Network Working Group                              G. Montenegro, Editor
Request for Comments: 2344                        Sun Microsystems, Inc.
Category: Standards Track                                       May 1998
        
Network Working Group                              G. Montenegro, Editor
Request for Comments: 2344                        Sun Microsystems, Inc.
Category: Standards Track                                       May 1998
        

Reverse Tunneling for Mobile IP

移动IP的反向隧道

Status of this Memo

本备忘录的状况

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。

Copyright Notice

版权公告

Copyright (C) The Internet Society (1998). All Rights Reserved.

版权所有(C)互联网协会(1998年)。版权所有。

Abstract

摘要

Mobile IP uses tunneling from the home agent to the mobile node's care-of address, but rarely in the reverse direction. Usually, a mobile node sends its packets through a router on the foreign network, and assumes that routing is independent of source address. When this assumption is not true, it is convenient to establish a topologically correct reverse tunnel from the care-of address to the home agent.

移动IP使用从归属代理到移动节点转交地址的隧道,但很少反向。通常,移动节点通过外部网络上的路由器发送数据包,并假定路由独立于源地址。当该假设不成立时,可以方便地建立从转交地址到归属代理的拓扑正确的反向隧道。

This document proposes backwards-compatible extensions to Mobile IP in order to support topologically correct reverse tunnels. This document does not attempt to solve the problems posed by firewalls located between the home agent and the mobile node's care-of address.

本文档建议向后兼容移动IP扩展,以支持拓扑正确的反向隧道。本文档并不试图解决位于归属代理和移动节点转交地址之间的防火墙所带来的问题。

Table of Contents

目录

   1. Introduction ................................................   2
   1.1. Terminology ...............................................   3
   1.2. Assumptions ...............................................   4
   1.3. Justification .............................................   4
   2. Overview ....................................................   4
   3. New Packet Formats ..........................................   5
   3.1. Mobility Agent Advertisement Extension ....................   5
   3.2. Registration Request ......................................   5
   3.3. Encapsulating Delivery Style Extension ....................   6
   3.4. New Registration Reply Codes ..............................   7
   4. Changes in Protocol Behavior ................................   8
   4.1. Mobile Node Considerations ................................   8
        
   1. Introduction ................................................   2
   1.1. Terminology ...............................................   3
   1.2. Assumptions ...............................................   4
   1.3. Justification .............................................   4
   2. Overview ....................................................   4
   3. New Packet Formats ..........................................   5
   3.1. Mobility Agent Advertisement Extension ....................   5
   3.2. Registration Request ......................................   5
   3.3. Encapsulating Delivery Style Extension ....................   6
   3.4. New Registration Reply Codes ..............................   7
   4. Changes in Protocol Behavior ................................   8
   4.1. Mobile Node Considerations ................................   8
        
   4.1.1. Sending Registration Requests to the Foreign Agent ......   8
   4.1.2. Receiving Registration Replies from the Foreign Agent ...   9
   4.2. Foreign Agent Considerations ..............................   9
   4.2.1. Receiving Registration Requests from the Mobile Node ...   10
   4.2.2. Relaying Registration Requests to the Home Agent .......   10
   4.3. Home Agent Considerations ................................   10
   4.3.1. Receiving Registration Requests from the Foreign Agent .   11
   4.3.2. Sending Registration Replies to the Foreign Agent ......   11
   5. Mobile Node to Foreign Agent Delivery Styles ...............   12
   5.1. Direct Delivery Style ....................................   12
   5.1.1. Packet Processing ......................................   12
   5.1.2. Packet Header Format and Fields ........................   12
   5.2. Encapsulating Delivery Style .............................   13
   5.2.1 Packet Processing .......................................   13
   5.2.2. Packet Header Format and Fields ........................   14
   5.3. Support for Broadcast and Multicast Datagrams ............   15
   5.4. Selective Reverse Tunneling ..............................   15
   6. Security Considerations ....................................   16
   6.1. Reverse-tunnel Hijacking and Denial-of-Service Attacks ...   16
   6.2. Ingress Filtering ........................................   17
   7. Acknowledgements ...........................................   17
   References ....................................................   17
   Editor and Chair Addresses ....................................   18
   Full Copyright Statement ......................................   19
        
   4.1.1. Sending Registration Requests to the Foreign Agent ......   8
   4.1.2. Receiving Registration Replies from the Foreign Agent ...   9
   4.2. Foreign Agent Considerations ..............................   9
   4.2.1. Receiving Registration Requests from the Mobile Node ...   10
   4.2.2. Relaying Registration Requests to the Home Agent .......   10
   4.3. Home Agent Considerations ................................   10
   4.3.1. Receiving Registration Requests from the Foreign Agent .   11
   4.3.2. Sending Registration Replies to the Foreign Agent ......   11
   5. Mobile Node to Foreign Agent Delivery Styles ...............   12
   5.1. Direct Delivery Style ....................................   12
   5.1.1. Packet Processing ......................................   12
   5.1.2. Packet Header Format and Fields ........................   12
   5.2. Encapsulating Delivery Style .............................   13
   5.2.1 Packet Processing .......................................   13
   5.2.2. Packet Header Format and Fields ........................   14
   5.3. Support for Broadcast and Multicast Datagrams ............   15
   5.4. Selective Reverse Tunneling ..............................   15
   6. Security Considerations ....................................   16
   6.1. Reverse-tunnel Hijacking and Denial-of-Service Attacks ...   16
   6.2. Ingress Filtering ........................................   17
   7. Acknowledgements ...........................................   17
   References ....................................................   17
   Editor and Chair Addresses ....................................   18
   Full Copyright Statement ......................................   19
        
1. Introduction
1. 介绍

Section 1.3 of the Mobile IP specification [1] lists the following assumption:

移动IP规范[1]第1.3节列出了以下假设:

It is assumed that IP unicast datagrams are routed based on the destination address in the datagram header (i.e., not by source address).

假设IP单播数据报是基于数据报报头中的目的地地址(即,不是通过源地址)路由的。

Because of security concerns (for example, IP spoofing attacks), and in accordance with RFC 2267 [8] and CERT [3] advisories to this effect, routers that break this assumption are increasingly more common.

