Chapter 6 from Introducing Microsoft Windows 2000 Server, published by Microsoft Press
On This Page
Support for Standards
Virtual Private Networks (VPNs)
Network Driver Interface Specification (NDIS)
Quality of Service (QoS)
How Do Other Operating Systems Fit In?
Developed from the start as a network operating system, Microsoft Windows 2000 Server continues to improve its presence on networks and the Internet. Microsoft is following the worldwide trend of using the Internet for as much as possible.
Windows 2000 Server will help companies make better use of their Internet connections. By providing support for additional standardized features of TCP/IP, Microsoft has improved the performance of its premier network operating system both for communications with other Windows systems and with UNIX systems. Technologies such as virtual private networks (VPNs) will allow organizations to reduce costs without sacrificing security. The routing features built in to Windows 2000 servers allow those servers to act as routers, with graphical user interfaces far superior to those of hardware-based routers. The new Quality of Service (QoS) standards allow more consistent and reliable networking, especially when using real-time audio and video.
Support for Standards
With the first releases of the LAN Manager and Windows NT operating systems, Microsoft made an effort not only to support Internet standards but also to create its own protocols where standards did not meet the needs of its customers. NetBIOS Enhanced User Interface (NetBEUI), the networking foundation of the first versions of Windows NT, was proprietary in nature and the details of the protocol were well hidden. TCP/IP, on the contrary, is based entirely on committee-created, completely documented standards. TCP/IP is the standard of the Internet and the future of networking, and Windows 2000 is well designed to leverage these standards.
Microsoft is not simply following open standards; it is leading the development. For example, Microsoft has been working with Cisco, Ascend, IBM, and 3Com to create the Layer 2 Tunneling Protocol (L2TP) standards. Microsoft's active involvement in standards committees ensures that Windows will take advantage of these technologies just as soon as they are finalized—and sometimes before!
While the core of TCP/IP (Transmission Control Protocol/Internet Protocol) has been a standard for many years, not all TCP/IP implementations are alike. Many aspects of TCP/IP are considered optional, and software developers tend to add only those features they feel will benefit their customers. Microsoft has improved the TCP/IP stack included in Windows 2000 by adding optional, standardized features not found in previous versions of Windows. The end result is that users will enjoy improved network performance on both local area networks (LANs) and wide area networks (WANs).
Security-minded administrators will appreciate the new support for robust packet filtering. Windows 2000 can now filter packets based on TCP port, UDP port, IP protocol ID, ICMP type, ICMP code, source address, and destination address. An example of packet filtering is shown in Figure 6-1. With these filtering capabilities, you can control which networks are allowed to download mail from your Post Office Protocol (POP) server. This control would allow you to guarantee that only users on the local network can even attempt to establish network connections.
Filter lists make it easier to manage multiple filtering policies. Figure 6-2 shows how several lists can be used to provide separate policies for internal and external networks. You can create separate filters for each subnet in your network, if you so desire.
Windows 2000 now includes support for RFCs 1122, 1123, 1323, and Selective Acknowledgements. RFCs 1122 and 1123 were written in 1989 and summarize mandatory and optional features of TCP/IP stacks—support for these documents means better compatibility with other operating systems. RFC 1323 provides extensions to TCP that allow for better performance over high-bandwidth and high-delay networks, such as satellite links. Selective Acknowledgements improve performance when used with large TCP window sizes, by allowing only lost packets to be resent; packets that were already received are not retransmitted. For more information on Selective Acknowledgements, refer to RFC 2018.
Windows 2000 Server continues Microsoft's support of the Winsock 2.0 interface. Winsock provides an API for Internet applications and automatically handles tasks such as name resolution, QoS, establishing outgoing connections, and listening for incoming connections. Winsock 2.0 allows applications to specify QoS requirements, regardless of the underlying QoS mechanism in use.
Virtual Private Networks (VPNs)
A VPN allows data to travel securely across an untrusted network. In the Internet age, this means that companies that formerly required leased lines to ensure security can now leverage the public Internet for private communications. It also means that corporate users who travel can connect to a local Internet service provider (ISP) and communicate securely with the corporate network, without dialing in to a private bank of modems. See Figure 6-3 for an illustration of a VPN across the public Internet.
