The Internet Encyclopedia, Volume I (part 3)

P1: JDW PublicKey WL040/Bidgolio-Vol I WL040-Sample.cls June 19, 2003 16:56 Char Count= 0

POLICIES AND PROCEDURES

[...] for the requesting, using, and handling of certificates and keys. The CP asserts that this security policy shall be implemented from certificate generation until its expiration or revocation. It does not specify how the policy shall be implemented. For example, a CP might state the following: “All subscribers shall be authenticated in person by an RA before a certificate is issued.” The CP excludes all operational details, because these may evolve over time. The CP should not identify the physical location of the CA or the products used in the CA. By excluding these details, the CP is a stable and high-level document. Multiple CAs may operate under a single CP. This is often the case when multiple CAs are maintained by a single enterprise, jointly supporting a single community.

Different people will use the CP for different reasons. For example, the CP will be used to guide the development of the CPS for each CA that operates under its provisions. CAs from other enterprise PKIs will review the CP before cross-certification. Auditors and accreditors will use the CP as the basis for their review of CA operations. Application owners will review a CP to determine whether these certificates are appropriate for their application.

The CPS is a highly detailed document that describes how a particular CA implements a specific CP. The CPS identifies the CP and specifies the mechanisms and procedures that are used to achieve the security policy. The CPS asserts that the specified products will be used in combination with the specified procedures.
The CPS might state the following: “Users will receive their certificates and smartcards from the RA after presenting the following credentials in person: (a) current driver’s license, (b) work identification card, (c) blood sample, and (d) hair sample.” A CPS includes sufficient operational details to demonstrate that the CP can be satisfied by this combination of mechanisms and procedures.

Each CPS applies to a single CA. The CPS may be considered the overall operations manual for the CA. Specific portions of the CPS may be extracted to form the CA Operator’s Guide, RA Manual, PKI Users Guide, or other role-specific documentation. Auditors and accreditors will use the CPS to supplement the CP during their review of CA operations. Note that a CPS does not need to be published. The combination of a CP and the results of an accreditation process should be sufficient for external parties.

RFC 2527 proposes an outline with eight major sections and 185 second- and third-level topics. The major sections are as follows:

Introduction
General Provisions
Identification and Authentication
Operational Requirements
Physical, Procedural, and Personnel Security Controls
Technical Security Controls
Certificate and CRL Profiles
Specification Administration

Privilege Management

Organizations seek improved access control. Public key certificates can be used to authenticate the identity of a user, and this identity can be used as an input to access control decision functions. In many contexts, however, the identity is not the criterion used for access control decisions. The access control decision may depend on role, security clearance, group membership, or ability to pay. Authorization information often has a shorter lifetime than the binding of the subject identity and the public key.

[Figure 6: X.509 attribute certificate structure. Fields shown: version, holder, issuer, signature, serial number, validity, attributes, issuerUniqueID, extensions.]
Authorization information could be placed in a public key certificate extension; however, this is not usually a good strategy. First, the certificate is likely to be revoked because the authorization information needs to be updated. Revoking and reissuing the public key certificate with updated authorization information can be expensive. Second, the CA that issues public key certificates is not likely to be authoritative for the authorization information. This results in additional steps for the CA to contact the authoritative authorization information source.

The X.509 attribute certificate (AC) binds attributes to an AC holder. Because the AC does not contain a public key, the AC is used in conjunction with a public key certificate. An access control function may make use of the attributes in an AC, but it is not a replacement for authentication. The public key certificate must first be used to perform authentication, then the AC is used to associate attributes with the authenticated identity.

ACs may also be used in the context of a data origin authentication service and a non-repudiation service. In these contexts, the attributes contained in the AC provide additional information about the signing entity. This information can be used to make sure that the entity is authorized to sign the data. This kind of checking depends either on the context in which the data is exchanged or on the data that has been digitally signed.

Figure 6 illustrates an attribute certificate for Alice. This is a version 2 AC, and the AC holder is Alice. The AC was issued by the Hawk Data Attribute Authority, and was signed with DSA and SHA-1. The serial number is 4801, and the AC is valid from 8 a.m. on April 2, 2002, until noon that same day. The attributes indicate that Alice is a VPN administrator. The AC extensions indicate that this certificate is targeted toward the Hawk VPN server, and that revocation information is not available for this certificate.
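The relying-party logic the preceding paragraphs describe, written out as an added Python example (this is not code from the chapter or from any PKI product). It models an AC with the fields of Figure 6 and checks, in order, that the AC’s holder matches the public key certificate that authentication already established (either by that certificate’s issuer and serial number or by its subject name, the two holder forms X.509 defines), that the AC is inside its validity period, that it is targeted at this server, and whether AC revocation status must be consulted. The Alice data is constructed from the Figure 6 description; the subject-name holder form, the use of UTC, the attribute name `role`, the issuing CA’s name and the second user Bob are assumptions. Verification of the AA’s signature over the AC is assumed to have happened before these checks and is not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Optional, Tuple, Union


@dataclass(frozen=True)
class BaseCertificateID:
    """Holder form 1: names one specific public key certificate."""
    issuer: str
    serial: int


@dataclass(frozen=True)
class PublicKeyCertificate:
    """The already-authenticated public key certificate, reduced to the fields the AC check needs."""
    issuer: str
    serial: int
    subject: str


@dataclass(frozen=True)
class AttributeCertificate:
    version: int
    holder: Union[BaseCertificateID, str]      # holder form 2 is a subject name
    issuer: str                                # the attribute authority (AA)
    serial: int
    not_before: datetime
    not_after: datetime
    attributes: Dict[str, str]
    targets: Optional[FrozenSet[str]] = None   # targeting extension; None = not targeted
    no_rev_avail: bool = False                 # noRevAvail extension present


def evaluate_ac(ac: AttributeCertificate,
                authenticated_pkc: PublicKeyCertificate,
                server_name: str,
                now: datetime,
                revoked_acs: Optional[FrozenSet[Tuple[str, int]]] = None
                ) -> Tuple[bool, str, Dict[str, str]]:
    """Decide whether the AC's attributes may be attached to the authenticated identity.

    Returns (accepted, reason, attributes). The AA signature on the AC is assumed to
    have been verified already; only the binding rules are checked here.
    """
    # 1. The AC supplies attributes, not identity: its holder must name the
    #    certificate (or subject) that authentication already established.
    if isinstance(ac.holder, BaseCertificateID):
        if (ac.holder.issuer, ac.holder.serial) != (authenticated_pkc.issuer, authenticated_pkc.serial):
            return False, "holder does not match the authenticated certificate", {}
    elif isinstance(ac.holder, str):
        if ac.holder != authenticated_pkc.subject:
            return False, "holder subject name does not match the authenticated identity", {}
    else:
        return False, "unsupported holder form", {}

    # 2. Validity period: short-lived ACs rely on this instead of revocation.
    if not ac.not_before <= now <= ac.not_after:
        return False, "AC is outside its validity period", {}

    # 3. Targeting extension: an AC aimed at one server is not valid elsewhere.
    if ac.targets is not None and server_name not in ac.targets:
        return False, "AC is not targeted at this server", {}

    # 4. Revocation: skipped only when the AA declares that no status will be available.
    if not ac.no_rev_avail:
        if revoked_acs is None:
            return False, "AC status information required but not available", {}
        if (ac.issuer, ac.serial) in revoked_acs:
            return False, "AC has been revoked", {}

    return True, "accepted", dict(ac.attributes)


# ---- constructed sample data following the Figure 6 description ----------------

def at(hour: int, minute: int = 0) -> datetime:
    """A clock reading on April 2, 2002 (UTC is an assumption; the text gives no zone)."""
    return datetime(2002, 4, 2, hour, minute, tzinfo=timezone.utc)


def alice_ac() -> AttributeCertificate:
    return AttributeCertificate(
        version=2,
        holder="Alice",                                 # assumption: subject-name holder form
        issuer="Hawk Data Attribute Authority",
        serial=4801,
        not_before=at(8),
        not_after=at(12),
        attributes={"role": "VPN administrator"},       # attribute name is an assumption
        targets=frozenset({"Hawk VPN server"}),
        no_rev_avail=True,
    )


def alice_pkc() -> PublicKeyCertificate:
    return PublicKeyCertificate(issuer="Hawk Data CA", serial=1001, subject="Alice")  # assumed CA


def bob_pkc() -> PublicKeyCertificate:
    return PublicKeyCertificate(issuer="Hawk Data CA", serial=1002, subject="Bob")    # assumed


if __name__ == "__main__":
    for when, pkc, server in [(at(10), alice_pkc(), "Hawk VPN server"),
                              (at(13), alice_pkc(), "Hawk VPN server"),
                              (at(10), bob_pkc(), "Hawk VPN server"),
                              (at(10), alice_pkc(), "Hawk mail server")]:
        print(when.time(), pkc.subject, server, "->", evaluate_ac(alice_ac(), pkc, server, when))
```

The order of the checks matters: the holder comparison comes first because an AC whose holder does not match the authenticated certificate tells you nothing, however valid it is otherwise. With `no_rev_avail=False` and a longer validity period the caller must supply AC status, which is the long-lived case the text discusses next.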
ACs often have no revocation information. ACs may be short- or long-lived. In Figure 6, the AC permits Alice to administer the VPN for 4 hours. As a result of the short validity period, the AC issuer does not need to maintain revocation information. By the time revocation information could be compiled and distributed, the AC would expire. So, with short-lived ACs, revocation information is not distributed. If an AC has a longer life span (for example, weeks or months), then the organization would need to maintain AC status information.

An AC can be obtained in two ways. The AC holder may provide the AC; this is known as the push model. Alternatively, the AC is requested from the AC issuer or a repository; this is known as the pull model. A major benefit of the pull model is that it can be implemented without changes to the client or to the communications protocol. The pull model is especially well suited to interdomain communication.

The AC is linked to a public key certificate in one of two ways. The AC holder field can contain the issuer and serial number of a particular public key certificate, or the AC holder field can contain a subject name. In the first case, the AC is linked to a specific public key certificate. In the second case, the AC is linked to a particular subject, and the AC may be used in conjunction with any public key certificate held by that subject.

FUTURE DEVELOPMENTS

One of the criticisms of PKI is that CRLs can become too large. When this happens, the overhead associated with CRL distribution is unacceptable. Sliding window delta CRLs can be used to reduce this overhead. Another criticism of PKI is that certification path construction and validation can be difficult.
By delegating these functions to a trusted server, the amount of processing an application needs to perform before it can accept a certificate can be significantly reduced. Sliding window delta CRLs and delegated path validation are not widely deployed today, but they are likely to be employed in the future.

Sliding Window Delta CRLs

For PKIs that rely on CRLs, the challenge is to provide the freshest information to certificate users while minimizing network bandwidth consumption. Unfortunately, when PKIs rely on full CRLs, these requirements are in direct conflict. To maximize the freshness, CRLs must be updated frequently. As the time interval between updates shrinks, the probability that a client will find a useful CRL in its cache diminishes. At the extreme, certificate users will download a full CRL for each certificate validation. Most of the information on the CRL is the same, and identical information is transmitted repeatedly, consuming bandwidth without providing any benefit. To minimize the consumption of network bandwidth, CRLs should have reasonably long lifetimes. As the time interval between updates grows, so does the probability that relying parties will have the appropriate CRL in their cache.

In the simple case, delta CRLs and full CRLs are issued together, and the delta CRL lists all the certificates revoked since the last full CRL was issued. A certificate user who has the previous full CRL may obtain complete information by obtaining the delta CRL and combining it with the already cached, previous full CRL. The certificate user obtains the freshest information available but consumes a fraction of the bandwidth. If the certificate user does not have the previous full CRL, the full CRL must be downloaded.

A sliding window delta CRL lists all the certificates revoked since an earlier full CRL, perhaps six generations earlier. This delta CRL may be combined with any of the full CRLs from the previous six generations.
By repeating some of the revocation information in the delta CRL, there is a greater likelihood that the certificate user will have an acceptable full CRL in the cache, yet the amount of repeated information is small enough to avoid consuming significant bandwidth.

Most PKI-enabled applications do not exceed the limitations of full CRLs. As a result, delta CRLs are not widely deployed. Few commercial PKI client implementations process delta CRLs. Fewer CA products can generate sliding window deltas. As PKIs grow, however, the incentive to deploy innovative certificate status mechanisms will likely grow.

Delegated Path Validation

Some PKI implementers want to offload the entire certification path construction and validation process to a trusted server. A relying party would provide a validation server with an end-entity certificate, one or more trust points, and the initial values for certification path validation; the path validation server would then respond with a message informing the relying party whether the certificate was acceptable. Standard protocols for these services have not yet been developed. This work is currently underway in the IETF PKIX Working Group.

Delegating the certificate validation process to a trusted server has a number of advantages. The certificate user achieves path construction and validation with a single roundtrip protocol, and then the certificate user verifies a single digital signature on the response. The single roundtrip is especially important in bandwidth-limited environments, especially wireless environments. If the certificate user has limited processing power, the reduction in signature verifications is also significant.

Delegating the certificate validation process to a trusted server may also provide performance advantages. If the path validation server has cached the necessary certificates and CRLs, the path validation server may be able to construct and validate a certification path quickly.
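Returning to the sliding window delta CRLs described in the previous subsection: the added Python example below (not the chapter’s code and not any CA product’s) simulates an issuer that publishes numbered full CRLs and derives a delta whose base is `window` generations back, and a relying party that combines that delta with whichever full CRL it has cached, falling back to a full download when the cache is too old. The serial numbers, the three-generation window used in the demonstration, and the certificateHold/removeFromCRL case are constructed. The rule applied in `publish_delta`, that the delta must carry every serial whose status differs between any full CRL in the window and the latest one (including certificates released from hold in the meantime), follows the delta CRL semantics of the X.509 CRL profile (RFC 3280); a delta that only listed new revocations would leave a user holding the middle CRL of the window with a stale entry.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class FullCRL:
    crl_number: int
    revoked: FrozenSet[int]          # serial numbers listed on this CRL


@dataclass(frozen=True)
class DeltaCRL:
    crl_number: int                  # shares the numbering sequence of the full CRLs
    base_crl_number: int             # oldest full CRL this delta may be applied to
    revoked: FrozenSet[int]          # serials to add to the cached full CRL
    removed: FrozenSet[int]          # serials to drop (reason code removeFromCRL)


class CRLIssuer:
    """Constructed CA-side model: keeps every full CRL it has published and derives
    a sliding-window delta that can be applied to any of the last `window` of them."""

    def __init__(self, window: int = 6):
        self.window = window
        self.history: List[FullCRL] = []   # history[i] is the full CRL numbered i + 1
        self._current = set()

    def publish_full(self, newly_revoked: Iterable[int] = (),
                     released: Iterable[int] = ()) -> FullCRL:
        self._current |= set(newly_revoked)
        self._current -= set(released)      # certificates taken off certificateHold
        full = FullCRL(len(self.history) + 1, frozenset(self._current))
        self.history.append(full)
        return full

    def publish_delta(self) -> DeltaCRL:
        latest = self.history[-1]
        base = max(1, latest.crl_number - self.window)
        older = [c.revoked for c in self.history[base - 1:-1]]
        if not older:                        # nothing to be relative to yet
            return DeltaCRL(latest.crl_number, latest.crl_number, frozenset(), frozenset())
        # A user may hold ANY full CRL in the window, so the delta must carry every
        # serial whose status differs between some CRL in the window and the latest.
        on_all_older = frozenset.intersection(*older)
        on_any_older = frozenset.union(*older)
        return DeltaCRL(latest.crl_number, base,
                        revoked=latest.revoked - on_all_older,
                        removed=on_any_older - latest.revoked)


def combine(full: FullCRL, delta: DeltaCRL) -> FullCRL:
    """Relying-party side: rebuild the newest full CRL from a cached one plus the delta."""
    if not delta.base_crl_number <= full.crl_number <= delta.crl_number:
        raise ValueError(f"full CRL {full.crl_number} is outside the delta's window "
                         f"[{delta.base_crl_number}, {delta.crl_number}]")
    return FullCRL(delta.crl_number, (full.revoked | delta.revoked) - delta.removed)


def refresh_from_cache(cache: Dict[int, FullCRL], delta: DeltaCRL) -> Optional[FullCRL]:
    """Pick the newest cached full CRL the delta applies to; None means 'download a full CRL'."""
    usable = [n for n in cache if delta.base_crl_number <= n <= delta.crl_number]
    return combine(cache[max(usable)], delta) if usable else None


def demo_issuer(window: int = 3) -> CRLIssuer:
    """Constructed history: five full CRLs; CRL 3 puts serial 30 on hold and CRL 4 releases it."""
    issuer = CRLIssuer(window)
    issuer.publish_full([10])                 # CRL 1
    issuer.publish_full([20])                 # CRL 2
    issuer.publish_full([30])                 # CRL 3: 30 placed on certificateHold
    issuer.publish_full([40], released=[30])  # CRL 4: 30 removed from the CRL
    issuer.publish_full([50])                 # CRL 5
    return issuer


if __name__ == "__main__":
    issuer = demo_issuer()
    delta = issuer.publish_delta()
    print("delta", delta)
    for cached in issuer.history:
        try:
            print(f"cached CRL {cached.crl_number} + delta ->", sorted(combine(cached, delta).revoked))
        except ValueError as e:
            print(f"cached CRL {cached.crl_number}: {e}")
```

With a window of three, the delta issued alongside CRL 5 has base 2, so a relying party holding CRL 2, 3 or 4 reconstructs CRL 5 from it, while one holding only CRL 1 must fetch a full CRL; the delta lists serial 30 under removeFromCRL precisely so that a cache holding CRL 3 does not keep reporting it as revoked.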
These benefits are not free. The path validation server performs all of the security-relevant operations. The path validation server must be secure, because it is the sole trust point for the relying party. In addition, some of the performance enhancements are based on the ability of the server to obtain and cache information. PKIs that rely on OCSP may be counterproductive to this model. In such a case, the path validation server is not likely to hold the required status information. The server will have to retrieve revocation information from the OCSP responder for each certificate in the certification path, mitigating much of the performance gain.

Performance is not the only reason to centralize certification path validation. Some organizations want to impose a centralized management discipline with consistent policy enforcement. If applications use the same trusted path validation server, consistent results across the organization are ensured.

GLOSSARY

Attribute authority: An entity that is responsible for the issuance of attribute certificates, assigning privileges to the certificate holder.

Attribute certificate: A data structure that is digitally signed by an AA that binds attribute values with identification about its holder.

Certificate policy: A named set of rules that indicates the applicability of a certificate to a particular community or class of application with common security requirements.

Certificate revocation list (CRL): A digitally signed list of certificate serial numbers associated with a set of certificates that are no longer considered valid by the certificate issuer.

Certification authority: An entity that is responsible for the issuance of public key certificates, trusted by one or more certificate users.
Certification practices statement: A description of the practices followed by a certification authority in issuing and managing public key certificates.

Public key certificate: A data structure that contains a user identity, the user’s public key, and other information, digitally signed by the CA.

Online certificate status protocol (OCSP) response: A digitally signed response from a trusted server that implements the OCSP that provides status information for a queried certificate.

CROSS REFERENCES

See Digital Signatures and Electronic Signatures; Electronic Payment; Guidelines for a Comprehensive Security System.

FURTHER READING

Adams, C., & Farrell, S. (1999). Internet X.509 public key infrastructure—Certificate management protocols (RFC 2510). Retrieved March 2, 2003, from http://www.ietf.org/rfc/rfc2510.txt
Adams, C., & Lloyd, S. (1999). Understanding public-key infrastructure. Indianapolis, IN: Macmillan.
Chokhani, S., & Ford, W. (1999). Internet X.509 public key infrastructure—Certificate policy and certification practices framework (RFC 2527). Retrieved March 2, 2003, from http://www.ietf.org/rfc/rfc2527.txt
Cooper, D. (2000, May). An efficient use of delta CRLs. Proceedings of the 2000 IEEE Symposium on Security and Privacy (pp. 190–202). Los Alamitos, CA: IEEE Computer Society Press.
Housley, R. (2002). Cryptographic message syntax (CMS) (RFC 3369). Retrieved March 2, 2003, from http://www.ietf.org/rfc/rfc3369.txt
Housley, R., & Polk, T. (2001). Planning for PKI. New York: Wiley.
Housley, R., Polk, W., Ford, W., & Solo, D. (2002). Internet X.509 public key infrastructure—Certificate and certificate revocation list (CRL) profile (RFC 3280). Retrieved March 2, 2003, from http://www.ietf.org/rfc/rfc3280.txt
International Telecommunication Union-Telecommunication Standardization Sector (ITU-T). (2000). The directory—Authentication framework (ITU-T Recommendation X.509).
Kaliski, B. (1998). PKCS #7: Cryptographic message syntax, version 1.5 (RFC 2315). Retrieved March 2, 2003, from http://www.ietf.org/rfc/rfc2315.txt
Kaliski, B. (1998). PKCS #10: Certification request syntax, version 1.5 (RFC 2314). Retrieved March 2, 2003, from http://www.ietf.org/rfc/rfc2314.txt
Liu, X., Madson, C., McGrew, D., & Nourse, A. (2001, September 11). Cisco Systems’ simple certificate enrollment protocol (SCEP) (work in progress). Retrieved March 2, 2003, from http://www.vpnc.org/draft-nourse-scep
Myers, M., Adams, C., Solo, D., & Kemp, D. (1999). Internet X.509 certificate request message format (RFC 2511). Retrieved March 2, 2003, from http://www.ietf.org/rfc/rfc2511.txt
Myers, M., Ankney, R., Malpani, A., Galperin, S., & Adams, C. (1999). X.509 Internet public key infrastructure—Online certificate status protocol (OCSP) (RFC 2560). Retrieved July 30, 2002, from http://www.ietf.org/rfc/rfc2560.txt
Myers, M., Liu, X., Schaad, J., & Weinstein, J. (2000). Certificate management messages over CMS (RFC 2797). Retrieved March 2, 2003, from http://www.ietf.org/rfc/rfc2797.txt

P1: IML/FFX P2: IML/FFX QC: IML/FFX T1: IML Thompson2 WL040/Bidgolio-Vol I WL040-Sample.cls June 19, 2003 17:7 Char Count= 0

Public Networks

Dale R. Thompson, University of Arkansas
Amy W. Apon, University of Arkansas

Introduction 166
Overview of Public Network Concepts and Services 166
Structure of the Public Switched Telephone Network System 168
Access and Public Network Technologies 169
  Voice-Grade Modems 169
  Digital Subscriber Lines 169
  Cable Modems 170
  Satellite 171
  Integrated Services Digital Network 171
  Digital Leased Lines 171
  Synchronous Optical Network 172
  X.25 172
  Frame Relay 172
  Asynchronous Transfer Mode 172
Choosing a Private Network or a Public Network Provider 173
  Reliability 174
  Cost and Performance Tradeoffs 174
  Support 174
  Control 174
  Other Factors 175
Public Networks in the Internet and E-commerce Environments 175
Conclusion 175
Glossary 176
Cross References 176
References 176

INTRODUCTION

Networks for the transfer of data between computers, both public and private, are ubiquitous in today’s business world. A public network is one that is publicly available to subscribers (Stallings, 2001). It provides service to multiple subscribers and is built and maintained by a public network provider. Internationally, the term “public network” is often applied to networks that are under government control or are a national monopoly. However, a network can also be a privately owned network whose services are sold to the public. Whether the network is under government control or is a privately owned network whose services are sold to the public, businesses access the network by installing an access device at each site and using an access line to the nearest point of presence (POP) of the public network provider (Panko, 2001).

This chapter gives an overview of public network concepts and services and describes the structure of the public switched telephone network (PSTN) system, the technologies used both for access to a public network and within the public network itself, issues related to choosing a public or a private network, and public networks in the Internet and e-commerce environments.
OVERVIEW OF PUBLIC NETWORK CONCEPTS AND SERVICES

Traditionally, companies desiring to connect business computers in different geographic locations have used private networks. That is, they have used point-to-point leased lines between business sites to create their own circuit-switching or packet-switching networks for their data communication requirements (Panko, 2001). Unlike telephone calls, which set up the required capacity as needed, leased lines provide dedicated transmission capacity between sites. These networks are called private networks (Stallings, 2001). By using leased lines, companies have a network capacity that is always available and are offered volume discounts for the bandwidth available on the leased line. An example of a private network is shown in Figure 1.

There are several disadvantages to private networks. Private networks require higher initial costs. The leased line connections must be planned and installed. The switching devices must be provided. And, once a network is operational, there are ongoing management and maintenance costs (Panko, 2001). A public network is an alternative to a private network.

There are advantages to using a public network. A public network does not require a complex network of leased lines and switching devices that the business must plan and install. There is commonly one access line installed per site. Even if a leased line is used to connect to the nearest POP, fewer leased lines are usually required. For example, if there are 10 sites using the public network, then there are 10 leased lines. Compare this to a fully meshed private network that requires 45 leased lines. For N locations, N(N − 1)/2 leased lines are required to connect every site directly to every other site.
Even if not every site is connected to every other site in the private network, with some sites reached through intermediate sites, a public network generally needs fewer leased lines than a private one. Finally, because of competitive pricing, public networks are less expensive than private networks (Stallings, 2001). Figure 2 illustrates an example of a public network.

The global Internet is a network that is publicly accessible worldwide. The Internet is not one single network, but is composed of several networks connected together and communicating with standard Internet technologies (Moody, 2001). Access to the Internet is achieved via an Internet service provider (ISP). The Internet allows a business to have a worldwide presence. Through the use of e-commerce, purchases can be made automatically with software.

[Figure 1: A private switched data network. Sites A through E are interconnected by 56 Kbps and T1 leased lines.]

A network that transfers data and information only within a single business is called an intranet (Moody, 2001). Intranets use the same technologies as the Internet, but access is restricted to employees. They carry corporate information that can range from the routine, such as e-mail, manuals, and directories, to sensitive information such as that of project management and internal purchasing. An intranet can be built using a private or a public network. A private network is naturally an intranet. A business using a public network can ask that its data be restricted to travel only to other locations of the same business. Of course, the bandwidth is still being shared with other businesses that use the same public network.
An extranet is a hybrid between the public Internet and the private intranet (Moody, 2001). A portion of the intranet is extended to business partners in a controlled and restricted way. The extranet can be used for project management of projects between partners. Another common and practical use of the extranet is to allow partners access to stock levels and shipping status. Direct online purchasing of supplies and other applications are made possible through the use of an extranet.

The global Internet can be used to provide an intranet or an extranet by creating a virtual private network (VPN). A VPN is a private network that is deployed over public facilities, but provides the same levels of privacy, security, quality of service, and manageability as private networks (Cisco, 2001). A VPN can be created when all sites are already connected to the Internet. With a VPN, hosts at different sites communicate across the Internet using either a tunnel mode between local networks or a transport mode directly between the hosts. However, there are two serious problems that can occur with VPNs, since the company no longer has control of the entire data network (Panko, 2001). One problem is the security of the data, because the Internet was not designed to support secure transmission. This problem can be solved through the use of encryption and by using tunnel mode for communication. A second problem is congestion on the Internet. Congestion can cause data to be delayed or even lost. A VPN uses a public network for site-to-site communication and added technology to solve the problems of security and congestion (Panko, 2001).

[Figure 2: A public switched data network. Sites A through E each connect to the public switched data network over a T1 or 56 Kbps leased line.]
A public network provider has a value-added network if it owns the packet-switching nodes and leases transmission capacity from an interexchange carrier such as AT&T (Stallings, 2001). It is called a value-added network because the provider’s packet-switching nodes add value to the leased transmission capacity. A network provider that provides a value-added network is sometimes called a value-added carrier. In many cases a public network provider will partner with companies that provide services that require network connectivity, such as Web hosting, and give them discounts for using its network. A business that bundles a service with a particular public network provider is called a value-added reseller.

Public network providers often offer services such as Web hosting to subscribers in addition to connectivity between sites. These additional services are called value-added services. They include asset management, configuration control, fault management, monitoring, Web-based reporting, Web hosting, e-mail services, and content delivery networks.

Asset management is keeping an inventory of the devices that are connected to the network. As devices are added to or taken off the network, the asset management system keeps an up-to-date log of the assets. Configuration control is about maintaining and keeping records of the configuration of networked devices. The network provider typically maintains the configuration of the packet-switching node that connects each of the subscriber locations to the network. A provider will also monitor devices to detect faults and either fix them or notify the appropriate on-site personnel. This is called fault management. A provider can invest in large network operation centers for monitoring their subscribers’ network devices. This includes maintaining a firewall to keep unwanted users out of the network and intrusion detection systems for detecting activity that is consistent with common hacker techniques.
With Web-based reporting the provider gives the subscriber reports about the status of their network and a history of its downtime and performance.

One of the most popular value-added services is Web hosting. The provider maintains one or more servers and allocates space on them for the subscriber’s Web site. The provider maintains the server and performs backups. Subscribers are given access to their portions of the server to post their Web sites and control their content. An advantage to using this value-added service is that it is likely that the subscriber has other sites that are connected to the same public network. If the server is connected to the same public network, it provides faster response times to the end users.

Medium to large users who have high volumes of content serving a distributed set of users may consider a value-added service called a content delivery network (CDN). A CDN intelligently distributes the content to multiple locations closer to the end user. By moving the customized content closer to the end user, the end user receives faster response times (Allen, 2001). Queries to the main server or group of servers are routed to the location that can best respond to the query. Content is cached at each of the locations and future requests are serviced more quickly because the information traverses fewer links in the network. There are three main advantages to a CDN. First, end users receive faster response times. Second, it relieves congestion on the original server that maintains the master copy of the content. Finally, it reduces the amount of data transmission capacity required on the network since the content is distributed to multiple locations and does not have to come from the original server. Some of the popular CDN providers are Akamai (http://www.akamai.com) and Mirror Image (http://www.mirror-image.com).
STRUCTURE OF THE PUBLIC SWITCHED TELEPHONE NETWORK SYSTEM

The public switched telephone network system is often used to provide the technology that a business uses to access a public network, or is itself the technology of the public or private lines. The structure of the PSTN in the U.S. has evolved from one that was almost entirely controlled by a single company to one that allows competition in a free market. Before January 1, 1984, AT&T (also known as the Bell System) controlled 80% of the PSTN in the U.S. (Bellamy, 2000). A Justice Department antitrust suit filed in 1974 and a private antitrust case by MCI resulted in a breakup of AT&T (Noam, 2001). The suit argued that AT&T used its control of the local operation as an unfair advantage against competing long distance carriers.

On January 1, 1984, AT&T was divided into smaller companies. The breakup involved the divestiture of the Bell operating companies (BOCs) from AT&T, grouped into seven regional holding companies. These seven regional BOCs (RBOCs), known as “Baby Bells,” initially carried only regional telephone and mobile service. The network was partitioned into two levels (Bellamy, 2000), and the remaining part of AT&T retained the transport of long distance telephone service.

The U.S. was divided into local access and transport areas (LATAs), which are controlled by local exchange carriers (LECs). LECs can transport telephone calls within a LATA, also called intra-LATA traffic, but are not permitted to transport traffic between different LATAs, also called inter-LATA traffic, even though the same BOC may control both LATAs. The inter-LATA traffic is transported by interexchange carriers (IXCs), commonly known as long distance carriers. Each IXC interfaces at a single point in the LATA called a point of presence. At divestiture, AT&T became an IXC, which opened the door to competition from other companies’ long distance services. The major IXCs in the U.S. include AT&T, MCI–WorldCom, and Sprint.
The divestiture decree was supervised by District Judge Harold Greene and known as the modified final judgment (Noam, 2001). LECs had to grant equal access to all IXCs. The service offered by the LECs to the IXCs had to be equal in type, quality, and price (Bellamy, 2000). Also, users could specify their “primary” IXC to transport their long distance and international calls (Noam, 2001). Or, users could use other IXCs on a call-by-call basis by dialing a prefix.

Another major change in the U.S. PSTN occurred with the 1996 Telecommunications Act, which amended the Communications Act of 1934 (Noam, 2001). RBOCs had to comply with a list of tasks before they were permitted to provide long-distance service within their regions. The list was designed to open the RBOCs’ regions to competition, which was argued to be necessary to induce competition in these local markets. RBOCs were required to provide interconnection to new market competitors, unbundle their network, permit competitors to resell their service, and provide users with number portability.

The new local service providers became known as competitive local exchange companies (CLECs) (pronounced “see-lecks”) (Noam, 2001). The incumbent LECs became known as ILECs. For a CLEC to be competitive with the ILEC requires that it be able to interconnect with the users cost effectively. Therefore, there came a great struggle between CLECs and ILECs on the issue of collocation, since the ILEC had a significant advantage with the existing network. In “physical collocation” a CLEC places its cables and equipment inside the ILEC’s central office (CO) to hand off traffic.
In another arrangement, called “virtual collocation,” the physical handoff of the traffic occurs inside or outside the CO but uses ILEC-owned equipment; it must be the economic equivalent of “physical collocation.”

It may appear from the previous discussion that the breaking up of the U.S. PSTN is relevant only to the United States, but the trend is happening in other parts of the world as well (Noam, 2001). Japan opened its markets to competition. Also, the Europeans have privatized their service. Noam argues that at first a network is not feasible unless supported by outside sources such as governments. As the network grows, the average costs decline initially and then rise as a few high-cost users are added. Without regulation the network would not grow beyond a certain point because of the high cost of adding these high-cost users. From a political and societal point of view the network becomes a necessity instead of a convenience and should be offered to everyone. Therefore, the monopolistic breakdown of the network is caused by its own success.

ACCESS AND PUBLIC NETWORK TECHNOLOGIES

To use a public network for data services, a user must access the public network through some network service from the user’s computing equipment to the nearest public network node. Factors in selecting a particular service include the cost of the service and the features, including the transmission speed, that the technology provides. Generally, the higher the transmission speed that a technology can support, the more costly the service becomes. Transmission speeds for networks are described in bits per second. Unlike the convention for memory sizes, 1 Kbps is exactly 10^3 bits per second, 1 Mbps is exactly 10^6 bits per second, and 1 Gbps is exactly 10^9 bits per second. Many technologies are available for access to a public network and for use within the public network.
The most inexpensive network access is through a voice-grade modem. A modem converts a digital computer signal to an analog signal that can be sent across ordinary telephone lines. Voice-grade modems can receive data at up to 56 Kbps. In contrast, digital lines used to access the network range in transmission speed from 56 Kbps to 10 Gbps. Within the public network a few technologies, including X.25, frame relay, asynchronous transfer mode (ATM), and synchronous optical network (SONET), have become the most commonly used. Table 1 lists the most common technologies along with a comment about usage. Table 1 also compares the transmission speed and the time to download a 10-megabit (1.2 megabyte) file.

Voice-Grade Modems

A modem is the most inexpensive and easiest-to-use access technology. The use of modems for data transmission will be substantial for many years to come (Stallings, 2001). Voice-grade modems use a 4-kHz bandwidth on an ordinary telephone line, the same bandwidth that is used for voice signals. Modems can be packaged inside an information product, such as a personal computer. Companies often have modem banks that allow employees to dial in directly to the company intranet or to access a large computer system.

On March 1, 1993, the International Telecommunications Union (ITU) Telecommunications Standardization Sector (ITU-T) was created as a permanent organ of the ITU, an agency of the United Nations. The charter of the ITU-T is to standardize techniques and operations in telecommunications. Several standard specifications for voice-grade modems have been designated by the ITU-T. Two of the most significant modem specifications are V.32, a dial-up modem that transmits at 9600 bps, and V.90, also a dial-up modem. V.90 sends at 33.6 Kbps and receives at 56 Kbps, the highest rates available for voice-grade modems (Stallings, 2001).
Digital Subscriber Lines

A faster service than voice-grade modems that is beginning to be offered by telephone companies is the digital subscriber line (DSL). A widely publicized version of this is the asymmetric digital subscriber line (ADSL). ADSL offers high-speed downstream access to the customer site and lower-speed upstream access from the customer. The ITU-T has developed a standard for low-speed ADSL called G.992.2, or G.Lite. G.Lite specifies downstream speeds of 1.5 Mbps, but sometimes lower downstream speeds are used. Most users find asymmetric speeds acceptable, since upstream traffic frequently consists of keystrokes or short e-mail messages, whereas downstream traffic may include Web pages or large amounts of data. In addition to data speed, an advantage of DSL over voice-grade modems is that DSL modems allow voice traffic to be multiplexed onto the telephone wires coming into the customer site. A customer can talk on the telephone at the same time that data are being transferred.
Table 1 Common Network Technologies

Service | Usage Comments | Transmission Speed | Download (10-megabit file)
Voice-Grade Modem | Modems are inexpensive; telephone rates reasonable for modest connect times | Upload: up to 33.6 Kbps; Download: up to 56 Kbps | 3 min or more
Digital Subscriber Line | More expensive than voice-grade modems; downlink rates higher than uplink | Upload: 16 Kbps to 640 Kbps; Download: 768 Kbps to 9 Mbps | 1.1–13 s
Cable Modems | Download rates depend on the number of simultaneous customers and configuration | Upload: 64 Kbps to 256 Kbps; Download: 10 Mbps to 30 Mbps | 0.3–1 s
Satellite | A cost-effective choice in remote locations | Upload: 56 Kbps to 256 Kbps; Download: 150 Kbps to 1 Mbps | 10–67 s
Integrated Services Digital Network | Charges generally based on duration of call | Basic rate: 128 Kbps; higher rates available | 1.3 min
Digital leased lines: 56 Kbps (DS0), T1 (DS1), T3 (DS3), . . . | Most common leased line for high-traffic voice and data; fixed price for a specific capacity | DS0: 56 Kbps; T1 (DS1): 1.54 Mbps; T3 (DS3): 44.7 Mbps | 56 Kbps: 3 min; T1: 6.5 s; T3: 0.22 s
SONET | Specification for optical links; highest speed | 155.52 Mbps to 2.488 Gbps (leased) | 0.004–0.06 s
X.25 | Older technology, still in use in public networks | 56 Kbps, but can be slower or faster | 3 min or more
Frame Relay | Fixed price per month for a specific capacity; widely installed and used | 16 Kbps to 44.736 Mbps | 0.22–625 s
ATM | Universal technology for wide area networking | 1.544 Mbps to 2.5 Gbps for access | 0.004–6.5 s

The telephone company does not have to install any special equipment to support voice-grade modems. However, when the telephone company offers DSL service it has to install digital subscriber line access multiplexers at the end offices. Figure 3 illustrates the equipment used for DSL (Panko, 2001).
Because special equipment has to be installed, DSL service is not available in all areas. One factor that determines the availability of ADSL is the distance to the central office. In general, if the distance is greater than 18,000 feet, ADSL service is not available. Also, prices are fluctuating as DSL becomes available in more and more areas.

[Figure 3: Asymmetric digital subscriber line. Figure labels: All digital internally; Single twisted pair, ordinary telephone line; DSL Modem; DSU for computer; Codec for telephone; Telephone Company; Service Provider; Digital leased line, Megabit speeds; DSL Access Multiplexer. Source: Business Data Communications and Networking, 3/E (Panko, 2001). Reprinted by permission of Pearson Education Inc., Upper Saddle River, NJ.]

Cable Modems

Cable modems are a service offered by cable television companies. Often, the cable television or telephone company operates as both a transmission carrier and a network provider. As with ADSL, the downstream speed of a cable modem is much faster than the upstream speed. The upstream speeds are similar to ADSL, but the downstream speeds can be several times faster. However, multiple customers on the same cable line share the capacity. When many customers are accessing the network at the same time, the real downstream transmission speed can be much lower. If network traffic is bursty, though, it is unlikely that all customers are downloading at exactly the same moment, so sharing does not become an issue until about 100 customers share the same cable service (Panko, 2001).

Satellite

An often cost-effective alternative for network access is the use of satellite technology. This may be particularly true in areas where other wire-based technologies are not yet available.
For example, many rural areas do not have the density of potential users that can justify the cost of installation of wire-based technologies such as DSL or cable modems.

Satellites are characterized by the type of orbit they use. The most common type of satellite is the geostationary satellite. These satellites orbit the Earth at about 22,300 miles directly above the equator at exactly the same speed as the Earth’s rotation. Because of this, the satellite always appears to be in the same position in the sky, and tracking of the satellite by stations on Earth is simplified (Stallings, 2001). The disadvantage of this type of satellite is that the propagation time for a signal to be sent from a transmission station on the Earth to the satellite and then received back on the Earth is about 0.24 s. For large data downloads this is not noticeable, since the time overlaps with the time to receive the entire message. However, for interactive computer use or for applications such as telephone calls the delay is noticeable and can be annoying. In addition, geostationary satellite signals are not received well in very far northern or southern regions of the Earth.

Two other types of orbits are low- and medium-Earth orbiting satellites. This technology is being proposed for use with mobile terminals and remote locations that need stronger signals and less propagation time. Successful businesses that use this technology are rare. One company currently operating under bankruptcy regulations, Iridium, provides global, mobile satellite voice and data solutions with complete coverage of the Earth through a constellation of 66 low-Earth orbiting satellites (Iridium, 2002).

Large satellite dishes create narrow footprints for transmission, and large dishes are used for point-to-point trunk transmissions. A small dish creates a very large footprint that is suitable for television broadcasts in a large region.
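The following Python block is an added example, not code from the encyclopedia chapter. It reproduces the arithmetic behind two passages above: the "Download" column of Table 1 (strictly decimal Kbps/Mbps/Gbps prefixes applied to a 10-megabit file) and the geostationary satellite paragraph's figure of about 0.24 s for a ground-satellite-ground hop, and then shows why that hop is negligible for a large download but dominant for a keystroke. The statute mile and the speed of light are assumed constants, and all function names are the example's own.

```python
import re

# Decimal prefixes only: the chapter stresses that, unlike memory sizes,
# 1 Kbps is exactly 10^3 bit/s, 1 Mbps exactly 10^6 and 1 Gbps exactly 10^9.
_PREFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}
_RATE_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([KMG]?)bps\s*$", re.IGNORECASE)

# The 10-megabit file that Table 1's "Download" column is computed for.
FILE_BITS = 10 * 10**6

# Geostationary altitude from the chapter (about 22,300 miles). The statute
# mile and the speed of light are assumed constants, not taken from the page.
MILE_M = 1609.344
C_M_PER_S = 299_792_458.0
GEO_ALTITUDE_M = 22_300 * MILE_M


def parse_bps(rate: str) -> float:
    """Turn a Table 1 style rate such as '56 Kbps' or '1.544 Mbps' into bit/s."""
    m = _RATE_RE.match(rate)
    if not m:
        raise ValueError(f"unrecognised rate string: {rate!r}")
    value, prefix = m.groups()
    return float(value) * _PREFIX[prefix.upper()]


def serialization_time(bits: int, rate: str) -> float:
    """Seconds needed to clock `bits` onto a link running at `rate`."""
    return bits / parse_bps(rate)


def download_range(slow: str, fast: str, bits: int = FILE_BITS) -> tuple:
    """(best, worst) transfer time for a service whose rate spans slow..fast,
    i.e. the two ends of a Table 1 'Download' cell such as '0.22-625 s'."""
    return serialization_time(bits, fast), serialization_time(bits, slow)


def geo_propagation_delay() -> float:
    """Ground -> geostationary satellite -> ground: two altitude traversals
    at the speed of light. The chapter quotes this as about 0.24 s."""
    return 2 * GEO_ALTITUDE_M / C_M_PER_S


def satellite_transfer(bits: int, rate: str) -> dict:
    """Serialization time plus the geostationary hop, and the fraction of the
    total that the hop contributes (large for a keystroke, tiny for a download)."""
    ser = serialization_time(bits, rate)
    prop = geo_propagation_delay()
    return {
        "serialization_s": ser,
        "propagation_s": prop,
        "propagation_share": prop / (ser + prop),
    }


if __name__ == "__main__":
    for service, slow, fast in [
        ("Voice-grade modem", "56 Kbps", "56 Kbps"),
        ("DSL", "768 Kbps", "9 Mbps"),
        ("Frame relay", "16 Kbps", "44.736 Mbps"),
        ("SONET", "155.52 Mbps", "2.488 Gbps"),
    ]:
        best, worst = download_range(slow, fast)
        print(f"{service:18s} {best:8.3f} s .. {worst:8.1f} s")
    print(f"GEO hop: {geo_propagation_delay():.3f} s")
    for label, bits in (("keystroke (8 bit)", 8), ("10-megabit file", FILE_BITS)):
        r = satellite_transfer(bits, "1 Mbps")
        print(f"{label}: hop is {r['propagation_share']:.1%} of the transfer time")
```

Running the block reproduces Table 1's cells (for example 6.5 s for a T1 and 0.22 to 625 s for frame relay) and the 0.24 s hop; for a 10-megabit download over a 1 Mbps satellite link the hop is only about 2% of the total, whereas for a single keystroke it is essentially all of it, which is the contrast the satellite paragraph draws.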
Today, very small aperture terminal systems are available and provide a low-cost alternative to expensive point-to-point satellite connections. These stations share satellite transmission capacity for transmission to a hub station (Stallings, 2001).

Satellite access has some advantages over wire-based technologies. The technology is available now for all locations in the United States, whereas DSL and cable modem technologies may not be available in some locations for some time. For the speeds and services available, the technology is cost-competitive. However, in order to use satellite, the user must have a clear view of the southern sky. The upload speeds are modest, so satellite is not suitable for businesses that require high upload bandwidth for applications such as large upload data transfers or for hosting Web sites. Also, the download bandwidth is shared with all users at the site, so the technology is not currently suitable for more than five simultaneous users.

At least one company offers packages with two-way, always-on, high-speed Internet access via satellite that are specifically designed to meet the needs of small businesses (StarBand, 2002). StarBand uses a 24-by-36-inch dish and a special modem at the customer’s site to connect the user’s site to the network. StarBand also serves as a network provider. Fees include an initial equipment fee and a monthly fee for access. Value-added services such as domain registration and networking support for setting up small office networks can be part of the package.

Integrated Services Digital Network

Many telephone companies offer integrated services digital network (ISDN), a digital service that runs over ordinary telephone lines. As with voice-grade modems, the ITU-T has set standards for ISDN. ISDN can be used as an access technology and within a public network. Basic ISDN service includes two “B” channels, each at 64 Kbps, and a “D” channel that is used for signaling.
It is possible to use one “B” channel for voice and one for data, but most service providers bond the two “B” channels together to provide a 128 Kbps data rate. Standards for higher rates also exist. Like ADSL, ISDN requires that the telephone company install special equipment at the end office before ISDN service can be offered. A special ISDN “modem” is used at the customer site.

ISDN is the result of efforts in the early 1980s by the world’s telephone companies to design and build a fully digital, circuit-switched telephone system (Tanenbaum, 1996). Because ISDN is circuit-switched, there is never any congestion on the line from the customer to the network service provider. However, since data traffic is generally bursty, the user pays for bandwidth that may not be used. ISDN is expensive compared to the modest gain in transmission speed. The customer generally has to pay for the ISDN line to the telephone company and then has to pay an additional fee to a network service provider. The use of ISDN is likely to decline as other higher speed and more economical technologies become available.

Digital Leased Lines

In terms of number of circuits, the most common leased lines are 56 Kbps (Panko, 2001). The transmission capacity of a 56 Kbps line is actually 64 Kbps, but one bit out of eight is used for signaling, leaving the user with 56 Kbps. A 56 Kbps line is the same as digital signal zero (DS0). The next higher transmission speed is a T1 (DS1), which provides 1.544 Mbps. While a 56 Kbps leased line is relatively inexpensive, the difference in cost and performance between a 56 Kbps and a T1 line is large. Therefore, fractional T1’s are also available at 128 Kbps, 256 Kbps, 384 Kbps, and so on. In Europe and other parts of the world [...]
[...] bit rate on the line. At the POP, the leased access line connects to a port on the frame relay switch of the public network. The fee for the port is usually the largest single element in frame relay pricing. To prevent wasting port capacity, the speed of the leased line should be at least as fast as the port speed. There is usually a monthly fee for each PVC, and this fee depends on the speed of the PVC. Finally, [...]

Performance Tradeoffs

The choice between a public and private network includes determining the tradeoffs between the cost and performance of the network. The performance of the network is defined by throughput and delay. The throughput is the actual data speed seen by the user in bits per second. The delay is the maximum end-to-end delay that a packet will incur in the network. The costs of the network may vary [...]

[...] low frequency (VLF): < 30 kHz; low attenuation day and night; high atmospheric noise level; typical use: baseband signals; power line; home control systems; navigation and submarine [...]
Low frequency (LF): 30–300 kHz
Medium frequency (MF): 0.3–3 MHz
High frequency (HF): 3.0–30 MHz
Very high frequency (VHF): 30–300 MHz
Ultra high frequency (UHF): 0.3–3 GHz
Super high frequency (SHF): 3.0–30 GHz
30–300 GHz

[...] frame relay service. The price of a network is usually divided up into a fixed cost and a variable cost. The fixed access cost depends on the type of access technology that a user connects to the POP with and the distance the user is from the POP. There may not be a variable cost, but if there is, the price is dependent on the volume of traffic. A user may subscribe to a certain data rate from the network for [...]

[...] object, the incident wave (perpendicular wave) propagates into the lossy medium and the radio energy experiences exponential decay with distance as it travels into the material. The wave either is totally dissipated or will reemerge from the material with a smaller amplitude and continue the propagation. The skin depth, δ, is the distance for the field strength to be reduced to 37% of its original value [...]

[...] include (a) the need to reference large databases to perform credit checks on the individual and the appraisal on the property; (b) the timely nature of the credit approval process, since the buyer will want authority to proceed with the purchase as soon as possible; and (c) the large menu of choices for mortgage contracts, and the need to update these daily to reflect the most current market conditions. From the [...]

[...] public network the organization does not have strategic control over the configuration of the network. The public network provider designs the network for the average subscriber. Growth control of the network is the ability to expand and make modifications to meet the changing requirements of the organization. It includes adding switching nodes and leased lines, modifying the capacities of the leased lines, [...]

[...] far the satellite is from the earth. The closer the satellite is to the earth, the shorter the time it takes to send signals to the satellite. There are three satellite orbits, namely, low earth orbit (LEO), medium earth orbit (MEO), and geosynchronous earth orbit (GEO). LEO satellites are closest to the earth, beginning about 100 miles above the surface, and only take a couple of hours to circle the [...]

[...] propagate around the edges and corners and behind the obstruction. This is illustrated in Figure 5. The height or dimension of the obstruction has to be comparable to the wavelength of the transmission. The same obstruction height may produce lower diffraction loss at higher wavelength than at lower wavelength. The result of this effect is that the object shadows the radio wave. The field strength of the wave decreases [...]

[...] from the properties of the two media. This is known as the reflection coefficient, = (η2 − η1)/(η2 + η1), where η1 and η2 are the intrinsic impedance of the two media. Note that depending on the values of η1 and η2, there could be partial reflection, full reflection, or no reflection at all. If the incident object is a good conductor, the wave is totally reflected and the angle of incidence is the same as the [...]

[...] called the transmitter, the channel or means by which the signal travels, another hardware subsystem called the receiver, and a destination of the information (the sink). The source supplies the [...]

Posted: 14/08/2014, 09:22
