DOCSLIB.ORG

Pf3e Index.Pdf

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

INDEX Note: Pages numbers followed by f, n, priority-based queues, 136–145 or t indicate figures, notes, and tables, match rule for queue assignment, respectively. 137–138 overview, 134–135 Symbols performance improvement, 136–137 # (hash mark), 13, 15 queuing for servers in DMZ, ! (logical NOT) operator, 42 142–144 setting up, 135–136 A on FreeBSD, 135–136 on NetBSD, 136 Acar, Can Erkin, 173 on OpenBSD, 135 ACK (acknowledgment) packets transitioning to priority and class-based bandwidth allocation, queuing system, 131–133 139–140 anchors, 35–36 HFSC algorithm, 124, 126, 142 authpf program, 61, 63 priority queues, 132, 137–138 listing current contents of, 92 two-priority configuration, loading rules into, 92 120–121, 120n1 manipulating contents, 92 adaptive.end value, 188 relayd daemon, 74 adaptive firewalls, 97–99 restructuring rule set with, 91–94 adaptive.start value, 188 tagging to help policy routing, 93 advbase parameter, 153–154 ancontrol command, 46n1 advskew parameter, 153–154, 158–159 antispoof tool, 27, 193–195, 194f aggressive value, 192 ARP balancing, 151, 157–158 ALTQ (alternate queuing) framework, atomic rule set load, 21 9, 133–145, 133n2 authpf program, 59–63, 60 basic concepts, 134 basic authenticating gateways, class-based bandwidth allocation, 60–62 139–140 public networks, 62–63 overview, 135 queue definition, 139–140 tying queues into rule set, 140 B handling unwanted traffic, 144–145 bandwidth operating system-based queue actual available, 142–143 assignments, 145 class-based allocation of, 139–140 overloading to tiny queues, overview, 135 144 –145 queue definition, 139–140 HFSC algorithm, 140–142 tying queues into rule set, 140 overview, 135 queues for allocation of, 121–122 queue definition, 140–141 DMZ network with traffic tying queues into rule set, shaping, 128–130 141–142 fixed, 123–125 bandwidth, queues for allocation of load balancing, 157 (continued) load-balancing mode, 158 flexible, 125–128 setting up, 158–160 HFSC algorithm, 123 overview, 147–148 total usable, 122 carpdev option, 150, 152 Beck, Bob, 115 cbq (class-based) queues, 132–135 Berkeley Software Distributions. See definition, 139–140 BSDs (Berkeley Software tying into rule set, 140 Distributions); FreeBSD; cloneable interfaces, 55n4, 167 NetBSD; OpenBSD command succeeded message, 77 blacklisting, 101–103, 115 Common Address Redundancy block all rule, 19, 24, 61, 69 Protocol. See CARP block in all rule, 16 –17 complicated networks, 65–94 blocknonip option, 87–88 bridges, 86–91 block-policy option, 186–187 FreeBSD setup, 88–89 block rule, 13 NetBSD setup, 89–90 Brauer, Henning, 5, 133, 177 OpenBSD setup, 87–88 brconfig command, 87, 89 rule set, 90–91 bridges, 86–91, 86n5, 90f interface groups, 84–85 defined, 86 NAT, 79–84 pros and cons of, 86 DMZ, 80–81 rule set, 90–91 load balancing with setting up redirection, 81 on FreeBSD, 88–89 single NATed network, 81–84 on NetBSD, 89–90 nonroutable IPv4 addresses, 91–94 on OpenBSD, 87–88 establishing global rules, 91 brute-force attacks, 96–99 restructuring rule set with defined, 96 anchors, 91–94 expiring tables using pfctl, 99 packet tagging, 85–86 overview, 96 routable IPv4 addresses, 66–79, 67f setting up adaptive firewalls, 97–99 DMZ, 70–71, 70f BSDs (Berkeley Software load balancing with redirection, Distributions), 3–4, 3n3. 72–73 See also FreeBSD; NetBSD; load balancing with relayd, OpenBSD 73–79 configuration files, 7 macros, 66–67 Linux versus, 6–7 configuration files network interface naming FreeBSD, 7, 14–15 conventions, 6 NetBSD, 15–16 online resources, 201–203 OpenBSD, 7, 13 print resources, 204–205 tools for managing, 7–8, 11 Bytes In/Out statistics, 23 connection refused message, 18 content filtering, 100, 105, 107 C Core Force project, 5n7 Core Security, 5n7 CARP (Common Address Redundancy Protocol), 79 failover, 150–154 D kernel options, 150 DDoS (distributed denial-of-service) network interface setup with attacks, 187, 187n1 ifconfig, 151–154 sysctl values, 151 212 Index debugging, 197–199. See also logging sysctl values, 151 debug option, 190–191 load balancing versus, 158 troubleshooting-friendly networks, pfsync protocol, 154–155 37–38 rule set, 155–156 debug option, 52, 190–191 false positives, 102, 106, 110, 115 deep packet inspection, 2 FIFO (first in, first out), 120, demilitarized zone (DMZ). See DMZ 132–134, 137 demotion counter, 79, 153 file servers denial-of-service (DoS) attacks, 91, NAT, 79 168, 193n2 routable IPv4 addresses, 66–67 de Raadt, Theo, 4n4 file transfer protocol. See FTP dhclient command, 56–57, 59 firewalls, 3. See also bridges dhcpd program, 54 adaptive, 97–99 distributed denial-of-service (DDoS) simple gateways, 25–27 attacks, 187, 187n1 first in, first out (FIFO), 120, divert(4) sockets, 2 132–134, 137 diver t-to component, 36 