Network Working Group R. P. Swale
Request for Comments: 3304 BTexact Technologies
Category: Informational P. A. Mart
Marconi Communications
P. Sijben
Lucent Technologies
S. Brim
M. Shore
Cisco Systems
August 2002
Network Working Group R. P. Swale
Request for Comments: 3304 BTexact Technologies
Category: Informational P. A. Mart
Marconi Communications
P. Sijben
Lucent Technologies
S. Brim
M. Shore
Cisco Systems
August 2002
Middlebox Communications (midcom) Protocol Requirements
中间盒通信(midcom)协议要求
Status of this Memo
本备忘录的状况
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2002). All Rights Reserved.
版权所有(C)互联网协会(2002年)。版权所有。
Abstract
摘要
This document specifies the requirements that the Middlebox Communication (midcom) protocol must satisfy in order to meet the needs of applications wishing to influence the middlebox function. These requirements were developed with a specific focus on network address translation and firewall middleboxes.
本文件规定了中间箱通信(midcom)协议必须满足的要求,以满足希望影响中间箱功能的应用程序的需求。制定这些要求时,特别关注网络地址转换和防火墙中间件。
This document is one of two developed by the Middlebox Communication (midcom) working group to address the requirements and framework for a protocol between middleboxes and "midcom agents." This document presents midcom requirements; [MCFW] presents the context and framework. [MCFW] also presents terminology and definitions and should be read in tandem with this one.
本文件是Middlebox Communication(midcom)工作组开发的两份文件之一,旨在解决Middlebox和“midcom代理”之间协议的要求和框架;[MCFW]介绍了上下文和框架。[MCFW]还提供了术语和定义,应与本手册一起阅读。
These requirements were developed by examining the midcom framework and extracting requirements, both explicit and implicit, that appeared there.
这些需求是通过检查midcom框架并提取其中出现的显式和隐式需求来开发的。
Each requirement is presented as a statement, followed by brief explanatory material as appropriate. Terminology is defined in [MCFW]. There may be overlap between requirements.
每项要求都以陈述的形式提出,然后是适当的简要说明材料。术语定义见[MCFW]。需求之间可能存在重叠。
2.1.1.
2.1.1.
The Midcom protocol must enable a Midcom agent requiring the services of a middlebox to establish an authorized association between itself and the middlebox.
Midcom协议必须允许需要中间箱服务的Midcom代理在其自身和中间箱之间建立授权关联。
This states that the protocol must allow the middlebox to identify an agent requesting services and make a determination as to whether or not the agent will be permitted to do so.
该协议规定,协议必须允许中间箱识别请求服务的代理,并确定是否允许该代理这样做。
2.1.2.
2.1.2.
The Midcom protocol must allow a Midcom agent to communicate with more than one middlebox simultaneously.
Midcom协议必须允许Midcom代理同时与多个中间盒通信。
In any but the most simple network, an agent is likely to want to influence the behavior of more than one middlebox. The protocol design must not preclude the ability to do this.
在除最简单的网络外的任何网络中,代理都可能想要影响多个中间箱的行为。协议设计不得排除这样做的能力。
2.1.3.
2.1.3.
The Midcom protocol must allow a middlebox to communicate with more than one Midcom agent simultaneously.
Midcom协议必须允许中间盒同时与多个Midcom代理通信。
There may be multiple instances of a single application or multiple applications desiring service from a single middlebox, and different agents may represent them. The protocol design must not preclude the ability to do so.
一个应用程序可能有多个实例,或者多个应用程序希望从一个中间盒获得服务,不同的代理可以代表它们。协议设计不得排除这样做的能力。
2.1.4.
2.1.4.
Where a multiplicity of Midcom Agents are interacting with a given middlebox, the Midcom protocol must provide mechanisms ensuring that the overall behavior is deterministic.
当多个Midcom代理与给定的中间盒交互时,Midcom协议必须提供确保整体行为具有确定性的机制。
This states that the protocol must include mechanisms for avoiding race conditions or other situations in which the requests of one agent may influence the results of the requests of other agents in an unpredictable manner.
这说明协议必须包括避免竞争条件或一个代理的请求可能以不可预测的方式影响其他代理的请求结果的其他情况的机制。
2.1.5.
2.1.5.
The Midcom protocol must enable the middlebox and any associated Midcom agents to establish a known and stable state. This must include the case of power failure, or other failure, where the protocol must ensure that any resources used by a failed element can be released.
