rfc3386.Network Hierarchy and Multilayer Survivability

White PaperArchitecture for Mobile Data Offload over Wi-Fi Access NetworksIntroductionMobile network traffic is growing exponentially, and service providers must manage their networks efficiently to meet consumer demand. The technology evolution of radio access networks is limited by the laws of physics, and significant growth in radio frequency (RF) efficiency can no longer be expected. Long-Term Evolution (LTE) radio access is reaching the limits of Shannon’s law, the spectrum available for mobile data applications is limited, and the only solution for increasing overall mobile network capacity is to increase the carrier-to-interference ratio while decreasing cell size and deploying small cell technologies. The most efficient way to use small cells is to position them in locations where significant amounts of data are generated (shopping malls, stadiums, university campuses, public transportation hubs, etc.) and where subscribers spend most of their time and therefore consume significant amounts of data (homes, offices, etc.). Wi-Fi, one of the small cell technologies, appeals to many operators as a cost-effective mean of offloading large amounts of mobile data traffic while delivering a variety of new services. It offers these features:● ● ● ●Widespread existing deployments Availability of user devices that support the technology Cost efficiency Capability to address new users and devices without mobile subscription (without a subscriber identity module [SIM])● ●Globally available spectrum capacity Standards availability for integration into mobile core networksThis document explores technical aspects of Wi-Fi offload architecture and its capabilities and integration into existing mobile networks to provide a viable and efficient way to offload subscriber traffic.Overview of Wi-Fi Offload ArchitectureThe Third-Generation Partnership Project (3GPP) standard differentiates two types of Wi-Fi access (also referred to as non-3GPP IP access):●Untrusted: Introduced in the early stages of the Wi-Fi specification in 3GPP Release 6 (2005), untrusted access includes any type of Wi-Fi access that either is not under control of the operator (public open hotspot, subscriber’s home WLAN, etc.) or that does not provide sufficient security (authentication, encryption, etc.).●Trusted: Trusted access generally refers to operator-built Wi-Fi access with over-the-air encryption and a secure authentication method. Trusted non-3GPP IP access was introduced only with the LTE standard in 3GPP Release 8 (2008). Although most of today’s offload designs are build on the trusted model, 3GPP does not currently offer guidance for integration with the 3G or 2G packet core. However, as discussed in this document, this type of access is natively integrated into LTE’s evolved packet core (EPC).© 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.Page 1 of 23Because most of today’s mobile networks are 3G based, a significant part of this document describes the possible methods of integrated trusted non-3GPP IP access into the 3G mobile packet core (MPC) together with its associated policy and charging control (PCC) architecture. Although the term “trusted non-3GPP IP access” is defined for EPC only, this document extends its definition in 3G contexts to describe Wi-Fi networks controlled by mobile operators. 3GPP 24.302 has the following definition: “For a trusted non-3GPP IP access network, the communication between the user equipment and the EPC is secure.” Thus, with the latest service provider Wi-Fi architectures encompassing Extensible Authentication Protocol (EAP) and IEEE 802.1X-based authentication, and with IEEE 802.11i-based RF encryption and optional use of control and provisioning of wireless access points and Datagram Transport Layer Security (DTLS) for secured user and control planes, all the elements exist for service provider Wi-Fi to be considered as trusted non-3GPP. After the 3G designs, this document describes the evolution of the architectures toward EPC integration as specified in 3GPP standards. Session mobility and, more generally, IP address persistence when moving between 3G, LTE, and Wi-Fi are also covered. The document also discusses the integration models for untrusted networks, although these are less commonly deployed in mobile networks. In the 3GPP specification, the Wi-Fi network is referred to as the Wi-Fi access network only. No details about the Wi-Fi network structure are specified. This document, however, separates the network into the access and gateway components. The Wi-Fi network infrastructure for mobile data offload consists of three parts:● ●Wi-Fi radio access network (Wi-Fi RAN) Wi-Fi access gateway (WAG) and Wi-Fi back-end systems (this document expands the definition from 3GPP TS 23.234 to refer also to non-3GPP WAG)●Packet core integration elements (multiple options)© 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.Page 2 of 23Figure 1 illustrates the architecture. It includes integration elements for 3G as well as LTE to show a summary of all designs built throughout this document.Figure 1. Wi-Fi Network ArchitectureIf the Wi-Fi network is used for mobile data offload, which is the topic of this document, it needs to take care of these tasks:● ●Authentication: To help ensure that only authorized subscribers can access the network PCC: For proper billing, quality of service (QoS), and policy enforcement for the traffic generated through Wi-Fi access, ideally compliant with 3GPP PCC●IP persistence: For service mobility between different access networks (3G to Wi-Fi, Wi-Fi to 3G, or across the Wi-Fi network)The following sections examine the details of each of these functions.AuthenticationTo control subscriber access to Wi-Fi networks, multiple authentication methods can be used. The choice of method is crucial to the usability of the network. The more transparent the authentication method is for the subscriber, the greater the likelihood that the subscriber will connect to the network. The authentication method also determines the subscriber and device types that can be addressed in a particular network (subscribers with or without SIM cards, the operator’s subscribers, visiting subscribers, etc.). In a typical modern Wi-Fi network, two types of authentication are available to address all possible subscribers and at the same time provide convenient access to the network for frequent Wi-Fi users. The first method, portalbased authentication, targets customers without a permanent contract with the operator (vouchers, time-limited© 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.Page 3 of 23access, SMS payments, etc.). Alternatively, EAP authentication provides transparent and easy access for the operator’s own subscribers with SIM cards or certificates.Portal-Based AuthenticationPortal-based authentication depends on Layer 3 connectivity to the network and HTTP communication before granting access to the subscriber. The Wireless Internet Service Provider Roaming (WISPr) standard also uses HTTP communication with the portal for automatic authentication, with the user device launching HTTP communication in the background without user intervention (Figure 2).Figure 2. Portal-Based Authentication ArchitectureThis method relies on the WAG in the Wi-Fi network, which blocks all IP communication for unknown (new) subscribers and redirects HTTP connections to a captive portal. The captive portal is responsible for requesting user credentials from the subscriber and triggering authentication, authorization, and accounting (AAA) to authenticate the subscriber. After successful login, the WAG will typically be signaled by the AAA server. From this moment, the subscriber is known in the AAA cache, and WAG allows the subscriber to send and receive data. Usually, the user’s IEEE 802.11 MAC address is also cached in the AAA server, together with the user data and granted service. If the subscriber leaves the Wi-Fi coverage area and then returns, the subscriber’s device will be recognized by the WAG based on the MAC address and automatically authenticated against the cached AAA record, so the subscriber is not repeatedly redirected to the portal after losing Wi-Fi coverage. This method of MAC address caching is also referred to as transparent automatic logon (TAL).© 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.Page 4 of 23A typical TAL attachment call flow is shown in Figure 3 for the case of a Layer 2 attached WAG.Figure 3. Typical Transparent Automatic Logon Call FlowEAP-Based AuthenticationEAP-based authentication uses EAP and IEEE 802.1x to provide Layer 2 authentication for subscribers accessing the network with EAP-capable devices. For actual authentication, multiple credentials can be used, depending on the capability of the device. Devices with SIM cards encapsulate the SIM application information exchange into the EAP message, and these are proxied by the AAA server to the home-location register (HLR) for authentication. EAP-SIM (RFC 4186) or EAP-Authentication and Key Agreement (EAP-AKA; RFC 4187) standards are used for the encapsulation, depending on the type of SIM card used and the HLR capabilities. Obviously, this method requires interconnection between the AAA server and the HLR or home-subscriber server (HSS). The architecture is shown in Figure 4.© 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.Page 5 of 23Figure 4.EAP-Based Authentication ArchitectureFor subscribers with non-SIM devices, the operator can distribute certificates for EAP-Transport Layer Security (EAP-TLS) or similar versions of EAP authentication. The typical call flow of EAP authentication (with HLR integration) is shown in Figure 5.Figure 5. Typical EAP Authentication Call Flow© 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.Page 6 of 23Note that EAP-based authentication offers a radio security advantage. Because the authentication is handled at Layer 2, EAP messages can be used to negotiate encryption keys for the IEEE 802.11i-based encryption of the radio interface. This approach provides much stronger security for radio communication compared to the unencrypted radio interface of portal-based authentication and is uniquely able to prevent simple MAC address spoofing attacks.Next Generation HotspotIn 2010, Cisco and industry leaders formed the Next Generation Hotspot Task Group in the Wireless Broadband Alliance (WBA). The goal was to rally the industry around a common set of Wi-Fi Alliance (WFA) standards called Hotspot 2.0 that would bring a 3G-like end-user experience to Wi-Fi authentication and roaming. The outcome of the Next Generation Hotspot Task Group is a set of operator guidelines and the Wi-Fi Certified Passpoint interoperability for operators and equipment vendors. The Cisco SP Wi-Fi solution features Next Generation Hotspot, enabling service providers to better manage and monetize their carrier-grade Wi-Fi networks. There are three main building blocks of the next-generation hotspot: IEEE 802.11u, Wi-Fi Protected Access 2 (WPA 2) Enterprise, and EAP-based authentication. For a detailed description of the initiative, see The Future of Hotspots: Making Wi-Fi as Secure and Easy to Use as Cellular.® ™program expected in 2012 from the Wi-Fi Alliance. The certification will help ensure authentication and roamingAuthentication SummaryBecause of the complementary functions of both authentication methods, mobile operators deploying Wi-Fi access networks usually implement both EAP and IEEE 802.1X authentication and portal-based authentication in their networks. Portal-based authentication is used to attract subscribers visiting the network who don’t yet have a relation to the operator. It allows typical public Wi-Fi use cases such as credit card payments, vouchers, and SMS passwords. In general, it enables generation of new revenue from Wi-Fi networks. EAP-based authentication targets primarily devices with the operator’s SIM card. It allows transparent authentication and secure communication without much interaction from the subscriber (only initial configuration of the service set ID (SSID) is needed when a device detects the Wi-Fi network for the first time). In real-life deployments, the introduction of EAP-SIM or EAP-AKA authentication leads to significantly better utilization of the network by subscribers and therefore enables much greater savings from offloading. With the introduction of Wi-Fi Certified Passpoint devices, operators will be able to simplify Wi-Fi network access even more. IEEE 802.11u devices do not need any intervention from the subscriber to connect to the Wi-Fi network (unlike traditional devices, which require SSID selection). Roaming agreements based on the Next Generation Hotspot recommendation (WLAN Roaming Inter-Exchange [WRIX]) enable user equipment with IEEE 802.11u support to choose the right SSID automatically, even in visited networks.Policy and Charging ControlAn important concern of mobile operators is the availability of similar or identical policy enforcement and charging rules for the subscriber, regardless of the RAN being used. Therefore, the design of PCC integration is a crucial part of Wi-Fi offload.© 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.Page 7 of 23Experience from live deployments shows that the most efficient approach to PCC integration is the reuse of the elements deployed for the 3GPP services. The actual integration option will depend on the PCC infrastructure implemented in the particular mobile operator network. If the operator uses a device with the standalone policy and charging enforcement function (PCEF), the WAG will be integrated as an additional gateway served by the PCEF. If the PCEF is integrated into the gateway General Packet Radio Service (GPRS) support node (GGSN), the WAG may emulate a serving GPRS support node (SGSN) and switch the Wi-Fi sessions to a GPRS Tunneling Protocol (GTP) tunnel to the traditional GGSN. The following sections discuss the details of these two options. Note that this document describes trusted non-3GPP access integration into 2G and 3G PCC. The 3GPP standard offers no guidance for this integration. Later this document explores standardized architecture for LTE integration and untrusted non-3GPP IP access integration.Standalone PCEFIn the standalone PCEF scenario, the WAG is set up to send user data traffic to the PCEF for PCC integration. At the same time, traffic that does not need policy control (traffic from visiting customers, wholesale traffic, onetime voucher users, etc.) is allowed to go directly to the Internet (Figure 6).Figure 6. Standalone PCEF ArchitectureBecause the PCEF needs to be able to correlate the user identity with the data flows passing the PCEF, a mechanism is needed that can synchronize the user identity with the IP address of the subscriber (so that individual data packets can be associated with the user data plan and processed accordingly). Commonly, the RADIUS proxy function on the PCEF is used to create user session information based on the attributes included in the accounting messages coming from the access gateway for a particular user. Figure 7 shows the typical call flow.© 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.Page 8 of 23Figure 7.Typical PCEF Authentication Call FlowIf this model is deployed, the operator needs to help ensure that all mandatory information needed by the PCEF is included in the RADIUS messages from the access gateway or proxied through AAA, where the necessary attributes are added to the message. In addition to the IP address of the subscriber session, information about the international mobile subscriber identity (IMSI), the mobile station international subscriber directory number (MSISDN), and the associated access point name (APN) is usually required.GTP to Traditional GGSNIf the PCEF is an integral part of the GGSN, the option of forcing Wi-Fi sessions into a GTP tunnel (packet data protocol [PDP] context) may provide the best solution for PCC integration. The traffic that does not belong to the mobile subscribers of the operator, and which therefore cannot be processed on the GGSN, is forwarded directly to the Internet (Figure 8).© 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.Page 9 of 23Figure 8.GTP-to-Traditional GGSN ArchitectureClearly, GTP support is required on the WAG for this deployment model. Also important to consider is the availability of the required attributes in the PDP context request, which are mandatory in the operator’s PCC system. Again, these attributes commonly include the IMSI, MSISDN, QoS profile, and APN. The call flow for this deployment model is shown in Figure 9.Figure 9. GTP-to-Traditional GGSN Call Flow© 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.Page 10 of 23Note that even though all sessions (3G and Wi-Fi) are anchored on the GGSN, this solution does not provide transparent handover of the IP sessions between the Wi-Fi and 3G radio networks. This limitation exists because the Wi-Fi and 3G PDP contexts are individual sessions, and the user device can open them simultaneously. Unfortunately, the 3GPP standard does not provide a mechanism to help ensure that the same GGSN is chosen for both of these PDP contexts, and therefore anchoring of the sessions on the same device cannot be achieved.PCC Integration ConsiderationsWhen performing PCC integration, note the following:●The options listed are valid and needed for 3G. As discussed later, LTE provides native integration into theEPC and therefore into the PCC●The critical element is the capability of the WAG to provide all necessary information for charging(specifically, some of these attributes are not part of EAP authentication and need to be retrievedseparately, if needed: for example, the MSISDN, the QoS profile, and optionally, the 3GPP chargingcharacteristics)●Usually, the PCEF does not handle traffic from users who are not mobile customers of the operator(non-SIM subscribers). This traffic is sent directly to the Internet. If these particular sessions need policy or charging functions, these are usually handled by the WAG and Wi-Fi back-end systems directlyLTEBefore describing the third function of the Wi-Fi offload architecture, session handover, this document examines the integration of PCC in an LTE scenario. This examination will help you later understand user session mobility and anchoring.3GPP TS 23.402 describes native integration of trusted and untrusted non-3GPP IP access networks into the EPC. The standard accepts that the Wi-Fi network is as valid an access network as any other 3GPP radio access network. This acceptance enables operators to use the standards-based EPC components for integration and therefore helps ensure a good level of interoperability between different access types.As mentioned earlier, this document concentrates first on the trusted part of the architecture. To force the Wi-Fi traffic to the EPC, two interfaces are defined, both of them terminating Wi-Fi sessions on the packet data network gateway (P-GW) as shown in Figure 10.Figure 10. 3GPP Architecture for Non-3GPP IP Access Integration into EPC, S2c OptionThe S2c interface is based on the Dual-Stack Mobile IP Version 6 (DSMIPv6) protocol and requires user equipment to support it. DSMIPv6 creates a tunneled connection between the user equipment and the P-GW, which is used to forward all traffic to and from the user equipment. The P-GW is responsible for assigning a virtual IP address to the tunnel during the setup process. This IP address is from the same IP pool that is used for LTE sessions. Because all traffic to and from the user equipment is sent through the tunnel, the P-GW has complete visibility of the user traffic and can apply PCC and other necessary functions to the traffic in the same manner as it does to the LTE sessions (Figure 11).Figure 11. 3GPP Architecture for Non-3GPP IP Access Integration into EPC, S2a OptionAnother option shown in Figure 11 is to choose the S2a interface for forwarding traffic from the Wi-Fi network to the EPC. This interface is based on the Proxy Mobile IPv6 (PMIPv6) protocol. As with S2c, the interface terminates on the P-GW and enables visibility into the user traffic. The difference is that the PMIPv6 protocol does not require any changes on the user equipment. The wireless access gateway (WAG) in the trusted non-3GPP IP access network provides the mobile IP functions transparently for the client. It creates the tunnel, requests the IP address from the P-GW, and then assigns this address to the Wi-Fi connection. In this way, the user equipment is assigned an IP address that is part of the P-GW pool, but it does not see the address as virtual but as a physical address directly on the Wi-Fi interface.Figure 12 shows an overview of LTE architecture. Again, in addition to tunneled traffic to the EPC, direct connection from the WAG to the Internet is enabled for users who are not mobile subscribers of the operator.Figure 12. LTE ArchitectureTwo methods of integration (S2a and S2c) have been used here, and each has different implications for the deployment. The S2c approach requires changes on the user equipment; therefore, it is considered client-based. This feature may not be trivial in a mobile network because of the need for client software for functions. The mobile operator must help ensure that large numbers of different handsets and operating systems can be addressed by the software, must keep the user equipment updated with new versions of software, and must motivate subscribers to use the client software. Figure 13 illustrates the attachment as defined by 3GPP. Phase A represents attachment to the Wi-Fi network. In phase B, the DSMIPv6 tunnel is opened to the P-GW; and in phase C, the session is signaled as the active one. Also illustrated is the establishment of policies for the session using the PCRF.Figure 13. S2c Network Attachment As Defined by 3GPPThe S2a approach eliminates the problem of the client software. The trade-off here is that the operator loses control of Wi-Fi activation and session handover on the user equipment. This loss of control may result in unexpected behavior of the user equipment during switchover from 3GPP access to Wi-Fi and back. Figure 14 shows the attachment as defined by 3GPP. The trusted non-3GPP IP access network represents the Wi-Fi network, with the WAG as part of this network. For a detailed description of the call flow, please refer to 3GPP TS 23.402.Figure 14. S2a Network Attachment As Defined by 3GPPInter-Radio HandoverBefore analyzing different methods of handover, it is important to understand the terms often used in this context. Specifically, you need to understand what session handover is and the types of handover that can be implemented depending on the requirements of the mobile operator.In mobile data networks, one of the most important procedures is handover - when a subscriber moves from one radio station to another. The handover procedure describes the behavior of the network when the subscriber switches from one radio type to another (for example, from 3G to Wi-Fi).Today, few handover types can be used. The one required in the operator’s network needs to balance the expectations of subscribers and the complexity of the architecture.●Handover without IP address persistency (connectivity handover): When a subscriber connects to the Wi-Fiaccess network, the subscriber is authenticated transparently and is assigned a new IP address by theWi-Fi network. All new communications can use the new IP address as the source. All established TCP and UDP connections can, however, still continue over the 3G network. If the user equipment logicdisables the 3G interface, then these established sockets will need to be (automatically) reestablished over Wi-Fi, using the new IP address.●Handover with IP persistency (IP handover): When a subscriber connects to the Wi-Fi network, thesubscriber will be assigned the same IP address as he used on the 3G or LTE network. If the established TCP and UDP connections are bound to a physical interface (because of the TCP/IP stack implementation of the UE), they will need to be (automatically) reestablished using the new Wi-Fi interface, even though they will use the same IP address.●Session handover (transparent handover): This type of handover is similar to IP handover, but thehandover must occur in a time range that allows real-time media applications (voice over IP, streamingvideo, etc.) - for example, using established UDP sockets for media and TCP sockets for the control-plane protocol - to continue without interruption or user-experience degradation as the device switches between Wi-Fi and 3G cellular connectivity.Note that seamless handover can be achieved only with user equipment cooperation, which means that software updating (for client software) is needed on terminals. At minimum, this software needs to provide a virtual interface adapter, to mask the physical interface structure for TCP and UDP sockets. The challenges of client software have already been discussed above.3GPP defines handover mechanisms for trusted Wi-Fi only as part of the LTE architecture. For untrusted Wi-Fi, proposals exist for 3G and LTE. This document starts with a look at trusted non-3GPP IP access networks in LTE.S2a-Based Handover (Clientless)The advantage of PMIPv6 as protocol for the S2a interface is that the protocol is built for network-based IP mobility. Therefore, it can provide, without client involvement, handover of the IP address between different access types. In this design, the P-GW is responsible for anchoring the session, assigning the IP addresses, and switching the PMIPv6 or Ga TP tunnels between different access gateways in the event of handover. The access gateways must support the mobile access gateway (MAG) function to fulfill all mobile IP-related mobile-node functions.Figure 15 illustrates the handover call flow as defined in 3GPP TS 23.402. The trusted non-3GPP IP access element is equivalent to a WAG.Figure 15. Handover Call Flow As Defined in 3GPP TS 23.402Although S2a-based handover is clientless, recall that the problems with Wi-Fi-to-3GPP handover are the existence of two radio interfaces on the user equipment and the role of the user equipment as the handover decision point. Because of these two factors, the network can never ensure that the user equipment is using the proper interface.Note: The definition of what constitutes a proper interface can change on an operator-by-operator basis.Also, at the user equipment, the TCP/IP stack needs to be able to cope with two physical interfaces that may eventually have identical IP addresses. Additionally, in some TCP/IP stack implementations, application sockets may be bound to a physical interface. Therefore, when the user equipment or application switches between interfaces, the application connections must be dropped and may need to be reestablished from the new interface.Given all of these dependencies, the PMIPv6-based architecture cannot (without user equipment support) guarantee operation of a transparent handover function on all user equipment types. This situation can be improved if a properly designed connection manager (with virtual adapters) is installed on all user equipment.Cisco is actively working with chipset and handset vendors to support standardization and development of user equipment that meets the requirements for smooth clientless handover.S2c-Based Handover (Client-based)For the S2c interface, 3GPP reuses the IETF-defined DSMIPv6 protocol between the user equipment and theP-GW as the anchor point. When on the non-3GPP network, the user equipment builds the DSMIPv6 to the appropriate P-GW and is assigned a virtual IP address, which is then used for application communication.The same IP address will be assigned to the user equipment over a 3GPP access network in the event of handover. The 3GPP network is treated as the home network, and therefore the user equipment does not need to set up a DSMIPv6 tunnel on the 3GPP access network.Figure 16, from 3GPP TS 23.402, summarizes the call flow during handover from an LTE access network to aWi-Fi access network.。