flags S/SA keep state rule, 21 Dixon, Jason, 10 floating state policy, 187 dmesg command, 48–49, 209 Floeter, Reyk, 183 DMZ (demilitarized zone) flowd collector daemon, 177–182 NAT, 80–81 flowd-reader program, 178 –181 queuing for servers in, 142–144 flow-tools program, 177 routable IPv4 addresses, 70–71, 70f flush global state-tracking option, 97 testing rule set, 195–196, 195f fragment reassembly options, 192–193 with traffic shaping, 128–130, 128f frag value, 188 DNS, 22, 34n4, 66, 68 FreeBSD, 3n3, 5 documentation, 8 configuration files, 7 domain name lookups, 163–164, online resources, 204 166, 169 pfSense, 8 domain name resolution, 18, 20 setting up ALTQ framework on, domain names, 34 135–136 DoS (denial-of-service) attacks, 91, setting up bridges, 88–89 168, 193n2 setting up PF on, 13–15 DragonFly BSD, 3n3, 5–6, 12 spamd spam-deferral daemon, dropped packets, 128 101, 105 drop value, 186 wireless interface configuration, 50 wireless network setup, 58–59 E WPA access points, 52–53 FreeBSD Handbook, 14 echo requests/replies, 38–41, 53, 69, from keyword, 33 82, 90, 92 FTP (file transfer protocol), 35–37, Engen, Vegard, 62n5 53–54 expiretable tool, 99n4 fetching list data via, 102 ftp-proxy with diversion or F redirection, 36–37 history of, 35, 35n5 failover, 148–156 security challenges, 35 CARP, 79, 150 variations on ftp-proxy setup, 37 kernel options, 150 ftp-proxy command, 13 network interface setup with enabling, 36 ifconfig, 151–154 redirection, 36–37 reverse mode, 36–37 Index 213 ftpproxy_flags variable, 36–37 I FTPS, 35n6 IBM Christmas Tree EXEC worm, 2n1 fw_update script, 48 ICMP, 37–41, 41n7, 124, 140 bandwidth allocation, 124 G letting pass unconditionally, 38 grep program, 113, 178 letting pass while stopping probes greyexp value, 107 from elsewhere, 39 greylisting, 104–108 path MTU discovery, 40–41 compensating for unusual ICMP6, 38 situations, 113–114 letting pass unconditionally, 38 defined, 104 letting pass while stopping probes keeping lists in sync, 112–113 from elsewhere, 39 online resources, 205–206 path MTU discovery, 41 in practice, 107–108 if-bound policy, 187–188 setting up, 104–105, 107 if_bridge module, 88 greytrapping, 109–111, 115 ifconfig command, 46n1, 59, 109, 148 adding to list, 111–112 bridge setup, 87–89 deleting from list, 112 interface groups, 84–85 logging, 167, 176 MTU, 40 H redundancy and resource Hail Mary Cloud sequence of brute- availability, 150–155, force attempts, 98, 98n2 158–160 hardware, 5, 207–210 running status of interfaces, 30 helping hardware support wireless networks, 49–53, 56–59 efforts, 210 ifstated interface state daemon, 157 issues facing hardware support ILOVEYOU worm, 2n1 developers, 209 inserts statistic, 23 pool memory, 190 interface groups, 84–85 selecting, 208–209 Interface Stats statistics, 23 selecting for wireless networks, 48 interval value, 188 Harris, Evan, 104 IP-based load balancing, 157–158 Hartmeier, Daniel, 4–5, 132, 136 IPFilter subsystem, 4–5, 4n4, 4n5, 8–9 hash mark (#), 13, 15 IPsec HFSC (Hierarchical Fair Service filtering on encapsulation Curve) algorithm, 123, interfaces, 55, 55n4 125–126, 134–135, 140–142 state synchronization, 155 queue definition, 140–141 with UDP key exchange, 55 transitioning from ALTQ to IPv4, 23–24 priority and queuing network address translation, system, 132–133 28–29, 54 tying queues into rule set, 141–142 nonroutable addresses, 91–94 high-latency value, 192 establishing global rules, 91 hostapd command, 52–53 restructuring rule set with host command, 18, 22, 34 anchors, 91–94 hostnames, 34 packet forwarding, 30 HTTP, 68, 75, 77–79, 99 routable addresses, 31–32, 66–79 fetching list data via, 102 DMZ, 70–71 NetFlow data collection, 181 load balancing with relayd, HTTPS, 77, 79 73–79 214 Index load balancing with redirection, NetFlow data collection, 176–182 72–73 flowd collector daemon, 177–182 wireless networks, 49–50, 54, 58 pfflowd tool, 182 IPv6, 24, 30, 37–38, 41, 67, 71, 73, 75, 81 setting up sensor, 176–177 NAT versus, 28–29 packet path through rule set, release of, 28 164–165 wireless networks, 49–50, 54, 56–59 to several pflog interfaces, 167 SNMP tools and MIBs, 182–183 K to syslog, 167–169 tracking statistics for each rule with KAME project, 28, 28n3 labels, 169–171 keep state flags S/SA rule, 17n3 logical NOT (!) operator, 42 keep state rules, 16–17, 17n3, 21, 26, log keyword, 162, 167 26n1, 41, 68, 188 log (m atches) clause, 164–165 kernel memory, 189–190 Knight, Joel, 183 M L MAC addresses bridges, 87 labels, 169–171 filtering, 46–47, 46n2, 60 leaf queues, 126–127 IP-based load balancing, 157–158 limit option, 189 Mac OS X, 3n3 linkshare value, 140–141 macros Linux defined, 18–19 BSD versus, 6–7 defining, 18–19 network interface naming defining local network, 29 conventions, 6 expanding into separate
Recommended publications
  • Working with DHCP in Oracle® Solaris 11.2

