种豆资源网

TCP/IP Illustrated

(2020-01-10 18:02:42) General Encyclopedia

TCP/IP Illustrated is a book published by China Machine Press in May 2012. Its authors are Kevin R. Fall and W. Richard Stevens.

Basic Information

  • Chinese title: TCPIP详解 (TCP/IP Illustrated)
  • Authors: Kevin R. Fall, W. Richard Stevens
  • ISBN: 978-7-111-38228-7
  • Publication date: May 2012
  • Publisher: China Machine Press

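Editorial Recommendations

“I believe this book stands ahead of the field and is unique because of its attention to detail and its regard for history. It presents the background of computer networking and offers a range of approaches to evolving network problems. It works tirelessly to obtain precise answers and to explore the remaining problem areas. For engineers dedicated to improving and securing the operation of the Internet, or to exploring alternative solutions to long-standing problems, the insights this book provides will be invaluable. The authors' comprehensive exposition and thorough analysis of today's Internet technology deserve praise.”
—Vint Cerf, Internet pioneer

Reviews of the second edition:

“The first edition of this book has been popular with readers since its publication in 1994. Today, however, some of the first edition's content is rather dated, and it does not cover IPv6. Now this world-leading TCP/IP bestseller has been thoroughly updated to reflect the new generation of TCP/IP-based networking technology. The book retains Stevens's outstanding writing style: concise, clear, and quick to get to the point. Although it runs to more than a thousand pages, it is not long-winded; each chapter explains one protocol or concept, and the complexity of TCP is spread over several chapters. One thing I really appreciate about this book is that every chapter describes the known attacks against the protocol. If you must implement these protocols yourself and do not want to suffer the same attacks as those before you, this information will be invaluable. This book is a must for anyone who deals with TCP/IP in their daily work or develops network software; even if your work is not based on IP, it still contains many good ideas you can use.”
—From an Amazon reader review

Praise for the first edition:

This book is bound to be the bible for TCP/IP developers and users. Within minutes of picking up the book and starting to read, I came across several puzzles that had long troubled my colleagues and me, and Stevens's clear and explicit exposition made everything fall into place. He demystifies many subtleties that some network experts had previously kept closely guarded. I have spent several years working on TCP/IP implementations, and in my view this book is the most thorough reference available today.
—Robert A. Ciampa, network engineer, 3COM

TCP/IP Illustrated, Volume 1 is an excellent reference for developers, network administrators, and anyone who needs to understand TCP/IP technology. The content is very comprehensive, offering enough technical detail to satisfy experts while also providing enough background and annotations for newcomers.
—Bob Williams, vice president of marketing, NetManage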

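About the Book

TCP/IP Illustrated is the enduring legacy of the late network expert and renowned technical author W. Richard Stevens. Detailed and highly authoritative, it is regarded as an immortal classic in the TCP/IP field.

This book is Volume 1 of TCP/IP Illustrated. It mainly covers the TCP/IP protocols, using many examples to explain why the TCP/IP protocol suite is defined as it is, and how it is applied and operates in various operating systems. While retaining Stevens's outstanding body of knowledge and writing style, the second edition has been updated by new co-author Kevin R. Fall, who draws on his cutting-edge experience as a leader in TCP/IP protocol research, to reflect the latest protocols and best practices. First, he introduces the core goals and architectural concepts of TCP/IP, showing how they can connect different networks and support multiple services running simultaneously. Next, he explains Internet addresses in IPv4 and IPv6 networks in detail. Then he takes a bottom-up approach to the structure and function of TCP/IP: from link-layer protocols (such as Ethernet and Wi-Fi), through the network and transport layers, to the application layer.

The book covers, in turn and in full, ARP, DHCP, NAT, firewalls, ICMPv4/ICMPv6, broadcasting, multicasting, UDP, DNS, and more, and gives a detailed treatment of reliable transport and TCP, including connection management, timeouts, retransmission, interactive data flow, and congestion control. It also introduces the basics of security and cryptography and describes important protocols currently used to protect security and privacy, including EAP, IPsec, TLS, DNSSEC, and DKIM.

This book is suitable for anyone who wants to understand how the TCP/IP protocols are implemented, and it is an authoritative reference for researchers and developers in the TCP/IP field. Whether you are a beginner or a seasoned networking expert, this book belongs on your desk: it will help you understand the entire protocol suite more deeply and intuitively, build better applications, and run more reliable and efficient networks.

Features of this book:

  • W. Richard Stevens's legendary guide to TCP/IP, now updated by top network expert Kevin R. Fall to reflect the new generation of TCP/IP-based networking technology.
  • Shows how each protocol actually works and explains how it came to be that way.
  • Newly added content includes RPC, access control, authentication, privacy protection, NFS, SMB/CIFS, DHCP, NAT, firewalls, e-mail, the Web, Web services, wireless, wireless security, and more.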

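About the Authors

Dr. Kevin R. Fall has more than 25 years of experience working with TCP/IP and is a member of the Internet Architecture Board. He is co-chair of the Delay Tolerant Networking Research Group (DTNRG) of the Internet Research Task Force, a group that explores networking in extreme and performance-challenged environments. He is an IEEE Fellow.

Dr. W. Richard Stevens (1951-1999) was an internationally known Unix and networking expert and a respected technical author and consultant. He taught a generation of network professionals the skills to use TCP/IP, helping make the Internet central to people's daily lives. Stevens died on September 1, 1999, at the age of 48. In his brief but brilliant life he wrote several enduring classics, including TCP/IP Illustrated (three volumes), UNIX Network Programming (two volumes), and Advanced Programming in the UNIX Environment. In 2000 he was posthumously awarded the “Lifetime Achievement Award” by Usenix, an internationally authoritative organization.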

Table of Contents

Foreword
Preface to the Second Edition
Adapted Preface to the First Edition

Chapter 1 Introduction
1.1 Architectural Principles
1.1.1 Packets, Connections, and Datagrams
1.1.2 The End-to-End Argument and Fate Sharing
1.1.3 Error Control and Flow Control
1.2 Design and Implementation
1.2.1 Layering
1.2.2 Multiplexing, Demultiplexing, and Encapsulation in Layered Implementations
1.3 The Architecture and Protocols of the TCP/IP Suite
1.3.1 The ARPANET Reference Model
1.3.2 Multiplexing, Demultiplexing, and Encapsulation in TCP/IP
1.3.3 Port Numbers
1.3.4 Names, Addresses, and the DNS
1.4 Internets, Intranets, and Extranets
1.5 Designing Applications
1.5.1 Client/Server
1.5.2 Peer-to-Peer
1.5.3 Application Programming Interfaces (APIs)
1.6 Standardization Process
1.6.1 Request for Comments (RFC)
1.6.2 Other Standards
1.7 Implementations and Software Distributions
1.8 Attacks Involving the Internet Architecture
1.9 Summary
1.10 References

Chapter 2 The Internet Address Architecture
2.1 Introduction
2.2 Expressing IP Addresses
2.3 Basic IP Address Structure
2.3.1 Classful Addressing
2.3.2 Subnet Addressing
2.3.3 Subnet Masks
2.3.4 Variable-Length Subnet Masks (VLSM)
2.3.5 Broadcast Addresses
2.3.6 IPv6 Addresses and Interface Identifiers
2.4 CIDR and Aggregation
2.4.1 Prefixes
2.4.2 Aggregation
2.5 Special-Use Addresses
2.5.1 Addressing IPv4/IPv6 Translators
2.5.2 Multicast Addresses
2.5.3 IPv4 Multicast Addresses
2.5.4 IPv6 Multicast Addresses
2.5.5 Anycast Addresses
2.6 Allocation
2.6.1 Unicast
2.6.2 Multicast
2.7 Unicast Address Assignment
2.7.1 Single Provider/No Network/Single Address
2.7.2 Single Provider/Single Network/Single Address
2.7.3 Single Provider/Multiple Networks/Multiple Addresses
2.7.4 Multiple Providers/Multiple Networks/Multiple Addresses (Multihoming)
2.8 Attacks Involving IP Addresses
2.9 Summary
2.10 References

Chapter 3 Link Layer
3.1 Introduction
3.2 Ethernet and the IEEE 802 LAN/MAN Standards
3.2.1 The IEEE 802 LAN/MAN Standards
3.2.2 The Ethernet Frame Format
3.2.3 802.1p/q: Virtual LANs and QoS Tagging
3.2.4 802.1AX: Link Aggregation (Formerly 802.3ad)
3.3 Full Duplex, Power Save, Autonegotiation, and 802.1X Flow Control
3.3.1 Duplex Mismatch
3.3.2 Wake-on LAN (WoL), Power Saving, and Magic Packets
3.3.3 Link-Layer Flow Control
3.4 Bridges and Switches
3.4.1 Spanning Tree Protocol (STP)
3.4.2 802.1ak: Multiple Registration Protocol (MRP)
3.5 Wireless LANs—IEEE 802.11 (Wi-Fi)
3.5.1 802.11 Frames
3.5.2 Power Save Mode and the Time Sync Function (TSF)
3.5.3 802.11 Media Access Control
3.5.4 Physical-Layer Details: Rates, Channels, and Frequencies
3.5.5 Wi-Fi Security
3.5.6 Wi-Fi Mesh (802.11s)
3.6 Point-to-Point Protocol (PPP)
3.6.1 Link Control Protocol (LCP)
3.6.2 Multilink PPP (MP)
3.6.3 Compression Control Protocol (CCP)
3.6.4 PPP Authentication
3.6.5 Network Control Protocols (NCPs)
3.6.6 Header Compression
3.6.7 Example
3.7 Loopback
3.8 MTU and Path MTU
3.9 Tunneling Basics
3.9.1 Unidirectional Links
3.10 Attacks on the Link Layer
3.11 Summary
3.12 References

Chapter 4 ARP: Address Resolution Protocol
4.1 Introduction
4.2 An Example
4.2.1 Direct Delivery and ARP
4.3 ARP Cache
4.4 ARP Frame Format
4.5 ARP Examples
4.5.1 Normal Example
4.5.2 ARP Request to a Nonexistent Host
4.6 ARP Cache Timeout
4.7 Proxy ARP
4.8 Gratuitous ARP and Address Conflict Detection (ACD)
4.9 The arp Command
4.10 Using ARP to Set an Embedded Device’s IPv4 Address
4.11 Attacks Involving ARP
4.12 Summary
4.13 References

Chapter 5 The Internet Protocol (IP)
5.1 Introduction
5.2 IPv4 and IPv6 Headers
5.2.1 IP Header Fields
5.2.2 The Internet Checksum
5.2.3 DS Field and ECN (Formerly Called the ToS Byte or IPv6 Traffic Class)
5.2.4 IP Options
5.3 IPv6 Extension Headers
5.3.1 IPv6 Options
5.3.2 Routing Header
5.3.3 Fragment Header
5.4 IP Forwarding
5.4.1 Forwarding Table
5.4.2 IP Forwarding Actions
5.4.3 Examples
5.4.4 Discussion
5.5 Mobile IP
5.5.1 The Basic Model: Bidirectional Tunneling
5.5.2 Route Optimization (RO)
5.5.3 Discussion
5.6 Host Processing of IP Datagrams
5.6.1 Host Models
5.6.2 Address Selection
5.7 Attacks Involving IP
5.8 Summary
5.9 References

Chapter 6 System Configuration: DHCP and Autoconfiguration
6.1 Introduction
6.2 Dynamic Host Configuration Protocol (DHCP)
6.2.1 Address Pools and Leases
6.2.2 DHCP and BOOTP Message Format
6.2.3 DHCP and BOOTP Options
6.2.4 DHCP Protocol Operation
6.2.5 DHCPv6
6.2.6 Using DHCP with Relays
6.2.7 DHCP Authentication
6.2.8 Reconfigure Extension
6.2.9 Rapid Commit
6.2.10 Location Information (LCI and LoST)
6.2.11 Mobility and Handoff Information (MoS and ANDSF)
6.2.12 DHCP Snooping
6.3 Stateless Address Autoconfiguration (SLAAC)
6.3.1 Dynamic Configuration of IPv4 Link-Local Addresses
6.3.2 IPv6 SLAAC for Link-Local Addresses
6.4 DHCP and DNS Interaction
6.5 PPP over Ethernet (PPPoE)
6.6 Attacks Involving System Configuration
6.7 Summary
6.8 References

Chapter 7 Firewalls and Network Address Translation (NAT)
7.1 Introduction
7.2 Firewalls
7.2.1 Packet-Filtering Firewalls
7.2.2 Proxy Firewalls
7.3 Network Address Translation (NAT)
7.3.1 Traditional NAT: Basic NAT and NAPT
7.3.2 Address and Port Translation Behavior
7.3.3 Filtering Behavior
7.3.4 Servers behind NATs
7.3.5 Hairpinning and NAT Loopback
7.3.6 NAT Editors
7.3.7 Service Provider NAT (SPNAT) and Service Provider IPv6 Transition
7.4 NAT Traversal
7.4.1 Pinholes and Hole Punching
7.4.2 Unilateral Self-Address Fixing (UNSAF)
7.4.3 Session Traversal Utilities for NAT (STUN)
7.4.4 Traversal Using Relays around NAT (TURN)
7.4.5 Interactive Connectivity Establishment (ICE)
7.5 Configuring Packet-Filtering Firewalls and NATs
7.5.1 Firewall Rules
7.5.2 NAT Rules
7.5.3 Direct Interaction with NATs and Firewalls: UPnP, NAT-PMP, and PCP
7.6 NAT for IPv4/IPv6 Coexistence and Transition
7.6.1 Dual-Stack Lite (DS-Lite)
7.6.2 IPv4/IPv6 Translation Using NATs and ALGs
7.7 Attacks Involving Firewalls and NATs
7.8 Summary
7.9 References

Chapter 8 ICMPv4 and ICMPv6: Internet Control Message Protocol
8.1 Introduction
8.1.1 Encapsulation in IPv4 and IPv6
8.2 ICMP Messages
8.2.1 ICMPv4 Messages
8.2.2 ICMPv6 Messages
8.2.3 Processing of ICMP Messages
8.3 ICMP Error Messages
8.3.1 Extended ICMP and Multipart Messages
8.3.2 Destination Unreachable (ICMPv4 Type 3, ICMPv6 Type 1) and Packet Too Big (ICMPv6 Type 2)
8.3.3 Redirect (ICMPv4 Type 5, ICMPv6 Type 137)
8.3.4 ICMP Time Exceeded (ICMPv4 Type 11, ICMPv6 Type 3)
8.3.5 Parameter Problem (ICMPv4 Type 12, ICMPv6 Type 4)
8.4 ICMP Query/Informational Messages
8.4.1 Echo Request/Reply (ping) (ICMPv4 Types 0/8, ICMPv6 Types 129/128)
8.4.2 Router Discovery: Router Solicitation and Advertisement (ICMPv4 Types 9, 10)
8.4.3 Home Agent Address Discovery Request/Reply (ICMPv6 Types 144/145)
8.4.4 Mobile Prefix Solicitation/Advertisement (ICMPv6 Types 146/147)
8.4.5 Mobile IPv6 Fast Handover Messages (ICMPv6 Type 154)
8.4.6 Multicast Listener Query/Report/Done (ICMPv6 Types 130/131/132)
8.4.7 Version 2 Multicast Listener Discovery (MLDv2) (ICMPv6 Type 143)
8.4.8 Multicast Router Discovery (MRD) (IGMP Types 48/49/50, ICMPv6 Types 151/152/153)
8.5 Neighbor Discovery in IPv6
8.5.1 ICMPv6 Router Solicitation and Advertisement (ICMPv6 Types 133, 134)
8.5.2 ICMPv6 Neighbor Solicitation and Advertisement (ICMPv6 Types 135, 136)
8.5.3 ICMPv6 Inverse Neighbor Discovery Solicitation/Advertisement (ICMPv6 Types 141/142)
8.5.4 Neighbor Unreachability Detection (NUD)
8.5.5 Secure Neighbor Discovery (SEND)
8.5.6 ICMPv6 Neighbor Discovery (ND) Options
8.6 Translating ICMPv4 and ICMPv6
8.6.1 Translating ICMPv4 to ICMPv6
8.6.2 Translating ICMPv6 to ICMPv4
8.7 Attacks Involving ICMP
8.8 Summary
8.9 References

Chapter 9 Broadcasting and Local Multicasting (IGMP and MLD)
9.1 Introduction
9.2 Broadcasting
9.2.1 Using Broadcast Addresses
9.2.2 Sending Broadcast Datagrams
9.3 Multicasting
9.3.1 Converting IP Multicast Addresses to 802 MAC/Ethernet Addresses
9.3.2 Examples
9.3.3 Sending Multicast Datagrams
9.3.4 Receiving Multicast Datagrams
9.3.5 Host Address Filtering
9.4 The Internet Group Management Protocol (IGMP) and Multicast Listener Discovery Protocol (MLD)
9.4.1 IGMP and MLD Processing by Group Members (“Group Member Part”)
9.4.2 IGMP and MLD Processing by Multicast Routers (“Multicast Router Part”)
9.4.3 Examples
9.4.4 Lightweight IGMPv3 and MLDv2
9.4.5 IGMP and MLD Robustness
9.4.6 IGMP and MLD Counters and Variables
9.4.7 IGMP and MLD Snooping
9.5 Attacks Involving IGMP and MLD
9.6 Summary
9.7 References

Chapter 10 User Datagram Protocol (UDP) and IP Fragmentation
10.1 Introduction
10.2 UDP Header
10.3 UDP Checksum
10.4 Examples
10.5 UDP and IPv6
10.5.1 Teredo: Tunneling IPv6 through IPv4 Networks
10.6 UDP-Lite
10.7 IP Fragmentation
10.7.1 Example: UDP/IPv4 Fragmentation
10.7.2 Reassembly Timeout
10.8 Path MTU Discovery with UDP
10.8.1 Example
10.9 Interaction between IP Fragmentation and ARP/ND
10.10 Maximum UDP Datagram Size
10.10.1 Implementation Limitations
10.10.2 Datagram Truncation
10.11 UDP Server Design
10.11.1 IP Addresses and UDP Port Numbers
10.11.2 Restricting Local IP Addresses
10.11.3 Using Multiple Addresses
10.11.4 Restricting Foreign IP Address
10.11.5 Using Multiple Servers per Port
10.11.6 Spanning Address Families: IPv4 and IPv6
10.11.7 Lack of Flow and Congestion Control
10.12 Translating UDP/IPv4 and UDP/IPv6 Datagrams
10.13 UDP in the Internet
10.14 Attacks Involving UDP and IP Fragmentation
10.15 Summary
10.16 References

Chapter 11 Name Resolution and the Domain Name System (DNS)
11.1 Introduction
11.2 The DNS Name Space
11.2.1 DNS Naming Syntax
11.3 Name Servers and Zones
11.4 Caching
11.5 The DNS Protocol
11.5.1 DNS Message Format
11.5.2 The DNS Extension Format (EDNS0)
11.5.3 UDP or TCP
11.5.4 Question (Query) and Zone Section Format
11.5.5 Answer, Authority, and Additional Information Section Formats
11.5.6 Resource Record Types
11.5.7 Dynamic Updates (DNS UPDATE)
11.5.8 Zone Transfers and DNS NOTIFY
11.6 Sort Lists, Round-Robin, and Split DNS
11.7 Open DNS Servers and DynDNS
11.8 Transparency and Extensibility
11.9 Translating DNS from IPv4 to IPv6 (DNS64)
11.10 LLMNR and mDNS
11.11 LDAP
11.12 Attacks on the DNS
11.13 Summary
11.14 References

Chapter 12 TCP: The Transmission Control Protocol (Preliminaries)
12.1 Introduction
12.1.1 ARQ and Retransmission
12.1.2 Windows of Packets and Sliding Windows
12.1.3 Variable Windows: Flow Control and Congestion Control
12.1.4 Setting the Retransmission Timeout
12.2 Introduction to TCP
12.2.1 The TCP Service Model
12.2.2 Reliability in TCP
12.3 TCP Header and Encapsulation
12.4 Summary
12.5 References

Chapter 13 TCP Connection Management
13.1 Introduction
13.2 TCP Connection Establishment and Termination
13.2.1 TCP Half-Close
13.2.2 Simultaneous Open and Close
13.2.3 Initial Sequence Number (ISN)
13.2.4 Example
13.2.5 Timeout of Connection Establishment
13.2.6 Connections and Translators
13.3 TCP Options
13.3.1 Maximum Segment Size (MSS) Option
13.3.2 Selective Acknowledgment (SACK) Options
13.3.3 Window Scale (WSCALE or WSOPT) Option
13.3.4 Timestamps Option and Protection against Wrapped Sequence Numbers (PAWS)
13.3.5 User Timeout (UTO) Option
13.3.6 Authentication Option (TCP-AO)
13.4 Path MTU Discovery with TCP
13.4.1 Example
13.5 TCP State Transitions
13.5.1 TCP State Transition Diagram
13.5.2 TIME_WAIT (2MSL Wait) State
13.5.3 Quiet Time Concept
13.5.4 FIN_WAIT_2 State
13.5.5 Simultaneous Open and Close Transitions
13.6 Reset Segments
13.6.1 Connection Request to Nonexistent Port
13.6.2 Aborting a Connection
13.6.3 Half-Open Connections
13.6.4 TIME-WAIT Assassination (TWA)
13.7 TCP Server Operation
13.7.1 TCP Port Numbers
13.7.2 Restricting Local IP Addresses
13.7.3 Restricting Foreign Endpoints
13.7.4 Incoming Connection Queue
13.8 Attacks Involving TCP Connection Management
13.9 Summary
13.10 References

Chapter 14 TCP Timeout and Retransmission
14.1 Introduction
14.2 Simple Timeout and Retransmission Example
14.3 Setting the Retransmission Timeout (RTO)
14.3.1 The Classic Method
14.3.2 The Standard Method
14.3.3 The Linux Method
14.3.4 RTT Estimator Behaviors
14.3.5 RTTM Robustness to Loss and Reordering
14.4 Timer-Based Retransmission
14.4.1 Example
14.5 Fast Retransmit
14.5.1 Example
14.6 Retransmission with Selective Acknowledgments
14.6.1 SACK Receiver Behavior
14.6.2 SACK Sender Behavior
14.6.3 Example
14.7 Spurious Timeouts and Retransmissions
14.7.1 Duplicate SACK (DSACK) Extension
14.7.2 The Eifel Detection Algorithm
14.7.3 Forward-RTO Recovery (F-RTO)
14.7.4 The Eifel Response Algorithm
14.8 Packet Reordering and Duplication
14.8.1 Reordering
14.8.2 Duplication
14.9 Destination Metrics
14.10 Repacketization
14.11 Attacks Involving TCP Retransmission
14.12 Summary
14.13 References

Chapter 15 TCP Data Flow and Window Management
15.1 Introduction
15.2 Interactive Communication
15.3 Delayed Acknowledgments
15.4 Nagle Algorithm
15.4.1 Delayed ACK and Nagle Algorithm Interaction
15.4.2 Disabling the Nagle Algorithm
15.5 Flow Control and Window Management
15.5.1 Sliding Windows
15.5.2 Zero Windows and the TCP Persist Timer
15.5.3 Silly Window Syndrome (SWS)
15.5.4 Large Buffers and Auto-Tuning
15.6 Urgent Mechanism
15.6.1 Example
15.7 Attacks Involving Window Management
15.8 Summary
15.9 References

Chapter 16 TCP Congestion Control
16.1 Introduction
16.1.1 Detection of Congestion in TCP
16.1.2 Slowing Down a TCP Sender
16.2 The Classic Algorithms
16.2.1 Slow Start
16.2.2 Congestion Avoidance
16.2.3 Selecting between Slow Start and Congestion Avoidance
16.2.4 Tahoe, Reno, and Fast Recovery
16.2.5 Standard TCP
16.3 Evolution of the Standard Algorithms
16.3.1 NewReno
16.3.2 TCP Congestion Control with SACK
16.3.3 Forward Acknowledgment (FACK) and Rate Halving
16.3.4 Limited Transmit
16.3.5 Congestion Window Validation (CWV)
16.4 Handling Spurious RTOs—the Eifel Response Algorithm
16.5 An Extended Example
16.5.1 Slow Start Behavior
16.5.2 Sender Pause and Local Congestion (Event 1)
16.5.3 Stretch ACKs and Recovery from Local Congestion
16.5.4 Fast Retransmission and SACK Recovery (Event 2)
16.5.5 Additional Local Congestion and Fast Retransmit Events
16.5.6 Timeouts, Retransmissions, and Undoing cwnd Changes
16.5.7 Connection Completion
16.6 Sharing Congestion State
16.7 TCP Friendliness
16.8 TCP in High-Speed Environments
16.8.1 HighSpeed TCP (HSTCP) and Limited Slow Start
16.8.2 Binary Increase Congestion Control (BIC and CUBIC)
16.9 Delay-Based Congestion Control
16.9.1 Vegas
16.9.2 FAST
16.9.3 TCP Westwood and Westwood+
16.9.4 Compound TCP
16.10 Bufferbloat
16.11 Active Queue Management and ECN
16.12 Attacks Involving TCP Congestion Control
16.13 Summary
16.14 References

Chapter 17 TCP Keepalive
17.1 Introduction
17.2 Description
17.2.1 Keepalive Examples
17.3 Attacks Involving TCP Keepalives
17.4 Summary
17.5 References

Chapter 18 Security: EAP, IPsec, TLS, DNSSEC, and DKIM
18.1 Introduction
18.2 Basic Principles of Information Security
18.3 Threats to Network Communication
18.4 Basic Cryptography and Security Mechanisms
18.4.1 Cryptosystems
18.4.2 Rivest, Shamir, and Adleman (RSA) Public Key Cryptography
18.4.3 Diffie-Hellman-Merkle Key Agreement (aka Diffie-Hellman or DH)
18.4.4 Signcryption and Elliptic Curve Cryptography (ECC)
18.4.5 Key Derivation and Perfect Forward Secrecy (PFS)
18.4.6 Pseudorandom Numbers, Generators, and Function Families
18.4.7 Nonces and Salt
18.4.8 Cryptographic Hash Functions and Message Digests
18.4.9 Message Authentication Codes (MACs, HMAC, CMAC, and GMAC)
18.4.10 Cryptographic Suites and Cipher Suites
18.5 Certificates, Certificate Authorities (CAs), and PKIs
18.5.1 Public Key Certificates, Certificate Authorities, and X.509
18.5.2 Validating and Revoking Certificates
18.5.3 Attribute Certificates
18.6 TCP/IP Security Protocols and Layering
18.7 Network Access Control: 802.1X, 802.1AE, EAP, and PANA
18.7.1 EAP Methods and Key Derivation
18.7.2 The EAP Re-authentication Protocol (ERP)
18.7.3 Protocol for Carrying Authentication for Network Access (PANA)
18.8 Layer 3 IP Security (IPsec)
18.8.1 Internet Key Exchange (IKEv2) Protocol
18.8.2 Authentication Header (AH)
18.8.3 Encapsulating Security Payload (ESP)
18.8.4 Multicast
18.8.5 L2TP/IPsec
18.8.6 IPsec NAT Traversal
18.8.7 Example
18.9 Transport Layer Security (TLS and DTLS)
18.9.1 TLS 1.2
18.9.2 TLS with Datagrams (DTLS)
18.10 DNS Security (DNSSEC)
18.10.1 DNSSEC Resource Records
18.10.2 DNSSEC Operation
18.10.3 Transaction Authentication (TSIG, TKEY, and SIG(0))
18.10.4 DNSSEC with DNS64
18.11 DomainKeys Identified Mail (DKIM)
18.11.1 DKIM Signatures
18.11.2 Example
18.12 Attacks on Security Protocols
18.13 Summary
18.14 References

Glossary of Acronyms
Index
