EP1374057A1 - SYSTEM, METHOD AND APPARATUS THAT EMPLOY VIRTUAL PRIVATE NETWORKS TO RESIST IP QoS DENIAL OF SERVICE ATTACKS - Google Patents
SYSTEM, METHOD AND APPARATUS THAT EMPLOY VIRTUAL PRIVATE NETWORKS TO RESIST IP QoS DENIAL OF SERVICE ATTACKSInfo
- Publication number
- EP1374057A1 EP1374057A1 EP02728525A EP02728525A EP1374057A1 EP 1374057 A1 EP1374057 A1 EP 1374057A1 EP 02728525 A EP02728525 A EP 02728525A EP 02728525 A EP02728525 A EP 02728525A EP 1374057 A1 EP1374057 A1 EP 1374057A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- vpn
- traffic
- network
- intra
- extra
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/02—Details
- H04L12/14—Charging, metering or billing arrangements for data wireline or wireless communications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/02—Details
- H04L12/14—Charging, metering or billing arrangements for data wireline or wireless communications
- H04L12/1403—Architecture for metering, charging or billing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/02—Details
- H04L12/14—Charging, metering or billing arrangements for data wireline or wireless communications
- H04L12/1442—Charging, metering or billing arrangements for data wireline or wireless communications at network operator level
- H04L12/1446—Charging, metering or billing arrangements for data wireline or wireless communications at network operator level inter-operator billing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4523—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using lightweight directory access protocol [LDAP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4535—Network directories; Name-to-address mapping using an address exchange platform which sets up a session between two nodes, e.g. rendezvous servers, session initiation protocols [SIP] registrars or H.323 gatekeepers
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4557—Directories for hybrid networks, e.g. including telephone numbers
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0272—Virtual private networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/10—Architectures or entities
- H04L65/102—Gateways
- H04L65/1023—Media gateways
- H04L65/103—Media gateways in the network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/10—Architectures or entities
- H04L65/102—Gateways
- H04L65/1033—Signalling gateways
- H04L65/104—Signalling gateways in the network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/10—Architectures or entities
- H04L65/102—Gateways
- H04L65/1043—Gateway controllers, e.g. media gateway control protocol [MGCP] controllers
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/1066—Session management
- H04L65/1069—Session establishment or de-establishment
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/1066—Session management
- H04L65/1096—Supplementary features, e.g. call forwarding or call holding
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/1066—Session management
- H04L65/1101—Session protocols
- H04L65/1104—Session initiation protocol [SIP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/60—Network streaming of media packets
- H04L65/61—Network streaming of media packets for supporting one-way streaming services, e.g. Internet radio
- H04L65/612—Network streaming of media packets for supporting one-way streaming services, e.g. Internet radio for unicast
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/60—Network streaming of media packets
- H04L65/75—Media network packet handling
- H04L65/762—Media network packet handling at the source
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/2866—Architectures; Arrangements
- H04L67/30—Profiles
- H04L67/303—Terminal profiles
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/2866—Architectures; Arrangements
- H04L67/30—Profiles
- H04L67/306—User profiles
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/51—Discovery or management thereof, e.g. service location protocol [SLP] or web services
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M15/00—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M15/00—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
- H04M15/43—Billing software details
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M15/00—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
- H04M15/44—Augmented, consolidated or itemized billing statement or bill presentation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M15/00—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
- H04M15/49—Connection to several service providers
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M15/00—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
- H04M15/51—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP for resellers, retailers or service providers
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M15/00—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
- H04M15/52—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP for operator independent billing system
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M15/00—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
- H04M15/53—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP using mediation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M15/00—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
- H04M15/55—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP for hybrid networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M15/00—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
- H04M15/58—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP based on statistics of usage or network monitoring
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M15/00—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
- H04M15/70—Administration or customization aspects; Counter-checking correct charges
- H04M15/745—Customizing according to wishes of subscriber, e.g. friends or family
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M3/00—Automatic or semi-automatic exchanges
- H04M3/22—Arrangements for supervision, monitoring or testing
- H04M3/2218—Call detail recording
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M3/00—Automatic or semi-automatic exchanges
- H04M3/42—Systems providing special services or facilities to subscribers
- H04M3/436—Arrangements for screening incoming calls, i.e. evaluating the characteristics of a call before deciding whether to answer it
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M7/00—Arrangements for interconnection between switching centres
- H04M7/006—Networks other than PSTN/ISDN providing telephone service, e.g. Voice over Internet Protocol (VoIP), including next generation networks with a packet-switched transport layer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04Q—SELECTING
- H04Q3/00—Selecting arrangements
- H04Q3/0016—Arrangements providing connection between exchanges
- H04Q3/0029—Provisions for intelligent networking
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/30—Definitions, standards or architectural aspects of layered protocol stacks
- H04L69/32—Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level
- H04L69/322—Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions
- H04L69/329—Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M2215/00—Metering arrangements; Time controlling arrangements; Time indicating arrangements
- H04M2215/01—Details of billing arrangements
- H04M2215/0104—Augmented, consolidated or itemised billing statement, e.g. additional billing information, bill presentation, layout, format, e-mail, fax, printout, itemised bill per service or per account, cumulative billing, consolidated billing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M2215/00—Metering arrangements; Time controlling arrangements; Time indicating arrangements
- H04M2215/01—Details of billing arrangements
- H04M2215/0108—Customization according to wishes of subscriber, e.g. customer preferences, friends and family, selecting services or billing options, Personal Communication Systems [PCS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M2215/00—Metering arrangements; Time controlling arrangements; Time indicating arrangements
- H04M2215/01—Details of billing arrangements
- H04M2215/0168—On line or real-time flexible customization or negotiation according to wishes of subscriber
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M2215/00—Metering arrangements; Time controlling arrangements; Time indicating arrangements
- H04M2215/01—Details of billing arrangements
- H04M2215/0172—Mediation, i.e. device or program to reformat CDRS from one or more switches in order to adapt to one or more billing programs formats
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M2215/00—Metering arrangements; Time controlling arrangements; Time indicating arrangements
- H04M2215/01—Details of billing arrangements
- H04M2215/0176—Billing arrangements using internet
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M2215/00—Metering arrangements; Time controlling arrangements; Time indicating arrangements
- H04M2215/01—Details of billing arrangements
- H04M2215/0188—Network monitoring; statistics on usage on called/calling number
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M2215/00—Metering arrangements; Time controlling arrangements; Time indicating arrangements
- H04M2215/20—Technology dependant metering
- H04M2215/2046—Hybrid network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M2215/00—Metering arrangements; Time controlling arrangements; Time indicating arrangements
- H04M2215/46—Connection to several service providers
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M2215/00—Metering arrangements; Time controlling arrangements; Time indicating arrangements
- H04M2215/54—Resellers-retail or service providers billing, e.g. agreements with telephone service operator, activation, charging/recharging of accounts
Definitions
- the present invention relates to communication networks and, in particular, to the prevention of denial of service attacks in a public communication network, for example, the
- the present invention relates to method, system and apparatus for preventing denial of service attacks in a communication network having a shared network infrastructure by separating the allocation and/or prioritization of access capacity to traffic of sites within a virtual private network (VPN) from the allocation and/or prioritization of access capacity to sites in another VPN or the public network.
