DOCSLIB.ORG

TCP/IP IP Ipv4 Packet Layout Ipv4 Packet Layout

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
TCP/IP IP Ipv4 Packet Layout Ipv4 Packet Layout IP • Internetworking protocol • Network layer TCP/IP • Common packet format for the Internet • Specifies what packets look like • Fragments long packets into shorter packets Emin Gun Sirer • Reassemblesfragments into original shape • Some parts are fundamental, and some are arbitrary • IPv4 is what most people use • IPv6 clears up some of the messy parts, but is not yet in wide use IPv4 packet layout IPv4 packet layout Version IHL TOS Total Length Version IHL TOS Total Length Identification Flags Fragment Offset Identification Flags Fragment Offset TTL Protocol Header Checksum TTL Protocol Header Checksum Source Address Source Address Destination Address Destination Address Options Options Data Data 1 IP Fragmentation IP Fragmentation Mechanics • Networks have different maximum packet sizes • IP divides a long datagram into N smaller • Big packets are sometimes desirable – less overhead datagrams • Huge packets are not desirable – reduced response time for others • Copies the header • Higher level protocols (e.g. TCP or UDP) could • Assigns a Fragment ID to each part figure out the max transfer unit and chop data into • Sets the More Fragments bit smaller packets • Receiving end puts the fragments together based • The endpoints do not necessarily know what the MTU is on the path on the new IP headers • The route can change underneath • Throws out fragments after a certain amount of • Consequently, IP transparently fragments and time if they have not be reassembled reassembles packets IP Options UDP • Source Routing: The source specifies the set of • Unreliable Datagram Protocol hosts that the packet should traverse • IP goes from host to host • Record Route: If this option appears in a packet, every router along a path attaches its own IP • We need a way to get datagrams from one address to the packet application to another • Timestamp: Every router along the route attaches • How do we identify applications on the a timestamp to the packet hosts ? • Security: Packets are marked with user info, and • Assign port numbers the security classification of the person on whose • E.g. port 13 belongs to the time service behalf they travel on the network • Most of these options pose security holes and are generally not implemented 2 UDP Packet Layout UDP Version IHL TOS Total Length • UDP is unreliable IP Identification Flags Fragment Offset • A UDP packet may get dropped at any time TTL Protocol Header Checksum • It may get duplicated Source Address • A series of UDP packets may get reordered Destination Address • Applications need to deal with reordering, UDP Source Port Destination Port duplicate suppression, reliable delivery Length Checksum • Some apps can ignore these effects and still function • Unreliable datagrams are the bare-bones network Data service • Good to build on, esp for multimedia applications • UDP adds Ports, Data Length and Data checksum TCP TCP/IP Packets • Transmission Control Protocol Version IHL TOS Total Length • Reliable, ordered communication IP Identification Flags Fragment Offset • Enough applications demand reliable ordered TTL Protocol Header Checksum delivery that they should not have to implement Source Address their own protocol Destination Address Source Port Destination Port • A standard, adaptive protocol that delivers good- Sequence Number enough performance and deals well with Acknowledgement Number congestion TCP Offset ACK|URG|SYN|FIN|RST Window • All web traffic travels over TCP/IP Checksum Urgent Pointer Options Padding Data 3 TCP Packets TCP Connections • Each packet carries a unique ID • TCP is connection oriented • The initial number is chosen randomly SYN • The ID is incremented by the data length • A connection is initiated with a three- • Each packet carries an acknowledgement SYN, ACK of SYN way handshake • Can acknowledge a set of packets by ack’ing the • Three-way handshake latest one received ensures against • Reliable transport is implemented using ACK of SYN duplicate SYN these identifiers packets • Takes 3 packets, 1.5 RTT Typical TCP Usage Reliable transport SYN • Three round-trips to set up a DATA, id=17 • TCP keeps a copy of all sent, SYN, ACK of SYN connection, send a data but unacknowledged packets packet, receive a response, DATA 23, ACK 17 • If acknowledgement does not ACK of