Teoría de las Comunicaciones 16 de mayo de 2012 • Tunneling. • Virtual Networks and Tunnels. • ATM (Asynchronous Transfer Mode). • MPLS (Multi-Protocol Label Switching). • MPLS. Ejercicio. 1 Tunneling 2 Tunneling a packet from Paris to London 3 Why tunneling ? • One reason is security. Supplemented with encryption, a tunnel can become a very private sort of link across a public network. • Another reason may be that R1 and R2 have some capabilities that are not widely available in the intervening networks, such as multicast routing. By connecting these routers with a tunnel, we can build a virtual network in which all the routers with this capability appear to be directly connected. • A third reason to build tunnels is to carry packets from protocols other than IP across an IP network. As long as the routers at either end of the tunnel know how to handle these other protocols, the IP tunnel looks to them like a point-to-point link over which they can send non-IP packets. • Tunnels also provide a mechanism by which we can force a packet to be delivered to a particular place even if its original header—the one that gets encapsulated inside the tunnel header—might suggest that it should go somewhere else. • Thus, we see that tunneling is a powerful and quite general technique for building virtual links across internetworks. 4 Tunneling does have its downsides • One is that it increases the length of packets; this might represent a significant waste of bandwidth for short packets. • There may also be performance implications for the routers at either end of the tunnel, since they need to do more work than normal forwarding as they add and remove the tunnel header. • Finally, there is a management cost for the administrative entity that is responsible for setting up the tunnels and making sure they are correctly handled by the routing protocols. 5 Tunneling: examples • IP/IP • GRE (Generic Routing Encapsulation) – RFCs 1701 y 1702… • L2TP (Layer 2 Tunneling Protocol) – RFCs 2661… • IPSec (Internet Protocol Security) – RFCs 4301 y 4309… • MPLS (Multi-Protocol Label Switching) – RFC 3031 (1998 )… • HTTP Tunneling • Secure shell tunneling 6 Virtual Networks and Tunnels 7 Two separate private networks 8 Two virtual private networks sharing common switches 9 A tunnel through an internetwork 10 ATM Asynchronous Transfer Mode 11 ??? Virtual circuit network 12 ATM • ATM is a connection-oriented, packet-switched technology, which is to say, it uses virtual circuits. • In addition to discovering a suitable route across an ATM network, connection setup phase is also responsible for allocating resources at the switches along the circuit. • This is done in an effort to ensure the circuit a particular Quality Of Service. • Indeed, the QoS capabilities of ATM are one of its greatest strengths. 13 Quality Of Service requirement 14 ATM • One thing that makes ATM really unusual is that the packets that are switched in an ATM network are of fixed length. • To distinguish these fixed-length packets from the more common variable-length packets normally used in computer networks, they are given a special name: cells. • ATM may be thought of as the canonical example of cell switching. 15 ATM cell format • Generic Flow Control (GFC). These bits have not been widely used. • The next 24 bits contain an 8-bit Virtual Path Identifier (VPI) and a 16bit Virtual Circuit Identifier (VCI). Is adequate to think of them as a single 24-bit identifier that is used to identify a virtual connection. • Following the VPI/VCI is a 3-bit Type field that has eight possible values. Four of them, when the first bit in the field is set, relate to management functions. • Cell Loss Priority (CLP); a user or network element may set this bit to indicate cells that should be dropped preferentially in the event of overload. • The last byte of the header is an 8-bit CRC, known as the header error check (HEC). 16 Example of a virtual path • ATM uses a 24-bit identifier for virtual circuits. The one twist is that the 24-bit identifier is split into two parts: an 8-bit virtual path identifier (VPI) and a 16-bit virtual circuit identifier (VCI). This effectively creates a two-level hierarchy of virtual connections. 