dacs.doc electric


Kerberos

By April Miller Cripliver


IPSec (Internet Protocol Security) in Windows 2000 uses a protocol called Kerberos for authentication. In a communication system, authentication verifies that messages actually come from their stated source, like the signature on a paper letter. Kerberos was developed at the Massachusetts Institute of Technology (MIT) and was designed to enable two parties to exchange private information across an otherwise open network. It works by assigning a unique key, called a ticket, to each user who logs on. The ticket is then embedded in messages to identify the sender of the message.

Some sites attempt to use firewalls to solve their network security problems. Unfortunately, firewalls assume that “the bad guys” are on the outside, which is often a very bad assumption. Most of the damaging incidents of computer crime are performed by insiders.
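To show what "a ticket embedded in messages to identify the sender" means in practice, here is an added Python model of ticket-based authentication. It is not the Kerberos protocol itself and not Windows 2000 code: real Kerberos seals tickets with a symmetric cipher and carries the session key inside them, while this model seals the ticket with HMAC-SHA256 under the service's long-term key and derives the session key from that same key, so no encryption is needed. The principals (alice, fileserver), keys and timestamps are constructed for the example. The point for a defender is that the ticket alone proves the KDC issued it, the per-message authenticator proves the sender also holds the session key (so a captured ticket by itself does not let someone pose as the client), and expired tickets or stale authenticators are rejected.

```python
"""Simplified ticket-based authentication in the spirit of Kerberos.

Added teaching model, not the Kerberos protocol or Windows 2000 code:
the KDC seals a ticket with HMAC-SHA256 under the service's long-term
key and derives the session key from the same key, so the service can
recover it without any encryption. Principals, keys and timestamps are
constructed for the example."""
import hashlib
import hmac
import json
import secrets


def _mac(key, label, data):
    """HMAC-SHA256 with a label for domain separation."""
    return hmac.new(key, label + b"\x00" + data, hashlib.sha256).digest()


class KDC:
    """Key Distribution Center: holds every principal's long-term key."""

    def __init__(self):
        self.keys = {}

    def register(self, name):
        self.keys[name] = secrets.token_bytes(32)
        return self.keys[name]

    def issue_ticket(self, client, service, now, lifetime=300):
        """Return (ticket, session_key). The ticket names the client and is
        sealed under the service's key; the session key is handed to the
        client (real Kerberos would encrypt it under the client's key)."""
        body = json.dumps({"client": client, "service": service,
                           "issued": now, "expires": now + lifetime},
                          sort_keys=True).encode()
        ticket = {"body": body.hex(),
                  "tag": _mac(self.keys[service], b"ticket", body).hex()}
        session_key = _mac(self.keys[service], b"session", body)
        return ticket, session_key


def authenticate_message(ticket, session_key, timestamp, message):
    """Client side: embed the ticket and prove possession of the session key."""
    auth = _mac(session_key, b"auth", f"{timestamp}".encode() + b"|" + message)
    return {"ticket": ticket, "timestamp": timestamp,
            "message": message.decode(), "auth": auth.hex()}


def verify_message(service_name, service_key, envelope, now, skew=60):
    """Service side: return the authenticated sender name, or None."""
    body = bytes.fromhex(envelope["ticket"]["body"])
    expected_tag = _mac(service_key, b"ticket", body)
    if not hmac.compare_digest(expected_tag, bytes.fromhex(envelope["ticket"]["tag"])):
        return None  # ticket was not issued by the KDC for this service
    claims = json.loads(body)
    if claims["service"] != service_name or not claims["issued"] <= now < claims["expires"]:
        return None  # wrong service, or ticket expired
    if abs(envelope["timestamp"] - now) > skew:
        return None  # stale authenticator, outside the replay window
    session_key = _mac(service_key, b"session", body)
    expected_auth = _mac(session_key, b"auth",
                         f"{envelope['timestamp']}".encode() + b"|" + envelope["message"].encode())
    if not hmac.compare_digest(expected_auth, bytes.fromhex(envelope["auth"])):
        return None  # sender does not hold the session key
    return claims["client"]


def demo():
    """Constructed run: alice authenticates to fileserver; a message built
    without the session key, and a message after expiry, are both rejected."""
    kdc = KDC()
    kdc.register("alice")
    fs_key = kdc.register("fileserver")
    now = 1_000_000
    ticket, skey = kdc.issue_ticket("alice", "fileserver", now)
    good = authenticate_message(ticket, skey, now + 1, b"list /share")
    # Holding only the ticket (no session key) yields an invalid authenticator.
    forged = authenticate_message(ticket, b"wrong key", now + 2, b"list /share")
    return (verify_message("fileserver", fs_key, good, now + 1),
            verify_message("fileserver", fs_key, forged, now + 2),
            verify_message("fileserver", fs_key, good, now + 400))


if __name__ == "__main__":
    print(demo())  # ('alice', None, None)
```

The two labelled HMACs keep the ticket tag and the session key from ever being the same value, and `hmac.compare_digest` avoids leaking the tag through timing; both are the kind of detail a reviewer would check in any ticket-style scheme.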

Why do they call it Kerberos?

In Greek mythology, Kerberos was the three-headed dog that guarded the entrance to Hades. Some of you who know Greek mythology may remember that the dog who guarded the entrance was called Cerberus, not Kerberos. Cerberus is the Latin spelling of the Greek Kerberos. In Latin, the letter ‘c’ is always hard. The letter ‘u’ in Cerberus is also different: instead of being a long ‘u’ sound, it is something between ‘oos’ and ‘ous’. So Cerberus is pronounced ‘Ker-ber-ous’. I find it interesting that the industry has chosen Kerberos (who guards hell) to protect data instead of the Angel Gabriel (who guards heaven). Who is trying to get into hell, anyway? I suppose it's all a matter of perspective.

InterNIC (Internet Network Information Center)

In April of 1992, the NSF (National Science Foundation) developed and released a solicitation for one or more Network Information Service (NIS) Managers to provide and/or coordinate services for the NSFNet community.

Three organizations were selected to receive cooperative agreements in the areas of Information Services, Directory and Database Services, and Registration Services. Together these three awards constitute the InterNIC. General Atomics provides information services, AT&T (www.att.com) provides directory and database services, and Network Solutions, Inc. provides registration services.

IPv4 vs. IPv6

Today's IP addressing scheme uses Internet Protocol Version 4 (IPv4), which is a 32-bit binary address. There is a drive in the IT field to migrate to IP version 6 (IPv6). The most obvious reason is the depletion of IPv4 addresses. Today, a commercial organization cannot apply for a Class C license from the InterNIC. If a commercial organization needs an Internet IP address, they must either lease or buy IP addresses from an ISP (Internet Service Provider). The remaining Class C licenses are reserved for not-for-profit and government agencies. The InterNIC is trying to reclaim network IDs from organizations that are not using all of the hosts available to them. Despite these efforts, it won't be long before all of the available network IDs will be used and IPv6 will become imperative.

IPv4 addresses are broken into two levels of hierarchy: network and host. This is an inefficient use of IP addresses. It is not uncommon for a company to have a Class B license (65,000 hosts) and use only a few thousand of them. This is a waste of nearly 60,000 host IDs! On the other hand, IPv6 provides 128-bit addresses, which allows for 340,282,366,920,938,463,463,374,607,431,768,211,456 host IDs (340 decillions). This means there are enough host IDs in IPv6 for approximately 65,570,793,348,866,943,898,599 addresses for every square meter on the surface of the earth!

The designers of the IPv6 protocol chose to represent the 128-bit address as eight 16-bit integers separated by colons. Each integer is represented in hexadecimal form, skipping leading zeros. An example address would be 1075:3A:AEF3:0:0:0:210:A6EB. You can abbreviate this further, since consecutive null (zero) fields within an address can be marked with two colons, reducing the above example to 1075:3A:AEF3::210:A6EB. Only one double-colon can be used within an address, otherwise we would get ambiguous addresses (::CA74::, for example). For more information on IPv6, visit www.ipv6.org.
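To make the abbreviation rules concrete, here is an added Python example, not code from the original article, that expands an abbreviated IPv6 address back to its eight groups, produces the compressed form, and rejects ambiguous input such as ::CA74::. It goes slightly beyond the text by following the RFC 5952 convention of collapsing only the longest run of at least two zero groups (ties go to the first run) and by cross-checking against Python's standard `ipaddress` module, which implements the same rules.

```python
"""Expand and compress textual IPv6 addresses by the rules in the text:
eight 16-bit groups in hex, separated by colons, leading zeros dropped,
and at most one '::' standing in for a run of zero groups.

Added example, hand-written for this article; Python's ipaddress module
implements the same rules and is used here only as a cross-check."""
import ipaddress

GROUPS = 8
HEX_DIGITS = set("0123456789abcdefABCDEF")


def expand_ipv6(text):
    """Parse an address into a list of eight integers (0..65535).

    Raises ValueError on malformed input, including more than one '::',
    which would make the address ambiguous (the ::CA74:: case)."""
    if text.count("::") > 1:
        raise ValueError(f"ambiguous address, more than one '::': {text!r}")
    if "::" in text:
        head, tail = text.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = GROUPS - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError(f"'::' must stand for at least one group: {text!r}")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = text.split(":")
    if len(groups) != GROUPS:
        raise ValueError(f"expected {GROUPS} groups, got {len(groups)}: {text!r}")
    values = []
    for g in groups:
        if not 1 <= len(g) <= 4 or not set(g) <= HEX_DIGITS:
            raise ValueError(f"bad group {g!r} in {text!r}")
        values.append(int(g, 16))
    return values


def full_form(text):
    """Fully written form: eight zero-padded 4-digit hex groups."""
    return ":".join(f"{v:04X}" for v in expand_ipv6(text))


def compress_ipv6(text):
    """Short form: leading zeros dropped and the longest run of two or more
    zero groups replaced by '::' (first run wins on a tie, per RFC 5952)."""
    values = expand_ipv6(text)
    best_start, best_len = -1, 0
    i = 0
    while i < GROUPS:
        if values[i] == 0:
            j = i
            while j < GROUPS and values[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexs = [f"{v:X}" for v in values]
    if best_len >= 2:
        return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])
    return ":".join(hexs)


def is_valid(text):
    """True if the address parses under the rules above."""
    try:
        expand_ipv6(text)
        return True
    except ValueError:
        return False


def agrees_with_stdlib(text):
    """Cross-check our parser against ipaddress (which prints lowercase):
    both must accept with the same expansion, or both must reject."""
    try:
        ours = full_form(text)
    except ValueError:
        ours = None
    try:
        ref = ipaddress.IPv6Address(text).exploded.upper()
    except ValueError:
        ref = None
    return ours == ref


if __name__ == "__main__":
    print(full_form("1075:3A:AEF3::210:A6EB"))
    print(compress_ipv6("1075:3A:AEF3:0:0:0:210:A6EB"))
    print(is_valid("::CA74::"))
```

Parsing the abbreviated form before doing anything else with an address matters for filtering and logging: two differently written strings (`0:0:0:0:0:0:0:1` and `::1`) name the same host, so comparisons should be made on the expanded groups, not on the text.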


April Miller Cripliver is a network and training consultant in northwest Indiana. She has earned her MCSE, MCT, and several CompTIA certifications, and runs her own W2K domain at www.cripliver.com.
