Network Working Group                                         O. Okamoto
Request for Comments: 3422                                   M. Maruyama
Category: Informational                                 NTT Laboratories
                                                               T. Sajima
                                                        Sun Microsystems
                                                           November 2002
        

Forwarding Media Access Control (MAC) Frames over Multiple Access Protocol over Synchronous Optical Network/Synchronous Digital Hierarchy (MAPOS)

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2002). All Rights Reserved.

IESG Note

This memo documents a way of tunneling Ethernet frames over MAPOS networks. This document is NOT the product of an IETF working group nor is it a standards track document. It has not necessarily benefited from the widespread and in-depth community review that standards track documents receive.

Abstract

This memo describes a method for forwarding media access control (MAC) frames over Multiple Access Protocol over Synchronous Optical Network/Synchronous Digital Hierarchy (MAPOS), thus providing a way to unify the MAPOS network environment and the MAC-based Local Area Network (LAN) environment.

1. Network Model

In the Network model assumed in this memo, MAC-based LAN traffic is forwarded by a MAPOS switched network. This model allows distant LANs to be interconnected to form a single LAN segment. Transparent LAN Service (TLS) is provided by encapsulating MAC frames in MAPOS frames and by mapping MAC addresses to MAPOS addresses.

This network model is shown in figure 1. "MAPOS network" is composed of MAPOS switches, SONET/SDH leased lines and optical fiber cables. A LAN is connected to a MAPOS network by a Network Adapter (NA) which has a MAPOS interface and an ethernet interface. A unique MAPOS address is assigned to each NA by NSP (Node-Switch Protocol) [2].

                                +-----------+
      MAC-based LAN N1 +---+    |   MAPOS   |    +---+ MAC-based LAN N2
        ---------------|   |----|  network  |----|   |---------------
         |             +---+    |           |    +---+             |
      +-----+         Network   |    N0     |   Network         +-----+
      |     |         adapter   +-----------+   adapter         |     |
      +-----+            B1                       B2            +-----+
      Host H1                                                   Host H2
        

Figure 1. VPN network service model with LANs N1 and N2

Host H1 in LAN N1 and host H2 in LAN N2 are connected to distinct MAC-based LANs. Transparent LAN service is provided by MAPOS network N0 exchanging MAC frames between Host H1 and Host H2.

Using this mechanism, a single VLAN segment can be set up from multiple LANs that may be geographically located far away from each other.

The use of a switched technology is recommended for building a MAC-based LAN. In some cases, however, this becomes a requirement. A likely example is a MAC-based LAN that has two network adapters, both attached to the same MAPOS network (for redundancy). If the LAN is built using shared (non-switched) technology, then this loop configuration is bound to suffer a storm of incessant broadcast traffic. This can only be circumvented by using switched technology with support for broadcast spanning tree [7].

2. Forwarding a MAC Frame

This section describes the MAC frame forwarding mechanism in the MAPOS network.

2.1. Outline

In figure 2, LANs N1 and N2 communicate via MAPOS network N0. NAs B1 and B2 are gateways into Network N0, and they each have a MAPOS interface and an ethernet interface.

                                +------------+
                                |MAPOS header|
      +-----------+             +------------+             +-----------+
      | MAC header| encapsulate | MAC  header| decapsulate | MAC header|
      +-----------+ ----------> +------------+ ----------> +-----------+
      |information|             | information|             |information|
      +-----------+             +------------+             +-----------+
        MAC frame             Bridged MAPOS frame             MAC frame
        
                                +------------+
        LAN N1         +---+    |    MAPOS   |    +---+         LAN N2
        ---------------|   |----|   network  |----|   |---------------
         |             +---+    |            |    +---+             |
      +-----+            B1     |      N0    |      B2           +-----+
      |     |                   +------------+                   |     |
      +-----+                                                    +-----+
      Host H1                                                    Host H2
        

Figure 2. Forwarding a MAC frame from H1 to H2 over the VPN

The process of forwarding a MAC frame transparently from host H1 to host H2 is also shown in figure 2. NA B1 encapsulates a MAC frame from host H1, and forwards it to MAPOS network N0. NA B2 decapsulates the MAPOS frame, then forwards the MAC frame to host H2.

2.2. MAPOS encapsulation format

To transmit a MAC frame into a MAPOS network, the NA encapsulates the frame as shown in the following figures. This frame format is based on Bridged LAN Traffic for PPP [4]; only the fields with semantics specific to this document are described below. The fields are transmitted from left to right.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+
      |  HDLC Flag    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |      Address and Control      |      0xFE     |      0x31     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |        (reserved)             |     Source MAPOS Address      |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |F|0|Z|0| Pads  |   MAC Type    |    Destination MAC Address    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                       Destination MAC Address                 |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                       Source MAC Address                      |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Source MAC Address        |          Length/Type          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                    LLC data ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                   LAN FCS (optional)                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |               potential line protocol pad                     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                   Frame FCS (16/32bits)                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        

Figure 3. 802.3 Frame format (IEEE 802 Un-tagged Frame)

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+
      |   HDLC FLAG   |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |      Address and Control      |      0xFE     |      0x31     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |         (reserved)            |     Source MAPOS Address      |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |F|0|Z|0| Pads  |    MAC Type   |   Pad Byte    | Frame Control |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                       Destination MAC Address                 |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Destination MAC Address   |  Source MAC Address           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                       Source MAC Address                      |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                    LLC data ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                   LAN FCS (optional)                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |              optional Data Link Layer padding                 |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                   Frame FCS (16/32bits)                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        

Figure 4. 802.4/802.5/FDDI Frame format (IEEE 802 Un-tagged Frame)

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+
      |  HDLC Flag    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |      Address and Control      |      0xFE     |      0x31     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |        (reserved)             |     Source MAPOS Address      |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |F|0|Z|0| Pads  |   MAC Type    |    Destination MAC address    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                       Destination MAC Address                 |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                       Source MAC Address                      |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |      Source MAC Address       |     0x81      |      0x00     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |Pri  |C| VLAN ID               |      Length/Type              |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                    LLC data ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                   LAN FCS (optional)                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                 potential line protocol pad                   |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                   Frame FCS (16/32bits)                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        

Figure 5. 802.3 Frame format (IEEE 802 Tagged Frame)

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+
      |   HDLC FLAG   |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |      Address and Control      |      0xFE     |      0x31     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |        (reserved)             |     Source MAPOS Address      |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |F|0|Z|0| Pads  |    MAC Type   |   Pad Byte    | Frame Control |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                       Destination MAC Address                 |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Destination MAC Address   |  Source MAC Address           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                       Source MAC Address                      |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                   SNAP-encoded TPID                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                   SNAP-encoded TPID                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |Pri  |C| VLAN ID               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                    LLC data ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                   LAN FCS (optional)                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |              optional Data Link Layer padding                 |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                   Frame FCS (16/32bits)                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        

Figure 6. 802.4/802.5/FDDI Frame format (IEEE 802 Tagged Frame)

Address and Control

These fields contain the destination HDLC address as defined by MAPOS Version 1 [1] and MAPOS 16 [3].

Protocol Field

0xFE31 for bridged LAN traffic for MAPOS. An NA should accept only NSP (0xFE03) frames and bridged MAPOS (0xFE31) frames; all others should be silently discarded.

Source MAPOS address

Contains the MAPOS address of the sending NA. For MAPOS version 1 [1] the 8-bit HDLC address is placed in the least significant place of the 16-bit field and the upper eight bits must be zero.
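The receive-side checks implied by the field descriptions above, written out as an added example (not code from this memo or its authors). It follows the byte layout of Figures 3 and 5 with the HDLC flag and Frame FCS already removed; the function and class names are hypothetical, the sample bytes are constructed, the meanings of the F and Z bits and MAC Type 1 (802.3) are taken from the PPP bridging format cited as [4], and rejecting a frame whose MAPOS version 1 source address has non-zero upper bits is an assumption about how to enforce "must be zero".

```python
import struct
from dataclasses import dataclass
from typing import Optional

PROTO_NSP = 0xFE03       # Node-Switch Protocol, accepted by an NA
PROTO_BRIDGED = 0xFE31   # bridged LAN traffic for MAPOS
TPID_8021Q = 0x8100      # the 0x81 0x00 marker of the tagged frame (Figure 5)
MAC_TYPE_8023 = 1        # assumption: MAC Type value from the format cited as [4]
MIN_UNTAGGED = 24        # bytes up to and including Length/Type in Figure 3
MIN_TAGGED = 28          # same, plus the 4-byte tag of Figure 5


@dataclass
class BridgedFrame:
    addr_ctrl: bytes         # destination HDLC address and control, kept opaque
    src_mapos: int           # MAPOS address of the sending NA
    lan_fcs_present: bool    # F bit
    zero_fill: bool          # Z bit
    pads: int                # 4-bit pad count
    mac_type: int
    dst_mac: bytes
    src_mac: bytes
    vlan_id: Optional[int]   # None for an un-tagged frame
    length_type: int
    payload: bytes           # LLC data plus any LAN FCS and line protocol pad


def classify(frame: bytes) -> str:
    """Return 'nsp', 'bridged' or 'discard' from the 16-bit protocol field."""
    if len(frame) < 4:
        return "discard"
    (proto,) = struct.unpack_from("!H", frame, 2)
    if proto == PROTO_NSP:
        return "nsp"
    if proto == PROTO_BRIDGED:
        return "bridged"
    return "discard"         # anything else is silently dropped


def parse_bridged(frame: bytes, mapos_v1: bool = True) -> Optional[BridgedFrame]:
    """Parse an 802.3 bridged MAPOS frame; None means 'discard silently'."""
    if classify(frame) != "bridged" or len(frame) < MIN_UNTAGGED:
        return None
    _reserved, src_mapos, flags, mac_type = struct.unpack_from("!HHBB", frame, 4)
    # MAPOS version 1: 8-bit address in the low byte, upper eight bits zero.
    if mapos_v1 and src_mapos > 0xFF:
        return None
    # Other MAC types use the Figure 4/6 layout, which this example does not parse.
    if mac_type != MAC_TYPE_8023:
        return None
    dst_mac, src_mac = frame[10:16], frame[16:22]
    (length_type,) = struct.unpack_from("!H", frame, 22)
    vlan_id, offset = None, MIN_UNTAGGED
    if length_type == TPID_8021Q:
        if len(frame) < MIN_TAGGED:
            return None      # tag announced but truncated
        tci, length_type = struct.unpack_from("!HH", frame, 24)
        vlan_id, offset = tci & 0x0FFF, MIN_TAGGED
    return BridgedFrame(
        addr_ctrl=frame[0:2],
        src_mapos=src_mapos,
        lan_fcs_present=bool(flags & 0x80),
        zero_fill=bool(flags & 0x20),
        pads=flags & 0x0F,
        mac_type=mac_type,
        dst_mac=dst_mac,
        src_mac=src_mac,
        vlan_id=vlan_id,
        length_type=length_type,
        payload=frame[offset:],
    )


# Constructed sample: addr/ctrl bytes are placeholders, source MAPOS address 0x0005.
SAMPLE_UNTAGGED = (
    bytes([0x03, 0x03]) + bytes.fromhex("fe31") + bytes.fromhex("0000")
    + bytes.fromhex("0005") + bytes([0x00, MAC_TYPE_8023])
    + bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    + bytes.fromhex("0806") + b"arp-payload"
)

if __name__ == "__main__":
    print(parse_bridged(SAMPLE_UNTAGGED))
```
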

3. Determination of the Destination MAPOS Address

The destination MAPOS address for a MAC frame to be bridged is determined by searching the address table composed of entries of the form

{destination MAC address, destination MAPOS address}

during the encapsulation phase.

For example, in figure 2, when a MAC frame to be sent to host H2 is encapsulated, the destination MAPOS address corresponding to NA B2 is used.

Determination of the destination MAPOS address for forwarding a MAC unicast frame is described in 3.1. The method for forwarding a MAC broadcast or multicast frame is described in 3.2. Methods for populating the address table are explained in 3.3.

3.1. Destination MAPOS address for forwarding a MAC unicast frame

In NA, entries of the form

{destination MAC address, destination MAPOS address}

are held in its address table. When a MAC frame is received by the ethernet interface, the address table is searched using the destination MAC address as the key. If a matching entry is found, the corresponding MAPOS address is used as the destination MAPOS address. If no matching entry exists, MAC broadcast forwarding (3.2) is used.

3.2. Forwarding a MAC broadcast or multicast frame

All MAC broadcast or multicast frames must be duplicated for transmission (via MAPOS unicast) to each of the peer network adapters in the same VLAN as the sending network adapter.

Consider an example shown in figure 7 where six LANs N1 through N6 are connected to the MAPOS network via network adapters B1 through B6.

                                +------------+
        LAN N1         +---+    |            |    +---+         LAN N2
        ---------------|   |----|            |----|   |---------------
         |             +---+    |            |    +---+             |
      +-----+         Network   |            |   Network         +-----+
      |     |         adapter   |            |   adapter         |     |
      +-----+            B1     |            |      B2           +-----+
      Host H1                   |            |                   Host H2
                                |            |
                                |            |
                                |            |
        LAN N3         +---+    |    MAPOS   |    +---+         LAN N4
        ---------------|   |----|   network  |----|   |---------------
         |             +---+    |            |    +---+             |
      +-----+         Network   |      N0    |   Network         +-----+
      |     |         Adapter   |            |   adapter         |     |
      +-----+            B3     |            |     B4            +-----+
      Host H3                   |            |                   Host H4
                                |            |
                                |            |
                                |            |
        LAN N5         +---+    |            |    +---+         LAN N6
        ---------------|   |----|            |----|   |---------------
         |             +---+    |            |    +---+             |
      +-----+         Network   |            |   Network         +-----+
      |     |         adapter   +------------+   adapter         |     |
      +-----+            B5                        B6            +-----+
      Host H5                                                    Host H6
        

Figure 7. Six networks connected to the MAPOS network

If a VLAN is configured with LANs N1, N2, and N3, a MAC broadcast or multicast frame originating from LAN N1 must not be forwarded to LAN N4, N5, or N6 but only to LANs N1, N2, and N3. It is duplicated twice for encapsulation and delivery to B2 and B3 via MAPOS unicast.

A set of network adapters that belongs to the same VLAN defines the broadcast scope of the VLAN. Before a VLAN is put to use, each NA in the VLAN must be configured with the MAPOS addresses of its peer NAs. A NA should silently discard bridged MAPOS frames with a MAPOS source address that is not among the peers that the NA knows about.

The use of MAPOS multicast for forwarding MAC broadcast frames is under further study.

3.3. Methods for configuring the address table

This section describes two methods for setting up an address table: static and dynamic. NA must implement the static method described in 3.3.1. The dynamic method (3.3.2) is optional, but an implementation must provide an option to disable this feature.

3.3.1. Static setup of address table

The address table can be set up statically. Before using a VLAN, address table entries for each NA in the VLAN must be populated manually.

These entries are considered permanent until they are manually removed, and must not be "aged" or overwritten by the dynamic procedure described in 3.3.2.

3.3.2. Dynamic setup of address table

The address table can also be set up dynamically. A NA discovers entries for its address table from incoming encapsulated MAPOS frames.

The NA adds the pair

{source MAC address, source MAPOS address}

to its address table when it receives an encapsulated MAPOS frame.

Entries discovered this way are subject to an aging timer (which should be configurable, with a default of 300 seconds). Once the timer for an entry expires, the entry is removed from the address table. The timer is reset each time an encapsulated MAPOS frame with the same source MAC address is received.

There must be at most one entry for a source MAC address. If a discovered MAPOS address for a MAC address differs from the previously discovered address, the new one takes precedence and the address table entry must be overwritten. Under no circumstance may a discovered entry overwrite a statically created entry (3.3.1).

Discovery process using ARP [6] packets between host H1 (the MAC address is h1) in LAN N1 and host H2 (the MAC address is h2) in LAN N2 is shown below.

The MAPOS addresses of NAs B1, B2, B3 are b1, b2, b3 respectively.

                              +-----------+
        LAN N1       +---+    |           |
        -------------|   |----|           |
         |           +---+    |           |
      +-----+       Network   |           |
      |     |       adapter   |   MAPOS   |    +---+         LAN N2
      +-----+          B1     |  network  |----|   |------------
      Host H1                 |           |    +---+          |
   (ARP request)              |    N0     |   Network      +-----+
                              |           |   adapter      |     |
                              |           |      B2        +-----+
        LAN N3       +---+    |           |                Host H2
        -------------|   |----|           |              (ARP reply)
         |           +---+    |           |
      +-----+       Network   +-----------+
      |     |       adapter
      +-----+          B3
      Host H3
        
Figure 8. Three networks connected to the MAPOS network

(1) Host H1 transmits an ARP request frame. An ARP request frame is a MAC broadcast frame.

(2) At NA B1, the ARP request frame is received and encapsulated. Because the VPN is composed of LANs N1, N2, and N3, NA B1 must send a MAPOS frame that has destination MAPOS address b2 and another MAPOS frame that has destination MAPOS address b3. MAPOS address b1 is stored in the source MAPOS address field of each frame.

(3) The bridged MAPOS frame arrives at NAs B2 and B3 from the MAPOS network.

(4) NAs B2 and B3 receive the bridged MAPOS frame, and the pair

{h1, b1}

is added to their address tables.

(5) In NA B2, the received MAPOS frame is decapsulated, and the MAC frame is forwarded to LAN N2. Similarly, in NA B3, the received MAPOS frame is decapsulated, and the MAC frame is forwarded to LAN N3.

(6) At host H2, which exists in LAN N2, an ARP reply frame is transmitted to host H1.

(7) Via the ethernet interface on NA B2, the ARP reply frame is received, and MAPOS encapsulation is done.

Because the entry

{h1, b1}

is registered in the address table, b1 is determined to be the destination MAPOS address. The bridged frame is forwarded to the MAPOS network.

(8) MAPOS network delivers the bridged MAPOS frame to NA B1.

(9) NA B1 decapsulates the bridged MAPOS frame and forwards the MAC frame to LAN N1. At the same time, the entry {h2, b2} is registered in NA B1's address table.

(10) Host H1 receives the ARP reply frame.
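
The address table rules of 3.3.1 and 3.3.2, together with the peer check on the source MAPOS address, can be exercised by replaying the ARP exchange above. The following Python sketch is an added example and not part of the RFC; the class and method names, the string addresses, and the flooding of unknown unicast destinations are assumptions.

```python
import time
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEFAULT_AGING = 300.0  # seconds; the default named in 3.3.2


@dataclass
class Entry:
    mapos: str        # MAPOS address of the NA behind which the MAC lives
    static: bool      # True for 3.3.1 entries, which never age
    seen: float       # time the aging timer was last reset


class AddressTable:
    """Address table of one NA. Names are illustrative, not from the RFC."""

    def __init__(self, peers, aging=DEFAULT_AGING, dynamic=True, clock=time.monotonic):
        self.peers = set(peers)   # MAPOS addresses of the VLAN peer NAs
        self.aging = aging
        self.dynamic = dynamic    # the dynamic method must be disableable
        self.clock = clock
        self.entries = {}         # source MAC -> Entry, so one entry per MAC

    def add_static(self, mac, mapos):
        self.entries[mac] = Entry(mapos, True, self.clock())

    def receive(self, src_mac, src_mapos):
        """Handle an incoming bridged frame; False means silently discarded."""
        if src_mapos not in self.peers:
            return False          # not a VLAN peer: drop and learn nothing
        known = self.entries.get(src_mac)
        if self.dynamic and not (known and known.static):
            # New pair, changed MAPOS address, or timer reset for a known pair.
            self.entries[src_mac] = Entry(src_mapos, False, self.clock())
        return True

    def expire(self):
        now = self.clock()
        stale = [m for m, e in self.entries.items()
                 if not e.static and now - e.seen >= self.aging]
        for mac in stale:
            del self.entries[mac]

    def destinations(self, dst_mac):
        """MAPOS destination addresses for an outgoing MAC frame."""
        self.expire()
        entry = self.entries.get(dst_mac)
        if dst_mac != BROADCAST and entry is not None:
            return [entry.mapos]
        # Broadcast: one MAPOS unicast copy per peer. Flooding an unknown
        # unicast destination the same way is an assumption of this sketch.
        return sorted(self.peers)


def replay_arp_exchange():
    """Steps (1)-(10) with constructed addresses h1, h2 and b1..b3."""
    now = [0.0]
    clock = lambda: now[0]
    b1 = AddressTable({"b2", "b3"}, clock=clock)
    b2 = AddressTable({"b1", "b3"}, clock=clock)
    b3 = AddressTable({"b1", "b2"}, clock=clock)
    request = b1.destinations(BROADCAST)   # (1)-(2) ARP request from H1
    for na in (b2, b3):                    # (3)-(5) B2 and B3 learn {h1, b1}
        na.receive("h1", "b1")
    reply = b2.destinations("h1")          # (6)-(7) ARP reply resolves to b1
    b1.receive("h2", "b2")                 # (8)-(9) B1 learns {h2, b2}
    return request, reply, b1, b2, b3, now
```

The returned one-element list `now` is the simulated clock, so a caller can advance it to watch discovered entries age out while static ones persist.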

4. Connecting a MAPOS Host to the VLAN

In order for a native MAPOS host to connect to a VLAN, it must have its own unique MAC address and implement all the features of a network adapter appropriate for the MAC framing that it wishes to use.

5. Security Considerations

This section discusses some of the security factors that need to be considered when planning a transparent LAN service described in section 1, "Network Model."

5.1 Management boundaries

In a large network, different parts of the network are managed by different organizations, and it is essential to clearly define the boundaries of management responsibilities.

A probable scenario is that a common carrier provides transparent LAN service to a variety of customers. Each customer is a distinct organization, expecting virtual private network service. In such a case, the common carrier should take management responsibility for the MAPOS network, optical cables to customer sites, and the network adapters that reside in customer premises.

                                     +----+
     MAPOS Net +-------- ... --------+ NA +---- MAC-based LAN
                                     +----+
        Common Carrier Responsibility --->|<-- Customer Responsibility
        
In essence, the customer is allowed to do no more than connect the cable from their MAC-based LAN to the network adapters. The common carrier should be very careful to monitor and protect its assets, including SONET/SDH connections and network adapters. In particular, network adapters serve as the primary line of defense against attacks and should be closely guarded.

5.2 Risks

Privacy of every customer connected to the carrier's MAPOS network may be compromised.

5.3 Attack against network adapters

A network adapter should be a dedicated device. This makes the device simple and easier to harden against break-in attempts. In the worst case, the device may crash causing network outage that only affects the customer that the failed network adapter serves. At this point, the privacy of other customers is still safe.

A more meaningful attack would be to replace a network adapter with some other intelligent agent that knows how network adapters work. This is possible because network adapters are customer premise equipment. Using such a device, an attacker can infiltrate the networks of other customers. Filtering based on source MAPOS address in bridging traffic is ineffective because this field is filled-in by network adapters -- MAPOS networks do not forward source addresses.

5.4 Filtering at network adapters and MAPOS switches

Network adapters should have the following frame filtering functions.

- Each NA in a VLAN is configured with the MAPOS addresses of its peer NAs that belong to the same VLAN. A NA should only accept bridged MAPOS frames with a source MAPOS address of one of its VLAN peers.

- A NA should never import discovered address table entries with a MAPOS address that is not the address of one of its VLAN peers.

- If a NA detects that the amount of broadcast traffic from a host on the MAC-based LAN exceeds a predefined threshold, the NA should stop forwarding traffic from that host.

By default, frame filtering by MAPOS switches is optional. It is desirable for a MAPOS switch to implement the following filtering features.

- A line interface of a MAPOS switch is made aware of the MAPOS addresses in the VLAN in which the interface participates. The interface discards all incoming bridged traffic (from the NA) that is destined to addresses outside of the VLAN's set.

- MAPOS switch assigns a MAPOS address to a NA using NSP. The switch discards all incoming bridged traffic (from the NA) with the source MAPOS address different from the one that is assigned by NSP.
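
The two switch-side filters and the NA's broadcast threshold can be modelled as follows. This Python sketch is an added example and not part of the RFC; the class names, the drop-reason labels, the count-per-sliding-window form of the threshold, and keeping a host blocked until an operator clears it are assumptions.

```python
from collections import defaultdict, deque


class SwitchLineInterface:
    """One MAPOS switch port facing a NA. Illustrative model, not a switch API."""

    def __init__(self, nsp_assigned, vlan_addrs):
        self.nsp_assigned = nsp_assigned      # address the switch gave this NA via NSP
        self.vlan_addrs = set(vlan_addrs)     # MAPOS addresses in this port's VLAN
        self.drops = defaultdict(int)         # per-reason counters for monitoring

    def ingress(self, src_mapos, dst_mapos):
        """Return True if a bridged frame arriving from the NA may be switched."""
        if src_mapos != self.nsp_assigned:
            self.drops["source-not-nsp-assigned"] += 1
            return False
        if dst_mapos not in self.vlan_addrs:
            self.drops["destination-outside-vlan"] += 1
            return False
        return True


class BroadcastGuard:
    """NA-side check on broadcast volume per host on the MAC-based LAN."""

    def __init__(self, limit, window):
        self.limit = limit                    # broadcasts tolerated per window
        self.window = window                  # window length in seconds
        self.recent = defaultdict(deque)      # source MAC -> broadcast timestamps
        self.blocked = set()                  # hosts whose traffic is no longer forwarded

    def allow(self, src_mac, is_broadcast, now):
        """Return True if a frame from src_mac may be forwarded at time now."""
        if src_mac in self.blocked:
            return False
        if is_broadcast:
            stamps = self.recent[src_mac]
            stamps.append(now)
            # Forget broadcasts that have left the sliding window.
            while now - stamps[0] >= self.window:
                stamps.popleft()
            if len(stamps) > self.limit:
                self.blocked.add(src_mac)     # assumption: blocked until cleared
                return False
        return True


def filter_constructed_frames():
    """Run constructed frames through the port that serves NA b1 (VLAN b1, b2, b3)."""
    port = SwitchLineInterface("b1", {"b1", "b2", "b3"})
    frames = [("b1", "b2"),   # legitimate: b1 to a VLAN peer
              ("b2", "b3"),   # source is a peer's address, not the one assigned here
              ("b1", "b5")]   # destination belongs to another VLAN
    return [port.ingress(s, d) for s, d in frames], dict(port.drops)
```

The drop counters give the carrier a per-port signal to monitor: a non-zero count on either reason means the device on that line is not behaving like the configured network adapter.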

5.5 Additional protection measures

A common carrier can implement additional protective measures such as the following.

- SONET/SDH connection is closely monitored. Once a network adapter is detected to have gone down, subsequent attempts at re-connecting to the MAPOS network are refused until manually re-enabled.

- The above method is effective against real attacks, but it also hinders timely recovery from accidents such as power outages. A reasonable trade-off is to implement an authentication mechanism between the MAPOS network and network adapters, much like the Challenge Handshake Authentication Protocol (CHAP) [8] used in PPP connections. Something similar may be implemented by defining additional message types for NSP.

6. References

[1] Murakami, K. and M. Maruyama, "MAPOS - Multiple Access Protocol over SONET/SDH, Version 1", RFC 2171, June 1997.

[2] Murakami, K. and M. Maruyama, "A MAPOS version 1 Extension - Node-Switch Protocol", RFC 2173, June 1997.

[3] Murakami, K. and M. Maruyama, "MAPOS16 - Multiple Access Protocol over SONET/SDH with 16 Bit Addressing", RFC 2175, June 1997.

[4] Higashiyama, M. and F. Baker, "PPP Bridging Control Protocol (BCP)", RFC 2878, July 2000.

[5] Reynolds, J., Ed., "Assigned Numbers: RFC 1700 is Replaced by an On-line Database", RFC 3232, January 2002.

[6] Plummer, D.C., "Ethernet Address Resolution Protocol: Or converting network protocol addresses to 48.bit Ethernet address for transmission on Ethernet hardware", STD 37, RFC 826, November 1982.

[7] IEEE 802.1D-1993, "Media Access Control (MAC) Bridges," ISO/IEC 15802-3:1993 ANSI/IEEE Std 802.1D, 1993 edition, July 1993.

[8] Simpson, W., "PPP Challenge Handshake Authentication Protocols", RFC 1994, August 1996.

7. Acknowledgements

The authors would like to acknowledge the contributions and thoughtful suggestions of Naohisa Takahashi, Tetsuo Kawano and Tsuyoshi Ogura.

Appendix - Validation of the MAC Frame Forwarding Mechanism

This appendix describes the configuration and procedure used to validate the soundness of the mechanism described in this document. The key points are:

- MAC frames are correctly forwarded by MAPOS network, and

- Even if a network contains loops, broadcast packets do not storm the network. MAC-based networks must use broadcast spanning tree technology in order for this to work.

(1) Verification of MAC frame forwarding on MAPOS network

Hosts H1 and H2, Ethernet switches S1 and S2, network adapters B1 and B2, and a MAPOS switch are connected as shown below. An ethernet protocol analyzer is placed between S1 and B1 for traffic monitoring.

In the diagrams that follow, the hosts are x86 PC running FreeBSD 4.4-RELEASE, ethernet switches are Extreme Summit5i, network adapters are OKI Electric MA-1, and the MAPOS switch is CSR CoreSwitch80.

                               +--------------+
                        +------+ MAPOS SWITCH + ------+
                        |      +--------------+       |
                    +---+---+                     +---+---+
                    | NA B1 |                     | NA B2 |
                    +---+---+                     +---+---+
        +----------+    |                             |
        | Protocol |____|                             |
        | Analyzer |    |                             |
        +----------+    |                             |
                        | (P1)                   (P1) |
        +------+   +----+----+                   +----+----+   +------+
        | Host |___| EtherSW |                   | EtherSW |___| Host |
        |  H1  |   |    S1   |                   |    S2   |   |  H2  |
        +------+   +---------+                   +---------+   +------+
        
Correct forwarding of unicast MAC frames (ping) is observed between H1 and H2 through path (P1).

(2) Verification of spanning tree operation

- Enable spanning tree on S1 and S2.

- Connect S1 and S2 via path (P2) for redundancy.

                               +--------------+
                        +------+ MAPOS SWITCH + ------+
                        |      +--------------+       |
                    +---+---+                     +---+---+
                    | NA B1 |                     | NA B2 |
                    +---+---+                     +---+---+
        +----------+    |                             |
        | Protocol |____|                             |
        | Analyzer |    |                             |
        +----------+    |                             |
                        | (P1)                   (P1) |
        +------+   +----+----+                   +----+----+   +------+
        | Host |___| EtherSW |                   | EtherSW |___| Host |
        |  H1  |   |    S1   |                   |    S2   |   |  H2  |
        +------+   +----+----+                   +----+----+   +------+
                    (P2)|                             |(P2)
                        +-----------------------------+
        
It is observed that broadcast packets are correctly exchanged between S1 and S2, and that no broadcast forwarding loop exists.

(3) Verification of spanning tree fail over

- H1 and H2 communication takes place through path (P1). Spanning tree is configured such that Path (P2) is blocked.

It is observed that severing the link at any point along path (P1) makes the spanning tree configure itself to use path (P2).

It is also observed that restoring path (P1) makes the spanning tree configure itself to use path (P1).

Authors' Addresses

Osamu Okamoto NTT Network Service System Laboratories 3-9-11, Midori-cho Musashino-shi Tokyo 180-8585, Japan

   EMail: okamoto.osamu@lab.ntt.co.jp
        
Mitsuru Maruyama NTT Network Innovation Laboratories 3-9-11, Midori-cho Musashino-shi Tokyo 180-8585, Japan

   EMail: mitsuru@core.ecl.net
        
Takahiro Sajima Sun Microsystems, K.K. 4-10-1, Yoga Setagaya-ku Tokyo 158-8633, Japan

   EMail: tjs@sun.com
        
Full Copyright Statement

Copyright (C) The Internet Society (2002). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.