17 ATM: example 18 MPLS Multiprotocol Label Switching 19 MPLS • Originally viewed as a way to improve the performance of the Internet. • Tries to combine some of the properties of virtual circuits with the flexibility and robustness of datagrams. • MPLS is very much associated with the Internet Protocol’s datagram-based architecture—it relies on IP addresses and IP routing protocols to do its job. • MPLS-enabled routers also forward packets by examining relatively short, fixed-length labels, and these labels have local scope, just like in a virtual circuit network. 20 MPLS • It is perhaps this marriage of two seemingly opposed technologies that has caused MPLS to have a somewhat mixed reception in the Internet engineering community. 21 “What is it good for?” • • • To enable IP capabilities on devices that do not have the capability to forward IP datagrams in the normal manner (e.g. ATM switches). To forward IP packets along “explicit routes”— precalculated routes that don’t necessarily match those that normal IP routing protocols would select. To support certain types of virtual private network services. 22 MPLS provides these beneficial applications • • • • Virtual Private Networking (VPN). Traffic Engineering (TE). Quality of Service (QoS). Any Transport over MPLS (AToM). • Additionally, it decreases the forwarding overhead on the core routers. • MPLS technologies are applicable to any network layer protocol. 23 MPLS Label Swapping Label Pop Label push LIB Incoming IF1 L1 Outgoing IF2 L2 24 MPLS IP IP IP Forwarding #L1 IP #L2 LABEL SWITCHING IP #L3 IP IP Forwarding 25 Destination-Based Forwarding Example network… 26 R2 allocates labels and advertises bindings to R1… This advertisement is carried in the “Label Distribution Protocol.” (LDP) 27 R1 stores the received labels in a table… 28 R3 advertises another binding, and R2 stores the received label in a table… R1: Label Edge Router (LER), performs a complete IP lookup on arriving IP packets, and then applies labels to them as a result of the lookup. R2: label switching routers (LSRs), devices that run IP control protocols but use the label switching forwarding algorithm 29 Label switching forwarding algorithm IP LAN LAN MPLS Analiza Etiqueta Router IP Analiza Etiqueta LSR IP LSR P LS Edge LSR IP Edge LSR IP Etiqueta Introduce (push) Etiqueta Extrae (pop) Etiqueta LSR Analiza Etiqueta LSR Analiza Etiqueta 30 Label switching forwarding algorithm Las etiquetas tienen significado local; no tiene significado global IP Interfaz Etiqueta Interfaz Etiqueta de entrada de entrada de salida de salida IP 2 3 34 71 4 4 swap 17 77 LAN LAN MPLS LSR LSR 2 1 FEC Interfaz Etiqueta de salida de salida a 2 70 b 2 23 2 1 IP 70 23 IP 80 4 34 80 2 2 3 LSR 3 4 IP 34 Interfaz Etiqueta Interfaz Etiqueta de entrada de entrada de salida de salida 1 1 IP I P 4 17 3 77 1 2 3 IP 1 Edge 70 IP LSR 23 2 1 IP 71 Router IP Edge LSR 3 IP IP 3 1 LSR Interfaz Etiqueta Interfaz Etiqueta de entrada de entrada de salida de salida 1 80 2 71 31 Label switching forwarding algorithm • We have replaced the normal IP destination address lookup with a label lookup. • IP prefixes are of variable length, and the IP destination address lookup algorithm needs to find the longest match— the longest prefix that matches the high- order bits in the IP address of the packet being forwarded. • By contrast, the label forwarding mechanism just described is an exact match algorithm. • Note that the routing algorithm can be any standard IP routing algorithm (e.g., OSPF). • The path that a packet will follow in this environment is the exact same path that it would have followed if MPLS were not involved—the path chosen by the IP routing algorithms. • All that has changed is the forwarding algorithm. 32 Label Distribution Protocol (LDP) • RFC 3036. • The Label Distribution Protocol (LDP) is used to establish MPLS transport LSPs when traffic engineering is not required. • It establishes LSPs that follow the existing IP routing table, and is particularly well suited for establishing a full mesh of LSPs between all of the routers on the network. • LDP can operate in many modes to suit different requirements; however the most common usage is unsolicited mode, which sets up a full mesh of tunnels between routers. 