Glossary
This glossary contains definitions of new terms in this book that are not
in the Sun Global Glossary available from the docs.sun.com web site.
3DES: See Triple-DES.

address pool: In Mobile IP, a set of addresses that are designated by the home network administrator for use by mobile nodes that need a home address.

AES: Advanced Encryption Standard. A symmetric 128-bit block data encryption technique. The U.S. government adopted the Rijndael variant of the algorithm as its encryption standard in October 2000. AES replaces DES encryption as the government standard.

agent advertisement: In Mobile IP, a message that is periodically sent by home agents and foreign agents to advertise their presence on any attached link.

agent discovery: In Mobile IP, the process by which a mobile node determines if it has moved, its current location, and its care-of address on a foreign network.

anycast address: An IPv6 address that is assigned to a group of interfaces (typically belonging to different nodes). A packet that is sent to an anycast address is routed to the nearest interface having that address. The packet's route is in compliance with the routing protocol's measure of distance.

anycast group: A group of interfaces with the same anycast IPv6 address. The Solaris OS implementation of IPv6 does not support the creation of anycast addresses and groups. However, Solaris IPv6 nodes can send traffic to anycast groups.

asymmetric key cryptography: An encryption system in which the sender and receiver of a message use different keys to encrypt and decrypt the message. Asymmetric keys are used to establish a secure channel for symmetric key encryption. The Diffie-Hellman protocol is an example of an asymmetric key protocol. Contrast with symmetric key cryptography.

authentication header: An extension header that provides authentication and integrity, without confidentiality, to IP datagrams.

autoconfiguration: The process by which a host automatically configures its IPv6 address from the site prefix and the local MAC address.

bidirectional tunnel: A tunnel that can transmit datagrams in both directions.

binding table: In Mobile IP, a home agent table that associates a home address with a care-of address, including remaining lifetime and time granted.

Blowfish: A symmetric block cipher algorithm that takes a variable-length key from 32 bits to 448 bits. Its author, Bruce Schneier, claims that Blowfish is optimized for applications where the key does not change often.

broadcast address: IPv4 network addresses with the host portion of the address having all zeroes (10.50.0.0) or all one bits (10.50.255.255). A packet that is sent to a broadcast address from a machine on the local network is delivered to all machines on that network.

CA: See certificate authority (CA).

care-of address: A mobile node's temporary address that is used as a tunnel exit point when the mobile node is connected to a foreign network.

certificate authority (CA): A trusted third-party organization or company that issues digital certificates used to create digital signatures and public-private key pairs. The CA guarantees the identity of the individual who is granted the unique certificate.

certificate revocation list (CRL): A list of public key certificates that have been revoked by a CA. CRLs are stored in the CRL database that is maintained through IKE.

class: In IPQoS, a group of network flows that share similar characteristics. You define classes in the IPQoS configuration file.

classless inter-domain routing (CIDR) address: An IPv4 address format that is not based on network classes (Class A, B, and C). CIDR addresses are 32 bits in length. They use the standard IPv4 dotted decimal notation format, with the addition of a network prefix. This prefix defines the network number and the network mask.

datagram: See IP datagram.

DES: Data Encryption Standard. A symmetric-key encryption method developed in 1975 and standardized by ANSI in 1981 as ANSI X.3.92. DES uses a 56-bit key.

Diffie-Hellman protocol: Also known as public key cryptography. An asymmetric cryptographic key agreement protocol that was developed by Diffie and Hellman in 1976. The protocol enables two users to exchange a secret key over an insecure medium without any prior secrets. Diffie-Hellman is used by the IKE protocol.

diffserv model: Internet Engineering Task Force architectural standard for implementing differentiated services on IP networks. The major modules are classifier, meter, marker, scheduler, and dropper. IPQoS implements the classifier, meter, and marker modules. The diffserv model is described in RFC 2475, An Architecture for Differentiated Services.

digital signature: A digital code that is attached to an electronically transmitted message and that uniquely identifies the sender.

domain of interpretation (DOI): A DOI defines data formats, network traffic exchange types, and conventions for naming security-relevant information. Security policies, cryptographic algorithms, and cryptographic modes are examples of security-relevant information.

DS codepoint (DSCP): A 6-bit value that, when included in the DS field of an IP header, indicates how a packet must be forwarded.

DSA: Digital Signature Algorithm. A public key algorithm with a variable key size from 512 to 4096 bits. The U.S. Government standard, DSS, goes up to 1024 bits. DSA relies on SHA-1 for input.

dual stack: A TCP/IP protocol stack with both IPv4 and IPv6 at the network layer, with the rest of the stack being identical. When you enable IPv6 during Solaris OS installation, the host receives the dual-stack version of TCP/IP.

dynamic packet filter: See stateful packet filter.

encapsulating security payload (ESP): An extension header that provides integrity and confidentiality to datagrams. ESP is one of the five components of the IP Security Architecture (IPsec).

encapsulation: The process of a header and payload being placed in the first packet, which is subsequently placed in the second packet's payload.

failback: The process of switching network access back to an interface after that interface has been detected as repaired.

failover: The process of switching network access from a failed interface to a good physical interface. Network access includes IPv4 unicast, multicast, and broadcast traffic, as well as IPv6 unicast and multicast traffic.

failure detection: The process of detecting when an interface or the path from an interface to an Internet layer device no longer works. IP network multipathing (IPMP) includes two types of failure detection: link based (default) and probe based (optional).

filter: A set of rules that define the characteristics of a class in the IPQoS configuration file. The IPQoS system selects for processing any traffic flows that conform to the filters in its IPQoS configuration file. See packet filter.

firewall: Any device or software that isolates an organization's private network or intranet from the Internet, thus protecting it from external intrusions. A firewall can include packet filtering, proxy servers, and NAT (network address translation).

flow accounting: In IPQoS, the process of accumulating and recording information about traffic flows. You establish flow accounting by defining parameters for the flowacct module in the IPQoS configuration file.

foreign agent: A router or server on the foreign network that the mobile node visits.

foreign network: Any network other than the mobile node's home network.

forward tunnel: A tunnel that starts at the home agent and terminates at the mobile node's care-of address.

Generic Routing Encapsulation (GRE): An optional form of tunneling that can be supported by home agents, foreign agents, and mobile nodes. GRE enables a packet of any network-layer protocol to be encapsulated within a delivery packet of any other (or the same) network-layer protocol.

hash value: A number that is generated from a string of text. Hash functions are used to ensure that transmitted messages have not been tampered with. MD5 and SHA-1 are examples of one-way hash functions.

header: See IP header.

HMAC: Keyed hashing method for message authentication. HMAC is a secret key authentication algorithm. HMAC is used with an iterative cryptographic hash function, such as MD5 or SHA-1, in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function.

home address: An IP address that is assigned for an extended period to a mobile node. The address remains unchanged when the node is attached elsewhere on the Internet or an organization's network.

home agent: A router or server on the home network of a mobile node.

home network: A network that has a network prefix that matches the network prefix of a mobile node's home address.

hop: A measure that is used to identify the number of routers that separate two hosts. If three routers separate a source and destination, the hosts are four hops away from each other.

host: A system that does not perform packet forwarding. Upon installation of the Solaris OS, a system becomes a host by default, that is, the system cannot forward packets. A host typically has one physical interface, although it can have multiple interfaces.

ICMP: Internet Control Message Protocol. Used to handle errors and exchange control messages.

ICMP echo request packet: A packet sent to a machine on the Internet to solicit a response. Such packets are commonly known as “ping” packets.
IKE: Internet Key Exchange. IKE automates the provision of authenticated keying material for IPsec security associations (SAs).

Internet Protocol (IP): The method or protocol by which data is sent from one computer to another on the Internet.

IP: See Internet Protocol (IP), IPv4, IPv6.

