
Security for Transparent Ready

GLOSSARY

Designation of the document: GLOSSARY
Project or system: STR PROJECT SECURITY FOR TRANSPARENT READY
Component: Others
Abstract: This document contains the GLOSSARY on security and TCP/IP protocol subjects
Edition of: 21 02 2002
Version: 2.1
Reference: 1 208 691
Internal dispatching
External dispatching
Written by: J.M. BRUN
Checked by: T. CHICHE
Approved by: JM BRUN / T. CHICHE
Visa: draft

Page 1 of 65

UPDATE TABLE

Issue/date | Written by | Version, modified pages | Origin and designation of the modification

1 REFERENCE DOCUMENTS ... 4
2 GLOSSARY AND ABBREVIATIONS ... 5
2.1 LIST OF TERMS BY THEME (CHOSEN TERMS) ... 5
2.1.1 Definition of Automation Cell, SCADA ... 5
2.1.2 Definition of network connection devices ... 6
2.1.2.1 Hub, Switch, Repeater, Bridge, Router, Gateway + (RIP, NAT) ... 6
2.1.2.2 Difference between VLAN switch function and routing function ... 11
2.1.3 Definition of security devices: Firewall and Proxy server ... 11
2.1.4 IP Protocol definitions ... 14
How ARP Works ... 16
2.1.5 IP Applications or functions definitions ... 18
2.1.6 Security definitions ... 20
2.1.7 WEB definitions ... 23
2.1.8 Other definition ... 25
2.2 LIST OF TERMS BY ALPHABETIC ORDER (COMPLETE LIST) ... 28
3 APPENDIX ... 62
3.1 HTTP CODE (OF HYPERTEXT TRANSFER PROTOCOL -- HTTP/1.1) ... 62
3.1.1 Safe and Idempotent Methods ... 62
3.1.2 Safe Methods ... 62
3.1.3 Idempotent Methods ... 62
3.1.4 OPTIONS ... 62
3.1.5 GET ... 63
3.1.6 HEAD ... 63
3.1.7 POST ... 63
3.1.8 PUT ... 64
3.1.9 DELETE ... 64
3.1.10 TRACE ... 65
3.1.11 CONNECT ... 65
3.2 FTP ... 65

1 REFERENCE DOCUMENTS

This document defines the acronyms, terms and vocabulary that are useful to master Transparent Ready network and security issues and their context. Moreover, some definitions are really necessary to make sure that everybody shares the same understanding. The topic scope is huge and complex; that is the reason why some definitions are possibly at the border of, or outside, the scope. Nevertheless, they are general culture around the topic. In the LIST OF TERMS BY THEME chapter, you will find detailed explanations about TCP/IP networking and about security. In the LIST OF TERMS BY ALPHABETIC ORDER chapter, you will find the complete list of terms around software, network, ... The terms are shortly described, and the explanations may be redundant with the previous chapter.

2 GLOSSARY AND ABBREVIATIONS

2.1 LIST OF TERMS BY THEME (CHOSEN TERMS)

2.1.1 Definition of Automation Cell, SCADA

AUTOMATION CELL: An automation cell is composed of all the resources (devices, computers, software applications and network(s)) that have to exchange information, including real-time information, to achieve an industrial task. This includes Level 1 (actuators, sensors) and Level 2 (PLC, process supervision) of the automation layers. It does not include resources (even automation software) located on the Intranet network (called remote access). Commonly, an automation cell is connected to the plant or Intranet network through a network connection component: a gateway (in the sense of an application gateway) and, more precisely, a router. This component is responsible for routing the communication data originating from or intended for the automation cell. It represents the border between the automation cell and the connected network. For remote diagnostics, an automation cell may be accessible through a PSTN connection: the remote client establishes a temporary connection using its modem and closes this connection after the intervention.

SCADA: SCADA (supervisory control and data acquisition) is a category of software application program for process control: the gathering of data in real time from remote locations in order to control equipment and conditions. SCADA is used in power plants as well as in oil and gas refining, telecommunications, transportation, and water and waste control. SCADA systems include hardware and software components. The hardware gathers and feeds data into a computer that has SCADA software installed. The computer then processes this data and presents it in a timely manner. SCADA also records and logs all events into a file stored on a hard disk or sends them to a printer. SCADA warns when conditions become hazardous by sounding alarms.


2.1.2 Definition of network connection devices

2.1.2.1 Hub, Switch, Repeater, Bridge, Router, Gateway + (RIP, NAT)

HUB:

[Figure: OSI layer stacks 3-2-1 | 3-2-1, Network A to Network A]

In general, a hub is the central part of a wheel where the spokes come together. The term is familiar to frequent fliers who travel through airport "hubs" to make connecting flights from one point to another. In data communications, a hub is a place of convergence where data arrives from one or more directions and is forwarded out in one or more other directions. A hub usually includes a switch of some kind. (And a product that is called a "switch" could usually be considered a hub as well.) The distinction seems to be that the hub is the place where data comes together and the switch is what determines how and where data is forwarded from the place where data comes together. Regarded in its switching aspects, a hub can also include a router.

1) In describing network topologies, a hub topology consists of a backbone (main circuit) to which a number of outgoing lines can be attached ("dropped"), each providing one or more connection ports for devices to attach to. For Internet users not connected to a local area network, this is the general topology used by your access provider. Other common network topologies are the bus network and the ring network. (Either of these could possibly feed into a hub network, using a bridge.)

2) As a network product, a hub may include a group of modem cards for dial-in users, a gateway card for connections to a local area network (for example, an Ethernet or a token ring), and a connection to a line (the main line in this example).

SWITCH:

[Figure: OSI layer stacks 3-2-1 | 3-2-1, Network A to Network A]

In telecommunications, a switch is a network device that selects a path or circuit for sending a unit of data to its next destination. A switch may also include the function of a router, a device or program that can determine the route and specifically what adjacent network point the data should be sent to. In general, a switch is a simpler and faster mechanism than a router, which requires knowledge about the network and how to determine the route. Relative to the layered Open Systems Interconnection (OSI) communication model, a switch is usually associated with layer 2, the Data-Link Layer. However, some newer switches also perform the routing functions of layer 3, the Network Layer. Layer 3 switches are also sometimes called IP switches. On larger networks, the trip from one switch point to another in the network is called a hop. The time a switch takes to figure out where to forward a data unit is called its latency. The price paid for the flexibility that switches provide in a network is this latency. Switches are found at the backbone and gateway levels of a network, where one network connects with another, and at the subnetwork level, where data is being forwarded close to its destination or origin. The former are often known as core switches and the latter as desktop switches. In the simplest networks, a switch is not required for messages that are sent and received within the network. For example, a local area network may be organized in a token ring or bus arrangement in which each possible destination inspects each message and reads any message with its address.

Circuit-Switching versus Packet-Switching

A network's paths can be used exclusively for a certain duration by two or more parties and then switched for use by another set of parties. This type of "switching" is known as circuit-switching and is really a dedicated and continuously connected path for its duration. Today, an ordinary voice phone call generally uses circuit-switching. Most data today is sent, using digital signals, over networks that use packet-switching. Using packet-switching, all network users can share the same paths at the same time, and the particular route a data unit travels can be varied as conditions change. In packet-switching, a message is divided into packets, which are units of a certain number of bytes. The network addresses of the sender and of the destination are added to each packet. Each network point looks at the packet to see where to send it next. Packets in the same message may travel different routes and may not arrive in the same order that they were sent. At the destination, the packets in a message are collected and reassembled into the original message.

REPEATER:
[Figure: OSI layer stacks 2-1 | 2-1, Network A to Network B]

A hardware device that extends a LAN. A repeater copies electrical signals from one physical network to another.

BRIDGE:
[Figure: OSI layer stacks 3-2-1 | 3-2-1, Network A to Network B]

In telecommunication networks, a bridge is a product that connects a local area network (LAN) to another local area network that uses the same protocol (for example, Ethernet or token ring). You can envision a bridge as being a device that decides whether a message from you to someone else is going to the local area network in your building or to someone on the local area network in the building across the street. A bridge examines each message on a LAN, "passing" those known to be within the same LAN, and forwarding those known to be on the other interconnected LAN (or LANs). In bridging networks, computer or node addresses have no specific relationship to location. For this reason, messages are sent out to every address on the network and accepted only by the intended destination node. Bridges learn which addresses are on which network and develop a learning table so that subsequent messages can be forwarded to the right network. Bridging networks are generally interconnected local area networks, since broadcasting every message to all possible destinations would flood a larger network with unnecessary traffic. For this reason, router networks such as the Internet use a scheme that assigns addresses to nodes so that a message or packet can be forwarded only in one general direction rather than in all directions. A bridge works at the data-link (physical network) level of a network, copying a data frame from one network to the next network along the communications path. A bridge is sometimes combined with a router in a product called a brouter. Bridges differ from routers because bridges use physical (MAC) addresses, while routers use IP addresses.

ROUTER:
[Figure: OSI layer stacks 3-2-1 | 3-2-1, Network A to Network B]

On the Internet, a router is a device or, in some cases, software in a computer, that determines the next network point to which a packet should be forwarded toward its destination. The router is connected to at least two networks and decides which way to send each information packet based on its current understanding of the state of the networks it is connected to. A router is located at any gateway (where one network meets another), including each Internet point-of-presence. A router is often included as part of a network switch. A router may create or maintain a table of the available routes and their conditions and use this information, along with distance and cost algorithms, to determine the best route for a given packet. Typically, a packet may travel through a number of network points with routers before arriving at its destination. Routing is a function associated with the Network layer (layer 3) in the standard model of network programming, the Open Systems Interconnection (OSI) model. A layer-3 switch is a switch that can perform routing functions. An edge router is a router that interfaces with an asynchronous transfer mode (ATM) network. A brouter is a network bridge combined with a router.

GATEWAY:

[Figure: OSI layer stacks 7-6-5-4-3-2-1 | 7-6-5-4-3-2-1, Network A to Network B]

A gateway is a network point that acts as an entrance to another network. On the Internet, a node or stopping point can be either a gateway node or a host (end-point) node. Both the computers of Internet users and the computers that serve pages to users are host nodes. The computers that control traffic within your company's network or at your local Internet service provider (ISP) are gateway nodes. In the network of an enterprise, a computer server acting as a gateway node is often also acting as a proxy server and a firewall server. A gateway is often associated with both a router, which knows where to direct a given packet of data that arrives at the gateway, and a switch, which furnishes the actual path in and out of the gateway for a given packet. In the Schneider area, "gateway" is often used in the meaning of Application Bridge.

RIP: RIP (Routing Information Protocol) is a widely-used protocol for managing router information within a self-contained network such as a corporate local area network (LAN) or an interconnected group of such LANs. RIP is classified by the Internet Engineering Task Force (IETF) as one of several Interior Gateway Protocols. Using RIP, a gateway host (with a router) sends its entire routing table (which lists all the other hosts it knows about) to its closest neighbor host every 30 seconds. The neighbor host in turn passes the information on to its next neighbor, and so on, until all hosts within the network have the same knowledge of routing paths, a state known as network convergence. RIP uses a hop count as a way to determine network distance. (Other protocols use more sophisticated algorithms that include timing as well.) Each host with a router in the network uses the routing table information to determine the next host to route a packet to for a specified destination. RIP is considered an effective solution for small homogeneous networks. For larger, more complicated networks, RIP's transmission of the entire routing table every 30 seconds may put a heavy amount of extra traffic on the network. The major alternative to RIP is the Open Shortest Path First protocol (OSPF).

NAT: NAT (Network Address Translation) is the translation of an Internet Protocol address (IP address) used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. Typically, a company maps its local inside network addresses to one or more global outside IP addresses and unmaps the global IP addresses on incoming packets back into local IP addresses. This helps ensure security, since each outgoing or incoming request must go through a translation process that also offers the opportunity to qualify or authenticate the request or to match it to a previous request. NAT also conserves the number of global IP addresses that a company needs, and it lets the company use a single IP address in its communication with the world.
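The translation process just described, as an added Python example that is not part of the glossary: a small NAT table with a static binding, a dynamic pool and port-based sharing of one global address, where an inbound packet is rewritten only if it matches a static binding or a mapping that an earlier outbound packet created. All addresses, ports and the class itself are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Only the IP/TCP fields that NAT rewrites (constructed for this example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# (local_ip, local_port, remote_ip, remote_port) identifies one inside conversation
Conversation = Tuple[str, int, str, int]


@dataclass
class NatTable:
    """Inside/outside translation table with the three mapping kinds the text lists."""
    # Static: one local IP permanently bound to one global IP (ports untouched).
    static: Dict[str, str] = field(default_factory=dict)
    # Dynamic: global IPs handed out from a pool on first outbound use.
    pool: List[str] = field(default_factory=list)
    # Port-based (PAT): local IP + port share one global IP, told apart by port.
    pat_ip: Optional[str] = None
    pat_first_port: int = 40000
    dynamic: Dict[str, str] = field(default_factory=dict)           # local -> global
    pat_out: Dict[Conversation, int] = field(default_factory=dict)  # conversation -> global port
    pat_in: Dict[int, Conversation] = field(default_factory=dict)   # global port -> conversation

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Local -> global rewrite for a packet leaving the inside network.
        Returns None when no mapping can be made, i.e. the packet is dropped."""
        local = pkt.src_ip
        if local in self.static:
            return Packet(self.static[local], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if local not in self.dynamic and self.pool:
            self.dynamic[local] = self.pool.pop(0)        # claim a pool address
        if local in self.dynamic:
            return Packet(self.dynamic[local], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if self.pat_ip is not None:
            conv = (local, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if conv not in self.pat_out:                  # new conversation: allocate a port
                gport = self.pat_first_port + len(self.pat_out)
                self.pat_out[conv] = gport
                self.pat_in[gport] = conv
            return Packet(self.pat_ip, self.pat_out[conv], pkt.dst_ip, pkt.dst_port)
        return None

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Global -> local rewrite for a packet arriving from the outside.
        Only a static binding, a dynamic address already claimed by an inside
        host, or a PAT entry created by an earlier outbound packet of the same
        conversation is accepted; everything else is dropped (None)."""
        for table in (self.static, self.dynamic):
            for local, glob in table.items():
                if glob == pkt.dst_ip:
                    return Packet(pkt.src_ip, pkt.src_port, local, pkt.dst_port)
        if pkt.dst_ip == self.pat_ip and pkt.dst_port in self.pat_in:
            local_ip, local_port, remote_ip, remote_port = self.pat_in[pkt.dst_port]
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return Packet(pkt.src_ip, pkt.src_port, local_ip, local_port)
        return None


def demo() -> Dict[str, Optional[Packet]]:
    """Walk a few constructed packets through the table (sample addresses only)."""
    nat = NatTable(static={"10.0.0.5": "203.0.113.5"},
                   pool=["203.0.113.10"], pat_ip="203.0.113.1")
    web = ("198.51.100.7", 80)
    results = {
        "static_out": nat.outbound(Packet("10.0.0.5", 1234, *web)),
        "pool_out": nat.outbound(Packet("10.0.0.20", 5000, *web)),
        "pat_out_1": nat.outbound(Packet("10.0.0.21", 5000, *web)),   # pool is now empty
        "pat_out_2": nat.outbound(Packet("10.0.0.22", 5000, *web)),
    }
    results["pat_reply"] = nat.inbound(Packet(*web, "203.0.113.1", 40000))
    results["pat_wrong_peer"] = nat.inbound(Packet("198.51.100.8", 80, "203.0.113.1", 40000))
    results["unsolicited"] = nat.inbound(Packet(*web, "203.0.113.1", 40005))
    results["static_in"] = nat.inbound(Packet(*web, "203.0.113.5", 22))
    return results


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:15s} {'dropped' if pkt is None else pkt}")
```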

NAT is included as part of a router and is often part of a corporate firewall. Network administrators create a NAT table that does the global-to-local and local-to-global IP address mapping. NAT can also be used in conjunction with policy routing. NAT can be statically defined, or it can be set up to dynamically translate from and to a pool of IP addresses. Cisco's version of NAT lets an administrator create tables that map:
- a local IP address to one global IP address, statically;
- a local IP address to any of a rotating pool of global IP addresses that a company may have;
- a local IP address plus a particular TCP port to a global IP address or to one in a pool of them;
- a global IP address to any of a pool of local IP addresses, on a round-robin basis.

NAT is described in general terms in RFC 1631, which discusses NAT's relationship to Classless Interdomain Routing (CIDR) as a way to reduce the IP address depletion problem. NAT reduces the need for a large number of publicly known IP addresses by creating a separation between publicly known and privately known IP addresses. CIDR aggregates publicly known IP addresses into blocks so that fewer IP addresses are wasted. In the end, both extend the use of IPv4 addresses for a few more years before IPv6 is generally supported.

Spanning Tree Protocol: Where two bridges are used to interconnect the same two computer network segments, spanning tree is a protocol that allows the bridges to exchange information so that only one of them will handle a given message that is being sent between two computers within the network. The spanning tree protocol prevents the condition known as a bridge loop. In a local area network (LAN) such as an Ethernet or token ring network, computers compete for the ability to use the shared telecommunications path at any given time. If too many computers try to send at the same time, the overall performance of the network can be affected, even to the point of bringing all traffic to a near halt.

To make this possibility less likely, the local area network can be divided into two or more network segments with a device called a bridge connecting any two segments. Each message (called a frame) goes through the bridge before being sent to the intended destination. The bridge determines whether the message is for a destination within the same segment as the sender's or for the other segment, and forwards it accordingly. A bridge does nothing more than look at the destination address and, based on its understanding of the two segments (which computers are on which segments), forward it on the right path (which means to the correct outgoing port). The benefit of network segmentation (and the bridge) is that the amount of competition for use of the network path is reduced by half (assuming each segment has the same number of computers), and the possibility of the network coming to a halt is significantly reduced. Each bridge learns which computers are on which segment by sending any first-time message to both segments (this is known as flooding) and then noticing and recording the segment from which a computer replied to the message. Gradually, the bridge builds a picture for itself of which computers are in which segments. When second and subsequent messages are sent, the bridge can use its table to determine which segment to forward them to. The approach of allowing the bridge to learn the network through experience is known as transparent bridging (meaning that bridging does not require setup by an administrator). It is typical to add a second bridge between two segments as a backup in case the primary bridge fails. Both bridges need to continually understand the topology of the network, even though only one is actually forwarding messages. And both bridges need to have some way to understand which bridge is the primary one.

To do this, they have a separate path connection just between the bridges in which they exchange information, using bridge protocol data units (BPDUs). The program in each bridge that allows it to determine how to use the protocol is known as the spanning tree algorithm. The algorithm is specifically constructed to avoid bridge loops (multiple paths linking one segment to another, resulting in an infinite loop situation). The algorithm is responsible for a bridge using only the most efficient path when faced with multiple paths. If the best path fails, the algorithm recalculates the network and finds the next best route.

The spanning tree algorithm determines the network (which computer hosts are in which segment), and this data is exchanged using Bridge Protocol Data Units (BPDUs). It is broken down into two steps. Step 1: The algorithm determines the best message a bridge can send by evaluating the configuration messages it has received and choosing the best option. Step 2: Once it selects the top message for a particular bridge to send, it compares its choice with possible configuration messages from the non-root connections it has. If the best option from step 1 is not better than what it receives from the non-root connections, it prunes that port. The spanning tree protocol and algorithm were developed by a committee of the IEEE. Currently, the IEEE is attempting to institute enhancements to the spanning tree algorithm that will reduce network recovery time. The goal is to go from 30 to 60 seconds after a failure or change in link status to less than 10 seconds. The enhancement, called Rapid Reconfiguration or Fast Spanning Tree, would cut down on data loss and session timeouts when large Ethernet networks recover after a topology change or a device failure.
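The learning table from the bridge definition and the two-step spanning tree decision described above, as an added Python example (not the glossary's own material): a transparent bridge that learns, floods and filters, and a function that classifies each port as root, designated or blocked from the best BPDU heard on it. Bridge IDs, port numbers, MAC addresses and the three-bridge triangle are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningBridge:
    """Transparent bridge: learns which port (segment) each source address was
    seen on, floods frames for unknown or broadcast destinations, forwards known
    destinations out of one port, and filters frames that stay on their segment."""

    def __init__(self, ports: List[int]) -> None:
        self.ports = list(ports)
        self.table: Dict[str, int] = {}          # MAC address -> port last seen on

    def receive(self, in_port: int, src: str, dst: str) -> List[int]:
        """Return the ports the frame is sent out of."""
        self.table[src] = in_port                # learn (or refresh) the source
        out = self.table.get(dst)
        if dst == BROADCAST or out is None:      # unknown destination: flood
            return [p for p in self.ports if p != in_port]
        if out == in_port:                       # same segment: do not forward
            return []
        return [out]


@dataclass(frozen=True, order=True)
class Bpdu:
    """Configuration BPDU fields in comparison order; lower wins at each field."""
    root_id: int      # bridge ID the sender believes is the root
    root_cost: int    # sender's path cost to that root
    bridge_id: int    # sender's own bridge ID
    port_id: int      # sender's port


def port_roles(my_id: int, heard: Dict[int, Optional[Bpdu]],
               link_cost: int = 1) -> Dict[int, str]:
    """Apply the two steps from the text to one bridge.

    heard maps each of the bridge's ports to the best BPDU received there
    (None if nothing was heard). Step 1: pick the best received BPDU; it names
    the root and our root port, and our own BPDU is derived from it. Step 2:
    on every other port compare our BPDU with the one heard there; if ours is
    not better, that port is pruned ("blocked"), otherwise it is "designated".
    """
    root_port, best = None, None
    for port, bpdu in heard.items():
        if bpdu is not None and (best is None or bpdu < best):
            root_port, best = port, bpdu
    own = Bpdu(my_id, 0, my_id, 0)               # claim to be root unless outranked
    if best is not None and best.root_id < my_id:
        own = Bpdu(best.root_id, best.root_cost + link_cost, my_id, 0)
    we_are_root = own.root_id == my_id
    roles: Dict[int, str] = {}
    for port, bpdu in heard.items():
        if not we_are_root and port == root_port:
            roles[port] = "root"
        elif bpdu is None or Bpdu(own.root_id, own.root_cost, my_id, port) < bpdu:
            roles[port] = "designated"
        else:
            roles[port] = "blocked"
    return roles


def triangle_demo() -> Dict[int, Dict[int, str]]:
    """Constructed topology: bridges 1, 2, 3 with links 1-2 (port 1 on both),
    1-3 (bridge 1 port 2, bridge 3 port 1) and 2-3 (port 2 on both).
    The BPDUs are what each bridge hears once the others have converged on
    bridge 1 as root; the 2-3 link must end up blocked at bridge 3."""
    heard = {
        1: {1: Bpdu(1, 1, 2, 1), 2: Bpdu(1, 1, 3, 1)},
        2: {1: Bpdu(1, 0, 1, 1), 2: Bpdu(1, 1, 3, 2)},
        3: {1: Bpdu(1, 0, 1, 2), 2: Bpdu(1, 1, 2, 2)},
    }
    return {bid: port_roles(bid, ports) for bid, ports in heard.items()}


if __name__ == "__main__":
    b = LearningBridge([1, 2, 3])
    print(b.receive(1, "aa:aa", "bb:bb"), b.receive(2, "bb:bb", "aa:aa"))
    print(triangle_demo())
```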

2.1.2.2 Difference between VLAN switch function and routing function

VLAN: A virtual (or logical) LAN is a local area network with a definition that maps workstations on some other basis than geographic location (for example, by department, type of user, or primary application). The virtual LAN controller can change or add workstations and manage load balancing and bandwidth allocation more easily than with a physical picture of the LAN. Network management software keeps track of relating the virtual picture of the local area network with the actual physical picture. VLANs are considered likely to be used with campus environment networks. Among companies likely to provide products with VLAN support are Cisco, Bay Networks, and 3Com. The VLAN function is implemented in switch products, and VLANs are based on MAC addresses (Layer 2): if we want to filter on IP addresses (Layer 3), we need router products.

2.1.3 Definition of security devices: Firewall and Proxy server

PROXY SERVER: In an enterprise that uses the Internet, a proxy server is a server that acts as an intermediary between a workstation user and the Internet so that the enterprise can ensure security, administrative control, and caching service. A proxy server is associated with, or part of, a gateway server that separates the enterprise network from the outside network and a firewall server that protects the enterprise network from outside intrusion. A proxy server receives a request for an Internet service (such as a Web page request) from a user. If it passes filtering requirements, the proxy server, assuming it is also a cache server, looks in its local cache of previously downloaded Web pages. If it finds the page, it returns it to the user without needing to forward the request to the Internet. If the page is not in the cache, the proxy server, acting as a client on behalf of the user, uses one of its own IP addresses to request the page from the server out on the Internet. When the page is returned, the proxy server relates it to the original request and forwards it on to the user.

To the user, the proxy server is invisible; all Internet requests and returned responses appear to be directly with the addressed Internet server. (The proxy is not quite invisible; its IP address has to be specified as a configuration option to the browser or other protocol program.) An advantage of a proxy server is that its cache can serve all users. If one or more Internet sites are frequently requested, these are likely to be in the proxy's cache, which improves user response time. In fact, there are special servers called cache servers. A proxy can also do logging. The functions of proxy, firewall, and caching can be in separate server programs or combined in a single package. Different server programs can be in different computers. For example, a proxy server may be in the same machine as a firewall server, or it may be on a separate server and forward requests through the firewall.

REVERSE PROXY: Reverse proxy is the name for certain alternate uses of a proxy server. It can be used outside the firewall to represent a secure content server to outside clients, preventing direct, unmonitored access to your server's data from outside your company. It can also be used for replication; that is, multiple proxies can be attached in front of a heavily used server for load balancing.

How Reverse Proxying Works

Reverse proxying with Netscape Proxy Server uses caching features to provide load balancing on a heavily used server. This model of reverse proxying differs from conventional proxy usage in that it does not operate strictly on a firewall.

Proxy as a Stand-in for a Server

If you have a content server that holds sensitive information that must remain secure, such as a database of credit card numbers, you can set up a proxy outside the firewall as a stand-in for your content server. When outside clients try to access the content server, they are sent to the proxy server instead. The real content resides on your content server, safely inside the firewall. The proxy server resides outside the firewall and appears to the client to be the content server. When a client makes a request to your site, the request goes to the proxy server. The proxy server then sends the client's request through a specific passage in the firewall to the content server. The content server passes the result through the passage back to the proxy. The proxy sends the retrieved information to the client, as if the proxy were the actual content server (see Figure 7.1). If the content server returns an error message, the proxy server can intercept the message and change any URLs listed in the headers before sending the message to the client. This prevents external clients from getting redirection URLs to the internal content server.

In this way, the proxy provides an additional barrier between the secure database and the possibility of malicious attack. In the unlikely event of a successful attack, the perpetrator is more likely to be restricted to only the information involved in a single transaction, as opposed to having access to the entire database. The unauthorized user cannot get to the real content server because the firewall passage allows only the proxy server to have access.

Figure 7.1 A reverse proxy appears to be the real content server.

You can configure the firewall router to allow a specific server on a specific port (in this case, the proxy on its assigned port) to have access through the firewall without allowing any other machines in or out.
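The header rewriting described for the stand-in proxy, as an added Python example that is not part of the glossary or of the Netscape product it cites: before relaying an upstream response, every URL-carrying header that points at the internal content server is mapped onto the public origin, so a redirect never leaks the internal name and port. The internal and public origin names and the sample response are assumptions constructed for the example.

```python
from typing import List, Tuple
from urllib.parse import urlsplit, urlunsplit

# Assumed names: the content server behind the firewall and the public name
# under which the reverse proxy answers (neither comes from the glossary).
INTERNAL_ORIGIN = "http://content.internal.example:8080"
PUBLIC_ORIGIN = "https://www.example.com"

# Response headers whose value is a URL the client will follow or expose.
URL_HEADERS = {"location", "content-location"}


def rewrite_url(url: str) -> str:
    """Map a URL on the internal origin onto the public origin; leave others alone."""
    parts, internal = urlsplit(url), urlsplit(INTERNAL_ORIGIN)
    if (parts.scheme, parts.netloc) != (internal.scheme, internal.netloc):
        return url                               # relative, or some other host
    public = urlsplit(PUBLIC_ORIGIN)
    return urlunsplit((public.scheme, public.netloc, parts.path, parts.query, parts.fragment))


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a raw HTTP/1.1 response into status line, header pairs and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers, body


def rewrite_response(raw: str) -> str:
    """What the proxy does before relaying an upstream response: rewrite every
    URL-carrying header that points at the internal server so the client only
    ever sees the public name and port. Other headers and the body pass through."""
    status, headers, body = parse_response(raw)
    fixed = []
    for name, value in headers:
        if name.lower() in URL_HEADERS:
            value = rewrite_url(value)
        fixed.append(f"{name}: {value}")
    return "\r\n".join([status, *fixed]) + "\r\n\r\n" + body


# Constructed upstream response: a redirect that would leak the internal origin.
SAMPLE_UPSTREAM = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://content.internal.example:8080/account?id=7\r\n"
    "Content-Location: http://content.internal.example:8080/account.html\r\n"
    "Server: ContentServer/1.0\r\n"
    "\r\n"
    "Redirecting..."
)

if __name__ == "__main__":
    print(rewrite_response(SAMPLE_UPSTREAM))
```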

Page 12 of 65

Security for Transparent Ready

GLOSSARY
Proxying for Load Balancing

You can use multiple proxy servers within an organization to balance the network load among web servers. This model lets you take advantage of the caching features of the proxy server to create a server pool for load balancing. In this case, the proxy servers can be on either side of the firewall. If you have a web server that receives a high number of requests per day, you could use proxy servers to take the load off the web server and make the network access more efficient.

The proxy servers act as go-betweens for client requests to the real server. The proxy servers cache the requested documents. If there is more than one proxy server, DNS can route the requests randomly using a "round-robin" selection of their IP addresses. The client uses the same URL each time, but the route the request takes might go through a different proxy each time.

The advantage of using multiple proxies to handle requests to one heavily used content server is that the server can handle a heavier load, and more efficiently than it could alone. After an initial start-up period in which the proxies retrieve documents from the content server for the first time, the number of requests to the content server can drop dramatically. Only CGI requests and occasional new requests must go all the way to the content server. The rest can be handled by a proxy.

Here's an example. Suppose that 90% of the requests to your server are not CGI requests (which means they can be cached), and that your content server receives 2 million hits per day. In this situation, if you connect three reverse proxies, and each of them handles 2 million hits per day, about 6 million hits per day would then be possible. The 10% of requests that reach the content server could add up to about 200,000 hits from each proxy per day, or only 600,000 total, which is far more efficient. The number of hits could increase from around 2 million to 6 million, and the load on the content server could decrease correspondingly from 2 million to 600,000. Your actual results would depend upon your situation.

Figure 7.2 Proxy used for load balancing

FIREWALL: A firewall is a set of related programs, located at a network gateway server, that protects the resources of a private network from users from other networks. (The term also implies the security policy that is used with the programs.) An enterprise with an intranet that allows its workers access to the wider Internet installs a firewall to prevent outsiders from accessing its own private data resources and for controlling what outside resources its own users have access to.

Basically, a firewall, working closely with a router program, examines each network packet to determine whether to forward it toward its destination. A firewall also includes or works with a proxy server that makes network requests on behalf of workstation users. A firewall is often installed in a specially designated computer separate from the rest of the network so that no incoming request can get directly at private network resources.

There are a number of firewall screening methods. A simple one is to screen requests to make sure they come from acceptable (previously identified) domain names and Internet Protocol addresses. For mobile users, firewalls allow remote access in to the private network by the use of secure logon procedures and authentication certificates.

A number of companies make firewall products. Features include logging and reporting, automatic alarms at given thresholds of attack, and a graphical user interface for controlling the firewall.

2.1.4 IP Protocol definitions

IP address:
This definition is based on Internet Protocol Version 4. See Internet Protocol Version 6 (IPv6) for a description of the newer 128-bit IP address. Note that the system of IP address classes described here, while forming the basis for IP address assignment, is generally bypassed today by use of Classless Inter-Domain Routing (CIDR) addressing.

In the most widely installed level of the Internet Protocol (IP) today, an IP address is a 32-bit number that identifies each sender or receiver of information that is sent in packets across the Internet. When you request an HTML page or send e-mail, the Internet Protocol part of TCP/IP includes your IP address in the message (actually, in each of the packets if more than one is required) and sends it to the IP address that is obtained by looking up the domain name in the Uniform Resource Locator you requested or in the e-mail address you're sending a note to. At the other end, the recipient can see the IP address of the Web page requestor or the e-mail sender and can respond by sending another message using the IP address it received.

An IP address has two parts: the identifier of a particular network on the Internet and an identifier of the particular device (which can be a server or a workstation) within that network. On the Internet itself - that is, between the routers that move packets from one point to another along the route - only the network part of the address is looked at.

The Network Part of the IP Address

The Internet is really the interconnection of many individual networks (it's sometimes referred to as an internetwork). So the Internet Protocol (IP) is basically the set of rules for one network communicating with any other (or occasionally, for broadcast messages, all other networks). Each network must know its own address on the Internet and that of any other networks with which it communicates. To be part of the Internet, an organization needs an Internet network number, which it can request from the Network Information Center (NIC). This unique network number is included in any packet sent out of the network onto the Internet.

The Local or Host Part of the IP Address

In addition to the network address or number, information is needed about which specific machine or host in a network is sending or receiving a message. So the IP address needs both the unique network number and a host number (which is unique within the network). (The host number is sometimes called a local or machine address.) Part of the local address can identify a subnetwork or subnet address, which makes it easier for a network that is divided into several physical subnetworks (for example, several different local area networks or ) to handle many devices.

IP Address Classes and Their Formats

Since networks vary in size, there are four different address formats or classes to consider when applying to NIC for a network number:
Class A addresses are for large networks with many devices.
Class B addresses are for medium-sized networks.
Class C addresses are for small networks (fewer than 256 devices).
Class D addresses are multicast addresses.

The first few bits of each IP address indicate which of the address class formats it is using. The address structures look like this:

Class A   0      Network (7 bits)     Local address (24 bits)
Class B   10     Network (14 bits)    Local address (16 bits)
Class C   110    Network (21 bits)    Local address (8 bits)
Class D   1110   Multicast address (28 bits)

The IP address is usually expressed as four decimal numbers, each representing eight bits, separated by periods. This is sometimes known as the dot address and, more technically, as dotted quad notation. For Class A IP addresses, the numbers would represent "network.local.local.local"; for a Class C IP address, they would represent "network.network.network.local". The number version of the IP address can (and usually is) represented by a name or series of names called the domain name.

The Internet's explosive growth makes it likely that, without some new architecture, the number of possible network addresses using the scheme above would soon be used up (at least, for Class C network addresses). However, a new IP version, IPv6, expands the size of the IP address to 128 bits, which will accommodate a large growth in the number of network addresses. For hosts still using IPv4, the use of subnets in the host or local part of the IP address will help reduce new applications for network numbers. In addition, most sites on today's mostly IPv4 Internet have gotten around the Class C network address limitation by using the Classless Inter-Domain Routing (CIDR) scheme for address notation.

Relationship of the IP Address to the Physical Address

The machine or physical address used within an organization's local area networks may be different than the Internet's IP address. The most typical example is the 48-bit Ethernet address. TCP/IP includes a facility called the Address Resolution Protocol (ARP) that lets the administrator create a table that maps IP addresses to physical addresses. The table is known as the ARP cache.

Static versus Dynamic IP Addresses

The discussion above assumes that IP addresses are assigned on a static basis. In fact, many IP addresses are assigned dynamically from a pool. Many corporate networks and online services economize on the number of IP addresses they use by sharing a pool of IP addresses among a large number of users. If you're an America Online user, for example, your IP address will vary from one logon session to the next because AOL is assigning it to you from a pool that is much smaller than AOL's base of subscribers.

MAC address: On a local area network (LAN) or other network, the MAC (Media Access Control) address is your computer's unique hardware number. (On an Ethernet LAN, it's the same as your Ethernet address.) When you're connected to the Internet from your computer (or host as the Internet protocol thinks of it), a correspondence table relates your IP address to your computer's physical (MAC) address on the LAN. The MAC address is used by the Media Access Control sublayer of the Data-Link Layer (DLC) layer of telecommunication protocol. There is a different MAC sublayer for each physical device type. The other sublayer level in the DLC layer is the Logical Link Control sublayer.
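The classful layout given under "IP Address Classes and Their Formats" above, worked through in code as an added example (not part of the original glossary): the leading bits of the first octet select the class, the class fixes how many bits are network number and how many are host number, and the CIDR helper at the end shows the contrast the entry mentions, where a prefix length replaces the class bits. The sample addresses are constructed; the class E branch (leading bits 1111) is a reserved range the glossary entry does not cover and is included only so every input gets an answer.

```python
import ipaddress


def ipv4_class(addr: str) -> str:
    """Classify by the leading bits of the first octet: 0 -> A, 10 -> B, 110 -> C, 1110 -> D."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet >> 7 == 0b0:
        return "A"
    if first_octet >> 6 == 0b10:
        return "B"
    if first_octet >> 5 == 0b110:
        return "C"
    if first_octet >> 4 == 0b1110:
        return "D"
    return "E"   # 1111...: reserved range, not part of the four classes described above


# Host ("local address") bits per class, from the address structures in the entry.
HOST_BITS = {"A": 24, "B": 16, "C": 8}


def split_classful(addr: str):
    """Return (class, network address in dotted form, host number).

    Class D has no network/host split, so its 28-bit multicast group id is returned
    as the third element; class E returns None for both."""
    cls = ipv4_class(addr)
    value = int(ipaddress.IPv4Address(addr))
    if cls == "D":
        return cls, None, value & ((1 << 28) - 1)
    if cls == "E":
        return cls, None, None
    host_bits = HOST_BITS[cls]
    host_mask = (1 << host_bits) - 1
    network = value & ~host_mask & 0xFFFFFFFF          # host bits zeroed
    return cls, str(ipaddress.IPv4Address(network)), value & host_mask


def cidr_split(cidr: str):
    """CIDR equivalent: the explicit prefix length, not the first bits, decides the split."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    host = int(iface.ip) - int(net.network_address)
    return str(net), host


if __name__ == "__main__":
    for sample in ("10.1.2.3", "172.16.5.9", "192.168.1.77", "224.0.0.1"):
        print(sample, split_classful(sample))
    # The same address under CIDR with a /22 prefix lands in a different network.
    print("172.16.5.9/22", cidr_split("172.16.5.9/22"))
```

Note that `172.16.5.9` is a class B address (network 172.16.0.0, host 1289), but under CIDR with a /22 prefix the same address belongs to 172.16.4.0/22 with host offset 265; the class bits play no role once a prefix length is given.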
IPV6: IPv6 (Internet Protocol Version 6) is the latest level of the Internet Protocol (IP) and is now included as part of IP support in many products including the major computer operating systems. IPv6 has also been called "IPng" (IP Next Generation). Formally, IPv6 is a set of specifications from the Internet Engineering Task Force (IETF). IPv6 was designed as an evolutionary set of improvements to the current IP Version 4. Network hosts and intermediate nodes with either IPv4 or IPv6 can handle packets formatted for either level of the Internet Protocol. Users and service providers can update to IPv6 independently without having to coordinate with each other.

The most obvious improvement in IPv6 over IPv4 is that IP addresses are lengthened from 32 bits to 128 bits. This extension anticipates considerable future growth of the Internet and provides relief for what was perceived as an impending shortage of network addresses. IPv6 describes rules for three types of addressing: unicast (one host to one other host), anycast (one host to the nearest of multiple hosts), and multicast (one host to multiple hosts).

Additional advantages of IPv6 are:
Options are specified in an extension to the header that is examined only at the destination, thus speeding up overall network performance.
The introduction of an "anycast" address provides the possibility of sending a message to the nearest of several possible gateway hosts with the idea that any one of them can manage the forwarding of the packet to others. Anycast messages can be used to update routing tables along the line.
Packets can be identified as belonging to a particular "flow" so that packets that are part of a multimedia presentation that needs to arrive in "real time" can be provided a higher quality-of-service relative to other customers.
The IPv6 header now includes extensions that allow a packet to specify a mechanism for authenticating its origin, for ensuring data integrity, and for ensuring privacy.

ARP : Address Resolution Protocol Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address that is recognized in the local network. For example, in IP Version 4, the most common level of IP in use today, an address is 32 bits long. In an Ethernet local area network, however, addresses for attached devices are 48 bits long. (The physical machine address is also known as a Media Access Control or MAC address.) A table, usually called the ARP cache, is used to maintain a correlation between each MAC address and its corresponding IP address. ARP provides the protocol rules for making this correlation and providing address conversion in both directions.
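The ARP packet that carries this IP-to-MAC correlation, built and parsed in code, together with a minimal cache that only learns from replies answering its own requests. This is an added example, not code from the glossary or from the Transparent Ready product; the MAC and IP addresses are constructed sample values, and the packet layout is the standard 28-byte Ethernet/IPv4 ARP format (hardware type, protocol type, address lengths, operation, then sender and target hardware and protocol addresses).

```python
import struct
import ipaddress

# Ethernet/IPv4 ARP packet: htype, ptype, hlen, plen, op, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OP_REQUEST, OP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                       mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                       mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)


def parse_arp(pkt: bytes) -> dict:
    """Decode a packet; rejects anything that is not Ethernet/IPv4 ARP."""
    if len(pkt) < struct.calcsize(ARP_FMT):
        raise ValueError("ARP packet too short")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op,
            "sender_mac": mac_str(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": mac_str(tha), "target_ip": str(ipaddress.IPv4Address(tpa))}


class ArpCache:
    """IP -> MAC table. A reply is accepted only if this host asked for that IP first;
    unsolicited replies are dropped, since accepting them is how a cache gets poisoned."""

    def __init__(self):
        self.table = {}        # ip -> mac
        self.pending = set()   # ips we have broadcast a request for and not yet resolved

    def lookup(self, ip: str):
        return self.table.get(ip)

    def request(self, my_mac: str, my_ip: str, target_ip: str) -> bytes:
        """Build the broadcast request; target MAC is all zeros because it is unknown."""
        self.pending.add(target_ip)
        return build_arp(OP_REQUEST, my_mac, my_ip, "00:00:00:00:00:00", target_ip)

    def handle(self, pkt: bytes) -> bool:
        """Feed a received packet; return True if it updated the cache."""
        arp = parse_arp(pkt)
        if arp["op"] != OP_REPLY or arp["sender_ip"] not in self.pending:
            return False
        self.table[arp["sender_ip"]] = arp["sender_mac"]
        self.pending.discard(arp["sender_ip"])
        return True


if __name__ == "__main__":
    cache = ArpCache()
    req = cache.request("02:00:00:00:00:01", "192.0.2.1", "192.0.2.2")
    print("request:", parse_arp(req))
    reply = build_arp(OP_REPLY, "02:00:00:00:00:02", "192.0.2.2", "02:00:00:00:00:01", "192.0.2.1")
    print("accepted:", cache.handle(reply), cache.table)
```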

How ARP Works


When an incoming packet destined for a host machine on a particular local area network arrives at a gateway, the gateway asks the ARP program to find a physical host or MAC address that matches the IP address. The ARP program looks in the ARP cache and, if it finds the address, provides it so that the packet can be converted to the right packet length and format and sent to the machine. If no entry is found for the IP address, ARP broadcasts a request packet in a special format to all the machines on the LAN to see if one machine knows that it has that IP address associated with it. A machine that recognizes the IP address as its own returns a reply so indicating. ARP updates the ARP cache for future reference and then sends the packet to the MAC address that replied.

Since protocol details differ for each type of local area network, there are separate ARP Requests for Comments (RFC) for Ethernet, ATM, Fiber Distributed-Data Interface, HIPPI, and other protocols. There is a Reverse ARP (RARP) for host machines that don't know their IP address. RARP enables them to request their IP address from the gateway's ARP cache.

ICMP:
ICMP (Internet Control Message Protocol) is a message control and error-reporting protocol between a host server and a gateway to the Internet. ICMP uses Internet Protocol (IP) datagrams, but the messages are processed by the IP software and are not directly apparent to the application user.

PING (Packet Internet or Inter-Network Groper): To find out the dot address (such as 205.245.172.72) for a given domain name, Windows users can go to their MS DOS prompt screen and enter: ping xxx.yyy (where xxx is the second-level domain name like "whatis" and yyy is the top-level domain name like "com"). Ping is a basic Internet program that lets you verify that a particular IP address exists and can accept requests. The verb ping means the act of using the ping utility or command. Ping is used diagnostically to ensure that a host computer you are trying to reach is actually operating. If, for example, a user can't ping a host, then the user will be unable to use the File Transfer Protocol (FTP) to send files to that host. Ping can also be used with a host that is operating to see how long it takes to get a response back. Using ping, you can learn the number form of the IP address from the symbolic domain name (see "Tip"). Loosely, ping means "to get the attention of" or "to check for the presence of" another party online. Ping operates by sending a packet to a designated address and waiting for a response. The computer acronym was contrived to match the submariners' term for the sound of a returned sonar pulse. Ping can also refer to the process of sending a message to all the members of a mailing list requesting an ACK (acknowledgement code). This is done before sending e-mail in order to confirm that all of the addresses are reachable.

LLC: In the Open Systems Interconnection (OSI) model of communication, the Logical Link Control layer is one of two sublayers of the Data-Link layer and is concerned with managing traffic over the physical medium. The Logical Link Control layer identifies a line protocol, such as SDLC, NetBIOS, or NetWare, and may also assign sequence numbers to frames and track acknowledgements. The other Data-Link sublayer is the Media Access Control layer.

MAC Layer: In the Open Systems Interconnection (OSI) model of communication, the Media Access Control layer is one of two sublayers of the Data Link Control layer and is concerned with sharing the physical connection to the network among several computers. Each computer has its own unique MAC address. Ethernet is an example of a protocol that works at the Media Access Control layer level. The other Data Link Control sublayer is the Logical Link Control layer.

Network layer: In the Open Systems Interconnection (OSI) communications model, the Network layer knows the address of the neighboring nodes in the network, packages output with the correct network address information, selects routes and quality of service, and recognizes and forwards to the Transport layer incoming messages for local host domains. Among existing protocols that generally map to the OSI network layer are the Internet Protocol (IP) part of TCP/IP and NetWare IPX/SPX. Both IP Version 4 and IP Version 6 (IPv6) map to the OSI network layer.

Transport Layer: In the Open Systems Interconnection (OSI) communications model, the transport layer ensures the reliable arrival of messages and provides error checking mechanisms and data flow controls. The transport layer provides services for both "connection-mode" transmissions and for "connectionless-mode" transmissions. For connection-mode transmissions, a transmission may be sent or arrive in the form of packets that need to be reconstructed into a complete message at the other end. The Transmission Control Protocol portion of TCP/IP is a program that can be mapped to the transport layer.
TCP: TCP (Transmission Control Protocol) is a set of rules (protocol) used along with the Internet Protocol (IP) to send data in the form of message units between computers over the Internet. While IP takes care of handling the actual delivery of the data, TCP takes care of keeping track of the individual units of data (called packets) that a message is divided into for efficient routing through the Internet. For example, when an HTML file is sent to you from a Web server, the Transmission Control Protocol (TCP) program layer in that server divides the file into one or more packets, numbers the packets, and then forwards them individually to the IP program layer. Although each packet has the same destination IP address, it may get routed differently through the network. At the other end (the client program in your computer), TCP reassembles the individual packets and waits until they have arrived to forward them to you as a single file.

TCP is known as a connection-oriented protocol, which means that a connection is established and maintained until such time as the message or messages to be exchanged by the application programs at each end have been exchanged. TCP is responsible for ensuring that a message is divided into the packets that IP manages and for reassembling the packets back into the complete message at the other end. In the Open Systems Interconnection (OSI) communication model, TCP is in layer 4, the Transport Layer.

UDP: UDP (User Datagram Protocol) is a communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses the Internet Protocol (IP). UDP is an alternative to the Transmission Control Protocol (TCP) and, together with IP, is sometimes referred to as UDP/IP. Like the Transmission Control Protocol, UDP uses the Internet Protocol to actually get a data unit (called a datagram) from one computer to another. Unlike TCP, however, UDP does not provide the service of dividing a message into packets (datagrams) and reassembling it at the other end. Specifically, UDP doesn't provide sequencing of the packets that the data arrives in. This means that the application program that uses UDP must be able to make sure that the entire message has arrived and is in the right order. Network applications that want to save processing time because they have very small data units to exchange (and therefore very little message reassembling to do) may prefer UDP to TCP. The Trivial File Transfer Protocol (TFTP) uses UDP instead of TCP.

UDP provides two services not provided by the IP layer. It provides port numbers to help distinguish different user requests and, optionally, a checksum capability to verify that the data arrived intact. In the Open Systems Interconnection (OSI) communication model, UDP, like TCP, is in layer 4, the Transport Layer.
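The two UDP services just named, port numbers and the optional checksum, shown in code as an added example (not from the glossary or the product): the 8-byte header is built and parsed, and the checksum is the standard 16-bit ones' complement sum computed over a pseudo-header (source and destination IP, protocol 17, UDP length) plus the datagram. A receiver verifies by summing the whole thing with the checksum field in place and expecting 0xFFFF; a zero field means the sender omitted the checksum, which the verifier reports separately from a failure. Addresses, ports and payload are constructed sample values.

```python
import struct
import ipaddress

UDP_PROTO = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum (RFC 1071 style); an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:                                 # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """The IP fields the UDP checksum covers, so a datagram delivered to the wrong host fails."""
    return (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, UDP_PROTO, udp_len))


def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)     # checksum field is zero while computing
    csum = 0xFFFF ^ ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + header + payload)
    csum = csum or 0xFFFF     # a computed zero is sent as 0xFFFF, because 0 means "no checksum"
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def parse_udp(segment: bytes) -> dict:
    sport, dport, length, csum = struct.unpack("!HHHH", segment[:8])
    return {"sport": sport, "dport": dport, "length": length,
            "checksum": csum, "payload": segment[8:length]}


def verify_udp(src_ip: str, dst_ip: str, segment: bytes):
    """True/False when a checksum is present; None when the sender omitted it."""
    hdr = parse_udp(segment)
    if hdr["checksum"] == 0:
        return None
    covered = pseudo_header(src_ip, dst_ip, hdr["length"]) + segment[:hdr["length"]]
    return ones_complement_sum(covered) == 0xFFFF


if __name__ == "__main__":
    seg = build_udp("192.0.2.1", "192.0.2.2", 12345, 69, b"hello")   # 69 is the TFTP port
    print(parse_udp(seg), verify_udp("192.0.2.1", "192.0.2.2", seg))
    damaged = seg[:8] + b"jello"
    print("after corruption:", verify_udp("192.0.2.1", "192.0.2.2", damaged))
```

Because the pseudo-header is included, the same datagram verified against a different destination address fails too; that is what lets a host discard a datagram that IP delivered to the wrong place, even though the UDP header itself carries no addresses.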

2.1.5 IP Applications or functions definitions

BOOTP: BOOTP (Bootstrap Protocol) is a protocol that lets a network user be automatically configured (receive an IP address) and have an operating system boot or initiated without user involvement. The BOOTP server, managed by a network administrator, automatically assigns the IP address from a pool of addresses for a certain duration of time. BOOTP is the basis for a more advanced network manager protocol, the Dynamic Host Configuration Protocol (DHCP).

DHCP: Dynamic Host Configuration Protocol (DHCP) is a communications protocol that lets network administrators manage centrally and automate the assignment of Internet Protocol (IP) addresses in an organization's network. Using the Internet Protocol, each machine that can connect to the Internet needs a unique IP address. When an organization sets up its computer users with a connection to the Internet, an IP address must be assigned to each machine. Without DHCP, the IP address must be entered manually at each computer and, if computers move to another location in another part of the network, a new IP address must be entered. DHCP lets a network administrator supervise and distribute IP addresses from a central point and automatically sends a new IP address when a computer is plugged into a different place in the network.

DHCP uses the concept of a "lease" or amount of time that a given IP address will be valid for a computer. The lease time can vary depending on how long a user is likely to require the Internet connection at a particular location. It's especially useful in education and other environments where users change frequently. Using very short leases, DHCP can dynamically reconfigure networks in which there are more computers than there are available IP addresses. DHCP supports static addresses for computers containing Web servers that need a permanent IP address.

DHCP is an alternative to another network IP management protocol, Bootstrap Protocol (BOOTP). DHCP is a more advanced protocol, but both configuration management protocols are commonly used. Some organizations use both protocols, but understanding how and when to use them in the same organization is important. Some operating systems, including Windows NT/2000, come with DHCP servers. A DHCP or BOOTP client is a program that is located in (and perhaps downloaded to) each computer so that it can be configured.

FTP: File Transfer Protocol (FTP), a standard Internet protocol, is the simplest way to exchange files between computers on the Internet. Like the Hypertext Transfer Protocol (HTTP), which transfers displayable Web pages and related files, and the Simple Mail Transfer Protocol (SMTP), which transfers e-mail, FTP is an application protocol that uses the Internet's TCP/IP protocols. FTP is commonly used to transfer Web page files from their creator to the computer that acts as their server for everyone on the Internet. It's also commonly used to download programs and other files to your computer from other servers. As a user, you can use FTP with a simple command line interface (for example, from the Windows MS-DOS Prompt window) or with a commercial program that offers a graphical user interface. Your Web browser can also make FTP requests to download programs you select from a Web page. Using FTP, you can also update (delete, rename, move, and copy) files at a server. You need to log on to an FTP server. However, publicly available files are easily accessed using anonymous FTP. Basic FTP support is usually provided as part of a suite of programs that come with TCP/IP. However, any FTP client program with a graphical user interface usually must be downloaded from the company that makes it.

TFTP: Trivial File Transfer Protocol (TFTP) is an Internet software utility for transferring files that is simpler to use than the File Transfer Protocol (FTP) but less capable. It is used where user authentication and directory visibility are not required. TFTP uses the User Datagram Protocol (UDP) rather than the Transmission Control Protocol (TCP). TFTP is described formally in Request for Comments (RFC) 1350.

SNMP: Simple Network Management Protocol (SNMP) is the protocol governing network management and the monitoring of network devices and their functions. It is not necessarily limited to TCP/IP networks. SNMP is described formally in the Internet Engineering Task Force (IETF) Request for Comment (RFC) 1157 and in a number of other related RFCs.
2.1.6 Security definitions

IPSEC: IPsec (Internet Protocol Security) is a developing standard for security at the network or packet processing layer of network communication. Earlier security approaches have inserted security at the Application layer of the communications model. IPsec will be especially useful for implementing virtual private networks and for remote user access through dial-up connection to private networks. A big advantage of IPsec is that security arrangements can be handled without requiring changes to individual user computers. Cisco has been a leader in proposing IPsec as a standard (or combination of standards and technologies) and has included support for it in its network routers.

IPsec provides two choices of security service: Authentication Header (AH), which essentially allows authentication of the sender of data, and Encapsulating Security Payload (ESP), which supports both authentication of the sender and encryption of data as well. The specific information associated with each of these services is inserted into the packet in a header that follows the IP packet header. Separate key protocols can be selected, such as the ISAKMP/Oakley protocol. Officially spelled IPsec by the IETF, the term often appears as IPSec and IPSEC.

SSL: The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of a message transmission on the Internet. SSL has recently been succeeded by Transport Layer Security (TLS), which is based on SSL. SSL uses a program layer located between the Internet's Hypertext Transfer Protocol (HTTP) and Transmission Control Protocol (TCP) layers. SSL is included as part of both the Microsoft and Netscape browsers and most Web server products. Developed by Netscape, SSL also gained the support of Microsoft and other Internet client/server developers as well and became the de facto standard until evolving into Transport Layer Security. The "sockets" part of the term refers to the sockets method of passing data back and forth between a client and a server program in a network or between program layers in the same computer. SSL uses the public-and-private key encryption system from RSA, which also includes the use of a digital certificate.

TLS and SSL are an integral part of most Web browsers (clients) and Web servers. If a Web site is on a server that supports SSL, SSL can be enabled and specific Web pages can be identified as requiring SSL access. Any Web server can be enabled by using Netscape's SSLRef program library which can be downloaded for noncommercial use or licensed for commercial use. TLS and SSL are not interoperable. However, a message sent with TLS can be handled by a client that handles SSL but not TLS.

TLS: Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL). TLS is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol. The TLS Record Protocol provides connection security with some encryption method such as the Data Encryption Standard (DES). The TLS Record Protocol can also be used without encryption. The TLS Handshake Protocol allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before data is exchanged. The TLS protocol is based on Netscape's SSL 3.0 protocol; however, TLS and SSL are not interoperable. The TLS protocol does contain a mechanism that allows a TLS implementation to back down to SSL 3.0. The most recent browser versions support TLS. The TLS Working Group, established in 1996, continues to work on the TLS protocol and related applications.
DES: Data Encryption Standard (DES) is a widely-used method of data encryption using a private (secret) key that was judged so difficult to break by the U.S. government that it was restricted for exportation to other countries. There are 72,000,000,000,000,000 (72 quadrillion) or more possible encryption keys that can be used. For each given message, the key is chosen at random from among this enormous number of keys. Like other private key cryptographic methods, both the sender and the receiver must know and use the same private key.

DES applies a 56-bit key to each 64-bit block of data. The process can run in several modes and involves 16 rounds or operations. Although this is considered "strong" encryption, many companies use "triple DES", which applies three keys in succession. This is not to say that a DES-encrypted message cannot be "broken." Early in 1997, Rivest-Shamir-Adleman, owners of another encryption approach, offered a $10,000 reward for breaking a DES message. A cooperative effort on the Internet of over 14,000 computer users trying out various keys finally deciphered the message, discovering the key after running through only 18 quadrillion of the 72 quadrillion possible keys! Few messages sent today with DES encryption are likely to be subject to this kind of code-breaking effort.

DES originated at IBM in 1977 and was adopted by the U.S. Department of Defense. It is specified in the ANSI X3.92 and X3.106 standards and in the Federal FIPS 46 and 81 standards. Concerned that the encryption algorithm could be used by unfriendly governments, the U.S. government has prevented export of the encryption software. However, free versions of the software are widely available on bulletin board services and Web sites. Since there is some concern that the encryption algorithm will remain relatively unbreakable, NIST has indicated DES will not be recertified as a standard and submissions for its replacement are being accepted. The next standard will be known as the Advanced Encryption Standard (AES).

RSA: RSA is an Internet encryption and authentication system that uses an algorithm developed in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman.
The RSA algorithm is the most commonly used encryption and authentication algorithm and is included as part of the Web browser from Netscape and Microsoft. It's also part of Lotus Notes, Intuit's Quicken, and many other products. The encryption system is owned by RSA Security. The company licenses the algorithm technologies and also sells development kits. The technologies are part of existing or proposed Web, Internet, and computing standards.

How the RSA System Works

The mathematical details of the algorithm used in obtaining the public and private keys are available at the RSA Web site. Briefly, the algorithm involves multiplying two large prime numbers (a prime number is a number divisible only by that number and 1) and through additional operations deriving a set of two numbers that constitutes the public key and another set that is the private key. Once the keys have been developed, the original prime numbers are no longer important and can be discarded. Both the public and the private keys are needed for encryption/decryption but only the owner of a private key ever needs to know it. Using the RSA system, the private key never needs to be sent across the Internet.

The private key is used to decrypt text that has been encrypted with the public key. Thus, if I send you a message, I can find out your public key (but not your private key) from a central administrator and encrypt a message to you using your public key. When you receive it, you decrypt it with your private key. In addition to encrypting messages (which ensures privacy), you can authenticate yourself to me (so I know that it is really you who sent the message) by using your private key to encrypt a digital certificate. When I receive it, I can use your public key to decrypt it. A table might help us remember this.

To do this                                                     Use whose         Kind of key
Send an encrypted message                                      the receiver's    Public key
Send an encrypted signature                                    the sender's      Private key
Decrypt an encrypted message                                   the receiver's    Private key
Decrypt an encrypted signature (and authenticate the sender)   the sender's      Public key

PKI: A PKI (public key infrastructure) enables users of a basically unsecure public network such as the Internet to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates. Although the components of a PKI are generally understood, a number of different vendor approaches and services are emerging. Meanwhile, an Internet standard for PKI is being worked on.

The public key infrastructure assumes the use of public key cryptography, which is the most common method on the Internet for authenticating a message sender or encrypting a message. Traditional cryptography has usually involved the creation and sharing of a secret key for the encryption and decryption of messages. This secret or private key system has the significant flaw that if the key is discovered or intercepted by someone else, messages can easily be decrypted. For this reason, public key cryptography and the public key infrastructure is the preferred approach on the Internet. (The private key system is sometimes known as symmetric cryptography and the public key system as asymmetric cryptography.)

A public key infrastructure consists of:
A certificate authority (CA) that issues and verifies digital certificates. A certificate includes the public key or information about the public key.
A registration authority (RA) that acts as the verifier for the certificate authority before a digital certificate is issued to a requestor.
One or more directories where the certificates (with their public keys) are held.
A certificate management system.

How Public and Private Key Cryptography Works

In public key cryptography, a public and private key are created simultaneously using the same algorithm (a popular one is known as RSA) by a certificate authority (CA). The private key is given only to the requesting party and the public key is made publicly available (as part of a digital certificate) in a directory that all parties can access. The private key is never shared with anyone or sent across the Internet. You use the private key to decrypt text that has been encrypted with your public key by someone else (who can find out what your public key is from a public directory). Thus, if I send you a message, I can find out your public key (but not your private key) from a central administrator and encrypt a message to you using your public key. When you receive it, you decrypt it with your private key. In addition to encrypting messages (which ensures privacy), you can authenticate yourself to me (so I know that it is really you who sent the message) by using your private key to encrypt a digital certificate. When I receive it, I can use your public key to decrypt it. Here's a table that restates it:

To do this                                                     Use whose         Kind of key
Send an encrypted message                                      the receiver's    Public key
Send an encrypted signature                                    the sender's      Private key
Decrypt an encrypted message                                   the receiver's    Private key
Decrypt an encrypted signature (and authenticate the sender)   the sender's      Public key

Who Provides the Infrastructure

A number of products are offered that enable a company or group of companies to implement a PKI. The acceleration of e-commerce and business-to-business commerce over the Internet has increased the demand for PKI solutions. Related ideas are the virtual private network (VPN) and the IP Security (IPsec) standard. Among PKI leaders are:
- RSA, which has developed the main algorithms used by PKI vendors.
- Verisign, which acts as a certificate authority and sells software that allows a company to create its own certificate authorities.
- GTE CyberTrust, which provides a PKI implementation methodology and consultation service that it plans to sell to other companies for a fixed price.
- Xcert, whose Web Sentry product checks the revocation status of certificates on a server, using the Online Certificate Status Protocol (OCSP).
- Netscape, whose Directory Server product is said to support 50 million objects and process 5,000 queries a second; Secure E-Commerce, which allows a company or extranet manager to manage digital certificates; and Meta-Directory, which can connect all corporate directories into a single directory for security management.

Pretty Good Privacy

For e-mail, the Pretty Good Privacy (PGP) product lets you encrypt a message to anyone whose public key you have. You encrypt it with their public key and they then decrypt it with their private key. Each PGP user keeps the public keys he has collected in a local file called a key ring; keys are exchanged directly or through public key servers. (If you do not have the recipient's public key, you cannot send them an encrypted message.) PGP does not rely on a certificate authority: trust in a key is established by other users signing it (the "web of trust"). As another option, PGP lets you "sign" your note with a digital signature made with your private key. The recipient can then take your public key from his key ring and verify the signature to see whether it was really you who sent the message.

VPN: A virtual private network (VPN) is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures. A virtual private network can be contrasted with a system of owned or leased lines that can only be used by one company. The idea of the VPN is to give the company the same capabilities at much lower cost by using the shared public infrastructure rather than a private one. Phone companies have provided secure shared resources for voice messages. A virtual private network makes it possible to have the same secure sharing of public resources for data. Companies today are looking at using a virtual private network for both extranets and wide-area intranets. Using a virtual private network involves encrypting data before sending it through the public network and decrypting it at the receiving end. An additional level of security involves encrypting not only the data but also the originating and receiving network addresses (tunnel mode). Microsoft, 3Com, and several other companies have developed the Point-to-Point Tunneling Protocol (PPTP), and Microsoft has extended Windows NT to support it. Note that PPTP's authentication (MS-CHAP) and encryption (MPPE, based on RC4) have published weaknesses; IPsec, or L2TP over IPsec, is the usual choice where the tunnel has to resist an attacker on the public network. VPN software is typically installed as part of a company's firewall server.

2.1.7 WEB definitions

URL: A URL (Uniform Resource Locator) (pronounced YU-AHR-EHL or, in some quarters, UHRL) is the address of a file (resource) accessible on the Internet. The type of resource depends on the Internet application protocol. Using the World Wide Web's protocol, the Hypertext Transfer Protocol (HTTP), the resource can be an HTML page, an image file, a program such as a common gateway interface application or Java applet, or any other file supported by HTTP. The URL contains the name of the protocol required to access the resource, a domain name that identifies a specific computer on the Internet, and a hierarchical description of a file location on the computer. On the Web (which uses the Hypertext Transfer Protocol), an example of a URL is:
http://www.mhrcc.org/kingston

which describes a Web page to be accessed with an HTTP (Web browser) application that is located on a computer named www.mhrcc.org. The specific file is in the directory named /kingston and is the default page in that directory (which, on this computer, happens to be named index.html). An HTTP URL can be for any Web page, not just a home page, or any individual file. A URL for a program such as a forms-handling common gateway interface script written in PERL might look like this:
http://whatis.com/cgi-bin/comments.pl

A URL for a file meant to be downloaded would require that the "ftp" protocol be specified like this one:
ftp://www.somecompany.com/whitepapers/widgets.ps
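The three URL forms above, taken apart with the standard library. This is an added example, not part of the original glossary; the first three addresses are the ones quoted in the text, the fourth is constructed to show the userinfo trick ("user@host") that defeats a check done on the URL string instead of on the parsed host.

```python
"""Split URLs into the parts the entry describes (scheme, host, path) and show
why a host check must look at the parsed host, not at a string prefix.

Added example, not from the glossary. The fourth URL is constructed: it begins
with "http://www.mhrcc.org" but actually points at attacker.example, because
everything before "@" in the authority part is userinfo, not a host.
"""
from urllib.parse import urlsplit


def describe(url: str) -> dict:
    parts = urlsplit(url)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,      # lower-cased; userinfo and port stripped
        "port": parts.port,          # None when absent
        "path": parts.path or "/",
        "userinfo": parts.username,  # "www.mhrcc.org" in the trick URL
    }


def same_site(url: str, expected_host: str) -> bool:
    """Correct check: compare the parsed host name."""
    return urlsplit(url).hostname == expected_host.lower()


def naive_same_site(url: str, expected_host: str) -> bool:
    """The mistake: a prefix test on the raw string."""
    return url.startswith("http://" + expected_host)


EXAMPLES = [
    "http://www.mhrcc.org/kingston",
    "http://whatis.com/cgi-bin/comments.pl",
    "ftp://www.somecompany.com/whitepapers/widgets.ps",
    "http://www.mhrcc.org@attacker.example/kingston",   # constructed
]

if __name__ == "__main__":
    for u in EXAMPLES:
        d = describe(u)
        print(f"{u}\n  {d}\n  naive={naive_same_site(u, 'www.mhrcc.org')} "
              f"parsed={same_site(u, 'www.mhrcc.org')}")
```

The same rule applies to the "domain name that identifies a specific computer" in the text: it is whatever the parser returns as the host, and a redirect or link check that works on the string is what the constructed fourth URL exploits.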

A URL is a type of URI (Uniform Resource Identifier).

URI: To paraphrase the World Wide Web Consortium, Internet space is inhabited by many points of content. A URI (Uniform Resource Identifier; pronounced YEW-AHR-EYE) is the way you identify any of those points of content, whether it be a page of text, a video or sound clip, a still or animated image, or a program. The most common form of URI is the Web page address, which is a particular form or subset of URI called a Uniform Resource Locator (URL). A URI typically describes:
- the mechanism used to access the resource,
- the specific computer that the resource is housed in,
- the specific name of the resource (a file name) on the computer.
For example, this URI:
http://www.w3.org/Icons/WWW/w3c_main.gif

identifies a file that can be accessed using the Web protocol application, Hypertext Transfer Protocol ("http://"), that is housed on a computer named "www.w3.org" (which can be mapped to a unique Internet address). In the computer's directory structure, the file is located at "/Icons/WWW/w3c_main.gif". Character strings that identify File Transfer Protocol (FTP) addresses and e-mail addresses are also URIs (and, like the HTTP address, are also the specific subset of URI called a URL). Another kind of URI is the Uniform Resource Name (URN). A URN is a form of URI that has "institutional persistence," which means that its exact location may change from time to time, but some agency will be able to find it. The URI rules of syntax, set forth in the Internet Engineering Task Force (IETF) Request for Comments 1630 (the generic syntax is now defined by RFC 2396), apply to all Internet addresses. In Tim Berners-Lee's original working document, URI stood for Universal Resource Identifier.

URN: A URN (Uniform Resource Name) is an Internet resource with a name that has persistent significance; that is, the user of the URN can expect that someone else (or a program) will be able to find the resource. A URN looks something like a Web page address or Uniform Resource Locator (URL). For example, here's a hypothetical URN:
urn:def://blue_laser

where "def://" might indicate an agency or an accessible directory of all dictionaries, glossaries, and encyclopedias on the Internet and "blue_laser" was the name of a term. The result of using the agency could be the "best definition," the "longest definition," or even all definitions that the agency could find of "blue laser." A comparable URL would need to specify one specific location for a definition such as:
http://www.whatis.com/bluelase.htm

In this case, the user has to know where the resource is located as well as how to spell the file name and suffix. With a URN, the user only needs to know the name of a resource. One or more agencies will presumably be able to locate the nearest copy of the resource, and the user is freed from understanding where resources are located or relocated to. Both URN and URL are types of a concept called the Uniform Resource Identifier (URI). A URN is associated with another concept called Uniform Resource Characteristics (URC), which allows descriptive information to be associated with a URN, such as author, date, length, and so forth. It is possible to have a name that includes an address, so in some cases a URN may also be a URL, but it doesn't have to be. The URN is still being developed by members of the Internet Engineering Task Force (IETF).

DNS: The domain name system (DNS) is the way that Internet domain names are located and translated into Internet Protocol addresses. A domain name is a meaningful and easy-to-remember "handle" for an Internet address. Because maintaining a central list of domain name/IP address correspondences would be impractical, the lists of domain names and IP addresses are distributed throughout the Internet in a hierarchy of authority. There is probably a DNS server within close geographic proximity to your access provider that maps the domain names in your Internet requests or forwards them to other servers in the Internet. Plain DNS answers are not authenticated, so a forged answer (spoofing, cache poisoning) can send a client to the wrong address; a security design must not take a resolved name as proof of identity. DNSSEC, which signs the records, addresses this.

2.1.8 Other definitions

SYSTEM: A system is a collection of elements or components that are organized for a common purpose. The word sometimes describes the organization or plan itself (and is similar in meaning to method, as in "I have my own little system") and sometimes describes the parts in the system (as in "computer system"). A computer system consists of hardware components that have been carefully chosen so that they work well together and software components or programs that run in the computer. The main software component is itself an operating system that manages and provides services to other programs that can be run in the computer. A filing system is a group of files organized with a plan (for example, alphabetically by customer). All of nature and the universe can be said to be a system. We've coined a word, ecosystem, for the systems on Earth that affect life systems. The term can be very useful because so many things can be described as systems. It can also be unhelpful when a more specific term is needed.

ACL: An access control list (ACL) is a table that tells a computer operating system which access rights each user has to a particular system object, such as a file directory or individual file. Each object has a security attribute that identifies its access control list. The list has an entry for each system user (or group) with access privileges. The most common privileges include the ability to read a file (or all the files in a directory), to write to the file or files, and to execute the file (if it is an executable file, or program). Microsoft Windows NT/2000, Novell's NetWare, Digital's OpenVMS, and UNIX-based systems are among the operating systems that use access control lists. The list is implemented differently by each operating system.
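How such a list is evaluated, as an added example (not code from the glossary). It models an ACL as entries of (user or group, allow or deny, access mask of read/write/execute bits), the way the entry describes it for Windows NT; the object, users and group memberships are constructed. It follows the rule Windows applies to a canonically ordered ACL: explicit deny entries are checked before allow entries, so a deny on a group wins over an allow on the user, and a user with no matching entry gets nothing (default deny).

```python
"""Evaluate an access control list: one entry per user or group, each with an
allow/deny flag and an access mask of rights.

Added example, not from the glossary. The ACL, the users and the group
memberships below are constructed for the demonstration.
"""
from typing import Dict, List, Set

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4   # bits of the access mask


class ACE:
    """Access control entry: who, allow or deny, and which rights."""
    def __init__(self, trustee: str, allow: bool, mask: int):
        self.trustee, self.allow, self.mask = trustee, allow, mask


def check_access(acl: List[ACE], user: str, groups: Set[str], wanted: int) -> bool:
    """Grant only if every wanted bit is allowed by some matching entry and no
    wanted bit is denied by any matching entry. Deny entries are considered
    first (canonical order), so a later allow cannot override them."""
    principals = {user} | groups
    ordered = [a for a in acl if not a.allow] + [a for a in acl if a.allow]
    granted = 0
    for ace in ordered:
        if ace.trustee not in principals:
            continue
        if not ace.allow and ace.mask & wanted:
            return False                       # explicit deny on a requested right
        if ace.allow:
            granted |= ace.mask
    return wanted != 0 and (granted & wanted) == wanted


# Constructed object: the ACL protecting a PLC configuration file.
CONFIG_ACL = [
    ACE("administrators", True, READ | WRITE | EXECUTE),
    ACE("operators", True, READ),
    ACE("contractors", False, WRITE),      # deny, even if another entry allows it
    ACE("jdoe", True, READ | WRITE),       # jdoe is also a contractor (see below)
]

MEMBERSHIP: Dict[str, Set[str]] = {      # constructed user -> groups table
    "alice": {"administrators"},
    "bob": {"operators"},
    "jdoe": {"contractors"},
    "eve": set(),
}


def can(user: str, wanted: int) -> bool:
    return check_access(CONFIG_ACL, user, MEMBERSHIP.get(user, set()), wanted)


if __name__ == "__main__":
    for u in MEMBERSHIP:
        print(u, "read" if can(u, READ) else "-", "write" if can(u, WRITE) else "-",
              "execute" if can(u, EXECUTE) else "-")
```

The point to notice is jdoe: the user's own entry allows write, but the deny on the contractors group is evaluated first, so write is refused while read is still granted. An ACL that stores its entries in arbitrary order and stops at the first match would give the opposite answer, which is why the order of entries is part of the security model.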

In Windows NT/2000, an access control list (ACL) is associated with each system object. Each ACL has one or more access control entries (ACEs), each naming a user or group of users. The user can also be a role name, such as "programmer" or "tester". For each of these users, groups, or roles, the access privileges are stated in a string of bits called an access mask. An entry either allows or denies the rights in its mask, and the order of entries matters: Windows evaluates explicit deny entries before allow entries. Generally, the system administrator or the object owner creates the access control list for an object.

LDAP: Lightweight Directory Access Protocol (LDAP) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. LDAP is a "lightweight" (smaller amount of code) version of the Directory Access Protocol (DAP), which is part of X.500, a standard for directory services in a network. LDAP is lighter because it runs directly over TCP/IP instead of the full OSI stack, with a simpler encoding and a reduced set of operations. Its early versions offered only simple (clear-text) password authentication; LDAP v3 added SASL mechanisms and TLS. LDAP originated at the University of Michigan and has been endorsed by at least 40 companies. Netscape includes it in its latest Communicator suite of products. Microsoft includes it as part of what it calls Active Directory in a number of products including Outlook Express. Novell's NetWare Directory Services interoperates with LDAP. Cisco also supports it in its networking products. In a network, a directory tells you where in the network something is located. On TCP/IP networks (including the Internet), the domain name system (DNS) is the directory system used to relate a domain name to a specific network address (a unique location on the network). However, you may not know the domain name. LDAP allows you to search for an individual without knowing where they're located (although additional information will help with the search).
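A search in such a directory is expressed as a filter string, for example (uid=jdoe), and an entry is named by a distinguished name that walks down the tree (country, organization, organizational unit, individual). Both are strings built from user input, so a login name pasted into a filter unescaped can change the filter's meaning (LDAP injection). The following is an added example, not code from the glossary: it escapes filter values as RFC 4515 requires and DN components as RFC 4514 requires, and shows what the naive version lets through. The names and organization are constructed.

```python
"""Build LDAP search filters and distinguished names safely.

Added example, not from the glossary. RFC 4515: inside a filter value the
characters * ( ) \\ and NUL are written as a backslash plus two hex digits.
RFC 4514: inside a DN attribute value the characters , + " \\ < > ; are
backslash-escaped, as is a leading # or space and a trailing space.
The attacker string and the names below are constructed.
"""


def escape_filter_value(value: str) -> str:
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_filter(uid: str) -> str:
    """Safe: (&(objectClass=person)(uid=<uid>)) with the value escaped."""
    return "(&(objectClass=person)(uid=%s))" % escape_filter_value(uid)


def naive_user_filter(uid: str) -> str:
    """Vulnerable form: the raw login name is pasted into the filter."""
    return "(&(objectClass=person)(uid=%s))" % uid


def escape_dn_value(value: str) -> str:
    s = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if s.startswith("#") or s.startswith(" "):
        s = "\\" + s
    if s.endswith(" "):
        s = s[:-1] + "\\ "
    return s


def build_dn(cn: str, ou: str, o: str, c: str) -> str:
    """Distinguished name down the tree the entry describes."""
    return "cn=%s,ou=%s,o=%s,c=%s" % tuple(escape_dn_value(v) for v in (cn, ou, o, c))


# Constructed probe: unescaped, it turns the filter into "match every person".
ATTACK = "*)(uid=*))(|(uid=*"

if __name__ == "__main__":
    print("naive :", naive_user_filter(ATTACK))
    print("safe  :", user_filter(ATTACK))
    print("dn    :", build_dn("Doe, John", "Automation", "ExampleCorp", "FR"))
```

With the naive builder the probe yields (&(objectClass=person)(uid=*)(uid=*))(|(uid=*)), which a server evaluates as "any person"; with escaping, the same input is just a literal value that matches nobody. The DN builder matters for the same reason when an application composes the bind DN from a login name.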
An LDAP directory is organized in a simple "tree" hierarchy consisting of the following levels:
- the "root" directory (the starting place or the source of the tree), which branches out to
- countries, each of which branches out to
- organizations, which branch out to
- organizational units (divisions, departments, and so forth), which branch out to (include an entry for)
- individuals (which include people, files, and shared resources such as printers).
An LDAP directory can be distributed among many servers. Each server can have a replicated version of the total directory that is synchronized periodically. An LDAP server is called a Directory System Agent (DSA). An LDAP server that receives a request from a user takes responsibility for the request, passing it to other DSAs as necessary, but ensuring a single coordinated response for the user.

XML: XML (Extensible Markup Language) is a flexible way to create common information formats and share both the format and the data on the World Wide Web, intranets, and elsewhere. For example, computer makers might agree on a standard or common way to describe the information about a computer product (processor speed, memory size, and so forth) and then describe the product information format with XML. Such a standard way of describing data would enable a user to send an intelligent agent (a program) to each computer maker's Web site, gather data, and then make a valid comparison. XML can be used by any individual or group of individuals or companies that wants to share information in a consistent way. XML, a formal recommendation from the World Wide Web Consortium (W3C), is similar to the language of today's Web pages, the Hypertext Markup Language (HTML). Both XML and HTML contain markup symbols to describe the contents of a page or file. HTML, however, describes the content of a Web page (mainly text and graphic images) only in terms of how it is to be displayed and interacted with.
For example, the letter "p" placed within markup tags starts a new paragraph. XML describes the content in terms of what data is being described. For example, the word "phonenum" placed within markup tags could indicate that the data that followed was a phone number. This means that an XML file can be processed purely as data by a program, stored with similar data on another computer, or, like an HTML file, displayed. For example, depending on how the

application in the receiving computer wanted to handle the phone number, it could be stored, displayed, or dialed. XML is "extensible" because, unlike HTML, the markup symbols are unlimited and self-defining. XML is actually a simpler and easier-to-use subset of the Standard Generalized Markup Language (SGML), the standard for how to create a document structure. It is expected that HTML and XML will be used together in many Web applications. XML markup, for example, may appear within an HTML page. Early applications of XML include Microsoft's Channel Definition Format (CDF), which describes a channel, a portion of a Web site that has been downloaded to your hard disk and is then updated periodically as information changes. A specific CDF file contains data that specifies an initial Web page and how frequently it is updated. Another early application is ChartWare, which uses XML as a way to describe medical charts so that they can be shared by doctors. Applications related to banking, e-commerce ordering, personal preference profiles, purchase orders, litigation documents, part lists, and many others are anticipated. Because the markup is self-defining, an XML parser will also honour a DOCTYPE sent by the other side, including entity declarations that point at local files or expand to enormous size; a program that receives XML from a network peer should refuse those.
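Processing the product record from the entry "purely as data", as an added example (not code from the glossary). It reads a constructed record with a phonenum element into a dictionary using the expat parser of the Python standard library, and it rejects any DOCTYPE or entity declaration, which is what closes the two classic attacks on XML parsers: external entities (XXE, reading local files or reaching internal hosts) and entity expansion ("billion laughs"). The three documents are constructed.

```python
"""Parse a small XML record as data while refusing DTD/entity declarations.

Added example, not from the glossary. Uses xml.parsers.expat from the
standard library; the documents are constructed for the demonstration.
"""
import xml.parsers.expat


class UnsafeDocument(Exception):
    """Raised when the document carries a DOCTYPE or entity declaration."""


def parse_record(doc: str) -> dict:
    """Return {leaf-element-name: text} for the child elements of the root."""
    parser = xml.parsers.expat.ParserCreate()
    result, stack, text = {}, [], []

    def reject(*_args):
        raise UnsafeDocument("DOCTYPE and entity declarations are not accepted")

    def start(name, _attrs):
        stack.append(name)
        text.clear()

    def end(name):
        if text and len(stack) > 1:           # a leaf below the root element
            result[name] = "".join(text).strip()
        stack.pop()
        text.clear()

    parser.StartDoctypeDeclHandler = reject   # fires before any entity is defined
    parser.EntityDeclHandler = reject
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text.append
    parser.Parse(doc, True)                   # exceptions from handlers propagate
    return result


def is_safe(doc: str) -> bool:
    try:
        parse_record(doc)
        return True
    except UnsafeDocument:
        return False


# Constructed inputs.
GOOD = ("<product><name>module-42</name>"
        "<phonenum>+33 1 00 00 00 00</phonenum></product>")
BOMB = ('<?xml version="1.0"?><!DOCTYPE p [<!ENTITY a "aaaaaaaaaa">'
        '<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>'
        "<product><name>&b;</name></product>")
XXE = ('<?xml version="1.0"?><!DOCTYPE p [<!ENTITY f SYSTEM "file:///etc/passwd">]>'
       "<product><phonenum>&f;</phonenum></product>")

if __name__ == "__main__":
    print(parse_record(GOOD))
    for name, doc in ("BOMB", BOMB), ("XXE", XXE):
        print(name, "accepted" if is_safe(doc) else "rejected")
```

The record comes back as plain data ({"name": ..., "phonenum": ...}), which is the "stored, displayed, or dialed" choice the entry leaves to the application; the two hostile documents never reach that stage. Parsers that are only asked for the tree (ElementTree, DOM) expand internal entities silently, so the refusal has to be explicit.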

2.2 LIST OF TERMS BY ALPHABETIC ORDER (COMPLETE LIST)
802.1p: Communication protocol. This extension of the MAC frame (e.g. 802.3 Ethernet) allows prioritization at level 2 (a new priority field). Thus, high-priority frames are sent first by the sender. The extension is a three-bit value, carried in the 802.1Q tag (802.1p itself defines no frame format), that switches and bridges use to establish frame priority in 802 networks. Typically, when a network segment becomes congested, the switch workload results in the delay or dropping of frames. On a network using the 802.1p MAC extension, a frame with a higher priority receives preferential treatment and is serviced before a frame with a lower priority. In order to work properly, devices (switches, bridges, routers, etc.) have to be updated. It helps implement QoS for medium access with priority. The priority bits are set by the sender and are not authenticated: a switch port facing untrusted equipment should remap or police them rather than trust them.

802.1q: Communication protocol. IEEE 802 Local Area Networks (LANs) of all types may be connected together with Media Access Control (MAC) Bridges, as specified in ISO/IEC 15802-3. This standard defines the operation of Virtual LAN (VLAN) Bridges that permit the definition, operation and administration of Virtual LAN topologies within a Bridged LAN infrastructure.

802.11a, 802.11b, 802.11e: Wireless communication protocols. The original 802.11 (1997) ran at 1 and 2 Mbit/s; 802.11b works at 11 Mbit/s in the 2.4 GHz band (also called HR, High Rate); 802.11a works at up to 54 Mbit/s in the 5 GHz band. Priorities (QoS, e.g. separate classes for voice and for data) are the subject of the 802.11e amendment. The latest protocol was forecast for the first quarter of 2001. HiperLAN/2 is a very serious competitor. The original encryption, WEP, was shown to be breakable in 2001 and should not be relied upon.

ActiveX: A Microsoft component that, for example, is able to migrate from a Web server to a client and be executed by this client (close to the Java applet) inside the browser. More generally, an ActiveX component (also called OCX, though an ActiveX control is aimed to be smaller) is a kind of plug-in that plugs into a container (component application framework). The technology used to interface ActiveX is COM/DCOM. This type of component is an EXE or a DLL. Unlike a Java applet, an ActiveX control is native code that runs with the full privileges of the browser user; there is no sandbox, only the Authenticode signature that tells the user who published it.

Activity diagram: UML terminology. This is basically a flow chart that describes the flow of control from one activity to the next. Unlike interaction diagrams (sequence, collaboration) that emphasize the flow of control between objects, activity diagrams emphasize the flow of control between activities. Activities are atomic actions that cannot be further decomposed.

Actor: UML terminology. Actors are a representation of the outside world, and they could be people or computer systems.

ADO: ActiveX Data Objects. Microsoft's interface used to access databases (a kind of object-oriented ODBC).

ADS (Active Directory Services): Distributed directory (LDAP v3) system of Windows 2000 (Microsoft). A central store is replicated at several points of the system. RAS and VPN (L2TP, IPsec) settings are described in this directory.

ADS (Advertisement and Discovery Services): Protocol promoted by IBM whose aim is to discover Web services (WSDL) dynamically on the Web.

ADSL: Asymmetric Digital Subscriber Line. Use of the PSTN local loop for Internet access; in fact a "fast" connection to the Internet (above 1 Mbit/s). A box (or a board in your home PC) is necessary on the user side. Another box (the DSLAM) is needed on the exchange side, i.e. where individual lines are gathered and connected to a big pipe. The distance between the user connection and the exchange should be less than about 5 km. The data signal is carried in frequencies above the voice band (roughly 25 kHz to 1.1 MHz), so the phone is usable at the same time. Inside the exchange box, the signal is extracted and pushed onto another dedicated medium (fibre optic, etc.). An ISP can connect you to the Internet at this point (local-loop unbundling, coming soon in France: the phone operator allows another operator to take the signal at this point, either for data only or for both data and voice). An "ADSL light" is emerging (the hardware modification is easier and lighter). The generic name for equivalent technologies is xDSL. SDSL means "symmetric DSL": the bandwidth is the same in both directions. This is not the case with ADSL (higher bandwidth in the downstream direction, i.e. from the Internet to the end user).

AES: Advanced Encryption Standard. Security scope.

The National Institute of Standards and Technology (NIST) has been working with industry and the cryptographic community to develop an Advanced Encryption Standard (AES). The overall goal is to develop a Federal Information Processing Standard (FIPS) that specifies an encryption algorithm capable of protecting sensitive government information well into the next century. The algorithm is expected to be used by the U.S. Government and, on a voluntary basis, by the private sector. NIST announced in October 2000 that Rijndael had been selected as the proposed AES; the standard was published as FIPS 197 in November 2001.

Rijndael is a block cipher, designed by Joan Daemen and Vincent Rijmen as a candidate algorithm for the AES. The cipher has a variable block length and key length. The specification describes how to use keys with a length of 128, 192, or 256 bits to encrypt blocks with a length of 128, 192 or 256 bits (all nine combinations of key length and block length are possible); FIPS 197 retains only the 128-bit block with the three key lengths. Both block length and key length can be extended very easily to multiples of 32 bits. Rijndael can be implemented very efficiently on a wide range of processors and in hardware. Rijndael is less CPU-consuming than 3DES. Like any block cipher it must be used in a mode of operation (CBC, CTR, or an authenticated mode such as GCM), never block by block (ECB).

AH: Authentication Header. IPsec scope. It provides integrity and origin authentication of the IP packet, without encryption. A keyed digest (an HMAC, with MD5 = Message Digest 5 or SHA-1 = Secure Hash Algorithm 1) is computed over the payload and over the fields of the IP header that do not change in transit (the IP addresses among them; TTL, TOS and checksum are excluded), and carried in the AH header. Any falsification of the IP addresses or the data is therefore detected. Because the addresses are covered, AH does not survive NAT; where confidentiality is needed, ESP is used instead of, or together with, AH.

Ahead compiler: A Java ahead-of-time compiler is close to a Java JIT compiler because it translates Java bytecode into target-machine native code. The difference is that this compiler runs offline (using a profiler), possibly on a machine that has no JVM. At load time, the class loader directly deals with a class file containing native code.

API: Application Programming Interface. An interface used by a program in order to communicate with an operating system, a component, etc.

Applet: A Java application downloaded from an HTTP server to a Web browser using a dedicated HTML tag. This Java application (bytecode) runs in the JVM of the client browser, i.e. in the Java sandbox. This security constraint dramatically limits access to the local machine's resources. However, the applet is able to communicate (over TCP or UDP ports) with the machine supporting the Web server that it comes from. A workaround is to use a proxy server or gateway on the Web server side. By contrast, a Java application is loaded from the file system of the machine where the JVM runs and has no sandbox restrictions.

ARP: Address Resolution Protocol. Protocol used to get the MAC address of a device (Ethernet layer) from its IP address (based on broadcast). ARP carries no authentication: any host on the segment may answer, or send unsolicited replies, for an address it does not own (ARP spoofing), so a device must not treat the MAC address learned this way as proof of identity.

ASN.1: Abstract Syntax Notation 1. Network scope. OSI standard defined by the ISO. This is a grammar (language) that helps to define a communication protocol regardless of the way it is encoded on the wire. Think of a source program (the protocol) written in C (the language). The encoding is defined by BER; other rules are applicable.

ASP: Active Server Pages. In the Microsoft world, a framework for dynamically
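The AH integrity check from the entry above, modelled in code, as an added example (not code from the glossary, and a toy: the packet layout is simplified to IPv4 + AH + payload). It computes HMAC-SHA1 truncated to 96 bits (the combination RFC 2404 specifies) over the IP header with the mutable fields zeroed, the AH header with its ICV field zeroed, and the payload, then checks that a changed source address is detected while a decremented TTL (which routers are allowed to change) still verifies. Key, addresses and payload are constructed.

```python
"""Model of the IPsec AH integrity check value (HMAC-SHA1-96).

Added example, not from the glossary. Builds a toy IPv4 packet protected by
AH and verifies it; the key, addresses and payload are constructed.
"""
import hashlib
import hmac
import struct

ICV_LEN = 12          # HMAC-SHA1-96: the 20-byte tag is truncated to 96 bits
PROTO_AH, NEXT_UDP = 51, 17


def ipv4_header(src: bytes, dst: bytes, ttl: int, proto: int, total_len: int) -> bytes:
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0, src, dst)


def zero_mutable(ip_hdr: bytes) -> bytes:
    """TOS, flags/fragment offset, TTL and header checksum may change in
    transit, so the ICV is computed as if they were zero."""
    h =
 bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_header(next_hdr: int, spi: int, seq: int, icv: bytes) -> bytes:
    # next header, payload length (in 32-bit words, minus 2), reserved, SPI, sequence
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv


def compute_icv(key: bytes, ip_hdr: bytes, spi: int, seq: int, next_hdr: int, payload: bytes) -> bytes:
    covered = zero_mutable(ip_hdr) + ah_header(next_hdr, spi, seq, b"\x00" * ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def protect(key: bytes, src: bytes, dst: bytes, ttl: int, payload: bytes, spi: int, seq: int) -> bytes:
    total = 20 + 12 + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, ttl, PROTO_AH, total)
    icv = compute_icv(key, ip_hdr, spi, seq, NEXT_UDP, payload)
    return ip_hdr + ah_header(NEXT_UDP, spi, seq, icv) + payload


def verify(key: bytes, packet: bytes) -> bool:
    ip_hdr, ah = packet[:20], packet[20:32]
    next_hdr, _plen, _res, spi, seq = struct.unpack("!BBHII", ah)
    icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    expected = compute_icv(key, ip_hdr, spi, seq, next_hdr, payload)
    return hmac.compare_digest(icv, expected)      # constant-time comparison


def tamper(packet: bytes, offset: int, value: int) -> bytes:
    b = bytearray(packet)
    b[offset] = value
    return bytes(b)


KEY = b"constructed-demo-key"                        # constructed, not a real SA
PKT = protect(KEY, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
              ttl=64, payload=b"hello", spi=0x100, seq=1)

if __name__ == "__main__":
    print("intact          :", verify(KEY, PKT))
    print("TTL decremented :", verify(KEY, tamper(PKT, 8, 63)))    # allowed
    print("source changed  :", verify(KEY, tamper(PKT, 12, 192)))  # detected
```

The sequence number in the AH header is also covered by the ICV; a receiver keeps a window of seen values so that a captured packet cannot simply be replayed.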
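A watcher for the ARP spoofing mentioned in the ARP entry, as an added example (not code from the glossary). Since ARP has no authentication, the usual detection is to remember which MAC address each IP address announced and to raise an alert when a later ARP packet binds the same IP to a different MAC. The capture lines are constructed; the format "time sender-ip sender-mac op" is an assumption of this example, not a real tool's output.

```python
"""Flag ARP packets that rebind an IP address to a different MAC address.

Added example, not from the glossary. Hosts update their ARP cache from the
sender fields of both requests and replies, so both are watched. The capture
below is constructed; its line format is made up for the demonstration.
"""
from typing import Dict, List, Tuple

CAPTURE = """\
10:00:01 10.0.0.1 00:11:5a:00:00:01 reply
10:00:05 10.0.0.7 00:11:5a:00:00:07 reply
10:00:09 10.0.0.1 00:11:5A:00:00:01 request
10:00:12 10.0.0.1 de:ad:be:ef:00:99 reply
10:00:13 10.0.0.9 00:11:5a:00:00:09 request
"""


def parse_capture(text: str) -> List[Tuple[str, str, str, str]]:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, mac, op = line.split()
        rows.append((ts, ip, mac.lower(), op))   # MAC case is not significant
    return rows


def detect_conflicts(rows) -> List[dict]:
    """One alert per packet whose sender MAC differs from the MAC first seen
    for that sender IP. The first binding is kept as the reference until an
    operator clears it, so a flapping attacker produces repeated alerts."""
    table: Dict[str, str] = {}
    alerts = []
    for ts, ip, mac, op in rows:
        known = table.get(ip)
        if known is None:
            table[ip] = mac
        elif known != mac:
            alerts.append({"time": ts, "ip": ip, "old_mac": known, "new_mac": mac, "op": op})
    return alerts


if __name__ == "__main__":
    for a in detect_conflicts(parse_capture(CAPTURE)):
        print(f"{a['time']} possible ARP spoofing: {a['ip']} moved from "
              f"{a['old_mac']} to {a['new_mac']} ({a['op']})")
```

A legitimate change (replaced network card, VRRP failover, DHCP lease reuse) triggers the same alert, so the reference table is normally seeded from the asset inventory or, on managed switches, from the DHCP snooping table (Dynamic ARP Inspection).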

building HTML pages (linked to the Microsoft IIS Web server technology). Equivalent to JSP in the Java community.

ASP (Application Service Provider): A rising IT model that enables a customer to rent an application for a given time; the provider remotely leases the software through the Internet or a dedicated link.

ATM: Asynchronous Transfer Mode. This communication protocol stack is aimed at supporting broadband multimedia communication services. It is able to guarantee bandwidth to applications, so it supports QoS. Upper layers introduce the virtual channel, which relies on a virtual path. The notion of cell (a fixed-size transmission unit) is also important in this standard. Lower layers (link, physical) are covered by SDH, which introduces the transmission path. Today, TCP/IP networks seem to have won the battle against ATM.

Authentication: Security scope. The process of verifying the identity of an entity that takes part in an interaction in a (distributed) computer system. For example, providing a username and password to log into your NT session is an authentication process. Today, authentication can also rely on physical means (fingerprint, eye print, smart card, etc.). It is associated with the public/private keys of asymmetric algorithms such as RSA (PGP is a product built on such algorithms, not an algorithm itself). The idea is the following. When you apply the algorithm to a flow of data with one key of the pair, the result is assumed to be unreadable without the other key, provided the key is big enough (for RSA, 1024 bits was the common size when this document was written; 2048 bits is the minimum recommended today). The reverse operation is achieved by applying the algorithm to the encrypted flow using the other key of the pair. A public key is assumed to be authentic if it comes with a certificate provided by a certification authority (e.g. www.verisign.com). This is part of the PKI scheme.

In fact, the sender first hashes the initial message (with SHA-1, Secure Hash Algorithm; RIPEMD-160 is an alternative with the same 160-bit output; SHA-1 collisions have since been demonstrated and SHA-256 is used today). This process provides a "secure digest" of fixed length, a kind of very advanced checksum. Then the sender applies its private key to the digest; the result, attached to the message, is the "secure encrypted digest", also called the electronic (digital) signature. Finally, the sender encrypts the whole thing for the receiver, which ensures confidentiality; in practice the message is encrypted with a random symmetric key and only that key is encrypted with the receiver's public key, because public-key operations are slow and limited to a few hundred bytes. A digital timestamp may also be added. On reception, the receiver applies its private key to recover the message and the signature. Then it applies the public key of the sender (obtained with its certificate from the certification authority, typically through an LDAP directory) to the signature. The resulting "secure digest" is matched against the received message hashed in the same way as on the sender side. If they are equal, we know the message was not corrupted and we know the sender's identity. In addition, this scheme supports non-repudiation: a digital signature backed by a certificate from a trusted third party such as Verisign cannot be disowned by the signer.

The trend is to use centralized authentication servers (LDAP v3 + SSO) in order to store the profiles of authorized users. This way, the user can access any authorized application (SSO, Single Sign-On). This approach is consistent with the PKI one. Right now, authentication is rather supported by the RADIUS protocol or by TACACS. RADIUS works over UDP/IP as a client/server mechanism (RADIUS server): the user sends a username and password and the server side validates them. Note that RADIUS only hides the password, with an MD5-based scheme keyed by a shared secret; the rest of the exchange is in clear. TACACS is even older (1984); it works over TCP/IP and comes from the Unix world (authentication of a user at a terminal). The current version, Cisco's TACACS+, encrypts the whole packet body with the shared secret.

Automation suite: Software suite based on Studio 2000 (from Microsoft) that covers the multi-station scope of Studio (topological editor, network variable definition, etc.).

Baan: Dutch ERP provider.

Back door: Security scope. A hidden entry into a piece of software, created either by the software vendor at design time or by an intruder using a dedicated intrusion tool. This door is used to get information on the company using the software without the company's knowledge or approval.
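The whole chain of the Authentication entry above, and the key derivation and "whose key" table of the RSA entry in 2.1.6, in one runnable example. This is added code, not from the glossary: textbook RSA with keys derived from two primes, a SHA-256 digest signed with the sender's private key, the message and signature then encrypted for the receiver, and the receiver decrypting and checking the signature. The primes are small, well-known ones so the arithmetic is visible, and there is no padding; both make this unfit for real use (real keys are at least 2048 bits, with OAEP/PSS padding and a symmetric session key for the bulk data). The message and key pairs are constructed.

```python
"""Textbook RSA and the hash-sign-encrypt / decrypt-verify flow.

Added example for the RSA and Authentication entries; not code from the
glossary. Toy parameters: small primes, no padding, chunked encryption.
"""
import hashlib
from math import gcd


def keygen(p: int, q: int, e: int = 65537):
    """Public key (n, e) and private key (n, d) from two primes. p and q are
    not needed afterwards; anyone who has them can recompute d."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                      # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub, m: int) -> int:              # receiver's public key
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:             # receiver's private key
    n, d = priv
    return pow(c, d, n)


def digest(msg: bytes, n: int) -> int:
    """SHA-256 of the message, reduced below n (a real scheme pads instead)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, msg: bytes) -> int:            # sender's private key
    n, d = priv
    return pow(digest(msg, n), d, n)


def verify(pub, msg: bytes, sig: int) -> bool:  # sender's public key
    n, e = pub
    return pow(sig, e, n) == digest(msg, n)


CHUNK = 7   # 7-byte chunks are < 2**56, below both moduli used here


def encrypt_bytes(pub, data: bytes) -> list:
    padded = data + b"\x00" * (-len(data) % CHUNK)
    return [encrypt(pub, int.from_bytes(padded[i:i + CHUNK], "big"))
            for i in range(0, len(padded), CHUNK)]


def decrypt_bytes(priv, blocks: list) -> bytes:
    return b"".join(decrypt(priv, c).to_bytes(CHUNK, "big") for c in blocks)


def send(msg: bytes, sender_priv, receiver_pub) -> list:
    """Hash, sign with the sender's private key, encrypt for the receiver."""
    sig = sign(sender_priv, msg)
    package = len(msg).to_bytes(2, "big") + msg + sig.to_bytes(8, "big")
    return encrypt_bytes(receiver_pub, package)


def receive(blocks: list, receiver_priv, sender_pub):
    """Decrypt with the receiver's private key, verify with the sender's
    public key; returns (message, signature_ok)."""
    package = decrypt_bytes(receiver_priv, blocks)
    length = int.from_bytes(package[:2], "big")
    msg = package[2:2 + length]
    sig = int.from_bytes(package[2 + length:10 + length], "big")
    return msg, verify(sender_pub, msg, sig)


# Constructed key pairs from well-known (far too small) primes.
ALICE_PUB, ALICE_PRIV = keygen(1000000007, 998244353)
BOB_PUB, BOB_PRIV = keygen(1000000009, 999999937)

if __name__ == "__main__":
    wire = send(b"open valve 3", ALICE_PRIV, BOB_PUB)
    print("on the wire:", wire)
    print("Bob receives:", receive(wire, BOB_PRIV, ALICE_PUB))
```

The four table rows map onto the four calls: encrypt (receiver's public), decrypt (receiver's private), sign (sender's private), verify (sender's public). What the certificate adds is the assurance that ALICE_PUB really belongs to Alice; the code above takes that on trust.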

Backplane: On a PLC, it corresponds to the bus that connects the CPU with the extension boards.

Bandwidth monitoring: Control Intranet (TF) scope. Inside NOE/ETY (so FactoryCast) modules, the idea is to allocate processor resources (memory, CPU horsepower, network throughput, etc.) to software components (services). The FactoryCast function (JVM, Web server, tag access) has to be part of this initiative.

BER: Basic Encoding Rules. Network scope, linked to ASN.1. These rules indicate how a communication protocol is encoded on the wire (i.e. the machine-code version of a C source program). A BER encoder is used on the source side and a BER decoder on the receiver side. This is part of layers 6-7 of the OSI protocols. On the Premium PLC range, a home-made variation (PER, Packed Encoding Rules) has been defined and used. Every BER element carries its own length field; a decoder must check that length against the remaining buffer before using it, as unchecked lengths are a recurring source of memory-safety bugs in protocol stacks.

Big-endian: This is a way to store integers in the memory of a computer (or to represent them on a communication wire). The most significant byte is stored first (i.e. at the lower memory address, or as the first byte of the integer on the wire). This is the Motorola style, and also the network byte order used by TCP/IP headers. See also little-endian.

Bluetooth: A new protocol (1 Mbit/s, in the 2.4 GHz band with frequency hopping) that uses radio communication to connect slave devices to a master one (for example, a printer to a PC). It can connect up to 8 devices together (a micro-network, or piconet) within about 10 metres (a 100-metre class exists). These micro-networks may be connected together. The forecast within a few years is hundreds of millions of connection points of this type! In France, part of the band used by this protocol was reserved for the French army. The army backtracked and freed it. It shows how important this is. A second version of Bluetooth was announced as aiming at 10 Mbit/s.

BOL: Block Offset Length. Unity scope. A way to access PLC data using the UMAS protocol extension. This is a semi-physical access. A located or unlocated variable symbol maps onto a BOL. P-Server manages the symbolic information.

BOOTP: Bootstrap Protocol. This protocol (over UDP) is used at power-up in order to get an IP address (based on the station's MAC address). This address is provided by a BOOTP server. BOOTP has no authentication: a rogue server on the same segment can hand out an address and a gateway of its choosing, so only the intended server should be reachable from field devices.

Bridge: In the communication world, it corresponds to a software or hardware device that is used to connect two link layers (level 2) together. These link layers are of the same type.

BSP: Board Support Package. Software package that maps a specific RTOS onto a specific hardware.

Business object: This is a special case of an infrastructure service. In this case, the customer develops his own infrastructure service (based on the EMOS frameworks and other services). A customer-made service is named this way.

B2B: Business 2 (to) Business.

B2C: Business 2 (to) Customer / Consumer. Also Back 2 (to) Computing.

C / C++ / C#: C is the most famous structured programming language. C "plus plus" is the OO evolution of C. C "sharp" is the announced "Java killer" from Microsoft (in 2001?). It is based on an intermediate code and a virtual machine, etc.

CC: Commercial Central. Function of Schneider Automation whose main goal is to deal with project marketing (product short- and mid-term policy).

CDC: Connected Device Configuration. Java scope. Have a look at J2ME.

CDP: Concurrent Development Process. Schneider Automation internal standard covering the development process from investigations to FCS.

CDMA (Code Division Multiple Access): Cellular phone technology (GSM). CDMA is a second-generation technology (900 and 1800 MHz). TDMA is also a second-generation technology. The G3 (Generation Three) technology is based on W-CDMA or TD-SCDMA.

Certificate: Security scope (have a look at "authentication"). A certificate is provided on demand by an authentication authority together with a public key to make sure that the owner of the associated private key is the one he pretends to be (it could also be an organization, a company etc). The certification authority delivers the secret key to its owner.

CFB (Communication Function Block): Unity scope. A CFB is able to send (UMAS) requests to other PLCs (entities). Such a function block is allowed to take a "name" as input. The UMAS protocol propagates this name to the remote UMAS server. In the target PLC, thanks to the local object dictionary (it stores (name, BOL) couples), the object access is possible.

CGI (Common Gateway Interface): This technology allows a Web server to extend the capabilities of static HTML pages by dynamically building pages (based on scripts). It is a way to interface the Web server with an external application (database access etc.).

Chai: JVM provided by HP on several platforms. It has been ported on VxWorks and on a PowerPC, but not on both at the same time. VxWorks and PowerPC are the ones used by NOE / ETY modules. Chai is close to the JDK 1.2 specification. It is even aimed to support SOAP in the future. A good level of performance is reached thanks to the ahead-of-time compiler (Turbo Chai environment). Good opportunity for the project?

CHTML (Compact HTML): i-Mode world. This is an HTML derivative, so a quick adaptation of Web server page access. The usage is dedicated to lightweight clients, which means: no frames, no scripts, no Java Applets, no Flash animations.

Churn: The act of changing mobile operator.

CI (Control Intranet): Control Intranet is a concept that corresponds to the use Schneider Automation makes of Ethernet open protocols in order to: connect Ethernet I/Os (using Modbus) to Ethernet-enabled PLCs; synchronize PLCs (and other intelligent devices); provide connectivity / integration to level 2/3 entities. This is part of the TF initiative.

CISC (Complex Instruction Set Computer): This is typically the Intel family (x86, Pentiums and now the Itanium). Instructions are more powerful than in the RISC case, but a CISC board is assumed to be less powerful (i.e. at the same frequency). It seems that the latest versions of Intel processors use a RISC core.

Class diagram: UML terminology: class diagrams show the static structure of the system, in particular the things that exist (such as classes and types) and their internal structure. Class diagrams also depict collaborations and relationships between classes, and inheritance structures. A class diagram may also show instances (or objects) and links between objects.

CLDC (Connected, Limited Device Configuration): Java scope. Have a look at J2ME.

Collaboration diagram: UML terminology: sequence and collaboration diagrams, sometimes called collectively interaction diagrams, are used to model the dynamic aspects of a system or subsystem. Both depict interactions consisting of a set of objects, their relationships, and the messages exchanged between them. Collaboration diagrams emphasize the structural organization of objects, while sequence diagrams emphasize the time ordering of messages. Collaboration diagrams are essentially graphs; sequence diagrams are essentially tables with the different objects and messages depicted across the X axis and increasing time down the Y axis. Though semantically equivalent, the two diagrams do not necessarily show the same information.

COM (COM+) (Component Object Model): The famous Microsoft object model that defines interfaces between objects. COM+ is the latest evolution.

Communication: CPU-copro interface. It corresponds to a data flow with a consistent semantic (global data, express message, IO Scanner etc.). This logical data flow maps to the physical channel interface in such a way that independence between channels is more than a wish (it depends on the physical interface capabilities).

Component diagram: UML terminology: a component, as the main element in this type of diagram, is used to package other logical elements, and represents things that participate in the execution of a system. Components also use the services of another component via one of its interfaces. Usually, components are used to visualize logical packages of source code (work product components), binary code (deployment components) or executable files (execution components). A component diagram usually shows components, interfaces and the relationships among them.

Concept: Workshop of Schneider Automation dedicated to Quantum PLCs.

Context diagram: UML terminology: it describes the system scope (i.e. external actors and basic system components + their main interactions).

Cookies: Security scope. File written on the hard disk of the Web surfer at the time the surfer is connected to a Web site. Its aim is to store surfer coordinates and behavior from one session to the next. This is a security weakness.

Copro: It corresponds to a CI board whose goal is to connect a Schneider Automation PLC to Ethernet using CI protocols (e.g. ETY, NOE, HE CPU copro, ETZ on Micro etc).

CORBA (Common Object Request Broker Architecture): An object-oriented middleware defined by the OMG. Besides the COS, CORBA defines CORBA Facilities, which means application objects. These components are pre-built and customized to a recurring usage in a company (e.g. user interface, administration tool, transactional tool etc.). In addition, Domain Services cover services common to a given industrial sector (automotive, chemistry etc.). Among the around 15 services defined by the OMG, an ORB provider does not implement all of them. It often covers naming and events. Sometimes, options are added such as encryption using SSL, load balancing, fault tolerance. CORBA 1.1 defined IDL and the APIs necessary for interactions with ORBs. CORBA 2 covers interoperability between ORBs of various providers. This is the current version implemented by ORB vendors. CORBA 3 (defined but not yet really implemented) covers Internet communication and a Naming service based on URLs (+ QoS). So, there are add-ons in order to adapt to various needs such as thin clients, real-time computing and fault tolerance to hardware failures. ORB communication relying on a thin client is based on Applets and IIOP (the ORB is part of Netscape Communicator; this is not the case for Microsoft Explorer -> the ORB has to be downloaded from the Web site). Of course, the major problem is the Java sandbox. A proxy server could be used in this case (so the Applet thinks it is talking with its Web server machine). CORBA 3 also defines how it is possible to deal with firewalls in order to establish a bi-directional communication through them, though IIOP is a rather exotic protocol for a firewall.

COS (Common Object Services): In the CORBA scope, generic denomination of the set of standard services defined by the OMG. It includes naming, persistence, component life cycle, event manager, security, and transactions.

Cracker: Some kind of deviant hacker whose purpose is to steal secrets or destroy files etc. Motives are politics, money, destruction pleasure etc.

CRL (Certificate Revocation List): Security scope. This list contains certificates that are no longer valid, for various reasons.

CRM (Customer Relationship Management): New Internet paradigm that covers how to manage a good customer relationship using Internet technologies.

CSS (Cascading Style Sheets): HTML scope. This (old) technology is used to hold presentation information that is applied to HTML flow content. Thus, the HTML contains a minimum amount of display information.

CSV (Comma Separated Values): A specific EXCEL file format that contains values separated by commas (pure ASCII file).

CVM (C Virtual Machine): Java scope. This is Sun's JVM for embedded platforms (J2ME) for high-end devices (CDC). The CVM is a full-featured Java 2, "Blue Book" virtual machine (note: the "Blue Book" is Sun's specification of the Java 2 VM). The first delivery of Sun targets Linux and VxWorks enabled devices.

DC: Development Central (Schneider Automation R&D). Also Daimler-Chrysler (company).

DCOM: Distributed COM.

DDoS (Distributed Denial of Service): Security scope. Distributed version of the DoS. In this case, the attack is performed by a set of machines; it is more difficult to detect.

Deadband: FC IT or OFS trigger context. When an analog datum is monitored for a value change, it isn't desired to notify a value change for a small change, since the associated temperature, pressure etc. may oscillate around an average value. Using a deadband (positive value), a change isn't notified if the new value lies within the previous sample plus or minus this deadband.

DECT (Digital Enhanced Cordless Telecommunication): Wireless protocol used between a phone and its fixed base (usually used at home).

Deployment diagram: UML terminology: this is a graph of nodes connected by communication associations, and it shows the physical architecture of the hardware and software of the system. It indicates how to map components (+ interfaces) on system nodes.

DES / 3DES (Data Encryption Standard): The most popular symmetric encryption algorithm. The unique key is kept secret since it is used for both encryption and decryption. 3DES is an evolution that provides better confidentiality (i.e. more difficult to crack) than DES. However, 3DES is less time-consuming than RSA. It means that RSA is restricted to session key exchange; DES or 3DES is then used (have a look at IPSEC, SSL, TLS etc.). Have also a look at AES (Rijndael).

Design pattern: O-O scope. "Each pattern describes a problem which occurs over and over again in our environment, and then describes the core of the solution to that problem, in such a way that you can use this solution a million times over, without ever doing it the same way twice". So, a design pattern is identified by a name and provides a solution to a well-known problem. The key idea is: do not invent a new solution, keep it quick and simple. There are a lot of books that deal with design patterns. It is very useful to use them at architecture and design time. For example, EMOS uses the Finder and the Factory design patterns (together with the MVC (Model View Controller) design pattern for a service). A very simple example is the Singleton, which describes how to make sure that we'll have at most one instance object of a given object class.

DHCP (Dynamic Host Configuration Protocol): An improved version of BOOTP (so a DHCP server etc). It includes more information.

DISCO (DISCOvery of web services): Protocol promoted by Microsoft whose aim is exactly the same as ADS of IBM.

DIT / DIT schema (Directory Information Tree): This is the LDAP database. It has a hierarchical structure whose nodes are described in an OO way (so instances of a class with attributes). Object class definitions and the DIT structure (database building rules) are part of the DIT schema.
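As an added example (not code from Factory Cast, OFS or this glossary), the following Python monitor implements the rule given in the Deadband entry above: a sample is notified only when it leaves the band of the last notified value plus or minus the deadband, so noise around an average value stays silent while a real drift is reported. The sensor readings are constructed for the example.

```python
"""Deadband change notification (added example, not from the original glossary)."""
from typing import List, Optional, Tuple


class DeadbandMonitor:
    """Notifies a change only when the value leaves
    [last_reported - deadband, last_reported + deadband].
    The first sample is always notified, since there is no reference yet."""

    def __init__(self, deadband: float) -> None:
        if deadband < 0:
            raise ValueError("deadband must be a positive value")
        self.deadband = deadband
        self.last_reported: Optional[float] = None

    def update(self, value: float) -> bool:
        """Return True if `value` is notified; it then becomes the new reference."""
        if self.last_reported is None or abs(value - self.last_reported) > self.deadband:
            self.last_reported = value
            return True
        return False


def filter_samples(samples: List[float], deadband: float) -> List[Tuple[int, float]]:
    """Run a sample stream through a monitor; return (index, value) of notified samples."""
    monitor = DeadbandMonitor(deadband)
    return [(i, v) for i, v in enumerate(samples) if monitor.update(v)]


# Constructed temperature readings: noise around 20.0, then a real rise towards 22.
SAMPLES = [20.0, 20.2, 19.9, 20.4, 19.7, 20.1, 21.0, 21.3, 22.1, 22.0, 22.4]

if __name__ == "__main__":
    for idx, val in filter_samples(SAMPLES, deadband=0.5):
        print(f"sample {idx}: notified {val}")
```

With a deadband of 0.5 only samples 0, 6 and 8 are notified; with a deadband of 0 every sample is, which is the chatter the entry warns about.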

(DIT / DIT schema, continued) This schema is also part of the DIT (some kind of self-describing means, introspection).

DM (Device Manager): Software component which is the central coordinator of a CI board.

DMZ (DeMilitarized Zone): Security scope. This zone is located between the company's internal network and the Internet. A DMZ network is a network isolated from the enterprise network but protected by firewalls with filtering rules dedicated to the DMZ or the internal network.

DMI agent (Desktop Management Interface agent): This agent is used in a Windows desktop in order to make a remote inventory of the platform configuration (administration purpose).

DNS (Domain Name System): This is a distributed database used by TCP/IP applications in order to establish a correspondence between a machine name and an IP address (+ provide routing information for email). The name resolver is a DNS server, which is accessed using the DNS protocol (over UDP).

DOM (Document Object Model): Part of the XML world dedicated to document management. The XML document is completely parsed and represented in central memory as a tree. It means straight access. However, if the document is too big, it is better to access it using a stream- and event-based API (SAX).

DoS (Denial of Service): Security scope. This is a connection depletion attack that precludes a Web server from servicing incoming connections. We got famous examples recently with the Yahoo and CNN Web sites. This massive attack is performed by a set of computers that flood the Web server with incoming connection openings. The result is that the Web server is unable to accept normal connections.

DSA (Directory System Agent): LDAP scope. An entity working on the server side of the LDAP protocol. It provides access to the DIT.

DSA (Digital Signature Algorithm): Security scope (have a look at "authentication", "encryption"). A popular public-key technique, though it can be used only for signatures, not encryption.

DTD (Document Type Definition): XML scope. It defines how an XML flow has to be interpreted (i.e. its syntax). It is used by XML encoders / parsers. It is now outdated and the trend is its replacement by XML schemas (enhanced type definition and XML description of the grammar).

DTM (Dynamic Synchronous Transfer Mode): Communication protocol. New promising technology promoted by the IEC (http://www.iec.org/tutorials/dtm_fund/index.html).

Dynamic synchronous transfer mode (DTM) is an exciting networking technology. The idea behind it is to provide high-speed networking with top-quality transmissions and the ability to adapt the bandwidth to traffic variations quickly. DTM is designed to be used in integrated service networks for both distribution and one-to-one communication. It can be used directly for application-to-application communication or as a carrier for higher-layer protocols such as Internet protocol (IP). DTM combines the two basic technologies used to build high-capacity networks, circuit and packet switching, and therefore offers many advantages. It also provides several service-access solutions to city networks, enterprises, residential and small offices, content providers, video production networks, and mobile network operators.

More details:

Over the last few years, the demand for network-transfer capacity has increased at an exponential rate. The impact of the Internet; the introduction of network services such as video and multimedia that require real-time support and multicast; and the globalization of network traffic enhance the need for cost-efficient

networking solutions with support for real-time traffic and for the transmission of integrated data, both audio and video. At the same time, the transmission capacity of optical fibers is today growing significantly faster than the processing capacity of computers. Traditionally, the transmission capacity of the network links has been the main bottleneck in communication systems. Most existing network techniques are therefore designed to use available link capacity as efficiently as possible with the support of large network buffers and elaborate data processing at switch points and interfaces. However, with the large amount of data-transfer capacity offered today by fiber networks, a new bottleneck problem is caused by processing and buffering at switch and access points on the network. This problem has created a need for networking protocols that are not based on computer and storage capacity at the nodes but that instead limit complex operations to minimize processing on the nodes and maximize transmission capacity.

Against this background, the DTM protocol was developed. DTM is designed to increase the use of fiber's transmission capacity and to provide support for real-time broadband traffic and multicasting. It is also designed to change the distribution of resources to the network nodes dynamically, based on changes in transfer-capacity demand.
DTM is fundamentally a circuit-switched, time division multiplexing (TDM) scheme. It guarantees each host a certain bandwidth and uses a large fraction of available bandwidth for effective payload data transfer. In common with asynchronous schemes such as ATM, DTM supports dynamic reallocation of bandwidth between hosts. This means that the network can adapt to variations in the traffic and divide its bandwidth between nodes according to demand. In contrast to SDH/SONET, multirate channels or circuits can be established on demand in DTM, and the capacity of a channel can be changed according to traffic characteristics during operation.
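The connection depletion attack described under DoS above is most easily recognised from the server side by counting connection openings per client over a short window. The following is an added example, not part of the original glossary: a small Python detector run over constructed connection-log lines (the log format, addresses, window and threshold are all assumptions made for the example). Keying the counter on the destination port instead of the source address covers the distributed case described under DDoS, where no single source stands out but the aggregate rate does.

```python
"""Connection-flood (DoS / DDoS) detection over connection logs.

Added example, not part of the original glossary. Log format is constructed:
'<epoch seconds> CONNECT <client ip> <server port>'.
"""
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Tuple

Event = Tuple[float, str, int]

# Constructed sample log: one client browsing normally, one hammering port 80.
SAMPLE_LOG = """\
1000.0 CONNECT 10.0.0.5 80
1000.4 CONNECT 10.0.0.5 80
1000.5 CONNECT 192.168.7.9 80
1000.6 CONNECT 192.168.7.9 80
1000.7 CONNECT 192.168.7.9 80
1000.8 CONNECT 192.168.7.9 80
1000.9 CONNECT 192.168.7.9 80
1001.0 CONNECT 192.168.7.9 80
1001.1 CONNECT 192.168.7.9 80
1004.0 CONNECT 10.0.0.5 443
1015.0 CONNECT 192.168.7.9 80
"""


def parse_log(text: str) -> List[Event]:
    """Parse log lines into (timestamp, source ip, destination port); skip malformed lines."""
    events: List[Event] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "CONNECT":
            continue
        events.append((float(parts[0]), parts[2], int(parts[3])))
    return events


def detect_floods(events: List[Event], window: float, threshold: int,
                  key: Callable[[Event], str] = lambda e: e[1]) -> List[Tuple[float, str, int]]:
    """Return (time, key, count) whenever a key exceeds `threshold` openings within the
    trailing `window` seconds. `key` selects what is counted: source address by default
    (single-source DoS), destination port for the distributed case."""
    recent: Dict[str, Deque[float]] = defaultdict(deque)
    alerts: List[Tuple[float, str, int]] = []
    for ev in sorted(events):
        ts, k = ev[0], key(ev)
        q = recent[k]
        q.append(ts)
        while q and ts - q[0] > window:   # evict timestamps that left the window
            q.popleft()
        if len(q) > threshold:
            alerts.append((ts, k, len(q)))
    return alerts


def flooding_sources(text: str, window: float = 1.0, threshold: int = 5) -> List[str]:
    """Distinct source addresses that triggered an alert, in order of first alert."""
    seen: List[str] = []
    for _ts, src, _n in detect_floods(parse_log(text), window, threshold):
        if src not in seen:
            seen.append(src)
    return seen


if __name__ == "__main__":
    for ts, src, n in detect_floods(parse_log(SAMPLE_LOG), window=1.0, threshold=5):
        print(f"t={ts:.1f}s {src} opened {n} connections in the last second")
```

Whether an alert means an attack or a busy proxy depends on the threshold, which should be set from the server's normal per-client rate; the per-port variant fires earlier here because it adds the legitimate client's openings to the flood.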

DUA (Directory User Agent): The application program running on the client side of an LDAP communication (so above the LDAP user/client communication stack).

DWDM (Dense Wavelength Division Multiplexing): Communication technology. Cutting-edge technology applied to fiber optics. The idea is to aggregate several laser beams in the same optical fiber, so in one and only one light signal. Today, it is possible to perform 32 x 2.5 Gbit/s, 160 x 10 Gbit/s (1.6 Tbit/s). The theoretical limit is 15 Tbit/s. So, this technology enables very high bandwidth IP backbones. This is a subpart of the WDM technologies family.

DXML (Dynamic XML): Java library package (from Object Space Inc) whose goal is to provide a high-level abstraction in order to manipulate an XML document (file). This is a toolkit. For example, the xgen command applied to a DTD file produces the Java code used to create, read, update and delete a corresponding XML file. xgen is a meta-compiler like YACC in the UNIX world (YACC is applied to a .y or .yacc file that describes the syntax of a source language or another structured file).

ebXML (electronic business XML): There are a lot of XML usages in e-business (Biztalk (1), eCO, cXML etc.). The ebXML initiative is aimed to help companies to talk B2B. So, a registry is accessed to get B2B interaction profiles (CRP = Collaborative Partner Profile) before establishing a communication between the two companies, then the type of interaction is negotiated before starting to talk XML for business purposes.

ELC (Embedded Linux Consortium): Non-profit, vendor-neutral trade association whose goal is the advancement and promotion of Linux throughout the embedded, applied and appliance computing markets (www.embedded-linux.org).

Electronic (digital) signature: Have a look at "authentication".

Encryption: Security scope. A software (possibly hardware) algorithm used to convert human- (machine-) readable information into assumed non-forgeable and non-readable information (a file, a buffer, a message). The idea is to enforce data privacy and also to preclude data corruption. The most famous algorithms are RSA, DSA and PGP. They are based on asymmetric keys (one public and one private). DES is a symmetric algorithm.

(1) Biztalk is the Microsoft solution that relies on XML and SOAP.

(Encryption, continued) The sender of the message encodes data with his private key and the receiver decodes it with the public key. This is a simple approach. The other way is also possible: encryption is made with the public key and decryption is performed with the private key.

END (Enhanced Network Driver): Component that is able to attach itself to the multiplex interface of the Wind River Systems TCP/IP stack (VxWorks) to provide access to a network interface (or serial interface or any specific communicating interface).

EMOS (EMbedded Object Server): Name of the middleware / anticipation project supported by Schneider Automation (98-2000).

EPP (Extensible Provisioning Protocol): Have a look at XML Trust Services.

ERP (Enterprise Resource Planning): IT level of an enterprise that deals with resource planning (such as SAP).

Ethernet (802.3): A link layer (+ physical layer) standard in the network world. It is based on CSMA/CD (try to transmit later on in case of collision). The transmission time of a packet is not deterministic due to collisions (back-off algorithm). The Ethernet maximum frame size is 1518 bytes.

ETHWAY: Communication network based on Ethernet that connects S7 PLCs. It mainly uses XWAY datagrams without IP. The new way is to encapsulate XWAY datagrams in a MBAP APDU over TCP/IP (outside the scope of ETHWAY).

ETY: Ethernet / Internet enabled module for the Premium PLC range (based on VxWorks over an 860T PowerPC).

EU: Engineering Unit. Also European Union.

Exec: PLC scope. This is the operating system of the PLC main board (CPU). It supports the user program execution, communication with the outside etc. In the case of UNITY platforms, this Exec relies on the VxWorks RTOS.

Extranet: Extension of the Intranet of a company / organization to customers or other entities. Generally, the functionalities of an Extranet are a subset of the ones of the Intranet, with possibly some extra features.

E-wallet: Electronic (virtual) wallet used to buy through the Internet.

FCIT: Factory Cast IT.

FCIT configuration of a server: This is the configuration of a FCIT server (embedded or not). It covers various information such as the IP address, the type of JVM etc. The code associated to services mapped onto a server is automatically determined at mapping time, before deployment. The server configuration is part of the FCIT application definition, which also includes services selection and customization.

FCS (Factory Cast Server): A partial view of the Factory Cast product, which corresponds to the ability to provide access to control process data.

FCS (First Customer Shipment): In the CDP, the final step, which means that the product is ready for delivery to customers.

FCS (Frame Check Sequence): Ethernet protocol scope. The checksum field at the end of the link layer frame.

FDR (Fault Device Replacement): Control Intranet scope (so TF). The idea is to be able to replace a faulty (partially or completely out of order) device in the simplest way (possibly just plug & play a new device). It should cover the FCIT modules (ETY and NOE).

FEC (Fast Ethernet Controller): Ethernet controller of the PowerPC 860T (10/100 Mb/s).

FIPWAY / FIPIO: Communication network based on FIP standards. Fipway is used to connect S7 and Premium PLCs, while Fipio is used to connect IOs and other devices to a S7, Premium or S1000 PLC.

Firewall: Software running on the front (gate) of a computer system (possibly distributed), at the door of the system's Internet access.

(Firewall, continued) This is an Internet gateway. The idea is to preclude virus intrusion, hacker / cracker intrusion etc. It is based on TCP / UDP port access restriction, port scan detection etc. There are more than 130 000 accessible ports! A firewall is necessary if the Internet connection is based on a fixed IP address, is permanent or lasts a significant time (let's say above one or two hours). This is an important piece of the security framework. In addition, we often find a proxy server in front of company firewalls (database used to manage access rights etc). This security proxy interfaces to the LDAP database on the Intranet in order to check the credentials of a user together with his access rights. If it is ok, the proxy forwards IP frames to the right application on the right machine (i.e. IP address change on incoming and outgoing accesses). It may be useful to use several firewalls in cascade, so that one of them is able to compensate for the security weaknesses of another one.

Flat billing: Telephony and IP scope. Some American and Scandinavian companies promote an all-in price way to use IP telephony based on fast Internet access.

Framework: Some kind of giant design pattern that answers a complex problem (though it isn't reusable, since the problem is very specific). Other important criteria are the size, the modularity and the extensibility of the resulting solution. EMOS is a framework.

FTP (File Transfer Protocol): Client/server protocol (over TCP) used to read or write a file into a remote station (the FTP server side).

Garbage collector: Java scope. Algorithm of the JVM that should free memory no longer used by objects (i.e. no more references to the instance data of an object). This algorithm may block the JVM during its execution or may run more smoothly. So, system latency and performance are key factors.

Gateway: A gateway connects two protocol stacks at the layer 7 (application) level. For example, this technology is used to connect the HTML / HTTP world to the WAP world.

GDE (Graphical Data Editor): Applet of the current Factory Cast product that is used to define screens with graphical widgets linked to PLC data.

Global Data: Software component of a CI board whose purpose is to provide PLC synchronization services (network variables). It relies on NDDS, the publish / subscribe protocol of RTI.

GPRS (General Packet Radio Service): Evolution of the GSM with more bandwidth (30 to 115 Kbit/s) based on packet-oriented communication (so, we can separate voice and data). The deployment is envisioned in 2001.

GSM (Global System for Mobile): Current technology for cellular phones (9.6 Kbit/s, no separate channels for data and voice).

GUI: Graphical User Interface.

Hacker: A person who likes breaking the security barriers of computer systems, especially through communication networks. This is a sport and a hobby; the real hacker does not destroy files, nor steal secrets.

HDML (Handheld Device Markup Language): The Handheld Device Markup Language (HDML V2.0) is a simple language used to create hypertext-like content for small-display, handheld devices. The World Wide Web provides a robust, flexible, and ubiquitous model for information access. The adoption of the WWW as the preferred means of disseminating and accessing information from desktop PCs and workstations has created a demand for access to the same information from other devices. These devices or "alternate platforms" range from voice- and fax-based user agents to low-cost Network Computers to handheld devices such as mobile phones and PDAs.

HE CPU (High End CPU): New common hardware base for the Premium and Quantum PLC ranges (Unity scope).
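The DMZ and Firewall entries above describe filtering rules that restrict TCP / UDP ports per zone and keep the DMZ isolated from the internal network. The following is an added example, not part of the original glossary or of any Schneider Automation product: a first-match packet filter written in Python, with an assumed zone layout (the address ranges, rule set and sample flows are constructed for the example), evaluated against a few flows so the effect of each rule, including the default deny, can be checked.

```python
"""First-match zone filtering between Internet, DMZ and internal network.

Added example, not part of the original glossary. Zones, ranges, rules and
flows are assumptions chosen for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed zone layout (example values, not from the document).
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}


def zone_of(ip: str) -> str:
    """Map an address to a zone; anything outside our ranges is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str            # "internet", "dmz", "internal" or "*"
    dst_zone: str
    proto: str               # "tcp", "udp" or "*"
    dst_port: Optional[int]  # None means any port
    action: str              # "allow" or "deny"

    def matches(self, src_zone: str, dst_zone: str, proto: str, dst_port: int) -> bool:
        return (self.src_zone in ("*", src_zone)
                and self.dst_zone in ("*", dst_zone)
                and self.proto in ("*", proto)
                and (self.dst_port is None or self.dst_port == dst_port))


# Evaluated top to bottom; first match wins; anything unmatched is denied.
RULES: List[Rule] = [
    Rule("internet", "dmz", "tcp", 80, "allow"),     # public web front end
    Rule("internet", "dmz", "tcp", 443, "allow"),
    Rule("internal", "dmz", "tcp", None, "allow"),   # administration of DMZ hosts
    Rule("dmz", "internal", "*", None, "deny"),      # DMZ stays isolated from the inside
    Rule("internet", "internal", "*", None, "deny"),
]


def decide(src_ip: str, dst_ip: str, proto: str, dst_port: int, rules: List[Rule] = RULES) -> str:
    """Return 'allow' or 'deny' for one flow; default deny when no rule matches."""
    sz, dz = zone_of(src_ip), zone_of(dst_ip)
    for rule in rules:
        if rule.matches(sz, dz, proto, dst_port):
            return rule.action
    return "deny"


# Constructed sample flows (TEST-NET documentation addresses for the outside).
FLOWS = [
    ("203.0.113.7", "192.0.2.10", "tcp", 443),  # Internet -> DMZ web server
    ("203.0.113.7", "192.0.2.10", "tcp", 22),   # Internet -> DMZ ssh
    ("203.0.113.7", "10.1.2.3", "tcp", 80),     # Internet -> internal host
    ("192.0.2.10", "10.1.2.3", "tcp", 445),     # DMZ -> internal file share
    ("10.1.2.3", "192.0.2.10", "tcp", 22),      # internal admin -> DMZ ssh
]


def evaluate_flows(flows=FLOWS) -> List[str]:
    return [decide(*flow) for flow in flows]


if __name__ == "__main__":
    for flow, verdict in zip(FLOWS, evaluate_flows()):
        print(f"{flow[0]:>14} -> {flow[1]:<12} {flow[2]}/{flow[3]:<4} {verdict}")
```

The second flow shows why the default matters: no rule mentions port 22 from the Internet, and the filter denies it rather than letting an unlisted service through.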

(HE CPU, continued) It embeds a CI copro.

HIAL (Host Interface Abstract Layer): Interface common to all CI boards in order to access the host (i.e. the PLC). It hides the real host interface differences. This concept is close to the HAL (Hardware Abstraction Layer of Windows NT).

High-speed Internet: The speed is the one of the connection means to the Internet. It also means that the Internet pipes are big enough. Current technologies that will provide common people with this fast access are: ADSL, cable, local radio loop, etc. Today, Ethernet 1 Gbit/s becomes a reality (a lot of boards). Ethernet 10 Gbit/s appears. In labs, fiber optic experiments reach 5 Tbit/s (several wavelengths on the same fiber). Theory indicates that we can go up to 15 Tbit/s.

HMI: Human Machine Interface.

Hoaxes: Security scope. Emails spreading rumors or wrong information (e.g. false viral attack, free distribution of Ericsson WAP terminals etc.).

Hotspot: Applies to JDK 1.2 JVM or later. This is a set of algorithms that boost Sun's JVM (runtime performance), thus covering the garbage collector etc. There is a variant for a server-dedicated JVM (smooth and equal performance) and a client one (best performance most of the time).

HTML (HyperText Markup Language): A language (syntax) based on tags (identification strings) that is used to build pages (text + graphics). This is the basic HMI of a Web browser. A hyperlink is a special type of tag that identifies (URL) another page, possibly on another web site (Web navigator).

HTTP (HyperText Transport Protocol): Protocol (over TCP) used to transfer HTML data (Web pages) from the Web server to the Web client (browser). HTTP 1.1 is the latest widespread version.

HTTPS (HyperText Transport Protocol Secure): HTTP secured by SSL or TLS. Because SSL and TLS are very similar but not interoperable, it is better to support both at the same time.

HyperLAN II: Wireless communication protocol. It works at the 5 GHz frequency. The throughput is up to 54 Mbps and it includes 8 real priority levels (QoS). It is currently under validation by the ETSI (European Telecommunication Standards Initiative). This is a very serious competitor for 802.11b/p. A dedicated consortium is pushing each solution.

H.323: Have a look at VoIP.

ICMP (Internet Control Message Protocol): A part of the IP protocol used to carry IP level errors.

IAD (Integrated Access Device): Network scope. Such a device is able to provide a clever interface to networks. This is a new cutting-edge technology from America. For example, Alcatel provides such a device in order to connect the ADSL unbundling box in the telephony building to the Internet using different flows such as Voice, VPN etc. See also MGCP.

ICA (Independent Computing Architecture): Protocol from Citrix that is a competitor for RDP from Microsoft.

IDA (Interface for Distributed Automation): A consortium (mainly German companies, RTI and Schneider Automation) whose aim is to specify interfaces for distributed automation based on various technologies. For example, NDDS is part of the discussions. Several DC people from Seligenstadt participate in this task. They are part of the TF architecture group.

IDL (Interface Definition Language): CORBA and DCOM scope. Language used to define remote object interfaces (stub on the client side / skeleton implementation interface on the server side). The DCOM version is different from the CORBA one.

Idl2Java: CORBA / Java scope. This tool is able to convert an IDL interface definition into a Java interface. This is a CORBA enabler for Java. Have a look at RMIC (RMI wizard for Java enabled applications).

IETF (Internet Engineering Task Force): A set of persons from various origins that are mandated by the W3C to define Internet protocols.

IGMP (Internet Group Management Protocol): This TCP/IP protocol is used by machines and routers that support multicast. It is more or less part of IP. So, all systems located on the same physical network are signaled that such a machine belongs to such a group (especially useful for multicast routers in order to select the appropriate forwarding interfaces). This is done at the time a process joins a multicast group. So, IGMP is bound to UDP when dealing with publish / subscribe mechanisms.

IIOP (Internet Inter-ORB Protocol): The TCP/IP based protocol used to support CORBA interactions (so a mapping of GIOP (General Inter-ORB Protocol) over TCP/IP).

IIS (Internet Information Server): Web server technology from Microsoft. IIS5 is enhanced by W2K. A dedicated memory space and CPU bandwidth is allocated to IIS. In addition, a dedicated bandwidth is allocated to the various Web protocols (HTTP, FTP, SMTP, news, etc).

IKE (Internet Key Exchange): Communication protocol. IKE is a key management protocol standard that is used in conjunction with the IPSec standard. IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard. IKE is a hybrid protocol which implements the Oakley key exchange and the Skeme key exchange inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. (ISAKMP, Oakley, and Skeme are security protocols implemented by IKE.) IKE automatically negotiates IPSec security associations (SAs) and enables IPSec secure communications without costly manual preconfiguration.

iMode: The Japanese equivalent of WML/WAP. However, the rising sun solution is much more successful, since 11 million cellular phones are iMode enabled (due to better performance and better services). iMode is promoted by NTT DoCoMo (the equivalent of Itineris of France Telecom).

Infrastructure service: EMOS scope. Such a service (Java code) runs on one or several EMOS server(s). It is aimed to provide an added-value functionality to the customer. This service is provided by Schneider Automation. An infrastructure service interfaces the EMOS framework with the upper "user" level (MES, ERP, Web browser etc.).

Internet: The "network of networks" based on the IP (layer 3) protocol. The range of protocols that forms the Internet is called TCP/IP. The most famous protocols are UDP, TCP, HTTP (support for Web pages), SMTP (support for emails), FTP (file transfer) etc.

Intranet: "Private Internet" dedicated to a company, an organization etc.

Intrusion detection: Security scope. Once the firewall and the authentication mechanism have failed, a hacker (cracker) may enter the Intranet of a company. Intrusion detection plays a role at this point in order to identify attacks. It is based on two types of tools. Probes are software that sniff the network flow at strategic points. They compare frames (e.g. a corrupted IP frame) or bundles of frames against attack signatures (parallel with virus detection). It means that the signature database has to be regularly updated. Behavioral analysis relies on software agents that run on application servers. They are supposed to analyze (learn) the way users access and utilize applications.

Page 40 of 65

Security for Transparent Ready

GLOSSARY
IO scanner IP also a good way to detect internal attacks (i.e. people from the company). Just remember that 70% of attacks come from inside the company. Software component that is in charge of scanning Ethernet based Momentum IO modules in order to get inputs and set outputs. It belongs to a CI copro profile. Internet Protocol Layer 3 of the Internet based on datagrams. Today, IP V4 is in use. Because of some restrictions, weaknesses, IP V6 is supposed to replace it within a few years. It'll become mandatory because of UMTS and the hundreds of millions of mobiles that will be connected to the Web soon (i.e. lack of IP V4 addresses). In case of IP V4 (current widespread version), this is a 4-byte unsigned integer that identifies the sender and the receiver of an IP datagram. So, it identifies a station at layer 3 level. We face 3 types of addresses: Unicast: it identifies a unique sender / receiver. Class A, B and C are unicast addresses. Broadcast: it means all receivers on the same sub-network (provided that routers filter them). This is 255.255.255.255 Multicat: class D address. A group of receivers may be configured to receive a given multicast message (configuration of UDP, IP and Ethernet layers -> a multicast hash filter (Ethernet controller) on the receiver prevents most of undesired frame to reach the IP level). Be aware of managing the TTL (Time To Live) field of the IP frame in case of multicast. The information may never reach the target if not infinite or big enough. Internet Protocol V4 The current cornerstone of the Internet ages. Several liftings have been applied following different directions: IP address on 4 bytes (32 bits) with address classes. 2 Giga addresses in theory, far less in practical (due to A, B, C classes). Despite mechanisms such as address translation, we'll be out of addresses soon. Security. The Internet (Arpanet at the beginning) was aimed to connect people from universities. 
The goal was to share information, not to steal or destroy them. Now, with Internet, business etc, it becomes important to add security. So, SSL, TLS, Diffserv and various mechanisms have been included. But this is never enough. The QoS is almost impossible to implement with IP V4. Routing table size. The dynamic routing nature of IP implies that routers have to maintain big routing tables. As the number of IP addresses, networks etc increases, these tables become really huge. So, the routing algorithm requires memory resources and time. Time isn't a good thing if we want to connect high-speed trunks to routers! (Just think of "light commutators" that are emerging in labs). Internet Protocol V6 The evolution of IP V4 in order to address known weaknesses. It has been already tested at a wide range inside the university and scientific community. We're waiting for its deployment in the business / industrial / residential world. IP V6 header is of a reasonable size in comparison with IP V4 ones. Improvements covers (non exhaustive): IP address: 128 bits (16 bytes). No more problems for a while! Security QoS Size of the routing tables Internet Printing Protocol This communication protocol has been specified by the IETF (shared with the IEEE). The current widespread version is 1.0, version 1.1 is emerging. This standard is also pushed by the PWG (Printer Working Group) that gathers a lot of printer providers. Some printers that embed an Ethernet card are able to print documents through this protocol. Another way is to use an external device connected to Ethernet, it is called a "print server". This device support IPP and is the gateway to various printers, depending on

IP address

IP V4

IP V6

IPP

the provider. For example, HP sells such a device for around 250 USD; this device is compatible with a lot of HP printers. Of course, the client side has to use IPP. This type of software is available for Windows and Unix OS.

IPSEC protocol
IP SECurity protocol
This extension of the IP protocol has been defined by the IETF. It provides security through authentication and IP packet encryption. The idea is really different from encryption at transport layer level, since encryption is offered to higher-level protocols once end-entities have established the secured link. This is why it is used for VPNs (the main known application of IPSEC). So, IPSEC covers authentication, data encryption and also protocol negotiation and key exchange (IKE = Internet Key Exchange). It allows communicating parties to negotiate methods for a secure communication, i.e. an agreement on keys, security policy and encryption algorithms. Once keys have been exchanged using IKE (so RSA and private / public keys), a symmetric algorithm (such as DES, 3DES and possibly Rijndael in the future) is used. They are less CPU resource consuming than RSA (reserved for strong authentication). IPSEC is naturally provided by IPV6.

IPSRA
IPSec Remote Access
Communication protocol (IETF) under specification. It covers AH, IKE and other features. The IETF dedicated working group is discussing how to handle remote access users with changing IP addresses in IPsec. It'll have to fight against PPTP (Microsoft world) and L2TP (IETF).

Isaway
XWAY communication. This is the XWAY driver over the ISA bus on a PC (NT, 98 etc.). For example, it can be used to communicate with the PCX PLC board of the PC.

ISA server
Internet Security and Acceleration server
Microsoft technology (W2K), security and cache. Internet Security and Acceleration (ISA) Server 2000 provides secure, fast, and manageable Internet connectivity. ISA Server integrates an extensible, multilayer enterprise firewall and a scalable high-performance Web cache. It provides secure Internet connectivity, fast Web access, and unified management.

ISO
International Standard Organization
This organization (companies etc.) is aimed to define international standards (e.g. OSI).

ISP
Internet Service Provider
In case of ordinary people at home with a PC connected to the PSTN by a modem, the ISP ensures the interconnection of the modem-based IP communication with the Internet. AOL (America On Line), Free etc. are ISPs.

IT
Information Technology
Covers all technologies used to handle information electronically (hardware, software, networks etc.).

Itanium (IA-64)
New generation of Intel 64-bit processors (still under development). It is also called IA64. Have a look at "Pentium".

ITSP
Internet Telephony Service Provider
Close to an ISP. However, the main goal is to provide phone services over the Internet (IP network).

ITU
International Telecommunication Union

JAR
Java ARchive
A Java file format that encapsulates Java classes, especially for applets. When an applet is downloaded to a client browser, a JAR file is used. JAR files may be signed (security).

Java
Simple OO language promoted by Sun Microsystems (first release in 1995). Its main characteristic is that it can run anywhere provided that the target platform supports a JVM, because of the use of an intermediate code called "bytecode".

JavaBean (bean)
A JavaBean (or bean) is a component that enforces a design pattern, which includes component interactions, accessors, introspection, serialization, persistence etc. Why bean? Because of a bean of coffee: Java is a beverage that J. Gosling (Java inventor) was drinking with the Java early definition team.
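The IP address entry above distinguishes unicast (class A, B, C), the broadcast address 255.255.255.255 and class D multicast, and describes an IP V4 address as a 4-byte unsigned integer. The Python below is an added example, not code from the glossary or from the Transparent Ready project: it converts between the dotted form and the 32-bit integer, and classifies an address from the high bits of its first octet. It goes beyond the entry in two places that are my own additions: it names class E (240.0.0.0/4, reserved) and it checks for a subnet-directed broadcast address (the all-ones host address of a given network). All sample addresses are constructed.

```python
"""Classify IPv4 addresses as unicast (class A/B/C), multicast (class D),
reserved (class E) or broadcast. Added example; sample values constructed."""
import ipaddress
import struct

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def to_uint32(addr: str) -> int:
    """Dotted quad -> the 4-byte unsigned integer the glossary entry describes
    (network byte order, i.e. most significant byte first)."""
    return struct.unpack("!I", ipaddress.IPv4Address(addr).packed)[0]


def from_uint32(value: int) -> str:
    """Inverse of to_uint32."""
    return str(ipaddress.IPv4Address(struct.pack("!I", value)))


def address_class(addr: str) -> str:
    """Classful letter A..E decided by the leading bits of the first octet:
    0xxx -> A, 10xx -> B, 110x -> C, 1110 -> D (multicast), 1111 -> E."""
    first_octet = to_uint32(addr) >> 24
    if first_octet < 0x80:
        return "A"
    if first_octet < 0xC0:
        return "B"
    if first_octet < 0xE0:
        return "C"
    if first_octet < 0xF0:
        return "D"
    return "E"  # my addition: reserved block, not named in the entry


def classify(addr: str) -> str:
    """Return the address type in the entry's terms (raises on malformed input)."""
    ip = ipaddress.IPv4Address(addr)
    if ip == LIMITED_BROADCAST:
        return "broadcast (limited)"
    letter = address_class(addr)
    if letter == "D":
        return "multicast (class D)"
    if letter == "E":
        return "reserved (class E)"
    return "unicast (class %s)" % letter


def is_directed_broadcast(addr: str, network: str) -> bool:
    """My addition beyond the entry: True if addr is the subnet-directed
    broadcast of the given network, e.g. 192.168.1.255 on 192.168.1.0/24.
    Such packets deserve the same filtering attention as 255.255.255.255."""
    net = ipaddress.IPv4Network(network, strict=True)
    return ipaddress.IPv4Address(addr) == net.broadcast_address


if __name__ == "__main__":
    # Constructed sample addresses, one per category.
    for sample in ("10.1.2.3", "172.16.0.1", "192.168.1.10",
                   "224.0.0.1", "240.0.0.1", "255.255.255.255"):
        print("%-16s %-20s 0x%08X" % (sample, classify(sample), to_uint32(sample)))
    print(is_directed_broadcast("192.168.1.255", "192.168.1.0/24"))
```

A filtering rule that only matches 255.255.255.255 misses directed broadcasts, which is why the last function is included: the entry's remark that routers are expected to filter broadcasts applies to both forms.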

Java OS
An operating system developed by Sun Microsystems and dedicated to running Java applications. It was aimed to support the thin client paradigm.

JAXP
Java API for XML Parsing
JAXP enables reading, manipulating, and generating XML documents through Java APIs by providing a standard way to seamlessly integrate any XML-compliant parser with a Java technology-based application. JAXP v 1.1 supports the latest XML standards, including: the Document Object Model (DOM) level 2, a W3C recommendation; Simple API for XML (SAX) level 2, the industry standard for XML parsing; and XSL Transformations (XSLT), an integrated XML transformation standard defined by the W3C. The draft specification for JAXP is available through the JCP, and the projected final shipping date of JAXP is calendar Q1 2001.

JBuilder
A Java workshop from Inprise (formerly Borland).

JCE
Java Cryptography Extension (1.2.1)
Java and security. This extension package (JDK 1.2 and above) provides cryptographic means.

JConsortium
Java Consortium
A group of companies that promotes the development and use of Java technologies. So, this entity is in charge of defining common standards around Java.

JCP
Java Community Process
The JCP program is the formalization of the open process that Sun Microsystems, Inc. has been using since 1995 to develop and revise Java technology specifications in cooperation with the international Java community. The JCP fosters evolution of the Java technology in Internet time, and in an open, participative manner.

JDBC
Java DataBase Connectivity
An API in the Java world that is used to connect a Java program to a SQL database (like Oracle ones), so to a relational database.

JDK
Java Development Kit
This is more than just a development kit. The reference definition (led by Sun Microsystems) identifies a Java language environment functional level including the JVM, core classes and extensions. JDK 1.2 is called Java 2. JDK 1.3 already exists (even on Linux platforms).

JES
Java Embedded Server
A Java specification (based on Personal Java, a downsized version of the standard JDK dedicated to medium range embedded targets) of an embedded server that defines an embedded application environment (frameworks etc.). It extends corporate applications to the devices. A lot of concepts are common with the ones targeted by FactoryCast IT! Residential gateways are a good example of JES implementation. JES 2.0 is compliant with OSGi recommendations.

Jetty
An open source and free 100% pure Java HTTP server provided by Mortbay (www.jetty.mortbay.com). It covers the Servlet API 2.1 (dynamically built HTML pages), HTTP 1.0 and 1.1, modular architecture (so embeddable), GNU JSP, SSL support etc.

JGL
Java G Library
Library (from Object Space) implementing complex data types (chained list, tree, set, etc.) with associated operators and generic algorithms that allow their manipulation (sort a list, intersection of two sets etc.).

Jini
Java scope. Jini[tm] network technology provides a simple infrastructure for delivering services in a network and for creating spontaneous interaction between programs that use these services regardless of their hardware/software implementation. Any kind of network made up of services (applications, databases, servers, devices, information systems, mobile appliances, storage, printers, etc.) and clients (requesters of services) of those services can be easily assembled, disassembled, and maintained on the network using Jini Technology. Services can be added or removed from the network, and new clients can find existing services - all without administration.

JIT compiler
Just In Time compiler
A Java bytecode compiler that compiles "on the fly" this intermediate language into machine language in order to improve execution performance. The compiler works at load / execution time.

JMS
Java Message Service
A Java specification (interface) that allows Java applications to communicate together using messages (client / server, publish / subscribe). It maps onto real message providers of various types (but keep the same type of provider in the same domain). RTI provides a prototype of JMS over NDDS (RTI publish / subscribe protocol). It is called JMS RT (JMS Real Time) because it doesn't really implement JMS, but an optimized version that reduces the message overhead of 200..300 bytes. RTI is working with the JConsortium to make it a Java standard. Today (December 2000), JMS RT does not run on a VxWorks enabled PowerPC.

JNDI
Java Naming and Directory Services
A Java specification (interface) that defines naming and directory services for the Java world. A JNDI provider could be LDAP V3 based. EMOS (MOISE) uses its own implementation of JNDI.

JNI
Java Native Interface
This technology allows a Java application to call native code (viewed as methods of an object) and inversely. This is a weak point in the Java security model (i.e. execution outside the JVM). However, it is mandatory to connect to the underlying operating system, drivers etc. together with non-Java applications.

JNLP
Java Network Launching Protocol & API
This is a new Java specification (JSR-56) from the JCP. JNLP is a Web-centric provisioning (2) protocol and application environment for Web-deployed Java 2 Technology-based applications. An application implementing this specification is called a JNLP client. The main concepts are:
A Web-centric application model with no installation phase, which provides transparent and incremental updates, as well as incremental downloading of an application.
A provisioning protocol that describes how to package an application on a Web server, so it can be delivered across the Web to a set of JNLP clients. The key component in this provisioning protocol is the JNLP file, which describes how to download and launch an application.
A standard execution environment for the application. This environment includes both a safe environment where access to the local disk and the network is restricted for untrusted applications, and an unrestricted environment for trusted applications. This is similar to the well-known Applet sandbox, but extended with additional APIs.

JPS
Java Print Service API
Have a look at Unified Printing API.

JRFC
Java Remote Function Call
A Java extension package promoted by SAP labs. This API provides the programmer with a way to interface a Java application with a SAP system.

JRMP
Java Remote Method Protocol
The TCP/IP based protocol that supports Java RMI.

JSP
Java Server Pages
An encapsulation of servlets that is used to dynamically create HTML pages.

JSSE
Java Secure Socket Extension (1.0.2)
Java, security and communication. This extension package (JDK 1.2 and above) supports SSL and TLS. So, secure communication over TCP is possible (HTTP, telnet, NNTP (news protocol), FTP).

JVM
Java Virtual Machine

(2) The term "provisioning" is commonly used to denote the distribution of software, such as an application, from a central server to a set of client machines. This is sometimes also referred to as deployment of an application.

A virtual machine (software program) dedicated to a specific operating system / platform. It supports Java applications for this platform. The idea is that a Java application is compiled into an intermediate language (bytecode) that is interpreted by this JVM. "Write once, run anywhere".

J2EE, J2SE, J2ME
Java 2 Enterprise Edition -> for enterprise servers
Java 2 Standard Edition -> basic version for PCs and workstations
Java 2 Micro Edition -> embedded world
Java platforms based on JDK 1.2 and above. They cover various types of platforms. Concerning J2ME: low-end devices are addressed by the CLDC, the Java specification that covers small connected devices. For example, the J2ME wireless device stack is based on a CLDC that is the sum of the KVM and J2ME core classes. High-end devices (32-bit processors, > 2 MB of RAM for the virtual machine) are addressed by the CDC and the CVM. This CVM is now available under Linux and VxWorks under Sun's Community Source Licensing program. This is a good opportunity for the NOE / ETY Java implementation.
More generally, J2ME is based on two concepts. The configuration defines the virtual machine and a set of core classes and APIs specifying a generalized runtime environment for consumer electronic and embedded devices. The profile is an industry-defined specification of the Java APIs used by manufacturers and developers to address a type of consumer electronic or embedded device.
Together, a configuration and a profile deliver a specification for consumer electronics and embedded device manufacturers to implement on their products. It also provides a Java Application Environment to which third party developers can write their applications.

KISS
Keep It Small & Simple

KVM
K Virtual Machine
Java scope. This is Sun's JVM for embedded platforms (J2ME) for low-end devices (CLDC).

LAN
Local Area Network
A network connecting relatively close machines (in a building, between close buildings etc.). LANs are interconnected using WANs.

LANE
LAN Emulation
A standard paradigm for integrating legacy LANs and applications transparently with ATM networks. It works fine for IP networks. In order to make it possible to continue using existing LAN application software, while taking advantage of the increased bandwidth of ATM transmission, standards have been developed to allow the running of LAN layer protocols over ATM. LAN Emulation (LANE) is one such method, enabling the replacement of 10 Mbps Ethernet or 4/16 Mbps Token Ring LANs with dedicated ATM links. It also allows the integration of ATM networks with legacy LAN networks. The function of LANE is to emulate a LAN (either IEEE 802.3 Ethernet or 802.5 Token Ring) on top of an ATM network. Basically, the LANE protocol defines a service interface for higher layer protocols which is identical to that of existing LANs. Data is sent across the ATM network encapsulated in the appropriate LAN MAC packet format. Thus, the LANE protocols make an ATM network look and act like a LAN, only much faster.

LDAP V3
Lightweight Directory Access Protocol V3
A lightweight version of the X500 directory access protocol. The major evolution is that this protocol runs over TCP/IP (possibly secured by SSL/TLS). This is becoming a standard in the IT world (Active Directory of Microsoft is based on LDAP V3, iPlanet of Sun / Netscape too, IBM has its own solution with SecureWay Directory etc.). Other key words are: DIT (and DIT schema), DSA, DUA, OID, OIT.

LDAP 2000
Open Group scope (Directory Interoperability Forum). The LDAP 2000 Product Standard defines core requirements for Directory servers for interoperation with LDAP clients. It includes the mandatory requirements of IETF RFC 2251, IETF RFC 2252, and IETF RFC 2253 (have also a look at

http://www.opennc.org/directory/branding/ldap2000/x99di.htm). So, it is aimed to increase interoperability around LDAP V3.

Legacy
In the sense of network communication: existing components (PLC products etc.) that do not provide special (hardware) support for Control Intranet.

Linux
A Unix based open source operating system that is maintained by the community of developers. It runs on PC platforms and various other ones. It has been invented by Linus Torvalds. Though it is free and open source software, L. Torvalds maintains control over official releases. This operating system is more and more popular, but its installation and settings are reserved to computer science people. Another advantage of its open source nature is that a developer can use only the necessary components, reducing the footprint. It is also becoming a challenger in the embedded world (ELC ~ Embedded Linux Consortium). For example, have a look at www.redhat.com/embedded. The very last release of the Linux kernel is forecast for 1T2001 (Q1 2001). It is based on a 64-bit processor and targets the IA-64 processor of Intel (a 64-bit Linux kernel has existed for a while). This IA-64 Linux Project was formerly named Trillian. It is late (even for open software and a community of developers, a big project remains a big project); this is also the case for the Itanium (64-bit Intel new processor). Have a look at www.linuxia64.com. Nevertheless, this next version of the kernel (V2.4) is promising, especially the one of Caldera (www.caldera.com), which embeds a JDK 1.3 JVM HotSpot enabled. A Linux machine is really able to run the FactoryCast IT client side and possibly the server side too.

Little-endian
This is a way to store integers in the memory of a computer. The least significant byte is stored first (i.e. at the lower memory address). This is the Intel style. See also big-endian.
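The little-endian entry above is easiest to see with bytes laid out by address. The Python below is an added example, not code from the glossary or from the Transparent Ready project: it lays out an unsigned integer in both byte orders by hand, cross-checks the result against the standard library's struct module, and shows what happens when a protocol field is read with the wrong byte order, which is the usual source of length-field bugs in parsers that mix an Intel host with network (big-endian) data. All values are constructed.

```python
"""Little-endian vs big-endian byte order, done by hand and cross-checked.
Added example; all values constructed."""
import struct

_STRUCT_CODES = {1: "B", 2: "H", 4: "I", 8: "Q"}


def to_little_endian(value: int, width: int) -> bytes:
    """Lay out an unsigned integer least significant byte first, i.e. the byte
    at the lowest address holds value & 0xFF (the Intel style)."""
    if not 0 <= value < (1 << (8 * width)):
        raise ValueError("value does not fit in %d bytes" % width)
    return bytes((value >> (8 * i)) & 0xFF for i in range(width))


def to_big_endian(value: int, width: int) -> bytes:
    """Most significant byte first (network byte order)."""
    return to_little_endian(value, width)[::-1]


def from_little_endian(data: bytes) -> int:
    """Rebuild the integer: byte i carries bits 8*i .. 8*i+7."""
    return sum(b << (8 * i) for i, b in enumerate(data))


def from_big_endian(data: bytes) -> int:
    return from_little_endian(data[::-1])


def memory_layout(value: int, width: int, little: bool = True) -> list:
    """(address offset, byte) pairs as a memory dump would show them."""
    data = to_little_endian(value, width) if little else to_big_endian(value, width)
    return list(enumerate(data))


def misread_length(field: bytes) -> tuple:
    """The same 2- or 4-byte length field decoded both ways. A parser that
    guesses the byte order can turn a 16-byte length into a 4096-byte one."""
    return from_little_endian(field), from_big_endian(field)


def cross_check(value: int, width: int) -> bool:
    """Agree with struct's '<' (little) and '>' (big) formats."""
    code = _STRUCT_CODES[width]
    return (to_little_endian(value, width) == struct.pack("<" + code, value)
            and to_big_endian(value, width) == struct.pack(">" + code, value))


if __name__ == "__main__":
    print(memory_layout(0x12345678, 4))              # little-endian dump
    print(memory_layout(0x12345678, 4, little=False))
    print(misread_length(b"\x00\x10"))               # (4096, 16)
```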


Located variable
Unity scope. A PLC variable is located if the corresponding symbol maps onto a defined language object such as a %MWi.

Logical bomb
Security scope. Malicious program whose "entry into action" is triggered at a specific date and time based on the machine system time, or at the time a dedicated command is issued.

LRMP
Lightweight Reliable Multicast Protocol
This protocol (running above UDP) is aimed to provide a reliable transfer means (unicast and multicast). This is a cornerstone for true multicast (push) applications (Webcasting) when associated with MIDP (Multipoint Information Distribution Protocol), which is in charge of publishing information over LRMP. Do not confuse "smart pull" (Pointcast, Marimba etc.) with this real publish / subscribe scheme.

L2TP
Layer 2 Tunneling Protocol
The Layer 2 Tunneling Protocol (L2TP), defined in RFC2661 (http://www.ietf.org/rfc/rfc2661.txt), is a protocol for tunneling PPP (RFC 1661) sessions over various network types.

MAN
Metropolitan Area Network
Between the WAN and the LAN. In Paris, the "La Défense" district uses this type of backbone. Today, Gbit Ethernet, used in conjunction with an optical physical layer, is able to replace SDH+ATM on MANs.

Manager
EMOS manager. Part of the framework used to define the configuration of EMOS servers on a domain. It relies on tag and infrastructure services instantiation and configuration. The manager is also in charge of supporting the deployment of services on servers. We're currently figuring out how to make it more modular.

MBAP
ModBus Application Protocol
Schneider protocol over port 502 (TCP and UDP). For example, it encapsulates Modbus APDUs and Xway datagrams.

MES
Manufacturing Executive Systems
Production management etc. Above the supervision, so above the process control level.

MGCP
Media Gateway Control Protocol
Communication / network / telephony scope. This protocol is used by softswitches in order to get information from IADs at the end of the xDSL line. This level-3 intelligence is useful to differentiate packets that carry voice, VPN and Internet traffic.

MIB
Management Information Base
Database that holds the configuration of a SNMP enabled device. Standard MIBs are defined (i.e. conformant implementations) but private MIB extensions can be defined by an organization or a company. E.g. we plan to have our own TF private MIB.

Micro
PLC range developed and produced by Schneider Automation (France).

MID / MIDP
Mobile Information Device / Mobile Information Device Profile
MIDP is a set of Java APIs (J2ME) that supports Midlets (i.e. applications for J2ME targets). MIDP relies on the J2ME core APIs that typically run inside a KVM.

Middleware
Here is a strict definition. This is transport software that is used to move information from one program to one or more other programs, shielding the developer from dependencies on communication protocols, operating systems and hardware platforms.

Midlet
Java scope. An application component that runs above MIDP (so on a mobile). This is equivalent to an Applet for a Web browser or a servlet for a Web server.

MIME
Multipurpose Internet Mail Extension
Protocol extension to other mail protocols (SMTP).

Mini-HTML
A simplified (restrained) version of HTML dedicated to PDAs. Another way to call it is "HDML", so have a look at its definition.

Mobile Intranet / Internet
Internet (and / or Intranet) is accessible using mobiles (mainly cellular phones using the WAP, PDAs).

MODBUS
Communication application protocol of Modicon PLC ranges. Several physical and link layers provide this protocol (serial line RS485 / RS232, Modbus+ network and recently Modbus over TCP/IP). It also corresponds to the link layer protocol in case of serial link.

Evolution of the EMOS middleware. It is developed by Objectis. Another name is MOISE (deprecated) under definition.

MOM
Message-Oriented Middleware
A middleware relying on inter-program communication based on queued messages, i.e. the receiver program processes a queue of incoming messages. Nowadays, publish / subscribe frameworks are also widely used, but then the middleware is no longer a pure MOM!

MPLS
MultiProtocol Label Switching
Internet (IP) scope. This is an IETF standard. A protocol that, associated with IP, provides a new way of routing IP datagrams over the net. A first message will trace the "route" to the target station and will keep track of it (one label per crossed node). Following messages will embed the list of "labels" in order to follow the same track (tunnel). It means that routers (switches) need to be updated in order to support this evolution. MPLS empowers the VPN technology because it is compatible with IP, ATM, Frame Relay etc. It is also very useful to implement QoS regarding bandwidth because a specific path may be associated with a given flow priority (real-time flow, email flow etc.). In addition, MPLS is a good means to avoid spoofing (usurpation of an IP address or a packet) thanks to the label provided upstream.

MTBF
Mean Time Between Failures

MTTF
Mean Time To Failure

MUX
VxWorks scope. The MUX interface allows an END driver to connect to any MUX communication stack (especially the TCP/IP stack).

M1E
PLC belonging to the Momentum range and connected to Ethernet (Schneider Automation USA).

.Net
New Microsoft paradigm that relies on "Internet everywhere". So, it covers Windows DNA, SOAP, C# etc. This is the counter-attack of Microsoft against Java technologies.

N-tier architecture
In this type of distributed software architecture, two entities in relationship use n tiers to communicate together (brokers in a publish/subscribe case for example). So, this is not a direct communication.

N_PDU
Protocol Data Unit exchanged at layer N level (OSI model).
Nano
PLC developed and produced by Schneider Automation. The future (replacement) one is called Kampai.

NAS
Network Attached Storage
A recent way to provide on-line storage (shared file system) using "boxes" that embed an OS, network interfaces and hard disks. They support remote file access protocols (NFS etc.), Web oriented ones (FTP, HTTP), remote administration (SNMP), hard disk security and redundancy (RAID technology) etc. They are assumed to be quickly and easily installed. Their cost is cheaper than NT or Unix servers. The total cost of ownership is very good because of the very easy maintenance.

NDDS
Network Data Delivery Service
A publish / subscribe solution provided by RTI and used to implement the global data service over UDP/IP (launch E and NOE / ETY).

NDDS Domain
Network scope. A NDDS domain defines a scope of uniqueness for topics both in terms of naming and publication / consumption. An application running above NDDS may use several domains, every domain being identified by an index that is shared by applications using this domain.

NIC
Network Interface Card

NOE
Ethernet / Internet enabled module for the Quantum PLC range (based on VxWorks over an 860T PowerPC).

Object dictionary
Unity scope. Unity will enable an end user to identify data using a name (i.e. a symbol) whose mapping onto real memory (i.e. BOL association) is embedded in the PLC. Such a database is called "object dictionary". A name could be part of a UMAS request if the destination server relies on an object dictionary. In this case, there is no need to access the P-Server on client side before issuing the request. A typical case is the CFB that may take a name as input parameter.

Objectis
Name of the start-up that will develop and sell MOISE.

OCX
Another name for ActiveX.

ODBC
Open DataBase Connectivity
Microsoft driver equivalent to JDBC in the Java world. This is a relational database driver. In addition, there is a bridge between JDBC and ODBC in order to map to this Microsoft technology.

OFS
OPC Factory Server
Have a look at OPC.

OID
Object ID
Identifies an object in the OIT (see below). This identifier corresponds to the series of node identifiers (a positive integer each) along the path from the root of the OIT down to the object.

OIT
Object Information Tree
The OIT holds objects defined in the context of ISO (OSI). Part of this tree corresponds to the management base used by the SNMP protocol (e.g. MIB-2). A subset of this base may map to the private MIB of a CI board (TF MIB).

OLE
Object Linking and Embedding
Old Microsoft standard that describes how a program can launch another one as part of it (e.g. launch Excel to edit a spreadsheet which is part of a Word document). Applications communicate using COM.

OMG
Object Management Group

A group of companies (500) that works on the definition of standards linked to software objects (inter-operability etc.).

OSGi
Open Services Gateway initiative
Have a look at JES.

OO
Object Oriented

OPC
OLE for Process Control
A COM/DCOM based standard for process control. It defines a COM/DCOM server that provides access to PLC data, so hiding the protocols used between the OPC server and PLCs. The corresponding Schneider Automation product is called OFS.

ORB
Object Request Broker
Object oriented middleware relying on the request / response interaction model.

OSI
Open System Interconnection
A set of communication standards (based on a 7-layer model) defined by the ISO.

Package
UML terminology: it identifies (in a class diagram) a set of classes that corresponds to a domain (a set of classes logically connected).

PAN
Personal Area Network
For example, with the HP Jornada (PDA), JetSend (an infrared based protocol) is able to connect the PDA to a printer.

Pattern subscription
Network scope (NDDS). A subscriber of a NDDS node can subscribe to a set of topics by providing a pattern matching string instead of a single topic string. Any topic that matches the pattern (filter) will be consumed.

PDA
Personal Digital Assistant (or personal assistant)
A mini laptop (size of a hand) running dedicated operating systems. Among the most famous are Palm Pilot, Psion and now the PocketPC. Big companies (like HP) are looking toward this technology. They are more flexible than mobile phones (WAP side) because it is easy to upgrade the client software running on such machines. Soon, we'll see PDAs connected to a GPRS mobile using Bluetooth (using the proper connection means). It'll enable a PDA to access Web resources in an efficient way with better display capabilities than mobile phones.

Pentium
Very well known generation of CISC Intel chips. The current widespread version is Pentium III. Pentium IV has just been released (1.2 and 1.5 GHz); this is still a 32-bit processor from the external point of view. The next generation is the Itanium, a true 64-bit processor (still under development).

PGP
Pretty Good Privacy
A recent encryption algorithm (www.pgpinternational.com), which is available for free on some platforms (i.e. integrated in Outlook Express 4 and 5). Thus, it may become very popular. It is based on symmetric and asymmetric encryption. It does not seem to be part of the PKI. The lack of real authentication (i.e. with a certificate) isn't really a problem between private people.

Piconet
Network scope. Very small (pico) wireless network made of Bluetooth enabled devices.

PIN
Personal Identification Number
Security scope. Authentication mechanism based on a password. It is used by mobiles and credit cards.

PKI
Public-Key Infrastructure
Have a look at "authentication". This is the X-509 standard (ISO). In addition, regarding the Registration Authority and certificate (key) distribution, it is possible to get a lot of keys at the same time (let's say a few thousand for Schneider Electric Legrand). Then, the company that owns these keys is able to manage them using OCSP (Online Certificate Status Protocol -> IETF, i.e. the company is able to invalidate certificates). The ATOS company provides a lightweight PKI solution.

PLC
Programmable Logic Controller

PL7
Name of the Schneider Automation workshop that programs Premium and Micro PLCs.
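The OID and OIT entries above describe an object identifier as the series of node numbers on the path from the root of the tree down to the object, and note that SNMP's MIB-2 is a subtree of it. On the wire SNMP carries these identifiers in BER (X.690) form, and the Python below is an added example of that encoding, not code from the glossary or from the Transparent Ready project: the first two arcs are merged into one number (40 * first + second) and every sub-identifier is written as base-128 groups with a continuation bit, so 1.3.6.1.2.1 becomes the bytes 2B 06 01 02 01. The decoder rejects a truncated last sub-identifier, and the subtree check answers the question the OIT entry raises, whether a requested object lies under MIB-2 or under a private MIB. The enterprise arc 65535 in the sample is a constructed value, not the project's own.

```python
"""BER (X.690) encoding of object identifiers, as SNMP names MIB objects.
Added example; sample OIDs constructed."""


def parse_oid(dotted: str) -> list:
    """Split a dotted OID into integer arcs and apply the X.690 limits on the
    first two arcs: first arc 0..2, second arc 0..39 unless the first is 2."""
    arcs = [int(a) for a in dotted.strip().strip(".").split(".")]
    if len(arcs) < 2 or any(a < 0 for a in arcs):
        raise ValueError("an OID needs at least two non-negative arcs")
    if arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("first two arcs out of range: %r" % dotted)
    return arcs


def _base128(sub_id: int) -> bytes:
    """Big-endian 7-bit groups; bit 7 set on every group but the last."""
    groups = [sub_id & 0x7F]
    sub_id >>= 7
    while sub_id:
        groups.append(0x80 | (sub_id & 0x7F))
        sub_id >>= 7
    return bytes(reversed(groups))


def encode_oid(dotted: str) -> bytes:
    """Contents octets only: 40*X+Y for the first two arcs, then the rest."""
    arcs = parse_oid(dotted)
    sub_ids = [40 * arcs[0] + arcs[1]] + arcs[2:]
    return b"".join(_base128(s) for s in sub_ids)


def encode_oid_tlv(dotted: str) -> bytes:
    """Complete BER element: tag 0x06, definite-form length, contents."""
    body = encode_oid(dotted)
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        n = (len(body).bit_length() + 7) // 8
        length = bytes([0x80 | n]) + len(body).to_bytes(n, "big")
    return b"\x06" + length + body


def decode_oid(contents: bytes) -> str:
    """Inverse of encode_oid. A final byte with its continuation bit set means
    the sub-identifier was cut off, which a parser must refuse."""
    sub_ids, value, pending = [], 0, False
    for byte in contents:
        value = (value << 7) | (byte & 0x7F)
        pending = bool(byte & 0x80)
        if not pending:
            sub_ids.append(value)
            value = 0
    if pending or not sub_ids:
        raise ValueError("truncated or empty OID contents")
    first = sub_ids[0]
    if first < 40:
        arcs = [0, first]
    elif first < 80:
        arcs = [1, first - 40]
    else:
        arcs = [2, first - 80]
    return ".".join(str(a) for a in arcs + sub_ids[1:])


def is_valid_oid_contents(contents: bytes) -> bool:
    try:
        decode_oid(contents)
        return True
    except ValueError:
        return False


def under_subtree(oid: str, subtree: str) -> bool:
    """True when oid lies below subtree (the subtree's arcs are a prefix)."""
    o, s = parse_oid(oid), parse_oid(subtree)
    return o[: len(s)] == s


MIB2 = "1.3.6.1.2.1"
PRIVATE_EXAMPLE = "1.3.6.1.4.1.65535"  # constructed enterprise arc

if __name__ == "__main__":
    print(encode_oid_tlv(MIB2 + ".1.1.0").hex())   # sysDescr.0 under MIB-2
    print(decode_oid(encode_oid(PRIVATE_EXAMPLE)))
    print(under_subtree(PRIVATE_EXAMPLE, MIB2))     # False: private, not MIB-2
```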
POP3 (Post Office Protocol Version 3, RFC 1939)
Network scope (email). In some cases, a computer (node) hasn't sufficient resources to run a resident SMTP server forever. POP3 is intended to permit a workstation to access a maildrop on a server host in a useful fashion (i.e. the server side is waiting on TCP port 110).

Port (port 502)
Above TCP or UDP. A 16-bit unsigned number which identifies one or more communication entities. These entities are accessed through sockets linked to the right port. Port 502 is reserved to Schneider Electric. Ports below 1024 are assigned to standard protocols or to company reserved ports, so better use ports above 1024 for private use.

Port scan
Security scope. An algorithm that scans the TCP / UDP ports of an IP address. If some are open or haven't been closed, they could be used to access the corresponding application and so the machine. Such an algorithm is embedded in freewares (like SuperScan) available on the Internet; anybody can use them. A good firewall is assumed to stop this type of attack. Of course, this mechanism works fine if the IP address of the station is fixed (so company Intranets, high speed Internet connections such as ADSL, cable etc.).

POW (Packet Over Wavelength)
Another way to name packet communication based on fiber optic (such as IP communication).

Power suite
Software suite from DAS CI that will deal with the new Optima products.

PPP (Point to Point Protocol)
Serial link protocol that encapsulates IP datagrams.

PPTP (Point to Point Tunneling Protocol)
This communication protocol has been developed by the PPTP Forum (Microsoft etc.). V2 is aimed to provide a remote secured access to an NT server using authentication and encryption.

PRD (ProDuct Requirement)
Marketing requirements for a product in the Schneider Automation company (C.F. CDP).

Premium
Range of PLCs developed and produced by Schneider Automation (France).

Proxy
A CORBA stub is some kind of proxy (substitute) because it represents the real remote object. The notion of proxy server is often used (e.g. in front of a firewall). Another example is a proxy ARP, which answers an ARP request on an Ethernet segment because it represents a device (IP address) on another segment. Another close definition is the following: an entity (hard/soft) that represents another one. For example, if A wants to communicate with B, but B is not directly accessible, the C proxy entity may help. A communicates with C as if C was B; C emulates B or uses another means to reach B. A good example is the security proxy in front of an Intranet that should check for security, then forward the packet to the right application if OK.

PSTN (Public Switched Telephony Network)

P-Server
The PLC application database for UNITY that is part of the P-Unit suite. This is a COM/DCOM server.

P-Unit
New common workshop for Unity (unification of Concept and PL7). This is a software suite with variants:
- P-Unit Light: it covers Micro and Momentum CPUs with Unity Exec.
- P-Unit Medium: superset of the light version that also covers HECPUs, Quantum, Atrium and Premium with Unity Exec.
- P-Unit Pro: a superset of the medium version with more functionalities.
P-Unit is a programming tool for one PLC. It includes various servers such as P-Server, OFS, a security server etc. Depending on the variant, P-Unit also includes PL7 and XBTL1000. The first launch of P-Unit won't cover softPLCs such as Concept and Steeplechase. This is forecast for a later launch.
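The Port (port 502) entry above reserves port 502 for Schneider Electric, and the MBAP framing named in the TCP-USER and Xip entries is what carries Modbus over TCP/IP on that port. The following parser is an added example, not part of the glossary or of any Schneider product: it checks an MBAP header the way a filter placed in front of a PLC would and classifies the requested function; the frame layout follows the Modbus/TCP specification, and the sample frames are constructed.

```python
"""Checks on the MBAP framing of Modbus/TCP traffic (port 502).

Added example, not taken from the glossary or from a Schneider product.
Modbus/TCP ADU layout (big-endian), as a monitor in front of a PLC sees it:
    transaction id (2) | protocol id (2, 0 = Modbus) | length (2) | unit id (1) | PDU
The length field counts the unit id plus the PDU; the PDU starts with the
function code. The sample frames below are constructed for this example.
"""
import struct

MBAP_LEN = 7
MAX_PDU = 253                                    # Modbus PDU limit, so an ADU is at most 260 bytes
READ_CODES = {1, 2, 3, 4}                        # read coils / discrete inputs / registers
WRITE_CODES = {5, 6, 15, 16}                     # write single or multiple coils / registers
USER_CODES = set(range(65, 73)) | set(range(100, 111))  # ranges left to user-defined functions


def build_request(transaction_id, unit_id, function_code, data):
    """Assemble a Modbus/TCP request ADU with a consistent MBAP length field."""
    pdu = bytes([function_code]) + data
    if len(pdu) > MAX_PDU:
        raise ValueError("PDU too long")
    header = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return header + pdu


def parse_mbap(frame):
    """Split an ADU into its MBAP fields and PDU, rejecting malformed frames.

    Each check corresponds to something a filter on port 502 should refuse:
    a protocol id other than 0, a length field that disagrees with the bytes
    actually present, or a PDU beyond the 253-byte limit.
    """
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short for an MBAP header and a function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if protocol_id != 0:
        raise ValueError("protocol id %d is not Modbus (expected 0)" % protocol_id)
    following = len(frame) - 6                   # bytes after the length field
    if length != following:
        raise ValueError("length field says %d bytes, frame carries %d" % (length, following))
    pdu = frame[MBAP_LEN:]
    if len(pdu) > MAX_PDU:
        raise ValueError("PDU of %d bytes exceeds the %d-byte limit" % (len(pdu), MAX_PDU))
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function_code": pdu[0],
        "data": pdu[1:],
    }


def classify(function_code):
    """Name the kind of operation a function code requests; writes are what a
    monitor typically logs or restricts to known engineering stations."""
    if function_code & 0x80:
        return "exception"                       # response with the error bit set
    if function_code in READ_CODES:
        return "read"
    if function_code in WRITE_CODES:
        return "write"
    if function_code in USER_CODES:
        return "user-defined"
    return "other"


def is_well_formed(frame):
    """True when parse_mbap accepts the frame."""
    try:
        parse_mbap(frame)
        return True
    except ValueError:
        return False


# Constructed sample: read 10 holding registers from address 0 on unit 1.
SAMPLE_READ = build_request(1, 1, 3, bytes.fromhex("0000000a"))
# Constructed sample: write single register 0x0010 on unit 1 with the value 0x1234.
SAMPLE_WRITE = build_request(2, 1, 6, bytes.fromhex("00101234"))

if __name__ == "__main__":
    for frame in (SAMPLE_READ, SAMPLE_WRITE):
        fields = parse_mbap(frame)
        print(frame.hex(), classify(fields["function_code"]), fields)
```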
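The Port scan entry above describes the mechanism from the scanner's side; on the defender's side it shows up in connection logs as one source touching many ports of one host within a few seconds. The following detector is an added example, not part of the glossary; the log format, the field names and the window and threshold values are assumptions constructed for it.

```python
"""Port scan detection over firewall-style connection logs.

Added example, not taken from the glossary. It assumes a constructed log
format with one connection attempt per line:
    <epoch seconds> <source ip> <destination ip> <destination port> <ACCEPT|DROP>
A port scanner touches many distinct ports of one host in a short time, so a
source that reaches `threshold` distinct destination ports on the same host
within `window` seconds is reported, together with which probes were accepted.
"""
from collections import defaultdict

# Constructed sample: 192.0.2.10 sweeps ports on 198.51.100.5 in a few seconds;
# 192.0.2.77 is an ordinary client reusing two ports over a longer period.
SAMPLE_LOG = """\
1000 192.0.2.10 198.51.100.5 21 DROP
1001 192.0.2.10 198.51.100.5 22 ACCEPT
1001 192.0.2.10 198.51.100.5 23 DROP
1002 192.0.2.10 198.51.100.5 25 DROP
1002 192.0.2.10 198.51.100.5 80 ACCEPT
1003 192.0.2.10 198.51.100.5 110 DROP
1003 192.0.2.10 198.51.100.5 502 ACCEPT
1004 192.0.2.10 198.51.100.5 1024 DROP
1010 192.0.2.77 198.51.100.5 80 ACCEPT
1200 192.0.2.77 198.51.100.5 443 ACCEPT
1400 192.0.2.77 198.51.100.5 80 ACCEPT
malformed line that the parser must skip
"""


def parse_line(line):
    """Return (ts, src, dst, port, action) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[4] not in ("ACCEPT", "DROP"):
        return None
    try:
        return int(parts[0]), parts[1], parts[2], int(parts[3]), parts[4]
    except ValueError:
        return None


def detect_port_scans(log_text, window=10, threshold=5):
    """Map (src, dst) -> report for every pair that looks like a scan.

    A sliding window over the time-ordered attempts of each pair counts
    distinct destination ports; slow, repetitive traffic from a normal client
    never accumulates enough distinct ports inside one window.
    """
    attempts = defaultdict(list)                  # (src, dst) -> [(ts, port, action)]
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        ts, src, dst, port, action = record
        attempts[(src, dst)].append((ts, port, action))

    reports = {}
    for pair, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = {port for _, port, _ in events[start:end + 1]}
            if len(in_window) >= threshold:
                reports[pair] = {
                    "ports_probed": sorted({port for _, port, _ in events}),
                    "ports_accepted": sorted({p for _, p, a in events if a == "ACCEPT"}),
                    "first_seen": events[0][0],
                    "last_seen": events[-1][0],
                }
                break
    return reports


if __name__ == "__main__":
    for (src, dst), report in detect_port_scans(SAMPLE_LOG).items():
        print("possible port scan from %s against %s: %s" % (src, dst, report))
```

The accepted ports in the report are the ones worth reviewing first, since an accepted probe means the scanner reached a listening application.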
QoS (Quality of Service)
Network scope. The quality of a service encompasses response time, guaranteed bandwidth, security etc.

Quantum
Range of PLCs developed and produced by Schneider Automation (USA).

RAD (Rapid Application Development)
Software development technique based on prototype refinement (HMI world etc.). The end user provides feedback to the developer in such a way that the new increment matches real needs a little more.

RADIUS (Remote Authentication Dial In User Service)
Security scope. Have a look at authentication.

RAE
Alarm viewer applet of the current Factory Cast product. Not documented.

RDE (Row Data Editor)
A Factory Cast (current version) applet used to define PLC accessed data in a table.

RDP (Remote Desktop Protocol)
Microsoft protocol used between a server and a lightweight Windows client. The server side is NT + TSE (Terminal Server Edition) or W2K (it includes TSE). In the future, a mobile lightweight Windows client could use RDP transported over GPRS.

RequisitePro
Tool from Rational (www.rational.com) whose aim is to help managing the requirements of a software project, especially in the case of an OO project.

RFC (Request For Comment)
Paper identified by a number in the Internet world. They define the state of the art regarding Internet protocols (ruled by the IETF).

Rijndael (Rijmen'n Daemen)
Security scope. Have a look at AES.

RISC (Reduced Instruction Set Computer)
A technology more recent than the CISC one. Instructions are short (only a few bytes) and execution is supposed to be faster (parallel computing). PowerPCs from Motorola are RISC processors (our CI boards). A drawback is the final code size that could be around 1.5 times greater (this is the case for the VxWorks operating system between a Pentium and a PowerPC). The very latest technology regarding microprocessors is Crusoe from Transmeta (www.transmeta.com), whose aim is to consume less power and to support RISC and CISC code based on code morphing.

RLL (Radio Local Loop)
Communication scope. Emerging technology that will provide high-speed Internet to people in their house (in addition to fiber optic, xDSL etc.). The emission center will cover a few square km. It fits well high-density regions (towns). This technology is part of the LMDS (Local Multipoint Distribution Service) with a symmetric bandwidth for ascending and descending flows.

RMI (Remote Method Invocation)
RPC (Remote Procedure Call) in the Java OO world. It works over TCP/IP using JRMP.

RMIC (RMI stub Compiler)
The RMIC compiler generates stub and skeleton class files for remote objects from the names of compiled Java classes that contain remote object implementations (a remote object is one that implements the interface java.rmi.Remote). See also Idl2Java (CORBA enabler for Java).

Roaming
Network scope. Coverage zone of a cellular network.

Rose
Tool from Rational (www.rational.com) which corresponds to a UML workshop (with application for C++, Java). It is connected to RequisitePro.

Round-trip development
Within the scope of UML software design, it corresponds to the ability to modify the code (e.g. C++) while keeping the model consistent, and vice versa. It allows easy incremental development together with great design flexibility. It is also applied to spiral development, which is based on "forward engineering" and "backward engineering". In this case, the first loop (iteration) is aimed to build the skeleton of the application. The Together workshop is able to do it. The problem with any UML workshop is that it is not possible to keep all information during the backward process if we process code that wasn't part of the initial UML design (e.g. a new design pattern corresponding to C++ code without UML diagrams -> no comments etc.).

Router
In our context, device (software enabled) that connects 2 Ethernet networks at the IP layer level (level 3).

RSA (Rivest, Shamir and Adleman, inventors of the RSA cryptosystem)
Public-key cryptosystem (asymmetric keys). This is the most popular form of public-key cryptosystem. Have a look at "authentication". RSA is now part of the public domain, so no fee in case of usage.

RSVP (resource ReSerVation setup Protocol, IETF)
RSVP is a resource reservation setup protocol for the Internet. Its major features include: (1) the use of "soft state" in the routers, (2) receiver-controlled reservation requests, (3) flexible control over sharing of reservations and forwarding of subflows, (4) the use of IP multicast for data distribution.
RTI (Real-Time Innovations)
A Californian company (www.rti.com) that provides the NDDS product (agreement with Schneider Automation).

RTOS (Real Time Operating System)

RTPS (Real Time Publish Subscribe)
Protocol used to implement NDDS from RTI.

SAN (Storage Area Network)
The Fibre Channel protocol (at speeds up to 1 Gbps) is able to connect these storage devices with servers.

SAP
The world famous German ERP.

SAX (Simple API for XML)
A basic interface whose purpose is to provide a simple way to encode / decode an XML flow of data based on a DTD. It relies on file stream parsing and event triggering when the right tag is encountered. The corresponding Java interface is org.xml.sax.parser regarding the parser.

SCADA (Supervisory Control And Data Acquisition)
Acronym corresponding to the supervisor tools above the process control PLC level in a factory / installation.

SDH (Synchronous Digital Hierarchy)
Communication world. This is a "link layer" technology used in optical networks. Usually, ATM is used above SDH.

SDK (Software Development Kit)

SDSL (Symmetric Digital Subscriber Line)
Have a look at ADSL.

Security policy
Network / computer scope. It is aimed to protect data / communications against malicious attacks (destruction, theft of information etc.) from crackers (and hackers). Firewalls, encryption, digital signatures, digital timestamps, anti-virus software, fingerprint detectors etc. are part of the security policy. Attacks may be based on the "Trojan horse trap", "port scan", worms etc. In general, the real risk comes from the inside (i.e. the Intranet of a company). It is odd to think that a good protection at the Intranet gate is sufficient! The BR203 project (hundreds of PC/PLC stations on the Intranet of 2 DaimlerChrysler shop floors) shows that security is a real concern that is often detected late by the customer.

SENS (stack) (Scalable Enhanced Network Stack)
Ethernet communication stack provided by WindRiver System (VxWorks RTOS). This stack is based on the 4.4 BSD TCP/IP release.

Sequence diagram
UML terminology: have a look at "collaboration diagram".

Servlet
The symmetric concept of a Java Applet. This Java code (one or several classes) is loaded inside the JVM that implements an HTTP server (C.F. "Jetty") in order to extend the server capabilities (dynamic creation of pages etc.). So, plug and play at the server side.

SET (Secure Electronic Transaction)
Protocol proposed by the Visa and Mastercard consortiums whose aim is to secure commercial transactions on the Internet.

SGML (Standard Generalized Markup Language)
The father of all .ML standards. This is the heaviest (and most powerful) one, dedicated to the publishing world. XML is a lightweight version from which the SGML stuff dedicated to the publishing world has been removed.

SIM (Subscriber Identification Module)
Smart cards scope for mobiles. This card is used for user authentication and for security (it stores keys and encryption algorithms). It also stores the user profile. Today, a SIM could be plugged in a double-slot mobile phone together with a credit card such as a Visa.

SIP (Session Initiation Protocol)
Have a look at VoIP.

SMS (Short Message Service)
Communication in the mobile world (GSM etc.). It corresponds to the sending of a short message to the mobile (GSM). This is especially useful for itinerant workers. In order to connect SMS with email systems, a gateway is necessary. For example, HP uses SMS in its mobile Intranet. Once the maintenance technician has received his SMS message containing a URL, he uses this URL through the WAP in order to connect to the mobile Intranet and to get the right information.

SMTP (Simple Mail Transport Protocol)
A TCP/IP based protocol (over TCP) used to deliver emails. See also MIME.

SNMP (Simple Network Management Protocol)
Protocol (over UDP) used to configure and diagnose an Ethernet enabled device (server side). It relies on a MIB whose access is provided by the SNMP agent.

Skeleton
CORBA scope. The IDL compiler generates a skeleton from the IDL interface definition file of a remote object. The skeleton is an interface on the remote server side that has to be implemented in order to connect the real object to the middleware, thus allowing the server object to execute the method and to return the result.

SOAP (Simple Object Access Protocol)
A Microsoft defined protocol (brand new) based on XML whose purpose is to provide software objects with a flexible way to communicate together. This is some kind of RPC (Remote Procedure Call) based on XML syntax. Though this Microsoft standard does not impose an underlying communication protocol (i.e. to carry XML data), Microsoft promotes the use of HTTP (transport protocol).

Socket
As TCP or UDP socket. Number which identifies a communication entity over a TCP or UDP port.

Softswitch
Network / communication scope. This new technology from the USA is a software switch. It analyses the incoming phone number and routes it towards the right destination. The trick is that it is possible to add smart services logic to this mechanism (toll free number etc.). See also MGCP.

Spiral development
Have a look at "round-trip" development.

SPOF (Single Point Of Failure)
In a distributed architecture, in case of a failure on a SPOF, the whole system is impacted. It could be a broken link that connects all Ethernet stations, for example.

Spamming or UCE (Unsolicited Commercial E-mail)
Security scope. The act of flooding a system with commercial emails. For example, it may preclude a user from using his mobile phone for a phone call. A countermeasure could be to filter "spammer" domains at the email server level.

SSO (Single Sign-On)
Security scope. Have also a look at authentication. This protocol is used to facilitate access to several resources based on a unique authentication for all of them. The user profile is generally stored in an LDAP V3 database (centralized security scheme). Scope is mobile (GSM) etc. Generally, these resources rely on heterogeneous technologies (mainframe, database, Unix etc.).

SQL (Simple Query Language)
Language used to query database information in case of a relational database.

SSL (Secure Socket Layer)
A communication layer between HTTP and TCP whose purpose is to secure the HTTP flow (encryption, authentication etc.). SSL 3.0 has been promoted by Netscape. See also "TLS".

State-chart diagram
UML terminology: it describes the operating modes of an object, a subsystem or the system itself.

Steeplechase
The company recently bought by Schneider Electric for AUT. This American company provides a softPLC solution (www.steeplechase.com).

Stub
CORBA scope. The IDL compiler generates a stub from the IDL interface definition file of a remote object. The stub represents the remote object on the client side. When one of its methods is called, it forwards the call to the sibling side (skeleton) using IIOP in case of a TCP/IP network. Have a look at skeleton.

Studio
The multi-PLC (station) software suite of Unity. It includes P-Unit, PL7, XBTL1000, Power suite and Automation suite (multi-station tool). An interesting option is UPDE that will provide customers with the ability to develop their own application based on the COM / DCOM interface of P-Unit servers.

Supranet
New concept that corresponds to a link between the e-world and the p-world (p for "physical"), so between a PC, a TV set, a mobile etc. and smart cards or humans. Bluetooth is an example. Another is the ability to buy a coke from a slot machine using a mobile.

SVG (Scalable Vector Graphics)
XML for 2D graphics (.SVG extension files).

Switch
In a network context, this is a device that connects Ethernet segments using software means (ability to route between ports etc.). Switches define collision domains (Ethernet scope). It operates at level 2/3 of the OSI model.

S2ML (Security Services Markup Language)
Have a look at XML Trust Services.

S7, S1000
Old PLC ranges from Schneider Automation (France).

TACACS (Terminal Access Controller Access Control System)
Security scope. Have a look at authentication.

Tag
XML / XHTML / HTML scope: a tag is a string that uniquely defines an information in a given context (hyperlink, applet etc.).
EMOS scope: a tag represents PLC data in the EMOS server. These data are possibly post-processed (various algorithms) and provided to other Java applications on request or on event. So, a tag is a service that connects the EMOS framework to the process control level (PLC).

Target server / agent
Tornado. Piece of code in charge of communicating with a target (real one or simulated). A Tornado tool communicates with the target server using the WTX protocol. The target server communicates with the target agent (on the target) using drivers adapted to the communication link, based on RPC above a lightweight UDP/IP.

TD-SCDMA (TD - Synchronous CDMA)
Have a look at CDMA.

TCO (Total Cost of Ownership)

TCP (TCP/IP) (Transmission Control Protocol)
Internet transport layer providing point to point connection. TCP/IP is the generic name of the set of protocols (stack) that empowers the Internet.

TCP-USER
A software component of a CI board whose aim is to support messaging over TCP/IP (MBAP protocol (Modbus, XWAY encapsulation) but also user defined protocols over TCP/IP).

TDMA (Time Division Multiple Access)
Have a look at CDMA.

TFTP (Trivial File Transfer Protocol)
In opposition to FTP that runs over TCP, TFTP uses UDP. So, it is simpler and smaller. However, there is no user / password. It means that this protocol is less secure than FTP.

Thin Client
A lightweight machine / software that runs applications usually loaded from a remote server. Sun promotes this concept thanks to Java, Java OS etc. The PC world (even Microsoft) also thinks of it. The TCO is minimized (hardware cost, administration). The Web browser concept is part of this scheme. This is a server centric approach.

TLS (Transport Layer Security, current version is 1.0, RFC 2246)
The IETF evolution of Netscape SSL 3.0. This protocol is based on data cipher / decipher (encryption based on public / private keys etc.) and authentication. This is a small evolution; however, SSL and TLS are not interoperable.

Together
A UML-based workshop from Together (www.together.com) that is completely written in Java. It is C++ and especially Java enabled (generation of interface files, code templates etc.).

TOP AB (Transparent Operator Panel ActiveX Beans)
A product of the Arc Informatique company that could become the HMI standard reference for Schneider Electric products. This is an ActiveX container (VB ones etc.). What about Java Beans?

Topic
Network scope and Voyager scope. For NDDS, a topic defines an information type that is produced by one or more entities and consumed by one or more entities. It is identified (named) by a string that is unique inside an NDDS domain.

Tornado
Tornado 2 is the current workshop of WRS. It is used to develop VxWorks enabled applications (BSP, C/C++, target server etc.).

Transfer syntax
A transfer syntax is a set of rules that is applied to a protocol defined using ASN.1 in order to get the network coded view of the PDU. A good example is BER.

Transparent Factory Initiative (TF initiative)
The scope of this initiative is Schneider Automation product lines. It is aimed to support easy and open connectivity between control process devices (PLCs etc.) but also with ERP and MES levels. Transparent Energy and Transparent Building are initiatives of the same type inside Schneider Electric.

Trojan horse
Security scope. A quiet and normal / useful file (image, extension file) that includes a latent weapon. This weapon enters in action depending on specific triggers (e.g. when the user opens the file, the virus is released into the computer). A Trojan Horse cannot replicate itself, so it spreads slowly.

Tunneling
Network protocol scope. Encapsulation of a data frame (IP or other) in another frame (IP), which is used to cross the Internet. This mechanism is used to create secure communication channels.

Tux
Tux the penguin is the emblem of the Linux operating system.

T30, T37, T38
Communication protocols -> Fax.
T30 (defined by the ITU) is the fax protocol used on the public switched telephony network. T37 and T38 are recent counterparts above IP.
T37 is also called deferred mode (or store and forward). It is based on TCP, SMTP and MIME. It could take tens of minutes before the fax is delivered.
T38 is also called the real time solution. Two variants are in use. The frame relay mode works over UDP/IP. It is acceptable if and only if the network latency isn't worse than one second (otherwise the communication is stopped). The spoofing mode is based on TCP/IP and can handle latencies up to 3.5 seconds (but the data flow is bigger).

UCE (Unsolicited Commercial E-mail)
Have a look at spamming.

UDDI (Universal Description, Discovery and Integration)
The UDDI standard (registry) is a sweeping industry initiative (Ariba, Microsoft, IBM). The standard creates a platform-independent, open framework for describing services, discovering businesses, and integrating business services using the Internet. UDDI is the first cross-industry effort driven by platform and software providers, marketplace operators and e-business leaders. These technology and business pioneers are acting as the initial catalysts to quickly develop the UDDI standard. The UDDI standard takes advantage of WorldWide Web Consortium (W3C) and Internet Engineering Task Force (IETF) standards such as Extensible Markup Language (XML), and HTTP and Domain Name System (DNS) protocols. Additionally, cross platform programming features are addressed by adopting early versions of the proposed Simple Object Access Protocol (SOAP) messaging specifications (+WSDL = Web Service Description Language). The UDDI community gathers major IT companies.

UDP (User Datagram Protocol)
Internet datagram transport layer providing broadcast and multicast capabilities. However, the use of UDP is not reliable (unicast or multicast). Protocols such as NDDS or LRMP may cover this lack.

UID (Unique Identifier)
An identifier that uniquely identifies something (in a given domain of homogeneous things) within a given scope. For example, an OID is some kind of UID that identifies a unique node in the OIT. A UID is also often used to identify an object in a distributed environment (e.g. distribution model of Chorus RTOS). Concerning EMOS, distributed objects are identified by a name (use of JNDI) but also internally by a GUID (Global UID).

UMAS (Unified Messaging Application Protocol)
Protocol defined within the scope of CI and Unity. It'll enhance the Modbus and Uni-Te protocols because it corresponds to common extensions. It means that it isn't a new protocol from an external point of view. The nice thing is that it'll be supported by most of the existing mediums that support Uni-Te or Modbus.

UML (Unified Modeling Language)
An OO design method promoted by the OMG. It is based on a context diagram, use cases, interaction diagrams etc. Tools such as Together or Rose provide support for this method.

UMTS (Universal Mobile Telecommunication System)
Technology of the 3rd generation of mobile (1 & 2 Mbit/s). Deployment is forecast in 2003-2004.

Uni-Te
Télémécanique unified application protocol (used in S7, Premium, Micro PLC ranges).

Unified messaging
Today, emails embed attached documents (files) of various natures. Unified messaging allows adding voice to written messages (wave format files) in order to deliver a vocal message and / or a written message. It also includes fax and telex.

Unified Printing API
This is JSR 006 from the JCP. This API is also called JPS (Java Print Service). It is aimed to help the JINI Print API and the java.awt.print package to converge toward a solution that takes into account IPP. Today (01/01), this JSR is in "public review over" mode. It means that it'll require around one year before getting first implementations.

Unitelway
Télémécanique (S7 and later PLC ranges) link layer communication protocol. It connects various devices to a PLC. The application layer is Uni-Te.

Unity
Convergence project between Premium and Quantum PLC ranges (PLC, workshop
and Ethernet).

Unlocated variable
Unity scope. A PLC variable is unlocated if the corresponding symbol doesn't map onto a defined language object such as a %MWi. P-Unit performs the mapping at build time and the P-Server database stores the corresponding BOL.

UPDE (Unity Programming Development Environment)
Extension package of Studio that will allow a customer to develop its own applications based on Unity (P-Server, OFS, security server etc.). It means COM/DCOM interfaces. This package includes the definition of these interfaces and a 4-day training. This concept has some common ideas with FC IT.

UPnP (Universal Plug'n Play)
A standard that facilitates the access (monitoring) of devices. It is based on SOAP and is complementary to WSDL.

URL (Unique Resource Locator)
In the Internet world, a URL is used to uniquely identify Web servers and other resources. It corresponds to a string whose words (atoms) are separated by dots.

Use case diagram
UML terminology: they provide a way of describing the external view of the system and its interactions with the outside world (actors). The set of use cases documents the user's requirements in a simple format that both the customer and the domain experts can agree on. The scope of a typical use case diagram includes all major functionality (use cases) associated with the actor (external) that initiates a particular request.

VB (Visual Basic)
A programming language from Microsoft. It is optimized for HMI management. A VB application is an OCX container; it means that you can develop such an application relying on OCX components (that are COM / DCOM enabled).

Virus
Security scope. A virus is meant to spread throughout one computer, often causing significant damage. It is not designed to spread from computer to computer, but if an infected file is copied from one computer to another via an external medium (floppy, CDROM, etc.), the virus can spread. So, a virus generally spreads slowly, except through the Internet if you don't use good anti-virus software.

Visual Age
A Java workshop from IBM.

Visual Cafe
A Java workshop from Symantec.

Visual Studio
The C / C++ / VB / Java workshop of Microsoft.

VoDSL (Voice over DSL (Digital Subscriber Line))
The xDSL (ADSL, SDSL) technology is based on a pair of copper wires that connects a fixed phone to the public telephony system (closest concentration building). A box at the user side and another at the telephone building side are used to modulate a signal at a frequency different from the standard voice. This high bandwidth is used to exchange data with the Internet (high-speed Internet). It could also be used to convey a lot of "voice channels" in the same way, so possibly using VoIP between xDSL gateways.

VoIP (Voice over IP)
Various technologies that allow the transport of voice over IP networks (so the Internet). No real standard today. There are 3 types of voice communication over IP:
- PC to PC
- PC to Phone (e.g. a phone with an Ethernet RJ45 connector)
- Phone to Phone
One of the biggest problems is the QoS in terms of real-time bandwidth, or how to make sure that the voice flow at the receiver side will be the same as in the case of a PSTN. MPLS, 802.1p etc. may help reaching this goal. Voice control protocols are:
- H.323: an "old" protocol from the ITU that is relatively heavy. Rather used by operators coming from the telecommunication world (Lucent, Alcatel, Nortel).
- SIP (Session Initiation Protocol): a new protocol from the IETF that is more and more in use. It is rather used by network solution providers (Cisco, 3COM).

Voyager
The Java middleware, which is the cornerstone of EMOS. It is provided by ObjectSpace.

VPN (Virtual Private Network)
A secured connection established between two stations over the Internet. It is based on encryption (RSA etc.). The use of MPLS is a way to add QoS to this connection (i.e. a dedicated path with a specific QoS depending on the data flow). The use of IPsec provides security through encryption. In fact, there are three types of VPNs:
- Application layer VPN: based on SSL / TLS. HTTP, FTP and other client / server application protocols are encrypted.
- Network layer VPN: based on IPsec.
- Level two VPN: based on PPTP, L2TP. It encapsulates PPP frames (so IP frames).

VxWorks
Real-time operating system provided by the WindRiver System company. It is used on CI boards.

Vulnerability scanner
Security scope. This software / device scans a system or a network in order to detect vulnerabilities that could be used by malicious people in case of attack. A vulnerability scanner is proactive.

WAN (Wide Area Network)
A network whose purpose is to connect devices over a wide range (between towns, regions, states etc.). It also covers LAN interconnection.

WAP (Wireless Application Protocol)
This is a set of technologies that enable a mobile phone (or PDA) to access the Web using a WAP gateway. This gateway is in charge of translating WSP (contains WML data) frames into HTTP (contains HTML data) frames and vice versa. From a communication point of view, it matches the protocol stack TCP/SSL(TLS)/HTTP, so from layers 4 to 7. Here are examples of WAP session services:
- Connectionless oriented, non-secure, transaction mode: WDP/WSP
- Connection oriented, non-secure, transaction mode: WDP/WTP/WSP
- Connectionless oriented, secure, transaction mode: WDP/WTLS/WSP
- Connection oriented, secure, transaction mode: WDP/WTLS/WTP/WSP
WSP is the top of the stack and WDP relies on layer 3 of the WAP stack. If the WAP isn't a success in Europe today (wait for GPRS, UMTS), the Japanese counterpart (iMode) has more success. Is XHTML the future of both WML/WAP and iMode?

W-CDMA (Wideband - CDMA)
Have a look at CDMA.

WEB (WWW for WorldWide Web)
Worldwide interconnection of stations based on Internet protocols. The most famous one is HTTP (WEB server).

WEP (Wireless Equivalent Privacy)
Security scope. Encryption mechanism dedicated to wireless networks (40 to 128 bits for the encryption key, based on DES or 3DES).

WDP (Wireless Datagram Protocol)
Have a look at "WAP".

Whistler
The last avatar of Bill Gates. This is the name of the Windows Millennium and 2000 convergence due end of 2001.

Windows 95 / 98 / Millennium / NT / NTE / 2000 / CE
The very well known Microsoft suite of operating systems. They are based on a common programming interface and standard communications with OPC and DCOM. 95, 98 and Millennium (in 2000) are versions dedicated to desktops. Home computing is very familiar with 98. Windows NT (New Technology) and now 2000 are dedicated to developers, servers etc. This is the top level of the suite. NT isn't real time. Companies such as Nematron (HyperKernel, www.nematron.com), VenturCom (RTX, www.venturcom.com), TenaSys (Intime, www.tenasys.com) provide real time enabled NT solutions. It means real time extensions (i.e. a real time part running in parallel with NT, most of the time based on a modification of the Hardware Abstraction Layer (HAL) of NT). It seems that Microsoft chose RTX in order to provide real-time capabilities to NT. NTE (NT Embedded) is dedicated to "big" embedded devices. For example, Steeplechase (www.steeplechase.com), the company that has just been bought by Schneider Automation, uses this technology. On the "small devices" embedded side, Windows CE (embedded CE, Micro-modular CE, Graphical CE) also targets the real time world. In fact, Windows CE 3.0 is aimed to be a real competitor to RTOS providers, with the advantage of providing the Windows API and communication technologies.

Windows DNA (Windows Distributed iNternet Architecture)
This is a model and platform for building and deploying applications using the WEB as an integral part of the architecture. Key technologies are COM+ and XML. Have also a look at ".Net".

WLAN (Wireless Local Area Network)

WML (Wireless Markup Language)
HTML for the WAP world (mobile phone). WML 2.0 will become the XHTML adaptation for the mobile world.

Worm
Security scope. This is a virus which is part of a document attached to an email. If you open the document (not the email), the virus becomes virulent (the nature of the attack depends on the strain). Because it uses emails, a worm can spread very quickly. Recent famous examples are "I love you" and "Melissa". An anti-virus software is aimed to fight viruses, so to detect them before action in order to preclude damages.

WRS (Wind River System)
The company that sells VxWorks.

WSDL (Web Service Description Language)
New "standard" pushed by Microsoft and IBM whose purpose is to identify a service on the WEB in a unique manner based on XML. Thus, once the WSDL definition of a service is known, the client side of an interaction can use any type of technology (C++, C#, Java etc.) in order to use this remote service. In fact, the access code template is automatically generated from the WSDL definition. Though the basic communication means is SOAP, others are possible (HTTP etc.). ADS and DISCO are intended to provide discovery services for WSDL defined Web services.

WSP (Wireless Session Protocol)
Have a look at "WAP".

WTP (Wireless Transport Protocol)
Have a look at "WAP".

WTLS (Wireless Transport Layer Security)
Have a look at "WAP".

W3C (WorldWide Web Consortium)
A consortium whose aim is to promote the WWW (standard definition etc.).

XBTL1000
A programming environment of DAS CI dedicated to XBT HMI.

XHTML (eXtensible Hypertext Markup Language)
An evolution of HTML (somewhere between XML and HTTP). So, XHTML is XML compliant (HTML isn't). The W3C is currently releasing a version of XHTML that is based on XML 1.0 and HTML 4.01.

Xip
Xway communication. This is a PC driver (NT, 98 etc.) that enables an application to communicate with remote Premium PLCs on Ethernet TCP/IP (so using ETY modules). It uses XWAY datagrams inside MBAP APDUs.

XKMS (XML Key Management Specification)
Security scope. Have a look at XML Trust Services. It is suitable for use in conjunction with the proposed standard for XML Signature (XML-SIG) developed by the W3C and the IETF and an anticipated companion standard for XML encryption. It comprises two parts:
- The XML Key Information Service Specification (X-KISS). It defines a protocol for a trust service that resolves public key information contained in XML-SIG elements.
- The XML Key Registration Service Specification (X-KRSS). It defines a protocol for a Web service that accepts registration of public key information.
Both protocols are defined in terms of structures expressed in the XML Schema Language, protocols employing SOAP v1.1 and relationships among messages defined by WSDL v1.0.

XML (eXtensible Markup Language, eXcellent Marketing Language)
A metalanguage used to define syntaxes (such as HTML) that are used to encode information (XML parser / encoder). Based on tags (textual identifiers). This is the rising star of data exchange interoperability (equivalent to Java in the programming world).

XML Schema
A new way to describe the grammar and vocabulary associated to an XML document (i.e. it replaces the DTD). The grammar description is pure XML and it supports strong type definition (accuracy constraints etc.).

XML Trust Services
Security scope. This is a four-component suite of open specifications for application developers, developed in partnership with leaders including Microsoft, Ariba, webMethods, Netegrity and Verisign, that makes it easier than ever to integrate a broad range of trust services into B2B and B2C applications. XML complements PKI and digital certificates, the standard method for securing Internet transactions. These components are:
- XKMS: this component simplifies the integration of PKI and certificates with XML applications (it is specified by Verisign, Microsoft and webMethods). This is achieved by delegating trust processing to the server side.
- S2ML: this specification is developed by Verisign, Netegrity and other vendors. It targets B2B and B2C. It offers a vendor-neutral, open XML standard for enabling secure e-commerce transactions by describing authentication, authorization, and profile information.
XMLPay: Verisign, Ariba, and other vendors created XMLPay (specification) for sending payment requests and responses through financial networks. EPP: Verisign has developed EPP to support an XML-based domain name management utility. XML Protocol The reaction of the W3C against SOAP (XML transport protocol). However, because SAOP started first and is supported by very big companies, we're almost shure sthat XP will join SOAP at some point. XML PATH language (V1.0 is a recommendation from the W3C) XPath is a language for addressing parts of an XML document, designed to be used by both XSLT and XPointer. XML Pointer language (V1.0 is a recommendation from the W3C)

XML

XML schema XML Trust Services

XP

XPATH XPointer

The XML Pointer Language (Xpointer) is to be used as the basis for a fragment identifier for any URL reference that locates a resource of Internet media type text/xml or application/xml. XPointer, which is based on the XML Path Language (XPath), supports addressing into the internal structures of XML documents. It allows for examination of a hierarchical document structure and choice of its internal parts based on various properties, such as element types, attribute values, character content, and relative position.
XQL eXtensible Query Language A language based on queries that is dedicated to the task of looking for information in XML documents.

XSL eXtensible Stylesheet Language XML scope. It is used to describe how XML data may be transformed into another format (possibly another XML one). The stylesheet is an XML document based on 2 technologies:
- XSLT, which is an XML based language used to express transformation rules;
- XPATH, which is a language used to address parts of an XML document.
So the XSL stylesheet document (XML document) contains transformation rules to be applied to specific parts of the input (source) XML document. The XSL transformation processor takes the source XML document and the XSL stylesheet as input and produces a resulting output document. Have a look at www.xmlsoftware.com for resources regarding XSLT engines and XPATH utilities. This site provides Java references for free software (i.e. XSL transformation processors).

XSLT eXtensible Stylesheet Language Translation The XSL Transformations (XSLT) specification defines an XML-based language for expressing transformation rules that map one XML document to another. XSLT describes transformations from XML documents into arbitrary text-based formats (which may or may not be XML). XSLT assumes that three documents are in use: the source document, the XSLT stylesheet document, and the result document. The source document is simply a well-formed XML document that provides the input for the transformation. The stylesheet document is an XML document that uses the XSLT vocabulary for expressing transformation rules (+XPATH). The result document is a text document that is produced by running the source document through the transformations found in the XSLT stylesheet. In addition, XML + XSLT is a means to produce dynamic Web pages.

XSP eXtensible Server Pages Technology used by Apache Web servers (so promoted by the Apache Group).

XWAY Name of the S7, Premium, Micro network communication layer based on datagrams (connectionless communication), which offers network transparency (like the IP layer for Internet). Recently, an XWAY datagram can cross IP networks thanks to XWAY over TCP/IP using MBAP.

X_KISS XML Key Information Service Specification Security scope. Have a look at XKMS.

X_KRSS XML Key Registration Service Specification Security scope. Have a look at XKMS.

YACC Yet Another Compiler Compiler UNIX world. YACC is a meta-compiler that is able to generate parser code based on a grammar description file (.y or .yacc file). Have a look at DXML for analogy.
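An added Python example (not part of the original glossary) of the addressing properties listed under XPATH/XPointer and of the three-document model described under XSL/XSLT. The station description is constructed, and Python template rules stand in for the XSLT vocabulary, since the standard library offers XPath matching but no XSLT processor.

```python
"""XPath addressing and a minimal source + stylesheet -> result transformation,
using only the XPath subset supported by xml.etree.ElementTree. A real XSLT
processor (e.g. lxml) would take an XSLT stylesheet instead of Python rules."""
import xml.etree.ElementTree as ET

# Constructed source document: a PLC station description, not a real product file.
SOURCE_XML = """<station name="press-line-1">
  <module slot="0" type="CPU">CPU-A</module>
  <module slot="1" type="ETY">ETY-A</module>
  <module slot="2" type="ETY">ETY-B</module>
  <module slot="3" type="DIO">DIO-A</module>
</station>"""


def parse_source(xml_text: str = SOURCE_XML) -> ET.Element:
    """Parse the source document (the first of XSLT's three documents)."""
    return ET.fromstring(xml_text)


def select(root: ET.Element, xpath: str) -> list:
    """Text content of every element the XPath expression addresses."""
    return [el.text for el in root.findall(xpath)]


def addressing_examples(root: ET.Element) -> dict:
    """The four addressing properties named in the XPointer entry."""
    return {
        "element type": select(root, "./module"),                  # all <module> children
        "attribute value": select(root, "./module[@type='ETY']"),  # Ethernet modules only
        "character content": select(root, "./module[.='CPU-A']"),  # by text content
        "relative position": select(root, "./module[last()]"),     # last child
    }


def transform(root: ET.Element, templates) -> str:
    """Stand-in for the XSLT processor: the 'stylesheet' is a list of (XPath, render)
    rules; the result document is the rendered output of every node each rule selects."""
    lines = []
    for xpath, render in templates:
        lines.extend(render(el) for el in root.findall(xpath))
    return "\n".join(lines)


# "Stylesheet": one rule that turns each Ethernet module into an HTML table row.
ETHERNET_INVENTORY = [
    ("./module[@type='ETY']",
     lambda m: f"<tr><td>{m.get('slot')}</td><td>{m.text}</td></tr>"),
]


def ethernet_inventory(xml_text: str = SOURCE_XML) -> str:
    """Source document + stylesheet -> result document (here an HTML fragment)."""
    return transform(parse_source(xml_text), ETHERNET_INVENTORY)
```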

3 APPENDIX

3.1 HTTP CODE (of Hypertext Transfer Protocol -- HTTP/1.1)

The set of common methods for HTTP/1.1 is defined below. Although this set can be expanded, additional methods cannot be assumed to share the same semantics for separately extended clients and servers. The Host request-header field (section 14.23) MUST accompany all HTTP/1.1 requests.

3.1.1 Safe and Idempotent Methods

3.1.2 Safe Methods

Implementors should be aware that the software represents the user in their interactions over the Internet, and should be careful to allow the user to be aware of any actions they might take which may have an unexpected significance to themselves or others. In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe". This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested. Naturally, it is not possible to ensure that the server does not generate side-effects as a result of performing a GET request; in fact, some dynamic resources consider that a feature. The important distinction here is that the user did not request the side-effects, so therefore cannot be held accountable for them.

3.1.3 Idempotent Methods

Methods can also have the property of "idempotence" in that (aside from error or expiration issues) the side-effects of N > 0 identical requests is the same as for a single request. The methods GET, HEAD, PUT and DELETE share this property. Also, the methods OPTIONS and TRACE SHOULD NOT have side effects, and so are inherently idempotent. However, it is possible that a sequence of several requests is non-idempotent, even if all of the methods executed in that sequence are idempotent. (A sequence is idempotent if a single execution of the entire sequence always yields a result that is not changed by a re-execution of all, or part, of that sequence.) For example, a sequence is non-idempotent if its result depends on a value that is later modified in the same sequence. A sequence that never has side effects is idempotent, by definition (provided that no concurrent operations are being executed on the same set of resources).
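As an added example (not from the glossary or the RFC text), the following Python models a toy origin server and replays request sequences to check the side-effect properties described in 3.1.2 and 3.1.3. The resource store, URIs and request sequences are constructed; the status codes follow the PUT, POST and DELETE sections further below.

```python
"""Checks the "safe" and "idempotent" method properties against a toy in-memory
origin server. Constructed for illustration: the store, the URIs and the request
sequences are not taken from any real system."""
from dataclasses import dataclass, field
from typing import Optional

# GET/HEAD (and OPTIONS/TRACE) are retrieval only: "safe".
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
# Safe methods plus PUT and DELETE: N > 0 identical requests have the side-effects of one.
IDEMPOTENT_METHODS = SAFE_METHODS | {"PUT", "DELETE"}


@dataclass
class Response:
    status: int
    body: Optional[str] = None


@dataclass
class Origin:
    """Minimal origin server. Status codes follow 3.1.5 to 3.1.9: 201 when PUT/POST
    creates a resource, 204 when PUT/DELETE changes state without returning an
    entity, 404 for a missing resource."""
    resources: dict = field(default_factory=dict)
    next_id: int = 1  # makes each POST create a new subordinate URI

    def handle(self, method: str, uri: str, body: Optional[str] = None) -> Response:
        if method in ("GET", "HEAD"):
            if uri not in self.resources:
                return Response(404)
            # HEAD is GET without the message-body (3.1.6).
            return Response(200, self.resources[uri] if method == "GET" else None)
        if method == "PUT":
            created = uri not in self.resources
            self.resources[uri] = body or ""  # stored under the supplied URI (3.1.8)
            return Response(201 if created else 204)
        if method == "DELETE":
            self.resources.pop(uri, None)  # repeating a DELETE changes nothing more
            return Response(204)
        if method == "POST":
            new_uri = f"{uri.rstrip('/')}/{self.next_id}"  # server picks the subordinate URI
            self.next_id += 1
            self.resources[new_uri] = body or ""
            return Response(201, new_uri)
        return Response(501)


def observe(origin: Origin, sequence) -> tuple:
    """Execute a request sequence and return what matters for idempotence: the
    resulting server state and the data handed back to the client. Status codes
    are left out on purpose: 201 vs 204 only reports whether a PUT created or
    replaced, it is not a side-effect on the resource."""
    bodies = [origin.handle(*request).body for request in sequence]
    return dict(origin.resources), bodies


def is_idempotent(sequence, repeats: int = 3) -> bool:
    """Section 3.1.3: a sequence is idempotent if one execution yields a result
    that is not changed by re-executing the whole sequence."""
    once = observe(Origin(), sequence)
    replayed = Origin()
    last = None
    for _ in range(repeats):
        last = observe(replayed, sequence)
    return once == last


if __name__ == "__main__":
    put_only = [("PUT", "/cfg", "v1")]
    post_only = [("POST", "/items", "x")]
    # Every method below is idempotent, yet the sequence is not: the GET result
    # depends on a value that the later PUT modifies.
    get_then_put = [("GET", "/cfg", None), ("PUT", "/cfg", "v1")]
    for name, seq in [("PUT", put_only), ("POST", post_only), ("GET;PUT", get_then_put)]:
        print(f"{name:8s} idempotent: {is_idempotent(seq)}")
```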
3.1.4 OPTIONS

The OPTIONS method represents a request for information about the communication options available on the request/response chain identified by the Request-URI. This method allows the client to determine the options and/or requirements associated with a resource, or the capabilities of a server, without implying a resource action or initiating a resource retrieval. Responses to this method are not cacheable. If the OPTIONS request includes an entity-body (as indicated by the presence of Content-Length or Transfer-Encoding), then the media type MUST be indicated by a Content-Type field. Although this specification does not define any use for such a body, future extensions to HTTP might use the OPTIONS body to make more detailed queries on the server. A server that does not support such an extension MAY discard the request body. If the Request-URI is an asterisk ("*"), the OPTIONS request is intended to apply to the server in general rather than to a specific resource. Since a server's communication options typically depend on the resource, the "*" request is only useful as a "ping" or "no-op" type of method; it does nothing beyond allowing the client to test the capabilities of the server. For example, this can be used to test a proxy for HTTP/1.1 compliance (or lack thereof). If the Request-URI is not an asterisk, the OPTIONS request applies only to the options that are available when communicating with that resource.

A 200 response SHOULD include any header fields that indicate optional features implemented by the server and applicable to that resource (e.g., Allow), possibly including extensions not defined by this specification. The response body, if any, SHOULD also include information about the communication options. The format for such a body is not defined by this specification, but might be defined by future extensions to HTTP. Content negotiation MAY be used to select the appropriate response format. If no response body is included, the response MUST include a Content-Length field with a field-value of "0". The Max-Forwards request-header field MAY be used to target a specific proxy in the request chain. When a proxy receives an OPTIONS request on an absoluteURI for which request forwarding is permitted, the proxy MUST check for a Max-Forwards field. If the Max-Forwards field-value is zero ("0"), the proxy MUST NOT forward the message; instead, the proxy SHOULD respond with its own communication options. If the Max-Forwards field-value is an integer greater than zero, the proxy MUST decrement the field-value when it forwards the request. If no Max-Forwards field is present in the request, then the forwarded request MUST NOT include a Max-Forwards field.

3.1.5 GET

The GET method means retrieve whatever information (in the form of an entity) is identified by the Request-URI. If the Request-URI refers to a data-producing process, it is the produced data which shall be returned as the entity in the response and not the source text of the process, unless that text happens to be the output of the process. The semantics of the GET method change to a "conditional GET" if the request message includes an If-Modified-Since, If-Unmodified-Since, If-Match, If-None-Match, or If-Range header field. A conditional GET method requests that the entity be transferred only under the circumstances described by the conditional header field(s).

The conditional GET method is intended to reduce unnecessary network usage by allowing cached entities to be refreshed without requiring multiple requests or transferring data already held by the client. The semantics of the GET method change to a "partial GET" if the request message includes a Range header field. A partial GET requests that only part of the entity be transferred, as described in section 14.35. The partial GET method is intended to reduce unnecessary network usage by allowing partially-retrieved entities to be completed without transferring data already held by the client. The response to a GET request is cacheable if and only if it meets the requirements for HTTP caching described in section 13. See section 15.1.3 for security considerations when used for forms.

3.1.6 HEAD

The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response. The metainformation contained in the HTTP headers in response to a HEAD request SHOULD be identical to the information sent in response to a GET request. This method can be used for obtaining metainformation about the entity implied by the request without transferring the entity-body itself. This method is often used for testing hypertext links for validity, accessibility, and recent modification. The response to a HEAD request MAY be cacheable in the sense that the information contained in the response MAY be used to update a previously cached entity from that resource. If the new field values indicate that the cached entity differs from the current entity (as would be indicated by a change in Content-Length, Content-MD5, ETag or Last-Modified), then the cache MUST treat the cache entry as stale.

3.1.7 POST

The POST method is used to request that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Request-URI in the Request-Line. POST is designed to allow a uniform method to cover the following functions:
- Annotation of existing resources;
- Posting a message to a bulletin board, newsgroup, mailing list, or similar group of articles;
- Providing a block of data, such as the result of submitting a form, to a data-handling process;
- Extending a database through an append operation.

The actual function performed by the POST method is determined by the server and is usually dependent on the Request-URI. The posted entity is subordinate to that URI in the same way that a file is subordinate to a directory containing it, a news article is subordinate to a newsgroup to which it is posted, or a record is subordinate to a database. The action performed by the POST method might not result in a resource that can be identified by a URI. In this case, either 200 (OK) or 204 (No Content) is the appropriate response status, depending on whether or not the response includes an entity that describes the result. If a resource has been created on the origin server, the response SHOULD be 201 (Created) and contain an entity which describes the status of the request and refers to the new resource, and a Location header (see section 14.30). Responses to this method are not cacheable, unless the response includes appropriate Cache-Control or Expires header fields. However, the 303 (See Other) response can be used to direct the user agent to retrieve a cacheable resource. POST requests MUST obey the message transmission requirements set out in section 8.2. See section 15.1.3 for security considerations.

3.1.8 PUT

The PUT method requests that the enclosed entity be stored under the supplied Request-URI. If the Request-URI refers to an already existing resource, the enclosed entity SHOULD be considered as a modified version of the one residing on the origin server. If the Request-URI does not point to an existing resource, and that URI is capable of being defined as a new resource by the requesting user agent, the origin server can create the resource with that URI. If a new resource is created, the origin server MUST inform the user agent via the 201 (Created) response. If an existing resource is modified, either the 200 (OK) or 204 (No Content) response codes SHOULD be sent to indicate successful completion of the request.

If the resource could not be created or modified with the Request-URI, an appropriate error response SHOULD be given that reflects the nature of the problem. The recipient of the entity MUST NOT ignore any Content-* (e.g. Content-Range) headers that it does not understand or implement and MUST return a 501 (Not Implemented) response in such cases. If the request passes through a cache and the Request-URI identifies one or more currently cached entities, those entries SHOULD be treated as stale. Responses to this method are not cacheable. The fundamental difference between the POST and PUT requests is reflected in the different meaning of the Request-URI. The URI in a POST request identifies the resource that will handle the enclosed entity. That resource might be a data-accepting process, a gateway to some other protocol, or a separate entity that accepts annotations. In contrast, the URI in a PUT request identifies the entity enclosed with the request - the user agent knows what URI is intended and the server MUST NOT attempt to apply the request to some other resource. If the server desires that the request be applied to a different URI, it MUST send a 301 (Moved Permanently) response; the user agent MAY then make its own decision regarding whether or not to redirect the request. A single resource MAY be identified by many different URIs. For example, an article might have a URI for identifying "the current version" which is separate from the URI identifying each particular version. In this case, a PUT request on a general URI might result in several other URIs being defined by the origin server. HTTP/1.1 does not define how a PUT method affects the state of an origin server. PUT requests MUST obey the message transmission requirements set out in section 8.2. Unless otherwise specified for a particular entity-header, the entity-headers in the PUT request SHOULD be applied to the resource created or modified by the PUT.

3.1.9 DELETE

The DELETE method requests that the origin server delete the resource identified by the Request-URI. This method MAY be overridden by human intervention (or other means) on the origin server. The client cannot be guaranteed that the operation has been carried out, even if the status code returned from the origin server indicates that the action has been completed successfully. However, the server SHOULD NOT indicate success unless, at the time the response is given, it intends to delete the resource or move it to an inaccessible location.

A successful response SHOULD be 200 (OK) if the response includes an entity describing the status, 202 (Accepted) if the action has not yet been enacted, or 204 (No Content) if the action has been enacted but the response does not include an entity. If the request passes through a cache and the Request-URI identifies one or more currently cached entities, those entries SHOULD be treated as stale. Responses to this method are not cacheable.

3.1.10 TRACE

The TRACE method is used to invoke a remote, application-layer loop-back of the request message. The final recipient of the request SHOULD reflect the message received back to the client as the entity-body of a 200 (OK) response. The final recipient is either the origin server or the first proxy or gateway to receive a Max-Forwards value of zero (0) in the request (see section 14.31). A TRACE request MUST NOT include an entity. TRACE allows the client to see what is being received at the other end of the request chain and use that data for testing or diagnostic information. The value of the Via header field (section 14.45) is of particular interest, since it acts as a trace of the request chain. Use of the Max-Forwards header field allows the client to limit the length of the request chain, which is useful for testing a chain of proxies forwarding messages in an infinite loop. If the request is valid, the response SHOULD contain the entire request message in the entity-body, with a Content-Type of "message/http". Responses to this method MUST NOT be cached.

3.1.11 CONNECT

This specification reserves the method name CONNECT for use with a proxy that can dynamically switch to being a tunnel (e.g. SSL tunneling [44]).
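An added Python example (not part of this document) of the Max-Forwards rule shared by OPTIONS (3.1.4) and TRACE (3.1.10): a proxy answers locally when the field is zero, otherwise decrements it on the way upstream and never adds it when absent, and the final recipient replies with Content-Length: 0 for a body-less OPTIONS or a message/http echo for TRACE. The proxy identities and requests are constructed.

```python
"""Proxy handling of Max-Forwards for OPTIONS and TRACE (sections 3.1.4 and 3.1.10) and the
answers of the final recipient: a body-less OPTIONS reply carries Content-Length: 0 and a TRACE
reply echoes the received request as message/http. Constructed example: proxy identities and
requests are made up."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass
class Request:
    method: str
    target: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""

    def header(self, name: str) -> Optional[str]:
        """Header lookup; names are case-insensitive in HTTP."""
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), None)

    def without(self, name: str) -> dict:
        return {k: v for k, v in self.headers.items() if k.lower() != name.lower()}

    def raw(self) -> bytes:
        """Serialise the request as received; this is what TRACE reflects."""
        lines = [f"{self.method} {self.target} HTTP/1.1"] + [f"{k}: {v}" for k, v in self.headers.items()]
        return ("\r\n".join(lines) + "\r\n\r\n").encode() + self.body

@dataclass
class Response:
    status: int
    headers: dict
    body: bytes = b""

def max_forwards(req: Request) -> Optional[int]:
    """Parsed Max-Forwards, or None when absent or not a decimal integer."""
    value = req.header("Max-Forwards")
    return int(value) if value is not None and value.isdigit() else None

def respond_locally(req: Request, allow: str = "OPTIONS, GET, HEAD") -> Response:
    """What a proxy or origin answers when it is the final recipient."""
    if req.method == "OPTIONS":
        # No response body, so Content-Length MUST be "0"; Allow lists the options (3.1.4).
        return Response(200, {"Allow": allow, "Content-Length": "0"})
    if req.method == "TRACE":
        if req.body:  # a TRACE request MUST NOT include an entity (3.1.10)
            return Response(400, {"Content-Length": "0"})
        echo = req.raw()  # reflect exactly what was received, as message/http
        return Response(200, {"Content-Type": "message/http", "Content-Length": str(len(echo))}, echo)
    return Response(405, {"Allow": allow, "Content-Length": "0"})  # this toy origin serves nothing else

def forward_through(req: Request, hop_id: str) -> Request:
    """The request a proxy sends upstream: for OPTIONS/TRACE, Max-Forwards is decremented when
    present and never added when absent; this hop is appended to Via so the chain stays visible."""
    headers = dict(req.headers)
    hops = max_forwards(req)
    if req.method in ("OPTIONS", "TRACE") and hops is not None:
        headers = req.without("Max-Forwards")
        headers["Max-Forwards"] = str(hops - 1)
    via = req.header("Via")
    headers = {k: v for k, v in headers.items() if k.lower() != "via"}
    headers["Via"] = f"{via}, {hop_id}" if via else hop_id
    return Request(req.method, req.target, headers, req.body)

def proxy_step(req: Request, hop_id: str) -> Tuple[str, object]:
    """("respond", Response) when Max-Forwards is 0 and the proxy MUST NOT forward,
    otherwise ("forward", the rewritten Request)."""
    if req.method in ("OPTIONS", "TRACE") and max_forwards(req) == 0:
        return "respond", respond_locally(req)
    return "forward", forward_through(req, hop_id)

def run_chain(req: Request, proxies) -> Tuple[str, Response]:
    """Push the request through the listed proxies to the origin; report which hop answered."""
    for hop in proxies:
        action, result = proxy_step(req, hop)
        if action == "respond":
            return hop, result
        req = result
    return "origin", respond_locally(req)
```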

3.2 FTP

File Transfer Protocol. RFC 959: http://www.w3.org/Protocols/rfc959/4_FileTransfer.html

File Transfer Protocol (FTP), a standard Internet protocol, is the simplest way to exchange files between computers on the Internet. Like the Hypertext Transfer Protocol (HTTP), which transfers displayable Web pages and related files, and the Simple Mail Transfer Protocol (SMTP), which transfers e-mail, FTP is an application protocol that uses the Internet's TCP/IP protocols. FTP is commonly used to transfer Web page files from their creator to the computer that acts as their server for everyone on the Internet. It's also commonly used to download programs and other files to your computer from other servers. As a user, you can use FTP with a simple command line interface (for example, from the Windows MS-DOS Prompt window) or with a commercial program that offers a graphical user interface. Your Web browser can also make FTP requests to download programs you select from a Web page. Using FTP, you can also update (delete, rename, move, and copy) files at a server. You need to log on to an FTP server. However, publicly available files are easily accessed using anonymous FTP. Basic FTP support is usually provided as part of a suite of programs that come with TCP/IP. However, any FTP client program with a graphical user interface usually must be downloaded from the company that makes it.