SRv6（Segment Routing over IPv6）是一种基于IPv6网络的新型路由技术，它通过在IPv6数据包中添加一个24位的标签来标识不同的路径。

这种技术可以提高网络的可扩展性、灵活性和安全性。

以下是一些与SRv6相关的标准：1. RFC 8210：这是SRv6的基本规范，定义了SRv6的基本概念、操作和实现要求。

2. RFC 8365：这个文档描述了如何使用BGP-LS（Border Gateway Protocol - Link State）协议在IPv6网络中传播SRv6路由信息。

3. RFC 8402：这个文档描述了如何使用MP-BGP（Multiprotocol BGP）协议在IPv6网络中传播SRv6路由信息。

4. RFC 8415：这个文档描述了如何使用IS-IS（Intermediate System to Intermediate System）协议在IPv6网络中传播SRv6路由信息。

5. RFC 8475：这个文档描述了如何使用OSPF（Open Shortest Path First）协议在IPv6网络中传播SRv6路由信息。

6. RFC 8597：这个文档描述了如何使用BFD（Bidirectional Forwarding Detection）协议在IPv6网络中检测SRv6路径的状态。

7. RFC 8795：这个文档描述了如何使用LDP（Label Distribution Protocol）协议在IPv6网络中分发SRv6标签。

8. RFC 8879：这个文档描述了如何使用PCE（Path Computation Element）协议在IPv6网络中计算SRv6路径。

9. RFC 8915：这个文档描述了如何使用SDN（Software-Defined Networking）技术来实现SRv6网络。

10. RFC 9119：这个文档描述了如何使用SRv6技术来实现网络切片。

attack 攻击hacker 黑客exploit 漏洞测试工具Firlwall 防火墙Anti-Virus 杀毒软件Virus 病毒worm 蠕虫IDS 入侵监测系统security 安全tool 工具Trojan 木马拒绝服务攻击sniffer 嗅探,从网络中截取密码信息sec-tool 安全工具SQL-injection SQL注入,入侵网站常用password 密码ID 账号Cracker 破解,软件破解File 文件Edit 编辑View 查看Open 打开Message 消息share 共享port 端口IP 网络地址Send 发送Select 选择Source 资源code 代码programming 编程WEB 网站ASP/PHP/JSP 动态脚本语言.NET Framework 微软.NET框架JA V A 爪哇编程语言Options 配置Connection 连接Proxy 代理Advanced 高级Start 启动Stop 停止Vmware 虚拟机Close 关闭Exit 退出1tcpmux TCP Port Service Multiplexer 传输控制协议端口服务多路开关选择器2compressnet Management Utility compressnet 管理实用程序3compressnet Compression Process压缩进程5rje Remote Job Entry远程作业登录7echo Echo回显9discard Discard丢弃11systat Active Users在线用户13daytime Daytime时间17qotd Quote of the Day每日18msp Message Send Protocol消息发送协议19chargen Character Generator字符发生器20FTP-data File Transfer [Default Data]文件传输协议(默认数据口)21ftp File Transfer [Control]文件传输协议(控制)22ssh SSH Remote Login Protocol SSH远程登录协议23telnet Telnet终端仿真协议24?any private mail system预留给个人用邮件系统25smtp Simple Mail Transfer简单邮件发送协议27nsw-fe NSW User System FE NSW 用户系统现场工程师29msg-icp MSG ICP MSG ICP31msg-auth MSG Authentication MSG验证33dsp Display Support Protocol显示支持协议35?any private printer server预留给个人打印机服务37time Time时间38rap Route Access Protocol路煞梦市?39rlp Resource Location Protocol资源定位协议41graphics Graphics图形42nameserver WINS Host Name Server WINS 主机名服务43nicname Who Is"绰号" who is服务44mpm-flags MPM FLAGS Protocol MPM(消息处理模块)标志协议45mpm Message Processing Module [recv]消息处理模块46mpm-snd MPM [default send]消息处理模块(默认发送口)47ni-ftp NI FTP NI FTP48auditd Digital Audit Daemon数码音频后台服务49tacacs Login Host Protocol (TACACS)TACACS登录主机协议50re-mail-ck Remote Mail Checking Protocol远程邮件检查协议51la-maint IMP Logical Address Maintenance IMP(接口信息处理机)逻辑地址维护52xns-time XNS Time Protocol施乐网络服务系统时间协议53domain Domain Name Server域名服务器54xns-ch XNS Clearinghouse施乐网络服务系统票据交换55isi-gl ISI Graphics Language ISI图形语言56xns-auth XNS Authentication施乐网络服务系统验证57?any private terminal access预留个人用终端访问58xns-mail XNS Mail施乐网络服务系统邮件59?any private file service预留个人文件服务60?Unassigned未定义61ni-mail NI MAIL NI邮件?62acas ACA Services异步通讯适配器服务63whois+ whois+WHOIS+64covia Communications Integrator (CI)通讯接口65tacacs-ds TACACS-Database Service TACACS数据库服务66sql*net Oracle SQL*NET Oracle SQL*NET67bootps Bootstrap Protocol Server引导程序协议服务端68bootpc Bootstrap Protocol Client引导程序协议客户端69tftp Trivial File Transfer小型文件传输协议70gopher Gopher信息检索协议71netrjs-1Remote Job Service远程作业服务72netrjs-2Remote Job Service远程作业服务73netrjs-3Remote Job Service远程作业服务74netrjs-4Remote Job Service远程作业服务75?any private dial out service预留给个人拨出服务76deos Distributed External Object Store 分布式外部对象存储77?any private RJE service预留给个人远程作业输入服务78vettcp vettcp修正TCP?79finger Finger FINGER(查询远程主机在线用户等信息)80http World Wide Web HTTP全球信息网超文本传输协议81hosts2-ns HOSTS2 Name Server HOST2名称服务82xfer XFER Utility传输实用程序83mit-ml-dev MIT ML Device模块化智能终端ML设备84ctf Common Trace Facility公用追踪设备85mit-ml-dev MIT ML Device模块化智能终端ML设备86mfcobol Micro Focus Cobol Micro Focus Cobol编程语言87?any private terminal link预留给个人终端连接88kerberos Kerberos Kerberros安全认证系统89su-mit-tg SU/MIT Telnet Gateway SU/MIT终端仿真网关90dnsix DNSIX Securit Attribute Token Map DNSIX 安全属性标记图91mit-dov MIT Dover Spooler MIT Dover假脱机92npp Network Printing Protocol网络打印协议93dcp Device Control Protocol设备控制协议94objcall Tivoli Object Dispatcher Tivoli对象调度95supdup SUPDUP96dixie DIXIE Protocol Specification DIXIE协议规范97swift-rvf Swift Remote Virtural File Protocol快速远程虚拟文件协议98tacnews TAC News TAC(东京大学自动计算机?)新闻协议99metagram Metagram Relay。

TCP常⽤⽹络和⽊马使⽤端⼝对照表，常⽤和不常⽤端⼝⼀览表【开始-运⾏- CMD ，输⼊ netstat -an 然后回车就可以查看端⼝】 端⼝：0 服务：Reserved 说明：通常⽤于分析操作系统。

这⼀⽅法能够⼯作是因为在⼀些系统中“0”是⽆效端⼝，当你试图使⽤通常的闭合端⼝连接它时将产⽣不同的结果。

⼀种典型的扫描，使⽤IP地址为0.0.0.0，设置ACK位并在以太⽹层⼴播。

端⼝：1 服务：tcpmux 说明：这显⽰有⼈在寻找SGI Irix机器。

Irix是实现tcpmux的主要提供者，默认情况下tcpmux在这种系统中被打开。

Irix机器在发布是含有⼏个默认的⽆密码的帐户，如：IP、GUEST UUCP、NUUCP、DEMOS 、TUTOR、DIAG、OUTOFBOX等 端⼝：7 服务：Echo 说明：能看到许多⼈搜索Fraggle放⼤器时，发送到X.X.X.0和X.X.X.255的信息。