SYN tear down connection arrive within a “send DATA • FINs work (mostly) like timeout” period, packet is SYNs to tear down DATA, id=18 resent connection DATA, ACK Send timeout • Send timeout adjusts to the • Need to wait after a FIN for round-trip delay FIN, ACK straggling packets FIN, ACK DATA, id=18 4 TCP timeouts TCP Windows • What is a good timeout period ? • Want to improve throughput without unnecessary transmissions NewAverageRTT = (1 - ?) OldAverageRTT + ? LatestRTT NewAverageDev = (1 - ?) OldAverageDev+ ? LatestDev where LatestRTT = ( ack_receive_time – send_time), LatestDev = |LatestRTT– AverageRTT|, ? = 1/8, typically. Timeout = AverageRTT + 4*AverageDev • Multiple outstanding packets can increase • Timeout is thus a function of RTT and deviation throughput TCP Windows TCP Congestion Control • Can have more than one • TCP Increases its window size as long as no DATA, id=17 packet in transit packets are dropped DATA, id=18 DATA, id=19 • Especially over fat pipes, e.g. • It halves the window size when a packet drop DATA, id=20 satellite connection occurs • A packet drop is evident from the acknowledgements • Need to keep track of all ACK 17 • Therefore, it will slowly build up to the max packets within the window bandwidth, and hover around the max ACK 18 • Need to adjust window size • It doesn’t achieve the max possible though ACK 19 • Instead, it shares the bandwidth well with other TCP connections ACK 20 • This linear-increase, exponential backoff in the face of congestion is termed TCP-friendliness 5 A D Bottleneck TCP Window Size B Link TCP Fairness • Linear increase • Want to • Exponential Max Bandwidth share the backoff bottleneck link fairly • Assuming no other losses in between two the network flows Bandwidth for Host A Bandwidth except those due to bandwidth Time Bandwidth for Host B TCP Slow Start TCP Slow Start • Linear increase takes a long time to build up a • Initial phase of window size that matches the link exponential bandwidth*delay Max Bandwidth increase • Most file transactions are not long enough • Consequently, TCP can spend a lot of time with • Assuming no small windows, never getting the chance to reach other losses in a sufficiently large window size the network • Fix: Allow TCP to build up to a large window size Bandwidth except those initially by doubling the window size until first due to loss bandwidth Time 6 TCP Summary • Reliable ordered message delivery • Connection oriented, 3-way handshake • Transmission window for better throughput • Timeouts based on link parameters • Congestion control • Linear increase, exponential backoff • Fast adaptation • Exponential increase in the initial phase 7.
Load more

Recommended publications
  • Ipv6-Ipsec And
    IPSec and SSL Virtual Private Networks ITU/APNIC/MICT IPv6 Security Workshop 23rd – 27th May 2016 Bangkok Last updated 29 June 2014 1 Acknowledgment p Content sourced from n Merike Kaeo of Double Shot Security n Contact: [email protected] Virtual Private Networks p Creates a secure tunnel over a public network p Any VPN is not automagically secure n You need to add security functionality to create secure VPNs n That means using firewalls for access control n And probably IPsec or SSL/TLS for confidentiality and data origin authentication 3 VPN Protocols p IPsec (Internet Protocol Security) n Open standard for VPN implementation n Operates on the network layer Other VPN Implementations p MPLS VPN n Used for large and small enterprises n Pseudowire, VPLS, VPRN p GRE Tunnel n Packet encapsulation protocol developed by Cisco n Not encrypted n Implemented with IPsec p L2TP IPsec n Uses L2TP protocol n Usually implemented along with IPsec n IPsec provides the secure channel, while L2TP provides the tunnel What is IPSec? Internet IPSec p IETF standard that enables encrypted communication between peers: n Consists of open standards for securing private communications n Network layer encryption ensuring data confidentiality, integrity, and authentication n Scales from small to very large networks What Does IPsec Provide ? p Confidentiality….many algorithms to choose from p Data integrity and source authentication n Data “signed” by sender and “signature” verified by the recipient n Modification of data can be detected by signature “verification”
    [Show full text]
  • 1. Ipv4 Sites Reaching Global Ipv4 Internet
