Posts

Showing posts from 2008

Intra-Cluster Communication Signaling (ICCS)

Intra-Cluster Communication Signaling (ICCS), which provides the communications with the Cisco CallManager Service process that is at the heart of the call processing in each server or node within the cluster. The intra-cluster traffic between the servers consists of the following: Database traffic from the IBM Informix Dynamic Server (IDS) database that provides the main configuration information. The IDS database is replicated from the publisher server to all other servers in the cluster using best-effort. The IDS traffic may be re-prioritized in line with Cisco QoS recommendations to a higher priority data service (for example, IP Precedence 1 if required by the particular business needs). An example of this is extensive use of Extension Mobility, which relies on IDS database configuration. Firewall management traffic, which is used to authenticate the subscribers to the publisher to access the publisher's database. The management traffic flows between all servers in a cluster....

Shared Line Appearance(SLA) vs Bridged Line Appearance(BLA)

Shared Line Appearances: SLAs allow you to place a call on hold at one set and pick it up easily at another set. SLA is also known as SCA: Shared Call Appearance. You can join an existing conversation be pressing the corresponding line button. Typically the phones will have dedicated buttons with LEDs for each of the shared lines. Bridged Line Appearance: BLA allows multiple devices to share a single directory number.

Facebook使用人數持續擴增(活躍使用者帳戶已達到1.4億個)

自從我接觸了Facebook之後,我就把Plaxo, Linkist, LinkedIn等社群網站冷落了,因為我觀察出來我的朋友對於Facebook接受程度遠大於其他社群網站,我認為其中有一個很大的原因,那就是Facebook的localize程度相當完整,完整到讓人以為Facebook是來自於local language的網站。以我周遭的朋友為例,我以往利用plaxo來維持人際關係,希望可以利用plaxo來隨時追蹤朋友的聯繫資料(與outlook 聯絡人同步),但是通常發出的邀請大約只有2/5會有回應,大約只有不到1/10的人會真的註冊到plaxo上。很多人跟我說他們看到英文信就砍了根本連內容都沒看...(沒錯,這是部份台灣人或是部份非西方語系國家的悲哀,他們拒絕接受英文相關資訊,因為有的人是看不懂有的人是懶得去翻譯)。 反觀Facebook,它不但中文化程度相當完整(唯一的缺點,雖然都是繁體中文,但是香港中文用語跟台灣中文用語有所差異…有時真的有看沒有懂,甚至不知道怎麼唸),它有著其他社群網站不同的特色,內建IM(這可以取代MSN/Yahoo Messenger)及web online game(有愈來愈多人從web online game找到朋友,而不用再去買online game軟體、買點數、安裝軟體等),讓許多人之間透過另一個朋友漸漸地認識到另外一群人或是N群人,只是因為某人在Facebook上發文或是進行其他的動作,造成了更多人的互動,這是以往IM及其他社群網站所沒有作到的(不過也有一些類似的社群網站出現,像是plurk or twitter,可惜他們不如Facebook收容這麼豐富的應用(也可以import許多其他社群資訊,甚至是提供無限量的照片上傳空間,因此Facebook社群會造成一種吸引力,讓你用了Facebook 之後就離不開它)。 不過Facebook也有缺點,那就是主頁介面過於複雜不容易上手,尤其是對於年紀稍長的35歲以上的網路使用者,很容易因為不知該如何使用Facebook或是來自太多方面的訊息flooding而放棄Facebook。但是相對地對於出生於網際網路世代的年輕人來說,Facebook是一個很方便的工具,隨時可以接收到各方的訊息,因為他們自小就已習慣數位訊息接收,所以相對地很容易接受新科技玩意,這也是Facebook上的年紀層遠...

Wireless AP SSID Cloaking

Remember in Star Trek when the Enterprise was "cloaked" but somehow the Klingons found the ship anyway? Well there is a way to "cloak" your wireless network. Your SOHO wireless device should have a setting called "Closed Network" or "Broadcast SSID". By either enabling a closed network or disabling the broadcast SSID feature you can hide or cloak your network. The SSID (network name) is transmitted in the air by your device in a broadcast called a "Beacon". Also, many wireless cards client utilities transmit empty "Probe Requests" looking for your device. There is a very popular and freely available software program called Network Stumbler that is used by individuals to discover wireless networks. Network Stumbler also sends out blank Probe Requests looking for wireless access points. When you implement a closed network, the SSID is no longer in the BEACON and your wireless gateway will not respond to blank Probe Requests. Ef...

