rfc5938.Individual Session Control Feature for TWAMP

合集下载

中国电信集团公司技术标准(DPI综分系统)

5.3.1 5.3.2
流量分析结果上报策略 ............................................................................... １４
Web 类流量管理策略 ................................................................................... １５
用户/业务策略信息查询 .............................................................................. ２９用户/业务策略信息下发 .............................................................................. ２９
Web 信息推送策略....................................................................................... ２１
一拖 N 用户管理策略 .................................................................................. ２３非法路由用户管理策略 ............................................................................... ２４应用层 DDoS 异常流量管理策略 ................................................................ ２５应用层 DDoS 保护策略对象绑定 ................................................................ ２６

httpstaus汇总

httpstaus汇总常见HTTP状态码1.2.3.4.5.6.7.8.9.10.11.12.100 Continue初始的请求已经接受，客户应当继续发送请求的其余部分101 Switching Protocols服务器将遵从客户的请求转换到另外⼀种协议200 OK⼀切正常，对GET和POST请求的应答⽂档跟在后⾯201 Created服务器已经创建了⽂档，Location头给出了它的URL。

202 Accepted已经接受请求，但处理尚未完成。

203 Non-Authoritative Information⽂档已经正常地返回，但⼀些应答头可能不正确，因为使⽤的是⽂档的拷贝204 No Content没有新⽂档，浏览器应该继续显⽰原来的⽂档。

如果⽤户定期地刷新页⾯，⽽Servlet可以确定⽤户⽂档⾜够新，这个状态代码是很有⽤的205 Reset Content没有新的内容，但浏览器应该重置它所显⽰的内容。

⽤来强制浏览器清除表单输⼊内容206 Partial Content客户发送了⼀个带有Range头的GET请求，服务器完成了它300 Multiple Choices客户请求的⽂档可以在多个位置找到，这些位置已经在返回的⽂档内列出。

如果服务器要提出优先选择，则应该在Location应答头指明。

301 Moved Permanently客户请求的⽂档在其他地⽅，新的URL在Location头中给出，浏览器应该⾃动地访问新的URL。

302 Found类似于301，但新的URL应该被视为临时性的替代，⽽不是永久性的。

303 See Other类似于301/302，不同之处在于，如果原来的请求是POST，Location头指定的重定向⽬标⽂档应该通过GET提取304 Not Modified客户端有缓冲的⽂档并发出了⼀个条件性的请求（⼀般是提供If-Modified-Since头表⽰客户只想⽐指定⽇期更新的⽂档）。

rfc6238标准

rfc6238标准RFC 6238是一项具体指定了时间基础上的一次性密码（TOTP）算法的标准。

该算法以时间为基础，通过使用哈希函数生成一次性密码，以提高身份验证的安全性。

以下是与RFC 6238相关的参考内容：1. TOTP算法的定义：- TOTP算法是基于RFC 6238的一次性密码生成算法，该算法使用时间窗口以及预共享密钥生成一次性密码。

TOTP算法广泛应用于多因素身份验证中。

2. 时间同步性要求：- RFC 6238指定了一种时间同步性要求，要求使用TOTP算法的设备和验证服务器在时间上保持一致。

这确保了一次性密码的生成是基于准确的时间。

3. 哈希函数的应用：- RFC 6238指定了一种基于哈希函数的一次性密码生成方法。

常见的哈希函数包括SHA-1、SHA-256等。

哈希函数用于将时间和预共享密钥生成一次性密码的散列值。

4. 预共享密钥的生成与管理：- RFC 6238强调了预共享密钥的安全性和管理。

预共享密钥用于生成一次性密码，必须保持机密，并且需要在生成一次性密码的设备和验证服务器之间进行安全传输及存储。

5. 时间窗口的定义与使用：- RFC 6238定义了时间窗口的概念，用于控制一次性密码的有效期。

时间窗口指定了在某一个时间点前后允许认证的一次性密码数量。

6. 安全性考虑：- RFC 6238特别强调了一次性密码算法的安全性考虑。

例如，保护设备和服务器上的预共享密钥的机密性，防范重放攻击等。

此外，该标准还对一次性密码生成和验证过程中的潜在安全漏洞提出了一些建议。

7. 应用场景的拓展：- RFC 6238指定的TOTP算法可以应用于多种身份验证场景，例如互联网银行、VPN访问、云服务等。

该算法提供了一种简单且安全的方式，以提供额外的身份验证保护。

8. 其他相关标准和扩展：- RFC 6238不是独立的标准，它与其他相关身份验证标准和扩展相结合使用，以提供更全面的身份验证解决方案。

这些标准包括RFC 4226（HOTP：基于哈希的一次性密码）和RFC 6287（HOTP扩展）等。

AirNet空管自动化系统FDP备机MID程序异常案例分析

AirNet空管自动化系统FDP备机MID程序异常案例分析发布时间：2021-06-24T06:37:32.970Z 来源：《科技新时代》2021年3期作者：赵凤娟[导读] 重启后运行5分钟后再进行主备机的切换，减少维护带来的运行风险，确保设备的稳定运行。

中国民航贵州空中交通管理分局贵州贵阳 550012摘要：飞行数据服务器（FDP）作为自动化系统中重要的组成之一，其中间件MID主要具有数据通信、节点监控及时钟同步等功能。

本文阐述在对AirNet自动化系统进行一次例行维护时，发生了FDP备用服务器MID程序异常的情况，导致AIRNET自动化系统降级掉目标，使得AIRNET备用自动化系统切换为主用的工作中断的案例。

本文通过分析日志，结合厂家意见，查找到问题原因，并进行分析解决，以避免后续类似问题发生。

关键词：飞行数据服务器 AirNet自动化系统 MID程序异常分析日志1 引言目前，本单位所属自动化系统有两套，莱斯自动化NUMEN系统作为主用，二所自动化系统AIRNET作为备用，作为管制运行指挥重要的监视设备，根据《民用航空通信导航监视运行保障与维护维修规程》相关要求，设备维护部门应对所属相关设备进行定期维护，确保设备的稳定可靠。

而飞行数据服务器作为自动化系统中重要的组成部分，主要进行接收并预处理监视数据、一次气象雷达数据处理等多监视源航迹融合、高度跳变处理、目标QNH高度修正、航迹过载处理、安全告警计算等功能[1]。

在对其进行维护时，技术人员会选择航班量较少的时段进行，并且对主、备机分开进行重启，重启后运行5分钟后再进行主备机的切换，减少维护带来的运行风险，确保设备的稳定运行。

2 异常情况说明按照工作计划，技术人员于23时15分对二所自动化系统进行例行月维护，重启FDP备机，23时22分，系统监控SMC上出现FDP备机红色告警状态，FDP主机同时出现了红色（告警状态）与绿色（正常状态）反复交替变换的现象。

Infoprint 250 導入と計画の手引き第 7 章ホスト

SUBNETMASK
255.255.255.128
Type of service...............: TOS
*NORMAL
Maximum transmission unit.....: MTU
*LIND
Autostart.....................:
AUTOSTART
*YES
: xx.xxx.xxx.xxx
: xx.xxx.xxx.xxx
*
(
)
IEEE802.3
60 1500
: xxxx
48 Infoprint 250
31. AS/400
IP
MTU
1
1
IPDS TCP
CRTPSFCFG (V3R2)
WRKAFP2 (V3R1 & V3R6)
RMTLOCNAME RMTSYS
MODEL
0
Advanced function printing............:
AFP
*YES
AFP attachment........................:
AFPATTACH
*APPC
Online at IPL.........................:
ONLINE
FORMFEED
*CONT
Separator drawer......................:
SEPDRAWER
*FILE
Separator program.....................:
SEPPGM
*NONE
Library.............................:

QOS质量管理体系

没有相应的RFC 按照客户采购标准任何 C of C 参数出现 OOS 必须启用 MRB 潜在新缺陷
产品有疑问（ questionable） –启用DRB 产品有疑问（ questionable） –启用DRB 产品有疑问（ questionable） –启用DRB
合格率低，同时没有找到原因
没有相应的RFC
RFC (反应流程图)
是一种已知解决问题最佳方法（BKMs）的文件化，它包含质量有疑问的产品以及尽快让生产程序或设备恢复正常运行状态的措施. 对出现的异常情况有一套详细的应对措施. 找出解决问题的方案，对同一问题可能会导出两个或更多的方案.
Power Stencil
使用RFC的优势
使问题的原因和历史解决方案形成文件化使制造工程师/ 专家在最短时间内采取措施来解决这些问题
控制产品 (不流入下道工序)
封锁
使用产品流程跟踪系统确定并通知 DRB成员
启动DRB
初步调查
一般来说第一次会议在 24 –48小时内举行风险估计 Consider: 严重性封锁检测风险的可靠性准备 DRB 报告, 分发给成员

风险估计
出现问题的产品如何识别或被提示,以及被控制住,不会继续流入下道工序或客户手中?
Power Stencil
Accuracy---准确度
Distribu tions M e asu re
Normal Quantile Plot
3
.99
Quantile s
100.0% maxi mum 99.5% 97.5% 90.0% 75.0% quarti le 50.0% medi an 25.0% quarti le 10.0% 2.5% 0.5% 0.0% mi ni mum 0.15810 0.15810 0.15810 0.15810 0.15807 0.15790 0.15782 0.15770 0.15770 0.15770 0.15770

RFC3918协议测试——网络测试仪实操

三、测试配置..................................................................................................................................... 4 3.1 准备工作: 添加机框............................................................................................................4 3.2 准备工作: 预约端口............................................................................................................5 3.3 选择向导............................................................................................................................... 5 3.4 选择混合吞吐量测试...........................................................................................................6 3.5 选择端口............................................................................................................................... 6 3.6 配置接口............................................................................................................................... 7 3.7 向导配置接口.......................................................................................................................7 3.8 向导配置关键-MAC.......................................................................................................... 8 3.9 向导配置关键-IP................................................................................................................8 3.10 向导接口配置结果.............................................................................................................9 3.11 选择接口............................................................................................................................. 9 3.12 配置组播流量...................................................................................................................10 3.13 配置组播参数................................................................................................................... 11 3.14 关键参数........................................................................................................................... 11 3.15 选择测试参数...................................................................................................................12 3.16 配置混合吞吐................................................................................13 3.17 关键参数...........................................................................................................................14 3.18 配置单播流量...................................................................................................................15 3.19 配置单播流-选择端口..................................................................................................... 15 3.20 配置单播流量-选择流量接口......................................................................................... 16 3.21 配置单播流-常规............................................................................................................. 16 3.22 配置单播流-配置帧......................................................................................................... 17 3.23 配置单播流.......................................................................................................................17 3.24 开始测试...........................................................................................................................18

和SIP有关的RFC

RFC 3666 SIP Public Switched Telephone Network (PSTN) Call Flows.
RFC 3680 SIP Event Package for Registrations
RFC 3702 Authentication, Authorization, and Accounting Requirements for the SIP
RFC 3515 The Session Initiation Protocol (SIP) Refer Method
RFC 3578 Mapping of Integrated Services Digital Network (ISDN) User Part (ISUP) Overlap Signalling to the SIP
RFC 4244 An Extension to the SIP for Request History Information
RFC 4245 High-Level Requirements for Tightly Coupled SIP Conferencing
RFC 4320 Actions Addressing Identified Issues with the SIP's Non-INVITE Transaction
RFC 3581 An Extension to the SIP for Symmetric Response Routing
RFC 3603 Private SIP Proxy-to-Proxy Extensions for Supporting the PacketCable Distributed Call Signaling Architecture.

中移动CM-IMS测试规范

验证：P-CSCF可以支持用户在初始注册中的压缩协商。
测试预置条件：
IMS终端已经完成CSCF发现过程，用户在归属HSS中有签约信息，认证采用http digest机制。
测试步骤：
1、使用仪表跟踪P-CSCF的Gm接口和Mw接口。
2、UE向P-CSCF发送初始注册register消息，其中Via和Contact字段内含有comp=SigComp参数。
5.1.1
用户注册/注销
5.1.1.1
用户注册管理――用户初始注册
5.1.1.2
P-CSCF转发注册请求后接收的其它响应
5.1.1.3
P-CSCF隐式注册
5.1.1.4
P-CSCF识别完整性保护
5.1.1.5
P-CSCF支持注册过程中的压缩协商
5.1.1.6
用户发起的注销
5.1.1.7
网络发起的注销
2、
3、
4、P-CSCF记录下UE的IP地址和端口、用户的公有（IMPU）和私有标识（IMPI）等。
5、
6、注册完成后，保存200(OK)中的Service-Route消息头（对于重注册，则覆盖原先存储的值），并将Service-Route列表与注册的IMS公有标识相关联；存储P-Associated-URI消息头中携带的公有标识，并将第一个公有标识为缺省公有标识；
初始过滤规则
I-CSCF
Interrogating Call Session Control Function
查询呼叫会话控制功能
MGCF
Media Gateway Control Function
媒体网关控制功能
P-CSCF
Proxy Call Sessionห้องสมุดไป่ตู้Control Function

用户行为审计解决方案(UBAS)主打胶片

3
策略法规遵从
利用互联网进行犯罪、不健康网站泛滥、非法信息互联网传播，利用互联网进行犯罪、不健康网站泛滥、非法信息互联网传播，互联网的滥用迫使国家部委制定互联网安全规范措施－公安部号令号令《使国家部委制定互联网安全规范措施－公安部82号令《互联网安全保护技术措施强制要求保存三个月上网记录信息：规定》，强制要求保存三个月上网记录信息：
审计用户网络访问日志
访问网络的源IP、端口用户使用的协议类型产生了多少字节的流量 ……
掌握用户上网行为
何时访问了非法网站？
网络监控和决策支持的助手
何时访问了哪些网页？对什么感兴趣？发送了哪些Email ? 向外发送了哪些文件？ ……
发现可疑用户和网络异动
完整记录网络流量走向，完整记录网络流量走向，无信息传输死角详细记录网络访问明细和用户行为的信息摘要

13
基于任务的日志跟踪
多种审计任务模板：NAT地址转换、Web访问、文件传输、邮件等任务式自动跟踪审计：根据查询条件自定义审计任务，系统自动跟踪审计最新用户日志信息。

14
基于网络访问摘要信息的查询（DIG探针组件）基于网络访问摘要信息的查询（DIG探针组件）探针组件

10
提纲
内网用户行为审计的必要性用户行为审计解决方案（UBAS）介绍用户行为审计解决方案（UBAS） UBAS解决方案功能特点 UBAS解决方案功能特点 UBAS解决方案最佳实践 UBAS解决方案最佳实践

11
全面的日志采集
NAT日志日志 FLOW日志日志
用户行为审计解决方案(UBAS) 用户行为审计解决方案(UBAS)
日期：密级：杭州华三通信技术有限公司

sftp 消息认证算法

sftp 消息认证算法SFTP（Secure File Transfer Protocol）是一种安全的文件传输协议，它在SSH（Secure Shell）上构建。

SFTP使用SSH协议进行身份验证和加密，因此支持多种消息认证算法以确保通信的安全性。

以下是一些常见的SFTP消息认证算法：1. HMAC-SHA-2（HMAC with SHA-2）：- SFTP可以使用基于SHA-2系列的HMAC算法，如HMAC-SHA-256和HMAC-SHA-512，来进行消息认证。

这些算法提供了强大的安全性。

2. HMAC-SHA-1：-尽管SHA-1已经被认为是不安全的，但在某些情况下，仍然可能会使用HMAC-SHA-1进行消息认证。

然而，强烈建议使用更安全的算法，如SHA-256或SHA-512。

3. HMAC-MD5：-类似于HMAC-SHA-1，HMAC-MD5也是一种较旧的消息认证算法，不再被推荐用于安全性要求较高的环境。

4. UMAC-64和UMAC-128：- UMAC是一种基于Poly1305的消息认证码算法。

UMAC-64使用64位密钥，而UMAC-128使用128位密钥。

它们提供了高性能和良好的安全性。

5. AES-GCM：- Advanced Encryption Standard Galois/Counter Mode（AES-GCM）是一种组合加密和消息认证码的模式。

它结合了AES加密和GCM认证，提供了高度的安全性和效率。

6. AES-CCM：- Advanced Encryption Standard Counter with Cipher Block Chaining-Message Authentication Code（AES-CCM）也是一种组合加密和消息认证码的模式，类似于AES-GCM。

这些消息认证算法用于验证SFTP通信中传输的数据的完整性，防止数据被篡改。

在配置SFTP 服务器和客户端时，通常可以指定首选的消息认证算法和加密算法。

rfc中常用的测试协议

rfc中常用的测试协议摘要：1.RFC 简介2.RFC 中常用的测试协议a.网络协议测试1.网络数据包抓取和分析2.网络仿真和测试工具b.应用层协议测试1.HTTP 和HTTPS 测试2.FTP 和FTPS 测试3.SMTP 和SMTPS 测试c.安全协议测试1.TLS 和SSL 测试2.IPsec 测试d.传输协议测试1.TCP 和UDP 测试e.无线网络协议测试1.802.11 无线网络测试正文：RFC（Request for Comments）是一个用于讨论和记录互联网协议的标准文档系列。

在RFC 中，有许多常用的测试协议，这些协议用于确保互联网协议在实际应用中能够正常工作。

本文将详细介绍这些测试协议。

首先，RFC 中包含了大量的网络协议测试。

网络数据包抓取和分析是网络协议测试的基础，这对于诊断网络问题和优化网络性能至关重要。

此外，网络仿真和测试工具也是必不可少的，例如，网络模拟器（如NS-3）和测试平台（如Ixia）可以帮助工程师在实验室环境中模拟实际网络状况，从而对协议进行更严格的测试。

其次，应用层协议测试在RFC 中也占据重要地位。

HTTP 和HTTPS 是Web 应用中最常用的协议，有许多测试工具可以对它们的性能和安全性进行测试，例如，JMeter 和Locust 等负载测试工具。

此外，FTP 和FTPS、SMTP 和SMTPS 等传输协议也是常用的测试对象。

在安全协议方面，RFC 中包含了TLS 和SSL、IPsec 等协议的测试方法。

这些协议对于保护互联网数据传输的安全至关重要，因此需要进行严格的测试以确保其性能和安全性。

传输协议方面，TCP 和UDP 是互联网中最常用的传输协议，它们的测试方法也是RFC 中的重要内容。

TCP 测试关注可靠性和流量控制等方面，而UDP 测试则更注重数据传输速率和丢包率等指标。

最后，无线网络协议测试在RFC 中也有一定的比重。

例如，802.11 无线网络测试是评估无线局域网性能的关键。

黑客技术

最经典的黑客入门教材第一节、黑客的种类和行为以我的理解，“黑客”大体上应该分为“正”、“邪”两类，正派黑客依靠自己掌握的知识帮助系统管理员找出系统中的漏洞并加以完善，而邪派黑客则是通过各种黑客技能对系统进行攻击、入侵或者做其他一些有害于网络的事情，因为邪派黑客所从事的事情违背了《黑客守则》，所以他们真正的名字叫“骇客”（Cracker）而非“黑客”（Hacker），也就是我们平时经常听说的“黑客”（Cacker）和“红客”（Hacker）。

无论那类黑客，他们最初的学习内容都将是本部分所涉及的内容，而且掌握的基本技能也都是一样的。

即便日后他们各自走上了不同的道路，但是所做的事情也差不多，只不过出发点和目的不一样而已。

很多人曾经问我：“做黑客平时都做什么？是不是非常刺激？”也有人对黑客的理解是“天天做无聊且重复的事情”。

实际上这些又是一个错误的认识，黑客平时需要用大量的时间学习，我不知道这个过程有没有终点，只知道“多多益善”。

由于学习黑客完全出于个人爱好，所以无所谓“无聊”；重复是不可避免的，因为“熟能生巧”，只有经过不断的联系、实践，才可能自己体会出一些只可意会、不可言传的心得。

在学习之余，黑客应该将自己所掌握的知识应用到实际当中，无论是哪种黑客做出来的事情，根本目的无非是在实际中掌握自己所学习的内容。

黑客的行为主要有以下几种：一、学习技术：互联网上的新技术一旦出现，黑客就必须立刻学习，并用最短的时间掌握这项技术，这里所说的掌握并不是一般的了解，而是阅读有关的“协议”（rfc）、深入了解此技术的机理，否则一旦停止学习，那么依靠他以前掌握的内容，并不能维持他的“黑客身份”超过一年。

初级黑客要学习的知识是比较困难的，因为他们没有基础，所以学习起来要接触非常多的基本内容，然而今天的互联网给读者带来了很多的信息，这就需要初级学习者进行选择：太深的内容可能会给学习带来困难；太“花哨”的内容又对学习黑客没有用处。

secretflow 安全参数

秘密流安全参数1. 背景介绍在网络安全领域，秘密流（SecretFlow）是一个重要的概念。

它指的是在网络通信中有效保护信息安全的机制，通常用于保护敏感数据在网络传输过程中不被未授权的第三方获取或篡改。

安全参数则是指秘密流机制中的一些关键参数，它们直接影响着信息传输的安全性。

2. 安全参数的作用安全参数是秘密流机制中的关键组成部分，它们的作用主要体现在以下几个方面：2.1 加密算法的选择加密算法是秘密流机制中最基础的安全参数之一。

不同的加密算法具有不同的安全性和性能表现，选用适合场景的加密算法对于保护信息安全至关重要。

2.2 密钥长度和安全性密钥长度直接影响着加密算法的安全性，通常情况下，密钥长度越长，加密的强度越高，但与之相对应的，加密和解密的时间也会更长。

选择适合的密钥长度是保障信息安全和性能的平衡。

2.3 安全参数协商在网络通信中，双方需要协商一致的安全参数，以确保彼此的通信安全。

安全参数协商需要保证安全性和唯一性，避免被攻击者篡改或伪造。

2.4 安全协议的支持安全参数还涉及到安全协议的支持情况，不同的安全协议在实现方式和安全性上都有所不同，合理选择适合的安全协议也是保障通信安全的重要因素。

3. 如何设置安全参数正确设置安全参数是保障秘密流机制的关键，以下是一些常见的设置建议：3.1 选择合适的加密算法在实际应用中，通常会根据不同的需求选择合适的加密算法。

比如对于对称加密算法来说，AES是目前应用最广泛的加密算法之一，而对于非对称加密算法，RSA则是一种常见的选择。

3.2 密钥长度和安全性平衡对于密钥长度，一般来说，对于对称加密算法，128位的密钥长度已经足够安全，而对于非对称加密算法，建议选择2048位的密钥长度。

3.3 安全参数协商过程安全参数的协商过程一般采用Diffie-Hellman密钥交换算法，确保通信双方都能协商出一致的安全参数。

3.4 安全协议的选择和配置对于安全协议的选择和配置，常见的做法是采用TLS/SSL协议来保障通信的安全性，同时在配置时要遵循最佳实践，禁用不安全的加密算法和弱密码，开启完整性保护和身份验证等功能。

多因素身份验证SAML协议深度解析

多因素身份验证SAML协议深度解析多因素身份验证是如今信息安全领域的重要议题之一，它通过结合多个验证因素，提高了身份验证的安全性。

而SAML（Security Assertion Markup Language）协议则是一种广泛应用于单点登录和身份管理系统的通信协议，它为企业提供了一种安全可靠的方式来实现用户身份验证和授权。

本文将对多因素身份验证SAML协议进行深度解析，重点探讨其工作原理、主要特点以及在信息安全领域的应用。

一、多因素身份验证介绍多因素身份验证是指通过结合用户所知、所持和所属的不同信息要素，来确认用户的身份。

常见的身份验证因素包括知识因素（如密码）、物理因素（如硬件令牌或智能卡）以及生物因素（如指纹或虹膜）。

多因素身份验证的目的是提高用户身份验证的安全性，降低被攻击或被冒充的风险。

二、SAML协议概述SAML是一种基于XML的开放标准，它定义了一组规范和协议，用于在不同的安全域之间传递身份验证和授权信息。

SAML协议在Web单点登录（SSO）和身份管理系统中发挥着重要的作用。

SAML协议的核心组成部分包括身份提供者（Identity Provider，简称IdP）、服务提供者（Service Provider，简称SP）和用户（User）。

其中，身份提供者负责对用户进行身份验证，并颁发SAML断言（Assertion），而服务提供者则负责接收并验证这些断言，并据此为用户提供对应的服务。

三、多因素身份验证SAML协议的工作原理1. 用户请求访问服务用户向服务提供者发送访问请求，这可能是通过浏览器、移动应用或其他客户端发起的。

2. 服务提供者生成SAML请求服务提供者根据SAML协议创建一个SAML请求，并将其发送给身份提供者。

该请求包含了用户的身份信息以及服务提供者的需求。

3. 身份提供者验证身份身份提供者接收到SAML请求后，对用户进行身份验证，这可能涉及到多种因素，例如密码、硬件令牌或生物识别等。

构建港航企业动态网络安全防护体系研究与实践—以企业AUC为例

构建港航企业动态网络安全防护体系研究与实践—以企业 A UC 为例摘要随着信息技术和互联网应用的迅速应用和推广，网络安全形势日趋严峻，企业面临多方面网络安全风险和威胁。

因此，构建完善的网络安全防护体系、筑牢企业网络安全堡垒成为企业内控的关键组成部分。

本文以某港航企业为例（文中称为AUC）对网络安全管理现状分析并提出网络安全智能防护体系解决方案。

关键词：网络安全；网络安全体系；供应链安全当前，世界百年未有之大变局和新冠肺炎疫情全球大流行交织影响，网络空间安全斗争博弈日趋激烈，网络攻击无处不在，网络安全变得至关重要。

当前，港航业已成为网络安全的重灾区，地中海航运、马士基、达飞等船公司均曾遭受网络攻击，并造成业务运营停顿。

因此，保障港口网络安全，对港口稳定生产至关重要。

AUC积极推进网络安全工作，做到网络安全管理依法合规、落实责任、风险可控、提升能力、增强意识、制度体系全面覆盖，打造了动态智能网络安全防护体系。

1.原网络安全管理状况分析AUC主要从事集装箱及其他货物的装卸堆存业务，公司信息化网络辐射到公司所有区域，包含有线网、2.4G、5.8G、5G等网络；主要建设了码头生产指挥控制系统、财务管理系统、项目管理和邮件系统等应用系统。

最近几年互联网应用逐渐增多，比如箱区导航系统、网上订餐、企业微信号等逐渐上线，对网络安全管理提出了更高要求AUC一直非常重视绿色智能化码头建设，公司采购了防火墙、入侵防御设备等网络安全设备，实现了网络的基本安全防护，但是未实现这些网络安全设备信息的集中分析和设备联动；公司信息化管理办法也已经不适应当前严峻的网络安全形势；网络安全管理一直是网络管理人员兼管，存在管理不规范、不专业的问题。

近几年上级主管部门和公司领导高度重视网络安全，要求逐渐完善网络安全管理制度和管理体系，筑牢公司网络安全防线。

1.创建动态网络安全防护体系措施与实践在分析以上网络安全管理现状后， AUC建立了网络安全领导小组，制定了网络安全责任制，设立了网络安全专职管理人员，采取如下措施创建了智能动态网络安全防护体系。

相关主题

1、下载文档前请自行甄别文档内容的完整性，平台不提供额外的编辑、内容补充、找答案等附加服务。
2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
3、如文档侵犯您的权益，请联系客服反馈,我们会尽快为您处理(人工客服工作时间：9:00-18:30)。

Internet Engineering Task Force (IETF) A. Morton Request for Comments: 5938 AT&T Labs Updates: 5357 M. Chiba Category: Standards Track Cisco Systems ISSN: 2070-1721 August 2010 Individual Session Control Featurefor the Two-Way Active Measurement Protocol (TWAMP)AbstractThe IETF has completed its work on the core specification of TWAMP -- the Two-Way Active Measurement Protocol. This memo describes anOPTIONAL feature for TWAMP, that gives the controlling host theability to start and stop one or more individual test sessions using Session Identifiers. The base capability of the TWAMP protocolrequires all test sessions that were previously requested andaccepted to start and stop at the same time.Status of This MemoThis is an Internet Standards Track document.This document is a product of the Internet Engineering Task Force(IETF). It represents the consensus of the IETF community. It hasreceived public review and has been approved for publication by theInternet Engineering Steering Group (IESG). Further information onInternet Standards is available in Section 2 of RFC 5741.Information about the current status of this document, any errata,and how to provide feedback on it may be obtained at/info/rfc5938.Copyright NoticeCopyright (c) 2010 IETF Trust and the persons identified as thedocument authors. All rights reserved.This document is subject to BCP 78 and the IETF Trust’s LegalProvisions Relating to IETF Documents(/license-info) in effect on the date ofpublication of this document. Please review these documentscarefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e ofthe Trust Legal Provisions and are provided without warranty asdescribed in the Simplified BSD License.Morton & Chiba Standards Track [Page 1]This document may contain material from IETF Documents or IETFContributions published or made publicly available before November10, 2008. The person(s) controlling the copyright in some of thismaterial may not have granted the IETF Trust the right to allowmodifications of such material outside the IETF Standards Process.Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modifiedoutside the IETF Standards Process, and derivative works of it maynot be created outside the IETF Standards Process, except to formatit for publication as an RFC or to translate it into languages other than English.Table of Contents1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 31.1. Requirements Language . . . . . . . . . . . . . . . . . . 42. Purpose and Scope . . . . . . . . . . . . . . . . . . . . . . 43. TWAMP Control Extensions . . . . . . . . . . . . . . . . . . . 4 3.1. Connection Setup with Individual Session Control . . . . . 5 3.2. Start-N-Sessions Command with Individual SessionControl . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.3. Start-N-Ack Command with Individual Session Control . . . 7 3.4. Stop-N-Sessions Command with Individual Session Control . 9 3.5. Stop-N-Ack Command with Individual Session Control . . . . 10 3.6. SERVWAIT Timeout Operation . . . . . . . . . . . . . . . . 123.7. Additional Considerations . . . . . . . . . . . . . . . . 124. TWAMP Test with Individual Session Control . . . . . . . . . . 13 4.1. Sender Behavior . . . . . . . . . . . . . . . . . . . . . 134.2. Reflector Behavior . . . . . . . . . . . . . . . . . . . . 135. Security Considerations . . . . . . . . . . . . . . . . . . . 146. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 6.1. Registry Specification . . . . . . . . . . . . . . . . . . 14 6.2. Registry Management . . . . . . . . . . . . . . . . . . . 14 6.3. Experimental Numbers . . . . . . . . . . . . . . . . . . . 156.4. Registry Contents . . . . . . . . . . . . . . . . . . . . 157. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 168. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16 8.1. Normative References . . . . . . . . . . . . . . . . . . . 16 8.2. Informative References . . . . . . . . . . . . . . . . . . 16 Morton & Chiba Standards Track [Page 2]1. IntroductionThe IETF has completed its work on the core specification of TWAMP -- the Two-Way Active Measurement Protocol [RFC5357]. TWAMP is anextension of the One-way Active Measurement Protocol, OWAMP[RFC4656]. The TWAMP specification gathered wide review as itapproached completion, and the by-products were severalrecommendations for new features in TWAMP. There are a growingnumber of TWAMP implementations at present, and widespread usage isexpected. There are even devices that are designed to testimplementations for protocol compliance.This memo describes an OPTIONAL feature for TWAMP. [RFC5357] TWAMP(and OWAMP) start all previously requested and accepted test sessions at once. This feature allows the Control-Client to controlindividual test sessions on the basis of their Session Identifier(SID). This feature permits a short-duration TWAMP test to start(and/or stop) during a longer test. This feature permits a specific diagnostic test to begin if intermediate results indicate that thetest is warranted, for example.This feature requires a Modes field bit position assignment and theuse of two new TWAMP command numbers (for the augmented Start andStop commands). This feature also specifies the use of a new Stop-N- ACK Server response, to complete the symmetry of the session-stopping process in the same way as the Start-ACK (Start-N-ACK when used with this feature) response.The Individual Session Control feature gives the Control-Client newflexibility to manage any number of test sessions once they areestablished. However, [RFC5357] test sessions are established inserial order and the total establishment time grows with the numberof sessions and the round-trip time. Therefore, implementers of this feature may also wish to implement the "Reflect Octets" feature,described in [REFLECT]. This feature allows a Control-Client todistinguish between parallel Request-TW-Session commands because aparticipating Server can return octets (e.g., the Control-Client’slocal index) in its reply to the request. Thus, the Reflect Octetsfeature supports the efficient establishment of many simultaneoustest sessions that the Individual Session Control feature can thenmanage (start/stop).This memo is an update to the TWAMP core protocol specified in[RFC5357]. Measurement systems are not required to implement thefeature described in this memo to claim compliance with [RFC5357]. Morton & Chiba Standards Track [Page 3]Throughout this memo, the bits marked MBZ (Must Be Zero) MUST be set to zero by senders and MUST be ignored by receivers. Also, the HMAC (Hashed Message Authentication Code) MUST be calculated as defined in Section 3.2 of [RFC4656].1.1. Requirements LanguageThe key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT","SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].2. Purpose and ScopeThe purpose of this memo is to describe an additional OPTIONALfunction and feature for TWAMP [RFC5357].The scope of the memo is limited to specifications of the followingfeatures:1. extension of the modes of operation through assignment of a newvalue in the Modes field to communicate feature capability anduse,2. the definitions of augmented start session and stop sessioncommands (with corresponding acknowledgements), and3. the definition of related procedures for TWAMP entities.The motivation for this feature is the ability to start and stopindividual test sessions at will, using a single TWAMP-Controlconnection.When the Server and Control-Client have agreed to use the Individual Session Control mode during control connection setup, then theControl-Client, the Server, the Session-Sender, and the Session-Reflector MUST all conform to the requirements of that mode, asidentified below. The original TWAMP-Control Start and Stop commands MUST NOT be used.3. TWAMP Control ExtensionsThe TWAMP-Control protocol is a derivative of the OWAMP-Controlprotocol, and provides two-way measurement capability. TWAMP[RFC5357] uses the Modes field to identify and select specificcommunication capabilities, and this field is a recognized extension mechanism. The following sections describe one such extension. Morton & Chiba Standards Track [Page 4]3.1. Connection Setup with Individual Session ControlTWAMP-Control connection establishment follows the procedure defined in Section 3.1 of [RFC4656] OWAMP. The Individual Session Controlmode requires one new bit position (and value) to identify theability of the Server/Session-Reflector to start and stop specificsessions (according to their Session Identifier, or SID). This newfeature requires an additional TWAMP mode bit assignment as follows: Value Description Reference/Explanation0 Reserved1 Unauthenticated RFC 4656, Section 3.12 Authenticated RFC 4656, Section 3.14 Encrypted RFC 4656, Section 3.18 Unauth. TEST protocol, RFC 5618, Section 3.1Encrypted CONTROL--------------------------------------------------------16 Individual Session RFC 5938, bit position 4ControlIn the original OWAMP Modes field, setting bit positions 0, 1, or 2indicated the security mode of the Control protocol, and the Testprotocol inherited the same mode (see Section 4 of [RFC4656]). Inthe [RFC5618] memo, bit position (3) allows a different security mode in the Test protocol and uses the unauthenticated test packet format. If the Server sets the new bit position (bit position 4) in theServer Greeting message to indicate its capabilities, then the Server and Session-Reflector MUST comply with the requirements of this memo to control sessions on an individual basis if desired.If the Control-Client intends to control sessions on an individualbasis (according to the requirements in this memo), it MUST set themode bit (4, corresponding to the new mode) in the Setup Responsemessage. This means that:1. The Control-Client and the Server MUST use the start and stopcommands intended for individual session control and thecorresponding acknowledgements, as defined in the sections thatfollow.2. The Control-Client and the Server MUST NOT use the start and stop commands (2 and 3) and the acknowledgement defined in [RFC5357]. The Control-Client MUST also set one mode bit to indicate the chosen security mode (currently bits 0, 1, 2, or 3), consistent with themodes offered by the Server. The Control-Client MAY also set Modes Morton & Chiba Standards Track [Page 5]field bit 4 with other features and bit positions (such as thereflect octets feature).3.2. Start-N-Sessions Command with Individual Session ControlHavingo initiated Individual Session Control mode in the Setup Response,o requested one or more test sessions, ando received affirmative Accept-Session response(s),a TWAMP Client MAY start the execution of one or more test sessionsby sending a Start-N-Sessions message to the Server (note that "N"indicates that this command is applicable to one or more sessions,and does not change with the number of sessions identified in thecommand).The format of the Start-N-Sessions message is as follows:0 1 2 30 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+B| 7 | |+-+-+-+-+-+-+-+-+ +| MBZ (11 octets) || |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Number of Sessions |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+B| || First SID (16 octets) || || |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+B| |. remaining SIDs (16 octets each) .. .| |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+B| || HMAC (16 octets) || || |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+BNote: In figures, "B" indicates the boundary of a 16-octet word. Morton & Chiba Standards Track [Page 6]The Command Number value of 7 indicates that this is a Start-N-Sessions command. The Control-Client MUST compose this command, and the Server MUST interpret this command, according to the fielddescriptions below.The Number of Sessions field indicates the count of sessions thatthis Start command applies to, and MUST be one or greater. Thenumber of SID fields that follow MUST be equal to the value in theNumber of Sessions field (otherwise, the command MUST NOT be affirmed with a zero Accept field in the Start-N-Ack response).All SID fields are constructed as defined in the last paragraph ofSection 3.5 of OWAMP [RFC4656] (and referenced in TWAMP). Note that the SID is assigned by the Server during the session requestexchange.The message is terminated with a single block HMAC, as illustratedabove.The Server MUST respond with one or more Start-N-Ack messages (which SHOULD be sent as quickly as possible). Start-N-Ack messages SHALLhave the format defined in the next session.When using Individual Session Control mode and its Start-N-Ackcommand as described in the next section, multiple Start-N-Sessionscommands MAY be sent without waiting for acknowledgement, and theStart-N-sessions commands MAY arrive in any order.3.3. Start-N-Ack Command with Individual Session ControlThe Server responds to the Start-N-Sessions command (for one or more specific sessions referenced by their SIDs) with one or more Start-N- Ack commands with Accept fields corresponding to one or more of theSIDs. This allows for the possibility that a Server cannotimmediately start one or more of the sessions referenced in aparticular Start-N-Sessions command, but can start one or more of the sessions.Morton & Chiba Standards Track [Page 7]The format of the message is as follows:0 1 2 30 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+B| 8 | Accept | MBZ |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| MBZ (8 octets) || |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Number of Sessions |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+B| || First SID (16 octets) || || |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+B| |. remaining SIDs (16 octets each) .. .| |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+B| || HMAC (16 octets) || || |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+The Command Number value of 8 indicates that this is a Start-N-Ackmessage. The Server MUST compose this command, and the Control-Client MUST interpret this command, according to the fielddescriptions below.The Accept field values are defined in Section 3.3 of OWAMP[RFC4656].The Number of Sessions field indicates the count of sessions thatthis Start-N-Ack command applies to, and MUST be one or greater. The number of SID fields that follow MUST be equal to the value in theNumber of Sessions field.All SID fields are constructed as defined in the last paragraph ofSection 3.5 of OWAMP [RFC4656] (and referenced in TWAMP). Note that the SID is assigned by the Server during the session requestexchange.The message is terminated with a single block HMAC, as illustratedabove.Morton & Chiba Standards Track [Page 8]Note that the SIDs for all Sessions with the same ’Accept’ code canbe acknowledged using the same Start-N-Ack message.For example, say that the Server receives a Start-N-Sessions command for SIDs 1, 2, 3, and 4. The Server determines that the resourcesfor SID=3 are temporarily unavailable. The Server responds with two Start-N-Ack commands with fields as follows:Accept = 0 Number of Sessions = 3 SIDs 1, 2, 4Accept = 5 Number of Sessions = 1 SID 33.4. Stop-N-Sessions Command with Individual Session ControlThe Stop-N-Sessions command can only be issued by the Control-Client. The command MUST contain at least one SID.The TWAMP Stop-N-Sessions command for use in Individual SessionControl mode is formatted as follows:0 1 2 30 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+B| 9 | |+-+-+-+-+-+-+-+-+ +| MBZ (11 octets) || |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Number of Sessions |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+B| || First SID (16 octets) || || |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+B| |. remaining SIDs (16 octets each) .. .| |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+B| || HMAC (16 octets) || || |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+B Morton & Chiba Standards Track [Page 9]The Command Number value of 9 indicates that this is a Stop-N-Sessions command. The Control-Client MUST compose this command, and the Server MUST interpret this command, according to the fielddescriptions below.The Number of Sessions field indicates the count of sessions to which this Stop-N-Sessions command applies. The SID is as defined inSection 3.5 of OWAMP [RFC4656] (and TWAMP), and the value MUST be one or greater. The number of SID fields that follow MUST be equal tothe value in the Number of Sessions field.The message is terminated with a single block HMAC, as illustratedabove.The Server MUST respond with one or more Stop-N-Ack messages (whichSHOULD be sent as quickly as possible). Stop-N-Ack messages SHALLhave the format defined in the next session.3.5. Stop-N-Ack Command with Individual Session ControlIn response to the Stop-N-Sessions command (for one or more specific sessions referenced by their SIDs), the Server MUST reply with one or more Stop-N-Ack commands with Accept fields corresponding to one ormore of the SIDs. This allows for the possibility that a Servercannot immediately stop one or more of the sessions referenced in aparticular Stop-N-Sessions command, but can stop one or more of thesessions.Morton & Chiba Standards Track [Page 10]The format for the Stop-N-Ack command is as follows:0 1 2 30 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+B| 10 | Accept | MBZ |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| MBZ (8 octets) || |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Number of Sessions |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+B| || First SID (16 octets) || || |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+B| |. remaining SIDs (16 octets each) .. .| |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+B| || HMAC (16 octets) || || |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+The Command Number value of 10 indicates that this is a Stop-N-Ackmessage. The Server MUST compose this command, and the Control-Client MUST interpret this command, according to the fielddescriptions below.The Accept Field values are defined in Section 3.3 of OWAMP[RFC4656].The Number of Sessions field indicates the count of sessions thatthis Stop-N-Ack command applies to, and MUST be one or greater. The number of SID fields that follow MUST be equal to the value in theNumber of Sessions field.All SID fields are constructed as defined in the last paragraph ofSection 3.5 of OWAMP [RFC4656] (and referenced in TWAMP). Note that the SID is assigned by the Server during the session requestexchange.The message is terminated with a single block HMAC, as illustratedabove.Morton & Chiba Standards Track [Page 11]Note that the SIDs for all Sessions with the same ’Accept’ code canbe acknowledged using the same Stop-N-Ack message.3.6. SERVWAIT Timeout OperationSection 3.1 of [RFC5357] describes the operation of the optionalSERVWAIT timer. In normal TWAMP operation, the Server suspendsmonitoring the SERVWAIT timer while test sessions are in progress.When the Individual Session Control feature is utilized, thissuspension is extended to cover the time when ANY test session is in progress.Thus, the Server SHALL suspend monitoring control connection activity after receiving any Start-N-Sessions command, and after receiving aStop-N-Sessions command for all corresponding SIDs (and no testsessions are in progress), OR when REFWAIT expires on ALL testsessions initiated by a TWAMP-Control connection, then the SERVWAITmonitoring SHALL resume (as though a Stop-N-Sessions command had been received). An implementation that supports the SERVWAIT timeoutoption SHOULD also implement the REFWAIT timeout option.The diagram below illustrates the operation of timers SERVWAIT andREFWAIT.SERVWAIT REFWAIT SERVWAIT+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+(no sessionsin progress)+-+-+-+-+-+-+-+-+-+-+-+SID="1"+-+-+-+-+SID="2"+-+-+-+-+-+-+-+-+SID="3">>>>>>>>>> Time >>>>>>>>>>>>>>>>>>> Time >>>>>>>>>>>>>>>> Time >>>>> 3.7. Additional ConsiderationsThe value of the Modes field sent by the Server (in the ServerGreeting message) is the bit-wise OR of the mode values that it iswilling to support during this session.With the publication of this feature, bit positions 0 through 4 ofthe 32-bit Modes field are used. A Control-Client MAY ignore bitpositions greater than 2 in the Modes field, or it MAY supportMorton & Chiba Standards Track [Page 12]OPTIONAL features that are communicated in bit positions 3 andhigher. (The unassigned bits are available for future protocolextensions.)Other ways in which TWAMP extends OWAMP are described in [RFC5357]. 4. TWAMP Test with Individual Session ControlThe TWAMP test protocol is similar to the OWAMP [RFC4656] testprotocol with the exception that the Session-Reflector transmits test packets to the Session-Sender in response to each test packet itreceives. TWAMP [RFC5357] defines two different test packet formats, one for packets transmitted by the Session-Sender and one for packets transmitted by the Session-Reflector. As with the OWAMP-Testprotocol, there are three security modes: unauthenticated,authenticated, and encrypted. The unauthenticated mode has one test packet format, while the authenticated and encrypted modes useanother (common) format.4.1. Sender BehaviorThe individual session control feature requires that the sender MUST manage test sessions according to their SID. Otherwise, the senderbehavior is as described in Section 4.1 of [RFC5357].4.2. Reflector BehaviorThe TWAMP Reflector follows the procedures and guidelines in Section 4.2 of [RFC5357], with the following additional functions required by this feature:o The Session-Reflector MUST manage all test sessions acceptedaccording to their SID.o Upon receipt of a TWAMP-Control Stop-N-Sessions commandreferencing a specific session/SID, the Session-Reflector MUSTignore TWAMP-Test packets (in the same session/SID) that arrive at the current time plus the Timeout (in the Request-TW-Sessioncommand and assuming subsequent acknowledgement). The Session-Reflector MUST NOT generate a test packet to the Session-Senderfor packets that are ignored. (Note: The Request-TW-Sessioncommand includes sender address + port and receiver address +port, and this is usually sufficient to distinguish sessions.)o If the REFWAIT timer is implemented, it SHOULD be enforced whenany test session is in progress (started and not stopped).Morton & Chiba Standards Track [Page 13]5. Security ConsiderationsThe security considerations that apply to any active measurement oflive networks are relevant here as well. See the securityconsiderations in [RFC4656] and [RFC5357].6. IANA ConsiderationsAs a result of this document, IANA has assigned one mode bitposition/value for a mode in the IANA registry for the TWAMP Modesfield, and this memo describes the behavior when the new mode isused. This field is a recognized extension mechanism for TWAMP.As a result of this document, IANA has assigned four command numbers in the "TWAMP-Control Command Numbers" registry, and this memodescribes the use of the new commands. The command number field is a recognized extension mechanism for TWAMP.6.1. Registry SpecificationIANA has created a "TWAMP-Modes" registry (as requested in[RFC5618]). TWAMP-Modes are specified in TWAMP Server Greetingmessages and Set-Up-Response messages, as described in Section 3.1 of [RFC5357], consistent with Section 3.1 of [RFC4656], and extended by this memo. Modes are indicated by setting bits in the 32-bit Modesfield that correspond to values in the "TWAMP-Modes" registry. Forthe "TWAMP-Modes" registry, we expect that new features will beassigned increasing registry values that correspond to single bitpositions, unless there is a good reason to do otherwise (morecomplex encoding than single bit positions may be used in the future to access the 2^32 value space).IANA has also created the "TWAMP-Control Command Numbers" registry.TWAMP-Control commands are specified by the first octet in TWAMP-Control messages as specified in Section 3.5 of [RFC5357], andaugmented by this memo. This registry may contain 256 possiblevalues.6.2. Registry ManagementBecause the "TWAMP-Control Command Numbers" registry can contain only 256 values and "TWAMP-Modes" are based on only 32 bit positions with a maximum of 2^32 values, and because TWAMP is an IETF protocol,these registries must be updated only by "IETF Consensus" asspecified in [RFC5226] (an RFC that documents registry use and isapproved by the IESG). Management of these registries is describedin Section 8.2 of [RFC5357] and [RFC5618].Morton & Chiba Standards Track [Page 14]The values 7, 8, 9, and 10 have been assigned in the "TWAMP-ControlCommand Numbers" Registry. The value 16 corresponding to the nextavailable bit position (4) (as described in Sections 3.1 and 3.7) has been assigned in the "TWAMP-Modes" registry.6.3. Experimental NumbersOne experimental value has been assigned in the "TWAMP-ControlCommand Numbers" registry.No additional experimental values are assigned in the TWAMP-Modesregistry.6.4. Registry ContentsTWAMP-Control Command Numbers RegistryValue Description Semantics Definition0 Reserved1 Forbidden2 Start-Sessions RFC 4656, Section 3.73 Stop-Sessions RFC 4656, Section 3.84 Reserved5 Request-TW-Session RFC 5357, Section 3.56 Experimentation RFC 5357, Section 8.3------------------------------------------------------------------7 Start-N-Sessions RFC 5938, Section 3.28 Start-N-Ack RFC 5938, Section 3.39 Stop-N-Sessions RFC 5938, Section 3.410 Stop-N-Ack RFC 5938, Section 3.5TWAMP-Modes RegistryValue Description Reference/Explanation0 Reserved1 Unauthenticated RFC 4656, Section 3.12 Authenticated RFC 4656, Section 3.14 Encrypted RFC 4656, Section 3.18 Unauth. TEST protocol, RFC 5618, Section 3.1Encrypted CONTROL--------------------------------------------------------16 Individual Session RFC 5938, Section 3.1Control bit position 4Morton & Chiba Standards Track [Page 15]。