Subscriber Authentication and Security Techniques for TPS Services: [2] TPS Subscriber and Terminal Authentication Architecture
Authentication and Security for TPS: [2] Subscriber & RG Authentication
By Netmanias (tech@netmanias.com)
Netmanias Technical Document: Subscriber Authentication and Security Techniques for TPS Services [2] TPS Subscriber and Terminal Authentication Architecture

28 February 2007
NMC Consulting Group(tech@netmanias.com)

2
Contents
- PPPoA/PPPoE Authentication
- DHCP authentication
- RG authentication
- Multicast Security (IGMP Join filter)
- Service provisioning: PEP, PDP
- Case study

3
PPPoA Authentication
[Figure: PPPoA protocol stack and authentication sequence. PC: IPv4 / PPPoA / AAL5 / ATM / xDSL PHY; xDSL modem; DSLAM (xDSL PHY, ATM, Optical PHY); ATM backhaul; BRAS (terminates PPPoA over AAL5/ATM, IPv4 toward the IP Core); AAA server attached to the BRAS.]
PPPoA: ATM based ADSL
Authentication based on User ID, Password (+ VPI/VCI)
Sequence between PC, BRAS and AAA server:
1. PPP Link Establishment
2. PAP/CHAP Authenticating Request (ID/Password): the BRAS asks the authentication server to verify the user identification. The server's answer is either "Successful" or "Failed".
3. IPCP (IP assignment)
4. DATA Transfer

4
PPPoE Protocol Stack
[Figure: PPPoE protocol stack. PC (MAC m1): IPv4 / PPPoE / Ethernet / Ethernet PHY; xDSL modem (Ethernet to AAL5 / ATM / xDSL PHY); DSLAM (xDSL PHY, ATM or Ethernet, Optical PHY); Ethernet backhaul; BRAS (terminates PPPoE over Ethernet or AAL5/ATM, IPv4 toward the IP Core); AAA server attached to the BRAS.]
PPPoE: ATM based ADSL, IP based ADSL

5
PPPoE
- PPPoE Frame: Destination MAC (6 byte) | Source MAC (6 byte) | ETHER_TYPE (2 byte) | Payload | FCS
  - ETHER_TYPE: 0x8863 (Discovery Stage)
  - ETHER_TYPE: 0x8864 (PPP Session Stage)
- Discovery Stage (BRAS Searching Stage)
  - Discovers an Access Concentrator (BRAS)
  - Identify Ethernet MAC Address of the peer (BRAS)
  - Establish a Unique PPPoE Session_ID
- PPP Session Stage (PPP Frame Transmission Stage)
  - Ethernet Unicast Packet with PPP Encapsulation
  - LCP, PAP/CHAP, IPCP

6
PPPoE Operation: Discovery stage
- Discovery Stage: BRAS Searching stage
  PADI (src MAC = m1, dst MAC = broadcast)
  PADO (src MAC = mBRAS, dst MAC = m1)
  PADR (src MAC = m1, dst MAC = mBRAS)
  PADS (src MAC = mBRAS, dst MAC = m1)
  PADI: PPPoE Active Discovery Initiation packet
  PADO: PPPoE Active Discovery Offer packet
  PADR: PPPoE Active Discovery Request packet
  PADS: PPPoE Active Discovery Session-Confirmation packet
  PADT: PPPoE Active Discovery Terminate packet
- The CPE learns the MAC address of the BRAS during the PPPoE Discovery stage.
- There is no ARP in PPPoE.
- In PPPoE, direct communication between subscribers across the backhaul network is fundamentally impossible; traffic always passes through the BRAS. Existing standardized solutions may be deployed to prevent layer-2 visibility (hair-pin) between stations: PPP over Ethernet [RFC2516]. The use of PPPoE creates individual tunnels between hosts and one or more Access Concentrators (AC) over a bridged Ethernet topology. Traffic always flows between an AC and hosts, never between hosts. The Access Node can enforce that upstream traffic will only go to the AC initially selected by the host.
[Figure: PC (m1) - xDSL modem - DSLAM - Ethernet backhaul - BRAS - IP Core, with the AAA server attached to the BRAS.]

7
PPPoE Operation: PPP Session stage
- PPP Session Stage: PPP Connection stage
[Figure: PC (m1) - xDSL modem - DSLAM - Ethernet backhaul - BRAS - IP Core, with the AAA server attached to the BRAS.]
Sequence between PC, BRAS and AAA server:
1. PPP Link Establishment
2. PAP/CHAP Authenticating Request (ID/Password): the BRAS asks the authentication server to verify the user identification. The server's answer is either "Successful" or "Failed". Authentication is based on User ID and Password.
3. IPCP (IP assignment)
4. DATA Transfer

8
PPPoE Encapsulation
Discovery stage frame (E-type = 0x8863):
  Destination MAC | Source MAC | E-type = 0x8863 | Version (4 bits) | Type (4 bits) | Code (1 byte) | Session ID (2 bytes) | Length (2 bytes) | Payload (PPPoE Payload, TAGs) | FCS
PPP Session stage frame (E-type = 0x8864):
  Destination MAC | Source MAC | E-type = 0x8864 | Version (4 bits) | Type (4 bits) | Code (1 byte) | Session ID (2 bytes) | Length (2 bytes) | PPP protocol ID (2 bytes) | PPP Payload (PPP Encapsulation Data) | FCS
Field values:
  Version = 0x01, Type = 0x01
  Code: PADI = 0x09, PADO = 0x07, PADR = 0x19, PADS = 0x65, PADT = 0xa7, PPP Session Stage = 0x00
  Session_ID: identifies the PPPoE session
  PPP Protocol ID: LCP = 0xc021, PAP = 0xc023, CHAP = 0xc223, IPCP = 0x8021

9
DSL Line Identification: Subscriber traceability
[Figure: three variants of Home GW / PC - DSLAM - L2-Access - BRAS - IP Network - Radius or DHCP server, each with one ATM VC or one VLAN per subscriber.]
- ATM/PPP: DSL Line identification. PPP over one ATM VC per subscriber; the BRAS reports the line to the Radius server as NAS-Port-Id: "[Relay-identifier] atm 3/0:100.33" (slot = 3, port = 0, vpi = 100, vci = 33).
- ATM/DHCP: DSL Line identification. DHCP over one ATM VC per subscriber; the relay reports the line to the DHCP server as Circuit-Id: "[Relay-identifier] atm 3/0:100.33" (slot = 3, port = 0, vpi = 100, vci = 33).
- Eth/VLAN: DSL Line identification. PPP or DHCP over one VLAN per subscriber; NAS-Port-Id: "[Relay-identifier] eth 3/0:33" (slot = 3, port = 0, vlan-tag = 33), sent to Radius or DHCP.
- Example subscriber record at the server: Hong Gil-dong, ID1, PW1.

10
PPPoE Intermediate Agent requirements
PPPoE session establishment
The PPPoE Intermediate Agent intercepts all PPPoE discovery packets, i.e. the PADI, PADO, PADR, PADS and PADT packets. The Intermediate Agent does not change the source or destination MAC address of these PPPoE discovery packets.
Upon reception of a PADI or PADR packet sent by the PPPoE client, the Intermediate Agent adds a TAG to the packet sent upstream. The TAG contains the identification of the DSL line on which the PADI or PADR packet was received in the Access Node where the Intermediate Agent resides. For the details of this TAG, please refer to section 3.5.1.
If the TAG containing the DSL line identification is present in PADO or PADS packets sent by the BRAS, the Intermediate Agent MUST remove the TAG before sending the packet downstream.
If a PADI or PADR packet exceeds 1500 octets after adding the TAG containing the DSL line identification, the Intermediate Agent MUST NOT send the packet to the BRAS. The PPPoE Intermediate Agent SHOULD then return a Generic-Error TAG to the sender in the appropriate PPPoE discovery packet (i.e. PADO or PADS).
PADO, PADS or PADT packets sent by the BRAS contain the MAC address of the Host as the destination MAC address.
[Figure: PPPoE discovery and session stages between Host, Intermediate Agent / Relay and Access Concentrator.]
PPPoE discovery stage:
  Host → Intermediate Agent: PADI;  Intermediate Agent → Access Concentrator: PADI + Line ID
  Access Concentrator → Intermediate Agent: PADO (Line ID);  Intermediate Agent → Host: PADO
  Host → Intermediate Agent: PADR;  Intermediate Agent → Access Concentrator: PADR + Line ID
  Access Concentrator → Intermediate Agent: PADS;  Intermediate Agent → Host: PADS
PPPoE session stage: LCP message exchange, NCP message exchange, Data exchange

11
BRAS (Access Concentrator) requirements
The BRAS MUST accept PADI and PADR packets containing a TAG that is used to convey the DSL line identification to the BRAS. For the details of this TAG, please refer to section 3.5.1.
The DSL line information present in a TAG in the PADI and PADR packets MAY be used by the BRAS to check whether PPPoE discovery is allowed for the identified subscriber line. This behavior is independent of the PPP authentication phase performed later on.
The BRAS MUST be able to use the DSL line identification to construct the proper RADIUS Attributes (e.g. NAS-Port-Id, NAS-Port or Calling-Station-Id) during the PPP authentication phase. These Attributes are sent in a RADIUS Access-Request packet to the RADIUS server. This allows the RADIUS server to take the DSL line identification into account when performing authentication, authorization and
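The PPPoE header fields from the encapsulation slide and the Intermediate Agent rules above, as an added Python model written for this page (not Netmanias' or any vendor's code). The TAG types are those of RFC 2516; the layout of the line-ID TAG (Vendor-Specific TAG with the ADSL Forum vendor id and an Agent-Circuit-ID sub-option) is assumed from the TR-101 section the slides cite but do not reproduce, and the MACs, circuit id and frames are constructed.

```python
import struct

# Field values as listed on the PPPoE Encapsulation slide.
ETH_P_PPPOE_DISC, ETH_P_PPPOE_SESS = 0x8863, 0x8864
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xa7: "PADT", 0x00: "SESSION"}
PPP_PROTOS = {0xc021: "LCP", 0xc023: "PAP", 0xc223: "CHAP", 0x8021: "IPCP"}
# RFC 2516 TAG types. The line-ID TAG layout (vendor id 0x00000DE9 + sub-option 0x01
# Agent-Circuit-ID) is assumed from TR-101 section 3.5.1, which the slides only reference.
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_VENDOR_SPECIFIC = 0x0101, 0x0102, 0x0105
ADSL_FORUM_VENDOR_ID, SUBOPT_CIRCUIT_ID = 0x00000DE9, 0x01
MAX_PADX_OCTETS = 1500  # limit applied here to the PPPoE packet (Ethernet payload); an assumption

def parse_tags(payload):
    tags, off = [], 0
    while off + 4 <= len(payload):
        ttype, tlen = struct.unpack("!HH", payload[off:off + 4])
        tags.append((ttype, payload[off + 4:off + 4 + tlen]))
        off += 4 + tlen
    return tags

def parse_pppoe(frame):
    """Decode Ethernet + PPPoE header: TAGs in the discovery stage, PPP protocol in the session stage."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vt, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if vt != 0x11:  # Version 0x1, Type 0x1
        raise ValueError("bad PPPoE version/type")
    payload = frame[20:20 + length]
    info = {"dst": frame[0:6].hex(), "src": frame[6:12].hex(),
            "code": CODES.get(code, hex(code)), "session_id": session_id}
    if ethertype == ETH_P_PPPOE_DISC:
        info["tags"] = parse_tags(payload)
    elif ethertype == ETH_P_PPPOE_SESS:
        info["ppp_proto"] = PPP_PROTOS.get(struct.unpack("!H", payload[:2])[0], "other")
    else:
        raise ValueError("not a PPPoE frame")
    return info

def build_discovery(dst, src, code, session_id, tags):
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    hdr = struct.pack("!HBBHH", ETH_P_PPPOE_DISC, 0x11, code, session_id, len(payload))
    return dst + src + hdr + payload

def line_id_tag(circuit_id):
    sub = bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id.encode()
    return (TAG_VENDOR_SPECIFIC, struct.pack("!I", ADSL_FORUM_VENDOR_ID) + sub)

def circuit_id_from_tags(tags):
    """What the BRAS extracts to build NAS-Port-Id / Calling-Station-Id style RADIUS attributes."""
    for ttype, value in tags:
        if ttype == TAG_VENDOR_SPECIFIC and value[:4] == struct.pack("!I", ADSL_FORUM_VENDOR_ID):
            off = 4
            while off + 2 <= len(value):
                sub, slen = value[off], value[off + 1]
                if sub == SUBOPT_CIRCUIT_ID:
                    return value[off + 2:off + 2 + slen].decode()
                off += 2 + slen
    return None

def ia_upstream(frame, circuit_id):
    """Intermediate Agent, upstream: add the line-ID TAG to PADI/PADR, MACs untouched; drop if too long."""
    info = parse_pppoe(frame)
    if info["code"] not in ("PADI", "PADR"):
        return frame
    tags = info["tags"] + [line_id_tag(circuit_id)]
    out = build_discovery(frame[0:6], frame[6:12], frame[15], info["session_id"], tags)
    if len(out) - 14 > MAX_PADX_OCTETS:
        return None  # MUST NOT be sent to the BRAS; the IA should answer with a Generic-Error TAG
    return out

def ia_downstream(frame):
    """Intermediate Agent, downstream: strip the line-ID TAG from PADO/PADS before forwarding."""
    info = parse_pppoe(frame)
    if info["code"] not in ("PADO", "PADS"):
        return frame
    tags = [(t, v) for t, v in info["tags"] if t != TAG_VENDOR_SPECIFIC]
    return build_discovery(frame[0:6], frame[6:12], frame[15], info["session_id"], tags)

# Constructed sample frames (no real captures): host m1, BRAS mBRAS, FCS omitted.
M1, MBRAS, BCAST = bytes.fromhex("0200aabbcc01"), bytes.fromhex("02005e000001"), b"\xff" * 6
PADI = build_discovery(BCAST, M1, 0x09, 0, [(TAG_SERVICE_NAME, b"")])
SESSION_LCP = (MBRAS + M1 + struct.pack("!HBBHH", ETH_P_PPPOE_SESS, 0x11, 0x00, 0x1234, 6)
               + bytes.fromhex("c021") + b"\x01\x01\x00\x04")  # LCP Configure-Request
```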

12
DHCP authentication
- Authentication based on DHCP options
  - Option 60: Vendor Class ID
  - Option 61: Client ID
  - Option 82: Line ID
- RFC 2132: DHCP Options and BOOTP Vendor Extensions
- RFC 3046: DHCP Relay Agent Information Option (option 82)
[Figure: PC (m1) - Modem (CPE) - L2SW (DSLAM, DHCP snooping) - Ethernet backhaul - BRAS (DHCP Relay) - IP Core - DHCP server.]
Initial Subscriber Information Registration at the DHCP server: Vendor Class ID, Client ID (MAC address, Port ID, Service Profile)
Sequence:
1. CPE → L2SW: DHCP-Request (Option 60/61)
2. L2SW → BRAS: DHCP-Request + Option 82 (Port ID)
3. BRAS → DHCP server: DHCP-Request + Option 82 (Port ID) + GI address
4. DHCP server: 1) Authentication based on Device Info (option 60/61) & Port ID (option 82) → Authentication Success; 2) IP allocation
5. DHCP_Ack (IP address)

13
DHCP re-authentication
Sequence between DHCP Client and DHCP Server:
1. Broadcast DHCP request message: DHCP Request (option 60/61, Option 82). The server performs client authentication based on Device Info (option 60/61) & Port ID (option 82) and answers DHCP Ack (ip address, T1 timer value, ...). Client state: BOUND; T1 and T2 timers start.
2. Renewal timer (T1) expires. Client state: RENEWING.
3. Send DHCP request message to the Original Lease Server: DHCP Request (option 60/61, Option 82). Client authentication again based on Device Info (option 60/61) & Port ID (option 82). DHCP Ack (ip address, T1 timer value, ...). Client state: BOUND.
4. Renewal timer (T1) expires. Client state: RENEWING.
5. Send DHCP request message to the Original Lease Server: as in step 3, the client is authenticated again and receives DHCP Ack (ip address, T1 timer value, ...). Client state: BOUND.
IP renewal timer = 10 ~ 30 sec, so the client is re-authenticated at every renewal.

14
RG Device Information
1. ITU-T H.610
DHCP DISCOVER and DHCP REQUEST messages, issued by FS-VDSL compliant terminals shall include a Vendor Class Identifier option (sub clause 9.13 of IETF RFC 2132 [27]) specifying the terminal type.
The value of this option shall be interpreted as a string of UTF-8 IETF RFC 2279 [24] characters with the 4-field format described below.
<FSVDSL><Service Type><Manufacturer ID><Model Number>
- <FSVDSL> is the constant 6-character string "FSVDSL" followed by the dot ('.') character.
- <Service Type> is a variable length string indicating the service supported by the terminal. This field shall contain exactly one dot character as the last character.
- <Manufacturer ID> is a variable length string that uniquely identifies the manufacturing vendor. It is recommended that this field will be encoded as the OUI allocated to the vendor by the IEEE. This field shall contain exactly one dot character as the last character. Appendix X gives the current method to obtain an OUI from IEEE.
- <Model Number> is a variable length string that uniquely identifies the terminal type within the scope of this vendor. Model numbers shall be allocated and published by the terminal vendors.
The DHCP server in the VTP/D should ignore DHCPDISCOVER and DHCPREQUEST messages carrying User Class or Vendor Class Identifier options of the above syntax, in order to allow controlling IP addressing for advanced services to be from the network (i.e., service operator). The following basic service types are defined for the usage of FS-VDSL terminals (additional types may be used):
- "VOICE" for derived voice services;
- "VIDEO" for digital broadcast and VoD services;
- "DATA" for data only service.
2. DSL Forum
DSLForum2004.297.00, August 2004, "TR-69 DHCP conditional serving parameters"
- Vendor Class ID (Option 60)
- Client ID (Option 61)
- User Class Option (Option 77)
[Figure: two DHCP exchanges between a DHCP client and the DHCP server.]
Exchange 1: DHCP_Request with <Service Type> = "VIDEO", <Manufacturer ID> = KT → DHCP_Ack {Video IP address = 200.30.1.10, TFTP server IP address (66), Configuration filename (67)}
Exchange 2: DHCP_Request with <Service Type> = "VIDEO", <Client ID> = 3F206A7810 → DHCP_Ack {Video IP address = 200.30.1.10, TFTP server IP address (66), Configuration filename (67)}
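The server-side DHCP authentication described on the preceding slides (device info in options 60/61, line identification in option 82, and the H.610 4-field Vendor Class Identifier and DSL line-id strings parsed into their fields), as an added Python example written for this page, not code from Netmanias, H.610 or the DSL Forum. The registration record, the relay identifier "dslam01", the model number and the client-id bytes are constructed.

```python
import re

# DHCP option codes named on the slides (RFC 2132 options 60/61, RFC 3046 option 82).
OPT_VENDOR_CLASS, OPT_CLIENT_ID, OPT_RELAY_AGENT, OPT_PAD, OPT_END = 60, 61, 82, 0, 255
SUBOPT_CIRCUIT_ID = 1   # RFC 3046 Agent Circuit ID sub-option

def parse_options(raw):
    """Parse a DHCP options field (the bytes after the magic cookie) into {code: value}."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def parse_relay_suboptions(value):
    subs, i = {}, 0
    while i + 2 <= len(value):
        code, length = value[i], value[i + 1]
        subs[code] = value[i + 2:i + 2 + length]
        i += 2 + length
    return subs

def parse_fsvdsl_vendor_class(value):
    """Split the H.610 Vendor Class Identifier FSVDSL.<Service Type>.<Manufacturer ID>.<Model Number>."""
    text = value.decode("utf-8")
    parts = text.split(".", 3)   # each of the first three fields ends in exactly one dot
    if len(parts) != 4 or parts[0] != "FSVDSL":
        raise ValueError("not an FS-VDSL vendor class: %r" % text)
    return {"service_type": parts[1], "manufacturer_id": parts[2], "model_number": parts[3]}

# "[Relay-identifier] atm 3/0:100.33" or "[Relay-identifier] eth 3/0:33", as on the traceability slide.
LINE_ID_RE = re.compile(
    r"^(?:\[(?P<relay>[^\]]*)\]\s*)?(?P<kind>atm|eth)\s+(?P<slot>\d+)/(?P<port>\d+):(?P<rest>[\d.]+)$")

def parse_line_id(circuit_id):
    m = LINE_ID_RE.match(circuit_id)
    if not m:
        raise ValueError("unrecognised DSL line id: %r" % circuit_id)
    line = {"relay": m.group("relay"), "slot": int(m.group("slot")), "port": int(m.group("port"))}
    if m.group("kind") == "atm":
        vpi, vci = m.group("rest").split(".")
        line.update(vpi=int(vpi), vci=int(vci))
    else:
        line["vlan_tag"] = int(m.group("rest"))
    return line

# Constructed "Initial Subscriber Information Registration": DSL line -> registered device.
# Client id = slide's 3F206A7810 prefixed with hardware type 01 (constructed).
REGISTERED = {
    "[dslam01] atm 3/0:100.33": {"client_id": bytes.fromhex("013f206a7810"),
                                 "service_type": "VIDEO", "profile": "VIDEO-200.30.1.10"},
}

def authenticate(opts):
    """Server-side check: device info (options 60/61) and the line (option 82) must both match."""
    subs = parse_relay_suboptions(opts.get(OPT_RELAY_AGENT, b""))
    circuit = subs.get(SUBOPT_CIRCUIT_ID)
    if circuit is None:
        return None, "no option 82 circuit id"
    reg = REGISTERED.get(circuit.decode())
    if reg is None:
        return None, "unknown line"
    if opts.get(OPT_CLIENT_ID) != reg["client_id"]:
        return None, "client id not registered on this line"
    if OPT_VENDOR_CLASS not in opts:
        return None, "no vendor class"
    if parse_fsvdsl_vendor_class(opts[OPT_VENDOR_CLASS])["service_type"] != reg["service_type"]:
        return None, "service type not registered on this line"
    return reg["profile"], "ok"

def encode_options(opts):
    return b"".join(bytes([code, len(value)]) + value for code, value in opts.items()) + bytes([OPT_END])

# Constructed DHCP-Request options as they reach the server after the L2SW added option 82.
CIRCUIT = b"[dslam01] atm 3/0:100.33"
REQUEST = encode_options({
    OPT_VENDOR_CLASS: b"FSVDSL.VIDEO.KT.STB-1",
    OPT_CLIENT_ID: bytes.fromhex("013f206a7810"),
    OPT_RELAY_AGENT: bytes([SUBOPT_CIRCUIT_ID, len(CIRCUIT)]) + CIRCUIT,
})
```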

15
DSL Forum (RG Device Information Example)
Source: DSL Forum TR-69, CPE WAN Management Protocol, May 2004.

Name                              Type          Description
InternetGatewayDevice.DeviceInfo. object        This object contains general device information.
Manufacturer                      string(64)    The manufacturer of the CPE (human readable string).
ManufacturerOUI                   string(6)     Organizationally unique identifier of the device manufacturer. Represented as a six hexadecimal-digit value using all upper-case letters and including any leading zeros. The value MUST be a valid OUI as defined in [2].
ModelName                         string(64)    Model name of the CPE (human readable string).
Description                       string(256)   A full description of the CPE device (human readable string).
ProductClass                      string(64)    Identifier of the class of product for which the serial number applies. That is, for a given manufacturer, this parameter is used to identify the product or class of product over which the SerialNumber parameter is unique.
SerialNumber                      string(64)    Serial number of the CPE.

16
IGMP Security: Channel Authentication
[Figure: RG (with PC, TV and STB) over Ethernet or VDSL - AN (DSLAM / L2 SW) - L3 SW - N-SW - BRAS - IP Core (Premium) - IP-TV Headend. A basic-channel subscriber's STB sends IGMP Join (CH 51); a host marked "Hacker" also sends IGMP Join (CH 51).]
Basic Channels: 1~50
Premium Channels: 51, 52, 53
Basic Channel Subscriber (CH1~CH50)
IGMP Join Filter
- Issue: Multicast Channel Authentication
  - A Basic Channel subscriber sends an IGMP Join for a Premium Channel (pay channel, etc.)
- Solution: Network-based Conditional Access (IGMP Join Filter)
  - The problem can also be solved with DRM.

17
Installing IP-TV Access Control List
[Figure: Subscriber A and Subscriber B (each an RG with STB, PC, TV; modem and ONT variants) - AN (DSLAM / L2 SW) - L3 SW - N-SW - BRAS - IP Core (Premium) - IP-TV Headend. Management and control: OSS, EMS for DSLAM, L3 SW and RG (via SNMP), Policy Server with S_DB, AAA, DHCP, TFTP, Web authentication server, IP-TV Portal.]
Basic Channels: 1~50
Premium Channels: 51, 52, 53
Basic Channel Subscriber (CH1~CH50)
IP-TV subscriber policy provisioning:
- At service activation, the OSS (EMS) performs static pre-provisioning.
- At authentication, the PS (Policy Server) performs provisioning.

18
IGMP Join filter: H.610 (ITU-T)
[Figure: BRAS / IGMP Router - ATM SW - DSLAM, 1 PVC per channel. Between the IGMP router and the ATM switch: Multicast channel 1 (PVC 101), Multicast channel 2 (PVC 102), Multicast channel 3 (PVC 103). The ATM SW performs ATM Cell Replication (ATM point-to-multipoint Cross-Connect). Toward subscriber 1: IGMP traffic (PVC1), Multicast channel 1 (PVC2), Internet traffic (PVC3); toward subscriber 2: IGMP traffic (PVC4), Multicast channel 1 (PVC5), Multicast channel 2 (PVC6), Internet traffic (PVC7). The DSLAM holds the IGMP Join Filter (S.E.R.), which the OSS provisions statically via SNMP.]
When an IGMP Join is received:
1) IGMP Join Filter lookup
2) ATM PTMP CC (point-to-multipoint cross-connect)

19
ITU-T H.610
Unlike TR-059, which does not consider multicast at the DSLAM, ITU-T H.610 recommends multicast at the DSLAM. That is, an IGMP Proxy function in the DSLAM means only one copy of a given channel is delivered as far as the DSLAM, which then multicasts it to the subscribers who requested that channel, avoiding wasted bandwidth between the DSLAM and the BRAS. In the TR-059 case channel authentication can be performed at the BRAS, but in H.610 multicast takes place at the DSLAM, so the DSLAM is given a Conditional Access function.
All channels are broadcast as far as the OLT, and the OLT and ONU perform multicast with IGMP / IGMP Proxy.
Because IGMP was not designed to be used as a channel zapping protocol, channel-zapping default timer values are proposed in place of the IGMP default timer values. The underlying assumption is a target of 500 msec for the time from delivery of the Join message until arrival of the first multicast packet of the requested channel.
LastMemberQuery interval: RFC 2236 default value (1 sec), Recommended value (100 msec)
LastMemberQuery count: RFC 2236 default value (2), Recommended value (1)
UnsolicitedReport interval: RFC 2236 (10 sec), Recommended (100 msec)
Conditional Access: defines channel authentication for Premium channels at the Access Node (OLT, ONU). (The multicast entitlement information, i.e. the IGMP ACL, is kept in the AN.)
Installing Access Control Lists: statically provisioned via SNMP when the subscriber signs up for the Premium broadcast service. The ITU-T standard SNMP MIB for channel change is shown in Figure 4.3; for all related MIBs refer to [H.610].

20
CustomerEntry ::= SEQUENCE {
    onuId                        InterfaceIndexOrZero,
    customerPortId               InterfaceIndex,
    maxMulticastTraffic          Integer32,
    maxMulticastStreams          Integer32,
    untimedEntitlements1         OCTET STRING,
    untimedEntitlements2         OCTET STRING,
    grantEntitlementIpAddress,
    revokeEntitlementIpAddress,
    customerAdminStatus          INTEGER,
    customerRowStatus            RowStatus
}

untimedEntitlements1 OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0..256))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used as a bitmap to store untimed entitlements to premium channels. Note that the first bit of the first octet is reserved. Bits 1 to 2047 correspond to entitlements for channels with entitlementIndex between 1 and 2047, respectively. In order to entitle channel with entitlementIndex x, the value of bit x in this bitmap shall be 1. In order to revoke entitlement to channel with entitlementIndex y, the value of bit y in this bitmap shall be 0."
    ::= { customerEntry 5 }
ITU-T H.610: SNMP MIB for the channel change function
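The entitlement bitmap above, with grant, revoke and lookup, driving the access-node IGMP Join Filter from the earlier channel-authentication slides (basic channels 1~50 open, premium 51~53 gated): an added Python example written for this page, not code from H.610 or Netmanias. The bit order within an octet, the entitlementIndex assigned to each premium channel and the multicast group addresses are constructed assumptions.

```python
# Entitlement bitmap semantics from the untimedEntitlements1 DESCRIPTION above:
# bit 0 of octet 0 is reserved, bits 1..2047 map to entitlementIndex 1..2047.
# Assumption (not stated on the slide): bit x is the x-th bit in transmission order,
# counting from the most significant bit of octet 0.
MAX_ENTITLEMENT_INDEX = 2047
BITMAP_OCTETS = 256

class EntitlementBitmap:
    def __init__(self, octets=None):
        self.octets = bytearray(BITMAP_OCTETS) if octets is None else bytearray(octets)
        if len(self.octets) > BITMAP_OCTETS:
            raise ValueError("untimedEntitlements1 is at most 256 octets")

    @staticmethod
    def _pos(index):
        if not 1 <= index <= MAX_ENTITLEMENT_INDEX:
            raise ValueError("entitlementIndex out of range")
        return index // 8, 7 - (index % 8)

    def grant(self, index):
        octet, bit = self._pos(index)
        self.octets[octet] |= 1 << bit

    def revoke(self, index):
        octet, bit = self._pos(index)
        self.octets[octet] &= 0xFF ^ (1 << bit)

    def is_entitled(self, index):
        octet, bit = self._pos(index)
        return bool((self.octets[octet] >> bit) & 1)

    def to_bytes(self):
        return bytes(self.octets)

# Constructed channel plan from the IGMP security slides: basic channels 1-50 for everyone,
# premium channels 51-53 gated by an entitlementIndex. Multicast group addresses are made up.
BASIC_CHANNELS = range(1, 51)
PREMIUM_ENTITLEMENT_INDEX = {51: 1, 52: 2, 53: 3}
GROUP_TO_CHANNEL = {"239.1.1.%d" % ch: ch for ch in range(1, 54)}

class IgmpJoinFilter:
    """Access-node conditional access: look up the port's entitlements before replicating a channel."""
    def __init__(self):
        self.customers = {}   # customerPortId -> EntitlementBitmap (one CustomerEntry row each)

    def provision(self, port, bitmap):
        self.customers[port] = bitmap   # static provisioning via SNMP at subscription time

    def allow_join(self, port, group):
        ch = GROUP_TO_CHANNEL.get(group)
        if ch is None:
            return False                # unknown group: not a provisioned channel, never replicated
        if ch in BASIC_CHANNELS:
            return True
        bitmap = self.customers.get(port)
        return bitmap is not None and bitmap.is_entitled(PREMIUM_ENTITLEMENT_INDEX[ch])
```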

21
IGMP DSL Forum TR-059: Multicast
[Figure: RG - DSLAM - ATM Switch - BRAS (Policy Enforcement Point) - IP Network with Service 1 ... Service n; Policy Server, AAA server and DHCP server attached to the BRAS (PPP, DHCP, IP, etc.). Protocol stack: RG: IP / PPPoE / Ethernet over ADSL, ATM (PVC); DSLAM: ADSL, ATM, AAL5, PHY, No PPP Processing; BRAS: IP / PPPoE / Ethernet / AAL5 / ATM / PHY. IGMP runs from the RG to the BRAS, PIM from the BRAS into the IP network.]
BRAS:
- Subscriber management
- Policy Enforcement Point
- Subscriber service policy including multicast policy (Join filter)
- RADIUS (Authentication, Authorization, Accounting)
- Multicast: IGMP, PIM
- IP Address management
- PPP Termination Point
- IGMP Termination Point

22
Service provisioning: PEP, PDP
[Figure: TR-59 (Downstream): the BRAS is the Policy Enforcement Point and applies Hierarchical Scheduling + DiffServ toward the DSLAM and RG. TR-59 (Upstream): RG (e.g. 300Kbps) - DSLAM - BRAS; Upstream QoS = IP CoS = Classification, marking and priority queueing; DiffServ.]
The upstream is not regarded as a congestion point.

23
DSL Forum TR-059

24
DSL Forum TR-059: Architecture
[Figure: RG - DSLAM - ATM Switch - BRAS (Policy Enforcement Point) - IP Network with Service 1 ... Service n; Policy Server, AAA server and DHCP server attached to the BRAS (PPP, DHCP, IP, etc.). Protocol stack: RG: IP / PPPoE / Ethernet over ADSL, ATM (PVC); DSLAM: ADSL, ATM, AAL5, PHY; BRAS: IP / PPPoE / Ethernet / AAL5 / ATM / PHY.]
ATM access (DSLAM, ATM Switch):
- No ATM QoS used
- No IP-aware
- No Subscriber Service policy
- No queueing
- No PPP processing
- 1 PVC per subscriber
BRAS:
- Subscriber management
- Policy Enforcement Point
- Subscriber service policy including multicast policy
- RADIUS (Authentication, Authorization, Accounting)
- Multicast: IGMP, PIM
- IP Address management
- PPP Termination
- IGMP Termination

25
DSL Forum TR-059: Downstream QoS
[Figure: same TR-059 architecture (RG - DSLAM - ATM Switch - BRAS - IP Network, Policy Server, AAA server, DHCP server). Downstream QoS at the BRAS (Policy Enforcement Point): Packet classifier, IP DiffServ, Classification, marking and Hierarchical scheduling; ATM VP shaper per PVP (155M) and ATM VC shaper per PVC (8M, the Subscriber service rate). Link rates: BRAS - ATM Switch 622M, ATM Switch - DSLAM 155M, DSLAM - RG 8M (ADSL).]

26
DSL Forum TR-059: Upstream QoS
[Figure: same TR-059 architecture (RG - DSLAM - ATM Switch - BRAS - IP Network, Policy Server, AAA server, DHCP server). Upstream QoS = IP CoS = Classification, marking and priority queueing.]
The upstream is not regarded as a congestion point.

27
DSL Forum TR-059: Policy Provisioning
[Figure: same TR-059 architecture with the downstream QoS elements (Packet classifier, IP DiffServ, Classification, marking and Hierarchical scheduling, ATM VP shaper PVP 155M, ATM VC shaper PVC 8M at the Subscriber service rate; 622M / 155M / 8M links). An Application Server (VoD web, SIP, Web portal, ...) requests admission from the BB (Admission control); the Policy Server performs Dynamic subscriber policy provisioning on the BRAS.]

28
PD-022
BRAS:
- Traceability Relay
- QoS encoding
- Hierarchical scheduler: if the Access Network supports 802.1p, supporting DiffServ alone is sufficient.
- BW limitation
Ethernet Access Node (UAF):
- IGMP snooping
- Traceability encoding: DHCP Relay Option 82 (Agent Circuit ID = DSL Line ID, DSLAM ID)
- Filtering & Modification
- QoS encoding (Upstream): MF-Classification, BA-classification (RG marking)
- BW limitation: upstream BW shaping per subscriber
[Figure: Control Plane: NCF (Network Control Function) containing SAC (Service Access Control) and ANM (Access Network Management), with the AAA server and Application server (ASP). The SAC performs subscriber authentication and per-subscriber, per-service authorization control, and receives the Service requirements (BW, QoS requirements) from the application server; the ANM performs subscriber policy provisioning toward the P EPs. Data Plane: DSL Line - PEP (UAF) - 802.1p forwarding - PEP (SAF) - Service Node (Internet, VoD).]
Policies provisioned to the PEPs:
- Upstream QoS policy (QoS ACL)
- Upstream BW shaping rate
- Multicast policy
- VoD QoS policy (mark High) *
- VoD rate-limiting
Characteristics:
- The Ethernet access network is divided into a Data plane and a Control plane.
- The Data plane is divided into PEPs (UAF, SAF) and 802.1p priority forwarding nodes.
  - UAF: defines the functions of the subscriber access node (see the list above)
  - SAF: defines the functions of the Service (Internet, ASP) access node
- The Control plane is divided into SAC and ANM.
  - SAC: subscriber authentication, service authentication (which services has this subscriber signed up for?)
  - ANM: the function that provisions per-subscriber Service policy to the PEPs in the Data plane
- Several Services can reside within the access network.
- The Access Node is set as the PEP (Upstream).
- The NCF is the control server in the KT architecture.
* If the VoD ASP can be trusted, the policy provisioning concept is not needed (statically defined QoS treatment: simply High).

29
Case Study
New authentication, DHCP authentication, RG authentication

30
KT Ethernet Access Networks
[Figure: Transport network (SDH/DWDM) connecting the Best-Effort IP Networks and the Premium IP Networks (MPLS) through edge routers (ER) at the POP. Access variants from the CO to subscribers: Ethernet (Ntopia) with an L3 SW at the CO and L2 SWs in apartments (GE / FE, 100Mbps); IP VDSL in apartments (50Mbps); FTTC + VDSL through a curb cabinet to detached houses (20/10Mbps, 50Mbps); FTTC + Ethernet (AON) to detached houses (100Mbps); WDM-PON with the OLT at the CO and ONUs on utility poles / in manholes (100Mbps); FTTP to detached houses (100Mbps). Equipment labels in the figure: alpine3808, rs38000, F7024XG.]

31
Network Architecture (October 2004, Chungnam case)
[Figure: three access trees, each hanging off a SER pair (SER1/SER3, SER4/SER6, SER7/SER9) that connects to two GSRs at 2.5G/10G into KT's Nationwide IP core (KORNET). Per tree: N-SW at the POP - L3 SW at the CO - DSLAM or L2 SW at the MDF/Curb, with 100Mbps links toward subscribers and 1Gbps links upward; fan-out ratios shown: 1:20, 1:12, 1:48 (DSLAM), 1:24 (L2 SW), 1:4. Each SER pair has its own PS, S-DB, DHCP and Web servers. VoD streaming servers, Live Encoders and a Satellite feed are attached at the SER level.]
8K subscribers / 1 GE port of SER
30K subscribers / SER
270K subscribers / 9 SERs (province)
SER (Service Edge Router): KT Ethernet BRAS (Redback SE800, Juniper ERX1440)
PS: Policy Server (in KT terminology, Control Server)
S-DB: Local Subscriber DB
Web: Web Authentication Server
N-SW: Ntopia Switch (Extreme Alpine 3808)
GSR: Cisco 12000/14000
DHCP server (Lucent)

32
Authentication Process at KT Ethernet Access Network (1)
[Figure: PC (m1) - VDSL modem - DSLAM (VDSL) - L3 SW - N-SW (DHCP Relay) - BRAS (SER), with the DHCP Server, Policy Server (PS), S_DB, BB, AAA and Web Authentication server attached.]
1. DHCP Discover (PC)
2. IP Discover (DHCP Relay) toward the BRAS
3. MAC authentication request (m1, s_id1) from the BRAS to the Policy Server
4. LDAP (m1) lookup in S_DB
5. There is no entry for MAC m1
6. MAC authentication response. Policy: for s_id1, Redirect Policy
7. IP Discover to the DHCP Server
8. IP Ack (210.1.2.5)
9. SER: Binding (210.1.2.5, s_id1, m1). ACL: srcIP = 210.1.2.5: Redirect to Web Authentication Server
10. Report (s_id1: 210.1.2.5)
11. Report (m1: 210.1.2.5)
12. IP Ack (210.1.2.5) to the PC
Subscriber table after step 12 (the step at which each field was learned in parentheses):
Subscriber_ID | SSR | Circuit_ID | MAC    | IP             | ID | PW | Service | Status
              |     | s_id1 (4)  | m1 (4) | 210.1.2.5 (11) |    |    |         |

33
Authentication Process at KT Ethernet Access Network (2)
[Figure: same elements as (1); the PC (m1) now holds 210.1.2.5.]
13. Web access (redirected to web authentication server)
14. Web authentication window
15. Type (ID/PW = pc003/2468): the subscriber enters the ID/PW directly (since it is a PC)
16. Web authentication request (IP, ID/PW) from the Web Authentication server to the Policy Server
17. AAA request (pc003/2468)
18. AAA ack (Service Profile = 5)
19. Report (210.1.2.5: pc003/2468, service profile 5, ...)
20. Policy provisioning [BRAS] for s_id1. Upstream: Open gate (Tunneling to Clean-I Server). Downstream: BoD (SSR = 30Mbps)
21. Binding (210.1.2.5, s_id1, m1), Policy Setting. SrcIP = 210.1.2.5: Open gate (Tunneling to Clean-I Server). DstIP = 210.1.2.5: Shaping at 30Mbps
Subscriber table after step 21 (the step at which each field was learned in parentheses):
Subscriber_ID    | SSR      | Circuit_ID | MAC    | IP             | ID         | PW        | Service | Status
netmanias02 (19) | 30M (19) | s_id1 (4)  | m1 (4) | 210.1.2.5 (11) | pc003 (19) | 2468 (19) | 5 (19)  |

34
Authentication Process at KT Ethernet Access Network (3): DHCP Lease Time Out
[Figure: same elements as (1).]
22. DHCP Lease Time: Time Out
23. Report
24. Policy Lease
21. Binding (210.1.2.5, s_id1, m1), Policy Setting. SrcIP = 210.1.2.5: Redirect to Web Authentication Server. DstIP = 210.1.2.5: Shaping at 30Mbps
Subscriber table (the step at which each field was learned in parentheses):
Subscriber_ID    | SSR      | Circuit_ID | MAC    | IP             | ID         | PW        | Service | Status
netmanias01 (21) | 30M (21) | S_id1 (21) | m1 (4) | 210.1.2.5 (21) | pc003 (19) | 2468 (19) | 5 (21)  |

35
Authentication Process at KT Ethernet Access Network (4): Implicit Authentication
[Figure: same elements as (1).]
25. DHCP Discover
26. DHCP Discover (DHCP Relay)
27. MAC Authentication request (m1, s_id1)
28. LDAP (m1, s-id1)
29. ID/PW = pc003/2468 returned from S_DB
30. AAA request (pc003/2468)
31. AAA ack (Service = 5)
32. Report (service profile)
33. Policy provisioning [BRAS] for s_id1. Upstream: Open gate (Tunneling to Clean-I Server). Downstream: BoD (SSR = 30Mbps)
34. DHCP Discover
35. DHCP Ack (210.1.2.5)
36. SER: Binding (210.1.2.5, s_id1, m1), Policy Setting. SrcIP = 210.1.2.5: Open gate (Tunneling to Clean-I Server). DstIP = 210.1.2.5: Shaping at 30Mbps
37. DHCP Ack (210.1.2.5)
The PS uses the MAC information to look up the ID/PW in S_DB and then performs the authentication on the subscriber's behalf.
Policy Server table (the step at which each field was learned in parentheses):
Subscriber_ID    | SSR      | Circuit_ID | MAC    | IP | ID         | PW        | Service | Status
netmanias02 (32) | 30M (32) | s_id1 (28) | m1 (4) |    | pc003 (19) | 2468 (19) | 5 (32)  |
S_DB record: MAC m1, ID pc003, PW 2468

36
Authentication Process at KT Ethernet Access Network (4): Implicit Authentication (cont)
[Figure: same elements as (1), with the PS and the Web authentication server.]
36. Binding (210.1.2.5, s_id1, m1), Policy Setting. SrcIP = 210.1.2.5: Redirect to Web Authentication Server. DstIP = 210.1.2.5: Shaping at 30Mbps
38. Report (s_id1: 210.1.2.5)
39. Report (s_id1: 210.1.2.5)
Policy Server table (the step at which each field was learned in parentheses):
Subscriber_ID    | SSR      | Circuit_ID | MAC    | IP             | ID         | PW        | Service | Status
netmanias02 (32) | 30M (32) | s_id1 (28) | m1 (4) | 210.1.2.5 (39) | pc003 (19) | 2468 (19) | 5 (32)  |
S_DB record: MAC m1, ID pc003, PW 2468
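The policy-server side of the KT flow in slides (1)-(4) above (MAC authentication with a redirect policy when the MAC is unknown, web authentication that opens the gate and records the MAC, the policy lease on DHCP lease timeout, and implicit authentication on the next DHCP request), as an added Python model written for this page; it is not KT's or Netmanias' software. The S_DB and AAA records mirror the slides' example values, and the method names and the "redirect"/"open" policy labels are constructed.

```python
from dataclasses import dataclass

# Constructed S_DB and AAA records mirroring the slides' example subscriber (s_id1 / m1 /
# pc003 / 2468 / service profile 5 / SSR 30M). Not KT data.
S_DB = {"s_id1": {"subscriber": "netmanias02", "ssr_mbps": 30}}   # no MAC, ID or PW yet
AAA = {("pc003", "2468"): 5}                                      # (ID, PW) -> service profile

@dataclass
class SerBinding:
    """What the SER (BRAS) holds per subscriber IP after DHCP: binding plus upstream/downstream policy."""
    ip: str
    s_id: str
    mac: str
    upstream: str            # "redirect" (ACL to the web auth server) or "open" (open gate)
    downstream_mbps: int     # shaping at the SSR

class PolicyServer:
    def __init__(self, s_db, aaa):
        self.s_db, self.aaa = s_db, aaa
        self.bindings = {}   # ip -> SerBinding, as provisioned on the SER

    def mac_auth(self, mac, s_id):
        """Steps 3-6 and 27-33: MAC authentication request from the SER; returns the upstream policy."""
        rec = self.s_db.get(s_id)
        if rec is None or rec.get("mac") != mac:
            return "redirect"                       # no entry for this MAC: web authentication needed
        profile = self.aaa.get((rec.get("id"), rec.get("pw")))
        if profile is None:
            return "redirect"
        rec["profile"] = profile
        return "open"                               # implicit authentication on the subscriber's behalf

    def on_ip_bound(self, ip, s_id, mac, upstream):
        """Steps 9-11 / 36-39: SER binding after the DHCP ack; the IP is reported into S_DB."""
        rec = self.s_db.setdefault(s_id, {})
        rec["ip"] = ip
        self.bindings[ip] = SerBinding(ip, s_id, mac, upstream, rec.get("ssr_mbps", 0))

    def web_auth(self, ip, user, pw):
        """Steps 16-21: the web server forwards (IP, ID/PW); on AAA success the SER policy opens."""
        b = self.bindings.get(ip)
        if b is None or b.upstream != "redirect":
            return False                            # only a redirected binding may be web-authenticated
        profile = self.aaa.get((user, pw))
        if profile is None:
            return False
        self.s_db[b.s_id].update(mac=b.mac, id=user, pw=pw, profile=profile)
        b.upstream = "open"
        return True

    def on_lease_timeout(self, ip):
        """Steps 22-24: DHCP lease time out triggers the policy lease; the SER falls back to redirect."""
        b = self.bindings.get(ip)
        if b is not None:
            b.upstream = "redirect"

    def ser_policy(self, ip):
        b = self.bindings.get(ip)
        return None if b is None else (b.upstream, b.downstream_mbps)
```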

37
ADSL subscriber management?
- Subscriber Connection: PPP/PPPoA
- Session Connection
- IP allocation
- Subscriber Authentication and Accounting
  - PAP/CHAP
  - RADIUS
[Figure: ADSL: PPPoA. Residential modem (house) - DSLAM at the CO (adsl, <8Mbps) - ATM over SONET/SDH (45M/155M) through the Access and Metro Core (MTU-Metro, hq) to the POP - Edge Router (BRAS) - Public Internet, with the AAA server at the BRAS. PPPoA Connections with VCI/VPI = 1/1 and VCI/VPI = 1/10.]

38
Integrated Home Networking access authentication model
[Figure: terminals (ID/PWD, USIM) - R/G (with RADIUS Client) - SER - RADIUS Proxy (in ESCP) - IAMS (RADIUS Server); R/G location management system, DHCP server, R/G Policy Manager, Regional QoS Manager, IP Comm. application platform, Node Controller, ESCP.]
0. RADIUS Proxy registration
1. RADIUS Client ON
2. IP allocation request and IP allocation (DHCP server)
3. Real-time report of the allocated IP (the RADIUS client's IP) to the R/G location management system
4. RADIUS Client registration
5. Access (authentication request) from the terminal
6. Auth. Req (RADIUS)
7. Auth. Req/Ack (RADIUS Proxy and IAMS)
8. Auth. Ack (RADIUS)
9. Session setup request
10. Policy Control
11. Session marking, traffic conditioning

39
SBC: Authentication, IP address allocation, Policy Configuration
[Figure: Home 1001 and Home 1400, each an RG (L3) with STB, PC, videophone and POTS, on ADSL2+ to a DSLAM (FTTN, 7330) carrying Voice, Video and Internet VLANs; an L2++ SW (BSA, 7450 ESS) at the CO performing DHCP snoop/relay (Option 82: VLAN ID) and DHCP proxy; BSR (L3, 7750 SR) and a BRAS turned into an Edge Router (SmartEdge 800); AAA server, DHCP server, RADIUS server and NMS (5750, RB SMS1800); services Internet, IP-TV / VoD and VoIP (SSW), plus the National Video Content Distribution Network (IP Multicast).]
DHCP exchange of the VoIP terminal: DHCP discover (Option 60/61 = VoIP: terminal type, RG authentication) → DHCP offer → DHCP request → DHCP ack (10.20.192.10 for VoIP?). The BSA records BSA1/VLAN 1001: 10.20.192.10; DHCP Option 82 (VLAN ID) gives traceability and troubleshooting.
BSR: Install a Static ARP cache entry (user MAC / user IP) (SecureARP); install an anti-spoof rule per user (IP Lease Table).
BSA: Per-subscriber, per-service accounting, queueing and policing/shaping/filtering; per-subscriber HSI shaping (PIR/CIR); Static Policy Configuration (at service activation) from the NMS.
- DHCP terminal authentication: Option 60/61
- IP allocation per service: Option 60/61
- SecureARP / IP Lease Table
- Option 82
- The RG has three MACs, and each is allocated an IP address by DHCP. [p6. ATR]
  - MAC A (Voice): 10.20.192.10 (Private)
  - MAC B (Video): 192.168.0.20 (Private)
  - MAC C (Internet): 138.120.0.30 (Public)
- How does the DHCP server distinguish the services? 1) Option 60/61: the RG tells it (RG sends credential). 2) MAC registration: the RG's per-service MACs A and B are registered in advance.
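The IP Lease Table built from snooped DHCP acks (Option 82 supplying the subscriber VLAN) and the per-user anti-spoof / SecureARP checks it feeds, as an added Python example written for this page; it is not SBC's, Alcatel's or Netmanias' code. The three per-service addresses are the slide's example values; the MACs, VLAN of the second home and lease times are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Lease:
    vlan: int      # subscriber VLAN learned from DHCP Option 82 (VLAN ID)
    mac: str
    ip: str
    expires: int   # lease end, in seconds

class IpLeaseTable:
    """IP lease table built from snooped DHCP acks; feeds the anti-spoof rule and static ARP entries."""
    def __init__(self):
        self._by_ip = {}

    def on_dhcp_ack(self, vlan, mac, ip, now, lease_time):
        # A new ack for the same IP replaces any earlier binding (renewal or re-assignment).
        self._by_ip[ip] = Lease(vlan, mac, ip, now + lease_time)

    def lookup(self, ip, now):
        lease = self._by_ip.get(ip)
        return lease if lease is not None and lease.expires > now else None

    def upstream_allowed(self, vlan, src_mac, src_ip, now):
        """Anti-spoof rule per user: the source IP must be leased to exactly this VLAN/MAC."""
        lease = self.lookup(src_ip, now)
        return lease is not None and (lease.vlan, lease.mac) == (vlan, src_mac)

    def arp_allowed(self, vlan, sender_mac, sender_ip, now):
        """SecureARP: only the lease holder may claim an IP in ARP; the BSR keeps static entries instead."""
        return self.upstream_allowed(vlan, sender_mac, sender_ip, now)

    def static_arp_entries(self, now):
        """(user IP, user MAC) pairs to install in the BSR ARP cache for the active leases."""
        return sorted((l.ip, l.mac) for l in self._by_ip.values() if l.expires > now)

# Constructed scenario from the slide: the RG in Home 1001 has three MACs, one IP per service.
MAC_A, MAC_B, MAC_C = "00:00:5e:00:00:0a", "00:00:5e:00:00:0b", "00:00:5e:00:00:0c"
MAC_X = "00:00:5e:00:00:ff"   # a host in another home (VLAN 1400)

def build_table():
    t = IpLeaseTable()
    t.on_dhcp_ack(1001, MAC_A, "10.20.192.10", now=0, lease_time=3600)   # Voice
    t.on_dhcp_ack(1001, MAC_B, "192.168.0.20", now=0, lease_time=3600)   # Video
    t.on_dhcp_ack(1001, MAC_C, "138.120.0.30", now=0, lease_time=3600)   # Internet
    return t
```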

40
Tele2-Versatel: RG(IAD) Authentication

41
End of Document