The primary advantages of VPNs are reduced costs and improved privacy. Companies can reduce costs by maintaining only a single WAN connection for each remote office—a connection to an ISP. The ISP forwards the traffic across the public Internet, in much the same way that frame relay providers have operated for many years, except at a greatly reduced cost. The VPN technologies included in Windows 2000 ensure that this data cannot be read or modified on its journey to the destination network.
While different VPN technologies vary in their specifics, they have many things in common. All VPNs transport data through a tunnel, as illustrated in Figure 6-4. The tunnel is created between two tunnel endpoints, which agree upon a set of protocols for the tunnel before any payload is transmitted. As data is sent through the tunnel, the frame or packet is encapsulated within another packet. Once the data reaches the opposite endpoint, the data is unencapsulated and processed as if it had been sent from a system on the same LAN.
Windows 2000 includes three technologies for creating virtual private networks. PPTP, the Point-to-Point Tunneling Protocol, is a familiar technology to those who have worked with Windows in the past. L2TP provides similar functionality but has the benefit of support from a variety of vendors. Internet Protocol security (IPSec) represents the future of tunneling. Though IPSec is still under development, Windows 2000 provides support for much of the published functionality.
Point-to-Point Tunneling Protocol (PPTP)
PPTP is a multiprotocol tunneling technology developed by Microsoft for Windows NT 4.0. It is based on the well-established Point-to-Point Protocol (PPP), which is used for the vast majority of dial-up connections. While PPP allows two computers to communicate over a single link, PPTP allows a virtual link to be created that can traverse public or private networks. PPTP was quick to develop because it borrows the authentication and handshaking mechanisms from PPP.
While only Windows NT 4.0 Server or Windows 2000 Server can act as the server end of a PPTP connection, any member of the Windows family can be a client. This allows traveling users to dial in to an ISP with a Windows 98 laptop and initiate a private connection across the Internet to the corporate server. This will work properly regardless of the protocol in use at the corporate network; the traveler can dial in to an ISP and connect to a NetWare server located on a private network, using only IPX/SPX.
Layer 2 Tunneling Protocol (L2TP)
L2TP, seen as an evolution of PPTP, is a multiprotocol tunneling technology developed by Microsoft, Cisco, Ascend, IBM, and 3Com. L2TP meets many of the same goals as PPTP and borrows heavily from Cisco's Layer-2 Forwarding (L2F).
One of the interesting features of L2TP is MPPP, or Multilink Point-to-Point Protocol. This differs from the MPPP technology built in to Windows NT 4.0. The MPPP built in to Windows NT 4.0 could be used only to connect to a dial-up server that specifically supported this technology. Unfortunately, the technology was not widely supported where it was needed most—by the ISPs. L2TP's MPPP technology allows a Windows 2000 system to dial in to two entirely separate ISP connections. Data can be transmitted through both of these links to a Windows 2000 server using L2TP MPPP, where the server will reassemble the traffic and transmit it onto the Internet or a private network. In this way, Windows 2000 Server and the L2TP MPPP allow multiple analog links to be combined for greater data throughput. This process is illustrated in Figure 6-5.
L2TP offers other advantages over PPTP. L2TP can be used over a variety of Internet connections, including frame relay, X.25, and Asynchronous Transfer Mode (ATM). L2TP allows multiple tunnels to be created, each with a different QoS. Header compression in L2TP reduces the header to 4 bytes, compared to the 6 bytes PPTP uses.
Both L2TP and PPTP are configured and managed in Windows 2000 using the Routing And Remote Access service. Figure 6-6 shows a screen shot of the management utility.
Windows Internet Protocol Security (IPSec)
One of the new standards that the Internet Engineering Task Force (IETF) has been working on is IPSec. The goal of the IPSec working group is to allow private and secure communications across the public Internet, regardless of the application or higher-level protocol being used. PPTP, L2TP, and several other technologies also accomplish these goals, but IPSec has one distinct advantage—it is an Internet standard. This single factor will allow IPSec to become one of the primary protocols used in VPNs in the years to come.
Microsoft, in a continuing effort to support international standards, has provided an implementation of IPSec in Windows 2000. When used with Windows 2000, IPSec provides transparent authentication of clients and servers, confidentiality of data transmitted across a network, and the flexibility to work with any IP-based application.
Encapsulating Security Payload (ESP) is IPSec's standard for encryption and validation. ESP operates at either the network layer or the transport layer of the Open Systems Interconnection (OSI) model, and therefore can encrypt data created by any higher-layer protocols. For example, a Telnet session could be tunneled within ESP, and all data transmitted during that Telnet session would be immune to eavesdropping. When ESP is used at the transport layer, an ESP header is inserted between the IP header and the TCP header. The TCP header information and all data contained within the packet are encrypted.
