- Page 1: TCP/IP Tutorial and Technical Overv
- Page 5 and 6: Contents Notices . . . . . . . . .
- Page 7 and 8: 3.6.1 BOOTP forwarding . . . . . .
- Page 9 and 10: 6.5.2 Building and maintaining mult
- Page 11 and 12: 10.5.2 Hotspots . . . . . . . . . .
- Page 13 and 14: 14.2.4 Data modes. . . . . . . . .
- Page 15 and 16: 18.9 Wireless protocols . . . . . .
- Page 17 and 18: 22.5.1 SOCKS Version 5 (SOCKSv5) .
- Page 19 and 20: Notices This information was develo
- Page 21 and 22: Preface The TCP/IP protocol suite h
- Page 23 and 24: Chuck Davis is a Security Architect
- Page 25 and 26: Comments welcome Your comments are
- Page 27 and 28: Part 1 Core TCP/IP protocols Part 1
- Page 29 and 30: Chapter 1. Architecture, history, s
- Page 31 and 32: Figure 1-1 shows two examples of in
- Page 33 and 34: Figure 1-2 shows how the TCP/IP pro
- Page 35 and 36: A more detailed layering model is i
- Page 37 and 38: Bridges, routers, and gateways Ther
- Page 39 and 40: than a bit-per-bit parity function,
- Page 41 and 42: 1.2.2 NSFNET NSFNET, the National S
- Page 43 and 44: activities,” unless covered by th
- Page 45 and 46: ► Catalyze partnerships with gove
- Page 47 and 48: without requiring implementations.
- Page 49 and 50: whether two people are referring to
- Page 51 and 52: The following Internet standards ar
- Page 53 and 54: virtual office environment. Virtual
- Page 55 and 56: Chapter 2. Network interfaces 2 Thi
- Page 57 and 58: Therefore, for all practical purpos
- Page 59 and 60: 2.1.1 Gigabit Ethernet Such impleme
- Page 61 and 62: SLIP is just a very simple protocol
- Page 63 and 64: 2.4.1 Point-to-point encapsulation
- Page 65 and 66: 2.6 X.25 stuffing to bit stuffing c
- Page 67 and 68: 2.7 Frame relay 2.7.1 Frame format
- Page 69 and 70: Figure 2-6 shows the format for a f
- Page 71 and 72: in two different ways: NLPID value,
- Page 73 and 74: 2.10 Asynchronous transfer mode (AT
- Page 75 and 76: Note: The ATMARP server mechanism r
- Page 77 and 78: RFC 2225 also describes extensions
- Page 79 and 80: The Logical IP Subnetwork (LIS) The
- Page 81 and 82: The following figure shows the payl
- Page 83 and 84: Refer to Figure 2-9 for the impleme
- Page 85 and 86: Initialization During initializatio
- Page 87 and 88: The MPOA solution has the following
- Page 89 and 90: ► Default Forwarder Function Grou
- Page 91 and 92: ► RFC 1356 - Multiprotocol Interc
- Page 93 and 94: Chapter 3. Internetworking protocol
- Page 95 and 96: The network number portion of the I
- Page 97 and 98: A Class A address is suitable for n
- Page 99 and 100: The host number part of the IP addr
- Page 101 and 102: Static subnetting example Consider
- Page 103 and 104: 3.1.3 IP routing ► Subnet 4: 30 h
- Page 105 and 106: Figure 3-5 shows an example of dire
- Page 107 and 108: Because D is directly attached to n
- Page 109 and 110: Figure 3-9 illustrates the entire I
- Page 111 and 112: routers. Without this facility, a se
- Page 113 and 114: Another way to look at these number
- Page 115 and 116: The current rules are in RFC 2050,
- Page 117 and 118: As shown in Figure 3-11, Basic NAT
- Page 119 and 120: When the NAT service assigns IP add
- Page 121 and 122: NAT is compute intensive even with
- Page 123 and 124: ► There will be a relatively smal
- Page 125 and 126: IP can provide fragmentation and re
- Page 127 and 128: Where: - 0: Reserved, must be zero.
