Network World
Saturday, August 30, 2008

Gregg Schudel and David J. Smith

What are IP Network Traffic Planes Anyway?

Gregg: We're back!  As promised last time, today's topic explores one of the main ideas of the book -- IP Network Traffic Planes...  So just what are IP Network Traffic Planes, and why is it important to look at packets in this manner?

Dave: IP Network Traffic Planes are "logical" segmentations for IP traffic based on functions performed in the network. Segmenting traffic into specific IP Network Traffic Planes provides a more consistent basis from which to derive and deploy security policies. This is important for IP in particular since all packets are carried in a common pipe.

Gregg: Right. So more granular segmentation provides a clearer way of defining different types of traffic, which can help you secure your network. The commonly accepted practice, and what we cover in the book, is to include _four_ IP traffic planes: Data Plane, Control Plane, Management Plane, and Services Plane. The reason we have four planes is explained below (and in greater detail in Chapter 1 of the book). For now, one very important reason is that routers handle different packet types in different ways. So for both security and availability, it's critically important to understand (and control) how routers process packets.

Dave: Agreed. Let's take a look at each of the four IP Network Traffic Planes now....

IP Data Plane: The data plane is the logical entity containing all “customer” application traffic. In this context, customer traffic refers to traffic generated by hosts, clients, servers, and applications that are intended to use the network as transport only. Thus, data plane traffic should never have destination IP addresses that belong to any networking devices (routers, switches), but rather should be sourced from and destined to other devices, such as PCs and servers, that are supported by the network. The primary job of the router in the case of the data plane is simply to forward these packets downstream as quickly as possible. The data plane consists of Transit IP packets and Exception IP packets as Gregg defined above.

IP Control Plane: The control plane is the logical entity associated with route processes and functions used to create and maintain the necessary intelligence about the state of the network and a router's interfaces. The control plane includes network protocols, such as routing, signaling and link state protocols that are used for communication between network elements, and other control protocols used to build network services. Thus, the control plane is how the network gets dynamically built, and provides the mechanisms for routers to understand forwarding topologies and the operational state of the network. Without the control plane, no other traffic planes would function. The control plane consists of Transit IP packets, Receive packets, Exception IP packets as well as Exception non-IP packets as defined above.

IP Management Plane: The management plane is the logical entity that describes the traffic used to access, manage, and monitor all of the network elements. The management plane supports all required provisioning, maintenance, and monitoring functions for the network. Like the other IP traffic planes, management plane traffic is handled in-band with all other IP traffic. Most service providers and many large enterprises also build separate, out-of-band (OOB) management networks to provide alternate reachability when the primary in-band IP path is not reachable. The management plane primarily consists of Receive packets and Transit IP packets. Exception IP packets and Exception non-IP packets may also apply in some environments, for example, MPLS OAM and CDP.

IP Services Plane: The services plane is the logical entity that includes customer traffic receiving dedicated network-based services such as VPN tunneling (MPLS, IPsec, and SSL), private-to-public interfacing (NAT, firewall, and IDS/IPS), QoS (Voice and Video), and many more. The services plane enables network convergence whereby multiple services of differing characteristics run over a common IP network core. It also ensures that each individual service is handled appropriately and consistently throughout the network. Services plane traffic is essentially “customer” (or transit) traffic, like data plane traffic, but with one major difference. The services plane includes traffic that is intended to have specialized network-based functions applied to the traffic (e.g., MPLS, IPsec, NAT), and to have consistent handling applied end-to-end. That is, services plane traffic may be processed in a very different manner than regular data plane traffic. Hence, it is distinct from the data plane.

Gregg: This is interesting and makes great sense. Segmenting traffic in this way provides a framework within which to develop and enforce specific security requirements.

Dave: Precisely. We can now discuss various types of router architectures and look at how packets are processed within each. These are the topics for the next blog.
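To make the four-plane taxonomy concrete, here is an added example (not from the book or the original post) that sorts sample packets into planes using the definitions above. The router addresses, protocol signatures and sample traffic are constructed for illustration; the classifier also flags packets addressed to a router that match no known control or management protocol, which by the data plane definition should not exist and is what a per-plane policy would police.

```python
from ipaddress import ip_address
# Constructed addresses of the routers we operate (interfaces and loopbacks).
# A packet destined to one of these is addressed to the network itself.
ROUTER_ADDRS = {ip_address(a) for a in ("192.0.2.1", "192.0.2.2", "203.0.113.1")}

# Protocol signatures per plane: (ip protocol, destination port or None for any).
CONTROL = {("tcp", 179), ("ospf", None), ("udp", 646)}               # BGP, OSPF, LDP
MANAGEMENT = {("tcp", 22), ("udp", 161), ("udp", 514), ("tcp", 23)}  # SSH, SNMP, syslog, Telnet
SERVICES = {("esp", None), ("udp", 500), ("udp", 4500)}              # IPsec ESP, IKE, NAT-T

def _matches(pkt, sigs):
    return (pkt["proto"], pkt.get("dport")) in sigs or (pkt["proto"], None) in sigs

def classify(pkt):
    """Return (plane, note) for a packet dict; note is non-empty when the packet is suspect."""
    to_router = ip_address(pkt["dst"]) in ROUTER_ADDRS
    if _matches(pkt, CONTROL):
        return ("control", "")          # routing/signaling, whether addressed to us or in transit
    if _matches(pkt, SERVICES):
        return ("services", "")         # tunneled traffic needing specialized handling
    if _matches(pkt, MANAGEMENT):
        if to_router:
            return ("management", "")
        # SSH/SNMP between two hosts is ordinary customer traffic in transit.
        return ("data", "")
    if to_router:
        # Data plane traffic should never be destined to a network device.
        return ("data", "unexpected: addressed to router, not a known control/management protocol")
    return ("data", "")

def summarize(pkts):
    """Count packets per plane and collect flagged ones (what a per-plane policy would act on)."""
    counts, flagged = {}, []
    for p in pkts:
        plane, note = classify(p)
        counts[plane] = counts.get(plane, 0) + 1
        if note:
            flagged.append((p["src"], p["dst"], note))
    return counts, flagged

# Constructed sample traffic (not captured from any real network).
SAMPLE = [
    {"src": "198.51.100.10", "dst": "198.51.100.20", "proto": "tcp", "dport": 443},  # web, host to host
    {"src": "192.0.2.2", "dst": "192.0.2.1", "proto": "tcp", "dport": 179},          # BGP peering
    {"src": "192.0.2.1", "dst": "224.0.0.5", "proto": "ospf", "dport": None},        # OSPF hello
    {"src": "10.0.0.5", "dst": "192.0.2.1", "proto": "udp", "dport": 161},           # SNMP poll of router
    {"src": "198.51.100.10", "dst": "198.51.100.20", "proto": "tcp", "dport": 22},   # SSH between hosts
    {"src": "198.51.100.30", "dst": "203.0.113.1", "proto": "esp", "dport": None},   # IPsec tunnel to router
    {"src": "198.51.100.40", "dst": "192.0.2.1", "proto": "udp", "dport": 53},       # DNS at the router: suspect
]
```

Running `summarize(SAMPLE)` yields three data, two control, one management and one services packet, with the DNS query to the router flagged.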


About Schudel and Smith

Gregg Schudel, CCIE No. 9591 is a Consulting System Engineer (CSE) supporting the Service Provider organization at Cisco. Gregg is a Cisco Certified Internet Expert (CCIE) in security, and holds an MS degree in engineering from George Washington University (1982), and a BS in engineering from Florida Institute of Technology (1980).

David J. Smith, CCIE No. 1986, is a Consulting System Engineer (CSE) within the Service Provider organization at Cisco. David holds a B.S. in Computer Engineering from Lehigh University (1989) as well as a M.S. in Information Networking from Carnegie Mellon University (1991). He is also CCIE No. 1986 for Routing/Switching.

Gregg and David are co-authors of the recently published Cisco Press book "Router Security Strategies: Securing IP Network Traffic Planes." Get a sneak peek of the book here and enter to win one of 15 copies here. Browse our library of free Cisco Press book chapters here.