ZXR10 ZSR Router Product Description


ZTE Confidential Proprietary 1


Version  Date       Author         Reviewer  Notes
V2.3     2011/7/20  Chen Chixin              Modify interface cards and parameters of Chapter 5
V2.4     2011/2/28  Xie Huachao              Use new template
V2.5     2012/4/30  Xie Huachao              Update
V2.6     2013/2/4   Chen Hongting            Update new template

© 2015 ZTE Corporation. All rights reserved.

ZTE CONFIDENTIAL: This document contains proprietary information of ZTE and is not to be disclosed or used without the prior written permission of ZTE.

Due to the update and improvement of ZTE products and technologies, the information in this document is subject to change without notice.


TABLE OF CONTENTS

1 Overview ............................................................................................................ 5

2 Highlight Features ............................................................................................. 6

2.1 Full modular design, various interface types and flexible scalability ..................... 6

2.2 Perfect integration of switching and routing .......................................................... 6

2.3 Various VPN functions ......................................................................................... 7

2.4 Built-in Firewall .................................................................................................... 7

2.5 Completely support IPv4/v6 dual stacking ............................................................ 8

2.6 Refined QoS features .......................................................................................... 9

2.7 Industry-leading Data Encryption Protection Feature ......................................... 10

2.8 Leading Multi-Function and Multi-Service Platform ............................................ 10

2.9 Carrier-class reliability ........................................................................................ 11

3 Features ........................................................................................................... 12

3.1 Narrowband and broadband in one .................................................................... 12

3.2 802.1X ............................................................................................................... 12

3.3 DHCP function ................................................................................................... 13

3.4 PPPoE-Client ..................................................................................................... 14

3.5 Compression and decompression ...................................................................... 15

3.5.1 Compressed RTP .............................................................................................. 15

3.5.2 Compressed TCP .............................................................................................. 15

3.6 Fast Forwarding ................................................................................................. 16

3.7 Network Address Translation (NAT) ................................................................... 16

3.7.1 Translation of Internal Source Address .............................................................. 17

3.7.2 Internal Global Address Overlapping .................................................................. 18

3.8 Switching and Routing in One ............................................................................ 19

3.8.1 Ethernet switching .............................................................................................. 19

3.8.2 V-switch ............................................................................................................. 20

3.8.3 IPv4 Features .................................................................................................... 20

3.8.4 IPv6 Features .................................................................................................... 22

3.9 Multicast route protocol ...................................................................................... 23

3.9.1 IGMP ................................................................................................................. 23

3.9.2 PIM-SM .............................................................................................................. 23

3.9.3 PIM-DM ............................................................................................................. 24

3.9.4 MSDP ................................................................................................................ 24

3.10 Access Control List ............................................................................................ 24

3.11 IP VPN ............................................................................................................... 26

3.11.1 L2TP VPN .......................................................................................................... 27

3.11.2 GRE VPN .......................................................................................................... 29


3.11.3 IPSec VPN ......................................................................................................... 29

3.12 MPLS VPN......................................................................................................... 32

3.12.1 MPLS L2 VPN .................................................................................................... 33

3.12.2 MPLS L3 VPN .................................................................................................... 33

3.12.3 Multi-VRF ........................................................................................................... 34

3.13 Security functions............................................................................................... 34

3.13.1 Defense against attacks ..................................................................................... 35

3.13.2 Application proxy................................................................................................ 40

3.13.3 Application filtering ............................................................................................. 44

3.14 Network management features .......................................................................... 47

3.14.1 Simple Network Management Protocol (SNMP) ................................................. 47

3.14.2 Remote Network Monitoring (RMON) ................................................................. 47

3.14.3 Statistics and Alarm Management Function ....................................................... 48

3.14.4 Log Management Function ................................................................................ 48

3.14.5 NetNumen™ Integrated Network Management Platform.................................... 48

3.14.6 Netflow ............................................................................................................... 50

3.14.7 Ethernet OAM .................................................................................................... 50

4 System Architecture ........................................................................................ 51

4.1 Product Physical Structure ................................................................................. 51

4.2 Hardware Architecture ....................................................................................... 53

4.3 Technical Specifications ..................................................................................... 55

5 Typical Networking ......................................................................................... 57

5.1 Access Router ................................................................................................... 57

5.2 Egress and Security Gateway of Enterprises ..................................................... 58


FIGURES

Figure 3-1 Ethernet interface application PPPoE-Client networking ...................................14

Figure 3-2 The internal source address is translated into external source address ............17

Figure 3-3 Internal global address overlapping ..................................................................18

Figure 3-4 Switching and Routing perfectly in one .............................................................19

Figure 3-5 VPN application ................................................................................................26

Figure 4-1 Front panel of ZXR10 ZSR1809 ........................................................................52

Figure 4-2 Front panel of ZXR10 ZSR1822E .....................................................................52

Figure 4-3 Front panel of ZXR10 ZSR 2842 .......................................................................52

Figure 4-4 Front panel of ZXR10 ZSR 3844 .......................................................................52

Figure 4-5 Front panel of ZXR10 ZSR 3884 .......................................................................52

Figure 4-6 General architecture of ZXR10 ZSR intelligent integrated multi-service router ..54

Figure 5-1 ZSR router is used as Access router .................................................................57

Figure 5-2 ZSR router is used as Egress and Security Gateway of Enterprises .................58

TABLES

Table 4-1 ZXR10 ZSR1800/2800/3800 series specifications and parameters ....................56

Table 4-2 ZXR10 ZSR1800/2800/3800 series interface boards .........................................57


1 Overview

The ZXR10 ZSR series intelligent integrated multi-service router is built on the ZXROS platform and ZTE's accumulated technology. It goes beyond the functions of a router alone, integrating the functions of several devices (access router, Ethernet switch, VPN security gateway and firewall) into one platform, and so serves as a high-level integrated network application platform. It provides users with a comprehensive communication platform oriented to next-generation service applications, integrating routing, switching, security, QoS guarantee and service applications. It implements secure and reliable user access over various access methods and integrates various services. Additional intelligent application modules can be added for simpler configuration and deployment, more flexible service management and richer service applications.

The ZXR10 ZSR series intelligent integrated multi-service router includes the models 1809, 1822E, 2842, 3844 and 3884, satisfying the networking requirements of different users. They are suitable as a carrier's access router and for small to medium-sized enterprises and large enterprise branches. They provide integrated solutions for connecting remote offices, mobile users and external partner or service provider networks, and for Internet cafes, campus networks and private networks.


2 Highlight Features

2.1 Full modular design, various interface types and flexible scalability

- Combining fixed interfaces and modular interface cards, and adopting high-performance RISC forwarding, highly efficient software design, and the V-BUS intelligent multi-bus and multi-processing-engine architecture, the platform satisfies the performance and port requirements of different customers.

- Integrates 2 GE Combo interfaces and 2 FE interfaces, and supports 2, 4 or 8 expansion slots.

- Supports interface rates from 300 bps to 1000 Mbps on one platform, with universal slots that accept various types of interface boards.

- Supports 3G WWAN interface cards via USB and the three 3G standards WCDMA, CDMA2000 and TD-SCDMA, providing wireless backup to protect the resiliency of the user's WAN connection.

2.2 Perfect integration of switching and routing

To meet enterprise internal network interconnection requirements, ZXR10 ZSR offers a high-density Ethernet switching module and implements seamless integration of router and Ethernet switch. It supports up to 68 Ethernet ports on a high-speed internal switching bus, reducing the bandwidth bottleneck and the security after-effects of external interconnection.

ZSR provides various interface types, integrates multiple services, and supports L2 security access technologies such as 802.1x, Guest VLAN and MAC/VLAN binding, providing an integrated networking solution for access-layer equipment. On one hand, management investment is low and the network is simple; on the other hand, long-term operation and maintenance cost is effectively saved.

ZSR supports an ADSL board with G.DMT (G992.1), G.Lite (G992.2), T1.413, ADSL2 (G992.3) and ADSL2+ (G992.5). The integrated ADSL modem reduces the user's network construction investment.

2.3 Various VPN functions

With wide application in enterprises of all kinds, VPN technology has become well known. A VPN can be built over an IP network, a frame relay network or an ATM network. It offers network services in the virtual private network with the same security, reliability, priority and manageability as in a private network. Since a virtual private network gives users convenient and inexpensive remote access, VPN services have spread wider and wider.

ZXR10 ZSR series routers support the following three types of VPN technology:

- Traditional IP VPN technology, including L2TP, GRE and IPSec VPN.

- MPLS L3/L2 VPN, the main VPN technology provided for operators, satisfying the VPN networking requirements of different users.

- Private line VPN, built on L2 links by frame relay, L2 MPLS and virtual circuits.

2.4 Built-in Firewall

ZXR10 ZSR deploys a network-inbuilt L4~L7 filtering firewall function inside the enterprise network, supporting WEB filtering and application state filtering. By combining the AMAT system with the firewall and IDS/IPS, intelligent active network defense and protection can be implemented on the ZXR10 ZSR platform.

ZSR supports inbuilt anti-DDoS, application proxy and application filtering covering:

- URPF
- Anti-flood attack, including TCP/UDP/ICMP
- Abnormal packet detection
- Anti-scanning and anti-probing
- Anti-ARP attack
- URL/ActiveX/Java/Exe/Zip applet filtering
- IM blocking
- P2P software blocking

2.5 Completely support IPv4/v6 dual stacking

The ZXR10 router series is a new-generation router series from ZTE and the first in China to obtain IPv4/v6 dual-stack certification, which is also globally leading.

ZXR10 ZSR supports the IPv6 protocol with the following features:

- Supports IPv6 basic protocols, including IPv6, ICMPv6, ND (Neighbor Discovery), DNS6, etc.
- Supports TCP6, UDP6 and IPv6 sockets
- Supports PMTU Discovery (Path MTU Discovery)
- Supports IPv6 policy routing
- Supports RIPng, OSPFv2/v3, BGP4/4+, IS-ISv4/v6, etc.
- Supports various IPv4/v6 transition mechanisms, including manual tunnel configuration, automatic tunnel configuration, dual stack, and 4in6, 6in4 and 6to4 tunnels, etc.


2.6 Refined QoS features

To satisfy the strict requirements of the next-generation network for real-time services such as video and IPTV, the ZXR10 ZSR intelligent integrated multi-service product provides refined QoS functions:

- Supports various queue scheduling mechanisms such as PQ, CQ, WFQ and CBWFQ/LLQ.
- Supports congestion-avoidance technologies (RED, WRED).
- Supports multilevel rate limiting per port and per traffic class.
- Supports dynamic traffic-aware load sharing.
- Supports CAR with bandwidth control granularity as fine as 8 kbit/s.
- Implements different service-level guarantees for delay, jitter, bandwidth and packet-drop ratio for different data transmission and video services, so as to meet the developing requirements of next-generation multi-service bearing.
- Supports DiffServ for differentiated services, providing IP QoS to meet the requirements of traffic management.
- Supports complex traffic classification policies based on port, VLAN, 802.1p, source/destination IP address, TOS, protocol type or port number.
- Supports traffic engineering based on MPLS TE, making network operation more stable and offering carriers the most profitable use of bandwidth.
- Supports the RSVP protocol to provide sound SLA applications.


2.7 Industry-leading Data Encryption Protection Feature

The embedded hardware-based encryption engine, designed specifically for the data forwarding engine of ZXR10 ZSR, offers users effective IPSec encryption features. Via the ZXROS software and the embedded hardware-based encryption acceleration engine, ZXR10 ZSR supports the following functions:

- Encryption/decryption of data.
- IPSec IKE negotiation.
- Encryption algorithms including DES-CBC, 3DES-CBC and AES-CBC.
- The DH public key generation algorithm.
- HMAC-MD5 and HMAC-SHA-1, which can guarantee information security for government and financial institutions.

2.8 Leading Multi-Function and Multi-Service Platform

ZXR10 ZSR is designed on the ZXROS™ general routing software platform, ZTE's own intellectual property. This platform provides various router features and services:

- Supports IPv4/IPv6 dual stack.
- Supports abundant routing protocols, e.g. BGP and PIM.
- Supports MPLS and MPLS L2/L3 VPN technologies.
- Supports QoS applications such as CAR.


2.9 Carrier-class reliability

- Hardware reliability: key modules such as power supplies and fans have 1+1 redundancy.

- Function reliability: supports VRRP and FRR, uRPF, MD5 information encryption, multilink binding, and simultaneous load sharing over 8 links to ensure network reliability; supports carrier-class network management.

- Maintenance reliability: WEB-GUI/SNMPv3 management, refined log management, and hierarchical password setting.

- Operating system reliability: an integrated ROS platform that is mature and stable in large-scale commercial use. It provides continuous service development capability to satisfy users' changing networking requirements. It adopts a modular software design and has strong fault tolerance. The stability and reliability of the routing software and the security authentication mechanisms of the routing protocols guarantee secure and reliable network operation.

Besides, ZXR10 ZSR series routers provide carrier-class reliability with the following features:

- Supports AAA authentication technologies such as RADIUS and TACACS+.

- IPSec support, which ensures the security of user information and the irreversibility of operations.

- Comprehensive policy-based packet filtering to defend against DoS attacks.

- Hierarchical password setting and refined log management, fully protecting router operation.

- A complete environmental sensor system, including overheating detection, etc.

- Convenient operation and maintenance interfaces and multiple operation and maintenance modes.

- All interface cards on the routers are universal, with good backward and forward compatibility, so user investment is well protected.

3 Features

3.1 Narrowband and broadband in one

With the rapid development of broadband access technology, there are more and more network edge access methods and ever-higher network access port rates. ZXR10 ZSR provides various interface types and interface rates to satisfy the multiple access requirements of small to medium-sized enterprises, including high-speed asynchronous serial interfaces, E1/CE1, OC-3/STM-1c POS, fast Ethernet interfaces and GE Ethernet interfaces.

ZSR supports different interface rates, from low-speed V.24 (asynchronous) at 300 bps to GE Ethernet, on one platform. It satisfies the various broadband access requirements of small to medium-sized enterprises and helps users implement narrowband and broadband in one.

3.2 802.1X

802.1X is a port-based network access control protocol. Its authentication mode and authentication architecture are optimized to solve the problems of the traditional PPPoE and Web/Portal authentication methods, making it more suitable for use in broadband Ethernet.

The IEEE 802.1x protocol consists of three important parts: the Supplicant System, the Authenticator System and the Authentication Server System.

1. The Supplicant System initiates the IEEE 802.1x authentication process by launching the client software. In order to support port-based access control, the supplicant system needs to support EAPOL (Extensible Authentication Protocol Over LAN).

2. The Authenticator System is usually the network device that supports the IEEE 802.1x protocol and corresponds to the different user ports (physical port, MAC, VLAN and IP). For each user, the IEEE 802.1x protocol establishes a logical authentication channel which other users cannot use.

3. The Authentication Server System is usually a RADIUS server. The server can store information about users, such as VLANs, CAR parameters, priority and ACLs. When the user is authenticated, the authentication server sends the user's information to the authenticator system. The authenticator system builds a dynamic access control list, and the user's subsequent traffic is subject to the above parameters. The authenticator system and the RADIUS server communicate via the RADIUS protocol.

On ZXR10 ZSR18/28/38 routers, 802.1x authentication is limited to the L2 switching interface board; the authentication port must work in L2 switching mode.

3.3 DHCP function

DHCP (Dynamic Host Configuration Protocol) enables a host in the network to obtain an IP address and its configuration information from a DHCP server, so that the host can communicate normally. DHCP uses UDP as its transport protocol.

DHCP works in the following steps:

- The host broadcasts a DHCP-Discover packet requesting an IP address and other configuration parameters.

- A DHCP server sends back a unicast DHCP-Offer packet containing a valid IP address and configuration.

- The host selects the server whose DHCP-Offer arrives first and sends it a unicast DHCP-Request packet, indicating that the related configuration is accepted.

- The selected DHCP server sends back a unicast acknowledgement packet, DHCP-Ack.

In this way, the host can communicate with the IP address and related configuration obtained from the DHCP server.

The DHCP server assigns an address to a host for a period of time. The valid time for which the address may be used is called the lease. Before the lease expires, the host must request a renewal from the server. It can continue using the address if the server accepts the request; otherwise it gives up the address.

By default, a router does not forward broadcast packets received from one subnet to another. When the DHCP server and the client host are not in the same subnet, the router acting as the client host's default gateway must forward the broadcast packets to the subnet in which the DHCP server is located. This function is called DHCP relay.

3.4 PPPoE-Client

PPP over Ethernet (PPPoE, Point-to-Point Protocol over Ethernet) connects multiple hosts in a network to a remote access concentrator through a simple bridging access device. It implements control and accounting for each accessed host. Its high performance/price ratio has made PPPoE widely used in community networking. In this model, each host uses its own PPP protocol stack and presents users with a familiar user interface. Access control, billing and type of service are applied per user, not per site.

Using a client/server model, the PPPoE protocol encapsulates PPP packets inside Ethernet frames and provides point-to-point connections over Ethernet. Thus each PPP session must learn the Ethernet address of the remote peer and create a unique session identifier.

ZXR10 ZSR series routers implement PPPoE-Client (PPPoE client dialing). The following diagram shows a typical PPPoE-Client networking application.

The computers on the Ethernet connect to the ZXR10 router, which implements the PPPoE client. Data uploaded to the Internet first arrives at the router, is encapsulated by the PPPoE protocol, is sent directly over the Ethernet connected to the router to the access concentrator (PPPoE server), and finally enters the Internet. The whole process works without users installing PPPoE client dialing software on their computers.

Figure 3-1 Ethernet interface application PPPoE-Client networking
(Figure labels recovered from the page: PC, GAR1 with fei_1/1, GAR2 with fei_2/1, PPPoE-Client, PPPoE-Server, 10.10.1.2/24, 10.10.1.1/24, Internet)


3.5 Compression and decompression

3.5.1 Compressed RTP

When voice packets are encapsulated in IP, three headers are added: UDP, IP and RTP (Real-time Transport Protocol). Typically, a voice packet contains 20 bytes of voice payload and 40 bytes of these three headers. During transmission, many fields remain unchanged, or the difference between two adjacent packets is constant, so the headers can be compressed to 2 or 4 bytes, which obviously improves the efficiency of data transmission.

The compression side and the decompression side maintain a shared collection of state information. Each IP/UDP/RTP packet flow has a separate 'session context' consisting of the source IP address, destination IP address, the pair of UDP ports and the RTP SSRC field. The number of session contexts to maintain is determined by mutual agreement.

Compressed RTP is divided into an ordinary type and an enhanced type; the two are not compatible, and the enhanced type is more suitable for networks with unstable link status. The improvement of the enhanced type is that when a field changes, the changed 'delta value' is sent repeatedly, so the change is not missed because of packet loss. The number of repetitions is called the ECRTP retransmission count.
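The session-context and delta mechanism described above, as an added example in Python (not ZTE code and not the RFC wire format): a compressor keeps one context per (source IP, destination IP, UDP port pair, SSRC) flow, sends the full header once, then only a context id plus a link sequence number, or a delta when the per-packet increment changes; the ECRTP repeat count lets the decompressor recover from a lost packet. The packet stream, addresses and the 4-bit link sequence counter are constructed for the example.

```python
"""Illustrative model of ordinary and enhanced compressed RTP (added example)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RtpHeader:
    src: str
    dst: str
    sport: int
    dport: int
    ssrc: int
    seq: int   # RTP sequence number
    ts: int    # RTP timestamp

    def context_key(self):
        # the 'session context' fields that stay constant for one flow
        return (self.src, self.dst, self.sport, self.dport, self.ssrc)


@dataclass
class Context:
    cid: int
    last: RtpHeader
    d_seq: int = 1      # initial per-packet increments; both sides must agree on them
    d_ts: int = 160
    link_seq: int = 0   # per-context counter carried in every compressed packet (mod 16)
    repeat: int = 0     # ECRTP: remaining packets that must repeat the current delta


class Compressor:
    def __init__(self, ecrtp_repeats=0):
        self.ecrtp_repeats = ecrtp_repeats  # 0 = ordinary CRTP
        self.contexts = {}

    def compress(self, h):
        key = h.context_key()
        if key not in self.contexts:  # new flow: send the full 40-byte header once
            c = Context(cid=len(self.contexts), last=h)
            self.contexts[key] = c
            return ("FULL", c.cid, 0, h)
        c = self.contexts[key]
        c.link_seq = (c.link_seq + 1) % 16
        d_seq, d_ts = h.seq - c.last.seq, h.ts - c.last.ts
        c.last = h
        if (d_seq, d_ts) != (c.d_seq, c.d_ts):  # increment changed: signal the delta
            c.d_seq, c.d_ts = d_seq, d_ts
            c.repeat = self.ecrtp_repeats
            return ("DELTA", c.cid, c.link_seq, d_seq, d_ts)  # about 4 bytes
        if c.repeat > 0:  # ECRTP: keep repeating the new delta for a few packets
            c.repeat -= 1
            return ("DELTA", c.cid, c.link_seq, d_seq, d_ts)
        return ("COMP", c.cid, c.link_seq)  # about 2 bytes: context id + link sequence


class Decompressor:
    def __init__(self):
        self.contexts = {}

    def decompress(self, pkt):
        kind, cid, link_seq = pkt[0], pkt[1], pkt[2]
        if kind == "FULL":
            self.contexts[cid] = Context(cid=cid, last=pkt[3])
            return pkt[3]
        c = self.contexts[cid]
        lost = (link_seq - c.link_seq - 1) % 16  # packets missing since the last one seen
        c.link_seq = link_seq
        if kind == "DELTA":
            c.d_seq, c.d_ts = pkt[3], pkt[4]
        steps = lost + 1  # apply the delta once per lost packet plus once for this packet
        h = replace(c.last, seq=c.last.seq + steps * c.d_seq, ts=c.last.ts + steps * c.d_ts)
        c.last = h
        return h


def make_stream(n):
    """Constructed voice flow: 20 ms packets (timestamp delta 160) that switch to
    30 ms packetisation (delta 240) from the sixth packet onwards."""
    pkts, ts = [], 1000
    for i in range(n):
        pkts.append(RtpHeader("10.0.0.1", "10.0.0.2", 5004, 5004, 0xCAFE, 100 + i, ts))
        ts += 160 if i < 4 else 240
    return pkts


def packet_kinds(ecrtp_repeats, n=10):
    comp = Compressor(ecrtp_repeats)
    return [comp.compress(h)[0] for h in make_stream(n)]


def simulate(ecrtp_repeats, lost_index, n=10):
    """Drops one compressed packet on the link and returns how many of the
    packets after it the decompressor reconstructs incorrectly."""
    comp, decomp, wrong = Compressor(ecrtp_repeats), Decompressor(), 0
    for i, h in enumerate(make_stream(n)):
        pkt = comp.compress(h)
        if i == lost_index:
            continue  # lost on the link
        if decomp.decompress(pkt) != h:
            wrong += 1
    return wrong
```

Losing the packet that carried the changed delta leaves ordinary CRTP wrong for every later packet of the flow, while with an ECRTP repeat count of 2 the next packet re-sends the delta and the decompressor resynchronises.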

3.5.2 Compressed TCP

A TCP/IP packet header is 40 bytes: a 20-byte IP header and a 20-byte TCP header. During packet switching, more than half of the header bytes remain unchanged. On low-speed links, CTCP is used so that the limited bandwidth is not consumed unnecessarily. CTCP can compress the 40 bytes of IP/TCP header into 3 to 16 bytes.

The ZXR10 ZSR does not support TCP compression; it supports only the decompression function. The CTCP sub-function module is embedded in the CRTP function module.

Compressed RTP and Compressed TCP are used only on CE1, POS, CPOS, Serial and Multilink interfaces, and the interface must be configured for the PPP protocol.

3.6 Fast Forwarding

Fast forwarding improves forwarding performance by caching forwarding information on top of the normal forwarding process. The fast forwarding subsystem is located in the ZXR10 ZSR 18/28/38 software forwarding subsystem. It is an important supplement to the software forwarding system and helps improve the performance of the whole system.

The main aim of the fast forwarding subsystem is to improve the forwarding performance of the whole system. In the normal data packet forwarding process, every packet of a data flow needs a routing table lookup, and Ethernet packets also need an ARP table lookup. Except for the first lookup, the following lookups repeat the same operations and greatly reduce the forwarding performance of the system. Therefore, a flow key (a combination of multiple fields of the data packet that identifies a data flow) and a forwarding information cache are introduced into the normal IP packet forwarding process, so that one table lookup serves multiple packets and the forwarding performance of the system improves. When the forwarding information changes, the cache is cleared and rebuilt from the next lookup.
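The fast-forwarding idea above, as an added Python example (not ZXROS code): the normal path does a longest-prefix-match route lookup plus an ARP lookup for every packet, the fast path caches the result under a flow key and serves later packets of the same flow from the cache, and a routing change flushes the cache so it is rebuilt from the next lookup. The routes, ARP entries, packet fields and interface names (fei_1/1, fei_1/2, fei_2/1) are constructed.

```python
"""Flow-cache model of fast forwarding (added example)."""
import ipaddress


class Router:
    def __init__(self, routes, arp):
        # routes: list of (prefix, next hop, outgoing interface); arp: next hop -> MAC
        self.routes = [(ipaddress.ip_network(p), nh, ifc) for p, nh, ifc in routes]
        self.arp = dict(arp)
        self.cache = {}        # flow key -> (next hop, interface, MAC)
        self.slow_lookups = 0  # how often the full lookup ran
        self.cache_hits = 0    # how often the cache answered

    def slow_path(self, dst):
        """Full lookup: longest-prefix match in the routing table, then ARP."""
        self.slow_lookups += 1
        best = None
        for net, nh, ifc in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, ifc)
        if best is None:
            return None  # no route: the packet is dropped
        _, nh, ifc = best
        return (nh, ifc, self.arp.get(nh))

    @staticmethod
    def flow_key(pkt):
        # the combination of packet fields that identifies one data flow
        return (pkt["src"], pkt["dst"], pkt["proto"], pkt.get("sport"), pkt.get("dport"))

    def forward(self, pkt):
        key = self.flow_key(pkt)
        if key in self.cache:  # fast path: one lookup serves many packets
            self.cache_hits += 1
            return self.cache[key]
        result = self.slow_path(ipaddress.ip_address(pkt["dst"]))
        if result is not None:
            self.cache[key] = result
        return result

    def update_route(self, prefix, nh, ifc):
        """A change in forwarding information clears the cache; it is rebuilt lazily."""
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes if r[0] != net] + [(net, nh, ifc)]
        self.cache.clear()


def demo():
    """Forwards ten packets of one flow, changes the route, then forwards one more.
    Returns (first interface, (slow lookups, hits) before the change,
             interface after the change, (slow lookups, hits) after the change)."""
    r = Router(
        routes=[("0.0.0.0/0", "192.0.2.1", "fei_2/1"),
                ("10.1.0.0/16", "10.1.0.254", "fei_1/1"),
                ("10.1.5.0/24", "10.1.5.254", "fei_1/2")],
        arp={"192.0.2.1": "00:00:5e:00:53:01",
             "10.1.0.254": "00:00:5e:00:53:02",
             "10.1.5.254": "00:00:5e:00:53:03"},
    )
    flow = {"src": "172.16.0.9", "dst": "10.1.5.7", "proto": 6, "sport": 40000, "dport": 443}
    first = r.forward(flow)
    for _ in range(9):
        r.forward(flow)
    before = (r.slow_lookups, r.cache_hits)
    r.update_route("10.1.5.0/24", "10.1.0.254", "fei_1/1")  # the /24 now points via fei_1/1
    after = r.forward(flow)
    return first[1], before, after[1], (r.slow_lookups, r.cache_hits)
```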

3.7 Network Address Translation (NAT)

Network address translation (NAT) translates an IP address used in one network into a different IP address in another network. Usually, NAT is used to map IP addresses used in a private network or local enterprise network to one or more addresses in the public network or global Internet. The features of NAT are:

- Reduces the number of IANA-registered IP addresses needed by a private network.

- Saves global IP address space required by the intranet (for example, one organization can use a single IP address for communication on the Internet).

- Keeps the LAN confidential, as the internal IP addresses are not public.

ZXR10 ZSR supports large-capacity NAT.

For NAT, the local network is designated as the internal network, while the global Internet is designated as the external network. In addition, ZXR10 routers also support port address translation (PAT) with dynamic or static binding of port addresses.

3.7.1 Translation of Internal Source Address

When communicating with the external network, this feature translates an internal IP address into a global IP address from an IP address pool. The following methods can be used to configure static or dynamic internal source address translation:

1 Static translation creates a one-to-one mapping between an internal local address and an internal global address. When an internal host must be reachable at a specified external address, static translation lets the specified external address reach the internal host.

2 Dynamic translation establishes a dynamic mapping between internal local addresses and the external address pool.

The following figure illustrates a NAT router translating an internal network source address into an external network source address.

Figure 3-2 The internal source address is translated into external source address


3.7.2 Internal Global Address Overlapping

The router can share one global address among multiple local addresses; the mapping is stored in the internal global address pool. When address overlapping is configured, the router keeps the appropriate information from higher-level protocols (e.g. TCP or UDP port numbers) and translates the global address back into the correct local addresses. When multiple local addresses are mapped to one global address, the TCP or UDP port number distinguishes each local host. The following figure shows the corresponding NAT operation when an inside global address represents multiple inside local addresses; the TCP port number is used for discrimination.

Figure 3-3 Internal global address overlapping
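The translation behaviour of 3.7.1 and 3.7.2 as a small simulation, added here as an illustration and not taken from ZTE's documentation or software: a static one-to-one mapping, a dynamic pool lease, and PAT overloading that distinguishes hosts sharing one global address by source port. The addresses, pool and port range are constructed (RFC 5737 documentation prefixes); the router's real table layout is not described on the page.

```python
"""NAT walk-through: static one-to-one mapping, dynamic pool mapping, and port
address translation (PAT) sharing one global address among many local hosts.

Added illustration, not ZTE code. All addresses are constructed from the
RFC 5737 documentation ranges."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int]  # (IP address, transport port)


@dataclass
class NatRouter:
    static_map: Dict[str, str] = field(default_factory=dict)  # inside local -> inside global
    pool: List[str] = field(default_factory=list)             # free inside global addresses
    overload_addr: Optional[str] = None                       # single global address used for PAT
    dynamic_map: Dict[str, str] = field(default_factory=dict)
    pat_out: Dict[Flow, Flow] = field(default_factory=dict)   # (local ip, port) -> (global ip, port)
    pat_in: Dict[Flow, Flow] = field(default_factory=dict)    # reverse of pat_out
    next_port: int = 1024                                     # constructed port range for PAT

    def outbound(self, src: Flow) -> Flow:
        """Translate the source of a packet leaving the internal network."""
        ip, port = src
        if ip in self.static_map:                 # 3.7.1 static: fixed one-to-one mapping
            return (self.static_map[ip], port)
        if ip in self.dynamic_map:                # 3.7.1 dynamic: reuse the leased pool address
            return (self.dynamic_map[ip], port)
        if self.pool:
            leased = self.pool.pop(0)
            self.dynamic_map[ip] = leased
            return (leased, port)
        if self.overload_addr is None:
            raise RuntimeError("no global address available for " + ip)
        if src not in self.pat_out:               # 3.7.2 overloading: hosts told apart by port
            mapped = (self.overload_addr, self.next_port)
            self.next_port += 1
            self.pat_out[src] = mapped
            self.pat_in[mapped] = src
        return self.pat_out[src]

    def inbound(self, dst: Flow) -> Optional[Flow]:
        """Translate the destination of a packet arriving from the external network.
        Returns None when no mapping exists, i.e. the packet is dropped: internal
        addresses stay hidden unless a host has already opened a flow or a static
        mapping was configured for it."""
        if dst in self.pat_in:
            return self.pat_in[dst]
        ip, port = dst
        for local, glob in list(self.static_map.items()) + list(self.dynamic_map.items()):
            if glob == ip:
                return (local, port)
        return None


if __name__ == "__main__":
    nat = NatRouter(static_map={"10.0.0.5": "203.0.113.5"},
                    pool=["203.0.113.10"], overload_addr="203.0.113.1")
    for host in ("10.0.0.5", "10.0.0.7", "10.0.0.8", "10.0.0.9"):
        print(host, "->", nat.outbound((host, 5000)))
```

Two hosts beyond the pool both map to 203.0.113.1 with different ports, and an unsolicited inbound packet to that address with an unknown port returns None (dropped).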


3.8 Switching and Routing in One

3.8.1 Ethernet switching

Figure 3-4 Switching and Routing perfectly in one

To meet the network connection requirements inside an enterprise, ZXR10 ZSR offers a high-density Ethernet switching module that integrates router and Ethernet switch seamlessly. It supports up to 68 Ethernet switching ports over a high-speed internal switching bus, which reduces the bandwidth bottleneck and the security risk of external connections. ZSR provides various interface types. By integrating multiple services, ZSR gives access-layer devices an integrated networking solution: on one hand, the simple network architecture keeps management investment small; on the other hand, long-term operation and maintenance costs are effectively reduced.

3.8.2 V-switch

In ‘Router+BAS’ networking mode, the router has a dual role: first, forwarding PPPoE packets to the BAS; second, data aggregation, providing large-customer access (VPN), QoS, NAT, multicast, and other services. ZXR10 ZSR uses static V-Switch forwarding to transmit L2 packets between different VLANs.

ZXR10 ZSR supports V-Switch over Ethernet, V-Switch QinQ and heterogeneous V-Switch; it can be implemented on PPP interfaces, including E1/CE1/MPPP, and on Ethernet sub-interfaces.

3.8.3 IPv4 Features

ZXR10 ZSR fully supports a variety of unicast routing protocols, including static routing, RIP, OSPF, IS-IS and BGP.

3.8.3.1 Static Route

A static route is configured manually by an administrator to simplify network configuration and improve network performance. It suits scenarios with a simple network structure. When a network failure or topology change occurs, a static route is not updated automatically; it must be changed manually by an administrator.

ZXR10 ZSR supports static route configuration based on next hop and egress interface, as well as association of a static route with a VRF instance.


3.8.3.2 RIP

RIP is a UDP-based distance-vector dynamic routing protocol. It periodically broadcasts its routing table to neighbors to maintain adjacency between routers, and calculates its own routing table from the routes it receives. RIP is simple to run and is applied to small networks.

ZXR10 ZSR supports the following RIP functions:

- RIPv1/v2 basic functions such as split horizon, poison reverse, interface authentication, route summarization, and redistribution of other routing protocols.
- RIP load sharing.
- RIP VPN access.
- RIP MIB.

3.8.3.3 OSPF

OSPF is used to exchange routing information between routers within one Autonomous System (AS); it is therefore a link-state Interior Gateway Protocol (IGP). OSPF is one of the most widely used IPv4 IGP routing protocols. ZXR10 ZSR supports the following OSPF functions:

- OSPF basic functions such as neighbor authentication, virtual link, stub area, NSSA, Type-3 LSA aggregation, Type-5 LSA aggregation, and redistribution of other routing protocols.
- OSPF route load sharing.
- VPN access and advanced functions such as sham-link.
- OSPF-TE.
- OSPF MIB.

3.8.3.4 IS-IS

IS-IS is a routing protocol drafted by ISO to support the Connectionless Network Service (CLNS); the IETF extended IS-IS to carry IP routing information. IS-IS is also a link-state Interior Gateway Protocol (IGP) and one of the most widely used IPv4 IGP routing protocols. ZXR10 ZSR supports the following IS-IS functions:

- IS-IS basic functions.
- IS-IS extension functions such as hostname and overload-bit.
- IS-IS route load sharing.
- IS-IS VPN access.
- IS-IS-TE.
- IS-IS MIB.

3.8.3.5 BGP

Border Gateway Protocol (BGP) is an inter-AS routing protocol used to exchange network reachability information between ASes running BGP.

ZXR10 ZSR supports the following BGP functions:

- BGP basic functions and enhanced functions such as session authentication, route flap damping, route reflector, confederation, extended community attribute, route aggregation, and route filtering.
- BGP route load sharing.
- MP-BGP address families such as IPv4 unicast, IPv4 multicast, IPv4 labeled-unicast, IPv4 MDT, IPv6 unicast, IPv6 multicast, IPv6 labeled-unicast, VPNv4, and other AFIs.
- BGP MIB.

3.8.4 IPv6 Features

3.8.4.1 Basic Function of IPv6

ZXR10 ZSR supports IPv4/IPv6 dual stack:

- IPv6 basic protocols: the IPv6 protocol, ND (Neighbor Discovery), etc.
- MLD (Multicast Listener Discovery).
- TCP6 and UDP6.
- PMTU Discovery (Path MTU Discovery).

3.8.4.2 IPv6 Unicast Routing Protocol

ZXR10 ZSR supports IPv6 unicast routing protocols including IPv6 static route, RIPng, OSPFv3, IS-ISv6, BGP4+, and IPv6 policy routing.

3.8.4.3 IPv6 Tunnel

ZXR10 ZSR supports IPv6 tunnel protocols including manually configured tunnels, automatically configured tunnels, 4in6, 6in4 and 6to4 tunnels, etc.

3.9 Multicast route protocol

Multicast is a point-to-multipoint or multipoint-to-multipoint communication mode in which multiple receivers receive the same information from a single source. Multicast-based applications include video conferencing, remote teaching, software distribution, etc.

3.9.1 IGMP

A host uses the Internet Group Management Protocol (IGMP) to tell the multicast router on its network which multicast groups it wants to join or leave. In this way, the multicast router knows whether a member of a multicast group is present on the network and decides whether to forward multicast packets onto it. When a multicast router receives a multicast packet, it checks the packet's multicast destination address and forwards the packet to the interfaces of all group members or downstream routers.

3.9.2 PIM-SM

Protocol Independent Multicast-Sparse Mode (PIM-SM) is applied in the following situations:

- Group members are spread across a wide area.
- Network bandwidth is limited.

3.9.3 PIM-DM

PIM-DM (PIM Dense Mode) is a dense-mode multicast routing protocol that delivers multicast data in ‘push’ mode. It usually applies to small networks with densely distributed multicast group members.

3.9.4 MSDP

Multicast Source Discovery Protocol (MSDP) is a mechanism for connecting several PIM domains. It runs over TCP and provides PIM-SM with information about multicast sources outside the local PIM domain.

An MSDP speaker in one PIM-SM domain creates TCP sessions with MSDP peers in other domains. When the MSDP speaker learns of a new multicast source in its own domain (through the PIM register mechanism), it generates a Source Active (SA) message and sends it to all MSDP peers.

3.10 Access Control List

An access control list (ACL) permits or rejects packets based on configured criteria. The packet filtering criteria determine the type of access control list. Packet filtering can be defined on the following conditions:

- MAC address
- VLAN
- Source IP address
- Destination IP address
- Source port number
- Destination port number
- Transport-layer protocol number
- Type of service (TOS)
- Time range

Highlights of the ZXR10 ZSR ACL feature are:

- For upper-layer protocols, it filters on source and destination addresses and supports multiple filtering conditions.
- For lower-layer forwarding, it defines maximum and minimum thresholds for source and destination addresses, so flows within this exclusive range can be forwarded. Using the same range to restrict all ports on the same line card allows the lower-layer microcode to execute efficiently.
- Two types of access control list are supported: standard access control list and extended access control list.

On a router interface, a configured access control list takes effect only when it is applied to an interface. Since data flow through an interface is bidirectional, the access control list is applied to the interface in one specific direction: the egress direction (data flow leaving the router) or the ingress direction (data flow entering the router).

There are three steps to implement an access control list on an interface:

1 Define the access control list.

2 Define the interfaces on which the access control list will be applied.

3 Define the direction in which the access control list will be applied on the interface.

When an ACL is used, the ACL type is first identified by the ACL number, and then packets are compared with the configured ACL to determine whether they are permitted to pass through the interface. ACL entries are processed in order: the first entries have the highest priority, and processing stops at the first entry that matches. The order is therefore very important when configuring an access control list, and entries with high priority should be placed at the beginning. If a packet matches an entry, it is permitted or denied according to that entry's ‘permit’ or ‘deny’ field. If no entry matches the packet, the default filtering principle applies: the unmatched packet is denied passage through the interface.
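The ordered, first-match evaluation with the implicit final deny, as an added example that is not the ZSR's own ACL syntax or code. The entry fields mirror the filtering conditions listed above; the `shadowed` check is an addition that reports entries that can never match because an earlier, broader entry precedes them, which is the ordering problem the text warns about. Rules and packets are constructed.

```python
"""Ordered ACL evaluation with first-match semantics and implicit deny.
Added example, not ZTE's ACL implementation; rules and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str = "ip"            # "ip" matches any transport protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == p.dport


def evaluate(acl: List[AclEntry], p: Packet) -> Tuple[str, Optional[int]]:
    """Walk the list in order; the first matching entry decides.
    Returns (action, 1-based entry number), or ("deny", None) for the
    implicit deny that applies when nothing matches."""
    for number, entry in enumerate(acl, start=1):
        if entry.matches(p):
            return entry.action, number
    return "deny", None


def covers(earlier: AclEntry, later: AclEntry) -> bool:
    """True when every packet matching `later` already matches `earlier`."""
    return ((earlier.proto == "ip" or earlier.proto == later.proto)
            and ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
            and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
            and (earlier.dport is None or earlier.dport == later.dport))


def shadowed(acl: List[AclEntry]) -> List[Tuple[int, int]]:
    """Entries that can never be reached because a broader entry precedes them.
    Returns (earlier number, shadowed number) pairs; a non-empty result means
    the ordering needs attention before the ACL is applied to an interface."""
    result = []
    for j, later in enumerate(acl, start=1):
        for i in range(1, j):
            if covers(acl[i - 1], later):
                result.append((i, j))
                break
    return result


if __name__ == "__main__":
    # Constructed ACL: block telnet from one subnet, then permit the rest of 10/8.
    acl = [AclEntry("deny", "tcp", "10.1.0.0/16", "0.0.0.0/0", 23),
           AclEntry("permit", "ip", "10.0.0.0/8")]
    print(evaluate(acl, Packet("tcp", "10.1.2.3", "192.0.2.1", 23)))
    print(shadowed(list(reversed(acl))))   # the same two entries in the wrong order
```

Reversing the two constructed entries makes the broad permit come first, and `shadowed` reports that the specific deny can never be reached, which is exactly the misconfiguration the ordering rule above is meant to prevent.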

3.11 IP VPN

ZXR10 ZSR series routers provide complete IP VPN features that offer reliable security and service quality to branch offices, remote users, traveling staff, partners and headquarters.

ZXR10 ZSR series routers support various VPN types, including L2TP VPN, IPSec VPN, and GRE VPN. ZXR10 ZSR supports IPSec NAT traversal.

Figure 3-5 VPN application (figure labels: Internet, SoHo subscriber, mobile subscriber, branch, large customer, enterprise headquarters, VPN gateway)

By building a private network over the Internet, enterprises can reduce private-line fees to a small local call fee plus Internet fee. VPN greatly reduces network complexity. VPN user addresses can be allocated in a unified way inside the enterprise. The flexibility of VPN networking simplifies enterprise network management. VPN improves the interconnection of the whole enterprise network, and its excellent scalability lets the enterprise adapt to the Internet economy better and sooner, so as to seize business opportunities. In addition, in VPN applications, remote user authentication and tunnel data encryption guarantee the security of private data transmitted over the public network.

3.11.1 L2TP VPN

L2TP (Layer 2 Tunneling Protocol) is a Layer 2 tunnel protocol based on the Point-to-Point Protocol (PPP). L2TP mainly consists of the LAC (L2TP Access Concentrator) and the LNS (L2TP Network Server). The LAC, which supports client-side L2TP, initiates and receives calls and establishes tunnels. The LNS is the endpoint of all tunnels and terminates all PPP flows.

Figure 3-6 Typical dial-up VPN service (figure labels: User Part, ISP/Public Part, Enterprise Part; user, PSTN/DSL/IP, access gateway, Internet, enterprise gateway, RADIUS server on each side, L2TP)

LAC: the L2TP Access Concentrator is a PPP-initiating system capable of L2TP protocol processing. Usually the LAC is a network access server (NAS) that provides network access over PSTN/ISDN.

LNS: the L2TP Network Server is the logical termination of the PPP conversation; it is the PPP end system that runs the L2TP server software.

Between a pair of LNS and LAC there are two types of connection. One is the tunnel connection, which defines an LNS-LAC pair. The other is the session connection, which is multiplexed over the tunnel connection and represents each PPP session carried in the tunnel. One tunnel connection can carry multiple session connections. L2TP connection maintenance and PPP data transmission are both implemented by exchanging L2TP messages over UDP port 1701. L2TP messages are of two types: control messages and data messages. Control messages create and maintain tunnel and session connections; data messages carry the user's PPP session packets.
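The control/data message split and the tunnel/session multiplexing as an added example (not ZTE code): a parser for the L2TPv2 header (RFC 2661) carried in UDP port 1701 datagrams, plus builders used to construct the sample messages. The SCCRQ AVP bytes, tunnel and session numbers and the PPP fragment are constructed for the example.

```python
"""L2TPv2 (RFC 2661) header parser and builders. Added example, not ZTE code.
Control messages carry the T, L and S bits (with Ns/Nr sequence numbers);
data messages in their minimal form carry only tunnel and session IDs.
All sample messages are constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

L2TP_UDP_PORT = 1701
T_BIT, L_BIT, S_BIT, O_BIT = 0x8000, 0x4000, 0x0800, 0x0200
VERSION_MASK = 0x000F

# Constructed AVP: mandatory Message Type AVP (attribute 0), value 1 = SCCRQ
SCCRQ_AVP = b"\x80\x08\x00\x00\x00\x00\x00\x01"


@dataclass
class L2tpMessage:
    is_control: bool
    tunnel_id: int
    session_id: int
    length: Optional[int]   # present only when the L bit is set
    ns: Optional[int]       # present only when the S bit is set
    nr: Optional[int]
    payload: bytes          # AVPs for control messages, PPP frame for data messages


def parse_l2tp(data: bytes) -> L2tpMessage:
    if len(data) < 6:
        raise ValueError("datagram too short for an L2TP header")
    flags = struct.unpack_from("!H", data, 0)[0]
    if flags & VERSION_MASK != 2:
        raise ValueError(f"unsupported L2TP version {flags & VERSION_MASK}")
    t, l, s, o = (bool(flags & bit) for bit in (T_BIT, L_BIT, S_BIT, O_BIT))
    if t and not (l and s):
        raise ValueError("control messages must set the L and S bits")
    if t and o:
        raise ValueError("control messages must not set the O bit")
    off = 2
    length = None
    if l:
        length = struct.unpack_from("!H", data, off)[0]
        off += 2
        if length > len(data):
            raise ValueError("length field exceeds datagram size")
    tunnel_id, session_id = struct.unpack_from("!HH", data, off)
    off += 4
    ns = nr = None
    if s:
        ns, nr = struct.unpack_from("!HH", data, off)
        off += 4
    if o:                                   # offset pad before the payload (data messages only)
        offset_size = struct.unpack_from("!H", data, off)[0]
        off += 2 + offset_size
    end = length if length is not None else len(data)
    return L2tpMessage(t, tunnel_id, session_id, length, ns, nr, data[off:end])


def build_control(tunnel_id: int, session_id: int, ns: int, nr: int, avps: bytes) -> bytes:
    flags = T_BIT | L_BIT | S_BIT | 2
    body = struct.pack("!HHHH", tunnel_id, session_id, ns, nr) + avps
    return struct.pack("!HH", flags, 4 + len(body)) + body   # length covers the whole message


def build_data(tunnel_id: int, session_id: int, ppp_frame: bytes) -> bytes:
    return struct.pack("!HHH", 2, tunnel_id, session_id) + ppp_frame


def sessions_per_tunnel(datagrams: List[bytes]) -> Dict[int, Set[int]]:
    """Show the multiplexing: which PPP sessions each tunnel is carrying."""
    seen: Dict[int, Set[int]] = {}
    for d in datagrams:
        m = parse_l2tp(d)
        if not m.is_control and m.session_id != 0:
            seen.setdefault(m.tunnel_id, set()).add(m.session_id)
    return seen


if __name__ == "__main__":
    sccrq = build_control(0, 0, 0, 0, SCCRQ_AVP)      # tunnel setup starts with tunnel ID 0
    ppp = b"\xff\x03\xc0\x21"                        # constructed PPP LCP fragment
    print(parse_l2tp(sccrq))
    print(sessions_per_tunnel([build_data(5, 17, ppp), build_data(5, 18, ppp), build_data(9, 3, ppp)]))
```

The first two bytes of the constructed control message are 0xC802 (T, L, S set, version 2), the header value seen at the start of every tunnel setup, while data messages start with 0x0002 and carry no sequence numbers in the minimal form.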

L2TP has the following features:

- Secure identity authentication: like PPP, L2TP can authenticate the tunnel endpoints. PPP CHAP authentication is stipulated.
- Internal address allocation: the LNS is deployed behind the enterprise network firewall. It dynamically allocates and manages remote user addresses and supports DHCP and private addresses (RFC 1918). The address allocated to a remote user is not an Internet address but an internal private address of the enterprise network, which simplifies address management and enhances security.
- Flexible accounting: accounting can be performed at the LAC (usually the ISP) and at the LNS (usually the enterprise) at the same time. The former generates bills; the latter serves payment and auditing. L2TP can provide accounting data such as the number of incoming and outgoing packets, byte counts, and connection start and end times.
- Reliability: L2TP supports LNS backup. When the primary LNS is unreachable, the LAC (access server) can re-establish the connection with a backup LNS, improving VPN service reliability and fault tolerance.
- Integrated network management: L2TP has become a standard RFC protocol and a standard L2TP MIB has been defined, so an SNMP network management solution can be adopted for easy network maintenance and management.


3.11.2 GRE VPN

In the simplest case, the router receives an original packet (the payload) that needs to be encapsulated and routed. The packet is first encapsulated in a GRE packet by GRE, then encapsulated in IP, and forwarded by the IP layer. The original packet's protocol is called the passenger protocol, GRE is called the encapsulation protocol, and the IP that takes care of forwarding is called the delivery or transport protocol. During this process, the specific format or content of the passenger protocol does not need to be examined.

GRE offers the following advantages:

- A multi-protocol local network can be carried across a backbone network running a single protocol.
- Non-contiguous sub-networks can be connected to build a VPN.
- Network scale can be expanded, including for protocols limited by the number of routing gateways.

3.11.3 IPSec VPN

IPSec is the collective name for a group of open protocols. The communicating parties guarantee the privacy, integrity and authenticity of packets transmitted over the Internet by encryption and data-origin authentication at the IP layer.

IPSec is implemented by two security protocols: AH (Authentication Header) and ESP (Encapsulating Security Payload). The implementation does not affect users, hosts or other Internet components, and users can select different hardware and software encryption algorithms without affecting the other parts of the implementation.

AH (Authentication Header) is a packet header authentication protocol. It provides data-origin authentication, data integrity checking and replay protection. AH by itself does not encrypt packets.

ESP (Encapsulating Security Payload) provides both authentication and encryption. Besides authentication functions essentially similar to those of AH, it provides IP packet encryption, which protects the privacy of the packets.


IPSec can effectively reduce network building and operating costs by constructing intranets and extranets over the public network. IPSec has become the de facto IP-layer security standard, with wide application prospects.

ZXR10 ZSR series routers provide IPSec services such as automatic key negotiation and exchange, and creation and maintenance of security associations either by manually configured keys or by IKE (Internet Key Exchange), which simplifies IPSec application and management.

IKE performs dynamic SA negotiation for IPSec and populates the SADB (security association database). IKE uses the two phases of ISAKMP: in the first phase IKE creates an IKE security association; in the second phase IKE negotiates the specific security associations for IPSec on the basis of that IKE SA. The final result of the IKE exchange is an authenticated key and a mutually agreed security service, which is called the ‘IPSec Security Association (SA)’.

IPSec-compatible equipment provides encryption, verification, authentication, and management at layer 3 of the OSI model. It is transparent to users: applications see no difference, and key exchange, digital signature checking and encryption are all performed automatically in the background. Moreover, to build a large-scale VPN, a certification authority is needed to perform identity authentication and public key distribution.

IPSec can protect data flows in two modes: tunnel mode and transport mode. Tunnel mode encrypts the whole IP packet and wraps it in a new IPSec packet. The tunnel protocol is implemented over IP, so it does not support multiple protocols. In transport mode, the IP packet's addresses are not processed; only the data payload is encrypted. Currently, IPSec is the most effective way to guarantee IP security. The main IPSec application is to create tunnel-based VPNs, but IPSec is not restricted to VPN building (its transport mode also has good application scenarios).

IPSec supports networking between hosts, between host and site, and between sites. IPSec also supports remote user access, and it can be applied together with tunnel protocols such as L2TP and GRE, giving users more flexibility and reliability.

Compared with other VPN solutions, IPSec VPN has the following features:

- Data privacy protection: the IPSec sender encrypts packets before sending them to the public network, so the data is unreadable in transit.
- Data integrity verification: the IPSec receiver recalculates the hash of the message sent by the sender and verifies it, guaranteeing that data is not tampered with in transit.
- Source authentication: the data sender is identified by pre-shared key or RSA signature.
- Anti-replay protection: AH and ESP both contain a 32-bit sequence number. IPSec detects duplicated packets by comparing the sequence number in a received packet against a sliding window on the destination host. This prevents an attacker from capturing IPSec packets and re-inserting them into the session.
- Automatic key management and security association management: this ensures that the company's virtual network policies can be implemented conveniently and accurately across the extended network with little or no manual configuration.
- Network-layer security protection: IPSec protects all data forwarded between end sites regardless of the type of network application. IPSec can effectively ‘place’ remote users inside the enterprise network, giving them the same authority and operating functions as users of the internal network.
- Higher security level: IPSec is an end-to-end service that places no specific requirement on the backbone network to carry service-related functions. IPSec requires that IPSec client software and access equipment be properly installed and configured at the remote access user end, which greatly improves the security level because access is controlled by specific access equipment, user software, user verification mechanisms and pre-defined security rules.
- Quick response: it can respond quickly to market changes, can be deployed over any existing IP network, and can be used at any location.

ZXR10 ZSR series routers provide two general-purpose hash algorithms to guarantee that data is not tampered with in transit:

1 HMAC-MD5: uses a 128-bit shared key for the hash calculation.

2 HMAC-SHA-1: uses a 160-bit shared key for the hash calculation.

The encryption algorithms supported by ZXR10 ZSR series routers are:

1 DES (Data Encryption Standard): encrypts a 64-bit plaintext block with a 56-bit key.

2 3DES (Triple DES): encrypts plaintext with three 56-bit DES keys.

3 AES (Advanced Encryption Standard): ZXR10 ZSR implements AES with a 128-bit key.
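The integrity verification and anti-replay protection from the feature list above, together with the HMAC-MD5 / HMAC-SHA-1 key sizes of the hash list, in one added example that is not ZTE code: an ESP-style receiver that checks a 96-bit truncated HMAC before consulting a 64-entry sliding window over the 32-bit sequence number. The packet layout (sequence number, payload, ICV), the keys and the window size are assumptions of the example; encryption with DES/3DES/AES is omitted because the Python standard library provides none.

```python
"""ESP-style integrity check and anti-replay window. Added example, not ZTE code.

Models the receiver side of two mechanisms: HMAC-MD5 / HMAC-SHA-1 integrity
verification (truncated to 96 bits as in RFC 2403/2404) and the 32-bit
sequence number checked against a sliding window (RFC 4303 style).
The packet layout (sequence number || payload || ICV) and keys are constructed."""
import hashlib
import hmac
import struct

ICV_LEN = 12                                     # 96-bit truncated MAC
KEY_LEN = {"hmac-md5": 16, "hmac-sha1": 20}      # 128-bit and 160-bit shared keys
DIGEST = {"hmac-md5": hashlib.md5, "hmac-sha1": hashlib.sha1}
SEQ_MAX = 0xFFFFFFFF


def compute_icv(key: bytes, algo: str, authenticated: bytes) -> bytes:
    if len(key) != KEY_LEN[algo]:
        raise ValueError(f"{algo} expects a {KEY_LEN[algo] * 8}-bit key")
    return hmac.new(key, authenticated, DIGEST[algo]).digest()[:ICV_LEN]


def build_packet(key: bytes, algo: str, seq: int, payload: bytes) -> bytes:
    """Sender side: sequence number, payload, then the ICV over both."""
    if not 1 <= seq <= SEQ_MAX:
        raise ValueError("sequence number must be 1..2^32-1; the counter is never wrapped")
    body = struct.pack("!I", seq) + payload
    return body + compute_icv(key, algo, body)


class AntiReplayWindow:
    """Sliding window over received sequence numbers. `top` is the highest
    accepted sequence number; bit i of `bitmap` records whether top - i was seen."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False
        if seq > self.top:                        # newer than anything seen: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:                     # older than the window: reject
            return False
        if (self.bitmap >> diff) & 1:             # already seen: replay
            return False
        self.bitmap |= 1 << diff                  # late but new: accept and record
        return True


class EspReceiver:
    def __init__(self, key: bytes, algo: str, window: int = 64):
        self.key, self.algo = key, algo
        self.window = AntiReplayWindow(window)

    def receive(self, packet: bytes) -> str:
        """Verify the ICV first so that a forged packet can never move the window."""
        if len(packet) < 4 + ICV_LEN:
            return "malformed"
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        if not hmac.compare_digest(icv, compute_icv(self.key, self.algo, body)):
            return "bad-icv"
        seq = struct.unpack("!I", body[:4])[0]
        if not self.window.check_and_update(seq):
            return "replay"                       # duplicate or older than the window
        return "accepted"


if __name__ == "__main__":
    key = b"\x01" * 20                             # constructed 160-bit key for HMAC-SHA-1
    rx = EspReceiver(key, "hmac-sha1")
    first = build_packet(key, "hmac-sha1", 1, b"hello")
    print(rx.receive(first), rx.receive(first))    # accepted, then replay
```

The order of the two checks matters: the ICV is verified with a constant-time comparison before the sequence number is examined, so an unauthenticated packet with a large sequence number cannot push the window forward and cause legitimate late packets to be discarded.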

3.12 MPLS VPN

ZXR10 ZSR supports MPLS (Multi-Protocol Label Switching). Its features are:

- Supports the basic functions and label forwarding services of MPLS and implements the LDP signaling protocol. The MPLS signaling protocol is mainly responsible for providing all the parameters required for distributing labels and for creating and delivering LSPs.
- Supports MPLS Ping/Tracert. MPLS echo request and MPLS echo reply are used to test the availability of an LSP.
- Supports load balancing over MPLS LSPs.
- Supports management of multi-level label stacks.
- Supports MPLS CoS, mapping the ToS field of IP packets to the EXP field of MPLS packets.
- Supports RSVP-TE.
- Supports L2/L3 VPN, including VPWS, VPLS, and BGP/MPLS-based L3 VPN.

3.12.1 MPLS L2 VPN

ZXR10 ZSR supports Martini MPLS L2VPN, which identifies a VC by VC-Type + VC-ID. VC-Type identifies the VC as Ethernet or VLAN type; VC-ID uniquely identifies the VC, so the VC-ID of each VC of the same VC-Type must be unique. The PEs connecting two CEs exchange VC labels through LDP and bind the corresponding CE by VC-ID. When the LSP connecting the two PEs has been created and both parties have completed label exchange and binding, the VC is established and the two CEs can transmit L2 data over it. To exchange VC labels between PEs, the Martini draft extends LDP with a VC FEC type. In addition, the two PEs exchanging VC labels may not be directly connected, so LDP must establish a session with a remote peer through which the VC FEC and VC label are transmitted.

The L2 VPN service supports the following features:

- LDP as the basic signaling protocol.
- Two L2 VPN services: VPWS and VPLS.
- L2 VPN MIB.
- FEC 129 encoding.
- H-VPLS.
- MAC address restriction.

3.12.2 MPLS L3 VPN

ZXR10 ZSR supports MPLS/BGP-based L3 VPN. By providing users with virtual private network service over existing public network resources, ZXR10 T600 satisfies users' requirements for private data transmission and security on the public network. The end-to-end VPN solution provided can meet these service requirements.

- Can act as CE or PE.
- Supports dynamic (BGP, RIP, OSPF, and IS-IS) and static (static route) VPN access.
- Supports policy control such as RT rewriting and SOO.
- Supports Option A/B inter-domain VPN.

3.12.3 Multi-VRF

Multi-VRF extends the capability of the CE by giving it VRF functions; such a device is called a VCE. In networking, a VCE combined with a PE forms a distributed PE. More than one VRF is configured on the VCE, each corresponding to a VPN site. In each VRF there are a number of ports on the VCE connected to the site, and one (or more) uplink interface connected to the PE. On the PE, the configuration corresponding to the same VRF has one (or more) interface connected to the VCE. In this way, a Multi-VRF CE effectively emulates multiple CEs, each virtual CE isolated from the others so that multiple VPN users can access the network, while the PE cannot tell whether it is connected to several CEs or to one VCE and therefore needs no extension.

3.13 Security functions

ZSR security technologies can be divided into the following categories based on the firewall functions supported by ZSR:

1 Defense against internal/external attacks

2 Application proxy

3 Application filtering


3.13.1 Defense against attacks

ZSR supports defense against DoS attacks aimed at the firewall, anti-scanning and anti-probing, inspection of the attributes of suspicious packets, and prevention of ARP attacks. Each technology is described in detail below.

3.13.1.1 Firewall DoS attack

If an attacker finds that there is a firewall, he may launch a DoS attack against the firewall itself rather than the network behind it. A successful firewall DoS attack is a successful attack against the protected network, since it prevents legitimate traffic from passing through the firewall. There are usually two kinds of such DoS attack: session table flood and SYN-ACK-ACK proxy flood.

- Session table flood

  A successful DoS attack uses a huge volume of forged traffic to fill and consume the session resources on the firewall, making it unable to process legitimate connection requests. ZSR supports the following measures to defend against this attack:

  i Source- and destination-based session limiting. It limits the number of concurrent sessions from the same source IP address and the number of concurrent sessions to the same destination IP address.

  ii Active TCP session timeout adjustment. ZSR can work in SYN proxy mode and dynamically adjust the TCP session timeout after a TCP session is established. It speeds up the timeout process when the number of sessions in the session table exceeds the designated upper threshold, and returns the timeout to normal when the number of sessions drops below the designated lower threshold.

- SYN-ACK-ACK proxy flood

  In TCP proxy mode, when an authorized user initiates a Telnet or FTP connection, he sends a SYN segment to the Telnet or FTP server. The security device intercepts the segment, creates an entry in its session table, and sends a SYN-ACK segment to the user. The user replies with an ACK segment, completing the initial three-way handshake, and the device generates a login banner for the user. If a malicious user does not log in but keeps initiating SYN-ACK-ACK sessions, the security device's session table fills up to the point where the device denies legitimate connection requests.

  ZSR can enable SYN-ACK-ACK proxy protection. The security device rejects further connection requests from an IP address once the connections from that IP address reach the SYN-ACK-ACK proxy threshold.

3.13.1.2 Network DoS attack

Denial of service attacks against network resources usually flood the target with large quantities of SYN, ICMP or UDP packets, or with large quantities of SYN fragments.

- SYN flood

  A SYN flood exploits a weakness of the three-way handshake used to set up a TCP connection. It sends large numbers of SYN segments to the attacked host, which accumulates a great many half-open connections in a short time. This consumes the resources of the attacked host so that it can no longer serve normal user connections, achieving the DoS goal.

  ZSR provides effective protection through SYN proxy. The SYN proxy performs the three-way handshake on behalf of the server and monitors the state of large numbers of half-open connections according to protocol state. It guarantees the continued availability of TCP resources by limiting the SYN fragments the firewall accepts and by controlling the aging and creation rate of SYN sessions.

- ICMP flood

  An ICMP flood occurs when a large number of ICMP echo requests exceeds the capacity of the victim, so that the victim spends all its resources responding and cannot handle other legitimate network traffic.

  ZSR monitors all ICMP message types, not only echo requests, and sets a threshold. Once ICMP echo requests exceed the threshold, ICMP flood protection is invoked and further ICMP echo requests are ignored.

- UDP flood and LAND attack

  Similar to an ICMP flood, a UDP flood occurs when the attacker sends IP packets carrying UDP datagrams with the aim of slowing the victim down so that it can no longer handle legitimate connections.

  ZSR also supports a threshold for UDP. Once UDP packets exceed the threshold, UDP flood protection is invoked: if the UDP datagrams sent from one or more sources to a single destination exceed the threshold, further UDP datagrams are ignored.

  A LAND attack occurs when the attacker sends spoofed SYN packets in which the victim's IP address is used as both source and destination address. ZSR combines SYN flood prevention and IP spoofing protection to detect and block this attack.

3.13.1.3 Operation System DoS attack

Ping of Death: many ping implementations allow users to specify packets larger than 65,507 bytes. Oversized ICMP packets cause a series of abnormal system reactions such as denial of service, system crash, hang and restart. ZSR detects and rejects these oversized and irregular packets, even in variants of the attack that conceal the overall packet size by deliberate fragmentation.

A Teardrop attack exploits IP packet reassembly. When a fragment's offset plus its size does not agree with the next fragment, the fragments overlap. The server's attempt to reassemble the packets can crash the system, especially when the server runs an old operating system version that contains this bug. ZSR detects the fragment abnormality and discards the packet.

3.13.1.4 Anti-scanning and detection

The ZSR built-in firewall supports anti-detection and anti-spoofing technologies such as protection against IP address scanning, port scanning, FIN scanning, IP spoofing and IP source routing.

Anti-IP address scanning and port scanning

ZSR keeps a record of the number of ICMP packets sent from a remote source to different addresses. If a remote host sends ICMP traffic to multiple addresses within a period of time, it is marked as an address scanning attack, and further ICMP echo requests from this host are rejected for the rest of the designated timeout period.

The principle of port scanning detection is similar to that of IP address scanning. If a host sends TCP SYN segments to different ports within a period of time, it is marked as a port scanning attack, and all other IP packets from that source are rejected during the designated timeout period.
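As an added illustration (not ZTE code), the following Python models the two detectors just described: a source is marked for address scanning when its ICMP echo requests reach too many distinct destinations inside a sliding time window, and for port scanning when its TCP SYNs reach too many distinct ports; the first mark blocks only further echo requests, the second blocks every IP packet from the source, each for a timeout period. The window, thresholds, timeout and the trace of packets are constructed values, not ZSR defaults.

```python
from collections import defaultdict, deque


class ScanDetector:
    """Sliding-window address-scan and port-scan detector (added example).

    Window, thresholds and block period are constructed, not ZSR defaults.
    """

    def __init__(self, window=10.0, addr_threshold=5, port_threshold=5,
                 block_period=60.0):
        self.window = window                  # seconds of history examined
        self.addr_threshold = addr_threshold  # distinct ICMP destinations allowed
        self.port_threshold = port_threshold  # distinct SYN destination ports allowed
        self.block_period = block_period      # seconds a marked source stays blocked
        self._icmp = defaultdict(deque)       # src -> deque of (ts, dst)
        self._syn = defaultdict(deque)        # src -> deque of (ts, dport)
        self.blocked = {}                     # src -> (kind, blocked_until)

    def _prune(self, dq, now):
        """Drop observations that fell out of the window."""
        while dq and now - dq[0][0] > self.window:
            dq.popleft()

    def _block_kind(self, src, now):
        """Return 'addr-scan', 'port-scan' or None, expiring stale marks."""
        entry = self.blocked.get(src)
        if entry is None:
            return None
        kind, until = entry
        if now >= until:
            del self.blocked[src]
            return None
        return kind

    def observe(self, pkt):
        """Classify one packet: 'forward' or 'drop:<reason>'."""
        now, src = pkt["ts"], pkt["src"]
        is_echo = pkt["proto"] == "icmp" and pkt.get("type") == 8
        is_syn = pkt["proto"] == "tcp" and pkt.get("flags") == "S"
        kind = self._block_kind(src, now)
        if kind == "port-scan":
            return "drop:port-scan"           # all IP packets from the source rejected
        if kind == "addr-scan" and is_echo:
            return "drop:addr-scan"           # only further echo requests rejected
        if is_echo:
            dq = self._icmp[src]
            dq.append((now, pkt["dst"]))
            self._prune(dq, now)
            if len({dst for _, dst in dq}) > self.addr_threshold:
                self.blocked[src] = ("addr-scan", now + self.block_period)
                dq.clear()
                return "drop:addr-scan"
        elif is_syn:
            dq = self._syn[src]
            dq.append((now, pkt["dport"]))
            self._prune(dq, now)
            if len({port for _, port in dq}) > self.port_threshold:
                self.blocked[src] = ("port-scan", now + self.block_period)
                dq.clear()
                return "drop:port-scan"
        return "forward"


def icmp_echo(ts, src, dst):
    return {"ts": ts, "src": src, "dst": dst, "proto": "icmp", "type": 8}


def tcp_syn(ts, src, dst, dport):
    return {"ts": ts, "src": src, "dst": dst, "proto": "tcp", "flags": "S",
            "dport": dport}


def run_sample():
    """Constructed trace: one address scanner (10.0.0.5), one port scanner (10.0.0.9)."""
    det = ScanDetector()
    trace = [icmp_echo(t, "10.0.0.5", f"192.168.1.{t + 1}") for t in range(6)]
    trace += [tcp_syn(6, "10.0.0.5", "192.168.1.1", 80),   # not an echo request: passes
              icmp_echo(7, "10.0.0.5", "192.168.1.7"),      # still inside the block period
              icmp_echo(70, "10.0.0.5", "192.168.1.8")]     # block period has expired
    trace += [tcp_syn(t, "10.0.0.9", "192.168.1.1", p)
              for t, p in enumerate((21, 22, 23, 25, 80, 443))]
    trace += [icmp_echo(6, "10.0.0.9", "192.168.1.1")]     # any IP packet is dropped
    return [det.observe(p) for p in trace]
```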

Anti-spoofing measures

FIN scanning sends TCP segments with the FIN flag set in an attempt to trigger a response (TCP segments with the RST flag set) and thus discover the active ports on a host or hosts. An attacker may use this method in place of address scanning with ICMP echo requests or with SYN segments. ZSR discards TCP segments that have FIN set but not ACK (which is abnormal for a TCP segment).

uRPF (unicast Reverse Path Forwarding) has a loose mode and a strict mode. It checks the validity of the source IP address of inbound packets against the local routing table, so that packets forwarded to hosts outside the controlled area are guaranteed to carry a source address that can be verified by a route. ZSR implements this.

Check and filtering of attributes for suspicious packets

Attackers may craft packets specifically to probe for or launch a DoS attack. ZSR filters such packets.

ICMP packets carrying fragmentation attributes may cause abnormal behaviour on some hosts. ZSR therefore drops any ICMP packet with the 'fragmented' flag set or with a non-zero value in the fragment offset field. An unusually large ICMP packet may also cause abnormal behaviour, so ZSR detects and drops ICMP packets longer than 1024 bytes.

Abnormal IP options are incomplete or malformed option fields produced by incorrectly constructed IP options, and they may damage the target receiver. When an IP packet header contains any abnormal IP option, ZSR discards the packet.

Unknown protocols use a non-standard protocol field value of 137 or higher, which may cause abnormal behaviour in the target receiver. When the protocol field contains a value of 137 or higher, ZSR discards the packet.

When packets traverse different networks, they sometimes need to be divided into smaller parts (fragments) according to the MTU of each network. An attacker may exploit bugs in the packet reassembly code of an IP stack implementation by sending IP fragments, which may crash the system. ZSR can be configured to discard all IP fragments received on an interface.

A SYN segment initiates a connection and elicits a SYN/ACK segment in response, so SYN segments usually carry no data; the IP packet is small and has no need to be fragmented. Fragmented SYN packets are therefore abnormal and may cause abnormal behaviour. ZSR discards such packets when the IP header indicates the packet is fragmented and the SYN flag is set in the TCP header.
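The attribute checks listed in this section, and the FIN-without-ACK rule from the anti-spoofing section above, can be expressed as one stateless classifier. This is an added example, not ZSR code: the `Packet` model, the option-walking routine and the sample packets are constructed for illustration, and the per-interface "discard all fragments" setting is modelled as a plain flag.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    """Minimal IP/TCP header model (constructed for the example, not a parser)."""
    proto: int                           # IP protocol number (1 = ICMP, 6 = TCP)
    total_length: int                    # IP total length in bytes
    more_fragments: bool = False         # IP "more fragments" flag
    frag_offset: int = 0                 # fragment offset field (8-byte units)
    ip_options: bytes = b""              # raw IP options; empty when IHL == 5
    tcp_flags: frozenset = frozenset()   # e.g. {"SYN"}, {"FIN"}, {"FIN", "ACK"}


def ip_options_malformed(opts: bytes) -> bool:
    """True when the option list cannot be walked as well-formed TLVs."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:             # End of Option List: the rest is padding
            return False
        if kind == 1:             # No Operation: single-byte option
            i += 1
            continue
        if i + 1 >= len(opts):    # option type present but length byte missing
            return True
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):   # short or overrunning length
            return True
        i += length
    return False


def classify(pkt: Packet, drop_all_fragments: bool = False) -> str:
    """Return 'forward' or 'drop:<reason>' following the rules in the text."""
    fragmented = pkt.more_fragments or pkt.frag_offset != 0
    if pkt.proto >= 137:                            # unknown/non-standard protocol
        return "drop:unknown-protocol"
    if ip_options_malformed(pkt.ip_options):        # abnormal IP options
        return "drop:abnormal-ip-options"
    if drop_all_fragments and fragmented:           # interface set to drop fragments
        return "drop:ip-fragment"
    if pkt.proto == 1:
        if fragmented:                              # ICMP with MF flag or offset
            return "drop:fragmented-icmp"
        if pkt.total_length > 1024:                 # oversized ICMP
            return "drop:oversized-icmp"
    if pkt.proto == 6:
        if fragmented and "SYN" in pkt.tcp_flags:   # SYN should never be fragmented
            return "drop:fragmented-syn"
        if "FIN" in pkt.tcp_flags and "ACK" not in pkt.tcp_flags:   # FIN scan probe
            return "drop:fin-without-ack"
    return "forward"


def run_sample():
    """Constructed packets exercising each rule once."""
    syn = frozenset({"SYN"})
    samples = {
        "plain-echo": Packet(1, 84),
        "big-echo": Packet(1, 1500),
        "frag-echo": Packet(1, 1500, more_fragments=True),
        "offset-echo": Packet(1, 100, frag_offset=185),
        "proto-137": Packet(137, 60),
        # LSRR option (0x83) claiming 7 bytes but only 4 present
        "bad-opts": Packet(6, 64, ip_options=b"\x83\x07\x04\x0a", tcp_flags=syn),
        # NOP, NOP, EOL, padding: well formed
        "good-opts": Packet(6, 64, ip_options=b"\x01\x01\x00\x00", tcp_flags=syn),
        "frag-syn": Packet(6, 60, frag_offset=1, tcp_flags=syn),
        "fin-scan": Packet(6, 40, tcp_flags=frozenset({"FIN"})),
        "fin-ack": Packet(6, 40, tcp_flags=frozenset({"FIN", "ACK"})),
    }
    return {name: classify(p) for name, p in samples.items()}
```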

3.13.1.5 Anti-ARP attack

ARP attacks are a kind of abnormality that easily occurs in the internal network. Sometimes they are caused by ARP viruses, but internal users may also launch malicious attacks against the gateway. ARP attacks can be carried out in two ways:

1 Modify the gateway's ARP entries so that internal users cannot access the gateway.

2 Modify internal users' ARP entries so that incorrect MAC addresses are learned on the gateway and returning data packets are forwarded incorrectly.

ZSR supports the following countermeasures, which provide a complete solution against these two kinds of attack:

Gratuitous ARP packets

ZSR periodically sends ARP packets for the local gateway and, for a short time, continuously broadcasts its correct ARP information, which allows attacked hosts in the internal network to recover. Testing has confirmed that a sending interval of about 10-100 ms effectively resolves the abnormal ARP changes caused by an attack.

IP + MAC binding and ARP scan technology

ARP spoofing deceives the gateway through the dynamic, real-time ARP update rules. ARP entries are therefore set to static on the gateway, so that ARP updates from internal network users can be ignored by ZSR, which guarantees that returning packets reach the correct host.

The following assisting technologies guarantee normal and easy deployment of this scheme:

iii To guarantee that large volumes of ARP attack packets do not overwhelm the gateway, ZSR supports a CPU processing rate limit. The number of ARP packets processed by the CPU can be configured, so normal network updates are guaranteed while the abnormally high CPU utilization caused by large numbers of false ARP packets is avoided.

iv In a large-scale network, configuring static IP+MAC bindings is a complicated job. ZSR supports ARP scanning: it broadcasts ARP requests, collects the corresponding IP and MAC address pairs, and generates a static IP/MAC binding table inside the system.

v In environments where the gateway also works as the DHCP server, ZSR supports static IP address assignment in the DHCP server. It assigns IP addresses to fixed hosts by MAC address, to prevent spoofed ARP messages from obtaining the IP addresses of key equipment such as internal network servers.

3.13.2 Application proxy

ZSR implements a TCP connection proxy as its application proxy. It is also called a SYN proxy, and it effectively solves the SYN attack problem. Its details and implementation features are described as follows:

3.13.2.1 TCP Three-way Handshake and SYN attack

A TCP connection is created by the three-way handshake mechanism, which is described briefly as follows:

The client sends a packet with SYN set to the server, containing connection information such as the initial sequence number a, the client port number and the server port number.

On receiving the SYN packet from the client, the server sends a packet with SYN and ACK set to the client, in which the ACK number is (a+1) and the server's initial sequence number is b. At the same time, buffer space and other necessary resources are allocated for the connection.

On receiving the SYN/ACK packet from the server, the client sends back a TCP packet with ACK set to the server; this time the ACK number is (b+1). The client and the server have now completed the three-way handshake and established the connection.

Figure 3-7 TCP three-way handshake

In a SYN flood attack, the attacking host sends a large number of TCP SYN packets with forged source addresses to the victim host. The victim allocates the necessary resources to each TCP connection, returns a SYN-ACK packet (SYN and ACK set) to the source address and waits for the client's ACK packet.

Since the source IP address of the attacking host is forged, the SYN-ACK packet returned by the server cannot reach the destination address and is discarded. Even if the destination address is reachable, it did not initiate a TCP connection request, so the packet is discarded there as well. The server therefore never receives an ACK packet.

For a given server, the available TCP connections are limited, because it has only a limited memory buffer for connections. If the buffer is filled with the initial state of false connections, the server stops responding to further connection requests until the connections in the buffer time out. If a malicious attacker keeps sending such connection requests rapidly, the server's available TCP connection queue is quickly exhausted, available system resources drop dramatically and available network bandwidth is quickly reduced, which may leave the server unable to provide normal, legitimate service to users.

3.13.2.2 Work mode and features of SYN proxy

When ZSR receives a TCP connection request from the Internet to a protected server in the internal network, it holds the packet instead of forwarding it to the server immediately. It creates a TCP connection record and answers the request in place of the protected server. If the external host that launched the request is a normal client, it sends an acknowledgement packet to complete the three-way handshake after receiving the SYN/ACK packet from ZSR. If the external host is carrying out a SYN attack, no acknowledgement packet is sent.

If the external host is a normal client, ZSR completes the three-way handshake in place of the protected server. ZSR then completes a three-way handshake with the internal protected server in place of the external host, using the TCP connection request sent by the external host, to create the TCP connection. ZSR keeps the TCP connection record after the connection is established, but the state stored for it changes.

If the external host is carrying out a SYN attack, ZSR deletes the TCP connection record after waiting for the acknowledgement packet for a period of time without receiving it from the external host. In this way the internal server never sees the half-open TCP connections caused by the SYN attack.

The ZSR router permits a limited number of intercepted TCP connections. If the current connections reach the full quota (suppose it is n), then when the (n+1)th TCP connection packet arrives, the router rejects the connection under normal conditions. When it is under attack, it instead deletes the oldest half-open connection entry.
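The behaviour of sections 3.13.2.1 and 3.13.2.2 together, as an added Python model that is not ZSR code: the proxy answers each client SYN with its own SYN/ACK, only completes the server-side handshake once the client's ACK acknowledges that SYN/ACK, expires half-open records after a timeout (halved while under attack, as described further below), and when the interception quota is full either rejects the new SYN or, under attack, evicts the oldest half-open record. The quota, timeout, "waterline" attack threshold, sequence numbers and addresses are constructed for the example.

```python
from collections import OrderedDict


class SynProxy:
    """SYN proxy model (added example; parameters are constructed, not ZSR defaults)."""

    def __init__(self, max_records=4, timeout=30.0, waterline=3):
        self.max_records = max_records   # interception quota n
        self.timeout = timeout           # seconds to wait for the client's ACK
        self.waterline = waterline       # half-open count that signals an attack
        self.records = OrderedDict()     # (src, sport, dst, dport) -> record, oldest first
        self.log = []                    # (event, key) pairs for inspection
        self._next_isn = 1000            # source of the proxy's initial sequence numbers

    @staticmethod
    def _key(pkt):
        return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

    def half_open(self):
        return [k for k, r in self.records.items() if r["state"] == "half-open"]

    def under_attack(self):
        return len(self.half_open()) >= self.waterline

    def expire(self, now):
        """Delete half-open records whose wait for an ACK has run out.
        Under attack the timeout is halved so bogus records disappear quickly."""
        limit = self.timeout / 2 if self.under_attack() else self.timeout
        for key in [k for k, r in self.records.items()
                    if r["state"] == "half-open" and now - r["created"] >= limit]:
            del self.records[key]
            self.log.append(("expired", key))

    def on_syn(self, pkt, now):
        """Client SYN: answer SYN/ACK for the server. Returns ('syn-ack', isn) or ('reject',)."""
        self.expire(now)
        key = self._key(pkt)
        if key in self.records:                        # retransmitted SYN: answer again
            return ("syn-ack", self.records[key]["isn"])
        if len(self.records) >= self.max_records:      # quota n reached
            if not self.under_attack():
                return ("reject",)                     # normal operation: reject n+1
            oldest = self.half_open()[0]               # under attack: evict oldest half-open
            del self.records[oldest]
            self.log.append(("evicted", oldest))
        isn = self._next_isn
        self._next_isn += 1
        self.records[key] = {"state": "half-open", "created": now,
                             "client_seq": pkt["seq"], "isn": isn}
        return ("syn-ack", isn)

    def on_ack(self, pkt, now):
        """Client ACK: completes our handshake, then the proxy handshakes with the server."""
        self.expire(now)
        rec = self.records.get(self._key(pkt))
        if rec is None or rec["state"] != "half-open":
            return "drop"
        if pkt["ack"] != rec["isn"] + 1:               # does not acknowledge our SYN/ACK
            return "drop"
        rec["state"] = "established"                   # record kept, only its state changes
        return "handshake-with-server"


def run_scenario():
    """Constructed trace: one real client, a burst of spoofed SYNs, then a late client."""
    proxy = SynProxy(max_records=4, timeout=30.0, waterline=3)
    out = []
    client = {"src": "203.0.113.10", "sport": 40000, "dst": "10.1.1.5", "dport": 80, "seq": 100}
    kind, isn = proxy.on_syn(client, 0.0)
    out.append(kind)
    out.append(proxy.on_ack({**client, "ack": isn + 1}, 0.1))          # real client completes
    spoofed = [{"src": f"198.51.100.{i}", "sport": i, "dst": "10.1.1.5", "dport": 80, "seq": i}
               for i in range(1, 5)]
    for t, pkt in zip((1.0, 2.0, 3.0, 4.0), spoofed):                 # 4th SYN fills quota
        out.append(proxy.on_syn(pkt, t)[0])                            # and evicts the oldest
    late = {"src": "203.0.113.11", "sport": 40001, "dst": "10.1.1.5", "dport": 80, "seq": 7}
    out.append(proxy.on_syn(late, 20.0)[0])                            # halved timeout expired rest
    out.append(proxy.on_ack({**late, "ack": 1}, 20.1))                 # wrong ACK number
    return out, len(proxy.half_open()), proxy.log
```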

Figure 3-8 SYN proxy

(Diagram: between the TCP Client and the TCP Server, ZSR acts as a virtual application proxy. Towards the external client it plays "the server for the internal network", answering Syn(A) with Syn(B)/ACK(A+1) and receiving ACK(B+1); towards the internal server it plays "the client for external access", repeating the Syn(A), Syn(B)/ACK(A+1), ACK(B+1) exchange to set up the connection. The two legs form a virtual TCP connection.)

The SYN proxy can monitor all TCP packets passing through the router, or only particular TCP packets, as decided by the user's configuration, which gives flexible application. The SYN proxy can obtain the following information:

Source IP Address: source IP address of the TCP connection

Destination IP Address: destination IP address of the TCP connection

Source Port: source port number of the TCP connection

Destination Port: destination port number of the TCP connection

Create Time: the time to live of the TCP connection

Timeout Time: timeout time of the TCP connection

Connections in one minute: the TCP connections created in the latest minute

Work state: whether the currently configured resource is under attack

TCP connection state: the current stage of connection creation for the packets, that is, whether the connection is half-open or completed

The SYN proxy configuration is flexible to alter. The interception mode, timeout time and waterline (attack threshold) configuration can be changed while in service without affecting any working connections.

The SYN proxy has an alarm function. When the current resource is detected to be under attack based on the waterline configuration, it automatically alarms the user that the resource needing protection may be under attack, so that the user can take further active measures.

At the same time, the timeout time can be dynamically halved when an attack is detected, so that the attacked connections are deleted quickly and the server is better protected.

3.13.3 Application filtering

ZSR supports the following application filtering technologies:

Web page address filtering

URL parameter filtering

Java/ActiveX block

MSN/QQ instant messenger block

P2P software block

3.13.3.1 Web page address filtering

URL (web page address) filtering can prevent internal users from accessing illegal and unhealthy websites, or permit users to access only certain particular websites. When it receives HTTP packets, the router checks the URL in them. If the address is permitted by the user's configuration, the web request is accepted. If the address is prohibited by the user's configuration, the web request is rejected and, at the same time, a TCP reset packet is sent to both the client and the server of the web request. After enabling URL filtering, the default behaviour for URL filtering must be designated.

When URL filtering is enabled, the system by default rejects all web requests that address the website directly by IP address. If access to websites by IP address is still required, address group filtering needs to be enabled on ZSR.

ZSR URL filtering is based on keywords customized by the user; a URL matches whether the URL string and the configured keyword match completely or only partially.

3.13.3.2 URL parameter filtering

At present web pages are usually dynamic and backed by a database, querying or modifying the data needed by the web request in the database. This enables lawbreakers to steal confidential data from the database, or to keep altering the information in the database by constructing special SQL statements in the web page until the database breaks down. This is called a SQL injection attack.

A manual SQL injection intrusion may take half a day, a whole day or several days, but with special tools it can be carried out in minutes. With the administrator account and password obtained in this way, and a backdoor program downloaded from the Internet and uploaded, the management authority of the whole network, even that of the server, can easily be seized.

On gateway equipment, keywords of SQL statements, or other characters that may form a SQL statement, are matched against HTTP web request packets. If they match, the request is treated as a SQL injection attack and is not allowed through. This is called URL parameter filtering.

The web transmits parameters in several ways, of which GET and POST are the most commonly used. The way a parameter is transmitted determines its location, so the parameter is obtained from the position it occupies and then matched and filtered.

Currently ZSR supports filtering of web parameters transmitted by GET, POST and PUT. It matches and filters by checking the URL parameters against the filtering parameter items configured on the router. If a match is found, the request is rejected; otherwise the packets are permitted through.
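The web page address filtering of 3.13.3.1 and the URL parameter filtering of 3.13.3.2, as one added Python check over raw HTTP requests (not ZSR's filter engine): the host is rejected when it is a bare IP address outside a permitted "address group", the URL is matched partially against prohibited keywords, and parameters are taken from the query string for GET or from the form body for POST/PUT and matched against configured SQL keywords. The keyword lists, the permitted address and the sample requests are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl


class HttpRequestFilter:
    """URL filtering plus URL parameter filtering (added example, constructed rules)."""

    def __init__(self, url_keywords, sql_keywords, permitted_ip_hosts=(),
                 default_action="accept"):
        self.url_keywords = [k.lower() for k in url_keywords]   # prohibited, partial match
        self.sql_keywords = [k.lower() for k in sql_keywords]   # matched inside parameters
        self.permitted_ip_hosts = set(permitted_ip_hosts)        # "address group" exception
        self.default_action = default_action                     # configured default behaviour

    @staticmethod
    def parse(raw):
        """Split a raw HTTP/1.1 request into method, target, headers and body."""
        head, _, body = raw.partition("\r\n\r\n")
        request_line, *header_lines = head.split("\r\n")
        method, target, _ = request_line.split(" ", 2)
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        return method.upper(), target, headers, body

    @staticmethod
    def parameters(method, target, headers, body):
        """Collect (name, value) pairs from wherever the method places them."""
        params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
        ctype = headers.get("content-type", "")
        if method in ("POST", "PUT") and "application/x-www-form-urlencoded" in ctype:
            params += parse_qsl(body, keep_blank_values=True)   # form body already URL-decoded
        return params

    def check(self, raw):
        """Return ('accept', None) or ('reject', reason).
        A reject also implies a TCP reset towards client and server, as in the text."""
        method, target, headers, body = self.parse(raw)
        host = headers.get("host", "").rsplit(":", 1)[0].strip("[]")
        try:
            ipaddress.ip_address(host)
            is_ip_literal = True
        except ValueError:
            is_ip_literal = False
        if is_ip_literal and host not in self.permitted_ip_hosts:
            return ("reject", "direct-ip-address")          # default: no access by IP
        url = (host + target).lower()
        for kw in self.url_keywords:
            if kw in url:                                    # partial match is enough
                return ("reject", f"url-keyword:{kw}")
        for name, value in self.parameters(method, target, headers, body):
            text = " ".join(value.lower().split())           # fold case and whitespace
            for kw in self.sql_keywords:
                if kw in text:
                    return ("reject", f"sql-keyword:{kw} in {name}")
        return (self.default_action, None)


def run_sample():
    """Constructed requests: clean, blocked site, IP hosts, GET and POST parameters."""
    f = HttpRequestFilter(url_keywords=["casino"],
                          sql_keywords=["union select", "drop table", "or 1=1"],
                          permitted_ip_hosts={"192.0.2.10"})
    form = "Content-Type: application/x-www-form-urlencoded\r\n"
    reqs = {
        "plain": "GET /news/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        "blocked-site": "GET /play HTTP/1.1\r\nHost: casino.example\r\n\r\n",
        "ip-host": "GET / HTTP/1.1\r\nHost: 198.51.100.20\r\n\r\n",
        "permitted-ip": "GET / HTTP/1.1\r\nHost: 192.0.2.10:8080\r\n\r\n",
        "get-injection": ("GET /item?id=5%20UNION%20SELECT%201 HTTP/1.1\r\n"
                          "Host: www.example.com\r\n\r\n"),
        "post-injection": ("POST /login HTTP/1.1\r\nHost: www.example.com\r\n" + form +
                           "\r\nuser=bob&pass=x%27+OR+1%3D1"),
        "post-clean": ("POST /login HTTP/1.1\r\nHost: www.example.com\r\n" + form +
                       "\r\nuser=bob&pass=correct+horse"),
    }
    return {name: f.check(r) for name, r in reqs.items()}
```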

3.13.3.3 Java/ActiveX block

ActiveX controls, Java applets, .zip files and .exe files sent over HTTP pose threats to network security: they give an untrusted party a way to load, and then control, an application on a host in the protected network.

When the applet block of ZSR is enabled, all requests for applets in web pages are filtered. If the user still expects to obtain applets from some web pages, an address group must be configured; if the address group is permitted, requests for the corresponding address group can get through.

The system provides ways to add and delete the file extensions for each kind of application, so that users can configure on the command line which suffixes are blocked. By default a Java applet is '.jar' or '.class', an exe file is '.exe', and a zip file is '.zip'.

3.13.3.4 MSN/QQ instant messenger block

The ZSR router supports blocking of instant messenger tools. At present ZSR supports blocking of two popular messengers: MSN and QQ. Unmonitored communication via instant messenger at the client can be avoided by blocking the MSN/QQ communication protocol, communication port or communication server address. In addition, the security weaknesses introduced by these tools are prevented from being exploited by hackers.

3.13.3.5 P2P software block

Nowadays downloading with P2P software such as BitTorrent, eDonkey and eMule is more and more popular, which brings great convenience to users downloading data. At the same time, however, it consumes huge network resources, including bandwidth and concurrent connections.

ZSR provides a policy setting to block P2P download software. It can block the following tools: BitTorrent, eDonkey and eMule. At the same time it supports setting a session connection limit for a single user, to prevent too many concurrent connections of a single user from consuming too much network resource. In this way DoS attacks can also be effectively prevented, guaranteeing smooth operation of the network.

3.14 Network management features

3.14.1 Simple Network Management Protocol (SNMP)

SNMP (Simple Network Management Protocol) is an application-layer protocol used to exchange management information between network devices. It is part of the TCP/IP protocol suite and is used to ensure the normal operation of network protocols and devices. It enables the administrator to detect network problems and make adjustments according to the commands exchanged between the client terminal and the server. SNMP runs on top of UDP.

The SNMP network management model comprises four key elements:

1 Management workstation

2 Management agent

3 Management information base

4 Network management protocol

The MIB is a set of information organized in a hierarchical structure. Network management protocols (such as SNMP) are used to access the MIB. The MIB consists of managed objects, each identified by an object identifier.

3.14.2 Remote Network Monitoring (RMON)

RMON (Remote Network Monitoring) can monitor information such as the overall traffic of Ethernet and token ring networks. RMON is an important enhancement to SNMP. In the RFCs, RMON is a MIB definition (RFC 1757), and the defined MIB has been further enhanced to MIB-II. In this way, overall traffic information for each specified sub-network can be obtained.

The ZXR10 RMON function module implements all functions of the nine groups defined in RFC 1757. By properly configuring the related functions, it helps network administrators grasp and analyze the running status of the network and learn of network alarms in time, so as to maintain the network better.

3.14.3 Statistics and Alarm Management Function

The statistics and alarm management system informs network administrators about network and equipment operation. It provides the following:

1 Collection of traffic data for network traffic analysis

2 Detailed log files

3 Various configuration and operation information

The system can save real-time statistics and alarm information, so that when the router fails the cause can be found and the problem solved quickly. For warning alarms, according to the administrator's requirements and working together with the diagnosis and test programs, it can diagnose the failed alarm points, carry out tests and record the test results for the administrator's reference.

3.14.4 Log Management Function

Log management mainly records the configuration commands executed on the router by users who log on to it. It makes it easy to query the history of configuration commands on the router, which helps to analyze the causes of faults and supports system security.

In addition to recording configuration commands, the operation log module of ZXR10 ZSR also manages operation logs. It allows users to add log entries, and it supports record query and storage by user name, time, login terminal number and login address.

3.14.5 NetNumen™ Integrated Network Management Platform

3.14.5.1 Network Management Networking

ZTE NetNumen™ is a network management system built on the data communication network. It can carry out integrated maintenance and management of various types of network equipment over a wide area and in complicated application environments.

Either in-band or out-of-band network management can be adopted between the NetNumen™ network management system and ZXR10 ZSR.

In-band management

In-band management means that network management information and service data are transported over the same channel, so no extra DCN needs to be built. The NetNumen™ network management system can fulfil its task as long as it is connected to nearby network equipment with the related SNMP parameters configured.

Out-of-band management

Out-of-band management means that network management information is independent of service data: the network management information is transported within the network management system, and an extra DCN is needed. The NetNumen™ network management system is connected to ZXR10 ZSR via its out-of-band management interface, and network management information and service information are transmitted independently of each other.

3.14.5.2 NetNumen™ Network Management System

The NetNumen™ U31 (BN) developed by ZTE is a unified network management system aimed at managing SDH, MSTP, WDM, PTN, OTN and IP devices (routers, switches, etc.). It covers management of the network element, the network and the service. The network management system provides the following services:

Fault management ensures stable network operation.

Performance management gives an overall picture of the service situation of the entire network.

Resource management enables rational use of network resources.

View management makes the running of the network visible.

Configuration management enables fast service deployment.

Security management makes the network safer.

The northbound interface supports integration with third-party systems.

3.14.6 Netflow

Netflow provides measurement and statistics of IP data flows at high forwarding speeds. It has become the recognized and most important industry standard for IP/MPLS traffic analysis and measurement in the Internet field, and it is widely used in network security management. It works by analyzing IP packets according to seven attributes:

Source IP address

Destination IP address

Source port number

Destination port number

Layer 3 protocol type

TOS byte (DSCP)

Input (or output) logical interface of the network equipment (ifIndex)

By analyzing these seven attributes of IP packets, Netflow can quickly distinguish the various types of service flows transmitted in the network. Having distinguished each data flow, Netflow can separately track and accurately measure it, recording flow features such as the transmission direction and destination, its start and end time and type of service, as well as traffic information such as the number of packets and the number of bytes. Netflow periodically exports the original records, or automatically exports aggregated statistics computed from the original records.
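The flow cache behind the description above, as an added Python example (not ZXR10 code): packets are keyed by the seven attributes, each flow record carries start and end time plus packet and byte counts, records are exported when a flow goes idle or has been active too long, and exported records can be aggregated over a subset of the attributes. The timeouts, addresses and packet trace are constructed for the example.

```python
from dataclasses import dataclass

ATTRIBUTES = ("src", "dst", "sport", "dport", "proto", "tos", "ifindex")


@dataclass
class FlowRecord:
    key: tuple          # the seven attributes, in ATTRIBUTES order
    first_seen: float   # flow start time
    last_seen: float    # flow end time (so far)
    packets: int = 0
    octets: int = 0


class FlowCache:
    """Netflow-style flow cache (added example; timeouts are constructed values)."""

    def __init__(self, active_timeout=1800.0, inactive_timeout=15.0):
        self.active_timeout = active_timeout      # export long-lived flows periodically
        self.inactive_timeout = inactive_timeout  # export flows that have gone quiet
        self.flows = {}

    @staticmethod
    def key_of(pkt):
        return tuple(pkt[a] for a in ATTRIBUTES)

    def observe(self, pkt):
        """Account one packet to its flow, creating the record on first sight."""
        key = self.key_of(pkt)
        rec = self.flows.get(key)
        if rec is None:
            rec = self.flows[key] = FlowRecord(key, pkt["ts"], pkt["ts"])
        rec.last_seen = pkt["ts"]
        rec.packets += 1
        rec.octets += pkt["length"]

    def export(self, now, flush=False):
        """Remove and return expired records (all records when flush is set)."""
        out = []
        for key, rec in list(self.flows.items()):
            expired = (now - rec.last_seen >= self.inactive_timeout or
                       now - rec.first_seen >= self.active_timeout)
            if flush or expired:
                out.append(self.flows.pop(key))
        return out


def aggregate(records, fields):
    """Sum packets and octets of exported records over a subset of the attributes."""
    idx = [ATTRIBUTES.index(f) for f in fields]
    totals = {}
    for rec in records:
        k = tuple(rec.key[i] for i in idx)
        packets, octets = totals.get(k, (0, 0))
        totals[k] = (packets + rec.packets, octets + rec.octets)
    return totals


def run_sample():
    """Constructed trace: a TLS session that keeps going and a DNS query that goes idle."""
    cache = FlowCache(active_timeout=1800.0, inactive_timeout=15.0)
    web = {"src": "10.0.0.7", "dst": "192.0.2.80", "sport": 51000, "dport": 443,
           "proto": 6, "tos": 0, "ifindex": 3}
    dns = {"src": "10.0.0.7", "dst": "192.0.2.53", "sport": 53000, "dport": 53,
           "proto": 17, "tos": 0, "ifindex": 3}
    trace = [{**web, "ts": 0.0, "length": 60}, {**dns, "ts": 0.2, "length": 70},
             {**web, "ts": 0.5, "length": 1500}, {**web, "ts": 1.0, "length": 1500},
             {**web, "ts": 30.0, "length": 52}]
    for pkt in trace:
        cache.observe(pkt)
    exported_at_30 = cache.export(30.0)                 # only the idle DNS flow expires
    exported_final = cache.export(60.0, flush=True)     # end of run: flush the rest
    totals = aggregate(exported_at_30 + exported_final, ("src", "proto"))
    return exported_at_30, exported_final, totals
```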

3.14.7 Ethernet OAM

As the IP bearer network moves towards multi-service and broadband, traditional Ethernet lacks carrier-class management capabilities such as detecting, alarming and isolating Layer 2 network failures. Network management using SNMP can only manage link and device status; it cannot detect the performance and status of the end-to-end connection of the user service, and when a network failure occurs it either cannot locate the fault or is not quick enough.

Where a router is connected to a Layer 2 switch, the Layer 2 switch has no Layer 3 function, so the point-to-point link between the router and the Layer 2 switch cannot be detected with 'ping'. To solve this problem, ZXR10 ZSR supports the Ethernet OAM functions for point-to-point link detection: Ethernet OAM Discovery, Remote loopback and Link monitoring.

Ethernet OAM discovery function:

1. Ethernet OAM is enabled globally and on the interfaces. The interface working in active mode periodically sends OAMPDU protocol packets to the peer to initiate the OAM discovery process. The protocol packet contains the local Ethernet OAM configuration information and capability information.

2. After the OAMPDU response message is received, the Ethernet OAM configuration parameters carried in the peer's packets are checked. Only if the Ethernet OAM configurations of both ends pass the check is the Ethernet OAM connection established.

3. After the connection is established, both ends stay connected through OAMPDU messages. If no OAMPDU message from the peer is received within the timeout period, the connection is automatically interrupted.

Ethernet OAM Remote loopback:

Once the Ethernet OAM connection is established, the port working in active mode can initiate a remote loopback, and the peer responds to it. When the port is in the remote loopback state, all non-loopback and non-OAMPDU packets are discarded. Remote loopback determines the link quality by comparing the number of loopback test packets sent (automatically) by the local port with the number of loopback packets received.

Ethernet OAM Link monitoring:

This is used to detect and discover link-layer failures. When one side of the Ethernet OAM connection detects a link failure, it triggers a local 'link event', which records the fault and sends this 'link event' in an Ethernet OAMPDU message, and the peer records the remote link event as well.

4 System Architecture

4.1 Product Physical Structure

1 Front panel diagram of ZSR1800

Figure 4-1 Front panel of ZXR10 ZSR1809

Figure 4-2 Front panel of ZXR10 ZSR1822E

2 Front panel diagram of ZSR 2800

Figure 4-3 Front panel of ZXR10 ZSR 2842

3 Front panel diagram of ZSR 3800

Figure 4-4 Front panel of ZXR10 ZSR 3844

Figure 4-5 Front panel of ZXR10 ZSR 3884

4.2 Hardware Architecture

The ZXR10 ZSR hardware architecture integrates security, data compression, L2 switching, USB intelligent services and large-capacity network storage. It is a new series of equipment introduced by ZTE in consideration of the market requirement for service integration. The ZXR10 ZSR hardware is designed to realize different working modes, as per users' different configuration requirements, through the related hardware and software.

Compared with similar products on the market, ZXR10 ZSR not only uses a modular design but also supports a wide range of interface speeds, from the low end at 300 bit/s to the high end at 1000 Mbit/s, which satisfies users' requirements for broadband upgrades.

The architecture and technology design take the radiation and EMC (Electromagnetic Compatibility) of the modules and of the entire equipment into consideration.

The three series of ZXR10 ZSR routers are designed to be hardware compatible with each other. Considering the current trend towards network service integration, a powerful hardware foundation for service expansion has been created through the advanced V-BUS architecture:

1 The advanced V-BUS architecture ensures real-time wire-speed concurrency of multiple services and solves the system performance bottleneck of traditional single-bus routers.

2 An industry-leading high-performance RISC processor provides powerful drive for network service processing.

3 Large-capacity, high-performance system memory and flash provide a stable foundation for deep processing of network services.

4 An embedded high-performance hardware security module fully meets users' security requirements.

5 A high-performance USB2.0 interface module supports 3G WWAN and easy access to wireless services.

6 The modular hardware architecture is completely compatible, which protects users' investment.

The core processing system of the ZXR10 ZSR router adopts a high-performance RISC CPU and a proprietary ASIC architecture based on the V-BUS multi-bus architecture. With its modular design, it meets users' different demands with the corresponding hardware or software. The relationships between the functional modules are as follows:

Figure 4-6 General architecture of ZXR10 ZSR intelligent integrated multi-service router

According to the system hardware architecture, ZXR10 ZSR series routers can be divided into the following hardware processing modules:

Central Processing module: It adopts a high-performance single-core/multi-core CPU with a speed of up to 1.5 GHz. The system uses a high-performance DDR2 memory module providing memory throughput of up to 30 Gbps to fit the requirements of network service processing. With the hardware-based encryption module and data compression module embedded in the CPU, the performance of system encryption and data compression services is greatly improved. Fast internal switching between the CPU and the hardware modules avoids the bus bottleneck caused by external-bus encryption and compression modules, which greatly improves service processing efficiency.

Fixed Interface Module: The basic system is designed to provide 2/4 10/100/1000M Ethernet WAN interfaces.

USB Service Expansion Module: The system provides a USB2.0 interface to reserve adequate space for service expansion.

Large-capacity Data Memory Unit: Through data exchange over a high-speed bus, the large-capacity data memory unit module offers sufficient built-in storage space for network security and service expansion applications, such as equipment log alarms, anomaly traffic logs, real-time storage of anomaly traffic, NAT logs, customized voice storage and an FTP server, which solves the local data storage problems of traditional equipment.

Ethernet Switching Unit: The system embeds an Ethernet switching unit offering non-blocking Ethernet switching capability of up to 24 Gbps. The Ethernet switching unit enables fast interconnection between all the slots, avoiding the inter-module exchange between Ethernet modules that other equipment requires. It provides L3 to L7 services with a fast data tunnel via the high-speed data bus and the system's internal switching modules, and solves the problems of L2 data service.

Data Service Processing Unit: The system can implement hardware-based large-capacity IPv4/v6 NAT through the embedded data service processing centre module.

Data Security Processing Unit: The built-in data security processing centre module of the system can implement hardware-based IDS and IPS network security features.

4.3 Technical Specifications

According to processing capability, the ZXR10 ZSR series routers consist of 5 products, serving enterprises with different requirements for network scale, performance and service features.

Table 4-1 ZXR10 ZSR1800/2800/3800 series specifications and parameters

ZSR1809
  Model: RA-1809-AC
  Fixed interfaces: 1×Console port; 1×10/100/1000M WAN port and 8×10/100M ports (all can be used as WAN interfaces)
  Number of interface card slots: none
  Dimensions (W×H×D): 360×44×287 mm
  Weight: 3 kg
  Maximum power consumption: 25 W
  Heat dissipation: silent design, no fan, natural cooling
  Power supply: AC 100~240 V (220 V/110 V), 50/60 Hz

ZSR1822E
  Model: RA-1822E-AC, RA-1822E-DC
  Fixed interfaces: 1×Console port; 1×AUX port; 2×USB 2.0 interfaces; 2×GE Combo ports
  Number of interface card slots: 2
  Dimensions (W×H×D): 442×44×320 mm
  Weight: 5 kg
  Maximum power consumption: 60 W
  Heat dissipation: AC model: silent design, no fan, natural cooling; DC model: forced air cooling
  Power supply: AC 100~240 V (220 V/110 V), 50/60 Hz; DC -36~-72 V (-48 V)

ZSR2842
  Model: RA-2842-AC, RA-2842-DC
  Fixed interfaces: 1×Console port; 1×AUX port; 2×USB 2.0 interfaces; 2×GE Combo ports
  Number of interface card slots: 4
  Dimensions (W×H×D): 442×86.1×420 mm
  Weight: 10 kg
  Maximum power consumption: 110 W
  Heat dissipation: forced air cooling
  Power supply: AC 100~240 V (220 V/110 V), 50/60 Hz; DC -36~-72 V (-48 V); 1+1 power supply redundancy

ZSR3844
  Model: RA-3844-AC, RA-3844-DC
  Fixed interfaces: 1×Console port; 1×AUX port; 2×USB 2.0 interfaces; 2×10/100M fast Ethernet ports (electrical) + 2×GE Combo ports
  Number of interface card slots: 4
  Dimensions (W×H×D): 442×86.1×420 mm
  Weight: 10 kg
  Maximum power consumption: 120 W
  Heat dissipation: forced air cooling
  Power supply: AC 100~240 V (220 V/110 V), 50/60 Hz; DC -36~-72 V (-48 V); 1+1 power supply redundancy

ZSR3884
  Model: RA-3884-AC, RA-3884-DC
  Fixed interfaces: 1×Console port; 1×AUX port; 2×USB 2.0 interfaces; 2×10/100M fast Ethernet ports (electrical) + 2×GE Combo ports
  Number of interface card slots: 8
  Dimensions (W×H×D): 442×130.5×420 mm
  Weight: 15 kg
  Maximum power consumption: 180 W
  Heat dissipation: forced air cooling
  Power supply: AC 100~240 V (220 V/110 V), 50/60 Hz; DC -36~-72 V (-48 V); 1+1 power supply redundancy

All models
  MTBF/MTTR: 20,000 hours / 0.5 hours
  Temperature/humidity: temperature -5~45 °C; humidity 20~90% (non-condensing)

Table 4-2 ZXR10 ZSR1800/2800/3800 series interface boards

Ethernet:
  2/4-port 10Base-T/100Base-TX interface
  8-port 100M L2 switching board
  1-port 100M optical interface + 4-port 100M electrical interface
  1-port 10/100/1000M electrical interface
  1-port 1000M SFP optical interface

Serial:
  8-port asynchronous serial interface card (V.24)

E1:
  1/2/4/8-port channelized E1 interfaces (75/120 Ω)
  1/2/4/8-port unchannelized E1 interfaces (75/120 Ω)

POS:
  1-port channelized OC-3/STM-1 POS interface

xDSL:
  1-port ADSL interface

WWAN:
  3G WWAN (USB inserted)

Service card:
  Network data encryption card (NDEC)

5 Typical Networking

5.1 Access Router

By providing rich interfaces ranging from low-speed to high-speed interfaces and 3G interfaces, and by supporting L2TP/GRE/IPSec VPN and MPLS VPN services, the ZSR router greatly improves network flexibility. It is used as the access router of enterprise headquarters, branch offices, business offices and mobile offices.

Figure 5-1 ZSR router is used as Access router


5.2 Egress and Security Gateway of Enterprises

The built-in high-performance NAT service supports dual NAT egresses, with policy routing used to load-balance traffic between them. ZSR is configured with a built-in firewall, and its software and hardware are designed with security in mind, which helps protect the egress gateway and the intranet. ZSR supports IPv4/IPv6 dual stack. The ZSR router is used as the egress and security gateway of enterprise networks, campus networks and data center networks.

Figure 5-2 ZSR router is used as Egress and Security Gateway of Enterprises
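How dual NAT egresses and policy routing interact, as an added example that is not part of the original document and does not describe ZTE's implementation: a small Python model in which a policy rule pins one intranet prefix to one uplink, remaining flows are hashed onto an uplink so that every packet of a flow uses the same egress, and each egress keeps its own NAT table. The prefixes, addresses, egress names and the helper functions (build_router, egress_spread) are assumptions made for this example. The point it shows that the paragraph does not: NAT state lives per egress, so a reply that returns via the other uplink finds no translation, which is why the policy route must keep each flow on one egress.

```python
# Constructed model of dual-egress NAT with policy routing. Written for this
# page as an illustration; not ZTE code. Prefixes, addresses and names are invented.
import hashlib
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """One connection as seen from the intranet (the 5-tuple)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Egress:
    """One WAN uplink with its own public address and its own NAT table."""
    name: str
    public_ip: str
    # outbound table: inside flow -> allocated public source port
    nat: dict = field(default_factory=dict)
    # inbound table: (public port, remote ip, remote port, proto) -> inside flow
    reverse: dict = field(default_factory=dict)
    next_port: int = 1024

    def translate_out(self, flow: Flow) -> tuple:
        """Source-NAT an outbound packet, allocating a public port on first use."""
        if flow not in self.nat:
            port = self.next_port
            self.next_port += 1
            self.nat[flow] = port
            self.reverse[(port, flow.dst, flow.dport, flow.proto)] = flow
        return (self.public_ip, self.nat[flow], flow.dst, flow.dport)

    def translate_in(self, public_port: int, remote_ip: str, remote_port: int, proto: str = "tcp"):
        """Map a reply back to the inside flow; None if this egress holds no state for it."""
        return self.reverse.get((public_port, remote_ip, remote_port, proto))


class PolicyRouter:
    """Selects an egress per flow: explicit policy rules first, then a stable hash."""

    def __init__(self, egresses, policies):
        self.egresses = {e.name: e for e in egresses}
        self.order = [e.name for e in egresses]
        self.policies = [(ipaddress.ip_network(prefix), name) for prefix, name in policies]

    def select_egress(self, flow: Flow) -> Egress:
        src = ipaddress.ip_address(flow.src)
        for net, name in self.policies:
            if src in net:
                return self.egresses[name]
        # No policy match: hash the 5-tuple so every packet of a flow takes the same egress.
        key = f"{flow.src}|{flow.sport}|{flow.dst}|{flow.dport}|{flow.proto}".encode()
        idx = hashlib.sha256(key).digest()[0] % len(self.order)
        return self.egresses[self.order[idx]]

    def forward(self, flow: Flow):
        """Outbound: choose the egress and apply its NAT; returns (egress name, translated 4-tuple)."""
        eg = self.select_egress(flow)
        return eg.name, eg.translate_out(flow)

    def receive(self, egress_name: str, public_port: int, remote_ip: str, remote_port: int, proto: str = "tcp"):
        """Inbound reply arriving on one egress; only that egress's NAT table is consulted."""
        return self.egresses[egress_name].translate_in(public_port, remote_ip, remote_port, proto)


def build_router() -> PolicyRouter:
    """Example setup (assumed): 10.1.0.0/16 is pinned to ISP A, everything else is balanced."""
    return PolicyRouter(
        egresses=[Egress("isp_a", "203.0.113.1"), Egress("isp_b", "198.51.100.1")],
        policies=[("10.1.0.0/16", "isp_a")],
    )


def egress_spread(router: PolicyRouter, n: int = 200) -> set:
    """Set of egresses that a batch of unpinned flows lands on (shows the load balancing)."""
    return {router.forward(Flow("10.2.0.7", 40000 + i, "192.0.2.10", 443))[0] for i in range(n)}


if __name__ == "__main__":
    r = build_router()
    print(r.forward(Flow("10.1.5.5", 51000, "192.0.2.10", 443)))
    print(egress_spread(r))
```

In the model, forwarding the same flow twice returns the same egress and the same public port, and a reply that arrives on the other uplink resolves to nothing. On real equipment the equivalent check is to confirm that the policy route and the upstream return path agree for every flow, since a NAT session created on one egress cannot be matched by traffic returning through the other.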