Midcom协议必须使middlebox和任何相关的Midcom代理能够建立已知的稳定状态。这必须包括电源故障或其他故障,协议必须确保故障元件使用的任何资源都可以释放。
This states that the protocol must provide clear identification for requests and results and that protocol operations must be atomic with respect to the midcom protocol.
这说明协议必须为请求和结果提供清晰的标识,协议操作必须是midcom协议的原子操作。
2.1.6.
2.1.6.
The middlebox must be able to report its status to a Midcom agent with which it is associated.
中间盒必须能够向与其关联的Midcom代理报告其状态。
2.1.7.
2.1.7.
The protocol must support unsolicited messages from middlebox to agent, for reporting conditions detected asynchronously at the middlebox.
协议必须支持从中间箱到代理的未经请求的消息,以报告在中间箱异步检测到的条件。
It may be the case that exceptional conditions or other events at the middlebox (resource shortages, intrusion mitigation) will cause the middlebox to close pinholes or release resources without consulting the associated Midcom agent. In that event, the protocol must allow the middlebox to notify the agent.
在这种情况下,中间箱的异常情况或其他事件(资源短缺、入侵缓解)可能会导致中间箱在未咨询相关的Midcom代理的情况下关闭针孔或释放资源。在这种情况下,协议必须允许中间盒通知代理。
2.1.8.
2.1.8.
The Midcom protocol must provide for the mutual authentication of Midcom agent and middlebox to one another.
Midcom协议必须提供Midcom代理和中间盒之间的相互身份验证。
In addition for the more obvious need for the Midcom agent to authenticate itself to the middlebox, there are some attacks against the protocol which can be mitigated by having the middlebox authenticate to the agent. See [MCFW].
除了更明显地需要Midcom代理向中间箱进行身份验证之外,还存在一些针对协议的攻击,可以通过让中间箱向代理进行身份验证来缓解这些攻击。见[MCFW]。
2.1.9.
2.1.9.
The Midcom protocol must allow either the Midcom agent or the middlebox to terminate the Midcom session between a Midcom Agent and a middlebox. This allows either entity to close the session for maintenance, security, or other reasons.
Midcom协议必须允许Midcom代理或中间盒终止Midcom代理和中间盒之间的Midcom会话。这允许任一实体出于维护、安全或其他原因关闭会话。
2.1.10.
2.1.10.
A Midcom agent must be able to determine whether or not a request was successful.
Midcom代理必须能够确定请求是否成功。
This states that a middlebox must return a success or failure indication to a request made by an agent.
这表明,中间箱必须向代理发出的请求返回成功或失败指示。
2.1.11.
2.1.11.
The Midcom protocol must contain version interworking capabilities to enable subsequent extensions to support different types of middlebox and future requirements of applications not considered at this stage.
Midcom协议必须包含版本互通功能,以支持后续扩展,以支持不同类型的中间盒以及本阶段未考虑的应用程序的未来需求。
We assume that there will be later revisions of this protocol. The initial version will focus on communication with firewalls and NATs, and it is possible that the protocol will need to be modified, as support for other middlebox types is added. These version interworking capabilities may include (but are not limited to) a protocol version number.
我们假设该协议将在以后进行修订。初始版本将侧重于与防火墙和NAT的通信,并且可能需要修改协议,因为添加了对其他中间包类型的支持。这些版本互通功能可能包括(但不限于)协议版本号。
2.1.12.
2.1.12.
It must be possible to deterministically predict the behavior of the middlebox in the presence of overlapping rules.
在存在重叠规则的情况下,必须能够确定地预测中间盒的行为。
The protocol must preclude nondeterministic behavior in the case of overlapping rulesets, e.g. by ensuring that some known precedence is imposed.
在规则集重叠的情况下,协议必须排除不确定性行为,例如,通过确保施加某些已知的优先级。
2.2.1.
2.2.1.
The syntax and semantics of the Midcom protocol must be extensible to allow the requirements of future applications to be adopted.
Midcom协议的语法和语义必须是可扩展的,以允许采用未来应用程序的要求。
This is related to, but different from, the requirement for versioning support. As support for additional middlebox types is added there may be a need to add new message types.
这与版本控制支持的要求有关,但不同。随着对其他中间包类型的支持的增加,可能需要添加新的消息类型。
2.2.2.
2.2.2.