33 Labels are “attached” to packets, but where exactly are they attached? a. Label on an ATM-encapsulated packet. b. Label on a frame-encapsulated packet. 34 Label 35 What layer is MPLS? • Since the MPLS header is normally found between the layer 3 and the layer 2 headers in a packet, it is some-times referred to as a layer 2.5 protocol. 36 Position of MPLS label 37 Forwarding Equivalence Class LSR LER LSR LER LSP IP1 IP1 IP1 #L1 IP1 #L2 IP1 #L3 IP2 #L1 IP2 #L2 IP2 #L3 IP2 IP2 • FEC is a group of packets which are forwarded in the same manner, over the same path, and with the same forwarding treatment. • An FEC might correspond to a destination IP subnet, but it also might correspond to any traffic class that the Edge-LSR (LER) considers significant. For example, all traffic with a certain value of IP precedence might constitute a FEC. • Thus, a FEC tends to correspond to a label switched path (LSP). The reverse is not true, however: an LSP may be (and usually is) used for multiple FECs. 38 Forwarding Equivalence Class • It is possible for each flow to have its own set of labels through the subnet. However, it is more common for routers to group multiple flows and use a single label for them. • The flows that are grouped together under a single label are said to belong to the same FEC. This class covers not only where the packets are going, but also their service class (in the differentiated services sense) because all their packets are treated the same way for forwarding purposes. • A FEC is not a packet, nor is it a label. A FEC is a logical entity created by the router to represent a class (category) of packets. • When a packet arrives at the ingress router of an MPLS domain, the router parses the packet's headers, and checks to see if the packet matches a known FEC (class). • Once the matching FEC is determined, the path and outgoing label assigned to that FEC are used to forward the packet. 39 Forwarding Equivalence Classes • Destination unicast address. • Traffic Engineering. • VPN. • QoS (Quality of Service). • Etc… 40 Enable IP capabilities on devices that do not have the capability to forward IP datagrams • LSR, Label Switching Routers, devices that run IP control protocols but use the label switching forwarding algorithm. • The major effect of changing the forwarding algorithm is that devices that normally don’t know how to forward IP packets can be used in an MPLS network. • The most notable early application of this result was to ATM switches, which can support MPLS without any changes to their forwarding hardware. 41 Multiprotocol Label Switching • Because the MPLS headers are not part of the network layer packet or the data link layer frame, MPLS is to a large extent independent of both layers. • This property means it is possible to build MPLS switches that can forward both IP packets and ATM cells, depending on what shows up. • This feature is where the ''multiprotocol'' in the name MPLS came from. 42 (a) Routers connect to each other using an “overlay”of virtual circuits. (b) Routers peer directly with LSRs ATM switches MPLS-Enabled switches 43 Explicit Routing • IP has a source routing option, but it is not widely used for several reasons, including the fact that only a limited number of hops can be specified, and because it is usually processed outside the “fast path” on most routers. • MPLS provides a convenient way to add capabilities similar to source routing to IP networks, although the capability is more often called “explicit routing” rather than “source routing.” 44 A network requiring explicit routing R1 R2 R7: R1-R3-R6-R7 R7: R2-R3-R4-R5-R7 • We can’t use the same procedures to distribute labels because those procedures establish labels that cause packets to follow the normal paths picked by IP routing. • A new mechanism is needed. It turns out that the protocol used for this task is the Resource Reservation Protocol (RSVP). • But for now it suffices to say that it is possible to send an RSVP message along an explicitly specified path (e.g., R1-R3-R6-R7) and use it to set up label forwarding table entries all along that path. This is very similar to the process of establishing a virtual circuit. 