IEEE 802.11b 封包的種類

1. Beacon 封包 一般的無線 AP, 都會不斷的傳輸 Beacon 封包, Beacon 封包內會包含 SSID 訊息, 支援的傳輸速率, 此無線 AP 的 MAC 位址. 一般的 Beacon 封包速率是在 6~10 Beacon packets/sec. 為了安全性, 現在無線 AP 也提供了不包含 SSID 值的 Beacon 功能, 這種 SSID cloaking 的立意在於: 用戶端除非事先知道所使用 SSID, 否則無法使用這個無線 AP. 但是聰明的讀者一定想到了, 等到有用戶 要連接時, 就算有 WEP, 還是可以聽到所使用的 SSID :) (ref: dedicated sniffing) *另外也可以利用強波干擾 802.11b 的 2.4GHz 頻率(請參考 FCC 規範),當干擾強到無線 AP 或無線網卡需要重新 re-join, 此時就 可以主動聽到 SSID;這種方法造成的斷線情形,對用戶而言也可當 作是可能被探測的警訊 :) 2. Probe response 封包 當用戶端想要連上網路時,他會依據收到的 Beacon 封包,送出 probe response 封包,其中會包含: 所要加入網域的 SSID、所使用的傳輸 速率。 3. Data 封包 通常是封裝在 802.11b frames 中的 TCP/IP 封包 4. Ad hoc 封包 和 Data 封包相同, 但屬於網卡對網卡傳輸不需繞經無線 AP. BSSID: mac address of the BSS SSID: 辨示該 BSS 的 32 bytes 字串 DATA RATE: 包括 1Mbps 2Mbps 5.5Mbps 11Mbps HR/DSSS: High Rate Direct Sequence Spread Spectrum

威邁思延攬周勝鄰 明年第二季開台

Image
威邁思延攬周勝鄰 明年第二季開台 【經濟日報╱記者費家琪/台北報導】 2008.12.30 02:21 am   WiMAX北區業者威邁思,延攬前工研院資通所副所長周勝鄰為技術長,瞄準明年第一季要完成200個基地台的建設,以期在明年第二季開台,目前測試中的USB有友訊、華碩、三星與中興,同時明基與技嘉的手持式裝置(MID)也列為下波測試的產品。 威邁思的技術長彭集友離職後,初期網路建置是重頭戲,因此公司延攬周勝鄰為技術長,周勝鄰擅長於寬頻網路與網路電話,之前曾在東元集團擔任顧問,頗獲肯定,此次則是投入WiMAX 的領域,為威邁思籌建網路,威邁思的股東有東元、東訊、威寶與英特爾。 威邁思已經決定設備採購商,將由韓國三星與以色列奧維通兩家業者,拿下基地台等設備採購商機,三星已經完成簽約,奧維通還在洽談細節,三星之前已經為威寶建設基地台,已有合作基礎,奧維通則是之前曾下單東訊,更加深合作關係。這兩家業者都有和東訊簽訂WiMAX無線基地台製造合作意向書。三星也是Sprint-Nextel、日本UQ等業者的設備商。 威邁思初期將建設台北市200座基地台,由於北市既有3.5G網路覆蓋率完整,也促使威邁思必須強化網路建設,才能一別苗頭。 在終端設備上,目前測試中的USB有友訊、華碩、大陸的中興與三星,下一波也將導入MID產品,例如明基與技嘉。 目前取得WiMAX執照的業者紛紛延後開台時程,遠傳開台日期延後到明年底前,威邁思計畫在明年第二季,威達延到明年6月開台,全球一動在明年第三季開台,業者評估,WiMAX終端設備至今互通性仍有問題,價錢又太貴,再加上政府對於通訊監察的規範遲未出爐,讓WiMAX開台時程受到阻礙。

為什麼Traceroute時沒有發生packet lost但是總會出現 * 呢?

Image
說實話,關於這個問題我自己也常常覺得很納悶,剛好最近PacketLife.net(我真的愈來愈喜歡這個網站了,只要上過我課程的學生應該不陌生,給各位同學的cheatsheet都是從PacketLife上抓下來的)把這個issue提出來並且作了一份packet analyze報告,請參考! Traceroute timeouts Posted by stretch in Networking on Monday, 29 Dec 2008 at 2:26 a.m. GMT If you spend a lot of time performing traceroutes to Cisco routers you've probably noticed that they usually end like this: R1# traceroute 10.0.34.4 Type escape sequence to abort. Tracing the route to 10.0.34.4 1 10.0.12.2 16 msec 8 msec 12 msec 2 10.0.23.3 16 msec 16 msec 16 msec 3 10.0.34.4 16 msec * 20 msec Notice that the second reply from the last hop has timed out. This is easily repeated with subsequent traceroutes, and it is always the second attempt which times out. Strange, eh? The reason for this is IOS' default ICMP rate limiting. Back in May I wrote an article explaining the common "U.U.U" response that results from pinging an unreachable destination, and the same logic is at work here. Inspecting the d...