端⼝：19 服务：Character Generator 说明：这是⼀种仅仅发送字符的服务。

UDP版本将会在收到UDP包后回应含有垃圾字符的包。

TCP连接时会发送含有垃圾字符的数据流直到连接关闭。

HACKER利⽤IP欺骗可以发动DoS攻击。

伪造两个chargen服务器之间的UDP包。

同样Fraggle 端⼝：21 服务：FTP 说明：FTP服务器所开放的端⼝，⽤于上传、下载。

最常见的攻击者⽤于寻找打开anonymous的FTP服务器的⽅法。

这些服务器带有可读写的⽬录。

⽊马Doly Trojan、Fore、Invisible FTP、WebEx、WinCrash和Blade Runner所开放的端⼝。

端⼝：22 服务：Ssh 说明：PcAnywhere建⽴的TCP和这⼀端⼝的连接可能是为了寻找ssh。

这⼀服务有许多弱点，如果配置成特定的模式，许多使⽤RSAREF库的版本就会有不少的漏洞存在。

端⼝：23 服务：Telnet 说明：远程登录，⼊侵者在搜索远程登录UNIX的服务。

计算机网络中英翻译ACK (ACKnowledgement) 确认帧ADSL (Asymmetric Digital Subscriber Line) 非对称数字用户线AN (Access Network ）接入网ANSI (American National Standards Institute) 美国国家标准协会AP (Access Point) 接入点API (Application Programming Interface) 应用编程接口APNIC (Asia Pacific Network Information Center) 亚太网络信息中心ARP （ Address Resolution Protocol ）地址解析协议ARPA (Advanced Research Project Agency)美国国防部远景研究规划局（高级研究计划署）ARQ (Automatic Repeat reQuest) 自动请求重发ATM (Asynchronous Transfer Mode) 异步传递方式ATU (Access Termination Unit) 接入端接单元ATU-C (Access Termination Unit Central Office ）端局接入端接单元ATU-R (Access Termination Unit Remote) 远端接入端接单元AUI (Attachment Unit Interface ）连接接口单元AWT （ Abstract Window Toolkit ）抽象窗口工具箱BECN (Backward Explicit Congestion Notification) 反向显式拥塞通知BER (Basic Encoding Rule) 基本编码规则BGP (Border Gateway Protocol) 边界网关协议BSA (Basic Service Area) 基本服务区BSS (Basic Service Set) 基本服务集BNA 宝来网络体系结构CAC (Connection Admission Control) 连接准许控制CAP (Carrierless Amplitude Phase) 无载波振幅相位调制CATV (Community Antenna TV, CAble TV) 有线电视CBR （ Constant Bit Rate ）恒定比特率CCIR (Consultative Committee，International Radio) 国际无线电咨询委员会CCITT (Consultative Committee, International Telegraph and Telephone)国际电报电话咨询委员会CCP 通信控制处理机CDM (Code Division Multiplexing) 码分复用CDMA (Code Division Multiplex Access) 码分多址CNNIC (Network Information Center of China) 中国互联网络信息中心CRC (Cyclic Redundancy Check) 循环冗余检验CSMA/CD (Carrier Sense Multiple Access ／ Collision Detection)载波监听多点接入/碰撞检测CSU/DSU （ Channel Service Unit/Data Service Unit) 信道服务单元／数据服务单元CTD (Cell Transfer Delay) 信元传送时延DACS (Digital Access and Cross-connect System) 数字交接系统DCA 数据通信体系结构DCE (Data Circuit-terminating Equipment) 数据电路端接设备DE (Discard Eligibility) 丢弃指示DES (Data Encryption Standard) 数据加密标准DHCP (Dynamic Host Configuration Protocol) 动态主机配置协议DLCI (Data Link Connection Identifier) 数据链路连接标识符DMT (Discrete Multi-Tone) 离散多音（调制）DNS (Domain Name System) 域名系统DNA 数据网络系统结构DSL (Digital Subscriber Line) 数字用户线DSLAM (DSL Access Multiplexer) 数字用户线接入复用器DSSS (Direct Sequence Spread Spectrum) 直接序列扩频DTE (Data Terminal Equipment) 数据终端设备DVMRP (Distance Vector Multicast Routing Protocol) 距离向量多播路由选择协议DWDM (Dense WDM) 密集波分复用EGP (External Gateway Protocol) 外部网关协议EIA (Electronic Industries Association ）美国电子工业协会ESP (Encapsulating Security Payload) 封装安全有效载荷ESS 伍 xtended Service Set) 扩展的服务集FCS (Frame Check Sequence) 帧检验序列FDDI (Fiber Distributed Data Interface ）光纤分布式数据接口FDM (Frequency Division Multiplexing) 频分复用FEC (Forwarding Equivalence Class) 转发等价类FEC (Forward Error Correction) 前向纠错FHSS (Frequency Hopping Spread Spectrum) 跳频扩频FIFO （ First In First Out) 先进先出FQ (Fair Queuing) 公平排队FR (Frame Relay) 帧中继FSK (Frequency Shift Keying) 移频键控FTP (File Transfer Protocol ）文件传送协议FTTB (Fiber To The Building) 光纤到大楼FTTC (Fiber To The Curb ）光纤到路边FTTH (Fiber To The Home) 光纤到家FTTD (Fiber To The Desk) 光纤到桌面FTTZ(Fiber To The Zone ）光纤到小区FTTO (Fiber To The Office) 光纤到办公室FTTF (Fiber To The Floor) 光纤到楼层GIF (Graphics Interchange Format) 图形交换格式GII (Global Information Infrastructure) 全球信息基础结构，全球信息基础设施GFC （ Generic Flow Control) 通用流量控制GSM (Group Special Mobile) 群组专用移动通信体制HDLC (High-level Data Link Control) 面向比特的链路控制规程HDSL (High speed DSL) 高速数字用户线HEC (Header Error Control) 首部差错控制HFC (Hybrid Fiber Coax) 光纤同轴混合（网）HTML (HyperText Markup Language) 超文本置标语言HTTP (HyperText Transfer Protocol) 超文本传送协议IAB (Internet Architecture Board) 因特网体系结构委员会IAC （ Interpret As Command ）作为命令解释IAHC (Internet International Ad Hoc Committee ）因特网国际特别委员会ICMP （ Internet Control Message Protocol ）因特网控制报文协议IDEA (International Data Encryption Algorithm) 国际数据加密算法IEEE电气和电子工程师协会IESG (Internet Engineering Steering Group) 因特网工程指导小组IETF (Internet Engineering Task Force) 因特网工程部IFS (Inter Frame Space) 帧间间隔IGMP (Internet Group Management Protocol) 因特网组管理协议IGP (Interior Gateway Protocol) 内部网关协议IM (Instant Messaging) 即时传信IMAP (Internet Message Access Protocol) 因特网报文存取协议IMP （ Interface Message Processor) 接口报文处理机IP (Internet Protocol ）网际协议IR (InfraRed ）红外技术IRTF （ Internet Research Task Force ）因特网研究部ISDN (Integrated Services Digital Network) 综合业务数字网ISO （ International Organization for Standardization ）国际标准化组织ISOC (Internet Society) 因特网协会ISP （ Internet Service Provider) 因特网服务提供者ITU （ International Telecommunication Union ）国际电信联盟ITU-T （ ITU Telecommunication Standardization Sector) 国际电信联盟电信标准化部门JPEG (Joint Photographic Expert Group) 联合图像专家组标准KDC (Key Distribution Center) 密钥分配中心LAN (Local Area Network ）局域网LANE (LAN Emulation ）局域网仿真LAPB (Link Access Procedure Balanced) 链路接入规程（平衡型）LCP (Link Control Protocol) 链路控制协议LDP (Label Distribution Protocol) 标记分配协议LLC (Logical Link Control) 逻辑链路控制LSP (Label Switched Path) 标记交换路径LSR (Label Switching Router) 标记交换路由器MAC (Medium Access Control) 媒体接入控制MAN (Metropolitan Area Network) 城域网MAU (Medium Attachment Unit) 媒体连接单元MBONE (Multicast Backbone On the InterNEt ）多播主干网MBS (Maximum Burst Size ）最大突发长度MCR (Minimum Cell Rate ）最小信元速率 MCU (Multipoint Control Unit)多点控制单元MD (Message Digest) 报文摘要MDI (Medium Dependent Interface ）媒体相关接口MIB (Management Information Base) 管理信息库MIME (Multipurpose Internet Mail Extensions) 通用因特网邮件扩充modem 调制解调器MOTIF (Message Oriented Text Interchange System) 面向报文的电文交换系统MPEG (Motion Picture Experts Group) 活动图像专家组标准MPOA (MultiProtocol Over ATM) 多协议在 ATM 上运行MPLS (MultiProtocol Label Switching) 多协议标记交换MRU (Maximum Receive Unit) 最大接收单元MSS (Maximum Segment Size) 最长报文段MTU (Maximum Transfer Unit) 最大传送单元NAK (Negative AcKnowlegement) 否认帧NAP （ Network Access Point) 网络接入点N.ISDN (Narrowband-ISDN) 窄带综合业务数字网NAT (Network Address Translation ）网络地址转换NAV (Network Al location Vector) 网络分配向量NCP (Network Control Protocol) 网络控制协议NFS (Network File System) 网络文件系统NGI 下一代因特网计划NIA 网络适配器NIC (Network Interface Card) 网络接口卡、网卡NII (National Information Infrastructure) 国家信息基础结构，国家信息基础设施NLRI (Network Layer Reachability Information) 网络层可达性信息NNI (Network-Node Interface) 网络结点接口NSF (National Science Foundation) （美国）国家科学基金会NVT (Network Virtual Terminal ）网络虚拟终端ODBC （Open Database Connection）开放数据库互连OSF （Open Software Fundation ）开放软件基金会OSI （Open System Interconnection ）开放系统互联PBX （Private Branch eXchange ）用户交换机PCM (Pulse Code Modulation ) 脉冲编码调制PCN (Personal Communications Network ) 个人通信网络PCR （Peak Cell Rate ）峰值信元速率PCS 个人通信服务 Personal Communications ServicePDH 准同步数字系列PDA 个人数字助理 Personal Digital AssistantPDN 公用数据网 Public Data NetworkPDU 协议数据单元 Protocol Data UnitPER 分组差错率 packet error ratePIR 分组插入率 packet insertion ratePLCP 物理层会聚协议 Physical Layer Convergence ProtocolPLR 分组丢失率 packet loss ratePMD 物理媒体相关（子层） Physical Medium DependentPPP 点到点协议 Point to Point ProtocolPPTP 点对点隧道协议PRM 协议参考模型 Protocol Reference ModelPRN 分组无线网 Packet Radio NetworkPSN 分组交换节点 Packet Switch NodePSTN 公用电话交换网 Public Switched Telephone NetworkRARP 逆向地址解析协议 Reverse Address Resolution ProtocolRAS 远程访问服务器RFC 请求评注 Request for CommentsRMON 远程网络管理Router 路由器RPC 远程过程调用 Remote Procedure CallRSVP 资源重复利用协议RTP 接收和发送端口RTS 往返样本 Round Trip SampleRTS 剩余时间标签SAP 业务接入点 Service Access PointSAP 服务公告协议 Service Advertising ProtocolSAR 分段和重组(子层) Segmentation and ReassemblySDH 同步数字系列 Synchronous Digital HierarchySDLC 同步数据链路控制(协议) Advanced Data Communication Control Procedure SDTV 标准数字电视SDU 业务数据单元 Service Data UnitSIPP 增强的简单因特网协议 Simple Internet Protocol PlusSLIP 串行线路IP Serial Line Interface ProtocolSMDS 交换式多兆比特数据业务 Switched Multimegabit Data ServicesSMF 单模光纤 Single-mode FiberSMT 站点管理 Station ManagementSMTP 简单邮件传输协议 Simple Mail Transfer ProtocolSNA 系统网络体系结构 System Network ArchitectureSNMP 简单网络管理协议 Simple Network Management ProtocolSNR 信噪比 Signal-Noise ratioSONET 同步光纤网络 Synchronous Optical NetworkSTM 同步传输方式 Synchronous Transfer ModeSTP 屏蔽双绞线 Shielded Twisted PairSTS 同步传输信号 Synchronous Transport SignalSVC 交换虚电路 Switched Virtual CircuitSwitch 交换机TCP 传输控制协议 Transmission Control ProtocolTDM 时分多路复用 Time Division MultiplexingTFTP 单纯文件传输协议 Trivial File Transfer protocolTelnet 远程登录协议TIP 终端接口处理机 Terminal Interface ProcessorTP 双绞线 Twisted PairTSAP 传输层服务访问点 Transport Service Access PointUDP 用户数据报协议 User Datagram ProtocolUSB 通用串行总线 Universal Serial BusUTP 非屏蔽双绞线 Unshielded Twisted PairVAN 增值网 Value Added NetworkVBR 可变比特率 Variable Bit RateVCC 虚信道连接 Virtual Channel ConnectionVLAN 虚拟局域网 Virtual LANVLSI 超大规模集成电路VOD 点播图像 Video on DemandVPC 虚路径连接 Virtual Path ConnectionVPI 虚路径标识 virtual path identifierVPN 虚拟专用网络 Virtual Private NetworkVRML 虚拟现实造型语言 Virtual Reality Modeling Language VTP 虚拟隧道协议WAN 广域网 Wide Area NetworkWDM 波分多路复用 Wavelength Division MultiplexingWWW 万维网 World Wide Web。