出于安全考虑(例如,IP欺骗攻击),根据RFC 2267[8]和CERT[3]的建议,打破这一假设的路由器越来越常见。

In the presence of such routers, the source and destination IP address in a packet must be topologically correct. The forward tunnel complies with this, as its endpoints (home agent address and care-of address) are properly assigned addresses for their respective locations. On the other hand, the source IP address of a packet transmitted by the mobile node does not correspond to the network prefix from where it emanates.

在存在此类路由器的情况下,数据包中的源和目标IP地址必须在拓扑上正确。转发隧道符合这一点,因为其端点(归属代理地址和转交地址)是为其各自位置正确分配的地址。另一方面,由移动节点发送的分组的源IP地址不对应于其发出的网络前缀。

This document discusses topologically correct reverse tunnels.

本文档讨论拓扑正确的反向隧道。

Mobile IP does dictate the use of reverse tunnels in the context of multicast datagram routing and mobile routers. However, the source IP address is set to the mobile node's home address, so these tunnels are not topologically correct.

移动IP确实规定了在多播数据报路由和移动路由器的上下文中使用反向隧道。但是,源IP地址设置为移动节点的主地址,因此这些隧道在拓扑上不正确。

Notice that there are several uses for reverse tunnels regardless of their topological correctness:

请注意,反向隧道有多种用途,无论其拓扑正确性如何:

- Mobile routers: reverse tunnels obviate the need for recursive tunneling [1].

- 移动路由器:反向隧道消除了递归隧道的需要[1]。

- Multicast: reverse tunnels enable a mobile node away from home to (1) join multicast groups in its home network, and (2) transmit multicast packets such that they emanate from its home network [1].

- 多播:反向隧道使远离家乡的移动节点能够(1)加入其家庭网络中的多播组,以及(2)传输多播数据包,以便它们从其家庭网络发出[1]。

- The TTL of packets sent by the mobile node (for example, when sending packets to other hosts in its home network) may be so low that they might expire before reaching their destination. A reverse tunnel solves the problem as it represents a TTL decrement of one [5].

- 由移动节点发送的分组的TTL(例如,当向其家庭网络中的其他主机发送分组时)可能很低,以至于它们可能在到达目的地之前过期。反向隧道解决了这个问题,因为它表示TTL减量为1[5]。

1.1. Terminology
1.1. 术语

The discussion below uses terms defined in the Mobile IP specification. Additionally, it uses the following terms:

下面的讨论使用了移动IP规范中定义的术语。此外,它还使用以下术语:

Forward Tunnel

前方隧道

A tunnel that shuttles packets towards the mobile node. It starts at the home agent, and ends at the mobile node's care-of address.

将数据包传送到移动节点的隧道。它从归属代理开始,在移动节点的转交地址结束。

Reverse Tunnel

反向隧道

A tunnel that starts at the mobile node's care-of address and terminates at the home agent.

从移动节点的转交地址开始并在归属代理处终止的隧道。

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [9].

本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照RFC 2119[9]中所述进行解释。

1.2. Assumptions
1.2. 假设

Mobility is constrained to a common IP address space (that is, the routing fabric between, say, the mobile node and the home agent is not partitioned into a "private" and a "public" network).

移动性受限于公共IP地址空间(即,例如,移动节点和归属代理之间的路由结构未划分为“专用”和“公用”网络)。

This document does not attempt to solve the firewall traversal problem. Rather, it assumes one of the following is true:

本文档并不试图解决防火墙穿越问题。相反,它假设以下情况之一为真:

- There are no intervening firewalls along the path of the tunneled packets.

- 在隧道数据包的路径上没有中间防火墙。

- Any intervening firewalls share the security association necessary to process any authentication [6] or encryption [7] headers which may have been added to the tunneled packets.

- 任何介入防火墙共享处理可能已添加到隧道数据包的任何身份验证[6]或加密[7]头所需的安全关联。

The reverse tunnels considered here are symmetric, that is, they use the same configuration (encapsulation method, IP address endpoints) as the forward tunnel. IP in IP encapsulation [2] is assumed unless stated otherwise.

这里考虑的反向隧道是对称的,也就是说,它们使用与正向隧道相同的配置(封装方法、IP地址端点)。除非另有说明,否则假定IP封装[2]中的IP。

Route optimization [4] introduces forward tunnels initiated at a correspondent host. Since a mobile node may not know if the correspondent host can decapsulate packets, reverse tunnels in that context are not discussed here.

路由优化[4]引入了在对应主机上启动的前向隧道。由于移动节点可能不知道对应主机是否可以解除分组封装,因此在此不讨论该上下文中的反向隧道。

1.3. Justification
1.3. 正当理由

Why not let the mobile node itself initiate the tunnel to the home agent? This is indeed what it should do if it is already operating with a topologically correct co-located care-of address.

为什么不让移动节点本身启动到归属代理的隧道?这确实是它应该做的,如果它已经使用一个拓扑正确的同一位置的转交地址运行。

However, one of the primary objectives of the Mobile IP specification is not to require this mode of operation.

然而,移动IP规范的主要目标之一是不需要这种操作模式。

The mechanisms outlined in this document are primarily intended for use by mobile nodes that rely on the foreign agent for forward tunnel support. It is desirable to continue supporting these mobile nodes, even in the presence of filtering routers.

本文档中概述的机制主要用于依赖外部代理进行前向隧道支持的移动节点。希望继续支持这些移动节点,即使存在过滤路由器。

2. Overview
2. 概述

A mobile node arrives at a foreign network, listens for agent advertisements and selects a foreign agent that supports reverse tunnels. It requests this service when it registers through the selected foreign agent. At this time, and depending on how the

移动节点到达外部网络,侦听代理播发并选择支持反向隧道的外部代理。它通过选定的外部代理注册时请求此服务。此时,取决于

mobile node wishes to deliver packets to the foreign agent, it also requests either the Direct or the Encapsulating Delivery Style (section 5).

移动节点希望将数据包传递给外部代理,它还请求直接传递或封装传递样式(第5节)。

In the Direct Delivery Style, the mobile node designates the foreign agent as its default router and proceeds to send packets directly to the foreign agent, that is, without encapsulation. The foreign agent intercepts them, and tunnels them to the home agent.