- Page 129 and 130: Where: - fc (Flag copy): This field
- Page 131 and 132: At the destination host, the data i
- Page 133 and 134: Where: 1001001 (Decimal 137) The va
- Page 135 and 136: 3.2 Internet Control Message Protoc
- Page 137 and 138: Data Contains information for this
- Page 139 and 140: Redirect (5) If this message is rec
- Page 141 and 142: This process also provides a mechan
- Page 143 and 144: Figure 3-38 ICMP: Address Mask Requ
- Page 145 and 146: 3.3 Internet Group Management Proto
- Page 147 and 148: ARP Packet Figure 3-39 ARP:
- Page 149 and 150: 3.4.3 ARP and subnets The ARP proto
- Page 151 and 152: 3.5.1 RARP concept The reverse addr
- Page 153 and 154: - ARP on the server cannot be used
- Page 155 and 156: Vendor-specific area Optional vendo
- Page 157 and 158: regarding BOOTP, refer to 3.6, “Bo
- Page 159 and 160: Hops The client sets this to 0. It
- Page 161 and 162: The DHCP client/server interaction
- Page 163 and 164: 3.7.4 DHCP lease renewal process Th
- Page 165 and 166: 4. The client receives the DHCPACK
- Page 167 and 168: ► RFC 906 - Bootstrap loading usi
- Page 169 and 170: Chapter 4. Transport layer protocol
- Page 171 and 172: 4.1.2 Sockets ► Ephemeral: Some c
- Page 173 and 174: UDP is basically an application int
- Page 175 and 176: 4.2.2 UDP application programming i
- Page 177 and 178: the destination host. The normal cl
- Page 179 and 180: As shown in Figure 4-7, the sender
- Page 181 and 182: The sender's data stream can now be
- Page 183 and 184: SYN Synchronizes the sequence numbe
- Page 185 and 186: Window scale option This option is
- Page 187 and 188: Acknowledgments and retransmissions
- Page 189 and 190: As shown in Figure 4-19, in the net
- Page 191 and 192: 4.3.3 TCP congestion control algori
- Page 193 and 194: Congestion avoidance The assumption
- Page 195 and 196: been lost. TCP then performs a retra
- Page 197 and 198: Chapter 5. Routing protocols 5 This
- Page 199 and 200: 5.1 Autonomous systems The definiti
- Page 201 and 202: 5.2.1 Static routing However, these
- Page 203 and 204: 5.2.3 Link state routing The growth
- Page 205 and 206: A route is defined as a pairing bet
- Page 207 and 208: ► Response packets: A response pa
- Page 209 and 210: ► The associated cost (distance)
- Page 211 and 212: 5.3.5 Convergence and counting to i
- Page 213 and 214: infinity. To minimize this exposure
- Page 215 and 216: 5.3.6 RIP limitations There are a n
- Page 217 and 218: Figure 5-9 illustrates the contents
- Page 219 and 220: 5.5.1 Differences between RIPng and
- Page 221 and 222: RTE. The specified next hop applies
- Page 223 and 224: Subdividing the network provides th
- Page 225 and 226: AS boundary routers (ASBR) This cla
- Page 227 and 228: Figure 5-15 illustrates the relatio
- Page 229 and 230: Figure 5-16 illustrates the differe
- Page 231 and 232: 5.6.2 Neighbor communication OSPF i
- Page 233 and 234: ► Init: Communication with the ne
- Page 235 and 236: The routes describe an end-to-end p
- Page 237 and 238: maintained within the NSSA contain
- Page 239 and 240: ► EIGRP supports the ability to s
- Page 241 and 242: ► Request: These packets are used
- Page 243 and 244: ► Traffic type: BGP defines two t
- Page 245 and 246: EBGP BGP R4 10.0.0.0/8 AS 3 AS 1 IB
- Page 247 and 248: Figure 5-23 shows the flow of these
- Page 249 and 250: 5.9.4 Path selection The withdrawn
- Page 251 and 252: 172.16.1.1 BGP R4 10.0.0.0/8 AS 3 1
- Page 253 and 254: if R3 needs to communicate with a d
- Page 255 and 256: 192.168.0.0/16 192.1.0.0/24 through
- Page 257 and 258: A confederation divides the AS into
- Page 259 and 260: 5.10 Routing protocol selection The
- Page 261 and 262: ► Echo request/reply: A router mu
- Page 263 and 264: Chapter 6. IP multicast 6 In early
- Page 265 and 266: corresponding Ethernet address and
- Page 267 and 268: Even though multicast routers will
- Page 269 and 270: Figure 6-3 illustrates the expanded
- Page 271 and 272: ► Number of Sources (N): This fie
- Page 273 and 274: 6.2.2 IGMP operation - Filter-mode-
- Page 275 and 276: 2. Subset A is currently included.
- Page 277 and 278: Figure 6-6 Multicast delivery tree
- Page 279 and 280: To track the membership of individu
- Page 281 and 282: received. This allows a DVMRP router
- Page 283 and 284: messages from each of the dependent
- Page 285 and 286: 6.6.1 Protocol overview We present
- Page 287 and 288: In this environment, an ASBR in the
- Page 289 and 290: from the delivery tree. The ineffic
- Page 291 and 292: 3. The RP-based delivery tree can r
- Page 293 and 294: Typically, each AS will contain one
- Page 295 and 296: 6.8.2 Border Gateway Multicast Prot
- Page 297 and 298: Figure 6-16 MBONE tunnel metric A m
- Page 299 and 300: ► RFC 2362 - Protocol Independent
- Page 301 and 302: Chapter 7. Mobile IP 7 The increasi
- Page 303 and 304: 7.1.1 Mobile IP operation Mobility
- Page 305 and 306: Where: Type 16. Length (6+[4*N]), w
- Page 307 and 308: ► If the mobile node is using a c
- Page 309 and 310: The mobility agent responds to a re
- Page 311 and 312: 7.2.4 Returning home from an aircra
- Page 313 and 314: Chapter 8. Quality of service With
- Page 315 and 316: For example, a flow might consist o
- Page 317 and 318: Figure 8-1 shows the operation of t
- Page 319 and 320: there are at least as many tokens i
- Page 321 and 322: respect the token bucket rule that o
- Page 323 and 324: To establish a reservation with RSV
- Page 325 and 326: establish the resource reservation
- Page 327 and 328: Figure 8-7 shows the reservation me
- Page 329 and 330: Where: Wildcard-Filter (WF) The Wil
- Page 331 and 332: The RSVP objects that follow the co
- Page 333 and 334: All RSVP messages are built of a va
- Page 335 and 336: Although RSVP can be used to reques
- Page 337 and 338: passes DS-capable networks can rece
- Page 339 and 340: PHBs will be defined in groups. A P
- Page 341 and 342: possibly conditions packets that en
- Page 343 and 344: Figure 8-17 shows an example of rem
- Page 345 and 346: first router in the source domain t
- Page 347 and 348: the transmitted packets and shape t
- Page 349 and 350: information remains statically in t
- Page 351 and 352: Processing of the DS field in the p
- Page 353 and 354: Chapter 9. IP version 6 This chapte
- Page 355 and 356: ► The address space for networks
- Page 357 and 358: Figure 9-2 IP header format Where:
- Page 359 and 360: ► Identification, fragmentation f
- Page 361 and 362: forward. When the Next Header field
- Page 363 and 364: Hop-by-hop header option types You
- Page 365 and 366: 9.2.2 IPv6 addressing Fragment head
- Page 367 and 368: Allocation Prefix (bin) Start of ad
- Page 369 and 370: Subnet ID An identifier of a subnet
- Page 371 and 372: 9.2.3 Traffic class duplicate addre
