Protocol stack diagrams
Layers all the way down
Published:
Updated:
A collection of ASCII-art protocol stack diagrams.
They can be used as a base for doing quick diagrams. Feel free to copy/reuse/adapt them for your own purpose. These diagrams are released as CC0 (“No Rights Reserved”).
Table of content
Concepts
Layers, PDUs and SDUs:
N+1 PDU
[N+1 Layer]<----------------->[N+1 Layer]
↑ ↑
| | N+1 SDU
↓ ↓
o N PDU o N SAP
[N Layer ]<----------------->[N Layer ]
↑ ↑
| | N SDU
↓ ↓
o N-1 PDU o N-1 SAP
[N-1 Layer]<----------------->[N-1 Layer]
Switches, bridges/hubs, routers, proxy:
[app. ]<------------------------------------------------>[app.]<-->[app.]
[TCP ]<------------------------------------------------>[TCP ]<-->[TCP ]
[IP ]<------------------------------>[IP ]<-->[IP ]<-->[IP ]
[Eth. MAC]<---------------->[Eth. MAC]<---[Eth. MAC|...]<-->[... ]<-->[... ]
[Eth. PHY]<-->[Eth. PHY]<-->[Eth. PHY]<-->[Eth. PHY|...]<-->[... ]<-->[... ]
Hub Switch/bridge Router Proxy
OSI
L7 [Application ]<-------------------------------->[Application ] L6 [Presentation]<-------------------------------->[Presentation] L5 [Session ]<-------------------------------->[Session ] L4 [Transport ]<-------------------------------->[Transport ] L3 [Network ]<-->[Network ]<-->[Network ]<-->[Network ] L2 [Data link ]<-->[Data link]<-->[Data link]<-->[Data link ] L1 [Physical ]<-->[Physical ]<-->[Physical ]<-->[Physical ]
IP
IPv4
[(DHCP)|DNS|app|DNS|app]
[ICMP|IGMP|UDP |TCP ]
[IPv4 |ARP]
| Protocol | SAP | Description |
|---|---|---|
| ICMP (Inter Control Message Protocol) | IP proto. 1 | |
| ARP (Address Resolution Protocol) | EtherType 0x0806 | Used for non-point-to-point networks. |
| DHCP (Dynamic Host Configuration Protocol) | UDP 67 (server) UDP 68 (client) | |
| IGMP (Internet Group Management Protocol) | IP proto. 2 | Support for multicast |
IP model:
[app.]<---------------------------------->[app.] (end to end)
[TCP ]<---------------------------------->[TCP ] (end to end)
[IP ]<--->[IP ]<--->[IP ]<--->[IP ]<--->[IP ]
[... ]<--->[...]<--->[...]<--->[... ]<--->[... ] (local network layers)
Router Router Router
IPv6
[(DHCPv6)|DNS|app|DNS|app]
[ICMPv6+NDP+MLD|UDP |TCP ]
[IPv6 ]
| Protocol | SAP | Description |
|---|---|---|
| ICMPv6 | IP next header 0x58 | |
| NDP | IP next header 0x58 | Part of ICMPv6. Replaces ARP in IPv6. |
| DHCPv6 | UDP 546 (client) UDP 547 (server) | Usually NDP is used instead for address allocation, routes, DNS configuration, etc. |
| [MLD](Multicast Listener Discovery) | IP next header 0x58 | Part of ICMPv6. Replaces IGMP in IPv6. |
IP Transport protocols
[app.]
[app.] [SCTP] [app.]
[app.] [app.] [app. ] [app.] [app.] [SCTP] [DTLS] [QUIC|TLS]
[TCP ] [UDP ] [UDP-lite] [DCCP] [SCTP] [UDP ] [UDP ] [UDP ]
[IP ] [IP ] [IP ] [IP ] [IP ] [IP ] [IP ] [IP ]
TCP UDP UDP-lite DCCP SCTP SCTP SCTP QUIC
/UDP /DTLS
| Protocol | Protocol number | Description |
|---|---|---|
| TCP | 6 | Connection oriented, stream-based, checksums, connection control. |
| UDP | 17 | Unreliable datagrams. Checksums (can be disabled in IPv4). |
| UDP-lite | 136 | Unreliable datagrams. Allows for partial checksums. |
| DCCP | 33 | Connection oriented, unreliable datagrams, with congestion control. |
| SCTP | 132 | Message-based (fragmentation, reliable, ordered), multiple-streams multiplexing over a single connection. Initially designed for PSTN signaling over IP. |
| SCTP over UDP | - | Useful for NAT traversal and userspace implementations of SCTP. |
| SCTP over DTLS | - | Used by WebRTC for transporting data channels. |
| QUIC | - | Protected communications (relies on TLS for the hanshake). Multiplexing of multiple streams per QUIC connection. Used by HTTP/3. |
Applications layers
DNS
[DNS ]
[DNS ] [DNS ] [Obliv. DNS]
[DNS ] [framing] [DNS ] [HTTP ] [DNS ] [HTTP ]
[DNS] [framing] [TLS ] [DTLS] [TLS / QUIC] [QUIC] [TLS / QUIC]
[UDP] [TCP ] [TCP ] [UDP ] [TCP / UDP ] [UDP ] [TCP / UDP ]
[IP ] [IP ] [IP ] [IP ] [IP ] [IP ] [IP ]
“Do53” “Do53” “DoT” “DoH” “DoQ” “ODoH”
DNS DNS DNS DNS DNS DNS Oblivious DNS
over over over over over over over
UDP TCP TLS DTLS HTTPS QUIC HTTPS
| Protocol | Port | ALPN | Description |
|---|---|---|---|
| DNS over UDP (Do53) | UDP 53 | - | General DNS traffic. |
| DNS over TCP (Do53) | TCP 53 | - | Usually used when messages are too long for UDP. |
| DNS framing | - | - | When used on top of TCP or TLS, each DNS message is prefixed with a length field (2 bytes). |
| DNS over TLS (DoT) | TCP 853 | "dot" | DNS privacy. |
| DNS over DTLS | (UDP 853) | - | DNS privacy. Not used in practice, deprecated in favor of DoQ. |
| DNS over HTTPS (DoH) | TCP 443 | "http/1.1", "h2", "h3", etc. | DNS privacy. One HTTP request per request/response pair. |
| DNS over QUIC (DoQ) | UDP 853 | "doq" | DNS privacy. One QUIC stream per request/response pair. |
| Oblivious DNS over HTTPS (ODoH) | TCP/UDP 443 | "http/1.1", "h2", "h3", etc. | More DNS privacy. |
Oblivious DNS over HTTPS:
[DNS ]<--------------------->o[DNS ]<---->o[DNS] [Obliv. DNS]<=====================>o[Obliv. DNS|- ] [HTTP ]<--->o[HTTP ]<--->o[HTTP |- ] [TLS / QUIC]<===>o[TLS / QUIC]<===>o[TLS / QUIC|- ] [TCP / UDP ]<--->o[TCP / UDP ]<--->o[TCP / UDP |...]<----->[...] [IP ]<---->[IP ]<---->[IP ]<----->[IP ] Oblivious Oblivious Oblivious Client Relay Target
HTTP
[HTTP/1.x] [HTTP/2] [HTTP/3|TLS]
[HTTP/1.x] [HTTP/2] [TLS ] [TLS ] [QUIC ]
[TCP ] [TCP ] [TCP ] [TCP ] [UDP ]
[IP ] [IP ] [IP ] [IP ] [IP ]
HTTP/1.x HTTP/2 HTTP/1.x HTTP/2 HTTP/3
w/o TLS over TLS over TLS (over QUIC)
"h2c" "h2" "h3"
(HTTP) (HTTP) (HTTPS) (HTTPS) (HTTPS)
| Protocol | Port | TLS ALPN | HTTP Upgrade | Description |
|---|---|---|---|---|
| HTTP/1.x without TLS | TCP 80 | - | - | Text protocol. |
| HTTP/1.x over TLS (HTTPS) | TCP 443 | "http/1.1", "http/1.0" | ||
| HTTP/2 without TLS | TCP 80 | - | "h2c" | HTTP/2 without TLS is not widely supported and is deprecated. |
| HTTP/2 over TLS (HTTPS) | TCP 443 | "h2" | - | Binary protocol. Prevents head of line blocking (HOL)at the HTTP layer byt multiplexing multiple requests/responses over the same connection but does HOL blocking still present at the TCP layer. |
| HTTP/3 over QUIC (HTTPS) | UDP 443 | "h3" | - | Binary protocol. Prevents HOL blocking between streams of the same connection (which was happenning at the TCP layer with HTTP/2) by replacing TCP by UDP. Encryption/integrity provided by QUIC. TLS used for the handshake (ciphersuite negotiation, authentication, key exchange, etc.) |
WebSocket
[WebSocket] [WebSocket] [WebSocket] [HTTP/1.x ] [HTTP/2 ] [HTTP/3 ] [(TLS) ] [(TLS) ] [QUIC ] [TCP ] [TCP ] [UDP ] [IP ] [IP ] [IP ] WebSocket Websocket WebSocket (HTTP/1.x) (HTTP/2) (HTTP/3)
Notes:
- with HTTP/1, a HTTP upgrade (
GET) is used to upgrade the HTTP connection into a WebSocket connection; - with HTTP/2, a HTTP/2 upgrade (extended
CONNECT) is used to upgrade the HTTP/2 stream into a WebSocket stream; - with HTTP/3, a HTTP/3 upgrade (extended
CONNECT) is used to upgrade the HTTP/3 stream into a WebSocket stream.