在直接传递样式中,移动节点将外部代理指定为其默认路由器,并继续直接向外部代理发送数据包,即不进行封装。外国特工截获了他们,并通过隧道将他们交给本国特工。

In the Encapsulating Delivery Style, the mobile node encapsulates all its outgoing packets to the foreign agent. The foreign agent decapsulates and re-tunnels them to the home agent, using the foreign agent's care-of address as the entry-point of this new tunnel.

在封装传递样式中,移动节点将其所有传出数据包封装到外部代理。外国代理使用外国代理的转交地址作为此新隧道的入口点,将其解封并重新隧道至本国代理。

3. New Packet Formats
3. 新的数据包格式
3.1. Mobility Agent Advertisement Extension
3.1. 移动代理广告扩展
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |        Sequence Number        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Lifetime            |R|B|H|F|M|G|V|T|  reserved     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                  zero or more Care-of Addresses               |
   |                              ...                              |
        
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |        Sequence Number        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Lifetime            |R|B|H|F|M|G|V|T|  reserved     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                  zero or more Care-of Addresses               |
   |                              ...                              |
        

The only change to the Mobility Agent Advertisement Extension [1] is the additional 'T' bit:

Mobility Agent广告扩展[1]的唯一更改是附加的“T”位:

T Agent offers reverse tunneling service.

T代理提供反向隧道服务。

A foreign agent that sets the 'T' bit MUST support the two delivery styles currently supported: Direct and Encapsulating Delivery Style (section 5).

设置“T”位的外部代理必须支持当前支持的两种交付样式:直接交付样式和封装交付样式(第5节)。

Using this information, a mobile node is able to choose a foreign agent that supports reverse tunnels. Notice that if a mobile node does not understand this bit, it simply ignores it as per [1].

使用此信息,移动节点能够选择支持反向隧道的外部代理。请注意,如果移动节点不理解该位,它将根据[1]忽略该位。

3.2. Registration Request
3.2. 注册申请

Reverse tunneling support is added directly into the Registration Request by using one of the "rsvd" bits. If a foreign or home agent that does not support reverse tunnels receives a request with the 'T' bit set, the Registration Request fails. This results in a registration denial (failure codes are specified in section 3.4).

反向隧道支持通过使用“rsvd”位之一直接添加到注册请求中。如果不支持反向隧道的外国或本国代理接收到设置了“T”位的请求,则注册请求失败。这将导致注册被拒绝(第3.4节规定了故障代码)。

Most home agents would not object to providing reverse tunnel support, because they "SHOULD be able to decapsulate and further deliver packets addressed to themselves, sent by a mobile node" [1]. In the case of topologically correct reverse tunnels, the packets are not sent by the mobile node as distinguished by its home address. Rather, the outermost (encapsulating) IP source address on such datagrams is the care-of address of the mobile node. Nevertheless, home agents probably already support the required decapsulation and further forwarding.

大多数家庭代理不会反对提供反向隧道支持,因为他们“应该能够解除封装,并进一步传递由移动节点发送给自己的数据包”[1]。在拓扑正确的反向隧道的情况下,分组不是由移动节点发送的,因为移动节点通过其归属地址进行区分。相反,这种数据报上最外层(封装)的IP源地址是移动节点的转交地址。然而,家庭代理可能已经支持所需的去封装和进一步转发。

In Registration Requests sent by a mobile node, the Time to Live field in the IP header MUST be set to 255. This limits a denial of service attack in which malicious hosts send false Registration Requests (see Section 6).

在移动节点发送的注册请求中,IP头中的生存时间字段必须设置为255。这限制了恶意主机发送虚假注册请求的拒绝服务攻击(请参阅第6节)。

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |S|B|D|M|G|V|T|-|          Lifetime             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          Home Address                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           Home Agent                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Care-of Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         Identification                        |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Extensions ...
   +-+-+-+-+-+-+-+-
        
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |S|B|D|M|G|V|T|-|          Lifetime             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          Home Address                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           Home Agent                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Care-of Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         Identification                        |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Extensions ...
   +-+-+-+-+-+-+-+-
        

The only change to the Registration Request packet is the additional 'T' bit:

对注册请求数据包的唯一更改是附加的“T”位:

T If the 'T' bit is set, the mobile node asks its home agent to accept a reverse tunnel from the care-of address. Mobile nodes using a foreign agent care-of address ask the foreign agent to reverse-tunnel its packets.

T如果设置了“T”位,则移动节点要求其归属代理接受来自转交地址的反向隧道。使用外部代理转交地址的移动节点要求外部代理反向隧道其数据包。

3.3. Encapsulating Delivery Style Extension
3.3. 封装交付样式扩展

The Encapsulating Delivery Style Extension MAY be included by the mobile node in registration requests to further specify reverse tunneling behavior. It is expected to be used only by the foreign agent. Accordingly, the foreign agent MUST consume this extension (that is, it must not relay it to the home agent or include it in

移动节点可以在注册请求中包括封装传递样式扩展,以进一步指定反向隧道行为。预计只能由外国代理商使用。因此,外国代理必须使用此扩展(即,不得将其转发给本国代理或将其包含在本地代理中)

replies to the mobile node). As per Section 3.6.1.3 of [1], the mobile node MUST include the Encapsulating Delivery Style Extension after the Mobile-Home Authentication Extension, and before the Mobile-Foreign Authentication Extension, if present.

对移动节点的回复)。根据[1]的第3.6.1.3节,移动节点必须在移动归属认证扩展之后、移动外部认证扩展之前(如果存在)包含封装交付样式扩展。

The Encapsulating Delivery Style Extension MUST NOT be included if the 'T' bit is not set in the Registration Request.

如果在注册请求中未设置“T”位,则封装传递样式扩展不得包括在内。

If this extension is absent, Direct Delivery is assumed. Encapsulation is done according to what was negotiated for the forward tunnel (that is, IP in IP is assumed unless specified otherwise). For more details on the delivery styles, please refer to section 5.

