Thursday, July 31, 2014

Certificate Management Protocol (CMP)v2

[wiki] Certificate Management Protocol (CMP)
http://en.wikipedia.org/wiki/Certificate_Management_Protocol

The Certificate Management Protocol (CMP) is an Internet protocol used for obtaining X.509 digital certificates in a public key infrastructure (PKI). It is described in RFC 4210 and is one of two protocols so far to use the Certificate Request Message Format (CRMF), described in RFC 4211, with the other protocol being Certificate Management over CMS (CMC), described in RFC 5273.
http://tools.ietf.org/html/rfc4210
http://tools.ietf.org/html/rfc6712


3GPP
http://www.3gpp.org/
3GPP Specifications Groups Home
http://www.3gpp.org/specifications-groups/specifications-groups
3GPP Specifications Groups - TSG SA - SA3 - Security Home
http://www.3gpp.org/specifications-groups/sa-plenary/sa3-security/home

TS 133 310 - V12.2.0 - Universal Mobile Telecommunications System (UMTS); LTE; Network Domain Security (NDS); Authentication Framework (AF) (3GPP TS 33.310 version 12.2.0 Release 12) - ts_133310v120200p.pdf
http://www.etsi.org/deliver/etsi_ts/133300_133399/133310/12.02.00_60/ts_133310v120200p.pdf

CMP patch for OpenSSL | SourceForge.net
http://sourceforge.net/projects/cmpforopenssl/

EJBCA - Open Source PKI Certificate Authority - Home
http://www.ejbca.org/


(2008.02.26)Re: CMPV2 - ReadList.com
http://readlist.com/lists/openssl.org/openssl-users/1/8423.html

CMP patch for OpenSSL | Free Security & Utilities software downloads at SourceForge.net
http://sourceforge.net/projects/cmpforopenssl/
An implementation of the Certificate Management Protocol (CMP) version 2, defined in RFC 4210, as a patch for OpenSSL. Long term goal is to provide an RFC compliant implementation and proof of concept client - and then offer it to the OpenSSL project





Wednesday, July 30, 2014

Abstract Syntax Notation One (ASN.1)

[wiki]  Abstract Syntax Notation One (ASN.1)
http://en.wikipedia.org/wiki/Abstract_Syntax_Notation_One

compiler - what does it mean "compile asn.1"? - Stack Overflow
http://stackoverflow.com/questions/14858838/what-does-it-mean-compile-asn-1

An ASN.1 specification describes messages that you would like to exchange with other machines. It does this in a manner that is independent of programming language or computer architecture. This means that to use the ASN.1 specification, a tool is needed to "compile" that ASN.1 specification, checking for syntax errors and some kinds of semantic errors before generating code for your target machine architecture in your target programming language to encode and decode the messages from the ASN.1 specification. Note that ASN.1 compilers generate C structures, Java classes, or C++ classes in addition to generating code for encoding and decoding messages based on the generated structures.

There is an excellent place to see and play with this process without dealing with actual generated code. There is an online ASN.1 compiler and runtime engine at http://asn1-playground.oss.com where you can compile ASN.1 specifications and encode/decode messages without writing any code in a target programming language.
ASN.1 Playground: free online compiler, encoder/decoder
http://asn1-playground.oss.com/
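
To make the "compile" step concrete, here is an added example (not from the Stack Overflow answer or from any ASN.1 tool) of the kind of encode/decode code a compiler would generate, written by hand for a made-up type `Msg` in DER. `Msg`, `encode_msg` and `decode_msg` are hypothetical names; the decoder rejects the length forms DER forbids but does not check that the INTEGER contents are minimally encoded.

```python
# Added example: hand-written stand-in for compiler output for the made-up type
#   Msg ::= SEQUENCE { id INTEGER, name UTF8String }
# All names here are hypothetical; encoding rules are DER.

def _len(n):
    """DER length octets: short form below 128, else minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, value):
    return bytes([tag]) + _len(len(value)) + value

def encode_msg(msg_id, name):
    nbytes = (msg_id if msg_id >= 0 else ~msg_id).bit_length() // 8 + 1
    ival = msg_id.to_bytes(nbytes, "big", signed=True)  # minimal two's complement
    return _tlv(0x30, _tlv(0x02, ival) + _tlv(0x0C, name.encode("utf-8")))

def _read_tlv(buf, pos, want_tag):
    """Return (value, next_pos); raise ValueError on anything DER forbids."""
    if pos + 2 > len(buf) or buf[pos] != want_tag:
        raise ValueError("unexpected tag or truncated header")
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length encoding")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length runs past end of buffer")
    return buf[pos:pos + length], pos + length

def decode_msg(der):
    body, end = _read_tlv(der, 0, 0x30)       # SEQUENCE
    if end != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    ival, pos = _read_tlv(body, 0, 0x02)      # INTEGER
    sval, pos = _read_tlv(body, pos, 0x0C)    # UTF8String
    if pos != len(body) or not ival:
        raise ValueError("malformed Msg body")
    return int.from_bytes(ival, "big", signed=True), sval.decode("utf-8")
```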

ASN.1 Tools
http://www.itu.int/en/ITU-T/asn1/Pages/Tools.aspx

asn1c: Lev Walkin → ASN.1 Exposed
http://lionet.info/asn1c/blog/

OSS Nokalva, Inc. — ASN.1 - Download Free Trial
http://www.oss.com/asn1/products/asn1-download.html






Sunday, July 27, 2014

timezone

Sources for Time Zone and Daylight Saving Time Data
http://www.twinsun.com/tz/tz-link.htm

Olson database of timezones in posix.1 format
http://fixunix.com/ntp/68031-olson-database-timezones-posix-1-format.html

Zoneinfo contains historic and future timezone information and is not
limited to two offset values each year, or to algorithmic rules for
deciding when to change, which is why you can only substitute Posix format
code over limited time periods where those assumptions are valid.

If you want to enumerate all the possible timezone codes used by the
Olson package, you should look at the source code for the rules.
Even if you don't have the source of the tables (which is free to download),
you can use zdump to enumerate all the changes for a particular file.
POSIX and Olson time zone formats
http://www.ibm.com/developerworks/aix/library/au-aix-posix/index.html?ca=dat
AIX Health Check - Olson time zone support
http://www.aixhealthcheck.com/blog?id=291
One of the biggest advantages is that Olson database maintains a historical record of what the time zone rules were at given points in time, so that if the rules change in a particular location, dates and times can be interpreted correctly both in the present and past. A good example of this is the US state of Indiana, which just began using daylight saving time in the year 2006. Under the POSIX implementation, Indiana would have to set its time zone value to EST5EDT, which would format current dates correctly using daylight saving time, but would also format times from previous years as though they were on daylight saving time, which is incorrect. Use of the ICU API set for time zones also allows for localized display names for time zones. For example, Central Daylight Saving Time would have an abbreviation of CDT for all locales under a POSIX implementation, but under ICU/Olson, it displays properly as HAC (Heure Avancée du Centre) in a French locale.
tz database - Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/Tz_database

time - organization of zoneinfo folder - Ask Ubuntu
http://askubuntu.com/questions/34925/organization-of-zoneinfo-folder
If you install the tzdata source package, you will find all your answers:
sudo apt-get install apt-src
mkdir tzdata && cd tzdata
apt-src install tzdata
Specifically:
posix and right:
Two different versions are provided: - The "posix" version is based on the Coordinated Universal Time (UTC). - The "right" version is based on the International Atomic Time (TAI), and it includes the leap seconds.
Etc:
These entries are mostly present for historical reasons, so that people in areas not otherwise covered by the tz files could "zic -l" to a time zone that was right for their area. These days, the tz files cover almost all the inhabited world, and the only practical need now for the entries that are not on UTC are for ships at sea that cannot use POSIX TZ settings.
EST5EDT, ...:
GB, GB-Eire, GMT, GMT+0, GMT-0, GMT0, NZ, NZ-CHAT, PRC, ROC, ROK, UCT, UTC are there because the time zone names changed:
This file provides links between current names for time zones and their old names. Many names changed in late 1993.
CET, CST6CDT, EET, EST, EST5EDT, HST, MET, MST, MST7MDT, PST8PDT, WET are there for backwards compatibility.
From Arthur David Olson, 2005-12-19 We generate the files specified below to guard against old files with obsolete information being left in the time zone binary directory. We limit the list to names that have appeared in previous versions of this time zone package. We do these as separate Zones rather than as Links to avoid problems if a particular place changes whether it observes DST. We put these specifications here in the northamerica file both to increase the chances that they'll actually get compiled and to avoid the need to duplicate the US rules in another file.
dpkg - How do I change my timezone to UTC/GMT? - Ask Ubuntu
http://askubuntu.com/questions/138423/how-do-i-change-my-timezone-to-utc-gmt
$ date
Wed Jul 16 22:52:47 EDT 2014

$ cat /etc/timezone
America/New_York

$ sudo dpkg-reconfigure tzdata
$ service cron stop && service cron start
How to change timezone on Linux server? | Linux cPanel WebHosting Blog
http://www.theperfectarts.com/2009/11/how-to-change-timezone-on-linux-server/
root@admin[~]#date
Wed Nov 11 19:30:29 EST 2009
For example we are changing time zone from EST to GMT.
root@admin[~]#ln -sf /usr/share/zoneinfo/GMT /etc/localtime
UbuntuTime - Changing the Time Zone
https://help.ubuntu.com/community/UbuntuTime

linux - Does NTP daemon set the host timezone? - Server Fault
http://serverfault.com/questions/194402/does-ntp-daemon-set-the-host-timezone
NTP does not handle time zones. All time data handled by NTP is in UTC; your local time zone setting determines the offset from there.
How time zones are handled with NTP?
http://www.meinbergglobal.com/english/faq/faq_32.htm
NTP does not recognize time zones, instead it manages all time information based on UTC. In general the handling of time zones is a job of a computer's operating system. Under Windows, Linux and FreeBSD the system clock is based on UTC, the configured local time zone only is applied when a time information has to be displayed somewhere. Example: If you configure Windows to use your local time zone, the system clock continues with using UTC time. Only when the date/time is shown (e.g. in a clock application), it will be transformed from UTC into the locally configured timezone.

Wednesday, July 23, 2014

Tuesday, July 8, 2014

QCI and DSCP mapping

How QoS is managed in LTE system | beyond3g
http://beyond3g.wordpress.com/2010/12/21/how-qos-is-managed-in-lteeps-system/

  • On the radio interface
    1. Radio bearer control
    2. Scheduling
    3. Admission control
    4. Congestion control
    5. ICIC
  • On the transport (backhaul)
    1. DSCP
    2. Mapping DSCP with P-bit in VLAN
Quality of Service Overview - Technical Documentation - Support - Juniper Networks
http://www.juniper.net/techpubs/en_US/junos-mobility12.1/topics/concept/service-parameters-mobility-overview.html

Quality of Service (QoS) and Policy Management in Mobile Data Networks
http://www.ixiacom.com/pdfs/library/white_papers/policy_management.pdf

3GPP TR 29.839: Home (e)Node B - security gateway interface (Release 11)
http://www.qtc.jp/3GPP/Specs/29839-b00.pdf
5.2 H(e)NB procedures
5.2.1 General
The H(e)NB shall support DSCP marking on the IPsec header when forwarding the UE uplink traffic.
Based on H(e)NB configuration either the QCI mapping or the Reflective QoS may be used.
5.2.2 QCI mapping
The QCI mapping table contains a one-to-one mapping from QCI value to DSCP marking value. The QCI mapping
table is configured in the H(e)NB by the operator.
QCI | 4G University
http://4g-university.com/tag/qci/
Do we have DSCP marking on the outer IP header (the one above GTP) and how do they look? What specification relate to this topic?

Answer:
Specifications that relate to the S1 interface (also touching the QoS aspects) are TS 36.410, TS 36.411, TS 36.412, TS 36.413 and TS 36.414.

The technical specification TS 36.414 section 5.4 Diffserv code point marking says:
“IP Differentiated Services code point marking [4] shall be supported. The mapping between traffic categories and Diffserv code points shall be configurable by O&M based on QoS Class Identifier (QCI) Characteristics and others E-UTRAN traffic parameters. Traffic categories are implementation-specific and may be determined from the application parameters”

which means, that there is DSCP marking, but it is defined by a specific implementation.

how QCI map to the DSCP ??? And DSCP mapping table will be made in router ?? | LinkedIn
http://www.linkedin.com/groups/how-QCI-map-DSCP-DSCP-1180727.S.246097683
The SGW, PGW, and eNB all contain QCI to DSCP markings. During bearer setup, the QCI values are communicated from the HSS/PCRF to the PGW, SGW, & eNB. The adjacent routers need only to enforce the DSCP markings set by the EPC elements.

(.......)

QCI-to-DSCP mapping cannot be fixed by 3GPP standard as it depends on transmission network design. Transmission equipment must prioritize the IP packets according to the service they are carrying, so the mapping must be configured according to TX network.

(.......)

QCI  DSCP  Example 3GPP service
-------------------------------------
1    EF    conversational voice
2    EF    conversational video
3    EF    real-time gaming
4    AF41  buffered streaming
5    AF31  IMS signaling
6    AF31  buffered streaming
7    AF21  interactive gaming
8    AF11  web access
9    BE    e-mail

(.......)

QCI DSCP
1 EF
2 EF
3 EF
4 AF41
5 AF31
6 AF32
7 AF21
8 AF11
9 BE

(.......)

DSCP is a field in the IP header; QCI is an end-to-end parameter mapped in each part of the network to different parameters or groups of parameters (in radio interface, transmission network..). DSCP value mapping to QCI is mapping for prioritizing bearers in the transmission network and can be (and will be) done on P-GW, S-GW and eNB: Mapping which you configure on eNB will take place in up-link: when eNodeB has to transmit an IP packet which carries a GTP packet corresponding to a bearer with QCI 7, eNB will add the DSCP value which (according to what you have configured on eNB) corresponds to QCI7 in the IP header of that IP package. It is important to emphasize that eNB itself, when it receives a down-link package, does not care about the received DSCP in the IP header (placed by S-GW); eNB does not compare the received DSCP with the DSCP configured on eNB for that QCI - moreover, those 2 DSCP values (for UL and DL) can be different, depending on the transmission network. What you configure on S-GW for S1 will take place on S1 down-link in the same way as described for eNB... And analogously for other cases...
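
The uplink marking described in the excerpts above, as an added example that is not part of any quoted post or specification: an operator-configured QCI-to-DSCP table (values taken from the first example table above), validated and turned into the IPv4 TOS byte a sender would place in the outer header. The function names are hypothetical, and the ECN handling for the tunnel case is an assumption based on RFC 6040 normal mode.

```python
# Added example: QCI -> DSCP marking for uplink packets. Names are hypothetical.
import socket

# Standard DSCP codepoint values (6-bit field).
DSCP = {"BE": 0, "AF11": 10, "AF21": 18, "AF31": 26, "AF32": 28, "AF41": 34, "EF": 46}

# First example table quoted above; a real table is set by the operator
# to match the transport network design.
QCI_TO_DSCP = {1: "EF", 2: "EF", 3: "EF", 4: "AF41", 5: "AF31",
               6: "AF31", 7: "AF21", 8: "AF11", 9: "BE"}

def validate_table(table):
    """Reject a table that misses a QCI in 1..9 or names an unknown DSCP class."""
    missing = sorted(set(range(1, 10)) - set(table))
    unknown = sorted({v for v in table.values() if v not in DSCP})
    if missing or unknown:
        raise ValueError(f"missing QCIs {missing}, unknown DSCP names {unknown}")

def tos_byte(qci, ecn=0, table=QCI_TO_DSCP):
    """DSCP occupies the upper 6 bits of the IPv4 TOS byte, ECN the lower 2."""
    if not 0 <= ecn <= 3:
        raise ValueError("ECN is a 2-bit field")
    return (DSCP[table[qci]] << 2) | ecn

def mark_uplink_socket(sock, qci):
    """Set the TOS byte for packets sent on this socket; return the value read back."""
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos_byte(qci))
    return sock.getsockopt(socket.IPPROTO_IP, socket.IP_TOS)

def outer_tos_for_tunnel(inner_tos, qci):
    """Outer (IPsec/GTP) header: DSCP from the QCI table; ECN bits copied from
    the inner header (assumption: RFC 6040 normal-mode encapsulation)."""
    return tos_byte(qci, ecn=inner_tos & 0x03)
```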


IPSec and DSCP

QoS and IPSec interactions | CCIE, the beginning!
http://cciethebeginning.wordpress.com/2011/02/02/qos-and-ipsec-interactions/

Enterprise QoS Solution Reference Network Design Guide - IPSec VPN QoS Design [Design Zone for IPv6] - Cisco
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/QoS-SRND-Book/IPSecQoS.html#pgfId-44642

Feature #166: DSCP config in StrongSwan
http://wiki.strongswan.org/issues/166

strongSwan does not provide DSCP specific functionality but the DSCP example in our test suite might give you an idea how to configure it using iptables and XFRM marks.
Test ikev2/net2net-psk-dscp
http://www.strongswan.org/uml/testresults/ikev2/net2net-psk-dscp/index.html

[strongSwan] DSCP support in new version of strongswan
https://lists.strongswan.org/pipermail/users/2010-October/000853.html