安全傳輸協定(Security Transport Protocols, SRTP)

安全傳輸協定(Security Transport Protocols)除了可應用在金融交易資料外,亦可應用於網路瀏覽所涉及之相關機密資料。在數位多媒體內容保護技術中,目前有數種安全協定可供使用在資料流(Data Traffic)的保護上,如作用在網路層(Network Level)的IP保護安全協議標準(Internet Protocol Security, IPSec);作用在傳送層(Transport Level)的安全傳輸層(Transport Layer Security)安全協定(Security Protocols)。但上述安全協定不一定適用各種型態的資料流。為了滿足異質環境(Heterogeneous Environment)及即時應用(Real-time Applications)上之需求,應用層(Application Level)上的安全協定運作更是當務之急。 數位多媒體在傳送的需求大致如上所述,但能應用一般資料安全傳送協定的媒體種類有限,如靜態圖檔或一般媒體檔案利用HTTP方式下載。但是對於如使用RTSP傳送協定的即時串流媒體而言,這些現有的資料安全傳送協定不見得適用。因為即時串流媒體對頻寬(Bandwidth)限制、傳送錯誤敏感性(Transmission-error Sensitivity)、延遲(Delay)與行動終端的運算複雜度等問題,皆異常敏感且容忍性低。也是即時串流媒體在是目前異質環境與即時應用上面對的四個主要問題。 目前關於上述問題的相關IP解決方案,均非針對異質性環境的需求所設計,尤其較少關注到頻寬的消耗與訊號傳遞的來回次數問題。這問題在無線3G網路上會更突顯,因為無線網路的資源有限且頻寬稀有,若使用目前標準IP上的安全協定,可能增加系統營運成本外,還可能無法達到預期的效果。換句話說,以標準IP傳送方式來傳送語音資料(Audio data),在一個典型的即時傳輸協定(Realtime Transport Protocol, RTP)語音費用負載約為33位元組的情況下,在頻寬使用上是缺乏效率的。 SRTP高彈性擴充解決適用性問題 SRTP的設計架構保留彈性的擴充功能以延長協定可使用的壽命,因此SRTP一開始設計時並非定位為單一產品,其乃以基礎建設骨架(Framework)的方式進行設計。所以在SRTP架構中可以獨立分開實作編碼部...

商業周刊:傳統即時通訊軟件的沒落

《商業周刊》網站日前發表分析文章稱,傳統即時通訊(以下簡稱『IM』)正在走向沒落。曾經在電腦桌面上風光無限的IM視窗正在讓位於一種使用更方便的即時聊天工具,互聯網公司希望借這種工具提高網站的粘性。   微軟11月13日宣布將更緊密地集成IM、Windows Live電子郵件和社交網站,就是這一趨勢的一個例証。在使用Hotmail時,用戶無需打開一個新視窗,下載客戶端軟件,就可以與其他用戶即時聊天了。   微軟是根據消費者需求的變化採取這一舉措的:用戶對獨立IM工具的興趣在日益減退,希望喜歡的站點集成有聊天功能。與電子郵件、遊戲和其他類型軟件一樣,IM也在向Web靠攏,用戶可以在任何電腦上使用網頁IM,而又不會占用硬盤空間。   嵌入式IM   據美國市場研究公司comScore稱,截至2008年9月份的一年中,AOL旗下AIM軟件獨立訪問用戶數量下滑了4%。同期內AOL旗下另外一款IM軟件ICQ和騰訊QQ的用戶使用時間也出現了滑坡。   互聯網用戶對傳統IM聊天視窗已經失去了興趣,紛紛『湧向』Facebook和Gmail等站點,這些站點的一個共同特徵是都集成有IM功能。對於互聯網公司而言,嵌入式IM增加了用戶訪問站點的時間,對廣告客戶也更有吸引力。   AOL People Networks高級副總裁大衛‧劉(David Liu)表示,大多數20歲以上網民最早使用的是AOL的IM軟件,但其他IM軟件削弱了AOL旗下IM軟件的競爭力,『AIM的用戶數量在下滑,因此我們需要增強AIM的社交特性。』AOL的舉措之一是將AIM與該公司旗下社交網站Bebo結合起來。AOL計劃2009年初在Bebo上發布一款IM面板,賣點就是AIM的3000萬用戶可以方便地訪問好友的Bebo網頁。   Facebook聊天工具條   Facebook也考慮到了IM。Facebook今年早些時候發布了一款工具條,用戶在瀏覽Facebook時可與其他用戶進行一對一的聊天。據Facebook產品經理彼得‧鄧(Peter Deng)表示,約7500萬人試用了這款工具條,相當於逾60%的Facebook活躍用戶。鄧說,『我們認為讓用戶進行一對一的聊天是非常必要的,這為朋友之間保持聯繫提供了一種渠道。』   一些小型社交網站也意識到了聊天的吸引力。電影粉絲社交網站Flixster CEO喬‧格林斯坦(Jo...

