
Network Security

Rev 1.0

HUAWEI TECHNOLOGIES CO., LTD.

www.huawei.com

All rights reserved

Objectives
ACL
NAT
Access Methods (PPP, PPPoE, DHCP)
AAA
RADIUS + DIAMETER
Tunneling (GRE+IPSec)


Ethernet Access List

Main function: ensure distributed access security over the whole network.

(Diagram: an intranet with a server, Department A and Department B; the access list on the switch decides which traffic between them and the server is allowed.)

Filtering

(Diagram: packet layout Layer 2 header | IP header | TCP header | Application-level header | Data; these are the headers an ACL can inspect.)

The ACL classifies packets according to a series of matching conditions.
The ACL is applied to a switch port to determine whether a packet should be forwarded or discarded.
The matching rules defined by the ACL can also be referenced in other contexts that need traffic differentiation, such as the definition of traffic classification rules in QoS.
An access control rule can be composed of multiple sub-rules.
Time segment (time range) control can be defined, so that a rule is active only during the configured period.

ACL Example

(Diagram: host 192.168.1.10 on the 192.168.1.0/24 LAN reaches web server 202.1.5.1 through a switch that applies ACL 3001.)

acl number 3001
 rule 10 permit tcp source 192.168.1.0 0.0.0.255 destination 202.1.5.1 0.0.0.0 destination-port eq 80
 rule 20 deny ip source any destination any

Rule 10 permits TCP from the 192.168.1.0/24 subnet (wildcard 0.0.0.255: the last octet is "don't care") to port 80 of the single host 202.1.5.1 (wildcard 0.0.0.0), with any source port; rule 20 then denies everything else. Rules are matched in ascending order and the first match wins, so the explicit deny must carry the higher rule number.
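The matching logic of the example above, as an added illustration that is not part of the original deck: wildcard-mask matching, first-match evaluation in rule-ID order, and the effect of rule ordering. The `Packet`/`Rule` types and the `default` action applied when no rule matches are assumptions of this example (here the default is "permit", which is why ACL 3001 needs its explicit deny rule).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # "any" or "address wildcard"
    dst: str
    dport: Optional[int] = None  # None = any destination port


def wildcard_match(addr: str, spec: str) -> bool:
    """Wildcard-mask match as in 'rule ... source A W': a 1 bit in W means
    'don't care', so 0.0.0.255 matches a /24 and 0.0.0.0 matches one host."""
    if spec == "any":
        return True
    base, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (a & care) == (b & care)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, rule.src) and wildcard_match(pkt.dst, rule.dst)):
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet, default: str = "permit") -> Tuple[str, Optional[int]]:
    """Rules are tried in ascending rule ID; the first match decides.
    'default' is what the device does when nothing matches (assumption: 'permit',
    which is why the slide's ACL ends with an explicit deny-any rule)."""
    for rule in sorted(acl, key=lambda r: r.rule_id):
        if rule_matches(rule, pkt):
            return rule.action, rule.rule_id
    return default, None


# ACL 3001 from the slide, expressed as data
ACL_3001 = [
    Rule(10, "permit", "tcp", "192.168.1.0 0.0.0.255", "202.1.5.1 0.0.0.0", dport=80),
    Rule(20, "deny", "ip", "any", "any"),
]

# Same rules with the deny numbered first: it shadows the permit completely
BAD_ORDER = [
    Rule(5, "deny", "ip", "any", "any"),
    Rule(10, "permit", "tcp", "192.168.1.0 0.0.0.255", "202.1.5.1 0.0.0.0", dport=80),
]

if __name__ == "__main__":
    # Constructed sample traffic
    for pkt in (Packet("tcp", "192.168.1.10", "202.1.5.1", 51000, 80),
                Packet("tcp", "192.168.1.10", "202.1.5.1", 51000, 443),
                Packet("tcp", "192.168.2.10", "202.1.5.1", 51000, 80),
                Packet("icmp", "192.168.1.10", "202.1.5.1")):
        print(pkt, "->", evaluate(ACL_3001, pkt), "bad order:", evaluate(BAD_ORDER, pkt))
```

Without rule 20 the UDP packet below is forwarded by the platform default; with it, only HTTP from the department subnet to the server survives, and `BAD_ORDER` shows that the same two rules with swapped numbers block everything.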


Features of ACL Application

Traffic filtering
Route filtering
QoS (traffic classification)


Private and Public Addresses

(Diagram: LAN1, LAN2 and LAN3 each use private 192.168.x.0/24 space and connect to the Internet; the same private range can be reused at every site because private addresses are never routed on the Internet.)

The ranges of private addresses (RFC 1918):
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

Why NAT?
NAT (Network Address Translation)
Why do we use NAT?
IP address resources are increasingly insufficient: with address translation, multiple hosts in a LAN can access the Internet through a single public IP address.
Network security protection: address translation effectively hides the hosts of the internal LAN, since only the translated public address is visible from outside.
Publishing services: internal FTP, WWW and Telnet servers can be offered to the external network through a mapped public address.

Principle of Address Translation

(Diagram: PC1 192.168.1.1 and PC2 192.168.1.2 on the LAN both open TCP connections from source port 3000 to 195.210.5.31 port 80; the NAT router rewrites the source to its public address 202.1.1.5 with distinct ports 4000 and 4001 before forwarding to the Internet.)

Local Source        Destination        Outside Source
192.168.1.1:3000    195.210.5.31:80    202.1.1.5:4000
192.168.1.2:3000    195.210.5.31:80    202.1.1.5:4001

The router keeps this table so that replies to 202.1.1.5:4000 are mapped back to 192.168.1.1:3000 and replies to 202.1.1.5:4001 to 192.168.1.2:3000.

Address Pool

(Diagram: PC1 and PC2 on the LAN share the address pool 202.38.160.1 - 202.38.160.4 on the NAT router towards the Internet.)

An address pool is a collection of consecutive public IP addresses, identified by a number.
The NAT process selects an address from the pool as the source address after translation.
Address pools enable more LAN users to access the Internet simultaneously, because each pool address contributes its own range of translation ports.

Application of Internal Server

(Diagram: an internal server with private address 10.0.1.1, port 80, sits behind the router's E0 interface; the router's Serial 0 interface faces the Internet with public address 202.38.160.1. The mapping configured on the router is 10.0.1.1 <-> 202.38.160.1, port 80. An extranet user at 202.39.2.3 (shown with port 8080) accesses the server by referring to the map, i.e. by connecting to the public address.)

Static mapping: the router publishes a fixed public address/port for the internal server, so inbound connections to it are translated to the private address, while unsolicited inbound traffic to any other address/port still has no mapping and is dropped.
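The three preceding slides (translation principle, address pool, internal server) share one data structure, the translation table. The following simulation is an added example, not code from the deck: it reproduces the slide's 202.1.1.5:4000/4001 allocation, round-robins over a pool, drops unsolicited inbound packets, applies a static server map, and keeps the mapping log that attribution later depends on. The `NAPT` class, the round-robin pool policy and the single global port counter are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


Endpoint = Tuple[str, int]


class NAPT:
    """Port-based NAT (NAPT) with a public address pool and static server maps.

    Outbound: a new (inside host, inside port, destination) gets a fresh
    (pool address, port) pair; replies are mapped back through the table.
    Inbound: only static server mappings and existing dynamic entries are
    translated; everything else is dropped, which is what 'hides the hosts
    of the internal LAN' means in practice."""

    def __init__(self, pool: List[str], first_port: int = 4000):
        self.pool = list(pool)
        self.next_port = first_port              # assumption: one global port counter
        self.dynamic_out: Dict[Tuple[str, int, str, int], Endpoint] = {}
        self.dynamic_in: Dict[Endpoint, Endpoint] = {}
        self.static_in: Dict[Endpoint, Endpoint] = {}
        self.log: List[Tuple[Endpoint, Endpoint]] = []   # (public, private) for attribution

    def add_server_map(self, public: Endpoint, private: Endpoint) -> None:
        """Static mapping such as 202.38.160.1:80 -> 10.0.1.1:80 (internal server)."""
        self.static_in[public] = private

    def _allocate(self, private: Endpoint) -> Endpoint:
        # Round-robin over the pool addresses (assumption: policy of this example)
        public_ip = self.pool[len(self.dynamic_in) % len(self.pool)]
        public = (public_ip, self.next_port)
        self.next_port += 1
        self.dynamic_in[public] = private
        self.log.append((public, private))
        return public

    def translate_out(self, flow: Flow) -> Flow:
        key = (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port)
        if key not in self.dynamic_out:
            self.dynamic_out[key] = self._allocate((flow.src_ip, flow.src_port))
        pub_ip, pub_port = self.dynamic_out[key]
        return Flow(pub_ip, pub_port, flow.dst_ip, flow.dst_port)

    def translate_in(self, flow: Flow) -> Optional[Flow]:
        key = (flow.dst_ip, flow.dst_port)
        private = self.static_in.get(key) or self.dynamic_in.get(key)
        if private is None:
            return None                          # unsolicited inbound packet: no mapping, dropped
        return Flow(flow.src_ip, flow.src_port, private[0], private[1])

    def who_used(self, public: Endpoint) -> Optional[Endpoint]:
        """Attribution: which inside host was behind a public address/port."""
        for pub, priv in self.log:
            if pub == public:
                return priv
        return None


if __name__ == "__main__":
    nat = NAPT(pool=["202.1.1.5"])
    for pc in ("192.168.1.1", "192.168.1.2"):   # the slide's two PCs
        print(nat.translate_out(Flow(pc, 3000, "195.210.5.31", 80)))
    print(nat.translate_in(Flow("195.210.5.31", 80, "202.1.1.5", 4001)))
    print(nat.translate_in(Flow("202.39.2.3", 8080, "202.1.1.5", 5000)))  # None
```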

Disadvantages of NAT
Because the IP addresses in the packet must be rewritten, the parts of the packet that carry addresses cannot be encrypted or integrity-protected end to end (IPsec AH, for example, fails across NAT), and an encrypted FTP control connection cannot be used, because the addresses and ports inside FTP PORT commands can then no longer be translated.
Network debugging and attribution become more difficult. For instance, when a host in the internal network attacks other networks, it is hard to identify which computer is malicious, because the host IP address is hidden behind the translated address. In practice the NAT device must log its translation table (private address/port, public address/port, time) so that the inside host can be identified later.


Network Architecture and Position of BRAS

(Diagram: Core layer with service platform, AAA platform, NMS and core network; Convergence layer with the NAS (BRAS); Access layer with the access network: LAN switch for Ethernet users, DSLAM for ADSL users and AP for WLAN users.)

AAA
Authentication
Authorization
Accounting


Architecture of NAS (BRAS) Device

(Diagram: the BRAS receives user packets and contains the functional blocks User Identification, Connection Management, Address Management (interworking with a DHCP server), Service Control (interworking with a policy server) and AAA&UM (user management, interworking with the AAA server).)

User Identification: Access Types

(Diagram: how the NAS identifies a user from the packets it sends.)
PPP user: identified by PPP packets
802.1x user: identified by EAPoL packets
Web user: identified by HTTP packets; the user is redirected to a web server (portal), which talks to the NAS with the portal protocol
Bind user: identified by IP/ARP/DHCP packets (the user is bound to its access line rather than authenticated interactively)

PPP Overview

(PPP protocol stack)
Network layer: network protocols IP, IPX
Data link layer: Network Control Protocols IPCP, IPXCP, BCP; Authentication Protocols PAP, CHAP, EAP; Link Control Protocol LCP
Physical layer

PPP Phase Diagram

Dead --(Up)--> Establish (LCP) --(Opened)--> Authenticate (PAP/CHAP) --(Success)--> Network (IPCP) --(Closing)--> Terminate --(Down)--> Dead
A failure in the Establish or Authenticate phase goes straight to Terminate.

PAP & CHAP Authentication Process

PAP (client -> BRAS):
1. The client sends Authentication_Req (username, password), with the password in cleartext.
2. The BRAS compares the password with the stored one.
3. The BRAS answers Accept/Reject.

CHAP (BRAS challenges the client):
1. The BRAS generates a random Challenge and sends it to the client.
2. The client generates the ChallengePwd, a one-way hash (MD5) over the challenge and the shared secret, and sends Authentication_Req (username, ChallengePwd).
3. The BRAS computes the same hash from its copy of the secret and compares the ChallengePwds.
4. The BRAS answers Accept/Reject.

In CHAP the password itself never crosses the link, and a captured ChallengePwd cannot be replayed because every authentication uses a fresh challenge.

Why we need PPPoE?

(Diagram: subscribers connected through an access network.)
ETH | IP | DATA: plain Ethernet can identify the device (MAC address), not the user.
ETH | PPP | IP | DATA: with PPP over Ethernet the subscriber can be identified, because PPP carries authentication.

Discovery and Session Stages

Discovery stage
Discover the AC (Access Concentrator) and acquire the AC's MAC address
Allocate a Session ID

Session stage
PPP parameter negotiation
Data transmission
Session maintenance

PPPoE Discovery Phase Diagram

Client -> AC (broadcast): PADI (Service-Name, Session-ID=0x0000)
AC -> Client: PADO (Service-Name, AC-Name, Session-ID=0x0000)
Client -> AC: PADR (Service-Name, AC-Name, Session-ID=0x0000)
AC -> Client: PADS (Service-Name, AC-Name, Session-ID=0x055A), carrying the allocated session ID

DHCP Address Allocation Modes

Automatic allocation
The DHCP server assigns a permanent address to a client.

Dynamic allocation
The DHCP server assigns an IP address to a client for a limited period of time (or until the client explicitly relinquishes the address).

Manual allocation
The client's IP address is assigned by the network administrator, and DHCP is used simply to convey the assigned address to the client.

DHCP Working Flow

Client -> Server (broadcast): DHCPDISCOVER
Server -> Client: DHCPOFFER
Client -> Server (selected server): DHCPREQUEST
Server -> Client: DHCPACK or DHCPNAK
Client -> Server: DHCPRELEASE (when the client gives up the address)

Packet Format (field sizes in bytes)
op (1) | htype (1) | hlen (1) | hops (1)
xid (4)
secs (2) | flags (2)
ciaddr (4)
yiaddr (4)
siaddr (4)
giaddr (4)
chaddr (16)
sname (64)
file (128)
options (variable)

Option 82 (DHCP Relay Agent Information)
Prevents address-pool exhaustion by floods of DHCP requests, because the server can limit leases per access line.
Realizes static allocation of IP addresses by DHCP, keyed on the access line instead of the client MAC address.
Prevents static IP address spoofing, because the address is tied to the physical port.
Option 82 sub-options:
Agent Circuit ID
{atm|eth} frame/slot/subslot/port[:vpi.vci|outer_vlan.inner_vlan]
Agent Remote ID
AccessNodeIdentifier
Example: Quidway Eth 0/1/0/1:0.0

Option 82 Flow

PC -> DSLAM: DISCOVER
DSLAM -> NAS -> DHCP Server: DISCOVER + Option 82 (inserted by the DSLAM acting as relay agent)
DHCP Server -> NAS -> DSLAM: OFFER + Option 82 (echoed back unchanged)
DSLAM -> PC: OFFER (Option 82 stripped)
PC -> DSLAM: REQUEST; DSLAM -> NAS -> DHCP Server: REQUEST + Option 82
DHCP Server -> NAS -> DSLAM: ACK + Option 82; DSLAM -> PC: ACK
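The packet format and the Option 82 flow above, as an added example that is not code from the deck: a client DISCOVER is built from the fixed fields, the relay agent sets giaddr, increments hops and appends option 82 with the circuit-ID and remote-ID sub-options, and a server-side policy uses the circuit ID for per-line static allocation and a per-line lease limit. `PORT_BINDINGS`, `LEASES_PER_LINE`, the refusal of requests without relay information and the circuit-ID strings are constructed assumptions of this example.

```python
import struct
from ipaddress import IPv4Address
from typing import Dict, Optional

FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")   # the 236 bytes of fixed fields
MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
DISCOVER = 1


def build_discover(xid: int, mac: bytes) -> bytes:
    """Client DHCPDISCOVER: op=1 (BOOTREQUEST), Ethernet hardware type, broadcast flag."""
    zero4 = b"\0" * 4
    fixed = FIXED.pack(1, 1, 6, 0, xid, 0, 0x8000, zero4, zero4, zero4, zero4,
                       mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC + bytes([OPT_MSG_TYPE, 1, DISCOVER, OPT_END])


def iter_options(packet: bytes):
    """Yield (code, start offset, length) per option; the END option comes last."""
    i = FIXED.size + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            yield code, i, 0
            return
        if code == OPT_PAD:
            i += 1
            continue
        length = packet[i + 1]
        yield code, i, length
        i += 2 + length


def parse(packet: bytes) -> Dict:
    if packet[FIXED.size:FIXED.size + 4] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    f = FIXED.unpack_from(packet)
    options = {code: packet[start + 2:start + 2 + length]
               for code, start, length in iter_options(packet) if code != OPT_END}
    return {"op": f[0], "hops": f[3], "xid": f[4], "giaddr": str(IPv4Address(f[10])),
            "chaddr": f[11][:f[2]], "options": options}


def parse_option82(raw: bytes) -> Dict[int, bytes]:
    subs, i = {}, 0
    while i + 1 < len(raw):
        sub, ln = raw[i], raw[i + 1]
        subs[sub] = raw[i + 2:i + 2 + ln]
        i += 2 + ln
    return subs


def relay(packet: bytes, giaddr: str, circuit_id: bytes, remote_id: bytes) -> bytes:
    """Relay agent (DSLAM/NAS): set giaddr, increment hops, insert option 82 before END."""
    f = list(FIXED.unpack_from(packet))
    f[3] += 1
    f[10] = IPv4Address(giaddr).packed
    end = next(start for code, start, _ in iter_options(packet) if code == OPT_END)
    sub = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
           + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    opt82 = bytes([OPT_RELAY_AGENT, len(sub)]) + sub
    return FIXED.pack(*f) + packet[FIXED.size:end] + opt82 + packet[end:]


# Server policy (constructed assumptions): one fixed address per access line and at
# most LEASES_PER_LINE clients per line, so a flood of DISCOVERs from one port cannot
# drain the pool. Line names use the circuit-ID format shown on the slide.
PORT_BINDINGS = {b"Quidway Eth 0/1/0/1:0.0": "10.1.1.10",
                 b"Quidway Eth 0/1/0/2:0.0": "10.1.1.11"}
LEASES_PER_LINE = 1


def allocate(msg: Dict, leases: Dict[bytes, Dict[bytes, str]]) -> Optional[str]:
    """Return the address to OFFER, or None when the line is unknown or full."""
    raw = msg["options"].get(OPT_RELAY_AGENT)
    if raw is None:
        return None                   # no relay information: refuse (policy assumption)
    circuit = parse_option82(raw).get(SUB_CIRCUIT_ID)
    address = PORT_BINDINGS.get(circuit)
    if address is None:
        return None
    line = leases.setdefault(circuit, {})
    if msg["chaddr"] in line:
        return line[msg["chaddr"]]    # same client asking again
    if len(line) >= LEASES_PER_LINE:
        return None                   # another MAC already holds this line's address
    line[msg["chaddr"]] = address
    return address
```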


Networking Application of RADIUS

(Diagram: users connect through access networks (DSLAM, LAN switch) to NAS devices; the NAS devices reach the AAA server across the core network (Internet).)


Client-Server Model

User -> NAS (RADIUS client) -> RADIUS server (AAA server)

RADIUS = Remote Authentication Dial-In User Service

Key Features
Network security: a shared secret between NAS and server authenticates responses and hides the user password.
Flexible authentication mechanism: PAP, CHAP (EAP over RADIUS was added later, RFC 3579).
Extensible protocol: Attribute-Length-Value (Type-Length-Value) attribute format.

RADIUS Packet Format

Packet:
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Code      |  Identifier   |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|                         Authenticator                         |
|                                                               |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-

Attribute:
 0                   1                   2
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
|     Type      |    Length     |  Value ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Authentication and Accounting Procedure

1. The user requests access from the NAS.
2. NAS -> RADIUS server: Access-Request.
3. The server authenticates the user and replies Access-Accept (the NAS then configures the user) or Access-Reject.
4. NAS -> server: Accounting-Request (start); server -> NAS: Accounting-Response.
5. NAS -> server: Accounting-Request (interim update); server -> NAS: Accounting-Response.
6. The user requests termination.
7. NAS -> server: Accounting-Request (stop); server -> NAS: Accounting-Response.

PAP and CHAP Interoperation

PAP:
1. The NAS asks the user for username and password.
2. NAS -> RADIUS server: Access-Request (User-Name, User-Password); the password is hidden with the shared secret, not sent in clear.
3. Server -> NAS: Access-Accept (the NAS configures the user) or Access-Reject.

CHAP:
1. The NAS sends the user a challenge; the user returns the username and the CHAP response (the MD5 hash over identifier, password and challenge, labelled "encrypted challenge" in the diagram).
2. NAS -> RADIUS server: Access-Request (User-Name, CHAP-Challenge, CHAP-Password).
3. The server recomputes the hash from the stored password and replies Access-Accept (the NAS configures the user) or Access-Reject.

Check: with CHAP the RADIUS server must hold the cleartext password (or an equivalent) to recompute the hash, whereas with PAP it may store only a hash of the password.
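The packet format, the shared-secret mechanism and the PAP leg of the interoperation above, as an added example that is not code from the deck: it builds an Access-Request with the User-Password hidden as RFC 2865 section 5.2 prescribes, lets a server recover and check it, and has the NAS verify the Response Authenticator so that an Access-Accept forged without the secret is rejected. The secret, user database and `server_handle` policy are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")            # Code, Identifier, Length; the 16-byte Authenticator follows


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, then XOR each block with
    MD5(secret || previous output block); the first block uses the Request
    Authenticator. This is obfuscation keyed by the shared secret, not encryption
    in the modern sense: a weak secret can be brute-forced from a capture."""
    padded = password + b"\0" * (-len(password) % 16) or b"\0" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password (assumption: passwords contain no trailing NUL bytes)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)


def decode_attrs(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + ln]
        i += ln
    return attrs


def build_access_request(identifier: int, secret: bytes, username: bytes,
                         password: bytes, request_auth: bytes = b"") -> bytes:
    request_auth = request_auth or os.urandom(16)      # must be unpredictable
    attrs = encode_attrs([(ATTR_USER_NAME, username),
                          (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))])
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    head = HEADER.pack(code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: trust a response only if it answers our outstanding request and
    its authenticator proves the sender knew the shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    length = HEADER.unpack(response[:4])[2]
    head, resp_auth, attrs = response[:4], response[4:20], response[20:length]
    expected = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def server_handle(request: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bytes:
    """Server side for PAP: recover the password and compare it with the user database."""
    code, _ident, length = HEADER.unpack(request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        return build_response(ACCESS_REJECT, request, secret)
    attrs = decode_attrs(request[20:length])
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request[4:20])
    stored = users.get(attrs.get(ATTR_USER_NAME, b""))
    ok = stored is not None and hmac.compare_digest(stored, password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)
```

Because everything here rests on MD5 and the shared secret, RADIUS between NAS and server should run over a protected transport (IPsec or RadSec/TLS) and the secret must be long and random.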

Why UDP?
1. If the request to a primary authentication server fails, a secondary server must be queried, so the client keeps a copy of the request and retransmits it itself.
2. The timing requirements of this particular protocol are significantly different from what TCP provides.
3. The stateless nature of this protocol simplifies the use of UDP.
4. UDP simplifies the server implementation.

What is Diameter?
Diameter protocol
An AAA protocol providing Authentication, Authorization and Accounting (AAA) functions.
More advanced than RADIUS; the name is a pun, a diameter being twice a radius.

(Diagram: traditional network: the AAA client (NAS) for PPP access talks RADIUS to the AAA server; future network: WLAN, DSL and 3G access talk Diameter to the AAA server.)

New demands on AAA protocols


Network access requirements for AAA protocols
Failover
Transmission-level security
Reliable transport
Agent support
Server-initiated messages

Capability negotiation
Peer discovery and configuration


Diameter Framework
The Diameter protocol consists of the Diameter base protocol and the Diameter application protocols.

Diameter base protocol: provides a secure, reliable and extensible framework for various authentication, authorization and accounting services.
Diameter application protocol: defines the functional and data units for a particular application.

(Diameter stack: Diameter applications (NASREQ application, EAP application, MIP application, SIP application) over the Diameter base protocol over SCTP or TCP.)

Diameter Node Types

Client
A Diameter client is a device at the edge of the network that performs access control. An example of a Diameter client is a Network Access Server (NAS) or a Foreign Agent (FA).

Server
A Diameter server is one that handles authentication, authorization and accounting requests for a particular realm. By its very nature, a Diameter server MUST support Diameter applications in addition to the base protocol.

Agent
A Diameter agent is a node that provides relay, proxy, redirect or translation services for messages between clients and servers.

Role of Diameter Agents


There are four kinds of Diameter Agents
Relay Agent or Relay
Proxy Agent or Proxy
Redirect Agent

Translation Agent


Relay/Proxy Agent
(Diagram slides: relay and proxy agents forward requests towards the destination realm; a proxy may additionally modify messages to enforce policy.)

Redirect Agent
(Diagram slides: the redirect agent does not forward the request; it returns the address of the responsible server to the requesting node, which then contacts that server directly.)

Translation Agent
(Diagram slide: the translation agent converts between Diameter and another AAA protocol such as RADIUS.)

Diameter Message Structure

The Diameter message structure consists of two parts: the Diameter message header and the Diameter AVPs.

Message header (bit positions 0-31):
| Version (8) | Message Length (24) |
| Command Flags (8): R P E T r r r r | Command-Code (24) |
| Application-ID (32) |
| Hop-by-Hop Identifier (32) |
| End-to-End Identifier (32) |
Message body: AVPs ...

Diameter PDU Command Codes

Command-Name                   Abbrev  Code
Abort-Session-Request          ASR     274
Abort-Session-Answer           ASA     274
Accounting-Request             ACR     271
Accounting-Answer              ACA     271
Capabilities-Exchange-Request  CER     257
Capabilities-Exchange-Answer   CEA     257
Device-Watchdog-Request        DWR     280
Device-Watchdog-Answer         DWA     280
Session-Termination-Request    STR     275
Session-Termination-Answer     STA     275

A request and its answer share the command code; the R flag in the header distinguishes them.

Diameter AVP
AVP (attribute-value pair)
The Diameter message body is composed of Diameter AVPs. Each AVP carries a specific message parameter value and contains an AVP header and data. AVPs carry authentication information, authorization information, charging information, routing information, security information, and the request and response configuration information.

AVP structure (bit positions 0-31):
| AVP Code (32) |
| AVP Flags (8): V M P r r r r r | AVP Length (24) |
| Vendor-ID (32, optional, present when the V flag is set) |
| AVP Data ... |

Example
Use a Cx message as an example.

(Diagram: the HSS sends the I-CSCF a Diameter message UAA (User-Authorization-Answer). The Diameter header carries the command code; the body carries AVPs, each with an AVP header (AVP code, AVP length, Vendor-ID) and AVP data. The highlighted AVP has code 603 with Vendor-ID 10415 (3GPP).)

603: Server-Capabilities
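The header layout, the AVP layout and the Cx example above, as an added encoder/decoder that is not code from the deck: it packs and parses the 20-byte header with its 8-bit flag/24-bit length words, pads AVP data to 32-bit boundaries while keeping the length field unpadded, handles the optional Vendor-ID, derives an answer from a request, and builds a UAA carrying the vendor-specific Server-Capabilities AVP (603, vendor 10415). The host and realm names and the contents of the grouped AVP are constructed for the example; Mandatory-Capability (604) and the Cx application ID 16777216 are from 3GPP TS 29.229.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Command flags (header) and AVP flags, high bit first: R P E T / V M P
FLAG_R, FLAG_P, FLAG_E, FLAG_T = 0x80, 0x40, 0x20, 0x10
AVP_V, AVP_M, AVP_P = 0x80, 0x40, 0x20

# Codes used below (IETF base protocol and 3GPP Cx)
CMD_CER, CMD_UAR = 257, 300
AVP_ORIGIN_HOST, AVP_ORIGIN_REALM, AVP_RESULT_CODE = 264, 296, 268
AVP_SERVER_CAPABILITIES, AVP_MANDATORY_CAPABILITY = 603, 604
VENDOR_3GPP, APP_CX = 10415, 16777216


def pack_avp(code: int, data: bytes, flags: int = AVP_M, vendor: Optional[int] = None) -> bytes:
    """AVP header is 8 bytes, 12 with Vendor-ID; data is padded to a 32-bit
    boundary but the AVP Length field counts only header + data."""
    if vendor is not None:
        flags |= AVP_V
    length = (12 if vendor is not None else 8) + len(data)
    out = struct.pack("!II", code, (flags << 24) | length)
    if vendor is not None:
        out += struct.pack("!I", vendor)
    return out + data + b"\0" * (-len(data) % 4)


def unpack_avps(buf: bytes) -> List[Tuple[int, Optional[int], int, bytes]]:
    """Returns [(code, vendor or None, flags, data)], rejecting inconsistent lengths."""
    avps, i = [], 0
    while i < len(buf):
        if i + 8 > len(buf):
            raise ValueError("truncated AVP header")
        code, word = struct.unpack_from("!II", buf, i)
        flags, length = word >> 24, word & 0xFFFFFF
        hdr = 12 if flags & AVP_V else 8
        if length < hdr or i + length > len(buf):
            raise ValueError("bad AVP length %d at offset %d" % (length, i))
        vendor = struct.unpack_from("!I", buf, i + 8)[0] if flags & AVP_V else None
        avps.append((code, vendor, flags, buf[i + hdr:i + length]))
        i += length + (-length % 4)
    return avps


def pack_message(command: int, app_id: int, hbh: int, e2e: int,
                 avps: List[bytes], flags: int = FLAG_R) -> bytes:
    body = b"".join(avps)
    return struct.pack("!IIIII", (1 << 24) | (20 + len(body)), (flags << 24) | command,
                       app_id, hbh, e2e) + body


def unpack_message(buf: bytes) -> Dict:
    if len(buf) < 20:
        raise ValueError("short message")
    vl, fc, app_id, hbh, e2e = struct.unpack_from("!IIIII", buf)
    version, length = vl >> 24, vl & 0xFFFFFF
    if version != 1 or length != len(buf):
        raise ValueError("bad version or length")
    return {"flags": fc >> 24, "command": fc & 0xFFFFFF, "app_id": app_id,
            "hbh": hbh, "e2e": e2e, "avps": unpack_avps(buf[20:length])}


def make_answer(request: Dict, avps: List[bytes]) -> bytes:
    """An answer clears R, keeps P, never sets T, and copies command, application,
    Hop-by-Hop and End-to-End identifiers so it can be routed back."""
    flags = request["flags"] & FLAG_P
    return pack_message(request["command"], request["app_id"], request["hbh"],
                        request["e2e"], avps, flags)


def build_cer(host: bytes, realm: bytes, hbh: int, e2e: int) -> bytes:
    return pack_message(CMD_CER, 0, hbh, e2e,
                        [pack_avp(AVP_ORIGIN_HOST, host), pack_avp(AVP_ORIGIN_REALM, realm)])


def build_uaa_server_capabilities(request: Dict, mandatory: int) -> bytes:
    """Cx UAA carrying the grouped Server-Capabilities AVP (603) under vendor 3GPP
    (10415), as on the slide; the group here holds one Mandatory-Capability (604)."""
    inner = pack_avp(AVP_MANDATORY_CAPABILITY, struct.pack("!I", mandatory), vendor=VENDOR_3GPP)
    return make_answer(request, [pack_avp(AVP_RESULT_CODE, struct.pack("!I", 2001)),
                                 pack_avp(AVP_SERVER_CAPABILITIES, inner, vendor=VENDOR_3GPP)])
```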

Diameter Link Establishment: Capability Exchange

Client -> Server: CER; Server -> Client: CEA (after the transport connection is established)

CER / CEA (Capabilities-Exchange-Request / Answer)

When two Diameter peers create a connection, they must perform a capability exchange. CER/CEA is used to announce capabilities (such as protocol version, supported Diameter applications and security mechanism).
If a peer receives a CER from an unknown peer, it discards the message or returns the result code DIAMETER_UNKNOWN_PEER.

Diameter Link Heartbeat Message

Node1 -> Node2: DWR; Node2 -> Node1: DWA

DWR/DWA (Device-Watchdog-Request / Answer)

The DWR command code is 280. It is used to detect link liveness and is also called the heartbeat or handshake message.
If a node sends several DWR messages in a row and the peer returns no DWA, the link status is set to down (the link itself is not released).

Diameter Link Disconnection Message

Node1 -> Node2: DPR; Node2 -> Node1: DPA; then the connection is released.

DPR/DPA (Disconnect-Peer-Request / Answer)

The command code is 282.
DPR notifies the peer node to disconnect the link; the peer returns a DPA and then the link is disconnected.

Diameter Link Management Process

1. Diameter link establishment
SCTP association establishment between the peer and the DA (Diameter agent)
CER / CEA: capability exchange successful, link is normal
DWR / DWA: heartbeat sent periodically to maintain the link status

2. Diameter link disconnection
Either the DA or the peer may initiate it: DPR / DPA, then the SCTP association is disconnected

A Diameter connection is established through the capability exchange with the peer; when the DA or the peer wants to release the Diameter link, it must first send the DPR message to disconnect the link.

Diameter Message Routing Function

(Decision flow in the Diameter base protocol layer:)
Does the message carry a Destination-Host?
Yes: is the Destination-Host an adjacent peer (peer table)? If so, choose that peer and forward the message.
No, or the host is not adjacent: look up the routing table based on the Destination-Realm and forward the message to the chosen route.
Diameter Message Routing Function (Cont.)

(Diagram: the Client (Hostname=Client.RealmA) in RealmA sends Request (ApplicationID, DestRealm=RealmB, DestHost=Server.RealmB).
1. Routing at DA1; 2. Routing at DA2; 3. Forwarding to the Server (Hostname=Server.RealmB) in RealmB;
4. Response from the Server; 5. Response via DA2; 6. Response via DA1 back to the Client.)

Routing: message routing based on the Realm-Based Routing Table.
Forwarding: message forwarding based on the peer device table.
The response message does not carry target address information; it is returned along the path of the corresponding request message (each hop matches it by the Hop-by-Hop Identifier).
Reference: IETF RFC 3588 Diameter Base Protocol (since superseded by RFC 6733).

Switchover

(Diagram: 1. the Client sends a Request to DA1; 2. DA1 forwards it to DA2; due to a link failure the request is not delivered to the peer, or no response is received; DA1 retransmits the message over another path with the T bit set to 1, marking it as a retransmission; 5./6. the Response returns along the path taken.)

Each node keeps a request queue: Diameter caches every request message so that it can be retransmitted when a link fails, ensuring the message reaches its destination as soon as possible and reducing delay.
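The routing decision, the answer path and the switchover of the three preceding slides, as an added simulation that is not code from the deck: a relay agent forwards by peer table when the Destination-Host is adjacent, otherwise by a realm routing table, keeps Hop-by-Hop state so answers are returned to the peer the request came from, and on link failure re-sends queued requests over an alternate route with the T bit set. The `Msg` record, the hostnames and the error code 3002 (DIAMETER_UNABLE_TO_DELIVER) returned when no route exists are assumptions of this example; the realm routes are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

FLAG_T = 0x10   # retransmission bit in the Diameter command flags


@dataclass
class Msg:
    command: int
    app_id: int
    hbh: int
    e2e: int
    dest_realm: str
    dest_host: Optional[str] = None
    is_request: bool = True
    flags: int = 0
    result: Optional[int] = None


@dataclass
class Pending:
    from_peer: str       # who sent us the request
    original_hbh: int    # their Hop-by-Hop Identifier, restored on the answer
    sent_to: str         # where we forwarded it
    msg: Msg


class DiameterAgent:
    """Relay behaviour of the base protocol: forward by peer table when the
    Destination-Host is an adjacent peer, otherwise by the realm routing table;
    answers follow the stored Hop-by-Hop state back; on link failure queued
    requests are re-sent over an alternate route with the T bit set."""

    def __init__(self, peers: List[str], realm_routes: Dict[Tuple[str, int], List[str]]):
        self.peers = set(peers)                 # adjacent peers (peer table)
        self.realm_routes = realm_routes        # (realm, app) -> ordered next hops
        self.pending: Dict[int, Pending] = {}   # our hbh -> state (the request queue)
        self.down: Set[str] = set()
        self._next_hbh = 1

    def _next_hop(self, msg: Msg, avoid: Optional[str] = None) -> Optional[str]:
        if msg.dest_host in self.peers and msg.dest_host not in self.down and msg.dest_host != avoid:
            return msg.dest_host                # forwarding: peer table
        for hop in self.realm_routes.get((msg.dest_realm, msg.app_id), []):
            if hop not in self.down and hop != avoid:
                return hop                      # routing: realm-based routing table
        return None

    def route_request(self, from_peer: str, msg: Msg) -> Tuple[str, Msg]:
        hop = self._next_hop(msg)
        if hop is None:                         # no route: answer with 3002 (assumption)
            return from_peer, Msg(msg.command, msg.app_id, msg.hbh, msg.e2e, msg.dest_realm,
                                  is_request=False, result=3002)
        my_hbh = self._next_hbh                 # new Hop-by-Hop ID per hop, End-to-End ID kept
        self._next_hbh += 1
        out = Msg(msg.command, msg.app_id, my_hbh, msg.e2e, msg.dest_realm, msg.dest_host,
                  True, msg.flags)
        self.pending[my_hbh] = Pending(from_peer, msg.hbh, hop, out)
        return hop, out

    def route_answer(self, answer: Msg) -> Optional[Tuple[str, Msg]]:
        state = self.pending.pop(answer.hbh, None)
        if state is None:
            return None                         # unknown or duplicate answer: discard
        back = Msg(answer.command, answer.app_id, state.original_hbh, answer.e2e,
                   answer.dest_realm, None, False, answer.flags, answer.result)
        return state.from_peer, back

    def link_down(self, peer: str) -> List[Tuple[str, Msg]]:
        """Switchover: every request queued towards the failed peer is retransmitted
        via another route with T set; requests with no other route stay pending."""
        self.down.add(peer)
        resent = []
        for state in list(self.pending.values()):
            if state.sent_to != peer:
                continue
            hop = self._next_hop(state.msg, avoid=peer)
            if hop is None:
                continue
            state.msg.flags |= FLAG_T
            state.sent_to = hop
            resent.append((hop, state.msg))
        return resent
```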


VPN Definition

(Diagram: headquarters connected to a partner, a remote office, a branch, an office and employees on business trips; tunnels over the Internet replace the leased line.)

VPN: Virtual Private Network
Branch

Classification of VPN
Based on the applications
Access VPN
Intranet VPN
Extranet VPN

Based on Realization Layer


Layer 2 VPN
Layer 3 VPN


Access VPN

(Diagram: tunnels from ISP POPs to HQ, originated either by the ISP or by the user.)

Dial-network expansion:
Employees on errands
Remote small office

Intranet VPN
(Diagram: HQ, research institute, branch and office connected by tunnels across the Internet / ISP IP / ATM/FR network.)

Extranet VPN
(Diagram: HQ, remote office and branch connected across the Internet / ISP IP / ATM/FR network, with a partner site also admitted.)

Classification Based on Realization Layer
Layer 2 VPN
L2TP: Layer 2 Tunneling Protocol (RFC 2661)
PPTP: Point-to-Point Tunneling Protocol
L2F: Layer 2 Forwarding

Layer 3 VPN
GRE: Generic Routing Encapsulation (RFC 2784)
IPsec: IP Security

Principles of VPN Design

Security
Tunneling and encryption
Data authentication
User authentication
Firewall and attack detection

Reliability
Economical efficiency
Scalability

GRE Overview
GRE is the Generic Routing Encapsulation protocol. It encapsulates datagrams of a network layer protocol (e.g. IP, IPX, AppleTalk) so that they can be transmitted across an IP network.
GRE is the layer 3 tunnelling protocol of VPNs (Virtual Private Networks): a tunnel is established between protocol layers.
GRE by itself provides neither confidentiality nor authentication; a GRE VPN that must be private is combined with IPsec (GRE over IPsec).

GRE Protocol Stack

Passenger protocol: IP/IPX
Encapsulation protocol: GRE
Transmission protocol: IP
Link layer

Tunnel interface message format: Data Link Layer | IP | GRE | IP/IPX | Payload

GRE Builds a VPN

(Diagram: Branch and HQ joined by a GRE tunnel across the Internet; each packet in the tunnel is Transfer Protocol Header | GRE Header | Original Data Packet.)

IPsec Overview
IPsec (IP Security) is a framework of open standards developed by the Internet Engineering Task Force (IETF).
IPsec includes two protocols: AH (Authentication Header) and ESP (Encapsulating Security Payload).
IPsec provides security services at the IP layer and has two modes of operation: tunnel mode and transport mode.

Composition of the IPsec Protocol

IPsec provides two security protocols
AH (Authentication Header), integrity algorithms (used as HMAC):
MD5 (Message Digest 5)
SHA-1 (Secure Hash Algorithm)

ESP (Encapsulating Security Payload), encryption algorithms:
DES (Data Encryption Standard)
3DES
Other algorithms: Blowfish, CAST, ...

DES, MD5 and SHA-1 are the algorithms of this deck's era; current deployments use AES (preferably AES-GCM) and SHA-2.

Security Features of IPsec

Confidentiality: client data is encrypted and transmitted as ciphertext.
Data integrity: the receiver authenticates the received data to determine whether the packet has been modified.
Data origin authentication: the receiver authenticates the data source to make sure that the data was sent by the real sender.
Anti-replay: prevents a malicious party from repeatedly sending a captured packet; the receiver rejects old or duplicate packets.
Basic Concept of IPSec

Security Association
Security Parameter Index
Sequence Number

Life Time
Data Flow
Security Proposal


AH Protocol

Transport mode: IP HDR | AH | Data
Tunnel mode: New IP HDR | AH | Org IP HDR | Data

AH format (bit positions 0-31):
| Next Header (8) | Payload Len (8) | RESERVED (16) |
| Security Parameters Index (SPI) (32) |
| Sequence Number Field (32) |
| Authentication Data (variable) |
ESP Protocol

Transport mode: IP HDR | ESP Hdr | Data | ESP Trailer | ESP Auth
Tunnel mode: New IP HDR | ESP Hdr | Org IP HDR | Data | ESP Trailer | ESP Auth
Encrypted part: from Data (from the original IP header in tunnel mode) through the ESP Trailer; ESP Auth covers the ESP header and the encrypted part.

ESP format (bit positions 0-31):
| Security Parameters Index (SPI) (32) |
| Sequence Number (32) |
| Payload Data* (variable) |
| Padding (0-255 bytes) | Pad Length (8) | Next Header (8) |
| Authentication Data (variable) |
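The AH header above and the anti-replay service shared by AH and ESP, as an added example that is not code from the deck: a sender emits AH-protected packets with a strictly increasing sequence number and an HMAC-SHA1-96 ICV (RFC 2404) over the canonical IP header, the AH with a zeroed ICV field and the payload; the receiver checks SPI, runs the preliminary replay-window check, verifies the ICV in constant time and only then advances the window (RFC 4303 Appendix A style). The SPI, key and the pre-zeroed IP header are constructed inputs; zeroing the mutable IP fields is assumed to be done by the caller.

```python
import hashlib
import hmac
import struct
from typing import Optional

AH = struct.Struct("!BBHII")       # Next Header, Payload Len, Reserved, SPI, Sequence Number
ICV_LEN = 12                       # HMAC-SHA1-96: first 96 bits of the HMAC
PROTO_TCP = 6


class ReplayWindow:
    """Sliding window: 'top' is the highest sequence number accepted so far and
    bit i of the bitmap marks top-i as already seen."""

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check(self, seq: int) -> bool:
        if seq == 0:
            return False                        # 0 is never a valid sequence number
        if seq > self.top:
            return True                         # new, to the right of the window
        if self.top - seq >= self.size:
            return False                        # too old: left of the window
        return not (self.bitmap >> (self.top - seq)) & 1   # inside: reject if seen

    def update(self, seq: int) -> None:
        mask = (1 << self.size) - 1
        if seq > self.top:
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def icv(key: bytes, ip_header: bytes, ah_fields: bytes, payload: bytes) -> bytes:
    """ICV over the mutable-fields-zeroed IP header, the AH with a zeroed ICV
    field and the payload (assumption: ip_header is already canonical)."""
    mac = hmac.new(key, ip_header + ah_fields + b"\0" * ICV_LEN + payload, hashlib.sha1)
    return mac.digest()[:ICV_LEN]


class AhSender:
    def __init__(self, spi: int, key: bytes):
        self.spi, self.key, self.seq = spi, key, 0

    def protect(self, ip_header: bytes, payload: bytes, next_header: int = PROTO_TCP) -> bytes:
        self.seq += 1                           # strictly increasing, never reused within an SA
        payload_len = (AH.size + ICV_LEN) // 4 - 2   # AH length in 32-bit words minus 2
        fields = AH.pack(next_header, payload_len, 0, self.spi, self.seq)
        return fields + icv(self.key, ip_header, fields, payload) + payload


class AhReceiver:
    def __init__(self, spi: int, key: bytes):
        self.spi, self.key, self.window = spi, key, ReplayWindow()
        self.last_error: Optional[str] = None

    def unprotect(self, ip_header: bytes, ah_packet: bytes) -> Optional[bytes]:
        """Returns the payload, or None with the reason in last_error.
        Order: SPI lookup, preliminary replay check, ICV, then window update."""
        _next, _plen, _res, spi, seq = AH.unpack_from(ah_packet)
        fields = ah_packet[:AH.size]
        got_icv = ah_packet[AH.size:AH.size + ICV_LEN]
        payload = ah_packet[AH.size + ICV_LEN:]
        if spi != self.spi:
            self.last_error = "unknown SPI"
            return None
        if not self.window.check(seq):
            self.last_error = "replayed or stale sequence number"
            return None
        if not hmac.compare_digest(got_icv, icv(self.key, ip_header, fields, payload)):
            self.last_error = "ICV mismatch"
            return None
        self.window.update(seq)                 # only after the ICV verified
        self.last_error = None
        return payload
```

The window is advanced only after a successful ICV check, so a forged packet with a large sequence number cannot push genuine in-flight packets out of the window.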

IKE
IKE (Internet Key Exchange) is a hybrid protocol that implements both the Oakley and SKEME key exchanges.
This protocol defines standards for automatically authenticating IPsec peers, negotiating security services and generating shared keys.
IKE calculates the keys on both sides; it never transmits a key.

IKE Security Mechanisms

Perfect Forward Secrecy (PFS)
Authentication
Identity authentication
Identity protection
DH exchange and key distribution

IKE Exchange Process (Peer1 <-> Peer2)

1. SA exchange: the sender sends its local IKE policy; the receiver searches for a matching policy; both sides confirm the algorithms to be used (policy confirmed).
2. Key exchange: each side sends its key information (DH public value); both sides generate the same key locally.
3. ID and authentication exchange: each side sends its ID and authentication data; the peer's identity is verified.
DH Exchange and Key Product

Peer1 and Peer2 share the public parameters $(g, p)$.
Peer1 picks secret $a$ and sends $c = g^a \bmod p$; Peer2 picks secret $b$ and sends $d = g^b \bmod p$.
Peer1 computes $d^a \bmod p$; Peer2 computes $c^b \bmod p$.
$d^a \bmod p = c^b \bmod p = g^{ab} \bmod p$ is the shared key; an eavesdropper sees only $g$, $p$, $c$ and $d$.
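The exchange above carried out in code, as an added example that is not from the deck: both peers compute the same $g^{ab} \bmod p$ while only $g$, $p$, $c$ and $d$ appear on the wire, fresh random exponents per session give the Perfect Forward Secrecy of the previous slide, and trivial public values are rejected. The textbook group $p = 23$, $g = 5$ is used for the deterministic check; `P_DEMO` is a real prime but not a standard IKE group, and `session_key` stands in for IKE's PRF-based derivation (both assumptions of this example).

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

P_TEXTBOOK, G_TEXTBOOK = 23, 5          # the usual classroom example
P_DEMO, G_DEMO = 2**127 - 1, 3          # a real prime, but NOT a standard IKE group (assumption)


def dh_keypair(p: int, g: int, exponent: Optional[int] = None) -> Tuple[int, int]:
    """Private exponent (random unless given) and the public value g^exponent mod p."""
    a = exponent if exponent is not None else secrets.randbelow(p - 3) + 2
    return a, pow(g, a, p)


def dh_shared(peer_public: int, own_private: int, p: int) -> int:
    """Reject 0, 1 and p-1: they force the shared secret into a trivial value."""
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, own_private, p)


def session_key(shared: int, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """IKE derives keying material from the DH result plus both nonces through a
    PRF; a single SHA-256 over the concatenation stands in for that PRF here."""
    width = (shared.bit_length() + 7) // 8 or 1
    return hashlib.sha256(shared.to_bytes(width, "big") + nonce_i + nonce_r).digest()


def ike_style_exchange(p: int, g: int, a: Optional[int] = None, b: Optional[int] = None) -> Dict:
    """Both peers' computations and what the wire carries: only (g, p), c and d."""
    a, c = dh_keypair(p, g, a)              # peer1: c = g^a mod p
    b, d = dh_keypair(p, g, b)              # peer2: d = g^b mod p
    k1 = dh_shared(d, a, p)                 # peer1: d^a mod p
    k2 = dh_shared(c, b, p)                 # peer2: c^b mod p
    return {"wire": (g, p, c, d), "peer1": k1, "peer2": k2}


if __name__ == "__main__":
    print(ike_style_exchange(P_TEXTBOOK, G_TEXTBOOK, a=6, b=15))   # shared key 2
    first, second = ike_style_exchange(P_DEMO, G_DEMO), ike_style_exchange(P_DEMO, G_DEMO)
    print("same key on both sides:", first["peer1"] == first["peer2"])
    print("different sessions, different keys:", first["peer1"] != second["peer1"])
```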

The Function of IKE in IPsec

Reduces the complexity of manual configuration
Refreshes the IPsec SA after an interval
Refreshes the encryption key after an interval
Permits IPsec to provide anti-replay
Permits dynamic authentication between the peers

Relation Between IPsec and IKE

(Diagram: on each peer, IKE runs over UDP and negotiates the IKE SA and then the IPsec SAs; IPsec in the IP layer uses those SAs to produce the encrypted IP packets that carry the TCP/UDP traffic.)
Thank you
www.huawei.com