References:
- WebSocket JS API (W3C)
- WebSocket JS API (MDN)
HTTP Datagrams
[datagram ] [datagram] [ datagram ] [Capsule ] [Capsule ] [Capsule |- ] [HTTP/1.x ] [HTTP/2 ] [HTTP/3 |H3 dgram] [(TLS) ] [(TLS) ] [QUIC +dgram] [TCP ] [TCP ] [UDP ] [IP ] [IP ] [IP ] HTTP HTTP HTTP Datagrams Datagrams Datagrams (HTTP/1.X) (HTTP/2) (HTTP/3)
HTTP datagrams are unreliable datagrams, associated with a HTTP upgrade, transported over an HTTP connection. They can be sent after an upgrade to the Capsule protocol,
- either as part of the HTTP stream in a DATAGRAM capsules,
- or transported in QUIC datagrams (HTTP/3 Datagram), if supported by the peer.
HTTP datagrams are currently used for,
- UDP in HTTP (RFC9298);
- IP in HTTP (RFC9484);
- Ethernet in HTTP (draft);
- WebTransport datagrams.
HTTP CONNECT proxy
Without HTTP/3 datagrams:
[application] [IP ] [application] [Eth. MAC ]
[UDP prox. ] [IP prox.|config.] [UDP-l prox.] [Eth. prox. ]
[application] [HTTP Datag.] [Capsule ] [HTTP Datag.] [HTTP Datag.]
[HTTP ] [HTTP ] [HTTP ] [HTTP ] [HTTP ]
[(TLS)/ QUIC] [(TLS)/ QUIC] [(TLS) / QUIC ] [(TLS)/ QUIC] [(TLS)/ QUIC]
[TCP / UDP ] [TCP / UDP ] [TCP / UDP ] [TCP / UDP ] [TCP / UDP ]
[IP. ] [IP ] [IP ] [IP ] [IP ]
TCP in HTTP UDP in HTTP IP in HTTP UDP-listen in HTTP Ethernet in HTTP
With HTTP/3 datagrams:
[app. ] [config.|IP ] [application ] [Eth. MAC ]
[UDP prox.] [Capsule|IP prox.] [UDP-listen prox.] [Eth. proxy.]
[HTTP/3|H3 dgram ] [HTTP/3 |H3 dgram] [HTTP/3|H3. dgram ] [HTTP/3|H dgram ]
[QUIC +dgram ] [QUIC +dgram ] [QUIC +dgram ] [QUIC +dgram ]
[UDP ] [UDP ] [UDP ] [UDP ]
[IP ] [IP ] [IP ] [IP ]
UDP in HTTP/3 IP in HTTP/3 UDP-listen in HTTP/3 Ethernet in HTTP/3
datagrams datagrams datagrams datagrams
| Protocol | Upgrade token | Default URI template |
|---|---|---|
| Proxy TCP in HTTP (classic) (/1.x, /2, /3) | - | - |
| Proxy TCP in HTTP (template-based) | "connect-tcp" | /.well-known/masque/tcp/{target_host}/{tcp_port}/ |
| Proxy UDP in HTTP | "connect-udp" | /.well-known/masque/udp/{target_host}/{target_port}/ |
| Proxy UDP listen in HTTP | "connect-udp-listen" | /.well-known/masque/udp/{target_host}/{target_port}/ |
| Proxy IP in HTTP | "connect-ip" | /.well-known/masque/ip/{target}/{ipproto}/ |
| Proxy Ethernet in HTTP | "connect-ethernet" | (/.well-known/masque/ethernet/) |
WebTransport
[streams|datagrams] [streams| datagrams ] [- |Capsule ] [- |Capsule|- ] [HTTP/2 ] [HTTP/3 |H3 dgram.] [TLS ] [QUIC (+dgram)] [TCP ] [UDP ] [IP ] [IP ] WebTransport (HTTP/2) WebTransport (HTP/3) HTTP/2
Features:
- multiple (reliable) streams per WebTransport sessions;
- datagrams can be exchanged over a WebTransport sessions;
- multiple WebTransport session may be multiplexed over a single transport (eg. HTTP/2 or HTTP/3 connection).
Notes:
- With HTTP/2, after an extended CONNECT, all streams and datagrams of a the WebTransport instance are transported over a single HTTP/2 stream.
- With HTTP/3, after an extended CONNECT, each WebTranport stream is transported over a different QUIC stream and WebTransport datagrams are sent a HTTP/3 (QUIC) datagrams.
- No specification for WebTransport over HTTP/1.
References:
- WebTransport JS API (W3C)
- WebTransport JS API (MDN)
File Transfer
[FTP ] [SFTP] [HTTP+WebDAV ] [SMB ]
[(TLS)] [SSH ] [(TLS) / QUIC] [SMB] [QUIC] [NFS]
[TCP ] [TCP ] [TCP / UDP ] [TCP] [UDP ] [TCP]
[IP ] [IP ] [IP ] [IP ] [IP ] [IP ]
FTP SFTP WebDAV SMB SMB NFSv4
/QUIC
| Protocol | Port | Description |
|---|---|---|
| FTP (File Transfer Protocol) | TCP/21 (control) TCP/20 (data) | |
| FTP over TLS | TCP/900 (control) TCP/989 (data) | |
| WebDAV | TCP/80 (HTTP) | Extension of HTTP for remote resource (file) operation. |
| WebDAV Secure | TCP/443 UDP/443 | WebDAV with HTTPS. |
| SFTP (SSH File Transfer Protocol) | TCP/22 (SSH) | File transfer over SSH. Not related to FTP! This is not FTP over TLS! |
| NFS v4 (Network File System) | TCP/2049 | |
| SMB over IP (modern) | TCP/445 | Windows file sharing. |
| SMB over NetBIOS over TCP (SMB/NBT) | TCP/139 | Windows file sharing over legacy Windows network protocols. |
| SMB over QUIC | UDP/443 |
Notes:
- SFTP uses "sftp" as SSH subsystem.
- SMB over QUIC use "smb" as ALPN.
LDAP
[LDAP ] [(SASL sec.)] [(TLS) ] [TCP ] [IP ] LDAP
UPnP
[Device/service desc.] [SOAP/1.1] [UPnP event] [UPnP event]
[XML ] [XML ] [XML ] [XML ]
[HTTP+SSDP ] [HTTP ] [HTTP ] [HTTP+GENA ] [HTTP+GENA ]
[UDP ] [TCP ] [TCP ] [TCP ] [UDP ]
[IP (mcast)] [IP ] [IP ] [IP ] [IP (mcast)]
Service Service Control Eventing Eventing
Discovery Description (RPC) (unicast) (multicast)
CoAP
[CoAP ]
[WebSocket ]
[CoAP ] [CoAP ] [HTTP ]
[(DTLS)] [(TLS)] [(TLS / DTLS)]
[UDP ] [TCP ] [TCP / UDP ]
[IP ] [IP ] [IP ]
CoAP CoAP/TCP CoAP/WS(S)
| Protocol | URI scheme | Port | ALPN | WebSocket protocol |
|---|---|---|---|---|
| CoAP over UDP | coap: | UDP 5683 | - | - |
| CoAP over DTLS | coaps: | UDP 5684 | coap | - |
| CoAP over TCP | coap+tcp: | TCP 5683 | - | - |
| CoAP over TLS | coaps+tcp: | TCP 5684 | coap | . |
| CoAP over WebSocket | coap+ws: | (80, HTTPS) | - | coap |
| coaps+ws: | (443, HTTPS) | (http/1.x, …) | coap |
Notes:
- CoAP over TCP and TLS use a modfied message format compared to CoAP/UDP;
- CoAP over WebSocket uses yet another message format.
