Comparison of several common authentication and billing technologies at the current stage

xiaoxiao 2021-03-06

First, the significance of user authentication for broadband access

The BRAS (Broadband Access Server) borrows the mature operating model of narrowband access, so that a broadband network can be operated in the same way as narrowband access. Unlike a narrowband network, which relies on the PSTN for access, a broadband network typically has a complete access network of its own (ADSL, Ethernet, HFC), so the main function of the BRAS is to work with network devices such as routers or switches to provide 3A (AAA) access control for broadband users. The access control functions are as follows:

(1) Authentication: Verify the user's identity and the network services available to the user.

(2) Authorization: Open network services to the user based on the authentication result.

(3) Accounting: Record each user's usage of the various network services and provide it to the billing system.

Without proper 3A access control, a broadband network can only offer per-port, flat monthly tariffs, and without authentication based on user identity it is difficult to create room for value-added services. As business competition intensifies, 3A access control has therefore become a primary concern for broadband operators.

Second, the implementation process of broadband access

The implementation process of 3A access control for broadband users is as follows:

User equipment - BRAS (AAA client) - AAA server (RADIUS) - billing system

Generally speaking, the link between the BRAS and the AAA server is implemented in much the same way everywhere, usually with the RADIUS protocol, and the AAA server and billing system are generally built centrally to support user roaming and reduce construction costs. What troubles operators most is how to connect the user-end device to the BRAS effectively. The main implementations at present are: MAC/VLAN, PPPoE, PPTP/L2TP, 802.1X, Web/VLAN and Web/IP.

Each of these authentication methods has its own characteristics, and their advantages and disadvantages are a hot topic of discussion in the industry. This article discusses them starting from their implementation principles.
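
The BRAS-to-AAA-server leg of the chain above, sketched as an added example (not code from the original article): the BRAS builds a RADIUS Accounting-Request (Stop) carrying the session time and octet counts that billing relies on, and the AAA server checks the request authenticator before accepting the record. The user name, NAS address, session ID and shared secret are constructed sample values; the packet layout follows RFC 2866.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4   # RADIUS packet code (RFC 2866)
USER_NAME, NAS_IP_ADDRESS, ACCT_STATUS_TYPE = 1, 4, 40
ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS, ACCT_SESSION_ID, ACCT_SESSION_TIME = 42, 43, 44, 46
STOP = 2                 # Acct-Status-Type: session ended

def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_stop(ident, secret, user, nas_ip, session_id, seconds, octets_in, octets_out):
    """BRAS side: Accounting-Request (Stop) sent when the user logs off."""
    attrs = b"".join([
        attr(USER_NAME, user.encode()),
        attr(NAS_IP_ADDRESS, bytes(int(p) for p in nas_ip.split("."))),
        attr(ACCT_STATUS_TYPE, struct.pack("!I", STOP)),
        attr(ACCT_SESSION_ID, session_id.encode()),
        attr(ACCT_SESSION_TIME, struct.pack("!I", seconds)),
        attr(ACCT_INPUT_OCTETS, struct.pack("!I", octets_in)),
        attr(ACCT_OUTPUT_OCTETS, struct.pack("!I", octets_out)),
    ])
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(header + 16 zero octets + attributes + secret)
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def verify_and_parse(packet, secret):
    """AAA-server side: return {type: value}, or None if the record is not authentic."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST \
            or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # wrong shared secret or altered usage figures
    record, pos = {}, 20
    while pos + 2 <= len(packet):
        length = packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return None
        record[packet[pos]] = packet[pos + 2:pos + length]
        pos += length
    return record

# Constructed sample: user, NAS address, session ID and secret are made up.
SECRET = b"constructed-shared-secret"
PACKET = build_stop(7, SECRET, "user01", "192.0.2.1", "sess-0001", 3600, 1000000, 25000000)
if __name__ == "__main__":
    print(verify_and_parse(PACKET, SECRET))
```

A record whose session time or octet counts were changed in transit, or that was built with a different shared secret, fails the authenticator check and never reaches billing.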

Third, MAC/VLAN technology assessment

MAC/VLAN identifies the user by MAC address or VLAN ID and is the earliest broadband authentication technology. MAC/VLAN authentication requires no client software and no user name or password, which makes it very friendly for users. However, because MAC/VLAN has no user login step, it cannot measure connection time and can only support a flat monthly fee, and it also leads to significant billing disputes when value-added services are promoted, so this article does not discuss it further.

Fourth, PPPoE technology assessment

PPPoE was usually combined with an ATM router to act as a broadband RAS; later, BRAS devices began to provide Gigabit (GB) or Fast Ethernet (FE) ports to support Ethernet-based broadband access. PPPoE requires PPPoE client software to be installed and configured on the client. From the access authentication point of view, PPPoE works the same way as narrowband dial-in: it is a PPP connection, dialed into the PPPoE server.

Although PPPoE is widely used for ADSL access authentication, it faces many problems on Ethernet:

Network planning problem

When the client dials, it sends a broadcast packet to find the PPPoE server; once a response is received, the PPP connection is established. The PPPoE server and the client must therefore be in the same Layer 2 network. This is not a problem with ADSL, because a separate PVC exists between each client and the PPPoE server. On Ethernet, however, the PPPoE server has to share a Layer 2 network with thousands of clients, and the more complex the Layer 2 network becomes, the more problems arise. If each community or even each building uses a Layer 3 network, the cost and management of the PPPoE servers become an issue.

Packet segmentation problem

The MTU of the router or client is usually set to 1500 bytes. Because PPPoE is encapsulated in an Ethernet frame, the payload is only 1492 bytes, so a 1500-byte packet has to be split (fragmented). According to data from real deployments, packet segmentation has an impact of more than 50% on IP packet transmission at the router and the client.

Client CPU load problem

Since PPPoE encapsulates every IP packet in an Ethernet frame, the heavier the network traffic, the more CPU capacity is consumed. This is a serious disadvantage for multimedia applications that need high bandwidth.

Customer support problem

Another problem with PPPoE is that the client needs special software, which is complicated to install, configure and upgrade, so customer service costs are very high. Although this is not a technical problem, it can cause great trouble in deployment. In one specific case, a telecom operator with 700,000 ADSL users used the EnterNet dial-up software on the client. When EnterNet was upgraded, the operator offered a free download on its website. As a result, approximately 5% of users had difficulty upgrading, and the operator's customer service center was busy for a few months.

Fifth, PPTP/L2TP technology assessment

With the development of VPN technology, operators have begun to consider providing user access with techniques such as PPTP/L2TP. Since PPTP/L2TP can provide user access across a Layer 3 network, it effectively solves the network planning difficulties of PPPoE. At the same time, customer service cost is low because Windows 2000 has a built-in VPN dial-up function.

This is indeed a very creative way to provide broadband access. What everyone is currently watching is that it is an enterprise-level technical solution, which may run into unforeseen problems when used for telecommunications services. The problems found so far are broadly similar to those of PPPoE:

Packet segmentation problem

PPTP is encapsulated in GRE packets, and L2TP is encapsulated in UDP packets. As with PPPoE, a 1500-byte packet has to be split, which puts additional pressure on IP packet transmission at the router and the client.
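
The packet segmentation described here and in the PPPoE section, worked through as an added example (not part of the original article): IPv4 fragmentation of packets that exceed the tunnel MTU, using the article's 1492-byte PPPoE figure. The traffic mix is a constructed sample, and the same function applies to a PPTP or L2TP tunnel once its MTU is known.

```python
IP_HEADER = 20     # IPv4 header without options
PPPOE_MTU = 1492   # payload left inside an Ethernet frame (figure from the article)


def fragment(total_len, mtu, ihl=IP_HEADER):
    """Split one IPv4 packet for a link with the given MTU.

    Returns a list of (payload_offset_bytes, fragment_total_len, more_fragments).
    """
    if mtu - ihl < 8:
        raise ValueError("MTU too small to carry any fragment payload")
    if total_len <= mtu:
        return [(0, total_len, False)]      # fits, no fragmentation
    payload = total_len - ihl
    step = (mtu - ihl) // 8 * 8             # fragment offsets count 8-byte units
    frags, offset = [], 0
    while offset < payload:
        size = min(step, payload - offset)
        frags.append((offset, ihl + size, offset + size < payload))
        offset += size
    return frags


def packet_ratio(packet_sizes, mtu):
    """Packets on the wire after fragmentation divided by packets before."""
    return sum(len(fragment(s, mtu)) for s in packet_sizes) / len(packet_sizes)


def extra_header_bytes(packet_sizes, mtu, ihl=IP_HEADER):
    """IP header bytes added because every extra fragment repeats the header."""
    return sum((len(fragment(s, mtu, ihl)) - 1) * ihl for s in packet_sizes)


# Constructed traffic mix: three full-size data packets per 40-byte ACK.
MIX = [1500, 1500, 1500, 40]

if __name__ == "__main__":
    print(fragment(1500, PPPOE_MTU))
    print(packet_ratio(MIX, PPPOE_MTU), extra_header_bytes(MIX, PPPOE_MTU))
```

A full-size 1500-byte packet becomes a 1492-byte fragment plus a 28-byte one, so in this mix the router and client handle 75% more packets for the same data.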

Client CPU load problem

Like PPPoE, PPTP uses the client's CPU to encapsulate packets. With encrypted transmission (such as IPsec), the CPU load is even higher. For an enterprise VPN, confidentiality outweighs performance, but for broadband operators performance is a very important consideration.

Customer support problem

Although Windows 2000 has built-in PPTP/L2TP client software, configuring VPN dial-up is still fairly complicated for ordinary users who have no IT support, so supporting those users ultimately falls on the operator, and the pressure on customer service remains great.

Sixth, 802.1X technology assessment

Unlike a wired network, a wireless network is open and its terminals are mobile, so the network boundary is difficult to define through fixed lines. The 802.1x protocol originated from the 802.11 protocol, which is a standard wireless LAN protocol; the main purpose of 802.1x is to prevent unauthorized access to enterprise wireless networks through authentication and encryption.

As with PPTP/L2TP, what everyone is watching is that 802.1x was originally an enterprise-level technical solution, which may run into unforeseen problems when used for telecommunications services. The problems found so far are as follows:

Client CPU load problem

To solve the security problem of over-the-air transmission in wireless networks, 802.1x uses a strong encryption specification, which consumes a large amount of CPU capacity for encryption and decryption. The current understanding is that the next 802.1x enhancement must be implemented in hardware on the NIC before 802.1x can support broadband applications and services.

Standard specification

More than 70% of the current 802.1x specification has not yet been confirmed, so all vendors claiming to support 802.1x are designing products on the basis of guesswork, and the risk for operators deploying 802.1x is still high. Although many switch vendors have promised to support 802.1x through software upgrades, the CPU in most switches is weaker than the client's Pentium, so the industry's view is that future switches supporting 802.1x must have hardware encryption and decryption to be practical for broadband operations.

Network planning problem

Based on the parts of the specification confirmed so far, 802.1x authentication operates on the port. Once a legitimate user's access port is in the open state, users on that port can access the network without authentication. In practice, therefore, the 802.1x protocol has to be supported on the building-level switch. It is questionable whether these low-priced building-level switches, which have no hardware encryption and decryption, can be upgraded to 802.1x in the future, or can provide sufficient network performance after the upgrade.

Customer support problem

As with PPPoE and PPTP/L2TP, 802.1x requires specific client software to be installed or Windows XP to be used, which is still fairly complicated for ordinary users without IT support, so operators still face considerable customer support pressure.

Seventh, Web/VLAN technology assessment

Web/VLAN is an access control technology improved from MAC/VLAN. Before the user has completed authentication, the user's VLAN can reach only the switch's built-in or external web authentication module. Once the user passes authentication, the web authentication module instructs the switch to open the user's VLAN ID. Web/VLAN provides authentication based on user identity and requires no special client software on the client. However, Web/VLAN still has the following problems:

Implementation conditions

Web/VLAN authorization is enforced by the VLAN switch, so the basic precondition is that every user has a separate VLAN that terminates on a Web/VLAN switch. If the building-level switches already deployed do not support VLAN trunking, Web/VLAN-based user authentication cannot be implemented.

Network planning problem

Like PPPoE, Web/VLAN requires the clients to be in the same Layer 2 network as the Web/VLAN server, and the more complex the Layer 2 network becomes, the more problems arise. If each community or even each building uses its own Web/VLAN switch, deployment cost and management become issues.

Power-on surge problem

This problem appeared on earlier Web/VLAN switches, mainly because they used an external web authentication module. After a user completed authentication, the web authentication module had to open the user's VLAN through a Telnet script or an SNMP SET command. Because a large number of users authenticate at the same moment at power-on, the switch could not withstand the large number of commands.

Eighth, Web/IP technology assessment

Web/IP is very similar to Web/VLAN. Before the user has completed authentication, the user's IP address can reach only the router's built-in web authentication module. Once the user passes authentication, the web authentication module adds the user's IP address to the authorization table of the Web/IP router. Compared with other technologies, Web/IP has the following characteristics:

Project implementation

The authorization granularity of Web/IP is the IP address, which fits seamlessly with the DHCP architecture of Ethernet access, so it can be deployed quickly. In addition, because it works at Layer 3, the Web/IP router can be deployed at the POP to aggregate the authentication needs of multiple communities, which effectively saves cost in metropolitan networks where the initial subscription rate is low.

Customer Support

Web/IP does not require specific client software, so the customer service workload is greatly reduced.

Network performance

Web/IP has none of the encapsulation issues of PPPoE/PPTP/L2TP and places no burden on the client CPU, so it can effectively support broadband applications such as VOD.

Packet segmentation

Web/IP has none of the encapsulation issues of PPPoE/PPTP/L2TP, so the load on the router or client is not increased by packet segmentation caused by a change of MTU. In the early days of Web/IP, there were problems such as inaccurate measurement of users' online time and the inability to control users; these are now well solved by the access controller designed by a certain company.

When reposting, please cite the original address: https://www.9cbs.com/read-58880.html
