HON95, 2 years ago
Commit 8c345177f6
3 files changed, 21 insertions and 10 deletions
- aaa/freeipa.md (+1 -1)
- aaa/kerberos.md (+6 -6)
- network/ipv6.md (+14 -3)

+ 1 - 1
aaa/freeipa.md

@@ -5,7 +5,7 @@ breadcrumbs:
 ---
 {% include header.md %}
 
-FreeIPA (Identity, Policy and Audit) is an identity management system and is the upstream of Red Hat Identity Management. It's a suite consisting of Kerberos, LDAP, DNS, NTP, DogTag (CA system), SSSD and more, as well as CLI and web management interfaces.
+FreeIPA (Free Identity, Policy and Audit) is an identity management system and is the upstream of Red Hat Identity Management. It's a suite consisting of Kerberos, LDAP, DNS, NTP, DogTag (CA system), SSSD and more, as well as CLI and web management interfaces.
 
 **TODO**
 
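Review bot: The `**TODO**` placeholder two lines below the rewritten sentence is still committed, so the page keeps shipping with a visible unfinished marker; fill it in or drop it before merging. On the wording change itself, the old line expanded only the IPA part (Identity, Policy and Audit), which is what the abbreviation stands for; "Free" is the project's prefix, not part of the acronym, so moving it inside the parentheses makes the expansion read as `Free Identity`. Suggest keeping `FreeIPA (Identity, Policy and Audit)`.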

+ 6 - 6
aaa/kerberos.md

@@ -10,21 +10,21 @@ It's designed to be run on top of an untrusted network using an appropriate set
 
 ## Terminology & Conventions
 
-- "Principal": Any user, machine and service.
+- _Principal_: Any user, machine and service.
     - Identified using `<principal>@<realm>` (e.g. `user1@EXAMPLE.NET`).
     - The principal is typically the username.
-- "Principal instance": Optional, special versions of existing, normal principals.
+- _Principal instance_: Optional, special versions of existing, normal principals.
     - Identified using `<principal>/<instance>@<realm>` (e.g. `user1/admin@EXAMPLE.NET`).
     - May be used to e.g. access certain services using different credentials or for using different privileges, e.g. for when running scripts in "less trusted" environments.
-- "Realm": An independent realm/domain of principals.
+- _Realm_: An independent realm/domain of principals.
     - Equivalent to an Active Directory domain.
     - Should have upper-case name, typically the DNA domain (e.g. `EXAMPLE.NET`).
-- "Key distribution center" (KDC): A three-part server consisting the principal database, the "authentication server" (AS) and the "ticket granting server" (TGS).
+- _Key distribution center_ (KDC): A three-part server consisting the principal database, the _authentication server_ (AS) and the _ticket granting server_ (TGS).
     - Each realm has exactly one KDC.
     - The KDCs may be found using special SRV DNS records based on the realm name. They may also simply be configured in the hosts' configuration file.
-- "Ticket granting ticket" (TGT): A ticket issued by the AS to a client after successfully authenticating a user.
+- _Ticket granting ticket_ (TGT): A ticket issued by the AS to a client after successfully authenticating a user.
     - It's symmetrically encrypted using the user password, which is only known to the user and the KDC.
-- "Service ticket": A ticket granted from the TGS after requested by a client using the TGT.
+- _Service ticket_: A ticket granted from the TGS after requested by a client using the TGT.
 - Reliability:
     - Kerberos (typically) depends on properly a configured DNS server.
     - As both the DNS server and KDC are essential, you may want to set up high-availability pairs for both.
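Review bot: `Each realm has exactly one KDC.` is wrong and contradicts the lines around it: the next bullet talks about finding "the KDCs" via SRV records, and the Reliability bullet recommends high-availability pairs for the KDC. A realm has one principal database but may have several KDCs serving it (a primary plus replicas); suggest `Each realm has at least one KDC; additional KDCs may be deployed for redundancy.` The TGT bullet is also imprecise: the TGT itself is encrypted with the KDC's own (krbtgt) key, which the client never sees; what is encrypted under the user's password-derived key is the part of the AS reply carrying the session key. Smaller fixes in context lines this change leaves untouched: `the DNA domain` should be `the DNS domain`; `consisting the principal database` should be `consisting of the principal database`; `depends on properly a configured DNS server` should be `depends on a properly configured DNS server`; `Any user, machine and service` reads better as `Any user, machine or service`. The quote-to-italics change is applied consistently to every term in the list.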

+ 14 - 3
network/ipv6.md

@@ -111,10 +111,21 @@ breadcrumbs:
     - Stateless address autoconfiguration (SLAAC).
     - Stateless DHCP.
     - Stateful DHCP.
+- DHCP:
+    - See the section below.
+    - Similar to DHCPv6, but with some important changes.
+    - Generally used when indicated by router advertisements that DHCP should be used (stateful or stateless).
+    - Stateless DHCP instructs devices to use address autoconfiguration, but get additional data (e.g. DNS servers) from the DHCP server.
 - SLAAC:
-    - Unlike (stateful) DHCP **TODO**
-    - EUI-64 (permanent): Deterministically based on the MAC address.
-    - Privacy extensions (temporary): In addition to the permanent. Preferred for sending.
+    - It's expected to have up to multiple addresses concurrently, in addition to the link-local address.
+    - EUI-64 addresses:
+        - The first method of autoconfiguring an address, giving a single interface ID deterministically based on the MAC address (i.e. expanding EUI-48 to a EUI-64 as the interface ID).
+        - Typically no longer in use due to privacy concerns (MAC address indirectly visible when accessing remote services).
+        - Useful for servers with autoconfigured addresses due to its stability, unlike temporary addresses that change over time.
+    - Privacy extensions (RFCs 3041, 4841, 8981):
+        - A set of extensions adding temporary, randomized addresses in order to preserve privacy by not revealing the MAC address (visble from the EUI-64) and to periodically change the address.
+        - Mainly used for outbound connections. Rather useless for inbound connections due to its volatility.
+    - **TODO**
 - The unspecified address: `::`
 - The loopback address: `::1`
 - The first and last addresses in a subnet are not reserved and can be assigned to hosts, unlike IPv4.
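Review bot: The new `DHCP:` bullet is circular on an IPv6 page: `Similar to DHCPv6, but with some important changes.` describes DHCPv6 in terms of itself. It should be headed `DHCPv6:` and read `Similar to DHCPv4 (DHCP for IPv4), but with some important changes.` Since the bullet says router advertisements indicate whether DHCP should be used, name the mechanism: the RA's M (managed) flag signals stateful DHCPv6 and the O (other configuration) flag signals stateless DHCPv6. In the privacy-extensions line the middle RFC number is wrong: the lineage is RFC 3041, obsoleted by RFC 4941, obsoleted by RFC 8981; RFC 4841 is unrelated. Same line: `visble` should be `visible`. `It's expected to have up to multiple addresses concurrently` is garbled; suggest `An interface is expected to have several addresses concurrently, in addition to its link-local address.` The servers bullet could also mention RFC 7217 stable, semantically opaque interface identifiers, which give the stability of EUI-64 without exposing the MAC address. The new `**TODO**` under SLAAC is committed as-is. Finally, the unchanged last context line overstates the case: the all-zeros interface ID of a subnet is the subnet-router anycast address (RFC 4291, section 2.6.1), so the first address is not freely assignable to hosts.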