- VPN virtual private network
- a key consideration in network design and management is the appropriate allocation of access capacity and network resources between traffic originating from VPN customer sites and traffic originating from outside the VPN (e.g., from the Internet or other VPNs). This consideration is particularly significant with respect to the traffic of VPN customers whose subscription includes a Service Level Agreement (SLA) requiring the network service provider to provide a minimum communication bandwidth or to guarantee a particular Quality of Service (QoS).
- SLA Service Level Agreement
- QoS Quality of Service
- Such service offerings require the network service provider to implement a network architecture and protocol that achieve a specified QoS and ensure sufficient access capacity and network resources are available for communication with other NPN sites separate from communication with hosts that are not part of the NPN.
- IP Internet Protocol
- IETF Internet Engineering Task Force
- Intserv Integrated Services
- IETF RFC 1633 R. Branden et al., "Integrated Services in the Internet Architecture: an Overview” June 1994
- Intserv is a per-flow IP QoS architecture that enables applications to choose among multiple, controlled levels of delivery service for their data packets.
- Intserv permits an application at a transmitter of a packet flow to use the well-known Resource ReSerVation Protocol (RSVP) defined by IETF RFC 2205 [R. Branden et al., "Resource ReSerVation Protocol (RSVP) - Version 1 Functional Specification” Sept.
- RSVP Resource ReSerVation Protocol
- FIG. 1 illustrates the implications of utilizing a conventional Intserv implementation to perform admission control.
- an exemplary IP network 10 includes N identical nodes (e.g., service provider boundary routers) 12, each having L links of capacity X coupled to Customer Premises Equipment (CPE) 14 for L distinct customers.
- CPE Customer Premises Equipment
- each node 12 ensures that no link along a network path from source to destination is overloaded.
- access capacity a per-flow approach is able to straightforwardly limit the input flows on each of the ingress access links such that the sum of the capacity for all flows does not exceed the capacity X of any egress access link (e.g., Link 1 of node 12a).
- a similar approach is applicable to links connecting unillustrated core routers within IP network 10.
- Intserv admission control utilizing RSVP has limited scalability because of the processing-intensive signaling RSVP requires in the service provider's boundary and core routers.
- RSVP requires end-to-end signaling to request appropriate resource allocation at each network element between the transmitter and receiver, policy queries by ingress node 12b-12d to determine which flows to admit and police their traffic accordingly, as well as numerous other handshake messages. Consequently, the processing required by Intserv RSVP signaling is comparable to that of telephone or ATM signaling and requires a high performance (i.e., expensive) processor component within each boundary or core IP router to handle the extensive processing required by such signaling.
- RSVP signaling is soft state, which means the signaling process is frequently refreshed (by default once every 30 " seconds) since the forwarding path across the IP network may change and therefore information about the QoS and capacity requested by a flow must be communicated periodically.
- This so-called soft-state mode of operation creates an additional processing load on a router even greater than that of an ATM switch.
- the processor of a boundary router is overloaded by a large number of invalid RSVP requests, the processor may crash, thereby disrupting service for all flows for all customers being handled by the router with the failing processor.
- Diffserv is an IP QoS architecture that achieves scalability by conveying an aggregate traffic classification within a DS field (e.g., the IPv4 Type of Service (TOS) byte or IPv6 traffic class byte) of each IP -layer packet header.
- the first six bits of the DS field encode a Diffserv Code Point (DSCP) that requests a specific class of service or Per Hop Behavior (PHB) for the packet at each node along its path within a Diffserv domain.
- DSCP Diffserv Code Point
- PHB Per Hop Behavior
- Diffserv domain network resources are allocated to aggregates of packet flows in , accordance with service provisioning policies, which govern DSCP marking and traffic conditioning upon entry to the Diffserv domain and traffic forwarding within the Diffserv domain.
- the marking (i.e., classification) and conditioning operations need be implemented only at Diffserv network boundaries.
- Diffserv enables an ingress boundary router to provide the QoS to aggregated flows simply by examining and/or marking each IP packet's header.
- Diffserv allows host marking of the service class
- a Diffserv network customer link can experience a Denial of Service (DoS) attack if a number of hosts send packets to that link with the DS field set to a high priority.
- DoS Denial of Service
- a set of hosts can exceed the subscribed capacity of a Diffserv service class directly by setting the DSCP or indirectly by submitting traffic that is classified by some other router or device to a particular DSCP.
- an IP network can only protect its resources by policing at the ingress routers to ensure that each customer interface does not exceed the subscribed capacity for each Diffserv service class. However, this does not prevent a DoS attack.
- Figure 2 depicts a DOS attack scenario in an exemplary IP network 10' that implements the conventional Diffserv protocol.