ESP can also be used at the network layer to provide VPN functionality and privacy. When ESP is used at the network layer, the exact IP address of the packets can be obscured. In this way, data can travel between remote networks, but the IP addresses within the networks will not be revealed to anyone watching the traffic.
The encryption ensures that the traffic cannot be monitored and used maliciously. Further, ESP provides protection from replay attacks by providing a sequencing number within the header. A replay attack is a scenario wherein an unauthorized user retransmits packets that had been intercepted. Windows Internet Protocol security leverages the Internet Security Association and Key Management Protocol (ISAKMP) using the Oakley key determination protocol to identify each packet uniquely and ensure that it can never be reused. Figure 6-7 shows an event log entry generated by an error associated with ISAKMP/Oakley.
The other significant standard being designed by the IPSec working group is the IP Authentication Header, or simply AH. AH allows the client and server to validate each other before they begin to exchange data, limiting the opportunity for a malicious third party to impersonate either end of the connection. AH and ESP together provide authentication and encryption of IP traffic.
The IETF provided a framework for data encryption and session authentication using the ESP and AH standards. It did not provide standards for the actual mechanisms used to encrypt the data or to authenticate the hosts. Fortunately, Microsoft has built a strong authentication mechanism into Windows 2000 Server—client and server certificates. The encryption is provided by mixing public key and secret key cryptography. By leveraging existing components of Windows 2000 Server, Microsoft has provided an easy-to-use and powerful method of network security.
Note: Figure 6-8 shows how administrators can configure custom IPSec security policies using the IP Security Policies MMC snap-in. If protocols other than IP must be tunneled, IPSec can be combined with L2TP. For more information on IPSec standards, please visit the IETF's Web site at http://www.ietf.org/ids.by.wg/ipsec.html.
Network Driver Interface Specification (NDIS)
NDIS is a layer of abstraction that exists between the network protocol driver (at the network layer of the OSI model) and the network card driver (at the data link layer of the OSI model). Among other features, it allows multiple network cards to work with a single network protocol. NDIS is an international standard, and providing NDIS support allows network card vendors to ensure that their driver will be compatible with Windows.
Both Windows 98 and Windows 2000 provide native support for NDIS 5.0. This is an upgrade from Windows NT 4.0 and Windows 95 (OSR2), which shipped with NDIS 4.0 support. NDIS 5.0 adds several features that were absent in NDIS 4.0:
Advanced network power management and network wake-up capabilities.
Plug and Play is now supported with network drivers.
Improved support for ATM and QoS.
Lower total cost of ownership (TCO).
Microsoft has built routing functionality into its server operating systems since Windows NT 3.51 was released. However, the multiprotocol router (MPR) built in to Windows NT 3.51 and Windows NT 4.0 was limited in functionality and found very little use on production networks. Microsoft recognized the need for a flexible, extensible routing technology, and began developing a replacement for the built-in routing in Windows NT 4.0. Windows 2000 Server continues to build on Windows NT's routing capabilities with the new Routing And Remote Access service.
With the routing functionality built in to Windows 2000 Server, Microsoft allows organizations to build entire network infrastructures based strictly on Microsoft products. By integrating routing features into the operating system, small companies will benefit by not having to purchase expensive routing hardware to segment networks. Large companies will benefit by being able to administer their routers using Windows 2000's graphical user interface (GUI), a major improvement over most routers' text-based interfaces.
Network Address Translation (NAT)
Network address translation, or NAT, is the process of transparently using a proxy to transfer packets between an internal and external network. With the NAT functionality built in to Windows 2000 Server, a single dial-up connection can be used to allow an entire network access to the Internet, without making a single change to the clients. Until now, administrators had to make use of application- or session-layer proxies, both of which require modifications to the client and support a limited number of applications.
For NAT to work properly, clients on the internal network must be using private IP addresses, such as those in the 192.168.0.0 range. The clients must have the NAT server configured as their default gateway. The NAT server will act as a router to the clients, forwarding packets from the internal network to the external network. However, NAT does more than a traditional router—it not only forwards the packets, it replaces the private source IP address with a valid public IP address. NAT also listens for reply packets and returns those responses to the client that initiated the connection.
