ItaPac - A Brief Introduction
Written by Blade Runner on 08/11/88
A Telecom Computer Security Bulletin File
This text will represent a very complete tutorial about a packet switching
network used in Italy: ItaPac. The purpose of this file is to supply very
nteresting information to have secure use and VERY LONG ItaPac password
lifetime. It includes also a brief summary of what (shit) ItaPac is, techincal
terms, various news.
as it is because the data which travels through the network is assembled in
net traffic. All of which runs transparent to the users, which doesn't remark
of commutation, and works in an apparent "real time".
called PADs (packet assembly-disassembly) and work following the CCITT X.25
A PAD is very expensive to run. It is not the software or hardware that is so
expensive, but rather the continuous maintenance and supervision required to
keep the system running. Normally, most of the users prefer have the switching
col from X.25 to an X.28 asycronous, that is compatable with the normal modems
that we use.
The user becomes like a DTE (Data Terminal Equipment), he connects to an ACP
(Adapter/Concentretor of Packets) and can operate in trasparency without
any kind of problems.
The user can login to a pad in either of two ways:
but that guarantees a much higher transmission quality.
there are similarities); the cost is much lower, but the transmission
quality is unacceptable at times.
The direct X.28 user has his own network user address (NUA). Some users have
only one NUA while others have a multiplexed system. This system generally
consists of one NUA and a variable number of subaddresses. The actual number
of subaddresses depends on the number of doors he has into his pad.
The switched user (poor) can only call others DTE, but he cannot receive calls,
because he doesn't a network user address. In effect the only address where he
can answer is that of the PAD on which he is logged on. Thus the DTE call from
a phone number (of home, office, etc), if he can receive calls from another
DTE, means that the hardware is able to scan the call, and we will all be in
the shit (sorry for the hard expression).
Taking apart the quality in trasmission, there is no difference between the two
and the second to dedicated one.
For the rest of this file we will talk about the X.28 terminals of the second
type: the dedicated ItaPac PADs.
The ACP at their time, are connected to NCP (Nodes of Commutation of Packets)
NCP are connected between them at high speed (64k/second), and ACP are conn-
ected to NCP at 9600 bit/second.
| | | | | |
| User Class | Xmit Methods | Speeds | Protocols | Access Methods |
| | | | | |
| Char by Char | Start/Stop | 300/1200 | X28 | Via Phone or |
| Terminal | Full/Half Dup. | baud | | Direct |
| | | | | |
| Packet | HDLC | 2400 and | X25 | Direct |
| Terminals | Full Duplex | 9600 bps | | Only |
The CCITT standard makes it possible to interface ItaPac with other networks
around the world. In effect, the NCPs are connected as big telephonic centers.
Anyway, it seems that all European traffic to the USA and other countries, such
as Australia, Argentina, Japan, etc, will transmit by the centers that are in
NUIs, NUAs, and DNICs
Well, when you connect to one of ItaPac's entry points (of which there are 41
ACP sites on Italian terrain at 300/200 baud and full duplex (V21, V22)),
ACP:** I T A P A C ** GENOVA 32 PORTA: 4
The above is an example of the herald for an entry node in Genoa. In the exam-
the port to the node (the physical entry point to the node). "PORTA: 4" means
that you are connected to the fourth port of this particular Genoa ItaPac node.
You can also see from the above example that there are 3 other people connected
to the same node as you. Every ItaPac node can support at greatest a finite
number of ports. If all the ports of a node are in use then the PAD will
Frequently most (or all) of the ports until Friday night will not answer at
all. Until one logs you off you cannot enter a port that is in use. Very
often the first 2 or 3 ports will be busy from an internal console, or these
use a free door is to send to people that are probably the callers an Urgent
Call Income (UCI; in the States it is known as a BVC -- Busy Verification
Signal -- AKA emergency interrupt). The you can redial the node. This time
freeing it for our use. Eh eh. Now for some definitions.
NUI - Network User Identification: Nothing other than an ItaPac password.
Every time you call an NUA, ItaPac will charge the account of owner of the
contract signed with Italcable will allow a 300 baud at Genova on 2697, this
NUI will not work on the 2564 node. SYNTAX: the NUI must be preceded by
UPPERCASE "N" and finished by a minus "-". The NUI MUST BE TYPED IN UPPERCASE.
Between "N" and "-" the NUI will not be displayed (echoed). You will obtain
only "N-" on display.
