rfc5366.Conference Establishment Using Request-Contained Lists in the Session Initiation Protocol (S

IPv6演进技术要求第2部分：基于IPv6段路由(SRv6)的IP承载网络1 范围本文件规定了基于SRv6的IP承载网络总体架构、基于SRv6的设备层技术要求及基于SRv6的管控层技术要求。

本文件适用于支持SRv6的IP承载网络。

2 规范性引用文件下列文件中的内容通过文中的规范性引用而构成本文件必不可少的条款。

其中，注日期的引用文件，仅该日期对应的版本适用于本文件；不注日期的引用文件，其最新版本（包括所有的修改单）适用于本文件。

IETF RFC2493 IPv6规范中的通用报文隧道（Generic Packet Tunneling in IPv6 Specification）IETF RFC4659 IPv6 VPN场景中的BGP-MPLS IP虚拟私有网络扩展（BGP-MPLS IP Virtual Private Network (VPN) Extension for IPv6 VPN）IETF RFC5549 通告带有IPv6下一跳地址的IPv4网络层可达性信息（Advertising IPv4 Network Layer Reachability Information with an IPv6 Next Hop）IETF RFC6437 IPv6流标签规范（IPv6 Flow Label Specification）IETF RFC6514 MPLS/BGP IP VPN中提供组播服务的BGP编码与处理（BGP Encodings and Procedures for Multicast in MPLS/BGP IP VPNs）IETF RFC7432 基于BGP MPLS的EVPN（BGP MPLS-Based Ethernet VPN）IETF RFC7606 改进的BGP更新消息的错误处理（Revised Error Handling for BGP UPDATE Messages）IETF RFC8200 互联网协议第六版规范（Internet Protocol, Version 6 (IPv6) Specification）IETF RFC8402 分段路由架构（Segment Routing Architecure）IETF RFC8754 IPv6段路由报头(IPv6 Segment Routing Header)IETF RFC8986 SRv6网络编程（Segment Routing over IPv6 (SRv6) Network Programming）IETF RFC9252 基于SRv6的BGP overlay业务(BGP Overlay Services Based on Segment Routing over IPv6 (SRv6))IETF RFC9352 支持SRv6的ISIS扩展(IS-IS Extensions to Support Segment Routing over the IPv6 Data Plane）GB/T XXXXX IPv6演进技术要求第4部分：基于IPv6段路由(SRv6)的网络编程GB/T XXXXX IPv6演进技术要求第7部分：基于IPv6段路由(SRv6)的业务链GB/T XXXXX IPv6演进技术要求第8部分：基于IPv6段路由(SRv6)的报文头压缩GB/T XXXXX IPv6演进技术要求第9部分：基于IPv6段路由(SRv6)的网络故障保护3 术语、定义和缩略语3.1 术语和定义下列术语和定义适用于本文件。

Network Working Group J. Arkko Request for Comments: 3776 Ericsson Category: Standards Track V. Devarapalli Nokia Research Center F. Dupont GET/ENST Bretagne June 2004 Using IPsec to Protect Mobile IPv6 Signaling BetweenMobile Nodes and Home AgentsStatus of this MemoThis document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions forimprovements. Please refer to the current edition of the "InternetOfficial Protocol Standards" (STD 1) for the standardization stateand status of this protocol. Distribution of this memo is unlimited. Copyright NoticeCopyright (C) The Internet Society (2004).AbstractMobile IPv6 uses IPsec to protect signaling between the home agentand the mobile node. Mobile IPv6 base document defines the mainrequirements these nodes must follow. This document discusses these requirements in more depth, illustrates the used packet formats,describes suitable configuration procedures, and shows howimplementations can process the packets in the right order.Table of Contents1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 32. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 53. Packet Formats . . . . . . . . . . . . . . . . . . . . . . . 5 3.1 Binding Updates and Acknowledgements . . . . . . . . . 5 3.2 Return Routability Signaling . . . . . . . . . . . . . 7 3.3 Prefix Discovery . . . . . . . . . . . . . . . . . . . 83.4 Payload Packets . . . . . . . . . . . . . . . . . . . 94. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 9 4.1 Mandatory Support . . . . . . . . . . . . . . . . . . 10 4.2 Policy Requirements . . . . . . . . . . . . . . . . . 10 4.3 IPsec Protocol Processing . . . . . . . . . . . . . . 134.4 Dynamic Keying . . . . . . . . . . . . . . . . . . . . 155. Example Configurations . . . . . . . . . . . . . . . . . . . 16 Arkko, et al. Standards Track [Page 1]5.1 Format . . . . . . . . . . . . . . . . . . . . . . . . 17 5.2 Manual Configuration . . . . . . . . . . . . . . . . . 18 5.2.1 Binding Updates and Acknowledgements . . . . . . 18 5.2.2 Return Routability Signaling . . . . . . . . . . 19 5.2.3 Prefix Discovery . . . . . . . . . . . . . . . . 20 5.2.4 Payload Packets . . . . . . . . . . . . . . . . 21 5.3 Dynamic Keying . . . . . . . . . . . . . . . . . . . . 22 5.3.1 Binding Updates and Acknowledgements . . . . . . 22 5.3.2 Return Routability Signaling . . . . . . . . . . 23 5.3.3 Prefix Discovery . . . . . . . . . . . . . . . . 245.3.4 Payload Packets . . . . . . . . . . . . . . . . 256. Processing Steps within a Node . . . . . . . . . . . . . . . 25 6.1 Binding Update to the Home Agent . . . . . . . . . . . 25 6.2 Binding Update from the Mobile Node . . . . . . . . . 26 6.3 Binding Acknowledgement to the Mobile Node . . . . . . 27 6.4 Binding Acknowledgement from the Home Agent . . . . . 28 6.5 Home Test Init to the Home Agent . . . . . . . . . . . 29 6.6 Home Test Init from the Mobile Node . . . . . . . . . 30 6.7 Home Test to the Mobile Node . . . . . . . . . . . . . 30 6.8 Home Test from the Home Agent . . . . . . . . . . . . 31 6.9 Prefix Solicitation Message to the Home Agent . . . . 31 6.10 Prefix Solicitation Message from the Mobile Node . . . 31 6.11 Prefix Advertisement Message to the Mobile Node . . . 32 6.12 Prefix Advertisement Message from the Home Agent . . . 32 6.13 Payload Packet to the Home Agent . . . . . . . . . . . 32 6.14 Payload Packet from the Mobile Node . . . . . . . . . 32 6.15 Payload Packet to the Mobile Node . . . . . . . . . . 32 6.16 Payload Packet from the Home Agent . . . . . . . . . . 32 6.17 Establishing New Security Associations . . . . . . . . 32 6.18 Rekeying Security Associations . . . . . . . . . . . . 336.19 Movements and Dynamic Keying . . . . . . . . . . . . . 347. Implementation Considerations . . . . . . . . . . . . . . . 35 7.1 IPsec . . . . . . . . . . . . . . . . . . . . . . . . 35 7.2 IKE . . . . . . . . . . . . . . . . . . . . . . . . . 367.3 Bump-in-the-Stack . . . . . . . . . . . . . . . . . . 378. IANA Considerations . . . . . . . . . . . . . . . . . . . . 379. Security Considerations . . . . . . . . . . . . . . . . . . 3710 References . . . . . . . . . . . . . . . . . . . . . . . . . 38 10.1 Normative References . . . . . . . . . . . . . . . . . 3810.2 Informative References . . . . . . . . . . . . . . . . 3811. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 3912. Authors’ Addresses . . . . . . . . . . . . . . . . . . . . . 3913. Full Copyright Statement . . . . . . . . . . . . . . . . . . 40 Arkko, et al. Standards Track [Page 2]1. IntroductionThis document illustrates the use of IPsec in securing Mobile IPv6[7] traffic between mobile nodes and home agents. In Mobile IPv6, a mobile node is always expected to be addressable at its home address, whether it is currently attached to its home link or is away fromhome. The "home address" is an IP address assigned to the mobilenode within its home subnet prefix on its home link. While a mobile node is at home, packets addressed to its home address are routed to the mobile node’s home link.While a mobile node is attached to some foreign link away from home, it is also addressable at a care-of address. A care-of address is an IP address associated with a mobile node that has a subnet prefixfrom a particular foreign link. The association between a mobilenode’s home address and care-of address is known as a "binding" forthe mobile node. While away from home, a mobile node registers itsprimary care-of address with a router on its home link, requestingthis router to function as the "home agent" for the mobile node. The mobile node performs this binding registration by sending a "Binding Update" message to the home agent. The home agent replies to themobile node by returning a "Binding Acknowledgement" message.Any other nodes communicating with a mobile node are referred to as"correspondent nodes". Mobile nodes can provide information abouttheir current location to correspondent nodes, again using BindingUpdates and Acknowledgements. Additionally, return routability test is performed between the mobile node, home agent, and thecorrespondent node in order to authorize the establishment of thebinding. Packets between the mobile node and the correspondent node are either tunneled via the home agent, or sent directly if a binding exists in the correspondent node for the current location of themobile node.Mobile IPv6 tunnels payload packets between the mobile node and thehome agent in both directions. This tunneling uses IPv6encapsulation [6]. Where these tunnels need to be secured, they are replaced by IPsec tunnels [2].Mobile IPv6 also provides support for the reconfiguration of the home network. Here, the home subnet prefixes may change over time.Mobile nodes can learn new information about home subnet prefixesthrough the "prefix discovery" mechanism.This document discusses security mechanisms for the control trafficbetween the mobile node and the home agent. If this traffic is notprotected, mobile nodes and correspondent nodes are vulnerable toman-in-the-middle, hijacking, passive wiretapping, impersonation, and Arkko, et al. Standards Track [Page 3]denial-of-service attacks. Any third parties are also vulnerable to denial-of-service attacks, for instance if an attacker could directthe traffic flowing through the home agent to a innocent third party. These attacks are discussed in more detail in Section 15.1 of theMobile IPv6 base specification [7].In order to avoid these attacks, the base specification uses IPsecEncapsulating Security Payload (ESP) [3] to protect control trafficbetween the home agent and the mobile node. This control trafficconsists of various messages carried by the Mobility Header protocol in IPv6 [5]. The traffic takes the following forms:o Binding Update and Acknowledgement messages exchanged between the mobile node and the home agent, as described in Sections 10.3.1,10.3.2, 11.7.1, and 11.7.3 of the base specification [7].o Return routability messages Home Test Init and Home Test that pass through the home agent on their way to a correspondent node, asdescribed in Section 10.4.6 of the base specification [7].o ICMPv6 messages exchanged between the mobile node and the homeagent for the purposes of prefix discovery, as described inSections 10.6 and 11.4 of the base specification [7].The nodes may also optionally protect payload traffic passing through the home agent, as described in Section 5.5 of the base specification [7]. If multicast group membership control protocols or statefuladdress autoconfiguration protocols are supported, payload dataprotection support is required.The control traffic between the mobile node and the home agentrequires message authentication, integrity, correct ordering andanti-replay protection. The mobile node and the home agent must have an IPsec security association to protect this traffic. IPsec doesnot proving correct ordering of messages. Correct ordering of thecontrol traffic is ensured by a sequence number in the Binding Update and Binding Acknowledgement messages. The sequence number in theBinding Updates also provides protection to a certain extent. Itfails in some scenarios, for example, if the Home Agent loses theBinding Cache state. Full protection against replay attacks ispossible only when IKE is used.Great care is needed when using IKE [4] to establish securityassociations to Mobile IPv6 home agents. The right kind of addresses must be used for transporting IKE. This is necessary to avoidcircular dependencies in which the use of a Binding Update triggersthe need for an IKE exchange that cannot complete prior to theBinding Update having been completed.Arkko, et al. Standards Track [Page 4]The mobile IPv6 base document defines the main requirements themobile nodes and home agents must follow when securing the abovetraffic. This document discusses these requirements in more depth,illustrates the used packet formats, describes suitable configuration procedures, and shows how implementations can process the packets in the right order.We begin our description by showing the required wire formats for the protected packets in Section 3. Section 4 describes rules whichassociated Mobile IPv6, IPsec, and IKE implementations must observe. Section 5 discusses how to configure either manually keyed IPsecsecurity associations or how to configure IKE to establish themautomatically. Section 6 shows examples of how packets are processed within the nodes.All implementations of Mobile IPv6 mobile node and home agent MUSTsupport at least the formats described in Section 3 and obey therules in Section 4.The configuration and processing sections are informative, and should only be considered as one possible way of providing the requiredfunctionality.Note that where this document indicates a feature MUST be supportedand SHOULD be used, this implies that all implementations must becapable of using the specified feature, but there may be cases where, for instance, a configuration option disables to use of the featurein a particular situation.2. TerminologyThe keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT","SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [1].3. Packet Formats3.1. Binding Updates and AcknowledgementsWhen the mobile node is away from its home, the BUs sent by it to the home agent MUST support at least the following headers in thefollowing order:IPv6 header (source = care-of address,destination = home agent)Destination Options headerHome Address option (home address)ESP header in transport modeArkko, et al. Standards Track [Page 5]Mobility headerBinding UpdateAlternate Care-of Address option (care-of address)Note that the Alternate Care-of Address option is used to ensure that the care-of address is protected by ESP. The home agent considersthe address within this option as the current care-of address for the mobile node. The home address is not protected by ESP directly, but the use of a specific home address with a specific securityassociation is required by policy.The Binding Acknowledgements sent back to the mobile node when it is away from home MUST support at least the following headers in thefollowing order:IPv6 header (source = home agent,destination = care-of address)Routing header (type 2)home addressESP header in transport modeMobility headerBinding AcknowledgementWhen the mobile node is at home, the above rules are different as the mobile node can use its home address as a source address. Thistypically happens for the de-registration Binding Update when themobile is returning home. In this situation, the Binding UpdatesMUST support at least the following headers in the following order:IPv6 header (source = home address,destination = home agent)ESP header in transport modeMobility headerBinding UpdateThe Binding Acknowledgement messages sent to the home address MUSTsupport at least the following headers in the following order:IPv6 header (source = home agent,destination = home address)ESP header in transport modeMobility headerBinding AcknowledgementArkko, et al. Standards Track [Page 6]3.2. Return Routability SignalingWhen the Home Test Init messages tunneled to the home agent areprotected by IPsec, they MUST support at least the following headers in the following order:IPv6 header (source = care-of address,destination = home agent)ESP header in tunnel modeIPv6 header (source = home address,destination = correspondent node)Mobility HeaderHome Test InitThis format assumes that the mobile node’s current care-of address is used as the outer header destination address in the securityassociation. As discussed in Section 4.3, this requires the homeagent to update the destination address when the mobile node moves.Policy entries and security association selectors stay the same,however, as the inner packets do not change upon movements.Note that there are trade-offs in using care-of addresses as thedestination addresses versus using the home address and attaching an additional Home Address destination option and/or Routing header tothe packets. The basis for requiring support for at least thecare-of address case has been discussed in Section 7.Similarly, when the Home Test messages tunneled from the home agentare protected by IPsec, they MUST support at least the followingheaders in the following order:IPv6 header (source = home agent,destination = care-of address)ESP header in tunnel modeIPv6 header (source = correspondent node,destination = home address)Mobility HeaderHome TestThe format used to protect return routability packets relies on thedestination of the tunnel packets to change for the mobile node as it moves. The home agent’s address stays the same, but the mobilenode’s address changes upon movements, as if the securityassociation’s outer header destination address had changed. When the mobile node adopts a new care-of address, it adopts also a new source address for outgoing tunnel packets. The home agent accepts packets sent like this, as the outer source address in tunnel packets is not checked according to the rules in RFC 2401. (We note, however, that Arkko, et al. Standards Track [Page 7]some implementations are known to make source address checks.) For a discussion of the role of source addresses in outer tunnel headers,see Section 5.1.2.1 of RFC 2401 [2]. Note also that the home agentrequires the packets to be authenticated regardless of the sourceaddress change, hence the "new" sender must possess the same keys for the security association as it had in the previous location. Thisproves that the sender is the same entity, regardless of the changes in the addresses.The process is more complicated in the home agent side, as the homeagent has stored the previous care-of address in its SecurityAssociation Database as the outer header destination address. WhenIKE is being used, the mobile node runs it on top of its currentcare-of address, and the resulting tunnel-mode security associations will use the same addresses as IKE run over. In order for the homeagent to be able to tunnel a Home Test message to the mobile node, it uses the current care-of address as the destination of the tunnelpackets, as if the home agent had modified the outer headerdestination address in the security association used for thisprotection. This implies that the same security association can beused in multiple locations, and no new configuration orre-establishment of IKE phases is needed per movement. Section 5.2.2 discusses the security policy and security association databaseentries that are needed to accomplish this.3.3. Prefix DiscoveryIf IPsec is used to protect prefix discovery, requests for prefixesfrom the mobile node to the home agent MUST support at least thefollowing headers in the following order.IPv6 header (source = care-of address,destination = home agent)Destination Options headerHome Address option (home address)ESP header in transport modeICMPv6Mobile Prefix SolicitationAgain if IPsec is used, solicited and unsolicited prefix information advertisements from the home agent to the mobile node MUST support at least the following headers in the following order.IPv6 header (source = home agent,destination = care-of address)Routing header (type 2)home addressESP header in transport modeArkko, et al. Standards Track [Page 8]ICMPv6Mobile Prefix Advertisement3.4. Payload PacketsIf IPsec is used to protect payload packets tunneled to the homeagent from the mobile node, we use a format similar to the one inSection 3.2. However, instead of the MobilityHeader, these packetsmay contain any legal IPv6 protocol(s):IPv6 header (source = care-of address,destination = home agent)ESP header in tunnel modeIPv6 header (source = home address,destination = correspondent node)Any protocolSimilarly, when the payload packets are tunneled from the home agent to the mobile node with ESP encapsulation, they MUST support at least the following headers in the following order:IPv6 header (source = home agent,destination = care-of address)ESP header in tunnel modeIPv6 header (source = correspondent node,destination = home address)Any protocol4. RequirementsThis section describes mandatory rules for all Mobile IPv6 mobilenodes and home agents. These rules are necessary in order for it to be possible to enable IPsec communications despite movements,guarantee sufficient security, and to ensure correct processing order of packets.The rules in the following sections apply only to the communications between home agents and mobile nodes. They should not be taken asrequirements on how IPsec in general is used by mobile nodes.Arkko, et al. Standards Track [Page 9]4.1. Mandatory SupportThe following requirements apply to both home agents and mobilenodes:o Manual configuration of IPsec security associations MUST besupported. The configuration of the keys is expected to takeplace out-of-band, for instance at the time the mobile node isconfigured to use its home agent.o Automatic key management with IKE [4] MAY be supported. OnlyIKEv1 is discussed in this document. Other automatic keymanagement mechanisms exist and will appear beyond IKEv1, but this document does not address the issues related to them.o ESP encapsulation of Binding Updates and Acknowledgements between the mobile node and home agent MUST be supported and MUST be used. o ESP encapsulation of the Home Test Init and Home Test messagestunneled between the mobile node and home agent MUST be supported and SHOULD be used.o ESP encapsulation of the ICMPv6 messages related to prefixdiscovery MUST be supported and SHOULD be used.o ESP encapsulation of the payload packets tunneled between themobile node and home agent MAY be supported and used.o If multicast group membership control protocols or statefuladdress autoconfiguration protocols are supported, payload dataprotection MUST be supported for those protocols.4.2. Policy RequirementsThe following requirements apply to both home agents and mobilenodes:o As required in the base specification [7], when a packet destined to the receiving node is matched against IPsec security policy or selectors of a security association, an address appearing in aHome Address destination option is considered as the sourceaddress of the packet.Note that the home address option appears before IPsec headers.Section 11.3.2 of the base specification describes one possibleimplementation approach for this: The IPsec policy operations can be performed at the time when the packet has not yet been modified per Mobile IPv6 rules, or has been brought back to its normal form Arkko, et al. Standards Track [Page 10]after Mobile IPv6 processing. That is, the processing of the Home Address option is seen as a fixed transformation of the packetsthat does not affect IPsec processing.o Similarly, a home address within a Type 2 Routing header destined to the receiving node is considered as the destination address of the packet, when a packet is matched against IPsec security policy or selectors of a security association.Similar implementation considers apply to the Routing headerprocessing as was described above for the Home Address destination option.o When IPsec is used to protect return routability signaling orpayload packets, this protection MUST only be applied to thereturn routability packets entering the IPv6 encapsulated tunnelinterface between the mobile node and the home agent. This can be achieved, for instance, by defining the security policy databaseentries specifically for the tunnel interface. That is, thepolicy entries are not generally applied on all traffic on thephysical interface(s) of the nodes, but rather only on trafficthat enters this tunnel.o The authentication of mobile nodes MAY be based either on machine or user credentials. Note that multi-user operating systemstypically allow all users of a node to use any of the IP addresses assigned to the node. This limits the capability of the homeagent to restrict the use of a home address to a particular userin such environment. Where user credentials are applied in amulti-user environment, the configuration should authorize allusers of the node to control all home addresses assigned to thenode.o When the mobile node returns home and de-registers with the HomeAgent, the tunnel between the home agent and the mobile node’scare-of address is torn down. The security policy entries, which were used for protecting tunneled traffic between the mobile node and the home agent MUST be made inactive (for instance, byremoving them and installing them back later through an API). The corresponding security associations could be kept as they are ordeleted depending on how they were created. If the securityassociations were created dynamically using IKE, they areautomatically deleted when they expire. If the securityassociations were created through manual configuration, they MUST be retained and used later when the mobile node moves away fromhome again. The security associations protecting Binding Updates and Acknowledgements, and prefix discovery SHOULD NOT be deletedas they do not depend on care-of addresses and can be used again. Arkko, et al. Standards Track [Page 11]The following rules apply to mobile nodes:o The mobile node MUST use the Home Address destination option inBinding Updates and Mobile Prefix Solicitations, sent to the home agent from a care-of address.o When the mobile node receives a changed set of prefixes from thehome agent during prefix discovery, there is a need to configurenew security policy entries, and there may be a need to configure new security associations. It is outside the scope of thisspecification to discuss automatic methods for this.The following rules apply to home agents:o The home agent MUST use the Type 2 Routing header in BindingAcknowledgements and Mobile Prefix Advertisements sent to themobile node, again due to the need to have the home addressvisible when the policy checks are made.o It is necessary to avoid the possibility that a mobile node could use its security association to send a Binding Update on behalf of another mobile node using the same home agent. In order to dothis, the security policy database entries MUST unequivocallyidentify a single security association for protecting BindingUpdates between any given home address and home agent whenmanually keyed IPsec security associations are used. When dynamic keying is used, the security policy database entries MUSTunequivocally identify the IKE phase 1 credentials which can beused to authorize the creation of security associations forprotecting Binding Updates for a particular home address. Howthese mappings are maintained is outside the scope of thisspecification, but they may be maintained, for instance, as alocally administered table in the home agent. If the phase 1identity is a Fully Qualified Domain Name (FQDN), secure forms of DNS may also be used.o When the set of prefixes advertised by the home agent changes,there is a need to configure new security policy entries, andthere may be a need to configure new security associations. It is outside the scope of this specification to discuss automaticmethods for this, if new home addresses are required.Arkko, et al. Standards Track [Page 12]4.3. IPsec Protocol ProcessingThe following requirements apply to both home agents and mobilenodes:o When securing Binding Updates, Binding Acknowledgements, andprefix discovery, both the mobile nodes and the home agents MUSTsupport and SHOULD use the Encapsulating Security Payload (ESP)[3] header in transport mode and MUST use a non-null payloadauthentication algorithm to provide data origin authentication,connectionless integrity and optional anti-replay protection.Mandatory support for encryption and integrity protectionalgorithms is as defined in RFC 2401 [2], RFC 2402 [8], and RFC2406 [3]. Care is needed when selecting suitable encryptionalgorithms for ESP, however. Currently available integrityprotection algorithms are in general considered to be secure. The encryption algorithm, DES, mandated by the current IPsec standards is not, however. This is particularly problematic when IPsecsecurity associations are configured manually, as the same key is used for a long time.o Tunnel mode IPsec ESP MUST be supported and SHOULD be used for the protection of packets belonging to the return routabilityprocedure. A non-null encryption transform and a non-nullauthentication algorithm MUST be applied.Note that the return routability procedure involves two messageexchanges from the mobile node to the correspondent node. Thepurpose of these exchanges is to assure that the mobile node islive at the claimed home and care-of addresses. One of theexchanges is sent directly to and from the correspondent node,while another one is tunneled through the home agent. If anattacker is on the mobile node’s link and the mobile node’scurrent link is an unprotected wireless link, the attacker wouldable to see both sets of messages, and launch attacks based on it (these attacks are discussed further in Section 15.4 of the basespecification [7].) One can prevent the attack by making surethat the packets tunneled through the home agent are encrypted.Note that this specification concerns itself only with on-the-wire formats, and does not dictate specific implementations mechanisms. In the case of IPsec tunnel mode, the use of IP-in-IPencapsulation followed by IPsec transport mode encapsulation mayalso be possible.Arkko, et al. Standards Track [Page 13]。