Beyond providing outside access to clients within a private network, the NAT services included with Windows 2000 Server are also capable of acting as a reverse-proxy. This allows administrators to create publicly available Web and e-mail services without placing the servers on a public network. NAT can also be configured to use a range of public IP addresses, assign clients private IP addresses using Dynamic Host Configuration Protocol (DHCP), and act as a proxy for DNS (Domain Name System) requests to the outside world. All of these features combined allow administrators to easily provide a private network access to the public Internet or any other network.
NAT is configured using the Routing And Remote Access MMC snap-in. It is treated as a routing protocol, though it is not a true routing protocol. Enabling NAT can be as simple as adding the protocol and selecting the proper radio button, as shown in Figure 6-9.
Routers forward traffic one hop at a time. For a router to correctly forward traffic in networks where multiple paths exist, the router must be configured to know where the next hop is for any given destination network. Routing protocols allow routers to automatically learn their way around a network, but routing protocols require administrative overhead and may not be worthwhile in small networks and networks that do not require dynamic redundancy. If an administrator wants to manually configure each router in a network with a list of paths to different destination networks, he or she can do so using static routing.
Static routing is useful in small networks and extremely stable networks. Static routes can be configured on a Windows 2000 Server using the ROUTE command-line interface or the Routing And Remote Access GUI, as shown in Figure 6-10. For those familiar with the command-line interface included in previous versions of Windows, this graphical interface is a great improvement.
In many small networks, all network segments connect to a single router. This router knows where to forward packets because it has a direct connection to every network segment. In this situation, only a very simple router is required. However, larger networks require multiple routers. This presents a bit of a challenge—how will the routers know where to forward packets that are not destined for directly attached networks? Consider Figure 6-11, which shows a network with two routers. Router A is directly connected to Networks W and X, and therefore knows how to forward packets from Network W destined for Network X. However, how will it know where to forward packets for Network Y or Network Z?
There are two correct answers to the question: either the network administrator can implement static routes, or a routing protocol can be used. A routing protocol enables Router B to tell Router A that it has a direct connection to Network Y and Network Z. That way, when Router A receives packets destined for Network Z, Router A will know to forward the packets directly to Router B for delivery.
For routers to exchange information about networks, they must use the same routing protocol. Routing protocols each have specific advantages and disadvantages. Windows 2000 Server includes support for a variety of routing protocols and provides an open API for the development of additional routing protocols. Using this open API, Microsoft or third-party vendors can write code that allows Windows 2000 servers to communicate with other routers on the network, regardless of the routing protocol.
The following section describes the routing protocols included with Windows 2000 Server: Routing Information Protocol (RIP) and Open Shortest Path First (OSPF).
RIP version 1, RIP version 2, and RIP for IPX
RIP (Routing Information Protocol) has been in use since 1982 and is still commonly used today. RIP is a member of the distance-vector routing protocol family. Distance-vector routing protocols learn a limited amount of information about the surrounding network and tend to suffer from problems such as routing loops. RIP version 1 is based on RFC 1058; RIP version 2 is based on RFC 1723.
While RIP is considered to be an outdated routing protocol, it is simple to configure and is widely supported by routing software. Many people still use RIP for backward compatibility with older routers. Indeed, RIP was the only dynamic routing protocol supported by Windows NT 3.51.
You should use RIP only if you have to. If your organization requires the use of RIP as the routing protocol, RIP version 2 is the better choice. RIP version 2 has several advantages over RIP version 1. The newer version of the protocol allows classless networks to be used; RIP version 1 required that all subnets be divided into standard Class A, Class B, or Class C networks. While RIP version 1 sent all updates between routers on a timed basis, RIP version 2 sends updates only as required. Finally, RIP version 1 was susceptible to attacks because it lacked a method to authenticate other routers; RIP version 2 adds simple clear-text authentication.
RIP for IPX is a variant of the RIP standard, modified to work with Novell's native network protocol. It is the only routing protocol Windows 2000 Server supports that is compatible with IPX.
OSPF (Open Shortest Path First) is a robust protocol, well suited to medium-to-large networks. It is a member of the link-state routing protocol family—a family characterized by complete knowledge of surrounding networks and sophisticated router-to-router communications. While distance-vector routing protocols such as RIP typically communicate only with directly neighboring routers, OSPF-based routers communicate with all other routers in their network. This allows the router to build a map of the network, providing for more intelligent path choices when traffic must be redirected around a failed router or network.
