[Docs] [txt|pdf] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 01 02 03 04 05

INTERNET DRAFT                               Cleve Mickles (Co-Author)
Document: draft-mickles-v6ops-isp-cases-05.txt        AOL Time Warner
Expires: Sept 2003                                          March 2003

                  Transition Scenarios for ISP Networks

Status of this Memo
   This document is an Internet-Draft and is subject to all
   Provisions of Section 10 of RFC2026.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its
   areas, and its working groups.  Note that other groups may also
   distribute working documents as Internet-Drafts.  Internet-Drafts
   are draft documents valid for a maximum of six months and may be
   updated, replaced, or obsoleted by other documents at any time.
   It is inappropriate to use Internet-Drafts as reference material
   or to cite them other than as "work in progress."
   The list of current Internet-Drafts can be accessed at
   The list of Internet-Draft Shadow Directories can be accessed at
   This document describes the different types of Internet Service
   Provider (ISP) networks in existence today.  It will provide
   design and operational considerations in delivering network
   services to customers for seven specific areas in an effort to
   better identify specific issues which may arise during a
   transition to IPv6.

Mickles, et al.        Expires - Sept. 2003                  [Page 1]

                Transition Scenarios for ISP Networks      Mar. 2003

Table of Contents
   1.  Introduction................................................4
   2.  Scope of the document.......................................4
   3.  Core/Backbone Networks......................................5
         3.1  Topology.............................................5
         3.2  Hardware.............................................6
         3.3  Routing..............................................6
         3.4  Traffic Engineering..................................9
         3.5  Security.............................................9
         3.6  Network Management..................................10
         3.7  Hosting Gear........................................11
    4.  Broadband  HFC/Coax Networks..............................12
         4.1  Terminology.........................................12
         4.2  Topology............................................12
         4.3  Hardware............................................13
         4.4  Routing.............................................15
         4.5  Policing............................................15
         4.6  Security............................................15
         4.7  Network Management..................................16
         4.8  Host Gear...........................................16
    5.  Broadband DSL Networks....................................17
         5.1  DSL physical architecture ..........................17
         5.2  Logical architectures used today for IPv4 access....19
         5.3  Addressing for today's IPv4 access..................24
         5.4  Routing.............................................25
         5.5  DNS.................................................25
         5.6  Network Management..................................25
    6.  Narrowband Dialup Networks................................26
         6.1  Topology............................................27
         6.2  Hardware............................................27
         6.3  Routing.............................................27
         6.4  Traffic Engineering.................................28
         6.5  Security............................................28
         6.6  Network Management..................................28
         6.7  Hosting Gear........................................29
    7.  Public Wireless LAN.......................................30
         7.1  Topology............................................30
         7.2  Routing and Addressing..............................31
         7.3  Traffic Engineering.................................31
         7.4  Security............................................32
         7.5  Network Management..................................33
         7.6  Hosting Gear........................................33

Mickles, et al.        Expires - Sept. 2003                  [Page 2]

                Transition Scenarios for ISP Networks      Mar. 2003

    8.  Broadband Ethernet .......................................34
         8.1  Topology............................................34
         8.2  Hardware............................................34
         8.3  Routing.............................................35
         8.4  Traffic Engineering.................................35
         8.5  Security............................................35
         8.6  Network Management..................................36
         8.7  Hosting Gear........................................36
     9. Internet Exchange Point...................................37
          9.1 Topology............................................37
          9.2 Routing and Addressing..............................38
          9.3 Traffic Engineering.................................38
          9.4 Security............................................39
          9.5 Network Management..................................39
          9.6 Hosting Gear........................................39
   10.0 Security Considerations...................................39
   11.0 Network Management Considerations.........................39
Author's Addresses................................................43

   (C) The Internet Society (2003).  All Rights Reserved.

Mickles, et al.        Expires - Sept. 2003                  [Page 3]

                Transition Scenarios for ISP Networks      Mar. 2003

1. Introduction

   This document will describe the basic design of ISP networks
   today.  It will be used to provide direction on what must be
   considered to transition IPv4 networks to IPv6.  The main
   purpose of this document is to identify, and document the issues
   that must be considered before transitioning a network to IPv6.
   This document is not meant to determine exactly how the
   transition will occur for the various ISP networks.  This document
   is not meant to describe how to build an IPv6 network from scratch.
   This document will not describe what is or is not a "Tier 1" or
   "Tier 2"..."Tier N" ISP.  The document focuses on IP capable
   network devices and may reference non-IP related devices for
   clarification purposes only.

2. Scope of the document

   The scope of this document is to cover the major topics ISPs must
   consider in building and running their IP networks.  The following
   sections include descriptions and design considerations for Core
   backbone networks, Broadband DSL
   networks, Broadband HFC Cable networks, Narrowband Dialup
   networks, Public Wireless LAN Networks, Broadband Ethernet and
   Public Exchange Point networks.  The document will also identify
   Security and Network Management concerns which in some cases will
   be common to all as well some areas that may be unique to the
   particular service.  In some cases a single ISP may provide
   services in more than one of the areas mentioned below.

   Although the Optical core is important in today's networks, that
   layer is generally transparent to the IP layer except in a few
   special cases where ISPs have allowed the IP core to be aware of
   the optical layer underneath.  Hence, this draft does not include
   further optical considerations.
   Each scenario will discuss issues related to network topology,
   network hardware, routing, policing, security, network management,
   configuration and host gear.

Mickles, et al.        Expires - Sept. 2003                  [Page 4]

                Transition Scenarios for ISP Networks      Mar. 2003

3. Core/Backbone Networks

   This section describes the general topologies of and
   characteristics of today's CORE networks.  Although there are
   numerous large scale networks out there today, most employ the
   same basic set of principles when designing and building their

                       Trunks to remote sites

                             ^               ^
                             |               |
                            /               /
                           /               /
                        /\/               /
                       /               /\/
                      /               /
                 ____/____       ____/____
                |         |     |         |
                |  CORE1  |     |  CORE2  |
                |_________|     |_________|
      ____________/ | \           | | |
     /              |  \          | | |
    /   +===========|===\=========+ | |
    |  /            |  +=\==========+ |
 ___|_/_         ___|_/_  \      _____|_
|       |       |       |  \____|       |
| BDR1  |       | BDR2  |       | BDR(n)|
|_______|       |_______|       |_______|\
    |               |               |     \
    |               |               |      \
    |               |               |       \_Peering( Direct & IX )
    |               |               |
 ___|___         ___|__          ___|___
|       |       |      |        |       |
| CPE1  |       | CPE2 |        | CPE(n)|
|_______|       |______|        |_______|

            Figure 3.1
3.1 Topology

   In terms of physical equipment, today's backbone networks consist
   mainly of high-speed routers that are configured in a basic core
   and edge configuration.  In most configurations, for redundancy,
   there are two or more core routers as well as two or more border
   routers.  The border routers provide any local connectivity and
   peering.  Generally filtering, routing policy and policing type
   functions are done on the border routers.  The core routers
   provide aggregation of border router traffic as well as
   aggregation of long haul   circuits to remote sites.  The
   physical topology is depicted in Figure 3.1.

Mickles, et al.        Expires - Sept. 2003                  [Page 5]

                Transition Scenarios for ISP Networks      Mar. 2003

   The logical topology includes the core routers being IBGP peers
   with every other POP in the mesh.  The local border routers are
   route reflector clients of the core.

3.2. Hardware

   The hardware deployed in the CORE Backbone is similar across ISPs
   and generally consists of high-speed routers.  The requirement
   for switches in the CORE network is for infrastructure type
   hosting gear.  In some cases CPE equipment is provided by the

3.3. Routing

   An assumption is that all routers in the core will have some IPv4
   reachability.  As the network grows additional routers may be added
   which only have IPv6 reachability but most routers which support
   IPv6 networking will be dual stack.

   In the routing area ISPs must consider how IPv6 traffic will be
   exchanged over the link layer of the network.  There are two cases
   which are available.  Either all routers within the network will
   be IPv6 capable or a disjoint subset of routers will have IPv6
   capabilties.  This decision will determine whether IPv6 addressing
   is configured over each IPv4 point to point link or the more
   likely scenario is configuring IPv6 on some point to point links
   and tunneling IPv6 over IPv4 to reach other network devices.

3.3.1  IGP

   Internally Core ISPs generally use OSPF or ISIS as an IGP.
   Loopback interfaces and point-to-point links are what make up
   routes within the IGP.

   Once the IPv6 link layer topology has be determined the IPv6
   IGP choice must be made.  The choices in the Core network include
   basically OSPF or ISIS for IPv6 routing.  For networks which have
   deployed one or the other for IPv4 traffic, the ISP must consider
   the ramifications of the choice.

   Case 1: Existing OSPF IPv4 network

   If the ISP chooses to build IPv6 capabilities using OSPFv3, then
   considerations of existing hardware and memory constraints must be
   made since OSPFv3 places additional load on network gear.  This
   IGP will operate in separate memory space and will need to be
   configured separately from any existing OSPFv1 implementation.