    1. IPv4 Sites Reaching Global IPv4 Internet Private IPv4 Internet IPv4 NAT • Keep IPv4 service as unchanged as possible, even without enough addresses • Single global IPv4 address shared across more than one subscriber SP IPv6 Network Private Tunnel for IPv4 (public, private, port-limited, etc....) IPv4 Internet IPv4 • Scenario #2 - Service Providers Running out of Private IPv4 space • IPv4 / IPv6 encapsulations/tunnels • Tunnels setup by DHCP, Routing, etc. between a GW and Router • Wherever the NAT lands, it is important that the user keeps control of it • Provides a path to delivering IPv6 SP IPv6 Network Tunnel for IPv4 (public, private, port-limited, etc....) IPv4 Internet • Scenario #3a “Wireless Greenfield” • IPv4 / IPv6 encapsulations/tunnels • Tunnels setup between a host and a Router • IPv4 binding for host applications, transport over IPv6 • Wherever the NAT lands, it is important that the user keeps control of it 3 - 5 Translation Options IPv6 Internet IPv4 Internet IPv6 IPv4 My IPv6 Network IPv6 Internet IPv4 Internet • “Scenario #3” • NAT64/DNS64.... - Stateful, DNSSEC Challenges, DNS64 location, etc. My IPv6 Network IPv6 Internet IPv4 Internet • “Scenario #5” • IVI - NAT-PT..... Expose only certain IPv6 servers, etc. MY IPv4 Network IPv6 Internet IPv4 Internet • “Scenario #4” • NAT64 - 1:1, Stateless, DNSSEC OK, no DNS64 MY IPv4 Network IPv6 Internet IPv4 Internet • Already solved by existing transition mechanisms?? (teredo, etc). Scenarios 1 - 5 1. IPv4 Sites Reaching Global IPv4 Internet Private IPv4 Internet IPv4 NAT • Keep IPv4 service as unchanged as possible, even without enough addresses • Single global IPv4 address shared across more than one subscriber 2. Service Providers Running out of Private IPv4 space ISP Private IPv4 Private Network IPv4 IPv4 Internet • Service Providers with large, privately addressed, IPv4 networks • Organic growth plus pressure to free global addresses for customer use contribute to the problem • The SP Private networks in question generally do not need to reach the Internet at large 3.
    [Show full text]
  • Internet Protocol Suite
    InternetInternet ProtocolProtocol SuiteSuite Srinidhi Varadarajan InternetInternet ProtocolProtocol Suite:Suite: TransportTransport • TCP: Transmission Control Protocol • Byte stream transfer • Reliable, connection-oriented service • Point-to-point (one-to-one) service only • UDP: User Datagram Protocol • Unreliable (“best effort”) datagram service • Point-to-point, multicast (one-to-many), and • broadcast (one-to-all) InternetInternet ProtocolProtocol Suite:Suite: NetworkNetwork z IP: Internet Protocol – Unreliable service – Performs routing – Supported by routing protocols, • e.g. RIP, IS-IS, • OSPF, IGP, and BGP z ICMP: Internet Control Message Protocol – Used by IP (primarily) to exchange error and control messages with other nodes z IGMP: Internet Group Management Protocol – Used for controlling multicast (one-to-many transmission) for UDP datagrams InternetInternet ProtocolProtocol Suite:Suite: DataData LinkLink z ARP: Address Resolution Protocol – Translates from an IP (network) address to a network interface (hardware) address, e.g. IP address-to-Ethernet address or IP address-to- FDDI address z RARP: Reverse Address Resolution Protocol – Translates from a network interface (hardware) address to an IP (network) address AddressAddress ResolutionResolution ProtocolProtocol (ARP)(ARP) ARP Query What is the Ethernet Address of 130.245.20.2 Ethernet ARP Response IP Source 0A:03:23:65:09:FB IP Destination IP: 130.245.20.1 IP: 130.245.20.2 Ethernet: 0A:03:21:60:09:FA Ethernet: 0A:03:23:65:09:FB z Maps IP addresses to Ethernet Addresses
    [Show full text]
  • The Internet Protocol, Version 4 (Ipv4)
    Today’s Lecture I. IPv4 Overview The Internet Protocol, II. IP Fragmentation and Reassembly Version 4 (IPv4) III. IP and Routing IV. IPv4 Options Internet Protocols CSC / ECE 573 Fall, 2005 N.C. State University copyright 2005 Douglas S. Reeves 1 copyright 2005 Douglas S. Reeves 2 Internet Protocol v4 (RFC791) Functions • A universal intermediate layer • Routing IPv4 Overview • Fragmentation and reassembly copyright 2005 Douglas S. Reeves 3 copyright 2005 Douglas S. Reeves 4 “IP over Everything, Everything Over IP” IP = Basic Delivery Service • Everything over IP • IP over everything • Connectionless delivery simplifies router design – TCP, UDP – Dialup and operation – Appletalk – ISDN – Netbios • Unreliable, best-effort delivery. Packets may be… – SCSI – X.25 – ATM – Ethernet – lost (discarded) – X.25 – Wi-Fi – duplicated – SNA – FDDI – reordered – Sonet – ATM – Fibre Channel – Sonet – and/or corrupted – Frame Relay… – … – Remote Direct Memory Access – Ethernet • Even IP over IP! copyright 2005 Douglas S. Reeves 5 copyright 2005 Douglas S. Reeves 6 1 IPv4 Datagram Format IPv4 Header Contents 0 4 8 16 31 •Version (4 bits) header type of service • Functions version total length (in bytes) length (x4) prec | D T R C 0 •Header Length x4 (4) flags identification fragment offset (x8) 1. universal 0 DF MF s •Type of Service (8) e time-to-live (next) protocol t intermediate layer header checksum y b (hop count) identifier •Total Length (16) 0 2 2. routing source IP address •Identification (16) 3. fragmentation and destination IP address reassembly •Flags (3) s •Fragment Offset ×8 (13) e t 4. Options y IP options (if any) b •Time-to-Live (8) 0 4 ≤ •Protocol Identifier (8) s e t •Header Checksum (16) y b payload 5 •Source IP Address (32) 1 5 5 6 •Destination IP Address (32) ≤ •IP Options (≤ 320) copyright 2005 Douglas S.
    [Show full text]
  • SOCKS Protocol Version 6
    SOCKS Protocol Version 6 draft-olteanu-intarea-socks-6-08 Vladimir Olteanu IETF 106 What’s new ● DNS provided by SOCKS ● Options for Happy Eyeballs at the proxy Clients need DNS-like features ● A and AAAA – LD_PRELOAD for non-SOCKS-aware apps: gedaddrinfo() separate from connect() – Happy Eyeballs: need to do queries separately ● TXT – ESNI ● MX, Service Binding, etc. – <Insert future use case here> Providing DNS-like features ● Individual SOCKS options (removed in -08) – Have to keep up with use cases – Duplicate DNS functionality – Until -07: A, AAAA, PTR ● Having the client use DNS – Hard to convey policies: resolver IPs, plaintext / over TLS / over HTTPS etc., maybe credentials, etc. – Provide a DNS proxy Why not separate DNS from SOCKS? Client Proxy Server HTTP/SOCKS :1080 HTTP :80 DNS :53 Why not separate DNS from SOCKS? Client Proxy Server HTTP/SOCKS :1080 HTTP :80 DNS :53 WHICH TOR CIRCUIT? ● Need context for DNS query – Otherwise: privacy leaks, suboptimal CDN use DNS provided by SOCKS ● Clients make CONNECT request to 0.0.0.0:53 – Proxy needn’t provide a valid bind address ● Plaintext DNS over SOCKS (opt. over TLS) – TCP by default: SOCKS + UDP more cumbersome to use ● Implementation in Sixtysocks – Run separate DNS proxy locally – Translate 0.0.0.0:53 to 127.0.0.1:53 Happy Eyeballs ● RFC 8305: resolve and connect to a server using both IPv4 and IPv6, keep only one connection – Failover from IPv6 to IPv4 – Better responsiveness if one is faster ● Clients can implement Happy Eyeballs locally – Have DNS + CONNECT Happy Eyeballs:
    [Show full text]
  • 61A Lecture 35 Distributed Computing Internet Protocol Transmission
    Announcements • Homework 9 (6 pts) due Wednesday 11/26 @ 11:59pm ! Homework Party Monday 6pm-8pm in 2050 VLSB • Guest in live lecture, TA Soumya Basu, on Monday 11/24 • Optional Scheme recursive art contest due Monday 12/1 @ 11:59pm 61A Lecture 35 • No lecture on Wednesday 11/26 (turkey) • No lab on Tuesday 11/25 & Wednesday 11/26 • The week of 12/1: Homework 10 due Wednesday 12/3 & Quiz 3 due Thursday 12/4 on SQL Monday, November 24 ! The lab on SQL (12/2 & 12/3) will be an excellent place to get homework help 2 Distributed Computing A distributed computing application consists of multiple programs running on multiple computers that together coordinate to perform some task. • Computation is performed in parallel by many computers. • Information can be restricted to certain computers. • Redundancy and geographic diversity improve reliability. Distributed Computing Characteristics of distributed computing: • Computers are independent — they do not share memory. • Coordination is enabled by messages passed across a network. • Individual programs have differentiating roles. Distributed computing for large-scale data processing: • Databases respond to queries over a network. • Data sets can be partitioned across multiple machines (next lecture). 4 Network Messages Computers communicate via messages: sequences of bytes transmitted over a network. Messages can serve many purposes: • Send data to another computer • Request data from another computer • Instruct a program to call a function on some arguments. Internet Protocol • Transfer a program to be executed by another computer. Messages conform to a message protocol adopted by both the sender (to encode the message) & receiver (to interpret the message).
