ipsec: Authentication Header (AH) and Encapsulating Security Payload (ESP)
The IPsec suite is a framework of open standards. IPsec uses the following protocols to perform various functions:
- Internet key exchange (IKE and IKEv2) to set up a security association (SA) by handling negotiation of protocols and algorithms and to generate the encryption and authentication keys to be used by IPsec.
- Authentication Header (AH) to provide connectionless integrity and data origin authentication for IP datagrams and to provide protection against replay attacks.
- Encapsulating Security Payload (ESP) to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality.
The IPsec headers (AH and ESP) can be used in transport mode or tunnel mode. In transport mode, the original IP header is followed by the AH or ESP header. If ESP is used in transport mode, only the upper-layer payload (e.g., TCP, UDP, IGMP) is encrypted; the IP header itself is not encrypted.
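To make the header layout concrete, here is an added example (not code from the original note or any IPsec implementation) that decodes a transport-mode packet, pulling the AH fields (RFC 4302) or the cleartext ESP fields (RFC 4303) from behind the IP header, and implements the sliding anti-replay window from RFC 4303 Appendix A. The sample packets, addresses, SPIs and ICV bytes are constructed for the example; a real receiver only commits a sequence number to the window after the ICV has verified.

```python
import struct

# Protocol numbers carried in the IPv4 "protocol" field.
IPPROTO_ESP = 50
IPPROTO_AH = 51


def build_ipv4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Construct a minimal 20-byte IPv4 header in front of payload (checksum left 0).
    The addresses are constructed sample values for this example."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src, dst)
    return hdr + payload


def parse_ah(data):
    """Authentication Header: 12 fixed bytes then the ICV. Payload Len counts
    32-bit words minus 2, so the header length is (payload_len + 2) * 4 bytes."""
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", data[:12])
    ah_len = (payload_len + 2) * 4
    return {"next_header": next_header, "length": ah_len, "spi": spi,
            "seq": seq, "icv": data[12:ah_len]}


def parse_esp(data):
    """ESP: only the SPI and sequence number are in the clear; the payload,
    padding, pad length and next-header byte are ciphertext, followed by the ICV."""
    spi, seq = struct.unpack("!II", data[:8])
    return {"spi": spi, "seq": seq, "ciphertext": data[8:]}


def decode_transport(pkt):
    """Transport mode: the original IP header comes first, then AH or ESP."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    body = pkt[ihl:]
    if proto == IPPROTO_AH:
        return "AH", parse_ah(body)
    if proto == IPPROTO_ESP:
        return "ESP", parse_esp(body)
    raise ValueError(f"not an IPsec packet (protocol {proto})")


class ReplayWindow:
    """Sliding anti-replay window (RFC 4303 Appendix A); bit 0 is the highest seq seen."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def accept(self, seq):
        """Return True and record seq if it is new and inside the window."""
        if seq == 0:
            return False  # sequence number 0 is never valid on the wire
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = 0 if shift >= self.size else (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False  # older than the window: drop as too old
        if self.bitmap & (1 << diff):
            return False  # already received: replay
        self.bitmap |= 1 << diff
        return True


# Constructed sample: ESP in transport mode, SPI 0x1234, first packet of the SA (seq 1).
SAMPLE_ESP = build_ipv4(IPPROTO_ESP, struct.pack("!II", 0x1234, 1) + b"\xde\xad\xbe\xef" * 4)
# Constructed sample: AH with a 12-byte (HMAC-96 style) ICV, so Payload Len is 4,
# protecting a TCP segment (next header 6) represented here by placeholder bytes.
SAMPLE_AH = build_ipv4(IPPROTO_AH, struct.pack("!BBHII", 6, 4, 0, 0x5678, 7) + b"\x00" * 12 + b"tcp-segment")

if __name__ == "__main__":
    print(decode_transport(SAMPLE_ESP))
    print(decode_transport(SAMPLE_AH))
    w = ReplayWindow()
    print([w.accept(s) for s in (1, 1, 3, 2, 2)])  # [True, False, True, True, False]
```

Reordered packets inside the window (seq 2 arriving after seq 3) are accepted once; a second copy of any sequence number, or anything that has fallen more than 64 behind the highest number seen, is rejected, which is the "partial sequence integrity" the note refers to.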
Additional Reading:
http://www.networksorcery.com/enp/protocol/esp.htm
http://www.networksorcery.com/enp/protocol/ah.htm
Virtual Private Dialup Network (VPDN)
A VPDN is a network that extends remote access to a private network using a shared infrastructure. VPDNs use Layer 2 tunnel technologies (L2F, L2TP, and PPTP) to extend the Layer 2 and higher parts of the network connection from a remote user across an ISP network to a private network. VPDNs are a cost-effective method of establishing a long-distance, point-to-point connection between remote dial users and a private network.
Reading:
http://www.cisco.com/en/US/tech/tk801/tk703/tsd_technology_support_protocol_home.html
l2tp: layer 2 tunneling protocol
In computer networking, Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs). It does not provide any encryption or confidentiality by itself; it relies on an encryption protocol that it passes within the tunnel to provide privacy.[1]
Although L2TP acts like a Data Link Layer protocol in the OSI model, L2TP is in fact a Session Layer protocol,[2] and uses the registered UDP port 1701. (see List of TCP and UDP port numbers).
(shamelessly copied from wikipedia)
Additional Reading:
http://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol
http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/l2tpT.html
http://www.cisco.com/en/US/tech/tk801/tk703/technologies_tech_note09186a0080094c4f.shtml
Iptables : Remove an entry
Sorry it's been a while.
You can either delete by number or by recreating the rule. "iptables -D INPUT 3" will remove the 3rd (counting from 1) rule. Or "iptables -D INPUT -s 65.75.152.40 -j DROP" will remove the corresponding entry independent of location. The rules must match exactly though or you'll get a "Bad rule" error.
http://www.plug.org/pipermail/plug/2004-November/010606.html
http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-iptables-options.html
http://netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-7.html
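As an added example (not part of the original note, and not iptables' own code), the following script shows what "match exactly" means in practice and why deleting by number needs care. It works on a constructed `iptables -S INPUT` dump rather than a live host: it normalises a bare address to the `/32` form iptables prints, looks up the position of a rule spec, and builds `iptables -D` commands from the highest number down, because positions renumber after every deletion.

```python
import ipaddress
import shlex

# Constructed sample of `iptables -S INPUT` output; not captured from a real host.
SAMPLE_INPUT_CHAIN = """\
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 65.75.152.40/32 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""


def canonical(tokens):
    """Normalise a rule spec the way iptables does before comparing it:
    a bare address after -s/-d gets its implicit /32 (IPv6: /128) prefix."""
    out = []
    for i, tok in enumerate(tokens):
        if i > 0 and tokens[i - 1] in ("-s", "--source", "-d", "--destination"):
            try:
                tok = ipaddress.ip_network(tok, strict=False).with_prefixlen
            except ValueError:
                pass  # hostnames and other non-address arguments are left as typed
        out.append(tok)
    return out


def list_rules(chain_dump, chain="INPUT"):
    """Rule specs of `chain` in order; position counting from 1 is index + 1."""
    rules = []
    for line in chain_dump.splitlines():
        toks = shlex.split(line)
        if len(toks) > 2 and toks[0] == "-A" and toks[1] == chain:
            rules.append(toks[2:])
    return rules


def find_rule_number(chain_dump, spec, chain="INPUT"):
    """Position (counting from 1) of the first rule equal to `spec`, or None.
    No match is exactly the case that makes `iptables -D` report "Bad rule"."""
    want = canonical(shlex.split(spec))
    for n, rule in enumerate(list_rules(chain_dump, chain), start=1):
        if canonical(rule) == want:
            return n
    return None


def delete_commands(chain_dump, specs, chain="INPUT"):
    """Build `iptables -D <chain> <n>` commands for several rules. Positions
    shift after each deletion, so delete from the highest number downwards."""
    numbers = {find_rule_number(chain_dump, s, chain) for s in specs}
    numbers.discard(None)
    return [f"iptables -D {chain} {n}" for n in sorted(numbers, reverse=True)]


if __name__ == "__main__":
    print(find_rule_number(SAMPLE_INPUT_CHAIN, "-s 65.75.152.40 -j DROP"))  # 3
    print(delete_commands(SAMPLE_INPUT_CHAIN, ["-i lo -j ACCEPT", "-s 65.75.152.40 -j DROP"]))
```

Note that the dump prints `-p tcp -m tcp --dport 22` for a rule added as `-p tcp --dport 22`; real iptables loads the tcp match implicitly when deleting, but this toy comparison only normalises addresses, so give it the spec as `iptables -S` prints it.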
policy based routing
When a router receives a packet it normally decides where to forward it based on the destination address in the packet, which is then used to look up an entry in a routing table. However, in some cases, there may be a need to forward the packet based on other criteria. For example, a network administrator might want to forward a packet based on the source address, not the destination address.
Additional Reading:
http://en.wikipedia.org/wiki/Policy-based_routing
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008009481d.shtml
http://www.policyrouting.org/PolicyRoutingBook/ONLINE/TOC.html
linux iptables port forwarding (PAT)
# Forward an external port to a different internal port on a NAT'd IP
# 1.2.3.4 is the Linux WAN IP
# 10029 is the opened WAN port on the Linux Router
# 192.168.0.12:22 is the private IP and port number to forward port 10029 traffic to
#
iptables -I PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 10029 -j DNAT --to 192.168.0.12:22
iptables -I POSTROUTING -t nat -p tcp -s 192.168.0.12 --sport 22 -j SNAT --to 1.2.3.4:10029
iptables -I OUTPUT -t nat -p tcp -d 1.2.3.4 --dport 10029 -j DNAT --to 192.168.0.12:22
iptables -I INPUT -p tcp -d 192.168.0.12 --dport 22 -j ACCEPT
iptables -I FORWARD -p tcp -d 192.168.0.12 --dport 22 -j ACCEPT
iptables -I FORWARD -p tcp -s 192.168.0.12 --sport 22 -j ACCEPT
Additional Reading:
wpa encryption and bridge-utils
As far as I can tell, my wireless NICs do not allow bridging to happen alongside WPA encryption. Something about how frames leaving the radio have to have spoofed MACs when they come from the bridge does not work with wpa_supplicant.
I just want a wireless bridge with WPA. I tried this:
<get wlan0 associated w/ encryption>
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 wlan0
<association via wpa_supplicant immediately drops and fails to re-auth>
TCP Congestion Avoidance
Congestion can occur when data arrives on a big pipe (a fast LAN) and gets sent out a smaller pipe (a slower WAN). Congestion can also occur when multiple input streams arrive at a router whose output capacity is less than the sum of the inputs. Congestion avoidance is a way to deal with lost packets.
The assumption of the algorithm is that packet loss caused by damage is very small (much less than 1%), therefore the loss of a packet signals congestion somewhere in the network between the source and destination. There are two indications of packet loss: a timeout occurring and the receipt of duplicate ACKs.
Congestion avoidance and slow start are independent algorithms with different objectives. But when congestion occurs TCP must slow down its transmission rate of packets into the network, and then invoke slow start to get things going again. In practice they are implemented together.
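The interplay of the two algorithms is easiest to see in a small model. The following is an added example (not code from the original note or from any TCP stack) of a Reno-style sender's congestion state in bytes, with the per-ACK rules described above: one segment per ACK while cwnd is at or below ssthresh (slow start), about one segment per round trip above it (congestion avoidance), and the two loss signals, a timeout (halve ssthresh, restart slow start from one segment) and three duplicate ACKs (halve and continue in congestion avoidance). The MSS of 1000 bytes and the round-trip simulation are assumptions of the example; fast recovery's temporary window inflation is left out.

```python
class RenoSender:
    """Sender-side congestion state: cwnd and ssthresh in bytes, updated per ACK."""

    def __init__(self, mss=1000, ssthresh=65535):
        self.mss = mss
        self.cwnd = mss          # slow start begins with one segment in flight
        self.ssthresh = ssthresh

    def on_new_ack(self):
        if self.cwnd <= self.ssthresh:
            # slow start: +1 segment per ACK, so cwnd doubles every round trip
            self.cwnd += self.mss
        else:
            # congestion avoidance: +mss*mss/cwnd per ACK, about +1 segment per round trip
            self.cwnd += max(1, self.mss * self.mss // self.cwnd)
        return self.cwnd

    def on_timeout(self):
        # Loss signalled by the retransmission timer: remember half the window,
        # then go back to slow start from a single segment.
        self.ssthresh = max(self.cwnd // 2, 2 * self.mss)
        self.cwnd = self.mss
        return self.cwnd

    def on_three_dup_acks(self):
        # Loss signalled by three duplicate ACKs: fast retransmit the missing segment
        # and continue in congestion avoidance from half the window (no slow start).
        self.ssthresh = max(self.cwnd // 2, 2 * self.mss)
        self.cwnd = self.ssthresh
        return self.cwnd


def simulate(sender, rtts, loss_events=None):
    """Advance `rtts` round trips. Every segment in flight at the start of a round
    trip is ACKed during it; loss_events maps a round-trip index to "timeout" or
    "dupack", applied at the end of that round trip. Returns cwnd after each RTT."""
    loss_events = loss_events or {}
    history = []
    for i in range(rtts):
        in_flight = sender.cwnd // sender.mss
        for _ in range(in_flight):
            sender.on_new_ack()
        if loss_events.get(i) == "timeout":
            sender.on_timeout()
        elif loss_events.get(i) == "dupack":
            sender.on_three_dup_acks()
        history.append(sender.cwnd)
    return history


if __name__ == "__main__":
    # Constructed scenario: four round trips of slow start, then a timeout at the end of the fourth.
    print(simulate(RenoSender(), 4))                  # [2000, 4000, 8000, 16000]
    print(simulate(RenoSender(), 4, {3: "timeout"}))  # [2000, 4000, 8000, 1000]
```

Run against a loss-free path the window doubles each round trip; after the timeout the window collapses to one segment but ssthresh keeps half of the window that was in use, so the next slow start hands over to the gentler linear growth at 8000 bytes instead of running all the way back up.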
Reading Subjects:
http://en.wikipedia.org/wiki/Fast_retransmit
http://en.wikipedia.org/wiki/TCP_congestion_avoidance_algorithm