Cisco Knowledge Suite Cisco SystemsCisco Press

Cutting Edge
Core Reference
Guided Learning
Networking Architecture
Internet Protocols (IP)
Network Protocols
Transport and Application Protocols
Desktop Protocols
Security and Troubleshooting
Network Resources and Management
Integrated Services

ATM Networks and Security

by Dr. Eva Bozoki - May 30, 2000

ATM Networks and Security

1. Introduction


2. ATM Connections


3. ATM Protocol Basics


4. Attacks


5. Security Measures


6. Placement of the User Plane Security Services


7. Secure Call Setup Protocol








About the Author


3. ATM Protocol Basics

3.1. ATM Architecture

The standard OSI reference model consists of seven layers, as shown in the first part of Figure 4. In ATM networks, the ATM layer replaces the physical, data link, and network layers. The second part of Figure 4 illustrates the ATM reference model, showing two end systems and two intermediate systems (ATM switches).

Figure 4

Layers of the standard OSI reference model (a) and the ATM view of protocol stacks with two end nodes and two switches (b)

The ATM switches switch the unit ATM message and the fixed-length ATM cell, so the ATM layer forms an end-to-end layer. The interfaces are user-to-network (UNI) and network-to-network (NNI).

Unlike IP networks, an ATM network is connection-oriented, so it requires establishment of a connection between the two end systems prior to data transfer. The network nodes assign the virtual channels and virtual path through which the cell will travel.

The ATM reference model consists of three main layers and three planes (see Figure 5). The layers are as follows:

  • The ATM adaptation layer (AAL) that converts the native user data (IP, IPX, token ring, voice, and so on) to and from ATM cells. This layer is further divided into sublayers:

    • The convergence sublayer (CS) presents a uniform interface to the higher-level protocols.

    • The segmentation and reassembly (SAR) sublayer breaks down higher-level data units (frames or packets) into ATM cells, and vice versa.

  • The ATM layer performs cell switching, virtual path and virtual connection translation, and cell multiplexing and demultiplexing.

  • PHY is the physical layer that transforms the ATM cell into a bit stream. This layer is further divided into sublayers:

    • The transmission convergence (TC) sublayer transforms the ATM cells into the appropriate transmission frames (and vice versa), performs error control function for the ATM header, and "smooths out" bursty data service.

    • The physical media dependent (PMD) sublayer decouples the dependence on the actual physical medium.

Planes are used to separate the different needs and functions the ATM model has to address:

  • The user plane transfers the data through the network.

  • The control plane sets up connections and performs various signaling tasks.

  • The management plane manages resources and performance of the networks.

Figure 5

The ATM reference model

3.2. ATM Cell Structure

An ATM cell consists of 53 bytes, divided into a 5-byte header and a 48-byte payload. The structure of the (UNI) header is shown in Figure 6. VPI and VCI are the virtual path and virtual channel identifiers. GFC, CLP, PTI, and HEC represent generic flow control, cell loss priority, payload type indicator, and header error control, respectively.

Figure 6

The structure of the (UNI) ATM cell

3.3. Signaling

Signaling is the process by which ATM users and the network exchange the control of information, request the use of network resources, or negotiate for the use of circuit parameters. The VPI-VCI pair and requested bandwidth are allocated as a result of a successful signaling exchange.

The following is a partial list of signals, grouped according to their functions:

  • Call establishment messages:

  • SETUP—Initial signaling message used to establish an ATM connection. This message specifies the parameters of the service, including the called and calling parties and the connection identifiers, in one direction. (CONNECT specifies the identifiers in the opposite direction.)

    CALL PROCEEDING—An optional response after a successful SETUP message. However, if used, it must to be issued within t1 seconds of SETUP.

    CONNECT—A signal issued by the called party to indicate that a connection has been established. It identifies the connection identifiers selected by the network. (This complements the selection of the identifiers by the SETUP signal.)

    CONNECT ACKNOWLEDGE—This signal, issued by the calling party, completes the connection. It must be issued within t2 seconds of SETUP.

  • Call clearing messages:

  • RELEASE—A signal issued after an unsuccessful SETUP.

    RELEASE COMPLETE—A signal issued by either the user or the network to indicate that the originator has released the call reference and virtual channel.

    RESTART—A signal that de-allocates all virtual resources associated with the virtual channel and path.

    RESTART ACKNOWLEDGE—A message sent to acknowledge the receipt of the RESTART message.

  • Point-to-multipoint messages:

  • ADD PARTY—A signal that adds a party to an existing connection.

    ADD PARTY ACKNOWLEDGE—A signal that acknowledges a successful ADD PARTY message.

    ADD PARTY REJECT—A signal that indicates an unsuccessful ADD PARTY message.

    DROP PARTY—A signal that drops a party from an existing point-to-multipoint connection.

    DROP PARTY ACKNOWLEDGE—A signal that acknowledges a successful DROP PARTY message.

3.4. Weaknesses in ATM Signaling

Because there is no caller authentication or proof of identity associated with SETUP, it is subject to masquerading (spoofing) attacks.

An attacker may delay a CALL PROCEEDING signal so that it is received after more than t1 seconds by the party that issued the SETUP signal. This has the effect of denial of service.

An attacker also may delay a CONNECT ACKNOWLEDGE signal so that it is received after more than t2 seconds by the party that issued the CONNECT signal. This also has the effect of denial of service.

No proof of identity is required for RELEASE or RESTART, so both can be a vehicle for denial of service.

An attacker may send an ADD PARTY signal, thereby adding an unauthorized or hostile party.

An attacker may send an ADD PARTY REJECT or a DROP PARTY signal, causing a denial of service attack.


Previous | Next


Breaking News

One of the primary architects of OpenCable, Michael Adams, explains the key concepts of this initiative in his book OpenCable Architecture.

Expert Advice

Ralph Droms, Ph.D., author of The DHCP Handbook and chair of the IETF Dynamic Host Configuration Working Group, guides you to his top picks for reliable DHCP-related information.

Just Published

Residential Broadband, Second Edition
by George Abe

Introduces the topics surrounding high-speed networks to the home. It is written for anyone seeking a broad-based familiarity with the issues of residential broadband (RBB) including product developers, engineers, network designers, business people, professionals in legal and regulatory positions, and industry analysts.


From the Brains at InformIT


Contact Us


Copyright, Terms & Conditions


Privacy Policy


© Copyright 2000 InformIT. All rights reserved.