Check Point宣佈收購Nokia資訊安全設備業務

Image
2008.12.26 下午 12:55:12 Check Point宣佈收購Nokia資訊安全設備業務 林蔚文/編輯整理 Check Point軟體技術有限公司宣佈,與Nokia簽署協議收購其資訊安全設備(security appliance)部門。Check Point與Nokia已合作長達十年之久,並共同致力研發領導產業的企業安全解決方案。透過此次收購,Check Point將可增強其在資安硬體設備的支援和發展,擴大其在全球資安市場的版圖。 Check Point軟體技術有限公司首席執行長Gil Shwed表示,Nokia的資訊安全設備部門一直是Check Point重要的策略合作夥伴,更曾協助Check Point早一步成為安全設備的領導者。把Nokia深受市場肯定的資訊安全設備,整合到Check Point的強大安全解決方案中,是雙方長期合作下來必然的結果。 Check Point與Nokia長期提供客戶在關鍵環境中,擁有最高效能的資安解決方案。Nokia的資訊安全設備,為Check Point的防火牆、虛擬私人網路(VPN)和統一威脅管理系統(UTM),提供最有效的安全平台。目前財星雜誌500大企業中已有85%購買Nokia安全設備,超過220,000個Nokia安全設備,被全球逾23,000個客戶安裝使用。 而Check Point擁有多樣的安全閘道解決方案,如Check Point UTM-1 appliances和Check Point Power-1 appliances等,能夠帶給小型公司及大型企業完整的資料保護。目前,已有超過700,000個Check Point安全閘道授權給全球逾100,000個企業使用,Check Point客戶群包含100%的財星雜誌前100大企業,及98%的財星雜誌500大企業。 Check Point與Nokia的收購案,預計2009年第一季完成所有交易程序;詳細交易資料將不對外公開。 Check Point台灣區總經理簡淑真表示,Check Point期盼透過此次收購案,除拓展全球的資安市場外,Check Point也將繼續在台提供企業客戶與合作夥伴們優質的服務,及安全設備產品。

QoS Bandwidth/Priority Remaining Percent 保留頻寬計算

Image
很多人在學習QoS LLQ & CBWFQ的時候,遇到了頻寬保留分配問題都會有一些不太確定的感覺,因為Cisco在課程中並沒有非常詳細的說明不同的指令參數之間的搭配,會得到什麼樣的後果,所以我把這個問題在這邊提出來(這要感謝課堂上的同學問我這個問題,也順便釐清了這個不確定因素)。 假設我們現在在P1R1上有一路Serial頻寬為512k,現在我們要進行頻寬分配,分配的條件如下: Class TEST1使用LLQ(10%) Class TEST2使用CBWFQ剩下可用頻寬的(30%) Class TEST3使用CBWFQ剩下可用頻寬的(20%) 這個問題看似簡單,但是如果從來沒有認真去注意到的話就可以會有不同的解讀,到底TEST3可以使用多少的保留頻寬? 正確答案是: Class TEST1 LLQ使用頻寬上限=512k * 10%=51.2k Class TEST2 CBWFQ保留頻寬 = [(512k * 75%預設最大可分配的頻寬) - 51.2k] * 30% Class TEST3 CBWFQ保留頻寬 = [(512k * 75%預設最大可分配的頻寬) - 51.2k] * 20% 也就是說最後所有使用bandwidth percent remaining指令的總和不得超過100% 還有一點很重要的是,在這邊所謂的remaining並非指interface上現在實際流量的剩餘頻寬,Cisco QoS的指令在MQC中沒有這麼厲害可以隨時去監控現行使用流量來進行等比例的動態保留(maybe in the future) 為了證明真的是這個樣子,我進行了以下的實驗: P1R1(config)#policy-map TEST P1R1(config-pmap)#class TEST1 P1R1(config-pmap-c)#priority percent 10 P1R1(config-pmap-c)#class TEST2 P1R1(config-pmap-c)#bandwidth remaining percent 30 P1R1(config-pmap-c)#class TEST3 P1R1(config-pmap-c)#bandwidth remaining percent 80 Sum total of class bandwidths excee...

Management Plane Protection(MPP)

The Management Plane Protection (MPP) feature in Cisco IOS software provides the capability to restrict the interfaces on which network management packets are allowed to enter a device. The MPP feature allows a network operator to designate one or more router interfaces as management interfaces. Device management traffic is permitted to enter a device only through these management interfaces. After MPP is enabled, no interfaces except designated management interfaces will accept network management traffic destined to the device. Restricting management packets to designated interfaces provides greater control over management of a device, providing more security for that device. Other benefits include improved performance for data packets on nonmanagement interfaces, support for network scalability, need for fewer access control lists (ACLs) to restrict access to a device, and management packet floods on switching and routing interfaces are prevented from reaching the CPU. I...