Mickles, et al.        Expires - Sept. 2003                  [Page 6]

                Transition Scenarios for ISP Networks      Mar. 2003

   If the ISP chooses to build IPv6 capabilities using ISIS, then
   considerations of existing hardware and memory must constraints must
   be made as adding ISIS to an existing OSPFv1 implementation.  The
   amount of hardware resources are not as taxing.  As with the OSPF
   scenario,  ISIS would be configured separately from the existing
   OSPFv1 implementation.

   Case 2: Existing ISIS IPv4 network

   If the ISP chooses to build IPv6 capabilities using OSPFv3, then
   considerations of existing hardware and memory constraints must be
   made since OSPFv3 places additional load on network gear.  This
   IGP will operate in separate memory space and will need to be configured
   separately from any existing ISIS implementation.

   If the ISP chooses to build IPv6 capabilities using ISIS, then the
   amount of hardware resources are not as taxing since IPv6 is
   integrated within ISIS.  The protocol does not need to be configured

3.3.2  EGP

   Generally BGP4 is the Edge gateway protocol of choice.  The EGP
   routing table consists of networks, which are received via
   customer advertisements, statically configured for customers who
   are not running a dynamic routing protocol or networks that are
   nailed up as part of the ISP infrastructure.

   A decision must be made on whether the exchange IPv6 routes via
   BGP4+ or to use static addressing with each neighbor.

3.3.3  IRR & Routing Policy

   Routing policy on the core includes multiple peer-groups setup to
   represent a collection of customers, external peers or internal
   peers.  In the case of customer connections, there are peer
   groups that are configured to send FULL_ROUTES, CUSTOMER-ROUTES
   or DEFAULT-ROUTES to a particular set of customers.  To perform
   this function, the peer groups reference ROUTE-MAPs.  External
   peers generally fit into the CUSTOMER_ROUTES peer group.  In the
   case of internal peers an INTERNAL peer group is used to identify
   internal routers that carry backbone circuits and an RRCLIENT
   peer-group is created to group border routers with a common set
   of characteristics.

Mickles, et al.        Expires - Sept. 2003                  [Page 7]

                Transition Scenarios for ISP Networks      Mar. 2003

   Assuming most Core providers are using BGP4 to exchange IPv4 routes
   the providers will have multiple routing policies and various peer
   groups setup for IPv4 neighbors.  A sample of these various policies
   are noted above.  A choice must be made as to whether to create
   parallel sets of routing policy for IPv6 neighbors whether they
   are INTERNAL or EXTERNAL to the network.  A decision on where/how
   to register IPv6 routing policy in the IRR must be done as well.

3.3.4  Multicast

   PIM-SM is the generally accepted solution for deploying multicast.

   For IPv6, this is a hard problem.

3.3.5  Addressing

   Addressing in the Core of the network has two components. The
   infrastructure routers have requirements for loopback and
   point-to-point addresses.  These addresses are routed within the
   IGP.  Customer routes are pinned up on core routers.

   In the area of IPv6 addressing, the core providers should determine
   whether create additional IPv6 loopback interfaces as well as decide
   whether to add IPv6 addresses on all point to point links along side
   IPv4 addresses.  As with IPv4 aggregate routes, the core provider must
   determine whether IPv6 aggregate routes should be "pinned up" or
   advertised from the edge network.

3.3.6     NAT

   NAT may be deployed in the Core provider networks only in special

   In terms of IPv6 routing in the core, IPv4 NATs should be avoided
   when trying to exchange IPv6 traffic.

3.3.7  Aggregation

   Aggregation of routes in the Core networks should be done.
   Networks that are used for loopbacks and interfaces should be
   aggregated prior to being advertised externally.  Generally
   aggregated "pin up" routes are placed on routers that carry
   backbone trunks.

   For IPv6, ISPs must choose whether they will aggregate loopbacks
   and interfaces as is done in IPv4.

Mickles, et al.        Expires - Sept. 2003                  [Page 8]

                Transition Scenarios for ISP Networks      Mar. 2003

3.4. Traffic Engineering

   Core providers have few choices in terms of traffic engineering.
   One method is MPLS.  To use MPLS, a provider only needs a traffic
   matrix of next-hop data from within their network.  Once a
   provider knows how much traffic is sent between all routers in
   the network, MPLS tunnels can be built to steer traffic over the
   optimum path to deliver all traffic.  This scheme is analogous to
   the use of ATM PVCs over OC-12 circuits in prior years.  Most
   networks employ some type of traffic engineering mechanism to
   steer traffic around potentially congestive areas.  Beyond the
   standard methods of TE, some ISPs attempt to adjust metrics or
   cost on p2p links to perform TE.  An additional method involves
   using varying BGP routing announcements to increase or decrease
   traffic on a particular link.  Finally, there are also networks
   that employ an over provisioning model to limit packet loss.  This
   involves adding capacity above and beyond what is needed.

   Core ISPs must consider whether to deploy IPv6 traffic engineering
   mechanisms to control the flow of IPv6 traffic through the network.
   IPv6 has inherent advantages to perform native traffic
   engineering or the provider may use existing IPv4 "tweaks" to
   control IPv6 traffic flow.

3.5. Security

   In the Core provider's network, security has a specific scope.
   Securing a network is typically done on the border or edge router.
   Generally an attempt is made to filter BOGON(RFC 1918) routes,
   traffic sourced from unallocated address space or sourced from
   address ranges that are internal to the local ISP.  In some
   cases, hosts that support the infrastructure network equipment
   generally have filters in place to protect those hosts from
   outside attacks.

   In many Core networks, there is IPv4 filtering in place for many
   reasons.  The ISP must determine whether adding IPv6 filtering
   policy to the current set of policy will add the protection needed
   and allow the network to remain stable.

3.5.1 Intrusion Detection

   Intrusion detection mechanisms and systems are used to protect
   infrastructure and host gear.  Generally these intrusion
   detection systems are placed at various points within the network
   to search for vulnerabilities within the infrastructure as well
   as monitor activity that may be considered suspicious.

Mickles, et al.        Expires - Sept. 2003                  [Page 9]

                Transition Scenarios for ISP Networks      Mar. 2003

   For IPv6 intrusion detection may be more difficult to perform
   due to the large subnet size generally deployed in IPv6 networks.
   The average subnet is a /64 network which makes random scans by
   attackers less effective.  There are cases where known server
   systems which may be published in DNS may be targeted.  The ISP
   must choose whether to deploy IPv6 intrusion detection mechanisms
   prior to implementing IPv6.

3.5.2 Ingress Filtering

   Ingress filtering on Core networks comes in multiple flavors.
   For providers that do filter, the first level is EGP filtering.
   When a peering session is setup, ISPs require a peer to register
   their routes in an IRR and that data is used to create an EGP
   filter on the peering session to only accept registered
   advertised routes.  A step beyond this includes Reverse Path
   Forwarding (RPF) checks to verify that traffic sourced from the
   customer link is within the advertised range.  An alternative to
   the automated RPF checks is the brute force static packet filters
   which can be used to control traffic sourced from a particular
   customer link.

   For IPv6, Core providers must determine whether to implement
   similar ingress filtering mechanisms which are currently deployed
   in IPv4 networks.

3.6. Network Management

   Devices within the network must be monitored.  This is done over
   in-band connections to the network devices.  Generally there are
   filters on the routers to allow SNMP queries from the query

3.6.1 Out of band

   Out of band networks allow access to consoles of the network
   gear.  In some cases this access is done in-band.  There are also
   cases where separate networks are built to allow access.

   The Core ISP must determine whether to convert it's out of band
   network to IPv6 or not.

3.6.2 Configuration Tools

   Many ISPs have monitoring tools that query the network gear to
   gather data.  These scripts may be written in perl or expect and
   will access the device via the CLI over the in-band ipv4

Mickles, et al.        Expires - Sept. 2003                  [Page 10]

                Transition Scenarios for ISP Networks      Mar. 2003

   The ISP must determine whether support servers will have the
   ability to contact network gear over native IPv6 connections
   or not.

3.6.3 SNMP

   Statistical monitoring of network gear is done via SNMP queries.
   These queries are done via the in-band connection.

   The ISP must decide whether Network Management devices will contact
   infrastructure over native IPv6 or IPv4 connections.

3.7. Hosting Gear

   In terms of host gear, the Core networks maintain hosts for
   supporting and managing the network, but not necessarily the end
   user.  The standard set of hosts include DNS servers, mail
   gateways, authentication( RADIUS or TACACS), and network
   management servers.  The servers are distributed to strategic
   locations for diversity purposes.  Servers included in this model
   include DNS and TACACS servers that directly support the
   operator's network.  Reachability to the servers is over an IPv4
   routed connection.  Caching infrastructure is deployed in CORE
   provider networks in a very limited fashion to assist in reducing
   the traffic pulled from external sources.

   For IPv6, providers must decide whether to deploy parallel host
   infrastructure for IPv6.  Other considerations include whether
   all existing host infrastructure should have IPv6 reachability.

