Jul 12, 2007

Mobile IP (IPv4)

Source: IPv6 Forum Taiwan

Mobile IP protocol architecture

The main purpose of Mobile IP is to let a host keep a single fixed IP address while connecting to the Internet through a temporary address. The user never notices the temporary address, so whatever was in progress is not interrupted. Below we give a brief introduction to how Mobile IP operates.

Mobile IP network system architecture

The Mobile IP network architecture and its subsystems are shown in the figure below, where:



Mobile Host: a host on the Internet that frequently changes its point of attachment to the network is called a Mobile Host. The change of attachment point may happen while the network is in the middle of a communication, but it is usually assumed that the attachment point changes more slowly than the protocol can react.

Home Network: the network that has administrative authority over the Mobile Host. To other hosts on the Internet, the Mobile Host "appears" to be attached here regardless of its current address.

Home Address: like the address of any other fixed host, this address is permanent and is assigned to the Mobile Host by the administrator of the Home Network. To send data to the Mobile Host, a sender only needs to know this address, not the Mobile Host's current temporary address.

Home Agent: a host on the Home Network that makes the Mobile Host reachable at all times by other hosts on the network.

Foreign Network: for any Mobile Host, any network other than the Home Network that allows it to attach is called a Foreign Network.

Care-of-Address: an IP address that represents the Mobile Host's point of attachment to the network while it is away from the Home Network.

Foreign Agent: a host on the Foreign Network that delivers packets to the Care-of-Address.

Register: the Mobile Host informs the Home Agent of its Care-of-Address.

--------------------------------------------------------------------------------

Basic operating principle

Mobile IP is standardized by the IETF as RFC 2002, "IP Mobility Support". The principle is simple, but the details are complicated. Mobile IP uses only three components: the Mobile Host, the Home Agent and the Foreign Agent. Its advantage is that only these three components are needed; no other part of the network, such as DNS, has to change.
When a Mobile Host attaches to the network, it must first determine whether it is on its Home Network or on a Foreign Network. It can do this by "listening" to local broadcasts, or by actively sending a message to an Agent. This is achieved simply by extending the existing RFC 1256 Internet Control Message Protocol (ICMP) Router Discovery protocol.
If the Mobile Host receives a broadcast from its Home Agent, it is on the Home Network and ordinary IP routing is all that is needed. If it is on a Foreign Network, it obtains a Care-of-Address (an IP address on the Foreign Network) and then registers it with its Home Agent. There are two ways to obtain a Care-of-Address: assignment by the Foreign Agent, or obtaining an IP address dynamically via DHCP, in which case the Mobile Host acts as its own Foreign Agent.
Next, once the Mobile Host has established contact with its Home Agent, consider the following: when a host on the Internet sends packets to the Mobile Host, every packet addressed to the Mobile Host is received by its Home Agent. After receiving a packet, the Home Agent prepends the Foreign Agent's address to it and forwards it to the Foreign Agent. Adding the Foreign Agent's address in this way is called Encapsulation; there are two methods, RFC 2003 (IP Encapsulation within IP) and RFC 2004 (Minimal Encapsulation within IP). The forwarding itself is called Tunneling.
There is one more related issue: security. The Home Agent must have some way to authenticate a given Mobile Host; otherwise an attacker could impersonate the Mobile Host and obtain its data packets. RFC 2002 also specifies the security requirements.
From the above it is clear that Mobile IP uses no special tricks and is therefore fully compatible with the existing IPv4 protocol. Below we look more closely at the three main Mobile IP procedures: how to discover, register, and tunnel packets to the Care-of-Address.

Discovering the Care-of-Address

A Mobile Host discovers a Care-of-Address by means of an extension to the existing RFC 1256 Internet Control Message Protocol (ICMP) Router Discovery protocol. That protocol was originally used to tell a host about its default routers; here information about Care-of-Addresses is added on top of it.
Home Agents and Foreign Agents periodically broadcast packets carrying Care-of-Address information to every host on the LAN, so any Mobile Host on the LAN can obtain a Care-of-Address. This is done because a Mobile Host that is not on its Home Network can only receive broadcast packets. Of course, when the Mobile Host is on the Home Network, the Home Network need not offer any Care-of-Address. An RFC 1256 Router Advertisement with Care-of-Address information added is called an "Agent Advertisement".
Relying on broadcasts alone, the Mobile Host sometimes cannot afford to wait; it may then actively broadcast or multicast a packet to detect whether a Home Agent or Foreign Agent is present. Another case is when the Mobile Host has not received any Agent Advertisement for some time, from which it can assume that it is no longer within the range of this Foreign Agent. The Mobile Host may then also send a packet periodically on its own initiative. This packet is an RFC 1256 Router Solicitation with some extra information, such as how long the Mobile Host needs the Care-of-Address, and the whole message is called an "Agent Solicitation". When an Agent receives this packet, it must immediately send out an Agent Advertisement.
After these steps the Mobile Host has obtained a Care-of-Address, but the Home Agent still does not know the Mobile Host's current address, so the following step is also needed:

Registering the Care-of-Address

Referring to the figure below, the registration process is as follows: the Mobile Host requests service from the Foreign Agent (this was done in the previous step, Discovering), and the Foreign Agent then requests service from the Home Agent. At this point the Mobile Host has obtained a Care-of-Address but cannot use it yet; it must wait for the Home Agent's approval. The Home Agent tells the Foreign Agent whether it approves, and the Foreign Agent relays the result to the Mobile Host.



Registration involves three important elements: the Home Address, the Care-of-Address, and the Registration Lifetime; together these three are called a Binding. A Binding is created when registration succeeds. A Binding has a limited lifetime; once it expires, the Mobile Host must re-register to obtain a new Binding, which is called a Binding Update.
A Binding Update changes the Home Agent's routing table, so it is dangerous. To keep the network secure, authentication must therefore be performed at registration. Mobile IP requires the Home Agent and the Mobile Host to share the same "key"; authentication passes only if the keys match. This key is used with Message Digest 5 (MD5, RFC 1321) and is 128 bits long. A key alone is still not enough, because an attacker could "guess" a valid exchange by replaying a captured one (a replay attack). So in addition to the key, a special identification field is added at registration whose value differs on every authentication. The identification field is generated mainly from the time, since every registration happens at a different time; this requires the Home Agent and the Mobile Host to be able to synchronize their clocks.
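As an added illustration of the authentication just described (example code written for this page, not from IPv6 Forum Taiwan or RFC 2002), the following Python sketch shows a Home Agent checking a registration: the authenticator is keyed MD5 in the "prefix+suffix" form MD5(key || request || key) over a shared 128-bit key, and the identification field carries a timestamp that must fall within the Home Agent's clock window and be strictly newer than the last value accepted for that Home Address. The request layout, the 7-second skew window and the key value are constructed assumptions, not the RFC wire format.

```python
import hashlib
import hmac
import socket
import struct

# Constructed 128-bit secret shared by the Mobile Host and the Home Agent (assumption: any 16-byte value).
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
# How far (seconds) the identification may drift from the Home Agent's clock (assumption).
MAX_CLOCK_SKEW = 7

# Simplified Registration Request layout (assumption, not the exact RFC 2002 wire format):
# type, flags, lifetime, home address, home agent, care-of address, 64-bit identification.
REQ_FMT = "!BBH4s4s4sQ"


def make_identification(now_seconds):
    """Timestamp-based identification: whole seconds in the high 32 bits, zero fraction (assumption)."""
    return (int(now_seconds) & 0xFFFFFFFF) << 32


def build_request(home_addr, home_agent, coa, lifetime, identification):
    """Serialize a Registration Request in the simplified layout above."""
    return struct.pack(REQ_FMT, 1, 0, lifetime,
                       socket.inet_aton(home_addr), socket.inet_aton(home_agent),
                       socket.inet_aton(coa), identification)


def authenticator(request, key):
    """Keyed MD5 in 'prefix+suffix' mode: MD5(key || request || key)."""
    return hashlib.md5(key + request + key).digest()


class HomeAgent:
    """Home Agent side: verify the authenticator and the identification before touching any binding."""

    def __init__(self, key, clock):
        self.key = key
        self.clock = clock        # callable returning the current time in seconds
        self.last_id = {}         # home address -> highest identification accepted so far
        self.bindings = {}        # home address -> (care-of address, lifetime)

    def process(self, request, auth):
        # 1. Authenticate first, with a constant-time compare: a forged request must never reach the table.
        if not hmac.compare_digest(authenticator(request, self.key), auth):
            return "rejected: bad authenticator"
        _, _, lifetime, home, _, coa, ident = struct.unpack(REQ_FMT, request)
        home_s = socket.inet_ntoa(home)
        # 2. The identification must be close to the Home Agent's own clock ...
        if abs((ident >> 32) - int(self.clock())) > MAX_CLOCK_SKEW:
            return "rejected: identification outside clock window"
        # 3. ... and strictly newer than the last one accepted, so a captured request cannot be replayed.
        if ident <= self.last_id.get(home_s, -1):
            return "rejected: replayed identification"
        self.last_id[home_s] = ident
        self.bindings[home_s] = (socket.inet_ntoa(coa), lifetime)
        return "accepted"


if __name__ == "__main__":
    ha = HomeAgent(SHARED_KEY, clock=lambda: 1_000_000)
    req = build_request("10.0.0.5", "10.0.0.1", "192.0.2.77", 300, make_identification(1_000_000))
    auth = authenticator(req, SHARED_KEY)
    print(ha.process(req, auth))   # accepted
    print(ha.process(req, auth))   # rejected: replayed identification
```

The order of the checks is the point: the authenticator is verified before any field is trusted, and the binding table is written only after the freshness check passes, so a replayed request cannot re-register an old Care-of-Address and a forged one cannot change where the Home Agent tunnels traffic.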
Next comes how data is actually delivered.

Tunneling to the Care-of-Address

How are packets sent to the Home Network forwarded to the Mobile Host on the Foreign Network? This uses the Encapsulation technique. There are two encapsulation methods, IP-within-IP (RFC 2003) and Minimal Encapsulation (RFC 2004); the figure below shows the former. After the Home Agent receives a packet, it prepends a new header while leaving the original header unchanged. The packet can then be delivered by the ordinary IP layer without changing the configuration of any other machine along the path. When the Foreign Agent receives the packet, it removes the added header and delivers the packet to the Mobile Host. This completes all the Mobile IP operations.
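The following Python example (added here; not code from the page's source) builds and unwraps an RFC 2003 IP-within-IP packet: a constructed inner packet from a correspondent to the Home Address is wrapped by the Home Agent in a new outer header addressed to the Care-of-Address, and the Foreign Agent strips it again. The header checksum is verified on both layers; the check that the outer source is the registered Home Agent is a defensive addition and an assumption, not something the text requires.

```python
import socket
import struct

IPPROTO_IPIP = 4   # IANA protocol number for "IP in IP" (RFC 2003)


def inet_checksum(data):
    """Internet checksum: one's-complement sum of 16-bit words, folded twice to absorb the carries."""
    total = sum(struct.unpack("!%dH" % ((len(data) + 1) // 2), data + b"\x00" * (len(data) % 2)))
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0):
    """Build a 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def parse_ipv4(packet):
    """Return (header fields, payload) after checking version, lengths and header checksum."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("inconsistent IPv4 lengths")
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    fields = {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
              "proto": packet[9], "ttl": packet[8], "total_len": total_len}
    return fields, packet[ihl:total_len]


def encapsulate(inner_packet, home_agent, care_of):
    """Home Agent side: put a new outer header in front; the inner packet is carried unchanged."""
    return ipv4_header(home_agent, care_of, IPPROTO_IPIP, len(inner_packet)) + inner_packet


def decapsulate(outer_packet, registered_home_agent):
    """Foreign Agent side: strip the outer header and return (inner header fields, inner packet).
    The outer-source check is a defensive addition (assumption): only the Home Agent the Mobile
    Host registered with should be able to inject packets into this tunnel."""
    outer, inner = parse_ipv4(outer_packet)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("outer protocol is not IP-in-IP")
    if outer["src"] != registered_home_agent:
        raise ValueError("outer source %s is not the registered Home Agent" % outer["src"])
    inner_fields, _ = parse_ipv4(inner)      # validates the inner header as well
    return inner_fields, inner


if __name__ == "__main__":
    # Constructed sample: a UDP packet from a correspondent (198.51.100.9) to the Home Address (10.0.0.5).
    inner = ipv4_header("198.51.100.9", "10.0.0.5", 17, 4) + b"data"
    outer = encapsulate(inner, "10.0.0.1", "192.0.2.77")     # Home Agent -> Care-of-Address
    print(parse_ipv4(outer)[0])
    print(decapsulate(outer, "10.0.0.1")[0])
```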



When the Mobile Host wants to send packets to a host on the network, it can use ordinary IP routing. When a host on the network wants to send packets to the Mobile Host, the path must go through the Home Agent and the Foreign Agent. Because the two paths differ, the resulting route is triangular (Triangular Routing of Data, see figure below). This path works, but it is not efficient. When the Mobile Host changes location, all packets are sent along the old path and lost until the Mobile Host registers with the Home Agent; once registration succeeds and a new Binding exists, all packets follow the new path.

Peering

Peering is voluntary interconnection of administratively separate Internet networks for the purpose of exchanging traffic between the customers of each network. The pure definition of peering is settlement-free or "sender keeps all," meaning that neither party pays the other for the exchanged traffic, instead, each derives revenue from its own customers. Marketing and commercial pressures have led to the word peering routinely being used when there is some settlement involved, even though that is not the accurate technical use of the word. The phrase "settlement-free peering" is sometimes used to reflect this reality and unambiguously describe the pure cost-free peering situation.

Peering requires physical interconnection of the networks, an exchange of routing information through the Border Gateway Protocol (BGP) routing protocol and is often accompanied by peering agreements of varying formality, from "handshake" to thick contracts.

How peering works
The Internet is a collection of separate and distinct networks, each one operating under a common framework of globally unique IP addressing and global BGP routing.

The relationships between these networks are generally described by one of the following three categories:

Transit (or pay) - You pay money (or settlement) to another network for Internet access (or transit).
Peer (or swap) - Two networks exchange traffic between each other's customers freely, and for mutual benefit.
Customer (or sell) - Another network pays you money to provide them with Internet access.
Furthermore, in order for a network to reach any specific other network on the Internet, it must either:

Sell transit (or Internet access) service to that network (making them a 'customer'),
Peer directly with that network, or with a network who sells transit service to that network, or
Pay another network for transit service, where that other network must in turn also sell, peer, or pay for access.
The Internet is based on the principle of global reachability (sometimes called end-to-end reachability), which means that any Internet user can reach any other Internet user as though they were on the same network. Therefore, any Internet connected network must by definition either pay another network for transit, or peer with every other network who also does not purchase transit.

Motivations for peering
Peering involves two networks coming together to exchange traffic with each other freely, and for mutual benefit. This 'mutual benefit' is most often the motivation behind peering, which is often described solely by "reduced costs for transit services". Other less tangible motivations can include:

Increased capacity for extremely large amounts of traffic (distributing traffic across many networks).
Increased control over your traffic (reducing dependence on one or more transit providers).
Improved performance (attempting to bypass potential bottlenecks with a "direct" path).
Improved perception of your network (being able to claim a "higher tier").
Government regulations, or the desire to avoid the appearance of being a monopoly.

Physical interconnections for peering
The physical interconnections used for peering are categorized into two types:

‧Public peering - Interconnection utilizing a multi-party shared switch fabric such as an Ethernet switch.
‧Private peering - Interconnection utilizing a point-to-point interconnection such as a patch-cable or dark fiber between two parties.



Public peering
Public peering is accomplished across a Layer 2 access technology, generally called a shared fabric. At these locations, multiple carriers interconnect with one or more other carriers across a single physical port. Historically public peering locations were known as network access points (NAPs), today they are most often called exchange points or Internet exchanges ("IXP" or "IX"). Many of the largest exchange points in the world can have hundreds of participants, and some span multiple buildings and colocation facilities across a city.

Since public peering allows networks interested in peering to interconnect with many other networks through a single port, it is often considered to offer "less capacity" than private peering, but to a larger number of networks. Many smaller networks, or networks who are just beginning to peer, find that public peering exchange points provide an excellent way to meet and interconnect with other networks who may be open to peering with them. Some larger networks utilize public peering as a way to aggregate a large number of "smaller peers", or as a location for conducting low-cost "trial peering" without the expense of provisioning private peering on a temporary basis, while other larger networks are not willing to participate at public exchanges at all.

A few exchange points, particularly in the United States, are operated by commercial carrier-neutral third parties. These operators typically go to great lengths to promote communication and encourage new peering, and will often arrange social events for these purposes.

Private peering
Private peering is the direct interconnection between only two networks, across a Layer 1 or 2 media that offers dedicated capacity that is not shared by any other parties. Early in the history of the Internet, many private peers occurred across 'telco' provisioned SONET circuits between individual carrier-owned facilities. Today, most private interconnections occur at carrier hotels or carrier neutral colocation facilities, where a direct crossconnect can be provisioned between participants within the same building, usually for a much lower cost than telco circuits.

Most of the traffic on the Internet, especially traffic between the largest networks, occurs via private peering. However, because of the resources required to provision each private peer, many networks are unwilling to provide private peering to "small" networks, or to "new" networks who have not yet proven that they will provide a mutual benefit.

Peering agreements/contracts
Throughout the history of the Internet, there has been a spectrum of agreements between peers, ranging from handshake deals to peering contracts which may be required by one or both sides. Such a contract sets forth the details of how traffic is to be exchanged, along with a list of expected activities which may be necessary to maintain the peering relationship, a list of activities which may be considered abusive and result in termination of the relationship, and details concerning how the relationship can be terminated. Detailed contracts of this type are typically used between the largest ISPs, and the ones operating in the most heavily-regulated economies, accounting for about 1-2% of peering relationships overall.

History of peering
The first Internet exchange point was the Metropolitan Area Ethernet, or MAE, in Tysons Corner, Virginia. When the United States government decided to de-fund the NSFNET backbone, Internet exchange points were needed to replace its function, and initial governmental funding was used to aid the MAE and bootstrap three other exchanges, which they dubbed NAPs, or "Network Access Points," in accordance with the terminology of the National Information Infrastructure document. All four are now defunct or no longer functioning as Internet exchange points:

‧MAE-East - Located in Tysons Corner, VA, and later relocated to Ashburn, Virginia
‧AADS - Located in Chicago, Illinois
‧SprintNAP - Located in Pennsauken, New Jersey
‧PacBell NAP - Distributed throughout California

As the Internet grew, and traffic levels increased, these NAPs became a network bottleneck. Most of the early NAPs utilized FDDI technology, which provided only 100 Mbit/s of capacity to each participant. Some of these exchanges upgraded to ATM technology, which provided OC-3 (155 Mbit/s) and OC-12 (622 Mbit/s) of capacity.

Other prospective exchange point operators moved directly into offering Ethernet technology, such as gigabit Ethernet (1000 Mbit/s), which quickly became the predominant choice for Internet exchange points due to the reduced cost and increased capacity offered. Today, almost all significant exchange points operate solely over Ethernet, and most of the largest exchange points offer ten gigabit Ethernet (10,000 Mbit/s) service.

During the dot-com boom, many exchange point and carrier neutral colocation providers had plans to build as many as 50 locations to promote carrier interconnection in the United States alone. Essentially all of these plans were abandoned following the dot-com bust, and today it is considered both economically and technically infeasible to support this level of interconnection among even the largest of networks.

Depeering
By definition, peering is the voluntary and free exchange of traffic between two networks, for mutual benefit. If one or both networks believes that there is no longer a mutual benefit, they may decide to cease peering: this is known as depeering. Some of the reasons why one network may wish to depeer another include:

A desire that the other network pay settlement, either in exchange for continued peering or for transit services.
A belief that the other network is "profiting unduly" from the settlement free interconnection.
Concern over traffic ratios, which relate to the fair sharing of cost for the interconnection.
A desire to peer with the upstream transit provider of the peered network.
Abuse of the interconnection by the other party, such as pointing default or utilizing the peer for transit.
Instability of the peered network, repeated routing leaks, lack of response to network abuse issues, etc.
The inability or unwillingness of the peered network to provision additional capacity for peering.
The belief that the peered network is unduly peering with your customers.
Various external political factors (including personal conflicts between individuals at each network).
In some situations, networks who are being depeered have been known to attempt to fight to keep the peering by intentionally breaking the connectivity between the two networks when the peer is removed, either through a deliberate act or an act of omission. The goal is to force the depeering network to have so many customer complaints that they are willing to restore peering. Examples of this include forcing traffic via a path that does not have enough capacity to handle the load, or intentionally blocking alternate routes to or from the other network. Some very notable examples of these situations have included:

‧BBN Planet vs. Exodus Communications[1]
‧PSINet vs. Cable & Wireless[2]
‧AOL Transit Data Network (ATDN) vs. Cogent Communications[3]
‧Teleglobe vs. Cogent Communications
‧France Télécom vs. Cogent Communications[4]
‧France Télécom (Wanadoo) vs. Proxad (Free)[5]
‧Level 3 Communications vs. XO Communications
‧Level 3 Communications vs. Cogent Communications[6]

Modern peering
The modern Internet operates with significantly more peering locations than at any time in the past, resulting in improved performance and better routing for the majority of the traffic on the Internet. However, in the interests of reducing costs and improving efficiency, most networks have attempted to standardize on relatively few locations within these individual regions where they will be able to quickly and efficiently interconnect with their peering partners.

The primary locations for peering within the United States are generally considered to be:

‧San Francisco Bay Region (San Jose CA, Palo Alto CA, Santa Clara CA, San Francisco CA)
‧Washington DC / Northern Virginia Region (Washington, DC, Ashburn VA, Reston VA, Vienna VA)
‧New York City Region (New York NY, Newark NJ)
‧Chicago Region (Chicago IL)
‧Los Angeles Region (Los Angeles, CA)
‧Dallas Region (Dallas, TX, Plano, TX, Richardson, TX)

For international traffic, the most important locations for peering are generally considered to be:

‧Amsterdam, Netherlands
‧London, United Kingdom
‧Frankfurt, Germany
‧Tokyo, Japan
‧Hong Kong, China
‧Seoul, South Korea
‧Miami, FL, USA

Exchange points
The largest individual exchange points in the world are AMS-IX in Amsterdam, followed closely by LINX in London. The next largest exchange point is generally considered to be JPIX in Tokyo, Japan. The United States, with a historically larger focus on private peering and commercial public peering, has a much smaller amount of traffic on public peers compared to other regions which operate non-profit exchange points. The combined exchange points in multiple cities operated by Equinix are generally considered to be the largest and most important, followed by the PAIX facilities which are currently owned and operated by Switch and Data. Other important but smaller exchange points include LIPEX and LONAP in London UK, DE-CIX in Frankfurt Germany, NYIIX in New York, and Nap of the Americas (or NOTA) in Miami, Florida.

URLs to some public traffic statistics of exchange points include:

‧AMS-IX
‧DE-CIX
‧LINX
‧MSK-IX
‧TORIX
‧NYIIX
‧LAIIX
‧TOP-IX
‧Netnod

Peering and BGP
A great deal of the complexity in the BGP routing protocol exists to aid the enforcement and fine-tuning of peering and transit agreements. BGP allows operators to define a policy that determines where traffic is routed. Three things commonly used to determine routing are local-preference, multi exit discriminators (MEDs) and AS-Path. Local-preference is used internally within a network to differentiate classes of networks. For example, a particular network will have a higher preference set on internal and customer advertisements. Settlement free peering is then configured to be preferred over paid IP transit.

Networks that speak BGP to each other can exchange multi exit discriminators with each other, although most do not. When networks interconnect in several locations, MEDs can be used to reference that network's interior gateway protocol cost. This results in both networks sharing the burden of transporting each other's traffic on their own network (cold potato). Hot-potato or nearest-exit routing, which is typically the normal behavior on the Internet, is where traffic destined to another network is delivered to the closest interconnection point.
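As an added worked example (not from the page; the local-preference values and relationship labels are a constructed policy), this Python code applies the policy described above to a few routes for one prefix: local-preference by relationship decides first, then AS-path length, then MED among routes from the same neighbor AS (cold potato), and finally the nearest exit by IGP cost (hot potato). An export filter is included because peering policy is also about what is announced: routes learned from a peer or a transit provider are announced only to customers, which stops a peer from using the interconnection for transit and prevents the routing leaks mentioned in the depeering section.

```python
from dataclasses import dataclass

# Local-preference assigned on import by relationship: a constructed policy that prefers customer
# routes over settlement-free peers and peers over paid transit (the values are an assumption).
LOCAL_PREF = {"customer": 200, "peer": 150, "transit": 100}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    neighbor_as: int
    relationship: str      # "customer", "peer" or "transit": who we learned the route from
    as_path: tuple
    med: int = 0           # Multi Exit Discriminator sent by the neighbor (lower is preferred)
    igp_cost: int = 0      # our own IGP metric to the next hop (used for hot-potato routing)


def local_pref(route):
    return LOCAL_PREF[route.relationship]


def best_path(routes, compare_med=True):
    """Simplified BGP decision process for one prefix: local-pref, AS-path length, MED, IGP cost."""
    cands = list(routes)
    # 1. Highest local-preference: this is where the peering/transit policy is enforced.
    top = max(local_pref(r) for r in cands)
    cands = [r for r in cands if local_pref(r) == top]
    # 2. Shortest AS-path.
    shortest = min(len(r.as_path) for r in cands)
    cands = [r for r in cands if len(r.as_path) == shortest]
    # 3. Lowest MED, compared only between routes from the same neighbor AS (cold potato:
    #    the neighbor tells us which of its interconnections is closest to the destination).
    if compare_med:
        by_as = {}
        for r in cands:
            by_as.setdefault(r.neighbor_as, []).append(r)
        cands = [r for group in by_as.values()
                 for r in group if r.med == min(x.med for x in group)]
    # 4. Lowest IGP cost to the next hop (hot potato: hand traffic off at the nearest exit).
    return min(cands, key=lambda r: r.igp_cost)


def export_allowed(route, to_relationship):
    """Export filter: customer routes go to everyone; routes learned from peers or transit
    are announced to customers only, so a peer can never reach our transit or other peers through us."""
    return route.relationship == "customer" or to_relationship == "customer"


if __name__ == "__main__":
    # Constructed routes for one prefix learned from a transit provider and twice from one peer.
    routes = [
        Route("203.0.113.0/24", "10.1.1.1", 64500, "transit", (64500, 64510), igp_cost=5),
        Route("203.0.113.0/24", "10.2.2.2", 64510, "peer", (64510,), med=20, igp_cost=30),
        Route("203.0.113.0/24", "10.3.3.3", 64510, "peer", (64510,), med=10, igp_cost=40),
    ]
    print(best_path(routes).next_hop)                     # 10.3.3.3 (peer wins, then lower MED)
    print(best_path(routes, compare_med=False).next_hop)  # 10.2.2.2 (hot potato: nearest exit)
```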

Law and policy
Internet interconnection is not regulated in the same way that public telephone network interconnection is regulated. Nevertheless, Internet interconnection has been the subject of several areas of federal policy. Perhaps the most dramatic example of this is the attempted MCI / Sprint merger. In this case, the Department of Justice signaled that it would move to block the merger specifically because of the impact of the merger on the Internet backbone market. In 2001, the Federal Communications Commission's advisory committee, the Network Reliability and Interoperability Council, recommended that Internet backbones publish their peering policies, something that they had been hesitant to do beforehand. The FCC has also reviewed competition in the backbone market in its Section 706 proceedings, which review whether advanced telecommunications are being provided to all Americans in a reasonable and timely manner.

Finally, Internet interconnection has become an issue in the international arena under something known as the International Charging Arrangements for Internet Services (ICAIS).[7] In the ICAIS debate, countries underserved by Internet backbones have complained that it is unfair that they must pay the full cost of connecting to an Internet exchange point in a different country, frequently the United States. These advocates argue that Internet interconnection should work like international telephone interconnection, with each party paying half of the cost.[8] Those who argue against ICAIS point out that much of the problem would be solved by building local exchange points. A significant amount of the traffic, it is argued, that is brought to the US and exchanged then leaves the US, using US exchange points as switching offices but not terminating in the US.[9] In worst case scenarios, traffic from one side of a street is brought to Miami, exchanged, and then returned to another side of the street. Countries with liberalized telecommunications and open markets, where competition between backbone providers occurs, tend to oppose ICAIS.

Tier 1 network

A Tier 1 Network is an IP network (typically but not necessarily an Internet Service Provider) which connects to the entire Internet solely via Settlement Free Interconnection, commonly known as peering. Another name for a Tier 1 network is "transit-free", because it does not receive a full transit table from any other network.

Although there is no formal definition of the "Internet Tier hierarchy", the generally accepted definition among networking professionals is:

‧Tier 1 - A network that peers with every other network to reach the Internet.
‧Tier 2 - A network that peers with some networks, but still purchases IP transit to reach at least some portion of the Internet.
‧Tier 3 - A network that solely purchases transit from other networks to reach the Internet.

Politics
There are many reasons why networking professionals use the "Tier Hierarchy" to describe networks, but the most important one is better understanding of a particular network's political and economic motivations in relationship to how and with whom it peers.

By definition, a Tier 1 network does not purchase IP transit from any other network to reach any other portion of the Internet. Therefore, in order to be a Tier 1, a network must peer with every other Tier 1 network. A new network cannot become a Tier 1 without the implicit approval of every other Tier 1 network, since any one network's refusal to peer with it will prevent the new network from being considered a Tier 1.

Tier 1 networks typically seek to protect their relatively rare status by preventing new networks from becoming Tier 1s and thus potentially competing. The networks often accomplish this by setting "peering requirements" which are intended to be too high for new networks to meet. Some experts in the field of Internet interconnections have compared the collective behaviors and motivations of Tier 1 networks to those of a cartel, in that they attempt to reduce competition in Internet bandwidth pricing through tacit collusion, and attempt to restrict the admission of new members. When one Tier 1 is perceived to be "cheating" the cartel by selling transit for too low a price, or by "dumping" too much outbound heavy bandwidth (which is significantly easier to deliver for the sending network than the receiving network), other members may move to de-peer that network.

Routing issues
Because a Tier 1 does not have any alternate transit paths, Internet traffic between any two Tier 1 networks is critically dependent on the peering relationship. If two Tier 1 networks arrive at an impasse and discontinue peering with each other (usually in a unilateral decision by one side), single-homed customers of each network will not be able to reach the customers of the other network. This effectively "partitions" the Internet, so that one portion cannot talk to another portion, which has happened several times during the history of the Internet. Those portions of the Internet typically remain partitioned until one side purchases transit (thus losing its "Tier 1" status), or until the collective pain of the outage and/or threat of legislation motivates the two networks to resume voluntary peering.

It is important to note here that Tier 2 (and lower) ISPs and their customers are normally unaffected by these partitions, because they can exchange traffic with more than one Tier 1 provider.

Marketing issues
Because there is no formal definition or authoritative body which determines who is and is not a Tier 1, the term is often misused as a marketing slogan rather than an accurate technical description of a network. Frequent misconceptions of the "tier hierarchy" include:

Tier 1 networks are closer to the "center" of the Internet.
In reality, Tier 1 networks usually have only a small number of peers (typically only other Tier 1s and very large Tier 2s), while Tier 2 networks are motivated to peer with many other Tier 2 and end-user networks. Thus a Tier 2 network with good peering is frequently much "closer" to most end users or content than a Tier 1.
Tier 1 networks by definition offer "better" quality Internet connectivity.
Some Tier 2 networks are significantly larger than some Tier 1 networks, and are often able to provide more or better connectivity.
Tier 2 networks are "resellers" of Tier 1 networks.
Only Tier 3 networks (who provide Internet access) are true "resellers", while many large Tier 2 networks peer with the majority or even vast majority of the Internet directly except for a small portion of the Internet which is reached via a transit provider.
Because the "tier" ranking system is used in marketing and sales, a long-held though generally misguided view among customers is that they should "only purchase from a Tier 1". Because of this, many networks claim to be Tier 1 even though they are not, while honest networks may lose business to those who only wish to purchase from a Tier 1. The frequent misuse of the term has led to a corruption of the meaning, whereby almost every network claims to be a Tier 1 even though it is not. The issue is further complicated by the almost universal use of non-disclosure agreements among Tier 1 networks, which prevent the disclosure of details regarding their settlement-free interconnections.

Some of the incorrect measurements which are commonly cited include numbers of routers, route miles of fiber optic cable, or number of customers using a particular network. These are all valid ways to measure the size, scope, capacity, and importance of a network, but they have no direct relationship to Tier 1 status.

Another common area of debate is whether it is possible to become a Tier 1 through the purchase of "paid peering", or settlement-based interconnections, whereby a network "buys" the status of Tier 1 rather than achieving it through settlement-free means. While this may simulate the routing behaviors of a Tier 1 network, it does not simulate the financial or political peering motivations, and is thus considered by most Peering Coordinators to not be a true Tier 1 for most discussions.

Global issues
A common point of contention among people discussing Tier 1 networks is the concept of a "regional Tier 1". A regional Tier 1 network is a network which is not transit free globally, but which maintains many of the classic behaviors and motivations of a Tier 1 network within a specific region.

A typical scenario for this behavior involves a network that was the incumbent telecommunications company in a specific country or region, usually tied to some level of government-supported monopoly. Within their specific countries or regions of origin, these networks maintain peering policies which mimic those of Tier 1 networks (such as lack of openness to new peering relationships and having existing peering with every other major network in that region). However, this network may then extend to another country, region, or continent outside of its core region of operations, where it may purchase transit or peer openly like a Tier 2 network.

A commonly cited example of these behaviors involves the incumbent carriers within Australia, who will not peer with new networks in Australia under any circumstances, but who will extend their networks to the United States and peer openly with many networks. Less extreme examples of much less restrictive peering requirements being set for regions in which a network peers, but does not sell services or have a significant market share, are relatively common among many networks, not just "regional Tier 1"s.

While the classification of "regional Tier 1" does hold some merit for understanding the peering motivations of such a network within different regions, these networks do not meet the requirements of a true global Tier 1 because they are not transit free globally.

History
The original Internet backbone was the ARPANET. It was replaced in 1989 by the NSFNet backbone. This was similar to a Tier 1 backbone. The Internet could be defined as anything able to send datagrams to this backbone.

When the Internet went private, a new network architecture based on decentralized routing (EGP) was developed. The Tier 1 ISPs and their peer connections made the NSFNet redundant and later obsolete. On April 30, 1995, the NSFNet backbone was shut down.

Currently, Tier 1 ISPs form the closest thing to a backbone.

List of Tier 1 IPv4 ISPs
The following 9 networks are the only Tier 1 ISPs:

Name                                   AS Number
AOL Transit Data Network (ATDN)        1668
AT&T                                   7018
Global Crossing (GX)                   3549
Level 3                                3356
Verizon Business (formerly UUNET)      701
NTT Communications (formerly Verio)    2914
Qwest                                  209
SAVVIS                                 3561
Sprint Nextel Corporation              1239

Due to the marketing considerations mentioned above, many people mistakenly believe that other networks are Tier 1 when they are not. Because of this, many online resources and forums incorrectly list several non-qualifying networks as Tier 1. Below is a list of some of these networks which are often listed as Tier 1 networks, along with their upstream providers:

‧Allstream/AS15290 (Verizon Business/AS701 transit)
‧AboveNet/AS6461 (Sprint Nextel Corporation/AS1239 paid peering)
‧PCCWGlobal/AS3491 (Global Crossing/AS3549 and SAVVIS/AS3561 transit)
‧British Telecom/AS5400 (Global Crossing/AS3549 and Sprint Nextel Corporation/AS1239 transit)
‧Broadwing/AS6395 (Sprint Nextel Corporation/AS1239 transit)
‧Cable and Wireless/AS1273 (Level(3)/AS3356 and SAVVIS/AS3561 transit)
‧Cogent Communications/AS174 (Verio/AS2914 Transit to reach ATDN)
‧Comindico/AS9942 (Verizon Business/AS701/AS703 transit)
‧Deutsche Telekom/AS3320 (Sprint Nextel Corporation/AS1239 transit)
‧France Telecom/AS5511 aka OpenTransit (Sprint Nextel Corporation/AS1239 transit)
‧Hurricane Electric/AS6939 (TeliaSonera/AS1299 transit, which uses UUNet/AS701 transit (Verizon Communications))
‧Internode/Agile/AS4739 (Verizon Business/AS701/AS703 transit)
‧nLayer/AS4436 (Global Crossing/AS3549 and SAVVIS/AS3561 transit)
‧Peer1/AS13768 (Global Crossing/AS3549 and SAVVIS/AS3561 transit, plus 701 and 7018)
‧Primus Telecom/AS11867 (Verizon Business/AS701/AS703 transit and Qwest/AS209 transit)
‧Teleglobe/VSNL (Sprint Nextel Corporation/AS1239 paid peering)
‧TeliaSonera/AS1299 (UUNet/AS701 transit)
‧Time Warner Telecom/AS4323 (Sprint Nextel Corporation/AS1239 transit)
‧Tiscali/AS3257 (Sprint Nextel Corporation/AS1239 transit)
‧XO Communications (AS2828)

Jul 11, 2007

IGMPv1 vs IGMPv2 vs IGMPv3

What is IGMPv1?

IGMPv1 uses a Query-Response model that lets Multicast Routers and Multi-Layer Switches determine which Multicast Groups are active on the local segment. In this model the Router or Switch acts as the IGMP Querier and periodically (every 60 seconds) sends an IGMPv1 Membership Query to 224.0.0.1. All multicast-enabled hosts listen on that address and receive the Query Packet. A host replies with an IGMPv1 Membership Report indicating that it wants to receive multicast traffic for a specific Group; the Router or Switch on the segment thus learns which receivers the Multicast Group has.

A host can join a Multicast Group by sending one or more unsolicited Membership Report packets. For example, a host proactively sends a Report packet indicating that it wants to receive traffic for Multicast Group 224.1.1.1.

A host leaves a Multicast Group simply by no longer processing the group's traffic and no longer responding to IGMP Queries.
IGMPv1 relies on the Layer 3 IP Multicast Routing Protocol (PIM, DVMRP, etc.) to decide which Router or Multi-Layer Switch on a segment becomes the Querier. The Querier Router sends IGMPv1 Queries to determine which Multicast Groups are active. Normally the Designated Router is chosen as the Querier.

IGMPv1 has 2 packet types:
- Membership Query (to 224.0.0.1, once every 60 seconds)
- Membership Report



What is IGMPv2?

IGMPv2 queries and membership reports are similar to those of IGMPv1. The differences are:
(1) IGMPv2 has two kinds of query:
- General Query (same function as the IGMPv1 query)
- Group-Specific Query (asks only about a particular group)

(2) IGMPv1 and IGMPv2 membership reports use different type codes.
The new features in IGMPv2 are:

1) Querier election: IGMPv2 routers or multilayer switches elect the querier themselves, without relying on the multicast routing protocol. When an IGMPv2 router or multilayer switch starts up it sends an IGMPv2 General Query to all hosts, with its interface IP address as the packet's source address. Each IGMPv2 device compares the queries it receives, and the router with the lowest interface IP address on the segment becomes the querier.

2) Maximum Response Time: this field in the query lets the querier set the longest time a host may wait before answering, which spreads the replies out and keeps them from arriving in a burst. On a subnet with a large number of multicast groups, more time may be needed to get all the replies through. A member does not have to wait for a query in order to join a group: it sends an unsolicited Report announcing the join, which removes the join latency for an end system when no other member of the group is present.

3) Group-Specific Query: lets the querier ask about one particular multicast group.

4) Leave Group message (sent to 224.0.0.2): gives hosts a way to tell the router or multilayer switch that they are leaving a multicast group.

When a host that belongs to group 224.1.1.1 wants to leave, it sends a Leave Group message to all routers on the segment (224.0.0.2), telling every router and multilayer switch that it is leaving the group. Because the querier's membership state may still hold other members of that group, on receiving the Leave it sends a Group-Specific Query for 224.1.1.1 to find out whether any member hosts remain. If another member of 224.1.1.1 receives the Group-Specific Query, it answers with an IGMPv2 Membership Report, telling the querier that members still exist, and the querier keeps group 224.1.1.1 active. If no reply arrives, the querier stops forwarding traffic for 224.1.1.1.

When two IGMP routers share the same Ethernet segment (broadcast domain), the one with the lowest IP address becomes the designated querier.


What is IGMPv3?

IGMPv3 adds the ability to filter multicast traffic by source.

Its main improvement is that a host can specify that, within a multicast group, it wants to receive traffic only from particular sources. This lets routing resources be used more efficiently.

In IGMPv3 a host joining a group immediately sends an IGMPv3 Report to 224.0.0.22. The Report carries an explicit request to join one or more sources in a source list. This source list is how IGMPv3 does source filtering: a system reporting for a particular multicast address can say that it wants traffic only from specific source addresses (INCLUDE mode) or from all sources except specific ones (EXCLUDE mode). The multicast routing protocol can use this information to avoid delivering packets from a given source to networks where no interested receiver exists.

IGMPv3 is backward compatible with earlier versions of IGMP. To remain interoperable with older IGMP systems, IGMPv3 multicast routers must also implement versions 1 and 2 of the protocol.
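As an added example (not code from the original post), here is a Python encoder and decoder for the IGMPv1, v2 and v3 messages covered in the three sections above, written from RFC 1112, RFC 2236 and RFC 3376. It builds and checksums the 8-byte v1/v2 messages and the v3 Report with its group records, classifies a query's version the way an IGMPv3 router is told to (by length and Max Resp Code), applies a v3 record's INCLUDE/EXCLUDE source filter, and picks the lowest-IP querier. All sample messages are constructed inline; nothing is sent on the wire.

```python
"""IGMPv1/v2/v3 message encoder and decoder (RFC 1112, RFC 2236, RFC 3376)."""
import ipaddress
import struct

TYPE_QUERY = 0x11       # Membership Query, all versions
TYPE_V1_REPORT = 0x12   # IGMPv1 Membership Report
TYPE_V2_REPORT = 0x16   # IGMPv2 Membership Report
TYPE_LEAVE = 0x17       # IGMPv2 Leave Group, sent to 224.0.0.2
TYPE_V3_REPORT = 0x22   # IGMPv3 Membership Report, sent to 224.0.0.22

# IGMPv3 group record types (RFC 3376 section 4.2.12)
MODE_IS_INCLUDE, MODE_IS_EXCLUDE, CHANGE_TO_INCLUDE, CHANGE_TO_EXCLUDE = 1, 2, 3, 4


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over the whole IGMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def seal(msg: bytes) -> bytes:
    """Fill in the checksum field (bytes 2-3) of a message built with zeros there."""
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def build_v1v2(msg_type: int, group: str = "0.0.0.0", max_resp_tenths: int = 0) -> bytes:
    """8-byte IGMPv1/v2 message: type, max response time (v2 only, in tenths
    of a second; v1 leaves the byte 0), checksum, group address. A query with
    group 0.0.0.0 is a General Query; any other group makes it Group-Specific."""
    if msg_type == TYPE_V1_REPORT and max_resp_tenths:
        raise ValueError("IGMPv1 messages have no Max Response Time field")
    return seal(struct.pack("!BBH4s", msg_type, max_resp_tenths, 0,
                            ipaddress.IPv4Address(group).packed))


def build_v3_report(records) -> bytes:
    """records: list of (record_type, group, [source, ...]) group records."""
    body = b""
    for rtype, group, sources in records:
        body += struct.pack("!BBH4s", rtype, 0, len(sources),
                            ipaddress.IPv4Address(group).packed)
        body += b"".join(ipaddress.IPv4Address(s).packed for s in sources)
    return seal(struct.pack("!BBHHH", TYPE_V3_REPORT, 0, 0, 0, len(records)) + body)


def v3_max_resp_tenths(code: int) -> int:
    """IGMPv3 Max Resp Code: plain tenths below 128, otherwise a 3-bit
    exponent / 4-bit mantissa floating-point form (RFC 3376 section 4.1.1)."""
    if code < 128:
        return code
    return ((code & 0x0F) | 0x10) << (((code >> 4) & 0x07) + 3)


def parse(data: bytes) -> dict:
    """Decode an IGMP message, verifying its checksum, and classify a query's
    version the way RFC 3376 section 7.1 tells a router to: an 8-byte query
    with Max Resp Code 0 is v1, 8 bytes with a non-zero code is v2, and 12
    bytes or more is v3."""
    if len(data) < 8:
        raise ValueError("short IGMP message")
    if checksum(data) != 0:
        raise ValueError("bad IGMP checksum")
    msg_type, code, _, group = struct.unpack("!BBH4s", data[:8])
    group = str(ipaddress.IPv4Address(group))
    if msg_type == TYPE_QUERY:
        version = 3 if len(data) >= 12 else (1 if code == 0 else 2)
        kind = "general-query" if group == "0.0.0.0" else "group-specific-query"
        tenths = v3_max_resp_tenths(code) if version == 3 else code
        return {"version": version, "kind": kind, "group": group, "max_resp_tenths": tenths}
    if msg_type in (TYPE_V1_REPORT, TYPE_V2_REPORT, TYPE_LEAVE):
        return {"version": 1 if msg_type == TYPE_V1_REPORT else 2,
                "kind": "leave" if msg_type == TYPE_LEAVE else "report", "group": group}
    if msg_type == TYPE_V3_REPORT:
        (count,) = struct.unpack("!H", data[6:8])
        records, off = [], 8
        for _ in range(count):
            rtype, aux_len, nsrc, grp = struct.unpack("!BBH4s", data[off:off + 8])
            off += 8
            srcs = [str(ipaddress.IPv4Address(data[off + 4 * i:off + 4 * i + 4]))
                    for i in range(nsrc)]
            off += 4 * nsrc + 4 * aux_len   # aux data length is in 32-bit words
            records.append({"type": rtype, "group": str(ipaddress.IPv4Address(grp)),
                            "sources": srcs})
        return {"version": 3, "kind": "report", "records": records}
    raise ValueError("unknown IGMP type 0x%02x" % msg_type)


def forward(record: dict, source: str) -> bool:
    """Apply the source filter a v3 group record expresses: INCLUDE mode accepts
    only the listed sources, EXCLUDE mode accepts every source except them."""
    listed = source in record["sources"]
    if record["type"] in (MODE_IS_INCLUDE, CHANGE_TO_INCLUDE):
        return listed
    if record["type"] in (MODE_IS_EXCLUDE, CHANGE_TO_EXCLUDE):
        return not listed
    raise ValueError("record type %d carries no filter mode" % record["type"])


def elect_querier(router_ips) -> str:
    """IGMPv2 querier election (RFC 2236 section 3): lowest interface IP wins."""
    return str(min(ipaddress.IPv4Address(ip) for ip in router_ips))


if __name__ == "__main__":
    # Constructed sample exchange: a v2 General Query, a Leave, and a v3 Report.
    print(parse(build_v1v2(TYPE_QUERY, max_resp_tenths=100)))
    print(parse(build_v1v2(TYPE_LEAVE, "224.1.1.1")))
    print(parse(build_v3_report([(MODE_IS_INCLUDE, "224.1.1.1", ["10.0.0.5"])])))
```

The checksum check in parse is the practitioner's caveat: a forged Leave or Report with a bad checksum must be dropped, and a Leave from any host on the segment is enough to make the querier start the Group-Specific Query cycle, which is why IGMP snooping on the switch, not the host's honesty, is what limits who can prune a group.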

OSPF DR/BDR vs IS-IS DIS

The two link-state siblings, OSPF and IS-IS, have many similarities and differences. Here I single out OSPF's Designated Router (DR) / Backup Designated Router (BDR) and IS-IS's Designated Intermediate System (DIS), the roles that each SPF-based protocol needs on a multi-access network, and set out how they differ, hopefully saving everyone the trouble of comparing them item by item. (See the attached figure.)

Jul 10, 2007

OSPF LSA Sequence Number(From 0x80000001 to 0x7FFFFFFF ?)

Many people who reach the BSCI chapter on OSPF LSA sequence numbers stop and wonder whether Cisco's courseware has yet another typo (the people responsible for editing and proofreading Cisco's material really should take a hard look at themselves; it is riddled with errors). This time it is correct. The OSPF LSA sequence number starts at 0x80000001 and ends at 0x7FFFFFFF. You may well wonder how the starting number can be larger than the ending one.

The reason is that the leading 8 of the starting value sets the sign bit: the sequence number is a signed 32-bit integer, so 0x80000001 means -0x7FFFFFFF (-2147483647), the smallest usable value, while 0x7FFFFFFF (2147483647) is the largest. (RFC 2328 reserves 0x80000000, the most negative value, and never uses it; when an LSA reaches 0x7FFFFFFF its originator must flush it before starting over at 0x80000001.) The explanation below shows why:

Back in the old days, playing games was a way to train and improve your computer skills. Why? Anyone who loved PC games ten-odd years ago will have used game-editing tools such as PCTOOLS or 整人專家 to turn in-game dreams into reality: every numeric limit and every hero attribute could be set to whatever value you liked.

Enough preamble; on to the subject. One byte can represent values from 0 (0000 0000) to 255 (1111 1111), so how do we represent negative numbers? A computer has only 0 and 1, with no extra symbol for plus or minus, so a workaround is used: the leftmost bit of the byte denotes the sign, 0 for positive and 1 for negative.

For example, 0111 1111 is 127 in decimal and 1111 1111 is -127, so a byte represents values from -127 to 127 (with 0000 0000 and 1000 0000 both standing for zero).

Everything so far is sign-magnitude representation, but computers actually store data in two's complement, because that lets the CPU add and subtract with a single adder. To explain two's complement we first need ones' complement, which is defined as follows: a positive number is unchanged from sign-magnitude, so 127 is still 0111 1111; for a negative number the first bit is 1 and the remaining bits are inverted (0 becomes 1 and 1 becomes 0), so -127, which is 1111 1111 in sign-magnitude, becomes 1000 0000 in ones' complement.

Two's complement works the same way: a positive number is unchanged, so 127 is still 0111 1111; for a negative number the first bit is 1 and the remaining bits are inverted and then incremented by 1, so -127 is first inverted to 1000 0000 and then becomes 1000 0001. The pattern 1000 0000 is special: it is used for -128, so two's complement represents -128 to 127.

Reference: 原码、反码和补码 (sign-magnitude, ones' complement and two's complement), http://blog.csdn.net/ncdawen/archive/2006/06/28/846672.aspx
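As an added example (my own code, not from the post or its reference), the Python below does what the text describes: it reads a 32-bit LSA sequence number as a signed integer, compares two sequence numbers the way OSPF does, refuses to wrap past MaxSequenceNumber, and encodes and decodes 8-bit values in sign-magnitude, ones' complement and two's complement, including the -128 edge case that only two's complement can represent. The constants are from RFC 2328 section 12.1.6.

```python
"""Signed interpretation of OSPF LSA sequence numbers, plus the three 8-bit
signed encodings (sign-magnitude, ones' complement, two's complement)."""

INITIAL_SEQ = 0x80000001   # InitialSequenceNumber (RFC 2328 section 12.1.6)
MAX_SEQ = 0x7FFFFFFF       # MaxSequenceNumber
RESERVED_SEQ = 0x80000000  # most negative value; reserved, never used


def to_signed32(word: int) -> int:
    """Read a 32-bit field as a two's-complement signed integer."""
    word &= 0xFFFFFFFF
    return word - (1 << 32) if word & 0x80000000 else word


def newer(seq_a: int, seq_b: int) -> bool:
    """Is sequence number a newer than b? OSPF compares them as signed
    integers, so 0x7FFFFFFF beats 0x80000001 although it is the smaller
    unsigned value."""
    return to_signed32(seq_a) > to_signed32(seq_b)


def next_seq(seq: int) -> int:
    """Sequence number for the next instance of an LSA. At MaxSequenceNumber
    the originator must first flush the LSA (age it to MaxAge) and only then
    restart at InitialSequenceNumber, so there is no silent wrap-around."""
    if seq == RESERVED_SEQ:
        raise ValueError("0x80000000 is reserved")
    if seq == MAX_SEQ:
        raise OverflowError("flush the LSA, then restart at 0x80000001")
    return seq + 1


def encode8(value: int, scheme: str) -> str:
    """Encode a signed integer into an 8-bit string under the given scheme."""
    if value >= 0:
        if value > 127:
            raise ValueError("out of range")
        return format(value, "08b")                 # identical in all three schemes
    if scheme == "sign-magnitude":                  # sign bit, then |value|
        if value < -127:
            raise ValueError("sign-magnitude cannot represent -128")
        return "1" + format(-value, "07b")
    if scheme == "ones":                            # invert every bit of |value|
        if value < -127:
            raise ValueError("ones' complement cannot represent -128")
        return format(~(-value) & 0xFF, "08b")
    if scheme == "twos":                            # ones' complement plus one
        if value < -128:
            raise ValueError("out of range")
        return format(value & 0xFF, "08b")
    raise ValueError("unknown scheme %r" % scheme)


def decode8(bits: str, scheme: str) -> int:
    """Inverse of encode8."""
    n = int(bits, 2)
    if n < 128:
        return n
    if scheme == "sign-magnitude":
        return -(n & 0x7F)
    if scheme == "ones":
        return -(~n & 0xFF)
    if scheme == "twos":
        return n - 256
    raise ValueError("unknown scheme %r" % scheme)


if __name__ == "__main__":
    print(hex(INITIAL_SEQ), "=", to_signed32(INITIAL_SEQ))
    for scheme in ("sign-magnitude", "ones", "twos"):
        print(scheme, encode8(127, scheme), encode8(-127, scheme))
```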

Cisco CCNP BSCI 3.0(OSPF LSDB Overload Protection)

The Cisco CCNP BSCI 3.0 courseware has a section (p. 3-108) on a newer OSPF feature (Cisco IOS 12.3(T) and later) that keeps a flood of LSAs not originated by the local router from exhausting its resources: the max-lsa command. I suggest reading this article alongside the courseware's explanation; the parameters should then be easier to follow, and the information on Cisco's website is more thorough than what the courseware gives.

The following is translated from Cisco's website:

Benefits of OSPF LSDB overload protection
OSPF LSDB overload protection gives OSPF a mechanism to limit the number of LSAs it did not originate itself. Another router in the network that is misconfigured can generate a very large number of LSAs, for example by redistributing (route redistribution) a huge number of prefixes. This protection keeps the router from accepting so many LSAs that it runs out of CPU and memory.

How OSPF LSDB overload protection works
When the feature is enabled, the router keeps count of the LSAs it receives (those it did not originate itself).
When the count reaches the configured threshold (a percentage of the maximum; 75% by default), an error message is logged.
When the count exceeds the configured maximum number of LSAs, the router sends a notification.
If the count stays above the maximum for more than one minute, the OSPF process tears down all adjacencies and clears its OSPF database. In this ignore state every OSPF packet received on any interface belonging to the process is ignored, and no interface sends OSPF packets.

The OSPF process stays in the ignore state for the time given after the ignore-time keyword of the max-lsa command (default 5 minutes).

Each time the OSPF process enters the ignore state, a counter (ignore-count) is incremented. If the counter exceeds the number given with the ignore-count keyword (default 5), the OSPF process stays in the ignore state permanently, and manual intervention is required to bring it out.

When the OSPF process has stayed in normal operation for the time given with the reset-time keyword, the ignore-state counter is reset to 0 (default 10 minutes).

If the warning-only keyword is given with max-lsa, the OSPF process only sends a warning that the maximum number of LSAs has been exceeded and does not tear down adjacencies.
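As an added example (my own code, not Cisco's implementation or anything from the courseware), the Python class below models the max-lsa state machine exactly as the text above describes it: the threshold log (75% default), the notification when the maximum is exceeded, the one-minute grace period before the ignore state, ignore-time, ignore-count with permanent ignore, reset-time and warning-only. Time is in seconds, the LSA counts fed to it are constructed, and the event names are labels I chose for the simulation.

```python
"""Model of the OSPF LSDB overload protection (max-lsa) state machine."""


class MaxLsaGuard:
    GRACE = 60  # seconds the count may stay above the maximum before ignore state

    def __init__(self, maximum, threshold_pct=75, warning_only=False,
                 ignore_time=300, ignore_count=5, reset_time=600):
        self.maximum = maximum
        self.threshold = maximum * threshold_pct // 100
        self.warning_only = warning_only
        self.ignore_time = ignore_time      # how long one ignore state lasts
        self.ignore_count = ignore_count    # ignores allowed before permanent ignore
        self.reset_time = reset_time        # normal time needed to zero the counter
        self.state = "normal"               # normal | ignore | permanent-ignore
        self.lsa_count = 0                  # non-self-originated LSAs held
        self.ignore_counter = 0
        self._over_since = None             # when the count first exceeded maximum
        self._ignore_since = None
        self._normal_since = 0

    def observe(self, received, now):
        """The router reports `received` non-self-originated LSAs at time `now`
        and gets back the list of events the feature would raise."""
        events = []
        if self.state == "permanent-ignore":
            return ["ignored"]              # only manual intervention clears this
        if self.state == "ignore":
            if now - self._ignore_since < self.ignore_time:
                return ["ignored"]          # all OSPF packets dropped meanwhile
            self.state = "normal"
            self._normal_since = now
            events.append("exit-ignore")
        if self.ignore_counter and now - self._normal_since >= self.reset_time:
            self.ignore_counter = 0
            events.append("reset-ignore-count")
        previous, self.lsa_count = self.lsa_count, received
        if previous < self.threshold <= received:
            events.append("threshold-log")  # error message logged at the threshold
        if received > self.maximum:
            if self._over_since is None:
                self._over_since = now
                events.append("max-exceeded-notification")
            elif not self.warning_only and now - self._over_since >= self.GRACE:
                self._enter_ignore(now, events)
        else:
            self._over_since = None
        return events

    def _enter_ignore(self, now, events):
        self.lsa_count = 0                  # adjacencies dropped, LSDB cleared
        self._over_since = None
        self._ignore_since = now
        self.ignore_counter += 1
        if self.ignore_counter > self.ignore_count:
            self.state = "permanent-ignore"
            events.append("permanent-ignore")
        else:
            self.state = "ignore"
            events.append("enter-ignore")


def run_scenario():
    """Constructed scenario: a neighbour keeps flooding 120 LSAs into a router
    configured for max-lsa 100 with ignore-count 2; returns the event trace."""
    guard = MaxLsaGuard(100, ignore_count=2)
    trace = []
    for count, t in [(80, 0), (120, 10), (120, 40), (120, 70), (120, 100),
                     (50, 370), (120, 380), (120, 440), (10, 740),
                     (120, 750), (120, 810), (0, 99999)]:
        trace.append((t, guard.observe(count, t)))
    return trace


if __name__ == "__main__":
    for t, events in run_scenario():
        print(t, events)
```

The point the model makes visible is the third flood: because the counter only resets after reset-time of continuous normal operation, a neighbour that re-floods as soon as each ignore-time expires drives the router into the permanent ignore state, which is the designed outcome, not a bug, and it is why the operator has to fix the misbehaving neighbour rather than just wait.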

Cisco CCNP BSCI 3.0(EIGRP Updates and Queries in Hub-and-Spoke Topology)

The Cisco CCNP BSCI 3.0 courseware (p. 2-84) has a scenario describing EIGRP Query and Update behaviour. Students seeing the figure (attached) for the first time are bound to be left dizzy, with no idea what the book is trying to convey, let alone why Stuck-In-Active (SIA) occurs. I went back to the older BSCI courseware and found that the new version had cut part of the content. In my opinion this really should be explained in full so that students are not left memorizing without understanding, so here I list every step and detail that the old version had and the new one dropped; I hope it brings an immediate improvement to your learning.



1. B == QUERY ==> C, D, E and A
2. C, D, E == REPLY (Next-Hop: A) ==> B
A == QUERY ==> C, D, E (C, D, E then remove the route 10.1.8.0/24 from their routing tables)
3. C, D, E == QUERY ==> B
(B is still waiting for A's reply)
(A is still waiting for the replies from C, D, E)
(C, D, E are still waiting for B's reply)
=> Deadlock ...
4. B - A => Stuck-In-Active (SIA) (more than 3 minutes without a reply from A)
5. B -X- A (neighbor relationship torn down)
B == REPLY (Next-Hop: NULL) ==> C, D, E
C, D, E == REPLY (Next-Hop: NULL) ==> A
6. A - B (neighbor relationship re-established)
A removes 10.1.8.0/24 from its routing table