The Steps of QoS Preclassification Configuration with IPSec and GRE

The  qos pre-classify  mechanism allows Cisco routers to make a copy of the inner IP header and to run a QoS classification before encryption based on fields in the inner IP header. Without this feature, the classification engine sees only a single encrypted and tunneled flow since all packets that traverse across the same tunnel have the same tunnel header and receive the same treatment in the event of congestion. If your classification policy matches with the ToS byte, you do not need to use the  qos pre-classify  command since the ToS value is copied to the outer header by default. You can create a simple QoS policy which sorts traffic into classes based on IP precedence. However, to differentiate traffic within a class and to separate it into multiple flow-based queues, the  qos pre-classify  command is required. Note:  ToS byte copying is done by the tunneling mechanism and not by the  qos pre-classify  command. The  qos pre-classify  command can be applied at various points in yo...

「給我快!其餘免談!」 20M光纖上網服務98年登場

記者林睿康/台北報導 為了在明年能擴大光世代使用戶數量達180萬戶,中華電信除了推出10M光纖服務促銷方案外,中華電信數據通信分公司協理劉伴和今(19)天表示,明年第一季或第二季,中華電信將推出20M的光纖上網服務,以滿足需要高速飆網快感的消費者。 劉伴和說明,目前中華電信提供的光纖服務分為3M、10M、50M和100M四種。50M和100M以企業用戶為主要訴求對象,月租費從1700元起跳,至於3M的光纖服務,因速度和售價都與ADSL服務太貼近,較難吸引用戶採用,因此目前光世代用戶中,有九成以上都是採用10M的光纖服務。 劉伴和表示,因有消費者反應,10M的速度還不夠快,所以為了能讓9成以上的10M用戶能體驗更飆網的快感,中華電信預計在明年第一季或第二季,向國家傳播委員會提出申請審核通過後,就會推出20M的光纖上網服務。 劉伴和說,只要從中華電信交換機房拉出光纖網路,或者由路邊交接箱拉進大樓裡,現有的10M用戶都能夠提出申請,輕鬆升級為20M。 至於20M/2M收費多少,劉伴和表示,目前資費還沒確定,不過依照目前光纖10M/2M每月990元及50M每月1700元來看,20M/2M收費將介於兩者之間。 光纖上網是中華電信在2006年6月宣佈力推的網路建設,價格攻勢讓中華電信的網路市場上告捷,根據資策會公布的資料,台灣的光纖用戶數從2007年20萬戶快速增加到55萬戶,2008年更逼近100萬戶,也讓中華電信期望在2009年突破180萬戶。而根據光纖協會所發表針對全球各國光纖滲透率調查結果,台灣因光纖普及率逐年增加,已從去年第5名進步到第4名。

【好書推薦】軟技巧,還是硬道理? — 你會感謝有人告訴你的職場生存術

Image
工作了十幾年,看到許多同事來來去去,不同的職場人際關係導致截然不同的工作際遇,所以其實在共同工作的環境下,擁有基本的實力是應該的,但是了解人與人之間的交際溝通卻遠比實力更加地的重要,除非你離開這個大社會獨自一人生活,否則這本書是每個人在現在社會上打拼時都應該要先學習的"通識教育"! 曾經有人告訴我:"他"因為怕被別人罵"笨"而不敢問一些笨問題;也曾經有人告訴過我,"他"一切行事要求低調,不論事情好壞…,其實在這本書中都有很明白的述論,這些問題背後可能會引發其他人對這類行為處事的看法,甚至會影響到個人工作發展,所以一言一行都應該適時適度,而非一眛盲從所謂的"謙虛美德"、"沈默是金"這類我們自小耳濡目染的良好品德。因為時代在變社會在變人心也在變,美國總統都變黑人了,台灣總統都被羈押了,還有什麼事情不可能發生,唯有要求自己隨著時代變化而變化,才有辦法繼續生存下去! 【內容簡介】 最頂尖光鮮的律師、醫師、工程師、教授、新聞記者,以及成功主管都說,職場上應該要學會但也最難學的就是──軟技巧。 為什麼沒有人早點告訴我? ◆在職場上有熱情、天分和領悟力,成功的大門就會為你而開? 錯!沒認清自己,你不可能會心甘情願花八~十個小時做一份工作。 ◆待在同一家公司的年資很久是你的優勢? 錯!現在企業徵人只要看到有人在同一個地方待十年,心裡就會開始狂拉警報。 ◆怕主管和同事嫌我笨,所以不要問比較好? 錯!問蠢問題讓人嫌笨還算事小,沒搞清楚自己在說什麼或做什麼就悶著頭做,才真的是蠢到了極點。 ◆在職場上,我只想當好人? 錯!你不用當每一個人最好的朋友,那是上帝派給狗的任務。 ◆達到一點業績就到處宣傳,誰在乎啊? 錯!老闆很在乎。學會老王賣瓜的藝術才能將你的成就深深印在老闆心中。 ◆我的技能與專才受到大家的肯定,我當主管應該沒有問題? 錯!就算你有當管理者的天賦,管理的技巧還是需要「一分天才加上九十九分的努力」。 談到軟技巧,多半人想到的是熱情而立場模糊的人。沒錯,做人技巧的確不可或缺,但那只是開場白而已。所謂硬邦邦的基本功,是指工作時所需要擁有的技術及認知能力,然而軟技巧則可以讓人更有效率地運用技術及知識。這些技巧包含了個人的、社交的、人際間的,以及自我管理的行為,而這些行...

