DOCSLIB.ORG

Red Hat Enterprise Linux 3 Security Guide

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Red Hat Enterprise Linux 3 Security Guide Red Hat Enterprise Linux 3 Security Guide Red Hat Enterprise Linux 3: Security Guide Copyright © 2003 by Red Hat, Inc. Red Hat, Inc. 1801 Varsity Drive Raleigh NC 27606-2072 USA Phone: +1 919 754 3700 Phone: 888 733 4281 Fax: +1 919 754 3701 PO Box 13588 Research Triangle Park NC 27709 USA rhel-sg(EN)-3-Print-RHI (2003-07-25T17:12) Copyright © 2003 by Red Hat, Inc. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, V1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/). Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. Distribution of the work or derivative of the work in any standard (paper) book form for commercial purposes is prohibited unless prior permission is obtained from the copyright holder. Red Hat, Red Hat Network, the Red Hat "Shadow Man" logo, RPM, Maximum RPM, the RPM logo, Linux Library, PowerTools, Linux Undercover, RHmember, RHmember More, Rough Cuts, Rawhide and all Red Hat-based trademarks and logos are trademarks or registered trademarks of Red Hat, Inc. in the United States and other countries. Linux is a registered trademark of Linus Torvalds. Motif and UNIX are registered trademarks of The Open Group. XFree86 is a trademark of The XFree86 Project, Inc, and is pending registration. Intel and Pentium are registered trademarks of Intel Corporation. Itanium and Celeron are trademarks of Intel Corporation. AMD, Opteron, Athlon, Duron, and K6 are registered trademarks of Advanced Micro Devices, Inc. Netscape is a registered trademark of Netscape Communications Corporation in the United States and other countries. Java and Swing are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. or other countries. Oracle is a registered trademark, and Oracle8i, Oracle9i, and interMedia are trademarks or registered trademarks of Oracle Corporation. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. SSH and Secure Shell are trademarks of SSH Communications Security, Inc. FireWire is a trademark of Apple Computer Corporation. IBM, AS/400, OS/400, RS/6000, S/390, and zSeries are registered trademarks of International Business Machines Corporation. eServer, iSeries, and pSeries are trademarks of International Business Machines Corporation. All other trademarks and copyrights referred to are the property of their respective owners. The GPG fingerprint of the [email protected] key is: CA 20 86 86 2B D6 9D FC 65 F6 EC C4 21 91 80 CD DB 42 A6 0E Table of Contents Introduction..........................................................................................................................................i 1. Document Conventions.........................................................................................................ii 2. More to Come ...................................................................................................................... iv 2.1. Send in Your Feedback ......................................................................................... iv I. A General Introduction to Security ................................................................................................i 1. Security Overview................................................................................................................. 1 1.1. What is Computer Security? .................................................................................. 1 1.2. Security Controls ................................................................................................... 5 1.3. Conclusion ............................................................................................................. 6 2. Attackers and Vulnerabilities................................................................................................ 7 2.1. A Quick History of Hackers .................................................................................. 7 2.2. Threats to Network Security .................................................................................. 7 2.3. Threats to Server Security...................................................................................... 8 2.4. Threats to Workstation and Home PC Security ................................................... 10 II. Configuring Red Hat Enterprise Linux for Security................................................................ 11 3. Security Updates ................................................................................................................. 13 3.1. Updating Packages............................................................................................... 13 4. Workstation Security........................................................................................................... 19 4.1. Evaluating Workstation Security ......................................................................... 19 4.2. BIOS and Boot Loader Security .......................................................................... 19 4.3. Password Security................................................................................................ 22 4.4. Administrative Controls....................................................................................... 27 4.5. Available Network Services................................................................................. 33 4.6. Personal Firewalls................................................................................................ 35 4.7. Security Enhanced Communication Tools........................................................... 36 5. Server Security.................................................................................................................... 37 5.1. Securing Services With TCP Wrappers and xinetd .......................................... 37 5.2. Securing Portmap................................................................................................. 40 5.3. Securing NIS........................................................................................................ 40 5.4. Securing NFS....................................................................................................... 42 5.5. Securing the Apache HTTP Server...................................................................... 43 5.6. Securing FTP ....................................................................................................... 