Stuff

aaa/freeipa.md

@@ -5,7 +5,7 @@ breadcrumbs:
 ---
 {% include header.md %}
 
-FreeIPA (Identity, Policy and Audit) is an identity management system and is the upstream of Red Hat Identity Management. It's a suite consisting of Kerberos, LDAP, DNS, NTP, DogTag (CA system), SSSD and more, as well as CLI and web management interfaces.
+FreeIPA (Free Identity, Policy and Audit) is an identity management system and is the upstream of Red Hat Identity Management. It's a suite consisting of Kerberos, LDAP, DNS, NTP, DogTag (CA system), SSSD and more, as well as CLI and web management interfaces.
 
 **TODO**
 

aaa/kerberos.md

@@ -10,21 +10,21 @@ It's designed to be run on top of an untrusted network using an appropriate set
 
 ## Terminology & Conventions
 
-- "Principal": Any user, machine and service.
+- _Principal_: Any user, machine and service.
     - Identified using `<principal>@<realm>` (e.g. `user1@EXAMPLE.NET`).
     - The principal is typically the username.
-- "Principal instance": Optional, special versions of existing, normal principals.
+- _Principal instance_: Optional, special versions of existing, normal principals.
     - Identified using `<principal>/<instance>@<realm>` (e.g. `user1/admin@EXAMPLE.NET`).
     - May be used to e.g. access certain services using different credentials or for using different privileges, e.g. for when running scripts in "less trusted" environments.
-- "Realm": An independent realm/domain of principals.
+- _Realm_: An independent realm/domain of principals.
     - Equivalent to an Active Directory domain.
     - Should have upper-case name, typically the DNA domain (e.g. `EXAMPLE.NET`).
-- "Key distribution center" (KDC): A three-part server consisting the principal database, the "authentication server" (AS) and the "ticket granting server" (TGS).
+- _Key distribution center_ (KDC): A three-part server consisting the principal database, the _authentication server_ (AS) and the _ticket granting server_ (TGS).
     - Each realm has exactly one KDC.
     - The KDCs may be found using special SRV DNS records based on the realm name. They may also simply be configured in the hosts' configuration file.
-- "Ticket granting ticket" (TGT): A ticket issued by the AS to a client after successfully authenticating a user.
+- _Ticket granting ticket_ (TGT): A ticket issued by the AS to a client after successfully authenticating a user.
     - It's symmetrically encrypted using the user password, which is only known to the user and the KDC.
-- "Service ticket": A ticket granted from the TGS after requested by a client using the TGT.
+- _Service ticket_: A ticket granted from the TGS after requested by a client using the TGT.
 - Reliability:
     - Kerberos (typically) depends on properly a configured DNS server.
     - As both the DNS server and KDC are essential, you may want to set up high-availability pairs for both.

network/ipv6.md

@@ -111,10 +111,21 @@ breadcrumbs:
     - Stateless address autoconfiguration (SLAAC).
     - Stateless DHCP.
     - Stateful DHCP.
+- DHCP:
+    - See the section below.
+    - Similar to DHCPv6, but with some important changes.
+    - Generally used when indicated by router advertisements that DHCP should be used (stateful or stateless).
+    - Stateless DHCP instructs devices to use address autoconfiguration, but get additional data (e.g. DNS servers) from the DHCP server.
 - SLAAC:
-    - Unlike (stateful) DHCP **TODO**
-    - EUI-64 (permanent): Deterministically based on the MAC address.
-    - Privacy extensions (temporary): In addition to the permanent. Preferred for sending.
+    - It's expected to have up to multiple addresses concurrently, in addition to the link-local address.
+    - EUI-64 addresses:
+        - The first method of autoconfiguring an address, giving a single interface ID deterministically based on the MAC address (i.e. expanding EUI-48 to a EUI-64 as the interface ID).
+        - Typically no longer in use due to privacy concerns (MAC address indirectly visible when accessing remote services).
+        - Useful for servers with autoconfigured addresses due to its stability, unlike temporary addresses that change over time.
+    - Privacy extensions (RFCs 3041, 4841, 8981):
+        - A set of extensions adding temporary, randomized addresses in order to preserve privacy by not revealing the MAC address (visble from the EUI-64) and to periodically change the address.
+        - Mainly used for outbound connections. Rather useless for inbound connections due to its volatility.
+    - **TODO**
 - The unspecified address: `::`
 - The loopback address: `::1`
 - The first and last addresses in a subnet are not reserved and can be assigned to hosts, unlike IPv4.