Received Signal Strength Indication(RSSI)

In telecommunications, Received Signal Strength Indication (RSSI) is a measurement of the power present in a received radio signal. RSSI is generic radio receiver technology metric, which is usually invisible to the user of device containing the receiver, but is directly known to users of wireless networking of IEEE 802.11 protocol family. RSSI is often done in the intermediate frequency (IF) stage before the IF amplifier. In zero-IF systems, it is done in the baseband signal chain, before the baseband amplifier. RSSI output is often a DC analog level. It can also be sampled by an internal ADC and the resulting codes available directly or via peripheral or internal processor bus. RSSI in 802.11 implementations In an IEEE 802.11 system RSSI is the received signal strength in a wireless environment, in arbitrary units. RSSI can be used internally in a wireless networking card to determine when the amount of radio energy in the channel is below a certain threshold at which point the netwo...

Simple Object Access Protocol(SOAP)

SOAP的全名為Simple Object Access Protocol(簡易物件通訊協定),是一種以XML為基礎的通訊協定,其作用是編譯網路服務所需的要求或回應後,再將編譯後的訊息送出到網路,簡單來說就是應用程式和用戶之間傳輸資料的一種機制。 SOAP的全名為Simple Object Access Protocol(簡易物件通訊協定),是一種以XML為基礎的通訊協定,其作用是編譯網路服務所需的要求或回應後,再將編譯後的訊息送出到網路,簡單來說就是應用程式和用戶之間傳輸資料的一種機制。 SOAP是一個獨立的訊息,可以獨自運作在不同的作業系統與網路上面,例如在微軟的Windows或Linux的建構下運作,並可以使用各種不同的通訊方式來作傳輸,例如SMTP、MIME,或是HTTP等。 近來W3C對於建立網路服務的協定不遺於力,尤其W3C對於SOAP的1.2版更新工作更是已經接近完工的階段。在SOAP1.2版中,包含了一個用於簡化網路的工具包,這個工具包擁有許多1.1版未有的工具,例如可讓開發者建立管理SOAP訊息規則的「處理模型」,以及包含簡易管理大量的XML文檔功能。 不過因為SOAP還未到達完成的階段,所以W3C現今只定位SOAP1.2版為「建議性的網路服務開發工具」。 SOAP的架構為:Envelope、Header、Body,和Fault四個部份;其組織架構是與XML的語法相結合應用,換句話說SOAP是由XML語法所寫而成。 SOAP不但可以在不同的網路上運作,更可以在不同的網路間作傳輸,如圖3所示,SOAP可以透過HTTP發送訊息,再透過TCP、MSMQ,最後由SMTP收到訊息,途中可以透過四個不同的傳輸點傳達訊息。由此我們可以見到SOAP的透通性與實用性,遠比一般的通訊協定更為有彈性。

Cipher Block Chaining Message Authentication Code Protocol (CCMP)

Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) is an encryption protocol that forms part of the 802.11i standard for wireless local area networks (WLANs), particularly those using WiMax technology. The CCMP algorithm is based on the U.S. federal government's Advanced Encryption Standard (AES). CCMP offers enhanced security compared with similar technologies such as Temporal Key Integrity Protocol (TKIP). CCMP employs 128-bit keys and a 48-bit initialization vector that minimizes vulnerability to replay attacks. The Counter Mode component provides data privacy. The Cipher Block Chaining Message Authentication Code component provides data integrity and authentication. The enhanced privacy and security of CCMP compared with TKIP requires additional processing power, often necessitating new or upgraded hardware. 802.11i is a standard for WLANs that provides encryption for networks that use the 802.11a, 802.11b and 802.11g standards. The AES is an en...

Proactive Key Caching(PKC)

PKC is an IEEE 802.11i extension that allows for the proactive caching (before the client roaming event) of the WPA/WPA2 PMK that is derived during a client IEEE 802.1 x/EAP authentication at the AP. If a PMK (for a given WLAN client) is already present at an AP when presented by the associating client, full IEEE 802.1X/EAP authentication is not required. Instead, the WLAN client can simply use the WPA 4-way handshake process to securely derive a new session encryption key for communication with that AP. Note PKC is an IEEE 802.11i extension and so is supported in WPA2—not WPA.

Basic Service Set(BSS)

Image
The Basic Service Set is a term used to describe the collection of Stations which may communicate together within an 802.11 WLAN (Wireless Local Area Network). The BSS may or may not include AP (Access Point) which provide a connection onto a fixed distribution system such as an Ethernet network. Two types of BSS exist; IBSS (Independent Basic Service Set) and Infrastructure Basic Service Set.

