
Traffic analysis and security in ATM networks (original Turkish title: ATM şebekelerde trafik analizi ve güvenlik)

  1. Thesis No: 75555
  2. Author: HALİL AYDIN
  3. Advisors: PROF. DR. GÜNSEL DURUSOY
  4. Thesis Type: Master's
  5. Subjects: Electrical and Electronics Engineering
  6. Keywords: Not specified.
  7. Year: 1998
  8. Language: Turkish
  9. University: İstanbul Teknik Üniversitesi
  10. Institute: Fen Bilimleri Enstitüsü
  11. Department: Department of Electronics and Communication Engineering
  12. Discipline: Not specified.
  13. Number of Pages: 131

Abstract

Today, ATM backbone networks used in local and campus areas are capable of delivering high performance in terms of the required bandwidth, high speed and the quality of service provided to users. In ATM, which operates in connection-oriented mode, transmission is essentially carried out in fixed-length packets called cells, and in this respect it differs from other transmission techniques. Support for interworking with the many networks currently in use will mean increased demand for ATM in the near future. Since Asynchronous Transfer Mode (ATM) delivers the three basic transmission types, voice, video and data, combined over the same connection, it is on its way to becoming the universal transmission mode and forms the basis for the development of BISDN technology. In ATM, which was developed by combining certain features of packet-switched and circuit-switched networks, different applications make different service requests of the network. Consequently, to support all the traffic types requesting service from the network, the previously agreed quality of service (QoS) must be delivered effectively. For ATM to become a more widely preferred transmission mode in the future, it must interwork with existing communication protocols, applications and network elements. To achieve this, LANs operating in connectionless mode must be enabled to interwork with ATM LANs by developing certain intermediate functions. Since hardware-based ATM transmits at high speeds, keeping the network under control also becomes harder. For this reason, instead of building one very large ATM network, building smaller ATM LANs is preferred, both to increase manageability and to provide security at the boundaries. Meeting service requests with very different traffic characteristics causes various traffic and congestion problems in the network. Therefore, traffic and congestion control is one of the main issues to be overcome in ATM networks.
The development of effective control methods such as priority control, used to minimize loss and delay; usage parameter control (UPC), which imposes effective controls on the cell flow; and connection admission control, which decides at a switching element whether a connection will be accepted, increases confidence in ATM networks. The security problem in ATM networks, also addressed in this study, is one of the most studied and most interesting topics of recent times. Various security measures are taken to protect against the various attacks that can be made on networks. One of the most effective ways of transmitting a cell securely from one point to its destination is to encrypt the data carried in it. Against the possibility that the key itself is obtained, changing and updating the key at certain time intervals can be counted among the effective solutions.

Abstract (Translation)

TRAFFIC ANALYSIS AND SECURITY IN ATM NETWORKS

In the mid-1980s some scientists argued that virtual circuits were ideal for the efficient utilization of network resources when applications have widely different performance requirements. In a virtual circuit network, the nodes can set aside resources for specific connections and can also discriminate among connections in order to meet their different requirements. Those arguments culminated in the development of a new set of standards for a class of virtual circuit networks called ATM networks. ATM networks seek to provide the end-to-end transfer of fixed-size packets, or cells, over a virtual circuit with a specified quality of service. Asynchronous Transfer Mode (ATM) is a hardware, switching and multiplexing technology implemented in connection-oriented mode for a wide range of services. ATM is intended to be a universal transfer mode in both local and wide area networks. ATM differs from existing networks in many ways. One of them is that ATM makes a contract that guarantees specified bounds on delay and cell loss. ATM also guarantees sufficient idle resources to meet the QoS requirements of a new connection request. In order to support a wide range of applications, ATM networks must be appropriately scalable and supply different qualities of service. ATM networks are designed to support both real-time applications such as video connections and telephone services and non-real-time applications such as e-mail and file transfers. ATM will also support Broadband Integrated Services Digital Networks (BISDNs) and internetworking such as TCP/IP, and will work with existing LANs. ATM is a connection-oriented service. In a connection service over a virtual circuit, the data stream from origin to destination follows the same path. Data from different connections is distinguished by means of a virtual channel identifier (VCI). A connection over a virtual circuit is called a virtual channel in ATM terminology.
In ATM networks, cells on the same connection reach the destination in the order they are sent from the source. The ATM Forum specifies five categories of service that an ATM network can provide: constant bit rate (CBR), variable bit rate-real time (VBR-RT), variable bit rate-non real time (VBR-NRT), available bit rate (ABR), and unspecified bit rate (UBR). These services differ in the quality of service parameters and the traffic parameters that they specify. To find a path from the source to the destination that can provide the service, the ATM network uses a routing algorithm. This algorithm is still largely unspecified, except for its general mechanism. When a user wants service from the network, the user indicates to the network that it desires a given service, for example VBR-RT with given parameters. The indication is carried on a specific VCI between the user's system and the ATM switch. The switch looks into its routing database, which maintains an image of the network state. Importantly, ATM switches can identify different connections by their VCI. This means that the switches can potentially discriminate among different connections. Another important point is that an ATM network is expected to offer the transfer of cell streams from source to destination under a specified range of quality of service, to meet the varying needs of applications. ATM addressing has been defined by the ATM Forum. Each ATM system is assigned an ATM address that is independent of the higher-layer protocol addresses (such as IP addresses). ATM addresses are 20 bytes long and contain a 48-bit MAC address. Through signalling, an end system can specify its MAC address to the ATM switch it is attached to and get back its full ATM address. In ATM networks group addresses can also be defined. For example, to send an IP packet to a specified destination over an ATM network, a router uses an address resolution protocol to determine the destination ATM address.
Because of its flexibility and support of multimedia traffic, interest has arisen in ATM technology. Interest is growing in the application of ATM technology to local and campus area networks. The difference between existing LANs and ATM networks is that ATM offers much greater capacity than shared-medium LANs. It is scalable in that the capacity of an ATM system is not fundamentally limited by the technology itself. To be successfully implemented on LANs, ATM must offer LAN-like service for data traffic and be compatible with existing data communications protocols, applications and equipment. Currently, LANs offer a connectionless best-effort service (lost or corrupted packets are not retransmitted) for the transfer of variable-size data packets. They offer broadcast, multicast and point-to-point data transfer. Users need not set up a connection or declare traffic characteristics before transmitting any data. Users that need to send their data simply submit traffic to the current LAN. In contrast, ATM guarantees bandwidth and resource allocation. To offer general compatibility with existing networks and protocols, regardless of the network layer and upper layers, and to support MAC bridging, an interface at the MAC sublayer is required. This will allow the legacy of existing LAN applications to migrate to the ATM environment. For this reason, as mentioned above, a MAC sublayer should be developed for ATM LANs that offers the same connectionless MAC service as the IEEE 802 and FDDI MAC sublayers. ATM is connection-oriented and, because of this, it does not naturally support a connectionless service. To work with connectionless networks, an ATM LAN must offer a connectionless service at the MAC sublayer. As mentioned above, ATM provides a connection-oriented service, and to be compatible with the connectionless MAC service, a protocol layer emulating the connectionless service of a LAN must be designed on top of the ATM adaptation layer (AAL).
This service is called the ATM MAC sublayer. The ATM MAC sublayer emulates the LAN service by creating the appearance of a virtual shared medium out of an actual point-to-point network. Thus, the ATM MAC sublayer offers a best-effort, connectionless, datagram transfer service. However, this approach gives up some of the benefits of ATM and requires substantial hardware in addition to the ATM switch. LAN emulation using switched virtual connections requires address resolution to locate the destination end station, followed by connection establishment to the resulting ATM address. Address resolution may be implemented by a broadcast technique or by an address server. An address resolution operation is first required to translate the 48-bit MAC address into an ATM address. Once the ATM address of the destination has been discovered, a point-to-point ATM virtual connection is established to the destination using the ATM signalling protocol. Another issue to be overcome in ATM networks is traffic and congestion control. One of the basic problems is to design efficient traffic control schemes for the many different traffic characteristics and quality of service (QoS) requirements, from the user to the end system, that are supported by ATM networks. To meet these requirements, the usage of network resources and the flexibility in supporting several calls with different bit rates must be optimized. Moreover, in an ATM network it is possible for the user to request a quality of service that the network provides over the ATM connection. Although there are many topics to be investigated in network technology, the complexity of a traffic and congestion control scheme arises at the same time. One of the major goals of ATM networks is to support the superposition of different traffic with different bandwidths while meeting QoS requirements. There are two types of control mechanism in ATM networks: preventive control and reactive control.
Preventive control corresponds to traffic control and reactive control corresponds to congestion control. The traffic contract is an agreement between a user and a network across a User Network Interface (UNI). The purpose of traffic control is to minimize congestion. One of the most important preventive control functions is Connection Admission Control (CAC). It provides an algorithm which determines whether a new call can be accepted or must be rejected. Its decision is based on the traffic characteristics and QoS requirements of the new call and of the existing calls. The importance of CAC comes from how it allows calls to coexist by using statistical multiplexing while at the same time maintaining the required QoS for all existing calls. To protect network resources and quality of service by detecting violations of the negotiated traffic contract, a policing function called Usage Parameter Control/Network Parameter Control (UPC/NPC) is required. UPC/NPC ensures that bandwidth and buffering resources are fairly allocated among the users according to their traffic contracts. Without such enforcement there would be unfairness, or a single user could use all of the network resources. But the standards do not specify exactly how the UPC/NPC function is to be implemented; instead, the performance of any UPC/NPC implementation is specified in relation to the leaky bucket conformance algorithm. In an ATM network, three basic control capabilities can be used: the cell loss priority (CLP) bit, a capability for forward notification, and a capability for backward notification. Priority control can help achieve the full range of QoS loss and delay parameters required by the range of high-performance applications. This can be accomplished by priority queueing, service scheduling, or fair queueing. Basically, multiple queues are implemented in the switch. Priority queueing is defined between different VPCs and VCCs in order to meet different delay and loss priorities simultaneously.
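The leaky bucket conformance check that UPC/NPC performance is measured against, as an added Python illustration (not code from the thesis): the virtual-scheduling form of the Generic Cell Rate Algorithm, run over a constructed cell arrival sequence, with the policing action (CLP tagging or discard) applied to non-conforming cells. The peak cell rate, tolerance and arrival times are assumed values chosen for the example.

```python
"""Leaky-bucket (GCRA) cell conformance check for UPC/NPC policing.

Virtual-scheduling form: each conforming cell advances a theoretical
arrival time (TAT) by I = 1/PCR; a cell arriving earlier than TAT - L,
where L is the tolerance (CDVT), violates the traffic contract.
"""
from dataclasses import dataclass
from typing import List, Tuple

Cell = Tuple[float, int]  # (arrival time, CLP bit)

@dataclass
class Gcra:
    increment: float        # I: nominal spacing between cells, 1 / PCR
    limit: float            # L: tolerance (CDVT) in the same time unit
    tat: float = 0.0        # theoretical arrival time of the next cell

    def conforms(self, t: float) -> bool:
        """True if a cell arriving at time t conforms to the contract."""
        if t < self.tat - self.limit:
            # Too early: non-conforming. TAT is deliberately left alone so a
            # violating source cannot push the schedule further ahead.
            return False
        # Conforming: the next cell is expected I after the later of t and TAT.
        self.tat = max(t, self.tat) + self.increment
        return True

def police(cells: List[Cell], pcr: float, cdvt: float, action: str = "tag"):
    """Apply UPC to cells crossing the UNI.

    action="tag": violators are forwarded with CLP=1 (dropped first under
    congestion); action="discard": violators are dropped at the UNI.
    Returns (forwarded_cells, violation_count).
    """
    gcra = Gcra(increment=1.0 / pcr, limit=cdvt)
    forwarded: List[Cell] = []
    violations = 0
    for t, clp in cells:
        if gcra.conforms(t):
            forwarded.append((t, clp))
            continue
        violations += 1
        if action == "tag":
            forwarded.append((t, 1))
        elif action != "discard":
            raise ValueError("action must be 'tag' or 'discard'")
    return forwarded, violations

# Constructed arrival sequence: PCR of 0.1 cells per time unit (I = 10),
# CDVT of 2. The cells at t=31, 52 and 54 arrive faster than the peak rate.
SAMPLE_CELLS: List[Cell] = [(t, 0) for t in (0, 10, 20, 29, 31, 40, 50, 52, 54)]

if __name__ == "__main__":
    fwd, bad = police(SAMPLE_CELLS, pcr=0.1, cdvt=2.0, action="tag")
    print(f"{bad} non-conforming cells; CLP bits: {[c for _, c in fwd]}")
```

With tagging, the three violating cells are forwarded with CLP=1 and become the first candidates for discard at a congested switch; with discard, they never enter the network.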
The priority queueing function occurs on the output side of an output-buffered switch. Cell streams arriving at the switch are checked by means of their priority values and then directed to the corresponding queues for the output port. The output ATM port serves each of the queues according to a particular scheduling function. In a forward congestion notification, rate-based scheme, when a switch is congested, forward notifications are sent to the destination to inform it that congestion was encountered at some point along the VC/VP in the network. Upon receiving marked cells indicating that congestion has occurred, the destination returns control cells to inform the source of the congestion status. The source then acts on this feedback and increases or decreases its bit rate. In contrast, in backward congestion notification (BCN) the feedback information is sent directly from the congested point to the source, and the needed action is taken by the source. There is a need to manage critical resources in the nodes of an ATM network. There are two critical resources: one is buffer space and the other is trunk bandwidth. To simplify the management of trunk bandwidth, the network should use Virtual Paths (VPs). A VP can contain many VCs, and VP cell relaying operates only on the VPI portion of the cell header. Another mechanism that provides bandwidth allocation is called Fast Resource Management (FRM). With this method, bandwidth reservation basically involves reserving bandwidth at each node along an end-to-end route. The delayed reservation guarantees that bandwidth is reserved end-to-end. This is accomplished by a burst request to reserve the bandwidth at each intermediate node on the end-to-end route. Congestion management attempts to ensure that congestion is never experienced. For example, in real life we do not want to go out in rush-hour traffic, so we wait until we know that there will be a free hour in terms of traffic.
If policing is set to discard cells in excess of the peak rate and all trunk and buffer resources are allocated for the peak rate, then congestion simply cannot occur. This design scheme can be extended to handle worst-case failure scenarios. The manner in which resources are allocated determines whether a guaranteed QoS is met, so there should be sufficient resources allocated to meet the performance requirements for the expected mix of QoS class traffic. Many data communications applications wish to utilise as much of the available bandwidth as possible, thus attempting to continuously operate in a mildly congested state. The basic idea is to back off the offered load just before any loss occurs in the network, thus achieving maximum throughput with no loss. User access to the available bandwidth should also be fair, as mentioned before. In recent years, security has become more and more significant in the network environment with internetworking technology. Internetworking communication, which originally was not integrated with security mechanisms, has to be redesigned to provide security services. At first glance, ATM security should not be too difficult to implement since there are various security practices in other fields. However, an ATM switch is a high-speed cell multiplexer and an ATM network is a connection-oriented network. These properties bring some unique problems when trying to secure ATM communication. As in other network environments, security in ATM networks is a very important issue to be overcome. On the other hand, ATM promises secure and manageable bandwidth on demand with local/wide area network (LAN/WAN) integration and performance. The ATM Forum Security Working Group is currently developing its phase one security specification, which defines a number of security services for the ATM user plane and control plane. Mechanisms for carrying messages in a secure environment and the required security infrastructure are also being defined.
ATM will likely be used in the future to provide mission-critical services for applications such as financial transactions and military and medical information systems. These applications require a high degree of assurance in the security of the communications. Another precaution is that protection against spoofing, malicious data modification, and eavesdropping should be ensured. To build an ATM security system, the first thing one should do is to identify the requirements for securing communication over ATM. When we talk about network security we mean at least authentication, confidentiality and integrity. A security system for a network also has to provide secure key management (e.g. key distribution) services and user access control. A good key management scheme is the foundation of a security system. Security comes from encryption/decryption. If the keys used in encryption/decryption can be easily obtained by an attacker, then the security system will be defeated. In an ATM security implementation, encryption will happen at two levels. One level is the application level. At this level there won't be any problem since any security mechanism can be applied. The other level is the ATM layer level. At this level the security mechanism is applied at a switch. Authentication is very important in a communication system. In a public network, even the keys have to be authenticated to prevent spoofing. Authentication is used to make sure that the calling and called parties are indeed genuine. Authentication is the first step of the communication. In the ATM Forum Phase I specification, authentication is done via cryptographic techniques with symmetric or asymmetric key algorithms. According to the specification, the data confidentiality mechanism works on a per-cell basis. The payload of a cell will be encrypted so that it cannot be accessed by an unauthorized user. Encryption will not encrypt or change the cell header.
Confidentiality is required not only to keep the data from unauthorized access but also to guarantee the correct distribution of symmetric keys. The minimum level of security ATM needs to provide is authentication of ATM endpoints, as well as a method of protecting user data. Due to the high speed of ATM networks and the stringent quality of service requirements, security services should not introduce additional delay or cell delay variation. ATM security, as defined by the ATM Forum Security Working Group, is modelled after the ATM protocol reference model, which is divided into three planes: user, control and management. The user plane provides the transfer of user data. It contains the physical layer, the ATM layer and multiple ATM adaptation layers. The control plane deals with connection establishment, release, and other connection functions. The control plane shares the physical and ATM layers with the user plane. The management plane performs management and coordination functions related to both the user and control planes. Phase one of the ATM Forum security specification provides security services for the user plane and limited services for the control plane. The key exchange option of the security message exchange protocols allows the security agents at the two endpoints to agree on keys which will be used for confidentiality and encryption services during the lifetime of the connection. Once the connection is established, the session keys may be exchanged periodically for the duration of the connection; for this, the session key update protocol is used. Access control is an ATM security service that determines whether a connection is authorized to proceed. The format of the information required by the access control device must be standardized in order to achieve interoperability. Unlike the security services described earlier, the integrity service (data origin authentication) is active once the ATM circuit is established.
This mechanism provides protection against malicious modification and data insertion attacks, which could spoof an end system into acting on false data. As mentioned earlier, when a connection is established, keys for the integrity and confidentiality services are negotiated. To protect against malicious attacks, keys must be changed periodically (the frequency depends on the data rate). This procedure uses a master key, which is used to encrypt short-lived session keys, which are then used for a period of time for the integrity and confidentiality services. ATM security will provide protection for both user information and the network structure. The ATM security model is divided into three planes: the user, control and management planes. The ATM user plane security services provide protection for user information carried within virtual circuits in a number of ways. The control plane security service provides strong signalling message authentication.
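The per-cell confidentiality and master-key/session-key arrangement described above, as an added Python illustration (not code from the thesis or the ATM Forum specification): the payload of each 53-byte cell is encrypted under a session key while the 5-byte header is left untouched, and the session key is periodically replaced, each new key being delivered wrapped under the master key. The key lifetime, the per-connection cell sequence number and the HMAC-based keystream are this example's own assumptions.

```python
"""Per-cell payload encryption under session keys wrapped by a master key.

Only the 48-byte payload is encrypted; the 5-byte header stays in the clear so
switches can relay the cell. Session keys are replaced every KEY_LIFETIME cells.
Keystream is HMAC-SHA256 in counter mode, a stand-in for a real block cipher.
"""
import hashlib
import hmac
import os

HEADER_LEN, PAYLOAD_LEN = 5, 48
KEY_LIFETIME = 4  # cells per session key; tiny so the update is visible

def wrap_key(master: bytes, key_id: int, session_key: bytes) -> bytes:
    """Encrypt a 32-byte session key under the master key, bound to key_id.
    XOR with a master-derived pad is symmetric, so the same call unwraps."""
    pad = hmac.new(master, b"wrap" + key_id.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(session_key, pad))

def keystream(session_key: bytes, seq: int) -> bytes:
    """48-byte keystream for cell number seq; each (key, seq) pair is used once."""
    blocks = (hmac.new(session_key, seq.to_bytes(8, "big") + bytes([i]),
                       hashlib.sha256).digest() for i in range(2))
    return b"".join(blocks)[:PAYLOAD_LEN]

def protect_cell(cell: bytes, session_key: bytes, seq: int) -> bytes:
    """Encrypt (or, XOR being symmetric, decrypt) the payload; header untouched."""
    if len(cell) != HEADER_LEN + PAYLOAD_LEN:
        raise ValueError("an ATM cell is exactly 53 bytes")
    ks = keystream(session_key, seq)
    return cell[:HEADER_LEN] + bytes(p ^ k for p, k in zip(cell[HEADER_LEN:], ks))

class Sender:  # security agent at the calling end point
    def __init__(self, master: bytes):
        self.master, self.seq, self.key_id, self.session_key = master, 0, 0, b""

    def send(self, cell: bytes):
        """Returns (key_id, wrapped_key or None, seq, protected_cell)."""
        wrapped = None
        if self.seq % KEY_LIFETIME == 0:  # session-key update point
            self.key_id += 1
            self.session_key = os.urandom(32)
            wrapped = wrap_key(self.master, self.key_id, self.session_key)
        out = protect_cell(cell, self.session_key, self.seq)
        self.seq += 1
        return self.key_id, wrapped, self.seq - 1, out

class Receiver:  # security agent at the called end point; holds only the current key
    def __init__(self, master: bytes):
        self.master, self.key_id, self.session_key = master, 0, b""

    def receive(self, key_id: int, wrapped, seq: int, cell: bytes) -> bytes:
        if wrapped is not None:  # new epoch: unwrap and switch keys
            self.key_id, self.session_key = key_id, wrap_key(self.master, key_id, wrapped)
        if key_id != self.key_id:
            raise ValueError(f"cell refers to unknown session key {key_id}")
        return protect_cell(cell, self.session_key, seq)

def run_connection(master: bytes, cells):
    """Push cells through sender and receiver; returns (recovered, protected, key updates)."""
    snd, rcv = Sender(master), Receiver(master)
    recovered, protected, updates = [], [], 0
    for cell in cells:
        key_id, wrapped, seq, prot = snd.send(cell)
        updates += 1 if wrapped is not None else 0
        protected.append(prot)
        recovered.append(rcv.receive(key_id, wrapped, seq, prot))
    return recovered, protected, updates
```

The integrity service (data origin authentication) that the summary treats as a separate mechanism is not shown here; this block covers confidentiality and key update only.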

Similar Theses

  1. Traffic management and congestion control in ATM networks (original title: ATM şebekelerinde veri trafiği yönetimi ve yığılma kontrolü)

    İBRAHİM KOÇYİĞİT

    PhD

    Turkish

    2002

    Electrical and Electronics Engineering, Uludağ Üniversitesi

    Department of Electronics Engineering

    PROF. DR. ALİ OKTAY

  2. Traffic control and congestion control in ATM networks and proposed solution approaches (original title: ATM şebekelerde trafik ve yığılma kontrol problemi ve çözüm yaklaşımları)

    NİL IŞIL

    Master's

    Turkish

    1995

    Electrical and Electronics Engineering, İstanbul Teknik Üniversitesi

    PROF. DR. GÜNSEL DURUSOY

  3. Traffic control in ATM (asynchronous transfer mode) networks (original title: ATM (asenkron transfer modu) şebekelerde trafik kontrolü)

    GAZİ KARAKUŞ

    Master's

    Turkish

    2004

    Electrical and Electronics Engineering, İstanbul Teknik Üniversitesi

    Department of Electronics and Communication Engineering

    PROF. DR. GÜNSEL DURUSOY

  4. Performance models for hybrid switched networks (original title: Hibrit bağlaşmalı şebekeler için performans modelleri)

    HAKKI ASIM TERCİ

    Master's

    Turkish

    1996

    Electrical and Electronics Engineering, İstanbul Teknik Üniversitesi

    PROF. DR. GÜNSEL DURUSOY

  5. MPLS technology (original title: MPLS teknolojisi)

    EKREM TIĞLI

    Master's

    Turkish

    2004

    Electrical and Electronics Engineering, İstanbul Teknik Üniversitesi

    Department of Electrical and Electronics Engineering

    PROF. DR. GÜNSEL DURUSOY