如果没有此扩展,则假定直接交付。封装是根据为转发隧道协商的内容进行的(即,除非另有规定,否则假定IP中的IP)。有关交付样式的更多详细信息,请参阅第5节。

    0                   1
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |     Length    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        
    0                   1
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |     Length    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        

Type

类型

130

130

Length

0

0

3.4. New Registration Reply Codes
3.4. 新注册回复码

Foreign and home agent registration replies MUST convey if the reverse tunnel request failed. These new reply codes are defined:

如果反向隧道请求失败,外国和本国代理注册回复必须传达。这些新的回复代码定义如下:

Service denied by the foreign agent:

外国代理拒绝的服务:

74 requested reverse tunnel unavailable 75 reverse tunnel is mandatory and 'T' bit not set 76 mobile node too distant

74请求的反向通道不可用75反向通道是必需的,且“T”位未设置76移动节点太远

and

Service denied by the home agent:

本地代理拒绝的服务:

137 requested reverse tunnel unavailable 138 reverse tunnel is mandatory and 'T' bit not set 139 requested encapsulation unavailable

137请求的反向通道不可用138反向通道是必需的且未设置“T”位139请求的封装不可用

In response to a Registration Request with the 'T' bit set, mobile nodes may receive (and MUST accept) code 70 (poorly formed request) from foreign agents and code 134 (poorly formed request) from home agents. However, foreign and home agents that support reverse tunneling MUST use codes 74 and 137, respectively.

响应于设置了“T”位的注册请求,移动节点可以从外部代理接收(并且必须接受)代码70(格式不良的请求),从本地代理接收(并且必须接受)代码134(格式不良的请求)。但是,支持反向隧道的外国和本国代理必须分别使用代码74和137。

Absence of the 'T' bit in a Registration Request MAY elicit denials with codes 75 and 138 at the foreign agent and the home agent, respectively.

注册请求中缺少“T”位可能导致外国代理和本国代理分别拒绝代码为75和138的申请。

Forward and reverse tunnels are symmetric, that is, both are able to use the same tunneling options negotiated at registration. This implies that the home agent MUST deny registrations if an unsupported form of tunneling is requested (code 139). Notice that Mobile IP [1] already defines the analogous failure code 72 for use by the foreign agent.

正向和反向隧道是对称的,也就是说,两者都能够使用注册时协商的相同隧道选项。这意味着,如果请求不受支持的隧道形式,则归属代理必须拒绝注册(代码139)。请注意,移动IP[1]已经定义了类似的故障代码72,以供外部代理使用。

4. Changes in Protocol Behavior
4. 协议行为的变化

Unless otherwise specified, behavior specified by Mobile IP [1] is assumed. In particular, if any two entities share a mobility security association, they MUST use the appropriate Authentication Extension (Mobile-Foreign, Foreign-Home or Mobile-Home Authentication Extension) when exchanging registration protocol datagrams. The Mobile-Home Authentication Extension MUST always be present.

除非另有规定,否则假定移动IP[1]规定的行为。特别是,如果任何两个实体共享移动安全关联,则它们在交换注册协议数据报时必须使用适当的身份验证扩展(移动外部、外部家庭或移动家庭身份验证扩展)。移动家庭身份验证扩展必须始终存在。

Reverse tunneling imposes additional protocol processing requirements on mobile entities. Differences in protocol behavior with respect to Mobile IP [1] are specified in the subsequent sections.

反向隧道对移动实体提出了额外的协议处理要求。关于移动IP[1]的协议行为差异在后续章节中有详细说明。

4.1. Mobile Node Considerations
4.1. 移动节点注意事项

This section describes how the mobile node handles registrations that request a reverse tunnel.

本节描述移动节点如何处理请求反向隧道的注册。

4.1.1. Sending Registration Requests to the Foreign Agent
4.1.1. 向外国代理发送注册请求

In addition to the considerations in [1], a mobile node sets the 'T' bit in its Registration Request to petition a reverse tunnel.

除了[1]中的注意事项外,移动节点在其注册请求中设置“T”位以请求反向隧道。

The mobile node MUST set the TTL field of the IP header to 255. This is meant to limit the reverse tunnel hijacking attack (Section 6).

移动节点必须将IP头的TTL字段设置为255。这是为了限制反向隧道劫持攻击(第6节)。

The mobile node MAY optionally include an Encapsulating Delivery Style Extension.

移动节点可任选地包括封装递送样式扩展。

4.1.2. Receiving Registration Replies from the Foreign Agent
4.1.2. 接收外国代理的注册回复

Possible valid responses are:

可能的有效答复如下:

- A registration denial issued by either the home agent or the foreign agent:

- 由本国代理或外国代理签发的注册拒绝:

a. The mobile node follows the error checking guidelines in [1], and depending on the reply code, MAY try modifying the registration request (for example, by eliminating the request for alternate forms of encapsulation), and issuing a new registration.

a. 移动节点遵循[1]中的错误检查准则,并且根据回复代码,可以尝试修改注册请求(例如,通过消除对替代封装形式的请求),并发布新的注册。

b. Depending on the reply code, the mobile node MAY try zeroing the 'T' bit, eliminating the Encapsulating Delivery Style Extension (if one was present), and issuing a new registration. Notice that after doing so the registration may succeed, but due to the lack of a reverse tunnel data transfer may not be possible.

b. 根据回复代码,移动节点可能会尝试将“T”位归零,消除封装传递样式扩展(如果存在),并发出新的注册。请注意,这样做后,注册可能会成功,但由于缺少反向通道,可能无法进行数据传输。

- The home agent returns a Registration Reply indicating that the service will be provided.

- 归属代理返回一个注册回复,指示将提供该服务。

In this last case, the mobile node has succeeded in establishing a reverse tunnel between its care-of address and its home agent. If the mobile node is operating with a co-located care-of address, it MAY encapsulate outgoing data such that the destination address of the outer header is the home agent. This ability to selectively reverse-tunnel packets is discussed further in section 5.4.

在最后一种情况下,移动节点成功地在其转交地址和其归属代理之间建立了反向隧道。如果移动节点使用共同定位的转交地址操作,则其可以封装传出数据,使得外部报头的目的地地址是归属代理。第5.4节将进一步讨论选择性反转隧道数据包的能力。

If the care-of address belongs to a separate foreign agent, the mobile node MUST employ whatever delivery style was requested (Direct or Encapsulating) and proceed as specified in section 5.

如果转交地址属于单独的外部代理,则移动节点必须采用所请求的任何交付方式(直接或封装),并按照第5节的规定进行处理。

A successful registration reply is an assurance that both the foreign agent and the home agent support whatever alternate forms of encapsulation (other than IP in IP) were requested. Accordingly, the mobile node MAY use them at its discretion.

