F5 101 ADC Study Guide Slightly Dated But Still Good

Uploaded by VimalRajan

F5 - Application Delivery Fundamentals

Exam 101 Study Guide

Objective 1.01 Explain, compare and contrast the OSI layers

- Describe the function of each OSI layer


- Differentiate between the OSI layers
- Describe the purpose of the various address types at different OSI layers

Objective 1.02 Explain the protocols and technologies specific to the data link layer

- Explain the purpose of a switch’s forwarding database:


o A switch receives data packets on each segment of the network to which one of its ports is connected and learns the
location of nodes in the network by examining the source MAC address of each received data packet. A source MAC
address may be dynamically “learned”, that is, stored in a database once a packet is received that specifies the source
MAC address, or may be statically configured, that is, added by a network manager to the database rather than learned.
Each database entry includes, among other information, a source MAC address and a port number for the port via which
the switch received the data packet specifying the source MAC address. Traditionally, this database is referred to as a
Forwarding Database (FDB). The purpose of the FDB is to identify the location of each host, that is, the switch port
connected to the network segment via which data packets sourced by the host were received, so that when the switch
thereafter receives a data packet specifying the host’s MAC address as the destination MAC address, it searches the FDB
for the MAC address and forwards the data packet to the appropriate destination host via the switch port specified in the
same entry in the FDB. (If the destination MAC address is not in the FDB, the packet is flooded out all other interfaces
except the interface on which it was received. If the destination MAC is valid, that host will respond, allowing the
switch to learn its location.)
- Explain the purpose and functionality of ARP
o Address Resolution Protocol, or ARP, is used for the resolution of network layer IP addresses into link layer MAC
addresses
- Explain the purpose and functionality of MAC addresses
o A unique value associated with a network adapter. Also known as the hardware or physical address. 12 hexadecimal digits
(48 bits in length). The first half of the address contains the ID of the manufacturer; the second half represents the serial
number assigned by the manufacturer. (00:A0:C9:14:C8:29 or 00a0:c914:c829)
- Explain the purpose and functionality of a broadcast domain
o First we must quickly explain a broadcast address: it is a logical data link layer (layer 2) address (a MAC address) for
packets intended for all hosts on the network
o A broadcast domain is a logical division of a computer network, in which all nodes can reach each other by broadcast at
the data link (2) layer. Also considered a layer 2 network or subnet as in, without a default gateway, only hosts within
that network can talk to each other
- Explain the purpose and functionality of VLANs
o A virtual local area network (VLAN), is the concept of partitioning a network so that distinct broadcast domains are
created.
- Explain the purpose and functionality of link aggregation
o The practice of combining multiple network connections in parallel to increase throughput beyond what a single
connection could sustain, and to provide redundancy in case one of the links fails

Objective 1.03 Explain protocols and apply technologies specific to the Network Layer

- Explain the purpose and functionality of IP addressing and subnetting


o Cisco: IP Addressing and Subnetting for New Users
 http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800a67f5.shtml
o Microsoft: Understanding TCP/IP addressing and subnetting basics
 http://support.microsoft.com/kb/164015
o IP addressing is the application of Layer 3 (network) addresses to hosts within a network. It functions to provide interface
identification and location addressing. It is a 32 bit network layer address, represented in a dot-decimal notation
(172.16.254.1). There are four (8 bit) octets, each with a range of 0-255
o A Subnetwork, or subnet, is a logically visible subdivision of an IP network. The practice of dividing a network into two or
more networks is called subnetting.

- Given an IP address and net mask, determine the network IP and the broadcast IP
o WikiHow: How to calculate network and broadcast address
 http://www.wikihow.com/Calculate-Network-and-Broadcast-Address
o A Netmask, together with the IP address, defines the network the computer belongs to, that is, which other IP addresses
the computer can communicate with directly on the same VLAN/broadcast domain. By representing the current IP address
in binary we can “mask” the bits corresponding to a “1” in the netmask, and understand that all other bits left unmasked
(corresponding to a “0”) are valid addresses in the same physical network.
o Should we include information about IP classes and Public/Private ranges?
- Given a routing table and a destination IP address, identify which routing table entry the
destination IP address will match
o A routing table, or Routing Information Base (RIB), is a data table stored in a router or a networked computer that lists
the routes to particular network destinations, and in some cases, metrics associated with those routes. The routing table
contains information about the topology of the network immediately around it or directly connected networks. The
construction of routing tables is the primary goal of routing protocols by exchanging information with other routers about
their directly connected networks. Static routes are entries made in a routing table by non-automatic means and which
are fixed rather than being the result of some network topology “discovery” procedure.
o A routing table is used by a router to determine where to forward the data for which it is responsible. It contains a list of
IP addresses or network gateways through which other networks can be reached
o A routing table is typically sorted from most specific route to most general route, typically ending with a default route.
o The table below (F5/Linux perspective), shows no gateway to get to the 10.10.18.0 network because it is directly
connected. If the F5 needs to send traffic to an address that is not directly connected, say 172.16.30.25, it will use the
default route directed at 10.10.18.1 on the “Oustide_vlan”.
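The two calculations this objective asks for, network/broadcast from an address and mask, and the longest-prefix lookup that makes the default route a last resort, as an added example that is not code from the study guide. The route table is a constructed stand-in for the F5/Linux table the guide refers to; the VLAN names and addresses are assumptions.

```python
"""Network/broadcast calculation and longest-prefix routing lookup.

Added example, not code from the study guide. The route table below is a
constructed stand-in for the F5/Linux table the guide describes (VLAN names
and addresses are assumptions)."""


def ip_to_int(dotted: str) -> int:
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def network_and_broadcast(addr: str, mask: str) -> tuple:
    """AND with the mask keeps the bits 'masked' by a 1 (the network part);
    OR with the inverted mask sets every host bit (the broadcast address)."""
    a, m = ip_to_int(addr), ip_to_int(mask)
    host_bits = ~m & 0xFFFFFFFF
    # a valid netmask is a run of 1s followed by a run of 0s, so the host
    # part must have the form 2**k - 1
    if host_bits & (host_bits + 1):
        raise ValueError(f"non-contiguous netmask: {mask}")
    return int_to_ip(a & m), int_to_ip(a | host_bits)


# constructed routing table: (prefix, prefix length, gateway or None, interface)
ROUTES = [
    ("0.0.0.0", 0, "10.10.18.1", "Outside_vlan"),  # default route
    ("10.10.18.0", 24, None, "Outside_vlan"),      # directly connected
    ("10.10.20.0", 24, None, "Inside_vlan"),       # directly connected
]


def lookup(dest: str, routes=ROUTES):
    """Longest-prefix match: the most specific matching entry wins; the
    default route (/0) matches everything, so it is used only as a last resort."""
    d = ip_to_int(dest)
    best = None
    for prefix, plen, gateway, iface in routes:
        mask = ((0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF) if plen else 0
        if (d & mask) == (ip_to_int(prefix) & mask):
            if best is None or plen > best[1]:
                best = (prefix, plen, gateway, iface)
    if best is None:
        return None
    prefix, plen, gateway, iface = best
    return {
        "route": f"{prefix}/{plen}",
        "interface": iface,
        "directly_connected": gateway is None,
        # on a directly connected network the next hop is the destination itself
        "next_hop": dest if gateway is None else gateway,
    }


if __name__ == "__main__":
    print(network_and_broadcast("172.16.254.1", "255.255.255.0"))
    for dst in ("10.10.18.7", "172.16.30.25"):
        print(dst, lookup(dst))
```

The mask check matters in practice: a mask such as 255.255.0.255 is rejected rather than silently producing a nonsensical broadcast address.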

- Explain the purpose and functionality of Routing protocols


o Routing protocols are the software that allows routers to dynamically advertise and learn routes, determine which routes
are available and which are the most efficient routes to a destination.
o A routing protocol specifies how routers communicate with each other to share paths to different networks,
disseminating information that enables them to select routes between any two nodes on a computer network, the choice
of the route being done by routing algorithms
o Routing allows small local networks to be linked together to form potentially huge networks
o Routing Protocols: RIP, RIP-v2, OSPF, IS-IS, IGRP, EIGRP, BGP
o Routers are connected to the edge of two or more networks to provide connectivity between them.
- Explain the purpose of fragmentation
o Maximum Transmission Unit (MTU), is the largest size of an IP datagram which may be transferred using a specific data
link connection.
o IP fragmentation is the process by which a device may fragment a datagram or packet to conform within the MTU of a
specified link that it needs to traverse.
o An IP packet that is larger than the Maximum Transmission Unit (MTU) of an interface, is too large for transmission over
that interface. The packet must either be fragmented, or discarded (and an ICMP error message returned to the sender).
In either case, the original data will be fragmented into smaller packets (less than the smallest MTU) in order to allow it to
be received by the final destination system.
- Given a fragment, identify what information is needed for reassembly
o A receiver knows that a packet is a fragment if at least one of the following conditions are true:
 The “more fragments” flag is set. (This is true for all fragments except the last)
 The “fragment offset” field is nonzero. (This is true for all fragments except the first)
o The receiver identifies matching fragments using the identification field. The receiver will reassemble the data from
fragments with the same identification field using both the fragment offset and the more fragments flag. When the
receiver receives the last fragment (which has the “more fragments” flag set to 0), it can calculate the length of the
original data payload, by multiplying the last fragment’s offset by eight, and adding the last fragment’s data size.
o When the receiver has all the fragments, it can put them in the correct order, by using their offsets. It can then pass their
data up the stack for further processing.
o IP fragmentation and reassembly employs updating and using the values in the second 32 bits of the IPv4 packet header.
An end system that accepts an IP packet (with a destination IP address that matches its own IP source address) will also
reassemble any fragmented IP packets before these are passed to the next higher protocol layer.
o The system stores all received fragments (i.e., IP packets with a more-fragments flag (MF) set to one, or where the
fragment offset is non-zero), in one of a number of buffers (memory space). Packets with the same 16-bit Identification
value are stored in the same buffer, at the offset specified by the fragment offset field specified in the packet header.
o Packets which are incomplete remain stored in the buffer until either all fragments are received, OR a timer expires,
indicating that the receiver does not expect to receive any more fragments. Completed packets are forwarded to the next
higher protocol layer.
o TCP/IP Guide: IP Datagram Size, MTU, Fragmentation and Reassembly
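The reassembly rules above (match on identification, order by offset, finish on the fragment with MF clear, compute the original length from the last offset and data size, expire incomplete buffers) as an added worked example; this is not code from the study guide. The addresses and payload are constructed and the IPv4 header checksum is left at zero.

```python
"""IPv4 fragmentation and reassembly using the identification, MF flag and
fragment offset fields. Added example, not from the study guide; the header
checksum is left at zero and the addresses/payload are constructed."""
import struct

IPV4_HDR = "!BBHHHBBH4s4s"
HDR_LEN = struct.calcsize(IPV4_HDR)  # 20 bytes, no options
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed


def parse_ipv4(packet: bytes) -> dict:
    if len(packet) < HDR_LEN:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_off, ttl, proto,
     _csum, src, dst) = struct.unpack(IPV4_HDR, packet[:HDR_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < HDR_LEN or not ihl <= total_len <= len(packet):
        raise ValueError("malformed IPv4 header")
    return {"id": ident, "src": src, "dst": dst, "proto": proto, "ttl": ttl,
            "mf": bool(flags_off & 0x2000),       # "more fragments" flag
            "offset": (flags_off & 0x1FFF) * 8,   # offset field counts 8-byte units
            "data": packet[ihl:total_len]}


def make_fragment(ident: int, offset: int, mf: bool, data: bytes) -> bytes:
    flags_off = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, HDR_LEN + len(data), ident,
                      flags_off, 64, 17, 0, SRC, DST)
    return hdr + data


def fragment(ident: int, payload: bytes, mtu: int) -> list:
    """Split payload so every fragment fits the MTU; all but the last carry
    a multiple of 8 data bytes because the offset field is in 8-byte units."""
    chunk = (mtu - HDR_LEN) // 8 * 8
    if chunk <= 0:
        raise ValueError("MTU too small for any data")
    frags = []
    for off in range(0, len(payload), chunk):
        data = payload[off:off + chunk]
        frags.append(make_fragment(ident, off, off + chunk < len(payload), data))
    return frags


class Reassembler:
    def __init__(self, timeout: float = 30.0):
        self.timeout = timeout
        self.buffers = {}   # (src, dst, proto, id) -> {"frags", "total", "first"}

    def receive(self, packet: bytes, now: float = 0.0):
        """Returns the full datagram once every piece has arrived, else None."""
        h = parse_ipv4(packet)
        if not h["mf"] and h["offset"] == 0:
            return h["data"]                      # not a fragment
        key = (h["src"], h["dst"], h["proto"], h["id"])
        buf = self.buffers.setdefault(key, {"frags": {}, "total": None, "first": now})
        if h["mf"] and len(h["data"]) % 8:
            raise ValueError("non-final fragment length is not a multiple of 8")
        buf["frags"][h["offset"]] = h["data"]
        if not h["mf"]:
            # last fragment: original length = its offset (already x8) + its data size
            buf["total"] = h["offset"] + len(h["data"])
        return self._complete(key, buf)

    def _complete(self, key, buf):
        if buf["total"] is None:
            return None
        pos, pieces = 0, []
        for off in sorted(buf["frags"]):
            if off < pos:
                # overlapping fragments never come from a correct sender;
                # reject rather than guess which copy wins
                del self.buffers[key]
                raise ValueError("overlapping fragment")
            if off > pos:
                return None                       # gap: still waiting
            pieces.append(buf["frags"][off])
            pos += len(buf["frags"][off])
        if pos != buf["total"]:
            return None
        del self.buffers[key]
        return b"".join(pieces)

    def expire(self, now: float) -> int:
        """Drop incomplete datagrams whose reassembly timer has run out."""
        stale = [k for k, b in self.buffers.items() if now - b["first"] > self.timeout]
        for k in stale:
            del self.buffers[k]
        return len(stale)
```

The fragments are fed in reverse order in the test to show that arrival order does not matter: only the last fragment fixes the total length, and the datagram is released once the offsets form a gap-free run from 0 to that length.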
- Explain the purpose of TTL functionality
o Time To Live (TTL) is a mechanism that limits the lifespan or lifetime of data in a computer or network. TTL may be
implemented as a counter or timestamp attached to or embedded in the data. Once the prescribed event count or
timespan has elapsed, the data is discarded. TTL prevents a data packet from circulating indefinitely and is used to
improve performance of caching and improve privacy.
o Time To Live (TTL): Specifies how long the datagram is allowed to “live” on the network, in terms of router hops. Each
router decrements the value of the TTL field (reduces it by one) prior to transmitting it. If the TTL field drops to zero, the
datagram is assumed to have taken too long a route and is discarded.
- Given a packet traversing a topology, document the source/destination IP address/MAC address
changes at each hop
o InetDaemon: LAN to LAN Communications
 http://www.inetdaemon.com/tutorials/networking/lan/LAN_communication.shtml
o As a packet traverses a layer 2 hop (switch/hub), neither the MAC nor the IP addresses will change.
o As a packet traverses a layer 3 hop the source/destination MACs will change to match the source/destination MAC
associated with the layer 3 addresses traversed on that network/VLAN/broadcast domain.
o As a packet traverses a NAT/PAT device the respective source/destination IP address will change.

Objective 1.04 Explain the features and functionality of protocols and technologies specific to
the Transport layer

- Compare/Contrast purpose and functionality of MTU and MSS


o MTU is the maximum size a datagram/packet can be on a specific link; anything bigger will be fragmented. It is applied
to the total size of the packet (TCP/IP headers + body)
o Maximum Segment Size (MSS) defines the largest segment of data that can be transmitted, i.e. the payload of the
packet (before the TCP/IP headers are added).
o MTU = MSS + TCP & IP headers
o MSS = MTU - 40, assuming a standard 40 byte header (20 byte IP and 20 byte TCP)
- Explain the purpose and functionality of TCP
o Internet Protocol (IP) is responsible for moving packets of data from node to node. IP forwards each packet based on a
four byte destination address (the IP number). IP operates on gateway machines that move data from department to
organization to region and then around the world.
o Transmission Control Protocol (TCP) is responsible for verifying the correct delivery of data from client to server. Data
can be lost in the intermediate network. TCP adds support to detect errors or lost data and to trigger retransmission until
the data is correctly and completely received.
o TCP is referred to as “connection oriented”, because it opens a communication channel that allows for retransmission,
error checking, and connection management through a “handshake” dialog.
o TCP is a transport layer protocol used by applications that require guaranteed delivery. It is a sliding window protocol
that provides handling for both timeouts and retransmissions
o TCP establishes a full duplex virtual connection between two endpoints. Each endpoint is defined by an IP address and a
TCP port number. The operation of TCP is implemented as a finite state machine.
o The byte stream is transferred in segments. The window size determines the number of bytes of data that can be sent
before an acknowledgement from the receiver is necessary.
- Explain the purpose and functionality of UDP
o With the User Datagram Protocol (UDP), computers can send messages, or datagrams, to other hosts without prior
communication to set up special transmission channels or data paths. Also known as “connectionless”.
o UDP provides a datagram service that emphasizes reduced latency over reliability (the opposite trade-off from TCP)
- Explain the purpose and functionality of ports in general
o A Port is an application-specific or process-specific software construct serving as a communications endpoint in a
computer’s host operating system. Ports are used at the Transport layer and are associated with either the TCP or UDP
protocols. A port is associated with an IP address of the host, as well as the type of protocol used for communication. In
plain English, the purpose of ports is to uniquely identify different applications or processes running on a single computer
and thereby enable them to share a single physical connection to a packet-switched network.
o The port number, added to the computer’s IP address, completes the destination address for a communications session.
o Ports can range from 0 to 65535, with the first 250 typically reserved by convention to identify specific service types on a
host.
- Explain how retransmissions occur
o Retransmissions occur as a method for detecting lost segments and retransmitting them. Each time a segment is sent a
transmission timer is started. This timer starts at a predetermined value and counts down over time. If the timer expires
before an acknowledgment is received for a segment, we retransmit the segment.
o Retransmissions are used to qualify TCP as a reliable transport protocol.
o TCP will only retransmit a lost segment a certain number of times before concluding that there is a problem and
terminating the connection.
- Explain the purpose and process of a reset
o To allow TCP to live up to its job of being a reliable and robust protocol, it includes intelligence that allows it to detect
and respond to various problems that can occur during an established connection. One of the most common is the half-
open connection. This situation occurs when, due to some sort of problem, one device closes or aborts the connection without
the other one knowing about it. This means one device is in the ESTABLISHED state while the other may be in the CLOSED
state (no connection) or some other transient state. This could happen if, for example, one device had a software crash
and was restarted in the middle of a connection, or if some sort of glitch caused the states of the two devices to become
unsynchronized.
o To handle half-open connections and other problem situations, TCP includes a special reset function. A reset is a TCP
segment that is sent with the RST flag set to one in its header. Generally speaking, a reset is generated whenever
something happens that is “unexpected” by the TCP software. Some of the most common specific cases in which a reset
is generated include:
 Receipt of any TCP segment from any device with which the device receiving the segment does not currently
have a connection (other than a SYN requesting a new connection.)
 Receipt of a message with an invalid or incorrect Sequence Number or Acknowledgment Number field,
indicating the message may belong to a prior connection or is spurious in some other way.
 Receipt of a SYN message on a port where there is no process listening for connections.
o Should we include more detail about the TCP three way handshake?
- Describe various TCP options
o TCP has a provision for optional header fields identified by an option kind field. Options 0 and 1 are exactly one octet,
which is their kind field. All other options have their one octet kind field, followed by a one octet length field, followed by
length-2 octets of option data.
o End of Options list: this TCP option has a “kind” value of 0 and its length is 1 byte. There are no
known security issues for this option and it is used only at the end of the TCP options in the header.
o Maximum Segment Size (MSS): Conveys the size of the largest segment the sender of the segment wishes to receive.
Used only in connection request (SYN) messages.
o No operation: This has a kind value of 1 and is also one byte in length. A “spacer” that can be included between options
to align a subsequent option on a 32-bit boundary if needed. Much like the IP header’s NOP option, this is also used to pad
out another option so that it falls within a 32 bit word. There are several options used by TCP
that don’t cleanly fall within a 32 bit word, i.e. they don’t all use four bytes.
o Window Scale: This option has a kind value of three and a byte size of three as well. It is used to increase the window
size from a 16 bit value to a 32 bit one. There are no known issues with this option as far as computer security is concerned. That
said, it is a very neat option and is also known to some as the “sliding window” when used. You should only ever see this
option though during the three way TCP/IP handshake.
o Selective ACK ok: This TCP option has a kind value of 4 and a length of two bytes. There are no known computer security
issues to my knowledge associated with this option. This option allows for the acknowledgement of non-contiguous TCP
segments. The option should only be seen during the TCP/IP three way handshake.
o Timestamp: This TCP option has a kind value of eight and a variable length. There are two uses for this option as used by
TCP. One is to calculate the RTT (round trip time) and the second is PAWS, protection against
wrapped sequence numbers. This is an option which can be seen in a packet.
- Describe a TCP checksum error
o The TCP checksum is a 16-bit header field used to make sure the data transmitted was not corrupted in transit. The sending
device takes the TCP header and payload, adds the string of bits together to calculate the checksum, and then places it in
the checksum field. The receiving side should be able to perform the same computation and arrive at the same value. If
not, the data is corrupt and therefore discarded.
o If the data gets where it needs to go but is corrupted and we do not detect the corruption, this is in some ways worse
than it never showing up at all. To provide basic protection against errors in transmission, TCP includes a 16-bit Checksum
field in its header. The idea behind a checksum is very straight-forward: take a string of data bytes and add them all
together. Then send this sum with the data stream and have the receiver check the sum. In TCP, a special algorithm is
used to calculate this checksum by the device sending the segment; the same algorithm is then employed by the recipient
to check the data it received and ensure that there were no errors.
o While performing a packet capture you may see a lot of TCP checksum errors within the capture. This is due to TCP
checksum offloading often being implemented on NICs, and so it affects packets being transmitted by the capturing machine.
The checksum will not be calculated until the packet is sent out by the NIC hardware, long after your capture tool
intercepted the packet from the network stack.
- Describe how TCP addresses error correction
o TCP addresses error correction through the use of Automatic Repeat reQuest (ARQ) and Error-Correcting Code (ECC).
o Automatic Repeat reQuest (ARQ) is an error control method for data transmission that makes use of error-detection
codes, acknowledgment and/or negative acknowledgment messages, and timeouts to achieve reliable data transmission.
An acknowledgment is a message sent by the receiver to indicate that it has correctly received a data frame.
 Usually, when the transmitter does not receive the acknowledgment before the timeout occurs (i.e., within a
reasonable amount of time after sending the data frame), it retransmits the frame until it is either correctly
received or the error persists beyond a predetermined number of retransmissions.
 Three types of ARQ protocols are Stop-and-wait ARQ, Go-Back-N ARQ, and Selective Repeat ARQ.
 ARQ is appropriate if the communication channel has varying or unknown capacity, such as is the case on the
Internet. However, ARQ requires the availability of a back channel, results in possibly increased latency due to
retransmissions, and requires the maintenance of buffers and timers for retransmissions, which in the case of
network congestion can put a strain on the server and overall network capacity.
o An error-correcting code (ECC) or forward error correction (FEC) code is a system of adding redundant data, or parity
data, to a message, such that it can be recovered by a receiver even when a number of errors (up to the capability of the
code being used) were introduced, either during the process of transmission, or on storage. Since the receiver does not
have to ask the sender for retransmission of the data, a back-channel is not required in forward error correction, and it is
therefore suitable for simplex communication such as broadcasting. Error-correcting codes are frequently used in lower-
layer communication, as well as for reliable storage in media such as CDs, DVDs, hard disks, and RAM.
 Error-correcting codes are usually distinguished between convolutional codes and block codes:
 Convolutional codes are processed on a bit-by-bit basis. They are particularly suitable for
implementation in hardware, and the Viterbi decoder allows optimal decoding.
 Block codes are processed on a block-by-block basis. Early examples of block codes are repetition
codes, Hamming codes and multidimensional parity-check codes. They were followed by a number
of efficient codes, Reed-Solomon codes being the most notable due to their current widespread
use. Turbo codes and low-density parity-check codes (LDPC) are relatively new constructions that
can provide almost optimal efficiency.
o Shannon's theorem is an important theorem in forward error correction, and describes the maximum information rate at
which reliable communication is possible over a channel that has a certain error probability or signal-to-noise ratio (SNR).
This strict upper limit is expressed in terms of the channel capacity. More specifically, the theorem says that there exist
codes such that with increasing encoding length the probability of error on a discrete memoryless channel can be made
arbitrarily small, provided that the code rate is smaller than the channel capacity. The code rate is defined as the fraction
k/n of k source symbols and n encoded symbols.
- Describe how the flow control process occurs
o TCP uses an end-to-end flow control protocol to avoid having the sender send data too fast for the TCP receiver to
receive and process it reliably. Having a mechanism for flow control is essential in an environment where machines of
diverse network speeds communicate. For example, if a PC sends data to a smartphone that is slowly processing received
data, the smartphone must regulate the data flow so as not to be overwhelmed.
o TCP uses a sliding window flow control protocol. In each TCP segment, the receiver specifies in the receive window field
the amount of additionally received data (in bytes) that it is willing to buffer for the connection. The sending host can
send only up to that amount of data before it must wait for an acknowledgment and window update from the receiving
host.
o TCP sequence numbers and receive windows behave very much like a clock. The receive window shifts each time the
receiver receives and acknowledges a new segment of data. Once it runs out of sequence numbers, the sequence number
loops back to 0.
o When a receiver advertises a window size of 0, the sender stops sending data and starts the persist timer. The persist
timer is used to protect TCP from a deadlock situation that could arise if a subsequent window size update from the
receiver is lost, and the sender cannot send more data until receiving a new window size update from the receiver. When
the persist timer expires, the TCP sender attempts recovery by sending a small packet so that the receiver responds by
sending another acknowledgement containing the new window size.
o If a receiver is processing incoming data in small increments, it may repeatedly advertise a small receive window. This is
referred to as the silly window syndrome, since it is inefficient to send only a few bytes of data in a TCP segment, given
the relatively large overhead of the TCP header. TCP senders and receivers typically employ flow control logic to
specifically avoid repeatedly sending small segments. The sender-side silly window syndrome avoidance logic is referred
to as Nagle's algorithm.

Objective 1.05 Explain the features and functionality of protocols and technologies specific to
the application layer
- Explain the purpose and functionality of HTTP
o The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia
information systems (file transfers). It is a generic, stateless protocol which can be used for many tasks beyond its use
for hypertext, such as name servers and distributed object management systems, through extension of its request
methods, error codes and headers.
o HyperText Transfer Protocol (HTTP) is an asymmetric request-response client-server protocol. Also known as a “pull”
protocol, meaning the HTTP client sends a request to the HTTP server. The server then responds to the request with
information.
o HTTPS is the HTTP protocol with Secure Socket Layer (SSL) for security.
o http://www3.ntu.edu.sg/home/ehchua/programming/webprogramming/HTTP_Basics.html
- Differentiate between HTTP versions
o When the Internet Engineering Task Force finalized the specification for HTTP version 1.0, they recognized that the
protocol had significant performance and scalability problems. The IETF’s parent body (the Internet Engineering Steering
Group, or IESG) insisted that version 1.0 be published as an “Informational” document only, and they went so far as to
insert the following comment in the standard itself:
o The IESG has concerns about this protocol, and expects this document to be replaced relatively soon by a standards track
document.
o The replacement for HTTP version 1.0, of course, is HTTP version 1.1. Version 1.1 offers several significant improvements
over version 1.0. These improvements enhance the extensibility, scalability, performance, and security of the protocol
and its systems. The most significant changes HTTP 1.1 introduces are persistent connections, the Host header, and
improved authentication procedures.
o Table a.1 lists the HTTP methods each version defines. Note that HTTP version 1.0 includes two methods, link and unlink,
that do not exist in version 1.1. Those methods, which were not widely supported by Web browsers or servers, allow
an HTTP client to modify information about an existing resource without changing the resource itself.

o Table a.2 summarizes the HTTP headers available in each of the versions. Just to be complete, the table includes a
column for HTTP version 0.9, but, as we’ve noted, version 0.9 doesn’t actually use any headers. Three headers, Link,
Title, and URL, exist in version 1.0 but not 1.1. Those headers are mainly associated with the link and unlink methods. Like
the methods themselves, they have not seen support by popular Web browsers and clients.

- Interpret HTTP status codes


o As we’ve seen in many examples, an important part of every HTTP response is the status code. That code defines whether
a client’s request succeeded and can provide additional information about the request’s outcome. Every status code value
is a three-digit number, and the HTTP specification classifies status codes based on the first digit of these values. Status
codes provide information (100-199), indicate success (200-299), redirect a client (300-399), indicate a client error
(400-499), or indicate a server problem (500-599). In each class, the x00 status code is the master status for the class. If a
client receives a status code value that it does not understand, it can safely treat it the same as it would treat the x00
value in the class. For example, a status code value of 237 should be treated the same as 200.
o The table below provides a complete list of all status codes that HTTP defines, grouped by their class. We’ll look at each
code in more detail throughout this section.

Class  Code  Description
1xx    Informational
       100   Continue
       101   Switching Protocols
2xx    Successful
       200   OK
       201   Created
       202   Accepted
       203   Non-Authoritative Information
       204   No Content
       205   Reset Content
       206   Partial Content
3xx    Redirection
       300   Multiple Choices
       301   Moved Permanently
       302   Found
       303   See Other
       304   Not Modified
       305   Use Proxy
       306   (unused)
       307   Temporary Redirect
4xx    Client Error
       400   Bad Request
       401   Unauthorized
       402   Payment Required
       403   Forbidden
       404   Not Found
       405   Method Not Allowed
       406   Not Acceptable
       407   Proxy Authentication Required
       408   Request Timeout
       409   Conflict
       410   Gone
       411   Length Required
       412   Precondition Failed
       413   Request Entity Too Large
       414   Request-URI Too Long
       415   Unsupported Media Type
       416   Requested Range Not Satisfiable
       417   Expectation Failed
       426   Upgrade Required
5xx    Server Error
       500   Internal Server Error
       501   Not Implemented
       502   Bad Gateway
       503   Service Unavailable
       504   Gateway Timeout
       505   Version Not Supported

- Determine an HTTP request method for a given use case


o Each request begins with a Request-Line. This line of text indicates the method that the client is requesting, the resource
to which the method applies, and the version of HTTP that the client can support. The Request-Line may be followed by
one or more message headers and a message body. A blank line follows the Request-Line and any message headers that
are present. To make the figure more concrete, the text that follows shows the actual HTTP message that Microsoft’s
Internet Explorer sends when a user accesses the home page of the Financial Times (www.ft.com). The first line is the
Request-Line, and message headers make up the rest of the text.

o The specific method appears first in the Request-Line. In the preceding example the method is a GET, but as table 3.1
indicates, HTTP defines a total of eight different methods (each described in chapter 2). As the table also indicates, HTTP
servers are required to support only the GET and HEAD methods; if they support other HTTP methods, however, that
support must adhere to the rules of the HTTP specifications. The HTTP specifications also leave open the possibility that
other methods may be added in the future.

Method   Server Support  Use
CONNECT  Optional        Asks server (usually a proxy) to establish a tunnel.
DELETE   Optional        Asks server to delete the indicated resource.
GET      Required        Asks server to return the requested resource.
HEAD     Required        Asks server to reply as if it were going to return the requested resource, but not to
                         include the resource itself in the response.
OPTIONS  Optional        Asks server to indicate the options it supports for the indicated resource.
POST     Optional        Asks server to pass the message body to the indicated resource.
PUT      Optional        Asks server to accept the message body as the indicated resource.
TRACE    Optional        Asks server simply to respond to the request.

- Explain the purpose and functionality of HTTP keepalives


o HTTP persistent connection, also called HTTP keep-alive, or HTTP connection reuse, is the idea of using a single TCP
connection to send and receive multiple HTTP requests/responses, as opposed to opening a new connection for every
single request/response pair.
o HTTP/1.1 requests: HTTP Keep-Alive connections are enabled by default in HTTP/1.1. With HTTP/1.1 requests, the server
does not close the connection when the content transfer is complete, unless the client sends a Connection: close header
in the request. Instead, the connection remains active in anticipation of the client reusing the same connection to send
additional requests.
o HTTP/1.0 requests: HTTP Keep-Alive connections are not enabled by default in HTTP/1.0. With HTTP/1.0 requests, the
client typically sends a Connection: close header to close the TCP connection after sending the request. Both the server
and client-side connections that contain the Connection: close header will be closed once the response is sent.
- Explain the purpose and functionality of HTTP headers

The HEAD operation is just like a GET operation, except that the server does not return the actual object requested. As figure 2.15 shows, the
server returns a status code but no data. (HEAD is short for “header,” as the server returns only message headers in response.) Clients can use
a HEAD message when they want to verify that an object exists, but they don’t need to actually retrieve the object. Programs that verify links in
Web pages, for example, can use the HEAD message to ensure that a link refers to a valid object without consuming the network bandwidth
and server resources that a full retrieval would require. Cache servers can also use the HEAD operation; it gives them a way to see if an object
has changed without actually retrieving the full object.

Chapter 10. HTTP Headers


This chapter explains the functions used to manipulate HTTP headers.

 About HTTP Headers
 Guide to Traffic Server HTTP Header System
 Duplicate MIME Fields Are Not Coalesced
 MIME Fields Always Belong to an Associated MIME Header
 Release Marshal Buffer Handles
 Deprecated Functions
 Marshal Buffers
 HTTP Headers
 URLs
 MIME Header

About HTTP Headers


An HTTP message consists of the following:

 HTTP header
 body
 trailer

The HTTP header consists of:

 A request or response line
   An HTTP request line contains a method, URL, and version
   A response line contains a version, status code, and reason phrase
 A MIME header

A MIME header is comprised of zero or more MIME fields. A MIME field is composed of a field name, a
colon, and (zero or more) field values. The values in a field are separated by commas. An HTTP header
containing a request line is usually referred to as a request. The following example shows a typical
request header.

GET http://www.tiggerwigger.com/ HTTP/1.0
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/5.0 [en] (X11; I; Linux 2.2.3 i686)
Host: www.tiggerwigger.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1, *, utf-8

The response header for the above request might look like the following:

HTTP/1.0 200 OK
Date: Fri, 13 Nov 2009 06:57:43 GMT
Content-Location: http://locutus.tiggerwigger.com/index.html
Etag: "07db14afa76be1:1074"
Last-Modified: Thu, 05 Nov 2009 20:01:38 GMT
Content-Length: 7931
Content-Type: text/html
Server: Microsoft-IIS/4.0
Age: 922
Proxy-Connection: close
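The parsing and keep-alive rules described above (Request-Line, response line, MIME fields, HTTP/1.0 vs HTTP/1.1 persistence, and the x00 fallback for unknown status codes), as an added Python example that is not part of the study guide or of the Traffic Server documentation it quotes. The two messages are copies of this page's request and response headers; the response body is constructed.

```python
"""Added example (not from the study guide or the Traffic Server docs it quotes):
parse the head of an HTTP message as described above and apply the keep-alive rules.
The two messages are copies of the page's examples; the response body is constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class HttpHead:
    version: str
    method: Optional[str] = None   # request line only
    url: Optional[str] = None      # request line only
    status: Optional[int] = None   # response line only
    reason: Optional[str] = None   # response line only
    fields: List[Tuple[str, str]] = field(default_factory=list)  # duplicates kept, in order

def parse_head(raw: str) -> HttpHead:
    """Start line, then MIME fields up to the blank line that ends the header."""
    lines = raw.replace("\r\n", "\n").split("\n")
    parts = lines[0].split(" ", 2)
    if parts[0].startswith("HTTP/"):   # response line: version, status code, reason phrase
        head = HttpHead(parts[0], status=int(parts[1]), reason=parts[2] if len(parts) > 2 else "")
    else:                              # request line: method, URL, version
        head = HttpHead(parts[2], method=parts[0], url=parts[1])
    for line in lines[1:]:
        if line.strip() == "":         # blank line: any body starts after it
            break
        name, _, value = line.partition(":")
        head.fields.append((name.strip().lower(), value.strip()))
    return head

def field_values(head: HttpHead, name: str) -> List[str]:
    """Every value of a field: comma-separated values are split, duplicate fields are not coalesced."""
    values = []
    for n, v in head.fields:
        if n == name.lower():
            values.extend(t.strip() for t in v.split(","))
    return values

def status_fallback(code: int) -> int:
    """An unknown status code is treated as the x00 code of its class (237 -> 200)."""
    return code // 100 * 100

def connection_persists(head: HttpHead, proxy_hop: bool = False) -> bool:
    """HTTP/1.1: persistent unless 'Connection: close'. HTTP/1.0: closed unless keep-alive was
    asked for. Proxy-Connection is nonstandard, so it only counts on a proxy hop."""
    tokens = {t.lower() for t in field_values(head, "connection")}
    if proxy_hop:
        tokens |= {t.lower() for t in field_values(head, "proxy-connection")}
    return "close" not in tokens if head.version == "HTTP/1.1" else "keep-alive" in tokens

REQUEST = ("GET http://www.tiggerwigger.com/ HTTP/1.0\r\n"
           "Proxy-Connection: Keep-Alive\r\n"
           "Host: www.tiggerwigger.com\r\n"
           "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\r\n"
           "Accept-Charset: iso-8859-1, *, utf-8\r\n\r\n")
RESPONSE = ("HTTP/1.0 200 OK\r\n"
            "Date: Fri, 13 Nov 2009 06:57:43 GMT\r\n"
            "Content-Length: 7931\r\n"
            "Content-Type: text/html\r\n"
            "Proxy-Connection: close\r\n\r\n"
            "<html>constructed body, not part of the header</html>")
```

Note that the page's HTTP/1.0 request only stays open because the nonstandard Proxy-Connection header is honoured on the proxy hop; to an origin server that ignores it, the same request is a one-shot connection.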

The following figure illustrates an HTTP message with an expanded HTTP header.
Figure 10.1. HTTP Request/Response and Header Structure

The figure below shows example HTTP request and response headers.
Figure 10.2. Examples of HTTP Request and Response Headers
The marshal buffer, or INKMBuffer, is a heap data structure that stores parsed URLs, MIME headers, and HTTP headers. You can allocate new
objects out of marshal buffers and change the values within the marshal buffer. Whenever you manipulate an object, you must supply both the
handle to the object (INKMLoc) and the marshal buffer containing the object (INKMBuffer).

Figure 10.3. Marshal Buffers and Header Locations


The figure above shows the following:
 The marshal buffer containing the HTTP request, reqest_bufp
 INKMLoc location pointer for the HTTP header (http_hdr_loc)
 INKMLoc location pointer for the request URL (url_loc)
 INKMLoc location pointers for the MIME header (mime_hdr_loc)
 INKMLoc location pointers for MIME fields (fieldi_loc)
 INKMLoc location pointer for the next duplicate MIME field (next_dup_loc)
The diagram also shows that an HTTP header contains pointers to the URL location and the MIME header location. You can obtain the URL
location from an HTTP header using the function INKHttpHdrUrlGet. To work with MIME headers, you can pass either a MIME header location
or an HTTP header location to MIME header functions. If you pass an HTTP header to a MIME header function, then the system locates the
associated MIME header and executes the MIME header function on the MIME header location.

- Explain the purpose and functionality of DNS


- Explain the purpose and functionality of SIP
- Explain the purpose and functionality of FTP
- Differentiate between passive and active FTP
- Explain the purpose and functionality of SMTP
- Explain the purpose and functionality of a cookie
- Given a situation in which a client connects to a remote host, explain how the name resolution
process occurs
- Explain the purpose and functionality of a URL

Objective 2.01 Articulate the role of F5 products

- Explain the purpose, use, and benefits of APM


o BIG-IP Access Policy Manager is a flexible, high-performance access and security solution. BIG-IP APM drives identity into
your network to provide secure, context-aware user access to web applications while simplifying authentication,
authorization, and accounting (AAA) management.
o BIG-IP APM is available as an add-on module to BIG-IP LTM, bringing advanced authentication, authorization, layer 7
access controls, SSO, and endpoint security to web applications behind LTM local traffic virtuals. Simply create an Access
Policy via the next gen Visual Policy Editor and assign it to a configured HTTP(S) local traffic virtual on your BIG-IP LTM.
o BIG-IP Edge Gateway includes similar access control services, providing the highest-performance, most flexible remote
access solution on the market. BIG-IP Edge Gateway brings all of the advanced authentication, authorization, access
controls, SSO, and endpoint security described above, along with SSL VPN remote access services supporting up to 8
Gbps of throughput, 40,000 concurrent users, and more than 600 logins/sec. BIG-IP Edge Gateway also brings asymmetric
and symmetric acceleration for both remote access users and offices via the included Web Acceleration and WAN
Optimization services.
 Unified Global Access (SSL VPN)
 Supports split tunneling
 Client-side checking
 Compression of transferred data
 Monitoring of routing table
 Auto app start and drive mapping
 Traffic classification and prioritization
 Web Applications (Reverse Proxy)
 Client computer requires no software
 Acts as an ‘intelligent’ proxy
 Communicates to backend servers and rewrites the links in the web page to direct further requests
back to the APM
 Provides refined control over the applications and data inspection
 Allows compression and caching
 Allows Single Sign On (SSO)
o NTLM v1, v2
o HTTP Basic Auth
o HTTP forms-based Auth
 MS OWA, MS SharePoint, Lotus Domino Web Access and Sametime
 Application Access Control
 Application access control provides users the ability to access their web applications, through a
web browser, without the use of tunnels.
 Allows ACLs, endpoint security, and authentication ONLY.
 Can provide SSL offloading and compression
 Requires the configuration of both the LTM and APM
- Explain the purpose, use, and benefits of ASM
o BIG-IP Application Security Manager (ASM) is a flexible web application firewall that secures web applications in
traditional, virtual, and private cloud environments.
 Comprehensive attack protection for the latest web 2.0 applications (AJAX, JSON)
 Unique blocking page with support ID for troubleshooting
 Protects against layer 7 DoS, SQL injection, cross-site scripting (XSS), brute force, and zero-day web
application attacks.
 Shields websites from web scraping and bots. Known IP addresses approved to web scrape can be
whitelisted for allowable scraping.
 Provides application-specific XML filtering and validation functions that ensure that the XML input of web-
based applications is properly structured. It provides schema validation, common attack mitigation, and XML
parser denial-of-service prevention.
 Prevents the leakage of sensitive data (such as credit card numbers, Social Security Numbers, and more) by
stripping out the data and masking the information.
 Can block server error pages from being returned to the users, preventing hackers from discovering the
underlying architecture and launching a targeted attack.
 Groups violations into “incidents”
 Live update for attack signatures
 Geolocation-based blocking
 Provides antivirus security protocol support by stripping SOAP and SMTP files from HTTP requests and
validating the requests via an antivirus server over the Internet Content Adaptation Protocol (ICAP).
 Provides FTP security through protocol validation, brute force mitigation, and whitelisting of commands.
 Provides SMTP security through protocol validation, greylisting to prevent spam, blacklisting of dangerous
commands, rate-limiting for DoS attacks, and prevention of directory harvesting.
 Geolocation and PCI reporting
 Policy staging to allow full testing before deployment

o BIG-IP ASM is available as a standalone solution or as an add-on module for LTM, both appliance and Virtual Edition.
- Explain the purpose, use, and benefits of LTM
- Explain the purpose, use, and benefits of GTM
- Explain the purpose, use, and benefits of EM
- Explain the purpose, use, and benefits of WAM/WOM
- Explain the purpose, use, and benefits of ARX

Objective 2.02 Explain the purpose, use, and advantages of iRules

- Explain the purpose of iRules


- Explain the advantages of iRules
- Given a list of situations, determine which would be appropriate for the use of iRules

Objective 2.03 Explain the purpose, use, and advantages of iApps

- Explain the purpose of iApps


- Explain the advantages of iApps
- Given a list of situations, determine which would be appropriate for the use of iApps
Objective 2.04 Explain the purpose, use, and advantages of iControl

- Explain the purpose of iControl


o iControl is an open API that enables applications to work in concert with the underlying network based on true software
integration.
- Explain the advantages of iControl
o Utilizing SOAP/XML to ensure open communications between dissimilar systems, iControl helps F5 customers, leading
independent software vendors (ISVs), and solutions providers realize new levels of automation and configuration
management efficiency. Whether monitoring network-level traffic statistics, automating network configuration and
management, or facilitating next-generation service-oriented architectures, iControl gives organizations the power and
flexibility to ensure that applications and the network work together for increased reliability, security, and performance.
Further, iControl has proven itself as a valuable technology that can help reduce the cost of managing complex
environments.
- Given a list of situations, determine which would be appropriate for the use of iControl

Objective 2.05 Explain the purpose of and use cases for full proxy and packet
forwarding/packet based architectures

- Describe a full proxy architecture


- Describe a packet forwarding/packet based architecture
- Given a list of situations, determine which is appropriate for a full proxy architecture
- Given a list of situations, determine which is appropriate for a packet based architecture

Objective 2.06 Explain the advantages and configurations of high availability (HA)

- Explain active/active
- Explain active/passive
- Explain the benefits of deploying BIG-IPs in a redundant configuration

Objective 3.01 Discuss the purpose of, use cases for, and key considerations related to load
balancing

- Explain the purpose and distribution of load across multiple servers


- Given an environment, determine the appropriate load balancing algorithm that achieves a
desired result
- Explain the concept of persistence

Objective 3.02 Differentiate between a client and server

- Given a scenario, identify the client/server


- Explain the role of a client
- Explain the role of a server
o The client/server model is a computing model in which a distributed
application partitions tasks or workloads between the providers
of a resource or service, called servers, and the service requestors, called
clients. Examples of client-server systems on the Internet include Web
browsers and Web servers, FTP clients and servers, and DNS.
Objective 4.01 Compare and contrast positive and negative security models

- Describe the concept of a positive security model


o A “positive” security model (also known as a “whitelist”) is one that defines what is allowed and rejects everything else.
- Describe the concept of a negative security model
o A “negative” security model (also known as a “blacklist”) is one that defines what is disallowed while implicitly allowing
everything else.
- Given a list of scenarios, identify which is a positive security model
- Given a list of scenarios, identify which is a negative security model
- Describe the benefits of a positive security model
- Describe the benefits of a negative security model
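The two models described above, applied to a web request's query parameters the way a web application firewall policy would, as an added Python example that is not from the study guide or from F5. The URL schema and the signature list are constructed for illustration.

```python
"""Added example, not from the study guide: positive (whitelist) versus negative
(blacklist) security model applied to request parameters. The policy contents
(URL schema, signatures) are constructed for illustration."""
import re
from typing import Dict, Tuple

# Positive model: the policy lists what is allowed (URLs, their parameters and the
# value format of each); anything not listed is rejected.
POSITIVE_POLICY = {
    "/account": {"id": re.compile(r"^[0-9]{1,8}$"), "lang": re.compile(r"^(en|fr|de)$")},
}

# Negative model: the policy lists what is disallowed (signatures of known bad input);
# anything that matches no signature is implicitly allowed.
NEGATIVE_SIGNATURES = [re.compile(p, re.IGNORECASE) for p in (r"<script", r"\.\./")]

def check_positive(path: str, params: Dict[str, str]) -> Tuple[bool, str]:
    """Reject unless the URL, every parameter name and every value are in the policy."""
    schema = POSITIVE_POLICY.get(path)
    if schema is None:
        return False, "URL not in policy"
    for name, value in params.items():
        rule = schema.get(name)
        if rule is None:
            return False, f"parameter {name!r} not in policy"
        if not rule.match(value):
            return False, f"value of {name!r} has the wrong format"
    return True, "allowed: everything matches the policy"

def check_negative(path: str, params: Dict[str, str]) -> Tuple[bool, str]:
    """Allow unless some value matches a known-bad signature; the URL is never checked."""
    for name, value in params.items():
        for sig in NEGATIVE_SIGNATURES:
            if sig.search(value):
                return False, f"signature {sig.pattern!r} in {name!r}"
    return True, "allowed: no signature matched"
```

The price of the positive model is that the policy has to be complete before it is enforced, which is what the policy staging mentioned for ASM is for; the negative model needs no learning period but allows any input its signatures have not seen.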

Objective 4.02 Explain the purpose of cryptographic services

- Describe the purpose of signing


- Describe the purpose of encryption
- Describe the purpose of certificates and the certificate chains
- Distinguish between private/public keys
- Compare and contrast symmetric/asymmetric encryption

Objective 4.03 Describe the purpose and advantage of authentication

- Explain the purpose of authentication


- Explain the advantages of single sign on
- Explain the concepts of multifactor authentication
- Describe the role authentication plays in AAA

Objective 4.04 Describe the purpose, advantages, and use cases of IPsec and SSL VPN

- Explain the purpose, advantages, and challenges associated with IPsec


- Explain the purpose, advantages, and challenges associated with SSL VPN
- Given a list of environments/situations, determine which is appropriate for an IPsec solution
- Given a list of environments/situations, determine which is appropriate for an SSL VPN solution

Objective 5.01 Describe the purpose, advantages, use cases, and challenges associated with
hardware based application delivery platforms and virtual machines

- Explain when a hardware based application delivery platform solution is appropriate


- Explain when a virtual machine solution is appropriate
- Explain the purpose, advantages, and challenges associated with hardware based application
delivery platform solutions
- Explain the purpose, advantages, and challenges associated with virtual machines
- Given a list of environments/situations, determine which is appropriate for a hardware based
application delivery platform
- Given a list of environments/situations, determine which is appropriate for a virtual machine
solution
- Explain the advantages of dedicated hardware (SSL card, compression card)

Objective 5.02 Describe the purpose of the various types of advanced acceleration techniques

- Describe the purpose of TCP optimization


- Describe the purpose of HTTP keepalives
- Describe the purpose of Caching
- Describe the purpose of Compression
- Describe the purpose of pipelining