Mickles, et al.        Expires - Sept. 2003                 [Page 11]

                Transition Scenarios for ISP Networks      Mar. 2003

4.  Broadband HFC/Coax Networks

   This section describes the infrastructure that exists in today's
   HFC cable networks that support cable modem services to the home.
   Since many cable providers are regional they generally have used
   the backbone ISP networks for transit IP services beyond their

4.1  Terminology

   HFC network: Hybrid Fiber Coaxial network
   CM: Cable Modem
   CMTS: Cable Modem Termination System
   CPE: Customer Premises Equipment
   DOCSIS: Data Over Cable Service Interface Specification -- the
      standards defining how data should be carried on HFC networks

4.2 Topology

4.2.1 Physical

   HFC networks are a mix of fiber optic and coaxial cables
   originally designed for the delivery of cable television.  A
   single infrastructure can support video distribution, data
   networking and telephony.  Video and data signals are typically
   sourced from different systems and frequency division multiplexed
   over the HFC network.  Historically HFC networks were
   uni-directional and required some kind of telco-return path to
   support bi-directional data.  Today much of the cable
   infrastructure has been upgraded to support return paths over the
   HFC network.
   A CMTS can serve quite a large geographic area: 10s of miles
   radius is not uncommon and DOCSIS specifies a 100 mile diameter
   upper limit.
   In a DOCSIS system, down-stream and up-stream channels are
   distinct and occupy different frequency bands.  A CMTS may
   terminate multiple up and downstream channels and a CM must tune
   in to an up-stream and down-stream channels before communicating.
   All packets on the HFC network are forwarded via the CMTS.  Cable
   modems may forward packets between network segments attached to
   CPE.  Hundreds of hosts on a cable network may be part of the
   same broadcast domain.

Mickles, et al.        Expires - Sept. 2003                 [Page 12]

                Transition Scenarios for ISP Networks      Mar. 2003

4.2.2 Logical

   DOCSIS systems are designed to transport IP traffic.  The
   following two paragraphs are present in all current DOCSIS
   Section 1.3.1 [DOCSIS-1.1]:
       "The intended service will allow transparent bi-directional
       transfer of Internet Protocol (IP) traffic, between the cable
       system headed and customer locations, over an all-coaxial or
       hybrid-fiber/coax(HFC) cable network."
   Section [DOCSIS-1.1]:
       "Forwarding of IP traffic MUST be supported. Other network
   layer protocols MAY be supported. The ability to restrict the
   network layer to a single protocol such as IP MUST be supported."
   In the context of the [DOCSIS-1.0], [DOCSIS-1.1] and [DOCSIS-2.0]
   specifications "Internet Protocol (IP) traffic" means IPv4 traffic.
   The following diagram(Figure 5.2.2) has been reproduced from the
   DOCSIS RFI specification [DOCSIS-1.1] and slightly simplified:

                    |           |
                    |           |
              /-----+           |          +--------+
         WAN <------+   CMTS    |<========>| Modem  |<===> CPE
              \-----+           | Cable    +--------+  |
                |   |           | Network              |
                |   |           |                      |
                |   +-----------+                      |
                |                                      |
              "Transparent IP Traffic Through the System"
            Figure 4.2.2
   Note that between the WAN and the CPE, both forwarding at Layer-2
   (bridging) and at Layer-3 (routing) will meet the goal of
    transparent transport of IP traffic.

4.3. Hardware

4.3.1 Cable Modems

   Cable modems operate as transparent L2 bridges forwarding
   datagrams from the HFC network to the CPE network.

Mickles, et al.        Expires - Sept. 2003                 [Page  13]

                Transition Scenarios for ISP Networks      Mar. 2003

   Cable modems use a combination of policy settings and
   IGMPv2[RFC2236] to control multicast forwarding (see Section
   3.3.1 [DOCSIS-1.1]).
   Forwarding of IPv6 multicast datagrams may not occur properly as
   CMs are required to forward multicast datagrams only when CPE
   equipment has joined that group.  This is potentially a
   show-stopper if native IPv6 Neighbor Discovery[RFC2461] is being
   used through a CM.

4.3.2 CMTS Layer-2 Bridge

   A DOCSIS compliant CMTS may be implemented as a Layer-2
   transparent bridge.  Forwarding of IPv4 packets by the
   transparent bridge is mandatory and forwarding of other protocols
   may be supported.  It is likely that implementers using this
   approach will support forwarding of arbitrary protocols using
   802.1d hence forwarding of native IPv6 datagrams should just work.
   IPv6 is then deployed on the ISP router infrastructure natively
   or using an automatic tunneling scheme like 6to4[RFC3056].  As
   with the CM, a bridged CMTS that selectively forwards multicast
   datagrams on the basis of IGMPv2 will potentially break IPv6 ND.
   This behavior is recommended but not mandated for a     Layer-2
   CMTS.  Communication between CPE behind different cable modems is
   always forwarded by the CMTS.  IPv6 communication between the
   different  sites relies on multicast IPv6 Neighbor Discovery
   [RFC2461] frames being forwarded correctly by the CM and the CMTS.

4.3.3 CMTS IP Router

   A DOCSIS compliant CMTS may be implemented as a Layer-3 IPv4
   router.  In this case IPv6 packets passing from the WAN network
   to CPE must be encapsulated in IPv4.  Forwarding between channels
   on the HFC network (i.e.  within a CMTS) may still take place at
   L2 hence the comments in Section 3.2 may also apply.
   A CMTS may also be an IPv6 router and thus support IPv6 natively.

4.3.4 IPv4 NAT CPE routers

   A fairly common CPE device in HFC networks is the IPv4 NAT/DHCP
   router.  It is usually connected between the cable modem and all
   other CPE equipment allows multiple devices to share a single
   IPv4 address and cable modem connection with a minimum of
   configuration overhead.  The NAT/DHCP router is a directional
   IPv4-only device in the communication path between the CMTS and
   the CPE. Unfortunately the IPv4 NAT router prevents (or at least
   seriously complicates) the deployment of IPv6 in a number of ways:
   o  As an IPv4-only device it will block native IPv6 frames
   forwarded through the cable modem.

Mickles, et al.        Expires - Sept. 2003                 [Page 14]

                Transition Scenarios for ISP Networks      Mar. 2003

   o  The use of private addresses on the CPE network means that
      schemes relying on global IPv4 addresses (e.g.  6to4[RFC3056])
      cannot be used.
   o  Many NAT/DHCP routers only support forwarding of a limited
      number of IPv4 protocols (e.g.  TCP, UDP, ICMP) and will drop
      IPv4 encapsulated IPv6 with an "unknown" protocol number (e.g.
      6to4 packets).

   In an ideal world every IPv4 NAT router would be upgraded to
   additionally become a native IPv6 router using 6to4 automatic
   In general 6to4 residential gateway devices must be made as
   self-configuring as existing IPv4 NAT routers.

4.4 Routing

   There are no known HFC-specific routing issues.
   Cable networks are typically access networks.  If the CMTS is a
   native IPv6 router then it will likely need to participate in
   ISPs the IGP of choice.  If the CMTS is a bridge, the
   infrastructure router(s) that it connects to will need to speak
   an IGP.  If 6to4[RFC3056] is used, it is recommended that the ISP
   sink (and forward) traffic to the anycast 6to4 relay router address

4.5 Policing

   Cable networks are large shared subnets.  Filtering is extensively
   used in this environment to ensure stability of the network and to
   protect subscribers.  For example, filters are used to prevent CPE
   DHCP server responses from escaping from the CPE network.  As a
   security measure, filters are very often deployed to prevent file
   sharing protocols leaking between different CPE sites.
   IPv6 opens up a new communication channel.  Existing IPv4 filter
   software will not block IPv6 communication.  If IPv6 is tunneled
   over an IPv4 infrastructure filters may need to examine the
   contents of encapsulated packets.

4.6 Security

   CPE NAT boxes are rectifying routers.  This can be viewed as an
   implementation of an "outgoing only" security policy.  IPv6
   devices need to be able to support a similar kind of policy.

Mickles, et al.        Expires - Sept. 2003                 [Page 15]

                Transition Scenarios for ISP Networks      Mar. 2003

4.7 Network Management

   DOCSIS cable modems use an out of band, privately addressed IPv4
   network for configuration and network management functions.
   DOCSIS cable modems and CMTS are IPv4 hosts on the out of band
   management network.  At present there is no compelling need to
   update this network to support IPv6.
   DOCSIS cable modems use:
      SNMP [RFC1157] for network management.
      TFTP [RFC1350] for software and configuration parameter
      DHCP [RFC2131] for acquiring IPv4 address, etc allowing
      communication on the management network.
      ToD [RFC0868] for initial time synchronization.
   Various MIBs for RF and CPE filter configuration..  DOCSIS OSSI
   docs override the IETF MIB specifications.  Any IPv6 issues in

4.8  Host Gear

   Dual stack DNS server is necessary if you want to support
   IPv6-only CPE equipment.
   DDNS is pretty much mandatory if you want to give CPE devices DNS
   names.  This is because only the IPv6 host knows what its full
   IPv6 address is (esp when privacy addresses are used).
   Transition functionality..  which?  where?
   v4/v6 translation between devices in the home is done where? If
   RFC1918 addresses are in use (perhaps behind the NAT), then there
   isn't much choice but to do it inside the CPE box.
   Transparent proxy caches aren't going to cache IPv6 web traffic.