- Page 373 and 374: 9.2.5 IPv6 security There are two o
- Page 375 and 376: This is a variable-length field tha
- Page 377 and 378: IPv6 packet fragmentation The sourc
- Page 379 and 380: 3 Time (Hop Count) Exceeded 4 Param
- Page 381 and 382: Notice the following important fiel
- Page 383 and 384: Router and prefix discovery Figure
- Page 385 and 386: Destination address This address is
- Page 387 and 388: Each router that receives the solic
- Page 389 and 390: Option 2 (target link layer address
- Page 391 and 392: information. However, plug-and-play
- Page 393 and 394: 9.4 DNS in IPv6 A router periodical
- Page 395 and 396: The proposed format of the data sec
- Page 397 and 398: 9.5 DHCP in IPv6 Although IPv6 intr
- Page 399 and 400: At any traveling location, there ar
- Page 401 and 402: ► The IPv6 Neighbor Unreachabilit
- Page 403 and 404: 9.7.2 New services The basic featur
- Page 405 and 406: ► Network infrastructure and serv
- Page 407 and 408: 9.8.2 Tunneling DNS plays a key rol
- Page 409 and 410: 2. The receiving node's network int
- Page 411 and 412: IPv6/IPv4 Host 4 (2) A Ethernet nxt
- Page 413 and 414: IPv6 Host (1) A Ethernet 6 4 flow l
- Page 415 and 416: 9.9 RFCs relevant to this chapter T
- Page 417 and 418: Chapter 10. Wireless IP 10 In an in
- Page 419 and 420: Fixed versus mobile wireless There
- Page 421 and 422: Line of sight (LOS) and non-line of
- Page 423 and 424: 10.2.4 Security One concern over an
- Page 425 and 426: Security The airborne nature of WiF
- Page 427 and 428: For additional information about th
- Page 429 and 430: until a new path is achieved. This
- Page 431 and 432: Part 2 TCP/IP application protocols
- Page 433 and 434: Chapter 11. Application structure a
- Page 435 and 436: Figure 11-1 The client/server model
- Page 437 and 438: ► Listen on a socket for inbound
- Page 439 and 440: ► Send and receive data on a sock
- Page 441 and 442: The connectionless scenario is simp
- Page 443 and 444: ► User authentication might be ne
- Page 445 and 446: Figure 11-4 RPC using portmap RPCGE
- Page 447 and 448: The interaction between a subagent
- Page 449 and 450: However, currently there is no stan
- Page 451 and 452: Chapter 12. Directory and naming pr
- Page 453 and 454: Pentagon mil Domain names are forme
- Page 455 and 456: These names are registered with and
- Page 457 and 458: names within the zone are administe
- Page 459 and 460: Domain name full resolver Figure 12
- Page 461 and 462: authority, it returns all of the re
- Page 463 and 464: The following figure shows the gene
- Page 465 and 466: Type Value Meaning RFC def NSAP-PTR
- Page 467 and 468: Other values are reserved for futur
- Page 469 and 470: For example, the domain name mydiv.
