fails to log in to the system three times consecutively, the user is added to the blacklist.

After the corresponding attack defense is enabled, when the Eudemon discovers an attack attempt from a specific IP address based on packet behavior, it can automatically modify its blacklist to filter all packets sent from that address.

4.2.4 MAC and IP Address Binding

MAC and IP address binding means that the Eudemon associates a specific IP address with a MAC address based on the client configuration. The Eudemon then discards packets whose MAC address does not correspond to the bound IP address, and forcibly forwards packets whose destination address is the bound IP address to the bound MAC address. As a result, attacks that spoof the IP address are prevented and the network is protected.
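The blacklist and the MAC/IP binding described in 4.2.3 and 4.2.4 are both checks that run before the ordinary ACL is consulted. The following Python model is an added example, not Huawei code: it implements the three-consecutive-failures rule (the counter resets on a successful login), static entries, and a binding table, and reports why a packet is dropped. Timeouts on blacklist entries and the attack-defense trigger are left out; the Policy class, FAILED_LOGIN_LIMIT and all sample addresses are this example's own.

```python
"""Blacklist and MAC/IP binding checks ahead of ACL filtering (added example).

Not Eudemon code. Models two of the text's policies:
  - a host is blacklisted after three consecutive failed logins (the counter
    resets on a successful login), and blacklisted sources are dropped before
    the ordinary ACL is consulted;
  - an IP address bound to a MAC address is accepted only from that MAC.
Entry timeouts and the attack-defense trigger are omitted here.
"""
from typing import Dict, Set

FAILED_LOGIN_LIMIT = 3      # assumption matching "three times consecutively"


class Policy:
    def __init__(self) -> None:
        self.blacklist: Set[str] = set()
        self.failed_logins: Dict[str, int] = {}
        self.bindings: Dict[str, str] = {}   # ip -> mac

    # --- blacklist ---------------------------------------------------------
    def record_login(self, ip: str, success: bool) -> None:
        if success:
            self.failed_logins.pop(ip, None)    # "consecutive": counter resets
            return
        self.failed_logins[ip] = self.failed_logins.get(ip, 0) + 1
        if self.failed_logins[ip] >= FAILED_LOGIN_LIMIT:
            self.blacklist.add(ip)

    def add_static(self, ip: str) -> None:
        """Entry created 'through command lines'."""
        self.blacklist.add(ip)

    # --- MAC and IP binding ------------------------------------------------
    def bind(self, ip: str, mac: str) -> None:
        self.bindings[ip] = mac.lower()

    # --- decision ----------------------------------------------------------
    def check(self, src_ip: str, src_mac: str) -> str:
        """Return the reason a packet is dropped, or 'pass' to continue to the ACL."""
        if src_ip in self.blacklist:
            return "drop: blacklisted"
        bound = self.bindings.get(src_ip)
        if bound is not None and bound != src_mac.lower():
            return "drop: ip/mac binding mismatch"
        return "pass"


def demo() -> Dict[str, str]:
    """Constructed sequence of events; returns the decision for each case."""
    p = Policy()
    p.bind("192.168.1.10", "00:11:22:33:44:55")
    p.add_static("192.168.1.99")

    # Two failures, a success, then two more failures: never three in a row.
    for ok in (False, False, True, False, False):
        p.record_login("192.168.1.20", ok)
    # Three consecutive failures.
    for ok in (False, False, False):
        p.record_login("192.168.1.21", ok)

    return {
        "static": p.check("192.168.1.99", "aa:bb:cc:dd:ee:ff"),
        "bound_ok": p.check("192.168.1.10", "00:11:22:33:44:55"),
        "bound_spoof": p.check("192.168.1.10", "de:ad:be:ef:00:01"),
        "not_consecutive": p.check("192.168.1.20", "aa:bb:cc:dd:ee:01"),
        "consecutive": p.check("192.168.1.21", "aa:bb:cc:dd:ee:02"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16s} {verdict}")
```

The ordering in check() matters operationally: a blacklisted source is dropped before any other processing, which is what makes the blacklist cheaper than an ACL lookup, and the binding check only applies to addresses that have a binding, so unbound hosts fall through to the ACL unchanged.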

4.2.5 Port Identification

Application layer protocols usually communicate through well-known port numbers. Port identification allows a client to define a group of new port numbers, besides the system-defined port numbers, for various applications, and also provides mechanisms to maintain and use the user-defined port configuration information.

Using port identification, you can create and maintain a system-defined port identification list and a user-defined port identification list for various application protocols.

The Eudemon supports basic ACL-based host port identification. Host port identification establishes a user-defined mapping from port number to application protocol on packets sent to specific hosts. For example, TCP packets sent to the host at 10.110.0.0 through port 8080 can be regarded as HTTP packets. The host range is defined by a basic ACL.

The ACL used by host port identification and the ACL quoted by the packet filter differ in the following aspects:

- When configuring an interzone packet-filtering rule, the specified ACL has an explicit direction: the Eudemon only permits packets that move from the source address to the destination address to pass.

- When configuring port identification, the specified basic ACL is only used to define the range of hosts and has no direction.

4.2.6 Virtual Firewall

In recent years, small private networks have been increasing in number. Such networks usually belong to small-scale enterprises, which have the following features:

- High requirements on security

- Cannot afford a dedicated security device

For this reason, Huawei launched the Eudemon multi-instance solution. Figure 4-1 shows the networking of the firewall multi-instance configuration. As shown in Figure 4-1, a firewall is partitioned into multiple virtual firewalls to provide relatively separate security assurance for small private networks. Carriers can adopt the virtual firewall technology to provide separate network security assurance services for multiple private networks.

Figure 4-1 Networking diagram of virtual firewall

[Figure: the Eudemon partitioned into vfw1 and vfw2, each with its own Trust, DMZ and Untrust zones. Interface labels in the diagram: GE 0/0/0 192.168.2.1/24, GE 0/0/1 2.1.2.1/24, Eth 2/0/0, GE 6/0/0 192.168.3.1/24, 192.168.4.1/24, Eth 1/0/0 10.2.1/24 (as printed), GE 5/0/0 10.1.1.1/24.]


Each virtual firewall is a combination of one VPN instance, one security instance, and one configuration instance. It provides a dedicated route forwarding plane, security service plane, and configuration management plane for the virtual firewall's users.

VPN Instance

The VPN instance provides isolated VPN routes for the virtual firewall users. One VPN instance corresponds to one virtual firewall. The VPN routes provide routing for packets received by the virtual firewall.

Security Instance

The security instance provides isolated security services for the virtual firewall users. One security instance corresponds to one virtual firewall.

A security instance owns private interfaces, zones, interzones, ACLs, and NAT address pools.

The security instance can provide private security services, including:

- Address binding

- Blacklist

- NAT

- Packet filter

- Statistics

- Attack defense

- ASPF

Configuration Instance

The configuration instance provides an isolated configuration management plane for the virtual firewall users. One configuration instance corresponds to one virtual firewall. After virtual firewall users log in to the firewall, they have the rights to manage and maintain the VPN instance and security instance.

4.3 NAT

4.3.1 Introduction

4.3.2 NAT on the Device

4.3.1 Introduction

NAT translates the IP address in an IP packet header into another IP address. In practice it is mainly used to let a private network access an external network. NAT can slow down IP address space depletion by using a few public IP addresses to represent many private IP addresses.

Usually, private networks use private IP addresses. RFC 1918 defines three IP address blocks for private and internal use, as follows:


- Class A: 10.0.0.0 to 10.255.255.255 (10.0.0.0/8)

- Class B: 172.16.0.0 to 172.31.255.255 (172.16.0.0/12)

- Class C: 192.168.0.0 to 192.168.255.255 (192.168.0.0/16)

IP addresses in the above three ranges are not assigned on the Internet, so they can be used in the intranet of a company or enterprise without applying to an Internet Service Provider (ISP) or registry.

NAT is mainly used in practice for a private network to access an external network. It can slow down IP address space depletion by using a few public IP addresses to represent many private IP addresses.

Figure 4-2 shows a basic NAT application process.

Figure 4-2 Networking diagram of basic processes of NAT

[Figure: PCs 192.168.1.2 and 192.168.1.3 in the Trust zone behind the Eudemon interface GE0/0/0 192.168.1.1; servers 202.120.10.2 and 202.130.10.3 in the Untrust zone beyond GE0/0/1 202.169.10.1. Data packet 1 (source 192.168.1.3, destination 202.120.10.2) leaves as data packet 1' (source 202.169.10.1, destination 202.120.10.2); data packet 2' (source 202.120.10.2, destination 202.169.10.1) is delivered as data packet 2 (destination 192.168.1.3).]

A NAT server such as the Eudemon is located at the junction of the private network and the public network. All packets exchanged between an internal Personal Computer (PC) and an external server pass through the NAT server. The exchange of addresses is as follows.

1. When the internal PC at 192.168.1.3 sends data packet 1 to the external server at 202.120.10.2, the packet traverses the NAT server. The NAT server checks the contents of the packet header and finds that the destination address is an extranet address.

2. The NAT server translates the source address 192.168.1.3 of data packet 1 into a valid public address on the Internet, 202.169.10.1, forwards the packet to the external server, and records the mapping in the NAT list.

3. After receiving data packet 1', the external server sends the response packet 2' (with destination 202.169.10.1).

4. When data packet 2' reaches the NAT server, the NAT server looks up the NAT list and replaces the destination address in the packet header with the original private address 192.168.1.3 of the internal PC.

The NAT process is transparent to the internal PC and the external server. The internal PC sees the packets exchanged with the external server as not having been processed by the NAT server. The external server sees the IP address of the internal PC as 202.169.10.1; the address 192.168.1.3 is not visible to the external server.


4.3.2 NAT on the Device

NAT Mechanism on the Eudemon

The NAT mechanism can be divided into the following two parts:

- Translating the IP address and port of a host in the internal network into an extranet address and port.

- Translating the extranet address and port back into the IP address and port of a host in the internal network.

This process is called translation between private address or port and public address or port.

When a data flow moves from one security zone to another, the Eudemon checks the data packet to determine whether to perform NAT. If necessary, NAT is performed based on the following principles:

- At the egress of the IP layer, the Eudemon translates the source address from the private address to the public address and sends the packet to the external network.

- At the ingress of the IP layer, the Eudemon restores the destination address from the public address to the private address and sends the packet to the internal network.

Many-to-Many NAT and NAT Control

As shown in Figure 4-2, the IP address of the egress interface of the NAT server is used as the source address after NAT conversion. In this way, all hosts in the intranet share one extranet IP address when they access the external network. In other words, only one host can access the external network at a time when several hosts intend to access the external network simultaneously; this is called one-to-one NAT.

An extended form of NAT implements concurrent access: multiple public IP addresses are assigned to the NAT server. When one internal host accesses the external network, the NAT server assigns a public address IP1 to the requesting host, appends a record to the NAT list, and forwards the data packet. When another internal host accesses the external network, the NAT server assigns another public address IP2 to that host, and so on. This is called many-to-many NAT.

NOTE

The number of public IP addresses on the NAT server is far smaller than the number of hosts in the intranet, because not all hosts access the extranet at the same time. The number of public IP addresses is determined by the maximum number of intranet hosts that access the external network during the network's peak hours.

In practice, it may be required that only some intranet hosts can access the Internet (external network). In other words, the NAT server does not translate the source IP addresses of unauthorized hosts; this is called NAT control.

The Eudemon implements many-to-many NAT by defining an address pool, and controls NAT through ACLs. The details are as follows:

- Address pool: a set of public IP addresses for NAT. You should configure a proper address pool based on the number of valid IP addresses, the number of internal hosts, and the actual conditions. An address is selected from the pool as the source address during NAT.


- ACL-based NAT: only data packets meeting the requirements of an ACL rule are translated. In this way, the NAT range can be controlled effectively and only some hosts are entitled to access the Internet.

NAPT

Besides many-to-many NAT, Network Address Port Translation (NAPT) is another way to achieve concurrent access.

NAPT allows multiple internal addresses to be mapped to one public address. It is therefore informally called "many-to-one NAT" or address multiplexing.

NAPT maps both IP addresses and port numbers. Data packets from various internal addresses can be mapped to the same external address with different port numbers. In this way, different internal addresses can share the same public address.

The fundamentals of NAPT are shown in Figure 4-3.

Figure 4-3 NAPT allows multiple internal hosts to share a public address by translating IP address and port number

[Figure: PCs 192.168.1.2 and 192.168.1.3 in the Trust zone behind GE0/0/0 192.168.1.1; servers 202.120.10.2 and 202.130.10.3 in the Untrust zone beyond GE0/0/1 202.169.10.1. Translations shown: data packet 1 (source 192.168.1.3, source port 1357) to packet 1' (source 202.169.10.1, source port 1357); data packet 2 (source 192.168.1.3, source port 2468) to packet 2' (source 202.169.10.1, source port 2468); data packet 3 (source 192.168.1.1 as printed, source port 11111) to packet 3' (source 202.169.10.1, source port 11111); data packet 4 (source 192.168.1.2, source port 11111) to packet 4' (source 202.169.10.1, source port 22222).]

As shown in Figure 4-3, four data packets from internal addresses arrive at the NAT server.

- Packets 1 and 2 come from the same internal address with different source port numbers.

- Packets 3 and 4 come from different internal addresses with the same source port number.

After the NAT mapping, all four packets are translated to the same external address with different source port numbers, so they remain distinguishable from each other.


When the response packets reach the Eudemon, the NAT process can likewise distinguish them by their destination addresses and port numbers and forward them to the corresponding internal hosts.

After NAPT is configured, during NAT conversion the Eudemon first multiplexes the chosen address in the address pool. When the port numbers of that address are used up, the Eudemon chooses another address to carry out the conversion. Compared with many-to-many address conversion, this greatly reduces the number of public addresses needed in the address pool.
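The basic NAT exchange of Figure 4-2, the address pool with ACL-based NAT control, and the NAPT port multiplexing with roll-over to the next pool address just described can all be exercised in one small model. The following Python code is an added example, not Huawei code: the Napt class keeps a private-to-public mapping, allocates (address, port) pairs from a pool, and reverse-maps replies. The pool addresses 202.169.10.1 and the internal addresses follow the figures; 202.169.10.2, the two-port-per-address limit that forces the roll-over, and the prefix-based stand-in for the controlling ACL are this example's own simplifications (a real NAPT entry also records the destination and protocol).

```python
"""Many-to-many NAT and NAPT with an address pool (added example, not Eudemon code).

Outbound packets whose source is permitted by the controlling ACL receive a
public (address, port) from the pool. In NAPT mode one public address is
multiplexed until its port range is exhausted, then the next address is used.
Replies are mapped back by looking up the public (address, port).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]           # (ip, port)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Napt:
    def __init__(self, pool: List[str], acl_prefix: str,
                 first_port: int = 10001, last_port: int = 10002) -> None:
        self.pool = pool
        self.acl_prefix = acl_prefix          # stand-in for the ACL: permitted source prefix
        self.first_port, self.last_port = first_port, last_port
        self.next_port: Dict[str, int] = {ip: first_port for ip in pool}
        self.out_map: Dict[Endpoint, Endpoint] = {}   # private -> public
        self.in_map: Dict[Endpoint, Endpoint] = {}    # public  -> private

    def _allocate(self) -> Optional[Endpoint]:
        """Multiplex the current address; move to the next one when its ports run out."""
        for ip in self.pool:
            port = self.next_port[ip]
            if port <= self.last_port:
                self.next_port[ip] = port + 1
                return ip, port
        return None                       # pool exhausted

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Translate the source; None means NAT control refused it or no address is left."""
        if not p.src.startswith(self.acl_prefix):
            return None                   # NAT control: unauthorized host, not translated
        key = (p.src, p.sport)
        if key not in self.out_map:
            pub = self._allocate()
            if pub is None:
                return None
            self.out_map[key] = pub       # "record the mapping in the NAT list"
            self.in_map[pub] = key
        pub_ip, pub_port = self.out_map[key]
        return Packet(pub_ip, pub_port, p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Reverse translation for a reply addressed to a public endpoint."""
        priv = self.in_map.get((p.dst, p.dport))
        if priv is None:
            return None                   # no session in the NAT list: drop
        return Packet(p.src, p.sport, priv[0], priv[1])


def scenario() -> Dict[str, Optional[Packet]]:
    """Constructed: two pool addresses with two ports each, to force a roll-over."""
    nat = Napt(pool=["202.169.10.1", "202.169.10.2"], acl_prefix="192.168.1.")
    results: Dict[str, Optional[Packet]] = {}
    results["p1"] = nat.outbound(Packet("192.168.1.3", 1357, "202.120.10.2", 80))
    results["p2"] = nat.outbound(Packet("192.168.1.3", 2468, "202.120.10.2", 80))
    results["p3"] = nat.outbound(Packet("192.168.1.2", 11111, "202.120.10.2", 80))  # 2nd address
    results["denied"] = nat.outbound(Packet("10.9.9.9", 5000, "202.120.10.2", 80))
    results["reply"] = nat.inbound(Packet("202.120.10.2", 80, "202.169.10.1", 10002))
    results["stray"] = nat.inbound(Packet("202.120.10.2", 80, "202.169.10.1", 10003))
    return results


if __name__ == "__main__":
    for name, pkt in scenario().items():
        print(f"{name:7s} {pkt}")
```

Two behaviours in the run are worth noting from a defender's side: a packet from a source the ACL does not permit is returned untranslated (and in practice would not reach the public network with a private source), and an inbound packet for a public port that has no entry in the NAT list is dropped rather than forwarded, which is the stateful property that makes NAPT hide the intranet.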

Internal Server

NAT can "shield" internal hosts by hiding the architecture of the intranet. However, sometimes you want to permit some hosts on external networks to access certain hosts on the intranet, such as a Web server or an FTP server. You can flexibly add servers on the intranet through NAT. The Eudemon provides two ways to specify the external address for an internal server.

For example:

- You can use 202.169.10.10 as the external address of the WWW server.

- You can use 202.110.10.12:8080 as the external address of the WWW server.

NAT on the Eudemon makes some servers on the intranet available to some hosts on external networks. When a client on an external network accesses a server on the intranet, the Eudemon performs the following two operations:

- The Eudemon translates the destination address in the request packet into the private address of the internal server.

- The Eudemon translates the source address (a private address) in the response packet into the public address.

Moreover, NAT can provide multiple identical servers, such as WWW servers, for external clients.

NOTE

The internal servers serving external hosts are usually located in the DMZ zone of the Eudemon, and are generally not allowed to initiate connections to external hosts.

Bi-directional NAT

Bi-directional NAT can be used in the following two situations:

- When users in the low-priority zone access the public IP address of the NAT server, the destination address of the packets is translated to the private IP address of the server, but the server must be configured with a route to the public IP address. If you want to simplify the configuration, that is, not configure the route to the public IP address, you need to configure inbound NAT, that is, NAT from the low-priority zone to the high-priority zone.

- When users in the same security zone access each other, you need to configure the interzone NAT function.

As shown in Figure 4-4, NAT from the low-priority zone to the high-priority zone is configured on the Eudemon; for example, NAT from the Untrust zone to the DMZ zone.


Figure 4-4 Networking diagram of configuring inbound NAT

[Figure: the Eudemon with GE0/0/0 10.1.1.1/24 in the DMZ zone, connected to an FTP server at 10.1.1.2/24 (private IP address), and GE0/0/1 200.1.1.1/24 in the Untrust zone, connected to a PC at 200.1.1.2/24 (public IP address).]

When users in the Untrust zone access the server in the DMZ zone, the Eudemon carries out NAT as follows:

- The Eudemon converts the destination address of the request packet from the external users to the private IP address of the internal server, and converts the source IP address to an address in the address pool (a private IP address).

- The Eudemon converts the source address (private IP address) of the response packets from the internal server to the public IP address, and converts the destination IP address (private IP address) back to the public IP address.

NOTE

The internal servers that allow access by external users are usually located in the DMZ zone. Normally, equipment in the DMZ zone is not allowed to originate connections to external devices.

As shown in Figure 4-5, NAT within the same zone is configured on the Eudemon; for example, NAT within the Trust zone.

Figure 4-5 Networking diagram of NAT within the zone

[Figure: the Eudemon with GE5/0/0 10.1.1.1/24 in the Trust zone, connected through a switch to a PC at 10.1.1.5/24 and an FTP server at 10.1.1.2/24.]

When users in the Trust zone access the server in the same zone, the Eudemon carries out NAT as follows:

- The Eudemon converts the destination IP address of the request packet from the external users to the private IP address of the internal server, and converts the source IP address to the public IP address in the address pool.

- The Eudemon converts the private source IP address of the response packet from the internal server to the public IP address, and converts the destination address (public IP address) back to the private network address.
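The internal-server mapping and the inbound (bi-directional) NAT of Figure 4-4 differ only in whether the client's source address is rewritten too, and the model below makes the consequence of that difference explicit. It is an added example, not Huawei code: the ServerNat class publishes the FTP server 10.1.1.2 at 200.1.1.1 and handles a request from the PC 200.1.1.2, once with destination translation only and once with the source also translated to a DMZ-side pool address. The pool address 10.1.1.100, the ServerNat class and the port numbers are this example's assumptions.

```python
"""Internal server (destination NAT) and inbound NAT (added example, not Eudemon code).

External clients reach a DMZ server through a public address; the Eudemon
rewrites the destination on the way in and the source on the way out. With
inbound (bi-directional) NAT the client's source address is also rewritten to
an address from a pool on the server's own subnet, so the server can answer
without holding a route to the public network.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class ServerNat:
    def __init__(self, public: Endpoint, private: Endpoint,
                 inbound_pool: Optional[str] = None) -> None:
        self.public, self.private = public, private
        self.inbound_pool = inbound_pool        # DMZ-side address used for client sources
        self.next_port = 20001
        self.sessions: Dict[Endpoint, Endpoint] = {}   # client as seen by server -> real client

    def request(self, p: Packet) -> Optional[Packet]:
        """Untrust -> DMZ: translate the destination, and the source if inbound NAT is on."""
        if (p.dst, p.dport) != self.public:
            return None                         # not a published service: drop
        if self.inbound_pool is None:
            client = (p.src, p.sport)           # server sees the real public client
        else:
            client = (self.inbound_pool, self.next_port)
            self.next_port += 1
        self.sessions[client] = (p.src, p.sport)
        return Packet(client[0], client[1], self.private[0], self.private[1])

    def response(self, p: Packet) -> Optional[Packet]:
        """DMZ -> Untrust: restore the public server address and the real client address."""
        if (p.src, p.sport) != self.private:
            return None
        real = self.sessions.get((p.dst, p.dport))
        if real is None:
            return None                         # no matching request: drop
        return Packet(self.public[0], self.public[1], real[0], real[1])


def plain_server() -> Tuple[Packet, Packet]:
    """Server sees the real client 200.1.1.2, so it needs a route to 200.1.1.0/24."""
    nat = ServerNat(public=("200.1.1.1", 21), private=("10.1.1.2", 21))
    inner = nat.request(Packet("200.1.1.2", 40000, "200.1.1.1", 21))
    outer = nat.response(Packet("10.1.1.2", 21, inner.src, inner.sport))
    return inner, outer


def inbound_nat() -> Tuple[Packet, Packet]:
    """Server sees a DMZ-side address, so no route to the public network is needed."""
    nat = ServerNat(public=("200.1.1.1", 21), private=("10.1.1.2", 21),
                    inbound_pool="10.1.1.100")
    inner = nat.request(Packet("200.1.1.2", 40000, "200.1.1.1", 21))
    outer = nat.response(Packet("10.1.1.2", 21, inner.src, inner.sport))
    return inner, outer


if __name__ == "__main__":
    print("destination NAT only:", plain_server())
    print("inbound NAT:         ", inbound_nat())
```

The cost of the inbound form is visible in the second run: the server's logs show 10.1.1.100 for every external client, so the real client address is recoverable only from the Eudemon's own session records. That is worth keeping in mind when the DMZ server's logs are used for incident investigation.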

ALG (Application Level Gateway)

NAT and NAPT can translate only the address in the IP packet header and the port number in the TCP/UDP packet header. However, IP address and port number information can also be carried in the payload of some packets, such as ICMP and FTP packets. NAT cannot translate these, which may cause errors.

For instance, an FTP server sends its internal IP address to an extranet host to establish a session connection. Because the IP address is carried in the packet payload, the NAT device cannot translate it. If the external host uses the untranslated private address, the FTP server will be unreachable.

Adding an Application Level Gateway (ALG) to NAT solves this problem. The ALG is a translation proxy for specific application protocols. It interacts with NAT to modify the application data encapsulated in the IP packet based on the NAT state information, and performs the other processing needed for the application protocols to work across address domains.

For instance, the data part of a "destination unreachable" ICMP packet contains the header of packet A, which caused the error (note that because packet A has been translated by NAT, the source address it carries is not the real address of the internal host). If the ICMP ALG is enabled, it interacts with NAT and opens the ICMP packet before NAT forwards it. NAT then translates the address in the header of packet A back into the correct internal host address and forwards the ICMP packet after any other necessary processing.

The Eudemon provides a complete NAT ALG mechanism with good scalability, which can support various special application protocols without modifying the NAT platform.
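The ICMP case just described is concrete enough to show byte by byte. The following Python code is an added example, not Huawei code: it builds a "destination unreachable" message whose payload carries the NAT-translated header of packet A, then performs the ALG step of rewriting the embedded source address back to the internal host and recomputing both the embedded IP header checksum and the ICMP checksum (without the checksum fix, the host's stack would discard the message). The addresses follow Figure 4-2; the helper names and the constructed packet A are this example's own.

```python
"""ICMP ALG: rewriting the packet header embedded in an ICMP error (added example).

Not Eudemon code. An ICMP "destination unreachable" carries the IP header (and
8 bytes of payload) of the packet that caused it. After NAT that embedded
header still shows the public source address; the ALG rewrites it to the
internal host's private address and fixes both checksums so that the host's
stack can match the error to its own socket.
"""
import ipaddress
import struct


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a correct checksum (constructed packet A)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def build_icmp_unreachable(inner: bytes) -> bytes:
    """Type 3 (destination unreachable), code 1 (host unreachable), then the inner packet."""
    body = struct.pack("!BBHI", 3, 1, 0, 0) + inner
    return body[:2] + struct.pack("!H", ip_checksum(body)) + body[4:]


def icmp_alg_rewrite(icmp: bytes, public_ip: str, private_ip: str) -> bytes:
    """ALG step: if the embedded header's source is the NAT public address, restore the private one."""
    if icmp[0] not in (3, 11, 12):        # only error messages carry an inner header
        return icmp
    inner = bytearray(icmp[8:])           # embedded IP header starts after the 8-byte ICMP header
    if str(ipaddress.IPv4Address(bytes(inner[12:16]))) != public_ip:
        return icmp                       # not one of ours: leave untouched
    inner[12:16] = ipaddress.IPv4Address(private_ip).packed
    inner[10:12] = b"\x00\x00"            # embedded IP checksum: zero, recompute over 20 bytes
    inner[10:12] = struct.pack("!H", ip_checksum(bytes(inner[:20])))
    body = bytearray(icmp[:8]) + inner
    body[2:4] = b"\x00\x00"               # ICMP checksum covers the whole message
    body[2:4] = struct.pack("!H", ip_checksum(bytes(body)))
    return bytes(body)


def embedded_source(icmp: bytes) -> str:
    """Source address inside the embedded IP header (offset 8 + 12)."""
    return str(ipaddress.IPv4Address(icmp[20:24]))


def checksums_valid(icmp: bytes) -> bool:
    """Both the ICMP checksum and the embedded IP header checksum verify."""
    return ip_checksum(icmp) == 0 and ip_checksum(icmp[8:28]) == 0


def demo() -> bytes:
    """Packet A after NAT (source 202.169.10.1 -> 202.120.10.2), then the ALG rewrite."""
    packet_a = build_ipv4_header("202.169.10.1", "202.120.10.2", 17, 28) + b"\x00" * 8
    error = build_icmp_unreachable(packet_a)
    return icmp_alg_rewrite(error, "202.169.10.1", "192.168.1.3")


if __name__ == "__main__":
    fixed = demo()
    print("embedded source after ALG:", embedded_source(fixed), "checksums ok:", checksums_valid(fixed))
```

The same rewrite-and-re-checksum pattern is what every payload-aware ALG does; the FTP ALG additionally has to cope with the address being carried as ASCII text, which can change the packet length and with it the TCP sequence numbers.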

Between different security zones, the Eudemon implements the following ALG functions for frequently used application protocols:

- FTP

- H.323

- HWCC (Huawei Conference Control Protocol)

- ICMP

- ILS (Internet Locator Service)

- MGCP (Media Gateway Control Protocol)

- MSN

- NetBIOS

- PPTP

- QQ

- RTSP

- User-defined


4.4 Attack Defense

4.4.1 Introduction

4.4.2 Classes of Network Attacks

4.4.3 Typical Examples of Network Attacks

4.4.4 Introduction to the Attack Defense Principle

4.4.1 Introduction

Normally, network attacks intrude into or destroy network servers (hosts) to steal sensitive data on the servers or interrupt server services. There are also network attacks that directly damage network devices, which can make network services abnormal or even unavailable.

The attack defense of the Eudemon can detect various types of network attacks and take measures to protect internal networks from malicious attacks. As a result, the Eudemon can assure the normal operation of the internal networks and systems.

4.4.2 Classes of Network Attacks

Network attacks can be divided into three classes: denial of service attack, scanning and snoopingattack, and defective packet attack:

l Denial of Service Attack

– Denial of Service (DoS) attack is to attack a system by sending a large number of datapackets. As a result, the system cannot receive requests from valid users normally orthe host is suspended and cannot work normally.

The DoS attacks include SYN Flood, Fraggle and so on. The DoS attack differs fromother types of attacks. In the DoS attack, attackers prevent valid users from accessingresources or routers. In other types of attacks, attackers search for ingresses of internalnetworks.

– Distributed denial of service (DDoS) attack is one type of DoS attack. DDoS attack isa kind of attack, where attackers attack a host by using tens of or hundreds of computersunder their control, so that the system cannot accept normal requests of users or cannotnormally work.

l Scanning and Snooping Attack

A scanning and snooping attack singles out a potential target by identifying the systems present in the network by means of ping scanning (including ICMP and TCP). Through TCP and UDP port scanning, the attacker can detect the running system and its listening services, and then get a general idea of the service types and the potential security defects of the system in preparation for further intrusion.

l Defective Packet Attack

A defective packet attack sends a malformed IP packet to the destination system so that the system crashes when it processes the packet. Defective packet attacks include Ping of Death, Teardrop, and so on.


4.4.3 Typical Examples of Network Attacks

The attacks in the current network fall into the following groups:

l IP Spoofing Attack

To gain access, an intruder generates packets carrying a bogus source address, so that an unauthorized client can access a system that relies on IP-address-based authentication, possibly even with root authority. The system can be damaged in this way even though the response packets never reach the intruder. This is the IP Spoofing attack.

l Land Attack

A Land attack sets both the source address and the destination address of a TCP SYN packet to the IP address of the attack target. The target then sends the SYN-ACK message, and the ACK message, back to itself, creating a null connection. Each null connection is kept until it times out. Different targets respond differently to the Land attack: for instance, many UNIX hosts crash and Windows NT hosts slow down.

l Smurf Attack

The simple Smurf attack targets a network by sending an ICMP request to the broadcast address of the target network. All the hosts in the network respond to the request, which generates 10 to 100 times the traffic of large ping packets, and network congestion results. The advanced Smurf attack mainly targets a host: the source address of the ICMP packets is set to the address of the target host, which eventually crashes under the replies. The attack requires a certain traffic volume and duration to take effect; theoretically, the more hosts respond, the more obvious the effect. Another form of the Smurf attack is the Fraggle attack.

l WinNuke Attack

A WinNuke attack sends Out-Of-Band (OOB) data packets to the NetBIOS port (139) of a target running Windows, causing a NetBIOS fragment overlap that crashes the target host. There are also Internet Group Management Protocol (IGMP) fragment attacks. Because IGMP packets generally cannot be fragmented, few systems handle IGMP fragment packets thoroughly, so receiving IGMP fragment packets is itself an indication of an attack.

l SYN Flood Attack

Because of limited resources, a TCP/IP stack permits only a restricted number of TCP connections. The SYN Flood attack exploits this defect by forging SYN packets whose source address is bogus or non-existent and initiating connections to the server. The server never receives the ACK packet for its SYN-ACK packet, which leaves a half-open connection. A large number of half-open connections exhausts the resources, so valid users cannot access the server until the half-open connections time out. The SYN Flood attack also takes effect against applications whose connection number is not limited, by consuming system resources such as memory.

l ICMP Flood Attack

An ICMP flood attack sends a large number of ICMP messages (such as ping) to a specific target in a short time, so that the target system is unable to transmit valid packets normally.

l UDP Flood Attack

The attacker sends a large number of UDP packets to the server. The packets occupy the link bandwidth of the server, so that the server cannot provide services to the outside properly under the heavy load.


l IP Sweeping or Port Scanning Attack

IP sweeping and port scanning use scanning tools to probe target addresses and ports. From the responses, the attacker learns which systems on the target network are active and through which ports the hosts provide services.

l Ping of Death Attack

The length field of an IP packet is 16 bits, which means the maximum length of an IP packet is 65535 bytes. Therefore, if the data length of an ICMP request packet is larger than 65507, the total length of the ICMP packet (ICMP data + 20-byte IP header + 8-byte ICMP header) exceeds 65535, which may make some routers or systems crash, hang, or reboot. This is the Ping of Death attack.

l TCP Connection Flood Attack

The TCP Connection flood attack is a form of DDoS attack. The attacker sends a large number of connection requests to the attacked server. Many links are generated, so the attacked server cannot deal with the requests of authorized users.

l GET Flood Attack

The attacker sends a large number of GET and POST packets to the attacked server. The attacked server breaks down and cannot deal with legitimate packets.

l DNS Flood Attack

The DNS flood attack is a form of DDoS attack. The attacker sends a large number of query packets to the Domain Name Server (DNS) within a short time, so the server has to respond to all the queries. As a result, the DNS server cannot provide services to legitimate users.

l ARP Attacks

Common ARP attacks include ARP spoofing attacks and ARP Flood attacks.

ARP spoofing attacks: The attacker sends a large number of spoofed ARP request and response packets to attack network devices. ARP spoofing attacks mainly include ARP buffer overflow attacks and ARP DDoS attacks.

ARP Flood attacks (ARP scanning attacks): When an attacker scans hosts in its own network segment or across network segments, the firewall checks its ARP table before sending a response message. If no MAC address exists for the destination IP address, the ARP module of the firewall sends an ARP Miss message to the upper-layer software, asking it to send an ARP request to obtain the MAC address. Massive scanning packets induce massive ARP Miss messages. As a result, the firewall spends a large share of its resources handling the ARP Miss messages and cannot process other services properly. This is how the scanning attack takes effect.

4.4.4 Introduction to the Attack Defense Principle

The main types of attack defense and their principles are described as follows.

ICMP Flood Attack Defense Principle

The Eudemon defends against the ICMP flood attack by rate-limiting ICMP packets. If a large volume of ICMP traffic appears, the Eudemon judges that the traffic is attack traffic.

SYN Flood Attack Defense Principle

The following describes how the Eudemon defends against the SYN flood attack.


1. The Eudemon detects the TCP SYN packets sent to the server. If the rate of TCP SYN packets exceeds the threshold, the Eudemon judges that the server is suffering a SYN flood attack.

2. The Eudemon uses the TCP Proxy or TCP reverse detection to defend against the SYN flood attack.

UDP Flood Attack Defense Principle

The UDP flood attack defense process is as follows.

1. The Eudemon detects UDP packets transmitted to the server.

If the rate at which the protected server receives UDP packets exceeds the configured threshold, the Eudemon considers the server to be under UDP Flood attack.

2. The Eudemon monitors the source IP addresses accessing the server.

If the Eudemon finds that one source IP address sends the same UDP packets to a certain server multiple times, this source IP address is considered to be the IP address of the attacker.

TCP Connection Flood Attack Defense Principle

If the TCP Connection Flood attack defense function is enabled, the Eudemon performs the following operations:

1. When a link between the user and the server is set up, the Eudemon judges whether the user is an authorized user in the following two aspects.

l The Eudemon collects statistics on the number of packets sent by the user to the server. If the number of packets in a specified duration does not exceed the threshold, the link is an unauthorized link.

l The Eudemon counts the unauthorized links set up from the user to the server. If the number of unauthorized links in a specified duration is larger than the threshold, the user is an unauthorized user.

2. The Eudemon adds the IP address of the unauthorized user to the blacklist.

GET Flood Attack Defense Principle

The Eudemon detects the GET or POST packets sent from the user to the target system. If the packet rate is larger than the specified value, the Eudemon performs URI sampling matching for the source IP address. When the number of matches reaches a specified value, the Eudemon adds the source IP address to the blacklist.

DNS Flood Attack Defense Principle

The Eudemon detects the DNS flood attack based on the query rate of DNS packets. When the query rate of DNS packets is larger than the specified alarm value, the Eudemon checks the source host for validity.

ARP Flood Attack Defense Principle

The Eudemon performs detection according to the ARP request rate. When the rate exceeds the set alarm value, the ARP requests are identified as an attack.
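The detection steps described in this section (the SYN rate threshold, the UDP flood check that first tests the rate and then looks for sources repeating the same packet, and the two-aspect TCP Connection Flood check that ends in a blacklist), worked through as an added Python example that is not Eudemon code. The server, client and attacker addresses, the thresholds and the packet records are constructed for illustration.

```python
"""Rate-threshold attack detection over constructed flow records (added example, not Eudemon code).

Models the detection steps of 4.4.4: the per-server SYN rate check, the UDP
flood check (rate threshold, then sources repeating the same UDP packet) and
the two-aspect TCP Connection Flood check that ends in a blacklist. All
thresholds, addresses and packets are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """One packet seen in front of the protected server (constructed record)."""
    t: float            # arrival time in seconds
    src: str
    dst: str
    proto: str          # "TCP" or "UDP"
    syn: bool = False   # TCP SYN flag set
    payload: bytes = b""


def peak_rate(times: Iterable[float], window: float = 1.0) -> int:
    """Largest number of events inside any sliding window of `window` seconds."""
    ts = sorted(times)
    best = lo = 0
    for hi, t in enumerate(ts):
        while t - ts[lo] >= window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def syn_flood_alarm(packets: List[Packet], server: str, threshold: int) -> bool:
    """SYN flood step 1: the SYN rate towards the server exceeds the threshold.

    Step 2 on the page (TCP proxy or reverse detection) is the response and is not modelled.
    """
    syn_times = [p.t for p in packets if p.proto == "TCP" and p.syn and p.dst == server]
    return peak_rate(syn_times) > threshold


def udp_flood_suspects(packets: List[Packet], server: str,
                       rate_threshold: int, repeat_threshold: int) -> Set[str]:
    """UDP flood: rate check first, then the sources that repeat the same packet to the server."""
    udp = [p for p in packets if p.proto == "UDP" and p.dst == server]
    if peak_rate(p.t for p in udp) <= rate_threshold:
        return set()                      # below the threshold: no attack, nobody flagged
    repeats = Counter((p.src, p.payload) for p in udp)
    return {src for (src, _), n in repeats.items() if n >= repeat_threshold}


def tcp_connection_flood_blacklist(links: List[Tuple[str, str, int]],
                                   pkt_threshold: int, link_threshold: int) -> Set[str]:
    """TCP Connection Flood over (user, server, packets_in_period) links.

    Aspect 1: a link carrying no more than pkt_threshold packets in the period is
    an unauthorized link. Aspect 2: a user with more than link_threshold unauthorized
    links to a server is an unauthorized user and goes on the blacklist.
    """
    unauthorized: Counter = Counter()
    for user, server, pkts in links:
        if pkts <= pkt_threshold:
            unauthorized[(user, server)] += 1
    return {user for (user, _), n in unauthorized.items() if n > link_threshold}


SERVER = "10.0.0.10"        # constructed protected server
ATTACKER = "198.51.100.7"   # constructed attacking source
CLIENT = "192.0.2.5"        # constructed legitimate client


def constructed_traffic() -> List[Packet]:
    """Constructed capture: SYN burst and repeated-UDP burst from ATTACKER, sparse traffic from CLIENT."""
    pkts = [Packet(0.03 * i, ATTACKER, SERVER, "TCP", syn=True) for i in range(15)]
    pkts.append(Packet(0.10, CLIENT, SERVER, "TCP", syn=True))
    pkts += [Packet(2.0 + 0.05 * i, ATTACKER, SERVER, "UDP", payload=b"\x00" * 8) for i in range(12)]
    pkts.append(Packet(2.1, CLIENT, SERVER, "UDP", payload=b"\x01\x02"))
    pkts.append(Packet(2.4, CLIENT, SERVER, "UDP", payload=b"\x03\x04"))
    return pkts


# Constructed links observed in one period: ATTACKER opens six links and sends one packet on each.
CONSTRUCTED_LINKS = [(ATTACKER, SERVER, 1)] * 6 + [(CLIENT, SERVER, 40), (CLIENT, SERVER, 1)]


def run_detection() -> dict:
    """Apply the three checks to the constructed data and return the verdicts."""
    pkts = constructed_traffic()
    return {
        "syn_flood": syn_flood_alarm(pkts, SERVER, threshold=10),
        "udp_attackers": udp_flood_suspects(pkts, SERVER, rate_threshold=8, repeat_threshold=5),
        "blacklist": tcp_connection_flood_blacklist(CONSTRUCTED_LINKS, pkt_threshold=3, link_threshold=4),
    }


if __name__ == "__main__":
    for name, verdict in run_detection().items():
        print(f"{name}: {verdict}")
```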


4.5 P2P Traffic Limiting

4.5.1 Introduction to P2P Traffic Limiting

4.5.2 P2P Traffic Detection and Limiting

4.5.1 Introduction to P2P Traffic Limiting

Peer to Peer (P2P) protocols are widely used for downloading on the network. The constant increase of P2P traffic affects the normal operation of other network applications and increases the cost of network operation, especially for enterprises and operators that are charged by traffic volume. To address this problem, the Eudemon provides the P2P traffic limiting function.

The Eudemon can accurately identify P2P traffic on networks through in-depth detection and behavior detection, and then limit the traffic according to the configured traffic limiting policies. In addition, the Eudemon can produce detailed statistics on the traffic of various P2P protocols to facilitate monitoring of P2P traffic trends.

The P2P traffic limiting function can control P2P traffic and guarantee the normal running of other services. The P2P traffic limiting function of the Eudemon can work jointly with ACL rules and time-segment-based rate control to restrict P2P traffic, thus satisfying customers' specific requirements.

The P2P traffic limiting function can be widely applied to access networks carrying high volumes of P2P traffic, such as community networks, campus networks, and enterprise intranets.

The Eudemon can limit the traffic of various P2P protocols, such as BT, PPlive, and PPStream. Inspecting too many packets of a protocol degrades performance. Therefore, the Eudemon supports setting the number of packets to be inspected for each type of P2P protocol, to meet different identification requirements.

When the Eudemon cannot identify certain P2P traffic, it can be updated with new mode files in order to limit that traffic.

4.5.2 P2P Traffic Detection and Limiting

P2P Traffic Detection

If P2P traffic limiting policies are configured or P2P detection is enabled, the Eudemon inspects sessions to identify P2P traffic.

The Eudemon supports two modes of detection:

l In-depth detection

This mode performs feature matching based on files. It is the main detection mode.

l Behavior detection

This mode is based on the length sequence of consecutive data packets. If the length sequence complies with the preset rules, the session is identified as P2P traffic. Behavior detection is mainly used for encrypted data traffic.

To lower the load of detection, the Eudemon uses association detection. When a session is identified as P2P traffic, its source IP address, source port number, destination IP address, and destination port number are recorded in the association table. If the IP address and port number of a new session match an entry in the association table, the session is identified as P2P traffic without further in-depth detection. This reduces the burden of in-depth detection.
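The three mechanisms of this section (in-depth feature matching as the main mode, behavior detection on the length sequence of consecutive packets for encrypted traffic, and the association table that lets later sessions skip in-depth detection), as an added Python example that is not Eudemon code. The feature bytes, the length-sequence rule, the per-session packet count, the addresses and the sessions are all constructed; matching either endpoint of a new session against the association table is an assumption about how the table is consulted.

```python
"""P2P session classification: in-depth, behavior and association detection (added example).

Not Eudemon code. In-depth detection matches a session's first payload against
constructed feature entries; behavior detection compares the lengths of the
first packets against a constructed rule; the association table records the
(ip, port) endpoints of identified P2P sessions so that later sessions
sharing an endpoint are classified without in-depth detection.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """One new session with what the detector has seen so far (constructed)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    lengths: Tuple[int, ...]      # payload lengths of the first packets, in order
    first_payload: bytes = b""    # first payload, used by in-depth matching


# Constructed feature entries for in-depth detection: protocol name -> payload prefix.
FEATURES: Dict[str, bytes] = {"proto-a": b"\x13example-p2p-a"}

# Constructed behavior rules: protocol name -> (min, max) length of each consecutive packet.
LENGTH_RULES: Dict[str, Tuple[Tuple[int, int], ...]] = {
    "proto-b": ((60, 70), (300, 400), (60, 70)),
}


class P2PDetector:
    def __init__(self, max_packets: int = 3) -> None:
        self.max_packets = max_packets      # packets inspected per session (configurable on the page)
        self.assoc: Dict[Tuple[str, int], str] = {}   # association table: (ip, port) -> protocol
        self.in_depth_runs = 0              # how often the expensive path was taken

    def _in_depth(self, s: Session) -> Optional[str]:
        self.in_depth_runs += 1
        return next((name for name, f in FEATURES.items() if s.first_payload.startswith(f)), None)

    def _behavior(self, s: Session) -> Optional[str]:
        seen = s.lengths[: self.max_packets]
        for name, rule in LENGTH_RULES.items():
            if len(seen) >= len(rule) and all(lo <= ln <= hi for ln, (lo, hi) in zip(seen, rule)):
                return name
        return None

    def classify(self, s: Session) -> Optional[str]:
        """Return the P2P protocol name, or None when the session is not identified as P2P."""
        # Association table first: a known endpoint means P2P without any in-depth work.
        hit = self.assoc.get((s.src_ip, s.src_port)) or self.assoc.get((s.dst_ip, s.dst_port))
        if hit:
            return hit
        # In-depth detection is the main mode; behavior detection covers encrypted traffic.
        proto = self._in_depth(s) or self._behavior(s)
        if proto:
            self.assoc[(s.src_ip, s.src_port)] = proto
            self.assoc[(s.dst_ip, s.dst_port)] = proto
        return proto


# Constructed sessions, in arrival order.
CONSTRUCTED_SESSIONS: List[Session] = [
    Session("192.0.2.10", 51000, "198.51.100.20", 6881, (68, 100), b"\x13example-p2p-a hello"),
    Session("192.0.2.11", 40002, "198.51.100.20", 6881, (80, 80), b"\x16\x03\x01"),  # peer already in table
    Session("192.0.2.12", 40003, "198.51.100.30", 443, (64, 350, 66), b"\x16\x03\x01"),  # encrypted, by behavior
    Session("192.0.2.13", 40004, "203.0.113.5", 80, (200, 1200, 300), b"GET / HTTP/1.1"),  # plain web
]


def classify_all(sessions: List[Session] = CONSTRUCTED_SESSIONS) -> Tuple[List[Optional[str]], int]:
    """Classify sessions in order; return the verdicts and how many needed in-depth detection."""
    det = P2PDetector()
    verdicts = [det.classify(s) for s in sessions]
    return verdicts, det.in_depth_runs


if __name__ == "__main__":
    verdicts, runs = classify_all()
    print(verdicts, "in-depth runs:", runs)
```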

P2P Traffic Limiting

If P2P traffic limiting policies are configured and a session is confirmed to be P2P traffic, the Eudemon limits the P2P traffic according to the policies.

The Eudemon supports flexible traffic limiting modes. It can set multiple traffic-limiting bandwidths concurrently, so that P2P traffic matching different policies is limited to different bandwidths. The Eudemon can limit the P2P traffic of specified users through ACLs, or limit the upload and download traffic of users separately. It can also limit traffic based on time periods.

4.6 IM Blocking

4.6.1 Introduction to IM Detecting and Blocking

4.6.2 IM Detecting and Blocking

4.6.1 Introduction to IM Detecting and Blocking

The Instant Message (IM) detecting and blocking function can block IM traffic and guarantee the normal running of other services. The IM detecting and blocking function of the Eudemon can work jointly with ACL rules to block IM traffic, thus satisfying customers' specific requirements.

The Eudemon can block the traffic of various IM protocols, such as QQ and MSN.

When the Eudemon cannot identify certain IM traffic, it can be updated with new mode files in order to block that traffic.

The more packets are inspected for each session, the more system resources are used. If the effect of IM blocking is not satisfactory, increase the number of packets to be inspected.

4.6.2 IM Detecting and Blocking

IM Detecting

If IM blocking policies are configured or IM detection is enabled, the Eudemon inspects sessions to identify IM traffic.

The Eudemon supports one detection mode for IM traffic, namely in-depth detection.

IM Blocking

If IM blocking policies are configured and a session is confirmed to be IM traffic, the Eudemon limits the IM traffic according to the policies.


The Eudemon also supports global traffic blocking and interzone traffic limiting. You can associate ACL rules with the traffic limiting policies of interzones and specify the users whose IM traffic is to be blocked.

NOTE

If you need to detect or block IM traffic only for a specific interzone, configure the detection and blocking policies for that interzone only, to improve performance. The Eudemon then does not detect or block IM traffic in other interzones.

4.7 Static Multicast

4.7.1 Restrictions of Unicast or Broadcast

4.7.2 Overview of Static Multicast

4.7.3 Implementing Static Multicast on the Eudemon

4.7.1 Restrictions of Unicast or Broadcast

Overview

With the development of the Internet, large amounts of data, voice, and video information are exchanged on the network.

In addition, new services come into being:

l E-commerce

l Online conference

l Online auction

l Video on Demand (VOD)

l E-learning

All these have requirements for the information security, payment, and network bandwidth.

Unicast Information Transmission

The unicast mode establishes an independent data transmission path and sends an independent copy of the information to each user.

Figure 4-6 shows the unicast information transmission.


Figure 4-6 Unicast information transmission (figure: in unicast mode the server sends a separate copy over a separate data transmission channel to each of User A, User B, and User C; the figure distinguishes data transmission channels from device connections)

The amount of information transmitted on the network is in direct proportion to the number of users who demand that information. When there are many users, a great deal of identical information flows on the network, causing a bandwidth bottleneck. The unicast mode is therefore not suitable for transmitting information to a mass audience.

Broadcast Information Transmission

The broadcast mode sends information to all the users on the network, regardless of whether they need it.

Figure 4-7 shows the broadcast information transmission.

Figure 4-7 Broadcast information transmission (figure: in broadcast mode the server sends the information to User A, User B, and User C alike over the data transmission channel; the figure distinguishes data transmission channels from device connections)


The broadcast mode cannot guarantee information security or paid services. In addition, bandwidth is wasted when only a few users require the information.

4.7.2 Overview of Static Multicast

Multicast Information Transmission

The IP multicast technology solves the above problems. When some users require specified information, the multicast source sends the information only once. Multicast routing protocols build a tree topology for forwarding multicast packets, and the information is replicated and distributed at the branching nodes of the tree, as far downstream as possible.

Figure 4-8 shows the multicast information transmission.

Figure 4-8 Multicast information transmission (figure: the server sends one copy of the information through the Eudemon, and the multicast network replicates it toward User A, User B, User C, and User D as required; the figure distinguishes data transmission channels from device connections)

Suppose users A, C, and D require the information from the server. To deliver the information accurately to the three users, first organize them into a receiver group. The routers on the network then forward and replicate the information based on the geographic location of each group member. Finally, the information is correctly delivered to the three users.

For the multicast mode, the following roles exist during multicast transmission:

l The information sender is called "multicast source".

l Receivers that receive the same information form a multicast group, and each receiver is a "multicast group member".

l All the routers that provide the multicast function are called "multicast routers".

For the roles in each multicast transmission, the following rules exist:

l Members of a multicast group can reside anywhere on the network, without restriction on geographic location.

l A multicast source need not belong to a multicast group. It sends data to the multicast group and need not be a receiver itself.


l Multiple sources can send packets to a multicast group concurrently.

l Some routers on the network do not support multicast. Using tunnel technology, a multicast router can encapsulate multicast packets into unicast IP packets and send them to a neighboring multicast router. The neighboring multicast router removes the unicast IP header and continues the multicast transmission. This avoids great changes to the network topology.

Advantages of Multicast

The advantages of multicast are as follows:

l Enhanced efficiency

It reduces network traffic and relieves server and CPU loads.

l Optimized performance

It reduces redundant traffic.

l Distributed application

It makes multipoint applications possible.

4.7.3 Implementing Static Multicast on the Eudemon

The Eudemon forwards packets in static multicast mode. Thus, the Eudemon should be deployed between the multicast source and the access router rather than at other locations on the multicast network, as shown in Figure 4-9.

Figure 4-9 Transmission mode of static multicast (figure: the Eudemon sits between the server acting as multicast source and the multicast network, which delivers the packets to User A, User B, User C, and User D; the figure distinguishes data transmission channels from device connections)

The Eudemon forwards packets from the multicast source host to the multicast access router, which then works with the other multicast routers to deliver the packets to each multicast user.

4.8 Keyword Authentication

Users in the private network can download or upload files by logging in to an external FTP server. For the sake of security and management, administrators of the private network need to restrict users' rights to operate FTP: for example, they may want some users to have only the "get" or "put" right and other users to have neither.


The Eudemon can be located at the egress of the private network and configured with the keyword authentication function. When users in the private network log in to the external FTP server and attempt to put or get a file, the Eudemon intercepts these packets. In this way, information security is ensured and internal users are managed.

4.9 Authentication and Authorization

4.9.1 Introduction to Authentication and Authorization

4.9.2 Introduction to Domain

4.9.3 Introduction to Local User Management

4.9.1 Introduction to Authentication and Authorization

In general, authentication and authorization adopt the client-server mode. The client runs on the resource side and the server stores the user information. This structure has good extensibility and is convenient for centralized management of user information.

Authentication Function

The Eudemon supports the following authentication modes:

l None authentication

This mode completely trusts users and does not check their validity. It is rarely used.

l Local authentication

The user information, including the user name, password, and other attributes, is configured on a Broadband Access Server (BAS). Its advantage is fast processing, which reduces the operating cost. Its disadvantage is that the information storage capacity is limited by the hardware.

l Remote authentication

Users are authenticated over the Remote Authentication Dial In User Service (RADIUS) protocol. The BAS acts as a client communicating with the RADIUS server. The protocol can be either the standard RADIUS protocol or Huawei's extended RADIUS protocol, and works with iTELLIN/CAMS to complete the authentication.

Authorization Function

The Eudemon supports the following authorization modes:

l Direct authorization

This mode completely trusts users and directly authorizes them to pass through.

l Local authorization

Users are authorized based on the relevant attributes of the local user account configured on the BAS.

l If-authenticated authorization

If the user passes authentication and the authentication mode is not none, the user is authorized.


l Authorization after RADIUS authentication

Users are authorized after they pass RADIUS authentication. Authentication and authorization are bound together in the RADIUS protocol, so RADIUS cannot be used to perform authorization only.

4.9.2 Introduction to Domain

The Eudemon manages users in the following two modes:

l Management through domains

l Management through user accounts

Note that all users belong to some domain.

Within a domain, you can configure:

l Default authorizations

l RADIUS templates

l Authentication schemes

The authorization configured within a domain has lower precedence than that configured on an Authentication and Authorization server; that is, the authorization attribute from the Authentication and Authorization server is used first. The domain authorization attribute takes effect only when the Authentication and Authorization server does not deliver this authorization or does not support it. In this way, the attribute limitations of the Authentication and Authorization server are removed, and new services can be added flexibly by managing them through a domain.

If a domain and a user within the domain are configured with the same attribute, the user-based configuration takes precedence over the domain-based configuration.

4.9.3 Introduction to Local User Management

Authentication and Authorization sets up a local user database on the Eudemon to maintain the user information and to manage users. Besides creating local user accounts, the Eudemon can perform local authentication.

NOTE

Users with information on the local user database are called local users.

4.10 IP-CAR

IP-CAR provides the following functions:

l Connection number limit: You can limit the number of connections of a specific IP address.

l Bandwidth limit: You can limit the session bandwidth of a specific IP address.

The connection number limit function can protect specific users from attacks and prevent certain users from launching attacks. The bandwidth limit function can balance network traffic, thus ensuring a normal access rate and indirectly defending against network attacks.


The Eudemon offers seven levels of bandwidth limit and connection number limit. You can set a connection number limit or bandwidth limit of a certain level for a specified scope. In addition, you can limit the connection number or bandwidth by using both ACLs and the limit level setting.

4.11 TSM Cooperation

4.11.1 Introduction to TSM Cooperation

4.11.2 Work Flow of TSM Cooperation

4.11.3 Specifications of TSM Cooperation

4.11.1 Introduction to TSM Cooperation

Networks have become indispensable for enterprises. However, they also expose enterprises to various security threats, such as:

l Internal employees steal confidential information for their own interests.

l Internal employees access enterprise application systems to tamper with important data without permission.

l Unauthorized accounts and insecure terminals access the enterprise networks.

To solve these problems, the Eudemon cooperates with the TSM (Terminal Security Management) server to protect important network resources. By working jointly with a Secospace server, the Eudemon can classify internal users and control their access to resources based on their permission classes. This mechanism ensures that a user can access only authorized resources, thus preventing unauthorized internal users from accessing confidential data or applications.

Figure 4-10 shows a typical networking.


Figure 4-10 Networking diagram of TSM Cooperation (figure: the Eudemon (SACG), with interfaces GE0/0/0, GE0/0/1, and GE5/0/0, connects the Trust, Untrust, and DMZ zones; terminals TA1 and TA2 attach through a LAN switch; the TSM Server Group comprises the TC, TM, and TRS; Service Servers A, B, and C are also shown. Legend: TSM Controller (TC), TSM Recover Server (TRS), Security Access Control Gateway (SACG), TSM Manager (TM), TSM Agent (TA))

NOTE

For information about the functions of each part, refer to TSM server-related documents.

4.11.2 Work Flow of TSM Cooperation

As shown in Figure 4-10, the Eudemon functions as the SACG and cooperates with the TSM to control users' network access and provide terminal users with services through the service servers.

To access network resources, a terminal user goes through the following steps:

1. The terminal user starts the TSM Agent (TA) and enters the authentication information for the TSM server to authenticate. The authentication modes are as follows:

l Normal account

l Domain account

l MAC account

l Third-party authentication

2. The TA sends the information about the terminal user to the TSM server for authentication and security checks.

l If the user is legitimate and the security policy check meets the requirement of the enterprise, the user can use the network.


l If the user is not legitimate or the security policy check does not meet the requirement of the enterprise, the TA raises an alarm to the user, and the TRS proposes the corresponding recovery.

After recovery, the preceding process takes place again. The terminal user can obtain network resources only when its security state meets the requirement.

3. After the terminal user passes the authentication and security check, the TSM server asks the Eudemon to grant the user certain access rights.

4. According to the access rights delivered by the TSM server, the Eudemon determines whether the terminal user can obtain specific network resources. If yes, the Eudemon allows the user to obtain the resources; if not, the user cannot obtain them.

5. When the terminal user logs out, the TA reports the logout to the TSM server, which then asks the Eudemon to disable the user's access.

When the terminal user accesses network resources again, the user must be authenticated again.

In addition, a synchronization mechanism between the Eudemon and the TSM server ensures that the Eudemon synchronizes updates and changes to users' role information on the Secospace server.

NOTE

According to the role rules, the Eudemon determines whether a user has the authority to access a service server. Terminal users can access the network resources matching their authority.

4.11.3 Specifications of TSM Cooperation

The cooperation between the Eudemon and the TSM supports a maximum of 2500 online users and 900 roles. One user can have up to 16 roles, and one role can be shared by multiple users.

NOTE

Based on their authority, administrators can define different roles and grant access rights to roles. Administrators with the same role enjoy the same operation rights. When creating an administrator account, the administrator need only specify roles for the account, which automatically gains all the operation rights of those roles. Granting rights in this way saves repeated operations and reduces the burden of account management.

4.12 SLB

4.12.1 Introduction to SLB

4.12.2 Virtual Service Technology

4.12.3 Server Health Check

4.12.4 Traffic-based Forwarding

4.12.1 Introduction to SLB

Based on the configured load balancing algorithm, the Eudemon can distribute traffic destined to the same IP address to several servers.

To the users, they appear to be accessing a single server. In fact, the Eudemon distributes their requests to several servers for processing. In this way, the processing capacity of each server is fully exploited and load balancing is accomplished. In addition, the availability of the server is guaranteed and the best network expansibility is achieved.

In a typical SLB application, the Eudemon is located at the egress of the private network.

The load balancing mechanism distributes users' traffic to servers in the following ways:

l Virtual Service Technology

l Server Health Check

l Traffic-based Forwarding

4.12.2 Virtual Service Technology

Every real server has a unique private IP address (real IP address). However, all the real servers are represented by one public IP address. The public IP address maps to a virtual server. The Eudemon distributes the traffic accessing the virtual server to each real server by using the configured load balancing algorithm.

For the sake of management, a group is used to connect the virtual server and the real servers. A group is a logical concept. The Eudemon uses a group to manage real servers and offer network services.

The relationship between the virtual server, the group, and the real server is shown in Figure 4-11.

Figure 4-11 Schematic diagram of Virtual Service (figure not reproduced; elements shown: PC, Vserver1, Vserver2, Group1, Group2, Rserver1 to Rserver4)

The advantages of the virtual service are as follows:

l Saving the IP address of the public network

l Improving the security of the system


l Improving the expandability of the system

4.12.3 Server Health Check

The Eudemon performs health checks by probing the real servers regularly. If a real server is available, it returns response packets. If not, the Eudemon stops using this real server and instead assigns traffic to other real servers based on the configured policies.

4.12.4 Traffic-based Forwarding

By specifying the algorithm, the Eudemon sends data streams to each real server for processing. So far, the Eudemon supports three SLB algorithms: source address hash, source address round, and source address weighted round.
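The following is an added example, not Huawei's code, that models in Python the virtual service, the group, the health check and the three forwarding algorithms described in 4.12.2 to 4.12.4. The class names (VirtualServer, Group, RealServer), the probe callback and the sample addresses are assumptions made for the example; "source address round" and "source address weighted round" are interpreted as round robin and weighted round robin over the real servers that passed the last health check.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class RealServer:
    """A real server behind the virtual service, reached by its private real IP."""
    name: str
    real_ip: str
    weight: int = 1          # used only by weighted round robin
    healthy: bool = True     # result of the last health check


@dataclass
class Group:
    """Logical group that ties one virtual server to its real servers."""
    name: str
    members: List[RealServer] = field(default_factory=list)

    def available(self) -> List[RealServer]:
        # Only servers that answered the last health check receive traffic.
        return [s for s in self.members if s.healthy]


def run_health_check(group: Group, probe: Callable[[RealServer], bool]) -> List[str]:
    """Probe every member of the group and record the result.

    'probe' stands in for the Eudemon's periodic check (a constructed callback
    that returns True when the server answers). Returns the names of the
    servers that remain eligible for traffic.
    """
    for server in group.members:
        server.healthy = probe(server)
    return [s.name for s in group.available()]


@dataclass
class VirtualServer:
    """Public IP that represents the whole group towards the clients."""
    public_ip: str
    group: Group
    algorithm: str = "round-robin"  # "source-hash" | "round-robin" | "weighted-round-robin"
    _counter: int = 0               # request counter driving the round robin cursors

    def select(self, src_ip: str) -> Optional[RealServer]:
        """Pick the real server for one request, or None if no server is healthy."""
        pool = self.group.available()
        if not pool:
            return None
        if self.algorithm == "source-hash":
            # The same source address lands on the same server while the pool is stable.
            digest = hashlib.sha256(src_ip.encode()).digest()
            return pool[int.from_bytes(digest[:4], "big") % len(pool)]
        if self.algorithm == "round-robin":
            chosen = pool[self._counter % len(pool)]
            self._counter += 1
            return chosen
        if self.algorithm == "weighted-round-robin":
            # Walk the cumulative weights: weight 3 gets three slots per cycle, weight 1 one.
            slot = self._counter % sum(s.weight for s in pool)
            self._counter += 1
            for server in pool:
                if slot < server.weight:
                    return server
                slot -= server.weight
        raise ValueError(f"unknown SLB algorithm {self.algorithm!r}")


def build_demo(algorithm: str) -> VirtualServer:
    """Constructed topology in the spirit of Figure 4-11: one virtual server,
    one group, three real servers (addresses are documentation ranges)."""
    group = Group("Group1", [
        RealServer("Rserver1", "10.1.1.1", weight=3),
        RealServer("Rserver2", "10.1.1.2", weight=1),
        RealServer("Rserver3", "10.1.1.3", weight=1),
    ])
    return VirtualServer("203.0.113.10", group, algorithm)


def dispatch(vserver: VirtualServer, client_ips: List[str]) -> List[Optional[str]]:
    """Return the real server name chosen for each client request, in order."""
    names: List[Optional[str]] = []
    for ip in client_ips:
        server = vserver.select(ip)
        names.append(server.name if server else None)
    return names


if __name__ == "__main__":
    vs = build_demo("weighted-round-robin")
    print(dispatch(vs, ["192.0.2.1"] * 5))
    run_health_check(vs.group, lambda s: s.name != "Rserver2")  # Rserver2 stops answering
    print(dispatch(vs, ["192.0.2.1"] * 5))
```

The health check is what keeps the algorithms safe to use: a server that stops answering drops out of the pool on the next check and, for the hash algorithm, its clients are re-mapped onto the remaining servers rather than black-holed.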


5 VPN

About This Chapter

5.1 Introduction

5.2 L2TP

5.3 IPSec

5.4 GRE


5.1 Introduction

5.1.1 VPN Overview

5.1.2 Basic VPN Technology

5.1.3 VPN Classification

5.1.1 VPN Overview

Virtual Private Network (VPN) is a technology that has developed rapidly in recent years as the Internet has become widely used. It is used to build private networks on a public network. "Virtual" mainly indicates that a VPN is a kind of logical network.

VPN Features

VPN has the following features:

l Different from traditional networks, a VPN does not physically exist. It is a kind of logical network, a virtual network configured based on existing public network resources.

l A VPN is exclusively used by an enterprise or a user group. For VPN users, a VPN is the same as a traditional dedicated network in usage. As a kind of private network, the resources of a VPN are independent of the bearer network resources. Typically, the resources of one VPN are not used by other VPNs on the bearer network or by non-authorized VPN users. A VPN offers a reliable protection mechanism to defend VPN-internal information against external intrusion and interruption.

l A VPN is a kind of sophisticated upper-layer service. VPN services help set up interconnection for the users of a private network. VPN services realize VPN-internal network topology setup, routing calculation, and user login or logout. VPN technology is much more complicated than common point-to-point application mechanisms.

VPN Advantages

VPN presents the following advantages:

l Helping set up reliable connections between remote users, overseas offices, partners, suppliers, and company headquarters to ensure secure data transmission. This advantage is significant because it realizes the convergence of e-business or financial networks with communication networks.

l Using public networks to realize information communication. With VPNs, enterprises can connect remote offices, telecommuters, and business partners at a dramatically lower cost. In addition, VPNs significantly increase the utilization of network resources, thus helping Internet Service Providers (ISPs) increase revenue.

l Allowing you to add or delete VPN users through software without changing hardware facilities. This mechanism offers great flexibility in VPN applications.

l Allowing telecommuting VPN users to access headquarters resources at any time and in any place. That satisfies the increasing demands for mobile services.

l Offering high quality VPNs such as MPLS VPN and diversified VPN services to meet VPN users' different demands for quality level. A service-specific rating mechanism brings ISPs more revenue.

5.1.2 Basic VPN Technology

VPN Basic Networking Application

The following takes an enterprise network as an example to illustrate VPN basic networking. Figure 5-1 shows the internal network established through VPN.

Figure 5-1 Networking diagram of VPN applications (figure not reproduced; elements shown: Cooperator, Remote user, Internal server, Company headquarters, and ISP PoPs)

As shown in Figure 5-1, eligible users can connect to the Point of Presence (POP) server of the local ISP through a Public Switched Telephone Network (PSTN), Integrated Services Digital Network (ISDN), or LAN so as to access the internal resources of an enterprise. Traditional WAN networking technology requires dedicated physical links to realize connections. With established virtual networks, remote users and telecommuters can access the internal resources of an enterprise without needing to be authorized by the local ISP. It is helpful for telecommuting staff and scattered users.

To experience VPN services, an enterprise needs to deploy only a server, such as a Windows NT server or a Eudemon that supports VPN, to share resources. After connecting to the local POP server through the PSTN, ISDN, or LAN, eligible users can directly call the remote server (VPN server) of the enterprise. The access server of the ISP and the VPN server work together to realize the call.


VPN Fundamentals

Figure 5-2 Networking diagram of a VPN access (figure not reproduced; elements shown: VPN user, NAS, tunnel, VPN server)

As shown in Figure 5-2, VPN users dial up to the Network Access Server (NAS) of the ISP through the PSTN or ISDN.

The NAS identifies users by checking user names or access numbers. If the NAS identifies that a user is a VPN user, it sets up a connection (a tunnel) with the user's destination VPN server. Then the NAS encapsulates the user's data into an IP packet and transmits it to the VPN server through the tunnel. After the VPN server receives the packet, it decapsulates the packet to read the real packet.

Packets can be encrypted on both sides of the tunnel. Other users on the Internet cannot read the encrypted packets. That ensures the security of packets. For users, a tunnel is a logical extension of the PSTN or ISDN link. Operations on the logical tunnel are similar to those on a physical link.

Tunnels can be achieved through tunnel protocols.

Based on the layer of the Open Systems Interconnection (OSI) reference model at which tunnels are realized, tunnel protocols can be categorized into two groups:

l Layer 2 (L2) tunneling protocols

An L2 tunneling protocol tunnels individual Point-to-Point Protocol (PPP) frames. The existing L2 tunneling protocols are as follows:

– Point-to-Point Tunneling Protocol (PPTP)

PPTP is supported by Microsoft, Ascend, and 3COM. Windows NT 4.0 and later versions support PPTP. PPTP supports the tunneling of PPP frames on IP networks. PPTP, as a call control and management protocol, uses an enhanced Generic Routing Encapsulation (GRE) technology to provide flow and congestion control encapsulation services for transmitted PPP packets.

– Layer 2 Forwarding (L2F) protocol

L2F is a Cisco proprietary protocol. L2F permits the tunneling of the link layer of higher-level protocols and helps divorce the location of the initial dial-up server from the location at which the dial-up protocol connection is terminated and access to the network is provided.

– Layer 2 Tunneling Protocol (L2TP)

L2TP is drafted by the IETF (Internet Engineering Task Force) with the support of Microsoft. By integrating the advantages of the preceding two protocols, L2TP has developed into a standard RFC. L2TP can be used to realize both dial-up VPN services (such as VPDN access) and private line VPN services.

l Layer 3 (L3) tunneling protocols

For an L3 tunneling protocol, both the starting point and the ending point are within an ISP. A PPP session is terminated on the NAS. Tunnels carry only L3 packets. The existing L3 tunneling protocols are as follows:

– Generic Routing Encapsulation (GRE)

GRE is used to realize the encapsulation of an arbitrary network layer protocol over another arbitrary network layer protocol.

– IP Security (IPSec)

IPSec is not a single protocol. Instead, it offers a set of system architecture for data security on IP networks, including Authentication Header (AH), Encapsulating Security Payload (ESP), and Internet Key Exchange (IKE).

GRE and IPSec are mainly applied to private line VPN services.

l Comparison between L2 and L3 tunneling protocols

L3 tunneling protocols are superior to L2 tunneling protocols in the following aspects:

– Security and Reliability

An L2 tunnel usually ends at a user-side device, so it places higher requirements on the security of user networks and on Eudemon technology. An L3 tunnel usually ends at an ISP gateway, so its requirements on the security technology of user networks are lower.

– Scalability

Since an L2 tunnel tunnels a whole PPP frame, transmission efficiency may be decreased. In addition, a PPP session runs through the whole tunnel and terminates at a user-side device. That requires the user-side gateway to keep a large amount of PPP session status information. That may overload the system and impact its scalability. Moreover, since the Link Control Protocol (LCP) and Network Control Protocol (NCP) negotiations are quite sensitive to time, degraded tunnel efficiency may result in a series of problems such as PPP session timeout. On the contrary, an L3 tunnel terminates on an ISP gateway, and a PPP session ends on the NAS. Thus, the user gateway does not need to manage and maintain the status of each PPP session, and system load is reduced.

Typically, L2 tunneling protocols and L3 tunneling protocols are used separately. If they are appropriately used together, for example, using L2TP and IPSec together, they may provide users with high security and better performance.

5.1.3 VPN Classification

IP VPN emulates WAN private line services (such as remote dial-up and DDN) with IP devices (on the public Internet or a private IP backbone network).

IP VPNs can be classified in the following ways.

Classification Based on Operation Modes

According to the operation modes, IP VPNs can be classified into the following types:

l Customer Premises Equipment based VPN (CPE-based VPN)


This kind of VPN requires users to install expensive devices and special authentication tools. In addition, users need to accomplish tedious maintenance tasks such as channel maintenance and bandwidth management. The networking of this kind of VPN is complicated and hard to scale.

l Network-based VPN (NBIP-VPN)

This kind of VPN outsources VPN maintenance to ISPs (meanwhile users are permitted to manage and control certain services). The functionalities of the VPN are realized on network devices, thus reducing user investment, offering more flexibility in adding services and scalability, and bringing new revenue to carriers.

Classification Based on Service Applications

According to usages of services, IP VPNs can be classified into the following types:

l Intranet VPN

An intranet VPN interconnects distributed internal points of an enterprise through public networks. It is an extension of or substitute for traditional private line networks and other enterprise networks.

l Access VPN

An access VPN provides private connections between intranets and extranets for telecommuting staff, mobile offices, and remote offices through public networks. There are two types of access VPN architectures:

– Client-initiated VPN connection

– NAS-initiated VPN connection

l Extranet VPN

An extranet VPN uses a VPN to extend an enterprise network to suppliers, partners, and clients, thus establishing a VPN between different enterprises through public networks.

Classification Based on Networking Modes

According to networking modes, IP VPNs can be classified into the following types:

l Virtual Leased Line (VLL)

A VLL is an emulation of traditional leased line services. By emulating a leased line through an IP network, a VLL provides asymmetric, low cost DDN service. For VLL users, a VLL is similar to a traditional leased line.

l Virtual Private Dial Network (VPDN)

A VPDN realizes a VPN through a dial-up public network, such as an ISDN or PSTN, to provide access services to enterprise customers, small-sized ISPs, and mobile offices.

l Virtual Private LAN Segment (VPLS)

A VPLS interconnects LANs through VPN segments on IP public networks. It is an extension of LANs on IP public networks.

l Virtual Private Routing Network (VPRN)

A VPRN interconnects headquarters, branches, and remote offices through network management virtual routers on IP public networks. There are two kinds of VPRN services:

– VPRN realized through traditional VPN protocols such as IPSec and GRE


– VPRN based on Multiprotocol Label Switch (MPLS)

5.2 L2TP

5.2.1 VPDN Overview

5.2.2 L2TP Overview

5.2.1 VPDN Overview

Virtual Private Dial Networks (VPDNs) adopt special network encryption protocols to set up secure VPNs for enterprise customers over public networks. With VPDNs, overseas offices and telecommuting staff can obtain a network connection to their headquarters through a virtual encryption tunnel over public networks. Other users on the public networks cannot pass through the virtual tunnel to access internal resources on the enterprise network.

There are two ways to realize VPDNs:

l The NAS sets up a tunnel to the VPDN gateway based on tunneling protocols.

This realization mechanism directly connects the PPP connection of users to the gateway of the enterprise network. So far, the available tunneling protocols are L2F and L2TP. The advantages of this realization mechanism are as follows:

– The realization process is transparent to users.

– Users can access the enterprise network after a one-time login.

– Since the enterprise network authenticates users and assigns IP addresses, no extra public addresses are required.

– Users can implement network access through different platforms.

This realization mechanism requires the NAS to support the VPDN protocol, and the authentication system to support VPDN attributes. Typically, a Eudemon or dedicated VPN server is used as a gateway.

l A client host sets up a tunnel with the VPDN gateway.

The client host connects to the Internet first, and then uses dedicated client software such as the L2TP client on Windows 2000 to set up a tunnel with the gateway. The advantage and disadvantage of this realization mechanism are as follows:

– Since this realization mechanism has no requirements for ISPs, users can access resources at any place and in any way.

– Since this mechanism requires users to install and use dedicated software, usually Windows 2000, users are limited to a specified platform.

There are three types of VPDN tunneling protocols:

l PPTP

l L2F

l L2TP

L2TP is widely used at present.

5.2.2 L2TP Overview


Background

PPP defines an encapsulation mechanism for transporting multiprotocol packets across L2 point-to-point links. Typically, a user obtains an L2 connection to a NAS using one of a number

L2TP supports the tunneling of PPP link layer packets. L2TP extends the PPP model by allowing the L2 and PPP endpoints to reside on different devices interconnected by a packet-switched network.

By integrating the advantages of PPTP and L2F, L2TP has developed into the industry standard for Layer 2 tunneling protocols.

Typical L2TP Networking Application

Figure 5-3 shows the typical networking of VPDN application based on L2TP.

Figure 5-3 Networking diagram of VPDN application based on L2TP (figure not reproduced; elements shown: Remote user, NAS acting as LAC, L2TP tunnel, LNS, Internal server, Remote branch)

As shown in Figure 5-3, the L2TP Access Concentrator (LAC) is attached to the switched network. The LAC is a PPP endpoint system and can process L2TP. Usually, an LAC is a NAS, which provides access services for users across the PSTN or ISDN. The L2TP Network Server (LNS) is also a PPP endpoint system and handles the server side of L2TP.

An LAC sits between an LNS and a remote system and forwards packets to and from each. Packets sent from the remote system to the LNS require tunneling with the L2TP protocol. Packets sent from the LNS are decapsulated and then forwarded to the remote system. The connection from the LAC to the remote system is either local or a PPP link. For VPDN applications, the connections are usually PPP links.

An LNS acts as one side of an L2TP tunnel and is a peer to an LAC. The LNS is the logical termination point of a PPP session that is being tunneled from the remote system by the LAC.

Technology Details

The following describes the technology details of L2TP:

l L2TP protocol structure


Figure 5-4 L2TP protocol structure (figure not reproduced; it shows the PPP frame inside an L2TP data message over the unreliable L2TP data tunnel, L2TP control messages over the reliable L2TP control tunnel, and both over the packet transmission network such as UDP)

Figure 5-4 depicts the relationship of PPP frames, control messages, and data messages over the L2TP control and data channels. PPP frames are passed over an unreliable data channel, encapsulated first by an L2TP header and then by a packet transport such as UDP, Frame Relay, or ATM. Control messages are sent over a reliable L2TP control channel, which transmits packets in-band over the same packet transport.

L2TP uses the registered UDP port 1701. The entire L2TP packet, including payload and L2TP header, is sent within a UDP datagram. The initiator (LAC) of an L2TP tunnel picks an available source UDP port (which may or may not be 1701), and sends to the desired destination address (LNS) at port 1701. The LNS picks a free port on its own system (which may or may not be 1701), and sends its reply to the LAC's UDP port and address, setting its own source port to the free port it found. Once the source and destination ports and addresses are established, they must remain static for the life of the tunnel.

l Tunnel and session

There are two types of connections between an LNS-LAC pair:

– Tunnel: defines an LNS-LAC pair.

– Session: is multiplexed over a tunnel to denote each session process over the tunnel.

Multiple L2TP tunnels may exist between the same LAC and LNS. A tunnel consists of one control connection and one or several sessions. A session is set up after a tunnel is successfully created, namely, after information such as ID, L2TP version, frame type, and hardware transmission type has been exchanged. Each session corresponds to a PPP data stream between an LAC and an LNS. Both control messages and PPP packets are transmitted through tunnels. L2TP uses Hello messages to check the connectivity of a tunnel. The LAC and the LNS periodically send Hello messages to each other. If no Hello message is received within a period of time, the session between them is cleared.

l Control message and data message

L2TP utilizes two types of messages:

– Control messages

Control messages are used in the establishment, maintenance, and transmission control of tunnels and sessions. Control messages utilize a reliable control channel within L2TP to guarantee delivery. Control messages support traffic control and congestion control.

– Data messages

Data messages are used to encapsulate PPP frames being carried over the tunnel. Data messages are not retransmitted when packet loss occurs. Data messages do not support traffic control and congestion control.


L2TP packets for the control channel and data channel share a common header format. An L2TP message header includes a tunnel ID and a session ID, which are used to identify tunnels and sessions. Packets with the same tunnel ID but different session IDs are multiplexed over the same tunnel. Tunnel IDs and session IDs in a packet header are assigned by the peer ends.
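As an added example that is not part of Huawei's documentation or code, the following Python decodes the common L2TP header just described, using the field layout of RFC 2661 (flag word with T, L, S and O bits and a 4-bit version, optional Length, Tunnel ID, Session ID, optional Ns/Nr, optional Offset), and demultiplexes datagrams by their (tunnel ID, session ID) pair as a receiving LAC or LNS would. The rejection rules (wrong version, truncated header, control message without L and S) are the checks a receiver applies before trusting a datagram on UDP port 1701; the sample datagrams are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

L2TP_UDP_PORT = 1701   # registered port named in the text
L2TP_VERSION = 2       # the version whose header layout is decoded here

# Bits of the first 16-bit word of the header (RFC 2661 section 3.1).
FLAG_T = 0x8000   # 1 = control message, 0 = data message
FLAG_L = 0x4000   # Length field present
FLAG_S = 0x0800   # Ns/Nr fields present
FLAG_O = 0x0200   # Offset Size field present
VER_MASK = 0x000F


@dataclass
class L2TPMessage:
    is_control: bool
    tunnel_id: int
    session_id: int
    length: Optional[int]
    ns: Optional[int]
    nr: Optional[int]
    payload: bytes


def parse_l2tp(datagram: bytes) -> L2TPMessage:
    """Decode the common header and return its fields plus the payload.

    Raises ValueError for anything a receiver should drop: wrong version,
    truncated header, or a control message without the mandatory L and S bits.
    """
    pos = 0

    def need(n: int) -> None:
        if len(datagram) < pos + n:
            raise ValueError("truncated L2TP header")

    need(2)
    flags, = struct.unpack_from("!H", datagram, pos)
    pos += 2
    if flags & VER_MASK != L2TP_VERSION:
        raise ValueError(f"unsupported L2TP version {flags & VER_MASK}")
    is_control = bool(flags & FLAG_T)
    if is_control and (not flags & FLAG_L or not flags & FLAG_S or flags & FLAG_O):
        raise ValueError("control message must set L and S and must not set O")

    length = None
    if flags & FLAG_L:
        need(2)
        length, = struct.unpack_from("!H", datagram, pos)
        pos += 2
        if length > len(datagram):
            raise ValueError("Length field exceeds the datagram")

    need(4)
    tunnel_id, session_id = struct.unpack_from("!HH", datagram, pos)
    pos += 4

    ns = nr = None
    if flags & FLAG_S:
        need(4)
        ns, nr = struct.unpack_from("!HH", datagram, pos)
        pos += 4

    if flags & FLAG_O:
        need(2)
        offset, = struct.unpack_from("!H", datagram, pos)
        pos += 2
        need(offset)
        pos += offset   # skip the offset padding that precedes the payload

    if length is not None and length < pos:
        raise ValueError("Length field shorter than the header")
    end = len(datagram) if length is None else length
    return L2TPMessage(is_control, tunnel_id, session_id, length, ns, nr, datagram[pos:end])


def build_l2tp(is_control: bool, tunnel_id: int, session_id: int, payload: bytes,
               ns: int = 0, nr: int = 0) -> bytes:
    """Encode a message the way a peer would (used here to construct sample input)."""
    if is_control:
        flags = FLAG_T | FLAG_L | FLAG_S | L2TP_VERSION
        return struct.pack("!HHHHHH", flags, 12 + len(payload), tunnel_id, session_id, ns, nr) + payload
    return struct.pack("!HHH", L2TP_VERSION, tunnel_id, session_id) + payload


def is_malformed(datagram: bytes) -> bool:
    """True when the receiver would drop the datagram."""
    try:
        parse_l2tp(datagram)
    except ValueError:
        return True
    return False


def demultiplex(datagrams: List[bytes]) -> Dict[Tuple[int, int], List[bytes]]:
    """Group payloads by (tunnel ID, session ID); tunnel-level control messages
    carry session ID 0. Malformed datagrams are dropped, not raised."""
    streams: Dict[Tuple[int, int], List[bytes]] = {}
    for dgram in datagrams:
        if is_malformed(dgram):
            continue
        msg = parse_l2tp(dgram)
        streams.setdefault((msg.tunnel_id, msg.session_id), []).append(msg.payload)
    return streams
```

The control-message payload would be a sequence of AVPs and the data-message payload a PPP frame; neither is decoded here, only delivered to the right tunnel and session.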

Two Typical L2TP Tunnel Modes

Figure 5-5 shows the tunnel modes of PPP frames between a remote system or an LAC client (running L2TP) and an LNS.

Figure 5-5 Two typical L2TP tunnel modes (figure not reproduced; elements shown: Remote client, LAC client, LAC, LNS)

Connections can be established in two ways:

l Initiated by a remote dial-up user

The remote client initiates a PPP connection across the PSTN/ISDN to an LAC. The LAC then tunnels the PPP connection across the Internet. Authentication, Authorization, and Accounting may be provided by the home LAN's management domain or by the LNS.

l Initiated directly by an LAC client (a host which runs L2TP natively)

LAC clients can directly initiate a tunnel connection to the LNS without use of a separate LAC. In this case, the address of the LAC client is assigned by the LNS.

Setup Procedure of an L2TP Tunnel Session

Figure 5-6 shows a typical networking of L2TP.


Figure 5-6 Typical networking diagram of L2TP (figure not reproduced; elements shown: PCs, LAC Eudemon A with its RADIUS server, IP network, LNS Eudemon B with its RADIUS server)

Figure 5-7 shows the procedure for setting up an L2TP call.

Figure 5-7 Procedure for setting up an L2TP call (figure not reproduced; it shows the message flow among the PC, the LAC Eudemon A and its RADIUS server, and the LNS Eudemon B and its RADIUS server; steps (1) to (15) are described below)

The procedure for setting up an L2TP call is as follows:

1. The PC at the user side initiates a connection request.

2. The PC and the LAC (Eudemon A) negotiate PPP LCP parameters.

3. The LAC performs Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) authentication based on the user information provided by the PC.

4. The LAC sends the authentication information, including the VPN user name and password, to the RADIUS server for ID authentication.

5. The RADIUS server authenticates this user. After the authentication is passed successfully, the LAC is ready to initiate a new tunnel request.

6. The LAC initiates a tunnel request to the LNS specified by the RADIUS server.

7. The LAC informs the LNS of the CHAP challenge, the LNS sends back the CHAP response together with its own CHAP challenge, and the LAC sends back the CHAP response.

8. Authentication passes.

9. The LAC transmits the CHAP response, response identifier, and PPP negotiation parameters to the LNS.

10. The LNS sends the access request to the RADIUS server for authentication.

11. The RADIUS server re-authenticates this access request and sends back a response if authentication is successful.

12. If local mandatory CHAP authentication is configured at the LNS, the LNS authenticates the VPN user by sending a challenge, and the VPN user at the PC sends back responses.

13. The LNS re-sends this access request to the RADIUS server for authentication.

14. The RADIUS server re-authenticates this access request and sends back a response if authentication is successful.

15. After all authentications are passed, the VPN user can access the internal resources of the enterprise.
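The authentication rounds of the call setup above, as an added Python example that is not Huawei's code. It uses the CHAP computation of RFC 1994 (Response = MD5(Identifier || Secret || Challenge)) for steps 3, 9 to 11 and 12 to 14, and models the RADIUS user database as a dictionary and the tunnel authentication of step 7 with the same challenge/response primitive and a shared tunnel secret; both are simplifications assumed for the example. The point it makes visible is why the LAC forwards the challenge together with the response in step 9: the LNS side can only re-verify if it sees the same challenge, and a challenge is answered once, so a captured response cannot be replayed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Constant-time comparison of the expected and the received response."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


class ChapAuthenticator:
    """One authenticating side (the LAC, the LNS, or the RADIUS server behind it).

    'users' maps user name -> secret and stands in for the RADIUS user database;
    it is constructed for the example.
    """

    def __init__(self, users: Dict[str, bytes]) -> None:
        self.users = users
        self._next_id = 0
        self._pending: Dict[int, bytes] = {}   # identifier -> challenge not yet answered

    def challenge(self, fixed: Optional[bytes] = None) -> Tuple[int, bytes]:
        """Issue a fresh challenge; 'fixed' only makes the example reproducible."""
        self._next_id = (self._next_id + 1) & 0xFF
        chal = fixed if fixed is not None else os.urandom(16)
        self._pending[self._next_id] = chal
        return self._next_id, chal

    def check(self, identifier: int, user: str, response: bytes) -> bool:
        """Verify a response to one of our own challenges. The challenge is
        consumed on first use, so a captured response replayed later fails."""
        chal = self._pending.pop(identifier, None)
        secret = self.users.get(user)
        if chal is None or secret is None:
            return False
        return chap_verify(identifier, secret, chal, response)

    def verify_relayed(self, identifier: int, user: str, challenge: bytes, response: bytes) -> bool:
        """Steps 9 to 11: the LNS/RADIUS re-check the LAC's challenge and the
        PC's response without issuing a challenge of their own."""
        secret = self.users.get(user)
        return secret is not None and chap_verify(identifier, secret, challenge, response)


def l2tp_call_authentication(user: str, pc_secret: bytes, lac: ChapAuthenticator,
                             lns: ChapAuthenticator, lac_tunnel_secret: bytes,
                             lns_tunnel_secret: bytes, lns_mandatory_chap: bool = True) -> Dict[str, bool]:
    """Run the authentication steps of the call setup and report each outcome.

    'pc_secret' is the password the PC uses; each server holds its own copy in
    'users'. The tunnel secrets are the LAC's and the LNS's copies of the shared
    tunnel password (simplified model of the L2TP tunnel challenge AVPs).
    """
    result: Dict[str, bool] = {}

    # Step 3 (checked in steps 4/5): the LAC challenges the PC and verifies the answer.
    ident, chal = lac.challenge()
    response = chap_response(ident, pc_secret, chal)          # computed by the PC
    result["step3_lac_chap"] = lac.check(ident, user, response)

    # Step 7: mutual tunnel authentication between LAC and LNS.
    lac_chal, lns_chal = os.urandom(16), os.urandom(16)
    lns_answer = chap_response(2, lns_tunnel_secret, lac_chal)   # LNS answers the LAC
    lac_answer = chap_response(3, lac_tunnel_secret, lns_chal)   # LAC answers the LNS
    result["step7_tunnel_auth"] = (chap_verify(2, lac_tunnel_secret, lac_chal, lns_answer)
                                   and chap_verify(3, lns_tunnel_secret, lns_chal, lac_answer))

    # Steps 9 to 11: the LAC forwards identifier, challenge and response; the LNS side re-verifies.
    result["step10_lns_radius"] = lns.verify_relayed(ident, user, chal, response)

    # Steps 12 to 14: optional second CHAP round issued by the LNS itself.
    if lns_mandatory_chap:
        ident2, chal2 = lns.challenge()
        result["step12_lns_chap"] = lns.check(ident2, user, chap_response(ident2, pc_secret, chal2))

    # Step 15: access is granted only when every round passed.
    result["access_granted"] = all(result.values())
    return result
```

Note that CHAP proves knowledge of the password without sending it, but it needs the cleartext secret stored on every verifier; combining L2TP with IPSec, as the next subsection describes, is what protects the tunneled PPP frames themselves.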

Features of the L2TP Protocol

The features of the L2TP protocol are as follows:

l Flexible ID authentication mechanism and high security

– L2TP itself does not provide connection security, but it can depend on the authentication, such as CHAP and PAP, provided by PPP. Thereby, it has all the security features of PPP.

– L2TP can integrate with IPSec to fulfill data security, which makes it more difficult to attack the data transmitted with L2TP.

– To improve data security, based on the requirements of the specific network, L2TP adopts:

– Tunnel encryption technique

– End-to-end data encryption

– Application layer data encryption

l Multi-protocol transmission

L2TP transmits PPP data packets, and a wide variety of protocols can be encapsulated in PPP data packets.

l Supporting authentication by the RADIUS server

The LAC sends the user name and password to the RADIUS server in an authentication request. The RADIUS server is in charge of:

– Receiving the authentication request of the user

– Fulfilling the authentication

l Supporting internal address assignment

The LNS can be put behind the intranet Eudemon. It can dynamically assign and manage the addresses of remote users and supports the application of private addresses (RFC 1918). The IP addresses assigned to remote users are internal private addresses of the enterprise instead of Internet addresses. Thus, the addresses can be easily managed and security is also improved.

l Flexible network charging

L2TP charges in both the LAC and the LNS at the same time, that is, in the ISP (to generate bills) and in the intranet gateway (to pay charges and audit).

L2TP can provide the following charging data:

– Transmitted packet number and byte number

– Start time and end time of the connection

L2TP can easily perform network charging based on these data.

l Reliability

L2TP supports a backup LNS. When the active LNS is inaccessible, the LAC can reconnect to the backup LNS, which improves the reliability and fault tolerance of the VPN service.

5.3 IPSec

5.3.1 IPSec Overview

5.3.2 IPSec Basic Concepts

5.3.3 IKE Overview

5.3.4 Overview of the IKEv2 Protocol

5.3.5 Security Analysis of IKEv2

5.3.6 IKEv2 and EAP Authentication

5.3.7 NAT Traversal of IPSec

5.3.8 Realizing IPSec on the Eudemon

5.3.1 IPSec Overview

The IP Security (IPSec) protocol works as follows. The two sides of communication perform encryption and data source authentication at the IP layer to ensure the confidentiality, integrity, authenticity, and anti-replay of packets transmitted on networks. The details are as follows:

l Confidentiality

User data is encrypted and transmitted in cipher text.

l Integrity

Received data is authenticated to check whether it has been tampered with.

l Authenticity

Data source is authenticated to ensure that data is from a real sender.

l Anti-replay

It prevents malicious users from repeatedly sending captured packets. In other words, the receiver can reject repeated data packets.

IPSec realizes the preceding aims with two security protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP). IPSec can realize auto-negotiated key exchange and SA setup as well as maintenance services through Internet Key Exchange (IKE). That simplifies the use and management of IPSec. The details are as follows:

l AH

AH mainly provides data source authentication, data integrity check, and anti-replay. However, it cannot encrypt the packet.

l ESP

ESP provides all functions of AH. In addition, it can encrypt the packets. However, its data integrity authentication does not cover IP headers.

l IKE

IKE is used to automatically negotiate cipher algorithms for AH and ESP.

NOTE

l AH and ESP can be used either separately or jointly. Both AH and ESP support the tunnel mode.

• IPSec policies and algorithms can also be configured in manual mode, in which case IKE negotiation is not necessary. The two negotiation modes are compared in 5.3.2 IPSec Basic Concepts.

5.3.2 IPSec Basic Concepts

Security Association

IPSec provides secure communication between two endpoints. These two endpoints are called IPSec peers.

IPSec allows systems, network subscribers, or administrators to control the granularity of security services between peers.

For example, the IPSec policies of one group may define that data streams from a subnet should be protected with both AH and ESP and encrypted with Triple Data Encryption Standard (3DES), while data streams from another site should be protected with ESP only and encrypted with DES only. IPSec can provide different levels of protection for different data streams based on SAs.

An SA is the basis and essence of IPSec. An SA specifies the shared policies and keys used by two negotiating peers to protect their communication:

• Applied protocols (AH, ESP, or both)

• Encapsulation mode of the protocols (transport mode or tunnel mode)

• Encryption algorithm (DES and 3DES)

• Shared keys used to protect data in certain streams

• Life duration of the shared keys

An SA is unidirectional. For bidirectional communication between peers, at least two SAs are needed to protect the data streams in the two directions. Moreover, if both AH and ESP are applied to protect data streams between peers, two separate SAs are still needed, one for AH and one for ESP.

An SA is uniquely identified by a triplet consisting of:


• Security Parameter Index (SPI)

• Destination IP address

• Security protocol number (AH or ESP)

The SPI is a 32-bit value that uniquely identifies an SA. It is transmitted in the AH or ESP header.

An SA has a life duration, which can be measured in one of two ways:

• Time-based life duration

The SA is updated at a specified interval.

• Traffic-based life duration

The SA is updated after a specified volume of data (in bytes) has been transferred.
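As an added illustration that is not part of the Huawei document, the following Python model shows how a receiver uses the identifying triplet, an anti-replay window, and the two lifetime types described above; the class and function names are this example's own, the 64-packet sliding window follows the RFC 4303 scheme, and all SA values are constructed.

```python
"""Added example, not from the Huawei document: a minimal model of an IPSec
Security Association Database (SAD).  It shows the three ideas this section
describes: the (SPI, destination IP, protocol) triplet that identifies an SA,
the anti-replay window on the receiving side, and time-based and
traffic-based lifetimes.  Class and function names are this example's own."""
from dataclasses import dataclass

PROTO_ESP, PROTO_AH = 50, 51   # IP protocol numbers of ESP and AH


@dataclass
class SecurityAssociation:
    spi: int                 # 32-bit value carried in the AH/ESP header
    dst: str                 # destination IP address
    proto: int               # PROTO_AH or PROTO_ESP
    created: float           # creation time, seconds
    time_lifetime: float     # seconds; 0 disables the time-based limit
    traffic_lifetime: int    # bytes; 0 disables the traffic-based limit
    window_size: int = 64    # anti-replay window width in packets
    bytes_seen: int = 0
    highest_seq: int = 0     # highest sequence number accepted so far
    window: int = 0          # bitmap: bit i set => highest_seq - i was seen

    def expired(self, now):
        """Return 'time' or 'traffic' if a lifetime is exhausted, else None."""
        if self.time_lifetime and now - self.created >= self.time_lifetime:
            return "time"
        if self.traffic_lifetime and self.bytes_seen >= self.traffic_lifetime:
            return "traffic"
        return None

    def check_replay(self, seq):
        """Sliding-window anti-replay check (same scheme as RFC 4303).
        Returns True and records seq if it is fresh; False if seq was
        already seen or is older than the window."""
        if seq == 0:                       # 0 is never a valid sequence number
            return False
        if seq > self.highest_seq:         # new high-water mark: slide window
            shift = seq - self.highest_seq
            if shift >= self.window_size:
                self.window = 1            # everything old falls off the window
            else:
                mask = (1 << self.window_size) - 1
                self.window = ((self.window << shift) | 1) & mask
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= self.window_size:     # too old to be tracked
            return False
        if self.window & (1 << offset):    # already received: replay
            return False
        self.window |= 1 << offset
        return True


class SADatabase:
    """Inbound SAs keyed by the identifying triplet."""

    def __init__(self):
        self._sas = {}

    def add(self, sa):
        self._sas[(sa.spi, sa.dst, sa.proto)] = sa

    def lookup(self, spi, dst, proto):
        return self._sas.get((spi, dst, proto))


def inbound_check(sad, spi, dst, proto, seq, length, now):
    """Decisions a receiver takes before authenticating/decrypting a packet:
    find the SA, reject if its lifetime is over, reject replays, then charge
    the packet against the traffic-based lifetime."""
    sa = sad.lookup(spi, dst, proto)
    if sa is None:
        return "no-sa"
    reason = sa.expired(now)
    if reason:
        return "expired-" + reason
    if not sa.check_replay(seq):
        return "replay"
    sa.bytes_seen += length
    return "accept"


def demo():
    """Constructed inbound ESP SA with a 5000-byte traffic lifetime."""
    sad = SADatabase()
    sad.add(SecurityAssociation(spi=0x1000, dst="10.0.0.2", proto=PROTO_ESP,
                                created=0.0, time_lifetime=3600,
                                traffic_lifetime=5000))
    # Sequence numbers as they might arrive: 2 is repeated, 100 jumps ahead,
    # 1 then falls outside the 64-packet window, 102 exhausts the lifetime.
    return [inbound_check(sad, 0x1000, "10.0.0.2", PROTO_ESP, s, 1000, now=10.0)
            for s in (1, 2, 3, 2, 100, 1, 101, 102)]
```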

SA Negotiation Modes

There are two negotiation modes to create SAs:

• Manual mode (manual)

Manual mode is more complicated than auto-negotiation mode. In manual mode, all information required to create an SA has to be configured manually. Moreover, it does not support some advanced features of IPSec, such as scheduled key update. The advantage of manual mode is that it can realize IPSec without IKE.

• IKE auto-negotiation mode (isakmp)

In IKE auto-negotiation mode, an SA can be created and maintained by IKE auto-negotiation as long as the IPSec policies for IKE negotiation are configured.

Manual mode is feasible in a scenario where only a few peer devices exist or the network is small. IKE auto-negotiation mode (isakmp) is recommended for medium or large-sized networks.

Encapsulation Modes of the IPSec Protocol

The IPSec protocol has two encapsulation modes:

• Transport mode

In transport mode, the AH or ESP header is inserted after the IP header but before the transport-layer protocol header, or before other IPSec protocol headers. Take ah-esp for example: AH is inserted after the IP header and before ESP.

• Tunnel mode

In tunnel mode, the AH or ESP header is inserted before the original IP header but after the new IP header.

An SA specifies the encapsulation mode for the IPSec protocol. Figure 5-8 shows the data encapsulation format for the various protocols in transport mode and tunnel mode. Transmission Control Protocol (TCP) is taken as the example payload to show the data encapsulation in each mode.


Figure 5-8 Data encapsulation format for security protocols

Protocol: AH

  Transport mode: IP header | AH | TCP header | Data

  Tunnel mode: New IP header | AH | Raw IP header | TCP header | Data

Protocol: ESP

  Transport mode: IP header | ESP | TCP header | Data | ESP Tail | ESP Auth data

  Tunnel mode: New IP header | ESP | Raw IP header | TCP header | Data | ESP Tail | ESP Auth data

Protocol: AH-ESP

  Transport mode: IP header | AH | ESP | TCP header | Data | ESP Tail | ESP Auth data

  Tunnel mode: New IP header | AH | ESP | Raw IP header | TCP header | Data | ESP Tail | ESP Auth data

Tunnel mode is more secure than transport mode. Tunnel mode can authenticate and encrypt the original IP packet completely. Moreover, it can hide the client IP address behind the IPSec peer IP address.

With respect to performance, tunnel mode occupies more bandwidth than transport mode because it adds an extra IP header.

Therefore, when choosing the operation mode, you need to weigh security against performance.

Authentication Algorithm and Encryption Algorithm

Details of the authentication algorithm and the encryption algorithm are as follows:

• Authentication algorithm

Both AH and ESP can authenticate the integrity of an IP packet so as to determine whether the packet has been tampered with. Authentication is performed through a hash function. A hash function is an algorithm that takes a message of arbitrary length and generates a message of fixed length, called the message digest. The IPSec peers each compute the hash of the packet. If they obtain identical digests, the packet is considered complete and intact. Usually, there are two types of IPSec authentication algorithms:

– MD5

It takes a message of arbitrary length and generates a 128-bit message digest.

– SHA-1

It takes a message of less than 2^64 bits and generates a 160-bit message digest. The SHA-1 digest is longer than that of MD5, so SHA-1 is safer than MD5.

• Encryption algorithm

ESP can encrypt IP packets so that their contents cannot be snooped during transmission. The encryption algorithm encrypts and decrypts packets with the same key, that is, it uses a symmetric key system. Generally, IPSec uses the following types of encryption algorithms:

– DES

It encrypts 64-bit plaintext blocks with a 56-bit key.

– 3DES

It encrypts plaintext with three 56-bit keys (168-bit key in total).

– Advanced Encryption Standard (AES)

It encrypts plaintext with a 128-bit, 192-bit, or 256-bit key.

Obviously, 3DES is more secure than DES. However, its encryption speed is lower than that of DES.

5.3.3 IKE Overview

IPSec SAs can be created manually. However, as the number of nodes on the network increases, it becomes hard to guarantee the security of the network this way. In this case, IKE can be used to automatically create SAs and implement key exchange.

With its self-protection mechanism, IKE can distribute keys, authenticate identities, and establish SAs on insecure networks.

IKE Security Mechanism

IKE security mechanism is as follows:

• Diffie-Hellman (DH) exchange and key distribution

The DH algorithm is a public-key algorithm. The two communicating parties can exchange some data without transmitting the key itself and then compute the shared key. The prerequisite for encryption is that both parties must have a shared key. The merit of IKE is that it never transmits the key directly over the insecure network but calculates the key by exchanging a series of data. Even if a third party (such as a hacker) captured all of the exchanged data used to calculate the shared key, it could not figure out the real key.

• Perfect Forward Secrecy (PFS)

PFS is a security feature. PFS refers to the notion that the compromise of a single key does not affect the security of other keys, because a key cannot be used to derive any other key. PFS is based on the DH algorithm. PFS is realized when a key exchange is added during IKE phase 2.

• ID authentication

ID authentication identifies the two parties of the communication. The negotiation modes are as follows:

– pre-share: you need to configure each peer with the pre-shared key. The peers of a security connection must have identical pre-shared keys.

– rsa-sig: you need to configure local certificates.

• Identity protection

After a shared key is generated, identity data is transmitted in encrypted mode.

IKE Exchange Phases

IKE uses two phases to negotiate IPSec keys and create SAs:

• Phase 1 is where the two ISAKMP peers establish a secure, authenticated channel with which to communicate. This is called the ISAKMP Security Association (ISAKMP SA or IKE SA).


• Phase 2 is where SAs are negotiated on behalf of services such as IPSec or any other service which needs key material and/or parameter negotiation. The IPSec SA is used for transmitting IP data.

Figure 5-9 shows the relationship of IKE and IPSec.

Figure 5-9 Relationship of IKE and IPSec

(Figure 5-9 shows EudemonA and EudemonB, each with a TCP/UDP, IPSec, and IP stack. IKE on the two Eudemons performs the SA negotiation and hands the resulting SAs to IPSec, and IPSec then exchanges encrypted IP packets between them.)

Figure 5-10 shows the procedure for setting up an SA.

Figure 5-10 Procedure for setting up an SA

(Figure 5-10 shows the exchange between EudemonA and EudemonB:

Step 1: Data flow is output from the interface that applies IPSec.

Step 2: The SA of IKE negotiation stage 1 is triggered.

Step 3: Under the protection of the stage 1 security association, the IPSec SA is negotiated in stage 2.

Step 4: Communication proceeds under the protection of the stage 2 security association.)

The process for setting up an SA is as follows:

1. On an interface that runs IPSec, an outbound packet is compared with the IPSec policies.

2. If the packet matches an IPSec policy, the relevant SA is searched for. If the SA has not been created, IKE is triggered to negotiate an SA in stage 1, that is, the IKE SA.

3. Under the protection of the IKE SA, IKE continues to negotiate the SA in stage 2, that is, the IPSec SA.

4. The IPSec SA is used to protect the communication data.


IKE Negotiation Modes

As defined in RFC 2409 (the Internet Key Exchange), IKE negotiation in phase 1 can use two modes:

• Main mode

In main mode, the key exchange information is separated from the identity and authentication information. This separation realizes identity protection: the exchanged identity information is protected by the generated Diffie-Hellman (DH) shared key. However, it takes extra messages to complete the process.

• Aggressive mode

In aggressive mode, the payloads relevant to the SA, key exchange, and authentication are transmitted together. Transmitting these payloads in one message reduces the number of round trips. However, this mode cannot provide identity protection.

Although aggressive mode has some functional limitations, it can meet the requirements of some specific network environments.

For example, during remote access, the responder (server end) has no way to learn the address of the initiator (terminal user) in advance, or the address of the initiator is always changing, but both parties wish to create IKE SAs through pre-shared key authentication. In this case, aggressive mode without identity protection is the only available exchange method. In addition, if the initiator has learned the responder's policy or has a comprehensive understanding of it, aggressive mode can be adopted to create IKE SAs rapidly.

5.3.4 Overview of the IKEv2 Protocol

Introduction

As the first-choice key exchange protocol for implementing IPSec VPNs, IKE ensures secure and dynamic creation of the SA. IKE is a hybrid protocol. Its complexity inevitably introduces defects in security and performance, which have already become a bottleneck for current IPSec systems. The IKEv2 protocol retains the basic functions of IKE and overcomes the problems found during the study of IKE. Moreover, for simplicity, efficiency, security, and robustness, the relevant IKE documents are replaced by RFC 4306. By minimizing the core functions and default cryptographic algorithms, IKEv2 greatly improves interoperability among different IPSec VPNs.

Compared with IKE, IKEv2 has the following advantages:

• After four messages, one IKE SA and a pair of IPSec SAs can be created through negotiation. Thus, the negotiation efficiency is improved.

• Data structures that are difficult to understand and likely to cause confusion are removed, including the DOI, SIT, and domain identifier.

• Many cryptographic loopholes are closed, and thus security is improved.

• IKEv2 can choose the payloads of specific traffic to protect. In this way, IKEv2 takes over certain functions of the former ID payload and becomes more flexible.

• IKEv2 supports EAP authentication, and thus authentication becomes more flexible and extensible.


Negotiation Process of IKEv2

To create a pair of IPSec SAs, IKE requires two phases, namely, main mode + quick mode or aggressive mode + quick mode. Main mode + quick mode requires at least 9 messages, while the latter requires at least 6 messages. Normally, with two IKEv2 exchanges, that is, four messages, you can create one IKE SA and a pair of IPSec SAs through negotiation. To create more than one pair of IPSec SAs, only one exchange is needed for each additional pair of SAs; that is, two messages accomplish the task. IKEv2 is much simpler than IKE in this respect.

5.3.5 Security Analysis of IKEv2

IKEv2 closes the security loopholes of IKE and improves the security of key negotiation. In addition, IKEv2 requires that all messages exist in the form of request/reply pairs, which effectively improves the reliability of UDP as the transport-layer protocol.

The following describes the security of IKEv2.

Defense against man-in-the-middle attacks

A man-in-the-middle attack is a kind of active attack. During the attack, the attacker eavesdrops on the communicating parties to capture their messages. After inserting data into the messages, or deleting or changing the information in them, the attacker returns the changed messages to the sender, or replays or redirects the original messages. This is the most harmful kind of attack. In IKEv2, the mechanisms and methods for defending against man-in-the-middle attacks are as follows:

• Modes for generating key materials

The key materials of IKEv2 differ from those of IKE in that the encryption key and the authentication key used for follow-up interactions are different. These keys are extracted one by one from the prf+ output stream. Therefore, it is more difficult for the attacker to guess the keys. As a result, the keys are less likely to be disclosed, transmission becomes safer, and to a certain extent man-in-the-middle attacks are prevented.

• Authentication

IKEv2 performs authentication using pre-shared keys and digital signatures. The authentication is two-way: the negotiation parties authenticate each other. In addition, the authentication is symmetrical: the negotiation parties use the same mechanism and method to authenticate each other. Two-way authentication can effectively defend against man-in-the-middle attacks. Meanwhile, IKEv2 defines extended authentication, in which the negotiation parties authenticate each other through the method described in EAP. Extended authentication supports asymmetrical two-way authentication, further improving the flexibility of authentication and the extensibility of negotiations.

• Message exchange

IKEv2 reduces the six messages of IKE main mode to four and sends the SA payload, KE payload, and nonce payload together, so the messages contain the nonce values. When an attacker returns the messages to their senders, the senders can decide whether the messages are genuine. This can prevent replay attacks to a certain extent. Each IKEv2 message header contains a message ID, which is used for matching the corresponding request and reply messages and for identifying replay attacks. When a request is sent or received, the message ID must increase in order. Moreover, except in the IKE_SA_INIT exchange, the message ID is protected through encryption and its integrity is protected to prevent replay. IKEv2 introduces a sliding window mechanism so that interactions can effectively resist replay attacks.
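Added example, not from the document: the key-material generation described under "Modes for generating key materials", with prf+ as specified in RFC 4306 section 2.13 and HMAC-SHA1 assumed as the prf; the nonces, SPIs and DH secret are constructed values, and the 24-byte encryption key length is an assumption (3DES) made for the demonstration.

```python
"""Added example, not from the Huawei document: IKEv2 key-material
generation as described in RFC 4306 sections 2.13 and 2.14.  One SKEYSEED is
derived from the nonces and the DH secret, and the separate keys for
integrity (SK_a*), encryption (SK_e*) and AUTH payloads (SK_p*) in each
direction are then cut one after another from the prf+ output stream."""
import hashlib
import hmac

PRF_LEN = 20   # output length of the assumed prf, HMAC-SHA1


def prf(key, data):
    """The negotiated pseudo-random function; HMAC-SHA1 is assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def prf_plus(key, seed, length):
    """prf+(K, S) = T1 | T2 | T3 ... where
    T1 = prf(K, S | 0x01), T2 = prf(K, T1 | S | 0x02), ... (RFC 4306 2.13)."""
    out, prev, counter = b"", b"", 1
    while len(out) < length:
        if counter > 255:
            raise ValueError("prf+ cannot produce more than 255 blocks")
        prev = prf(key, prev + seed + bytes([counter]))
        out += prev
        counter += 1
    return out[:length]


def derive_ikev2_keys(ni, nr, g_ir, spi_i, spi_r, enc_key_len=24):
    """Return the seven IKE SA keys in the order RFC 4306 cuts them.
    enc_key_len=24 assumes 3DES for SK_e; the prf-sized keys
    (SK_d, SK_a*, SK_p*) are 20 bytes for HMAC-SHA1."""
    skeyseed = prf(ni + nr, g_ir)                     # SKEYSEED = prf(Ni | Nr, g^ir)
    layout = [("SK_d", PRF_LEN), ("SK_ai", PRF_LEN), ("SK_ar", PRF_LEN),
              ("SK_ei", enc_key_len), ("SK_er", enc_key_len),
              ("SK_pi", PRF_LEN), ("SK_pr", PRF_LEN)]
    # {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr}
    #     = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr)
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r,
                      sum(size for _, size in layout))
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = stream[pos:pos + size]
        pos += size
    return keys


# Constructed sample values (a real exchange uses random nonces, the 8-byte
# SPIs from the IKE header and the Diffie-Hellman shared secret g^ir).
NI = bytes(range(16))
NR = bytes(range(16, 32))
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes.fromhex("1112131415161718")
G_IR = hashlib.sha256(b"constructed DH shared secret").digest()


def demo():
    """Derive the keys for the constructed exchange, hex-encoded by name."""
    keys = derive_ikev2_keys(NI, NR, G_IR, SPI_I, SPI_R)
    return {name: key.hex() for name, key in keys.items()}
```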

Defense against DoS attacks

In IKEv2, the mechanisms and methods for defending against DoS attacks are as follows:

• SPI value

In the header of an IKEv2 message, there are the initiator SPI (SPIi) and the responder SPI (SPIr). The SPIi and SPIr are random 8-byte values generated by the kernel to identify the SA and the pair of nodes exchanging messages. Only one of the requests with the same SPI value is processed, excluding retransmitted messages; the other requests are discarded as duplicate data. This mechanism can prevent DoS attacks to a certain extent.

• Interactions with cookies

IKEv2 defends against DoS attacks through auxiliary exchanges in which the Notify payload carries cookies. During communication, when the responder deems that it is suffering from a DoS attack, it can request a stateless cookie from the initiator. When the responder receives the first message from the initiator, it does not perform the IKE_SA_INIT exchange immediately. Instead, it generates a new cookie, encapsulates it in a Notify payload, and sends it to the initiator. If the initiator is not an attacker, it receives this message and then resumes the negotiation: it encapsulates the cookie from the responder into its message and keeps the other contents of the payload unchanged.

• Retransmission convention

All messages of IKEv2 come in pairs. In each pair of messages, the initiator is responsible for retransmission. The responder does not retransmit the response message unless it receives a retransmitted request from the initiator. In this way, the two parties do not both initiate retransmission, and resources are not wasted. In addition, attackers cannot capture the messages and send retransmissions repeatedly to exhaust the resources of the negotiating parties.

• Discarding half-open connections

When using IKEv2, a negotiation party decides whether the other party has expired in two ways. One way is to repeatedly try to contact the other party until the response times out. The other way is to receive encrypted Initial Contact notifications for different IKE SAs from the other party. The initiator allows multiple responders to respond to the first message and in turn responds to all the responders, regarding them as legal. After sending some messages, once the initiator receives a valid encrypted response message, it ignores all the other response messages and discards all the other invalid half-open connections. In this way, DoS attacks are avoided at the beginning of the negotiation.
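Added example (not the document's or the product's code) of the stateless cookie exchange described under "Interactions with cookies": the responder derives the cookie from the initiator's nonce, address and SPI plus a rotating secret, as RFC 4306 section 2.6 suggests; HMAC-SHA256 as the hash, the 16-byte truncation, and the message field names are this example's assumptions.

```python
"""Added example, not the document's or the product's code: the IKEv2
stateless cookie exchange used against DoS (RFC 4306 section 2.6).  A
responder under load answers the first IKE_SA_INIT with a cookie that is a
keyed hash of the initiator's nonce, address and SPI; it keeps no state, and
only a peer that really received the cookie can come back with it."""
import hashlib
import hmac
import os

COOKIE_LEN = 16   # bytes of hash kept; an assumption of this example


class CookieResponder:
    """Holds the current and previous secret so that cookies issued just
    before a rotation are still accepted once (RFC 4306 suggests periodic
    secret rotation)."""

    def __init__(self, secret=None):
        self.version = 1
        self.secrets = {1: secret or os.urandom(32)}

    def _hash(self, version, ni, ip_i, spi_i):
        # Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>);
        # HMAC-SHA256 is the hash assumed here.
        mac = hmac.new(self.secrets[version], ni + ip_i + spi_i, hashlib.sha256)
        return mac.digest()[:COOKIE_LEN]

    def make_cookie(self, ni, ip_i, spi_i):
        return bytes([self.version]) + self._hash(self.version, ni, ip_i, spi_i)

    def rotate_secret(self):
        self.version += 1
        self.secrets[self.version] = os.urandom(32)
        for old in [v for v in self.secrets if v < self.version - 1]:
            del self.secrets[old]

    def check_cookie(self, cookie, ni, ip_i, spi_i):
        if len(cookie) != 1 + COOKIE_LEN or cookie[0] not in self.secrets:
            return False
        expected = self._hash(cookie[0], ni, ip_i, spi_i)
        return hmac.compare_digest(expected, cookie[1:])


def handle_ike_sa_init(responder, msg, under_attack):
    """msg is the first IKE_SA_INIT request as a dict holding the fields the
    cookie is bound to ('ni', 'ip_i', 'spi_i') and an optional 'cookie'.
    Returns ('COOKIE', cookie) when the initiator must retry with the cookie,
    or ('IKE_SA_INIT_RESPONSE', None) when the negotiation proceeds."""
    if under_attack:
        cookie = msg.get("cookie")
        if cookie is None or not responder.check_cookie(
                cookie, msg["ni"], msg["ip_i"], msg["spi_i"]):
            return ("COOKIE",
                    responder.make_cookie(msg["ni"], msg["ip_i"], msg["spi_i"]))
    return ("IKE_SA_INIT_RESPONSE", None)


# Constructed sample initiator values
INIT_MSG = {"ni": bytes(range(16)), "ip_i": bytes([192, 0, 2, 10]),
            "spi_i": bytes.fromhex("0102030405060708")}


def demo():
    """Return the responder's verdicts for one well-behaved initiator and one
    forged cookie while the responder believes it is under attack."""
    r = CookieResponder()
    verdicts = []
    kind, cookie = handle_ike_sa_init(r, INIT_MSG, under_attack=True)
    verdicts.append(kind)                                        # 'COOKIE'
    retry = dict(INIT_MSG, cookie=cookie)
    verdicts.append(handle_ike_sa_init(r, retry, True)[0])       # proceeds
    forged = dict(INIT_MSG, cookie=bytes([cookie[0]]) + bytes(COOKIE_LEN))
    verdicts.append(handle_ike_sa_init(r, forged, True)[0])      # 'COOKIE' again
    return verdicts
```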

Perfect forward secrecy (PFS)

PFS allows an individual key to decrypt only the data protected by it. Therefore, even if the attacker obtains one key, it can only decrypt the data protected by that key.

The key materials used to generate keys for the initial IKEv2 exchange are not used to generate keys for the IPSec SAs. Instead, new key materials are generated by including KE payloads in the CREATE_IPsec_SA exchange.

5.3.6 IKEv2 and EAP Authentication


The Extensible Authentication Protocol (EAP) is an authentication protocol that supports multiple authentication methods. The biggest advantage of EAP is its extensibility. New authentication modes can be added like components without changing the original authentication system. EAP authentication can conveniently adopt the existing authentication mechanism of the system.

IKEv2 supports third-party EAP authentication of the negotiation initiator. The responder determines whether EAP authentication is necessary according to whether the Authentication (AUTH) payload exists in the message from the initiator.

If the message from the initiator does not contain the AUTH payload, the initiator is requesting EAP authentication. The response message from the responder specifies the EAP authentication method that the responder allows. The next request message from the initiator carries the authentication information for that EAP authentication method. After receiving the message, the responder forwards it to the third-party EAP authentication server, which performs the authentication according to RFC 3748. Then, the responder sends a response message to notify the initiator of the success or failure of the authentication.

During the process, the responder does not need to know the specific authentication method and process. Instead, it functions as a relay between the initiator and the EAP authentication server. The initiator and the EAP authentication server carry out the entire process, and the responder only needs the authentication result. In this way, many authentication methods can be supported. Many complex authentication algorithms are involved, but the software complexity of the responder is not increased.

5.3.7 NAT Traversal of IPSec

NAT Traversal

One of the main applications of IPSec is to set up VPNs. In actual networking applications, there is one scenario where IPSec VPN deployment may be hindered. When the initiator resides on a private network and wishes to directly create an IPSec tunnel to the remote responder, the creation inevitably requires the cooperation of IPSec and NAT. The main problem lies in how IKE can discover the existence of a NAT gateway between the two endpoints during the negotiation and how IKE can make ESP packets traverse the NAT gateway normally.

At first, the two endpoints of the desired IPSec tunnel need to negotiate their NAT traversal capabilities. The negotiation is implemented with the first two messages of the IKE negotiation. The Vendor ID payload carries a group of data that identifies the negotiation. The definitions of the payload data vary with the draft versions.

IKE depends on the NAT-D payload to discover the NAT gateway.

The payload is used for two purposes:

• To discover the NAT gateway between the IKE peers

• To determine on which side of the peers the NAT device resides

The peer on the NAT side, as the initiator, needs to periodically send NAT-Keepalive packets to help the NAT gateway keep the security tunnel in the active state.
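Added example (not part of the document) of the NAT-D discovery the text describes, using the NAT-D hash defined in RFC 3947, HASH(CKY-I | CKY-R | IP | Port), with SHA-1 assumed as the negotiated hash; all cookies, addresses and ports are constructed.

```python
"""Added example, not from the Huawei document: how the NAT-D payloads let
IKE peers discover a NAT between them and tell which side it is on, using
the NAT-D hash of RFC 3947: HASH(CKY-I | CKY-R | IP | Port).  SHA-1 is
assumed as the negotiated hash; cookies, addresses and ports are constructed."""
import hashlib
import ipaddress
import struct


def natd_hash(cky_i, cky_r, ip, port):
    """NAT-D payload content for one address/port pair."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def build_natd_payloads(cky_i, cky_r, remote_ip, remote_port, local_ips, local_port):
    """Sender side (RFC 3947 section 4): the first NAT-D covers the remote
    (destination) address, then one NAT-D per local address."""
    payloads = [natd_hash(cky_i, cky_r, remote_ip, remote_port)]
    payloads += [natd_hash(cky_i, cky_r, ip, local_port) for ip in local_ips]
    return payloads


def detect_nat(cky_i, cky_r, natd_payloads, src_ip, src_port, dst_ip, dst_port):
    """Receiver side.  src/dst are the addresses actually seen on the wire.
    Returns (nat_in_front_of_me, nat_in_front_of_peer)."""
    # The peer hashed what it believes my address is; a mismatch with the
    # address I really received on means something rewrote my address.
    me_behind_nat = natd_payloads[0] != natd_hash(cky_i, cky_r, dst_ip, dst_port)
    # The peer hashed its own pre-NAT address(es); if none equals the packet's
    # actual source, a NAT rewrote the peer's address.
    seen_src = natd_hash(cky_i, cky_r, src_ip, src_port)
    peer_behind_nat = seen_src not in natd_payloads[1:]
    return me_behind_nat, peer_behind_nat


def keepalive_needed(me_behind_nat):
    """As the text states, the peer on the NAT side sends NAT-Keepalive
    packets so the NAT gateway keeps the mapping alive."""
    return me_behind_nat


# Constructed topology: initiator 192.168.1.10:500 behind a NAT that rewrites
# it to 203.0.113.5:40500; responder at 198.51.100.1:500.
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("1112131415161718")


def demo():
    """Responder's view: (responder behind NAT, initiator behind NAT)."""
    payloads = build_natd_payloads(CKY_I, CKY_R, "198.51.100.1", 500,
                                   ["192.168.1.10"], 500)
    # What the responder actually sees after the NAT rewrote the source.
    return detect_nat(CKY_I, CKY_R, payloads,
                      "203.0.113.5", 40500, "198.51.100.1", 500)
```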

IPSec Traversing a NAT Gateway

NAT traversal of IPSec adds a standard UDP header between the IP and ESP headers of the original packet (AH mode is not considered). In this case, when an ESP packet traverses the NAT gateway, NAT translates the address and port number of the outer IP header of the packet and of the added UDP header. When the translated packet reaches the peer end of the IPSec tunnel, it is processed in the same way as common IPSec. However, a UDP header also needs to be added between the IP and ESP headers when the response packet is sent.

5.3.8 Realizing IPSec on the Eudemon

Realizing IPSec on the Eudemon

The Eudemon realizes the functions and mechanisms mentioned in the preceding sections.

The following describes the realization roadmap:

• Through IPSec, data streams between peers (here, the Eudemon and its peer) can receive data stream-specific protection by means of authentication, encryption, or both. Data streams are differentiated based on ACLs. The security protection elements are defined in the IPSec proposal, including:

– Security protocol

– Authentication algorithm

– Encryption algorithm

– Encapsulation mode

The following are defined in the IPSec policy:

– Association between data streams and the IPSec proposal (namely, applying a certain protection to a certain data stream)

– SA negotiation mode

– Peer IP address settings (that is, the start/end IP addresses of the protection path)

– Required key

– Life duration of the SA

• IPSec policies are applied on Eudemon interfaces.

The procedure is as follows:

1. Define the data streams to be protected.

A data stream is a collection of traffic specified by:

• Source address/mask

• Destination address/mask

• Protocol number over IP

• Source port number

• Destination port number

An ACL rule defines a data stream. Namely, traffic that matches an ACL rule is logically a data stream. A data stream can be a single TCP connection between two hosts or all traffic between two subnets. IPSec can apply different security protection to different data streams. So the first step in IPSec configuration is to define data streams.

2. Define an IPSec proposal.

An IPSec proposal defines the following for the data stream to be protected:

• Security protocol

• Authentication or encryption algorithm

• Encapsulation mode (namely, the packet encapsulation mode)

AH and ESP supported by the Eudemon can be used either separately or jointly. AH supports the MD5 and SHA-1 authentication algorithms. ESP supports the MD5 and SHA-1 authentication algorithms as well as the DES, 3DES, and AES encryption algorithms. For a given data stream, the peers must be configured with the same protocol, algorithm, and encapsulation mode. Moreover, if IPSec is applied between two firewalls (for example, between Eudemons), tunnel mode is recommended so as to hide the real source and destination addresses. Therefore, you need to define an IPSec proposal based on requirements so that you can associate it with data streams.

3. Define an IPSec policy or IPSec policy group.

An IPSec policy defines the IPSec proposal adopted by a data stream. An IPSec policy is uniquely identified by a name and a sequence number. There are two types of security policies:

• Manual IPSec policies

• IKE negotiation IPSec policies

For manual IPSec policies, you need to manually set parameters such as the key, SPI, and SA life duration. If tunnel mode is configured, you need to manually set the IP addresses of the two endpoints of the security tunnel. For IKE negotiation IPSec policies, these parameters are generated by IKE auto-negotiation. An IPSec policy group is a collection of IPSec policies with the same name but different sequence numbers. In an IPSec policy group, the smaller the sequence number, the higher the priority.

4. Apply IPSec policies on an interface.

When you apply an IPSec policy group on an interface, all the security policies in the IPSec policy group are applied on the interface. Different data streams passing through the interface are protected with their respective security policies.

Realizing IKE on the Eudemon

The Eudemon supports the two modes of IKE, main mode and aggressive mode. Since the Eudemon realizes IKE based on RFC 2408 and RFC 2409, the Eudemon can interwork with the devices of most mainstream manufacturers.

To realize NAT traversal for IPSec on the Eudemon, you need to adopt main mode or aggressive mode at stage 1 of the IKE negotiation. In this case, the peer ID type is the name or IP address of the peer. In addition, you need to configure ESP and encapsulate packets in tunnel mode.

On the Eudemon, IKE is realized as follows:

1. Set the local ID used in the IKE exchange.

2. Specify a series of attributes for the IKE peer, including the IKE negotiation mode, pre-shared key, peer address or peer ID, and NAT traversal, to ensure the IKE negotiation.

3. Create an IKE proposal to determine the algorithm strength during the IKE exchange, namely, the security protection strength, including the ID authentication method, encryption algorithm, authentication algorithm, and DH group. Strength varies with algorithm. The higher the strength of the algorithm, the harder it is to decrypt the protected data. An algorithm with higher strength consumes more computing resources. In general, the longer the key is, the higher the algorithm strength.

Besides the preceding basic steps, IKE has a keepalive mechanism, which determines whether the peer can still communicate normally. Two parameters are configured for the keepalive mechanism: interval and timeout. When IPSec NAT traversal is configured, you can set the time interval at which NAT updating packets are sent.

After the preceding IKE configuration, you need to reference the IKE peer in the IPSec policy view to complete the IPSec auto-negotiation configuration.

5.4 GRE

5.4.1 GRE Overview

5.4.2 Implementation of GRE

5.4.3 GRE Application

5.4.1 GRE Overview

Generic Routing Encapsulation (GRE) is a Layer 3 tunnel protocol of the VPN. A tunnel is a technique used between protocol layers; it is a virtual point-to-point connection. In practice, it is a virtual interface that supports only point-to-point connections. Packets are transmitted through this interface and are encapsulated and decapsulated at the two ends of the tunnel.

5.4.2 Implementation of GRE

Take the network in Figure 5-11 as an example to describe the two processes, encapsulation and decapsulation.

Figure 5-11 IP network interconnection through the GRE tunnel

(Figure 5-11 shows IP group 1 behind EudemonA and IP group 2 behind EudemonB, connected across the Internet by a tunnel between the two Eudemons.)

Encapsulation

Eudemon A connects to the interface of IP group 1 and receives an IP packet. The IP packet is then sent to the IP module. The IP module checks the destination address field in the IP header and decides the route. If the destination address is the virtual network number of the tunnel, the packet is sent to the tunnel port. The packet is encapsulated at the tunnel port and sent back to the IP module. The IP packet header is encapsulated, and the packet is sent to a network interface based on the destination address and the routing table.

Decapsulation

Decapsulation is the reverse of encapsulation. Eudemon B receives the IP packet from the tunnel port. If the destination address of the packet is Eudemon B, the IP header of the packet is decapsulated and the packet is sent to the GRE module. The GRE module checks the key, verifies the checksum, checks the sequence number of the packet, and then decapsulates the GRE header. The packet is sent to the IP module, which handles it in the common way.

The packet to be encapsulated and routed is called the payload. The payload is encapsulated into a GRE packet and then into an IP packet, so that it can be forwarded at the network layer. The routing protocol that forwards the packet is called the Delivery Protocol or Transport Protocol.

Figure 5-12 shows the format of the encapsulated packet.

Figure 5-12 Format of the encapsulated packet

- Delivery Header (Transport Protocol)

- GRE Header (Encapsulation Protocol)

- Payload Packet (Passenger Protocol)

For example, Figure 5-13 shows an IP packet transported in the tunnel.

Figure 5-13 IP packet transported in the tunnel (figure: IP header as Transport Protocol, GRE header as Encapsulation Protocol, IP packet as Passenger Protocol)
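The encapsulation and decapsulation steps and the Figure 5-12 layout, as an added worked example in Python (not code from the Eudemon documentation): it builds delivery header + GRE header + passenger packet with the key, sequence number and checksum fields, and the receiving side performs the key, checksum and sequence checks described above. It assumes the RFC 2784/2890 GRE header layout; all addresses and the payload are constructed.

```python
import struct
from ipaddress import IPv4Address

# GRE header flag bits (RFC 2784/2890): C = checksum present, K = key present, S = sequence present
GRE_FLAG_C = 0x8000
GRE_FLAG_K = 0x2000
GRE_FLAG_S = 0x1000
ETHERTYPE_IPV4 = 0x0800   # passenger protocol type carried in the GRE header
IPPROTO_GRE = 47          # protocol number of GRE in the delivery IP header


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum used by the IP header and by the GRE C bit."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def gre_encapsulate(payload: bytes, tunnel_src: str, tunnel_dst: str, key: int, seq: int) -> bytes:
    """Encapsulation: delivery IP header + GRE header (C, K and S set) + passenger packet."""
    flags = GRE_FLAG_C | GRE_FLAG_K | GRE_FLAG_S
    # the GRE checksum covers the GRE header and the payload, computed with the field zeroed
    gre_zeroed = struct.pack("!HHHHII", flags, ETHERTYPE_IPV4, 0, 0, key, seq)
    csum = inet_checksum(gre_zeroed + payload)
    gre = struct.pack("!HHHHII", flags, ETHERTYPE_IPV4, csum, 0, key, seq)
    outer = ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre) + len(payload))
    return outer + gre + payload


class GreDecapError(Exception):
    """Raised when a packet fails one of the decapsulation checks."""


def gre_decapsulate(packet: bytes, local_addr: str, expected_key: int, last_seq: int):
    """Decapsulation: check the delivery header, then checksum, key and sequence number,
    then strip the headers. Returns (passenger packet, sequence number accepted)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE or str(IPv4Address(packet[16:20])) != local_addr:
        raise GreDecapError("not a GRE packet addressed to this tunnel endpoint")
    gre = packet[ihl:]
    flags, ptype = struct.unpack("!HH", gre[:4])
    offset = 4
    if flags & GRE_FLAG_C:
        csum = struct.unpack("!H", gre[4:6])[0]
        # recompute over header + payload with the checksum field zeroed
        if inet_checksum(gre[:4] + b"\x00\x00" + gre[6:]) != csum:
            raise GreDecapError("GRE checksum mismatch")
        offset += 4
    key = None
    if flags & GRE_FLAG_K:
        key = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    if key != expected_key:
        raise GreDecapError("GRE key mismatch")
    seq = last_seq
    if flags & GRE_FLAG_S:
        seq = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
        if seq <= last_seq:
            raise GreDecapError("GRE sequence number not increasing (replay or reordering)")
    if ptype != ETHERTYPE_IPV4:
        raise GreDecapError("unsupported passenger protocol 0x%04x" % ptype)
    return gre[offset:], seq


if __name__ == "__main__":
    # constructed example: a UDP packet from IP group 1 to IP group 2 carried by the tunnel between the Eudemons
    inner = ipv4_header("10.1.1.2", "10.2.2.3", 17, 4) + b"data"
    outer = gre_encapsulate(inner, "198.51.100.1", "203.0.113.1", key=0x1234, seq=7)
    print("encapsulated length %d, passenger recovered: %s"
          % (len(outer), gre_decapsulate(outer, "203.0.113.1", 0x1234, 6)[0] == inner))
```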

5.4.3 GRE Application


Network Enlargement

Figure 5-14 Network enlargement (figure: two PCs connected through two Eudemons joined by a tunnel)

As shown in Figure 5-14, when the number of hops exceeds 15, the two terminals cannot communicate with each other. The tunnel hides some of the hops, which enlarges the network and restores the communication.

Inconsistent Subnet Connection

Figure 5-15 Inconsistent subnet connection (figure: IP group 1 and IP group 2, each behind a Eudemon, connected through a tunnel over a VLAN)

As shown in Figure 5-15, group 1 and group 2 are IP subnets in different cities. The tunnel connects group 1 and group 2 and builds the VPN.


GRE-IPSec Tunnel

Figure 5-16 GRE-IPSec tunnel (figure: a GRE tunnel carried inside an IPSec tunnel across an IP network, connecting the corporate intranet Eudemon and the remote office network Eudemon)

As shown in Figure 5-16, multicast data can be encapsulated in GRE packets and transmitted in the GRE tunnel. According to the protocol, IPSec encrypts and protects only unicast data. To transmit multicast data such as routing protocol, voice, and video traffic, set up a GRE tunnel and encapsulate the multicast data in GRE packets. IPSec then encrypts the GRE packets, so that they can be transmitted in the IPSec tunnel.

The user can choose to set a key on the GRE tunnel interface, so that the encapsulated packets are checked end to end.

Encapsulation and decapsulation, and the data increase due to the encapsulation, may reduce the forwarding efficiency of the Eudemon.


6 Network Interconnection

About This Chapter

6.1 VLAN

6.2 PPP

6.3 PPPoE

6.4 DHCP Overview

6.5 Static Route Overview

6.6 RIP

6.7 OSPF

6.8 BGP

6.9 Introduction to Policy-Based Routing

6.10 Routing Policy Overview

6.11 Load Balancing

6.12 Introduction to QoS

6.13 GPON Line

This topic describes the principles and security mechanism of the GPON line that is used for the upstream transmission of the SRG.

6.14 Introduction to Voice Services

In line with the three-in-one trend of data, voice, and video service integration, the SRG functions as the enterprise gateway in the FTTO deployment model, not only to provide broadband services (including data, live video, and VOD services) but also to provide end users with high-quality voice service through the built-in voice module directly over twisted pairs.


6.1 VLAN

6.1.1 Introduction

6.1.2 Advantages of VLAN

6.1.1 Introduction

Potential Problems in LAN Interconnection

Ethernet is a data network communication technology based on the shared communication medium of Carrier Sense Multiple Access with Collision Detection (CSMA/CD). Under CSMA/CD, each node uses the shared medium to send frames in turn. Thus, at any moment, only one host can send frames while the other hosts can only receive frames.

When many hosts are connected to a hub through twisted pairs (star topology), or connected by coaxial cables (bus topology), all the hosts interconnected by the shared physical medium form one physical collision domain, which is usually regarded as a LAN segment. According to the Ethernet principles above, the problems of using hubs to interconnect LANs are:

- Severe collisions

- Flooding of broadcasts

- Performance reduction

- Unavailability of the network

The above problems can be solved by using a transparent bridge or a LAN switch to interconnect the LANs.

Although the switch solves the problem of severe collisions caused by using hubs, it still cannot separate broadcasts. In fact, all the hosts (possibly including many switches) interconnected by switches are in one broadcast domain. For broadcast packets with the all-ones address (0xffffffffffff) as their destination MAC address, such as ARP request packets, the switch forwards them to all ports. In this case, a broadcast storm can be caused and the performance of the entire network degrades.

VLAN Principle and Division

LAN interconnection by means of switches cannot restrict broadcasts. The technology of Virtual Local Area Network (VLAN) came into being to solve this problem.

With VLAN, one LAN is divided into several logical LANs (VLANs), each of which is a broadcast domain. Within a VLAN, the hosts can communicate with each other just as if they were in one LAN, but VLANs cannot interact with one another directly. Therefore, broadcast packets are restricted to one VLAN, as shown in Figure 6-1.


Figure 6-1 Example of VLAN (figure: VLAN A and VLAN B spanning two LAN switches, interconnected through a router)

The formation of a VLAN is not restricted by physical location, that is, one VLAN can be within one switch or across switches, or even across Layer 3 Ethernet devices such as routers or firewalls.

The VLAN can be classified based on the following aspects:

- Port

- MAC address

- Protocol type

- IP address mapping

- Multicast

- Policy

At present, VLANs are usually classified based on the port. In this manual, VLANs are all classified based on the port unless otherwise specified.

6.1.2 Advantages of VLAN

The advantages of using VLAN are listed as follows:

- It can restrict broadcast packets (broadcast storms), save bandwidth and thus improve network performance. The broadcast domain is restricted to one VLAN, and the switch cannot send frames directly from one VLAN to another unless it is a Layer 3 switch.

- It can enhance the security of the LAN. VLANs cannot communicate with one another directly, that is, the users in one VLAN cannot directly access those in other VLANs. They need the help of Layer 3 devices such as routers and Layer 3 switches to fulfill the access.

- It provides virtual workgroups. VLAN can be used to group users into different workgroups. When the workgroups change, the users need not change their physical locations.


On a switch, a common port can belong to only one VLAN, that is, it can identify and send only packets of the VLAN it belongs to. However, when a VLAN spans switches, the ports (links) between the switches must be able to identify and send packets of several VLANs at the same time. The same requirement exists between switches and routers that support VLAN.

A link of this type is called a trunk, which has two meanings:

- Relay: the VLAN packets are transparently transmitted to the interconnected switches or routers to extend the VLAN.

- Trunk: several VLANs run on such a link.

The common protocol used to implement trunking is IEEE 802.1Q (dot1q), a standard IEEE protocol. It identifies the VLAN by adding a 4-byte VLAN tag immediately after the source address field of the original Ethernet frame.
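The 4-byte 802.1Q tag and the way a port-based VLAN confines a broadcast, as an added Python example (not code from the manual): it inserts and parses the tag after the source MAC and models which access ports a switch floods a broadcast frame to. The frame contents and the port-to-VLAN mapping are constructed.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # TPID that marks a tagged frame
BROADCAST_MAC = b"\xff" * 6


def add_vlan_tag(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag right after the source MAC address (byte offset 12)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    tci = (priority << 13) | vlan_id           # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
    tag = struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return frame[:12] + tag + frame[12:]


def parse_frame(frame: bytes):
    """Return (dst, src, vlan_id or None, ethertype, payload) for a tagged or untagged frame."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        ethertype = struct.unpack("!H", frame[16:18])[0]
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]


def flood_ports(frame: bytes, ingress_port: str, access_vlan: dict) -> list:
    """Model of a port-based VLAN switch flooding a broadcast: the frame reaches only the other
    access ports of the same VLAN, so the broadcast domain is the VLAN, not the whole switch."""
    dst, _, vlan_id, _, _ = parse_frame(frame)
    if dst != BROADCAST_MAC:
        raise ValueError("not a broadcast frame")
    if vlan_id is None:                        # untagged: the ingress port's VLAN applies
        vlan_id = access_vlan[ingress_port]
    return sorted(p for p, v in access_vlan.items() if v == vlan_id and p != ingress_port)
```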

VLANs cannot interconnect directly, so routers or Layer 3 switches must be used to connect the VLANs and implement interconnection among them. Usually this is a Layer 3 (IP layer) interconnection.

6.2 PPP

6.2.1 Introduction

6.2.2 PPP Authentication

6.2.3 PPP Link Operation

6.2.1 Introduction

Point-to-Point Protocol (PPP) is a link layer protocol that transmits network layer packets over point-to-point (P2P) links. PPP is widely applied because it is easy to extend and supports user authentication and both synchronous and asynchronous communication.

PPP is located at the data link layer of both the Open Systems Interconnection (OSI) model and the TCP/IP protocol stack. PPP supports synchronous and asynchronous full-duplex links for transmitting data in a P2P manner.

PPP mainly consists of the following three protocols:

- The Link Control Protocol (LCP) suite: responsible for establishing, removing, and monitoring data links.

- The Network Control Protocol (NCP) suite: responsible for negotiating the format and type of packets transmitted over a data link.

- The PPP extended protocol suite: protocols such as PPPoE provide extended PPP functions. With the development of network technologies, network bandwidth is no longer a bottleneck, so the PPP extended protocol suite is rarely used nowadays. When talking about PPP, people often forget the PPP extended protocols.

In addition, PPP provides two authentication protocols: the Password Authentication Protocol (PAP) and the Challenge-Handshake Authentication Protocol (CHAP).


6.2.2 PPP Authentication

PAP Authentication Process

PAP is a two-way handshake authentication protocol. In PAP authentication, the password is sent in plain text. The authentication process is performed in the Establish phase.

After the Establish phase finishes, the user name and password of the authenticated are sent repeatedly to the authenticator until the authentication succeeds or the link is terminated.

PAP authentication is the optimal option when a plain-text password must be used, as in a simulated login on a remote host.

- The authenticated sends its local user name and password to the authenticator.

- The authenticator checks the user list for the user name and whether the password is correct, and then returns the corresponding response (permit or deny).

PAP is not a secure protocol. In PAP authentication, passwords are sent over the link in plain text. After a PPP link is established, the authenticated repeatedly sends the user name and password until the authentication finishes. Malicious attacks, therefore, cannot be avoided.

CHAP Authentication Process

The Challenge Handshake Authentication Protocol (CHAP) is a three-way handshake authentication protocol. In CHAP authentication, only the user name is transmitted over the network. Compared with PAP, CHAP features higher security because passwords are not transmitted.

The CHAP negotiation is completed before a link is set up. After a link is set up, CHAP authentication can be performed at any time through the CHAP negotiation packets.

After the Establish phase, the authenticator sends a Challenge packet to the authenticated. After applying the one-way hash algorithm, the authenticated returns the calculated value to the authenticator.

The authenticator compares the value it calculates itself through the hash algorithm with the value returned by the authenticated. If the two values match, the authentication succeeds. Otherwise, the authentication fails and the link is torn down.

CHAP authentication is divided into the following two modes:

- Unidirectional CHAP authentication: one end acts as the authenticator, while the other end acts as the authenticated.

- Bidirectional CHAP authentication: both ends act as both the authenticator and the authenticated.

Generally, unidirectional authentication is adopted.

Unidirectional CHAP authentication involves two situations: the authenticator is configured with a user name, and the authenticator is not configured with a user name. It is recommended to configure the authenticator with a user name, because authenticating the user name improves security.

- Authentication process in the case that the authenticator is configured with a user name

The authentication process in the case that the authenticator is configured with a user name is as follows:


– The authenticator sends a randomly generated Challenge packet and its host name to the authenticated.

– After receiving the packet, the authenticated searches its local user list for the password according to the user name of the authenticator. From the found password and the Challenge packet, the authenticated obtains a value calculated with the MD5 algorithm. The authenticated then sends its host name and the calculated value in a response packet to the authenticator.

– After receiving the response packet, the authenticator searches its local user list for the password of the authenticated according to the host name of the authenticated. After a successful search, the authenticator uses the Challenge packet and the password of the authenticated to calculate a value with the MD5 algorithm. The authenticator compares this value with the result in the received response packet and then returns the verification result (permit or deny).

- Authentication process in the case that the authenticator is not configured with a user name

If the authenticator is not configured with a user name, the authenticator sends the Challenge packet to the authenticated. Using the local password and the Challenge packet, the authenticated obtains a value through the MD5 algorithm. Then the authenticated sends its host name and the calculated value in a response packet to the authenticator. The remaining process is the same as that described previously.
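The PAP and CHAP exchanges above, as an added Python model (not the Eudemon implementation): it runs the three-way CHAP handshake for the case where the authenticator is configured with a user name, rejects a wrong password and a replayed response, and records what crosses the link so the plain-text exposure of PAP can be compared. It assumes the RFC 1994 MD5 input order (identifier, secret, challenge), which the page does not state; host names and passwords are constructed.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP value: MD5(Identifier || secret || Challenge). The field order is the RFC 1994 one
    (assumption); the page only says MD5 is computed over the password and the Challenge."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class Authenticator:
    """The end that issues the Challenge; configured with a host name and a local user list."""

    def __init__(self, host_name: str, user_list: dict):
        self.host_name = host_name
        self.user_list = user_list        # peer host name -> password
        self.identifier = 0
        self.outstanding = {}             # identifier -> challenge awaiting a response

    def challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)             # random, never reused
        self.outstanding[self.identifier] = chal
        return self.identifier, chal, self.host_name

    def verify(self, identifier: int, peer_name: str, value: bytes) -> bool:
        chal = self.outstanding.pop(identifier, None)   # single use: a replayed response finds no challenge
        password = self.user_list.get(peer_name)        # look up the peer's password by its host name
        if chal is None or password is None:
            return False
        return hmac.compare_digest(chap_response(identifier, password, chal), value)


class Authenticated:
    """The end that answers the Challenge with the password stored under the authenticator's name."""

    def __init__(self, host_name: str, user_list: dict):
        self.host_name = host_name
        self.user_list = user_list        # authenticator host name -> password

    def respond(self, identifier: int, challenge: bytes, authenticator_name: str):
        password = self.user_list[authenticator_name]
        return self.host_name, chap_response(identifier, password, challenge)


def run_chap(auth: Authenticator, peer: Authenticated):
    """Three-way handshake; returns (result, list of messages that crossed the link)."""
    wire = []
    ident, chal, auth_name = auth.challenge()
    wire.append(b"CHALLENGE:" + bytes([ident]) + chal + auth_name.encode())
    peer_name, value = peer.respond(ident, chal, auth_name)
    wire.append(b"RESPONSE:" + bytes([ident]) + value + peer_name.encode())
    ok = auth.verify(ident, peer_name, value)
    wire.append(b"SUCCESS" if ok else b"FAILURE")
    return ok, wire


def run_pap(user_list: dict, user_name: str, password: str):
    """Two-way handshake; the Authenticate-Request carries the password in plain text."""
    wire = [b"AUTH-REQ:" + user_name.encode() + b":" + password.encode()]
    ok = user_list.get(user_name) == password
    wire.append(b"AUTH-ACK" if ok else b"AUTH-NAK")
    return ok, wire


def password_on_wire(wire: list, password: str) -> bool:
    """What a passive observer of the link could learn: does any message contain the password itself?"""
    return any(password.encode() in msg for msg in wire)
```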

6.2.3 PPP Link Operation

PPP links can be set up only after a series of successful negotiations.

- LCP negotiation: besides establishing, closing, and monitoring PPP data links, LCP negotiates link layer parameters such as the maximum receive unit (MRU) and the authentication mode.

- NCP negotiation: NCP negotiates the formats and types of packets transmitted over the data link. IP addresses are also negotiated in the NCP negotiation.

To set up a P2P connection through PPP, the devices on the two ends must exchange LCP packets to set up the P2P link.

After the LCP configuration parameters are determined through negotiation, the two communicating devices choose the authentication mode according to the authentication parameters in the LCP Configure-Request packets.

By default, the devices on the two ends do not authenticate each other; they negotiate the NCP configuration parameters without any authentication. After all the negotiations, the two devices on the P2P link can transmit network-layer packets. At this point, the whole link is available.

If either end receives a packet that initiates an LCP or NCP close, if the carrier cannot be detected at the physical layer, or if the maintenance personnel close the link, the link is torn down and the PPP session is terminated. Typically, NCP does not need the capability of closing links. Therefore, the packet used to close a link is usually sent during the LCP negotiation or by the application program session.

Figure 6-2 shows the setup process of a PPP session and the status transition in the whole process.


Figure 6-2 Operation process of PPP (figure: state diagram of the Dead, Establish, Authenticate, Network and Terminate phases, with transitions labelled UP, OPENED, SUCCESS, FAIL, DOWN and CLOSED)

The PPP operation process is described as follows:

1. The Establish phase is the first phase in setting up a PPP link.

2. During the Establish phase, the LCP negotiation is performed. The negotiation involves options such as the working mode, which is either Single-link PPP (SP) or Multilink PPP (MP), the MRU, the authentication mode, the magic number, asynchronous character mapping and so on. After the LCP negotiation succeeds, the LCP status turns Opened, which indicates that the bottom layer is established.

3. If no authentication is configured, the communicating devices directly enter the NCP negotiation phase. If authentication is configured, the communicating devices enter the Authenticate phase and perform CHAP or PAP authentication.

4. If the authentication fails, the devices enter the Terminate phase and then remove the link. At this time, the LCP status turns Down. If the authentication succeeds, the devices enter the NCP negotiation phase. The LCP status remains Opened, while the NCP status turns from Initial to Starting.

5. The NCP negotiation includes the IPCP, MPLSCP, and OSICP negotiations. The IPCP negotiation mainly involves the negotiation of the IP addresses of the two ends. A network layer protocol is chosen and configured through the NCP negotiation. The network layer protocol can send packets over the PPP link only after its negotiation succeeds.

6. The PPP link remains in the normal state until an LCP or NCP frame aimed at closing the link is generated or some forcible interruption occurs, such as user intervention.

PPP undergoes the following phases during the configuration, maintenance, and termination ofa P2P link.

- Dead Phase

- Establish Phase

- Authenticate Phase

- Network Phase

- Terminate Phase

Dead Phase

The Dead phase is also called the unavailable phase of the physical layer. The setup of a PPP link begins with and terminates at the Dead phase.


After the communicating devices on both ends detect that a physical link is activated (generally, the carrier signal is detected on the link), the devices enter the Establish phase.

In the Establish phase, link parameters are set mainly by using LCP. The state machine of LCP changes according to different events. If a link is in the Dead phase, the status of the LCP state machine is Initial or Starting. After the link becomes available, the status of the LCP state machine changes.

After a link is torn down, the link returns to the Dead phase. In practice, this state lasts only a short time and serves only to detect the existence of the peer device.

Establish Phase

The Establish phase is the key and most complicated phase of PPP.

In this phase, packets used to configure the data link are transmitted. These configuration parameters do not include the parameters needed by the network layer protocol. After the packets are exchanged, the link between the communicating devices enters the next phase.

Depending on user configuration, the next phase can be either the Authenticate phase or the Network phase. The next phase is determined by the configurations of the devices at the two ends of the link, which are usually made by users.

In the Establish phase, the LCP state machine changes three times.

- When the link status is unavailable, the status of the LCP state machine is Initial or Starting. If the link is detected as available, the physical layer sends an Up event to the link layer. After receiving the event, the link layer changes the current status of the LCP state machine to Request-Sent. LCP then sends Configure-Request packets to configure the data link.

- If the local end receives a Configure-Ack packet from the peer end, the LCP state machine changes from the current state to the Ack-Received state. The peer end enters the Ack-Sent state.

- If the end in the Ack-Received state sends a Configure-Ack packet, or the end in the Ack-Sent state receives a Configure-Ack packet, the LCP state machine changes from the current state to the Opened state. After one of the two ends receives the Configure-Ack packet, the current status of the LCP state machine changes to Opened and the link enters the next phase.

The other end behaves in the same way. Note that the link configuration processes on the two ends are mutually independent. In the Establish phase, non-LCP packets are discarded after being received.

Authenticate Phase

Generally, authentication is performed before the devices on both ends enter the Network phase.

By default, PPP does not perform authentication. If authentication is necessary, you must specify the authentication protocol in the Establish phase.

PPP authentication is mainly used on the following two types of links:

- Links connected through a PPP server or dial-in access between hosts and routers, in most cases

- Private links, occasionally

PPP provides the following two authentication modes:


- Password Authentication Protocol (PAP)

- Challenge-Handshake Authentication Protocol (CHAP)

The authentication mode is determined by the outcome of the negotiation in the Establish phase. Link-quality detection is also performed in the Establish phase. According to the PPP protocol, the detection must not delay the authentication process indefinitely.

This phase supports only link control protocol, authentication protocol, and quality-detection packets. Packets of other types are discarded. If a device receives a Configure-Request packet in this phase, the link returns to the Establish state.

Network Phase

In the Network phase, network protocols such as IP, IPX, and AppleTalk are negotiated through the corresponding NCPs, which can be enabled and disabled during any phase. After an NCP state machine turns Opened, the PPP link can transmit network-layer packets.

If a device receives a Configure-Request packet in this phase, the communicating devices return to the Establish phase.

Terminate Phase

PPP can terminate links at any time. Besides the network administrator manually closing the link, carrier loss, authentication failure, or link-quality detection failure can lead to the end of a link. In the Establish phase, after the exchange of LCP Terminate frames, a link is torn down physically.

When a link is being established, LCP link-terminating packets may be exchanged to close the link. After the link is closed, the link layer informs the network layer of the corresponding operations, and the link is also forcibly closed through the physical layer. NCP cannot, and does not need to, close a PPP link.

6.3 PPPoE

6.3.1 Basic Principles of PPPoE

6.3.2 PPPoE Discovery Period

6.3.3 PPPoE Session Period

6.3.1 Basic Principles of PPPoE

Point-to-Point Protocol over Ethernet (PPPoE) describes the method of setting up PPPoE sessions and encapsulating PPP datagrams over Ethernet. These functions require a point-to-point (P2P) relation between the peers instead of the multi-point relationships available in Ethernet and other multi-access environments. PPPoE uses Ethernet to connect a large number of hosts. PPPoE allows a remote client to access the Internet and implements control and accounting functions over the access hosts. Being cost-effective, PPPoE is widely applied in applications such as community networks.

With this model, each host uses its own PPP stack and the user is presented with a familiar userinterface.


The access control, payment, and Type of Service (ToS) functions supported by PPPoE are based on individual users.

PPPoE is divided into two stages: Discovery stage and PPPoE Session stage.

To establish P2P connections on an Ethernet network, each PPPoE session must know the Ethernet MAC address of its counterpart, and a unique Session_ID must be given to the session. PPPoE uses a discovery protocol to find the Ethernet MAC address of the counterpart. When a host wants to initiate a PPPoE session, it must first perform Discovery to identify the Ethernet MAC address of the peer and set up a PPPoE Session_ID.

Although PPP defines a peer-to-peer relationship, Discovery is a client-server relationship. During address discovery, the host, as the client, discovers the MAC address of the Access Concentrator (AC), that is, the server.

Depending on the network topology, the host may be able to communicate with more than one AC. The Discovery stage allows the host to discover all ACs and then select one.

When the Discovery stage completes successfully, both the host and the selected AC have the information they need to set up a P2P connection over Ethernet.

The Discovery stage remains stateless until a PPPoE session is set up. Once a PPPoE session is set up, both the host and the AC that serves as the access server must allocate resources for a PPP virtual interface. After the PPPoE session is set up successfully, the host and the access server can communicate.

6.3.2 PPPoE Discovery Period

When a host accesses a server through PPPoE, it must identify the MAC address of the peer before setting up the PPPoE Session_ID. This is the function of the Discovery stage.

The Discovery stage consists of four steps. When the Discovery stage completes, both peers know the PPPoE Session_ID and the peer MAC address, which together define the unique PPPoE session.

The Discovery stage consists of the following four steps.

1. The host broadcasts a PPPoE Active Discovery Initial (PADI) packet within the local Ethernet. This packet contains the service information that the host needs.

Figure 6-3 Diagram of the host sending PADI packets in broadcast (figure: the PC broadcasts a PADI packet that reaches Server A, Server B and Server C)

2. After receiving this PADI packet, all the servers on the Ethernet compare the requested services with the services they can provide. Then, the servers that can provide the requested services send back PPPoE Active Discovery Offer (PADO) packets.


As shown in Figure 6-4, both Server A and Server B can provide the services, and send back PADO packets to the host.

Figure 6-4 Sending the PADO packet from the server (figure: Server A and Server B return PADO-A and PADO-B to the PC; Server C does not answer)

3. The host may receive more than one PADO packet from the servers. The host looks through the PADO packets and chooses a server (for example, the one that replies first). Then, the host sends a PPPoE Active Discovery Request (PADR) packet to that server. As shown in Figure 6-5, the host chooses Server A and sends a PADR packet to it.

Figure 6-5 Diagram of the host choosing a server and sending a PADR packet (figure: the PC sends a PADR packet to Server A only)

4. The server generates a unique session identifier to identify the PPPoE session with the host. Then, the server sends this session identifier to the host in a PPPoE Active Discovery Session-confirmation (PADS) packet. If no error occurs, both the server and the host enter the PPPoE Session stage. As shown in Figure 6-6, Server A sends a PADS packet to the host after receiving the PADR packet.

Figure 6-6 Diagram of the server sending a PADS packet to the host (figure: Server A returns a PADS packet to the PC)


After sending the PADS packet, the access server can enter the PPPoE Session stage. After receiving the PADS packet, the host can enter the PPPoE Session stage.

6.3.3 PPPoE Session Period

Once a PPPoE session begins, PPP packets, as the PPPoE payload, are encapsulated in Ethernet frames and sent to the peer. The session ID must be the ID determined in the Discovery stage, and the destination MAC address must be the MAC address of the peer. The PPP packets start with the protocol ID. In the Session stage, either the host or the server can send a PPPoE Active Discovery Terminate (PADT) packet to the peer to terminate the session.

All the Ethernet packets are unicast.

- The Ethernet_Type field is set to 0x8864.

- The PPPoE Code field must be set to 0x00.

- The Session_ID of a PPPoE session cannot be changed and must be the value specified in the Discovery stage.

- The PPPoE payload contains a PPP frame that begins with the PPP Protocol-ID.

After entering the PPPoE Session stage, either the host or the access server can send a PADT packet to notify the peer to end the PPPoE session.
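The Discovery steps and the Session-stage rules above, as an added Python model (not the manual's or the Eudemon's code): it builds PPPoE frames, walks PADI/PADO/PADR/PADS for a host facing several access concentrators, and checks a received Session-stage frame against the rules listed. The Discovery Ethernet type 0x8863 and the Discovery codes are the RFC 2516 values, which the page does not quote; MAC addresses, service names and the Session_ID allocator are constructed.

```python
import itertools
import struct

ETHERTYPE_PPPOE_DISCOVERY = 0x8863   # RFC 2516 value for the Discovery stage (not quoted on the page)
ETHERTYPE_PPPOE_SESSION = 0x8864     # Session stage, as stated above
PPPOE_VER_TYPE = 0x11                # version 1, type 1
CODE_PADI, CODE_PADO, CODE_PADR, CODE_PADS, CODE_PADT = 0x09, 0x07, 0x19, 0x65, 0xA7  # RFC 2516 codes
CODE_SESSION = 0x00
BROADCAST_MAC = b"\xff" * 6
_session_ids = itertools.count(1)    # constructed allocator standing in for the access server's own


def pppoe_frame(dst: bytes, src: bytes, ethertype: int, code: int, session_id: int, payload: bytes) -> bytes:
    """Ethernet header + 6-byte PPPoE header (ver/type, code, Session_ID, length) + payload."""
    header = struct.pack("!BBHH", PPPOE_VER_TYPE, code, session_id, len(payload))
    return dst + src + struct.pack("!H", ethertype) + header + payload


def parse_pppoe(frame: bytes) -> dict:
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    return {"dst": dst, "src": src, "ethertype": ethertype, "ver_type": ver_type,
            "code": code, "session_id": session_id, "payload": frame[20:20 + length]}


def discovery(host_mac: bytes, servers: dict, service: bytes):
    """The four Discovery steps. `servers` maps an AC's MAC to the set of services it offers
    (constructed model). Returns (chosen AC MAC, Session_ID), or None when nobody offers the service."""
    padi = pppoe_frame(BROADCAST_MAC, host_mac, ETHERTYPE_PPPOE_DISCOVERY, CODE_PADI, 0, service)  # step 1
    wanted = parse_pppoe(padi)["payload"]
    offers = [pppoe_frame(host_mac, mac, ETHERTYPE_PPPOE_DISCOVERY, CODE_PADO, 0, wanted)           # step 2
              for mac, offered in servers.items() if wanted in offered]
    if not offers:
        return None
    chosen = parse_pppoe(offers[0])["src"]      # step 3: take the first PADO received
    padr = pppoe_frame(chosen, host_mac, ETHERTYPE_PPPOE_DISCOVERY, CODE_PADR, 0, wanted)
    session_id = next(_session_ids)             # step 4: the AC allocates a unique Session_ID
    pads = pppoe_frame(parse_pppoe(padr)["src"], chosen, ETHERTYPE_PPPOE_DISCOVERY, CODE_PADS,
                       session_id, wanted)
    return chosen, parse_pppoe(pads)["session_id"]


def session_frame_errors(frame: bytes, session_id: int, peer_mac: bytes) -> list:
    """Apply the Session-stage rules above to a received frame; an empty list means accept."""
    f = parse_pppoe(frame)
    errors = []
    if f["dst"] == BROADCAST_MAC:
        errors.append("session frames must be unicast")
    if f["src"] != peer_mac:
        errors.append("source MAC is not the peer learned in Discovery")
    if f["ethertype"] != ETHERTYPE_PPPOE_SESSION:
        errors.append("Ethernet_Type is not 0x8864")
    if f["code"] != CODE_SESSION:
        errors.append("Code is not 0x00")
    if f["session_id"] != session_id:
        errors.append("Session_ID differs from the one set in Discovery")
    if len(f["payload"]) < 2:
        errors.append("payload does not begin with a PPP Protocol-ID")
    return errors
```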

6.4 DHCP Overview

6.4.1 DHCP Service

6.4.2 DHCP Relay

6.4.3 DHCP Client

6.4.1 DHCP Service

With the rapid growth in network scale and complexity, network configuration has become more difficult. Because computers change location and the number of hosts has exceeded the number of available IP addresses, the Dynamic Host Configuration Protocol (DHCP) was created.

DHCP works in the client-server model. With DHCP, a client can dynamically request configuration information from a DHCP server, including the assigned IP address, the subnet mask, the default gateway and so on. The DHCP server returns the corresponding configuration information to the DHCP client based on a configuration policy.

DHCP extends BOOTP in two aspects:

- DHCP can obtain all the configuration information that a host needs by sending only two messages.

- DHCP helps a computer obtain an IP address quickly and dynamically, instead of requiring an IP address to be specified manually for each host.


IP Address Assigned by DHCP

Different hosts need to occupy IP addresses for different periods.

For example:

l A server may need to occupy a fixed IP address for a long time.

l Some enterprise hosts may need to occupy a dynamically assigned IP address for a long time.

l Some clients may need only a temporary IP address.

The DHCP server supports the following address assignment methods:

l Manual

The administrator assigns fixed IP addresses to specific hosts, such as the Web server.

l Automatic

The server assigns long-term fixed IP addresses to some hosts when they connect to the network for the first time.

l Dynamic

The server assigns an IP address to a client on a lease basis. The client needs to request an IP address again when the lease expires. This method is the most widely used.

Distribution Sequence of IP Addresses

The DHCP server selects an IP address for a client in the following sequence:

l The IP address in the database of the DHCP server that is statically bound to the client's MAC address.

l The IP address previously assigned to the client, that is, the IP address carried in the Requested IP Address option of the DHCP Discover packet sent by the client.

l The first available IP address that the server finds when it searches the DHCP address pool.

If no IP address is available, the DHCP server searches the expired IP addresses and then the conflicting IP addresses in turn and assigns the first one found. Otherwise, it reports a fault.
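The selection order above, worked as an added Python example (illustrative code, not the Eudemon's DHCP implementation). Pool addresses, MAC addresses, and lease times are constructed sample values, and the method names `select` and `assign` are this example's own. Time is passed in explicitly so that the expired-lease branch can be exercised deterministically.

```python
from dataclasses import dataclass, field


@dataclass
class Lease:
    mac: str
    expires_at: float      # absolute time; the server may reclaim the address afterwards


@dataclass
class DhcpAddressPool:
    """Server-side address selection in the order the section lists.

    Constructed for illustration: addresses are plain strings, times are seconds."""
    addresses: list
    static_bindings: dict = field(default_factory=dict)   # client MAC -> fixed IP
    leases: dict = field(default_factory=dict)            # IP -> Lease
    conflicts: set = field(default_factory=set)           # IPs found in use by an unknown host

    def _is_free(self, ip):
        return (ip not in self.leases
                and ip not in self.conflicts
                and ip not in self.static_bindings.values())

    def select(self, client_mac, requested_ip=None, now=0.0):
        """Return (ip, reason) or (None, 'no-address-available')."""
        # 1. Static MAC-to-IP binding in the server database.
        if client_mac in self.static_bindings:
            return self.static_bindings[client_mac], "static-binding"
        # 2. The address named in the Requested IP Address option, provided it
        #    belongs to the pool and is free or was leased to this same client before.
        if requested_ip in self.addresses:
            lease = self.leases.get(requested_ip)
            if self._is_free(requested_ip) or (lease is not None and lease.mac == client_mac):
                return requested_ip, "requested-ip"
        # 3. First free address found when scanning the pool.
        for ip in self.addresses:
            if self._is_free(ip):
                return ip, "pool-scan"
        # 4. Nothing free: reclaim an address whose lease has expired.
        for ip in self.addresses:
            lease = self.leases.get(ip)
            if lease is not None and lease.expires_at <= now:
                return ip, "expired-lease"
        # 5. Then an address previously marked as conflicting.
        for ip in self.addresses:
            if ip in self.conflicts:
                return ip, "conflict-reclaimed"
        # 6. Otherwise the server reports a fault.
        return None, "no-address-available"

    def assign(self, client_mac, requested_ip=None, now=0.0, lease_seconds=3600):
        """Select an address and record the lease; returns the same (ip, reason) pair."""
        ip, reason = self.select(client_mac, requested_ip, now)
        if ip is not None and reason != "static-binding":
            self.conflicts.discard(ip)
            self.leases[ip] = Lease(client_mac, now + lease_seconds)
        return ip, reason
```

Step 2 also covers the re-login case described in 6.4.3: a client that asks for the address it held before gets it back even if its lease record still exists, because the record names the same MAC address.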

6.4.2 DHCP Relay

A DHCP client exchanges messages by broadcasting. Therefore, DHCP clients and servers can work only on the same subnet, not across different network segments, and deploying a DHCP server on every segment is not economical.

DHCP relay is introduced to solve this problem. It provides relay services between DHCP clients and servers on different network segments, relaying a DHCP packet to its destination DHCP server or client on a different network segment. In this way, multiple DHCP clients on a network can share one DHCP server, which not only saves cost but also facilitates centralized management. The schematic diagram of DHCP relay is shown in Figure 6-7.


Figure 6-7 DHCP relay (figure: DHCP clients on local network segments, a Eudemon acting as the DHCP relay, and a DHCP server on a remote network segment)

The working principle of DHCP relay is as follows:

l After the DHCP client starts up and begins to initialize DHCP, it broadcasts the configuration request packet on the local network.

l If there is a DHCP server on the local network, DHCP configuration can be completed without DHCP relay.

l If there is no DHCP server on the local network, the network device with DHCP relay that is connected to the local network receives and processes the broadcast packets and then forwards them to the specified DHCP servers on other networks.

l Based on the information offered by the client, the server sends configuration information to the client through the DHCP relay. The dynamic configuration of the client is then complete.

In fact, there may be more than one such interactive process from the beginning to the end of the configuration.

In essence, DHCP relay provides transparent transmission of DHCP broadcast packets; that is, it transparently sends the broadcast packets of the DHCP client (or DHCP server) to the DHCP server (or DHCP client) on other network segments.

In actual practice, the DHCP relay function is usually implemented on a specific interface of the Eudemon. To enable DHCP relay on an interface, you need to assign an IP relay address to the interface to specify the DHCP server.

6.4.3 DHCP Client

A typical DHCP application usually includes one DHCP server and multiple clients. The DHCP clients exchange different information with the server in different phases to obtain valid, dynamically assigned IP addresses. The following describes the common application scenarios in actual practice.

l DHCP Client Logging In to the Network for the First Time

l DHCP Client Logging In to the Network Again

l DHCP Client Prolongs the IP Address Lease Duration


DHCP Client Logging In to the Network for the First Time

When the DHCP client logs in to the network for the first time, it sets up a connection with the DHCP server in four phases:

l DHCP discovery: In this phase, the DHCP client looks for the DHCP server. When the client starts and changes to the initialization status, it broadcasts a DHCPDISCOVER packet to locate the DHCP server.

l DHCP offer: In this phase, the DHCP server provides an IP address. After the DHCP server receives the DHCPDISCOVER packet from the client, it extends an IP lease offer. The DHCP server selects an available (unassigned) IP address from the IP address pool and offers it to the client by sending a DHCPOFFER packet. The packet contains the leased IP address and other settings.

l DHCP request: In this phase, the DHCP client selects an IP address. If several DHCP servers send DHCPOFFER packets to the client, the client accepts only the first DHCPOFFER packet. The client then broadcasts a DHCPREQUEST packet to every DHCP server and changes to the request status. The DHCPREQUEST packet contains the IP address of the DHCP server that made the offer.

l DHCP acknowledgement: In this phase, the DHCP server confirms the IP address. After the DHCP server receives the DHCPREQUEST packet from the client, it sends a DHCPACK packet to the client. The packet includes the IP address and other settings. The DHCP client then binds the TCP/IP components to the network adapter and changes to the binding status.

Except for the server selected by the DHCP client, the other DHCP servers can still offer their unassigned IP addresses to other clients.

DHCP Client Logging In to the Network Again

When the DHCP client logs in to the network again, it sets up a connection with the DHCP server in the following phases:

l After the DHCP client has correctly logged in to the network for the first time, when it tries to log in again it changes to the restart and initialization status. In this status, the DHCP client needs only to broadcast a DHCPREQUEST packet directly, which contains the IP address obtained during the last login. After the DHCP client sends the DHCPREQUEST packet, it waits for the response of the DHCP server.

l After the DHCP server receives the DHCPREQUEST packet, if the IP address requested by the client is not assigned, the DHCP server sends a DHCPACK packet to the client, telling the DHCP client to continue using this IP address. After receiving the DHCPACK packet from the DHCP server, the client changes to the binding status.

l If this IP address can no longer be assigned to the DHCP client (for example, it is already assigned to another client), the DHCP server sends a DHCPNAK packet to the client. After receiving the DHCPNAK packet, the client changes to the initialization status. In this case, the client resends a DHCPDISCOVER packet to request a new IP address. The following procedure is the same as that during the first login.

DHCP Client Prolongs the IP Address Lease Duration

The DHCP server specifies a lease duration when assigning a dynamic IP address to a client. After the lease expires, the server reclaims the IP address. If the DHCP client needs to keep this IP address, it must renew the IP lease (that is, prolong the IP address lease duration).


After the DHCP client obtains an IP address and changes to the binding status, it sets three timers to control lease renewal, rebinding, and lease expiry. When the DHCP server assigns an IP address to a client, it specifies values for the timers. If the server does not set the timer values, the client uses the default settings. Table 6-1 shows the default settings of the timers.

Table 6-1 Default settings of the timers

Timer            Default Setting
Lease renewal    Half of the total lease duration
Rebinding        87.5% of the total lease duration
Lease expiry     Total lease duration

l When the Lease renewal timer expires, the DHCP client should renew the IP address. The DHCP client automatically sends a unicast DHCPREQUEST packet to the DHCP server that assigned the IP address, and then changes to the renewal status. If the IP address is still valid, the DHCP server responds with a DHCPACK packet, telling the client that the new IP lease is granted, and the client changes to the binding status again. If the server does not reply, the client keeps using the current IP address until 87.5% of the lease validity period has elapsed and then broadcasts packets to re-lease the IP address. If the client receives a DHCPNAK packet from the DHCP server, it changes to the initialization status.

l After the client sends a DHCPREQUEST packet to prolong the lease duration, it remains in the renewal status, waiting for a response from the server. If the client does not receive any response from the server before the Rebinding timer expires, the client assumes that the original DHCP server is inaccessible and then broadcasts a DHCPREQUEST packet. Any DHCP server on the network can respond to the request of the client and send a DHCPACK or DHCPNAK packet to the client. If the client receives a DHCPACK packet, it changes to the binding status and resets the Lease renewal and Rebinding timers. If all the packets received by the client are DHCPNAK packets, the client must stop using this IP address immediately and change to the initialization status to apply for a new IP address.

l If the client does not receive any response before the Lease expiry timer expires, it must stop using this IP address immediately and change to the initialization status to apply for a new IP address.
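The three timers and the renewal, rebinding, and expiry transitions described in this section, as an added Python state machine (illustrative code, not the Eudemon's DHCP client). The class and method names are this example's own; `tick(now)` evaluates the timers at a given time and returns the message the client has to send, and the sample addresses and lease lengths are constructed.

```python
class DhcpClientLease:
    """Client-side lease timers and states from the section above (constructed example)."""

    RENEWAL_FRACTION = 0.5      # Lease renewal timer default: half of the lease (Table 6-1)
    REBINDING_FRACTION = 0.875  # Rebinding timer default: 87.5% of the lease (Table 6-1)

    def __init__(self):
        self.state = "INIT"
        self.ip = None
        self.server = None
        self.renewal_at = self.rebinding_at = self.expiry_at = None

    @classmethod
    def default_timers(cls, lease_seconds, bound_at, renewal=None, rebinding=None):
        """Absolute deadlines: server-supplied timer values win, otherwise the defaults apply."""
        t1 = renewal if renewal is not None else lease_seconds * cls.RENEWAL_FRACTION
        t2 = rebinding if rebinding is not None else lease_seconds * cls.REBINDING_FRACTION
        return bound_at + t1, bound_at + t2, bound_at + lease_seconds

    def on_ack(self, ip, server, lease_seconds, now, renewal=None, rebinding=None):
        """DHCPACK received (first login, re-login, renewal or rebinding): bind and reset all timers."""
        self.state, self.ip, self.server = "BOUND", ip, server
        self.renewal_at, self.rebinding_at, self.expiry_at = self.default_timers(
            lease_seconds, now, renewal, rebinding)

    def on_nak(self):
        """DHCPNAK: stop using the address at once and start over with DHCPDISCOVER."""
        self.state, self.ip, self.server = "INIT", None, None
        self.renewal_at = self.rebinding_at = self.expiry_at = None
        return "broadcast DHCPDISCOVER"

    def tick(self, now):
        """Evaluate the timers at time `now`; return the message the client must send, if any."""
        if self.state == "INIT":
            return None
        if now >= self.expiry_at:
            # Lease expiry timer: the address must not be used any longer.
            self.on_nak()
            return "lease expired: broadcast DHCPDISCOVER"
        if now >= self.rebinding_at and self.state in ("BOUND", "RENEWING"):
            # Rebinding timer: the original server is assumed unreachable, ask any server.
            self.state = "REBINDING"
            return "broadcast DHCPREQUEST to any server"
        if now >= self.renewal_at and self.state == "BOUND":
            # Lease renewal timer: ask the server that granted the lease, by unicast.
            self.state = "RENEWING"
            return "unicast DHCPREQUEST to %s" % self.server
        return None
```

Whichever timer fires, a DHCPACK returns the client to the binding status with fresh deadlines, and a DHCPNAK or the expiry timer drops the address and restarts from DHCPDISCOVER, which is the behaviour the three bullets above describe.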

6.5 Static Route Overview

6.5.1 Static Route

6.5.2 Default Route

6.5.1 Static Route


In a simple network, you only need to configure static routes to make the router work normally.

Proper configuration and use of static routes can not only improve network performance but also guarantee bandwidth for important applications.

You can set up an interworking network by configuring static routes. The drawback of static routes is that once the network is faulty, static routes cannot change automatically; an administrator must intervene.

Composition of a Static Route

In the system view, you can use the ip route-static command to configure a static route. A static route includes the following elements:

l Destination Address and Mask

In the ip route-static command, the destination IP address is in dotted decimal format. The subnet mask can be in dotted decimal format or be represented by the mask length.

l Egress Interface and Next Hop Address

When configuring a static route, you can specify interface-type interface-number or nexthop-address according to the actual situation.

When specifying the transmission interface, note the following:

l For point-to-point interfaces, the next hop address is specified implicitly by the transmission interface: the address of the peer interface connected to this interface is the next hop address. For example, when an E1 link is encapsulated with PPP, the peer IP address is obtained through PPP negotiation. In this case, you only need to specify the transmission interface, not the next hop address.

l Non-Broadcast Multiple Access (NBMA) interfaces, such as ATM interfaces, support point-to-multipoint networks. Therefore, in actual application, you need to not only configure IP routing but also set up the secondary route at the link layer, that is, the mapping between the IP address and the link layer address. In this case, you need to configure the next hop IP address.

l When configuring a static route, if you specify a broadcast interface (an Ethernet interface, for example) as the transmission interface, you are advised to specify a next hop address as well. Because an Ethernet interface is a broadcast interface, many next hops may exist on it and a unique next hop cannot be determined from the interface alone. Therefore, if you have to specify a broadcast interface (such as an Ethernet interface) as the transmission interface, specify the next hop address at the same time.

Attributes of a Static Route

The static route has the following attributes:

l Reachable route

Normal routes belong to this type. IP packets are sent to the next hop according to the route determined by the destination IP address. Static routes are commonly used in this way.

l Unreachable route

When the static route to a certain destination IP address has the "reject" attribute, all IP packets to the destination IP address are discarded and the source host is notified that the destination IP address is unreachable.


l Blackhole route

When the static route to a certain destination IP address has the "blackhole" attribute, all IP packets to the destination IP address are discarded and the source host is not notified.

The "reject" and "blackhole" attributes are used to control the range of destination IP addresses reachable through the router and to help analyze network faults.

6.5.2 Default Route

In short, a default route is a route used only when no other routing table entry matches. That is, the default route is used only when no more specific route is found.

In a routing table, the default route is the route to the network 0.0.0.0 (with the mask 0.0.0.0). Using the display ip routing-table command, you can check whether the default route is configured. If the destination address of a packet does not match any entry in the routing table other than the default route, the router selects the default route to forward this packet. If there is no default route and the destination address of the packet does not match any entry in the routing table, the packet is discarded. An Internet Control Message Protocol (ICMP) packet is then sent to inform the source host that the destination host or network is unreachable.
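An added example (not the Eudemon software) of how a static routing table applies longest-prefix matching together with the reachable, reject, and blackhole attributes and the 0.0.0.0/0 default route described above. The interface names are constructed, and the rule that interface names starting with `Ethernet` or `GigabitEthernet` count as broadcast media is this example's assumption, mirroring the advice in 6.5.1 to specify a next hop on broadcast interfaces.

```python
import ipaddress

# Interface name prefixes treated as broadcast media in this example (an assumption
# of the example, not a naming rule taken from the document).
BROADCAST_INTERFACE_PREFIXES = ("Ethernet", "GigabitEthernet")


class StaticRouteTable:
    """Longest-prefix-match lookup with the reachable, reject and blackhole
    attributes and the 0.0.0.0/0 default route described above (constructed example)."""

    def __init__(self):
        self.routes = []   # (network, nexthop, interface, attribute)

    def add(self, prefix, nexthop=None, interface=None, attribute="reachable"):
        """Roughly what `ip route-static <dest> <mask> [interface] [nexthop] [reject|blackhole]` records."""
        if attribute not in ("reachable", "reject", "blackhole"):
            raise ValueError("unknown attribute %r" % attribute)
        network = ipaddress.ip_network(prefix, strict=True)
        if attribute == "reachable":
            if nexthop is None and interface is None:
                raise ValueError("a reachable route needs an egress interface or a next hop")
            if nexthop is None and interface.startswith(BROADCAST_INTERFACE_PREFIXES):
                # On a broadcast interface a unique next hop cannot be derived from the interface.
                raise ValueError("%s is a broadcast interface: specify the next hop as well" % interface)
        self.routes.append((network, nexthop, interface, attribute))

    def lookup(self, destination):
        """Return ('forward', (nexthop, interface)), ('discard', 'icmp-unreachable')
        or ('discard', 'silent') for a destination address."""
        addr = ipaddress.ip_address(destination)
        best = None
        for route in self.routes:
            network = route[0]
            # Longest prefix wins; 0.0.0.0/0 has length 0 and so only matches as a last resort.
            if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
                best = route
        if best is None:
            # No entry at all, not even a default route: drop and tell the source host.
            return "discard", "icmp-unreachable"
        _, nexthop, interface, attribute = best
        if attribute == "reject":
            return "discard", "icmp-unreachable"   # source host is notified
        if attribute == "blackhole":
            return "discard", "silent"             # source host is not notified
        return "forward", (nexthop, interface)

    def has_default_route(self):
        return any(r[0].prefixlen == 0 for r in self.routes)


def can_add(table, prefix, nexthop=None, interface=None, attribute="reachable"):
    """True if `add` accepts the route, False if it rejects it (used to show the broadcast check)."""
    try:
        table.add(prefix, nexthop, interface, attribute)
        return True
    except ValueError:
        return False
```

The lookup shows why the two attributes differ in practice: a reject route answers the sender with ICMP unreachable (useful when diagnosing faults), while a blackhole route drops traffic silently.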

6.6 RIP

6.6.1 RIP Overview

6.6.2 RIP Versions

6.6.3 RIP Startup and Operation

6.6.1 RIP Overview

Routing Information Protocol (RIP) is a relatively simple dynamic routing protocol and is mainly applied to small-sized networks such as campus networks.

RIP is a Distance-Vector (D-V) algorithm-based protocol and exchanges routing information through UDP packets. It uses the hop count to measure the distance to the destination host, which is called the routing cost.

In RIP, the hop count from a router to its directly connected network is 0, and the hop count to a network that can be reached through another router is 1. To limit the convergence time, RIP prescribes that the cost is an integer in the range of 0 to 15. A hop count equal to or greater than 16 is defined as infinite, meaning that the destination network or host is unreachable.

RIP sends route refreshment packets every 30 seconds. If a router does not receive route refreshment packets from a network neighbor within 180 seconds, it marks all routes learned from this neighbor as unreachable. If the router still receives no route refreshment packets within 300 seconds, it clears all routes of this neighbor from the routing table.

To improve performance and avoid routing loops, RIP supports split horizon and poison reverse. In addition, RIP can import routes from other routing protocols.

Each router running RIP manages a route database, which contains routing entries to all the reachable destinations in the network. Each routing entry contains the following items:


l Destination address

The IP address of a host or a network.

l Next hop address

The address of the next router that a packet passes through to reach the destination.

l Egress interface

The interface through which the IP packet should be forwarded.

l Cost

The cost for the router to reach the destination, which is an integer in the range of 0 to 15.

l Timer

The time elapsed since the routing entry was last modified. The timer is reset to 0 whenever the routing entry is modified.

l Route flag

A label that distinguishes routes of internal routing protocols from those of external routing protocols.

6.6.2 RIP Versions

There are two RIP versions: RIP-1 and RIP-2.

l RIP-1 supports broadcasting protocol packets.

l RIP-2 transmits packets in two modes, the broadcast mode and the multicast mode. By default, packets are transmitted in multicast mode using the multicast address 224.0.0.9. The advantages of multicast transmission are:

– On the same network segment, hosts that do not run RIP avoid receiving RIP broadcast messages.

– Multicast messages prevent hosts running RIP-1 from wrongly receiving and processing the subnet-mask routes carried in RIP-2.

6.6.3 RIP Startup and Operation

The whole process of RIP startup and operation can be described as follows.

1. When RIP is first enabled on a router, a request packet is broadcast to the neighbor routers. After a neighbor router receives the packet, it responds to the request by sending back a response packet containing the information in its local routing table.

2. When the router receives the response packet, it modifies its local routing table and meanwhile sends a triggered update packet to its neighbor routers, broadcasting the route modification information. Upon receiving the triggered update packet, each neighbor router sends it on to all its own neighbor routers. After a series of triggered update broadcasts, each router obtains and keeps the updated routing information.

3. At the same time, RIP broadcasts its routing table to the neighbor routers every 30 seconds. After receiving the packets, the neighbor routers maintain their own routing tables, select an optimal route, and then advertise the modification information to their neighboring networks so that the updated route becomes globally known. Furthermore, RIP uses the timeout mechanism to handle timed-out routes so as to ensure that the routes are up to date and valid.

RIP is adopted by most IP router vendors. It can be used in most campus networks and regional networks with simple structures and strong continuity. For larger and more complex networks, RIP is not recommended.
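The hop-count rules, the 30/180/300-second timers, and split horizon with poison reverse from 6.6.1, together with the triggered-update behaviour of 6.6.3, combined in one added Python example (constructed code, not the Eudemon's RIP). Router names and networks are sample values; `process_update` returns the networks whose routes changed, which is what decides whether a triggered update is sent.

```python
RIP_INFINITY = 16           # a hop count of 16 or more means unreachable
UPDATE_INTERVAL = 30        # seconds between periodic route refreshment packets
TIMEOUT = 180               # routes from a silent neighbor are marked unreachable after this
GARBAGE_COLLECT = 300       # and removed from the table after this


class RipRouter:
    """Distance-vector table with split horizon / poison reverse and the RIP
    timers quoted above (constructed example, not the Eudemon's implementation)."""

    def __init__(self, name, connected_networks):
        self.name = name
        # network -> {cost, nexthop (None for directly connected), last_update}
        self.table = {net: {"cost": 0, "nexthop": None, "last_update": None}
                      for net in connected_networks}

    def process_update(self, neighbor, entries, now):
        """Apply a response/update packet from `neighbor`; entries is {network: advertised_cost}.

        Returns the networks whose route changed (non-empty => send a triggered update)."""
        changed = []
        for net, adv_cost in entries.items():
            new_cost = min(adv_cost + 1, RIP_INFINITY)   # one more hop via this neighbor
            current = self.table.get(net)
            if current is not None and current["nexthop"] is None:
                continue   # directly connected networks (cost 0) are never overridden
            better = current is not None and new_cost < current["cost"]
            from_current_hop = current is not None and current["nexthop"] == neighbor
            if (current is None and new_cost < RIP_INFINITY) or better or from_current_hop:
                if current is None or current["cost"] != new_cost or current["nexthop"] != neighbor:
                    changed.append(net)
                self.table[net] = {"cost": new_cost, "nexthop": neighbor, "last_update": now}
        return changed

    def build_update(self, for_neighbor, poison_reverse=True):
        """Routes to advertise to `for_neighbor`, with split horizon applied."""
        update = {}
        for net, r in self.table.items():
            if r["nexthop"] == for_neighbor:
                if poison_reverse:
                    update[net] = RIP_INFINITY   # poison reverse: advertise back as unreachable
                continue                         # plain split horizon: omit entirely
            update[net] = r["cost"]
        return update

    def expire(self, now):
        """Apply the 180-second timeout and the 300-second garbage-collection rules."""
        for net in list(self.table):
            r = self.table[net]
            if r["last_update"] is None:
                continue   # directly connected: no timers
            silence = now - r["last_update"]
            if silence >= GARBAGE_COLLECT:
                del self.table[net]
            elif silence >= TIMEOUT:
                r["cost"] = RIP_INFINITY
```

Poison reverse sends a learned route back to the neighbor it came from with cost 16 instead of omitting it, so that a neighbor holding a stale copy discards it immediately rather than waiting for the 180-second timeout; that is the loop-avoidance effect 6.6.1 refers to.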

6.7 OSPF

6.7.1 OSPF Overview

6.7.2 Process of OSPF Route Calculation

6.7.3 Basic Concepts Related to OSPF

6.7.4 OSPF Packets

6.7.5 Types of OSPF LSAs

6.7.1 OSPF Overview

Open Shortest Path First (OSPF) is a link state-based interior gateway protocol developed by the IETF. OSPF is a dynamic routing protocol that runs within an Autonomous System (AS). At present, OSPF version 2 (RFC 2328) is widely used, and it has the following features:

l Applicable scope

It supports networks of various sizes and can support hundreds of routers.

l Fast convergence

It sends update packets as soon as the network topology changes so that the change is synchronized within the AS.

l Loop-free

Because OSPF calculates routes with the shortest path tree algorithm based on the collected link states, the algorithm itself ensures that no routing loops are generated.

l Area partition

It allows the network of an AS to be divided into areas for ease of management. In this way, the routing information transmitted between areas is further abstracted, and as a result less network bandwidth is consumed.

l Routing hierarchy

OSPF has four classes of routes, which rank in order of priority: intra-area, inter-area, external type-1, and external type-2 routes.

l Authentication

It supports interface-based packet authentication so as to guarantee the security of the route calculation.

l Multicast transmission

It supports the use of multicast addresses to receive and send packets.

6.7.2 Process of OSPF Route Calculation

The routing calculation process of the OSPF protocol is as follows.


l Each router that supports OSPF maintains a Link State Database (LSDB), which describes the topology of the whole AS. Based on the network topology around itself, each router generates a Link State Advertisement (LSA). The routers on the network send the LSAs to each other in protocol packets. Thus, each router receives the LSAs of the other routers, and all these LSAs compose its LSDB.

l An LSA describes the network topology around a router, while the LSDB describes the topology of the whole network. Routers can easily transform the LSDB into a weighted directed graph, which reflects the topology of the whole network. Obviously, all the routers obtain the same graph.

l Each router uses the SPF algorithm to calculate the shortest path tree with itself as the root. The tree shows the routes to the nodes in the AS. External routing information appears as leaf nodes. A router that advertises such routes also tags them and records the additional information of the AS. Obviously, each router obtains a different routing table.

6.7.3 Basic Concepts Related to OSPF

Router ID

To run OSPF, a router must have a Router ID. If none is configured, the system automatically selects one from the IP addresses of the current interfaces.

DR and BDR

Basic concepts related to DR and BDR:

l Designated Router (DR)

In order for each router to broadcast its local state information to the whole AS, multiple neighbor relationships would have to be created between routers. However, the route changes on a router would then be transmitted time after time, which wastes valuable bandwidth. To solve the problem, OSPF defines the DR. All the routers only need to send information to the DR, which then broadcasts the network link states. No neighbor relationship is established and no routing information is exchanged between the routers other than the DR, which are called DR Others. Which router acts as the DR is not specified manually; it is elected by all the routers on the network segment.

l Backup Designated Router (BDR)

If the DR becomes invalid due to a fault, a new DR must be elected and synchronized. This takes a long time, and meanwhile the route calculation is incorrect. To speed up this process, OSPF introduces the concept of the BDR. In fact, the BDR is a backup for the DR. The DR and BDR are elected at the same time. Adjacencies are also established between the BDR and all the routers on the local network segment, and routing information is also exchanged between them. Once the DR becomes invalid, the BDR turns into the DR instantly.

Area Partition

As the network keeps extending in scale, if more and more routers in a network run OSPF, the LSDB becomes very large. As a result, a great amount of memory is occupied and much CPU time is consumed to complete the SPF algorithm. In addition, network expansion makes topology changes more likely. As a result, many OSPF packets are forwarded in the network, and the bandwidth utilization of the network is reduced.


To solve this problem, OSPF divides the AS into several areas. Areas divide routers into logical groups. Each area is identified by an area ID, as shown in Figure 6-8. One of the most important areas is area 0, which is also named the backbone area.

Figure 6-8 OSPF area partition (figure: an AS divided into Area0, the backbone, and the non-backbone areas Area1, Area2, Area3, and Area4)

The backbone area must provide the exchange of routing information between the non-backbone areas. The backbone area must be contiguous. For physically non-contiguous areas, you need to configure virtual links to keep the backbone area logically contiguous. An area border is a router rather than a link. A network segment (or a link) can belong to only one area; that is, each interface running OSPF must be explicitly assigned to an area.

The router that connects the backbone area and a non-backbone area is called an Area Border Router (ABR).

Router Types

As Figure 6-9 shows, OSPF routers fall into the following four categories according to their locations in the AS:

l Internal routers

All interfaces of these routers belong to one OSPF area.

l ABR

These routers can belong to two or more areas at the same time, but one of the areas must be the backbone area. An Area Border Router (ABR) is used to connect the backbone area and the non-backbone areas. It can connect to the backbone area physically or logically.

l Backbone routers

These routers have at least one interface that belongs to the backbone area. Thus, all ABRs and the routers inside Area0 are backbone routers.

l ASBR

The routers that exchange routing information with other ASs are AS Boundary Routers (ASBRs). An ASBR is not necessarily on the AS border; it can be an internal router or an ABR. Once an OSPF router imports external routing information, it becomes an ASBR.


Figure 6-9 OSPF router types (figure: Area0 through Area4 with an internal router, an ABR, a backbone router, and an ASBR that connects to a RIP domain)

Stub Area

A stub area is a special area in which the ABRs do not propagate the learned AS external routes. In these areas, the size of the routing tables of the routers and the routing traffic are significantly reduced.

Configuring a stub area is optional. Not all areas meet the configuration requirements. Generally, a stub area is a non-backbone area with only one ABR and is located at the AS boundary.

To ensure that routes to destinations outside the AS remain reachable, the ABR in a stub area originates a default route and advertises it to the non-ABR routers in the area.

Note the following items when configuring a stub area:

l The backbone area cannot be configured as a stub area.

l If you want to configure an area as a stub area, all the routers in this area must be configured with the stub command.

l An ASBR cannot exist in a stub area. In other words, AS external routes are not transmitted in a stub area.

l A virtual link cannot pass through a stub area.

NSSA Area

A new area type (the NSSA area) and a new LSA (the NSSA LSA or Type-7 LSA) are added by the NSSA option in RFC 1587.

Similar to the stub area, an NSSA area cannot be configured with virtual links.

Route Summary

An AS is divided into different areas, and the areas are interconnected through OSPF ABRs. The routing information between areas can be reduced through route summary. Thus, the size of the routing table is reduced and the calculation speed of the router is improved.


After calculating the intra-area routes of an area, the ABR looks up the routing table, encapsulates each OSPF route into an LSA, and sends it outside the area. Route summary is shown in Figure 6-10.

Figure 6-10 Area and route summary (figure: Area 0, Area 8, Area 12, and Area 19, a virtual link, and router RTA; Area 19 contains the networks 19.1.1.0/24, 19.1.2.0/24, and 19.1.3.0/24)

For example, in Figure 6-10, there are three intra-area routes in area 19: 19.1.1.0/24, 19.1.2.0/24, and 19.1.3.0/24. If route summary is configured and the three routes are aggregated into one route 19.1.0.0/16, only one LSA, which describes the summarized route, is generated on RTA.

OSPF has two types of aggregation:

l ABR aggregation

When an ABR transmits routing information to other areas, it originates a Type-3 LSA per network segment. If some contiguous segments exist in this area, you can aggregate these segments into a single segment by using the abr-summary command. In this way, the ABR sends only one aggregated LSA. Any LSA falling within the aggregation network segment specified by this command is not transmitted separately. This accordingly reduces the LSDB size in other areas.

Once the aggregate segment of a certain network is added to the area, the internal routes whose IP addresses fall within the range of the aggregate segment are no longer advertised separately to other areas. Only the routing information of the entire aggregate network segment is advertised.

l ASBR aggregation

After route aggregation is configured, if the local router is an ASBR, it aggregates the imported Type-5 LSAs that fall within the aggregate address range. If an NSSA area is configured, it aggregates the imported Type-7 LSAs within the aggregate address range.

If the local router is an ABR, it aggregates the Type-5 LSAs translated from Type-7 LSAs.

Refer to 6.7.5 Types of OSPF LSAs for the types of OSPF LSAs.
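An added Python example (not the Eudemon's code) that serves both 6.7.2 and the route summary discussion above: it runs the SPF (Dijkstra) calculation over a small LSDB built from Router-LSA links, derives the next hop from the resulting shortest path tree, and shows how an ABR collapses the three area 19 routes of Figure 6-10 into a single 19.1.0.0/16 summary LSA. The router names other than RTA and the link costs are constructed; the rule that the summary's cost is the largest component cost follows RFC 2328, not this page.

```python
import heapq
import ipaddress


def spf(lsdb, root):
    """Dijkstra over the LSDB with `root` as the tree root.

    lsdb maps a router ID to the links in its Router-LSA: [(neighbor_id, cost), ...].
    Returns (distance, parent) describing the shortest path tree. Constructed example."""
    distance = {root: 0}
    parent = {}
    heap = [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > distance[node]:
            continue                       # stale heap entry, a shorter path was found
        for neighbor, cost in lsdb.get(node, []):
            candidate = d + cost
            if candidate < distance.get(neighbor, float("inf")):
                distance[neighbor] = candidate
                parent[neighbor] = node
                heapq.heappush(heap, (candidate, neighbor))
    return distance, parent


def next_hop(parent, root, destination):
    """Walk the tree back from `destination` to find the first hop away from the root."""
    if destination not in parent:
        return None                        # destination not reachable in the LSDB
    node = destination
    while parent[node] != root:
        node = parent[node]
    return node


def abr_summary(intra_area_routes, summary_prefix):
    """Type-3 LSAs an ABR originates for one area once `abr-summary` is configured.

    intra_area_routes maps prefix -> cost. Routes inside the summary range are
    replaced by one LSA whose cost is the largest component cost (RFC 2328);
    routes outside the range are still advertised individually."""
    summary = ipaddress.ip_network(summary_prefix)
    covered, lsas = [], []
    for prefix, cost in intra_area_routes.items():
        if ipaddress.ip_network(prefix).subnet_of(summary):
            covered.append(cost)
        else:
            lsas.append((prefix, cost))
    if covered:
        lsas.append((str(summary), max(covered)))
    return lsas
```

Because every router runs `spf` over the same LSDB, all routers agree on the topology while each derives its own tree and next hops, which is the point made in 6.7.2; `abr_summary` shows why other areas see one LSA instead of three after summarization.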


6.7.4 OSPF Packets

OSPF uses five types of packets:

- Hello packet

The most common packet type. It is sent periodically to the neighbors of the local router and carries the values of some timers, the DR, the BDR, and the known neighbors.

- Database Description (DD) packet

When two routers synchronize their databases, they use DD packets to describe their own LSDBs. A DD packet carries only the summary of each LSA, that is, the LSA header, which uniquely identifies the LSA. Because the header is only a small part of the whole LSA, this reduces the traffic exchanged between the routers; from the header alone, the peer can tell whether it already holds that LSA.

- Link State Request (LSR) packet

After exchanging DD packets, each router knows which of the peer's LSAs are missing from its own LSDB. It then sends LSR packets to request the needed LSAs from the peer. The packets identify each needed LSA by its type, Link State ID, and advertising router.

- Link State Update (LSU) packet

Used to send the requested LSAs to the peer router. It carries a collection of complete LSAs.

- Link State Acknowledgment (LSAck) packet

Used to acknowledge received LSU packets. It carries the headers of the LSAs being acknowledged (one packet can acknowledge multiple LSAs).
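The common OSPFv2 header and the Hello body described above, as an added example that is not part of the original document: the builder produces a Hello packet with null authentication (AuType 0) and the parser validates the version, the length field and the packet checksum before decoding the timers, DR, BDR and neighbor list. The addresses and timer values are constructed for this example; the checksum rule (the whole packet except the 64-bit authentication field) follows RFC 2328 section D.4.1.

```python
import ipaddress
import struct

OSPF_HEADER = "!BBH4s4sHH8s"  # version, type, length, router ID, area ID, checksum, AuType, authentication
HELLO_FIXED = "!4sHBBI4s4s"   # network mask, HelloInterval, Options, Rtr Pri, RouterDeadInterval, DR, BDR
OSPF_TYPES = {1: "Hello", 2: "DD", 3: "LSR", 4: "LSU", 5: "LSAck"}


def ip_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _checksum_input(pkt):
    # RFC 2328 D.4.1: the checksum covers the whole packet except the 64-bit
    # authentication field; the checksum field itself counts as zero.
    return pkt[:12] + b"\x00\x00" + pkt[14:16] + pkt[24:]


def build_hello(router_id, area_id, mask, hello_interval, dead_interval, dr, bdr, neighbors,
                priority=1, options=0x02):
    """Build an OSPFv2 Hello with AuType 0 (null authentication)."""
    def addr(a):
        return ipaddress.ip_address(a).packed

    body = struct.pack(HELLO_FIXED, addr(mask), hello_interval, options, priority,
                       dead_interval, addr(dr), addr(bdr))
    body += b"".join(addr(n) for n in neighbors)
    length = 24 + len(body)
    header = struct.pack(OSPF_HEADER, 2, 1, length, addr(router_id), addr(area_id), 0, 0, bytes(8))
    pkt = header + body
    return pkt[:12] + struct.pack("!H", ip_checksum(_checksum_input(pkt))) + pkt[14:]


def verify_checksum(pkt):
    """True when the stored checksum matches (meaningful for AuType 0 and 1 only)."""
    stored = struct.unpack("!H", pkt[12:14])[0]
    return ip_checksum(_checksum_input(pkt)) == stored


def parse_ospf(pkt):
    """Parse and validate the common header, then decode a Hello body."""
    version, ptype, length, rid, aid, _csum, autype, _auth = struct.unpack(OSPF_HEADER, pkt[:24])
    if version != 2:
        raise ValueError("not OSPFv2")
    if length != len(pkt):
        raise ValueError("length field %d does not match packet size %d" % (length, len(pkt)))
    # With cryptographic authentication (AuType 2) the checksum field is unused;
    # the digest appended after the packet would be verified instead.
    if autype != 2 and not verify_checksum(pkt):
        raise ValueError("bad checksum")
    msg = {"type": OSPF_TYPES.get(ptype, ptype), "router_id": str(ipaddress.ip_address(rid)),
           "area_id": str(ipaddress.ip_address(aid)), "autype": autype}
    if ptype == 1:
        mask, hello, options, prio, dead, dr, bdr = struct.unpack(HELLO_FIXED, pkt[24:44])
        msg.update(mask=str(ipaddress.ip_address(mask)), hello_interval=hello, options=options,
                   priority=prio, dead_interval=dead, dr=str(ipaddress.ip_address(dr)),
                   bdr=str(ipaddress.ip_address(bdr)),
                   neighbors=[str(ipaddress.ip_address(pkt[i:i + 4])) for i in range(44, length, 4)])
    return msg
```

The checksum only protects against corruption: a Hello with AuType 0 from any host on the segment will pass every check above, which is why a production adjacency should require cryptographic authentication (AuType 2) and why the parser treats that case separately.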

6.7.5 Types of OSPF LSAs

Five Types of Basic LSAs

OSPF calculates and maintains routing information mainly on the basis of LSAs.

Five types of LSAs are defined in RFC 2328:

- Router-LSAs

Type-1 LSAs, generated by every router and flooded throughout the area where the router is located. They describe the router's links and their costs.

- Network-LSAs

Type-2 LSAs, generated by the DR on a broadcast network and flooded throughout the area where the DR is located. They describe the link state of the local network segment, that is, the routers attached to it.

- Summary-LSAs

Type-3 and Type-4 LSAs, generated by ABRs and flooded into the related areas. They describe routes to destinations that are internal to the AS but external to the area (inter-area routes). Type-3 Summary-LSAs describe routes to networks (the destination is a network segment), while Type-4 Summary-LSAs describe routes to ASBRs.

- AS-external-LSAs

Type-5 LSAs (also written ASE LSAs), generated by ASBRs. They describe routes to destinations external to the AS and are flooded throughout the entire AS, except into stub areas and NSSAs. A default route for the AS can also be described by an AS-external-LSA.

Type-7 LSA

A new LSA type, the Type-7 LSA, was added by RFC 1587 (OSPF NSSA Option).

As described in RFC 1587, Type-7 LSAs and Type-5 LSAs differ mainly in the following:

- Type-7 LSAs are generated and flooded within a Not-So-Stubby Area (NSSA), whereas Type-5 LSAs are not flooded into an NSSA.

- Type-7 LSAs can only be flooded within the NSSA. When Type-7 LSAs reach the ABR of the NSSA, the ABR translates them into Type-5 LSAs, which are then flooded into other areas. Type-7 LSAs cannot be flooded directly into other areas or into the backbone area.

Opaque LSAs

To let OSPF support more service applications, RFC 2370 (The OSPF Opaque LSA Option) defines opaque LSAs as a further extension of OSPF.

There are three types of opaque LSAs, with different flooding scopes:

- Type-9: link-local scope. Type-9 opaque LSAs are not flooded beyond the local (sub)network.

- Type-10: area-local scope. Type-10 opaque LSAs are not flooded beyond the borders of their associated area.

- Type-11: the same flooding scope as Type-5 LSAs. Type-11 opaque LSAs are flooded throughout the entire AS, except into stub areas and NSSAs.

An opaque LSA consists of the standard 20-byte LSA header followed by application-specific information; in the header, the 32-bit Link State ID field is split into an 8-bit Opaque Type and a 24-bit Opaque ID. The packet structure is shown in Figure 6-11.

Figure 6-11 Opaque LSA structure

    0               8               16              24              32
    +---------------+---------------+---------------+---------------+
    |       LS age (16-bit)         |  Options (8)  |  LS type (8)  |
    |                               |               | (9, 10 or 11) |
    +---------------+---------------+---------------+---------------+
    |Opaque type (8)|              Opaque ID (24-bit)               |
    +---------------+-----------------------------------------------+
    |                  Advertising Router (32-bit)                  |
    +---------------------------------------------------------------+
    |                  LS Sequence Number (32-bit)                  |
    +-------------------------------+-------------------------------+
    |     LS checksum (16-bit)      |        Length (16-bit)        |
    +-------------------------------+-------------------------------+
    |                      Opaque Information                       |
    +---------------------------------------------------------------+

In Figure 6-11:

- The Opaque type byte identifies the application type of the LSA.

- The Opaque ID distinguishes LSAs of the same opaque type.

- The Opaque information field carries the LSA payload. Its format is defined by the application that uses it.
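The LSA header of 6.7.5 and the opaque-LSA split of the Link State ID in Figure 6-11, as an added example that is not part of the original document: the parser reads the 20-byte header, reports the flooding scope for each LS type, splits the Link State ID into Opaque Type and Opaque ID for types 9, 10 and 11, and verifies the LS checksum (the Fletcher checksum of RFC 2328 section 12.1.7, computed over everything after LS age). The builder exists only to produce sample LSAs; the opaque payload and router addresses are constructed for this example.

```python
import ipaddress
import struct

LSA_HEADER = "!HBB4s4sIHH"  # LS age, Options, LS type, Link State ID, Advertising Router, LS seq, LS checksum, length
LSA_NAMES = {1: "Router-LSA", 2: "Network-LSA", 3: "Summary-LSA (network)", 4: "Summary-LSA (ASBR)",
             5: "AS-external-LSA", 7: "NSSA-LSA", 9: "Opaque (link-local)", 10: "Opaque (area)",
             11: "Opaque (AS)"}
FLOOD_SCOPE = {1: "area", 2: "area", 3: "area", 4: "area", 5: "AS", 7: "NSSA",
               9: "link-local", 10: "area", 11: "AS"}


def fletcher16(data, offset):
    """ISO 8473 / RFC 905 Fletcher checksum as OSPF uses it (RFC 2328, 12.1.7).

    data starts at the Options field (LS age is excluded); offset is the
    position of the 16-bit checksum inside data, which must hold zeros.
    """
    c0 = c1 = 0
    for b in data:
        c0 = (c0 + b) % 255
        c1 = (c1 + c0) % 255
    x = ((len(data) - offset - 1) * c0 - c1) % 255
    if x == 0:
        x = 255
    y = 510 - c0 - x
    if y > 255:
        y -= 255
    return (x << 8) | y


def lsa_checksum_ok(lsa):
    """An intact LSA leaves both Fletcher accumulators at zero."""
    c0 = c1 = 0
    for b in lsa[2:]:
        c0 = (c0 + b) % 255
        c1 = (c1 + c0) % 255
    return c0 == 0 and c1 == 0


def build_lsa(ls_type, link_state_id, adv_router, seq, body, options=0x02, age=0):
    """link_state_id is the raw 4-byte field; returns header + body with the checksum filled in."""
    hdr = struct.pack(LSA_HEADER, age, options, ls_type, link_state_id,
                      ipaddress.ip_address(adv_router).packed, seq, 0, 20 + len(body))
    lsa = hdr + body
    csum = fletcher16(lsa[2:], 14)  # checksum sits at LSA offset 16, i.e. 14 bytes past LS age
    return lsa[:16] + struct.pack("!H", csum) + lsa[18:]


def opaque_lsid(opaque_type, opaque_id):
    """Opaque LSAs split the Link State ID into an 8-bit type and a 24-bit ID."""
    return bytes([opaque_type]) + opaque_id.to_bytes(3, "big")


def parse_lsa_header(lsa):
    age, options, ls_type, lsid, adv, seq, csum, length = struct.unpack(LSA_HEADER, lsa[:20])
    info = {"age": age, "type": ls_type, "name": LSA_NAMES.get(ls_type, "unknown"),
            "scope": FLOOD_SCOPE.get(ls_type, "unknown"),
            "adv_router": str(ipaddress.ip_address(adv)), "seq": seq, "length": length,
            "checksum_ok": length <= len(lsa) and lsa_checksum_ok(lsa[:length])}
    if ls_type in (9, 10, 11):
        info["opaque_type"] = lsid[0]
        info["opaque_id"] = int.from_bytes(lsid[1:], "big")
    else:
        info["link_state_id"] = str(ipaddress.ip_address(lsid))
    return info
```

The checksum is an integrity check on LSDB contents, not an authentication of the originator; a router that accepts an LSA with a bad checksum into its database will flood corrupted state to every neighbor, so the check belongs before any LSA is installed.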

6.8 BGP

6.8.1 BGP Overview

6.8.2 Classification of BGP Attributes

6.8.3 Principles of BGP Route Selection

6.8.1 BGP Overview

BGP Origin

In the ARPANET of the early 1980s, the Internet functioned as a single network running the Gateway-to-Gateway Protocol (GGP). GGP required each gateway to know the routes to every other reachable gateway. As the network grew, the routing table and the cost of calculating routes became very large, and the number of maintainers grew with the number of gateways. The poor scalability of GGP could not keep up with network development.

RFC 827 divided the ARPANET into several levels: instead of a single network, it became a network formed by multiple interconnected Autonomous Systems (ASs). Each AS is identified by an AS number. An AS is an interconnected network managed independently by a single administrative authority.

- Within an AS, the administrative authority can freely choose the Interior Gateway Protocol (IGP). GGP was the first IGP of the ARPANET and was later replaced by the Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Intermediate System to Intermediate System (IS-IS).

- ASs share routing information through the Exterior Gateway Protocol (EGP).

As the network expanded further and the topology became more complex, EGP was replaced by the Border Gateway Protocol (BGP) because of the following defects:

- It cannot perform loop detection.

- It has no algorithm for selecting the optimal inter-AS route.

- It converges slowly when the network changes.

- It cannot apply routing policies.


BGP Version

BGP is a dynamic routing protocol used between ASs. The three early versions are BGP-1 (defined in RFC 1105), BGP-2 (defined in RFC 1163), and BGP-3 (defined in RFC 1267). The current version is BGP-4 (defined in RFC 4271).

In the three early versions, BGP is used to exchange inter-AS reachability information, establish inter-AS paths, prevent routing loops, and apply routing policies between ASs.

BGP-4 adds support for Classless Inter-Domain Routing (CIDR).

NOTE

Unless otherwise specified, BGP in this manual refers to BGP-4.

BGP Characteristics

BGP has the following characteristics:

- It is an EGP. It focuses on controlling route propagation and selecting the optimal route rather than on discovering and calculating routes. This distinguishes BGP from IGPs such as OSPF and RIP.

- It uses TCP as its transport-layer protocol to improve reliability. It listens on TCP port 179.

  – BGP performs inter-domain route selection, which places high demands on the reliability of the protocol. TCP, with its higher reliability, is therefore used to improve the stability of BGP.

  – BGP peers must be logically interconnected and establish a TCP connection. When a connection request is sent to a peer, the destination port is 179 and the local port can be any port.

- It supports CIDR.

- After the initial exchange it transmits only the routes that have changed. This reduces the bandwidth BGP uses to transmit routes and makes it suitable for carrying the large amount of routing information on the Internet.

- It is a path-vector routing protocol (a form of distance-vector protocol), and routing loops are prevented by design.

  – Inter-AS: BGP routes carry the list of ASs they have passed through. A received route whose AS_Path already contains the local AS number is discarded, so inter-AS routing loops are prevented.

  – Intra-AS: BGP does not advertise routes learned from an IBGP neighbor to its other IBGP neighbors, so intra-AS routing loops are prevented.

- It provides rich routing policies to filter and select routes flexibly.

- It provides a mechanism to suppress route flapping, which effectively improves the stability of the Internet.

- It is easy to extend to support new developments in the network.

BGP Operating Modes

BGP operates on the Eudemon in the following modes, as shown in Figure 6-12:

- Internal BGP (IBGP)

- External BGP (EBGP)


IBGP runs within an AS. EBGP runs between ASs.

Figure 6-12 BGP operating mode (a client AS connected to the Internet through ISP1 and ISP2; EBGP on the link to each ISP, IBGP between the routers inside the client AS)

BGP Application Scenarios

BGP is used to transmit routing information between ASs. It is not needed in every case.

BGP is required in the following cases:

- As shown in Figure 6-12, the user is connected to two or more Internet Service Providers (ISPs), and the ISPs need to provide full or partial Internet routes to the user. The routers can then determine the optimal route to a destination through the AS of one ISP, according to the AS information carried in BGP routes.

- Users of different organizations need to exchange AS path information.

- Users transmit private network routes through Layer 3 VPN.

- Users use BGP as signaling to transmit routing information in Layer 2 applications (such as VPLS in Kompella mode).

- Users need to transmit multicast routes to construct the multicast topology.

BGP is not required in the following cases:

- The user is connected to only one ISP.

- The ISP does not need to provide Internet routes to the user.

- Default routes are used to connect the ASs.


BGP Processing

The transport-layer protocol of BGP is TCP, so a TCP connection must be set up between two routers before they can become BGP peers.

By exchanging Open messages, BGP peers negotiate the parameters used to establish the peer relationship.

After the connection is set up, BGP peers exchange their entire BGP routing tables. BGP routers do not periodically refresh the routing table; when BGP routes change, routers update the BGP routing table with incremental Update messages.

BGP routers send Keepalive messages to maintain the BGP connection with peers. When a BGP router detects an error, it sends a Notification message to report it, and the BGP connection is closed immediately.
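The Open exchange described above, as an added example that is not part of the original document: the code builds OPEN and KEEPALIVE messages, validates the 19-byte message header the way RFC 4271 section 6.1 requires (marker, length bounds, type), decodes the OPEN body, and applies the two checks a peer performs before the session reaches OpenConfirm: the peer must present the AS number configured for it, and the hold time is the smaller of the two offers. AS numbers, identifiers and timers are constructed for this example; 2-octet AS numbers are assumed, as in a session without the 4-byte-AS capability.

```python
import ipaddress
import struct

MARKER = b"\xff" * 16
MSG_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}
OPEN_FIXED = "!BHH4sB"  # version, My AS, Hold Time, BGP Identifier, Opt Parm Len


def build_open(my_as, hold_time, bgp_id, opt_params=b""):
    body = struct.pack(OPEN_FIXED, 4, my_as, hold_time,
                       ipaddress.ip_address(bgp_id).packed, len(opt_params)) + opt_params
    return MARKER + struct.pack("!HB", 19 + len(body), 1) + body


def build_keepalive():
    return MARKER + struct.pack("!HB", 19, 4)


def parse_message(data):
    """Validate the message header (R 4271 section 6.1) and decode OPEN/KEEPALIVE."""
    if len(data) < 19:
        raise ValueError("short message")
    marker, length, mtype = data[:16], struct.unpack("!H", data[16:18])[0], data[18]
    if marker != MARKER:
        raise ValueError("Connection Not Synchronized")
    if length < 19 or length > 4096 or length != len(data):
        raise ValueError("Bad Message Length")
    if mtype not in MSG_TYPES:
        raise ValueError("Bad Message Type")
    msg = {"type": MSG_TYPES[mtype], "length": length}
    if mtype == 1:
        if length < 29:
            raise ValueError("Bad Message Length")
        version, my_as, hold, bgp_id, optlen = struct.unpack(OPEN_FIXED, data[19:29])
        if version != 4:
            raise ValueError("Unsupported Version Number")
        if hold in (1, 2):  # RFC 4271 4.2: hold time is zero or at least three seconds
            raise ValueError("Unacceptable Hold Time")
        msg.update(version=version, my_as=my_as, hold_time=hold,
                   bgp_id=str(ipaddress.ip_address(bgp_id)), opt_params=data[29:29 + optlen])
    return msg


def accept_open(peer_open, expected_as, expected_id=None):
    """Local policy check on a received OPEN: the peer must present the AS we
    configured for it (otherwise a Bad Peer AS NOTIFICATION is sent) and, if the
    identifier is pinned, the expected BGP Identifier."""
    if peer_open["type"] != "OPEN" or peer_open["my_as"] != expected_as:
        return False
    return expected_id is None or peer_open["bgp_id"] == expected_id


def negotiate_timers(local_hold, peer_open):
    """Hold time is the smaller of the two offers; keepalives go out every third of it."""
    hold = min(local_hold, peer_open["hold_time"])
    return hold, hold // 3
```

Everything the parser checks is visible on the wire, so these checks alone do not keep an attacker who can reach port 179 from opening a session; the TCP MD5 option or an ACL limiting who may connect to the BGP port is the usual control, with the AS and identifier checks above as the second line.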

6.8.2 Classification of BGP Attributes

BGP route attributes are a set of parameters that describe a specific route; BGP uses them to filter and select routes.

BGP route attributes are classified as follows:

- Well-known mandatory: recognized by all BGP routers. The attribute must be carried in every Update message that advertises routes; if it is missing, the routing information is in error.

- Well-known discretionary: recognized by all BGP routers. The attribute is optional in Update messages and is carried according to practical needs.

- Optional transitive: an optional attribute that is transitive between ASs. A BGP router may not support the attribute, but it still accepts routes carrying it and advertises them to other peers.

- Optional non-transitive: if a BGP router does not support the attribute, it ignores the attribute in received Update messages and does not advertise it to other peers.

Table 6-2 lists the BGP route attributes and their types.

Table 6-2 Route attributes and their types

Attribute Name         Type
---------------------  -------------------------
Origin                 Well-known mandatory
AS_Path                Well-known mandatory
Next_Hop               Well-known mandatory
Local_Pref             Well-known discretionary
Atomic_Aggregate       Well-known discretionary
Aggregator             Optional transitive
Community              Optional transitive
Multi_Exit_Disc (MED)  Optional non-transitive
Originator_ID          Optional non-transitive
Cluster_List           Optional non-transitive
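The four attribute classes of 6.8.2 and the reception rules that follow from them, as an added example that is not part of the original document: the parser walks the path-attribute bytes of an UPDATE, derives the class from the Optional and Transitive flag bits, decodes the attributes of Table 6-2 that have a fixed format, and then applies the rules the text states: a missing well-known mandatory attribute is an error, an unrecognized optional non-transitive attribute is dropped, and an unrecognized optional transitive attribute is kept and passed on with the Partial bit set. The attribute bytes are constructed for this example and use 2-octet AS numbers.

```python
import ipaddress

ATTR_NAMES = {1: "Origin", 2: "AS_Path", 3: "Next_Hop", 4: "MED", 5: "Local_Pref",
              6: "Atomic_Aggregate", 7: "Aggregator", 8: "Community",
              9: "Originator_ID", 10: "Cluster_List"}
WELL_KNOWN_MANDATORY = {1, 2, 3}
ORIGIN_NAMES = {0: "IGP", 1: "EGP", 2: "Incomplete"}

# Constructed path-attribute bytes as they would appear in an UPDATE
# (2-octet AS numbers, i.e. no 4-byte-AS capability negotiated).
SAMPLE_ATTRS = bytes.fromhex(
    "40 01 01 00"                  # Origin = IGP
    "40 02 06 02 02 fd e8 fd e9"   # AS_Path: AS_SEQUENCE of 65000, 65001
    "40 03 04 c0 00 02 01"         # Next_Hop 192.0.2.1
    "80 04 04 00 00 00 64"         # MED 100 (optional, non-transitive)
    "c0 c8 02 aa bb"               # unknown code 200, optional transitive
    "80 c9 01 01"                  # unknown code 201, optional non-transitive
)


def attr_class(flags, code):
    optional, transitive = bool(flags & 0x80), bool(flags & 0x40)
    if not optional:
        return "well-known mandatory" if code in WELL_KNOWN_MANDATORY else "well-known discretionary"
    return "optional transitive" if transitive else "optional non-transitive"


def decode_value(code, value):
    if code == 1:
        return ORIGIN_NAMES.get(value[0], value[0])
    if code == 2:  # segments of (type, count, count x 2-byte ASN); flattened here
        asns, i = [], 0
        while i < len(value):
            seg_len = value[i + 1]
            i += 2
            for _ in range(seg_len):
                asns.append(int.from_bytes(value[i:i + 2], "big"))
                i += 2
        return asns
    if code in (3, 9):
        return str(ipaddress.ip_address(value))
    if code in (4, 5):
        return int.from_bytes(value, "big")
    return value.hex()


def parse_path_attributes(data):
    attrs, i = [], 0
    while i < len(data):
        flags, code = data[i], data[i + 1]
        if flags & 0x10:  # Extended Length bit: two-byte length field
            length, i = int.from_bytes(data[i + 2:i + 4], "big"), i + 4
        else:
            length, i = data[i + 2], i + 3
        value, i = data[i:i + length], i + length
        if not flags & 0x80 and not flags & 0x40:
            raise ValueError("Attribute Flags Error: well-known attribute %d marked non-transitive" % code)
        attrs.append({"code": code, "name": ATTR_NAMES.get(code, "unknown-%d" % code),
                      "class": attr_class(flags, code), "partial": bool(flags & 0x20),
                      "value": decode_value(code, value)})
    return attrs


def missing_mandatory(attrs):
    return WELL_KNOWN_MANDATORY - {a["code"] for a in attrs}


def accept_attributes(attrs):
    """Reception rules: reject the UPDATE if a well-known mandatory attribute is
    absent; drop unrecognized optional non-transitive attributes; keep unrecognized
    optional transitive ones and mark them Partial for re-advertisement."""
    if missing_mandatory(attrs):
        raise ValueError("Missing Well-known Attribute: %s" % sorted(missing_mandatory(attrs)))
    kept = []
    for a in attrs:
        if a["code"] not in ATTR_NAMES:
            if a["class"] == "optional non-transitive":
                continue
            a = dict(a, partial=True)
        kept.append(a)
    return kept
```

The transitive rule is what lets an attribute nobody on the path understands travel across many ASs unchanged; that is also why a malformed optional transitive attribute can propagate widely, and why a production parser should bound and validate every length before trusting it.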

6.8.3 Principles of BGP Route Selection

Policies for BGP Route Selection

In the Eudemon implementation, when there are multiple routes to the same destination, BGP selects a route according to the following policies, in order:

1. Among locally originated routes, prefer the one with the smaller preference value. The preference is the preference value of the protocol route (including direct and static routes) in the IP routing table; run the display ip routing-table command to view it. The smaller the preference value, the higher the preference.

NOTE

Locally originated routes are the routes imported into BGP with the import and network commands, or aggregated with the aggregate and summary automatic commands, as opposed to routes received from BGP peers.

2. If different protocol routes have the same preference value, select a route in the following order: OSPF, IS-IS Level-1, IS-IS Level-2, EBGP (including BGP aggregated routes), static, RIP, OSPF_ASE, IBGP.

NOTE

Among locally originated routes, BGP prefers direct routes, because the preference value of a direct route is the smallest (that is, 0).

3. Discard routes whose Next_Hop is unreachable.
4. Prefer labeled IPv4 routes unconditionally.
5. Prefer the route with the greatest PreVal.
6. Prefer the route with the highest Local_Pref.
7. Prefer the aggregated route: a locally aggregated route is preferred over a local non-aggregated route.
8. Prefer the route with the shortest AS_Path.
9. Compare the Origin attribute and prefer IGP over EGP over Incomplete.
10. Prefer the route with the smallest MED value.
11. Prefer the route learned from EBGP: an EBGP route is preferred over an IBGP route.
12. Prefer the route with the smallest IGP metric to the next hop within the AS. If load balancing is configured and there are multiple external routes with the same AS_Path, load balancing is performed among the configured number of routes.
13. Prefer the route with the shortest Cluster_List.
14. Prefer the route with the smallest Originator_ID.
15. Prefer the route advertised by the router with the smallest router ID.
16. Compare the IP addresses of the peers and prefer the route learned from the peer with the smaller IP address.
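The sixteen-step policy above expressed as one sort key, as an added example that is not part of the original document: each candidate route carries the attributes the steps compare, unreachable next hops are removed first (step 3), and the remaining routes are ordered so that the first element of the ranking is the route the Eudemon would install. The candidate routes are constructed for this example; step 2 (ordering by source protocol among equal-preference local routes) is folded into the local preference value by the caller rather than modelled separately.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

ORIGIN_RANK = {"IGP": 0, "EGP": 1, "Incomplete": 2}


@dataclass
class BgpRoute:
    name: str
    as_path: List[int]
    next_hop_reachable: bool = True
    local_origin_pref: Optional[int] = None  # set only for locally originated routes (step 1)
    labeled: bool = False                    # step 4
    preval: int = 0                          # step 5
    local_pref: int = 100                    # step 6
    aggregated: bool = False                 # step 7
    origin: str = "IGP"                      # step 9
    med: int = 0                             # step 10
    ebgp: bool = False                       # step 11
    igp_metric: int = 0                      # step 12
    cluster_list: List[int] = field(default_factory=list)  # step 13
    originator_id: str = "0.0.0.0"           # step 14
    router_id: str = "0.0.0.0"               # step 15
    peer_address: str = "0.0.0.0"            # step 16


def _ip_int(a):
    return int(ipaddress.ip_address(a))


def selection_key(r):
    """Smaller tuple wins; each element is one step of the policy, in order."""
    return (
        0 if r.local_origin_pref is not None else 1,   # locally originated routes first
        r.local_origin_pref if r.local_origin_pref is not None else 0,
        0 if r.labeled else 1,
        -r.preval,
        -r.local_pref,
        0 if r.aggregated else 1,
        len(r.as_path),
        ORIGIN_RANK[r.origin],
        r.med,
        0 if r.ebgp else 1,
        r.igp_metric,
        len(r.cluster_list),
        _ip_int(r.originator_id),
        _ip_int(r.router_id),
        _ip_int(r.peer_address),
    )


def rank_routes(routes):
    """Step 3 first (drop unreachable next hops), then order the rest by the policy."""
    usable = [r for r in routes if r.next_hop_reachable]
    return [r.name for r in sorted(usable, key=selection_key)]


def best_route(routes):
    ranked = rank_routes(routes)
    return ranked[0] if ranked else None


# Constructed candidates for one prefix.
CANDIDATES = [
    BgpRoute("R1", [65001, 65002], local_pref=200, med=20, ebgp=False, router_id="10.0.0.1"),
    BgpRoute("R2", [65001], local_pref=100, ebgp=True, router_id="10.0.0.2"),
    BgpRoute("R3", [65001, 65003], local_pref=200, med=5, ebgp=True, next_hop_reachable=False),
    BgpRoute("R4", [65001, 65003], local_pref=200, med=20, ebgp=True, router_id="10.0.0.4"),
]
```

R3 never competes despite its low MED because its next hop is unreachable; R2 loses with the shortest AS_Path because Local_Pref is compared first; R1 and R4 tie through MED and R4 wins at step 11 as the EBGP route. One caveat for step 10: as on the page, MED is compared across all candidates here, but RFC 4271 section 9.1.2.2 compares MED only among routes from the same neighbouring AS unless the device is configured otherwise, so check that setting before relying on the step.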

Route Selection Policy When BGP Load Balancing Is Applied

In BGP, the next hop address of a route may not be the address of a peer directly connected to the local router. One reason is that the next hop is not changed when routing information is advertised between IBGP peers. To forward packets correctly, the router must therefore find a reachable address and forward packets to the next hop through that address. The route to that reachable address is called the dependent route, and BGP forwards packets according to dependent routes. The process of finding the dependent route from the next hop address is called route iteration (route recursion).

The Eudemon supports BGP load balancing based on route iteration: if the dependent route is itself load-balanced (say, over three next hop addresses), BGP generates the same number of next hop addresses to guide packet forwarding. Iteration-based BGP load balancing needs no configuration; it is always enabled on the Eudemon.

NOTE

- In BGP, load balancing is performed only among routes with the same AS_Path attribute.

- BGP load balancing is applied to the ASs within a confederation.

BGP load balancing differs from IGP load balancing in the following ways:

- For different routes to the same destination, an IGP calculates the metric of each route with its routing algorithm, and load balancing is performed among routes with the same metric.

- BGP has no routing algorithm of its own, so it cannot decide whether to load-balance among routes by metric. BGP has many route attributes, each with a different priority in the route selection policy, and load balancing is only one step of that policy. That is, BGP load balancing is performed, up to the configured maximum number of equal-cost routes, only when all attributes with higher priority in the policy are equal.

Policies for BGP Route Advertisement

In the Eudemon implementation, BGP routers advertise routes according to the following policies:

- When there are multiple active routes to a destination, the BGP speaker advertises only the optimal route to its peers.

- The BGP speaker advertises to its peers only the routes that it uses itself.

- The BGP speaker advertises routes learned from EBGP peers to all BGP peers (both EBGP and IBGP peers).

- The BGP speaker does not advertise routes learned from IBGP peers to its other IBGP peers.

- The BGP speaker advertises routes learned from IBGP peers to its EBGP peers (when synchronization of BGP and IGP is disabled, or the IGP also knows the route).

- Once a connection with a new peer is established, the BGP speaker advertises all its BGP routes to the new peer.


Synchronization of IBGP and IGP

Synchronization of IBGP and IGP prevents routers in external ASs from being misled.

If a non-BGP router inside an AS is on the forwarding path, IP packets forwarded through that AS may be discarded because the router considers the destination unreachable. As shown in Figure 6-13, EudemonE learns the route 8.0.0.0/8 of EudemonA from EudemonD through BGP and forwards a packet to EudemonD. EudemonD looks up its routing table and finds that the BGP next hop is EudemonB. Because EudemonD learns the route to EudemonB through the IGP, route iteration resolves the next hop through EudemonC, and EudemonD forwards the packet to EudemonC. EudemonC, however, runs only the IGP, does not know the route to 8.0.0.0/8, and discards the packet.

Figure 6-13 Synchronization of IBGP and IGP (EudemonA in AS10 advertises 8.0.0.0/8 over EBGP to EudemonB in AS20; within AS20, EudemonB and EudemonD are IBGP peers and reach each other through EudemonC, which runs only the IGP; EudemonD has an EBGP session with EudemonE in AS30)

If synchronization is configured, a Eudemon checks the IGP routing table before adding an IBGP route to its routing table and advertising it to EBGP peers. The IBGP route is added to the routing table and advertised to EBGP peers only when the IGP also knows the route.

Synchronization can safely be disabled in the following cases:

- The local AS is not a transit AS (AS20 in Figure 6-13 is a transit AS).

- All Eudemons in the local AS are fully meshed IBGP peers.

NOTE

On the Eudemon, synchronization is disabled by default.
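The advertisement policies of the previous subsection together with the synchronization check just described, as an added example that is not part of the original document: accept_route performs the inter-AS loop check on receipt, and export_routes decides, for one best route, which peers receive it and with which AS_Path (routes from EBGP or local routes go to every peer, routes from IBGP go only to EBGP peers, the local AS is prepended on EBGP sessions, and with synchronization enabled an IBGP route is exported only if the IGP table covers it). The peers, prefixes and AS numbers are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Peer:
    name: str
    remote_as: int
    ebgp: bool


@dataclass
class BgpRoute:
    prefix: str
    as_path: List[int]
    learned_from: Optional[str]  # peer name, or None for a locally originated route


def accept_route(local_as, route):
    """Inter-AS loop check on receipt: an AS_Path that already contains the local
    AS means the route has been through this AS before, so it is dropped."""
    return local_as not in route.as_path


def igp_knows(igp_table, prefix):
    """The synchronization check: does the IGP routing table hold a route that
    covers this prefix (exact or less specific)?"""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(ipaddress.ip_network(p)) for p in igp_table)


def export_routes(local_as, route, peers, sync_enabled=False, igp_table=()):
    """Return {peer name: AS_Path sent} for one best route.

    Routes from EBGP peers and local routes go to every peer; routes from IBGP
    peers go only to EBGP peers, and with synchronization enabled only when the
    IGP also knows them.  The local AS is prepended on EBGP sessions.  The EBGP
    peer the route came from is not skipped here: it rejects the route itself
    through accept_route when it sees its own AS in the path.
    """
    source = next((p for p in peers if p.name == route.learned_from), None)
    if source is not None and not source.ebgp:
        if sync_enabled and not igp_knows(igp_table, route.prefix):
            return {}
        targets = [p for p in peers if p.ebgp]
    else:
        targets = list(peers)
    return {p.name: [local_as] + route.as_path if p.ebgp else list(route.as_path)
            for p in targets}


# Constructed topology for AS 65000: one IBGP peer and two EBGP peers.
LOCAL_AS = 65000
PEERS = [Peer("P1", 65001, True), Peer("P2", 65000, False), Peer("P3", 65002, True)]
FROM_EBGP = BgpRoute("8.0.0.0/8", [65001], "P1")
FROM_IBGP = BgpRoute("8.0.0.0/8", [65001], "P2")
```

With synchronization on and an IGP table that lacks 8.0.0.0/8, the IBGP route is not exported at all, which is exactly the black hole of Figure 6-13 being prevented at EudemonD; with synchronization off (the Eudemon default) the same route is sent to both EBGP peers, so the operator must be sure the AS is either a full IBGP mesh or not a transit AS before relying on that default.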

6.9 Introduction to Policy-Based Routing

Unlike routing based on the destination address of IP packets, policy-based routing is a mechanism in which packets are forwarded on the basis of user-defined policies.

On this device, policy-based routing can be specified flexibly on the basis of various information in the received packets, such as the source address, the destination address, and whether the IP address is odd or even. A policy-based route takes priority over other routes: once a packet matches a policy-based route, other routes such as static routes are not used for it.

On the Eudemon, policy-based routing is applied in zones.

6.10 Routing Policy Overview


6.10.1 Applications and Implementation of Routing Policy

6.10.2 Differences Between Routing Policy and Policy-based Routing

6.10.1 Applications and Implementation of Routing Policy

Routing policies are used for route control, including route filtering and route attribute setting. By changing route attributes such as reachability, routing policies can change the paths that network traffic takes.

Applications of Routing Policies

Routing policies have flexible and wide applications. The major ones are:

- Controlling route advertisement: only routes that meet the conditions specified in the policy are advertised.

- Controlling route reception: after a routing policy is configured, only the necessary and eligible routing information is accepted. This helps to control the size of the routing table and improves network security.

- Filtering and controlling imported routes: to enrich its routing information, a routing protocol such as RIP imports eligible routes discovered by other routing protocols and sets certain attributes on the imported routes to meet its own requirements.

- Setting the attributes of specific routes: routes that pass the filter can have attributes set by the routing policy.

Implementation of Routing Policies

Implementing a routing policy consists of the following steps:

- Defining rules: define the characteristics of the routing information to which the policy applies, that is, a set of matching rules and setting rules. You can use different attributes, such as destination addresses or router addresses, to define the matching rules.

- Applying the rules: apply the matching rules in the routing policies for route advertisement, reception, and import.

The Eudemon provides multiple filters, such as the IP prefix list and Route-Policy, with which matching rules can be defined flexibly.

6.10.2 Differences Between Routing Policy and Policy-based Routing

Policy-based routing (PBR) differs from packet forwarding based on the Forwarding Information Base (FIB). PBR is a step of the IP forwarding procedure that runs before the FIB is searched, and selects the path on the basis of user-defined policies. PBR can be applied to guarantee data security or to implement load balancing.


On the Eudemon, PBR supports route selection based on information such as source addresses and packet length.

Routing policies and PBR are different mechanisms. Table 6-3 shows the differences between the two.

Table 6-3 Differences between routing policy and PBR

Routing Policy                                   PBR
-----------------------------------------------  ---------------------------------------------------
Controls routing information.                    Forwards packets based on policies. If the policy
                                                 forwarding fails, the packets are forwarded
                                                 according to the FIB.
Based on the control plane; used by routing      Based on the forwarding plane; used by
protocols and routing tables.                    forwarding policies.
Works together with the routing protocol to      Must be configured manually, hop by hop, to
form a policy.                                   ensure that packets are forwarded based on
                                                 policies.
The configuration command is route-policy.       The configuration command is policy-based-route.
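The forwarding order of Table 6-3, as an added example that is not part of the original document: a packet is matched against the policy rules first (here by source prefix and packet length, the match criteria 6.9 and 6.10.2 mention), and only when no rule matches, or the matched rule's outgoing interface is unusable, does the packet fall through to the longest-prefix lookup in the FIB. The FIB entries, rules and interface names are constructed for this example and do not reproduce the policy-based-route command syntax.

```python
import ipaddress

# Constructed FIB: (prefix, outgoing interface); the longest matching prefix wins.
FIB = [("0.0.0.0/0", "GE0/0/0"), ("10.0.0.0/8", "GE0/0/1"), ("10.1.0.0/16", "GE0/0/2")]

# Constructed policy, evaluated in order before the FIB.  Each rule holds match
# conditions and an outgoing interface; a rule whose interface is down fails.
POLICY = [
    {"src": "192.168.10.0/24", "out": "GE0/0/3"},  # a guest segment pinned to a separate uplink
    {"min_length": 1000, "out": "GE0/0/4"},        # bulk traffic steered to a high-capacity link
]


def fib_lookup(fib, dst):
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rule_matches(rule, pkt):
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    if "dst" in rule and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule["dst"]):
        return False
    if "min_length" in rule and pkt["length"] < rule["min_length"]:
        return False
    return True


def forward(pkt, policy, fib, interfaces_up):
    """Return (decision, interface).  PBR is consulted first; the packet falls
    back to the destination-based FIB only when no rule matches or the matched
    rule's interface is unusable."""
    for rule in policy:
        if rule_matches(rule, pkt) and rule["out"] in interfaces_up:
            return ("pbr", rule["out"])
    return ("fib", fib_lookup(fib, pkt["dst"]))


ALL_UP = {"GE0/0/0", "GE0/0/1", "GE0/0/2", "GE0/0/3", "GE0/0/4"}
```

Because the policy is evaluated before the FIB, a source-address rule overrides any static or dynamic route for matching packets, which is the behaviour 6.9 describes; it also means the rule trusts a field the sender controls, so a source-keyed policy should only be applied on interfaces where anti-spoofing filtering already holds.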

6.11 Load Balancing

The Eudemon supports the multi-route mode: users can configure multiple routes to the same destination with the same preference. If several routes discovered by a routing protocol have the same destination and the same cost, load balancing can be performed among them. Load balancing is classified into the following types:

- Packet-by-packet load balancing

When packet-by-packet load balancing is configured, the Eudemon forwards packets to the same destination over the various equal-cost paths at the network layer. That is, for each packet the Eudemon chooses a next hop address different from the one used for the previous packet. Figure 6-14 shows packet-by-packet load balancing.

Figure 6-14 Networking diagram of packet-by-packet load balancing (EudemonA reaches 10.1.1.0/24 behind EudemonD over two equal-cost paths through EudemonB and EudemonC, leaving EudemonA on POS1/0/0 and POS2/0/0; packets P1, P3, P5 take POS1/0/0 and P2, P4, P6 take POS2/0/0)

EudemonA forwards packets to the destination 10.1.1.0/24. Packets P1, P2, P3, P4, P5, and P6 need to be forwarded to that destination, and they are sent as follows:

– P1 through POS 1/0/0

– P2 through POS 2/0/0

– P3 through POS 1/0/0

– P4 through POS 2/0/0

– P5 through POS 1/0/0

– P6 through POS 2/0/0

EudemonA sends packets to 10.1.1.0/24 alternately through the two interfaces.

- Session-by-session load balancing

When session-by-session load balancing is configured, the Eudemon forwards packets according to the source address, destination address, source port, destination port, and protocol carried in the packets. When these five fields are the same, the Eudemon always chooses the same next hop address as for the previous packet of that flow. Figure 6-15 shows session-by-session load balancing.

Figure 6-15 Networking diagram of session-by-session load balancing (EudemonA reaches 10.1.1.0/24 and 10.2.1.0/24 behind EudemonD over two equal-cost paths through EudemonB and EudemonC; packets P1 to P6 for 10.1.1.0/24 all leave through POS1/0/0, and P1 to P6 for 10.2.1.0/24 all leave through POS2/0/0)

EudemonA forwards packets to the destinations 10.1.1.0/24 and 10.2.1.0/24. The rule of session-by-session load balancing is that packets of the same flow are always sent along the path chosen for the first packet. EudemonA forwards packets as follows:

– The first packet P1 to 10.1.1.0/24 is forwarded through POS 1/0/0, so all subsequent packets of that flow are forwarded through that interface.

– The first packet P1 to 10.2.1.0/24 is forwarded through POS 2/0/0, so all subsequent packets of that flow are forwarded through that interface.

NOTE

By default, the Eudemon uses session-by-session load balancing. Run the load-balance packet command to change the load balancing mode to packet-by-packet.
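The two modes side by side, as an added example that is not part of the original document: the packet-by-packet balancer rotates through the equal-cost paths for every packet, while the session-by-session balancer keys a session table on the 5-tuple, assigns a path when a flow is first seen and reuses it for every later packet of that flow, which is the behaviour of Figures 6-14 and 6-15. The two flows and the interface names are constructed for this example.

```python
from itertools import cycle

PATHS = ["POS1/0/0", "POS2/0/0"]  # the two equal-cost next hops of Figures 6-14 and 6-15


class PacketByPacket:
    """Each packet takes the next path in turn, regardless of the flow it belongs to."""

    def __init__(self, paths):
        self._next = cycle(paths)

    def choose(self, pkt):
        return next(self._next)


class SessionBySession:
    """The first packet of a flow (5-tuple) is assigned a path round-robin; every
    later packet with the same 5-tuple reuses it, so a flow never straddles paths."""

    def __init__(self, paths):
        self._next = cycle(paths)
        self.sessions = {}

    def choose(self, pkt):
        key = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["proto"])
        if key not in self.sessions:
            self.sessions[key] = next(self._next)
        return self.sessions[key]


def distribute(balancer, packets):
    """Run a packet sequence through a balancer and return the chosen path per packet."""
    return [balancer.choose(p) for p in packets]


# Constructed traffic: one TCP flow to 10.1.1.0/24 and one to 10.2.1.0/24,
# interleaved as they would arrive at EudemonA.
FLOW_A = {"src": "10.0.0.1", "dst": "10.1.1.10", "sport": 40000, "dport": 443, "proto": 6}
FLOW_B = {"src": "10.0.0.1", "dst": "10.2.1.10", "sport": 40001, "dport": 443, "proto": 6}
PACKETS = [FLOW_A, FLOW_B] * 6
```

Packet-by-packet mode splits one TCP connection across both paths, so a stateful device or IDS sitting on only one of them sees half a conversation and the receiver may see reordering; that is the practical reason the session-by-session default is the safer choice on a firewall, and why the load-balance packet command should be applied knowingly.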


In practice, the protocols that support load balancing are RIP, OSPF, BGP, and IS-IS. Static routes also support load balancing.

NOTE

The number of equal-cost routes among which load balancing is performed varies with the product.

6.12 Introduction to QoS

6.12.1 QoS Overview

6.12.2 Traditional Packets Transmission Application

6.12.3 New Application Requirements

6.12.4 Congestion Causes, Impact and Countermeasures

6.12.5 Traffic Control Techniques

6.12.1 QoS Overview

Quality of service (QoS) measures the ability of a supplier to meet customer demands. On the Internet, QoS measures the ability of the network to transmit packets. The network provides a wide variety of services, so QoS is assessed from different aspects.

QoS generally refers to the analysis of the issues in the process of sending packets, such as bandwidth, delay, jitter, and packet loss ratio.

6.12.2 Traditional Packets Transmission Application

It is difficult to ensure QoS in a traditional IP network. Routers treat all packets equally and forward them First In First Out (FIFO). The resources used to forward packets are allocated in the order in which the packets arrive.

All packets share the bandwidth of the network and its devices, and the resources a packet obtains depend only on its arrival time. This policy is called best effort (BE): the device does its best to deliver packets to the destination, but gives no guarantee about delay, jitter, packet loss ratio, or reliability.

The traditional BE mode is suitable only for services with no specific requirements on bandwidth and jitter, such as the World Wide Web (WWW), file transfer, and e-mail.

6.12.3 New Application Requirements

With the rapid development of networking, more and more networks are connected to the Internet, which has grown greatly in size, scope, and number of users. The Internet is increasingly used as a platform for data transmission and for implementing various applications, and service providers also want to develop new services for more profit.

Apart from traditional applications such as WWW, e-mail, and the File Transfer Protocol (FTP), the Internet has expanded to services such as e-learning, telemedicine, videophone, videoconferencing, and video on demand. Enterprise users want to connect their branches in different areas through VPN technologies to implement applications such as accessing corporate databases or managing remote devices through Telnet.

The new applications place special requirements on bandwidth, delay, and jitter. For example, videoconferencing and video on demand need high bandwidth, low delay, and low jitter; Telnet needs low delay and priority handling when congestion occurs.

With the emergence of new services, the demands on the service capability of IP networks have increased. Users expect not only that traffic reaches the destination but also a better quality of service. For example, IP networks are expected to provide dedicated bandwidth, reduce the packet loss ratio, avoid network congestion, control network traffic, and set packet preferences, so as to provide different QoS for different services.

These conditions demand better service capability from the network.

6.12.4 Congestion Causes, Impact and Countermeasures

Low QoS in traditional networks is mainly caused by network congestion. Congestion is the phenomenon in which the available resources temporarily cannot meet the requirements of the traffic, so bandwidth cannot be guaranteed, QoS decreases, and delay and jitter grow.

Congestion Causes

Congestion often occurs in the complex packet switching environment of the Internet. It is causedby the bandwidth bottleneck of two types of links, as shown in Figure 6-16.

Figure 6-16 Schematic diagram of traffic congestion: (a) interfaces operating at different speeds, a 100M input link feeding a 10M output link; (b) interfaces operating at the same speed, several 100M input links feeding one 100M output link

- Packet flows reach the router from a high-speed link and are then forwarded over a low-speed link.
- Packet flows reach the router from several interfaces working at the same rate and are then forwarded out of one interface working at that rate.

If flows reach the router at line rate, congestion occurs because of the resource bottleneck.

Link bandwidth bottlenecks are not the only cause of congestion. Any resource shortage, such as insufficient processor, buffer, or memory capacity, may cause congestion during normal forwarding. In addition, when the traffic destined to a certain destination at a specific time is out of control and exceeds the available network resources, network congestion occurs.

Congestion Effect

Congestion can have the following negative effects:

- Increases delay and jitter in sending packets.
- Long delay can cause retransmission of packets.
- Reduces network throughput and causes resources to be assigned unequally on the network.
- Consumes more network resources, particularly storage resources, when congestion is aggravated. If resources are not allocated properly, there may be a system deadlock or the system may crash.

Congestion is the main cause of decline in QoS. It is very common in complex networks and must be addressed to increase the efficiency of the network.

Countermeasures

The following two methods are commonly used to address network congestion:

- Increasing the network bandwidth is a direct way to solve the shortage of resources. This method, however, cannot solve all congestion problems.
- Improving the traffic control and resource allocation functions at the network layer is a more effective method. It requires providing differentiated services (Diff-Serv) for applications that have different QoS demands. During resource allocation and traffic control, the direct and indirect factors that cause network congestion can be controlled to a greater extent, and in case of congestion resources can be allocated according to each application's demand, reducing the influence of congestion on QoS to the minimum.

6.12.5 Traffic Control Techniques

The following techniques are commonly used to control traffic in the network:

- Traffic classification: identifies packets according to specific matching rules. It is the basis of Diff-Serv.
- Traffic policing: controls the traffic rate. The rate of traffic entering the network is monitored and traffic exceeding its rate limit is restricted, so that only a reasonable volume of traffic passes into the network. This optimizes the use of network resources and protects the interests of the providers.
- Congestion management: handles resource allocation during network congestion. Packets are first stored in queues, and a scheduling algorithm then decides the order in which they are forwarded. Congestion management includes creating queues, classifying packets, sending packets to a specific queue, and scheduling the queues. During scheduling, packets are processed according to their priorities: the higher the priority, the earlier the packet is sent.


The common queue scheduling mechanisms are as follows:

– First-in, first-out (FIFO) queuing
– Priority queuing (PQ)
– Custom queuing (CQ)
– Weighted fair queuing (WFQ)
– Class-based queuing (CBQ)

Among these traffic control techniques, traffic classification is the basic one. Trafficclassification identifies packets according to certain matching rules. In this sense, trafficclassification is a prerequisite to differentiated services. Traffic policing and congestionmanagement control network traffic and resource allocation from different aspects, whichreflects the concept of differentiated services.

QoS assesses the supported service capability against core requirements such as bandwidth, throughput, delay, delay jitter, packet loss ratio, and availability during packet forwarding. Generally, the following functions are used to relieve congestion:

- Traffic classification
- Traffic policing
- Congestion management
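As an added example (not from the original document and not Eudemon code) of the three techniques above working together, the Python below classifies a constructed packet trace by DSCP and destination port, polices the trace with a token bucket, and drains the queues with strict priority scheduling. The classification rules, rates, burst sizes and the trace are assumptions chosen for the example.

```python
"""Added example (not Huawei code): traffic classification, token-bucket
policing and strict priority queuing over a constructed packet trace."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float       # arrival time in seconds (constructed)
    size: int      # bytes
    dscp: int      # DiffServ code point from the IP header
    dst_port: int  # transport destination port


# Classification rules, evaluated in order: (class name, match predicate, priority).
# Priority 0 is scheduled first. Rules and priorities are assumptions for this example.
RULES = [
    ("voice", lambda p: p.dscp == 46, 0),            # EF marking
    ("telnet", lambda p: p.dst_port == 23, 1),       # the page: Telnet wants low delay
    ("video", lambda p: p.dscp in (34, 36, 38), 1),  # AF4x markings
    ("best-effort", lambda p: True, 2),              # catch-all
]


def classify(pkt):
    """First matching rule wins; the catch-all guarantees a result."""
    for name, match, prio in RULES:
        if match(pkt):
            return name, prio
    raise AssertionError("unreachable: the last rule matches every packet")


class TokenBucket:
    """Single-rate policer: `rate` bytes/s refilled continuously, `burst` bytes depth."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def conform(self, pkt):
        self.tokens = min(self.burst, self.tokens + (pkt.t - self.last) * self.rate)
        self.last = pkt.t
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size
            return True
        return False  # out of profile: the policer drops it


def police(packets, rate, burst):
    """Split an arrival-ordered trace into conforming and dropped packets."""
    bucket = TokenBucket(rate, burst)
    passed, dropped = [], []
    for p in packets:
        (passed if bucket.conform(p) else dropped).append(p)
    return passed, dropped


def schedule_pq(packets):
    """Strict priority queuing on a congested interface: every packet is queued,
    then the highest-priority non-empty queue is drained first, FIFO inside a queue.
    Returns the transmit order as (class name, packet) pairs."""
    queues = {}
    for p in packets:
        name, prio = classify(p)
        queues.setdefault(prio, deque()).append((name, p))
    order = []
    for prio in sorted(queues):
        order.extend(queues[prio])
    return order


# Constructed trace: six packets in 5 ms, a mix of web, voice, video and Telnet.
TRACE = [
    Packet(0.000, 1500, 0, 80),
    Packet(0.001, 200, 46, 5004),
    Packet(0.002, 1500, 34, 5006),
    Packet(0.003, 64, 0, 23),
    Packet(0.004, 1500, 0, 80),
    Packet(0.005, 200, 46, 5004),
]


def transmit_order(packets=TRACE):
    """Class names in the order strict PQ would put them on the wire."""
    return [name for name, _ in schedule_pq(packets)]


if __name__ == "__main__":
    print("PQ order:", transmit_order())
    ok, dropped = police(TRACE, rate=100_000, burst=2000)
    print("policed at 100 kB/s, burst 2000 B: passed", len(ok), "dropped", len(dropped))
```

Strict priority queuing starves lower classes while a higher queue is non-empty, which is why the policer matters: bounding the rate admitted into the high-priority class is what keeps a flood of EF-marked packets from taking the whole link.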

6.13 GPON Line

This topic describes the principles and security mechanism of the GPON line that is used for the upstream transmission of the SRG.

6.13.1 Introduction to the GPON Line Feature
This topic describes the principles and the security mechanism of the upstream transmission through the GPON line.

6.13.2 Principles of GPON Upstream Transmission
This topic describes the implementation principles of the GPON upstream transmission.

6.13.3 Principles of GPON Lines
This topic describes the implementation principles of the AES-128 encryption feature for GPON lines.

6.13.1 Introduction to the GPON Line Feature

This topic describes the principles and the security mechanism of the upstream transmission through the GPON line.

The SRG supports an upstream GPON port. As a multi-dwelling unit (MDU), the SRG takes full advantage of the wide coverage, flexible networking, and low maintenance cost of the GPON network. It works with the OLT to provide high-bandwidth broadband access for users, and it increases the number of users that can be served at the OLT end.

The GPON system uses AES-128 encryption for line security. Because downstream traffic on a PON is broadcast to every ONU on the shared fibre, this encryption is what prevents one subscriber's data from being read (stolen) by another ONU on the same PON.


NOTE

The Advanced Encryption Standard (AES), published by the National Institute of Standards and Technology (NIST) of the USA as Federal Information Processing Standard 197 (FIPS 197), is the current encryption standard. The AES algorithm uses 128-bit, 192-bit, or 256-bit keys to encrypt and decrypt 128-bit data blocks, thus protecting electronic data.

- The SRG supports one GPON upstream port with a downstream rate of 2.488 Gbit/s and an upstream rate of 1.244 Gbit/s.
- The SRG supports eight transmission containers (T-CONTs) with up to 32 GEM ports.
- The SRG can be configured and managed from the OLT through the OMCI protocol.
- The SRG supports T-CONT queue mapping and scheduling based on CoS.

6.13.2 Principles of GPON Upstream Transmission

This topic describes the implementation principles of the GPON upstream transmission.

The GPON upstream port of the SRG sends a PLOAM message that reports its serial number to the OLT for registration. The OLT decides whether to register the SRG by looking the serial number up in its internal serial-number database; that database is therefore the allow-list of ONUs admitted to the PON and must be kept current.

After the SRG registers with the OLT successfully, the OLT allocates T-CONTs to the SRG. The index of a T-CONT is an allocation ID (Alloc-ID) in the range 0 to 4095. The SRG supports up to eight T-CONTs. The OLT allocates bandwidth to the T-CONTs and sets their bandwidth parameters.

Packets of the SRG that go upstream from the switch fabric are mapped by the packet classifier to the specified GEM port and then to the T-CONT.

The classifier rule is VLAN ID + 802.1p priority.

The mapping of each service stream can be configured through the CLI or the NMS.
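The classification step above, as an added example that is not from the original document or the Eudemon software: a Python model that parses the 802.1Q tag of a constructed upstream Ethernet frame, looks the (VLAN ID, 802.1p priority) pair up in a mapping table, and returns the GEM port and the T-CONT (Alloc-ID). The mapping entries, GEM port numbers and Alloc-IDs are assumptions; the limits (8 T-CONTs, 32 GEM ports, Alloc-ID 0 to 4095) are the ones stated on the page. A frame that matches no entry is dropped rather than assigned to a default T-CONT.

```python
"""Added example (not Huawei code): upstream classification of a tagged Ethernet
frame into a GEM port and a T-CONT by VLAN ID + 802.1p priority."""
import struct

TPID_8021Q = 0x8100
MAX_TCONTS = 8        # SRG limit stated on the page
MAX_GEM_PORTS = 32    # SRG limit stated on the page
ALLOC_ID_MAX = 4095   # Alloc-ID range stated on the page


def parse_vlan_tag(frame):
    """Return (vid, pcp) for a single-tagged frame, None for an untagged one."""
    if len(frame) < 18:
        raise ValueError("frame too short to carry an 802.1Q tag")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF, tci >> 13   # VID is the low 12 bits, PCP the top 3


class UpstreamClassifier:
    def __init__(self):
        self._gem_of = {}    # (vid, pcp or None) -> GEM port
        self._tcont_of = {}  # GEM port -> Alloc-ID (T-CONT)

    def map_flow(self, vid, pcp, gem_port, alloc_id):
        """Install one service-stream mapping, as the CLI or NMS would.
        pcp=None matches any priority within the VLAN."""
        if not 1 <= vid <= 4094 or not (pcp is None or 0 <= pcp <= 7):
            raise ValueError("invalid VLAN ID or 802.1p priority")
        if not 0 <= alloc_id <= ALLOC_ID_MAX:
            raise ValueError("Alloc-ID outside 0..4095")
        if self._tcont_of.get(gem_port, alloc_id) != alloc_id:
            raise ValueError("a GEM port belongs to exactly one T-CONT")
        if len(set(self._gem_of.values()) | {gem_port}) > MAX_GEM_PORTS:
            raise ValueError("more than %d GEM ports" % MAX_GEM_PORTS)
        if len(set(self._tcont_of.values()) | {alloc_id}) > MAX_TCONTS:
            raise ValueError("more than %d T-CONTs" % MAX_TCONTS)
        self._gem_of[(vid, pcp)] = gem_port
        self._tcont_of[gem_port] = alloc_id

    def classify(self, frame):
        """(gem_port, alloc_id) for a frame; None means no mapping, so drop it
        instead of silently assigning a default T-CONT."""
        tag = parse_vlan_tag(frame)
        if tag is None:
            return None
        vid, pcp = tag
        gem = self._gem_of.get((vid, pcp), self._gem_of.get((vid, None)))
        if gem is None:
            return None
        return gem, self._tcont_of[gem]


def build_frame(vid, pcp, payload=bytes(46)):
    """Constructed single-tagged frame: dst MAC, src MAC, 802.1Q tag, IPv4 ethertype."""
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    tag = struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return dst + src + tag + b"\x08\x00" + payload


def demo_classifier():
    """Mapping assumed for the example: VLAN 100 priority 5 (voice) and all of
    VLAN 200 (data) to two GEM ports in two T-CONTs."""
    c = UpstreamClassifier()
    c.map_flow(100, 5, gem_port=1001, alloc_id=256)
    c.map_flow(200, None, gem_port=1002, alloc_id=257)
    return c


if __name__ == "__main__":
    c = demo_classifier()
    for vid, pcp in ((100, 5), (200, 3), (100, 0)):
        print((vid, pcp), "->", c.classify(build_frame(vid, pcp)))
```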

6.13.3 Principles of GPON Lines

This topic describes the implementation principles of the AES-128 encryption feature for GPON lines.

Working Principles

AES replaces the DES and 3DES algorithms, which are less secure. With AES-128 the key is chosen from 2^128 (about 3.4 × 10^38) possible keys, so even an attacker able to test one million keys per second would need on the order of 10^25 years to search the whole key space. Brute force is therefore not the practical risk; the strength of the line encryption rests on how the key is generated, delivered, and switched, which is the procedure described below. In the GPON system the AES encryption is applied to the downstream GEM payload; the key is generated by the ONU and carried to the OLT in PLOAM messages.

In the AES-128 encryption system, the SRG supports key change and key switching:

1. When a key change is required, the OLT sends a key change request. On receiving the request, the ONU (ONT or SRG) responds and generates a new key.


2. The length of a PLOAM message is limited, so the generated key is sent to the OLT in two parts, and each part is sent three times.

3. If the OLT does not receive all three copies of the key, it resends the key change request. The OLT keeps sending the key change request until it has received the same key three times.

4. After receiving the new key, the OLT starts the key switching.

5. The OLT notifies the ONU (ONT or SRG) of the new key by sending a command that contains the number of the frame from which the new key applies. This command is generally sent three times; as long as the ONU receives it once, it switches to the new key from the corresponding downstream data frame.
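The key change and switching procedure above, as an added example that is not part of the original document or the Eudemon firmware: a simplified Python model in which the ONU generates a fresh key on every request and sends each half three times over a lossy link, the OLT accepts the key only once it holds three identical copies of every part and otherwise re-requests, and the switching command carrying the frame number is sent three times. Message names, the fragment size, the drop pattern, the frame offset and the deterministic key source are assumptions; the real PLOAM message formats are defined in ITU-T G.984.3.

```python
"""Added example (not Huawei code): simplified model of the GPON key change and
key switching exchange over a lossy link."""
import os

KEY_LEN = 16          # AES-128 key
FRAGMENT_LEN = 8      # assumption: one PLOAM message carries half the key
REPEATS = 3           # each fragment and each switching command is sent three times
SWITCH_OFFSET = 10    # assumption: switch ten downstream frames after the key is accepted


class LossyLink:
    """Delivers messages in order, dropping those whose sequence number is in `drop`."""
    def __init__(self, drop=()):
        self.drop, self.seq = set(drop), 0

    def deliver(self, msg):
        self.seq += 1
        return None if self.seq in self.drop else msg


def sequential_keys():
    """Deterministic key source for demonstrations only: 0x01.., 0x02.., ..."""
    state = {"n": 0}

    def source(n):
        state["n"] += 1
        return bytes([state["n"]]) * n
    return source


class ONU:
    def __init__(self, key_source=os.urandom):
        self.key_source = key_source
        self.active_key = bytes(KEY_LEN)   # all-zero key before the first change
        self.pending_key = None
        self.switch_frame = None

    def on_key_request(self, link):
        """Steps 1-2: generate a fresh key and send REPEATS copies of each fragment."""
        self.pending_key = self.key_source(KEY_LEN)
        sent = []
        for idx in range(KEY_LEN // FRAGMENT_LEN):
            frag = self.pending_key[idx * FRAGMENT_LEN:(idx + 1) * FRAGMENT_LEN]
            for _ in range(REPEATS):
                sent.append(link.deliver(("KEY_FRAGMENT", idx, frag)))
        return [m for m in sent if m is not None]   # what the OLT actually receives

    def on_key_switch(self, msg):
        """Step 5: one received copy of the switching command is enough."""
        if msg is not None and msg[0] == "KEY_SWITCHING_TIME":
            self.switch_frame = msg[1]

    def key_for_frame(self, frame_no):
        """Key applied to downstream frame `frame_no`: the new key from the switch frame on."""
        if self.switch_frame is not None and frame_no >= self.switch_frame:
            self.active_key = self.pending_key
        return self.active_key


class OLT:
    def __init__(self):
        self.requests_sent = 0
        self.new_key = None

    @staticmethod
    def assemble(received):
        """Step 3: accept only if every fragment arrived REPEATS times with identical content."""
        copies = {}
        for _, idx, frag in received:
            copies.setdefault(idx, []).append(frag)
        parts = []
        for idx in range(KEY_LEN // FRAGMENT_LEN):
            got = copies.get(idx, [])
            if len(got) != REPEATS or len(set(got)) != 1:
                return None
            parts.append(got[0])
        return b"".join(parts)

    def run_key_change(self, onu, link, current_frame, max_requests=10):
        """Steps 1-5; returns the frame number at which both ends switch keys."""
        while self.requests_sent < max_requests:
            self.requests_sent += 1
            key = self.assemble(onu.on_key_request(link))
            if key is not None:
                self.new_key = key
                break
        else:
            raise RuntimeError("key change failed after %d requests" % max_requests)
        switch_at = current_frame + SWITCH_OFFSET
        for _ in range(REPEATS):
            onu.on_key_switch(link.deliver(("KEY_SWITCHING_TIME", switch_at)))
        return switch_at


def simulate(drop=(), key_source=os.urandom):
    """Run one key change over a link with the given constructed drop pattern."""
    onu, olt, link = ONU(key_source), OLT(), LossyLink(drop)
    switch_at = olt.run_key_change(onu, link, current_frame=1000)
    return onu, olt, switch_at


if __name__ == "__main__":
    onu, olt, at = simulate(drop={2, 13, 14}, key_source=sequential_keys())
    print("requests:", olt.requests_sent, "switch at frame", at, "key", olt.new_key.hex())
```

The three-fold repetition protects the exchange against loss and corruption, not against an adversary: in G.984 the key fragments travel upstream unencrypted, and the scheme relies on other ONUs being unable to observe upstream transmissions on the PON. The "same key three times" rule is also what keeps the two ends from switching to different keys at the announced frame.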

6.14 Introduction to Voice Services

In line with the trend toward the integration of data, voice, and video services, the SRG functions as the enterprise gateway in the FTTO deployment model not only to provide broadband services (including data, live video, and VOD services) but also to provide end users with high-quality voice service through its built-in voice module directly over twisted pairs.

6.14.1 Overview of Voice Features
This topic describes the overall voice service solution of the SRG.

6.14.2 General Specifications
This topic describes the general specifications of the voice features.

6.14.3 H.248-based Voice Services
This topic describes the H.248 protocol and the running mechanisms of the H.248-based VoIP, MoIP, and FoIP services.

6.14.4 SIP-based Voice Services
This topic introduces the SIP protocol and describes in detail the user identification, registration flow, and implementation principles of the related SIP services.

6.14.5 Key Voice Features
This topic gives an overview of the key voice features and then describes the working principles of each sub-feature in detail.

6.14.6 Voice Reliability
This topic describes features related to voice reliability, including dual-homing networking, highly reliable transmission (SCTP), and voice QoS.

6.14.1 Overview of Voice Features

This topic describes the overall voice service solution of the SRG.

As an access device in the FTTB deployment model, the SRG not only provides broadband services (including data and live/on-demand video) but also provides high-quality voice services to end users directly over twisted pairs through its built-in voice module. The SRG thus fits the trend toward the integration of data, voice, and video services.

Figure 6-17 illustrates the overall voice service solution of the SRG.


Figure 6-17 Overall voice service solution of the SRG (main board: CPU and switching module; service boards: POTS interface, SLIC, CODEC and DSP; each service board is connected to the main board over GE; the VoIP service channel and the signaling channel are drawn separately)

In this figure, SLIC stands for subscriber line interface circuit. It processes analog signals: it supplies the feed and voice-frequency signals to the telephone, generates ringing, and detects off-hook and on-hook. CODEC converts between analog and digital signals. DSP processes the voice frequency (voice encoding, echo cancellation, and DTMF generation and detection) and converts digital signals into VoIP packets.

The VoIP service channel and the signaling channel are indicated by dotted lines in different colors in Figure 6-17. Each service board processes the service with its own DSP chip and communicates with the control board through the GE bus. The CPU processes the voice signaling: it encapsulates and parses signaling packets, handles user off-hook, issues control instructions such as ringing on the user port, and at the same time controls and manages the service boards.

6.14.2 General Specifications

This topic describes the general specifications of the voice features.

- Supporting the H.248 and SIP voice protocols
- Supporting a maximum of 32 voice users
- Supporting VoIP, FoIP, and MoIP (Table 6-4 lists the specific services supported)

Table 6-4 Voice services supported

Type: SIP service
- Basic SIP call services
- SIP call holding service
- SIP three-party service
- SIP call waiting service
- SIP conference calling service
- SIP call transfer service
- SIP registration and management
- SIP fax service
- SIP modem service
- SIP calling line identification presentation (CLIP) service
- Notification and display of the charge information of SIP calls (advice of charge at the end of the call only)
- SIP message waiting indicator (MWI) service
- SIP malicious call tracing
- SIP ua-profile subscription
- Distinctive ringing

Type: MGCP/H.248 services
- Common POTS service
- New POTS services: calling party release, called party release, last-party release, first-party release, call waiting service, call transfer service, call forwarding service, co-group pickup service, designated pickup service, three-party service, conference calling service, CLIP service
- FoIP services: auto-switching fax service, T.30 transparent transmission fax service, T.38 fax service, configuration of fax parameters and of V2 and V3 fax flows
- MoIP services: transparent transmission modem service, auto-switching modem flow, softswitch-controlled modem flow, direct mode of event report, low-speed modem, high-speed modem
- ## service
- MWI service
- Distinctive ringing
- Advice of charge at the end of conversation
- Dual tone multi-frequency (DTMF) transmission

- Supporting G.711 A-law/μ-law encoding and decoding at packetization periods of 10 ms, 20 ms, and 30 ms
- Supporting G.729 encoding and decoding at packetization periods of 20 ms, 40 ms, and 60 ms
- Complying with RFC 2833 (H.248 only) and RFC 2198, and supporting voice features such as echo cancellation (EC), voice activity detection (VAD), DTMF, voice quality enhancement (VQE), and modem quality enhancement
- Supporting circuit test, loop line test, call emulation test, and connectivity test
- Supporting H.248 and SIP dual homing
- Supporting a digitmap of up to 8 KB
- Supporting 16 G.711 DSP channels or 16 G.729 DSP channels

6.14.3 H.248-based Voice Services

This topic describes the H.248 protocol and the running mechanisms of the H.248-based VoIP, MoIP, and FoIP services.

Introduction to the H.248 Protocol

This topic describes the definition, purpose, and reference standards and protocols of the H.248 protocol.


Definition

H.248 is a media gateway control protocol through which the media gateway controller (MGC)controls the media gateway (MG) so that interoperability is implemented between differentmedia. ITU-T issued the first version of this protocol in June 2000.

Purpose

Compared with MGCP, H.248 has the following merits:

- Supports more types of access technologies, and is more thorough and complete in standardization
- Compensates for the deficiency of MGCP in descriptiveness, is applicable to larger networks, and has better extensibility and flexibility
- Can be carried over various transport protocols, such as UDP and SCTP (MGCP messages are carried over UDP only); the SRG supports only H.248 carried over UDP

NOTE

MGCP is defined by IETF. MGCP defines a call control structure. In this structure, call control is separatedfrom service carrying. Call control is independent of the MG and is processed by the MGC. Therefore, MGCPis a master-slave protocol in nature. The MG creates various service connections under the control of the MGC.

Reference Standards and Protocols

RFC 3525, Gateway Control Protocol Version 1 (H.248)

Mechanism of the H.248 Protocol

This topic describes the basic concepts and mechanism of the H.248 protocol.

Termination ID

A termination ID identifies a termination whose service is to be registered or deregistered. Each termination ID is unique. During service configuration, the termination ID of each termination must be configured identically on the MG and the MGC. The root termination ID represents the entire MG: a ServiceChange command executed on the root termination applies to the whole MG. For wildcarding, the ALL wildcard (*) can be used but the CHOOSE wildcard ($) cannot.

Registration Mechanism of the H.248 Interface

The MG sends the ServiceChangeRequest command to inform the MGC that a user or a group of users is about to register or deregister service. After the command is executed successfully, the termination status changes to InService or OutOfService. The MGC can also send an unsolicited ServiceChangeRequest command requesting the MG to register or deregister service for a user or a group of users.

NOTE

Currently, the MG does not support an unsolicited ServiceChangeRequest from the MGC that requests the MG to register service for a user or a group of users.

Figure 6-18 shows the registration flow of the MG.


Figure 6-18 Registration flow of the MG (MG to MGC: ServiceChange; MGC to MG: Reply; MGC to MG: Modify; MG to MGC: Reply)

Description of the flow:

1. The MG sends the ServiceChangeRequest command to the MGC. In the command, TerminationId is Root, Method is Restart, and ServiceChangeReason is 901 (cold boot: registering for the first time after power-on), 902 (warm boot: registration triggered from the command line), or 900 (other cases).

2. The MGC sends a Reply message to the MG indicating successful registration.

3. The MGC sends the Modify command to the MG requesting the MG to detect off-hook of all users (al/of).

4. The MG responds to the MGC with a Reply message.

Heartbeat Mechanism of the H.248 Interface

After registration succeeds, the MG and the MGC maintain communication by sending each other the heartbeat message Notify (it/ito). By default, the heartbeat message is sent every 60 s; the sending interval can be set within the range of 5 to 655 s.

After the MG sends a heartbeat message, if it does not receive the heartbeat response from the MGC before the preset interface heartbeat timer (for example, three sending intervals) expires, the MG sets the interface status to "wait for response" and then keeps initiating registration with the MGC. If dual homing is configured, the MG registers with the two MGCs alternately. A registration is initiated every 30 s, three attempts form one round, and each registration message is retransmitted 7 times, so 24 registration messages in total are sent within 90 s. The MG then starts the next round of registration with the other MGC.
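The heartbeat supervision and re-registration schedule described above, as an added example that is not from the original document or the Eudemon software: Python logic that flips the interface to "wait for response" once three heartbeat intervals pass without a reply and then generates the registration messages, alternating between the two MGCs of a dual-homing configuration. The timer values are the ones stated on the page; the MGC names are constructed, and the retransmissions are recorded at the time of the attempt they belong to.

```python
"""Added example (not Huawei code): H.248 heartbeat supervision and the
re-registration schedule of a dual-homed MG."""

HEARTBEAT_INTERVAL = 60.0        # default Notify (it/ito) interval in seconds
HEARTBEAT_TIMEOUT_INTERVALS = 3  # "wait for response" after three intervals without a reply
REG_INTERVAL = 30.0              # one registration attempt every 30 s
REG_ATTEMPTS_PER_ROUND = 3       # three attempts make one round on one MGC
REG_RETRANSMITS = 7              # each registration message is retransmitted 7 times


class H248Interface:
    def __init__(self, mgcs, heartbeat_interval=HEARTBEAT_INTERVAL):
        if not 5 <= heartbeat_interval <= 655:
            raise ValueError("heartbeat interval must be within 5..655 s")
        if not 1 <= len(mgcs) <= 2:
            raise ValueError("one MGC, or two for dual homing")
        self.mgcs = list(mgcs)
        self.interval = float(heartbeat_interval)
        self.status = "registered"
        self.last_reply = 0.0

    def heartbeat_reply(self, now):
        """A heartbeat response from the MGC resets the supervision timer."""
        self.last_reply = now
        self.status = "registered"

    def check(self, now):
        """Evaluate supervision at a heartbeat send time and return the interface status."""
        timeout = self.interval * HEARTBEAT_TIMEOUT_INTERVALS
        if self.status == "registered" and now - self.last_reply >= timeout:
            self.status = "wait for response"
        return self.status

    def registration_schedule(self, start, rounds):
        """Every registration message sent from `start` for `rounds` rounds, as
        (send time, MGC, copy index); copy 0 is the original, 1..7 the retransmissions.
        With dual homing the MG alternates MGCs from one round to the next."""
        msgs, t = [], start
        for r in range(rounds):
            mgc = self.mgcs[r % len(self.mgcs)]
            for _ in range(REG_ATTEMPTS_PER_ROUND):
                msgs.extend((t, mgc, copy) for copy in range(1 + REG_RETRANSMITS))
                t += REG_INTERVAL
        return msgs


def failover_start(interface, last_reply_at):
    """Time at which the MG gives up on its current MGC, given the last reply seen."""
    return last_reply_at + interface.interval * HEARTBEAT_TIMEOUT_INTERVALS


if __name__ == "__main__":
    mg = H248Interface(["mgc-a", "mgc-b"])
    mg.heartbeat_reply(0.0)
    for t in (60.0, 120.0, 180.0):
        print("t=%.0f status=%s" % (t, mg.check(t)))
    sched = mg.registration_schedule(failover_start(mg, 0.0), rounds=2)
    print(len(sched), "registration messages; first round to", sched[0][1])
```

With the default timers the MG does not start re-registering until 180 s after the last good reply, and each round on one MGC takes a further 90 s; that is the figure to use when estimating how long voice signaling is lost during an MGC outage.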

Deregistration Mechanism of the H.248 Interface

Figure 6-19 shows the unsolicited deregistration flow of the MG.


Figure 6-19 Unsolicited deregistration flow of the MG (MG to MGC: ServiceChange; MGC to MG: Reply)

Description of the flow:

1. The MG sends the ServiceChangeRequest command to the MGC. In the command, TerminationId is Root, Method is Forced, and ServiceChangeReason is 905. Reason 905 indicates that the termination is taken out of service because of a maintenance operation; the MG uses it when a deregistration is initiated from the command line.

2. The MGC sends the Reply message to the MG indicating a successful deregistration.

Figure 6-20 shows the flow of the MGC unsolicitedly deregistering the MG.

Figure 6-20 Unsolicited deregistration flow of the MGC (MGC to MG: ServiceChange; MG to MGC: Reply)

Description of the flow:

1. The MGC sends the ServiceChangeRequest command to the MG. In the command,TerminationId is Root, Method is Forced, and ServiceChangeReason is 905.

2. The MG responds to the MGC with a Reply message.

The SRG (MG) supports registration and deregistration not only of the entire MG but also of a single termination. The service status of a single user can be changed by registering or deregistering that termination.


Authentication Mechanism of the H.248 Interface

Authentication is a security mechanism through which the MGC verifies that the MG is legitimate. Its purpose is to prevent unauthorized entities from establishing illegal calls or interfering with legal calls through the H.248 or MGCP protocol. Authentication can be implemented only when it is also supported by the softswitch interconnected with the MG.

- In H.248, authentication is implemented according to RFC 2402 (IP Authentication Header).
- MD5 is used as the message digest algorithm. RFC 2402 authentication provides integrity and origin authentication of the signaling, not confidentiality, and MD5 is no longer regarded as a strong hash; use a stronger digest where the softswitch supports one.

Figure 6-21 shows the authentication flow.

Figure 6-21 Authentication flow between the MG and the softswitch: (1) ServiceChange from the MG, (2) Reply, (3) Modify from the softswitch, (4) Reply, (5) Modify, (6) Reply

The basic flow is as follows:

1. The MG sends the ServiceChange command to register with the MGC. The command carries the digital signature of the MG.

2. After receiving the ServiceChange command, the softswitch verifies the MG and sends a reply.

3. The softswitch sends a Modify message to the MG. The message contains the required algorithm ID and a random number.

4. The MG verifies the message sent by the softswitch and sends a reply.

5. The softswitch authenticates the MG periodically.

6. The MG sends replies to the softswitch.
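The challenge-response part of the flow above (steps 3 to 6), as an added example that is not from the original document or the Eudemon software: a Python model in which the softswitch sends a Modify carrying the algorithm identifier and a random number, the MG answers with a keyed MD5 digest (HMAC-MD5) over its identity and that number, and the softswitch verifies the digest in constant time and accepts each random number only once. The message layout, the algorithm identifier string, the shared secret and the HMAC construction are assumptions; the real authentication data is framed per RFC 2402 inside H.248 and depends on the softswitch.

```python
"""Added example (not Huawei code): challenge-response authentication of an MG by
the softswitch with a keyed MD5 digest, modelled on steps 3 to 6 of Figure 6-21."""
import hashlib
import hmac
import os

ALGORITHM_ID = "HMAC-MD5"   # constructed identifier for the "required algorithm ID"


def auth_digest(secret, mg_id, nonce):
    """Keyed digest over the MG identity and the challenge nonce (assumed layout)."""
    return hmac.new(secret, mg_id.encode() + nonce, hashlib.md5).digest()


class Softswitch:
    def __init__(self, secrets):
        self.secrets = dict(secrets)   # MG identity -> shared secret
        self.outstanding = {}          # MG identity -> nonce awaiting a reply

    def modify_challenge(self, mg_id):
        """Step 3 (and step 5, periodically): Modify with algorithm ID and random number."""
        nonce = os.urandom(16)
        self.outstanding[mg_id] = nonce
        return {"cmd": "Modify", "algorithm": ALGORITHM_ID, "nonce": nonce}

    def verify(self, mg_id, reply):
        """Steps 4/6: the nonce is consumed on first use, so a captured Reply cannot
        be replayed, and the digest comparison is constant-time."""
        nonce = self.outstanding.pop(mg_id, None)
        secret = self.secrets.get(mg_id)
        if nonce is None or secret is None:
            return False
        return hmac.compare_digest(auth_digest(secret, mg_id, nonce), reply["digest"])


class MediaGateway:
    def __init__(self, mg_id, secret):
        self.mg_id, self.secret = mg_id, secret

    def reply(self, challenge):
        """Step 4/6: prove possession of the shared secret for this challenge."""
        if challenge["algorithm"] != ALGORITHM_ID:
            raise ValueError("softswitch asked for an algorithm this MG does not support")
        return {"cmd": "Reply", "mg": self.mg_id,
                "digest": auth_digest(self.secret, self.mg_id, challenge["nonce"])}


def authenticate(softswitch, mg):
    """One challenge/response round trip; True when the MG proves the shared secret."""
    challenge = softswitch.modify_challenge(mg.mg_id)
    return softswitch.verify(mg.mg_id, mg.reply(challenge))


if __name__ == "__main__":
    ss = Softswitch({"mg-1": b"shared-secret"})
    print("genuine MG:", authenticate(ss, MediaGateway("mg-1", b"shared-secret")))
    print("wrong secret:", authenticate(ss, MediaGateway("mg-1", b"wrong-secret")))
```

The random number is what makes step 5 worthwhile: without it an attacker who captured one valid Reply could re-send it to pass every periodic check, which is why the model refuses a second Reply for the same challenge. HMAC-MD5 is not practically forgeable today, but MD5 itself is deprecated, so a stronger digest should be preferred where the softswitch offers one.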

H.248-Based VoIP

This topic describes the principles of call establishment and release in the H.248-based VoIP service.


Figure 6-22 illustrates the principles of the call establishment and release in the H.248-basedVoIP service.

Figure 6-22 Principle of the VoIP feature that supports the H.248 protocol (MG-0 serving user A0 and MG-1 serving user A1, each controlled by the MGC over H.248; the call is a context on each MG with an RTP stream between the two MGs)

The basic flow of a call establishment and release is as follows:

1. MG-0 detects the offhook of user A0, and notifies the MGC of the offhook event throughthe Notify command.

2. After receiving the offhook event, the MGC sends a digitmap to MG-0, requests MG-0 toplay the dial tone to user A0, and at the same time checks for the digit collection event.

3. User A0 dials a telephone number, and MG-0 collects the digits according to the digitmapissued by the MGC. Then, MG-0 reports the result of digit collection to the MGC.

4. The MGC sends the Add command to MG-0 for creating a context and adding thetermination and RTP termination of user A0 into the context.

5. After creating the context, MG-0 responds to the MGC. The response contains the sessiondescription that provides the necessary information for the peer end to send the packet toMG-0, such as the IP address and UDP port number.

6. The MGC sends the Add command to MG-1 for creating a context and adding thetermination and RTP termination of user A1 into the context, and then issues the IP address/UDP port number of user A0 to user A1.

7. After creating the context, MG-1 responds to the MGC. The response contains the sessiondescription that provides the necessary information for the peer end to send the packet toMG-1, such as the IP address and UDP port number.

8. MG-1 detects the offhook of user A1, and then reports the offhook event to the MGC. Thesoftswitch (MGC) sends the Modify command to stop the ring back tone of user A0 andthe ringing of user A1.


9. The MGC sends the session description of MG-1 to user A0 through the Modify command.Then, the conversation is set up between users A0 and A1.

10. MG-0 detects the onhook of user A0, and notifies the MGC of the onhook event throughthe Notify command.

11. The MGC sends the Modify command to MG-0 and MG-1 respectively to modify the RTPmode to receive-only.

12. The MGC sends the Modify command to MG-1 requesting MG-1 to play the busy tone touser A1, and at the same time checks for the onhook event.

13. The MGC sends the Subtract command to MG-0, requesting MG-0 to release the resourcesthat are occupied by the call of user A0.

14. MG-1 detects the onhook of user A1, and notifies the MGC of the onhook event throughthe Notify command.

15. The MGC sends the Subtract command to MG-1, requesting MG-1 to release the resourcesthat are occupied by the call of user A1.

16. The call between users A0 and A1 is terminated, and all the resources occupied by the callare released.

H.248-based MoIP

This topic describes the principles of the connection setup and release of the H.248-based MoIPservice.

Modem over Internet Protocol (MoIP) refers to providing modem service over the IP network or between the IP network and the traditional PSTN. Depending on which device controls the switching of the DSP channel, MoIP is classified as softswitch-controlled MoIP or auto-switch MoIP.

Softswitch-Controlled MoIP

The basic flow of the softswitch-controlled MoIP service is as follows:

1. Set up a call. If the MoIP service is configured on the softswitch, the softswitch sends a command instructing the MG to detect modem events.

2. The calling party and the called party start communicating with each other.

3. During the call, when the MG detects the ANS or ANSAM modem start event (both are low-speed modem signals) or the ANSBAR or ANSAMBAR modem start event (both are high-speed modem signals), the MG reports the event to the softswitch.

4. According to the event, the softswitch issues a command instructing the MG to switch the DSP channels of the calling and called parties to low-speed or high-speed modem mode.

5. Following the command issued by the softswitch, the MG switches the DSP channel to the corresponding modem mode, using the encoding format and port number specified by the softswitch.

6. The settings of echo cancellation (EC), voice activity detection (VAD), and DSP working mode are as follows:

   (1) Low-speed modem: EC on, VAD off, DSP working mode: modem mode
   (2) High-speed modem: EC off, VAD off, DSP working mode: modem mode

7. After the modem data is transmitted, if the conversation continues, the DSP does not automatically switch back from modem mode to voice mode, because no modem end event is issued. The quality of the remaining voice conversation may therefore be affected.


Auto-Switch MoIP

The basic flow of the auto-switch MoIP service is as follows:

1. Set up a call.

2. The MGs at both ends check for the modem event on the IP side and the TDM side. When the modem event is detected and the modem transmission mode is configured as auto-switch, the coding mode is switched to G.711 (A-law or μ-law, configurable) and the DSP parameters are modified according to the modem mode detected (high-speed or low-speed).

3. When the modem service is completed, the call is released.

H.248-based FoIP

This topic describes the implementation principles of the H.248-based fax over Internet Protocol (FoIP) service.

FoIP refers to providing fax service over the IP network or between the IP network and the traditional PSTN. A fax machine can be regarded as a special modem; in FoIP negotiation, the modem negotiation is performed before the fax negotiation.

According to the transport protocol adopted, fax over IP is carried in one of two modes: the T.30 transparent transmission mode or the T.38 mode. Depending on which device controls the switching, FoIP is classified as softswitch-controlled FoIP or auto-switch FoIP.

Softswitch-Controlled FoIP

The fax service is divided into high-speed fax and low-speed fax. The softswitch-controlled low-speed fax service supports the T.30 transparent transmission mode and the T.38 mode. The basic service flow is as follows:

1. Configure the fax service and fax flow on the MGs and the softswitch.

2. After the voice channel is set up, the softswitch instructs the MG to detect fax and modem events.

3. When the MG detects a fax event, it reports the event to the softswitch. The event can be a high-speed modem event (ANSBAR or ANSAMBAR) or a low-speed fax event (V.21 flag).

4. According to the preset fax flow, the softswitch instructs the MGs at both ends to change the DSP channel working mode to the T.30 transparent transmission mode or the T.38 mode.

5. The fax starts.

6. After the fax is completed, if the MG detects the fax end event, it reports the event to the softswitch.

7. The softswitch instructs the MGs at both ends to change the DSP channel working mode back to voice mode.

8. The voice service continues.

The softswitch-controlled high-speed fax service supports the T.30 transparent transmission mode. The basic service flow is as follows:

1. Configure the fax service and fax flow on the MGs and the softswitch.

2. After the voice channel is set up, the softswitch instructs the MG to detect fax and modem events.

6 Network InterconnectionQuidway Eudemon 200E-C/200E-F Firewall

Feature Description

6-52 Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 01 (2009-12-01)

Page 163: Quidway Eudemon 200E-C&200E-F Firewall Feature Description(V100R002_01)

3. When detecting a fax event, the MG reports the event to the softswitch. The event can be a high-speed modem event (ANSBAR or ANSAMBAR) or a low-speed fax event (V.21 Flag; if the peer end is a low-speed fax machine or the network quality is poor, the fax speed is automatically decreased and this event is reported).
4. According to the preset fax flow, the softswitch instructs the MGs at both ends to change the DSP channel working mode to the T.30 transparent transmission mode.
5. Start the fax.
6. After the fax is completed, if the MG detects the fax end event, the MG reports the event to the softswitch.
7. The softswitch instructs the MGs at both ends to change the DSP channel working mode to the voice mode. The voice service continues.

Auto-Switch FoIP

The auto-switch fax service supports the T.30 transparent transmission mode and the T.38 mode. The basic service flow is as follows:

1. Configure the auto-switch fax service on the MGs at both ends.
2. Set up a call and start the conversation.
3. The MG checks for the fax event on the IP side and the TDM side. When detecting the fax event, the MG changes the DSP channel working mode to the T.30 transparent transmission mode or T.38 mode.
4. After the fax is complete, when the MG detects the fax end event, the MG changes the DSP channel working mode to the voice mode.
5. The voice service continues.

Common Fax Protocols

Two protocols are usually used for implementing the fax service on a packet voice network: ITU-T Recommendation T.30 and ITU-T Recommendation T.38.

T.30 is based on the PSTN. It defines the procedure for transmitting fax signals on the PSTN, the modulation modes (V.17/V.21/V.27/V.29/V.34), the HDLC transmission format of the data, and the physical standard for fax signals. T.30 fax messages and data can be carried transparently between MGs inside the G.711 voice stream; this is called the T.30 transparent transmission mode. Fax quality in this mode may be poor, because packet loss, latency, and reordering on the IP network corrupt the modem signal directly.

T.38 is a real-time fax mode based on the IP network. The MG terminates the T.30 signals sent by the fax machine and transmits the demodulated data to the peer MG in T.38 packets. The peer MG receives the T.38 packets and converts them back into T.30 signals. The merit of T.38 is that the fax packets have a redundancy mechanism and do not strictly rely on the network quality (the fax service can be processed even with 20% packet loss on the network). The demerit is that the DSP chip must parse the T.30 signals, and with the variety of terminals on the network, compatibility problems may arise. Figure 6-23 shows the principles of T.38 fax.


Figure 6-23 Principles of the T.38 fax

[Figure omitted. Elements shown: FAX - TDM - MG - UDP/IP over the IP backbone network (T.30 fax data encapsulated in T.38 packets) - MG - TDM - FAX; an MGC (Call Server) controls the MGs, and a TMG is shown on the IP backbone.]

6.14.4 SIP-based Voice Services

This topic provides an introduction to the SIP protocol, and describes in detail the user identification, registration flow, and implementation principles of the related services of the SIP protocol.

Introduction to the SIP Protocol

This topic describes the definition, purpose, and features of the Session Initiation Protocol (SIP).

Definition

SIP is an application-layer protocol for setting up, modifying, and terminating multimedia communication sessions or calls. The multimedia session can be a multimedia conference, distance learning, or Internet telephony. SIP can be used for initiating sessions or for inviting a member to join a session that was set up by other means. SIP transparently supports name mapping and redirection, which facilitates the implementation of ISDN services, intelligent network services, and personal mobility services. Once the session is set up, media streams are transmitted directly at the bearer layer through the Real-time Transport Protocol (RTP).

SIP supports the following five functions for multimedia communication:

1. User location: determination of the end system to be used for the communication
2. User capabilities: determination of the communication media and media parameters to be used


3. User availability: determination of the willingness of the called party to join the communication
4. Call setup: establishment of the call parameters at the calling party and the called party
5. Call handling: including transfer and termination of calls

SIP is a component of the IETF multimedia data and control architecture. Figure 6-24 shows the structure of the IETF multimedia data and control protocol stack.

Figure 6-24 IETF multimedia data and control protocol stack

[Figure omitted. The stack, from top to bottom: H.323, SIP, RTSP, RSVP, RTCP and codecs such as H.263 at the application layer; RTP beneath the media; TCP and UDP; IP; PPP, AAL3/4 and AAL5 as adaptation layers; SONET, ATM and Ethernet as link layers, with PPP over V.34 modems as a further access path.]

SIP can be used with the Resource Reservation Protocol (RSVP) for reserving network resources, with RTP for transporting real-time data and providing QoS feedback, with the Real-Time Streaming Protocol (RTSP) for controlling the delivery of real-time media streams, with the Session Announcement Protocol (SAP) for announcing multimedia sessions through multicast, and with the Session Description Protocol (SDP) for describing multimedia sessions. The functionality and implementation of SIP, however, do not depend on these protocols.

SIP can also co-operate with other call-establishment and signaling protocols. In this case an end system uses SIP to learn the address and protocol of the peer end through a protocol-independent address. For example, through SIP an end system can learn that the peer end supports H.323; it can then obtain the H.245 gateway address and user address and set up the call by H.225.0. Or, through SIP, an end system can learn that the peer end is reachable through the PSTN; SIP then specifies the number of the called party and suggests that the call be set up through an Internet-to-PSTN gateway.

SIP does not provide conference control services, such as floor control or voting, and does not specify how a conference should be managed. SIP can be used to introduce other session control protocols for the session. SIP does not allocate multicast addresses.


SIP can invite users to join a session with reserved or unreserved resources. SIP itself does not reserve resources, but it can convey the necessary information to the invited party.

By using a SIP gateway to interoperate between the Internet and the PSTN/ISDN, calls can be set up between POTS users connected through the Internet, and between POTS users and Internet phone users. A SIP gateway interoperating with H.323 can also be designed.

Purpose

SIP is expected to change how communication services are provisioned and consumed: a communication mode integrating video telephony, messaging, Web services, e-mail, synchronous browsing, and conference calls is being introduced to the telecommunication industry. Adopting SIP as the control-layer protocol has the following advantages:

1. Based on an open Internet standard, SIP has inherent benefits in the integration and interoperability of voice and data services. SIP can implement call control across media and across devices, and supports various media formats. SIP also supports dynamic adding and deleting of media streams, which makes it easier to support richer service features.
2. SIP places intelligence at the service and terminal side, thus reducing the network load and facilitating service provisioning.
3. SIP supports mobility functions at the application layer, including the dynamic registration mechanism, location management mechanism, and redirection mechanism.
4. SIP supports features such as presence, forking, and subscription, which facilitates the development of new services.
5. As a simple protocol, SIP has a generally acknowledged extensibility.

Protocol Features

SIP is a text-based protocol put forward by the IETF for IP telephony and multimedia conferencing. It is a lightweight signaling protocol with the following features:

1. Minimal state: One conference or phone call can consist of one or more requests or transactions. The proxy server can work in stateless mode.
2. Independence from lower-layer protocols: SIP makes minimal assumptions about the lower-layer protocols, which may provide reliable or unreliable, packet or byte-stream service. On the Internet, SIP can run over UDP or TCP; this implementation prefers UDP and uses TCP when UDP is not available.
3. Text-based: SIP uses the UTF-8 encoding of the ISO 10646 character set, which makes it easy to implement in languages such as Java and brings easy debugging, flexibility, and extensibility. The message length increases as a result, so the message format is designed to keep SIP messages easy to parse.
4. Robustness: The proxy server need not maintain call state, subsequent requests and retransmissions can take different routes, and responses are routed back along the path recorded in the request (the Via header fields).
5. Extensibility: Unrecognized header fields can be ignored, the client can specify which extensions the SIP server must understand (the Require header field), new header fields can be introduced easily, and status codes are encoded hierarchically, so that only the first digit must be understood.
6. Readiness to support IN services: Working with the end system, SIP and its call control extensions can support most services in ITU-T Capability Set 1 and Capability Set 2.

Reference Standards and Protocols

- RFC 3262: Reliability of Provisional Responses in the Session Initiation Protocol (SIP)
- RFC 3263: Session Initiation Protocol (SIP): Locating SIP Servers

Running Mechanism of the SIP Protocol

This topic describes the user identification, message format, and user registration flow of the SIP protocol.

SIP User Identification

The SIP user ID can be a SIP URL or a TEL URL, either of which identifies a SIP user uniquely. The user ID configured on the SRG and that on the IMS device must be the same.

The SIP URL is used in SIP messages to indicate the initiator of a request (From), the current destination address (Request-URI), the final receiver (To), and the address for redirection or direct contact (Contact). A SIP URL can also be embedded in a Web page or other hyperlink to indicate that a user or service can be reached through SIP; when embedded in a hyperlink, it implies the INVITE method. Its format is as follows:

SIP-URL="sip:"[ userinfo "@" ]hostport

For example:

sip:[email protected]

sip:+1-212-555-1212:[email protected];user=phone

sip:[email protected]

sip:[email protected]

sip:[email protected]

sip:alice%[email protected]

The TEL URL (telephone URI) identifies a resource by its telephone number. The number can be a global number or a local number. A global number complies with the E.164 numbering plan and starts with "+". A local number follows a local numbering plan and must carry a phone-context parameter that states where the number is valid. The formats are as follows:

tel:+86-755-6544487

tel:45687;phone-context=example.com

tel:45687;phone-context=+86-755-65


SIP Message Format

Format

The SIP message is encoded in text format, each line ending with CRLF (implementations should also accept a bare LF). There are two types of SIP messages: request messages and response messages. The format is as follows:

SIP message    = Start-line
                 *Message header field
                 Empty line (CRLF)
                 [Message body]

Start-line     = Request line | Status line

Message header = (General header field | Request header field | Response header field | Entity header field)

Request messages

The SRG supports the following SIP request messages: INVITE, ACK, OPTIONS, BYE, CANCEL, REGISTER, PRACK, and UPDATE. Table 6-5 lists the functions of the request messages.

Table 6-5 SIP request messages

Type of Request Message | Meaning
INVITE                  | Invites a user to join a call
ACK                     | Acknowledges the final response to an INVITE request
OPTIONS                 | Requests capability information
BYE                     | Releases a call that has been set up
CANCEL                  | Cancels a pending request, releasing a call that has not yet been set up
REGISTER                | Registers the user's location information on the SIP network server (registrar)
PRACK                   | Acknowledges a reliable provisional response (RFC 3262)
UPDATE                  | Updates the session parameters

Response messages

SIP response messages answer a SIP request message and indicate whether the call succeeds or fails. Response types are distinguished by the status code, a three-digit integer: the first digit defines the class of the response, and the remaining two digits give further detail. Table 6-6 lists the classes of response messages.


Table 6-6 SIP response messages

Status Code | Type           | Category
1xx         | Informational  | Provisional
2xx         | Success        | Final
3xx         | Redirection    | Final
4xx         | Client Error   | Final
5xx         | Server Error   | Final
6xx         | Global Failure | Final

- "Provisional" indicates that the request is still being processed.
- "Final" indicates that the response completes the request and ends the transaction.
- 1xx: the request was received and is being processed.
- 2xx: the request was received, understood, and accepted successfully.
- 3xx: further action is required to complete the request, typically retrying at another address.
- 4xx: the request contains a syntax error or cannot be fulfilled at this server.
- 5xx: the server failed to fulfill an apparently valid request.
- 6xx: the request cannot be fulfilled at any server.

SIP requires that an application understand the first digit of the response status code, and allows it to treat an unrecognized code as the x00 response of that class.
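The message format, request methods and status-code classes above, worked through in code. This is an added example, not code from the Eudemon firewall or any Huawei product: a small parser that splits a SIP message into start line, header fields and body, expands the compact header names SIP allows, checks the method against the set the text lists in Table 6-5, and classifies a response by its first digit as Table 6-6 describes. The two sample messages are constructed for the example.

```python
"""Parser for the SIP message format described above.

Added example; not code from the Eudemon firewall or from Huawei.
The two sample messages at the bottom are constructed for this example.
"""
from dataclasses import dataclass, field

# Request methods the text lists as supported by the SRG (Table 6-5).
SUPPORTED_METHODS = {"INVITE", "ACK", "OPTIONS", "BYE", "CANCEL",
                     "REGISTER", "PRACK", "UPDATE"}

# Response classes by first digit (Table 6-6). Only the first digit has to be
# understood; an unknown code is handled like the x00 response of its class.
STATUS_CLASSES = {1: "Provisional", 2: "Success", 3: "Redirection",
                  4: "Client Error", 5: "Server Error", 6: "Global Failure"}

# Compact header names (RFC 3261 section 7.3.3) that any parser must accept.
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "m": "contact",
           "l": "content-length", "c": "content-type", "e": "content-encoding",
           "s": "subject", "k": "supported"}


@dataclass
class SipMessage:
    kind: str                    # "request" or "response"
    start_line: str
    headers: dict = field(default_factory=dict)  # lower-case canonical name -> value
    body: str = ""
    method: str = ""             # requests only
    request_uri: str = ""        # requests only
    status_code: int = 0         # responses only
    reason: str = ""             # responses only

    @property
    def status_class(self) -> str:
        return STATUS_CLASSES.get(self.status_code // 100, "Unknown")

    @property
    def is_final(self) -> bool:
        """1xx is provisional; 2xx to 6xx ends the transaction."""
        return self.kind == "response" and self.status_code >= 200

    @property
    def method_supported(self) -> bool:
        return self.kind == "request" and self.method in SUPPORTED_METHODS


def parse_sip(raw: str) -> SipMessage:
    """Split start line, header fields and body; expand compact header names."""
    # The empty line that ends the headers is CRLF; accept bare LF as well,
    # as RFC 3261 section 7.5 recommends for robustness.
    for sep in ("\r\n\r\n", "\n\n"):
        head, found, body = raw.partition(sep)
        if found:
            break
    lines = head.splitlines()
    if not lines:
        raise ValueError("empty message")
    headers: dict = {}
    last = None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:        # folded continuation line
            headers[last] += " " + line.strip()
            continue
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        last = name.strip().lower()
        last = COMPACT.get(last, last)
        value = value.strip()
        # Repeated fields (for example several Via) combine into one comma list.
        headers[last] = value if last not in headers else headers[last] + ", " + value
    # Content-Length bounds the body; anything after it belongs to the next
    # message on a stream transport and must not be treated as part of this one.
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]

    start = lines[0]
    if start.startswith("SIP/2.0 "):                 # Status-Line
        parts = start.split(" ", 2)
        code = int(parts[1])
        if not 100 <= code <= 699:
            raise ValueError(f"status code out of range: {code}")
        reason = parts[2] if len(parts) > 2 else ""
        return SipMessage("response", start, headers, body, status_code=code, reason=reason)
    method, uri, version = start.split(" ")          # Request-Line
    if version != "SIP/2.0":
        raise ValueError(f"unexpected version {version!r}")
    return SipMessage("request", start, headers, body, method=method, request_uri=uri)


# Constructed sample messages (addresses and identifiers are made up).
SDP = "v=0\r\nm=audio 49170 RTP/AVP 0\r\n"          # 30 bytes
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP ag.example.com;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "Call-ID: a84b4c76e66710@ag.example.com\r\n"
    "CSeq: 314159 INVITE\r\n"
    "m: <sip:alice@192.0.2.10>\r\n"                  # compact form of Contact
    "c: application/sdp\r\n"                         # compact form of Content-Type
    "Subject: fax line\r\n"
    " (folded continuation)\r\n"
    f"l: {len(SDP)}\r\n"
    "\r\n" + SDP + "bytes of the next message on the same TCP stream"
)
SAMPLE_RINGING = ("SIP/2.0 180 Ringing\r\n"
                  "Via: SIP/2.0/UDP ag.example.com;branch=z9hG4bK776asdhds\r\n"
                  "CSeq: 314159 INVITE\r\n\r\n")
```

The Content-Length check matters on TCP: without it, a peer that pipelines two requests would have the tail of the second one treated as SDP of the first.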

User Registration Flow

Before initiating a call, a SIP user must register its user information (such as the mapping between the user's address and its current IP address) with the home network. Two registration types exist: registration through an unsafe connection (no authentication) and registration through a safe connection (challenge-response authentication). The registration flow starts after the system is powered on or after a user is added.

Registration through unsafe connection

Figure 6-25 Flowchart of the registration through unsafe connection

[Figure omitted. Message sequence between the SIP AG and the IMS Core: REGISTER (SIP AG to IMS Core); 200 OK (IMS Core to SIP AG).]


As shown in Figure 6-25, the SIP AG sends a REGISTER request to the IMS for each user. The request contains information such as the user ID. After receiving the REGISTER request, the IMS checks whether the user is configured on the IMS. If the user is configured, the IMS responds to the SIP AG with 200 OK. No credential is verified in this mode, so any party able to send SIP to the IMS core can register a configured user ID; it is acceptable only where the path between the AG and the IMS core is itself trusted.

Registration through safe connection

Figure 6-26 Flowchart of the registration through safe connection

[Figure omitted. Message sequence between the SIP AG and the IMS Core: REGISTER; 401 Unauthorized or 407 Proxy Authentication Required (carrying the challenge); REGISTER (carrying the credentials); 200 OK.]

As shown in Figure 6-26, the SIP AG sends a REGISTER request to the IMS for each user. The request contains information such as the user ID.

The IMS responds with 401 Unauthorized (or 407 Proxy Authentication Required when the challenge comes from a proxy). The response carries the authentication challenge: the realm, a nonce, and the digest algorithm to use. The SIP AG computes a digest over the user name, realm, password, nonce, request method, and Request-URI, and sends a new REGISTER request carrying this digest in the Authorization (or Proxy-Authorization) header field. The password itself is not sent. The IMS recomputes the digest from the password it has stored and compares the two; if they match, it responds to the SIP AG with 200 OK. This protects the password against disclosure and, through the nonce, the REGISTER against replay; it does not encrypt the signaling, which requires TLS on the transport.
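The challenge-response exchange of Figure 6-26, as an added example that is not code from the Eudemon firewall or from Huawei. It plays both sides: the registrar (IMS core) issues a 401 challenge with a fresh nonce and later verifies the answer against the password it has configured, and the SIP AG computes the Digest response (RFC 3261 section 22, RFC 2617 MD5 without qop) from that challenge. The realm, user, password and Request-URI are constructed values; the single-use nonce set is this example's replay protection, not something the page specifies.

```python
"""REGISTER with challenge-response (SIP Digest, RFC 3261 section 22 / RFC 2617).

Added example; not code from the Eudemon firewall or from Huawei. It plays
both roles of Figure 6-26: the registrar (IMS core) issues the 401 challenge
and verifies the answer, and the SIP AG computes the answer for one user.
User, password, realm and URI are constructed values.
"""
import hashlib
import hmac
import re
import secrets

REALM = "ims.example.com"                          # constructed
REGISTRAR_USERS = {"alice": "s3cret-p@ss"}         # constructed: users configured on the IMS
REGISTER_URI = "sip:ims.example.com"


def _h(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce) -> str:
    """RFC 2617 response without qop: MD5(HA1 ":" nonce ":" HA2)."""
    ha1 = _h(f"{user}:{realm}:{password}")         # the password is hashed, never sent in clear
    ha2 = _h(f"{method}:{uri}")
    return _h(f"{ha1}:{nonce}:{ha2}")


def parse_auth_params(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' into a dict (values quoted or bare)."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("only the Digest scheme is handled here")
    out = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params):
        out[key] = quoted if quoted else bare
    return out


def issue_challenge(outstanding: set):
    """Registrar: answer an unauthenticated REGISTER with 401 and a fresh nonce."""
    nonce = secrets.token_hex(16)
    outstanding.add(nonce)                          # remembered so a replayed answer can be refused
    return 401, f'Digest realm="{REALM}", nonce="{nonce}", algorithm=MD5'


def build_authorization(user, password, challenge, method="REGISTER", uri=REGISTER_URI) -> str:
    """SIP AG: compute the digest from the challenge and build the Authorization header."""
    p = parse_auth_params(challenge)
    if p.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("unsupported digest algorithm")
    realm, nonce = p["realm"], p["nonce"]
    response = digest_response(user, realm, password, method, uri, nonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}", algorithm=MD5')


def registrar_verify(auth_header, method, outstanding: set) -> int:
    """Registrar: recompute the digest with the stored password; return the SIP status code."""
    p = parse_auth_params(auth_header)
    user = p.get("username")
    if user not in REGISTRAR_USERS:
        return 404                                   # not configured (the text's 404 case)
    nonce = p.get("nonce")
    if nonce not in outstanding or p.get("realm") != REALM:
        return 401                                   # unknown or replayed nonce, or wrong realm: re-challenge
    outstanding.discard(nonce)                       # one use per nonce
    expected = digest_response(user, REALM, REGISTRAR_USERS[user], method, p.get("uri", ""), nonce)
    # Constant-time compare so response timing does not leak how many digest bytes matched.
    return 200 if hmac.compare_digest(expected, p.get("response", "")) else 401


def register_flow(user, password) -> int:
    """Figure 6-26 end to end: REGISTER -> 401 -> REGISTER(Authorization) -> 200/401/404."""
    outstanding = set()
    _, challenge = issue_challenge(outstanding)      # the first REGISTER carries no credentials
    auth = build_authorization(user, password, challenge)
    return registrar_verify(auth, "REGISTER", outstanding)
```

Because a nonce is discarded after one use, a REGISTER retransmitted after UDP loss is answered with a new 401 rather than accepted; a deployment would mark that challenge stale=true so the AG re-answers without prompting. MD5 Digest only keeps the password off the wire; it does not protect the rest of the message, which is why the registration should additionally run over TLS.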

SIP-based VoIP Service

This topic describes the flows of the SIP-based VoIP service.

Call Flow of the Calling Party

Figure 6-27 shows the SIP-based call flow of a VoIP calling party.


Figure 6-27 SIP-based call flow of a VoIP calling party

[Figure omitted. Participants: USER1, AG, P-CSCF-O. Sequence: caller offhook, AG plays dial tone (P1); first digit, dial tone stopped (P2); second and third digits, AG sends D1: INVITE (SDP) (P3); D2: 100 Trying (P4); D3: 180 Ringing (P5); D4: 200 OK on callee offhook (P6); D5: ACK; conversation.]

- P1: The AG receives the offhook event of the calling party and plays the dial tone to the calling party.
- P2: The AG receives the first dialed digit, stops playing the dial tone, and starts matching the digits against the digit maps.
- P3: After receiving N dialed digits and matching them against the digit maps, the AG finds that the dialed number matches a digit map. The AG then generates the INVITE message and sends it to the P-CSCF.
- P4: The AG receives the 100 Trying response and learns that the next hop has received the INVITE, so it stops retransmitting the INVITE.
- P5: The AG receives 180 Ringing, which indicates that the phone of the called party is ringing. The AG plays the ringback tone to the calling party.
- P6: The AG receives 200 OK, which indicates that the called party has answered, so the AG stops playing the ringback tone, changes the media stream to bi-directional mode, generates the ACK message, and sends it to the P-CSCF.

The preceding flow is for a call in normal conditions. The scenario may vary: when the calling party initiates a call, the P-CSCF determines the situation as follows:


- If the calling party is configured but not registered on the P-CSCF, the P-CSCF rejects the call and responds with 403 Forbidden to the AG.
- If the calling party is not configured on the P-CSCF, the P-CSCF rejects the call and responds with 404 Not Found to the AG.

Call Flow of the Called Party

Figure 6-28 shows the SIP-based call flow of a VoIP called party.

Figure 6-28 SIP-based call flow of a VoIP called party

[Figure omitted. Participants: P-CSCF-T, AG, USER1. Sequence: D1: INVITE (SDP) from P-CSCF-T; AG sends D2: 100 Trying, rings the called party and sends D3: 180 Ringing (P1); callee offhook, AG sends D4: 200 OK (P2); D5: ACK; conversation (P3).]

- P1: The AG receives the INVITE message from the P-CSCF, generates the 100 Trying response, and sends it to the P-CSCF. The AG locates the called party from the P-Called-Party-ID header field, the Request-URI, and the To header field of the INVITE message. If the user is identified by a TEL URI, the AG can locate the called party by the telephone number in the TEL URI instead of by these header fields. After locating the called party, the AG rings the called party's phone, generates the 180 Ringing response, and sends it to the P-CSCF, informing the P-CSCF that the phone of the called party is ringing.
- P2: After receiving the offhook event of the called party, the AG stops ringing, generates the 200 OK response, and sends it to the P-CSCF, informing the P-CSCF that the called party has answered.
- P3: The AG receives the ACK message. The calling party and the called party are now in conversation.

The scenario may vary. When the AG receives the INVITE message, it determines the situation as follows:


- If the called party is configured but not registered on the AG, the AG rejects the call and responds with 403 Forbidden to the P-CSCF.
- If the called party is not configured on the AG, the AG rejects the call and responds with 404 Not Found to the P-CSCF.

Flow of Call Release

Figure 6-29 shows the flow of call release.

Figure 6-29 Flow of call release

[Figure omitted. Participants: USER1, AG, P-CSCF-O. Sequence: conversation; onhook; AG sends D1: BYE (P1); D2: 200 OK (P2).]

- P1: The AG receives the onhook event of the user, generates the BYE request, and sends it to the P-CSCF. The AG then releases the DSP resource allocated to the user for the call.
- P2: The AG receives the 200 OK response from the P-CSCF.
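The calling-party flow (Figure 6-27), the 403/404 rejection cases, and the release flow (Figure 6-29), modelled as one state machine. This is an added example, not code from the Eudemon firewall or from Huawei: 'AccessGateway' is a hypothetical model of the AG's caller side that matches dialled digits against digit maps, sends the INVITE, reacts to 100/180/200 and to a final rejection, and sends BYE on onhook. The digit-map notation ('x' for any digit), the maps themselves, and the addresses are constructed for the example.

```python
"""Calling-party behaviour of the access gateway (Figures 6-27 and 6-29).

Added example; not code from the Eudemon firewall or from Huawei.
'AccessGateway' is a hypothetical model of the AG's caller side: digit map
matching, INVITE generation, handling of 100/180/200 and of the 403/404
rejections, and BYE on onhook. Digit maps, numbers and addresses are
constructed for the example.
"""
from dataclasses import dataclass, field

# Digit-map notation used here: 'x' matches any single digit, any other
# character matches itself. Dialling is complete when the digits match a map exactly.
DIGIT_MAPS = ["2xxx", "0xxxxxxxxxx"]   # constructed: 4-digit extensions, 11-digit national numbers


def matches(digits: str, pattern: str) -> bool:
    return len(digits) == len(pattern) and all(
        (p == "x" and d.isdigit()) or p == d for d, p in zip(digits, pattern))


def could_match(digits: str, pattern: str) -> bool:
    """True if more digits could still turn this prefix into a full match."""
    return len(digits) < len(pattern) and matches(digits, pattern[: len(digits)])


@dataclass
class AccessGateway:
    user: str                                   # SIP URL of the line
    state: str = "idle"
    digits: str = ""
    tone: str = "none"                          # what the DSP plays: dial / ringback / none
    retransmitting: bool = False                # INVITE retransmission timer running
    media: str = "none"                         # none / sendrecv
    fail_code: int = 0                          # last final failure response
    cseq: int = 0
    sent: list = field(default_factory=list)    # messages handed to the P-CSCF

    def _send(self, method: str, **fields):
        self.sent.append({"method": method, "cseq": self.cseq, **fields})

    def offhook(self):                          # P1: dial tone
        self.state, self.tone, self.digits = "dialing", "dial", ""

    def digit(self, d: str):                    # P2 / P3
        if self.state != "dialing":
            return                              # digits after the INVITE went out are ignored
        self.tone = "none"                      # the first digit stops the dial tone
        self.digits += d
        if any(matches(self.digits, m) for m in DIGIT_MAPS):
            self.cseq += 1
            self._send("INVITE", to=f"tel:{self.digits}", sdp="offer")
            self.state, self.retransmitting = "calling", True   # retransmit until a response arrives
        elif not any(could_match(self.digits, m) for m in DIGIT_MAPS):
            self.state = "failed"               # no digit map can match any longer

    def response(self, code: int):              # P4 .. P6, and the 403/404 cases
        if self.state not in ("calling", "proceeding", "ringing"):
            return
        self.retransmitting = False             # any response proves the INVITE got through
        if code == 100:                         # P4
            self.state = "proceeding"
        elif 100 < code < 200:                  # P5: 180 Ringing (or another provisional)
            self.tone, self.state = "ringback", "ringing"
        elif code < 300:                        # P6: answered
            self.tone, self.media, self.state = "none", "sendrecv", "conversation"
            self._send("ACK")
        else:                                   # 403 not registered, 404 not configured, ...
            self.tone, self.state, self.fail_code = "none", "failed", code
            self._send("ACK")                   # a non-2xx final response is still ACKed

    def onhook(self):                           # Figure 6-29 P1: BYE and release the DSP resource
        if self.state == "conversation":
            self.cseq += 1
            self._send("BYE")
        self.state, self.media, self.tone, self.digits = "idle", "none", "none", ""
```

The two rejection outcomes differ only in the code the P-CSCF returns; what matters for the AG is that both are final responses, so the INVITE retransmission stops and no media is opened.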

SIP-Based FoIP

This topic describes the implementation mechanism of the SIP-based FoIP service.

In terms of transmission protocol, the fax service is classified into transparent transmission and T.38; in terms of switching mode, it is classified into auto-switching and negotiated-switching. Hence there are four combinations: auto-switching transparent transmission, auto-switching T.38, negotiated-switching transparent transmission, and negotiated-switching T.38.

In auto-switching, the AG detects the fax tone and then selects the transparent transmission or T.38 mode according to its configuration. The AG does not send any signaling to the peer device.

In negotiated-switching, the AG detects the fax tone and, according to its configuration, sends the peer end a re-INVITE message whose SDP carries the negotiation parameters for the fax mode.

In actual application, fax can also be classified into low-speed fax and high-speed fax in terms of transmission speed. High-speed fax cannot use the T.38 mode; a high-speed fax machine can in effect be regarded as a modem. With its speed reduced, a high-speed fax machine can also use the T.38 mode.

Flow of the Negotiated-Switching Transparent Transmission Fax

Currently, this fax mode can be signaled in three ways:

- As a=fax. This is the G.711 transparent transmission fax mode proposed by China Telecom.
- As a=silence Supp:off. This is the G.711 transparent transmission fax mode defined in draft-ietf-sipping-realtimefax-01.txt.
- As a=gpmd:99 vbd=yes. This is the voice-band data (VBD) mode defined in ITU-T V.152.

Which method is applied depends on the configured parameters.

Figure 6-30 shows the fax flow.

Figure 6-30 Flow of the negotiated-switching transparent transmission fax

[Figure omitted. Participants: USER1, AG-O, P-CSCF-O, P-CSCF-T, AG-T, USER2 (other elements omitted). Sequence: call established; FAX tone at AG-T; P1/L1: re-INVITE (SDP VBD) from AG-T through P-CSCF-T and P-CSCF-O to AG-O; P2: 200 OK (SDP VBD) back to AG-T; P3: FAX pass-through; FAX END; P4/L2: re-INVITE (SDP audio) from AG-T to AG-O; P5: 200 OK (SDP audio); P6: VOICE.]

- P1: AG-T detects the fax tone first, and then sends the re-INVITE message to the AG (AG-O) to which the calling party is connected.
- L1: The SDP carried in the re-INVITE message can take three forms. The fax mode to use must be configured on the AGs. The initiator of the negotiation uses one of the three values of the "a" attribute, and the recipient must accept all three: whichever value it receives, it should be able to complete the negotiation with the initiator.
  - The G.711 transparent transmission fax/modem mode defined in draft-ietf-sipping-realtimefax-01.txt.
  - The G.711 transparent transmission fax/modem mode proposed by China Telecom.
  - The VBD mode defined in ITU-T V.152.
- P2: AG-O receives the re-INVITE message, switches its DSP channel to the fax (transparent transmission) mode, generates the 200 OK message, and sends it to AG-T.
- P3: AG-T receives the 200 OK message and also switches its DSP channel to the fax mode.
- P4: AG-T receives the fax end signal and sends a re-INVITE message to AG-O.
- L2: The SDP carried in this re-INVITE message sets up an ordinary voice channel.
- P5: AG-O receives the re-INVITE message and switches its DSP channel to the voice mode.
- P6: AG-T receives the 200 OK message and also switches its DSP channel to the voice mode.

Flow of the Negotiated-Switching T.38 Fax

Figure 6-31 shows the flow of the negotiated-switching T.38 fax.

Figure 6-31 Flow of the negotiated-switching T.38 fax

[Figure omitted. Participants: USER1, AG-O, P-CSCF-O, P-CSCF-T, AG-T, USER2 (other elements omitted). Sequence: call established; FAX tone at AG-T; P1/L1: re-INVITE (SDP T38) from AG-T through P-CSCF-T and P-CSCF-O to AG-O; P2: 200 OK (SDP T38) back to AG-T; P3: FAX T38; FAX END; P4/L2: re-INVITE (SDP audio); P5: 200 OK (SDP audio); P6: VOICE.]


- P1: AG-T detects the fax tone first, and then sends the re-INVITE message to the AG (AG-O) to which the calling party is connected.
- L1: The SDP carried in the re-INVITE message carries the T.38 information (an m=image line with the udptl t38 transport and the T.38 attributes).
- P2: AG-O receives the re-INVITE message, learns that the peer device requires the T.38 mode, and switches its DSP channel to the T.38 mode. AG-O then generates the 200 OK message and sends it to AG-T.
- P3: AG-T receives the 200 OK message and also switches its DSP channel to the T.38 mode.
- P4: AG-T receives the fax end signal and sends a re-INVITE message to AG-O.
- L2: The SDP carried in this re-INVITE message sets up an ordinary voice channel.
- P5: AG-O receives the re-INVITE message and switches its DSP channel to the voice mode.
- P6: AG-T receives the 200 OK message and also switches its DSP channel to the voice mode.

NOTE

Figure 6-32 and Figure 6-33 show the fax flows when the peer device does not support the T.38 mode.

Figure 6-32 Flow of the negotiated-switching T.38 fax when the peer device does not support the T.38 mode (scenario 1)

[Figure omitted. Participants: USER1, AG-O, P-CSCF-O, P-CSCF-T, AG-T, USER2 (other elements omitted). Sequence: call established; FAX tone at AG-T; P1/L1: re-INVITE (SDP T38) from AG-T to AG-O; P2: 415 Unsupported Media Type from AG-O back to AG-T; P3: AG-T sends BYE; P4/L2: BYE forwarded to AG-O; P5: 200 OK; P6: 200 OK back to AG-T; busy tone played to USER1 and USER2.]


Figure 6-33 Flow of the negotiated-switching T.38 fax when the peer device does not support the T.38 mode (scenario 2)

[Figure omitted. Participants: USER1, AG-O, P-CSCF-O, P-CSCF-T, AG-T, USER2 (other elements omitted). Sequence: call established; FAX tone at AG-T; P1/L1: re-INVITE (SDP T38) from AG-T to AG-O; P2: 488 Not Acceptable Here (or 606) from AG-O back to AG-T; P3/P4/L2: AG-T sends re-INVITE (SDP VBD) to AG-O; P5: 200 OK (SDP VBD); P6: FAX pass-through; FAX END; P7/L3: re-INVITE (SDP audio); P8: 200 OK (SDP audio); P9: VOICE.]

In scenario 1, if AG-O does not support T.38, it may respond with 415 Unsupported Media Type. After AG-T receives the 415 response, it sends a BYE message and releases the current call, so the voice call the fax was riding on is lost as well. In scenario 2, if AG-O does not support T.38, it responds with 488 Not Acceptable Here or 606 Not Acceptable. After AG-T receives the 488/606 response, it generates another re-INVITE message whose SDP offers the VBD media type. The T.38 negotiation has thus failed, and the transparent transmission mode is used instead.

The MA5616 supports the T.38 mode and therefore does not respond with 415/488/606 in the T.38 negotiation. The MA5616, however, can process these error codes when the peer device sends them.


Flow of the Auto-Switching Transparent Transmission FaxGenerally, the called fax terminal detects the fax tone on the TDM side first, and the calling faxterminal detects the fax tone sent from the IP side. The fax terminal that detects the fax toneautomatically switches to the transparent transmission mode without the SIP negotiation.

One problem currently exists in the auto-switching fax flow: If the DSP channel originally worksin the G.729 mode for the voice service, and is now switched to the G.711 transparenttransmission mode when the fax tone is detected, the G.711 voice packet may not be recognized.This is because the DSP channel of the calling party stills works in the G.729 mode. Therefore,the DSP chip is required to be able to receive G.711 packets when working in the G.729 or othercoding modes. The prerequisite remains that the DSP chip should detect and report the fax tonesent from the IP side.

Flow of the Auto-Switching T.38 Fax

The working principle of this flow is the same as that of the auto-switching transparent transmission fax. The difference is that, after the fax tone is detected, the DSP channel is enabled in T.38 mode instead of transparent transmission mode.

SIP-Based MoIP

This topic describes the SIP-based modem service flow.

In terms of service flow, the modem service is similar to the transparent transmission fax service, and can also be classified into auto-switching and negotiated-switching.

The modem service in the negotiated-switching transparent transmission mode can be presented in three ways:

• Presented as a=modem. This is a G.711 transparent transmission modem mode proposed by China Telecom.

• Presented as a=silenceSupp:off. This is a G.711 transparent transmission modem mode defined in draft-IETF-sipping-realtimefax-01.txt.

• Presented as a=gpmd:99 vbd=yes. This is the VBD mode defined in ITU-T V.152.

The method actually applied depends on the configured parameters.

Flow of the Negotiated-Switching Modem Service

Figure 6-34 shows the flow of the negotiated-switching modem service.


Figure 6-34 Flow of the negotiated-switching modem service

(Figure: USER1, AG-O, P-CSCF-O, P-CSCF-T, AG-T and USER2; other elements are omitted. After the call is established, AG-T detects the modem tone (P1) and sends a re-INVITE (L1) through P-CSCF-T and P-CSCF-O to AG-O, which answers with 200 OK (P2); AG-T then enters modem pass-through (P3).)

• P1: AG-T first detects the modem tone, and then sends the re-INVITE message to the AG (AG-O) to which the calling party is connected.

• L1: The SDP body of the re-INVITE message takes one of three forms, corresponding to the three preceding presentations of the negotiated-switching transparent transmission mode. The transparent transmission modem mode to use must be configured on the AGs.

• P2: AG-O receives the re-INVITE message, generates the 200 OK message and sends it to AG-T.

• P3: AG-T receives the 200 OK message and enables the DSP channel in the fax or modem mode.
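The re-INVITE exchange for fax and modem switching, as an added example that is not code from this document or from the product: it classifies an SDP offer into the T.38 and VBD presentations listed above and plays the AG-T reaction to the 200/415/488/606 responses described under the T.38 flow. The SDP bodies, the 192.0.2.x addresses (documentation range), the port numbers and the function names are all assumptions made for the example.

```python
# Added example: SDP classification and the AG-T/AG-O re-INVITE exchange for
# fax/modem switching. Not code from the page or the product; the SDP bodies,
# addresses and helper names are assumptions.

SDP_HEAD = "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"

# One constructed media description per mode the page lists.
MEDIA = {
    "t38": "m=image 49172 udptl t38\r\na=T38FaxVersion:0\r\n",
    "vbd-v152": "m=audio 49170 RTP/AVP 8 99\r\na=rtpmap:8 PCMA/8000\r\n"
                "a=rtpmap:99 PCMA/8000\r\na=gpmd:99 vbd=yes\r\n",
    "vbd-modem": "m=audio 49170 RTP/AVP 8\r\na=rtpmap:8 PCMA/8000\r\na=modem\r\n",
    "vbd-silencesupp": "m=audio 49170 RTP/AVP 8\r\na=rtpmap:8 PCMA/8000\r\n"
                       "a=silenceSupp:off - - - -\r\n",
    "voice": "m=audio 49170 RTP/AVP 18\r\na=rtpmap:18 G729/8000\r\n",
}


def build_sdp(mode):
    return SDP_HEAD + MEDIA[mode]


def parse_media_sections(sdp):
    """Return a list of (m-line fields, [attribute strings]) for each m= section."""
    sections = []
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            sections.append((line[2:].split(), []))
        elif line.startswith("a=") and sections:
            sections[-1][1].append(line[2:])
    return sections


def classify_offer(sdp):
    """Map an SDP offer to the switching mode it requests."""
    for fields, attrs in parse_media_sections(sdp):
        if fields[0] == "image" and "t38" in [f.lower() for f in fields]:
            return "t38"                       # ITU-T T.38 relay: m=image ... udptl t38
        if any(a.startswith("gpmd:") and "vbd=yes" in a for a in attrs):
            return "vbd-v152"                  # ITU-T V.152 VBD: a=gpmd:<pt> vbd=yes
        if "modem" in attrs:
            return "vbd-modem"                 # China Telecom presentation: a=modem
        if any(a.split()[0] == "silenceSupp:off" for a in attrs):
            return "vbd-silencesupp"           # draft-ietf-sipping-realtimefax: a=silenceSupp:off
    return "voice"


def ag_o_answer(offer_sdp, supports_t38, reject_code=488):
    """AG-O's response: 200 OK, or reject_code (415, 488 or 606 on the page) when a
    T.38 offer is not supported."""
    if classify_offer(offer_sdp) == "t38" and not supports_t38:
        return reject_code
    return 200


def ag_t_negotiate(ag_o_supports_t38, reject_code=488, vbd_mode="vbd-v152"):
    """AG-T after detecting the fax/modem tone: offer T.38 first, then react to the
    response as the text describes. Returns (final mode, transcript of the exchange)."""
    transcript = []
    status = ag_o_answer(build_sdp("t38"), ag_o_supports_t38, reject_code)
    transcript.append(("re-INVITE", "t38", status))
    if status == 200:
        return "t38", transcript               # DSP channel enabled in T.38 mode
    if status == 415:
        transcript.append(("BYE", None, 200))  # scenario 1: release the call
        return "released", transcript
    if status in (488, 606):                   # scenario 2: fall back to VBD pass-through
        status = ag_o_answer(build_sdp(vbd_mode), ag_o_supports_t38, reject_code)
        transcript.append(("re-INVITE", vbd_mode, status))
        return ("transparent" if status == 200 else "released"), transcript
    return "voice", transcript                 # unexpected status: stay in voice mode
```

A firewall or SBC sitting between the AGs sees exactly these re-INVITEs; if its SIP ALG opens the pinhole for the audio m= line but not for the m=image line, the T.38 attempt fails in the way scenario 2 describes even though both AGs support T.38.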

Auto-Switching Modem Mode

In this mode, after the AG detects the modem tone, it automatically switches the DSP channel to VBD mode without notifying the IMS or the peer device.

Generally, the called-party AG detects the modem tone on the TDM side first, and the calling-party AG detects the modem tone arriving from the IP side. The AG that detects the modem tone switches to VBD mode automatically, without SIP negotiation.

Modem Redundancy Transmission

Modem redundancy transmission is currently implemented through RFC 2198 (RTP Payload for Redundant Audio Data). The DSP chip on Huawei devices already supports the modem service with RFC 2198 redundancy. Only one redundant packet is supported, however.

6.14.5 Key Voice Feature

This topic provides an overview of the key voice features and then describes the working principles of each sub-feature in detail.


Introduction

This topic describes the key voice features supported by the DSP chip. These features are applicable to all voice protocols.

Definition

Key voice features are a series of technologies adopted to deliver high-quality voice services. Examples are the voice codec, Echo Canceller (EC), and Voice Activity Detection (VAD).

Purpose

The purpose is to deliver high-quality voice services.

Codec and Packetization Duration

This topic provides basic information about the codec and the packetization duration (PTime).

Introduction

The codec is a key technology of voice services. Encoding means that the DSP encodes the TDM-side voice data, assembles it into packets, and sends the packets to the IP network. Decoding means that the DSP decodes the voice packets received from the IP network and plays the voice to the TDM side.

Frequently used codec types are G.711A, G.711Mu, G.729, G.723.1Low, and G.723.1High. G.711A and G.711Mu are uncompressed 64 kbit/s coding schemes; G.729, G.723.1Low, and G.723.1High are lossy compressed coding schemes. The compressed schemes require less bandwidth, at the cost of lower voice quality and larger delay. (G.711 delivers the best voice quality but requires 64 kbit/s; G.723.1 requires the least bandwidth but its voice quality is less satisfying.)

PTime is the interval at which the DSP assembles voice data into packets. It varies with the codec type. Table 6-7 lists the codec types.

Table 6-7 Codec list

Codec Type      Coding Rate (kbit/s)   PTime and Packet Size (including the RTP, UDP, IP, and Ethernet headers)
G.711A/Mu       64                     20 ms, 214 bytes
G.729a          8                      20 ms, 74 bytes
G.723.1High     6.3                    30 ms, 78 bytes
G.723.1Low      5.3                    30 ms, 74 bytes

Specifications

G.711A, G.711Mu, and G.729a are supported on 16 lines. G.723.1 is not supported.
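The packet sizes in Table 6-7 follow from the coding rate, the PTime and 54 bytes of RTP/UDP/IPv4/Ethernet headers. The following added example (not code from this document or the product) reproduces the table and goes one step further: it gives the per-direction bandwidth of a call at each PTime, the header overhead, and how many calls fit on a link, which is what a firewall or QoS policy has to be sized for. The header sizes are the standard ones; the 40 % VAD activity figure is taken from the VAD topic of this chapter.

```python
import math

# Added example (not from the page or the product): per-call bandwidth for the codecs
# in Table 6-7. Header sizes are the standard ones for RTP over UDP/IPv4 on Ethernet II.
HEADER_BYTES = {"rtp": 12, "udp": 8, "ipv4": 20, "ethernet": 14}   # 54 bytes in total
CODEC_KBPS = {"G.711A": 64, "G.711Mu": 64, "G.729a": 8, "G.723.1High": 6.3, "G.723.1Low": 5.3}


def payload_bytes(codec, ptime_ms):
    """Codec payload carried in one packet. G.723.1 frames are padded to whole bytes
    (189 bits -> 24 bytes, 158 bits -> 20 bytes), hence the ceiling."""
    return math.ceil(CODEC_KBPS[codec] * ptime_ms / 8)


def packet_bytes(codec, ptime_ms, layers=("rtp", "udp", "ipv4", "ethernet")):
    """Whole packet on the wire; drop 'ethernet' from layers to get the IP-layer size."""
    return payload_bytes(codec, ptime_ms) + sum(HEADER_BYTES[layer] for layer in layers)


def bandwidth_kbps(codec, ptime_ms, activity=1.0, **kw):
    """Bandwidth of one direction of one call. activity < 1 approximates VAD
    (the page's 40 % figure), ignoring the occasional SID packet."""
    packets_per_s = 1000 / ptime_ms
    return packet_bytes(codec, ptime_ms, **kw) * 8 * packets_per_s / 1000 * activity


def overhead_percent(codec, ptime_ms):
    """Share of each packet that is headers rather than voice."""
    total = packet_bytes(codec, ptime_ms)
    return 100.0 * (total - payload_bytes(codec, ptime_ms)) / total


def calls_per_link(link_kbps, codec, ptime_ms, activity=1.0):
    """How many one-way streams a link of link_kbps can carry (no other traffic)."""
    return int(link_kbps // bandwidth_kbps(codec, ptime_ms, activity))
```

A shorter PTime lowers delay but raises the packet rate: G.711 at 10 ms needs about 107 kbit/s per direction against 85.6 kbit/s at 20 ms, while for G.729a nearly three quarters of every packet is header.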


Reference Standards and Protocols

ITU-T G.711, ITU-T G.729, and ITU-T G.723.1

Echo Canceller

This topic provides basic information about the Echo Canceller (EC).

Introduction

Echo is classified into acoustic echo and electrical echo.

• Acoustic echo: the echo reflected by an obstacle that the sound meets in its transmission path. For example, if you hold the phone on one side of a table and speak from the other side, you can hear your own voice, because the sound travels across the table, is picked up by the phone's microphone and returned to the receiver. Currently, the VoIP DSP chip does not cancel acoustic echo because it cannot distinguish normal voice from acoustic echo.

• Electrical echo: generated by the 2-wire/4-wire converter (hybrid) on the service board, because the impedance matching of the converter is not ideal. EC generally refers to cancellation of the electrical echo.

Figure 6-35 shows how the electrical echo is generated.

Figure 6-35 Generation of the electrical echo

(Figure: the 4-wire transmission network connects to the 2-wire subscriber line through a hybrid; part of the received signal leaks back across the hybrid onto the transmit pair as echo.)

In the PSTN network, owing to the small delay, the voice and its echo reach the speaker's ear almost at the same time, so the echo can hardly be perceived. In the VoIP network, owing to the large delay, the echo arrives some time after the voice is heard, so the echo is easily perceived. As described in ITU-T G.131 and ITU-T G.161, echo becomes perceptible when the echo delay exceeds 25 ms.

Figure 6-36 shows how the EC is implemented.

Figure 6-36 Implementation of the EC function

(Figure: Rin enters from the remote end and passes through the 2/4-wire conversion, where part of it returns as the echo G; in parallel, an adaptive filter driven by Rin produces the simulated echo g. The near-end signal S plus G forms Sin; the EC subtracts g from Sin to give Sout, and Rout leaves toward the remote end.)

Rin is the voice received from the remote end. Rin is the input of the adaptive filter, and the output of the filter is the simulated echo g. On the 2-wire/4-wire converter, Rin is converted into the real echo G. S is the local-end voice, that is, the voice picked up by the local receiver. The local-end voice S is overlaid with the echo G, giving the EC input signal Sin. The EC removes the simulated echo g from Sin to obtain the output signal Sout.

Sin = S + G

Sout = Sin - g = S + G - g

G ≈ g

Therefore, Sout ≈ S

Specifications

Enabling or disabling the EC and the 64-ms tail delay are supported.

Reference Standards and Protocols

ITU-T G.168, ITU-T G.131, and ITU-T G.161

Non-Linear Processor

This topic describes the basic principles of the Non-Linear Processor (NLP).


Introduction

For various reasons, the EC cannot cancel all of the echo. To improve EC performance, non-linear processing is applied to the residual echo when its power is below a preset value, which further reduces the residual echo power. A simple method is to replace the residual echo with silence when its power is below the threshold.

Specifications

Enabling or disabling the NLP (per user port) is supported.

Impact

The NLP must be disabled for FoIP or MoIP, because the non-linear processing alters the low-level data signal that fax and modem terminals depend on.

Reference Standards and Protocols

ITU-T G.168, ITU-T G.131, and ITU-T G.161
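The EC equations (Sin = S + G, Sout = Sin - g) and the NLP described above, carried through in working code as an added example that is not from this document or the product. It adapts a normalised-LMS filter to an assumed hybrid echo path so that g converges to G, measures the echo return loss enhancement, then runs the simple NLP (silence a frame of residual echo whose power is under a threshold). White noise stands in for speech, 8 kHz sampling is assumed, and the echo path, thresholds and helper names are assumptions made for the example.

```python
import math
import random

# Added example (not code from the page or the product): an NLMS echo canceller with
# the signals named in the text (Rin, G, g, S, Sin, Sout) and the NLP described under
# Non-Linear Processor. The hybrid echo path, signal lengths and thresholds are assumed;
# white noise stands in for speech; 8 kHz sampling is assumed for the 10 ms frame.
ECHO_PATH = [0.0, 0.0, 0.5, -0.3, 0.15, 0.05]   # assumed 2/4-wire hybrid impulse response
TAPS = 8                                         # EC filter length; must cover the echo path
FRAME = 80                                       # 10 ms at 8 kHz


def white_noise(n, seed, amplitude=1.0):
    rng = random.Random(seed)
    return [rng.gauss(0.0, amplitude) for _ in range(n)]


def hybrid_echo(rin):
    """G: the real echo, Rin convolved with the hybrid's impulse response."""
    return [sum(h * rin[n - k] for k, h in enumerate(ECHO_PATH) if n - k >= 0)
            for n in range(len(rin))]


def nlms_cancel(rin, sin, w=None, adapt=True, mu=0.5, eps=1e-6):
    """Normalised LMS canceller. rin drives the adaptive filter, sin = S + G is the EC
    input, and each output sample is Sout = Sin - g with g the simulated echo.
    Returns (sout, filter weights)."""
    w = list(w) if w is not None else [0.0] * TAPS
    sout = []
    for n in range(len(rin)):
        x = [rin[n - k] if n - k >= 0 else 0.0 for k in range(TAPS)]
        g = sum(wk * xk for wk, xk in zip(w, x))
        e = sin[n] - g
        sout.append(e)
        if adapt:                                   # move w toward the hybrid response
            step = mu * e / (eps + sum(xk * xk for xk in x))
            w = [wk + step * xk for wk, xk in zip(w, x)]
    return sout, w


def power_db(x):
    return 10.0 * math.log10(sum(v * v for v in x) / len(x) + 1e-20)


def erle_db(sin, sout):
    """Echo return loss enhancement: echo power removed by the EC, in dB."""
    return power_db(sin) - power_db(sout)


def nonlinear_processor(sout, threshold_db=-40.0):
    """NLP: replace a frame of residual echo with silence when its power is below the
    threshold. Returns (processed signal, number of frames silenced). This is also why
    the NLP must be off for FoIP/MoIP: a quiet modem signal would be silenced the same way."""
    processed, silenced = [], 0
    for i in range(0, len(sout), FRAME):
        frame = sout[i:i + FRAME]
        if power_db(frame) < threshold_db:
            processed.extend([0.0] * len(frame))
            silenced += 1
        else:
            processed.extend(frame)
    return processed, silenced


def run_demo():
    # Phase 1: far end talks, near end silent (Sin = G). The EC converges on the hybrid.
    rin = white_noise(4000, seed=1)
    g_real = hybrid_echo(rin)
    sout, w = nlms_cancel(rin, g_real)
    erle = erle_db(g_real[-1000:], sout[-1000:])
    _, silenced = nonlinear_processor(sout[-1000:])
    # Phase 2: double talk, Sin = S + G. With the converged weights, Sout ≈ S.
    rin2 = white_noise(1000, seed=2)
    s = white_noise(1000, seed=3, amplitude=0.5)
    sin2 = [a + b for a, b in zip(s, hybrid_echo(rin2))]
    sout2, _ = nlms_cancel(rin2, sin2, w=w, adapt=False)
    residual = [a - b for a, b in zip(sout2, s)]
    return {"erle_db": erle, "frames_silenced": silenced,
            "double_talk_residual_db": power_db(residual) - power_db(s)}
```

The 64 ms tail delay in the Specifications corresponds to 512 taps at 8 kHz; the 8-tap filter here is enough only because the assumed echo path is that short.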

VAD

This topic describes the basic principles of the voice activity detector (VAD).

Introduction

The VAD is used to reduce consumption of network bandwidth.

Input signals of phones are classified into voice signals and silence signals. The VAD distinguishes voice from silence based on the energy of the signal.

The VAD is often used together with silence compression. For example, after the VAD is enabled, the DSP sends RTP packets to the remote end only when it detects voice. When it detects silence, the DSP does not send RTP packets to the IP network; it sends a silence insertion descriptor (SID) to the remote end only when the background noise changes. Based on the received SID, the remote DSP generates comfort noise, which saves network bandwidth while silence is being transmitted.

In a conversation, only about 40% of the signal is active voice. Therefore, enabling the VAD can substantially reduce bandwidth consumption when network resources are scarce.

Specifications

Enabling or disabling the VAD is supported. Sending and receiving SID packets are supported.

Reference Standards and Protocols

ITU-T G.711 and ITU-T G.729

Packet Loss Concealment

This topic describes the basic principles of Packet Loss Concealment (PLC).


Introduction

When a network or a device loses packets, the voice quality deteriorates. In practice, packet loss is inevitable. If the PLC is enabled to compensate for the lost signal, however, the impact of packet loss on voice quality is reduced and the success rates of FoIP and MoIP services increase under packet loss.

Three compensation modes are available:

• Replace the lost packet with silence.

• Replace the lost packet with the previous packet.

• Replace the lost packet with a similar packet calculated from the energies of the previous and subsequent packets (as described in G.711 Appendix I).

The third mode consumes the most DSP resources but improves voice quality the most. The first mode consumes the least DSP resources but improves voice quality the least.

Specifications

Enabling and disabling the PLC and configuring the compensation mode described in G.711 Appendix I are supported. By default, the lost packet is replaced with the previous packet.

Reference Standards and Protocols

G.711 Appendix I

Jitter Buffer

This topic describes the basic principles of the jitter buffer (JB).

Introduction

Transmission quality on the IP network is not guaranteed. The interval at which packets arrive from the remote end is not even, and the order in which packets are received may differ from the order in which they were sent. As a result, the voice quality is degraded. The JB is therefore introduced to eliminate the jitter of the IP network. The basic idea of the JB is to restore the packet sequence by adding delay, and so reduce the packet loss rate.

The JB is classified into the dynamic JB and the static JB.

During a conversation, the network jitter may be slight or absent for one period and serious in another. The dynamic JB adjusts the buffer depth according to the severity of the jitter: when the jitter is slight, the introduced delay is also small; when the jitter is serious, sufficient buffer depth is available to absorb it. The static JB must be used for data services such as FoIP and MoIP, because a depth adjustment may cause packet loss, and packet loss has a great impact on data services.

Specifications

The dynamic JB and the static JB are supported. The JB depth is adjustable from 0 ms to 200 ms.
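The PLC modes and the static jitter buffer described above, as an added example that is not code from this document or the product. It plays out a hand-constructed RTP-like packet stream (one packet lost, two reordered, one very late) through a static buffer of a chosen depth, counts what was played, concealed and discarded as late, and fills each gap with one of the three concealment modes. The packet timings, the "energy" mode (a simplified stand-in for the G.711 Appendix I idea, not the real algorithm) and all names are assumptions made for the example.

```python
import math

# Added example (not from the page or the product): a static jitter buffer with the
# three PLC modes the text lists. The packet list is constructed by hand so the
# outcome can be followed step by step; G.711 at 8 kHz, 20 ms packets.
PTIME_MS = 20
SAMPLES_PER_PACKET = 160


def pkt(seq, arrival_ms):
    """(sequence number, arrival time, payload). Payload amplitude grows with seq so
    the energy-based concealment below is visible."""
    return (seq, arrival_ms, [(seq + 1) * 100] * SAMPLES_PER_PACKET)


# Sent every 20 ms with a 30 ms base delay; seq 4 is lost, seq 3 overtakes seq 2,
# seq 8 arrives 42 ms late.
PACKETS = [pkt(0, 30), pkt(1, 52), pkt(2, 95), pkt(3, 90), pkt(5, 135),
           pkt(6, 170), pkt(7, 175), pkt(8, 232), pkt(9, 210)]


def rms(frame):
    return math.sqrt(sum(v * v for v in frame) / len(frame))


def conceal(prev, nxt, mode):
    """Produce a substitute frame for a missing packet."""
    if mode == "silence":
        return [0] * len(prev)
    if mode == "previous":
        return list(prev)
    if mode == "energy":
        # Simplified stand-in for the G.711 Appendix I idea: reuse the previous frame,
        # scaled so its energy sits between the previous and the next packet
        # (the real algorithm does pitch-based waveform substitution).
        if nxt is None or rms(prev) == 0:
            return list(prev)
        scale = (rms(prev) + rms(nxt)) / 2 / rms(prev)
        return [int(v * scale) for v in prev]
    raise ValueError(mode)


def play_out(packets, depth_ms, plc_mode="previous"):
    """Static JB: packet n is played at t0 + depth_ms + n*PTIME_MS, with t0 the arrival
    of the first packet. A packet arriving after its playout instant is dropped (late);
    any gap at playout time is concealed. Returns (pcm samples, statistics)."""
    by_arrival = sorted(packets, key=lambda p: p[1])
    t0 = by_arrival[0][1]
    last_seq = max(p[0] for p in packets)
    buffer, out, idx = {}, [], 0
    stats = {"played": 0, "concealed": 0, "late": 0}
    prev = [0] * SAMPLES_PER_PACKET
    for seq in range(last_seq + 1):
        play_at = t0 + depth_ms + seq * PTIME_MS
        while idx < len(by_arrival) and by_arrival[idx][1] <= play_at:
            s, _, payload = by_arrival[idx]
            if s >= seq:
                buffer[s] = payload           # in time: queue it by sequence number
            else:
                stats["late"] += 1            # its slot has already been played
            idx += 1
        if seq in buffer:
            frame = buffer.pop(seq)
            stats["played"] += 1
        else:
            frame = conceal(prev, buffer.get(seq + 1), plc_mode)
            stats["concealed"] += 1
        out.extend(frame)
        prev = frame
    stats["late"] += len(by_arrival) - idx    # arrivals after the last playout instant
    return out, stats
```

With a 20 ms depth, two packets arrive too late and three gaps are concealed; with a 60 ms depth, only the genuinely lost packet is concealed. A dynamic JB would move the depth between those two values as the measured jitter changes, which is exactly the adjustment the text says must not happen for FoIP/MoIP.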


Reference Standards and Protocols

None

Dual Tone Multi Frequency

This topic describes the basic principles of dual tone multi frequency (DTMF).

Introduction

DTMF means that tones of two frequencies are superimposed to represent a digit, as shown in Table 6-8.

Table 6-8 Mapping between frequencies and digits

Unit: Hz    1209    1336    1477    1633
697         1       2       3       A
770         4       5       6       B
852         7       8       9       C
941         *       0       #       D

When digits are dialed on the phone, each digit is converted into a pair of superimposed tones. The DSP detects the dialed digits by checking for DTMF.

The supported DTMF-specific functions are as follows:

• DTMF erasure: After the DSP detects DTMF signals, it erases them from the RTP media stream.

• DTMF transparent transmission: After the DSP detects DTMF signals, it retains them in the RTP media stream.

• DTMF RFC2833 transmission: After the DSP detects DTMF signals, it erases them from the RTP media stream and sends the DTMF information in RFC 2833 packets instead.

Specifications

Detection and sending of the DTMF signals is supported.

Configuration of DTMF-specific functions (device-based) is supported.

Reference Standards and Protocols

ITU-T Q.24

Tone Playing

This topic describes the basic principles of tone playing.


Introduction

Tone files are stored in the flash memory of the control board. The file name is generally voice.efs. The tone file describes the tone types supported by the DSP, covering information such as the signal tone type, frequency, duration, and strength. After system initialization is complete, the tone playing parameters are configured on the DSP. When requested to play a tone to a subscriber, the DSP reads the configuration and generates the signal tone in real time.

Tones are classified into parameter tones, waveform tones, and announcements.

A parameter tone is a simple tone such as the dial tone, busy tone, or ringback tone. The frequency, energy, duration, and cadence of the parameter tone are sent to the DSP, and the DSP generates the tone accordingly.

A waveform tone is also a simple tone such as the dial tone, busy tone, or ringback tone, but it is recorded, converted into PCM data, and stored in the logic. The logic cyclically plays the data of each tone type on a TDM timeslot. When a tone is to be played to a subscriber, the subscriber's timeslot is connected to the timeslot on which the logic plays the tone. The parameter tone takes precedence over the waveform tone; the waveform tone is used only when the DSP is faulty or when DSP resources are not available.

An announcement is a message played to subscribers, such as "The subscriber you dialed is busy. Please call later." The message is recorded and stored on the DSP. When an announcement is to be played to a subscriber, the logic or the DSP plays the recording to the subscriber.

Specifications

• Playing of parameter tones, waveform tones, and announcements is supported.

• Storage of 1 MB of announcement data on the DSP is supported.

• Simultaneous playing of announcements to 16 subscribers is supported.

Voice Quality Enhancement

This topic describes the basic principles of voice quality enhancement (VQE).

Introduction

The VQE feature is applicable to voice services in noisy public areas, such as roads, docks, scenic spots, and bus stations. Deploying VQE in these areas improves voice quality and user experience.

The VQE consists of two functions, automatic gain control (AGC) and spectral noise suppression (SNS).

AGC refers to the automatic adjustment of the output gain toward a preset target gain during a VoIP conversation. It frees listeners from the discomfort caused by sudden changes in signal level: AGC adjusts the energy smoothly and prevents sudden changes in output energy.

SNS refers to reducing the energy of the background noise toward a preset noise-suppression target, based on background noise detection during a VoIP conversation. With SNS, listeners feel more comfortable and the conversation is easier to understand.


Specifications

At present, only the AGC function is supported. The VQE feature is based on the configurationof the user port. After the parameter configuration is complete, the configuration takes effect onthe next call.

At present, the VQE function takes effect only when the G.711 codec is used. It does not take effect with other codecs, such as G.729 and G.723. If VQE is configured while a codec other than G.711 is used, the configuration does not take effect and no prompt is given.

RFC2833 Encryption

This topic describes the background and basic principles of RFC2833 encryption.

Background

On the NGN network, voice and DTMF signals are encapsulated in IP packets before being sent over the IP network. DTMF signals are carried in the RTP packets of the call in two modes:

• The DTMF signals are sent in-band in the RTP media stream. That is, the sending media gateway (MG) encodes the DTMF tones like any other audio and sends them to the receiving MG in RTP packets. In this mode, the receiving MG processes the DTMF signals as voice; if the audio is damaged, the receiving MG cannot detect the DTMF signals in the media stream. This mode is therefore not recommended when the network quality is poor or when compressed codecs (such as G.723.1 and G.729) are used.

• The DTMF signals are sent in RFC2833 mode. In this case, the sending MG must have a digital signal processor and the related algorithm, so that it can detect the DTMF signals, translate them into digits, and send the digits in RFC2833 packets. The receiving MG identifies the DTMF digits in the RFC2833 packets and processes them further.

Regardless of the transmission mode, the DTMF signals are sent in plain text over the IP network. Because the IP network is open, it is easy for an attacker to intercept and analyze the IP packets to obtain the voice and DTMF information they carry. For example, customer information is entered as DTMF digits during a telephone banking service. If the DTMF packets of the second-stage dialing are sent without encryption, it is easy for an attacker to intercept the bank's customer information, and the leakage of customer information is devastating for a bank.

Introduction to the RFC2833 Standard

RFC2833 specifies methods for transmitting DTMF digits, other telephony tones, and telephony signals in RTP packets.

When DTMF signals are sent in RFC2833 mode, the MG identifies the DTMF signals, translates them into the corresponding digits, assembles the digits into RFC2833 packets, and sends the packets to the receiving end. The receiving end regenerates the DTMF signals from the digits in the RFC2833 packets.
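The DTMF detection of Table 6-8 and the RFC 2833 transport just described, end to end, as an added example that is not code from this document or the product: the sending side detects a key from its two tones with the Goertzel algorithm, translates it into the RFC 2833 event code and packs the 4-byte telephone-event payload; the receiving side parses the payload back into the digit. The tone samples are synthesised here, and the durations, volume, 50 ms packet interval and function names are assumptions made for the example. The packets are built in the clear, as the page says they normally travel; the proprietary HNC1 encryption is not shown.

```python
import math
import struct

# Added example (not code from the page or the product): Goertzel DTMF detection over
# Table 6-8 and the RFC 2833 telephone-event payload the sending MG would emit.
# Tone samples are synthesised here; durations, volume and the 50 ms packet interval
# are assumptions. The page's HNC1 encryption is proprietary and is not shown.
SAMPLE_RATE = 8000
LOW_FREQS = [697, 770, 852, 941]
HIGH_FREQS = [1209, 1336, 1477, 1633]
KEYPAD = ["123A", "456B", "789C", "*0#D"]
# RFC 2833 event codes: 0-9 are the digits, 10 = '*', 11 = '#', 12-15 = A-D.
EVENT_CODES = {**{str(d): d for d in range(10)}, "*": 10, "#": 11,
               "A": 12, "B": 13, "C": 14, "D": 15}
CODE_TO_DIGIT = {code: digit for digit, code in EVENT_CODES.items()}


def dtmf_samples(digit, duration_ms=100, amplitude=0.5):
    """Synthesise the two superimposed tones for one key (constructed test input)."""
    row = next(r for r, keys in enumerate(KEYPAD) if digit in keys)
    f_low, f_high = LOW_FREQS[row], HIGH_FREQS[KEYPAD[row].index(digit)]
    n = SAMPLE_RATE * duration_ms // 1000
    return [amplitude * (math.sin(2 * math.pi * f_low * t / SAMPLE_RATE)
                         + math.sin(2 * math.pi * f_high * t / SAMPLE_RATE))
            for t in range(n)]


def goertzel_power(samples, freq, n=205):
    """Energy at the DFT bin nearest freq over an n-sample window (n = 205 at 8 kHz is
    the classic DTMF choice: ~39 Hz bins, so each DTMF tone gets its own bin)."""
    k = int(0.5 + n * freq / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples[:n]:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_digit(samples, ratio=4.0):
    """Return the key whose low and high tones each dominate their group by at least
    `ratio` (6 dB), or None for silence, speech or an ambiguous pair."""
    def strongest(freqs):
        ranked = sorted(((goertzel_power(samples, f), f) for f in freqs), reverse=True)
        (p1, f1), (p2, _) = ranked[0], ranked[1]
        return f1 if p1 > 1.0 and p1 > ratio * p2 else None
    f_low, f_high = strongest(LOW_FREQS), strongest(HIGH_FREQS)
    if f_low is None or f_high is None:
        return None
    return KEYPAD[LOW_FREQS.index(f_low)][HIGH_FREQS.index(f_high)]


def rfc2833_payload(event, end, volume_dbm0, duration_samples):
    """4-byte telephone-event payload: event(8) | E(1) R(1) volume(6) | duration(16).
    Volume is carried as 0..63, meaning 0..-63 dBm0. Sent in plain text, as the page notes."""
    flags = (0x80 if end else 0) | ((-volume_dbm0) & 0x3F)
    return struct.pack("!BBH", event, flags, duration_samples)


def parse_rfc2833(payload):
    event, flags, duration = struct.unpack("!BBH", payload)
    return {"event": event, "end": bool(flags & 0x80),
            "volume_dbm0": -(flags & 0x3F), "duration": duration}


def gateway_events(digit, duration_ms, packet_interval_ms=50, volume_dbm0=-10):
    """Packets the sending MG emits for one detected digit: interim packets carrying the
    cumulative duration, then the final packet (E set) repeated three times, as RFC 2833
    recommends, so the end of the digit survives a single packet loss."""
    event = EVENT_CODES[digit]
    total = SAMPLE_RATE * duration_ms // 1000
    per = SAMPLE_RATE * packet_interval_ms // 1000
    packets = [rfc2833_payload(event, False, volume_dbm0, d) for d in range(per, total, per)]
    return packets + [rfc2833_payload(event, True, volume_dbm0, total)] * 3


def receiver_digit(packets):
    """Receiving MG: the digit and its length come from the first packet with E set;
    the repeated final packets are harmless duplicates."""
    for p in packets:
        ev = parse_rfc2833(p)
        if ev["end"]:
            return CODE_TO_DIGIT[ev["event"]], ev["duration"]
    return None


def transmit(digit, duration_ms=100):
    """TDM-side tone -> DSP detection -> RFC 2833 packets -> peer MG."""
    detected = detect_digit(dtmf_samples(digit, duration_ms))
    return None if detected is None else receiver_digit(gateway_events(detected, duration_ms))
```

The 4-byte payload is also what a packet capture on the IP side shows for every digit a subscriber keys in, which is the exposure the Background paragraph above describes.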


Implementation of RFC2833 Encryption

The RFC2833 encryption function of the MG is configured on the softswitch. The softswitch sends the key to the sending and receiving MGs, and the two MGs pass the key to their DSPs. The DSP on the sending MG detects the DTMF signals, erases them from the media stream, assembles the DTMF digits into RFC2833 packets, and encrypts the RFC2833 packets with the key sent by the softswitch. The DSP on the receiving MG decrypts the RFC2833 packets with the same key, obtains the DTMF information, and regenerates the DTMF signals.

The Huawei proprietary algorithm, NGN Cipher Version 1 (HNC1), is adopted. It supports 128-bit to 256-bit keys. A dynamic key mechanism protects the key: the key is controlled by the softswitch, updated for each call, and sent encrypted in the SDP of the H.248/MGCP signaling.

With the RFC2833 encryption function, the DTMF information is protected in transit. This function covers the RFC2833 event packets only; DTMF that is sent in-band in the voice stream is not encrypted by it. The function is implemented jointly by the MA5600T and the Huawei MSOFTX3000.

Reference Standards and Protocols

RFC2833: RTP Payload for DTMF Digits, Telephony Tones and Telephony Signals

6.14.6 Voice Reliability

This topic describes the features related to voice reliability: dual homing networking, highly reliable transmission (SCTP), and voice QoS.

Introduction

This topic describes the features related to voice reliability.

Definition

Features related to voice reliability include dual homing networking, highly reliable transmission, and voice QoS.

Purpose

The purpose is to ensure the high reliability of the SRG voice service.

H.248 Dual Homing

This topic describes the working principles of dual homing from the MG to the softswitch through H.248.

Dual homing is an NGN-wide solution. With it, when the active softswitch, or the link from the MG to the active softswitch, is faulty, the MG switches to the standby softswitch immediately so that the call services of the users connected to that softswitch and MG are not affected.

Dual homing requires that one MG be configured with two softswitches, one active and one standby. The connection between the MG and the softswitch is monitored through heartbeat messages.


Figure 6-37 illustrates the working principles of dual homing.

Figure 6-37 Working principles of dual homing

(Figure: the MG registers with the active softswitch, receives a success reply, and then exchanges heartbeats with it. When the MG loses communication with the active softswitch, it registers with the standby softswitch, which replies with success. When communication with the active softswitch resumes, the MG deregisters from the standby softswitch and registers with the active one again.)

MG_1 registers with both MGC_1 and MGC_2. When MGC_1 fails, MG_1 can automaticallyswitch to MGC_2.

Different carriers may choose different dual homing policies:

• Auto-switching: When the original active softswitch recovers, the MG automatically switches back to it.

• No auto-switching: The MG does not switch back automatically. Regardless of whether the MG is registered with the active or the standby softswitch, as long as that softswitch is normal, the MG keeps working with it.

The SRG supports both policies through the related configuration.

NOTE

By default, the SRG supports the no auto-switching policy.

Dual-Homing with no Auto-Switching

Figure 6-38 shows the operating principle of dual homing with no auto-switching.


Figure 6-38 Operating principle for implementing the dual-homing with no auto-switching

(Figure: the MG sits between the active MGC 1 and the standby MGC 2. After the MG disconnects from the active MGC, it sends a registration message to the standby MGC, which replies with success, and then exchanges heartbeats with it; the figure also shows the MG quitting service on one MGC and registering with the active MGC again with a success reply.)

The basic process of dual homing with no auto-switching is as follows:

1. The MG sends N consecutive heartbeat detection messages (Notify (it/ito)) to its primary MGC (MGC 1) and gets no response; MGC 1 is considered faulty.

2. The MG sends the registration message ServiceChange (Method = Failover, Reason = 909 (neighboring MGC fault)) to the preset secondary MGC (MGC 2).

3. If the MG receives the response message (Reply) from MGC 2, the MG has registered with MGC 2 successfully and the process is complete. If the MG sends N consecutive ServiceChange messages to MGC 2 but gets no response, the registration with MGC 2 has failed.

4. If the registration with MGC 2 fails, the MG sends the registration message ServiceChange (Method = Disconnected, Reason = 909 (neighboring MGC fault)) to the original primary MGC (MGC 1).

5. If the MG receives the response message (Reply) from MGC 1, communication between the MG and MGC 1 has recovered and the process is complete. If the MG sends N consecutive ServiceChange messages to MGC 1 but gets no response, the registration with MGC 1 has failed and the MG returns to step 2.

Dual-Homing with Auto-Switching

Figure 6-39 shows the operating principle of dual homing with auto-switching.


Figure 6-39 Operating principle for implementing the dual-homing with auto-switching

(Figure: the MG between MGC1 and MGC2. (1) Notify(it/ito) heartbeats to MGC1 are lost; (2) ServiceChange(Method=Failover, Reason=909) to MGC2; (3) Reply, registration successful; (4) ServiceChange(Method=Disconnected, Reason=909) to MGC1, repeated while the registration fails; (5) Reply from MGC1 once it recovers.)

The basic process of dual homing with auto-switching is as follows:

1. Through the heartbeat messages, the MG detects that communication with the primary MGC 1 is interrupted.

2. The MG registers with the secondary MGC 2.

3. Meanwhile, the MG sends the registration message to the primary MGC 1 at intervals. If the MG receives a response, communication with MGC 1 has recovered and the MG goes to step 4. If no response is received, the MG keeps sending the message; in the meantime, services can be set up on the secondary MGC 2.

4. If the MG receives the registration response from the primary MGC 1, the MG has registered with MGC 1 again. In this case, the MG sends a message to the secondary MGC 2 to quit service there and waits for the response from MGC 2.
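Both dual-homing flows (the no auto-switching steps 1-5 and the auto-switching steps 1-4 above), simulated as an added example that is not code from this document or the product. A stub MGC answers while it is up and stays silent while it is down; the MG counts N missed heartbeats, runs the Failover/Disconnected ServiceChange sequence, and, under the auto-switching policy, keeps probing the primary and returns to it. The message strings, the name of the "quit service" message (the page does not give its method), the round limit on the steps 2-5 loop, and the generalisation of the failover to whichever MGC is currently active are assumptions made for the example.

```python
# Added example (not from the page or the product): a simulation of the two H.248
# dual-homing policies described above. MGC replies, message strings and the
# "quit service" message are assumptions; N and the round limit are parameters.
HEARTBEAT = "Notify(it/ito)"
FAILOVER = "ServiceChange(Method=Failover,Reason=909)"
DISCONNECTED = "ServiceChange(Method=Disconnected,Reason=909)"
QUIT = "ServiceChange(quit service)"   # the page does not name the method used here
MAX_ROUNDS = 2                          # the page loops steps 2-5 indefinitely; bounded here


class MGC:
    """Stub softswitch: replies to every message while up, silent while down."""
    def __init__(self, name):
        self.name, self.up = name, True

    def receive(self, msg):
        return "Reply" if self.up else None


class MG:
    def __init__(self, primary, secondary, n=3, auto_switch=False):
        self.primary, self.secondary = primary, secondary
        self.n, self.auto_switch = n, auto_switch
        self.active, self.missed, self.log = primary, 0, []

    def send(self, mgc, msg):
        self.log.append((mgc.name, msg))
        return mgc.receive(msg)

    def register(self, mgc, msg):
        """Send a ServiceChange up to N times; True on the first Reply."""
        return any(self.send(mgc, msg) is not None for _ in range(self.n))

    def failover(self):
        """Steps 2-5 of the no-auto-switching flow (also step 2 of the auto-switching
        flow), generalised to whichever MGC is currently active."""
        other = self.secondary if self.active is self.primary else self.primary
        for _ in range(MAX_ROUNDS):
            if self.register(other, FAILOVER):              # steps 2-3
                self.active = other
                return True
            if self.register(self.active, DISCONNECTED):    # steps 4-5: old MGC is back
                return True
        return False

    def try_return_to_primary(self):
        """Auto-switching steps 3-4: probe the primary; on a Reply quit the secondary."""
        if self.send(self.primary, DISCONNECTED) is not None:
            self.send(self.secondary, QUIT)
            self.active = self.primary
            return True
        return False

    def heartbeat(self):
        """One heartbeat period. Returns the name of the MGC the MG is registered with."""
        if self.send(self.active, HEARTBEAT) is not None:
            self.missed = 0
            if self.auto_switch and self.active is self.secondary:
                self.try_return_to_primary()
        else:
            self.missed += 1
            if self.missed >= self.n:                       # step 1: N consecutive misses
                self.missed = 0
                self.failover()
        return self.active.name


def scenario(auto_switch):
    """MGC1 goes down for three heartbeat periods, then recovers. Returns the MGC the MG
    was registered with after each period, and the message log."""
    mgc1, mgc2 = MGC("MGC1"), MGC("MGC2")
    mg = MG(mgc1, mgc2, n=3, auto_switch=auto_switch)
    states = [mg.heartbeat() for _ in range(2)]
    mgc1.up = False
    states += [mg.heartbeat() for _ in range(3)]
    mgc1.up = True
    states += [mg.heartbeat() for _ in range(2)]
    return states, mg.log
```

The difference between the two policies shows up only after MGC1 recovers: without auto-switching the MG stays on MGC2, with it the MG returns to MGC1 on the next heartbeat period. Note that the heartbeat itself is the only thing that detects a silently failed MGC, so N times the heartbeat interval bounds how long calls can fail before the switch.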

SIP Dual Homing

This topic describes the working principles of SIP dual homing.

Figure 6-40 shows the networking of SIP dual homing.


Figure 6-40 Networking of SIP dual homing

(Figure: the SRG sends SIP OPTIONS messages across the IP core network to both Server 1 and Server 2 to detect whether each proxy server is alive.)

The working flow of SIP dual homing is similar to that of H.248 dual homing. The SRG probes the proxy servers in real time (with SIP OPTIONS). When the primary proxy server is faulty, services are switched to the secondary proxy server. Calls in progress before the switch can still be released, and new calls can be initiated after the switch.

Voice QoS

This topic describes the implementation mechanism of voice QoS, mainly the priority marking.

The voice service requires high real-time performance, low delay, and fast call connection. Therefore, voice packets should be forwarded with high priority. Routers and switches forward packets according to the VLAN priority (802.1p) and the DSCP/ToS value carried in the packets, so the SRG marks both.


802.1p Priority (Separately Set for Signaling and Media Streams)

Figure 6-41 802.1q frame format

(Figure: Destination Address (6 bytes), Source Address (6 bytes), 802.1Q header (4 bytes: a 2-byte TPID followed by a 2-byte TCI, where the TCI holds the 3-bit Priority, the 1-bit CFI and the 12-bit VLAN ID), Length/Type (2 bytes), Data (46 to 1500 bytes), FCS (CRC-32, 4 bytes).)

Figure 6-41 shows the Ethernet frame format defined in IEEE 802.1Q. The four-byte 802.1Q header contains the following:

• Tag protocol identifier (TPID): two bytes, with the value 0x8100, marking the frame as tagged.

• Tag control information (TCI): two bytes, divided into three fields:

– VLAN identifier (VLAN ID): 12 bits, indicating the VLAN to which the frame belongs; the field has 4096 values, of which 4094 are usable as VLANs (0 and 4095 are reserved). Every frame sent by a host that supports 802.1Q carries this field.

– Canonical format indicator (CFI): one bit. It is used when frames are exchanged between an Ethernet bus network and an FDDI or token ring network.

– Priority: three bits, indicating the frame's priority (802.1p). Up to eight priorities are supported; the priority determines which frames are transmitted first when a switch is congested.

The local media IP address and signaling IP address of the SRG can be configured in one VLAN or in different VLANs according to the networking requirements. The 802.1p priority (in the range 0-7) can be set separately for the media IP address and the signaling IP address. By default, the priority for both is 6.

DSCP/ToS

As defined in the IP protocol, the DSCP and ToS occupy the same one-byte field in the IP header. The device on the IP bearer network identifies whether DSCP or ToS is filled in the IP header, and schedules and forwards the packets with the DSCP/ToS field according to the settings to ensure the QoS for different services.

The type of service (ToS) field contains a three-bit precedence subfield (currently ignored), a four-bit ToS subfield, and one reserved bit (which must be set to 0). The four bits in the ToS subfield represent minimum delay, maximum throughput, maximum reliability, and minimum cost respectively. Only one of the four bits can be set. If all four bits are set to 0, the packet requests the common (default) service.

The DSCP identification is based on the IPv4 ToS and the IPv6 traffic class.

As shown in Figure 6-42, the first six bits in the DS field (bits 0-5) are used to differentiate the DS codepoints (DSCPs), and the last two bits (bits 6 and 7) are reserved. The first three bits in the DS field (bits 0-2) are the class selector codepoint (CSCP), which indicates a class of DSCP.

Figure 6-42 DSCP identification format

[Figure: DS field, bits 0-7: bits 0-5 DSCP (bits 0-2 CSCP), bits 6-7 unused; IPv4 ToS byte, bits 0-7: Precedence, ToS, final bit 0]

DSCP is used to select the corresponding per-hop behavior (PHB) on all the nodes of the network. The PHB describes the externally visible behavior of a DS node acting on a data stream aggregate. Currently, the IETF defines three types of PHB: expedited forwarding (EF), assured forwarding (AF), and best-effort (BE). For example:

l BE: DSCP = 000000

l EF: DSCP = 101110

l The AF codepoints are as follows (class i, discard priority j):

            Low Discard       Middle Discard    High Discard
            Priority, j = 1   Priority, j = 2   Priority, j = 3
AF (i = 4)  100010            100100            100110
AF (i = 3)  011010            011100            011110
AF (i = 2)  010010            010100            010110
AF (i = 1)  001010            001100            001110

The first three bits (bits 0-2) of all codepoints in one AF class are the same: the first three bits of AF1 are 001, of AF2 010, of AF3 011, and of AF4 100. Bits 3-4 represent the discard priority, namely 01, 10, and 11. The larger the value, the higher the discard priority.


The DSCP/ToS value of local media IP packets and signaling IP packets can be configured on the SRG respectively. First the configuration policy (DSCP or ToS) is selected, and then the corresponding value is set. By default, DSCP is selected on the SRG, with the value of 56 (EF with the highest priority).
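The two header layouts described above, decoded from a constructed 802.1q-tagged IPv4 frame, as an added example that is not Eudemon code: it splits the TCI into priority, CFI and VLAN ID, reads the DS byte, names the PHB (BE, EF, AFij or class selector) and builds AF codepoints from class and discard priority. The MAC and IP addresses in the frame are constructed.

```python
"""Decode the 802.1q tag and the IPv4 DS/ToS byte from a constructed frame.

Added example for this feature description; it is not Eudemon code. The
frame bytes, MAC and IP addresses are constructed for illustration.
"""
import struct

TPID_8021Q = 0x8100      # tag protocol identifier of an 802.1q tagged frame
ETHERTYPE_IPV4 = 0x0800


def parse_tci(tci: int) -> dict:
    """Split the two-byte Tag Control Information into its three fields."""
    return {
        "priority": (tci >> 13) & 0x7,  # 3-bit 802.1p priority, 0-7
        "cfi": (tci >> 12) & 0x1,       # 1-bit canonical format indicator
        "vlan_id": tci & 0x0FFF,        # 12-bit VLAN identifier
    }


def classify_dscp(dscp: int) -> str:
    """Name the PHB of a 6-bit DSCP: BE, EF, AFij, or a class selector CSn.

    Bit numbering follows the text: bit 0 is the most significant bit of the
    DS field, bits 0-2 are the class selector codepoint and bits 3-4 carry
    the AF discard priority.
    """
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    if dscp == 0b000000:
        return "BE"
    if dscp == 0b101110:
        return "EF"
    cscp = dscp >> 3              # bits 0-2
    drop = (dscp >> 1) & 0x3      # bits 3-4: 01, 10 or 11 for AF
    if (dscp & 0x1) == 0 and 1 <= cscp <= 4 and 1 <= drop <= 3:
        return f"AF{cscp}{drop}"
    if (dscp & 0x7) == 0:
        return f"CS{cscp}"        # xxx000: class selector codepoint only
    return "unassigned"


def af_codepoint(i: int, j: int) -> int:
    """Build the AF codepoint for class i (1-4) and discard priority j (1-3)."""
    if not (1 <= i <= 4 and 1 <= j <= 3):
        raise ValueError("AF class is 1-4, discard priority is 1-3")
    return (i << 3) | (j << 1)


def build_frame(priority: int, vlan_id: int, dscp: int) -> bytes:
    """Constructed 802.1q-tagged Ethernet frame carrying a bare IPv4 header."""
    tci = ((priority & 0x7) << 13) | (vlan_id & 0x0FFF)
    # IPv4 header: version/IHL, DS byte, total length, id, flags/frag, TTL,
    # protocol (UDP), checksum left zero (not validated here), src, dst.
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 17, 0,
                            bytes([10, 100, 10, 2]), bytes([10, 100, 20, 2]))
    return (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
            + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + ip_header)


def decode_frame(frame: bytes) -> dict:
    """Return the 802.1p priority, VLAN ID, DSCP/PHB and legacy ToS fields."""
    if len(frame) < 14 + 4 + 20:
        raise ValueError("frame too short for Ethernet + 802.1q + IPv4")
    dst, src, tpid = struct.unpack("!6s6sH", frame[:14])
    if tpid != TPID_8021Q:
        raise ValueError(f"expected TPID 0x8100, got {tpid:#06x}")
    tci, ether_type = struct.unpack("!HH", frame[14:18])
    if ether_type != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 payloads are decoded here")
    tos = frame[18 + 1]           # second byte of the IPv4 header
    dscp = tos >> 2               # DS field bits 0-5; bits 6-7 are reserved
    return {
        "dst_mac": dst.hex(":"),
        "src_mac": src.hex(":"),
        **parse_tci(tci),
        "dscp": dscp,
        "phb": classify_dscp(dscp),
        "ip_precedence": tos >> 5,       # legacy ToS: 3-bit precedence subfield
        "tos_bits": (tos >> 1) & 0xF,    # legacy ToS: 4-bit ToS subfield
    }


if __name__ == "__main__":
    # A stream tagged with the default 802.1p priority 6 and DSCP 101110 (EF).
    print(decode_frame(build_frame(priority=6, vlan_id=100, dscp=0b101110)))
```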


7 Reliability

About This Chapter

7.1 Overview of VRRP

7.2 Introduction to Dual-System Hot Backup

7.3 Relations Between the VRRP Backup Group, Management Group, and HRP

7.4 IP-Link Auto-detection Overview


7.1 Overview of VRRP

7.1.1 Traditional VRRP

7.1.2 Disadvantages of Traditional VRRP in Eudemon Backup

Security zones are introduced in the Eudemon. Two Eudemons can implement route redundancy backup. One serves as the primary Eudemon and the other as the secondary Eudemon. Interfaces on the primary and secondary Eudemons are associated with corresponding security zones.

7.1.1 Traditional VRRP

Usually, each host on an intranet is configured with a default route whose next hop is the IP address of the egress router, that is, 10.100.10.1/24, as shown in Figure 7-1.

Figure 7-1 Networking using the default route

[Figure: server and PC on 10.100.10.0/24 with the default route pointing to the router at 10.100.10.1/24]

All packets exchanged between intranet users and Internet users pass through the router. When the router fails, all hosts on the intranet (whose next hop is the router by default) fail to communicate with the Internet. In this case, communication is unreliable in default route mode.

The Virtual Router Redundancy Protocol (VRRP) can solve such a problem.

As a fault-tolerant protocol, VRRP is applicable to a LAN that supports multicast or broadcast, such as Ethernet.

VRRP organizes several routers on a LAN into a virtual router, named a backup group. In a backup group, only one device is in active state, which is named the Primary. The others are in standby state and are ready to take over the tasks at any time based on their priority; these inactive devices are named Secondary.

Figure 7-2 shows a backup group comprising three routers.


Figure 7-2 Networking using the VRRP virtual router

[Figure: server and PC on 10.100.10.0/24; backup group of Router A (Primary, 10.100.10.2/24), Router B (Secondary, 10.100.10.3/24) and Router C (Secondary, 10.100.10.4/24) with virtual IP address 10.100.10.1/24]

As shown in Figure 7-2:

l Routers A, B, and C make up a backup group (serving as a virtual router), whose virtual IP address is 10.100.10.1.

l Router A is the Primary with the IP address 10.100.10.2.

l Routers B and C are Secondary with IP addresses 10.100.10.3 and 10.100.10.4 respectively.

l In VRRP, only the active router can forward packets that take the virtual IP address as the next hop.

All hosts on the intranet are aware only of the virtual IP address 10.100.10.1, not the IP address of the Primary or Secondary. Therefore, the default route of each host is configured to the virtual IP address. Thus, all hosts on the intranet can communicate with the Internet through this backup group.

The VRRP module on the primary router monitors the state of the communication interface and sends notification packets to the secondary routers in multicast mode.

When the primary router fails, for example, when an interface or link fails, the VRRP notification packets are no longer sent out as usual.

When the secondary routers do not receive any VRRP notification packet within a specified interval, the secondary router with the highest priority changes its VRRP state to the active state. In this way, the services running on the primary router continue to run on the secondary router.

If the primary router of the backup group fails, the other secondary routers of the group select a new primary router according to their priorities. The selected router works in active state and provides routing services to the hosts on the network.

With the VRRP technology, the hosts on the intranet can communicate with the Internet continuously. Thus, reliability is guaranteed.


7.1.2 Disadvantages of Traditional VRRP in Eudemon Backup

Security zones are introduced in the Eudemon. Two Eudemons can implement route redundancy backup. One serves as the primary Eudemon and the other as the secondary Eudemon. Interfaces on the primary and secondary Eudemons are associated with corresponding security zones.

Typical Networking of Eudemon Backup

Based on traditional VRRP, each zone needs a VRRP group to monitor the working state of the interfaces that are connected to that security zone. Namely, the interfaces connected to each security zone on the Eudemons form a backup group (the virtual firewall), and each group is assigned a virtual IP address, as shown in Figure 7-3.

Figure 7-3 Typical networking of Eudemon backup

[Figure: Eudemon A (Primary) and Eudemon B (Secondary); Trust zone 10.100.10.0/24 with backup group 1, virtual IP address 10.100.10.1; DMZ 10.100.20.0/24 with backup group 2, virtual IP address 10.100.20.1; Untrust zone with a backup group whose virtual IP address is 202.38.10.1]

As shown in Figure 7-3:

l Eudemon A is the Primary and Eudemon B is the Secondary.

l Interfaces connected to the Trust zone on the primary and secondary Eudemons make up backup group 1 with the virtual IP address 10.100.10.1.

l Interfaces connected to the DMZ on the primary and secondary Eudemons make up backup group 2 with the virtual IP address 10.100.20.1.

l Interfaces connected to the Untrust zone on the primary and secondary Eudemons make up backup group 3 with the virtual IP address 202.38.10.1.

State Requirements for Eudemon Backup

As the Eudemon is a stateful firewall, it checks the first packet of a session and generates a session entry dynamically. Only the subsequent packets (including return packets) that match the session entry can pass through the Eudemon. Therefore, the inbound path and the outbound path of the same session must be consistent; otherwise, unmatched subsequent packets or return packets are discarded, as shown in Figure 7-4.


Figure 7-4 Eudemon backup state

[Figure: Eudemon A (Primary) and Eudemon B (Secondary), each with interfaces in the Trust, DMZ and Untrust zones; PC1 in Trust, PC2 in Untrust; numbered path segments (1)-(9); legend: session entry, actual connection, packet traffic]

In Figure 7-4, assume that the VRRP states of Eudemon A and Eudemon B are consistent, that is, all the interfaces on Eudemon A are in active state, and all the interfaces on Eudemon B are in standby state. If PC1 in the Trust zone accesses PC2 in the Untrust zone, a packet is sent from the Trust zone to the Untrust zone along the path (1)-(2)-(3)-(4). When the packet passes through Eudemon A, a dynamic session entry is generated. The return packet matches the session entry and successfully reaches the host in the Trust zone if it is sent along the path (5)-(6)-(7)-(8).

Assume instead that the VRRP states of Eudemon A and Eudemon B are inconsistent. For example, on Eudemon B, the interface connected to the Trust zone is in standby state, while the interface connected to the Untrust zone is in active state. After the packets from PC1 in the Trust zone pass through Eudemon A and reach PC2 in the Untrust zone, a session entry is dynamically generated on Eudemon A. The return packet is sent along the path (5)-(9). At this time, no session entry related to the data flow is available on Eudemon B. If no other packet-filtering rule is available to permit the packet to pass, Eudemon B discards the packet. In this case, the session is disrupted.

To summarize, if the VRRP states are consistent, the states of the interfaces connected to each zone on the same Eudemon are identical, that is, all are in active state or all are in standby state at the same time.

The Eudemon connects to several security zones, and its interface in each security zone forms a backup group with the peer Eudemon's interface connected to the same zone.

Disadvantages of Traditional VRRP in Eudemon Backup

Based on the traditional VRRP mechanism, VRRP in each backup group works in an independent state. Therefore, the VRRP state of each interface on one Eudemon cannot be kept consistent. That is, the traditional VRRP mechanism cannot achieve VRRP state consistency across the Eudemon.
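The Figure 7-4 scenario as an added simulation, not Eudemon code: each device keeps a stateful session table, the per-zone VRRP state decides which device handles a packet entering from that zone, and the return packet is dropped when the states are split across the two devices. Host addresses and port numbers are constructed.

```python
"""Why the per-zone VRRP states of a Eudemon pair must be consistent.

Added example for this feature description, not Eudemon code. It models the
stateful session check and the topology of Figure 7-4: PC1 in the Trust
zone, PC2 in the Untrust zone, Eudemon A and Eudemon B each with one
interface per zone. Addresses and ports are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """Session key as seen in the direction of the first packet."""
    src: str
    dst: str
    sport: int
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.src, self.dport, self.sport)


@dataclass
class Eudemon:
    name: str
    vrrp: Dict[str, str]                       # zone -> "active" or "standby"
    sessions: Set[Flow] = field(default_factory=set)

    def vrrp_consistent(self) -> bool:
        """Consistent means every interface is active, or every one is standby."""
        return len(set(self.vrrp.values())) == 1

    def process(self, flow: Flow, ingress_zone: str) -> bool:
        """Stateful forwarding decision for one packet.

        The first packet of a permitted session creates a session entry;
        later packets, including return packets, must match an entry. As in
        the text's scenario, only sessions initiated from the Trust zone are
        permitted and no other packet-filtering rule exists.
        """
        if flow in self.sessions or flow.reverse() in self.sessions:
            return True
        if ingress_zone == "trust":
            self.sessions.add(flow)
            return True
        return False  # no session entry and no permitting rule: discarded


def device_owning(pair: List[Eudemon], zone: str) -> Eudemon:
    """Traffic entering from a zone is handled by the device whose interface
    in that zone is the VRRP Primary, because it owns the virtual IP address."""
    active = [d for d in pair if d.vrrp[zone] == "active"]
    if len(active) != 1:
        raise RuntimeError(f"zone {zone}: {len(active)} active interfaces, expected 1")
    return active[0]


def simulate(states_a: Dict[str, str], states_b: Dict[str, str]) -> List[Tuple[str, bool]]:
    """Send one packet PC1 -> PC2 and its return packet; report which device
    handled each packet and whether it was forwarded."""
    pair = [Eudemon("EudemonA", dict(states_a)), Eudemon("EudemonB", dict(states_b))]
    forward = Flow("10.100.10.10", "202.38.10.20", 40000, 80)   # constructed
    results = []
    dev = device_owning(pair, "trust")        # path (1)-(2)-(3)-(4)
    results.append((dev.name, dev.process(forward, "trust")))
    dev = device_owning(pair, "untrust")      # path (5)-(6)-(7)-(8) or (5)-(9)
    results.append((dev.name, dev.process(forward.reverse(), "untrust")))
    return results


def consistency_report(states_a: Dict[str, str], states_b: Dict[str, str]) -> List[str]:
    """Operator-side check: list devices whose interface states differ across zones."""
    pair = [Eudemon("EudemonA", states_a), Eudemon("EudemonB", states_b)]
    return [f"{d.name}: VRRP states differ across zones: {d.vrrp}"
            for d in pair if not d.vrrp_consistent()]


if __name__ == "__main__":
    consistent = ({"trust": "active", "dmz": "active", "untrust": "active"},
                  {"trust": "standby", "dmz": "standby", "untrust": "standby"})
    split = ({"trust": "active", "dmz": "active", "untrust": "standby"},
             {"trust": "standby", "dmz": "standby", "untrust": "active"})
    print("consistent:", simulate(*consistent))   # both packets on EudemonA, both forwarded
    print("split:", simulate(*split))             # return packet reaches EudemonB and is dropped
    print(consistency_report(*split))
```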

In current networking applications, the Eudemon, as a security device, is usually located at the service access point between a protected network and an unprotected network.

In current networking applications, users have higher requirements on reliability.

Users specifically require that communications at the following points should be undisrupted:


l Important service ingress

l Access points

l Enterprise Internet access points

l Bank database servers

If only one Eudemon is located at the service point, the network may be disrupted by a single point of failure, even though the Eudemon itself is highly reliable.

In this case, the redundancy backup mechanism is offered to improve the stability and reliability of the entire system.

7.2 Introduction to Dual-System Hot Backup

7.2.1 HRP Application

7.2.2 Primary/Secondary Configuration Devices

7.2.1 HRP Application

The Eudemon is a stateful firewall, which means there is a session entry for each dynamic session connection on the Eudemon, as shown in Figure 7-5.

Figure 7-5 Typical data path in primary/secondary mode

[Figure: Eudemon A (Primary) and Eudemon B (Secondary), each with interfaces in the Trust, DMZ and Untrust zones; PC1 in Trust, PC2 in Untrust; numbered path segments (1)-(8); legend: session entry, actual connection, packet traffic]

In primary/secondary mode, if Eudemon A is the active device, it takes up all data transmission tasks and many dynamic session entries are set up on it; Eudemon B is the standby device, and no data passes through it.

When errors occur on Eudemon A or on associated links, Eudemon B switches to the active Eudemon and begins to transfer data; however, if there is no backup of the session entries or configuration commands on Eudemon B before the switchover, all sessions that have passed through Eudemon A are disconnected as a result of the mismatch. Then, services are disrupted.

In order to make the secondary Eudemon take over tasks from the primary Eudemon smoothly when the primary Eudemon breaks down, you need to back up configuration commands and state information between the primary Eudemon and the secondary Eudemon.

The Huawei Redundancy Protocol (HRP) is developed for this purpose. HRP is transmitted over VGMP packets in the data channels of the VRRP management group.

7.2.2 Primary/Secondary Configuration Devices

In load balancing mode, there are two primary Eudemons on the network. Users can enter a lot of commands on the two primary Eudemons. To avoid confusion during backup when one primary Eudemon fails, Eudemons are grouped into primary configuration devices, which send backup data, and secondary configuration devices, which receive backup data.

A primary configuration device must meet the following requirements:

l In a VRRP management group, only the Eudemon that is in active state can be the primary configuration device.

l In load balancing mode, both Eudemons that take part in two-node cluster hot backup are primary Eudemons. In this case, the primary configuration device is selected based on the priorities of the VRRP groups and the actual IP addresses (in descending order) of the interfaces.

To assure the stability of the primary configuration device, the primary configuration device always works in active mode unless it fails or quits the VRRP backup group.

NOTE

The concepts of primary/secondary configuration devices are used in load balancing mode rather than in primary/secondary mode.

7.3 Relations Between the VRRP Backup Group, Management Group, and HRP

The hierarchical relations between the VRRP backup group, management group, and HRP are shown in Figure 7-6.

Figure 7-6 Hierarchical relations between the VRRP backup group, management group, and HRP

[Figure: VRRP backup group -> VRRP management group (VGMP packet) -> HRP module (HRP packet)]


When the state of the VRRP management group changes, the system notifies HRP and the primary or secondary configuration device to change their states. In this way, configuration commands and session state information between two Eudemons can be backed up in time. In addition, the state of the VRRP management group is affected by the HRP state. In other words, based on the result of the HRP state switchover, VRRP modifies priorities and changes the VRRP state.

When the state of the VRRP backup group changes, the VRRP management group determines whether to change the states of the following elements:

l VRRP management group

l HRP

l Primary and secondary configuration devices

7.4 IP-Link Auto-detection Overview

IP-Link detection periodically sends ICMP or ARP requests to the specified destination IP address, waits for the reply packets from the destination IP address, and then determines the connection status of the network.

If no reply packet is received within the specified time, IP-Link auto-detection determines that a fault has occurred on the link and performs the related operations. If three reply packets are received consecutively within a specified period, IP-Link auto-detection determines that the faulty link has recovered, and then performs the related operations.

The detection result (destination host reachable or unreachable) provided by IP-Link auto-detection can be referenced by other features such as:

l Static route

NOTE

IP-Link detection is not supported in a dynamic routing environment on the Eudemon.

When IP-Link auto-detection discovers a fault on a link, the Eudemon adjusts its own static routes correspondingly. If the link used by the static route of higher preference is found faulty, the Eudemon selects a new link for forwarding services. If the link recovers from the fault, the Eudemon adjusts its own static routes again, replacing the lower preference route with the higher preference route. Such adjustment ensures that the Eudemon always uses a reachable link of the highest preference available, thus keeping the continuity of services.

l Dual-system hot backup

If the faulty link detected by IP-Link detection affects the active/standby service of the Eudemon, the Eudemon adjusts the VGMP priority to implement an active/standby switchover, thus ensuring service continuity.
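IP-Link auto-detection as an added example, not Eudemon code: the fault rule (no reply within the timeout) and the recovery rule (three consecutive replies within a period) as a small state machine, plus the two consumers listed above, static route selection and a VGMP priority that drops while a monitored link is down. Probe timing, destination addresses, route preferences, the preference ordering and the priority penalty are assumed values.

```python
"""IP-Link auto-detection as a state machine, with the two consumers the text
names: static route selection and the VGMP priority used by dual-system hot
backup. Added example, not Eudemon code; the probe timing, the destination
addresses, the route preferences and the VGMP penalty are constructed values.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class IpLink:
    """Reachability of one destination probed with ICMP or ARP requests."""
    dest: str
    timeout: float                 # seconds without a reply before the link is faulty (assumed)
    recover_count: int = 3         # consecutive replies needed to declare recovery
    recover_window: float = 10.0   # seconds within which those replies must arrive (assumed)
    reachable: bool = True
    events: List[Tuple[float, str]] = field(default_factory=list)
    _last_probe: float = 0.0
    _last_reply: float = 0.0
    _streak: int = 0
    _streak_start: Optional[float] = None

    def _reset_streak(self) -> None:
        self._streak, self._streak_start = 0, None

    def on_probe(self, now: float) -> None:
        """A request is sent at time now; first account for the previous one."""
        missed = self._last_reply < self._last_probe   # previous probe got no reply
        self._last_probe = now
        if self.reachable:
            if now - self._last_reply > self.timeout:
                self.reachable = False
                self._reset_streak()
                self.events.append((now, "fault"))
        elif missed:
            self._reset_streak()   # a missed reply breaks the consecutive run

    def on_reply(self, now: float) -> None:
        """A reply from dest arrived at time now."""
        self._last_reply = now
        if self.reachable:
            return
        if self._streak_start is None or now - self._streak_start > self.recover_window:
            self._streak_start, self._streak = now, 0
        self._streak += 1
        if self._streak >= self.recover_count:
            self.reachable = True
            self._reset_streak()
            self.events.append((now, "recovered"))


@dataclass
class StaticRoute:
    prefix: str
    next_hop: str
    preference: int        # smaller value preferred; ordering assumed for this example
    link: IpLink           # the IP-Link that monitors this next hop


def select_route(routes: List[StaticRoute], prefix: str) -> Optional[StaticRoute]:
    """Most preferred route to prefix whose monitored link is reachable."""
    usable = [r for r in routes if r.prefix == prefix and r.link.reachable]
    return min(usable, key=lambda r: r.preference, default=None)


def vgmp_priority(base: int, links: List[IpLink], penalty: int) -> int:
    """Lower the VGMP priority for every monitored link that is down so the
    peer device can take the active role; the penalty is an assumed value."""
    return base - penalty * sum(1 for link in links if not link.reachable)


if __name__ == "__main__":
    primary = IpLink("10.100.10.254", timeout=3.0)    # constructed next hops
    backup = IpLink("10.100.20.254", timeout=3.0)
    routes = [StaticRoute("0.0.0.0/0", primary.dest, 10, primary),
              StaticRoute("0.0.0.0/0", backup.dest, 20, backup)]
    for t in range(0, 6):                  # primary stops answering after t=1
        primary.on_probe(float(t))
        if t < 2:
            primary.on_reply(t + 0.1)
    print(primary.events, select_route(routes, "0.0.0.0/0").next_hop)
    print(vgmp_priority(100, [primary, backup], penalty=10))
```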


A Glossary

A

AAA A framework for configuring the security functions of authentication, authorization, and accounting. It is a form of network security management.

ACL A sequential instruction list consisting of a series of permit | deny statements. In the scenario where a Eudemon is deployed on a network, an ACL is applied to the interface of a router, and the router determines which packets can be received and which should be denied according to the ACL. In QoS, ACLs are also used for traffic classification.

ARP A protocol used to resolve an IP address into an Ethernet MAC address. RFC 826 defines the protocol.

ASPF A state-based packet filter mechanism applied to the application layer. ASPF can work with a common static Eudemon to implement the security policies of an internal network. As ASPF is based on the session information of the application layer protocol, it can intelligently filter TCP and UDP packets. In addition, ASPF can detect sessions originated from either side of the Eudemon.

B

BGP The Border Gateway Protocol (BGP) is an inter-autonomous-system routing protocol. An autonomous system is a network or group of networks under a common administration and with common routing policies. BGP is used to exchange routing information for the Internet and is the protocol used between Internet service providers (ISPs).

C


CHAP A password authentication method. It is a three-way handshake authentication with encrypted passwords. The authenticator first sends the peer some randomly created packets (Challenge); then the peer encrypts the random packets with its own password and the MD5 algorithm and returns the Response packets; finally, the authenticator encrypts the original random packets with the peer's password and the MD5 algorithm, compares the Response value with its own calculation of the expected value, and returns the response (Acknowledge or Not Acknowledge) based on this comparison.

D

DDoS Distributed Denial of Service attack. On the Internet, a distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system.

DES A data encryption standard that encrypts data in 64-bit blocks, generating 64-bit encrypted text.

DH A shared key protocol proposed by Diffie and Hellman. With this protocol, the communicating parties can calculate a shared key and exchange data without ever transmitting the shared key.

DMZ The term DMZ derives from the military, where a DMZ is an intermediate zone between the strictly controlled military zone and the loosely controlled public zone; that is, it is partially controlled by the military. In the Eudemon, DMZ indicates a zone that is independent of internal networks and external networks both logically and physically, in which public devices such as WWW servers and FTP servers are placed. It is hard to place these servers for external access: if placed in external networks, their security cannot be assured, while if placed in internal networks, their security defects might give an external malicious client the opportunity to attack internal networks. The DMZ was developed to solve this problem.

DNS A hierarchical way of tracking domain names and their addresses, devised in the mid-1980s. The DNS database does not rely on one file or even one server, but rather is distributed over several key computers across the Internet to prevent catastrophic failure if one or a few computers go down. DNS is a TCP/IP service that belongs to the Application layer of the OSI model.

E

ESP A secure packet encapsulation protocol used in transport mode and tunnel mode. Adopting encryption and authentication mechanisms, it provides IP data packets with data source authentication, data integrity, anti-replay, and data confidentiality services.


F

FTP An application layer protocol used to transmit files between remote hosts. FTP is implemented on the basis of the corresponding file system.

G

GRE Tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. By connecting multiprotocol subnetworks in a single-protocol backbone environment, IP tunneling using GRE allows network expansion across a single-protocol backbone environment.

H

HTTP Hypertext Transfer Protocol. The protocol used to carry requests from a browser to a Web server and to transport pages from Web servers back to the requesting browser. Although HTTP is almost universally used on the Web, it is not an especially secure protocol.

I

ICMP A Layer 2 protocol that reports errors and provides other information relevant to IP packet processing.

IETF The Internet Engineering Task Force. An organization dedicated to developing and designing the TCP/IP protocol stack and Internet standards.

IKE A protocol used to exchange keys between Oakley and SKEME through ISAKMP.

IP A protocol that provides connectionless best-effort delivery of datagrams across heterogeneous physical networks. IP is a network layer protocol in the TCP/IP protocol stack.

L

LAC A device attached to the switching network. An LAC has a PPP terminal system and delivers L2TP processing. It usually provides access services.


LAN Local Area Network. A network consisting of personal computers and workstations residing in the same building or within several kilometers in circumference. A LAN features high speed and a low error rate. Ethernet, FDDI, and Token Ring are the three main technologies used to implement LANs.

LCP Link Control Protocol. In the Point-to-Point Protocol (PPP), the Link Control Protocol (LCP) establishes, configures, and tests data-link Internet connections.

M

MAC The lower of the two sub-layers of the Data Link Layer. The MAC layer is closer to the physical layer.

MD5 An algorithm developed by Ron Rivest to provide a strong one-way hashing function. The algorithm generates a fixed-length (128-bit) digest from a message of any length, which can be appended to prove data integrity.

N

NAPT NAPT translates transport identifiers (for example, TCP and UDP port numbers and ICMP query identifiers). This allows the transport identifiers of a number of private hosts to be multiplexed into the transport identifiers of a single external address. NAPT allows a set of hosts to share a single external address.

NAS A server that provides PSTN/ISDN dial-in users with Internet access services.

NAT A mechanism for reducing the need for globally unique IP addresses. NAT allows an organization with private IP addresses to connect to the Internet by translating those addresses into a globally unique and routable IP address.

NCP The program that switches the virtual circuit connections into place, implements path control, and operates the Synchronous Data Link Control (SDLC) link.

NP An integrated circuit with a feature set specifically targeted at the networking application domain. Network processors are typically software-programmable devices with generic characteristics similar to the general-purpose CPUs commonly used in many different types of equipment and products.

NTP The Network Time Protocol was developed to maintain a common sense of "time" among Internet hosts around the world. Many systems on the Internet run NTP and have the same time (relative to Greenwich Mean Time), with a maximum difference of about one second.


O

OSI OSI (Open Systems Interconnection) is a standard description or reference model for how messages should be transmitted between any two points in a telecommunication network.

OSPF Link-state, hierarchical IGP routing algorithm proposed as a successor to RIP in the Internet community. OSPF features include least-cost routing, multipath routing, and load balancing. OSPF was derived from an early version of the IS-IS protocol.

P

PAM Port to Application Mapping (PAM) allows you to customize TCP or UDP port numbers for network services or applications. PAM uses this information to support network environments that run services using ports that differ from the registered or well-known ports associated with an application.

PAP A protocol that uses a two-way handshake for authentication. The PAP password is sent in plain text. The authenticated side first sends the user name and password to the authenticating side. The authenticating side then checks whether the user exists and whether the password is correct according to the user configuration, and returns a response (Acknowledge or Not Acknowledge).

PPP A dedicated transmission link between two devices.

PPTP A protocol that encapsulates PPP in tunneling mode over IP networks. It is supported by products of Microsoft, Ascend, 3COM, and some other companies.

Q

QoS Quality of Service. The service performance of IP network delivery is usually expressed in terms of QoS. QoS estimates the core capabilities required by services, such as delay, delay variation, and packet loss ratio. Certain supporting technologies are needed to meet these key requirements.

R

RADIUS A distributed server/client system developed by Livingston Enterprise. RADIUS can provide the AAA function. As an authentication and accounting protocol, RADIUS can provide access authentication, authorization, and accounting functions for a great number of users through serial ports and modems.

RAS Windows software that allows a user to gain remote access to the network server via a modem.


RFC A document in which a standard, a protocol, or other information pertaining to the operation of the Internet is published.

RIP Routing Information Protocol. A routing protocol that calculates routes with the D-V (distance-vector) algorithm and selects routes according to the hop count. RIP is widely used in small-sized networks.

RTSP The Real Time Streaming Protocol is a client-server application-level protocol for controlling the delivery of data with real-time properties.

S

SIP A protocol developed by the IETF MMUSIC Working Group and a proposed standard for initiating, modifying, and terminating an interactive user session that involves multimedia elements.

SMTP Simple Mail Transfer Protocol (SMTP) is the de facto standard for e-mail transmission across the Internet.

SNMP Simple Network Management Protocol is part of the TCP/IP suite and is used to control and manage IP gateways and other network functions.

SSH A set of network standards and protocols that provide secure Telnet access.

SSL Secure Sockets Layer is a security protocol used to encrypt all the messages communicated on a network such as the Internet.

T

TCP A transport layer protocol that provides a connection-oriented, full-duplex, point-to-point service between hosts.

TCP/IP A suite of communications protocols used to connect hosts on the Internet. TCP/IP uses several protocols, the two main ones being TCP and IP.

TE TE encompasses traffic management, capacity management, traffic measurement and modelling, network modelling, and performance analysis.

TFTP Trivial File Transfer Protocol. A version of the TCP/IP FTP protocol that has no directory or password capability.

U

UDP Part of the TCP/IP protocol suite. UDP is a standard, connectionless, host-to-host protocol used over packet-switched computer communication networks. UDP does not provide the reliability and ordering guarantees that TCP does.


V

VLAN Virtual Local Area Network. A logically independent network. Itdivides a LAN into multiple logical LANs. Each VLAN is abroadcast domain. The communication between the hosts in aVLAN is similar to that in a LAN.

W

WWW World Wide Web. It is a wide-area hypermedia information retrieval initiative to give universal access to a large universe of documents.


B Acronyms and Abbreviations

A

AAA Authentication, Authorization and Accounting

ACK ACKnowledgement

ACL Access Control List

AES Advanced Encryption Standard

AH Authentication Header

ALG Application Level Gateway

ARP Address Resolution Protocol

ASPF Application Specific Packet Filter

B

BGP Border Gateway Protocol

C

CA Certification Authority

CHAP Challenge-Handshake Authentication Protocol

D

DDoS Distributed Denial of Service

DHCP Dynamic Host Configuration Protocol

DMZ Demilitarized Zone

DNS Domain Name System


DoS Denial of Service

E

ESP Encapsulating Security Payload

F

FIFO First In First Out

FTP File Transfer Protocol

G

GE Gigabit Ethernet

GRE Generic Routing Encapsulation

H

HTTP Hypertext Transfer Protocol

HWCC Huawei Conference Control protocol

I

ICMP Internet Control Message Protocol

ID Identity

IETF Internet Engineering Task Force

IGMP Internet Group Management Protocol

IP Internet Protocol

IPX Internetwork Packet Exchange

ISP Internet Service Provider

L

LAN Local Area Network

LCP Link Control Protocol

M

MAC Media Access Control


MD5 Message Digest Algorithm 5

MGCP Media Gateway Control Protocol

MIB Management Information Base

MPLS MultiProtocol Label Switching

MRU Maximum Receive Unit

N

NAPT Network Address and Port Translation

NAS Network Access Server

NAT Network Address Translation

NCP Network Control Protocol

NP Network Processor

NTP Network Time Protocol

O

OOB Out-Of-Band

OSI Open Systems Interconnection

OSPF Open Shortest Path First

P

PAM Port to Application Mapping

PAP Password Authentication Protocol

PFS Perfect Forward Secrecy

POP Point of Presence

PPP Point-to-Point Protocol

PPPoE Point-to-Point Protocol over Ethernet

PPTP Point-to-Point Tunneling Protocol

PSTN Public Switched Telephone Network

Q

QoS Quality of Service


R

RADIUS Remote Authentication Dial in User Service

RAS Remote Access service

RFC Request For Comments

RIP Routing Information Protocol

RSA Rivest, Shamir, Adleman

RTSP Real-Time Streaming Protocol

S

SIP Session Initiation Protocol

SMTP Simple Mail Transfer Protocol

SNMP Simple Network Management Protocol

SSH Secure Shell

SYN Flood Synchronization Flood

T

TCP Transmission Control Protocol

TCP/IP Transmission Control Protocol/Internet Protocol

TFTP Trivial File Transfer Protocol

ToS Type of Service

U

UDP User Datagram Protocol

URL Uniform Resource Locator

V

VLAN Virtual LAN

VPDN Virtual Private Dial Network

VPLS Virtual Private LAN Service

W

WWW World Wide Web