Multimedia
SIP, RTP, RTSP
Signaling:
[SDP ]
[(S/MIME) ]
[SDP ] [SIP ]
[SDP ] [SDP ] [(S/MIME)] [WebSocket]
[RTSP ] [(S/MIME) ] [SIP ] [HTTP ]
[(TLS)] [SIP ] [TLS ] [(TLS )]
[TCP ] [UDP / TCP / SCTP] [TCP ] [TCP ]
[IP ] [IP ] [IP ] [IP ]
RTSP SIP SIP-TLS SIP/WebSocket
RTP (media transport):
[A/V] [A/V] [A/V ] [A/V ] [RTP|RTCP] [SRTP|SRTCP] [DTLS|SRTP|SRTCP] [ZRTP|SRTP|SRTCP] [UDP ] [UDP ] [UDP ] [UDP ] [IP ] [IP ] [IP ] [IP ] RTP, RTCP SRTP, SRTCP DTLS-SRTP ZRTP
Alternative transports for RTP:
[A/V] [A/V]
[A/V] [RTP|RTCP |RTP|RTCP ]
[RTP|RTCP ] [RoQ stream|RoQ Datag.]
[framing ] [QUIC ]
[TCP ] [UDP ]
[IP ] [IP ]
RTP over TCP RTP over QUIC (RoQ)
| Protocol | Port | Description |
|---|---|---|
| RTSP (Real Time Streaming Protocol) | TCP 554 | Control RTP streams (PLAY/PAUSE, etc.) |
| RTSPS (Secure RTSP) | TCP 322 | RTSP over TLS |
| SIP (Session Initiation Protocol) | TCP 5060 UDP 5060 SCTP 5060 | |
| SIP over TLS | TCP 5061 | |
| SIP over WebSocket | TCP 80 TCP or UDP 443 |
| Protocol | Description |
|---|---|
| RTP | Transport A/V streams |
| RTCP | Flow/congestion control for RTP |
| SRTP and SRTCP | |
| DTLS-SRTP | DTLS handshake (with mutual authentication) for keying SRTP (and SRTCP). |
| ZRTP | Diffie-Hellman key exchange on the same port as SRTP. |
| S/MIME | May be used in SIP to provide end-to-end protection of SDP content |
| Framing for RTP | When used over TCP, each RTP or RTCP packet is prefixed with a length field (2 bytes). |
| RTP-MIDI | Send MIDI 1 data over RTP |
| RTP-over-QUIC (RoQ) |
Notes:
- RTCP usually used the next (odd) UDP port after the (even) one used by RTP. Nowadays, they tend to be multiplexed over the same port.
- DTLS-SRT uses a DTLS handshake with mutual authentication and the
use_srtpextension for key exchange and then switch to SRTP, SRCTP on the same port. - The SRTP keys are exported from DTLS (using the "EXTRACTOR-dtls_srtp" exporter label).
- RTP-over-QUIC uses "rtp-mux-quic" for ALPN.
Message multiplexing:
- A mix of (S)RTP, (S)RTCP, STUN, ZRTC and DTLS messages can be multiplexed over the same channel.
- RTP and RTCP can be distinguished using the M and PT fields.
- ZRTP messages can be can be distinguished from (S)RTP messages because the first two bits are zero.
- ZRTP messages can be can be distinguished from STUN messages because they use different magic cookies.
- See RFC5764 section 5.1.2 for demultiplexing of DTLS, RTP/RTCP and STUN packets.
WebRTC
[DCEP|data. chan.]
[DCEP|data. chan.] [SCTP |A/V ]
[SCTP |A/V ] [STUN|mDTLS |SRTP|SRTCP]
[STUN|mDTLS |SRTP|SRTCP] [framing ]
[SDP ] [UDP (+ ICE) ] [TCP (+ ICE) ]
[anything] [IP (+ ICE) ] [IP (+ ICE) ]
WebRTC WebRTC over UDP WebRTC over TCP
Signaling
Type of payloads:
[DCEP|data chan.]
[DCEP|data chan.] [A/V ] [SCTP ]
[A/V ] [SCTP ] [STUN|mDTLS|SRTP|SRTCP] [STUN|mDTLS ]
[STUN|mDTLS|SRTP|SRTCP] [STUN|mDTLS ] [framing ] [framing ]
[UDP (+ ICE) ] [UDP (+ICE) ] [TCP (+ ICE) ] [TCP (+ICE) ]
[IP (+ ICE) ] [IP (+ICE) ] [IP (+ ICE) ] [IP (+ICE) ]
WebRTC A/V streams WebRTC Data Channel WebRTC A/V streams WebRTC Data Channel
(DTLS-SRTP) (SCTP/DTLS) (DTLS-SRTP) (SCTP/DTLS)
proto=UDP/TLS/RTP/SAVPF proto=UDP/DTLS/SCTP proto=TCP/TLS/RTP/SAVPF proto=TCP/DTLS/SCTP
Example WebRTC stack with TURN tunneling:
[DCEP|data. chan.]
[SCTP |A/V ]
[STUN|mDTLS |SRTP|SRTCP]
[TURN ]
[(DTLS) ]
[UDP ]
[IP ]
WebRTC with TURN tunnel
| WebRTC Payload type | SCTP PPID | Description |
|---|---|---|
| SRTP-DTLS | - | |
| DCEP (Data Channel Establishment Protocol) | 50 | Used to create WebRTC data channels. |
| WebRTC String | 51 | |
| WebRTC Binary | 53 | |
| WebRTC Empty String | 56 | |
| WebRTC Empty Binary | 57 |
Notes:
- In WebRTC, the DTLS peers authenticate based on X.509 certificates exchanged through the signaling protocol (eg. in the
identitySDP attribute). - The DCEP
DATA_CHANNEL_OPENmessage may specify a protocol identifier (from the WebSocket subprotocol registry) to be used on this channel. - See RFC5764 section 5.1.2 for demultiplexing of DTLS, RTP/RTCP and STUN packets.
- RTP/SAVPF combines RTP/SAVP (i.e. using SRTP) and RTP/AVPF (i.e. with RTCP-based Feedback).
References:
- WebRTC Protocol Layers
- WebRTC For The Curious
- RFC8834, Media Transport and Use of RTP in WebRTC
- RFC8827, WebRTC Security Architecture
- RFC8835, Transports for WebRTC
- Replacing WebRTC
Security Layers
TLS
TLS sublayers:
[Handshake | ChangecipherSpec | Alert | Application] [TLS Record Protocol: fragmentation ] [Handshake | Alert | Application ] [TLS Record Protocol: compression ] [TLS Record Protocol: fragmentation ] [TLS Record Protocol: record protection ] [TLS Record Protocol: record protection] [Transport layer ] [Transport layer ] TLS v1.2 TLS v1.3
Some protocol stacks using TLS:
[mTLS ]
[HTTP] [HTTP/3|TLS] [SMTP] [IMAP] [TLS|IP / Eth.] [EAP-TLS] [mTLS ]
[TLS ] [QUIC ] [TLS ] [TLS ] [OpenVPN ] [EAP ] [EAP-TLS]
[TCP ] [UDP ] [TCP ] [TCP ] [TCP / UDP ] [EAPOL ] [EAP ]
[IP ] [IP ] [IP ] [IP ] [IP ] [Wifi ] [PPP ]
HTTPS HTTPS SMTPS IMAPS OpenVPN WPA2-EAP PPP
(HTTP/3) with EAP-TLS with EAP-TLS
| TLS Subprotocols | Description |
|---|---|
| Underlying transport layer | eg. TCP |
| TLS Record Protocol: Record Protection | Encryption and message authentication (Cipher+MAC or AEAD). |
| TLS Record Protocol: Compression | Message compression, if negotiated. Not available in TLS v1.3. |
| TLS Record Protocol: Fragmentataion | Subprotocols multiplexing and framing. |
| TLS Handshake Protocol | TLS handshake (version/ciphersuite negotiation, authentication, key exchange, etc.). |
| TLS ChangecipherSpec | Enables communication protection for this direction |
| TLS Alert | Errors. |
| Application Layer | eg. HTTP, SMTP, etc. |
DTLS
Transports:
[app.] [app.] [app.] [DTLS] [DTLS] [DTLS] [UDP ] [SCTP] [DCCP] [IP ] [IP ] [IP ] DTLS DTLS DTLS over over over UDP SCTP DCCP
QUIC
[app.] [app. streams|app. dgrams] [QUIC|TLS] [QUIC +dgram. |TLS] [UDP ] [UDP ] [IP ] [IP ] QUIC QUIC with QUIC datagrams
| Protocol | Description |
|---|---|
| QUIC | Protected transport. Provides multiple streams on top of a single connection. |
| TLS | Used for the handshake (negotiation, keying) |
| QUIC datagrams | Extension of QUIC for unreliable datagrams (not associated to any QUIC stream). |
QUIC is used by:
- HTTP/3 (mostly)
- SMB over QUIC
- RTP over QUIC (RoQ)
QUIC Datagrams are used by:
- HTTP/3 Datagrams (used by WebTransport, UDP/IP/Ethernet procying over HTTP/3)
References:
SSH
[(GSS-API)|shell|command|forwarding]
[SSH Authentication Layer|SSH Connection Layer ]
[SSH Transport Layer ]
[TCP ]
[IP ]
| Protocol | Description |
|---|---|
| GSS-API authentication for SSH |
SSH sessions include:
SSH forwardings include:
- TCP/IP Port Forwarding;
- OpenSSH Tunnel forward extension (TUN/TAP);
- OpenSSH Unix domain socket forwarding.