双机热备技术（如群集、负载均衡、镜像等高可性性技术)）双机热备随着信息化建设的不断推进，各个企事业单位的活动越来越多的依赖于其关键的业务信息系统，这些业务信息系统对整个机构的运营和发展起着至关重要的作用，一旦发生宕机故障或应用停机，将给机构带来巨大的经济损失。

可见，对那些需要保障信息安全和提供不间断的信息服务的机构来说，业务系统的容错性和不间断性显得尤为重要。

如何保障各种关键应用持续运营，达到永续经营的良性循环，已成为当今企事业单位和IT领域急需解决的关键问题。

荟萃NEC技术精华的EXPRESSCLUSTER是一款专业的高可用集群软件产品(而不仅仅是一款双机热备软件)，它可为您提供Windows和Linux平台上完整的高可用性解决方案。

当集群中的某个节点由于软件或硬件原因发生故障时，集群系统可以把IP、客户业务等资源切换到其他健康的节点上，使整个系统能连续不间断的对外提供服务，从而为机构24x365的关键业务提供了可靠的保障，达到了系统99.999%的高可用性和可靠性。

支持共享和镜像两种方式的集群模式共享型基于多台服务器连接共享盘柜的方式来构筑多节点的集群系统，适用于大规模企业级系统；而镜像型基于非单点失效结构（shared-nothing），无需价格高昂的共享盘柜，只要使用2台服务器即可轻松构筑低成本的集群系统，适用于中小规模系统。

支持差分镜像在镜像型方案中，我们使用的差分备份和差分恢复技术,可直接对2台服务器的镜像盘中的差分数据进行同步和恢复，而不必通过全盘Copy，大幅缩短了镜像同步及恢复所需的时间，提高了镜像集群的性能。

支持多节点镜像支持多节点镜像技术，可以用一台服务器同时对多个节点进行镜像复制，实现多节点之间互为备份的构筑方式。

利用EXPRESSCLUSTER率先实现的多节点镜像技术，可以在不牺牲系统可靠性和性能的前提下，实现更为灵活的配置，进一步节省硬件投资。

支持镜像+共享的混合集群EXPRESSCLUSTER打破了原有因存储方式不同而不得不产生的镜像集群和共享集群的区分。

核心交换机双机热备解决方案一、项目背景稳定持续的系网络系统运行变得越来越重要，而原来有单机核心三层交换数据潜 伏巨大的崩溃风险。

VRRP （虚拟路由冗余协议）技术来解决该问题，以实现主、备核心三层交换设 备之间动态、无停顿的热切换。

二、方案设计：2.1、 简要介绍VRRP 的基本概念。

通常情况下，内部网络中的所有主机都设置一条相同的缺省路由，指向出口网关 （即图1中的交换机S9300A ），实现主机与外部网络的通信。

当出口网关发生 故障时，主机与外部网络的通信就会中断。

图1局域网缺省网关Gateway: 10,0.0.1 IP Address:10,0.0.4/24 4Ethernet 配置多个出口网关是提高系统可靠性的常见方法，但需要解决如何在多个出口网 关之间进行选路的问题。

VRRP （Virtual Router Redundancy Protocol ）是 RFC3768 定义的一种容错协议， 通过物理设备和逻辑设备的分离，实现在多个出口网关之间选路，很好地解决了 上述问题。

在具有多播或广播能力的局域网（如以太网）中，VRRP 提供逻辑网关确保高利 用度的传输链路，不仅能够解决因某网关设备故障带来的业务中断，而且无需修 改路由协议的配置。

2.2、 V RRP 工作原理：S93OOAGateway: 10.0.0.1IP Address:10,0.0.2/24Gateway: 10,0.0.1 IP Address;10.0.0.3/2410.0.0.1/24vrrp只定义了一种报文—- vrrp报文，这是一种组播报文，由主三层交换机定时发出来通告他的存在。

使用这些报文可以检测虚拟三层交换机各种参数，还可以用于主三层交换机的选举。

VRRP中定义了三种状态模型，初始状态Initialize，活动状态Master 和备份状态Backup，其中只有活动状态的交换机可以为到虚拟IP地址的的转发请求提供服务。

RFC 2865 RADIUS 中文翻译收藏Network Working Group C. Rigney Request for Comments: 2865 S. Willens Obsoletes: 2138 LivingstonCategory: Standards Track A. RubensMeritW. SimpsonDaydreamerJune 2000远程认证拨号用户服务（RADIUS）备忘录状态本文档描述了一种Internet社区的Internet标准跟踪协议，它需要进一步进行讨论和建议以得到改进。

请参考最新版的“Internet正式协议标准” (STD1)来获得本协议的标准化程度和状态。

本备忘录可以不受限制地传播。

版权说明Copyright (C) The Internet Society (2000). All Rights Reserved.IESG说明:本协议已经被广泛实现和使用，经验表明当本协议在一个大范围的系统中使用会降低性能和丢失数据。

部分原因是协议中没有提供拥塞控制的机制。

读者可以发现阅读本文对跟踪IETF组织的AAA工作组的工作进程有很大的帮助，AAA工作组可能会开发一个能够更好的解决扩展性和拥塞控制问题的成功的协议。

摘要本文描述了一个传输认证、授权和配置信息的协议。

这些信息在想要认证链路的网络接入服务器（Network Access Server）和共享的认证服务器务器之间传递。

实现说明本备忘录记录了RADIUS协议，RADIUS协议的早期版本使用的UDP端口是16 45，由于和"datametrics"服务冲突，官方为RADIUS协议分配了一个新的端口号1812。

Rigney, et al. Standards Track [Page 1]RFC 2865 RADIUS June 2000目录1. 简介 (3)1.1 描述文档的约定 (4)1.2 术语 (5)2. 操作 (5)2.1 挑战/回应 (7)2.2 使用PAP和CHAP互操作 (8)2.3 代理 (8)2.4 为什么使用UDP (11)2.5 重发提醒 (12)2.6 被证明是有害的心跳 (13)3. 报文格式 (13)4. 报文类型 (17)4.1 接入请求报文 (17)4.2 接入成功回应报文 (18)4.3 接入拒绝回应报文 (20)4.4 接入挑战报文 (21)5. 属性 (22)5.1 User-Name (26)5.2 User-Password (27)5.3 CHAP-Password (28)5.4 NAS-IP-Address (29)5.5 NAS-Port (30)5.6 Service-Type (31)5.7 Framed-Protocol (33)5.8 Framed-IP-Address (34)5.9 Framed-IP-Netmask (34)5.10 Framed-Routing (35)5.11 Filter-Id (36)5.12 Framed-MTU (37)5.13 Framed-Compression (37)5.14 Login-IP-Host (38)5.15 Login-Service (39)5.16 Login-TCP-Port (40)5.17 (unassigned) (41)5.18 Reply-Message (41)5.19 Callback-Number (42)5.20 Callback-Id (42)5.21 (unassigned) (43)5.22 Framed-Route (43)5.23 Framed-IPX-Network (44)5.24 State (45)5.25 Class (46)5.26 Vendor-Specific (47)5.27 Session-Timeout (48)5.28 Idle-Timeout (49)5.29 Termination-Action (49)Rigney, et al. Standards Track [Page 2] RFC 2865 RADIUS June 20005.30 Called-Station-Id (50)5.31 Calling-Station-Id (51)5.32 NAS-Identifier (52)5.33 Proxy-State (53)5.34 Login-LAT-Service (54)5.35 Login-LAT-Node (55)5.36 Login-LAT-Group (56)5.37 Framed-AppleTalk-Link (57)5.38 Framed-AppleTalk-Network (58)5.39 Framed-AppleTalk-Zone (58)5.40 CHAP-Challenge (59)5.41 NAS-Port-Type (60)5.42 Port-Limit (61)5.43 Login-LAT-Port (62)5.44 Table of Attributes (63)6. IANA注意事项 (64)6.1 术语定义 (64)6.2 推荐的注册策略 (65)7. 举例 (66)7.1 用户Telnet到指定主机上 (66)7.2 用户使用CHAP认证方式认证 (67)7.3 用户使用挑战-回应卡 (68)8. 安全事项 (71)9. 更新记录 (71)10. 参考文献 (73)11. 致谢 (74)12. AAA工作组主席地址 (74)13. 作者地址 (75)14. 版权声明 (76)1. 简介本文档废弃了RFC 2138 [1]。

rfc中常用的测试协议摘要：1.RFC 简介2.RFC 中常用的测试协议a.网络协议测试1.网络数据包抓取和分析2.网络仿真和测试工具b.应用层协议测试1.HTTP 和HTTPS 测试2.FTP 和FTPS 测试3.SMTP 和SMTPS 测试c.安全协议测试1.TLS 和SSL 测试2.IPsec 测试d.传输协议测试1.TCP 和UDP 测试e.无线网络协议测试1.802.11 无线网络测试正文：RFC（Request for Comments）是一个用于讨论和记录互联网协议的标准文档系列。