The Midcom protocol must support the ability of an agent to install a ruleset that governs multiple types of middlebox actions (e.g. firewall and NAT).
Midcom协议必须支持代理安装规则集的能力,该规则集管理多种类型的中间盒操作(例如防火墙和NAT)。
This states that a the protocol must support rules and actions for a variety of types of middleboxes. A Midcom agent ought to be able to have a single Midcom session with a middlebox and use the Midcom interface on the middlebox to interface with different middlebox functions on the same middlebox interface.
这说明协议必须支持各种类型的中间盒的规则和操作。Midcom代理应该能够与一个中间箱进行单个Midcom会话,并使用中间箱上的Midcom接口与同一中间箱接口上的不同中间箱功能进行接口。
2.2.3.
2.2.3.
The protocol must support the concept of a ruleset group comprising a multiple of individual rulesets to be treated as an aggregate.
协议必须支持规则集组的概念,该规则集组由多个单独的规则集组成,并被视为一个集合。
Applications using more than one data stream may find it more convenient and more efficient to be able to use single messages to tear down, extend, and manipulate all middlebox rulesets being used by one instance of the application.
使用多个数据流的应用程序可能会发现,能够使用单个消息来分解、扩展和操作应用程序的一个实例所使用的所有中间盒规则集更方便、更高效。
2.2.4.
2.2.4.
The protocol must allow the midcom agent to extend the lifetime of an existing ruleset that otherwise would be deleted by the middlebox.
协议必须允许midcom代理延长现有规则集的生存期,否则将被middlebox删除。
2.2.5.
2.2.5.
If a peer does not understand an option, it must be clear whether the action required is to proceed without the unknown attribute being taken into account or the request is to be rejected. Where attributes may be ignored if not understood, a means may be provided to inform the client about what has been ignored.
如果对等方不理解某个选项,则必须清楚所需操作是在不考虑未知属性的情况下继续进行,还是拒绝请求。如果不理解属性可能会被忽略,则可以提供一种方法来通知客户忽略了什么。
This states that failure modes must be robust, providing sufficient information for the agent or middlebox, to be able to accommodate the failure or to retry with a new option that is more likely to succeed.
这说明故障模式必须是健壮的,为代理或中间盒提供足够的信息,以便能够适应故障或使用更可能成功的新选项重试。
2.2.6.
2.2.6.
To enable management systems to interact with the Midcom environment, the protocol must include failure reasons that allow the Midcom Agent behavior to be modified as a result of the information contained in the reason. Failure reasons need to be chosen such that they do not make an attack on security easier.
为了使管理系统能够与Midcom环境交互,协议必须包含故障原因,允许Midcom代理行为根据原因中包含的信息进行修改。需要选择失败原因,使其不会使对安全性的攻击更容易。
2.2.7.
2.2.7.
The Midcom protocol must not preclude multiple authorized agents from working on the same ruleset.
Midcom协议不得阻止多个授权代理在同一规则集上工作。
2.2.8.
2.2.8.
The Midcom protocol must be able to carry filtering rules, including but not limited to the 5-tuple, from the midcom agent to the middlebox.
Midcom协议必须能够将过滤规则(包括但不限于5元组)从Midcom代理传送到中间盒。
By "5-tuple", we refer to the standard <source address, source port, destination address, destination port, transport protocol> tuple. Other filtering elements may be carried, as well.
通过“5元组”,我们指的是标准的<源地址、源端口、目的地址、目的端口、传输协议>元组。也可携带其他过滤元件。
2.2.9.
2.2.9.
When the middlebox performs a port mapping function, the protocol should allow the Midcom agent to request that the external port number have the same oddity as the internal port.
当中间盒执行端口映射功能时,协议应允许Midcom代理请求外部端口号与内部端口号具有相同的奇数。
This requirement is to support RTP and RTCP [RFC1889] "oddity" requirements.
此要求是为了支持RTP和RTCP[RFC1889]“古怪”要求。
2.2.10.
2.2.10.
When the middlebox performs a port mapping function, the protocol should allow the Midcom agent to request that a consecutive range of external port numbers be mapped to consecutive internal ports. This requirement is to support RTP and RTCP "sequence" requirements.
当middlebox执行端口映射功能时,协议应允许Midcom代理请求将连续范围的外部端口号映射到连续的内部端口。该要求旨在支持RTP和RTCP“顺序”要求。
2.2.11.
2.2.11.