- Page 471 and 472: dnsname The name or IP address to b
- Page 473 and 474: The zone data for the name server a
- Page 475 and 476: 12.1.12 Extended scenario Consider
- Page 477 and 478: Dynamic DNS (DDNS) The Dynamic Doma
- Page 479 and 480: -p port Specifies that dig should s
- Page 481 and 482: Figure 12-13 DDNS UPDATE message fo
- Page 483 and 484: Each list difference sequences is p
- Page 485 and 486: Note that the speed of a network de
- Page 487 and 488: RFC number Content 4519 Schema for
- Page 489 and 490: point of view, any server that impl
- Page 491 and 492: In addition to defining what data c
- Page 493 and 494: The naming model The LDAP naming mo
- Page 495 and 496: together in some way in order to fo
- Page 497 and 498: 12.4.5 LDAP security Time Limit The
- Page 499 and 500: “Internet Message Access Protocol
- Page 501 and 502: 12.4.7 LDAP and DCE Additionally, s
- Page 503 and 504: needed by clients that want to cont
- Page 505 and 506: ► RFC 1480 - The US Domain (June
- Page 507 and 508: ► RFC 4527 - Lightweight Director
- Page 509 and 510: Chapter 13. Remote execution and di
- Page 511 and 512: ► A symmetric view of terminals a
- Page 513 and 514: 13.1.3 Telnet options Command ASCII
- Page 515 and 516: Number Name State RFC STD 41 Telnet
- Page 517 and 518: Command Code Comments WILL 251 Show
- Page 519 and 520: A TN3270 server must support these
- Page 521 and 522: Because the 3278 and 3287 are commo
- Page 523 and 524: DCE is the result of work from the
- Page 525 and 526: Replicas are stored in a clearingho
- Page 527 and 528: The DCE security service ensures se
- Page 529 and 530: The login and authentication proces
- Page 531 and 532: 13.3.3 DCE threads are then decrypt
- Page 533 and 534: An application written using DCE RP
- Page 535 and 536: The default for time servers is the
- Page 537 and 538: Or, in DNS format: /.../itsc.ibm.co
- Page 539 and 540: Chapter 14. File-related protocols
- Page 541 and 542: The client FTP application is built
- Page 543 and 544: ls Lists the contents of the remote
- Page 545 and 546: An example of an FTP scenario A LAN
- Page 547 and 548: 14.1.4 The passive data transfer Co
- Page 549 and 550: 14.1.6 Reply codes FTP client Firew
- Page 551 and 552: For each user command, shown as thi
- Page 553 and 554: same IP address on which the contro
- Page 555 and 556: Figure 14-6 shows an example of a c
- Page 557 and 558: For a full list of these commands,
- Page 559 and 560: 14.2.6 Security issues multicast op
- Page 561 and 562: 14.3.2 SFTP syntax and usage SFTP a
- Page 563 and 564: File manipulation The following com
- Page 565 and 566: ► The NFS protocol performs the f
- Page 567 and 568: To better understand the MOUNT comm
- Page 569 and 570: job to synchronize the writers and
- Page 571 and 572: ► Compound commands for performan
- Page 573 and 574: ► Replication Replication techniq
- Page 575 and 576: If the client workstation initiatin
- Page 577 and 578: Dialects Another characteristic of
- Page 579 and 580: ► RFC 1123 - Requirements for Int
- Page 581 and 582: Chapter 15. Mail applications Elect
- Page 583 and 584: RFC 2821 dictates that data sent th
- Page 585 and 586: 15.1.1 How SMTP works SMTP is based
- Page 587 and 588: address” on page 559. You can see
- Page 589 and 590: 4. The second step of the actual ma
- Page 591 and 592: An additional example In the follow
- Page 593 and 594: capable. As IPv6 becomes more perva
- Page 595 and 596: Figure 15-4 provides a diagram of h
- Page 597 and 598: For additional information, refer t
- Page 599 and 600: The MIME standard was designed with
- Page 601 and 602: As with RFC 2822 headers, the case
- Page 603 and 604: and two hyphens (for compatibility
- Page 605 and 606: because mail server syntaxes vary wi