Some applications:
- SFTP uses "sftp" as SSH subsystem.
VPNs and tunnels
IPSec
SA (Security Associations) establishment:
[... ]
[EAP ]
[IKEv2] [IKEv2]
[UDP ] [UDP ]
[IP ] [IP ]
IKEv2 IKEv2
w/ EAP
IPsec:
[UDP|TCP|...] [IP ]
[UDP|TCP|...] [IP] [UDP|TCP|...] [IP ] [ESP ] [ESP]
[AH ] [AH] [ESP ] [ESP] [UDP ] [UDP]
[IP ] [IP] [IP ] [IP ] [IP ] [IP ]
AH AH ESP ESP ESP/UDP ESP/UDP
Transport Tunnel Transport Tunnel Transport Transport
| Protocol | IP Protocol | Port | Notes |
|---|---|---|---|
| AH (Authentication Header) | 51 | - | integrity, data origin authentication, anti-replay (including the outer IP packet) |
| ESP (Encapsulating Security Payload) | 50 | - | integrity, data origin authentication, anti-replay, confidentiality (of the payload) |
| IKEv2 | - | UDP 500 | |
| ESP over UDP (and IKDEv2) | - | UDP 4500 |
ESP transport mode:
[app.]<--------->[app.] [TCP ]<--------->[TCP ] [ESP ]<=========>[ESP ] [IP ]<--------->[IP ] correspondent correspondent
ESP tunnel mode:
[app.]<------------------------------>[app.]
[TCP ]<------------------------------>[TCP ]
[IP ]<-------->[IP ]<----->[IP ]<----[IP ]
[ESP]<=====>[ES ]
[IP ]<----->[IP ]
correspondent Gateway Gateway correspondent
AH transport mode:
[app.]<--------->[app.] [TCP ]<--------->[TCP ] [AH ]<--------->[AH ] [IP ]<=-=-=-=-=>[IP ] correspondent correspondent
AH tunnel mode:
[app.]<---------------------------->[app.]
[TCP ]<---------------------------->[TCP ]
[IP ]<-------->[IP]<----->[IP]<--->[IP ]
[AH]<----->[AH]
[IP]<=-=-=>[IP]
correspondent Gateway Gateway correspondent
References:
- RFC4301, Security Architecture for the Internet Protocol
VPNs
[IPv4|IPv6|(TLS)] [Eth. MAC|(TLS)] [IP ] [IP / Eth. MAC]
[OpenVPN ] [OpenVPN ] [WireGuard] [SSH ]
[TCP / UDP ] [TCP / UDP ] [UDP ] [TCP ]
[IP ] [IP ] [IP ] [IP ]
OpenVPN IP OpenVPN Ethernet WireGuard OpenSSH tunnel
(TUN mode) (TAP mode)
[IP ]
[IP ] [IP ] [PPP ] [IP ]
[Capsule] [Capsule|- ] [SSTP ] [PPP ]
[HTTP ] [HTTP3 |H3 dgram.] [HTTP ] [HTTP ]
[(TLS) ] [QUIC +dgram.] [TLS ] [TLS ]
[TCP ] [UDP ] [TCP ] [TCP ]
[IP ] [IP ] [IP ] [IP ]
IP in HTTP IP in HTTP/3 MS-SSTP FortiSSL
| Protocol | Port |
|---|---|
| OpenVPN | UDP 1194, TCP 1194 |
| WireGuard | UDP 51820 |
| OpenSSH tunnel | (over SSH, TCP 22) |
| IP in HTTP | TCP/UDP 443 (HTTPS) |
| MS-SSTP | TCP/UDP 443 (HTTPS) |
| FortiSSL |
Notes:
- OpenVPN does not work on top of TLS (TLS over TCP). TLS is encapsulated in the OpenVPN protocol and is used for the handshake. The inner frame/packets are not encapsulated by TLS (no IP-over-TLS or Ethernet-over-TLS).
- MS-SSTP use a
SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/HTTPS request. The encapsulted protocol is chosen with the MS-SSTP Protocol ID field (0x0001 for PPP).
Simple Tunnels
[IP ] [IP ]
[GRE ] [GRE ]
[(UDP) ] [DTLS] [Eth. MAC]
[IP] [(AH / ESP)] [UDP ] [EtherIP ]
[IP] [IP ] [IP ] [IP ]
IP in IP GRE GRE-UDP-DTLS EtherIP
| Protocol | SAP | Description |
|---|---|---|
| GRE (Generic Routing Encapsulation) | IP proto 47 | Next protocol defined as an EtherType; Optional 32 bit key (tunnel ID); optional 32 bit sequence number |
| GRE-in-UDP | UDP 4754 (dest.) | |
| GRE-UDP-DTLS | UDP 4755 (dest.) | |
| EtherIP | IP proto 97 |
L2TPv3
Pseudowires:
[PPP ] [Eth. MAC] [Frame Relay] [HDLC] [ATM ] [L2TP] [L2TP ] [L2TP ] [L2TP] [L2TP] [... ] [... ] [... ] [... ] [... ]
Transports:
[... ]
[L2TP]
[... ] [SNAP] [... ]
[L2TP] [... ] [... ] [LLC ] [L2TP]
[UDP ] [L2TP] [L2TP ] [AAL5] [AAL5]
[IP ] [IP ] [Frame Relay] [ATM ] [ATM ]
L2TP L2TP L2TP L2TP L2TP
/UDP /IP /Frame Relay /ATM /ATM
(LLC) (VC mux)
| Protocol | SAP | Description |
|---|---|---|
| L2TP (Layer Two Tunneling Protocol) | 16 bit tunnel ID, optional 16 bit sequence numbers | |
| L2TP over IP | IP proto. 115 | |
| L2TP over UDP | UDP 1701 (control) |
Network virtualization
[Eth. MAC ] [Eth. / IP / ...] [Eth. / IP / ...] [VXLAN ] [GENEVE ] [GRE + Key ext. ] [UDP ] [UDP ] [(UDP) ] [(AH / ESP)] [(AH / ESP) ] [(AH / ESP) ] [IP ] [IP ] [IP ] VXLAN GENEVE NVGRE
| Protocol | Port | Description |
|---|---|---|
| VXLAN (Virtual eXtensible LAN) | UDP 4789 (dest.) | 24 bit VNI (VXLAN Network Identifier), always encapsulates Ethernet |
| GENEVE (Generic Network Virtualization Encapsulation) | UDP 6081 (dest.) | 24 bit VNI, can encapsulate different protocols (EtherType) |
| NVGRE (Network Virtualization witg GRE) | 24-bit VSID (Virtual Subnet Identifier), can encapsulate different protocols (EtherType) |
Authentication, authorization
EAP
TLS-based EAP methods:
[... ]
[EAP ] [PAP ] [CHAP ] [... ] [... ]
[AVP ] [AVP ] [AVP ] [EAP ] [EAP ]
[mTLS ] [TLS ] [TLS ] [TLS ] [TLS ] [TLS ]
[EAP-TLS] [EAP-TTLS] [EAP-TTLS] [EAP-TTLS] [PEAP] [TEAP]
[EAP ] [EAP ] [EAP ] [EAP ] [EAP ] [EAP ]
[... ] [... ] [... ] [... ] [... ] [... ]
EAP-TLS EAP PAP CHAP EAP EAP
over over over over over
EAP-TTLS EAP-TTLS EAP-TTLS PEAP TEAP
EAP transports:
[... ] [...] [... ] [... ]
[... ] [... ] [EAP ] [EAP] [EAP ] [EAP ]
[...] [EAP ] [EAP ] [PANA] [IKE] [RADIUS ] [Diameter ]
[EAP] [802.1X ] [802.1X] [UDP ] [UDP] [UDP / TCP] [TCP / SCTP]
[PPP] [Ethernet] [Wifi ] [IP ] [IP ] [IP ] [IP ]
EAP 802.1X WPA-EAP PANA EAP EAP over EAP/Diameter
for for RADIUS
PPP IKE
Example full protocol stacks:
[EAP-MSCHAPV2]
[EAP ]
[mTLS ] [TLS ]
[EAP-TLS] [TEAP ]
[EAP ] [EAP ]
[802.1X ] [802.1X ]
[Wifi ] [Wifi ]
WPA-EAP WPA-EAP
with with
EAP-TLS EAP-EAP
and MSCHAPv2
| EAP Method | Method Type | Description |
