Protocol stack diagrams
Layers all the way down
A collection of ASCII-art protocol stack diagrams.
They can be used as a base for doing quick diagrams. Feel free to copy/reuse/adapt them for your own purpose. These diagrams are released as CC0 (“No Rights Reserved”).
Concepts
Layers, PDUs and SDUs:
                        N+1 PDU
    [N+1 Layer]<----------------->[N+1 Layer]
         ↑                             ↑
         |  N+1 SDU                    |
         ↓                             ↓
         o          N PDU              o  N SAP
    [N Layer  ]<----------------->[N Layer  ]
         ↑                             ↑
         |  N SDU                      |
         ↓                             ↓
         o          N-1 PDU            o  N-1 SAP
    [N-1 Layer]<----------------->[N-1 Layer]
Switches, bridges/hubs, routers, proxy:
    [app.    ]<------------------------------------------------>[app.]<-->[app.]
    [TCP     ]<------------------------------------------------>[TCP ]<-->[TCP ]
    [IP      ]<------------------------------>[IP          ]<-->[IP  ]<-->[IP  ]
    [Eth. MAC]<---------------->[Eth. MAC]<-->[Eth. MAC|...]<-->[... ]<-->[... ]
    [Eth. PHY]<-->[Eth. PHY]<-->[Eth. PHY]<-->[Eth. PHY|...]<-->[... ]<-->[... ]
                   Hub           Switch/bridge Router            Proxy
OSI
    L7 [Application ]<-------------------------------->[Application ]
    L6 [Presentation]<-------------------------------->[Presentation]
    L5 [Session     ]<-------------------------------->[Session     ]
    L4 [Transport   ]<-------------------------------->[Transport   ]
    L3 [Network     ]<-->[Network  ]<-->[Network  ]<-->[Network     ]
    L2 [Data link   ]<-->[Data link]<-->[Data link]<-->[Data link   ]
    L1 [Physical    ]<-->[Physical ]<-->[Physical ]<-->[Physical    ]
IP
IPv4
    [(DHCP)|DNS|app|DNS|app]
    [ICMP|IGMP|UDP    |TCP ]
    [IPv4             |ARP ]
Protocol | SAP | Description |
---|---|---|
ICMP (Internet Control Message Protocol) | IP proto. 1 | Error reporting and diagnostics (destination unreachable, echo, etc.). |
ARP (Address Resolution Protocol) | EtherType 0x0806 | Maps IPv4 addresses to link-layer addresses; used on non-point-to-point networks. |
DHCP (Dynamic Host Configuration Protocol) | UDP 67 (server), UDP 68 (client) | Address and configuration assignment. |
IGMP (Internet Group Management Protocol) | IP proto. 2 | Multicast group membership. |
IP model:
    [app.]<-------------------------------------->[app.]  (end to end)
    [TCP ]<-------------------------------------->[TCP ]  (end to end)
    [IP  ]<--->[IP  ]<--->[IP  ]<--->[IP  ]<--->[IP  ]
    [... ]<--->[... ]<--->[... ]<--->[... ]<--->[... ]  (local network layers)
                Router     Router     Router
IPv6
    [(DHCPv6)|DNS|app|DNS|app]
    [ICMPv6+NDP+MLD|UDP |TCP ]
    [IPv6                    ]
Protocol | SAP | Description |
---|---|---|
ICMPv6 | IP next header 58 (0x3A) | Error reporting and diagnostics for IPv6. |
NDP (Neighbor Discovery Protocol) | IP next header 58 (0x3A) | Part of ICMPv6. Replaces ARP in IPv6 (also router discovery, address autoconfiguration). |
DHCPv6 | UDP 546 (client), UDP 547 (server) | Often NDP (SLAAC, RDNSS) is used instead for address allocation, routes, DNS configuration, etc. |
MLD (Multicast Listener Discovery) | IP next header 58 (0x3A) | Part of ICMPv6. Replaces IGMP in IPv6. |
IP Transport protocols
                                                  [app.]
                                           [app.] [SCTP] [app.    ]
    [app.] [app.] [app.    ] [app.] [app.] [SCTP] [DTLS] [QUIC|TLS]
    [TCP ] [UDP ] [UDP-lite] [DCCP] [SCTP] [UDP ] [UDP ] [UDP     ]
    [IP  ] [IP  ] [IP      ] [IP  ] [IP  ] [IP  ] [IP  ] [IP      ]
     TCP    UDP    UDP-lite   DCCP   SCTP   SCTP   SCTP   QUIC
                                            /UDP   /DTLS
Protocol | Protocol number | Description |
---|---|---|
TCP | 6 | Connection oriented, reliable byte stream, checksums, flow and congestion control. |
UDP | 17 | Unreliable datagrams. Checksums (can be disabled in IPv4; mandatory in IPv6). |
UDP-lite | 136 | Unreliable datagrams. Allows partial checksum coverage. |
DCCP | 33 | Connection oriented, unreliable datagrams, with congestion control. |
SCTP | 132 | Message-based (fragmentation, reliable, ordered or unordered), multiple streams multiplexed over a single association. Initially designed for PSTN signaling over IP. |
SCTP over UDP | - | Useful for NAT traversal and userspace implementations of SCTP. |
SCTP over DTLS | - | Used by WebRTC for transporting data channels. |
QUIC | - | Protected transport (relies on TLS for the handshake). Multiplexing of multiple streams per QUIC connection. Used by HTTP/3. |
Applications layers
DNS
                                                                           [DNS       ]
                         [DNS    ]          [DNS       ]                   [Obliv. DNS]
           [DNS    ]     [framing]  [DNS ]  [HTTP      ]  [DNS ]           [HTTP      ]
    [DNS]  [framing]     [TLS    ]  [DTLS]  [TLS / QUIC]  [QUIC]           [TLS / QUIC]
    [UDP]  [TCP    ]     [TCP    ]  [UDP ]  [TCP / UDP ]  [UDP ]           [TCP / UDP ]
    [IP ]  [IP     ]     [IP     ]  [IP  ]  [IP        ]  [IP  ]           [IP        ]
    “Do53” “Do53”        “DoT”              “DoH”         “DoQ”            “ODoH”
    DNS    DNS           DNS        DNS     DNS           DNS              Oblivious DNS
    over   over          over       over    over          over             over
    UDP    TCP           TLS        DTLS    HTTPS         QUIC             HTTPS
Protocol | Port | ALPN | Description |
---|---|---|---|
DNS over UDP (Do53) | UDP 53 | - | General DNS traffic. |
DNS over TCP (Do53) | TCP 53 | - | Used when a response is truncated (TC bit set) or too large for UDP, and for zone transfers (AXFR/IXFR). |
DNS framing | - | - | When used on top of TCP or TLS, each DNS message is prefixed with a length field (2 bytes). |
DNS over TLS (DoT) | TCP 853 | "dot" | DNS privacy. |
DNS over DTLS | (UDP 853) | - | DNS privacy. Not used in practice, deprecated in favor of DoQ. |
DNS over HTTPS (DoH) | TCP 443 | "http/1.1", "h2", "h3", etc. | DNS privacy. One HTTP request per request/response pair. |
DNS over QUIC (DoQ) | UDP 853 | "doq" | DNS privacy. One QUIC stream per request/response pair. |
Oblivious DNS over HTTPS (ODoH) | TCP/UDP 443 | "http/1.1", "h2", "h3", etc. | More DNS privacy. |
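As an added example (not part of the original page), the 2-byte length framing from the table above in Python: a hand-built query is framed for TCP/TLS, a byte stream carrying several messages is split back into messages, and an incomplete trailing message is kept for later. The names (build_query, frame_tcp, unframe_tcp, parse_header) and the sample query are this example's own.

```python
import struct


def build_query(qname, qtype=1, txid=0x1234):
    """Build a minimal DNS query: 12-byte header + one question (QCLASS IN).
    The transaction id and name are constructed sample values."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_tcp(msg):
    """Prefix one DNS message with the 2-byte big-endian length used on TCP and TLS."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for a 16-bit length prefix")
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(stream, max_len=0xFFFF):
    """Split a TCP/TLS byte stream into complete DNS messages.

    Returns (messages, leftover). leftover is a partial trailing message the
    caller keeps until more bytes arrive. A peer can announce a length and then
    stall, so a real reader also needs an idle timeout, and max_len lets the
    caller cap what it is willing to buffer per message."""
    msgs, off = [], 0
    while off + 2 <= len(stream):
        (n,) = struct.unpack_from("!H", stream, off)
        if n > max_len:
            raise ValueError("announced length exceeds policy limit")
        if off + 2 + n > len(stream):
            break  # incomplete message: wait for more data
        msgs.append(stream[off + 2:off + 2 + n])
        off += 2 + n
    return msgs, stream[off:]


def parse_header(msg):
    """Decode the header fields needed to match a reply to its query."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    return {"id": txid, "qr": flags >> 15, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


if __name__ == "__main__":
    q = build_query("example.com")
    stream = frame_tcp(q) + frame_tcp(build_query("example.org", txid=2)) + b"\x00\x10abc"
    msgs, rest = unframe_tcp(stream)
    print(len(msgs), "complete messages,", len(rest), "bytes pending")
```

The same framing is used under DoT; only the transport below it changes. Note that the length prefix is what lets a single TLS connection carry pipelined queries, so a reader must not assume one message per read.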
Oblivious DNS over HTTPS:
    [DNS       ]<--------------------->o[DNS       ]<---->o[DNS]
    [Obliv. DNS]<=====================>o[Obliv. DNS|-  ]
    [HTTP      ]<--->o[HTTP      ]<--->o[HTTP      |-  ]
    [TLS / QUIC]<===>o[TLS / QUIC]<===>o[TLS / QUIC|-  ]
    [TCP / UDP ]<--->o[TCP / UDP ]<--->o[TCP / UDP |...]<----->[...]
    [IP        ]<---->[IP        ]<---->[IP        ]<----->[IP ]
     Oblivious         Oblivious         Oblivious
     Client            Relay             Target
HTTP
                            [HTTP/1.x] [HTTP/2] [HTTP/3|TLS]
    [HTTP/1.x] [HTTP/2]     [TLS     ] [TLS   ] [QUIC      ]
    [TCP     ] [TCP   ]     [TCP     ] [TCP   ] [UDP       ]
    [IP      ] [IP    ]     [IP      ] [IP    ] [IP        ]
     HTTP/1.x   HTTP/2       HTTP/1.x   HTTP/2   HTTP/3
     w/o TLS    w/o TLS      over TLS   over TLS (over QUIC)
                "h2c"                   "h2"     "h3"
     (HTTP)     (HTTP)       (HTTPS)    (HTTPS)  (HTTPS)
Protocol | Port | TLS ALPN | HTTP Upgrade | Description |
---|---|---|---|---|
HTTP/1.x without TLS | TCP 80 | - | - | Text protocol. |
HTTP/1.x over TLS (HTTPS) | TCP 443 | "http/1.1", "http/1.0" | - | Text protocol over TLS. |
HTTP/2 without TLS | TCP 80 | - | "h2c" | HTTP/2 without TLS is not widely supported and the upgrade mechanism is deprecated. |
HTTP/2 over TLS (HTTPS) | TCP 443 | "h2" | - | Binary protocol. Avoids head-of-line (HOL) blocking at the HTTP layer by multiplexing multiple requests/responses over the same connection, but HOL blocking is still present at the TCP layer. |
HTTP/3 over QUIC (HTTPS) | UDP 443 | "h3" | - | Binary protocol. Avoids HOL blocking between streams of the same connection (which happened at the TCP layer with HTTP/2) by replacing TCP with QUIC over UDP. Encryption/integrity provided by QUIC. TLS is used for the handshake (ciphersuite negotiation, authentication, key exchange, etc.). |
WebSocket
    [WebSocket] [WebSocket] [WebSocket]
    [HTTP/1.x ] [HTTP/2   ] [HTTP/3   ]
    [(TLS)    ] [(TLS)    ] [QUIC     ]
    [TCP      ] [TCP      ] [UDP      ]
    [IP       ] [IP       ] [IP       ]
     WebSocket   WebSocket   WebSocket
     (HTTP/1.x)  (HTTP/2)    (HTTP/3)
Notes:
- with HTTP/1, an HTTP upgrade (`GET` with `Upgrade: websocket`) is used to upgrade the HTTP connection into a WebSocket connection;
- with HTTP/2, an HTTP/2 upgrade (extended `CONNECT`) is used to upgrade an HTTP/2 stream into a WebSocket stream;
- with HTTP/3, an HTTP/3 upgrade (extended `CONNECT`) is used to upgrade an HTTP/3 stream into a WebSocket stream.
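As an added example (not from the original page), the HTTP/1.x upgrade exchange in Python, with both sides' messages: the client sends the `GET` with a random `Sec-WebSocket-Key`, the server validates the request and answers `101` with the derived `Sec-WebSocket-Accept`, and the client checks that value. The server also checks the `Origin` header, which is the only thing standing between a browser user and cross-site WebSocket hijacking, since the upgrade itself carries no CSRF protection. Function names, hostnames and the allowed-origin set are this example's own assumptions; the key/accept pair in the test is the one printed in RFC 6455.

```python
import base64
import hashlib
import os

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed by RFC 6455


def accept_key(client_key):
    """Sec-WebSocket-Accept = base64(SHA-1(Sec-WebSocket-Key + GUID))."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_http(raw):
    """Split an HTTP/1.1 message head into (start line, {lower-case name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def client_upgrade_request(host, path, origin, key=None):
    """Build the client's upgrade request; returns (key, request bytes)."""
    key = key or base64.b64encode(os.urandom(16)).decode("ascii")  # 16 random bytes, base64
    req = ("GET %s HTTP/1.1\r\n"
           "Host: %s\r\n"
           "Upgrade: websocket\r\n"
           "Connection: Upgrade\r\n"
           "Origin: %s\r\n"
           "Sec-WebSocket-Key: %s\r\n"
           "Sec-WebSocket-Version: 13\r\n\r\n") % (path, host, origin, key)
    return key, req.encode("ascii")


def server_handle_upgrade(raw, allowed_origins):
    """Validate the upgrade and answer 101, or reject with 400 (malformed) / 403 (origin)."""
    start, h = parse_http(raw)
    method = start.split(" ")[0]
    key = h.get("sec-websocket-key", "")
    try:
        key_ok = len(base64.b64decode(key, validate=True)) == 16
    except ValueError:  # binascii.Error is a ValueError
        key_ok = False
    if (method != "GET"
            or h.get("upgrade", "").lower() != "websocket"
            or "upgrade" not in h.get("connection", "").lower()
            or h.get("sec-websocket-version") != "13"
            or not key_ok):
        return b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"
    # Browsers always send Origin and a page cannot forge it: reject unknown origins.
    if h.get("origin") not in allowed_origins:
        return b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n"
    return ("HTTP/1.1 101 Switching Protocols\r\n"
            "Upgrade: websocket\r\n"
            "Connection: Upgrade\r\n"
            "Sec-WebSocket-Accept: %s\r\n\r\n" % accept_key(key)).encode("ascii")


def client_verify(raw, key):
    """Client side: proceed only if the server proved it read our key."""
    start, h = parse_http(raw)
    return start.startswith("HTTP/1.1 101") and h.get("sec-websocket-accept") == accept_key(key)


if __name__ == "__main__":
    key, req = client_upgrade_request("server.example.com", "/chat", "https://app.example.com")
    resp = server_handle_upgrade(req, {"https://app.example.com"})
    print(resp.decode().splitlines()[0], "verified:", client_verify(resp, key))
```

The accept value proves nothing about the server's identity (that is TLS's job); it only ensures a non-WebSocket server that happens to echo headers does not get mistaken for one.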
References:
- WebSocket JS API (W3C)
- WebSocket JS API (MDN)
HTTP Datagrams
    [datagram ] [datagram] [datagram         ]
    [Capsule  ] [Capsule ] [Capsule |-       ]
    [HTTP/1.x ] [HTTP/2  ] [HTTP/3  |H3 dgram]
    [(TLS)    ] [(TLS)   ] [QUIC +dgram      ]
    [TCP      ] [TCP     ] [UDP              ]
    [IP       ] [IP      ] [IP               ]
     HTTP        HTTP       HTTP
     Datagrams   Datagrams  Datagrams
     (HTTP/1.x)  (HTTP/2)   (HTTP/3)
HTTP datagrams are unreliable datagrams, associated with an HTTP request (upgrade / extended CONNECT), transported over an HTTP connection. After an upgrade to the Capsule protocol they can be sent,
- either as part of the HTTP stream in DATAGRAM capsules,
- or in QUIC datagrams (HTTP/3 Datagrams), if supported by the peer.
HTTP datagrams are currently used for,
- UDP in HTTP (RFC9298);
- IP in HTTP (RFC9484);
- Ethernet in HTTP (draft);
- WebTransport datagrams.
HTTP CONNECT proxy
Without HTTP/3 datagrams:
                  [application] [IP              ] [application] [Eth. MAC   ]
                  [UDP prox.  ] [IP prox.|config.] [UDP-l prox.] [Eth. prox. ]
    [application] [HTTP Datag.] [Capsule         ] [HTTP Datag.] [HTTP Datag.]
    [HTTP       ] [HTTP       ] [HTTP            ] [HTTP       ] [HTTP       ]
    [(TLS)/ QUIC] [(TLS)/ QUIC] [(TLS) / QUIC    ] [(TLS)/ QUIC] [(TLS)/ QUIC]
    [TCP / UDP  ] [TCP / UDP  ] [TCP / UDP       ] [TCP / UDP  ] [TCP / UDP  ]
    [IP         ] [IP         ] [IP              ] [IP         ] [IP         ]
     TCP in HTTP   UDP in HTTP   IP in HTTP         UDP-listen    Ethernet
                                                    in HTTP       in HTTP
With HTTP/3 datagrams:
    [app.            ] [config.|IP      ] [application     ] [Eth. MAC        ]
    [UDP prox.       ] [Capsule|IP prox.] [UDP-listen prox.] [Eth. prox.      ]
    [HTTP/3|H3 dgram ] [HTTP/3 |H3 dgram] [HTTP/3|H3 dgram ] [HTTP/3|H3 dgram ]
    [QUIC +dgram     ] [QUIC +dgram     ] [QUIC +dgram     ] [QUIC +dgram     ]
    [UDP             ] [UDP             ] [UDP             ] [UDP             ]
    [IP              ] [IP              ] [IP              ] [IP              ]
     UDP in HTTP/3      IP in HTTP/3       UDP-listen in      Ethernet in
     datagrams          datagrams          HTTP/3 datagrams   HTTP/3 datagrams
Protocol | Upgrade token | Default URI template |
---|---|---|
Proxy TCP in HTTP (classic) (/1.x, /2, /3) | - | - |
Proxy TCP in HTTP (template-based) | "connect-tcp" | /.well-known/masque/tcp/{target_host}/{tcp_port}/ |
Proxy UDP in HTTP | "connect-udp" | /.well-known/masque/udp/{target_host}/{target_port}/ |
Proxy UDP listen in HTTP | "connect-udp-listen" | /.well-known/masque/udp/{target_host}/{target_port}/ |
Proxy IP in HTTP | "connect-ip" | /.well-known/masque/ip/{target}/{ipproto}/ |
Proxy Ethernet in HTTP | "connect-ethernet" | (/.well-known/masque/ethernet/) |
WebTransport
    [streams|datagrams] [streams|datagrams]
    [-      |Capsule  ] [-      |Capsule|-]
    [HTTP/2           ] [HTTP/3 |H3 dgram.]
    [TLS              ] [QUIC (+dgram)    ]
    [TCP              ] [UDP              ]
    [IP               ] [IP               ]
     WebTransport        WebTransport
     (HTTP/2)            (HTTP/3)
Features:
- multiple (reliable) streams per WebTransport session;
- datagrams can be exchanged over a WebTransport session;
- multiple WebTransport sessions may be multiplexed over a single transport (e.g. one HTTP/2 or HTTP/3 connection).
Notes:
- With HTTP/2, after an extended CONNECT, all streams and datagrams of the WebTransport session are transported over a single HTTP/2 stream.
- With HTTP/3, after an extended CONNECT, each WebTransport stream is transported over a different QUIC stream and WebTransport datagrams are sent as HTTP/3 (QUIC) datagrams.
- There is no specification for WebTransport over HTTP/1.
References:
- WebTransport JS API (W3C)
- WebTransport JS API (MDN)
File Transfer
    [FTP  ] [SFTP] [HTTP+WebDAV ]        [SMB ]
    [(TLS)] [SSH ] [(TLS) / QUIC] [SMB]  [QUIC] [NFS]
    [TCP  ] [TCP ] [TCP / UDP   ] [TCP]  [UDP ] [TCP]
    [IP   ] [IP  ] [IP          ] [IP ]  [IP  ] [IP ]
     FTP     SFTP   WebDAV        SMB    SMB    NFSv4
                                         /QUIC
Protocol | Port | Description |
---|---|---|
FTP (File Transfer Protocol) | TCP/21 (control), TCP/20 (data) | Cleartext control and data connections. |
FTP over TLS (implicit FTPS) | TCP/990 (control), TCP/989 (data) | |
WebDAV | TCP/80 (HTTP) | Extension of HTTP for remote resource (file) operations. |
WebDAV Secure | TCP/443, UDP/443 | WebDAV with HTTPS. |
SFTP (SSH File Transfer Protocol) | TCP/22 (SSH) | File transfer over SSH. Not related to FTP! This is not FTP over TLS! |
NFS v4 (Network File System) | TCP/2049 | |
SMB over IP (modern) | TCP/445 | Windows file sharing. |
SMB over NetBIOS over TCP (SMB/NBT) | TCP/139 | Windows file sharing over legacy Windows network protocols. |
SMB over QUIC | UDP/443 | |
Notes:
- SFTP uses "sftp" as SSH subsystem.
- SMB over QUIC uses "smb" as ALPN.
LDAP
    [LDAP       ]
    [(SASL sec.)]
    [(TLS)      ]
    [TCP        ]
    [IP         ]
     LDAP
UPnP
                  [Device/service desc.] [SOAP/1.1  ] [UPnP event] [UPnP event]
                  [XML                 ] [XML       ] [XML       ] [XML       ]
    [HTTP+SSDP ]  [HTTP                ] [HTTP      ] [HTTP+GENA ] [HTTP+GENA ]
    [UDP       ]  [TCP                 ] [TCP       ] [TCP       ] [UDP       ]
    [IP (mcast)]  [IP                  ] [IP        ] [IP        ] [IP (mcast)]
     Service       Service               Control      Eventing     Eventing
     Discovery     Description           (RPC)        (unicast)    (multicast)
CoAP
                             [CoAP        ]
                             [WebSocket   ]
    [CoAP  ] [CoAP ]         [HTTP        ]
    [(DTLS)] [(TLS)]         [(TLS / DTLS)]
    [UDP   ] [TCP  ]         [TCP / UDP   ]
    [IP    ] [IP   ]         [IP          ]
     CoAP     CoAP/TCP        CoAP/WS(S)
Protocol | URI scheme | Port | ALPN | WebSocket protocol |
---|---|---|---|---|
CoAP over UDP | coap: | UDP 5683 | - | - |
CoAP over DTLS | coaps: | UDP 5684 | coap | - |
CoAP over TCP | coap+tcp: | TCP 5683 | - | - |
CoAP over TLS | coaps+tcp: | TCP 5684 | coap | - |
CoAP over WebSocket | coap+ws: | (80, HTTP) | - | coap |
CoAP over WebSocket Secure | coaps+ws: | (443, HTTPS) | (http/1.1, …) | coap |
Notes:
- CoAP over TCP and TLS use a modified message format compared to CoAP/UDP (the length field replaces the message ID, since the transport is already reliable);
- CoAP over WebSocket uses yet another message format.
Multimedia
SIP, RTP, RTSP
Signaling:
                                                     [SDP             ]
                                                     [(S/MIME)        ]
                                     [SDP     ]      [SIP             ]
    [SDP  ]  [SDP             ]      [(S/MIME)]      [WebSocket       ]
    [RTSP ]  [(S/MIME)        ]      [SIP     ]      [HTTP            ]
    [(TLS)]  [SIP             ]      [TLS     ]      [(TLS)           ]
    [TCP  ]  [UDP / TCP / SCTP]      [TCP     ]      [TCP             ]
    [IP   ]  [IP              ]      [IP      ]      [IP              ]
     RTSP     SIP                     SIP-TLS         SIP/WebSocket
RTP (media transport):
    [A/V     ] [A/V       ] [A/V            ] [A/V            ]
    [RTP|RTCP] [SRTP|SRTCP] [DTLS|SRTP|SRTCP] [ZRTP|SRTP|SRTCP]
    [UDP     ] [UDP       ] [UDP            ] [UDP            ]
    [IP      ] [IP        ] [IP             ] [IP             ]
     RTP, RTCP  SRTP, SRTCP  DTLS-SRTP         ZRTP
Alternative transports for RTP:
                  [A/V       |A/V       ]
    [A/V     ]    [RTP|RTCP  |RTP|RTCP  ]
    [RTP|RTCP]    [RoQ stream|RoQ Datag.]
    [framing ]    [QUIC                 ]
    [TCP     ]    [UDP                  ]
    [IP      ]    [IP                   ]
     RTP over TCP  RTP over QUIC (RoQ)
Protocol | Port | Description |
---|---|---|
RTSP (Real Time Streaming Protocol) | TCP 554 | Control RTP streams (PLAY/PAUSE, etc.) |
RTSPS (Secure RTSP) | TCP 322 | RTSP over TLS |
SIP (Session Initiation Protocol) | TCP 5060 UDP 5060 SCTP 5060 | |
SIP over TLS | TCP 5061 | |
SIP over WebSocket | TCP 80 (ws), TCP or UDP 443 (wss) | |
Protocol | Description |
---|---|
RTP | Transport of A/V streams |
RTCP | Control protocol for RTP: sender/receiver reports, reception-quality feedback, participant identification |
SRTP and SRTCP | Encrypted and authenticated RTP/RTCP (AES-CTR + HMAC-SHA1, or AES-GCM) |
DTLS-SRTP | DTLS handshake (with mutual authentication) for keying SRTP (and SRTCP). |
ZRTP | In-band (media path) Diffie-Hellman key agreement for SRTP, on the same port as SRTP. |
S/MIME | May be used in SIP to provide end-to-end protection of SDP content |
Framing for RTP | When used over TCP, each RTP or RTCP packet is prefixed with a length field (2 bytes). |
RTP-MIDI | Send MIDI 1 data over RTP |
RTP-over-QUIC (RoQ) | RTP and RTCP carried in QUIC streams or QUIC datagrams. |
Notes:
- RTCP usually uses the next (odd) UDP port after the (even) one used by RTP. Nowadays, they tend to be multiplexed over the same port.
- DTLS-SRTP uses a DTLS handshake with mutual authentication and the `use_srtp` extension for key exchange, and then switches to SRTP/SRTCP on the same port.
- The SRTP keys are exported from DTLS (using the "EXTRACTOR-dtls_srtp" exporter label).
- RTP-over-QUIC uses "rtp-mux-quic" for ALPN.
Message multiplexing:
- A mix of (S)RTP, (S)RTCP, STUN, ZRTP and DTLS messages can be multiplexed over the same channel.
- RTP and RTCP can be distinguished using the M and PT fields.
- ZRTP messages can be distinguished from (S)RTP messages because the first two bits (RTP version) are zero.
- ZRTP messages can be distinguished from STUN messages because they use different magic cookies.
- See RFC5764 section 5.1.2 (updated by RFC7983) for demultiplexing of DTLS, RTP/RTCP and STUN packets.
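As an added example (not part of the original page), the demultiplexing described above written out in Python: one function classifies a datagram received on a shared media port by its first byte (the RFC 7983 ranges), confirms STUN and ZRTP by their magic cookies, and separates RTP from RTCP by the payload type. The sample packets are constructed by hand for this example and only carry the header bytes the classifier looks at; the names classify and demux_samples are this example's own.

```python
import struct

STUN_MAGIC_COOKIE = 0x2112A442
ZRTP_MAGIC_COOKIE = 0x5A525450  # ASCII "ZRTP"


def classify(pkt):
    """Return the protocol of one datagram received on a shared RTP/RTCP port.

    First-byte ranges follow RFC 7983 (which updates RFC 5764 section 5.1.2):
      0..3 STUN, 16..19 ZRTP, 20..63 DTLS, 64..79 TURN ChannelData, 128..191 RTP/RTCP.
    STUN and ZRTP are confirmed by their magic cookie at bytes 4..7; RTP is told
    from RTCP by the payload type (RFC 5761)."""
    if len(pkt) < 2:
        return "invalid"
    b0 = pkt[0]
    if b0 <= 3:                                   # first two bits 00: STUN
        if len(pkt) >= 20 and struct.unpack_from("!I", pkt, 4)[0] == STUN_MAGIC_COOKIE:
            return "stun"
        return "unknown"
    if 16 <= b0 <= 19:                            # RTP version 0 with X bit set: ZRTP
        if len(pkt) >= 12 and struct.unpack_from("!I", pkt, 4)[0] == ZRTP_MAGIC_COOKIE:
            return "zrtp"
        return "unknown"
    if 20 <= b0 <= 63:                            # DTLS record content type
        return "dtls"
    if 64 <= b0 <= 79:                            # TURN ChannelData (channel numbers 0x4000..0x4FFF)
        return "turn-channel"
    if 128 <= b0 <= 191:                          # RTP version 2
        pt = pkt[1] & 0x7F                        # mask the marker bit
        # RTCP packet types 192..223 land in 64..95 once the top bit is masked
        return "rtcp" if 64 <= pt <= 95 else "rtp"
    return "unknown"


# Constructed header-only samples (not real captures).
SAMPLE_PACKETS = {
    "stun_binding_request": b"\x00\x01\x00\x00" + STUN_MAGIC_COOKIE.to_bytes(4, "big") + bytes(12),
    "stun_without_cookie": b"\x00\x01\x00\x00" + bytes(16),
    "dtls_handshake_record": b"\x16\xfe\xfd" + bytes(10),
    "rtp_pt96": b"\x80\x60\x00\x01" + bytes(8),
    "rtcp_sender_report": b"\x81\xc8\x00\x06" + bytes(24),
    "zrtp_hello": b"\x10\x00\x00\x01ZRTP" + bytes(4),
    "turn_channel_data": b"\x40\x01\x00\x04" + bytes(4),
}


def demux_samples():
    """Classify every constructed sample; returns {name: protocol}."""
    return {name: classify(pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, proto in demux_samples().items():
        print("%-24s -> %s" % (name, proto))
```

Classification only decides which parser a packet goes to; it is not authentication. A DTLS record or an RTP packet from a different SSRC still has to pass its own integrity check (DTLS AEAD, SRTP auth tag) before it is trusted.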
WebRTC
    [DCEP|data. chan.      ] [DCEP|data. chan.      ]
    [SCTP           |A/V   ] [SCTP           |A/V   ]
    [STUN|mDTLS|SRTP|SRTCP ] [STUN|mDTLS|SRTP|SRTCP ]
                             [framing               ] [SDP     ]
    [UDP (+ ICE)           ] [TCP (+ ICE)           ] [anything]
    [IP (+ ICE)            ] [IP (+ ICE)            ]
     WebRTC over UDP          WebRTC over TCP          WebRTC Signaling
Type of payloads:
                              [DCEP|data chan.       ]                            [DCEP|data chan.       ]
    [A/V                   ]  [SCTP                  ]  [A/V                   ]  [SCTP                  ]
    [STUN|mDTLS|SRTP|SRTCP ]  [STUN|mDTLS            ]  [STUN|mDTLS|SRTP|SRTCP ]  [STUN|mDTLS            ]
                                                        [framing               ]  [framing               ]
    [UDP (+ ICE)           ]  [UDP (+ ICE)           ]  [TCP (+ ICE)           ]  [TCP (+ ICE)           ]
    [IP (+ ICE)            ]  [IP (+ ICE)            ]  [IP (+ ICE)            ]  [IP (+ ICE)            ]
     WebRTC A/V streams        WebRTC Data Channel      WebRTC A/V streams        WebRTC Data Channel
     (DTLS-SRTP)               (SCTP/DTLS)              (DTLS-SRTP)               (SCTP/DTLS)
     proto=UDP/TLS/RTP/SAVPF   proto=UDP/DTLS/SCTP      proto=TCP/TLS/RTP/SAVPF   proto=TCP/DTLS/SCTP
Example WebRTC stack with TURN tunneling:
    [DCEP|data. chan.      ]
    [SCTP           |A/V   ]
    [STUN|mDTLS|SRTP|SRTCP ]
    [TURN                  ]
    [(DTLS)                ]
    [UDP                   ]
    [IP                    ]
     WebRTC with TURN tunnel
WebRTC Payload type | SCTP PPID | Description |
---|---|---|
SRTP-DTLS | - | |
DCEP (Data Channel Establishment Protocol) | 50 | Used to create WebRTC data channels. |
WebRTC String | 51 | |
WebRTC Binary | 53 | |
WebRTC Empty String | 56 | |
WebRTC Empty Binary | 57 | |
Notes:
- In WebRTC, the DTLS peers authenticate based on X.509 certificates (fingerprints) exchanged through the signaling protocol (e.g. in the `fingerprint` and `identity` SDP attributes).
- The DCEP `DATA_CHANNEL_OPEN` message may specify a protocol identifier (from the WebSocket subprotocol registry) to be used on this channel.
- See RFC5764 section 5.1.2 for demultiplexing of DTLS, RTP/RTCP and STUN packets.
- RTP/SAVPF combines RTP/SAVP (i.e. using SRTP) and RTP/AVPF (i.e. with RTCP-based Feedback).
References:
- WebRTC Protocol Layers
- WebRTC For The Curious
- RFC8834, Media Transport and Use of RTP in WebRTC
- RFC8827, WebRTC Security Architecture
- RFC8835, Transports for WebRTC
- Replacing WebRTC
Security Layers
TLS
TLS sublayers:
    [Handshake | ChangeCipherSpec | Alert | Application]
    [TLS Record Protocol: fragmentation                ] [Handshake | Alert | Application       ]
    [TLS Record Protocol: compression                  ] [TLS Record Protocol: fragmentation    ]
    [TLS Record Protocol: record protection            ] [TLS Record Protocol: record protection]
    [Transport layer                                   ] [Transport layer                       ]
     TLS v1.2                                             TLS v1.3
Some protocol stacks using TLS:
                                                             [mTLS   ]
    [HTTP] [HTTP/3|TLS] [SMTP] [IMAP] [TLS|IP / Eth.]        [EAP-TLS]  [mTLS   ]
    [TLS ] [QUIC      ] [TLS ] [TLS ] [OpenVPN      ]        [EAP    ]  [EAP-TLS]
    [TCP ] [UDP       ] [TCP ] [TCP ] [TCP / UDP    ]        [EAPOL  ]  [EAP    ]
    [IP  ] [IP        ] [IP  ] [IP  ] [IP           ]        [Wifi   ]  [PPP    ]
     HTTPS  HTTPS        SMTPS  IMAPS  OpenVPN                WPA2-EAP   PPP
            (HTTP/3)                                          with       with
                                                              EAP-TLS    EAP-TLS
TLS Subprotocols | Description |
---|---|
Underlying transport layer | eg. TCP |
TLS Record Protocol: Record Protection | Encryption and message authentication (cipher+MAC, or AEAD only in TLS v1.3). |
TLS Record Protocol: Compression | Message compression, if negotiated. Removed in TLS v1.3 (and a known leak, see CRIME). |
TLS Record Protocol: Fragmentation | Subprotocol multiplexing and framing (content type, version, length). |
TLS Handshake Protocol | TLS handshake (version/ciphersuite negotiation, authentication, key exchange, etc.). |
TLS ChangeCipherSpec | Signals that the following records in this direction are protected with the newly negotiated keys (TLS v1.2 and earlier; kept in TLS v1.3 only as a dummy for middlebox compatibility). |
TLS Alert | Errors. |
Application Layer | eg. HTTP, SMTP, etc. |
DTLS
Transports:
    [app.] [app.] [app.]
    [DTLS] [DTLS] [DTLS]
    [UDP ] [SCTP] [DCCP]
    [IP  ] [IP  ] [IP  ]
     DTLS   DTLS   DTLS
     over   over   over
     UDP    SCTP   DCCP
QUIC
    [app.    ] [app. streams|app. dgrams]
    [QUIC|TLS] [QUIC +dgram.        |TLS]
    [UDP     ] [UDP                     ]
    [IP      ] [IP                      ]
     QUIC       QUIC with QUIC datagrams
Protocol | Description |
---|---|
QUIC | Protected transport. Provides multiple streams on top of a single connection. |
TLS | Used for the handshake (negotiation, keying) |
QUIC datagrams | Extension of QUIC for unreliable datagrams (not associated to any QUIC stream). |
QUIC is used by:
- HTTP/3 (mostly)
- SMB over QUIC
- RTP over QUIC (RoQ)
QUIC Datagrams are used by:
- HTTP/3 Datagrams (used by WebTransport, and by UDP/IP/Ethernet proxying over HTTP/3)
SSH
    [(GSS-API)|shell|command|forwarding            ]
    [SSH Authentication Layer|SSH Connection Layer ]
    [SSH Transport Layer                           ]
    [TCP                                           ]
    [IP                                            ]
Protocol | Description |
---|---|
GSS-API authentication for SSH | GSS-API (e.g. Kerberos) user authentication and key exchange methods for SSH |
SSH sessions include:
- interactive shell;
- command execution;
- subsystems (e.g. sftp).
SSH forwardings include:
- TCP/IP Port Forwarding;
- OpenSSH Tunnel forward extension (TUN/TAP);
- OpenSSH Unix domain socket forwarding.
Some applications:
- SFTP uses "sftp" as SSH subsystem.
VPNs and tunnels
IPSec
SA (Security Associations) establishment:
            [...  ]
            [EAP  ]
    [IKEv2] [IKEv2]
    [UDP  ] [UDP  ]
    [IP   ] [IP   ]
     IKEv2   IKEv2
             w/ EAP
IPsec:
                                                    [UDP|TCP|...] [IP         ]
    [UDP|TCP|...] [IP ]   [UDP|TCP|...] [IP ]       [ESP        ] [ESP        ]
    [AH         ] [AH ]   [ESP        ] [ESP]       [UDP        ] [UDP        ]
    [IP         ] [IP ]   [IP         ] [IP ]       [IP         ] [IP         ]
     AH           AH       ESP          ESP          ESP/UDP       ESP/UDP
     Transport    Tunnel   Transport    Tunnel       Transport     Tunnel
Protocol | IP Protocol | Port | Notes |
---|---|---|---|
AH (Authentication Header) | 51 | - | Integrity, data origin authentication, anti-replay; the outer IP header (immutable fields) is covered as well. |
ESP (Encapsulating Security Payload) | 50 | - | Integrity, data origin authentication, anti-replay, confidentiality (of the payload). |
IKEv2 | - | UDP 500 | |
ESP over UDP (and IKEv2) | - | UDP 4500 | NAT traversal (NAT-T). |
ESP transport mode:
    [app.]<--------->[app.]
    [TCP ]<--------->[TCP ]
    [ESP ]<=========>[ESP ]
    [IP  ]<--------->[IP  ]
    correspondent    correspondent
ESP tunnel mode:
    [app.]<------------------------------>[app.]
    [TCP ]<------------------------------>[TCP ]
    [IP  ]<-------->[IP ]<----->[IP ]<--->[IP  ]
                    [ESP]<=====>[ESP]
                    [IP ]<----->[IP ]
    correspondent   Gateway     Gateway   correspondent
AH transport mode:
    [app.]<--------->[app.]
    [TCP ]<--------->[TCP ]
    [AH  ]<--------->[AH  ]
    [IP  ]<=-=-=-=-=>[IP  ]
    correspondent    correspondent
AH tunnel mode:
    [app.]<---------------------------->[app.]
    [TCP ]<---------------------------->[TCP ]
    [IP  ]<-------->[IP]<----->[IP]<--->[IP  ]
                    [AH]<----->[AH]
                    [IP]<=-=-=>[IP]
    correspondent   Gateway    Gateway  correspondent
References:
- RFC4301, Security Architecture for the Internet Protocol
VPNs
    [IPv4|IPv6|(TLS)] [Eth. MAC|(TLS)] [IP       ] [IP / Eth. MAC]
    [OpenVPN        ] [OpenVPN       ] [WireGuard] [SSH          ]
    [TCP / UDP      ] [TCP / UDP     ] [UDP      ] [TCP          ]
    [IP             ] [IP            ] [IP       ] [IP           ]
     OpenVPN IP        OpenVPN Ethernet WireGuard   OpenSSH tunnel
     (TUN mode)        (TAP mode)

                                             [IP      ]
    [IP     ] [IP              ]             [PPP     ] [IP      ]
    [Capsule] [Capsule|-       ]             [SSTP    ] [PPP     ]
    [HTTP   ] [HTTP/3 |H3 dgram]             [HTTP    ] [HTTP    ]
    [(TLS)  ] [QUIC +dgram     ]             [TLS     ] [TLS     ]
    [TCP    ] [UDP             ]             [TCP     ] [TCP     ]
    [IP     ] [IP              ]             [IP      ] [IP      ]
     IP in     IP in HTTP/3                   MS-SSTP    FortiSSL
     HTTP
Protocol | Port |
---|---|
OpenVPN | UDP 1194, TCP 1194 |
WireGuard | UDP 51820 |
OpenSSH tunnel | (over SSH, TCP 22) |
IP in HTTP | TCP/UDP 443 (HTTPS) |
MS-SSTP | TCP 443 (HTTPS) |
FortiSSL | TCP 443 (HTTPS) |
Notes:
- OpenVPN does not run on top of TLS (TLS over TCP). TLS records are encapsulated in the OpenVPN protocol and used only for the handshake (control channel). The inner frames/packets are not encapsulated in TLS (no IP-over-TLS or Ethernet-over-TLS); the data channel uses keys derived from that handshake.
- MS-SSTP uses an `SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/` HTTPS request. The encapsulated protocol is chosen with the MS-SSTP Protocol ID field (0x0001 for PPP).
Simple Tunnels
                 [IP        ] [IP  ]
                 [GRE       ] [GRE ]
                 [(UDP)     ] [DTLS] [Eth. MAC]
    [IP]         [(AH / ESP)] [UDP ] [EtherIP ]
    [IP]         [IP        ] [IP  ] [IP      ]
     IP in IP     GRE         GRE-    EtherIP
                              UDP-DTLS
Protocol | SAP | Description |
---|---|---|
GRE (Generic Routing Encapsulation) | IP proto 47 | Next protocol defined as an EtherType; Optional 32 bit key (tunnel ID); optional 32 bit sequence number |
GRE-in-UDP | UDP 4754 (dest.) | |
GRE-UDP-DTLS | UDP 4755 (dest.) | |
EtherIP | IP proto 97 | Ethernet frames directly in IP. |
L2TPv3
Pseudowires:
    [PPP ] [Eth. MAC] [Frame Relay] [HDLC] [ATM ]
    [L2TP] [L2TP    ] [L2TP       ] [L2TP] [L2TP]
    [... ] [...     ] [...        ] [... ] [... ]
Transports:
                                          [...        ]
                                          [L2TP       ]
    [...  ]                               [SNAP       ] [...  ]
    [L2TP ] [...  ] [...        ]         [LLC        ] [L2TP ]
    [UDP  ] [L2TP ] [L2TP       ]         [AAL5       ] [AAL5 ]
    [IP   ] [IP   ] [Frame Relay]         [ATM        ] [ATM  ]
     L2TP    L2TP    L2TP                  L2TP          L2TP
     /UDP    /IP     /Frame Relay          /ATM          /ATM
                                           (LLC)         (VC mux)
Protocol | SAP | Description |
---|---|---|
L2TP (Layer Two Tunneling Protocol) | 32 bit session ID in L2TPv3 (16 bit tunnel and session IDs in L2TPv2), optional sequence numbers | |
L2TP over IP | IP proto. 115 | L2TPv3 only. |
L2TP over UDP | UDP 1701 | |
Network virtualization
    [Eth. MAC  ] [Eth. / IP / ...] [Eth. / IP / ...]
    [VXLAN     ] [GENEVE         ] [GRE + Key ext. ]
    [UDP       ] [UDP            ] [(UDP)          ]
    [(AH / ESP)] [(AH / ESP)     ] [(AH / ESP)     ]
    [IP        ] [IP             ] [IP             ]
     VXLAN        GENEVE           NVGRE
Protocol | Port | Description |
---|---|---|
VXLAN (Virtual eXtensible LAN) | UDP 4789 (dest.) | 24 bit VNI (VXLAN Network Identifier), always encapsulates Ethernet |
GENEVE (Generic Network Virtualization Encapsulation) | UDP 6081 (dest.) | 24 bit VNI, can encapsulate different protocols (EtherType) |
NVGRE (Network Virtualization with GRE) | - (IP proto 47) | 24-bit VSID (Virtual Subnet Identifier) carried in the GRE key field, can encapsulate different protocols (EtherType) |
Authentication, authorization
EAP
TLS-based EAP methods:
    [...    ] [EAP     ] [PAP     ] [CHAP    ] [... ] [... ]
              [AVP     ] [AVP     ] [AVP     ] [EAP ] [EAP ]
    [mTLS   ] [TLS     ] [TLS     ] [TLS     ] [TLS ] [TLS ]
    [EAP-TLS] [EAP-TTLS] [EAP-TTLS] [EAP-TTLS] [PEAP] [TEAP]
    [EAP    ] [EAP     ] [EAP     ] [EAP     ] [EAP ] [EAP ]
    [...    ] [...     ] [...     ] [...     ] [... ] [... ]
     EAP-TLS   EAP        PAP        CHAP       EAP    EAP
               over       over       over       over   over
               EAP-TTLS   EAP-TTLS   EAP-TTLS   PEAP   TEAP
EAP transports:
    [... ] [... ] [...      ] [...       ]       [...     ] [...     ]
    [EAP ] [EAP ] [EAP      ] [EAP       ] [...] [EAP     ] [EAP     ]
    [PANA] [IKE ] [RADIUS   ] [Diameter  ] [EAP] [802.1X  ] [802.1X  ]
    [UDP ] [UDP ] [UDP / TCP] [TCP / SCTP] [PPP] [Ethernet] [Wifi    ]
    [IP  ] [IP  ] [IP       ] [IP        ]
     PANA   EAP    EAP         EAP/Diameter EAP   802.1X     WPA-EAP
            for    over                     for
            IKE    RADIUS                   PPP
Example full protocol stacks:
                    [EAP-MSCHAPv2]
                    [EAP         ]
    [mTLS   ]       [TLS         ]
    [EAP-TLS]       [TEAP        ]
    [EAP    ]       [EAP         ]
    [802.1X ]       [802.1X      ]
    [Wifi   ]       [Wifi        ]
     WPA-EAP         WPA-EAP
     with            with TEAP
     EAP-TLS         and EAP-MSCHAPv2
EAP Method | Method Type | Description |
---|---|---|
EAP-TLS | 13 | Mutual TLS authentication |
EAP-TTLS | 21 | AVPs (attribute value pairs) in the Diameter format over TLS |
PEAP (Protected EAP) | 25 | Inner EAP exchange over a TLS tunnel |
EAP-FAST | 43 | Cisco's TLS-tunnelled method using PACs (Protected Access Credentials); predecessor of TEAP |
TEAP (Tunnel EAP) | 55 | Inner EAP exchange over a TLS tunnel (standardized version of PEAP) |
EAP-SIM, EAP-AKA, EAP-AKA' | 18, 23, 50 | SIM-based authentication |
EAP-pwd | 52 | Authenticated key exchange based on a shared password |
EAP-NOOB | 56 | Authentication for IoT devices based on an initial out-of-band channel |
EAP Transport | Description |
---|---|
802.1X | Port-based authentication for LAN/WLAN such as Ethernet and Wifi (WPA-EAP aka WPA-Enterprise) |
PANA (Protocol for Carrying Authentication for Network Access) | |
RADIUS support for EAP | EAP messages encapsulated in the EAP-Message attribute |
Diameter support for EAP | EAP messages encapsulated in EAP-Payload AVP |
Kerberos
               [Kerberos]
               [MS-KKDCP]
               [HTTP    ]
    [Kerberos] [TLS     ]
    [UDP/TCP ] [TCP     ]
    [IP      ] [IP      ]
     Kerberos   MS-KKDCP
Protocol | Port | Description |
---|---|---|
Kerberos | UDP or TCP 88 | |
MS-KKDCP (Kerberos Key Distribution Center Proxy) | TCP or UDP 443 (HTTPS) | Kerberos over HTTPS. |
SASL
General SASL stack:
    [mechanism]
    [SASL     ]
    [protocol ]   →   [protocol   ]
    [...      ]       [(SASL sec.)]
                      [...        ]
Notes:
- Protocol with support for SASL include LDAP, IMAP, POP, SMTP, XMPP, MQTT, etc.
- SASL mechanisms include ANONYMOUS, PLAIN, EXTERNAL, etc.
- Some SASL mechanisms may install a SASL security layer (providing features such as encryption and/or integrity protection to the protocol). Nowadays, this is seen as redundant with the usage of TLS which should be used instead.
SASL Mechanism | Security Layer | Channel Binding | Description |
---|---|---|---|
GSSAPI | Optional (negotiated) | No | Kerberos 5 (no other mechanism) through the GSS-API (RFC 4752) |
GS2-* | No | No | GSS-API mechanisms via the GS2 bridge (without channel binding) |
GS2-*-PLUS | No | Yes | GSS-API mechanisms via the GS2 bridge (with channel binding) |
OAUTHBEARER | No | No | Oauth 2.0 Bearer token |
GSSAPI
               [Kerberos] [MS-NLMP ] [...     ]
    [Kerberos] [SPNEGO  ] [SPNEGO  ] [EAP     ]
    [GSS-API ] [GSS-API ] [GSS-API ] [GSS-API ]
    [SASL    ] [SASL    ] [SASL    ] [SASL    ]
    [...     ] [...     ] [...     ] [...     ]
     GSS-API    GSS-API    NTLM       GSS-API
     with       with       with       with EAP
     Kerberos   SPNEGO     SPNEGO     / SASL
     / SASL     / SASL     / SASL
Protocol | Description |
---|---|
GSSAPI (Generic Security Service API) | GSSAPI defines a Mechanism-Independent Token Format which is required for the initial token but optional for the other tokens |
SPNEGO (Simple and Protected Negotiation Mechanism) | Negotiation of GSSAPI mechanism to use |
Kerberos 5 for GSSAPI mechanism | |
GSS mechanism for EAP | |
Notes:
- GSS-API over SASL can use either the `GSSAPI` SASL mechanism or the newer `GS2-*` mechanisms (e.g. GS2-KRB5, GS2-KRB5-PLUS).
- The newer `GS2-*` mechanisms must not use mechanism negotiation (such as SPNEGO).
RADIUS and DIAMETER
                       [RADIUS  ]                       [Diameter] [Diameter]
    [RADIUS] [RADIUS]  [TLS     ] [Diameter] [Diameter] [TLS     ] [DTLS    ]
    [UDP   ] [TCP   ]  [TCP     ] [TCP     ] [SCTP    ] [TCP     ] [SCTP    ]
    [IP    ] [IP    ]  [IP      ] [IP      ] [IP      ] [IP      ] [IP      ]
     RADIUS   RADIUS    RADIUS     Diameter   Diameter   Diameter   Diameter
     /UDP     /TCP      /TLS       /TCP       /SCTP      /TLS       /DTLS
                        (RadSec)
Protocol | Port | SCTP PPID | Description |
---|---|---|---|
RADIUS (authentication and authorization) | UDP 1812, TCP 1812 | - | |
RADIUS Accounting | UDP 1813, TCP 1813 | - | |
RADIUS DynAuth | UDP 3799 | - | Disconnect and Change-of-Authorization (CoA) messages |
RADIUS over TLS (RadSec) | TCP 2083 | - | |
Diameter | TCP 3868, SCTP 3868 | 46 | |
Diameter over TLS/TCP | TCP 5658 | - | |
Diameter over DTLS/SCTP | SCTP 5658 | 47 |
NAT traversal
STUN and TURN
    [UDP app.    ]
    [STUN        ] [TURN        ] [TURN        ]     [TURN|app.]
    [(DTLS / TLS)] [(DTLS / TLS)] [(DTLS / TLS)]     [(TLS)    ]
    [UDP / TCP   ] [UDP / TCP   ] [UDP / TCP   ]     [TCP      ]
    [IP          ] [IP          ] [IP          ]  →  [IP       ]
     STUN           TURN (UDP)     TURN-TCP          TURN-TCP
                                                     connection
Protocol | Description |
---|---|
STUN (Session Traversal Utilities for NAT) | |
STUN with DTLS | |
TURN (Traversal Using Relays around NAT) | Extension of STUN for relaying communications (UDP applications) over UDP or TCP. |
TURN-TCP | Extension of TURN for relaying TCP applications (over TCP). TCP connections are allocated over a control TURN channel. Each TCP connection is transported over a new dedicated connection after an initial ConnectionBind TURN request (and response). |
ICE
                                    [SDP          ]
    [STUN (+TURN)] [SDP]            [HTTP         ] [STUN|app.     ]
    [(DTLS / TLS)] [SIP]            [TLS          ] [(DTLS) / (TLS)]
    [UDP / TCP   ] [TCP]            [TCP          ] [UDP / TCP     ]
    [IP          ] [IP ]            [IP           ] [IP            ]
     STUN, TURN     ICE candidate    ICE candidate   ICE communications
     (candidate     exchange         exchange        (direct)
     collection)    with SIP         with SDP/HTTPS
Protocol | Description |
---|---|
ICE (Interactive Connectivity Establishment) | Uses STUN, TURN and exchanges ICE candidates for establishing communications. |
ICE-TCP | Extends ICE for TCP streams. |
STUN | Used to help NAT traversal. |
TURN | Used for relaying communication when no direct communication are possible. |
SDP | May be used for exchanging ICE candidates (for example in SIP or WebRTC). Other methods may be used depending on the application (including non-SDP methods). |
Note:
- ICE connectivity checks (STUN Binding request/response) are exchanged directly between the peers on the media path, so some method must be used for multiplexing STUN and the application protocol. See for example RFC5764 section 5.1.2.
Example of ICE through TURN:
    [STUN¦app ]<------------------------>[STUN¦app]
    [TURN     ]<--->o[TURN    ]          [-       ]
    [TLS      ]<--->o[TLS     ]          [-       ]
    [TCP      ]<--->o[TCP |UDP]<-------->[UDP     ]
    [IP       ]<---->[IP      ]<-------->[IP      ]
     Appl. Peer       TURN server          Appl. Peer
     TURN client
Link Layer
Ethernet (802.1)
                                          [...  ]
    [IP|ARP|EAPOL]       [IP|ARP|...      |EAP  ]
                         [SNAP                  ]
                         [LLC                   ]
    [(802.1Q )   ]       [(802.1Q )             ]
    [(802.1ad )  ]       [(802.1ad )            ]
    [Ethernet MAC]       [Ethernet MAC          ]
    [Ethernet PHY]       [Ethernet PHY          ]
     Ethernet II          802.1 with SNAP
Ethernet PHY sublayers (since Fast Ethernet):
    [Ethernet PCS] [Ethernet PCS]  (PHY)
    [Ethernet PMA] [Ethernet PMA]  (PHY)
    [Ethernet PMD] [Ethernet PMD]  (PHY)
Protocol | EtherType | Description |
---|---|---|
PMD (Physical Medium Dependent sublayer) | - | Medium-specific transceiver, e.g. 100BASE-FX, 10GBASE-E, 10GBASE-L, 10GBASE-S, 10GBASE-LX4 |
PMA (Physical Medium Attachment sublayer) | - | Serialization, clock recovery, synchronization |
PCS (Physical Coding Sublayer) | - | Line coding (e.g. 4B/5B, 8B/10B, 64B/66B) and auto-negotiation |
ARP (Address Resolution Protocol) | 0x0806 | Mapping between MAC addresses and IP addresses |
802.1Q | 0x8100 | VLAN (Q-tag) |
802.1ad (Q-in-Q) | 0x88A8 | VLAN in VLAN (outer 802.1ad tag is the S-tag, service tag; inner 802.1Q tag is the C-tag, customer tag) |
802.1X (EAPOL) | 0x888E | Port authentication, used for WPA-Enterprise as well |
IPv4 | 0x0800 | |
IPv6 | 0x86DD | |
LLC (Logical Link Control) | (length ≤ 1500) | 802.2 header (DSAP/SSAP/control) carried in 802.3 frames, which have a length field (≤ 1500) where Ethernet II has an EtherType |
SNAP (Subnetwork Access Protocol) | - | Extension of LLC (DSAP/SSAP 0xAA) carrying an OUI and an EtherType; used on 802.11 and other 802 media |
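As an added example (not part of the original page), a Python parser for the Ethernet II header and the 802.1Q/802.1ad tag stack described in the table above: it walks every tag, reports the VLAN ID, priority and DEI of each, and distinguishes an EtherType from an 802.3 length field. The double-tagged sample frame is constructed by hand for this example (MAC addresses and VLAN IDs are made up); the names parse_ethernet and is_double_tagged are this example's own. The double-tag check is the one a switch port (or a monitoring tool) needs to spot VLAN-hopping frames arriving on an access port, where no tag should be present at all.

```python
import struct

ETH_P_8021Q = 0x8100   # C-tag
ETH_P_8021AD = 0x88A8  # S-tag (Q-in-Q)
TAG_TPIDS = (ETH_P_8021Q, ETH_P_8021AD)


def parse_ethernet(frame):
    """Parse an Ethernet frame header and its (possibly stacked) VLAN tags.

    Returns dst, src, the list of tags (tpid, pcp, dei, vid) from outermost to
    innermost, the final type field, whether it is an 802.3 length (LLC follows)
    rather than an EtherType, and the offset of the payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    off, tags = 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated type field")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in TAG_TPIDS:
            break
        if off + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)   # PCP(3) | DEI(1) | VID(12)
        tags.append({"tpid": etype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    return {"dst": dst, "src": src, "tags": tags,
            "type_field": etype,
            "llc": etype <= 1500,        # 802.3 length field: LLC header follows
            "payload_offset": off + 2}


def is_double_tagged(parsed):
    """True when two or more VLAN tags are stacked (Q-in-Q or a VLAN-hopping attempt)."""
    return len(parsed["tags"]) >= 2


# Constructed sample: broadcast frame, S-tag VID 100, C-tag VID 200, then IPv4.
SAMPLE_QINQ = bytes.fromhex(
    "ffffffffffff"      # dst
    "001122334455"      # src (made-up address)
    "88a8" "0064"       # 802.1ad S-tag, VID 100
    "8100" "00c8"       # 802.1Q C-tag, VID 200
    "0800"              # EtherType IPv4
) + bytes(20)           # placeholder payload

if __name__ == "__main__":
    p = parse_ethernet(SAMPLE_QINQ)
    print([t["vid"] for t in p["tags"]], hex(p["type_field"]), p["payload_offset"],
          "double-tagged" if is_double_tagged(p) else "single/untagged")
```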
Wifi (802.11)
    [...      ]
    [EAP      ]
    [EAPOL    ]   [IP |ARP                  ]
    [SNAP     ]   [SNAP                     ]  (Link)
    [LLC      ]   [LLC                      ]  (Link)
                  [(WEP / TKIP / CCMP / GCMP)] (Link)
    [Wifi MAC ]   [Wifi MAC                 ]  (Link)
    [Wifi PLCP]   [Wifi PLCP                ]  (Phy.)
    [Wifi PMD ]   [Wifi PMD                 ]  (Phy.)
     WPA-Enterprise
     Authentication (WPA-EAP)
Layer | Description |
---|---|
PMD (Physical Medium Dependent sublayer) | Radio/modulation variants (e.g. 802.11 FHSS, 802.11 DSSS, 802.11a OFDM, 802.11b HR/DSSS, 802.11g ERP) |
PLCP (Physical Layer Convergence Protocol sublayer) | Physical-layer framing (preamble and PLCP header) between the MAC and the PMD |
WEP (Wired Equivalent Privacy) | Obsolete encryption layer (RC4 with a CRC-32 integrity value); broken |
TKIP (Temporal Key Integrity Protocol) | Encryption layer of WPA (RC4 stream cipher with the “Michael” MIC); deprecated |
CCMP | Encryption layer of WPA2 (AES-128 in CCM mode) |
GCMP-256 | AES-256 in Galois/Counter mode, used by WPA3 (192-bit enterprise mode); WPA3-Personal still uses CCMP-128 |
LLC (Logical Link Control) | 802.2 header; 802.11 data frames never carry an EtherType directly |
SNAP (Subnetwork Access Protocol) | Carries the EtherType (e.g. IP, ARP, EAPOL) on top of LLC |
Access Point:
    [app.    ]<--------------------------->[app.    ]
    [TCP     ]<--------------------------->[TCP     ]
    [IP      ]<--------------------------->[IP      ]
    [SNAP    ]<--------------------------->[SNAP    ]
    [LLC     ]<--------------------------->[LLC     ]
    [sec. #1 ]<===>[sec. #1 | sec. #2]<===>[sec. #2 ]
    [Wifi MAC]<--->[Wifi MAC         ]<--->[Wifi MAC]
    [Wifi PHY]<--->[Wifi PHY         ]<--->[Wifi PHY]
     Station 1      Access Point            Station 2
Ethernet/Wireless bridge:
```
[app.    ]<------------------------------->[app.    ]
[TCP     ]<------------------------------->[TCP     ]
[IP      ]<------------------------------->[IP      ]
[SNAP    ]<----[SNAP                 ]
[LLC     ]<--->[LLC                  ]
[security]<===>[security             ]
[Wifi MAC]<--->[Wifi MAC \-/ Eth. MAC]<--->[Eth. MAC]
[Wifi PHY]<--->[Wifi PHY | Eth. PHY  ]<--->[Eth. PHY]
Station 1      Ethernet/Wireless bridge   Station 2
```
ATM
```
[... / ...]     [NLPID / SNAP]
[...      ]     [LLC         ]
[AAL5     ]     [AAL5        ]
[ATM      ]     [ATM         ]
[phy.     ]     [phy.        ]
VC Mux          LLC Encap.
```
References:
- Multiprotocol Encapsulation over AAL5, RFC 2684
PPP
Configuration:
```
                       [...        ]
[LCP]    [CCP]         [compression]
[PPP]    [PPP]         [PPP        ]
[...]    [...]    →    [...        ]
LCP      CCP and compression
```
Authentication:
```
                  [...]
[PAP]    [CHAP]   [EAP]
[PPP]    [PPP ]   [PPP]
[...]    [... ]   [...]
PAP      CHAP     EAP
```
Applications:
```
[IPCP|IPv4]    [IPv6CP|IPv6]
[PPP      ]    [PPP        ]
[...      ]    [...        ]
IPv4/PPP       IPv6/PPP
```
Transports:
```
                                          [...   ]
                                          [PPP   ]            [...]
[...   ]    [... ]    [...     ]          [(SNAP)]    [... ]  [PPP]
[PPP   ]    [PPP ]    [PPP     ]          [LLC   ]    [PPP ]  [SSH]
[HDLC  ]    [HDLC]    [PPPoE   ]          [AAL5  ]    [L2TP]  [TCP]
[RS-232]    [V.92]    [Ethernet]          [ATM   ]    [... ]  [IP ]
PPP/RS-232  PPP/PSTN  PPPoE               PPPoA       L2TP    PPP/SSH
```
Protocol | PPP Protocol | EtherType | Description |
---|---|---|---|
PPP (Point-to-Point Protocol) | - | - | |
LCP (Link Control Protocol) | 0xc021 | - | Link negotiation (MRU, authentication protocol, magic number, etc.) |
PAP (Password Authentication Protocol) | 0xc023 | - | Cleartext login/password: anyone on the path reads the credentials |
CHAP (Challenge-Handshake Authentication Protocol) | 0xc223 | - | Includes MS-CHAP and MS-CHAPv2 as well (same protocol number, different algorithm field). A captured CHAP-MD5 challenge/response is an offline dictionary-attack target and MS-CHAPv2 is cryptographically broken; run them only inside a protected tunnel (e.g. EAP-TTLS, PEAP) or use EAP directly |
EAP (Extensible Authentication Protocol) | 0xc227 | - | |
IPCP (IP Control Protocol) | 0x8021 | - | Configuration of the IPv4 address (and DNS servers) |
IPv4 | 0x0021 | - | |
IPv6CP (IPv6 Control Protocol) | 0x8057 | - | |
IPv6 | 0x0057 | - | |
CCP (Compression Control Protocol) | 0x80fd | - | |
PPPoA, PPP-over-ATM (AAL5) | - | - | |
PPPoE, PPP-over-Ethernet | - | 0x8863 (discovery), 0x8864 (session) | |
L2TP (Layer Two Tunneling Protocol) | - | - | UDP port 1701 |
HDLC-like framing (RFC 1662) for PPP | - | - | Flag 0x7e, byte stuffing with 0x7d, 16-bit (or 32-bit) FCS |
PPP over SSH | - | - | It's not a standard thing but you can do it. |
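The HDLC-like framing and the PAP exchange from the diagrams and table above, as an added example that is not code from the page. It frames a PAP Authenticate-Request (RFC 1334), stuffs and unstuffs bytes, checks the RFC 1662 FCS-16, and then shows what a passive observer of the serial link recovers. Assumptions: the default async control character map (every byte below 0x20 escaped), a 16-bit FCS, and a made-up login `alice` / `s3cret`.

```python
"""PPP in HDLC-like framing (RFC 1662) plus a PAP login (RFC 1334).

Added example, not from the page. The frame is constructed, not captured.
"""
from __future__ import annotations

import struct

FLAG, ESC, ADDR, CTRL = 0x7E, 0x7D, 0xFF, 0x03
# PPP protocol numbers from the table above.
PPP_PROTOCOLS = {
    0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP", 0xC227: "EAP", 0x80FD: "CCP",
    0x8021: "IPCP", 0x0021: "IPv4", 0x8057: "IPv6CP", 0x0057: "IPv6",
}


def fcs16(data: bytes, fcs: int = 0xFFFF) -> int:
    """RFC 1662 FCS-16 (CRC-16/X.25: reflected 0x1021, init 0xFFFF), bit by bit."""
    for b in data:
        fcs ^= b
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def frame(protocol: int, payload: bytes) -> bytes:
    """Address/control + protocol + payload + complemented FCS, byte-stuffed, flagged."""
    body = bytes([ADDR, CTRL]) + struct.pack("!H", protocol) + payload
    body += struct.pack("<H", fcs16(body) ^ 0xFFFF)        # FCS goes on the wire LSB first
    out = bytearray([FLAG])
    for b in body:
        if b in (FLAG, ESC) or b < 0x20:                   # default async-control-character map
            out += bytes([ESC, b ^ 0x20])
        else:
            out.append(b)
    out.append(FLAG)
    return bytes(out)


def unframe(wire: bytes) -> tuple[int, bytes]:
    """Undo byte stuffing, check the FCS residue, return (protocol, payload)."""
    inner = wire.strip(bytes([FLAG]))
    raw = bytearray()
    i = 0
    while i < len(inner):
        b = inner[i]
        if b == ESC:
            i += 1
            if i >= len(inner):
                raise ValueError("dangling escape")
            b = inner[i] ^ 0x20
        raw.append(b)
        i += 1
    if len(raw) < 5 or fcs16(raw) != 0xF0B8:              # "good FCS" residue over data + FCS
        raise ValueError("bad FCS")
    if raw[0] != ADDR or raw[1] != CTRL:
        raise ValueError("unexpected address/control field")
    if raw[2] & 1:                                          # protocol-field compression: one odd byte
        protocol, off = raw[2], 3
    else:
        (protocol,) = struct.unpack_from("!H", raw, 2)
        off = 4
    return protocol, bytes(raw[off:-2])


def pap_request(peer_id: bytes, password: bytes, ident: int = 1) -> bytes:
    """PAP Authenticate-Request: code 1, id, length, then two length-prefixed strings."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(data)) + data


def parse_pap(payload: bytes) -> dict:
    code, ident, length = struct.unpack_from("!BBH", payload, 0)
    if code != 1 or length > len(payload):
        return {"code": code}
    n = payload[4]
    peer = payload[5:5 + n]
    m = payload[5 + n]
    pw = payload[6 + n:6 + n + m]
    return {"code": code, "id": ident, "peer_id": peer.decode("latin-1"), "password": pw.decode("latin-1")}


def decode(wire: bytes) -> dict:
    """What a passive observer of the link sees: protocol name and, for PAP, the credentials."""
    proto, payload = unframe(wire)
    out = {"protocol": PPP_PROTOCOLS.get(proto, f"{proto:#06x}")}
    if proto == 0xC023:
        out.update(parse_pap(payload))
    return out


# Constructed example (not a capture): a PAP login on the link.
WIRE_PAP = frame(0xC023, pap_request(b"alice", b"s3cret"))
```

`fcs16` is the bitwise form of the table-driven `pppfcs16` in RFC 1662; the check value of `b"123456789"` after the final complement is 0x906E, and a frame with its complemented FCS appended always leaves the residue 0xF0B8. The FCS is an error-detection code only: it catches the corrupted frame in the test below but offers no protection against an attacker who recomputes it, which is why PAP credentials need a protected link rather than a stronger checksum.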
GPON (G.984)
Gigabit Passive Optical Network:
```
                                        [PWE3          ]
                      [SIP    |RTP   ]  [RTP           ]
                      [TCP    |UDP   ]  [UDP           ]
[IP                ]  [IP            ]  [IP            ]  [MEF-8         ]
[VLAN              ]  [VLAN          ]  [VLAN          ]  [VLAN          ]
[TDM|Eth. MAC      ]  [Eth. MAC      ]  [Eth. MAC      ]  [Eth. MAC      ]  [SDH           ]
[PLOAM|OMCI|ATM|GEM]  [GEM           ]  [GEM           ]  [GEM           ]  [GEM           ]
[GTC adaptation    ]  [GTC adaptation]  [GTC adaptation]  [GTC adaptation]  [GTC adaptation]
[GTC framing       ]  [GTC framing   ]  [GTC framing   ]  [GTC framing   ]  [GTC framing   ]
[GPM               ]  [GPM           ]  [GPM           ]  [GPM           ]  [GPM           ]
General stack         Voice (VoIP)      Voice with PWE3   Voice with MEF-8  Voice (TDM)
```
Protocol | Description |
---|---|
GPM (GPON Physical Media Dependent layer) | |
GTC framing (GPON Transmission Convergence layer) | |
PLOAM (Physical Layer Operations, Administration and Maintenance) | |
OMCI (ONU Management and Control Interface) | |
GEM (GPON Encapsulation Method) | |
TDM (Time Division Multiplexing) | Emulation of any TDM-based circuit |
PWE3 (Pseudo Wire Emulation Edge-to-Edge) | Frame Relay/ATM/Ethernet/TDM/SONET/SDH over IP or MPLS |
MEF-8 | Emulation of PDH circuits over (Metro) Ethernet |
References:
- G.984.1 : Gigabit-capable passive optical networks (GPON): General characteristics
- G.984.3 : Gigabit-capable passive optical networks (G-PON): Transmission convergence layer specification
XG-PON (G.987)
```
                                              [PWE3               ]
                       [SIP|RTP            ]  [RTP                ]
                       [TCP|UDP            ]  [UDP                ]
[IP                 ]  [IP                 ]  [IP                 ]  [MEF-8              ]
[802.1X|VLAN        ]  [VLAN               ]  [VLAN               ]  [VLAN               ]
[Eth. MAC      |MPLS]  [Eth. MAC           ]  [Eth. MAC           ]  [Eth. MAC           ]
[PLOAM|OMCI|XGEM    ]  [XGEM               ]  [XGEM               ]  [XGEM               ]
[XGTC framing       ]  [XGTC framing       ]  [XGTC framing       ]  [XGTC framing       ]
[XGTC PHY adaptation]  [XGTC PHY adaptation]  [XGTC PHY adaptation]  [XGTC PHY adaptation]
[XG-PON PMD         ]  [XG-PON PMD         ]  [XG-PON PMD         ]  [XG-PON PMD         ]
General stack          Voice (VoIP)           Voice with PWE3        Voice with MEF-8
```
References:
- G.987.1 : 10-Gigabit-capable passive optical networks (XG-PON): General requirements
- G.987.2 : 10-Gigabit-capable passive optical networks (XG-PON): Physical media dependent (PMD) layer specification
- G.987.3 : 10-Gigabit-capable passive optical networks (XG-PON): Transmission convergence (TC) layer specification
- Implementation Agreement for the Emulation of PDH Circuits over Metro Ethernet Networks
Phone
SS7
```
[...             ]  [...      ]  [...       ]  [...    ]  [...      ]
[ISUP|TCAP       ]  [TCAP     ]  [TCAP      ]  [TCAP   ]  [TCAP     ]
[TUP / ISUP|SCCP ]  [SUA |ISUP]  [SCCP      ]  [SCCP   ]  [SCCP|ISUP]
[MTP-3           ]  [-        ]  [MTP-3|ISUP]  [MTP-3  ]  [M3UA     ]
[MTP-2           ]  [-        ]  [M2PA      ]  [M2UA   ]  [-        ]
[MTP-1           ]  [(DTLS)   ]  [(DTLS)    ]  [(DTLS) ]  [(DTLS)   ]
                    [SCTP     ]  [SCTP      ]  [SCTP   ]  [SCTP     ]
                    [(IPsec)  ]  [(IPsec)   ]  [(IPsec)]  [(IPsec)  ]
                    [IP       ]  [IP        ]  [IP     ]  [IP       ]
SS7                 SUA          M2PA          M2UA       M3UA       ...
```
Some application protocols:
```
                                    [MAP  ]
                          [ISUP ]   [TCAP ]
[TUP  ]    [ISUP ]        [SCCP ]   [SCCP ]
[MTP-3]    [MTP-3]        [MTP-3]   [MTP-3]
[MTP-2]    [MTP-2]        [MTP-2]   [MTP-2]
[MTP-1]    [MTP-1]        [MTP-1]   [MTP-1]
TUP        ISUP           ISUP      MAP
                          /SCCP
```
Protocol | SCTP PPID | Description |
---|---|---|
MTP-1 (Message Transfer Part level 1) | - | Physical layer |
MTP-2 (Message Transfer Part level 2) | - | Link layer |
MTP-3 (Message Transfer Part level 3) | - | Network layer (routing on point codes) |
TUP (Telephone User Part) | - | Signalling for classic PSTN, mostly replaced by ISUP |
ISUP (ISDN User Part) | - | Call set-up and tear-down |
SCCP (Signalling Connection Control Part) | - | Global title routing and subsystem (SSN) addressing for TCAP users |
TCAP (Transaction Capabilities Application Part) | - | Transactions/dialogues for MAP, CAP and INAP |
CAP (CAMEL Application Part) | - | |
MAP (Mobile Application Part) | - | GSM/UMTS core network signalling (HLR/VLR/MSC, SMS, roaming) over TCAP |
SCTP (Stream Control Transmission Protocol) | - | Transport layer on top of IP used by all SIGTRAN adaptation layers |
SUA (SCCP User Adaptation) | 4 | Replaces SCCP when used over SCTP/IP (SCTP port 14001) |
M2UA (MTP2 User Adaptation Layer) | 2 | SCTP port 2904 |
M2PA (MTP2 User Peer-to-Peer Adaptation Layer) | 5 | SCTP port 3565 |
M3UA (MTP3 User Adaptation Layer) | 3 | SCTP port 2905 |
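Nothing below the application parts in these stacks authenticates the sender; DTLS or IPsec only protect the IP hop, so the practical control on an SS7/SIGTRAN border is screening on the MTP3 routing label. The parser below is an added example, not code from the page: it decodes the M3UA common header and parameters (RFC 4666, SCTP PPID 3 in the table above) and, for a TRANSFER/DATA message, extracts OPC, DPC and service indicator from the Protocol Data parameter for a minimal screening rule. It assumes the SCTP stream has already been reassembled; the message bytes, point codes 1234/5678, routing context 7 and the SCCP-looking user data are constructed, and `screen` is the author's toy rule, not a standard.

```python
"""M3UA (RFC 4666) header/parameter parser with a routing-label screening rule.

Added example, not from the page. The sample message is constructed, not captured.
"""
from __future__ import annotations

import struct

M3UA_VERSION = 1
MSG_CLASSES = {0: "MGMT", 1: "TRANSFER", 2: "SSNM", 3: "ASPSM", 4: "ASPTM", 9: "RKM"}
TRANSFER_DATA = 1
PARAM_ROUTING_CONTEXT = 0x0006
PARAM_NETWORK_APPEARANCE = 0x0200
PARAM_PROTOCOL_DATA = 0x0210
# MTP3 service indicators carried in the Protocol Data parameter
SERVICE_INDICATORS = {0: "SNM", 1: "MTN", 3: "SCCP", 4: "TUP", 5: "ISUP"}


def _param(tag: int, value: bytes) -> bytes:
    """TLV parameter: the length excludes padding, but the value is padded to 4 bytes."""
    length = 4 + len(value)
    return struct.pack("!HH", tag, length) + value + bytes((-length) % 4)


def build_data(opc: int, dpc: int, si: int, user_data: bytes, ni: int = 2, sls: int = 0,
               routing_context: int | None = None) -> bytes:
    """M3UA TRANSFER/DATA message carrying an MTP3-user PDU (used to build the sample)."""
    protocol_data = struct.pack("!IIBBBB", opc, dpc, si, ni, 0, sls) + user_data
    params = b""
    if routing_context is not None:
        params += _param(PARAM_ROUTING_CONTEXT, struct.pack("!I", routing_context))
    params += _param(PARAM_PROTOCOL_DATA, protocol_data)
    header = struct.pack("!BBBBI", M3UA_VERSION, 0, 1, TRANSFER_DATA, 8 + len(params))
    return header + params


def parse_m3ua(msg: bytes) -> dict:
    """Parse the common header and parameters; for DATA, expose the routing label."""
    if len(msg) < 8:
        raise ValueError("truncated M3UA header")
    version, _reserved, msg_class, msg_type, length = struct.unpack_from("!BBBBI", msg, 0)
    if version != M3UA_VERSION:
        raise ValueError(f"unsupported M3UA version {version}")
    if length != len(msg):
        raise ValueError("message length field does not match buffer")
    params = {}
    off = 8
    while off < len(msg):
        if off + 4 > len(msg):
            raise ValueError("truncated parameter header")
        tag, plen = struct.unpack_from("!HH", msg, off)
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad parameter length")
        params[tag] = msg[off + 4:off + plen]
        off += (plen + 3) & ~3                       # skip the padding too
    out = {"class": MSG_CLASSES.get(msg_class, msg_class), "type": msg_type, "params": params}
    if msg_class == 1 and msg_type == TRANSFER_DATA:
        pd = params.get(PARAM_PROTOCOL_DATA)
        if pd is None or len(pd) < 12:
            raise ValueError("DATA without a usable Protocol Data parameter")
        opc, dpc, si, ni, _mp, sls = struct.unpack_from("!IIBBBB", pd, 0)
        out.update({"opc": opc, "dpc": dpc, "si": SERVICE_INDICATORS.get(si, si),
                    "ni": ni, "sls": sls, "user_data": pd[12:]})
        if PARAM_ROUTING_CONTEXT in params and len(params[PARAM_ROUTING_CONTEXT]) == 4:
            (out["routing_context"],) = struct.unpack("!I", params[PARAM_ROUTING_CONTEXT])
    return out


def screen(msg: bytes, allowed_opcs: set[int], own_dpcs: set[int]) -> bool:
    """Toy SS7 firewall rule: DATA must come from a known OPC, be addressed to one of
    our DPCs and carry a service we route; malformed messages are dropped outright."""
    try:
        m = parse_m3ua(msg)
    except ValueError:
        return False
    if m["class"] != "TRANSFER":
        return True                  # ASP state management etc. is handled elsewhere
    return m["opc"] in allowed_opcs and m["dpc"] in own_dpcs and m["si"] in ("SCCP", "ISUP")


# Constructed sample (not captured): an SCCP PDU from point code 1234 to point code 5678.
SAMPLE_DATA = build_data(opc=1234, dpc=5678, si=3, user_data=b"\x09\x81\x03\x0e", routing_context=7)
```

Real screening also has to look one layer up (SCCP called/calling global titles, MAP operation codes), because a peer that is allowed to send SCCP can still send a hostile MAP operation; the point-code check is the floor, not the ceiling.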
References:
Mobile
User Equipment (i.e. the phone) stacks:
```
                     PDP contexts          PDP contexts           EPS bearers          PDU sessions
                        | |                   | |                    | |                  | |
          [SM      ]    ↓ ↓                   | |                    | |                  ↓ ↓
          [GMM     ] [IP / PPP] [CM|SM   ]    ↓ ↓      [LTE NAS ]    ↓ ↓     [5G NAS ] [IP|Eth.]
[CM     ] [SNDCP   ] [SNDCP   ] [MM|GMM  ] [IP / PPP ] [LTE RRC ] [IP / PPP] [5G RRC ] [SDAP   ]
[MM     ] [GPRS LLC] [GPRS LLC] [UMTS RRC] [UMTS PDCP] [LTE PDCP] [LTE PDCP] [5G PDCP] [5G PDCP]
[RRM    ] [GPRS RLC] [GPRS RLC] [UMTS RLC] [UMTS RLC ] [LTE RLC ] [LTE RLC ] [5G RLC ] [5G RLC ]
[LAPDm  ] [GPRS MAC] [GPRS MAC] [UMTS MAC] [UMTS MAC ] [LTE MAC ] [LTE MAC ] [5G MAC ] [5G MAC ]
[GSM PHY] [GSM PHY ] [GSM PHY ] [UMTS PHY] [UMTS PHY ] [LTE PHY ] [LTE PHY ] [5G PHY ] [5G PHY ]
CP        CP         UP         CP         UP          CP         UP         CP        UP
--------- --------------------- ---------------------- --------------------- -------------------
GSM (2G)  GPRS (2.5G)           UMTS (3G)              LTE (aka EPS) (4G)    5G NR (5G)
```
Authentication stacks at the user equipment:
```
                                                       [...     ]
                                                       [AVP     ]
                                            [mTLS   ]  [TLS     ]
                     [EAP-AKA]  [EAP-AKA']  [EAP-TLS]  [EAP-TTLS]
[EPS-AKA]  [5G-AKA]  [EAP    ]  [EAP     ]  [EAP    ]  [EAP     ]
[NAS    ]  [NAS   ]  [NAS    ]  [NAS     ]  [NAS    ]  [NAS     ]
EPS-AKA    5G-AKA    EAP-AKA    EAP-AKA'    EAP-TLS    EAP-TTLS
(4G)       (5G)      (5G)       (5G)        (5G)       (5G)
```
Notes:
- 5G primary authentication: access authentication between the UE and the home network (5G-AKA or EAP-AKA'; EAP-TLS is allowed for private networks), carried over NAS; the NAS and radio security contexts are derived from it.
- 5G secondary authentication: optional authentication of the UE towards an external data network (an enterprise or another operator's DN-AAA) when a PDU session is set up; it runs as EAP inside NAS and any EAP method may be used.
References:
Protocol | Description |
---|---|
LAPDm (Link Access Procedures on the Dm channel) | Link layer for GSM signalling on the Um (radio) interface, between the mobile station (i.e. the phone) and the BTS; LAPD proper runs on Abis between the BTS and the BSC |
RR aka RRM (Radio Resource Management) | |
MM (Mobility Management) | |
CM (Connection Management) | |
RLC (Radio Link Control) | |
LLC (Logical Link Control) | GPRS link layer between the MS and the SGSN (this is not the 802.2 LLC protocol used with Ethernet, Wifi, etc.) |
SNDCP (Subnetwork Dependent Convergence Protocol) | |
GMM (GPRS Mobility Management) | |
SM (Session Management) | |
PDCP (Packet Data Convergence Protocol) | Header compression (ROHC) plus ciphering (and, for signalling radio bearers, integrity protection) of the radio bearers |
RRC (Radio Resource Control) | |
NAS (Non-Access Stratum) | Signalling between the UE and the core network (MME in 4G, AMF in 5G), relayed transparently by the RAN; it has its own ciphering and integrity protection on top of the PDCP security |
SDAP (Service Data Adaptation Protocol) | Maps 5G QoS flows to data radio bearers (5G user plane only) |
References:
- PDP types
- PDU session types (5G)
- Extensible Authentication Protocol (EAP) in next-generation networks
- Long Term Evolution Protocol Overview
- SMS in 5GC
- ETSI TS 124 501, 5G NAS
- A Comparative Introduction to 4G and 5G Authentication
- 5G: focus on N3IWF, TNGF, TWIF and W-5GAN
Non-3GPP access
User equipment stacks for untrusted non-3GPP access (5G):
```
                                            PDU sessions
                                               | |
[EAP-AKA'     ]                                | |
[EAP / 5G-AKA ]                                ↓ ↓
[NAS          ]   [NAS   ]                  [IP|Eth.]   ← Application IP (IMS, data)
[EAP-5G       ]   [TCP   ]                  [GRE    ]
[EAP          ]   [IP    ]                  [IP     ]   ← Inner IP (connects to the N3IWF)
[IKEv2        ]   [ESP   ]   [IKEv2 ]       [ESP    ]
[UDP          ]   [(UDP) ]   [UDP   ]       [(UDP)  ]
[IP           ]   [IP    ]   [IP    ]       [IP     ]   ← Non-3GPP access network
[L2           ]   [L2    ]   [L2    ]       [L2     ]
[L1           ]   [L1    ]   [L1    ]       [L1     ]
CP                CP         UP             UP
(before SA        (after SA
establishment)    establishment)
```
Notes:
- ESP over UDP (port 4500) is used for NAT traversal.
- Different IPsec child SAs are established for:
  - the control plane (signalling), i.e. transporting NAS messages between the UE and the N3IWF;
  - the user plane (one child SA per PDU session, possibly per QoS flow), carrying the GRE-encapsulated user data.
- The N3IWF (Non-3GPP Interworking Function) is responsible for the interworking between the non-3GPP access and the 5G core: it terminates IKEv2/IPsec towards the UE and relays NAS to the AMF (N2) and user data to the UPF (N3).
User equipment stacks for untrusted non-3GPP access with firewall traversal (5G):
```
                                            PDU sessions
                                               | |
[EAP-AKA'     ]                                | |
[EAP / 5G-AKA ]                                ↓ ↓
[NAS          ]   [NAS   ]                  [IP|Eth.]   ← Application IP (IMS, data)
[EAP-5G       ]   [TCP   ]                  [GRE    ]
[EAP          ]   [IP    ]                  [IP     ]   ← Inner IP (connects to the N3IWF)
[IKEv2        ]   [ESP   ]   [IKEv2 ]       [ESP    ]
[TLS          ]   [TLS   ]   [TLS   ]       [TLS    ]
[TCP          ]   [TCP   ]   [TCP   ]       [TCP    ]
[IP           ]   [IP    ]   [IP    ]       [IP     ]   ← Non-3GPP access network
[L2           ]   [L2    ]   [L2    ]       [L2     ]
[L1           ]   [L1    ]   [L1    ]       [L1     ]
CP                CP         UP             UP
(before SA        (after SA
establishment)    establishment)
```
References:
- ETSI TS 123 402 v16
- A Tutorial on Trusted and Untrusted Non-3GPP Accesses in 5G Systems—First Steps Toward a Unified Communications Infrastructure
- Untrusted Non-3GPP Access Network Interworking with 5G Core
IMS
IMS (IP Multimedia Subsystem) is a SIP/IP-based service for transporting voice, SMS and video over 4G (VoLTE), 5G (VoNR) or non-3GPP access (VoWLAN / VoWiFi).
User equipment stacks for IMS:
```
[SMS    ]    [SDP  |A/V            ]
[SIP    ]    [SIP  |RTP     |RTCP  ]
[TCP    ]    [TCP  |UDP / TCP      ]
[IP     ]    [IP                   ]
SMS          Audio/Video calls
over IMS     over IMS
```
Notes:
- SMS may be transported over NAS as well.
References:
SMS
User equipment stacks for SMS:
```
[SM-AL  ]              [SMS   ]
[SM-TL  ]              [SIP   ]
[SM-RP  ]    [SMS ]    [TCP   ]
[SM-CP  ]    [NAS ]    [IP    ]
[CM     ]    [RRC ]    [(SDAP)]
[MM     ]    [PDCP]    [PDCP  ]
[RR     ]    [RLC ]    [RLC   ]
[LAPDm  ]    [MAC ]    [MAC   ]
[GSM PHY]    [PHY ]    [PHY   ]
SMS/GSM      SMS/NAS   SMS/IMS
(2G)         (4G/5G)   (4G/5G)
```
WAP
User equipment stacks for WAP (including MMS):
```
[WML | WMLScript | MMS]
[WSP                  ]   [XHTML MP|WAP CSS|MMS]
[(WTP)                ]   [(WP-)HTTP           ]
[(WTLS)               ]   [TLS                 ]
[WDP / UDP            ]   [(WP-)TCP            ]
[SMS / IP             ]   [IP                  ]
[... / ...            ]   [...                 ]
WAP 1                     WAP 2.0
```
Protocol | Description |
---|---|
Wireless Session Protocol (WSP) | Similar to HTTP |
Wireless Transaction Protocol (WTP) | Similar to TCP. Used for CO-WSP (Connection-oriented WSP), absent for CL-WSP (Connectionless WSP) |
Wireless Transport Layer Security (WTLS) | Protection (similar to TLS) |
Wireless Datagram Protocol (WDP) | Similar to UDP |
WML (Wireless Markup Language) | XML-based markup language, similar to HTML |
WMLScript | Scripting language based on ECMAScript but compiled to a bytecode |
XHTML MP (Mobile Profile) | |
WP-TCP | Profile of TCP |
WP-HTTP | Profile of HTTP |
References:
- Looking inside the MMS Exchange (With call flow and PCAP)
- WapProtocolFamily ~ Wireshark Wiki
- Wireless Datagram Protocol (WDP) ~ Wireshark Wiki
- Wireless Session Protocol (WSP) ~ Wireshark Wiki
- Wireless Datagram Protocol (WDP), v14
Devices
BlueTooth
```
 ACL                                    SCO
/-------------------------------------\ /---\
[IP                                         ]                        [IP |...                ]
[PPP|AT|Eth. MAC                            ]                        [HID|...                ]
[SDP |RFCOMM|BNEP |OBEX|HIDP|AVCTP|AVDTP    ]      [...       ]      [GATT |GAP              ]
                                                                     [ATT |SM|-              ]
[L2CAP                                |voice]      [L2CAP     ]      [L2CAP          |-      ]
------------------(HCI)----------------------      ---(HCI)----      ---------(HCI)------------  ↑ Host
[LMP|-                                      ]      [Wifi PAL  ]      [LE LL                  ]  ↓ Controller
[LCP                                        ]      [Wifi MAC  ]      [LE 1M / LE 2M / LE Coded]
[BR / EDR                                   ]      [Wifi PHY  ]
Bluetooth Classic                                  Bluetooth HS      Bluetooth Low Energy (BLE)
                                                   (High Speed)
```
Host/Controller interface (HCI) example (over USB):
```
[RFCOMM ]<-------------------------------------->[RFCOMM  ]
[L2CAP  ]<-------------------------------------->[L2CAP   ]
[HCI    ]<--->[HCI    |LMP     ]<--------------->[LMP     ]
[USB    ]<--->[USB    |LCP     ]<--------------->[LCP     ]
[USB PHY]     [USB PHY|BR / EDR]<--------------->[BR / EDR]
Host          Bluetooth Controller               Device
```
Protocol | Description |
---|---|
BR (Basic Rate) | 1 Mbit/s GFSK radio |
EDR (Enhanced Data Rate) | 2 and 3 Mbit/s PSK radio |
LE (Low Energy) 1M | |
LE (Low Energy) 2M | |
LE (Low Energy) Coded | Long-range PHY (S=2 / S=8 coding) |
LCP | Baseband / link controller |
LMP (Link Manager Protocol) | Link set-up, pairing/authentication and encryption control for BR/EDR; runs between controllers and is never seen by the host |
LE LL (LE Link Layer) | Counterpart of LMP and the baseband for BLE |
L2CAP (Logical Link Control and Adaptation Protocol) | Multiplexing, segmentation and reassembly |
SDP (Service Discovery Protocol) | |
RFCOMM (Radio frequency communication) | RS-232 port emulation |
BNEP (Bluetooth Network Encapsulation Protocol) | BNEP transports Ethernet traffic (but replaces the Ethernet header with its own header!) |
OBEX (Object Exchange) | |
HIDP (Bluetooth HID Protocol) | |
AVCTP (Audio/Video Control Transport Protocol) | |
AVDTP (Audio/Video Distribution Transport Protocol) | |
SM (Security Manager) | BLE pairing, key generation and key distribution (SMP) |
GAP (Generic Access Profile) | Discovery, connection establishment and security modes |
ATT (Attribute Protocol) | |
GATT (Generic Attribute Profile) | |
AT | Hayes modem AT commands |
HCI (Host Controller Interface) | Communication between the host and the Bluetooth controller |
Radio link types:
- ACL (Asynchronous Connection-Less), used for general data
- SCO (Synchronous Connection-Oriented), reserved time slots (used for voice data)
USB
```
[                                Eth|...|MIDI1   |MIDI1|MIDI2    ]
[Std. Req.|HID|BOT|UAS|UASP|CCID|CDC |USB-MIDI|USB-MIDI2 |IPP|...]
[USB protocol layer                                              ]
[USB physical layer                                              ]
```
Device Classes | Description |
---|---|
Standard Requests | Descriptors, set address, set configuration, etc. (USB chapter 9 device requests) |
HID (Human Interface Device) | Keyboards, mice, game controllers (the HID usage tables even define baseball bats and golf clubs), etc. |
MSC (Mass Storage Class) | USB stick, etc. |
CDC (Communications Device Class) | Serial ports (ACM), Ethernet adapters (ECM/NCM), modems |
IPP (Internet Printing Protocol) | IPP over USB (printers) |
MTP (Media Transfer Protocol) | |
CCID (Chip Card Interface Device) | Smartcards, YubiKeys, etc. |
DFU (Device Firmware Upgrade) | |
BOT (Bulk-Only Transport) | Mass storage transport: SCSI commands over bulk endpoints |
UAS (USB Attached SCSI) | |
UASP (USB Attached SCSI Protocol) | Not the same as UAS! |
References:
Notations
```
[JSON \-/ CBOR]   JSON/CBOR conversion
[HTTP \-/ CoAP]   HTTP/CoAP proxy/interworking
[(TLS) |(DTLS)]   Optional layers
[TCP | UDP    ]   TCP and UDP layers
[IPv4 / IPv6  ]   Either IPv4 or IPv6
[Eth. \-/ Wifi]   Ethernet/Wifi bridge
[STUN¦app     ]   STUN and some application protocol used together between the same peers
[HTTP+WebDAV  ]   HTTP with WebDAV
[TLS + PSK    ]   TLS with PSK key exchange
[ -           ]   Empty layer, not a protocol layer
[app.         ]   Some undefined application layer
[...          ]   Some protocol layer(s)
<----->           Bidirectional communications
<----->o          Client/server relation, etc.
------>           One-way communications
<=====>           Protected communications (usually both confidentiality and integrity)
<=-=-=>           Integrity-protected communications (possibly with anti-replay protection)
K                 Interface name
```
References
Assignments:
- Hypertext Transfer Protocol (HTTP) Upgrade Token Registry
- TLS Application-Layer Protocol Negotiation (ALPN) Protocol IDs
- SSH Connection Protocol Subsystem Names
- Assigned Internet Protocol Numbers
- Service Name and Transport Protocol Port Number Registry
- PPP DLL Protocol Numbers
- L2TPv3 Pseudowire Types
- EtherTypes
- Logical Link Control (LLC) Public Listing
- SCTP Payload Protocol Identifiers
- TLS exporter labels
- SIP Table of Mappings From Service Field Values to Transport Protocols
- Simple Authentication and Security Layer (SASL) Mechanisms
- Network Layer Protocol Identifiers (NLPIDs) of Interest
- SDP proto
- PPP Authentication Algorithms
- Session Description Protocol (SDP) Parameters ~ proto
DNS:
- RFC9539, Unilateral Opportunistic Deployment of Encrypted Recursive‑to‑Authoritative DNS
Samples:
- SampleCaptures from the Wireshark website
Misc:
- EventHelix, has a lot of nice sequence diagrams and other useful information
- RF Wireless World Tutorial
- USB Document Library