TCP/IP Tutorial and Technical Overview - IBM Redbooks

More documents

Recommendations

Info

Before describing the details of the key exchange and update messages, some explanations are necessary: ► Internet Security Association and Key Management Protocol (ISAKMP) A framework that defines the management of Security Associations (negotiate, modify, delete) and keys, and it also defines the payloads for exchanging key generation and authentication data. ISAKMP itself does not define any key exchange protocols, and the framework it provides can be applied to security mechanisms in the network, transport, or application layer, and also to itself. ► Oakley A key exchange protocol that can be used with the ISAKMP framework to exchange and update keying material for Security Associations. ► Domain of Interpretation (DOI) Definition of a set of protocols to be used with the ISAKMP framework for a particular environment; also a set of common definitions shared with those protocols regarding the syntax of SA attributes and payload contents, namespace of cryptographic transforms, and so on. In relation to IPSec, the DOI instantiates ISAKMP for use with IP. ► Internet Key Exchange (IKE) A protocol that uses parts of ISAKMP and parts of the Oakley and SKEME key exchange protocols to provide management of keys and Security Associations for the IPSec AH and ESP protocols and for ISAKMP itself. Protocol overview ISAKMP requires that all information exchanges must be both encrypted and authenticated, so that no one can eavesdrop on the keying material. The keying material will be exchanged only among authenticated parties. This is required because the ISAKMP procedures deal with initializing the keys, so they must be capable of running over links where no security can be assumed to exist. In addition, the ISAKMP methods have been designed with the explicit goals of providing protection against several well-known exposures: ► Denial of service: The messages are constructed with unique cookies that can be used to quickly identify and reject invalid messages without the need to execute processor-intensive cryptographic operations. ► Man-in-the-middle: Protection is provided against the common attacks such as deletion of messages, modification of messages, reflecting messages back to the sender, replaying of old messages, and redirection of messages to unintended recipients. 830 TCP/IP Tutorial and Technical Overview
► Perfect Forward Secrecy (PFS): Compromise of past keys provides no useful clues for breaking any other key, whether it occurred before or after the compromised key. That is, each refreshed key will be derived without any dependence on predecessor keys. The following authentication methods are defined for IKE: ► Pre-shared key ► Digital signatures (DSS and RSA) ► Public key encryption (RSA and revised RSA) The robustness of any cryptography-based solution depends much more strongly on keeping the keys secret than it does on the actual details of the chosen cryptographic algorithms. Therefore, the IETF IPSec Working Group has prescribed a set of extremely robust Oakley exchange protocols. It uses a two-phase approach. Phase 1 This set of negotiations establishes a master secret from which all cryptographic keys will be derived for protecting the users' data traffic. In the most general case, public key cryptography is used to establish an ISAKMP Security Association between systems and to establish the keys that will be used to protect the ISAKMP messages that will flow in the subsequent phase 2 negotiations. Phase 1 is concerned only with establishing the protection suite for the ISAKMP messages themselves, but it does not establish any Security Associations or keys for protecting user data. In phase 1, the cryptographic operations are the most processor-intensive, but need only be done infrequently, and a single phase 1 exchange can be used to support multiple subsequent phase 2 exchanges. As a guideline, phase 1 negotiations are executed once a day or maybe once a week, while phase 2 negotiations are executed once every few minutes. Phase 2 Phase 2 exchanges are less complex, because they are used only after the security protection suite negotiated in phase 1 has been activated. A set of communicating systems negotiate the Security Associations and keys that will protect user data exchanges. Phase 2 ISAKMP messages are protected by the ISAKMP Security Association generated in phase 1. Phase 2 negotiations generally occur more frequently than phase 1. For example, a typical application of a phase 2 negotiation is to refresh the cryptographic keys once every two to three minutes. Chapter 22. TCP/IP security 831
Page 1:
TCP/IP Tutorial and Technical Overv
Page 4 and 5:
Note: Before using this information
Page 6 and 7:
2.7 Frame relay . . . . . . . . . .
Page 8 and 9:
5.4.2 RIP-2 limitations . . . . . .
Page 10 and 11:
8.4 RFCs relevant to this chapter .
Page 12 and 13:
12.4.7 LDAP and DCE . . . . . . . .
Page 14 and 15:
16.1 Web browsers . . . . . . . . .
Page 16 and 17:
21.1 IPTV overview . . . . . . . .
Page 18 and 19:
24.6.1 Introduction . . . . . . . .
Page 20 and 21:
Trademarks The following terms are
Page 22 and 23:
► TCP/IP and System p: http://www
Page 24 and 25:
Thanks to the following people for
Page 26 and 27:
xxiv TCP/IP Tutorial and Technical
Page 28 and 29:
Finally, other standard protocols e
Page 30 and 31:
1.1 TCP/IP architectural model 1.1.
Page 32 and 33:
To be able to identify a host withi
Page 34 and 35:
est-effort service. As a result, ap
Page 36 and 37:
The client/server model TCP is a pe
Page 38 and 39:
Gateway Interconnects networks at h
Page 40 and 41:
1.2.1 ARPANET the last release of t
Page 42 and 43:
Integrated Digital Network Exchange
Page 44 and 45:
1.2.4 Internet2 coordination. RIPE
Page 46 and 47:
1.2.5 The Open Systems Interconnect
Page 48 and 49:
The process of standardization is s
Page 50 and 51:
Protocol status can be any of the f
Page 52 and 53:
1.4 Future of the Internet Trying t
Page 54 and 55:
28 TCP/IP Tutorial and Technical Ov
Page 56 and 57:
2.1 Ethernet and IEEE 802 local are
Page 58 and 59:
► Introduced in 1985, RFC 948 - T
Page 60 and 61:
The mapping of 32-bit Internet addr
Page 62 and 63:
There are a large number of propose
Page 64 and 65:
2.5 Integrated Services Digital Net
Page 66 and 67:
► The value hex 81 (binary 100000
Page 68 and 69:
process the incoming packet (refer
Page 70 and 71:
frame size, retransmission timer, a
Page 72 and 73:
2.8.1 Physical layer PPP presents a
Page 74 and 75:
Basic InATMARP operates essentially
Page 76 and 77:
The client handles the table update
Page 78 and 79:
Page 80 and 81:
To be exact, the TCP/IP PDU is enca
Page 82 and 83:
The address resolution in an ATM ne
Page 84 and 85:
LANs. Each separate LE layer needs
Page 86 and 87:
services of a classic LAN; thus, th
Page 88 and 89:
2.11.3 MPOA functional components T
Page 90 and 91:
Destination resolution The action o
Page 92 and 93:
Page 94 and 95:
3.1 Internet Protocol (IP) 3.1.1 IP
Page 96 and 97:
There are five classes of IP addres
Page 98 and 99:
3.1.2 IP subnets Special use IP add
Page 100 and 101:
Therefore, it is normal to use a co
Page 102 and 103:
Because of the all bits 0 and all b
Page 104 and 105:
► Hosts or networks for which the
Page 106 and 107:
► The default route that contains
Page 108 and 109:
To differentiate between subnets, t
Page 110 and 111:
3.1.4 Methods of delivery: Unicast,
Page 112 and 113:
Anycasting Sometimes, the same IP s
Page 114 and 115:
212.0.0 - 213.255.255 RIPE NCC 214.
Page 116 and 117:
Originally, NAT was suggested as a
Page 118 and 119:
packet, the destination address is
Page 120 and 121:
As shown in Figure 3-14, Network Ad
Page 122 and 123:
class of the network number (thus t
Page 124 and 125:
3.1.9 IP datagram Therefore, a larg
Page 126 and 127:
► Service Type: The service type
Page 128 and 129:
► Destination IP Address: The 32-
Page 130 and 131:
Fragmentation When an IP datagram t
Page 132 and 133:
Pointer This field points to the op
Page 134 and 135:
► Because IP routers are not requ
Page 136 and 137:
3.2.1 ICMP messages ICMP messages a
Page 138 and 139:
5 Source route failed 6 Destination
Page 140 and 141:
Figure 3-34 ICMP: Router Solicitati
Page 142 and 143:
Timestamp Request (13) and Timestam
Page 144 and 145:
Record routes Record the route per
Page 146 and 147:
An exception to the rule is the asy
Page 148 and 149:
ARP packet reception When a host re
Page 150 and 151:
different physical device, it will
Page 152 and 153:
BOOTP is a draft standard protocol.