OSPF is an Internet standard defined by RFC 1583.
Internet Group Membership Protocol (IGMP)
Windows 2000 Server supports version 2 of IGMP as defined in RFC 1112. IGMP, often called IP multicasting, is an Internet standard protocol that allows a single packet to be delivered to multiple hosts. Further, it shifts part of the responsibility for identifying those hosts from the server to the network. Using IGMP, a server can transmit a real-time data stream, such as a video presentation, to any number of subscribers on the network—while transmitting only a single copy of the data. While IGMP is gaining wider acceptance, it is still usable only on the part of the Internet called the multicast backbone (MBONE). The MBONE is a special part of the Internet that is multicast compatible.
Multicasting is similar to broadcasting because both multicast and broadcast packets can be received by multiple hosts. However, broadcast packets interrupt every system on the network, while multicast packets only interrupt those systems that listen for specific multicast IP addresses. Further, broadcasts are generally limited to a single network segment. When used with IGMP, multicast packets can traverse large, routed networks. Multicast packets make use of a special range of IP addresses called Class D addresses, which have a first octet between 224 and 239.
Windows 2000 Server includes an IGMP router and an IGMP proxy. Using these two services, a Windows 2000 Server connected to the MBONE can receive and forward multicast packets on behalf of an intranet. Do not confuse the IGMP router capability with an IGMP routing protocol—Windows 2000 Server is currently not capable of acting as an IGMP router in multirouter environments. IGMP router and proxy settings can be configured from within the Routing And Remote Access snap-in by opening the IGMP Properties dialog box, shown in Figure 6-12.
DHCP (Dynamic Host Configuration Protocol) Relay Agent
Windows 2000 Server continues to provide DHCP relay agent functionality. Using the DHCP relay agent, administrators can have all hosts on multiple network segments retrieve their IP address information from a single DHCP server.
Upon startup, a DHCP client transmits a broadcast query requesting an IP address to be used. If a DHCP server is on the same network segment, it will respond with an IP address and any additional information the administrator has configured. However, broadcast queries do not normally pass through routers, so Microsoft provides the DHCP relay agent. By placing a computer with the DHCP relay agent installed on every network segment in a network, DHCP clients do not need to be on the same network segment as the DCHP server. The DHCP relay agent will listen for DHCP requests and forward them to the DHCP server.
To configure the DHCP relay agent in Windows 2000 Server, add the service as a routing protocol using the Routing And Remote Access interface.
Quality of Service (QoS)
If you have ever experienced choppy audio and video across a network, you will appreciate QoS. Windows 2000 uses QoS to prioritize network traffic and make the most efficient use of bandwidth. Further, the QoS features built in to Windows 2000 allow it to request and reserve bandwidth from network hardware.
Real-time applications will see the greatest benefit from the use of QoS. Audio and video streams do not have the opportunity to retransmit packets that are dropped, and they deserve a higher priority than a file transfer that occurs in the background and is not time-sensitive. Applications written specifically to take advantage of the QoS API can benefit by specifying requirements on a per-session basis. For example, Microsoft Windows 2000 Server Media Services can request from the network a specific amount of bandwidth for a given data stream.
Administrators can use the QoS features built in to Windows 2000 Server to give specific users priority on the network, prioritize different types of traffic, guarantee that specific applications receive a dedicated amount of bandwidth, and prevent protocols that don't support QoS (such as UDP) from stealing too many resources. QoS is a complex topic. To work correctly, every piece of equipment on a network must support the same QoS standards. Windows 2000 adds QoS support, but that is only a small part of what is required. Even if the switches and routers on your corporate network support QoS, that will not be sufficient to use QoS across the Internet—your ISP and all ISPs between you and the destination computer must support the standards. Even if this is not the case currently, you can still benefit from using QoS.
To understand QoS, it is important to understand latency and jitter. Latency is a measure of delay on a network. Routers are the biggest cause of latency—each router takes a small amount of time to process a packet and forward it to the next network. While an individual router might not add an appreciable amount of latency, the combined latency of all the routers between a client and a server can be significant. In general, the busier a router is, the more latency it adds. Latency is not a problem for real-time audio and video presentations if they are one-way communications (each packet is delayed the same amount and received in appropriate intervals). However, latency presents a serious problem if the communication is two-way, as is the case with Internet telephony and video conferencing. Video conferencing across a high-latency network leads to unnatural pauses that can be frustrating to the participants.