    Working with DHCP in Oracle® Solaris 11.2

    ® Working With DHCP in Oracle Solaris 11.2 Part No: E36812 July 2014 Copyright © 1999, 2014, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable: U.S. GOVERNMENT END USERS. Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government. This software or hardware is developed for general use in a variety of information management applications.
  • Active-Active Firewall Cluster Support in Openbsd

    Active-Active Firewall Cluster Support in Openbsd

    Active-Active Firewall Cluster Support in OpenBSD David Gwynne School of Information Technology and Electrical Engineering, University of Queensland Submitted for the degree of Bachelor of Information Technology COMP4000 Special Topics Industry Project February 2009 to leese, who puts up with this stuff ii Acknowledgements I would like to thank Peter Sutton for allowing me the opportunity to do this work as part of my studies at the University of Queensland. A huge thanks must go to Ryan McBride for answering all my questions about pf and pfsync in general, and for the many hours working with me on this problem and helping me test and debug the code. Thanks also go to Theo de Raadt, Claudio Jeker, Henning Brauer, and everyone else at the OpenBSD network hackathons who helped me through this. iii Abstract The OpenBSD UNIX-like operating system has developed several technologies that make it useful in the role of an IP router and packet filtering firewall. These technologies include support for several standard routing protocols such as BGP and OSPF, a high performance stateful IP packet filter called pf, shared IP address and fail-over support with CARP (Common Address Redundancy Protocol), and a protocol called pfsync for synchronisation of the firewalls state with firewalls over a network link. These technologies together allow the deployment of two or more computers to provide redundant and highly available routers on a network. However, when performing stateful filtering of the TCP protocol with pf, the routers must be configured in an active-passive configuration due to the current semantics of pfsync.
  • Programmer's Guide

