The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
A point-to-point data communication channel provides a persistent, always-on connection between two sites that are connected to a wide area network (WAN). Point-to-point channels are attractive to enterprises with many personnel and data resources at multiple sites, because resources can be shared among those sites. In addition, point-to-point connections add a level of security because they prevent delivery of traffic to points other than the trusted enterprise sites.
Some independent WAN service providers (SPs) provide point-to-point channels for which a customer enterprise (a “customer”) can subscribe. Typically the customer pays the SP for a particular number of channels each supporting a specified level of service between two of the customer's sites. Each channel is associated with a channel identifier.
Point-to-point channels can be formed in both circuit switched and packet switched networks. A circuit switched network devotes all the data carrying capacity (“bandwidth”) of a physical medium link to a channel. A packet switched network allows sharing the bandwidth of a physical medium link among several channels. A physical circuit is composed of one or more physical links that are used to connect two customer sites.
Devices attached to a WAN fall into two general categories: data terminating equipment (DTE) that produces or consumes the data transported over the network; and data circuit-terminating equipment (DCE). DTE devices are typically located on the customer premises and are procured by the customer independently of the SP. Example DTE devices include terminals, personal computers, routers and bridges. DCE devices are SP-procured internetworking devices that provide the clocking and switching services that actually transmit data through the WAN.
Two DCEs are directly connected by a physical link. A DCE that directly connects to a DTE is a service provider edge (PE) device. The DTE that directly connects to a DCE is a customer edge (CE) device. Some PE devices are physically located on customer premises, even though they are owned and operated by the SP; these are termed PE customer located equipment (PE-CLE).
Frame Relay (FR) is a high-performance packet-switched WAN protocol that provides point-to-point channels using virtual circuits. A virtual circuit is a logical connection created between two customer sites, such as two PE-CLEs, across the FR packet switched network. A virtual circuit is uniquely identified by a data-link connection identifier (DLCI) value. The DLCI values are typically assigned by the SP. Several virtual circuits can be multiplexed into a single physical circuit made up of a series of physical links between SP-procured networking devices. FR typically provisions virtual circuits with bandwidths in multiples of 0.064 Megabits per second (Mbps) up to about 1 Mbps, where a bit is a binary digit and a Megabit is a million bits.
A common implementation of a Frame Relay WAN involves an optical backbone that connects the DCEs of the WAN. An optical PE-CLE is typically located by an SP in the basement of a building that houses one or more customers of the SP. For each customer in the building, an optical cable is run from the PE-CLE to a FR communication processor (“FR box”). The optical cable carries only the channels to which the customer has subscribed. The FR box manages the DLCIs associated with those channels. When data packets arrive at the FR box destined for one of the customer's remote sites, the data packets are inserted into FR data packets carrying the correct DLCI. The FR data packets are sent on the optical cable to the optical PE-CLE, and from there to the optical WAN.
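The following Python example is added here to illustrate the two preceding paragraphs; it is not code from the original application. It packs a DLCI into the two-octet Q.922 address field, inserts IP datagrams into FR frames with the RFC 2427 control and NLPID octets, and models an FR box that multiplexes several virtual circuits onto one physical circuit and demultiplexes arriving frames by DLCI. The Q.922 address layout and the RFC 2427 octets are standard; the FrBox class, the site names, the DLCI assignments and the datagram contents are hypothetical, and the HDLC flag and FCS octets that the link layer adds around each frame are omitted.

```python
"""Q.922 address-field encoding and DLCI-based multiplexing for Frame Relay.

Added example for this page, not code from the original application. The
Q.922 two-octet address layout and the RFC 2427 control/NLPID octets are
standard; the FrBox class, the site names and the DLCI assignments are
hypothetical, and the HDLC flag and FCS octets the link layer adds around
each frame are omitted.
"""
from typing import Dict, List, Tuple

UI_CONTROL = 0x03  # Q.922 Unnumbered Information control octet (RFC 2427)
NLPID_IP = 0xCC    # NLPID value identifying an IP datagram (RFC 2427)


def encode_q922_address(dlci: int, cr: int = 0, fecn: int = 0,
                        becn: int = 0, de: int = 0) -> bytes:
    """Pack a 10-bit DLCI into the two-octet Q.922 address field.

    Octet 1: DLCI bits 9..4 | C/R | EA=0 (another address octet follows)
    Octet 2: DLCI bits 3..0 | FECN | BECN | DE | EA=1 (last address octet)
    """
    if not 0 <= dlci <= 1023:
        raise ValueError("DLCI must fit in 10 bits")
    octet1 = ((dlci >> 4) & 0x3F) << 2 | (cr & 1) << 1
    octet2 = ((dlci & 0x0F) << 4 | (fecn & 1) << 3 | (becn & 1) << 2
              | (de & 1) << 1 | 1)
    return bytes([octet1, octet2])


def decode_q922_address(hdr: bytes) -> Dict[str, int]:
    """Unpack a two-octet Q.922 address field; EA bits must be 0 then 1."""
    if len(hdr) < 2 or (hdr[0] & 1) != 0 or (hdr[1] & 1) != 1:
        raise ValueError("not a two-octet Q.922 address field")
    dlci = ((hdr[0] >> 2) << 4) | (hdr[1] >> 4)
    return {"dlci": dlci, "cr": (hdr[0] >> 1) & 1, "fecn": (hdr[1] >> 3) & 1,
            "becn": (hdr[1] >> 2) & 1, "de": (hdr[1] >> 1) & 1}


def encapsulate_ip(dlci: int, ip_datagram: bytes) -> bytes:
    """Insert an IP datagram into an FR frame for the given virtual circuit."""
    return encode_q922_address(dlci) + bytes([UI_CONTROL, NLPID_IP]) + ip_datagram


def decapsulate(frame: bytes) -> Tuple[int, bytes]:
    """Return (dlci, ip_datagram) from an RFC 2427 IP-over-FR frame."""
    if len(frame) < 4:
        raise ValueError("frame too short")
    dlci = decode_q922_address(frame[:2])["dlci"]
    if frame[2] != UI_CONTROL or frame[3] != NLPID_IP:
        raise ValueError("not RFC 2427 IP encapsulation")
    return dlci, frame[4:]


class FrBox:
    """Hypothetical model of the FR box: one DLCI per subscribed remote site,
    all circuits multiplexed onto the single cable to the PE-CLE."""

    def __init__(self, dlci_by_site: Dict[str, int]) -> None:
        self.dlci_by_site = dict(dlci_by_site)
        self.site_by_dlci = {d: s for s, d in self.dlci_by_site.items()}

    def send(self, site: str, ip_datagram: bytes) -> bytes:
        return encapsulate_ip(self.dlci_by_site[site], ip_datagram)

    def receive(self, frame: bytes) -> Tuple[str, bytes]:
        dlci, payload = decapsulate(frame)
        if dlci not in self.site_by_dlci:
            raise ValueError(f"frame carries unsubscribed DLCI {dlci}")
        return self.site_by_dlci[dlci], payload


def snoop(frames: List[bytes]) -> Dict[int, List[bytes]]:
    """What a tap between the FR box and the PE-CLE recovers: every circuit's
    DLCI and its cleartext payload, since FR itself adds no confidentiality."""
    seen: Dict[int, List[bytes]] = {}
    for frame in frames:
        dlci, payload = decapsulate(frame)
        seen.setdefault(dlci, []).append(payload)
    return seen


if __name__ == "__main__":
    box = FrBox({"chicago": 100, "denver": 101})   # hypothetical SP assignment
    wire = [box.send("chicago", b"constructed datagram for chicago"),
            box.send("denver", b"constructed datagram for denver")]
    print(wire[0][:4].hex())   # 184103cc: DLCI 100, UI control, NLPID IP
    print(snoop(wire))
```

The snoop function is the point of the example for this page: the DLCI selects the circuit, but nothing in the frame hides the payload from whoever can read the cable or the PE-CLE interface.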
For example, the Synchronous Optical Network (SONET) protocol is a standard adopted for optical WANs by many SPs. SONET is capable of transmission rates up to almost 10,000 Mbps, split among up to 192 levels of byte-interleaved synchronous transport signals (STS). Each level of STS is capable of carrying 51.84 Mbps. A signal that carries N levels is called an N level STS (STS-N) or an N level optical carrier (OC-N). In a typical FR implementation, the PE-CLE may handle OC-48 (about 2,488 Mbps) and the cable to the FR box may handle OC-12 signals (about 622 Mbps).
In the typical implementation, the FR box is a DTE connected to the customer's local area network (LAN) inside a customer premises or building. Typically, the FR box is a printed circuit card occupying a slot in a customer's router. The LAN can rely on any LAN protocol. Typically, the LAN uses the Ethernet protocol.
While suitable for many purposes, optical FR boxes suffer some disadvantages. They are expensive, bandwidth is limited, changes in bandwidth require re-provisioning the optical PE-CLE and the FR box and the optical cable connecting the two, and security is less than complete.
At present the cost of an FR router with an OC-12 optical connection is about ten times the cost of an Ethernet router. FR channels as typically provisioned are limited to bandwidths of about 1 Mbps. The cheaper Ethernet devices can handle bandwidths of 10 Mbps, 100 Mbps, and even 1000 Mbps (“Gigabit Ethernet”). FR channels are defined for the whole WAN, so changing the number or bandwidth of the channels involves re-provisioning one or more of the PE-CLEs of the SP, the FR boxes, and perhaps replacing the cable between the PE-CLE and the FR box.
Security is less than complete, so the WAN might not be completely trusted. Much of the backbone of the SP WAN is physically secure, involving buried cable and proprietary equipment. However, in a building housing several customers, the PE-CLE may be accessible by multiple customers and often includes interfaces, like SONET interfaces, that follow an open standard. Compared to other parts of the WAN, it is relatively easy for a non-trusted party to snoop traffic from a customer at the PE-CLE.
To reduce snooping, the PE-CLE is often placed behind locked doors. Other factors that reduce snooping by non-trusted parties include the lack of electromagnetic emissions from optical cable, the limited knowledge of FR protocols among the community of hackers that demonstrate a readiness to snoop, and the expense of the equipment needed to interface with the PE-CLE. However, even if these factors that reduce snooping are completely effective, they do not prevent the SP itself from snooping. A customer is forced to trust the SP. In some circumstances, the customer may prefer not to completely trust the SP. Nonetheless, it is standard practice to assume that point-to-point connections provided by an SP provide sufficient security because the SP prevents traffic from being delivered to points other than the trusted customer sites and the SP is not motivated to snoop.
One approach to alleviating the cost, bandwidth and provisioning limitations of FR networks is to use more Ethernet equipment at the customer location. This can be accomplished by providing an Ethernet interface on the optical PE-CLE device, or by replacing the optical device with an Ethernet device whose network backbone consists of multiple Ethernet segments connected by Ethernet devices.
The Ethernet protocol allows traffic to traverse different segments separated by Ethernet devices by using virtual local area network (VLAN) tags on Ethernet data packets called frames. The VLAN tags allow an SP to assign interfaces on DCEs to logical groups and to communicate among these interfaces on DCEs across multiple LANs as though the interfaces on the DCEs were on a single LAN. Bridges and switches filter destination addresses and forward VLAN frames only to interfaces that serve the VLAN to which the traffic belongs. VLANs also can be used to connect multiple buildings in a metropolitan area WAN.
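The following Python example is added here to illustrate the preceding paragraph; it is not code from the original application. It builds and parses 802.1Q-tagged Ethernet frames and models a VLAN-aware bridge that learns source addresses per VLAN and forwards a frame only to interfaces that serve the frame's VLAN. The 802.1Q tag layout (TPID 0x8100 followed by a tag control field holding priority, DEI and a 12-bit VLAN ID) is standard; the VlanSwitch class, its port names and VLAN memberships, and the sample frames are hypothetical and constructed here.

```python
"""802.1Q VLAN tagging and VLAN-aware forwarding.

Added example for this page, not code from the original application. The
802.1Q tag layout is standard; the VlanSwitch model, the port names, the
VLAN memberships and the sample frames are hypothetical and constructed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

TPID_8021Q = 0x8100
BROADCAST = b"\xff" * 6


@dataclass
class TaggedFrame:
    dst: bytes
    src: bytes
    vid: int
    pcp: int
    ethertype: int
    payload: bytes


def build_tagged_frame(dst: bytes, src: bytes, vid: int, ethertype: int,
                       payload: bytes, pcp: int = 0, dei: int = 0) -> bytes:
    """dst(6) src(6) TPID(2) TCI(2) EtherType(2) payload. VID 0 and 4095 are reserved."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID out of range")
    tci = (pcp & 0x7) << 13 | (dei & 1) << 12 | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_tagged_frame(raw: bytes) -> TaggedFrame:
    """Split a tagged frame into its fields; reject untagged or truncated input."""
    if len(raw) < 18:
        raise ValueError("frame too short")
    tpid, tci, ethertype = struct.unpack("!HHH", raw[12:18])
    if tpid != TPID_8021Q:
        raise ValueError("frame carries no 802.1Q tag")
    return TaggedFrame(raw[:6], raw[6:12], tci & 0x0FFF, tci >> 13, ethertype, raw[18:])


class VlanSwitch:
    """Hypothetical bridge: learns source MACs per VLAN and forwards a frame
    only to ports that serve the frame's VLAN, as the text describes."""

    def __init__(self, port_vlans: Dict[str, Set[int]]) -> None:
        self.port_vlans = port_vlans
        self.fdb: Dict[Tuple[int, bytes], str] = {}   # (vid, mac) -> port

    def forward(self, ingress: str, raw: bytes) -> List[str]:
        f = parse_tagged_frame(raw)
        if f.vid not in self.port_vlans[ingress]:
            return []                        # tag not allowed on this port: drop
        self.fdb[(f.vid, f.src)] = ingress   # learn the source within its VLAN
        out = self.fdb.get((f.vid, f.dst))
        if out is not None and out != ingress:
            return [out]
        # unknown or broadcast destination: flood, but only within the VLAN
        return sorted(p for p, vlans in self.port_vlans.items()
                      if f.vid in vlans and p != ingress)


def snoop_trunk(frames: List[bytes]) -> Dict[int, List[bytes]]:
    """What an inexpensive hub on a trunk carrying several customers' VLANs
    sees: each VLAN ID and its cleartext payload. The tag separates traffic
    at the bridge; it does not protect it on the cable."""
    seen: Dict[int, List[bytes]] = {}
    for raw in frames:
        f = parse_tagged_frame(raw)
        seen.setdefault(f.vid, []).append(f.payload)
    return seen


if __name__ == "__main__":
    mac_a1 = bytes.fromhex("020000000a01")   # constructed addresses
    mac_a2 = bytes.fromhex("020000000a02")
    sw = VlanSwitch({"a1": {10}, "a2": {10}, "b1": {20}, "uplink": {10, 20}})
    hello = build_tagged_frame(BROADCAST, mac_a1, 10, 0x0800, b"hello")
    print(sw.forward("a1", hello))           # ['a2', 'uplink']: b1 never sees it
    reply = build_tagged_frame(mac_a1, mac_a2, 10, 0x0800, b"reply")
    print(sw.forward("a2", reply))           # ['a1']: learned, no flooding
    print(snoop_trunk([hello, reply]))       # everything on the uplink, in clear
```

The check at the top of forward, which drops a frame whose tag names a VLAN the ingress port does not serve, is the only thing stopping a customer port from injecting traffic into another customer's VLAN by forging the tag; the rest of the isolation is a forwarding decision, not a cryptographic one.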
While advantageous from the perspective of cost, bandwidth and provisioning, use of Ethernet interfaces increases security vulnerability. The extension to Ethernet interfaces does not alleviate the security problems associated with physical control of the PE-CLE or the trustworthiness of the SP. In contrast to optical cable, Ethernet cable does emit electromagnetic waves that can be snooped externally. Furthermore, in contrast to the FR protocol, the Ethernet protocol is widely known among the community of hackers who demonstrate a readiness to snoop. In addition, Ethernet cable and PE-CLE interfaces can be tapped with interface equipment, such as hubs, that is inexpensive.
Based on the foregoing, there is a clear need for using incompletely trusted service provider point-to-point networks without suffering the security disadvantages of the existing approaches. In particular, there is a clear need for using higher bandwidth, less expensive Ethernet equipment on service provider point-to-point networks without suffering the security disadvantages of the existing approaches.