在RFC 中，有许多常用的测试协议，这些协议用于确保互联网协议在实际应用中能够正常工作。

本文将详细介绍这些测试协议。

首先，RFC 中包含了大量的网络协议测试。

网络数据包抓取和分析是网络协议测试的基础，这对于诊断网络问题和优化网络性能至关重要。

此外，网络仿真和测试工具也是必不可少的，例如，网络模拟器（如NS-3）和测试平台（如Ixia）可以帮助工程师在实验室环境中模拟实际网络状况，从而对协议进行更严格的测试。

其次，应用层协议测试在RFC 中也占据重要地位。

HTTP 和HTTPS 是Web 应用中最常用的协议，有许多测试工具可以对它们的性能和安全性进行测试，例如，JMeter 和Locust 等负载测试工具。

此外，FTP 和FTPS、SMTP 和SMTPS 等传输协议也是常用的测试对象。

在安全协议方面，RFC 中包含了TLS 和SSL、IPsec 等协议的测试方法。

这些协议对于保护互联网数据传输的安全至关重要，因此需要进行严格的测试以确保其性能和安全性。

传输协议方面，TCP 和UDP 是互联网中最常用的传输协议，它们的测试方法也是RFC 中的重要内容。

TCP 测试关注可靠性和流量控制等方面，而UDP 测试则更注重数据传输速率和丢包率等指标。

最后，无线网络协议测试在RFC 中也有一定的比重。

例如，802.11 无线网络测试是评估无线局域网性能的关键。

Network Working Group T. Przygienda Request for Comments: 3358 Xebeo Category: Informational August 2002 Optional Checksums inIntermediate System to Intermediate System (ISIS)Status of this MemoThis memo provides information for the Internet community. It doesnot specify an Internet standard of any kind. Distribution of thismemo is unlimited.Copyright NoticeCopyright (C) The Internet Society (2002). All Rights Reserved. AbstractThis document describes an optional extension to the IntermediateSystem to Intermediate System (ISIS) protocol, used today by several Internet Service Proviers (ISPs) for routing within their clouds.ISIS is an interior gateway routing protocol developed originally by OSI and used with IP extensions as Interior Gateway Protocol (IGP).ISIS originally does not provide Complete Sequence Numbers ProtocolData (CSNP) and Partial Sequence Numbers Protocol Data Unit (PSNP)checksums, relying on the underlying layers to verify the integrityof information provided. Experience with the protocol shows thatthis precondition does not always hold and scenarios can be imagined that impact protocol functionality. This document introduces a newoptional Type, Length and Value (TLV) providing checksums.1. IntroductionISIS [ISO90, Cal90a, Cal90b] CSNPs and PSNPs and IIHs can becorrupted in case of faulty implementations of L2 hardware or lack of checksuming on a specific network technology. As a particularly ugly case, corruption of length and/or TLV length fields may lead to thegeneration of extensive numbers of "empty" LSPs in the receivingnode. Since we cannot rely on authentication as a checksummechanism, this document proposes an optional TLV to add checksums to the elements.The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT","SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [Bra97].Przygienda Informational [Page 1]2. TLV DescriptionThis optional TLV MAY BE included in all CSNP, PSNP and IIH packetsand an implementation that implements optional checksums MUST accept PDUs if they do NOT contain the optional checksum. Implementationsthat receive an optional checksum TLV and support it MUST discard the PDU if the checksum is incorrect. An implementation that does NOTimplement optional checksums MUST accept a PDU that contains thechecksum TLV. An implementation that supports optional checksums and receives it within any other PDU than CSNP, PSNP or IIH MUST discard the PDU. Such an implementation MUST discard the PDU as well if more than one optional checksum TLVs are included within it.Additionally, any implementation supporting optional checksums MUSTaccept PDUs with an optional checksum with the value 0 and considersuch a checksum as correct.3. Checksum ComputationThe checksum is a fletcher checksum computed according to [ISO98],Annex C over the complete PDU. To compute the correct checksum, animplementation MUST add the optional checksum TLV to the PDU with the initial checksum value of 0 and compute the checksum over such a PDU.4. Interaction with TLVs using PDU Data to Compute SignaturesThe implementation MUST either omit the optional checksum on aninterface or send a 0 checksum value if it includes in the PDUsignatures that provide equivalent or stronger functionality, such as HMAC or MD5. Otherwise an implementation that handles suchsignatures but does not handle the optional checksums, may fail tocompute the MD5 signature on the packet. Such a failure would becaused by the fact that MD5 is computed with the checksum value setto 0 and only as a final step is the checksum value being filled in.5. TLV Format[Prz01] lists the according value of the TLV type and discussesissues surrounding the assignment of new TLV codepoints.0 1 2 30 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| TLV Type =12 | TLV Length =2 | Checksum (16 bits) |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Przygienda Informational [Page 2]6. AcknowledgmentsTony Li mentioned the original problem. Mike Shand providedcomments. Somehow related problems with purging on LSP checksumerrors have been observed by others before. Nischal Sheth spelledout the issues of interaction between MD5 and the optional checksums.7. Security ConsiderationsISIS security applies to the work presented. No specific securityissues as to the new element are known.References[Bra97] Bradner, S., "Key Words for Use in RFCs to IndicateRequirement Levels", BCP 14, RFC 2119, March 1997.[Cal90a] Callon, R., "OSI ISIS Intradomain Routing Protocol", RFC1142, February 1990.[Cal90b] Callon, R., "Use of OSI ISIS for Routing in TCP/IP and Dual Environments", RFC 1195, December 1990.[ISO90] ISO. Information Technology - Telecommunications andInformation Exchange between Systems - Intermediate Systemto Intermediate System Routing Exchange Protocol for Use in Conjunction with the Protocol for Providing theConnectionless-Mode Network Service. ISO, 1990.[ISO98] ISO. Information Technology - Protocol for Providing theConnectionless-Mode Network Service: ProtocolSpecification. ISO, 1998.[Prz01] Przygienda, T., "Reserved Type, Length and Value (TLV)Codepoints in Intermediate System to Intermediate System",RFC 3359, August 2002.Author’s AddressTony PrzygiendaXebeoOne Cragwood RoadSouth Plainfield, NJ 07080Phone: (908) 222 4225Email: prz@Przygienda Informational [Page 3]Full Copyright StatementCopyright (C) The Internet Society (2002). All Rights Reserved.This document and translations of it may be copied and furnished toothers, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, publishedand distributed, in whole or in part, without restriction of anykind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, thisdocument itself may not be modified in any way, such as by removingthe copyright notice or references to the Internet Society or otherInternet organizations, except as needed for the purpose ofdeveloping Internet standards in which case the procedures forcopyrights defined in the Internet Standards process must befollowed, or as required to translate it into languages other thanEnglish.The limited permissions granted above are perpetual and will not berevoked by the Internet Society or its successors or assigns.This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERINGTASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDINGBUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATIONHEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OFMERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.AcknowledgementFunding for the RFC Editor function is currently provided by theInternet Society.Przygienda Informational [Page 4]。

中国移动I P v6终端技术要求V1.0.0目录1 范围 (1)2 规范性引用文件 (1)3 术语、定义和缩略语 (2)3.1 术语和定义 (2)3.1.1 接入点名称Access Point Name (2)3.1.2 网关GPRS支持节点Gateway GPRS Support Node (2)3.1.3 分组数据协议上下文Packet Data Protocol Context (2)3.1.4 双栈终端Dual stack terminal (2)3.1.5 终端形态 (2)3.2 缩略语 (3)4 总体技术要求 (4)5 终端技术要求 (4)5.1 协议栈 (4)5.1.1 概述 (4)5.1.2 RFC 2460 IPv6协议规范 (4)5.1.3 RFC 4291 IPv6地址结构 (5)5.2 DNS客户端 (5)5.3 DHCP客户端 (5)5.4 IPv4/IPv6协议翻译技术 (5)5.4.1 BIH (5)5.4.2 464XLAT (8)5.5 隧道过渡技术 (9)5.5.1 Teredo技术 (9)5.5.2 6rd (9)6 PDP/PDN连接激活及IPv6地址获取过程 (10)6.1 IPv6地址配置 (10)6.2 PDP/PDN连接的建立和IP地址的获取 (10)6.2.1 3GPP Release 8之前终端PDP上下文的激活和IPv6地址获取过程 (10)6.2.2 3GPP Release 8之后（含Release 8）终端PDP/PDN连接的建立和IPv6地址获取过程 (11)7 终端PDP/PDN连接激活策略 (12)7.1 概述 (12)7.2 双栈终端PDP/PDN连接激活策略一：同时获取IPv4和IPv6地址 (12)7.3 双栈终端PDP/PDN连接激活策略二：按需建立IPv4或IPv6连接 (14)7.4 两种PDP/PDN连接激活策略的选择和使用 (15)8 WLAN网络中的IPv6地址获得 (15)9 DNS解析 (15)9.1 概述 (15)9.2 终端DNS解析流程 (15)9.3 DNS服务器地址的获取 (15)9.4 DNS解析承载类型的选择 (15)9.5 DNS解析目的地址类型的选择 (15)10 终端应用软件系统 (16)11 IP头压缩技术要求 (16)12 安全 (16)13 APN设定 (17)14 不同终端类型要求 (17)14.1 手机/平板电脑类终端 (17)14.2 MiFi/移动CPE终端 (17)14.3 数据卡终端 (17)前言本文档是依据3GPP、IETF发布的IPv6相关标准制定，并结合现阶段IPv6升级改造及试点项目需求所定义的手机、平板电脑、MiFi、移动CPE、数据卡等移动终端IPv6部分技术要求。

