System Administration Guide: IP Services


This glossary contains only definitions of new terms in this book that are not in the Sun Global Glossary. For definitions of other terms, see the Sun Global Glossary at

address pool

A set of addresses that are designated by the home network administrator for use by mobile nodes that need a home address.


AES

Advanced Encryption Standard. A symmetric 128-bit block data encryption technique. The U.S. government adopted the Rijndael variant of the algorithm as its encryption standard in October 2000. AES replaces DES encryption as the government standard.

agent advertisement

A message that is periodically sent by home agents and foreign agents to advertise their presence on any attached link.

agent discovery

The process by which a mobile node determines if it has moved, its current location, and its care-of address on a foreign network.

anycast address

An IP address that is assigned to more than one interface (typically belonging to different nodes). A packet that is sent to an anycast address is routed to the nearest interface having that address. The packet's route is in compliance with the routing protocol's measure of distance.

asymmetric key cryptography

An encryption system in which the sender and receiver of a message use different keys to encrypt and decrypt the message. Asymmetric keys are used to establish a secure channel for symmetric key encryption. Diffie-Hellman is an example of an asymmetric key protocol. Contrast with symmetric key cryptography.

authentication header

An extension header that provides authentication and integrity (without confidentiality) to IP datagrams.


The process of a host automatically configuring its interfaces in IPv6.

bidirectional tunnel

A tunnel that can transmit datagrams in both directions.

binding table

A home agent table that associates a home address with a care-of address, including remaining lifetime and time granted.


Blowfish

A symmetric block cipher algorithm that takes a variable-length key from 32 bits to 448 bits. Its author, Bruce Schneier, claims that Blowfish is optimized for applications where the key does not change often.

care-of address

A mobile node's temporary address that is used as a tunnel exit point when the mobile node is connected to a foreign network.

Certificate Authority (CA)

A trusted third-party organization or company that issues digital certificates used to create digital signatures and public-private key pairs. The CA guarantees that the individual granted the unique certificate is who she or he claims to be.


DES

Data Encryption Standard. A symmetric-key encryption method developed in 1975 and standardized by ANSI in 1981 as ANSI X.3.92. DES uses a 56-bit key.

digital signature

A digital code that is attached to an electronically transmitted message that uniquely identifies the sender.


DSA

Digital Signature Algorithm. A public key algorithm with a variable key size from 512 to 1024 bits. It relies on SHA-1 for input.

Diffie-Hellman protocol

Also known as public key cryptography. An asymmetric cryptographic key agreement protocol that was developed by Diffie and Hellman in 1976. The protocol enables two users to exchange a secret key over an insecure medium without any prior secrets. Diffie-Hellman is used by the IKE protocol.

dual stack

In the context of IPv6 transition, a protocol stack that contains both IPv4 and IPv6, with the rest of the stack being identical.

encapsulating security header

An extension header that provides integrity and confidentiality to datagrams.


The process of a header and payload being placed in the first packet, which is subsequently placed in the second packet's payload.


The process of switching back network access to an interface that has its repair detected.


The process of switching network access from a failed interface to a good physical interface. Network access includes IPv4 unicast, multicast, and broadcast traffic, as well as IPv6 unicast and multicast traffic.

failure detection

The process of detecting when a NIC or the path from the NIC to some layer 3 device starts operating correctly after a failure.


Any device or software that protects an organization's private network or intranet from intrusion by external networks such as the Internet.

foreign agent

A router or server on the foreign network that the mobile node visits.

foreign network

Any network other than the mobile node's home network.

forward tunnel

A tunnel that starts at the home agent and terminates at the mobile node's care-of address.

Generic Routing Encapsulation (GRE)

An optional form of tunneling that can be supported by home agents, foreign agents, and mobile nodes. GRE enables a packet of any network-layer protocol to be encapsulated within a delivery packet of any other (or the same) network-layer protocol.

hash value

A number that is generated from a string of text. Hash functions are used to ensure that transmitted messages have not been tampered with. MD5 and SHA-1 are examples of one-way hash functions.


HMAC

Keyed hashing method for message authentication. HMAC is used with an iterative cryptographic hash function, such as MD5 or SHA-1, in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function.

home address

An IP address that is assigned for an extended period to a mobile node. The address remains unchanged when the node is attached elsewhere on the Internet or an organization's network.

home agent

A router or server on the home network of a mobile node.

home network

A network that has a network prefix that matches the network prefix of a mobile node's home address.


A measure that is used to identify the number of routers that separate two hosts. If three routers separate a source and destination, the hosts are four hops away from each other.


IKE

Internet Key Exchange. IKE automates the provision of authenticated keying material for IPsec security associations.

IP-in-IP encapsulation

The Internet-standard protocol for tunneling IPv4 packets within IPv4 packets.

IP link

A communication facility or medium over which nodes can communicate at the link layer. The link layer is the layer immediately below IPv4/IPv6. Examples include Ethernets (simple or bridged) or ATM networks. One or more IPv4 subnet numbers or prefixes are assigned to an IP link. A subnet number or prefix cannot be assigned to more than one IP link. In ATM LANE, an IP link is a single emulated LAN. When you use ARP, the scope of the ARP protocol is a single IP link.


IPsec

The security architecture (IPsec) that provides protection for IP datagrams.


IPv4

Internet Protocol, version 4. Sometimes referred to as IP. This version supports a 32-bit address space.