44 5.7. Securing Sendmail ............................................................................................... 47 5.8. Verifying Which Ports Are Listening .................................................................. 48 6. Virtual Private Networks..................................................................................................... 51 6.1. VPNs and Red Hat Enterprise Linux................................................................... 51 6.2. Crypto IP Encapsulation (CIPE).......................................................................... 51 6.3. Why Use CIPE? ................................................................................................... 52 6.4. CIPE Installation.................................................................................................. 53 6.5. CIPE Server Configuration .................................................................................. 53 6.6. Configuring Clients for CIPE .............................................................................. 54 6.7. Customizing CIPE ............................................................................................... 56 6.8. CIPE Key Management ....................................................................................... 57 6.9. IPsec..................................................................................................................... 57 6.10. IPsec Installation................................................................................................ 58 6.11. IPsec Host-to-Host Configuration...................................................................... 58 6.12. IPsec Network-to-Network configuration.......................................................... 60 7. Firewalls.............................................................................................................................. 65 7.1. Netfilter and IPTables .......................................................................................... 66 7.2. Using IPTables ..................................................................................................... 66 7.3. Common iptables Filtering.............................................................................. 68 7.4. FORWARD and NAT Rules..................................................................................... 69 7.5. DMZs and iptables .......................................................................................... 70 7.6. Viruses and Spoofed IP Addresses ...................................................................... 70 7.7. IP6Tables.............................................................................................................. 70 7.8. Additional Resources........................................................................................... 71 III. Assessing Your Security............................................................................................................
Load more

Recommended publications
  • Design and Implementation of Port Scanner and Sniffer
    DESIGN AND IMPLEMENTATION OF PORT SCANNER AND SNIFFER 1Snehal Dhabarde, 2Reshma Zade,3Nayan Paraswar, 4Samruddhi Sonak, Department of Information Technology, Rajiv Gandhi College of Engineering and Research Nagpur Email:[email protected],[email protected],3nayanparaswar [email protected],[email protected] Abstract: A port scanner is a piece of software Port scanning has different legitimate uses that it designed to search a network host for open performs in a system. It can be used to send a ports. The only way to track open ports is by request to connect to the aimed computer and using a port scanner, and the most accurate note the ports that responds or appears to open. port scanner will be an online port scan. This Port scanning is also used to configure project aims at the creation of a applications for network security to inform the comprehensive application, which can be used administrators in case they detect some at corporate environments. The port scanner connections across a wide range of ports from a and sniffer software is as simple as possible so single host. Port scanning may involve all of the that it can be configured even by a 65,535 ports or only the ports that are well- nontechnical person. This is often used by known to provide services vulnerable to different administrators to check the security of their security related exploits. If a port on a remote networks and by hackers to compromise it. host is open for incoming connection requests The main objective of this project is to scan and you send it a SYN packet, the remote host the various ports within a specified range.
    [Show full text]
  • Porte TCP/IP 19/09/2021
    1 MarkOne Tools Porte TCP/IP 19/09/2021 1 PORTS 0F TCP/IP Protocols and Services Introduction The port numbers are divided into three ranges: the Well Known Ports: are those from 0 through 1023. DCCP Well Known ports SHOULD NOT be used without IANA registration. The registration procedure is defined in [RFC4340], Section 19.9. the Registered Ports: are those from 1024 through 49151. DCCP Registered ports SHOULD NOT be used without IANA registration. The registration procedure is defined in [RFC4340], Section 19.9. the Dynamic and/or Private Ports: are those from 49152 through 65535 PLEASE NOTE THE FOLLOWING: 1. UNASSIGNED PORT NUMBERS SHOULD NOT BE USED. THE IANA WILL ASSIGN THE NUMBER FOR THE PORT AFTER YOUR APPLICATION HAS BEEN APPROVED. 2. ASSIGNMENT OF A PORT NUMBER DOES NOT IN ANY WAY IMPLY AN ENDORSEMENT OF AN APPLICATION OR PRODUCT, AND THE FACT THAT NETWORK TRAFFIC IS FLOW- ING TO OR FROM A REGISTERED PORT DOES NOT MEAN THAT IT IS "GOOD" TRAFFIC. FIREWALL AND SYSTEM ADMINISTRATORS SHOULD CHOOSE HOW TO CONFIGURE THEIR SYSTEMS BASED ON THEIR KNOWLEDGE OF THE TRAFFIC IN QUESTION, NOT WHETHER THERE IS A PORT NUMBER REGISTERED OR NOT. Socket: è costituito dal concatenamento di un indirizzo IP con il numero di porta di una specifica applicazione (p.es. 10.65.10.13:2001) TCP/IP protocols Port Name Alias 0 IP IP 1 icmp ICMP 3 ggp GGP 6 tcp TCP 8 egp EGP 12 pup PUP 17 udp UDP 20 hmp HMP 22 xns-idp XNS-IDP 27 rdp RDP 66 rvd RVD 1 last updated 2007-01-24 2 MarkOne Tools Porte TCP/IP 19/09/2021 WELL KNOWN PORT NUMBERS The Well Known Ports are assigned by the IANA and on most systems can only be used by system (or root) processes or by programs executed by privileged users.
