Operator Neutrality in Residential Area network. MSc Student: Sermed Al-abbasi Coach: Fredrik Lilieblad Examiner: Björn Pehrson


Abstract

Operator neutrality has received a great deal of attention in the last year. Small Internet Service Providers (ISPs) saw it as an opportunity to enter the market, whereas large ISPs saw it as a threat. The average user sees great benefit in such a network in terms of competition between the ISPs, which might lead to cheaper Internet service. The residential area owners see it as a way to draw tenants to their real estate. This was the case with Svenska Bostäder (SveBo), one of the biggest real estate owners in Stockholm. SveBo started the KistaIP project together with KTH to build an operator neutral network. This thesis work resulted in one of the first operator neutral networks, providing the tenants with the opportunity and freedom to choose from different Internet providers. The work resulted not only in an operator neutral network but also in a model for building future residential area networks.

Acknowledgments

This thesis work has been a rewarding experience from day one; it has been a great opportunity to learn how to build a network from scratch as well as an opportunity to work with some great people. I would first like to thank Björn Pehrson, who gave me this challenging, rewarding thesis work, and for believing in me. Big thanks go to my coach Fredrik Lilieblad, who has managed to put up with my questions and helped me build the KistaIP network. There have been many colleagues who helped me solve different tasks during these months; one of them is Martin Hedenfalk, who developed the OASIS and helped with the server. Thanks to everybody at TSLab, ITuniversity and KTH. Finally I would like to thank my family and fiancé for giving me the support and just being there.

Index

OPERATOR NEUTRALITY IN RESIDENTIAL AREA NETWORK
ABSTRACT
FIGURES
INTRODUCTION
  Background
  KistaIP and KistaIX project
  Operator neutrality
  The Project Goals
  Report outline
NETWORK TECHNOLOGIES
  DTM
  Benefits and drawbacks using DTM
  Design types in DTM networks
  Dual Bus topology
  Point to point
  Single Ring
  Dual Ring
  Conclusion
  ATM
  Benefits using ATM
  The ATM network design
  Conclusion
  Gigabit Ethernet
  Benefits and Drawbacks using 1000BASE-T/FX
  Conclusion
  Summary of the different network technologies
PROTOCOLS, STANDARDS AND SERVICES
  VLAN 802.1Q
  The 802.1Q Frame
  Examples
  VLAN benefits and drawbacks
  The RADIUS authentication protocol
  DHCP
  PAM (Pluggable Authentication Modules)
  How it works
ACCESS MODELS IN OPEN NETWORKS
  DHCP login
  ISP Selection
  PPPoE login
  PPPoE
  ISP selection
  PPPoA login
  DHCP with Web Page login
  L2TP login
  4.5.1 L2TP ISP Selection
  Conclusion
INTERNET SERVICE PROVIDER (ISP) MODELS
  Single ISP access
  Multi ISP access
  Shared Access Infrastructure
  Conclusion
METHOD
  Goals for achieving operator neutrality
  Model
THE KISTAIP IMPLEMENTATION
  Resources
  Single-mode and multi-mode fibers
  Single-mode
  Multi-mode
  The network infrastructure
  Using VLANs
  The DTM ring and interfaces
  Changing the VLAN
  The ARV server box
  The client interface
  The configuration on the ARV box
  The ISP side
  The OASIS
  The lease script
  The SSL web server
  Prototype
  Security
  IP Spoofing
  User impersonation
  DoS attacks (Denial of Services)
  Packet sniffing
  Gateway security
FUTURE WORK
  Adding wireless components to the network
  Improving the logout mechanism
  Video and audio
  Economical issues
  Faster ISP switching
CONCLUSION
  Performance
  Security
  Usability
  Economy
  Future prospects
REFERENCES
APPENDIX
  Available resources
  The VLAN Port Changer (VPCH)
  The lease script
  The Database
  Macdb
  Isp
  The OASIS configuration
  Status report
CURRENT STATUS AT KISTAIP
  Background
  Current network configuration

Figures

Figure 1.1: A map over the area around KistaIP
Figure 2.1: Interface Configuration in a Dual Bus Topology
Figure 2.2: Interface configuration in Point-to-point Topology
Figure 2.3: Interface Configuration in a Single Ring Topology
Figure 2.4: Interface Configuration in a Dual Ring Topology
Figure 2.5: Example of an ATM Network Configuration
Figure 3.1: The Ethernet Frame with and without the VLAN extension
Figure 3.2: The VLAN Tag
Figure 3.3: VLAN usage in different networks
Figure 3.4: Message exchange between DHCP client and Servers
Figure 3.5: The relationship between the different parts in PAM
Figure 4.1: Message exchange between the Access Concentrators and host
Figure 4.2: An open access network using PPPoE
Figure 5.1: Single ISP access model
Figure 5.2: Multi ISP access model
Figure 5.3: Shared ISP access model
Figure 6.1: a simple operator neutral model
Figure 6.2: Message transport between the end user and the ISP
Figure 7.1: A Dynarc
Figure 7.2: A Dynarc
Figure 7.3: The Network Infrastructure at KistaIP
Figure 7.4: The database fields used for changing the VLAN
Figure 7.5: The registration page
Figure 7.6: The ISP change interface
Figure 7.7: The ARV box
Figure 7.8: The ISPs network configuration
Figure 7.9: The login page
Figure 7.10: The prototype

1 Introduction

The Internet consists of many Internet Service Providers (ISPs) interconnected at Internet exchange points (IX), where they exchange traffic with each other. To obtain access to the Internet, the consumer needs to sign a contract with one of these providers, usually for a long period of time and for a certain amount of money, which makes it hard and uneconomical to change ISP. One of the goals for KistaIP is to provide operator independent access to the Internet, meaning the ability to change ISP often and easily depending on the services that are provided.

About years ago Svenska Bostäder (SveBo) signed a contract with a cable-TV company to provide cable TV for the tenants. This contract was signed for a long period of time; once the tenants wanted to see other channels than the ones offered by the cable provider, they noticed that this was not possible. SveBo realized the problem and decided not to make the same mistake when building the network infrastructure for newly built buildings. SveBo and KTH decided to work together and build one of the first operator neutral networks for residential areas. KistaIP is the name of the residential area.

1.1 Background

August was the start for the new MSc program (civilingenjör, IT-linjen) at the then new IT-University. The program was planned to admit 150 students the first two years and then 300 students annually. To meet the need for student housing, Svenska Bostäder (SveBo) built 144 new student dorms at KistaIP with an advanced broadband infrastructure. To make use of the advanced infrastructure, a study [1] was conducted evaluating different network infrastructures, administrations and service provisions. As a continuation of the evaluation, a project called Kista IP-IX [2] at the project course 2G at KTH was designed to provide a Neutral Access Network at the KistaIP student dorms.

During the project time a study on different types of network models was made, and hardware for the network was purchased. Figure 1.1 shows a map over KistaIP (The map is taken from the IT university website at

Figure 1.1: A map over the area around KistaIP

KistaIP and KistaIX project

The KistaIP-IX project was one of the projects designed by the Communication System Design (2G1319) course at KTH. The project goals were the following [2]:
- Conducting a study on laws and regulations involving the establishment of an IX.
- To recommend and compare different network technologies suited for an IX.
- Investigate different business models used in IXs.
- Implement an operator neutral network.
- Establish an operator neutral IX.
- Advantages and disadvantages of running an IX.

Many of the goals were accomplished, although no implementation of an operator neutral network was made. This thesis can be considered a continuation of the KistaIP-IX project in terms of designing and providing an operator neutral network.

Operator neutrality

To be able to provide operator neutrality one must define the meaning of operator neutrality. Being operator neutral can mean many things; in this report it means the following:
- Freedom of choice: The users have the ability to choose the ISP of their choice.
- Short commitment time: Binding time to one ISP is only for a few seconds, making it easy to switch between ISPs.

The Project Goals

1. Make a status report for the current network configuration at KistaIP including the routing and connection to KistaIX (See 11.6).
2. Specify how KistaIP should be built to provide an operator independent access network.
3. Implement the final network configuration for the operator independent KistaIP and provide the tenants with the required software and instructions.

1.2 Report outline

The report starts with a background and goals description of the project. This is a technical report, which requires a description of the different technologies, protocols, standards and services; this is done in chapters 2 and 3. Chapter 4 describes different access models in open networks, and chapter 5 describes different provider models. Chapter 6 discusses the method to solve the different goals and chapter 7 describes the implementation at KistaIP. The report ends with possible future work in chapter 8 and a conclusion in chapter 9.

2 Network technologies

Several link layer technologies exist; each one provides some benefits as well as some drawbacks. Here are some of the technologies that may be implemented in an operator neutral environment.

2.1 DTM

Dynamic synchronous Transfer Mode (DTM) [3] is a fiber-optic broadband network architecture based on bandwidth reservation for circuit switching (note 3) augmented with dynamic reallocation of time slots. The DTM architecture was designed to be used where real-time multimedia applications and high-speed computer communication are needed. Nodes that are connected to the same DTM network communicate with each other over channels. A channel can be defined as a part of the bandwidth, reserved for use between the sender and receiver [4]. These channels are:
- Simplex: to achieve high bandwidth utilization.
- Multirate: The DTM channel is a dynamic resource that can be set to a bandwidth that is a multiple of 512 kbps, up to the full capacity of the link.
- Point-to-point: supports both MAC and IP level unicast addressing.
- Multicast: The DTM channels are built to support multicast traffic. This feature is important when distributing video/audio or other multicast services.

Note 3: Circuit switching is a communication type in which a dedicated channel is established for use during the transmission time (e.g. traditional telephones).

Benefits and drawbacks using DTM

DTM networks have a lot of benefits; some of them are mentioned below.
- DTM offers fast channel establishment; the delays associated with signaling for creation and deletion are short, less than a millisecond.
- The bandwidth of a channel can be guaranteed during the time the channel is up, which provides an isolated channel with constant delay across the network.
- Synchronous DTM channels support applications with real-time QoS requirements.
- When handling different types of traffic, DTM networks support separation and physical isolation between these channels.

Some of the drawbacks are:
- It is circuit switched, which means longer connection time.
- Difficult to maintain.
- Not supported by many companies, which makes it uncertain as a future technology.
- Low utilization: the minimum channel speed is 512 kbps, which is too big for small transmissions.

2.2 Design types in DTM networks

The design of a network depends on many factors: size, number of nodes, location of nodes, fiber access, QoS requirements and many other factors that should be taken into consideration. Here follow some of the design models [4] that can be used with DTM networks.

Dual Bus topology

In a dual bus topology the routers are connected as in the figures below: one fiber runs from Tx in the first router to Rx in the following router. The first router then receives the traffic on its second interface through Rx, which is connected to the second router's Tx output. In this topology the average inter-node distance is shorter than in a single ring, though this topology provides no protection against link failure; if the link is cut, communication is lost.

Figure 2.1: Interface Configuration in a Dual Bus Topology

Point to point

Point-to-point topology can only be used between two routers, making it inappropriate for networks where more than two routers are used, as seen in Figure 2.2. The topology also offers no protection against link failure.

Figure 2.2: Interface configuration in Point-to-point Topology

Single Ring

The single ring topology (see Figure 2.3) is a good way to start a network since it is easy to expand to a dual ring topology. A drawback is that a single ring topology has no redundancy: when the link fails, there is no communication at all.

Figure 2.3: Interface Configuration in a Single Ring Topology

2.2.4 Dual Ring

A dual ring topology is like two single rings where both interfaces are connected as in Figure 2.4. There are two different ways to connect a dual ring:
1. Both rings have the same traffic direction.
2. One ring transfers the traffic opposite to the direction of the other ring (see figure).

Connecting a DTM network through a dual ring provides the network with high redundancy. In case one of the rings is cut, the dual ring becomes a single bus and a single ring. In case both rings are cut, the remaining configuration is a dual bus topology.

Figure 2.4: Interface Configuration in a Dual Ring Topology

Conclusion

The DTM network provides many ways to construct a network topology. The different setups can be changed easily afterwards, which makes it very manageable. The best way to configure the interfaces is through a dual ring topology, where high redundancy will be achieved. Another benefit of using the dual ring configuration is that it doubles the bandwidth in comparison with a single ring or another configuration where one interface is used.

2.3 ATM

Asynchronous Transfer Mode (ATM) [5] is a cell switching, multiplexing and connection oriented (note 4) technology, which combines the benefits of circuit switching with packet (note 5) switching. ATM has a bandwidth from T1 (note 6) to OC-48 (note 7) in a MAN (Metropolitan Area Network).

Note 4: Connection oriented means that to transfer data a virtual channel must be set up across the network prior to the transfer.
Note 5: The message is divided into packets that are transmitted individually and can even follow different routes to the destination.
Note 6: T1 = megabits per second
Note 7: OC48 = 2.5 gigabits per second

Benefits using ATM

- ATM is asynchronous; time slots are available on demand, in contrast to time-division multiplexing (TDM), where each device gets a time slot.
- It was conceived as a high-speed transfer technology to support audio, video and data communication.
- Dynamic bandwidth for bursty (note 8) traffic.
- Guaranteed capacity and constant transmission delay.
- High transmission rates.

Note 8: Variable amount of data, like voice and video.

ATM provides a lot of benefits, though this comes at a price. ATM is a complex, expensive technology that lacks support for broadcast and multicast and provides QoS support for only some ATM traffic classes.

The ATM network design

The ATM network consists of an ATM switch and ATM endpoints as shown in the figure below. The ATM switch receives the incoming cells from ATM endpoints or other ATM switches. It reads and updates the header and then switches the cell to its destination through one of the output interfaces. The ATM endpoints are systems or devices containing an ATM network interface adapter. These endpoints can be routers, LAN switches, workstations and digital service units (DSUs).

Figure 2.5: Example of an ATM Network Configuration

Conclusion

The ATM network is virtual circuit switched, which provides good support for video and audio applications. The network is more suited for backbone networking than for local area networks, although it doesn't provide high bandwidth compared to DTM and Gigabit Ethernet.

2.4 Gigabit Ethernet

Gigabit Ethernet [6] was developed by the IEEE (note 9) to support faster network technologies than the already existing Fast Ethernet 100BASE-T; at the same time the technology should be compatible with older Ethernet technologies. 1000BASE-T provides half-duplex (CSMA/CD, note 10) and full-duplex 1000 Mb/s Ethernet with support for multicast and broadcast traffic. Gigabit Ethernet has some similarities with 100BASE-T, which simplifies the integration process. Two of these similarities are that they share the same topology rules and use the same Auto-Negotiation system.

Note 9: Institute of Electrical and Electronics Engineers
Note 10: CSMA/CD is an access method, which stands for Carrier Sense, Multiple Access with Collision Detection.

Benefits and Drawbacks using 1000BASE-T/FX

The benefits of using 1000BASE-T are:
- Backward compatible with existing Ethernet networks (i.e. 100BASE-TX).
- Support for multicast and broadcast traffic.
- Low overhead size.
- Uses Category 5 cabling, which is widely used (in case of 1000BASE-TX).
- Is a cheap technology.
- Easy to install and manage.

There are some drawbacks when using Gigabit Ethernet. These are:
- There is no redundancy.
- No link level control, making it hard to locate the place of failure.
- No bandwidth guarantee; it works on a best-effort basis.

Conclusion

Ethernet is the most used technology in networks, especially in Local Area Networks. Many applications are developed for it, and it is considered to be a cheap technology. The bandwidth can go up to 10 Gbps, making it one of the fastest network technologies.

2.5 Summary of the different network technologies

Many factors must be considered when choosing a network technology; once a technology is chosen it will be hard to upgrade in terms of financing and reconstruction of the network. The three types that were discussed here all have some benefits as well as drawbacks. The study shows that the DTM network provides a fast network with redundancy and some other important features like multicast support. Gigabit Ethernet is a fast and simple technology that has been around for many years, although it lacks redundancy and works on a best-effort basis. ATM can be considered reliable and offers good audio and video support, although it lacks bandwidth. After this evaluation the choice lies between DTM and Gigabit Ethernet, although the choice should also consider the main areas the network will be used for. The choice between them can be made once the network requirements and financing are taken into consideration.

3 Protocols, Standards and Services

Building an operator neutral network involves using many protocols and services. Here follows a technical description of the protocols, standards and services that can be used in such networks.

3.1 VLAN 802.1Q

Virtual Local Area Network (VLAN) [7] is mainly a way to create LANs between different network devices by joining them to the same VLAN. This is used for two main purposes:
1. To make several LANs appear as one logical LAN (VLAN).
2. To divide a LAN into several small LANs (VLANs), limiting the broadcast traffic and making the network more manageable. This is achieved when the router/switch ports are set to belong to different VLANs.

Using VLANs helps in managing a network structure more freely since there are no restrictions on design and cabling infrastructure.

The 802.1Q Frame

The Ethernet frame in its original form didn't support VLAN tagging (see below) until 1998 [9], when the IEEE approved the 802.3ac (note 11) standard that defines the frame extension, which resized the frame from 1518 bytes to 1522 bytes, allowing VLAN tagging on Ethernet (802.3) networks. The Ethernet frame is extended by the insertion of an identifier, also called the VLAN tag, which is placed between the Source MAC Address field and the Length/Type field (see Figure 3.1).

Figure 3.1: The Ethernet Frame with and without the VLAN extension

The VLAN tag has a length of 4 bytes, as shown in Figure 3.2. The first two bytes are the 802.1Q Tag Type with the value 0x8100. This value indicates the presence of the VLAN tag and signals that the Length/Type field is found 4 bytes further into the frame.

Note 11: The 802.3ac standard defines only the implementation details of the VLAN protocol that are specific to Ethernet.

The other 2 bytes contain the following information:
- The first 3 bits set the user priority level for the frame.
- The Canonical Format Indicator field is used to indicate whether there is any Routing Information Field (RIF) (note 12) and is only one bit long.
- The last field in the VLAN tag is the VLAN identifier (VID), which identifies the VLAN the frame belongs to.

Figure 3.2: The VLAN Tag

Note 12: This field contains the routing information needed by the bridge to forward a frame.

Examples

Figure 3.3 shows some of the advantages of using VLANs. In VLAN #1, two devices are located on different LANs although they can still communicate with each other as if they were on the same LAN. This configuration requires VLAN tunneling all the way between the two devices. To provide segmentation in a LAN one can configure the devices to belong to different VLANs (VLAN #3 and #4) as shown in the figure. Network devices can be members of two or more VLANs simultaneously. By doing this the devices can be shared between all the devices from the same VLAN.
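The tag layout described in this section (Tag Type 0x8100, then 3 priority bits, 1 CFI bit and the VID) can be exercised with a small parser. This is an added example, not code from the thesis; the sample frame, the function names and the rule that only VIDs 1 to 4094 are assignable (0 and 4095 are reserved by 802.1Q) are not taken from the original text.

```python
import struct

TPID_8021Q = 0x8100  # 802.1Q Tag Type value given in the text


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into addresses, optional VLAN tag and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # Second half of the tag: 3 priority bits, 1 CFI bit, 12 VID bits.
        # The real Length/Type field follows 4 bytes later than usual.
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = {"priority": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    return {"dst": dst, "src": src, "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


def add_tag(frame: bytes, vid: int, priority: int = 0, cfi: int = 0) -> bytes:
    """Insert a VLAN tag between the source address and the Length/Type field."""
    if parse_frame(frame)["vlan"] is not None:
        raise ValueError("frame is already tagged")
    if not 1 <= vid <= 4094:  # 0 means "priority only", 4095 is reserved
        raise ValueError("VID must be in 1..4094")
    if not 0 <= priority <= 7 or cfi not in (0, 1):
        raise ValueError("priority must be 0..7 and CFI 0 or 1")
    tci = (priority << 13) | (cfi << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Untag a frame, as a switch does on a port facing a VLAN-unaware client."""
    if parse_frame(frame)["vlan"] is None:
        return frame
    return frame[:12] + frame[16:]


# Constructed sample frame (not captured traffic).
SAMPLE_UNTAGGED = (bytes.fromhex("ffffffffffff")      # destination: broadcast
                   + bytes.fromhex("020000000001")    # source: made-up local MAC
                   + struct.pack("!H", 0x0800)        # Length/Type: IPv4
                   + b"constructed payload")

if __name__ == "__main__":
    tagged = add_tag(SAMPLE_UNTAGGED, vid=30, priority=5)
    print(tagged[12:16].hex(), parse_frame(tagged)["vlan"])
```
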

Figure 3.3: VLAN usage in different networks

VLAN benefits and drawbacks

VLAN benefits
- Increased performance: Dividing large networks into groups of logical networks limits broadcast traffic as well as the collision domains (note 13).
- Improved manageability: It is easier and cheaper to rearrange network groups.
- Network tuning and simplification of software configurations: Administrators will be able to fine-tune their network by logically grouping users. The administrator will not need to implement as many services since these services can be shared between larger groups.
- Physical topology independence: If the physical infrastructure is already in place, it will only be a case of adding or removing switch ports to expand or relocate departments.

VLAN drawbacks
- Broadcast limitations: Switches and routers do not forward broadcast messages; this was mentioned previously as a benefit. In some cases where broadcast messages are desired, dedicated servers are needed to forward these messages.
- Clients have very limited support for VLAN tagged packets, which makes it necessary to untag the packet at the router/switch.

Note 13: A collision domain is formally defined as a single CSMA/CD network in which there will be a collision if two computers attached to the system transmit at the same time.

3.2 The RADIUS authentication protocol

The Remote Authentication Dial In User Service (RADIUS) [10] is a widely used authentication protocol that provides centralized authentication, authorization, and accounting for dial-up, virtual private network, and wireless networks. A RADIUS server is used to authenticate users after a request from the client. The client can be a Network Access Server (NAS) (note 14) responsible for passing the information to the server. The system works as follows:
1. A user tries to access a site where RADIUS authentication is required. The user may be asked to enter the username and password for the account, or this can be done using a link framing protocol like PPP.
2. The client obtains this information and passes it to the RADIUS server in an Access-Request message (note 15), asking the server to verify the information.
3. The server looks in the user database to verify the information sent by the client.
4. If the server finds all the information correct, it issues an Access-Accept message. The server can also send an Access-Challenge message, which the user needs to respond to. If the user succeeds in responding to the challenge, an Access-Accept message will be sent. The challenge is an unpredictable number, which the user is challenged to encrypt and send back.
5. In case the security measures were not met, the server returns an Access-Reject message to the client.

The RADIUS server and the client have to be authenticated to be able to communicate with each other. This authentication is done through the use of a shared secret that is never sent over the network. The users' passwords are sent encrypted between the client and the server to prevent them from being stolen.
The RADIUS server supports many authentication methods; some of these are:
- PAP
- CHAP
- UNIX login

Note 14: NAS is a server that the ISPs use to provide Internet access to connected users.
Note 15: An Access-Request is a message sent to the RADIUS server containing the user information (name, password, etc.).

3.3 DHCP

The Dynamic Host Configuration Protocol (DHCP) [11] is a protocol used to provide configuration information to hosts on a TCP/IP network. The protocol is based on the Bootstrap Protocol (BOOTP) [12] with the addition of some new options like automatic allocation of reusable network addresses. DHCP consists of two components: one delivers host-specific configuration parameters and the other allocates network addresses to hosts. The mechanism for allocating IP addresses is as follows (see Figure 3.4):

1. The client broadcasts a DHCPDISCOVER message on the LAN. The discovery messages can be forwarded by BOOTP relays to a server on another LAN.
2. The servers reply with a DHCPOFFER, offering an available IP address and other network configuration parameters.
3. The client receives one or more offers from the DHCP servers. The client can make a decision based on the network configuration parameters; the client then sends a DHCPREQUEST message with the chosen server's id. In case the DHCPOFFER is lost, the client will broadcast a new DHCPDISCOVER message.
4. The servers receive the broadcast of the DHCPREQUEST message. Servers not selected take the message as a decline from the client. The server that matches the server id (note 16) binds the offered IP to the client and sends a DHCPACK message containing the configuration parameters. If for some reason the selected server can't meet the previously sent parameters in the DHCPREQUEST message, the server sends a DHCPNAK.
5. Once the client receives the DHCPACK message, a final check of the network parameters must be done. One of these checks is to see if the address offered is still available, which can be done by ARP (note 17) [13]. If the client discovers by ARP that the address is used by another device, a DHCPDECLINE message is sent and the whole process must be restarted. In case the client receives a DHCPNAK the process will also be restarted.

Figure 3.4: Message exchange between DHCP client and Servers

The client receives two timers, T1 and T2. T1 is the time at which the client enters the RENEWING state; it is usually set to 0.5 * (lease duration) (note 18). T2 is the time at which the client enters the REBINDING state and attempts to contact any DHCP server by broadcasting the request; it is usually set to 0.875 * (lease duration). T1 must be shorter than T2, because the client must try to renew the lease before the request is broadcast to all servers and the process is restarted.

Note 16: Used to identify the server.
Note 17: ARP: Address Resolution Protocol
Note 18: The client gets an IP for a certain amount of time, also called lease time.
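The T1/T2 timers above, combined with the retransmission rule the text describes next, determine when a client whose server has stopped answering sends each DHCPREQUEST. The schedule below is an added example, not code from the thesis; it applies the 60-second floor in both states, as RFC 2131 section 4.4.5 does, and the function names and lease values are illustrative.

```python
def retransmit_times(start: float, deadline: float, min_wait: float = 60.0) -> list:
    """Seconds after lease start at which a DHCPREQUEST is sent while unanswered.

    After each attempt the client waits half of the time remaining until the
    deadline, but never less than min_wait seconds.
    """
    times, t = [], start
    while t < deadline:
        times.append(t)
        t += max((deadline - t) / 2, min_wait)
    return times


def lease_schedule(lease: float, t1_factor: float = 0.5, t2_factor: float = 0.875) -> dict:
    """Timers and request times for one lease when no DHCPACK ever arrives."""
    if lease <= 0:
        raise ValueError("lease duration must be positive")
    t1, t2 = lease * t1_factor, lease * t2_factor
    if not t1 < t2 < lease:
        raise ValueError("need T1 < T2 < lease duration")
    return {
        "T1": t1,
        "T2": t2,
        # RENEWING: unicast to the leasing server, deadline is T2.
        "renewing": retransmit_times(t1, t2),
        # REBINDING: broadcast to any server, deadline is lease expiry.
        "rebinding": retransmit_times(t2, lease),
    }


if __name__ == "__main__":
    for lease in (3600, 120):  # constructed lease durations in seconds
        print(lease, lease_schedule(lease))
```

With a one-hour lease the client makes six unicast and four broadcast attempts before expiry; with a two-minute lease the 60-second floor leaves exactly one attempt in each state, which matters when short leases are used to make ISP switching fast.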

At T1 the client starts the RENEWING state by sending a unicast DHCPREQUEST message to the DHCP server. The server replies with a DHCPACK and the client continues its network services. In the RENEWING state, if no message has been returned, the client waits one-half of the time remaining until T2 before retransmitting the message. In the REBINDING state the client waits one-half of the remaining lease time, down to a minimum of 60 s, before retransmitting the DHCPREQUEST message. If no DHCPACK is received before the lease expires, the client stops all network processes and restarts the whole DHCP process. Once the client shuts down, a DHCPRELEASE is sent to the server and the network address is released.

3.4 PAM (Pluggable Authentication Modules)

PAM was introduced to solve the problem of using different authentication mechanisms in programs [14][15]. The problem was that every time a new authentication method was introduced, the system administrator needed to recompile the software that uses user authentication to work with the new authentication method. Needing to recompile all the programs is not very efficient. PAM provides a library of functions that can be used by an application to authenticate users. By using PAM an application can change its authentication method dynamically, only by editing a configuration file.

How it works

PAM mechanisms consist of four major parts [16] (see Figure 3.5):
1. The application: These are the applications that will be using PAM. Examples of such applications are FTP, telnet and a login mechanism.
2. The library: Used to load the appropriate modules for the applications.
3. The pam.conf: The config file for assigning an authentication mechanism to each application.
4. The modules: Provide the implementation of a specific mechanism. The modules are divided into four types based on their function (authentication, account management, session management or password management).
The application (FTP, login, telnet) uses the PAM library to access the different modules according to the pam.conf file. The module responds to the application through the library.

Figure 3.5: The relationship between the different parts in PAM.

4 Access models in open networks

The following access models are some of the models for implementing open access networks [17]. An open access network is the scenario where a user is connected to a network that provides more than one ISP (it is open for all ISPs to join the network) and the user has the ability to select the ISP of their choice. These models are the following:

- DHCP login
- PPPoE
- PPPoA
- DHCP with Web Page Login
- L2TP

4.1 DHCP login

In this access model the access network between the user's PC and the DHCP server is either bridged or routed [17].

ISP Selection

When the user powers on the PC, the DHCP client will provide the user with an IP address, and this IP address will be associated with a certain ISP. The IP address that is given is related to the user's MAC address, which makes it difficult to change from one ISP to another. To make the change, the user needs to submit the user information to a web server. The web server will trigger a script that changes the MAC address-to-IP address relation in the DHCP server. When the PC reboots, or sends a DHCP request because the IP address lease time has expired, it will receive the new IP address associated with the requested ISP.

4.2 PPPoE login

This access network model establishes a layer 2 end-to-end session between the user and the end device. After establishing the session the user will be authenticated and assigned an IP address.

PPPoE

PPP over Ethernet (PPPoE) [18] can be used to connect a network of hosts to an access point on a different network. When a PPPoE session is initiated, two stages have to be performed: the Discovery session and the PPP session.

Discovery session

Here follows a short description of the stages involved in this session (see Figure 4.1):

1. The host broadcasts a PPPoE Active Discovery Initiation message (PADI).
2. An Access Concentrator (AC) receives the PADI and replies to the host by sending a PPPoE Active Discovery Offer message (PADO).
3. Because the PADI was broadcast, a host may receive more than one offer. The host then has to select one of the offers. The decision may be based on service or AC name. The host sends a PPPoE Active Discovery Request (PADR) message back to the chosen AC.

4. After the AC receives the PADR, it will prepare to begin the PPP session by sending a PPPoE Active Discovery Session-confirmation message (PADS).
5. The last packet that may be sent, either to the AC or to the host, is the PPPoE Active Discovery Terminate message (PADT). This packet indicates that the PPPoE session has been terminated.

Figure 4.1: Message exchange between the Access Concentrators and host

PPP Session

Once the PPPoE session begins, the Ethernet packets are unicast and the PPP data is sent as any other PPP encapsulation.

ISP selection

The ISP selection works as follows (see Figure 4.2): When establishing a PPP session two types of protocols are used, the Link Control Protocol (LCP) and the Network Control Protocol. The LCP in this case is used to configure which type of link the PPP session is running on (i.e. Ethernet), the type of authentication mechanism (PAP, CHAP) and the corresponding network protocol. After establishing a PPP session with a service selector, it is time to decide to which ISP a user should be connected. The service selector obtains the username and password to authenticate the user. The selector still needs to know to which ISP the user belongs; this can be done either by providing a domain name with the username (e.g. user@isp1.com) or in the Service-Name TAG_TYPE field in the PPP frame. When the choice of ISP has been made, a connection between the user and RADIUS is established. The RADIUS server authenticates the user and provides an IP address from the selected ISP.
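The offer selection in step 3 and the Service-Name tag used for ISP selection can be made concrete with a small parser. This is an added example, not code from the thesis; it follows the PPPoE discovery frame layout of RFC 2516 [18], and the MAC addresses, the AC names and the rule of accepting offers only from an allowlist of known AC names are constructed assumptions.

```python
import struct

ETH_P_PPPOE_DISCOVERY = 0x8863   # EtherType of the Discovery stage (RFC 2516)
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAG_END_OF_LIST, TAG_SERVICE_NAME, TAG_AC_NAME = 0x0000, 0x0101, 0x0102


def build_discovery(dst, src, code, session_id, tags):
    """Build a discovery frame; used here only to construct sample input."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    header = struct.pack("!BBHH", 0x11, code, session_id, len(payload))
    return dst + src + struct.pack("!H", ETH_P_PPPOE_DISCOVERY) + header + payload


def parse_discovery(frame):
    """Parse one Ethernet frame carrying a PPPoE discovery packet."""
    if len(frame) < 20:
        raise ValueError("frame shorter than Ethernet + PPPoE headers")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_PPPOE_DISCOVERY:
        raise ValueError("not a PPPoE discovery frame")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11 or code not in CODES:
        raise ValueError("bad version/type or unknown code")
    payload = frame[20:20 + length]   # the length field excludes Ethernet padding
    if len(payload) != length:
        raise ValueError("PPPoE length field exceeds the frame")
    tags, off = [], 0
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated tag header")
        tag_type, tag_len = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        if off + tag_len > length:
            raise ValueError("tag value runs past the payload")
        if tag_type == TAG_END_OF_LIST:
            break
        tags.append((tag_type, payload[off:off + tag_len]))
        off += tag_len
    return {"dst": frame[0:6], "src": frame[6:12], "code": CODES[code],
            "session_id": session_id, "tags": tags}


def select_offer(pado_frames, host_mac, wanted_service, trusted_ac_names):
    """Return (ac_mac, ac_name) of the first acceptable PADO, or None.

    Assumption of this example: the host only answers offers whose AC-Name
    is on a list of known concentrators and that carry the wanted service.
    """
    for frame in pado_frames:
        try:
            pkt = parse_discovery(frame)
        except ValueError:
            continue                  # malformed offers are ignored
        if pkt["code"] != "PADO" or pkt["dst"] != host_mac or pkt["session_id"] != 0:
            continue                  # a PADO is unicast to the host, session id 0
        ac_names = [v.decode("utf-8", "replace")
                    for t, v in pkt["tags"] if t == TAG_AC_NAME]
        services = [v.decode("utf-8", "replace")
                    for t, v in pkt["tags"] if t == TAG_SERVICE_NAME]
        if len(ac_names) != 1 or ac_names[0] not in trusted_ac_names:
            continue
        if wanted_service in services:
            return pkt["src"], ac_names[0]
    return None


# Constructed sample input: one host and two access concentrators.
HOST = bytes.fromhex("020000000001")
AC_UNKNOWN = bytes.fromhex("0200000000aa")
AC_KISTA = bytes.fromhex("0200000000bb")
SAMPLE_PADOS = [
    build_discovery(HOST, AC_UNKNOWN, 0x07, 0,
                    [(TAG_AC_NAME, b"unknown-ac"), (TAG_SERVICE_NAME, b"isp1")]),
    build_discovery(HOST, AC_KISTA, 0x07, 0,
                    [(TAG_AC_NAME, b"ac-kista"), (TAG_SERVICE_NAME, b"isp1"),
                     (TAG_SERVICE_NAME, b"isp2")]),
]

if __name__ == "__main__":
    print(select_offer(SAMPLE_PADOS, HOST, "isp1", {"ac-kista"}))
```

Both sample offers advertise the service isp1, so the AC name is what separates them; the parser also rejects frames whose length or tag fields run past the data actually received.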

Figure 4.2: An open access network using PPPoE.

4.3 PPPoA login

The PPPoA (PPP over ATM) [19] access model is similar to the PPPoE model [18], meaning that a layer 2 session is established between the user device and the end device, followed by the authentication and assignment of an IP address from the corresponding ISP. The main difference is that ATM is used to transport the PPP packets instead of Ethernet. The user's device is either an internal or external PPPoA modem. In the case where an internal modem is used there will be no difference between this model and the PPPoE model in terms of ISP selection. Using an external PPPoA modem, the ISP selection will not be so straightforward. The username and password are stored in the modem's flash memory, making it difficult to change ISP, since one needs to update the memory in the modem. The user can change the information by using a mini web server in the modem provided by the vendor, with a command line interface (telnet session), or by using a dummy modem driver, which can interact with the modem by creating a dial-up connection.

4.4 DHCP with Web Page login

This access model contains two stages: First the DHCP server provides an IP address corresponding to the user's MAC address. In the second stage the user enters the username and password in a web page and is then authenticated against a RADIUS server. The ISP selection steps are as follows:

- When the user powers on the computer, the DHCP server gets an IP request. The user's network card MAC address is not associated with any ISP, which forces the DHCP server to provide a temporary IP address to use for the ISP selection.
- After the user has obtained an IP address it is time to browse to a web form where the ISP selection is made. The form is then submitted via scripts or other methods to a RADIUS server where the user information will be inserted/updated.
- Once the user reboots or renews the DHCP request, the user will obtain an IP address from the selected ISP.
- The user will access the web authentication page to submit the username and password, which will be authenticated against a RADIUS server.

- If several users share the same PC, each user has to access the authentication page and enter his own username and password for the corresponding ISP.

4.5 L2TP login

In this access model there is a layer 2 session established between the L2TP Access Concentrator (LAC) and the L2TP Network Server (LNS).

L2TP

Layer 2 Tunnel Protocol (L2TP) [21] is a mechanism to tunnel Point-to-Point Protocol (PPP) sessions. L2TP uses two types of messages, control messages and data messages. The control message is used to establish, manage and clear connections. The data message is used to encapsulate the PPP frames over the tunnel.

ISP Selection

The PPP session is carried within a layer 3 infrastructure between the LAC and the LNS. In this case the LAC is software running on the user's PC and the IP Service Router is the LNS. This model is quite similar to the PPPoE/A models; the user disconnects by closing the tunnel and reconnects by providing the username, realm and password.

4.6 Conclusion

There are many open access models; the trick is which one to choose. Here follow the main benefits and drawbacks of each of these models and protocols.

PPPoA
PPPoA provides end-to-end QoS as well as latency and bandwidth guarantees. The PPPoA solution requires the user to obtain an ATM network device, which is quite expensive. The PPPoA protocol, like other tunneling protocols, has a large overhead, which makes it slow and requires more processing.

PPPoE
Unlike PPPoA, PPPoE doesn't suffer from expensive hardware since it uses the common Ethernet network devices. The protocol provides QoS, latency and bandwidth guarantees. Although it seems to be a good protocol it has some drawbacks: it requires client software and suffers from the large overhead.

L2TP
This model has some advantages and disadvantages. The main advantage is that the model uses the session concept, which permits users sharing the same PC to connect to different ISPs. The main disadvantage of this model is the large overhead of carrying a layer 2 protocol over layer 3.

The DHCP models
The models using DHCP don't require any client software besides what is provided by the OS, and they use Ethernet network devices, which are the cheapest and most common. The drawback of these methods is that they are not very scalable due to the large broadcast domain.

After evaluating each of these methods one can say that the DHCP method is the best in terms of packet utilization and being the easiest to install and manage, although it suffers from the scalability issue. The scalability issue can be improved by dividing the network into different VLANs, limiting the broadcast domain and providing one DHCP server per VLAN. PPPoE can be considered to be the runner-up in this evaluation but is more suited for xDSL solutions.

5 Internet Service Provider (ISP) models

Often a customer has access to one ISP because the real estate owner has signed some kind of contract with an ISP, giving the customer little or no power to choose the ISP of their choice. To achieve operator neutrality, more than one ISP should be available for the customer to choose between. Here follow some of the ISP models [22] for getting Internet access through one or more providers.

5.1 Single ISP access

The infrastructure of this model is either owned by the real estate owner or is built by the ISP, giving them a monopoly over the infrastructure. The second scenario is not discussed here since the end customer doesn't choose the ISP. The end customers get access to the Internet through one ISP as shown in Figure 2.1. This ISP is the only provider available for the customers for a certain time (usually the contract time). This model addresses a group of end users and not a single user. The end users decide to which ISP they should be connected and how much the service should cost. The single ISP access model provides no operator neutrality for a single user, making it a bad choice for an operator neutral Internet access even though it is easy and cheap to build.

Figure 5.1: Single ISP access model

5.2 Multi ISP access

This model provides access to several ISPs on the same infrastructure as shown in Figure 5.2, where the meeting point between the ISPs and the end users is located at each group [22]. The end customers will divide themselves into different groups depending on choice of ISP. This model is similar to the previous one because from the user's perspective there is only one ISP. Each group will belong to the ISP for the remaining time of the contract, which can be compared to the ADSL broadband solution. By using this model a single customer can change ISP by changing groups, but it will require canceling the current contract and signing a new one with the new provider. This model is also easy to administrate and rather cheap to build but provides no real provider independence.

Figure 5.2: Multi ISP access model

5.3 Shared Access Infrastructure

This model has several ISPs in the same network infrastructure; a network access server (NAS) is located between the ISPs and the end users, managing and administrating the connections (see Figure 5.3) [22]. The model provides great independence for the end users, who will be able to change ISPs as often as they desire, independently of each other. This neutral access model puts the pressure on the NAS administration, which needs to support the customers switching ISPs and provide the security measures needed by the ISPs. The NAS can be owned by the real estate owner, the ISPs or a third party company.

Figure 5.3: Shared ISP access model

5.4 Conclusion

The single ISP model is cheap and easy to build; however, it does not support any operator neutrality. The multi ISP model is also cheap and easy to administrate since the users are divided into different ISP groups, but it does not provide the desired operator neutrality because it is not so flexible in terms of changing ISP. The shared access model is where the users will have operator neutrality; the model is harder to administrate since a mechanism must be created to make the ISP switching possible. Even though the maintenance of such a model is high, it is the only model for a true operator neutral access network.

6 Method

6.1 Goals for achieving operator neutrality

There are many ways to provide operator neutrality, as described in chapter 4. To decide which way to provide it, one needs to specify the main goals for the operator neutral network that should be built at KistaIP. The main goals are:

- To provide operator neutral access.
- A user-friendly way to switch between providers.
- To make the system independent of client software.
- Keep track of users so that billing and accounting can be achieved.
- Build a dynamic system, making it easy to add and remove ISPs.

6.2 Model

The operator neutral access that should be built is based on the DHCP with web login model (see 4.4) with some modifications. The main idea is that each provider belongs (footnote 19) to one VLAN and no two providers may belong to the same VLAN. Section 3.1 gave a description of VLANs and, as mentioned there, there are two major ways to use the VLAN concept. One can use it to join many small LANs into a bigger VLAN by joining them all to the same VLAN id, or to split a large LAN into small VLANs by assigning them to different VLAN ids [7]. By splitting the large LAN into small VLANs one will have a more manageable network, since users belonging to the same VLAN will be treated as if they belonged to the same LAN [8], and then DHCP and other broadcast protocols can be used. Limiting the broadcast domain by dividing the network into different VLANs will make it easier to provide IP addresses through DHCP, since only one DHCP server will answer the request. Each user has to belong to a VLAN; to change ISPs the user needs to leave the previous VLAN and join the VLAN corresponding to the new ISP. The users will have the ability to change ISPs by using a web interface. Once the user has chosen an ISP, the web server will activate a program that makes the necessary changes to the user's router, which is placed between the ISP and the end user (see Figure

Footnote 19: The definition of "belong" is when the network interface is set to send and receive packets from a certain VLAN group.

Figure 6.1: A simple operator neutral model

Changes on the network devices mean that all ports (footnote 20) from the user to the ISP have to belong to the same VLAN. The devices have to be able to understand VLAN tagged Ethernet packets, except at the end user, who will receive untagged packets (see Figure 6.2). Once all devices belong to the same VLAN, the user will be able to receive all kinds of broadcast traffic from the ISP as if they were on a LAN. Once the users can send and receive packets from the ISP, the ISP needs to have a gateway through which the Ethernet packets can reach the Internet.

Figure 6.2: Message transport between the end user and the ISP

To be able to make these changes for the user, a computer must be present and always reachable by the users. This computer, also called the Auth, Registration and VLAN changer (see 7.5), has to belong to all available VLANs in the network. The computer shouldn't be a part of the ISP but should instead be run by the real estate owner, since more than one ISP should be connected to the real estate. This is the model that was the base for the operator neutral access at KistaIP; in the following chapters a more detailed description of the different parts will be given.

Footnote 20: Ports are network interfaces on the router/switch.

7 The KistaIP implementation

The KistaIP implementation is an implementation of the previously described model. The implementation uses the DTM network technology since the hardware (see below) was already available from the KistaIP-IX project (see 1.1.1). The Gigabit Ethernet technology could also be used for the implementation if desired. The implementation is based on the shared access model (see 5.3) since it offers the desired operator neutrality for the implementation. Here follows a more detailed description of the components needed to make the model implementation possible.

7.1 Resources

This project was the continuation of the 2G1319 Communication System Design course [2]. The main network infrastructure was provided by Svenska Bostäder [23] and was already available, though no real prototype was made due to lack of time. The components that were available are the following (the figures were taken from

- Dynarc 1124 routers, each with 24 Ethernet 100Mb ports and two DTM 1.25Gb multi-mode interfaces (see 7.2.2).

Figure 7.1: A Dynarc

- Dynarc 5116 router. The 5116 has 2 DTM single-mode (see 7.2.1) interfaces, 2 DTM MM interfaces and 8 Ethernet 100Mb.

Figure 7.2: A Dynarc

Single-mode and multi-mode fibers

There are two commonly used ways to transmit the light signal in fibers: single-mode and multi-mode signals [25].

Single-mode

A LED (footnote 21) in one end of the fiber produces a single frequency of light that is received in the other end by another diode. The light is pulsed in digital format from one end to another. The benefits of using single-mode signals are that they travel a longer distance and are faster than the multi-mode signal. The drawback is that the hardware is expensive.

Multi-mode

The digital signal consists of multiple light frequencies, which makes it travel a shorter distance due to dispersion. The hardware is much cheaper since it doesn't need to be as precise as the single-mode hardware.

7.3 The network infrastructure

The KistaIP student dorms have 144 apartments, each with an optical fiber connection. To use the connection on a computer with an Ethernet network card, a fiber to Ethernet converter is needed and is provided for the students. The fibers are connected to the router room at KistaIP with a multimode fiber cable. Once the fibers arrive at the router room they are converted once again to Ethernet, so the whole trip is Ethernet-fiber-Ethernet. There are 6 routers, each with 24 Ethernet ports, providing a total number of 6*24=144 ports, one for each apartment. The KistaIP router room is connected to the KistaIP Gateway at Electrum by a pair of single-mode fibers. The reason for using fiber between the apartments is the short network transport range of Ethernet cables (around 100m) and of course future improvements. Figure 7.3 below shows the whole infrastructure.

Footnote 21: Light Emitting Diode (LED).

Figure 7.3: The Network Infrastructure at KistaIP

In the figure above one can see that 6 routers will provide access to each one of the 144 apartments. The 6 routers are then connected to the 5116 router at Electrum (see the map in Figure 1.1); the fiber cable to Electrum is a single-mode fiber cable. Having the 6 routers at the KistaIP router room connected by multimode cables makes it necessary to use a multimode to single-mode converter to be able to join all routers in a DTM ring. The ring is a dual ring (see 2.2.4), making it more redundant and providing higher bandwidth.

7.4 Using VLANs

As mentioned, the ISP belongs to a VLAN, and to be able to communicate with the ISP the users need to belong to the same VLAN. The network infrastructure has some common resources, which need to be available to all of the ISPs. These resources are:

- The ARV (Auth, Registration and VLAN changer) server.
- The DTM ring and interfaces.

The DTM ring and interfaces

The six Dynarc 1124 routers are connected to each other at the KistaIP router room and then connected to the Dynarc 5116 router at Electrum. They are all connected with a dual DTM ring (see 2.2.4). The ring should then be able to transport packets belonging to all the VLANs; this is achieved when the DTM interfaces are set to send and receive all of the available VLANs.

7.4.2 Changing the VLAN

The Dynarc 1124 routers at the KistaIP router room are connected to the users by the 24 ports each router has. The ports on the routers have to belong to a VLAN. In order to change ISPs, the ports need to be changed to join the VLAN corresponding to the ISP. To be able to change the VLAN on each port a mechanism must be developed. The Dynarc 1124 routers can be configured through both SSH [26] and Telnet. There is a way to send remote commands through SSH to a computer with an SSH daemon installed on it, but this was not supported by the SSH daemon on the Dynarc routers. To work around this problem one can use telnet. A program called vpch (VLAN Port Changer, see Appendix 11.2) is used to connect to the router and make the necessary changes. These changes are:

1. Leave the last joined VLAN.
2. Join the selected VLAN, untagged.
3. Set the portvid (port VLAN identification) to the one corresponding to the ISP.
4. Exit.

The operating systems that are commonly used today don't support VLAN tagged Ethernet packets. This means that Ethernet packets going from the closest router to the user need to be untagged for the user's computer to understand them. This makes it difficult to have more than one untagged VLAN associated with an Ethernet port. The scenario is as follows:

- A packet that is sent to a user will be tagged all the way to the router for that user, where it will be untagged and sent on to the user.
- A packet that is sent from a user will be sent untagged from the user's computer until it reaches the port on the closest router, where it will be tagged with the VLAN number and sent on over the DTM ring and to the ISP.

The above description may make it easier to understand why the portvid should be set. The portvid is the VLAN number that the Ethernet packets will be tagged with once they enter the switch port.
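The tagging behaviour of a user port and the three port changes made by vpch can be modelled in a few lines. This is an added example, not the vpch program from Appendix 11.2; it uses the standard 802.1Q tag layout, VLAN 100 and VLAN 10 are the ids named on this page, and the ISP VLAN ids 20 and 30, the allowlist check and the rule that a user port drops frames arriving already tagged are assumptions of the example.

```python
import struct

TPID_8021Q = 0x8100                   # EtherType value that marks an 802.1Q tag
MGMT_VLAN = 10                        # VLAN used by vpch to reach the routers
ISP_VLANS = {"KTH": 20, "SSVL": 30}   # constructed ids standing in for the ISP database


def tag_frame(frame, vid, pcp=0):
    """Insert an 802.1Q tag after the source MAC address."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN id out of range")
    tci = (pcp << 13) | vid           # priority (3 bits), DEI (1 bit, 0), VLAN id (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame):
    """Return (vid, frame_without_tag); vid is None for an untagged frame."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


class UserPort:
    """One Ethernet port facing an apartment: a single untagged VLAN plus a portvid."""

    def __init__(self, vlan):
        self.untagged = {vlan}
        self.portvid = vlan

    def change_isp(self, isp_name):
        """Apply the three port changes listed above for the chosen ISP."""
        if isp_name not in ISP_VLANS:
            raise ValueError("unknown ISP")
        new_vlan = ISP_VLANS[isp_name]
        if new_vlan == MGMT_VLAN:     # assumption: never expose the management VLAN
            raise ValueError("management VLAN is not selectable")
        self.untagged.clear()         # 1. leave the last joined VLAN
        self.untagged.add(new_vlan)   # 2. join the selected VLAN, untagged
        self.portvid = new_vlan       # 3. set the portvid

    def ingress(self, frame):
        """Frame from the user: tag it with the portvid before it enters the ring."""
        vid, _ = untag_frame(frame)
        if vid is not None:           # assumption: users may not choose their own tag
            return None
        return tag_frame(frame, self.portvid)

    def egress(self, tagged_frame):
        """Frame from the ring: deliver it untagged only if it is on the port's VLAN."""
        vid, inner = untag_frame(tagged_frame)
        return inner if vid in self.untagged else None


if __name__ == "__main__":
    frame = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"constructed payload"
    port = UserPort(100)              # first-time users start on VLAN 100
    print(untag_frame(port.ingress(frame))[0])
    port.change_isp("KTH")
    print(untag_frame(port.ingress(frame))[0])
```

After the change the port no longer delivers traffic tagged for the previous VLAN, which is why the user's old DHCP server stops answering.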
If one had clients using operating systems that understood tagged packets, then we would just join the switch/router ports to all available VLANs without worrying about changing the VLANs. The only changes would be on the client side, where the user would need to assign a virtual interface for each VLAN. An example taken from the Linux VLAN implementation: if the user has an interface eth0, then joining the interface to VLAN #1 results in two interfaces, eth0 and eth0.1, where eth0.1 will be able to understand tagged packets from VLAN #1.

Now that changes can be made on any port, one needs to specify the exact port for a specific user; to achieve that a database is introduced. The database is called info and contains the following information:

Lgh | Passwd | mac | router | interface | oldvlan

Figure 7.4: The database fields used for changing the VLAN

- Lgh: the apartment number, which is a unique number between 1 and 144. This field is used to identify the user.
- Passwd: a randomly generated password that is used to register a certain MAC address to an apartment.
- MAC: the hardware address of the network card. Unregistered users have an empty slot here.
- Router: the router's IP address, which is used for configuring via telnet.

- Interface: the interface or port for the user.
- Oldvlan: the VLAN id that the user is connected to.

7.5 The ARV server box

The ARV server box is a computer running the Linux operating system. The main tasks for the ARV server are:

- To provide the client interface for changing the VLAN via the web.
- Registration and authentication of new users.

The client interface

To change the VLAN as mentioned in chap the users need to have access to the vpch program, which resides on the ARV server. To allow the interaction between the user and the vpch program an interface must be made. A client interface to achieve this should be easy and should use available resources on the operating system, meaning no additional software installation should be required on the client. A perfect resource that is available in most operating systems is the web browser. Introducing a web based configuration or VLAN changing mechanism should fulfill the requirements. The web interface will start by obtaining the MAC address of the user. This MAC address will be looked up in the database to see whether it exists. For a first time user the MAC address field in the database will be empty. Having an empty MAC field will redirect the user to a registration page (see figure below).

Figure 7.5: The registration page

The registration page is a web form with two fields:

1. The password field: the users enter the password that they have received.
2. The apartment number field: the unique number that is used for assigning the MAC address obtained by the webpage to the apartment number entered.

The combination of these two fields will ensure that the current user belongs to a certain apartment and will insert the MAC address into the database entry. By using the registration page the user only needs to register once, as long as they don't change the MAC address on the network device. The benefit of using a registration page is to get hold of the vital information that is needed to achieve an ISP change. Having a page that queries the username and password could achieve the same result by mapping the user/password to the database. This is not desired because it would be rather annoying to enter the user/password every time the ISP is changed. Once a registration is made the user is redirected via the webpage to the ISP change webpage (see figure below).

Figure 7.6: The ISP change interface

In this page the user will get the following information:

- The apartment number to which the user is registered.
- The current ISP, which the user is connected to.

The information is obtained by matching the MAC address obtained by the webpage against the MAC address in the database. The user has the opportunity to reregister in case the apartment number is not accurate. This can happen when a user using a laptop moves from one apartment to another. The user will get information about which ISP he/she is connected to; this information is also retrieved from the same database. If the user is satisfied with the choice of ISP and does not wish to change, then the user will be redirected to the ISP's login page. If the user changes the choice of ISP the following will occur:

1. The web server will use the vpch program to contact the router to which the user is connected and make the necessary changes based on the information obtained through the info database.
2. The database will update the oldvlan field to the chosen VLAN.
3. A web page will appear and inform the user that he/she will be redirected in a certain amount of seconds (T seconds).
4. After the defined time elapses the page will be redirected to the ISP's login page.

The delay that occurs when an ISP has been chosen depends on the client's DHCP lease timeout. The DHCP client, as described previously, tries to renew the lease time. This is done when the client sends a unicast message to the DHCP server. Now that the VLAN is changed the DHCP server is not available anymore and no reply will be sent to the client. The client will wait for 0.5*(lease duration) and try again, but without any luck. The client will start the REBINDING state by broadcasting the request. The DHCP server on the new VLAN will answer the broadcast message from the client and the client will obtain a new network address for the new subnet. Once the client receives the new IP address and the T seconds have elapsed, the page will be redirected to the ISP's login page.

The configuration on the ARV box

The ARV server box has Linux with kernel installed on it with support for the 802.1q protocol (experimental); a DHCP server and an SSL web server are also available. Using Ben Greear's 802.1Q implementation for Linux [27], the ARV box was able to join the needed VLANs by joining the Ethernet interface to all VLANs (see figure). The ARV box also has a DHCP server, which is used to provide private IP addresses for users on VLAN 100. VLAN 100 is the VLAN that is used to connect to the private KistaIP network and is used for getting access to the KistaIP.net page, which is used to inform the tenants of any important changes in the network. The tenants will also get access to the VLAN change page. For first time users this will be the default VLAN since there is no need for any accounts and it doesn't provide any Internet access.

Figure 7.7: The ARV box

The ARV box is connected to the Dynarc 5116 router through the Ethernet interface. The interface on the router belongs to all the available VLANs, so that all the users, independently of which VLAN they belong to, will be able to access the ARV box. VLAN 10 is the VLAN used by the vpch program to access the routers and make the previously mentioned changes on the ports. These components are the common ground for all the ISPs on the network. The ARV box contains the databases used in the network. These are the info database that was mentioned earlier and the ISP database, which has three fields:

1. ISP: the name of the ISP.
2. VLAN: the VLAN where the ISP belongs.
3. IP: the IP address of the login page for the ISP.

7.6 The ISP side

The network is divided into two major parts: a part that is run by the real estate owner and the part associated with the ISP. The ISP configuration can be built of many computers or just one, as in the KistaIP implementation. The ISP computer is connected to the Dynarc 5116 router through the Ethernet interface. The interface has to belong to the chosen VLAN for the ISP, which is then entered in the database in the ARV box.

Figure 7.8: The ISP's network configuration

The ISP box used is a Linux system like the ARV box, which has support for tagged Ethernet packets (802.1q) [27]. The ISP box contains the following components:

1. The OASIS access server.
2. A perl script to log out users.
3. An SSL secured Apache web server.

The OASIS

The OASIS [29] is the result of the master thesis done by Martin Hedenfalk at The Royal Institute of Technology (KTH). It is a NAS (Network Access Server) for providing Internet access for users in a public network. The OASIS is an Open Source (footnote 22) project and is available for download at

Here are some of the OASIS features that were used in the KistaIP implementation:

- Authentication by using PAM.
- Dynamic Firewall.

The user authentication mechanism uses Pluggable Authentication Modules (PAM) [15]; by using PAM the ISP is free to use any kind of authentication scheme. In the KistaIP implementation a Kerberos authentication scheme is used to authenticate the users. Once the user is authenticated, the OASIS will enter a new rule in the firewall [30] using iptables (footnote 23) [31], permitting the user with a certain IP and MAC address to send and receive packets. The OASIS stores the MAC and IP address in a database as well as the username. This database is then used to verify if a user is already logged in or for logging out existing users.

The lease script

The OASIS has a built-in mechanism to log out users. The mechanism works with the help of ping (footnote 24). The OASIS machine pings the users every x seconds and waits for a reply. If no reply is received the users are assumed inactive and will be logged out. This solution was used in the first KistaIP implementation but was removed later. The reason for removing it was that some users were logged out even if they were active. This happened when clients used firewalls, since the firewall did not answer the ping sent by the OASIS. Windows XP users experienced many problems with the ping system since Windows XP has a built-in firewall. The OASIS also has an ARP ping (footnote 25) mechanism to detect inactivity, but it was not functional at the time of implementation. To solve the problem a perl script is used to read the lease file used by the DHCP server and detect the state for a certain IP (see Appendix 11.3). The reason for using the lease file is that DHCP uses BOOTP, which is not port filtered by any firewall, since no IP address would be obtained if the port were filtered. The OASIS has a database of the currently logged in users. The MAC and IP addresses are taken from that database and are compared with the entries in the DHCP lease file. The lease file is built like a log, meaning that it only adds the new status and doesn't alter the existing data. The perl script reads the file from the end, and as soon as it encounters the IP and MAC in question it checks whether the entry is marked as free or leased. Depending on the outcome of the script, the users will be logged out or left without any changes. This is done for each user logged in to the OASIS and takes a short time. The amount of time it takes to log out an inactive user depends on how often the script is run; if the script is run every 5 minutes it will take a maximum of 5 minutes to log out the user. Since this script was implemented most complaints by the users have vanished.

Footnote 22: For more info, visit
Footnote 23: Iptables is an IP packet filtering administration tool.
Footnote 24: Ping is a utility to send ICMP Echo packets to network hosts.
Footnote 25: ARP ping is an ARP level ping utility, good for finding out if an IP is taken.

The SSL web server

The ISP should use an SSL enabled web server [28] to maintain a secure connection between the users and the OASIS during the authentication procedure. The login php script has the following tasks:

- Retrieve the MAC address of the user.

- Connect to the UNIX socket created by the OASIS.
- Send the login parameters (username and password).
- Retrieve the results from the OASIS and display them on the screen.

Figure 7.9: The login page

The login page works as an interface between the OASIS and the users (see Figure 7.9).

7.7 Prototype

The KistaIP prototype includes all the necessary components discussed in the previous chapters to achieve an operator neutral network. The network has two ISPs (KTH and SSVL); both ISPs are installed on the same computer. The OASIS mechanism is also shared between them, as well as the Kerberos server. In Figure 7.10 a complete network sketch is drawn, showing all the VLANs involved and how the ISPs are connected to the different components.
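The lease-file check described in the lease script section above can be sketched as follows. This is an added example in Python, not the perl script from Appendix 11.3; it assumes the ISC dhcpd lease file syntax with "binding state" lines, the lease entries, addresses and user names are constructed, and logging out a session whose IP address has no lease record or is now leased to a different MAC address is an assumption of the example.

```python
import re

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
STATE_RE = re.compile(r"^\s*binding state\s+(\w+)\s*;", re.M)   # skips "next binding state"
MAC_RE = re.compile(r"hardware ethernet\s+([0-9A-Fa-f:]+)\s*;")


def latest_lease(leases_text, ip):
    """Return (state, mac) from the newest entry for ip, or None if there is none.

    The lease file is append-only, so it is scanned from the end and the
    first entry found for the address is the current one.
    """
    for match in reversed(list(LEASE_RE.finditer(leases_text))):
        if match.group(1) != ip:
            continue
        body = match.group(2)
        state = STATE_RE.search(body)
        mac = MAC_RE.search(body)
        return (state.group(1) if state else None,
                mac.group(1).lower() if mac else None)
    return None


def sessions_to_logout(leases_text, sessions):
    """Return the users whose firewall rule should be removed.

    sessions mirrors the database of logged-in users: user, ip and mac.
    A session stays only if the newest lease for its IP address is active
    and still bound to the MAC address that authenticated.
    """
    stale = []
    for session in sessions:
        lease = latest_lease(leases_text, session["ip"])
        if lease is None or lease[0] != "active" or lease[1] != session["mac"].lower():
            stale.append(session["user"])
    return stale


# Constructed lease file: .11 was released, .13 was re-leased to another card.
SAMPLE_LEASES = """\
lease 192.0.2.11 {
  binding state active;
  next binding state free;
  hardware ethernet 02:00:00:00:00:0a;
}
lease 192.0.2.12 {
  binding state active;
  hardware ethernet 02:00:00:00:00:0b;
}
lease 192.0.2.13 {
  binding state active;
  hardware ethernet 02:00:00:00:00:0c;
}
lease 192.0.2.11 {
  binding state free;
  hardware ethernet 02:00:00:00:00:0a;
}
lease 192.0.2.13 {
  binding state active;
  hardware ethernet 02:00:00:00:00:0d;
}
"""

# Constructed copy of the logged-in users.
SAMPLE_SESSIONS = [
    {"user": "alice", "ip": "192.0.2.11", "mac": "02:00:00:00:00:0A"},
    {"user": "bob", "ip": "192.0.2.12", "mac": "02:00:00:00:00:0b"},
    {"user": "carol", "ip": "192.0.2.13", "mac": "02:00:00:00:00:0c"},
    {"user": "dave", "ip": "192.0.2.14", "mac": "02:00:00:00:00:0e"},
]

if __name__ == "__main__":
    print(sessions_to_logout(SAMPLE_LEASES, SAMPLE_SESSIONS))
```

Comparing the MAC address as well as the lease state matters because the firewall rule is keyed on an IP and MAC pair: once the address has been handed to another network card, the old rule should not remain.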


More information

ET4254 Communications and Networking 1

ET4254 Communications and Networking 1 Topic 10:- Local Area Network Overview Aims:- LAN topologies and media LAN protocol architecture bridges, hubs, layer 2 & 3 switches 1 LAN Applications (1) personal computer LANs low cost limited data

More information

Goals and topics. Verkkomedian perusteet Fundamentals of Network Media T Circuit switching networks. Topics. Packet-switching networks

Goals and topics. Verkkomedian perusteet Fundamentals of Network Media T Circuit switching networks. Topics. Packet-switching networks Verkkomedian perusteet Fundamentals of Media T-110.250 19.2.2002 Antti Ylä-Jääski 19.2.2002 / AYJ lide 1 Goals and topics protocols Discuss how packet-switching networks differ from circuit switching networks.

More information

Introductions. Computer Networking Lecture 01. January 16, HKU SPACE Community College. HKU SPACE CC CN Lecture 01 1/36

Introductions. Computer Networking Lecture 01. January 16, HKU SPACE Community College. HKU SPACE CC CN Lecture 01 1/36 Introductions Computer Networking Lecture 01 HKU SPACE Community College January 16, 2012 HKU SPACE CC CN Lecture 01 1/36 Outline What is a Computer Network? Basic Requirements of Building a Computer Network

More information

Release README August 2005

Release README August 2005 Known Issues with this Release and Notes New for this release: 11.4.1 Release README August 2005 Microsoft s 802.11i supplicant is incompatible with NSE s implementation of 802.11i Broadcast packets are

More information

Chapter 6. The Protocol TCP/IP. Introduction to Protocols

Chapter 6. The Protocol TCP/IP. Introduction to Protocols Chapter 6 The Protocol TCP/IP 1 Introduction to Protocols A protocol is a set of rules that governs the communications between computers on a network. These rules include guidelines that regulate the following

More information