Posts

Showing posts from October 21, 2007

IS-IS LSP(Link-State Packets) Header

Image
Appendix A. IS-IS Packet FormatsIS-IS Packet Fields (Alphabetical Order)ATT— Attachment Bits (Flags attachment to other areas)Checksum— Checksum of contents of LSP from source ID field to the endCircuit Type— Defines whether link is Level-1 and Level-2End LSP— LSP ID of last LSP in CSNPHolding Time— Defines how long to wait for a hello from this system before clearing the adjacencyID Length— Length of the System ID field in an NSAP(NET)Intradomain Routing Protocol Discriminator— Network layer protocol identifierIS Type— Defines type of router, Level-1 or Level-2LAN ID— LAN Identifier, Consists of the System ID of the designated intermediate system plus a unique numberLength Indicator— Length of the fixed header of the packet in bytesLocal Circuit ID— Unique identifier for a linkLSP ID— Identifier for router's LSP, consisting of the System ID of the router, fragment number, and a nonzero octet for pseudonode number in case of pseudonode LSPMaximum Area Addresses— Number of areas pe…

Cisco Segmented Generalized Multiprotocol Label Switching(GMPLS)

Image
A primary component of the Cisco Systems® IP over Dense Wavelength-Division Multiplexing (IPoDWDM) solution for the IP Next-Generation Network (IP NGN) is the simplification of end-to-end control between IP and DWDM networks. To alleviate high operational expenses (OpEx), increase speed for carrier service activations, and eliminate cumbersome and disparate manual provisioning methods at the transport layer, Cisco® has introduced a new cost-effective and efficient solution based on Generalized Multiprotocol Label Switching (GMPLS). This solution enables both optical and IP devices to dynamically find, identify, and provision optimal paths based on user traffic requirements. Called the Segmentation model of GMPLS (S-GMPLS), this new GMPLS model is a hybrid of current approaches that overcomes several daunting obstacles by allowing both IP and optical networks to maintain their existing segmented administration environments. S-GMPLS allows providers to keep the topology of t…

Multicast VPNs(MVPN)

Image
Multicast VPNs (mVPNs) provide a scaleable architecture to enable multicast in an RFC2547 Layer 3 Multiprotocol Label Switching (MPLS) VPN environment.
Originally derived from tag switching, MPLS uses labels to combine the intelligence of routing with the high performance of switching. MPLS VPNs are a natural extension of MPLS and are often by service providers to offer VPN services over a shared infrastructure. MPLS VPNs operate based on label stacks.
Despite the advantage of label stacking and the ability to decouple routing from forwarding for unicast traffic, MPLS VPNs did not address how to handle multicast traffic. As a result, the only available solution for delivery of IP multicast video, voice, and data over a deployed Layer 3 MPLS VPN was to statically configure point-to-point GRE tunnels between Customer Edge (CE) routers. As the number of CE routers increased, the number of point-to-point GRE tunnels required to maintain a full mesh of CEs quickly became unmanageable. A more…

Layer 2 VPN Architectures: Understanding Any Transport over MPLS

Image
...(略)

Understanding AToM Operations

In Chapter 3, you learned how AToM achieves a high degree of scalability by using the MPLS encoding method. You also read an overview of LDP in the previous section. Reading through this section, you will develop a further understanding of how MPLS encapsulation, LDP sig-naling, and pseudowire emulation work together.

The primary tasks of AToM include establishing pseudowires between provider edge (PE) routers and carrying Layer 2 packets over these pseudowires. The next sections cover the operations of AToM from the perspectives of both the control plane and the data plane as follows:

Pseudowire label binding Establishing AToM pseudowires Control word negotiationUsing sequence numbersPseudowire encapsulation Pseudowire Label Binding
An AToM pseudowire essentially consists of two unidirectional LSPs. Each is represented by a pseudowire label, also known as a VC label. The pseudowire label is part of the label stack encoding that encapsulates Layer 2 pac…