SRv6（Segment Routing over IPv6）是一种基于IPv6网络的新型路由技术，它通过在IPv6数据包中添加一个24位的标签来标识不同的路径。

这种技术可以提高网络的可扩展性、灵活性和安全性。

以下是一些与SRv6相关的标准：1. RFC 8210：这是SRv6的基本规范，定义了SRv6的基本概念、操作和实现要求。

2. RFC 8365：这个文档描述了如何使用BGP-LS（Border Gateway Protocol - Link State）协议在IPv6网络中传播SRv6路由信息。

3. RFC 8402：这个文档描述了如何使用MP-BGP（Multiprotocol BGP）协议在IPv6网络中传播SRv6路由信息。

4. RFC 8415：这个文档描述了如何使用IS-IS（Intermediate System to Intermediate System）协议在IPv6网络中传播SRv6路由信息。

5. RFC 8475：这个文档描述了如何使用OSPF（Open Shortest Path First）协议在IPv6网络中传播SRv6路由信息。

6. RFC 8597：这个文档描述了如何使用BFD（Bidirectional Forwarding Detection）协议在IPv6网络中检测SRv6路径的状态。

7. RFC 8795：这个文档描述了如何使用LDP（Label Distribution Protocol）协议在IPv6网络中分发SRv6标签。

8. RFC 8879：这个文档描述了如何使用PCE（Path Computation Element）协议在IPv6网络中计算SRv6路径。

9. RFC 8915：这个文档描述了如何使用SDN（Software-Defined Networking）技术来实现SRv6网络。

10. RFC 9119：这个文档描述了如何使用SRv6技术来实现网络切片。

中国移动通信企业标准QB-╳╳-╳╳╳-╳╳╳╳家庭网关终端技术规范T e c h n i c a l S p e c i f i c a t i o n f o r H o m e G a t e w a y版本号：3.0.0╳╳╳╳-╳╳-╳╳发布╳╳╳╳-╳╳-╳╳实施中国移动通信集团公司发布目录1. 范围 ................................................................................................................................................2. 规范性引用文件 .............................................................................................................................3. 术语、定义和缩略语 .....................................................................................................................4. 设备总体定义.................................................................................................................................4.1.设备在网络中的位置 ..................................................................................................................4.2.接口定义 ......................................................................................................................................4.3.设备类型 ......................................................................................................................................5. 接入型家庭网关 .............................................................................................................................5.1.接口要求 ......................................................................................................................................网络侧接口......................................................................................................................................网络侧接口描述..........................................................................................................................................网络侧以太网接口要求..............................................................................................................................接口要求 .......................................................................................................................................................接口要求 .......................................................................................................................................................接口要求 .......................................................................................................................................................用户侧接口......................................................................................................................................用户侧以太网接口要求..............................................................................................................................接口 ...............................................................................................................................................................接口（可选）................................................................................................................................................5.2.功能要求 ......................................................................................................................................数据通信要求..................................................................................................................................协议要求 .......................................................................................................................................................数据转发功能要求......................................................................................................................................功能要求 .......................................................................................................................................................地址管理及拨号管理功能要求....................................................................................................................地址管理及拨号管理功能要求....................................................................................................................要求 ...............................................................................................................................................................要求 ...............................................................................................................................................................组播要求 .....................................................................................................................................................其他功能要求..............................................................................................................................................安全要求..........................................................................................................................................防火墙 .........................................................................................................................................................登陆WEB页面的安全要求..........................................................................................................................设备安全性 .................................................................................................................................................要求....................................................................................................................................................功能要求............................................................................................................................................扩展及管理（可选）........................................................................................................................设备发现要求.........................................................................................................................................................................................................................................................................................................（可选） .......................................................................................................................................................支持WLAN的开启和禁用............................................................................................................................基本要求 .....................................................................................................................................................多SSID要求................................................................................................................................................安全要求 .......................................................................................................................................................5要求 ............................................................................................................................................................要求 ...............................................................................................................................................................基本应用要求................................................................................................................................... WLAN共享 ..................................................................................................................................................家庭存储（可选）......................................................................................................................................5.3.性能要求 ......................................................................................................................................路由转发性能要求..........................................................................................................................吞吐量 .........................................................................................................................................................地址学习 .....................................................................................................................................................缓存大小 (23)连接数量要求.............................................................................................................................................. 无线性能要求....................................................................................................................................吞吐量性能要求 (23)覆盖性能要求................................................................................................................................................接收灵敏度要求............................................................................................................................................5.4.管理和维护要求 (24)本地管理和配置要求......................................................................................................................本地管理基本要求......................................................................................................................................用户分级管理 (24)系统信息管理..............................................................................................................................................基本配置 .....................................................................................................................................................高级配置 .....................................................................................................................................................设备管理 .....................................................................................................................................................网络诊断 .....................................................................................................................................................设备认证注册功能......................................................................................................................................远程管理要求..................................................................................................................................远程管理基本要求......................................................................................................................................远程参数配置和性能监测..........................................................................................................................远程故障诊断功能......................................................................................................................................设备告警功能..............................................................................................................................................远程链路维持功能......................................................................................................................................软件远程管理..............................................................................................................................................业务部署和控制..........................................................................................................................................上行家庭网关远程管理实现方式 ................................................................................................................日志功能要求..................................................................................................................................5.5.预配置要求 ..................................................................................................................................预配置要求......................................................................................................................................5.6.硬件要求 ......................................................................................................................................基本要求..........................................................................................................................................硬件基本框图示例..........................................................................................................................5.7.软件要求 ......................................................................................................................................基本要求..........................................................................................................................................软件基本架构................................................................................................. 错误!未定义书签。

