18 research outputs found

    A Framework for MPLS in Transport Networks


    An Overview of Operations, Administration, and Maintenance (OAM) Tools


    Transport networks based on MPLS technology: principles and development prospects

    The purpose of the work is to study transport networks based on MPLS technology. Analysis of directions of MPLS technology adaptation to achieve compliance with the requirements of transport networks. This paper considers transport network as an integral part of telecommunication system, analyzes technical principles of MPLS networks operation, reviews main technical principles of MPLS TP transport networks and their differences from MPLS principles, analyzes the issue of monitoring and management of MPLS TP networks and the direction of further development of MPLS TP networks, in particular, the transition to GMPLS technology.

    On the resource abstraction, partitioning and composition for virtual GMPLS-controlled multi-layer optical networks

    Virtual optical networking supports the dynamic provisioning of dedicated networks over the same network infrastructure, which has received a lot of attention by network providers. The stringent network requirements (e.g., Quality of Service -QoS-, Service Level Agreement -SLA-, dynamicity) of the emerging high bandwidth and dynamic applications such as high-definition video streaming (e.g., telepresence, television, remote surgery, etc.), and cloud computing (e.g., real-time data backup, remote desktop, etc.) can be supported by the deployment of dynamic infrastructure services to build ad-hoc Virtual Optical Networks (VON), which is known as Infrastructure as a Service (IaaS). Future Internet should support two separate entities: infrastructure providers (who manage the physical infrastructure) and service providers (who deploy network protocols and offer end-to-end services). Thus, network service providers shall request, on a per-need basis, a dedicated and application-specific VON and have full control over it. Optical network virtualization technologies allow the partitioning/composition of the network infrastructure (i.e., physical optical nodes and links) into independent virtual resources, adopting the same functionality as the physical resource. The composition of these virtual resources (i.e., virtual optical nodes and links) allows the deployment of multiple VONs. A VON must be composed of not only a virtual transport plane but also of a virtual control plane, with the purpose of providing the required independent and full control functionalities (i.e., automated connection provisioning and recovery (protection/restoration), traffic engineering (e.g., QoS, SLA), etc.). This PhD Thesis focuses on optical network virtualization, with three main objectives.
The first objective consists of the design, implementation and evaluation of an architecture and the necessary protocols and interfaces for the virtualization of a Generalized Multi-Protocol Label Switching (GMPLS) controlled Wavelength Switched Optical Network (WSON) and the introduction of a resource broker for dynamic virtual GMPLS-controlled WSON infrastructure services, whose task is to dynamically deploy VONs from service provider requests. The introduction of a resource broker implies the need for virtual resource management and allocation algorithms for optimal usage of the shared physical infrastructure. Also, the deployment of independent virtual GMPLS control plane on top of each VON shall be performed by the resource broker. This objective also includes the introduction of optical network virtualization for Elastic Optical Networks (EON). The second objective is to design, implement and experimentally evaluate a system architecture for deploying virtual GMPLS-controlled Multi-Protocol Label Switching Transport Profile (MPLS-TP) networks over a shared WSON. With this purpose, this PhD Thesis also focuses on the design and development of MPLS-TP nodes which are deployed on the WSON of the ADRENALINE Testbed at CTTC premises. Finally, the third objective is the composition of multiple virtual optical networks with heterogeneous control domains (e.g., GMPLS, OpenFlow). A multi-domain resource broker has been designed, implemented and evaluated.

    Teleprotection signalling over an IP/MPLS network

    Protection of electricity networks has developed to incorporate communications, referred to as protection signalling. Due to the evolution of the electricity supply system, there are many developments pending within the scope of protection signalling and protection engineering in general. This project investigates the use of current and emerging communications technologies (i.e. packetised networks) being applied and incorporated into current protection signalling schemes and technologies. The purpose of the project is to provide a more cost-effective solution to protection schemes running obsolescent hardware. While the medium-term goal of the industry is to move entirely to IEC 61850 communications, legacy teleprotection relays using non-IP communications will still exist for many years to come. For companies to be ready for an IEC 61850 rollout a fully deployed IP/MPLS network will be necessary and it can be seen that various companies worldwide are readying themselves in this way. However, in the short-term for these companies, this means maintaining their existing TDM network (which runs current teleprotection schemes) and IP/MPLS network. This is a costly business outcome that can be minimised with the migration of services from and decommissioning of TDM networks. Network channel testing was the primary testing focus of the project. The testing proved that teleprotection traffic with correct QoS markings assured the system met latency and stability requirements. Furthermore, MPLS resiliency features (secondary LSPs & Fast-reroute) were tested and proved automatic path failover was possible under fault conditions at sub-30ms speeds.