Mickles, et al.        Expires - Sept. 2003                 [Page 16]

                Transition Scenarios for ISP Networks      Mar. 2003

5. Broadband DSL Networks

   This section describes the infrastructure that exists in todays
   High Speed DSL Networks.

5.1 DSL physical architecture

   Digital Subscriber Line (DSL) technology is a modem technology
   that allows subscribers to perform access from the home or office
   to broadband network services by using existing twisted-pair
   copper wire telephone lines.
   The term xDSL is the generic name that has been given to the
   family of digital subscriber line technologies, including ADSL,
   The POTS (Plain Old Telephone Service) takes only the frequency
   range 0-3000 Hz but there is considerably more bandwidth on these
   copper lines; DSL gets more from them by using sophisticated
   digital coding and splitting the line (reserving the higher
   frequencies for data, the lower for voice and fax) to achieve
   high-speed data transmission over the local loop from the
   customer site to a service provider's switching center. But the
   bandwidth a subscriber can receive depends on the quality of the
   line and on the distance to the service provider's center.
   Distance can be increased, but then speed is reduced. For
   instance, it is possible to use ADSL up to 18,000 feet, but the
   maximum downstream speed is then reduced to 1544 kbps.  Several
   models are used to deploy IP over DSL services, but all use the
   same components:

Mickles, et al.        Expires - Sept. 2003                 [Page 17]

                Transition Scenarios for ISP Networks      Mar. 2003

Customer Premises | Network Access Provider | Network Service Provider
       CP                     NAP                        NSP

+-----+  +-----+       +-----+
|Hosts|--| DSL +-------+DSLAM|
+-----+  |Modem|       |     +----+
         +-----+       +-----+    |
+-----+  +------+                 |  +-----+    +-------+
|Hosts|--|Router|                 +--+ BAS +----+  ISP  |         ISP
+-----+  +--+---+                 +--+     |    |  Edge +===> Network
            |                     |  +-----+    | Router|
         +--+--+                  |             +-------+
         | DSL +---+              |
         |Modem|   |              |
         +-----+   |              |
                   |   +-----+    |
+-----+  +------+  +---+DSLAM+----+
|Hosts|--|Router|  +---+     |
+-----+  +--+---+  |   +-----+
            |      |
         +--+--+   |
         | DSL +---+

            Figure 5.1
   The hosts are connected to the DSL network either directly
   through a modem, either through a router and a modem. The modems
   may be included in the hosts or in the routers. When it is not
   the case, the DSL modems may be accessed through ATM, Ethernet or
   USB.  It must be noted that when a router is used in customer
   premises, it often has only very limited resources in terms of
   memory or processing power.
   IP packets are then transported on twisted-pair telephone lines
   to the NAP's DSLAM (DSL Access Multiplexer), thanks to DSL
   technology. The DSLAM terminates and multiplexes several DSL
   accesses to the NAP's backbone. It forwards data to the BAS
   (Broadband Access Server = DSLAM aggregator), which is in charge
   of directing them to the POP (Point Of Presence = the ISP Edge
   Router) of the NSP that the client has subscribed to. Note that
   NAP and NSP can be the same organization. The technology used in
   the NAP network is usually ATM, but other types of layer 2
   technologies may be used.
   This model enables the local operator to make its local copper
   available to other companies. Operators are then able to offer
   DSL technology for broadband Internet access.

Mickles, et al.        Expires - Sept. 2003                 [Page 18]

                Transition Scenarios for ISP Networks      Mar. 2003

   As the access network puts service users in communication with
   their NSPs, security and access control are required.

5.2 Logical architectures used today for IPv4 access

   Data transport between the CPE and the service provider's point
   of presence (POP) generally relies on an ATM based infrastructure.
   Two types of use of this infrastructure are common:
   * ATM point-to-point model: one PVC connects each subscriber to
   its NSP. From the Broadband Access Server (BAS), there are
   exactly as many PVCs across the NAP network as the number of
   subscribers (i.e. one PVC per subscriber).  This model is
   detailed in section 5.2.1.
   * Aggregation model: the BAS aggregates multiple subscriber PVCs
   into trunk PVCs to reduce the number of PVC connections across
   the NAP core network (one PVC provisioned for many subscribers to
   the same destination NSP, or if the NSP offers multiple service
   levels, more than one PVC could be established across the core).
   There are two usual ways to aggregate connections:
   - PPP Terminated Aggregation (PTA): PPP sessions are opened
   between each subscriber and the BAS. The BAS terminates PPP
   sessions and transfers subscriber's traffic up to the POP.  This
   model is detailed in section 5.2.2.
   - L2TP Access Aggregation (LAA): PPP sessions are opened
     between each subscriber and the POP. The BAS dispatches PPP
     sessions up to the POP, by encapsulating them into L2TP tunnels.
     This model is detailed in section 5.2.3.


   This model is adapted to networks with few subscribers and static
   configuration. It is simple to deploy but it cannot be used in
   large networks.
   In this model, each subscriber is connected to its NSP via one
   PVC.  The user network IP packets are transmitted frames from the
   CPE to the DSL modem or router. There, RFC 2684 bridging occurs:
   The LAN frames are forwarded into an ATM PVC (segmenting them
   into ATM cells through AAL5).

   The following figure describes the protocol architecture of this

Mickles, et al.        Expires - Sept. 2003                 [Page 19]

                Transition Scenarios for ISP Networks      Mar. 2003

     Customer Premises              NAP                 NSP
<------------------------->  <---------------> <-------------------->

+-----+  +-------+  +-----+  +--------+        +-----------+
|Hosts|--+Router +--+ DSL +--+ DSLAM  +--------+    ISP    |      ISP
+-----+  +-------+  |Modem|  +--------+        |    Edge   +==> Network
                    +-----+                    |   Router  |

            Figure 5.2.1
   Since the CPE is in bridging mode, this model is
   layer 3-independent and the NAP is free of addressing and routing
   concerns.  The NSP edge router sees all subscribers as attached
   to the same Ethernet link. Very complex controls and restrictions
   must thus be performed to avoid spoofing and broadcast storms.
   Last, subscribers do not have access to multiple ISPs over a
   single DSL line.


   The PTA architecture relies on PPP-based technologies (PPPoA and
   PPPoE), terminated at the BAS. The BAS has at least one PVC
   opened to each NSP, but several PVCs are sometimes used when the
   NSP offers differentiated services (QoS...).
   In this architecture, the aggregator BAS provides PPP session
   termination and the subscriber data is then forwarded to the
   NSP's edge router using IP over ATM.

   Since the PPP session is terminated at the BAS, the BAS must
   perform per session authentication, authorization and accounting
   on behalf of the NSP, and perform layer 3 routing.  The PTA
   architecture has several advantages. First, it reduces the number
   of PVCs used in the NAP core network. Second, it offers the
   subscribers the capability to choose between several NSPs.
   However, it is not as flexible as the LAA model from this point
   of view: it requires strong coordination between the NSP and the
   NAP. This model is often used when the NSP is also the NAP. Connection using PPPoA

   The following figure describes the protocol architecture of this

Mickles, et al.        Expires - Sept. 2003                 [Page 20]

                Transition Scenarios for ISP Networks      Mar. 2003

  Customer Premises              NAP                   NSP
<--------------------> <----------------------> <----------------->

                                                     |    AAA    |
                                             +-------+   Radius  |
                                             |       |   TACACS  |
                                             |       +-----------+
+-----+  +-------+      +--------+ +----+-----+ +-----------+
|Hosts|--+Router +------+ DSLAM  +-+   BAS    +-+    ISP    |
+-----+  +-------+      +--------+ +----------+ |    Edge   +=>Core
                                                |   Router  |

   The PPP sessions initiated by the CPEs are terminated at the
   aggregation device (BAS), which authenticates users either by
   using a local database or by sending a request to a remote server
   located at the NSP (a RADIUS server for instance). When RADIUS is
   used, a user can be authenticated based on a username or based on
   the VPI/VCI used. There is only one PPP session per ATM PVC.