    Programmer's Guide

    Programmer’s Guide Release 2.2.0 January 16, 2016 CONTENTS 1 Introduction 1 1.1 Documentation Roadmap...............................1 1.2 Related Publications..................................2 2 Overview 3 2.1 Development Environment..............................3 2.2 Environment Abstraction Layer............................4 2.3 Core Components...................................4 2.4 Ethernet* Poll Mode Driver Architecture.......................6 2.5 Packet Forwarding Algorithm Support........................6 2.6 librte_net........................................6 3 Environment Abstraction Layer7 3.1 EAL in a Linux-userland Execution Environment..................7 3.2 Memory Segments and Memory Zones (memzone)................ 11 3.3 Multiple pthread.................................... 12 3.4 Malloc.......................................... 14 4 Ring Library 19 4.1 References for Ring Implementation in FreeBSD*................. 20 4.2 Lockless Ring Buffer in Linux*............................ 20 4.3 Additional Features.................................. 20 4.4 Use Cases....................................... 21 4.5 Anatomy of a Ring Buffer............................... 21 4.6 References....................................... 28 5 Mempool Library 31 5.1 Cookies......................................... 31 5.2 Stats.......................................... 31 5.3 Memory Alignment Constraints............................ 31 5.4 Local Cache...................................... 32 5.5 Use Cases....................................... 33 6
  • The Qosbox: Quantitative Service Differentiation in BSD Routers∗

    The Qosbox: Quantitative Service Differentiation in BSD Routers∗

    The QoSbox: Quantitative Service Differentiation in BSD Routers∗ Nicolas Christin Jorg¨ Liebeherr Information Networking Institute and The Edward S. Rogers Sr. Department of CyLab Japan Electrical and Computer Engineering Carnegie Mellon University University of Toronto 1-3-3-17 Higashikawasaki-cho 10 King’s College Road Chuo-ku, Kobe 650-0044, Japan Toronto, ON M5S 3G4, Canada [email protected] [email protected] Abstract We describe the design and implementation of the QoSbox, a configurable IP router that provides per-hop service differentiation on loss, delays and throughput to classes of traffic. The novel aspects of the QoSbox are that (1) the QoSbox does not rely on any external component (e.g., no traffic shaping and no admission control) to provide the desired service differentiation, but instead, (2) dynamically adapts packet forwarding and dropping decisions as a function of the instantaneous traffic arrivals and allows for temporary relaxation of some service objectives; also, (3) the QoSbox can enforce both absolute and proportional service differentiation on queuing delays, loss rates, and throughput at the same time. We focus on a publicly available implementation of the QoSbox in BSD-based PC-routers. We evaluate our implementation in a testbed of BSD routers over a FastEthernet network, and we sketch how the QoSbox can be implemented in high speed architectures. Keywords: Quality-of-Service Implementations, Service Differentiation, PC-Routers, BSD, High-Speed Networks. ∗Most of this work was done while both authors were with the University of Virginia. This work was supported in part by the National Science Foundation through grants ANI-9730103 and ANI-0085955.
  • Freebsd and Netbsd on Small X86 Based Systems