计算机网络名词英文缩写解释大全计算机网络名词英文缩写解释大全AAL ATM适配层ATM Adaptation LayerABR可用比特率Available Bit RateACR 衰减串扰比ADPCM 自适应差分PCMADSL 非对称数字环路Asymmetric Digital Subscriber LineAMI ATM Management InterfaceAMPS 先进型移动电话系统Advanced Mobile Phone SystemANS 高级网络与服务Advanced Networks and ServicesANSI 美国国家标准协会American National Standard InstituteAPON 无源光纤网络ARP 地址解析协议Address Resolution ProtocolARQ 自动重发请求Automatic Repeat RequestAS 自制系统Autonomous SystemASIC Application Specific Integrated Circuit(Chip)ASN.1 Abstract Syntax Notation OneATD 异步时分复用Asynchronous Time DivisionATM 异步传输模式Asynchronous Transfer ModeBBS 电子公告板Bulletin Board SystemBER 误比特率bit error rateBGP 边界网关协议Border Gateway ProtocolBICMOS 双极型CMOSBIP-8 Bit Interleaved Parity-8B-ISDN 宽带综合业务数字网Broadband Integrated Services Digital Network BMI Bus-Memory InterfaceBOOTP 引导协议BOOTstrapping ProtocolBRI 单一ISDN基本速率BUS 广播和未知服务器Broadcast/Unknown ServerCAC 连接接纳控制Connection Admission ControlCATV 公用天线电视CBDS 无连接宽带数据服务CBR 连续比特率Continuous Bit RateCCITT 国际电话电报咨询委员会CD Carrier DetectCDB Configuration DatabaseCDMA 码分多址Code Division Multiple AccessCDPD 蜂窝数字分组数据Cellular Digital Packet DataCDV 信元延时变化Cell Delay VariationCEC Common Equipment CardCERNET 中国教育科研网CIDR 无类型域间路由Classless InterDomain RoutingCLIP Classical IPCLP 信元丢失优先级CMIS/CMIP the Common Management Information Service/ProtocolCMOS 互补型金属氧化物半导体CMOT CMIS/CMIP on TCP/IPCNOM 网络营运与管理专业委员会Committee of Network Operation and Manag ementCORBA 公共对象请求代理结构Common Object Request Broker Architecture CPAN Comprehensive Perl archieve NetworkCPE Customer Premises EquipmentCPCS 公共部分会聚子层Common Part Convergence SublayerCR Carriage ReturnCS 会聚子层Convergence SublayerCSDN 电路交换数据网CSMA/CD 载波侦听多路访问/冲突检测Carrier Sense Multi-Access/Collision Det ectionDAC Dual Attach ConcentratorDAS Dual Attach StationDCD Data Carrier DetectDCE 数据电路端接设备Digital Circuit-terminating EquipmentDHCP 动态主机控制协议DIME 直接内存执行Direct Memory ExecuteDME 分布式管理环境Distributed Management EnvironmentDNS 域名系统Domain Name SystemDPI 每英寸可打印的点数Dot Per InchDQDB 分布式队列双总线Distributed Queue Dual BusDS-3 Digital Standard-3DSMA 数字侦听多重访问Digital Sense Multiple AccessDSP Digital Signal ProcessingDTE 数据终端设备Data Terminal EquipmentDTR Data Terminal ReadyDVMRP 距离向量多目路径协议Distance Vector Multicast Routing ProtocolECL 硅双极型ECSRN 华东南地区网EGP 外部网关协议Exterior Gateway ProtocolEIA/TIA Electronic Industries Association and the Telecommunication Indust ries AssociationEMA 以太网卡Ethernet Media AdapterE-mail 电子邮件Electronic MailEPD 提前舍弃分组数据包FAQ 常见问题解答Frequently Answer QuestionFCS 快速电路交换Fast Circuit SwitchingFDDI 光纤分布式数据接口Fiber Distributed Data InterfaceFDM 频分多路复用Frequency Division MultiplexingFEC 前向差错纠正Forward Error CorrectionFEMA 快速以太网卡Fast Ethernet Media AdapterFEXT 远端串扰FITL 光纤环路FMA FDDI网卡FDDI Media AdapterFOIRL Fiber Optic Inter-repeater LinkFTP 文件传输协议File Transfer ProtocolFTTC 光纤到楼群Fiber To The CurbFTTH 光纤到户Fiber To The HomeGCRA 通用信元速率算法Generic Cell Rate AlgorithmGGP 网关-网关协议Gateway-Gateway ProtocolGSM 移动通信全球系统(全球通) Global Systems for Mobile communications HEC 信头错误控制Header Error ControlHCS 头校验序列Header Check SequenceHDLC 高级数据链路控制（协议）High-Level Data Link ControlHDTV 数字高清晰度电视High Definition TeleVisionHFC 混合光纤同轴Hybrid Fiber CoaxHIPPI 高性能并行接口High Performance Parallel InterfaceHOL 队头阻塞HTTP 超文本传输协议HyperText Transfer ProtocolHub 集线器IAB 因特网结构委员会Internet Architecture BoardIAP 因特网接入提供商Internet Access ProviderICCB Internet控制与配置委员会Internet Control and Configuration Board ICMP 因特网控制信息协议Internet Control Message ProtocolICP Internet Content ProviderICX 部件间交换Inter-Cartridge ExchangeIDP 网间数据报协议Internetwork Datagram ProtocolIDU 接口数据单元Interface Data UnitIEEE 电子和电气工程师协会Institute of Electrical and Electronics Engineers IETF 因特网工程特别任务组Internet Engineering Task ForceIGMP Internet组管理协议Internet Group Management ProtocolIGP 内部网关协议Interior Gateway ProtocolIISP 间歇交换机信令协议ILMI 过渡性局域管理界面(?)IMP 接口信息处理机Interface Message ProcessorIMTS 改进型移动电话系统Emproved Mobile Telephone SystemIP 因特网协议Internet ProtocolIRC Internet Relay ChatIRTF 因特网研究特别任务组Internet Research Task ForceISDN 综合业务数字网Integrated Services Digital NetworkISO 国际标准化组织International Organization for Standardization（或简称International Standard Organization）ISP 因特网服务提供商Internet Service ProvederIT 信息技术Information TechnologyITU 国际电信联盟International Telecommunications UnionJPEG 图像专家联合小组Joint Photographic Experts GroupL2F 第二层转发L2TP 第二层隧道协议LAN 局域网Local Area NetworkLANE 局域网仿真LAN EmulationLAP 链路访问过程Link Access ProcedureLCP 链路控制协议Link Control ProtocolLE_ARP LAN仿真地址转换协议LEC 局域网仿真客户端LAN Emulation ClientLECS 局域网仿真配置服务LAN Emulation Configure ServiceLED 发光二极管LES 局域网仿真服务器LAN Emulation ServerLF Line FeedLI 长度指示LIM 插件板LLC 逻辑链路控制Logical Link ControlMAC 介质访问控制Media Access ControlMAN 城域网Metropolitan Area NetworkMACA 避免冲突的多路访问(协议)(IEEE802.11无线局域网标准的基础) Multiple Access with Access Avoidance MAU Medium Access UnitMIB 管理信息库Management Information BaseMIC Media interface connectorModem 调制解调器MOTD 当日消息Message Of The DayMPC MPOA ClientMPEG 活动图像专家组Motion Picture Experts GroupMRFCS 多速率快速电路交换Multirate Fast Circuit SwitchingMPOA Multi-Protocol Over ATMMPS MPOA ServerMRCS 多速率电路交换Multirate Circuit SwitchingMSC 移动交换中心Mobile Switching CenterMTBF 两次故障间的平均时间Media Time Between FaultsMTOR 故障修复所需平均时间Media Time of RepairMTP 邮件传输协议Mail Transfer ProtocolMTSO 移动电话交换站Mobile Telephone Switching OfficeMTTD 故障诊断所需平均时间Media Time to DiagnoseMTU 最大传输单元Maximum Transfer UnitNAP 网络接入点Network Access PointNCA 网络计算结构Network Computing ArchitectureNCFC 中国国家计算机网络设施，国内也称中关村网The National Computing and Network Facility of ChinaNCP 网络控制协议Network Control ProtocolNCP 网络核心协议Network Core ProtocolNEXT 近端串扰NFS 网络文件系统Network File SystemNHRP 下一个节点路由协议NHS NHRP ServerNIC Null-Attach ConcentratorNIC 网卡Network Interface CardNIC 网络信息中心Network Information CentreNIM 网络接口模块Network Interface ModuleNISDN 窄带ISDN Narrowband Integrited Services Digital NetworkNLAM 网络层地址管理NNI 网络-网络接口Network-Network InterfaceNOMS 网络营运与管理专题讨论会Network Operation and Management Sympo siumNREN （美国）国家研究和教育网National Research and Education Network NSAP 网络服务接入点Network Service Access PointNSF （美国）国会科学基金会NVRAM Non-volatile RAMNVT 网络虚拟终端Network Virtual TerminalOAM 操作与维护Operation And MaintenanceODBC 开放数据库互连Open Database ConnectionORB 对象请求代理Object REquest BrokerOSF 开放软件基金会Open Software FundationOSI 开放系统互联Open System InterconnectionOSPF 开放最短路径优先(协议) Open Shortest Path FirstPBX 用户交换机*** Branch eXchangePCM 脉冲编码调制Pulse Code ModulationPCN 个人通信网络Personal Communications NetworkPCR 峰值信元速率Peak Cell RatePCS 个人通信服务Personal Communications ServicePDH 准同步数字系列PDA 个人数字助理Personal Digital AssistantPDN 公用数据网Public Data NetworkPDU 协议数据单元Protocol Data UnitPER 分组差错率packet error ratePEM Port Expansion ModulePIR 分组插入率packet insertion ratePI/SO Primary In/Secondary OutPLCP 物理层会聚协议Physical Layer Convergence ProtocolPLR 分组丢失率packet loss ratePMD 物理媒体相关（子层）Physical Medium DependentPOH 通道开销PON 无源光纤网POP Post Office ProtocolPO/SI Primary Out/Secondary InPOTS 普通老式电话业务Plain Old Telephone ServicePPD 部分舍弃分组数据包Partial Packet DiscardPPP 点到点协议Point to Point ProtocolPPTP 点对点隧道协议PRM 每分钟可打印输出的页数Page Per MinutePRM 协议参考模型Protocol Reference ModelPRN 分组无线网Packet Radio NetworkPSN 分组交换节点Packet Switch NodePSDN 分组交换数据网PSTN 公用电话交换网Public Switched Telephone NetworkPVC 永久虚电路（包括PVPC和PVCC）Permanent Virtual CircuitPVPC permanent virtual path connectionPVCC permanent virtual channel connectionPVP 永久虚路径Permanent Virtual PathQoS 服务质量Quality of ServiceRADIUS 远端授权拨号上网用户服务RARP 逆向地址解析协议Reverse Address Resolution ProtocolRAS 远程访问服务器RFC 请求评注Request for CommentsRFT Request for TechnologyRIP Routing Information ProtocolRMON 远程网络管理Router 路由器RPC 远程过程调用Remote Procedure CallRSVP 资源重复利用协议RTMP Routing Table Maintenance Protocol(用于Appletalk)RTP 接收和发送端口RTS 往返样本Round Trip SampleRTS 剩余时间标签SAP 业务接入点Service Access PointSAP 服务公告协议Service Advertising ProtocolSAR 分段和重组(子层) Segmentation and ReassemblySAS Single Attached StationSC Stick and Click connectorSCR 信号串扰比SCR 持续信元速率Sustained Cell RateSCS 交换控制软件SDH 同步数字系列Synchronous Digital HierarchySDLC 同步数据链路控制(协议) Advanced Data Communication Control Procedu reSDTV 标准数字电视SDU 业务数据单元Service Data UnitSIPP 增强的简单因特网协议Simple Internet Protocol PlusSLIP 串行线路IP Serial Line Interface ProtocolSMDS 交换式多兆比特数据业务Switched Multimegabit Data Services SMF 单模光纤Single-mode FiberSMI Structure of Management Information（MIB的结构）SMT 站点管理Station ManagementSMTP 简单邮件传输协议Simple Mail Transfer ProtocolSNA 系统网络体系结构System Network ArchitectureSNMP 简单网络管理协议Simple Network Management ProtocolSNR 信噪比Signal-Noise ratioSOH 段开销SONET 同步光纤网络Synchronous Optical NetworkSPE 同步净荷包Synchronous Payload EnvelopeSPP 定序分组协议（XNS中，相当于TCP）Sequential Packet ProtocolSRTS 同步剩余时间标签法SSCS 业务特定部分会聚子层SSI 服务器端包含Server Side IncludeST Stick and Turn connectorSTM 同步传输方式Synchronous Transfer ModeSTP 屏蔽双绞线Shielded Twisted PairSTS 同步传输信号Synchronous Transport SignalSVC 交换虚电路Switched Virtual CircuitSwitch 交换机TAC Technical Assistance CenterTAST 时间分配话音插空技术Time Assignment by Speech Interpolation TC 传输汇集(子层) Transmission ConvergenceTCP 传输控制协议Transmission Control ProtocolTDM 时分多路复用Time Division MultiplexingTFTP 单纯文件传输协议Trivial File Transfer protocolTIP 终端接口处理机Terminal Interface ProcessorTP 双绞线Twisted PairTSAP 传输层服务访问点Transport Service Access PointTTL 生存时间Time To LiveTTR 定时令牌旋转UBR 未定义比特率Undefined Bit RateUEM 通用以太网模块Universal Ethernet ModuleUDP 用户数据报协议User Datagram ProtocolUI Unix国际UNI 用户-网络接口User-Network InterfaceUPC 使用参数控制Usage Parameter ControlURL 统一资源定位Universal Resource LocatorUSB 通用串行总线Universal Serial BusUTP 非屏蔽双绞线Unshielded Twisted PairUUCP Unix to Unix Copy ProgramVAN 增值网Value Added NetworkVBR 可变比特率Variable Bit RateVCC 虚信道连接Virtual Channel ConnectionVCI virtual channel identifierV-D 向量-距离（算法）又叫Bellman-Ford算法）vector-distanceVLAN Virtual LANVLSI 超大规模集成电路VOD 点播图像Video on DemandVPC 虚路径连接Virtual Path ConnectionVPI 虚路径标识virtual path identifierVPN 虚拟专用网络Virtual *** NetworkVRML 虚拟现实造型语言Virtual Reality Modeling Language VTP 虚拟隧道协议WAN 广域网Wide Area NetworkWDM 波分多路复用Wavelength Division Multiplexing WDMA 波分多路访问Wavelength Division Multiple Access WRB Web请求代理Web Request BrokerWWW 万维网World Wide WebXNS Xerox Network System。