45 Explicit Routing • One of the applications of explicit routing is “traffic engineering,” which refers to the task of ensuring that sufficient resources are available in a network to meet the demands placed on it. • Explicit routing can also help to make networks more resilient in the face of failure, using a capability called fast reroute. It is actually a feature of Resource Reservation Protocol Traffic Engineering (RSVP-TE) (RFC 5151). • Explicit routes need not be calculated by a network operator. There are a range of algorithms that routers can use to calculate explicit routes automatically. The most common of these is called constrained shortest path first (CSPF), which is like the link-state algorithms, but which also takes “constraints” into account. 46 ReSerVation Protocol with Traffic Engineering (RSVP-TE) • RSVP-TE is an extension of the resource reservation protocol (RSVP) for traffic engineering. • It supports the reservation of resources across an IP network. Applications running on IP end systems can use RSVP to indicate to other nodes the nature (bandwidth, jitter, maximum burst, and so forth) of the packet streams they want to receive. • RSVP-TE is detailed in RFC 5151. RSVP-TE generally allows the establishment of MPLS label switched paths (LSPs), taking into consideration network constraint parameters such as available bandwidth and explicit hops. 47 ReSerVation Protocol with Traffic Engineering (RSVP-TE) • RSVP allows the use of source routing where the ingress router determines the complete path through the network. • The ingress router can use a Constrained Shortest Path First (CSPF) calculator to determine a path to the destination, ensuring that any QoS requirements are met. The resulting path is then used to establish the LSP. • Operational overhead of RSVP-TE compared to the more widely deployed label distribution protocol (LDP) will generally be higher. • This is a classic trade-off between complexity and optimality in the use of technologies in telecommunications networks. 48 Fast ReRoute (FRR) • For example, it is possible to precalculate a path from router A to router B that explicitly avoids a certain link L. • In the event that link L fails, router A could send all traffic destined to B down the precalculated path. • The combination of precalculation of the “backup path” and the explicit routing of packets along the path means that A doesn’t need to wait for routing protocol packets to make their way across the network or for routing algorithms to be executed by various other nodes in the network. • In certain circumstances, this can significantly reduce the time taken to reroute packets around a point of failure. 49 Fast ReRoute operation Primary path (LSP) from A to E via B and D. The traffic of customers connected to A and E will take this path in the normal operation. Secondary path (LSP) from A to E via C. For the primary LSP, FRR (Fast ReRoute) is enabled. Once enabled, the other network elements on the LSP will know that FRR is enabled. 1) There is a break between D and E. D will immediately know this and it will inform B and A. For A to know that there is a failure between D and E, it takes a while. 2) Since D gets to know immediately about the failure and FRR is enabled on the LSP, it uses the detour path D-C-E to get rid of the failure immediately and traffic will continue to flow along that path. This takes less than 50ms. 3) Once the secondary LSP is up, traffic is switched to the secondary LSP and detour path is turned down. 50 QoS and MPLS • As was seen before, traffic is aggregated into groups called FEC (Forwarding Equivalence Classes) and these groups or behavior aggregates are assigned to specific Label Switched Path (LSP). • Then traffic engineering can be implemented to assign high-priority FECs onto high-quality LSPs and lower-priority FECs onto lowerquality LSPs. • This way QoS is implemented using MPLS. 51 QoS and MPLS Usuario A Tarifa premium A α - β 5 δ - γ 3 B γ α Los routers X y Z se encargan de etiquetar los flujos según origen-destino β Y 4 β α 4 β - γ 7 β - 4 α Z X Usuario B Tarifa normal 5 α 5 β α δ α 3 α 3 7 2 V β β α W 2 α 2 β C Usuario C γ β β 7 C ha de distinguir de algun modo los paquetes que envía hacia A o B (puede usar subinterfaces diferentes) 52 MPLS “layer 2” VPN • In this type of VPN, MPLS is used to tunnel layer 2 data (such as Ethernet frames or ATM cells) across a network of MPLS-enabled routers. • One reason for tunnels is to provide some sort of network service that is not supported by some routers in the network. • The same logic applies here: IP routers are not ATM switches, so you cannot provide an ATM virtual circuit service across a network of conventional routers. However, if you had a pair of routers interconnected by a tunnel, they could send ATM cells across the tunnel and emulate an ATM circuit. • The term for this technique within the IETF is pseudowire emulation. 