Telecommunications Essentials
The Complete Global Source for Communications Fundamentals, Data Networking and the Internet, and Next-Generation Networks

Lillian Goleniewski

Addison-Wesley
Boston * San Francisco * New York * Toronto * Montreal
London * Munich * Paris * Madrid
Capetown * Sydney * Tokyo * Singapore * Mexico City

AT&T, Exh. 1009, p. 1

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and Addison-Wesley, Inc. was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.

Lido Telecommunications Essentials® is the registered trademark of The Lido Organization, Inc.

The author and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

The publisher offers discounts on this book when ordered in quantity for special sales. For more information, please contact:

Pearson Education Corporate Sales Division
201 W. 103rd Street
Indianapolis, IN 46290
(800) 428-5331
corpsales@pearsoned.com

Visit AW on the Web: www.aw.com/cseng/

Library of Congress Cataloging-in-Publication Data

Goleniewski, Lillian.
Telecommunications essentials : the complete global source for communications fundamentals, data networking and the Internet, and next-generation networks / Lillian Goleniewski.
p. cm.
Includes bibliographical references and index.
ISBN 0-201-76032-0
1. Telecommunication. I. Title.

TK5101 G598 2002
621.382—dc21

Copyright © 2002 by Pearson Education, Inc.

2001053752

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior consent of the publisher. Printed in the United States of America. Published simultaneously in Canada.

For information on obtaining permission for use of material from this work, please submit a written request to:

Pearson Education, Inc.
Rights and Contracts Department
75 Arlington Street, Suite 300
Boston, MA 02116
Fax: (617) 848-7047

ISBN 0-201-76032-0
Text printed on recycled paper

1 2 3 4 5 6 7 8 9 10—CRS—0504030201
First printing, December 2001

LAN Characteristics

Table 8.2 LAN Technologies and Cabling Requirements

Technology                  Type of Cable
Ethernet (10Mbps)
  10Base5                   Thick coax
  10Base2                   Thin coax
  10BaseFL                  2 strands of multimode optical fiber
Fast Ethernet (100Mbps)
  100BaseTX                 2-pair Cat 5 UTP
  100BaseT4                 4-pair Cat 3 UTP
  100BaseT2                 2-pair Cat 3 UTP
  100BaseFX                 2 strands of multimode optical fiber
Gigabit Ethernet (1 Gbps)
  1000BaseSX                Short-wavelength multimode optical fiber
  1000BaseLX                Long-wavelength singlemode optical fiber
  1000BaseCX                Coax cable
  1000BaseT                 4-pair Cat 5 or Cat 5e UTP
  1000BaseTX                2-pair Cat 6 (currently a TIA draft)

The prevailing standard in the world is Ethernet. It generally appears as Fast Ethernet or Gigabit Ethernet in the backbone, connecting together individual Fast Ethernet or 10Mbps Ethernet LAN segments (see Figure 8.3).

LAN Access Methods

The third main LAN characteristic is the access method, which determines who gets to use the network and when they get to use it. There are two main approaches: token passing and carrier-sense multiple-access/collision detect (CSMA/CD).
Chapter 11

Next-Generation Network Services

This chapter investigates traditional Internet services, as well as new generations of applications and the network platforms that support those applications. It discusses virtual private networks (VPNs), security, various uses of Voice over IP (VoIP) networks, and developments in the streaming media arena and emerging applications.

• Traditional Internet Applications

Traditional Internet applications are called elastic applications because they can work without guarantees of timely delivery. Because they can stretch in the face of greater delay, they can still perform adequately, even when the network faces increased congestion and degradation in performance. The following are the most widely used elastic applications:

• E-mail - The most widely used of the Internet applications, generating several gigabytes of traffic per month, is e-mail. Because there is a standardized convention for the e-mail address, username@domainname, various companies can interoperate to support electronic messaging.
• Telnet - Telnet is one of the original ARPANET applications. It enables remote login to another computer that's running a Telnet server and allows you to run applications present on that computer, with their outputs appearing in the window on your computer.
• File Transfer Protocol (FTP) - FTP allows file transfers to and from remote hosts. That is, you can use FTP to download documents from a remote host onto your local device.
• The World Wide Web - Key aspects that identify the Web are the use of the uniform resource locator (URL) and the use of Hypertext Transfer Protocol (HTTP), the client/server hypermedia system that enables the multimedia point-and-click interface. HTTP provides hyperlinks to other documents, which are encoded in Hypertext Markup Language (HTML), providing a standardized way of displaying and viewing information contained on servers worldwide. Web browsers are another important part of the Web environment: they interpret the HTML and display it, along with any images, on the user's local computer. The ease of using the Web popularized the use of URLs, which are available for just about any Internet service. (The URL is the syntax and semantics of formalized information for location and access of resources via the Internet. URLs are used to locate resources by providing an abstract identification of the resource location.)

So, how are people actually using the Internet? Greenfield Online conducts polls online. In November 2000, Greenfield Online (www.greenfieldonline.com) reported that the Internet was being used as follows:

• 98% of Internet users went online to check their e-mail.
• 80% of Internet users were checking for local information, such as movie schedules, weather updates, or traffic reports.
• 66% of Internet users were looking for a site that provided images and sounds.
• 66% of Internet users wanted to shop at sites that provided images of the products they were interested in.
• 53% of Internet users downloaded some form of a large file.
• 37% of Internet users listened to Internet radio.

This shows that increasingly there is interest in imagery, multimedia, and entertainment-type aspects of the Internet. These are advanced real-time applications that are highly sensitive to timely data delivery. Therefore, any application that includes VoIP, audio streaming, video streaming, or interactive multimedia needs to be addressed by the administration of Quality of Service (QoS). The lack of control over QoS in the public Internet is preventing the deployment of these new applications at a more rapid pace.
Today's flat-rate pricing for Internet access is compatible with the Internet's lack of service differentiation, and it is partially responsible for that structure as well. The main appeal of a flat-rate pricing scheme is its simplicity. It means predictable fees for the users, and it means providers can avoid the administrative time and cost associated with tracking, allocating, and billing for usage. It also gives companies known expectations for payments, facilities planning, and budgeting. However, as QoS emerges within the Internet, the ability to differentiate services will result in differentiated pricing, thereby allowing revenue-generating service levels and packages, and that's extremely important. As we've discussed several times so far in this book, developments in optical networking and in wireless networking are providing more and more bandwidth. Hence, the cost, the cents per minute that you can charge for carrying traffic, is being reduced. If network operators are going to continue to make money in the future, they will need to do so through the administration of value-added services, differentiated performance, and tiered pricing. Therefore, the QoS aspect is very important to the materialization of new revenue-generating services.

Key applications from which service providers are expected to derive revenues include e-commerce, videoconferencing, distance learning and education networks, Webcasting, multiplayer gaming, unified messaging, call centers, interactive voice response, and IP-based centrex systems. Evolving next-generation networks, such as VPNs, VoIP and Packet over IP, streaming audio and video, multimedia collaboration, network caching, application hosting, location-based online services, software downloads, and security services, are introducing a variety of Class of Service (CoS) and QoS differentiators.

• VPNs

A big driver of interest in VPNs is that customers increasingly need to communicate with people outside their enterprise, not just those inside the enterprise. As mentioned in Chapter 6, "Data Communications Basics," in the 1980s, about 80% of the information that was used within a given address of a business came from within that address. Only 20% was exchanged outside the walls of that location. Today, the relationship has reversed. As much as 80% of information exchanged is with points outside a given business address.

Another reason for interest in VPNs is that customers want to quickly and securely change their access points and needs as changes occur in their businesses. Many strategic alliances and partnerships require companies to exchange messages quickly. Some of these are temporary assignments - for example, a contractor building out a fiber-optic loop or an applications developer building a new billing system - that might last a few months, during which time the individuals involved need to be incorporated into the network. Leased lines are infamous for requiring long waits for provisioning - often 6 months to 18 months! VPNs allow rapid provisioning of capacity where and when needed.

Figure 11.1 An enterprise network based on leased lines (figure labels: Telecommuters, Mobile users, Dialup, San Francisco headquarters, London branch office)

What we see emerging is a requirement for networks that can be very quickly provisioned and changed in relationship to organizational structures. This results in a steady migration of traffic away from the traditional networks, based on leased lines (see Figure 11.1), to public networks. As a result, we're seeing a steady growth in the pseudoprivate realm of the VPN (see Figure 11.2). A VPN is a logical network that isolates customer traffic on shared service provider facilities. In other words, the enterprise's traffic is aggregated with the traffic of other companies. VPNs have been around for quite some time - since X.25 closed user groups on the packet-switched network, and with the AT&T Software-Defined Network (SDN) on the circuit-switched networks. A VPN looks like a private network, but it runs across either the public circuit-switched network or public packet-switched data networks. Thus, VPNs are not just a solution within the IP realm - a VPN is a concept, not a specific set of technologies, and it can be deployed over a wide range of network technologies, including circuit-switched networks, X.25, IP, Frame Relay, and ATM.
A VPN uses a shared carrier infrastructure. It can provide additional bandwidth on demand, which is an incredible feat, as compared to the weeks that it normally takes to add bandwidth to dedicated networks. Carriers build VPNs with advanced survivability and restoration capabilities, as well as network management tools and support, so that QoS can be considered and service-level agreements (SLAs) can be administered and met.

Figure 11.2 An enterprise network using a VPN (figure labels: Singapore branch office, San Francisco headquarters, London branch office)

Two basic VPN deployment models exist: customer based and network based. In customer-based VPNs, carriers install gateways, routers, and other VPN equipment on the customer premises. This is preferred when customers want to have control over all aspects of security. In network-based VPNs, the carrier houses all the necessary equipment at a point of presence (POP) near the customer's location. Customers that want to take advantage of the carrier's VPN economies of scale prefer this type of VPN.

VPN Frameworks
Contemporary VPNs can be described as belonging to one of two categories: the Internet-based VPN and the provisioned VPN.

Internet-Based VPNs
In an Internet-based VPN (see Figure 11.3), smaller ISPs provide local access services in defined geographical regions, requiring an enterprise to receive end-to-end services from multiple suppliers. An Internet-based VPN uses encryption to create a form of closed user group, thereby isolating the enterprise traffic and providing acceptable security for the enterprise across the public shared packet network. However, because it involves multiple ISPs in the delivery of the VPN, the performance is unpredictable. The biggest problem of having multiple suppliers is the inability to define and meet consistent end-to-end bandwidth or performance objectives.

Figure 11.3 An Internet-based VPN (figure labels: Internet, Tier 1 ISP, Peering Points, Internet Exchange, Network Access Points (NAPs))

Figure 11.4 shows what is involved in providing an Internet-based VPN. The customer would have on the premises a wide variety of servers that dish up the corporate content, the finance systems, the customer service systems, and so on. A VPN is responsible for the encapsulation of the information and hence the security aspects. Remote Authentication Dial-in User Service (RADIUS), an authentication and access control server, is used for purposes of authenticating whether a user is allowed access into the corporate resources. The RADIUS server connects to a firewall, which is used to determine whether traffic is allowed into or out of the network. The router selects the optimum path for the messages to take, and the circuit physically terminates on a channel service unit/data service unit (CSU/DSU). A private line interfaces with the Internet provider's POP. From that point, the VPN either uses the public Internet that's comprised of multiple ISPs, or it relies on IP backbones provided by a smaller group of providers. Users who are working on mobile devices would have laptops equipped with the client and VPN services necessary for encapsulation and the administration of security.

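The exchange between the VPN server and the RADIUS server described above, as an added example that is not from the book: the VPN server (acting as the network access server, or NAS) sends an Access-Request with the user's password hidden as RFC 2865 specifies, the authentication server answers Accept or Reject, and the NAS accepts the reply only if its Response Authenticator was computed with the shared secret. The shared secret, credentials and addresses are constructed sample values.

```python
"""
RADIUS Access-Request / Access-Accept exchange between a VPN server (the NAS)
and the authentication and access control server of Figure 11.4.

Added example, not code from the book. It follows the RFC 2865 packet layout
(code, identifier, length, 16-byte authenticator, attribute TLVs): the NAS
hides the User-Password by XOR-ing it with an MD5 keystream derived from the
shared secret and the Request Authenticator, and it accepts a reply only if the
Response Authenticator recomputes correctly. Secret, credentials and addresses
are constructed sample values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to a multiple of 16 bytes and XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out, prev = out + chunk, chunk
    return out


def unhide_password(hidden, secret, request_auth):
    """Server side: reverse hide_password; chaining uses the received ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, secret, username, password, nas_ip, request_auth=None):
    """NAS side: the Request Authenticator must be fresh and unpredictable per request."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
        (ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code, ident, secret, request_auth, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def server_respond(request, secret, user_db):
    """Authentication server: recover the password, check it, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("malformed Access-Request")
    request_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:]))
    user = attrs.get(ATTR_USER_NAME, b"")
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in user_db and hmac.compare_digest(user_db[user], password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, secret, request_auth)


def client_check_response(response, request, secret):
    """NAS side: return the reply code only if the reply is bound to this request by a
    valid Response Authenticator; a reply forged without the shared secret yields None."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = build_access_request(7, secret, b"alice", b"correct horse battery", "192.0.2.10")
    reply = server_respond(req, secret, {b"alice": b"correct horse battery"})
    print("reply code:", client_check_response(reply, req, secret))  # 2 == Access-Accept
```

Note that the password hiding and the Response Authenticator both rest entirely on MD5 and the shared secret, which is why the shared secret's strength and the NAS-to-server path matter for this design.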
Figure 11.4 The parts of an Internet-based VPN (figure labels: Remote users with laptops and PCs with client VPN encapsulation and security software or token cards; Remote site; Private line to Internet POP; VPN server (encapsulation and security); Authentication and access control server (RADIUS))

Provisioned VPNs
VPNs rely on the capability to administer preferential treatment to applications, to users, and so on. The public Internet does not support preferential treatment because it is subject to delay, jitter, and loss; it is therefore unsuitable for next-generation services that require high performance. In most cases, to accommodate business customers that are interested in such advanced services and who demand SLAs, the underlying transport is really Frame Relay or ATM. These Frame Relay and ATM VPNs offer greater levels of QoS and can fulfill the SLAs that customers and vendors agree to. They do, however, require that the customer acquire an integrated access device (IAD) to have on the premises, which can increase the deployment cost significantly. IADs enable the enterprise to aggregate voice, data, and video traffic at the customer edge.
A provisioned VPN (see Figure 11.5) is a packet-switched VPN that runs across the service provider's backbone, generally using Frame Relay or ATM. This type of VPN is built on OSI model Layer 2 virtual circuits, such as those used by Frame Relay, ATM, or Multiprotocol Label Switching (MPLS), and it is provisioned based on customer orders. Virtual circuits based on predetermined locations create closed user groups and work well to carve out a VPN in a public shared network, by limiting access and usage to the provisioned VPN community. However, encryption is still required to securely protect the information from theft or modification by intruders. The provisioned VPN is differentiated from the IP VPN by its ability to support multiple protocols and by the fact that it offers improved performance and management. These VPNs are characterized as having excellent performance and security, but the negative is that a single vendor offers both reach and breadth in terms of service offerings.

Figure 11.5 A provisioned VPN (figure labels: Service Provider Network, Virtual Circuits Between Locations, To Internet)

Figure 11.6 shows what the equipment would look like at a customer premise in support of a Frame Relay- or an ATM-based VPN. The customer would have an IAD that would allow voice and data to be converged at the customer premise. The IAD would feed into the data communications equipment, over which a circuit would go to the service provider's POP. At the service provider's POP would be a multiservice access device that enables multiple protocols and interfaces to be supported and that provides access into the service provider's core network, which would be based on the use of Frame Relay or ATM. To differentiate Frame Relay- and ATM-based VPNs from Internet-based VPNs, service providers stress that multiple protocols are supported and that they rely on the use of virtual circuits or MPLS labels to facilitate the proper path, thereby ensuring better performance and providing traffic management capabilities. To further differentiate Frame Relay- or ATM-based VPNs from regular Frame Relay or ATM services, additional functions - such as packet classification and traffic isolation, and the capability to handle multiple separate packet-forwarding tables and instances of routing protocols for each customer - reside at the edge.

VPN Applications
A VPN is an architecture, a series of products and software functions that are tied together and tightly calibrated. Managing a VPN entails dealing primarily with two issues: security policies and parameters, and making sure that applications function within the latency requirements.

Figure 11.6 A Frame Relay- or ATM-based provisioned VPN (figure labels: Remote users; Dialup to Internet POP; Service provider POP; FR or ATM virtual circuit (VC); Remote access device; Service provider network management; Remote site; LAN traffic; SNA traffic; Voice traffic; Other traffic types; Customer access to network management)

VPN applications provide maximum opportunities to save money and to make money - by substituting leased lines with Internet connectivity, by reducing costs of dialup remote access, and by stimulating new applications, using extranets. These savings can be substantial. According to TeleChoice (www.telechoice.com), in the realm of remote access, savings over customer-owned and maintained systems can range from 30% to 70%; savings over traditional Frame Relay services can range from 20% to 60%; savings over leased lines or private lines can range from 50% to 70%; and savings over international private lines can be up to 90%.

It is important to be able to effectively and easily manage the VPN environment. You need to consider the capability to track the tunnel traffic, the support for policy management, the capability to track QoS, the capability to track security infractions, and the support for public key certificate authorities (CAs).

The one-stop-shopping approach to VPNs - managed VPN services - is designed to lock in users and to reduce costly customer churn, but with this approach, interoperability is very restricted. Managed VPNs provide capabilities such as IP connection and transport services, routers, firewalls, and a VPN box at the customer site. Benefits of this approach include the fact that it involves a single service vendor, SLAs, guaranteed latency and bandwidth, and the security of traffic being confined to one network. Approximately one-third of VPN users opt for such a managed service.

There are three major applications of VPNs - intranets (that is, site-to-site VPNs), remote access, and extranets - which are examined in the following sections.

Figure 11.7 An intranet-based VPN (figure labels: Headquarters, Firewall, Internal network, External network, Branch Office with users and laser printer)

Intranet VPNs
Intranet VPNs are site-to-site connections (see Figure 11.7). The key objective of an intranet VPN is to replace or reduce the use of leased-line networks, traditional routers, and Frame Relay services. The cost savings in moving from private networks to Internet-based VPNs can be very high, in the neighborhood of 50% to 80% per year. Remember that Internet-based VPNs allow less control over the quality and performance of applications than do provisioned VPNs; this is a bit of a deterrent, and many clients still want to consider the Frame Relay- or ATM-based VPNs, which would provide better QoS. The savings might drop a bit, but the cost of a provisioned VPN would be substantially less than the cost of using leased lines.

There are a few key barriers to building out more intranets based on VPNs:

• No standardized approach to encryption
• Variance between vendors' products, which leads to interoperability problems
• Lack of standards regarding public key management
• Inability of today's Internet to provide end-to-end QoS

Remote Access VPNs
The most interesting and immediate VPN solution for most customers is the replacement of remote access servers. VPN remote access implementations can save customers from 30% to 70% over traditional dialup remote access server deployment. Remote access servers provide access to remote users, generally via analog plain old telephone service (POTS) lines, or, perhaps, ISDN connections, including dialup protocols and access control for authentication (administered by the servers). However, a remote access server requires that you maintain racks of modems, the appropriate terminal adapters for ISDN services, or DSL-type modems for DSL services. You also need remote access routers, which connect remote sites via a private line or public carriers and provide protocol conversion between the LANs and WANs. To have an internal implementation of remote access, you have to acquire all these devices, as well as the talent to maintain them.

If an enterprise needs remote access connections outside local calling areas, and/or if it needs encrypted communications, it is generally fairly easy to justify a VPN service over an enterprise-based remote access server. The initial cost of hardware for a VPN approach is about 33% less than the cost of hardware for a traditional dialup remote-access server deployment. The customer also saves on charges for local access circuits, and costly toll and international charges are eliminated.

By virtue of supporting a greater range of customers, a service provider that offers VPN-based remote access is more likely to support a wider variety of broadband access options, including xDSL, cable modems, and broadband wireless. VPN-based remote access also reduces the management and maintenance required with modem banks and remote client dial-in problems. For these reasons, remote access represents the primary application for which customers turn to VPNs. Figure 11.8 shows an example of a remote access VPN.

Figure 11.8 A remote-access VPN (figure labels: VPN server, Headquarters)

Figure 11.9 An extranet-based VPN (figure labels: Partner A, Server 1, Partner B, Firewall/Router/VPN Gateway, Server 2, User on Server 2)

Extranet VPNs
Extranet VPNs allow an external organization to have defined access into an enterprise's internal networks and resources (see Figure 11.9). There are three major categories of extranets: supplier extranets, which focus on speeding communications along the supply chain; distributor extranets, which focus on the demand side and provide great access to information; and peer extranets, which create increased intraindustry competition.

The key applications for extranets include distribution of marketing and product information, online ordering, billing and account history, training policy and standards, inventory management, collaborative research and development, and e-mail, chat, news, and content.

A prime example of an extranet is the Automotive Industry Action Group's Automatic Network Exchange (ANX). This extranet comprises some 50,000 members worldwide. In many ways ANX is producing de facto standards for how extranets should be deployed. Check with ANX (www.anxo.com) for the latest information on how extranets are evolving and how one of the world's largest extranets is performing.

VPN Gateway Functions
The main purpose of the VPN gateways that are required to enable VPNs is to set up and maintain secure logical connections, called tunnels, through the Internet. Key functions of VPN gateways include packet encapsulation, authentication, message integrity, encryption, key exchange and key management, as well as firewalling, network address translation, access control, routing, and bandwidth management. The following sections describe these functions in detail.

Tunneling Protocols
Tunneling is a method of encapsulating a data packet within an IP packet so that it can be transmitted securely over the public Internet or a private IP network. The remote ends of the tunnel can be in one of two places: They can both be at the edges of the service provider's network, or one can be at the remote user's PC and the other at the corporate boundary router. Between the two ends of the tunnel, Internet routers route encrypted packets as they do all other IP traffic. Three key tunneling protocols are needed in VPNs:

• Point-to-Point Tunneling Protocol (PPTP) - PPTP was developed by Microsoft, 3Com, and Ascend, and it is included in Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, and Windows XP. PPTP is a Layer 2 protocol that can work in a non-IP enterprise environment, which is one of its strengths for customers that use multiple protocols rather than using only IP. PPTP provides low packet overhead and good compression, but its weaknesses are on the security front: It does not provide encryption or key management in the published specification, and it essentially relies on the user password to generate keys. But all implementations of PPTP include Microsoft Point-to-Point Encryption (MPPE).
• Layer 2 Tunneling Protocol (L2TP) - The IETF promotes L2TP, which is a merger between PPTP and Cisco's Layer 2 Forwarding (L2F) protocol. L2TP is another Layer 2 protocol that can work in a non-IP enterprise environment. L2TP is used primarily by service providers to encapsulate and carry VPN traffic through their backbones. Like PPTP, it does not provide encryption or key management in the published specification (although it does recommend IPSec for encryption and key management).
• IP Security (IPSec) - IPSec is an IETF protocol suite that addresses basic data integrity and security. It covers encryption, authentication, and key exchange. IPSec involves a 168-bit encryption key, although the key size can vary, depending on the capabilities of each end of the connection. Recent drafts address encapsulating the secured payload, the key management protocol, and key creation. IPSec emphasizes security by authenticating both ends of the tunnel connection, negotiating the encryption protocol and key for the encrypted session, and encrypting and decrypting the session establishment data. However, IPSec is restricted to IP environments, each user is required to have a well-defined public IP address, and IPSec cannot run on networks that use network address translation.

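The tunnel encapsulation and the NAT limitation described above, as an added example that is not from the book: a tunnel-mode packet protected by an IPsec Authentication Header, whose integrity check covers the outer addresses, so the packet survives ordinary router hops (TTL changes are excluded from the check) but fails verification once a NAT device rewrites the outer source address. The framing follows RFC 2402 (not cited on the page); the key, SPI and addresses are constructed sample values.

```python
"""
Tunnel-mode encapsulation with an IPsec Authentication Header (AH), and why a
NAT rewrite of the outer address breaks the integrity check.

Added example, not code from the book. The framing follows the AH layout of
RFC 2402 (next header, payload length, reserved, SPI, sequence number, ICV),
with HMAC-SHA1 truncated to 96 bits as the ICV algorithm; mutable IPv4 fields
are zeroed before hashing. The key, SPI and addresses are constructed samples.
"""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_AH = 4, 6, 51
AH_LEN = 24                      # 12-byte fixed header + 12-byte (96-bit) ICV
KEY = b"constructed-sample-ah-key"


def ip_checksum(data):
    """One's-complement checksum over a 20-byte IPv4 header (checksum field zeroed)."""
    total = sum((data[i] << 8) + data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def zero_mutable(ip_hdr):
    """Zero the fields a router may legitimately change in transit (TOS,
    flags/fragment offset, TTL, header checksum). Source and destination stay covered."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(key, outer_ip, ah_fixed, payload):
    """ICV over the immutable outer header, the AH with its ICV zeroed, and the payload."""
    covered = zero_mutable(outer_ip) + ah_fixed + b"\x00" * 12 + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:12]


def encapsulate(key, spi, seq, outer_src, outer_dst, inner_packet):
    """Tunnel mode: the whole inner IP packet becomes the payload of outer IP + AH."""
    outer_ip = ipv4_header(outer_src, outer_dst, IPPROTO_AH, AH_LEN + len(inner_packet))
    ah_fixed = struct.pack("!BBHII", IPPROTO_IPIP, AH_LEN // 4 - 2, 0, spi, seq)
    return outer_ip + ah_fixed + ah_icv(key, outer_ip, ah_fixed, inner_packet) + inner_packet


def decapsulate(key, packet):
    """Receiving gateway: verify the ICV in constant time and return the inner packet,
    or None when the check fails (the packet must then be dropped)."""
    outer_ip, rest = packet[:20], packet[20:]
    if len(outer_ip) < 20 or outer_ip[9] != IPPROTO_AH or len(rest) < AH_LEN:
        return None
    ah_fixed, icv, payload = rest[:12], rest[12:24], rest[24:]
    if not hmac.compare_digest(icv, ah_icv(key, outer_ip, ah_fixed, payload)):
        return None
    return payload


def _fix_checksum(hdr):
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr)


def router_hop(packet):
    """An ordinary router: decrement TTL and repair the checksum; AH tolerates this."""
    hdr = bytearray(packet[:20])
    hdr[8] -= 1
    return _fix_checksum(hdr) + packet[20:]


def nat_rewrite(packet, new_src):
    """A NAT device on the path: replace the outer source address and repair the
    checksum, exactly as it would for ordinary traffic. AH does not tolerate this."""
    hdr = bytearray(packet[:20])
    hdr[12:16] = ipaddress.ip_address(new_src).packed
    return _fix_checksum(hdr) + packet[20:]


def demo():
    """Returns (inner packet recovered after two router hops, result after NAT)."""
    inner = ipv4_header("10.1.1.5", "10.2.2.9", IPPROTO_TCP, 0)  # constructed branch-LAN packet
    pkt = encapsulate(KEY, 0x1001, 1, "192.0.2.10", "198.51.100.20", inner)
    routed = decapsulate(KEY, router_hop(router_hop(pkt))) == inner
    return routed, decapsulate(KEY, nat_rewrite(pkt, "203.0.113.7"))


if __name__ == "__main__":
    print(demo())  # (True, None)
```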