NUA-Network User Address: the physical address of a remote DTE. Similar to a
after the NUI (or a timeout will occur and ItaPac will hang up on you).
CUG - Close User Group: this is basically a high-security NUI. CUG stands for
Close User Group. CUG users have access to optional parameters that are used
for user recognition (and you know what that means). Having a CUG account is
very handy. CUG users have the ability to inibit hackers (after all, they are
there for network security, right?). There are less CUG users in Italy than
the USA and are generally rare (but I know of one). A typical example would
be the US Tymnet NUAs (03106nnnnnn). The PAS response will be ACP:CLR NA or
Call Not Accepted and shut down. Makes hacking on a CUG account a good way to
Now we will take a closer look at an ItaPac NUAs structure (the numbers are
DNIC = Data Network Identification Code; it contains the address of the country
to be called and the code for the network chosen. It is then divided into two
DCC is the Data Country Code; a three digit number that is the phone prefix.
Every country has different one.
NC is the Network Code; a country can have more than one data network. In
Follow with: the prefix of the called city, the DTE number, an eventual suffix
that is the "phone particular" (max 4 digit).
Note: The DCC is used only to call outside. DCC must be preceded by a zero.
Let's show a pratical example: The Cilea of Milan (Segrate).
The NUA is: 2220208
|||______ local address of DTE
||_______ 2 (02) = Milano
|________ NC: 2 = ItaPac
Now, another example: the Altos Unix (altger) in Munich, West Germany (note:
a favorite hangout of Xtension).
The NUA is: 026245890040004
|\ /|\_ _/|
| | | | |____ 40004: network address
| | | |_______ 5 8900: munich prefix
| | |__________ 4: DATEX-P (germany ItaPac)
| |____________ 262: DCC West Germany
|______________ foreign call
The NUA's structure isn't so all the time. NUAs can exist that don't appear to
that will provide the rerouting of the call. If the NCP has been instructed to
consider a certain address like another, the DTE can have a Rome NUA and be
located in Genoa. As call with the account to called...
like VAXs and UNIXs and some refer to not-interactive logins; NUAs are not
often completed. An NUA without a DNIC is like a phone number without an area
code: its meaning is nothing. Usually the system makes references to a subject
network, or it supplies other info in a less clear fashion. At this need I
are old hat, the new stuff is only for friends)...
Beware: many countries own more than one national network (GB, USA, etc) then
you will probably hear a thousand cries of "In USA where? On Tymnet, or
Autonet? or Telenet? or RCA? EtherNet?" And I can continue...
DNIC Network Name Country
This list may be in the hands of hackers everywhere. And, because the bread
for a hacker is done with ItaPac's floor, the minimum I suggest is to learn by
memory the main International DNICs. Not these for French Guiana, but the main
European and American ones.
Let's return to ItaPac. When you are connected to a remote system, the network
call and return in command mode (the star "*" prompt) must make some diff-
PAD, either to setup his parameters, close, reset or confirm the call. In
this case, often frequently, with the sequence CTRL-P ItaPac will reappear
with its "*" prompt and it accepts commands. Typing "CLR" ItaPac will
close the virtual call to host and answer "ACP: CLR CONF".
to the user. CTRL-P is not recognized, and the only way to logoff or catch
the control of the PAD is send a ten LONG-BREAK sequences. The BREAK, not
to be confused with CTRL-C, that is not in this site, is an INTERNAL signal
whic(BFs not an ASCII code. It is used by the communication program you
use to send that acknowledgment. If you don't have the capability to send
BREAK (short or long); beware not to use these black holes from where the
only way to exit will be the physical disconnect from the PAD (ie, drop
carrier on the modem).
problems to host machines. In effect, their software (or perhaps hardware)
is not able to translate correctly the loss of carrier and enters into a
"Wait-State Pending", that will finish only before a well-defined interval.
In the mean time, this door is unavailable. Network administrators never
like CTRL-P CLR.
Network Signals, Profiles (Outline, Shapes, Sketch), Parameters
A detailed description about all net signals, standard outlines and parameter
This manual can easily be "thieved" at kermesses in Italcables stands, in more
What is not written therein into from Italcable is the meaning about parameters
0 No padding inserted
1-15 When it is in the Data Transfer state, the pad inserts a time delay from
1 to 15 chars times the length after each LF that it inserts. The
normal setting is determined by the terminal in use.