ms33660标准
MS33660是美国军用航空标准（Military Standard）的一部分，也被称为“飞机接头标准”。

它涵盖了航空器上一系列电气连接器的设计、尺寸、性能和测试要求。

MS33660标准主要由几个部分组成，每个部分指定了不同类
型的连接器要求，例如圆形连接器、矩形连接器和多芯连接器。

这些连接器用于在飞机和其他航空器上连接不同的设备和系统，例如通信、雷达、导航和电子战装置。

标准规定了连接器的物理特性，如外形、安装方式、插拔力和密封性能。

它还要求连接器在恶劣的环境条件下具有耐腐蚀、耐振动和耐高温等特性。

此外，标准还涵盖了连接器的电气特性，如接触阻抗、传导性能和屏蔽效能。

为了确保连接器的质量和性能，MS33660还要求进行各种测
试和检查，包括物理尺寸测量、电气性能测量和环境试验。

这些测试和检查确保了连接器在正常和极端条件下的可靠性和稳定性。

总体而言，MS33660标准旨在提供一套统一的设计和性能要求，确保航空器上使用的连接器具有高可靠性和耐用性。

它在美国军用航空和航天领域得到广泛应用，并逐渐成为全球接头标准的参考。

rfc相关设置及使用RFC（Request for Comments）是一种用于定义互联网协议、标准和相关问题的文档。

RFC的格式由互联网工程任务组（IETF）统一规定，它们记录了网络技术的发展和演进过程。

在本文中，我们将介绍RFC相关的设置和使用。

1. 了解RFC的作用和历史：RFC是由IETF组织制定的一种标准化文档，它记录了互联网协议的设计、开发和演化过程。

RFC起源于20世纪60年代的ARPANET，是一种社区驱动的文档，通过共享和讨论来推动互联网技术的发展。

RFC文档旨在提供指南、建议和最佳实践，帮助网络技术人员解决问题。

2. 寻找和阅读RFC文档：RFC文档可以在互联网上免费获取，IETF的官方网站和其他资源库都有存档。

这些文档按照顺序编号，并且以RFC开头，比如RFC 791定义了IPv4协议。

通过搜索引擎或在IETF网站上使用关键词搜索，可以找到特定主题的RFC文档。

阅读RFC文档时，应该注意文档的状态，有一些可能已经被更新或废弃。

3. 使用RFC文档：RFC文档在网络技术的发展过程中起着重要的指导作用。

它们提供了协议规范、算法实现、安全性和隐私等方面的建议。

网络管理员、网络工程师和开发人员可以使用RFC文档来了解和理解特定协议或标准的设计原理和要求。

此外，RFC文档还常用于进行互联网协议的实现、编程和配置。

4. 参与RFC的制定过程：RFC并不是静止的文件，而是一个持续演进的过程。

任何人都可以参与到RFC的制定过程中。

要参与RFC的制定，可以加入IETF并参与相关的工作组或邮件列表。

通过这种方式，个人可以提出改进建议，参与讨论和标准化的制定。

5. 遵循RFC的指导原则：在网络技术领域，遵循RFC的指导原则是至关重要的。

这些指导原则包括设计原则、协议分层、安全性和互操作性等要求。

遵循RFC的指导原则可以确保网络协议的正确性、稳定性和可靠性，同时也可以促进网络技术的发展和创新。

总结起来，RFC在互联网技术领域起着重要的作用，它们记录了互联网协议的发展历程和指导原则。

Internet Engineering Task Force (IETF) J. Fischl Request for Comments: 5763 Skype, Inc. Category: Standards Track H. Tschofenig ISSN: 2070-1721 Nokia Siemens Networks E. Rescorla RTFM, Inc. May 2010 Framework for Establishing a Secure Real-time Transport Protocol (SRTP) Security Context Using Datagram Transport Layer Security (DTLS)AbstractThis document specifies how to use the Session Initiation Protocol(SIP) to establish a Secure Real-time Transport Protocol (SRTP)security context using the Datagram Transport Layer Security (DTLS)protocol. It describes a mechanism of transporting a fingerprintattribute in the Session Description Protocol (SDP) that identifiesthe key that will be presented during the DTLS handshake. The keyexchange travels along the media path as opposed to the signalingpath. The SIP Identity mechanism can be used to protect theintegrity of the fingerprint attribute from modification byintermediate proxies.Status of This MemoThis is an Internet Standards Track document.This document is a product of the Internet Engineering Task Force(IETF). It represents the consensus of the IETF community. It hasreceived public review and has been approved for publication by theInternet Engineering Steering Group (IESG). Further information onInternet Standards is available in Section 2 of RFC 5741.Information about the current status of this document, any errata,and how to provide feedback on it may be obtained at/info/rfc5763.Fischl, et al. Standards Track [Page 1]Copyright NoticeCopyright (c) 2010 IETF Trust and the persons identified as thedocument authors. All rights reserved.This document is subject to BCP 78 and the IETF Trust’s LegalProvisions Relating to IETF Documents(/license-info) in effect on the date ofpublication of this document. Please review these documentscarefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e ofthe Trust Legal Provisions and are provided without warranty asdescribed in the Simplified BSD License.This document may contain material from IETF Documents or IETFContributions published or made publicly available before November10, 2008. The person(s) controlling the copyright in some of thismaterial may not have granted the IETF Trust the right to allowmodifications of such material outside the IETF Standards Process.Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modifiedoutside the IETF Standards Process, and derivative works of it maynot be created outside the IETF Standards Process, except to formatit for publication as an RFC or to translate it into languages other than English.Table of Contents1. Introduction (4)2. Overview (5)3. Motivation (7)4. Terminology (8)5. Establishing a Secure Channel (8)6. Miscellaneous Considerations (10)6.1. Anonymous Calls (10)6.2. Early Media (11)6.3. Forking (11)6.4. Delayed Offer Calls (11)6.5. Multiple Associations (11)6.6. Session Modification (12)6.7. Middlebox Interaction (12)6.7.1. ICE Interaction (12)6.7.2. Latching Control without ICE (13)6.8. Rekeying (13)6.9. Conference Servers and Shared Encryptions Contexts (13)6.10. Media over SRTP (14)6.11. Best Effort Encryption (14)Fischl, et al. Standards Track [Page 2]7. Example Message Flow (14)7.1. Basic Message Flow with Early Media and SIP Identity (14)7.2. Basic Message Flow with Connected Identity (RFC 4916) (19)7.3. Basic Message Flow with STUN Check for NAT Case (23)8. Security Considerations (25)8.1. Responder Identity (25)8.2. SIPS (26)8.3. S/MIME (26)8.4. Continuity of Authentication (26)8.5. Short Authentication String (27)8.6. Limits of Identity Assertions (27)8.7. Third-Party Certificates (29)8.8. Perfect Forward Secrecy (29)9. Acknowledgments (29)10. References (30)10.1. Normative References (30)10.2. Informative References (31)Appendix A. Requirements Analysis (33)A.1. Forking and Retargeting (R-FORK-RETARGET,R-BEST-SECURE, R-DISTINCT) (33)A.2. Distinct Cryptographic Contexts (R-DISTINCT) (33)A.3. Reusage of a Security Context (R-REUSE) (33)A.4. Clipping (R-AVOID-CLIPPING) (33)A.5. Passive Attacks on the Media Path (R-PASS-MEDIA) (33)A.6. Passive Attacks on the Signaling Path (R-PASS-SIG) (34)A.7. (R-SIG-MEDIA, R-ACT-ACT) (34)A.8. Binding to Identifiers (R-ID-BINDING) (34)A.9. Perfect Forward Secrecy (R-PFS) (34)A.10. Algorithm Negotiation (R-COMPUTE) (35)A.11. RTP Validity Check (R-RTP-VALID) (35)A.12. Third-Party Certificates (R-CERTS, R-EXISTING) (35)A.13. FIPS 140-2 (R-FIPS) (35)A.14. Linkage between Keying Exchange and SIP Signaling(R-ASSOC) (35)A.15. Denial-of-Service Vulnerability (R-DOS) (35)A.16. Crypto-Agility (R-AGILITY) (35)A.17. Downgrading Protection (R-DOWNGRADE) (36)A.18. Media Security Negotiation (R-NEGOTIATE) (36)A.19. Signaling Protocol Independence (R-OTHER-SIGNALING) (36)A.20. Media Recording (R-RECORDING) (36)A.21. Interworking with Intermediaries (R-TRANSCODER) (36)A.22. PSTN Gateway Termination (R-PSTN) (36)A.23. R-ALLOW-RTP (36)A.24. R-HERFP (37)Fischl, et al. Standards Track [Page 3]1. IntroductionThe Session Initiation Protocol (SIP) [RFC3261] and the SessionDescription Protocol (SDP) [RFC4566] are used to set up multimediasessions or calls. SDP is also used to set up TCP [RFC4145] andadditionally TCP/TLS connections for usage with media sessions[RFC4572]. The Real-time Transport Protocol (RTP) [RFC3550] is used to transmit real-time media on top of UDP and TCP [RFC4571].Datagram TLS [RFC4347] was introduced to allow TLS functionality tobe applied to datagram transport protocols, such as UDP and DCCP.This document provides guidelines on how to establish SRTP [RFC3711] security over UDP using an extension to DTLS (see [RFC5764]).The goal of this work is to provide a key negotiation technique that allows encrypted communication between devices with no priorrelationships. It also does not require the devices to trust everycall signaling element that was involved in routing or session setup. This approach does not require any extra effort by end users and does not require deployment of certificates that are signed by a well-known certificate authority to all devices.The media is transported over a mutually authenticated DTLS sessionwhere both sides have certificates. It is very important to notethat certificates are being used purely as a carrier for the publickeys of the peers. This is required because DTLS does not have amode for carrying bare keys, but it is purely an issue of formatting. The certificates can be self-signed and completely self-generated.All major TLS stacks have the capability to generate suchcertificates on demand. However, third-party certificates MAY alsobe used if the peers have them (thus reducing the need to trustintermediaries). The certificate fingerprints are sent in SDP overSIP as part of the offer/answer exchange.The fingerprint mechanism allows one side of the connection to verify that the certificate presented in the DTLS handshake matches thecertificate used by the party in the signaling. However, thisrequires some form of integrity protection on the signaling. S/MIME signatures, as described in RFC 3261, or SIP Identity, as describedin [RFC4474], provide the highest level of security because they are not susceptible to modification by malicious intermediaries.However, even hop-by-hop security, such as provided by SIPS, offerssome protection against modification by attackers who are not incontrol of on-path signaling elements. Because DTLS-SRTP onlyrequires message integrity and not confidentiality for the signaling, the number of elements that must have credentials and be trusted issignificantly reduced. In particular, if RFC 4474 is used, only the Authentication Service need have a certificate and be trusted.Intermediate elements cannot undetectably modify the message and Fischl, et al. Standards Track [Page 4]therefore cannot mount a man-in-the-middle (MITM) attack. Bycomparison, because SDESCRIPTIONS [RFC4568] requires confidentiality for the signaling, all intermediate elements must be trusted.This approach differs from previous attempts to secure media traffic where the authentication and key exchange protocol (e.g., Multimedia Internet KEYing (MIKEY) [RFC3830]) is piggybacked in the signalingmessage exchange. With DTLS-SRTP, establishing the protection of the media traffic between the endpoints is done by the media endpointswith only a cryptographic binding of the media keying to the SIP/SDP communication. It allows RTP and SIP to be used in the usual manner when there is no encrypted media.In SIP, typically the caller sends an offer and the callee maysubsequently send one-way media back to the caller before a SIPanswer is received by the caller. The approach in thisspecification, where the media key negotiation is decoupled from the SIP signaling, allows the early media to be set up before the SIPanswer is received while preserving the important security propertyof allowing the media sender to choose some of the keying materialfor the media. This also allows the media sessions to be changed,rekeyed, and otherwise modified after the initial SIP signalingwithout any additional SIP signaling.Design decisions that influence the applicability of thisspecification are discussed in Section 3.2. OverviewEndpoints wishing to set up an RTP media session do so by exchanging offers and answers in SDP messages over SIP. In a typical use case, two endpoints would negotiate to transmit audio data over RTP usingthe UDP protocol.Figure 1 shows a typical message exchange in the SIP trapezoid. Fischl, et al. Standards Track [Page 5]+-----------+ +-----------+|SIP | SIP/SDP |SIP |+------>|Proxy |----------->|Proxy |-------+| |Server X | (+finger- |Server Y | || +-----------+ print, +-----------+ || +auth.id.) || SIP/SDP SIP/SDP || (+fingerprint) (+fingerprint,|| +auth.id.) || || v+-----------+ Datagram TLS +-----------+|SIP | <-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-> |SIP ||User Agent | Media |User Agent ||Alice@X | <=================================> |Bob@Y |+-----------+ +-----------+Legend:------>: Signaling Traffic<-+-+->: Key Management Traffic<=====>: Data TrafficFigure 1: DTLS Usage in the SIP TrapezoidConsider Alice wanting to set up an encrypted audio session withBob. Both Bob and Alice could use public-key-based authentication in order to establish a confidentiality protected channel using DTLS.Since providing mutual authentication between two arbitrary endpoints on the Internet using public-key-based cryptography tends to beproblematic, we consider more deployment-friendly alternatives. This document uses one approach and several others are discussed inSection 8.Alice sends an SDP offer to Bob over SIP. If Alice uses only self-signed certificates for the communication with Bob, a fingerprint is included in the SDP offer/answer exchange. This fingerprint bindsthe DTLS key exchange in the media plane to the signaling plane.The fingerprint alone protects against active attacks on the mediabut not active attacks on the signaling. In order to prevent active attacks on the signaling, "Enhancements for Authenticated IdentityManagement in the Session Initiation Protocol (SIP)" [RFC4474] may be used. When Bob receives the offer, the peers establish some numberof DTLS connections (depending on the number of media sessions) with mutual DTLS authentication (i.e., both sides provide certificates).At this point, Bob can verify that Alice’s credentials offered in TLS match the fingerprint in the SDP offer, and Bob can begin sending Fischl, et al. Standards Track [Page 6]media to Alice. Once Bob accepts Alice’s offer and sends an SDPanswer to Alice, Alice can begin sending confidential media to Bobover the appropriate streams. Alice and Bob will verify that thefingerprints from the certificates received over the DTLS handshakes match with the fingerprints received in the SDP of the SIP signaling. This provides the security property that Alice knows that the mediatraffic is going to Bob and vice versa without necessarily requiring global Public Key Infrastructure (PKI) certificates for Alice andBob. (See Section 8 for detailed security analysis.)3. MotivationAlthough there is already prior work in this area (e.g., SecurityDescriptions for SDP [RFC4568], Key Management Extensions [RFC4567]combined with MIKEY [RFC3830] for authentication and key exchange),this specification is motivated as follows:o TLS will be used to offer security for connection-oriented media. The design of TLS is well-known and implementations are widelyavailable.o This approach deals with forking and early media without requiring support for Provisional Response ACKnowledgement (PRACK) [RFC3262] while preserving the important security property of allowing theofferer to choose keying material for encrypting the media.o The establishment of security protection for the media path isalso provided along the media path and not over the signalingpath. In many deployment scenarios, the signaling and mediatraffic travel along a different path through the network.o When RFC 4474 is used, this solution works even when the SIPproxies downstream of the authentication service are not trusted. There is no need to reveal keys in the SIP signaling or in the SDP message exchange, as is done in SDESCRIPTIONS [RFC4568].Retargeting of a dialog-forming request (changing the value of the Request-URI), the User Agent (UA) that receives it (the User Agent Server, UAS) can have a different identity from that in the Toheader field. When RFC 4916 is used, then it is possible tosupply its identity to the peer UA by means of a request in thereverse direction, and for that identity to be signed by anAuthentication Service.o In this method, synchronization source (SSRC) collisions do notresult in any extra SIP signaling.Fischl, et al. Standards Track [Page 7]o Many SIP endpoints already implement TLS. The changes to existing SIP and RTP usage are minimal even when DTLS-SRTP [RFC5764] isused.4. TerminologyThe key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT","SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].DTLS/TLS uses the term "session" to refer to a long-lived set ofkeying material that spans associations. In this document,consistent with SIP/SDP usage, we use it to refer to a multimediasession and use the term "TLS session" to refer to the TLS construct. We use the term "association" to refer to a particular DTLS ciphersuite and keying material set that is associated with a single host/ port quartet. The same DTLS/TLS session can be used to establish the keying material for multiple associations. For consistency withother SIP/SDP usage, we use the term "connection" when what’s beingreferred to is a multimedia stream that is not specifically DTLS/TLS. In this document, the term "Mutual DTLS" indicates that both the DTLS client and server present certificates even if one or bothcertificates are self-signed.5. Establishing a Secure ChannelThe two endpoints in the exchange present their identities as part of the DTLS handshake procedure using certificates. This document uses certificates in the same style as described in "Connection-OrientedMedia Transport over the Transport Layer Security (TLS) Protocol inthe Session Description Protocol (SDP)" [RFC4572].If self-signed certificates are used, the content of thesubjectAltName attribute inside the certificate MAY use the uniformresource identifier (URI) of the user. This is useful for debugging purposes only and is not required to bind the certificate to one ofthe communication endpoints. The integrity of the certificate isensured through the fingerprint attribute in the SDP. ThesubjectAltName is not an important component of the certificateverification.The generation of public/private key pairs is relatively expensive.Endpoints are not required to generate certificates for each session. The offer/answer model, defined in [RFC3264], is used by protocolslike the Session Initiation Protocol (SIP) [RFC3261] to set upmultimedia sessions. In addition to the usual contents of an SDP Fischl, et al. Standards Track [Page 8][RFC4566] message, each media description ("m=" line and associatedparameters) will also contain several attributes as specified in[RFC5764], [RFC4145], and [RFC4572].When an endpoint wishes to set up a secure media session with another endpoint, it sends an offer in a SIP message to the other endpoint.This offer includes, as part of the SDP payload, the fingerprint ofthe certificate that the endpoint wants to use. The endpoint SHOULD send the SIP message containing the offer to the offerer’s SIP proxy over an integrity protected channel. The proxy SHOULD add anIdentity header field according to the procedures outlined in[RFC4474]. The SIP message containing the offer SHOULD be sent tothe offerer’s SIP proxy over an integrity protected channel. Whenthe far endpoint receives the SIP message, it can verify the identity of the sender using the Identity header field. Since the Identityheader field is a digital signature across several SIP header fields, in addition to the body of the SIP message, the receiver can also be certain that the message has not been tampered with after the digital signature was applied and added to the SIP message.The far endpoint (answerer) may now establish a DTLS association with the offerer. Alternately, it can indicate in its answer that theofferer is to initiate the TLS association. In either case, mutualDTLS certificate-based authentication will be used. After completing the DTLS handshake, information about the authenticated identities,including the certificates, are made available to the endpointapplication. The answerer is then able to verify that the offerer’s certificate used for authentication in the DTLS handshake can beassociated to the certificate fingerprint contained in the offer inthe SDP. At this point, the answerer may indicate to the end userthat the media is secured. The offerer may only tentatively acceptthe answerer’s certificate since it may not yet have the answerer’scertificate fingerprint.When the answerer accepts the offer, it provides an answer back tothe offerer containing the answerer’s certificate fingerprint. Atthis point, the offerer can accept or reject the peer’s certificateand the offerer can indicate to the end user that the media issecured.Note that the entire authentication and key exchange for securing the media traffic is handled in the media path through DTLS. Thesignaling path is only used to verify the peers’ certificatefingerprints.Fischl, et al. Standards Track [Page 9]The offer and answer MUST conform to the following requirements.o The endpoint MUST use the setup attribute defined in [RFC4145].The endpoint that is the offerer MUST use the setup attributevalue of setup:actpass and be prepared to receive a client_hellobefore it receives the answer. The answerer MUST use either asetup attribute value of setup:active or setup:passive. Note that if the answerer uses setup:passive, then the DTLS handshake willnot begin until the answerer is received, which adds additionallatency. setup:active allows the answer and the DTLS handshake to occur in parallel. Thus, setup:active is RECOMMENDED. Whichever party is active MUST initiate a DTLS handshake by sending aClientHello over each flow (host/port quartet).o The endpoint MUST NOT use the connection attribute defined in[RFC4145].o The endpoint MUST use the certificate fingerprint attribute asspecified in [RFC4572].o The certificate presented during the DTLS handshake MUST match the fingerprint exchanged via the signaling path in the SDP. Thesecurity properties of this mechanism are described in Section 8. o If the fingerprint does not match the hashed certificate, then the endpoint MUST tear down the media session immediately. Note that it is permissible to wait until the other side’s fingerprint hasbeen received before establishing the connection; however, thismay have undesirable latency effects.6. Miscellaneous Considerations6.1. Anonymous CallsThe use of DTLS-SRTP does not provide anonymous calling; however, it also does not prevent it. However, if care is not taken whenanonymous calling features, such as those described in [RFC3325] or[RFC5767] are used, DTLS-SRTP may allow deanonymizing an otherwiseanonymous call. When anonymous calls are being made, the followingprocedures SHOULD be used to prevent deanonymization.When making anonymous calls, a new self-signed certificate SHOULD be used for each call so that the calls cannot be correlated as to being from the same caller. In situations where some degree of correlation is acceptable, the same certificate SHOULD be used for a number ofcalls in order to enable continuity of authentication; seeSection 8.4.Fischl, et al. Standards Track [Page 10]Additionally, note that in networks that deploy [RFC3325], RFC 3325requires that the Privacy header field value defined in [RFC3323]needs to be set to ’id’. This is used in conjunction with the SIPidentity mechanism to ensure that the identity of the user is notasserted when enabling anonymous calls. Furthermore, the content of the subjectAltName attribute inside the certificate MUST NOT contain information that either allows correlation or identification of theuser that wishes to place an anonymous call. Note that followingthis recommendation is not sufficient to provide anonymization.6.2. Early MediaIf an offer is received by an endpoint that wishes to provide earlymedia, it MUST take the setup:active role and can immediatelyestablish a DTLS association with the other endpoint and beginsending media. The setup:passive endpoint may not yet have validated the fingerprint of the active endpoint’s certificate. The securityaspects of media handling in this situation are discussed inSection 8.6.3. ForkingIn SIP, it is possible for a request to fork to multiple endpoints.Each forked request can result in a different answer. Assuming that the requester provided an offer, each of the answerers will provide a unique answer. Each answerer will form a DTLS association with theofferer. The offerer can then securely correlate the SDP answerreceived in the SIP message by comparing the fingerprint in theanswer to the hashed certificate for each DTLS association.6.4. Delayed Offer CallsAn endpoint may send a SIP INVITE request with no offer in it. When this occurs, the receiver(s) of the INVITE will provide the offer in the response and the originator will provide the answer in thesubsequent ACK request or in the PRACK request [RFC3262], if bothendpoints support reliable provisional responses. In any event, the active endpoint still establishes the DTLS association with thepassive endpoint as negotiated in the offer/answer exchange.6.5. Multiple AssociationsWhen there are multiple flows (e.g., multiple media streams, non-multiplexed RTP and RTCP, etc.) the active side MAY perform the DTLS handshakes in any order. Appendix B of [RFC5764] provides someguidance on the performance of parallel DTLS handshakes. Note thatif the answerer ends up being active, it may only initiate handshakes on some subset of the potential streams (e.g., if audio and video are Fischl, et al. Standards Track [Page 11]offered but it only wishes to do audio). If the offerer ends upbeing active, the complete answer will be received before the offerer begins initiating handshakes.6.6. Session ModificationOnce an answer is provided to the offerer, either endpoint MAYrequest a session modification that MAY include an updated offer.This session modification can be carried in either an INVITE orUPDATE request. The peers can reuse the existing associations ifthey are compatible (i.e., they have the same key fingerprints andtransport parameters), or establish a new one following the samerules are for initial exchanges, tearing down the existingassociation as soon as the offer/answer exchange is completed. Note that if the active/passive status of the endpoints changes, a newconnection MUST be established.6.7. Middlebox InteractionThere are a number of potentially bad interactions between DTLS-SRTP and middleboxes, as documented in [MMUSIC-MEDIA], which also provides recommendations for avoiding such problems.6.7.1. ICE InteractionInteractive Connectivity Establishment (ICE), as specified in[RFC5245], provides a methodology of allowing participants inmultimedia sessions to verify mutual connectivity. When ICE is being used, the ICE connectivity checks are performed before the DTLShandshake begins. Note that if aggressive nomination mode is used,multiple candidate pairs may be marked valid before ICE finallyconverges on a single candidate pair. Implementations MUST treat all ICE candidate pairs associated with a single component as part of the same DTLS association. Thus, there will be only one DTLS handshakeeven if there are multiple valid candidate pairs. Note that this may mean adjusting the endpoint IP addresses if the selected candidatepair shifts, just as if the DTLS packets were an ordinary mediastream.Note that Simple Traversal of the UDP Protocol through NAT (STUN)packets are sent directly over UDP, not over DTLS. [RFC5764]describes how to demultiplex STUN packets from DTLS packets and SRTP packets.Fischl, et al. Standards Track [Page 12]6.7.2. Latching Control without ICEIf ICE is not being used, then there is potential for a badinteraction with Session Border Controllers (SBCs) via "latching", as described in [MMUSIC-MEDIA]. In order to avoid this issue, if ICE is not being used and the DTLS handshake has not completed uponreceiving the other side’s SDP, then the passive side MUST do asingle unauthenticated STUN [RFC5389] connectivity check in order to open up the appropriate pinhole. All implementations MUST beprepared to answer this request during the handshake period even ifthey do not otherwise do ICE. However, the active side MUST proceed with the DTLS handshake as appropriate even if no such STUN check is received and the passive MUST NOT wait for a STUN answer beforesending its ServerHello.6.8. RekeyingAs with TLS, DTLS endpoints can rekey at any time by redoing the DTLS handshake. While the rekey is under way, the endpoints continue touse the previously established keying material for usage with DTLS.Once the new session keys are established, the session can switch to using these and abandon the old keys. This ensures that latency isnot introduced during the rekeying process.Further considerations regarding rekeying in case the SRTP securitycontext is established with DTLS can be found in Section 3.7 of[RFC5764].6.9. Conference Servers and Shared Encryptions ContextsIt has been proposed that conference servers might use the sameencryption context for all of the participants in a conference. The advantage of this approach is that the conference server only needsto encrypt the output for all speakers instead of once perparticipant.This shared encryption context approach is not possible under thisspecification because each DTLS handshake establishes fresh keys that are not completely under the control of either side. However, it is argued that the effort to encrypt each RTP packet is small comparedto the other tasks performed by the conference server such as thecodec processing.Future extensions, such as [SRTP-EKT] or [KEY-TRANSPORT], could beused to provide this functionality in concert with the mechanismsdescribed in this specification.Fischl, et al. Standards Track [Page 13]。