It should be possible to define rulesets that contain a more specific filter spec than an overlapping ruleset. This should allow agents to request actions for the subset that contradict those of the overlapping set.
应该可以定义包含比重叠规则集更具体的筛选器规范的规则集。这应该允许代理请求与重叠集的操作相矛盾的子集的操作。
This should allow a Midcom agent to request to a Midcom server controlling a firewall function that a subset of the traffic that would be allowed by the overlapping ruleset be specifically disallowed.
这应该允许Midcom代理向控制防火墙功能的Midcom服务器请求明确禁止重叠规则集允许的流量子集。
2.3.1.
2.3.1.
The Midcom protocol must provide for message authentication, confidentiality, and integrity.
Midcom协议必须提供消息身份验证、机密性和完整性。
2.3.2.
2.3.2.
The Midcom protocol must allow for optional confidentiality protection of control messages. If provided, the mechanism should allow a choice in the algorithm to be used.
Midcom协议必须允许对控制消息进行可选的保密保护。如果提供,该机制应允许选择要使用的算法。
2.3.3.
2.3.3.
The Midcom protocol must operate across un-trusted domains, between the Midcom agent and middlebox in a secure fashion.
Midcom协议必须以安全的方式在Midcom代理和middlebox之间跨不受信任的域运行。
2.3.4.
2.3.4.
The Midcom protocol must define mechanisms to mitigate replay attacks on the control messages.
Midcom协议必须定义减轻对控制消息的重播攻击的机制。
The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use other technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF Secretariat.
IETF对可能声称与本文件中描述的实施或使用其他技术有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何努力来确定任何此类权利。有关IETF在标准跟踪和标准相关文件中权利的程序信息,请参见BCP-11。可从IETF秘书处获得可供发布的权利声明副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果。
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.
IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涉及实施本标准所需技术的专有权利。请将信息发送给IETF执行董事。
The security requirements for a midcom protocol are discussed in section 2.3.
第2.3节讨论了midcom协议的安全要求。
[MCFW] Srisuresh, S., Kuthan, J., Rosenberg, J., Molitor, A. and A. Rayhan, "Middlebox communication architecture and framework", RFC 3303, Date.*
[MCFW]Srisuresh,S.,Kuthan,J.,Rosenberg,J.,Molitor,A.和A.Rayhan,“中间箱通信架构和框架”,RFC 3303,日期*
[RFC1889] Schulzrinne, H., Casner, S., Frederick, R. and V. Jacobson, "RTP: A Transport Protocol for Real-Time Applications", RFC 1889, January 1996.
[RFC1889]Schulzrinne,H.,Casner,S.,Frederick,R.和V.Jacobson,“RTP:实时应用的传输协议”,RFC 1889,1996年1月。
[RFC2026] Bradner, S. "The Internet Standards Process -- Revision 3", BCP 9, RFC 2026. October 1996.
[RFC2026]Bradner,S.“互联网标准过程——第3版”,BCP 9,RFC 2026。1996年10月。
Authors' Addresses
作者地址
Richard Swale BTexact Technologies Callisto House Adastral Park Ipswich United Kingdom EMail: richard.swale@bt.com
Richard Swale BTexact Technologies Callisto House Adastral Park Ipswich英国电子邮件:Richard。swale@bt.com
Paul Sijben Lucent Technologies EMEA BV Huizen Netherlands EMail: paul.sijben@picopoint.com
Paul Sijben Lucent Technologies EMEA BV Huizen荷兰电子邮件:Paul。sijben@picopoint.com
Philip Mart Marconi Communications Ltd. Edge Lane Liverpool United Kingdom EMail: philip.mart@marconi.com
菲利普·马特·马可尼通信有限公司英国利物浦边缘巷电子邮件:菲利普。mart@marconi.com
Scott Brim Cisco Systems 146 Honness Lane Ithaca, NY 14850 EMail: sbrim@cisco.com
Scott Brim Cisco Systems 146 Honness Lane Ithaca,NY 14850电子邮件:sbrim@cisco.com
Melinda Shore Cisco Systems 809 Hayts Road Ithaca, NY 14850 EMail: mshore@cisco.com
纽约州伊萨卡海茨路809号梅林达海岸思科系统公司14850电子邮件:mshore@cisco.com
Full Copyright Statement
完整版权声明
Copyright (C) The Internet Society (2002). All Rights Reserved.
版权所有(C)互联网协会(2002年)。版权所有。
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。