System Administration Guide: Network Interfaces and Network Virtualization


This glossary contains definitions of new terms in this book that are not in the Sun Global Glossary available from the web site.


See Triple-DES.


Advanced Encryption Standard. A symmetric 128-bit block data encryption technique. The U.S. government adopted the Rijndael variant of the algorithm as its encryption standard in October 2000. AES replaces DES encryption as the government standard.

anycast address

An IPv6 address that is assigned to a group of interfaces (typically belonging to different nodes). A packet that is sent to an anycast address is routed to the nearest interface having that address. The packet's route is in compliance with the routing protocol's measure of distance.

anycast group

A group of interfaces with the same anycast IPv6 address. The Solaris OS implementation of IPv6 does not support the creation of anycast addresses and groups. However, Solaris IPv6 nodes can send traffic to anycast groups.

asymmetric key cryptography

An encryption system in which the sender and receiver of a message use different keys to encrypt and decrypt the message. Asymmetric keys are used to establish a secure channel for symmetric key encryption. The Diffie-Hellman protocol is an example of an asymmetric key protocol. Contrast with symmetric key cryptography.

authentication header

An extension header that provides authentication and integrity, without confidentiality, to IP datagrams.


The process where a host automatically configures its IPv6 address from the site prefix and the local MAC address.

bidirectional tunnel

A tunnel that can transmit datagrams in both directions.


A symmetric block cipher algorithm that takes a variable-length key from 32 bits to 448 bits. Its author, Bruce Schneier, claims that Blowfish is optimized for applications where the key does not change often.

broadcast address

IPv4 network addresses with the host portion of the address having all zeroes ( or all one bits ( A packet that is sent to a broadcast address from a machine on the local network is delivered to all machines on that network.


See certificate authority (CA).

certificate authority (CA)

A trusted third-party organization or company that issues digital certificates used to create digital signatures and public-private key pairs. The CA guarantees the identity of the individual who is granted the unique certificate.

certificate revocation list (CRL)

A list of public key certificates that have been revoked by a CA. CRLs are stored in the CRL database that is maintained through IKE.


In IPQoS, a group of network flows that share similar characteristics. You define classes in the IPQoS configuration file.

classless inter-domain routing (CIDR) address

An IPv4 address format that is not based on network classes (Class A, B, and C). CIDR addresses are 32 bits in length. They use the standard IPv4 dotted decimal notation format, with the addition of a network prefix. This prefix defines the network number and the network mask.

data address

An IP address which can be used as the source or destination address for data. Data addresses are part of an IPMP group and can be used to send and receive traffic on any interface in the group. Moreover, the set of data addresses in an IPMP group can be used continuously provided that one interface in the group is functioning.


See IP datagram.


An IP address that cannot be used as the source address for data in an IPMP group. Typically, IPMP test addresses are DEPRECATED. However, any address can be marked DEPRECATED to prevent the address from being used as a source address.


Data Encryption Standard. A symmetric-key encryption method developed in 1975 and standardized by ANSI in 1981 as ANSI X.3.92. DES uses a 56-bit key.

Diffie-Hellman protocol

Also known as public key cryptography. An asymmetric cryptographic key agreement protocol that was developed by Diffie and Hellman in 1976. The protocol enables two users to exchange a secret key over an insecure medium without any prior secrets. Diffie-Hellman is used by the IKE protocol.

diffserv model

Internet Engineering Task Force architectural standard for implementing differentiated services on IP networks. The major modules are classifier, meter, marker, scheduler, and dropper. IPQoS implements the classifier, meter, and marker modules. The diffserv model is described in RFC 2475, An Architecture for Differentiated Services.

digital signature

A digital code that is attached to an electronically transmitted message that uniquely identifies the sender.

domain of interpretation (DOI)

A DOI defines data formats, network traffic exchange types, and conventions for naming security-relevant information. Security policies, cryptographic algorithms, and cryptographic modes are examples of security-relevant information.

DS codepoint (DSCP)

A 6-bit value that, when included in the DS field of an IP header, indicates how a packet must be forwarded.


Digital Signature Algorithm. A public key algorithm with a variable key size from 512 to 4096 bits. The U.S. Government standard, DSS, goes up to 1024 bits. DSA relies on SHA-1 for input.

dual stack

A TCP/IP protocol stack with both IPv4 and IPv6 at the network layer, with the rest of the stack being identical. When you enable IPv6 during Solaris OS installation, the host receives the dual-stack version of TCP/IP.

dynamic packet filter

See stateful packet filter.

dynamic reconfiguration (DR)

A feature that allows you to reconfigure a system while the system is running, with little or no impact on ongoing operations. Not all Sun platforms support DR. Some Sun platforms might only support DR of certain types of hardware such as NICs.

encapsulating security payload (ESP)

An extension header that provides integrity and confidentiality to datagrams. ESP is one of the five components of the IP Security Architecture (IPsec).


