18 Internet Protocols

Data and Computer Communications, Eighth Edition
by William Stallings
Lecture slides by Lawrie Brown

Chapter 18 – Internet Protocols

Protocol Functions
• have a small set of functions that form basis of all protocols
  • encapsulation
  • fragmentation and reassembly
  • connection control
  • ordered delivery
  • flow control
  • error control
  • addressing
  • multiplexing
  • transmission services
Encapsulation
• data usually transferred in blocks called Protocol Data Units (PDUs)
• have three categories of control
  • address
  • error-detecting code
  • protocol control
• encapsulation is addition of control information to data
• have many examples of PDUs in previous chapters
  • e.g. TFTP, HDLC, frame relay, ATM, AAL5, LLC, IEEE 802.3, IEEE 802.11

Fragmentation and Reassembly
• protocol exchanges data between two entities
• lower-level protocols may need to break data up into smaller blocks, called fragmentation
• for various reasons
  • network only accepts blocks of a certain size
  • more efficient error control & smaller retransmission units
  • fairer access to shared facilities
  • smaller buffers
• disadvantages
  • smaller buffers
  • more interrupts & processing time

PDUs and Fragmentation

Connection Control
• have connectionless data transfer
  • where each PDU treated independently
• and connection-oriented data transfer
  • involves a logical association, or connection, established between entities
  • preferred (even required) for lengthy data exchange or if protocol details are worked out dynamically
• three phases occur for connection-oriented
  • connection establishment
  • data transfer
  • connection termination

Phases of Connection Oriented Transfer

Connection Establishment
• entities agree to exchange data
• typically, one station issues connection request
  • may involve central authority
• receiving entity accepts or rejects (simple)
• may include negotiation
  • syntax, semantics, and timing
• both entities must use same protocol
  • may allow optional features
  • must be agreed

Data Transfer and Termination
• both data and control information exchanged
• data flow and acknowledgements may be in one or both directions
• one side may send termination request
• or central authority might terminate

Sequencing
• used by many, but not all, connection-oriented protocols
  • e.g. HDLC, IEEE 802.11
• connection-oriented protocols include some way of identifying connection
• have PDUs numbered sequentially
• each side tracks seq numbers in and out
• to support three main functions
  • ordered delivery
  • flow control
  • error control

Ordered Delivery
• risk PDUs may arrive out of order
• require PDU order must be maintained
• hence number PDUs sequentially
• easy to reorder received PDUs
• use finite sequence number field
  • numbers repeat modulo maximum number
  • max sequence number greater than max number of PDUs that could be outstanding

TCP/IP Concepts

Flow Control
• receiving entity limits amount / rate of data sent
• simplest protocol is stop-and-wait
• more efficient protocols use concept of credit
  • amount of data sent without acknowledgment
• must be implemented in several protocols
  • network traffic control
  • buffer space
  • application overflow
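The Ordered Delivery and Flow Control slides above describe a receiver that reorders sequentially numbered PDUs from a finite (modulo) sequence space and grants the sender a credit. The following is an added example, not code from the slides or the textbook: the sequence numbers, credit size and PDU contents are constructed, and the modulo-8 field is an assumption chosen to make wrap-around visible.

```python
# Added example (not from the slides): a receiver that reorders PDUs carrying a
# finite, modulo-N sequence number and grants the sender a credit (window).
# All sequence numbers and PDU contents below are constructed.

SEQ_BITS = 3          # 3-bit sequence number field: numbers repeat modulo 8
MOD = 1 << SEQ_BITS


def in_window(seq: int, base: int, credit: int) -> bool:
    """True if seq lies in the credit window [base, base + credit) modulo MOD.

    The slides' rule is that the maximum sequence number must exceed the
    maximum number of outstanding PDUs; this code keeps credit <= MOD/2 so that
    a delayed duplicate of an already delivered PDU can never land inside the
    window and be mistaken for new data.
    """
    if not 0 < credit <= MOD // 2:
        raise ValueError("credit must be between 1 and MOD/2")
    return (seq - base) % MOD < credit


class Receiver:
    def __init__(self, credit: int):
        self.credit = credit      # PDUs the sender may have unacknowledged
        self.expected = 0         # next in-order sequence number
        self.buffered = {}        # out-of-order PDUs waiting, keyed by seq
        self.delivered = []       # data passed up to the user, in order

    def receive(self, seq: int, data: str):
        """Accept one PDU; return the (ack, credit) the receiver would send back.

        ack is the next sequence number expected; anything outside the window
        (duplicate or beyond the granted credit) is discarded and re-acked.
        """
        if not in_window(seq, self.expected, self.credit):
            return self.expected, self.credit
        self.buffered.setdefault(seq, data)   # keep the first copy of a seq
        # deliver every PDU that is now contiguous with the expected number
        while self.expected in self.buffered:
            self.delivered.append(self.buffered.pop(self.expected))
            self.expected = (self.expected + 1) % MOD
        return self.expected, self.credit


def demo():
    """Constructed arrival order: reordering, a stale duplicate, and wrap-around."""
    rx = Receiver(credit=4)
    arrivals = [(0, "a"), (2, "c"), (1, "b"), (3, "d"), (5, "f"), (4, "e"),
                (6, "g"), (7, "h"), (6, "g"),   # second (6, g) is a late duplicate
                (0, "i"), (1, "j")]             # numbers wrap from 7 back to 0
    acks = [rx.receive(seq, data) for seq, data in arrivals]
    return "".join(rx.delivered), acks


if __name__ == "__main__":
    print(demo())
```

The window test `(seq - base) % MOD < credit` is what makes the finite field usable: the late duplicate of PDU 6 falls outside the window once the receiver expects 0 again, so it is dropped and re-acknowledged rather than delivered twice.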
Error Control
• to guard against loss or damage
• implemented as separate error detection and retransmission functions
  • sender inserts error-detecting code in PDU
  • receiver checks code on incoming PDU
  • if error, discard
  • if transmitter doesn't get acknowledgment in reasonable time, retransmit
• can use an error-correction code
  • enables receiver to detect and possibly correct errors
• performed at various protocol layers

Addressing
• addressing level
• addressing scope
• connection identifiers
• addressing mode

Addressing Level
• level in architecture where entity is named
• have a unique address for each intermediate and end system
  • usually a network-level address to route PDU
  • e.g. IP address or internet address
  • e.g. OSI - network service access point (NSAP)
• at destination data must be routed to some process
  • e.g. TCP/IP port
  • e.g. OSI service access point (SAP)

Addressing Scope
• global address which identifies unique system
  • unambiguous
  • synonyms permitted
  • system may have more than one global address
  • global applicability
  • enables internet to route data between any two systems
• need unique address for each interface on network
  • MAC address on IEEE 802 network and ATM host address
  • enables network to route data units through network
• only relevant for network-level addresses
  • port or SAP above network level is unique within system

Connection Identifiers
• used by both entities for future transmissions
• advantages:
  • reduced overhead since smaller
  • routing using a fixed route tagged by connection ID
  • multiplexing of multiple connections
  • use of state information

Addressing Mode
• address usually refers to single system
  • individual or unicast address
• can refer to more than one system for multiple simultaneous recipients for data
  • broadcast for all entities within domain
  • multicast for specific subset of entities

Multiplexing
• multiple connections into single system
  • e.g. frame relay, can have multiple data link connections terminating in single end system
  • e.g. multiple TCP connections to given system
• upward multiplexing
  • have multiple higher level connections over a single lower level connection
• downward multiplexing
  • have single higher level connection built on multiple lower level connections

Transmission Services
• may have additional services to entities:
• priority on connection basis or message basis
• quality of service
  • e.g. minimum throughput or maximum delay threshold
• security mechanisms, restricting access
• these depend on underlying transmission system and lower-level entities

Internetworking Terms
• communications Network
• internet
• the Internet
• intranet
• End System (ES)
• Intermediate System (IS)
• bridge
• router

Requirements of Internetworking
• link between networks
• routing and delivery of data between processes on different networks
• accounting services and status info
• independent of network architectures

Network Architecture Features
• addressing
• packet size
• access mechanism
• timeouts
• error recovery
• status reporting
• routing
• user access control
• connection based or connectionless

Architectural Approaches
• connection oriented
  • virtual circuit
• connectionless
  • datagram
• PDUs routed independently from source ES to dest ES through routers and networks
• share common network layer protocol, e.g. IP
• below have network access on each node

Connectionless Internetworking
• advantages
  • flexibility
  • robust
  • no unnecessary overhead
• unreliable
  • not guaranteed delivery
  • not guaranteed order of delivery
  • packets can take different routes
• reliability is responsibility of next layer up (e.g. TCP)

IP Operation

Design Issues
• routing
• datagram lifetime
• fragmentation and re-assembly
• error control
• flow control

The Internet as a Network

Routing
• ES / routers maintain routing tables
  • indicate next router to which datagram is sent
  • static
  • dynamic
• source routing
  • source specifies route to be followed
  • can be useful for security & priority
• route recording

Datagram Lifetime
• datagrams could loop indefinitely
  • consumes resources
• transport protocol may need upper bound on lifetime of a datagram
• can mark datagram with lifetime
  • Time To Live field in IP
  • when lifetime expires, datagram discarded
  • simplest is hop count
  • or time count

Fragmentation and Re-assembly
• may have different packet sizes on networks along path used by datagram
• issue of when to re-assemble
  • at destination
    • packets get smaller as data traverses internet
  • intermediate re-assembly
    • need large buffers at routers
    • buffers may fill with fragments
    • all fragments must go through same router

IP Fragmentation
• IP re-assembles at destination only
• uses fields in header
  • Data Unit Identifier (ID)
    • identifies end system originated datagram
  • Data length
    • length of user data in octets
  • Offset
    • position of fragment of user data in original datagram
    • in multiples of 64 bits (8 octets)
  • More flag
    • indicates that this is not the last fragment

Fragmentation Example

Dealing with Failure
• re-assembly may fail if some fragments get lost
• need to detect failure
• re-assembly time out
  • assigned to first fragment to arrive
  • if timeout expires before all fragments arrive, discard partial data
• use packet lifetime (time to live in IP)
  • if time to live runs out, kill partial data
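The IP Fragmentation and Dealing with Failure slides above describe the four header fields used to fragment at the source and reassemble at the destination only, with a reassembly timer started by the first fragment. The following is an added example, not code from the slides or the textbook: the Identification value, payload and clock times in `demo()` are constructed, and the `Fragment` class is a simplification that carries only the fields the slides name rather than a full IP header.

```python
# Added example (not from the slides): IPv4-style fragmentation at the source
# and destination-only reassembly with a reassembly timer. The Identification
# values, payloads and clock times used in demo() are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Fragment:
    ident: int      # Data Unit Identifier (the IP Identification field)
    offset: int     # position of this piece in the original data, in 8-octet units
    more: bool      # More flag: True on every fragment except the last
    data: bytes


def fragment(ident: int, data: bytes, max_payload: int) -> List[Fragment]:
    """Split data so that no fragment carries more than max_payload octets.

    Every fragment except the last must carry a multiple of 8 octets, because
    the offset field counts 8-octet (64-bit) units.
    """
    step = (max_payload // 8) * 8
    if step == 0:
        raise ValueError("max_payload must allow at least 8 octets of data")
    frags = []
    for pos in range(0, len(data), step):
        chunk = data[pos:pos + step]
        frags.append(Fragment(ident, pos // 8, pos + step < len(data), chunk))
    return frags


def _complete(pieces: Dict[int, Fragment], total: int) -> bool:
    """All pieces present, contiguous and non-overlapping, adding up to total.

    Checking contiguity rather than just summing lengths means overlapping or
    duplicated-offset fragments never produce a 'complete' datagram.
    """
    pos = 0
    for off in sorted(pieces):
        if off * 8 != pos:
            return False
        pos += len(pieces[off].data)
    return pos == total


class Reassembler:
    """Reassembly at the destination, keyed by Identification.

    A timer is started by the first fragment to arrive; if it expires before
    all fragments are in, the partial data is discarded (Dealing with Failure).
    """

    def __init__(self, timeout: float):
        self.timeout = timeout
        self.pending: Dict[int, dict] = {}

    def expire(self, now: float) -> int:
        """Drop every partial datagram whose timer has run out; return the count."""
        dead = [i for i, e in self.pending.items() if now - e["started"] > self.timeout]
        for i in dead:
            del self.pending[i]
        return len(dead)

    def receive(self, frag: Fragment, now: float) -> Optional[bytes]:
        """Store a fragment; return the whole datagram once it is complete."""
        self.expire(now)
        entry = self.pending.setdefault(
            frag.ident, {"started": now, "pieces": {}, "total": None})
        entry["pieces"].setdefault(frag.offset, frag)   # first arrival at an offset wins
        if not frag.more:
            entry["total"] = frag.offset * 8 + len(frag.data)
        if entry["total"] is not None and _complete(entry["pieces"], entry["total"]):
            data = b"".join(entry["pieces"][o].data for o in sorted(entry["pieces"]))
            del self.pending[frag.ident]
            return data
        return None


def demo():
    """Constructed run: a 20-octet datagram over a path that carries 9 octets of data."""
    data = bytes(range(20))
    frags = fragment(ident=7, data=data, max_payload=9)     # 8 + 8 + 4 octets
    rx = Reassembler(timeout=5.0)
    in_time = [rx.receive(f, now=t) for f, t in zip(frags, (0.0, 0.5, 1.0))]
    # same datagram again, but the last fragment is delayed past the timer
    late = [rx.receive(frags[0], 10.0), rx.receive(frags[1], 10.5),
            rx.receive(frags[2], 16.0)]
    return in_time, late, len(rx.pending)


if __name__ == "__main__":
    print(demo())
```

Two points worth noticing: the source rounds the fragment size down to a multiple of 8 because the offset field cannot express anything finer, and the receiver checks that the pieces tile the datagram exactly (no gaps, no overlaps) before declaring it complete, which is the check that stops fragments with overlapping offsets from being accepted as a valid datagram.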
Error Control
• no guaranteed delivery
• router should attempt to inform source if packet discarded
• source may modify transmission strategy
• may inform high layer protocol
• need datagram identification
• see ICMP in next section

Flow Control
• allows routers and/or stations to limit rate of incoming data
• limited in connectionless systems
• send flow control packets to request reduced flow
• see ICMP in next section

Internet Protocol (IP) v4
• IP version 4
• defined in RFC 791
• part of TCP/IP suite
• two parts
  • specification of interface with a higher layer
    • e.g. TCP
  • specification of actual protocol format and mechanisms
• will (eventually) be replaced by IPv6

IP Services
• Primitives
  • functions to be performed
  • form of primitive implementation dependent
  • Send - request transmission of data unit
  • Deliver - notify user of arrival of data unit
• Parameters
  • used to pass data and control info

IP Parameters
• source & destination addresses
• protocol
• type of service
• identification
• don't fragment indicator
• time to live
• data length
• option data
• user data

IP Options
• security
• source routing
• route recording
• stream identification
• timestamping

IPv4 Header

Header Fields (1)
• Version
  • currently 4
  • IP v6 - see later
• Internet header length
  • in 32 bit words
  • including options
• DS/ECN (was type of service)
• total length
  • of datagram, in octets

Header Fields (2)
• Identification
  • sequence number
  • identify datagram uniquely with addresses / protocol
• Flags
  • More bit
  • Don't fragment
• Fragmentation offset
• Time to live
• Protocol
  • Next higher layer to receive data field at destination

Header Fields (3)
• Header checksum
  • Re-verified and recomputed at each router
  • 16 bit ones complement sum of all 16 bit words in header
  • set to zero during calculation
• Source address
• Destination address
• Options
• Padding
  • to fill to multiple of 32 bits long

Data Field
• carries user data from next layer up
• integer multiple of 8 bits long (octet)
• max length of datagram (header plus data) is 65,535 octets
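The Header Fields slides above list the IPv4 header layout, the ones complement header checksum that every router re-verifies and recomputes, and (under Datagram Lifetime) the Time To Live decrement that eventually discards a looping datagram. The following is an added example, not code from the slides or the textbook: it builds a minimal RFC 791 header, parses it, and applies one hop of router processing. The addresses, Identification value and TTL in the example are constructed.

```python
# Added example (not from the slides): build, parse and forward an IPv4 header
# (RFC 791 layout), showing the header checksum the slides describe and the
# TTL decrement a router performs. Addresses and Identification are constructed.
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """Ones complement sum of 16-bit big-endian words, with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def header_checksum(header: bytes) -> int:
    """16-bit ones complement of the ones complement sum of the header words,
    with the checksum field (octets 10-11) taken as zero during calculation."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def build_header(src: str, dst: str, ttl: int = 64, protocol: int = 17,
                 payload_len: int = 0, ident: int = 0x1234) -> bytes:
    """Minimal 20-octet header (IHL = 5, no options), Don't Fragment set."""
    ihl = 5
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | ihl,         # version 4, header length in 32-bit words
                      0,                      # DS/ECN (was type of service)
                      ihl * 4 + payload_len,  # total length in octets
                      ident,                  # identification
                      0x4000,                 # flags DF=1, MF=0; fragment offset 0
                      ttl, protocol,
                      0,                      # checksum placeholder
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", header_checksum(hdr)) + hdr[12:]


def parse_header(pkt: bytes) -> dict:
    """Decode the fixed fields; checksum_ok is True when the ones complement sum
    of the whole header (checksum field included) is 0xFFFF."""
    if len(pkt) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, ds_ecn, total_length, ident, flags_frag,
     ttl, protocol, checksum) = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt) or total_length < ihl:
        raise ValueError("malformed IPv4 header")
    return {
        "ihl": ihl, "ds_ecn": ds_ecn, "total_length": total_length,
        "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": flags_frag & 0x1FFF,    # in 8-octet units
        "ttl": ttl, "protocol": protocol, "checksum": checksum,
        "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
        "options": pkt[20:ihl],
        "checksum_ok": ones_complement_sum(pkt[:ihl]) == 0xFFFF,
    }


def router_forward(pkt: bytes):
    """One hop of router processing: verify checksum, decrement TTL, discard the
    datagram when its lifetime expires, otherwise recompute and forward."""
    h = parse_header(pkt)
    if not h["checksum_ok"]:
        return None, "discard: bad header checksum"
    if h["ttl"] <= 1:
        # TTL would reach 0: discard; ICMP Time Exceeded would go to the source
        return None, "discard: time to live expired"
    out = bytearray(pkt)
    out[8] = h["ttl"] - 1
    out[10:12] = struct.pack("!H", header_checksum(bytes(out[:h["ihl"]])))
    return bytes(out), "forward"


def hops_until_discard(pkt: bytes) -> int:
    """Forward the datagram through successive routers until one discards it."""
    hops = 0
    while True:
        pkt, action = router_forward(pkt)
        if pkt is None:
            return hops
        hops += 1


if __name__ == "__main__":
    pkt = build_header("192.0.2.10", "198.51.100.20", ttl=3, payload_len=12)
    print(parse_header(pkt))
    print(hops_until_discard(pkt))    # forwarded twice, discarded by the third router
```

The verification trick is that a header whose checksum field is correct sums, in ones complement, to 0xFFFF; a router therefore needs no separate copy of the checksum to validate a header, but it must recompute the field after touching the TTL, otherwise the next hop will discard the datagram as corrupt.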
IPv4 Address Formats

IP Addresses - Class A
• start with binary 0
• all 0 reserved
• 01111111 (127) reserved for loopback
• range 1.x.x.x to 126.x.x.x
• all allocated

IP Addresses - Class B
• start with binary 10
• range 128.x.x.x to 191.x.x.x
• second octet also included in network address
• 2^14 = 16,384 class B addresses
• all allocated

IP Addresses - Class C
• start with binary 110
• range 192.x.x.x to 223.x.x.x
• second and third octet also part of network address
• 2^21 = 2,097,152 addresses
• nearly all allocated
• see IPv6

Subnets and Subnet Masks
• allows arbitrary complexity of internetworked LANs within organization
• insulate overall internet from growth of network numbers and routing complexity
• site looks to rest of internet like single network
• each LAN assigned subnet number
• host portion of address partitioned into subnet number and host number
• local routers route within subnetted network
• subnet mask indicates which bits are subnet number and which are host number

Subnet Mask Calculation
                                      Binary Representation                 Dotted Decimal
IP address                            11000000.11100100.00010001.00111001   192.228.17.57
Subnet mask                           11111111.11111111.11111111.11100000   255.255.255.224
Bitwise AND of address and mask
(resultant network/subnet number)     11000000.11100100.00010001.00100000   192.228.17.32
Subnet number                         11000000.11100100.00010001.001        1
Host number                           00000000.00000000.00000000.00011001   25
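The Subnet Mask Calculation table above works one address by hand; the classful slides before it give the leading-bit rules that decide how many of the mask's bits belong to the network number rather than the subnet number. The following is an added example, not code from the slides or the textbook, that performs the same calculation with integer bitwise operations and generalises it: it decodes the address class, checks that the mask is contiguous, and adds the "same subnet?" test a local router applies. The slide's 192.228.17.57 / 255.255.255.224 is reused; the neighbouring addresses in `demo()` are constructed.

```python
# Added example (not from the slides): classful address decoding and the subnet
# mask calculation worked in the slide, done with integer bitwise operations.
# The addresses in demo() are the slide's 192.228.17.57 / 255.255.255.224 plus
# constructed neighbours.


def to_int(dotted: str) -> int:
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("bad dotted decimal: %r" % dotted)
    return int.from_bytes(bytes(parts), "big")


def to_dotted(n: int) -> str:
    return ".".join(str(b) for b in n.to_bytes(4, "big"))


def to_binary(n: int) -> str:
    return ".".join("{:08b}".format(b) for b in n.to_bytes(4, "big"))


def address_class(dotted: str):
    """Return (class, number of network bits) from the leading bits of the address."""
    first = to_int(dotted) >> 24
    if first >> 7 == 0b0:
        return "A", 8
    if first >> 6 == 0b10:
        return "B", 16
    if first >> 5 == 0b110:
        return "C", 24
    return "D/E", None       # multicast / reserved: no network/host split


def subnet_calc(addr: str, mask: str) -> dict:
    """Split addr into network, subnet and host parts under mask."""
    a, m = to_int(addr), to_int(mask)
    cls, net_bits = address_class(addr)
    if net_bits is None:
        raise ValueError("class D/E addresses are not subnetted")
    ones = bin(m).count("1")
    contiguous = ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF) == m
    if not contiguous or ones < net_bits:
        raise ValueError("mask must be contiguous ones and cover the class network bits")
    host_bits = 32 - ones
    network = a & m                                   # bitwise AND of address and mask
    subnet_number = (a >> host_bits) & ((1 << (ones - net_bits)) - 1)
    host_number = a & ~m & 0xFFFFFFFF
    return {
        "class": cls,
        "network_subnet": to_dotted(network),
        "network_subnet_binary": to_binary(network),
        "subnet_bits": ones - net_bits,
        "subnet_number": subnet_number,
        "host_number": host_number,
        "hosts_per_subnet": (1 << host_bits) - 2,     # all-zeros and all-ones excluded
    }


def same_subnet(a: str, b: str, mask: str) -> bool:
    """The local-routing test: deliver directly if both addresses AND to the same number."""
    m = to_int(mask)
    return to_int(a) & m == to_int(b) & m


def demo():
    r = subnet_calc("192.228.17.57", "255.255.255.224")
    on_link = same_subnet("192.228.17.57", "192.228.17.40", "255.255.255.224")
    off_link = same_subnet("192.228.17.57", "192.228.17.70", "255.255.255.224")
    return r, on_link, off_link


if __name__ == "__main__":
    for k, v in demo()[0].items():
        print("%-24s %s" % (k, v))
    print(demo()[1:])
```

For the slide's address this reproduces network/subnet number 192.228.17.32, subnet number 1 and host number 25; the contiguity check rejects masks such as 255.255.0.255, which have no meaning as a network/host split even though the bitwise AND would still produce a value.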
Routing Using Subnets

ICMP Message Formats

ICMP
• Internet Control Message Protocol
• RFC 792 (get it and study it)
• transfer of (control) messages from routers and hosts to hosts
• feedback about problems
  • e.g. time to live expired
• encapsulated in IP datagram
  • hence not reliable

Common ICMP Messages
• destination unreachable
• time exceeded
• parameter problem
• source quench
• redirect
• echo & echo reply
• timestamp & timestamp reply
• address mask request & reply

Address Resolution Protocol (ARP)
• need MAC address to send to LAN host
  • manual
  • included in network address
  • use central directory
  • use address resolution protocol
• ARP (RFC 826) provides dynamic IP to ethernet address mapping
  • source broadcasts ARP request
  • destination replies with ARP response

IP Versions
• IP v 1-3 defined and replaced
• IP v4 - current version
• IP v5 - streams protocol
• IP v6 - replacement for IP v4
  • during development it was called IPng (IP Next Generation)

Why Change IP?
• Address space exhaustion
  • two level addressing (network and host) wastes space
  • network addresses used even if not connected
  • growth of networks and the Internet
  • extended use of TCP/IP
  • single address per host
• requirements for new types of service

IPv6 RFCs
• RFC 1752 - Recommendations for the IP Next Generation Protocol
  • requirements
  • PDU formats
  • addressing, routing, security issues
• RFC 2460 - overall specification
• RFC 2373 - addressing structure
• many others

IPv6 Enhancements
• expanded 128 bit address space
• improved option mechanism
  • most not examined by intermediate routers
• dynamic address assignment
• increased addressing flexibility
  • anycast & multicast
• support for resource allocation
  • labeled packet flows

IPv6 PDU (Packet) Structure

IP v6 Header

IP v6 Flow Label
• related sequence of packets needing special handling
• identified by src & dest addr + flow label
• router treats flow as sharing attributes
  • e.g. path, resource allocation, discard requirements, accounting, security
• may treat flows differently
  • buffer sizes, different forwarding precedence, different quality of service
• alternative to including all info in every header
• have requirements on flow label processing

IPv6 Addresses
• 128 bits long
• assigned to interface
  • single interface may have multiple unicast addresses
• three types of addresses:
  • unicast - single interface address
  • anycast - one of a set of interface addresses
  • multicast - all of a set of interfaces

IPv6 Extension Headers

Hop-by-Hop Options
• must be examined by every router
  • if unknown, discard/forward handling is specified
• next header
• header extension length
• options
  • Pad1
  • PadN
  • Jumbo payload
  • Router alert

Fragmentation Header
• fragmentation only allowed at source
• no fragmentation at intermediate routers
• node must perform path discovery to find smallest MTU of intermediate networks
  • set source fragments to match MTU
  • otherwise limit to 1280 octets
• header includes
  • fragment offset
  • more fragments bit
  • identification

Routing Header
• list of one or more intermediate nodes to visit
• header includes
  • Next Header
  • Header extension length
  • Routing type
  • Segments left
• Type 0 routing provides a list of addresses
  • initial destination address is first on list
  • current destination address is next on list
  • final destination address will be last in list

Destination Options Header
• carries optional info for destination node
• format same as hop-by-hop header
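The IPv6 Extension Headers slides above describe a chain of headers (Hop-by-Hop Options, Routing, Fragment, Destination Options) linked by the Next Header and Header Extension Length fields. The following is an added example, not code from the slides or the textbook: it constructs a packet carrying all four headers in that order and walks the chain the way a receiving node must, checking each length against Payload Length before trusting it. The addresses (from the 2001:db8::/32 documentation prefix), the flow label and the empty UDP payload are constructed.

```python
# Added example (not from the slides): build an IPv6 packet with a chain of
# extension headers and walk that chain the way a receiving node must, using
# the Next Header and Hdr Ext Len fields. Addresses, the flow label and the
# UDP payload are constructed (2001:db8::/32 is the documentation prefix).
import socket
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, UDP = 0, 43, 44, 60, 17
EXTENSION_HEADERS = {HOP_BY_HOP: "Hop-by-Hop Options", ROUTING: "Routing",
                     FRAGMENT: "Fragment", DEST_OPTS: "Destination Options"}


def _in6(addr: str) -> bytes:
    return socket.inet_pton(socket.AF_INET6, addr)


def ipv6_fixed(next_hdr: int, payload_len: int, src: str, dst: str,
               hop_limit: int = 64, flow_label: int = 0) -> bytes:
    """40-octet fixed header: version 6, traffic class 0, 20-bit flow label."""
    return struct.pack("!IHBB16s16s", (6 << 28) | (flow_label & 0xFFFFF),
                       payload_len, next_hdr, hop_limit, _in6(src), _in6(dst))


def pad_n(n: int) -> bytes:
    """PadN option (type 1) filling n octets; used to pad an 8-octet options header."""
    return bytes([1, n - 2]) + bytes(n - 2)


def options_hdr(next_hdr: int) -> bytes:
    """Hop-by-Hop or Destination Options header of minimum size (Hdr Ext Len = 0)."""
    return bytes([next_hdr, 0]) + pad_n(6)


def fragment_hdr(next_hdr: int, offset: int, more: bool, ident: int) -> bytes:
    """Fragment header: always 8 octets; offset in 8-octet units, M flag in bit 0."""
    return struct.pack("!BBHI", next_hdr, 0, (offset << 3) | int(more), ident)


def routing_hdr(next_hdr: int, rtype: int, segments_left: int, addrs) -> bytes:
    """Routing header; each listed address adds 16 octets = 2 units of Hdr Ext Len."""
    body = b"".join(_in6(a) for a in addrs)
    return struct.pack("!BBBB4x", next_hdr, 2 * len(addrs), rtype, segments_left) + body


def walk_extension_headers(pkt: bytes):
    """Return (chain of extension header names, upper-layer protocol, payload offset).

    Every length is checked against Payload Length before it is trusted, so a
    header claiming to extend past the packet raises instead of being read.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    end = 40 + payload_len
    if len(pkt) < end:
        raise ValueError("packet shorter than Payload Length")
    next_hdr, off, chain = pkt[6], 40, []
    while next_hdr in EXTENSION_HEADERS:
        if off + 8 > end:
            raise ValueError("truncated extension header")
        if next_hdr == HOP_BY_HOP and off != 40:
            raise ValueError("Hop-by-Hop Options must follow the fixed header")
        # Fragment header is fixed at 8 octets; the others carry Hdr Ext Len,
        # the length in 8-octet units not counting the first 8 octets.
        length = 8 if next_hdr == FRAGMENT else (pkt[off + 1] + 1) * 8
        if off + length > end:
            raise ValueError("extension header overruns Payload Length")
        chain.append(EXTENSION_HEADERS[next_hdr])
        next_hdr, off = pkt[off], off + length
    return chain, next_hdr, off


def demo():
    src, dst = "2001:db8::1", "2001:db8::2"
    udp = struct.pack("!HHHH", 53, 53, 8, 0)          # constructed empty UDP datagram
    ext = (options_hdr(ROUTING)
           + routing_hdr(FRAGMENT, 0, 1, ["2001:db8::ff"])
           + fragment_hdr(DEST_OPTS, 0, False, 0xABCD)
           + options_hdr(UDP))
    pkt = ipv6_fixed(HOP_BY_HOP, len(ext) + len(udp), src, dst, flow_label=0x1A2B) + ext + udp
    return walk_extension_headers(pkt)


if __name__ == "__main__":
    print(demo())
```

The walk shows why the Fragment header is special: it has no Header Extension Length field and is always 8 octets, so a parser that reads octet 1 as a length for every header type will misparse it. The Type 0 routing header used in `demo()` is the one the slide describes; RFC 5095 later deprecated it, and current nodes are expected to drop such packets rather than follow the address list.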
Virtual Private Networks
• set of computers interconnected using an insecure network
  • e.g. linking corporate LANs over Internet
• using encryption & special protocols to provide security
  • to stop eavesdropping & unauthorized users
• proprietary solutions are problematical
  • hence development of IPSec standard

IPSec
• RFC 1636 (1994) identified security need
• encryption & authentication to be IPv6
• but designed also for use with current IPv4
• applications needing security include:
  • branch office connectivity
  • remote access over Internet
  • extranet & intranet connectivity for partners
  • electronic commerce security

IPSec Scenario

IPSec Benefits
• provides strong security for external traffic
• resistant to bypass
• below transport layer hence transparent to applications
• can be transparent to end users
• can provide security for individual users if needed

IPSec Functions
• Authentication Header
  • for authentication only
• Encapsulating Security Payload (ESP)
  • for combined authentication/encryption
• a key exchange function
  • manual or automated
• VPNs usually need combined function
  • see chapter 21

Summary
• basic protocol functions
• internetworking principles
• connectionless internetworking
• IP
• IPv6
• IPSec