    [Show full text]
  • Domain Name System 1 Domain Name System
    Domain Name System 1 Domain Name System The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. A Domain Name Service translates queries for domain names (which are easier to understand and utilize when accessing the internet) into IP addresses for the purpose of locating computer services and devices worldwide. An often-used analogy to explain the Domain Name System is that it serves as the phone book for the Internet by translating human-friendly computer hostnames into IP addresses. For example, the domain name www.example.com translates to the addresses 192.0.43.10 (IPv4) and 2620:0:2d0:200::10 (IPv6). The Domain Name System makes it possible to assign domain names to groups of Internet resources and users in a meaningful way, independent of each entity's physical location. Because of this, World Wide Web (WWW) hyperlinks and Internet contact information can remain consistent and constant even if the current Internet routing arrangements change or the participant uses a mobile device. Internet domain names are easier to remember than IP addresses such as 208.77.188.166 (IPv4) or 2001:db8:1f70::999:de8:7648:6e8 (IPv6). Users take advantage of this when they recite meaningful Uniform Resource Locators (URLs) and e-mail addresses without having to know how the computer actually locates them. The Domain Name System distributes the responsibility of assigning domain names and mapping those names to IP addresses by designating authoritative name servers for each domain.
    [Show full text]
  • Nist Sp 800-77 Rev. 1 Guide to Ipsec Vpns
    NIST Special Publication 800-77 Revision 1 Guide to IPsec VPNs Elaine Barker Quynh Dang Sheila Frankel Karen Scarfone Paul Wouters This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-77r1 C O M P U T E R S E C U R I T Y NIST Special Publication 800-77 Revision 1 Guide to IPsec VPNs Elaine Barker Quynh Dang Sheila Frankel* Computer Security Division Information Technology Laboratory Karen Scarfone Scarfone Cybersecurity Clifton, VA Paul Wouters Red Hat Toronto, ON, Canada *Former employee; all work for this publication was done while at NIST This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-77r1 June 2020 U.S. Department of Commerce Wilbur L. Ross, Jr., Secretary National Institute of Standards and Technology Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology Authority This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130. Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority.
    [Show full text]
  • Guidelines for the Secure Deployment of Ipv6
    Special Publication 800-119 Guidelines for the Secure Deployment of IPv6 Recommendations of the National Institute of Standards and Technology Sheila Frankel Richard Graveman John Pearce Mark Rooks NIST Special Publication 800-119 Guidelines for the Secure Deployment of IPv6 Recommendations of the National Institute of Standards and Technology Sheila Frankel Richard Graveman John Pearce Mark Rooks C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 December 2010 U.S. Department of Commerce Gary Locke, Secretary National Institute of Standards and Technology Dr. Patrick D. Gallagher, Director GUIDELINES FOR THE SECURE DEPLOYMENT OF IPV6 Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations. National Institute of Standards and Technology Special Publication 800-119 Natl. Inst. Stand. Technol. Spec. Publ. 800-119, 188 pages (Dec. 2010) Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately.