    [Show full text]
  • GL550 Enterprise Linux Security Administration
    EVALUATION COPY Unauthorized Reproduction or Distribution Enterprise LinuxProhibited Security Administration Student Workbook EVALUATION COPY Unauthorized Reproduction GL550 ENTERPRISE LINUX SECURITY ADMINISTRATION RHEL7 SLES12 or Distribution The contents of this course and all its modules and related materials, including handouts to audience members, are copyright ©2017 Guru Labs L.C. No part of this publication may be stored in a retrieval system, transmitted or reproduced in any way, including, but not limited to, photocopy, photograph, magnetic, electronic or other record, without the prior written permission of Guru Labs. This curriculum contains proprietary information which is for the exclusive use of customers of Guru Labs L.C., and is not to be shared with personnel other than those in attendance at this course. This instructional program, including all material provided herein, is supplied without any guarantees from Guru Labs L.C. Guru Labs L.C. assumes no liability for damages or legal action arising from Prohibited the use or misuse of contents or details contained herein. Photocopying any part of this manual without prior written consent of Guru Labs L.C. is a violation of federal law. This manual should not appear to be a photocopy. If you believe that Guru Labs training materials are being photocopied without permission, please email [email protected] or call 1-801-298-5227. Guru Labs L.C. accepts no liability for any claims, demands, losses, damages, costs or expenses suffered or incurred howsoever arising from or in
    [Show full text]
  • Prosafe Gigabit Quad WAN SSL VPN Firewall SRX5308 CLI Reference Manual
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 CLI Reference Manual 350 East Plumeria Drive San Jose, CA 95134 USA August 2012 202-11138-01 v1.0 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 © 2012 NETGEAR, Inc. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of NETGEAR, Inc. NETGEAR, the NETGEAR logo, and Connect with Innovation are trademarks and/or registered trademarks of NETGEAR, Inc. and/or its subsidiaries in the United States and/or other countries. Information is subject to change without notice. Other brand and product names are registered trademarks or trademarks of their respective holders. © 2012 All rights reserved. Technical Support Thank you for choosing NETGEAR. To register your product, get the latest product updates, get support online, or for more information about the topics covered in this manual, visit the Support website at http://support.netgear.com. Phone (US & Canada only): 1-888-NETGEAR Phone (Other Countries): Check the list of phone numbers at http://support.netgear.com/app/answers/detail/a_id/984. Statement of Conditions To improve internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use, or application of, the product(s) or circuit layout(s) described herein. Revision History Publication Part Number Version Publish Date Comments 202-11138-01 1.0 August 2012 First publication 2 Contents Chapter 1 Introduction Command Syntax and Conventions.