- a number of ingress nodes e.g., ingress boundary routers 12b'-12d' each admit traffic targeting a single link of an egress node (e.g., egress boundary router) 12a'.
- egress node e.g., egress boundary router
- each ingress nodes 12' polices incoming packets to ensure that customers do not exceed their subscribed resources at each DSCP, the aggregate of the admitted flows exceeds the capacity X of egress Link 1 of node 12a', resulting in a denial of service to the customer site served by this link.
- the present invention recognizes that it would be useful and desirable to provide a method, system and apparatus for data communication that support a communication protocol that, unlike conventional Intserv implementations, is highly scalable and yet protects against the DoS attacks to which conventional Diffserv and other networks are susceptible.
- a network architecture in accordance with the present invention includes a communication network that supports one or more network-based Virtual Private Networks
- the communication network includes a plurality of boundary routers that are connected by access links to CPE edge routers belonging to the one or more VPNs.
- VPN e.g., traffic from other VPNs or the Internet at large
- the present invention gives precedence to intra-VPN traffic over extra- VPN traffic on each customer's access link through access link prioritization or access link capacity allocation, such that extra- VPN traffic cannot interfere with inter- VPN traffic.
- Granting precedence to intra-VPN traffic over extra- VPN traffic in this manner entails special configuration of network elements and protocols, including partitioning between intra-VPN and extra- VPN traffic on the physical access link and access network using layer 2 switching and multiplexing, as well as the configuration of routing protocols to achieve logical traffic separation between intra-VPN traffic and extra- VPN traffic at the VPN boundary routers and CPE edge routers.
- the access networks, the VPN boundary routers and CPE edge routers, and the routing protocols of the edge and boundary routers in this manner, the high-level service of DoS attack prevention is achieved.
- Figure 1 depicts a conventional Integrated Services (Intserv) network that implements per-flow QoS utilizing RSVP;
- Figure 2 illustrates a conventional Differentiated Services (Diffserv) network that implements QoS on aggregated traffic flows utilizing DSCP markings in each packet header and is therefore vulnerable to a Denial of Service (DoS) attack;
- Diffserv Differentiated Services
- Figure 3 depicts an exemplary communication network that, in accordance with a preferred embodiment of the present invention, resists DoS attacks by partitioning allocation and/or prioritization of access capacity by reference to membership in Virtual Private Networks (VPNs);
- VPNs Virtual Private Networks
- Figure 4 illustrates an exemplary network architecture that provides a CPE-based VPN solution to the DoS attack problem
- Figure 5 is a more detailed block diagram of a QoS-aware CPE edge router that maybe utilized within the network architectures depicted in Figures 4 and 7;
- Figure 6A is a more detailed block diagram of a QoS-aware boundary router without
- VPN function that maybe utilized within the network architectures illustrated in Figures 4 and 7;
- Figure 6B is a more detailed block diagram of a QoS-aware boundary router having VPN function that may be utilized within the network architecture illustrated in Figure 4;
- Figure 7 illustrates an exemplary network architecture that provides a network-based VPN solution to the DoS attack problem;
- FIG 8 is a more detailed block diagram of a QoS-aware VPN boundary router that may be utilized within the network architecture depicted in Figure 7.
- FIG. 3 there is depicted a high level block diagram of an exemplary network architecture 20 that, in accordance with the present invention, provides a scalable method of providing QoS to selected traffic while protecting a Virtual Private Network (VPN) customer's access and trunk network links against DoS attacks.
- network architecture 20 of Figure 3 includes a Diffserv network 21 having N service provider boundary routers (BRs) 22 that each have L access links.
- BRs service provider boundary routers
- Diffserv network 21 supports a plurality of VPN instances, of which two are shown in the figure as identified by the access links of boundary routers 22 coupled to CPE edge routers (ERs) for a first network service customer 24 and an ER for a second network service customer 25 at each of four sites, respectively identified by letters a through d.
- Each CPE ER provides network service to a customer's local area networks (LANs).
- the service provider network-based VPN may support many more customers than the two shown in this figure.
- hosts within the LANs of the first VPN customer coupled to CPE edge routers 24b-24d those within a second VPN customer's LANs coupled to CPE edge routers 25a-25d, as well as sites coupled to other unillustrated CPE edge routers linked to boundary routers 22a-22d, may all transmit packet flows targeting the LAN coupled to the first VPN customer CPE edge router 24a. If the conventional Diffserv network of the prior art described above with respect to Figure 2 were implemented, the outgoing access link 1 of boundary router 22a coupled to CPE edge router 24a could be easily overwhelmed by the convergence of these flows, resulting in a DoS.
- Diffserv network 21 of Figure 3 prevents a DoS attack from sites outside the VPN by directing intra-VPN traffic to a first logical port 27 on physical access link 1 of boundary router 22a, while directing traffic from other VPNs or other sites to a second logical port 28 on physical access link 1 of boundary router 22a.
- a customer's community of interest e.g., traffic from other VPNs or the Internet at large
- the present invention either prioritizes intra-VPN traffic over extra- VPN traffic, or allocates access link capacity such that extra- VPN traffic cannot interfere with inter- VPN traffic.
- each boundary router 22 gives precedence on each customer's access link to traffic originating within the customer's VPN, where a VPN is defined herein as a collection of nodes coupled by a shared network infrastructure in which network resources and/or communications are partitioned based upon membership of a collection of nodes. Granting precedence to intra-VPN traffic over extra- VPN traffic in this manner entails special configuration of network elements and protocols, including partitioning of the physical access between intra-VPN and extra- VPN traffic using layer 2 multiplexing and the configuration of routing protocols to achieve logical traffic separation.
- the configuration of the CPE edge router, the access network, the network-based VPN boundary router and the routing protocols involved in the edge and boundary routers cooperate to achieve the high-level service of DoS attack prevention, as detailed below.