Network Working Group R. Sivaramu Request for Comments: 5060 Cisco Systems Category: Standards Track J. Lingard Arastra, Inc D. McWalter Data Connection Ltd B. Joshi Infosys Technologies Ltd A. Kessler Cisco Systems January 2008 Protocol Independent Multicast MIBStatus of This MemoThis document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions forimprovements. Please refer to the current edition of the "InternetOfficial Protocol Standards" (STD 1) for the standardization stateand status of this protocol. Distribution of this memo is unlimited.AbstractThis memo defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it describes managed objects used for managing theProtocol Independent Multicast (PIM) protocols: PIM-SM (Sparse Mode), BIDIR-PIM (Bidirectional), and PIM-DM (Dense Mode). This document is part of work in progress to obsolete RFC 2934, and is to be preferred where the two documents overlap. This document does not obsolete RFC 2934.Table of Contents1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 22. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 23. The Internet-Standard Management Framework . . . . . . . . . . 24. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 35. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 46. Security Considerations . . . . . . . . . . . . . . . . . . . 827. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 868. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 869. References . . . . . . . . . . . . . . . . . . . . . . . . . . 86 9.1. Normative References . . . . . . . . . . . . . . . . . . . 86 9.2. Informative References . . . . . . . . . . . . . . . . . . 87 Sivaramu, et al. Standards Track [Page 1]1. IntroductionThis memo defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it describes managed objects used for managing theProtocol Independent Multicast (PIM) protocols (PIM-SM [RFC4601],BIDIR-PIM [RFC5015], and PIM-DM [RFC3973]).This document is part of work in progress to obsolete RFC 2934[RFC2934]. RFC 2934 defined an experimental MIB module for managing the PIM protocols. The MIB module defined by this document is a re- working of the MIB module from RFC 2934, with major changes thatinclude the following.o This MIB module is independent of IP version, whereas RFC 2934only supported IPv4.o This MIB module includes support for managing BIDIR-PIM.o This MIB module retains limited support for managing PIM-DM[RFC3973], but that is no longer its primary purpose.o This MIB module does not include support for managing PIM-SM v1.o This MIB module does not depend on the IPv4 Multicast Routing MIB defined in RFC 2932 [RFC2932].o This MIB module includes support for configuring static Rendezvous Points (RPs).o This MIB module includes support for configuring anycast RPs[RFC4610].2. TerminologyThe key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT","SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].3. The Internet-Standard Management FrameworkFor a detailed overview of the documents that describe the currentInternet-Standard Management Framework, please refer to section 7 of RFC 3410 [RFC3410].Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. MIB objects are generallyaccessed through the Simple Network Management Protocol (SNMP). Sivaramu, et al. Standards Track [Page 2]Objects in the MIB are defined using the mechanisms defined in theStructure of Management Information (SMI). This memo specifies a MIB module that is compliant to the SMIv2, which is described in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580[RFC2580].4. OverviewThis MIB module contains the following tables.1. The PIM Interface Table, which contains one row per IP versionfor each interface of the router which is running PIM.2. The PIM Neighbor Table, which contains one row for each of therouter’s PIM neighbors.3. The PIM Neighbor Secondary Address Table, which contains one row for each secondary address advertised by each of the router’sPIM neighbors.4. The PIM (*,G) State Table, which contains one row for each group for which PIM has (*,G) state.5. The PIM (*,G,I) State Table, which contains one row for eachgroup and interface for which PIM has interface-specific (*,G)state.6. The PIM (S,G) State Table, which contains one row for eachsource and group for which PIM has (S,G) state.7. The PIM (S,G,I) State Table, which contains one row for eachsource, group, and interface for which PIM has interface-specific (S,G) state.8. The PIM (S,G,rpt) State Table, which contains one row for eachsource and group for which PIM has (S,G,rpt) state.9. The PIM (S,G,rpt,I) State Table, which contains one row for each source, group, and interface for which PIM has interface-specific (S,G,rpt) state.10. The PIM Bidir DF-Election Table, which contains one row perinterface for each Rendezvous Point (RP) for whichBidirectional-PIM Designated Forwarder (DF) election state ismaintained.Sivaramu, et al. Standards Track [Page 3]11. The PIM Static RP Table, which contains one row per range ofmulticast group addresses for which a particular configured RPshould be used.12. The PIM Group Mapping Table, which contains one row for eachmapping from a multicast group address prefix to the PIM modeand RP address to use for groups within that group prefix,regardless of the source of the group mapping information.13. The PIM Anycast-RP Set Table, which contains one row for each RP within each Anycast-RP set of which the local router is amember.This MIB module uses textual conventions defined in the IF-MIB[RFC2863], the INET-ADDRESS-MIB [RFC4001], and the IANA-RTPROTO-MIB[RTPROTO]. This MIB module REFERENCEs [RFC3376], [RFC3569],[RFC3618], [RFC3810], [RFC3956], [RFC3973], [RFC4601], [RFC4610],[RFC5015], [RFC5059], and [IPMCAST-MIB].5. DefinitionsPIM-STD-MIB DEFINITIONS ::= BEGINIMPORTSMODULE-IDENTITY, OBJECT-TYPE, mib-2,NOTIFICATION-TYPE, Unsigned32,Counter32, Counter64, Gauge32,TimeTicks FROM SNMPv2-SMI -- [RFC2578] TEXTUAL-CONVENTION,RowStatus, TruthValue,StorageType FROM SNMPv2-TC -- [RFC2579] MODULE-COMPLIANCE, OBJECT-GROUP,NOTIFICATION-GROUP FROM SNMPv2-CONF -- [RFC2580] InterfaceIndexOrZero,InterfaceIndex FROM IF-MIB -- [RFC2863] InetAddressType,InetAddressPrefixLength,InetAddress, InetVersion FROM INET-ADDRESS-MIB -- [RFC4001] IANAipRouteProtocol FROM IANA-RTPROTO-MIB; -- [RTPROTO] pimStdMIB MODULE-IDENTITYLAST-UPDATED "200711020000Z" -- 2 November 2007ORGANIZATION"IETF Protocol Independent Multicast (PIM) Working Group"CONTACT-INFO"Email: pim@WG charter:Sivaramu, et al. Standards Track [Page 4]/html.charters/pim-charter.html"DESCRIPTION"The MIB module for management of PIM routers.Copyright (C) The IETF Trust (2007). This version of thisMIB module is part of RFC 5060; see the RFC itself for full legal notices."REVISION "200711020000Z" -- 2 November 2007DESCRIPTION "Initial version, published as RFC 5060."::= { mib-2 157 }---- Textual Conventions--PimMode ::= TEXTUAL-CONVENTIONSTATUS currentDESCRIPTION"The PIM mode in which a group is operating.none(1) The group is not using PIM, which may be thecase if, for example, it is a link-local orunroutable group address.ssm(2) Source-Specific Multicast (SSM) with PIM Sparse Mode.asm(3) Any Source Multicast (ASM) with PIM SparseMode.bidir(4) Bidirectional PIM.dm(5) PIM Dense Mode.other(6) Any other PIM mode."SYNTAX INTEGER {none(1),ssm(2),asm(3),bidir(4),dm(5),other(6)}PimGroupMappingOriginType ::= TEXTUAL-CONVENTIONSTATUS currentDESCRIPTIONSivaramu, et al. Standards Track [Page 5]"The mechanism by which a PIM group mapping was learned.fixed(1) Link-local or unroutable group mappings.configRp(2) Local static RP configuration.configSsm(3) Local SSM Group configuration.bsr(4) The PIM Bootstrap Router (BSR) mechanism.autoRP(5) Cisco’s Auto-RP mechanism.embedded(6) The Embedded-RP mechanism where the RP address is embedded in the multicast group address.other(7) Any other mechanism."REFERENCE "RFC 3569, RFC 3956, and RFC 5059"SYNTAX INTEGER {fixed(1),configRp(2),configSsm(3),bsr(4),autoRP(5),embedded(6),other(7)}---- Top-level structure--pimNotifications OBJECT IDENTIFIER ::= { pimStdMIB 0 }pim OBJECT IDENTIFIER ::= { pimStdMIB 1 }pimKeepalivePeriod OBJECT-TYPESYNTAX Unsigned32 (0..65535)UNITS "seconds"MAX-ACCESS read-writeSTATUS currentDESCRIPTION"The duration of the Keepalive Timer. This is the periodduring which the PIM router will maintain (S,G) state in the absence of explicit (S,G) local membership or (S,G) joinmessages received to maintain it. This timer period iscalled the Keepalive_Period in the PIM-SM specification. It is called the SourceLifetime in the PIM-DM specification. Sivaramu, et al. Standards Track [Page 6]The storage type of this object is determined bypimDeviceConfigStorageType."REFERENCE "RFC 4601 section 4.11"DEFVAL { 210 }::= { pim 14 }pimRegisterSuppressionTime OBJECT-TYPESYNTAX Unsigned32 (0..65535)UNITS "seconds"MAX-ACCESS read-writeSTATUS currentDESCRIPTION"The duration of the Register Suppression Timer. This isthe period during which a PIM Designated Router (DR) stopssending Register-encapsulated data to the Rendezvous Point(RP) after receiving a Register-Stop message. This objectis used to run timers both at the DR and at the RP. Thistimer period is called the Register_Suppression_Time in the PIM-SM specification.The storage type of this object is determined bypimDeviceConfigStorageType."REFERENCE "RFC 4601 section 4.11"DEFVAL { 60 }::= { pim 15 }pimStarGEntries OBJECT-TYPESYNTAX Gauge32MAX-ACCESS read-onlySTATUS currentDESCRIPTION"The number of entries in the pimStarGTable."::= { pim 16 }pimStarGIEntries OBJECT-TYPESYNTAX Gauge32MAX-ACCESS read-onlySTATUS currentDESCRIPTION"The number of entries in the pimStarGITable."::= { pim 17 }pimSGEntries OBJECT-TYPESYNTAX Gauge32MAX-ACCESS read-onlySTATUS currentDESCRIPTION"The number of entries in the pimSGTable."Sivaramu, et al. Standards Track [Page 7]::= { pim 18 }pimSGIEntries OBJECT-TYPESYNTAX Gauge32MAX-ACCESS read-onlySTATUS currentDESCRIPTION"The number of entries in the pimSGITable."::= { pim 19 }pimSGRptEntries OBJECT-TYPESYNTAX Gauge32MAX-ACCESS read-onlySTATUS currentDESCRIPTION"The number of entries in the pimSGRptTable."::= { pim 20 }pimSGRptIEntries OBJECT-TYPESYNTAX Gauge32MAX-ACCESS read-onlySTATUS currentDESCRIPTION"The number of entries in the pimSGRptITable."::= { pim 21 }pimOutAsserts OBJECT-TYPESYNTAX Counter64MAX-ACCESS read-onlySTATUS currentDESCRIPTION"The number of Asserts sent by this router.Discontinuities in the value of this counter can occur atre-initialization of the management system, for example,when the device is rebooted."REFERENCE "RFC 4601 section 4.6"::= { pim 22 }pimInAsserts OBJECT-TYPESYNTAX Counter64MAX-ACCESS read-onlySTATUS currentDESCRIPTION"The number of Asserts received by this router. Assertsare multicast to all routers on a network. This counter is incremented by all routers that receive an assert, not only those routers that are contesting the assert.Sivaramu, et al. Standards Track [Page 8]Discontinuities in the value of this counter can occur atre-initialization of the management system, for example,when the device is rebooted."REFERENCE "RFC 4601 section 4.6"::= { pim 23 }pimLastAssertInterface OBJECT-TYPESYNTAX InterfaceIndexOrZeroMAX-ACCESS read-onlySTATUS currentDESCRIPTION"The interface on which this router most recently sent orreceived an assert, or zero if this router has not sent orreceived an assert."REFERENCE "RFC 4601 section 4.6"::= { pim 24 }pimLastAssertGroupAddressType OBJECT-TYPESYNTAX InetAddressTypeMAX-ACCESS read-onlySTATUS currentDESCRIPTION"The address type of the multicast group address in the most recently sent or received assert. If this router has notsent or received an assert, then this object is set tounknown(0)."::= { pim 25 }pimLastAssertGroupAddress OBJECT-TYPESYNTAX InetAddress (SIZE (0|4|8|16|20))MAX-ACCESS read-onlySTATUS currentDESCRIPTION"The multicast group address in the most recently sent orreceived assert. The InetAddressType is given by thepimLastAssertGroupAddressType object."::= { pim 26 }pimLastAssertSourceAddressType OBJECT-TYPESYNTAX InetAddressTypeMAX-ACCESS read-onlySTATUS currentDESCRIPTION"The address type of the source address in the most recently sent or received assert. If the most recent assert was(*,G), or if this router has not sent or received an assert, then this object is set to unknown(0)."::= { pim 27 }Sivaramu, et al. Standards Track [Page 9]pimLastAssertSourceAddress OBJECT-TYPESYNTAX InetAddress (SIZE (0|4|8|16|20))MAX-ACCESS read-onlySTATUS currentDESCRIPTION"The source address in the most recently sent or receivedassert. The InetAddressType is given by thepimLastAssertSourceAddressType object."::= { pim 28 }pimNeighborLossNotificationPeriod OBJECT-TYPESYNTAX Unsigned32 (0..65535)UNITS "seconds"MAX-ACCESS read-writeSTATUS currentDESCRIPTION"The minimum time that must elapse between pimNeighborLossnotifications originated by this router. The maximum value 65535 represents an ’infinite’ time, in which case, nopimNeighborLoss notifications are ever sent.The storage type of this object is determined bypimDeviceConfigStorageType."DEFVAL { 0 }::= { pim 29 }pimNeighborLossCount OBJECT-TYPESYNTAX Counter32MAX-ACCESS read-onlySTATUS currentDESCRIPTION"The number of neighbor loss events that have occurred.This counter is incremented when the neighbor timer expires, and the router has no other neighbors on the same interface with the same IP version and a lower IP address than itself. This counter is incremented whenever a pimNeighborLossnotification would be generated.Discontinuities in the value of this counter can occur atre-initialization of the management system, for example,when the device is rebooted."REFERENCE "RFC 4601 section 4.3.2"::= { pim 30 }pimInvalidRegisterNotificationPeriod OBJECT-TYPESYNTAX Unsigned32 (10..65535)Sivaramu, et al. Standards Track [Page 10]UNITS "seconds"MAX-ACCESS read-writeSTATUS currentDESCRIPTION"The minimum time that must elapse betweenpimInvalidRegister notifications originated by this router. The default value of 65535 represents an ’infinite’ time, in which case, no pimInvalidRegister notifications are eversent.The non-zero minimum allowed value provides resilienceagainst propagation of denial-of-service attacks from thedata and control planes to the network management plane.The storage type of this object is determined bypimDeviceConfigStorageType."DEFVAL { 65535 }::= { pim 31 }pimInvalidRegisterMsgsRcvd OBJECT-TYPESYNTAX Counter32MAX-ACCESS read-onlySTATUS currentDESCRIPTION"The number of invalid PIM Register messages that have been received by this device.A PIM Register message is invalid if eithero the destination address of the Register message does notmatch the Group to RP mapping on this device, oro this device believes the group address to be within anSSM address range, but this Register implies ASM usage.These conditions can occur transiently while RP mappingchanges propagate through the network. If this counter isincremented repeatedly over several minutes, then there is a persisting configuration error that requires correction.The active Group to RP mapping on this device is specifiedby the object pimGroupMappingPimMode. If there is no suchmapping, then the object pimGroupMappingPimMode is absent.The RP address contained in the invalid Register ispimInvalidRegisterRp.Multicast data carried by invalid Register messages isdiscarded. The discarded data is from a source directly Sivaramu, et al. Standards Track [Page 11]connected to pimInvalidRegisterOrigin, and is addressed topimInvalidRegisterGroup.Discontinuities in the value of this counter can occur atre-initialization of the management system, for example,when the device is rebooted."REFERENCE "RFC 4601 section 4.4.2, RFC 3569, and’IP Multicast MIB’ (August 2007) ipMcastSsmRangeTable"::= { pim 32 }pimInvalidRegisterAddressType OBJECT-TYPESYNTAX InetAddressTypeMAX-ACCESS read-onlySTATUS currentDESCRIPTION"The address type stored in pimInvalidRegisterOrigin,pimInvalidRegisterGroup, and pimInvalidRegisterRp.If no invalid Register messages have been received, thenthis object is set to unknown(0)."::= { pim 33 }pimInvalidRegisterOrigin OBJECT-TYPESYNTAX InetAddress (SIZE (0|4|8|16|20))MAX-ACCESS read-onlySTATUS currentDESCRIPTION"The source address of the last invalid Register messagereceived by this device."::= { pim 34 }pimInvalidRegisterGroup OBJECT-TYPESYNTAX InetAddress (SIZE (0|4|8|16|20))MAX-ACCESS read-onlySTATUS currentDESCRIPTION"The IP multicast group address to which the last invalidRegister message received by this device was addressed."::= { pim 35 }pimInvalidRegisterRp OBJECT-TYPESYNTAX InetAddress (SIZE (0|4|8|16|20))MAX-ACCESS read-onlySTATUS currentDESCRIPTION"The RP address to which the last invalid Register messagereceived by this device was delivered."::= { pim 36 }Sivaramu, et al. Standards Track [Page 12]pimInvalidJoinPruneNotificationPeriod OBJECT-TYPESYNTAX Unsigned32 (10..65535)UNITS "seconds"MAX-ACCESS read-writeSTATUS currentDESCRIPTION"The minimum time that must elapse betweenpimInvalidJoinPrune notifications originated by this router. The default value of 65535 represents an ’infinite’ time, in which case, no pimInvalidJoinPrune notifications are eversent.The non-zero minimum allowed value provides resilienceagainst propagation of denial-of-service attacks from thecontrol plane to the network management plane.The storage type of this object is determined bypimDeviceConfigStorageType."DEFVAL { 65535 }::= { pim 37 }pimInvalidJoinPruneMsgsRcvd OBJECT-TYPESYNTAX Counter32MAX-ACCESS read-onlySTATUS currentDESCRIPTION"The number of invalid PIM Join/Prune messages that havebeen received by this device.A PIM Join/Prune message is invalid if eithero the Group to RP mapping specified by this message does not match the Group to RP mapping on this device, oro this device believes the group address to be within anSSM address range, but this Join/Prune (*,G) or (S,G,rpt) implies ASM usage.These conditions can occur transiently while RP mappingchanges propagate through the network. If this counter isincremented repeatedly over several minutes, then there is a persisting configuration error that requires correction.The active Group to RP mapping on this device is specifiedby the object pimGroupMappingPimMode. If there is no suchmapping, then the object pimGroupMappingPimMode is absent.The RP address contained in the invalid Join/Prune ispimInvalidJoinPruneRp.Sivaramu, et al. Standards Track [Page 13]Invalid Join/Prune messages are discarded. This may result in loss of multicast data affecting listeners downstream of pimInvalidJoinPruneOrigin, for multicast data addressed topimInvalidJoinPruneGroup.Discontinuities in the value of this counter can occur atre-initialization of the management system, for example,when the device is rebooted."REFERENCE "RFC 4601 section 4.5.2, RFC 3569, and’IP Multicast MIB’ (August 2007) ipMcastSsmRangeTable"::= { pim 38 }pimInvalidJoinPruneAddressType OBJECT-TYPESYNTAX InetAddressTypeMAX-ACCESS read-onlySTATUS currentDESCRIPTION"The address type stored in pimInvalidJoinPruneOrigin,pimInvalidJoinPruneGroup, and pimInvalidJoinPruneRp.If no invalid Join/Prune messages have been received, thisobject is set to unknown(0)."::= { pim 39 }pimInvalidJoinPruneOrigin OBJECT-TYPESYNTAX InetAddress (SIZE (0|4|8|16|20))MAX-ACCESS read-onlySTATUS currentDESCRIPTION"The source address of the last invalid Join/Prune messagereceived by this device."::= { pim 40 }pimInvalidJoinPruneGroup OBJECT-TYPESYNTAX InetAddress (SIZE (0|4|8|16|20))MAX-ACCESS read-onlySTATUS currentDESCRIPTION"The IP multicast group address carried in the lastinvalid Join/Prune message received by this device."::= { pim 41 }pimInvalidJoinPruneRp OBJECT-TYPESYNTAX InetAddress (SIZE (0|4|8|16|20))MAX-ACCESS read-onlySTATUS currentDESCRIPTION"The RP address carried in the last invalid Join/Prune Sivaramu, et al. Standards Track [Page 14]message received by this device."::= { pim 42 }pimRPMappingNotificationPeriod OBJECT-TYPESYNTAX Unsigned32 (0..65535)UNITS "seconds"MAX-ACCESS read-writeSTATUS currentDESCRIPTION"The minimum time that must elapse betweenpimRPMappingChange notifications originated by this router. The default value of 65535 represents an ’infinite’ time, in which case, no pimRPMappingChange notifications are eversent.The storage type of this object is determined bypimDeviceConfigStorageType."DEFVAL { 65535 }::= { pim 43 }pimRPMappingChangeCount OBJECT-TYPESYNTAX Counter32MAX-ACCESS read-onlySTATUS currentDESCRIPTION"The number of changes to active RP mappings on this device. Information about active RP mappings is available inpimGroupMappingTable. Only changes to active mappings cause this counter to be incremented. That is, changes thatmodify the pimGroupMappingEntry with the highest precedence for a group (lowest value of pimGroupMappingPrecedence).Such changes may result from manual configuration of thisdevice, or from automatic RP mapping discovery methodsincluding the PIM Bootstrap Router (BSR) mechanism.Discontinuities in the value of this counter can occur atre-initialization of the management system, for example,when the device is rebooted."REFERENCE "RFC 5059"::= { pim 44 }pimInterfaceElectionNotificationPeriod OBJECT-TYPESYNTAX Unsigned32 (0..65535)UNITS "seconds"MAX-ACCESS read-writeSTATUS currentSivaramu, et al. Standards Track [Page 15]DESCRIPTION"The minimum time that must elapse betweenpimInterfaceElection notifications originated by thisrouter. The default value of 65535 represents an ’infinite’ time, in which case, no pimInterfaceElection notificationsare ever sent.The storage type of this object is determined bypimDeviceConfigStorageType."DEFVAL { 65535 }::= { pim 45 }pimInterfaceElectionWinCount OBJECT-TYPESYNTAX Counter32MAX-ACCESS read-onlySTATUS currentDESCRIPTION"The number of times this device has been elected DR or DFon any interface.Elections occur frequently on newly-active interfaces, astriggered Hellos establish adjacencies. This counter is not incremented for elections on an interface until the firstperiodic Hello has been sent. If this router is the DR orDF at the time of sending the first periodic Hello afterinterface activation, then this counter is incremented(once) at that time.Discontinuities in the value of this counter can occur atre-initialization of the management system, for example,when the device is rebooted."REFERENCE "RFC 4601 section 4.3.2 and RFC 5015 section 3.5.2"::= { pim 46 }pimRefreshInterval OBJECT-TYPESYNTAX Unsigned32 (0..65535)UNITS "seconds"MAX-ACCESS read-writeSTATUS currentDESCRIPTION"The interval between successive State Refresh messages sent by an Originator. This timer period is called theRefreshInterval in the PIM-DM specification. This object is used only by PIM-DM.The storage type of this object is determined bypimDeviceConfigStorageType."REFERENCE "RFC 3973 section 4.8"Sivaramu, et al. Standards Track [Page 16]DEFVAL { 60 }::= { pim 47 }pimDeviceConfigStorageType OBJECT-TYPESYNTAX StorageTypeMAX-ACCESS read-writeSTATUS currentDESCRIPTION"The storage type used for the global PIM configuration ofthis device, comprised of the objects listed below. If this storage type takes the value ’permanent’, write-access tothe listed objects need not be allowed.The objects described by this storage type are:pimKeepalivePeriod, pimRegisterSuppressionTime,pimNeighborLossNotificationPeriod,pimInvalidRegisterNotificationPeriod,pimInvalidJoinPruneNotificationPeriod,pimRPMappingNotificationPeriod,pimInterfaceElectionNotificationPeriod, andpimRefreshInterval."DEFVAL { nonVolatile }::= { pim 48 }---- The PIM Interface Table--pimInterfaceTable OBJECT-TYPESYNTAX SEQUENCE OF PimInterfaceEntryMAX-ACCESS not-accessibleSTATUS currentDESCRIPTION"The (conceptual) table listing the router’s PIM interfaces. PIM is enabled on all interfaces listed in this table."::= { pim 1 }pimInterfaceEntry OBJECT-TYPESYNTAX PimInterfaceEntryMAX-ACCESS not-accessibleSTATUS currentDESCRIPTION"An entry (conceptual row) in the pimInterfaceTable. Thisentry is preserved on agent restart."INDEX { pimInterfaceIfIndex,pimInterfaceIPVersion }::= { pimInterfaceTable 1 }Sivaramu, et al. Standards Track [Page 17]PimInterfaceEntry ::= SEQUENCE {pimInterfaceIfIndex InterfaceIndex,pimInterfaceIPVersion InetVersion,pimInterfaceAddressType InetAddressType,pimInterfaceAddress InetAddress,pimInterfaceGenerationIDValue Unsigned32,pimInterfaceDR InetAddress,pimInterfaceDRPriority Unsigned32,pimInterfaceDRPriorityEnabled TruthValue,pimInterfaceHelloInterval Unsigned32,pimInterfaceTrigHelloInterval Unsigned32,pimInterfaceHelloHoldtime Unsigned32,pimInterfaceJoinPruneInterval Unsigned32,pimInterfaceJoinPruneHoldtime Unsigned32,pimInterfaceDFElectionRobustness Unsigned32,pimInterfaceLanDelayEnabled TruthValue,pimInterfacePropagationDelay Unsigned32,pimInterfaceOverrideInterval Unsigned32,pimInterfaceEffectPropagDelay Unsigned32,pimInterfaceEffectOverrideIvl Unsigned32,pimInterfaceSuppressionEnabled TruthValue,pimInterfaceBidirCapable TruthValue,pimInterfaceDomainBorder TruthValue,pimInterfaceStubInterface TruthValue,pimInterfacePruneLimitInterval Unsigned32,pimInterfaceGraftRetryInterval Unsigned32,pimInterfaceSRPriorityEnabled TruthValue,pimInterfaceStatus RowStatus,pimInterfaceStorageType StorageType}pimInterfaceIfIndex OBJECT-TYPESYNTAX InterfaceIndexMAX-ACCESS not-accessibleSTATUS currentDESCRIPTION"The ifIndex value of this PIM interface."::= { pimInterfaceEntry 1 }pimInterfaceIPVersion OBJECT-TYPESYNTAX InetVersionMAX-ACCESS not-accessibleSTATUS currentDESCRIPTION"The IP version of this PIM interface. A physical interface may be configured in multiple modes concurrently, e.g., IPv4 and IPv6; however, the traffic is considered to be logically separate."Sivaramu, et al. Standards Track [Page 18]。