EAP-TTLS(Extensible Authentication Protocol-Tunneled Transport Layer Security)

EAP-Tunneled Transport Layer Security, or EAP-TTLS is an EAP protocol that extends TLS. It was co-developed by Funk Software and Certicom. It is widely supported across platforms, although there is no native OS support for this EAP protocol in Microsoft Windows, it requires the installation of small extra programs such as SecureW2. EAP-TTLS offers very good security. The client does not need be authenticated via a CA-signed PKI certificate to the server, but only the server to the client. This greatly simplifies the setup procedure as a certificate does not need to be installed on every client. After the server is securely authenticated to the client via its CA certificate, the server can then use the established secure connection ("tunnel") to authenticate the client. It can use an existing and widely deployed authentication protocol and infrastructure, incorporating legacy password mechanisms and authentication databases, while the secure tunnel provides protection from eav...

EAP-MD5(Extensible Authentication Protocol-Message Digest 5)

EAP-MD5, defined in RFC 3748, is the only IETF Standards Track based EAP method. It offers minimal security; the MD5 hash function is vulnerable to dictionary attacks, and does not support key generation, which makes it unsuitable for use with dynamic WEP, or WPA/WPA2 enterprise. EAP-MD5 differs from other EAP methods in that it only provides authentication of the EAP peer to the EAP server but not mutual authentication. By not providing EAP server authentication, this EAP method is vulnerable to man-in-the-middle attacks.

EAP-SIM(Extensible Authentication Protocol-Subscriber Identity Module)

Extensible Authentication Protocol Method for GSM Subscriber Identity, or EAP-SIM, is an Extensible Authentication Protocol (EAP) mechanism for authentication and session key distribution using the Global System for Mobile Communications (GSM) Subscriber Identity Module (SIM). EAP-SIM is described in RFC 4186.

Public Key Infrastructure(PKI)

In cryptography, a public key infrastructure (PKI) is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique for each CA. The binding is established through the registration and issuance process, which, depending on the level of assurance the binding has, may be carried out by software at a CA, or under human supervision. The PKI role that assures this binding is called the Registration Authority (RA) . For each user, the user identity, the public key, their binding, validity conditions and other attributes are made unforgeable in public key certificates issued by the CA. The term trusted third party (TTP) may also be used for certificate authority (CA). The term PKI is sometimes erroneously used to denote public key algorithms, which do not require the use of a CA.

Protected Access Credentials(PAC)

Protected Access Credentials (PACs) are credentials that are distributed to clients for optimized network authentication. PACs can be used to establish an authentication tunnel between the client and the authentication server (the first phase of authentication as described in the "Two-Phase Tunneled Authentication" section). A PAC consists of, at most, three components: a shared secret, an opaque element, and other information. The shared secret component contains the pre-shared key between the client and authentication server. Called the PAC-Key, this pre-shared key establishes the tunnel in the first phase of authentication. The opaque component is provided to the client and is presented to the authentication server when the client wants to obtain access to network resources. Called the PAC-Opaque, this component is a variable length field that is sent to the authentication server during tunnel establishment. The EAP server interprets the PAC-Opaque to obtain the required i...

Cisco Centralized Key Management(CCKM)

CCKM is a term used in wireless networks. It stands for Cisco Centralized Key Management, which is a form of Fast Roaming. When a wireless LAN is configured for fast reconnection, a LEAP enabled client device can roam from one access point to another without involving the main server. Using Cisco (TM) Centralized Key Management (CCKM), an access point configured to provide Wireless Domain Services (WDS) takes the place of the RADIUS server and authenticates the client without perceptible delay in voice or other time-sensitive applications. Actually, the WDS (which can be run as a service on a Cisco Access Point or on various router modules) caches the user credentials after the initial log-on. The user must authenticate with the Radius server the first time - then he can roam between access points using cached credentials. This saves time in the roaming process, especially valuable for IP Telephones. The current implementation of CCKM requires Cisco compatible hardware and either LEAP,...

Network Access Identifier(NAI) - RFC2486

RFC2486 - The Network Access Identifier Network Working Group B. Aboba Request for Comments: 2486 Microsoft Category: Standards Track M. Beadles WorldCom Advanced Networks January 1999 The Network Access Identifier Status of this Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (1999). All Rights Reserved. 1. Abstract In order to enhance the interoperability of roaming and tunneling s...

070網路電話的牛肉在哪?!