|---|---|---|
| EAP-TLS | 13 | Mutual TLS authentication |
| EAP-TTLS | 21 | AVPs (attribute value pairs) in the Diameter format over TLS |
| PEAP (Protected EAP) | 25 | Inner EAP exchange over a TLS tunnel |
| EAP-FAST | 43 | |
| TEAP (Tunnel EAP) | 55 | Inner EAP exchange over a TLS tunnel (standardized version of PEAP) |
| EAP-SIM, EAP-AKA, EAP-AKA' | 18, 23, 50 | SIM-based authentication |
| EAP-pwd | 52 | Authenticated key exchange based on a shared password |
| EAP-NOOB | 56 | Authentication for IoT devices based on an initial out-of-band channel |
| EAP Transport | Description |
|---|---|
| 802.1X | Authetication of LAN/WLAN such as Ethernet and Wifi (WPA-EAP aka WPA-Entreprise) |
| PANA (Protocol for Carrying Authentication for Network Access) | |
| RADIUS support for EAP | EAP messages encapsulated in the EAP-Message attribute |
| Diameter support for EAP | EAP messages encapsulated in EAP-Payload AVP |
Kerberos
[Kerberos]
[MS-KKDCP]
[HTTP ]
[Kerberos] [TLS ]
[UDP/TDP ] [TCP ]
[IP ] [IP ]
Kerberos MS-KKDCP
| EAP Method | Port | Description |
|---|---|---|
| Kerberos | UDP or TCP 88 | |
| MS-KKDCP (Kerberos Key Distribution Center Proxy) | TCP or UDP 443 (HTTPS) | Kerberos over HTTPS. |
SASL
General SASL stack:
[mechanism] [SASL ] [protocol ] [protocol ] → [(SASL sec.)] [... ] [... ]
Notes:
- Protocol with support for SASL include LDAP, IMAP, POP, SMTP, XMPP, MQTT, etc.
- SASL mechanisms include ANONYMOUS, PLAIN, EXTERNAL, etc.
- Some SASL mechanisms may install a SASL security layer (providing features such as encryption and/or integrity protection to the protocol). Nowadays, this is seen as redundant with the usage of TLS which should be used instead.
| SASL Mechanism | Security Layer | Channel Binding | Description |
|---|---|---|---|
| GSSAPI | Optional (negotiated) | Yes | Kerberos 5 (not other mechanisms) with GSSAPI |
| GSS2-* | No | No | GSS-API mechanisms (without support for channel binding) |
| GSS2-*-PLUS | No | Yes | GSS-API mechanisms (with support for channel binding) |
| OAUTHBEARER | No | No | Oauth 2.0 Bearer token |
GSSAPI
[Kerberos] [MS-NLMP ] [... ]
[Kerberos] [SPNEGO ] [SPNEGO ] [EAP ]
[GSS-API ] [GSS-API ] [GSS-API ] [GSS-API]
[SASL ] [SASL ] [SASL ] [SASL ]
[... ] [... ] [... ] [... ]
GSS-API GSS-API NTLM
with with with SNPEGO
Kerberos SPNEGO /SASL
/ SASL /SASL
| Protocol | Description |
|---|---|
| GSSAPI (Generic Security Service API) | GSSAPI defines a Mechanism-Independent Token Format which is required for the initial token but optional for the other tokens |
| SPNEGO (Simple and Protected Negotiation Mechanism) | Negotiation of GSSAPI mechanism to use |
| Kerberos 5 for GSSAPI mechanism | |
| GSS mechanism for EAP |
Notes:
- GSS-API over SASL can use either the
GSSAPISASL mechanism or the newerGS2-*mechanisms (eg. GS2-KRB5, GS2-KRB5-PLUS). - The newer
GS2-*mechanisms must not use mechanisms negotiation (such as SPNEGO).
RADIUS and DIAMETER
[RADIUS] [Diameter] [Diameter]
[RADIUS] [RADIUS] [TLS ] [Diameter] [Diameter] [TLS ] [DTLS ]
[UDP ] [TCP ] [TCP ] [TCP ] [SCTP ] [TCP ] [SCTP ]
[IP ] [IP ] [IP ] [IP ] [IP ] [IP ] [IP ]
RADIUS RADIUS RADIUS Diameter Diameter Diameter Diameter
/UDP /TCP /TLS /TCP /SCTP /TLS /DTLS
(RadSec)
| Protocol | Port | SCTP PPID | Description |
|---|---|---|---|
| RADIUS (authentication and authorization) | UDP 1812, TCP 1812 | - | |
| RADIUS Accounting | UDP 1813, TCP 1813 | - | |
| RADIUS DynAuth | UDP 3799 | - | Disconnect and Change-of-Authorization (CoA) messages |
| RADIUS over TLS (RadSec) | TCP 2083 | - | |
| Diameter | TCP 3868, SCTP 3868 | 46 | |
| Diameter over TLS/TCP | TCP 5658 | - | |
| Diameter over DTLS/SCTP | SCTP 5658 | 47 |
NAT traversal
STUN and TURN
[UDP app. ]
[STUN ] [TURN ] [TURN ] [TURN|app.]
[(DTLS / TLS)] [(DTLS / TLS)] [(DTLS / TLS)] [(TLS) ]
[UDP / TCP ] [UDP / TCP ] [UDP / TCP ] [TCP ]
[IP ] [IP ] [IP ] → [IP ]
STUN TURN (UDP) TURN-TCP TURN-TCP
connection
| Protocol | Description |
|---|---|
| STUN (Session Traversal Utilities for NAT) | |
| STUN with DTLS | |
| TURN (Traversal Using Relays around NAT) | Extension of STUN for relaying communications (UDP applications) over UDP or TCP. |
| TURN-TCP | Extension of TURN for relaying TCP applications (over TCP). TCP connections are allocated over a control TURN channel. Each TCP connection is transported over a new dedicated connection after an initial ConnectionBind TURN request (and response). |
ICE
[SDP ]
[STUN (+TURN)] [SDP] [HTTP] [STUN|app. ]
[(DTLS / TLS)] [SIP] [TLS ] [(DTLS)/ (TLS)]
[UDP / TCP ] [TCP] [TCP ] [UDP / TCP ]
[IP ] [IP ] [IP ] [IP ]
STUN, TURN ICE candidate ICE candidates ICE communications
(candidate exchange exchange (direct)
collection) with SIP with SDP/HTTPS
| Protocol | Description |
|---|---|
| ICE (Interactive Connectivity Establishment) | Uses STUN, TURN and exchanges ICE candidates for establishing communications. |
| ICE-TCP | Extends ICE for TCP streams. |
| STUN | Used to help NAT traversal. |
| TURN | Used for relaying communication when no direct communication are possible. |
| SDP | May be used for exchanging ICE candidates (for example in SIP or WebRTC). Other methods may be used depending on the application (including non-SDP methods). |
Note:
- STUN Binding request/response are directly exchanged between the peers. Some method must be used for multiplexing STUN and the application protocol. See for example RFC5767 section 5.1.2.