Page 154 and 155:
Length Hardware address length in b
Page 156 and 157:
3. The value of the hops field is i
Page 158 and 159:
3.7.1 The DHCP message format The f
Page 160 and 161:
Options The first four bytes of the
Page 162 and 163:
3. The client receives one or more
Page 164 and 165:
Figure 3-46 shows the DHCP process
Page 166 and 167:
administration workload and removes
Page 168 and 169:
► RFC 2474 - Definition of the Di
Page 170 and 171:
4.1 Ports and sockets 4.1.1 Ports T
Page 172 and 173:
► An association is the 5-tuple t
Page 174 and 175:
The UDP datagram has an 8-byte head
Page 176 and 177:
4.3.1 TCP concept Communication, or
Page 178 and 179:
The window principle A simple trans
Page 180 and 181:
Imagine some special cases: ► Pac
Page 182 and 183:
TCP segment format Figure 4-10 show
Page 184 and 185:
158 TCP/IP Tutorial and Technical O
Page 186 and 187:
SACK option Selective Acknowledgmen
Page 188 and 189:
A problem now arises, because the s
Page 190 and 191:
► TIME-WAIT: FINs have been recei
Page 192 and 193:
sender, while the advertised window
Page 194 and 195:
most one segment each round-trip ti
Page 196 and 197:
2. Each time another duplicate ACK
Page 198 and 199:
Figure 5-1 shows an environment whe
Page 200 and 201:
Figure 5-2 on page 173 depicts the
Page 202 and 203:
► To provide more efficient resou
Page 204 and 205:
Figure 5-3 Shortest-Path First (SPF
Page 206 and 207:
5.2.5 Hybrid routing ► Unless the
Page 208 and 209:
The RIP packet format is shown in F
Page 210 and 211:
Figure 5-5 illustrates the distance
Page 212 and 213:
can be considerable. Figure 5-7 ill
Page 214 and 215:
The limitation to this rule is that
Page 216 and 217:
► Support for multicasting: RIP-2
Page 218 and 219:
5.4.2 RIP-2 limitations Authenticat
Page 220 and 221:
The use of the command field and th
Page 222 and 223:
5.6 Open Shortest Path First (OSPF)
Page 224 and 225:
Intra-area, area border, and AS bou
Page 226 and 227:
► Hello and dead intervals: The r
Page 228 and 229:
neighbors. This store and forward a
Page 230 and 231:
All OSPF packets share the common h
Page 232 and 233:
Step 1: Database exchange process T
Page 234 and 235:
Area 1 Area 0 Figure 5-18 OSPF virt
Page 236 and 237:
In this example, the ASBR is redist
Page 238 and 239:
In this figure, the ASBR is adverti
Page 240 and 241:
EIGRP processes the information in
Page 242 and 243:
5.9.1 BGP concepts and terminology
Page 244 and 245:
► Routes and paths: A route assoc
Page 246 and 247:
► Full mesh of BGP sessions withi
Page 248 and 249:
RFC 4271 recommends a 90 second hol
Page 250 and 251:
Each path attribute is placed into
Page 252 and 253:
► LOCAL_PREF (local preference):
Page 254 and 255:
5.9.6 BGP aggregation ► Redistrib
Page 256 and 257:
ecause AS 2 does not know this aggr
Page 258 and 259:
Figure 5-29 also illustrates the in
Page 260 and 261:
► Ease of implementation: Distanc
Page 262 and 263:
Page 264 and 265:
6.1 Multicast addressing Multicast
Page 266 and 267:
address. In this situation, multica
Page 268 and 269:
The fields in the IGMP message cont
Page 270 and 271:
Page 272 and 273:
In Figure 6-4 on page 245, the Type
Page 274 and 275:
To join a group, the host sends an
Page 276 and 277:
amount of processing involved in re
Page 278 and 279:
6.4 Multicast forwarding algorithms
Page 280 and 281:
The disadvantage to the center-base
Page 282 and 283:
When the routers exchange their rou
Page 284 and 285:
6.5.3 DVMRP tunnels Some IP routers
Page 286 and 287:
6.6.2 MOSPF and multiple OSPF areas
Page 288 and 289:
6.7.1 PIM dense mode The PIM-DM pro
Page 290 and 291:
Building the PIM-SM multicast deliv
Page 292 and 293:
RP selection An RP is selected as p
Page 294 and 295:
See Figure 6-14 for an overview of
Page 296 and 297:
6.9.1 MBONE routing MBONE will most
Page 298 and 299:
of multicast systems has accelerate
Page 300 and 301:
Page 302 and 303:
7.1 Mobile IP overview Mobile IP en
Page 304 and 305:
Figure 7-1 shows a mobile IP operat
Page 306 and 307:
The prefix lengths extension can fo
Page 308 and 309:
D Decapsulation by mobile node. The
Page 310 and 311:
7.2.1 Tunneling The home agent exam
Page 312 and 313:
When a mobile node moves from its h
Page 314 and 315:
8.1 Why QoS? In the Internet and in
Page 316 and 317:
Page 318 and 319:
8.2.1 Service classes The Integrate
Page 320 and 321:
a specific bandwidth, a maximum pac
Page 322 and 323:
obeying a token bucket (r,b) and be
Page 324 and 325:
If the path message reaches the fir
Page 326 and 327:
Figure 8-6 shows the reservation pr
Page 328 and 329:
Path and reservation states can als
Page 330 and 331:
RSVP message format An RSVP message
Page 332 and 333:
Style The Style object defines the
Page 334 and 335:
The RSVP Resv messages looks simila
Page 336 and 337:
Integrated Services, described in 8
Page 338 and 339:
different priorities, the DS field
Page 340 and 341:
Figure 8-15 shows the use of bounda
Page 342 and 343:
The traffic conditioner is mainly u
Page 344 and 345:
Figure 8-18 shows the traffic condi
Page 346 and 347:
Intserv model end-to-end across a n
Page 348 and 349:
2. HostA generates a RSVP PATH mess
Page 350 and 351:
Figure 8-21 shows the cooperation o
Page 352 and 353:
► RFC 2212 - Specification of Gua
Page 354 and 355:
9.1 IPv6 introduction 9.1.1 IP grow
Page 356 and 357:
Eventually, the specification for I
Page 358 and 359:
Page 360 and 361:
vers Figure 9-3 IPv6 packet contain
Page 362 and 363:
Where: Type The type of the option.
Page 364 and 365:
source routing, which operates in a
Page 366 and 367:
► It improves multicast scalabili
Page 368 and 369:
Global unicast address format IPv6
Page 370 and 371:
Scope 4-bit value indicating the sc
Page 372 and 373:
9.2.4 Flow labels Figure 9-10 Traff
Page 374 and 375:
Page 376 and 377:
9.2.6 Packet sizes If the algorithm
Page 378 and 379:
9.3 Internet Control Message Protoc
Page 380 and 381:
Address resolution Figure 9-15 show
Page 382 and 383:
The response to the neighbor solici
Page 384 and 385:
IP Header Option 2 Figure 9-18 Rout
Page 386 and 387:
(for example, a new workstation tha
Page 388 and 389:
outer A has forwarded the packet to
Page 390 and 391:
The stateless autoconfiguration pro
Page 392 and 393:
Note the following fields in the IP
Page 394 and 395:
The following extensions are specif
Page 396 and 397:
Site X is multihomed to two provide
Page 398 and 399:
DHCP Advertise This is a unicast me
Page 400 and 401:
On top of the native IPv6 support t
Page 402 and 403:
For further information about mobil
Page 404 and 405:
9.7.3 New research and development
Page 406 and 407:
► IPv4/IPv6 header translation.Th
Page 408 and 409:
► If the destination is not on th
Page 410 and 411:
IPv6/IPv4 Host Ethernet IPv6/IPv4 R
Page 412 and 413:
It is, of course, possible that aft
Page 414 and 415:
direction, the router adds the ::FF
Page 416 and 417:
► RFC 2675 - IPv6 Jumbograms, Aug
Page 418 and 419:
10.1 Wireless concepts Given the di
Page 420 and 421:
Isotropic radiation Actual radiatio
Page 422 and 423:
10.2.2 Reachability 10.2.3 Scalabil
Page 424 and 425:
802.11a An extension to 802.11 that
Page 426 and 427:
10.4 WiMax confidentiality function
Page 428 and 429:
10.5 Applications of wireless netwo
Page 430 and 431:
Page 432 and 433:
Protocol, which is defined by the O
Page 434 and 435:
11.1 Characteristics of application
Page 436 and 437:
11.2 Application programming interf
Page 438 and 439:
Definition of fields: sockfd This i
Page 440 and 441:
An example of a client/server scena
Page 442 and 443:
Figure 11-3 shows the conceptual mo
Page 444 and 445:
- DES authentication: In addition t
Page 446 and 447:
SNMP agent implementations provide
Page 448 and 449:
11.2.4 REXX sockets Note: SET reque
Page 450 and 451:
Page 452 and 453:
12.1 Domain Name System (DNS) The D
Page 454 and 455:
We discuss this hierarchical struct
Page 456 and 457:
12.1.6 Mapping IP addresses to doma
Page 458 and 459:
Note: Although domains within the n
Page 460 and 461:
Domain name stub resolver Figure 12
Page 462 and 463:
When a domain is registered with th
Page 464 and 465:
TTL The time-to-live (TTL) time in
Page 466 and 467:
Figure 12-5 DNS message format Head
Page 468 and 469:
Question section The next section c
Page 470 and 471:
Where the fields before the TTL fie
Page 472 and 473:
They are interconnected by an IP ga
Page 474 and 475:
; 4.1.112.129.in-addr.arpa. IN PTR
Page 476 and 477:
12.1.13 Transport Domain Name Syste
Page 478 and 479:
Page 480 and 481:
In addition to TSIG, and GSS-TSIG,
Page 482 and 483:
Page 484 and 485:
NOTIFY. Based on the RRs contained
Page 486 and 487:
12.4.1 LDAP: Lightweight access to
Page 488 and 489:
LDAP server must communicate using
Page 490 and 491:
12.4.4 LDAP models distinguished na
Page 492 and 493:
classes that a directory server can
Page 494 and 495:
It is usual to follow either a geog
Page 496 and 497:
Some example searches expressed inf
Page 498 and 499:
Page 500 and 501:
12.4.6 LDAP URLs agree on a common
Page 502 and 503:
LDAP interface for the GDA One way
Page 504 and 505:
key piece to building intelligent n
Page 506 and 507:
► RFC 4505 - Anonymous Simple Aut
Page 508 and 509:
Page 510 and 511:
13.1 Telnet Telnet is a standard pr
Page 512 and 513:
► The NVT provides a local echo f
Page 514 and 515:
Number Name State RFC STD 12 Output
Page 516 and 517:
The Interpret As Command (IAC) char
Page 518 and 519:
Send Reply Meaning The terminal typ
Page 520 and 521:
locks following the command. Howeve
Page 522 and 523:
Principle of operation REXECD is a
Page 524 and 525:
13.3.1 DCE directory service When w
Page 526 and 527:
In order to find a resource in anot
Page 528 and 529:
Login facility Provides the environ
Page 530 and 531:
4. Now the user needs the authoriza
Page 532 and 533:
e defined as single threading. A th
Page 534 and 535:
environment. It also provides a way
Page 536 and 537:
13.4.1 File naming DFS follows the
Page 538 and 539:
typically provided by an operating
Page 540 and 541:
14.1 File Transfer Protocol (FTP) F
Page 542 and 543:
► Navigate and manipulate the dir
Page 544 and 545:
Page 546 and 547:
14.1.3 The active data transfer Whe
Page 548 and 549:
command would receive an error when
Page 550 and 551:
long, with the first two digits hav
Page 552 and 553:
This command instructs the FTP serv
Page 554 and 555:
ADAT Passes Base64-encoded security
Page 556 and 557:
14.2.1 TFTP usage TFTP file transfe
Page 558 and 559:
14.2.4 Data modes The TFTP header c
Page 560 and 561:
Both the user ID needed to gain acc
Page 562 and 563:
-B buffer_size Specifies the size o
Page 564 and 565:
chmod mode path Changes the permiss
Page 566 and 567:
Where: options System-specific opti
Page 568 and 569:
14.4.2 File integrity REMOVE Delete
Page 570 and 571:
public file handles and the LOOKUP,
Page 572 and 573:
several directories away. WebNFS ca
Page 574 and 575:
Figure 14-11 on page 547 shows an e
Page 576 and 577:
Datagram Service Just as the Sessio
Page 578 and 579:
1 2 3 4 5 6 7 SMB/CIFS Client Figur
Page 580 and 581:
Page 582 and 583:
15.1 Simple Mail Transfer Protocol
Page 584 and 585:
RFC Description 3030 This introduce
Page 586 and 587:
user%remote-host@gateway-host For a
Page 588 and 589:
Figure 15-1 The SMTP model SMTP mai
Page 590 and 591:
Figure 15-2 illustrates the normal
Page 592 and 593:
TEST.MY.CORP. Instead, it must firs
Page 594 and 595:
15.2 Sendmail Using the Domain Name
Page 596 and 597:
the queue file, attempts to send an
Page 598 and 599:
MIME is a draft standard that inclu
Page 600 and 601:
3. The priority considered when des
Page 602 and 603:
mandatory ones, and some have both.