   Upon successful authentication, the customer premises equipment
   may then be configured dynamically. Of course, static
   configuration is also possible. When dynamic configuration is
   used, the BAS obtains the address of a DNS server and an IPv4
   address or prefix for the customer, usually through a DHCP server
   or a RADIUS server. The BAS then sends this information to the
   CPE via IPCP, and establishes a new route between the CPE and the
   BAS. Connection using PPPoE

   The following figure describes the protocol architecture of this

Mickles, et al.        Expires - Sept. 2003                 [Page 21]

                Transition Scenarios for ISP Networks      Mar. 2003

  Customer Premises              NAP                   NSP
<--------------------> <----------------------> <----------------->

                                                     |    AAA    |
                                             +-------+   Radius  |
                                             |       |   TACACS  |
                                             |       +-----------+
+-----+  +-------+ +--------+ +--------+ +----+-----+ +-----------+
|Hosts|--+Router +-+ Modem  +-+ DSLAM  +-+   BAS    +-+    ISP    |  C
+-----+  +-------+ +--------+ +--------+ +----------+ |    Edge   +=>O
                                                      |   Router  |  R
                                                      +-----------+  E


   The PPPoE-based PTA model is more flexible than the PPPoA based
   one:  several PPP sessions may be opened with the BAS at the same
   time, over as many PPPoE sessions. This allows subscriber to
   access several services at the same time, on the same VC.
   The authentication process is the same as the PPPoA one except
   that VPI/VCI-based authentication cannot be used.
   It must be noted that the extra PPPoE encapsulation reduces the
   IP MTU and MRU, because two PPP and PPPoE headers (2+6 bytes) are
   inserted between the IP packet and the Ethernet header. This also
   results in a decrease of the MSS of TCP that applications should


   While PTA model terminates PPP sessions at the aggregation device
   and then forwards IP traffic to its destination, LAA model allows
   forwarding PPP sessions from subscribers to the NSP's point of
   presence, via a L2TP tunnel.  When a CPE initiates a session with
   its NSP, the BAS intercepts the PPP connection request. It reads
   the PPP identities of the subscriber and of the NSP, and sends a
   request to the NSP's RADIUS server, asking for the address of the
   device to which the PPP connection should be forwarded.
   If not opened yet, a L2TP tunnel is established between the BAS
   and the NSP's server. The PPP connection is then encapsulated and
   forwarded into this tunnel.  User authentication and dynamic
   configuration are performed by the NSP itself.

Mickles, et al.        Expires - Sept. 2003                 [Page 22]

                Transition Scenarios for ISP Networks      Mar. 2003 Connection via PPPoA

   The following figure describes the protocol architecture of this

  Customer Premises              NAP                   NSP
<--------------------> <----------------------> <----------------->

                                                |    AAA    |
                                                +   Radius  |
                                                |   TACACS  |
+-----+  +-------+      +--------+ +----+-----+ +-----+-----+
|Hosts|--+Router +------+ DSLAM  +-+   BAS    +-+    ISP    |
+-----+  +-------+      +--------+ +----------+ |    Edge   +=>Core
                                                |   Router  |
            Figure Connection via PPPoE

   The following figure describes the protocol architecture of this

Mickles, et al.        Expires - Sept. 2003                 [Page 23]

                Transition Scenarios for ISP Networks      Mar. 2003

  Customer Premises              NAP                   NSP
<--------------------> <----------------------> <----------------->

                                                     |    AAA    |
                                                     |   Radius  |
                                                     |   TACACS  |
+-----+  +-------+ +--------+ +--------+ +----+-----+ +----+------+
|Hosts|--+Router +-+ Modem  +-+ DSLAM  +-+   BAS    +-+    ISP    |  C
+-----+  +-------+ +--------+ +--------+ +----------+ |    Edge   +=>O
                                                      |   Router  |  R
                                                      +-----------+  E



   While PPPoA does not impact the default MTU on an LAN environment
   (1500 bytes), PPPoE induces a smaller MTU (1492 bytes, 1500 bytes
   minus 2 bytes for PPP header and 6 bytes for PPPoE header).  This
   causes some problems, especially when ICMP error messages such as
   "Packet Too Big' are filtered by intermediate nodes.


   One of the benefits of DSL for the customer is the capability to
   enjoy a permanent connection to the Internet on the telephone
   line. This allows the customers to use peer-to-peer applications
   and to set up servers when they are given stable global IP
   addresses.  However, some service providers do not supply static
   addresses by default, and a lot of customers are using dynamic
   addresses today.  Customers are usually disconnected every day
   and are given a new address each time they reconnect.  Most of
   the times, customers use private addressing on their LAN and the
   access routers then perform NAT for Internet access.  Some small
   ISPs do not even provide global addresses to their customers.
   These ISPs then operate NATs on their backbones.

Mickles, et al.        Expires - Sept. 2003                 [Page 24]

                Transition Scenarios for ISP Networks      Mar. 2003

   Customers of DSL services may run routing protocols on their LAN
   (usually RIP or OSPF), but these LANs are usually small and do
   not require the use of a routing protocol.
   When a router is used in the customer premises, it is usually
   configured with a default route to the NSP's edge router. In case
   of multi-homing, the customer's router may use BGP.
   The NAP may have to run an IGP (OSPF or IS-IS).
   Usually, the NSP uses an IGP (OSPF or IS-IS) on its core network.

5.5 DNS

   Very often, the domain name of the customer is managed by the NSP
   and the domain name server is also hosted by the NSP.
   In fewer cases, the customer hosts the server on its own LAN.

5.6 Network management

   Usually, NSPs manage the edge routers by SNMP. The management
   stations are located on the core network.
   Very few service providers manage equipment located on customers
   LANs.  The use of NAT on the customer edge router forbids this
   type of service.

Mickles, et al.        Expires - Sept. 2003                 [Page 25]

                Transition Scenarios for ISP Networks      Mar. 2003

6.  Narrowband Dialup Networks

   This section describes Narrowband dialup networks that the
   majority of internet users use today to get online.  The
   scenarios will include solutions where the dial infrastructure is
   controlled by one entity as well as solutions where ISPs lease
   modems from a wholesale modem providers.
   There are multiple types of dialup services from plain/no frills
   access to the Internet, to wholesale dialup networks that can
   purchased by an organization wanting to resell internet services,
   and then there are the full service dialup providers that provide
   a long list of features to the end user.  Generally smaller
   dialup ISPs purchase a T1 or greater facility from a Local
   Exchange Carrier(LEC) to the facility where modem equipment is
   housed.  The choice in terms of the number of T1s (or other) is
   made dependent on how many simultaneous users are supported in
   the ISP's business model.  Depending on the coverage area
   multiple phone numbers may be provided for the end-user to dial
   and the LEC may choose to route all calls to a common termination
   point or provide the traffic across multiple T1 facilities.  When
   an end-user dials an access number, the LEC routes the call to
   the modem server location and is generally mapped by the LEC into
   a T1 facility that terminates on the modem server.  The modem
   server attempts to verify the user credentials by querying the
   authentication server via an IP interface on the modem server.
   The modem server is present on a LAN network segment along with
   any relevant hosts as well as the default gateway router.  Some
   services that are common to all dialup providers include the
   ability to provide DNS service either primary or secondary and an
   authentication server.  The wholesale dial provider builds out
   the dial network just as the small dialup provider does.
   Differences include the ability of the wholesale provider to hand
   off aggregated traffic to the organization purchasing wholesale
   access or to allow the aggregated traffic to reach the Internet
   at large without the purchasing organization needing major
   internet access facilities.  Each case has different implications.

   The infrastructure used in the foundation of these various
   offerings is somewhat similar although the deployments vary
   depending on the level of service offered.  The basic dialup
   service provider model that includes modem access to the Internet
   can be built from a terminal server (generally a digital modem
   bank), a Layer 2 switch and routers.  For global reachability the
   dialup provider must connect to a backbone provider.  The basic
   design calls for the terminal server to be attached to a layer 2
   switch that would in turn have connections to a router.  For
   redundancy, a dialup

Mickles, et al.        Expires - Sept. 2003                 [Page 26]

                Transition Scenarios for ISP Networks      Mar. 2003

   provider can spread multiple shelves of terminal servers across
   individual routers and manually shift traffic if a router becomes
   disabled.  A more robust redundant solution would be to deploy
   pairs of routers and use some Router Redundancy Protocol
   functionality to maintain traffic in the event of a failure of
   one router.

6.1 Topology

+-----+  +------+       +------+
|Hosts|--| 56K  +-------+Modem |          +----------+
+-----+  |Modem |       |Bank  +----------+  ISP 1   |         NSP 1
         +------+       +------+          |  Edge    +=====> Network
                        |      |          | Router   |
                        |      |          +----------+
                        |      |
                        |      |          +----------+
                +-------+      +----------+  ISP 2   |         NSP 2
                |Radius |      |          |  Edge    +=====> Network
                |Server |      |          | Router   |
                +-------+      |          +----------+
                               |          +----------+
                               +----------+  ISP 3   |         NSP 3
                                          |  Edge    +=====> Network
                                          | Router   |

            Figure 6.1

6.2. Hardware

   The hardware involved in dialup service provider connections
   include the CPE device that is usually a 56K modem, the Terminal
   server/modem bank and an authentication server.