中国移动通信企业标准QB-╳╳-╳╳╳-╳╳╳╳家庭网关终端技术规范T e c h n i c a l S p e c i f i c a t i o n f o r H o m e G a t e w a y版本号：╳╳╳╳-╳╳-╳╳发布╳╳╳╳-╳╳-╳╳实施中国移动通信集团公司发布目录前言本标准明确了中国移动家庭网关需求，是家庭网关终端需要遵从的技术文件。

供中国移动内部和厂商共同使用，是实施家庭业务的依据之一。

本标准主要包括以下几方面内容：接口要求、功能要求、性能要求、网管和维护要求、软硬件系统要求以及运行环境等要求。

本标准是家庭网关设备系列标准之一，该系列标准的结构、名称或预计的名称如下：序号标准编号标准名称[1] 家庭网关业务技术规范[2] 家庭网关业务技术规范—WLAN共享分册[3] 宜居通业务技术规范[4] 家庭网关终端技术规范[5] 家庭网关管理技术规范[6] 宜居通终端技术规范本标准需与《家庭网关业务技术规范》、《家庭网关业务技术规范—WLAN 共享分册》、《宜居通业务技术规范》、《家庭宽带类业务技术规范》、《家庭网关管理技术规范》、《宜居通终端技术规范》配套使用。