The process of a header and payload being placed in the first packet, which is subsequently placed in the second packet's payload.

failure detection

The process of detecting when an interface or the path from an interface to an Internet layer device no longer works. IP network multipathing (IPMP) includes two types of failure detection: link based (default) and probe based (optional).


A set of rules that define the characteristics of a class in the IPQoS configuration file. The IPQoS system selects for processing any traffic flows that conform to the filters in its IPQoS configuration file. See packet filter.


Any device or software that isolates an organization's private network or intranet from the Internet, thus protecting it from external intrusions. A firewall can include packet filtering, proxy servers, and NAT (network address translation).

flow accounting

In IPQoS, the process of accumulating and recording information about traffic flows. You establish flow accounting by defining parameters for the flowacct module in the IPQoS configuration file.

hash value

A number that is generated from a string of text. Hash functions are used to ensure that transmitted messages have not been tampered with. MD5 and SHA-1 are examples of one-way hash functions.


See IP header.


Keyed hashing method for message authentication. HMAC is a secret key authentication algorithm. HMAC is used with an iterative cryptographic hash function, such as MD5 or SHA-1, in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function.


A measure that is used to identify the number of routers that separate two hosts. If three routers separate a source and destination, the hosts are four hops away from each other.


A system that does not perform packet forwarding. Upon installation of the Solaris OS, a system becomes a host by default, that is, the system cannot forward packets. A host typically has one physical interface, although it can have multiple interfaces.


Internet Control Message Protocol. Used to handle errors and exchange control messages.

ICMP echo request packet

A packet sent to a machine on the Internet to solicit a response. Such packets are commonly known as “ping” packets.


Internet Key Exchange. IKE automates the provision of authenticated keying material for IPsec security association (SA)s.

Internet Protocol (IP)

The method or protocol by which data is sent from one computer to another on the Internet.


See Internet Protocol (IP), IPv4, IPv6.

IP datagram

A packet of information that is carried over IP. An IP datagram contains a header and data. The header includes the addresses of the source and the destination of the datagram. Other fields in the header help identify and recombine the data with accompanying datagrams at the destination.

IP header

Twenty bytes of data that uniquely identify an Internet packet. The header includes source and destination addresses for the packet. An option exists within the header to allow further bytes to be added.

IP in IP encapsulation

The mechanism for tunneling IP packets within IP packets.

IP link

A communication facility or medium over which nodes can communicate at the link layer. The link layer is the layer immediately below IPv4/IPv6. Examples include Ethernets (simple or bridged) or ATM networks. One or more IPv4 subnet numbers or prefixes are assigned to an IP link. A subnet number or prefix cannot be assigned to more than one IP link. In ATM LANE, an IP link is a single emulated LAN. When you use ARP, the scope of the ARP protocol is a single IP link.

IP stack

TCP/IP is frequently referred to as a “stack.” This refers to the layers (TCP, IP, and sometimes others) through which all data passes at both client and server ends of a data exchange.

IPMP group

IP multipathing group, composed of a set of network interfaces with a set of data addresses that are treated as interchangeable by the system to improve network availability and utilization. The IPMP group, including all its underlying IP interfaces and data addresses, is represented by an IPMP interface.


A software feature that provides an implementation of the diffserv model standard, plus flow accounting and 802.1 D marking for virtual LANs. Using IPQoS, you can provide different levels of network services to customers and applications, as defined in the IPQoS configuration file.


IP security. The security architecture that provides protection for IP datagrams.


Internet Protocol, version 4. IPv4 is sometimes referred to as IP. This version supports a 32-bit address space.


Internet Protocol, version 6. IPv6 supports a 128-bit address space.

key management

The way in which you manage security association (SA)s.

keystore name

The name that an administrator gives to the storage area, or keystore, on a network interface card (NIC). The keystore name is also called the token or the token ID.

link layer

The layer immediately below IPv4/IPv6.

link-local address

In IPv6, a designation that is used for addressing on a single link for purposes such as automatic address configuration. By default, the link-local address is created from the system's MAC address.

load spreading

The process of distributing inbound or outbound traffic over a set of interfaces. With load spreading, higher throughput is achieved. Load spreading occurs only when the network traffic is flowing to multiple destinations that use multiple connections. Two types of load spreading exists: inbound load spreading for inbound traffic and outbound load spreading for outbound traffic.

local-use address

A unicast address that has only local routability scope (within the subnet or within a subscriber network). This address also can have a local or global uniqueness scope.


