Cheatsheet

= ARP vs MAC Table =

= Fragmentation =


 * Before fragmentation:


 * After fragmentation:

= Headers =

Hardware type Protocol type Hardware address length Protocol address length Operation Source MAC Source IP Dest MAC Dest IP
 * ARP Header

Code Checksum Rest of Header
 * ICMP Header

= TCP =

MSS WSF SACK Permitted
 * Parameters determined during Handshake:


 * MTU vs MSS



- Sender starts with cwnd = 1 MSS, Size increases 1 MSS each time one Ack arrives, Increases the rate exponentially(1,2,4,8....) until a threshold is reached
 * Congestion Control
 * Slow Start - Exponential Increase


 * Congestion Avoidance - Additive Increase

- Increases the cwnd Additively, When a “window” is Ack cwnd is increased by 1, Window = No of segments transmitted during RTT - The increase is based on RTT, not on the number of arrived ACKs, Congestion window increases additively until congestion is detected


 * Congestion Detection - Multiplicative Decrease

- If congestion occurs, Window size must be decreased, Sender knows about congestion via RTO or 3 Dup Acks received, Size of Threshold is dropped to half

- If RTO occured, TCP Reacts Strongly - Reduces cwnd back to 1 Segment, starts the slow start phase again
 * Tahoe

- If 3 Duplicate ACKs are received, TCP has a Weaker Reaction - Starts the Congestion Avoidance phase - This is called fast transmission and fast recovery
 * Reno


 * Silly Window Syndrome: Sender creates data slowly or Receiver consumes slowly or both.

Syndrome due to Sender: - Nagle’s Algorithm: Send data initially, accumulate data in output buffer, Wait for Ack or till 1 MSS Data in Buffer

Syndrome due to Receiver: - Clark’s Solution: Announce window size 0 till 1) enough space for 1 MSS in Buffer or Half Receive buffer is empty - Delayed Acknowledgment: Segment not acknowledged immediately, Sender TCP does not slide its window, reduces traffic, sender may unnecessarily retransmit, Not delay more than 500 ms.

- If RTO has a larger value - If sender receives four acknowledgments with same value (three duplicates) - Segment expected by all of these Ack is resent immediately
 * Fast Retransmission


 * Persistence Timer

- Issue of Deadlock created by Lost Ack, used to reset Window size 0 advertized earlier, is resolved by this timer - Sending TCP sends a special segment(1 byte of new data) called Probe, causes the receiving TCP to resend Ack - If no reply, another probe is sent and value of persistence timer is doubled and reset - Sender continues sending probes, doubling, resetting value of persistence timer until it reaches a threshold(generally 60s) - After that the sender sends one probe segment every 60s until the window is reopened

= VPN Messages =

Cookie,Proposal List Cookie,Accepted Proposal DH Key,Nonce DH Key,Nonce ID,ID Hash ID,ID Hash
 * Phase 1 - Main Mode

ID,Proposal List,DH Key,Nonce ID,Accepted Proposal,DH Key,Nonce,ID Hash ID Hash Ph1 Hash,Message ID,Proposal List,Nonce, DH Key,Proxy-ID Ph1 Hash,Message ID,Accepted Proposal,Nonce,DH Key,Proxy-ID Ph1 Hash,Message ID,Nonce
 * Phase 1 - Aggressive Mode
 * Phase 2 - Quick Mode

=HTTP Error Codes=

= HTTP Request Methods= GET:      Retrieve Data HEAD:     Header only without Response Body POST:     Submits Data to DB, web forum, etc PUT:      Replaces target resource with the uploaded content DELETE:   Removes target resource given by URI CONNECT:  Used when the client wants to establish a transparent connection to a remote host, usually to facilitate SSL-encrypted communication (HTTPS) through an HTTP proxy OPTIONS:  Returns the HTTP methods that the server supports for the specified URL TRACE:    Performs a message loop back test to see what (if any) changes or additions have been made by intermediate servers PATCH:

= SSL Handshake =



= NetScaler =

Least Connection   = Service with fewest active connections Round Robin        = Rotates a list of services Least Response time(LRTM) = Fewest active connections & lowest average response time Least Bandwidth     = Service serving least amount of traffic measured in mbps Least Packets       = Service that received fewest packets Source IP Hash      = Destination IP Hash =
 * LB Methods:

SOURCE IP = COOKIE Insert = Connections having same HTTP Cookie inserted by Set-Cookie directive from server belong to same persistence session. SSL Session   = Connections having same SSL session ID RULE           = All connection matching a user defined rule URL Passive   = requests having same server ID(Hexadecimal of Server IP & Port) of service to which request is to be fwded Dest IP       = SRC IP DST IP = CALL ID       = Same Caller ID in SIP Header
 * Persistence Methods:


 * What is Stateful & Stateless Persistence? Which one is more scalable/Efficient?

Stateless Session Persistence: Cookie inserted by ADC is more efficient because no need to create a table, NS will insert cookie & forget, with reply, it will read cookie value, decrypt it & fwd request. State-full Session Persistence: Server will insert cookie, NS will hash it & fwd based on Hash value but will need to keep a table in memory with all hashes & IP Addresses. Same is true for Source IP based Persistence, Also inefficient behind NAT Using Set-cookie-header = by Server - insert Name & Value Fields Client sends cookie in Cookie Header Who ever generates cookie, will be able to read it

= OSPF = Down Attempt Init 2-Way ExStart Exchange Loading Full
 * States

Type 1 - Router LSAs Type 2 - Network LSAs Type 3 - Network Summary LSA Type 4 - ASBR summary LSA Type 5 - AS external LSA Type 7 - NSSA External LSA Type 1 - Hello Type 2 - Database Description (DBD) Type 3 - Link-State request (LSR) Type 4 - LSU Type 5 - LSAck Same area Same authentication config Same subnet Same hello/dead interval Matching stub flags
 * LSA Type
 * Packet Types
 * Neighbor Requirements:




 * OSPF path selection: O > O*IA > O*E1 > O*E2.
 * “area range” summarize type 3 LSA’.
 * “summary-address” summarize type 5 & 7 LSA’s.
 * Auto-cost reference BW (Default = 100mb), formula = 100000000/Int-Bw.

= BGP =


 * Route Selection Criteria

Idle Active        Attempting to connect Connect       TCP session established OpenSent      Open message sent OpenConfirm   Response received Established   Adjacency established
 * BGP States

Open Update Keepalive      Sent every 60 seconds Notification   Always indicate something is wrong
 * BGP Messages

=VPN Monitor vs DPD vs IKE Heartbeat =

=SRX Architecture= Screens Static NAT | Dest NAT Route ==> Forwarding Lookup Zones Policy Reverse Static NAT | Source NAT Service ALG Session
 * First Path:

Screens TCP NAT Service ALG
 * Fast Path:

= ScreenOS = Sanity Check Screening Session lookup Route Lookup Policy lookup Session creation ARP lookup
 * ScreenOS Flow order

Policy Based Routing Source Interface Based Routing Source Routing Destination Routing Mapped IP Virtual IP  Policy Based NAT (NAT-Src & NAT-Dst) Interface Based NAT
 * Route preference order
 * NAT Preference order

= SYN Flood Protection = Threshold = Proxy connections above this limit If Syn-cookie is enabled, no sessions established between client & firewall or firewall & server directly Alarm Threshold = Alarm/Alert (to log) Queue Size = The number of proxied connections held in queue After this the firewall starts rejecting new connection requests Timeout Value is maximum time before a half-completed connection is dropped from the queue The range is 0–50s; default is 20s

= Linux =

Commands
netstat -s
 * netstat


 * ps

ps -aux ps -ant ps -anp


 * top
 * free


 * du


 * df


 * curl


 * wget


 * smem

= Flows =


 * Complete Flow of PC opening a Website