Page 604 and 605:
Page 606 and 607:
videos. Only part of the data is sh
Page 608 and 609:
One such addition defined in RFC 37
Page 610 and 611:
Quoted-Printable encoding uses the
Page 612 and 613:
Base64 value ASCII char Base64 valu
Page 614 and 615:
► Message relaying programs frequ
Page 616 and 617:
3. After the client sends the QUIT
Page 618 and 619:
15.5.2 IMAP4 states The disconnecte
Page 620 and 621:
15.5.3 IMAP4 commands and response
Page 622 and 623:
- EXPUNGE: Permanently removes all
Page 624 and 625:
other sessions. This allows a clien
Page 626 and 627:
► RFC 3030 - SMTP Service Extensi
Page 628 and 629:
“Ports” on page 144 for more in
Page 630 and 631:
16.2 Web servers Web browsers are r
Page 632 and 633:
16.3.2 HTTP operation desirable fas
Page 634 and 635:
esponse chain. Therefore, if the se
Page 636 and 637:
- Upgrade - Via Request A request m
Page 638 and 639:
► Successful (2xx) This class of
Page 640 and 641:
Content negotiation In order to fin
Page 642 and 643:
computer, an AIX 5L or UNIX machine
Page 644 and 645:
alternative dynamic portion each ti
Page 646 and 647:
HTTP-Based Client Java Application
Page 648 and 649:
Page 650 and 651:
Given these circumstances, this cha
Page 652 and 653:
Group name Description of objects w
Page 654 and 655:
As an example, consider the object
Page 656 and 657:
This if further illustrated in Figu
Page 658 and 659:
getBulkRequest Performs the same fu
Page 660 and 661:
Messages sent between SNMP agents a
Page 662 and 663:
To illustrate the process of queryi
Page 664 and 665:
17.1.6 SNMP traps In this illustrat
Page 666 and 667:
► User-based Security Model (USM)
Page 668 and 669:
► A single authentication protoco
Page 670 and 671:
InformRequest An InformRequest is g
Page 672 and 673:
SnmpAuthMsg This field is used as a
Page 674 and 675:
Data origin authentication Provided
Page 676 and 677:
Local Socket The local IP address a
Page 678 and 679:
► RFC 1213 - Management Informati
Page 680 and 681:
Page 682 and 683:
advance, we now have fourth generat
Page 684 and 685:
► The Extended Hypertext Markup L
Page 686 and 687:
User Agent Profile Manager Used mai
Page 688 and 689:
Here, we give a brief description o
Page 690 and 691:
18.6 WAP push architecture The desi
Page 692 and 693:
► Client control As owner of the
Page 694 and 695:
18.6.4 Service indication The servi
Page 696 and 697:
18.7 The Wireless Application Envir
Page 698 and 699:
► WAP-specific data, such as the
Page 700 and 701:
The primitive types and their abbre
Page 702 and 703:
implementing an end-to-end connecti
Page 704 and 705:
and allows WPT-TCP to send acknowle
Page 706 and 707:
datagrams. For that functionality,
Page 708 and 709:
Example of a WSP-WTP sequence flow
Page 710 and 711:
exchange of information and control
Page 712 and 713:
peer layer). The dashed line repres
Page 714 and 715:
The peer who starts the negotiation
Page 716 and 717:
2. The server uses the S-Connect.re
Page 718 and 719:
Normal session establishment Figure
Page 720 and 721:
Normal method invocation Figure 18-
Page 722 and 723:
Wireless client HTTP WTLS WP-TCP Fi
Page 724 and 725:
WTLS layer goals The primary goal i
Page 726 and 727:
CipherSpec Specifies the bulk data
Page 728 and 729:
WIM is used to store permanent priv
Page 730 and 731:
► WAP-229_001-HTTP-20011031-a - W
Page 732 and 733:
Page 734 and 735:
The following terminology is used w
Page 736 and 737:
Page 738 and 739:
Changes to presence information are
Page 740 and 741:
19.2 Presence Information Data Form
Page 742 and 743:
19.3 Presence protocols The Extensi
Page 744 and 745:
19.3.1 Binding to TCP client-to-ser
Page 746 and 747:
Page 748 and 749:
networks in such a manner, organiza
Page 750 and 751:
20.1 Voice over IP (VoIP) introduct
Page 752 and 753:
20.1.2 VoIP functional components F
Page 754 and 755:
is a set of international CODEC sta
Page 756 and 757:
Operational support system OSS prov
Page 758 and 759:
► The proxy server provides appli
Page 760 and 761:
Figure 20-2 An example of SIP reque
Page 762 and 763:
► Stream Control Transmission Pro
Page 764 and 765:
MDCX “ModifyConnection” changes
Page 766 and 767:
Terminals Terminals are the LAN cli
Page 768 and 769:
RTP RTCP audio G.711, G.723.1, etc.