This parameter and the following parameters (16, 17, and 18) determines
how editing of data is perfomed when the pad is in the Data Transfer
0 editing of data is not possible
1 Must be set to this value if the editing facility required
0 characted deletion is not possible
normal setting is 127 (for RUBOUT or DEL)
0 Buffer deletion is not possible
setting is 24 (CTRL-X) or (CAN)
0 Buffer display is not possible
normal setting is 18 (CTRL-R) or (TAPE-ON)
s typed in command mode via the DEL key. If you use the Backspace (ASCII 8)
key ItaPac will not accept corrections but it will translate these as true
full duplex) the packet transmission will slow in a drastic way the number of
ncoming and outgoing characters from your DTE.
are really macro rests between packets. At lower transmission speeds (ie, 300
baud) the switching does not feel right, but at 1200 it does. We have computed
that the speed of real transfers and receiving can, at maximum performance,
s very heavy. Via Xmodem, the PAD will try to destroy time-out signals, or
confuse all. Public computer systems such as Delphi know that also. If you
aren't able to download correctly using the Xmodem protocol then that means
that only the remote host isn't detecting the differences between packets
and asybchronous terminals.
The question is: will it happen only on ItaPac (not new) or is a common
There are nights in which every address you call is "NC". The Network Conges-
tion state is very frequent on ItaPac, and will disallow the use of the network
used from NCP. The causes are very mysterious. At night Firms aren't using
Service center they negate all, but this is reality. ItaPac, at the end, is an
times it doesn't work. How does it not work? Ha! To them everything is
always ok. And then someone will cry scandal if you try to bypass them!
Usually, NUIs that are used (or had been used) are demo NUIs. It hasn't an
account, and then -in theory- cannot exaust. Operators cannot ever notify
their use, because they don't have a record of calls...If a demo NUI will die,
the cause can be one of only two:
noted abnormal traffic and has controlled, or from an external (a son of
a bitch spy!)
An historical NUA- it has been working for over 2 years, and for a SPY...
HOW GET AN NUI
The more simple and safe method is to copy that from kermesses where Italcable,
or otherwise, use X.28 wires. The dedicated X28 DOESN'T NEED AN NUI because
they are directly connected.
Go near the operator and ask "That is a MODEM?"
Operator (if they have the time) will be moved to pity, in front of so much
ngnorance, and he feels so relaxed, types in his pw. You, with an optimum
eye, must read the keyboard and memorize the NUI. This is called shoulder
block notes left near terminals. If the stand is owned by Italcable, ALL you
can catch, must BE, without differences.
A new scanning technique, based on trying statistically calculated, is in exam
between DTE222. This technique may guarantee, if applied to a long scan time,
less than to 100,000 (1 hundred thousand), causing cost and time problems.
At large lines, that rule is like: a NUI generator will provide to create a
very likely NUI following the same criteria. A scanner will try all in an
automatic manner. It tries 8, then it uses a valid NUI to connect to 22000
(Echo pad), immediatly it logs off (CLR CONF), putting zero thanks to ACP:COM
the ACP:ERR ILL counter (how we know, to 10th ERR ILL the pad will logoff
average. This, is all talk! In addition, it seems that before 700 ERR ILL,
not looking counter reset, ItaPac will hang up. That will make it more diff-
cult for our computer; it araises at times (will redial number) and make the
Net can send several mesages:
- as answer to a command
- for his own decision
- following an action performed byt remote terminal
ERR CNA syntax of command is correct, but not allowed in this state
ERR ILL command is not syntactically correct or the hit is not recognized
ERR EXP timeout and command was not completed
ERR PNA the requested outline is not assigned yet
CLR OCC the called number is busy
CLR NC Network congestion or temporaly failure of hardaware cannot allow new
CLR INV Requested performance is not valid
CLR NA The calling number cannot have connection to DTE (ex: Close User
Group not compatable)
CLR ERR Call is hung for a local procedure error
CLR RPE Call is hung for a remote DTE error
CLR NP Called NUA is not assigned
CLR DER Called NUA is out of order
CLR PAD PAD has hung the call because he had received am invitation to
"clear" from DTE
CLR DTE Remote DTE hung call
CLR RNA Remote DTE cannot accept charged calls
RESET DTE Remote has resetted virtual circuit
RESET RPE Call is putt in reset state for remote DTE error
RESET ERR Call is reset for a local error
RESET NC Call is hung for a network congestion
RATES AND DUTIES
For whoever wants to subscribe ItaPac, here are the rates. For whoever uses it
as Portoguese it might be interesting to have an idea about how much it costs
the real owner of an NUI. The, if you have one, don't abuse and don't tell it
to the four winds. Remember that real owner can, at any moment, change it!