成功的注册回复保证了外国代理和本国代理都支持所请求的任何其他封装形式(IP中的IP除外)。因此,移动节点可自行决定使用它们。

4.2. Foreign Agent Considerations
4.2. 外国代理人的考虑

This section describes how the foreign agent handles registrations that request a reverse tunnel.

本节描述外部代理如何处理请求反向隧道的注册。

4.2.1. Receiving Registration Requests from the Mobile Node
4.2.1. 从移动节点接收注册请求

A foreign agent that receives a Registration Request with the 'T' bit set processes the packet as specified in the Mobile IP specification [1], and determines whether it can accomodate the forward tunnel request. If it cannot, it returns an appropriate code. In particular, if the foreign agent is unable to support the requested form of encapsulation it MUST return code 72.

接收具有“T”位集的注册请求的外部代理按照移动IP规范[1]中的规定处理数据包,并确定其是否能够容纳前向隧道请求。如果不能,则返回相应的代码。特别是,如果外部代理无法支持请求的封装形式,它必须返回代码72。

The foreign agent MAY reject Registration Requests without the 'T' bit set by denying them with code 75 (reverse tunnel is mandatory and 'T' bit not set).

外国代理可以通过代码75拒绝未设置“T”位的注册请求(反向隧道是强制性的,未设置“T”位)。

The foreign agent MUST verify that the TTL field of the IP header is set to 255. Otherwise, it MUST reject the registration with code 76 (mobile node too distant). The foreign agent MUST limit the rate at which it sends these registration replies to a maximum of one per second.

外部代理必须验证IP标头的TTL字段是否设置为255。否则,它必须拒绝代码为76的注册(移动节点太远)。外国代理必须将其发送这些注册回复的速率限制为每秒最多一次。

As a last check, the foreign agent verifies that it can support a reverse tunnel with the same configuration. If it cannot, it MUST return a Registration Reply denying the request with code 74 (requested reverse tunnel unavailable).

作为最后一项检查,外部代理验证它是否可以支持具有相同配置的反向隧道。如果不能,则必须返回注册回复,拒绝代码为74的请求(请求的反向隧道不可用)。

4.2.2. Relaying Registration Requests to the Home Agent
4.2.2. 将注册请求转发给Home Agent

Otherwise, the foreign agent MUST relay the Registration Request to the home agent.

否则,外国代理必须将注册请求转发给本国代理。

Upon receipt of a Registration Reply that satisfies validity checks, the foreign agent MUST update its visitor list, including indication that this mobile node has been granted a reverse tunnel and the delivery style expected (section 5).

在收到满足有效性检查的注册回复后,外国代理必须更新其访客列表,包括该移动节点已被授予反向隧道和预期交付方式的指示(第5节)。

While this visitor list entry is in effect, the foreign agent MUST process incoming traffic according to the delivery style, encapsulate it and tunnel it from the care-of address to the home agent's address.

当此访客列表条目生效时,外国代理必须根据交付样式处理传入流量,将其封装并将其从转交地址传输到本国代理的地址。

4.3. Home Agent Considerations
4.3. 国内代理考虑事项

This section describes how the home agent handles registrations that request a reverse tunnel.

本节描述归属代理如何处理请求反向隧道的注册。

4.3.1. Receiving Registration Requests from the Foreign Agent
4.3.1. 接收外国代理的注册请求

A home agent that receives a Registration Request with the 'T' bit set processes the packet as specified in the Mobile IP specification [1] and determines whether it can accomodate the forward tunnel request. If it cannot, it returns an appropriate code. In particular, if the home agent is unable to support the requested form of encapsulation it MUST return code 139 (requested encapsulation unavailable).

接收具有“T”位集的注册请求的归属代理按照移动IP规范[1]中的规定处理分组,并确定其是否能够容纳前向隧道请求。如果不能,则返回相应的代码。特别是,如果归属代理无法支持请求的封装形式,它必须返回代码139(请求的封装不可用)。

The home agent MAY reject registration requests without the 'T' bit set by denying them with code 138 (reverse tunnel is mandatory and ' T' bit not set).

归属代理可以通过使用代码138拒绝未设置“T”位的注册请求(反向隧道是强制性的,未设置“T”位)。

As a last check, the home agent determines whether it can support a reverse tunnel with the same configuration as the forward tunnel. If it cannot, it MUST send back a registration denial with code 137 (requested reverse tunnel unavailable).

作为最后一项检查,归属代理确定它是否可以支持与前向隧道具有相同配置的反向隧道。如果不能,则必须发回代码为137的注册拒绝(请求的反向隧道不可用)。

Upon receipt of a Registration Reply that satisfies validity checks, the home agent MUST update its mobility bindings list to indicate that this mobile node has been granted a reverse tunnel and the type of encapsulation expected.

在收到满足有效性检查的注册回复后,归属代理必须更新其移动绑定列表,以指示此移动节点已被授予反向隧道和预期的封装类型。

4.3.2. Sending Registration Replies to the Foreign Agent
4.3.2. 向外国代理发送注册回复

In response to a valid Registration Request, a home agent MUST issue a Registration Reply to the mobile node.

为了响应有效的注册请求,归属代理必须向移动节点发出注册回复。

After a successful registration, the home agent may receive encapsulated packets addressed to itself. Decapsulating such packets and blindly injecting them into the network is a potential security weakness (section 6.1). Accordingly, the home agent MUST implement, and, by default, SHOULD enable the following check for encapsulated packets addressed to itself:

在成功注册之后,归属代理可以接收寻址到自身的封装包。将此类数据包解封并将其盲目注入网络是一个潜在的安全弱点(第6.1节)。因此,归属代理必须实现,并且在默认情况下,应该启用以下针对寻址到自身的封装数据包的检查:

The home agent searches for a mobility binding whose care-of address is the source of the outer header, and whose mobile node address is the source of the inner header.

归属代理搜索其转交地址是外部报头的源并且其移动节点地址是内部报头的源的移动绑定。

If no such binding is found, or if the packet uses an encapsulation mechanism that was not negotiated at registration the home agent MUST silently discard the packet and SHOULD log the event as a security exception.

