Protocol Lab is a free learning project for network protocols. Each lab starts from a small part of an RFC, turns it into a runnable experiment, and uses command output or packet captures to explain what happened.
日本語: Protocol Lab は、RFCを読み、手を動かし、パケットやログを見ながらネットワークプロトコルを学ぶための無料教材です。小さな実験を通して、読んだ仕様と観察できる挙動を結びつけます。
The first track is BGP/RPKI. Start with:
- BGP Lab 01: One Prefix Announcement You Can Explain
- RFC 4271 Reading Guide for BGP Lab 01
- BGP Lab 02: Watch a Route Appear, Disappear, and Come Back
- RFC 4271 Reading Guide for BGP Lab 02
- BGP Lab 03: Competing Origins and the First Route-Leak Question
- RFC 4271 Reading Guide for BGP Lab 03
- RPKI Lab 04: ROAs and Origin Validation
- RPKI Origin Validation Reading Guide for Lab 04
- DNS Lab 05: Recursive Resolution You Can Trace
- DNS Recursive Resolution Reading Guide for Lab 05
- DNS Lab 06: Caching, TTL, and the Answer That Wasn't There
- DNS Caching, TTL, and Negative Answers Reading Guide for Lab 06
- TCP Lab 07: One Connection, From SYN to FIN
- TCP Handshake and Teardown Reading Guide for Lab 07
- TCP Lab 08: Loss, Retransmission, and the Window
- TCP Retransmission and Windowing Reading Guide for Lab 08
- TLS Lab 09: What Is Visible Before Encryption
- TLS Handshake and Certificates Reading Guide for Lab 09
- HTTP Lab 10: One Exchange, Read in the Clear
- HTTP Requests, Responses, and Caching Reading Guide for Lab 10
- Lab 11: HTTP/2 Streams and the Jump to QUIC
- HTTP/2, HTTP/3, and QUIC Streams Reading Guide for Lab 11
- Lab 12: One Web Request, End to End
- End-to-End Web Request Reading Guide for Lab 12
- DNS Lab 13: DNSSEC — Signatures, Trust Anchors, and the AD Flag
- DNSSEC Validation Reading Guide for Lab 13
- DNS Lab 14: Encrypted DNS — DoT and DoH
- Encrypted DNS Reading Guide for Lab 14
- TLS Lab 15: Mutual TLS — Proving the Client Too
- Mutual TLS Reading Guide for Lab 15
- Lab 16: WireGuard — an Encrypted Tunnel You Can See Into
- WireGuard Reading Guide for Lab 16
- Lab 17: DANE — When DNS Vouches for the Certificate
- DANE / TLSA Reading Guide for Lab 17
- Lab 18: VXLAN — an Overlay You Can Read on the Wire
- VXLAN Overlay Reading Guide for Lab 18
- Lab 19: traceroute and TTL — Mapping a Path Hop by Hop
- traceroute and TTL Reading Guide for Lab 19
- Lab 20: NAT — One Public Address for Many
- NAT Reading Guide for Lab 20
- Lab 21: GRE — an Unencrypted Layer-3 Tunnel
- GRE Tunnel Reading Guide for Lab 21
- Lab 22: DHCP — Four Messages for an Address
- DHCP Reading Guide for Lab 22
- Lab 23: IPv6 Neighbor Discovery — ARP's Successor
- IPv6 Neighbor Discovery Reading Guide for Lab 23
- Lab 24: ARP — the IPv4 Original
- ARP Reading Guide for Lab 24
- Lab 25: MTU and Path MTU Discovery
- Path MTU Discovery Reading Guide for Lab 25
- Lab 26: VLANs — Two Networks on One Wire
- 802.1Q VLAN Reading Guide for Lab 26
- Lab 27: HTTP Redirects and Cookies
- HTTP Redirects and Cookies Reading Guide for Lab 27
- Lab 28: QoS — Shaping a Link with a Token Bucket
- Traffic Shaping Reading Guide for Lab 28
- Lab 29: Multicast and IGMP — One Sender, Many Receivers
- Multicast and IGMP Reading Guide for Lab 29
- Lab 30: TCP Congestion Control — CUBIC vs BBR on a Lossy Path
- TCP Congestion Control Reading Guide for Lab 30
- Lab 31: Anycast — One Address, Many Servers, Routing Decides
- Anycast Reading Guide for Lab 31
- Lab 32: ECMP — Two Equal Paths, and the Kernel Hashes Flows
- ECMP Reading Guide for Lab 32
- Lab 33: L4 Load Balancing — One VIP, a Pool of Servers
- L4 Load Balancing Reading Guide for Lab 33
- Lab 34: OSPF — Flood the Map, Compute the Shortest Path
- OSPF Reading Guide for Lab 34
- Lab 35: BFD — Catching a Silent Failure in Under a Second
- BFD Reading Guide for Lab 35
- Lab 36: Stateful Firewall — Decide by the Connection, Not the Packet
- Stateful Firewall Reading Guide for Lab 36
- Lab 37: TCP MSS Clamping — Fitting Segments to the Narrowest Link
- TCP MSS Clamping Reading Guide for Lab 37
- Lab 38: Policy Routing — Choosing the Path by Source, Not Just Destination
- Policy Routing Reading Guide for Lab 38
- Lab 39: Reverse Path Filtering — Dropping Spoofed Sources at Ingress
- Reverse Path Filtering Reading Guide for Lab 39
- Lab 40: DNAT — Publishing an Internal Service with Port Forwarding
- DNAT / Port Forwarding Reading Guide for Lab 40
- Lab 41: DNS Round-Robin — Spreading Clients at the Naming Layer
- DNS Round-Robin Reading Guide for Lab 41
- Lab 42: Split-Horizon DNS — One Name, Different Answers by Who Asks
- Split-Horizon DNS Reading Guide for Lab 42
- Full learning roadmap
Lab 01 builds a two-router eBGP topology, advertises one documentation prefix, and helps you explain the resulting route in terms of NLRI, AS_PATH, NEXT_HOP, and ORIGIN.
