Trusted Delivery Networks VPN

April 1st, 2008

Trusted VPNs (sometimes referred to as APNs - Actual Private Networks) do not use cryptographic tunneling, and instead rely on the security of a single provider’s network to protect the traffic. In a sense, these are an elaboration of traditional network and system administration work.

* Multi-Protocol Label Switching (MPLS) is often used to overlay VPNs on a trusted delivery network, frequently with quality of service control.
* Layer 2 Tunneling Protocol (L2TP) is a standards-based replacement for, and a compromise taking the good features from each of, two proprietary VPN protocols: Cisco’s Layer 2 Forwarding (L2F), now obsolete, and Microsoft’s Point-to-Point Tunneling Protocol (PPTP).

Categorization by User Administrative Relationships using VPN

April 1st, 2008

The Internet Engineering Task Force (IETF) categorized a variety of VPNs, some of which, such as Virtual LANs (VLAN), are the standardization responsibility of other organizations, such as the Institute of Electrical and Electronics Engineers (IEEE) Project 802, Workgroup 802.1 (architecture). Originally, network nodes within a single enterprise were interconnected with Wide Area Network (WAN) links from a telecommunications service provider. With the advent of LANs, enterprises could interconnect their nodes with links that they owned. While the original WANs used dedicated lines and layer 2 multiplexed services such as Frame Relay, IP-based layer 3 networks, such as the ARPANET, the Internet and military IP networks (NIPRNET, SIPRNET, JWICS, etc.), became common interconnection media. VPNs began to be defined over IP networks. The military networks may themselves be implemented as VPNs on common transmission equipment, but with separate encryption and perhaps routers.

It became useful first to distinguish among different kinds of IP VPN based on the administrative relationships, not the technology, interconnecting the nodes. Once the relationships were defined, different technologies could be used, depending on requirements such as security and quality of service.

When an enterprise interconnected a set of nodes, all under its administrative control, through a LAN, that was termed an intranet. When the interconnected nodes were under multiple administrative authorities, but were hidden from the public Internet, the resulting set of nodes was called an extranet. Both intranets and extranets could be managed by a user organization, or the service could be obtained as a contracted offering, usually customized, from an IP service provider. In the latter case, the user organization contracted for layer 3 services much as it had contracted for layer 1 services such as dedicated lines, or multiplexed layer 2 services such as frame relay.

The IETF distinguishes between provider-provisioned and customer-provisioned VPNs. Much as conventional WAN services can be provided by an interconnected set of providers, provider-provisioned VPNs (PPVPNs) can be provided by a single service provider that presents a common point of contact to the user organization.

Business Case for Using VPN

April 1st, 2008

Attractions of VPNs to enterprises include:

* Shared facilities may be cheaper—especially in capital expenditure (CAPEX)—than traditional routed networks over dedicated facilities.
* Can rapidly link enterprise offices, as well as small-and-home-office and mobile workers.
* Allow customization of security and quality of service as needed for specific applications.
* Can scale to meet sudden demands, especially when provider-provisioned on shared infrastructure.
* Can reduce operational expenditure (OPEX) by outsourcing support and facilities.

Distributing VPNs to homes, telecommuters, and small offices may put access to sensitive information in facilities not as well protected as more traditional facilities. VPNs need to be designed and operated under well-thought-out security policies. Organizations using them must have clear security rules supported by top management. When access goes beyond traditional office facilities, where there may be no professional administrators, security must be maintained as transparently as possible to end users.

Some organizations with especially sensitive data, such as health care companies, even arrange for an employee’s home to have two separate WAN connections: one for working on that employer’s sensitive data and one for all other uses. More commonly, bringing up the secure VPN cuts off Internet connectivity for any use except secure communications into the enterprise; Internet access is still possible but goes through enterprise access rather than that of the local user.

In situations in which a company or individual has legal obligations to keep information confidential, exposure of that information through a poorly protected remote site may create legal problems, even criminal ones. Two examples are the HIPAA regulations in the U.S. with regard to health data, and the more general European Union data privacy regulations, which apply even to marketing and billing information and extend to those who share that data elsewhere.

Virtual private network

April 1st, 2008

A virtual private network (VPN) is a communications network tunneled through another network, and dedicated for a specific network. One common application is secure communications through the public Internet, but a VPN need not have explicit security features, such as authentication or content encryption. VPNs, for example, can be used to separate the traffic of different user communities over an underlying network with strong security features.

A VPN may have best-effort performance, or may have a defined service level agreement (SLA) between the VPN customer and the VPN service provider. Generally, a VPN has a topology more complex than point-to-point. The distinguishing characteristic of VPNs is not security or performance, but that they overlay other network(s) to provide a certain functionality that is meaningful to a user community.

Resolving with IPV4

April 1st, 2008

The Internet is most publicly known not by IP addresses but by names (e.g., www.wikipedia.org, www.whitehouse.gov, www.freebsd.org, www.berkeley.edu). The routing of IP packets across the Internet is oblivious to such names. This requires translating (or resolving) names to IP addresses.

The Domain Name System (DNS) provides such a system to convert names to IP address(es) and IP addresses to names. Much like CIDR addressing, the DNS naming is also hierarchical and allows for subdelegation of name spaces to other DNS servers.

Think of this in a similar way to how you find a phone number. You want to call The Acme Bakers but don’t know the number. You ring directory enquiries and they tell you the number you need to dial or can even connect you. Next you might want to call Acme Builder. Again, you only need to know the phone number of directory enquiries, they will almost always have the number you want and connect you. Only if you ask directory enquiries for the number of a company which doesn’t exist will they say they can’t connect you - similar to a DNS error in your web browser.
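The delegation walk described above, as an added example that is not part of the original page: a minimal iterative resolver over constructed, in-memory zone data (the server names and records are made up) that follows referrals from the root down the name hierarchy and reports the servers it consulted.

```python
# Added example, not from the original page: a minimal iterative resolver over
# constructed in-memory zone data, showing how delegation walks the name
# hierarchy from the root down. Server names and records are made up.
from typing import Optional

ROOT = "root-server"

# Constructed zones: each server either holds the answer (an "A" record) or
# refers the client to the server delegated for a sub-namespace ("NS").
ZONES = {
    ROOT:             {"NS": {"org": "org-tld-server", "gov": "gov-tld-server"}, "A": {}},
    "org-tld-server": {"NS": {"wikipedia.org": "wikipedia-ns"}, "A": {}},
    "gov-tld-server": {"NS": {}, "A": {}},
    "wikipedia-ns":   {"NS": {}, "A": {"www.wikipedia.org": "203.0.113.10"}},
}

def resolve(name: str, max_hops: int = 8) -> tuple[Optional[str], list[str]]:
    """Follow referrals from the root until a server answers.

    Returns (address, servers_consulted); address is None when no server in
    the chain can answer, the DNS-error case the text compares to asking
    directory enquiries for a company that does not exist.
    """
    labels = name.rstrip(".").lower().split(".")
    qname = ".".join(labels)
    server, chain = ROOT, []
    for _ in range(max_hops):  # bound the walk so a bad delegation cannot loop forever
        chain.append(server)
        zone = ZONES[server]
        if qname in zone["A"]:
            return zone["A"][qname], chain
        # Try the longest delegated suffix first ("www.example.org", then
        # "example.org", then "org"); the first match is the referral to follow.
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in zone["NS"]:
                server = zone["NS"][suffix]
                break
        else:
            return None, chain  # neither an answer nor a delegation: name does not exist
    return None, chain  # referral loop guard tripped
```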

IP Addresses ending in 0 or 255 in IPV4

April 1st, 2008

It is a common misconception that IP addresses ending in 255 or 0 can never be assigned to hosts on a subnet, but this is purely an artifact of classful addressing.

In classful addressing (now obsolete with the advent of CIDR), there are only 3 possible subnet masks: 255.0.0.0 (Class A), 255.255.0.0 (Class B), 255.255.255.0 (Class C). If we have the subnet 192.168.5.0/255.255.255.0, the network identifier 192.168.5.0 refers to the entire network, so to avoid confusion, it cannot be assigned to a device on the network.

A broadcast address is an IP address that allows information to be sent to all machines on a given subnet rather than a specific machine. Generally, the broadcast address is found by taking the bit complement of the subnet mask and then OR-ing it bitwise with the network identifier. More simply, the broadcast address is the last IP address in the range belonging to the subnet. In our example, the broadcast address would be 192.168.5.255, so to avoid confusion this IP address also cannot be assigned to a host. On a Class A, B, or C subnet, the broadcast address would always end in 255.

However, this does not mean that all IP addresses ending in 255 cannot be used as host IP addresses. For example, if we had a Class B subnet 192.168.0.0/255.255.0.0, this is equivalent to the range 192.168.0.0 - 192.168.255.255. The broadcast address would be 192.168.255.255. However, we can assign 192.168.1.255, 192.168.2.255, etc. (though this can cause confusion). Also, 192.168.0.0 is the network identifier and so cannot be assigned, but 192.168.1.0, 192.168.2.0, etc. can be assigned (though this can also cause confusion).

With the advent of CIDR, broadcast addresses may not necessarily end with 255.

In general, the first and last IP addresses in a subnet are used as the network identifier and broadcast address, respectively. All other IP addresses in the subnet can be assigned to hosts on the subnet.
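The network-identifier and broadcast computation described above, as an added example that is not part of the original page: the broadcast address is the bit complement of the mask OR-ed into the network identifier, and an address is a usable host address unless it equals one of those two. It goes slightly beyond the text by treating /31 and /32 prefixes as having no separate network or broadcast address (RFC 3021).

```python
# Added example, not from the original page: compute a subnet's network
# identifier and broadcast address the way the text describes, then classify
# any address within that subnet. Addresses are handled as 32-bit integers.
import socket
import struct

def ip_to_int(addr: str) -> int:
    return struct.unpack("!I", socket.inet_aton(addr))[0]

def int_to_ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))

def prefix_to_mask(prefix_len: int) -> int:
    """Build the subnet mask for a CIDR prefix length, e.g. 24 -> 0xFFFFFF00."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF

def subnet_bounds(addr: str, prefix_len: int) -> tuple[str, str]:
    """Return (network identifier, broadcast address) of the subnet containing addr."""
    mask = prefix_to_mask(prefix_len)
    network = ip_to_int(addr) & mask
    # Broadcast = bit complement of the mask OR-ed with the network identifier.
    broadcast = network | (~mask & 0xFFFFFFFF)
    return int_to_ip(network), int_to_ip(broadcast)

def classify(addr: str, prefix_len: int) -> str:
    """Label addr as 'network', 'broadcast' or 'host' within its /prefix_len subnet."""
    if prefix_len >= 31:
        # /31 point-to-point links and /32 single hosts reserve no addresses (RFC 3021).
        return "host"
    network, broadcast = subnet_bounds(addr, prefix_len)
    value = ip_to_int(addr)
    if value == ip_to_int(network):
        return "network"
    if value == ip_to_int(broadcast):
        return "broadcast"
    return "host"

if __name__ == "__main__":
    # The page's own cases: 192.168.1.255 is a host in a /16, a broadcast in a /24,
    # and under CIDR a broadcast need not end in 255 at all.
    for a, p in [("192.168.1.255", 16), ("192.168.1.255", 24), ("10.0.0.127", 25)]:
        print(a, "/", p, "->", classify(a, p), subnet_bounds(a, p))
```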

Allocation in IPV4

April 1st, 2008

Originally, the IP address was divided into two parts:

* Network id – first octet
* Host id – last three octets

This created an upper limit of 256 networks. As the networks began to be allocated, this was soon seen to be inadequate.

To overcome this limit, different classes of network were defined, in a system which later became known as classful networking. Five classes were created (A, B, C, D, & E), three of which (A, B, & C) had different lengths for the network field. The rest of the address field in these three classes was used to identify a host on that network, which meant that each network class had a different maximum number of hosts. Thus there were a few networks with lots of host addresses and numerous networks with only a few addresses. Class D was for multicast addresses and class E was reserved.

Around 1993, these classes were replaced with a Classless Inter-Domain Routing (CIDR) scheme, and the previous scheme was dubbed “classful”, by contrast. CIDR’s primary advantage is to allow re-division of Class A, B & C networks so that smaller (or larger) blocks of addresses may be allocated to entities (such as Internet service providers, or their customers) or local area networks.

The actual assignment of an address is not arbitrary. The fundamental principle of routing is that an address encodes information about a device’s location within a network. This implies that an address assigned to one part of a network will not function in another part of the network. A hierarchical structure, created by CIDR and overseen by the Internet Assigned Numbers Authority (IANA) and its Regional Internet Registries (RIRs), manages the assignment of Internet addresses worldwide. Each RIR maintains a publicly searchable WHOIS database that provides information about IP address assignments; information from these databases plays a central role in numerous tools that attempt to locate IP addresses geographically.

Addressing of IPV4

April 1st, 2008

IPv4 uses 32-bit (4-byte) addresses, which limits the address space to 4,294,967,296 (2^32) possible unique addresses. However, some are reserved for special purposes such as private networks (~18 million addresses) or multicast addresses (~16 million addresses). This reduces the number of addresses that can be allocated as public Internet addresses. As the available addresses are consumed, an IPv4 address shortage appears to be inevitable; however, Network Address Translation (NAT) has significantly delayed it.

This limitation has helped stimulate the push towards IPv6, which is currently in the early stages of deployment and is currently the only contender to replace IPv4.

IPv4

April 1st, 2008

Internet Protocol version 4 (IPv4) is the fourth iteration of the Internet Protocol (IP) and it is the first version of the protocol to be widely deployed. IPv4 is the dominant network layer protocol on the Internet and apart from IPv6 it is the only standard internetwork-layer protocol used on the Internet.

It is described in IETF RFC 791 (September 1981) which made obsolete RFC 760 (January 1980). The United States Department of Defense also standardized it as MIL-STD-1777.

IPv4 is a data-oriented protocol for use on a packet-switched internetwork (e.g., Ethernet). It is a best-effort protocol in that it does not guarantee delivery. It makes no guarantees about the correctness of the data; it may deliver duplicated packets and/or packets out of order. These aspects are addressed by an upper-layer protocol (e.g., TCP, and partly by UDP).

Version history of IP

April 1st, 2008

IP is the common element found in today’s public Internet. The current and most popular network layer protocol in use today is IPv4, which carries version number 4; it is described in RFC 791 (1981).

IPv6 is the proposed successor to IPv4; its most prominent change is in addressing. IPv4 uses 32-bit addresses (~4 billion addresses) while IPv6 uses 128-bit addresses (~3.4×10^38 addresses). Although adoption of IPv6 has been slow, as of 2008 all United States government systems must support IPv6 (if only at the backbone level).

Version numbers 0 through 3 were development versions of IPv4 used between 1977 and 1979. Version number 5 was used by the Internet Stream Protocol (IST), an experimental stream protocol. Version numbers 6 through 9 were assigned to experimental protocols designed to replace IPv4: SIPP (Simple Internet Protocol Plus, known today as IPv6), TP/IX (RFC 1475), PIP (RFC 1621) and TUBA (TCP and UDP with Bigger Addresses, RFC 1347). Of these, only IPv6 is still in use.

In 2004, a Chinese project called IPv9 was briefly mentioned in the press as a possible competitor to IPv6. The proposal had no affiliation with or support by any international standards body, and appears to have gained no traction even within China.