    Layer 2 Ethernet Communication Tunneling Possibilities in Automation Systems

    Future trends in energy generation are renewable energy sources and distributed energy generation. In control systems, these changes require higher automatization, more intelligent devices and secure and reliable communication. Another requirement is faster communication. Building a system that is able to fulfill real-time communication requirements over network layer is a hindrance to automation systems. There are multiple protocols that can manage the requirements, but many of them have limitations and requirements of their own. The limitations can be related to packet sizes, used devices or they may require a license. Tunneling protocols can bring a more general solution for the real-time problem. Tunneling Ethernet communication over network layer and letting the tunneling protocol handle the network layer packaging instead of the communication protocol removes the need of a layer 3 protocol. Layer 2 tunneling provides a direct connection between separate local area networks. It enables a way for devices to communicate with each other over network layer using layer 2 communication protocols. Tunnel uses a pre-configured route to the destination gateway device making the routing of messages simpler and faster than with traditional IP routing. Layer 2 tunneling can be used in any communication system that utilizes layer 2 and layer 3 communication. This thesis focuses on use of tunneling in automation systems. The purpose of this thesis is to provide information and possible solutions for layer 2 Ethernet tunneling. The main focus is in suitable tunneling protocols and communication protocols, but also security and resilience solutions are studied. This thesis is composed of published studies, researches, articles and books that address the topic.

    MPLS technologies for transport networks and Internet service providers. Implementation of a testbed on a Linux platform

    The aim of this work was to set up a pilot network in the laboratory that would make it possible to verify how existing MPLS technologies operate and that would provide an environment for experimenting with new transport technologies. This platform was developed through a preliminary study of the technologies considered and through the design, configuration and functional testing of a network of PCs operating as network devices, in order to maintain the flexibility and configurability required by an experimental environment. To this end, open source software implementing the required protocol stacks was selected and used, and this software was then suitably integrated into the environment for tes

    Security Vulnerabilities of the Cisco IOS Implementation of the MPLS Transport Profile

    We are interested in the security of the MPLS Transport Profile (MPLS-TP), in the context of smart-grid communication networks. The security guidelines of the MPLS-TP standards are written in a complex and indirect way, which led us to pose as hypothesis that vendor solutions might not implement them satisfactorily. To test this hypothesis, we investigated the Cisco implementation of two MPLS-TP OAM (Operations, Administration, and Maintenance) protocols: bidirectional forwarding detection (BFD), used to detect failures in label-switched paths (LSPs) and protection state coordination (PSC), used to coordinate protection switching. Critical smart grid applications, such as protection and control, rely on the protection switching feature controlled by BFD and PSC. We did find security issues with this implementation. We implemented a testbed with eight nodes that run the MPLS-TP enabled Cisco IOS; we demonstrated that an attacker who has access to only one cable (for two attacks) or two cables (for one attack) is able to harm the network at several points (e.g., disabling both working and protection LSPs). This occurred in spite of us implementing the security guidelines that are available from Cisco for IOS and MPLS-TP. The attacks use forged BFD or PSC messages, which induce a label-edge router (LER) into believing false information about an LSP. In one attack, the LER disables the operational LSP; in another attack, the LER continues to believe that a physically destroyed LSP is up and running; in yet another attack, both operational and backup LSPs are brought down. Our findings suggest that the MPLS-TP standard should be more explicit when it comes to security. For example, to thwart the attacks revealed here, it should mandate either hop by hop authentication (such as MACSec) at every node, or an ad-hoc authentication mechanism for BFD and PSC