最初のトラックは BGP/RPKI です。Lab 01 では、2台の仮想ルータで eBGP を動かし、1つの documentation prefix を広告します。Lab 02 では、その route が現れ、withdraw で消え、再広告で戻るところを観察します。Lab 03 では、同じ prefix が複数の origin AS から見える状態を作ります。Lab 04 では、ROA/VRP と origin validation の3状態を観察します。全体像は 12-lab learning roadmap を見てください。
- Read the RFC sections that matter for one small concept.
- Run a minimal local experiment.
- Inspect routing tables, logs, and packet captures.
- Connect the observed output back to protocol terms.
- Answer short review questions before moving to the next lab.
日本語:
- 1つの概念に必要なRFCの章を読む。
- 小さなローカル実験を動かす。
- routing table、ログ、pcapを観察する。
- 観察結果をプロトコル用語に対応づける。
- 確認問題で理解を固めてから次へ進む。
Most hands-on labs assume a Linux environment with:
- Docker
- containerlab
- tcpdump
- Wireshark or tshark
On Ubuntu/Debian you can install all of these at once:
sudo bash scripts/install-lab-tools.sh --pullThen log out and back in (or run newgrp docker) so the docker group applies, and check with ./scripts/labctl.sh doctor tcp-07.
macOS users should run the labs inside a Linux VM, WSL-style environment, or another Linux host where containerlab can create network namespaces.
日本語: ハンズオンは Linux 環境を前提にしています。Ubuntu/Debian なら sudo bash scripts/install-lab-tools.sh --pull で必要なツール(Docker、containerlab、tshark など)を一括で導入できます。実行後は再ログイン(または newgrp docker)で docker グループを反映し、./scripts/labctl.sh doctor tcp-07 で確認します。macOS の場合は、Linux VM や Linux ホスト上で実行してください。containerlab が network namespace を作れる環境が必要です。
Labs use documentation address space such as 203.0.113.0/24 and private ASNs such as 65001. These examples are for closed local labs only. Do not announce them to the public Internet.
日本語: Labでは 203.0.113.0/24 のような documentation address と 65001 のような private ASN を使います。これは閉じたローカル実験用です。実インターネットへ広告しないでください。
| Path | What it contains |
|---|---|
labs/ |
Hands-on labs with commands, expected observations, explanations, and review questions |
rfc-notes/ |
Reading guides that map RFC sections to each lab |
examples/ |
Minimal containerlab, FRRouting, and script examples used by the labs |
scripts/ |
Small helper scripts for running labs in a Linux environment |
assets/ |
Optional diagrams, screenshots, and small packet captures referenced by lessons |
日本語:
| パス | 内容 |
|---|---|
labs/ |
コマンド、期待される観察結果、解説、確認問題を含むハンズオン |
rfc-notes/ |
Labと対応するRFC reading guide |
examples/ |
Labで使う containerlab / FRRouting / script の最小例 |
scripts/ |
Linux環境でLabを実行するための補助スクリプト |
assets/ |
教材で参照する図、スクリーンショット、小さなpcap |
Protocol Lab begins with BGP/RPKI and then expands toward the protocols that make up a web request. The full sequence is described in ROADMAP.md.
| Track | Labs | Outcome |
|---|---|---|
| BGP/RPKI | 01-04 | Explain route announcements, UPDATEs, competing origins, and origin validation |
| DNS | 05-06 | Trace recursive resolution, caching, TTLs, and negative answers |
| TCP | 07-08 | Read handshakes, teardown, retransmission, windowing, and loss recovery |
| TLS / HTTP / QUIC | 09-12 | Follow an encrypted web request across transport and application layers |
日本語: Protocol Lab は BGP/RPKI から始まり、Web request を構成する DNS、TCP、TLS、HTTP、QUIC へ進みます。全12回の流れは ROADMAP.md にあります。
| トラック | Lab | 到達点 |
|---|---|---|
| BGP/RPKI | 01-04 | 経路広告、UPDATE、competing origin、origin validation を説明する |
| DNS | 05-06 | 再帰問い合わせ、cache、TTL、negative answer を追う |
| TCP | 07-08 | handshake、切断、再送、windowing、loss recovery を packet trace から読む |
| TLS / HTTP / QUIC | 09-12 | 暗号化された Web request を transport と application layer に分けて追う |