Example of ICE through TURN:
[STUN¦app ]<-------------------->[STUN¦app] [TURN ]<--->o[TURN] [- ] [TLS ]<--->o[TLS ] [- ] [TCP ]<--->o[TCP |UDP]<---->[UDP ] [IP ]<---->[IP ]<---->[IP ] Appl. Peer Appl. Peer TURN client TURN server
Link Layer
Ethernet (802.1)
[... ] [IP|ARP|... ]
[EAP ] [SNAP ]
[IP|ARP|EAPOL] [LLC ]
[(802.1Q )] [(802.1Q )]
[(802.1ad )] [(802.1ad )]
[Ethernet MAC] [Ethernet MAC]
[Ethernet PHY] [Ethernet PHY]
Ethernet II 802.1 with SNAP
Ethernet PHY sublayers (since Fast Ethernet):
[Ethernet PCS] [Ethernet PCS] (PHY) [Ethernet PMA] [Ethernet PMA] (PHY) [Ethernet PMD] [Ethernet PMD] (PHY)
| Protocol | EtherType | Description |
|---|---|---|
| PMD (Physical Medium Dependent sublayer) | - | eg. 100BASE-FX, 10GBASE-E, 10GBASE-L, 10GBASE-S, 10GBASE-LX4 |
| PMA (Physical Medium Attachment sublayer) | - | Framing, synchronization, etc. |
| PCS (Physical coding sublayer sublayer) | - | Negotiation, coding (error detection) |
| ARP (Address Resolution Protocol) | 0x0806 | Mapping between MAC addresses and IP addresses |
| 801.1Q | 0x8100 | VLAN (Q-tag) |
| 802.1ad (Q-in-Q) | 0x88A8 | VLAN in VLAN (outer 802.1ad tag is S-tag for service-tag; inner 802.1Q tag is c-tag for customer-tag) |
| 802.1X (EAPOL) | 0x888E | Port Authentication, used for WPA-Entreprise as well |
| IPv4 | 0x0800 | |
| IPv6 | 0x86DD | |
| LLC (Logical Link Control) | (length ≤ 1500) | |
| SNAP (Subnetwork Access Protocol) | - |
Wifi (802.11)
[... ]
[EAP ]
[EAPOL ] [IP |ARP]
[SNAP ] [SNAP ] (Link)
[LLC ] [LLC ] (Link)
[(WEP / TKIP / CCMP / GCM)] (Link)
[Wifi MAC ] [Wifi MAC ] (Link)
[Wifi PLCP] [Wifi PLCP ] (Phy.)
[Wifi PMD ] [Wifi PMD ] (Phy.)
WPA-Entreprise
Authentication
(WPA-EAP)
| Layer | Description |
|---|---|
| PMD (Physical Medium Dependent sublayer) | (eg. 802.11 FHSS, 802.11 DSSS, 802.11a OFDM, 802.11b HR/DSSS, 802.11g ERP) |
| PLCP (Physical Layer Convergence Protocol sublayer) | |
| WEP (Wired Equivalent Privacy) | Old encryption layer (based on RC4 and CRC-32) |
| TKIP (Temporal Key Integrity Protocol) | Encryption layer of WPA1 (RC4 stream cipher with “Michael” MIC) |
| CCMP | Encryption layer of WPA2 (AES with CCM mode) |
| GCMP-256 | Encryption layer of WPA3 (56-bit Galois/Counter mode) |
| LLC (Logical Link Control) | |
| SNAP (Subnetwork Access Protocol) |
Access Point:
[app. ]<--------------------------->[app. ] [TCP ]<--------------------------->[TCP ] [IP ]<--------------------------->[IP ] [SNAP ]<--------------------------->[SNAP ] [LLC ]<--------------------------->[LLC ] [sec. #1 ]<===>[sec. #1 | sec. #2]<===>[sec. #2 ] [Wifi MAC]<--->[Wifi MAC ]<--->[Wifi MAC] [Wifi PHY]<--->[Wifi PHY ]<--->[Wifi PHY] Station 1 Access Point Station 2
Ethernet/Wireless bridge:
[app. ]<------------------------------->[app. ] [TCP ]<------------------------------->[TCP ] [IP ]<------------------------------->[IP ] [SNAP ]<----[SNAP ] [LLC ]<--->[LLC ] [security]<===>[security ] [Wifi MAC]<--->[Wifi MAC \-/ Eth. MAC]<--->[Eth. MAC] [Wifi PHY]<--->[Wifi PHY | Eth. PHY]<--->[Eth. PHY] Station 1 Ethernet/Wireless bridge Station 2
ATM
[... / ...]
[NLPID / SNAP]
[... ] [LLC ]
[AAL5] [AAL5 ]
[ATM ] [ATM ]
[phy. ] [phy. ]
VC Mux LLC Encap.
References:
- Multiprotocol Encapsulation over AAL5, RFC2684
PPP
Configuration:
[... ]
[LCP] [CCP] [compression]
[PPP] [PPP] [PPP ]
[...] [...] → [... ]
LCP CCP and compression
Authentication:
[...]
[PAP] [CHAP] [EAP]
[PPP] [PPP ] [PPP]
[...] [... ] [...]
PAP CHAP EAP
Applications:
[IPCP|IPv4] [IPv6CP|IPv6] [PPP ] [PPP ] [... ] [... ] IPv4/PPP IPv6/PPP
Transports:
[... ]
[PPP ] [...]
[... ] [... ] [... ] [(SNAP)] [... ] [PPP]
[PPP ] [PPP ] [PPP ] [LLC ] [PPP ] [SSH]
[HDLC ] [HDLC] [PPPoE ] [AAL5 ] [L2TP] [TCP]
[RS-232] [V.92] [Ethernet] [ATM ] [... ] [IP ]
PPP/RS-232 PPP/PSTN PPPoE PPPoA L2TP PPP
/SSH
| Protocol | PPP Protocol | EtherType | Description |
|---|---|---|---|
| PPP (Point-to-Point Protocol) | - | ||
| LCP (Link Control Protocol) | 0xc021 | - | |
| PAP (Password Authentication Protocol) | 0xc023 | - | Cleartext login/password |
| CHAP (Challenge-Handshake Authentication Protocol) | 0xc223 | - | Includes MC-CHAP and MS-CHAPv2 as well. |
| EAP (Extensible Authentication Protocol) | 0xc227 | - | |
| IPCP (IP Configuration Protocol) | 0x0021 | - | Configuration of the IPv4 address |
| IPv4 | 0x0021 | - | |
| IPv6CP (IPv6 Configuration Protocol) | 0x8057 | - | |
| IPv6 | 0x0057 | - | |
| PPPoA, PPP-over-ATM (AAL5) | - | - | |
| PPPoE, PPP-over-Ethernet | - | 0x8863 (discovery), 0x8864 (session) | |
| L2TP (Layer Two Tunneling Protocol) | - | - | |
| HDLC-like framing (RFC1662) for PPP | - | - | |
| CCP (Compression Control Protocol) | - | - | |
| PPP over SSH | - | - | It's not a standard thing but you can do it. |
GPON (G.984)
Gigabit Passive Optical Network:
[PWE3 ]
[SIP |RTP ] [RTP ]
[TCP |UDP ] [UDP ]
[IP ] [IP ] [IP ] [MEF-8 ]
[VLAN ] [VLAN ] [VLAN ] [VLAN ]
[TDM|Eth. MAC] [Eth. MAC ] [Eth. MAC ] [Eth. MAC ] [SDH ]
[PLOAM|OMCI|ATM|GEM ] [GEM ] [GEM ] [GEM ] [GEM ]
[GTC adaptation ] [GTC adaptation] [GTC adaptation] [GTC adaptation] [GTC adaptation]
[GTC framing ] [GTC framing ] [GTC framing ] [GTC framing ] [GTC framing ]
[GPM ] [GPM ] [GPM ] [GPM ] [GPM ]
General stack Voice (VoIP) Voice with PWE3 Voice with MEF-8 Voice (TDM)
| Protocol | Description |
|---|---|
| GPM (GPON Physical Media Dependent layer) | |
| GTC framing | |
| PLOAM (Physical Layer Operations, Administration and Maintenance) | |
| OMCI (ONU Management and Control Interface) | |
| GEM (G-PON Encapsulation Mode) | |
| TDM (Time Division Multiple Access) | Emulation of any TDM-based circuit |
| PWE3, Pseudo Wire Emulation Edge-to-Edge | Frame Relay/ATM/Ethernet/TDM/SONET/SDH over IP or MPLS |
| MEF-8 | Emulation of PDH over Ethernet |
References:
- G.984.1 : Gigabit-capable passive optical networks (GPON): General characteristics
- G.984.3 : Gigabit-capable passive optical networks (G-PON): Transmission convergence layer specification
XG-PON (G.987)
[PWE3 ]
[SIP|RTP ] [RTP ]
[TCP|UDP ] [UDP ]
[IP ] [IP ] [IP ] [MEF-8 ]
[802.1X|VLAN] [VLAN ] [VLAN ] [VLAN ]
[Eth. MAC |MPLS] [Eth. MAC ] [Eth. MAC ] [Eth. MAC ]
[PLOAM|OMCI|XGEM ] [XGEM ] [XGEM ] [XGEM ]
[XGTC framing ] [XGTC framing ] [XGTC framing ] [XGTC framing ]
[XGTC PHY adaptation ] [XGTC PHY adaptation] [XGTC PHY adaptation] [XGTC PHY adaptation]
[XGON PMD ] [XGON PMD ] [XGON PMD ] [XGON PMD ]
General stack Voice (voIP) Voice with PWE3 Voice with MEF-8
References:
- G.987.1 : 10-Gigabit-capable passive optical networks (XG-PON): Transmission convergence (TC) layer specification
- G.987.2 : 10-Gigabit-capable passive optical networks (XG-PON): Physical media dependent (PMD) layer specification
- G.987.3 : 10-Gigabit-capable passive optical networks (XG-PON): Transmission convergence (TC) layer specification
- Implementation Agreement for the Emulation of PDH Circuits over Metro Ethernet Networks
Phone
SS7
[... ] [... ] [... ] [... ] [... ]
[ISUP|TCAP] [TCAP] [TCAP ] [TCAP ] [TCAP]
[TUP / ISUP|SCCP ] [SUA |ISUP] [SCCP ] [SCCP ] [SCCP|ISUP]
[MTP-3 ] [- ] [MTP-3|ISUP] [MTP-3 ] [M3UA ]
[MTP-2 ] [- ] [M2PA ] [M2UA ] [ - ]
[MTP-1 ] [(DTLS) ] [(DTLS) ] [(DTLS) ] [(DTLS) ]
[SCTP ] [SCTP ] [SCTP ] [SCTP ]
[(IPSec) ] [(IPSec) ] [(IPSec)] [(IPSec) ]
[IP ] [IP ] [IP ] [IP ]
SS7 SUA M2PA M2UA M3UA ...
