Lecture 16: Architectural Considerations
Prof. Shervin Shirmohammadi, SITE, University of Ottawa (CEG 4185)

Network Architecture
- The high-level, end-to-end structure of the network: the relationships between its major architectural components.
- Component architectures: addressing and routing, network management, performance, security.
- The architecture is where requirements and flows are integrated into the structure of the network.
- Think of it as the blueprint that encompasses all the important components of the network, seen from a high-level perspective.
Network Architecture vs. Design
- Architecture describes relationships, which are generally location independent.
- Design specifies technologies, protocols, and network devices; locations play an important role in design.
- Even the most experienced network designer must first conceptualize the big picture of the network before developing a more detailed design of its components.

                   Architecture     Design
  Scope            broad            focused
  Level of detail  generalized      in depth
  Description      relationships    technologies
  Location         independent      dependent

Component Architectures
  Component            Capability                                             Mechanism
  Addressing/Routing   robust and flexible connectivity between devices        addressing, routing
  Network Management   monitoring, configuring, and troubleshooting            NMS, NM protocols
  Performance          resources to support capacity, delay, and RMA           QoS, SLA, policies
  Security             restricts unauthorized access, usage, and visibility    firewalls, security policies, filters, access control lists (ACLs)
Reference Architecture
- Goal: a reference architecture that is influenced by our requirements, flows, and goals, as well as by the component architectures (security, network management, performance, routing, others).

Balancing the Reference Architecture
- Depending on the requirements, traffic flows, and goals, the reference architecture is either balanced or favours particular functions.
- This is an informed decision that must be recorded in the documented part of the network architecture.
- Example: consider a network where low delay and jitter are a requirement. Routing, security, and network management each add delay or jitter (route convergence, inspection, polling), so some of them must be constrained to meet the performance target. Because each function is developed as its own component architecture, delay and jitter can be optimized in the performance component architecture and prioritized over the other architectures.
Optimizing the Reference Architecture
Numerous trade-offs occur between addressing/routing, network management, performance, and security:
- High security => lower performance. Security may have to take a low profile in parts of the network.
- Intensive network management => lower security. When management is a high priority, a separate security component architecture for the management plane may be required, since management protocols and credentials are themselves attack targets.
- High-resolution network management => lower performance. Out-of-band management is one solution, but the out-of-band network then needs its own security: it reaches the management interface of every device.
- Simplicity in addressing/routing => lower performance. Several performance mechanisms, such as DiffServ and RSVP, are tightly coupled to the addressing scheme.

Architectural Models
Three types of architectural model make a good starting point:
- Topological models: concentrate mostly on geographical or topological arrangement (LAN/MAN/WAN; access/distribution/core).
- Flow-based models: take advantage of flow information (peer-to-peer, client-server, hierarchical client-server, distributed computing).
- Functional models: focus on one or more functions or features of the network (service-provider, intranet/extranet, single-/multi-tier, end-to-end).
Network Regions
Characterizing regions by traffic flows allows each region to be treated in a similar fashion by all functions. Common regions:
- Access (edge): most traffic is generated and terminated here; access control and traffic shaping.
- Distribution: traffic flows are aggregated and terminated for common services, application servers, and storage servers.
- Core (backbone): transit for aggregates of traffic flows; differentiated services.
- External interfaces and DMZ (demilitarized zone): aggregation points for traffic flows external to the network.

Topological Models
Two popular topological models:
- LAN/MAN/WAN model: concentrates on the boundaries between the WAN, MAN, and LAN and on the behaviour of these interface points.
- Access/distribution/core model: focuses on function rather than location. Access is closest to the user and is where most traffic flows are sourced and/or sunk; distribution is where flows are consolidated; core is used for bulk transport.
[Figure: the WAN as core, MANs as distribution, and LANs as access.]
Flow-based Models
These are based on the flow models developed during analysis; as before there are four:
- Peer-to-peer: no obvious location for the peers, so this is closest to the core model.
- Client-server: functions, features, and services are focused on the servers, so architectural features belong at the server interfaces.
- Hierarchical client-server: similar to client-server.
- Distributed computing: data sources and sinks are obvious locations for architectural features.

Functional Models
Focus on particular functions in the network:
- Service-provider: focuses on privacy and security, service delivery, and billing.
- Intranet/extranet: the typical enterprise model, focusing on security and privacy.
- Single-tier/multi-tier: identifies parts of the network as having single-tier or multi-tier performance.
- End-to-end: the most difficult to apply, because one has to understand where each function will be located. These models are generally closely related to the requirements.
Using the Architectural Models
- It is generally easier to start from a topological model, because it can easily cover the larger scope of the network.
- Functional and flow-based models are better for focusing on a particular area of the network.

Combining Models
- Client-server or hierarchical client-server models may overlap with the access/distribution/core model.
Combining Models (continued)
[Figure: the distributed computing, client-server, hierarchical client-server, service-provider, intranet/extranet, and end-to-end models overlaid on the core, distribution, and access areas.]

Example (recall from lecture 8)
[Figure: Central Campus LAN, North Campus LAN, and South Campus LAN with servers and storage servers; flows F4 through F7 annotated with their rates.]
Topological Model (access/distribution/core areas)
[Figure: the example network with the campus LANs marked as access areas and the server interconnect marked as core.]

Flow-Based Model (distributed computing)
[Figure: the example network with the campus LANs and the storage servers marked as distributed computing areas; flows F4 through F7 annotated.]
Architectural Considerations: Security
- Evaluate potential security mechanisms, consider where they apply within the network, and determine external and internal relationships.
- Start simple and work toward more complex solutions: the access/distribution/core model discussed earlier can be used as a starting point for placing security points.
- Security can be added at different points in the architecture; security is increased from the access to the distribution to the core areas.

External relationships:
- Security and addressing: NAT hides internal addressing from external networks, which helps security, but it is not itself an access control and does not replace filtering. Dynamic addressing interferes with address-specific filtering: a host's address changes, so filters should be keyed on subnets or zones rather than on individual hosts.
- Security and network management: security depends on network management to configure, monitor, and audit the security mechanisms.
- Security and performance: these are nearly always at odds; the mechanisms of a security zone will affect the performance of that zone.

[Figure: access/distribution/core and security. Level 1 firewalls at the access boundary in front of users A, B, and C; Level 2 firewalls and encryption at distribution; a Level 3 firewall and packet filters at the core; intrusion detection and firewalls at the interface points.]
Security Zones
[Figure: nested security zones. User devices and the access areas form Security Level 1 (lowest), the distribution areas Security Level 2 (medium), and the core Security Level 3 (highest).]

Developing Security Zones
More realistically you will need to define security-level zones for user devices, services, and the network itself.
[Figure: Networks A and B form Security Level 4 (Groups A and B); Network E is Security Level 5 (servers); Networks C, F, and G are Security Level 1 (general); Network D is Security Level 3 (Group D); the external network/Internet is Security Level 2 (external).]
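The zone levels above can be written down as a policy that is checked against the flows from the flow analysis. The following Python is an added example, not part of the lecture; the zone names, levels, prefixes and sample flows are constructed for illustration. Membership is decided by prefix (the zone a subnet belongs to), not by individual host address, which is the usual answer to dynamic addressing interfering with address-specific filtering; the rule that traffic towards a lower level is permitted is an assumption of this example, as is the rule that every upward exception is inspected.

```python
"""Security-zone policy check for a layered access/distribution/core design.

Added example, not part of the lecture. Zone names, levels, prefixes and the
sample flows are constructed for illustration only.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Zone:
    name: str
    level: int                 # higher = more protected zone
    prefixes: List[str]        # zone membership is by prefix, not by host address
    # explicit exceptions: (source zone, destination port) pairs allowed to
    # enter this zone from a lower-level zone; they still pass inspection
    allowed_inbound: List[Tuple[str, int]] = field(default_factory=list)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int


class ZonePolicy:
    def __init__(self, zones: List[Zone]) -> None:
        self.zones: Dict[str, Zone] = {z.name: z for z in zones}
        self._nets = [(ip_network(p), z.name) for z in zones for p in z.prefixes]
        # longest-prefix match first, so a server block carved out of a larger
        # user block is classified as the server zone
        self._nets.sort(key=lambda t: t[0].prefixlen, reverse=True)

    def zone_of(self, addr: str) -> Optional[str]:
        a = ip_address(addr)
        for net, name in self._nets:
            if a in net:
                return name
        return None

    def evaluate(self, f: Flow) -> str:
        """Return the boundary decision for one flow: permit, permit+inspect or deny."""
        src_zone, dst_zone = self.zone_of(f.src), self.zone_of(f.dst)
        if src_zone is None or dst_zone is None:
            return "deny"                      # unclassified address: fail closed
        if src_zone == dst_zone:
            return "permit"                    # intra-zone traffic crosses no boundary
        src, dst = self.zones[src_zone], self.zones[dst_zone]
        if src.level >= dst.level:
            return "permit"                    # towards a lower level: allowed (assumption)
        if (src_zone, f.dst_port) in dst.allowed_inbound:
            return "permit+inspect"            # upward exception: must be inspected
        return "deny"                          # upward by default: blocked

    def audit(self, flows: List[Flow]) -> Dict[str, int]:
        """Count decisions over a flow list, e.g. the flows from the flow analysis."""
        counts: Dict[str, int] = {}
        for f in flows:
            d = self.evaluate(f)
            counts[d] = counts.get(d, 0) + 1
        return counts


# Constructed zones: levels increase from the external network to the servers.
EXAMPLE_ZONES = [
    Zone("internet", 0, ["0.0.0.0/0"]),
    Zone("general", 1, ["10.0.0.0/8"]),
    Zone("group_ab", 2, ["10.1.0.0/16"], allowed_inbound=[("general", 445)]),
    Zone("servers", 3, ["10.2.0.0/16"],
         allowed_inbound=[("internet", 443), ("group_ab", 22)]),
]

# Constructed sample flows.
EXAMPLE_FLOWS = [
    Flow("203.0.113.5", "10.2.0.10", 443),   # internet -> servers, web: exception
    Flow("203.0.113.5", "10.2.0.10", 22),    # internet -> servers, ssh: no exception
    Flow("10.3.7.9", "10.2.0.10", 22),       # general -> servers, ssh: no exception
    Flow("10.1.4.2", "10.2.0.10", 22),       # group_ab -> servers, ssh: exception
    Flow("10.2.0.10", "10.3.7.9", 514),      # servers -> general: downward
]

if __name__ == "__main__":
    policy = ZonePolicy(EXAMPLE_ZONES)
    for f in EXAMPLE_FLOWS:
        print(f"{str(policy.zone_of(f.src)):>9} -> {str(policy.zone_of(f.dst)):<9} "
              f"port {f.dst_port:<4} {policy.evaluate(f)}")
    print(policy.audit(EXAMPLE_FLOWS))
```

Running it against the flow list reports which flows need an explicit, inspected exception at a zone boundary and which are blocked by default; a non-empty "deny" count for flows the requirements say must work is the signal that either the zone levels or the exception list needs revisiting in the documented architecture.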
Architectural Considerations: Performance
- Start simple: best effort -> DiffServ -> IntServ.
- From the flow analysis maps you know where performance requirements need to be applied in the network.
- Recall that the access/distribution/core model separates the network by function: core -> bulk, aggregated traffic; distribution -> flows to and from servers plus aggregated traffic; access -> most traffic is sourced and sunk here.
- Performance mechanisms that operate on individual flows (admission control, resource allocation, IntServ, ATM QoS) should be considered for access.
- Performance mechanisms that operate on aggregated flows (DiffServ, WFQ, RED/WRED, and MPLS all fit here) should be considered for distribution and core.

External relationships:
- Performance and addressing/routing: performance is closely coupled with routing through mechanisms like DiffServ, IntServ, and RSVP. These are not simple protocols.
- Performance and network management: performance relies on network management to configure, monitor, manage, verify, and bill.
- Performance and security: security mechanisms affect performance negatively, especially intrusive ones. If a security mechanism interrupts, terminates, or regenerates a traffic flow (a proxy or an inspection device that terminates the session, for example), it breaks the flow's end-to-end identity and seriously affects the ability to provide end-to-end QoS.

Architectural Considerations: Network Management
- Centralized vs. distributed monitoring:
  - Centralized: all monitoring data are sent to one monitoring node, using either in-band or out-of-band monitoring.
  - Distributed: local monitoring nodes; less management traffic crosses the network.
- In-band vs. out-of-band.
- For a LAN, start with one monitoring device per IP subnet. Estimate:
  - the number of user and network devices to be polled,
  - the average number of interfaces per device and the number of parameters to be collected per interface,
  - the frequency of polling.
  The combined rate should not be more than 10% of the capacity of the line; for Ethernet keep it at 5%.
- For a WAN, start with a monitoring device per WAN/LAN interface.
- Local storage vs. archival: data are usually kept locally, cached for easy retrieval (within hours); if not used this quickly, archive them.
- Selective copying of data: consider saving only every Nth iteration of the data; N can range from 100 to 10,000.
- Data migration: usually occurs at night, from local storage to the archive.
- Metadata: additional information about the data (data types, time stamps, etc.) is very useful.
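The polling estimate above (devices, interfaces per device, parameters per interface, polling frequency, capped at 10% of line capacity or 5% on Ethernet) is a small calculation that is worth doing before choosing in-band or out-of-band management. The following Python is an added example, not from the lecture; the 160 bytes per polled parameter is an assumption standing in for a measured request-plus-response size, and the device counts are constructed. It also goes one step beyond the slide by solving for the slowest polling interval that still fits the budget and for how many local (distributed) monitors a subnet would need.

```python
"""Polling-load estimate for a network-management architecture.

Added example, not from the lecture. bytes_per_parameter is an assumption in
place of a measured SNMP request/response size; replace it with figures
measured from your own NMS. Device counts below are constructed.
"""
import math
from dataclasses import dataclass
from typing import Tuple


@dataclass
class PollingPlan:
    devices: int                    # user and network devices polled by one monitor
    interfaces_per_device: float    # average interfaces per device
    parameters_per_interface: int   # counters collected per interface per poll
    poll_interval_s: float          # seconds between polls of the same parameter
    bytes_per_parameter: int = 160  # assumed request + response bytes, headers included

    def parameters_per_poll(self) -> float:
        return self.devices * self.interfaces_per_device * self.parameters_per_interface

    def bits_per_poll(self) -> float:
        return self.parameters_per_poll() * self.bytes_per_parameter * 8

    def load_bps(self) -> float:
        """Average management traffic placed on the monitored line, in bit/s."""
        return self.bits_per_poll() / self.poll_interval_s


def budget_fraction(ethernet: bool) -> float:
    """Lecture rule of thumb: at most 10% of line capacity, 5% on Ethernet."""
    return 0.05 if ethernet else 0.10


def check_budget(plan: PollingPlan, link_bps: float,
                 ethernet: bool = False) -> Tuple[bool, float, float]:
    """Return (within_budget, utilisation, budget) for in-band polling on link_bps."""
    budget = budget_fraction(ethernet)
    utilisation = plan.load_bps() / link_bps
    return utilisation <= budget, utilisation, budget


def min_poll_interval_s(plan: PollingPlan, link_bps: float,
                        ethernet: bool = False) -> float:
    """Slowest polling interval that keeps the plan within the in-band budget.
    If this is longer than the interval the design needs, either poll out of
    band or spread the devices across more local monitors."""
    return plan.bits_per_poll() / (budget_fraction(ethernet) * link_bps)


def monitors_needed(plan: PollingPlan, link_bps: float,
                    ethernet: bool = False) -> int:
    """Local monitors needed if the devices are split evenly across subnets,
    each subnet with its own monitor, so that every share fits the budget."""
    _, utilisation, budget = check_budget(plan, link_bps, ethernet)
    return max(1, math.ceil(utilisation / budget))


if __name__ == "__main__":
    # Constructed plan: 200 devices, 4 interfaces each, 6 counters per interface,
    # polled once a minute.
    plan = PollingPlan(devices=200, interfaces_per_device=4,
                       parameters_per_interface=6, poll_interval_s=60)
    for name, link, eth in (("10 Mbit/s Ethernet", 10_000_000, True),
                            ("T1 WAN", 1_544_000, False)):
        ok, util, budget = check_budget(plan, link, eth)
        print(f"{name}: {plan.load_bps():.0f} bit/s = {util:.2%} of line, "
              f"budget {budget:.0%}, {'OK' if ok else 'TOO HIGH'}; "
              f"slowest interval within budget {min_poll_interval_s(plan, link, eth):.1f} s")
    fast = PollingPlan(200, 4, 6, poll_interval_s=5)
    print(f"5 s polling over T1 needs {monitors_needed(fast, 1_544_000)} local monitors")
```

The same plan passes comfortably on a 10 Mbit/s Ethernet segment but consumes about 6.6% of a T1, and polling every 5 seconds over that T1 would take roughly 80% of the line; that is the point at which the lecture's alternatives (out-of-band monitoring or distributed local monitors) stop being optional.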
Trade-offs
Internal:
- In-band management is cheaper than out-of-band but affects the performance of the traffic flows it shares links with.
- Out-of-band management is more reliable and allows access to remote devices even when the production path is down; it can also be more secure, since management traffic never shares a path with user traffic.
- A centralized manager is simpler but is a single point of failure.
External:
- Network management and addressing: the management domain needs to be considered in the network architecture design.
- Network management and performance: discussed earlier; how management data affect traffic flow and capacity.
- Network management and security: network management relies on a particular level of security to get access to the managed objects.