如果未找到此类绑定,或者如果数据包使用在注册时未协商的封装机制,则归属代理必须悄悄地丢弃该数据包,并应将该事件记录为安全异常。

Home agents that terminate tunnels unrelated to Mobile IP (for example, multicast tunnels) MAY turn off the above check, but this practice is discouraged for the aforementioned reasons.

终止与移动IP无关的隧道(例如,多播隧道)的归属代理可能会关闭上述检查,但出于上述原因,不鼓励这种做法。

While the registration is in effect, a home agent MUST process each valid reverse tunneled packet (as determined by checks like the above) by decapsulating it, recovering the original packet, and then forwarding it on behalf of its sender (the mobile node) to the destination address (the correspondent host).

当注册生效时,归属代理必须处理每个有效的反向隧道数据包(由上述检查确定),方法是将其解封,恢复原始数据包,然后代表其发送方(移动节点)将其转发到目标地址(对应主机)。

5. Mobile Node to Foreign Agent Delivery Styles
5. 移动节点到外部代理的交付方式

This section specifies how the mobile node sends its data traffic via the foreign agent. In all cases, the mobile node learns the foreign agent's link-layer address from the link-layer header in the agent advertisement.

本节指定移动节点如何通过外部代理发送其数据流量。在所有情况下,移动节点从代理广告中的链路层报头学习外部代理的链路层地址。

5.1. Direct Delivery Style
5.1. 直接交付方式

This delivery mechanism is very simple to implement at the mobile node, and uses small (non-encapsulated) packets on the link between the mobile node and the foreign agent (potentially a very slow link). However, it only supports reverse-tunneling of unicast packets, and does not allow selective reverse tunneling (section 5.4).

这种传递机制非常容易在移动节点上实现,并且在移动节点和外部代理(可能是非常慢的链路)之间的链路上使用小的(非封装的)数据包。但是,它只支持单播数据包的反向隧道,不允许选择性反向隧道(第5.4节)。

5.1.1. Packet Processing
5.1.1. 数据包处理

The mobile node MUST designate the foreign agent as its default router. Not doing so will not guarantee encapsulation of all the mobile node's outgoing traffic, and defeats the purpose of the reverse tunnel. The foreign agent MUST:

移动节点必须将外部代理指定为其默认路由器。不这样做将不能保证封装所有移动节点的传出流量,并破坏反向隧道的目的。外国代理人必须:

- detect packets sent by the mobile node, and

- 检测由移动节点发送的分组,以及

- modify its forwarding function to encapsulate them before forwarding.

- 修改其转发功能,以便在转发前对其进行封装。

5.1.2. Packet Header Format and Fields
5.1.2. 数据包头格式和字段

This section shows the format of the packet headers used by the Direct Delivery style. The formats shown assume IP in IP encapsulation [2].

本节显示直接传递样式使用的数据包头的格式。所示格式假定IP封装中的IP[2]。

Packet format received by the foreign agent (Direct Delivery Style):

国外代理收到的数据包格式(直接交付方式):

IP fields: Source Address = mobile node's home address Destination Address = correspondent host's address Upper Layer Protocol

IP字段:源地址=移动节点的家庭地址目标地址=对应主机的地址上层协议

Packet format forwarded by the foreign agent (Direct Delivery Style):

外部代理转发的数据包格式(直接交付方式):

IP fields (encapsulating header): Source Address = foreign agent's care-of address Destination Address = home agent's address Protocol field: 4 (IP in IP) IP fields (original header): Source Address = mobile node's home address Destination Address = correspondent host's address Upper Layer Protocol

IP字段(封装标头):源地址=外部代理的转交地址目标地址=归属代理的地址协议字段:4(IP中的IP)IP字段(原始标头):源地址=移动节点的归属地址目标地址=对应主机的地址上层协议

These fields of the encapsulating header MUST be chosen as follows:

封装标头的这些字段必须按如下方式选择:

IP Source Address

IP源地址

Copied from the Care-of Address field within the Registration Request.

从注册请求中的转交地址字段复制。

IP Destination Address

IP目的地址

Copied from the Home Agent field within the Registration Request.

从注册请求中的Home Agent字段复制。

IP Protocol Field

IP协议字段

Default is 4 (IP in IP [2]), but other methods of encapsulation MAY be used as negotiated at registration time.

默认值为4(IP中的IP[2]),但在注册时可以使用协商的其他封装方法。

5.2. Encapsulating Delivery Style
5.2. 封装交付方式

This mechanism requires that the mobile node implement encapsulation, and explicitly directs packets at the foreign agent by designating it as the destination address in a new outermost header. Mobile nodes that wish to send either broadcast or multicast packets MUST use the Encapsulating Delivery Style.

该机制要求移动节点实现封装,并通过在新的最外层报头中将数据包指定为目标地址,显式地将数据包定向到外部代理。希望发送广播或多播数据包的移动节点必须使用封装传递样式。

5.2.1 Packet Processing
5.2.1 数据包处理

The foreign agent does not modify its forwarding function. Rather, it receives an encapsulated packet and after verifying that it was sent by the mobile node, it:

外部代理不修改其转发功能。相反,它接收封装的分组,并且在验证它是由移动节点发送的之后,它:

- decapsulates to recover the inner packet,

- 解除封装以恢复内部数据包,

- re-encapsulates, and sends it to the home agent.

- 重新封装,并将其发送给home agent。

If a foreign agent receives an un-encapsulated packet from a mobile node which had explicitly requested the Encapsulated Delivery Style, then the foreign agent MUST NOT reverse tunnel such a packet and rather MUST forward it using standard, IP routing mechanisms.

如果外部代理从已明确请求封装传递样式的移动节点接收到未封装的数据包,则外部代理不得反向隧道这样的数据包,而必须使用标准的IP路由机制转发它。

5.2.2. Packet Header Format and Fields
5.2.2. 数据包头格式和字段

This section shows the format of the packet headers used by the Encapsulating Delivery style. The formats shown assume IP in IP encapsulation [2].