- Conventional Diffserv and CPE edger router IPsec-based IP VPN implementations do not segregate traffic destined for sites within the same VPN (i.e., intra-VPN traffic) and traffic sent from other regions of the Internet (i.e., extra- VPN traffic).
- Figures 4-8 at least two classes of implementations of the generalized network architecture 20 depicted in Figure 3 are possible.
- a network in accordance with the present invention can be realized as a CPE-based VPN implementation, as described below with reference to Figures 4-6, or as a network-based VPN implementation, as described below with reference to Figures 7-8.
- the depicted network architecture includes a Diffserv-enabled IP VPN network 44, a best effort IP public network 46, and a plurality of customer Local Area Networks (LANs) 32.
- Customer LANs 32 each include one or more hosts 48 that can function as a transmitter and/or receiver of packets communicated over one or both of networks 44 and 46.
- VPN community of interest
- Each customer LAN 32 is coupled by a respective CPE edge router 34 and physical access link 35 to a respective access network (e.g., an L2 access network) 38.
- Access networks e.g., an L2 access network
- VPN-aware CPE edge routers 34a and 34b route only packets with IP address prefixes belonging to the IP VPN via Diffserv-enabled IP
- VPN network 44 and route all other traffic via best effort IP public network 46.
- CPE edge routers 34a and 34b send all traffic to and from best effort IP public network 46 through a respective one of firewalls 36a and 36b.
- L2 access networks that support such prioritization of access links 35 include Ethernet (e.g., utilizing Ethernet priority),
- each boundary router 40 of Diffserv enabled IP VPN network 44 shapes the transmission rate of packets to its logical connection to access network 38 to a value less than that of the access link to prevent starvation of the L2 access logical connection to best effort IP public network 46.
- boundary routers 40a-40b and 42a-42b may be individually configured to shape the traffic destined for each L2 access network logical connection to a specified rate, where the sum of these rates is less than or equal to the transmission capacity of the physical access medium linking CPE edge routers 34 and access networks 38.
- boundary routers 40 and 42 perform scheduling and prioritization based upon packets' DSCP markings and shape to the capacity allocated to the access network connection for IP VPN traffic.
- selection of which of the alternative configurations to implement is a matter of design choice, as each configuration has both advantages and disadvantages.
- coordination of the access network configuration between networks 44 and 46 is easier.
- IP VPN traffic from Diffserv-enabled IP VPN network 44 may starve best effort traffic communicated over IP public network 46.
- the second configuration addresses this disadvantage by allocating a portion of the access link capacity to each type of network access (i.e., both intra-VPN and extra- VPN).
- boundary routers 40 and 42 shape traffic in accordance with the second configuration, unused access capacity to one of networks 44 and 46 cannot be used to access the other network. That is, since the shapers are on separate boundary routers 40 and 42, only non- work-conserving scheduling is possible.
- QoS-aware CPE edge router 34 that may be utilized within the network architecture depicted in
- CPE edge router 34 includes a number of LAN ports 60, which provide connections for a corresponding number of customer LANs 32.
- LAN port 60a is connected to a customer LAN 32 including a number of hosts 48 respectively assigned 32-bit IP addresses "a.b.c.d,” “a.b.c.e.,” and "a.b.c.f.”
- Each LAN port is also coupled to a forwarding function 62, which forwards packets between LAN ports 60 and one or more logical ports (LPs) 66 residing on one or more Wide Area Network (WAN) physical ports 64 (only one of which is illustrated).
- LPs 66 which each comprise a layer-2 sub-interface, may be implemented, for example, as an Ethernet Virtual LAN
- WAN physical port 64 employs a scheduler 68 to multiplex packets from logical ports 64 onto the transmission medium of an access network 38 and forwards packets received from access network 38 to the respective logical port utilizing a forwarding function 70.
- classifier 80 When a LAN port 60 of CPE edge router 34 receives packets from a customer LAN 32, the packets first pass through a classifier 80, which determines by reference to a classifier table 82 how each packet will be handled by CPE edge router 34. As illustrated in Figure 5, classifier table 82 may have a number of indices, including Source Address (S A) and Destination Address (DA), Source Port (SP) and Destination Port (DP), Protocol Type (PT), DSCP, or other fields from packets' link, network or transport layer headers.
- S A Source Address
- SP Source Port
- DP Destination Port
- PT Protocol Type
- DSCP Protocol Type
- classifier 72 Based upon a packet's values for one or more of these indices, classifier 72 obtains values for a policer (P), marker (M), destination LP, and destination LP queue (Q) within CPE edge router 34 that will be utilized to process the packet.
- P policer
- M marker
- Q destination LP queue
- lookup of the destination LP and destination LP queue entries could be performed by forwarding function 62 rather than classifier 80.
- table entry values within classifier table 82 may be fully specified, partially specified utilizing a prefix or range, or null (indicated by "-").
- the SAs of hosts 48 of LAN 32 are fully specified utilizing 32-bit IP addresses
- DAs of several destination hosts are specified utilizing 24-bit IP address prefixes that identify particular IP networks
- a number of index values and one policing value are null.
- the same policer, marker, and/or shaper values, which for Intserv flows are taken from RSVP RESV messages, may be specified for different classified packet flows.
- classifier table 82 specifies that policer PI and marker Ml will process packets from any SA marked with DSCP "101" as well as packets having a SA "a.b.c.e” marked with DSCP "010.”
- classifier table 82 distinguishes between flows having different classifications by specifying different destination LP values for traffic having a DA within the VPN (i.e., intra-VPN traffic) and traffic addressed to hosts elsewhere in the Internet (i.e., extra- VPN traffic).
- IP address prefixes "r.s.t” because IP address prefixes "r.s.t,”
- the logical port 66 and LP queue to which packets are forwarded can be determined by static configuration or dynamically by a routing protocol. .
- a VPN route should always have precedence over an Internet route if a CPE router 34 has both routes installed for the same destination IP address.
- IGP Interior Gateway Protocol
- EBGP static routing to install Internet routes
- VPN routes with a higher local preference being given for VPN routes.
