Networking and VPN Basics · 2020-03-09


Tremendous strides in computer networking have increased the productivity of today’s workers in today’s workplace. The speed at which we are able to access and share data is more than was dreamed of 15 years ago. The security risk in networking today has also grown. This book is dedicated to one of the industry milestones that is quickly becoming a standard in most workplaces. This book is about Virtual Private Networks (VPNs) with the Nortel VPN routers.

VPN routing uses “virtual” connections (instead of the traditional dialed line or a leased line) to connect users in remote offices to a private network over a public network. VPN networking offers many benefits. It allows for extended geographic connectivity, improves security, and is much more cost-effective than traditional wide area network (WAN) connectivity. Most of these benefits are discussed later in this book. Never before have so many people been able to connect almost seamlessly to their corporate network from home and on the road, which instantly allows real-time communication with their corporate LAN.

This chapter is a basic overview of networking and VPN basics. It’s important to cover some networking basics to understand VPN. Most of the information contained in this chapter is covered in detail in later chapters. The information presented here will provide you with a basic understanding of how VPN networking works.

Chapter 1

Networking and VPN Basics

04_781274 ch01.qxp 6/22/06 12:23 AM Page 1

COPYRIGHTED MATERIAL


Networking Basics

In its most basic form, a computer network is nothing more than two or more computers that are connected together via a medium to allow the transfer of data. Today, most businesses rely on networking to complete daily business transactions. Networks today are built to allow sharing of hardware and software services. Networking allows you to retrieve applications from remote servers, transfer files, share print services, and much more. Figure 1-1 shows a basic network.

Networks can be described several ways. Most often, when we think of networks, we think of either a local area network (LAN) or a wide area network (WAN). Although there are several types of “area networks,” for purposes of discussion in this chapter, we will discuss these two types.

The OSI Reference Model

The Open Systems Interconnection Reference Model (also known as the OSI Reference Model, OSI seven-layer Model, or OSI Model) was developed as a tool to describe network communications and network design. The OSI Reference Model divides the functions of a network protocol into seven layers. Each layer of the OSI Reference Model utilizes the functions of the layer below it and provides services to the layer above it. Figure 1-2 shows an example of the OSI Reference Model.

Typically, the lower layers of the OSI Reference Model (Physical, Data Link, Network, and Transport) are implemented in the hardware in the network, while the upper layers (Session, Presentation, and Application) are implemented in the software applications that are being used.

Figure 1-1: A simple network of two computers sharing data


Figure 1-2: The OSI Reference Model

The OSI Reference Model is considered an abstract model because it is merely a guide and does not have to be strictly adhered to when network implementation occurs. The OSI Reference Model’s layered approach is advantageous to system implementation. Because a network design can be broken into the layered pieces, it offers a lot of flexibility and reduces problems in the beginning stages of network design. A product that is implemented from one vendor at Layer 2 of the reference model should be fully interoperable with the Layer 2 and Layer 1 offerings of another vendor. This allows for more options when designing the network. Additionally, new protocols and standards are easier to implement at a layered level.

Let’s take a detailed look at the OSI Reference Model, beginning with the upper layers.

The Application Layer (Layer 7)

Layer 7 of the OSI Reference Model is the Application layer. Simply put, the Application layer is used by applications on the network. The Application layer does not control all network applications; rather, it is the layer that contains services that are used by applications.

Some of the more popular applications that perform functions at this layer are File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and HyperText Transfer Protocol (HTTP), among many others. Because this layer is at the very top of the OSI Reference Model, it does not have any layers above it to interact with. Instead, it provides functions that are used by the end user. This layer represents the actual applications used on the network.

Figure 1-2 layer stack (top to bottom): Application, Presentation, Session, Transport, Network, Data Link, Physical. The Physical layer, at the bottom of the stack, receives from and sends to the network.


The Presentation Layer (Layer 6)

Layer 6 of the OSI Reference Model is the Presentation layer. This layer has a much more specific function than the other layers. Its function is to ensure that data is presented on the receiving end the way that the originator intended it to be.

Because there are various vendors involved in the development of devices on a network, sometimes these systems have distinct characteristics and may represent data in different ways. For example, even though a Microsoft-based PC and Macintosh personal computer are both computers, they use different applications and represent data in different ways. It is the responsibility of the Presentation layer to ensure that data is presented in a similar fashion between the two devices.

Compression and decompression of data can also be performed at the Presentation layer. Because the Presentation layer is not always needed (consider environments that are running a standard system between users), its functions are often included and described at the Application layer. It is not uncommon for Layer 7 to speak directly with Layer 5, and vice versa.

The Session Layer (Layer 5)

The fifth layer of the OSI Reference Model is the Session layer. The Session layer is the lowest of the three upper layers of the OSI Reference Model. It is concerned primarily with software application issues and not so much with the transportation of data within the network. The purpose of this layer is to allow network devices to establish and maintain extended sessions for the purpose of sharing data.

Common application protocols that are used at this layer are Transmission Control Protocol/Internet Protocol (TCP/IP) sockets and Network Basic Input/Output System (NetBIOS). These protocols allow applications the ability to set up and maintain communications over the network. Simply put, this layer handles the starting, coordinating, and terminating of communication between computer applications and between a source and a destination on the network.

The Transport Layer (Layer 4)

Layer 4 of the OSI Reference Model is the Transport layer. This layer is involved with the transportation of data within a network. It is an interface layer and (unlike Layers 1, 2, and 3) it really does not concern itself with the way that data is transported between the source and the destinations. This layer relies on the lower layers to handle the actual packaging and movement of the packet, and it acts as a liaison between the lower layers and the upper layers. This layer enables communication of applications between devices on the network.


The Transport layer is responsible for keeping track of information coming from the upper layers and ensures that the data is combined into a single flow of data to the lower layers. This layer is responsible for ensuring that large amounts of data are systematically broken down into smaller blocks to be sent to the lower layers for transport. The Transport layer uses algorithms to ensure that data is transported reliably and that solid communication between devices takes place. Some of the protocols that are used at this level are the User Datagram Protocol (UDP) and the Transmission Control Protocol (TCP).

User Datagram Protocol

The User Datagram Protocol (UDP) is a protocol that allows a source device to transfer data to a destination device without first checking to see if it is able to establish a session with the destination device. Because of this, UDP is defined as a connectionless delivery protocol. UDP is used by applications that do not require error checking and delivery control. Broadcast messages are an example of an application that would use UDP for a delivery protocol. There is very little overhead with UDP.

Transmission Control Protocol

The Transmission Control Protocol (TCP) is more reliable than UDP because it does ensure that a connection can be established between a source and a destination on the network. TCP uses very strict error-detection algorithms to ensure delivery of data. TCP uses sequence numbers and acknowledgments to ensure data is delivered in its entirety to a destination.

Sequence numbers help ensure that all packets are received and put back into the correct order by the receiving station. The sending station will assign a sequence number to each packet that is transmitted. The receiving station keeps track of each packet. When a packet is received, the receiving station will keep track of the sequence numbers and will return an acknowledgment to the sending station as each packet is received. The sending station will resend packets when there is no acknowledgment received, and the receiving station can verify receipt by the order of sequence numbers.

The Network Layer (Layer 3)

The third layer of the OSI Reference Model is the Network layer. Here it is determined how interconnected LANs communicate with one another. This is the most important layer when transmitted data is sent onto the WAN. The layers above this layer (Layers 4 through 7) do not concern themselves with how data is sent to and received from its destination.

At the Network layer, devices on the network are given a logical address that is used for data delivery. The Internet Protocol (IP) standard is the most commonly used address for data delivery, and every device on a network has a unique IP address. Data is transported from LAN to LAN at this level. It is the job of devices that are operating at this level to handle packets that are received from various sources and to ensure that those packets arrive at their destinations.

The Network layer is responsible for encapsulating data from higher layers and then passing the data to the Data Link layer (Layer 2). When encapsulating the data, the Network layer will place a header onto the packet. Often, the Data Link layer has a limit on the size of packets that it accepts, so the Network layer breaks the packet up into fragments and sends these fragmented packets to the Data Link layer. The Network layer is responsible for reassembling the packets once they arrive at their destination. A router is an example of a Layer 3 device.

The Data Link Layer (Layer 2)

Layer 2 of the OSI Reference Model is the Data Link layer. The Data Link layer is often divided into two sub-layers:

■■ Logical Link Control (LLC): Used to establish and control logical links between devices within a network.

■■ Media Access Control (MAC): Defines standards in which devices manage access to the network to avoid conflicting with other devices that are trying to send data.

The Data Link layer is responsible for the encapsulation of messages that are being sent from higher layers. The data is encapsulated by the Data Link layer and then it is forwarded to the Physical layer to be sent to the network destination. This layer also handles errors that occur on the network during transport. One of the ways that errors are managed is with the cyclic redundancy check (CRC), which is simply a small number of bits in a packet that is used on each end of transport to ensure data integrity. Switches and bridges are examples of Layer 2 devices.

The Physical Layer (Layer 1)

The lowest layer of the OSI Reference Model is the Physical layer. In networking, the Physical layer is important because it is the only layer in which data is physically transferred across the network interface. The Physical layer details the way in which the connectors, cables, and other hardware devices operate within a network. At this layer, data is encoded and transmitted from one device to another. In general, the Physical layer is the layer that deals with the actual 0s and 1s that are transmitted through the network. Devices that operate at this level are lower-level devices, which really have no understanding of the data being transmitted. This layer simply accepts and passes data. A hub would be an example of a Layer 1 device.


Overview of a Local Area Network

A LAN is considered to be a group of computers that are in close proximity to each other (such as a school, a department in an office building, a home network, and so on). The LAN allows these users to share applications, transfer data among one another, and share hardware (such as printers). Most often, a LAN connects to other LANs or to a WAN.

Computers and devices that make up a LAN are connected with cables, network adapters, and hubs. There are also other components in LAN networking, but we are just covering the basics. Some networking protocols are also used to get these devices to communicate with one another. Many of these protocols come standard with most operating systems.

The most common type of LAN is an Ethernet LAN (see Figure 1-3). An Ethernet LAN can transfer data up to 100 megabits per second (Mbps). It is by far the most popular and widely used technology in most LANs mainly because most computer vendors provide Ethernet attachments with their equipment, making it easier to link to almost any hardware that is used in the LAN. Because it is so widely used, it works well in environments where multiple-vendor hardware is being used.

All of the Ethernet equipment in a LAN operates independent of the other Ethernet equipment. Ethernet signals are provided to all of the equipment on the LAN and the equipment “listens” for the line to be clear before transmitting its data.

A LAN can be as simple as two computers on a home network or as complicated as several thousand devices in a larger environment. Many LANs are divided into subnetworks, which allow you to break down larger LANs into smaller groups.

Figure 1-3: An example of an Ethernet LAN


Overview of a Wide Area Network

A WAN comprises multiple LANs and spans a large geographical distance. The most commonly known (and used) WAN is the Internet. Figure 1-4 shows an example of a WAN.

A network device known as a router is used to connect LANs to the WAN. The router is used to collect the address destinations of LAN and WAN devices, and it uses these addresses to deliver data between devices.

Media Access Control Addressing

Every device on a LAN contains a physical address, called the Media Access Control (MAC) address. The MAC address is a unique hardware address that identifies each device on the network. Most Layer 2 protocols use the MAC address to identify a device on the network. MAC addresses are written in hexadecimal notation, which is written in the base-16 numbering system.

Not all networking protocols will use the MAC address, but on broadcast networks, the MAC address allows all of the devices in the network to be identified and allows delivery of frames intended for a specific destination. MAC addresses are permanently attached to a device and are assigned by product manufacturers.

Figure 1-4: A WAN


Typically, MAC addresses are read as a group and are divided into six sets of two hexadecimal digits. Each set is separated from the remaining sets by either a colon (:) or a hyphen (-). Figure 1-5 shows an example of how MAC addressing may appear.

Internet Protocol Addressing

An IP address is a unique number that is used by devices to communicate with each other over a WAN. An IP address is much like a telephone number or a street address. An IP address is assigned to each host interface within a network. To communicate with any other device on a WAN, the sending and receiving device’s IP address must be known. An IP address may be static, which means that it is permanently assigned to a device. It can also be dynamically assigned by a server that is within the LAN of the device.

IP addresses are broken into four octets. Each octet contains 8 bits. The octets are written in dotted-decimal notation. Dotted-decimal notation is simply a method of writing octet strings in the base-10 numeral system. Each octet is separated from the other octets with a decimal point. Figure 1-6 shows an example of binary to dotted-decimal conversion.

Figure 1-5: An example of a MAC address

23-4F-AD-21-33-AF
23:4F:AD:21:33:AF

Figure 1-6: An example of binary to dotted-decimal conversion

11010010 00001100 10000000 00100000
210      12       128      32
210.12.128.21 (as printed in the figure; note that the fourth octet 00100000 is decimal 32, so the binary shown converts to 210.12.128.32)


IP Address Classes

IP addresses are broken down into different classes. This allows for the assignment of different classes to meet the needs of networks that have different sizes. IP addresses can be divided into two parts: One part identifies the network that the IP address is assigned to, and the other part identifies the device that has been assigned a particular IP address.

Table 1-1 shows how IP addresses are divided into classes. IP addressing is broken down into the following five classes:

■■ Class A (for networks that have more than 65,536 hosts)

■■ Class B (for networks that have between 256 and 65,536 hosts)

■■ Class C (for networks that have less than 256 hosts)

■■ Class D (reserved for multicasting)

■■ Class E (reserved for future use)

Class A Addresses

Class A addresses are used for very large networks. There are only a small number of Class A addresses. The leading bit in a Class A address is always a 0. The next 7 bits identify the network, and the last 24 bits belong to the device to which the IP address is assigned.

Table 1-2 shows a breakdown of the octets in a Class A address.

Table 1-1: Dividing Sections of the IP Address for Each Class

IP ADDRESS CLASS    NETWORK PORTION    HOST PORTION
Class A             Octet 1            Octets 2, 3, 4
Class B             Octets 1, 2        Octets 3, 4
Class C             Octets 1, 2, 3     Octet 4

Table 1-2: The Breakdown of the Octets in a Class A Address

FIRST BIT    OCTET 1       OCTET 2    OCTET 3    OCTET 4
0            Network ID    Host ID    Host ID    Host ID


Class B Addresses

A Class B address is assigned to medium-size networks. The first bit is always a 1 and the second bit is always a 0. The remaining 14 leading bits of the address are assigned to the network, and the last 16 bits identify the device to which the IP address is assigned.

Table 1-3 shows a breakdown of the octets in a Class B address.

Class C Addresses

Class C addresses are the most common type of addresses and are assigned to thousands of networks throughout the world. The first and second bits of a Class C address are one (1), with the third bit always being a zero (0). The remaining 21 leading bits identify the network number, and the last 8 bits are used to identify the device that the address is assigned to.

Table 1-4 shows a breakdown of the octets in a Class C address.

Class D Addresses

Class D addresses are reserved for multicast addresses and can range from 224.0.0.0 to 239.255.255.255. The Class D address identifies a group of hosts in a network that are members of a multicast group. Multicasting allows for the delivery of information to multiple devices within a group. It is a very efficient strategy to deliver messages that need to be shared with all members of the group.

Table 1-5 shows examples of well-known Class D addresses.

Table 1-3: The Breakdown of the Octets in a Class B Address

FIRST BIT    SECOND BIT    OCTET 1       OCTET 2       OCTET 3    OCTET 4
1            0             Network ID    Network ID    Host ID    Host ID

Table 1-4: The Breakdown of the Octets in a Class C Address

FIRST BIT    SECOND BIT    THIRD BIT    OCTET 1       OCTET 2       OCTET 3       OCTET 4
1            1             0            Network ID    Network ID    Network ID    Host ID


Table 1-5: Examples of Well-Known Class D Addresses

CLASS D ADDRESS    DESCRIPTION
224.0.0.0          Reserved
224.0.0.1          All devices within a network segment
224.0.0.2          All routers within a network segment
224.0.0.9          Used to send routing information in a RIP environment
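As an added example (not code from the book), the following Python applies the class rules of Tables 1-1 through 1-5: it converts the binary address of Figure 1-6 to dotted-decimal, reads the leading bits to find the class, splits the network and host portions, and recognizes the Class D multicast range. All sample addresses in it are constructed, and malformed input is rejected rather than guessed at.

```python
"""Classify IPv4 addresses by their leading bits, as in Tables 1-1 through 1-5.

Added example; all input values below are constructed for illustration.
"""


def dotted_to_bits(addr: str) -> str:
    """Return the 32-bit binary string for a dotted-decimal address.

    Rejects anything that is not exactly four octets in 0..255, so a
    malformed string is never silently classified.
    """
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {addr!r}")
    bits = []
    for octet in octets:
        if not octet.isdigit() or not 0 <= int(octet) <= 255:
            raise ValueError(f"octet out of range: {octet!r} in {addr!r}")
        bits.append(format(int(octet), "08b"))
    return "".join(bits)


def bits_to_dotted(bits: str) -> str:
    """Inverse of dotted_to_bits: the conversion shown in Figure 1-6."""
    bits = bits.replace(" ", "")
    if len(bits) != 32 or set(bits) - {"0", "1"}:
        raise ValueError("need exactly 32 binary digits")
    return ".".join(str(int(bits[i:i + 8], 2)) for i in range(0, 32, 8))


def address_class(addr: str) -> str:
    """Class letter from the leading bits: 0 -> A, 10 -> B, 110 -> C, 1110 -> D, else E."""
    bits = dotted_to_bits(addr)
    for prefix, cls in (("0", "A"), ("10", "B"), ("110", "C"), ("1110", "D")):
        if bits.startswith(prefix):
            return cls
    return "E"


# Number of leading octets that form the network portion (Table 1-1).
NETWORK_OCTETS = {"A": 1, "B": 2, "C": 3}


def split_network_host(addr: str) -> tuple[str, str]:
    """Return (network portion, host portion) for a Class A, B or C address."""
    cls = address_class(addr)
    if cls not in NETWORK_OCTETS:
        raise ValueError(f"class {cls} address {addr} has no network/host split")
    octets = addr.split(".")
    n = NETWORK_OCTETS[cls]
    return ".".join(octets[:n]), ".".join(octets[n:])


def is_multicast(addr: str) -> bool:
    """True for the Class D range 224.0.0.0 to 239.255.255.255."""
    return address_class(addr) == "D"


# Well-known Class D addresses from Table 1-5.
WELL_KNOWN_MULTICAST = {
    "224.0.0.0": "Reserved",
    "224.0.0.1": "All devices within a network segment",
    "224.0.0.2": "All routers within a network segment",
    "224.0.0.9": "Used to send routing information in a RIP environment",
}


def describe(addr: str) -> str:
    """One-line summary of how the address is read under classful addressing."""
    cls = address_class(addr)
    if cls in NETWORK_OCTETS:
        network, host = split_network_host(addr)
        return f"{addr}: Class {cls}, network {network}, host {host}"
    if cls == "D":
        return f"{addr}: Class D multicast, {WELL_KNOWN_MULTICAST.get(addr, 'group address')}"
    return f"{addr}: Class E, reserved"


if __name__ == "__main__":
    # The Figure 1-6 binary, then one constructed sample from each class
    print(bits_to_dotted("11010010 00001100 10000000 00100000"))
    for sample in ("10.0.0.1", "172.16.5.9", "210.12.128.32", "224.0.0.9", "240.0.0.1"):
        print(describe(sample))
```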

Protocols and Other Standards

In data communication, a protocol is a convention that enables the establishment of a connection between networking devices. The protocol sets the rules by which the connection is established and the rules governing the transfer of data between the devices. A protocol can govern hardware, software, and sometimes both hardware and software.

A technical standard can be considered a guideline or an example of a specification. A standard is used to form a basis in which a technology or a protocol can be developed.

This section describes some of the more common protocols and technical standards.

Internet Protocol

The Internet Protocol (IP), as mentioned earlier in this chapter, is a data protocol that is used by a source and a destination to communicate across a network.

In an IP network, data is transferred in blocks known as packets. The IP makes no guarantees that the information that is contained within a packet is not damaged. It is possible for data to be damaged, sometimes duplicated, and sometimes dropped completely. This is known as best-effort delivery.

In a data network, a packet is the block of information that contains the data that is being transmitted between devices. A packet comprises the following three elements:

■■ Header: Contains instructions about the data that is contained in the payload portion of the packet.

■■ Payload: Contains the data that is being transmitted.

■■ Footer: Contains end-of-packet information, as well as error-checking.

Figure 1-7 shows the packet header.


Figure 1-7: The IP packet header

As shown in Figure 1-7, the bits in the IP packet header are as follows:

■■ Version: Identifies the version number of the packet.

■■ Internet Header Length (IHL): This field identifies the length of the IP packet header.

■■ Type of Service (TOS): Identifies the type of service. Used by networks to identify the data being transported and helps determine how the packet is to be handled.

■■ Identification: Helps identify packet fragments to ensure they are kept separate from other packet fragments.

■■ Flags: Keeps information as to whether or not fragmentation is used and if there are more fragments.

■■ Fragment Offset: Directs the reassembly of packets.

■■ Time to Live (TTL): A timer that is used to keep track of a packet.

■■ Protocol: Identifies the next encapsulated protocol.

■■ Header Checksum: The checksum data of the IP header and the Options field.

■■ Source IP address: Identifies the IP address of the source device.

■■ Destination IP address: Identifies the IP address of the destination.

■■ Options and Padding: Special instruction data for the packet and may contain filler data to ensure that the data starts on a 32-bit boundary.
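As an added example (not code from the book), the following Python builds a constructed IPv4 header carrying the fields of Figure 1-7, then parses one back from raw bytes and verifies the Header Checksum. It also refuses a header whose IHL claims more bytes than were actually received, which is the check a parser needs before it trusts any field beyond the fixed 20 bytes. The addresses are documentation-range values chosen for the example.

```python
"""Build and parse the IPv4 header of Figure 1-7 and verify its Header Checksum.

Added example; the packet below is constructed for illustration.
"""
import struct
from dataclasses import dataclass

IPV4_FIXED = struct.Struct("!BBHHHBBH4s4s")  # the 20-byte header without options


@dataclass
class IPv4Header:
    version: int
    ihl: int              # header length in 32-bit words
    tos: int
    total_length: int
    identification: int
    flags: int            # 3 bits: reserved, DF (don't fragment), MF (more fragments)
    fragment_offset: int  # in 8-byte units
    ttl: int
    protocol: int
    header_checksum: int
    source: str
    destination: str
    options: bytes
    checksum_ok: bool


def ones_complement_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum of the 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {addr!r}")
    return bytes(octets)


def build_ipv4_header(src: str, dst: str, payload_len: int, protocol: int = 17,
                      ttl: int = 64, identification: int = 0x1C46,
                      dont_fragment: bool = True) -> bytes:
    """Return a 20-byte header (no options) with a correct Header Checksum."""
    flags_frag = (0b010 << 13) if dont_fragment else 0
    header = IPV4_FIXED.pack((4 << 4) | 5, 0, 20 + payload_len, identification,
                             flags_frag, ttl, protocol, 0,
                             ip_to_bytes(src), ip_to_bytes(dst))
    checksum = ones_complement_checksum(header)  # computed with the field zeroed
    return header[:10] + struct.pack("!H", checksum) + header[12:]


def parse_ipv4_header(packet: bytes) -> IPv4Header:
    """Decode the header fields; raise ValueError on truncated or inconsistent input."""
    if len(packet) < 20:
        raise ValueError("truncated: an IPv4 header is at least 20 bytes")
    (ver_ihl, tos, total_length, ident, flags_frag, ttl, proto,
     checksum, src, dst) = IPV4_FIXED.unpack(packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4: version {version}")
    header_len = ihl * 4
    if ihl < 5 or header_len > len(packet):
        raise ValueError(f"bad IHL {ihl}: claims {header_len} bytes, have {len(packet)}")
    if total_length < header_len:
        raise ValueError(f"Total Length {total_length} is shorter than the header")
    header = packet[:header_len]
    return IPv4Header(
        version=version, ihl=ihl, tos=tos, total_length=total_length,
        identification=ident, flags=flags_frag >> 13,
        fragment_offset=flags_frag & 0x1FFF, ttl=ttl, protocol=proto,
        header_checksum=checksum,
        source=".".join(map(str, src)), destination=".".join(map(str, dst)),
        options=header[20:],
        # summing the header as received, checksum field included, must give zero
        checksum_ok=ones_complement_checksum(header) == 0,
    )


def corrupt(packet: bytes, offset: int) -> bytes:
    """Flip one bit at the given offset, as a transit error would."""
    mutated = bytearray(packet)
    mutated[offset] ^= 0x01
    return bytes(mutated)


# Constructed sample: a UDP datagram between two documentation-range addresses.
PAYLOAD = b"constructed payload"
SAMPLE_PACKET = build_ipv4_header("192.0.2.10", "198.51.100.7", len(PAYLOAD)) + PAYLOAD

if __name__ == "__main__":
    print(parse_ipv4_header(SAMPLE_PACKET))
    print("checksum after flipping a TTL bit:",
          parse_ipv4_header(corrupt(SAMPLE_PACKET, 8)).checksum_ok)
```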

Interior Gateway Protocol

The Interior Gateway Protocol (IGP) is a protocol that is used to exchange routing information between devices within a single autonomous system. The information that is exchanged is then used by other network protocols to specify how data is transmitted to its destination.

Figure 1-7 layout, one 32-bit word per row (bit positions 0 to 31):

Version | IHL | TOS | Total Length
Identification | Flags | Fragment Offset
TTL | Protocol | Header Checksum
Source IP address
Destination IP address
Options and Padding


Exterior Gateway Protocol

The Exterior Gateway Protocol (EGP) is used to exchange data between multiple autonomous systems. Commonly used on the Internet, it allows communications between hosts to build routing information to ensure data can be transported from source to destination.

Routing Information Protocol

The Routing Information Protocol (RIP) is the most commonly used IGP in networking today. RIP is used to manage information that is given to a router in a LAN (or group of LANs).

An edge device that supports RIP will send out RIP information to other edge devices. The information that each of these edge devices sends out is known as the routing table. The routing table contains information about all of the IP devices that the edge device knows about. Each of the neighboring devices then sends out routing information to its neighbors with the information that it has learned, along with the information of the devices that are local to it.

The route from one device to another is known as a hop. RIP determines the number of hops it takes to get from one device to another and uses that information to determine the distance it takes to get from one device to another.

RIP is a distance-vector routing protocol, which means that it makes routing decisions based on the distance between two communicating devices. It uses a routing table to make route decisions and it updates its routing table every 30 seconds. The routing table is reviewed each time a routing update occurs, and then it is recalculated with the best route to a destination IP address. Figure 1-8 shows a diagram of a RIP header.

As shown in Figure 1-8, the bits in the RIP packet header are as follows:

■■ Command: This field describes the action of the message.

■■ Version: Identifies the RIP version being used.

■■ RIP Entry Table: This field is of variable length and contains the routing table information.

Figure 1-8: The RIP header

Figure 1-8 layout, one 32-bit word per row (bit positions 0 to 31):

Command | Version | 0
RIP Entry Table


Open Shortest Path First

The Open Shortest Path First (OSPF) protocol is another often used IGP. Larger autonomous systems might prefer OSPF to RIP because OSPF does not require the 30-second updates that RIP does.

OSPF is a link state, hierarchical routing protocol. This means that each device in the network calculates and maintains its own routing table, and updates occur only when a change in the network occurs.

OSPF can operate securely in a network. It authenticates peers before forming an adjacency with the peers. An OSPF network normally consists of several small networks, known as areas. A central area, known as the backbone area, serves as the core of the OSPF network. All areas in an OSPF network must connect to the backbone. Figure 1-9 shows a diagram of an OSPF header.

As shown in Figure 1-9, the bits in the OSPF header are as follows:

■■ Version: Identifies the OSPF version.

■■ Type: Identifies the type of the request or reply that is contained in themessage.

■■ Length: The length in bytes of the whole OSPF packet, header included.

■■ Router ID: Identifies the router that sent the packet.

■■ Area ID: Identifies the area that the packet belongs to.

■■ Checksum: The standard IP checksum over the whole packet, excluding the 64-bit authentication field (it is not used when cryptographic authentication is in effect).

■■ Authentication Type: Identifies the procedure by which the packet is authenticated (null, simple password, or cryptographic).

■■ Authentication: A 64-bit field whose contents depend on the authentication type chosen when forming the packet.

Figure 1-9: The OSPF header (field widths in bits)

Version (8) | Type (8) | Length (16)
Router ID (32)
Area ID (32)
Checksum (16) | Authentication Type (16)
Authentication Data (64)


Virtual Router Redundancy Protocol

The Virtual Router Redundancy Protocol (VRRP) improves network reliability by letting a virtual router be advertised as the default gateway for the devices in a network. The virtual router is an abstraction backed by a master VRRP router and one or more backup VRRP routers: two (or more) physical routers are configured to serve as the virtual router, with one elected master and the others backups. The master performs all of the routing for the virtual router at any one time. If the master router fails, a backup router becomes the new VRRP master.

VRRP messages are carried directly in IP packets (IP protocol number 112) sent to the multicast address 224.0.0.18. Figure 1-10 shows a VRRP packet header.

As shown in Figure 1-10, the bits in the VRRP message header are as follows:

■■ Version: The VRRP version number.

■■ Type: The type of request or reply contained in the message.

■■ Virtual Router ID (VRID): Identifies the virtual router for which the packet is reporting status.

■■ Priority: The sending router's priority in the election of the master (255 is reserved for the router that owns the virtual address; 0 means the master is stepping down).

■■ IP address count: Identifies the number of IP addresses that are con-tained in the message.

■■ Authentication type: The authentication method that is used.

■■ Advertisement interval: The time interval (in seconds) between advertisements from the master.

■■ Checksum: A 16-bit one's-complement checksum over the entire VRRP message, used to detect corruption.

■■ IP addresses: A list of all of the IP addresses that are associated with thevirtual router.

■■ Authentication data: Data used to authenticate the packet.
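
As an added example (not from the book, and not Nortel's software), the following Python parses the three headers just described, RIP (Figure 1-8), OSPF (Figure 1-9), and VRRP (Figure 1-10), from raw bytes and verifies the OSPF and VRRPv2 checksums. The sample packets, router IDs and addresses are constructed for the example.

```python
"""Parse RIP, OSPFv2 and VRRPv2 headers from raw bytes and verify the OSPF and
VRRPv2 checksums.  Added example for this chapter; the packets are constructed
here, not captured from a Nortel or any other router."""
import struct


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def dotted(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (the "standard IP checksum" that the
    OSPF and VRRP specifications refer to).  Over a message that already carries
    a correct checksum the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_rip(packet: bytes) -> dict:
    """4-byte header (command, version, must-be-zero) followed by 20-byte route
    entries laid out as in RIPv2: family, tag, address, mask, next hop, metric."""
    command, version, zero = struct.unpack("!BBH", packet[:4])
    entries = []
    for off in range(4, len(packet) - 19, 20):
        fam, tag, addr, mask, nxt, metric = struct.unpack("!HH4s4s4sI", packet[off:off + 20])
        entries.append({"address": dotted(addr), "mask": dotted(mask), "metric": metric})
    return {"command": command, "version": version, "must_be_zero": zero, "entries": entries}


def build_ospf(ptype: int, router_id: str, area_id: str, body: bytes) -> bytes:
    """OSPFv2 header with AuType 0 (null authentication).  The checksum covers the
    whole packet except the 8-byte authentication field."""
    head = struct.pack("!BBH4s4sHH8s", 2, ptype, 24 + len(body),
                       ip_bytes(router_id), ip_bytes(area_id), 0, 0, bytes(8))
    csum = internet_checksum(head[:16] + body)
    return head[:12] + struct.pack("!H", csum) + head[14:] + body


def parse_ospf(packet: bytes) -> dict:
    version, ptype, length, rid, aid, _, autype, _ = struct.unpack("!BBH4s4sHH8s", packet[:24])
    # With AuType 2 (cryptographic) the checksum field is unused, so it is only
    # verified for null and simple-password authentication.
    ok = autype == 2 or internet_checksum(packet[:16] + packet[24:length]) == 0
    return {"version": version, "type": ptype, "length": length, "router_id": dotted(rid),
            "area_id": dotted(aid), "auth_type": autype, "checksum_ok": ok}


def build_vrrp(vrid: int, priority: int, addresses: list, interval: int = 1) -> bytes:
    """VRRPv2 advertisement (version 2, type 1, AuthType 0).  Priority 255 is
    reserved for the owner of the address and 0 means the master is stepping down."""
    head = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(addresses), 0, interval, 0)
    msg = head + b"".join(ip_bytes(a) for a in addresses) + bytes(8)  # unused auth data
    return msg[:6] + struct.pack("!H", internet_checksum(msg)) + msg[8:]


def parse_vrrp(msg: bytes) -> dict:
    vt, vrid, prio, count, autype, interval, _ = struct.unpack("!BBBBBBH", msg[:8])
    addrs = [dotted(msg[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return {"version": vt >> 4, "type": vt & 0xF, "vrid": vrid, "priority": prio,
            "auth_type": autype, "advert_interval": interval, "addresses": addrs,
            "checksum_ok": internet_checksum(msg) == 0}


# Constructed samples: a RIPv2 response advertising 10.10.0.0/16 at 3 hops, an
# OSPF Hello from router 10.10.0.1 in the backbone area, and a VRRP advertisement
# for virtual router 7 with priority 100.
SAMPLE_RIP = struct.pack("!BBH", 2, 2, 0) + struct.pack(
    "!HH4s4s4sI", 2, 0, ip_bytes("10.10.0.0"), ip_bytes("255.255.0.0"), bytes(4), 3)
HELLO_BODY = struct.pack("!4sHBBI4s4s", ip_bytes("255.255.0.0"), 10, 0x02, 1, 40,
                         ip_bytes("10.10.0.1"), bytes(4))
SAMPLE_OSPF = build_ospf(1, "10.10.0.1", "0.0.0.0", HELLO_BODY)
SAMPLE_VRRP = build_vrrp(7, 100, ["10.10.0.254"])

if __name__ == "__main__":
    print("RIP ", parse_rip(SAMPLE_RIP))
    print("OSPF", parse_ospf(SAMPLE_OSPF))
    print("VRRP", parse_vrrp(SAMPLE_VRRP))
```

The checksum check is the practical point: a router that accepts an OSPF or VRRP message with a bad checksum is acting on corrupted data, and a VRRP advertisement carrying a higher priority than the real master's is exactly what a receiver must scrutinize before handing over the virtual address.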

Digital Subscriber Line

The Digital Subscriber Line (DSL) technology is actually a group of technologiesthat allow for digital services over a copper telephone wire. DSL operates sim-ilarly to the way that the Integrated Services Digital Network (ISDN) operates,but at a much faster rate. The two most popular forms of DSL are the Asym-metric Digital Subscriber Line (ADSL) and the Symmetrical Digital SubscriberLine (SDSL).

Asymmetric Digital Subscriber Line

Asymmetric Digital Subscriber Line (ADSL) allows for faster data transmissionover telephone lines than a traditional modem allows. ADSL transmits dataasymmetrically, with data transmitting faster in one direction than it does in theother direction. An ADSL modem is required for the implementation of ADSL.


Figure 1-10: The VRRP packet header (field widths in bits)

Version (4) | Type (4) | VRID (8) | Priority (8) | IP address count (8)
Authentication Type (8) | Advertisement interval (8) | Checksum (16)
IP Addresses (32 each)
Authentication Data (64)

Symmetrical Digital Subscriber Line

Symmetrical Digital Subscriber Line (SDSL) transmits data at a higher rate than traditional modem technology does. The main difference between ADSL and SDSL is that SDSL transmits data at the same rate in both directions. An SDSL modem is required for the implementation of SDSL.

Integrated Services Digital Network

Integrated Services Digital Network (ISDN) is a standard for transmitting dataover traditional telephone lines. ISDN supports faster rates of data transferthan traditional dial-up modem technology does. In ISDN, there are two typesof data transmission channels: B-channels and D-channels. Additionally, thereare two types of ISDN in use: Basic Rate Interface (BRI) and Primary RateInterface (PRI).

Bearer-Channel

The Bearer-Channel (B-channel) is the main data channel in an ISDN connection.The B-channels carry all of the voice and data services within the ISDN con-nection. In ISDN, both the BRI and the PRI will have more than one B-channelconfigured for their ISDN services.

Delta-Channel

The Delta-Channel (D-channel) is the channel in ISDN that carries the control and signaling information. In ISDN technology, only one D-channel is required with either a BRI or a PRI configuration.

Basic Rate Interface

Basic Rate Interface (BRI) is an ISDN configuration that consists of two 64 kilo-bits per second (Kbps) B-channels and one 16 kilobits per second D-channel.The two B-channels are often joined together to support a total data rate of 128 Kbps. BRI is most often used by smaller networks, or for residential use.BRI is often referred to as 2B+D (two B-channels plus one D-channel) or 2B1D(two B-channels, one D-channel).


Primary Rate Interface

Primary Rate Interface (PRI) is an ISDN configuration that, in North Americaand Japan, uses 23 B-channels and 1 D-channel. Most of the rest of the worlduses 30 B-channels and 1 D-channel. In PRI, the D-channel also carries data at64 Kbps. Most large networks use PRI as their ISDN standard configuration.

Lightweight Directory Access Protocol

The Lightweight Directory Access Protocol (LDAP) standard was developed as a simple way to access and search directory services over TCP/IP. An LDAP directory consists of entries, and each entry is nothing more than a collection of attributes, such as the members of a group or the properties of an individual user. The object classes an entry belongs to define which attributes are mandatory, which are optional, and what type of information each one holds. An LDAP directory is hierarchical in nature, with a tree that reflects geographic and/or organizational boundaries.

Remote Authentication Dial-In User Service

Remote Authentication Dial-In User Service (RADIUS) is a protocol that allows Remote Access Servers (RAS) to communicate with a central RADIUS server to authenticate and authorize remote users. RADIUS lets a company keep authentication data on one central server that all of its remote access servers use. That is easy to maintain because there is a single place where access policies are established, as well as a single point at which network access activity is logged. The RADIUS client and server share a secret that protects passwords in transit and lets the client check that replies really came from the server.

Figure 1-11 shows the RADIUS header. As shown in Figure 1-11, the fields in the RADIUS packet header are as follows:

■■ Code: Identifies the type of RADIUS message.

■■ Identifier: Allows for the grouping of requests and replies.

■■ Length: Identifies the length of the packet.

■■ Authenticator: A 16-byte field. In a request it is a random value that seeds the password-hiding algorithm; in a reply it is an MD5 digest over the reply and the shared secret, which lets the client authenticate replies from the server.

■■ Attributes: Identifies the authentication details for requests andresponses.

Figure 1-11: The RADIUS header (field widths in bits)

Code (8) | Identifier (8) | Length (16)
Authenticator (128)
Attributes (variable)
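
The Authenticator field is where the security of RADIUS lives, so here is an added example (not part of the book, and not Nortel code) that builds an Access-Request, hides the User-Password with the MD5 keystream described in RFC 2865, and checks a reply's Response Authenticator against the shared secret. The secret, user name, password, reply text and fixed Request Authenticator are made up for the example; a real client must draw a fresh random Request Authenticator for every request.

```python
"""Build a RADIUS Access-Request with a hidden User-Password and verify the
Response Authenticator of the server's reply (RFC 2865).  Added example for
this chapter; the shared secret, user and attributes are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; the length byte counts type and length too."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """The server regenerates the same keystream and strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code (1), Identifier (1), Length (2), Authenticator (16), Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def access_request(ident: int, user: bytes, password: bytes, secret: bytes,
                   request_auth: bytes = None) -> bytes:
    # The Request Authenticator must be unpredictable and unique per request;
    # a fixed one is only passed in here so that the example is reproducible.
    request_auth = request_auth or os.urandom(16)
    attrs = attribute(USER_NAME, user) + attribute(
        USER_PASSWORD, hide_password(password, secret, request_auth))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): only a server
    holding the secret can produce it, and it is tied to one specific request."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side check that a reply is genuine and answers this request."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, response[20:length], request[4:20], secret)
    return ident == request[1] and hmac.compare_digest(response[4:20], expected)


# Constructed exchange: the NAS asks about user "alice"; the server accepts.
SECRET = b"demo-shared-secret"
REQUEST_AUTH = bytes(range(16))          # fixed only to make the example reproducible
SAMPLE_REQUEST = access_request(5, b"alice", b"s3cret!", SECRET, REQUEST_AUTH)
ACCEPT_ATTRS = attribute(REPLY_MESSAGE, b"Welcome")
SAMPLE_ACCEPT = build_packet(ACCESS_ACCEPT, 5, response_authenticator(
    ACCESS_ACCEPT, 5, ACCEPT_ATTRS, REQUEST_AUTH, SECRET), ACCEPT_ATTRS)

if __name__ == "__main__":
    print(SAMPLE_REQUEST.hex())
    print("accept genuine:", verify_response(SAMPLE_ACCEPT, SAMPLE_REQUEST, SECRET))
```

Two things follow from the construction: the password is only as well hidden as the shared secret and the randomness of the Request Authenticator, and a reply whose Identifier or Response Authenticator does not match the outstanding request must be discarded, since anyone on the path could otherwise forge an Access-Accept.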


Networking Hardware

Networking hardware is defined as the hardware that is used to allow for communication on the network. This includes all of the computers, printers, interface cards, various peripherals, routers, switches, hubs, and various other devices that are needed to perform network data communication.

Random Access Memory

Random Access Memory (RAM) is a type of computer data storage. RAM is usedto store active data for quick access during processing. Computers (includingnetworking gear) use RAM to store program data and code during the execu-tion of an application. RAM is randomly accessed and most data can beretrieved from anywhere within the RAM module instantly. Figures 1-12 and1-13 show examples of RAM.

Modem

The modem's name comes from the two main functions it performs: it modulates an analog carrier to encode digital information, and it demodulates the incoming signal to decode the data. The modem takes the 1s and 0s (the bits and the bytes) and turns them into an audio signal that is transmitted through the telephone wire to another modem, which turns the audio signal back into bits.

Figure 1-12: An example of a RAM module

Figure 1-13: An example of RAM installed on a PC motherboard


Channel Service Unit/Data Service Unit

The Channel Service Unit/Data Service Unit (CSU/DSU) is an interface devicethat connects a router to a digital circuit. One of the primary functions of theCSU/DSU is to maintain signal timing between communication devices. TheCSU/DSU is required to be used whenever a dedicated circuit is needed.

The CSU/DSU is a Layer 1 device (Physical layer in the OSI ReferenceModel). In addition to maintaining communication signaling, the CSU/DSU iscapable of performing error checking as well.

Computer Workstations

All of the end user’s computers in the network are considered workstations.Most workstations contain a network interface card (NIC), software for network-ing, and cables. Some workstations have local storage, but often files are storedon a server and are not accessed or stored locally. Virtually any computer canbe considered a workstation.

Servers

A server is one of the most important pieces of equipment in a network. It actsas a storage device, as well as controlling the flow of information in the net-work. A server is a computer that has a lot of RAM and ample storage space tomeet the needs of the LAN it supports. For example, a file server may performmany tasks at a time, so it must be fast enough and large enough to handle andcontrol the data that it supplies. Following are some examples of types ofservers:

■■ Internet server: Provides Internet application services, such as email ser-vices and Web services.

■■ Email server: Provides storage services for emails and also provides con-nections for users to access their email.

■■ File server: Provides file sharing services.

■■ Print server: Provides shared access to network printers.

■■ Application server: Provides sharing services for specific applications.


Network Interface Cards

The network interface card (NIC) is what supplies the physical connectionbetween a workstation and the network. Most NICs are integrated or built intothe PC, although there are some that reside externally to the device that theysupport. The most popular types of NICs are Ethernet and Token Ring.

Switch

A switch provides a central connection point for the devices and segments of a LAN. A switch is often called an intelligent hub because of its ability to sort traffic. Operating at the Data Link layer (Layer 2) of the OSI Reference Model, a switch can connect multiple network segments together at a central point.

When a switch receives a frame, it records the frame's source MAC address and the port on which the frame was received in its MAC address table. It then uses that table to forward each frame only out of the port where the destination MAC address was learned. If the destination MAC address is not in its table, it floods the frame out of all of its ports except the one on which the frame arrived.

Figure 1-14 shows an example of using a switch to forward data in a LAN.

Figure 1-14: Example of a LAN for which a switch has been implemented to forward data (a switch connecting two workstations and a printer)


Hub

A hub (or concentrator) is used to connect multiple devices together at a central point. The hub operates at the Physical layer (Layer 1) of the OSI Reference Model. Unlike the switch, the hub is not intelligent enough to forward frames based on a MAC address. Instead, it simply repeats every bit it receives out of all of its other interfaces, so every device attached to the hub sees every frame.

Router

A router operates at the Network layer (Layer 3) of the OSI Reference Model andnormally connects two LANs together, or a LAN to a WAN (see Figure 1-15).Routers use forwarding tables to determine what the best path is to a destina-tion. There are multiple routing protocols used by a router that assists in makingthe determination on where to forward data. Chapters 8 and 9 detail routingprotocols in depth.

Most computers are capable of performing routing functions, but a router isa specialized computer that has extra hardware built in to speed up routingfunctions.

A router creates a routing table, which lists the best routes to any particulardestination. The routing tables are built with information obtained through arouting protocol, such as the Routing Information Protocol (RIP). Chapter 8includes additional information on RIP.

Repeater

A repeater is a device that is used to regenerate a signal in a network. In areas of the network where there is transmission loss (perhaps when distance is a factor), a repeater can be used to boost the transmission of data to ensure it arrives at its destination (see Figure 1-16). A repeater can also be used to join segments that use different types of cabling; because it works on the raw signal, it does not interpret or translate protocols.


Figure 1-15: An example of LAN-to-LAN and LAN-to-WAN networking via the router (two routers joining the 10.10.X.X, 20.20.X.X, and 30.30.X.X networks, each LAN built around a switch)

Figure 1-16: A repeater used to boost the signal of data being transferred a long distance (two workstations linked through a repeater)


Remote Access

As mentioned previously, remote access is very important for users who arenot local to their corporate LANs. VPNs are steadily becoming available inmost of today’s LANs, but there are other traditional methods covered in thissection. There are many different manners in which a remote user can access anetwork. Following are some examples of these methods:

■■ Remote Access Services (RAS)

■■ Dial access to a single workstation

■■ Dedicated remote access system

■■ Use of a terminal server

The needs of remote users normally dictate the type of remote access that acompany chooses to implement. Figure 1-17 shows an example of a topologyused for remote access.

Remote Access Services

RAS is a service that is provided by a Windows NT-based computer. The remote users access the LAN via a modem interface or a WAN link, and then they log on to the LAN and are provided the same services as if they were local to the LAN. To access an NT-based LAN, the remote user must have some type of RAS client loaded on a workstation.

Figure 1-17: An example of a typical remote access topology


Dial Access to a Single Workstation

Many operating systems today support a variety of remote control applications; pcAnywhere is one example. Such an application allows a remote user to connect to a computer via a modem and control that computer from a remote location.

Remote Access System

Generally, a remote access system is a networking device that provides support for multiple modems that are providing remote network access, as shown in Figure 1-18.

Terminal Servers

The first terminal servers were placed in networks and provided services for dumb terminals. Dumb terminals are basically the green-screen monitors and keyboards that were placed at users' desks. Terminal servers gradually grew to support Graphical User Interface (GUI) applications for clients that did not have the applications local to their workstations. Terminal servers are also very popular for providing remote access services. A Windows-based terminal server can support multiple client sessions.

Figure 1-18: A remote office accesses the corporate LAN via an ISDN dialup configuration (the remote office user's ISDN modem dials the corporate ISDN modem, which connects through a hub to the LAN users and the server farm)


Network Security

Network traffic is a series of 1s and 0s that are transmitted between a sourceand a destination. Because this information is transferred over a public infra-structure, security of this data is a major concern with most companies. Theability to protect data (not only while it is in transit, but also while it is storedon the devices within your LAN) is a very important concern in today’s net-works. It is so important, in fact, that many companies hire professionals forthe sole purpose of securing corporate data.

The Firewall

In most of today's LANs, a firewall is implemented to help protect the sensitive data stored on devices in the network. A firewall is either a hardware or software solution that has been implemented on the edge of the network to monitor and limit information transfers based on a set of defined rules.

The firewall protects the LAN from unauthorized access. This helps reducethe possibility of a malicious attack on the network and the devices that com-prise the network. A secondary function of the firewall is to control the accessof destinations that reside outside of the LAN.

It is important to recognize that most LANs contain several hundred computers and network devices and normally have multiple access points to the Internet or WAN. Without some type of firewall protection, every one of those devices is directly reachable by a hacker, who can cause a lot of headaches not only for the administrators within the network but for the company. Many companies have fallen prey to a hacker and end up spending a lot of money recovering from malicious attacks. It takes just one person in the LAN to make a mistake and open up a hole for a hacker to enter.

Firewalls are implemented at the edge of each access point in the LAN (seeFigure 1-19). The firewall allows the administrator of the network to set uprules based on LAN segments down to individual users. The firewall can alsocontrol which users are allowed access outside of the local network. The fire-wall provides a lot of control over the users on the LAN.

Figure 1-19: An example of a firewall implementation


Proxy services are one of the more popular methods of firewall implemen-tations. Packet filtering and stateful packet inspection are two other methodsthat are used.

Proxy Server

One common form of firewall is the proxy server. The proxy server selectively blocks packets of data at the edge of the network. It also provides a little more security because it masks the addresses of devices on the LAN from devices outside of the LAN. Devices on the outside that receive data from a user within the LAN see the address that belongs to the proxy server, and all users within the LAN appear to have the same proxy address.

A proxy server allows a client to make an indirect connection to other services in the network. The client makes a connection to the proxy server. The proxy server then either fetches the data from the server that holds it on the client's behalf, or serves the data from its own cache. Serving from cache speeds up the retrieval of data and reduces the load on the outside link.

Many networks implement proxy servers to control what users within theLAN are able to access, as well as to provide security from potential attacksfrom the outside.

Packet Filtering

A network administrator can implement a set of filters on the firewall. Whenthe firewall receives a packet, it will compare that packet with the establishedfilter rules and will make a forwarding decision based on the filter rules thatare set on the firewall.

Stateful Packet Inspection

In a stateful packet inspection implementation (also referred to as stateful firewall),the firewall keeps a record of the state of network connections. It can recognizewhat are considered legitimate packets for these network connections. Thefirewall will then forward packets that match the established criteria for theseconnections and refuse packets that do not match.
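
To make the difference between packet filtering and stateful inspection concrete, the following added example (not from the book, and not code from any Nortel product) runs one constructed packet stream through a stateless filter that trusts the ACK flag and through a small stateful firewall that remembers which connections the LAN opened. The LAN prefix, addresses, ports and policy are assumptions made for the example.

```python
"""Packet filtering versus stateful inspection over one constructed packet
stream.  Added example for this chapter, not Nortel firewall code; the LAN
prefix, addresses, ports and policy are made up."""
from dataclasses import dataclass

LAN_PREFIX = "10.10.0."                      # the LAN in this chapter's figures


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                               # TCP flags, e.g. "S", "SA", "A", "FA"


def inbound(pkt: Packet) -> bool:
    return not pkt.src.startswith(LAN_PREFIX)


def packet_filter(pkt: Packet) -> bool:
    """Stateless rules: let the LAN out, and let in anything that looks like a
    reply to an existing connection (ACK set).  An outsider can simply set ACK
    on an unsolicited packet, which this filter cannot tell from a real reply."""
    return True if not inbound(pkt) else "A" in pkt.flags


class StatefulFirewall:
    """Remembers connections the LAN opened; an inbound packet is accepted only
    if it belongs to one of them, whatever flags it carries."""

    def __init__(self):
        self.table = {}                      # (client, sport, server, dport) -> state

    def allow(self, pkt: Packet) -> bool:
        if not inbound(pkt):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S":
                self.table[key] = "SYN_SENT"     # a LAN host opens a connection
            elif key in self.table and "F" in pkt.flags:
                self.table[key] = "CLOSING"
            return key in self.table
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reverse the 4-tuple
        state = self.table.get(key)
        if state is None:
            return False                     # nobody inside asked for this
        if state == "SYN_SENT" and pkt.flags == "SA":
            self.table[key] = "ESTABLISHED"
        return True


# Constructed traffic: a workstation opens a Web session, the server answers,
# then an outsider probes a LAN host first with an ACK-flagged packet and then
# with a plain SYN.
STREAM = [
    Packet("10.10.0.5", 40001, "203.0.113.10", 80, "S"),
    Packet("203.0.113.10", 80, "10.10.0.5", 40001, "SA"),
    Packet("10.10.0.5", 40001, "203.0.113.10", 80, "A"),
    Packet("203.0.113.10", 80, "10.10.0.5", 40001, "A"),
    Packet("198.51.100.7", 53211, "10.10.0.5", 445, "A"),
    Packet("198.51.100.7", 53211, "10.10.0.5", 445, "S"),
]


def verdicts(policy) -> list:
    """The policy's accept/drop decision for each packet of STREAM, in order."""
    return [policy(p) for p in STREAM]


if __name__ == "__main__":
    print("packet filter:", verdicts(packet_filter))
    print("stateful     :", verdicts(StatefulFirewall().allow))
```

The two policies agree on the first four packets and on the unsolicited SYN; they differ on the fifth packet, the ACK-flagged probe, which the stateless filter lets through and the stateful firewall drops because no LAN host ever opened that connection.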

Demilitarized Zone

A DMZ is a separate network segment that sits between the Internet and the internal LAN, with firewall rules controlling the traffic on both sides of it (see Figure 1-20). Servers that must be reachable from the Internet, such as the SMTP and HTTP servers in the figure, are placed in the DMZ rather than on the LAN, so that a compromise of one of them does not give an attacker direct access to the internal network. In this configuration, an extra layer of security is added. In many DMZ configurations, the computers in the DMZ also act as proxy servers for requests coming from the LAN. The equipment in the DMZ can be servers, computers, routers, and so on.


Figure 1-20: An example of a firewall solution that includes a DMZ (workstations on the LAN; an SMTP server and an HTTP server in the DMZ)

Hackers

In the world of data security, the term "hacker" describes an individual (or group of individuals) who gains unauthorized access to a system to perform some action that can be extremely detrimental to the stability of the network and the data contained within it. Following are some of the methods that a hacker can use to compromise the integrity of the network:

■■ Backdoors: Sometimes applications may contain a bug allowing for back-door access that may provide a hacker with a certain degree of controlto that application and to other applications.

■■ Remote access: Occasionally, a hacker may access the LAN through someform of remote access. If a hacker is able to access a workstation remotely,he or she is often able to gain access to files on that workstation, if notaccess to information within the LAN.

■■ Operating system vulnerabilities: Like any other software application, acomputing operating system can contain bugs that allow a hacker toaccess computers and other devices.


■■ Email: Email is one of the easiest ways for hackers to cause problems. Hackers flood a mail server with thousands of messages (mail bombing) or abuse bugs in email programs, causing email servers to slow greatly or even shut down, and attachments are a common carrier for malicious code.

■■ Spam: Usually just annoying, spam may contain links to Web sites that trick the user into handing over credentials, or that install malicious software through a flaw in the browser, giving a hacker a way in.

■■ Macros: Many applications support macros, user-defined scripts used to enhance the application. Hackers can embed malicious macros in documents so that the macro runs, with the user's privileges, as soon as the document is opened; such a macro can damage data or crash your computer.

■■ Viruses: Anyone who uses a computer has heard of a virus. A virus is a program that is created to copy itself onto computers and spread itself through shared data. Some viruses do little more than copy themselves, but others erase data and even cause your system to crash.

■■ Denial of Service (DoS): A DoS attack tries to make a service unavailable to its legitimate users. In the classic SYN flood form, a hacker sends a stream of TCP connection requests, usually with forged source addresses, to a server. The server sends an acknowledgment to each one and holds a half-open connection while it waits for a reply that never comes. Because it cannot reach the address that sent the request, the server becomes bogged down with these half-open connections, slows down, or even crashes.
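
Because a SYN flood leaves a distinctive trace (many half-open connections that never complete, from many different sources), it can be spotted in connection logs. The following added example (not from the book) does that over constructed records; the log format, addresses and thresholds are assumptions made for the example.

```python
"""Spot a SYN flood in connection records: many TCP handshakes that reach one
server but are never completed, coming from many different sources.  Added
example for this chapter; the log lines are constructed, not real."""
from collections import defaultdict


def constructed_log() -> list:
    """One line per connection attempt: <seconds> <client> <server:port> <state>."""
    lines = []
    for i in range(10):                      # ordinary LAN Web sessions that complete
        lines.append(f"{i * 0.5:.1f} 10.10.0.{5 + i % 4} 10.10.0.20:80 ESTABLISHED")
    for i in range(3):                       # a little mail traffic to another server
        lines.append(f"{i:.1f} 10.10.0.9 10.10.0.21:25 ESTABLISHED")
    for i in range(200):                     # the flood: forged sources, never finish
        lines.append(f"{5 + i * 0.01:.2f} 198.51.100.{i % 250 + 1} 10.10.0.20:80 SYN_RECV")
    return lines


def parse_line(line: str):
    ts, src, dst, state = line.split()
    return float(ts), src, dst, state


def find_syn_floods(lines: list, window: float = 10.0,
                    min_half_open: int = 100, ratio: int = 10) -> dict:
    """Per server:port, count half-open (SYN_RECV) against completed handshakes
    inside the window that ends at the newest record.  Flag a target when
    half-open attempts are numerous and dwarf the completed ones; the number of
    distinct sources shows whether the addresses are forged (many) or one host."""
    records = [parse_line(line) for line in lines]
    newest = max(r[0] for r in records)
    stats = defaultdict(lambda: {"half_open": 0, "completed": 0, "sources": set()})
    for ts, src, dst, state in records:
        if ts < newest - window:
            continue
        if state == "SYN_RECV":
            stats[dst]["half_open"] += 1
            stats[dst]["sources"].add(src)
        elif state == "ESTABLISHED":
            stats[dst]["completed"] += 1
    return {
        dst: {"half_open": s["half_open"], "completed": s["completed"],
              "sources": len(s["sources"])}
        for dst, s in stats.items()
        if s["half_open"] >= min_half_open
        and s["half_open"] > ratio * max(s["completed"], 1)
    }


if __name__ == "__main__":
    for target, detail in find_syn_floods(constructed_log()).items():
        print(f"possible SYN flood against {target}: {detail}")
```

The thresholds are deliberately relative: a busy Web server normally completes most of the handshakes it receives, so a burst of half-open connections that outnumbers completed ones by an order of magnitude, spread over hundreds of sources, is the pattern to alert on rather than any absolute count.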

VPN Basics

Understanding basic networking is a good first step to understanding VPNs, which are private networks that a company builds on top of an existing shared or public network infrastructure, such as the Internet.

A secure VPN uses tunneling protocols together with encryption to provide confidentiality, authentication, and integrity for VPN users' traffic.

VPN Overview

Business needs are constantly evolving and, with that evolution, the need to access information from a central location is even more prevalent. The VPN is highly sought after by companies interested in expanding the capabilities of their networks.


VPNs are prevalent in most business and homes where users are able tosecurely log in to the corporate LANs. VPN technology is very beneficial topeople who travel often. They find that VPN allows them the flexibility ofchecking corporate applications virtually anywhere in the world. Because theaccess of data is instantaneous, information is shared in real time.

A VPN is very cost-effective as well. Unlike traditional private leased lines,VPN technology utilizes existing cabling and routers to connect one site toanother in a virtual manner, over a public network (most often the Internet).

VPN Tunneling Protocols and Standards

A number of protocols and supporting standards have been introduced to accommodate VPN technology, including the following (SSL, PKI, and SecurID are not tunneling protocols themselves, but are used to authenticate and protect VPN sessions):

■■ Secure Sockets Layer (SSL)

■■ Public Key Infrastructure (PKI)

■■ SecurID

■■ Internet Protocol Security (IPSec)

■■ Layer 2 Forwarding (L2F)

■■ Point-to-Point Tunneling Protocol (PPTP)

■■ Layer 2 Tunneling Protocol (L2TP)

■■ Generic Routing Encapsulation (GRE)

In this section, we discuss these protocols and get an understanding of whateach does.

Secure Sockets Layer

Secure Sockets Layer (SSL) is a networking standard that is used to improvesafety and security of network communications, through the use of encryp-tion. SSL utilizes several security standards, including certificates, privatekeys, and public keys.

An SSL session starts with a handshake. A TCP/IP connection is established first. The client then lists the cipher suites it supports, and the server chooses from that list the strongest algorithm that both sides support. The server authenticates itself by presenting its certificate, which carries its public key; the client may be asked to present a certificate of its own. The two sides then establish a shared secret (in the common RSA key exchange, the client encrypts a random value with the server's public key) and derive from it the session keys used to encrypt and integrity-protect the data passed between them. At that point the SSL session is established.

Encryption is CPU-intensive and, in the past, many sites established an SSL session only for the transfer of sensitive data, such as a login page; today it is usual to protect the whole session. You can often tell that SSL is in use by looking at the URL in a Web browser's address field: it begins with "https" rather than "http".


SSL uses several components to verify the digital identity of an inquiringnode. To establish an SSL session, these components are used for the purposesof performing checks and verifications made between the end nodes. Thesecomponents are as follows:

■■ Certificates

■■ Certificate Authority

■■ Keys

■■ Shared Secret

Certificates

SSL uses certificates, which are digital records that identify a person, group, ororganization. Certificates are personal digital identification used for a varietyof security reasons (see Figure 1-21). Certificates are used in conjunction withpublic keys to identify the owner of the key and provide a way to pass sensi-tive data.

Certificate Authority

Certificates are issued by a Certificate Authority (CA). Once the certificate is issued, it can be published and handed to anyone who needs it. The certificate is, in effect, the CA's signed statement that it has verified the owner's identity and that the public key attached to the certificate belongs to that owner. Whoever trusts the CA can therefore trust the binding between the name and the key.

Figure 1-21: An example of a certificate


Keys

A key is a series of bits used by an algorithm to encrypt and decrypt data messages. An encryption algorithm takes a message and a key and, based on the key's bits, produces a new, encrypted message that is sent to the destination. With a symmetric algorithm, the same key decrypts the data, so the sender and the destination must both hold it and both keep it secret. With an asymmetric (public key) algorithm, keys come in pairs: what one key of the pair encrypts, only the other key of the pair can decrypt. Keys thus provide the encryption and decryption methods used to protect and secure data transmissions.

When a station wants to receive encrypted data, it generates a key pair: it publishes one key (the public key) and keeps the other (the private key) to itself. Any sender encrypts data with the destination's public key, and only the matching private key can decrypt it. The same pair works in reverse for digital signatures: the owner signs with the private key, and anyone holding the public key can verify the signature.

Shared Secret

A shared secret is widely used because it is one password that is shared betweenusers. The problem with a shared secret is that it stands a chance of being com-promised because it is shared. Shared secrets are pre-shared keys that are allocated to source and destination devices prior to the transfer of data.

Public Key Infrastructure

Public Key Infrastructure (PKI) is a way of verifying identities. It binds each user to a public key by means of a certificate, so that users can authenticate one another. Once the relationship is established, the certificates are exchanged and the public keys they carry are used to encrypt data for their owner and to verify the owner's signatures.

PKI encompasses the hardware, software, and procedures that are needed to provide these services. It ensures that each user uses a private key to provide a digital signature to the others, which allows users to establish secrecy and integrity in the data they are sharing.
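
The relationships just described (which key encrypts, which key decrypts, and what a CA's signature on a certificate actually proves) are easiest to see in code. The following added example, which serves both the Keys section and this PKI section, is not from the book or from any real PKI software: it uses textbook RSA with two fixed, well-known prime pairs, so the key sizes are far too small for real use, and the subject name is made up.

```python
"""Who holds which key: textbook RSA with fixed primes shows that the
destination's public key encrypts and only its private key decrypts, that the
private key signs and the public key verifies, and how a CA's signature turns a
name-plus-public-key into a certificate.  Added example for this chapter; the
primes are small and fixed, so this is for illustration only, not for real use."""
import hashlib

E = 65537                                    # the usual public exponent


def keypair(p: int, q: int, e: int = E):
    """Return ((n, e), (n, d)): public key and private key for primes p, q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def encrypt(public, message: bytes) -> int:
    """Anyone can do this with the destination's public key."""
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(private, ciphertext: int) -> bytes:
    """Only the holder of the matching private key can do this."""
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data: bytes) -> int:
    """Signature = hash(data)^d mod n, so it can only come from the private key."""
    n, d = private
    return pow(digest(data, n), d, n)


def verify(public, data: bytes, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == digest(data, n)


def certificate_body(subject: str, public) -> bytes:
    n, e = public
    return f"{subject}|{n}|{e}".encode()


def issue_certificate(ca_private, subject: str, subject_public) -> dict:
    """A minimal certificate: the CA signs the binding of a name to a public key."""
    return {"subject": subject, "public": subject_public,
            "signature": sign(ca_private, certificate_body(subject, subject_public))}


def check_certificate(ca_public, cert: dict) -> bool:
    """Whoever trusts the CA's public key can check that the binding is genuine."""
    return verify(ca_public, certificate_body(cert["subject"], cert["public"]), cert["signature"])


# Constructed key material: two key pairs from two different pairs of known primes.
SERVER_PUBLIC, SERVER_PRIVATE = keypair(1_000_000_007, 998_244_353)
CA_PUBLIC, CA_PRIVATE = keypair(2_147_483_647, 4_294_967_291)
SERVER_CERT = issue_certificate(CA_PRIVATE, "vpn.example.net", SERVER_PUBLIC)

if __name__ == "__main__":
    c = encrypt(SERVER_PUBLIC, b"s3cret!")
    print("decrypts with the server's private key:", decrypt(SERVER_PRIVATE, c))
    print("certificate checks out:", check_certificate(CA_PUBLIC, SERVER_CERT))
```

Note what the certificate check does and does not prove: it shows that the CA signed this name-to-key binding, nothing more. Whether that CA should be trusted in the first place is a decision the relying party makes when it installs the CA's public key.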

SecurID

Developed by RSA Security, SecurID is a technology that provides user authentication to network resources. The SecurID mechanism includes a hardware device (known as a token) that is assigned to an individual user (see Figure 1-22). The token generates authentication codes that change periodically, driven by a built-in clock. The same authentication codes are also generated by the token's corresponding SecurID server.


Figure 1-22: Examples of two different SecurID tokens

Internet Protocol Security

Internet Protocol Security (IPSec) is the established standard for securing Internet Protocol communication. IPSec provides authentication and encryption for IP packets.

IPSec is a collection of several related protocols. It can be used on its own or can work with other tunnel protocols to provide an encryption scheme within them. IPSec operates at Layer 3 of the OSI Reference Model. It is capable of protecting both UDP and TCP traffic.

IPSec is designed to provide for key exchange and for securing the flow of packets. Securing packet flow is accomplished by using an Authentication Header (AH) and Encapsulating Security Payload (ESP). Currently, key exchanges are handled with the Internet Key Exchange (IKE) protocol.

Figure 1-23 shows an AH packet. As shown in Figure 1-23, the bits in the AH packet are as follows:

■■ Next Header: Refers to the protocol of the data that is transferred.

■■ Payload Length: Refers to the size of the packet.

■■ Reserved: Not used.

■■ Security Parameters Index: Refers to the security parameters.

■■ Sequence Number: An incrementing number that is used to prevent replay attacks. In a replay attack, data is captured and then repeated or delayed.

■■ Authentication Data: The data necessary to authenticate the packet.

Figure 1-24 shows an ESP packet.

Figure 1-23: Diagram of an Authentication Header (AH) packet [layout, 32 bits per row: Next Header | Payload Length | Reserved (0); Security Parameters Index (SPI); Sequence Number; Authentication Data (variable)]


Figure 1-24: Diagram of an Encapsulating Security Payload (ESP) packet

As shown in Figure 1-24, the bits in the ESP packet are as follows:

■■ Security Parameters Index: The security parameters.

■■ Sequence Number: Refers to an incrementing number that is used to prevent replay attacks.

■■ Payload: The data that is being transferred.

■■ Padding: Used to pad the data out to the full length of the cipher block.

■■ Pad Length: Size of the padding used.

■■ Next Header: Refers to the protocol of the data that is transferred.

■■ Authentication Data: The data necessary to authenticate the packet.
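As an added example (not code from the book), the following Python parses the AH and ESP layouts listed in the two field lists above and applies a sliding anti-replay window to the Sequence Number field, which is the mechanism that defeats the replay attack the AH list mentions. The packets are constructed inline; the field encodings used (AH Payload Length counted in 32-bit words minus 2, ESP default padding of 1, 2, 3, ...) come from the IPsec RFCs rather than from the book, and the 64-packet window size and 12-byte integrity check value (ICV) are assumptions. The ESP parser assumes the payload is already in clear, since a real receiver would verify the ICV and decrypt before reading the trailer.

```python
"""IPsec AH/ESP header parsing with an anti-replay window (added example)."""
import struct
from dataclasses import dataclass


@dataclass
class AH:
    next_header: int
    spi: int
    seq: int
    auth_data: bytes


@dataclass
class ESP:
    spi: int
    seq: int
    data: bytes
    next_header: int
    auth_data: bytes


def parse_ah(buf: bytes) -> AH:
    """Next Header(8) | Payload Length(8) | Reserved(16) | SPI(32) | Seq(32) | ICV."""
    if len(buf) < 12:
        raise ValueError("AH too short")
    nh, plen, reserved, spi, seq = struct.unpack("!BBHII", buf[:12])
    if reserved != 0:
        raise ValueError("AH Reserved field must be 0")
    total = (plen + 2) * 4  # Payload Length = AH size in 32-bit words minus 2 (RFC 4302)
    if total > len(buf):
        raise ValueError("AH Payload Length runs past end of packet")
    return AH(nh, spi, seq, buf[12:total])


def parse_esp(buf: bytes, icv_len: int = 12) -> ESP:
    """SPI(32) | Seq(32) | Payload | Padding | Pad Length(8) | Next Header(8) | ICV.

    Assumes the payload is already in clear (null cipher, or decrypted after the
    ICV was checked) and that the ICV is icv_len bytes (12 is an assumption).
    """
    if len(buf) < 8 + 2 + icv_len:
        raise ValueError("ESP too short")
    spi, seq = struct.unpack("!II", buf[:8])
    body, icv = buf[8:len(buf) - icv_len], buf[len(buf) - icv_len:]
    pad_len, nh = body[-2], body[-1]
    if pad_len > len(body) - 2:
        raise ValueError("ESP Pad Length larger than payload")
    data_end = len(body) - 2 - pad_len
    # Default padding is the monotonic sequence 1, 2, 3, ... (RFC 4303);
    # verifying it catches corrupted or tampered trailers.
    if body[data_end:len(body) - 2] != bytes(range(1, pad_len + 1)):
        raise ValueError("ESP padding malformed")
    return ESP(spi, seq, body[:data_end], nh, icv)


class ReplayWindow:
    """Sliding window of received sequence numbers; one per security association."""

    def __init__(self, size: int = 64):  # a 64-packet window is an assumed size
        self.size, self.top, self.bitmap = size, 0, 0  # bitmap bit i: seq top-i seen

    def check_and_update(self, seq: int) -> str:
        if seq == 0:
            return "stale"  # counters start at 1, so 0 is never valid
        if seq > self.top:  # newer than anything seen: slide the window forward
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "ok"
        back = self.top - seq
        if back >= self.size:
            return "stale"  # older than the window: drop
        if (self.bitmap >> back) & 1:
            return "replay"  # already accepted once: drop
        self.bitmap |= 1 << back
        return "ok"


def build_ah(seq: int, spi: int = 0x1000, next_header: int = 6) -> bytes:
    """Constructed AH; the zero ICV is a placeholder (a real receiver recomputes the MAC)."""
    return struct.pack("!BBHII", next_header, 4, 0, spi, seq) + bytes(12)


def build_esp(seq: int, payload: bytes, spi: int = 0x2000, next_header: int = 17) -> bytes:
    """Constructed null-cipher ESP with default padding and a zero placeholder ICV."""
    pad_len = (-(len(payload) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + payload + trailer + bytes(12)


def receive_all(packets, window_size: int = 64):
    """One verdict ('ok', 'replay' or 'stale') per (kind, raw) packet, keyed by SPI."""
    windows, verdicts = {}, []
    for kind, raw in packets:
        hdr = parse_ah(raw) if kind == "ah" else parse_esp(raw)
        win = windows.setdefault((kind, hdr.spi), ReplayWindow(window_size))
        verdicts.append(win.check_and_update(hdr.seq))
    return verdicts
```

Feeding `receive_all` the constructed stream AH 1, 2, 2, 70, 5, 10 followed by ESP 1, 1 yields `["ok", "ok", "replay", "ok", "stale", "ok", "ok", "replay"]`: the second AH 2 and second ESP 1 are replays, and AH 5 is dropped as stale because the window has moved 65 past it. Keeping one window per SPI matters, since sequence counters are independent per security association.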

Layer 2 Forwarding

The Layer 2 Forwarding (L2F) protocol is used to create a secure tunnel between a LAN and a remote user. L2F permits the tunneling of information at the Data Link layer (Layer 2) of the OSI Reference Model. L2F allows the encapsulation of Point-to-Point Protocol (PPP) packets within the tunnel. This protocol was later merged with the Point-to-Point Tunneling Protocol (PPTP) to make L2TP. RFC 241 covers the L2F protocol.

Figure 1-25 shows the L2F header. As shown in Figure 1-25, the bits in the L2F packet header are as follows:

■■ F: This bit is either on or off, and it identifies whether or not an offset bit is set.

■■ K: This bit is either on or off, and it identifies whether or not a Key field is present.

■■ P: This bit is either on or off, and it identifies if the packet is a priority packet or not.

■■ S: This bit is either on or off, and it identifies if there is any data in the sequence field.

■■ Reserved: Reserved for future use. Always 0.

[Figure 1-24 layout, 32 bits per row: Security Parameters Index (SPI); Sequence Number; Payload data; Padding | Pad Length | Next Header; Authentication Data (variable)]


■■ C: Identifies if the packet contains a checksum or not. This bit is either on or off.

■■ Version: Identifies the protocol version.

■■ Protocol: Identifies the protocol that is encapsulated in the L2F packet.

■■ Sequence: Identifies the sequence number.

■■ Multiplex ID: Identifies the particular connection that is used in the tunnel.

■■ Client ID: This field is used to assist endpoints in ensuring data is directed to the correct users.

■■ Length: Identifies the size of the packet.

■■ Offset: Identifies the number of bytes past the header that the payload data begins.

■■ Key: The Public Key data.

■■ Data: The payload.

■■ Checksum: Used to ensure data is received intact.

Point-to-Point Tunneling Protocol

The Point-to-Point Tunneling Protocol (PPTP) is a standard that supports multiple protocol VPN tunnels. PPTP allows remote users to connect to their corporate network over the Internet in a secure manner. PPTP is not considered as secure as IPSec. PPTP authentication is normally handled by Microsoft Challenge Handshake Authentication Protocol (MSCHAP). PPTP is not a pure TCP protocol because it uses two channels for communication. One of the channels is a TCP channel on port 1723, and the other is a packet channel that is called the Generic Routing Encapsulation (GRE) protocol (which is discussed later in this section).

Figure 1-26 shows the PPTP header.

Figure 1-25: The L2F header [layout, 32 bits per row: F K P S | Reserved | C | Version | Protocol | Sequence; Multiplex ID | Client ID; Length | Offset; Key; Data; Checksum]


Figure 1-26: The PPTP Header

As shown in Figure 1-26, the bits in the PPTP header are as follows:

■■ Length: Identifies the length of the message.

■■ Message Type: Identifies the type of data contained within the message.

■■ Magic Cookie: Ensures data synchronization. This field is always set to hexadecimal 0x1A2B3C4D.

■■ Data: The payload.

Layer 2 Tunneling Protocol

Layer 2 Tunneling Protocol (L2TP) operates at the Data Link layer (Layer 2) of the OSI Reference Model. It is a protocol standard for tunneling traffic between two peers over a public network. L2TP does not provide authentication services or security, so IPSec is often used to tunnel L2TP packets.

L2TP supports multiple protocols and supports providing private IP addresses over the Internet. L2TP offers the same functions as L2F, as well as supporting Flow Control and Attribute Value Pair (AVP) Hiding.

Flow control regulates the rate at which data is sent between the two peers so that traffic moves under controlled conditions.

AVP hiding prevents hackers from eavesdropping by encrypting sensitive parts of L2TP messages. An AVP represents a variable and a value used for comparison when trying to authenticate a user's network access request. AVP hiding is used by the L2TP tunneling protocol, and it marks the status of AVPs that are considered sensitive. When AVP hiding is implemented, those attribute pairs are encrypted. An example of an attribute is a username or a password; the value could be the subnetwork or a group that the user should belong to.

L2TP was developed by combining two well-known tunneling protocols: PPTP and L2F.

Figure 1-27 shows the L2TP header. As shown in Figure 1-27, the bits in the L2TP packet header are as follows:

■■ T: This refers to the message type. This bit is either on or off, and it identifies if this is a data message or a control message.

■■ L: This bit is either on or off, and it identifies if there is anything set in the Length field.

■■ S: This bit is either on or off, and it identifies if there is anything set in the Ns or the Nr field.

[Figure 1-26 layout, 32 bits per row: Length | Message Type; Magic Cookie; Data]


■■ O: This bit is either on or off, and it identifies if there is any data in the Offset field.

■■ P: This bit is either on or off, and it identifies if the data message is a priority message or not.

■■ Version: Identifies the L2TP version.

■■ Length: Identifies the total length of the message.

■■ Tunnel ID: Identifies the connection.

■■ Session ID: Identifies the session inside the tunnel.

■■ Ns: Identifies the sequence number for this message.

■■ Nr: Identifies the sequence number that is expected in the next message.

■■ Offset: Identifies the number of bytes past the header that the payload begins.

■■ Offset pad: This is the padding field, if used.

■■ Data: The payload.
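The presence bits above (T, L, S, O, P) make the L2TP header variable in length, and a receiver has to walk it in order and check that each optional field actually fits before trusting the Length, Offset and Ns/Nr values. The following Python is an added example, not code from the book: it parses the header from the bit layout listed above and rejects messages that break the rules a version 2 receiver expects (version must be 2; a control message must set L and S and clear O and P; Length and Offset must stay inside the packet). Those rules are taken from RFC 2661, and the message bytes are constructed inline; the AVP content in the control message is an opaque placeholder.

```python
"""L2TP header parsing with structural validation (added example)."""
import struct
from dataclasses import dataclass
from typing import Optional

# Bit positions in the first 16 bits: T L x x S x O P x x x x Ver(4)
T_BIT, L_BIT, S_BIT, O_BIT, P_BIT = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100
VER_MASK = 0x000F


@dataclass
class L2TPHeader:
    is_control: bool
    priority: bool
    version: int
    length: Optional[int]
    tunnel_id: int
    session_id: int
    ns: Optional[int]
    nr: Optional[int]
    payload: bytes


def parse_l2tp(buf: bytes) -> L2TPHeader:
    pos = 0

    def take(fmt: str):
        """Unpack fmt at the cursor, refusing to read past the message end."""
        nonlocal pos
        size = struct.calcsize(fmt)
        if pos + size > len(buf):
            raise ValueError("L2TP header truncated")
        vals = struct.unpack(fmt, buf[pos:pos + size])
        pos += size
        return vals

    (flags,) = take("!H")
    t, l, s, o, p = (bool(flags & b) for b in (T_BIT, L_BIT, S_BIT, O_BIT, P_BIT))
    ver = flags & VER_MASK
    if ver != 2:
        raise ValueError("unsupported L2TP version %d" % ver)
    if t and (not l or not s or o or p):
        raise ValueError("control message must set L and S and clear O and P")
    length = None
    if l:
        (length,) = take("!H")
        if length > len(buf):
            raise ValueError("L2TP Length field runs past end of packet")
        buf = buf[:length]  # bytes beyond Length are not part of this message
    tunnel_id, session_id = take("!HH")
    ns = nr = None
    if s:
        ns, nr = take("!HH")
    if o:
        (offset,) = take("!H")
        if pos + offset > len(buf):
            raise ValueError("L2TP Offset runs past end of message")
        pos += offset  # skip the Offset pad; the payload starts after it
    return L2TPHeader(t, p, ver, length, tunnel_id, session_id, ns, nr, buf[pos:])


def check(buf: bytes) -> Optional[str]:
    """None if buf parses as a well-formed L2TP message, else the reason it was rejected."""
    try:
        parse_l2tp(buf)
    except ValueError as exc:
        return str(exc)
    return None


def build_control(tunnel_id: int, session_id: int, ns: int, nr: int, avps: bytes) -> bytes:
    """Constructed control message: T, L and S set, version 2, Length covering the AVPs."""
    flags = T_BIT | L_BIT | S_BIT | 2
    return struct.pack("!HHHHHH", flags, 12 + len(avps), tunnel_id, session_id, ns, nr) + avps


def build_data(tunnel_id: int, session_id: int, ppp: bytes, offset_pad: int = 0) -> bytes:
    """Constructed data message carrying a PPP frame, optionally with an Offset pad."""
    flags = 2 | (O_BIT if offset_pad else 0)
    hdr = struct.pack("!HHH", flags, tunnel_id, session_id)
    if offset_pad:
        hdr += struct.pack("!H", offset_pad) + bytes(offset_pad)
    return hdr + ppp
```

`check` returns a reason string for a control message whose S bit is clear, for a version-3 header, and for a message truncated before its declared Length, while constructed control and data messages parse cleanly. Rejecting inconsistent headers before acting on Tunnel ID or Session ID is what keeps a malformed packet from being mapped onto someone else's session.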

Generic Routing Encapsulation

The Generic Routing Encapsulation (GRE) protocol is established as a way to encapsulate a large variety of protocol packet types in a tunnel. GRE tunnels are connectionless, which means that each end of the tunnel does not keep any information about the status of the other end. A GRE tunnel interface is active as soon as it is created, and it remains up as long as the interface is up. GRE interfaces do not keep track of the opposite end, so data can be transmitted into a tunnel even when the destination is unavailable.

Figure 1-28 shows the GRE header.

Figure 1-27: The L2TP header [layout, 32 bits per row: T L 0 S 0 O P 0 Version | Length; Tunnel ID | Session ID; Ns | Nr; Offset | Offset Padding; Data]

Figure 1-28: The GRE header [layout, 32 bits per row: C R K S s Recur Flags Version | Protocol; Checksum | Offset; Key; Sequence Number; Routing]


As shown in Figure 1-28, the bits in the GRE header are as follows:

■■ C: The first bit is the Checksum Present bit. This identifies if a checksum field is set or not.

■■ R: This bit is the Routing Present bit, and it identifies if the routing field is set or not.

■■ K: This bit is the Key Present bit, and it identifies if the key field is set or not.

■■ S: This bit is the Sequence Number Present bit, and it identifies if the sequence number field is set.

■■ s: This is the Strict Source Route bit. This bit is set only if the routing information contains strict source routes.

■■ Recur: This is a 3-bit field used for recursion control. This identifies the number of additional encapsulations that are permitted.

■■ Flags: This represents five reserved bits that are always 0.

■■ Version: The GRE version number.

■■ Protocol: Identifies the protocol type of the payload.

■■ Checksum: The IP checksum of the GRE header and the payload. If a destination compares the data it receives with the checksum and the data does not match, the receiver knows that the data was corrupted in transit.

■■ Offset: Indicates the byte offset between the routing field and the Source Route Entry.

■■ Key: Used by the receiver to authenticate the source of the packet received.

■■ Sequence Number: Used by the receiver to determine the order of the packets received.

■■ Routing: This is a list of the source route entries.
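Because the C, R, K and S bits decide which of the Checksum, Offset, Key, Sequence Number and Routing fields are present, a GRE receiver cannot know where the payload starts until it has read the flags. The following Python is an added example, not code from the book: it walks the header listed above in field order, verifies the Checksum over header plus payload as the Checksum entry describes, and collects the Source Route Entries when R is set. The bit layout, the rule that Checksum and Offset appear together when either C or R is set, and the null-entry terminator for the routing list follow RFC 1701; the packets are constructed inline and the protocol numbers used in them are ordinary EtherType values.

```python
"""GRE header parsing with presence bits and checksum verification (added example)."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# First 16 bits: C R K S s Recur(3) Flags(5) Ver(3)
C_BIT, R_BIT, K_BIT, S_BIT, STRICT_BIT = 0x8000, 0x4000, 0x2000, 0x1000, 0x0800
RECUR_MASK, FLAGS_MASK, VER_MASK = 0x0700, 0x00F8, 0x0007


@dataclass
class GRE:
    protocol: int
    recur: int
    version: int
    key: Optional[int]
    seq: Optional[int]
    routing: List[Tuple[int, int, bytes]]  # (address family, SRE offset, route bytes)
    payload: bytes


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as the GRE Checksum field uses."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_gre(buf: bytes) -> GRE:
    pos = 0

    def take(fmt: str):
        """Unpack fmt at the cursor, refusing to read past the packet end."""
        nonlocal pos
        size = struct.calcsize(fmt)
        if pos + size > len(buf):
            raise ValueError("GRE header truncated")
        vals = struct.unpack(fmt, buf[pos:pos + size])
        pos += size
        return vals

    flags, proto = take("!HH")
    ver = flags & VER_MASK
    if ver != 0 or flags & FLAGS_MASK:
        raise ValueError("unsupported GRE version or reserved flag bits set")
    recur = (flags & RECUR_MASK) >> 8
    key = seq = None
    routing: List[Tuple[int, int, bytes]] = []
    if flags & (C_BIT | R_BIT):  # Checksum and Offset are present together
        checksum, _offset = take("!HH")
        if flags & C_BIT:
            # Recompute over header + payload with the Checksum field zeroed.
            if internet_checksum(buf[:4] + b"\x00\x00" + buf[6:]) != checksum:
                raise ValueError("GRE checksum mismatch: data corrupted in transit")
    if flags & K_BIT:
        (key,) = take("!I")
    if flags & S_BIT:
        (seq,) = take("!I")
    if flags & R_BIT:
        while True:  # Source Route Entries end with a null entry (family 0, length 0)
            family, sre_off, sre_len = take("!HBB")
            if family == 0 and sre_len == 0:
                break
            (route,) = take("!%ds" % sre_len)
            routing.append((family, sre_off, route))
    return GRE(proto, recur, ver, key, seq, routing, buf[pos:])


def verify(buf: bytes) -> Optional[str]:
    """None if buf parses as a valid GRE packet, else the reason it was rejected."""
    try:
        parse_gre(buf)
    except ValueError as exc:
        return str(exc)
    return None


def build_gre(protocol: int, payload: bytes, key: Optional[int] = None,
              seq: Optional[int] = None, checksum: bool = True) -> bytes:
    """Constructed GRE packet; sets C/K/S as requested and fills in the checksum."""
    flags = (C_BIT if checksum else 0) | (K_BIT if key is not None else 0) | (S_BIT if seq is not None else 0)
    hdr = struct.pack("!HH", flags, protocol)
    if checksum:
        hdr += struct.pack("!HH", 0, 0)  # Checksum placeholder and Offset
    if key is not None:
        hdr += struct.pack("!I", key)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    pkt = hdr + payload
    if checksum:
        pkt = pkt[:4] + struct.pack("!H", internet_checksum(pkt)) + pkt[6:]
    return pkt
```

`verify` returns `None` for a freshly built packet and a mismatch reason once a single payload byte is altered, which is the corruption case the Checksum entry above describes. Note that the checksum only detects accidental corruption; the Key field, as the list says, is what a receiver uses to decide whether to accept a packet's claimed source, and neither provides the cryptographic protection that IPSec adds when it carries the tunnel.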

Summary

This chapter has reviewed networking and VPN basics. The information that was covered in this chapter should establish an understanding for information presented in other chapters of this book. Many of the concepts that were presented in this chapter are covered later in the book.