- Page 607 and 608: ► Application This type is intend
- Page 609 and 610: We describe these in the sections t
- Page 611 and 612: characters that are known to be mai
- Page 613 and 614: sequence. (For example, when decodi
- Page 615 and 616: An encoded word can be used in the
- Page 617 and 618: - NOOP: Do nothing. The server retu
- Page 619 and 620: Logout state In this state, the con
- Page 621 and 622: ► In the authenticated state: - S
- Page 623 and 624: PREAUTH This response is one of thr
- Page 625 and 626: 15.6 RFCs relevant to this chapter
- Page 627 and 628: Chapter 16. The Web 16 This chapter
- Page 629 and 630: 16.1 Web browsers Generally, a brow
- Page 631 and 632: 16.3 Hypertext Transfer Protocol (H
- Page 633 and 634: Request User Agent Origin Server Fi
- Page 635 and 636: ► HTTP URL The HTTP URL scheme en
- Page 637 and 638: Method definitions Currently define
- Page 639 and 640: - 413 Request Entity Too Large - 41
- Page 641 and 642: 16.4 Content 16.4.1 Static content
- Page 643 and 644: JavaScript JavaScript is an HTML ex
- Page 645 and 646: JavaBeans can only be manipulated a
- Page 647 and 648: ► Session EJBs They encapsulate e
- Page 649 and 650: Chapter 17. Network management With
- Page 651 and 652: 17.1.1 The Management Information B
- Page 653 and 654: These fields are defined as follows
- Page 655 and 656: - 2 for CCITT - 3 for the joint ISO
- Page 657 and 658: agent is typically responsible for
- Page 659 and 660: 17.1.5 The SNMP model The interacti
- Page 661 and 662: Request ID Serializes request/respo
- Page 663 and 664: SNMP Manager walk ifType ifMtu.1=d
- Page 665 and 666: 17.1.7 SNMP versions linkUpEvent No
- Page 667 and 668: ► Administrative framework Defini
- Page 669 and 670: Assume the following ARP table in a
- Page 671 and 672: Figure 17-7 The SNMPv2 message form
- Page 673 and 674: by adding the new SNMPv3 message mod
- Page 675 and 676: 17.2.1 Common NETSTAT options Commo
- Page 677 and 678: Again, the columns above are define
- Page 679 and 680: ► RFC 3416 - Version 2 of the Pro
- Page 681 and 682: Chapter 18. Wireless Application Pr
- Page 683 and 684: 18.1 The WAP environment Wireless d
- Page 685 and 686: Feature and performance-enhancing p
- Page 687 and 688: Components of the WAP architecture
- Page 689 and 690: Other services and applications The
- Page 691 and 692: This kind of transaction, where the
- Page 693 and 694: 18.6.3 Push access control protocol
- Page 695 and 696: 18.6.7 Security In a trusted enviro
- Page 697 and 698: power and for lower bandwidth usage
- Page 699 and 700: WAP Terminal WAE WSP WTP WDP Bearer
- Page 701 and 702: The split-TCP approach The split-TC
- Page 703 and 704: The profiling of TCP for WP-TCP sou
- Page 705 and 706: WCMP message structure The message
- Page 707 and 708: 4. The initiator sends back an ackn
- Page 709 and 710: content between the client and serv
- Page 711 and 712: RESUME The session was resumed whil
- Page 713 and 714: WSP connection-mode Connection-mode
- Page 715 and 716: ► S-MethodResult This service pri
- Page 717 and 718: S-PushAbort Rejects a push operatio
- Page 719 and 720: Normal session suspend and resume F
- Page 721 and 722: ► Server address ► Server port
- Page 723 and 724: protection. For Web applications th
- Page 725 and 726: ► SEC-Exchange: Performs public k
- Page 727 and 728: architecture still allows proxies t
- Page 729 and 730: ► RFC 1122 - Requirements for Int
- Page 731 and 732: ► WAP-219_100-TLS-20011029-a - WA
- Page 733 and 734: Chapter 19. Presence over IP This c
- Page 735 and 736: Subscriber A form of watcher that h
- Page 737 and 738: The presence service has two distin
- Page 739 and 740: As illustrated in Figure 19-5 The c
- Page 741 and 742: ► deviceID: Indicates that this d