QoS DESIGN FOR MPLS VPN SERVICE PROVIDERS

...(略)

RFC 3270 presents three modes of MPLS/DiffServ marking for service providers:

1)Uniform Mode: SP can remark customer DSCP values

...(略)

Understanding Selective Packet Discard (SPD)

...(略)

SPD State Check
The IP process queue on the RP is divided into two parts: a general packet queue and a priority queue. Packets put in the general packet queue are subject to the SPD state check, and those that are put in the priority queue are not. Packets that qualify for the priority packet queue are high priority packets such as those of IP precedence 6 or 7 and should never be dropped. The non-qualifiers, however, can be dropped here depending on the length of the general packet queue depending on the SPD state. The general packet queue can be in three states and, as such, the low priority packets may be serviced differently: NORMAL: queue size <= min RANDOM DROP: min <= queue size <= max FULL DROP: max <= queue size In the NORMAL state, we never drop well-formed and malformed packets.

In the RANDOM DROP state, we randomly drop well-formed packets. If aggressive mode is configured, we drop all malformed packets; otherwise, we treat them as well-formed packets.

In FU…

QoS DESIGN FOR MPLS VPN SERVICE PROVIDERS

...(略)

3)Short Pipe Mode (shown below):

SP does not remark customer DSCP values (SP uses independent MPLS EXP markings); final PE-to-CE policies are based on customer’s markings

...(略)

Layer Two Tunneling Protocol - Version 3 (L2TPv3)

...(略)

4.1.1. L2TPv3 over IP

L2TPv3 over IP (both versions) utilizes the IANA-assigned IP protocol ID 115.

...(略)

AToM traffic encapsulation(Control Word)

Image
Layer 2 Circuit ConceptThe Layer 2 circuit framework requires LDP to be used as the signaling protocol for advertising ingress labels. In most cases, it is not necessary to transport the Layer 2 encapsulation across the network; rather, the Layer 2 header can be stripped at one PE router, and reproduced at the egress PE router. Such Layer 2 information is carried in a special Layer 2 circuit header called a control word.In the Layer 2 circuit IETF drafts, the control word is optional for most Layer 2 protocols, except Frame Relay and ATM AAL5 where it is required. However, in JUNOS Release 5.6 and later, a control word for all forms of Layer 2 circuits is sent by default. If you are establishing a Layer 2 circuit between a router running JUNOS Release 5.5 or earlier and a router running JUNOS Release 5.6 or later, use of the control word is negotiated automatically. The Layer 2 protocols that are supported for Layer 2 circuits are: ATM cell-relay mode and ATM Adaptation Layer 5 (AAL5)…

MPLS TE Tunnel

...(略)

After having established the TE tunnel, the next step in deploying MPLS-TE is to direct traffic down the TE tunnel. Directing traffic down a TE tunnel can be done by one of the following four methods:

Autoroute—The TE tunnel is treated as a directly connected link to the tail IGP adjacency and is not run over the tunnel. Unlike an ATM/FR VC, autoroute is limited to single area/level only. Forwarding adjacency—With autoroute, the LSP is not advertised into the IGP, and this is the correct behavior if you are adding TE to an IP network. However, it might not be appropriate if you are migrating from ATM/FR to TE. Sometimes advertising the LSP into the IGP as a link is necessary to preserve the routing outside the ATM/FR cloud. Static routesPolicy routing...(略)

MPLS Label Stacking

Image

REMOTELY TRIGGERED BLACK HOLE FILTERING—DESTINATION BASED AND SOURCE BASED

Image
Destination-Based Remotely Triggered Black Hole Filtering

With a denial-of-service (DoS) attack, in addition to service degradation of the target, there is possible collateral damage such as bandwidth
consumption, processor utilization, and potential service loss elsewhere in the network. One method to mitigate the damaging effects of such
an attack is to black hole (drop) traffic destined to the IP address or addresses being attacked and to filter the infected host traffic at the edge of
the network closest to the source of the attack.

