Network World
Wednesday, October 8, 2008

Gregg Schudel and David J. Smith


Routers and Packet Handling...

Gregg: We're back! In order to get to the point where we can discuss one of the main ideas of the book -- IP Network Traffic Planes -- we need to first examine a little bit about how routers handle the various packets found in IP networks. By the way, this information is in Chapter 1 of the book!

Dave: Right. Legacy networks like ISDN, Frame Relay, and ATM define separate data and control channels. But IP networks carry all packets within a single pipe. So, IP network devices such as routers and switches must be able to distinguish between the packets they receive in order to treat them appropriately. At the most basic level, there are three groups of packet types that network devices deal with. And it's important to understand what these packet types are, and then why they are handled differently.

Gregg: Exactly. So the three basic categories of packets are:

Transit packets -- These include well-formed IP packets that are subjected to the standard, destination IP address-based forwarding processes of the network device. That is, no extra processing is required to forward these packets. In addition, the destination IP address of these packets is located downstream from the network device and thus, the packet is forwarded out an egress interface. In most networks and under normal operating conditions, transit packets are handled by high-speed processing, which for Cisco routers would be Cisco Express Forwarding (CEF), and typically by specialized forwarding hardware. The term "fast path" is used in Cisco documents to describe this type of forwarding.

Receive packets -- These include control plane and management plane packets that are destined to the network device itself. The term "receive" is related to the way addresses belonging to the network device itself are marked in the CEF table. Receive packets must be handled by the route processor CPU since they are ultimately destined for and handled by applications running at the process level within the software -- Cisco IOS in the case of a router. The term "punt" is often used in Cisco documents to describe the action of moving a packet from the fast path to the "punt path" in order to move the packet to the route processor for handling.

Exception IP and Non-IP packets -- Two special sets of packets include "exception IP" packets as well as non-IP packets. Exception IP packets include, for example, IPv4 packets containing IP header options, IP packets with expiring TTLs, and certain transit IP packets under specific conditions, such as the first packet of a multicast session or a new NAT session. Layer 2 keepalives, ISIS packets, Cisco Discovery Protocol (CDP) packets, and PPP Link Control Protocol (LCP) packets are examples of non-IP packets. All of the packets in this set must be handled by the route processor.

Dave: Wow. That's a lot to keep in mind. But unless we have a detailed understanding of how each packet type affects a network device, we'll never be able to adequately secure it.

Gregg: Definitely. And that's not all. This also plays a role in securing various services such as MPLS or IPsec VPNs (for example) that the device might be supporting.

Dave: Great. Ok. Now we're at the point where we can describe IP Network Traffic Planes. That's the topic for the next blog.

Gregg: Bye for now!
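As an added illustration of the three categories described above (this is not code from the book or from the post), here is a small Python model of the classification step a router performs: a CEF-style longest-prefix lookup in which the device's own addresses are marked as receive entries, the exception-IP and non-IP checks that force a punt, and a tally of what ends up on the route processor. The interface names, prefixes and sample packets are constructed for the example.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800


@dataclass
class Packet:
    """Constructed, minimal view of a frame: only the fields the classifier needs."""
    ethertype: int = ETHERTYPE_IPV4
    dst: str = "0.0.0.0"
    ttl: int = 64
    has_options: bool = False


# Constructed CEF-like FIB: prefix -> egress interface, or "receive" for
# addresses that belong to the device itself (hypothetical names/prefixes).
FIB = {
    ipaddress.ip_network("0.0.0.0/0"): "Gi0/2",
    ipaddress.ip_network("10.0.0.0/8"): "Gi0/1",
    ipaddress.ip_network("192.0.2.0/24"): "Gi0/0",
    ipaddress.ip_network("192.0.2.1/32"): "receive",
}


def fib_lookup(dst, fib=FIB):
    """Longest-prefix match, as the destination-based forwarding lookup does."""
    addr = ipaddress.ip_address(dst)
    matches = [net for net in fib if addr in net]
    return fib[max(matches, key=lambda n: n.prefixlen)]


def classify(pkt, fib=FIB):
    """Return (category, handling): handling is an egress interface name
    when the packet stays on the fast path, or "punt" when it goes to the RP."""
    if pkt.ethertype != ETHERTYPE_IPV4:
        return ("non-ip", "punt")         # L2 keepalives, CDP, ISIS, PPP LCP, ARP ...
    if pkt.has_options or pkt.ttl <= 1:
        return ("exception-ip", "punt")   # IP header options or expiring TTL
    nexthop = fib_lookup(pkt.dst, fib)
    if nexthop == "receive":
        return ("receive", "punt")        # destined to the device itself
    return ("transit", nexthop)           # ordinary forwarding out an egress interface


def punt_load(packets, fib=FIB):
    """Count punted packets per category: the load the route processor must absorb."""
    return Counter(cat for cat, how in (classify(p, fib) for p in packets) if how == "punt")


# Constructed sample traffic mix.
SAMPLE_PACKETS = [
    Packet(dst="10.1.2.3"),                    # transit, fast path
    Packet(dst="192.0.2.1"),                   # receive (device's own address)
    Packet(dst="10.1.2.3", ttl=1),             # exception IP: TTL expires here
    Packet(dst="10.1.2.3", has_options=True),  # exception IP: header options
    Packet(ethertype=0x0806),                  # non-IP (ARP)
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p, "->", classify(p))
    print("punted per category:", dict(punt_load(SAMPLE_PACKETS)))
```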


About Schudel and Smith


Gregg Schudel, CCIE No. 9591 is a Consulting System Engineer (CSE) supporting the Service Provider organization at Cisco. Gregg is a Cisco Certified Internet Expert (CCIE) in security, and holds an MS degree in engineering from George Washington University (1982), and a BS in engineering from Florida Institute of Technology (1980).

David J. Smith, CCIE No. 1986, is a Consulting System Engineer (CSE) within the Service Provider organization at Cisco. David holds a B.S. in Computer Engineering from Lehigh University (1989) as well as an M.S. in Information Networking from Carnegie Mellon University (1991). He is also CCIE No. 1986 for Routing/Switching.

Gregg and David are co-authors of the recently published Cisco Press book "Router Security Strategies: Securing IP Network Traffic Planes." Get a sneak peek of the book here and enter to win one of 15 copies here. Browse our library of free Cisco Press book chapters here.