本节显示封装传递样式使用的数据包头的格式。所示格式假定IP封装中的IP[2]。

Packet format received by the foreign agent (Encapsulating Delivery Style):

外部代理接收的数据包格式(封装交付样式):

IP fields (encapsulating header): Source Address = mobile node's home address Destination Address = foreign agent's address Protocol field: 4 (IP in IP) IP fields (original header): Source Address = mobile node's home address Destination Address = correspondent host's address Upper Layer Protocol

IP字段(封装标头):源地址=移动节点的家庭地址目标地址=外部代理的地址协议字段:4(IP中的IP)IP字段(原始标头):源地址=移动节点的家庭地址目标地址=对应主机的地址上层协议

The fields of the encapsulating IP header MUST be chosen as follows:

封装IP报头的字段必须选择如下:

IP Source Address

IP源地址

The mobile node's home address.

移动节点的主地址。

IP Destination Address

IP目的地址

The address of the agent as learned from the IP source address of the agent's most recent registration reply.

从代理最近的注册回复的IP源地址得知的代理地址。

IP Protocol Field

IP协议字段

Default is 4 (IP in IP [2]), but other methods of encapsulation MAY be used as negotiated at registration time.

默认值为4(IP中的IP[2]),但在注册时可以使用协商的其他封装方法。

Packet format forwarded by the foreign agent (Encapsulating Delivery Style):

外部代理转发的数据包格式(封装交付样式):

IP fields (encapsulating header): Source Address = foreign agent's care-of address Destination Address = home agent's address Protocol field: 4 (IP in IP) IP fields (original header): Source Address = mobile node's home address Destination Address = correspondent host's address Upper Layer Protocol

IP字段(封装标头):源地址=外部代理的转交地址目标地址=归属代理的地址协议字段:4(IP中的IP)IP字段(原始标头):源地址=移动节点的归属地址目标地址=对应主机的地址上层协议

These fields of the encapsulating IP header MUST be chosen as follows:

封装IP报头的这些字段必须按如下方式选择:

IP Source Address

IP源地址

Copied from the Care-of Address field within the Registration Request.

从注册请求中的转交地址字段复制。

IP Destination Address

IP目的地址

Copied from the Home Agent field within the Registration Request.

从注册请求中的Home Agent字段复制。

IP Protocol Field

IP协议字段

Default is 4 (IP in IP [2]), but other methods of encapsulation MAY be used as negotiated at registration time.

默认值为4(IP中的IP[2]),但在注册时可以使用协商的其他封装方法。

5.3. Support for Broadcast and Multicast Datagrams
5.3. 支持广播和多播数据报

If a mobile node is operating with a co-located care-of address, broadcast and multicast datagrams are handled according to Sections 4.3 and 4.4 of the Mobile IP specification [1]. Mobile nodes using a foreign agent care-of address MAY have their broadcast and multicast datagrams reverse-tunneled by the foreign agent. However, any mobile nodes doing so MUST use the encapsulating delivery style.

如果移动节点使用同一位置的转交地址运行,则根据移动IP规范[1]第4.3节和第4.4节处理广播和多播数据报。使用外部代理转交地址的移动节点可以由外部代理对其广播和多播数据报进行反向隧道传输。但是,任何这样做的移动节点都必须使用封装传递样式。

This delivers the datagram only to the foreign agent. The latter decapsulates it and then processes it as any other packet from the mobile node, namely, by reverse tunneling it to the home agent.

这只将数据报传递给外部代理。后者将其解封,然后将其作为来自移动节点的任何其他数据包进行处理,即通过反向隧道将其传输到归属代理。

5.4. Selective Reverse Tunneling
5.4. 选择性反向隧穿

Packets destined to local resources (for example, a nearby printer) might be unaffected by ingress filtering. A mobile node with a co-located care-of address MAY optimize delivery of these packets by not reverse tunneling them. On the other hand, a mobile node using a foreign agent care-of address MAY use this selective reverse tunneling capability by requesting the Encapsulating Delivery Style, and following these guidelines:

发送到本地资源(例如,附近的打印机)的数据包可能不受入口过滤的影响。具有共同定位的转交地址的移动节点可以通过不反向隧道它们来优化这些分组的递送。另一方面,使用外部代理转交地址的移动节点可以通过请求封装交付样式并遵循以下准则来使用该选择性反向隧道功能:

Packets NOT meant to be reversed tunneled:

不打算反向隧道传输的数据包:

Sent using the Direct Delivery style. The foreign agent MUST process these packets as regular traffic: they MAY be forwarded but MUST NOT be reverse tunneled to the home agent.

使用直接送达方式发送。外部代理必须将这些数据包作为常规通信进行处理:它们可以被转发,但不能反向隧道到本地代理。

Packets meant to be reverse tunneled:

要反向隧道的数据包:

Sent using the Encapsulating Delivery style. The foreign agent MUST process these packets as specified in section 5.2: they MUST be reverse tunneled to the home agent.

使用封装传递样式发送。外部代理必须按照第5.2节的规定处理这些数据包:它们必须通过反向隧道传输到本地代理。

6. Security Considerations
6. 安全考虑

The extensions outlined in this document are subject to the security considerations outlined in the Mobile IP specification [1]. Essentially, creation of both forward and reverse tunnels involves an authentication procedure, which reduces the risk for attack.

本文档中概述的扩展受移动IP规范[1]中概述的安全注意事项的约束。本质上,创建正向和反向隧道都涉及身份验证过程,从而降低了攻击风险。

6.1. Reverse-tunnel Hijacking and Denial-of-Service Attacks
6.1. 反向隧道劫持和拒绝服务攻击

Once the tunnel is set up, a malicious node could hijack it to inject packets into the network. Reverse tunnels might exacerbate this problem, because upon reaching the tunnel exit point packets are forwarded beyond the local network. This concern is also present in the Mobile IP specification, as it already dictates the use of reverse tunnels for certain applications.

一旦建立了隧道,恶意节点可能会劫持它,将数据包注入网络。反向隧道可能会加剧此问题,因为到达隧道出口点后,数据包将转发到本地网络之外。移动IP规范中也存在这一问题,因为它已经规定在某些应用中使用反向隧道。

Unauthenticated exchanges involving the foreign agent allow a malicious node to pose as a valid mobile node and re-direct an existing reverse tunnel to another home agent, perhaps another malicious node. The best way to protect against these attacks is by employing the Mobile-Foreign and Foreign-Home Authentication Extensions defined in [1].