BY X.28 Switched Phone
Class (baud) Lire/Month
NUI duties: 7,200 / month
to these must be added:
mail and telegraph duties
contributions and trafic (counter turns!)
The amount of the first two isn't clearly specified on the rates-sheets, but it
s marked as:
Following the current rates. Last, is so divided: they will consider the
Class (baud) Lire/Month
To these must be added:
duties foryouse of area to area circuitery
duties for new wires
Time rates for Ports Taken
class (baud) Lire/Minute (or fract)
6.80 Lire/minute or fraction
1.78 Lire/segment or fraction thereof (1 segment= 64 octets)
Rates to call
30 lire / call
Addings per NUI
7,200 / month
For time and volume rates there is a 30% discount from 9 PM to 8 AM every day,
ncluding Saturday and non-working days
54,000 Lire / Month
Class of Max Charge of line
9,000 * KB / Month
Master 56,700 Lire / Month
Users 900 Lire / Month
8,100 / Month
Change Options Parms
Speed Class Change
Lire 30 each voice in list
GF 0.107 / min or fraction thereof
GF 0.3333 / min or fract (1)
GF 0.4 / min or fract (2)
GF 0.5 / min or fract (3)
(1) North America or Middle East directly connected to Italy
(2) Other countries out from Europe directly connected to Italy
(3) All others
charge a 20 years money loan to be able to afford ItaPac.
The Network is also able to receive characters following international Alphabet
from CCITT No. 5 (IA5) with 1 or 2 stop bits and it will produce even chars
net, ItaPac will translate characters dropping out the parity and send chars
ng parity and bits.
TO CONNECT VIA THE SWITCHED WAY
must switch to data within 10 seconds from the first ItaPac tone.
characters optional). E.g: if the NUI is AAAAAA and the NUA is 2345678 you
must type: NAAAAAA-2345678 . The NUI is never echoed on screen. All
Typing 'D' before string the following data will be echoed, with 'P'.
From this moment starts the data exchange phase and, until you disconnect, all
commands to the net must be preceded with the ^P sequence. If the call is not
correct, the net will answer by sending a disconnect signal to specify the
cause of it. After 10 times of unsuccessfully placed calls, the net will hang
up the carrier. If the call is possible, the NUA will receive an ACP: (caller
The following commands can be issued prior to having a connection, meanwhile
t's considered as data itself). At end of command send . Beware that in
a start-stop terminals calls (X.28) commands must sent also from TH in packet
- if call is on : ACP: ENGAGED
- if call is off : ACP: FREE
network will put on that (see later). At start the #3 is default outline.
reset request: ^P RESET
That command will cancel call followings data on line.
This packet will go over travelling data. Then, the action taked by host
s software depending on.
THE EDITING FEATURE.
By the Editing Feature, you can delete a char or a line to make editing the PAD
and the ACP xmit. To have it meanwhile data transfer you must choose parm 15.
to request editing function and he can, via par 19, editing signals send by
To make the deletion of the last type character you must send parm 16 defines
the character (default DEL) before receving this char, the PAD will erase last
character in the editing buffer, and, if parm 16 is different from 0, it send
the signal about the erased char as said from par 19:
if parm 19 is set to 0, no signal sent
if parm 19 is set to 1, pad sent IA5 signal; this procedure is suggested
for printer like terminals
If parm 19 is set to 2, pad will sent a BS SP BS sequence of IA5. This
procedure will locate cursor at inserting point of new char and is
therefore suggested for video terminals.
To erase a line you must send the char set into parm 17 (def: CAN). Before
to anything save 0, it will send the line deletion character, following par-
if parm 19 is set to 0 : nothing sent
if parm 19 is set to 1 : pad send XXX
if parm 19 is set to 2 : pad will send SP BS SP of IA5 for a number times
as the number of chars in the buffer
To obtain a line display you must send char defined by parm 12 (def: DC2).
Before receive this char pad will sent to terminal all chars stored in the