IP datagram: A packet of information that is carried over IP. An IP datagram contains a header and data. The header includes the addresses of the source and the destination of the datagram. Other fields in the header help identify and recombine the data with accompanying datagrams at the destination.

IP header: Twenty bytes of data that uniquely identify an Internet packet. The header includes source and destination addresses for the packet. An option exists within the header to allow further bytes to be added.

IP in IP encapsulation: The mechanism for tunneling IP packets within IP packets.

IP link: A communication facility or medium over which nodes can communicate at the link layer. The link layer is the layer immediately below IPv4/IPv6. Examples include Ethernets (simple or bridged) or ATM networks. One or more IPv4 subnet numbers or prefixes are assigned to an IP link. A subnet number or prefix cannot be assigned to more than one IP link. In ATM LANE, an IP link is a single emulated LAN. When you use ARP, the scope of the ARP protocol is a single IP link.

IP stack: TCP/IP is frequently referred to as a “stack.” This refers to the layers (TCP, IP, and sometimes others) through which all data passes at both client and server ends of a data exchange.

IPQoS: A software feature that provides an implementation of the diffserv model standard, plus flow accounting and 802.1D marking for virtual LANs. Using IPQoS, you can provide different levels of network services to customers and applications, as defined in the IPQoS configuration file.

IPsec: IP security. The security architecture that provides protection for IP datagrams.

IPv4: Internet Protocol, version 4. IPv4 is sometimes referred to as IP. This version supports a 32-bit address space.

IPv6: Internet Protocol, version 6. IPv6 supports a 128-bit address space.

key management: The way in which you manage security associations (SAs).

keystore name: The name that an administrator gives to the storage area, or keystore, on a network interface card (NIC). The keystore name is also called the token or the token ID.
link layer: The layer immediately below IPv4/IPv6.

link-local address: In IPv6, a designation that is used for addressing on a single link for purposes such as automatic address configuration. By default, the link-local address is created from the system's MAC address.

local-use address: A unicast address that has only local routability scope (within the subnet or within a subscriber network). This address also can have a local or global uniqueness scope.

marker:
1. A module in the diffserv architecture and IPQoS that marks the DS field of an IP packet with a value that indicates how the packet is to be forwarded. In the IPQoS implementation, the marker module is dscpmk.
2. A module in the IPQoS implementation that marks the virtual LAN tag of an Ethernet datagram with a user priority value. The user priority value indicates how datagrams are to be forwarded on a network with VLAN devices. This module is called dlcosmk.

MD5: An iterative cryptographic hash function that is used for message authentication, including digital signatures. The function was developed in 1991 by Rivest.

message authentication code (MAC): MAC provides assurance of data integrity and authenticates data origin. MAC does not protect against eavesdropping.

meter: A module in the diffserv architecture that measures the rate of traffic flow for a particular class. The IPQoS implementation includes two meters, tokenmt and tswtclmt.

minimal encapsulation: An optional form of IPv4 in IPv4 tunneling that can be supported by home agents, foreign agents, and mobile nodes. Minimal encapsulation has 8 or 12 bytes less of overhead than does IP in IP encapsulation.

mobile node: A host or router that can change its point of attachment from one network to another network while maintaining all existing communications by using its IP home address.

mobility agent: Either a home agent or a foreign agent.

mobility binding: The association of a home address with a care-of address, along with the remaining lifetime of that association.

mobility security association: A collection of security measures, such as an authentication algorithm, between a pair of nodes, which are applied to Mobile IP protocol messages that are exchanged between the two nodes.

MTU: Maximum Transmission Unit. The size, given in octets, that can be transmitted over a link. For example, the MTU of an Ethernet is 1500 octets.

multicast address: An IPv6 address that identifies a group of interfaces in a particular way. A packet that is sent to a multicast address is delivered to all of the interfaces in the group. The IPv6 multicast address has similar functionality to the IPv4 broadcast address.

multihomed host: A system that has more than one physical interface and that does not perform packet forwarding. A multihomed host can run routing protocols.

NAT: See network address translation.

neighbor advertisement: A response to a neighbor solicitation message or the process of a node sending unsolicited neighbor advertisements to announce a link-layer address change.

neighbor discovery: An IP mechanism that enables hosts to locate other hosts that reside on an attached link.

neighbor solicitation: A solicitation that is sent by a node to determine the link-layer address of a neighbor. A neighbor solicitation also verifies that a neighbor is still reachable by a cached link-layer address.

Network Access Identifier (NAI): A designation that uniquely identifies the mobile node in the format of user@domain.

network address translation: NAT. The translation of an IP address used within one network to a different IP address known within another network. Used to limit the number of global IP addresses that are needed.

network interface card (NIC): Network adapter card that is an interface to a network. Some NICs can have multiple physical interfaces, such as the qfe card.

node: In IPv6, any system that is IPv6-enabled, whether a host or a router.

outcome: The action to take as a result of metering traffic. The IPQoS meters have three outcomes, red, yellow, and green, which you define in the IPQoS configuration file.

packet: A group of information that is transmitted as a unit over communications lines. Contains an IP header plus a payload.

packet filter: A firewall function that can be configured to allow or disallow specified packets through a firewall.

packet header: See IP header.

payload: The data that is carried in a packet. The payload does not include the header information that is required to get the packet to its destination.

per-hop behavior (PHB): A priority that is assigned to a traffic class. The PHB indicates the precedence which flows of that class have in relation to other traffic classes.

perfect forward secrecy (PFS): In PFS, the key that is used to protect transmission of data is not used to derive additional keys. Also, the source of the key that is used to protect data transmission is never used to derive additional keys. PFS applies to authenticated key exchange only. See also Diffie-Hellman protocol.

physical interface: A system's attachment to a link. This attachment is often implemented as a device driver plus a network interface card (NIC). Some NICs can have multiple points of attachment, for example, qfe.

physical interface group: The set of physical interfaces on a system that are connected to the same link. These interfaces are identified by assigning the same (non-null) character string name to all the physical interfaces in the group.

physical interface group name: A name that is assigned to a physical interface that identifies the group. The name is local to a system. Multiple physical interfaces, sharing the same group name, form a physical interface group.

PKI: Public Key Infrastructure. A system of digital certificates, Certificate Authorities, and other registration authorities that verify and authenticate the validity of each party involved in an Internet transaction.

plumb: The act of opening a device that is associated with a physical interface name. When an interface is plumbed, streams are set up so that the IP protocol can use the device. You use the ifconfig command to plumb an interface during a system's current session.
private address: An IP address that is not routable through the Internet. Private addresses can be used by internal networks on hosts that do not require Internet connectivity. These addresses are defined in RFC 1918, Address Allocation for Private Internets, and are often referred to as “1918” addresses.

protocol stack: See IP stack.

proxy server: A server that sits between a client application, such as a Web browser, and another server. Used to filter requests, for instance to prevent access to certain web sites.
public key cryptography: A cryptographic system that uses two different keys. The public key is known to everyone. The private key is known only to the recipient of the message. IKE provides public keys for IPsec.

redirect: In a router, to inform a host of a better first-hop node to reach a particular destination.

registration: The process by which a mobile node registers its care-of address with its home agent and foreign agent when it is away from home.

repair detection: The process of detecting when a NIC or the path from the NIC to some layer-3 device starts operating correctly after a failure.

replay attack: In IPsec, an attack in which a packet is captured by an intruder. The stored packet then replaces or repeats the original at a later time. To protect against such attacks, a packet can contain a field that increments during the lifetime of the secret key that is protecting the packet.

reverse tunnel: A tunnel that starts at the mobile node's care-of address and terminates at the home agent.

router: A system that usually has more than one interface, runs routing protocols, and forwards packets. You can configure a system with only one interface as a router if the system is the endpoint of a PPP link.

router advertisement: The process of routers advertising their presence together with various link and Internet parameters, either periodically or in response to a router solicitation message.

router discovery: The process of hosts locating routers that reside on an attached link.

router solicitation: The process of hosts requesting routers to generate router advertisements immediately, rather than at their next scheduled time.