1. A module in the diffserv architecture and IPQoS that marks the DS field of an IP packet with a value that indicates how the packet is to be forwarded. In the IPQoS implementation, the marker module is dscpmk.

2. A module in the IPQoS implementation that marks the virtual LAN tag of an Ethernet datagram with a user priority value. The user priority value indicates how datagrams are to be forwarded on a network with VLAN devices. This module is called dlcosmk.


An iterative cryptographic hash function that is used for message authentication, including digital signatures. The function was developed in 1991 by Rivest.

message authentication code (MAC)

MAC provides assurance of data integrity and authenticates data origin. MAC does not protect against eavesdropping.


A module in the diffserv architecture that measures the rate of traffic flow for a particular class. The IPQoS implementation includes two meters, tokenmt and tswtclmt.

minimal encapsulation

An optional form of IPv4 in IPv4 tunneling that can be supported by home agents, foreign agents, and mobile nodes. Minimal encapsulation has 8 or 12 bytes less of overhead than does IP in IP encapsulation.


Maximum Transmission Unit. The size, given in octets, that can be transmitted over a link. For example, the MTU of an Ethernet is 1500 octets.

multicast address

An IPv6 address that identifies a group of interfaces in a particular way. A packet that is sent to a multicast address is delivered to all of the interfaces in the group. The IPv6 multicast address has similar functionality to the IPv4 broadcast address.

multihomed host

A system that has more than one physical interface and that does not perform packet forwarding. A multihomed host can run routing protocols.


See network address translation.

neighbor advertisement

A response to a neighbor solicitation message or the process of a node sending unsolicited neighbor advertisements to announce a link-layer address change.

neighbor discovery

An IP mechanism that enables hosts to locate other hosts that reside on an attached link.

neighbor solicitation

A solicitation that is sent by a node to determine the link-layer address of a neighbor. A neighbor solicitation also verifies that a neighbor is still reachable by a cached link-layer address.

network address translation

NAT. The translation of an IP address used within one network to a different IP address known within another network. Used to limit the number of global IP addresses that are needed.

network interface card (NIC)

Network adapter card that is an interface to a network. Some NICs can have multiple physical interfaces, such as the qfe card.


In IPv6, any system that is IPv6-enabled, whether a host or a router.


The action to take as a result of metering traffic. The IPQoS meters have three outcomes, red, yellow, and green, which you define in the IPQoS configuration file.


A group of information that is transmitted as a unit over communications lines. Contains an IP header plus a payload.

packet filter

A firewall function that can be configured to allow or disallow specified packets through a firewall.

packet header

See IP header.


The data that is carried in a packet. The payload does not include the header information that is required to get the packet to its destination.

per-hop behavior (PHB)

A priority that is assigned to a traffic class. The PHB indicates the precedence which flows of that class have in relation to other traffic classes.

perfect forward secrecy (PFS)

In PFS, the key that is used to protect transmission of data is not used to derive additional keys. Also, the source of the key that is used to protect data transmission is never used to derive additional keys.

PFS applies to authenticated key exchange only. See also Diffie-Hellman protocol.

physical interface

A system's attachment to a link. This attachment is often implemented as a device driver plus a network interface card (NIC). Some NICs can have multiple points of attachment, for example, qfe.


Public Key Infrastructure. A system of digital certificates, Certificate Authorities, and other registration authorities that verify and authenticate the validity of each party involved in an Internet transaction.


The act of opening a device that is associated with a physical interface name. When an interface is plumbed, streams are set up so that the IP protocol can use the device. You use the ifconfig command to plumb an interface during a system's current session.

private address

An IP address that is not routable through the Internet. Private addresses can used by internal networks on hosts that do not require Internet connectivity. These addresses are defined in Address Allocation for Private Internets and often referred to as “1918” addresses.

protocol stack

See IP stack.

proxy server

A server that sits between a client application, such as a Web browser, and another server. Used to filter requests – to prevent access to certain web sites, for instance.

public key cryptography

A cryptographic system that uses two different keys. The public key is known to everyone. The private key is known only to the recipient of the message. IKE provides public keys for IPsec.


In a router, to inform a host of a better first-hop node to reach a particular destination.

repair detection

The process of detecting when a NIC or the path from the NIC to some layer-3 device starts operating correctly after a failure.

replay attack

In IPsec, an attack in which a packet is captured by an intruder. The stored packet then replaces or repeats the original at a later time. To protect against such attacks, a packet can contain a field that increments during the lifetime of the secret key that is protecting the packet.

reverse tunnel

A tunnel that starts at the mobile node's care-of address and terminates at the home agent.