    Freebsd and Netbsd on Small X86 Based Systems

    FreeBSD and NetBSD on Small x86 Based Systems Dr. Adrian Steinmann <[email protected]> Asia BSD Conference in Tokyo, Japan March 17th, 2011 1 Introduction Who am I? • Ph.D. in Mathematical Physics (long time ago) • Webgroup Consulting AG (now) • IT Consulting Open Source, Security, Perl • FreeBSD since version 1.0 (1993) • NetBSD since version 3.0 (2005) • Traveling, Sculpting, Go AsiaBSDCon Tutorial March 17, 2011 in Tokyo, Japan “Installing and Running FreeBSD and NetBSD on Small x86 Based Systems” Dr. Adrian Steinmann <[email protected]> 2 Focus on Installing and Running FreeBSD and NetBSD on Compact Flash Systems (1) Overview of suitable SW for small x86 based systems with compact flash (CF) (2) Live CD / USB dists to try out and bootstrap onto a CF (3) Overview of HW for small x86 systems (4) Installation strategies: what needs special attention when doing installations to CF (5) Building your own custom Install/Maintenance RAMdisk AsiaBSDCon Tutorial March 17, 2011 in Tokyo, Japan “Installing and Running FreeBSD and NetBSD on Small x86 Based Systems” Dr. Adrian Steinmann <[email protected]> 3 FreeBSD for Small HW Many choices! – Too many? • PicoBSD / TinyBSD • miniBSD & m0n0wall • pfSense • FreeBSD livefs, memstick • NanoBSD • STYX. Others: druidbsd, Beastiebox, Cauldron Project, ... AsiaBSDCon Tutorial March 17, 2011 in Tokyo, Japan “Installing and Running FreeBSD and NetBSD on Small x86 Based Systems” Dr. Adrian Steinmann <[email protected]> 4 PicoBSD & miniBSD • PicoBSD (1998): Initial import into src/release/picobsd/ by Andrzej Bialecki <[email protected]
  • Install and Setup DHCP Service

    Install and Setup DHCP Service

    Install and setup DHCP Service Synopsis: DHCP or Dynamic Host Configuration Protocol allows for automatic management of IP addresses on your internal network. By providing DHCP on your LAN, you eliminate the bother of having to configure manually PCs, laptops, or smart phones. They will automatically get an IP address and be configured with default gateway and DNS server information. It is important that only one DHCP server be active on a network. So, check carefully any other network devices on your network, especially wireless Access Points, to be sure their DHCP service is disabled. I. Installation Log into the Freebsd system as root. (Assumes networking is already configured.) # # cd /usr/ports/net/isc-dhcp44-server && make install clean # II. Startup Configuration Enable DHCP daemon at startup and assign the internal LAN (sk0 in this project) interface; # # echo 'dhcpd_enable="YES"' >> /etc/rc.conf # echo 'dhcpd_ifaces="sk0"' >> /etc/rc.conf # III. Setup configuration file # # cd /usr/local/etc # If there is a dhcpd.conf file, rename it; # # mv dhcpd.conf dhcpd.conf.original # Copy the following text, modify for your personal use, and paste it into a new dhcpd.conf file. You will need to modify the subnet (i.e., your network zero) and mask, the IP pool range, the DNS server (in this case 8.8.8.8 is the Google DNS server), the domain name, the router/gateway and the broadcast address (i.e., your network 255). The settings shown assumes our LAN subnet will be the private range 192.168.1.0 to 192.168.1.255. This machine will have LAN address configured as 192.168.1.254 and will be the default gateway for the LAN network.
  • The Complete Freebsd

    The Complete Freebsd

    The Complete FreeBSD® If you find errors in this book, please report them to Greg Lehey <grog@Free- BSD.org> for inclusion in the errata list. The Complete FreeBSD® Fourth Edition Tenth anniversary version, 24 February 2006 Greg Lehey The Complete FreeBSD® by Greg Lehey <[email protected]> Copyright © 1996, 1997, 1999, 2002, 2003, 2006 by Greg Lehey. This book is licensed under the Creative Commons “Attribution-NonCommercial-ShareAlike 2.5” license. The full text is located at http://creativecommons.org/licenses/by-nc-sa/2.5/legalcode. You are free: • to copy, distribute, display, and perform the work • to make derivative works under the following conditions: • Attribution. You must attribute the work in the manner specified by the author or licensor. • Noncommercial. You may not use this work for commercial purposes. This clause is modified from the original by the provision: You may use this book for commercial purposes if you pay me the sum of USD 20 per copy printed (whether sold or not). You must also agree to allow inspection of printing records and other material necessary to confirm the royalty sums. The purpose of this clause is to make it attractive to negotiate sensible royalties before printing. • Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under a license identical to this one. • For any reuse or distribution, you must make clear to others the license terms of this work. • Any of these conditions can be waived if you get permission from the copyright holder. Your fair use and other rights are in no way affected by the above.
  • IP Filter - TCP/IP Firewall/NAT Software