Page 770 and 771:
► RFC 3266 - Support for IPv6 in
Page 772 and 773:
21.1 IPTV overview IPTV is an IP ne
Page 774 and 775:
► Communication context This is s
Page 776 and 777:
21.2 Functional components Figure 2
Page 778 and 779:
21.2.4 IP (TV) transport IPTV requi
Page 780 and 781:
► Congestion control SCTP maintai
Page 782 and 783:
Type Description s Session name i*
Page 784 and 785:
RTP header format The header of an
Page 786 and 787:
1 1016 25 CelB 2 G726-32 26 JPEG 3
Page 788 and 789:
Application RTP 12 1 10 2 9 3 8 4 7
Page 790 and 791:
Receiver report An RTCP receiver re
Page 792 and 793:
Length Contains the packet length.
Page 794 and 795:
It allows weighted prediction, enab
Page 796 and 797:
21.4 RFCs relevant to this chapter
Page 798 and 799:
22.1 Security exposures and solutio
Page 800 and 801:
Problem/exposure Remedy How to ensu
Page 802 and 803:
Application proxy Access control En
Page 804 and 805:
Encryption and decryption: Cryptogr
Page 806 and 807: eighth bit serving as parity bit. F
Page 808 and 809: cleartext clea cle Cleartext Alice'
Page 810 and 811: e and d are called the public and p
Page 812 and 813: A hash function that takes a key as
Page 814 and 815: Examples of hash functions The most
Page 816 and 817: Digital Signature Standard (DSS) As
Page 818 and 819: public key and identification, a di
Page 820 and 821: 22.3 Firewalls In September 1998, t
Page 822 and 823: time. The network administrator mus
Page 824 and 825: Service level filtering Because mos
Page 826 and 827: etween the secure and the non-secur
Page 828 and 829: In normal mode, the FTP client firs
Page 830 and 831: circuit-level gateway (see Figure 2
Page 832 and 833: Generally, a packet-filtering firew
Page 834 and 835: Internal DNS and Mail server Secure
Page 836 and 837: 22.4.1 Concepts IPSec adds integrit
Page 838 and 839: Tunneling Tunneling or encapsulatio
Page 840 and 841: AH format The AH format is describe
Page 842 and 843: AH in transport mode In this mode,
Page 844 and 845: connectionless, in that they operat
Page 846 and 847: Padding Most encryption algorithms
Page 848 and 849: The tunnel mode is used whenever ei
Page 850 and 851: When designing a VPN, limit the num
Page 852 and 853: Figure 22-33 illustrates the simple
Page 854 and 855: Figure 22-36 shows in detail how th
Page 858 and 859: Permanent identifiers The IKE proto
Page 860 and 861: Note: For ISAKMP phase 1 messages,
Page 862 and 863: 836 TCP/IP Tutorial and Technical O
Page 864 and 865: authority using a protocol such as
Page 866 and 867: IKE phase 2: Setting up protocol Se
Page 868 and 869: Hash A Hash payload must immediatel
Page 870 and 871: Generating the keys (phase 2) Using
Page 872 and 873: 22.5 SOCKS intranet is considered t
Page 874 and 875: 22.5.1 SOCKS Version 5 (SOCKSv5) SO
Page 876 and 877: Where: VER Indicates the version of
Page 878 and 879: X'03' Network unreachable X'04' Hos
Page 880 and 881: X Window System’s clients. SSH fo
Page 882 and 883: 22.7.2 SSL protocol Authentication
Page 884 and 885: CipherSpec message after processing
Page 886 and 887: The client then sends a finished me
Page 888 and 889: In this chapter, we begin by defini