A system that usually has more than one interface, runs routing protocols, and forwards packets. You can configure a system with only one interface as a router if the system is the endpoint of a PPP link.

router advertisement

The process of routers advertising their presence together with various link and Internet parameters, either periodically or in response to a router solicitation message.

router discovery

The process of hosts locating routers that reside on an attached link.

router solicitation

The process of hosts requesting routers to generate router advertisements immediately, rather than at their next scheduled time.


A method for obtaining digital signatures and public key cryptosystems. The method was first described in 1978 by its developers, Rivest, Shamir, and Adleman.


See security association (SA).


Security Associations Database. A table that specifies cryptographic keys and cryptographic algorithms. The keys and algorithms are used in the secure transmission of data.


See streams control transport protocol.

security association (SA)

An association that specifies security properties from one host to a second host.

security parameter index (SPI)

An integer that specifies the row in the security associations database (SADB) that a receiver should use to decrypt a received packet.

security policy database (SPD)

Database that specifies the level of protection to apply to a packet. The SPD filters IP traffic to determine whether a packet should be discarded, should be passed in the clear, or should be protected with IPsec.


The element that specifically defines the criteria to be applied to packets of a particular class in order to select that traffic from the network stream. You define selectors in the filter clause of the IPQoS configuration file.


Secure Hashing Algorithm. The algorithm operates on any input length less than 264 to produce a message digest. The SHA-1 algorithm is input to DSA.

site-local-use address

A designation that is used for addressing on a single site.

smurf attack

To use ICMP echo request packets directed to an IP broadcast address or multiple broadcast addresses from remote locations to create severe network congestion or outages.


To eavesdrop on computer networks – frequently used as part of automated programs to sift information, such as clear-text passwords, off the wire.


See security policy database (SPD).


See security parameter index (SPI).


To gain unauthorized access to a computer by sending a message to it with an IP address indicating that the message is coming from a trusted host. To engage in IP spoofing, a hacker must first use a variety of techniques to find an IP address of a trusted host and then modify the packet headers so that it appears that the packets are coming from that host.


See IP stack.


A physical interface that is not used to carry data traffic unless some other physical interface has failed.

stateful packet filter

A packet filter that can monitor the state of active connections and use the information obtained to determine which network packets to allow through the firewall. By tracking and matching requests and replies, a stateful packet filter can screen for a reply that doesn't match a request.

stateless autoconfiguration

The process of a host generating its own IPv6 addresses by combining its MAC address and an IPv6 prefix that is advertised by a local IPv6 router.

stream control transport protocol

A transport layer protocol that provides connection-oriented communications in a manner similar to TCP. Additionally, SCTP supports multihoming, in which one of the endpoints of the connection can have more than one IP address.

symmetric key cryptography

An encryption system in which the sender and receiver of a message share a single, common key. This common key is used to encrypt and decrypt the message. Symmetric keys are used to encrypt the bulk of data transmission in IPsec. DES is one example of a symmetric key system.


TCP/IP (Transmission Control Protocol/Internet Protocol) is the basic communication language or protocol of the Internet. It can also be used as a communications protocol in a private network (either an intranet or an extranet).

test address

An IP address in an IPMP group which must be used as the source or destination address for probes, and must not be used as a source or destination address for data traffic.


Triple-Data Encryption Standard. A symmetric-key encryption method. Triple-DES requires a key length of 168 bits. Triple-DES is also written as 3DES.


The path that is followed by a datagram while it is encapsulated. See encapsulation.

unicast address

An IPv6 address that identifies a single interface of an IPv6-enabled node. The parts of the unicast address are site prefix, subnet ID, and interface ID.


A 3-bit value that implements class-of-service marks, which define how Ethernet datagrams are forwarded on a network of VLAN devices.

virtual LAN (VLAN) device

Network interfaces that provide traffic forwarding at the Ethernet (data link) level of the IP protocol stack.

virtual network

A combination of software and hardware network resources and functionality that are administered together as a single software entity. An internal virtual network consolidates network resources onto a single system, sometimes referred to as a “network in a box.”

virtual network interface (VNIC)

A pseudo-interface that provides virtual network connectivity whether or not it is configured on a physical network interface. Containers such as exclusive IP zones or xVM domains are configured above VNICs to form a virtual network.

virtual private network (VPN)

A single, secure, logical network that uses tunnels across a public network such as the Internet.