    [Show full text]
  • Presentations Made by Senders
    SES ���� ��� � �� � � � � � � � ������������� DomainKeys ��������� SPF ��������������������� ���������� ����������������� ������������������������������������������������ Contents Introduction 3 Deployment: For Email Receivers 6 Audience 3 Two Sides of the Coin 6 How to Read this White Paper 3 Recording Trusted Senders Who Passed Authentication 6 A Vision for Spam-Free Email 4 Whitelisting Incoming Forwarders 6 The Problem of Abuse 4 What To Do About Forgeries 6 The Underlying Concept 4 Deployment: For ISPs and Enterprises 7 Drivers; or, Who’s Buying It 4 Complementary considerations for ISPs 7 Vision Walkthrough 5 Deployment: For MTA vendors 8 About Sender Authentication 8 Which specification? 8 An Example 8 Conformance testing 8 History 8 Perform SRS and prepend headers when forwarding 8 How IP-based Authentication Works 9 Add ESMTP support for Submitter 8 The SPF record 9 Record authentication and policy results in the headers 8 How SPF Classic Works 9 Join the developers mailing list 8 How Sender ID works 9 Deployment: For MUA vendors 9 How Cryptographic Techniques Work 0 Displaying Authentication-Results 9 Using Multiple Approaches Automatic switching to port 587 9 Reputation Systems Deployment: For ESPs 20 Deployment: For Email Senders 2 Don’t look like a phisher! 20 First, prepare. 2 Delegation 20 Audit Your Outbound Mailstreams 2 Publish Appropriately 20 Construct the record 2 Deployment: For Spammers 2 Think briefly about PRA and Mail-From contexts. 3 Two Types of Spammers 2 Test the record, part 3 Publish SPF and sign with DomainKeys. 2 Put the record in DNS 3 Stop forging random domains. 2 Test the record, part 2 4 Buy your own domains. 2 Keep Track of Violations 4 Reuse an expired domain.
    [Show full text]
  • Annex Communications Server Network Administrator's Guide 166
    1\N"l:X COMMUNICATIONS SERVER Network Administrator's Guide )xy1og1ca] Copyright @ 1990 Xylogics, Inc. 166- 024- 000 Revision E November 1991 1\N-41:X COMMUNICATIONS SERVER Network Administrator's Guide 166-024-000 Revision E November 1991 Notice The information in this manual is subject to change without notice, and should not be construed as a commitment by Xylogics, Inc. Xylogics assumes no responsibility for any errors that may appear in this document. Annex, Annex II, Annex lie, Annexthree, and Annex 3 are trademarks of Xylogics, Inc. UNIX is a registered trademark of AT&T. Ethernet is a registered trademark of Xerox Corporation. IBM is a registered trademark of the International Business Machines Corporation. XENIX Is a trademark of Microsoft Corporation. LAT is a trademark of Digital Equipment Corporation. Postscript is a registered trademark of Adobe Systems Incorporated. Copyright© 1990 Xylogics, Inc. Printed in the USA. Contents Preface .................................................. xiii General . xiii Supported Version . xiv Printing Conventions . xiv Related Documents . xv Book A: Overview Chapter 1: Introduction to the Annex ....................... A-1 General . A-1 Annex Capabilities . A-2 Network Administrator (na) Utility . A-2 Command Line Interpreter (CLI) . A-3 Customizing the User Interface . A-3 Expedited Remote Procedure Call Daemon (erpcd) . A-3 Extensive Security System . A-3 Port Servers and Rotaries . A-4 UNIX Host-originated Connections.................................. A-5 Name Server Support . A-5 Network Management . A-6 Full Routing . A-6 Multi-protocol Support . A-7 Applications for the Annex . A-7 Connecting Terminals . A-7 Connecting Remote Hosts, Networks, and Annexes.................... A-8 Connecting PCs to the Network .
    [Show full text]
  • Appendix a Protocol Filters
    APPENDIX A Protocol Filters The tables in this appendix list some of the protocols that you can filter on the access point. In each table, the Protocol column lists the protocol name, the Additional Identifier column lists other names for the same protocol, and the ISO Designator column lists the numeric designator for each protocol. Cisco IOS Software Configuration Guide for Cisco Aironet Access Points A-1 Appendix A Protocol Filters Table A-1 EtherType Protocols Protocol Additional Identifier ISO Designator ARP — 0x0806 RARP — 0x8035 IP — 0x0800 Berkeley Trailer Negotiation — 0x1000 LAN Test — 0x0708 X.25 Level3 X.25 0x0805 Banyan — 0x0BAD CDP — 0x2000 DEC XNS XNS 0x6000 DEC MOP Dump/Load — 0x6001 DEC MOP MOP 0x6002 DEC LAT LAT 0x6004 Ethertalk — 