
0 and 255 have special meanings. 0 is reserved for machines that don't know their address. In certain circumstances it is possible for a machine not to know the number of the network it is on, or even its own host address. For example, 0.0.0.23 would be a machine that knew it was host number 23, but didn't know on what network.

255 is used for "broadcast". A broadcast is a message that you want every system on the network to see. Broadcasts are used in some situations where you don't know who to talk to. For example, suppose you need to look up a host name and get its Internet address. Sometimes you don't know the address of the nearest name server. In that case, you might send the request as a broadcast. There are also cases where a number of systems are interested in information. It is then less expensive to send a single broadcast than to send datagrams individually to each host that is interested in the information. In order to send a broadcast, you use an address that is made by using your network address, with all ones in the part of the address where the host number goes. For example, if you are on network 128.6.4, you would use 128.6.4.255 for broadcasts. How this is actually implemented depends upon the medium. It is not possible to send broadcasts on the Arpanet, or on point to point lines. However it is possible on an Ethernet. If you use an Ethernet address with all its bits on (all ones), every machine on the Ethernet is supposed to look at that datagram.

Although the official broadcast address for network 128.6.4 is now 128.6.4.255, there are some other addresses that may be treated as broadcasts by certain implementations. For convenience, the standard also allows 255.255.255.255 to be used. This refers to all hosts on the local network. It is often simpler to use 255.255.255.255 instead of finding out the network number for the local network and forming a broadcast address such as 128.6.4.255. In addition, certain older implementations may use 0 instead of 255 to form the broadcast address. Such implementations would use 128.6.4.0 instead of 128.6.4.255 as the broadcast address on network 128.6.4. Finally, certain older implementations may not understand about subnets. Thus they consider the network number to be 128.6. In that case, they will assume a broadcast address of 128.6.255.255 or 128.6.0.0. Until support for broadcasts is implemented properly, it can be a somewhat dangerous feature to use: hosts that disagree about which addresses are broadcasts will answer (or ignore) datagrams that their neighbours treat differently, and a broadcast formed from the unsubnetted network number is aimed at every host on the whole of 128.6 rather than at the one subnet.

Because 0 and 255 are used for unknown and broadcast addresses, normal hosts should never be given addresses whose host part is all zeros or all ones (0 or 255 in the last octet of a 128.6.4.x network). Addresses should never begin with 0, 127, or any number above 223 (127 is reserved for loopback, and 224 and above are the multicast and reserved ranges). Addresses violating these rules are sometimes referred to as "Martians", because of rumors that the Central University of Mars is using network 225.
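As an added example (not part of the original text), the following Python computes, for a host on 128.6.4.194, every address that one of the implementations described above might treat as a broadcast, and applies the "Martian" rules to a candidate host address. The rule about 0 and 255 is applied to the host part of the address under a given prefix length rather than to every octet, since that is the reason the text gives for it; the prefix length (24 for the subnet 128.6.4) is an input the text implies but never states, and the classful fallback is what a host that "does not understand about subnets" would assume.

```python
import ipaddress


def classful_network(addr):
    """Network that an implementation which knows nothing about subnets would
    assume for addr: /8 below 128, /16 below 192, /24 below 224 (the original
    address classes). Returns None for first octets of 224 and above."""
    a = ipaddress.ip_address(addr)
    first = int(a) >> 24
    if first < 128:
        prefix = 8
    elif first < 192:
        prefix = 16
    elif first < 224:
        prefix = 24
    else:
        return None
    return ipaddress.ip_network(f"{a}/{prefix}", strict=False)


def broadcast_candidates(addr, prefixlen):
    """Every address that some implementation described in the text might treat
    as a broadcast for the (sub)network addr/prefixlen: the official all-ones
    form, the limited broadcast 255.255.255.255, the older all-zeros form, and
    the all-ones / all-zeros forms of the classful network for hosts that
    ignore the subnet mask. Useful as a filter list: none of these should
    arrive from outside the local network."""
    net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
    cands = {str(net.broadcast_address), str(net.network_address), "255.255.255.255"}
    classful = classful_network(addr)
    if classful is not None and classful != net:
        cands.add(str(classful.broadcast_address))
        cands.add(str(classful.network_address))
    return cands


def is_martian(addr, prefixlen):
    """The text's rules for addresses no normal host should carry: a first
    octet of 0, 127 or above 223, or a host part that is all zeros or all ones
    under the given prefix length."""
    a = ipaddress.ip_address(addr)
    first = int(a) >> 24
    if first == 0 or first == 127 or first > 223:
        return True
    hostmask = (1 << (32 - prefixlen)) - 1
    host = int(a) & hostmask
    return host == 0 or host == hostmask


if __name__ == "__main__":
    print(sorted(broadcast_candidates("128.6.4.194", 24)))
    for candidate in ("0.0.0.23", "128.6.4.194", "128.6.4.255", "224.0.0.1"):
        print(candidate, "martian" if is_martian(candidate, 24) else "ok")
```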

[2.1.9] Datagram Fragmentation and Reassembly

TCP/IP is designed for use with many different kinds of network. Unfortunately, network designers do not agree about how big packets can be. Ethernet packets can be 1500 octets long. Arpanet packets have a maximum of around 1000 octets. Some very fast networks have much larger packet sizes. At first, you might think that IP should simply settle on the smallest possible size. Unfortunately, this would cause serious performance problems. When transferring large files, big packets are far more efficient than small ones. So we want to be able to use the largest packet size possible. But we also want to be able to handle networks with small limits.

There are two provisions for this. First, TCP has the ability to "negotiate" about datagram size. When a TCP connection first opens, both ends can send the maximum datagram size they can handle (the TCP maximum segment size option). The smaller of these numbers is used for the rest of the connection. This allows two implementations that can handle big datagrams to use them, but also lets them talk to implementations that can't handle them. However this doesn't completely solve the problem. The most serious problem is that the two ends don't necessarily know about all of the steps in between. For example, when sending data between Rutgers and Berkeley, it is likely that both computers will be on Ethernets. Thus they will both be prepared to handle 1500-octet datagrams. However the connection will at some point end up going over the Arpanet. It can't handle packets of that size. For this reason, there are provisions to split datagrams up into pieces. (This is referred to as "fragmentation".) The IP header contains fields indicating the datagram has been split, and enough information to let the pieces be put back together. If a gateway connects an Ethernet to the Arpanet, it must be prepared to take 1500-octet Ethernet packets and split them into pieces that will fit on the Arpanet. Furthermore, every host implementation of TCP/IP must be prepared to accept pieces and put them back together. This is referred to as "reassembly".

TCP/IP implementations differ in the approach they take to deciding on datagram size. It is fairly common for implementations to use 576-byte datagrams whenever they can't verify that the entire path is able to handle larger packets. This rather conservative strategy is used because of the number of implementations with bugs in the code to reassemble fragments. Implementors often try to avoid ever having fragmentation occur. Different implementors take different approaches to deciding when it is safe to use large datagrams. Some use them only for the local network. Others will use them for any network on the same campus. 576 bytes is a "safe" size, which every implementation must support.
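An added example, not from the original text, modelling the header fields the paragraphs above refer to: the Identification field, the "more fragments" flag and the fragment offset counted in 8-octet units. fragment() splits a 1480-octet Ethernet payload so that each piece fits an assumed 1000-octet Arpanet MTU, and Reassembler puts the pieces back together in whatever order they arrive while refusing the inputs that the buggy reassembly code mentioned in the text had to cope with: overlapping pieces, pieces that would extend past the 65535-octet maximum datagram size, and data arriving after the piece marked as last. Checksums, options and the other header fields are left out, so this is a model of the mechanism rather than a packet builder.

```python
from dataclasses import dataclass

IP_HEADER_LEN = 20        # minimal IPv4 header, options ignored here
MAX_DATAGRAM = 65535      # largest Total Length the 16-bit field allows


@dataclass
class Fragment:
    ident: int       # Identification: the same for every piece of one datagram
    offset: int      # Fragment Offset field, in 8-octet units
    more: bool       # MF ("more fragments") flag
    data: bytes      # this piece of the original payload


def fragment(ident, payload, mtu):
    """Split payload so that header + data fits in mtu octets. Every piece
    except the last carries a multiple of 8 octets, because the offset field
    counts in units of 8."""
    per_frag = (mtu - IP_HEADER_LEN) // 8 * 8
    if per_frag <= 0:
        raise ValueError("mtu too small to carry any data")
    pieces = []
    for start in range(0, len(payload), per_frag):
        chunk = payload[start:start + per_frag]
        pieces.append(Fragment(ident, start // 8, start + len(chunk) < len(payload), chunk))
    return pieces


class Reassembler:
    """Reassembly that rejects the malformed inputs the text's buggy
    implementations tripped over instead of trusting the sender."""

    def __init__(self):
        self.pending = {}   # ident -> {"pieces": {start: data}, "total": int or None}

    def add(self, frag):
        """Return the whole payload once every piece is present, else None.
        Raises ValueError for pieces that cannot belong to a valid datagram."""
        start = frag.offset * 8
        end = start + len(frag.data)
        if end > MAX_DATAGRAM - IP_HEADER_LEN:
            raise ValueError("fragment extends past the maximum datagram size")
        if frag.more and len(frag.data) % 8:
            raise ValueError("non-final fragment is not a multiple of 8 octets")
        entry = self.pending.setdefault(frag.ident, {"pieces": {}, "total": None})
        if entry["pieces"].get(start) == frag.data:
            return None                      # exact duplicate (retransmission): harmless
        for s, d in entry["pieces"].items():
            if start < s + len(d) and s < end:
                raise ValueError("overlapping fragment")
        if not frag.more:
            if entry["total"] is not None:
                raise ValueError("two fragments claim to be the last")
            entry["total"] = end
        elif entry["total"] is not None and end > entry["total"]:
            raise ValueError("fragment beyond the final piece")
        entry["pieces"][start] = frag.data
        if entry["total"] is None:
            return None                      # last piece not seen yet
        pos = 0
        for s in sorted(entry["pieces"]):
            if s != pos:
                return None                  # hole: keep waiting
            pos += len(entry["pieces"][s])
        if pos != entry["total"]:
            return None
        del self.pending[frag.ident]
        return b"".join(d for _, d in sorted(entry["pieces"].items()))


def rejects(reassembler, frag):
    """True if the reassembler refuses frag; used to show the checks firing."""
    try:
        reassembler.add(frag)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = bytes(i % 251 for i in range(1480))   # constructed 1480-octet Ethernet payload
    pieces = fragment(7, payload, 1000)               # assumed 1000-octet Arpanet MTU
    print([(p.offset, p.more, len(p.data)) for p in pieces])
    r = Reassembler()
    print(r.add(pieces[1]) is None, r.add(pieces[0]) == payload)
```

Real reassemblers also bound how long a partial datagram is held and how much memory pending datagrams may consume; a sender that never delivers the last piece should not be able to fill the table.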

[2.2.0] Ethernet encapsulation: ARP

There was a brief discussion earlier about what IP datagrams look like on an Ethernet. The discussion showed the Ethernet header and checksum. However it left one hole: it didn't say how to figure out what Ethernet address to use when you want to talk to a given Internet address. In fact, there is a separate protocol for this, called ARP ("address resolution protocol"). (Note by the way that ARP is not an IP protocol. That is, the ARP datagrams do not have IP headers.)

Suppose you are on system 128.6.4.194 and you want to connect to system 128.6.4.7. Your system will first verify that 128.6.4.7 is on the same network, so it can talk directly via Ethernet. Then it will look up 128.6.4.7 in its ARP table, to see if it already knows the Ethernet address. If so, it will stick on an Ethernet header, and send the packet. But suppose this system is not in the ARP table. There is no way to send the packet, because you need the Ethernet address. So it uses the ARP protocol to send an ARP request. Essentially an ARP request says "I need the Ethernet address for 128.6.4.7". Every system listens to ARP requests. When a system sees an ARP request for itself, it is required to respond. So 128.6.4.7 will see the request, and will respond with an ARP reply saying in effect "128.6.4.7 is 8:0:20:1:56:34". (Recall that Ethernet addresses are 48 bits. This is 6 octets. Ethernet addresses are conventionally shown in hex, using the punctuation shown.) Your system will save this information in its ARP table, so future packets will go directly. Most systems treat the ARP table as a cache, and clear entries in it if they have not been used in a certain period of time.

Note by the way that ARP requests must be sent as "broadcasts". There is no way that an ARP request can be sent directly to the right system. After all, the whole reason for sending an ARP request is that you don't know the Ethernet address. So an Ethernet address of all ones is used, i.e. ff:ff:ff:ff:ff:ff. By convention, every machine on the Ethernet is required to pay attention to packets with this as an address. So every system sees every ARP request. They all look to see whether the request is for their own address. If so, they respond. If not, they can just ignore it. (Some hosts will use ARP requests to update their knowledge about other hosts on the network, even if the request isn't for them.) Nothing in ARP lets a host check that a request or reply really came from the system whose address it names, so a host that learns mappings from traffic it did not ask for will believe whatever mapping it hears. Note that packets whose IP address indicates broadcast (e.g. 255.255.255.255 or 128.6.4.255) are also sent with an Ethernet address that is all ones.
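The exchange between 128.6.4.194 and 128.6.4.7 described above, as an added example that is not part of the original text: it builds and parses the Ethernet frames carrying ARP (the RFC 826 packet layout), and models each station's ARP table as a cache with a timeout. The requester's Ethernet address (00:00:0c:12:34:56), the third station and the 600-second cache lifetime are assumptions; only the responder's address 8:0:20:1:56:34 comes from the text. The policy chosen here is the conservative one: a station installs a mapping only from a reply that answers a request it actually sent, rather than learning from whatever requests and replies it overhears.

```python
import struct
import socket

ETH_BROADCAST = "ff:ff:ff:ff:ff:ff"   # all ones: every station must look at it
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"        # target MAC in a request: not yet known


def mac_bytes(text):
    """Accept padded (08:00:20:01:56:34) or unpadded (8:0:20:1:56:34) hex."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError("bad Ethernet address")
    return bytes(int(p, 16) for p in parts)


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying one ARP packet. A request goes to the broadcast
    address, because the whole point is that the target's MAC is unknown; a
    reply goes straight back to the requester."""
    dst = ETH_BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1, 0x0800, 6, 4, op,           # Ethernet, IPv4, 6-octet MAC, 4-octet IP
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame):
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"dst": mac_str(dst), "src": mac_str(src), "op": op,
            "sender_mac": mac_str(smac), "sender_ip": socket.inet_ntoa(sip),
            "target_mac": mac_str(tmac), "target_ip": socket.inet_ntoa(tip)}


class ArpHost:
    """One station: its own addresses, an ARP table used as a cache with a
    timeout, and the set of IP addresses it has outstanding requests for."""

    def __init__(self, ip, mac, ttl=600):
        self.ip, self.mac, self.ttl = ip, mac, ttl
        self.table = {}       # ip -> (mac, time learned)
        self.pending = set()

    def lookup(self, ip, now):
        """(mac, None) if cached and fresh, else (None, request frame to broadcast)."""
        entry = self.table.get(ip)
        if entry is not None and now - entry[1] < self.ttl:
            return entry[0], None
        self.table.pop(ip, None)          # stale entry: drop it
        self.pending.add(ip)
        return None, build_arp(ARP_REQUEST, self.mac, self.ip, ZERO_MAC, ip)

    def on_frame(self, frame, now):
        """Handle a received ARP frame; returns the reply frame if one is due."""
        pkt = parse_arp(frame)
        if pkt["op"] == ARP_REQUEST and pkt["target_ip"] == self.ip:
            return build_arp(ARP_REPLY, self.mac, self.ip, pkt["sender_mac"], pkt["sender_ip"])
        if pkt["op"] == ARP_REPLY and pkt["target_ip"] == self.ip and pkt["sender_ip"] in self.pending:
            self.pending.discard(pkt["sender_ip"])     # answers a question we asked
            self.table[pkt["sender_ip"]] = (pkt["sender_mac"], now)
        return None                                    # anything else is ignored


if __name__ == "__main__":
    a = ArpHost("128.6.4.194", "00:00:0c:12:34:56")   # requester MAC is assumed
    b = ArpHost("128.6.4.7", "8:0:20:1:56:34")
    mac, request = a.lookup("128.6.4.7", now=0)
    reply = b.on_frame(request, now=0)                 # every station sees the broadcast
    a.on_frame(reply, now=1)
    print(a.lookup("128.6.4.7", now=2)[0])             # 08:00:20:01:56:34
```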

[3.0.0] Preface to the WindowsNT Registry

This section is not meant for NT engineers that already know the registry, and it's not meant for people that have read the 800+ page books on the registry I've seen. This section is meant as a quick guide to get people understanding exactly what this registry thing is.

[3.0.1] What is the Registry?

The Windows registry provides a somewhat secure, unified database that stores configuration information in a hierarchical model. Until recently, configuration files such as WIN.INI were the only way to configure Windows applications and operating system functions. In today's NT 4 environment, the registry replaces these .INI files. Each key in the registry is similar to a bracketed heading in an .INI file.

One of the main disadvantages of the older .INI files is that they are flat text files, which are unable to support nested headings or contain data other than pure text. Registry keys can contain nested headings in the form of subkeys. These subkeys provide finer detail and a greater range of possible configuration information for a particular operating system. Registry values can also hold binary data, including executable code, as well as provide individual preferences for multiple users of the same computer. The ability to store executable code within the Registry extends its usage to operating system and application developers. The ability to store user-specific profile information allows one to tailor the environment for specific individual users.

To view the registry of an NT server, one would use the Registry Editor tool. There are two versions of Registry Editor:

.:Regedt32.exe has the most menu items and more choices for the menu items. You can search for keys and subkeys in the registry. It is also the version with the Security menu, so it is the one used to view or change the permissions and auditing on a key.

.:Regedit.exe enables you to search for strings, values, keys, and subkeys and export keys to .reg files. This feature is useful if you want to find specific data.

For ease of use, the Registry is divided into five separate structures that represent the Registry database in its entirety. These five groups are known as root keys, and are discussed below:

[3.0.2] In Depth Key Discussion

HKEY_CURRENT_USER

This registry key contains the configuration information for the user that is currently logged in. The users folders, screen colors, and control panel settings are stored here. This information is known as a User Profile.

HKEY_USERS

In Windows NT 3.5x, user profiles were stored locally (by default) in the systemroot\system32\config directory. In NT 4.0, they are stored in the systemroot\profiles directory. User-specific information is kept there, as well as common, system-wide user information.

This change in storage location has been brought about to parallel the way in which Windows 95 handles its user profiles. In earlier releases of NT, the user profile was stored as a single file either locally in the \config directory or centrally on a server. In Windows NT 4, the single user profile has been broken up into a number of subdirectories located below the \profiles directory. The reason for this is mainly due to the way in which the Windows 95 and Windows NT 4 operating systems use the underlying directory structure to form part of their new user interface.

A user profile is now contained within the NtUser.dat (and NtUser.dat.log) files, as well as the following subdirectories:

* Application Data: This is a place to store application data specific to this particular user.

* Desktop: Placing an icon or a shortcut into this folder causes that icon or shortcut to appear on the desktop of the user.

* Favorites: Provides a user with a personalized storage place for files, shortcuts and other information.

* NetHood: Maintains a list of personalized network connections.

* Personal: Keeps track of personal documents for a particular user.

* PrintHood: Similar to the NetHood folder, PrintHood keeps track of printers rather than network connections.

* Recent: Contains shortcuts to recently used documents.

* SendTo: Provides a centralized store of shortcuts and output devices.

* Start Menu: Contains configuration information for the user's menu items.

* Templates: Storage location for document templates.

HKEY_LOCAL_MACHINE

This key contains configuration information particular to the computer. This information is stored in the systemroot\system32\config directory as persistent operating system files, with the exception of the volatile hardware key.

The information gleaned from this configuration data is used by applications, device drivers, and the Windows NT 4 operating system. The latter usage determines what system configuration data to use, without respect to the user currently logged on. For this reason the HKEY_LOCAL_MACHINE registry key is of specific importance to administrators who want to support and troubleshoot NT 4.

HKEY_LOCAL_MACHINE is probably the most important key in the registry and it contains five subkeys:

* Hardware: Database that describes the physical hardware in the computer, the way device drivers use that hardware, and mappings and related data that link kernel-mode drivers with various user-mode code. All data in this sub-tree is re-created everytime the system is started.

* SAM: The security accounts manager. Security information for user and group accounts and for the domains in NT 4 server.

* Security: Database that contains the local security policy, such as specific user rights. This key is used only by the NT 4 security subsystem.

* Software: Per-computer software database. This key contains data about software installed on the local computer, as well as configuration information.

* System: Database that controls system start-up, device driver loading, NT 4 services and OS behavior.

Information about the HKEY_LOCAL_MACHINE\SAM Key

This subtree contains the user and group accounts in the SAM database for the local computer. For a computer that is running NT 4 Server as a domain controller, this subtree also contains the security information for the domain. The information contained within the SAM registry key is what appears in the user interface of the User Manager utility, as well as in the lists of users and groups that appear when you make use of the Security menu commands in NT 4 Explorer.

Information about the HKEY_LOCAL_MACHINE\Security key

This subtree contains security information for the local computer. This includes aspects such as assigning user rights, establishing password policies, and the membership of local groups, which are configurable in User Manager.

HKEY_CLASSES_ROOT

The information stored here is used to open the correct application when a file is opened by using Explorer and for Object Linking and Embedding. It is actually a window that reflects information from the HKEY_LOCAL_MACHINE\Software\Classes subkey.

HKEY_CURRENT_CONFIG

The information contained in this key is used to configure settings such as the software and device drivers to load or the display resolution to use. This key has Software and System subkeys, which keep track of configuration information.

[3.0.3] Understanding Hives

The registry is divided into parts called hives. Each hive is mapped to a single file plus a .LOG file (the SYSTEM hive uses a full backup copy, System.ALT, instead of a log). These files are in the systemroot\system32\config directory.

Registry Hive                    File Name
=================================================================
HKEY_LOCAL_MACHINE\SAM           SAM and SAM.LOG
HKEY_LOCAL_MACHINE\SECURITY      Security and Security.LOG
HKEY_LOCAL_MACHINE\SOFTWARE      Software and Software.LOG
HKEY_LOCAL_MACHINE\SYSTEM        System and System.ALT
=================================================================

Although I am not guaranteeing that these files will be easy to understand, with a little research and patience, you will learn what you want to learn. I have been asked to write a file on how to decipher the contents of those files, but I have yet to decide whether I will do it or not.

QuickNotes

Ownership = The ownership menu item presents a dialog box that identifies the user who owns the selected registry key. The owner of a key can permit another user to take ownership of a key. In addition, a system administrator can assign a user the right to take ownership, or outright take ownership himself.

REGINI.EXE = This utility is a character based console application that you can use to add keys to the NT registry by specifying a Registry script.

[3.0.4] Default Registry Settings

The following table lists the major Registry hives and some subkeys with the DEFAULT access permissions assigned:

\\ denotes a major hive
\  denotes a subkey of the prior major hive

\\HKEY_LOCAL_MACHINE
    Admin         - Full Control
    Everyone      - Read Access
    System        - Full Control
\HARDWARE
    Admin         - Full Control
    Everyone      - Read Access
    System        - Full Control
\SAM
    Admin         - Full Control
    Everyone      - Read Access
    System        - Full Control
\SECURITY
    Admin         - Special (Write DAC, Read Control)
    System        - Full Control
\SOFTWARE
    Admin         - Full Control
    Creator Owner - Full Control
    Everyone      - Special (Query, Set, Create, Enumerate, Notify, Delete, Read)
    System        - Full Control
\SYSTEM
    Admin         - Special (Query, Set, Create, Enumerate, Notify, Delete, Read)
    Everyone      - Read Access
    System        - Full Control

\\HKEY_CURRENT_USER
    Admin         - Full Control
    Current User  - Full Control
    System        - Full Control

\\HKEY_USERS
    Admin         - Full Control
    Current User  - Full Control
    System        - Full Control

\\HKEY_CLASSES_ROOT
    Admin         - Full Control
    Creator Owner - Full Control
    Everyone      - Special (Query, Set, Create, Enumerate, Notify, Delete, Read)
    System        - Full Control

\\HKEY_CURRENT_CONFIG
    Admin         - Full Control
    Creator Owner - Full Control
    Everyone      - Read Access
    System        - Full Control

Two entries in this table deserve a second look: Everyone holds Set, Create and Delete on \SOFTWARE and on HKEY_CLASSES_ROOT, so by default any user who can log on can change per-computer application settings and file associations. Those are the keys to review first when tightening permissions, which is done from the Security menu of Regedt32.exe.

[4.0.0] Introduction to PPTP

Point-To-Point Tunneling Protocol (PPTP) is a protocol that allows the secure exchange of data from a client to a server by forming a Virtual Private Network (VPN) via a TCP/IP based network. The strong point of PPTP is its ability to provide on demand, multi-protocol support over existing network infrastructure, such as the Internet. This ability would allow a company to use the Internet to establish a virtual private network without the expense of a leased line.

The technology that makes PPTP possible is an extension of the remote access Point-To-Point Protocol (PPP, which is defined and documented by the Internet Engineering Task Force in RFC 1171). PPTP technology encapsulates PPP packets into IP datagrams for transmission over TCP/IP based networks. PPTP is currently a protocol draft awaiting standardization. The companies involved in the PPTP forum are Microsoft, Ascend Communications, 3Com/Primary Access, ECI Telematics, and US Robotics.

[4.0.1] PPTP and Virtual Private Networking

The Point-To-Point Tunneling Protocol is packaged with Windows NT 4.0 Server and Workstation. PCs that are running this protocol can use it to securely connect to a private network as a remote access client using a public data network such as the Internet.

A major feature in the use of PPTP is its support for virtual private networking. The best part of this feature is that it supports VPNs over public-switched telephone networks (PSTNs). By using PPTP a company can greatly reduce the cost of deploying a wide area, remote access solution for mobile users because it provides secure and encrypted communications over existing network structures like PSTNs or the Internet. Note that PPTP itself only tunnels the PPP session: the authentication and encryption it offers are those negotiated by PPP inside the tunnel, so a PPTP connection is exactly as secure as the PPP authentication and encryption methods in use on it.

[4.0.2] Standard PPTP Deployment

In general practice, there are normally three computers involved in a deployment:

* a PPTP client

* a Network Access Server

* a PPTP Server

Note: the Network Access Server is optional, and is NOT needed for a PPTP deployment. In normal deployments, however, one is present.

A typical deployment of PPTP begins with a remote or mobile PC that will be the PPTP client. This PPTP client needs access to a private network by using a local Internet Service Provider (ISP). Clients running the Windows NT Server or Workstation operating systems use Dial-Up Networking and the Point-To-Point Protocol to connect to their ISP. The client then connects to a Network Access Server located at the ISP (Network Access Servers are also known as Front-End Processors (FEPs) or Point-Of-Presence servers (POPs)). Once connected, the client has the ability to exchange data over the Internet. The Network Access Server uses the TCP/IP protocol for the handling of all traffic.

After the client has made the initial PPP connection to the ISP, a second Dial-Up networking call is made over the existing PPP connection. Data sent using the second connection is in the form of IP datagrams that contain PPP packets, referred to as encapsulated PPP. It is this second call that creates the virtual private network connection to a PPTP server on the private company network. This is called a tunnel.

Tunneling is the process of sending data to a computer on a private network by routing it over some other network. The routers of that other network cannot reach the computer that is on the private network directly. However, tunneling enables the routing network to transmit the packet to an intermediary computer, such as a PPTP server. This PPTP server is connected to both the company's private network and the routing network, which is in this case the Internet. Both the PPTP client and the PPTP server use tunneling to securely transmit packets to a computer on the private network.

When the PPTP server receives a packet from the routing network (Internet), it sends it across the private network to the destination computer. The PPTP server does this by processing the PPTP packet to obtain the private network computer name or address information which is encapsulated in the PPP packet.
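The encapsulation and the server-side unwrapping described above, as an added example that is not part of the original text or of any vendor's PPTP implementation. It goes beyond the page in one respect: it frames the PPP packet the way the later PPTP specification (RFC 2637) does, inside a GRE header (IP protocol 47, GRE version 1, protocol type 0x880B) that carries a call ID identifying the tunnel, and it omits the PPP address and control bytes, which is an assumption about the framing. The addresses (198.51.100.23 for the client on the Internet, 203.0.113.1 for the PPTP server, 10.1.1.0/24 for the private network) and the call ID are made up. The check the server applies before putting a packet on the private network, that the inner source is the address assigned to that tunnel and the inner destination lies inside the private network, is the part to take away: without it, the tunnel is a way for any Internet host that can reach the server to inject packets with private-network source addresses.

```python
import struct
import socket
import ipaddress

IPPROTO_GRE = 47       # outer IP protocol number for GRE
GRE_PPP = 0x880B       # GRE protocol type carrying PPP (RFC 2637)
PPP_IP = 0x0021        # PPP protocol number for an IPv4 datagram


def ipv4_checksum(data):
    """One's-complement sum of 16-bit words; zero over a header with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ident=0, ttl=64):
    """Minimal 20-octet IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt):
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad header length")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len < ihl or total_len > len(pkt):
        raise ValueError("bad total length")
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "payload": pkt[ihl:total_len]}


def encapsulate(client_ip, server_ip, call_id, seq, inner):
    """Client side: inner IP datagram -> PPP frame -> GRE -> outer IP datagram.
    GRE flags 0x3001: key (length + call ID) and sequence number present, version 1."""
    ppp = struct.pack("!H", PPP_IP) + inner          # address/control bytes omitted (assumption)
    gre = struct.pack("!HHHHI", 0x3001, GRE_PPP, len(ppp), call_id, seq) + ppp
    return ipv4_header(client_ip, server_ip, IPPROTO_GRE, len(gre), ident=seq & 0xFFFF) + gre


def decapsulate(outer, expected_call_id, tunnel_ip, private_net):
    """Server side: strip the outer IP, GRE and PPP layers and return the inner
    datagram, refusing anything that does not belong to this tunnel."""
    o = parse_ipv4(outer)
    if o["proto"] != IPPROTO_GRE:
        raise ValueError("not GRE")
    body = o["payload"]
    if len(body) < 8:
        raise ValueError("truncated GRE header")
    flags, ptype, plen, call_id = struct.unpack("!HHHH", body[:8])
    if (flags & 0x0007) != 1 or not (flags & 0x2000) or ptype != GRE_PPP:
        raise ValueError("not a PPTP (GRE version 1) data packet")
    if call_id != expected_call_id:
        raise ValueError("call ID does not match this tunnel")
    offset = 8 + (4 if flags & 0x1000 else 0) + (4 if flags & 0x0080 else 0)  # seq, ack
    ppp = body[offset:offset + plen]
    if len(ppp) != plen or len(ppp) < 2:
        raise ValueError("truncated PPP frame")
    if struct.unpack("!H", ppp[:2])[0] != PPP_IP:
        raise ValueError("PPP frame is not carrying IP")
    inner = parse_ipv4(ppp[2:])
    if inner["src"] != tunnel_ip:
        raise ValueError("inner source is not the address assigned to this tunnel")
    if ipaddress.ip_address(inner["dst"]) not in ipaddress.ip_network(private_net):
        raise ValueError("inner destination is outside the private network")
    return inner


def forward_or_drop(outer, expected_call_id, tunnel_ip, private_net):
    """What the PPTP server does with an arriving packet: the inner datagram to
    put on the private network, or None to drop it silently."""
    try:
        return decapsulate(outer, expected_call_id, tunnel_ip, private_net)
    except ValueError:
        return None


if __name__ == "__main__":
    inner = ipv4_header("10.1.1.50", "10.1.1.7", 6, 5) + b"hello"      # constructed inner datagram
    outer = encapsulate("198.51.100.23", "203.0.113.1", 1234, 0, inner)
    print(forward_or_drop(outer, 1234, "10.1.1.50", "10.1.1.0/24"))
```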