- Page 743 and 744: XMPP server An XMPP server acts as
- Page 745 and 746: ► RFC 3859 - Common Profile for P
- Page 747 and 748: Part 3 Advanced concepts and new te
- Page 749 and 750: Chapter 20. Voice over Internet Pro
- Page 751 and 752: large-scale data networks, expectin
- Page 753 and 754: Call Agent The Call Agent serves se
- Page 755 and 756: technology is ideal for Internet vi
- Page 757 and 758: Users capabilities Used for feature
- Page 759 and 760: SIP 4xx Client failure responses (f
- Page 761 and 762: SIP protocol stack Figure 20-3 depi
- Page 763 and 764: 20.3.1 MGCP architecture An alterna
- Page 765 and 766: Terminations Terminations represent
- Page 767 and 768: Multipoint control units (MCUs) A m
- Page 769 and 770: Transport and Quality RTP/RTCP RSVP
- Page 771 and 772: Chapter 21. Internet Protocol Telev
- Page 773 and 774: ► The IP packets flow through a c
- Page 775 and 776: Real-Time Control Protocol, and Str
- Page 777 and 778: ► Encryption Content providers wa
- Page 779 and 780: ► QoS technologies including RSVP
- Page 781 and 782: session announcement, session invit
- Page 783 and 784: Consider an application using both
- Page 785 and 786: Sequence number The sequence number
- Page 787 and 788: Sequence numbering Sequence numbers
- Page 789 and 790: network provider can then act as a
- Page 791 and 792: The format of the sender report is
- Page 793 and 794: Delay since last SR (DLSR) Contains
- Page 795 and 796: 21.3.7 H.261 Due to its historical
- Page 797 and 798: Chapter 22. TCP/IP security 22 This
- Page 799 and 800: these solutions only solve a single
- Page 801 and 802: Figure 22-1 illustrates where these
- Page 803 and 804: Remote access servers should provid
- Page 805 and 806: Authentication, integrity, and non-
- Page 807 and 808: corresponding public key. Therefore
- Page 809 and 810: Another public key algorithm, the v
- Page 811 and 812: 2. Alice generates a large random n
- Page 813 and 814: See Figure 22-6 for an illustration
- Page 815 and 816: HMAC-MD5-96 and HMAC-SHA-1-96 A str
- Page 817 and 818: 6. The sender signs the message as
- Page 819 and 820: explicit initialization vector and
- Page 821 and 822: 22.3.1 Firewall concept A firewall
- Page 823 and 824: Packet-filtering router Most of the
- Page 825 and 826: network security policy. Therefore,
- Page 827 and 828: example, when using FTP and Telnet
- Page 829 and 830: A much more firewall-friendly mode
- Page 831 and 832: SOCKS-enabled client program Figure
- Page 833 and 834: Internal DNS and mail server Secure
- Page 835 and 836: demilitarized zone (DMZ) between th
- Page 837 and 838: An SA can be in either of two modes
- Page 839 and 840: 22.4.2 Authentication Header (AH) A
- Page 841 and 842: Sequence number This 32-bit field i
- Page 843 and 844: Gateways often also support transpo
- Page 845 and 846: Authenticated IP Hdr ESP Payload ES
- Page 847 and 848: ESP in transport mode In this mode,
- Page 849 and 850: well? There is no official answer t
- Page 851 and 852: Case 1: End-to-end security As show
- Page 853 and 854: Note: ESP authentication data was n
- Page 855 and 856: Case 4: Remote access This case, sh
- Page 857 and 858: ► Perfect Forward Secrecy (PFS):
- Page 859 and 860: A detailed description of the phase
- Page 861 and 862: Proposal Payload Host-B's Proposal
- Page 863 and 864: - For authentication with public ke
- Page 865 and 866: IKE phase 1, message 6 After receiv
- Page 867 and 868: IKE phase 2, message 1 Message 1 of
- Page 869 and 870: KE This is the key exchange payload
- Page 871 and 872: When Host-B receives this message a
- Page 873 and 874: Secure net Figure 22-42 SOCKS serve
- Page 875 and 876: Client host SOCKS host Client Ident
- Page 877 and 878: Where: VER Socks protocol version.