IPv6

Internet Protocol, version 6. This version supports a 128-bit address space.

key management

The way in which you manage security associations.

link-local-use address

A designation that is used for addressing on a single link for purposes such as automatic address configuration.

local-use address

A unicast address that has only local routability scope (within the subnet or within a subscriber network). This address also can have a local or global uniqueness scope.


MD5

An iterative cryptographic hash function that is used for message authentication, including digital signatures. The function was developed in 1991 by Rivest.

minimal encapsulation

An optional form of IPv4 in IPv4 tunneling that can be supported by home agents, foreign agents, and mobile nodes. Minimal encapsulation has 8 or 12 bytes less of overhead than does IP-in-IP encapsulation.

mobile node

A host or router that can change its point of attachment from one network to another network while maintaining all existing communications by using its IP home address.

mobility agent

Either a home agent or a foreign agent.

mobility binding

The association of a home address with a care-of address, along with the remaining lifetime of that association.

mobility security association

A collection of security measures, such as an authentication algorithm, between a pair of nodes, which are applied to Mobile IP protocol messages that are exchanged between the two nodes.


MTU

Maximum Transmission Unit. The size, given in octets, that can be transmitted over a link. For example, the MTU of an Ethernet is 1500 octets.

multicast address

An IP address that identifies a group of interfaces in a particular way. A packet that is sent to a multicast address is delivered to all of the interfaces in the group.

neighbor advertisement

A response to a neighbor solicitation message or the process of a node sending unsolicited neighbor advertisements to announce a link-layer address change.

neighbor discovery

An IP mechanism that enables hosts to locate other hosts that reside on an attached link.

neighbor solicitation

A solicitation that is sent by a node to determine the link-layer address of a neighbor. A neighbor solicitation also verifies that a neighbor is still reachable by a cached link-layer address.

Network Access Identifier (NAI)

A designation that uniquely identifies the mobile node in the format of user@domain.

network interface card (NIC)

Network adapter that is either internal or a separate card that serves as an interface to a link.


A host or a router.


A group of information that is transmitted as a unit over communications lines. Contains a header plus payload.

physical interface

A node's attachment to a link. This attachment is often implemented as a device driver plus a network adapter. Some network adapters can have multiple points of attachment, for example, qfe. The usage of network adapter in this document refers to a "single point of attachment."

physical interface group

The set of physical interfaces on a system that are connected to the same link. These interfaces are identified by assigning the same (non-null) character string name to all the physical interfaces in the group.

physical interface group name

A name that is assigned to a physical interface that identifies the group. The name is local to a system. Multiple physical interfaces, sharing the same group name, form a physical interface group.


PKI

Public Key Infrastructure. A system of digital certificates, Certificate Authorities, and other registration authorities that verify and authenticate the validity of each party involved in an Internet transaction.

private address

An IP address that is not routable through the Internet.

public key cryptography

A cryptographic system that uses two keys - a public key known to everyone and a private key known only to the recipient of the message. IKE provides public keys for IPsec.


In a router, to inform a host of a better first-hop node to reach a particular destination.


The process by which a mobile node registers its care-of address with its home agent and foreign agent when it is away from home.

repair detection

The process of detecting when a NIC or the path from the NIC to some layer 3 device starts operating correctly after a failure.

reverse tunnel

A tunnel that starts at the mobile node's care-of address and terminates at the home agent.

router advertisement

The process of routers advertising their presence together with various link and Internet parameters, either periodically or in response to a router solicitation message.

router discovery

The process of hosts locating routers that reside on an attached link.

router solicitation

The process of hosts requesting routers to generate router advertisements immediately, rather than at their next scheduled time.


RSA

A method for obtaining digital signatures and public-key cryptosystems. The method was first described in 1978 by its developers, Rivest, Shamir, and Adleman.


SADB

Security Associations Database. A table that specifies cryptographic keys and algorithms that are used in the transmission of data.

security associations

Associations that specify security properties from one host to another.

Security Parameter Index (SPI)

An integer that specifies the row in the security associations database (SADB) that a receiver should use to decrypt a received packet.

SHA-1 algorithm

Secure Hashing Algorithm. The algorithm operates on any input length less than 2^64 to produce a message digest. It is input to DSA.

site-local-use address

A designation that is used for addressing on a single site.


SPI

Security Parameters Index. An integer that specifies the row in the SADB that a receiver should use to decrypt a received packet.


A physical interface that is not used to carry data traffic unless some other physical interface has failed.

stateful autoconfiguration

The process of a host obtaining interface addresses, configuration information, and parameters from a server.

stateless autoconfiguration

The process of a host generating its own addresses by using a combination of locally available information and information that is advertised by routers.

symmetric key cryptography

An encryption system in which the sender and receiver of a message share a single, common key that is used to encrypt and decrypt the message. Symmetric keys are used to encrypt the bulk of data transmission in IPsec. DES is one example of a symmetric key system.


Triple-DES

Triple-Data Encryption Standard. A symmetric-key encryption method which provides a key length of 168 bits.


The path that is followed by a datagram while it is encapsulated.


The mechanism by which IPv6 packets are placed inside IPv4 packets and routed through the IPv4 routers. The term is specific to IPv6 only.

unicast address

An IP address that identifies a single interface.

Virtual Private Network (VPN)

A single, secure, logical network that uses tunnels across a public network such as the Internet.

visited network

A network other than a mobile node's home network, to which the mobile node is currently connected.

visitor list

The list of mobile nodes that are visiting a foreign agent.