    IP Filter - TCP/IP Firewall/NAT Software

    IP Filter - TCP/IP Firewall/NAT Software IP Filter Current version: 5.1.0 Next release status Patches for last release What's new ? Click here! Mailing list ? Send mail to [email protected] with "subscribe ipfilter" in the body of the mail. What is it ? IPFilter is a software package that can be used to provide network address translation (NAT) or firewall services. To use, it can either be used as a loadable kernel module or incorporated into your UNIX kernel; use as a loadable kernel module where possible is highly recommended. Scripts are provided to install and patch system files, as required. To see an overview of how IP Filter fits into the overall picture of TCP/IP with your kernel and the order in which the various phases of packet processing is done, click here. The IPFilter FAQ by Phil Dibowitz! It comes as a part of the following operating systems: FreeBSD-current (post 2.2) NetBSD-current (post 1.2) xMach Solaris 10 Open Solaris http://coombs.anu.edu.au/~avalon/ip-filter.html (1 of 7)19.2.2011 •. 14:01:49 IP Filter - TCP/IP Firewall/NAT Software It has been tested and run on: Solaris/Solaris-x86 2.3 - 9 SunOS 4.1.4 - 4.1.4 NetBSD 1.0 - 1.4 FreeBSD 2.0.0 - 2.2.8 BSD/OS-1.1 - 4 IRIX 6.2, 6.5 OpenBSD 2.0 - 3.5 Linux(*) 2.4 - 2.6 HP-UX 11.00 Tru64 5.1a AIX 5.3 ML05 QNX 6 Port * - It has been tested and shown to work on RedHat 9.0, SuSE 9.1 and will, in general work with 2.4 and 2.6 kernels.
  • Freebsd Handbook

    Freebsd Handbook

    FreeBSD Handbook http://www.freebsd.org/doc/en_US.ISO8859-1/books/han... FreeBSD Handbook The FreeBSD Documentation Project Copyright © 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013 The FreeBSD Documentation Project Welcome to FreeBSD! This handbook covers the installation and day to day use of FreeBSD 8.3-RELEASE and FreeBSD 9.1-RELEASE. This manual is a work in progress and is the work of many individuals. As such, some sections may become dated and require updating. If you are interested in helping out with this project, send email to the FreeBSD documentation project mailing list. The latest version of this document is always available from the FreeBSD web site (previous versions of this handbook can be obtained from http://docs.FreeBSD.org/doc/). It may also be downloaded in a variety of formats and compression options from the FreeBSD FTP server or one of the numerous mirror sites. If you would prefer to have a hard copy of the handbook, you can purchase one at the FreeBSD Mall. You may also want to search the handbook. REDISTRIBUTION AND USE IN SOURCE (XML DOCBOOK) AND 'COMPILED' FORMS (XML, HTML, PDF, POSTSCRIPT, RTF AND SO FORTH) WITH OR WITHOUT MODIFICATION, ARE PERMITTED PROVIDED THAT THE FOLLOWING CONDITIONS ARE MET: 1. REDISTRIBUTIONS OF SOURCE CODE (XML DOCBOOK) MUST RETAIN THE ABOVE COPYRIGHT NOTICE, THIS LIST OF CONDITIONS AND THE FOLLOWING DISCLAIMER AS THE FIRST LINES OF THIS FILE UNMODIFIED. 2. REDISTRIBUTIONS IN COMPILED FORM (TRANSFORMED TO OTHER DTDS, CONVERTED TO PDF, POSTSCRIPT, RTF AND OTHER FORMATS) MUST REPRODUCE THE ABOVE COPYRIGHT NOTICE, THIS LIST OF CONDITIONS AND THE FOLLOWING DISCLAIMER IN THE DOCUMENTATION AND/OR OTHER MATERIALS PROVIDED WITH THE DISTRIBUTION.
  • Implementing Ipv6: Experiences at KAME Project