53 ATM circuit emulated by a tunnel MPLS-enabled routers • The head router needs to be configured with the incoming port, the incoming VCI, the “demultiplexing label” for this emulated circuit, and the address of the tunnel end router. • The tail end router needs to be configured with the outgoing port, the outgoing VCI, and the demultiplexing label. 54 Forwarding ATM cells along a tunnel 1. An ATM cell arrives on the designated input port with the appropriate VCI value (101 in this example). 2. The head router attaches the demultiplexing label that identifies the emulated circuit. 3. The head router then attaches a second label, which is the tunnel label that will get the packet to the tail router. 4. Routers between the head and tail forward the packet using only the tunnel label. 5. The tail router removes the tunnel label, finds the demultiplexing label, and recognizes the emulated circuit. 6. The tail router modifies the ATM VCI to the correct value (202 in this case) and sends it out the correct port. 55 MPLS labels may be “stacked” • In this example the packet has two labels attached to it. This is one of the interesting features of MPLS— labels may be “stacked” on a packet to any depth. This provides some useful scaling capabilities. • In this example, it enables a single tunnel to carry a potentially large number of emulated circuits. • The same techniques described here can be applied to emulate many other layer 2 services, including Frame Relay and Ethernet. • Virtually identical capabilities can be provided using IP tunnels; the main advantage of MPLS here is the shorter tunnel header. 56 Label stacking • Label: Label Value, 20 bits. • Exp: Experimental Use, 3 bits. • S: Bottom of Stack, 1 bit. • TTL: Time to Live, 8 bits. 57 Label stacking IP PE IP PE 41 IP P P IP LS P P 91 1 PE P IP IP 31 P 2 1 3 1 P2 LS 2IP 4 IP 2 3 IP P LS IP 72 1 91 70 2 72 70 1 3 P 72 91 1 17 17 2 IP 2 P1 LS IP 81 3 PE IP 27 IP 72 91 IP 61 P IP 25 4 1 PE P IP LS P 2 PE IP LSP LSP1 LSP2 Túnel 58 MPLS layer 3 VPN • The details of layer 3 VPNs are quite complex. Represent one of the most popular uses of MPLS. • Use stacks of MPLS labels to tunnel packets across an IP network. However, the packets that are tunneled are themselves IP packets —hence the name “layer 3 VPNs.” • In a layer 3 VPN, a single service provider operates a network of MPLS-enabled routers and provides a “virtually private” IP network service to any number of distinct customers. • Each customer of the provider has some number of sites, and the service provider creates the illusion for each customer that there are no other customers on the network. 59 MPLS layer 3 VPN • The customer sees an IP network interconnecting his own sites, and no other sites. This means that each customer is isolated from all other customers in terms of both routing and addressing. • Customer A can’t send packets directly to customer B, and vice versa. Customer A can even use IP addresses that have also been used by customer B. As in layer 2 VPNs, MPLS is used to tunnel packets from one site to another. • The configuration of the tunnels is performed automatically by some fairly elaborate use of BGP (BGP/MPLS VPNs RFC 2547). 60 Layer 3 VPN. Customers A and B each obtain a virtually private IP service from a single provider 61 LDP for MPLS Services • The Label Distribution Protocol (LDP) is used to establish MPLS transport LSPs when traffic engineering is not required. • It establishes LSPs that follow the existing IP routing table, and is particularly well suited for establishing a full mesh of LSPs between all of the routers on the network. • LDP can operate in many modes to suit different requirements; however the most common usage is unsolicited mode, which sets up a full mesh of tunnels between routers. 