Some application protocols:
[MAP ]
[ISUP ] [TCAP ]
[TUP ] [ISUP ] [SCCP ] [SCCP ]
[MTP-3] [MTP-3] [MTP-3] [MTP-3]
[MTP-2] [MTP-2] [MTP-2] [MTP-2]
[MTP-1] [MTP-1] [MTP-1] [MTP-1]
TUP ISUP ISUP MAP
/SCCP
| Protocol | SCTP PPID | Description |
|---|---|---|
| MTP-1 (Message Transfer Part layer 1) | Physical layer | |
| MTP-2 (Message Transfer Part layer 2) | Link layer | |
| MTP-3 (Message Transfer Part layer 3) | Nework layer | |
| TUP (Telephone User Part) | Signaling for classic PSTN, mostly replaced by ISUP | |
| ISUP (ISDN User Part) | ||
| SCCP (Signalling Connection Control Part) | ||
| TCAP (Transaction Capabilities Application Part) | ||
| CAP (CAMEL Application Part) | ||
| MAP (Mobile Application Part) | Transport layer on top of IP | |
| SCTP (Stream Control Transmission Protocol) | - | |
| SUA (SCCP User Adaptation) | 4 | Replaces SCCP when used over SCTP/IP |
| M2UA (MTP2 User Adaptation Layer) | 2 | |
| M2PA (MTP2 User Peer-to-Peer Adaptation Layer) | 5 | |
| M3UA (MTP3 User Adaptation Layer) | 3 |
References:
Mobile
User Equipment (i.e. the phone) stacks:
PDP contexts PDP contexts EPS bearers PDU sessions
| | | | | | | |
[SM ] ↓ ↓ | | | | ↓ ↓
[GMM ] [IP / PPP] [CM|SM ] ↓ ↓ [LTE NAS ] ↓ ↓ [5G NAS ] [IP|Eth.]
[CM ] [SNDCP ] [SNDCP ] [MM|GMM ] [IP / PPP ] [LTE RRC ] [IP / PPP] [5G RRC ] [SDAP ]
[MM ] [GPRS LLC] [GPRS LLC] [UMTS RRC] [UMTS PDCP] [LTE PDCP] [LTE PDCP] [5G PDCP] [5G PDCP]
[RRM ] [GPRS RLC] [GPRS RLC] [UMTS RLC] [UMTS RLC ] [LTE RLC ] [LTE RLC ] [5G RLC ] [5G RLC ]
[LAPDm ] [GPRS MAC] [GPRS MAC] [UMTS MAC] [UMTS MAC ] [LTE MAC ] [LTE MAC ] [5G MAC ] [5G MAC ]
[GSM PHY] [GSM PHY ] [GSM PHY ] [UMTS PHY] [UMTS PHY ] [LTE PHY ] [LTE PHY ] [5G PHY ] [5G PHY ]
CP CP UP CP UP CP UP CP UP
-------- --------------------- ---------------------- --------------------- -----------------
GSM (2G) GPRS (2.5G) UMTS (3G) LTE (aka EPS) (4G) 5G NR (5G)
Authentication stacks at the user equipment:
[... ]
[AVP ]
[mTLS ] [TLS ]
[EAP-AKA] [EAP-AKA'] [EAP-TLS] [EAP-TTLS]
[EPS-AKA] [5G-AKA] [EAP ] [EAP ] [EAP ] [EAP ]
[NAS ] [NAS ] [NAS ] [NAS ] [NAS ] [NAS ]
EPS-AKA 5G-AKA EAP-AKA EAP-AKA' EAP-TLS EAP-TTLS
(4G) (5G) (5G) (5G) (5G) (5G)
Notes:
- 5G primary authentication, access authentication;
- 5G secondary authentication, setting up user planes from other operators
References:
| Protocol | Description |
|---|---|
| LAPDm (Link Access Procedures on the Dm channel) | Link layer for GSM used between the mobile station (i.e. the phone) and the BSC |
| RR aka RMM (Radio Resource Management) | |
| MM (Mobile Management) | |
| CM (Connection Management) | |
| RLC (Radio Link Control) | |
| LLC (Logical Link Control) | (This is not the 802.2 LLC protocol used with Ethernet, Wifi, etc.) |
| SNDCP (Subnetwork Dependent Convergence Protocol) | |
| GMM (GPRS Mobility Management) | |
| SM (Session Management) | |
| PDCP (Packet Data Convergence Protocol) | |
| RRC (Radio Resource Control) | |
| NAS (Non-access stratum) | |
| SDAP (Service Data Adaption Protocol) | |
| SM (Session Management) | |
| GMM (GPRS Mobile Management) |
References:
- PDP types
- PDU session types (5G)
- Extensible Authentication Protocol (EAP) in next-generation networks
- Long Term Evolution Protocol Overview
- SMS in 5GC
- ETSI TS 124 501, 5G NAS
- A Comparative Introduction to 4G and 5G Authentication
- 5G: focus on N3IWF, TNGF, TWIF and W-5GAN
Non-3GPP access
User equipment stacks for untrusted non-3GPP access (5G):
PDU sessions
| |
[EAP-AKA] | |
[EAP / 5G-AKA] ↓ ↓
[NAS ] [NAS ] [IP|Eth.] ← Application IP (IMS, data)
[EAP-5G ] [TCP ] [GRE ]
[EAP ] [IP ] [IP ] ← Inner IP (connect to the N3IWF)
[IKEv2 ] [ESP ] [IKEv2] [ESP ]
[UDP ] [(UDP)] [UDP ] [(UDP) ]
[IP ] [IP ] [IP ] [IP ] ← Non-3GPP Access Network
[L2 ] [L2 ] [L2 ] [L2 ]
[L1 ] [L1 ] [L1 ] [L1 ]
CP CP UP UP
(before SA) (after SA) establishment
Notes:
- ESP/UDP may be used for NAT traversal.
- Different IPSec SAs are established for:
- control plane (signaling) i.e. transporting NAS messages;
- user plane (one SA per PDU layer and QoS flow);
- N3IWF (Non-3GPP Interworking Function) is resonsible for the interworking of the non-3GPP access and the 5G core.
