Redundant Array of Independent Disks (a less specific name than the original
"Inexpensive Disks", and thus now the generally accepted one[2]) is a technology that
employs the simultaneous use of two or more hard disk drives to achieve greater levels of
performance, reliability, and/or larger data volume sizes.
"RAID" is now used as an umbrella term for computer data storage schemes that can
divide and replicate data among multiple hard disk drives. RAID's various designs all
involve two key design goals: increased data reliability and increased input/output
performance. When several physical disks are set up to use RAID technology, they are
said to be in a RAID array. This array distributes data across several disks, but the array is
seen by the computer user and operating system as one single disk. RAID can be set up to
serve several different purposes.
Some arrays are "redundant": extra data derived from the original data is written across
the array and organized so that the failure of one (sometimes more) disks in the array
will not result in loss of data. When the bad disk is replaced by a new one, the data on it
is reconstructed from the remaining data and the extra data. A redundant array stores less
data than the sum of its disks' capacities. For instance, a 2-disk RAID 1 array loses half
of the total capacity that would have otherwise been available using both disks
independently, and a RAID 5 array with several disks loses the capacity of one disk.
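The capacity arithmetic above reduces to a short calculation. The helper below is a
hypothetical sketch (not part of any RAID software), and assumes every drive in the
array is the same size:

```python
def usable_capacity(level, disks, disk_size):
    """Usable capacity for a few common RAID levels, assuming `disks`
    identical drives of `disk_size` (any unit). Illustrative only."""
    if level == 0:                      # striping: full raw capacity
        return disks * disk_size
    if level == 1:                      # mirroring: one disk's worth
        return disk_size
    if level == 5:                      # single parity: lose one disk
        return (disks - 1) * disk_size
    if level == 6:                      # double parity: lose two disks
        return (disks - 2) * disk_size
    raise ValueError("unsupported RAID level")

print(usable_capacity(1, 2, 500))   # 2-disk RAID 1: 500 of 1000 GB raw
print(usable_capacity(5, 4, 500))   # 4-disk RAID 5: 1500 of 2000 GB raw
```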
Other RAID arrays are arranged so that they are faster to write to and read from than a
single disk.
There are various combinations of these approaches giving different trade offs of
protection against data loss, capacity, and speed. RAID levels 0, 1, and 5 are the most
commonly found, and cover most requirements.
• RAID 0 (striped disks) distributes data across several disks in a way that gives
improved speed and full capacity, but all data on all disks will be lost if any one
disk fails.
• RAID 1 (mirrored disks) duplicates data across two or more disks, protecting data
against the loss of any one disk; the capacity of the array is that of a single disk.
• RAID 5 (striped disks with parity) combines three or more disks in a way that
protects data against loss of any one disk; the storage capacity of the array is
reduced by one disk.
• RAID 6 (less common) can recover from the loss of two disks.
• RAID 10 (or 1+0) uses both striping and mirroring.
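The single-disk protection of RAID 5 rests on XOR parity: the parity block is the XOR of
the data blocks in a stripe, so any one missing block can be rebuilt from the survivors.
A minimal sketch (real controllers work on fixed-size stripe units; the equal-length toy
blocks here are for illustration only):

```python
# RAID 5-style parity: XOR all blocks together, byte by byte.
def xor_blocks(blocks):
    result = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            result[i] ^= byte
    return bytes(result)

data = [b"disk0", b"disk1", b"disk2"]            # three data blocks
parity = xor_blocks(data)                        # stored on a parity drive

# Lose "disk1" and rebuild it from the surviving blocks plus parity.
rebuilt = xor_blocks([data[0], data[2], parity])
assert rebuilt == data[1]
print(rebuilt)   # b'disk1'
```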
RAID involves significant computation when reading and writing information. With true
RAID hardware the controller does all of this computation work. In other cases the
operating system or simpler and less expensive controllers require the host computer's
processor to do the computing, which reduces the computer's performance on processor-
intensive tasks (see "Software RAID" and "Fake RAID" below). Simpler RAID
controllers may provide only levels 0 and 1, which require less processing.
RAID systems with redundancy continue working without interruption when one, or
sometimes more, disks of the array fail, although they are vulnerable to further failures.
When the bad disk is replaced by a new one the array is rebuilt while the system
continues to operate normally. Some systems have to be shut down when removing or
adding a drive; others support hot swapping, allowing drives to be replaced without
powering down. RAID with hot-swap drives is often used in high availability systems,
where it is important that the system keeps running as much of the time as possible.
RAID is not a good alternative to backing up data. Data may become damaged or
destroyed without harm to the drive(s) on which it is stored. For example, part of the data
may be overwritten by a system malfunction; a file may be damaged or deleted by user
error or malice and not noticed for days or weeks; and of course the entire array is at risk
of catastrophes such as theft, flood, and fire.
Principles
RAID combines two or more physical hard disks into a single logical unit by using either
special hardware or software. Hardware solutions often are designed to present
themselves to the attached system as a single hard drive, and the operating system is
unaware of the technical workings. Software solutions are typically implemented in the
operating system, and again would present the RAID drive as a single drive to
applications.
There are three key concepts in RAID: mirroring, the copying of data to more than one
disk; striping, the splitting of data across more than one disk; and error correction, where
redundant data is stored to allow problems to be detected and possibly fixed (known as
fault tolerance). Different RAID levels use one or more of these techniques, depending
on the system requirements. The main aims of using RAID are to improve reliability,
important for protecting information that is critical to a business, for example a database
of customer orders; or to improve speed, for example a system that delivers video on
demand TV programs to many viewers.
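Striping, as described above, can be illustrated with a toy layout function. The chunk
size and round-robin placement below are arbitrary choices for this sketch, not a real
controller's layout:

```python
def stripe(data, disks, chunk=4):
    """Split `data` into `chunk`-byte stripe units distributed round-robin
    across `disks` drives (RAID 0-style layout, illustration only)."""
    layout = [bytearray() for _ in range(disks)]
    for i in range(0, len(data), chunk):
        layout[(i // chunk) % disks] += data[i:i + chunk]
    return [bytes(d) for d in layout]

print(stripe(b"ABCDEFGHIJKLMNOP", 2))
# [b'ABCDIJKL', b'EFGHMNOP']
```

Because consecutive stripe units land on different drives, sequential reads can be served
by several disks at once, which is the performance benefit the text describes.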
The configuration affects reliability and performance in different ways. Using more
disks makes it more likely that one will fail, but with error checking the total system
can be made more reliable, since it can survive and repair
the failure. Basic mirroring can speed up reading data as a system can read different data
from both the disks, but it may be slow for writing if the configuration requires that both
disks must confirm that the data is correctly written. Striping is often used for
performance, where it allows sequences of data to be read from multiple disks at the same
time. Error checking typically will slow the system down as data needs to be read from
several places and compared. The design of RAID systems is therefore a compromise and
understanding the requirements of a system is important. Modern disk arrays typically
provide the facility to select the appropriate RAID configuration. PC Format Magazine
claims that "in all our real-world tests, the difference between the single drive
performance and the dual-drive RAID 0 striped setup was virtually non-existent. And in
fact, the single drive was ever-so-slightly faster than the other setups, including the RAID
5 system that we'd hoped would offer the perfect combination of performance and data
redundancy"[3].
A number of standard schemes have evolved which are referred to as levels. There were
five RAID levels originally conceived, but many more variations have evolved, notably
several nested levels and many non-standard levels (mostly proprietary).
Many storage controllers allow RAID levels to be nested: the elements of a RAID may be
either individual disks or RAIDs themselves. Nesting more than two deep is unusual.
As there is no basic RAID level numbered larger than 9, nested RAIDs are usually
unambiguously described by concatenating the numbers indicating the RAID levels,
sometimes with a "+" in between. For example, RAID 10 (or RAID 1+0) consists of
several level 1 arrays of physical drives, each of which is one of the "drives" of a level 0
array striped over the level 1 arrays. It is not called RAID 01, to avoid confusion with
RAID 0+1, in which the nesting order is reversed. When the top array is a RAID 0 (such as
in RAID 10 and RAID 50) most vendors omit the "+", though RAID 5+0 is clearer.
• RAID 0+1: striped sets in a mirrored set (minimum four disks; even number of
disks) provides fault tolerance and improved performance but increases
complexity. The key difference from RAID 1+0 is that RAID 0+1 creates a
second striped set to mirror a primary striped set. The array continues to operate
with one or more drives failed in the same mirror set, but if drives fail on both
sides of the mirror the data on the RAID system is lost.
• RAID 1+0: mirrored sets in a striped set (minimum four disks; even number of
disks) provides fault tolerance and improved performance but increases
complexity. The key difference from RAID 0+1 is that RAID 1+0 creates a
striped set from a series of mirrored drives. In a failed disk situation, RAID 1+0
performs better because all the remaining disks continue to be used. The array can
sustain multiple drive losses so long as no mirror loses all its drives.
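The difference in failure tolerance can be checked with a toy model. The four disks are
named a through d purely for this sketch: in RAID 1+0 they form mirror pairs {a,b} and
{c,d} striped together, while in RAID 0+1 they form striped sets {a,c} and {b,d}
mirrored against each other:

```python
def raid10_survives(failed):
    mirror_pairs = [{"a", "b"}, {"c", "d"}]
    # Survives as long as every mirror pair keeps at least one disk.
    return all(pair - failed for pair in mirror_pairs)

def raid01_survives(failed):
    striped_sets = [{"a", "c"}, {"b", "d"}]
    # Survives only if at least one striped set is completely intact.
    return any(not (s & failed) for s in striped_sets)

failed = {"a", "d"}              # one disk lost on each side of the mirror
print(raid10_survives(failed))   # True: both mirror pairs still have a member
print(raid01_survives(failed))   # False: both striped sets are damaged
```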
Many configurations other than the basic numbered RAID levels are possible, and many
companies, organizations, and groups have created their own non-standard
configurations, in many cases designed to meet the specialised needs of a small niche
group. Most of these non-standard RAID levels are proprietary.
• Storage Computer Corporation uses RAID 7, which adds caching to RAID 3 and
RAID 4 to improve I/O performance.
• EMC Corporation offered RAID S as an alternative to RAID 5 on their Symmetrix
systems (which is no longer supported on the latest releases of Enginuity, the
Symmetrix's operating system).
• The ZFS filesystem, available in Solaris, OpenSolaris, FreeBSD and Mac OS X,
offers RAID-Z, which solves RAID 5's write hole problem.
• NetApp's Data ONTAP uses RAID-DP (also referred to as "double", "dual" or
"diagonal" parity), which is a form of RAID 6, but unlike many RAID 6
implementations, does not use distributed parity as in RAID 5. Instead, two
unique parity disks with separate parity calculations are used. This is a
modification of RAID 4 with an extra parity disk.
• Accusys Triple Parity (RAID TP) implements three independent parities by
extending RAID 6 algorithms on its FC-SATA and SCSI-SATA RAID controllers
to tolerate three-disk failure.
• Linux MD RAID10 (RAID10) implements a general RAID driver that defaults to a
standard RAID 1+0 with four drives, but can have any number of drives. With the f2
layout, MD RAID10 can run striped and mirrored with only two drives (mirroring with
striped reads; normal Linux software RAID 1 does not stripe reads, but can read in
parallel)[5].
• Infrant (now part of Netgear) X-RAID offers dynamic expansion of a RAID 5
volume without having to back up and restore the existing content. Larger drives are
added one at a time; each is allowed to resync before the next is added, and the
resulting volume capacity is increased without user downtime.
• BeyondRAID created by Data Robotics and used in the Drobo series of products,
implements both mirroring and striping simultaneously or individually dependent
on disk and data context. BeyondRAID is more automated and easier to use than
many standard RAID levels. It also offers instant expandability without
reconfiguration, the ability to mix and match drive sizes and the ability to reorder
disks. It is a block-level system and thus file system agnostic although today
support is limited to NTFS, HFS+, FAT32, and EXT3. It also utilizes thin
provisioning to allow for single volumes up to 16TB depending on the host
operating system support.
Implementations
The distribution of data across multiple drives can be managed either by dedicated
hardware or by software. When done in software, the software may be part of the
operating system, or it may be part of the firmware and drivers supplied with a hardware
RAID card.
Microsoft's server operating systems support three RAID levels: RAID 0, RAID 1, and
RAID 5. Some Microsoft desktop operating systems also support RAID: Windows XP
Professional, for example, supports RAID level 0, in addition to spanning multiple disks,
but only when using dynamic disks and volumes.
NetBSD supports RAID 0, RAID 1, RAID 4 and RAID 5 (and any nested combination of
those like 1+0) via its software implementation, named raidframe.
OpenSolaris and Solaris 10 support RAID 0, RAID 1, RAID 5, and RAID 6 (and any
nested combination of those, like 1+0) via ZFS, and can now boot from a ZFS volume on
x86. Through SVM, Solaris 10 and earlier versions support RAID 0, RAID 1, and RAID 5
on both system and data drives.
The software must run on a host server attached to storage, and the server's processor
must dedicate processing time to run the RAID software. This is negligible for RAID 0
and RAID 1, but may be significant for more complex parity-based schemes. Furthermore,
all the buses between the processor and the disk controller must carry the extra data
required by RAID, which may cause congestion.
Another concern with operating system-based RAID is the boot process: it can be
difficult or impossible to set up the boot process so that it can fail over to another drive
if the usual boot drive fails, so such systems can require manual intervention to make the
machine bootable again after a failure. Finally, operating system-based RAID usually
uses formats specific to the operating system in question, so it cannot generally be used
for partitions that are shared between operating systems as part of a multi-boot setup.
Hardware-based
Hardware RAID controllers use different, proprietary disk layouts, so it is not usually
possible to span controllers from different manufacturers. They do not require processor
resources, the BIOS can boot from them, and tighter integration with the device driver
may offer better error handling.
Most hardware implementations provide a read/write cache, which, depending on the I/O
workload, will improve performance. In most systems the write cache is non-volatile (i.e.
battery-protected), so pending writes are not lost on a power failure.
Operating system-based RAID cannot easily be used to protect the boot process and is
generally impractical on desktop versions of Windows (as described above). Hardware
RAID controllers are expensive. To fill this gap, cheap "RAID controllers" were
introduced that do not contain a RAID controller chip, but simply a standard disk
controller chip with special firmware and drivers. During early stage bootup the RAID is
implemented by the firmware; when a protected-mode operating system kernel such as
Linux or a modern version of Microsoft Windows is loaded the drivers take over.
Both hardware and software RAIDs with redundancy may support the use of hot spare
drives, a drive physically installed in the array which is inactive until an active drive fails,
when the system automatically replaces the failed drive with the spare, rebuilding the
array with the spare drive included. This reduces the mean time to recovery (MTTR),
though it doesn't eliminate it completely. A second drive failure in the same RAID
redundancy group before the array is fully rebuilt will result in loss of the data; rebuilding
can take several hours, especially on busy systems.
Rapid replacement of failed drives is important as the drives of an array will all have had
the same amount of use, and may tend to fail at about the same time rather than
randomly. RAID 6 without a spare uses the same number of drives as RAID 5 with a hot
spare and protects data against simultaneous failure of up to two drives, but requires a
more advanced RAID controller.
The theory behind the error correction in RAID assumes that failures of drives are
independent. Given these assumptions it is possible to calculate how often they can fail
and to arrange the array to make data loss arbitrarily improbable.
In practice, the drives are often the same age, with similar wear. Since many drive
failures are due to mechanical issues, which are more likely on older drives, this violates
those assumptions and failures are in fact statistically correlated. In practice, then, the
chance of a second failure before the first has been recovered is not nearly as unlikely as
might be supposed, and data loss can occur at significant rates.[8]
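Under the independence assumption, the chance of a second failure during a rebuild
window follows directly from the per-drive failure probability. Both numbers below are
invented for illustration; as the text notes, correlated failures make real-world odds
worse than this estimate:

```python
n = 8                      # drives remaining after the first failure (assumed)
p_window = 0.001           # assumed per-drive failure probability during rebuild

# P(at least one of n independent drives fails) = 1 - P(none fail)
p_second = 1 - (1 - p_window) ** n
print(f"{p_second:.4%}")   # just under 0.8% for these inputs
```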
Atomicity
Atomicity is a little-understood and rarely mentioned failure mode for redundant storage
systems that do not utilize transactional features. Database researcher Jim Gray wrote
"Update in Place is a Poison Apple"[9] during the early days of relational database
commercialization. However, this warning largely went unheeded and fell by the wayside
upon the advent of RAID, which many software engineers mistook as solving all data
storage integrity and reliability problems. Many software programs update a storage
object "in-place"; that is, they write a new version of the object on to the same disk
addresses as the old version of the object. While the software may also log some delta
information elsewhere, it expects the storage to present "atomic write semantics,"
meaning that the write of the data either occurred in its entirety or did not occur at all.
However, very few storage systems provide support for atomic writes, and even fewer
specify their rate of failure in providing this semantic. Note that during the act of writing
an object, a RAID storage device will usually be writing all redundant copies of the
object in parallel, although overlapped or staggered writes are more common when a
single RAID processor is responsible for multiple drives. Hence an error that occurs
during the process of writing may leave the redundant copies in different states, and
furthermore may leave the copies in neither the old nor the new state. The little known
failure mode is that delta logging relies on the original data being either in the old or the
new state so as to enable backing out the logical change, yet few storage systems provide
an atomic write semantic on a RAID disk.
While the battery-backed write cache may partially solve the problem, it is applicable
only to a power failure scenario.
Since transactional support is not universally present in hardware RAID, many operating
systems include transactional support to protect against data loss during an interrupted
write. Novell Netware, starting with version 3.x, included a transaction tracking system.
Microsoft introduced transaction tracking via the journaling feature in NTFS. NetApp
WAFL file system solves it by never updating the data in place, as does ZFS.
An unrecoverable bit error can present as a sector read failure. Some RAID
implementations protect against this failure mode by remapping the bad sector, using the
redundant data to retrieve a good copy of the data, and rewriting that good data to the
newly mapped replacement sector.
The UBE (Unrecoverable Bit Error) rate is typically specified at 1 bit in 10^15 for
enterprise class disk drives (SCSI, FC, SAS), and 1 bit in 10^14 for desktop class disk
drives (IDE/ATA/PATA, SATA). Increasing disk capacities and large RAID 5
redundancy groups have led to an increasing inability to successfully rebuild a RAID
group after a disk failure because an unrecoverable sector is found on the remaining
drives. Double protection schemes such as RAID 6 are attempting to address this issue,
but suffer from a very high write penalty.
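The scale of the problem can be seen with a back-of-the-envelope calculation. The drive
count and capacity below are assumptions chosen for illustration:

```python
surviving_drives = 3            # assumed drives that must be read in full to rebuild
capacity_bits = 1e12 * 8        # assumed 1 TB per drive, in bits
ube_rate = 1e-14                # desktop-class: 1 bit in 10^14

# P(every bit reads cleanly) = (1 - rate)^(bits read during the rebuild)
bits_read = surviving_drives * capacity_bits
p_clean_rebuild = (1 - ube_rate) ** bits_read
print(f"{p_clean_rebuild:.1%}")  # roughly 79% for these inputs
```

Even with these modest sizes, roughly one rebuild in five would hit an unrecoverable
sector, which is why larger arrays increasingly need double protection such as RAID 6.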
Often a battery protects the write cache, largely solving the problem. If a write fails
because of a power failure, the controller may complete the pending writes when power is
restored. This solution still has potential failure cases: the battery may have worn out, the
power may be off for too long, the disks could be moved to another controller, or the
controller itself could fail. Some disk systems provide the capability of testing the battery
periodically; however, this leaves the system without a fully charged battery for several
hours.
An additional concern about write cache reliability is that many of them are write-back
caches: a caching system that reports the data as written as soon as it is written to cache,
as opposed to the non-volatile medium[10]. The safer cache technique is write-through,
which reports transactions as written only when they are written to the non-volatile
medium.
The disk formats on different RAID controllers are not necessarily compatible, so that it
may not be possible to read a RAID on different hardware. Consequently a non-disk
hardware failure may require using identical hardware, or a data backup, to recover the
data. Software RAID, however, such as that implemented in the Linux kernel, alleviates
this concern, as the setup is not hardware-dependent but runs on ordinary disk controllers.
Additionally, Software RAID1 disks can be read like normal disks, so no RAID system is
required to retrieve the data.
History
Norman Ken Ouchi at IBM was awarded a 1978 U.S. patent 4,092,732[11] titled "System
for recovering data stored in failed memory unit." The claims for this patent describe
what would later be termed RAID 5 with full stripe writes. This 1978 patent also
mentions that disk mirroring or duplexing (what would later be termed RAID 1) and
protection with dedicated parity (that would later be termed RAID 4) were prior art at
that time.
The term RAID was first defined by David A. Patterson, Garth A. Gibson and Randy
Katz at the University of California, Berkeley in 1987. They studied the possibility of
using two or more drives to appear as a single device to the host system and published a
paper: "A Case for Redundant Arrays of Inexpensive Disks (RAID)" in June 1988 at the
SIGMOD conference.[1]
Fields
The four octets that make up an IP address are conventionally represented by a, b, c, and
d respectively. The following table shows how the octets are distributed in classes A, B,
and C.
Class A: Class A addresses are assigned to networks with a large number of total hosts.
Class A allows for 126 networks by using the first octet for the network ID. The first bit
in this octet is always fixed to zero, and the next seven bits complete the network ID. The
24 bits in the remaining octets represent the host ID, allowing 126 networks and
approximately 17 million hosts per network. Class A network number values begin at 1
and end at 127 (with 127 reserved for loopback).
Class B: Class B addresses are assigned to medium-to-large-sized networks. Class B
allows for 16,384 networks by using the first two octets for the network ID. The first two
bits of the first octet are always fixed to 1 0. The remaining 6 bits, together with the
next octet, complete the network ID. The 16 bits in the third and fourth octets represent
the host ID, allowing for approximately 65,000 hosts per network. Class B network
number values begin at 128 and end at 191.
Class C: Class C addresses are used in small local area networks (LANs). Class C allows
for approximately 2 million networks by using the first three octets for the network ID.
In a class C address, the first three bits are always fixed to 1 1 0, and the remaining 21
bits of the first three octets complete the network ID. The 8 bits of the last octet
represent the host ID, allowing for 254 hosts per network. Class C network number
values begin at 192 and end at 223.
Class D and E: Classes D and E are not allocated to hosts. Class D addresses are used
for multicasting, and class E addresses are not available for general use: they are reserved
for future purposes.
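The class rules above reduce to a check on the first octet. A minimal sketch (classful
addressing is historical; modern networks use CIDR instead):

```python
def ip_class(address):
    """Classful category of a dotted-quad IPv4 address, from its first octet."""
    first = int(address.split(".")[0])
    if 1 <= first <= 127:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    if 224 <= first <= 239:
        return "D"     # multicast
    if 240 <= first <= 255:
        return "E"     # reserved for future use
    raise ValueError("invalid first octet")

print(ip_class("10.0.0.1"))      # A
print(ip_class("172.16.0.1"))    # B
print(ip_class("224.0.0.5"))     # D
```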
A virtual private network (VPN) is a computer network in which some of the links
between nodes are carried by open connections or virtual circuits in some larger network
(e.g., the Internet) instead of by physical wires. The link-layer protocols of the virtual
network are said to be tunneled through the larger network when this is the case. One
common application is secure communications through the public Internet, but a VPN
need not have explicit security features, such as authentication or content encryption.
VPNs, for example, can be used to separate the traffic of different user communities over
an underlying network with strong security features.
A VPN may have best-effort performance, or may have a defined service level agreement
(SLA) between the VPN customer and the VPN service provider. Generally, a VPN has a
topology more complex than point-to-point.
It became useful first to distinguish among different kinds of IP VPN based on the
administrative relationships, not the technology, interconnecting the nodes. Once the
relationships were defined, different technologies could be used, depending on
requirements such as security and quality of service.
When an enterprise interconnected a set of nodes, all under its administrative control,
through a LAN, that was termed an intranet [2]. When the interconnected nodes
were under multiple administrative authorities, but were hidden from the public Internet,
the resulting set of nodes was called an extranet. Both intranets and extranets could be
managed by a user organization, or the service could be obtained as a contracted offering,
usually customized, from an IP service provider. In the latter case, the user organization
contracted for layer 3 services much as it had contracted for layer 1 services such as
dedicated lines, or multiplexed layer 2 services such as frame relay.
Routing
Tunneling protocols can be used in a point-to-point topology that would generally not be
considered a VPN, because a VPN is expected to support arbitrary and changing sets of
network nodes. Since most router implementations support a software-defined tunnel
interface, customer-provisioned VPNs are often simply a set of tunnels over which
conventional routing protocols run. PPVPNs, however, need to support the coexistence of
multiple VPNs, hidden from one another, but operated by the same service provider.
Depending on whether the PPVPN is layer 2 or layer 3, the building blocks described
below may be L2 only, L3 only, or combinations of the two. MPLS functionality blurs
the L2-L3 identity.
While these terms were generalized to cover L2 and L3 VPNs in RFC 4026, they were
introduced in RFC 2547. [4]
A PE (provider edge) is a device, or set of devices, at the edge of the provider network
that presents the provider's view of the customer site. PEs are aware of the VPNs that
connect through them, and maintain VPN state.
A P (provider) device is inside the provider's core network and does not directly
interface to any customer endpoint. It might, for example, provide routing for many
provider-operated tunnels that belong to different customers' PPVPNs. While the P
device is a key part of implementing PPVPNs, it is not itself VPN-aware and does not
maintain VPN state. Its principal role is allowing the service provider to scale its
PPVPN offerings, for example by acting as an aggregation point for multiple PEs.
P-to-P connections, in such a role, often are high-capacity optical links between major
locations of the provider.
Virtual private wire and private line services (VPWS and VPLS)
In both of these services, the provider does not offer a full routed or bridged network, but
components from which the customer can build customer-administered networks. VPWS
are point-to-point while VPLS can be point-to-multipoint. They can be Layer 1 emulated
circuits with no data link structure.
It is the customer that determines the overall customer VPN service, which can involve
routing, bridging, or host network elements.
There is an unfortunate acronym collision between Virtual Private Line Service and
Virtual Private LAN Service; the context should make it clear whether the layer 1 virtual
private line or the layer 2 virtual private LAN is meant.
A Layer 2 technique that allows for the coexistence of multiple LAN broadcast domains,
interconnected via trunks using the IEEE 802.1Q trunking protocol. Other trunking
protocols have been used but are obsolete, including Inter-Switch Link (ISL), IEEE
802.10 (originally a security protocol but a subset was introduced for trunking), and
ATM LAN Emulation (LANE).
Developed by IEEE, VLANs allow multiple tagged LANs to share common trunking.
VLANs frequently are composed only of customer-owned facilities. The virtual private
line, by contrast, is a layer 1 technology that supports emulation of both point-to-point
and point-to-multipoint topologies. The method discussed here is an extension of Layer 2
technologies such as 802.1d and 802.1q LAN trunking, extended to run over transports
such as Metro Ethernet.
As used in this context, a VPLS is a Layer 2 PPVPN, rather than a private line, emulating
the full functionality of a traditional Local Area Network (LAN). From a user standpoint,
a VPLS makes it possible to interconnect several LAN segments over a packet-switched,
or optical, provider core; a core transparent to the user, making the remote LAN segments
behave as one single LAN.
In a VPLS, the provider network emulates a learning bridge, which optionally may
include VLAN service.
A pseudo wire (PW) is similar to VPWS, but can provide different L2 protocols at both
ends. Typically, its interface is a WAN protocol such as ATM or Frame Relay. In
contrast, when the goal is to provide the appearance of a LAN contiguous between two or
more locations, the Virtual Private LAN service or IPLS would be appropriate.
IPLS is a subset of VPLS in which the CE (customer edge) devices must have L3
capabilities; the IPLS presents packets rather than frames. It may support IPv4 or IPv6.
This section discusses the main architectures for PPVPNs, one where the PE
disambiguates duplicate addresses in a single routing instance, and the other, virtual
router, in which the PE contains a virtual router instance per VPN. The former approach,
and its variants, have gained the most attention.
One of the challenges of PPVPNs is that different customers may use the same address
space, especially the IPv4 private address space[5]. The provider must be able to
disambiguate overlapping addresses in the multiple customers' PPVPNs.
[edit] BGP/MPLS PPVPN
In the method defined by RFC 2547, BGP extensions are used to advertise routes in the
IPv4 VPN address family, which are of the form of 12-byte strings, beginning with an 8-
byte Route Distinguisher (RD) and ending with a 4-byte IPv4 address. RDs disambiguate
otherwise duplicate addresses in the same PE.
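The 12-byte layout can be sketched with Python's struct module. The type-0 (ASN-based)
route distinguisher layout is assumed here, and the ASN and assigned number are
invented for the example:

```python
import socket
import struct

# VPN-IPv4 value: an 8-byte route distinguisher (RD) followed by the 4-byte
# IPv4 address. Type-0 RD: 2-byte type field, 2-byte ASN, 4-byte assigned
# number. Prepending the RD keeps otherwise identical customer addresses
# distinct within the same PE.
def vpn_ipv4(asn, assigned_number, address):
    rd = struct.pack("!HHI", 0, asn, assigned_number)  # 8-byte RD
    return rd + socket.inet_aton(address)              # + 4-byte IPv4 address

value = vpn_ipv4(65000, 1, "10.0.0.1")
print(len(value))   # 12
```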
PEs understand the topology of each VPN, which are interconnected with MPLS tunnels,
either directly or via P routers. In MPLS terminology, the P routers are Label Switch
Routers without awareness of VPNs.
Virtual router architectures do not need to disambiguate addresses, because rather than a
PE router having awareness of all the PPVPNs, the PE contains multiple virtual router
instances, which belong to one and only one VPN.
Some ISPs now offer managed VPN service for business customers who want the
security and convenience of a VPN but prefer not to undertake administering a VPN
server themselves. Managed VPNs go beyond PPVPN scope, and are a contracted
security solution that can reach into hosts. In addition to providing remote workers with
secure access to their employer's internal network, other security and management
services are sometimes included as part of the package. Examples include keeping anti-
virus and anti-spyware programs updated on each client's computer.
A known trusted user, sometimes only when using trusted devices, can be provided with
appropriate security privileges to access resources not available to general users. Servers
may also need to authenticate themselves to join the VPN.
There are a wide variety of authentication mechanisms, which may be implemented in
devices including firewalls, access gateways, and other devices. They may use
passwords, biometrics, or cryptographic methods. Strong authentication involves
combining cryptography with another authentication mechanism. The authentication
mechanism may require explicit user action, or may be embedded in the VPN client or
the workstation.
Trusted VPNs (sometimes referred to as APNs - Actual Private Networks)[citation needed] do not
use cryptographic tunneling, and instead rely on the security of a single provider's
network to protect the traffic. In a sense, these are an elaboration of traditional network
and system administration work.
• IPsec (IP security) - commonly used over IPv4, and a "standard option" in IPv6.
• SSL/TLS used either for tunneling the entire network stack, as in the OpenVPN
project, or for securing what is, essentially, a web proxy. SSL is a framework
more often associated with e-commerce, but it has been built-upon by a number of
vendors to provide remote access VPN capabilities. A major practical advantage
of an SSL-based VPN is that it can be accessed from the locations that restrict
external access to SSL-based e-commerce websites only, thereby preventing VPN
connectivity using IPsec protocols. SSL-based VPNs are vulnerable to trivial
denial-of-service attacks mounted against their TCP connections, because the latter are
inherently unauthenticated.
• OpenVPN, an open-source VPN. It is a variation of SSL-based VPN that is
capable of running over UDP. Clients and servers are available for all major
operating systems.
• L2TPv3 (Layer 2 Tunneling Protocol version 3), a newer version of L2TP.
• VPN Quarantine The client machine at the end of a VPN could be a threat and a
source of attack; this has no connection with VPN design and is usually left to
system administration efforts. There are solutions that provide VPN Quarantine
services which run end point checks on the remote client while the client is kept
in a quarantine zone until healthy. Microsoft ISA Server 2004/2006 together with
VPN-Q 2006 from Winfrasoft or an application called QSS (Quarantine Security
Suite) provide this functionality.
• MPVPN (Multi Path Virtual Private Network). MPVPN is a registered trademark
owned by Ragula Systems Development Company. See Trademark Applications
and Registrations Retrieval (TARR)
Mobile VPNs are VPNs designed for mobile and wireless users. They integrate
standards-based authentication and encryption technologies to secure data transmissions
to and from devices and to protect networks from unauthorized users. Built for
wireless environments, Mobile VPNs serve as an access solution for users who are
on the move and require secure access to information and applications over a variety of
wired and wireless networks. Mobile VPNs allow users to roam seamlessly across IP-
based networks and in and out of wireless coverage areas without losing application
sessions or dropping the secure VPN session. For instance, highway patrol officers
require access to mission-critical applications in order to perform their jobs as they travel
across different subnets of a mobile network, much as a cellular radio has to hand off its
link to repeaters at different cell towers.
The global catalog is a distributed data repository that contains a searchable, partial representation of
every object in every domain in a multidomain Active Directory forest. The global catalog is stored on
domain controllers that have been designated as global catalog servers and is distributed through
multimaster replication. Searches that are directed to the global catalog are faster because they do not
involve referrals to different domain controllers.
In addition to configuration and schema directory partition replicas, every domain controller in a
Windows 2000 Server or Windows Server 2003 forest stores a full, writable replica of a single domain
directory partition. Therefore, a domain controller can locate only the objects in its domain. Locating an
object in a different domain would require the user or application to provide the domain of the requested
object.
The global catalog provides the ability to locate objects from any domain without having to know the
domain name. A global catalog server is a domain controller that, in addition to its full, writable domain
directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in
the forest. The additional domain directory partitions are partial because only a limited set of attributes is
included for each object. By including only the attributes that are most used for searching, every object in
every domain in even the largest forest can be represented in the database of a single global catalog
server.
Note
• A global catalog server can also store a full, writable replica of an application directory partition,
but objects in application directory partitions are not replicated to the global catalog as partial,
read-only directory partitions.
The global catalog is built and updated automatically by the Active Directory replication system. The
attributes that are replicated to the global catalog are identified in the schema as the partial attribute set
(PAS) and are defined by Microsoft. However, to optimize searching, you can edit the schema by adding or
removing attributes that are stored in the global catalog.
In Windows 2000 Server environments, any change to the PAS results in full synchronization (update of
all attributes) of the global catalog. Windows Server 2003 reduces the impact of updating the global
catalog by replicating only the attributes that change.
In a single-domain forest, a global catalog server stores a full, writable replica of the domain and does not
store any partial replica. A global catalog server in a single-domain forest functions in the same manner as
a non-global-catalog server except for the processing of forestwide searches.
• Forestwide searches. The global catalog provides a resource for searching an Active Directory
forest. Forestwide searches are identified by the LDAP port that they use. If the search query
uses port 3268, the query is sent to a global catalog server.
• User logon. In a forest that has more than one domain, two conditions require the global catalog:
• In a Windows 2000 native mode domain or a Windows Server 2003 domain at either the
Windows 2000 native or Windows Server 2003 domain functional level, domain controllers
must request universal group membership enumeration from a global catalog server.
• When a user principal name (UPN) is used at logon and the forest has more than one
domain, a global catalog server is required to resolve the name.
• Universal Group Membership Caching: In a forest that has more than one domain, in sites that
have domain users but no global catalog server, Universal Group Membership Caching can be
used to enable caching of logon credentials so that the global catalog does not have to be
contacted for subsequent user logons. This feature eliminates the need to retrieve universal
group memberships across a WAN link from a global catalog server in a different site.
Note
Universal groups are available only in a Windows 2000 Server native mode domain or a
Windows Server 2003 domain at either the Windows 2000 native or Windows Server 2003
domain functional level.
• Exchange Address Book lookups. Servers running Microsoft Exchange 2000 Server and
Exchange Server 2003 rely on access to the global catalog for address information. Users use
global catalog servers to access the global address list (GAL).
Search Requests
Because a domain controller that acts as a global catalog server stores objects for all domains in the
forest, users and applications can use the global catalog to locate objects in any domain within a
multidomain Active Directory forest without a referral to a different server.
When a forest consists of a single domain, every domain controller has a full, writable copy of every object
in the domain and forest. However, it is important to retain the global catalog on at least one domain
controller because many applications use port 3268 for searching. For example, if you do not have any
global catalog servers, the Search command on the Start menu of Windows 2000 Professional,
Windows 2000 Server, Windows XP Professional, and Windows Server 2003 cannot locate objects in Active
Directory.
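The port-based routing described above can be sketched in a few lines. This is a minimal illustration, not a directory client: the hostname and base DN are hypothetical, and real searches would go through an LDAP library.

```python
# Sketch: choosing the LDAP endpoint for a forestwide vs. single-domain
# search. Port 3268 reaches the global catalog (partial attribute set,
# whole forest); port 389 reaches a single domain partition.

GC_PORT = 3268      # global catalog
LDAP_PORT = 389     # standard LDAP

def ldap_url(host: str, base_dn: str, forestwide: bool) -> str:
    """Build an LDAP URL, directing forestwide searches to port 3268."""
    port = GC_PORT if forestwide else LDAP_PORT
    return f"ldap://{host}:{port}/{base_dn}"

# Hypothetical domain controller and base DN:
assert ldap_url("dc1.corp.example.com", "DC=corp,DC=example,DC=com", True) \
       == "ldap://dc1.corp.example.com:3268/DC=corp,DC=example,DC=com"
```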
The replicas that are replicated to the global catalog also include the access permissions for each object
and attribute. If you are searching for an object that you do not have permission to access, you do not
see the object in the list of search results. Users can find only objects to which they are allowed access.
Note
• Universal groups are available only in a Windows 2000 Server native mode domain or a Windows
Server 2003 domain at either the Windows 2000 native or Windows Server 2003 domain
functional level.
The global catalog stores the membership (the member attribute) of only universal groups. The
membership of other groups can be ascertained at the domain level.
Because a universal group can have members from domains other than the domain where the group
object is stored and can be used to provide access to resources in any domain, only a global catalog
server is guaranteed to have all universal group memberships that are required for authentication.
For example, a user might be a member of a universal group that has its group object stored in a different
domain but provides access to resources in the user’s domain. To ensure that the user can be authorized
to access resources appropriately in this domain, the domain controller must have access to the
membership of all universal groups in the forest.
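The reason only a global catalog can answer this question can be illustrated with a toy model: universal group objects live in their home domains, but their member lists span domains, so computing a user's full membership requires a view of every domain's groups. All names and data below are invented.

```python
# Toy model: universal groups (group DN -> member DNs) drawn from two
# domains, as a global catalog's partial replicas would expose them.

universal_groups = {
    "CN=AllManagers,DC=emea,DC=example,DC=com": [
        "CN=Alice,DC=us,DC=example,DC=com",
        "CN=Bob,DC=emea,DC=example,DC=com",
    ],
    "CN=VPNUsers,DC=us,DC=example,DC=com": [
        "CN=Alice,DC=us,DC=example,DC=com",
    ],
}

def memberships(user_dn: str) -> set[str]:
    """Every universal group the user belongs to, forest-wide."""
    return {g for g, members in universal_groups.items() if user_dn in members}

# Alice's memberships cross domain boundaries; a single-domain view
# would miss one of these groups.
assert len(memberships("CN=Alice,DC=us,DC=example,DC=com")) == 2
```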
When a user account is created, the UPN suffix is generated by default as userName@DnsDomainName,
but it can be changed administratively. For example, in a forest that has four domains, the UPN suffix
might be configured to map to the external DNS name for the organization. The userPrincipalName
attribute of the user account identifies the UPN and is replicated to the global catalog.
When you use a UPN to log on to a domain, your workstation contacts a global catalog server to resolve
the name because the UPN suffix is not necessarily the domain for which the contacted domain controller
is authoritative. If the DNS domain name in the UPN suffix is not a valid DNS domain, the logon fails.
Assuming the UPN suffix is a valid DNS name, the global catalog server returns the name of the Active
Directory domain name to your workstation, which then queries DNS for a domain controller in that
domain.
If a company has more than one forest and uses trust relationships between the domains in the different
forests, a UPN cannot be used to log on to a domain that is outside the user’s forest because the UPN is
resolved in the global catalog of the user’s forest.
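The UPN logon flow above can be sketched as two lookups: the global catalog maps the UPN suffix to an Active Directory domain, and DNS then supplies a domain controller for that domain. The two tables here are invented stand-ins for the global catalog and DNS.

```python
# Sketch of UPN logon resolution. Both mappings are hypothetical data
# standing in for the global catalog and DNS SRV records.

gc_upn_suffixes = {          # UPN suffix -> AD domain (from the global catalog)
    "example.com": "corp.example.com",
}
dns_dc_records = {           # AD domain -> a domain controller (from DNS)
    "corp.example.com": "dc1.corp.example.com",
}

def resolve_logon(upn: str) -> str:
    """Return the domain controller that will handle this UPN logon."""
    user, _, suffix = upn.partition("@")
    domain = gc_upn_suffixes.get(suffix)
    if domain is None:
        # Matches the text: an invalid UPN suffix makes the logon fail.
        raise ValueError("logon fails: UPN suffix is not a valid domain")
    return dns_dc_records[domain]

assert resolve_logon("alice@example.com") == "dc1.corp.example.com"
```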
Use the following criteria to determine if a site is a good candidate for Universal Group Membership
Caching:
• Number of users and computers in the site: The site has fewer than 500 combined users and
computers, including transient users who log on occasionally but not on a regular basis. The
cache of a user who logs on once continues to be updated periodically for 180 days after the first
logon. As a general limit, 500 membership caches can be updated at a time; if more than
500 security principals have cached group memberships, some caches might not be updated.
• Number of domain controllers: Each domain controller performs a refresh on every user in its site
once every eight hours. Depending on the number of domains in the forest, 500 security
principals and two domain controllers could generate more WAN traffic than placing a global
catalog server in the site. Therefore, you need to weigh the WAN costs when exceeding
500 security principals and two domain controllers.
• Tolerance for high latency in group updates. Because domain controllers in the site where
Universal Group Membership Caching is enabled update the membership caches every eight
hours, and because credentials are always taken from the cache, updates to group memberships
are not reflected in the security principal’s credentials for up to eight hours.
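The criteria above reduce to a simple check. This is a rough sketch of the quoted guidance, not Microsoft tooling; the thresholds are the ones in the text, and collapsing them into a boolean is a simplification of what is really a judgment call about WAN cost.

```python
# Rough sketch of the site-suitability guidance for Universal Group
# Membership Caching. Thresholds come from the text above; treating the
# DC-count rule as a hard cutoff is an assumption for illustration.

def caching_candidate(principals: int, domain_controllers: int,
                      tolerates_8h_latency: bool) -> bool:
    """True if a site fits the quoted guidance for membership caching."""
    return (principals < 500                # users + computers in the site
            and domain_controllers <= 2     # refresh traffic stays modest
            and tolerates_8h_latency)       # group changes lag up to 8 hours

assert caching_candidate(300, 2, True)
assert not caching_candidate(800, 2, True)   # too many security principals
```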
Global catalog servers have the following dependencies and interactions with other Windows Server
technologies:
• Active Directory installation. When Active Directory is installed on the first domain controller in a
forest, the installation application creates that domain controller as a global catalog server.
• Active Directory replication. The global catalog is built and maintained by Active Directory
replication:
• When a domain controller is designated as a global catalog server, Active Directory
replication automatically transfers PAS replicas to the domain controller, including the
partial replica of every domain in the forest other than the local domain.
• When building the replication topology, replication selects global catalog servers as
bridgehead servers whenever a global catalog server is present in a site and domains that
are not present in the site exist in other sites in the forest.
• Domain Name System (DNS). Global catalog server clients depend on DNS to provide the IP
address of global catalog servers. DNS is required to advertise global catalog servers for domain
controller location.
• Net Logon service. Global catalog advertisement in DNS depends on the Net Logon service to
perform DNS registrations. When replication of the global catalog is complete, or when a global
catalog server starts, the Net Logon service publishes service (SRV) resource records in DNS that
specifically advertise the domain controller as a global catalog server.
• Domain controller Locator: When a global catalog server is requested (by a user or application
that launches a search over port 3268, or by a domain controller that is authenticating a user
logon), the domain controller Locator queries DNS for a global catalog server.
In the following diagram, global catalog interactions include tracking a global catalog server through the
following interactions, which are indicated by boxes:
• Active Directory installation of a new forest: Global catalog creation occurs during Active
Directory installation of the first domain controller in the forest.
• Net Logon registration: Resource records are registered in DNS to advertise the domain
controller as a global catalog server.
• DC1 in DomainA replicates changes for DomainA to DC2, and DC2 replicates updates to
• DC location: The dotted lines enclose the processes whereby two clients locate a global catalog
server:
• A through C: (A) ClientX sends a query to the global catalog, which prompts (B) a DNS
query to locate the closest global catalog server, and then (C) the client contacts the returned
global catalog server DC2 to resolve the query.
• 1 through 5: (1) ClientY logs on to the domain, which prompts (2) a DNS query for the
closest domain controllers. (3) ClientY contacts the returned domain controller DC3 for
authentication. (4) DC3 queries DNS to find the closest global catalog server and then (5)
contacts the returned global catalog server DC2 to retrieve the universal groups for the user.
Related Information
Active Directory
From Wikipedia, the free encyclopedia
Active Directory, used primarily in Windows environments, allows administrators to
assign policies, deploy software, and apply critical updates across an organization.
Active Directory stores information and settings in a central database.
Active Directory networks can vary from a small installation with a few hundred objects,
to a large installation with millions of objects.
Active Directory was previewed in 1996, released first with Windows 2000 Server
edition, and revised to extend functionality and improve administration in Windows
Server 2003. Additional improvements were made in both Windows Server 2003 R2 and
Windows Server 2008.
Active Directory was called NTDS (NT Directory Service) in older Microsoft
documents. This name can still be seen in some AD binaries.
[edit] Structure
Active Directory is a directory service used to store information about the network
resources across a domain and also to centralize the network.
Role                   Number         Description
Domain Naming Master   1 per forest   Controls the addition and removal of domains from the
                                      forest; present in the root domain.
PDC Emulator           1 per domain   Provides backwards compatibility for NT4 clients for PDC
                                      operations (like password changes). The PDC also runs
                                      domain-specific processes such as the Security Descriptor
                                      Propagator (SDPROP), and is the master time server within
                                      the domain.
RID Master             1 per domain   Allocates pools of unique identifiers to domain
                                      controllers for use when creating objects.
Infrastructure Master  1 per domain   Synchronizes cross-domain group membership changes. The
                                      infrastructure master cannot run on a global catalog
                                      server (unless all DCs are also GCs).
[edit] Naming
AD supports UNC (\), URL (/), and LDAP URL names for object access. AD internally
uses the LDAP version of the X.500 naming structure.
Every object has a Distinguished Name (DN); a printer object called HPLaser3 in the
OU Marketing and the domain foo.org would have the DN
CN=HPLaser3,OU=Marketing,DC=foo,DC=org, where CN is common name and DC is
domain component. DNs can have many more than four parts. The object can also have a
Canonical Name, essentially the DN in reverse, without identifiers, and using slashes:
foo.org/Marketing/HPLaser3. To identify the object within its container, the Relative
Distinguished Name (RDN) is used: CN=HPLaser3. Each object also has a Globally
Unique Identifier (GUID), a unique and unchanging 128-bit string which is used by AD
for search and replication. Certain objects also have a User Principal Name (UPN), an
objectname@domain name form.
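The DN-to-canonical-name relationship above is a mechanical transformation: join the DC parts with dots, reverse the remaining RDNs, and drop the attribute identifiers. A minimal sketch, assuming simple DNs with no escaped commas:

```python
# Convert a Distinguished Name to its Canonical Name form, per the
# rules above. Assumes a simple DN without escaped commas.

def canonical_name(dn: str) -> str:
    parts = [p.split("=", 1) for p in dn.split(",")]
    dcs = [v for k, v in parts if k == "DC"]      # domain components
    rest = [v for k, v in parts if k != "DC"]     # CN/OU components
    # Domain first (dotted), then containers outermost-first, slash-separated.
    return "/".join([".".join(dcs)] + list(reversed(rest)))

assert canonical_name("CN=HPLaser3,OU=Marketing,DC=foo,DC=org") == \
       "foo.org/Marketing/HPLaser3"
```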
[edit] Trust
To allow users in one domain to access resources in another, AD uses trusts. Trusts inside
a forest are automatically created when domains are created. The forest sets the default
boundaries of trust, not the domain, and implicit, transitive trust is automatic for all
domains within a forest. As well as two-way transitive trust, AD trusts can be shortcut
(joins two domains in different trees, transitive, one- or two-way), forest (transitive, one-
or two-way), realm (transitive or nontransitive, one- or two-way), or external
(nontransitive, one- or two-way) in order to connect to other forests or non-AD domains.
• One-way trust - One domain allows access to users on another domain, but the
other domain does not allow access to users on the first domain.
• Two-way trust - Two domains allow access to users on the other domain.
• Trusting domain - The domain that allows access to users from a trusted domain.
• Trusted domain - The domain that is trusted; whose users have access to the
trusting domain.
• Transitive trust - A trust that can extend beyond two domains to other trusted
domains in the tree.
• Intransitive trust - A one way trust that does not extend beyond two domains.
• Explicit trust - A trust that an admin creates. It is not transitive and is one way
only.
• Cross-link trust - An explicit trust between domains in different trees or in the
same tree when a descendant/ancestor (child/parent) relationship does not exist
between the two domains.
• Shortcut trust - A trust joining two domains in different trees; transitive, one- or
two-way.
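The transitive/intransitive distinction above can be made concrete with a toy trust graph: a transitive trust extends through further transitive trusts, while an intransitive trust reaches only its direct participant. Domain names here are invented.

```python
# Toy model of trust relationships: directed edges from trusting domain
# to trusted domain, each flagged transitive or not.

trusts = {  # trusting domain -> [(trusted domain, transitive?)]
    "a.example": [("b.example", True)],
    "b.example": [("c.example", True), ("legacy.example", False)],
}

def trusted_by(domain: str) -> set[str]:
    """Domains whose users `domain` will accept, honoring transitivity."""
    seen: set[str] = set()
    frontier = [(domain, True)]  # (node, path so far is all transitive)
    while frontier:
        current, via_transitive = frontier.pop()
        for target, transitive in trusts.get(current, []):
            direct = current == domain
            # Direct trusts always count; beyond one hop, every edge on
            # the path must be transitive.
            if (direct or (via_transitive and transitive)) and target not in seen:
                seen.add(target)
                frontier.append((target, via_transitive and transitive))
    return seen

# a trusts c through two transitive hops, but b's intransitive trust of
# legacy.example does not extend to a.
assert trusted_by("a.example") == {"b.example", "c.example"}
assert trusted_by("b.example") == {"c.example", "legacy.example"}
```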
Windows 2003 offers a new trust type - the forest root trust. This type of trust can be
used to connect Windows 2003 forests if they are operating at the 2003 forest functional
level. Authentication across this type of trust is Kerberos based (as opposed to NTLM).
Forest trusts are also transitive for all the domains in the forests that are trusted.
Like Active Directory, ADAM provides a Data Store, which is a hierarchical datastore
for storage of directory data, and a Directory Service with an LDAP Directory Service
Interface. Unlike Active Directory, however, multiple ADAM instances can be run on the
same server, with each instance having its own schema, as required by applications
making use of the ADAM directory service.
In Windows Server 2008, ADAM has been renamed AD LDS (Lightweight Directory
Services).
There are also third-party vendors who offer Active Directory integration for Unix
platforms (including UNIX, Linux, Mac OS X, and a number of Java- and UNIX-based
applications). Some of these vendors include Thursby Software Systems (ADmitMac),
Quest Software (Vintela Authentication Services), Centrify (DirectControl), and
Likewise Software (Likewise Open and Likewise Enterprise). Microsoft is also in this
market with their free Microsoft Windows Services for UNIX product.
The schema additions shipped with Windows Server 2003 release 2 include attributes that
map closely enough to RFC 2307 to be generally usable. The reference implementation
of RFC 2307, nss_ldap and pam_ldap provided by PADL.com, contains support for using
these attributes directly, provided they have been populated. The default Active Directory
schema for group membership complies with the proposed extension, RFC 2307bis.
RFC 2307bis specifies storing Unix group membership using LDAP member attributes, as
opposed to the base RFC 2307, which specified storing group membership as a comma-
separated list of user IDs (as was done in the Unix group file). Windows 2003 R2 includes
an MMC snap-in that creates and edits the attributes.
An alternate option is to use another directory service such as Fedora Directory Server
(formerly Netscape Directory Server) or Sun Microsystems Sun Java System Directory
Server, which can perform a two-way synchronization with Active Directory and thus
provide a "deflected" integration with Active Directory as Unix and Linux clients will
authenticate to FDS and Windows Clients will authenticate to Active Directory. Another
option is to use OpenLDAP with its translucent overlay, which can extend entries in any
remote LDAP server with additional attributes stored in a local database. Clients pointed
at the local database will see entries containing both the remote and local attributes, while
the remote database remains completely untouched.
Samba 4, still in testing state as of August 8, 2008, plans to include an Active Directory
compatible server.
The Domain Name System makes it possible to assign domain names to groups of
Internet users in a meaningful way, independent of each user's physical location. Because
of this, World-Wide Web (WWW) hyperlinks and Internet contact information can
remain consistent and constant even if the current Internet routing arrangements change
or the participant uses a mobile device. Internet domain names are easier to remember
than IP addresses such as 208.77.188.166 (IPv4) or
2001:db8:1f70::999:de8:7648:6e8 (IPv6). People take advantage of this when they
recite meaningful URLs and e-mail addresses without having to know how the machine
will actually locate them.
The Domain Name System distributes the responsibility for assigning domain names and
mapping them to Internet Protocol (IP) networks by designating authoritative name
servers for each domain to keep track of their own changes, avoiding the need for a
central register to be continually consulted and updated.
In general, the Domain Name System also stores other types of information, such as the
list of mail servers that accept email for a given Internet domain. By providing a world-
wide, distributed keyword-based redirection service, the Domain Name System is an
essential component of the functionality of the Internet.
Other identifiers such as RFID tags, UPC codes, international characters in email
addresses and host names, and a variety of other identifiers could all potentially use
DNS [1].
The Domain Name System also defines the technical underpinnings of the functionality
of this database service. For this purpose it defines the DNS protocol, a detailed
specification of the data structures and communication exchanges used in DNS, as part of
the Internet Protocol Suite (TCP/IP). The context of the DNS within the Internet
protocols may be seen in the following diagram. The DNS protocol was developed and
defined in the early 1980s and published by the Internet Engineering Task Force (cf.
History).
The practice of using a name as a more human-legible abstraction of a machine's
numerical address on the network predates even TCP/IP. This practice dates back to the
ARPANET era, when a different system was used. The DNS was invented in 1983, shortly
after TCP/IP was deployed.
With the older system, each computer on the network retrieved a file called HOSTS.TXT
from a computer at SRI (now SRI International).[2][3] The HOSTS.TXT file mapped
numerical addresses to names. A hosts file still exists on most modern operating
systems, either by default or through configuration, and allows users to specify an IP
address (e.g. 208.77.188.166) to use for a hostname (e.g. www.example.net) without
checking DNS. Systems based on hosts files have inherent limitations, because of the
obvious requirement that every time a given computer's address changed, every computer
that seeks to communicate with it would need an update to its hosts file.
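The HOSTS.TXT approach can be shown in miniature: a flat file mapping addresses to names, in the hosts(5) style still used by modern systems (address, then one or more names; `#` starts a comment). The sample content is invented.

```python
# Parse hosts-file-style text into a name -> address table, the way
# pre-DNS resolvers (and /etc/hosts today) resolve names.

sample = """\
# sample hosts data
208.77.188.166  www.example.net example.net
10.0.0.5        printer.local
"""

def parse_hosts(text: str) -> dict[str, str]:
    """Map each hostname to its address."""
    table: dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            table[name] = address
    return table

assert parse_hosts(sample)["www.example.net"] == "208.77.188.166"
```

The scaling flaw described next is visible here: the table is only as current as the last copy of the file each host fetched.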
The growth of networking required a more scalable system that recorded a change in a
host's address in one place only. Other hosts would learn about the change dynamically
through a notification system, thus completing a globally accessible network of all
hosts' names and their associated IP addresses.
At the request of Jon Postel, Paul Mockapetris invented the Domain Name System in 1983
and wrote the first implementation. The original specifications appear in RFC 882 and
RFC 883. In November 1987, the publication of RFC 1034 and RFC 1035 updated the DNS
specification and made RFC 882 and RFC 883 obsolete. Several more-recent RFCs have
proposed various extensions to the core DNS protocols.
In 1984, four Berkeley students (Douglas Terry, Mark Painter, David Riggle and Songnian
Zhou) wrote the first UNIX implementation, which was maintained by Ralph Campbell
thereafter. In 1985, Kevin Dunlap of DEC significantly re-wrote the DNS implementation
and renamed it BIND (Berkeley Internet Name Domain). Mike Karels, Phil Almquist and
Paul Vixie have maintained BIND since then. BIND was ported to the Windows NT platform
in the early 1990s. BIND was widely distributed, especially on Unix systems, and is the
dominant DNS software in use on the Internet.[4]
With the heavy use and resulting scrutiny of its open-source code, as well as
increasingly more sophisticated attack methods, many security flaws were discovered in
BIND. This contributed to the development of a number of alternative name server and
resolver programs. BIND itself was re-written from scratch in version 9, which has a
security record comparable to other modern Internet software.
[edit] Structure
[edit] The domain name space
Domain names, arranged in a tree, cut into zones, each served by a name server.
The domain name space consists of a tree of domain names. Each node or leaf in the tree
has zero or more resource records, which hold information associated with the domain
name. The tree sub-divides into zones beginning at the root zone. A DNS zone consists
of a collection of connected nodes authoritatively served by an authoritative name
server. (Note that a single name server can host several zones.)
Administrative responsibility over any zone may be divided, thereby creating additional
zones. Authority is said to be delegated for a portion of the old space, usually in the
form of sub-domains, to another name server and administrative entity. The old zone
ceases to be authoritative for the new zone.
[edit] Parts of a domain name
A domain name usually consists of two or more parts (technically labels), which are
conventionally written separated by dots, such as example.com.
Main article: Name server
See also: resolv.conf
(This description deliberately uses the fictional .example TLD in accordance with the
DNS guidelines.)
Main article: List of DNS record types
The type of the record indicates what the format of the data is, and gives a hint of its
intended use; for instance, the A record is used to translate from a domain name to an
IPv4 address, the NS record lists which name servers can answer lookups on a DNS zone,
and the MX record is used to translate from a name in the right-hand side of an e-mail
address to the name of a machine able to handle mail for that address.
Many more record types exist and can be found in the complete List of DNS record types.
While domain names technically have no restrictions on the characters they use and can
include non-ASCII characters, the same is not true for host names.[8] Host names are the
names most people see and use for things like e-mail and web browsing. Host names are
restricted to a small subset of the ASCII character set known as LDH, the Letters A–Z in
upper and lower case, Digits 0–9, Hyphen, and the dot to separate LDH-labels; see RFC
3696 section 2 for details. This prevented the representation of names and words of many
languages natively. ICANN has approved the Punycode-based IDNA system, which
maps Unicode strings into the valid DNS character set, as a workaround to this issue.
Some registries have adopted IDNA.
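Python's standard library ships an "idna" codec (implementing IDNA 2003) that performs the Punycode-based mapping described above, turning a Unicode name into the LDH subset that DNS accepts:

```python
# Encode a Unicode domain name into the ASCII-compatible form used on
# the wire, and decode it back, with the stdlib's IDNA 2003 codec.

unicode_name = "bücher.example"
ascii_name = unicode_name.encode("idna").decode("ascii")

assert ascii_name == "xn--bcher-kva.example"          # LDH-only labels
assert ascii_name.encode("ascii").decode("idna") == unicode_name
```

Note the `xn--` prefix marking a Punycode-encoded label; registries that "adopt IDNA" accept registrations in this form.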
One class of vulnerabilities is DNS cache poisoning, which tricks a DNS server into
believing it has received authentic information when, in reality, it has not.
DNS responses are traditionally not cryptographically signed, leading to many attack
possibilities; DNSSEC modifies DNS to add support for cryptographically signed
responses. There are various extensions to support securing zone transfer information as
well.
Even with encryption, a DNS server could become compromised by a virus (or for that
matter a disgruntled employee) that would cause IP addresses of that server to be
redirected to a malicious address with a long TTL. This could have a far-reaching impact on
potentially millions of Internet users if busy DNS servers cache the bad IP data. This
would require manual purging of all affected DNS caches as required by the long TTL
(up to 68 years).
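The "up to 68 years" figure follows from the TTL field itself: RFC 1035 makes TTL a 32-bit value, and RFC 2181 limits it to a maximum of 2^31 - 1 seconds. The arithmetic:

```python
# Why a poisoned cache entry could in principle persist for decades:
# the maximum TTL is 2^31 - 1 seconds (RFC 2181).

max_ttl_seconds = 2**31 - 1
seconds_per_year = 365.25 * 24 * 3600

assert int(max_ttl_seconds / seconds_per_year) == 68   # ~68 years
```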
Some domain names can spoof other, similar-looking domain names. For example,
"paypal.com" and "paypa1.com" are different names, yet users may be unable to tell the
difference when the user's typeface (font) does not clearly differentiate the letter l and the
number 1. This problem is much more serious in systems that support internationalized
domain names, since many characters that are different, from the point of view of ISO
10646, appear identical on typical computer screens. This vulnerability is often exploited
in phishing.
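The confusion can be illustrated with a naive "skeleton" comparison, in which visually
similar characters are folded onto a canonical form before comparing names. The
character map below is a tiny illustrative sample, not a complete confusables table:

```python
# Map a few visually confusable characters onto a canonical form.
# This table is a tiny illustrative sample; real checkers use the
# much larger Unicode confusables data.
CONFUSABLES = {"1": "l", "0": "o", "\u0430": "a"}  # digit one, digit zero, Cyrillic a

def skeleton(name: str) -> str:
    # Lowercase, then fold each confusable character to its canonical form.
    return "".join(CONFUSABLES.get(c, c) for c in name.lower())

def looks_alike(a: str, b: str) -> bool:
    # Two distinct names that share a skeleton are potential spoofs.
    return a != b and skeleton(a) == skeleton(b)
```

With this sketch, `looks_alike("paypal.com", "paypa1.com")` is true, matching the
example above.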
Techniques such as Forward Confirmed reverse DNS can also be used to help validate
DNS results.
Registrars usually charge an annual fee for the service of delegating a domain name to a
user and providing a default set of name servers. Often this transaction is termed a sale or
lease of the domain name, and the registrant is called an "owner", but no such legal
relationship is actually associated with the transaction, only the exclusive right to use the
domain name. More correctly, authorized users are known as "registrants" or as "domain
holders".
ICANN publishes a complete list of TLD registries and domain name registrars in the
world. One can obtain information about the registrant of a domain name by looking in
the WHOIS database held by many domain registries.
For most of the more than 240 country code top-level domains (ccTLDs), the domain
registries hold the authoritative WHOIS (Registrant, name servers, expiration dates, etc.).
For instance, DENIC, the German NIC, holds the authoritative WHOIS for a .DE domain
name. Since about 2001, most gTLD registries (.ORG, .BIZ, .INFO) have adopted this
so-called "thick" registry approach, i.e. keeping the authoritative WHOIS in the central
registries instead of the registrars.
For .COM and .NET domain names, a "thin" registry is used: the domain registry (e.g.
VeriSign) holds a basic WHOIS (registrar and name servers, etc.). One can find the
detailed WHOIS (registrant, name servers, expiry dates, etc.) at the registrars.
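WHOIS itself is a simple TCP protocol (RFC 3912): a client connects to port 43 on the
registry's or registrar's server, sends the query terminated by CRLF, and reads until the
server closes the connection. A minimal sketch (the server and domain names in the usage
line are illustrative):

```python
import socket

def whois_request(domain: str) -> bytes:
    # A WHOIS query is simply the query string terminated by CRLF (RFC 3912).
    return domain.encode("ascii") + b"\r\n"

def whois(domain: str, server: str) -> str:
    # Connect to TCP port 43, send the query, and read until the server
    # closes the connection.
    with socket.create_connection((server, 43), timeout=10) as s:
        s.sendall(whois_request(domain))
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

if __name__ == "__main__":
    # Illustrative lookup against a registry WHOIS server.
    print(whois("example.de", "whois.denic.de"))
```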
Some domain name registries, also called Network Information Centres (NIC), also
function as registrars, and deal directly with end users. But most of the main ones, such
as for .COM, .NET, .ORG, .INFO, etc., use a registry-registrar model. There are
hundreds of Domain Name Registrars that actually perform the domain name registration
with the end user (see lists at ICANN or VeriSign). By using this method of distribution,
the registry only has to manage the relationship with the registrar, and the registrar
maintains the relationship with the end users, or 'registrants' -- in some cases through
additional layers of resellers.
In the process of registering a domain name and maintaining authority over the new name
space created, registrars store and use several key pieces of information connected with a
domain:
Despite widespread criticism, VeriSign only reluctantly removed its Site Finder service
after the Internet Corporation for Assigned Names and Numbers (ICANN) threatened to
revoke its contract to administer the root name servers. ICANN published the extensive set of letters
exchanged, committee reports, and ICANN decisions [10].
There is also significant disquiet regarding the United States' political influence over
ICANN. This was a significant issue in the attempt to create a .xxx top-level domain and
sparked greater interest in alternative DNS roots that would be beyond the control of any
single country.[citation needed]
Additionally, there are numerous accusations of domain name "front running", whereby
registrars, when given whois queries, automatically register the domain name for
themselves. Recently, Network Solutions has been accused of this.[11]
[edit] Truth in Domain Names Act
In the United States, the "Truth in Domain Names Act" (actually the "Anticybersquatting
Consumer Protection Act"), in combination with the PROTECT Act, forbids the use of a
misleading domain name with the intention of attracting people into viewing a visual
depiction of sexually explicit conduct on the Internet.
Windows Workgroups, by contrast, is the other model for grouping computers running
Windows in a networking environment which ships with Windows. Workgroup
computers are considered to be 'standalone' - i.e. there is no formal membership or
authentication process formed by the workgroup. A workgroup does not have servers and
clients, and as such, it represents the Peer-to-Peer (or Client-to-Client) networking
paradigm, rather than the centralised architecture constituted by Server-Client.
Workgroups are considered difficult to manage beyond a dozen clients, and lack single
sign-on, scalability, resilience/disaster recovery functionality, and many security features.
Windows Workgroups are more suitable for small or home-office networks.
A domain does not refer to a single location or specific type of network configuration.
The computers in a domain can share physical proximity on a small LAN or they can be
located in different parts of the world. As long as they can communicate, their physical
position is irrelevant.
Computers inside an Active Directory domain can be assigned into organizational units
according to location, organizational structure, or other factors. In the original Windows
Server Domain system (shipped with Windows NT 3.x/4) machines could only be viewed
in two states from the administration tools, 1) computers detected (on the network), and
2) computers that actually belonged to the domain. Active Directory makes it easier for
administrators to manage and deploy network changes and policies (see Group Policy) to
all of the machines connected to the domain.
Computers can connect to a domain easily via LAN, or via WAN using a VPN
connection. Users of a domain are able to use enhanced security for their VPN
connection due to the support for a certification authority which is gained when a domain
is added to a network, and as a result smart cards and digital certificates can be used to
confirm identities and protect stored information.
Router
From Wikipedia, the free encyclopedia
Routers connect two or more logical subnets, which do not necessarily map one-to-one to
the physical interfaces of the router.[1] The term layer 3 switch is often used
interchangeably with router, but switch is really a general term without a rigorous
technical definition. In marketing usage, a layer 3 switch is generally optimized for
Ethernet LAN interfaces and may not have other physical interface types.
• Control Plane, in which the router learns the outgoing interface that is most
appropriate for forwarding specific packets to specific destinations,
• Forwarding Plane, which is responsible for the actual process of sending a packet
received on a logical interface to an outbound logical interface.
A network bridge, operating at the Media Access Control (MAC) sublayer of the data
link layer, may interconnect a small number of devices in a home or office. This is a
trivial case of bridging, in which the bridge learns the MAC address of each connected
device. Single bridges also can provide extremely high performance in specialized
applications such as storage area networks.
The first version of H.323 was published by the ITU in November 1996[1] with an
emphasis on enabling videoconferencing capabilities over a Local Area Network (LAN),
but it was quickly adopted by the industry as a means of transmitting voice
communication over a variety of IP networks, including WANs and the Internet (see
VoIP). Over the years, H.323 has been revised and re-published with enhancements
necessary to better enable both voice and video functionality over packet-switched
networks, with each version being backward-compatible with the previous version.[2]
Recognizing that H.323 was being used for communication not only on LANs, but over
WANs and within large carrier networks, the title of H.323 was changed when it was
published in 1998.[3] The title, which has since remained unchanged, is "Packet-Based
Multimedia Communications Systems." The current version of H.323, commonly
referred to as "H.323v6", was published in 2006.[4]
One strength of H.323 was the relatively early availability of a set of standards, not only
defining the basic call model, but also the supplementary services needed to address
business communication expectations.[citation needed] H.323 was the first VoIP standard to
adopt the Internet Engineering Task Force (IETF) standard Real-time Transport Protocol
(RTP) to transport audio and video over IP networks.[citation needed]
[edit] Protocols
H.323 is a system specification that describes the use of several ITU-T and IETF
protocols. The protocols that comprise the core of almost any H.323 system are:[5]
• H.
• H.
• H.
• Re
• M
• H.
• H.
• H.
• H.
• In
H.323 utilizes both ITU-defined codecs and codecs defined outside the ITU. Codecs that
are widely implemented by H.323 equipment include:
• A
• Te
• Vi
The H.323 system defines several network elements that work together in order to
deliver rich multimedia communication capabilities. Those elements are Terminals,
Multipoint Control Units (MCUs), Gateways, Gatekeepers, and Border Elements.
Collectively, terminals, multipoint control units and gateways are often referred to as
endpoints. While not all elements are required, at least two terminals are required in
order to enable communication between two people. In most H.323 deployments, a
gatekeeper is employed in order to, among other things, facilitate address resolution.
Figure 1 - A complete, sophisticated protocol stack
Terminals in an H.323 network are the most fundamental elements in any H.323 system,
as those are the devices that users would normally encounter. They might exist in the
form
• Passwords and file contents are sent in clear text, which can be intercepted by
eavesdroppers. There are protocol enhancements that remedy this, for instance by
using SSL, TLS or Kerberos.
• Multiple TCP/IP connections are used, one for the control connection, and one for
each download, upload, or directory listing. Firewalls may need additional logic
and/or configuration changes to account for these connections.
• It is hard to filter active mode FTP traffic on the client side by using a firewall,
since the client must open an arbitrary port in order to receive the connection.
This problem is largely resolved by using passive mode FTP.
• It is possible to abuse the protocol's built-in proxy features to tell a server to send
data to an arbitrary port of a third computer; see FXP.
• FTP is a high latency protocol due to the number of commands needed to initiate
a transfer.
• No integrity check on the receiver side. If a transfer is interrupted, the receiver has
no way to know if the received file is complete or not. Some servers support
undocumented extensions to calculate for example a file's MD5 sum (e.g. using
the SITE MD5 command), XCRC, XMD5, XSHA or CRC checksum, however
even then the client has to make explicit use of them. In the absence of such
extensions, integrity checks have to be managed externally.
• No date/timestamp attribute transfer. Uploaded files are given a new current
timestamp, unlike other file transfer protocols such as SFTP, which allow
attributes to be included. There is no way in the standard FTP protocol to set the
time-last-modified (or time-created) datestamp that most modern filesystems
preserve. There is a draft of a proposed extension that adds new commands for
this, but as of yet, most of the popular FTP servers do not support it.
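Where a server does expose one of these nonstandard checksum commands, a client can
verify a download by hashing its local copy and comparing digests. A minimal sketch of
the client-side half (the server-side command and its reply format vary by
implementation):

```python
import hashlib

def file_md5(path: str) -> str:
    # Hash the local copy in chunks; the result is compared against a
    # digest reported by the server (e.g. via SITE MD5 or XMD5).
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()
```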
FTP server return codes indicate their status by the digits within them. A brief
explanation of the various digits' meanings is given below:
• 1xx: Positive Preliminary reply. The action requested is being initiated but there
will be another reply before it begins.
• 2xx: Positive Completion reply. The action requested has been completed. The
client may now issue a new command.
• 3xx: Positive Intermediate reply. The command was successful, but a further
command is required before the server can act upon the request.
• 4xx: Transient Negative Completion reply. The command was not successful, but
the client is free to try the command again as the failure is only temporary.
• 5xx: Permanent Negative Completion reply. The command was not successful
and the client should not attempt to repeat it again.
• x0x: The failure was due to a syntax error.
• x1x: This response is a reply to a request for information.
• x2x: This response is a reply relating to connection information.
• x3x: This response is a reply relating to accounting and authorization.
• x4x: Unspecified as yet
• x5x: These responses indicate the status of the Server file system vis-a-vis the
requested transfer or other file system action.
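The two digits can be decoded mechanically; a minimal sketch, using the categories
listed above:

```python
def describe_ftp_code(code: int) -> str:
    # Decode an FTP reply code (RFC 959) from its first two digits.
    series = {
        1: "Positive Preliminary",
        2: "Positive Completion",
        3: "Positive Intermediate",
        4: "Transient Negative Completion",
        5: "Permanent Negative Completion",
    }
    group = {
        0: "syntax",
        1: "information",
        2: "connections",
        3: "accounting and authorization",
        4: "unspecified",
        5: "file system",
    }
    return f"{series[code // 100]} reply, relating to {group[code // 10 % 10]}"
```

For example, 226 (transfer complete) decodes as a Positive Completion reply relating to
connections, and 553 (name not allowed) as a Permanent Negative Completion reply
relating to the file system.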
As modern FTP clients typically hide the anonymous login process from the user, the ftp
client will supply dummy data as the password (since the user's email address may not be
known to the application). For example, the following ftp user agents specify the listed
passwords for anonymous logins:
The Gopher protocol has been suggested as an alternative to anonymous FTP, as well as
Trivial File Transfer Protocol and File Service Protocol.[citation needed]
1. ASCII mode
2. Binary mode: In "Binary mode", the sending machine sends each file byte for
byte and as such the recipient stores the bytestream as it receives it. (The FTP
standard calls this "IMAGE" or "I" mode)
In "ASCII mode", any form of data that is not plain text will be corrupted. When a file is
sent using an ASCII-type transfer, the individual letters, numbers, and characters are sent
using their ASCII character codes. The receiving machine saves these in a text file in the
appropriate format (for example, a Unix machine saves it in a Unix format, a Windows
machine saves it in a Windows format). Hence an ASCII transfer assumes plain text is
being sent, which the receiving computer stores in its own native format.
Translating between text formats might entail substituting the end of line and end of file
characters used on the source platform with those on the destination platform, e.g. a
Windows machine receiving a file from a Unix machine will replace the line feeds with
carriage return-line feed pairs. It might also involve translating characters; for example,
when transferring from an IBM mainframe to a system using ASCII, EBCDIC characters
used on the mainframe will be translated to their ASCII equivalents, and when
transferring from the system using ASCII to the mainframe, ASCII characters will be
translated to their EBCDIC equivalents.
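The line-ending substitution described above is mechanical; a minimal sketch of the
Unix-to-Windows direction:

```python
def unix_to_windows(data: bytes) -> bytes:
    # Normalize any existing CRLF pairs to bare LF first so the conversion
    # is idempotent, then expand each LF into the CRLF pair that Windows
    # text files use.
    return data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
```

Running already-converted data through the function again leaves it unchanged, which
is why the normalization step comes first.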
By default, most FTP clients use ASCII mode. Some clients try to determine the required
transfer-mode by inspecting the file's name or contents, or by determining whether the
server is running an operating system with the same text file format.
1. EBCDIC mode - this transfers bytes, except they are encoded in EBCDIC rather
than ASCII. Thus, for example, the ASCII mode server
2. Local mode - this is designed for use with systems that are word-oriented rather
than byte-oriented. For example mode "L 36" can be used to transfer binary data
between two 36-bit machines. In L mode, the words are packed into bytes rather
than being padded. Given the predominance of byte-oriented hardware nowadays,
this mode is rarely used. However, some FTP servers accept "L 8" as being
equivalent to "I".
In practice, these additional transfer modes are rarely used. They are however still used
by some legacy mainframe systems.
The text (ASCII/EBCDIC) modes can also be qualified with the type of carriage control
used (e.g. TELNET NVT carriage control, ASA carriage control), although that is rarely
used nowadays.
Note that the terminology "mode" is technically incorrect, although commonly used by
FTP clients. "MODE" in RFC 959 refers to the format of the protocol data stream
(STREAM, BLOCK or COMPRESSED), as opposed to the format of the underlying file.
What is commonly called "mode" is actually the "TYPE", which specifies the format of
the file rather than the data stream. FTP also supports specification of the file structure
("STRU"), which can be either FILE (stream-oriented files), RECORD (record-oriented
files) or PAGE (special type designed for use with TENEX). PAGE STRU is not really
useful for non-TENEX systems, and RFC1123 section 4.1.2.3 recommends that it not be
implemented.
For example: A client with an IP of 192.168.0.1, starting an active mode transfer on port
1025, will send the string "PORT 192,168,0,1,4,1". A NAT device masquerading this
client with an IP of 192.168.15.5, with a chosen port of 2000 for the data connection, will
need to replace the above string with "PORT 192,168,15,5,7,208".
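The PORT argument encoding can be sketched directly; the helper below reproduces the
two strings from the example above:

```python
def port_argument(ip: str, port: int) -> str:
    # RFC 959 PORT argument: the four address octets followed by the port
    # split into its high and low bytes, all comma-separated.
    hi, lo = divmod(port, 256)
    return ",".join(ip.split(".") + [str(hi), str(lo)])
```

`port_argument("192.168.0.1", 1025)` yields `"192,168,0,1,4,1"`, and
`port_argument("192.168.15.5", 2000)` yields `"192,168,15,5,7,208"`, matching the
rewrite the NAT device must perform.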
The new string is 23 characters long, compared to 20 characters in the original packet.
The Acknowledgment field by the server to this packet will need to be decreased by 3
bytes by the NAT device for the client to correctly understand that the PORT command
has arrived to the server. If the NAT device is not capable of correcting the Sequence and
Acknowledgement fields, it will not be possible to use active mode FTP. Passive mode
FTP will work in this case, because the information about the IP and port for the data
connection is sent by the server, which doesn't need to be NATed. If NAT is performed
on the server by the NAT device, then the exact opposite will happen. Active mode will
work, but passive mode will fail.
Many NAT devices perform this protocol inspection and modify the PORT command
without being explicitly told to do so by the user. This can lead to several problems.
First, there is no guarantee that the protocol in use really is FTP, or it might use some
extension not understood by the NAT device. One example is an SSL-secured FTP
connection: because of the encryption, the NAT device cannot modify the address. As a
result, active mode transfers will fail only if encryption is used, much to the confusion
of the user.
The proper way to solve this is to tell the client which IP address and ports to use for
active mode. Furthermore, the NAT device has to be configured to forward the selected
range of ports to the client's machine.
Because FTP uses multiple TCP connections (unusual for a TCP/IP protocol that is still
in use), it is particularly difficult to tunnel over SSH. With many SSH clients, attempting
to set up a tunnel for the control channel (the initial client-to-server connection on port
21) will protect only that channel; when data is transferred, the FTP software at either end
will set up new TCP connections (data channels) which will bypass the SSH connection,
and thus have no confidentiality, integrity protection, etc.
If the FTP client is configured to use passive mode and to connect to a SOCKS server
interface that many SSH clients can present for tunneling, it is possible to run all the FTP
channels over the SSH connection.
Otherwise, it is necessary for the SSH client software to have specific knowledge of the
FTP protocol, and monitor and rewrite FTP control channel messages and autonomously
open new forwardings for FTP data channels. Version 3 of SSH Communications
Security's software suite, and the GPL licensed FONC are two software packages that
support this mode.
FTP over SSH is sometimes referred to as secure FTP; this should not be confused with
other methods of securing FTP, such as with SSL/TLS (FTPS). Other methods of
transferring files using SSH that are not related to FTP include SFTP and SCP; in each of
these, the entire conversation (credentials and data) is always protected by the SSH
protocol.
Control Plane processing leads to the construction of what is variously called a routing
table or routing information base (RIB). The RIB may be used by the Forwarding Plane
to look up the outbound interface for a given packet, or, depending on the router
implementation, the Control Plane may populate a separate Forwarding Information Base
(FIB) with destination information. RIBs are optimized for efficient updating with control
mechanisms such as routing protocols, while FIBs are optimized for the fastest possible
lookup of the information needed to select the outbound interface.
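A FIB lookup is essentially a longest-prefix match. A toy sketch in Python follows; the
routes and interface names are illustrative, and real routers use trie- or TCAM-based
structures rather than a linear scan:

```python
import ipaddress

# Toy FIB mapping prefixes to outbound interfaces. These entries are
# illustrative examples, not drawn from any real routing table.
FIB = {
    ipaddress.ip_network("10.0.0.0/8"): "eth0",
    ipaddress.ip_network("10.1.0.0/16"): "eth1",
    ipaddress.ip_network("0.0.0.0/0"): "eth2",  # default route
}

def lookup(destination: str) -> str:
    # Longest-prefix match: among all routes containing the address,
    # the most specific (longest) prefix wins.
    addr = ipaddress.ip_address(destination)
    matches = [net for net in FIB if addr in net]
    return FIB[max(matches, key=lambda net: net.prefixlen)]
```

Here a packet for 10.1.2.3 leaves via eth1 (the /16 beats the /8), while one for 8.8.8.8
falls through to the default route.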
The Control Plane constructs the routing table from knowledge of the up/down status of
its local interfaces, from hard-coded static routes, and from exchanging routing protocol
information with other routers. It is not compulsory for a router to use routing protocols
to function, if for example it was configured solely with static routes. The routing table
stores the best routes to certain network destinations, the "routing metrics" associated
with those routes, and the path to the next hop router.
Routers do maintain state on the routes in the RIB/routing table, but this is quite distinct
from not maintaining state on individual packets that have been forwarded.
For the pure Internet Protocol (IP) forwarding function, router design tries to minimize
the state information kept on individual packets. Once a packet is forwarded, the router
should no longer retain statistical information about it. It is the sending and receiving
endpoints that keep information about such things as errored or missing packets.
Forwarding decisions can involve decisions at layers other than the IP internetwork layer
or OSI layer 3. Again, the marketing term switch can be applied to devices that have
these capabilities. A function that forwards based on data link layer, or OSI layer 2,
information, is properly called a bridge. Marketing literature may call it a layer 2 switch,
but a switch has no precise definition.
Among the most important forwarding decisions is deciding what to do when congestion
occurs, i.e., packets arrive at the router at a rate higher than the router can process. Three
policies commonly used in the Internet are Tail drop, Random early detection, and
Weighted random early detection. Tail drop is the simplest and most easily implemented;
the router simply drops packets once the length of the queue exceeds the size of the
buffers in the router. Random early detection (RED) probabilistically drops datagrams
early when the queue exceeds a configured size. Weighted random early detection
requires a weighted average queue size to exceed the configured size, so that short bursts
will not trigger random drops.
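The drop policies above can be contrasted in a few lines; the thresholds and maximum
drop probability below are illustrative parameters, not standardized values:

```python
import random

def tail_drop(queue_len: int, buffer_size: int) -> bool:
    # Tail drop: discard only once the queue has filled the buffers.
    return queue_len >= buffer_size

def red_drop(avg_queue: float, min_th: float, max_th: float,
             max_p: float = 0.1) -> bool:
    # Random Early Detection: below min_th never drop, at or above max_th
    # always drop, and in between drop with a probability that rises
    # linearly toward max_p.
    if avg_queue < min_th:
        return False
    if avg_queue >= max_th:
        return True
    return random.random() < max_p * (avg_queue - min_th) / (max_th - min_th)
```

Weighted RED applies the same curve to a weighted moving average of the queue size,
which is why short bursts do not trigger drops.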
[edit] Types of routers
Routers may provide connectivity inside enterprises, between enterprises and the Internet,
and inside Internet Service Providers (ISP). The largest routers (for example the Cisco
CRS-1 or Juniper T1600) interconnect ISPs, are used inside ISPs, or may be used in very
large enterprise networks. The smallest routers provide connectivity for small and home
offices.
Routers intended for ISP and major enterprise connectivity will almost invariably
exchange routing information with the Border Gateway Protocol. RFC 4098[3] defines
several types of BGP-speaking routers:
• Provider Edge Router: Placed at the edge of an ISP network, it speaks external
BGP (eBGP) to a BGP speaker in another provider or large enterprise
Autonomous System (AS).
• Subscriber Edge Router: Located at the edge of the subscriber's network, it speaks
eBGP to its provider's AS(s). It belongs to an end user (enterprise) organization.
• Inter-provider Border Router: Interconnecting ISPs, this is a BGP speaking router
that maintains BGP sessions with other BGP speaking routers in other providers'
ASes.
• Core router: A router that resides within the middle or backbone of the LAN
network rather than at its periphery.
• Within an ISP: Internal to the provider's AS, such a router speaks internal
BGP (iBGP) to that provider's edge routers, other intra-provider core routers, or
the provider's inter-provider border routers.
• "Internet backbone:" The Internet does not have a clearly identifiable
backbone, as did its predecessors. See default-free zone (DFZ). Nevertheless, it is
the major ISPs' routers that make up what many would consider the core. These
ISPs operate all four types of the BGP-speaking routers described here. In ISP
usage, a "core" router is internal to an ISP, and used to interconnect its edge and
border routers. Core routers may also have specialized functions in virtual private
networks based on a combination of BGP and Multi-Protocol Label Switching
(MPLS)[4].
[edit] Small Office Home Office (SOHO) connectivity
Residential gateways (often called routers) are frequently used in homes to connect to a
broadband service, such as IP over cable or DSL. A home router may allow connectivity
to an enterprise via a secure Virtual Private Network.
While functionally similar to routers, residential gateways use port address translation in
addition to routing. Instead of connecting local computers to the remote network directly,
a residential gateway makes multiple local computers appear to be a single computer.
[edit] Enterprise Routers
All sizes of routers may be found inside enterprises. The most powerful routers tend to be
found in ISPs but academic and research facilities, as well as large businesses, may also
need large routers.
A three-layer model is in common use, not all of which need be present in smaller
networks [5].
[edit] Access
Access routers, including SOHO routers, are located at customer sites such as branch
offices that do not need hierarchical routing of their own. Typically, they are optimized
for low cost.
[edit] Distribution
Distribution routers aggregate traffic from multiple access routers, either at the same site,
or to collect the data streams from multiple sites to a major enterprise location.
Distribution routers often are responsible for enforcing quality of service across a WAN,
so they may have considerable memory, multiple WAN interfaces, and substantial
processing intelligence.
They may also provide connectivity to groups of servers or to external networks. In the
latter application, the router's functionality must be carefully considered as part of the
overall security architecture. Separate from the router may be a Firewall or VPN
concentrator, or the router may include these and other security functions.
When an enterprise is primarily on one campus, there may not be a distinct distribution
tier, other than perhaps off-campus access. In such cases, the access routers, connected to
LANs, interconnect via core routers.
[edit] Core
When an enterprise is widely distributed with no central location(s), the function of core
routing may be subsumed by the WAN service to which the enterprise subscribes, and the
distribution routers become the highest tier.
[edit] History
Leonard Kleinrock and the first IMP. Taken from
http://www.lk.cs.ucla.edu/personal_history.html
The very first device that had fundamentally the same functionality as a router does
today, i.e. a packet switch, was the Interface Message Processor (IMP); IMPs were the
devices that made up the ARPANET, the first packet switching network. The idea for a
router (although they were called "gateways" at the time) initially came about through an
international group of computer networking researchers called the International Network
Working Group (INWG). Set up in 1972 as an informal group to consider the technical
issues involved in connecting different networks, later that year it became a
subcommittee of the International Federation for Information Processing. [6]
These devices were different from most previous packet switches in two ways. First, they
connected dissimilar kinds of networks, such as serial lines and local area networks.
Second, they were connectionless devices, which had no role in assuring that traffic was
delivered reliably, leaving that entirely to the hosts (although this particular idea had been
previously pioneered in the CYCLADES network).
The idea was explored in more detail, with the intention to produce a real prototype
system, as part of two contemporaneous programs. One was the initial DARPA-initiated program,
which created the TCP/IP architecture of today. [7] The other was a program at Xerox
PARC to explore new networking technologies, which produced the PARC Universal
Packet system, although due to corporate intellectual property concerns it received little
attention outside Xerox until years later. [8]
The earliest Xerox routers came into operation sometime after early 1974. The first true
IP router was developed by Virginia Strazisar at BBN, as part of that DARPA-initiated
effort, during 1975-1976. By the end of 1976, three PDP-11-based routers were in service
in the experimental prototype Internet. [9]
The first multiprotocol routers were independently created by staff researchers at MIT
and Stanford in 1981; the Stanford router was done by William Yeager, and the MIT one
by Noel Chiappa; both were also based on PDP-11s. [10] [11] [12] [13]
As virtually all networking now uses IP at the network layer, multiprotocol routers are
largely obsolete, although they were important in the early stages of the growth of
computer networking, when several protocols other than TCP/IP were in widespread use.
Routers that handle both IPv4 and IPv6 arguably are multiprotocol, but in a far less
variable sense than a router that processed AppleTalk, DECnet, IP, and Xerox protocols.
In the original era of routing (from the mid-1970s through the 1980s), general-purpose
mini-computers served as routers. Although general-purpose computers can perform
routing, modern high-speed routers are highly specialized computers, generally with extra
hardware added to accelerate both common routing functions such as packet forwarding
and specialised functions such as IPsec encryption.
Still, there is substantial use of Linux and Unix machines, running open source routing
code, for routing research and selected other applications. While Cisco's operating system
was independently designed, other major router operating systems, such as those from
Juniper Networks and Extreme Networks, are extensively modified but still have Unix
ancestry.
The term commonly refers to a Network bridge that processes and routes data at the Data
link layer (layer 2) of the OSI model. Switches that additionally process data at the
Network layer (layer 3) (and above) are often referred to as Layer 3 switches or
Multilayer switches.
The term Network switch does not generally encompass unintelligent or passive network
devices such as hubs and repeaters.
Function
As with hubs, Ethernet implementations of network switches support ports conforming
to the 10/100 Mbit/s or 10/100/1000 Mbit/s Ethernet standards. Large switches may have
10 Gbit/s ports. Switches differ from hubs in that they can have ports of different speeds.
The network switch, packet switch (or just switch) plays an integral part in most
Ethernet local area networks or LANs. Mid-to-large sized LANs contain a number of
linked managed switches. Small office, home office (SOHO) applications typically use a
single switch, or an all-purpose converged device such as gateway access to small
office/home office broadband services such as DSL router or cable, Wi-Fi router. In most
of these cases, the end user device contains a router and components that interface to the
particular physical broadband technology, as in the Linksys 8-port and 48-port devices.
User devices may also include a telephone interface to VoIP.
In simple terms, a standard 10/100 Ethernet switch operates at the data-link layer of the
OSI model to create a separate collision domain for each switch port. If four computers
(A, B, C, and D) are connected to four switch ports, then A and B can transfer data
between themselves at the same time as C and D, and the two conversations will never
interfere with each other. With a hub, by contrast, all four computers would have to share
the bandwidth, run in half-duplex, and suffer collisions and retransmissions. Using a
switch in this way is called micro-segmentation: it gives each computer a dedicated,
point-to-point connection to the switch, which can therefore run in full duplex with no
collisions.
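The per-port forwarding behavior described above can be sketched as a small simulation. This is a hypothetical illustrative model, not any vendor's implementation: the switch learns which port each source MAC address arrived on, forwards later frames for a known MAC out only that port, and floods frames with unknown destinations.

```python
class Layer2Switch:
    """Minimal sketch of layer-2 MAC learning and forwarding."""

    def __init__(self, num_ports):
        self.num_ports = num_ports
        self.mac_table = {}  # MAC address -> port number

    def receive(self, ingress_port, src_mac, dst_mac):
        # Learn: remember which port the source MAC lives on.
        self.mac_table[src_mac] = ingress_port
        # Forward: a known destination goes out one port only, which is
        # why other port pairs can transfer data at the same time.
        if dst_mac in self.mac_table:
            return [self.mac_table[dst_mac]]
        # Unknown destination: flood out every port except the ingress.
        return [p for p in range(self.num_ports) if p != ingress_port]

switch = Layer2Switch(num_ports=4)
switch.receive(0, "mac-A", "mac-B")         # unknown dst: flooded to ports 1, 2, 3
switch.receive(1, "mac-B", "mac-A")         # B is learned; delivered to port 0 only
print(switch.receive(0, "mac-A", "mac-B"))  # [1] -- B is now known
```

Once both MACs are learned, traffic between A and B occupies only ports 0 and 1, leaving the other ports free for simultaneous conversations.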
In switches intended for commercial use, built-in or modular interfaces make it possible
to connect different types of networks, for example Ethernet, Fibre Channel, ATM, and
802.11. This connectivity can be at any of the layers mentioned. While Layer 2
functionality is adequate for speed-shifting within one technology, interconnecting
technologies such as Ethernet and token ring are easier at Layer 3.
In some service provider and other environments where there is a need for much analysis
of network performance and security, switches may be connected between WAN routers
as places for analytic modules. Some vendors provide firewall,[2][3] network intrusion
detection,[4] and performance analysis modules that can plug into switch ports. Some of
these functions may be on combined modules.[5]
In other cases, the switch is used to create a "mirror" image of data that can go to an
external device. Since most switch port mirroring provides only one mirrored stream,
network hubs can be useful for fanning out data to several read-only analyzers, such as
intrusion detection systems and packet sniffers.
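Port mirroring can be illustrated with a minimal sketch (the function name and model are hypothetical, for illustration only): in addition to its normal egress ports, every frame is copied to a designated mirror port where an analyzer such as an intrusion detection system can observe it.

```python
def forward_with_mirror(egress_ports, mirror_port):
    """Return the full list of ports a frame is sent out of,
    including a copy to the mirror port for the attached analyzer."""
    ports = list(egress_ports)
    if mirror_port not in ports:
        ports.append(mirror_port)  # extra copy of the frame
    return ports

# A frame destined for port 2 also appears on mirror port 7:
print(forward_with_mirror([2], mirror_port=7))  # [2, 7]
```

Because all mirrored traffic emerges as a single stream on one port, fanning it out to several read-only analyzers is where a hub can still be useful.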
Figure: A modular network switch with three network modules (a total of 24 Ethernet and
14 Fast Ethernet ports) and one power supply.
While switches may learn about topologies at many layers, and forward at one or more
layers, they tend to have common features. Other than in very high-performance
computer-room applications, modern commercial switches primarily use Ethernet interfaces,
which can have different input and output speeds of 10, 100, 1000 or 10,000 megabits per
second. Switch ports almost always default to full-duplex operation, unless there is a
requirement for interoperability with devices that are strictly half duplex. Half-duplex
means that the device can only send or receive at any given time, whereas full-duplex can
send and receive at the same time.
At any layer, a modern switch may implement power over Ethernet (PoE), which avoids
the need for attached devices, such as an IP telephone or wireless access point, to have a
separate power supply. Since switches can have redundant power circuits connected to
uninterruptible power supplies, the connected device can continue operating even when
regular office power fails.
A network hub, or repeater, is a fairly unsophisticated broadcast device, and is rapidly
becoming obsolete. Hubs do not manage any of the traffic that comes through them. Any
packet entering a port is broadcast out, or "repeated", on every other port except the port
of entry. Since every packet is repeated on every other port, packet collisions result,
which slow down the network.
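The hub's repeat-everything behavior contrasts directly with the switch's selective forwarding, and can be sketched as (a hypothetical model for illustration):

```python
def hub_repeat(ingress_port, num_ports):
    """A hub repeats an incoming frame out of every port except the
    one it arrived on, regardless of the frame's destination."""
    return [p for p in range(num_ports) if p != ingress_port]

# Every frame reaches every other device, so all ports share
# one collision domain:
print(hub_repeat(0, num_ports=4))  # [1, 2, 3]
```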
Hubs have become hard to find, due to the widespread use of switches.
There are specialized applications where a hub can be useful, such as copying traffic to
multiple network sensors. High end switches have a feature which does the same thing
called port mirroring. There is no longer any significant price difference between a hub
and a low-end switch.
Layer 2