Oct 27, 2007

IS-IS LSP (Link-State Packets) Header

Appendix A. IS-IS Packet Formats

IS-IS Packet Fields (Alphabetical Order)

  • ATT— Attachment Bits (Flags attachment to other areas)
  • Checksum— Checksum of contents of LSP from source ID field to the end
  • Circuit Type— Defines whether link is Level-1 and Level-2
  • End LSP— LSP ID of last LSP in CSNP
  • Holding Time— Defines how long to wait for a hello from this system before clearing the adjacency
  • ID Length— Length of the System ID field in an NSAP (NET)
  • Intradomain Routing Protocol Discriminator— Network layer protocol identifier
  • IS Type— Defines type of router, Level-1 or Level-2
  • LAN ID— LAN identifier, consisting of the System ID of the designated intermediate system plus a unique number
  • Length Indicator— Length of the fixed header of the packet in bytes
  • Local Circuit ID— Unique identifier for a link
  • LSP ID— Identifier for router's LSP, consisting of the System ID of the router, fragment number, and a nonzero octet for pseudonode number in case of pseudonode LSP
  • Maximum Area Addresses— Number of areas permitted
  • OL— LSP overload bit (also represented as LSPDBOL)
  • P— Partition repair bit
  • PDU Length— Length of packet (PDU) in bytes
  • PDU Type— Type of packet
  • Priority— Priority for node for DIS arbitration
  • R— See Reserved
  • Remaining Lifetime— Remaining time for an LSP to expire
  • Reserved— Unspecified fields, transmitted as 0s and ignored on receipt
  • Sequence Number— Sequence number of LSP
  • Source ID— Same as system identifier (SysID)
  • TLV Fields— Type (or code), Length and Value fields, also known as variable-length fields
  • Version/Protocol ID Extension— Of the IS-IS protocol (defined as 1)



Cisco Segmented Generalized Multiprotocol Label Switching (GMPLS)

A primary component of the Cisco Systems® IP over Dense Wavelength-Division Multiplexing (IPoDWDM) solution for the IP Next-Generation Network (IP NGN) is the simplification of end-to-end control between IP and DWDM networks. To alleviate high operational expenses (OpEx), increase speed for carrier service activations, and eliminate cumbersome and disparate manual provisioning methods at the transport layer, Cisco® has introduced a new cost-effective and efficient solution based on Generalized Multiprotocol Label Switching (GMPLS). This solution enables both optical and IP devices to dynamically find, identify, and provision optimal paths based on user traffic requirements. Called the Segmentation model of GMPLS (S-GMPLS), this new GMPLS model is a hybrid of current approaches that overcomes several daunting obstacles by allowing both IP and optical networks to maintain their existing segmented administration environments. S-GMPLS allows providers to keep the topology of the IP routing domain isolated from the topology of the optical domains, providing a new way to deploy and realize the benefits of GMPLS while respecting these different organizational boundaries or domains.
This paper presents details of S-GMPLS, an innovative technology from Cisco Systems developed for service providers in their optical networks that utilizes the power of IP/GMPLS control protocols for autoconfiguration of optical wavelengths and separates IP routing and optical network domains to respect those diverse organizational boundaries.
SUMMARY
GMPLS is a proposed IETF standard designed to simplify the creation and management of IP/MPLS services over optical networks. The standard would create a single control plane that extends from IP at Layer 3 right down to the optical transport level at Layer 1.
Since service providers first began transporting IP traffic, an extremely complex, multilayered overlay architecture has evolved to do the job of carrying IP traffic over networks that were originally designed to support voice and fixed circuits technology. Yet today, with the rapid growth of IP traffic promoted by the rapid increase in broadband access, new applications, and new services, these complex overlay networks cannot support rapid service provisioning, dynamic bandwidth management, and flexible service creation to meet user demand.
GMPLS was developed as a unified control plane that extends intelligent IP/MPLS connections from Layer 2 and Layer 3 all the way to Layer 1 optical devices. Unlike MPLS, which is supported mainly by routers and switches, GMPLS can also be supported by optical platforms, including SONET/SDH, optical cross-connects (OXCs), and DWDM. GMPLS therefore allows an entire network infrastructure, from access networks to core networks, to use a common control plane. Establishing a path to enable optical elements within the transport network to become peers of the routers in the IP network and being able to autoprovision wavelengths driven by the IP control plane can translate to significant savings in operational costs because the networks can cooperatively handle fault correlation in real time. Additionally, service provisioning can also be greatly accelerated.
Until recently there were two basic methods proposed for deploying GMPLS: the peer model and the overlay model, both discussed later in this paper. Both have shortcomings that have impeded adoption of GMPLS by service providers.
Now service providers have a better alternative, Cisco S-GMPLS.
S-GMPLS internetworks with the Automatically Switched Optical Network (ASON) architecture (G.8080) developed by the ITU. ASON, shown in one of many possible implementations of global optical connection control in Figure 1, is a dynamic signaling-based, policy-driven control solution over optical and SONET networks through a distributed or partially distributed control plane that provides autodiscovery and dynamic connection setup.
Figure 1. ASON Architecture for Global Optical Connection Control
Source: ITU pamphlet.
ASON enables improved support for end-to-end provisioning, rerouting, and restoration; new transport services, including bandwidth on demand; rapid service restoration for disaster recovery; switched connections in a private network; and support for a wide range of narrowband and broadband signaling types. The user network interface (UNI) is responsible for signaling operations between end-user and service provider administrative domains. The external network-to-network interface (E-NNI) provides multicontrol domain operations for a single service provider and multicontrol domain operations between different service providers. The visibility of the inner structure of the administrative domain is controlled by the policy of the service provider. The internal network-to-network interface (I-NNI) provides intracontrol domain operation. Finally, the OXC system is an electrical or photonic matrix for switching wavelengths.
Cisco S-GMPLS is an excellent solution for the I-NNI and E-NNI portions of the ASON architecture.
CHALLENGE
GMPLS Operation and Deployment Challenges
GMPLS extends MPLS functionality with the enhancement of forwarding, traffic engineering, and quality-of-service (QoS) capabilities of packet-based networks by creating virtual label-switched paths (LSPs) across a network of label switching routers (LSRs) to optical network devices utilizing time-division multiplexing (TDM), fiber switching, and lambda switching. In a GMPLS network it is therefore possible to find and provision end-to-end paths that traverse different networks. For example, a packet/cell-based LSP can be nested in a TDM-based LSP for transport over a SONET network. The TDM-based LSP can similarly be nested in a lambda-based LSP for transport over a wavelength network. Multiple lambda switch-capable LSPs can be nested within a fiber switch-capable LSP set up between two fiber switching elements. This forwarding hierarchy of nested LSPs allows service providers to transparently send different types of traffic over various types of network segments.
GMPLS introduces Link Management Protocol (LMP) to manage and maintain the health of the control and data planes between two neighboring nodes. LMP is an IP-based protocol that includes extensions to the Resource Reservation Protocol Traffic Engineering (RSVP-TE) and Constraint-Based Label Distribution Protocol (CR-LDP) signaling protocols.
GMPLS provides the ability to automate many of the network functions that are directly related to operational complexities, including:
• End-to-end provisioning of services
• Network resource discovery
• Bandwidth assignment
• Service creation

Traffic engineering parameters relating to SONET protection support, available bandwidth, route diversity, and QoS are distributed throughout the network. This allows every node in the network to have full visibility and configuration status of every other node. This ultimately provides an intelligent optical network.
As service providers introduce new network elements into their networks, add or remove facilities, or turn up new circuits, the control plane will automatically distribute and update the network with the new information. Contrast this with the operationally intensive manual upgrades and updates performed today. Provisioning of connections often requires a substantial amount of coordination among operations staff located throughout the network. Capacity is assessed, optimal connection and restoration paths are determined, and the connection must be fully tested after it is established.
In contrast with operationally intensive manual upgrades and updates, GMPLS uses advanced routing features, including the Open Shortest Path First (OSPF) protocol and Intermediate System-to-Intermediate System (IS-IS) protocol and signaling protocols such as RSVP and CR-LDP to build intelligence into the network. The network can then effectively self-discover to dynamically advertise the availability or lack of availability of resources. With such capabilities, multihop connections with optical routes and backup paths can be established in a single provisioning step.
GMPLS Peer Model Deployment
In the peer model instance of GMPLS, an NNI allows the IP/MPLS layer to operate as a full peer of the optical transmission layer, as noted in Figure 2. Specifically, the IP routers are able to determine the entire path of the connection, including passing through the optical cross connects and SONET/SDH optical devices.
Figure 2. Peer GMPLS Topology
• Routers and optical transport network (OTN) nodes in same network act as peers
• Single instance of a control plane for addressing, routing, signaling, etc.
• More efficient interaction between IP and optical nodes for faster provisioning and optimal path selection
• Applicable to single administrative domain
One of the major challenges for the full peer model deployment can be the lack of separation of administrative organizational boundaries between the routed and optical domains. All of the network elements have to be in a single administrative domain. This can be a problem if there are separate administrative groups (transport and data) within a service provider's domain or where multiple service providers are involved. Where optical transport and ISP networks are operated by the same entity, no such separation is required, and the peer model may be suitable.
Another potential challenge with the GMPLS peer model is that it results in the exposure of control and topology information on the transport network between the transport and data groups or between the service provider and customers. This can create both security and operational risks. Today two different organizations are responsible for optical and IP networks in many service provider organizational structures, each with longstanding practices, procedures, and infrastructures. The full peer model assumes the abrupt convergence of technologies and administrative control, an often unsettling organizational challenge.
The full peer model also requires that all of the transport nodes be able to run the full GMPLS protocol suite to interoperate. This would be a significant burden on some of the existing transport equipment, which was designed with manual provisioning in mind. Also, any upgrade would require the entire network or significant part to be down and unavailable as every device is upgraded, another challenge that is not easily manageable in service provider environments.
GMPLS Overlay Deployment Model
In the overlay model of GMPLS, also called a user-to-network interface (UNI), the router is a client to the optical domain and interacts only with the optical node that is directly adjacent to it (Figure 3). The physical light path is decided by the optical network and not by the router.
Figure 3. Overlay GMPLS Topology
• Two Administrative Domains
• Optical Service Provider
• Internet Service Provider
• No Exchange of Routing and Topology Information between Optical and IP Networks
• Routers do not see optical transport topology and vice-versa

The goal for the overlay model is to define a signaling message to provision a circuit from a point of presence (POP) in one IP network to an optical network endpoint or through an optical network to another POP in an IP network. On the UNI no routing protocol is running; it is just a signaling interface.
SOLUTION
To overcome the limitations of GMPLS overlay and peer models, Cisco has developed S-GMPLS, which combines the best of both topologies. In the S-GMPLS model, only border routers receive information from the optical devices and from other routers (Figure 4). The border routers in the four corners between the optical network (dotted lines) and the IP network (solid lines) maintain both routing and optical topology information. Routers in the IP cloud only maintain topology information for their region, and optical devices only maintain optical topologies within the optical network segment.
Figure 4. S-GMPLS Topology
• Border routers receive routing information from the optical devices as well as from routers
• Border routers keep the optical and router domain topology information in separate routing tables
• No routing information from the router region is carried into the optical region
The border routers use secure domain logical router instances to shield and segment the topology information between the IP domain and the optical domain. They act as gatekeepers between the two and enable a segmented administrative boundary that helps ensure management separation between the two networks, while still unifying the control plane aspects of the two networks. S-GMPLS is now available in Cisco IOS® XR Software on Cisco platforms, including the Cisco Carrier Routing System 1 (CRS-1), and the Cisco XR 12000 Series Routers, allowing optical and IP network administrators to each manage their own end devices as the networks gain a single intelligent IP and optical control plane. The border router has separate instances for IP and optical topologies but does not leak information to either side. Instead, the border router handles routing and signaling for a region, moving traffic back and forth across the border of the networks in a manner similar to how service providers peer in IP networks today. The border router keeps the optical and routing domain topology information in a separate topology database through the use of secure domain routing instances on the border routers. Administrative control of the secure domain routing instances can be provided through both in-band and out-of-band management.
S-GMPLS uses the strengths of the peer model while respecting the separateness of IP and optical administrative domains. Service providers have the choice of supporting either integrated or separated operations groups depending on organizational needs. S-GMPLS brings the benefits of MPLS for efficient use of resources and consistent path selection in a heterogeneous network of routers and optical devices. It also simplifies fault handling. To make the transition to GMPLS smoother and easier for service providers, S-GMPLS allows for incremental deployment of optical regions with little or no reconfiguration of the router region required, making GMPLS more deployable within service provider networks and allowing control of capital expenditures.
A comparison of the three GMPLS models in Figure 5 shows how Cisco S-GMPLS borrows the best features of the other models while engineering around one of the primary problems that has slowed GMPLS adoption.
Figure 5. Comparison of GMPLS Models
An important element of the Cisco IPoDWDM solution is reconfigurable optical add/drop multiplexers (ROADMs), which integrate photonic switching into optical multiplexers. ROADM can provide automated patching capabilities alongside S-GMPLS, which will provide automated provisioning capabilities from an end-to-end perspective across both IP routing and optical platforms.
Standards Framework Applicability
Table 1 shows the protocol perspectives of the ASON framework. Today there are two applicable standards for UNI: Optical Internetworking Forum UNI (OIF-UNI) and GMPLS-UNI. In the context of S-GMPLS, when considering client layers with intra-service provider and inter-service provider networks, GMPLS-UNI is a preferred choice for UNI because the protocols are drawn from one standards organization, the IETF. Use of OIF-UNI introduces compatibility issues to interoperate with S-GMPLS because the original RSVP-TE signaling protocol in Overlay UNI (O-UNI) is modified and departs from the IETF RSVP-TE RFC.
Table 1. Comparison of GMPLS Models

ASON Framework           | Signaling | Routing | Service
-------------------------+-----------+---------+-----------------------------------------------------------------
OIF-UNI                  | O-UNI     | No      | Inter service provider (wholesale), service provider to customer
Peer                     | RSVP-TE   | OSPF-TE | Intra service provider
S-GMPLS                  | RSVP-TE   | OSPF-TE | Intra service provider, inter service provider
IETF Overlay (GMPLS-UNI) | RSVP-TE   | No      | Service provider to customer
CONCLUSION
The deployment of Cisco S-GMPLS will alleviate many of the challenges currently faced with integrated IP and optical network services by making GMPLS more deployable. It brings the opportunity for new service provider revenue with new service offerings such as Gigabit Ethernet, networked storage, video streaming, and VPNs across both network types that can be rapidly provisioned in a more flexible manner while reducing the operational complexity for the service provider. Instead of investing in multiple new networks with differing control architectures that are complex to interoperate and manage and have questionable long-term operational benefits, service providers can now deploy a new generation architecture, S-GMPLS, that is simple, efficient, and automated.
Cisco and NTT Com recently announced that they have successfully demonstrated on-demand network settings and automatic fault recovery between Tokyo and Osaka by utilizing S-GMPLS technology, available on Cisco XR 12000 Series Routers. In the experiment, NTT deployed the S-GMPLS control plane on Cisco XR 12000 Series Routers over a wide-area SDH optical network to demonstrate autonomous network settings. The testing succeeded in running conventional fixed redundant switchover functions and autonomous rerouting functions using S-GMPLS.

Multicast VPNs (MVPN)

Multicast VPNs (mVPNs) provide a scalable architecture to enable multicast in an RFC 2547 Layer 3 Multiprotocol Label Switching (MPLS) VPN environment.
Originally derived from tag switching, MPLS uses labels to combine the intelligence of routing with the high performance of switching. MPLS VPNs are a natural extension of MPLS and are often used by service providers to offer VPN services over a shared infrastructure. MPLS VPNs operate based on label stacks.
Despite the advantage of label stacking and the ability to decouple routing from forwarding for unicast traffic, MPLS VPNs did not address how to handle multicast traffic. As a result, the only available solution for delivery of IP multicast video, voice, and data over a deployed Layer 3 MPLS VPN was to statically configure point-to-point GRE tunnels between Customer Edge (CE) routers. As the number of CE routers increased, the number of point-to-point GRE tunnels required to maintain a full mesh of CEs quickly became unmanageable. A more scalable solution was required.
Cisco IOS Multicast VPNs address the inherent scalability issues of using fully meshed point-to-point GRE tunnels by introducing the concept of Multicast Tunnel Interfaces (MTIs) and Multicast Distribution Trees (MDTs).
MTIs use GRE encapsulation; however, they fundamentally differ from traditional point-to-point GRE tunnels in that they use multicast, rather than unicast, destination addresses. The multicast destination address used by an MTI is what allows a Provider Edge (PE) router to map Customer multicast traffic (C-packets) to Provider multicast traffic (P-packets).

Figure 21. Example of MTI Encapsulation


MVPN uses two types of MDTs in the MPLS core. Each serves a different purpose:
• Default-Multicast Distribution Tree (MDT): permanent (nailed-up) tree used for maintaining PIM adjacencies between PE routers and carrying low-rate multicast traffic.

• Data-MDT: dynamic tree used for high-rate multicast traffic; unlike the Default-MDT, this tree is built only as needed between the source PE and PEs with interested receivers.

Figure 22. Example of Default-MDT



Figure 23. Example of Data-MDT

Layer 2 VPN Architectures: Understanding Any Transport over MPLS

...(omitted)

Understanding AToM Operations

In Chapter 3, you learned how AToM achieves a high degree of scalability by using the MPLS encoding method. You also read an overview of LDP in the previous section. Reading through this section, you will develop a further understanding of how MPLS encapsulation, LDP signaling, and pseudowire emulation work together.

The primary tasks of AToM include establishing pseudowires between provider edge (PE) routers and carrying Layer 2 packets over these pseudowires. The next sections cover the operations of AToM from the perspectives of both the control plane and the data plane as follows:

  • Pseudowire label binding
  • Establishing AToM pseudowires
  • Control word negotiation
  • Using sequence numbers
  • Pseudowire encapsulation

Pseudowire Label Binding
An AToM pseudowire essentially consists of two unidirectional LSPs. Each is represented by a pseudowire label, also known as a VC label. The pseudowire label is part of the label stack encoding that encapsulates Layer 2 packets going over AToM pseudowires. Refer to Chapter 3 for an overview of an AToM packet.

The label distribution procedures that are defined in LDP specifications distribute and manage the pseudowire labels. To associate a pseudowire label with a particular Layer 2 connection, you need a way to represent such a Layer 2 connection. The baseline LDP specification only defines Layer 3 FECs. Therefore, the pseudowire emulation over MPLS application defines a new LDP extension—the Pseudowire ID FEC element—that contains a pseudowire identifier shared by the pseudowire endpoints. Figure 6-8 depicts the Pseudowire ID FEC element encoding.


Figure 6-8 Pseudowire ID FEC Element

The Pseudowire ID FEC element has the following components:

  • Pseudowire ID FEC—The first octet has a value of 128 that identifies it as a Pseudowire ID FEC element.
  • Control Word Bit (C-Bit)—The C-bit indicates whether the advertising PE expects the control word to be present for pseudowire packets. A control word is an optional 4-byte field located between the MPLS label stack and the Layer 2 payload in the pseudowire packet. The control word carries generic and Layer 2 payload-specific information. If the C-bit is set to 1, the advertising PE expects the control word to be present in every pseudowire packet on the pseudowire that is being signaled. If the C-bit is set to 0, no control word is expected to be present.
  • Pseudowire Type—PW Type is a 15-bit field that represents the type of pseudowire. Examples of pseudowire types are shown in Table 6-1.
  • Pseudowire Information Length—Pseudowire Information Length is the length of the Pseudowire ID field and the interface parameters in octets. When the length is set to 0, this FEC element stands for all pseudowires using the specified Group ID. The Pseudowire ID and Interface Parameters fields are not present.
  • Group ID—The Group ID field is a 32-bit arbitrary value that is assigned to a group of pseudowires.
  • Pseudowire ID—The Pseudowire ID, also known as VC ID, is a non-zero, 32-bit identifier that distinguishes one pseudowire from another. To connect two attachment circuits through a pseudowire, you need to associate each one with the same Pseudowire ID.
  • Interface Parameters—The variable-length Interface Parameters field provides attachment circuit-specific information, such as interface MTU, maximum number of concatenated ATM cells, interface description, and so on. Each interface parameter uses a generic TLV encoding, as shown in Figure 6-9.

Table 6-1 Pseudowire Types

Pseudowire Type | Description
----------------+------------------------------------------------------------------------
0x0001          | Frame Relay data-link connection identifier (DLCI)
0x0002          | ATM AAL5 service data unit (SDU) virtual channel connection (VCC)
0x0003          | ATM Transparent Cell
0x0004          | Ethernet VLAN
0x0005          | Ethernet
0x0006          | High-Level Data Link Control (HDLC)
0x0007          | PPP


Figure 6-9 Interface Parameter Encoding

Even though LDP allows multiple FEC elements encoded into an FEC TLV, only one FEC element—the Pseudowire ID FEC element—exists in each FEC TLV for the pseudowire emulation over MPLS application.
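An encoder and a length-checking decoder for the Pseudowire ID FEC element described above, written as an added example (not code from the book). The field layout follows the text: type octet 128, C-bit followed by the 15-bit PW Type, 8-bit Pseudowire Information Length, 32-bit Group ID, 32-bit Pseudowire ID, then interface-parameter TLVs; the 1-octet ID/1-octet length TLV shape and the interface MTU parameter ID of 0x01 are assumptions for illustration.

```python
import struct

PWID_FEC_TYPE = 128        # first octet of a Pseudowire ID FEC element
PW_TYPE_ETH_VLAN = 0x0004  # from Table 6-1
PW_TYPE_ETHERNET = 0x0005  # from Table 6-1
IFP_MTU = 0x01             # interface MTU parameter ID: an assumption for illustration


def encode_interface_params(params):
    """Interface parameters as generic TLVs: 1-octet ID, 1-octet length that
    covers the whole TLV, then the value (TLV shape assumed for this example)."""
    out = bytearray()
    for pid, value in params:
        if len(value) + 2 > 255:
            raise ValueError("interface parameter too long for a 1-octet length")
        out += bytes([pid, len(value) + 2]) + value
    return bytes(out)


def encode_pwid_fec(pw_type, pw_id, group_id=0, control_word=False, params=()):
    """Build one Pseudowire ID FEC element for a single pseudowire."""
    if not 0 < pw_id < 2 ** 32:
        raise ValueError("Pseudowire ID (VC ID) must be a non-zero 32-bit value")
    if not 0 <= pw_type < 2 ** 15:
        raise ValueError("PW Type is a 15-bit field")
    ifp = encode_interface_params(params)
    info_len = 4 + len(ifp)            # Pseudowire ID field plus interface parameters
    if info_len > 255:
        raise ValueError("Pseudowire Information Length overflow")
    c_and_type = (int(control_word) << 15) | pw_type   # C-bit in front of PW Type
    header = struct.pack("!BHBII", PWID_FEC_TYPE, c_and_type, info_len, group_id, pw_id)
    return header + ifp


def encode_group_wildcard(pw_type, group_id, control_word=False):
    """Length 0 means 'all pseudowires with this Group ID'; no PW ID, no parameters."""
    return struct.pack("!BHBI", PWID_FEC_TYPE, (int(control_word) << 15) | pw_type, 0, group_id)


def decode_pwid_fec(data):
    """Parse one element from the start of `data`; return (fields, octets consumed).
    Every length is checked against the buffer before it is trusted."""
    if len(data) < 8:
        raise ValueError("truncated Pseudowire ID FEC element")
    ftype, c_and_type, info_len, group_id = struct.unpack("!BHBI", data[:8])
    if ftype != PWID_FEC_TYPE:
        raise ValueError("not a Pseudowire ID FEC element: type %d" % ftype)
    fec = {"control_word": bool(c_and_type >> 15), "pw_type": c_and_type & 0x7FFF,
           "group_id": group_id, "wildcard": info_len == 0, "pw_id": None, "params": []}
    if info_len == 0:
        return fec, 8
    end = 8 + info_len
    if info_len < 4 or len(data) < end:
        raise ValueError("Pseudowire Information Length exceeds buffer")
    pw_id = struct.unpack("!I", data[8:12])[0]
    if pw_id == 0:
        raise ValueError("Pseudowire ID must be non-zero")
    fec["pw_id"] = pw_id
    off = 12
    while off < end:                   # walk the interface parameter TLVs
        if end - off < 2:
            raise ValueError("dangling bytes after last interface parameter")
        pid, plen = data[off], data[off + 1]
        if plen < 2 or off + plen > end:
            raise ValueError("interface parameter length %d is invalid" % plen)
        fec["params"].append((pid, bytes(data[off + 2:off + plen])))
        off += plen
    return fec, end
```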


...(omitted)

QoS DESIGN FOR MPLS VPN SERVICE PROVIDERS

...(omitted)

RFC 3270 presents three modes of MPLS/DiffServ marking for service providers:

1) Uniform Mode: SP can remark customer DSCP values

...(omitted)

Understanding Selective Packet Discard (SPD)

...(omitted)

SPD State Check
The IP process queue on the RP is divided into two parts: a general packet queue and a priority queue. Packets put in the general packet queue are subject to the SPD state check, and those that are put in the priority queue are not. Packets that qualify for the priority packet queue are high priority packets such as those of IP precedence 6 or 7 and should never be dropped. The non-qualifiers, however, can be dropped here depending on the length of the general packet queue, which determines the SPD state. The general packet queue can be in three states and, as such, the low priority packets may be serviced differently:

  • NORMAL: queue size <= min
  • RANDOM DROP: min <= queue size <= max
  • FULL DROP: max <= queue size

In the NORMAL state, we never drop well-formed and malformed packets.

In the RANDOM DROP state, we randomly drop well-formed packets. If aggressive mode is configured, we drop all malformed packets; otherwise, we treat them as well-formed packets.

In FULL DROP state, we drop all well-formed and malformed packets. These minimum (default 73) and maximum (default 74) values are derived from the smallest hold-queue on the chassis, but can be overridden with the global commands ip spd queue min-threshold and ip spd queue max-threshold.
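A simulation of the SPD state check described above, added as an example (it is not Cisco code). The thresholds default to the values in the text (min 73, max 74); the text's state boundaries meet at equality, so the simulation tests NORMAL first. The 50% random-drop probability and the constructed burst are assumptions.

```python
import random
from dataclasses import dataclass

NORMAL, RANDOM_DROP, FULL_DROP = "NORMAL", "RANDOM DROP", "FULL DROP"


@dataclass
class Packet:
    precedence: int           # IP precedence 0-7 from the ToS byte
    well_formed: bool = True  # False models a malformed packet


def spd_state(queue_len, min_thr=73, max_thr=74):
    """Map the general-queue depth to an SPD state (NORMAL checked first)."""
    if queue_len <= min_thr:
        return NORMAL
    if queue_len <= max_thr:
        return RANDOM_DROP
    return FULL_DROP


class RpInputQueues:
    """The RP's IP process queue: a general queue subject to SPD and a priority
    queue (IP precedence 6 and 7) that bypasses the state check entirely."""

    def __init__(self, min_thr=73, max_thr=74, aggressive=False, seed=1):
        self.min_thr, self.max_thr, self.aggressive = min_thr, max_thr, aggressive
        self.rng = random.Random(seed)          # seeded so runs are reproducible
        self.general, self.priority = [], []
        self.drops = {"random": 0, "full": 0, "malformed": 0}

    def enqueue(self, pkt):
        """Return True if the packet is queued, False if SPD dropped it."""
        if pkt.precedence >= 6:                 # routing-protocol traffic: never dropped
            self.priority.append(pkt)
            return True
        state = spd_state(len(self.general), self.min_thr, self.max_thr)
        if state == NORMAL:
            self.general.append(pkt)
            return True
        if state == FULL_DROP:
            self.drops["full"] += 1
            return False
        # RANDOM DROP: aggressive mode discards every malformed packet outright;
        # otherwise malformed packets take the same random-drop chance as well-formed ones
        if not pkt.well_formed and self.aggressive:
            self.drops["malformed"] += 1
            return False
        if self.rng.random() < 0.5:             # drop probability is an assumption
            self.drops["random"] += 1
            return False
        self.general.append(pkt)
        return True

    def dequeue(self, count):
        """Process up to `count` packets, serving the priority queue first."""
        served = 0
        while served < count and (self.priority or self.general):
            (self.priority or self.general).pop(0)
            served += 1
        return served


def flood_rp(packets, aggressive=False, min_thr=73, max_thr=74):
    """Offer a burst to the RP with no servicing in between and report how
    many packets of each kind made it into a queue, plus the drop counters."""
    q = RpInputQueues(min_thr, max_thr, aggressive)
    accepted = {"priority": 0, "general": 0}
    for pkt in packets:
        if q.enqueue(pkt):
            accepted["priority" if pkt.precedence >= 6 else "general"] += 1
    return accepted, q.drops


if __name__ == "__main__":
    # constructed burst: 200 low-priority packets, every third one malformed, then 5 precedence-6 packets
    burst = [Packet(0, well_formed=(i % 3 != 0)) for i in range(200)] + [Packet(6)] * 5
    for mode in (False, True):
        print("aggressive" if mode else "non-aggressive", *flood_rp(burst, aggressive=mode))
```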

...(omitted)

QoS DESIGN FOR MPLS VPN SERVICE PROVIDERS

...(omitted)

3) Short Pipe Mode (shown below):

SP does not remark customer DSCP values (SP uses independent MPLS EXP markings); final PE-to-CE policies are based on customer’s markings

...(omitted)

Layer Two Tunneling Protocol - Version 3 (L2TPv3)

...(omitted)

4.1.1. L2TPv3 over IP

L2TPv3 over IP (both versions) utilizes the IANA-assigned IP protocol ID 115.

...(omitted)

AToM traffic encapsulation (Control Word)

Layer 2 Circuit Concept

The Layer 2 circuit framework requires LDP to be used as the signaling protocol for advertising ingress labels. In most cases, it is not necessary to transport the Layer 2 encapsulation across the network; rather, the Layer 2 header can be stripped at one PE router, and reproduced at the egress PE router. Such Layer 2 information is carried in a special Layer 2 circuit header called a control word.

In the Layer 2 circuit IETF drafts, the control word is optional for most Layer 2 protocols, except Frame Relay and ATM AAL5 where it is required. However, in JUNOS Release 5.6 and later, a control word for all forms of Layer 2 circuits is sent by default. If you are establishing a Layer 2 circuit between a router running JUNOS Release 5.5 or earlier and a router running JUNOS Release 5.6 or later, use of the control word is negotiated automatically.

The Layer 2 protocols that are supported for Layer 2 circuits are:

  • ATM cell-relay mode and ATM Adaptation Layer 5 (AAL5) mode on ATM2 Intelligent Queuing (IQ) interfaces
  • Cisco High-Level Data Link Control (HDLC), Frame Relay, and PPP on SONET/SDH-based interfaces
  • Ethernet, VLAN, and Extended VLAN on Ethernet-based interfaces

For an Ethernet 802.1q VLAN or simple Ethernet, the entire Ethernet frame without the preamble or frame check sequence (FCS) is transported. For ATM cell-relay mode, ATM cells are transported without a SAR process. For Cisco HDLC, the frame is transported in its entirety except for HDLC flags and the FCS. For PPP, the frame is transported in its entirety except for any media-specific framing information.

For most protocols, a null control word consisting of all zeroes is sent between Layer 2 circuit neighbors. However, individual bits are available in a control word that can carry Layer 2 protocol control information. The control information is mapped into the control word, which allows the header of a Layer 2 protocol to be stripped from the frame. The remaining data and control word can be sent over the Layer 2 circuit, and the frame can be reassembled with the proper control information at the egress point of the circuit.

The Layer 2 protocols that map Layer 2 control information into special bit fields in the control word are as follows:

  • Frame Relay—This control word supports the transport of discard eligible (DE), forward explicit congestion notification (FECN), and backward explicit congestion notification (BECN) information. (For configuration information, see Option: Map Layer 2 Protocol Control Information into a Layer 2 Circuit.)
  • ATM AAL5 mode—This control word supports the transport of sequence number processing, ATM cell loss priority (CLP), and explicit forward congestion indication (EFCI) information. When you configure an AAL5 mode Layer 2 circuit, the control information is carried by default and no additional configuration is needed.
  • ATM cell-relay mode—This control word supports sequence number processing only. When you configure a cell-relay mode Layer 2 circuit, the sequence number information is carried by default and no additional configuration is needed.

MPLS TE Tunnel

...(omitted)

After having established the TE tunnel, the next step in deploying MPLS-TE is to direct traffic down the TE tunnel. Directing traffic down a TE tunnel can be done by one of the following four methods:

  • Autoroute—The TE tunnel is treated as a directly connected link to the tail; no IGP adjacency is run over the tunnel. Unlike an ATM/FR VC, autoroute is limited to a single area/level only.
  • Forwarding adjacency—With autoroute, the LSP is not advertised into the IGP, and this is the correct behavior if you are adding TE to an IP network. However, it might not be appropriate if you are migrating from ATM/FR to TE. Sometimes advertising the LSP into the IGP as a link is necessary to preserve the routing outside the ATM/FR cloud.
  • Static routes
  • Policy routing

...(omitted)

MPLS Label Stacking

REMOTELY TRIGGERED BLACK HOLE FILTERING—DESTINATION BASED AND SOURCE BASED

Destination-Based Remotely Triggered Black Hole Filtering

With a denial-of-service (DoS) attack, in addition to service degradation of the target, there is possible collateral damage such as bandwidth consumption, processor utilization, and potential service loss elsewhere in the network. One method to mitigate the damaging effects of such an attack is to black hole (drop) traffic destined to the IP address or addresses being attacked and to filter the infected host traffic at the edge of the network closest to the source of the attack.

The challenge is to find a way to quickly drop the offending traffic at the network edge, document and track the black holed destination addresses,
and promptly return these addresses to service once the threat disappears.

Destination-based IP black hole filtering with remote triggering allows a network-wide destination-based black hole to be propagated by adding a simple static route to the triggering device (trigger).

The trigger sends a routing update for the static route using iBGP to the other edge routers configured for black hole filtering. This routing
update sets the next hop IP address to another preconfigured static route pointing to the null interface. This process is illustrated in Figure 1.

Figure 1. Destination-Based Black Hole Filtering with Remote Triggering


The three steps in destination-based black hole filtering are summarized below.

Step 1. The setup (preparation)
A trigger is a special device that is installed at the NOC exclusively for the purpose of triggering a black hole. The trigger must have
an iBGP peering relationship with all the edge routers, or, if using route reflectors, it must have an iBGP relationship with the route
reflectors in every cluster. The trigger is also configured to redistribute static routes to its iBGP peers. It sends the static route by means
of an iBGP routing update.
The Provider Edges (PEs) must have a static route for an unused IP address space. For example, 192.0.2.1/32 is set to Null0. The IP
address 192.0.2.1 is reserved for use in test networks and is not used as a deployed IP address.

Step 2. The trigger
An administrator adds a static route for the target destination address under attack to the trigger, which redistributes the route by sending
a BGP update to all its iBGP peers with the next hop set to 192.0.2.1 in the current example.
The PEs receive the iBGP update and set their next hop for the target to the unused address 192.0.2.1. The route to this address
is set to Null0 on the PE by a static routing entry in the router configuration, so the next hop entry in the forwarding information base
(FIB) for the destination IP (target) now resolves to Null0.
All traffic to the target is now forwarded to Null0 at the edge and dropped.

Step 3. The withdrawal
Once the trigger is in place, all traffic to the target destination is dropped at the PEs. When the threat no longer exists, the administrator
must manually remove the static route from the trigger, which sends a BGP route withdrawal to its iBGP peers. This prompts the edge
routers to remove the existing route for the target that points to 192.0.2.1 and to install a new route based on the IGP routing
information base (RIB).
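The three steps above, as an added example that is not part of the original document: a small Python model of a trigger and two PEs in which the target's /32 recurses through the static 192.0.2.1/32 route to Null0 while the black hole is in place and returns to its IGP path after the withdrawal. The PE interface names and the target address 203.0.113.10 are constructed for illustration.

```python
# Added example (not from the original page): a small model of the three RTBH
# steps. PE interfaces and the target address are constructed for illustration.
from ipaddress import ip_address, ip_network

DISCARD = "192.0.2.1"  # unused TEST-NET address that every PE statically maps to Null0

class ProviderEdge:  # a PE holding IGP, BGP and static routes, resolved per lookup
    def __init__(self, igp_routes):
        self.igp = dict(igp_routes)                 # prefix -> egress interface
        self.statics = {DISCARD + "/32": "Null0"}   # Step 1: the preparation
        self.bgp = {}                               # prefix -> BGP next hop

    def receive_update(self, prefix, next_hop):     # Step 2: iBGP update arrives
        self.bgp[prefix] = next_hop

    def receive_withdrawal(self, prefix):           # Step 3: iBGP withdrawal arrives
        self.bgp.pop(prefix, None)

    def fib_lookup(self, dst):
        """Longest-prefix match, then recursive resolution of IP next hops."""
        addr = ip_address(dst)
        rib = {**self.igp, **self.bgp, **self.statics}  # same prefix: static > BGP > IGP
        best = max((p for p in rib if addr in ip_network(p)),
                   key=lambda p: ip_network(p).prefixlen, default=None)
        if best is None:
            return "drop(no route)"
        nh = rib[best]
        if not nh[0].isdigit():       # an interface such as Null0 or Gi0/1: done
            return nh
        return self.fib_lookup(nh)    # an IP next hop (192.0.2.1): resolve it again

def trigger_blackhole(peers, target):  # Step 2: the NOC trigger redistributes the static
    for pe in peers:
        pe.receive_update(str(ip_address(target)) + "/32", DISCARD)

def trigger_restore(peers, target):    # Step 3: the static is removed and withdrawn
    for pe in peers:
        pe.receive_withdrawal(str(ip_address(target)) + "/32")

def demo(target="203.0.113.10", bystander="203.0.113.11"):
    """Run the three steps on two constructed PEs and return each stage's FIB result."""
    pes = [ProviderEdge({"203.0.113.0/24": "Gi0/1"}),
           ProviderEdge({"203.0.113.0/24": "Gi0/2"})]
    before = [pe.fib_lookup(target) for pe in pes]
    trigger_blackhole(pes, target)
    during = [pe.fib_lookup(target) for pe in pes]
    unaffected = [pe.fib_lookup(bystander) for pe in pes]  # only the /32 is dropped
    trigger_restore(pes, target)
    after = [pe.fib_lookup(target) for pe in pes]
    return {"before": before, "during": during, "unaffected": unaffected, "after": after}
```

The `unaffected` lookup shows why the trigger announces a host route: a neighbouring address in the same /24 keeps its IGP path while only the target is discarded.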

AFI(Address Family Identifier) vs SAFI(Subsequent Address Family Identifier)

...(omitted)

2. Multiprotocol Reachable NLRI - MP_REACH_NLRI (Type Code 14):

This is an optional non-transitive attribute that can be used for the
following purposes:

(a) to advertise a feasible route to a peer

(b) to permit a router to advertise the Network Layer address of
the router that should be used as the next hop to the
destinations listed in the Network Layer Reachability
Information field of the MP_NLRI attribute.

(c) to allow a given router to report some or all of the
Subnetwork Points of Attachment (SNPAs) that exist within the
local system

The attribute is encoded as shown below:

+---------------------------------------------------------+
Address Family Identifier (2 octets)
+---------------------------------------------------------+
Subsequent Address Family Identifier (1 octet)
+---------------------------------------------------------+
Length of Next Hop Network Address (1 octet)
+---------------------------------------------------------+
Network Address of Next Hop (variable)
+---------------------------------------------------------+
Number of SNPAs (1 octet)
+---------------------------------------------------------+
Length of first SNPA(1 octet)
+---------------------------------------------------------+
First SNPA (variable)
+---------------------------------------------------------+
Length of second SNPA (1 octet)
+---------------------------------------------------------+
Second SNPA (variable)
+---------------------------------------------------------+
...
+---------------------------------------------------------+
Length of Last SNPA (1 octet)
+---------------------------------------------------------+
Last SNPA (variable)
+---------------------------------------------------------+
Network Layer Reachability Information (variable)
+---------------------------------------------------------+

The use and meaning of these fields are as follows:

Address Family Identifier:

This field carries the identity of the Network Layer protocol
associated with the Network Address that follows. Presently
defined values for this field are specified in RFC 1700 (see
the Address Family Numbers section).

Subsequent Address Family Identifier:

This field provides additional information about the type of
the Network Layer Reachability Information carried in the
attribute.

Length of Next Hop Network Address:

A 1 octet field whose value expresses the length of the
"Network Address of Next Hop" field as measured in octets

Network Address of Next Hop:

A variable length field that contains the Network Address of
the next router on the path to the destination system

Number of SNPAs:

A 1 octet field which contains the number of distinct SNPAs to
be listed in the following fields. The value 0 may be used to
indicate that no SNPAs are listed in this attribute.

Length of Nth SNPA:

A 1 octet field whose value expresses the length of the "Nth
SNPA of Next Hop" field as measured in semi-octets

Nth SNPA of Next Hop:

A variable length field that contains an SNPA of the router
whose Network Address is contained in the "Network Address of
Next Hop" field. The field length is an integral number of
octets in length, namely the rounded-up integer value of one
half the SNPA length expressed in semi-octets; if the SNPA
contains an odd number of semi-octets, a value in this field
will be padded with a trailing all-zero semi-octet.

Network Layer Reachability Information:

A variable length field that lists NLRI for the feasible routes
that are being advertised in this attribute. When the
Subsequent Address Family Identifier field is set to one of the
values defined in this document, each NLRI is encoded as
specified in the "NLRI encoding" section of this document.
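As an added example (not code from the original document), a Python decoder for the attribute layout above that applies the semi-octet SNPA length rule and rejects truncated input; the sample bytes are constructed, not a captured BGP message.

```python
# Added example (not from the original page): decode the MP_REACH_NLRI layout
# above, including the semi-octet SNPA lengths. The sample bytes are constructed.
import struct
from ipaddress import ip_address

def parse_mp_reach_nlri(value: bytes) -> dict:
    """Decode an MP_REACH_NLRI attribute value; raise ValueError if truncated."""
    off = 0

    def take(n):
        nonlocal off
        if off + n > len(value):
            raise ValueError("MP_REACH_NLRI truncated at offset %d" % off)
        chunk = value[off:off + n]
        off += n
        return chunk

    afi, safi, nh_len = struct.unpack("!HBB", take(4))
    next_hop = take(nh_len)
    snpas = []
    for _ in range(take(1)[0]):                # Number of SNPAs
        semi_octets = take(1)[0]               # Length of Nth SNPA, in semi-octets
        raw = take((semi_octets + 1) // 2)     # rounded up to whole octets
        snpas.append(raw.hex()[:semi_octets])  # drop the trailing all-zero pad nibble
    nlri = []
    while off < len(value):                    # each NLRI: <length in bits><prefix>
        plen = take(1)[0]
        nlri.append((take((plen + 7) // 8), plen))
    return {"afi": afi, "safi": safi, "next_hop": next_hop,
            "snpas": snpas, "nlri": nlri}

def prefixes(attr: dict) -> list:
    """Render the parsed NLRI as text for AFI 1 (IPv4) or AFI 2 (IPv6)."""
    width = 4 if attr["afi"] == 1 else 16
    return ["%s/%d" % (ip_address(p.ljust(width, b"\0")), plen)
            for p, plen in attr["nlri"]]

# Constructed sample: AFI 2 (IPv6), SAFI 1 (unicast), 16-octet next hop fe80::1,
# one SNPA of 3 semi-octets (0xabc, padded to 0xabc0), one NLRI 2001:db8::/32.
SAMPLE = (struct.pack("!HBB", 2, 1, 16) + ip_address("fe80::1").packed
          + bytes([1, 3, 0xAB, 0xC0])
          + bytes([32]) + bytes.fromhex("20010db8"))
```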

...(omitted)

What is a Forwarding Equivalence Class (FEC)?

A. An FEC is a group of IP packets that are forwarded in the same manner, over the same path, and with the same forwarding treatment. An FEC might correspond to a destination IP subnet, but it might also correspond to any traffic class that the Edge-LSR considers significant. For example, all traffic with a certain value of IP precedence might constitute an FEC.

Alibaba to List in Hong Kong, Raising HK$10 Billion

[Economic Daily News / reporter 王茂臻, compiled report] 2007.10.16 03:47 am

Alibaba, mainland China's largest e-commerce website, began the global institutional roadshow for its Hong Kong listing yesterday (the 15th) and announced that strategic investors including American International Group (AIG) and ICBC (Asia) have taken stakes. The Hong Kong press also reported that Terry Gou, Taiwan's richest man and chairman of Hon Hai, plans to subscribe for US$100 million of shares in Alibaba's international placement.

According to the Hong Kong Economic Journal and other media, Alibaba expects to open public subscription next Tuesday (the 23rd) and to list on the Hong Kong main board on the 6th of next month. The offer price range is HK$10 to HK$12, and the maximum amount raised will reach HK$10.3 billion, the largest amount ever raised by an internet stock in Hong Kong and the most closely watched internet listing since search-engine leader Google went public in 2003.

The prospectus released at yesterday's institutional roadshow in Hong Kong shows that Alibaba plans to bring in six strategic investors. Among them, Yahoo will invest more than HK$700 million, equivalent to 8.2% of Alibaba's enlarged post-listing share capital.

The other five strategic investors are AIG, ICBC (Asia), Wharf chairman Peter Woo (吳光正), the Kwok family of Sun Hung Kai Properties, and Kerry Properties' major shareholder Robert Kuok (郭鶴年). None of these five will individually hold more than 3% of Alibaba, their combined holding will not exceed 11%, and the investment amounts to about HK$1.131 billion.

The Hong Kong press pointed out that Terry Gou, chairman of Taiwan's Hon Hai Group, who attended Alibaba's Netrepreneur Festival in Hangzhou, Zhejiang, in September, intends to subscribe for US$100 million of the shares Alibaba is placing internationally.

At the September event, Gou said he would cooperate with Alibaba, and Alibaba founder Jack Ma confirmed that Hon Hai and Alibaba have discussed several lines of business.

Alibaba's listing is driving another wave of internet enthusiasm in Hong Kong; software stocks recently listed there, including Kingsoft and Tencent, have turned active. The market expects that Alibaba, which enjoys good name recognition in Hong Kong, could lock up a record HK$500 billion of funds during public subscription.

Securities analysts noted that internet stocks differ from other industrial stocks in that every internet company has its own vision. In Alibaba's case, Jack Ma believes that its core business, business-to-business (B2B) e-commerce, will flourish in future, but Hong Kong investors have lived through the dot-com bubble, and Alibaba's long-term share performance after listing will test how far investors accept internet stocks. Alibaba's estimated 2007 price-earnings ratio is 79 to 94 times.

Public subscription runs from October 23 to 26; the entry cost for a retail investor to subscribe for one board lot (500 shares) is HK$6,060, and a rush of retail demand is expected. The listing sponsors are Morgan Stanley, Goldman Sachs and Deutsche Bank.

Jack Ma to Speak in Taiwan Next Month

[Reporter 何佩儒 / Taipei] Alibaba CEO Jack Ma will give a lecture in Taiwan on November 5 at the invitation of Chinatrust, titled "New Thinking in Global Business Management: Starting from Cross-Strait E-Commerce Development"; the market speculates this is related to Alibaba testing the waters of the Taiwan market.

Alibaba will formally list in Hong Kong on November 6, so coming to Taiwan on the eve of the listing is significant, especially since Alibaba has announced it will expand its international footprint, including an interest in the Taiwan market. Last month it invited Hon Hai chairman Terry Gou to speak in mainland China, and whether Ma will visit Gou during this trip is drawing attention.

Heavyweight figures from major internet companies have been visiting Taiwan in succession recently; besides Ma, Yahoo! president 戴可 will also visit Taiwan later this month, and YouTube co-founder Steve Chen will soon return to Taiwan again.

[2007/10/16 Economic Daily News] @ http://udn.com/

ZyXEL Releases New Security Gateway USG 300

Published: 2007.10.25 16:35 Source: CCIDnet (賽迪網) Author: 賽文

[CCIDnet] ZyXEL recently released its new network security appliance, the ZyWALL USG 300. The ZyWALL USG 300 is tailored for small and medium-sized businesses, meets the enterprise need for distributed secure networking, and provides comprehensive enterprise-grade security.

The ZyWALL USG 300 combines IPSec VPN and SSL VPN technology to build secure VPN tunnels between distributed sites, such as remote branch offices and partners, and to give travelling employees and mobile users convenient, secure network access. Its security features include user access control, schedules, bandwidth management, virus and intrusion detection, and application control. The ZyWALL USG 300 uses multi-layer network inspection and partners with Kaspersky to deliver world-class protection and help build a secure enterprise network environment.

With dual built-in SecuASIC dedicated security processors, the ZyWALL USG 300 delivers excellent, stable network throughput under heavy load. Advanced anti-virus and intrusion detection target rampant malware, attacks and suspicious behaviour, effectively protecting the internal network and reducing potential security threats.

The ZyWALL USG 300 provides comprehensive, flexible IM/P2P application management. With it, network administrators can easily set IM/P2P usage rules and assign different permissions and bandwidth quotas to different users, for example capping bandwidth for bandwidth-hungry P2P applications while giving important applications such as VoIP top priority to ensure good call quality. The ZyWALL USG 300 also provides consolidated statistical reports for real-time monitoring of user bandwidth usage.

Device high availability (HA) eliminates the disastrous impact a single point of network failure can have on a business, letting SMBs enjoy the always-on networking that redundancy provides. In addition, the ZyWALL USG 300 supports multiple WAN ports and multiple ISP connections, so the loss of a single ISP no longer affects normal network use, and its multi-ISP load-balancing algorithm makes full use of every line and optimizes its utilization.

Nortel Multiple VoIP Products UNIStim Message Eavesdropping Vulnerability

Published: 2007.10.26 04:58 Source: CCIDnet technical community (賽迪網-技術社區) Author: kill

Release date: 2007-10-18

Update date: 2007-10-24

Affected systems:

Nortel Networks Meridian-Core-Option 81C
Nortel Networks Meridian-Core-Option 61C
Nortel Networks Meridian-Core-Option 51C
Nortel Networks Meridian-Core-Option 11C Mini
Nortel Networks IP Softphone 2050
Nortel Networks IP Phone 2007
Nortel Networks IP Phone 2004
Nortel Networks IP Phone 2002
Nortel Networks IP Phone 2001
Nortel Networks IP Phone 1150E
Nortel Networks IP Phone 1140E
Nortel Networks IP Phone 1120E
Nortel Networks IP Phone 1110
Nortel Networks IP Phone
Nortel Networks Mobile Voice Client 2050
Nortel Networks IP Audio Conference Phone 2033
Nortel Networks Communications Server 2100
Nortel Networks Communications Server 1000S
Nortel Networks Communications Server 1000M Cabinet/Chassis
Nortel Networks Communications Server 1000E

Description:

BUGTRAQ ID: 26120

Nortel IP Phone, IP Softphone and related products are IP telephony devices released by Nortel.

A vulnerability exists in the Nortel IP Phone implementation that a remote attacker may be able to exploit to eavesdrop on the phone's surroundings remotely.

If a user sends the correct UNIStim message, the IP phone can be put into monitoring mode. The UNIStim message ID must match the ID shared between the signaling server and the IP phone, but the protocol uses only 16 bits for this ID. If a malicious user sends 65536 spoofed UNIStim messages, exhausting every possible ID value, the audio channel can be opened, leaving the IP phone's microphone in a remotely monitored state.

Nortel Networks: The vendor has released an upgrade patch to fix this security issue; download it from the vendor's homepage: http://www.nortelnetworks.com/index.html

(Responsible editor: 高爽)

Oct 25, 2007

Full Text of Apple CEO Steve Jobs's Commencement Address to Stanford Graduates

This is an e-mail a friend forwarded to me. I think it has something to say to every person alive in the world today: don't give up any experience you might need in the future, even if it seems worthless to you now (I'm glad I learned the Boshiamy input method right before graduating from college, after taking the reserve officer exam :P )~


Stay Hungry, Stay Foolish

Today I am honored to be with you at your commencement from one of the finest universities in the world. I never graduated from college; truth be told, this is the closest I have ever gotten to a college graduation. Today I will tell just three stories, no grand lessons, just three stories.

The first story is about how the dots in a life connect. I dropped out of Reed College after six months, and hung around for another eighteen months before I really quit. So why did I drop out? (audience laughs) It started before I was born.

My biological mother was a young, unwed graduate student, and she decided to put me up for adoption. She felt very strongly that I should be adopted by college graduates, so everything was set for me to be adopted at birth by a lawyer and his wife. Except that when I was born, they decided at the last minute that they really wanted a girl. So my parents, who were on a waiting list, got a call in the middle of the night asking, "We have an unexpected baby boy; do you want him?" They said, "Of course." My biological mother later found out that my mother had never graduated from college and that my father had never graduated from high school. She refused to sign the final adoption papers. She only relented a few months later when my parents promised that I would someday go to college.

Seventeen years later I did go to college. But I naively chose a college that was almost as expensive as Stanford (audience laughs), and all of my working-class parents' savings were being spent on my tuition. After six months, I couldn't see the value in it. I had no idea what I wanted to do with my life and no idea how college was going to help me figure it out, and all I knew was that I was spending all of the money my parents had saved their entire lives. So I decided to drop out and trust that it would all work out.

It was pretty scary at the time, but looking back it was one of the best decisions I ever made. (audience laughs)
The minute I dropped out I could stop taking the required classes that didn't interest me and begin dropping in on the ones that looked interesting. It wasn't at all romantic. I didn't have a dorm room, so I slept on the floor in friends' rooms, I returned Coke bottles for the five-cent deposits to buy food with, and I would walk the seven miles across town every Sunday night to get one good meal at the Hare Krishna temple. I loved the food at the Hare Krishna temple.

And much of what I stumbled into by following my curiosity and intuition turned out to be priceless later on. Let me give you one example. Reed College at that time offered perhaps the best calligraphy instruction in the country. Throughout the campus every poster and every label on every drawer was beautifully hand-lettered. Because I had dropped out and didn't have to take the normal classes, I decided to take a calligraphy class. I learned about serif and sans serif typefaces, about varying the spacing between different letter combinations, about what makes great typography great. It was beautiful, historical, artistically subtle in a way that science can't capture, and I found it fascinating.

None of this had even a hope of any practical application in my life. But ten years later, when I was designing the first Macintosh, it all came back to me, and I designed it all into the Mac. It was the first computer that could print beautiful things. If I had never dropped in on that single course in college, the Mac would never have had multiple typefaces or proportionally spaced fonts. And since Windows copied the way the Mac works (audience applauds and laughs), if I had never dropped out and never taken that calligraphy class, it is likely that no personal computer would have these things, and we couldn't print the beautiful type we see today. Of course it was impossible to connect the dots looking forward when I was in college, but looking back ten years later, it is all very clear.

Again, you can't connect the dots looking forward; you can only connect them looking backwards. So you have to trust that what you are experiencing now will somehow connect in your future. You have to trust in something: your gut, destiny, life, karma, whatever. This approach has never let me down, and it has made all the difference in my life. (Jobs pauses to drink water)

My second story is about love and loss.

I was lucky: I found what I loved to do early in life. Steve Wozniak and I started Apple in my parents' garage when I was twenty. We worked hard, and in ten years Apple had grown from the two of us in a garage into a company with over four thousand employees worth two billion dollars. We had just released our finest creation, the Macintosh, a year earlier, and I had just turned thirty. And then I got fired.

How can you get fired from a company you founded? (audience laughs)

Well, as Apple grew I hired someone I thought was very talented at running a company, and for the first few years things went well. But our visions of the future differed, and eventually we had to part ways; the board sided with him, and so at thirty I was out, and very publicly out. I lost the focus of my entire life, and my life was shattered.

For a few months I really didn't know what to do. I felt that I had let the previous generation of entrepreneurs down, that I had dropped the baton they had handed me. I met with David Packard, founder of HP, and Bob Noyce, founder of Intel, and told them I was sorry for screwing things up. I became a public example of failure, and I even thought about leaving Silicon Valley.

But slowly I realized that I still loved what I did. What had happened at Apple had not changed that one bit. I had been rejected, but I still loved doing those things, and so I decided to start over.

I didn't see it then, but it turned out that getting fired from Apple was the best thing that ever happened to me. The heaviness of being successful was replaced by the lightness of being a beginner again, less sure about everything, and it freed me to enter one of the most creative periods of my life.

During the next five years, I started a company named NeXT and another named Pixar, and fell in love with the woman who would become my wife (Laurene). Pixar went on to create the world's first fully computer-animated feature film, Toy Story, and is now the most successful animation studio in the world (audience applauds and laughs). Then Apple bought NeXT, I returned to Apple, and the technology we developed at NeXT became the heart of Apple's later renaissance.

I also have a wonderful family. I'm pretty sure none of this would have happened if Apple hadn't fired me. It was bitter medicine, but I guess the patient called Apple needed it. Sometimes life hits you in the head with a brick. Don't lose faith. I'm convinced that the only thing that kept me going was that I loved what I did.

You've got to find what you love, and that is as true for your work as it is for your partner in life.

Your work is going to fill a large part of your life, and the only way to be truly satisfied is to do what you believe is great work, and the only way to do great work is to love what you do. If you haven't found it yet, keep looking; don't settle. Give it your whole heart and you know you will find it. And, like any great undertaking, it only gets better with time. So keep looking until you find it; don't settle. (audience applauds, Jobs drinks water)

My third story is about death.

When I was seventeen, I read a quote that went something like, "If you live each day as if it was your last, someday you'll most certainly be right." (audience laughs) It made a deep impression on me, and for the past 33 years I have looked in the mirror every morning and asked myself, "If today were the last day of my life, what would I do today?" Whenever the answer has been "nothing" for too many days in a row, I know I need to change something.

Remembering that I'll be dead soon is the most important tool I've ever encountered to help me make the big choices in life. Because almost everything, all external expectations, all pride, all fear of embarrassment or failure, these things just fall away in the face of death, leaving only what is truly important.

Remembering that I'll be dead soon is the best way I know to avoid the trap of fearing that I have something to lose. We bring nothing into this life and take nothing out of it; there is no reason not to follow your heart.

A year ago I was diagnosed with cancer. I had a scan at 7:30 in the morning, and it clearly showed a tumor on my pancreas; I didn't even know what a pancreas was. The doctors told me this was almost certainly an incurable type of cancer and that I should expect to live no longer than three to six months. My doctor advised me to go home and spend time with my loved ones, which is the doctors' standard advice for a patient who is dying. It means trying to tell your kids in a few months everything you thought you'd have the next ten years to tell them. It means getting everything in order so that it will be as easy as possible for your family. It means saying your goodbyes.

I lived with that diagnosis all day. That evening I had a biopsy, where they put an endoscope down my throat, through my stomach and into my intestines, put a needle into my pancreas and took a few cells from the tumor. I was sedated and unconscious, but my wife was there. She later told me that when the doctors viewed the cells under a microscope they started crying, because it turned out to be a very rare form of pancreatic cancer that is curable with surgery. So I had the surgery and recovered. (audience applauds)

This was the closest I have been to facing death, and I hope it is the closest I get for a few more decades. Having lived through it, I can now say this to you with a bit more certainty than when death was a purely intellectual concept: no one wants to die. Even people who want to go to heaven want to get there alive. (audience laughs)

And yet death is the destination we all share; no one has ever escaped it. And that is as it should be, because death is very likely the single best invention of life. It is life's change agent: it clears out the old to make way for the new. Right now the new is you, but someday not too long from now you will gradually become the old and be cleared from the stage. Sorry to be so dramatic, but it is quite true.

Your time is limited, so don't waste it living someone else's life. Don't be trapped by dogma, which is living with the results of other people's thinking. Don't let the noise of others' opinions drown out your own inner voice. And most important, have the courage to follow your heart and intuition; they somehow already know what you truly want to become. Everything else is secondary. (audience applauds)

When I was young, there was an amazing publication called The Whole Earth Catalog, which was one of the bibles of our generation. It was created by a fellow named Stewart Brand not far from here in Menlo Park, and he brought it to life with his poetic touch. This was in the late 1960s, before personal computers and desktop publishing, so it was all made with typewriters, scissors and Polaroid cameras. It was something like Google in paperback form, 35 years before Google came along: idealistic, and overflowing with neat tools and great notions.

Stewart and his team put out several issues of The Whole Earth Catalog, and then, naturally, a final issue. That was the mid-1970s, when I was your age. On the back cover of their final issue was a photograph of an early-morning country road, the kind you might find yourself hitchhiking on if you were adventurous. Beneath it were the words: Stay Hungry, Stay Foolish. It was their farewell message as they signed off, and I have always wished that for myself. And now, as you graduate to begin anew, I wish that for you.