- packets are policed and marked, as appropriate, by policers P0, PI and markers MO, Ml, M2 as indicated by classifier table 82 and then switched by forwarding function 62 to either logical port 66a or 66b, as specified by the table lookup.
- packets are directed to the LP queues Q0-Q02 specified by classifier table 82.
- LP queues Q0-Q2 perform admission control based upon either available buffer capacity or thresholds, such as Random Early Detection (RED).
- a scheduler 90 then services LP queues Q0-Q2 according to a selected scheduling algorithm, such as First In, First Out (FIFO), Priority, Weighted Round Robin (WRR), Weighted Fair Queuing (WFQ) or Class-Based Queuing (CBQ).
- scheduler 90 of LP-2 66a implements WFQ based upon the weight w, associated with each LP queue / and the overall WFQ scheduler rate r 2 for logical port 2, thereby shaping traffic to the rate r 2 .
- scheduler 68 of physical WAN port 64 services the various logical ports 66 to control the transmission rate to access network 38.
- CPE edge router 34 receives packets from access network 38 at WAN physical port 64 and then, utilizing forwarding function 70, forwards packets to the appropriate logical port 66a or 66b as indicated by configuration of access network 38 as it maps to the logical ports.
- packets pass through a classifier 100, which generally employs one or more indices within the same set of indices discussed above to access a classifier table 102.
- the lookup results of classifiers 100 are less complex than those of classifier 80 because policing and marking are infrequently required.
- packets are forwarded by forwarding function 62 directly from classifiers 100 of logical ports 66 to the particular queues Q0-Q2 of LAN port 60a specified in the table lookup based upon the packets' DSCPs.
- queues Q0-Q2 of LAN port 60a are serviced by a scheduler 102 that implements WFQ and transmits packets to customer LAN 32.
- FIG 6A there is depicted a more detailed block diagram of a QoS- aware boundary router without any VPN function, which may be utilized within the network architecture of Figure 4, for example, to implement boundary routers 42.
- boundary router 42 of Figure 6A includes a plurality of physical ports 116, a plurality of logical ports 110 coupled to access network 38 by a forwarding function 112 for mcoming packets and a scheduler 114 for outgoing packets, and a forwarding function 118 that forwards packets between logical ports 110 and physical ports 116.
- the implementation of multiple physical ports 116 permits fault tolerant connection to network core routers, and the implementation of multiple logical ports coupled to access network 38 permits configuration of one logical port (i.e., LP- 1 110a) as a Diffserv-enabled logical port and a second logical port (i.e., LP-2110b) as abest-effort logical port.
- classifier 124 of LP-2110b directs all packets to marker M0 in accordance with classifier table 126.
- Marker M0 remarks all packets received at LP-2 110b with DSCP 000, thus identifying the packets as best-effort traffic.
- Classifier 120 of LP- 1 110a utilizes classifier table 122 to map incoming packets, which have already received DSCP marking at a trusted CPE (e.g., service provider-managed CPE edge router 34), into queues Q0-Q2 on PHY-1 116a, which queues are each associated with a different level of QoS. Because the packets have already been multi-field classified, marked and shaped by the trusted CPE (e.g., service provider-managed CPE edge router 34), into queues Q0-Q2 on PHY-1 116a, which queues are each associated with a different level of QoS. Because the packets have already been multi-field classified, marked and shaped by the trusted CPE (e.g., service provider-managed C
- boundary router 42 need not remark the packets. If, however, the sending CPE edge router were not a trusted CPE, boundary router 42 would also need to remark and police packets received at LP-1 110a.
- traffic is forwarded to an appropriate physical port 116 or logical port 110 by forwarding function 118.
- boundary router 42 employs an alternative design in which forwarding function 118 accesses forwarding table 128 with a packet's DA to determine the output port, namely, LP-1 110a, LP-2 110b, or PHY-1 116a in this example.
- forwarding table 128 is populated by generic IP routing protocols (e.g., Border Gateway Protocol (BGP)) or static configuration (e.g., association of the 24-bit IP address prefix "d.e.f.” with LP-2 110b).
- Border Gateway Protocol BGP
- static configuration e.g., association of the 24-bit IP address prefix "d.e.f.” with LP-2 110b.
- An alternative implementation could centrally place the IP lookup forwarding function in forwarding function 62.
- the exemplary implementation shown in Figure 6 assumes that boundary router 42 sends all traffic bound for the network core to only one of the physical ports
- classifier 132 accesses classifier table 134 utilizing the DSCP of the packets to direct each packet to the appropriate one of queues QO-Q-2 for the QoS indicated by the packet's DSCP. For a customer that has purchased a Diffserv-enabled logical port 110, this has the effect of delivering the desired QoS since the source CPE has policed and marked the flow with appropriate DSCP value.
- a best-effort customer is capable of receiving higher quality traffic, preventing such a one-way differentiated service would require significant additional complexity in the classifier and include distribution of QoS information via routing protocols to every edge router in a service provider network.
- FIG. 6B there is depicted a more detailed block diagram of a QoS-aware VPN boundary router 40, which may be utilized to provide Diffserv-enabled and
- boundary router 40 includes a plurality of physical ports 226 for connection to core routers of Diffserv-enabled IP VPN network 44, a plurality of Diffserv-enabled logical ports 224 coupled to an access network 38 by a forwarding function 220 for incoming packets and a scheduler 222 for outgoing packets, and a forwarding function 228 that forwards packets between logical ports
- Each Diffserv-enabled logical port 224 implemented on boundary router 40 serves a respective one of a plurality of VPNs.
- Diffserv-enabled logical port LP-A 224a serves a customer site belonging to VPN A, which includes customer sites having the 24-bit IP address prefixes "a.b.c.” and "a.b.d.”
- Diffserv-enabled logical port LP-B 224b serves a customer site belonging to VPN B, which includes two customer sites having the 24-bit IP address prefixes "b.c.d.” and "b.c.e.”
