TCP/IP is a protocol suite. Measured against the seven-layer OSI model, TCP/IP is divided into four layers: the application, transport, Internet and network interface layers.
TCP is generally said to belong to the transport layer, while IP belongs to the Internet layer.
Commonly used TCP/IP applications include ping, telnet, ftp and finger.
Configuring TCP/IP means setting the IP address, the subnet mask and the default gateway.
Checking TCP/IP correctly takes four steps: ping 127.0.0.1 (the loopback address) to confirm that TCP/IP is loaded; ping the host's own address to confirm that the client itself (mainly the network card) is working; ping the gateway to confirm that the local area network is working; and ping a routed address to confirm that everything works end to end. The fourth step is optional and usually not needed, but the theory is the foundation :-)
An IP address is made up of four binary octets. IP addresses are divided into classes A, B, C, D and E.
A class A address has a high-order bit of 0 and runs from 1.x.y.z to 126.x.y.z. A class B address has high-order bits 10 and runs from 128.x.y.z to 191.x.y.z. A class C address has high-order bits 110 and runs from 192.x.y.z to 223.x.y.z. Class D, with high-order bits 1110, is reserved. Class E, with high-order bits 1111, is used for research.
Here 255 is the broadcast address, and 127 is the loopback (internal return) address.
That is the beginning; there is a little more, but many things are still waiting to be done, sorry :-)
The following covers subnet configuration.
If a company is not connected to the Internet it need not worry about IP addresses, because any IP address can be used, whether class A or class B, and subnets are not an issue. Once connected to the Internet, however, IP addresses are precious. Today IP addresses are increasingly scarce and allocation is conservative; a registered IP address can only be used on the Internet, and a company can usually apply for no more than one class C. A company that needs to use that class C at several sites must therefore use subnets. This short document explains the principle of subnets and how to plan them.
Introduction to the subnet mask
Any device on a network, whether host, PC or router, must be given an IP address together with a so-called netmask. The main purpose of the netmask is to extract the network number from the IP address: the network number is the IP address ANDed with the netmask, as shown below.
IP address      192.10.10.6      11000000.00001010.00001010.00000110
Netmask         255.255.255.0    11111111.11111111.11111111.00000000
AND             -----------------------------------------------------
Network number  192.10.10.0      11000000.00001010.00001010.00000000
The netmask has a preset (default) value for each address class, as shown below.
Class   IP address range                Netmask
A       1.0.0.0 - 126.255.255.255       255.0.0.0
B       128.0.0.0 - 191.255.255.255     255.255.0.0
C       192.0.0.0 - 223.255.255.255     255.255.255.0
Only the values 255 and 0 appear in the preset netmasks, but when we talk about subnet masks the value is not necessarily 255.
In a complete class C such as 203.67.10.0 - 203.67.10.255, 203.67.10.0 is called the network number (the IP address ANDed with the netmask) and 203.67.10.255 is the broadcast IP address, so these two cannot be used; in practice only 254 IP addresses, 203.67.10.1 - 203.67.10.254, are usable. That is the result of a netmask of 255.255.255.0. A so-called subnet mask divides the whole class C into several network numbers by changing the netmask: to divide the class C into 4 network numbers, set the netmask to 255.255.255.192; to divide it into 8 network numbers, the netmask is 255.255.255.224. Why? As shown above, the network number is the IP address ANDed with the netmask: the bits that are 1 in the netmask are kept, and the bits that are 0 are cleared.
192.10.10.193    11000000.00001010.00001010.11000001
255.255.255.0    11111111.11111111.11111111.00000000
-----------------------------------------------------
192.10.10.0      11000000.00001010.00001010.00000000
The above is the result with 255.255.255.0 as the netmask: the network number is 192.10.10.0. With a netmask of 255.255.255.224 the result is different.
192.10.10.193    11000000.00001010.00001010.11000001
255.255.255.224  11111111.11111111.11111111.11100000
-----------------------------------------------------
192.10.10.192    11000000.00001010.00001010.11000000
Now the network number has become 192.10.10.192, which is a subnet.
How do we decide which netmask to use? 255.255.255.224 in binary is 11111111.11111111.11111111.11100000; the change is in the last octet, 11100000 = 224, whose three leading bits can represent 2^3 = 8 network numbers.
Netmask           Binary representation                  Number of networks
255.255.255.0     11111111.11111111.11111111.00000000    1
255.255.255.128   11111111.11111111.11111111.10000000    2
255.255.255.192   11111111.11111111.11111111.11000000    4
255.255.255.224   11111111.11111111.11111111.11100000    8
255.255.255.240   11111111.11111111.11111111.11110000    16
255.255.255.248   11111111.11111111.11111111.11111000    32
255.255.255.252   11111111.11111111.11111111.11111100    64
Using 255.255.255.224, the class C is divided into 8 network numbers as listed below, each with its network number, broadcast IP address and usable IP addresses.
No.  Network number   Broadcast        Usable IP addresses
1    203.67.10.0      203.67.10.31     203.67.10.1 - 203.67.10.30
2    203.67.10.32     203.67.10.63     203.67.10.33 - 203.67.10.62
3    203.67.10.64     203.67.10.95     203.67.10.65 - 203.67.10.94
4    203.67.10.96     203.67.10.127    203.67.10.97 - 203.67.10.126
5    203.67.10.128    203.67.10.159    203.67.10.129 - 203.67.10.158
6    203.67.10.160    203.67.10.191    203.67.10.161 - 203.67.10.190
7    203.67.10.192    203.67.10.223    203.67.10.193 - 203.67.10.222
8    203.67.10.224    203.67.10.255    203.67.10.225 - 203.67.10.254
To verify which network number an IP address belongs to, AND it with the netmask and compare with the table above:
203.67.10.115    11001011.01000011.00001010.01110011
255.255.255.224  11111111.11111111.11111111.11100000
-----------------------------------------------------
203.67.10.96     11001011.01000011.00001010.01100000

203.67.10.55     11001011.01000011.00001010.00110111
255.255.255.224  11111111.11111111.11111111.11100000
-----------------------------------------------------
203.67.10.32     11001011.01000011.00001010.00100000
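The AND operations and the 255.255.255.224 table above can be reproduced mechanically. The following Python calculator is an added example, not code from the original article: it classifies an address by its leading bits, computes network number, broadcast and usable range from an address and a netmask, and enumerates every subnet of a class C for a given mask. The function names are my own.

```python
# Added example (not part of the original article): classful address lookup
# and subnet arithmetic, reproducing the AND operations and the
# 255.255.255.224 table from the text. Standard library only.
import socket
import struct


def to_int(dotted):
    """Dotted-decimal string -> 32-bit integer."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def to_dotted(value):
    """32-bit integer -> dotted-decimal string."""
    return socket.inet_ntoa(struct.pack("!I", value))


def to_binary(dotted):
    """Dotted-decimal -> the four 8-bit groups used in the worked examples."""
    return ".".join(format(int(octet), "08b") for octet in dotted.split("."))


def address_class(dotted):
    """Classify by the leading bits of the first octet: 0, 10, 110, 1110, 1111."""
    first = int(dotted.split(".")[0])
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D"
    return "E"


DEFAULT_NETMASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def subnet_info(dotted, netmask):
    """Network number = address AND mask; broadcast = network OR (NOT mask)."""
    addr, mask = to_int(dotted), to_int(netmask)
    network = addr & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    # number of subnets a class C splits into: 2 ** (mask bits beyond 24)
    extra_bits = max(bin(mask).count("1") - 24, 0)
    return {
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "first_usable": to_dotted(network + 1),
        "last_usable": to_dotted(broadcast - 1),
        "subnets_per_class_c": 1 << extra_bits,
    }


def enumerate_subnets(class_c_network, netmask):
    """Every (network, broadcast, first usable, last usable) inside one class C."""
    base, mask = to_int(class_c_network), to_int(netmask)
    size = (~mask & 0xFFFFFFFF) + 1          # addresses per subnet
    rows = []
    for start in range(base, base + 256, size):
        info = subnet_info(to_dotted(start), netmask)
        rows.append((info["network"], info["broadcast"],
                     info["first_usable"], info["last_usable"]))
    return rows


if __name__ == "__main__":
    mask = "255.255.255.224"
    for ip in ("203.67.10.115", "203.67.10.55", "192.10.10.193"):
        info = subnet_info(ip, mask)
        print("%-16s %s" % (ip, to_binary(ip)))
        print("%-16s %s" % (mask, to_binary(mask)))
        print("%-16s %s  (network number)\n" % (info["network"], to_binary(info["network"])))
    for n, row in enumerate(enumerate_subnets("203.67.10.0", mask), 1):
        print(n, *row)
```

Running the block prints the three verification examples in the same binary layout as the text and then the eight-row table; subnet_info also works for class A and B masks, where the subnet count is simply reported as 1.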
Network numbers for the other netmasks can be worked out in the same way.
Subnet applications
Subnets solve the problem of having only one class C but needing several network numbers; they do not solve the shortage of IP addresses, because subnetting does not give you more usable IP addresses. A typical case is a company with two offices in Taipei connected by a router, which is also connected to the Internet but has only one class C. The networks on the two sides of the router need different network numbers, so subnets must be used. Of course the second office could instead be connected with a remote bridge, in which case there is no subnet problem; that case is not discussed here. The network connection architecture and IP address usage for the case above follow the approach described in this document.
TCP/IP (Transmission Control Protocol / Internet Protocol) is a network communication protocol that specifies how all communication devices on the network, in particular one host and another, exchange data and how the data is transmitted. TCP/IP is the foundation protocol of the Internet and the standard method for packaging and addressing computer data. Data transfer can be understood with two envelopes: TCP and IP are like envelopes. The information to be sent is divided into several segments; each segment is put into a TCP envelope, on which the segment number is recorded; the TCP envelope is then put into a larger IP envelope and sent onto the Internet. At the receiving end, TCP collects the envelopes, extracts the data, restores the original order and checks it; if an error is found, TCP requests retransmission. This is how TCP/IP transmits data over the Internet without error.
On any physical network, every station has a machine-recognisable address, called the physical address. The physical address has two features:
Its length, format and so on are part of the physical network technology; different physical networks have different physical addresses.
Stations on different networks may have the same physical address.
These two points mean that internetwork communication cannot be carried out with physical addresses alone.
In networking terminology a protocol is an agreement made in advance on how two computers exchange data. TCP/IP is not one protocol but many, which is why it is often called a protocol suite; TCP and IP are just two of its basic protocols.
The TCP/IP software installed on a computer provides a platform that includes TCP, IP and the other protocols of the suite. In particular it includes high-level applications such as FTP (File Transfer Protocol), which lets users transfer files over the network from the command line.
TCP/IP came out of research funded by the US government's Advanced Research Projects Agency (ARPA) in the 1970s, aimed at linking research networks into a virtual network, an internet. The original Internet was formed by converting existing networks to TCP/IP, and that internet eventually became the backbone of today's Internet.
Today TCP/IP is important because it lets stand-alone networks join the Internet, or lets an organization link them into a private internal network (intranet). Each network making up the intranet is physically connected to a device called a router or IP router, a computer that transfers packets from one network to another. In an intranet using TCP/IP, information is carried in separate IP packets (IP datagrams). The TCP/IP software lets every host on the network "see" every other host; it hides the routers and the underlying network architecture and makes everything look like one big network. Just as a host on an Ethernet is identified by a 48-bit Ethernet address, a host on an internet is identified by a 32-bit IP address, written in dotted decimal such as 128.10.2.3. Given the IP address of a remote computer, a local computer on an intranet or the Internet can send data to it as if the two computers were on the same physical network.
TCP/IP provides a solution to the problem of exchanging data between two computers that belong to the same intranet but to different physical networks. The solution has several parts, and each member of the TCP/IP protocol suite solves some part of the problem. For example, the most basic protocol of the suite, IP, exchanges data within the intranet and performs an important function, routing: choosing the path a datagram follows from one host to another and using the appropriate routers to complete each hop between networks.
TCP is a higher-level protocol that lets applications on different hosts exchange data streams. TCP splits a data stream into small pieces called TCP segments and transmits them with IP. In most cases each TCP segment is carried in one IP datagram; if necessary, however, TCP splits a segment across several datagrams, and IP fragments datagrams to fit the physical frames that carry bit and byte streams between hosts on the same network. Since IP does not guarantee the order in which datagrams are received, TCP reorders the TCP segments to rebuild an uninterrupted data stream. FTP and Telnet are two TCP/IP applications that rely on TCP.
Another important member of the TCP/IP suite is the User Datagram Protocol (UDP), which is similar to TCP but much simpler. TCP is a reliable protocol because it has error checking and handshake acknowledgements to make sure data arrives at its destination intact. UDP is an "unreliable" protocol because it guarantees neither the order in which datagrams arrive nor that they arrive at all; an application with reliability requirements avoids it. SNMP (Simple Network Management Protocol), shipped with many TCP/IP tools, is an example of an application that uses UDP. Other TCP/IP protocols work behind the scenes of a TCP/IP network but also play important roles. For example, the Address Resolution Protocol (ARP) converts IP addresses to physical network addresses such as Ethernet addresses, and the corresponding Reverse Address Resolution Protocol (RARP) does the opposite, converting physical network addresses to IP addresses. The Internet Control Message Protocol (ICMP) is a support protocol that uses IP to carry control and error information about IP datagrams in transit; for example, if a router cannot forward an IP datagram, it uses ICMP to tell the sender about the problem.
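The envelope analogy, the reordering done by TCP and the contrast with UDP in the paragraphs above can be seen in a small simulation. The following Python model is an added example, not code from the article: the "network" stands in for IP and may lose, corrupt or reorder segments; the TCP-style receiver checks each segment, asks for the missing ones again and reassembles by sequence number, while the UDP-style receiver simply hands over whatever arrived. The loss and corruption rates, the CRC check and the message are constructed for the demonstration.

```python
# Added example (not from the article): a toy model of the envelope analogy.
# make_segments() numbers each piece (the TCP envelope), unreliable_network()
# plays the role of IP, which may reorder, lose or corrupt datagrams, and
# tcp_style_receive() reorders, verifies and requests retransmission.
# Loss and corruption rates, the CRC check and the message are constructed.
import random
import zlib

SEGMENT_SIZE = 8


def make_segments(data, size=SEGMENT_SIZE):
    """Split data into (offset, payload, crc) tuples; the offset is the sequence number."""
    return [(i, data[i:i + size], zlib.crc32(data[i:i + size]))
            for i in range(0, len(data), size)]


def unreliable_network(segments, rng):
    """IP-like delivery: no ordering guarantee, ~15% loss, ~15% corruption."""
    delivered = []
    for seq, payload, crc in segments:
        roll = rng.random()
        if roll < 0.15:
            continue                        # datagram lost in transit
        if roll < 0.30:
            payload = b"?" + payload[1:]    # bit error; the CRC will not match
        delivered.append((seq, payload, crc))
    rng.shuffle(delivered)                  # arrival order is arbitrary
    return delivered


def udp_style_receive(delivered):
    """UDP: hand over whatever arrived, in arrival order, with no checks."""
    return b"".join(payload for _, payload, _ in delivered)


def tcp_style_receive(segments, rng, max_rounds=20):
    """TCP: accept only intact segments, re-request the rest, reassemble by sequence number."""
    wanted = {seq: (seq, payload, crc) for seq, payload, crc in segments}
    received = {}
    outstanding = list(wanted.values())
    rounds = 0
    while outstanding and rounds < max_rounds:
        rounds += 1
        for seq, payload, crc in unreliable_network(outstanding, rng):
            if zlib.crc32(payload) == crc:  # error check: drop corrupted segments
                received[seq] = payload
        # every segment not yet acknowledged is retransmitted next round
        outstanding = [wanted[seq] for seq in wanted if seq not in received]
    if outstanding:
        raise RuntimeError("gave up after %d rounds" % rounds)
    return b"".join(received[seq] for seq in sorted(received)), rounds


def demo(seed=7):
    """Send one constructed message both ways and return what each side received."""
    message = b"The quick brown fox jumps over the lazy dog, twice."
    segments = make_segments(message)
    udp_result = udp_style_receive(unreliable_network(segments, random.Random(seed)))
    tcp_result, rounds = tcp_style_receive(segments, random.Random(seed))
    return message, udp_result, tcp_result, rounds


if __name__ == "__main__":
    original, udp_out, tcp_out, n = demo()
    print("UDP-style:", udp_out)
    print("TCP-style:", tcp_out, "after", n, "round(s)")
```

The UDP-style output may be shorter, scrambled or contain a corrupted byte depending on the seed; the TCP-style output always equals the original message, at the cost of extra rounds of retransmission.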
Network designers often use the ISO/OSI (International Organization for Standardization / Open Systems Interconnection) seven-layer model when working out a network architecture; each layer represents a certain level of network function. The bottom layer is the physical layer, which represents the physical medium that carries the data, in other words the network cable. Above it is the data link layer, which provides its service through the network interface card. The top layer is the application layer, where the applications that use network services run.
TCP/IP corresponds to the ISO/OSI model. When a unit of data flows from a network application down to the network interface card, it passes through a series of TCP/IP modules; at each one the data unit is packed together with the information that the other end of the network needs. By the time the data reaches the NIC it has become a standard Ethernet frame (assuming the physical network is Ethernet). The receiving TCP/IP software recovers the original data by stripping the Ethernet frame and passing the data up its TCP/IP stack to the receiving application. (One way to understand how TCP/IP works is to use a probe program to observe the information added by the different TCP/IP modules as the data flows through the network.)
To outline the part TCP/IP plays in the real network world, consider what happens when you use HTTP (Hypertext Transfer Protocol) to get an HTML page from a web server on the Internet. To form a virtual link with the web server, the browser uses a high-level software abstraction called a socket. To get the page, it writes an HTTP GET command to the socket. The socket software then uses TCP to send the byte stream containing the GET command: TCP splits the data into segments and hands each one to the IP module, which turns it into a datagram and sends it towards the web server.
If the browser and the server are on different physical networks (the usual case), the datagram passes from one network to the next until it reaches the network where the server is. Finally the data arrives at the destination address and is reassembled, so the web server obtains the data by reading its own socket and then sees a continuous data stream. To the browser and the server it seems like magic that data written to the socket at one end simply appears at the other, but this is only the result of the many complex interactions underneath that make the data pass seamlessly through the network.
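The encapsulation walk-through above (GET command inside a TCP segment inside an IP datagram inside an Ethernet frame, then stripped again at the receiver) can be made concrete in code. The following Python block is an added example, not code from the article: it builds the three headers with struct, computes a real IPv4 header checksum, and then parses the frame back layer by layer, refusing a datagram whose header checksum fails. The MAC addresses, IP addresses and ports are constructed sample values, and the TCP checksum is left at zero because this toy does not compute the pseudo-header checksum a real stack would.

```python
# Added example (not from the article): the encapsulation walk-through as code.
# Each layer prepends its header on the way down; the receiver strips them on
# the way up. MACs, IPs and ports are constructed sample values.
import struct


def checksum16(data):
    """RFC 791 one's-complement checksum over 16-bit words (IP header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_segment(src_port, dst_port, seq, payload):
    """Minimal 20-byte TCP header: data offset 5, flags PSH+ACK, checksum left 0 (toy)."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                         5 << 4, 0x18, 65535, 0, 0)
    return header + payload


def ip_datagram(src_ip, dst_ip, segment):
    """IPv4 header with protocol 6 (TCP) and a genuine header checksum."""
    total_len = 20 + len(segment)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                         64, 6, 0, bytes(src_ip), bytes(dst_ip))
    csum = checksum16(header)                       # computed with field = 0
    header = header[:10] + struct.pack("!H", csum) + header[12:]
    return header + segment


def ethernet_frame(src_mac, dst_mac, datagram):
    """Ethernet II frame, EtherType 0x0800 = IPv4 (FCS omitted)."""
    return bytes(dst_mac) + bytes(src_mac) + struct.pack("!H", 0x0800) + datagram


def build(http_request):
    """Browser side: GET -> TCP segment -> IP datagram -> Ethernet frame."""
    seg = tcp_segment(40000, 80, 1000, http_request)
    dg = ip_datagram([192, 168, 1, 10], [203, 67, 10, 115], seg)   # constructed addresses
    return ethernet_frame([0xAA] * 6, [0xBB] * 6, dg)


def receive(frame):
    """Server side: strip each layer and report what it carried."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    datagram = frame[14:]
    ihl = (datagram[0] & 0x0F) * 4
    if checksum16(datagram[:ihl]) != 0:            # sums to 0 only when intact
        raise ValueError("IP header checksum failed")
    proto = datagram[9]
    src_ip = ".".join(str(b) for b in datagram[12:16])
    dst_ip = ".".join(str(b) for b in datagram[16:20])
    segment = datagram[ihl:]
    src_port, dst_port, seq = struct.unpack("!HHI", segment[:8])
    data_offset = (segment[12] >> 4) * 4
    return {"ethertype": ethertype, "proto": proto, "src_ip": src_ip,
            "dst_ip": dst_ip, "src_port": src_port, "dst_port": dst_port,
            "seq": seq, "payload": segment[data_offset:]}


if __name__ == "__main__":
    frame = build(b"GET /index.html HTTP/1.0\r\n\r\n")
    print(len(frame), "bytes on the wire")
    for key, value in receive(frame).items():
        print("%-9s %r" % (key, value))
```

Flipping any byte of the IP header (the TTL, for instance) makes receive() raise, which is the kind of check a probe program or the receiving stack performs before handing the payload up.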
This is what TCP/IP does: it joins many small networks into one big network, and on that big network it provides the services that let hosts communicate with each other, the Internet.
Comment:
There is much to say about TCP/IP, but only three key points are made here:
· TCP/IP is the protocol used to join different physical networks into the Internet. TCP/IP connects separate networks into a virtual network in which each host is identified not by a physical network address but by an IP address.
· TCP/IP uses a layered architecture that clearly defines the responsibility of each protocol. TCP and UDP provide high-level data transfer services to network applications and rely on IP to deliver packets; IP is responsible for choosing the right route for a packet to its destination.
· On an Internet host, two applications communicate by moving data up and down the host's TCP/IP stack. Information added by each TCP/IP module on the sending end is stripped off by the corresponding module on the receiving end, finally restoring the original data.
If you want to learn more about TCP/IP, two higher-level sources are RFC (Request For Comments) 1180, titled "A TCP/IP Tutorial", which can be downloaded from many popular RFC repositories on the Internet, and the first volume of Internetworking with TCP/IP: Principles, Protocols, and Architecture by Douglas E. Comer (1995, Prentice-Hall). As the first part of a trilogy, it is regarded by many as the TCP/IP bible. (Originally published in Vol. 15 No. 20)
Second, transport layer security
In Internet application programming, a generic inter-process communication (IPC) mechanism is normally used to work with security protocols at the different layers. The two most popular IPC programming interfaces are BSD sockets and the Transport Layer Interface (TLI), found in UNIX System V.
The first idea for providing security services on the Internet was to strengthen its IPC interfaces, such as BSD sockets, specifically by adding authentication of both end entities, exchange of data encryption keys and so on. Netscape Communications followed this idea and developed the Secure Sockets Layer (SSL) protocol on top of a reliable transport service (such as TCP/IP). SSL version 3 (SSL v3) was developed in December 1995. It mainly consists of the following two protocols:
The SSL record protocol handles the fragmentation, compression, data authentication and encryption of the information supplied by the application. SSL v3 supports MD5 and SHA for data authentication; the algorithms used for data authentication and encryption are negotiated through the SSL handshake protocol.
The SSL handshake protocol is used to exchange version numbers and encryption algorithms, to perform (mutual) authentication and to exchange keys. SSL v3 supports the Diffie-Hellman key exchange algorithm, an RSA-based key exchange mechanism and another key exchange mechanism implemented on the Fortezza chip.
Netscape Communications has released an SSL reference implementation (called SSLREF) to the public. Another free SSL implementation is called SSLeay. SSLREF and SSLeay can add SSL functionality to any TCP/IP application. The Internet Assigned Numbers Authority (IANA) has allocated fixed port numbers to SSL-enabled applications: for example, HTTP over SSL (HTTPS) is assigned port 443, SMTP over SSL (SSMTP) port 465 and NNTP over SSL (SNNTP) port 563.
Microsoft released an improved version of SSL 2 called PCT (Private Communication Technology). At least in the record format they use, SSL and PCT are very similar. Their main difference lies in the most significant bit of the version number field: in SSL this bit is 0, in PCT it is 1. This lets one implementation support both protocols.
In April 1996 the IETF chartered a Transport Layer Security (TLS) working group to draft a transport layer security protocol (TLSP) for formal submission to the IESG as a proposed standard. TLSP will resemble SSL in many respects. The main advantage of the Internet layer security mechanism described above is its transparency: the security service is provided without any change to the application layer. This is not the case at the transport layer. In principle any TCP/IP application that wants to use a transport layer security protocol such as SSL or PCT must be modified somewhat to add the corresponding function and to use a (slightly) different IPC interface. Thus the main disadvantage of the transport layer security mechanism is that both the transport layer IPC interface and the application must be modified; the modifications, however, are quite small compared with those required by the Internet layer and application layer security mechanisms. Another disadvantage is that it is difficult to build a security mechanism for UDP-based communication at the transport layer. Compared with the network layer security mechanism, the main advantage of the transport layer security mechanism is that it provides process-to-process (rather than host-to-host) security services, which is a big step forward if application-level security services are the goal.
Third, application layer security
Keep in mind (and consider carefully): a network layer (or transport layer) security protocol adds security properties to the data channel between hosts (or processes). Essentially this means that an authenticated (and perhaps confidential) data channel is built between the hosts (or processes), but the differing security requirements of particular files carried over the same channel cannot be distinguished. For example, if a secure IP channel is established between one host and another, all IP packets sent over that channel are automatically encrypted. Similarly, if one process establishes a secure data channel with another through a transport layer security protocol, all messages sent between the two processes are automatically encrypted.
If you really want to distinguish the security requirements of particular files, you must use application layer security. Providing security services in the application layer is actually the most flexible way of handling the security of individual files. For example, an email system may need to apply a digital signature to individual paragraphs of an outgoing message. The security functions provided by the lower-layer protocols generally know nothing about the paragraph structure of the message, so they cannot know which part is to be signed. Only the application layer can provide this security service.
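The point of the last two paragraphs, that a channel-level mechanism sees only an opaque byte stream while the application can protect individual paragraphs, can be shown with a few lines of code. The following Python block is an added example, not code from the article: HMAC-SHA256 with a constructed shared key stands in for the digital signature the text describes, since the demonstration needs only a tag that fails when the protected bytes change. The message, the key and the function names are mine.

```python
# Added example (not from the article): why per-part protection belongs to
# the application layer. The transport-layer channel below sees one opaque
# byte stream and can only say "something changed"; the application, which
# knows the paragraph structure, protects exactly the parts that need it and
# can name the part that was altered. HMAC-SHA256 with a constructed shared
# key stands in for the digital signature described in the text.
import hashlib
import hmac

KEY = b"constructed-demo-key"   # constructed sample secret, not a real key


def tag(data):
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


def channel_protect(paragraphs):
    """Transport-layer view: one tag over the whole serialised message."""
    return tag("\n".join(paragraphs).encode())


def channel_verify(paragraphs, channel_tag):
    """All-or-nothing: cannot say which paragraph changed, or whether it mattered."""
    return hmac.compare_digest(channel_tag, channel_protect(paragraphs))


def sign_paragraphs(paragraphs, signed_indexes):
    """Application-layer view: a separate tag per paragraph, bound to its index."""
    return {i: tag(b"%d:" % i + paragraphs[i].encode()) for i in signed_indexes}


def verify_paragraphs(paragraphs, tags):
    """Per-paragraph verdicts; unsigned paragraphs (e.g. relay-added headers) are not checked."""
    return {i: hmac.compare_digest(t, tag(b"%d:" % i + paragraphs[i].encode()))
            for i, t in tags.items()}


def demo():
    """Constructed message: a header the mail relay may rewrite, a signed body, a signed closing."""
    original = ["From: alice", "Transfer 100 to bob", "Regards, alice"]
    channel_tag = channel_protect(original)
    tags = sign_paragraphs(original, signed_indexes=[1, 2])

    # A relay edits the unsigned header: the channel check fails, yet the
    # signed paragraphs still verify, so the application accepts the message.
    relayed = ["From: alice (via relay)", "Transfer 100 to bob", "Regards, alice"]
    # Someone alters the signed instruction: the application names paragraph 1.
    altered = ["From: alice", "Transfer 1000 to bob", "Regards, alice"]
    return {
        "relayed_channel_ok": channel_verify(relayed, channel_tag),
        "relayed_paragraphs": verify_paragraphs(relayed, tags),
        "altered_channel_ok": channel_verify(altered, channel_tag),
        "altered_paragraphs": verify_paragraphs(altered, tags),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Binding the paragraph index into the tag (the b"%d:" prefix) prevents a signed paragraph from being silently moved to another position; a real signed-mail format would bind a canonical encoding of the structure in the same way.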
In general there are several possible ways to provide security services in the application layer; the most straightforward is probably to modify each application (and application protocol) separately. Some important TCP/IP applications have done exactly this. In RFCs 1421 to 1424 the IETF specifies Privacy Enhanced Mail (PEM) to provide security services for SMTP-based email systems. For various reasons the Internet industry has been slow to adopt PEM; a main reason is that PEM relies on an existing, fully operational PKI (public key infrastructure). The PEM PKI is hierarchical and consists of three levels:
The top level is the Internet Policy Registration Authority (IPRA)
The second level is the Policy Certification Authorities (PCAs)
The bottom level is the Certification Authorities (CAs)
Building a PKI that conforms to the PEM specification is also a political process, because it requires many parties to reach common trust. Unfortunately history shows that political processes always take time. As an intermediate step Phil Zimmermann developed a package called PGP (Pretty Good Privacy). PGP agrees with most of PEM but does not require the existence of a PKI; instead it uses a distributed trust model in which each user decides which other users to trust. PGP thus does not push a global PKI but lets users build up their own trust. This immediately raises a problem: how to revoke a key under the distributed trust model.
S-HTTP is a security-enhanced version of the Hypertext Transfer Protocol (HTTP) used on the Web, designed by Enterprise Integration Technologies. S-HTTP provides a file-level security mechanism, so each file can be set to private and/or signed. The algorithms used for encryption and signing can be negotiated by the two communicating parties. S-HTTP supports a variety of one-way hash functions, such as MD2, MD5 and SHA; a variety of single-key (symmetric) systems, such as DES, triple DES, RC2, RC4 and CDMF; and digital signature schemes such as RSA and DSS. There is currently no accepted standard for Web security; such a standard can only be developed by the WWW Consortium, the IETF or another relevant standards organization. The formal standardization process is long and may drag on for several years until all the standards organizations fully recognise the importance of Web security. S-HTTP and SSL provide Web security from different angles: S-HTTP works on individual files, while SSL provides "privacy" and "authentication" on the data channel used by the communication. Terisa's SecureWeb Toolkit can be used to add security features to any Web application; it provides the encryption algorithms of RSA Data Security and gives comprehensive support to both SSL and S-HTTP.
Another important application is e-commerce, especially credit card transactions. To make credit card transactions on the Internet secure, MasterCard developed the Secure Electronic Payment Protocol (SEPP), and Visa International and Microsoft (together with other companies) developed the Secure Transaction Technology (STT) protocol. MasterCard, Visa International and Microsoft have since agreed to join forces to launch a secure credit card transaction service on the Internet, and have released the corresponding Secure Electronic Transaction (SET) protocol, which specifies how a cardholder pays with a credit card over the Internet. Behind this mechanism is a certificate-issuing infrastructure that supports X.509 certificates.
All the added security functions mentioned above face one major problem: every such application has to be modified individually. It would therefore be much better to have a unified modification. One step in this direction is the Secure Shell (SSH), developed at Helsinki University of Technology. SSH lets its users log in securely to a remote host, execute commands and transfer files. It implements a key exchange protocol and host and client authentication protocols. SSH has free versions for most popular Unix platforms today, as well as a commercial version from Data Fellows.
Pushing the SSH idea further leads to authentication and key distribution systems. Essentially, an authentication and key distribution system provides an application programming interface (API) that any network application can use to obtain security services such as authentication, data confidentiality and integrity, access control and non-repudiation. There are already practical authentication and key distribution systems, for example MIT's Kerberos (V4 and V5), IBM's KryptoKnight and Network Security Program, DEC's SPX and the University of Karlsruhe's Exponential Security System (TESS), and some are widely used. There are also modifications and extensions of some of these systems: for example, SESAME and OSF DCE add access control services to Kerberos V5, and Yaksha adds non-repudiation services to Kerberos V5.
A question frequently asked about authentication and key distribution systems is why they have been received so coolly on the Internet. One reason is that they still require changes to the applications themselves. With this in mind, a standardized security API gives authentication and key distribution systems a common interface, so that developers no longer have to rework an entire application to add a few security features. One of the most important advances in the design of authentication systems has therefore been the development of standardized security APIs, namely the Generic Security Service API (GSS-API). GSS-API (V1 and V2) may still be too technical for programmers who are not security experts, but Secure Network Programming (SNP), developed by researchers at the University of Texas at Austin, offers a higher-level interface than GSS-API and makes network security programming more convenient.
What is insecure at the network layer?
Insecure points
Because a LAN works in broadcast mode, every packet in a broadcast domain can be sniffed; an attacker who analyses those packets sees all the information transferred within that broadcast domain.
Network segmentation
Network segmentation is an important measure for ensuring security; it is also a basic measure for separating illegal users from network resources and thus limiting illegal access.
Network segmentation can be done in two ways, physical segmentation and logical segmentation:
Physical segmentation generally means dividing the network into several segments at the physical layer and the data link layer (the first and second layers of the ISO/OSI model), so that the segments cannot communicate with each other. Many switches today have some access control capability and can implement physical segmentation of the network. Logical segmentation means dividing the whole system at the network layer (the third layer of the ISO/OSI model). For example, a TCP/IP network can be divided into several IP subnets, each connected to the others through routers, routing switches, gateways or firewalls, and the security mechanisms of these intermediate devices (software and hardware) control access between the subnets. In practice, physical segmentation is usually combined with logical segmentation to achieve security control over the network system.
VLAN implementation
Virtual network technology is based mainly on the LAN switching technology (ATM and Ethernet switching) developed in recent years. Switching technology turns the traditional broadcast LAN into a connection-oriented technology, so the network management system can limit the scope of a LAN without needing large routers.
Ethernet is essentially a broadcast mechanism, but after switches and VLAN technology are applied it effectively becomes point-to-point communication: unless a monitoring port is configured, the exchange of information is not exposed to sniffing or to insertion (modification).
The benefits to network security of the above operating mechanisms are obvious:
Information reaches only the place it should reach, so most intrusion methods based on network sniffing are prevented.
Virtual network settings provide access control: a node outside a virtual network cannot directly access a node inside it.
However, virtual network technology also brings new security issues:
The devices that perform virtual network switching are more complex and become targets of attack. Intrusion detection technology based on the broadcast principle of the network requires special settings within a high-speed switched network. MAC-based VLANs cannot prevent MAC spoofing attacks.
A MAC-based VLAN will face attacks using forged MAC addresses, so VLANs are best divided by switch port. But this requires that the whole network desktop uses switched ports, or that the machines on each switch port's network segment belong to the same VLAN.
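The difference between MAC-based and port-based VLAN membership described above comes down to which input the switch trusts: the source address written in the frame, which the sender controls, or the physical port the frame arrived on, which it does not. The following Python block is an added example, not code from the article: a toy switch model with both policies, a function that lists which hosts a broadcast from a given frame would reach, and the defensive check a switch or monitoring system can apply, flagging a known MAC that shows up on a port other than the one it was learned on. All hosts, ports and MAC addresses are constructed.

```python
# Added example (not from the article): a toy switch that assigns a frame to a
# VLAN either by ingress port or by the frame's source MAC, to show why the
# text prefers port-based VLANs. Hosts, ports and MACs are constructed.

# Where each constructed host is physically plugged in.
HOST_PORT = {
    "00:11:22:33:44:01": 1,   # finance workstation
    "00:11:22:33:44:02": 2,   # finance server
    "00:11:22:33:44:03": 3,   # guest PC
    "00:11:22:33:44:04": 4,   # guest PC
}
PORT_VLAN = {1: 10, 2: 10, 3: 20, 4: 20}                   # port-based table
MAC_VLAN = {"00:11:22:33:44:01": 10, "00:11:22:33:44:02": 10,
            "00:11:22:33:44:03": 20, "00:11:22:33:44:04": 20}  # MAC-based table


def vlan_port_based(ingress_port, claimed_src_mac):
    """Membership depends only on the port the frame physically arrived on."""
    return PORT_VLAN[ingress_port]


def vlan_mac_based(ingress_port, claimed_src_mac):
    """Membership depends on the source MAC in the frame, which the sender controls."""
    return MAC_VLAN.get(claimed_src_mac)     # None for an unknown MAC


def reachable_hosts(policy, ingress_port, claimed_src_mac):
    """Hosts a broadcast from this frame would reach: same VLAN, other ports."""
    vlan = policy(ingress_port, claimed_src_mac)
    return sorted(mac for mac, port in HOST_PORT.items()
                  if port != ingress_port and policy(port, mac) == vlan)


def mac_port_mismatch(ingress_port, claimed_src_mac, learned=HOST_PORT):
    """Defensive check: a known MAC seen on a port other than where it was learned."""
    learned_port = learned.get(claimed_src_mac)
    return learned_port is not None and learned_port != ingress_port


if __name__ == "__main__":
    # A frame on guest port 3 that carries the finance workstation's MAC.
    port, mac = 3, "00:11:22:33:44:01"
    print("port-based:", reachable_hosts(vlan_port_based, port, mac))
    print("MAC-based: ", reachable_hosts(vlan_mac_based, port, mac))
    print("mismatch flagged:", mac_port_mismatch(port, mac))
```

Under the port-based policy the frame stays in VLAN 20 whatever address it carries; under the MAC-based policy the same frame is placed in VLAN 10 and reaches the finance hosts, which is the weakness the text describes. The mac_port_mismatch check is the detection counterpart: port security features on managed switches and port-to-MAC monitoring in a NMS implement the same idea.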
Principles for dividing VLANs