The challenge is to find a way to quickly drop the offending traffic at the network edge, document and track the black holed destination addresses,
and promptly return these addresses to service once the threat disappears.

Destination-based IP black hole filtering with remote triggering allows
a network-wide destination-based black hole to be propagated by adding a simple static route to the triggering device (trigger).

The trigger sends a routing update for th…

AFI(Address Family Identifier) vs SAFI(Subsequent Address Family Identifier)

...(略)

2. Multiprotocol Reachable NLRI - MP_REACH_NLRI (Type Code 14):

This is an optional non-transitive attribute that can be used for the
following purposes:

(a) to advertise a feasible route to a peer

(b) to permit a router to advertise the Network Layer address of
the router that should be used as the next hop to the
destinations listed in the Network Layer Reachability
Information field of the MP_NLRI attribute.

(c) to allow a given router to report some or all of the
Subnetwork Points of Attachment (SNPAs) that exist within the
local system

The attribute is encoded as shown below:

+---------------------------------------------------------+
Address Family Identifier (2 octets)
+---------------------------------------------------------+
Subsequent Address Family Identifier (1 octet)
+---------------------------------------------------------+
Length of Next Hop Network Address (1 octet)
+---------------------------------------------------------+
Network Address of Next Hop (variable)
+----------------…

What is a Forwarding Equivalence Class (FEC)?

A. FEC is a group of IP packets which are forwarded in the same manner, over the same path, and with the same forwarding treatment.An FEC might correspond to a destination IP subnet, but it also might correspond to any traffic class that the Edge-LSR considers significant. For example, all traffic with a certain value of IP precedence might constitute a FEC.

合勤科技發佈新型安全網關USG 300

發佈時間:2007.10.25 16:35 來源:賽迪網 作者:賽文

【賽迪網訊】合勤科技近日發佈其新型網路安全設備-ZyWALL USG 300。ZyWALL USG 300為中小企業量身打造,滿足企業對分佈安全網路的需求,提供全面的企業級安全保障。



ZyWALL USG 300融合IPSec VPN和SSL VPN技術,在分佈機構間建立安全的VPN隧道連接,例如遠程分支機構,合作夥伴,併為出差員工和移動用戶提供便捷安全的網路接入。豐富的安全特性包括:用戶訪問控制,時間表,帶寬管理,病毒及入侵偵測及應用控制等。ZyWALL USG 300採用網路多層偵測技術,聯手卡巴斯基,提供全球領先的保護能力,幫助構築安全的企業網路環境。


通過內置雙重SecuASIC專用安全處理器,ZyWALL USG 300能夠在高負載狀況下提供卓越,穩定的網路吞吐量。先進的防病毒和入侵檢測技術針對氾濫的惡意軟體,攻擊和可疑行為,有效保護內部網路不受侵害,降低潛在的安全威脅。


ZyWALL USG 300具備全面彈性的IM/P2P應用管理能力。通過該功能,網路管理人員能夠輕鬆地建立IM/P2P使用規則,根據不同用戶分配不同許可權及網路帶寬配額,例如對濫用帶寬的P2P應用限制帶寬定額,對重要的應用VoIP等給予最高優先級,保障良好的通信效果。同時ZyWALL USG 300具備綜合統計報告,實時監測用戶帶寬利用狀況。


設備高可用性HA的實現徹底消除單點網路故障給企業帶來的災難性破壞,使得中小企業也能享受冗余技術帶來的永續網路。另一方面,ZyWALL USG 300支援多WAN口,多ISP連接,單一ISP不可用將不再會影響網路的正常使用。同時多ISP負載均衡演算法充分利用,優化每條線路利用率。

Nortel多個VoIP產品UNIStim消息竊聽漏洞

Nortel多個VoIP產品UNIStim消息竊聽漏洞

發佈時間:2007.10.26 04:58 來源:賽迪網-技術社區 作者:kill

發佈日期:2007-10-18

更新日期:2007-10-24


受影響系統:

Nortel Networks Meridian-Core-Option 81C

Nortel Networks Meridian-Core-Option 61C

Nortel Networks Meridian-Core-Option 51C

Nortel Networks Meridian-Core-Option 11C Mini

Nortel Networks IP Softphone 2050

Nortel Networks IP Phone 2007

Nortel Networks IP Phone 2004

Nortel Networks IP Phone 2002

Nortel Networks IP Phone 2001

Nortel Networks IP Phone 1150E

Nortel Networks IP Phone 1140E

Nortel Networks IP Phone 1120E

Nortel Networks IP Phone 1110

Nortel Networks IP Phone

Nortel Networks Mobile Voice Client 2050

Nortel Networks IP Audio Conference Phone 2033

Nortel Networks Communications Server 2100

Nortel Networks Communications Server 1000S

Nortel Networks Communications Server 1000M Cabinet/Chassis

Nortel Networks Communications Server 1000E

描述:

BUGTRAQ ID: 26120


Nortel IP Phone、IP Softphone等都是Nortel所發佈的IP電話設備。


Nortel IP Phone實現上存在漏洞,遠程攻擊者可能利用此漏洞實現遠程現場竊聽。


如果用戶發送了正確的UNISti…

Apple CEO Steve Jobs對史丹佛畢業生演講全文

這是一篇朋友轉寄給我的信件,我覺得對世界上目前活著的每一個人都會有所啟示,不要放棄任何可能讓你未來需要用到的各種經驗,也許現在你覺得毫無價值(我很高興大學畢業前夕考完預官後我學會了嘸蝦米 :P )~


Stay Hungry, Stay Foolish (求知若飢 ,虛心若愚 )

今天,很榮幸來到各位從世界上最好的學校之一畢業的畢業典禮上。我從來沒從大學畢業過,說實話,這是我離大學畢業最近的一刻。今天,我只說三個故事,不談大道理,三個故事就好。

第一個故事,是關於人生中的點點滴滴如何串連在一起。我在里德學院(Reed College)待了六個月就辦休學了。到我退學前,一共休學了十八個月。那麼,我為什麼休學?(聽眾笑)這得從我出生前講起。

我的親生母親當時是個研究生,年輕未婚媽媽,她決定讓別人收養我。她強烈覺得應該讓有大學畢業的人收養我,所以我出生時,她就準備讓我被一對律師夫婦收養。但是這對夫妻到了最後一刻反悔了,他們想收養女孩。所以在等待收養名單上的一對夫妻,我的養父母,在一天半夜裡接到一通電話,問他們「有一名意外出生的男孩,你們要認養他嗎?」而他們的回答是「當然要」。後來,我的生母發現,我現在的媽媽從來沒有大學畢業,我現在的爸爸則連高中畢業也沒有。她拒絕在認養文件上做最後簽字。直到幾個月後,我的養父母保證將來一定會讓我上大學,她的態度才軟化。

十七年後,我上大學了。但是當時我無知地選了一所學費幾乎跟史丹佛一樣貴的大學(聽眾笑),我那工人階級的父母將所有積蓄都花在我的學費上。六個月後,我看不出唸這個書的價值何在。那時候,我不知道這輩子要幹什麼,也不知道唸大學能對我有什麼幫助,只知道我為了唸這個書,花光了我父母這輩子的所有積蓄,所以我決定休學,相信船到橋頭自然直。

當時這個決定看來相當可怕,可是現在看來,那是我這輩子做過最好的決定之一。(聽眾笑)
當我休學之後,我再也不用上我沒興趣的必修課,把時間拿去聽那些我有興趣的課。這一點也不浪漫。我沒有宿舍,所以我睡在友人家裡的地板上,靠著回收可樂空罐的退費五分錢買吃的,每個星期天晚上得走七哩的路繞過大半個鎮去印度教的 Hare Krishna神廟吃頓好料,我喜歡Hare Krishna神廟的好料。

就這樣追隨我的好奇與直覺,大部分我所投入過的事務,後來看來都成了無比珍貴的經歷(And much of wh…