- Diffserv-enabled logical ports 224 do not serve sites belonging to best effort IP public network 46 since such traffic is routed to boundary routers 42, as shown in Figure 4.
- each core-facing physical port 226 of boundary router 40 is logically partitioned into a plurality of sub-interfaces implemented as logical tunnels 240.
- a tunnel may be implemented utilizing any of a variety of techniques, including an IP-over-IP tunnel, a Generic Routing Encapsulation (GRE) tunnel, an IPsec operated in tunnel mode, a set of stacked Multi-Protocol Label Switching
- MPLS Layer 2 Tunneling Protocol
- L2TP Layer 2 Tunneling Protocol
- null tunnel a null tunnel.
- Such tunnels can be distinguished from logical ports in that routing information for multiple VPNs can be associated with a tunnel in a nested manner.
- Border Gateway Protocol (BGP)/MPLS VPNs described in IETF RFC 2547 [E. Rosen et al., "BGP/MPLS VPNs" March 1999]
- the topmost MPLS label determines the destination boundary router while the bottommost label determines the destination VPN.
- a classifier 230 on each of Diffserv-enabled logical ports 224 classifies packets flowing from access network 38 through boundary router 40 to the network core of Diffserv-enabled IP VPN network 44 in accordance with the packets' DSCP values by reference to a respective classifier table 232.
- classifier tables 232a and 232b are accessed utilizing the DSCP as an index to determine the appropriate one of queues Q0-Q2 on physical port PHY- 1 226a for each packet.
- Packets received by physical ports 226 are similarly classified by a classifier 250 by reference to a classifier table 254 to determine an appropriate one of queues Q0-Q2 for each packet on one of logical ports 224.
- forwarding function 228 switches packets between logical ports 224 and physical ports 226 by reference to VPN forwarding tables 234a-234n, which are each associated with a respective VPN.
- VPN forwarding table 234a provides forwarding routes for VPN A
- VPN forwarding table 234b provides forwarding routes for VPN B.
- VPN forwarding tables 234 are accessed utilizing the source port and DA as indices.
- VPN forwarding table 234a For example, in the exemplary network configuration represented in forwarding table 234a, traffic within VPN A addressed with a DA having a 24-bit IP address prefix of "a.b.d.” traverses TNL-1 240a, and traffic received at TNL-1 240b is directed to LP-A 224a. Similar routing between TNL-2240b and LP-B 224b can be seen in VPN routing table 234b. As discussed above, VPN forwarding tables 234 can be populated by static configuration or dynamically utilizing a routing protocol.
- packets are each directed to the output port queue corresponding to their DSCP values. For example, packets marked with the QoS class associated with DSCP 101 are placed in Q2, packets marked with the QoS class associated with DSCP 010 are placed in Q 1 , and traffic marked with DSCP 000 is placed in Q0. Schedulers
- FIG. 7 there is illustrated an exemplary network architecture 150 that provides a network-based VPN solution to the DoS attack problem.
- like reference numerals and traffic notations are utilized to identify features corresponding to features of network architecture 30 depicted in Figure 4.
- network architecture 150 of Figure 7, like network architecture 30 of Figure 4, includes a Diffserv-enabled IP VPN network 44, a best effort IP public network 46, and a plurality of customer Local Area Networks (LANs) 32.
- customer LANs 32a and 32b belong to the same VPN and each include one or more hosts 48 that can function as a transmitter and/or receiver of packets.
- Each customer LAN 32 is coupled by a CPE edge router 34 and a physical access link 153 to a respective access network (e.g., an L2 or L3 access network) 154.
- a respective access network e.g., an L2 or L3 access network
- access networks 154 are only connected to boundary routers 156 of Diffserv-enabled IP VPN network 44, which have separate logical connections to boundary routers 42 of best effort IP public network 46.
- boundary routers 156 In contrast to access networks 38 of Figure 4, which have separate logical connections for QoS and best effort traffic, access networks 154 are only connected to boundary routers 156 of Diffserv-enabled IP VPN network 44, which have separate logical connections to boundary routers 42 of best effort IP public network 46.
- intra-VPN traffic destined for network 44 and extra- VPN traffic destined for network 46 are both routed through boundary routers 156, meaning that work-conserving scheduling between the two classes of traffic is advantageously permitted.
- the complexity of boundary routers 156 necessarily increases because each boundary router 156 must implement a separate forwarding table for each attached customer, as well as a full Internet forwarding table that can be shared among customers.
- boundary router 156 includes a plurality of physical ports 176 for connection to network core routers, a plurality of Diffserv-enabled logical ports 174 coupled to access network 154 by a forwarding function 170 for incoming packets and a scheduler 172 for outgoing packets, and a forwarding function
- each CPE edge router 34 is coupled to a boundary router 156 by only a single access link through access network 154, each network customer site is served at boundary router 156 by a pair of Diffserv-enabled logical ports 174, one for intra-VPN traffic and one for extra- VPN traffic.
- Diffserv-enabled logical ports LP-A1 174a and LP-A2 174 serve a single customer site belonging to VPN A, which includes at least two customer sites having the 24-bit IP address prefixes "a.b.c.” and "a.b.d.”
- LP-A1 174a provides access to QoS traffic communicated across Diffserv-enabled IP VPN network 44 to and from sites belonging to VPN A
- LP-A2 174b provides access to best effort traffic to and from best effort IP public network 46.
- 156 is logically partitioned into aplurality of sub-interfaces implemented as logical tunnels 180.
- a tunnel may be implemented utilizing any of a variety of techniques, including an IP-over-IP tunnel, a Generic Routing Encapsulation (GRE) tunnel, an IPsec operated in tunnel mode, a set of stacked Multi-Protocol Label Switching
- GRE Generic Routing Encapsulation
- MPLS MPLS labels
- a null tunnel Such tunnels can be distinguished from logical ports in that routing information for multiple VPNs can be associated with a tunnel in a nested manner.
- Border Gateway Protocol BGP
- MPLS VPNs described in IETF RFC 2547
- the topmost MPLS label determines the destination boundary router while the bottommost label determines the destination VPN.