0x809B Appletalk ARP Appletalk 0x80F3 AARP IPX 802.2 — 0x00E0 IPX 802.3 — 0x00FF Novell IPX (old) — 0x8137 Novell IPX (new) IPX 0x8138 EAPOL (old) — 0x8180 EAPOL (new) — 0x888E Telxon TXP TXP 0x8729 Aironet DDP DDP 0x872D Enet Config Test — 0x9000 NetBUI — 0xF0F0 Cisco IOS Software Configuration Guide for Cisco Aironet Access Points A-2 Appendix A Protocol Filters Table A-2 IP Protocols Protocol Additional Identifier ISO Designator dummy — 0 Internet Control Message Protocol ICMP 1 Internet Group Management Protocol IGMP 2 Transmission Control Protocol TCP 6 Exterior Gateway Protocol EGP 8 PUP — 12 CHAOS — 16 User Datagram Protocol UDP 17 XNS-IDP IDP 22 ISO-TP4 TP4 29 ISO-CNLP CNLP 80 Banyan VINES VINES 83 Encapsulation Header encap_hdr 98 Spectralink Voice Protocol SVP 119 Spectralink raw
    [Show full text]
  • Nmap Tutorial 1/10 2004-10-10 Lätt Redigerad Av Jan-Erik Jonsson
    NMap tutorial 1/10 2004-10-10 Lätt redigerad av Jan-Erik Jonsson Basic Scan Types [-sT, -sS] TCP connect() Scans [-sT] SYN Stealth Scanning [-sS] FIN, Null and Xmas Tree Scans [- sF, -sN, -sX] Ping Scanning [-sP] UDP Scans [-sU] IP Protocol Scans [-sO] Idle Scanning [-sI] ACK Scan [-sA] Window Scan, RPC Scan, List Scan [-sW, -sR, -sL] Timing And Hiding Scans Timing Decoys FTP Bounce Turning Pings Off Fragmenting Idle Scanning http://www.security-forums.com/forum/viewtopic.php?t=7872 NMAP - A Stealth Port Scanner by Andrew J. Bennieston 1 INTRODUCTION ................................................................................................................................................. 2 2 DISCLAIMER...................................................................................................................................................... 2 3 BASIC SCAN TYPES [-ST, -SS] ........................................................................................................................... 2 3.1 TCP connect() Scans [-sT]........................................................................................................................ 2 3.2 SYN Stealth Scanning [-sS]....................................................................................................................... 2 4 FIN, NULL AND XMAS TREE SCANS [-SF, -SN, -SX] ......................................................................................... 3 5 PING SCANNING [-SP] ......................................................................................................................................
    [Show full text]
  • TCP/IP Alapok II
    Windows Server 2008 TCP/IP Alapok 2. kötet V1.0 Petrényi József 2010, Petrényi József 1.0 verzió, első kiadás Minden jog fenntartva. A könyv írása során a szerző és a kiadó a legnagyobb gondossággal és körültekintéssel igyekezett eljárni. Ennek ellenére előfordulhat, hogy némely információ nem pontos vagy teljes, esetleg elavulttá vált. Az algoritmusokat és módszereket mindenki csak saját felelősségére alkalmazza. Felhasználás előtt próbálja ki és döntse el saját maga, hogy megfelel-e a céljainak. A könyvben foglalt információk felhasználásából fakadó esetleges károkért sem a szerző, sem a kiadó nem vonható felelősségre. A cégekkel, termékekkel, honlapokkal kapcsolatos listák, hibák és példák kizárólag oktatási jelleggel kerülnek bemutatásra, kedvező vagy kedvezőtlen következtetések nélkül. Az oldalakon előforduló márka- valamint kereskedelmi védjegyek bejegyzőjük tulajdonában állnak. Microsoft Magyarország 2010 Köszönetnyilvánítás: Továbbra is hatalmas köszönet illeti Joseph Davies-t, alias Cable Guy-t az alapos, szemléletformáló írásaiért. A wikipedia most sem hazudtolta meg önmagát, mindenhez hozzá tudott szólni, igaz, nem mindig sikerült érdemben. De becsületesen próbálkozott. "- Felejtsük el az egészet, kedves Tót - mondta nagylelkűen -, és lássunk hozzá a dobozoláshoz. Minden percért kár. Leültek. Tót is. Ugyanaz a Tót, aki az imént még lefitymálta és asszonypepecselésnek nézte ezt a munkát, most örült, hogy dobozolhatott... Pedig senki se hívta; épp csak, hogy helyet szorítottak neki. Persze, akárhogy vigyázott, csupa félresikerült, pofoncsapott doboz került ki a keze alól, de szerencsére ezen se akadt föl senki, legföljebb elnézően összemosolyogtak. Helyreállt a béke. Hosszú negyedórákig senki se beszélt, csak a margóvágó friss kattogása hallatszott. Később friss levegő jött a hegyekből. Szemközt, a Bábony tisztásain a gyantaszüretelők tűzrakásai hunyorogtak. Tóték ezt se látták.