涉及外部代理的未经验证的交换允许恶意节点冒充有效的移动节点,并将现有反向隧道重新定向到另一个归属代理,可能是另一个恶意节点。防范这些攻击的最佳方法是使用[1]中定义的移动国外和国外家庭身份验证扩展。

If the necessary mobility security associations are not available, this document introduces a mechanism to reduce the range and effectiveness of the attacks. The mobile node MUST set to 255 the TTL value in the IP headers of Registration Requests sent to the foreign agent. This prevents malicious nodes more than one hop away from posing as valid mobile nodes. Additional codes for use in registration denials make those attacks that do occur easier to track.

如果没有必要的移动安全关联,本文档将引入一种机制来减少攻击的范围和有效性。移动节点必须将发送到外部代理的注册请求的IP头中的TTL值设置为255。这可以防止恶意节点冒充有效的移动节点一跳以上。在注册拒绝中使用的附加代码使那些确实发生的攻击更容易跟踪。

With the goal of further reducing the attacks the Mobile IP Working Group considered other mechanisms involving the use of unauthenticated state. However, these introduce the possibilities of denial-of-service attacks. The consensus was that this was too much of a trade-off for mechanisms that guarantee no more than weak (non-cryptographic) protection against attacks.

为了进一步减少攻击,移动IP工作组考虑了使用未经验证状态的其他机制。然而,这些都引入了拒绝服务攻击的可能性。大家一致认为,对于那些仅能保证针对攻击的弱(非加密)保护的机制来说,这是一种太多的折衷。

6.2. Ingress Filtering
6.2. 入口过滤

There has been some concern regarding the long-term effectiveness of reverse-tunneling in the presence of ingress filtering. The conjecture is that network administrators will target reverse-tunneled packets (IP in IP encapsulated packets) for filtering. The ingress filtering recommendation spells out why this is not the case [8]:

在存在入口过滤的情况下,存在一些关于反向隧道的长期有效性的担忧。推测是网络管理员将反向隧道包(IP封装包中的IP)作为过滤的目标。入口过滤建议阐明了为什么情况并非如此[8]:

Tracking the source of an attack is simplified when the source is more likely to be "valid."

当攻击源更有可能“有效”时,可以简化对攻击源的跟踪

7. Acknowledgements
7. 致谢

The encapsulating style of delivery was proposed by Charlie Perkins. Jim Solomon has been instrumental in shaping this document into its present form.

封装式交付是由Charlie Perkins提出的。吉姆·所罗门(Jim Solomon)在将本文件塑造成当前形式方面发挥了重要作用。

References

工具书类

[1] Perkins, C., "IP Mobility Support", RFC 2002, October 1996.

[1] Perkins,C.,“IP移动支持”,RFC 2002,1996年10月。

[2] Perkins, C., "IP Encapsulation within IP", RFC 2003, October 1996.

[2] Perkins,C.,“IP内的IP封装”,RFC 2003,1996年10月。

[3] Computer Emergency Response Team (CERT), "IP Spoofing Attacks and Hijacked Terminal Connections", CA-95:01, January 1995. Available via anonymous ftp from info.cert.org in/pub/cert_advisories.

[3] 计算机应急响应小组(CERT),“IP欺骗攻击和被劫持的终端连接”,CA-95:01,1995年1月。可通过匿名ftp从info.cert.org的/pub/cert\u advisories获得。

[4] Johnson, D., and C. Perkins, "Route Optimization in Mobile IP", Work in Progress.

[4] Johnson,D.和C.Perkins,“移动IP中的路由优化”,正在进行中。

[5] Manuel Rodriguez, private communication, August 1995.

[5] Manuel Rodriguez,《私人通讯》,1995年8月。

[6] Atkinson, R., "IP Authentication Header", RFC 1826, August 1995.

[6] 阿特金森,R.,“IP认证头”,RFC 1826,1995年8月。

[7] Atkinson, R., "IP Encapsulating Security Payload", RFC 1827, August 1995.

[7] 阿特金森,R.,“IP封装安全有效载荷”,RFC 1827,1995年8月。

[8] Ferguson, P., and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", RFC 2267, January 1998.

[8] Ferguson,P.和D.Senie,“网络入口过滤:击败利用IP源地址欺骗的拒绝服务攻击”,RFC 2267,1998年1月。

[9] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[9] Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

Editor and Chair Addresses

编辑和主席致辞

Questions about this document may be directed at:

有关本文件的问题,请联系:

Gabriel E. Montenegro Sun Microsystems, Inc. 901 San Antonio Road Mailstop UMPK 15-214 Mountain View, California 94303

加布里埃尔E.黑山太阳微系统公司,加利福尼亚州山景城圣安东尼奥路901号邮递站UMPK 15-214 94303

   Voice:  +1-415-786-6288
   Fax:    +1-415-786-6445
   EMail: gabriel.montenegro@eng.sun.com
        
   Voice:  +1-415-786-6288
   Fax:    +1-415-786-6445
   EMail: gabriel.montenegro@eng.sun.com
        

The working group can be contacted via the current chairs:

可通过现任主席联系工作组:

Jim Solomon Motorola, Inc. 1301 E. Algonquin Rd. - Rm 2240 Schaumburg, IL 60196

吉姆·所罗门·摩托罗拉公司,地址:伊利诺伊州绍姆堡市阿尔冈金东路1301号2240室,邮编60196

   Voice:  +1-847-576-2753
   Fax:    +1-847-576-3240
   EMail: solomon@comm.mot.com
        
   Voice:  +1-847-576-2753
   Fax:    +1-847-576-3240
   EMail: solomon@comm.mot.com
        

Erik Nordmark Sun Microsystems, Inc. 901 San Antonio Road Mailstop UMPK17-202 Mountain View, California 94303

Erik Nordmark Sun Microsystems,Inc.加利福尼亚州山景城圣安东尼奥路901号邮政站UMPK17-202 94303

   Voice:  +1-415-786-5166
   EMail: erik.nordmark@eng.sun.com
        
   Voice:  +1-415-786-5166
   EMail: erik.nordmark@eng.sun.com
        

Full Copyright Statement

完整版权声明

Copyright (C) The Internet Society (1998). All Rights Reserved.

版权所有(C)互联网协会(1998年)。版权所有。

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。