Kernel comparison: Improved networking in the 2.6 kernel




Contents:

- Network file system and security
- TCP improvements
- IP security and compression
- IP payload compression
- IPv6 privacy extensions
- Conclusion
- References


Better security, telephony support, and privacy protection

Level: Intermediate

Robbie Williamson (Robbiew@us.ibm.com), Software Engineer, Linux Technology Center, IBM

April 2004

From tunneling and better file system security to encryption and privacy protection, the new Linux kernel introduces a great deal of new networking support and many improvements. This article describes how these improvements affect users and how they make Linux more secure and better suited to the enterprise.

Compared with version 2.4, the new Linux 2.6 kernel brings many improvements, and the kernel's networking options are one area of technical progress. Although most of the files related to networking have changed, this article looks only at the improved and added features that matter to the system as a whole, rather than at specific files. Specifically, it covers improvements to the Network File System (NFS) and to Internet Protocol Security (IPsec). It also introduces two new members of the TCP/IP protocol suite: the Stream Control Transmission Protocol (SCTP) and Internet Protocol version 6 (IPv6).

Network file system and security

The 2.6 kernel improves the Network File System (NFS) by introducing NFS version 4. This new version of NFS offers better security, allows for broader support of different operating systems, and reduces server daemon overhead.

The introduction of NFS version 4 (NFSv4) in the 2.6 kernel brings improvements in security and functionality over earlier versions of NFS. Remote Procedure Calls (RPCs) now use the Generic Security Services (GSS) API, so NFS users can perform secure transactions. The designers also introduced the idea of compound procedures (several RPCs combined into one call). Combining calls means that file system operations need fewer RPCs, which makes NFS more responsive. NFS overhead is reduced further because NFS now performs file-handle-to-pathname mapping and file locking itself (jobs formerly done by mountd and lockd), which reduces the number of supporting daemons the server needs. To simplify server implementation, NFSv4 introduces an additional file handle type and classifies file and file system attributes. This new version of NFS also adds support for server migration and replication, so users can change servers seamlessly when they need to. Finally, NFSv4 allows the server to delegate some responsibility for cache state to clients, which is required for real data integrity.

NFS RPC requests provide end-to-end NFS security using cryptographic authentication. NFSv4 uses the RPCSEC_GSS framework to extend the basic security of RPC. This security framework lets NFSv4 provide authentication, integrity, and privacy mechanisms between server and client. Combined with security negotiation, it allows a client to match the server's security policy securely and settle on mechanisms that both server and client support.

Compound procedures are another improvement in the version 4 design. Earlier versions of NFS gave clients no way to issue complex, logical file system RPCs. Using a compound procedure, a client can combine LOOKUP, OPEN, and READ operations into one RPC request, so that it can read data from a file with a single request. Older versions required a separate RPC for each of those three operations. Implementing compound requests in the server is very simple: the server splits the compound request into a list of individual requests, walks the list executing each one until the end or until one fails, and then returns all the results to the client.

NFSv4 simplifies things further by reducing the number of non-NFS protocols the server must support. With version 4, NFS itself can map file handles to path names, which was done by the mountd protocol in earlier versions. The server provides a root file handle corresponding to the top of the file system tree it exports. A server that exports multiple file systems links them together with a pseudo file system, which hides path-name differences between the real file systems; this mapping is intended to support a global hierarchical namespace. In addition, the new version of the NFS protocol supports byte-range file locking, which earlier versions left to the lockd protocol provided by the Network Lock Manager. The redesigned locking support lets the server keep file lock state with a lease-based model: a client submits a lock request to the server and, if the lock is granted, must renew the lease within the lease period the server specifies; once the lease expires, the server may release the client's lock. Dropping the mountd and lockd protocols reduces the processing overhead of running an NFS server.

The new version of NFS also includes improvements that simplify NFS server implementation. Previously, a file handle had to remain valid for the whole lifetime of the file system object it refers to, a difficult requirement for some older NFS server implementations. NFSv4 adds a volatile file handle type to supplement the persistent file handle type. With these two handle types, a server implementation can match the capabilities of its operating system's file system. The client can identify which type of file handle the server provides and prepare for each type accordingly. The classification of file and file system attributes is another addition that makes servers easier to implement. Older NFS versions used a fixed set of attributes oriented mainly toward UNIX files and file systems; if a server or client did not support a particular attribute, it had to emulate that attribute as best it could. Version 4 divides attributes into three categories: mandatory, recommended, and named. Mandatory attributes are the minimum set of file or file system attributes that a server must provide and describe. Recommended attributes describe different file system types and operating systems, allowing for broader inclusion and interoperability between operating systems. Named attributes are byte streams associated with a directory or file and referenced by a string name; client applications can use them to associate specific data with files and/or file systems. This attribute classification system establishes a simple way to add new attributes without having to amend the code.

For better redundancy, NFSv4 supports server-side file system replication and migration. Using a special file system location attribute, a client can query the server about the location of a file system. If a file system is replicated for load balancing or similar reasons, the client can obtain all locations of the requested file system and use its own policy to mount and access the appropriate one. Similarly, if a file system is migrated, a client that accesses the old location is given the new location of the file system and makes the changes needed to relocate.

The last highlight of NFSv4 is that it allows the server to delegate some responsibility for cache state to clients, which is required for real data integrity. With NFSv4, a server can grant a read or write delegation for a specific file. If a client holds a read delegation for a file, no other client is allowed to write to that file while the delegation is in force. If a client holds a write delegation for a file, no other client may read or write that file during the delegation. When a client requests a file whose existing delegation to another client conflicts with the request, the server may recall the delegation: it notifies the delegation holder over a callback path between client and server and takes the delegation back. Delegations let clients service NFS operations from their local cache without interacting with the server, which reduces server load and network traffic.

TCP improvements

The Stream Control Transmission Protocol (SCTP) is a new transport layer protocol added in the 2.6 kernel. In addition to the same characteristics as the Transmission Control Protocol (TCP), SCTP has extra features for telephony, data communication, and high-availability applications.

SCTP provides functions similar to TCP to ensure reliable, sequenced data delivery, and it establishes a session (an end-to-end connection between two endpoints) for the whole of the data transfer. However, SCTP also provides features that TCP lacks, such as multi-streaming and multi-homing, which are critical for certain tasks such as carrying telephony signaling over IP networks.

Multi-streaming allows data to be divided into multiple independent sequenced streams, so that a message lost in one stream affects only that stream and not the others. SCTP is message-oriented (by contrast, TCP is byte-oriented); it supports framing of individual message boundaries and multiple data streams. With the single-stream method used in TCP, more delay is incurred when messages are lost or arrive out of order, because TCP must hold back delivery to the application layer until the correct sequence is restored. This delay hurts the performance of applications that do not require strict ordering, such as telephony signaling or a web page with multimedia content. Although telephony signaling needs ordering among messages that belong together (such as those of one call), delivery of other, unrelated messages does not require sequence integrity. A web page containing multimedia objects of different types and sizes can have that content delivered in a partially ordered way rather than a strictly ordered one. This flexibility in data delivery improves the performance the user perceives. Moreover, because all streams share a single SCTP connection, they can all depend on a common flow and congestion control mechanism, which reduces the work required in the transport layer.

Multi-homing is another feature that sets SCTP apart from traditional transport layer protocols. It allows a single SCTP endpoint to support multiple IP addresses, providing redundancy through multiple routes to the destination. TCP and UDP use single-homed sessions, so a local LAN access failure isolates the end system, and a failure within the network causes the session to fail until the IP routing protocol reroutes traffic. Multi-homed SCTP together with redundant LANs gives more resilient local endpoint access, and multiple prefix addresses and/or routes plus SCTP multi-homing improve redundancy across the whole network. SCTP's multi-homing feature does not provide network load balancing or sharing; its key purpose is to give applications above SCTP redundant connections. SCTP designates one address as the "primary" address and uses it for all data communication. When retransmitting, the data is sent to all addresses to increase the chance of reaching the other endpoint. If the primary connection fails completely, all data is rerouted to another address. Similar to the method used in standard high-availability setups, a "heartbeat" signal is sent to the failed primary connection to determine whether the original connection can be re-established.

IP security and compression

Internet Protocol Security (IPsec) is another enhancement in the 2.6 kernel. IPsec provides a way to authenticate and encrypt network communication on a local area network and across the Internet. In addition to packet encryption, the 2.6 kernel also offers improved transmission through IP Payload Compression (IPComp). IPComp is a protocol that uses compression and decompression algorithms to improve transmission quality over slow and/or congested connections.

The introduction of Internet Protocol Security (IPsec) in 2.6 provides users with secure transport services at the Internet Protocol (IP) layer. IPsec offers a general solution for the complex mix of media and applications that make up the Internet.

The 2.6 kernel supports two IPsec mechanisms: the Authentication Header (AH) and the Encapsulating Security Payload (ESP). Both rely on the authentication algorithms provided by the Cryptographic API included in the 2.6 kernel.

The Authentication Header (AH) is an additional header inserted after the IP header to provide packet authentication. Packet-level authentication lets the user be sure that a received packet came from a particular machine and that its contents were not changed in transit. This mechanism does not try to hide or protect the packet contents; the main property AH provides is packet integrity. To make better use of encryption techniques, users should also use ESP.

The Encapsulating Security Payload (ESP) header can provide both encryption and packet authentication. The features ESP provides include encryption, authentication, an "anti-replay" service (a form of partial sequence integrity), and "limited traffic flow confidentiality". Users can choose encryption without authentication, but this leaves packets open to attacks in which others can defeat the encryption. The ESP header sits after the IP header and before the transport header (UDP or TCP) in transport mode, or before the encapsulated IP header in tunnel mode. In tunnel mode, ESP protects the entire inner IP packet including its header: the inner IP header carries the original source and final destination addresses, while the outer IP header carries the IP addresses of intermediate hops, such as security gateways.

IP payload compression

IP Payload Compression (IPComp) reduces the size of IP datagrams. If both end machines have sufficient computing power and communication takes place over congested and/or slow links, this 2.6 networking feature increases the performance of communication between the two endpoints. The IPComp protocol is particularly suited to IPsec, because the additional headers IPsec requires increase packet size. IPComp has two phases: compressing outbound packets and decompressing inbound packets. The data integrity of the original IP packet is maintained through compression and decompression. Each packet is compressed and decompressed independently, because the nondeterministic nature of the Internet may deliver packets out of order.

IPv6 privacy extensions

The 2.6 kernel's features also improve the security options for IPv6. Besides extending IPsec and IPComp to IPv6, the 2.6 kernel provides the IPv6 privacy extensions. IPsec gives IPv6 the same level of authentication and security as IPv4. Support for IPv6-over-IPv6 tunnels allows two endpoints to communicate securely and seamlessly, for example across a virtual private network (VPN).

The IPv6 privacy extensions feature focuses on increasing anonymity on the Internet, allowing users to choose to protect their identity when using IPv6 addresses. The current stateless address autoconfiguration mechanism builds the 128-bit IPv6 address from a prefix and the MAC address of the device (an Ethernet card or mobile phone, for example). Forming addresses from an unchanging identifier makes traffic trackable, and this can be exploited by people with unwelcome motives. For example, anyone who knows the MAC address of a machine can track which machines it communicates with and when. This data is easy to collect with a network sniffer, because regardless of the network topology the MAC address stays constant, even when the machine is a mobile phone or a laptop. Whoever records this data can use it to track work patterns, locations, and so on.

The IPv6 privacy extensions allow users to create additional IPv6 global addresses using a random interface identifier. A machine uses such a temporary address for a specific period of time, after which it is reset to another random address. After a reset, existing connections can continue to communicate; however, all new connections must be established using the new temporary address.
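The ESP anti-replay service mentioned in the IP security section above is a receiver-side sliding window over sequence numbers. The following is an added example (not code from the article or the kernel) implementing the RFC 2401 window in Python; the `icv_ok` callback is a stand-in for the real integrity check, and the arrival order is a constructed sample.

```python
"""ESP anti-replay sliding window (RFC 2401 Appendix C) for inbound packets."""


class ReplayWindow:
    """Tracks the highest verified ESP sequence number and a bitmap that marks
    which of the `size` sequence numbers at or below it have already been seen."""

    def __init__(self, size: int = 64):   # RFC 2401 recommends a 64-packet window
        self.size = size
        self.last_seq = 0                 # highest sequence number accepted so far
        self.bitmap = 0                   # bit d set  <=>  (last_seq - d) already received

    def check(self, seq: int) -> bool:
        """Pre-verification check: is `seq` new and inside (or right of) the window?"""
        if seq == 0:                      # a valid sender never uses sequence number 0
            return False
        if seq > self.last_seq:           # to the right of the window: new
            return True
        diff = self.last_seq - seq
        if diff >= self.size:             # fell off the left edge: too old
            return False
        return not (self.bitmap >> diff) & 1   # bit already set means a replay

    def update(self, seq: int) -> None:
        """Record `seq`; call only after the packet's ICV has been verified,
        so a forged sequence number can never advance the window."""
        if seq > self.last_seq:
            shift = seq - self.last_seq
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)


def filter_packets(seqs, icv_ok=lambda seq: True, size=64):
    """Run a list of inbound sequence numbers through one window and return the
    verdict for each packet. `icv_ok` stands in for the real integrity check."""
    win = ReplayWindow(size)
    verdicts = []
    for seq in seqs:
        if not win.check(seq):
            verdicts.append((seq, "drop: replay or outside window"))
        elif not icv_ok(seq):
            verdicts.append((seq, "drop: bad ICV"))   # window deliberately not advanced
        else:
            win.update(seq)
            verdicts.append((seq, "accept"))
    return verdicts


if __name__ == "__main__":
    # Constructed arrival order: reordering (5 before 4), a replay of 3, a large
    # jump to 200, then packets at and just beyond the left edge of the window.
    for seq, verdict in filter_packets([1, 2, 3, 5, 4, 3, 200, 150, 136, 137]):
        print(seq, verdict)
```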
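An added example for the IP payload compression section above (not code from the article or the kernel): the IPComp outbound and inbound phases with DEFLATE, including the non-expansion rule that sends a datagram uncompressed when compressing would not shrink it. The protocol number and CPI value come from RFC 3173; the 90-byte minimum is a threshold assumed here, and the sample payloads are constructed.

```python
"""IPComp (RFC 3173) compression and decompression of a single IP payload."""
import struct
import zlib

IPCOMP_PROTO = 108      # protocol number announced in the preceding header for IPComp
CPI_DEFLATE = 2         # well-known Compression Parameter Index for DEFLATE
MIN_COMPRESS_LEN = 90   # assumed threshold: very small datagrams are not worth compressing


def ipcomp_compress(next_header: int, payload: bytes) -> tuple:
    """Outbound phase. Returns (protocol_number, data) to place after the IP header.
    Every datagram gets a fresh DEFLATE context because IPComp keeps no history
    across packets: they may be lost or arrive out of order."""
    if len(payload) < MIN_COMPRESS_LEN:
        return next_header, payload
    comp = zlib.compressobj(level=6, wbits=-15)          # raw DEFLATE, no zlib framing
    compressed = comp.compress(payload) + comp.flush(zlib.Z_FINISH)
    header = struct.pack("!BBH", next_header, 0, CPI_DEFLATE)   # next hdr, flags, CPI
    # Non-expansion policy: if compression did not shrink the datagram, send it as is.
    if len(header) + len(compressed) >= len(payload):
        return next_header, payload
    return IPCOMP_PROTO, header + compressed


def ipcomp_decompress(protocol: int, data: bytes) -> tuple:
    """Inbound phase. Restores (next_header, original_payload); a datagram that
    was sent uncompressed passes through untouched."""
    if protocol != IPCOMP_PROTO:
        return protocol, data
    next_header, flags, cpi = struct.unpack("!BBH", data[:4])
    if cpi != CPI_DEFLATE:
        raise ValueError(f"unsupported CPI {cpi}")
    return next_header, zlib.decompress(data[4:], wbits=-15)


def round_trip(next_header: int, payload: bytes) -> tuple:
    """Compress then decompress; returns (was_compressed, bytes_on_wire, restored)."""
    proto, wire = ipcomp_compress(next_header, payload)
    hdr, restored = ipcomp_decompress(proto, wire)
    if hdr != next_header:
        raise ValueError("next-header field was not preserved")
    return proto == IPCOMP_PROTO, len(wire), restored


if __name__ == "__main__":
    TCP = 6
    text = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n" * 10   # constructed
    print(round_trip(TCP, text)[:2])                   # compressed, far fewer bytes
    print(round_trip(TCP, bytes(range(256)))[:2])      # no gain: sent uncompressed
```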
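For the IPv6 privacy extensions section above, an added example (not from the article) that builds the stable EUI-64 interface identifier from a MAC address and then generates RFC 3041 temporary identifiers from it, showing why the stable form is trackable across prefixes and how the random identifiers avoid that. The MAC address and prefixes are constructed samples.

```python
"""IPv6 interface identifiers: EUI-64 from a MAC (RFC 2464) versus the random,
periodically regenerated identifiers of the privacy extensions (RFC 3041)."""
import hashlib
import ipaddress
import os


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 identifier: split the 48-bit MAC, insert FF:FE, flip the u/l bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02                      # universal/local bit inverted per RFC 2464
    return bytes(iid)


def next_temporary_iid(history: bytes, iid: bytes) -> tuple:
    """RFC 3041 3.2.1: MD5(history || iid). Left 64 bits become the temporary
    identifier (u/l bit cleared so it cannot pose as a globally unique one);
    right 64 bits become the history value for the next generation."""
    digest = hashlib.md5(history + iid).digest()
    temp = bytearray(digest[:8])
    temp[0] &= 0xFD                     # clear bit 6 (the u/l bit)
    return bytes(temp), digest[8:]


def make_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Join a /64 prefix (e.g. 2001:db8:1::/64) with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("need a /64 prefix and a 64-bit identifier")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def stable_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Plain stateless autoconfiguration: the same identifier on every network."""
    return make_address(prefix, eui64_from_mac(mac))


def temporary_addresses(prefix: str, mac: str, count: int, history: bytes = None) -> list:
    """`count` successive temporary addresses. `history` is the stored 64-bit
    history value; RFC 3041 seeds it randomly on first use."""
    iid = eui64_from_mac(mac)
    history = history or os.urandom(8)
    out = []
    for _ in range(count):
        temp, history = next_temporary_iid(history, iid)
        out.append(make_address(prefix, temp))
    return out


if __name__ == "__main__":
    MAC = "00:1a:2b:3c:4d:5e"                       # constructed sample MAC
    # Same low 64 bits at the office and at home: the host is trackable across networks.
    print(stable_address("2001:db8:1::/64", MAC), stable_address("2001:db8:2::/64", MAC))
    for addr in temporary_addresses("2001:db8:1::/64", MAC, 3):
        print(addr)
```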

Conclusion

Most organizations will find that one or more of these new or enhanced features can improve the way they use Linux in their respective system environments. NFS users who migrate to version 4 can expect improved performance and security. Developers of carrier-grade and telephony applications can use the features SCTP provides to deliver better, more reliable services to consumers and customers. IPsec offers a solution for people and companies that need to transmit secure data across insecure networks, and IPComp lets those same people and businesses improve data communication over the Internet by transmitting smaller packets. The enhancements to IPv6 give better security and privacy to those who use this next-generation Internet protocol, while allowing more IPv4 application developers to move to this improved version of IP. In short, the networking enhancements in the 2.6 Linux kernel are a positive step toward large-scale use of Linux in enterprise environments.

References

- Generic Packet Tunneling in IPv6 Specification (RFC 2473) summarizes IPv6 and a general mechanism for encapsulating Internet packets. A special working group in the United States is currently studying IPv6 deployment; read the relevant sections of this Request for Comments for more information.
- IP Authentication Header (RFC 2402) deals with connectionless integrity and data origin authentication for IP datagrams.
- IP Encapsulating Security Payload (ESP) (RFC 2406) describes how ESP provides a mix of security services in IPv4 and IPv6.
- Privacy Extensions for Stateless Address Autoconfiguration in IPv6 (RFC 3041) summarizes how the IPv6 privacy extensions generate addresses using stateless autoconfiguration without a DHCP server.
- An Introduction to the Stream Control Transmission Protocol (SCTP) (RFC 3286) provides a high-level introduction to SCTP.
- IP Payload Compression Protocol (IPComp) (RFC 3173) describes how and why IP payload compression is performed prior to encryption.
- Network File System (NFS) Version 4 Protocol (RFC 3530) describes NFS file locking and security.
- Learn the basics of TCP/IP and Linux networking through the IBM Global Services Linux TCP/IP Administration classroom or virtual courses.
- The basics are also covered in the AIX Security Guide, which deals with TCP/IP security, Internet Protocol (IP) security, Network File System (NFS) security, and more.
- TCP/IP Tutorial and Technical Overview (IBM Redbook), 980 pages in all, covers the important basic concepts of the TCP/IP protocol suite.
- Internet Security is the subject of an iSeries and AS/400 white paper, which touches on topics such as Authentication Headers (AH) and Encapsulating Security Payloads, as well as cryptography, auditing, log analysis, and more.
- More reference material for Linux developers can be found in the developerWorks Linux zone.
- A wide selection of Linux books can be found in the Linux section of the Developer Bookstore.

Please credit the original address when reposting: https://www.9cbs.com/read-94819.html
