Routing is the process of taking data from one network and sending it to another network. A static routing environment is one in which all routing entries in a routing table are entered manually. In other words, if you want the router to know how to reach a destination that is not local to the subnet the router is connected to, you must manually enter the route into the router's table so it can be used. You create a dynamic routing table with a routing protocol such as Routing Information Protocol (RIP) or Open Shortest Path First (OSPF). Understanding the routing table first is key to understanding the protocol, because the protocol is responsible for building the table for you from the information it is configured to learn. In other words, if you turn on RIP, the router builds a table from information it learns from the routers adjacent to it. Routing tables are used to compute the next hop for a packet. Remember that a routing table entry must have two fields: the IP prefix and the next hop address, and the next hop must be valid. The router forwarding the packet must be able to reach that address, which means the router must be connected to the network the next hop is on; otherwise, the route will not work. Lastly, if there is no match (a packet comes in and no routing table entry matches its destination), the packet is discarded, and the sender will most likely receive an Internet Control Message Protocol (ICMP) notification that the destination host was unreachable. Following are some pros and cons of the different routing types:
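The lookup described above (longest prefix match, a next hop that must be reachable, and discard when nothing matches), as an added example that is not part of the original text; the table, addresses and interface names are constructed for illustration:

```python
import ipaddress

# Constructed routing table: (destination prefix, next hop, outgoing interface).
# A next hop of None marks a directly connected subnet.
ROUTING_TABLE = [
    ("192.168.1.0/24", None, "eth0"),            # directly connected
    ("172.16.5.0/24", None, "eth1"),             # directly connected
    ("10.0.0.0/8", "192.168.1.254", "eth0"),     # static route via local gateway
    ("10.10.0.0/16", "192.168.1.253", "eth0"),   # more specific route for one /16
    ("10.20.0.0/16", "203.0.113.9", "eth0"),     # next hop on no connected subnet: unusable
    ("0.0.0.0/0", "172.16.5.1", "eth1"),         # default route
]


def next_hop_valid(gw, table):
    """A next hop is usable only if it lies on a subnet the router is connected to."""
    g = ipaddress.ip_address(gw)
    return any(hop is None and g in ipaddress.ip_network(prefix)
               for prefix, hop, _ in table)


def next_hop(dest, table=ROUTING_TABLE):
    """Longest-prefix match over usable entries.

    Returns (prefix, next_hop, interface), or None when no entry matches,
    which is the case where the packet is discarded and ICMP
    'destination unreachable' would be sent back to the source.
    """
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, gw, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        if gw is not None and not next_hop_valid(gw, table):
            continue  # entry exists but its next hop cannot be reached
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, gw, iface)
    if best is None:
        return None
    net, gw, iface = best
    return (str(net), gw, iface)


if __name__ == "__main__":
    for ip in ("192.168.1.42", "10.10.3.4", "10.20.1.1", "8.8.8.8"):
        print(ip, "->", next_hop(ip))
```

The 10.20.1.1 lookup shows why the next hop must be valid: the /16 entry is skipped because its gateway is on no connected subnet, so the packet falls back to the less specific /8 route.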
A Link State routing protocol ensures that each router on the network maintains a map of the network. For example, say one of your WAN links has a problem that results in two routers losing contact with each other. Both can (through the routing protocol) adjust for the loss of the link between them because they are programmed to do so. When a router's link fails, the router senses the loss of carrier on the line and then, through the routing protocol, sends updates to the routers adjacent to it so that they all know that the link is down and the IP subnet it served is no longer reachable for packets on the wire. When a network link changes state (up to down, or vice versa), a notification called a link state advertisement (LSA) is flooded throughout the network. Routers all over the network process this change and make sure that their routing tables are adjusted accordingly. Another configurable option of Link State protocols is that they can use something other than hop count to determine their path through the network. A Link State protocol can determine that going over more routers may be quicker if the available bandwidth is higher, instead of choosing the shortest path based solely on how many routers away the destination is. Distance Vector protocols are easy to configure and maintain, but not as reliable or efficient as Link State protocols. Distance Vector protocols (such as RIP) allow for simple design and easy maintenance, but your bandwidth may suffer as a result. A Distance Vector protocol lets every router that is configured to use it inform every adjacent router of its entire routing table. This means that each router on the network gets a full routing table from each neighboring router. These tables are used to create a metric based on hop count.
Each router knows how far away each subnet in the network is, so that when an incoming packet arrives (the router strips the header and reads the destination address), the router knows the quickest way to get the packet there. RIP is a Distance Vector routing protocol. Following are some details about RIP:
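The two path-selection behaviours described above, hop count versus a bandwidth-based cost, and re-routing after a link goes down, as an added example (not from the original text). It runs Dijkstra over a constructed four-router topology; the link names, bandwidths and the reference bandwidth are assumptions:

```python
import heapq

# Constructed topology: (router_a, router_b, bandwidth in Mbps).
# R1 reaches R4 directly over a slow link, or via R2 and R3 over fast links.
LINKS = [
    ("R1", "R4", 1.5),
    ("R1", "R2", 100.0),
    ("R2", "R3", 100.0),
    ("R3", "R4", 100.0),
]


def hop_count(bw):
    """Distance Vector style metric: every link costs one hop."""
    return 1


def bandwidth_cost(bw, reference=100.0):
    """Link State style metric: cost falls as bandwidth rises (assumed reference 100 Mbps)."""
    return reference / bw


def shortest_path(links, src, dst, cost):
    """Dijkstra over the link database; returns (path, total_cost) or (None, inf)."""
    adj = {}
    for a, b, bw in links:
        adj.setdefault(a, []).append((b, cost(bw)))
        adj.setdefault(b, []).append((a, cost(bw)))
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):
            continue  # stale heap entry
        for v, w in adj.get(u, []):
            if d + w < dist.get(v, float("inf")):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    if dst not in dist:
        return None, float("inf")
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1], dist[dst]


if __name__ == "__main__":
    print("hop count:", shortest_path(LINKS, "R1", "R4", hop_count))
    print("bandwidth:", shortest_path(LINKS, "R1", "R4", bandwidth_cost))
    # Simulate the R1-R4 link going down (the LSA would remove it everywhere).
    print("after failure:", shortest_path(LINKS[1:], "R1", "R4", hop_count))
```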
RIP2, or RIP version 2, was created to overcome security problems for RIP users. This version adds an option for authentication to the RIP packet, adds support for subnetted networks, and allows variable-length subnet information to be passed in routing updates. Open Shortest Path First (OSPF) is a Link State-based, nonproprietary routing protocol. Following are some details about OSPF:
OSPF divides the network (what it considers a routing domain) into areas. An area is a subdivision of the entire network and is given a label. Area 0 (zero) is considered the backbone of an OSPF network. If your network is small enough, you can set up the entire network to use Area 0. The backbone matters because, once the network becomes more subdivided (say you have three areas, including Area 0), all traffic that must travel between areas is first routed to the backbone, Area 0. When you plan a network this way, the design keeps subnets consolidated within areas, reducing the size of the link state database that is updated on every router in an OSPF network. This keeps your OSPF network running optimally. Following is some other important information to remember about OSPF:
Three forms of traffic traverse a network:
Considering multicast routing is very important because your network must be able to build packet distribution trees that allow sources to send packets to all receivers. These trees are meant to make certain that each packet is forwarded only once and appears only on the networks where it is needed. Without this limitation, you would have problems with IP multicast routing. Multicast routing, which is the propagation of multicast listening information, is provided by multicast routing protocols such as Distance Vector Multicast Routing Protocol (DVMRP) and Multicast Open Shortest Path First (MOSPF), an extension to OSPF that allows it to support IP multicasting. Such protocols ease manual configuration of VPN- and OSPF-based networks and are becoming the standard for these types of networks. The Internet Group Management Protocol (IGMP) is an Internet protocol that allows nodes configured to use it to communicate as a group instead of individually. IGMP allows a node to report its multicast group membership (the group to which it is assigned) to adjacent routers. Multicasting allows a node to send data to many other nodes that have also identified themselves as being part of that group. This cuts down on broadcast traffic and bandwidth consumption. IGMP is detailed in RFC 2236. When you want to access a network remotely, you must provide credentials. If you did not, security would not exist, and anyone could freely enter your network and exploit it. Based on this fact, you could say that Windows Server 2003 handles network access authorization based on account dial-in properties as well as remote access policies. Remote access policies are sets of rules (applied in order) that define how incoming requests for authentication are handled, either accepted or rejected. Each policy is made up of profile settings and a remote access permissions setting.
Windows Server 2003 includes a new feature called Network Access Quarantine Control. This feature delays a remote access connection attempt to the Remote Access Server (RAS) until a script that verifies the configuration of the remote access computer has run. The connection attempt stays in quarantine until it is verified. The actual process is as follows: When a remote computer attempts to connect to the Remote Access Server, the computer is assigned an IP address to participate on the network. Then the user credentials are verified and authenticated, but the connection stays in quarantine until the remote computer is verified against the script. The script runs, and after it completes and its results are verified, the server hosting quarantine releases the connection from quarantine. Network Access Quarantine Control is one of the newest features of Remote Access Security provided by default with Windows Server 2003. Windows Server 2003 also provides Secure User Authentication. This means that security is obtained from the encrypted user credentials that are exchanged when you try to connect to a system. This can be done via the Point-to-Point Protocol (PPP) and its authentication protocols such as Extensible Authentication Protocol (EAP), Challenge Handshake Authentication Protocol (CHAP), and others. You can configure your Windows Server 2003 Remote Access Server to require specific secure authentication methods. The connection attempt is denied if the authentication requirements are not met. EAP is commonly used on networks today and is well suited to authentication. EAP provides an authentication framework in which the authentication scheme to be used is negotiated by the remote access client and the authenticator, which could be either the Remote Access Server or a RADIUS server. Windows Server 2003 Routing and Remote Access (RRAS) includes support for EAP-TLS by default; TLS stands for Transport Layer Security.
EAP-TLS could be considered an EAP type, much like the wireless access protocol called LEAP, provided by Cisco Systems. There are many types of EAP; they all perform similar functions, such as authentication, but they use different methods to do so. Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is a nonreversible, encrypted password authentication protocol. MS-CHAP allows you to use Microsoft Point-to-Point Encryption (MPPE), which lets you encrypt the data as well. Version 2 of the MS-CHAP protocol provides stronger security for remote access connection attempts to your Remote Access Server. MS-CHAP version 2 solves a major issue with the cryptographically weak LAN Manager encoding used for backward compatibility and password changes, because that backward compatibility is no longer supported. This way, you don't have problems with crypto-based attacks on your networks that may break your security posture. It is for reasons such as this that you should opt to use version 2 over version 1. Version 2 also solves other problems with version 1; for example, version 2 stops one-way authentication, which allows masquerading attacks on your Remote Access Server. Because two-way authentication is not available with version 1, such attacks are possible: the client that is trying to connect to a network remotely does not know whether it is dialing into the company's Remote Access Server or perhaps another server, one used for malicious intent. Again, you should use version 2 rather than version 1. MS-CHAP v2 provides two-way authentication, which is also called mutual authentication. Challenge Handshake Authentication Protocol (CHAP) uses the industry standard Message Digest 5 (MD5) algorithm. MD5 is a hashing scheme that protects the credentials exchanged in transit over the remote access network.
CHAP does not allow you to change passwords during the authentication process, which may be a major issue and one of the main reasons you would not want to include CHAP as part of your network. The Shiva Password Authentication Protocol (SPAP) is an authentication protocol provided by a Shiva LAN Rover. If a Shiva client tries to connect to a Windows Server 2003 Remote Access Server, or a Windows client (such as XP) connects to a Shiva LAN Rover, SPAP is used. Because Shiva was prominent in the remote access market at one time, it is wise to include this support. Because SPAP is used for cross-platform connectivity, it is not as secure as CHAP or even MS-CHAP. SPAP is even open to replay attacks (such attacks occur when data packets are captured in transit, examined, and then replayed to the server to gain access) because the same user password is always sent over the network in the same reversibly encrypted form each time. You should use SPAP only when you absolutely have to. Routers keep routing tables. You can edit routing tables because if you use static routes, you have to enter them yourself, maintain them, and so on. You can use the RRAS console to manipulate this data, but nothing is faster or easier than using the route command. Within seconds, you can add a route to the routing table, adjust one, or take one out.
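An added example, not from the original text, contrasting the CHAP exchange described above (the MD5 challenge/response from RFC 1994, which keeps the password off the wire and changes with every attempt) with a static, reusable credential of the kind the text attributes to SPAP. The shared secret and the "reversible encoding" stand-in are constructed for illustration; the point is that a captured CHAP response is rejected on the next attempt, while a captured static token is accepted again.

```python
import hashlib
import hmac
import os

PASSWORD = b"correct-horse-battery"  # constructed shared secret known to both sides


def chap_response(ident, secret, challenge):
    """CHAP response value: MD5(identifier || secret || challenge), per RFC 1994."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side: issues a fresh challenge per attempt and checks the reply."""

    def __init__(self, secret):
        self.secret = secret      # CHAP requires the server to hold the secret itself
        self.ident = 0
        self.challenge = b""

    def new_challenge(self):
        self.ident = (self.ident + 1) % 256
        self.challenge = os.urandom(16)   # unpredictable, never reused
        return self.ident, self.challenge

    def verify(self, ident, response):
        expected = chap_response(ident, self.secret, self.challenge)
        # Identifier must match the outstanding challenge; compare in constant time.
        return ident == self.ident and hmac.compare_digest(expected, response)


def static_login(sent_token, stored_token):
    """SPAP-style check: the same encoded password is sent every time."""
    return hmac.compare_digest(sent_token, stored_token)


def replay_outcomes():
    """One legitimate login per scheme, then the captured bytes replayed."""
    srv = ChapServer(PASSWORD)
    ident, challenge = srv.new_challenge()
    captured = chap_response(ident, PASSWORD, challenge)  # what a sniffer would see
    chap_first = srv.verify(ident, captured)
    srv.new_challenge()                                   # next connection attempt
    chap_replay = srv.verify(ident, captured)             # old response, new challenge
    token = PASSWORD[::-1]   # stand-in for a fixed, reversibly encoded password
    static_replay = static_login(token, token)            # captured token works again
    return {"chap_first": chap_first, "chap_replay": chap_replay,
            "static_replay": static_replay}
```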