The available remote access products range from very small secure Ethernet-to-ISDN bridges/routers that give SOHO users the flexibility to use digital technology without abandoning the PSTN lines to large multiservice systems destined for large enterprise networks, ISPs, or local exchange carriers.
At the heart of high-end access servers is the support for V.90, K.56flex, and V.34 modems (with speeds of up to 56 kbps downstream and 33.6 kbps (V.34) upstream) that can self-configure and provide real-time diagnostics. Advanced modems are DSP driven, with purely digital circuitry. Another important feature of access servers is support of data compression for the ISDN or leased-line connection, which can increase the bandwidth by a factor of 4.
In a nutshell, a medium-size remote access server—suited for high-density wide area network (WAN) service pooling and point-of-presence applications—consists of a pool of V.90 modems, a router, and a server on a single chassis. Such a chassis can support from 10 to about 200 modems. These units may also support frame relay communications (not discussed here). The scalability of an access server can often be increased by stacking multiple hardware chassis and interconnecting them via a LAN. To work as one unit, the product must ensure that a single user’s ISDN connection of 128 kbps (2 x 64 kbps) can span multiple chassis. In addition, the product may allow all port resources of these multiple chassis to be pooled and available to all services.
Two important features of access servers are dynamic port allocation and single incoming telephone number. With the dynamic port allocation feature, the ports are pooled and made available for a call as required by incoming traffic. When the call is terminated, the freed port is returned to the pool. With the single incoming telephone number feature, a single number can be offered for different dial-in services, such as the ISDN and POTS. The access server recognizes whether an incoming call is made via an ISDN or analog (or channelized T1 or E1) line. When a call arrives on a PRI line, the access server checks to see if framing is present. If it is, the access server processes the ISDN call; if it is not, the DSP processor is brought up to execute the modem handshake.
Security solutions in high-end products allow network managers to configure and modify hierarchical security schemes. In some products, RADIUS software (which usually also supports accounting) is included in the offer, but RADIUS itself has to interwork with authentication software. Authentication via the Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP)—as well as encrypted administrative passwords are examples of acceptable security solutions present in today’s products. Support of call-back and firewall packet filtering are other important product differentiators for security. In addition, the PSTN information, such as calling line identification (CLI), is sometimes used in combination with the IP security mechanisms.
The requirements of emerging technologies (such as DSL) and the need to interconnect with the ATM networks has resulted in the emergence of carrier-grade access servers (also called remote access concentrators), which are suitable for large ISPs and enterprise networks.
An example hardware configuration of a high-end carrier-grade server is a multislot chassis connected by a fast switching fabric (such as 5-Gbps ATM). (Sometimes time division multiplexer buses are used, but they are inferior to the ATM cell switching fabric, which eliminates any congestion or arbitration delays as well as single points of failure.) The switching fabric, which provides a highly reliable cross-connect matrix, is combined with the passive backplane for redundancy. With the backplane so powerful, a single slot can be provided with a dedicated line whose bandwidth may range from 155 to 622 Mbps, which results in supporting of at least three T3 lines. A single high-end server may support over 800 simultaneous modem sessions (or leased line connections). Those servers can be stacked to support over 4000 modem sessions simultaneously. Systems of this class have highly reliable redundant power supplies, advanced power distribution, and efficient thermal design (typically with hot-swappable cooling fans to dissipate the vast amount of heat created by modem integrated circuits). Another redundancy is achieved by having more modems in the pool than there are possible connections. Thus, a malfunctioning modem can be immediately replaced by an extra modem, even at full capacity.
The capabilities of high-end access servers are attractive to local telephone companies that plan to offer advanced remote access services such as virtual private network (VPN) services. Two IETF-standardized mechanisms addressed —L2TP and IPsec—are essential for provision of secure VPN.