    [Show full text]
  • Surveying Port Scans and Their Detection Methodologies
    Surveying Port Scans and Their Detection Methodologies Monowar H Bhuyan1, D K Bhattacharyya1 and J K Kalita2 1Department of Computer Science & Engineering Tezpur University Napaam, Tezpur, Assam, India 2Department of Computer Science University of Colorado at Colorado Springs CO 80933-7150, USA Email: mhb,dkb @tezu.ernet.in, [email protected] { } Scanning of ports on a computer occurs frequently on the Internet. An attacker performs port scans of IP addresses to find vulnerable hosts to compromise. However, it is also useful for system administrators and other network defenders to detect port scans as possible preliminaries to more serious attacks. It is a very difficult task to recognize instances of malicious port scanning. In general, a port scan may be an instance of a scan by attackers or an instance of a scan by network defenders. In this survey, we present research and development trends in this area. Our presentation includes a discussion of common port scan attacks. We provide a comparison of port scan methods based on type, mode of detection, mechanism used for detection, and other characteristics. This survey also reports on the available datasets and evaluation criteria for port scan detection approaches. Keywords: TCP/IP, UDP, OS fingerprinting, coordinated scanning Received 21 May 2010; revised 23 August 2010 1. INTRODUCTION similar, except that a positive response from the target results in further communication to determine whether The Internet is a complex entity comprised of diverse the target is vulnerable to a particular exploit. As can networks, users, and resources. Most users are oblivious be found in [3], most attacks are preceded by some form to the design of the Internet and its components and of scanning activity, particularly vulnerability scanning.
    [Show full text]
  • VMG4825-B10A User's Guide
    VMG4825-B10A Wireless N VDSL2 IAD with USB Version 5.11 Edition 1, 05/2016 Quick Start Guide User’s Guide Default Login Details LAN IP Address http://192.168.1.1 Login admin, user www.zyxel.com Password 1234, user Copyright © 2016 ZyXEL Communications Corporation IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE. Screenshots and graphics in this book may differ slightly from your product due to differences in your product firmware or your computer operating system. Every effort has been made to ensure that the information in this manual is accurate. Related Documentation •Quick Start Guide The Quick Start Guide shows how to connect the VMG and access the Web Configurator. •More Information Go to support.zyxel.com to find other information on the VMG. VMG4825-B10A User’s Guide 2 Contents Overview Contents Overview User’s Guide .......................................................................................................................................14 Introducing the VMG ...............................................................................................................................15 The Web Configurator .............................................................................................................................22 Quick Start ...............................................................................................................................................29 Tutorials ..................................................................................................................................................32
    [Show full text]
  • 440GX Application Note
    440GX Application Note Overview of TCP/IP Acceleration Hardware January 22, 2008 Introduction Modern interconnect technology offers Gigabit/second (Gb/s) speed that has shifted the bottleneck in communica- tion from the physical connection to the protocol stack. In traditional systems, message processing by the operating system can use a significant number of CPU cycles. The TCP/IP Acceleration Hardware (TAH) sub- system of the 440GX offloads the checksum and segmentation aspects of protocol processing from the operating system, leaving the CPU free to dedicate more cycles to the application. This application note describes the fea- tures and benefits of TAH and its implementation in the 440GX. For additional information on the 440GX, please refer to http://www.amcc.com. TCP/IP Acceleration Hardware In the 440GX, TAH provides hardware acceleration functions for the two 10/100/gigabit Ethernet Media Access Controllers (EMACs) to improve bandwidth and lower CPU utilization. TAH provides checksum verification for TCP/ UDP/IP headers in the receive path, checksum generation for TCP/UDP/IP headers in the transmit path, and TCP segmentation support in the transmit path. TAH provides support for standard and jumbo packets. No acceleration functions are available for the two 10/100 EMACs. For receive packets, setting the Checksum Verification on Receive (CVR) bit in the accelerate mode register, TAHx_MR, enables hardware checksum verification for all incoming packets for a given EMAC/TAH. For transmitted packets, hardware generated checksums and/or packet segmentation is done on a per-packet basis. This is accomplished by setting the proper bits in the descriptor control/status field of the buffer descriptor.
    [Show full text]