User equipment stacks for untrusted non-3GPP access with firewall traversal (5G):
PDU sessions
| |
[EAP-AKA] | |
[EAP / 5G-AKA] ↓ ↓
[NAS ] [NAS] [IP|Eth.] ← Application IP (IMS, data)
[EAP-5G ] [TCP] [GRE ]
[EAP ] [IP ] [IP ] ← Inner IP (connect to the N3IWF)
[IKEv2 ] [ESP] [IKEv2] [ESP ]
[TLS ] [TLS] [TLS ] [TLS ]
[TCP ] [TCP] [TCP ] [TCP ]
[IP ] [IP ] [IP ] [IP ] ← Non-3GPP Access Network
[L2 ] [L2 ] [L2 ] [L2 ]
[L1 ] [L1 ] [L1 ] [L1 ]
CP CP UP UP
(before SA) (after SA) establishment
References:
- ETSI TS 123 402 v16
- A Tutorial on Trusted and Untrusted Non-3GPP Accesses in 5G Systems—First Steps Toward a Unified Communications Infrastructure
- Untrusted Non-3GPP Acccess Network Interworking with 5G Core
IMS
IMS (IP Multimedia Subsystem) is an SIP/IP based-service to transporting voice, SMS, video over 4G (VoLTE), 5G (VoNR) or non-3GPP access (VoWLAN/WoWifi).
User equipment stacks for stacks for IMS:
[SMS] [SDP|A/V ] [SIP] [SIP|RTP |RTCP] [TCP] [TCP|UDP / TCP] [IP ] [IP ] SMS Audio/Video calls over IMS over IMs
Notes:
- SMS may be transported over NAS as well.
References:
SMS
User equipment stacks for SMS:
[SM-AL ] [SMS ] [SM-TL ] [SIP ] [SM-RP ] [SMS] [TCP ] [SM-CP ] [NAS] [IP ] [CM ] [RRC] [(SDAP)] [MM ] [RLC] [PDCP ] [RR ] [RLC] [RLC ] [LDAPDm ] [MAC] [MAC ] [GSM PHY] [PHY] [PHY ] SMS/GSM SMS/NAS SMS/IMS (2G) (4G/5G) (4G/5G)
WAP
User equipment stacks for WAP (including MMS):
[WML | WMLScript | MMS] [WSP ] [XHTML MP|WAP CSS|MMS] [(WTP ) ] [(WP-)HTTP ] [(WTLS) ] [TLS ] [WDP / UDP ] [(WP-)TCP ] [SMS / IP ] [IP ] [... / ... ] [... ] WAP 1 WAP 2.0
| Protocol | Description |
|---|---|
| Wireless Session Protocol (WSP) | Similar to HTTP |
| Wireless Transaction Protocol (WTP) | Similar to TCP. Used for CO-WSP (Connection-oriented WSP), absent for CL-WSP (Connectionless WSP) |
| Wireless Transport Layer Security (WTLS) | Protection (similar to TLS) |
| Wireless Datagram Protocol (WDP) | Similar to UDP |
| WML (Wireless Markup Language) | XML-based markup language, similar to HTML |
| WMLScript | Scripting language based on ECMAScript but compiled to a bytecode |
| XHTML MP (Mobile Profile) | |
| WP-TCP | Profile of TCP |
| WP-HTTP | Profile of HTTP |
References:
- Looking inside the MMS Exchange (With call flow and PCAP)
- WapProtocolFamily ~ Wireshark Wiki
- Wireless Datagram Protocol (WDP) ~ Wireshark Wifi
- Wireless Session Protocol (WSP) ~ Wireshark Wifi
- Wireless Datagram Protocol (WDP), v14
Devices
BlueTooth
ACL SCO
/--------------------------------------------\ /---\
[IP ] [IP |... ] [HID|...]
[PPP|AT|Eth. MAC] [GATT |GAP ]
[SDP |RFCOMM|BNEP |OBEX|HIDP|AVCTP|AVDTP] [... ] [ATT |SM|- ]
[L2CAP |voice] [L2CAP ] [L2CAP |- ] ↑Host
------------------(HCI)------------------------------- ---(HCI)--- ---(HCI)------------------
[LMP|- ] [Wifi PAL ] ↓Controler
[LCP ] [Wifi MAC ] [LE LL ]
[BR / EDR ] [Wifi PHY ] [LE 1M / LE 2M / LE Coded]
Bluetooth Classic Bluetooth HS Bluetooth Low Energy (BLE)
(High Speed)
Host/Controler interface (HCI) example (over USB):
[RFCOMM ]<-------------------------------------->[RFCOMM ] [L2CAP ]<-------------------------------------->[L2CAP ] [HCI ]<--->[HCI |LMP ]<--------------->[LMP ] [USB ]<--->[USB |LCP ]<--------------->[LCP ] [USB PHY] [USB PHY|BR / EDR]<--------------->[BR / EDR] Host Bluetooth Controler Device
| Protocol | Description |
|---|---|
| BR (Basic Rate) | |
| EDR (Extended Data Rate) | |
| LE (Low Energy) 1M | |
| LE (Low Energy) 2M | |
| LE (Low Energy) Coded | |
| LCP | |
| LMP (Link Manager Protocol) | |
| LE LL (LE Link Layer) | |
| L2CAP (Logical Link Control and Adaptation Protocol) | |
| SDP (Service Discovering Protocol) | |
| RFCOMM (Radio frequency communication) | RS-232 port emulation |
| BNEP (Bluetooth Network Encapsulation Protocol) | BNEP transports Ethernet traffic (but replaces the Ethernet header with its own header!) |
| OBEX | |
| HIDP (Bluetooth HID Protocol) | |
| AVCTP (Audio/video control transport protocol) | |
| AVDTP (Audio/video data transport protocol) | |
| SM (Security Manager) | |
| GAP | |
| ATT | |
| GATT | |
| AT | Hayes Modem AT commands |
| HCI (Host Controller Interface) | Communication between the host and the bluetooth controller |
Radio link types:
- ACL (Asynchronous Connection-Less), used for general data
- SCO (Synchronous Connection-Oriented), reserved time slots (used for voice data)
USB
[Eth|...|MIDI1 |MIDI1|MIDI2]
[Std. Req.|HID|BOT|UAS|UASP|CCID|CDC |USB-MIDI|USB-MIDI2 |IPP|...]
[USB Protocol layer ]
[USB PHysical ]
| Device Classes | Description |
|---|---|
| Standard Requests | |
| HID (Human Interaction Device) | Keyboard, Mouse, Baseball and Golf clubs, etc. |
| MSB (Mass Storage Device) | USB stick, etc. |
| CDC (Commnication Device Class) | |
| IPP (Internet Printing Protocol) | |
| MTP (Media Transfer Protocol) | |
| CCID (Chip Card Interface Device) | Smartcard, Yubikeys, etc. |
| DFU (Device Firmware Upgrade) | |
| BOT (Bulk Only Transfer) | |
| UAS (USB Attached SCSI) | |
| UASP (USB Attached SCSI Protocol) | Not the same as UAS! |
References:
Notations
[JSON \-/ CBOR] JSON/CBOR conversion [HTTP \-/ CoAP] HTTP/CoAP proxy/interworking [(TLS) |(DTLS)] Optional layers [TCP | UDP] TCP and UDP layers [IPv4 / IPv6] Either IPv4 or IPv6 [Eth. \-/ Wifi] Ethernet/Wifi bridge [STUN¦app ] STUN and and some application protocol used together between the same peers [HTTP+WebDAV ] HTTP with WebDAV [TLS + PSK ] TLS with PSK key exchange [ - ] Empty layer, not a protocol layer [app. ] Some undefined application layer [... ] Some protocol layer(s) <-----> Bidirectional communications <----->o Client/server relation, etc. ------> One-way communications <=====> Protected communications (usually both confidentiality and integrity) <=-=-=> Integrity-protected communications (possibly with anti-replay protection) K Interface name
References
Assignments:
- Hypertext Transfer Protocol (HTTP) Upgrade Token Registry
- TLS Application-Layer Protocol Negotiation (ALPN) Protocol IDs
- SSH Connection Protocol Subsystem Names
- Assigned Internet Protocol Numbers
- Service Name and Transport Protocol Port Number Registry
- PPP DLL Protocol Numbers
- L2TPv3 Pseudowire Types
- EtherTypes
- Logical Link Control (LLC) Public Listing
- SCTP Payload Protocol Identifiers
- TLS exporter labels
- SIP Table of Mappings From Service Field Values to Transport Protocols
- Simple Authentication and Security Layer (SASL) Mechanisms
- Network Layer Protocol Identifiers (NLPIDs) of Interest
- SDP proto
- PPP Authentication Algorithms
- Session Description Protocol (SDP) Parameters ~ proto
DNS:
- RFC9539, Unilateral Opportunistic Deployment of Encrypted Recursive‑to‑Authoritative DNS
Samples:
- SampleCaptures from the WireShark website
Misc:
- EventHelix, has a lot of nice sequence diagrams and other useful information
- RF Wireless World Tutorial
- USB Document Library