Image
蔡宜秀 2008/12/09 06:00:00 歷經多年延宕,強調可與公眾電信網路(PSTN)互通的070網路電話(VoIP)終於上個月(11月) 由遠傳電信率先開通。 別於Skype及IPOX 070等網路電話,由國家傳播委員會(NCC)審議通過的070網路電話除有11個號碼(指070-BCDE-FGHI)外,由於070網路電話是走國際電信聯盟(ITU)的E.164通信編碼格式,因此可與同走E.164格式的公眾電信網路(PSTN)互通,如市話等。 070網路電話之於企業,究竟有何意義?可讓企業大幅降低通訊成本,抑或是其他?答案是,若070網路電話可與企業既有的網路電話(VoIP)互通,確實有助於企業降低通話費,畢竟,企業已部署的網路電話只能撥出(Out-bound)無法撥入(In-bound),而070網路電話則無此問題。 但若070網路電話業者欲以有助降低通訊成本一點吸引企業轉使用070網路電話,有其困難性,理由是,企業除得先整合070網路電話與企業內的VoIP PBX等外,還必需進一步向員工宣導與改變其使用習慣等,在這樣的狀況下,建議取得070網路電話執照的業者在祭出各項優惠通話費率之外,如070網路電話使用者可以極低費用撥接行動電話等,亦需要提供更多元的加值服務。 加值服務最為關鍵 為何加值服務對於070網路電話業者來說,極為重要?我想,這可從以下兩個層面來看: 第一,費率競爭將日趨激烈。為吸引企業客戶青睞,遠傳在推出070網路電話之後,即祭出可整合ADSL與MVPN行動服務、免費贈送遠傳070軟體電話,以及享網路閘道器(IP Gateway)免租金、免設定及安裝費等優惠的「遠傳070企業方案」,由這,不難預測,是方通訊等070網路電話業者為弭補晚入070網路電話市場一事,即可能提供更優惠的費資方案,如可與非E.164網路電話互通等。 第二,市場趨勢使然。從美國、日本、南韓、新加坡與香港等地的070網路電話(非每個國家都是以070為網路電話號碼的前綴碼,如下述的Yahoo!BB網路電話的前綴碼即為050)推動狀況來看,加值服務已成為E.164網路電話業者擴大業務範疇的關鍵作法,如日本的第一大網路電話業者Yahoo!BB為擴大事業版圖,繼推出隨選視訊(MOD)─BBTV後,還與微軟及日本電信(Japan Telecom)合作推出整合網路電話、電子郵件(E-m...

How to calculate fragment size or fragment delay (FRF.12 or MLPPP)?

Serialization Delay = frame size (bits) / link bandwidth (bits per second [bps]) 在QoS中我們可以利用LLQ(Low Latency Queueing)來提供VoIP封包低延遲(delay)及減少抖動(jitter)發生的情況。雖然VoIP封包總是傳送到software queue的前端,serialization delay(Layer 2 Frame encoded into Layer 1 Bits)的問題仍無可避免。一個大型封包可能正在hardware queue中使用FIFO。當VoIP封包被傳送至software queue的前端,在hardware transmit queue中的大型封包進行serialization時會導致VoIP封包必須等待一段較長的時間之後才能被傳送出去。 這時我們就可以使用fragment將大型封包切割成許多的小型封包,同時搭配interleaving的方式,將VoIP封包穿插在這些被切割之後的小型封包之間,藉此減少抖動(jitter)情況的發生。 當你在某鏈結上要設置適合的fragment size(切割尺寸)時,比較常見的目標是使得最大serialization delay維持在10~15ms之間。 假設實體連接埠線路速度為512Kpbs,所需要的serialization delay不應該超過10ms(記住,fragment size是根據實體連接埠線路速度而計算出來的!),fragment size(切割尺寸)必須設定為: 512000(bps)/8*0.01(sec)=640 bytes 我們可以使用下列指令來進行設置: Router(config-if)# ppp multilink fragment 640 or Router(config-map-class)# frame-relay fragment 640 如果在Cisco IOS CLI上如果今天要使用的是fragment delay數值(milliseconds),那就必須再乘上所使用的interface頻寬(假設MLPPP virtual-template上的頻寬為384Kbps)。 因此,我們使用virtual-template interface上的頻寬(384Kp...

IP RTP Priority

在還沒有發明LLQ(Low Latency Queue)之前,我們要在interface上調整Voice RTP的保留頻寬,只能使用 Router(config-if)# ip rtp priority starting-rtp-port-number port-number-range bandwidth 設定完成之後,我們可以使用以下的指令來檢查我們的配置: Router# show queue interface-type interface-number 以下是Cisco官網上的說明: Feature Overview The IP RTP Priority feature provides a strict priority queueing scheme for delay-sensitive data such as voice. Voice traffic can be identified by its Real-Time Transport Protocol (RTP) port numbers and classified into a priority queue configured by the ip rtp priority command. The result is that voice is serviced as strict priority in preference to other nonvoice traffic. The IP RTP Priority feature extends and improves on the functionality offered by the ip rtp reserve command by allowing you to specify a range of User Datagram Protocol (UDP)/RTP ports whose traffic is guaranteed strict priority service over any other queues or classes using the same output interface. Strict priority means that if packets exist in the p...