Jitter is the measurement of change in latency. For example, if the average latency of a packet traveling between a client and server is one-half of a second, some packets might take as long as a full second to travel, while others take only a quarter of a second. Jitter is not an important consideration for file transfers, but it has a profound impact on real-time network applications such as audio and video. One of the primary causes of high jitter is a feature of IP networks: different packets in a single session can follow different paths through a network. If different paths have different latency, high jitter results. Clients often compensate for jitter by buffering network traffic, thereby increasing overall delay.
Consistent with Microsoft's goal of making Windows more extensible, Windows 2000 Server provides several APIs to allow third-party software vendors to develop their own QoS standards. There are several QoS standards supported by Windows 2000 Server.
Resource Reservation Setup Protocol (RSVP)
When you place a telephone call, you are never concerned that the quality of your telephone call is going to degrade because your provider becomes busy. Telephone service providers never get that busy; once their network has reached capacity, new telephone calls are rejected completely. Each telephone call that you place is guaranteed a high-quality connection until you hang up your telephone.
This is certainly not the case with most IP networks. If you have ever tried to carry on an audio conversation across a busy IP network, you know that the sound might break up when other network applications steal your bandwidth. Windows 2000 adds the IETF RSVP to provide QoS. RSVP is one method of making IP networks perform more like telephone networks. RSVP allows a system to reserve a predetermined amount of bandwidth along a specific path in the network—eliminating the possibility of bandwidth starvation and reducing jitter. The specific path, combined with the QoS specifications, is called a flow.
To reserve a flow, the client and server must have resources allocated from every piece of network hardware that will participate. The client starts the reservation process by sending a PATH message to the receiver. As each piece of network hardware receives the PATH message, it adds itself to the list and forwards the message on. This list allows future packets in the same session to follow the same route. Any piece of hardware that does not speak RSVP will forward the message on like any other packet, without adding itself to the list of hardware.
The receiving station then sends a response to the PATH message called an RESV (for reservation) message. The RESV message is guaranteed to travel the same route as the PATH message, because each hop in the path is listed in the message. As each piece of hardware forwards the RESV message toward the client, it verifies that it really does have the requested bandwidth and actually reserves it. The entire RSVP reservation process is illustrated in Figure 6-13. If one of the pieces of hardware cannot reserve the resources, an error message indicates the problem. The jitter that can occur by using varying paths is reduced because all packets in that session will pass through exactly the same routers.
The sender automatically resends a PATH message on a regular basis to adapt to changing states in the network. By default, this resend of the PATH message occurs every 30 seconds. If the network hardware that has reserved resources does not see a PATH message within a certain amount of time (defaulting to 90 seconds), it will remove the reservation. This prevents a failed connection from tying up resources unnecessarily. When the session is complete, the station that breaks the connection will send a special PATH message instructing the network hardware to release the resources. This is called a PATH-tear message.
Traffic control is analogous to assigning priorities to different processes within the operating system—the most important processes receive the most processor time, and therefore become more responsive to the user. The traffic control API provides the operating system with finer control over the packets it generates, allowing it to make better use of network bandwidth.
Traffic control and RSVP are not mutually exclusive. On the contrary, they complement each other well. Traffic control can be used across parts of the network that do not support RSVP. In fact, RSVP and traffic control can be used together on a single session where only some of the network components support RSVP.
Not all network traffic is created equal. If you are uploading a large file via File Transfer Protocol (FTP), it would be nice if this transfer would not hurt the performance of the Telnet session you have open. In this scenario, you are not concerned about the time the FTP transfer takes, but you do want Telnet to be more responsive. The operating system should be able to prioritize your Telnet packets so that they are sent before FTP packets.
The QoS Packet Scheduler does just this. It retrieves packets from the outgoing queue and transmits them according to QoS parameters. These parameters allow users and applications to specify that certain applications have a higher priority in the packet queue. If congestion exists, higher priority packets will be bumped to the front of the queue, reducing for these packets latency caused by the local network segment.
External Prioritization (Diff-Serv, 802.1p, and IP Precedence)
IETF Diff-Serv is an IETF working group whose mission is to make use of the 6-bit Type Of Service field included in the IP header. The Type Of Service field was included to be used by network hardware to prioritize packets, but it was never implemented. Windows 2000 Server now allows applications to set priority, allowing this field to specify a level of QoS when compatible network hardware is used.