6.3. Routing

   From the host device the user connects to the terminal server
   using Point-to-Point Protocol (PPP).  Once the PPP connection is
   made the user credentials are sent to the Authentication server.
   The user is then assigned an IP address and then the connection
   is forwarded to the appropriate Internet Service Provider (ISP)
   and then on to a Network Service Provider (NSP).  The NSP and ISP
   network can be external or internal to the dialup service

Mickles, et al.        Expires - Sept. 2003                 [Page 27]

                Transition Scenarios for ISP Networks      Mar. 2003

   In some cases Dial-up service providers will use Network Address
   Translation (NAT) to connect to external networks.  NAT is only
   required if the address assigned by the authentication server is
   not a public address.  Routing protocols such as an IGP or EGP
   will only come into play between the ISP and NSP networks. The
   address space required at a point of presence (POP) is determined
   by summing the number of modem ports available at a POP.  IRR
   routing policy is generally registered by the ISP or NSP but in
   some cases the dialup provider may register policy.

   For IPv6, the Dial-up provider must consider the location of
   IPv4 NAT devices since IPv6 traffic does not pass through NAT
   devices.  This ISP must also consider how traffic will be
   exchanged with the NSP.  The choice will be determined by
   whether the existing NSP router has IPv6 reachability.  If the
   NSP does not provide IPv6 access, the Dial-up provider may install
   additional connectivity to alternate NSP providers of IPv6
   reachability to deliver IPv6 traffic or build IPv6 tunnels over
   IPv4 to reach an IPv6 router which has global IPv6 reachability.

6.4. Traffic Engineering

   Traffic Engineering (TE) at the dialup ISP level is closer to
   connection load balancing.  TE is generally done by the
   authentication servers, which monitor the number of active
   connections and balance connections across available ISP routed

   There are no considerations for IPv6 in terms of traditional
   traffic engineering in the dialup scenario.  There may be a need to
   balance incoming IPv6 dialup connections across a radius server
   via a load-balancing switch device.

6.5. Security

   Security in the dialup ISP model is mainly meant to protect the
   network gear from intrusion.  By default the terminal servers
   prevent connections between users.

   For IPv6, the Dial-up ISP must determine whether to protect all
   devices on local segments from being attacked via a native IPv6

6.6. Network Management

   Accounting and statistical information is collected on a per-user
   basis for billing purposes and the tools required need to
   support gathering IPv6 data.

Mickles, et al.        Expires - Sept. 2003                  [Page 28]

                Transition Scenarios for ISP Networks      Mar. 2003

6.7. Hosting Gear

   There are a number of hosts that support the dialup ISP model.
   All servers do not necessarily reside at the terminal server
   point of connection.  Servers included in this model include DNS,
   Radius, and Mail servers that directly support the end user but
   are deployed in an optimum location.  Reachability to the servers
   is over an IPv4 routed connection.  Servers indirectly related to
   supporting the user include TACACS servers used to authenticate
   access to network equipment, tool servers to query and monitor,
   and cache servers that assist in handling web requests.  Cache
   servers are typically used transparently in between the user and
   the Internet.

   The Dial-up ISP must determine which host infrastructure must be
   reachable via IPv6.  The devices in question may include all
   the servers mentioned above depending on the service offering.

Mickles, et al.        Expires - Sept. 2003                 [Page 29]

                Transition Scenarios for ISP Networks      Mar. 2003

7. Public Wireless LAN

   This section describes the infrastructure that exists in today's
   public wireless LAN services.

7.1 Topology

7.1.1 Physical architecture of public wireless LAN

   Public wireless LAN (WLAN) enables subscribers within home,
   office or the outdoors to perform Internet access by using WLAN
   technology. WLAN technology is standardized by IEEE 802.11, and
   its maximum transmission speed varies from 1 or 2 Mbps
   (IEEE 802.11) and 11 Mbps (IEEE 802.11b) to 54 Mbps
   (IEEE 802.11a).
   Figure 7.1.1 describes the physical architecture of wireless LAN

                                                      | AAA   |
                                                      | Radius|
                                                      | TACACS|
             '---'                                    +-------+
            (      )                                       |
  +-----+  (Wireless)   +----+     /------------\     +-------+
  |Hosts+--(  LAN   )---| AP |----|  Underlying  \--- | ISP   |=>Core
  +-----+  (        )   +----+     \ technology  |    | Edge  |
            (      )                \-----------/     | Router|
             '---'                                    +-------+

           Figure 7.1.1. Physical architecture of WLAN model.
   Hosts can connect to WLAN by using WLAN network interface card
   (NIC), by using PCI or PCMCIA slot. WLAN is basically a broadcast
   network, and several hosts can share the network by using carrier
   sense multiple access with collision avoidance (CSMA/CA) access
   mechanism. Legacy WLAN does not consider authentication and
   security, but allow any subscriber to connect the network at any
   time.  However, in order for WLAN to be used as public access
   network, such authentication and security mechanisms are required.
   Access point (AP) acts as an authentication client, and sends
   host's authentication parameter to authentication server. Such
   mechanisms are presented in 3.x.5 in detail.  Once the host is
   authenticated, AP acts as a bridge in order to relay host's
   information to ISP or vice versa. Various access network
   technologies can be used between AP and ISP.  Lease line, xDSL
   and HFC/cable are few examples.

7.1.2 Logical architecture of WLAN for data transmission

Mickles, et al.        Expires - Sept. 2003                 [Page 30]

                Transition Scenarios for ISP Networks      Mar. 2003

Figure 7.1.2 describes protocol architecture of WLAN model.

                                                      | AAA   |
                                                      | Radius|
                                                      | TACACS|
             '---'                                    +-------+
            (      )                                       |
  +-----+  (Wireless)   +----+     /------------\     +-------+
  |Hosts+--(  LAN   )---| AP |----|    Access    \--- | ISP   |=>Core
  +-----+  (        )   +----+     \ technology  |    | Edge  |
            (      )                \-----------/     | Router|
             '---'                                    +-------+

+----------+                                          +-------+
|   IP     |                                          |  IP   |
+----------+         +-----------+                    +-------+
| Wireless |         | Bridging  |                    |   |   |
|   LAN    |         +-----------+                    | X | Y |
|          |         |WLAN |  X  |                    |   |   |
+----------+         +-----+-----+                    +---+---+

       Figure 7.1.2 Logical architecture of WLAN for data transmission
   X is subscriber technology (leased line, xDSL, HFC/cable, etc.).
   Y is WAN technology (SONET/SDH, ATM, etc.).

7.2 Routing and Addressing

   Public wireless LANs are usually configured in small area (aka,
   hot spots) and basically broadcast networks. Thus, they do not
   require the use of a routing protocol.  One of benefits of public
   WLAN is to provide for customers convenient Internet access.
   This allows the customers in the outdoors to connect to public
   access networks.  ISPs supply not static addresses by default but
   dynamic addresses by DHCP.  The customers are usually
   disconnected every time and are given a new address each time
   they reconnect.  Most of the times, customers use private
   addressing and the access routers then perform NAT for Internet

7.3 Traffic Engineering

   ISPs may need to configure traffic filtering or provisioning on
   demand of their customers.

Mickles, et al.        Expires - Sept. 2003                 [Page 31]

                Transition Scenarios for ISP Networks      Mar. 2003

7.4 Security

   Like ethernet, IEEE 802.11 standard dose not define
   authentication and security mechanisms. Moreover, WLAN is
   basically a broadcast network and each host can listen
   information of another host within the same AP service area.
   Therefore, in order for ISPs to use WLAN as public access
   network, they should provide authentication and data privacy
   mechanisms. Authentication mechanism is used to identify whether
   a subscriber is registered to access the Internet. There can be
   two authentication mechanisms: (1) IEEE 802.1x and
  (2) non-standard MAC address based authentication. Once a
   subscriber is considered as valid, information exchanged between
   AP and the subscriber should be encrypted in order not to be
   understood by others. IEEE 802.11i is being standardized on new
   form of robust security network (RSN) architecture.

7.4.1 IEEE 802.1x based authentication

   IEEE 802.1x enables edge devices such as bridge or AP to perform
   authentication mechanism, and determines whether to allow or
   block data transmitted by hosts.  It uses extended authentication
   protocol (EAP) as a standard protocol to transmit subscriber's
   authentication data. Authentication is based of userID and/or
   password, and packets transmitted by un-authenticated hosts are
   filtered and dropped by AP
   Figure 8.4.1 describes logical architecture of 802.1x based
                                                      | AAA   |
                                                      | Radius|
                                                      | TACACS|
             '---'                                    +-------+
            (      )                                       |
  +-----+  (Wireless)   +----+     /------------\     +-------+
  |Hosts+--(  LAN   )---| AP |----|  Underlying  \--- | ISP   |=>Core
  +-----+  (        )   +----+     \ technology  |    | Edge  |
            (      )                \-----------/     | Router|
             '---'                                    +-------+
+----------+        +------------+
|   EAP    |        |     EAP    |
+----------+        +------------+
|  EAPoW   |        |EAPoW|Auth- |
|          |        |     |client|
+----------+        +-----+------+
| Wireless |        |WLAN | UDP  |
|  LAN     |        |     |      |
+----------+        +-----+------+                    +-------+
                          |  IP  |                    |  IP   |
                          +------+                    +-------+
                          |  X   |                    | X | Y |
                          +------+                    +-------+
       Figure 7.4.1 Logical architecture for authentication

Mickles, et al.        Expires - Sept. 2003                 [Page 32]

                Transition Scenarios for ISP Networks      Mar. 2003

   The operation of IEEE 802.11 is as follows. Host trying to access
   the Internet sends EAP-start message to AP. Then AP requests to
   host subscriber ID information necessary for user authentication.
   In this case, subscriber ID follows network access ID (NAI)
   similar to e-mail address format, in order to support global
   roaming and accounting.  Subscriber ID is inserted in
   AAA EAP-attribute message and transmitted to authentication
   server (such as Radius or TACACS server). Finally, authentication
   procedure is completed when AP receives authentication
   success/failure message from authentication server.

