Hierarchical network architecture: shortcut technology (lecture notes, chapters 8 and 9)
8. Shortcut communication

8.1 Shortcuts between node domains
If only one ISP provides access service in a region, there is a single tree in that region and attaching user networks to it is simple and sensible. When two or more ISPs appear, their trees cross and overlap, and traffic between users in the same locality may have to take a long-distance detour.

8.2 The need for shortcuts
1) Two or more ISPs in the same region provide network access to users with a hierarchical network structure.
[Figure: two overlapping trees with node domains A to M and hosts Ha, Hb, Hc]
2) Even with a single tree, some subscriber organizations have several branches in different districts of the city, with heavy traffic between them.
[Figure: one tree with node domains A, B, C, E, F and host Ha]
3) Monitoring and analysis of network traffic shows that a direct channel should be added between two districts.
4) The purpose of a shortcut is to reach the whole of the other side's network, not just one of its subtrees.

8.3 How node domains are shortcut
Any number of shortcut channels may exist in a hierarchical network; a node domain may have shortcut channels to any number of other node domains; shortcut channels may join node domains at any two different levels of the tree; and shortcut channels may be extended arbitrarily.
[Figure: trees with node domains A to M, hosts Ha, Hb, Hc, and dashed shortcut channels]

8.4 Control and management of shortcut channels
Tree-branch channel: consists of one or more physical channels. Shortcut channel: the channel drawn as a dashed line.
Before a node domain processes the tree channel it first makes a check: if it has no shortcut channel, or its shortcut channel is in the failed state, it processes the tree channel directly; if a shortcut channel exists, it processes the shortcut channel first and then the tree channel.

8.4 Control and management - shortcut channel table
Node-Id   SID   PID   Bandwidth   status
A1/B1     1     3     622         0
A2/B2     3     2     155         0
A3/B3     3     3     155         0

8.4 Control and management - localizing shortcut channels
So that the added shortcut channels do not disturb the properties of the tree structure, a shortcut channel is localized: it has only a point-to-point role. Once a packet has been handed to the far end of the shortcut channel, the channel's job is done.

8.4 Control and management - direct shortcut node domains
When a shortcut channel carries traffic between users in the two node domains it directly joins, this is called direct shortcut communication. For direct shortcut communication the control method above works only for the downward (toward the leaves) delivery process.

8.4 Control and management - indirect shortcut node domains
To gain the ability to deliver upward, the shortcut channel table can be extended. Node domains that are separated from the shortcut channel by tree channels are indirect shortcut node domains.

8.5.1 Problem one in shortcut communication: the shortcut tunnel
[Figure: two trees with node domains A to M and hosts Ha, Hb, Hc, shortcut between the trees]
Node domain A cannot send the datagram down to E, because it considers Ha's address to be outside the range of its own tree.
Solution: configure subdomain C's address prefix in node domain H as well, and set up a "shortcut prefix address mapping table" that maps subdomain C's address prefix to subdomain E's address prefix.

Simple Header
The IPv4 header has 20 octets and 12 basic header fields. The IPv6 header has 40 octets, three of the IPv4 basic header fields, and five additional header fields.

Using IPv6
IPv6 global unicast address: a 48-bit global routing prefix and a 16-bit subnet ID. The global unicast addresses currently assigned by the IANA are taken from the range beginning with the binary value 001 (2000::/3), which is divided among the five RIR registries (ARIN, RIPE, APNIC, LACNIC and AfriNIC).

IPv6 Addressing - private addresses
Site-local addresses are the counterpart of the RFC 1918 private address allocation in IPv4; they begin with FEC, FED, FEE or FEF (fec0::/10). Site-local addresses have since been deprecated (RFC 3879) in favour of unique local addresses, fd00::/8 (RFC 4193). Link-local addresses refer only to a particular physical link (physical network); they start with FE8, FE9, FEA or FEB (fe80::/10).

8.5.1 The shortcut tunnel: three ways of handling it
(1) Build a tunnel between H and E and do the processing at the tunnel endpoint.
(2) Enable extension-header processing: use the Destination Options extension header so that the temporary destination E checks the TLV and processes it.
(3) Encapsulate as an inner packet and remove the encapsulation at the temporary destination E.

8.5.2 Problem two in shortcut communication: duplicate paths
[Figure: two trees with node domains A to M and hosts Ha, Hb, Hc]
A rule must be added: not only does the indirect shortcut node domain A keep the mapping entry from C's address prefix to E's address prefix, every node domain on the paths between the direct shortcut node domain and A must keep this mapping entry as well.
[Figure labels: monotonic upward path, monotonic downward path]
(1) In the indirect shortcut node domain, keep mapping entries from the address prefixes of all direct and indirect shortcut node domains on the other side of the shortcut channel to the address prefix of the direct shortcut node domain on this side.
(2) If the segment from the direct shortcut node domain to the indirect shortcut node domain is a monotonic upward path, every node domain along it keeps the address mapping entries; if that segment is a non-monotonic path, none of the node domains along it keep them.
(3) When forwarding traffic in the reverse direction, the first node domain encountered that holds the corresponding address mapping entry tunnels the packet to the corresponding direct shortcut node domain.

8.5.3 Problem three in shortcut communication: loop paths
[Figure: tree with node domains A to P and hosts Ha, Hb]
Shortcut communication can be used not only between two different tree networks but also between different subtrees of the same tree. Two kinds of error can arise: (1) detours, which waste the precious bandwidth of the upper-level channels; (2) loops, in the communication between L and the users below it.

8.5.3 Shortcut rule
If the two direct shortcut node domains on either side of a shortcut channel lie on a monotonic upward or monotonic downward path of the same tree, the shortcut should be forbidden. If the path between them is non-monotonic, it is allowed.

8.5.4 Problem four in shortcut communication: extension of shortcut channels
[Figure: trees with node domains A to Q and hosts Ha, Hb, Hc, Hd]
However many times a shortcut is extended, one rule holds: direct shortcut channels may follow one another consecutively, or an indirect shortcut relationship may be inserted between them. In principle there is no limit to the number of extensions, but too many extensions quickly make the configuration hard for administrators to manage.
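The forwarding rules of 8.4 (shortcut channel examined before the tree channel, a failed channel ignored, the channel localized to a point-to-point hop), the prefix mapping and tunnel of 8.5.1, the installation rule of 8.5.2 and the monotonic-path rule of 8.5.3, simulated together in Python. This is an added example and not code from the lecture notes; the two trees, the node-domain names, prefixes, hosts and the single shortcut channel E-H are constructed assumptions. `shortcut_allowed` applies the 8.5.3 rule, `install_mapping` applies rules (1)-(2) of 8.5.2, and `forward` traces a packet through the two trees.

```python
"""Shortcut (短接) forwarding in a hierarchical tree network.

Added example, not code from the lecture notes. The trees (A, B, D, E and
K, H, C), their prefixes, hosts and the shortcut channel E-H are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

Net = ipaddress.IPv4Network


@dataclass
class Domain:
    name: str
    prefix: Net
    parent: Optional[str] = None
    children: list = field(default_factory=list)


@dataclass
class Shortcut:
    sid: int
    a: str
    b: str
    status: str = "up"          # "up" or "failed" (the status column of the table)

    def peer(self, name):
        return self.b if name == self.a else self.a


DOMAINS: dict = {}


def add_domain(name, prefix, parent=None):
    DOMAINS[name] = Domain(name, Net(prefix), parent)
    if parent:
        DOMAINS[parent].children.append(name)


# Constructed topology: prefixes aggregate along each tree.
add_domain("A", "10.1.0.0/16")              # tree 1 root
add_domain("B", "10.1.1.0/24", "A")
add_domain("D", "10.1.2.0/23", "A")
add_domain("E", "10.1.2.0/24", "D")         # direct shortcut domain, tree 1 side
add_domain("K", "10.2.0.0/16")              # tree 2 root
add_domain("H", "10.2.1.0/24", "K")         # direct shortcut domain, tree 2 side
add_domain("C", "10.2.1.128/25", "H")       # subdomain below H holding host Ha

SHORTCUTS = {1: Shortcut(1, "E", "H")}
# Shortcut channel table (8.4) extended with the prefixes reachable over the
# channel; H's entry also lists the indirect domain A so upward delivery works.
SC_TABLE = {"E": [(1, [Net("10.2.1.0/24")])],
            "H": [(1, [Net("10.1.2.0/24"), Net("10.1.0.0/16")])]}
# Shortcut prefix address mapping table (8.5.1):
# node -> [(foreign prefix, direct shortcut domain on this side, sid)]
MAPPING: dict = {}


def ancestors(name):
    out = []
    while DOMAINS[name].parent:
        name = DOMAINS[name].parent
        out.append(name)
    return out


def shortcut_allowed(x, y):
    """8.5.3 rule: forbidden when the endpoints lie on one monotonic up/down
    path (one is an ancestor of the other); allowed between subtrees or trees."""
    return x != y and x not in ancestors(y) and y not in ancestors(x)


def install_mapping(direct_dom, indirect_dom, foreign_prefix, sid):
    """8.5.2 rules (1)-(2): the indirect domain and every domain on the segment
    direct->indirect keep the entry when that segment is monotonic upward;
    a non-monotonic segment gets no entries at all."""
    chain = ancestors(direct_dom)
    if indirect_dom not in chain:
        return []
    along = chain[:chain.index(indirect_dom) + 1]
    for n in along:
        MAPPING.setdefault(n, []).append((Net(foreign_prefix), direct_dom, sid))
    return along


install_mapping("E", "A", "10.2.1.128/25", 1)     # C's prefix -> E, held by D and A


def forward(src_domain, dst, ttl=16):
    """Trace a packet to dst; returns the domains and events it passes through."""
    dst = ipaddress.ip_address(dst)
    node, tunnel_to, path = src_domain, None, []
    for _ in range(ttl):
        path.append(node)
        if tunnel_to == node:                     # tunnel endpoint: decapsulate
            tunnel_to = None
        if tunnel_to is None:
            # 1. shortcut channels are examined before the tree channel (8.4);
            #    the channel is point-to-point, the peer takes over afterwards
            hop = next((SHORTCUTS[sid].peer(node) for sid, fars in SC_TABLE.get(node, [])
                        if SHORTCUTS[sid].status == "up" and any(dst in p for p in fars)),
                       None)
            if hop:
                path.append(f"sc:{node}-{hop}")
                node = hop
                continue
            # 2. mapping entry: tunnel toward the direct shortcut domain (8.5.1),
            #    only while that shortcut is up, else A and E would ping-pong
            for pfx, direct_dom, sid in MAPPING.get(node, []):
                if dst in pfx and SHORTCUTS[sid].status == "up":
                    path.append(f"tunnel->{direct_dom}")
                    tunnel_to = direct_dom
                    break
        # 3. tree channel: down to the covering child, deliver, or up to the parent
        d = DOMAINS[node]
        target = DOMAINS[tunnel_to].prefix.network_address if tunnel_to else dst
        child = next((c for c in d.children if target in DOMAINS[c].prefix), None)
        if child:
            node = child
        elif target in d.prefix:
            return path + ["delivered"]
        elif d.parent:
            node = d.parent
        else:
            return path + ["outside"]             # root: the address is not in this tree
    return path + ["dropped:ttl"]


if __name__ == "__main__":
    print(shortcut_allowed("E", "H"), shortcut_allowed("A", "E"), shortcut_allowed("B", "E"))
    print(forward("B", "10.2.1.130"))     # Hb in B -> Ha in C: tunnel A->E, then the shortcut
    print(forward("C", "10.1.1.5"))       # reverse direction over the extended table
```

The mapping entry at A is consulted only while the shortcut it refers to is up. With the entry left active after E's channel fails, A would tunnel the packet to E, E (having no usable shortcut) would push it back up the tree, and the two would loop until the hop limit; the simulation learns the channel status through the shared SHORTCUTS table, and a real deployment has to propagate that status to the indirect domains as well.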

9. Network security

9.1 Drivers for Network Security
Network security professionals

9.1 Links in network security
The network infrastructure platform, network applications, and people.

9.1 A TCP conversation
ACLs enable you to control traffic into and out of your network. ACLs can be configured to control network traffic based on the TCP and UDP port numbers.

9.1 Packet filtering
A router acts as a packet filter when it forwards or denies packets according to filtering rules. The ACL extracts the following information from the packet header, tests it against its rules, and makes a permit or deny decision based on: source IP address, destination IP address, ICMP message type. The ACL can also extract upper-layer information and test it against its rules; upper-layer information includes the TCP/UDP source port and the TCP/UDP destination port.
For this scenario, the packet filter looks at each packet as follows: if the packet is a TCP SYN from network A using port 80, it is allowed to pass; all other access is denied to those users. If the packet is a TCP SYN from network B using port 80, it is blocked; however, all other access is permitted.

9.1 What is an ACL?
An ACL is a router configuration script that controls whether the router permits or denies packets based on criteria found in the packet header. ACLs perform the following tasks:
- Limit network traffic to increase network performance.
- Provide traffic flow control; ACLs can restrict the delivery of routing updates.
- Provide a basic level of security for network access: ACLs can allow one host to access a part of the network and prevent another host from accessing the same area.
- Decide which types of traffic to forward or block at the router interfaces.
- Control which areas a client can access on a network.
- Screen hosts to permit or deny access to network services: ACLs can permit or deny a user access to particular services, such as HTTP.

9.1 The three Ps
One ACL per protocol: to control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface. One ACL per direction: ACLs control traffic in one direction at a time on an interface, so two separate ACLs must be created to control inbound and outbound traffic. One ACL per interface: ACLs control traffic for one interface, for example Fast Ethernet 0/0.

9.1 ACL operation
ACLs are configured to apply either to inbound traffic or to outbound traffic. Inbound ACLs: incoming packets are processed before they are routed to the outbound interface. Outbound ACLs: incoming packets are routed to the outbound interface and then processed through the outbound ACL. Every ACL ends with an implied "deny all traffic" criteria statement: a packet that matches no entry is dropped.
[Slide: ACL and routing, and ACL processes on a router]

9.1 Types of Cisco ACLs
There are two types of Cisco IP ACLs, standard and extended. Standard ACLs permit or deny traffic based only on source IP addresses. Extended ACLs filter IP packets based on several attributes (IP addresses, ICMP, UDP, TCP, or protocol number).

9.1 How a standard ACL works
The two main tasks involved in using ACLs are: Step 1, create an access list by specifying an access list number or name and the access conditions; Step 2, apply the ACL to interfaces or terminal lines.

9.1 Numbering and naming ACLs
Starting with Cisco IOS Release 11.2, you can use a name to identify a Cisco ACL; the name tells you the purpose of the ACL. Numbers 200 to 1299 are used by other protocols: for example, numbers 600 to 699 are used by AppleTalk and numbers 800 to 899 by IPX.

9.1 Where to place ACLs
Every ACL should be placed where it has the greatest impact on efficiency. The basic rules are: locate extended ACLs as close as possible to the source of the traffic being denied, so that undesirable traffic is filtered without crossing the network infrastructure; because standard ACLs do not specify destination addresses, place them as close to the destination as possible.

9.2 Security properties of the hierarchical network: locating IP source addresses

9.2.1 Locating IP source addresses - three attack cases
(1) An attacker inside one user access network attempts to forge an address belonging to another user access network.
(2) A malicious attacker forges the address of another host in its own user access network, keeping the address prefix that the edge port of the hierarchical network assigned, while the target is in another user access network.
(3) The forging user and the victim are in the same access network.
Can today's Internet perform the same check at the edge of its routers? Because networks connect to one another arbitrarily, the user or ISP networks attached to a router include both stub networks and transit networks, so an edge port of a router cannot locate the home range of a packet that carries a forged address.
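A first-match evaluator for Cisco-style numbered IP access lists, written in Python as an added example (not code from the lecture notes or from Cisco IOS). It models the semantics described above: entries are tested in order, the first match decides, standard ACLs (1-99) test only the source, extended ACLs (100-199) test protocol, source, destination and port with wildcard masks, and a packet that matches nothing hits the implied deny. The constructed ACL 101 encodes the network A / network B scenario of the packet-filtering section; ACL 110 is an inbound filter for the edge-port source-address check of 9.2, where a forged source from another access network (case 1) is rejected but a forged source inside the port's own prefix (case 3) passes, which is exactly the limit the text describes. The network numbers 192.168.10.0/24, 192.168.11.0/24 and 10.1.1.0/24, the ACL numbers and the packets are assumptions.

```python
"""First-match evaluator for Cisco-style numbered IP access lists.

Added example, not code from the lecture notes or from Cisco IOS. Entries are
tested in order, the first match decides, and a packet matching nothing hits
the implied deny. The ACL texts, networks and packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "domain": 53}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"       # ip | tcp | udp | icmp
    dport: int = 0          # TCP/UDP destination port (0 = not applicable)


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _parse_addr(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD' | 'A' (standard ACL).
    Returns (predicate on a 32-bit address, remaining tokens)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        tokens = [tokens[1], "0.0.0.0"] + tokens[2:]
    elif len(tokens) == 1:
        tokens = tokens + ["0.0.0.0"]
    addr, wild = _to_int(tokens[0]), _to_int(tokens[1])
    # Cisco wildcard mask: a 1 bit means "do not care about this bit"
    return (lambda ip, a=addr, w=wild: ((ip ^ a) & ~w & 0xFFFFFFFF) == 0), tokens[2:]


def parse_acl(text):
    """Parse 'access-list N permit|deny ...' lines into [(action, predicate)]."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        if 1 <= number <= 99:                         # standard: source address only
            src_ok, rest = _parse_addr(rest)
            pred = lambda p, s=src_ok: s(_to_int(p.src))
        elif 100 <= number <= 199:                    # extended: proto, src, dst, port
            proto, rest = rest[0], rest[1:]
            src_ok, rest = _parse_addr(rest)
            dst_ok, rest = _parse_addr(rest)
            port = None
            if rest[:1] == ["eq"]:
                port = PORT_NAMES.get(rest[1]) or int(rest[1])

            def pred(p, proto=proto, s=src_ok, d=dst_ok, port=port):
                return ((proto == "ip" or p.proto == proto)
                        and s(_to_int(p.src)) and d(_to_int(p.dst))
                        and (port is None or p.dport == port))
        else:
            raise ValueError(f"access-list {number}: not an IP ACL number")
        entries.append((action, pred))
    return entries


def evaluate(entries, packet):
    """Return 'permit' or 'deny'; the implied deny-all ends every ACL."""
    for action, pred in entries:
        if pred(packet):
            return action
    return "deny"


# The packet-filtering scenario: network A (192.168.10.0/24, assumed) may only
# open TCP port 80; network B (192.168.11.0/24, assumed) may do anything but that.
SCENARIO_ACL = """
access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq 80
access-list 101 deny   ip  192.168.10.0 0.0.0.255 any
access-list 101 deny   tcp 192.168.11.0 0.0.0.255 any eq www
access-list 101 permit ip  192.168.11.0 0.0.0.255 any
"""

# Edge-port source-address check (9.2): the port was assigned 10.1.1.0/24
# (assumed), so packets arriving from the access network must carry a source
# inside that prefix.
INGRESS_ACL = """
access-list 110 permit ip 10.1.1.0 0.0.0.255 any
access-list 110 deny   ip any any
"""


def demo():
    """Decisions for a few constructed packets, keyed by a short label."""
    scen, ingress = parse_acl(SCENARIO_ACL), parse_acl(INGRESS_ACL)
    return {
        "A->80": evaluate(scen, Packet("192.168.10.5", "203.0.113.1", "tcp", 80)),
        "A->22": evaluate(scen, Packet("192.168.10.5", "203.0.113.1", "tcp", 22)),
        "B->80": evaluate(scen, Packet("192.168.11.5", "203.0.113.1", "tcp", 80)),
        "B->dns": evaluate(scen, Packet("192.168.11.5", "203.0.113.1", "udp", 53)),
        "other": evaluate(scen, Packet("192.168.12.5", "203.0.113.1", "tcp", 80)),
        "case1-spoof": evaluate(ingress, Packet("10.1.2.9", "10.1.1.20")),    # other access net: caught
        "case3-spoof": evaluate(ingress, Packet("10.1.1.77", "10.1.2.20")),   # same prefix: not detectable
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:12} {decision}")
```

Entry order matters: moving the `permit ip 192.168.11.0 ...` line above the `deny tcp ... eq www` line would silently re-open port 80 for network B, and the scenario's "all other access is denied" for network A is carried by the explicit `deny ip` line, since the implied deny only applies after every written entry has been tried.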