本标准的附录A、附录B为标准性附录。

本标准由中移号文件印发。

本标准由中国移动通信集团公司数据部提出，集团公司技术部归口。

本标准起草单位：中国移动通信研究院本标准主要起草人：张勇浩、梅海波、李建坤、刘聪、郭毅峰、陈心昕、黄薇、周丹、殷端、张彪、杨彦、刘松鹏、封栋梁、金波、叶朝阳1.范围本标准规定了中国移动家庭网关的设备形态、接口、功能、管理、安全、性能、运行环境、设备软硬件、基本应用和用户界面等要求，供中国移动通信集团内部使用，是开发研制接入型和宽带应用型家庭网关的技术依据。

本标准适用于2G/3G/4G移动网络、有线宽带网络环境。

2.规范性引用文件下列文件中的条款通过本标准的引用而成为本标准的条款。

凡是注日期的引用文件，其随后所有的修改单（不包括勘误的内容）或修订版均不适用于本标准，然而，鼓励根据本标准达成协议的各方研究是否可使用这些文件的最新版本。

rfc5245 中文翻译
摘要：
1.RFC5245 概述
2.RFC5245 的内容
3.RFC5245 的中文翻译
正文：
RFC5245 是一个关于互联网协议的标准文档，它详细描述了一种新的协议，这种协议可以用于在互联网上进行数据传输和通信。

RFC5245 的内容涵盖了很多方面，包括协议的基本原理、协议的实现方式、协议的使用方法等。

为了更好地理解和使用RFC5245，我们需要对其进行中文翻译。

中文翻译可以帮助我们更好地理解RFC5245 的内容，同时也可以让更多的中文用户了解和使用这种协议。

RFC5245 的中文翻译可以分为以下几个步骤：
1.首先，需要找到一个合适的翻译人员。

翻译人员需要熟悉互联网协议，并且具备良好的中文表达能力。

2.其次，需要对RFC5245 进行仔细阅读和理解。

在理解过程中，需要注意协议的细节和术语的准确性。

3.在理解了RFC5245 的内容后，可以开始进行翻译。

翻译的过程中，需要注意保持原文的准确性，并且尽可能地使用通俗易懂的中文表达方式。

4.翻译完成后，需要对翻译的文本进行仔细检查和校对。

校对的过程中，需要注意协议的准确性和中文表达的流畅性。

Network Working Group V. Devarapalli Request for Comments: 5266 Wichorus BCP: 136 P. Eronen Category: Best Current Practice Nokia June 2008 Secure Connectivity and Mobility Using Mobile IPv4 andIKEv2 Mobility and Multihoming (MOBIKE)Status of This MemoThis document specifies an Internet Best Current Practices for theInternet Community, and requests discussion and suggestions forimprovements. Distribution of this memo is unlimited.AbstractEnterprise users require mobility and secure connectivity when theyroam and connect to the services offered in the enterprise. Secureconnectivity is required when the user connects to the enterprisefrom an untrusted network. Mobility is beneficial when the usermoves, either inside or outside the enterprise network, and acquires a new IP address. This document describes a solution using MobileIPv4 (MIPv4) and mobility extensions to IKEv2 (MOBIKE) to providesecure connectivity and mobility.Table of Contents1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 22. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 33. Solution Overview . . . . . . . . . . . . . . . . . . . . . . 4 3.1. Access Modes . . . . . . . . . . . . . . . . . . . . . . . 6 3.1.1. Access Mode: ’c’ . . . . . . . . . . . . . . . . . . . 6 3.1.2. Access Mode: ’f’ . . . . . . . . . . . . . . . . . . . 6 3.1.3. Access Mode: ’mc’ . . . . . . . . . . . . . . . . . . 6 3.2. Mobility within the Enterprise . . . . . . . . . . . . . . 7 3.3. Mobility When outside the Enterprise . . . . . . . . . . . 7 3.4. Crossing Security Boundaries . . . . . . . . . . . . . . . 7 3.4.1. Operation When Moving from an Untrusted Network . . . 83.4.2. Operation When Moving from a Trusted Network . . . . . 94. NAT Traversal . . . . . . . . . . . . . . . . . . . . . . . . 105. Security Considerations . . . . . . . . . . . . . . . . . . . 106. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 107. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 7.1. Normative References . . . . . . . . . . . . . . . . . . . 11 7.2. Informative References . . . . . . . . . . . . . . . . . . 11 Appendix A. Applicability to a Mobile Operator Network . . . . . 13 Devarapalli & Eronen Best Current Practice [Page 1]1. IntroductionA typical enterprise network consists of users connecting to theservices from a trusted network (intranet), and from an untrustednetwork (Internet). The trusted and untrusted networks are typically separated by a demilitarized zone (DMZ). Access to the intranet iscontrolled by a firewall and a Virtual Private Network (VPN) gateway in the DMZ.Enterprise users, when roaming on untrusted networks, most often have to authenticate themselves to the VPN gateway and set up a securetunnel in order to access the intranet. The use of IPsec VPNs isvery common to enable such secure connectivity to the intranet. When the user is on the trusted network, VPNs are not used. However, the users benefit tremendously when session mobility between subnets,through the use of Mobile IPv4, is available.There has been some work done on using Mobile IPv4 and IPsec VPNs to provide roaming and secure connectivity to an enterprise [RFC5265][RFC4093]. The solution described in [RFC5265] was designed withcertain restrictions, including requiring no modifications to the VPN gateways, and involves the use of two layers of MIPv4, with one home agent inside the intranet and one in the Internet or in the DMZbefore the VPN gateway. The per-packet overhead is very high in this solution. It is also challenging to implement and have two instances of MIPv4 active at the same time on a mobile node. However, thesolution described here is only applicable when Internet Key Exchange Protocol version 2 (IKEv2) IPsec VPNs are used.This document describes an alternate solution that does not requiretwo layers of MIPv4. The solution described in this document usesMobile IPv4 when the mobile node is on the trusted network andMOBIKE-capable IPsec VPNs when the mobile node is on the untrustednetwork. The mobile node uses the tunnel inner address (TIA) givenout by the IPsec VPN gateway as the co-located care-of address (CoA) for MIPv4 registration. This eliminates the need for using anexternal MIPv4 home agent and the need for encapsulating the VPNtunnel inside a MIPv4 tunnel.The following assumptions are made for the solution described in this document.o IKEv2 [RFC4306] and IPsec [RFC4301] are used to set up the VPNtunnels between the mobile node and the VPN gateway.o The VPN gateway and the mobile node support MOBIKE extensions asdefined in [RFC4555].Devarapalli & Eronen Best Current Practice [Page 2]o When the mobile node is on the trusted network, traffic should not go through the DMZ. Current deployments of firewalls and DMZsconsider the scenario where only a small amount of the totalenterprise traffic goes through the DMZ. Routing through the DMZ typically involves stateful inspection of each packet by thefirewalls in the DMZ. Moreover, the DMZ architecture assumes that the DMZ is less secure than the internal network. Therefore, the DMZ-based architecture allows the least amount of traffic totraverse the DMZ, that is, only traffic between the trustednetwork and the external network. Requiring all normal traffic to the mobile nodes to traverse the DMZ would negate thisarchitecture.o When the mobile node is on the trusted network and uses a wireless access technology, confidentiality protection of the data traffic is provided by the particular access technology. In somenetworks, confidentiality protection MAY be available between the mobile node and the first hop access router, in which case it isnot required at layer 2.This document also presents a solution for the mobile node to detect when it is on a trusted network, so that the IPsec tunnel can bedropped and the mobile node can use Mobile IP in the intranet.IPsec VPN gateways that use IKEv1 [RFC2409] are not addressed in this document.2. TerminologyThe key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT","SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].Many of the following terms are defined in [RFC5265], but arerepeated here to make this document self-contained.FA: Mobile IPv4 foreign agent.Co-CoA: co-located care-of address.FA-CoA: foreign agent care-of address.FW: firewall.i-FA: Mobile IPv4 foreign agent residing in the trusted (intranet)network.Devarapalli & Eronen Best Current Practice [Page 3]i-HA: Mobile IPv4 home agent residing in the trusted (intranet)network.i-MIP: The mobile node uses the home agent in the internal network.VPN-TIA: VPN tunnel inner address. This address is given out by the VPN gateway during IKE negotiation and is routable in the trusted network.mVPN: VPN with MOBIKE functionality.The following access modes are used in explaining the protocol. The access modes are explained in more detail in [RFC5265].f: i-MIP with FA-CoAc: i-MIP with Co-CoAmc: i-MIP with MOBIKE-enabled VPN, with VPN-TIA as Co-CoA3. Solution OverviewThe mobile node is configured with a home address that remains thesame irrespective of whether the mobile node is inside or outside the enterprise network. The mobile node is also reachable at the samehome address irrespective of its current point of attachment. Whenthe mobile node is connected to the intranet directly, it uses Mobile IP for internal mobility.When the mobile node roams and connects to an untrusted networkoutside the enterprise, it sets up a VPN tunnel to the VPN gateway.However, it still maintains a valid binding cache entry at the i-HA. It uses the VPN-TIA, allocated by the VPN gateway, as the co-located CoA for registration with the i-HA. If the VPN-TIA changes or if the mobile node moves and connects to another VPN gateway, then it sends a Registration Request to the i-HA using the new co-located CoA.If the mobile node moves while outside the enterprise and its access network changes, it uses the MOBIKE protocol to update the VPNgateway of its current address. The internal home agent is not aware of the mobile node’s movement as long as the mobile node is attached to the same VPN gateway and the TIA remains the same.Figure 1 depicts the network topology assumed for the solution. Italso shows the possible mobile node locations and access modes. Devarapalli & Eronen Best Current Practice [Page 4]{home} (MN) [i-HA]\ /.-+---+-.( )[mVPN] ‘--+----’! !.--+--. [R]( DMZ ) !.-+-------+--. ‘--+--’ .-----+------.( ) ! ( )( external net +---[R]----[FW]----[R]--+ internal net )( ) ( )‘--+---------’ ‘---+---+----’/ / \[DHCP] [R] [DHCP] [R] [R] [i-FA] \ / \ / \ /.+--+---. .-+-+--. .--+--+-.( ) ( ) ( )‘---+---’ ‘--+---’ ‘---+---’! ! !(MN) {mc} (MN) {c} (MN) {f}Figure 1: Network Topology Using MIPv4 and MOBIKEThe solution described above results in a Mobile IP tunnel inside an IPsec tunnel. The Mobile IP tunnel is between the mobile node andthe home agent, and the IPsec tunnel is between the mobile node (MN) and the mVPN gateway. The mobile node MUST reverse tunnel throughthe home agent [RFC3024] when the Mobile IP tunnel is inside an IPsec tunnel.The overhead of running a Mobile IP tunnel inside an IPsec tunnel can be avoided by having the Mobile IP foreign agent functionality on the VPN gateway. This is out of scope for this document and is furtherdescribed in [MEGHANA].Whenever the mobile node attaches to a new link, it may encounter aforeign agent. The mobile node MUST not use the foreign agentcare-of address with the i-HA when attached to an untrusted accessnetwork. The default behavior for the mobile node is to alwaysconfigure an address from the access link using DHCP. The mobilenode then checks if it is attached to a trusted access network bysending a Registration Request to the i-HA in the co-located care-of address mode. If the mobile node discovers that it is attached to a trusted access network, then it MAY start using a foreign agentcare-of address with the i-HA. In order to do this, the mobile node has to perform a new registration with the i-HA.Devarapalli & Eronen Best Current Practice [Page 5]The mobile node can use a foreign agent on a untrusted accessnetwork, if there is an external home agent that the mobile node isable to use. The use of an external home agent in the untrustedaccess network and a home agent in the trusted access network at the same time is described in detail in [RFC5265].Some IPsec VPN implementations allow a host to send traffic directly to the Internet when attached to an untrusted network. This traffic bypasses the IPsec tunnel with the VPN gateway. This document doesnot prevent such traffic from being sent out from the host, but there will be no mobility or session continuity for the traffic. Any data traffic that is sent through the Mobile IP tunnel with the home agent is always sent through the VPN gateway.3.1. Access ModesThe following access modes are used in the solution described in this document.3.1.1. Access Mode: ’c’This access mode is standard Mobile IPv4 [RFC3344] with a co-located care-of address. The mobile node must detect that it is connected to an internal trusted network before using this mode. The co-locatedcare-of address is assigned by the access network to which the mobile node is attached.3.1.2. Access Mode: ’f’This access mode is standard Mobile IPv4 [RFC3344] with a foreignagent care-of address. The mobile node can use this mode only whenit detects that it is connected to an internal trusted network andalso detects a foreign agent on the access network.3.1.3. Access Mode: ’mc’This access mode involves using both Mobile IPv4 and a MOBIKE-enabled IPsec VPN gateway, resulting in a Mobile IP tunnel inside an IPsectunnel. The mobile node uses the VPN-TIA as the co-located CoA forregistering with the home agent. This mode is used only when themobile node is attached to an untrusted network and is required toset up an IPsec tunnel with a VPN gateway to gain access to thetrusted network.Devarapalli & Eronen Best Current Practice [Page 6]3.2. Mobility within the EnterpriseWhen the mobile node is inside the enterprise network and attached to the intranet, it uses Mobile IPv4 [RFC3344] for subnet mobility. The mobile node always configures a care-of address through DHCP on theaccess link and uses it as the co-located care-of address. Themobile node MAY use a foreign agent care-of address, if a foreignagent is available. However, the foreign agent care-of address isused only when the mobile node is attached to the trusted accessnetwork. The mobile node attempts Foreign Agent discovery and CoAaddress acquisition through DHCP simultaneously in order to avoid the delay in discovering a foreign agent when there is no foreign agentavailable. The mobile node maintains a valid binding cache entry at all times at the home agent mapping the home address to the currentCoA. Whenever the mobile node moves, it sends a Registration Request to update the binding cache entry.The Mobile IP signaling messages between the mobile node and the home agent are authenticated as described in [RFC3344].The mobile node maintains a valid binding cache entry at the homeagent even when it is outside the enterprise network.3.3. Mobility When outside the EnterpriseWhen the mobile node is attached to an untrusted network, it sets up an IPsec VPN tunnel with the VPN gateway to gain access to theenterprise network. If the mobile node moves and its IP addresschanges, it initiates the MOBIKE protocol [RFC4555] to update theaddress on the VPN gateway.The mobile node maintains a binding at the home agent even when it is outside the enterprise network. If the TIA changes due to the mobile node re-connecting to the VPN gateway or attaching to a different VPN gateway, the mobile node should send a Registration Request to itshome agent to update the binding cache with the new TIA.3.4. Crossing Security BoundariesSecurity boundary detection is based on the reachability of the i-HA from the mobile node’s current point of attachment. Whenever themobile node detects a change in network connectivity, it sends aRegistration Request to the i-HA without any VPN encapsulation. Ifthe mobile node receives a Registration Reply with the TrustedNetworks Configured (TNC) extension from the i-HA, then it assumesthat it is on a trusted network. The TNC extension is described in[RFC5265]. The mobile node MUST check that the Registration Reply is integrity protected using the mobile node-home agent mobility Devarapalli & Eronen Best Current Practice [Page 7]security association before concluding it is attached to a trustednetwork. This security boundary detection is based on the mechanism described in [RFC5265] to detect attachment to the internal trustednetwork. The mobile node should re-transmit the Registration Request if it does not receive the Registration Reply within a timeoutperiod. The number of times the mobile node should re-transmit theRegistration Request and the timeout period for receiving theRegistration Reply are configurable on the mobile node.When the mobile node is attached to an untrusted network and is using an IPsec VPN to the enterprise network, the ability to send aRegistration Request to the i-HA without VPN encapsulation wouldrequire some interaction between the IPsec and MIPv4 modules on themobile node. This is local to the mobile node and out of scope forthis document.If the mobile node has an existing VPN tunnel to its VPN gateway, it MUST send a MOBIKE message at the same time as the registrationrequest to the i-HA whenever the IP address changes. If the mobilenode receives a response from the VPN gateway, but not from the i-HA, it assumes it is outside the enterprise network. If it receives aresponse from the i-HA, then it assumes it is inside the enterprisenetwork.There could also be some out-of-band mechanisms that involveconfiguring the wireless access points with some information that the mobile node can recognize as access points that belong to the trusted network in an enterprise network. Such mechanisms are beyond thescope of this document.The mobile node should not send any normal traffic while it is trying to detect whether it is attached to the trusted or untrusted network. This is described in more detail in [RFC5265].3.4.1. Operation When Moving from an Untrusted NetworkWhen the mobile node is outside the enterprise network and attachedto an untrusted network, it has an IPsec VPN tunnel with its mobility aware VPN gateway, and a valid registration with a home agent on the intranet with the VPN-TIA as the care-of address.If the mobile node moves and its IP address changes, it performs the following steps:1a. Initiate an IKE mobility exchange to update the VPN gateway with the current address. If the new network is also untrusted, this will be enough for setting up the connectivity. If the newnetwork is trusted, and if the VPN gateway is reachable, this Devarapalli & Eronen Best Current Practice [Page 8]exchange will allow the mobile node to keep the VPN state alive while on the trusted side. If the VPN gateway is not reachable from inside, then this exchange will fail.1b. At the same time as step 1, send a Mobile IPv4 RegistrationRequest to the internal home agent without VPN encapsulation.2. If the mobile node receives a Registration Reply to the request sent in step 1b, then the current subnet is a trusted subnet,and the mobile node can communicate without VPN tunneling. The mobile node MAY tear down the VPN tunnel.3.4.2. Operation When Moving from a Trusted NetworkWhen the mobile node is inside the enterprise and attached to theintranet, it does not use a VPN tunnel for data traffic. It has avalid binding cache entry at its home agent. If the VPN gateway isreachable from the trusted network, the mobile node MAY have validIKEv2 security associations with its VPN gateway. The IPsec security associations can be created when required. The mobile node may have to re-negotiate the IKEv2 security associations to prevent them from expiring.If the mobile node moves and its IP address changes, it performs the following steps:1. Initiate an IKE mobility exchange to update the VPN gateway with the current address, or if there is no VPN connection, thenestablish a VPN tunnel with the gateway from the new local IPaddress. If the new network is trusted, and if the VPN gatewayis reachable, this exchange will allow the mobile node to keepthe VPN state alive, while in the trusted side. If the newnetwork is trusted and if the VPN gateway is not reachable frominside, then this exchange will fail.2. At the same time as step 1, send a Mobile IPv4 RegistrationRequest to the internal home agent without VPN encapsulation.3. If the mobile node receives a Registration Reply to the requestsent in step 2, then the current subnet is a trusted subnet, and the mobile node can communicate without VPN tunneling, using only Mobile IP with the new care-of address.4. If the mobile node didn’t receive the response in step 3, and if the VPN tunnel is successfully established and registered in step 1, then the mobile node sends a Registration Request over the VPN tunnel to the internal home agent. After receiving aRegistration Reply from the home agent, the mobile node can start Devarapalli & Eronen Best Current Practice [Page 9]communicating over the VPN tunnel with the Mobile IP homeaddress.4. NAT TraversalThere could be a Network Address Translation (NAT) device between the mobile node and the home agent in any of the access modes, ’c’, ’f’, and ’mc’, and between the mobile node and the VPN gateway in theaccess mode ’mc’. Mobile IPv4 NAT traversal, as described in[RFC3519], should be used by the mobile node and the home agent inaccess modes ’c’ or ’f’, when there is a NAT device present. Whenusing access mode, ’mc’, IPsec NAT traversal [RFC3947] [RFC3948]should be used by the mobile node and the VPN gateway, if there is a NAT device present. Typically, the TIA would be a routable addressinside the enterprise network. But in some cases, the TIA could befrom a private address space associated with the VPN gateway. Insuch a case, Mobile IPv4 NAT traversal should be used in addition to IPsec NAT traversal in the ’mc’ mode.5. Security ConsiderationsEnterprise connectivity typically requires very strong security, and the solution described in this document was designed keeping this in mind.Security concerns related to the mobile node detecting that it is on a trusted network and thereafter dropping the VPN tunnel aredescribed in [RFC5265].When the mobile node sends a Registration Request to the i-HA from an untrusted network that does not go through the IPsec tunnel, it will reveal the i-HA’s address, its own identity including the NAI and the home address, and the Authenticator value in the authenticationextensions to the untrusted network. This may be a concern in somedeployments.Please see [RFC4555] for MOBIKE-related security considerations, and [RFC3519], [RFC3947] for security concerns related to the use of NAT traversal mechanisms for Mobile IPv4 and IPsec.6. AcknowledgmentsThe authors would like to thank Henry Haverinen, Sandro Grech, Dhaval Shah, and John Cruz for their participation in developing thissolution.Devarapalli & Eronen Best Current Practice [Page 10]The authors would also like to thank Henrik Levkowetz, Jari Arkko, TJ Kniveton, Vidya Narayanan, Yaron Sheffer, Hans Sjostrand, JouniKorhonen, and Sami Vaarala for reviewing the document.7. References7.1. Normative References[RFC2119] Bradner, S., "Key words for use in RFCs to IndicateRequirement Levels", BCP 14, RFC 2119, March 1997.[RFC3344] Perkins, C., "IP Mobility Support for IPv4", RFC 3344,August 2002.[RFC4555] Eronen, P., "IKEv2 Mobility and Multihoming Protocol(MOBIKE)", RFC 4555, June 2006.[RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",RFC 4306, December 2005.[RFC4301] Kent, S. and K. Seo, "Security Architecture for theInternet Protocol", RFC 4301, December 2005.[RFC5265] Vaarala, S. and E. Klovning, "Mobile IPv4 Traversal across IPsec-Based VPN Gateways", RFC 5265, June 2008.7.2. Informative References[RFC4093] Adrangi, F. and H. Levkowetz, "Problem Statement: MobileIPv4 Traversal of Virtual Private Network (VPN) Gateways", RFC 4093, August 2005.[RFC3024] Montenegro, G., "Reverse Tunneling for Mobile IP,revised", RFC 3024, January 2001.[MEGHANA] Sahasrabudhe, M. and V. Devarapalli, "Optimizations toSecure Connectivity and Mobility", Work in Progress,February 2008.[RFC3519] Levkowetz, H. and S. Vaarala, "Mobile IP Traversal ofNetwork Address Translation (NAT) Devices", RFC 3519,April 2003.[RFC3947] Kivinen, T., Swander, B., Huttunen, A., and V. Volpe,"Negotiation of NAT-Traversal in the IKE", RFC 3947,January 2005.Devarapalli & Eronen Best Current Practice [Page 11][RFC3948] Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M. Stenberg, "UDP Encapsulation of IPsec ESP Packets",RFC 3948, January 2005.[RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange(IKE)", RFC 2409, November 1998.Devarapalli & Eronen Best Current Practice [Page 12]Appendix A. Applicability to a Mobile Operator NetworkThe solution described in this document can also be applied to aMobile Operator’s network when the Operator deploys heterogeneousaccess networks and some of the access networks are considered astrusted networks and others as untrusted networks. Figure 2illustrates such a network topology.+----------------------+| +----+ |+----------------+ | |i-HA| || | | +----+ |(MN)----+ trusted +---+ || access network | | internal network |+----------------+ | || |+----------+-----------+|||[mVPN]+----------------+ || | |(MN)----+ untrusted +--------------+{mc} | access network |+----------------+Figure 2: Network Topology of a Mobile Operator with Trusted andUntrusted NetworksAn IPsec VPN gateway provides secure connectivity to the Operator’sinternal network for mobile nodes attached to an untrusted accessnetwork. The VPN gateway supports MOBIKE extensions so that theIPsec tunnels survive any IP address change when the mobile nodemoves while attached to the untrusted access networks.When the mobile node is attached to the trusted access network, ituses Mobile IP with the i-HA. It uses the IP address obtained fromthe trusted access network as the co-located care-of address toregister with the i-HA. If a foreign agent is available in thetrusted access network, the mobile node may use a foreign agentcare-of address. If the mobile node moves and attaches to anuntrusted access network, it sets up an IPsec tunnel with the VPNgateway to access the Operator’s internal network. It uses the IPsec TIA as the co-located care-of address to register with the i-HAthereby creating a Mobile IP tunnel inside an IPsec tunnel.Devarapalli & Eronen Best Current Practice [Page 13]When the mobile node is attached to the trusted access network, itcan either be attached to a foreign link in the trusted network or to the home link directly. This document does not impose anyrestrictions.Authors’ AddressesVijay DevarapalliWichorus3590 North First StreetSan Jose, CA 95134USAEMail: vijay@Pasi EronenNokia Research CenterP.O. Box 407FIN-00045 Nokia GroupFinlandEMail: pasi.eronen@Devarapalli & Eronen Best Current Practice [Page 14]Full Copyright StatementCopyright (C) The IETF Trust (2008).This document is subject to the rights, licenses and restrictionscontained in BCP 78, and except as set forth therein, the authorsretain all their rights.This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIEDWARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual PropertyThe IETF takes no position regarding the validity or scope of anyIntellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described inthis document or the extent to which any license under such rightsmight or might not be available; nor does it represent that it hasmade any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can befound in BCP 78 and BCP 79.Copies of IPR disclosures made to the IETF Secretariat and anyassurances of licenses to be made available, or the result of anattempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of thisspecification can be obtained from the IETF on-line IPR repository at /ipr.The IETF invites any interested party to bring to its attention anycopyrights, patents or patent applications, or other proprietaryrights that may cover technology that may be required to implementthis standard. Please address the information to the IETF atietf-ipr@.Devarapalli & Eronen Best Current Practice [Page 15]。