    Implementing Ipv6: Experiences at KAME Project

    Implementing IPv6: experiences at KAME project Jun-ichiro Hagino, IIJ research laboratory itojun@{iijlab.net,kame.net} Outline What is IPv6, and why IPv6 (brief summary) What is KAME project Some technical insights observed at KAME Implmentation status What are the TODOs, issues from both specification/implementation What is IPv6? Expansion of address space - 32bit -> 128bit 32bit: 4.3 billion nodes maximum not sufficient, blocking new IP-based applications from appearing 128bit: 3.4 x 10^38 nodes maximum Make new technologies mandatory IPv4: designed in 1970’s IPv6: designed in 1990’s autoconfiguration, multicast, security, ... Why? - IPv4 address space is filled up, NAT is killing us all When? - Already there, so you should How? - (next slide) How to operate IPv6? IPv6 is "IP with bigger address space", almost no difference with IPv4 bigger address space makes a huge difference Base spec NAT-free 128bit address, simpler base header, extensible header format Enables many future application deployment and uses Routing - OSPFv3, RIPng, BGP4+ QoS - diffserv, RSVP (separate effort from IPv6 itself) more friendly than IPv4 Mobility - mobile-ip6 No foreign agent necessary Security - IPsec (separate effort from IPv6 itself) A "fully conformant IPv6 implementation" must have IPsec code Autoconfiguration stateless autoconf, DHCPv6 Multicast - PIM, MLD (= IGMP) Applications - HTTP, FTP, VoIP, whatever you do with IPv4 New applications would appear when IPv6 hits the critical mass Problem we had in 1995... IPv6 specification is out, but there’s
  • Utilising Configuration Management Node Data for Network Infrastructure

    Utilising Configuration Management Node Data for Network Infrastructure

    Aalto University School of Science Degree Programme in Computer Science and Engineering Lauri Tirkkonen Utilising configuration management node data for network infrastructure man- agement Master's Thesis Espoo, May 4, 2016 Supervisor: Professor Heikki Saikkonen Advisor: Jaakko Kotim¨akiM.Sc. (Tech.) Aalto University School of Science ABSTRACT OF Degree Programme in Computer Science and Engineering MASTER'S THESIS Author: Lauri Tirkkonen Title: Utilising configuration management node data for network infrastructure man- agement Date: May 4, 2016 Pages: 38 Major: Software Technology Code: T-106 Supervisor: Professor Heikki Saikkonen Advisor: Jaakko Kotim¨akiM.Sc. (Tech.) Configuration management software running on nodes solves problems such as configuration drift on the nodes themselves, but the necessary node configura- tion data can also be utilised in managing network infrastructure, for example to reduce configuration errors by facilitating node life cycle management. Many configuration management software systems depend on a working network, but we can utilise the data to create large parts of the network infrastructure config- uration itself using node data from the configuration management system before the nodes themselves are provisioned, as well as remove obsolete configuration as nodes are decommissioned. Keywords: configuration management, network infrastructure configura- tion, life cycle management Language: English 2 Aalto-yliopisto Perustieteiden korkeakoulu DIPLOMITYON¨ Tietotekniikan koulutusohjelma TIIVISTELMA¨ Tekij¨a: Lauri Tirkkonen
  • HP-UX Ipfilter Version A.03.05.13 Administrator's Guide

    HP-UX Ipfilter Version A.03.05.13 Administrator's Guide

    HP-UX IPFilter Version A.03.05.13 Administrator’s Guide HP-UX 11i v3 January 2007 HP Networking Manufacturing Part Number : 5991-7705 E0107 United States © Copyright 2001-2007 Hewlett-Packard Development Company, L.P. Legal Notices The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental, or consequential damages in connection with the furnishing, performance, or use of this material. Warranty A copy of the specific warranty terms applicable to your Hewlett-Packard product and replacement parts can be obtained from your local Sales and Service Office. U.S. Government License Proprietary computer software. Valid license from HP required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. Copyright Notice © Copyright 2001–2007 Hewlett-Packard Development Company, L.P. All rights reserved. Reproduction, adaptation, or translation of this document without prior written permission is prohibited, except as allowed under the copyright laws. Trademark Notices UNIX® is a registered trademark of The Open Group. ii Contents Preface: About This Document 1. Installing and Configuring HP-UX IPFilter Overview of HP-UX IPFilter Installation . 3 Installation and Configuration Checklist . 3 Step 1: Checking HP-UX IPFilter Installation Prerequisites .