7.4.2 MAC address based authentication (non-standard)

   This mechanism supports host that does not support IEEE 802.1x.
   In this mechanism, AP inserts MAC address of hosts into username
   field and sends authentication message to authentication server.
   The server determines authentication based on MAC address of host.
   This mechanism can be considered as unsafe method because
   subscriber can lose the WLAN card and MAC address can be changed.

7.4.3 Data privacy

   WLAN is basically broadcast network. Therefore, every host within
   service area of an AP can listen another host's communication
   contents. Therefore, very complicated data privacy mechanism must
   be provided in order not to be revealed by other hosts except
   intended host. One method to accomplish privacy is to use
   extension of IEEE 802.1x.  Once the subscriber is successfully
   authenticated, master session key generated during authentication
   procedure is inserted in authentication success message and
   transmitted to AP. Then, AP exchanges the key with end host by
   using EAPoL-key message and synchronizes when to use the key. And
   then, AP encrypts EAP-success message with the key and sends it to
   the host in order to notify that the host is allowed to connect
   WLAN by using IEEE 802.1x. After that, host and AP use
   dynamically distributed key in order to guarantee privacy within
   wireless area.

7.4.4 Intrusion Detection, Ingress Filtering, and Prevention

   Moreover, intrusion detection, ingress filtering and prevention
   should be considered.

7.5 Network Management

   ISPs manage the edge routers by SNMP. As well, ISPs need the
   management of AP by means of its configuration tools.

7.6 Hosting Gear

   The mail, dns, caching, etc. servers for the customer is usually
   managed by the ISPs.
Mickles, et al.        Expires - Sept. 2003                 [Page 33]

                Transition Scenarios for ISP Networks      Mar. 2003

8.0 Broadband Ethernet

   This section describes the Ethernet based residential access.

8.1. Topology

   The layouts of Ethernet based accesses to the home are all almost
   identical. They usually consist in a star topology terminated in
   the apartment building or at a central point in the network. The
   latter is probably not a common case and is used only for fiber
   based access. The termination point usually consists of a switch
   with varying functionality and in some cases a router. At this
   termination point the network can be connected directly to a
   metro network or to an aggregation point and a network access

   The logical architecture for an Ethernet based access varies but
   is fundamentally the same. A common practice is to use layer 2
   Ethernet VLANs to separate the customers up to the network access
   server. This is done to assure traceability and prevent
   eavesdropping by customers as well as to be able to block
   services such as local file sharing.
   User authentication, other than the physical connection, is in
   some cases used. It can consist of web login or PPPoE. Web login
   can be done in two ways, one time login where the device's MAC-
   address is registered and kept or session login where login is
   done to activate the connection every time the user starts to use
   The simplest solution is a pure switched network where the users
   are assigned static addresses and the only controlled device is a
   router servicing one or several apartment buildings. In this case
   PPPoE can be used for user authentication if any authentication
   is used at all.

8.2 Hardware

   Routers are used in the apartment buildings or centralized to
   control the user traffic in addition to the actual routing. The
   most common case is to have only switches in the apartment
   buildings and the routers at an aggregation point since this
   allows for one router to service several apartment buildings.

   Switches are common in an Ethernet based home access. Usually
   only layer 2 functionality is used such as Ethernet VLAN.

Mickles, et al.        Expires - Sept. 2003                  [Page 34]

                Transition Scenarios for ISP Networks      Mar. 2003

   CPE (router, modem, pc, gateway, appliance, etc)
   There is no actual CPEs used if not the actual appliances used by
   the customer is included.

8.3 Routing

   The interior routing for Ethernet access doesn't differ to any
   other routing used with in one particular ISP.
   The routing protocols normally used are IS-IS or OSPF.

   BGP is used for exchanging external routes.
   Exterior routing is not used towards the end customers since the
   customer networks are seen as being directly connected to the
   edge router and not having a CPE router in between. This means
   that the customer network is routed directly to an interface on
   the edge router and not to a customer router.

   Sometimes locally enabled to support services like IP-TV. At the
   moment multicast is not commonly deployed and it is therefore no
   general way of implementing it.

   Usually one address is assigned to the user, dynamically by DHCP
   or statically by manual configuration. Some operators may allow
   the use of multiple addresses.

   Used in some cases when the operator doesn't have enough

   Aggregation of routes is usually done in several stages in the

8.4 Traffic Engineering

   Traffic engineering is sometime used in the form of bandwidth
   throttling. This sometimes adds equipment to the network due to
   the need of an enforcer. The enforcer could be integrated in the
   edge router or in a separate entity.
   Filtering of traffic is also implemented in many networks mostly
   as a simple protection of the users or in other cases as a way of
   preventing certain services such as mail servers.

Mickles, et al.        Expires - Sept. 2003                  [Page 35]

                Transition Scenarios for ISP Networks      Mar. 2003

8.5 Security

   Security is usually implemented in the form of Ethernet VLAN to
   separate the users and to enable traceability. The use of VLAN is
   then used instead of any form of login since the users can be
   traced through their VLAN TAG. A database mapping VLAN to IP-
   address is used to allow historical traceability.
   To prevent misuse of addresses anti spoofing is implemented in
   the network, usually on a per user level to prevent a user from
   *borrowing* another users address.

   If PPPoE is used it provides both user authentication and
   Filtering of well known file sharing ports to prevent
   unintentional services is used as mentioned earlier.

8.6 Network Management

   Usually out of band management is used to configure both routers
   and switches located in the apartment buildings. This is normally
   done through a separate Ethernet VLAN. The management tools are
   more or less the same as in the core network.

8.7 Hosting Gear

   DNS is managed by the operator as well as any additional services
   such as mail and web servers. The latter can also in some cases be
   run by the customer but for the mainstream user this is not the

Mickles, et al.        Expires - Sept. 2003                 [Page 36]

                Transition Scenarios for ISP Networks      Mar. 2003

 9.0 Internet Exchange (IX)

   This section describes the infrastructure that exists in IPv4
   Internet exchanges (IX).
   An IPv6 IX, unlike current NAPs, may assign independent long-haul
   provider addresses, according to [RFC2374]. An organization
   subscribing such addresses will be able to change long-haul
   provider without having to renumber.

 9.1  Topology

   An IX is based on a layer 2 infrastructure that can be, either
   local to given building, or distributed over a large are by the
   way multiple interconnected point of presence. This layer 2
   infrastructure enables players (e.g. long haul providers) that are
   connected to the IX to exchange routes.
   Figure  9.1a below, describes a typical single sited IX.

        ____________    +----+              /              \
       /            \  /     |           +-(   LHP2 router  )
      (  LHP1 router )+   +--+----+     /   \______________/
       \____________/     |       |----+
                      +---| L2 SW |
     ______________  /    |       |-+    ______________
    /              \+     +-------+  \  /              \
   (   LHP3 router  )                 +(   LHP4 router  )
    \______________/                    \______________/

                         Figure  9.1a

   According to [RFC2374] aggreatable addresses are organized into a
   three level hierarchy. IXs, together with long haul providers,
   belong the higher one called "Public Topology". IXs will allocate
   IPv6 addresses to its directly connected subscribers, providing
   them addressing independence from long haul providers.  IX will
   then have to include layer 3 functions, e.g. by the means of a
   router, in order to exchange routes with long haul provider, for
   gaining global connectivity to its subscribers. The figure below,
   describes such a new type of IX introducing layer 3 functions,
   and that topology differs from regular IPv4 IX.

Mickles, et al.        Expires - Sept. 2003                 [Page 37]

                Transition Scenarios for ISP Networks      Mar. 2003

        ____________    +----+              /              \
       /            \  /     |           +-(   LHP2 router  )
      (  LHP1 router )+   +--+----+     /   \______________/
       \____________/     |       |----+
                      +---| L2 SW |
     ______________  /    |       |-+    ______________
    /              \+     +---+---+  \  /              \
   (   LHP3 router  )         |       +(   LHP4 router  )
    \______________/          |         \______________/
                          |        |        ____________
                          |   IX   |       /            \
                          | router +------(IX subscriber )
                          |        |       \____________/

                         Figure  9.1b

 9.1.1  Hardware

   Basically, a regular IX is based on a layer 2 switch, or set of
   layer 2 switches that may either local to a building, or
   distributed over larger area. It provides also room space and
   power supply to enable long haul providers to install their own
   routers and to exchange routes to each other according to a
   peering agreement.