CS-SD 考试参考c 1. (单选)为了解决技术问题而引发的软件补丁实施操作，应该选择以下哪类 SR TypeA. RFC-Software UpdateB. RFC-Software UpgradeC. RFC-Solution ImplementationD. CS- Technical Requestabcd 2. (多选) 技术审批环节，审批人员需从技术角度对实施方案进行评审，重点关注：()A. 方案与客户网络是否匹配B. 实施步骤是否合理C. 倒回措施是否完备D. 操作时间是否合理及操作风险abcd 3. (多选)以下场景建议不进行网络变更操作： ()A. 同一局点、同一时间已计划了其他网络变更操作B. 近期发生重大事故C. 客户网络所在地有重大政治 /国际会议召开D. 市场部有重大合同签订abcdeg 4. (多选)对于软件更新实施 SR，在创建 SR 时，以下哪些信息是必填的A. 客户组织B. ProductC. RevisionD. RFC Target RevisionE. SR OwnerF. SR GroupG. RFC Plan End Datec 5. (单选)从哪里可以下载流程文件和指导书？A. Support 网站B. 3MS-DocumentC. W3-PDMCD. iLearningf 6. (判断)软件更新实施流程范围包含了为解决现网问题而进行的补丁安装操作对错abd 7. (多选)值守方案需至少包含以下几个关键内容： ()A. XX 产品值守 checklistB. 网络应急预案C. 客户责任人值班表D. 值守管理要求a 8. (单选) 对于 RFC-Application 任务，任务 Owner 应该将任务分派给A. 运营经理/CS 经理B. TDC. NSED. PSEb 9. (单选)系统自动创建的 RFCTask默认的 Owner 为A. RFC SR OwnerB. RFC SR 创建人C. TLD. ODd 10. (单选)对于整改，责任人需要根据整改实施计划，统计整改所需的人力及物料并通过()进行整改物料的申请。

RFC 2865 RADIUS 中文翻译收藏Network Working Group C. Rigney Request for Comments: 2865 S. Willens Obsoletes: 2138 LivingstonCategory: Standards Track A. RubensMeritW. SimpsonDaydreamerJune 2000远程认证拨号用户服务（RADIUS）备忘录状态本文档描述了一种Internet社区的Internet标准跟踪协议，它需要进一步进行讨论和建议以得到改进。

请参考最新版的“Internet正式协议标准” (STD1)来获得本协议的标准化程度和状态。

本备忘录可以不受限制地传播。

版权说明Copyright (C) The Internet Society (2000). All Rights Reserved.IESG说明:本协议已经被广泛实现和使用，经验表明当本协议在一个大范围的系统中使用会降低性能和丢失数据。

部分原因是协议中没有提供拥塞控制的机制。

读者可以发现阅读本文对跟踪IETF组织的AAA工作组的工作进程有很大的帮助，AAA工作组可能会开发一个能够更好的解决扩展性和拥塞控制问题的成功的协议。

摘要本文描述了一个传输认证、授权和配置信息的协议。

这些信息在想要认证链路的网络接入服务器（Network Access Server）和共享的认证服务器务器之间传递。

实现说明本备忘录记录了RADIUS协议，RADIUS协议的早期版本使用的UDP端口是16 45，由于和"datametrics"服务冲突，官方为RADIUS协议分配了一个新的端口号1812。

Rigney, et al. Standards Track [Page 1]RFC 2865 RADIUS June 2000目录1. 简介 (3)1.1 描述文档的约定 (4)1.2 术语 (5)2. 操作 (5)2.1 挑战/回应 (7)2.2 使用PAP和CHAP互操作 (8)2.3 代理 (8)2.4 为什么使用UDP (11)2.5 重发提醒 (12)2.6 被证明是有害的心跳 (13)3. 报文格式 (13)4. 报文类型 (17)4.1 接入请求报文 (17)4.2 接入成功回应报文 (18)4.3 接入拒绝回应报文 (20)4.4 接入挑战报文 (21)5. 属性 (22)5.1 User-Name (26)5.2 User-Password (27)5.3 CHAP-Password (28)5.4 NAS-IP-Address (29)5.5 NAS-Port (30)5.6 Service-Type (31)5.7 Framed-Protocol (33)5.8 Framed-IP-Address (34)5.9 Framed-IP-Netmask (34)5.10 Framed-Routing (35)5.11 Filter-Id (36)5.12 Framed-MTU (37)5.13 Framed-Compression (37)5.14 Login-IP-Host (38)5.15 Login-Service (39)5.16 Login-TCP-Port (40)5.17 (unassigned) (41)5.18 Reply-Message (41)5.19 Callback-Number (42)5.20 Callback-Id (42)5.21 (unassigned) (43)5.22 Framed-Route (43)5.23 Framed-IPX-Network (44)5.24 State (45)5.25 Class (46)5.26 Vendor-Specific (47)5.27 Session-Timeout (48)5.28 Idle-Timeout (49)5.29 Termination-Action (49)Rigney, et al. Standards Track [Page 2] RFC 2865 RADIUS June 20005.30 Called-Station-Id (50)5.31 Calling-Station-Id (51)5.32 NAS-Identifier (52)5.33 Proxy-State (53)5.34 Login-LAT-Service (54)5.35 Login-LAT-Node (55)5.36 Login-LAT-Group (56)5.37 Framed-AppleTalk-Link (57)5.38 Framed-AppleTalk-Network (58)5.39 Framed-AppleTalk-Zone (58)5.40 CHAP-Challenge (59)5.41 NAS-Port-Type (60)5.42 Port-Limit (61)5.43 Login-LAT-Port (62)5.44 Table of Attributes (63)6. IANA注意事项 (64)6.1 术语定义 (64)6.2 推荐的注册策略 (65)7. 举例 (66)7.1 用户Telnet到指定主机上 (66)7.2 用户使用CHAP认证方式认证 (67)7.3 用户使用挑战-回应卡 (68)8. 安全事项 (71)9. 更新记录 (71)10. 参考文献 (73)11. 致谢 (74)12. AAA工作组主席地址 (74)13. 作者地址 (75)14. 版权声明 (76)1. 简介本文档废弃了RFC 2138 [1]。

rfc5245 中文翻译RFC5245是一种名为"中继和端到端点对点协议：基于用户数据报协议(UDP)的实时通信协议（RTP）扩展"的技术规范文档。

它描述了如何使用RTP和用户数据报协议（UDP）实现实时通信应用程序的传输和中继功能。

RF5245的用法非常广泛，特别适用于需要实时性和低延迟的应用场景，例如音频通信、视频通信和多媒体流传输等。

它提供了一系列功能和协议扩展，以改善传输的可靠性、效率和安全性。

以下是十个双语例句，展示了RFC5245的用法和场景：1. The application uses RFC5245 to establish a direct peer-to-peer connection for real-time audio communication.应用程序使用RFC5245来建立实时音频通信的直接点对点连接。

2. With the help of RFC5245, the video conferencing system achieves low-latency and high-quality video streaming.在RFC5245的帮助下，视频会议系统实现了低延迟和高质量的视频流传输。

3. The RFC5245 extension provides secure and encrypted transmission of multimedia data over the internet.RFC5245的扩展提供了在互联网上安全加密的多媒体数据传输。

4. Using RFC5245, the application can seamlessly switch between relayed and direct connections based on network conditions.利用RFC5245，应用程序可以根据网络条件无缝切换中继连接和直接连接。