    [Show full text]
  • Towards Securing the Internet of Things with QUIC
    Towards securing the Internet of Things with QUIC Lars Eggert Technical Director, Networking 2020-2-23 QUIC: a fast, secure, evolvable transport protocol for the Internet § Fast better user experience than TCP/TLS for HTTP and other content § Secure always-encrypted end-to-end security, resist pervasive monitoring § Evolvable prevent network from ossifying, can deploy new versions easily § Transport support TCP semantics & more (realtime media, etc.) provide better abstractions, avoid known TCP issues UDP CC TLS HTTP 2 © 2020 NetApp, Inc. All rights reserved. What motivated QUIC? 3 © 2020 NetApp, Inc. All rights reserved. The Internet hourglass Classical version email WWW phone... § Inspired by OSI “seven-layer” model Layer 7 § Minus presentation (6) and session (5) SMTP HTTP RTP... § “IP on everything” TCP UDP… Layer 4 § All link tech looks the same (approx.) § Transport layer provides IP Layer 3 communication abstractions to apps § Unicast/multicast ethernet PPP… § Multiplexing Layer 2 § Streams/messages CSMA async sonet... § Reliability (full/partial) Boardwatch Magazine, Aug. 1994. § Flow/congestion control copper fiber radio... Layer 1 § … Steve Deering. Watching the Waist of the Protocol Hourglass. Keynote, IEEE ICNP 1998, Austin, TX, USA. http://www.ieee- 4 © 2020 NetApp, Inc. All rights reserved. icnp.org/1998/Keynote.ppt The Internet hourglass 2015 version (ca.)In the meantime... § The waist has split: IPv4 and IPv6 • The interface at the endpoint is Applications Layer 7 largely§ TCP theis samedrowning as itout has UDP been: § HTTP and TLS are de facto part of HTTP • "Thetransport network is a file descriptor" TLS Layer 4 • The§ waistConsequence: of the hourglass web apps has on creptIPv4/6 TCP up to HTTP: even less flexible.
    [Show full text]
  • Internet Address Space: Economic Considerations in the Management of Ipv4”, OECD Digital Economy Papers, No
    Please cite this paper as: OECD (2008-06-18), “Internet Address Space: Economic Considerations in the Management of IPv4”, OECD Digital Economy Papers, No. 145, OECD Publishing, Paris. http://dx.doi.org/10.1787/230461618475 OECD Digital Economy Papers No. 145 Internet Address Space ECONOMIC CONSIDERATIONS IN THE MANAGEMENT OF IPV4 OECD DSTI/ICCP(2007)20/FINAL FOREWORD The report provides an analysis of economic considerations associated with the transition from IPv4 to IPv6. It provides background analysis supporting the forthcoming ICCP-organised Ministerial-level meeting on ―The Future of the Internet Economy‖, to take place in Seoul, Korea on 17-18 June 2008. This report was prepared by Ms. Karine Perset of the OECD‘s Directorate for Science Technology and Industry. It was declassified by the ICCP Committee at its 54th Session on 5-7 March 2008. It is published under the responsibility of the Secretary-General of the OECD. This paper has greatly benefited from the expert input of Geoff Huston from APNIC, David Conrad from the IANA, Patrick Grossetête from CISCO Systems, Bill Woodcock from Packet Clearing House, Marcelo Bagnulo Braun from the University of Madrid, Alain Durand from Comcast, and Vincent Bataille from Mulot Déclic, although interpretations, unless otherwise stated, are those of the author. 2 DSTI/ICCP(2007)20/FINAL TABLE OF CONTENTS FOREWORD ................................................................................................................................................... 2 MAIN POINTS ..............................................................................................................................................
    [Show full text]
  • Guidelines on Firewalls and Firewall Policy
    Special Publication 800-41 Revision 1 Guidelines on Firewalls and Firewall Policy Recommendations of the National Institute of Standards and Technology Karen Scarfone Paul Hoffman NIST Special Publication 800-41 Guidelines on Firewalls and Firewall Revision 1 Policy Recommendations of the National Institute of Standards and Technology Karen Scarfone Paul Hoffman C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 September 2009 U.S. Department of Commerce Gary Locke, Secretary National Institute of Standards and Technology Patrick D. Gallagher, Deputy Director GUIDELINES ON FIREWALLS AND FIREWALL POLICY Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations. National Institute of Standards and Technology Special Publication 800-41 Revision 1 Natl. Inst. Stand. Technol. Spec. Publ. 800-41 rev1, 48 pages (Sep. 2009) Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately.
    [Show full text]