Network Working Group                                       P. Srisuresh
Request for Comments: 3022                              Jasmine Networks
Obsoletes: 1631                                               K. Egevang
Category: Informational                                Intel Corporation
                                                            January 2001
        

Traditional IP Network Address Translator (Traditional NAT)

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2001). All Rights Reserved.

Preface

The NAT operation described in this document extends address translation introduced in RFC 1631 and includes a new type of network address and TCP/UDP port translation. In addition, this document corrects the Checksum adjustment algorithm published in RFC 1631 and attempts to discuss NAT operation and limitations in detail.

Abstract

Basic Network Address Translation or Basic NAT is a method by which IP addresses are mapped from one group to another, transparent to end users. Network Address Port Translation, or NAPT is a method by which many network addresses and their TCP/UDP (Transmission Control Protocol/User Datagram Protocol) ports are translated into a single network address and its TCP/UDP ports. Together, these two operations, referred to as traditional NAT, provide a mechanism to connect a realm with private addresses to an external realm with globally unique registered addresses.

1. Introduction

The need for IP Address translation arises when a network's internal IP addresses cannot be used outside the network either for privacy reasons or because they are invalid for use outside the network.

Network topology outside a local domain can change in many ways. Customers may change providers, company backbones may be reorganized, or providers may merge or split. Whenever external topology changes with time, address assignment for nodes within the local domain must also change to reflect the external changes. Changes of this type can be hidden from users within the domain by centralizing changes to a single address translation router.

Basic Address translation would (in many cases, except as noted in [NAT-TERM] and section 6 of this document) allow hosts in a private network to transparently access the external network and enable access to selective local hosts from the outside. Organizations with a network setup predominantly for internal use, with a need for occasional external access are good candidates for this scheme.

Many Small Office, Home Office (SOHO) users and telecommuting employees have multiple Network nodes in their office, running TCP/UDP applications, but have a single IP address assigned to their remote access router by their service provider to access remote networks. This ever increasing community of remote access users would be benefited by NAPT, which would permit multiple nodes in a local network to simultaneously access remote networks using the single IP address assigned to their router.

There are limitations to using the translation method. It is mandatory that all requests and responses pertaining to a session be routed via the same NAT router. One way to ascertain this would be to have NAT based on a border router that is unique to a stub domain, where all IP packets are either originated from the domain or destined to the domain. There are other ways to ensure this with multiple NAT devices. For example, a private domain could have two distinct exit points to different providers and the session flow from the hosts in a private network could traverse through whichever NAT device has the best metric for an external host. When one of the NAT routers fails, the other could route traffic for all the connections. There is however a caveat with this approach, in that rerouted flows could fail at the time of switchover to the new NAT router. A way to overcome this potential problem is that the routers share the same NAT configuration and exchange state information to ensure a fail-safe backup for each other.

Address translation is application independent and often accompanied by application specific gateways (ALGs) to perform payload monitoring and alterations. FTP is the most popular ALG resident on NAT devices. Applications requiring ALG intervention must not have their payload encoded, as doing that would effectively disable the ALG, unless the ALG has the key to decrypt the payload.

This solution has the disadvantage of taking away the end-to-end significance of an IP address, and making up for it with increased state in the network. As a result, end-to-end IP network level security assured by IPSec cannot be assumed to end hosts, with a NAT device enroute. The advantage of this approach however is that it can be installed without changes to hosts or routers.

Definition of terms such as "Address Realm", "Transparent Routing", "TU Ports", "ALG" and others, used throughout the document, may be found in [NAT-TERM].

2. Overview of traditional NAT

The Address Translation operation presented in this document is referred to as "Traditional NAT". There are other variations of NAT that will not be explored in this document. Traditional NAT would allow hosts within a private network to transparently access hosts in the external network, in most cases. In a traditional NAT, sessions are uni-directional, outbound from the private network. Sessions in the opposite direction may be allowed on an exceptional basis using static address maps for pre-selected hosts. Basic NAT and NAPT are two variations of traditional NAT, in that translation in Basic NAT is limited to IP addresses alone, whereas translation in NAPT is extended to include IP address and Transport identifier (such as TCP/UDP port or ICMP query ID).

Unless mentioned otherwise, Address Translation or NAT throughout this document will pertain to traditional NAT, namely Basic NAT as well as NAPT. Only the stub border routers as described in figure 1 below may be configured to perform address translation.

        \ | /                 .                                /
   +---------------+  WAN     .           +-----------------+/
   |Regional Router|----------------------|Stub Router w/NAT|---
   +---------------+          .           +-----------------+\
                              .                      |         \
                              .                      |  LAN
                              .               ---------------
                        Stub border
        

Figure 1: Traditional NAT Configuration

2.1 Overview of Basic NAT

Basic NAT operation is as follows. A stub domain with a set of private network addresses could be enabled to communicate with external network by dynamically mapping the set of private addresses to a set of globally valid network addresses. If the number of local nodes is less than or equal to the number of addresses in the global set, each local address is guaranteed a global address to map to. Otherwise, nodes allowed to have simultaneous access to external network are limited by the number of addresses in global set. Individual local addresses may be statically mapped to specific global addresses to ensure guaranteed access to the outside or to allow access to the local host from external hosts via a fixed public address. Multiple simultaneous sessions may be initiated from a local node, using the same address mapping.

Addresses inside a stub domain are local to that domain and not valid outside the domain. Thus, addresses inside a stub domain can be reused by any other stub domain. For instance, a single Class A address could be used by many stub domains. At each exit point between a stub domain and backbone, NAT is installed. If there is more than one exit point it is of great importance that each NAT has the same translation table.

For instance, in the example of figure 2, both stubs A and B internally use class A private address block 10.0.0.0/8 [RFC 1918]. Stub A's NAT is assigned the class C address block 198.76.29.0/24, and Stub B's NAT is assigned the class C address block 198.76.28.0/24. The class C addresses are globally unique; no other NAT boxes can use them.

                                    \ | /
                                  +---------------+
                                  |Regional Router|
                                  +---------------+
                                WAN |           | WAN
                                    |           |
                Stub A .............|....   ....|............ Stub B
                                    |           |
                  {s=198.76.29.7,^  |           |  v{s=198.76.29.7,
                   d=198.76.28.4}^  |           |  v d=198.76.28.4}
                    +-----------------+       +-----------------+
                    |Stub Router w/NAT|       |Stub Router w/NAT|
                    +-----------------+       +-----------------+
                          |                         |
                          |  LAN               LAN  |
                    -------------             -------------
                              |                 |
            {s=10.33.96.5, ^  |                 |  v{s=198.76.29.7,
             d=198.76.28.4}^ +--+             +--+ v d=10.81.13.22}
                             |--|             |--|
                            /____\           /____\
                          10.33.96.5       10.81.13.22
        

Figure 2: Basic NAT Operation

When stub A host 10.33.96.5 wishes to send a packet to stub B host 10.81.13.22, it uses the globally unique address 198.76.28.4 as destination, and sends the packet to its primary router. The stub router has a static route for net 198.76.0.0 so the packet is forwarded to the WAN-link. However, NAT translates the source address 10.33.96.5 of the IP header to the globally unique 198.76.29.7 before the packet is forwarded. Likewise, IP packets on the return path go through similar address translations.

Notice that this requires no changes to hosts or routers. For instance, as far as the stub A host is concerned, 198.76.28.4 is the address used by the host in stub B. The address translations are transparent to end hosts in most cases. Of course, this is just a simple example. There are numerous issues to be explored.

2.2. Overview of NAPT

Say, an organization has a private IP network and a WAN link to a service provider. The private network's stub router is assigned a globally valid address on the WAN link and the remaining nodes in the organization have IP addresses that have only local significance. In such a case, nodes on the private network could be allowed simultaneous access to the external network, using the single registered IP address with the aid of NAPT. NAPT would allow mapping of tuples of the type (local IP addresses, local TU port number) to tuples of the type (registered IP address, assigned TU port number).

This model fits the requirements of most Small Office Home Office (SOHO) groups to access external network using a single service provider assigned IP address. This model could be extended to allow inbound access by statically mapping a local node per each service TU port of the registered IP address.

In the example of figure 3 below, stub A internally uses class A address block 10.0.0.0/8. The stub router's WAN interface is assigned an IP address 138.76.28.4 by the service provider.

                                     \ | /
                                   +-----------------------+
                                   |Service Provider Router|
                                   +-----------------------+
                                 WAN |
                                     |
                 Stub A .............|....
                                     |
         ^{s=138.76.28.4,sport=1024, |  v{s=138.76.29.7, sport = 23,
         ^ d=138.76.29.7,dport=23}   |  v d=138.76.28.4, dport = 1024}
                         +------------------+
                         |Stub Router w/NAPT|
                         +------------------+
                           |
                           |  LAN
     --------------------------------------------
        |        ^{s=10.0.0.10,sport=3017, |  v{s=138.76.29.7, sport=23,
        |        ^ d=138.76.29.7,dport=23} |  v d=10.0.0.10, dport=3017}
        |                                  |
       +--+      +--+                    +--+
       |--|      |--|                    |--|
      /____\    /____\                  /____\
     10.0.0.1  10.0.0.2   .....        10.0.0.10
        

Figure 3: Network Address Port Translation (NAPT) Operation

When stub A host 10.0.0.10 sends a telnet packet to host 138.76.29.7, it uses the globally unique address 138.76.29.7 as destination, and sends the packet to its primary router. The stub router has a static route for the subnet 138.76.0.0/16 so the packet is forwarded to the WAN-link. However, NAPT translates the tuple of source address 10.0.0.10 and source TCP port 3017 in the IP and TCP headers into the globally unique 138.76.28.4 and a uniquely assigned TCP port, say 1024, before the packet is forwarded. Packets on the return path go through similar address and TCP port translations for the target IP address and target TCP port. Once again, notice that this requires no changes to hosts or routers. The translation is completely transparent.

In this setup, only TCP/UDP sessions are allowed and must originate from the local network. However, there are services such as DNS that demand inbound access. There may be other services for which an organization wishes to allow inbound session access. It is possible to statically configure a well known TU port service [RFC 1700] on the stub router to be directed to a specific node in the private network.

In addition to TCP/UDP sessions, ICMP messages, with the exception of REDIRECT message type may also be monitored by NAPT router. ICMP query type packets are translated similar to that of TCP/UDP packets, in that the identifier field in ICMP message header will be uniquely mapped to a query identifier of the registered IP address. The identifier field in ICMP query messages is set by Query sender and returned unchanged in response message from the Query responder. So, the tuple of (Local IP address, local ICMP query identifier) is mapped to a tuple of (registered IP address, assigned ICMP query Identifier) by the NAPT router to uniquely identify ICMP queries of all types from any of the local hosts. Modifications to ICMP error messages are discussed in a later section, as that involves modifications to ICMP payload as well as the IP and ICMP headers.

In NAPT setup, where the registered IP address is the same as the IP address of the stub router WAN interface, the router has to be sure to make distinction between TCP, UDP or ICMP query sessions originated from itself versus those originated from the nodes on local network. All inbound sessions (including TCP, UDP and ICMP query sessions) are assumed to be directed to the NAT router as the end node, unless the target service port is statically mapped to a different node in the local network.

Sessions other than TCP, UDP and ICMP query type are simply not permitted from local nodes, serviced by a NAPT router.

3.0. Translation phases of a session.

The translation phases with traditional NAT are the same as described in [NAT-TERM]. The following sub-sections identify items that are specific to traditional NAT.

3.1. Address binding:

With Basic NAT, a private address is bound to an external address, when the first outgoing session is initiated from the private host. Subsequent to that, all other outgoing sessions originating from the same private address will use the same address binding for packet translation.

In the case of NAPT, where many private addresses are mapped to a single globally unique address, the binding would be from the tuple of (private address, private TU port) to the tuple of (assigned address, assigned TU port). As with Basic NAT, this binding is determined when the first outgoing session is initiated by the tuple of (private address, private TU port) on the private host. While not a common practice, it is possible to have an application on private host establish multiple simultaneous sessions originating from the same tuple of (private address, private TU port). In such a case, a single binding for the tuple of (private address, private TU port) may be used for translation of packets pertaining to all sessions originating from the same tuple on a host.

3.2. Address lookup and translation:

After an address binding or (address, TU port) tuple binding in case of NAPT is established, a soft state may be maintained for each of the connections using the binding. Packets belonging to the same session will be subject to session lookup for translation purposes. The exact nature of translation is discussed in the follow-on section.

3.3. Address unbinding:

When the last session based on an address or (address, TU port) tuple binding is terminated, the binding itself may be terminated.
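
The binding life cycle of sections 3.1 to 3.3, worked through for the NAPT setup of figure 3. This is an added example, not code from the RFC: the table layout, the function names and the choice to unbind as soon as the last session ends are assumptions, and one port space stands in for the separate TCP, UDP and ICMP query identifier spaces.

```c
#include <stdint.h>
#include <stdio.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))
#define NAPT_SLOTS     32     /* table size, arbitrary for this example */
#define NAPT_PORT_BASE 1024u  /* first assignable TU port, as in figure 3 */

struct napt_binding {
    int      used;
    int      is_static;  /* static map for inbound access (section 2.2) */
    int      sessions;   /* live sessions sharing this binding */
    uint32_t priv_addr;
    uint16_t priv_port;
    uint16_t ext_port;   /* assigned TU port on the registered address */
};

struct napt {
    uint32_t ext_addr;   /* the single registered address */
    struct napt_binding tab[NAPT_SLOTS];
};

static struct napt_binding *by_private(struct napt *n, uint32_t a, uint16_t p)
{
    for (int i = 0; i < NAPT_SLOTS; i++)
        if (n->tab[i].used && n->tab[i].priv_addr == a && n->tab[i].priv_port == p)
            return &n->tab[i];
    return NULL;
}

static struct napt_binding *by_external(struct napt *n, uint16_t ext_port)
{
    for (int i = 0; i < NAPT_SLOTS; i++)
        if (n->tab[i].used && n->tab[i].ext_port == ext_port) return &n->tab[i];
    return NULL;
}

static struct napt_binding *free_slot(struct napt *n)
{
    for (int i = 0; i < NAPT_SLOTS; i++)
        if (!n->tab[i].used) return &n->tab[i];
    return NULL;
}

/* Static map: inbound sessions to ext_port reach (priv_addr, priv_port). */
int napt_static_map(struct napt *n, uint16_t ext_port, uint32_t priv_addr, uint16_t priv_port)
{
    struct napt_binding *b = free_slot(n);
    if (!b || by_external(n, ext_port)) return -1;
    *b = (struct napt_binding){1, 1, 0, priv_addr, priv_port, ext_port};
    return 0;
}

/* Section 3.1: the first outgoing session from a private tuple creates the
   binding; later sessions from the same tuple share it.
   Returns the assigned external port, or 0 when no port or slot is left. */
uint16_t napt_session_start(struct napt *n, uint32_t priv_addr, uint16_t priv_port)
{
    struct napt_binding *b = by_private(n, priv_addr, priv_port);
    if (!b) {
        uint32_t p = NAPT_PORT_BASE;
        while (p <= 0xFFFF && by_external(n, (uint16_t)p)) p++;
        if (p > 0xFFFF || !(b = free_slot(n))) return 0;
        *b = (struct napt_binding){1, 0, 0, priv_addr, priv_port, (uint16_t)p};
    }
    b->sessions++;
    return b->ext_port;
}

/* Section 3.2, inbound lookup: returns 1 and the private tuple when a binding
   exists, 0 otherwise (the packet is then for the router itself). */
int napt_inbound(struct napt *n, uint16_t ext_port, uint32_t *priv_addr, uint16_t *priv_port)
{
    struct napt_binding *b = by_external(n, ext_port);
    if (!b) return 0;
    *priv_addr = b->priv_addr;
    *priv_port = b->priv_port;
    return 1;
}

/* Section 3.3: unbind when the last session ends; static maps persist.
   Returns 1 when the binding was removed. */
int napt_session_end(struct napt *n, uint32_t priv_addr, uint16_t priv_port)
{
    struct napt_binding *b = by_private(n, priv_addr, priv_port);
    if (!b || b->sessions == 0) return 0;
    if (--b->sessions == 0 && !b->is_static) { b->used = 0; return 1; }
    return 0;
}

int main(void)
{
    struct napt n = { .ext_addr = IP4(138, 76, 28, 4) };
    uint32_t a; uint16_t p;
    printf("10.0.0.10:3017 -> port %u\n", (unsigned)napt_session_start(&n, IP4(10, 0, 0, 10), 3017));
    printf("inbound 1024: %d, inbound 2000: %d\n",
           napt_inbound(&n, 1024, &a, &p), napt_inbound(&n, 2000, &a, &p));
    return 0;
}
```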

4.0. Packet Translations

Packets pertaining to NAT managed sessions undergo translation in either direction. Individual packet translation issues are covered in detail in the following sub-sections.

4.1. IP, TCP, UDP and ICMP Header Manipulations

In Basic NAT model, the IP header of every packet must be modified. This modification includes IP address (source IP address for outbound packets and destination IP address for inbound packets) and the IP checksum.

For TCP ([TCP]) and UDP ([UDP]) sessions, modifications must include update of checksum in the TCP/UDP headers. This is because TCP/UDP checksum also covers a pseudo header which contains the source and destination IP addresses. As an exception, UDP headers with 0 checksum should not be modified. As for ICMP Query packets ([ICMP]), no further changes in ICMP header are required as the checksum in ICMP header does not cover IP addresses.

In NAPT model, modifications to IP header are similar to that of Basic NAT. For TCP/UDP sessions, modifications must be extended to include translation of TU port (source TU port for outbound packets and destination TU port for inbound packets) in the TCP/UDP header. ICMP header in ICMP Query packets must also be modified to replace the query ID and ICMP header checksum. Private host query ID must be translated into assigned ID on the outbound and the exact reverse on the inbound. ICMP header checksum must be corrected to account for Query ID translation.

4.2. Checksum Adjustment

NAT modifications are per packet based and can be very compute intensive, as they involve one or more checksum modifications in addition to simple field translations. Luckily, we have an algorithm below, which makes checksum adjustment to IP, TCP, UDP and ICMP headers very simple and efficient. Since all these headers use a one's complement sum, it is sufficient to calculate the arithmetic difference between the before-translation and after-translation addresses and add this to the checksum. The algorithm below is applicable only for even offsets (i.e., optr below must be at an even offset from start of header) and even lengths (i.e., olen and nlen below must be even). Sample code (in C) for this is as follows.

   void checksumadjust(unsigned char *chksum, unsigned char *optr,
   int olen, unsigned char *nptr, int nlen)
   /* assuming: unsigned char is 8 bits, long is 32 bits.
     - chksum points to the chksum in the packet
     - optr points to the old data in the packet
     - nptr points to the new data in the packet
   */
   {
     long x, old, new;
     x=chksum[0]*256+chksum[1];
     x=~x & 0xFFFF;
     while (olen)
     {
         old=optr[0]*256+optr[1]; optr+=2;
         x-=old & 0xffff;
         if (x<=0) { x--; x&=0xffff; }
         olen-=2;
     }
     while (nlen)
     {
         new=nptr[0]*256+nptr[1]; nptr+=2;
         x+=new & 0xffff;
         if (x & 0x10000) { x++; x&=0xffff; }
         nlen-=2;
     }
     x=~x & 0xFFFF;
     chksum[0]=x/256; chksum[1]=x & 0xff;
   }
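
An added check, not part of the RFC: the function above (reproduced with condensed layout) is applied to the figure 3 translation of 10.0.0.10:3017 into 138.76.28.4:1024 and compared against full recomputation, together with the zero-checksum UDP exception of section 4.1. The packet bytes are constructed for the example, and the helper names sum16, ip_cksum, tcp_cksum, get16, build_packet, translate_outbound and udp_cksum_adjust are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* checksumadjust() as given in section 4.2 (layout condensed). */
void checksumadjust(unsigned char *chksum, unsigned char *optr, int olen,
                    unsigned char *nptr, int nlen)
{
    long x, old, new;
    x = chksum[0] * 256 + chksum[1];
    x = ~x & 0xFFFF;
    while (olen) {
        old = optr[0] * 256 + optr[1]; optr += 2;
        x -= old & 0xffff;
        if (x <= 0) { x--; x &= 0xffff; }
        olen -= 2;
    }
    while (nlen) {
        new = nptr[0] * 256 + nptr[1]; nptr += 2;
        x += new & 0xffff;
        if (x & 0x10000) { x++; x &= 0xffff; }
        nlen -= 2;
    }
    x = ~x & 0xFFFF;
    chksum[0] = x / 256; chksum[1] = x & 0xff;
}

/* One's complement sum of len bytes (len even), folded to 16 bits. */
static uint32_t sum16(const unsigned char *p, int len, uint32_t acc)
{
    for (int i = 0; i < len; i += 2) acc += ((uint32_t)p[i] << 8) | p[i + 1];
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return acc;
}

/* Full recomputation of the IP header checksum (20-byte header). */
uint16_t ip_cksum(const unsigned char *pkt)
{
    unsigned char h[20];
    memcpy(h, pkt, 20); h[10] = h[11] = 0;
    return (uint16_t)~sum16(h, 20, 0);
}

/* Full recomputation of the TCP checksum: pseudo header + 20-byte header. */
uint16_t tcp_cksum(const unsigned char *pkt)
{
    unsigned char t[20];
    uint32_t acc = sum16(pkt + 12, 8, 0) + 6 + 20; /* addrs, proto, TCP len */
    memcpy(t, pkt + 20, 20); t[16] = t[17] = 0;
    return (uint16_t)~sum16(t, 20, acc);
}

uint16_t get16(const unsigned char *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Constructed sample: TCP SYN, 10.0.0.10:3017 -> 138.76.29.7:23 (figure 3). */
void build_packet(unsigned char *pkt)
{
    static const unsigned char tmpl[40] = {
        0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
        10, 0, 0, 10, 138, 76, 29, 7,
        0x0b, 0xc9, 0x00, 0x17, 0, 0, 0, 0, 0, 0, 0, 0,
        0x50, 0x02, 0x20, 0x00, 0, 0, 0, 0 };
    uint16_t c;
    memcpy(pkt, tmpl, 40);
    c = ip_cksum(pkt);  pkt[10] = (unsigned char)(c >> 8); pkt[11] = (unsigned char)c;
    c = tcp_cksum(pkt); pkt[36] = (unsigned char)(c >> 8); pkt[37] = (unsigned char)c;
}

/* Outbound NAPT rewrite of source address and source port; the checksums are
   only adjusted incrementally, never recomputed. */
void translate_outbound(unsigned char *pkt, unsigned char *new_addr, uint16_t new_port)
{
    unsigned char np[2] = { (unsigned char)(new_port >> 8), (unsigned char)new_port };
    checksumadjust(pkt + 10, pkt + 12, 4, new_addr, 4); /* IP header */
    checksumadjust(pkt + 36, pkt + 12, 4, new_addr, 4); /* TCP pseudo header */
    checksumadjust(pkt + 36, pkt + 20, 2, np, 2);       /* TCP source port */
    memcpy(pkt + 12, new_addr, 4);
    memcpy(pkt + 20, np, 2);
}

/* Section 4.1 exception: a UDP checksum of 0 means "none" and stays 0. */
void udp_cksum_adjust(unsigned char *chksum, unsigned char *optr, int olen,
                      unsigned char *nptr, int nlen)
{
    if (chksum[0] == 0 && chksum[1] == 0) return;
    checksumadjust(chksum, optr, olen, nptr, nlen);
}

int main(void)
{
    unsigned char pkt[40], ext[4] = {138, 76, 28, 4};
    build_packet(pkt);
    translate_outbound(pkt, ext, 1024);
    printf("IP %04x (recomputed %04x), TCP %04x (recomputed %04x)\n",
           (unsigned)get16(pkt + 10), (unsigned)ip_cksum(pkt),
           (unsigned)get16(pkt + 36), (unsigned)tcp_cksum(pkt));
    return 0;
}
```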
        
4.3. ICMP error packet modifications

Changes to ICMP error message ([ICMP]) will include changes to IP and ICMP headers on the outer layer as well as changes to headers of the packet embedded within the ICMP-error message payload.

In order for NAT to be transparent to end-host, the IP address of the IP header embedded within the payload of ICMP-Error message must be modified, the checksum field of the embedded IP header must be modified, and lastly, the ICMP header checksum must also be modified to reflect changes to payload.

In a NAPT setup, if the IP message embedded within ICMP happens to be a TCP, UDP or ICMP Query packet, you will also need to modify the appropriate TU port number within the TCP/UDP header or the Query Identifier field in the ICMP Query header.

Lastly, the IP header of the ICMP packet must also be modified.

4.4. FTP support

One of the most popular applications, "FTP" ([FTP]) would require an ALG to monitor the control session payload to determine the ensuing data session parameters. FTP ALG is an integral part of most NAT implementations.

The FTP ALG would require a special table to correct the TCP sequence and acknowledge numbers with source port FTP or destination port FTP. The table entries should have source address, destination address, source port, destination port, delta for sequence numbers and a timestamp. New entries are created only when FTP PORT commands or PASV responses are seen. The sequence number delta may be increased or decreased for every FTP PORT command or PASV response. Sequence numbers are incremented on the outbound and acknowledge numbers are decremented on the inbound by this delta.

FTP payload translations are limited to private addresses and their assigned external addresses (encoded as individual octets in ASCII) for Basic NAT. For NAPT setup, however, the translations must be extended to include the TCP port octets (in ASCII) following the address octets.
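
One way to implement the PORT rewrite and the sequence delta described above for a NAPT setup, as an added example rather than code from the RFC. The function names, the constructed addresses and data ports, and the rule that a line is rewritten only when it names the session's own private address are assumptions; the timestamp field of the table entry is left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Table entry per section 4.4, keyed by the FTP control connection. */
struct ftp_alg_entry {
    uint32_t src_addr, dst_addr;
    uint16_t src_port, dst_port;
    int32_t  seq_delta;   /* cumulative size change of the outbound stream */
};

/* Parse six comma-separated decimal fields, each 1-3 digits and 0..255. */
static int parse_octets(const char *s, unsigned v[6], const char **end)
{
    for (int i = 0; i < 6; i++) {
        unsigned n = 0; int digits = 0;
        while (*s >= '0' && *s <= '9' && digits < 3) {
            n = n * 10 + (unsigned)(*s++ - '0');
            digits++;
        }
        if (digits == 0 || n > 255) return -1;
        if (i < 5 && *s++ != ',') return -1;
        v[i] = n;
    }
    *end = s;
    return 0;
}

/* Rewrite "PORT h1,h2,h3,h4,p1,p2\r\n" to carry the assigned external address
   and port. Returns the new length, or -1 when the line is malformed, does
   not name priv_addr, or does not fit in out. */
int ftp_rewrite_port(const char *in, uint32_t priv_addr, uint32_t ext_addr,
                     uint16_t ext_port, char *out, size_t outsz)
{
    unsigned v[6]; const char *end; int n;
    if (strncmp(in, "PORT ", 5) != 0 || parse_octets(in + 5, v, &end) != 0 ||
        strcmp(end, "\r\n") != 0)
        return -1;
    if (IP4(v[0], v[1], v[2], v[3]) != priv_addr)
        return -1;   /* translation is limited to the bound private address */
    n = snprintf(out, outsz, "PORT %u,%u,%u,%u,%u,%u\r\n",
                 (unsigned)(ext_addr >> 24), (unsigned)((ext_addr >> 16) & 255),
                 (unsigned)((ext_addr >> 8) & 255), (unsigned)(ext_addr & 255),
                 (unsigned)(ext_port >> 8), (unsigned)(ext_port & 255));
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Outbound control segment from the private host. The sequence number is
   first shifted by the delta of earlier rewrites; if this segment is itself
   a PORT command, the delta then grows or shrinks by the size change. */
int ftp_alg_outbound(struct ftp_alg_entry *e, uint32_t *seq, const char *in,
                     uint32_t ext_addr, uint16_t ext_port, char *out, size_t outsz)
{
    size_t len = strlen(in);
    int n;
    *seq += (uint32_t)e->seq_delta;
    n = ftp_rewrite_port(in, e->src_addr, ext_addr, ext_port, out, outsz);
    if (n < 0) {                       /* not rewritten: pass through as is */
        if (len >= outsz) return -1;
        memcpy(out, in, len + 1);
        return (int)len;
    }
    e->seq_delta += n - (int)len;
    return n;
}

/* Inbound segment to the private host: undo the delta on the ack number. */
uint32_t ftp_alg_inbound_ack(const struct ftp_alg_entry *e, uint32_t ack)
{
    return ack - (uint32_t)e->seq_delta;
}

int main(void)
{
    struct ftp_alg_entry e = { IP4(10, 0, 0, 10), IP4(138, 76, 29, 7), 3020, 21, 0 };
    char out[64];
    uint32_t seq = 1000;   /* constructed sequence number */
    int n = ftp_alg_outbound(&e, &seq, "PORT 10,0,0,10,11,202\r\n",
                             IP4(138, 76, 28, 4), 1025, out, sizeof out);
    printf("len %d delta %d line %s", n, (int)e.seq_delta, out);
    return 0;
}
```

A single cumulative delta is only correct for acknowledgements of data sent after the most recent rewrite, so the example acknowledges each PORT command before the next one is translated.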

4.5 DNS support

Considering that sessions in a traditional NAT are predominantly outbound from a private domain, DNS ALG may be obviated from use in conjunction with traditional NAT as follows. DNS server(s) internal to the private domain maintain mapping of names to IP addresses for internal hosts and possibly some external hosts. External DNS servers maintain name mapping for external hosts alone and not for any of the internal hosts. If the private network does not have an internal DNS server, all DNS requests may be directed to external DNS server to find address mapping for the external hosts.

4.6. IP option handling

An IP datagram with any of the IP options Record Route, Strict Source Route or Loose Source Route would involve recording or using IP addresses of intermediate routers. A NAT intermediate router may choose not to support these options or leave the addresses untranslated while processing the options. The result of leaving the addresses untranslated would be that private addresses along the source route are exposed end to end. This should not jeopardize the traversal path of the packet, per se, as each router is supposed to look at the next hop router only.

5. Miscellaneous issues

5.1. Partitioning of Local and Global Addresses

For NAT to operate as described in this document, it is necessary to partition the IP address space into two parts - the private addresses used internal to stub domain, and the globally unique addresses. Any given address must either be a private address or a global address. There is no overlap.

The problem with overlap is the following. Say a host in stub A wished to send packets to a host in stub B, but the global addresses of stub B overlapped the private addresses of stub A. In this case, the routers in stub A would not be able to distinguish the global address of stub B from its own private addresses.

5.2. Private address space recommendation

[RFC 1918] has recommendations on address space allocation for private networks. Internet Assigned Numbers Authority (IANA) has three blocks of IP address space, namely 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 for private internets. In pre-CIDR notation, the first block is nothing but a single class A network number, while the second block is a set of 16 contiguous class B networks, and the third block is a set of 256 contiguous class C networks.

An organization that decides to use IP addresses in the address space defined above can do so without any coordination with IANA or an Internet registry. The address space can thus be used privately by many independent organizations at the same time, with NAT operation enabled on their border routers.

5.3. Routing Across NAT

The router running NAT should not advertise the private networks to the backbone. Only the networks with global addresses may be known outside the stub. However, global information that NAT receives from the stub border router can be advertised in the stub the usual way.

Typically, the NAT stub router will have a static route configured to forward all external traffic to service provider router over WAN link, and the service provider router will have a static route configured to forward NAT packets (i.e., those whose destination IP address fall within the range of NAT managed global address list) to NAT router over WAN link.

5.4. Switch-over from Basic NAT to NAPT

In Basic NAT setup, when private network nodes outnumber global addresses available for mapping (say, a class B private network mapped to a class C global address block), external network access to some of the local nodes is abruptly cut off after the last global address from the address list is used up. This is very inconvenient and constraining. Such an incident can be safely avoided by optionally allowing the Basic NAT router to switch over to NAPT setup for the last global address in the address list. Doing this will ensure that hosts on private network will have continued, uninterrupted access to the external nodes and services for most applications. Note, however, it could be confusing if some of the applications that used to work with Basic NAT suddenly break due to the switch-over to NAPT.

6.0. NAT limitations

[NAT-TERM] covers the limitations of all flavors of NAT, broadly speaking. The following sub-sections identify limitations specific to traditional NAT.

6.1. Privacy and Security

Traditional NAT can be viewed as providing a privacy mechanism as sessions are uni-directional from private hosts and the actual addresses of the private hosts are not visible to external hosts.

The same characteristic that enhances privacy potentially makes debugging problems (including security violations) more difficult. If a host in private network is abusing the Internet in some way (such as trying to attack another machine or even sending large amounts of spam) it is more difficult to track the actual source of trouble because the IP address of the host is hidden in a NAT router.

6.2. ARP responses to NAT mapped global addresses on a LAN interface

NAT must be enabled only on border routers of a stub domain. The examples provided in the document to illustrate Basic NAT and NAPT have maintained a WAN link for connection to external router (i.e., service provider router) from NAT router. However, if the WAN link were to be replaced by a LAN connection and if part or all of the global address space used for NAT mapping belongs to the same IP subnet as the LAN segment, the NAT router would be expected to provide ARP support for the address range that belongs to the same subnet. Responding to ARP requests for the NAT mapped global addresses with its own MAC address is a must in such a situation with Basic NAT setup. If the NAT router did not respond to these requests, no other node in the network has ownership of these addresses, and hence the requests would go unanswered.

This scenario is unlikely with NAPT setup except when the single address used in NAPT mapping is not the interface address of the NAT router (as in the case of a switch-over from Basic NAT to NAPT explained in 5.4 above, for example).

Using an address range from a directly connected subnet for NAT address mapping would obviate static route configuration on the service provider router.

It is the opinion of the authors that a LAN link to a service provider router is not very common. However, vendors may be interested to optionally support proxy ARP just in case.

6.3. Translation of outbound TCP/UDP fragmented packets in NAPT setup

Translation of outbound TCP/UDP fragments (i.e., those originating from private hosts) in NAPT setup is doomed to fail. The reason is as follows. Only the first fragment contains the TCP/UDP header that would be necessary to associate the packet to a session for translation purposes. Subsequent fragments do not contain TCP/UDP port information, but simply carry the same fragmentation identifier specified in the first fragment. Say, two private hosts originated fragmented TCP/UDP packets to the same destination host, and they happened to use the same fragmentation identifier. When the target host receives the two unrelated datagrams, carrying the same fragmentation id, and from the same assigned host address, it is unable to determine which of the two sessions the datagrams belong to. Consequently, both sessions will be corrupted.
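
The collision described above, simulated end to end together with a check a NAPT device could run on outbound fragments to spot it. This is an added example, not code from the RFC; the fragment records, addresses and function names are constructed, and offsets are given in bytes for readability.

```python
from collections import defaultdict

EXT_IP = "203.0.113.1"        # constructed NAPT external address
DST = "198.51.100.7"          # constructed destination host

def frag(src, off, data, ident=0x1234):
    """One UDP fragment; `off` is the payload byte offset within the datagram."""
    return {"src": src, "dst": DST, "proto": 17, "id": ident, "off": off, "data": data}

def napt_outbound(f):
    """NAPT maps every private source onto the single external address."""
    return {**f, "src": EXT_IP}

def reassemble(frags):
    """Receiver side: group by the RFC 791 key (src, dst, proto, id), order by offset.
    A real stack would overwrite or drop overlapping data; concatenating it here
    just makes the mixing visible."""
    buckets = defaultdict(list)
    for f in frags:
        buckets[(f["src"], f["dst"], f["proto"], f["id"])].append(f)
    return {key: b"".join(f["data"] for f in sorted(fs, key=lambda f: f["off"]))
            for key, fs in buckets.items()}

def colliding_ids(frags):
    """NAT-side check: (dst, proto, id) values used by more than one private host."""
    users = defaultdict(set)
    for f in frags:
        users[(f["dst"], f["proto"], f["id"])].add(f["src"])
    return {key for key, srcs in users.items() if len(srcs) > 1}

def demo():
    # Constructed traffic: two private hosts pick the same fragmentation identifier.
    wire = [frag("10.0.0.5", 0, b"AAAAAAAA"), frag("10.0.0.6", 0, b"BBBBBBBB"),
            frag("10.0.0.5", 8, b"aaaa"), frag("10.0.0.6", 8, b"bbbb")]
    before = reassemble(wire)                              # without translation
    after = reassemble([napt_outbound(f) for f in wire])   # after NAPT
    return before, after, colliding_ids(wire)
```

Before translation the receiver holds two separate reassembly buffers; after NAPT all four fragments share one key, so neither original datagram can be recovered.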

7.0. Current Implementations

Many commercial implementations are available in the industry that adhere to the NAT description provided in this document. Linux public domain software contains NAT under the name of "IP masquerade". FreeBSD public domain software has NAPT implementation running as a daemon. Note however that Linux source is covered under the GNU license and FreeBSD software is covered under the UC Berkeley license.

Both Linux and FreeBSD software are free, so you can buy CD-ROMs for these for little more than the cost of distribution. They are also available on-line from a lot of FTP sites with the latest patches.

8.0. Security Considerations

The security considerations described in [NAT-TERM] for all variations of NATs are applicable to traditional NAT.

References

[NAT-TERM] Srisuresh, P. and M. Holdrege, "IP Network Address Translator (NAT) Terminology and Considerations", RFC 2663, August 1999.

[RFC 1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G. and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, February 1996.

[RFC 1700] Reynolds, J. and J. Postel, "Assigned Numbers", STD 2, RFC 1700, October 1994.

[RFC 1122] Braden, R., "Requirements for Internet Hosts -- Communication Layers", STD 3, RFC 1122, October 1989.

[RFC 1123] Braden, R., "Requirements for Internet Hosts -- Application and Support", STD 3, RFC 1123, October 1989.

[RFC 1812] Baker, F., "Requirements for IP Version 4 Routers", RFC 1812, June 1995.

[FTP] Postel, J. and J. Reynolds, "FILE TRANSFER PROTOCOL (FTP)", STD 9, RFC 959, October 1985.

[TCP] Defense Advanced Research Projects Agency Information Processing Techniques Office, "TRANSMISSION CONTROL PROTOCOL (TCP) SPECIFICATION", STD 7, RFC 793, September 1981.

[ICMP] Postel, J., "INTERNET CONTROL MESSAGE (ICMP) SPECIFICATION", STD 5, RFC 792, September 1981.

[UDP] Postel, J., "User Datagram Protocol (UDP)", STD 6, RFC 768, August 1980.

[RFC 2101] Carpenter, B., Crowcroft, J. and Y. Rekhter, "IPv4 Address Behaviour Today", RFC 2101, February 1997.

Authors' Addresses

   Pyda Srisuresh
   Jasmine Networks, Inc.
   3061 Zanker Road, Suite B
   San Jose, CA 95134
   U.S.A.

   Phone: (408) 895-5032
   EMail: srisuresh@yahoo.com

   Kjeld Borch Egevang
   Intel Denmark ApS

   Phone: +45 44886556
   Fax:   +45 44886051
   EMail: kjeld.egevang@intel.com
   http:  //www.freeyellow.com/members/kbe
        

Full Copyright Statement

Copyright (C) The Internet Society (2001). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.