渗透测试如何找出工控系统脆弱环节随着“两化”融合的不断深入，传统IT的安全威胁不断涌向工业控制系统，让原本封闭和脆弱的工业控制系统雪上加霜。

据美国国土安全部下属的工业控制系统网络应急响应小组（ICS－CERT）发布的报告披露，2014年9月至2015年2月期间共发生了245起网络安全事件，其中的154起影响了关键制造业、能源系统、化工和核设施。

这些事件在发生频率、复杂性和严重性上均有不同程度增加，且超过一半属于高级持续性威胁（APT）。

尽管企业在安全防护、监控和检测能力上已有所增强，但伴随着工控系统攻击行为的集团化、精准性特点越来越显著，可被利用的安全漏洞在过去几年逐年增多，充分了解自身安全风险显得尤为必要。

渗透测试作为发现工控系统脆弱性的有效补充手段，可验证安全管理流程和技术防护措施的有效性，增强工业控制系统网络安全性。

 图1 ICS－CERT公布的发生在2014年9月到2015年2月期间的网络安全事件 图2 ISA－99／IEC 62443 Purdue模型 尽管ISA－99／IEC 62443等对数据流向进行了规定，但不遵守安全分区和数据流向规则的网络大量存在，多网卡以及允许全网ICMP通讯的情况也非常普遍，外部渗透测试方法依旧可行。

 其它可选渗透测试方法 除了上面提到的互联网和相邻连接网络渗透测试方法，其它可考虑的渗透点包括物理安全脆弱性和社会工程学。

社会工程学利用了任何安全程序中最薄弱的环节之一：人的因素。

技术性社会工程学方法（如钓鱼网站）结合专业的工具可实现最有效的渗透测试，工业控制系统需综合终端防护、入侵检测及加强人员安全意识培训等来防范社会工程学攻击。

 测试模拟的真实工业控制网络 在实验室或者测试环境搭建模拟真实生产控制系统的平台，采用相同的设备类型、型号和版本，并尽可能采用真实系统的备份镜像进行测试，采取各项渗透测试手段，尽最大可能发现模拟环境的问题，而无需太关心安全问题。

 测试工控设备 取得控制设备操作权限或破坏控制设备是黑客攻击的重要目的。

ROS-vrrp冗余文档作者：动网运维组创建日期：2011-05-12备注：1.本文档的内容都是在真实环境中实现！2.在实际应用中如果有什么好的建议可以向运维部提供！版本控制：一、概述VRRP协议原理：虚拟路由冗余协议Virtual Router，Redundancy Protocol（VRRP）。

VRRP 协议时保证访问一些资源不会中断，即通过多台路由器组成一个网关集合，如果其中一台路由器出现故障，会自动启用另一台。

两个或多个路由器建立起一个动态的虚拟集合，每一个路由器都可以参与处理数据，这个集合最大不能超过255 个虚拟路由器（可参考虚拟路由协议）。

一般现在的路由器都支持该协议。

利用VRRP 集合功能提供高效的路由器运行方式，不在需要复杂的脚本ping 监测。

许多VRRP 路由器可用组成一个虚拟路由器集合。

在一个网络中最大可用支持相同VRID（虚拟路由IP）255 个。

每个路由器都必须设置一个优先参数，每个VRRP 配置通一个虚拟的网卡绑定在一个真实的网卡上。

VRRP 地址放入虚拟的VRRP 网卡上。

VRRP Master 状态显示为running 标志，虚拟网卡上的地址被激活，其他属于backup（即优先级低的VRRP 路由）停止运行。

虚拟路由冗余协议时一种为路由提供高效率的路由选择协议。

一个或多个IP 地址可以分配到一个虚拟路由上，一个虚拟路由节点应该具备以下状态：MASTER 状态，一个节点回答所有的请求给相应请求的IP 地址。

仅只有一个MASTER 路由器在虚拟路由中。

每隔一段时间这个节点发出VRRP 广播包所有backup 路由器。

BACKUP 状态，VRRP 路由器监视Master 路由器的状态。

它不会回答任何来至相应IP 地址的请求，当MASTER 路由器无法工作时（假设至少三次VRRP 数据链接丢失），选择过程发生，新的MASTER 会根据优先级产生。

PS：VRRP 不能运行在VLAN 接口上，VLAN 的接口MAC 地址于与运行在物理网卡MAC地址是不同的。

QB/CU 中国联通公司企业标准QB/CU S11-116(2015)中国联通国际虚拟以太专线业务规范The Enterprise Specification of International Virtual Ethernet Private Line Servicefor China UnicomV1.02015-08-31发布2015-08-31实施目次前言 (III)1 范围 (1)2 规范性引用文件 (1)3 缩略语和术语 (1)3.1 缩略语 (1)3.2 术语和定义 (2)4 中国联通国际虚拟以太专线业务描述 (3)4.1 中国联通国际虚拟以太专线业务定义 (3)4.1.1 业务定义 (3)4.1.2 业务类型 (3)4.1.2.1 业务类型与技术实现 (3)4.1.2.2 业务描述 (4)4.1.3 面向的客户群体 (5)4.2 中国联通国际虚拟以太专线业务特征 (6)4.2.1 业务接入特性 (6)4.2.1.1接入方式 (6)4.2.1.2用户接口 (6)4.2.1.3覆盖范围 (7)4.2.2 业务带宽定义 (7)4.2.2.1接入电路方式和带宽 (7)4.2.2.2业务带宽（虚电路带宽） (7)4.2.2.3虚拟以太专线业务的带宽（速率）开销 (7)4.2.3 业务特性 (8)4.2.3.1 MTU (8)4.2.3.2 VLAN TAG处理方式 (9)4.2.3.3 二层协议透传 (10)4.2.4 服务品质保证（SLA） (10)4.2.4.1开通时限（Provisioning Lead Time） (10)4.2.4.2 业务可用率(Service Avalability) (10)5 中国联通国际虚拟以太专线业务技术方案描述 (11)5.1 国内业务接入及组织方式 (11)5.1.1 技术方案 (11)5.1.2 接入方式 (11)5.2 国外业务接入及组织方式 (12)5.2.1 技术方案 (12)5.2.2 接入方式 (12)5.3 国际运营商互联方案 (12)5.4 虚拟以太专线可靠性部署 (13)6 中国联通国际虚拟以太专线产品服务 (13)6.1 服务模式 (13)6.1.1 一站服务模式（One Stop Shopping Mode） (13)6.1.1.1 分类 (13)6.1.1.2 适用情况 (14)6.1.2 双端服务模式（Bilateral Mode） (14)6.2 签约流程 (14)6.3 业务开通要求 (14)6.4 中国联通国际虚拟以太专线业务故障受理流程 (15)6.4.1 故障处理原则 (15)6.4.2 客户报障接口 (15)6.4.3 客户报障时需提供的信息 (15)6.4.4 故障处理流程 (15)附录 A （资料性附录）中国联通承载A网覆盖范围 (15)附录 B （资料性附录）技术对比 (18)前言为了规范中国联通国际虚拟以太专线业务，促进业务健康、快速地发展，确保业务服务质量，特制定本规范。