   In the case of an IX providing independent addresses to its
   directly connected subscribers, the needed layer 3 function will
   be based on a regular IPv6 router.

 9.2  Routing

   The main goal of an IX, is to enable long haul provider to
   exchange routes by the way of BGP4+ peering. An IX implementing
   layer 2 devices only will not participate to into routing and
   BGP4+ peering.

   An IX providing independent addresses to its directly connected
   subscribers, will exchange routes with long haul provider by the
   way of BGP4+ peering.

 9.3 Traffic Engineering/Policing

   In the case of an IX providing independent addresses to its
   directly connected subscribers, specific rules may be introduced
   in order to filter the traffic from a given subscriber to a
   provider (or a set of provider) according to a given subscription

Mickles, et al.        Expires - Sept. 2003                 [Page 38]

                Transition Scenarios for ISP Networks      Mar. 2003

 9.4 Security

 9.5 Network Management

   This section does not apply to regular layer 2 based IX, since
   only local direct peering between third parties is involved.

 9.6 Host gear

   Do not apply.


   Security concerns will be described within the context of each
   scenario.  After the various scenarios are documented, a
   summarized section including all of the security considerations
   may be provided.


   Network Management concerns will be described within the context
   of each scenario.  After the various scenarios are documented, a
   summarized section including all of the Network Management
   considerations may be provided.

Mickles, et al.        Expires - Sept. 2003                 [Page 39]

                Transition Scenarios for ISP Networks      Mar. 2003

   [1] The comments from the V6OPS working group are appreciated.

   [01] TR-025 Core Network Architecture for Access to Legacy Data
        Networks over ADSL, TR-025 - ADSL Forum, September 1999

   [02] RFC 1661  The Point-to-Point Protocol (PPP)
   [03] RFC 2684  Multiprotocol Encapsulation over ATM Adaptation
        Layer 5
   [04] RFC 2364  PPP Over AAL5
   [05] RFC 2516  A Method for Transmitting PPP Over Ethernet (PPPoE)
   [06] RFC 2661  Layer Two Tunneling Protocol "L2TP"
   [07] RFC 2138  Remote Authentication Dial In User Service (RADIUS)
   [08] RFC 3162  RADIUS and IPv6
   [09] ANSI/IEEE Std 802.11, 1999 Edition: "Wireless LAN Medium
        Access Control (MAC) and Physical Layer (PHY) Specifications".
   [10] IEEE Std 802.11b-1999 (Supplement to IEEE 802.11, 1999
        Edition): "Wireless LAN Medium Access Control (MAC) and
        Physical Layer (PHY) Specifications: Higher-Speed Physical
        Layer Extension in the 2.4GHz Band".
   [11] IEEE Std 802.11a-1999 (Supplement to IEEE 802.11, 1999
        Edition): "Wireless LAN Medium Access Control (MAC) and
        Physical Layer (PHY) Specifications: High-speed Physical
        Layer in the 5GHz Band".
   [12] IEEE Std 802.1x-2001, "Port-based Network Access Control".
   [13] IEEE Std 802.11i/D2.0, "Specification for Enhanced Security",
        Mar. 2002.
   [14] B. Aboba and M. Beadles, "The Network Access Identifier",
        IETF RFC 2486, Jan. 1999.
   [15] P. Calhoun and C. Perkins, "Mobile IP Network Access
        Identifier Extension for IPv4", IETF RFC 2794, Mar. 2000.
   [16] L. Blink and J. Vollbrecht, "PPP Extensible Authentication
        Protocol (EAP)", IETF RFC 2284, Mar. 1998.
   [17] B. Aboba and D. Simon, "PPP EAP TLS Authentication Protocol",
        IETF RFC 2716, Oct. 1999.
   [18] Society of Cable Telecommunications Engineers
        (SCTE), "SCTE 22-1 2002 DOCSIS 1.0 Radio Frequency
        Interface", Nov 2001,
   [19] Society of Cable Telecommunications Engineers (SCTE),
        "SCTE 23-1 2002 DOCSIS 1.1 Part 1: Radio Frequency
        Interface", Aug 2002, <http://www.scte.org/standards/
   [20] Cable Labs, "Radio Frequency Interface Specification
        SP-RFIv2.0-I02-020617", Jun 2002, <http://

Mickles, et al.        Expires - Sept. 2003                 [Page 40]

                Transition Scenarios for ISP Networks      Mar. 2003

   [21] Postel, J. and K. Harrenstien, "Time Protocol",
        STD 26, RFC 868, May 1983.

   [22] Case, J., Fedor, M., Schoffstall, M. and J. Davin, "Simple
        Network Management Protocol (SNMP)", STD 15,
        RFC 1157, May 1990.

   [23] Sollins, K., "The TFTP Protocol (Revision 2)",
        STD 33, RFC 1350, July 1992.

   [24] Droms, R., "Dynamic Host Configuration Protocol",
        RFC 2131, Aug  1997.

   [25] Fenner, W., "Internet Group Management Protocol,
        Version 2", RFC 2236, November 1997.

   [26] Narten, T., Nordmark, E. and W. Simpson, "Neighbor Discovery
        for IP Version 6 (IPv6)", RFC 2461, December 1998.

   [27] Thomson, S. and T. Narten, "IPv6 Stateless Address
        Autoconfiguration", RFC 2462, December 1998.

   [28] Durand, A., Fasano, P., Guardini, I. and D. Lento,
        "IPv6 Tunnel Broker", RFC 3053, February 2001.

   [29] Carpenter, B. and K. Moore, "Connection of IPv6
        Domains via IPv4 Clouds", RFC 3056, February 2001.

   [30] Huitema, C., "An Anycast Prefix for 6to4 Relay
        Routers", RFC 3068, Aug  2001.

Mickles, et al.        Expires - Sept. 2003                 [Page 41]

                Transition Scenarios for ISP Networks      Mar. 2003

   AAL5 ATM Adaptation Layer 5
   ADSL Asymmetric Digital Subscriber Line
   BAS Broadband Access Server
   CPE Customer Premises Equipment
   DSL Digital Subscriber Line
   DSLAM DSL Access Multiplexer
   L2TP Layer Two Tunneling Protocol
   LAA L2TP Access Aggregation (model)
   LAC L2TP Access Concentrator
   LNS L2TP Network Server
   MSS Maximum Segment Size (MTU - 40 bytes for IP and TCP headers)
   MTU Maximum Transmission Unit
   NAP Network Access Provider
   NAT Network Address and Port Translation
   NSP Network Service Provider
   POP Point Of Presence
   POTS Plain Old Telephone Service
   PPP Point-to-Point Protocol
   PPPoA PPP over ATM
   PPPoE PPP over Ethernet
   PSTN Public Switched Telephone Network
   PTA  PPP Terminated Aggregation (model)
   PVC Permanent Virtual Circuit
   RADIUS Remote Authentication Dial In User Service
   USB Universal Serial Bus
   VPI/VCI Virtual Path Identifier with Virtual Channel Identifier
   VPN Virtual Private Network

Mickles, et al.        Expires - Sept. 2003                 [Page 42]

                Transition Scenarios for ISP Networks      Mar. 2003

 Author's Addresses

   Vladimir Ksinant
   1 place Charles de Gaulle - 78180     Phone: +33139309236
   Montigny Le Bretonneux - France  Email:vladimir.ksinant@6wind.com

   Jae-Hwoon Lee
   Dongguk Univ.
   26, 3 Pil-Dong, Chung-gu,               Phone: +82 2 2260 3849
   Seoul 100-715, Korea                    Email: jaehwoon@dgu.ac.kr

   Myung-Ki Shin
   161 Kajong-Dong, Yusong-Gu,          Phone: +82 42 860 4847
   Taejon 305-350, Korea                Email: mkshin@pec.etri.re.kr

   Aidan Williams
   Motorola Australian Research Centre
   Locked Bag 5028                     Phone: +61 2 9666 0500
   Botany, NSW  1455              Email: Aidan.Williams@motorola.com
   URI:   http://www.motorola.com.au/marc/

   Alain Baudot
   France Telecom R&D
   42, rue des coutures           Phone:  +33
   BP 6243                        Email:  alain.baudot@rd.francetelecom.com
   14066 Caen, FRANCE

   Mikael Lind
   Telia Research
   Vitsandsgatan 9B
   123 86 Farsta                   Phone: +46 70 2406140
   Sweden                          Email: Mikael.e.lind@telia.se

   Cleveland Mickles
   America Online, Inc (owned by AOL Time Warner)
   12100 Sunrise Valley Drive.          Phone:  +1 703-265-5618
   Reston, VA 20191, USA                Email:  micklesc@aol.net

Mickles, et al.        Expires - Sept. 2003                 [Page 43]

Html markup produced by rfcmarkup 1.129b, available from https://tools.ietf.org/tools/rfcmarkup/