Network Working Group G. Camarillo Request for Comments: 5369 Ericsson Category: Informational October 2008 Framework for Transcoding with the Session Initiation Protocol (SIP) Status of This MemoThis memo provides information for the Internet community. It doesnot specify an Internet standard of any kind. Distribution of thismemo is unlimited.AbstractThis document defines a framework for transcoding with SIP. Thisframework includes how to discover the need for transcoding services in a session and how to invoke those transcoding services. Twomodels for transcoding services invocation are discussed: theconference bridge model and the third-party call control model. Both models meet the requirements for SIP regarding transcoding servicesinvocation to support deaf, hard of hearing, and speech-impairedindividuals.Table of Contents1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 22. Discovery of the Need for Transcoding Services . . . . . . . . 23. Transcoding Services Invocation . . . . . . . . . . . . . . . . 4 3.1. Third-Party Call Control Transcoding Model . . . . . . . . 43.2. Conference Bridge Transcoding Model . . . . . . . . . . . . 64. Security Considerations . . . . . . . . . . . . . . . . . . . . 75. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 86. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 6.1. Normative References . . . . . . . . . . . . . . . . . . . 8 6.2. Informative References . . . . . . . . . . . . . . . . . . 9 Camarillo Informational [Page 1]1. IntroductionTwo user agents involved in a SIP [RFC3261] dialog may find itimpossible to establish a media session due to a variety ofincompatibilities. Assuming that both user agents understand thesame session description format (e.g., SDP [RFC4566]),incompatibilities can be found at the user agent level and at theuser level. At the user agent level, both terminals may not support any common codec or may not support common media types (e.g., a text- only terminal and an audio-only terminal). At the user level, a deaf person will not understand anything said over an audio stream.In order to make communications possible in the presence ofincompatibilities, user agents need to introduce intermediaries that provide transcoding services to a session. From the SIP point ofview, the introduction of a transcoder is done in the same way toresolve both user level and user agent level incompatibilities. So, the invocation mechanisms described in this document are generallyapplicable to any type of incompatibility related to how theinformation that needs to be communicated is encoded.Furthermore, although this framework focuses on transcoding, themechanisms described are applicable to media manipulation ingeneral. It would be possible to use them, for example, to invoke a server that simply increases the volume of an audio stream.This document does not describe media server discovery. That is anorthogonal problem that one can address using user agent provisioning or other methods.The remainder of this document is organized as follows. Section 2deals with the discovery of the need for transcoding services for aparticular session. Section 3 introduces the third-party callcontrol and conference bridge transcoding invocation models, whichare further described in Sections 3.1 and 3.2, respectively. Bothmodels meet the requirements regarding transcoding servicesinvocation in RFC 3351 [RFC3351], which support deaf, hard ofhearing, and speech-impaired individuals.2. Discovery of the Need for Transcoding ServicesAccording to the one-party consent model defined in RFC 3238[RFC3238], services that involve media manipulation invocation arebest invoked by one of the endpoints involved in the communication,as opposed to being invoked by an intermediary in the network.Following this principle, one of the endpoints should be the onedetecting that transcoding is needed for a particular session. Camarillo Informational [Page 2]In order to decide whether or not transcoding is needed, a user agent needs to know the capabilities of the remote user agent. A useragent acting as an offerer [RFC3264] typically obtains this knowledge by downloading a presence document that includes media capabilities(e.g., Bob is available on a terminal that only supports audio) or by getting an SDP description of media capabilities as defined in RFC3264 [RFC3264].Presence documents are typically received in a NOTIFY request[RFC3265] as a result of a subscription. SDP media capabilitiesdescriptions are typically received in a 200 (OK) response to anOPTIONS request or in a 488 (Not Acceptable Here) response to anINVITE.In the absence of presence information, routing logic that involvesparallel forking to several user agents may make it difficult (orimpossible) for the caller to know which user agent will answer thenext call attempt. For example, a call attempt may reach the user’s voicemail while the next one may reach a SIP phone where the user is available. If both terminating user agents have differentcapabilities, the caller cannot know, even after the first callattempt, whether or not transcoding will be necessary for thesession. This is a well-known SIP problem that is referred to asHERFP (Heterogeneous Error Response Forking Problem). ResolvingHERFP is outside the scope of this document.It is recommended that an offerer does not invoke transcodingservices before making sure that the answerer does not support thecapabilities needed for the session. Making wrong assumptions about the answerer’s capabilities can lead to situations where twotranscoders are introduced (one by the offerer and one by theanswerer) in a session that would not need any transcoding servicesat all.An example of the situation above is a call between two GSM(Global System for Mobile Communications) phones (without usingtranscoding-free operation). Both phones use a GSM codec, but the speech is converted from GSM to PCM (Pulse Code Modulation) by the originating MSC (Mobile Switching Center) and from PCM back to GSM by the terminating MSC.Note that transcoding services can be symmetric (e.g., speech-to-text plus text-to-speech) or asymmetric (e.g., a one-way speech-to-texttranscoding for a hearing-impaired user that can talk).Camarillo Informational [Page 3]3. Transcoding Services InvocationOnce the need for transcoding for a particular session has beenidentified as described in Section 2, one of the user agents needs to invoke transcoding services.As stated earlier, transcoder location is outside the scope of thisdocument. So, we assume that the user agent invoking transcodingservices knows the URI of a server that provides them.Invoking transcoding services from a server (T) for a session between two user agents (A and B) involves establishing two media sessions;one between A and T and another between T and B. How to invoke T’sservices (i.e., how to establish both A-T and T-B sessions) dependson how we model the transcoding service. We have considered twomodels for invoking a transcoding service. The first is to usethird-party call control [RFC3725], also referred to as 3pcc. Thesecond is to use a (dial-in and dial-out) conference bridge thatnegotiates the appropriate media parameters on each individual leg(i.e., A-T and T-B).Section 3.1 analyzes the applicability of the third-party callcontrol model, and Section 3.2 analyzes the applicability of theconference bridge transcoding invocation model.3.1. Third-Party Call Control Transcoding ModelIn the 3pcc transcoding model, defined in [RFC4117], the user agentinvoking the transcoding service has a signalling relationship withthe transcoder and another signalling relationship with the remoteuser agent. There is no signalling relationship between thetranscoder and the remote user agent, as shown in Figure 1.Camarillo Informational [Page 4]+-------+| || T |**| | **+-------+ **^ * **| * **| * **SIP * **| * **| * **v * **+-------+ +-------+| | | || A |<-----SIP----->| B || | | |+-------+ +-------+<-SIP-> Signalling******* MediaFigure 1: Third-Party Call Control ModelThis model is suitable for advanced endpoints that are able toperform third party call control. It allows endpoints to invoketranscoding services on a stream basis. That is, the media streamsthat need transcoding are routed through the transcoder while thestreams that do not need it are sent directly between the endpoints. This model also allows invoking one transcoder for the sendingdirection and a different one for the receiving direction of the same stream.Invoking a transcoder in the middle of an ongoing session is alsoquite simple. This is useful when session changes occur (e.g., anaudio session is upgraded to an audio/video session) and theendpoints cannot cope with the changes (e.g., they had common audiocodecs but no common video codecs).The privacy level that is achieved using 3pcc is high, since thetranscoder does not see the signalling between both endpoints. Inthis model, the transcoder only has access to the information that is strictly needed to perform its function.3.2. Conference Bridge Transcoding ModelIn a centralized conference, there are a number of media streamsbetween the conference server and each participant of a conference.For a given media type (e.g., audio) the conference server sends, Camarillo Informational [Page 5]over each individual stream, the media received over the rest of the streams, typically performing some mixing. If the capabilities ofall the endpoints participating in the conference are not the same,the conference server may have to send audio to differentparticipants using different audio codecs.Consequently, we can model a transcoding service as a two-partyconference server that may change not only the codec in use, but also the format of the media (e.g., audio to text).Using this model, T behaves as a B2BUA (Back-to-Back User Agent) and the whole A-T-B session is established as described in [RFC5370].Figure 2 shows the signalling relationships between the endpoints and the transcoder.+-------+| |**| T | **| |\ **+-------+ \\ **^ * \\ **| * \\ **| * SIP **SIP * \\ **| * \\ **| * \\ **v * \ **+-------+ +-------+| | | || A | | B || | | |+-------+ +-------+<-SIP-> Signalling******* MediaFigure 2: Conference Bridge ModelIn the conferencing bridge model, the endpoint invoking thetranscoder is generally involved in less signalling exchanges than in the 3pcc model. This may be an important feature for endpoints using low-bandwidth or high-delay access links (e.g., some wirelessaccesses).On the other hand, this model is less flexible than the 3pcc model.It is not possible to use different transcoders for different streams or for different directions of a stream.Camarillo Informational [Page 6]Invoking a transcoder in the middle of an ongoing session or changing from one transcoder to another requires the remote endpoint tosupport the Replaces [RFC3891] extension. At present, not many user agents support it.Simple endpoints that cannot perform 3pcc and thus cannot use the3pcc model, of course, need to use the conference bridge model.4. Security ConsiderationsThe specifications of the 3pcc and the conferencing transcodingmodels discuss security issues directly related to the implementation of those models. Additionally, there are some considerations thatapply to transcoding in general.In a session, a transcoder has access to at least some of the mediaexchanged between the endpoints. In order to avoid rogue transcoders getting access to those media, it is recommended that endpointsauthenticate the transcoder. TLS [RFC5246] and S/MIME [RFC3850] can be used for this purpose.To achieve a higher degree of privacy, endpoints following the 3pcctranscoding model can use one transcoder in one direction and adifferent one in the other direction. This way, no single transcoder has access to all the media exchanged between the endpoints.The fact that transcoders need to access media exchanged between the endpoints implies that endpoints cannot use end-to-end media security mechanisms. Media encryption would not allow the transcoder toaccess the media, and media integrity protection would not allow the transcoder to modify the media (which is obviously necessary toperform the transcoding function). Nevertheless, endpoints can still use media security between the transcoder and themselves.5. ContributorsThis document is the result of discussions amongst the conferencingdesign team. The members of this team include Eric Burger, HenningSchulzrinne, and Arnoud van Wijk.6. References6.1. Normative References[RFC3238] Floyd, S. and L. Daigle, "IAB Architectural and PolicyConsiderations for Open Pluggable Edge Services",RFC 3238, January 2002.Camarillo Informational [Page 7][RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,A., Peterson, J., Sparks, R., Handley, M., and E.Schooler, "SIP: Session Initiation Protocol", RFC 3261,June 2002.[RFC3264] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Modelwith Session Description Protocol (SDP)", RFC 3264,June 2002.[RFC3265] Roach, A.B., "Session Initiation Protocol (SIP)-SpecificEvent Notification", RFC 3265, June 2002.[RFC3351] Charlton, N., Gasson, M., Gybels, G., Spanner, M., and A. van Wijk, "User Requirements for the Session InitiationProtocol (SIP) in Support of Deaf, Hard of Hearing andSpeech-impaired Individuals", RFC 3351, August 2002.[RFC3725] Rosenberg, J., Peterson, J., Schulzrinne, H., and G.Camarillo, "Best Current Practices for Third Party CallControl (3pcc) in the Session Initiation Protocol (SIP)", BCP 85, RFC 3725, April 2004.[RFC3850] Ramsdell, B., "Secure/Multipurpose Internet MailExtensions (S/MIME) Version 3.1 Certificate Handling",RFC 3850, July 2004.[RFC3891] Mahy, R., Biggs, B., and R. Dean, "The Session Initiation Protocol (SIP) "Replaces" Header", RFC 3891,September 2004.[RFC4117] Camarillo, G., Burger, E., Schulzrinne, H., and A. vanWijk, "Transcoding Services Invocation in the SessionInitiation Protocol (SIP) Using Third Party Call Control(3pcc)", RFC 4117, June 2005.[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008.[RFC5370] Camarillo, G., "The Session Initiation Protocol (SIP)Conference Bridge Transcoding Model", RFC 5370,October 2008.6.2. Informative References[RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: SessionDescription Protocol", RFC 4566, July 2006.Camarillo Informational [Page 8]Author’s AddressGonzalo CamarilloEricssonHirsalantie 11Jorvas 02420FinlandEMail: Gonzalo.Camarillo@Camarillo Informational [Page 9]Full Copyright StatementCopyright (C) The IETF Trust (2008).This document is subject to the rights, licenses and restrictionscontained in BCP 78, and except as set forth therein, the authorsretain all their rights.This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIEDWARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual PropertyThe IETF takes no position regarding the validity or scope of anyIntellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described inthis document or the extent to which any license under such rightsmight or might not be available; nor does it represent that it hasmade any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can befound in BCP 78 and BCP 79.Copies of IPR disclosures made to the IETF Secretariat and anyassurances of licenses to be made available, or the result of anattempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of thisspecification can be obtained from the IETF on-line IPR repository at /ipr.The IETF invites any interested party to bring to its attention anycopyrights, patents or patent applications, or other proprietaryrights that may cover technology that may be required to implementthis standard. Please address the information to the IETF atietf-ipr@.Camarillo Informational [Page 10]。

标准参考文档链路层协议PPP(Point-to-Point Protocol)：RFC 1332： The PPP Internet Protocol Control Protocol (IPCP)RFC 1334： PPP Authentication ProtocolsRFC 1552： The PPP Internetworking Packet Exchange Control Protocol (IPXCP) RFC 1570： PPP LCP Extensions(实现了其中的callback选项)RFC 1661： The Point-to-Point Protocol (PPP)RFC 1877： PPP Internet Protocol Control Protocol Extensions for Name Server AddressesRFC 1990： The PPP Multilink Protocol (MP)RFC 1994： PPP Challenge Handshake Authentication Protocol (CHAP)RFC 2509： IP Header Compression over PPPRFC 1962： The PPP Compression Control Protocol (CCP)RFC 1974： PPP Stac LZS Compression ProtocoldX25、LAPB(Link Access Protocol Balanced)：RFC1613：Cisco Systems X.25 over TCP(XOT)RFC1598：PPP in X.25RFC1461：SNMP MIB extension for MultiProtocol Interconnect over X.25RFC1382： SNMP MIB Extension for the X.25 Packet LayerRFC1381： SNMP MIB Extension for X.25 LAPBRFC1356： Multiprotocol Interconnect on X.25 and ISDN in the Packet ModeRFC1236： IP to X.121 Address Mapping for DDNRFC1226： Internet Protocol Encapsulation of AX.25 FramesRFC1090： SMTP on X.25RFC1086： ISO-TP0 bridge between TCP and X.25RFC874： Critique of X.25RFC1236： IP to X.121 Address Mapping for DDNRFC1133： Routing between the NSFNET and the DDNCisco-HDLC：Cisco-HDLC是CISCO自己设计的一个协议,没有可参考的标准Frame Relay：RFC1294/1490： Multiprotocol Interconnect over Frame RelayRFC1293： Inverse Address Resolution Protocol(INARP)RFC1315： Management Information Base for Frame Relay DTEsITU-T Q933附录A：帧中继本地管理接口（LMI）协议ANSI T1.617附录D：帧中继本地管理接口（LMI）协议ISDN(Integrated Services Digital Network)：ITU-T Q.931建议(网络层)ITU-T Q.921建议(链路层)IP层协议RFC791： Internet Protocol. (IP)RFC792： Internet Control Message Protocol (ICMP)RFC793： TRANSMISSION CONTROL PROTOCOL (TCP)RFC896： Congestion Control in IP/TCP InternetworksRFC768： User Datagram Protocol (UDP)RFC 826： An Ethernet Address Resolution Protocol (ARP)Socket： Unix标准路由协议RIP(Routing Information Protocol)：RFC1058： Routing Information ProtocolRFC1723： RIP Version 2RFC2082： RIP-2 MD5 AuthenticationOSPF(Open Shortest Path First)：RFC2328： OSPF Version 2RFC1793： Extending OSPF to Support Demand CircuitsIGRP(Interior Gateway Routing Protocol)：IGRP协议无标准RFC，与CISCO保持兼容BGP(Border Gateway Protocol)：RFC1771： A Border Gateway Protocol 4(BGP-4)RFC1772： Application of the Border Gateway Protocol in the Internet (BGP-4) RFC1965： Autonomous System Confederations for BGPRFC1966： BGP Route Reflection -- An alternative to full mesh IBGPRFC1997： BGP Community AttributeRFC2439： BGP Route Flap Damping网络安全RADIUS(Remote Authentication Dial In User Service)：RFC2138： Remote Authentication Dial In User Service (RADIUS)RFC2139： RADIUS AccountingGRE(Generic Routing Encapsulation)：RFC1701： Generic Roouting Encapsulation (老版本)RFC1702： Generic Routing Encapsulation over IPv4 networksRFC2784： Generic Roouting Encapsulation (新版本)RFC2667： IP Tunnel MIBIPSEC(IP Security)：RFC1825： Security Architechure for the Internet Protocol (老版本)RFC2401： Security Architechure for the Internet Protocol (新版本)AH(Authentication Header)协议：RFC2402： IP Authentication HeaderRFC1321： The MD5 Message-Digest AlgorithmRFC2104： HMAC: Keyed-Hashing for Message AuthenticationRFC2085： IP Authentication with Replay PreventionRFC2403： The Use of HMAC-MD5-96 within ESP and AHRFC2404： The Use of HMAC-SHA-1-96 within ESP and AHESP(Encapsulating Security Payload)：RFC2406： IP Encapsulating Security Payload (ESP)RFC2405： The ESP DES-CBC Cipher Algorithm With Explicit IVIKE(Internet Key Exchange)：RFC2408：Internet Security Association and Key Management Protocol (ISAKMP) RFC2409：The Internet Key Exchange (IKE)RFC2407：The Internet IP Security Domain of Interpretation for ISAKMP (IPSEC DOI)L2TP(Layer 2 Tunnel Protocol)：RFC2661：Layer 2 Tunnel ProtocolNAT(Network Address Translator)：RFC1631：The IP Network Address Translator (NAT)RFC2663：IP Network Address Translator (NAT) Terminology and Considerations 网络管理SNMP(Simple Network Management Protocol)：RFC 1157： Simple Network Management Protocol (SNMP)。