Layer Two Tunneling Protocol (L2TP), allows the (possibly encrypted) point-to-point protocol frames to be encapsulated in an IP packet and tunneled over any IP-based network. Two devices are used for the L2TP tunnel: the L2TP access concentrator (LAC) and the L2TP network server (LNS). (Figure 1 depicts the relevant architecture.) LAC encapsulates point-to-point protocol frames within L2TP packets and passes them to one or more L2TP network servers over any IP-based transport (which includes frame relay and ATM networks). The LNS deencapsulates the L2TP packets, processes PPP frames, and routes them over the enterprise network.
Figure 1: L2TP tunneling with RASs.
Advanced remote access products implement both the LAC and LNS functions, thus supporting over 800 simultaneous L2TP tunnels. The routing software on the LAC side benefits from the implementation of the Border Gateway Protocol (BGP) by realizing multihoming (that is, maintenance of connections to multiple Internet service providers). On the LNS side, the challenge is that terminating L2TP tunnels is highly CPU intensive. For this reason, hardware solutions (such as LNS cards, which can be inserted into chassis slots) are necessary to ensure linear scalability. Some existing LNS cards can support up to 500 L2TP sessions each; however, interworking with the (invariably proprietary) software of RASs may actually reduce the number of active simultaneous sessions.
As in the case of the LNS, the software-only IPsec solutions are deemed neither to scale nor meet the performance requirements of typical networks. Optional IPsec encryption cards are supplied with advanced offers. Such cards can deliver near-wire speeds (that is, 1 to 1.5 Mbps, depending on the packet size) while supporting the 56-bit Data Encryption Standard (DES) or 168-bit Triple DES with MD-5 Authentication in Encapsulated Security Payload (ESP) mode.
RADIUS servers implement the authentication, authorization, and accounting (AAA) solution for the time being. The essence of the existing products [largely based on RFC 2138 and reported in the informational RFC 2139] is that they are software based. The problem itself does not require computationally intensive solutions; instead, platform independence and extensible plug-in capabilities are important requirements.
Platform independence is best achieved by providing software that can be executed in most environments. Presently, the Java programming environment is the environment of choice from this point of view. With the core RADIUS software developed by one vendor, plug-ins for support of user directories, data analysis tools, security, and billing services can be developed by other vendors or even customers. The key product differentiator is support of construction and management of specific policies that guard access to services. For example, leading products enable network managers to construct configuration files that specify AAA processing paths for unique policies executed in conjunction with external data sources. The feature sets so provided enable the support of applications starting with simple enterprise (or Internet) access and finishing with remote access outsourcing. For example, a built-in session control limits the number of sessions permitted on a per-user or per-realm basis. In support of remote access outsourcing, RADIUS servers enforce group limits and manage loading of logical ports and modem groups. As far as the accounting goes, it is again a matter of plug-in software, which can be supplied by the RADIUS vendors or developed independently. The RADIUS software interacts with that of the accounting plug-in by means of billing events.
Remote access servers typically support SNMP and telnet for network management. There are multiple network management applications with graphic interfaces that come with products.
The last, but not least important, feature of the leading remote access servers is support of SS No. 7 and, in some cases, DSSI (Q.931) between the access servers and central office, which enables the Internet offloading application. The ISP or enterprise can take a data call at the access server and route it through the Internet to the main facilities (which otherwise would need to terminate PSTN calls). With this feature an ISP can connect to a local exchange carrier (LEC) as a competitive LEC (CLEC) via a particular trunking arrangement. The calls are then routed to the ISP’s access number so the ISP looks like a competing local carrier serving a single customer—the ISP access server. [For a detailed description, see Kozik et al. (1998).] The feature usually employs the SS7 gateway products (SS7, a shorter and simpler abbreviation than standard SS No. 7).
It's a little surprising to read about these remote access servers in such technical jargon considering that anyone who dials into a network from home using an analog modem or an ISDN connection will dial into a remote access server.
ReplyDeleteI like your blog post. Keep on writing this type of great stuff. I'll make sure to follow up on your blog in the future.
ReplyDeleteEstablishing Serial Point-to-Point Connection