RSA: A method for obtaining digital signatures and public key cryptosystems. The method was first described in 1978 by its developers, Rivest, Shamir, and Adleman.

SA: See security association (SA).

SADB: Security Associations Database. A table that specifies cryptographic keys and cryptographic algorithms. The keys and algorithms are used in the secure transmission of data.
SCTP: See stream control transport protocol.

security association (SA): An association that specifies security properties from one host to a second host.

security parameter index (SPI): An integer that specifies the row in the security associations database (SADB) that a receiver should use to decrypt a received packet.

security policy database (SPD): Database that specifies the level of protection to apply to a packet. The SPD filters IP traffic to determine whether a packet should be discarded, should be passed in the clear, or should be protected with IPsec.

selector: The element that specifically defines the criteria to be applied to packets of a particular class in order to select that traffic from the network stream. You define selectors in the filter clause of the IPQoS configuration file.

SHA-1: Secure Hashing Algorithm. The algorithm operates on any input length less than 2^64 bits to produce a message digest. The SHA-1 algorithm is input to DSA.
site-local-use address: A designation that is used for addressing on a single site.

smurf attack: To use ICMP echo request packets directed to an IP broadcast address or multiple broadcast addresses from remote locations to create severe network congestion or outages.

sniff: To eavesdrop on computer networks; frequently used as part of automated programs to sift information, such as clear-text passwords, off the wire.

SPD: See security policy database (SPD).

SPI: See security parameter index (SPI).

spoof: To gain unauthorized access to a computer by sending a message to it with an IP address indicating that the message is coming from a trusted host. To engage in IP spoofing, a hacker must first use a variety of techniques to find an IP address of a trusted host and then modify the packet headers so that it appears that the packets are coming from that host.

stack: See IP stack.

standby: A physical interface that is not used to carry data traffic unless some other physical interface has failed.

stateful packet filter: A packet filter that can monitor the state of active connections and use the information obtained to determine which network packets to allow through the firewall. By tracking and matching requests and replies, a stateful packet filter can screen for a reply that doesn't match a request.

stateless autoconfiguration: The process of a host generating its own IPv6 addresses by combining its MAC address and an IPv6 prefix that is advertised by a local IPv6 router.

stream control transport protocol: A transport layer protocol that provides connection-oriented communications in a manner similar to TCP. Additionally, SCTP supports multihoming, in which one of the endpoints of the connection can have more than one IP address.

symmetric key cryptography: An encryption system in which the sender and receiver of a message share a single, common key. This common key is used to encrypt and decrypt the message. Symmetric keys are used to encrypt the bulk of data transmission in IPsec. DES is one example of a symmetric key system.

TCP/IP: TCP/IP (Transmission Control Protocol/Internet Protocol) is the basic communication language or protocol of the Internet. It can also be used as a communications protocol in a private network (either an intranet or an extranet).

Triple-DES: Triple-Data Encryption Standard. A symmetric-key encryption method. Triple-DES requires a key length of 168 bits. Triple-DES is also written as 3DES.

tunnel: The path that is followed by a datagram while it is encapsulated. See encapsulation.

unicast address: An IPv6 address that identifies a single interface of an IPv6-enabled node. The parts of the unicast address are site prefix, subnet ID, and interface ID.

user-priority: A 3-bit value that implements class-of-service marks, which define how Ethernet datagrams are forwarded on a network of VLAN devices.

virtual LAN (VLAN) device: Network interfaces that provide traffic forwarding at the Ethernet (data link) level of the IP protocol stack.

virtual private network (VPN): A single, secure, logical network that uses tunnels across a public network such as the Internet.

visited network: A network other than a mobile node's home network, to which the mobile node is currently connected.

visitor list: The list of mobile nodes that are visiting a foreign agent.