Internet Operations
The foundation stack: DNS, IP, TCP, TLS, HTTP. Everything needed to get bytes from A to B securely.
Must Know
17 specs
DNS is the phone book of the internet. Every domain, email MX record, SPF/DKIM TXT record, and service discovery entry depends on it.
The record types (A, MX, TXT, CNAME) you configure in every DNS panel live in this spec. Know what you're setting.
Every URL in your app, API, auth redirect, webhook, or deep link is built on this grammar. Essential for routing, redirects, and OAuth callback validation.
Browsers parse URLs per this standard, not raw RFC 3986. Critical for client-side routing, form encoding, and cross-origin behavior.
Every HTTPS connection, SMTP/IMAP over TLS, OAuth token exchange, and API call uses TLS. It is the foundational security layer.
A one-line HTTP header that eliminates a class of downgrade attacks. Every public web app should set HSTS.
Governs every TLS certificate you buy or provision via Let's Encrypt/ACM/Digicert. Understanding BR helps with cert errors, CAA records, and domain validation requirements.
This is the core contract of every web API, browser request, and server response. You can't design or debug HTTP without knowing this.
Correct caching is the difference between a fast app and an expensive, slow one. Misconfigured cache headers cause stale-data bugs and unnecessary origin load.
HTTP/1.1 is still the baseline. Load balancers, proxies, and debugging tools often present HTTP in this format. Understanding the wire format is essential.
Sessions, auth tokens, tracking, and CSRF defenses all run through cookies. Know SameSite, Secure, HttpOnly, and domain scoping to avoid security bugs.
Every browser-side API call to a different origin hits CORS. Misconfigured CORS is a top source of dev frustration and security holes.
A well-configured CSP is the strongest mitigation against XSS. Required by modern security audits and browser hardening.
IPsec is the dominant VPN technology for enterprise site-to-site links (AWS VPN, Azure VPN Gateway, on-prem firewalls). Understanding tunnel vs transport mode, SAs, and the SPD is essential for configuring and debugging VPN connectivity.
ESP is the workhorse of IPsec — every encrypted VPN tunnel uses it. When your cloud VPN shows 'Phase 2 SA established', that's an ESP SA. Understanding ESP's SPI, sequence numbers, and algorithm negotiation is key to VPN troubleshooting.
IKEv2 is how IPsec tunnels are established and rekeyed. Every cloud VPN gateway (AWS, GCP, Azure), enterprise firewall, and mobile VPN client uses IKEv2. Phase 1/Phase 2 failures are the #1 VPN debugging scenario.
WireGuard is replacing IPsec and OpenVPN for most new VPN deployments. Its simplicity (~4,000 lines of kernel code vs 400,000+ for OpenVPN/IPsec) makes it auditable. Used by Tailscale, Mullvad, Mozilla VPN, and most modern VPN services.
Should Know
11 specs
Your servers, load balancers, firewalls, and security groups are all defined in IPv4/CIDR. Know the addressing model.
ISPs and cloud providers are rolling out IPv6 dual-stack. AAAA records, IPv6 CIDR, and dual-stack routing are real concerns.
Every HTTP request your app makes rides on TCP. Understanding TCP helps with latency, timeouts, keep-alives, and connection pooling.
DNS runs over UDP. QUIC and HTTP/3 run over UDP. Media and gaming often use UDP for low-latency delivery.
HTTP/3 runs on QUIC. Modern CDNs and browsers use it by default. It fixes TCP's head-of-line blocking problem for multiplexed requests.
HTTP/3 is the current performance frontier for web delivery. CDNs enable it automatically; understand it for performance tuning and debugging.
Error response formats are the most inconsistent part of most APIs. RFC 9457 gives you a standard shape that clients can handle generically.
AH is mostly historical — ESP does everything AH does and adds encryption. However, AH appears in legacy configurations and exam material. Understanding why it was replaced helps explain modern IPsec design decisions.
GRE is the standard tunneling protocol for carrying routing protocols (OSPF, EIGRP) across IPsec links. AWS Transit Gateway, SD-WAN overlays, and many enterprise networks use GRE+IPsec. Also the basis for PPTP's data channel.
L2TP/IPsec was the default VPN protocol on every major OS for a decade. Understanding L2TP explains why many legacy VPN deployments use UDP port 1701, why they're always paired with IPsec, and how they differ from pure IPsec tunnel mode.
Mobile VPN clients constantly switch networks (Wi-Fi to cellular, roaming between APs). Without MOBIKE, every IP change tears down the VPN and forces a full IKEv2 re-handshake. MOBIKE is why modern mobile VPN clients reconnect instantly.
Niche / Specialized
2 specs
PPTP is a cautionary tale in protocol design. Understanding why it's broken (DES key space in MS-CHAPv2, RC4 key reuse in MPPE) teaches important lessons about protocol-level cryptographic failures. Never deploy it.
The IPsec RFC ecosystem is large and interconnected. When you need to find the right RFC for a specific algorithm, extension, or use case, this roadmap saves hours of cross-referencing.