- Page 879 and 880: Where: RSV Reserved for future use.
- Page 881 and 882: Figure 22-49 SSL: Comparison of sta
- Page 883 and 884: When either party sends a change Ci
- Page 885 and 886: - Time information (the current tim
- Page 887 and 888: can be used in software exported ou
- Page 889 and 890: Corporate Intranet VPN Figure 22-51
- Page 891 and 892: 22.11.1 Assumptions 22.11.2 Naming
- Page 893 and 894: Figure 22-52 shows the authenticati
- Page 895 and 896: 4. TGS → client The ticket-granti
- Page 897 and 898: The entity responsible for managing
- Page 899 and 900: Accounting This is typically the th
- Page 901 and 902: EAP typically runs over the link la
- Page 903 and 904: 22.14.2 Protocol overview Because t
- Page 905 and 906: Data L2 Net L2TP Code Figure 22-55
- Page 907 and 908: The certificate authority SET proce
- Page 909 and 910: 5. Capture Up to this point, no mon
- Page 911 and 912: request application on the browser,
- Page 913 and 914: ► RFC 3852 - Cryptographic Messag
- Page 915 and 916: 23 Chapter 23. Port based network a
- Page 917 and 918: Supplicant An entity at one end of
- Page 919 and 920: permits only the exchange of authen
- Page 921 and 922: EAP is defined in RFC 3478. EAP has
- Page 923 and 924: 3. The authentication server sends
- Page 925 and 926: response, success, and failure packe
- Page 927 and 928: Figure 23-13 shows the EAP Request/
- Page 929 and 930: Figure 23-18 shows the EAPOL-Start
- Page 931 and 932: Edge authentication The IEEE 802.1x
- Page 933 and 934: Chapter 24. Availability, scalabili
- Page 935 and 936: 24.1 Availability 24.2 Scalability
- Page 937 and 938: The clustering technique dispatches
- Page 939 and 940: completely isolated from each other
- Page 941 and 942: gateway. However, this creates a si
- Page 943 and 944: A virtual router is defined by its
- Page 945 and 946: Figure 24-4 on page 918 shows a con
- Page 947 and 948: IP address(es) One or more IP addre
- Page 949 and 950: 24.8.2 Encapsulation As shown in Fi
- Page 951 and 952: Appendix A. Multiprotocol Label Swi
- Page 953 and 954: A.1.2 Benefits table. This comparis
- Page 955 and 956: A.1.3 Terminology The following sec
- Page 957 and 958: Next hop label forwarding entry (NH
- Page 959 and 960: stack. Using this information, the
- Page 961 and 962: For example, a network might contai
- Page 963 and 964: ► The IGP maintains a host route
- Page 965 and 966: A.2.6 Stream merge Label distributi
- Page 967 and 968: A.4 Generalized Multiprotocol Label
- Page 969 and 970: In a GMPLS environment, it is possi
- Page 971 and 972: fast keepalive mechanism between th
- Page 973 and 974: ► Before sending Hello messages,
- Page 975 and 976: A.4.6 GMPLS considerations Because
- Page 977 and 978: ► The UNI specifies a way for a c
- Page 979 and 980: Abbreviations and acronyms AAA Auth
- Page 981 and 982: IMAP Internet Message Access Protoc
- Page 983 and 984: RARP Reverse Address Resolution Pro
- Page 985 and 986: Related publications IBM Redbooks T
- Page 987 and 988: ► Information about the most curr
- Page 989 and 990: Index A A5 algorithm 780 AAA securi
- Page 991 and 992: Domain of Interpretation (DOI) 833-
- Page 993 and 994: Parameter Problem 115 Path MTU Disc
- Page 995 and 996: Message 3 835, 844 Message 4 836 Me
- Page 997 and 998: PGP 780 physical layer 62 Ping 117
- Page 999 and 1000: header format 758 S SA bundle 811,