QoS extends to layer 2 of the OSI model for Ethernet networks. Windows 2000 supports the IEEE 802.1p priority standard to allow switches to prioritize frames. The priority is carried as a 2-byte tag in the data portion of the frame. This allows switches to drop low-priority frames when their queue is full, increasing the chance for high-priority frames to be carried successfully on a busy network segment.
The OSI Model
Computers communicate on networks by agreeing on standard languages, also known as protocols. Each network communication relies on several protocols. To make it even more confusing, protocols are hierarchical—they rely on one another. Fortunately, there's a standard way of organizing them—the OSI model. The OSI model consists of seven distinct layers, and all network protocols exist at one of these seven layers:
Application layer (layer 7). This highest level is used directly by applications to communicate on a network. Examples of protocols at this layer are HTTP, SMTP, and FTP.
Presentation layer (layer 6). Rarely used. It is intended to act as an interface between the session layer and the application layer.
Session layer (layer 5). Provides complex conversation controls. NetBIOS over TCP/IP is the best example of a session layer protocol.
Transport layer (layer 4). Allows for connection-oriented communications, error-checking, and guaranteed delivery. TCP and UDP are the most common examples.
Network layer (layer 3). Provides for routing, navigation, and addressing. IP and IPX are the most popular examples.
Data link layer (layer 2). Provides communications within a single network segment. Protocols can include collision avoidance and error checking. Ethernet, token ring, and FDDI (Fiber Distributed Data Interface) are all layer 2 protocols.
Physical layer (layer 1). The format of the cables and electrical signals. Cat 5 copper wire, fiber optics, and repeaters live at this level.
At layer 3 of the OSI model, IP Precedence allows routers to prioritize traffic and to better select packets that must be dropped. IP Precedence is simpler than the RSVP protocol because it does not require the PATH and RECV messages, nor does it require network hardware to preallocate the necessary resources. However, bandwidth is not guaranteed and jitter is still prevalent.
ISSLOW—Latency Reduction on Slow Links
Using ISSLOW, large packets can be fragmented to improve performance. Consider the example of audio and video being transmitted simultaneously. Video packets are much larger than audio packets, and the delay while the packet is transmitted over a slow link can be as much as half a second. If audio packets are separated by half-second intervals, the quality of the audio becomes unacceptable.
ISSLOW solves this problem by fragmenting large packets into multiple, smaller packets. This way, many smaller audio packets can be transmitted in the middle of the big packets, ensuring a smooth service quality. ISSLOW is the name of an IETF working group—the actual letters represent "ISSLL subgroup on low bitrate links."
Quality of Service Admission Control Service (QoS ACS)
The Quality of Service Admission Control Service (QoS ACS) allows administrators to control which users and groups can reserve bandwidth on the network. Naturally, RSVP could be dangerous if control wasn't provided—a user could request so much bandwidth that the rest of the organization suffered! QoS ACS uses policies to determine whether resource requests should be approved or disapproved. QoS ACS controls RSVP, SBM (Subnet Bandwidth Management), IP Precedence, and 802.1p usage to prevent bandwidth overcommitment on both routers and network segments.
QoS ACS policies can be based on network topology, available resources, users, groups, and applications. These policies are stored in Active Directory, so they are available across the enterprise. QoS ACS is an open standard, so third-party switches and routers can make use of Windows 2000 Active Directory to determine policy.
How Do Other Operating Systems Fit In?
Windows 2000 Server is intended to provide network services to a variety of clients, including Windows for Workgroups, Windows 95, Windows 98, Windows 2000 Professional, and UNIX operating systems. More recent versions of the Windows operating systems will benefit the most from the network advances added to Windows 2000 Server. For example, Windows 98 systems are shipped ready to participate in Active Directories and to use Microsoft Distributed file system (Dfs) shares.
As the Internet continues to evolve, so does Windows. The new networking features of Windows 2000 Server enable administrators to take better advantage of their existing network and of the Internet. Virtual private networking technologies like PPTP, L2TP, and IPSec improve security and increase the usefulness of the Internet. The routing features of Windows 2000 Server expand the operating system's functionality past that of merely a file and application server. Finally, system-level support for Quality of Service technologies makes real-time multimedia over IP networks a reality. Ultimately, all these technological advancements lead to more productive and happier users.
The above article is courtesy of Microsoft Press. Copyright 1999, Microsoft Corporation.
We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as -is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages. All prices for products mentioned in this document are subject to change without notice.
International rights = English only.