Protocol stack diagrams
Layers all the way down
Published:
Updated:
A collection of ASCII-art protocol stack diagrams.
They can be used as a base for doing quick diagrams. Feel free to copy/reuse/adapt them for your own purpose.
These diagrams are released as CC0 (“No Rights Reserved”).
2025-07-27: added a few things (SOAP, Varlink, HL7).
2025-12-04: add PSP.
2026-01-05: add details about TURN.
Table of contents
Concepts
Layers, PDUs and SDUs:
                N+1 PDU
[N+1 Layer]<----------------->[N+1 Layer]
     ↑                             ↑
     |  N SDU                      |
     ↓                             ↓
     o               N PDU         o  N SAP
[N Layer  ]<----------------->[N Layer  ]
     ↑                             ↑
     |  N-1 SDU                    |
     ↓                             ↓
     o               N-1 PDU       o  N-1 SAP
[N-1 Layer]<----------------->[N-1 Layer]
Switches, bridges/hubs, routers, proxy:
[app.    ]<------------------------------------------------>[app.]<-->[app.]
[TCP     ]<------------------------------------------------>[TCP ]<-->[TCP ]
[IP      ]<------------------------------>[IP          ]<-->[IP  ]<-->[IP  ]
[Eth. MAC]<---------------->[Eth. MAC]<-->[Eth. MAC|...]<-->[... ]<-->[... ]
[Eth. PHY]<-->[Eth. PHY]<-->[Eth. PHY]<-->[Eth. PHY|...]<-->[... ]<-->[... ]
              Hub           Switch/bridge Router            Proxy
OSI
L7 [Application ]<----------------------------------->[Application ]
L6 [Presentation]<----------------------------------->[Presentation]
L5 [Session     ]<----------------------------------->[Session     ]
L4 [Transport   ]<----------------------------------->[Transport   ]
L3 [Network     ]<-->[Network  ]<-->[Network  ]<-->[Network     ]
L2 [Data link   ]<-->[Data link]<-->[Data link]<-->[Data link   ]
L1 [Physical    ]<-->[Physical ]<-->[Physical ]<-->[Physical    ]
IP
[(DHCP)|DNS|app|DNS|app]   [(DHCPv6)|DNS|app|DNS|app]
[ICMP|IGMP|UDP     |TCP]   [ICMPv6+NDP+MLD|UDP  |TCP]
[IPv4              |ARP]   [IPv6                    ]
IP model:
[app.]<--------------------------------->[app.] (end to end)
[TCP ]<--------------------------------->[TCP ] (end to end)
[IP  ]<--->[IP ]<--->[IP ]<--->[IP ]<--->[IP  ]
[... ]<--->[...]<--->[...]<--->[...]<--->[... ] (local network layers)
           Router    Router    Router
IP transport protocols:
[app.]
[app.] [app.] [app.] [SCTP] [app.]
[app.] [app.] [app. ] [app.] [app.] [SCTP] [TLS ] [DTLS] [DTLS] [QUIC|TLS]
[TCP ] [UDP ] [UDP-lite] [DCCP] [SCTP] [UDP ] [TCP ] [UDP ] [UDP ] [UDP ]
[IP ] [IP ] [IP ] [IP ] [IP ] [IP ] [IP ] [IP ] [IP ] [IP ]
TCP UDP UDP-lite DCCP SCTP SCTP TLS DTLS SCTP QUIC
/UDP /TCP /UDP /DTLS
Application layers
DNS
[DNS ]
[DNS ] [DNS ] [Obliv. DNS]
[DNS ] [framing] [DNS ] [HTTP ] [DNS ] [HTTP ]
[DNS] [framing] [TLS ] [DTLS] [TLS / QUIC] [QUIC] [TLS / QUIC]
[UDP] [TCP ] [TCP ] [UDP ] [TCP / UDP ] [UDP ] [TCP / UDP ]
[IP ] [IP ] [IP ] [IP ] [IP ] [IP ] [IP ]
“Do53” “Do53” “DoT” “DoH” “DoQ” “ODoH”
DNS DNS DNS DNS DNS DNS Oblivious DNS
over over over over over over over
UDP TCP TLS DTLS HTTPS QUIC HTTPS
Notes
- DNS framing: when used on top of TCP or TLS, each DNS message is prefixed with its length as a 2-byte big-endian field (RFC 1035 section 4.2.2). The receiver therefore has to cut the byte stream back into messages, and several queries may be pipelined on one connection (RFC 7766).
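As an added example (not part of the original page), the following Python shows the 2-byte length prefix in practice from the point of view of a stub resolver or a DNS proxy that has to cut a TCP/TLS byte stream back into DNS messages. The query builder, the function names and the sample bytes are constructed for the demonstration; they are not from the page.

```python
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: 12-byte header + one question (QCLASS=IN, no EDNS)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP/TLS (RFC 1035 s4.2.2, RFC 7766): prefix the message with its
    length as a 2-byte big-endian integer. Over UDP the same bytes go unframed."""
    if not 0 < len(msg) <= 0xFFFF:
        raise ValueError("DNS message must be 1..65535 bytes")
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(buf: bytes):
    """Cut a TCP byte stream into complete DNS messages.

    Returns (messages, remainder). The remainder is the tail of an incomplete
    frame and must be kept until more bytes arrive: TCP has no message
    boundaries, so several DNS messages may share one segment and one message
    may span several. A length below 12 (the DNS header size) can never be a
    valid message; refusing it avoids silently desynchronising the stream.
    """
    messages, pos = [], 0
    while len(buf) - pos >= 2:
        (length,) = struct.unpack_from("!H", buf, pos)
        if length < 12:
            raise ValueError(f"invalid DNS frame length {length}")
        if len(buf) - pos - 2 < length:
            break  # incomplete frame: wait for more data
        messages.append(buf[pos + 2 : pos + 2 + length])
        pos += 2 + length
    return messages, buf[pos:]


if __name__ == "__main__":
    # Constructed stream: two framed queries followed by the first 5 bytes of a third.
    q1 = build_query("example.com")             # A record, 29 bytes
    q2 = build_query("example.net", qtype=28)   # AAAA record
    stream = frame_tcp(q1) + frame_tcp(q2) + frame_tcp(q1)[:5]
    msgs, rest = unframe_tcp(stream)
    print(len(msgs), "complete messages,", len(rest), "bytes pending")
```

The same `unframe_tcp` loop is what a DoT client needs on top of a TLS socket, since TLS records do not line up with DNS messages either.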
Oblivious DNS over HTTPS:
[DNS       ]<--------------------->o[DNS           ]<---->o[DNS]
[Obliv. DNS]<=====================>o[Obliv. DNS|-  ]
[HTTP      ]<--->o[HTTP      ]<--->o[HTTP      |-  ]
[TLS / QUIC]<===>o[TLS / QUIC]<===>o[TLS / QUIC|-  ]
[TCP / UDP ]<--->o[TCP / UDP ]<--->o[TCP / UDP |...]<----->[...]
[IP        ]<---->[IP        ]<---->[IP            ]<----->[IP ]
 Oblivious         Oblivious         Oblivious
 Client            Relay             Target
NTP
        ([NTP])
[NTP]   [TLS  ]
[UDP]   [TCP  ]
[IP ]   [IP   ]
 NTP     NTS
         KE
Notes:
- NTS-KE, Network Time Security Key Exchange
HTTP
                      [HTTP/1.x]  [HTTP/2]  [HTTP/3|TLS]
[HTTP/1.x]  [HTTP/2]  [TLS     ]  [TLS   ]  [QUIC      ]
[TCP     ]  [TCP   ]  [TCP     ]  [TCP   ]  [UDP       ]
[IP      ]  [IP    ]  [IP      ]  [IP    ]  [IP        ]
 HTTP/1.x    HTTP/2    HTTP/1.x    HTTP/2    HTTP/3
 w/o TLS     w/o TLS   over TLS    over TLS  (over QUIC)
             "h2c"                 "h2"      "h3"
 (HTTP)      (HTTP)    (HTTPS)     (HTTPS)   (HTTPS)
WebSocket
[WebSocket]  [WebSocket]  [WebSocket]
[HTTP/1.x ]  [HTTP/2   ]  [HTTP/3   ]
[(TLS)    ]  [(TLS)    ]  [QUIC     ]
[TCP      ]  [TCP      ]  [UDP      ]
[IP       ]  [IP       ]  [IP       ]
 WebSocket    WebSocket    WebSocket
 (HTTP/1.x)   (HTTP/2)     (HTTP/3)
Notes:
- with HTTP/1.x, an HTTP upgrade (a `GET` with `Upgrade: websocket`) turns the HTTP connection into a WebSocket connection;
- with HTTP/2, an extended `CONNECT` (with `:protocol = websocket`, RFC 8441) turns one HTTP/2 stream into a WebSocket stream;
- with HTTP/3, the same extended `CONNECT` (RFC 9220) turns one HTTP/3 stream into a WebSocket stream.
HTTP Datagrams
[datagram ]  [datagram]  [    datagram      ]
[Capsule  ]  [Capsule ]  [Capsule  |-       ]
[HTTP/1.x ]  [HTTP/2  ]  [HTTP/3   |H3 dgram]
[(TLS)    ]  [(TLS)   ]  [QUIC +dgram       ]
[TCP      ]  [TCP     ]  [UDP               ]
[IP       ]  [IP      ]  [IP                ]
 HTTP         HTTP        HTTP
 Datagrams    Datagrams   Datagrams
 (HTTP/1.x)   (HTTP/2)    (HTTP/3)
HTTP CONNECT proxy
Without HTTP/3 datagrams:
[application] [IP ] [application] [Eth. MAC ]
[UDP prox. ] [IP prox.|config.] [UDP-l prox.] [Eth. prox. ]
[application] [HTTP Datag.] [Capsule ] [HTTP Datag.] [HTTP Datag.]
[HTTP ] [HTTP ] [HTTP ] [HTTP ] [HTTP ]
[(TLS)/ QUIC] [(TLS)/ QUIC] [(TLS) / QUIC ] [(TLS)/ QUIC] [(TLS)/ QUIC]
[TCP / UDP ] [TCP / UDP ] [TCP / UDP ] [TCP / UDP ] [TCP / UDP ]
[IP. ] [IP ] [IP ] [IP ] [IP ]
TCP in HTTP UDP in HTTP IP in HTTP UDP-listen in HTTP Ethernet in HTTP
With HTTP/3 datagrams:
[app. ] [config.|IP ] [application ] [Eth. MAC ]
[UDP prox.] [Capsule|IP prox.] [UDP-listen prox.] [Eth. prox. ]
[HTTP/3|H3 dgram ] [HTTP/3 |H3 dgram] [HTTP/3|H3. dgram ] [HTTP/3|H dgram ]
[QUIC +dgram ] [QUIC +dgram ] [QUIC +dgram ] [QUIC +dgram ]
[UDP ] [UDP ] [UDP ] [UDP ]
[IP ] [IP ] [IP ] [IP ]
UDP in HTTP/3 IP in HTTP/3 UDP-listen in HTTP/3 Ethernet in HTTP/3
datagrams datagrams datagrams datagrams
WebTransport
[streams|datagrams]  [streams| datagrams ]
[-      |Capsule  ]  [-      |Capsule|-  ]
[HTTP/2           ]  [HTTP/3 |H3 dgram.  ]
[TLS              ]  [QUIC (+dgram)      ]
[TCP              ]  [UDP                ]
[IP               ]  [IP                 ]
 WebTransport         WebTransport
 (HTTP/2)             (HTTP/3)
File Transfer
[FTP ] [SFTP] [HTTP+WebDAV ] [SMB ]
[(TLS)] [SSH ] [(TLS) / QUIC] [SMB] [QUIC] [NFS]
[TCP ] [TCP ] [TCP / UDP ] [TCP] [UDP ] [TCP]
[IP ] [IP ] [IP ] [IP ] [IP ] [IP ]
FTP SFTP WebDAV SMB SMB NFSv4
/QUIC
Notes:
- FTPS (FTP over TLS) ≠ SFTP (a different protocol, running over SSH)!
- SFTP uses the "sftp" SSH subsystem.
- SMB over QUIC uses "smb" as ALPN.
LDAP
[LDAP       ]
[(SASL sec.)]
[(TLS)      ]
[TCP        ]
[IP         ]
 LDAP
UPnP
[Device/service desc.] [SOAP/1.1] [UPnP event] [UPnP event]
[XML ] [XML ] [XML ] [XML ]
[HTTP+SSDP ] [HTTP ] [HTTP ] [HTTP+GENA ] [HTTP+GENA ]
[UDP ] [TCP ] [TCP ] [TCP ] [UDP ]
[IP (mcast)] [IP ] [IP ] [IP ] [IP (mcast)]
Service Service Control Eventing Eventing
Discovery Description (RPC) (unicast) (multicast)
CoAP
[CoAP ]
[WebSocket ]
[CoAP ] [CoAP ] [HTTP ]
[(DTLS)] [(TLS)] [(TLS / DTLS)]
[UDP ] [TCP ] [TCP / UDP ]
[IP ] [IP ] [IP ]
CoAP CoAP/TCP CoAP/WS(S)
RPC
SOAP:
[SOAP+XOP ]
[SOAP ] [XML |...]
[XML ] [multipart ]
[HTTP ] [HTTP ] [SOAP ]
(TLS ) (TLS ) [XML ]
[TCP ] [TCP ] [email ]
[IP ] [IP ] [... ]
SOAP/HTTP SOAP/HTTP SOAP/email
with MTOM
Varlink:
[Varlink IDL]
[Varlink messages ]
[JSON ]
[NUL-framing ]
[TCP|UDS ]
[IP ]
Varlink
Query Languages
SPARQL:
[SPARQL     ]  [RDF           ]  [SPARQL res.     ]
[(multipart)]  [XML|Turtle|...]  [XML|JSON|CSV|TSV]
[HTTP       ]  [HTTP          ]  [HTTP            ]
[(TLS)      ]  [(TLS)         ]  [(TLS)           ]
[TCP        ]  [TCP           ]  [TCP             ]
[IP         ]  [IP            ]  [IP              ]
 SPARQL         RDF               SPARQL result
 request        response          response
 /HTTP          /HTTP             /HTTP
Multimedia
SIP, RTP, RTSP
Signaling:
[SDP ]
[(S/MIME) ]
[SDP ] [SDP ] [SIP ]
[SDP ] [SDP ] [SIP ] [(S/MIME)] [WebSocket]
[RTSP ] [(S/MIME) ] [S/MIME ] [SIP ] [HTTP ]
[(TLS)] [SIP ] [SIP ] [TLS ] [(TLS )]
[TCP ] [UDP / TCP / SCTP] [UDP / TCP / SCTP] [TCP ] [TCP ]
[IP ] [IP ] [IP ] [IP ] [IP ]
RTSP SIP Tunneling SIP SIP-TLS SIP/WebSocket
RTP (media transport):
[A/V     ]  [A/V       ]  [A/V            ]  [A/V            ]
[RTP|RTCP]  [SRTP|SRTCP]  [DTLS|SRTP|SRTCP]  [ZRTP|SRTP|SRTCP]
[UDP     ]  [UDP       ]  [UDP            ]  [UDP            ]
[IP      ]  [IP        ]  [IP             ]  [IP             ]
 RTP, RTCP   SRTP, SRTCP   DTLS-SRTP          ZRTP
Alternative transports for RTP:
[A/V] [A/V]
[A/V] [RTP|RTCP |RTP|RTCP ]
[RTP|RTCP ] [RoQ stream|RoQ Datag.]
[framing ] [QUIC ]
[TCP ] [UDP ]
[IP ] [IP ]
RTP over TCP RTP over QUIC (RoQ)
Notes:
- RTCP traditionally uses the next (odd) UDP port after the (even) one used by RTP. Nowadays, both tend to be multiplexed over the same port (RFC 5761).
- DTLS-SRTP uses a DTLS handshake with mutual authentication and the `use_srtp` extension to negotiate the SRTP protection profile, then switches to SRTP/SRTCP on the same port.
- The SRTP keys are exported from the DTLS session (using the "EXTRACTOR-dtls_srtp" exporter label, RFC 5764).
- RTP-over-QUIC uses "rtp-mux-quic" as ALPN.
Message multiplexing:
- A mix of (S)RTP, (S)RTCP, STUN, ZRTP and DTLS messages can be multiplexed over the same channel.
- RTP and RTCP can be distinguished using the M and PT fields (RFC 5761): the second byte of an RTCP packet holds its packet type (192..223), which corresponds to RTP payload types 64..95 with the marker bit set, a range that RTP never uses.
- ZRTP messages can be distinguished from (S)RTP messages because their first two bits (the RTP version) are zero.
- ZRTP messages can be distinguished from STUN messages because they use different magic cookies ("ZRTP" versus 0x2112A442).
- See RFC 5764 section 5.1.2 (updated by RFC 7983) for demultiplexing DTLS, RTP/RTCP, STUN, ZRTP and TURN ChannelData packets based on the first byte.
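To make the rules above concrete, here is an added example (not part of the original page) that classifies packets arriving on a multiplexed RTP port: it applies the first-byte ranges of RFC 5764 section 5.1.2 as extended by RFC 7983, then uses the magic cookies to tell STUN from ZRTP and the second byte (RFC 5761) to tell RTP from RTCP. The sample packets are constructed header bytes, not captures, and the function names are mine.

```python
STUN_MAGIC_COOKIE = 0x2112A442
ZRTP_MAGIC_COOKIE = 0x5A525450   # ASCII "ZRTP"


def classify_packet(pkt: bytes) -> str:
    """Classify one packet received on a multiplexed RTP/RTCP/STUN/DTLS port.

    First byte ranges (RFC 5764 s5.1.2, RFC 7983):
      0..3 STUN, 16..19 ZRTP, 20..63 DTLS, 64..79 TURN ChannelData, 128..191 RTP/RTCP.
    Everything else is left as 'unknown' rather than guessed.
    """
    if len(pkt) < 2:
        return "runt"
    b0 = pkt[0]
    if b0 <= 3:                       # STUN: version bits 00, two high bits of the type zero
        if len(pkt) >= 8 and int.from_bytes(pkt[4:8], "big") == STUN_MAGIC_COOKIE:
            return "STUN"
        return "unknown"              # pre-RFC 5389 STUN or garbage: do not guess
    if 16 <= b0 <= 19:                # ZRTP: RTP version 0 with bit 4 set
        if len(pkt) >= 8 and int.from_bytes(pkt[4:8], "big") == ZRTP_MAGIC_COOKIE:
            return "ZRTP"
        return "unknown"
    if 20 <= b0 <= 63:                # DTLS record content types (20 CCS, 21 alert, 22 hs, 23 app)
        return "DTLS"
    if 64 <= b0 <= 79:                # TURN ChannelData: channel numbers 0x4000..0x4FFF
        return "TURN-ChannelData"
    if 128 <= b0 <= 191:              # RTP version 2: RTP or RTCP
        # RFC 5761: RTCP packet types 192..223 sit where RTP carries M|PT;
        # they map to PT 64..95 with the marker bit, which RTP never uses.
        return "RTCP" if 192 <= pkt[1] <= 223 else "RTP"
    return "unknown"


# Constructed sample headers (payload bytes omitted or zeroed).
SAMPLES = {
    # STUN Binding Request: type 0x0001, length 0, magic cookie, 12-byte transaction ID
    "stun": bytes.fromhex("00010000 2112a442") + bytes(range(12)),
    # ZRTP Hello: 0x10 0x00, sequence number 1, "ZRTP" cookie, SSRC
    "zrtp": bytes.fromhex("10000001") + b"ZRTP" + bytes.fromhex("deadbeef"),
    # DTLS 1.2 record header: content type 22 (handshake), version 0xfefd, epoch, seq
    "dtls": bytes.fromhex("16fefd 0000 000000000000"),
    # TURN ChannelData: channel 0x4001, length 0
    "turn": bytes.fromhex("4001 0000"),
    # RTP: V=2, marker set + PT 96 (0xe0), seq 1, timestamp, SSRC
    "rtp": bytes.fromhex("80e0 0001 00000000 11223344"),
    # RTCP Sender Report: V=2, PT=200, length 6, SSRC
    "rtcp": bytes.fromhex("80c8 0006 11223344"),
}


def classify_all(samples=SAMPLES) -> dict:
    """Classify every sample; returns {name: classification}."""
    return {name: classify_packet(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, kind in classify_all().items():
        print(f"{name:5s} -> {kind}")
```

A real demultiplexer hands each class to a different parser (STUN to the ICE agent, DTLS to the DTLS state machine, RTP/RTCP to the SRTP unprotect path), so a misclassification here is both a robustness and a security issue: that is why the STUN and ZRTP branches insist on the magic cookie instead of trusting the first byte alone.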
WebRTC
[DCEP|data. chan.]
[DCEP|data. chan.] [SCTP |A/V ]
[SCTP |A/V ] [STUN|mDTLS |SRTP|SRTCP]
[STUN|mDTLS |SRTP|SRTCP] [framing ]
[SDP ] [UDP (+ ICE) ] [TCP (+ ICE) ]
[anything] [IP (+ ICE) ] [IP (+ ICE) ]
WebRTC WebRTC over UDP WebRTC over TCP
Signaling
Type of payloads:
[DCEP|data chan.]
[DCEP|data chan.] [A/V ] [SCTP ]
[A/V ] [SCTP ] [STUN|mDTLS|SRTP|SRTCP] [STUN|mDTLS ]
[STUN|mDTLS|SRTP|SRTCP] [STUN|mDTLS ] [framing ] [framing ]
[UDP (+ ICE) ] [UDP (+ICE) ] [TCP (+ ICE) ] [TCP (+ICE) ]
[IP (+ ICE) ] [IP (+ICE) ] [IP (+ ICE) ] [IP (+ICE) ]
WebRTC A/V streams WebRTC Data Channel WebRTC A/V streams WebRTC Data Channel
(DTLS-SRTP) (SCTP/DTLS) (DTLS-SRTP) (SCTP/DTLS)
proto=UDP/TLS/RTP/SAVPF proto=UDP/DTLS/SCTP proto=TCP/TLS/RTP/SAVPF proto=TCP/DTLS/SCTP
Example WebRTC stack with TURN tunneling:
[DCEP|data. chan.]
[SCTP |A/V ]
[STUN|mDTLS |SRTP|SRTCP]
[TURN ]
[(DTLS) ]
[UDP ]
[IP ]
WebRTC with TURN tunnel
Notes:
- In WebRTC, the DTLS peers authenticate each other with (usually self-signed) X.509 certificates whose fingerprints are exchanged through the signaling protocol (the `a=fingerprint` SDP attribute, optionally bound to an identity assertion carried in `a=identity`).
- The DCEP `DATA_CHANNEL_OPEN` message may specify a protocol identifier (from the WebSocket subprotocol registry) to be used on this channel.
- See RFC 5764 section 5.1.2 for demultiplexing of DTLS, RTP/RTCP and STUN packets.
- RTP/SAVPF combines RTP/SAVP (i.e., using SRTP) and RTP/AVPF (i.e., with RTCP-based feedback).
Healthcare
HL7
[HL7v2 ] [HL7v3|CDA] [FHIR ]
[ER7 |XML] [XML ] [XML|JSON] [FHIR ]
-------------------------------------------- [XML|JSON|Turtle]
[HTTP] [SFTP] [FTP] [HTTP ]
[MLLP ] (TLS ) [SSH ] (TLS) (TLS )
[TCP ] [MLLP ] [TCP ] [TCP ] [TCP] [TCP ]
[IP ] [serial] [IP ] [IP ] [IP] [IP ]
MLLP MLLP HL7 HL7 HL7 FHIR API
/TCP /serial /HTTP /SFTP /FTP
LLMs and agents
MCP
MCP (Model Context Protocol):
[MCP ]
[JSON-RPC]
[JSON ]
[MCP ] [(SSE) ]
[JSON-RPC ] [HTTP ]
[JSON ] [(TLS) ]
[LF-framing] [TCP ]
[STDIO ] [IP ]
MCP MCP
/STDIO /Streamable
HTTP
A2A
A2A (Agent-to-agent) protocol:
[A2A     ]
[JSON-RPC]  [A2A     ]
[JSON    ]  [Protobuf]  [A2A  ]
[(SSE)   ]  [gRPC    ]  [JSON ]
[HTTP    ]  [HTTP/2  ]  [HTTP ]
[(TLS)   ]  [TLS     ]  [(TLS)]
[TCP     ]  [TCP     ]  [TCP  ]
[IP      ]  [IP      ]  [IP   ]
 A2A         A2A         A2A
 /JSON-RPC   /gRPC       /JSON REST
Security Layers
TLS
TLS sublayers:
[Handshake | ChangeCipherSpec | Alert | Application]
[TLS Record Protocol: fragmentation                ]  [Handshake | Alert | Application       ]
[TLS Record Protocol: compression                  ]  [TLS Record Protocol: fragmentation    ]
[TLS Record Protocol: record protection            ]  [TLS Record Protocol: record protection]
[Transport layer                                   ]  [Transport layer                       ]
 TLS v1.2                                              TLS v1.3
Some protocol stacks using TLS:
[... ] [... ] [email] [email] [mTLS ]
[HTTP] [HTTP/3|TLS] [SMTP ] [IMAP ] [TLS|IP / Eth.] [EAP-TLS] [mTLS ]
[TLS ] [QUIC ] [TLS ] [TLS ] [OpenVPN ] [EAP ] [EAP-TLS]
[TCP ] [UDP ] [TCP ] [TCP ] [TCP / UDP ] [EAPOL ] [EAP ]
[IP ] [IP ] [IP ] [IP ] [IP ] [Wifi ] [PPP ]
HTTPS HTTPS SMTPS IMAPS OpenVPN WPA2-EAP PPP
(HTTP/3) with EAP-TLS with EAP-TLS
DTLS
Transports:
[app.]  [app.]  [app.]
[DTLS]  [DTLS]  [DTLS]
[UDP ]  [SCTP]  [DCCP]
[IP  ]  [IP  ]  [IP  ]
 DTLS    DTLS    DTLS
 over    over    over
 UDP     SCTP    DCCP
QUIC
[app.    ]  [app. streams|app. dgrams]
[QUIC|TLS]  [QUIC +dgram.        |TLS]
[UDP     ]  [UDP                     ]
[IP      ]  [IP                      ]
 QUIC        QUIC with QUIC datagrams
SSH
Applications:
[SFTP] [SSH]
[SSH ] [SSH ] [SOCKS|SSH] [SSH]
[TCP ] [TCP ] [TCP ] [TCP]
[IP ] [IP ] [IP ] [IP ]
SSH SFTP OpenSSH SSH
dynamic proxy ProxyJump
Alternative transports:
[SSH ]
[SSH] [SSH ] [VSOCK-MUX]
[UDS] [VSOCK] [UDS ]
SSH/UDS SSH/VSOCK SSH-to-VSOCK
through VSOCK-MUX
(firecracker)
Internal protocol stack:
[(GSS-API)|shell|command|forwarding]
[SSH Authentication Layer|SSH Connection Layer ]
[SSH Transport Layer ]
[TCP ]
[IP ]
VPNs and tunnels
IPSec
SA (Security Associations) establishment:
[... ]
[EAP ]
[IKEv2] [IKEv2]
[UDP ] [UDP ]
[IP ] [IP ]
IKEv2 IKEv2
w/ EAP
IPsec:
[UDP|TCP|...] [IP ]
[UDP|TCP|...] [IP] [UDP|TCP|...] [IP ] [ESP ] [ESP]
[AH ] [AH] [ESP ] [ESP] [UDP ] [UDP]
[IP ] [IP] [IP ] [IP ] [IP ] [IP ]
AH AH ESP ESP ESP/UDP ESP/UDP
Transport Tunnel Transport Tunnel Transport Tunnel
ESP transport mode:
[app.]<--------->[app.]
[TCP ]<--------->[TCP ]
[ESP ]<=========>[ESP ]
[IP  ]<--------->[IP  ]
correspondent    correspondent
ESP tunnel mode:
[app.]<------------------------------>[app.]
[TCP ]<------------------------------>[TCP ]
[IP  ]<-------->[IP ]<----->[IP ]<--->[IP  ]
                [ESP]<=====>[ESP]
                [IP ]<----->[IP ]
correspondent  Gateway     Gateway  correspondent
AH transport mode:
[app.]<--------->[app.]
[TCP ]<--------->[TCP ]
[AH  ]<--------->[AH  ]
[IP  ]<=-=-=-=-=>[IP  ]
correspondent    correspondent
AH tunnel mode:
[app.]<---------------------------->[app.]
[TCP ]<---------------------------->[TCP ]
[IP ]<-------->[IP]<----->[IP]<--->[IP ]
[AH]<----->[AH]
[IP]<=-=-=>[IP]
correspondent Gateway Gateway correspondent
PSP
[TCP ]  [UDP ]  [IPv4]  [IPv6]
[PSP ]  [PSP ]  [PSP ]  [PSP ]
[UDP ]  [UDP ]  [UDP ]  [UDP ]
[IP  ]  [IP  ]  [IP  ]  [IP  ]
 PSP transport   PSP tunnel
 mode            mode
VPNs
[IPv4|IPv6|(TLS)] [Eth. MAC|(TLS)] [IP ] [IP ] [Eth. MAC]
[OpenVPN ] [OpenVPN ] [WireGuard] [SSH ] [SSH ]
[TCP / UDP ] [TCP / UDP ] [UDP ] [TCP ] [TCP ]
[IP ] [IP ] [IP ] [IP ] [IP ]
OpenVPN IP OpenVPN Ethernet WireGuard OpenSSH OpenSSH
(TUN mode) (TAP mode) tunnel tunnel
(IP) (Ethernet)
[IP ]
[IP ] [IP ] [PPP ] [IP ]
[Capsule] [Capsule|- ] [SSTP ] [PPP ]
[HTTP ] [HTTP3 |H3 dgram.] [HTTP ] [HTTP ]
[(TLS) ] [QUIC +dgram.] [TLS ] [TLS ]
[TCP ] [UDP ] [TCP ] [TCP ]
[IP ] [IP ] [IP ] [IP ]
IP in HTTP IP in HTTP/3 MS-SSTP FortiSSL
Notes:
- OpenVPN does not run on top of TLS (i.e., TLS over TCP). TLS records are encapsulated in the OpenVPN protocol and only used for the control channel (handshake and key exchange). The tunneled IP packets or Ethernet frames are protected by OpenVPN's own data channel, not by TLS (there is no IP-over-TLS or Ethernet-over-TLS).
- MS-SSTP uses an `SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/` HTTPS request. The encapsulated protocol is chosen with the MS-SSTP Protocol ID field (0x0001 for PPP).
Simple Tunnels
[IP ] [IP ]
[GRE ] [GRE ]
[(UDP) ] [DTLS] [Eth. MAC]
[IP] [(AH / ESP)] [UDP ] [EtherIP ]
[IP] [IP ] [IP ] [IP ]
IP in IP GRE GRE-UDP-DTLS EtherIP
L2TPv3
Pseudowires:
[PPP ]  [Eth. MAC]  [Frame Relay]  [HDLC]  [ATM ]
[L2TP]  [L2TP    ]  [L2TP       ]  [L2TP]  [L2TP]
[... ]  [...     ]  [...        ]  [... ]  [... ]
Transports:
[... ]
[L2TP]
[... ] [SNAP] [... ]
[L2TP] [... ] [... ] [LLC ] [L2TP]
[UDP ] [L2TP] [L2TP ] [AAL5] [AAL5]
[IP ] [IP ] [Frame Relay] [ATM ] [ATM ]
L2TP L2TP L2TP L2TP L2TP
/UDP /IP /Frame Relay /ATM /ATM
(LLC) (VC mux)
Network virtualization
[Eth. MAC  ]  [Eth. / IP / ...]  [Eth. / IP / ...]
[VXLAN     ]  [GENEVE         ]  [GRE + Key ext. ]
[UDP       ]  [UDP            ]  [(UDP)          ]
[(AH / ESP)]  [(AH / ESP)     ]  [(AH / ESP)     ]
[IP        ]  [IP             ]  [IP             ]
 VXLAN         GENEVE            NVGRE
Authentication, authorization
EAP
TLS-based EAP methods:
[... ]
[EAP ] [PAP ] [CHAP ] [... ] [... ]
[AVP ] [AVP ] [AVP ] [EAP ] [EAP ]
[mTLS ] [TLS ] [TLS ] [TLS ] [TLS ] [TLS ]
[EAP-TLS] [EAP-TTLS] [EAP-TTLS] [EAP-TTLS] [PEAP] [TEAP]
[EAP ] [EAP ] [EAP ] [EAP ] [EAP ] [EAP ]
[... ] [... ] [... ] [... ] [... ] [... ]
EAP-TLS EAP PAP CHAP EAP EAP
over over over over over
EAP-TTLS EAP-TTLS EAP-TTLS PEAP TEAP
EAP transports:
[... ] [...] [... ] [... ]
[... ] [... ] [EAP ] [EAP] [EAP ] [EAP ]
[...] [EAP ] [EAP ] [PANA] [IKE] [RADIUS ] [Diameter ]
[EAP] [802.1X ] [802.1X] [UDP ] [UDP] [UDP / TCP] [TCP / SCTP]
[PPP] [Ethernet] [Wifi ] [IP ] [IP ] [IP ] [IP ]
EAP 802.1X WPA-EAP PANA EAP EAP over EAP/Diameter
for for RADIUS
PPP IKE
Example full protocol stacks:
[EAP-MSCHAPV2]
[EAP ]
[mTLS ] [TLS ]
[EAP-TLS] [TEAP ]
[EAP ] [EAP ]
[802.1X ] [802.1X ]
[Wifi ] [Wifi ]
WPA-EAP WPA-EAP
with with
EAP-TLS TEAP
and MSCHAPv2
Kerberos
[Kerberos]
[MS-KKDCP]
[HTTP ]
[Kerberos] [TLS ]
[UDP/TCP ] [TCP ]
[IP ] [IP ]
Kerberos MS-KKDCP
SASL
General SASL stack:
[mechanism]
[SASL     ]
[protocol ]      [protocol   ]
[...      ]  →   [(SASL sec.)]
                 [...        ]
Notes:
- Protocols with support for SASL include LDAP, IMAP, POP, SMTP, XMPP, MQTT, etc.
- SASL mechanisms include ANONYMOUS, PLAIN, EXTERNAL, SCRAM-SHA-256, GSSAPI, etc.
- Some SASL mechanisms may install a SASL security layer (providing features such as encryption and/or integrity protection to the protocol). Nowadays, this is seen as redundant with the usage of TLS which should be used instead.
GSSAPI
[Kerberos] [MS-NLMP ] [... ]
[Kerberos] [SPNEGO ] [SPNEGO ] [EAP ]
[GSS-API ] [GSS-API ] [GSS-API ] [GSS-API]
[SASL ] [SASL ] [SASL ] [SASL ]
[... ] [... ] [... ] [... ]
 GSS-API    GSS-API    NTLM         GSS-EAP
 with       with       with SPNEGO  /SASL
 Kerberos   SPNEGO     /SASL
 / SASL     /SASL
Notes:
- GSS-API over SASL can use either the `GSSAPI` SASL mechanism or the newer `GS2-*` mechanisms (e.g., GS2-KRB5, GS2-KRB5-PLUS; RFC 5801).
- The newer `GS2-*` mechanisms must not be used with mechanism negotiation (such as SPNEGO); the SASL mechanism name already selects the GSS-API mechanism.
RADIUS and DIAMETER
[RADIUS] [Diameter] [Diameter]
[RADIUS] [RADIUS] [TLS ] [Diameter] [Diameter] [TLS ] [DTLS ]
[UDP ] [TCP ] [TCP ] [TCP ] [SCTP ] [TCP ] [SCTP ]
[IP ] [IP ] [IP ] [IP ] [IP ] [IP ] [IP ]
RADIUS RADIUS RADIUS Diameter Diameter Diameter Diameter
/UDP /TCP /TLS /TCP /SCTP /TLS /DTLS
(RadSec)
NAT traversal
STUN and TURN
[App. ] [App. ]
[STUN ] [TURN ] [TURN ]
[(DTLS / TLS)] [(DTLS / TLS)] [(TLS)]
[UDP / TCP ] [UDP / TCP ] [TCP ]
[IP ] [IP ] [IP ]
STUN TURN (UDP) TURN-TCP
TURN:
Client's Client's Peer's Peer's
Host Reflexive Reflexive Host
Transport Transport Transport Transport
Address Address Address Address
| | | |
| | TURN Server's Relayed | |
| | Transport Transport | |
| | Address Address | |
| | | | | |
| | | | | |
[App. ]<------------------------------------------->[App.]
[STUN ]<--------->[STUN ]
([TLS / DTLS]<=========>[TLS / DTLS ])
[TCP / UDP ]<->[...]<->[TCP / UDP | UDP ]<----->[UDP]<->[UDP]
[IP ]<->[IP ]<->[IP ]<----->[IP ]<->[IP ]
STUN client NAT STUN server (NAT) Peer
TURN-TCP:
Client's Client's Peer's Peer's
Host Reflexive Reflexive Host
Transport Transport Transport Transport
Address Address Address Address
| | | |
| | TURN Server's Relayed | |
| | Transport Transport | |
| | Address Address | |
| | | | | |
| | | | | |
[App. ]<------------------------------------------>[App.]
[STUN ]<--------->[STUN ]
([TLS ]<=========>[TLS ])
[TCP ]<->[TCP]<->[TCP | TCP ]<----->[TCP]<->[TCP]
[IP ]<->[IP ]<->[IP ]<----->[IP ]<->[IP ]
STUN client NAT STUN server (NAT) Peer
ICE
[SDP ]
[STUN (+TURN)] [SDP] [HTTP] [STUN|app. ]
[(DTLS / TLS)] [SIP] [TLS ] [(DTLS)/ (TLS)]
[UDP / TCP ] [TCP] [TCP ] [UDP / TCP ]
[IP ] [IP ] [IP ] [IP ]
STUN, TURN ICE candidate ICE candidates ICE communications
(candidate exchange exchange (direct)
collection) with SIP with SDP/HTTPS
Example of ICE through TURN:
[STUN¦app]<----------------------->[STUN¦app]
[TURN    ]<--->o[TURN    ]         [-       ]
[TLS     ]<===>o[TLS     ]         [-       ]
[TCP     ]<--->o[TCP |UDP]<------->[UDP     ]
[IP      ]<---->[IP      ]<------->[IP      ]
 Appl. Peer      TURN server        Appl. Peer
 TURN client
Link Layer
Ethernet (802.3)
[...         ]  [IP|ARP|...  ]
[EAP         ]  [SNAP        ]
[IP|ARP|EAPOL]  [LLC         ]
[(802.1Q)    ]  [(802.1Q)    ]
[(802.1ad)   ]  [(802.1ad)   ]
[Ethernet MAC]  [Ethernet MAC]
[Ethernet PHY]  [Ethernet PHY]
 Ethernet II     802.3 with 802.2 LLC/SNAP
Ethernet PHY sublayers (since Fast Ethernet):
[Ethernet PCS]  [Ethernet PCS]  (PHY)
[Ethernet PMA]  [Ethernet PMA]  (PHY)
[Ethernet PMD]  [Ethernet PMD]  (PHY)
Wifi (802.11)
[... ]
[EAP ]
[EAPOL ] [IP |ARP]
[SNAP ] [SNAP ] (Link)
[LLC ] [LLC ] (Link)
[(WEP / TKIP / CCMP / GCMP)] (Link)
[Wifi MAC ] [Wifi MAC ] (Link)
[Wifi PLCP] [Wifi PLCP ] (Phy.)
[Wifi PMD ] [Wifi PMD ] (Phy.)
WPA-Enterprise
Authentication
(WPA-EAP)
Access Point:
[app.    ]<--------------------------->[app.    ]
[TCP     ]<--------------------------->[TCP     ]
[IP      ]<--------------------------->[IP      ]
[SNAP    ]<--------------------------->[SNAP    ]
[LLC     ]<--------------------------->[LLC     ]
[sec. #1 ]<===>[sec. #1 | sec. #2]<===>[sec. #2 ]
[Wifi MAC]<--->[Wifi MAC         ]<--->[Wifi MAC]
[Wifi PHY]<--->[Wifi PHY         ]<--->[Wifi PHY]
 Station 1      Access Point            Station 2
Ethernet/Wireless bridge:
[app.    ]<------------------------------->[app.    ]
[TCP     ]<------------------------------->[TCP     ]
[IP      ]<------------------------------->[IP      ]
[SNAP    ]<--->[SNAP                 ]
[LLC     ]<--->[LLC                  ]
[security]<===>[security             ]
[Wifi MAC]<--->[Wifi MAC \-/ Eth. MAC]<--->[Eth. MAC]
[Wifi PHY]<--->[Wifi PHY  |  Eth. PHY]<--->[Eth. PHY]
 Station 1      Ethernet/Wireless bridge    Station 2
ATM
[... / ...]
[NLPID / SNAP]
[... ] [LLC ]
[AAL5] [AAL5 ]
[ATM ] [ATM ]
[phy. ] [phy. ]
VC Mux LLC Encap.
PPP
Configuration:
[... ]
[LCP] [CCP] [compression]
[PPP] [PPP] [PPP ]
[...] [...] → [... ]
LCP CCP and compression
Authentication:
[...]
[PAP] [CHAP] [EAP]
[PPP] [PPP ] [PPP]
[...] [... ] [...]
PAP CHAP EAP
Applications:
[IPCP|IPv4]  [IPv6CP|IPv6]
[PPP      ]  [PPP        ]
[...      ]  [...        ]
 IPv4/PPP     IPv6/PPP
Transports:
[... ]
[PPP ] [...]
[... ] [... ] [... ] [(SNAP)] [... ] [PPP]
[PPP ] [PPP ] [PPP ] [LLC ] [PPP ] [SSH]
[HDLC ] [HDLC] [PPPoE ] [AAL5 ] [L2TP] [TCP]
[RS-232] [V.92] [Ethernet] [ATM ] [... ] [IP ]
PPP/RS-232 PPP/PSTN PPPoE PPPoA L2TP PPP
/SSH
GPON (G.984)
Gigabit Passive Optical Network:
[PWE3 ]
[SIP |RTP ] [RTP ]
[TCP |UDP ] [UDP ]
[IP ] [IP ] [IP ] [MEF-8 ]
[VLAN ] [VLAN ] [VLAN ] [VLAN ]
[TDM|Eth. MAC] [Eth. MAC ] [Eth. MAC ] [Eth. MAC ] [SDH ]
[PLOAM|OMCI|ATM|GEM ] [GEM ] [GEM ] [GEM ] [GEM ]
[GTC adaptation ] [GTC adaptation] [GTC adaptation] [GTC adaptation] [GTC adaptation]
[GTC framing ] [GTC framing ] [GTC framing ] [GTC framing ] [GTC framing ]
[GPM ] [GPM ] [GPM ] [GPM ] [GPM ]
General stack Voice (VoIP) Voice with PWE3 Voice with MEF-8 Voice (TDM)
XG-PON (G.987)
[PWE3 ]
[SIP|RTP ] [RTP ]
[TCP|UDP ] [UDP ]
[IP ] [IP ] [IP ] [MEF-8 ]
[802.1X|VLAN] [VLAN ] [VLAN ] [VLAN ]
[Eth. MAC |MPLS] [Eth. MAC ] [Eth. MAC ] [Eth. MAC ]
[PLOAM|OMCI|XGEM ] [XGEM ] [XGEM ] [XGEM ]
[XGTC framing ] [XGTC framing ] [XGTC framing ] [XGTC framing ]
[XGTC PHY adaptation ] [XGTC PHY adaptation] [XGTC PHY adaptation] [XGTC PHY adaptation]
[XG-PON PMD ] [XG-PON PMD ] [XG-PON PMD ] [XG-PON PMD ]
General stack Voice (VoIP) Voice with PWE3 Voice with MEF-8
Phone
SS7
[... ] [... ] [... ] [... ] [... ]
[ISUP|TCAP] [TCAP] [TCAP ] [TCAP ] [TCAP]
[TUP / ISUP|SCCP ] [SUA |ISUP] [SCCP ] [SCCP ] [SCCP|ISUP]
[MTP-3 ] [- ] [MTP-3|ISUP] [MTP-3 ] [M3UA ]
[MTP-2 ] [- ] [M2PA ] [M2UA ] [ - ]
[MTP-1 ] [(DTLS) ] [(DTLS) ] [(DTLS) ] [(DTLS) ]
[SCTP ] [SCTP ] [SCTP ] [SCTP ]
[(IPSec) ] [(IPSec) ] [(IPSec)] [(IPSec) ]
[IP ] [IP ] [IP ] [IP ]
SS7 SUA M2PA M2UA M3UA ...
Some application protocols:
[MAP ]
[ISUP ] [TCAP ]
[TUP ] [ISUP ] [SCCP ] [SCCP ]
[MTP-3] [MTP-3] [MTP-3] [MTP-3]
[MTP-2] [MTP-2] [MTP-2] [MTP-2]
[MTP-1] [MTP-1] [MTP-1] [MTP-1]
TUP ISUP ISUP MAP
/SCCP
Mobile
User Equipment (i.e., the phone) stacks:
PDP contexts PDP contexts EPS bearers PDU sessions
| | | | | | | |
[SM ] ↓ ↓ | | | | ↓ ↓
[GMM ] [IP / PPP] [CM|SM ] ↓ ↓ [LTE NAS ] ↓ ↓ [5G NAS ] [IP|Eth.]
[CM ] [SNDCP ] [SNDCP ] [MM|GMM ] [IP / PPP ] [LTE RRC ] [IP / PPP] [5G RRC ] [SDAP ]
[MM ] [GPRS LLC] [GPRS LLC] [UMTS RRC] [UMTS PDCP] [LTE PDCP] [LTE PDCP] [5G PDCP] [5G PDCP]
[RRM ] [GPRS RLC] [GPRS RLC] [UMTS RLC] [UMTS RLC ] [LTE RLC ] [LTE RLC ] [5G RLC ] [5G RLC ]
[LAPDm ] [GPRS MAC] [GPRS MAC] [UMTS MAC] [UMTS MAC ] [LTE MAC ] [LTE MAC ] [5G MAC ] [5G MAC ]
[GSM PHY] [GSM PHY ] [GSM PHY ] [UMTS PHY] [UMTS PHY ] [LTE PHY ] [LTE PHY ] [5G PHY ] [5G PHY ]
CP CP UP CP UP CP UP CP UP
-------- --------------------- ---------------------- --------------------- -----------------
GSM (2G) GPRS (2.5G) UMTS (3G) LTE (aka EPS) (4G) 5G NR (5G)
Authentication stacks at the user equipment:
[... ]
[AVP ]
[mTLS ] [TLS ]
[EAP-AKA] [EAP-AKA'] [EAP-TLS] [EAP-TTLS]
[EPS-AKA] [5G-AKA] [EAP ] [EAP ] [EAP ] [EAP ]
[NAS ] [NAS ] [NAS ] [NAS ] [NAS ] [NAS ]
EPS-AKA 5G-AKA EAP-AKA EAP-AKA' EAP-TLS EAP-TTLS
(4G) (5G) (5G) (5G) (5G) (5G)
Notes:
- 5G primary authentication (5G-AKA or EAP-AKA') is the access authentication between the UE and the home network; it derives the keys protecting NAS and the radio interface;
- 5G secondary authentication (EAP, e.g., EAP-TLS or EAP-TTLS) is run at PDU session establishment against an external data network (DN-AAA) that is not operated by the serving operator.
Non-3GPP access
User equipment stacks for untrusted non-3GPP access (5G):
PDU sessions
| |
[EAP-AKA] | |
[EAP / 5G-AKA] ↓ ↓
[NAS ] [NAS ] [IP|Eth.] ← Application IP (IMS, data)
[EAP-5G ] [TCP ] [GRE ]
[EAP ] [IP ] [IP ] ← Inner IP (connect to the N3IWF)
[IKEv2 ] [ESP ] [IKEv2] [ESP ]
[UDP ] [(UDP)] [UDP ] [(UDP) ]
[IP ] [IP ] [IP ] [IP ] ← Non-3GPP Access Network
[L2 ] [L2 ] [L2 ] [L2 ]
[L1 ] [L1 ] [L1 ] [L1 ]
CP CP UP UP
(before SA) (after SA) establishment
Notes:
- ESP/UDP may be used for NAT traversal.
- Different IPsec SAs are established for:
  - the control plane (signaling), i.e., transporting NAS messages (over TCP inside the SA);
  - the user plane (one or more child SAs per PDU session, depending on the QoS flows), carrying the PDU session traffic in GRE.
- N3IWF (Non-3GPP Interworking Function) is responsible for the interworking between the non-3GPP access and the 5G core.
User equipment stacks for untrusted non-3GPP access with firewall traversal (5G):
PDU sessions
| |
[EAP-AKA] | |
[EAP / 5G-AKA] ↓ ↓
[NAS ] [NAS] [IP|Eth.] ← Application IP (IMS, data)
[EAP-5G ] [TCP] [GRE ]
[EAP ] [IP ] [IP ] ← Inner IP (connect to the N3IWF)
[IKEv2 ] [ESP] [IKEv2] [ESP ]
[TLS ] [TLS] [TLS ] [TLS ]
[TCP ] [TCP] [TCP ] [TCP ]
[IP ] [IP ] [IP ] [IP ] ← Non-3GPP Access Network
[L2 ] [L2 ] [L2 ] [L2 ]
[L1 ] [L1 ] [L1 ] [L1 ]
CP CP UP UP
(before SA) (after SA) establishment
IMS
IMS (IP Multimedia Subsystem) is a SIP/IP-based service for transporting voice, SMS and video over 4G (VoLTE), 5G (VoNR) or non-3GPP access (VoWiFi).
User equipment stacks for IMS:
[SMS]  [SDP|A/V       ]
[SIP]  [SIP|RTP  |RTCP]
[TCP]  [TCP|UDP / TCP ]
[IP ]  [IP            ]
 SMS    Audio/Video calls
 over   over IMS
 IMS
Notes:
- SMS may be transported over NAS as well.
SMS
User equipment stacks for SMS:
[SM-AL  ]           [SMS   ]
[SM-TL  ]           [SIP   ]
[SM-RP  ]  [SMS ]   [TCP   ]
[SM-CP  ]  [NAS ]   [IP    ]
[CM     ]  [RRC ]   [(SDAP)]
[MM     ]  [PDCP]   [PDCP  ]
[RR     ]  [RLC ]   [RLC   ]
[LAPDm  ]  [MAC ]   [MAC   ]
[GSM PHY]  [PHY ]   [PHY   ]
 SMS/GSM    SMS/NAS  SMS/IMS
 (2G)       (4G/5G)  (4G/5G)
WAP
User equipment stacks for WAP (including MMS):
[WML | WMLScript | MMS]
[WSP                  ]  [XHTML MP|WAP CSS|MMS]
[(WTP)                ]  [(WP-)HTTP           ]
[(WTLS)               ]  [TLS                 ]
[WDP / UDP            ]  [(WP-)TCP            ]
[SMS / IP             ]  [IP                  ]
[... / ...            ]  [...                 ]
 WAP 1                    WAP 2.0
Devices
BlueTooth
ACL SCO
/--------------------------------------------\ /---\
[IP ] [IP |... ] [HID|...]
[PPP|AT|Eth. MAC] [GATT |GAP ]
[SDP |RFCOMM|BNEP |OBEX|HIDP|AVCTP|AVDTP] [... ] [ATT |SM|- ]
[L2CAP |voice] [L2CAP ] [L2CAP |- ] ↑Host
------------------(HCI)------------------------------- ---(HCI)--- ---(HCI)------------------
[LMP|- ] [Wifi PAL ] ↓Controller
[LCP ] [Wifi MAC ] [LE LL ]
[BR / EDR ] [Wifi PHY ] [LE 1M / LE 2M / LE Coded]
Bluetooth Classic Bluetooth HS Bluetooth Low Energy (BLE)
(High Speed)
Host/Controller interface (HCI) example (over USB):
[RFCOMM ]<--------------------------------------->[RFCOMM  ]
[L2CAP  ]<--------------------------------------->[L2CAP   ]
[HCI    ]<--->[HCI     |LMP     ]<--------------->[LMP     ]
[USB    ]<--->[USB     |LCP     ]<--------------->[LCP     ]
[USB PHY]<--->[USB PHY |BR / EDR]<--------------->[BR / EDR]
 Host          Bluetooth Controller                Device
Radio link types:
- ACL (Asynchronous Connection-Less), used for general data
- SCO (Synchronous Connection-Oriented), reserved time slots (used for voice data)
USB
[Eth|...|MIDI1 |MIDI1|MIDI2]
[Std. Req.|HID|BOT|UAS|UASP|CCID|CDC |USB-MIDI|USB-MIDI2 |IPP|...]
[USB Protocol layer ]
[USB Physical ]
Notations
[JSON \-/ CBOR] Format conversion, eg. JSON/CBOR conversion
[HTTP \-/ CoAP] Proxy/interworking, eg. HTTP/CoAP proxy/interworking
[(TLS) |(DTLS)] Optional layers
[TCP | UDP] TCP and UDP layers
[IPv4 / IPv6] Either IPv4 or IPv6
[Eth. \-/ Wifi] Bridge, eg. Ethernet/Wifi bridge
[STUN¦app ] STUN and some application protocol used together between the same peers
[HTTP + WebDAV] Protocol with some extension, eg. HTTP with WebDAV
[TLS + PSK ] Protocol with some feature, eg. TLS with PSK key exchange
[ - ] Empty layer, not a protocol layer
[app. ] Some undefined application layer
[... ] Some protocol layer(s)
Foo Entity name
<-----> Bidirectional communications
<----->o Client/server relation, etc.
------> One-way communications
<=====> Protected communications (usually both confidentiality and integrity)
<=-=-=> Integrity-protected communications (possibly with anti-replay protection)
K Interface name
Appendix, details
Ethernet
Ethernet sublayers:
- PMD (Physical Medium Dependent sublayer): the medium-specific transceiver, eg. 100BASE-FX, 10GBASE-S, 10GBASE-L, 10GBASE-E, 10GBASE-LX4
- PMA (Physical Medium Attachment sublayer): serialization, clock recovery, synchronization
- PCS (Physical Coding Sublayer): line coding (eg. 4B/5B, 8b/10b, 64b/66b) with error detection, negotiation
Ethernet payloads:
| Protocol | EtherType | Description |
|---|---|---|
| ARP | 0x0806 | Address Resolution Protocol. Used on non-point-to-point networks. |
| 802.1Q | 0x8100 | VLAN (Q-tag) |
| 802.1ad (Q-in-Q) | 0x88A8 | VLAN in VLAN (the outer 802.1ad tag is the S-tag, service tag; the inner 802.1Q tag is the C-tag, customer tag) |
| 802.1X (EAPOL) | 0x888E | Port authentication, used for WPA-Enterprise as well |
| IPv4 | 0x0800 | |
| IPv6 | 0x86DD | |
| LLC | (length ≤ 1500) | Logical Link Control (802.2): a type/length value ≤ 1500 is a length and the payload starts with an LLC header |
| SNAP | - | Subnetwork Access Protocol: LLC with DSAP/SSAP 0xAA and control 0x03, followed by a 3-byte OUI and a 2-byte protocol ID (an EtherType when the OUI is 00-00-00) |
| PPPoE | 0x8863 (discovery), 0x8864 (session) | PPP over Ethernet |
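The table above is enough to write a parser, so here is one as an added example (it is not code from the page): it walks the Ethernet header through any stacked 802.1ad/802.1Q tags and, for 802.3 frames, through the LLC/SNAP header, until it reaches the real payload type. The point for a filter or IDS is that the EtherType at bytes 12-13 of a tagged frame is 0x88A8 or 0x8100, never the inner protocol, so a rule keyed only on that field does not see the IPv4 or ARP underneath. The sample frames, the dictionary names and the `parse_ethernet` helper are constructed for this demonstration.

```python
import struct

VLAN_TAGS = {0x8100: "802.1Q", 0x88A8: "802.1ad"}
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x888E: "EAPOL",
              0x8863: "PPPoE discovery", 0x8864: "PPPoE session"}


def parse_ethernet(frame: bytes) -> dict:
    """Walk an Ethernet header down to the payload: stacked VLAN tags, then
    either an Ethernet II type or an 802.3 length followed by LLC/SNAP."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "vlans": [], "ethertype": None, "llc": None}
    pos = 12
    while True:
        if pos + 2 > len(frame):
            raise ValueError("truncated type/length field")
        (tl,) = struct.unpack_from("!H", frame, pos)
        pos += 2
        if tl in VLAN_TAGS:                  # 2-byte TCI follows: PCP(3) DEI(1) VID(12)
            (tci,) = struct.unpack_from("!H", frame, pos)
            pos += 2
            info["vlans"].append((VLAN_TAGS[tl], tci & 0x0FFF))
            continue                         # there may be another tag (Q-in-Q)
        break
    if tl >= 0x0600:                         # Ethernet II: a type; the payload follows directly
        info["ethertype"] = tl
    elif tl <= 1500:                         # 802.3: a length; the payload is an LLC PDU
        dsap, ssap, ctrl = frame[pos:pos + 3]
        pos += 3
        if (dsap, ssap, ctrl) == (0xAA, 0xAA, 0x03):   # SNAP: 3-byte OUI + 2-byte protocol ID
            oui = frame[pos:pos + 3]
            (proto,) = struct.unpack_from("!H", frame, pos + 3)
            pos += 5
            info["llc"] = f"SNAP OUI={oui.hex()}"
            if oui == b"\x00\x00\x00":       # OUI 00-00-00: the protocol ID is an EtherType
                info["ethertype"] = proto
        else:
            info["llc"] = f"LLC DSAP=0x{dsap:02x} SSAP=0x{ssap:02x}"
    else:
        raise ValueError(f"reserved type/length value 0x{tl:04x}")
    info["payload_offset"] = pos
    info["name"] = ETHERTYPES.get(info["ethertype"], "other")
    return info


# Constructed frames (headers are meaningful, payloads are zero padding).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0200c0ffee01")
SAMPLES = {
    # 802.1ad S-tag (VID 100) around an 802.1Q C-tag (VID 200) around IPv4
    "qinq_ipv4": DST + SRC + bytes.fromhex("88a8 0064 8100 00c8 0800") + b"\x45" + bytes(19),
    # untagged Ethernet II carrying IPv6
    "ipv6": DST + SRC + bytes.fromhex("86dd") + b"\x60" + bytes(39),
    # 802.3 length field (46) + LLC/SNAP header carrying ARP
    "snap_arp": DST + SRC + bytes.fromhex("002e aaaa03 000000 0806") + bytes(38),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        info = parse_ethernet(frame)
        print(f"{name:10s} vlans={info['vlans']} payload={info['name']} "
              f"llc={info['llc']} offset={info['payload_offset']}")
```

Double-tagged frames are also the basis of the classic VLAN hopping trick: a switch that strips the outer tag forwards the frame with the inner tag still in place, so any policy that inspects only the outermost tag, or only bytes 12-13, is looking at the wrong header.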
IP protocols
| Protocol | Protocol number | Description |
|---|---|---|
| ICMP | 1 | |
| IGMP | 2 | Support for multicast (IPv4). |
| TCP | 6 | Connection oriented, stream-based, checksums, connection control. |
| UDP | 17 | Unreliable datagrams. Checksums (can be disabled in IPv4). |
| UDP-lite | 136 | Unreliable datagrams. Allows for partial checksums. |
| DCCP | 33 | Connection oriented, unreliable datagrams, with congestion control. |
| SCTP | 132 | Message-based (fragmentation, reliable, ordered), multiple streams multiplexed over a single association. Initially designed for PSTN signaling over IP. |
| ICMPv6 | 58 | |
| NDP | 58 | Part of ICMPv6. Replaces ARP in IPv6. |
| MLD | 58 | Part of ICMPv6. Replaces IGMP in IPv6. |
| AH | 51 | IPsec. Integrity, data origin authentication, anti-replay (covering the outer IP header as well). |
| ESP | 50 | IPsec. Integrity, data origin authentication, anti-replay, confidentiality (of the payload only). |
| GRE | 47 | Next protocol given as an EtherType; optional 32-bit key (tunnel ID); optional 32-bit sequence number. |
| EtherIP | 97 | |
| L2TP over IP | 115 | |
Ports
| Protocol | Port(s) | ALPN | Description |
|---|---|---|---|
| DHCP (Dynamic Host Configuration Protocol) | UDP 67 (server), UDP 68 (client) | - | |
| DHCPv6 | UDP 546 (client), UDP 547 (server) | - | Usually NDP (SLAAC) is used instead for address allocation, routes, DNS configuration, etc. |
| SCTP over UDP | UDP 9899 | - | Useful for NAT traversal and userspace implementations of SCTP. |
| SCTP over DTLS | - | - | Used by WebRTC for transporting data channels. |
| QUIC | - | - | Protected communications (relies on TLS 1.3 for the handshake). Multiplexing of multiple streams per QUIC connection. Used by HTTP/3. |
| DNS over UDP (Do53) | UDP 53 | - | General DNS traffic. |
| DNS over TCP (Do53) | TCP 53 | - | Usually used when messages are too long for UDP (truncated responses) and for zone transfers. |
| DNS over TLS (DoT) | TCP 853 | "dot" | DNS privacy. |
| DNS over DTLS | UDP 853 | - | DNS privacy. Experimental (RFC 8094), not used in practice; DoQ covers the same use case. |
| DNS over HTTPS (DoH) | TCP 443 (UDP 443 with HTTP/3) | "http/1.1", "h2", "h3", etc. | DNS privacy. One HTTP request per request/response pair. |
| DNS over QUIC (DoQ) | UDP 853 | "doq" | DNS privacy. One QUIC stream per request/response pair. |
| Oblivious DNS over HTTPS (ODoH) | TCP/UDP 443 | "http/1.1", "h2", "h3", etc. | More DNS privacy: the relay sees the client but not the query, the target sees the query but not the client. |
| HTTP/1.x without TLS | TCP 80 | - | |
| HTTP/1.x over TLS (HTTPS) | TCP 443 | "http/1.1", "http/1.0" | |
| HTTP/2 without TLS | TCP 80 | "h2c" | Not widely supported; the HTTP/1.1 Upgrade to h2c was deprecated by RFC 9113 (prior-knowledge h2c remains). |
| HTTP/2 over TLS (HTTPS) | TCP 443 | "h2" | |
| HTTP/3 over QUIC (HTTPS) | UDP 443 | "h3" | |
| FTP (File Transfer Protocol) | TCP 21 (control), TCP 20 (data) | - | |
| FTP over TLS (FTPS) | TCP 990 (control), TCP 989 (data) | - | Implicit FTPS. Explicit FTPS (`AUTH TLS`) uses the regular TCP 21. |
| WebDAV | TCP 80 (HTTP) | - | Extension of HTTP for remote resource (file) operations. |
| WebDAV Secure | TCP 443, UDP 443 | - | WebDAV with HTTPS. |
| SFTP (SSH File Transfer Protocol) | TCP 22 (SSH) | - | File transfer over SSH. Not related to FTP! This is not FTP over TLS! |
| NFS v4 (Network File System) | TCP 2049 | - | |
| SMB over IP (modern) | TCP 445 | - | Windows file sharing. |
| SMB over NetBIOS over TCP (SMB/NBT) | TCP 139 | - | Windows file sharing over legacy Windows network protocols. |
| SMB over QUIC | UDP 443 | "smb" | |
| RTSP (Real Time Streaming Protocol) | TCP 554 | - | Control of RTP streams (PLAY/PAUSE, etc.). |
| RTSPS (Secure RTSP) | TCP 322 | - | RTSP over TLS. |
| SIP (Session Initiation Protocol) | TCP 5060, UDP 5060, SCTP 5060 | - | |
| SIP over TLS | TCP 5061 | - | |
| SIP over WebSocket | TCP 80, TCP or UDP 443 | - | |
| IKEv2 | UDP 500 | - | |
| ESP over UDP (and IKEv2 with NAT traversal) | UDP 4500 | - | |
| OpenVPN | UDP 1194, TCP 1194 | - | |
| WireGuard | UDP 51820 | - | |
| GRE-in-UDP | UDP 4754 (dest.) | - | |
| GRE-UDP-DTLS | UDP 4755 (dest.) | - | |
| L2TP over UDP | UDP 1701 | - | |
| VXLAN | UDP 4789 (dest.) | - | 24-bit VNI (VXLAN Network Identifier); always encapsulates Ethernet. |
| GENEVE | UDP 6081 (dest.) | - | 24-bit VNI; can encapsulate different protocols (EtherType). |
| Kerberos | UDP or TCP 88 | - | |
| MS-KKDCP | TCP or UDP 443 (HTTPS) | - | Kerberos Key Distribution Center Proxy: Kerberos over HTTPS. |
CoAP
| Protocol | URI scheme | Port | ALPN | WebSocket protocol |
|---|---|---|---|---|
| CoAP over UDP | coap: | UDP 5683 | - | - |
| CoAP over DTLS | coaps: | UDP 5684 | coap | - |
| CoAP over TCP | coap+tcp: | TCP 5683 | - | - |
| CoAP over TLS | coaps+tcp: | TCP 5684 | coap | - |
| CoAP over WebSocket | coap+ws: | (80, HTTP) | - | coap |
| CoAP over WebSocket over TLS | coaps+ws: | (443, HTTPS) | (http/1.x, …) | coap |
HTTP Datagram
HTTP datagrams are unreliable datagrams associated with an HTTP upgrade and transported over an HTTP connection. They can be sent after an upgrade to the Capsule protocol:
- either as part of the HTTP stream, in DATAGRAM capsules,
- or in QUIC datagrams (HTTP/3 Datagrams), if supported by the peer.
HTTP datagrams are currently used for:
- UDP in HTTP (RFC 9298);
- IP in HTTP (RFC 9484);
- Ethernet in HTTP (draft);
- WebTransport datagrams.
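To make the capsule framing concrete, here is an added Python example (not code from the page or from any project it references) that parses the Capsule Protocol stream carrying HTTP Datagrams on an HTTP/1.1 or HTTP/2 stream (RFC 9297: varint type, varint length, value) and then decodes the UDP proxying payload of RFC 9298 (a Context ID varint followed by the UDP payload). The varint encoding is the QUIC one (RFC 9000, section 16). The sample stream is constructed; the unknown capsule type 0x1234 in it is a made-up value used only to show that unknown capsules are skipped rather than treated as an error.

```python
"""Capsule Protocol (RFC 9297) framing parser with RFC 9298 UDP proxying
payload decoding. Added example; the sample bytes below are constructed."""
from dataclasses import dataclass
from typing import List, Tuple

CAPSULE_TYPE_DATAGRAM = 0x00  # DATAGRAM capsule type, RFC 9297


def decode_varint(buf: bytes, pos: int = 0) -> Tuple[int, int]:
    """Decode a QUIC variable-length integer; return (value, next position).
    Raises ValueError when the buffer ends before the integer does."""
    if pos >= len(buf):
        raise ValueError("truncated varint")
    length = 1 << (buf[pos] >> 6)  # top two bits select 1, 2, 4 or 8 bytes
    if pos + length > len(buf):
        raise ValueError("truncated varint")
    value = buf[pos] & 0x3F
    for b in buf[pos + 1:pos + length]:
        value = (value << 8) | b
    return value, pos + length


def encode_varint(value: int) -> bytes:
    """Encode a QUIC variable-length integer in its shortest form."""
    if value < 0 or value >= 1 << 62:
        raise ValueError("varint out of range")
    for bits, prefix in ((6, 0x00), (14, 0x40), (30, 0x80), (62, 0xC0)):
        if value < 1 << bits:
            raw = value.to_bytes((bits + 2) // 8, "big")
            return bytes([raw[0] | prefix]) + raw[1:]
    raise AssertionError("unreachable")


@dataclass
class Capsule:
    capsule_type: int
    value: bytes


def parse_capsules(stream: bytes) -> Tuple[List[Capsule], bytes]:
    """Split a byte stream into complete capsules. The unparsed tail is
    returned so a capsule split across two TCP segments is buffered, never
    mis-parsed as a new capsule."""
    capsules: List[Capsule] = []
    pos = 0
    while pos < len(stream):
        try:
            ctype, p = decode_varint(stream, pos)
            clen, p = decode_varint(stream, p)
        except ValueError:
            break  # capsule header incomplete: wait for more bytes
        if p + clen > len(stream):
            break  # capsule value incomplete: wait for more bytes
        capsules.append(Capsule(ctype, stream[p:p + clen]))
        pos = p + clen
    return capsules, stream[pos:]


def decode_udp_proxying_payload(datagram: bytes) -> Tuple[int, bytes]:
    """RFC 9298 HTTP Datagram payload: Context ID varint, then UDP payload.
    Context ID 0 carries plain UDP payloads; other IDs are for extensions."""
    context_id, p = decode_varint(datagram, 0)
    return context_id, datagram[p:]


def encode_datagram_capsule(context_id: int, udp_payload: bytes) -> bytes:
    """Build one DATAGRAM capsule carrying an RFC 9298 payload."""
    value = encode_varint(context_id) + udp_payload
    return encode_varint(CAPSULE_TYPE_DATAGRAM) + encode_varint(len(value)) + value


def extract_udp_payloads(stream: bytes) -> Tuple[List[Tuple[int, bytes]], bytes]:
    """Return (context_id, udp_payload) for every complete DATAGRAM capsule.
    Capsules of unknown type are skipped, as RFC 9297 requires."""
    capsules, rest = parse_capsules(stream)
    out = [decode_udp_proxying_payload(c.value)
           for c in capsules if c.capsule_type == CAPSULE_TYPE_DATAGRAM]
    return out, rest


# Constructed sample: two DATAGRAM capsules, one capsule of made-up type
# 0x1234 (encoded as 0x52 0x34), and a truncated capsule claiming 16 bytes.
SAMPLE_STREAM = (
    encode_datagram_capsule(0, b"hello")
    + b"\x52\x34\x03xyz"
    + encode_datagram_capsule(0, b"\x01\x02")
    + b"\x00\x10abc"
)

if __name__ == "__main__":
    payloads, tail = extract_udp_payloads(SAMPLE_STREAM)
    print(payloads)   # [(0, b'hello'), (0, b'\x01\x02')]
    print(tail)       # b'\x00\x10abc' is kept until more bytes arrive
```

The two defensive choices worth copying are returning the incomplete tail instead of guessing, and skipping unknown capsule types rather than aborting the stream.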
HTTP Upgrade
| Protocol | Upgrade token | Default URI template |
|---|---|---|
| Proxy TCP in HTTP (classic) (/1.x, /2, /3) | - | - |
| Proxy TCP in HTTP (template-based) | "connect-tcp" | /.well-known/masque/tcp/{target_host}/{tcp_port}/ |
| Proxy UDP in HTTP | "connect-udp" | /.well-known/masque/udp/{target_host}/{target_port}/ |
| Proxy UDP listen in HTTP | "connect-udp-listen" | /.well-known/masque/udp/{target_host}/{target_port}/ |
| Proxy IP in HTTP | "connect-ip" | /.well-known/masque/ip/{target}/{ipproto}/ |
| Proxy Ethernet in HTTP | "connect-ethernet" | (/.well-known/masque/ethernet/) |
WebTransport
Features:
- multiple (reliable) streams per WebTransport session;
- datagrams can be exchanged over a WebTransport session;
- multiple WebTransport sessions may be multiplexed over a single transport (e.g. an HTTP/2 or HTTP/3 connection).
Notes:
- With HTTP/2, after an extended CONNECT, all streams and datagrams of the WebTransport session are transported over a single HTTP/2 stream.
- With HTTP/3, after an extended CONNECT, each WebTransport stream is transported over a different QUIC stream and WebTransport datagrams are sent as HTTP/3 (QUIC) datagrams.
- There is no specification for WebTransport over HTTP/1.
RTP
| Protocol | Description |
|---|---|
| RTP | Transport A/V streams |
| RTCP | Flow/congestion control for RTP |
| SRTP and SRTCP | |
| DTLS-SRTP | DTLS handshake (with mutual authentication) for keying SRTP (and SRTCP). |
| ZRTP | Diffie-Hellman key exchange on the same port as SRTP. |
| S/MIME | May be used in SIP to provide end-to-end protection of SDP content |
| Framing for RTP | When used over TCP, each RTP or RTCP packet is prefixed with a length field (2 bytes). |
| RTP-MIDI | Send MIDI 1 data over RTP |
| RTP-over-QUIC (RoQ) | |
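The "Framing for RTP" row above describes the RFC 4571 length-prefixed framing. The following Python example is added here (not code from the page) to show that framing together with a minimal RTP header parser (RFC 3550), including the checks a receiver needs: buffering an incomplete frame, rejecting a wrong version, and validating CSRC, extension and padding lengths before slicing the payload. The sample packets are constructed (payload type 96, SSRC 0xDEADBEEF are arbitrary values).

```python
"""RFC 4571 framing of RTP over a stream transport, plus an RTP header and
payload parser (RFC 3550). Added example; sample packets are constructed."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

RTP_FIXED_HEADER = 12  # V/P/X/CC, M/PT, sequence, timestamp, SSRC


@dataclass
class RtpHeader:
    version: int
    padding: bool
    extension: bool
    csrc_count: int
    marker: bool
    payload_type: int
    sequence: int
    timestamp: int
    ssrc: int


def frame_packet(packet: bytes) -> bytes:
    """Prefix one RTP/RTCP packet with the 16-bit big-endian LENGTH field."""
    if len(packet) > 0xFFFF:
        raise ValueError("packet too long for RFC 4571 framing")
    return struct.pack("!H", len(packet)) + packet


def split_framed_stream(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Cut a byte stream into complete packets and return the incomplete
    tail, so a packet split across TCP segments is buffered, not misread."""
    packets: List[bytes] = []
    pos = 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack_from("!H", stream, pos)
        end = pos + 2 + length
        if end > len(stream):
            break
        packets.append(stream[pos + 2:end])
        pos = end
    return packets, stream[pos:]


def parse_rtp_header(packet: bytes) -> RtpHeader:
    """Parse the fixed 12-byte RTP header and reject non-RTPv2 data."""
    if len(packet) < RTP_FIXED_HEADER:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack_from("!BBHII", packet, 0)
    hdr = RtpHeader(version=b0 >> 6, padding=bool(b0 & 0x20),
                    extension=bool(b0 & 0x10), csrc_count=b0 & 0x0F,
                    marker=bool(b1 & 0x80), payload_type=b1 & 0x7F,
                    sequence=seq, timestamp=ts, ssrc=ssrc)
    if hdr.version != 2:
        raise ValueError("unsupported RTP version")
    return hdr


def rtp_payload(packet: bytes) -> bytes:
    """Return the payload after CSRC list, header extension and padding,
    validating every length field against the packet size first."""
    hdr = parse_rtp_header(packet)
    offset = RTP_FIXED_HEADER + 4 * hdr.csrc_count
    if hdr.extension:
        if len(packet) < offset + 4:
            raise ValueError("truncated extension header")
        _profile, ext_words = struct.unpack_from("!HH", packet, offset)
        offset += 4 + 4 * ext_words
    end = len(packet)
    if hdr.padding:
        pad = packet[-1]  # last octet holds the padding count, itself included
        if pad == 0 or offset + pad > end:
            raise ValueError("invalid padding count")
        end -= pad
    if offset > end:
        raise ValueError("header longer than packet")
    return packet[offset:end]


# Constructed samples: V=2, M=1, PT=96; then V=2 with padding bit, PT=96,
# whose last two octets are padding; then a truncated frame claiming 32 bytes.
SAMPLE_PACKET = struct.pack("!BBHII", 0x80, 0xE0, 1234, 3000, 0xDEADBEEF) + b"\xaa" * 4
SAMPLE_PADDED = struct.pack("!BBHII", 0xA0, 0x60, 1235, 3160, 0xDEADBEEF) + b"\xbb\xbb\x00\x02"
SAMPLE_STREAM = frame_packet(SAMPLE_PACKET) + frame_packet(SAMPLE_PADDED) + b"\x00\x20abc"

if __name__ == "__main__":
    packets, tail = split_framed_stream(SAMPLE_STREAM)
    for p in packets:
        print(parse_rtp_header(p), rtp_payload(p))
    print("buffered tail:", tail)
```

The same splitter applies to RTCP packets on the same stream; only the per-packet parsing differs.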
WebRTC
| WebRTC Payload type | SCTP PPID | Description |
|---|---|---|
| SRTP-DTLS | - | |
| DCEP (Data Channel Establishment Protocol) | 50 | Used to create WebRTC data channels. |
| WebRTC String | 51 | |
| WebRTC Binary | 53 | |
| WebRTC Empty String | 56 | |
| WebRTC Empty Binary | 57 | |
TLS
| TLS Subprotocols | Description |
|---|---|
| Underlying transport layer | eg. TCP |
| TLS Record Protocol: Record Protection | Encryption and message authentication (Cipher+MAC or AEAD). |
| TLS Record Protocol: Compression | Message compression, if negotiated. Not available in TLS v1.3. |
| TLS Record Protocol: Fragmentation | Subprotocol multiplexing and framing. |
| TLS Handshake Protocol | TLS handshake (version/ciphersuite negotiation, authentication, key exchange, etc.). |
| TLS ChangeCipherSpec | Enables communication protection for this direction. |
| TLS Alert | Errors. |
| Application Layer | eg. HTTP, SMTP, etc. |
EAP
| EAP Method | Method Type | Description |
|---|---|---|
| EAP-TLS | 13 | Mutual TLS authentication |
| EAP-TTLS | 21 | AVPs (attribute value pairs) in the Diameter format over TLS |
| PEAP | 25 | Protected EAP. Inner EAP exchange over a TLS tunnel |
| EAP-FAST | 43 | |
| TEAP | 55 | Tunnel EAP. Inner EAP exchange over a TLS tunnel (standardized version of PEAP) |
| EAP-SIM | 18 | SIM-based authentication |
| EAP-AKA | 23 | SIM-based authentication |
| EAP-AKA' | 50 | SIM-based authentication |
| EAP-pwd | 52 | Authenticated key exchange based on a shared password |
| EAP-NOOB | 56 | Authentication for IoT devices based on an initial out-of-band channel |
| EAP Transport | Description |
|---|---|
| 802.1X | Authentication for LAN/WLAN such as Ethernet and Wifi (WPA-EAP aka WPA-Enterprise) |
| PANA | Protocol for Carrying Authentication for Network Access. |
| RADIUS | EAP messages encapsulated in the EAP-Message attribute |
| Diameter | EAP messages encapsulated in EAP-Payload AVP |
SASL
| SASL Mechanism | Security Layer | Channel Binding | Description |
|---|---|---|---|
| GSSAPI | Optional (negotiated) | Yes | Kerberos 5 (not other mechanisms) with GSSAPI |
| GSS2-* | No | No | GSS-API mechanisms (without support for channel binding) |
| GSS2-*-PLUS | No | Yes | GSS-API mechanisms (with support for channel binding) |
| OAUTHBEARER | No | No | Oauth 2.0 Bearer token |
RADIUS
| Protocol | Port | SCTP PPID | Description |
|---|---|---|---|
| RADIUS (authentication and authorization) | UDP 1812, TCP 1812 | - | |
| RADIUS Accounting | UDP 1813, TCP 1813 | - | |
| RADIUS DynAuth | UDP 3799 | - | Disconnect and Change-of-Authorization (CoA) messages |
| RADIUS over TLS (RadSec) | TCP 2083 | - | |
| Diameter | TCP 3868, SCTP 3868 | 46 | |
| Diameter over TLS/TCP | TCP 5658 | - | |
| Diameter over DTLS/SCTP | SCTP 5658 | 47 | |
Wifi
Sublayers:
- PMD (Physical Medium Dependent sublayer), (eg. 802.11 FHSS, 802.11 DSSS, 802.11a OFDM, 802.11b HR/DSSS, 802.11g ERP)
- PLCP (Physical Layer Convergence Protocol sublayer)
Encryption:
- WEP (Wired Equivalent Privacy), old encryption layer (based on RC4 and CRC-32)
- TKIP (Temporal Key Integrity Protocol), encryption layer of WPA1 (RC4 stream cipher with “Michael” MIC)
- CCMP, encryption layer of WPA2 (AES with CCM mode)
- GCMP-256, encryption layer of WPA3 (56-bit Galois/Counter mode)
PPP
PPP protocols:
| Protocol | PPP Protocol | Description |
|---|---|---|
| PPP (Point-to-Point Protocol) | - | |
| LCP (Link Control Protocol) | 0xc021 | |
| PAP (Password Authentication Protocol) | 0xc023 | Cleartext login/password |
| CHAP (Challenge-Handshake Authentication Protocol) | 0xc223 | Includes MS-CHAP and MS-CHAPv2 as well. |
| EAP (Extensible Authentication Protocol) | 0xc227 | |
| IPCP (IP Configuration Protocol) | 0x0021 | Configuration of the IPv4 address |
| IPv4 | 0x0021 | |
| IPv6CP (IPv6 Configuration Protocol) | 0x8057 | |
| IPv6 | 0x0057 | |
PPP transports:
- PPPoA, PPP-over-ATM (AAL5)
- PPPoE, PPP-over-Ethernet
- L2TP (Layer Two Tunneling Protocol)
- HDLC-like framing (RFC 1662) for PPP
- CCP (Compression Control Protocol)
- PPP over SSH (it's not a standard thing but you can do it)
Optical
- GPM (GPON Physical Media Dependent layer)
- GTC framing
- PLOAM (Physical Layer Operations, Administration and Maintenance)
- OMCI (ONU Management and Control Interface)
- GEM (G-PON Encapsulation Mode)
- TDM (Time Division Multiple Access), emulation of any TDM-based circuit
- PWE3 (Pseudo Wire Emulation Edge-to-Edge), Frame Relay/ATM/Ethernet/TDM/SONET/SDH over IP or MPLS
- MEF-8, emulation of PDH over Ethernet
Phone
| Protocol | SCTP PPID | Description |
|---|---|---|
| MTP-1 (Message Transfer Part layer 1) | - | Physical layer |
| MTP-2 (Message Transfer Part layer 2) | - | Link layer |
| MTP-3 (Message Transfer Part layer 3) | - | Network layer |
| TUP (Telephone User Part) | - | Signaling for classic PSTN, mostly replaced by ISUP |
| ISUP (ISDN User Part) | - | |
| SCCP (Signalling Connection Control Part) | - | |
| TCAP (Transaction Capabilities Application Part) | - | |
| CAP (CAMEL Application Part) | - | |
| MAP (Mobile Application Part) | - | |
| SCTP (Stream Control Transmission Protocol) | - | Transport layer on top of IP |
| SUA (SCCP User Adaptation) | 4 | Replaces SCCP when used over SCTP/IP |
| M2UA (MTP2 User Adaptation Layer) | 2 | |
| M2PA (MTP2 User Peer-to-Peer Adaptation Layer) | 5 | |
| M3UA (MTP3 User Adaptation Layer) | 3 | |
Mobile
Mobile network:
- LAPDm (Link Access Procedures on the Dm channel), Link layer for GSM used between the mobile station (i.e., the phone) and the BSC
- RR aka RMM (Radio Resource Management)
- MM (Mobile Management)
- CM (Connection Management)
- RLC (Radio Link Control)
- LLC (Logical Link Control)
  - This is not the 802.2 LLC protocol used with Ethernet, Wifi, etc.
- SNDCP (Subnetwork Dependent Convergence Protocol)
- GMM (GPRS Mobility Management)
- SM (Session Management)
- PDCP (Packet Data Convergence Protocol)
- RRC (Radio Resource Control)
- NAS (Non-access stratum)
- SDAP (Service Data Adaptation Protocol)
- SM (Session Management)
- GMM (GPRS Mobility Management)
WAP:
- Wireless Session Protocol (WSP), Similar to HTTP
- Wireless Transaction Protocol (WTP), similar to TCP. Used for CO-WSP (Connection-oriented WSP), absent for CL-WSP (Connectionless WSP).
- Wireless Transport Layer Security (WTLS), protection (similar to TLS)
- Wireless Datagram Protocol (WDP), similar to UDP
- WML (Wireless Markup Language), XML-based markup language, similar to HTML
- WMLScript, Scripting language based on ECMAScript but compiled to a bytecode
- XHTML MP (Mobile Profile)
- WP-TCP, Profile of TCP
- WP-HTTP, Profile of HTTP
Bluetooth
- BR (Basic Rate)
- EDR (Extended Data Rate)
- LE (Low Energy) 1M
- LE (Low Energy) 2M
- LE (Low Energy) Coded
- LCP
- LMP (Link Manager Protocol)
- LE LL (LE Link Layer)
- L2CAP (Logical Link Control and Adaptation Protocol)
- SDP (Service Discovery Protocol)
- RFCOMM (Radio frequency communication), RS-232 port emulation
- BNEP (Bluetooth Network Encapsulation Protocol):
  - transports Ethernet traffic
  - replaces the Ethernet header with its own header!
- OBEX
- HIDP (Bluetooth HID Protocol)
- AVCTP (Audio/video control transport protocol)
- AVDTP (Audio/video data transport protocol)
- SM (Security Manager)
- GAP
- ATT
- GATT
- AT, Hayes Modem AT commands
- HCI (Host Controller Interface), communication between the host and the Bluetooth controller
USB
| Device Classes | Description |
|---|---|
| Standard Requests | |
| HID (Human Interface Device) | Keyboard, mouse, baseball bats and golf clubs, etc. |
| MSB (Mass Storage Device) | USB stick, etc. |
| CDC (Communication Device Class) | |
| IPP (Internet Printing Protocol) | |
| MTP (Media Transfer Protocol) | |
| CCID (Chip Card Interface Device) | Smartcard, Yubikeys, etc. |
| DFU (Device Firmware Upgrade) | |
| BOT (Bulk Only Transfer) | |
| UAS (USB Attached SCSI) | |
| UASP (USB Attached SCSI Protocol) | Not the same as UAS! |
References
General:
- EventHelix, has a lot of nice sequence diagrams and other useful information
- SampleCaptures from the WireShark website
Assignments:
- Hypertext Transfer Protocol (HTTP) Upgrade Token Registry
- TLS Application-Layer Protocol Negotiation (ALPN) Protocol IDs
- SSH Connection Protocol Subsystem Names
- Assigned Internet Protocol Numbers
- Service Name and Transport Protocol Port Number Registry
- PPP DLL Protocol Numbers
- L2TPv3 Pseudowire Types
- EtherTypes
- Logical Link Control (LLC) Public Listing
- SCTP Payload Protocol Identifiers
- TLS exporter labels
- SIP Table of Mappings From Service Field Values to Transport Protocols
- Simple Authentication and Security Layer (SASL) Mechanisms
- Network Layer Protocol Identifiers (NLPIDs) of Interest
- SDP proto
- PPP Authentication Algorithms
- Session Description Protocol (SDP) Parameters ~ proto
DNS:
- RFC 9539, Unilateral Opportunistic Deployment of Encrypted Recursive-to-Authoritative DNS
WebSocket:
- WebSocket JS API (W3C)
- WebSocket JS API (MDN)
WebTransport:
- WebTransport JS API (W3C)
- WebTransport JS API (MDN)
WebRTC:
- WebRTC Protocol Layers
- WebRTC For The Curious
- RFC 8834, Media Transport and Use of RTP in WebRTC
- RFC 8827, WebRTC Security Architecture
- RFC 8835, Transports for WebRTC
- Replacing WebRTC
QUIC:
Tunnels, VPNS:
- RFC 4301, Security Architecture for the Internet Protocol
- PSP Security Protocol
SSH:
ATM:
- Multiprotocol Encapsulation over AAL5, RFC 2684
Wireless:
USB:
Optical:
- G.984.1 : Gigabit-capable passive optical networks (GPON): General characteristics
- G.984.3 : Gigabit-capable passive optical networks (G-PON): Transmission convergence layer specification
- G.987.1 : 10-Gigabit-capable passive optical networks (XG-PON): Transmission convergence (TC) layer specification
- G.987.2 : 10-Gigabit-capable passive optical networks (XG-PON): Physical media dependent (PMD) layer specification
- G.987.3 : 10-Gigabit-capable passive optical networks (XG-PON): Transmission convergence (TC) layer specification
- Implementation Agreement for the Emulation of PDH Circuits over Metro Ethernet Networks
Phone:
Mobile:
- PDP types
- PDU session types (5G)
- Extensible Authentication Protocol (EAP) in next-generation networks
- Long Term Evolution Protocol Overview
- SMS in 5GC
- ETSI TS 124 501, 5G NAS
- A Comparative Introduction to 4G and 5G Authentication
- 5G: focus on N3IWF, TNGF, TWIF and W-5GAN
Non-3GPP access:
- ETSI TS 123 402 v16
- A Tutorial on Trusted and Untrusted Non-3GPP Accesses in 5G Systems—First Steps Toward a Unified Communications Infrastructure
- Untrusted Non-3GPP Access Network Interworking with 5G Core
IMS:
WAP:
- Looking inside the MMS Exchange (With call flow and PCAP)
- WapProtocolFamily ~ Wireshark Wiki
- Wireless Datagram Protocol (WDP) ~ Wireshark Wifi
- Wireless Session Protocol (WSP) ~ Wireshark Wifi
- Wireless Datagram Protocol (WDP), v14
LLMs and agents: