rfc3936.Procedures for Modifying the Resource reSerVation Protocol (RSVP)
PV_3936_Englisch 10.10
Group Standard PV 3936
Issue 2010-10
Class. No.: 55104
Descriptors: polymers, blowby gas

Polymer Materials
Testing the Resistance to Components of Blowby Gases

Verify that you have the latest issue of the Standard before relying on it.
This electronically generated Standard is authentic and valid without signature.
The English translation is believed to be accurate. In case of discrepancies, the German version is alone authoritative and controlling.
Confidential. All rights reserved. No part of this document may be provided to third parties or reproduced without the prior consent of the Standards Department of a Volkswagen Group member.
This Standard is available to contracting parties solely via the B2B supplier platform.
© Volkswagen Aktiengesellschaft VWNORM-2010-08e

Preface

Part of the exhaust gases generated during the combustion process in the engine penetrates into the cylinder block and crankcase and is returned to the combustion process through a hose. These so-called blowby gases may condensate and cause damage to polymer materials used in exposed areas. The composition of the condensate varies considerably depending on the operating conditions of the engine. In vehicles equipped with an SI engine, for example, the condensate consists predominantly of the following three media: fuel (accounting for 3% to 93%), engine oil (accounting for 2% to 93%), aqueous, nitric acid phase (with pH values from 2 to 6, accounting for 0,2% to 70%).

Previous issues

PV 3936: 1998-12, 2009-06

Changes

The following changes have been made compared with PV 3936: 2009-06:
– Standard divided into test A (SI engine) and test B (diesel engine)
– Referenced documents updated

1 Scope

This Test Specification (PV) describes a procedure for testing the resistance of polymer materials (in the form of finished parts and test plates, e.g., crankcase breather hoses, connecting hoses and pipes, intake hoses and pipes, seals, etc.) to constituents of blowby gases.
– PV 3936-A for vehicles equipped with SI engines
– PV 3936-B for vehicles equipped with diesel engines

2 Requirements

Requirements for and deviations from the test procedure according to the Technical Supply Specification (TL), Volkswagen Group standard (VW) and/or drawing.

3 Description

Example:
Resistance to blowby gases acc. to PV 3936-A after n cycles permissible change of a required limit value

4 Test

4.1 Test equipment

– Forced air oven acc. to DIN 53508
– 2 x 200-ml ground flask with cover and plug
– Heating bath with reflux cooling
– 1 x 200-ml beaker with glass cover
– 1 × 500-ml round-bottom flask
– Specimen holder acc. to PV 3323 (corrosion protected)
– Universal testing machine (e.g. Zwick system)
– Shore A and D hardness measuring devices acc. to DIN 53505
– Analytical balance with an accuracy of ± 0,1 mg
– 1 M nitric acid
– 1 M acetic acid
– Reference Engine Oil Lubrizol OS 304 206 acc. to TL 52185
– FAM test fluid DIN 51604-2 - B (= FAM 2)
– Diesel fuel consisting of 93 volume percent standard diesel Liquid F acc. to DIN ISO 1817 and 7 volume percent fatty acid methyl ester (FAME) acc. to DIN EN 14214

4.2 Procedure

4.2.1 Test A - vehicles equipped with SI engines

The tests are performed using S3A dumb-bell specimens acc. to DIN 53504 that may be prepared from both finished parts and plate material. If possible, specimens prepared from finished parts are to be preferred over specimens produced from plate material.

In order to determine the initial values, the DUTs are measured, weighed, and then prepared according to PV 3323. Subsequently, they are subjected to the test cycle described in the following (see Figure 1). The number of cycles is specified in the supply specifications.

The dumb-bell specimens must be aged in 1 M of nitric acid in a 200-ml ground flask sealed with a plug in a forced air oven acc. to DIN 53508 for 4 h at 60 °C. The DUTs are then to be rinsed with distilled water. Remaining fluid must be dabbed off afterwards and the DUTs must be left to dry for 30 min at room temperature.

Subsequently, the specimens must be aged in Reference Engine Oil Lubrizol OS 304 206 acc. to TL 52185 for 18 h at 135 °C in a 250-ml beaker (high type) sealed by a glass cover (e.g. watch glass). Once the aging period has elapsed, the parts are to be cleaned from remaining test fluid (using rags/pulp) and acclimatized for 30 min at room temperature.

The DUTs are then to be aged in FAM test fluid DIN 51604-2 - B (= FAM 2) for 30 min at room temperature. The aging period is followed by a 15-minute flash-off period, after which the evaluation is to be performed. If additional test cycles are to follow, this period is to be extended to 30 min. Depending on the requirement, the above-mentioned cycle must be repeated accordingly.

If the test has to be interrupted for work-related reasons (e.g. weekend, holiday, etc.), the specimens must be stored in an open receptacle under the flue. This storage period must be considered as one cycle.

Figure 1 – Test plan for test A
Legend
1  1 test cycle ≙ 24 h
2  30 min drying
3  4 h in HNO3
4  Temperature (°C)
5  18 h in oil
6  30 min drying, 30 min in FAM 2, 30 min drying
7  Time in h

4.2.2 Test B – vehicles equipped with diesel engines

The tests are performed using S3A dumb-bell specimens acc. to DIN 53504 that may be prepared from both finished parts and plate material. If possible, specimens prepared from finished parts are to be preferred over specimens produced from plate material. In order to determine the initial values, the DUTs are measured, weighed, and then prepared according to PV 3323. Subsequently, they are subjected to the test cycle described in the following (see Figure 2). The number of cycles is specified in the supply specifications.

The dumb-bell specimens must be aged in 1 M of acetic acid (pH value 2,4) in a 200-ml ground flask sealed with a plug in a forced air oven acc. to DIN 53508 for 4 h at 80 °C. The DUTs are then to be rinsed with distilled water. Remaining fluid must be dabbed off afterwards and the DUTs must be left to dry for 30 min at room temperature.

Subsequently, the specimens must be aged in Reference Engine Oil Lubrizol OS 206 304 acc. to TL 52185 for 18 h at 135 °C in a 250-ml beaker (high type) sealed by a glass cover (e.g. watch glass). Once the aging period has elapsed, the parts are to be removed from the oil and cleaned from remaining test fluid (using rags/pulp).

The DUTs are then to be aged for 2 hours at 100 °C in standard diesel Liquid F acc. to DIN ISO 1817 by Haltermann. A heating bath with reflux cooling must be used for this purpose. The aging period is followed by a 15-minute flash-off period, after which the evaluation is to be performed.

If additional test cycles are to follow, this period is to be extended to 30 min. Depending on the requirement, the above-mentioned cycle must be repeated accordingly. If the test has to be interrupted for work-related reasons (e.g. weekend, holiday, etc.), the specimens must be stored in an open receptacle under the flue. This storage period must be considered as one cycle.

Figure 2 – Test plan for test B
Legend
1  1 test cycle ≙ 24 h
2  30 min drying
3  4 h in acid
4  Temperature in °C
5  17 h in oil
6  2 h in diesel
7  Time in h

4.3 Evaluation

After completion of the tests, the physical properties of the DUTs must be examined. Tensile strength, elongation at tear, shore A hardness, and the change in weight are determined for this purpose. Changes to the components, e.g., crack formation, softening, etc. must be recorded in writing.

NOTE 1 The volume swell and the evaluation of the specimen may also succeed each individual cycle. This must be agreed upon separately, if necessary.

The test report must include the following information with reference to this standard, if required:
– Number of cycles
– Tensile strength, elongation at tear as well as changes according to DIN 53504
– Hardness and change of hardness acc. to DIN 53505
– Change in weight
– Visual evaluation

5 Other applicable documents

The following documents cited in this Standard are necessary to its application.

Some of the cited documents are translations from the German original. The translations of German terms in such documents may differ from those used in this Standard, resulting in terminological inconsistency.

Standards whose titles are given in German may be available only in German. Editions in other languages may be available from the institution issuing the standard.

PV 3323: Test Vessels and Specimen Holders for Aging Standard Specimens
TL 52185: Reference Engine Oil SAE 5W-30 for Testing of Compatibility with Respect to Elastomer Materials; Lubricant Requirements
DIN 51604-2: Methanolic FAM testing fluid for polymer materials; composition and requirements
DIN 53504: Testing of rubber - determination of tensile strength at break, tensile stress at yield, elongation at break and stress values in a tensile test
DIN 53505: Testing of rubber - Shore A and Shore D hardness test
DIN 53508: Testing of rubber - Accelerated ageing
DIN EN 14214: Automotive fuels - Fatty acid methyl esters (FAME) for diesel engines - Requirements and test methods
DIN ISO 1817: Rubber, vulcanized - Determination of the effect of liquids
infoX-MAS API Interface Specification (SOAP)

Contents

1 Overview and General Description of the WebService Communication Adapter Plug-in Interface
1.1 Web Service Common Data Definitions
1.1.1 Web Service Invocation Method
1.1.2 XML Data Types
1.1.3 Common Exception Definitions
1.1.4 AnyUri Format Description
1.1.5 Plug-in Management Interface
1.1.6 Interface Definition
1.1.7 Plug-in Status Reporting
1.1.8 Plug-in Deregistration
1.1.9 Plug-in Suspension
1.1.10 Application System Service Notification Interface
1.1.11 Interface Definition
1.1.12 Short Message Interface
1.1.13 Data Types
1.1.14 Interface Definition
1.1.15 Service Policy
1.1.16 Multimedia Message Interface
1.1.17 Interface Definition
1.1.18 Location Interface
1.1.19 Interface Definition
1.1.20 Interface Definition

1 Overview and General Description of the WebService Communication Adapter Plug-in Interface

The WebService communication adapter plug-in provides a unified encapsulation of the various communication capabilities, to be called by enterprise customer application systems and by MAS server application plug-ins.
rfc5930.Using Advanced Encryption Standard Counter Mode (AES-CTR)
Internet Engineering Task Force (IETF)                          S. Shen
Request for Comments: 5930                                       Huawei
Category: Informational                                          Y. Mao
ISSN: 2070-1721                             Hangzhou H3C Tech. Co., Ltd.
                                                            NSS. Murthy
                                                Freescale Semiconductor
                                                              July 2010

Using Advanced Encryption Standard Counter Mode (AES-CTR) with the Internet Key Exchange version 02 (IKEv2) Protocol

Abstract

This document describes the usage of Advanced Encryption Standard Counter Mode (AES-CTR), with an explicit Initialization Vector, by the Internet Key Exchange version 2 (IKEv2) protocol, for encrypting the IKEv2 exchanges that follow the IKE_SA_INIT exchange.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at /info/rfc5930.

Shen, et al.                  Informational                    [Page 1]

Copyright Notice

Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust’s Legal Provisions Relating to IETF Documents (/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction
   1.1. Conventions Used in This Document
2. IKEv2 Encrypted Payload
3. IKEv2 Conventions
4. Security Considerations
5. IANA Considerations
6. Acknowledgments
7. References
   7.1. Normative References
   7.2. Informative References

1. Introduction

The Internet Key Exchange version 2 (IKEv2) protocol [RFC4306] is a component of IPsec used for performing mutual authentication and establishing and maintaining security associations (SAs). [RFC4307] defines the set of algorithms that are mandatory to implement as part of IKEv2, as well as algorithms that should be implemented because they may be promoted to mandatory at some future time. [RFC4307] requires that an implementation "SHOULD" support Advanced Encryption Standard [AES] Counter Mode [MODES] (AES-CTR) as a Transform Type 1 algorithm (encryption).

Although [RFC4307] specifies that the AES-CTR encryption algorithm feature SHOULD be supported by IKEv2, no existing document specifies how IKEv2 can support the feature. This document provides the specification and usage of AES-CTR Counter Mode by IKEv2.

Implementers need to carefully consider the use of AES-CTR over the mandatory-to-implement algorithms in [RFC4307], because the performance improvements of AES-CTR are minimal in the context of IKEv2. Furthermore, these performance improvements may be offset by the Counter Mode specific risk of a minor, hard-to-detect implementation issue resulting in total security failure.

1.1. Conventions Used in This Document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

2. IKEv2 Encrypted Payload

Section 3.14 of IKEv2 [RFC4306] explains the IKEv2 Encrypted Payload. The Encrypted Payload, denoted SK{...}, contains other IKEv2 payloads in encrypted form.

The payload includes an Initialization Vector (IV) whose length is defined by the encryption algorithm negotiated. It also includes Integrity Checksum data. These two fields are not encrypted.

The IV field MUST be 8 octets when the AES-CTR algorithm is used for IKEv2 encryption. The requirements for this IV are the same as what is specified for the Encapsulating Security Payload (ESP) in Section 3.1 of [RFC3686].

IKEv2 requires Integrity Check Data for the Encrypted Payload as described in Section 3.14 of [RFC4306]. The choice of integrity algorithms in IKEv2 is defined in [RFC4307] or documents that update it in the future.

When AES-CTR is used in IKEv2, no padding is required. The Padding field of the Encrypted Payload SHOULD be empty, and the Pad Length field SHOULD be zero. However, according to [RFC4306], the recipient MUST accept any length that results in proper alignment. It should be noted that the ESP [RFC4303] Encrypted Payload requires alignment on a 4-byte boundary while the IKEv2 [RFC4306] Encrypted Payload does not have such a requirement.

The Encrypted Payload is the XOR of the plaintext and key stream. The key stream is generated by inputting counter blocks into the AES algorithm. The AES counter block is 128 bits, including a 4-octet Nonce, 8-octet Initialization Vector, and 4-octet Block Counter, in that order. The Block Counter begins with the value of one and increments by one to generate the next portion of the key stream. The detailed requirements for the counter block are the same as those specified in Section 4 of [RFC3686].

3. IKEv2 Conventions

The use of AES-CTR for the IKE SA is negotiated in the same way as AES-CTR for ESP. The Transform ID (ENCR_AES_CTR) is the same; the key length transform attribute is used in the same way; and the keying material (consisting of the actual key and the nonce) is derived in the same way. See Section 5 of [RFC3686] for detailed descriptions.

4. Security Considerations

Security considerations explained in Section 7 of [RFC3686] are entirely relevant to this document as well. The security considerations on fresh keys and integrity protection in Section 7 of [RFC3686] are totally applicable to using AES-CTR in IKEv2; see [RFC3686] for details. As static keys are never used in IKEv2 for IKE_SA and integrity protection is mandatory for IKE_SA, these issues are not applicable for AES-CTR in IKEv2 when protecting IKE_SA.

Additionally, since AES has a 128-bit block size, regardless of the mode employed, the ciphertext generated by AES encryption becomes distinguishable from random values after 2^64 blocks are encrypted with a single key. Since IKEv2 SA cannot carry that much data (because of the size limit of the message ID of the IKEv2 message and the requirements for the message ID in Section 4 of [RFC4306]), this issue is not a concern here.

For generic attacks on AES, such as brute force or precalculations, the key-size requirements provide reasonable security [Recommendations].

5. IANA Considerations

IANA [IANA-Para] has assigned an Encryption Algorithm Transform ID for AES-CTR encryption with an explicit IV for IKEv2: 13 as the number, and ENCR_AES_CTR as the name. IANA has added a reference to this RFC in that entry.

6. Acknowledgments

The authors thank Yaron Sheffer, Paul Hoffman, Tero Kivinen, and Alfred Hoenes for their direction and comments on this document.

This document specifies usage of AES-CTR with IKEv2, similar to usage of AES-CTR with ESP as specified in [RFC3686]. The reader is referred to [RFC3686] for the same descriptions and definitions. The authors thank Russ Housley for providing the document.

During the production and modification of this document, both Huawei and CNNIC supported one of the authors, Sean Shen. Both are appreciated as affiliations of the author.

7. References

7.1. Normative References

[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC3686]  Housley, R., "Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP)", RFC 3686, January 2004.

[RFC4306]  Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC 4306, December 2005.

[RFC4307]  Schiller, J., "Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2)", RFC 4307, December 2005.

[AES]  National Institute of Standards and Technology, "Advanced Encryption Standard (AES)", FIPS PUB 197, November 2001, </publications/fips/fips197/fips-197.pdf>.

[IANA-Para]  Internet Assigned Numbers Authority, "Internet Key Exchange Version 2 (IKEv2) Parameters", <>.

[MODES]  Dworkin, M., "Recommendation for Block Cipher Modes of Operation -- Methods and Techniques", NIST Special Publication 800-38A, December 2001, </publications/nistpubs/800-38a/sp800-38a.pdf>.

7.2. Informative References

[RFC4303]  Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, December 2005.

[Recommendations]  Barker, E., Barker, W., Burr, W., Polk, W., and M. Smid, "Recommendation for Key Management - Part 1: General (Revised)", NIST Special Publication 800-57, March 2007, <http:///publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf>.

Authors’ Addresses

Sean Shen
Huawei
4, South 4th Street, Zhongguancun
Beijing 100190
China
EMail: shenshuo@

Yu Mao
Hangzhou H3C Tech. Co., Ltd.
Oriental Electronic Bld., No. 2
Chuangye Road
Shang-Di Information Industry
Hai-Dian District
Beijing 100085
China
EMail: yumao9@

N S Srinivasa Murthy
Freescale Semiconductor
UMA PLAZA, NAGARJUNA CIRCLE, PUNJAGUTTA
HYDERABAD 500082
INDIA
EMail: ssmurthy.nittala@
网络安全技术英文习题集_网络安全技术
网络安全技术英文习题集_网络安全技术精品管理制度、管理方案、合同、协议、一起学习进步《网络安全技术》英文习题集Chapter 1 IntroductionANSWERS NSWERS TO QUESTIONS1.1 What is the OSI security architecture?The OSI Security Architecture is a framework that provides a systematic way of defining the requirements for security and characterizing the approaches to satisfying those requirements. The document defines security attacks, mechanisms, and services, and the relationships among these categories.1.2 What is the difference between passive and active security threats? Passive attacks have to do with eavesdropping on, or monitoring, transmissions. Electronic mail, file transfers, and client/server exchanges are examples of transmissions that can be monitored. Active attacks include the modification of transmitted data and attempts to gain unauthorized access to computer systems.1.3 Lists and briefly define categories of passive and active security attacks?Passive attacks: release of message contents and traffic analysis. Active attacks: masquerade, replay, modification of messages, and denial of service.1.4 Lists and briefly define categories of security service? Authentication: The assurance that the communicating entity is the one that it claims to be.Access contr ol: The prevention of unauthorized use of a resource (i.e., this service controls who can have access to a resource, under what conditions access can occur, and what those accessing the resource are allowed to do). Data confidentiality: The protection of data from unauthorized disclosure. Data integrity: The assurance that data received are exactly as sent by an authorized entity (i.e., contain no modification, insertion, deletion, or replay). 
Nonrepudiation: Provides protection against denial by one of the entities involved in a communication of having participated in all or part of the communication.Availability service: The property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system (i.e., a system is available if it provides services according to the system design whenever users request them).Chapter2 Symmetric Encryptionand Message ConfidentialityANSWERS NSWERS TO QUESTIONS2.1 What are the essential ingredients of a symmetric cipher? Plaintext, encryption algorithm, secret key, ciphertext, decryption algorithm.2.2 What are the two basic functions used in encryption algorithms? Permutation and substitution.2.3 How many keys are required for two people to communicate via a symmetric cipher?One secret key.2.4 What is the difference between a block cipher and a stream cipher?A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length.2.5 What are the two general approaches to attacking a cipher? Cryptanalysis and brute force.2.6 Why do some block cipher modes of operation only use encryption while others use both encryption and decryption?In some modes, the plaintext does not pass through the encryption function, but is XORed with the output of the encryption function. The math works out that for decryption in these cases, the encryption function must also be used.2.7 What is triple encryption?With triple encryption, a plaintext block is encrypted by passing it through an encryption algorithm; the result is then passed through the same encryption algorithm again; the result of the second encryption is passed through the same encryption algorithm a third time. 
Typically, the second stage uses the decryption algorithm rather than the encryption algorithm.2.8 Why is the middle portion of 3DES a decryption rather than an encryption?There is no cryptographic significance to the use of decryption for the second stage. Its only advantage is that it allows users of 3DES to decrypt data encrypted by users of the older single DES by repeating the key.2.9 What is the difference between link and end-to-end encryption?With link encryption, each vulnerable communications link is equipped on both ends with an encryption device. With end-to-end encryption, the encryption process is carried out at the two end systems. The source host or terminal encrypts the data; the data in encrypted form are then transmitted unaltered across the network to the destination terminal or host.2.10 List ways in which secret keys can be distributed to two communicating parties.For two parties A and B, key distribution can be achieved in a number of ways, as follows:(1)A can select a key and physically deliver it to B.(2)A third party can select the key and physically deliver it to A and B.(3)If A and B have previously and recently used a key, one party can transmit the new key to the other, encrypted using the old key.(4)If A and B each has an encrypted connection to a third party C, C can deliver a key on the encrypted links to A and B.2.11 What is the difference between a session key and a master key?A session key is a temporary encryption key used between two principals. A master key is a long-lasting key that is used between a key distribution center and a principal for the purpose of encoding the transmission of session keys. Typically, the master keys are distributed by noncryptographic means.2.12 What is a key distribution center?A key distribution center is a system that is authorized to transmit temporary session keys to principals. 
Each session key is transmitted in encrypted form, using a master key that the key distribution center shares with the target principal.ANSWERS NSWERS TO PROBLEMS2.1 What RC4 key value will leave S unchanged during initialization? That is, after the initial permutation of S, the entries of S will be equal to the values from 0 through 255 in ascending order.Use a key of length 255 bytes. The first two bytes are zero; that is K[0] = K[1] = 0. Thereafter, we have: K[2] = 255; K[3] = 254; … K[255]= 2.2.2 If a bit error occurs in the transmission of a ciphertext character in 8-bit CFB mode, how far does the error propagate?Nine plaintext characters are affected. The plaintext character corresponding to the ciphertext character is obviously altered. In addition, the altered ciphertext character enters the shift register and is not removed until the next eight characters are processed.2.3 Key distribution schemes using an access control center and/or a key distribution center have central points vulnerable to attack. Discuss the security implications of such centralization.The central points should be highly fault-tolerant, should be physically secured, and should use trusted hardware/software.Chapter 3 Public-Key Cryptography and Message AuthenticationANSWERS NSWERS TO QUESTIONS3.1 List three approaches to message authentication.Message encryption, message authentication code, hash function.3.2 What is message authentication code?An authenticator that is a cryptographic function of both the data to be authenticated and a secret key.3.3 Briefly describe the three schemes illustrated in Figture3.2.(a) A hash code is computed from the source message, encrypted using symmetric encryption and a secret key, and appended to the message. At the receiver, the same hash code is computed. The incoming code is decrypted using the same key and compared with the computed hash code. 
(b) This is the same procedure as in (a) except that public-key encryption is used; the sender encrypts the hash code with the sender's private key, and the receiver decrypts the hash code with the sender's public key. (c) A secret value is appended to a message and then a hash code is calculated using the message plus secret value as input. Then the message (without the secret value) and the hash code are transmitted. The receiver appends the same secret value to the message and computes the hash value over the message plus secret value. This is then compared to the received hash code.3.4 What properties must a hash function have to be useful for message authentication?(1)H can be applied to a block of data of any size.(2)H produces a fixed-length output.(3)H(x) is relatively easy to compute for any given x, making both hardware and software implementations practical.(4)For any given value h, it is computationally infeasible to find x such that H(x) = h. This is sometimes referred to in the literature as the one-way property. (5)For any given block x, it is computationally infeasible to find y ≠ x with H(y) =H(x).(6)It is computationally infeasible to find any pair (x, y) such that H(x) = H(y).3.5 In the context of a hash function, what is a compression function? The compression function is the fundamental module, or basic building block, of a hash function. The hash function consists of iterated application of the compression function.3.6 What are the principal ingredients of a public-key cryptosystem? Plaintext: This is the readable message or data that is fed into the algorithmas input. Encryption algorithm: The encryption algorithm performs varioustransformations on the plaintext. Public and private keys: This is a pair of keys that have been selected so that if one is used for encryption, the other is used for decryption. The exact transformations performed by the encryption algorithm depend on the public or private key that is provided as input. 
Ciphertext: This is the scrambled message produced as output. It depends on the plaintext and the key. For a given message, two different keys will produce two different ciphertexts. Decryption algorithm: This algorithm accepts the ciphertext and the matching key and produces the original plaintext.3.7 List and briefly define three uses of a public-key cryptosystem. Encryption/decryption: The sender encrypts a message with the recipient's public key. Digital signature: The sender "signs" a message with its private key. Signing is achieved by a cryptographic algorithm applied to the message or to a small block of data that is a function of the message. Key exchange: Two sides cooperate to exchange a session key. Several different approaches are possible, involving the private key(s) of one or both parties.3.8 What is the difference between a private key and a secret key?The key used in conventional encryption is typically referred to as a secret key. The two keys used for public-key encryption are referred to as the public key and the private key.3.9 What is digital signature?A digital signature is an authentication mechanism that enables the creator of a message to attach a code that acts as a signature. The signature is formed by taking the hash of the message and encrypting the message with the creator's private key. The signature guarantees the source and integrity of the message.3.10 What is a public-key certificate?A pubic-key certificate consists of a public key plus a User ID of the key owner, with the whole block signed by a trusted third party. Typically, the third party is a certificate authority (CA) that is trusted by the user community, such as a government agency or a financial institution.3.11 How can public-key encryption be used to distribute a secret key?Several different approaches are possible, involving the private key(s) of one or both parties. One approach is Diffie-Hellman key exchange. 
Another approach is for the sender to encrypt a secret key with the recipient's public key.

ANSWERS TO PROBLEMS

3.1 Consider a 32-bit hash function defined as the concatenation of two 16-bit functions: XOR and RXOR, defined in Section 3.2 as “two simple hash functions.”
a. Will this checksum detect all errors caused by an odd number of error bits? Explain.
b. Will this checksum detect all errors caused by an even number of error bits? If not, characterize the error patterns that will cause the checksum to fail.
c. Comment on the effectiveness of this function for use as a hash function for authentication.

a. Yes. The XOR function is simply a vertical parity check. If there is an odd number of errors, then there must be at least one column that contains an odd number of errors, and the parity bit for that column will detect the error. Note that the RXOR function also catches all errors caused by an odd number of error bits. Each RXOR bit is a function of a unique "spiral" of bits in the block of data. If there is an odd number of errors, then there must be at least one spiral that contains an odd number of errors, and the parity bit for that spiral will detect the error.
b. No. The checksum will fail to detect an even number of errors when both the XOR and RXOR functions fail. In order for both to fail, the pattern of error bits must be at intersection points between parity spirals and parity columns such that there is an even number of error bits in each parity column and an even number of error bits in each spiral.
c. It is too simple to be used as a secure hash function; finding multiple messages with the same hash function would be too easy.

3.2 Suppose H(m) is a collision-resistant hash function that maps a message of arbitrary bit length into an n-bit hash value. Is it true that, for all messages x, x’ with x ≠ x’, we have H(x) ≠ H(x’)? Explain your answer.

The statement is false.
Such a function cannot be one-to-one because the number of inputs to the function is arbitrary, but the number of unique outputs is 2^n. Thus, there are multiple inputs that map into the same output.

3.3 Perform encryption and decryption using the RSA algorithm, as in Figure 3.9, for the following:
a. p = 3; q = 11; e = 7; M = 5
b. p = 5; q = 11; e = 3; M = 9
c. p = 7; q = 11; e = 17; M = 8
d. p = 11; q = 13; e = 11; M = 7
e. p = 17; q = 31; e = 7; M = 2.
Hint: Decryption is not as hard as you think; use some finesse.

a. n = 33; φ(n) = 20; d = 3; C = 26.
b. n = 55; φ(n) = 40; d = 27; C = 14.
c. n = 77; φ(n) = 60; d = 53; C = 57.
d. n = 143; φ(n) = 120; d = 11; C = 106.
e. n = 527; φ(n) = 480; d = 343; C = 128. For decryption, we have
128^343 mod 527 = 128^256 ⋅ 128^64 ⋅ 128^16 ⋅ 128^4 ⋅ 128^2 ⋅ 128^1 mod 527
= 35 ⋅ 256 ⋅ 35 ⋅ 101 ⋅ 47 ⋅ 128 = 2 mod 527
= 2 mod 257

3.4 In a public-key system using RSA, you intercept the ciphertext C = 10 sent to a user whose public key is e = 5, n = 35. What is the plaintext M?

M = 5

3.5 In an RSA system, the public key of a given user is e = 31, n = 3599. What is the private key of this user?

d = 3031

3.6 Suppose we have a set of blocks encoded with the RSA algorithm and we don’t have the private key. Assume n = pq, e is the public key. Suppose also someone tells us they know one of the plaintext blocks has a common factor with n. Does this help us in any way?

Yes. If a plaintext block has a common factor with n modulo n then the encoded block will also have a common factor with n modulo n. Because we encode blocks that are smaller than pq, the factor must be p or q and the plaintext block must be a multiple of p or q. We can test each block for primality. If prime, it is p or q. In this case we divide into n to find the other factor. If not prime, we factor it and try the factors as divisors of n.

3.7 Consider a Diffie-Hellman scheme with a common prime q = 11 and a primitive root a = 2.
a. If user A has public key YA = 9, what is A’s private key XA?
b. If user B has public key YB = 3, what is the shared secret key K?

a. XA = 6
b.
K = 3

Chapter 4 Authentication Applications

ANSWERS TO QUESTIONS

4.1 What problem was Kerberos designed to address?

The problem that Kerberos addresses is this: Assume an open distributed environment in which users at workstations wish to access services on servers distributed throughout the network. We would like for servers to be able to restrict access to authorized users and to be able to authenticate requests for service. In this environment, a workstation cannot be trusted to identify its users correctly to network services.

4.2 What are three threats associated with user authentication over a network or Internet?

1. A user may gain access to a particular workstation and pretend to be another user operating from that workstation.
2. A user may alter the network address of a workstation so that the requests sent from the altered workstation appear to come from the impersonated workstation.
3. A user may eavesdrop on exchanges and use a replay attack to gain entrance to a server or to disrupt operations.

4.3 List three approaches to secure user authentication in a distributed environment.

1. Rely on each individual client workstation to assure the identity of its user or users and rely on each server to enforce a security policy based on user identification (ID).
2. Require that client systems authenticate themselves to servers, but trust the client system concerning the identity of its user.
3. Require the user to prove identity for each service invoked. Also require that servers prove their identity to clients.

4.4 What four requirements are defined for Kerberos?

Secure: A network eavesdropper should not be able to obtain the necessary information to impersonate a user. More generally, Kerberos should be strong enough that a potential opponent does not find it to be the weak link.
Reliable: For all services that rely on Kerberos for access control, lack of availability of the Kerberos service means lack of availability of the supported services.
Hence, Kerberos should be highly reliable and should employ a distributed server architecture, with one system able to back up another.
Transparent: Ideally, the user should not be aware that authentication is taking place, beyond the requirement to enter a password.
Scalable: The system should be capable of supporting large numbers of clients and servers. This suggests a modular, distributed architecture.

4.5 What entities constitute a full-service Kerberos environment?

A full-service Kerberos environment consists of a Kerberos server, a number of clients, and a number of application servers.

4.6 In the context of Kerberos, what is a realm?

A realm is an environment in which:
1. The Kerberos server must have the user ID (UID) and hashed password of all participating users in its database. All users are registered with the Kerberos server.
2. The Kerberos server must share a secret key with each server. All servers are registered with the Kerberos server.

4.7 What are the principal differences between version 4 and version 5 of Kerberos?

Version 5 overcomes some environmental shortcomings and some technical deficiencies in Version 4.

4.8 What is the purpose of the X.509 standard?

X.509 defines a framework for the provision of authentication services by the X.500 directory to its users. The directory may serve as a repository of public-key certificates. Each certificate contains the public key of a user and is signed with the private key of a trusted certification authority.
In addition, X.509 defines alternative authentication protocols based on the use of public-key certificates.

4.9 What is a chain of certificates?

A chain of certificates consists of a sequence of certificates created by different certification authorities (CAs) in which each successive certificate is a certificate by one CA that certifies the public key of the next CA in the chain.

4.10 How is an X.509 certificate revoked?

The owner of a public-key can issue a certificate revocation list that revokes one or more certificates.

ANSWERS TO PROBLEMS

4.1 Show that a random error in a block of ciphertext is propagated to all subsequent blocks of plaintext in PCBC mode (Figure 4.9).

An error in C1 affects P1 because the encryption of C1 is XORed with IV to produce P1. Both C1 and P1 affect P2, which is the XOR of the encryption of C2 with the XOR of C1 and P1. Beyond that, PN–1 is one of the XORed inputs to forming PN.

4.2 The 1988 version of X.509 lists properties that RSA keys must satisfy to be secure, given current knowledge about the difficulty of factoring large numbers. The discussion concludes with a constraint on the public exponent and the modulus n: It must be ensured that e > log2(n) to prevent attack by taking the eth root mod n to disclose the plaintext. Although the constraint is correct, the reason given for requiring it is incorrect. What is wrong with the reason given and what is the correct reason?

Taking the eth root mod n of a ciphertext block will always reveal the plaintext, no matter what the values of e and n are. In general this is a very difficult problem, and indeed is the reason why RSA is secure. The point is that, if e is too small, then taking the normal integer eth root will be the same as taking the eth root mod n, and taking integer eth roots is relatively easy.

Chapter 5 Electronic Mail Security

ANSWERS TO QUESTIONS

5.1 What are the five principal services provided by PGP?
Authentication, confidentiality, compression, e-mail compatibility, and segmentation

5.2 What is the utility of a detached signature?

A detached signature is useful in several contexts. A user may wish to maintain a separate signature log of all messages sent or received. A detached signature of an executable program can detect subsequent virus infection. Finally, detached signatures can be used when more than one party must sign a document, such as a legal contract. Each person's signature is independent and therefore is applied only to the document. Otherwise, signatures would have to be nested, with the second signer signing both the document and the first signature, and so on.

5.3 Why does PGP generate a signature before applying compression?

a. It is preferable to sign an uncompressed message so that one can store only the uncompressed message together with the signature for future verification. If one signed a compressed document, then it would be necessary either to store a compressed version of the message for later verification or to recompress the message when verification is required.
b. Even if one were willing to generate dynamically a recompressed message for verification, PGP's compression algorithm presents a difficulty. The algorithm is not deterministic; various implementations of the algorithm achieve different tradeoffs in running speed versus compression ratio and, as a result, produce different compressed forms. However, these different compression algorithms are interoperable because any version of the algorithm can correctly decompress the output of any other version. Applying the hash function and signature after compression would constrain all PGP implementations to the same version of the compression algorithm.

5.4 What is R64 conversion?

R64 converts a raw 8-bit binary stream to a stream of printable ASCII characters.
Each group of three octets of binary data is mapped into four ASCII characters.

5.5 Why is R64 conversion useful for an e-mail application?

When PGP is used, at least part of the block to be transmitted is encrypted. If only the signature service is used, then the message digest is encrypted (with the sender's private key). If the confidentiality service is used, the message plus signature (if present) are encrypted (with a one-time symmetric key). Thus, part or all of the resulting block consists of a stream of arbitrary 8-bit octets. However, many electronic mail systems only permit the use of blocks consisting of ASCII text.

5.6 Why is the segmentation and reassembly function in PGP needed?

E-mail facilities often are restricted to a maximum message length.

5.7 How does PGP use the concept of trust?

PGP includes a facility for assigning a level of trust to individual signers and to keys.

5.8 What is RFC 822?

RFC 822 defines a format for text messages that are sent using electronic mail.

5.9 What is MIME?

MIME is an extension to the RFC 822 framework that is intended to address some of the problems and limitations of the use of SMTP (Simple Mail Transfer Protocol) or some other mail transfer protocol and RFC 822 for electronic mail.

5.10 What is S/MIME?

S/MIME (Secure/Multipurpose Internet Mail Extension) is a security enhancement to the MIME Internet e-mail format standard, based on technology from RSA Data Security.

ANSWERS TO PROBLEMS

5.1 In the PGP scheme, what is the expected number of session keys generated before a previously created key is produced?

This is just another form of the birthday paradox discussed in Appendix 11A. Let us state the problem as one of determining what number of session keys must be generated so that the probability of a duplicate is greater than 0.5. From Equation (11.6) in Appendix 11A, we have the approximation:

k = 1.18 ⋅ √n

For a 128-bit key, there are 2^128 possible keys.
Therefore

k = 1.18 ⋅ √(2^128) = 1.18 ⋅ 2^64

5.2 The first 16 bits of the message digest in a PGP signature are translated in the clear.
a. To what extent does this compromise the security of the hash algorithm?
b. To what extent does it in fact perform its intended function, namely, to help determine if the correct RSA key was used to decrypt the digest?

a. Not at all. The message digest is encrypted with the sender's private key. Therefore, anyone in possession of the public key can decrypt it and recover the entire message digest.
b. The probability that a message digest decrypted with the wrong key would have an exact match in the first 16 bits with the original message digest is 2^-16.

5.3 In Figure 5.4, each entry in the public-key ring contains an owner trust field that indicates the degree of trust associated with this public-key owner. Why is that not enough? That is, if this owner is trusted and this is supposed to be the owner’s public key, why is not that trust enough to permit PGP to use this public key?

We trust this owner, but that does not necessarily mean that we can trust that we are in possession of that owner's public key.

5.4 Consider radix-64 conversion as a form of encryption. In this case, there is no key. But suppose that an opponent knew only that some form of substitution algorithm was being used to encrypt English text and did not guess it was R64. How effective would this algorithm be against cryptanalysis?

It certainly provides more security than a monoalphabetic substitution. Because we are treating the plaintext as a string of bits and encrypting 6 bits at a time, we are not encrypting individual characters.
Therefore, the frequency information is lost, or at least significantly obscured.

5.5 Phil Zimmermann chose IDEA, three-key triple DES, and CAST-128 as symmetric encryption algorithms for PGP. Give reasons why each of the following symmetric encryption algorithms described in this book is suitable or unsuitable for PGP: DES, two-key triple DES, and AES.

DES is unsuitable because of its short key size. Two-key triple DES, which has a key length of 112 bits, is suitable. AES is also suitable.

Chapter 6 IP Security

ANSWERS TO QUESTIONS

6.1 Give examples of applications of IPSec.

Secure branch office connectivity over the Internet: A company can build a secure virtual private network over the Internet or over a public WAN. This enables a business to rely heavily on the Internet and reduce its need for private networks, saving costs and network management overhead.
Secure remote access over the Internet: An end user whose system is equipped with IP security protocols can make a local call to an Internet service provider (ISP) and gain secure access to a company network. This reduces the cost of toll charges for traveling employees and telecommuters.
Establishing extranet and intranet connectivity with partners: IPSec can be used to secure communication with other organizations, ensuring authentication and confidentiality and providing a key exchange mechanism.
Enhancing electronic commerce security: Even though some Web and electronic commerce applications have built-in security protocols, the use of IPSec enhances that security.

6.2 What services are provided by IPSec?
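The arithmetic behind the Chapter 3 answers to Problems 3.3(e) and 3.4 through 3.7 above can be re-derived mechanically. The following is an added example, not part of the original solutions; the function names are hypothetical, and the plaintext block M = 118 used for Problem 3.6 is constructed.

```python
from math import gcd


def modinv(a, m):
    """Multiplicative inverse of a modulo m, by the extended Euclidean algorithm."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_s, s = s, old_s - quotient * s
    if old_r != 1:
        raise ValueError("a has no inverse modulo m")
    return old_s % m


def square_and_multiply(base, exponent, modulus):
    """Return (base**exponent mod modulus, factors).

    factors lists (2**i, base**(2**i) mod modulus) for every set bit of the
    exponent, highest power first: the same decomposition the answer to
    Problem 3.3(e) writes out by hand.
    """
    factors = []
    square, power = base % modulus, 1
    while exponent:
        if exponent & 1:
            factors.append((power, square))
        square = square * square % modulus
        power *= 2
        exponent >>= 1
    result = 1
    for _, value in factors:
        result = result * value % modulus
    factors.reverse()
    return result, factors


def factor_semiprime(n):
    """Trial division. It terminates quickly only because the textbook moduli are tiny."""
    candidate = 2
    while candidate * candidate <= n:
        if n % candidate == 0:
            return candidate, n // candidate
        candidate += 1
    raise ValueError("n is prime")


def private_exponent(e, n):
    """Problems 3.4 and 3.5: d = e^-1 mod phi(n), once n has been factored."""
    p, q = factor_semiprime(n)
    return modinv(e, (p - 1) * (q - 1))


def shared_factor(ciphertext, n):
    """Problem 3.6: a block that is a multiple of p or q leaks that prime via gcd."""
    g = gcd(ciphertext, n)
    return g if 1 < g < n else None


def dh_private_key(alpha, q, public):
    """Problem 3.7a: exhaustive discrete log, feasible only for a toy prime such as q = 11."""
    for x in range(1, q):
        if pow(alpha, x, q) == public:
            return x
    raise ValueError("public value is not a power of alpha")


def dh_shared_key(peer_public, private, q):
    """Problem 3.7b: K = (peer's public value)^(own private key) mod q."""
    return pow(peer_public, private, q)


if __name__ == "__main__":
    d = modinv(7, 480)                                   # 3.3(e): phi(527) = 16 * 30
    print("3.3(e) d =", d, "decryption:", square_and_multiply(128, d, 527))
    print("3.4 M =", pow(10, private_exponent(5, 35), 35))
    print("3.5 d =", private_exponent(31, 3599))
    c = pow(118, 31, 3599)                               # constructed block: 118 = 2 * 59
    print("3.6 gcd(C, n) =", shared_factor(c, 3599))
    xa = dh_private_key(2, 11, 9)
    print("3.7 XA =", xa, "K =", dh_shared_key(3, xa, 11))
```

Every step that recovers a private value here depends on the modulus being small enough to factor or search exhaustively, which is the property real key sizes are chosen to rule out.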
rfc3966.The tel URI for Telephone Numbers
Network Working Group                                     H. Schulzrinne
Request for Comments: 3966                           Columbia University
Obsoletes: 2806                                            December 2004
Category: Standards Track

The tel URI for Telephone Numbers

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2004).

Abstract

This document specifies the URI (Uniform Resource Identifier) scheme "tel". The "tel" URI describes resources identified by telephone numbers. This document obsoletes RFC 2806.

Table of Contents

1. Introduction
2. Terminology
3. URI Syntax
4. URI Comparisons
5. Phone Numbers and Their Context
   5.1. Phone Numbers
        5.1.1. Separators in Phone Numbers
        5.1.2. Alphabetic Characters Corresponding to Digits
        5.1.3. Alphabetic, *, and # Characters as Identifiers
        5.1.4. Global Numbers
        5.1.5. Local Numbers
   5.2. ISDN Subaddresses
   5.3. Phone Extensions
   5.4. Other Parameters
6. Examples
7. Rationale
   7.1. Why Not Just Put Telephone Numbers in SIP URIs?
   7.2. Why Not Distinguish between Call Types?
   7.3. Why tel
   7.4. Do Not Confuse Numbers with How They Are Dialed
Schulzrinne Standards Track [Page 1]
8. Usage of Telephone URIs in HTML
9. Use of "tel" URIs with SIP (Informative)
10. Acknowledgments
11. Security Considerations
12. Changes Since RFC 2806
13. References
    13.1. Normative References
    13.2. Informative References
Author’s Address
Full Copyright Statement

1. Introduction

This document defines the URI scheme "tel", which describes resources identified by telephone numbers. A telephone number is a string of decimal digits that uniquely indicates the network termination point. The number contains the information necessary to route the call to this point. (This definition is derived from [E.164] but encompasses both public and private numbers.)

The termination point of the "tel" URI telephone number is not restricted. It can be in the public telephone network, a private telephone network, or the Internet. It can be fixed or wireless and address a fixed wired, mobile, or nomadic terminal. The terminal addressed can support any electronic communication service (ECS), including voice, data, and fax. The URI can refer to resources identified by a telephone number, including but not limited to originators or targets of a telephone call.

The "tel" URI is a globally unique identifier ("name") only; it does not describe the steps necessary to reach a particular number and does not imply dialling semantics.
Furthermore, it does not refer to a specific physical device, only to a telephone number.

As commonly understood, telephone numbers comprise two related but distinct concepts: a canonical address-of-record and a dial string. We define the concepts below:

Address-of-record or identifier: The telephone number is understood here as the canonical address-of-record or identifier for a termination point within a specific network. For the public network, these numbers follow the rules in E.164 [E.164], while private numbers follow the rules of the owner of the private numbering plan. Subscribers publish these identifiers so that they can be reached, regardless of the location of the caller. (Naturally, not all numbers are reachable from everywhere, for a variety of technical and local policy reasons. Also, a single termination point may be reachable from different networks and may have multiple identifiers.)

Dial string: "Dial strings" are the actual numbers, symbols, and pauses entered by a user to place a phone call. A dial string is consumed by one or more network entities and understood in the context of the configuration of these entities. It is used to generate an address-of-record or identifier (in the sense described above) so that a call can be routed. Dial strings may require prepended digits to exit the private branch exchange (PBX) the end system is connected to, and they may include post-dial dual-tone multi-frequency (DTMF) signaling that could control an interactive voice response (IVR) system or reach an extension. Dial strings are beyond the scope of this document.

Both approaches can be expressed as a URI. For dial strings, this URI is passed to an entity that can reproduce the actions specified in the dial string. For example, in an analog phone system, a dialer translates the dial string into a sequence of actions such as waiting for dial tone, sending DTMF digits, pausing, and generating post-dial DTMF digits after the callee picks up.
In an integrated services digital network (ISDN) or ISDN user part (ISUP) environment, the signaling elements that receive protocol messages containing the dial string perform the appropriate protocol actions. As noted, this approach is beyond the scope of this specification.

The approach described here has the URI specify the telephone number as an identifier, which can be either globally unique or only valid within a local context. The dialling application is aware of the local context, knowing, for example, whether special digits need to be dialed to seize an outside line; whether network, pulse, or tone dialling is needed; and what tones indicate call progress. The dialling application then converts the telephone number into a dial sequence and performs the necessary signaling actions. The dialer does not have to be a user application as found in traditional desktop operating systems but could well be part of an IP-to-PSTN gateway.

To reach a telephone number from a phone on a PBX, for example, the user of that phone has to know how to convert the telephone number identifier into a dial string appropriate for that phone. The telephone number itself does not convey what needs to be done for a particular terminal. Instructions may include dialling "9" before placing a call or prepending "00" to reach a number in a foreign country. The phone may also need to strip area and country codes.

The identifier approach described in this document has the disadvantage that certain services, such as electronic banking or voicemail, cannot be specified in a "tel" URI.

The notation for phone numbers in this document is similar to that in RFC 3191 [RFC3191] and RFC 3192 [RFC3192]. However, the syntax differs as this document describes URIs whereas RFC 3191 and RFC 3192 specify electronic mail addresses. RFC 3191 and RFC 3192 use "/" to indicate parameters (qualifiers).
Since URIs use the forward slash to describe path hierarchy, the URI scheme described here uses the semicolon, in keeping with Session Initiation Protocol (SIP) URI conventions [RFC3261].

The "tel" URI can be used as a request URI in SIP [RFC3261] requests. The SIP specification also inherits the ’subscriber’ part of the syntax as part of the ’user element’ in the SIP URI. Other protocols may also use this URI scheme.

The "tel" URI does not specify the call type, such as voice, fax, or data call, and does not provide the connection parameters for a data call. The type and parameters are assumed to be negotiated either in-band by the telephone device or through a signaling protocol such as SIP.

This document obsoletes RFC 2806.

2. Terminology

In this document, the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in BCP 14, RFC 2119 [RFC2119] and indicate requirement levels for compliant implementations.

3. URI Syntax

The URI is defined using the ABNF (augmented Backus-Naur form) described in RFC 2234 [RFC2234] and uses elements from the core definitions (appendix A of RFC 2234).

The syntax definition follows RFC 2396 [RFC2396], indicating the actual characters contained in the URI. If the reserved characters "+", ";", "=", and "?" are used as delimiters between components of the "tel" URI, they MUST NOT be percent encoded. These characters MUST be percent encoded if they appear in tel URI parameter values.
Characters other than those in the "reserved" and "unsafe" sets (see RFC 2396 [RFC2396]) are equivalent to their "% HEX HEX" percent encoding.

The "tel" URI has the following syntax:

   telephone-uri        = "tel:" telephone-subscriber
   telephone-subscriber = global-number / local-number
   global-number        = global-number-digits *par
   local-number         = local-number-digits *par context *par
   par                  = parameter / extension / isdn-subaddress
   isdn-subaddress      = ";isub=" 1*uric
   extension            = ";ext=" 1*phonedigit
   context              = ";phone-context=" descriptor
   descriptor           = domainname / global-number-digits
   global-number-digits = "+" *phonedigit DIGIT *phonedigit
   local-number-digits  =
      *phonedigit-hex (HEXDIG / "*" / "#")*phonedigit-hex
   domainname           = *( domainlabel "." ) toplabel [ "." ]
   domainlabel          = alphanum
                          / alphanum *( alphanum / "-" ) alphanum
   toplabel             = ALPHA / ALPHA *( alphanum / "-" ) alphanum
   parameter            = ";" pname ["=" pvalue ]
   pname                = 1*( alphanum / "-" )
   pvalue               = 1*paramchar
   paramchar            = param-unreserved / unreserved / pct-encoded
   unreserved           = alphanum / mark
   mark                 = "-" / "_" / "." / "!" / "~" / "*" /
                          "'" / "(" / ")"
   pct-encoded          = "%" HEXDIG HEXDIG
   param-unreserved     = "[" / "]" / "/" / ":" / "&" / "+" / "$"
   phonedigit           = DIGIT / [ visual-separator ]
   phonedigit-hex       = HEXDIG / "*" / "#" / [ visual-separator ]
   visual-separator     = "-" / "." / "(" / ")"
   alphanum             = ALPHA / DIGIT
   reserved             = ";" / "/" / "?" / ":" / "@" / "&" /
                          "=" / "+" / "$" / ","
   uric                 = reserved / unreserved / pct-encoded

Each parameter name ("pname"), the ISDN subaddress, the ’extension’, and the ’context’ MUST NOT appear more than once. The ’isdn-subaddress’ or ’extension’ MUST appear first, if present, followed by the ’context’ parameter, if present, followed by any other parameters in lexicographical order.

This simplifies comparison when the "tel" URI is compared character by character, such as in SIP URIs [RFC3261].

4. URI Comparisons

Two "tel" URIs are equivalent according to the following rules:

o Both must be either a ’local-number’ or a ’global-number’, i.e., start with a ’+’.

o The ’global-number-digits’ and the ’local-number-digits’ must be equal, after removing all visual separators.

o For mandatory additional parameters (section 5.4) and the ’phone-context’ and ’extension’ parameters defined in this document, the ’phone-context’ parameter value is compared as a host name if it is a ’domainname’ or digit by digit if it is ’global-number-digits’. The latter is compared after removing all ’visual-separator’ characters.

o Parameters are compared according to ’pname’, regardless of the order they appeared in the URI. If one URI has a parameter name not found in the other, the two URIs are not equal.

o URI comparisons are case-insensitive.

All parameter names and values SHOULD use lower-case characters, as tel URIs may be used within contexts where comparisons are case sensitive.

Section 19.1.4 in the SIP specification [RFC3261] discusses one such case.

5. Phone Numbers and Their Context

5.1. Phone Numbers

The ’telephone-subscriber’ part of the URI indicates the number. The phone number can be represented in either global (E.164) or local notation. All phone numbers MUST use the global form unless they cannot be represented as such. Numbers from private numbering plans, emergency ("911", "112"), and some directory-assistance numbers (e.g., "411") and other "service codes" (numbers of the form N11 in the United States) cannot be represented in global (E.164) form and need to be represented as a local number with a context. Local numbers MUST be tagged with a ’phone-context’ (section 5.1.5).

Implementations MUST NOT assume that telephone numbers have a maximum, minimum, or fixed length, or that they always begin with or contain certain digits.

5.1.1. Separators in Phone Numbers

Phone numbers MAY contain visual separators.
Visual separators (’visual-separator’) merely aid readability and are not used for URI comparison or placing a call.

Although it complicates comparisons, this specification retains visual separators in order to follow the spirit of RFC 2396 [RFC2396], which remarks that "A URI often needs to be remembered by people, and it is easier for people to remember a URI when it consists of meaningful components". Also, ISBN URNs documented in RFC 3187 [RFC3187] use visual separators in a manner similar to this specification.

However, even though ITU-T E.123 [E.123] recommends the use of space characters as visual separators in printed telephone numbers, "tel" URIs MUST NOT use spaces in visual separators to avoid excessive escaping.

5.1.2. Alphabetic Characters Corresponding to Digits

In some countries, it is common to write phone numbers with alphabetic characters corresponding to certain numbers on the telephone keypad. The URI format does not support this notation, as the mapping from alphabetic characters to digits is not completely uniform internationally, although there are standards [E.161] [T1.703] addressing this issue.

5.1.3. Alphabetic, *, and # Characters as Identifiers

As called and calling terminal numbers (TNs) are encoded in BCD in ISUP, six additional values per digit can be encoded, sometimes represented as the hexadecimal characters A through F. Similarly, DTMF allows for the encoding of the symbols *, #, and A through D. However, in accordance with E.164, these may not be included in global numbers. Their meaning in local numbers is not defined here, but they are not prohibited.

5.1.4. Global Numbers

Globally unique numbers are identified by the leading "+" character. Global numbers MUST be composed with the country (CC) and national (NSN) numbers as specified in E.123 [E.123] and E.164 [E.164]. Globally unique numbers are unambiguous everywhere in the world and SHOULD be used.

5.1.5. Local Numbers

Local numbers are unique only within a certain geographical area or a certain part of the telephone network, e.g., a private branch exchange (PBX), a state or province, a particular local exchange carrier, or a particular country. URIs with local phone numbers should only appear in environments where all local entities can successfully set up the call by passing the number to the dialling software. Digits needed for accessing an outside line, for example, are not included in local numbers. Local numbers SHOULD NOT be used unless there is no way to represent the number as a global number.

Local numbers SHOULD NOT be used for several reasons. Local numbers require that the originator and recipient are configured appropriately so that they can insert and recognize the correct context descriptors. Since there is no algorithm to pick the same descriptor independently, labelling numbers with their context increases the chances of misconfiguration so that valid identifiers are rejected by mistake. The algorithm to select descriptors was chosen so that accidental collisions would be rare, but they cannot be ruled out.

Local numbers MUST have a ’phone-context’ parameter that identifies the scope of their validity. The parameter MUST be chosen to identify the local context within which the number is unique unambiguously. Thus, the combination of the descriptor in the ’phone-context’ parameter and local number is again globally unique. The parameter value is defined by the assignee of the local number. It does NOT indicate a prefix that turns the local number into a global (E.164) number.

There are two ways to label the context: via a global number or any number of its leading digits (e.g., "+33") and via a domain name, e.g., "".
The choice between the two is left tothe "owner" of the local number and is governed by whether there is a global number or domain name that is a valid identifier for aparticular local number.The domain name does not have to resolve to any actual host but MUST be under the administrative control of the entity managing the local phone context.A global number context consists of the initial digits of a validglobal number. All global numbers with these initial digits must be assigned to the same organization, and no such matching number can be used by any other organization. For example, +49-6151-16 would be a suitable context for the Technical University of Darmstadt, as ituses all numbers starting with those digits. If such an initial Schulzrinne Standards Track [Page 8]string of digits does not exist, the organization SHOULD use thelowest number of the global number range assigned to it. (This canoccur if two organizations share the same decimal block of numbers.For example, assume an organization owns the number range +1-212-555-0100 through +1-212-555-0149. +1-212-555-1 would not be a valid global number context, but +1-212-555-0100 would work.) It is notrequired that local numbers within the context actually begin withthe chosen set of initial numbers.A context consisting of the initial digits of a global number doesnot imply that adding these to the local number will generate a valid E.164 number. It might do so by coincidence, but this cannot berelied upon. (For example, "911" should be labeled with the context "+1", but "+1-911" is not a valid E.164 number.)National freephone numbers do not need a context, even though theyare not necessarily reachable from outside a particular country code or numbering plan. Recall that "tel" URIs are identifiers; it issufficient that a global number is unique, but it is not requiredthat it be reachable from everywhere.Even non-freephone numbers may be out of date or may not bereachable from a particular location. 
For example, premium services such as "900" numbers in the North American numbering plan are often not dialable from outside the particular country code.

The two label types were chosen so that, in almost all cases, a local administrator can pick an identifier that is reasonably descriptive and does not require a new IANA-managed assigned number. It is up to the administrator to assign an appropriate identifier and to use it consistently. Often, an organization can choose among several different identifiers.

If the recipient of a "tel" URI uses it simply for identification, the receiver does not need to know anything about the context descriptor. It simply treats it as one part of a globally unique identifier, with the other being the local number. If a recipient of the URI intends to place a call to the local number, it MUST understand the context and be able to place calls within that context.

5.2. ISDN Subaddresses

A phone number MAY also contain an 'isdn-subaddress' parameter that indicates an ISDN subaddress.

ISDN subaddresses typically contain International Alphabet 5 (IA5 [T.50]) characters but may contain any octet value.

5.3. Phone Extensions

Phone extensions identify stations behind a non-ISDN PBX and are functionally roughly equivalent to ISDN subaddresses. They are identified with the 'extension' parameter. At most, one of the 'isdn-subaddress' and 'extension' parameters can appear in a "tel" URI, i.e., they cannot appear both at the same time.

5.4. Other Parameters

Future protocol extensions to this URI scheme may add other parameters ('parameter' in the ABNF). Such parameters can be either mandatory or optional. Mandatory parameters start with "m-". An implementation MAY ignore optional parameters and MUST NOT use the URI if it contains unknown mandatory parameters. The "m-" prefix cannot be added to parameters that were already registered (except to create a new, logically distinct parameter). The "phone-context" parameter in this document is mandatory, and "isub" and "ext" are optional.

New mandatory parameters must be described in a standards-track RFC, but an informational RFC is sufficient for optional parameters.

For example, 'parameter' parameters can be used to store application-specific additional data about the phone number, its intended use, or any conversions that have been applied to the number.

Entities that forward protocol requests containing "tel" URIs with optional parameters MUST NOT delete or modify parameters they do not understand.

6. Examples

tel:+1-201-555-0123: This URI points to a phone number in the United States. The hyphens are included to make the number more human readable; they separate country, area code and subscriber number.

tel:7042;phone-context=: The URI describes a local phone number valid within the context "".

tel:863-1234;phone-context=+1-914-555: The URI describes a local phone number that is valid within a particular phone prefix.

7. Rationale

7.1. Why Not Just Put Telephone Numbers in SIP URIs?

The "tel" URI describes a service, reaching a telephone number, that is independent of the means of doing so, be it via a SIP-to-PSTN gateway, a direct SIP call via E.164 number ("ENUM") translation [RFC3761], some other signaling protocols such as H.323, or a traditional circuit-switched call initiated on the client side via, say, the Telephony Application Programming Interface (TAPI). Thus, in spirit, it is closer to the URN schemes that also leave the resolution to an external mechanism. The same "tel" URI may get translated to any number of other URIs in the process of setting up the call.

7.2. Why Not Distinguish between Call Types?

Signaling protocols such as SIP allow negotiating the call type and parameters, making the very basic indication within the URI scheme moot. Also, since the call type can change frequently, any such indication in a URI is likely to be out of date. If such designation is desired for a device that directly places calls without a signaling protocol such as SIP, mechanisms such as the "type" attribute for the "A" element in HTML may be more appropriate.

7.3. Why "tel"?

"tel" was chosen because it is widely recognized that none of the other suggestions appeared appropriate. "Callto" was discarded because URI schemes locate a resource and do not specify an action to be taken. "Telephone" and "phone" were considered too long and not easily recognized internationally.

7.4. Do Not Confuse Numbers with How They Are Dialed

As an example, in many countries the E.164 number "+1-212-555-3141" will be dialed as 00-1-212-555-3141, where the leading "00" is a prefix for international calls. (In general, a "+" symbol in E.164 indicates that an international prefix is required.)

8. Usage of Telephone URIs in HTML

Links using the "tel" URI SHOULD enclose the telephone number so that users can easily predict the action taken when following the link

   Dial <a href="tel:+1-212-555-0101">+1-212-555-0101</a> for assistance.

instead of

   Dial <a href="tel:+1-212-555-0101">this number</a> for assistance.

On a public HTML page, the telephone number in the URI SHOULD always be in the global form, even if the text of the link uses some local format:

   Telephone (if dialling in the United States):
   <a href="tel:+1-201-555-0111">(201) 555-0111</a>

or even

   For having RFCs read aloud, call <a href="tel:+1-555-438-3732">1-555-IETF-RFC</a>.

9. Use of "tel" URIs with SIP (Informative)

SIP can use the "tel" URI anywhere a URI is allowed, for example as a Request-URI, along with "sip" and "sips" URIs. For brevity, we will imply "sips" URIs when talking about SIP URIs. Both "tel" and SIP URIs can contain telephone numbers. In SIP URIs, they appear as the user part, i.e., before the @ symbol (section 19.1.6 in [RFC3261]).

Unless a SIP UA connects directly to a PSTN gateway, one of the SIP proxy servers has to translate the "tel" URI to a SIP URI, with the host part of that URI pointing to a gateway. Typically, the outbound proxy server, as the first proxy server visited by a call request, performs this translation. A proxy server can translate all "tel" URIs to the same SIP host name or select a different gateway for different "tel" prefixes, based, for example, on information learned from TRIP [RFC3219]. However, a proxy server could also delegate this translation task to any other proxy server, as proxy servers are free to apply whatever routing logic they desire. For local numbers, the proxy MUST NOT translate "tel" URIs whose contexts it does not understand.

As noted earlier, all phone numbers MUST use the global form unless they cannot be represented as such. If the local-number format is used, it MUST be qualified by the 'phone-context' parameter. Effectively, the combination of local number and phone context makes the "tel" URI globally unique.

Although web pages, vCard business cards, address books, and directories can easily contain global "tel" URIs, users on twelve-button (IP) phones cannot dial such numbers directly and are typically accustomed to dialling shorter strings, e.g., for PBX extensions or local numbers. These so-called dial strings (section
rfc393
print suppress capability. If the terminals being used at some
installations do not have the ability to disable the printing
mechanism, the TELNET being used can either ignore this code or
] intended only for use with the ARPA network. It should not be [
] quoted or cited in any publication not related to the ARPA [
] network. [
codes other than ASCII, e.g., EBCDIC. The definition of an alternate
character code should include the definition of the TELNET
control codes. An EBCDIC code has been proposed in RFC # 109 and has
3. Reverse Break
The code for Break is defined as a 129th ASCII data code. It is
usually transmitted from a user's network virtual terminal to a server
RFCs for RSVP
RFC 2205: The version 1 functional specification was described in RFC 2205 (Sept. 1997) by the IETF. Version 1 describes the interface to admission (traffic) control that is based "only" on resource availability. Later, RFC 2750 extended the admission control support.
RFC 4558, "Node-ID Based Resource Reservation Protocol (RSVP) Hello: A Clarification Statement" (June 2006).
RFC 3936, "Procedures for Modifying the Resource reSerVation Protocol (RSVP)" (October 2004), describes current best practices and specifies procedures for modifying RSVP.
RFC 4495, "A Resource Reservation Protocol (RSVP) Extension for the Reduction of Bandwidth of a Reservation Flow" (May 2006), extends RSVP to enable the bandwidth of an existing reservation to be reduced instead of tearing down the reservation.
rfc4862
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
generating global addresses via stateless address autoconfiguration,
and the Duplicate Address Detection procedure to verify the
uniqueness of the addresses on a link.
hosts generate an "interface identifier" that uniquely identifies an
interface on a subnet. An address is formed by combining the two.
In the absence of routers, a host can only generate link-local
5.4.1. Message Validation
5.4.2. Sending Neighbor Solicitation Messages
5.4.3. Receiving Neighbor Solicitation Messages
rfc3891.The Session Initiation Protocol (SIP) Replaces Header
Network Working Group                                            R. Mahy
Request for Comments: 3891                           Cisco Systems, Inc.
Category: Standards Track                                       B. Biggs
                                                                 R. Dean
                                                          September 2004

The Session Initiation Protocol (SIP) "Replaces" Header

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2004).

Abstract

This document defines a new header for use with Session Initiation Protocol (SIP) multi-party applications and call control. The Replaces header is used to logically replace an existing SIP dialog with a new SIP dialog. This primitive can be used to enable a variety of features, for example: "Attended Transfer" and "Call Pickup". Note that the definition of these example features is non-normative.

Mahy, et al. Standards Track [Page 1]

Table of Contents

1. Overview
2. Conventions
3. User Agent Server Behavior: Receiving a Replaces Header
4. User Agent Client Behavior: Sending a Replaces Header
5. Proxy Behavior
6. Syntax
   6.1. The Replaces Header
   6.2. New Option Tag for Require and Supported Headers
7. Usage Examples
   7.1. Replacing an Early Dialog at the Originator
8. Security Considerations
9. IANA Considerations
   9.1. Registration of "Replaces" SIP Header
   9.2. Registration of "replaces" SIP Option-tag
10. Acknowledgments
11. References
   11.1. Normative References
   11.2. Informative References
12. Authors' Addresses
13. Full Copyright Statement

1. Overview

This document describes a SIP [1] extension header field as part of the SIP multiparty applications architecture framework [10]. The Replaces header is used to logically replace an existing SIP dialog with a new SIP dialog. This is especially useful in peer-to-peer call control environments.

One use of the "Replaces" header is to replace one participant with another in a multimedia conversation. While this functionality is already available using 3rd party call control [11] style call control, the 3pcc model requires a central point of control which may not be desirable in many environments. As such, a method of performing these same call control primitives in a distributed, peer-to-peer fashion is very desirable.

Use of a new INVITE with a new header for dialog matching was chosen over making implicit associations in an incoming INVITE based on call-id or other fields for the following reasons:

o An INVITE already has the correct semantics for a new call

o Using an explicit Replaces header in a new request makes the intent of the request obvious.

o A unique call-id may be given to the replacement call. This avoids dialog matching problems in any of the related User Agents.

o There are no adverse effects if the header is unsupported.

The Replaces header enables services such as attended call transfer, retrieve from park, and transition from locally mixed conferences to two party calls in a distributed peer-to-peer way. This list of services is not exhaustive.
Although the Replaces header is frequently used in combination with the REFER [8] method as used in a Transfer [12], they may be used independently.

For example, Alice is talking to Bob from phone1. She transfers Bob to a Parking Place while she goes to the lab. When she gets there she retrieves the "parked" call from phone2 by sending an INVITE with a Replaces header field to Bob with the dialog information Bob shared with the Parking Place. Alice got this information using some out of band mechanism. Perhaps she subscribed to this information from the Parking Place (using the session dialog package [13]), or went to a website and clicked on a URI. A short call flow for this example follows. (Via and Max-Forwards headers are omitted for clarity.)

   Alice           Alice                                Parking
   phone1          phone2            Bob                 Place
   |               |                 |                   |
   |<===============================>|                   |
   |               |                 |                   |
   |        Alice transfers Bob to Parking Place         |
   |               |                 |                   |
   |------------REFER/200----------->|    *1 *2          |
   |<--NOTIFY/200 (trying)-----------|--INVITE/200/ACK-->|
   |<--NOTIFY/200 (success)----------|<=================>|
   |------------BYE/200------------->|                   |
   |               |                 |                   |
   |               |                 |                   |
   |  Alice later retrieves call from another phone      |
   |               |                 |                   |
   |           *3  |-INV w/Replaces->|                   |
   |               |<--200-----------|                   |
   |               |---ACK---------->|----BYE/200------->|
   |               |<===============>|                   |
   |               |                 |                   |

Message *1: Bob -> Parking Place

   INVITE sip:parkingplace@ SIP/2.0
   To: <sip:parkingplace@>
   From: <sip:bob@>;tag=7743
   Call-ID: 425928@
   CSeq: 1 INVITE
   Contact: <sip:bob@>
   Referred-By: <sip:alice@>

Message *2: Parking Place -> Bob

   SIP/2.0 200 OK
   To: <sip:parkingplace@>;tag=6472
   From: <sip:bob@>;tag=7743
   Call-ID: 425928@
   CSeq: 1 INVITE
   Contact: <sip:parkplace@>

Message *3: Alice@phone2 -> Bob

   INVITE sip:bob@
   To: <sip:bob@>
   From: <sip:alice@>;tag=8983
   Call-ID: 09870@
   CSeq: 1 INVITE
   Contact: <sip:alice@>
   Require: replaces
   Replaces: 425928@;to-tag=7743;from-tag=6472

2. Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, RFC 2119 [2].

This document refers frequently to the terms "confirmed dialog" and "early dialog". These are defined in Section 12 of SIP [1].

3. User Agent Server Behavior: Receiving a Replaces Header

The Replaces header contains information used to match an existing SIP dialog (call-id, to-tag, and from-tag). Upon receiving an INVITE with a Replaces header, the User Agent (UA) attempts to match this information with a confirmed or early dialog. The User Agent Server (UAS) matches the to-tag and from-tag parameters as if they were tags present in an incoming request. In other words, the to-tag parameter is compared to the local tag, and the from-tag parameter is compared to the remote tag.

If more than one Replaces header field is present in an INVITE, or if a Replaces header field is present in a request other than INVITE, the UAS MUST reject the request with a 400 Bad Request response.

The Replaces header has specific call control semantics. If both a Replaces header field and another header field with contradictory semantics are present in a request, the request MUST be rejected with a 400 "Bad Request" response.

If the Replaces header field matches more than one dialog, the UA MUST act as if no match is found.

If no match is found, the UAS rejects the INVITE and returns a 481 Call/Transaction Does Not Exist response. Likewise, if the Replaces header field matches a dialog which was not created with an INVITE, the UAS MUST reject the request with a 481 response.

If the Replaces header field matches a dialog which has already terminated, the UA SHOULD decline the request with a 603 Declined response. (If the matched invitation was just terminated, the replacement request should fail as well.
Declining the request with a 600-class response prevents an irritating race-condition where the UA rings or alerts for a replacement call which is not wanted.)

If the Replaces header field matches an active dialog, the UA MUST verify that the initiator of the new INVITE is authorized to replace the matched dialog. If the initiator of the new INVITE has been successfully authenticated as equivalent to the user who is being replaced, then the replacement is authorized. For example, if the user being replaced and the initiator of the replacement dialog share the same credentials for Digest authentication [6], or they sign the replacement request with S/MIME [7] with the same private key and present the (same) corresponding certificate used in the original dialog, then the replacement is authorized.

Alternatively, the Referred-By mechanism [4] defines a mechanism that the UAS can use to verify that a replacement request was sent on behalf of the other participant in the matched dialog (in this case, triggered by a REFER request). If the replacement request contains a Referred-By header that corresponds to the user being replaced, the UA SHOULD treat the replacement as if the replacement was authorized by the replaced party. The Referred-By header SHOULD reference a corresponding, valid Referred-By Authenticated Identity Body [5].

The UA MAY apply other local policy to authorize the remainder of the request. In other words, the UAS may apply a different policy to the replacement dialog than was applied to the replaced dialog.

In addition, the UA MAY use other authorization mechanisms defined for this purpose in standards track extensions. Extensions could define other mechanisms for transitively asserting authorization of a replacement.

If authorization is successful, the UA attempts to accept the new INVITE, reassign the user interface and other resources of the matched dialog to the new INVITE, and shut down the replaced dialog. If the UA cannot accept the new INVITE (for example: it cannot establish required QoS or keying, or it has incompatible media), the UA MUST return an appropriate error response and MUST leave the matched dialog unchanged.

If the Replaces header field matches a confirmed dialog, it checks for the presence of the "early-only" flag in the Replaces header field. (This flag allows the UAC to prevent a potentially undesirable race condition described in Section 7.1.) If the flag is present, the UA rejects the request with a 486 Busy response. Otherwise, it accepts the new INVITE by sending a 200-class response, and shuts down the replaced dialog by sending a BYE. If the Replaces header field matches an early dialog that was initiated by the UA, it accepts the new INVITE by sending a 200-class response, and shuts down the replaced dialog by sending a CANCEL.

If the Replaces header field matches an early dialog that was not initiated by this UA, it returns a 481 (Call/Transaction Does Not Exist) response to the new INVITE, and leaves the matched dialog unchanged. Note that since Replaces matches only a single dialog, the replacement dialog will not be retargeted according to the same forking logic as the original request which created the early dialog. (Currently, no use cases have been identified for replacing just a single dialog in this circumstance.)

4. User Agent Client Behavior: Sending a Replaces Header

A User Agent that wishes to replace a single existing early or confirmed dialog with a new dialog of its own, MAY send the target User Agent an INVITE request containing a Replaces header field. The User Agent Client (UAC) places the Call-ID, to-tag, and from-tag information for the target dialog in a single Replaces header field and sends the new INVITE to the target. If the user agent only wishes to replace an early dialog (as in the Call Pickup example in Section 7.1), the UAC MAY also include the "early-only" parameter in the Replaces header field. A UAC MUST NOT send an INVITE with a Replaces header field that attempts to replace an early dialog which was not originated by the target of the INVITE with a Replaces header field.

Note that use of this mechanism does not provide a way to match multiple dialogs, nor does it provide a way to match an entire call, an entire transaction, or to follow a chain of proxy forking logic. For example, if Alice replaces Cathy in an early dialog with Bob, but Bob does not answer, Alice's replacement request will not match other dialogs to which Bob's UA redirects, nor other branches to which his proxy forwards. Although this specification takes reasonable precautions to prevent unexpected behavior in the face of forking, implementations SHOULD only address replacement requests (i.e., set the Request-URI of the replacement request) to the SIP Contact URI of the target.

5. Proxy behavior

Proxy Servers do not require any new behavior to support this extension. They simply pass the Replaces header field transparently as described in the SIP specification.

Note that it is possible for a proxy (especially when forking based on some application layer logic, such as caller screening or time-of-day routing) to forward an INVITE request containing a Replaces header field to a completely orthogonal set of Contacts other than the original request it was intended to replace. In this case, the INVITE request with the Replaces header field will fail.

6. Syntax

6.1. The Replaces Header

The Replaces header field indicates that a single dialog identified by the header field is to be shut down and logically replaced by the incoming INVITE in which it is contained. It is a request header only, and defined only for INVITE requests. The Replaces header field MAY be encrypted as part of end-to-end encryption. Only a single Replaces header field value may be present in a SIP request.

This document adds the following entry to Table 2 of [1].
Additions to this table are also provided for extension methods defined at the time of publication of this document. This is provided as a courtesy to the reader and is not normative in any way. MESSAGE, SUBSCRIBE and NOTIFY, REFER, INFO, UPDATE, PRACK, and PUBLISH are defined respectively in [15], [16], [8], [17], [18], [19], and [20].

   Header field    where   proxy   ACK  BYE  CAN  INV  OPT  REG  MSG
   ------------    -----   -----   ---  ---  ---  ---  ---  ---  ---
   Replaces          R              -    -    -    o    -    -    -

                                   SUB  NOT  REF  INF  UPD  PRA  PUB
                                   ---  ---  ---  ---  ---  ---  ---
   Replaces          R              -    -    -    -    -    -    -

The following syntax specification uses the augmented Backus-Naur Form (BNF) as described in RFC 2234 [3]. The syntax below relies on a number of productions from SIP [1].

   Replaces        = "Replaces" HCOLON callid *(SEMI replaces-param)
   replaces-param  = to-tag / from-tag / early-flag / generic-param
   to-tag          = "to-tag" EQUAL token
   from-tag        = "from-tag" EQUAL token
   early-flag      = "early-only"

A Replaces header field MUST contain exactly one to-tag and exactly one from-tag, as they are required for unique dialog matching. For compatibility with dialogs initiated by RFC 2543 [9] compliant UAs, a tag of zero matches both tags of zero and null. A Replaces header field MAY contain the early-flag.

Examples:

   Replaces: 98732@;from-tag=r33th4x0r;to-tag=ff87ff
   Replaces: 12adf2f34456gs5;to-tag=12345;from-tag=54321;early-only
   Replaces: 87134@171.161.34.23;to-tag=24796;from-tag=0

6.2. New Option Tag for Require and Supported Headers

This specification defines a new Require/Supported header option tag "replaces". UAs which support the Replaces header MUST include the "replaces" option tag in a Supported header field. UAs that want explicit failure notification if Replaces is not supported MAY include the "replaces" option in a Require header field.

Example:

   Require: replaces, 100rel

7. Usage Examples

The following non-normative examples are not intended to enumerate all the possibilities for the usage of this extension, but rather to provide examples or ideas only. For more examples, please see SIP Service Examples [14]. Via and Max-Forwards headers are omitted for clarity and brevity.

7.1. Replacing an Early Dialog at the Originator

In this example, Bob just arrived in the lab and hasn't registered there yet. He hears his desk phone ring. He quickly logs into a software UA on a nearby computer. Among other things, the software UA has access to the dialog state of his desk phone. When it notices that his phone is ringing, it offers him the choice of taking the call there. The software UA sends an INVITE with Replaces to Alice. When Alice's UA receives this new INVITE, it CANCELs her original INVITE and connects Alice to Bob.

                               Bob                      Bob
        Alice                  desk                     lab
        |                       |                        |
   *1   |-----INVITE----------->|                        |
   *2   |<----180---------------|  Bob hears desk phone  |
        |                       |  ringing from lab but  |
        |                       |  isn't REGISTERed yet  |
        |                       |                        |
        |                       |<--fetch dialog state --|
        |                       |---response ----------->|
   *3/4 |<-----INVITE with Replaces/200/ACK--------------|
   *5/6 |------CANCEL/200------>|                        |
   *7   |<-----487--------------|                        |
        |------ACK------------->|                        |
        |                       |                        |
        |                       |                        |

Message *1: Alice -> Bob's desk phone

   INVITE sip:bob@ SIP/2.0
   To: <sip:bob@>
   From: <sip:alice@>;tag=7743
   Call-ID: 425928@
   CSeq: 1 INVITE
   Contact: <sip:alice@>

Message *2: Bob's desk phone -> Alice

   SIP/2.0 180 Ringing
   To: <sip:bob@>;tag=6472
   From: <sip:alice@>;tag=7743
   Call-ID: 425928@
   CSeq: 1 INVITE
   Contact: <sip:bob@>

Message *3: Bob in lab -> Alice

   INVITE sip:alice@
   To: <sip:alice@>
   From: <sip:bob@>;tag=8983
   Call-ID: 09870@
   CSeq: 1 INVITE
   Contact: <sip:bob@>
   Replaces: 425928@;to-tag=7743;from-tag=6472;early-only

Message *4: Alice -> Bob in lab

   SIP/2.0 200 OK
   To: <sip:alice@>;tag=9232
   From: <sip:bob@>;tag=8983
   Call-ID: 09870@
   CSeq: 1 INVITE
   Contact: <sip:alice@>

Message *5: Alice -> Bob's desk

   CANCEL sip:bob@ SIP/2.0
   To: <sip:bob@>
   From: <sip:alice@>;tag=7743
   Call-ID: 425928@
   CSeq: 1 CANCEL
   Contact: <sip:alice@>

Message *6: Bob's desk -> Alice

   SIP/2.0 200 OK
   To: <sip:bob@>
   From: <sip:alice@>;tag=7743
   Call-ID: 425928@
   CSeq: 1 CANCEL
   Contact: <sip:bob@>

Message *7: Bob's desk -> Alice

   SIP/2.0 487 Request Terminated
   To: <sip:bob@>;tag=6472
   From: <sip:alice@>;tag=7743
   Call-ID: 425928@
   CSeq: 1 INVITE

8. Security Considerations

The extension specified in this document significantly changes the relative security of SIP devices. Currently in SIP, even if an eavesdropper learns the Call-ID, To, and From headers of a dialog, they cannot easily modify or destroy that dialog if Digest authentication or end-to-end message integrity are used.

This extension can be used to disconnect participants or replace participants in a multimedia conversation. As such, invitations with the Replaces header MUST only be accepted if the peer requesting replacement has been properly authenticated using a standard SIP mechanism (Digest or S/MIME), and authorized to request a replacement of the target dialog. All SIP implementations are already required to support Digest Authentication.
In addition, implementations which support the Replaces header SHOULD also implement the Referred-By mechanism.

How a User Agent determines which requests are legitimately authorized to make dialog replacements is non-trivial and depends on a considerable amount of local policy configuration. In general, there are four cases when an authorization for a replacement is reasonable or warranted.

1. Replacement made by a party considered equivalent to the replaced party

2. Replacement made on behalf of the replaced party (perhaps transitively)

3. Replacement made by a former participant

4. Replacement made by a specifically authorized party

Starting with #1 for example, if an executive and an assistant both receive requests for a shared address-of-record, if so configured, either should be able to replace dialogs of the other for the shared identity. Both could even share the same keying material (Digest or S/MIME), or one could hold an authorization document signed by the other expressing this relationship. Likewise, in a call center environment, each call center agent could possess credentials to which supervisors also have access.

The most common use case of a replacement is on the request of the replaced participant (who no longer wants to be involved). This is the case in many features, such as completing an Attended Transfer and converting a 3-way call to a point-to-point call. Such replacements are typically triggered by a REFER [8] request from the replaced participant. The Referred-By [4] mechanism defines one way to identify the apparent original requester and can point to a SIP Authenticated Identity Body [5] (an S/MIME-based signed assertion) to secure this information.

In the example in section 1, Alice sends an INVITE with Replaces to Bob. Alice was a former participant in the conversation and had a previous dialog relationship with Bob.
Alice can use the same Digest or S/MIME credentials she used to authenticate with Bob during the original call to prove that she was a former participant. Note that this justification for replacing calls is more dangerous than the others, and in most cases is another way to authorize that the replacing participant is available. Implementations SHOULD NOT rely on this method as an authorization mechanism.

The last scenario is the easiest to secure but the least likely to be useful in practice. It is unlikely that an arbitrary host in the Internet is aware of any special authorization relationship between the replaced and the replacing parties. However, this use case may be useful in some environments. Since this usage does not effectively degrade the security of the solution, it is still allowed.

Some mechanisms for obtaining the dialog information needed by the Replaces header (Call-ID, to-tag, and from-tag) include URIs on a web page, subscriptions to an appropriate event package, and notifications after a REFER request. Since manipulating this dialog information could cause User Agents to replace the wrong dialog, use of message integrity protection for this information is STRONGLY RECOMMENDED. Use of end-to-end security mechanisms to encrypt this information is also RECOMMENDED.

This extension was designed to take advantage of future signature or authorization schemes defined in standards track extensions. In general, call control features benefit considerably from such work.

9. IANA Considerations

9.1. Registration of "Replaces" SIP header

Name of Header: Replaces
Short form: none
Normative description: section 6.1 of this document

9.2. Registration of "replaces" SIP Option-tag

Name of option: replaces
Description: Support for the SIP Replaces header
SIP headers defined: Replaces
Normative description: This document

10. Acknowledgments

Thanks to Robert Sparks, Alan Johnston, Dan Petrie, Ben Campbell, and many other members of the SIP WG for their continued support of the cause of distributed call control in SIP.

11. References

11.1. Normative References

[1] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002.
[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[3] Crocker, D. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", RFC 2234, November 1997.
[4] Sparks, R., "The Session Initiation Protocol (SIP) Referred-By Mechanism", RFC 3892, September 2004.
[5] Peterson, J., "The Session Initiation Protocol (SIP) Authenticated Identity Body (AIB) Format", RFC 3893, September 2004.
[6] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A., and L. Stewart, "HTTP Authentication: Basic and Digest Access Authentication", RFC 2617, June 1999.
[7] Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification", RFC 3851, July 2004.

11.2. Informative References

[8] Sparks, R., "The Session Initiation Protocol (SIP) Refer Method", RFC 3515, April 2003.
[9] Handley, M., Schulzrinne, H., Schooler, E., and J. Rosenberg, "SIP: Session Initiation Protocol", RFC 2543, March 1999.
[10] Mahy, R., "A Call Control and Multi-party usage framework for the Session Initiation Protocol (SIP)", Work in Progress, March 2003.
[11] Rosenberg, J., Peterson, J., Schulzrinne, H., and G. Camarillo, "Best Current Practices for Third Party Call Control (3pcc) in the Session Initiation Protocol (SIP)", BCP 85, RFC 3725, April 2004.
[12] Sparks, R. and A. Johnston, "Session Initiation Protocol Call Control - Transfer", Work in Progress, February 2003.
[13] Rosenberg, J. and H. Schulzrinne, "An INVITE Initiated Dialog Event Package for the Session Initiation Protocol (SIP)", Work in Progress, March 2003.
[14] Johnston, A. and S. Donovan, "Session Initiation Protocol Service Examples", Work in Progress, March 2003.
[15] Campbell, B., Rosenberg, J., Schulzrinne, H., Huitema, C., and D. Gurle, "Session Initiation Protocol (SIP) Extension for Instant Messaging", RFC 3428, December 2002.
[16] Roach, A., "Session Initiation Protocol (SIP)-Specific Event Notification", RFC 3265, June 2002.
[17] Donovan, S., "The SIP INFO Method", RFC 2976, October 2000.
[18] Rosenberg, J., "The Session Initiation Protocol (SIP) UPDATE Method", RFC 3311, October 2002.
[19] Rosenberg, J. and H. Schulzrinne, "Reliability of Provisional Responses in Session Initiation Protocol (SIP)", RFC 3262, June 2002.
[20] Campbell, B., "SIMPLE Presence Publication Mechanism", Work in Progress, February 2003.

12. Authors' Addresses

Rohan Mahy
Cisco Systems, Inc.
5617 Scotts Valley Dr
Scotts Valley, CA 95066
USA
EMail: rohan@

Billy Biggs
EMail: bbiggs@

Rick Dean
EMail: rfc@

13. Full Copyright Statement

Copyright (C) The Internet Society (2004).

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the IETF's procedures with respect to rights in IETF Documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at /ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.
rfc3959.The Early Session Disposition Type for the Session Initiation Protocol (SIP)
G. Camarillo Ericsson December 2004
The Early Session Disposition Type for the Session Initiation Protocol (SIP)

Status of This Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2004).

Abstract

This document defines a new disposition type (early-session) for the Content-Disposition header field in the Session Initiation Protocol (SIP). The treatment of "early-session" bodies is similar to the treatment of "session" bodies. That is, they follow the offer/answer model. Their only difference is that session descriptions whose disposition type is "early-session" are used to establish early media sessions within early dialogs, as opposed to regular sessions within regular dialogs.

Table of Contents

1. Introduction
2. Terminology
3. Issues Related to Early Media Session Establishment
4. The Early Session Disposition Type
5. Preconditions
6. Option tag
7. Example
8. Security Considerations
9. IANA Considerations
10. Acknowledgements
11. References
   11.1. Normative References
   11.2. Informational References
Author's Address
Full Copyright Statement
RFC3489 -- STUN - Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translato
Network Working Group
Request for Comments: 3489
Category: Standards Track
J. Rosenberg, J. Weinberger (dynamicsoft); C. Huitema (Microsoft); R. Mahy (Cisco)
March 2003

STUN - Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs)

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2003). All Rights Reserved.

Abstract

Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs) (STUN) is a lightweight protocol that allows applications to discover the presence and types of NATs and firewalls between them and the public Internet. It also provides the ability for applications to determine the public Internet Protocol (IP) addresses allocated to them by the NAT. STUN works with many existing NATs, and does not require any special behavior from them. As a result, it allows a wide variety of applications to work through existing NAT infrastructure.

Table of Contents

1. Applicability Statement
2. Introduction
3. Terminology
4. Definitions
5. NAT Variations
6. Overview of Operation
7. Message Overview
8. Server Behavior
   8.1 Binding Requests
   8.2 Shared Secret Requests
9. Client Behavior
   9.1 Discovery
   9.2 Obtaining a Shared Secret
   9.3 Formulating the Binding Request
   9.4 Processing Binding Responses
10. Use Cases
   10.1 Discovery Process
   10.2 Binding Lifetime Discovery
   10.3 Binding Acquisition
11. Protocol Details
   11.1 Message Header
   11.2 Message Attributes
      11.2.1 MAPPED-ADDRESS
      11.2.2 RESPONSE-ADDRESS
      11.2.3 CHANGED-ADDRESS
      11.2.4 CHANGE-REQUEST
      11.2.5 SOURCE-ADDRESS
      11.2.6 USERNAME
      11.2.7 PASSWORD
      11.2.8 MESSAGE-INTEGRITY
      11.2.9 ERROR-CODE
      11.2.10 UNKNOWN-ATTRIBUTES
      11.2.11 REFLECTED-FROM
12. Security Considerations
   12.1 Attacks on STUN
      12.1.1 Attack I: DDOS Against a Target
      12.1.2 Attack II: Silencing a Client
      12.1.3 Attack III: Assuming the Identity of a Client
      12.1.4 Attack IV: Eavesdropping
   12.2 Launching the Attacks
      12.2.1 Approach I: Compromise a Legitimate STUN Server
      12.2.2 Approach II: DNS Attacks
      12.2.3 Approach III: Rogue Router or NAT
      12.2.4 Approach IV: MITM
      12.2.5 Approach V: Response Injection Plus DoS
      12.2.6 Approach VI: Duplication
   12.3 Countermeasures
   12.4 Residual Threats
13. IANA Considerations
14. IAB Considerations
   14.1 Problem Definition
   14.2 Exit Strategy
   14.3 Brittleness Introduced by STUN
   14.4 Requirements for a Long Term Solution
   14.5 Issues with Existing NAPT Boxes
   14.6 In Closing
15. Acknowledgments
16. Normative References
17. Informative References
18. Authors' Addresses
19. Full Copyright Statement

1. Applicability Statement

This protocol is not a cure-all for the problems associated with NAT. It does not enable incoming TCP connections through NAT. It allows incoming UDP packets through NAT, but only through a subset of existing NAT types. In particular, STUN does not enable incoming UDP packets through symmetric NATs (defined below), which are common in large enterprises. STUN's discovery procedures are based on assumptions on NAT treatment of UDP; such assumptions may prove invalid down the road as new NAT devices are deployed.
STUN does not work when it is used to obtain an address to communicate with a peer which happens to be behind the same NAT. STUN does not work when the STUN server is not in a common shared address realm. For a more complete discussion of the limitations of STUN, see Section 14.

2. Introduction

Network Address Translators (NATs), while providing many benefits, also come with many drawbacks. The most troublesome of those drawbacks is the fact that they break many existing IP applications, and make it difficult to deploy new ones. Guidelines have been developed [8] that describe how to build "NAT friendly" protocols, but many protocols simply cannot be constructed according to those guidelines. Examples of such protocols include almost all peer-to-peer protocols, such as multimedia communications, file sharing and games.

To combat this problem, Application Layer Gateways (ALGs) have been embedded in NATs. ALGs perform the application layer functions required for a particular protocol to traverse a NAT. Typically, this involves rewriting application layer messages to contain translated addresses, rather than the ones inserted by the sender of the message. ALGs have serious limitations, including scalability, reliability, and speed of deploying new applications. To resolve these problems, the Middlebox Communications (MIDCOM) protocol is being developed [9]. MIDCOM allows an application entity, such as an end client or network server of some sort (like a Session Initiation Protocol (SIP) proxy [10]) to control a NAT (or firewall), in order to obtain NAT bindings and open or close pinholes. In this way, NATs and applications can be separated once more, eliminating the need for embedding ALGs in NATs, and resolving the limitations imposed by current architectures.

Unfortunately, MIDCOM requires upgrades to existing NAT and firewalls, in addition to application components. Complete upgrades of these NAT and firewall products will take a long time, potentially years.
This is due, in part, to the fact that the deployers of NAT and firewalls are not the same people who are deploying and using applications. As a result, the incentive to upgrade these devices will be low in many cases. Consider, for example, an airport Internet lounge that provides access with a NAT. A user connecting to the NATed network may wish to use a peer-to-peer service, but cannot, because the NAT doesn't support it. Since the administrators of the lounge are not the ones providing the service, they are not motivated to upgrade their NAT equipment to support it, using either an ALG, or MIDCOM.

Another problem is that the MIDCOM protocol requires that the agent controlling the middleboxes know the identity of those middleboxes, and have a relationship with them which permits control. In many configurations, this will not be possible. For example, many cable access providers use NAT in front of their entire access network. This NAT could be in addition to a residential NAT purchased and operated by the end user. The end user will probably not have a control relationship with the NAT in the cable access network, and may not even know of its existence.

Many existing proprietary protocols, such as those for online games (such as the games described in RFC 3027 [11]) and Voice over IP, have developed tricks that allow them to operate through NATs without changing those NATs. This document is an attempt to take some of those ideas, and codify them into an interoperable protocol that can meet the needs of many applications.

The protocol described here, Simple Traversal of UDP Through NAT (STUN), allows entities behind a NAT to first discover the presence of a NAT and the type of NAT, and then to learn the address bindings allocated by the NAT. STUN requires no changes to NATs, and works with an arbitrary number of NATs in tandem between the application entity and the public Internet.

3. Terminology

In this document, the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in BCP 14, RFC 2119 [1] and indicate requirement levels for compliant STUN implementations.

4. Definitions

STUN Client: A STUN client (also just referred to as a client) is an entity that generates STUN requests. A STUN client can execute on an end system, such as a user's PC, or can run in a network element, such as a conferencing server.

STUN Server: A STUN Server (also just referred to as a server) is an entity that receives STUN requests, and sends STUN responses. STUN servers are generally attached to the public Internet.

5. NAT Variations

It is assumed that the reader is familiar with NATs. It has been observed that NAT treatment of UDP varies among implementations. The four treatments observed in implementations are:

Full Cone: A full cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Furthermore, any external host can send a packet to the internal host, by sending a packet to the mapped external address.

Restricted Cone: A restricted cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port.
Unlike a full cone NAT, an external host (with IP address X) can send a packet to the internal host only if the internal host had previously sent a packet to IP address X.

Port Restricted Cone: A port restricted cone NAT is like a restricted cone NAT, but the restriction includes port numbers. Specifically, an external host can send a packet, with source IP address X and source port P, to the internal host only if the internal host had previously sent a packet to IP address X and port P.

Symmetric: A symmetric NAT is one where all requests from the same internal IP address and port, to a specific destination IP address and port, are mapped to the same external IP address and port. If the same host sends a packet with the same source address and port, but to a different destination, a different mapping is used. Furthermore, only the external host that receives a packet can send a UDP packet back to the internal host.

Determining the type of NAT is important in many cases. Depending on what the application wants to do, it may need to take the particular behavior into account.

6. Overview of Operation

This section is descriptive only. Normative behavior is described in Sections 8 and 9.

[Figure 1: STUN Configuration. From top to bottom: STUN Server, Public Internet, NAT 2, Private NET 2, NAT 1, Private NET 1, STUN Client.]

The typical STUN configuration is shown in Figure 1. A STUN client is connected to private network 1. This network connects to private network 2 through NAT 1. Private network 2 connects to the public Internet through NAT 2. The STUN server resides on the public Internet.

STUN is a simple client-server protocol. A client sends a request to a server, and the server returns a response.
There are two types of requests - Binding Requests, sent over UDP, and Shared Secret Requests, sent over TLS [2] over TCP. Shared Secret Requests ask the server to return a temporary username and password. This username and password are used in a subsequent Binding Request and Binding Response, for the purposes of authentication and message integrity.

Binding requests are used to determine the bindings allocated by NATs. The client sends a Binding Request to the server, over UDP. The server examines the source IP address and port of the request, and copies them into a response that is sent back to the client. There are some parameters in the request that allow the client to ask that the response be sent elsewhere, or that the server send the response from a different address and port. There are attributes for providing message integrity and authentication.

The trick is using STUN to discover the presence of NAT, and to learn and use the bindings they allocate.

The STUN client is typically embedded in an application which needs to obtain a public IP address and port that can be used to receive data. For example, it might need to obtain an IP address and port to receive Real Time Transport Protocol (RTP) [12] traffic. When the application starts, the STUN client within the application sends a STUN Shared Secret Request to its server, obtains a username and password, and then sends it a Binding Request. STUN servers can be discovered through DNS SRV records [3], and it is generally assumed that the client is configured with the domain to use to find the STUN server. Generally, this will be the domain of the provider of the service the application is using (such a provider is incented to deploy STUN servers in order to allow its customers to use its application through NAT). Of course, a client can determine the address or domain name of a STUN server through other means.
A STUN server can even be embedded within an end system.

The STUN Binding Request is used to discover the presence of a NAT, and to discover the public IP address and port mappings generated by the NAT. Binding Requests are sent to the STUN server using UDP. When a Binding Request arrives at the STUN server, it may have passed through one or more NATs between the STUN client and the STUN server. As a result, the source address of the request received by the server will be the mapped address created by the NAT closest to the server. The STUN server copies that source IP address and port into a STUN Binding Response, and sends it back to the source IP address and port of the STUN request. For all of the NAT types above, this response will arrive at the STUN client.

When the STUN client receives the STUN Binding Response, it compares the IP address and port in the packet with the local IP address and port it bound to when the request was sent. If these do not match, the STUN client is behind one or more NATs. In the case of a full-cone NAT, the IP address and port in the body of the STUN response are public, and can be used by any host on the public Internet to send packets to the application that sent the STUN request. An application need only listen on the IP address and port from which the STUN request was sent. Any packets sent by a host on the public Internet to the public address and port learned by STUN will be received by the application.

Of course, the host may not be behind a full-cone NAT. Indeed, it doesn't yet know what type of NAT it is behind. To determine that, the client uses additional STUN Binding Requests. The exact procedure is flexible, but would generally work as follows. The client would send a second STUN Binding Request, this time to a different IP address, but from the same source IP address and port. If the IP address and port in the response are different from those in the first response, the client knows it is behind a symmetric NAT.
To determine if it's behind a full-cone NAT, the client can send a STUN Binding Request with flags that tell the STUN server to send a response from a different IP address and port than the request was received on. In other words, if the client sent a Binding Request to IP address/port A/B using a source IP address/port of X/Y, the STUN server would send the Binding Response to X/Y using source IP address/port C/D. If the client receives this response, it knows it is behind a full cone NAT.

STUN also allows the client to ask the server to send the Binding Response from the same IP address the request was received on, but with a different port. This can be used to detect whether the client is behind a port restricted cone NAT or just a restricted cone NAT.

It should be noted that the configuration in Figure 1 is not the only permissible configuration. The STUN server can be located anywhere, including within another client. The only requirement is that the STUN server is reachable by the client, and if the client is trying to obtain a publicly routable address, that the server reside on the public Internet.

7. Message Overview

STUN messages are TLV (type-length-value) encoded using big endian (network ordered) binary. All STUN messages start with a STUN header, followed by a STUN payload. The payload is a series of STUN attributes, the set of which depends on the message type. The STUN header contains a STUN message type, transaction ID, and length. The message type can be Binding Request, Binding Response, Binding Error Response, Shared Secret Request, Shared Secret Response, or Shared Secret Error Response. The transaction ID is used to correlate requests and responses. The length indicates the total length of the STUN payload, not including the header. This allows STUN to run over TCP. Shared Secret Requests are always sent over TCP (indeed, using TLS over TCP).

Several STUN attributes are defined.
The first is a MAPPED-ADDRESS attribute, which is an IP address and port. It is always placed in the Binding Response, and it indicates the source IP address and port the server saw in the Binding Request. There is also a RESPONSE-ADDRESS attribute, which contains an IP address and port. The RESPONSE-ADDRESS attribute can be present in the Binding Request, and indicates where the Binding Response is to be sent. It's optional, and when not present, the Binding Response is sent to the source IP address and port of the Binding Request.

The third attribute is the CHANGE-REQUEST attribute, and it contains two flags to control the IP address and port used to send the response. These flags are called "change IP" and "change port" flags. The CHANGE-REQUEST attribute is allowed only in the Binding Request. The "change IP" and "change port" flags are useful for determining whether the client is behind a restricted cone NAT or restricted port cone NAT. They instruct the server to send the Binding Responses from a different source IP address and port. The CHANGE-REQUEST attribute is optional in the Binding Request.

The fourth attribute is the CHANGED-ADDRESS attribute. It is present in Binding Responses. It informs the client of the source IP address and port that would be used if the client requested the "change IP" and "change port" behavior.

The fifth attribute is the SOURCE-ADDRESS attribute. It is only present in Binding Responses. It indicates the source IP address and port where the response was sent from. It is useful for detecting twice NAT configurations.

The sixth attribute is the USERNAME attribute. It is present in a Shared Secret Response, which provides the client with a temporary username and password (encoded in the PASSWORD attribute). The USERNAME is also present in Binding Requests, serving as an index to the shared secret used for the integrity protection of the Binding Request. The seventh attribute, PASSWORD, is only found in Shared Secret Response messages.
The eighth attribute is the MESSAGE-INTEGRITY attribute, which contains a message integrity check over the Binding Request or Binding Response.

The ninth attribute is the ERROR-CODE attribute. This is present in the Binding Error Response and Shared Secret Error Response. It indicates the error that has occurred. The tenth attribute is the UNKNOWN-ATTRIBUTES attribute, which is present in either the Binding Error Response or Shared Secret Error Response. It indicates the mandatory attributes from the request which were unknown. The eleventh attribute is the REFLECTED-FROM attribute, which is present in Binding Responses. It indicates the IP address and port of the sender of a Binding Request, used for traceability purposes to prevent certain denial-of-service attacks.

8. Server Behavior

The server behavior depends on whether the request is a Binding Request or a Shared Secret Request.

8.1 Binding Requests

A STUN server MUST be prepared to receive Binding Requests on four address/port combinations - (A1, P1), (A2, P1), (A1, P2), and (A2, P2). (A1, P1) represent the primary address and port, and these are the ones obtained through the client discovery procedures below. Typically, P1 will be port 3478, the default STUN port. A2 and P2 are arbitrary. A2 and P2 are advertised by the server through the CHANGED-ADDRESS attribute, as described below.

It is RECOMMENDED that the server check the Binding Request for a MESSAGE-INTEGRITY attribute. If not present, and the server requires integrity checks on the request, it generates a Binding Error Response with an ERROR-CODE attribute with response code 401. If the MESSAGE-INTEGRITY attribute was present, the server computes the HMAC over the request as described in Section 11.2.8. The key to use depends on the shared secret mechanism. If the STUN Shared Secret Request was used, the key MUST be the one associated with the USERNAME attribute present in the request.
If the USERNAME attribute was not present, the server MUST generate a Binding Error Response. The Binding Error Response MUST include an ERROR-CODE attribute with response code 432. If the USERNAME is present, but the server doesn't remember the shared secret for that USERNAME (because it timed out, for example), the server MUST generate a Binding Error Response. The Binding Error Response MUST include an ERROR-CODE attribute with response code 430. If the server does know the shared secret, but the computed HMAC differs from the one in the request, the server MUST generate a Binding Error Response with an ERROR-CODE attribute with response code 431. The Binding Error Response is sent to the IP address and port the Binding Request came from, and sent from the IP address and port the Binding Request was sent to.

Assuming the message integrity check passed, processing continues. The server MUST check for any attributes in the request with values less than or equal to 0x7fff which it does not understand. If it encounters any, the server MUST generate a Binding Error Response, and it MUST include an ERROR-CODE attribute with a 420 response code.

That response MUST contain an UNKNOWN-ATTRIBUTES attribute listing the attributes with values less than or equal to 0x7fff which were not understood. The Binding Error Response is sent to the IP address and port the Binding Request came from, and sent from the IP address and port the Binding Request was sent to.

Assuming the request was correctly formed, the server MUST generate a single Binding Response. The Binding Response MUST contain the same transaction ID contained in the Binding Request. The length in the message header MUST contain the total length of the message in bytes, excluding the header. The Binding Response MUST have a message type of "Binding Response".

The server MUST add a MAPPED-ADDRESS attribute to the Binding Response.
The IP address component of this attribute MUST be set to the source IP address observed in the Binding Request. The port component of this attribute MUST be set to the source port observed in the Binding Request.

If the RESPONSE-ADDRESS attribute was absent from the Binding Request, the destination address and port of the Binding Response MUST be the same as the source address and port of the Binding Request. Otherwise, the destination address and port of the Binding Response MUST be the value of the IP address and port in the RESPONSE-ADDRESS attribute.

The source address and port of the Binding Response depend on the value of the CHANGE-REQUEST attribute and on the address and port the Binding Request was received on, and are summarized in Table 1.

Let Da represent the destination IP address of the Binding Request (which will be either A1 or A2), and Dp represent the destination port of the Binding Request (which will be either P1 or P2). Let Ca represent the other address, so that if Da is A1, Ca is A2. If Da is A2, Ca is A1. Similarly, let Cp represent the other port, so that if Dp is P1, Cp is P2. If Dp is P2, Cp is P1. If the "change port" flag was set in CHANGE-REQUEST attribute of the Binding Request, and the "change IP" flag was not set, the source IP address of the Binding Response MUST be Da and the source port of the Binding Response MUST be Cp. If the "change IP" flag was set in the Binding Request, and the "change port" flag was not set, the source IP address of the Binding Response MUST be Ca and the source port of the Binding Response MUST be Dp. When both flags are set, the source IP address of the Binding Response MUST be Ca and the source port of the Binding Response MUST be Cp.
If neither flag is set, or if the CHANGE-REQUEST attribute is absent entirely, the source IP address of the Binding Response MUST be Da and the source port of the Binding Response MUST be Dp.

Flags                      Source Address  Source Port  CHANGED-ADDRESS
none                       Da              Dp           Ca:Cp
Change IP                  Ca              Dp           Ca:Cp
Change port                Da              Cp           Ca:Cp
Change IP and Change port  Ca              Cp           Ca:Cp

Table 1: Impact of Flags on Packet Source and CHANGED-ADDRESS

The server MUST add a SOURCE-ADDRESS attribute to the Binding Response, containing the source address and port used to send the Binding Response.

The server MUST add a CHANGED-ADDRESS attribute to the Binding Response. This contains the source IP address and port that would be used if the client had set the "change IP" and "change port" flags in the Binding Request. As summarized in Table 1, these are Ca and Cp, respectively, regardless of the value of the CHANGE-REQUEST flags.

If the Binding Request contained both the USERNAME and MESSAGE-INTEGRITY attributes, the server MUST add a MESSAGE-INTEGRITY attribute to the Binding Response. The attribute contains an HMAC [13] over the response, as described in Section 11.2.8. The key to use depends on the shared secret mechanism. If the STUN Shared Secret Request was used, the key MUST be the one associated with the USERNAME attribute present in the Binding Request.

If the Binding Request contained a RESPONSE-ADDRESS attribute, the server MUST add a REFLECTED-FROM attribute to the response. If the Binding Request was authenticated using a username obtained from a Shared Secret Request, the REFLECTED-FROM attribute MUST contain the source IP address and port where that Shared Secret Request came from. If the username present in the request was not allocated using a Shared Secret Request, the REFLECTED-FROM attribute MUST contain the source address and port of the entity which obtained the username, as best can be verified with the mechanism used to allocate the username.
If the username was not present in the request, and the server was willing to process the request, the REFLECTED-FROM attribute SHOULD contain the source IP address and port where the request came from.

The server SHOULD NOT retransmit the response. Reliability is achieved by having the client periodically resend the request, each of which triggers a response from the server.
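RFC 3376 IGMPv3

1. Introduction

1.1. IPv4

1.1.1. IGMPv1: RFC 1112 defines Query and Report.

1.1.2. IGMPv2: RFC 2236 adds Leave.

1.1.3. IGMPv3: RFC 3376 defines the v3 Report and supports SSM (Leave is dropped; Report is used for everything).

1.2. IPv6

MLDv1 (same functionality as IGMPv2)
MLDv2 (same functionality as IGMPv3)

2. Service interface for requesting IP multicast reception

The system service interface is required to support the following operation:

IPMulticastListen( socket, interface, multicast-address, filter-mode, source-list )

● socket

● interface
The ID of the network interface on which the specified multicast packets are to be received. An interface may be physical (an Ethernet interface) or virtual (an FR virtual circuit or an IP-in-IP tunnel). An implementation may allow an "unspecified" value as the interface parameter, in which case the request applies to the system's first or default interface (or

● multicast-address
The IP multicast address, or group. If several multicast addresses are to be received on a given interface, IPMulticastListen is called once for each multicast address.

● filter-mode
INCLUDE or EXCLUDE. In INCLUDE mode, only packets whose IP source address is in the source-list parameter are received. In EXCLUDE mode, only packets whose IP source address is not in the source-list parameter are received.

● source-list
An unordered list of zero or more IP unicast addresses. An implementation may limit the number of IP addresses, but the limit must not be less than 64. When the number of IP addresses exceeds the limit, the service interface must return an error.

For a given socket, interface and multicast-address, only one filter mode and source list can be configured at a time. Later requests may, however, change the mode and the list.

Earlier versions of IGMP did not support source filtering, only the join and leave operations.

The join operation is equivalent to IPMulticastListen(socket,interface,multicast-address,EXCLUDE,{})

The leave operation is equivalent to IPMulticastListen(socket,interface,multicast-address,INCLUDE,{})

{} denotes the empty list.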
rfc4982.Supportf...
Network Working Group                                         M. Bagnulo
Request for Comments: 4982                                          UC3M
Updates: 3972                                                   J. Arkko
Category: Standards Track                                       Ericsson
                                                               July 2007

Support for Multiple Hash Algorithms in Cryptographically Generated Addresses (CGAs)

Status of This Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The IETF Trust (2007).

Abstract

This document analyzes the implications of recent attacks on commonly used hash functions on Cryptographically Generated Addresses (CGAs) and updates the CGA specification to support multiple hash algorithms.

Table of Contents

   1. Introduction
   2. Terminology
   3. Impact of Collision Attacks in CGAs
   4. Options for Multiple Hash Algorithm Support in CGAs
      4.1. Where to Encode the Hash Function?
   5. CGA Generation Procedure
   6. IANA Considerations
   7. Security Considerations
   8. Acknowledgements
   9. References
      9.1. Normative References
      9.2. Informative References

Bagnulo & Arkko Standards Track [Page 1]

1. Introduction

Recent attacks to currently used hash functions have motivated a considerable amount of concern in the Internet community.
The recommended approach [6] [10] to deal with this issue is first to analyze the impact of these attacks on the different Internet protocols that use hash functions and second to make sure that the different Internet protocols that use hash functions are capable of migrating to an alternative (more secure) hash function without a major disruption in the Internet operation.

This document performs such analysis for the Cryptographically Generated Addresses (CGAs) defined in [2]. The first conclusion of the analysis is that the security of the protocols using CGAs is not affected by the recently available attacks against hash functions. The second conclusion of the analysis is that the hash function used is hard coded in the CGA specification. This document updates the CGA specification [2] to enable the support of alternative hash functions. In order to do so, this document creates a new registry managed by IANA to register the different hash algorithms used in CGAs.

2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [1].

3. Impact of Collision Attacks in CGAs

Recent advances in cryptography have resulted in simplified attacks against the collision-free property of certain commonly used hash functions [6] [10], including SHA-1 that is the hash function used by CGAs [2]. The result is that it is possible to obtain two messages, M1 and M2, that have the same hash value with much less than 2^(L/2) attempts. We will next analyze the impact of such attacks in the currently proposed usages of CGAs.

As we understand it, the attacks against the collision-free property of a hash function mostly challenge the application of such hash functions, for the provision of non-repudiation capabilities.
This is because an attacker would be capable to create two different messages that result in the same hash value and it can then present any of the messages interchangeably (for example after one of them has been signed by the other party involved in the transaction). However, it must be noted that both messages must be generated by the same party.

As far as we understand, current usages of CGAs does not include the provision of non-repudiation capabilities, so attacks against the collision-free property of the hash function do not enable any useful attack against CGA-based protocols.

Current usages of the CGAs are basically oriented to prove the ownership of a CGA and then bind it to alternative addresses that can be used to reach the original CGA. This type of application of the CGA include:

   o  The application of CGAs to protect the shim6 protocol [7]. In this case, CGAs are used as identifiers for the established communications. CGA features are used to prove that the owner of the identifier is the one that is providing the alternative addresses that can be used to reach the initial identifier. This is achieved by signing the list of alternative addresses available in the multihomed host with the private key of the CGA.

   o  The application of CGAs to secure the IPv6 mobility support protocol [8] as proposed in [9]. In this case, the CGAs are used as Home Addresses and they are used to prove that the owner of the Home Address is the one creating the binding with the new Care-off Address. Similarly to the previous case, this is achieved by signing the Binding Update message carrying the Care-off Address with the private key of the CGA.

   o  The application of CGA to Secure Neighbour Discovery [4]. In this case, the CGA features are used to prove the address ownership, so that it is possible to verify that the owner of the IP address is the one that is providing the layer 2 address information.
      This is achieved by signing the layer 2 address information with the private key of the CGA.

Essentially, all the current applications of CGAs rely on CGAs to protect a communication between two peers from third party attacks and not to provide protection from the peer itself. Attacks against the collision-free property of the hash functions suppose that one of the parties is generating two messages with the same hash value in order to launch an attack against its communicating peer. Since CGAs are not currently used to providing this type of protection, it is then natural that no additional attacks are enabled by a weaker collision resistance of the hash function.

4. Options for Multiple Hash Algorithm Support in CGAs

CGAs, as currently defined in [2], are intrinsically bound to the SHA-1 hash algorithm and no other hash function is supported.

Even though the attacks against the collision-free property of the hash functions do not result in new vulnerabilities in the current applications of CGAs, it seems wise to enable multiple hash function support in CGAs. This is mainly for two reasons: first, potential future applications of the CGA technology may be susceptible to attacks against the collision-free property of SHA-1. Supporting alternative hash functions would allow applications that have stricter requirements on the collision-free property to use CGAs. Second, one lesson learned from the recent attacks against hash functions is that it is possible that one day we need to start using alternative hash functions because of successful attacks against other properties of the commonly used hash functions. Therefore, it seems wise to modify protocols in general and the CGAs in particular to support this transition to alternative hash functions as easy as possible.

4.1. Where to Encode the Hash Function?

The next question we need to answer is where to encode the hash function that is being used.
There are several options that can be considered:

One option would be to include the hash function used as an input to the hash function. This basically means to create an extension to the CGA Parameter Data Structure, as defined in [3], that codifies the hash function used. The problem is that this approach is vulnerable to bidding down attacks or downgrading attacks as defined in [10]. This means that even if a strong hash function is used, an attacker could find a CGA Parameter Data Structure that uses a weaker function but results in an equal hash value. This happens when the original hash function H1 and CGA Parameters Data Structure indicating H1 result in value X, and another hash function H2 and CGA Parameters Data Structure indicating H2 also result in the same value X.

In other words, the downgrading attack would work as follows: suppose that Alice generates a CGA CGA_A using the strong hash function HashStrong and using a CGA Parameter Data Structure CGA_PDS_A. The selected hash function HashStrong is encoded as an extension field in the CGA_PDS_A. Suppose that by using a brute force attack, an attacker X finds an alternative CGA Parameter Data Structure CGA_PDS_X whose hash value, by using a weaker hash function, is CGA_A. At this point, the attacker can pretend to be the owner of CGA_A and the stronger hash function has not provided additional protection.

The conclusion from the previous analysis is that the hash function used in the CGA generation must be encoded in the address itself. Since we want to support several hash functions, we will likely need at least 2 or 3 bits for this.

One option would be to use more bits from the hash bits of the interface identifier. However, the problem with this approach is that the resulting CGA is weaker because less hash information is encoded in the address.
In addition, since those bits are currently used as hash bits, it is impossible to make this approach backward compatible with existent implementations.

Another option would be to use the "u" and the "g" bits to encode this information, but this is probably not such a good idea since those bits have been honoured so far in all interface identifier generation mechanisms, which allow them to be used for the original purpose (for instance we can still create a global registry for unique interface identifiers).

Finally, another option is to encode the hash value used in the Sec bits. The Sec bits are used to artificially introduce additional difficulty in the CGA generation process in order to provide additional protection against brute force attacks. The Sec bits have been designed in a way that the lifetime of CGAs are extended, when it is feasible to attack 59-bits long hash values. However, this is not the case today, so in general CGA will have a Sec value of 000. The proposal is to encode in the Sec bits, not only information about brute force attack protection but also to encode the hash function used to generate the hash. So for instance, the Sec value 000 would mean that the hash function used is SHA-1 and the 0 bits of hash2 (as defined in RFC 3972) must be 0. Sec value of 001 could be that the hash function used is SHA-1 and the 16 bits of hash2 (as defined in RFC 3972) must be zero. However, the other values of Sec could mean that an alternative hash function needs to be used and that a certain amount of bits of hash2 must be zero. The proposal is not to define any concrete hash function to be used for other Sec values, since it is not yet clear that we need to do so nor is it clear which hash function should be selected.

Note that since there are only 8 Sec values, it may be necessary to reuse Sec values when we run out of unused Sec values.
The scenario where such an approach makes sense is where there are some Sec values that are no longer being used because the resulting security has become weak. In this case, where the usage of the Sec value has long been abandoned, it would be possible to reassign the Sec values. However, this must be a last resource option, since it may affect interoperability. This is because two implementations using different meanings of a given Sec value would not be able to interoperate properly (i.e., if an old implementation receives a CGA generated with the new meaning of the Sec value, it will fail and the same for a new implementation receiving a CGA generated with the old meaning of the Sec value). In case the approach of reassigning a Sec value is followed, a long time is required between the deprecation of the old value and the reassignment in order to prevent misinterpretation of the value by old implementations.

An erroneous interpretation of a reused Sec value, both on the CGA owner’s side and the CGA verifier’s side, would have the following result, CGA verification would fail in the worst case and both nodes would have to revert to unprotected IPv6 addresses. This can happen only with obsolete CGA parameter sets, which would be considered insecure anyway. In any case, an implementation must not simultaneously support two different meanings of a Sec value.

5. CGA Generation Procedure

The SEC registry defined in the IANA considerations section of this document contains entries for the different Sec values. Each of these entries points to an RFC that defines the CGA generation procedure that MUST be used when generating CGAs with the associated Sec value.

It should be noted that the CGA generation procedure may be changed by the new procedure not only in terms of the hash function used but also in other aspects, e.g., longer Modifier values may be required if the number of 0s required in hash2 exceed the currently defined bound of 112 bits.
The new procedure (which potentially involves a longer Modifier value) would be described in the RFC pointed to by the corresponding Sec registry entry.

In addition, the RFC that defines the CGA generation procedure for a Sec value MUST explicitly define the minimum key length acceptable for CGAs with that Sec value. This is to provide a coherent protection both in the hash and the public key techniques.

6. IANA Considerations

This document defines a new registry entitled "CGA SEC" for the Sec field defined in RFC 3972 [2] that has been created and is maintained by IANA. The values in this name space are 3-bit unsigned integers. Initial values for the CGA Extension Type field are given below; future assignments are to be made through Standards Action [5]. Assignments consist of a name, the value, and the RFC number where the CGA generation procedure is defined.

The following initial values are assigned in this document:

   Name               | Value |  RFCs
   -------------------+-------+------------
   SHA-1_0hash2bits   | 000   | 3972, 4982
   SHA-1_16hash2bits  | 001   | 3972, 4982
   SHA-1_32hash2bits  | 010   | 3972, 4982

7. Security Considerations

This document is about security issues and, in particular, about protection against potential attacks against hash functions.

8. Acknowledgements

Russ Housley, James Kempf, Christian Vogt, Pekka Nikander, and Henrik Levkowetz reviewed and provided comments about this document.

Marcelo Bagnulo worked on this document while visiting Ericsson Research Laboratory Nomadiclab.

9. References

9.1. Normative References

   [1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

   [2]  Aura, T., "Cryptographically Generated Addresses (CGA)", RFC 3972, March 2005.

   [3]  Bagnulo, M. and J. Arkko, "Cryptographically Generated Addresses (CGA) Extension Field Format", RFC 4581, October 2006.

   [4]  Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure Neighbor Discovery (SEND)", RFC 3971, March 2005.

9.2. Informative References

   [5]  Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.

   [6]  Hoffman, P. and B. Schneier, "Attacks on Cryptographic Hashes in Internet Protocols", RFC 4270, November 2005.

   [7]  Nordmark, E. and M. Bagnulo, "Multihoming L3 Shim Approach", Work in Progress, July 2005.

   [8]  Johnson, D., Perkins, C., and J. Arkko, "Mobility Support in IPv6", RFC 3775, June 2004.

   [9]  Arkko, J., "Applying Cryptographically Generated Addresses and Credit-Based Authorization to Mobile IPv6", Work in Progress, June 2006.

   [10] Bellovin, S. and E. Rescorla, "Deploying a New Hash Algorithm", NDSS ’06, February 2006.

Authors’ Addresses

   Marcelo Bagnulo
   Universidad Carlos III de Madrid
   Av. Universidad 30
   Leganes, Madrid 28911
   SPAIN
   Phone: 34 91 6249500
   EMail: ***************.es
   URI: http://www.it.uc3m.es

   Jari Arkko
   Ericsson
   Jorvas 02420
   Finland
   EMail: jari.arkko@

Full Copyright Statement

Copyright (C) The IETF Trust (2007).

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at /ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.
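Added example, not part of RFC 4982 or any CGA implementation: a verifier that takes the hash function and the hash2 requirement from the Sec bits of the address itself, as Section 4.1 concludes it must, and refuses Sec values that the "CGA SEC" registry has not assigned. The hash1/hash2 layout and the Sec position (three leftmost bits of the interface identifier) follow RFC 3972; the prefix and "public key" bytes are constructed sample values, and signature checking is out of scope.

```python
import hashlib
import ipaddress

# "CGA SEC" registry as listed in Section 6: Sec -> (name, hash, zero bits of hash2).
CGA_SEC_REGISTRY = {
    0b000: ("SHA-1_0hash2bits", hashlib.sha1, 0),
    0b001: ("SHA-1_16hash2bits", hashlib.sha1, 16),
    0b010: ("SHA-1_32hash2bits", hashlib.sha1, 32),
}

# Hash bits of the interface identifier: everything except Sec (bits 0-2)
# and the "u"/"g" bits (bits 6-7), per RFC 3972.
HASH_BITS_MASK = 0x1CFFFFFFFFFFFFFF


def sec_of(address):
    """Return the 3-bit Sec value carried in the address."""
    return ipaddress.IPv6Address(address).packed[8] >> 5


def with_sec(address, sec):
    """Return the same address with its Sec bits overwritten (used to test relabelling)."""
    raw = bytearray(ipaddress.IPv6Address(address).packed)
    raw[8] = (raw[8] & 0x1F) | (sec << 5)
    return str(ipaddress.IPv6Address(bytes(raw)))


def _hash2_ok(hash_fn, modifier, tail, zero_bits):
    # hash2 = leftmost 112 bits of H(modifier | 9 zero octets | public key | extensions)
    digest = hash_fn(modifier + b"\x00" * 9 + tail).digest()
    return int.from_bytes(digest[:14], "big") >> (112 - zero_bits) == 0


def generate_cga(prefix, public_key, sec, modifier=0):
    """Generate (address, parameters) for an assigned Sec value; prefix is 8 octets."""
    _name, hash_fn, zero_bits = CGA_SEC_REGISTRY[sec]
    while not _hash2_ok(hash_fn, modifier.to_bytes(16, "big"), public_key, zero_bits):
        modifier = (modifier + 1) % (1 << 128)      # brute-force cost grows with Sec
    params = modifier.to_bytes(16, "big") + prefix + b"\x00" + public_key
    hash1 = int.from_bytes(hash_fn(params).digest()[:8], "big")
    iid = (hash1 & HASH_BITS_MASK) | (sec << 61)    # Sec on top, u/g left at zero
    return str(ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big"))), params


def verify_cga(address, params):
    """Return (ok, detail). The algorithm is chosen from the address, never from params."""
    addr = ipaddress.IPv6Address(address).packed
    sec = addr[8] >> 5
    entry = CGA_SEC_REGISTRY.get(sec)
    if entry is None:
        return False, "Sec value %s is unassigned" % format(sec, "03b")
    name, hash_fn, zero_bits = entry
    if len(params) < 25:
        return False, "parameters too short"
    modifier, prefix, count, tail = params[:16], params[16:24], params[24], params[25:]
    if count > 2:
        return False, "collision count out of range"
    if prefix != addr[:8]:
        return False, "subnet prefix mismatch"
    hash1 = int.from_bytes(hash_fn(params).digest()[:8], "big")
    iid = int.from_bytes(addr[8:], "big")
    if (hash1 ^ iid) & HASH_BITS_MASK:
        return False, "hash1 mismatch"
    if not _hash2_ok(hash_fn, modifier, tail, zero_bits):
        return False, "hash2 lacks %d leading zero bits" % zero_bits
    return True, name


if __name__ == "__main__":
    PREFIX = bytes.fromhex("20010db800000000")       # constructed: 2001:db8::/64
    KEY = b"constructed-public-key-bytes"            # constructed stand-in for a DER key
    address, parameters = generate_cga(PREFIX, KEY, 0b001)
    print(address, verify_cga(address, parameters))
    print(verify_cga(with_sec(address, 0b011), parameters))
```

Because the Sec bits sit outside the hash1 comparison, relabelling an address changes which registry entry the verifier applies, and any value without an entry is refused rather than mapped to a default.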
Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments (Chinese and English)
PIC/S: Data Management and Integrity in Regulated GMP/GDP Environments

2 INTRODUCTION

2.1 PIC/S Participating Authorities regularly undertake inspections of manufacturers and distributors of API and medicinal products in order to determine the level of compliance with GMP/GDP principles. These inspections are commonly performed on-site however may be performed through the remote or off-site evaluation of documentary evidence, in which case the limitations of remote review of data should be considered.

2.2 The effectiveness of these inspection processes is determined by the veracity of the evidence provided to the inspector and ultimately the integrity of the underlying data. It is critical to the inspection process that inspectors can determine and fully rely on the accuracy and completeness of evidence and records presented to them.
Network Working Group                                        K. Kompella
Request for Comments: 3936                              Juniper Networks
Updates: 3209, 2205                                              J. Lang
BCP: 96                                                  Rincon Networks
Category: Best Current Practice                             October 2004

Procedures for Modifying the Resource reSerVation Protocol (RSVP)

Status of this Memo

This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2004).

Abstract

This memo specifies procedures for modifying the Resource reSerVation Protocol (RSVP). This memo also lays out new assignment guidelines for number spaces for RSVP messages, object classes, class-types, and sub-objects.

1. Introduction

This memo specifies procedures for modifying the Resource reSerVation Protocol (RSVP) [RSVP], including (but not limited to) adding, updating, extending or obsoleting: messages, message formats and procedures, object classes and class types, object formats and procedures; header formats, error codes and subcodes and semantics, and procedures for sending, receiving, and addressing RSVP messages.

IANA recognizes the following RSVP name spaces: Message Types, Class Names, Class Numbers, Class Types and Sub-objects, Virtual Destination Ports, and Error Codes and (Subcode) Values (all of these will collectively be referred to as RSVP entities in this document). This memo specifies ranges for each name space and assignment policies for each range. New RSVP name spaces must be defined in a Standards Track RFC which include guidelines for IANA assignments within the new name spaces.

The assignment policies used in this document are: Standards Action (as defined in [IANA]), Expert Review, and Organization/Vendor Private (more simply, "Vendor Private"); the last two are defined in this document.
The intent of these assignment policies is to ensure that extensions to RSVP receive adequate review before code-points are assigned, without being overly rigid. Thus, if an extension is widely accepted and its ramifications are well understood, it may receive an assignment from the Standards Action space; however, if an extension is experimental in nature, it receives an assignment from the Expert Review space, and may, with maturity, move to Standards Track. Assignments from the Vendor Private space are not reviewed, but there are mechanisms in place to ensure that these codepoints can co-exist in a network without harm.

A standards body other than the IETF that wishes to obtain an assignment for an RSVP entity must decide from which type of name/number space they desire their assignment be made from, and then submit the appropriate documentation. For example, if the assignment is to be made from a number space designated as Standards Action, a Standards Track RFC MUST be submitted in support of the request for assignment.

This memo updates the IANA Considerations section (section 7) of [RSVP-TE], replacing the assignment policies stated there.

Conventions used in this document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, RFC 2119 [KEYWORDS].

2. Assignment Policies for RSVP Entities

For each of the RSVP name spaces identified by IANA, the space is divided into assignment ranges; the following terms are used in describing the procedures by which IANA assigns values: "Standards Action" (as defined in [IANA]), "Expert Review", and "Organization/Vendor Private", defined below.

"Expert Review" ranges refer to values that are to be reviewed by an Expert designated by the IESG.
The code points from these ranges are typically used for experimental extensions; such assignments MUST be requested by Experimental RFCs that document their use and processing, and the actual assignments made during the IANA actions for the document. Values from "Expert Review" ranges MUST be registered with IANA.

"Organization/Vendor Private" ranges refer to values that are enterprise-specific; these MUST NOT be registered with IANA. For Vendor Private values, the first 4-octet word of the data field MUST be an enterprise code [ENT] as registered with the IANA SMI Network Management Private Enterprise Codes, and the rest of the data thereafter is for the private use of the registered enterprise. (For each RSVP entity that has a Vendor Private range, it must be specified where exactly the data field starts; see below for examples.) In this way, different enterprises, vendors, or Standards Development Organizations (SDOs) can use the same code point without fear of collision.

2.1. Message Types

A Message Type is an 8-bit number that identifies the function of the RSVP message. Values from 0 through 239 are to be assigned by Standards Action. Values from 240 through 255 are to be assigned by Expert Review.

2.2. Class Names and Numbers

Each class of data objects in an RSVP message is identified by an all upper-case Class Name and an 8-bit Class Number (also known as Class-Num or C-Num). Class Numbers are divided broadly into three ranges (0-127, 128-191, and 192-255) determined by the two high-order bits of the Class-Num object (the ’b’ below represents a bit).

Note: the first 32-bit word of an Object whose Class-Num or Class-Type is from the Vendor Private range MUST be that vendor’s SMI enterprise code in network octet order (these enterprise codes can be obtained from, and registered with, IANA).
An implementation encountering a Vendor Private object with an SMI enterprise code that it does not recognize MUST treat that object (and enclosing message) based on the Class-Num, as specified in [RSVP], section 3.10.

   o  Class-Num = 0bbbbbbb

      Class Numbers from 0 through 119 are to be assigned by Standards Action. Class Numbers from 120 through 123 are to be assigned by Expert Review. Class Numbers from 124 through 127 are reserved for Vendor Private Use.

   o  Class-Num = 10bbbbbb

      Class Numbers from 128 through 183 are to be assigned by Standards Action. Class Numbers from 184 through 187 are to be assigned by Expert Review. Class Numbers from 188 through 191 are reserved for Vendor Private Use.

   o  Class-Num = 11bbbbbb

      Class Numbers from 192 through 247 are to be assigned by Standards Action. Class Numbers from 248 through 251 are to be assigned by Expert Review. Class Numbers from 252 through 255 are reserved for Vendor Private Use.

2.3. Class Types

Within each object class there is an 8-bit Class Type (also known as a C-Type). Class Types are scoped to a Class Number. In general, the appropriateness of allowing assignments of Class Types through Expert Review or Vendor Private depends on the semantics of the Class Number itself. Thus, any new Class Number definition must specify an appropriate IANA Considerations policy for assigning additional Class Type values.

For Class Numbers that pre-date this document (specifically, 0, 1, 3-25, 30-37, 42-45, 64, 65, 128-131, 161-165, 192-196, and 207), the default assignment policy for new Class Types is Standards Action, unless a Standards Track or Best Current Practice RFC supercedes this.

2.3.1. Sub-objects

Within an object, sub-objects may be defined, generally as a Type-Length-Value triple. This memo defines the assignment policies for sub-objects of EXPLICIT_ROUTE and RECORD_ROUTE.
An RFC defining new sub-objects MUST state how IANA is to assign the sub-object Types.

The EXPLICIT_ROUTE object [RSVP-TE] carries a variable length sub-object that is identified by a 7-bit Type field. Types 0 through 119 are to be assigned by Standards Action. Types 120 through 123 are to be assigned by Expert Review. Types 124 through 127 are to be reserved for Vendor Private Use.

The RECORD_ROUTE object [RSVP-TE] carries a variable length sub-object that is identified by an 8-bit Type field. Types 0 through 191 are to be assigned by Standards Action. Types 192 through 251 are to be assigned by Expert Review. Types 252 through 255 are to be reserved for Vendor Private Use.

The first four octets of the sub-object contents of a Vendor Private sub-object of an EXPLICIT_ROUTE or RECORD_ROUTE object MUST be that vendor’s SMI enterprise code in network octet order.

2.4. Virtual Destination Ports

Virtual destination ports are described in [RSVP-IPSEC], which also specifies how IANA assignments are to be made.

2.5. Error Codes and Values

An Error Code is an 8-bit quantity that appears in an ERROR_SPEC object to broadly define an error condition. With each Error Code there may be a 16-bit Error Value that further specifies the cause of the error. Error Value may be globally defined, in which case the sub-code component is assigned by IANA.

Error Code values from 0 through 239 are to be assigned by Standards Action. Values from 240 through 251 are to be assigned by Expert Review. Values from 252 through 255 are reserved for Vendor Private Use. If the Error Code is for Vendor Private Use, the first four octets following the Error Value MUST be the vendor’s SMI enterprise code in network octet order.

Globally defined Error Values are assigned by Standards Action.

3. Modifying RSVP Procedures

RSVP entities have associated procedures describing when and how they are to be sent, received, processed, and responded to.
A change to a procedure that affects the processing of an RSVP entity that belongs to a range designated "Standards Action" MUST be documented in a Standards Track RFC. A change to a procedure that affects the processing of an RSVP entity that belongs to a range designated "Expert Review" MUST be documented in an Experimental RFC.

4. Acknowledgements

Many thanks to Scott Bradner, who encouraged this project, and made several helpful comments and suggestions.

5. Security Considerations

It is hoped that the procedures outlined in this memo will ensure that changes made to RSVP will be better reviewed and thus more architecturally sound, thereby enhancing the security both of the protocol and of networks deploying it.

6. IANA Considerations

See section 2.

7. References

7.1. Normative References

   [KEYWORDS]   Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RSVP]       Braden, R., Ed., Zhang, L., Berson, S., Herzog, S., and S. Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1 Functional Specification", RFC 2205, September 1997.

   [RSVP-TE]    Awduche, D., Berger, L., Gan, D., Li, T., Srinivasan, V., and G. Swallow, "RSVP-TE: Extensions to RSVP for LSP Tunnels", RFC 3209, December 2001.

7.2. Informative References

   [ENT]        IANA PRIVATE ENTERPRISE NUMBERS, /assignments/enterprise-numbers

   [IANA]       Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.

   [RSVP-IPSEC] Berger, L. and T. O’Malley, "RSVP Extensions for IPSEC Data Flows", RFC 2207, September 1997.

8. Authors’ Addresses

   Kireeti Kompella
   Juniper Networks
   1194 N. Mathilda Ave
   Sunnyvale, CA 94089 USA
   EMail: kireeti@

   Jonathan P. Lang
   Rincon Networks
   EMail: jplang@

9. Full Copyright Statement

Copyright (C) The Internet Society (2004).

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the IETF’s procedures with respect to rights in IETF Documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at /ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.
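Added example, not part of RFC 3936 or of any RSVP implementation: a parser that walks the objects of an RSVP message body, classifies each Class-Num by the Section 2.2 ranges, and for Vendor Private objects reads the SMI enterprise code from the first 32-bit word, rejecting objects too short to carry one. The object header layout (16-bit length, Class-Num, C-Type) and the unknown-class actions are taken from RFC 2205; the sample buffer is constructed and uses 32473, the enterprise number reserved for documentation.

```python
import struct

# Class-Num assignment ranges from Section 2.2 (inclusive bounds).
CLASS_NUM_RANGES = [
    (0, 119, "Standards Action"), (120, 123, "Expert Review"), (124, 127, "Vendor Private"),
    (128, 183, "Standards Action"), (184, 187, "Expert Review"), (188, 191, "Vendor Private"),
    (192, 247, "Standards Action"), (248, 251, "Expert Review"), (252, 255, "Vendor Private"),
]


def class_num_policy(class_num):
    """Return the assignment policy that governs an 8-bit Class-Num."""
    for low, high, policy in CLASS_NUM_RANGES:
        if low <= class_num <= high:
            return policy
    raise ValueError("Class-Num must be in 0..255")


def unknown_class_action(class_num):
    """RFC 2205 section 3.10 handling, selected by the two high-order bits."""
    if class_num < 0 or class_num > 255:
        raise ValueError("Class-Num must be in 0..255")
    if class_num < 128:                       # 0bbbbbbb
        return "reject message"
    if class_num < 192:                       # 10bbbbbb
        return "ignore silently"
    return "ignore and forward"               # 11bbbbbb


def parse_objects(data, known_enterprises=()):
    """Parse consecutive RSVP objects; return a list of per-object dicts."""
    objects, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 4:
            raise ValueError("truncated object header at offset %d" % offset)
        length, class_num, c_type = struct.unpack_from("!HBB", data, offset)
        if length < 4 or length % 4 or offset + length > len(data):
            raise ValueError("bad object length %d at offset %d" % (length, offset))
        body = data[offset + 4:offset + length]
        policy = class_num_policy(class_num)
        info = {"class_num": class_num, "c_type": c_type, "policy": policy,
                "enterprise": None, "action": "process"}
        if policy == "Vendor Private":
            if len(body) < 4:
                raise ValueError("Vendor Private object lacks an enterprise code")
            info["enterprise"] = struct.unpack_from("!I", body)[0]
            if info["enterprise"] not in known_enterprises:
                # Unrecognised enterprise: fall back to the Class-Num rules.
                info["action"] = unknown_class_action(class_num)
        objects.append(info)
        offset += length
    return objects


# Constructed sample: a 12-octet object of class 1, then a Vendor Private
# object of class 252 carrying enterprise code 32473 and 4 private octets.
SAMPLE = (struct.pack("!HBB", 12, 1, 1) + bytes(8)
          + struct.pack("!HBBI", 12, 252, 1, 32473) + b"priv")

if __name__ == "__main__":
    for obj in parse_objects(SAMPLE):
        print(obj)
```

Passing `known_enterprises=(32473,)` marks the vendor object as one the implementation understands, so it is processed instead of falling back to the Class-Num rule.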