62 LDP vs. RSVP-TE • “Which signaling protocol to use – LDP or RSVP-TE?”. • The traditional response is “Use LDP when you want simplicity, use RSVP-TE when you want bandwidth guarantees and 50ms reroute around failure”. • Why not both? - LDP over RSVP-TE (LDPoRSVP-TE). 63 LDP vs. RSVP-TE • The main advantage of LDP over RSVP is the ease of setting up a full mesh of tunnels using unsolicited mode. • So it is most often used in this mode to set up the underlying mesh of tunnels needed by Layer 2 and Layer 3 VPNs. 64 MPLS. Ejercicio Assume that it takes 32 bits to carry each MPLS label that is added to a packet when the “shim” header is used. a) How many additional bytes are needed to tunnel a packet using the MPLS techniques? b) How many additional bytes are needed, at a minimum, to tunnel a packet using an additional IP header (IP/IP)? c) Calculate the efficiency of bandwidth usage for each of the two tunneling approaches when the average packet size is 300 bytes. Repeat for 64-byte packets. Bandwidth efficiency is defined as (payload bytes carried)÷(total bytes carried). 65 MPLS Terms LSP FECs α - β 5 δ - γ 3 δ α γ 3 X B 5 β 4 β α 5 β α A no MPLS enabled LIB 4 Y α β 2 α W V α 4 β - γ 7 β - α no MPLS enabled β C Z 7 β LIB LER α γ LIB 3 MPLS Multiple Protocol Label Switching LER Label Edge Router LSR Label Switch Router LIB Label Information Base LSP Label Switch Path FEC Forward Equivalence Class β 2 α 2 β 7 LER LSR (V, W, Y) LSRs X, Y, Z, V, W: MPLS enabled. 66 MPLS Anexo opcional 67 Behavior of TTL 68 Propagation behavior of TTL between IP header and MPLS labels 69 TTL propagation in label-to-label operation in the case of a swap, push, and pop operation 70 ICMP "Time Exceeded" sent by a router in an MPLS network 71 Ejemplo de MPLS 72 Ejemplo de MPLS • En este ejemplo se quiere comunicar el router (no MPLS) que se encuentra en la parte superior y el router (no MPLS) que se encuentra en la parte inferior a través de la red MPLS • Las tablas muestran la asociación de las direcciones de red con las parejas interfaz-etiqueta de salida y de entrada. 73 Ejemplo de MPLS • Paso 1: Vemos la tabla del router externo que está conectado a dos redes de clase C. La flecha azul claro indica que el router externo comunica al LSR frontera las rutas que posee (a través del protocolo que sea). Es el ‘routing update’. 74 Ejemplo de MPLS • Paso 2: El LSR elige una etiqueta no usada mediante LDP (la 5 por ejemplo). Así un paquete que llegue por el Serial1 con la etiqueta 5 será enviada por el Serial0 sin etiqueta. La flecha roja indica que se comunica el uso de la etiqueta 5 al siguiente LSR . 75 Ejemplo de MPLS • Paso 3: El siguiente LSR almacena la etiqueta 5 (como etiqueta de salida) en su LIB asociada con la Serial0. Escoge la etiqueta 17 (como etiqueta de entrada) y la asocia con el Serial1 y lo propaga al siguiente LSR vía LDP. De este modo los paquetes que lleguen por el Serial1 con la etiqueta 17 se enviaran por la Serial0 con la etiqueta 5. 76 Ejemplo de MPLS • Pasos 4 y 5: Se procede de forma similar a los anteriores pasos. La tabla del paso 4 es más grande porque se actualiza con información del LSR de la derecha. La tabla del LSR frontera (paso 5) solo tiene etiquetas de salida porque esta conectado al router no-MPLS emisor. El LSP establecido queda señalado con la flecha azul marino. 77 Ejemplo de MPLS • Paso 6: El LSR frontera envía información de routing al router externo. Éste actualiza sus tablas de routing, de modo que para enviar paquetes a las redes de clase C del router de la parte inferior, lo hará a través del Serial0. 78 Ejemplo de MPLS • Pasos 7 y 8: El LSR frontera del fondo también propaga la información de routing al LSR que tiene conectado por el Serial2. Éste actúa de forma similar y propaga la información al otro LSR. Se supone que se seguiría propagando por todos los LSR 79 Ejemplo de MPLS • Paso 9: El LSR recibe información de routing del LSR de la izquierda y actualiza su tabla LIB. • Podemos observar el comportamiento multipunto del MPLS en el LSR del paso 4 ya que todos los paquetes que entran son etiquetados con la misma etiqueta (17) y enviados por el Serial0. 80