6.8 Architectural Considerations


In developing our addressing and routing architecture, we need to evaluate the sets of internal and external relationships for this component architecture.

6.8.1 Internal Relationships

Depending on the type of network being developed, the set of candidate addressing and forwarding mechanisms for a component architecture can be quite different. For example, a service-provider network may focus on mechanisms such as supernetting, CIDR, multicasts, peering, routing policies, and confederations, whereas the focus of a medium-sized enterprise network would more likely be on private addressing and NAT, subnetting, VLANs, switching, and the choice and locations of routing protocols.

Two types of interactions are predominant within this component architecture: (1) trade-offs between addressing and forwarding mechanisms and (2) trade-offs within addressing or within forwarding. Addressing and forwarding mechanisms influence the choice of routing protocols and where they are applied. They also form an addressing hierarchy upon which the routing hierarchy is overlaid.

An example of this is shown in Figure 6.28. This figure illustrates interactions within the addressing/forwarding architecture. Within this architecture, routing protocol selection, either by itself or in combination with VLAN addressing, determines ISP path selection.

Figure 6.28: Example of interactions within addressing/routing architecture.

Areas of the network where dynamic addressing, private addressing, and NAT mechanisms are applied will affect how routing will (or will not) be provided in those areas.

6.8.2 External Relationships

External relationships are trade-offs, dependencies, and constraints between the addressing/routing architecture and each of the other component architectures (network management, performance, security, and any other component architectures you may develop).

There are common external relationships between addressing/routing and each of the other component architectures, some of which are presented in the following subsections.

Interactions between Addressing/Routing and Network Management

Addressing/routing can be used to configure boundaries for network management. For example, AS boundaries indicate where one management domain ends and another begins.

Interactions between Addressing/Routing and Performance

Performance can be closely coupled with addressing/routing through mechanisms such as MPLS, differentiated and integrated services, and Resource Reservation Protocol. However, when routing protocol simplicity is a high priority, performance may be decoupled from addressing/routing.

Performance can also be coupled with addressing/routing through the use of IPv6, which provides information fields that can be used by performance mechanisms.

Interactions between Addressing/Routing and Security

Security mechanisms are often intrusive, intercepting, inspecting, and controlling network access and traffic. As such, they can have an impact on the routing behavior of the network. Just as security perimeters or zones bound performance (see Chapter 8), they can also bound routing.

NAT can be used to enhance security and provide private addressing space for a network. By forming a boundary between private and public address spaces, with translation of addresses between these spaces, outside access to the network can be more controlled. Addressing and routing can affect security in three ways:

  1. In terms of accessing the network from the outside (firewalls, IP hiding, and NAT)

  2. How protective measures are implemented on servers (e.g., access control lists restrict access based on IP address and subnet)

  3. Ability to trace an attack inside the perimeter

The use of dynamic addressing can create problems in tracing network events. Positioning some services (e.g., public-address Web servers) outside the firewall or behind the firewall (with only HTTP permitted through the firewall) is an important decision. Wrappers will not control access if the IP address space is dynamic. Also, permitting only certain protocols to talk to a server from a well-known address space is an option if the network is designed with this in mind. Last, properly routing hostile packets is an option with the right architecture.
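The second and third points above (access control keyed on IP address and subnet, and tracing an event inside the perimeter when addresses are dynamic) can be shown together. The following example is added here and is not from the book: it evaluates a subnet-based access list and then correlates constructed firewall log lines with a constructed DHCP lease log, so that an event is attributed to the host that held the address at that time rather than to the address alone. The log formats, hostnames, addresses and the two ACL entries are all constructed for the example.

```python
import ipaddress
from datetime import datetime

# Constructed DHCP lease log: the same address is handed to two hosts in one day.
DHCP_LEASES = """\
2023-03-01T08:00:00 lease 10.20.1.50 mac aa:bb:cc:00:00:01 host lab-pc-7
2023-03-01T11:30:00 lease 10.20.1.50 mac aa:bb:cc:00:00:02 host guest-laptop
"""

# Constructed firewall log protecting a server at 10.20.3.10.
FIREWALL_LOG = """\
2023-03-01T09:15:00 DENY src=10.20.1.50 dst=10.20.3.10 proto=tcp dport=22
2023-03-01T12:05:00 DENY src=10.20.1.50 dst=10.20.3.10 proto=tcp dport=22
2023-03-01T12:06:00 PERMIT src=10.20.2.9 dst=10.20.3.10 proto=tcp dport=80
"""

# Constructed access list: (source prefix, permitted destination ports),
# evaluated first match wins, most specific entry listed first.
ACL = [
    ("10.20.2.0/24", {80, 443}),
    ("10.20.0.0/22", {80}),
]


def parse_leases(text):
    """Return (lease_time, ip, hostname) tuples from the lease log."""
    leases = []
    for line in text.splitlines():
        f = line.split()
        leases.append((datetime.fromisoformat(f[0]), f[2], f[6]))
    return leases


def parse_firewall(text):
    """Return (time, action, src, dst, dport) tuples from the firewall log."""
    events = []
    for line in text.splitlines():
        f = line.split()
        kv = dict(tok.split("=", 1) for tok in f[2:])
        events.append((datetime.fromisoformat(f[0]), f[1], kv["src"], kv["dst"], int(kv["dport"])))
    return events


def attribute(leases, when, ip):
    """Host that held `ip` at `when`: the latest lease for that ip issued no later than `when`.

    With dynamic addressing the address alone is not the answer; without the
    lease record there is nothing to attribute the event to.
    """
    candidates = [l for l in leases if l[1] == ip and l[0] <= when]
    if not candidates:
        return None
    return max(candidates, key=lambda l: l[0])[2]


def acl_permits(acl, src, dport):
    """Subnet-keyed access control: the first prefix containing src decides the port set."""
    addr = ipaddress.ip_address(src)
    for prefix, ports in acl:
        if addr in ipaddress.ip_network(prefix):
            return dport in ports
    return False  # implicit deny when no entry matches


def trace(dhcp_text, fw_text):
    """Join each firewall event to the host that owned its source address at that moment."""
    leases = parse_leases(dhcp_text)
    out = []
    for when, action, src, dst, dport in parse_firewall(fw_text):
        out.append((when.isoformat(), src, attribute(leases, when, src), action, dport))
    return out


if __name__ == "__main__":
    for row in trace(DHCP_LEASES, FIREWALL_LOG):
        print(row)
```

In the constructed data the two denied SSH attempts come from the same address but from different hosts, which is exactly the tracing problem dynamic addressing introduces; the third event has no lease at all (a statically addressed host), so attribution must fall back to other records.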




Network Analysis, Architecture and Design
Network Analysis, Architecture and Design, Second Edition (The Morgan Kaufmann Series in Networking)
ISBN: 1558608877
Year: 2003
Pages: 161