- a classifier 182 on each of Diffserv-enabled logical ports 174 classifies packets flowing from access network 154 through boundary router 156 to the network core in accordance with the packets' DSCP values by reference to a respective classifier table 190.
- classifier tables 190a and 190b are accessed utilizing the DSCP as an index to determine the appropriate one of queues Q0-Q2 on physical port PHY-1 176a for each packet.
- Packets received by physical ports 176 are similarly classified by a classifier 198 by reference to a classifier table 192 to determine an appropriate one of queues Q0-Q2 for each packet on one of logical ports 174.
- forwarding function 178 switches packets between logical ports 174 and physical ports 176 by reference to VPN forwarding tables 194a-194n, which are each associated with a respective VPN and shared Internet forwarding table 195.
- forwarding table 194a contains entries providing forwarding routes for VPN A
- Internet forwarding table 195 contains entries providing forwarding routes for packets specifying LP-A2 or TNL-2 (i.e., the logical interfaces configured for Internet access) as a source.
- Forwarding tables 194 are accessed utilizing the source port and DA as indices. For example, in the exemplary network configuration represented in forwarding table 194a, intra- VPN traffic addressed with a DA having a 24-bit IP address prefix of "a.b.d.” traverses TNL-1 180a, while extra- VPN (i.e., Internet) traffic traverses TNL-2 180b (which could be a null tunnel). Forwarding table 194a further indicates that intra-VPN traffic received via TNL-1 180a is directed to LP-A1 174a, and all other traffic arriving from the Internet via tunnel TNL-2180b addressed with a DA having a 24-bit IP address prefix of "a.b.c.” is sent to LP-A2 174b.
- Traffic that terminates to other ports on boundary router 156 i.e., traffic having a Local DA
- LP-x the entries in forwarding table 194a marked "Local" specify address prefixes other than those assigned to VPNs (e.g., a.b.c/24) that are assigned to interfaces on boundary router 156.
- packets are each directed to the output port queue corresponding to their DSCP values. For example, packets marked with the QoS class associated with DSCP 101 are placed in Q2, packets marked with the QoS class associated with DSCP 010 are placed in Q 1 , and best effort traffic marked with DSCP 000 is placed in Q0. Schedulers 196 then schedule output of packets from queues Q0-Q2 to achieve the requested QoS.
- the present invention provides an improved network architecture for providing QoS to intra-VPN traffic while protecting such flows against DoS attack from sources outside the VPN.
- the present invention provides DoS-protected QoS to selected flows utilizing a network-based VPN service and a best effort Internet service connected to a CPE edge router using a L2 access network with appropriately configured routing protocols.
- Diffserv marking at the edge and handling in the network-based VPN core provides QoS to selected flows while logically partitioning intra-VPN and extra- VPN traffic to prevent DoS to a VPN network customer site due to traffic originating from outside of the customer's VPN exceeding that site's access capacity.
- Intserv policy control implemented on the CPE edge router and/or the QoS-aware boundary router, as described in IETF RFC 2998 [Y. Bernet et al., "A Framework for Integrated Services Operation over Diffserv Networks” Nov. 2000] .
- the network architecture of the present invention may be realized in CPE-based and network-based implementations.
- the CPE-based implementation permits easy configuration of the access networks linking the CPE edge routers and service provider boundary routers and permits QoS to be offered to VPN sites without implementing Diffserv across the entire service provider network.
- the network-based configuration advantageously permits work conserving scheduling that permits extra- VPN traffic to utilize excess access capacity allocated to intra-VPN traffic.
- FIGS 3, 4 and 7 illustrate the connection of each CPE edge router to a VPN network and a best effort network by one access link
- a CPE edge router may be connected by multiple access links to one or more access networks, which provide logical connections to one or more boundary routers of each of the VPN and best effort networks.
- the multiple access links can be utilized in either a primary/backup or load-sharing arrangement through installation of static routes in the service provider boundary routers or dynamic configuration of the service provider boundary routers utilizing routing protocols (e.g., EBGP).
- CPE edge router implement multiple forwarding tables and separate instances of the routing protocol for the VPN and Internet access address spaces.
- the implementation of such a CPE edge router would be similar to that illustrated in Figure 8 and described in the associated text, with only a single VPN table and a single table for Internet routes.
