What is KDB?
http://www.ibm.com/developerworks/linux/library/l-kdbug/
Q: Can we put assembly code in C?
Ans: Yes, with asm(" ");
Q: How to compile a shared object (SO)?
Ans: -fPIC (Position Independent Code)
http://tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html
Wednesday, February 24, 2010
IPsec, IPsec and NAT
IPsec types and their uses?
Problem with IPsec and NAT?
The IPsec Authentication Header (AH). AH runs the entire IP packet, including invariant header fields such as the source and destination IP address, through a message digest algorithm to produce a keyed hash. This hash is used by the recipient to authenticate the packet. If any field in the original IP packet is modified, authentication will fail and the recipient will discard the packet. AH is intended to prevent unauthorized modification, source spoofing, and man-in-the-middle attacks. But NAT, by definition, modifies IP packets. Therefore, AH + NAT simply cannot work.
When TCP or UDP are involved, as they are in transport mode ESP, there is a catch-22. Because NAT modifies the TCP packet, NAT must also recalculate the checksum used to verify integrity. If NAT updates the TCP checksum, ESP authentication will fail. If NAT does not update the checksum (for example, because the payload is encrypted), TCP verification will fail.
If the transport endpoint is under your control, you might be able to turn off checksum verification. In other words, ESP can pass through NAT in tunnel mode, or in transport mode with TCP checksums disabled or ignored by the receiver.
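A toy model of the two failure modes described above, as an added example that is not from the original post (the packet fields, addresses and AH key are all constructed): an AH-style keyed hash over the immutable IP header fields breaks as soon as NAT rewrites the source address, and a TCP checksum that NAT cannot recompute (because the TCP header sits inside ESP) fails at the receiver.

```python
import hmac, hashlib, struct
KEY = b"constructed-demo-key"  # constructed AH key for the example, not a real SA

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used by IPv4 and TCP."""
    if len(data) % 2: data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))

def ipv4_header(src: str, dst: str, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header: TTL 64, protocol 6 (TCP), header checksum left 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0, ip4(src), ip4(dst))

def tcp_segment(ip_hdr: bytes, sport: int, dport: int, data: bytes) -> bytes:
    """TCP header (no options) + data; the checksum covers a pseudo-header holding the IP addresses."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(hdr) + len(data))
    csum = inet_checksum(pseudo + hdr + data)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + data

def tcp_checksum_ok(ip_hdr: bytes, seg: bytes) -> bool:
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    return inet_checksum(pseudo + seg) == 0

def ah_icv(ip_hdr: bytes, payload: bytes) -> bytes:
    """AH-style ICV: keyed hash with the mutable fields (TTL, header checksum) zeroed; addresses stay covered."""
    immutable = ip_hdr[:8] + b"\x00" + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:]
    return hmac.new(KEY, immutable + payload, hashlib.sha256).digest()[:12]

def nat_rewrite(ip_hdr: bytes, seg: bytes, new_src: str, can_fix_tcp: bool):
    """Source NAT model: it can recompute the TCP checksum only when it can read the TCP header (not inside ESP)."""
    new_hdr = ip_hdr[:12] + ip4(new_src) + ip_hdr[16:]
    if can_fix_tcp:
        sport, dport = struct.unpack("!HH", seg[:4])
        seg = tcp_segment(new_hdr, sport, dport, seg[20:])
    return new_hdr, seg

def demo() -> dict:
    hdr = ipv4_header("10.0.0.5", "203.0.113.9", 20 + 4)  # constructed addresses
    seg = tcp_segment(hdr, 40000, 80, b"ping")
    icv = ah_icv(hdr, seg)                                 # ICV the sender would place in the AH
    h1, s1 = nat_rewrite(hdr, seg, "198.51.100.1", can_fix_tcp=True)   # plaintext TCP behind NAT
    h2, s2 = nat_rewrite(hdr, seg, "198.51.100.1", can_fix_tcp=False)  # TCP hidden inside transport-mode ESP
    return {"ah_verifies_after_nat": hmac.compare_digest(icv, ah_icv(h1, s1)),
            "tcp_ok_when_nat_fixes_checksum": tcp_checksum_ok(h1, s1),
            "tcp_ok_when_tcp_header_is_encrypted": tcp_checksum_ok(h2, s2)}
```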
Key exchange mechanism?
IPsec transport mode and tunnel mode: is the IP header encrypted?
Difference between IKEv1 and IKEv2?
http://www.netbsd.org/docs/network/ipsec/
Good information
http://unixwiz.net/techtips/iguide-ipsec.html
http://www.kame.net/newsletter/20001119/
Commands
setkey -D  : dump SAD (Security Association Database) entries (-D = dump)
setkey -PD : dump all SPD (Security Policy Database) entries
setkey -F  : flush SAD entries
setkey -FP : flush SPD (policy) entries
# IPsec with IKE, with pre-shared secret
racoon.conf
path pre_shared_key "/usr/local/v6/etc/psk.txt";
What is Diameter? How is it better than RADIUS?
Diameter is a more advanced protocol than RADIUS:
* More reliable: it uses TCP or SCTP
* Larger address space for attribute-value pairs (AVPs): identifiers are 4 bytes (32 bits instead of 8 bits)
RADIUS
* uses UDP
* identifiers are 1 byte, so only 256 attributes are supported
---Remote Authentication Dial In User Service (RADIUS)
The RADIUS server checks that the information is correct using authentication schemes such as PAP, CHAP or EAP.
The NAS (Network Access Server, e.g. ASN-GW) sends an Access-Request to the AAA server.
RADIUS UDP ports:
1812 for RADIUS Authentication and
1813 for RADIUS Accounting
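To make the identifier-width comparison concrete, this added example (not from the original post) encodes and parses the attribute formats of both protocols using constructed sample values: a RADIUS attribute type is one byte, so it cannot exceed 255, while a Diameter AVP code is 32 bits and may carry a Vendor-ID.

```python
import struct

def radius_attr(atype: int, value: bytes) -> bytes:
    """RADIUS attribute: 1-byte Type, 1-byte Length (covers Type+Length), Value.
    bytes([atype]) raises ValueError for a type above 255: 256 attribute types is the ceiling."""
    return bytes([atype, 2 + len(value)]) + value

def parse_radius_attrs(payload: bytes) -> list:
    attrs, off = [], 0
    while off < len(payload):
        if off + 2 > len(payload) or payload[off + 1] < 2 or off + payload[off + 1] > len(payload):
            raise ValueError("malformed RADIUS attribute at offset %d" % off)
        atype, alen = payload[off], payload[off + 1]
        attrs.append((atype, payload[off + 2:off + alen]))
        off += alen
    return attrs

def diameter_avp(code: int, value: bytes, vendor: int = None) -> bytes:
    """Diameter AVP: 4-byte Code, 1-byte Flags, 3-byte Length (covers the header),
    4-byte Vendor-ID when the V flag (0x80) is set, data padded to a 32-bit boundary."""
    hdr_len = 12 if vendor is not None else 8
    alen = hdr_len + len(value)
    out = struct.pack("!IBBH", code, 0x80 if vendor is not None else 0, alen >> 16, alen & 0xFFFF)
    if vendor is not None:
        out += struct.pack("!I", vendor)
    return out + value + b"\x00" * (-alen % 4)

def parse_diameter_avps(payload: bytes) -> list:
    avps, off = [], 0
    while off < len(payload):
        if off + 8 > len(payload):
            raise ValueError("truncated Diameter AVP header at offset %d" % off)
        code, flags, len_hi, len_lo = struct.unpack("!IBBH", payload[off:off + 8])
        alen, hdr_len = (len_hi << 16) | len_lo, 12 if flags & 0x80 else 8
        if alen < hdr_len or off + alen > len(payload):
            raise ValueError("malformed Diameter AVP at offset %d" % off)
        vendor = struct.unpack("!I", payload[off + 8:off + 12])[0] if hdr_len == 12 else None
        avps.append((code, vendor, payload[off + hdr_len:off + alen]))
        off += alen + (-alen % 4)  # skip padding to the next 32-bit boundary
    return avps

# Constructed sample payloads (not captured traffic). RADIUS types 1 and 6 are User-Name and
# Service-Type; Diameter code 1 is User-Name; code 70000 is a made-up code that needs more than 8 bits.
RADIUS_SAMPLE = radius_attr(1, b"alice") + radius_attr(6, struct.pack("!I", 2))
DIAMETER_SAMPLE = diameter_avp(1, b"alice") + diameter_avp(70000, b"x", vendor=10415)
```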
dig utility for DNS lookup
The dig command includes some timing stats and the actual query that will be performed.
nslookup is also there,
but dig (Domain Information Groper) gives more packet-level information:
OPCODE etc.
The host command is also useful.
Ref:
http://uw713doc.sco.com/en/NET_tcpip/dnsC.nslook.html
Friday, February 19, 2010