Application of PPPoE in Broadband Access Networks
In recent years network data services have developed rapidly and the number of broadband users has grown explosively. Operators are using several access methods, such as xDSL, LAN, HFC and wireless, to build broadband networks that are operable, manageable and profitable. PPPoE is one of the authentication technologies used for this purpose, and how it can be used to manage users effectively is of great interest.
1 PPPoE Protocol Overview
1.1 How PPPoE Works
PPPoE (PPP over Ethernet) establishes a PPP connection over Ethernet. Ethernet is a mature and widely deployed technology, while PPP, through traditional dial-up Internet access, has shown good scalability and excellent management and control mechanisms. By combining the two, the PPPoE protocol has been recognized and widely adopted by broadband access operators.
PPPoE setup is divided into a discovery stage and a PPP session stage. The discovery stage is stateless; in it the host selects an access server, determines the session ID of the PPP session to be established, and obtains the peer information for the point-to-point connection. In the PPP session stage, standard PPP procedures are carried out.
A typical discovery stage involves the following four steps:
(1) The host first broadcasts a PADI packet to find an access server. The PADI must contain at least one Service-Name tag indicating the service the host requires.
(2) After receiving the PADI, an access server that can provide the requested service replies with a PADO packet.
(3) The host selects a suitable access server from the PADO responses and sends a PADR packet to notify it. The PADR must state the service type requested from the access server.
(4) After receiving the PADR, the access server allocates a unique session identifier (session ID) to the user, starts the PPP state machine in preparation for the PPP session, and sends a session confirmation packet, the PADS.
After receiving the PADS, the host enters the PPP session stage. In the session stage the Ethernet type field of the PPPoE frame is set to 0x8864, the code field is 0x00, and the session ID must be the value assigned in the discovery stage.
The PPP session stage mainly consists of LCP negotiation, authentication, and NCP negotiation. The LCP phase establishes, configures and tests the data link connection, and the authentication protocol type (CHAP or PAP) is negotiated by LCP. NCP is a family of protocols for configuring different network-layer protocols; the IP Control Protocol (IPCP) is the one commonly used, and it configures the user's IP address and DNS servers.
The PADT packet terminates a session. It can be sent by either party, but it is only valid after the session has been established.
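As an added example (not code from the article), the following Python encodes and strictly decodes PPPoE packets and checks the rules given in steps (1) to (4) and in the session-stage description above. The discovery Ethertype 0x8863, the packet codes and the Service-Name tag type are taken from RFC 2516 and are not stated on the page.

```python
import struct

# Values from RFC 2516; the page itself states only the 0x8864 session Ethertype and code 0x00.
ETH_PPPOE_DISC, ETH_PPPOE_SESS = 0x8863, 0x8864
PADI, PADO, PADR, PADS, SESSION = 0x09, 0x07, 0x19, 0x65, 0x00
TAG_END, TAG_SERVICE_NAME = 0x0000, 0x0101
VER_TYPE = 0x11  # version 1 and type 1 packed into one byte

def build(code, session_id, tags=(), ppp=b""):
    """Encode a PPPoE packet: 6-byte header, then TLV tags (discovery) or PPP bytes (session)."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags) + ppp
    return struct.pack("!BBHH", VER_TYPE, code, session_id, len(body)) + body

def parse(ethertype, frame):
    """Strict decoder: every length is checked so a crafted packet cannot make the BAS over-read."""
    if len(frame) < 6:
        raise ValueError("short header")
    ver_type, code, sid, length = struct.unpack("!BBHH", frame[:6])
    if ver_type != VER_TYPE or length != len(frame) - 6:
        raise ValueError("bad version/type or length field")
    pkt = {"code": code, "session_id": sid, "tags": [], "payload": frame[6:]}
    off = 6
    while ethertype == ETH_PPPOE_DISC and off + 4 <= len(frame):  # session stage carries PPP, not tags
        tag, tlen = struct.unpack("!HH", frame[off:off + 4])
        if off + 4 + tlen > len(frame):
            raise ValueError("tag length exceeds packet")
        if tag == TAG_END:
            break
        pkt["tags"].append((tag, frame[off + 4:off + 4 + tlen]))
        off += 4 + tlen
    return pkt

def accept_discovery(frame, expected_code):
    """Steps (1)-(4): PADI and PADR need a Service-Name tag; the session ID stays 0 until PADS assigns a non-zero one."""
    pkt = parse(ETH_PPPOE_DISC, frame)
    if pkt["code"] != expected_code:
        raise ValueError("unexpected packet code")
    if expected_code in (PADI, PADR) and not any(t == TAG_SERVICE_NAME for t, _ in pkt["tags"]):
        raise ValueError("Service-Name tag required")
    if (pkt["session_id"] == 0) == (expected_code == PADS):
        raise ValueError("session ID must be 0 before PADS and non-zero in PADS")
    return pkt

def accept_session(frame, assigned_sid):
    """Session stage (0x8864): code must be 0x00 and the session ID the one PADS assigned."""
    pkt = parse(ETH_PPPOE_SESS, frame)
    if pkt["code"] != SESSION or pkt["session_id"] != assigned_sid:
        raise ValueError("session frame with wrong code or session ID")
    return pkt
```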
2 PPPoE Features
PPPoE combines the speed and simplicity of Ethernet with the powerful features of PPP. Any protocol that can be encapsulated in PPP can be carried over PPPoE. In addition, it has the following features:
(1) PPPoE makes it easy to detect when a user goes offline. Statistics on a user's connection time or traffic can be collected from the establishment and release of the PPP session, so billing is flexible and convenient.
(2) PPPoE provides dynamic IP address allocation. Users do not need to configure any IP address, which makes the network easy to manage and maintain, and the IP address shortage can be relieved without adding devices. It also locates users' activity on the network well.
(3) Users access the Internet by entering a username and password in free PPPoE client software (such as EnterNet), much like traditional dial-up access, so existing user habits are preserved. From the operator's perspective, PPPoE requires only minor changes to the existing network structure.
The DSLAM is the ADSL aggregation device. Its core uses ATM or IP, but its uplink port is Ethernet. The BAS is the access server that implements the PPPoE function on the local side and terminates the PPPoE process initiated by the user side. In the downstream direction, Ethernet frames from the IP MAN reach the BAS through routers; after the PPPoE header is added, they are sent to the DSLAM and encapsulated in AAL5 frames, then sent through the cross-connect module to the ADSL modem, where the AAL5 frame is reassembled and the Ethernet frame is delivered to the client. The client extracts the IP packet from the PPPoE packet.
In the upstream direction, the PPPoE packet is encapsulated in AAL5 frames in the ADSL modem and carried in ATM cells to the local DSLAM. The DSLAM terminates the ATM layer, reassembles the PPPoE packet and forwards it over the configured PVC (permanent virtual circuit) to the BAS for processing.
From the above we can see that PPPoE carries PPP over Ethernet, providing a logical point-to-point link over a shared-medium network. For users, the ATM transmission between the DSLAM and the ADSL modem is transparent. If the DSLAM and ADSL modem in the middle are replaced by the access devices of a cable TV network, the result is a typical HFC access network, and the BAS does not need to change the way it processes PPPoE packets.
3 Implementation of PPPoE on the BAS
PPPoE dial-up software is already very mature (Windows XP ships with its own client). The following focuses on the implementation of PPPoE in the access server, the BAS.
3.1 PPPoE Efficiency
From the PPPoE protocol model we can see that the BAS aggregates all users' data streams, and every PPPoE packet must be unpacked for inspection and processing, which largely follows the traditional PPP processing model. Although this provides good security, once there are many users the packet volume is large and encapsulation must be fast; the BAS then spends much of its capacity inspecting user packets, which easily becomes the access "bottleneck".
Therefore a distributed network processor (NP) and ASIC chips can be used in the BAS hardware architecture. A network processor is a dedicated processor developed specifically for telecommunication network equipment; it has a specialized instruction set for processing the various protocols and services of telecommunication networks, which greatly improves the device's processing capability. At the same time, when an ASIC chip forwards packets its performance approaches that of pure hardware and is far beyond that of CPU software. In this way PPPoE data-stream processing and forwarding are separated, greatly improving efficiency. In addition, the software architecture should be combined with other technologies to make better use of PPPoE's performance.
3.2 Combining PPPoE with VLANs
A VLAN (virtual LAN) logically divides the devices in a LAN into different network segments to form virtual workgroups. One purpose of VLAN division is to improve network security: data in different VLANs cannot communicate freely and must pass through layer-3 checks. The second is to isolate broadcast traffic: after VLAN division the broadcast domain shrinks, which improves network performance and confines broadcast storms to a single VLAN.
PPPoE is a client/server protocol. The client must send a PADI packet to search for the BAS, so it must be in the same layer-2 broadcast domain as the BAS; combining PPPoE with VLANs addresses the security risk this creates. In addition, users of different service types can be assigned to different VLANs for processing, so that services can be deployed flexibly and processing speeded up. Of course, the VLAN plan must be coordinated uniformly between the layer-2 devices and the BAS.
After receiving an upstream PPPoE packet, the BAS first identifies the category of its VLAN ID. If it is an ordinary dial-up user, the BAS determines whether the packet belongs to the discovery stage or the session stage and handles it strictly according to the PPPoE protocol. In the session stage, IP addresses are allocated to users from different address pools according to user type; the address pools are configured by the upper-layer network management system. If it is a data packet from an authenticated user, it is processed according to the user's service type; for example, if it is a locally authenticated dial-up user and the peer has applied for the same function, the packet is forwarded locally.
If it is a leased-line user, the packet can enter the leased-line processing path directly based on its VLAN ID, without going through the comparatively complex PPPoE authentication process, which greatly improves access speed. In addition, unified network management requires communication between the BAS and other devices; these packets are internal packets and can also be identified by VLAN ID.
For downstream data, the BAS, which allocates and parses users' IP addresses and also acts as the gateway, receives the destination IP address of the packet, so it is far more convenient to look up user information by IP address than by MAC address. This is where it differs from an ordinary switch. The rest of the process is similar to upstream processing.
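An added example, not from the article, of the upstream classification just described on a BAS: it reads the 802.1Q tag, maps the VLAN ID to the categories the page names (dial-up, leased line, internal) and drops anything that does not belong on that VLAN, such as a PPPoE frame arriving on a leased-line VLAN. The VLAN plan, address pools and MAC addresses are constructed values; the PPPoE discovery Ethertype 0x8863 is from RFC 2516, not from the page.

```python
import struct

ETH_8021Q, ETH_IPV4 = 0x8100, 0x0800
ETH_PPPOE_DISC, ETH_PPPOE_SESS = 0x8863, 0x8864   # RFC 2516; the page itself gives only 0x8864

# Constructed VLAN plan and address pools (hypothetical values): the page says the plan must be
# agreed between the layer-2 devices and the BAS, and the pools come from network management.
VLAN_PLAN = {100: ("dialup", "residential"), 101: ("dialup", "business"),
             200: ("leased", None), 4000: ("internal", None)}
ADDRESS_POOLS = {"residential": "10.10.0.0/16", "business": "10.20.0.0/16"}

def tagged_frame(vid, ethertype, payload=b""):
    """Build an 802.1Q-tagged frame with constructed MAC addresses, for exercising the classifier."""
    return (b"\x00\x11\x22\x33\x44\x55" + b"\x00\x66\x77\x88\x99\xaa"
            + struct.pack("!HHH", ETH_8021Q, vid & 0x0FFF, ethertype) + payload)

def classify_upstream(frame):
    """Route an upstream frame to the BAS pipeline stage the page describes, or drop it.
    Returns (stage, detail); a drop carries the reason so it can be logged."""
    if len(frame) < 18:
        return ("drop", "runt frame")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != ETH_8021Q:
        return ("drop", "untagged frame: every user port must map to a planned VLAN")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    category, user_type = VLAN_PLAN.get(vid, (None, None))
    if category == "dialup":
        if ethertype == ETH_PPPOE_DISC:
            return ("pppoe-discovery", vid)                     # PADI/PADO/PADR/PADS/PADT handling
        if ethertype == ETH_PPPOE_SESS:
            return ("pppoe-session", ADDRESS_POOLS[user_type])  # address pool chosen by user type
        return ("drop", "non-PPPoE frame on dial-up VLAN %d" % vid)
    if category == "leased":
        if ethertype == ETH_IPV4:
            return ("leased-line", vid)                         # no PPPoE authentication on this path
        return ("drop", "only IP is accepted on leased-line VLAN %d" % vid)
    if category == "internal":
        return ("management", vid)
    return ("drop", "VLAN %d is not in the plan" % vid)
```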
3.3 PPPoE Support for Multi-Service Selection
Multi-service selection means that users choose for themselves among the various services provided by the backend network operator over a PPP connection that terminates at the BAS. Multiple services need to be supported because the implementations of different services have different technical focuses and different network performance requirements, and the earlier fixed-allocation approach was inconvenient. On the other hand, from the perspective of network application development, the separation of the content service provider (ICP) and the network access provider (ISP) is an inevitable trend, and on the access aggregation side the ISP must strictly ensure that the selected service flow is forwarded to the corresponding ICP.
The current method is to select the corresponding service in the PPPoE dialing software, confirm the user's service authorization, and then activate the corresponding processing module in the BAS. In this way, however, users only know the service name and cannot intuitively and fully learn what service types the BAS provides, which is a serious limitation, especially when new services are being developed.
Therefore the BAS can be combined with a backend service selection gateway and a RADIUS server to authenticate the user first and select the service afterwards. The specific procedure is as follows:
(1) The host sends a PADI to search for the BAS. The PADI contains a Service-Name tag whose value is empty, indicating that the user accepts any type of service.
(2) The BAS receives the packet and replies with a PADO. The PADO contains tags for all the services it can provide plus a tag named General.
(3) The host sends a PADR, selecting either a known service name or the General service.
(4) After receiving the PADR, the BAS allocates resources to the user and starts PPP negotiation. During PPP negotiation the BAS sends the account and password entered by the user to the RADIUS server for authentication.
(5) An authenticated user can use the service provided by the BAS. If General was selected, however, the user is forced onto the service selection gateway connected directly to the BAS. The backend service selection gateway is a server with web server functionality: through its interactive web interface the user can obtain information about the selectable services (including cost and bandwidth), and the user's account information is displayed.
(6) The user selects the corresponding service; the service selection gateway defines the service scope and operating permissions of each class of user.
(7) The service selection gateway activates the corresponding internal service module in the access server to deliver the service. The above method strictly follows the PPPoE protocol and is fully compatible with popular dial-up software. Users who are not interested in other services and are already familiar with their applications keep their habits unchanged.
From the BAS's perspective the PPPoE procedure has not changed; only one more service type has been added. If the carrier does not currently deploy a service selection gateway, the network management system can be configured so that the General service is not included in the response to the PADI.
For carriers, this method not only greatly improves the transparency of users' access operations but also serves as a service portal, leaving room for further service expansion. Moreover, following the future development of broadband access networks, allocating bandwidth and QoS on demand according to service type is inevitable, and this PPPoE operating mode is the future direction of service development.
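The following is an added example (not the article's own code) of the BAS-side decisions in steps (1) to (7): which Service-Name tags to offer in the PADO, how to bind a PADR to a service module, and how the gateway re-binds a session after the user chooses. Service names, module names and the Service-Name tag type 0x0101 (RFC 2516) are assumptions not taken from the page; tags are handled as (type, value) pairs.

```python
# Added example, not from the article: BAS-side decisions for the multi-service procedure.
TAG_SERVICE_NAME = 0x0101        # RFC 2516 Service-Name tag type (not stated on the page)
GENERAL = b"General"             # the page's extra service that defers the choice to the gateway
GATEWAY_MODULE = "service-selection-gateway"   # hypothetical module name

def pado_service_tags(padi_tags, configured_services, gateway_configured):
    """Steps (1)-(2): build the Service-Name tags for the PADO, or None if no PADO should be sent.
    General is advertised only when the gateway exists (the network-management switch)."""
    requested = [v for t, v in padi_tags if t == TAG_SERVICE_NAME]
    if not requested:
        return None                                   # a PADI must carry a Service-Name tag
    offered = set(configured_services) | ({GENERAL} if gateway_configured else set())
    if b"" in requested:                              # empty name: host accepts any service
        return [(TAG_SERVICE_NAME, n) for n in sorted(offered)]
    matched = [n for n in requested if n in offered]
    return [(TAG_SERVICE_NAME, n) for n in matched] or None

def bind_session(padr_tags, pado_tags, module_for_service):
    """Steps (3) and (5): pick the BAS module that carries the session. General parks the
    session on the gateway module; a name never offered is refused, so a selected flow can
    only reach the ICP/module it was mapped to."""
    chosen = [v for t, v in padr_tags if t == TAG_SERVICE_NAME]
    offered = {v for t, v in pado_tags if t == TAG_SERVICE_NAME}
    if len(chosen) != 1 or chosen[0] not in offered:
        raise ValueError("PADR must name exactly one service that was offered in the PADO")
    return GATEWAY_MODULE if chosen[0] == GENERAL else module_for_service[chosen[0]]

def activate_from_gateway(session_module, selected_service, permitted_services, module_for_service):
    """Steps (6)-(7): after the user picks a service within their permitted scope, the gateway
    moves the session from the gateway module to that service's module."""
    if session_module != GATEWAY_MODULE:
        raise ValueError("only sessions parked on the gateway can be re-bound")
    if selected_service not in permitted_services:
        raise PermissionError("service is outside this user's scope")
    return module_for_service[selected_service]
```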
3.4 PPPoE Support for Multicast
PPPoE is a point-to-point protocol: each user has a PPP link with the BAS, and user and BAS transmit data over this link through the layer-2 devices as unicast. However, with the continuous growth of online video services the demand for bandwidth keeps growing, and multicast support in PPPoE becomes very important. Multicast support for PPPoE generally refers to the layer-2 multicast protocols IGMP proxy and IGMP snooping; the basic method is to deliver multicast packets per group. The implementation of the two protocols is described below.
3.4.1 IGMP Snooping
IGMP snooping maintains the mapping between multicast addresses and VLAN tables by listening to the IGMP messages exchanged between users and routers. It maps the active members of the same multicast group to one VLAN; when a multicast packet is received, it is forwarded only to the VLAN members corresponding to that multicast group. The procedure is as follows:
(1) The host performs PPPoE negotiation with the BAS and passes PPPoE authentication.
(2) The host sends an IGMP membership report to the router. The BAS listens to this packet, obtains the multicast group address from the PPPoE packet and adds the user to the corresponding VLAN; if the user is the first member of the multicast group, a multicast entry is created for the group and the packet is forwarded to the upstream router to update the multicast routing table.
(3) When the BAS receives a multicast datagram from the router, it finds the corresponding VLAN from the relationship between the multicast MAC address and the multicast IP address, then encapsulates the packet in a PPPoE session packet and forwards it to each member of the VLAN.
(4) When the BAS receives a packet from a host asking to leave the multicast group, it deletes the port on which the packet was received from the corresponding VLAN; if the user was the last member of the multicast group (the VLAN is now empty), the VLAN is deleted and the packet is forwarded through the upstream port. The IGMP snooping rules are relatively simple: query packets pass straight through in the downstream direction, and in the upstream direction packets are forwarded or suppressed as needed. The BAS must, however, be able to extract layer-3 information, and it is transparent to hosts and routers.
3.4.2 IGMP Proxy
IGMP proxy builds a multicast table by intercepting the IGMP messages between the user and the router. The uplink port of the proxy device plays the role of a host, and the downlink port plays the role of a router.
The process is briefly as follows:
(1) The host performs PPPoE negotiation with the BAS and passes PPPoE authentication.
(2) The uplink port plays the host role and responds to queries from the router. When a new group is joined or the last user in a group leaves, it actively sends a membership report or a leave packet.
(3) Service packets in the downstream direction are forwarded according to the multicast table.
(4) The downlink port plays the router role fully according to the mechanism specified in IGMP v2, including the querier election mechanism, periodically sending general queries, and sending group-specific queries when a leave packet is received. IGMP proxy implements different functions on the two ports, so the workload is relatively large. Its advantage is that when there is no router in the network the IGMP proxy device can act as the querier, and if the multicast routing function is to be extended, proxy is more convenient than snooping. Considering the heavy load placed on the BAS by replicating PPPoE multicast data to the downstream devices, today's switches and some DSLAMs (especially IP-based DSLAMs) have begun to support layer-2 multicast, so from a development perspective IGMP proxy is the better choice.
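As an added example serving both the IGMP snooping and IGMP proxy procedures above (not code from the article), the following group-membership table, keyed by PPPoE session ID, reports the first-join and last-leave events that snooping forwards upstream and proxy turns into its own report or leave packet, and shows why the multicast MAC from step (3) of snooping must be combined with the group IP. The IP-to-MAC rule is from RFC 1112; the session IDs and group addresses are constructed.

```python
import ipaddress

def group_mac(group_ip):
    """IPv4 multicast MAC (RFC 1112): 01:00:5e plus the low 23 bits of the group address."""
    ip = ipaddress.IPv4Address(group_ip)
    if not ip.is_multicast:
        raise ValueError("not a multicast group")
    low = int(ip) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low >> 16, (low >> 8) & 0xFF, low & 0xFF)

class MulticastTable:
    """Group membership kept on the BAS. report()/leave() return whether the upstream side
    must be told (first join / last leave): snooping forwards the host's packet, proxy sends its own."""
    def __init__(self):
        self.authenticated = set()   # sessions that completed PPPoE authentication, step (1)
        self.members = {}            # group address -> set of PPPoE session IDs

    def session_up(self, sid):
        self.authenticated.add(sid)

    def session_down(self, sid):
        """PADT or timeout: drop the session from every group; return the groups that emptied."""
        self.authenticated.discard(sid)
        return [g for g in list(self.members) if self.leave(g, sid)]

    def report(self, group, sid):
        """Step (2): membership report from a session; True if it is the group's first member."""
        if sid not in self.authenticated:
            raise PermissionError("report from unauthenticated session")
        members = self.members.setdefault(group, set())
        members.add(sid)
        return len(members) == 1

    def leave(self, group, sid):
        """Step (4): True when the last member left and the group entry was removed."""
        members = self.members.get(group, set())
        members.discard(sid)
        if members or group not in self.members:
            return False
        del self.members[group]
        return True

    def receivers(self, group):
        """Step (3): sessions that each get a unicast PPPoE copy of a datagram for this group."""
        return sorted(self.members.get(group, ()))

    def groups_for_mac(self, dst_mac):
        """A MAC alone is ambiguous (32 IPv4 groups share one MAC): use it only as a pre-filter."""
        return sorted(g for g in self.members if group_mac(g) == dst_mac)
```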
4 Conclusion
Using an NP-based hardware architecture and the PPPoE + VLAN design greatly improves the efficiency, security and manageability of PPPoE, and adding multi-service selection and multicast support to PPPoE provides high-quality, flexible services to users, injecting new vigor into the booming construction of broadband networks.