The LECS retains a short-term memory of all client assignments so that it can
alternately direct an LE client to a primary and backup LES. This simple heuristic
makes the correct assignment in the nominal case of no failure and is
self-correcting. At worst, the heuristic causes the LE client to repeat the
configuration phase of joining an ELAN.
LECS robustness can be achieved by establishing duplicate LECSs on multiple
platforms and including their ATM addresses in the ILMI database. LE clients will
then connect to the backup LECS if the primary is unavailable. could be on MSS
Server 1, while
LAN Emulation Security
Traditional LANs offer security in the sense that a physical connection implies that
two stations are on the same LAN. Because multiple emulated LANs can exist on a
single ATM network, stations that are not on the ELAN can be physically connected
to stations that are on the ELAN. This situation presents a security risk in that
unauthorized stations can connect to the LES and attempt to use its services.
To control ELAN membership, an MSS LES can be configured to validate
LE_JOIN_REQUESTs with the LECS. In this mode the LES forms an
LE_CONFIGURE_REQUEST on behalf of the LE client using information from the
LE_JOIN_REQUEST. These LE_CONFIGURE_REQUESTs include the source LAN
destination, source ATM address, ELAN type, max frame size, and ELAN name
from the LE_JOIN_REQUEST, along with an IBM Security TLV. The security
requests are transmitted to the LECS by a multiplexing component called the LECS
interface, and the LECS must validate the requests using its ELAN assignment
database before LE clients are allowed to join the ELAN.
A LECS interface is associated with an ATM interface, and all LESs configured on
the ATM interface use the same LECS interface. The LECS interface conserves
VCC resources by multiplexing security requests from multiple LESs onto a single
VCC to the LECS. The LECS interface locates the LECS dynamically using the
ILMI and well-known LECS address mechanisms. After the VCC to the LECS is
established, the LECS interface issues a local query to determine whether the
LECS is located on the same router. If the LECS is located on the same router, a
local interface is used to confirm requests to join without transmitting requests onto
the ATM network.
With the LECS interface, the router may ensure that an LE Client joins an ELAN
only if the LECS approves of the join. This shifts the security burden from the LES
to the LECS. Unfortunately, the LECS is also non-secure. The LECS accepts
connections and queries from any station without verification. An intruder station
may connect to the LECS and repeatedly query it for various configurations. The
intruder may also pose as some other station and download another station’s
configuration.
LECS Access Controls permit the user to configure a list of ATM address prefixes
which are not allowed access to the LECS configuration database. All LECS
connection attempts and LE_CONFIGURE_REQUESTs from matching ATM
addresses are automatically rejected. When used in conjunction with the LECS
interface, a secure LANE environment is provided.
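The two checks described above (the LES validating a join with the LECS, and the LECS rejecting denied ATM address prefixes before consulting its ELAN assignment database) are modeled in this added example, which is not IBM's code. The class and function names, result strings, addresses and ELAN names are assumptions, and the IBM Security TLV is left out because its contents are not described here.

```python
# Simplified model of LES join validation plus LECS access controls. Names, result
# strings, addresses and ELAN names are constructed; this is not the MSS implementation.
from typing import NamedTuple

class JoinRequest(NamedTuple):   # fields the LES copies into its configure request
    lan_destination: str
    atm_address: str             # 20-byte ATM address written as 40 hex digits
    elan_type: str
    max_frame_size: int
    elan_name: str

def normalize(atm):
    """Reduce to lower-case hex digits so prefix matching ignores punctuation."""
    digits = atm.replace(".", "").replace(" ", "").lower()
    if not digits or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a hex ATM address or prefix")
    return digits

class Lecs:
    def __init__(self, denied_prefixes, assignments):
        self.denied = [normalize(p) for p in denied_prefixes]
        # ELAN assignment database: ATM address -> (name, type, max frame size)
        self.assignments = {normalize(a): v for a, v in assignments.items()}

    def validate(self, req):
        try:
            addr = normalize(req.atm_address)
        except ValueError:
            return "reject: malformed address"
        if len(addr) != 40:
            return "reject: malformed address"
        if any(addr.startswith(p) for p in self.denied):   # access controls first
            return "reject: access control"
        if self.assignments.get(addr) != (req.elan_name, req.elan_type, req.max_frame_size):
            return "reject: not assigned to this ELAN"
        return "accept"

def les_admits(lecs, join):
    """LES in validation mode: the join succeeds only if the LECS approves."""
    return lecs.validate(join) == "accept"

# Constructed sample data: two network prefixes, three stations.
NET_OK, NET_DENIED = "399999" + "0" * 16 + "aa01", "399999" + "0" * 16 + "bb02"
A, B, C = NET_OK + "40000000000100", NET_OK + "40000000000200", NET_DENIED + "40000000000300"
SALES, ENG = ("SALES", "ethernet", 1516), ("ENG", "ethernet", 1516)
LECS = Lecs([NET_DENIED], {A: SALES, B: ENG, C: SALES})
def join(atm, elan="SALES"):
    return JoinRequest("400000000001", atm, "ethernet", 1516, elan)
```

Station C has a database entry for SALES but is still rejected, because the denied prefix is checked before the assignment lookup.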
To maximize the security of an ELAN, the following steps are recommended:
Overview of LAN Emulation