Landscapes
- Engineering & Computer Science (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Multimedia (AREA)
- Computer Security & Cryptography (AREA)
- Business, Economics & Management (AREA)
- General Business, Economics & Management (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- Probability & Statistics with Applications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Small-Scale Networks (AREA)
Abstract
Description
Claims
Applications Claiming Priority (9)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US27695301P | 2001-03-20 | 2001-03-20 | |
US27692301P | 2001-03-20 | 2001-03-20 | |
US27695501P | 2001-03-20 | 2001-03-20 | |
US276955P | 2001-03-20 | ||
US276953P | 2001-03-20 | ||
US276923P | 2001-03-20 | ||
US10/023,043 US20030115480A1 (en) | 2001-12-17 | 2001-12-17 | System, method and apparatus that employ virtual private networks to resist IP QoS denial of service attacks |
US23043 | 2001-12-17 | ||
PCT/US2002/008577 WO2002075548A1 (en) | 2001-03-20 | 2002-03-20 | SYSTEM, METHOD AND APPARATUS THAT EMPLOY VIRTUAL PRIVATE NETWORKS TO RESIST IP QoS DENIAL OF SERVICE ATTACKS |
Publications (2)
Publication Number | Publication Date |
---|---|
EP1374057A1 true EP1374057A1 (en) | 2004-01-02 |
EP1374057A4 EP1374057A4 (en) | 2004-11-10 |
Family
ID=27487176
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP02728525A Withdrawn EP1374057A4 (en) | 2001-03-20 | 2002-03-20 | SYSTEM, METHOD AND APPARATUS THAT EMPLOY VIRTUAL PRIVATE NETWORKS TO RESIST IP QoS DENIAL OF SERVICE ATTACKS |
Country Status (7)
Country | Link |
---|---|
EP (1) | EP1374057A4 (en) |
JP (1) | JP2004533149A (en) |
CN (1) | CN1498368A (en) |
BR (1) | BR0208223A (en) |
CA (1) | CA2441712A1 (en) |
MX (1) | MXPA03008421A (en) |
WO (1) | WO2002075548A1 (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7653050B2 (en) | 2002-02-05 | 2010-01-26 | Nortel Networks Limited | Technique for implementing a multi-service packet and optical/TDM virtual private cross-connect |
US7478429B2 (en) | 2004-10-01 | 2009-01-13 | Prolexic Technologies, Inc. | Network overload detection and mitigation system and method |
US7515926B2 (en) * | 2005-03-30 | 2009-04-07 | Alcatel-Lucent Usa Inc. | Detection of power-drain denial-of-service attacks in wireless networks |
US8914885B2 (en) * | 2006-11-03 | 2014-12-16 | Alcatel Lucent | Methods and apparatus for delivering control messages during a malicious attack in one or more packet networks |
EP2951973B1 (en) | 2013-01-31 | 2020-05-27 | BAE Systems PLC | Data transfer |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4924500A (en) * | 1989-05-17 | 1990-05-08 | Northern Telecom Limited | Carrier independent network services |
-
2002
- 2002-03-20 WO PCT/US2002/008577 patent/WO2002075548A1/en not_active Application Discontinuation
- 2002-03-20 MX MXPA03008421A patent/MXPA03008421A/en unknown
- 2002-03-20 CA CA002441712A patent/CA2441712A1/en not_active Abandoned
- 2002-03-20 CN CNA028068203A patent/CN1498368A/en active Pending
- 2002-03-20 BR BR0208223-3A patent/BR0208223A/en not_active Application Discontinuation
- 2002-03-20 EP EP02728525A patent/EP1374057A4/en not_active Withdrawn
- 2002-03-20 JP JP2002574087A patent/JP2004533149A/en not_active Withdrawn
Non-Patent Citations (5)
Title |
---|
ANONYMOUS: "I-D Action: draft-ouldbrahim-vpn-vr-03.txt"[Online] 5 March 2001 (2001-03-05), XP002295822 IETF Announcement list Retrieved from the Internet: URL:http://www.atm.tut.fi/list-archive/iet f-announce/msg02879.html> [retrieved on 2004-09-07] * |
KAVAK N: "ERICSSON'S NETWORK-BASED IP-VPN SOLUTIONS" ON - ERICSSON REVIEW, ERICSSON. STOCKHOLM, SE, no. 3, 2000, pages 178-191, XP000966163 ISSN: 0014-0171 * |
O'LEARY D: "Virtual Private Networks: Progress and Challenges" THE NORTH AMERICAN NETWORK OPERATORS' GROUP NANOG 18TH MEETING, 6-8 FEBRUARY, SAN JOSE, CA, US, [Online] 7 February 2000 (2000-02-07), XP002295672 Retrieved from the Internet: URL:http://www.nanog.org/mtg-0002/ppt/vpn. ppt> [retrieved on 2004-09-08] * |
OULD-BRAHIM H ET AL: "Network based IP VPN Architecture Using Virtual Routers" INTERNET DRAFT, 2 March 2001 (2001-03-02), XP002295821 * |
See also references of WO02075548A1 * |
Also Published As
Publication number | Publication date |
---|---|
MXPA03008421A (en) | 2004-01-29 |
CA2441712A1 (en) | 2002-09-26 |
WO2002075548A1 (en) | 2002-09-26 |
CN1498368A (en) | 2004-05-19 |
BR0208223A (en) | 2004-03-02 |
JP2004533149A (en) | 2004-10-28 |
EP1374057A4 (en) | 2004-11-10 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9009812B2 (en) | System, method and apparatus that employ virtual private networks to resist IP QoS denial of service attacks | |
US7447151B2 (en) | Virtual private network (VPN)-aware customer premises equipment (CPE) edge router | |
US7809860B2 (en) | System, method and apparatus that isolate virtual private network (VPN) and best effort traffic to resist denial of service attacks | |
US9088619B2 (en) | Quality of service based on logical port identifier for broadband aggregation networks | |
US20040223499A1 (en) | Communications networks with converged services | |
US7302493B1 (en) | System and method for providing desired service policies to subscribers accessing the internet | |
JP2013009406A (en) | Providing desired service policies to subscribers accessing internet | |
WO2002076029A1 (en) | System, method and apparatus that isolate virtual private network (vpn) and best effort traffic to resist denial of service attacks | |
EP1374057A1 (en) | SYSTEM, METHOD AND APPARATUS THAT EMPLOY VIRTUAL PRIVATE NETWORKS TO RESIST IP QoS DENIAL OF SERVICE ATTACKS | |
Cisco | Introduction to Cisco MPLS VPN Technology | |
Cisco | Introduction to Cisco MPLS VPN Technology | |
Cisco | Introduction to MPLS VPN Technology | |
AU2002258570A1 (en) | System, method and apparatus that employ virtual private networks to resist IP QoS denial of service attacks | |
AU2002250371A1 (en) | System, method and apparatus that isolate virtual private network (VPN) and best effort traffic to resist denial of service attacks | |
AU2002242345A1 (en) | Virtual private network (VPN)-aware customer premises equipment (CPE) edge router | |
Anerousis et al. | Service level routing on the Internet | |
Redlich et al. | Virtual networks in the Internet |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20031020 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR |
|
AX | Request for extension of the european patent |
Extension state: AL LT LV MK RO SI |
|
RIC1 | Information provided on ipc code assigned before grant |
Ipc: 7H 04L 12/46 B Ipc: 7H 04L 29/06 A |
|
A4 | Supplementary search report drawn up and despatched |
Effective date: 20040929 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
|
18D | Application deemed to be withdrawn |
Effective date: 20041213 |