8. Shortcut Communication

8.1 Shortcuts between node domains

If only one ISP provides access service to users in a region, a single tree exists in that region and connecting user networks is simple and reasonable. Once two or more ISPs are present, however, their trees cross and overlap, and communication between users in the same place may have to detour over a remote path.

8.2 Requirements for shortcuts

1) Two or more ISPs in the same region provide network access to users using a hierarchical network structure.

[Figure: network diagram; labels A′, B′, E′, C′, F′, G′, A to M, Hc, Ha, Hb]

2) Although there is only one tree, some access user groups have several branch offices in different districts of the city, with heavy traffic among them.

[Figure: network diagram; labels A′, B′, E′, C′, F′, Ha]

3) Monitoring and analysis of network traffic indicates that a direct channel should be added between two particular districts.

4) The purpose of a shortcut is to reach the peer's entire network, not just one of the peer's subtrees.

8.3 Shortcut modes for node domains

A hierarchical network may contain any number of shortcut channels; a node domain may have shortcut channels to any number of other node domains; shortcut channels are allowed between node domains at any different levels of the tree; shortcut channels may be extended arbitrarily.

[Figure: network diagram; labels A′, B′, E′, C′, F′, G′, B to M, Hc, Ha, Hb]

8.4 Control and management of shortcut channels

Tree-branch channel: consists of one or more physical channels.
Shortcut channel: the channel drawn as a dashed line.

Before processing the tree channels, the node first makes a check: if it has no shortcut channel, or the shortcut channel is in a failed state, it processes the tree channels directly; if a shortcut channel exists, it processes the shortcut channel first and then the tree channels.

8.4 Control and management of shortcut channels: the shortcut channel table

8.4 Control and management of shortcut channels: localizing shortcut channels

So that an added shortcut channel does not affect the properties of the tree structure, shortcut channels are localized. A shortcut channel acts only point to point: once it has delivered a packet to the other end of the shortcut channel, its task is complete.

8.4 Control and management of shortcut channels: direct shortcut node domains

When a shortcut channel is used for communication between users in the two direct shortcut node domains, this is called direct shortcut communication over the shortcut channel. For direct shortcut communication, the control method above can be used only for downward transmission.

8.4 Control and management of shortcut channels: indirect shortcut node domains

To provide the ability to transmit upward, the shortcut channel table can be extended. Node domains that are separated from the shortcut channel by tree channels are indirect shortcut node domains.

8.5.1 Shortcut communication problem 1: shortcut tunnels

[Figure: network diagram; labels A′, B′, D′, E′, C′, F′, G′, A to M, Hc, Ha, Hb]

Node domain A cannot send the datagram downward to E, because it considers Ha's address to lie outside the range of its own tree network.

Node domain H is therefore also configured with the address prefix of the C′ subdomain, and a "shortcut prefix address mapping table" is set up that maps the C′ subdomain address prefix to the E subdomain address prefix.

Simple Header

The IPv4 header has 20 octets and 12 basic header fields. The IPv6 header has 40 octets, three IPv4 basic header fields, and five additional header fields.

8.5.1 Shortcut communication problem 1: shortcut tunnels using IPv6

IPv6 Global Unicast Address

48-bit global routing prefix and a 16-bit subnet ID. The current global unicast address that is assigned by the IANA uses the range of addresses that start with binary value 001 (2000::/3). Five RIR registries (ARIN, RIPE, APNIC, LACNIC, and AfriNIC).

IPv6 Addressing

Private Addresses

Site-local addresses are addresses similar to the RFC 1918 Address Allocation for Private Internets in IPv4 today. These addresses begin with "FEC", "FED", "FEE", or "FEF". fd00::/8.

Link-local addresses refer only to a particular physical link (physical network). These addresses start with "FE8", "FE9", "FEA", or "FEB".

IPv6 Addressing

8.5.1 Shortcut tunnels

(1) Establish a tunnel between H and E and do the processing at the tunnel endpoint.
(2) Enable extension header processing: use the destination options extension header so that the temporary destination E checks the TLV and processes it.
(3) Encapsulate the packet as an inner packet and remove the encapsulation at the temporary destination E.

8.5.2 Shortcut communication problem 2: duplicate paths

[Figure: network diagram; labels A′, B′, D′, E′, C′, F′, G′, A to M, Hc, Ha, Hb]

An additional rule is needed: not only must the indirect shortcut node domain A store the mapping entry from the C′ address prefix to the E address prefix, but every node domain on the way between the direct shortcut node domain and A must store this mapping entry as well.

Monotonic upward path; monotonic downward path.

(1) An indirect shortcut node domain stores, for the shortcut channel, the mapping entries from the address prefixes of all direct and indirect shortcut node domains to the address prefix of the direct shortcut node domain on its own side.
(2) If the segment from the direct shortcut node domain to the indirect shortcut node domain is a monotonic upward path, every node domain along it must store the address mapping entry; if the segment is a non-monotonic path, the node domains along it must not store the address mapping entry.
(3) When forwarding data in the reverse direction, the first node domain encountered that holds the corresponding address mapping entry sends the data through the tunnel to the corresponding direct shortcut node domain.

8.5.3 Shortcut communication problem 3: looping paths

[Figure: network diagram; labels A to N, P, Ha, Hb]

Shortcut communication can be used not only between two different tree networks but also between different subtrees of the same tree network. Two kinds of error arise:
(1) Detours, which waste valuable high-level channel bandwidth.
(2) Loops: communication between L and lower-level users.

8.5.3 Shortcut communication problem 3: the shortcut rule

If the direct shortcut node domains on the two sides of a shortcut channel lie on a monotonic upward path or a monotonic downward path of the same tree, the shortcut should be prohibited. If the path between them is non-monotonic, the shortcut is allowed.

8.5.4 Shortcut communication problem 4: extending shortcut channels

[Figure: network diagram; labels A to N, P, Q, A′, B′, C′, Ha, Hb, Hc, Hd]

However many times a channel is extended, one regularity holds: direct shortcut channels can appear consecutively, and an indirect shortcut relation can also be inserted between them. In principle the number of extensions is unlimited, but too many extensions easily become too complex for the administrator.

9. Network Security

9.1 Drivers for Network Security

Network security professionals

9.1 Elements of network security

Network infrastructure platform; network applications; people.

9.1 A TCP conversation

ACLs enable you to control traffic into and out of your network. ACLs can be configured to control network traffic based on the TCP and UDP port.

Port Numbers

9.1 Packet filtering

A router acts as a packet filter when it forwards or denies packets according to filtering rules. The ACL can extract the following information from the packet header, test it against its rules, and make "allow" or "deny" decisions based on: source IP address, destination IP address, ICMP message type. The ACL can also extract upper layer information and test it against its rules. Upper layer information includes: TCP/UDP source port, TCP/UDP destination port.

For this scenario, the packet filter looks at each packet as follows: If the packet is a TCP SYN from network A using port 80, it is allowed to pass. All other access is denied to those users. If the packet is a TCP SYN from network B using port 80, it is blocked. However, all other access is permitted.

An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header. ACLs perform the following tasks: Limit network traffic to increase network performance. Provide traffic flow control. ACLs can restrict the delivery of routing updates. Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area. Decide which types of traffic to forward or block at the router interfaces. Control which areas a client can access on a network. Screen hosts to permit or deny access to network services. ACLs can permit or deny a user to access file types, such as FTP or HTTP.

9.1 What is an ACL?

The Three Pers

One ACL per protocol - To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface.
One ACL per direction - ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic.
One ACL per interface - ACLs control traffic for an interface, for example, Fast Ethernet 0/0.

9.1 ACL operation

How ACLs Work

ACLs are configured either to apply to inbound traffic or to apply to outbound traffic.
Inbound ACLs - Incoming packets are processed before they are routed to the outbound interface.
Outbound ACLs - Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.

The implied "Deny All Traffic" Criteria Statement

ACL and Routing and ACL Processes on a Router

9.1 Types of Cisco ACLs

There are two types of Cisco IP ACLs, standard and extended.
Standard ACLs: Standard ACLs allow you to permit or deny traffic from source IP addresses.
Extended ACLs: Extended ACLs filter IP packets based on several attributes (IP, ICMP, UDP, TCP, or protocol number).

9.1 How a Standard ACL Works

The two main tasks involved in using ACLs are as follows:
Step 1. Create an access list by specifying an access list number or name and access conditions.
Step 2. Apply the ACL to interfaces or terminal lines.

9.1 Numbering and Naming ACLs

Starting with Cisco IOS Release 11.2, you can use a name to identify a Cisco ACL. It informs you of the purpose of the ACL.

Numbers 200 to 1299 are used by other protocols. For example, numbers 600 to 699 are used by AppleTalk, and numbers 800 to 899 are used by IPX.

9.1 Where to Place ACLs

Every ACL should be placed where it has the greatest impact on efficiency. The basic rules are: Locate extended ACLs as close as possible to the source of the traffic denied. This way, undesirable traffic is filtered without crossing the network infrastructure. Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.

9.2 Security properties of hierarchical networks

IP source address localization

9.2.1 IP source address localization: three attack cases

(1) An attacker in one user access network tries to forge an address belonging to another user access network.
(2) A malicious attacker forges the address of someone else in his own user access network, without changing the address prefix assigned by the edge port of the hierarchical network, while the target of the attack is in another user access network.
(3) The forged user and the victim are in the same access network.

Can the existing Internet carry out the same monitoring at the router edge?

Because network connections are arbitrary, the connected user or ISP networks include both stub networks and transit networks, so a router's edge port cannot determine the territorial scope of a packet that carries a forged address.
(1) ACLs seriously degrade router performance.
(2) Administrators cannot exhaustively list every potentially harmful address on a blacklist.
(3) Attackers keep changing the source address of their attacks.
(4) Routers belong to hundreds of thousands of organizations or more.

9.2.2 Blocking user access to network devices

In a hierarchical network, the network's internal address space is separated from the user network address space, and objects in the two different address spaces cannot access each other. The internal control protocols of the hierarchical backbone do not enter the user address space. User packets use addresses from the user address space; they can traverse the hierarchical backbone but never terminate in it.

1960s: Phreaking. John Draper.

In the existing Internet, router ports and user hosts are in the same address space, so it is impossible to tell whether the destination address in a user packet points to a core router, and therefore packets cannot be filtered at the boundary where they enter the backbone.

9.2.3 Hiding servers

The ISP of a hierarchical network can assign internal addresses not only to the switches of the hierarchical network and their ports but also to some dedicated network servers, so that these servers sit in an address space different from that of the user networks and are hidden. Users cannot see the servers and therefore cannot attack them.

9.2.3 Hiding servers: Access Attacks

Buffer overflow

9.2.4 Preventing network eavesdropping

Another aspect of security is that user packets may be intercepted by other organizations as they pass through the network. In a hierarchical network, user packets
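The packet-filtering scenario in section 9.1 (networks A and B, port 80), combined with the "implied deny all" statement from the ACL operation slide, as an added example that is not part of the original slides. The prefixes for networks A and B are constructed, "port 80" is taken to mean the TCP destination port, TCP flags are not modelled, and all function names are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed prefixes: the slide names networks A and B but gives no addresses.
NET_A, NET_B = ip_network("192.0.2.0/25"), ip_network("192.0.2.128/25")

@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp", or "ip" for any protocol
    src: IPv4Network
    dport: Optional[int] = None   # None matches any destination port

def matches(rule, proto, src, dport=None):
    return (rule.proto in ("ip", proto)
            and ip_address(src) in rule.src
            and rule.dport in (None, dport))

def evaluate(acl, proto, src, dport=None):
    """First matching rule decides; a packet matching no rule hits the implied deny."""
    for rule in acl:
        if matches(rule, proto, src, dport):
            return rule.action
    return "deny"

def covers(a, b):
    """True if every packet that matches rule b also matches rule a."""
    return (a.proto in ("ip", b.proto) and b.src.subnet_of(a.src)
            and a.dport in (None, b.dport))

def shadowed(acl):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [j for j, later in enumerate(acl)
            if any(covers(earlier, later) for earlier in acl[:j])]

# The slide's scenario, written in the order a router would evaluate it.
SCENARIO = [
    Rule("permit", "tcp", NET_A, 80),   # network A: web only
    Rule("deny",   "ip",  NET_A),       # ... everything else from A is denied
    Rule("deny",   "tcp", NET_B, 80),   # network B: web blocked
    Rule("permit", "ip",  NET_B),       # ... everything else from B is permitted
]
# Same rules with each broad rule listed first: the specific rules are shadowed.
MISORDERED = [SCENARIO[1], SCENARIO[0], SCENARIO[3], SCENARIO[2]]
```

Running `shadowed()` over a rule list before applying it catches the ordering mistake that silently reverses the intended policy for both networks.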
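The edge-port check behind section 9.2.1, as an added example that is not part of the original slides: each edge port of the hierarchical network has one assigned prefix, so a source address outside that prefix is dropped and attributed to the port it really entered on. The port names, prefixes and records are constructed; that case (2) passes the check but stays pinned to its access network, and that case (3) never crosses an edge port, are inferences from the slide's three cases.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed table: the prefix assigned to each edge port of the hierarchical
# network (documentation range 2001:db8::/32; port names are hypothetical).
EDGE_PORTS = {
    "port-1": ip_network("2001:db8:a::/48"),
    "port-2": ip_network("2001:db8:b::/48"),
}

def owner_of(addr):
    """Edge port whose assigned prefix contains addr, or None if unassigned."""
    a = ip_address(addr)
    return next((port for port, net in EDGE_PORTS.items() if a in net), None)

def check_ingress(port, src):
    """Decide on a packet entering the backbone on `port` with source `src`."""
    claimed = owner_of(src)
    verdict = "forward" if claimed == port else "drop"
    # `located` is where the packet really entered, whatever its header claims.
    return {"verdict": verdict, "located": port, "claimed": claimed}

def spoof_report(records):
    """Count dropped packets per (real ingress port, port the source claims)."""
    drops = Counter()
    for port, src in records:
        result = check_ingress(port, src)
        if result["verdict"] == "drop":
            drops[(result["located"], result["claimed"])] += 1
    return dict(drops)

# Constructed records of (ingress port, source address in the packet header).
RECORDS = [
    ("port-1", "2001:db8:a::10"),     # genuine source
    ("port-1", "2001:db8:b::99"),     # case (1): forged address of another access network
    ("port-1", "2001:db8:a::77"),     # case (2): forged neighbour, prefix unchanged
    ("port-2", "2001:db8:ffff::1"),   # forged address from an unassigned prefix
]
```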