Page 890 and 891: usiness partner's and supplier's VP
Page 892 and 893: name the principal. Both the realm
Page 894 and 895: The authentication process consists
Page 896 and 897: After the server has validated a cl
Page 898 and 899: ► Authorization and accounting in
Page 900 and 901: modem connection is made, the NAS p
Page 902 and 903: 22.14.1 Terminology Before describi
Page 904 and 905: PPP Data Figure 22-54 L2TP packet c
Page 906 and 907:
complementary use of IPSec, an L2TP
Page 908 and 909:
The diagram shows the following tra
Page 910 and 911:
Key management on such a large scal
Page 912 and 913:
► RFC 2405 - The ESP DES-CBC Ciph
Page 914 and 915:
Page 916 and 917:
23.1 Port based network access cont
Page 918 and 919:
23.3 Port based network access cont
Page 920 and 921:
Figure 23-3 illustrates the control
Page 922 and 923:
802.1x authentication process The a
Page 924 and 925:
Figure 23-6 and Figure 23-7 show sn
Page 926 and 927:
Request and response type Value TLS
Page 928 and 929:
Figure 23-15 EAP-Success packet EAP
Page 930 and 931:
Figure 23-21 shows the sniffer trac
Page 932 and 933:
► Multicast propagation If authen
Page 934 and 935:
The Internet business has grown so
Page 936 and 937:
Generic techniques to enhance scala
Page 938 and 939:
24.5 Virtualization Virtualization
Page 940 and 941:
Network virtualization Network virt
Page 942 and 943:
24.6.2 VRRP definitions 24.6.3 VRRP
Page 944 and 945:
24.6.4 Sample configuration Figure
Page 946 and 947:
The fields of the VRRP header are d
Page 948 and 949:
24.8.1 Network Address Translation
Page 950 and 951:
24.9 RFCs relevant to this chapter
Page 952 and 953:
A.1 MPLS: An introduction The idea
Page 954 and 955:
MPLS also provides the ability to a
Page 956 and 957:
Layer 2 Header MPLS Header Figure A
Page 958 and 959:
Label switched path (LSP) An LSP re
Page 960 and 961:
► The packet does not contain a l
Page 962 and 963:
7. R22 reviews the level-2 label ap
Page 964 and 965:
A.2.5 Label distribution protocols
Page 966 and 967:
Emulated Ethernet MUX MPLS Figure A
Page 968 and 969:
► The effort can provide a single
Page 970 and 971:
A generalized label only carries a
Page 972 and 973:
Fault management The LMP fault mana
Page 974 and 975:
Note: GMPLS allows SP to dynamicall
Page 976 and 977:
Furthermore, because the labels can
Page 978 and 979:
A.5 RFCs relevant to this chapter T
Page 980 and 981:
DLCI Data Link Connection Identifie
Page 982 and 983:
MTU Maximum Transmission Unit MVS M
Page 984 and 985:
VRML Virtual Reality Modeling Langu
Page 986 and 987:
► TCP/IP and System i http://www.
Page 988 and 989:
Page 990 and 991:
DHCP interoperability 140 forwardin
Page 992 and 993:
fingerprint 785 firewall 12, 776, 8
Page 994 and 995:
Security Parameter Index (SPI) 810
Page 996 and 997:
latency 61 Layer 2 Forwarding (L2F)
Page 998 and 999:
RFC 1483 53 RFC 1492 873 RFC 1510 8
Page 1000 and 1001:
subnet number 73 subnets 72 subnett
Page 1004:
TCP/IP Tutorial and Technical Overv
show all

TCP/IP Tutorial and Technical Overview - IBM Redbooks

Create successful ePaper yourself

Delete template?

Save as template?