Protocol stack diagrams
Layers all the way down
A collection of ASCII-art protocol stack diagrams.
They can be used as a base for doing quick diagrams. Feel free to copy/reuse/adapt them for your own purpose. These diagrams are released as CC0 (“No Rights Reserved”).
Concepts
Layers, PDUs and SDUs:
```
                  N+1 PDU
[N+1 Layer]<----------------->[N+1 Layer]
     ↑                             ↑
     |                             |  N+1 SDU
     ↓                             ↓
     o  N PDU                      o  N SAP
[N Layer  ]<----------------->[N Layer  ]
     ↑                             ↑
     |                             |  N SDU
     ↓                             ↓
     o  N-1 PDU                    o  N-1 SAP
[N-1 Layer]<----------------->[N-1 Layer]
```
Switches, bridges/hubs, routers, proxy:
```
[app.    ]<------------------------------------------------>[app.]<-->[app.]
[TCP     ]<------------------------------------------------>[TCP ]<-->[TCP ]
[IP      ]<------------------------------>[IP          ]<-->[IP  ]<-->[IP  ]
[Eth. MAC]<---------------->[Eth. MAC]<-->[Eth. MAC|...]<-->[... ]<-->[... ]
[Eth. PHY]<-->[Eth. PHY]<-->[Eth. PHY]<-->[Eth. PHY|...]<-->[... ]<-->[... ]
              Hub           Switch/bridge Router            Proxy
```
OSI
```
L7 [Application ]<-------------------------------->[Application ]
L6 [Presentation]<-------------------------------->[Presentation]
L5 [Session     ]<-------------------------------->[Session     ]
L4 [Transport   ]<-------------------------------->[Transport   ]
L3 [Network     ]<-->[Network  ]<-->[Network  ]<-->[Network     ]
L2 [Data link   ]<-->[Data link]<-->[Data link]<-->[Data link   ]
L1 [Physical    ]<-->[Physical ]<-->[Physical ]<-->[Physical    ]
```
IP
IPv4
```
[          (DHCP)|DNS|app|DNS|app]
[ICMP|IGMP|UDP           |TCP    ]
[IPv4                        |ARP]
```
Protocol | SAP | Description |
---|---|---|
ICMP (Internet Control Message Protocol) | IP proto. 1 | |
ARP (Address Resolution Protocol) | EtherType 0x0806 | Used for non-point-to-point networks. |
DHCP (Dynamic Host Configuration Protocol) | UDP 67 (server) UDP 68 (client) | |
IGMP (Internet Group Management Protocol) | IP proto. 2 | Support for multicast |
IP model:
```
[app.]<--------------------------------->[app.]  (end to end)
[TCP ]<--------------------------------->[TCP ]  (end to end)
[IP  ]<--->[IP ]<--->[IP ]<--->[IP ]<--->[IP  ]
[... ]<--->[...]<--->[...]<--->[...]<--->[... ]  (local network layers)
           Router    Router    Router
```
IPv6
```
[               (DHCPv6)|DNS|app|DNS|app]
[ICMPv6+NDP+MLD|UDP            |TCP     ]
[IPv6                                   ]
```
Protocol | SAP | Description |
---|---|---|
ICMPv6 | IP next header 0x58 | |
NDP | IP next header 0x58 | Part of ICMPv6. Replaces ARP in IPv6. |
DHCPv6 | UDP 546 (client) UDP 547 (server) | Usually NDP is used instead for address allocation, routes, DNS configuration, etc. |
MLD (Multicast Listener Discovery) | IP next header 0x58 | Part of ICMPv6. Replaces IGMP in IPv6. |
IP Transport protocols
```
                                              [app.]
                                       [app.] [SCTP] [app.    ]
[app.] [app.] [app.    ] [app.] [app.] [SCTP] [DTLS] [QUIC|TLS]
[TCP ] [UDP ] [UDP-lite] [DCCP] [SCTP] [UDP ] [UDP ] [UDP     ]
[IP  ] [IP  ] [IP      ] [IP  ] [IP  ] [IP  ] [IP  ] [IP      ]
 TCP    UDP    UDP-lite   DCCP   SCTP   SCTP   SCTP   QUIC
                                        /UDP   /DTLS
```
Protocol | Protocol number | Description |
---|---|---|
TCP | 6 | Connection oriented, stream-based, checksums, connection control. |
UDP | 17 | Unreliable datagrams. Checksums (can be disabled in IPv4). |
UDP-lite | 136 | Unreliable datagrams. Allows for partial checksums. |
DCCP | 33 | Connection oriented, unreliable datagrams, with congestion control. |
SCTP | 132 | Message-based (fragmentation, reliable, ordered), multiple-streams multiplexing over a single connection. Initially designed for PSTN signaling over IP. |
SCTP over UDP | - | Useful for NAT traversal and userspace implementations of SCTP. |
SCTP over DTLS | - | Used by WebRTC for transporting data channels. |
QUIC | - | Protected communications (relies on TLS for the handshake). Multiplexing of multiple streams per QUIC connection. Used by HTTP/3. |
Applications layers
DNS
```
                                                      [DNS       ]
                 [DNS    ]        [DNS       ]        [Obliv. DNS]
       [DNS    ] [framing] [DNS ] [HTTP      ] [DNS ] [HTTP      ]
[DNS ] [framing] [TLS    ] [DTLS] [TLS / QUIC] [QUIC] [TLS / QUIC]
[UDP ] [TCP    ] [TCP    ] [UDP ] [TCP / UDP ] [UDP ] [TCP / UDP ]
[IP  ] [IP     ] [IP     ] [IP  ] [IP        ] [IP  ] [IP        ]
 “Do53” “Do53”    “DoT”            “DoH”        “DoQ”  “ODoH”
 DNS    DNS       DNS       DNS    DNS          DNS    Oblivious DNS
 over   over      over      over   over         over   over
 UDP    TCP       TLS       DTLS   HTTPS        QUIC   HTTPS
```
Protocol | Port | ALPN | Description |
---|---|---|---|
DNS over UDP (Do53) | UDP 53 | - | General DNS traffic. |
DNS over TCP (Do53) | TCP 53 | - | Usually used when messages are too long for UDP. |
DNS framing | - | - | When used on top of TCP or TLS, each DNS message is prefixed with a length field (2 bytes). |
DNS over TLS (DoT) | TCP 853 | "dot" | DNS privacy. |
DNS over DTLS | (UDP 853) | - | DNS privacy. Not used in practice, deprecated in favor of DoQ. |
DNS over HTTPS (DoH) | TCP 443 | "http/1.1", "h2", "h3", etc. | DNS privacy. One HTTP request per request/response pair. |
DNS over QUIC (DoQ) | UDP 853 | "doq" | DNS privacy. One QUIC stream per request/response pair. |
Oblivious DNS over HTTPS (ODoH) | TCP/UDP 443 | "http/1.1", "h2", "h3", etc. | More DNS privacy. |
Oblivious DNS over HTTPS:
```
[DNS       ]<--------------------->o[DNS           ]<---->o[DNS]
[Obliv. DNS]<=====================>o[Obliv. DNS|-  ]
[HTTP      ]<--->o[HTTP      ]<--->o[HTTP      |-  ]
[TLS / QUIC]<===>o[TLS / QUIC]<===>o[TLS / QUIC|-  ]
[TCP / UDP ]<--->o[TCP / UDP ]<--->o[TCP / UDP |...]<----->[...]
[IP        ]<---->[IP        ]<---->[IP            ]<----->[IP ]
 Oblivious         Oblivious         Oblivious
 Client            Relay             Target
```
HTTP
```
                    [HTTP/1.x] [HTTP/2] [HTTP/3|TLS]
[HTTP/1.x] [HTTP/2] [TLS     ] [TLS   ] [QUIC      ]
[TCP     ] [TCP   ] [TCP     ] [TCP   ] [UDP       ]
[IP      ] [IP    ] [IP      ] [IP    ] [IP        ]
 HTTP/1.x   HTTP/2   HTTP/1.x   HTTP/2   HTTP/3
 w/o TLS             over TLS   over TLS (over QUIC)
            "h2c"               "h2"     "h3"
 (HTTP)     (HTTP)   (HTTPS)    (HTTPS)  (HTTPS)
```
Protocol | Port | TLS ALPN | HTTP Upgrade | Description |
---|---|---|---|---|
HTTP/1.x without TLS | TCP 80 | - | - | Text protocol. |
HTTP/1.x over TLS (HTTPS) | TCP 443 | "http/1.1", "http/1.0" | - | |
HTTP/2 without TLS | TCP 80 | - | "h2c" | HTTP/2 without TLS is not widely supported and is deprecated. |
HTTP/2 over TLS (HTTPS) | TCP 443 | "h2" | - | Binary protocol. Prevents head-of-line (HOL) blocking at the HTTP layer by multiplexing multiple requests/responses over the same connection, but HOL blocking is still present at the TCP layer. |
HTTP/3 over QUIC (HTTPS) | UDP 443 | "h3" | - | Binary protocol. Prevents HOL blocking between streams of the same connection (which was happening at the TCP layer with HTTP/2) by replacing TCP by UDP. Encryption/integrity provided by QUIC. TLS used for the handshake (ciphersuite negotiation, authentication, key exchange, etc.). |
WebSocket
```
[WebSocket] [WebSocket] [WebSocket]
[HTTP/1.x ] [HTTP/2   ] [HTTP/3   ]
[(TLS)    ] [(TLS)    ] [QUIC     ]
[TCP      ] [TCP      ] [UDP      ]
[IP       ] [IP       ] [IP       ]
 WebSocket   WebSocket   WebSocket
 (HTTP/1.x)  (HTTP/2)    (HTTP/3)
```
Notes:
- with HTTP/1, an HTTP upgrade (`GET`) is used to upgrade the HTTP connection into a WebSocket connection;
- with HTTP/2, an HTTP/2 upgrade (extended `CONNECT`) is used to upgrade the HTTP/2 stream into a WebSocket stream;
- with HTTP/3, an HTTP/3 upgrade (extended `CONNECT`) is used to upgrade the HTTP/3 stream into a WebSocket stream.
References:
- WebSocket JS API (W3C)
- WebSocket JS API (MDN)
HTTP Datagrams
```
[datagram ] [datagram ] [    datagram     ]
[Capsule  ] [Capsule  ] [Capsule |-       ]
[HTTP/1.x ] [HTTP/2   ] [HTTP/3  |H3 dgram]
[(TLS)    ] [(TLS)    ] [QUIC +dgram      ]
[TCP      ] [TCP      ] [UDP              ]
[IP       ] [IP       ] [IP               ]
 HTTP        HTTP        HTTP
 Datagrams   Datagrams   Datagrams
 (HTTP/1.x)  (HTTP/2)    (HTTP/3)
```
HTTP datagrams are unreliable datagrams, associated with an HTTP upgrade, transported over an HTTP connection. After an upgrade to the Capsule protocol, they can be sent
- either as part of the HTTP stream, in DATAGRAM capsules,
- or in QUIC datagrams (HTTP/3 Datagrams), if supported by the peer.
HTTP datagrams are currently used for:
- UDP in HTTP (RFC 9298);
- IP in HTTP (RFC 9484);
- Ethernet in HTTP (draft);
- WebTransport datagrams.
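As an added example (not code from the page or from any project), the Capsule framing described above together with the QUIC variable-length integer it relies on: DATAGRAM capsules (type 0x00, RFC 9297) on the HTTP stream, and the Quarter Stream ID prefix used when the same HTTP Datagram payload travels in a QUIC datagram. All sample bytes are constructed; the capsule type 0x2a stands in for any unknown type.

```python
"""Capsule protocol (RFC 9297) framing for HTTP Datagrams, both carriers.
Added example; not code from the page or any project."""

DATAGRAM_CAPSULE = 0x00  # capsule type registered by RFC 9297


def encode_varint(value: int) -> bytes:
    """QUIC variable-length integer (RFC 9000 section 16): 1, 2, 4 or 8 bytes."""
    if value < 0 or value >= 1 << 62:
        raise ValueError("value out of varint range")
    if value < 1 << 6:
        return value.to_bytes(1, "big")
    if value < 1 << 14:
        return (value | 0x4000).to_bytes(2, "big")
    if value < 1 << 30:
        return (value | 0x80000000).to_bytes(4, "big")
    return (value | 0xC000000000000000).to_bytes(8, "big")


def decode_varint(data: bytes, offset: int = 0) -> tuple[int, int]:
    """Return (value, new_offset); raise instead of reading past the buffer."""
    if offset >= len(data):
        raise ValueError("truncated varint")
    length = 1 << (data[offset] >> 6)  # top two bits select the encoded length
    if offset + length > len(data):
        raise ValueError("truncated varint")
    raw = int.from_bytes(data[offset:offset + length], "big")
    return raw & ((1 << (8 * length - 2)) - 1), offset + length


def encode_capsule(capsule_type: int, value: bytes) -> bytes:
    """Capsule { Type (i), Length (i), Value (..) }."""
    return encode_varint(capsule_type) + encode_varint(len(value)) + value


def decode_capsules(stream: bytes) -> list[tuple[int, bytes]]:
    """Parse a run of capsules. Unknown types are returned, not rejected:
    RFC 9297 requires endpoints to skip capsules they do not understand,
    so a parser that aborts on them would break extensibility."""
    out: list[tuple[int, bytes]] = []
    offset = 0
    while offset < len(stream):
        ctype, offset = decode_varint(stream, offset)
        length, offset = decode_varint(stream, offset)
        if offset + length > len(stream):
            raise ValueError("capsule value truncated")  # never trust the declared length
        out.append((ctype, stream[offset:offset + length]))
        offset += length
    return out


def datagram_payloads(stream: bytes) -> list[bytes]:
    """HTTP Datagram payloads carried on the HTTP stream (other capsule types ignored)."""
    return [value for ctype, value in decode_capsules(stream) if ctype == DATAGRAM_CAPSULE]


def encode_h3_datagram(stream_id: int, payload: bytes) -> bytes:
    """HTTP/3 datagram as placed in a QUIC DATAGRAM frame: Quarter Stream ID + payload.
    Client-initiated bidirectional streams have IDs divisible by 4, hence the division."""
    if stream_id % 4:
        raise ValueError("HTTP Datagrams are bound to client-initiated bidirectional streams")
    return encode_varint(stream_id // 4) + payload


def decode_h3_datagram(frame: bytes) -> tuple[int, bytes]:
    """Inverse of encode_h3_datagram: returns (request stream ID, payload)."""
    quarter_id, offset = decode_varint(frame)
    return quarter_id * 4, frame[offset:]


def sample_stream() -> bytes:
    """Constructed sample: two DATAGRAM capsules around one unknown-type capsule."""
    return (encode_capsule(DATAGRAM_CAPSULE, b"\x00hello")
            + encode_capsule(0x2A, b"ignored")            # hypothetical unknown type
            + encode_capsule(DATAGRAM_CAPSULE, b"\x00" + bytes(300)))


if __name__ == "__main__":
    print(datagram_payloads(sample_stream())[0])
    print(decode_h3_datagram(encode_h3_datagram(8, b"\x00hello")))
```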
HTTP CONNECT proxy
Without HTTP/3 datagrams:
```
                            [application     ]
              [application] [IP              ] [application] [Eth. MAC   ]
              [UDP prox.  ] [IP prox.|config.] [UDP-l prox.] [Eth. prox. ]
[application] [HTTP Datag.] [Capsule         ] [HTTP Datag.] [HTTP Datag.]
[HTTP       ] [HTTP       ] [HTTP            ] [HTTP       ] [HTTP       ]
[(TLS)/ QUIC] [(TLS)/ QUIC] [(TLS) / QUIC    ] [(TLS)/ QUIC] [(TLS)/ QUIC]
[TCP / UDP  ] [TCP / UDP  ] [TCP / UDP       ] [TCP / UDP  ] [TCP / UDP  ]
[IP         ] [IP         ] [IP              ] [IP         ] [IP         ]
 TCP in HTTP   UDP in HTTP   IP in HTTP         UDP-listen    Ethernet
                                                in HTTP       in HTTP
```
With HTTP/3 datagrams:
```
[app.            ] [config.|IP      ] [application     ] [Eth. MAC        ]
[UDP prox.       ] [Capsule|IP prox.] [UDP-listen prox.] [Eth. prox.      ]
[HTTP/3|H3 dgram ] [HTTP/3 |H3 dgram] [HTTP/3|H3 dgram ] [HTTP/3|H3 dgram ]
[QUIC +dgram     ] [QUIC +dgram     ] [QUIC +dgram     ] [QUIC +dgram     ]
[UDP             ] [UDP             ] [UDP             ] [UDP             ]
[IP              ] [IP              ] [IP              ] [IP              ]
 UDP in HTTP/3      IP in HTTP/3       UDP-listen in      Ethernet in
 datagrams          datagrams          HTTP/3 datagrams   HTTP/3 datagrams
```
Protocol | Upgrade token | Default URI template |
---|---|---|
Proxy TCP in HTTP (classic) (/1.x, /2, /3) | - | - |
Proxy TCP in HTTP (template-based) | "connect-tcp" | /.well-known/masque/tcp/{target_host}/{tcp_port}/ |
Proxy UDP in HTTP | "connect-udp" | /.well-known/masque/udp/{target_host}/{target_port}/ |
Proxy UDP listen in HTTP | "connect-udp-listen" | /.well-known/masque/udp/{target_host}/{target_port}/ |
Proxy IP in HTTP | "connect-ip" | /.well-known/masque/ip/{target}/{ipproto}/ |
Proxy Ethernet in HTTP | "connect-ethernet" | (/.well-known/masque/ethernet/) |
WebTransport
```
[streams|datagrams] [streams|datagrams  ]
[-      |Capsule  ] [-      |Capsule|-  ]
[HTTP/2           ] [HTTP/3 |H3 dgram.  ]
[TLS              ] [QUIC (+dgram)      ]
[TCP              ] [UDP                ]
[IP               ] [IP                 ]
 WebTransport        WebTransport
 (HTTP/2)            (HTTP/3)
```
Features:
- multiple (reliable) streams per WebTransport session;
- datagrams can be exchanged over a WebTransport session;
- multiple WebTransport sessions may be multiplexed over a single transport (e.g. an HTTP/2 or HTTP/3 connection).
Notes:
- With HTTP/2, after an extended CONNECT, all streams and datagrams of the WebTransport instance are transported over a single HTTP/2 stream.
- With HTTP/3, after an extended CONNECT, each WebTransport stream is transported over a different QUIC stream and WebTransport datagrams are sent as HTTP/3 (QUIC) datagrams.
- No specification for WebTransport over HTTP/1.
References:
- WebTransport JS API (W3C)
- WebTransport JS API (MDN)
File Transfer
```
[FTP  ] [SFTP] [HTTP+WebDAV ]        [SMB ]
[(TLS)] [SSH ] [(TLS) / QUIC] [SMB ] [QUIC] [NFS]
[TCP  ] [TCP ] [TCP / UDP   ] [TCP ] [UDP ] [TCP]
[IP   ] [IP  ] [IP          ] [IP  ] [IP  ] [IP ]
 FTP     SFTP   WebDAV         SMB    SMB    NFSv4
                                      /QUIC
```
Protocol | Port | Description |
---|---|---|
FTP (File Transfer Protocol) | TCP/21 (control) TCP/20 (data) | |
FTP over TLS | TCP/900 (control) TCP/989 (data) | |
WebDAV | TCP/80 (HTTP) | Extension of HTTP for remote resource (file) operation. |
WebDAV Secure | TCP/443 UDP/443 | WebDAV with HTTPS. |
SFTP (SSH File Transfer Protocol) | TCP/22 (SSH) | File transfer over SSH. Not related to FTP! This is not FTP over TLS! |
NFS v4 (Network File System) | TCP/2049 | |
SMB over IP (modern) | TCP/445 | Windows file sharing. |
SMB over NetBIOS over TCP (SMB/NBT) | TCP/139 | Windows file sharing over legacy Windows network protocols. |
SMB over QUIC | UDP/443 | |
Notes:
- SFTP uses "sftp" as SSH subsystem.
- SMB over QUIC uses "smb" as ALPN.
LDAP
```
[LDAP       ]
[(SASL sec.)]
[(TLS)      ]
[TCP        ]
[IP         ]
 LDAP
```
UPnP
```
             [Device/service desc.] [SOAP/1.1] [UPnP event] [UPnP event]
             [XML                 ] [XML     ] [XML       ] [XML       ]
[HTTP+SSDP ] [HTTP                ] [HTTP    ] [HTTP+GENA ] [HTTP+GENA ]
[UDP       ] [TCP                 ] [TCP     ] [TCP       ] [UDP       ]
[IP (mcast)] [IP                  ] [IP      ] [IP        ] [IP (mcast)]
 Service      Service               Control    Eventing     Eventing
 Discovery    Description           (RPC)      (unicast)    (multicast)
```
CoAP
```
                  [CoAP        ]
                  [WebSocket   ]
[CoAP  ] [CoAP ]  [HTTP        ]
[(DTLS)] [(TLS)]  [(TLS / DTLS)]
[UDP   ] [TCP  ]  [TCP / UDP   ]
[IP    ] [IP   ]  [IP          ]
 CoAP     CoAP     CoAP/WS(S)
          /TCP
```
Protocol | URI scheme | Port | ALPN | WebSocket protocol |
---|---|---|---|---|
CoAP over UDP | coap: | UDP 5683 | - | - |
CoAP over DTLS | coaps: | UDP 5684 | coap | - |
CoAP over TCP | coap+tcp: | TCP 5683 | - | - |
CoAP over TLS | coaps+tcp: | TCP 5684 | coap | - |
CoAP over WebSocket | coap+ws: | (80, HTTPS) | - | coap |
CoAP over WebSocket over TLS | coaps+ws: | (443, HTTPS) | (http/1.x, …) | coap |
Notes:
- CoAP over TCP and TLS use a modified message format compared to CoAP/UDP;
- CoAP over WebSocket uses yet another message format.
Multimedia
SIP, RTP, RTSP
Signaling:
```
                                      [SDP      ]
                                      [(S/MIME) ]
                           [SDP     ] [SIP      ]
[SDP  ] [SDP             ] [(S/MIME)] [WebSocket]
[RTSP ] [(S/MIME)        ] [SIP     ] [HTTP     ]
[(TLS)] [SIP             ] [TLS     ] [(TLS)    ]
[TCP  ] [UDP / TCP / SCTP] [TCP     ] [TCP      ]
[IP   ] [IP              ] [IP      ] [IP       ]
 RTSP    SIP                SIP-TLS    SIP/WebSocket
```
RTP (media transport):
```
[A/V     ] [A/V       ] [A/V            ] [A/V            ]
[RTP|RTCP] [SRTP|SRTCP] [DTLS|SRTP|SRTCP] [ZRTP|SRTP|SRTCP]
[UDP     ] [UDP       ] [UDP            ] [UDP            ]
[IP      ] [IP        ] [IP             ] [IP             ]
 RTP, RTCP  SRTP, SRTCP  DTLS-SRTP         ZRTP
```
Alternative transports for RTP:
```
             [A/V      ] [A/V      ]
[A/V      ]  [RTP|RTCP  |RTP|RTCP  ]
[RTP|RTCP ]  [RoQ stream|RoQ Datag.]
[framing  ]  [QUIC                 ]
[TCP      ]  [UDP                  ]
[IP       ]  [IP                   ]
 RTP over TCP RTP over QUIC (RoQ)
```
Protocol | Port | Description |
---|---|---|
RTSP (Real Time Streaming Protocol) | TCP 554 | Controls RTP streams (PLAY/PAUSE, etc.) |
RTSPS (Secure RTSP) | TCP 322 | RTSP over TLS |
SIP (Session Initiation Protocol) | TCP 5060 UDP 5060 SCTP 5060 | |
SIP over TLS | TCP 5061 | |
SIP over WebSocket | TCP 80 TCP or UDP 443 | |
Protocol | Description |
---|---|
RTP | Transport A/V streams |
RTCP | Flow/congestion control for RTP |
SRTP and SRTCP | |
DTLS-SRTP | DTLS handshake (with mutual authentication) for keying SRTP (and SRTCP). |
ZRTP | Diffie-Hellman key exchange on the same port as SRTP. |
S/MIME | May be used in SIP to provide end-to-end protection of SDP content |
Framing for RTP | When used over TCP, each RTP or RTCP packet is prefixed with a length field (2 bytes). |
RTP-MIDI | Send MIDI 1 data over RTP |
RTP-over-QUIC (RoQ) | |
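The 2-byte length prefix used by RTP and RTCP over TCP is the same framing the DNS section describes for DNS over TCP/TLS, so one added example (not code from the page or any project) serves both: a framer plus a stream deframer that copes with TCP reads ending inside a length field or a message. The DNS query and RTP header below are constructed sample bytes, not captured traffic.

```python
"""Two-byte big-endian length-prefix framing (DNS over TCP/TLS, RTP/RTCP over TCP).
Added example; not code from the page or any project."""
import struct

MAX_FRAME = 0xFFFF  # the largest length a 2-byte field can carry


def frame(message: bytes) -> bytes:
    """Prefix one message with its 16-bit big-endian length."""
    if not 0 < len(message) <= MAX_FRAME:
        raise ValueError(f"message length {len(message)} not representable in a 2-byte frame")
    return struct.pack("!H", len(message)) + message


class Deframer:
    """Reassembles length-prefixed messages from an arbitrarily chunked byte stream.

    A TCP or TLS read returns whatever is available: half a message, several
    messages, or a message plus the first byte of the next length field. The
    buffer carries the leftover across reads so no boundary is ever guessed.
    """

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> list[bytes]:
        """Append received bytes and return every message that is now complete."""
        self._buf.extend(chunk)
        messages: list[bytes] = []
        while len(self._buf) >= 2:
            (length,) = struct.unpack("!H", self._buf[:2])
            if length == 0:
                # Neither an empty DNS message nor an empty RTP packet is valid;
                # accepting it would desynchronise the stream, so fail loudly.
                raise ValueError("zero-length frame")
            if len(self._buf) < 2 + length:
                break  # wait for the rest of this message
            messages.append(bytes(self._buf[2:2 + length]))
            del self._buf[:2 + length]
        return messages

    def pending(self) -> int:
        """Bytes buffered that do not yet form a complete frame."""
        return len(self._buf)


# Constructed sample data.
# Minimal DNS query: ID 0x1234, flags RD, QDCOUNT 1, QNAME example.com, QTYPE A, QCLASS IN.
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01")
# Minimal RTP packet: V=2, PT=96, seq 1, timestamp 0, SSRC 0xdeadbeef, 4 payload bytes.
RTP_PACKET = (b"\x80\x60\x00\x01" + b"\x00\x00\x00\x00"
              + b"\xde\xad\xbe\xef" + b"\xaa\xbb\xcc\xdd")


def roundtrip(messages: list[bytes], chunk_size: int) -> list[bytes]:
    """Frame the messages, then feed the stream back in chunks of chunk_size bytes."""
    stream = b"".join(frame(m) for m in messages)
    deframer = Deframer()
    out: list[bytes] = []
    for i in range(0, len(stream), chunk_size):
        out.extend(deframer.feed(stream[i:i + chunk_size]))
    if deframer.pending():
        raise ValueError("stream ended inside a frame")
    return out


if __name__ == "__main__":
    for size in (1, 3, 7, 1000):
        assert roundtrip([DNS_QUERY, RTP_PACKET, DNS_QUERY], size) == [DNS_QUERY, RTP_PACKET, DNS_QUERY]
    print("length-prefix framing round-trips at every chunk size")
```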
Notes:
- RTCP usually uses the next (odd) UDP port after the (even) one used by RTP. Nowadays, they tend to be multiplexed over the same port.
- DTLS-SRTP uses a DTLS handshake with mutual authentication and the `use_srtp` extension for key exchange, then switches to SRTP/SRTCP on the same port.
- The SRTP keys are exported from DTLS (using the "EXTRACTOR-dtls_srtp" exporter label).
- RTP-over-QUIC uses "rtp-mux-quic" for ALPN.
Message multiplexing:
- A mix of (S)RTP, (S)RTCP, STUN, ZRTP and DTLS messages can be multiplexed over the same channel.
- RTP and RTCP can be distinguished using the M and PT fields.
- ZRTP messages can be distinguished from (S)RTP messages because their first two bits are zero.
- ZRTP messages can be distinguished from STUN messages because they use different magic cookies.
- See RFC 5764 section 5.1.2 for demultiplexing of DTLS, RTP/RTCP and STUN packets.
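An added example (not code from the page or any project) of the demultiplexing the list above describes, following RFC 5764 section 5.1.2 as updated by RFC 7983 for the first-byte ranges, the RFC 5761 payload-type rule for RTP versus RTCP, and the magic-cookie checks that separate STUN from ZRTP. The same classifier applies to the WebRTC bundle of STUN, DTLS and SRTP/SRTCP on one port. All sample packets are constructed headers.

```python
"""First-byte demultiplexing of STUN, ZRTP, DTLS, TURN ChannelData, RTP and RTCP
sharing one UDP port (RFC 5764 5.1.2 / RFC 7983). Added example; not from the page."""

STUN_MAGIC_COOKIE = b"\x21\x12\xa4\x42"   # RFC 5389, bytes 4..8 of every STUN message
ZRTP_MAGIC_COOKIE = b"\x5a\x52\x54\x50"   # "ZRTP" (RFC 6189), same offset in ZRTP packets


def classify(packet: bytes) -> str:
    """Return "stun", "zrtp", "dtls", "turn-channel", "rtp", "rtcp" or "unknown"."""
    if len(packet) < 2:
        return "unknown"
    first = packet[0]
    if 0 <= first <= 3:
        # STUN: top two bits zero. Confirm with the magic cookie so a stray packet
        # that merely starts with a small byte is not handed to the STUN parser.
        return "stun" if len(packet) >= 8 and packet[4:8] == STUN_MAGIC_COOKIE else "unknown"
    if 16 <= first <= 19:
        # ZRTP also starts with two zero bits (0x10..0x13); its own magic cookie
        # at the same offset tells it apart from STUN.
        return "zrtp" if len(packet) >= 8 and packet[4:8] == ZRTP_MAGIC_COOKIE else "unknown"
    if 20 <= first <= 63:
        return "dtls"           # DTLS record content types (e.g. 22 = handshake)
    if 64 <= first <= 79:
        return "turn-channel"   # TURN ChannelData, channel numbers 0x4000..0x4FFF
    if 128 <= first <= 191:
        # RTP and RTCP share version 2 in the top bits. RFC 5761: a payload type
        # (second byte with the marker bit cleared) in 64..95 means RTCP, which is
        # why those PT values are never assigned to RTP.
        return "rtcp" if 64 <= (packet[1] & 0x7F) <= 95 else "rtp"
    return "unknown"


# Constructed sample packets (headers only).
SAMPLES = {
    "stun": b"\x00\x01\x00\x00" + STUN_MAGIC_COOKIE + bytes(12),       # Binding Request
    "zrtp": b"\x10\x00\x00\x01" + ZRTP_MAGIC_COOKIE + bytes(4),        # ZRTP header
    "dtls": b"\x16\xfe\xfd" + bytes(11),                                # DTLS 1.2 handshake record
    "turn-channel": b"\x40\x01\x00\x04" + b"\xde\xad\xbe\xef",         # ChannelData 0x4001
    "rtp": b"\x80\x60\x00\x01" + bytes(8),                              # V=2, PT=96
    "rtcp": b"\x80\xc8\x00\x06" + bytes(24),                            # V=2, PT=200 (SR)
    "unknown": b"\x00\x01\x00\x00" + bytes(4) + bytes(12),              # STUN-shaped, wrong cookie
}


def demux(packets: list[bytes]) -> dict[str, int]:
    """Count packets per protocol, as a dispatcher or a detector would before parsing."""
    counts: dict[str, int] = {}
    for p in packets:
        kind = classify(p)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for expected, packet in SAMPLES.items():
        assert classify(packet) == expected, (expected, classify(packet))
    print(demux(list(SAMPLES.values())))
```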
WebRTC
```
[DCEP|data. chan.      ] [DCEP|data. chan.      ]
[SCTP |A/V             ] [SCTP |A/V             ]
[STUN|mDTLS |SRTP|SRTCP] [STUN|mDTLS |SRTP|SRTCP]
                         [framing               ] [SDP     ]
[UDP (+ ICE)           ] [TCP (+ ICE)           ] [anything]
[IP (+ ICE)            ] [IP (+ ICE)            ]
 WebRTC over UDP          WebRTC over TCP          WebRTC Signaling
```
Type of payloads:
```
                                                                        [DCEP|data chan.      ]
                         [DCEP|data chan.      ]  [A/V                  ]  [SCTP                 ]
[A/V                  ]  [SCTP                 ]  [STUN|mDTLS|SRTP|SRTCP]  [STUN|mDTLS           ]
[STUN|mDTLS|SRTP|SRTCP]  [STUN|mDTLS           ]  [framing              ]  [framing              ]
[UDP (+ ICE)          ]  [UDP (+ICE)           ]  [TCP (+ ICE)          ]  [TCP (+ICE)           ]
[IP (+ ICE)           ]  [IP (+ICE)            ]  [IP (+ ICE)           ]  [IP (+ICE)            ]
 WebRTC A/V streams       WebRTC Data Channel      WebRTC A/V streams       WebRTC Data Channel
 (DTLS-SRTP)              (SCTP/DTLS)              (DTLS-SRTP)              (SCTP/DTLS)
 proto=UDP/TLS/RTP/SAVPF  proto=UDP/DTLS/SCTP      proto=TCP/TLS/RTP/SAVPF  proto=TCP/DTLS/SCTP
```
Example WebRTC stack with TURN tunneling:
```
[DCEP|data. chan.      ]
[SCTP |A/V             ]
[STUN|mDTLS |SRTP|SRTCP]
[TURN                  ]
[(DTLS)                ]
[UDP                   ]
[IP                    ]
 WebRTC with TURN tunnel
```
WebRTC Payload type | SCTP PPID | Description |
---|---|---|
SRTP-DTLS | - | |
DCEP (Data Channel Establishment Protocol) | 50 | Used to create WebRTC data channels. |
WebRTC String | 51 | |
WebRTC Binary | 53 | |
WebRTC Empty String | 56 | |
WebRTC Empty Binary | 57 | |
Notes:
- In WebRTC, the DTLS peers authenticate based on X.509 certificates exchanged through the signaling protocol (e.g. in the `identity` SDP attribute).
- The DCEP `DATA_CHANNEL_OPEN` message may specify a protocol identifier (from the WebSocket subprotocol registry) to be used on this channel.
- See RFC 5764 section 5.1.2 for demultiplexing of DTLS, RTP/RTCP and STUN packets.
- RTP/SAVPF combines RTP/SAVP (i.e. using SRTP) and RTP/AVPF (i.e. with RTCP-based Feedback).
References:
- WebRTC Protocol Layers
- WebRTC For The Curious
- RFC 8834, Media Transport and Use of RTP in WebRTC
- RFC 8827, WebRTC Security Architecture
- RFC 8835, Transports for WebRTC
- Replacing WebRTC
Security Layers
TLS
TLS sublayers:
```
[Handshake | ChangeCipherSpec | Alert | Application]
[TLS Record Protocol: fragmentation                ] [Handshake | Alert | Application       ]
[TLS Record Protocol: compression                  ] [TLS Record Protocol: fragmentation    ]
[TLS Record Protocol: record protection            ] [TLS Record Protocol: record protection]
[Transport layer                                   ] [Transport layer                       ]
 TLS v1.2                                             TLS v1.3
```
Some protocol stacks using TLS:
```
                                                            [mTLS   ]
[HTTP] [HTTP/3|TLS] [SMTP] [IMAP] [TLS|IP / Eth.] [EAP-TLS] [mTLS   ]
[TLS ] [QUIC      ] [TLS ] [TLS ] [OpenVPN      ] [EAP    ] [EAP-TLS]
[TCP ] [UDP       ] [TCP ] [TCP ] [TCP / UDP    ] [EAPOL  ] [EAP    ]
[IP  ] [IP        ] [IP  ] [IP  ] [IP           ] [Wifi   ] [PPP    ]
 HTTPS  HTTPS        SMTPS  IMAPS  OpenVPN         WPA2-EAP  PPP
        (HTTP/3)                                   with      with
                                                   EAP-TLS   EAP-TLS
```
TLS Subprotocols | Description |
---|---|
Underlying transport layer | e.g. TCP |
TLS Record Protocol: Record Protection | Encryption and message authentication (Cipher+MAC or AEAD). |
TLS Record Protocol: Compression | Message compression, if negotiated. Not available in TLS v1.3. |
TLS Record Protocol: Fragmentation | Subprotocol multiplexing and framing. |
TLS Handshake Protocol | TLS handshake (version/ciphersuite negotiation, authentication, key exchange, etc.). |
TLS ChangeCipherSpec | Enables communication protection for this direction. |
TLS Alert | Errors. |
Application Layer | e.g. HTTP, SMTP, etc. |
DTLS
Transports:
```
[app.] [app.] [app.]
[DTLS] [DTLS] [DTLS]
[UDP ] [SCTP] [DCCP]
[IP  ] [IP  ] [IP  ]
 DTLS   DTLS   DTLS
 over   over   over
 UDP    SCTP   DCCP
```
QUIC
```
[app.    ] [app. streams|app. dgrams]
[QUIC|TLS] [QUIC +dgram.       |TLS ]
[UDP     ] [UDP                     ]
[IP      ] [IP                      ]
 QUIC       QUIC with QUIC datagrams
```
Protocol | Description |
---|---|
QUIC | Protected transport. Provides multiple streams on top of a single connection. |
TLS | Used for the handshake (negotiation, keying) |
QUIC datagrams | Extension of QUIC for unreliable datagrams (not associated to any QUIC stream). |
QUIC is used by:
- HTTP/3 (mostly)
- SMB over QUIC
- RTP over QUIC (RoQ)
QUIC Datagrams are used by:
- HTTP/3 Datagrams (used by WebTransport and by UDP/IP/Ethernet proxying over HTTP/3)
SSH
```
[(GSS-API)|shell|command|forwarding            ]
[SSH Authentication Layer|SSH Connection Layer ]
[SSH Transport Layer                           ]
[TCP                                           ]
[IP                                            ]
```
Protocol | Description |
---|---|
GSS-API authentication for SSH | |
SSH sessions include:
SSH forwardings include:
- TCP/IP Port Forwarding;
- OpenSSH Tunnel forward extension (TUN/TAP);
- OpenSSH Unix domain socket forwarding.
Some applications:
- SFTP uses "sftp" as SSH subsystem.
VPNs and tunnels
IPSec
SA (Security Associations) establishment:
```
        [...  ]
        [EAP  ]
[IKEv2] [IKEv2]
[UDP  ] [UDP  ]
[IP   ] [IP   ]
 IKEv2   IKEv2
         w/ EAP
```
IPsec:
```
                                               [UDP|TCP|...] [IP ]
[UDP|TCP|...] [IP ] [UDP|TCP|...] [IP ]        [ESP        ] [ESP]
[AH         ] [AH ] [ESP        ] [ESP]        [UDP        ] [UDP]
[IP         ] [IP ] [IP         ] [IP ]        [IP         ] [IP ]
 AH            AH    ESP           ESP          ESP/UDP       ESP/UDP
 Transport     Tunnel Transport    Tunnel       Transport     Transport
```
Protocol | IP Protocol | Port | Notes |
---|---|---|---|
AH (Authentication Header) | 51 | - | integrity, data origin authentication, anti-replay (including the outer IP packet) |
ESP (Encapsulating Security Payload) | 50 | - | integrity, data origin authentication, anti-replay, confidentiality (of the payload) |
IKEv2 | - | UDP 500 | |
ESP over UDP (and IKEv2) | - | UDP 4500 | |
ESP transport mode:
```
[app.]<--------->[app.]
[TCP ]<--------->[TCP ]
[ESP ]<=========>[ESP ]
[IP  ]<--------->[IP  ]
 correspondent    correspondent
```
ESP tunnel mode:
```
[app.]<------------------------------->[app.]
[TCP ]<------------------------------->[TCP ]
[IP  ]<-------->[IP ]<----->[IP ]<---->[IP  ]
                [ESP]<=====>[ESP]
                [IP ]<----->[IP ]
 correspondent   Gateway     Gateway   correspondent
```
AH transport mode:
```
[app.]<--------->[app.]
[TCP ]<--------->[TCP ]
[AH  ]<--------->[AH  ]
[IP  ]<=-=-=-=-=>[IP  ]
 correspondent    correspondent
```
AH tunnel mode:
```
[app.]<---------------------------->[app.]
[TCP ]<---------------------------->[TCP ]
[IP  ]<-------->[IP]<----->[IP]<--->[IP  ]
                [AH]<----->[AH]
                [IP]<=-=-=>[IP]
 correspondent   Gateway    Gateway  correspondent
```
References:
- RFC 4301, Security Architecture for the Internet Protocol
VPNs
```
[IPv4|IPv6|(TLS)] [Eth. MAC|(TLS)] [IP       ] [IP / Eth. MAC]
[OpenVPN        ] [OpenVPN       ] [WireGuard] [SSH          ]
[TCP / UDP      ] [TCP / UDP     ] [UDP      ] [TCP          ]
[IP             ] [IP            ] [IP       ] [IP           ]
 OpenVPN IP        OpenVPN Ethernet WireGuard   OpenSSH tunnel
 (TUN mode)        (TAP mode)
```

```
                                       [IP      ]
[IP        ] [IP              ]        [PPP     ] [IP   ]
[Capsule   ] [Capsule|-       ]        [SSTP    ] [PPP  ]
[HTTP      ] [HTTP3 |H3 dgram.]        [HTTP    ] [HTTP ]
[(TLS)     ] [QUIC +dgram.    ]        [TLS     ] [TLS  ]
[TCP       ] [UDP             ]        [TCP     ] [TCP  ]
[IP        ] [IP              ]        [IP      ] [IP   ]
 IP in HTTP   IP in HTTP/3              MS-SSTP    FortiSSL
```
Protocol | Port |
---|---|
OpenVPN | UDP 1194, TCP 1194 |
WireGuard | UDP 51820 |
OpenSSH tunnel | (over SSH, TCP 22) |
IP in HTTP | TCP/UDP 443 (HTTPS) |
MS-SSTP | TCP/UDP 443 (HTTPS) |
FortiSSL | |
Notes:
- OpenVPN does not work on top of TLS (TLS over TCP). TLS is encapsulated in the OpenVPN protocol and is used for the handshake. The inner frames/packets are not encapsulated in TLS (no IP-over-TLS or Ethernet-over-TLS).
- MS-SSTP uses a `SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/` HTTPS request. The encapsulated protocol is chosen with the MS-SSTP Protocol ID field (0x0001 for PPP).
Simple Tunnels
```
      [IP        ] [IP  ]
      [GRE       ] [GRE ]
      [(UDP)     ] [DTLS] [Eth. MAC]
[IP ] [(AH / ESP)] [UDP ] [EtherIP ]
[IP ] [IP        ] [IP  ] [IP      ]
 IP    GRE          GRE-   EtherIP
 in IP              UDP-
                    DTLS
```
Protocol | SAP | Description |
---|---|---|
GRE (Generic Routing Encapsulation) | IP proto 47 | Next protocol defined as an EtherType; optional 32-bit key (tunnel ID); optional 32-bit sequence number |
GRE-in-UDP | UDP 4754 (dest.) | |
GRE-UDP-DTLS | UDP 4755 (dest.) | |
EtherIP | IP proto 97 | |
L2TPv3
Pseudowires:
```
[PPP ] [Eth. MAC] [Frame Relay] [HDLC] [ATM ]
[L2TP] [L2TP    ] [L2TP       ] [L2TP] [L2TP]
[... ] [...     ] [...        ] [... ] [... ]
```
Transports:
```
                            [... ]
                            [L2TP]
[... ]                      [SNAP] [... ]
[L2TP] [... ] [...        ] [LLC ] [L2TP]
[UDP ] [L2TP] [L2TP       ] [AAL5] [AAL5]
[IP  ] [IP  ] [Frame Relay] [ATM ] [ATM ]
 L2TP   L2TP   L2TP          L2TP   L2TP
 /UDP   /IP    /Frame Relay  /ATM   /ATM
                             (LLC)  (VC mux)
```
Protocol | SAP | Description |
---|---|---|
L2TP (Layer Two Tunneling Protocol) | 16 bit tunnel ID, optional 16 bit sequence numbers | |
L2TP over IP | IP proto. 115 | |
L2TP over UDP | UDP 1701 (control) | |
Network virtualization
```
[Eth. MAC  ] [Eth. / IP / ...] [Eth. / IP / ...]
[VXLAN     ] [GENEVE         ] [GRE + Key ext. ]
[UDP       ] [UDP            ] [(UDP)          ]
[(AH / ESP)] [(AH / ESP)     ] [(AH / ESP)     ]
[IP        ] [IP             ] [IP             ]
 VXLAN        GENEVE           NVGRE
```
Protocol | Port | Description |
---|---|---|
VXLAN (Virtual eXtensible LAN) | UDP 4789 (dest.) | 24 bit VNI (VXLAN Network Identifier), always encapsulates Ethernet |
GENEVE (Generic Network Virtualization Encapsulation) | UDP 6081 (dest.) | 24 bit VNI, can encapsulate different protocols (EtherType) |
NVGRE (Network Virtualization with GRE) | - | 24-bit VSID (Virtual Subnet Identifier), can encapsulate different protocols (EtherType) |
Authentication, authorization
EAP
TLS-based EAP methods:
```
          [...     ]
          [EAP     ] [PAP     ] [CHAP    ] [... ] [... ]
          [AVP     ] [AVP     ] [AVP     ] [EAP ] [EAP ]
[mTLS   ] [TLS     ] [TLS     ] [TLS     ] [TLS ] [TLS ]
[EAP-TLS] [EAP-TTLS] [EAP-TTLS] [EAP-TTLS] [PEAP] [TEAP]
[EAP    ] [EAP     ] [EAP     ] [EAP     ] [EAP ] [EAP ]
[...    ] [...     ] [...     ] [...     ] [... ] [... ]
 EAP-TLS   EAP        PAP        CHAP       EAP    EAP
           over       over       over       over   over
           EAP-TTLS   EAP-TTLS   EAP-TTLS   PEAP   TEAP
```
EAP transports:
```
[... ] [...] [...      ] [...       ]       [...     ] [...   ]
[EAP ] [EAP] [EAP      ] [EAP       ] [...] [EAP     ] [EAP   ]
[PANA] [IKE] [RADIUS   ] [Diameter  ] [EAP] [802.1X  ] [802.1X]
[UDP ] [UDP] [UDP / TCP] [TCP / SCTP] [PPP] [Ethernet] [Wifi  ]
[IP  ] [IP ] [IP       ] [IP        ]
 EAP    EAP   EAP         EAP          EAP   802.1X     WPA-EAP
 /PANA  for   over        /Diameter    for
        IKE   RADIUS                   PPP
```
Example full protocol stacks:
```
          [EAP-MSCHAPV2]
          [EAP         ]
[mTLS   ] [TLS         ]
[EAP-TLS] [TEAP        ]
[EAP    ] [EAP         ]
[802.1X ] [802.1X      ]
[Wifi   ] [Wifi        ]
 WPA-EAP   WPA-EAP
 with      with TEAP
 EAP-TLS   and MSCHAPv2
```
EAP Method | Method Type | Description |
---|---|---|
EAP-TLS | 13 | Mutual TLS authentication |
EAP-TTLS | 21 | AVPs (attribute value pairs) in the Diameter format over TLS |
PEAP (Protected EAP) | 25 | Inner EAP exchange over a TLS tunnel |
EAP-FAST | 43 | |
TEAP (Tunnel EAP) | 55 | Inner EAP exchange over a TLS tunnel (standardized version of PEAP) |
EAP-SIM, EAP-AKA, EAP-AKA' | 18, 23, 50 | SIM-based authentication |
EAP-pwd | 52 | Authenticated key exchange based on a shared password |
EAP-NOOB | 56 | Authentication for IoT devices based on an initial out-of-band channel |
EAP Transport | Description |
---|---|
802.1X | Authentication of LAN/WLAN such as Ethernet and Wifi (WPA-EAP aka WPA-Enterprise) |
PANA (Protocol for Carrying Authentication for Network Access) | |
RADIUS support for EAP | EAP messages encapsulated in the EAP-Message attribute |
Diameter support for EAP | EAP messages encapsulated in EAP-Payload AVP |
Kerberos
```
           [Kerberos]
           [MS-KKDCP]
           [HTTP    ]
[Kerberos] [TLS     ]
[UDP/TCP ] [TCP     ]
[IP      ] [IP      ]
 Kerberos   MS-KKDCP
```
Protocol | Port | Description |
---|---|---|
Kerberos | UDP or TCP 88 | |
MS-KKDCP (Kerberos Key Distribution Center Proxy) | TCP or UDP 443 (HTTPS) | Kerberos over HTTPS. |
SASL
General SASL stack:
```
[mechanism]
[SASL     ]
[protocol ]    [protocol   ]
            →  [(SASL sec.)]
[...      ]    [...        ]
```
Notes:
- Protocols with support for SASL include LDAP, IMAP, POP, SMTP, XMPP, MQTT, etc.
- SASL mechanisms include ANONYMOUS, PLAIN, EXTERNAL, etc.
- Some SASL mechanisms may install a SASL security layer (providing features such as encryption and/or integrity protection to the protocol). Nowadays, this is seen as redundant with TLS, which should be used instead.
SASL Mechanism | Security Layer | Channel Binding | Description |
---|---|---|---|
GSSAPI | Optional (negotiated) | Yes | Kerberos 5 (not other mechanisms) with GSSAPI |
GS2-* | No | No | GSS-API mechanisms (without support for channel binding) |
GS2-*-PLUS | No | Yes | GSS-API mechanisms (with support for channel binding) |
OAUTHBEARER | No | No | OAuth 2.0 Bearer token |
GSSAPI
```
[Kerberos] [MS-NLMP ] [...     ] [Kerberos]
           [SPNEGO  ] [SPNEGO  ] [EAP     ]
[GSS-API ] [GSS-API ] [GSS-API ] [GSS-API ]
[SASL    ] [SASL    ] [SASL    ] [SASL    ]
[...     ] [...     ] [...     ] [...     ]
 GSS-API    NTLM       GSS-API
 with       with       with
 Kerberos   SPNEGO     SPNEGO
 /SASL      /SASL      /SASL
```
Protocol | Description |
---|---|
GSSAPI (Generic Security Service API) | GSSAPI defines a Mechanism-Independent Token Format which is required for the initial token but optional for the other tokens |
SPNEGO (Simple and Protected Negotiation Mechanism) | Negotiation of GSSAPI mechanism to use |
Kerberos 5 for GSSAPI mechanism | |
GSS mechanism for EAP | |
Notes:
- GSS-API over SASL can use either the `GSSAPI` SASL mechanism or the newer `GS2-*` mechanisms (e.g. GS2-KRB5, GS2-KRB5-PLUS).
- The newer `GS2-*` mechanisms must not use mechanism negotiation (such as SPNEGO).
RADIUS and DIAMETER
```
                  [RADIUS  ]                       [Diameter] [Diameter]
[RADIUS] [RADIUS] [TLS     ] [Diameter] [Diameter] [TLS     ] [DTLS    ]
[UDP   ] [TCP   ] [TCP     ] [TCP     ] [SCTP    ] [TCP     ] [SCTP    ]
[IP    ] [IP    ] [IP      ] [IP      ] [IP      ] [IP      ] [IP      ]
 RADIUS   RADIUS   RADIUS     Diameter   Diameter   Diameter   Diameter
 /UDP     /TCP     /TLS       /TCP       /SCTP      /TLS       /DTLS
                   (RadSec)
```
Protocol | Port | SCTP PPID | Description |
---|---|---|---|
RADIUS (authentication and authorization) | UDP 1812, TCP 1812 | - | |
RADIUS Accounting | UDP 1813, TCP 1813 | - | |
RADIUS DynAuth | UDP 3799 | - | Disconnect and Change-of-Authorization (CoA) messages |
RADIUS over TLS (RadSec) | TCP 2083 | - | |
Diameter | TCP 3868, SCTP 3868 | 46 | |
Diameter over TLS/TCP | TCP 5658 | - | |
Diameter over DTLS/SCTP | SCTP 5658 | 47 | |
NAT traversal
STUN and TURN
```
               [UDP app.    ]
[STUN        ] [TURN        ] [TURN        ]   [TURN|app.]
[(DTLS / TLS)] [(DTLS / TLS)] [(DTLS / TLS)]   [(TLS)    ]
[UDP / TCP   ] [UDP / TCP   ] [UDP / TCP   ]   [TCP      ]
[IP          ] [IP          ] [IP          ] → [IP       ]
 STUN           TURN (UDP)     TURN-TCP         TURN-TCP
                                                connection
```
Protocol | Description |
---|---|
STUN (Session Traversal Utilities for NAT) | |
STUN with DTLS | |
TURN (Traversal Using Relays around NAT) | Extension of STUN for relaying communications (UDP applications) over UDP or TCP. |
TURN-TCP | Extension of TURN for relaying TCP applications (over TCP). TCP connections are allocated over a control TURN channel. Each TCP connection is transported over a new dedicated connection after an initial ConnectionBind TURN request (and response). |
ICE
```
                                [SDP ]
[STUN (+TURN)]  [SDP]           [HTTP]          [STUN|app.    ]
[(DTLS / TLS)]  [SIP]           [TLS ]          [(DTLS)/ (TLS)]
[UDP / TCP   ]  [TCP]           [TCP ]          [UDP / TCP    ]
[IP          ]  [IP ]           [IP  ]          [IP           ]
 STUN, TURN      ICE candidate   ICE candidates  ICE communications
 (candidate      exchange        exchange        (direct)
  collection)    with SIP        with SDP/HTTPS
```
Protocol | Description |
---|---|
ICE (Interactive Connectivity Establishment) | Uses STUN, TURN and exchanges ICE candidates for establishing communications. |
ICE-TCP | Extends ICE for TCP streams. |
STUN | Used to help NAT traversal. |
TURN | Used for relaying communication when no direct communication is possible. |
SDP | May be used for exchanging ICE candidates (for example in SIP or WebRTC). Other methods may be used depending on the application (including non-SDP methods). |
Note:
- STUN Binding request/response are directly exchanged between the peers. Some method must be used for multiplexing STUN and the application protocol. See for example RFC 5767 section 5.1.2.
Example of ICE through TURN:
```
[STUN¦app]<------------------------>[STUN¦app]
[TURN    ]<--->o[TURN    |-  ]
[TLS     ]<--->o[TLS     |-  ]
[TCP     ]<--->o[TCP     |UDP]<---->[UDP     ]
[IP      ]<---->[IP          ]<---->[IP      ]
 Appl. Peer      TURN server         Appl. Peer
 TURN client
```
Link Layer
Ethernet (802.1)
```
[...   ]       [IP|ARP|...  ]
       [EAP  ] [SNAP        ]
[IP|ARP|EAPOL] [LLC         ]
[(802.1Q )   ] [(802.1Q )   ]
[(802.1ad )  ] [(802.1ad )  ]
[Ethernet MAC] [Ethernet MAC]
[Ethernet PHY] [Ethernet PHY]
 Ethernet II    802.1 with SNAP
```
Ethernet PHY sublayers (since Fast Ethernet):
```
[Ethernet PCS] [Ethernet PCS] (PHY)
[Ethernet PMA] [Ethernet PMA] (PHY)
[Ethernet PMD] [Ethernet PMD] (PHY)
```
Protocol | EtherType | Description |
---|---|---|
PMD (Physical Medium Dependent sublayer) | - | e.g. 100BASE-FX, 10GBASE-E, 10GBASE-L, 10GBASE-S, 10GBASE-LX4 |
PMA (Physical Medium Attachment sublayer) | - | Framing, synchronization, etc. |
PCS (Physical Coding Sublayer) | - | Negotiation, coding (error detection) |
ARP (Address Resolution Protocol) | 0x0806 | Mapping between MAC addresses and IP addresses |
802.1Q | 0x8100 | VLAN (Q-tag) |
802.1ad (Q-in-Q) | 0x88A8 | VLAN in VLAN (outer 802.1ad tag is S-tag for service-tag; inner 802.1Q tag is c-tag for customer-tag) |
802.1X (EAPOL) | 0x888E | Port authentication, used for WPA-Enterprise as well |
IPv4 | 0x0800 | |
IPv6 | 0x86DD | |
LLC (Logical Link Control) | (length ≤ 1500) | |
SNAP (Subnetwork Access Protocol) | - | |
Wifi (802.11)
```
[...      ]
[EAP      ]
[EAPOL    ] [IP |ARP                  ]
[SNAP     ] [SNAP                     ] (Link)
[LLC      ] [LLC                      ] (Link)
            [(WEP / TKIP / CCMP / GCM)] (Link)
[Wifi MAC ] [Wifi MAC                 ] (Link)
[Wifi PLCP] [Wifi PLCP                ] (Phy.)
[Wifi PMD ] [Wifi PMD                 ] (Phy.)
 WPA-Enterprise
 Authentication
 (WPA-EAP)
```
Layer | Description |
---|---|
PMD (Physical Medium Dependent sublayer) | (e.g. 802.11 FHSS, 802.11 DSSS, 802.11a OFDM, 802.11b HR/DSSS, 802.11g ERP) |
PLCP (Physical Layer Convergence Protocol sublayer) | |
WEP (Wired Equivalent Privacy) | Old encryption layer (based on RC4 and CRC-32) |
TKIP (Temporal Key Integrity Protocol) | Encryption layer of WPA1 (RC4 stream cipher with “Michael” MIC) |
CCMP | Encryption layer of WPA2 (AES with CCM mode) |
GCMP-256 | Encryption layer of WPA3 (56-bit Galois/Counter mode) |
LLC (Logical Link Control) | |
SNAP (Subnetwork Access Protocol) | |
Access Point:
[app. ]<--------------------------->[app. ] [TCP ]<--------------------------->[TCP ] [IP ]<--------------------------->[IP ] [SNAP ]<--------------------------->[SNAP ] [LLC ]<--------------------------->[LLC ] [sec. #1 ]<===>[sec. #1 | sec. #2]<===>[sec. #2 ] [Wifi MAC]<--->[Wifi MAC ]<--->[Wifi MAC] [Wifi PHY]<--->[Wifi PHY ]<--->[Wifi PHY] Station 1 Access Point Station 2
Ethernet/Wireless bridge:
[app. ]<------------------------------->[app. ] [TCP ]<------------------------------->[TCP ] [IP ]<------------------------------->[IP ] [SNAP ]<----[SNAP ] [LLC ]<--->[LLC ] [security]<===>[security ] [Wifi MAC]<--->[Wifi MAC \-/ Eth. MAC]<--->[Eth. MAC] [Wifi PHY]<--->[Wifi PHY | Eth. PHY]<--->[Eth. PHY] Station 1 Ethernet/Wireless bridge Station 2
ATM
[... / ...] [NLPID / SNAP] [... ] [LLC ] [AAL5] [AAL5 ] [ATM ] [ATM ] [phy. ] [phy. ] VC Mux LLC Encap.
References:
- Multiprotocol Encapsulation over AAL5, RFC 2684
PPP
Configuration:
[... ] [LCP] [CCP] [compression] [PPP] [PPP] [PPP ] [...] [...] → [... ] LCP CCP and compression
Authentication:
[...] [PAP] [CHAP] [EAP] [PPP] [PPP ] [PPP] [...] [... ] [...] PAP CHAP EAP
Applications:
[IPCP|IPv4] [IPv6CP|IPv6] [PPP ] [PPP ] [... ] [... ] IPv4/PPP IPv6/PPP
Transports:
[... ] [PPP ] [...] [... ] [... ] [... ] [(SNAP)] [... ] [PPP] [PPP ] [PPP ] [PPP ] [LLC ] [PPP ] [SSH] [HDLC ] [HDLC] [PPPoE ] [AAL5 ] [L2TP] [TCP] [RS-232] [V.92] [Ethernet] [ATM ] [... ] [IP ] PPP/RS-232 PPP/PSTN PPPoE PPPoA L2TP PPP /SSH
Protocol | PPP Protocol | EtherType | Description |
---|---|---|---|
PPP (Point-to-Point Protocol) | - | - | |
LCP (Link Control Protocol) | 0xc021 | - | |
PAP (Password Authentication Protocol) | 0xc023 | - | Cleartext login/password |
CHAP (Challenge-Handshake Authentication Protocol) | 0xc223 | - | Includes MS-CHAP and MS-CHAPv2 as well. |
EAP (Extensible Authentication Protocol) | 0xc227 | - | |
IPCP (IP Configuration Protocol) | 0x8021 | - | Configuration of the IPv4 address |
IPv4 | 0x0021 | - | |
IPv6CP (IPv6 Configuration Protocol) | 0x8057 | - | |
IPv6 | 0x0057 | - | |
PPPoA, PPP-over-ATM (AAL5) | - | - | |
PPPoE, PPP-over-Ethernet | - | 0x8863 (discovery), 0x8864 (session) | |
L2TP (Layer Two Tunneling Protocol) | - | - | |
HDLC-like framing (RFC 1662) for PPP | - | - | |
CCP (Compression Control Protocol) | - | - | |
PPP over SSH | - | - | It's not a standard thing but you can do it. |
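As an added example (not code from the page), a decoder for the HDLC-like framing (RFC 1662) that the PPP/RS-232 and PPP/PSTN transports above use: it undoes byte stuffing, verifies the FCS-16 and maps the protocol field with the numbers from the table (0x8021 for IPCP is the standard value and is assumed here). The sample frame is constructed with the block's own encoder.

```python
"""Decode PPP in HDLC-like framing (RFC 1662) and name its protocol (added example)."""
import struct
FLAG, ESCAPE, ADDRESS, CONTROL = 0x7E, 0x7D, 0xFF, 0x03
FCS_INIT, FCS_GOOD = 0xFFFF, 0xF0B8  # RFC 1662 FCS-16 initial value and "good" residual

PPP_PROTOCOLS = {0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP", 0xC227: "EAP",  # from the table above
                 0x8021: "IPCP", 0x0021: "IPv4", 0x8057: "IPv6CP", 0x0057: "IPv6"}

def fcs16(data: bytes) -> int:
    """Bitwise FCS-16 (reflected polynomial 0x8408), equivalent to the RFC 1662 table code."""
    fcs = FCS_INIT
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs

def unstuff(body: bytes) -> bytes:
    """Undo byte stuffing: the pair 0x7D x stands for the byte x ^ 0x20."""
    out, i = bytearray(), 0
    while i < len(body):
        if body[i] == ESCAPE:
            i += 1
            if i == len(body):
                raise ValueError("dangling escape byte")
            out.append(body[i] ^ 0x20)
        else:
            out.append(body[i])
        i += 1
    return bytes(out)

def decode_ppp_hdlc(frame: bytes) -> dict:
    """Strip flags and stuffing, verify the FCS, then read address/control/protocol."""
    if len(frame) < 2 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing HDLC flag bytes")
    data = unstuff(frame[1:-1])
    if len(data) < 6:  # address + control + protocol + FCS
        raise ValueError("frame too short")
    if fcs16(data) != FCS_GOOD:  # running the FCS over data plus its FCS gives the residual
        raise ValueError("bad FCS")
    if data[0] != ADDRESS or data[1] != CONTROL:
        raise ValueError("unexpected address/control field")
    (proto,) = struct.unpack_from("!H", data, 2)
    return {"protocol": PPP_PROTOCOLS.get(proto, f"0x{proto:04X}"), "info": data[4:-2]}

def encode_ppp_hdlc(proto: int, info: bytes) -> bytes:
    """Build a frame with the default ACCM: escape the flag, the escape byte and all bytes < 0x20."""
    data = bytes([ADDRESS, CONTROL]) + struct.pack("!H", proto) + info
    fcs = fcs16(data) ^ 0xFFFF
    data += bytes([fcs & 0xFF, fcs >> 8])  # FCS is sent least-significant byte first
    stuffed = b"".join(bytes([ESCAPE, b ^ 0x20]) if b in (FLAG, ESCAPE) or b < 0x20 else bytes([b]) for b in data)
    return bytes([FLAG]) + stuffed + bytes([FLAG])

# Constructed sample: a CHAP frame whose payload contains 0x7E and 0x7D bytes that must be stuffed.
SAMPLE_CHAP = encode_ppp_hdlc(0xC223, b"\x01\x01\x00\x09\x04\x7e\x7d\x03\x03")
```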
GPON (G.984)
Gigabit Passive Optical Network:
[PWE3 ] [SIP |RTP ] [RTP ] [TCP |UDP ] [UDP ] [IP ] [IP ] [IP ] [MEF-8 ] [VLAN ] [VLAN ] [VLAN ] [VLAN ] [TDM|Eth. MAC] [Eth. MAC ] [Eth. MAC ] [Eth. MAC ] [SDH ] [PLOAM|OMCI|ATM|GEM ] [GEM ] [GEM ] [GEM ] [GEM ] [GTC adaptation ] [GTC adaptation] [GTC adaptation] [GTC adaptation] [GTC adaptation] [GTC framing ] [GTC framing ] [GTC framing ] [GTC framing ] [GTC framing ] [GPM ] [GPM ] [GPM ] [GPM ] [GPM ] General stack Voice (VoIP) Voice with PWE3 Voice with MEF-8 Voice (TDM)
Protocol | Description |
---|---|
GPM (GPON Physical Media Dependent layer) | |
GTC framing | |
PLOAM (Physical Layer Operations, Administration and Maintenance) | |
OMCI (ONU Management and Control Interface) | |
GEM (G-PON Encapsulation Mode) | |
TDM (Time Division Multiplexing) | Emulation of any TDM-based circuit |
PWE3, Pseudo Wire Emulation Edge-to-Edge | Frame Relay/ATM/Ethernet/TDM/SONET/SDH over IP or MPLS |
MEF-8 | Emulation of PDH over Ethernet |
References:
- G.984.1 : Gigabit-capable passive optical networks (GPON): General characteristics
- G.984.3 : Gigabit-capable passive optical networks (G-PON): Transmission convergence layer specification
XG-PON (G.987)
[PWE3 ] [SIP|RTP ] [RTP ] [TCP|UDP ] [UDP ] [IP ] [IP ] [IP ] [MEF-8 ] [802.1X|VLAN] [VLAN ] [VLAN ] [VLAN ] [Eth. MAC |MPLS] [Eth. MAC ] [Eth. MAC ] [Eth. MAC ] [PLOAM|OMCI|XGEM ] [XGEM ] [XGEM ] [XGEM ] [XGTC framing ] [XGTC framing ] [XGTC framing ] [XGTC framing ] [XGTC PHY adaptation ] [XGTC PHY adaptation] [XGTC PHY adaptation] [XGTC PHY adaptation] [XGON PMD ] [XGON PMD ] [XGON PMD ] [XGON PMD ] General stack Voice (voIP) Voice with PWE3 Voice with MEF-8
References:
- G.987.1 : 10-Gigabit-capable passive optical networks (XG-PON): Transmission convergence (TC) layer specification
- G.987.2 : 10-Gigabit-capable passive optical networks (XG-PON): Physical media dependent (PMD) layer specification
- G.987.3 : 10-Gigabit-capable passive optical networks (XG-PON): Transmission convergence (TC) layer specification
- Implementation Agreement for the Emulation of PDH Circuits over Metro Ethernet Networks
Phone
SS7
[... ] [... ] [... ] [... ] [... ] [ISUP|TCAP] [TCAP] [TCAP ] [TCAP ] [TCAP] [TUP / ISUP|SCCP ] [SUA |ISUP] [SCCP ] [SCCP ] [SCCP|ISUP] [MTP-3 ] [- ] [MTP-3|ISUP] [MTP-3 ] [M3UA ] [MTP-2 ] [- ] [M2PA ] [M2UA ] [ - ] [MTP-1 ] [(DTLS) ] [(DTLS) ] [(DTLS) ] [(DTLS) ] [SCTP ] [SCTP ] [SCTP ] [SCTP ] [(IPSec) ] [(IPSec) ] [(IPSec)] [(IPSec) ] [IP ] [IP ] [IP ] [IP ] SS7 SUA M2PA M2UA M3UA ...
Some application protocols:
[MAP ] [ISUP ] [TCAP ] [TUP ] [ISUP ] [SCCP ] [SCCP ] [MTP-3] [MTP-3] [MTP-3] [MTP-3] [MTP-2] [MTP-2] [MTP-2] [MTP-2] [MTP-1] [MTP-1] [MTP-1] [MTP-1] TUP ISUP ISUP MAP /SCCP
Protocol | SCTP PPID | Description |
---|---|---|
MTP-1 (Message Transfer Part layer 1) | - | Physical layer |
MTP-2 (Message Transfer Part layer 2) | - | Link layer |
MTP-3 (Message Transfer Part layer 3) | - | Network layer |
TUP (Telephone User Part) | - | Signaling for classic PSTN, mostly replaced by ISUP |
ISUP (ISDN User Part) | - | |
SCCP (Signalling Connection Control Part) | - | |
TCAP (Transaction Capabilities Application Part) | - | |
CAP (CAMEL Application Part) | - | |
MAP (Mobile Application Part) | - | |
SCTP (Stream Control Transmission Protocol) | - | Transport layer on top of IP |
SUA (SCCP User Adaptation) | 4 | Replaces SCCP when used over SCTP/IP |
M2UA (MTP2 User Adaptation Layer) | 2 | |
M2PA (MTP2 User Peer-to-Peer Adaptation Layer) | 5 | |
M3UA (MTP3 User Adaptation Layer) | 3 | |
Mobile
User Equipment (i.e. the phone) stacks:
PDP contexts PDP contexts EPS bearers PDU sessions | | | | | | | | [SM ] ↓ ↓ | | | | ↓ ↓ [GMM ] [IP / PPP] [CM|SM ] ↓ ↓ [LTE NAS ] ↓ ↓ [5G NAS ] [IP|Eth.] [CM ] [SNDCP ] [SNDCP ] [MM|GMM ] [IP / PPP ] [LTE RRC ] [IP / PPP] [5G RRC ] [SDAP ] [MM ] [GPRS LLC] [GPRS LLC] [UMTS RRC] [UMTS PDCP] [LTE PDCP] [LTE PDCP] [5G PDCP] [5G PDCP] [RRM ] [GPRS RLC] [GPRS RLC] [UMTS RLC] [UMTS RLC ] [LTE RLC ] [LTE RLC ] [5G RLC ] [5G RLC ] [LAPDm ] [GPRS MAC] [GPRS MAC] [UMTS MAC] [UMTS MAC ] [LTE MAC ] [LTE MAC ] [5G MAC ] [5G MAC ] [GSM PHY] [GSM PHY ] [GSM PHY ] [UMTS PHY] [UMTS PHY ] [LTE PHY ] [LTE PHY ] [5G PHY ] [5G PHY ] CP CP UP CP UP CP UP CP UP -------- --------------------- ---------------------- --------------------- ----------------- GSM (2G) GPRS (2.5G) UMTS (3G) LTE (aka EPS) (4G) 5G NR (5G)
Authentication stacks at the user equipment:
[... ] [AVP ] [mTLS ] [TLS ] [EAP-AKA] [EAP-AKA'] [EAP-TLS] [EAP-TTLS] [EPS-AKA] [5G-AKA] [EAP ] [EAP ] [EAP ] [EAP ] [NAS ] [NAS ] [NAS ] [NAS ] [NAS ] [NAS ] EPS-AKA 5G-AKA EAP-AKA EAP-AKA' EAP-TLS EAP-TTLS (4G) (5G) (5G) (5G) (5G) (5G)
Notes:
- 5G primary authentication, access authentication;
- 5G secondary authentication, setting up user planes from other operators
Protocol | Description |
---|---|
LAPDm (Link Access Procedures on the Dm channel) | Link layer for GSM used between the mobile station (i.e. the phone) and the BSC |
RR aka RMM (Radio Resource Management) | |
MM (Mobility Management) | |
CM (Connection Management) | |
RLC (Radio Link Control) | |
LLC (Logical Link Control) | (This is not the 802.2 LLC protocol used with Ethernet, Wifi, etc.) |
SNDCP (Subnetwork Dependent Convergence Protocol) | |
GMM (GPRS Mobility Management) | |
SM (Session Management) | |
PDCP (Packet Data Convergence Protocol) | |
RRC (Radio Resource Control) | |
NAS (Non-access stratum) | |
SDAP (Service Data Adaptation Protocol) | |
References:
- PDP types
- PDU session types (5G)
- Extensible Authentication Protocol (EAP) in next-generation networks
- Long Term Evolution Protocol Overview
- SMS in 5GC
- ETSI TS 124 501, 5G NAS
- A Comparative Introduction to 4G and 5G Authentication
- 5G: focus on N3IWF, TNGF, TWIF and W-5GAN
Non-3GPP access
User equipment stacks for untrusted non-3GPP access (5G):
PDU sessions | | [EAP-AKA] | | [EAP / 5G-AKA] ↓ ↓ [NAS ] [NAS ] [IP|Eth.] ← Application IP (IMS, data) [EAP-5G ] [TCP ] [GRE ] [EAP ] [IP ] [IP ] ← Inner IP (connect to the N3IWF) [IKEv2 ] [ESP ] [IKEv2] [ESP ] [UDP ] [(UDP)] [UDP ] [(UDP) ] [IP ] [IP ] [IP ] [IP ] ← Non-3GPP Access Network [L2 ] [L2 ] [L2 ] [L2 ] [L1 ] [L1 ] [L1 ] [L1 ] CP CP UP UP (before SA) (after SA) establishment
Notes:
- ESP/UDP may be used for NAT traversal.
- Different IPSec SAs are established for:
- control plane (signaling) i.e. transporting NAS messages;
- user plane (one SA per PDU layer and QoS flow);
- N3IWF (Non-3GPP Interworking Function) is responsible for the interworking between the non-3GPP access and the 5G core.
User equipment stacks for untrusted non-3GPP access with firewall traversal (5G):
PDU sessions | | [EAP-AKA] | | [EAP / 5G-AKA] ↓ ↓ [NAS ] [NAS] [IP|Eth.] ← Application IP (IMS, data) [EAP-5G ] [TCP] [GRE ] [EAP ] [IP ] [IP ] ← Inner IP (connect to the N3IWF) [IKEv2 ] [ESP] [IKEv2] [ESP ] [TLS ] [TLS] [TLS ] [TLS ] [TCP ] [TCP] [TCP ] [TCP ] [IP ] [IP ] [IP ] [IP ] ← Non-3GPP Access Network [L2 ] [L2 ] [L2 ] [L2 ] [L1 ] [L1 ] [L1 ] [L1 ] CP CP UP UP (before SA) (after SA) establishment
References:
- ETSI TS 123 402 v16
- A Tutorial on Trusted and Untrusted Non-3GPP Accesses in 5G Systems—First Steps Toward a Unified Communications Infrastructure
- Untrusted Non-3GPP Access Network Interworking with 5G Core
IMS
IMS (IP Multimedia Subsystem) is a SIP/IP-based service for transporting voice, SMS and video over 4G (VoLTE), 5G (VoNR) or non-3GPP access (VoWLAN/VoWiFi).
User equipment stacks for IMS:
[SMS] [SDP|A/V ] [SIP] [SIP|RTP |RTCP] [TCP] [TCP|UDP / TCP] [IP ] [IP ] SMS Audio/Video calls over IMS over IMs
Notes:
- SMS may be transported over NAS as well.
SMS
User equipment stacks for SMS:
[SM-AL ] [SMS ] [SM-TL ] [SIP ] [SM-RP ] [SMS] [TCP ] [SM-CP ] [NAS] [IP ] [CM ] [RRC] [(SDAP)] [MM ] [RLC] [PDCP ] [RR ] [RLC] [RLC ] [LAPDm ] [MAC] [MAC ] [GSM PHY] [PHY] [PHY ] SMS/GSM SMS/NAS SMS/IMS (2G) (4G/5G) (4G/5G)
WAP
User equipment stacks for WAP (including MMS):
[WML | WMLScript | MMS] [WSP ] [XHTML MP|WAP CSS|MMS] [(WTP ) ] [(WP-)HTTP ] [(WTLS) ] [TLS ] [WDP / UDP ] [(WP-)TCP ] [SMS / IP ] [IP ] [... / ... ] [... ] WAP 1 WAP 2.0
Protocol | Description |
---|---|
Wireless Session Protocol (WSP) | Similar to HTTP |
Wireless Transaction Protocol (WTP) | Similar to TCP. Used for CO-WSP (Connection-oriented WSP), absent for CL-WSP (Connectionless WSP) |
Wireless Transport Layer Security (WTLS) | Protection (similar to TLS) |
Wireless Datagram Protocol (WDP) | Similar to UDP |
WML (Wireless Markup Language) | XML-based markup language, similar to HTML |
WMLScript | Scripting language based on ECMAScript but compiled to a bytecode |
XHTML MP (Mobile Profile) | |
WP-TCP | Profile of TCP |
WP-HTTP | Profile of HTTP |
References:
- Looking inside the MMS Exchange (With call flow and PCAP)
- WapProtocolFamily ~ Wireshark Wiki
- Wireless Datagram Protocol (WDP) ~ Wireshark Wiki
- Wireless Session Protocol (WSP) ~ Wireshark Wiki
- Wireless Datagram Protocol (WDP), v14
Devices
BlueTooth
ACL SCO /--------------------------------------------\ /---\ [IP ] [IP |... ] [HID|...] [PPP|AT|Eth. MAC] [GATT |GAP ] [SDP |RFCOMM|BNEP |OBEX|HIDP|AVCTP|AVDTP] [... ] [ATT |SM|- ] [L2CAP |voice] [L2CAP ] [L2CAP |- ] ↑Host ------------------(HCI)------------------------------- ---(HCI)--- ---(HCI)------------------ [LMP|- ] [Wifi PAL ] ↓Controler [LCP ] [Wifi MAC ] [LE LL ] [BR / EDR ] [Wifi PHY ] [LE 1M / LE 2M / LE Coded] Bluetooth Classic Bluetooth HS Bluetooth Low Energy (BLE) (High Speed)
Host/Controller interface (HCI) example (over USB):
[RFCOMM ]<-------------------------------------->[RFCOMM ] [L2CAP ]<-------------------------------------->[L2CAP ] [HCI ]<--->[HCI |LMP ]<--------------->[LMP ] [USB ]<--->[USB |LCP ]<--------------->[LCP ] [USB PHY] [USB PHY|BR / EDR]<--------------->[BR / EDR] Host Bluetooth Controler Device
Protocol | Description |
---|---|
BR (Basic Rate) | |
EDR (Extended Data Rate) | |
LE (Low Energy) 1M | |
LE (Low Energy) 2M | |
LE (Low Energy) Coded | |
LCP | |
LMP (Link Manager Protocol) | |
LE LL (LE Link Layer) | |
L2CAP (Logical Link Control and Adaptation Protocol) | |
SDP (Service Discovery Protocol) | |
RFCOMM (Radio frequency communication) | RS-232 port emulation |
BNEP (Bluetooth Network Encapsulation Protocol) | BNEP transports Ethernet traffic (but replaces the Ethernet header with its own header!) |
OBEX | |
HIDP (Bluetooth HID Protocol) | |
AVCTP (Audio/video control transport protocol) | |
AVDTP (Audio/video data transport protocol) | |
SM (Security Manager) | |
GAP | |
ATT | |
GATT | |
AT | Hayes Modem AT commands |
HCI (Host Controller Interface) | Communication between the host and the bluetooth controller |
Radio link types:
- ACL (Asynchronous Connection-Less), used for general data
- SCO (Synchronous Connection-Oriented), reserved time slots (used for voice data)
USB
[Eth|...|MIDI1 |MIDI1|MIDI2] [Std. Req.|HID|BOT|UAS|UASP|CCID|CDC |USB-MIDI|USB-MIDI2 |IPP|...] [USB Protocol layer ] [USB PHysical ]
Device Classes | Description |
---|---|
Standard Requests | |
HID (Human Interface Device) | Keyboard, mouse, baseball bats and golf clubs, etc. |
MSC (Mass Storage Class) | USB stick, etc. |
CDC (Communication Device Class) | |
IPP (Internet Printing Protocol) | |
MTP (Media Transfer Protocol) | |
CCID (Chip Card Interface Device) | Smartcard, Yubikeys, etc. |
DFU (Device Firmware Upgrade) | |
BOT (Bulk Only Transfer) | |
UAS (USB Attached SCSI) | |
UASP (USB Attached SCSI Protocol) | Not the same as UAS! |
Notations
- [JSON \-/ CBOR]: JSON/CBOR conversion
- [HTTP \-/ CoAP]: HTTP/CoAP proxy/interworking
- [(TLS) |(DTLS)]: Optional layers
- [TCP | UDP]: TCP and UDP layers
- [IPv4 / IPv6]: Either IPv4 or IPv6
- [Eth. \-/ Wifi]: Ethernet/Wifi bridge
- [STUN¦app ]: STUN and some application protocol used together between the same peers
- [HTTP+WebDAV ]: HTTP with WebDAV
- [TLS + PSK ]: TLS with PSK key exchange
- [ - ]: Empty layer, not a protocol layer
- [app. ]: Some undefined application layer
- [... ]: Some protocol layer(s)
- <----->: Bidirectional communications
- <----->o: Client/server relation, etc.
- ------>: One-way communications
- <=====>: Protected communications (usually both confidentiality and integrity)
- <=-=-=>: Integrity-protected communications (possibly with anti-replay protection)
- K: Interface name
References
Assignments:
- Hypertext Transfer Protocol (HTTP) Upgrade Token Registry
- TLS Application-Layer Protocol Negotiation (ALPN) Protocol IDs
- SSH Connection Protocol Subsystem Names
- Assigned Internet Protocol Numbers
- Service Name and Transport Protocol Port Number Registry
- PPP DLL Protocol Numbers
- L2TPv3 Pseudowire Types
- EtherTypes
- Logical Link Control (LLC) Public Listing
- SCTP Payload Protocol Identifiers
- TLS exporter labels
- SIP Table of Mappings From Service Field Values to Transport Protocols
- Simple Authentication and Security Layer (SASL) Mechanisms
- Network Layer Protocol Identifiers (NLPIDs) of Interest
- SDP proto
- PPP Authentication Algorithms
- Session Description Protocol (SDP) Parameters ~ proto
DNS:
- RFC 9539, Unilateral Opportunistic Deployment of Encrypted Recursive‑to‑Authoritative DNS
Samples:
- SampleCaptures from the WireShark website
Misc:
- EventHelix, has a lot of nice sequence diagrams and other useful information
- RF Wireless World Tutorial
- USB Document Library