LDAP (Lightweight Directory Access Protocol)

LDAP (Lightweight Directory Access Protocol)
• LDAP (Lightweight Directory Access Protocol) is a
software protocol for enabling anyone to locate
organizations, individuals, and other resources such
as files and devices in a network, whether on the
public Internet or on a corporate Intranet.
• LDAP is a "lightweight" (smaller amount of code)
version of Directory Access Protocol (DAP), which is
part of X.500, a standard for directory services in a
network. LDAP is lighter because in its initial version it
did not include security features.
LDAP (Lightweight Directory Access Protocol)
• LDAP originated at the University of Michigan and has
been endorsed by at least 40 companies. Netscape
includes it in its latest Communicator suite of products.
Microsoft includes it as part of what it calls Active
Directory in a number of products including Outlook
Express. Novell's NetWare Directory Services
interoperates with LDAP. Cisco also supports it in its
networking products.
• In a network, a directory tells you where in the network
something is located. On TCP/IP networks (including the
Internet), the domain name system (DNS) is the
directory system used to relate the domain name to a
specific network address (a unique location on the
network). However, you may not know the domain name.
LDAP allows you to search for an individual without
knowing where they're located (although additional
information will help with the search).
LDAP (Lightweight Directory Access Protocol)
An LDAP directory is organized in a simple "tree" hierarchy consisting
of the following levels:
• The root directory (the starting place or the source of the tree), which branches
out to
• Countries, each of which branches out to
• Organizations, which branch out to
• Organizational units (divisions, departments, and so forth), which branch out to
(include an entry for)
• Individuals (which includes people, files, and shared resources such as printers)
An LDAP directory can be distributed among many servers. Each server can have
a replicated version of the total directory that is synchronized periodically. An LDAP
server is called a Directory System Agent (DSA). An LDAP server that receives
a request from a user takes responsibility for the request, passing it to other DSAs as
necessary, but ensuring a single coordinated response for the user.
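As an added example (not part of these slides), the following Python builds and parses distinguished names that follow the country / organization / organizational unit / individual hierarchy above, checks that a DN walks that hierarchy in order, and escapes user-supplied values before they are placed in a DN or in a search filter, so that the "search for an individual" case cannot be turned into a different query. The attribute type names (c, o, ou, cn), the escaping rules (RFC 4514 for DNs, RFC 4515 for filters) and the sample entries are assumptions of the example, not anything the slides specify.

```python
# Attribute types for the hierarchy levels on the slide, root first:
# country, organization, organizational unit, individual entry.
LEVEL_ORDER = ["c", "o", "ou", "cn"]

_DN_SPECIAL = ',+"\\<>;='          # characters that need a backslash inside a DN value


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in a DN (RFC 4514 rules)."""
    out = []
    for i, ch in enumerate(value):
        at_edge = (ch in " #" and i == 0) or (ch == " " and i == len(value) - 1)
        out.append("\\" + ch if ch in _DN_SPECIAL or at_edge else ch)
    return "".join(out)


def build_dn(path):
    """Build a DN from (type, value) pairs listed root first, e.g. c -> o -> ou -> cn."""
    return ",".join(f"{t}={escape_dn_value(v)}" for t, v in reversed(path))


def parse_dn(dn: str):
    """Split a DN into (type, value) pairs, leaf first, honouring backslash escapes
    so that an escaped comma inside a value does not start a new component."""
    pairs, buf, attr_type, in_value, i = [], [], None, False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):          # escaped character: take literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == "=" and not in_value:
            attr_type, buf, in_value = "".join(buf).strip().lower(), [], True
        elif ch == ",":
            if not in_value:
                raise ValueError("DN component without '='")
            pairs.append((attr_type, "".join(buf)))
            buf, in_value = [], False
        else:
            buf.append(ch)
        i += 1
    if not in_value:
        raise ValueError("DN component without '='")
    pairs.append((attr_type, "".join(buf)))
    return pairs


def levels_in_order(dn: str) -> bool:
    """Check that the DN walks the slide's hierarchy root first (c, o, ou, cn) with
    no level out of place; only organizational units may nest."""
    rank = {t: i for i, t in enumerate(LEVEL_ORDER)}
    types = [t for t, _ in reversed(parse_dn(dn))]
    if not types or any(t not in rank for t in types):
        return False
    for prev, cur in zip(types, types[1:]):
        if rank[cur] < rank[prev] or (cur == prev and cur != "ou"):
            return False
    return True


def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515) so that user input is
    matched literally and cannot add or remove filter terms."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\x00" else ch for ch in value)


def person_filter(common_name: str) -> str:
    """Filter for the slide's 'search for an individual' case."""
    return f"(&(objectClass=person)(cn={escape_filter_value(common_name)}))"


if __name__ == "__main__":
    # Constructed sample entry: an individual under an organizational unit.
    dn = build_dn([("c", "US"), ("o", "Example Corp"), ("ou", "Engineering"), ("cn", "Smith, John")])
    print(dn, parse_dn(dn), levels_in_order(dn))
    print(person_filter("*)(uid=*"))
```

The DN parser keeps the escaped comma in "Smith, John" inside the value, and the filter escaper turns the wildcard and parentheses of a hostile name into hex escapes, so the filter still has exactly two terms.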
Authentication, Authorization, Accounting (AAA)
• Authentication, Authorization, Accounting (AAA) is a term
for a framework for intelligently controlling access to computer
resources, enforcing policies, auditing usage, and providing the
information necessary to bill for services. These combined
processes are considered important for effective network
management and security.
• As the first process, authentication provides a way of identifying
a user, typically by having the user enter a valid user name and
valid password before access is granted. The process of
authentication is based on each user having a unique set of
criteria for gaining access. The AAA server compares a user's
authentication credentials with other user credentials stored in a
database. If the credentials match, the user is granted access
to the network. If the credentials are at variance, authentication
fails and network access is denied.
Authentication, Authorization, Accounting (AAA)
• Following authentication, a user must gain
authorization for doing certain tasks. After logging into
a system, for instance, the user may try to issue
commands. The authorization process determines
whether the user has the authority to issue such
commands. Simply put, authorization is the process of
enforcing policies: determining what types or qualities
of activities, resources, or services a user is permitted.
Usually, authorization occurs within the context of
authentication. Once you have authenticated a user,
they may be authorized for different types of access or
activity.
Authentication, Authorization, Accounting (AAA)
• The final term in the AAA framework is accounting, which
measures the resources a user consumes during access. This
can include the amount of system time or the amount of data a
user has sent and/or received during a session. Accounting is
carried out by logging of session statistics and usage
information and is used for authorization control, billing, trend
analysis, resource utilization, and capacity planning activities.
• Authentication, authorization, and accounting services are often
provided by a dedicated AAA server, a program that performs
these functions. A current standard by which network access
servers interface with the AAA server is the Remote
Authentication Dial-In User Service (RADIUS).
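The three A's described on the preceding slides, walked through in code as an added example (not part of the slides and not any particular AAA product): authentication compares presented credentials against a stored record, authorization asks a policy whether the authenticated user may issue a command, and accounting records what the session consumed, including denied attempts. The salted PBKDF2 storage, the role-to-command policy and the sample users are assumptions of the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000


# --- Authentication: compare presented credentials with the stored record ---
# Passwords are held as salted PBKDF2-SHA256 hashes (an assumption of this example;
# the slide only says the server compares credentials against a database).
def make_record(password: str, role: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "role": role}


def authenticate(db: dict, username: str, password: str) -> bool:
    rec = db.get(username)
    if rec is None:
        # Hash anyway so an unknown user costs as much time as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, rec["hash"])     # constant-time comparison


# --- Authorization: a policy naming the commands each role may issue ---
POLICY = {
    "operator": {"show", "ping"},
    "admin": {"show", "ping", "configure", "reload"},
}


def authorize(db: dict, username: str, command: str) -> bool:
    """Policy decision for an already-authenticated user (default deny)."""
    role = db[username]["role"]
    return command.split()[0] in POLICY.get(role, set())


# --- Accounting: what the session consumed, including denied attempts ---
@dataclass
class Session:
    username: str
    start: float                     # seconds since epoch (fixed here for repeatability)
    bytes_in: int = 0
    bytes_out: int = 0
    events: list = field(default_factory=list)


def account(session: Session, command: str, allowed: bool, bytes_in: int, bytes_out: int) -> None:
    session.events.append((command, "permit" if allowed else "deny"))
    session.bytes_in += bytes_in
    session.bytes_out += bytes_out


def session_summary(session: Session, end: float) -> dict:
    return {
        "user": session.username,
        "seconds": round(end - session.start, 3),
        "bytes_in": session.bytes_in,
        "bytes_out": session.bytes_out,
        "denied": sum(1 for _, verdict in session.events if verdict == "deny"),
    }


def run_demo() -> dict:
    """Walk one user through all three A's with constructed sample data."""
    db = {"alice": make_record("correct horse", "operator"),
          "bob": make_record("example-pass-2", "admin")}
    results = {
        "alice_login": authenticate(db, "alice", "correct horse"),
        "bad_password": authenticate(db, "alice", "wrong"),
        "unknown_user": authenticate(db, "mallory", "anything"),
    }
    session = Session("alice", start=1000.0)
    for cmd, b_in, b_out in [("show version", 12, 240),
                             ("configure terminal", 19, 64),
                             ("ping 10.0.0.1", 14, 512)]:
        account(session, cmd, authorize(db, "alice", cmd), b_in, b_out)
    results["summary"] = session_summary(session, end=1012.5)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The accounting record keeps the denied "configure terminal" attempt alongside the permitted commands; that is what makes the log useful for the authorization control and trend analysis the next slide mentions, not only for billing.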
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a
client/server protocol and software that enables remote access
servers to communicate with a central server to authenticate
dial-in users and authorize their access to the requested
system or service. RADIUS allows a company to maintain user
profiles in a central database that all remote servers can share.
It provides better security, allowing a company to set up a policy
that can be applied at a single administered network point.
Having a central service also means that it's easier to track
usage for billing and for keeping network statistics. Created by
Livingston (now owned by Lucent), RADIUS is a de facto
industry standard used by a number of network product
companies and is a proposed IETF standard.
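An added example of the RADIUS client/server exchange the slide describes, written for these notes and not taken from any RADIUS implementation: the remote access server (the RADIUS client) sends an Access-Request whose User-Password attribute is hidden with the shared secret, the central server recovers the password, checks it against its user profile store and answers Access-Accept or Access-Reject, and the client verifies the Response Authenticator so that a reply not computed with the shared secret is ignored. Packet layout, attribute types and the hiding scheme follow RFC 2865; the shared secret, NAS address and user database are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3        # packet codes (RFC 2865)
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4            # attribute types (RFC 2865)


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 section 5.2): pad to 16-byte blocks, XOR each
    block with MD5(secret + previous block), chaining from the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; only a holder of the shared secret can do this."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data: bytes):
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:          # refuse malformed attributes
            raise ValueError("malformed attribute")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return code, ident, data[4:20], attrs, data[20:length]


def response_authenticator(code, ident, request_auth, attrs, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


# --- remote access server (RADIUS client) side ---
def access_request(ident: int, username: bytes, password: bytes, secret: bytes) -> bytes:
    request_auth = os.urandom(16)                     # fresh random value per request
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 10])))      # constructed NAS address
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def verify_response(response: bytes, request_auth: bytes, secret: bytes):
    """Accept only replies whose authenticator was computed with the shared secret."""
    code, ident, auth, _, raw_attrs = parse_packet(response)
    expected = response_authenticator(code, ident, request_auth, raw_attrs, secret)
    return hmac.compare_digest(auth, expected), code


# --- central AAA server side ---
def server_handle(data: bytes, secret: bytes, user_db: dict) -> bytes:
    code, ident, request_auth, attrs, _ = parse_packet(data)
    ok = False
    if code == ACCESS_REQUEST and USER_NAME in attrs and USER_PASSWORD in attrs:
        presented = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
        stored = user_db.get(attrs[USER_NAME], b"\x00")   # plaintext only for brevity; the
        ok = hmac.compare_digest(stored, presented)        # recovered password could be hashed
    rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
    resp_auth = response_authenticator(rcode, ident, request_auth, b"", secret)
    return build_packet(rcode, ident, resp_auth, b"")


def run_exchange(username: bytes, password: bytes):
    """One request/response round trip over an in-memory 'wire'."""
    secret = b"example-shared-secret"                  # constructed, known to both sides
    user_db = {b"alice": b"correct horse"}             # constructed central profile store
    request = access_request(7, username, password, secret)
    response = server_handle(request, secret, user_db)
    return verify_response(response, request[4:20], secret)


if __name__ == "__main__":
    print(run_exchange(b"alice", b"correct horse"), run_exchange(b"alice", b"wrong"))
```

The client keeps the Request Authenticator it sent and recomputes the Response Authenticator over the reply; a reply produced without the shared secret fails that check, which is what lets the remote access servers trust the single central policy point the slide describes.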
F. NGN signaling protocols and QoS mechanisms
Signaling Protocols
• H.323
• SIP
• MGCP
• Megaco/H.248
• SIP-T
• SIGTRAN
• BICC
Mechanisms (QoS, Resource Allocation)
• MPLS
• IntServ
• DiffServ
VoIP protocols:
1. H.323, ITU-T
• H.323 was the first call control standard for multimedia networks.
It was adopted for VoIP by the ITU in 1996.
• H.323 is actually a set of recommendations that define how
voice, data and video are transmitted over IP-based networks.
• The H.323 recommendation is made up of multiple call control
protocols. The audio streams are transacted using
RTP/RTCP.
• In general, H.323 was too broad a standard and not sufficiently
efficient. It also does not guarantee business voice quality.
VoIP protocols:
2. SIP - Session Initiation Protocol, IETF (Internet
Engineering Task Force)
• SIP is the standard protocol for initiating an interactive user session
that involves multimedia elements such as video, voice, chat,
gaming, and virtual reality. The protocol claims to deliver faster call-establishment times.
• SIP works in the Session layer of IETF/OSI model. SIP can
establish multimedia sessions or Internet telephony calls. SIP
can also invite participants to unicast or multicast sessions.
• SIP supports name mapping and redirection services. It makes
it possible for users to initiate and receive communications and
services from any location, and for networks to identify the
users wherever they are.
VoIP protocols:
2. SIP - Session Initiation Protocol, IETF (Internet
Engineering Task Force) (Cntd.)
• SIP is a client-server protocol: requests come from clients, responses from servers.
Participants are identified by SIP URLs. Requests can be sent
through any transport protocol, such as UDP or TCP.
• SIP defines the end system to be used for the session, the
communication media and media parameters, and the called
party's desire to participate in the communication.
• Once these are assured, SIP establishes call parameters at
either end of the communication, and handles call transfer and
termination.
• The Session Initiation Protocol is specified in IETF Request
for Comments (RFC) 2543.
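An added example (written for these notes, not code from any SIP stack) of the client-server exchange and the name mapping / redirection service described above: a caller's user agent sends an INVITE addressed to a participant's SIP URL, and a redirect server maps that public address to the location the participant last registered from, answering 302 Moved Temporarily with a Contact header, 404 if the name is unknown, or 483 if Max-Forwards has been exhausted. The response echoes the request's Via, From, To, Call-ID and CSeq so the client can match it to its transaction. The INVITE text, the registration table and the addresses (under .example.com and 192.0.2.0/24) are constructed for the example.

```python
import re
import secrets

# Constructed INVITE from a caller's user agent (addresses modelled on RFC 3261's
# examples, placed under .example.com). The body is empty to keep the message short.
INVITE = (
    "INVITE sip:bob@biloxi.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP pc33.atlanta.example.com;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    "To: Bob <sip:bob@biloxi.example.com>\r\n"
    "From: Alice <sip:alice@atlanta.example.com>;tag=1928301774\r\n"
    "Call-ID: a84b4c76e66710@pc33.atlanta.example.com\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@pc33.atlanta.example.com>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_message(raw: str) -> dict:
    """Split a SIP message into start line, headers and body. Header names are
    lower-cased and every header keeps a list of values, since Via may repeat."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: dict = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    if int(headers.get("content-length", ["0"])[0]) != len(body.encode()):
        raise ValueError("Content-Length does not match the body")
    return {"start": lines[0], "headers": headers, "body": body}


def request_line(start: str):
    method, uri, version = start.split(" ", 2)
    if version != "SIP/2.0":
        raise ValueError(f"unsupported version {version!r}")
    return method, uri


def parse_sip_uri(uri: str):
    """Return (user, host, port) from a SIP URL such as sip:bob@host:5060;transport=udp."""
    m = re.fullmatch(r"<?sip:(?:([^@;>]+)@)?([^:;>]+)(?::(\d+))?(?:;[^>]*)?>?", uri)
    if not m:
        raise ValueError(f"not a SIP URL: {uri!r}")
    user, host, port = m.groups()
    return user or "", host.lower(), int(port or 5060)


def make_response(req: dict, status: int, reason: str, extra=()) -> str:
    """Responses echo the request's Via, To, From, Call-ID and CSeq so the caller
    can match them to the transaction; the server adds its own To tag."""
    h = req["headers"]
    lines = [f"SIP/2.0 {status} {reason}"] + [f"Via: {v}" for v in h["via"]]
    to = h["to"][0]
    if ";tag=" not in to:
        to += ";tag=" + secrets.token_hex(4)
    lines += [f"To: {to}", f"From: {h['from'][0]}",
              f"Call-ID: {h['call-id'][0]}", f"CSeq: {h['cseq'][0]}"]
    lines += [f"{name}: {value}" for name, value in extra]
    lines.append("Content-Length: 0")
    return "\r\n".join(lines) + "\r\n\r\n"


def handle_request(raw: str, registrations: dict) -> str:
    """Redirect-server behaviour: map the called party's public SIP address to the
    location it last registered from, or explain why that is not possible."""
    req = parse_message(raw)
    method, uri = request_line(req["start"])
    if int(req["headers"].get("max-forwards", ["70"])[0]) <= 0:
        return make_response(req, 483, "Too Many Hops")      # loop protection
    if method != "INVITE":
        return make_response(req, 405, "Method Not Allowed", [("Allow", "INVITE")])
    user, host, _ = parse_sip_uri(uri)
    location = registrations.get(f"{user}@{host}")
    if location is None:
        return make_response(req, 404, "Not Found")
    return make_response(req, 302, "Moved Temporarily", [("Contact", f"<{location}>")])


if __name__ == "__main__":
    print(handle_request(INVITE, {"bob@biloxi.example.com": "sip:bob@192.0.2.4:5060"}))
```

The registration table stands in for the location service that lets "networks identify the users wherever they are"; the Content-Length check and the Max-Forwards test are the two sanity checks a server applies before acting on a request.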
VoIP protocols:
3. MGCP/Megaco/H.248
• MGCP - Media Gateway Control Protocol, IETF
[Telcordia (formerly Bellcore)/Level 3/Cisco]
• MGCP – control protocol that specifically addresses the
control of media gateways
• Megaco/H.248 (IETF, ITU) - standard that combines
elements of the MGCP and the H.323, ITU (H.248)
• The main features of Megaco - scaling (H.323) and
multimedia conferencing (MGCP)
SIP-T
• SIP-T (SIP for telephones, previously SIP-BCP-T) is a
mechanism that uses SIP to facilitate the interconnection of the
PSTN with IP. SIP-T defines SIP functions that map to ISUP
interconnection requirements.
• This is intended to allow traditional IN-type services to be
seamlessly handled in the Internet environment. It is essential
that SS7 information be available at the points of PSTN
interconnection to ensure transparency of features not
otherwise supported in SIP. SS7 information should be
available in its entirety and without any loss to the SIP network
across the PSTN-IP interface.
SIGTRAN
• SIGTRAN (for Signaling Transport) is the standard
Telephony Protocol used to transport Signaling System 7
signals over the Internet. SS7 signals consist of special
commands for handling a telephone call.
• Internet telephony uses IP packet-switched (PS) connections to
exchange voice, fax, and other forms of information that
have traditionally been carried over the dedicated circuit-switched (CS)
connections of the public switched telephone network
(PSTN). Calls transmitted over the Internet travel as
packets of data on shared lines, avoiding the tolls of the
PSTN.
SIGTRAN
A telephone company switch transmits SS7 signals to a signaling gateway (SG). The gateway,
in turn, converts the signals into SIGTRAN packets for transmission over IP
to either the next signaling gateway.
The SIGTRAN protocol is actually made up of several components (this is
what is sometimes referred to as a protocol stack):
• standard IP
• common signaling transport protocol (used to ensure that the data
required for signaling is delivered properly), such as the Stream
Control Transmission Protocol (SCTP)
• adaptation protocol that supports "primitives" that are required by
another protocol.
SIGTRAN
• The IETF Signaling Transport working group has
developed SIGTRAN to address the transport of
packet-based PSTN signaling over IP Networks,
taking into account functional and performance
requirements of the PSTN signaling. For
interworking with PSTN, IP networks will need to
transport signaling such as Q.931 or SS7 ISUP
messages between IP nodes such as a
Signaling Gateway and Media Gateway
Controller or Media Gateway. Applications of
SIGTRAN include Internet dial-up remote access
and IP telephony interworking with PSTN.
Bearer Independent Call Control
• Bearer Independent Call Control (BICC) is a signaling protocol
based on narrowband ISUP (N-ISUP) that is used to support narrowband ISDN (NB-ISDN) service over
a broadband (BB) backbone network without interfering with interfaces to the
existing network and end-to-end services. Specified by the ITU-T in recommendation Q.1901, BICC was designed to be fully
compatible with existing networks and any system capable of
carrying voice messages. BICC supports narrowband ISDN
services independently of bearer and signaling message
transport technology.
Bearer Independent Call Control (Cntd.)
ISUP messages carry both call control and bearer control
information, identifying the physical bearer circuit by a Circuit
Identification Code (CIC). However, the CIC is specific to time-division multiplexed (TDM) networks. BICC was developed to be
interoperable with any type of bearer, such as those based on
asynchronous transfer mode (ATM) and IP technologies, as well
as TDM.
BICC separates call control and bearer connection control,
transporting BICC signaling independently of bearer control
signaling. The actual bearer transport used is transparent to the
BICC signaling protocol - BICC has no knowledge of the
specific bearer technology.
Bearer Independent Call Control (Cntd.)
• The ITU announced the completion of the second set of BICC protocols
(BICC Capability Set 2, or CS 2) in July 2001; these are expected to help
move networks from the current model - which is based on public-switching
systems - to a server-based model. The BICC deployment architecture
comprises a proxy server and a media gateway to support the current
services over networks based on circuit-switched, ATM, and IP technologies,
including third-generation wireless.
• The completion of the BICC protocols is a real and important ITU step
toward broadband multimedia networks, because it will enable the seamless
migration of circuit-switched TDM networks to high-capacity broadband multimedia
networks. The 3GPP has included BICC CS 2 in the UMTS release 4.
Among the future ITU-T plans for BICC are the inclusion of more advanced
service support and more utilization of proxies, such as the SIP proxy.
SCTP
TCP transmits data in a single stream (sometimes
called a byte stream) and guarantees that data will be
delivered in sequence to the application or user at the
end point.
If there is data loss, or a sequencing error, delivery
must be delayed until lost data is retransmitted or an
out-of-sequence message is received. SCTP's multi-streaming allows data to be delivered in multiple,
independent streams, so that if there is data loss in
one stream, delivery will not be affected for the other
streams.
SCTP
For some transmissions, such as a file or record,
sequence preservation is essential. However, for
some applications, it is not absolutely necessary to
preserve the precise sequence of data.
For example, in signaling transmissions, sequence
preservation is only necessary for messages that
affect the same resource (such as the same channel
or call). Because multi-streaming allows data in error-free streams to continue delivery when one stream
has an error, the entire transmission is not delayed.
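An added simulation (not part of the slides, and not SCTP code) of the point made across the two SCTP slides: signaling for two calls is interleaved on one association, one message for call A is lost, and the receiver's deliverable output is computed twice, once under a single-sequence byte-stream model and once with per-stream sequencing. The ISUP message names, the stream assignment (one stream per call) and the lost sequence number are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Chunk:
    tsn: int        # transmission sequence number: global send order
    stream: int     # stream identifier, here one stream per call
    ssn: int        # stream sequence number within that stream
    payload: str


# Constructed traffic: signaling for two calls, A on stream 0 and B on stream 1,
# interleaved on one association. Message names follow ISUP (IAM, ACM, ANM, REL).
SENT = [
    Chunk(0, 0, 0, "call-A IAM"), Chunk(1, 1, 0, "call-B IAM"),
    Chunk(2, 0, 1, "call-A ACM"), Chunk(3, 1, 1, "call-B ACM"),
    Chunk(4, 0, 2, "call-A ANM"), Chunk(5, 1, 2, "call-B ANM"),
    Chunk(6, 0, 3, "call-A REL"), Chunk(7, 1, 3, "call-B REL"),
]
LOST_TSN = 2     # the ACM for call A is dropped in transit


def single_stream_delivery(received):
    """Byte-stream model: one sequence for everything. Delivery halts at the first
    gap, so intact messages for call B wait for call A's retransmission."""
    by_tsn = {c.tsn: c for c in received}
    delivered, nxt = [], 0
    while nxt in by_tsn:
        delivered.append(by_tsn[nxt].payload)
        nxt += 1
    blocked = [c.payload for c in sorted(received, key=lambda c: c.tsn) if c.tsn > nxt]
    return delivered, blocked


def multi_stream_delivery(received):
    """SCTP multi-streaming: order is enforced per stream only, so a loss on the
    stream for call A blocks nothing on the stream for call B."""
    streams = defaultdict(dict)
    for c in received:
        streams[c.stream][c.ssn] = c
    delivered, blocked = {}, {}
    for sid, by_ssn in sorted(streams.items()):
        out, nxt = [], 0
        while nxt in by_ssn:
            out.append(by_ssn[nxt].payload)
            nxt += 1
        delivered[sid] = out
        blocked[sid] = [by_ssn[s].payload for s in sorted(by_ssn) if s > nxt]
    return delivered, blocked


def simulate(lost_tsn: int = LOST_TSN):
    """Drop one chunk and return (single-stream result, multi-stream result)."""
    received = [c for c in SENT if c.tsn != lost_tsn]
    return single_stream_delivery(received), multi_stream_delivery(received)


if __name__ == "__main__":
    single, multi = simulate()
    print("single stream delivered:", single[0], "held back:", single[1])
    print("per-stream delivered:", multi[0], "held back:", multi[1])
```

With the single sequence, five intact messages (including all of call B's) sit behind the one lost chunk; with per-stream sequencing, call B completes and only call A's two later messages wait for the retransmission, which is the "same resource" rule the slide states.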
G. NGN as converged networks: concluding remarks
[Figure: NGN as a converged network. The PSTN (switches) and data networks (switches) are joined through a SOFTSWITCH; labels: Flexible bandwidth, QoS, Effective transmission, Services, Voice services for IP-users, VoIP.]