Network Working Group                                           D. Senie
Request for Comments: 2644                        Amaranth Networks Inc.
Updates: 1812                                                August 1999
BCP: 34
Category: Best Current Practice
        
Network Working Group                                           D. Senie
Request for Comments: 2644                        Amaranth Networks Inc.
Updates: 1812                                                August 1999
BCP: 34
Category: Best Current Practice
        

Changing the Default for Directed Broadcasts in Routers

更改路由器中定向广播的默认设置

Status of this Memo

本备忘录的状况

This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Distribution of this memo is unlimited.

本文件规定了互联网社区的最佳现行做法,并要求进行讨论和提出改进建议。本备忘录的分发不受限制。

Copyright Notice

版权公告

Copyright (C) The Internet Society (1999). All Rights Reserved.

版权所有(C)互联网协会(1999年)。版权所有。

1. Introduction
1. 介绍

Router Requirements [1] specifies that routers must receive and forward directed broadcasts. It also specifies that routers MUST have an option to disable this feature, and that this option MUST default to permit the receiving and forwarding of directed broadcasts. While directed broadcasts have uses, their use on the Internet backbone appears to be comprised entirely of malicious attacks on other networks.

路由器要求[1]规定路由器必须接收和转发定向广播。它还指定路由器必须具有禁用此功能的选项,并且此选项必须默认为允许接收和转发定向广播。虽然定向广播有其用途,但它们在互联网主干上的使用似乎完全是由对其他网络的恶意攻击构成的。

Changing the required default for routers would help ensure new routers connected to the Internet do not add to the problems already present.

更改路由器所需的默认设置将有助于确保连接到Internet的新路由器不会增加已经存在的问题。

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

本文件中的关键词“必须”、“不得”、“要求”、“应”、“不得”、“应”、“不应”、“建议”、“可”和“可选”应按照RFC 2119中的说明进行解释。

2. Discussion
2. 讨论

Damaging denial of service attacks led to the writing of [2] on Ingress Filtering. Many network providers and corporate networks have endorsed the use of these methods to ensure their networks are not the source of such attacks.

破坏性拒绝服务攻击导致在入口过滤上写入[2]。许多网络提供商和公司网络都支持使用这些方法,以确保其网络不是此类攻击的来源。

A recent trend in Smurf Attacks [3] is to target networks which permit directed broadcasts from outside their networks. By permitting directed broadcasts, these systems become "Smurf Amplifiers."

Smurf攻击[3]最近的一个趋势是针对允许从网络外部定向广播的网络。通过允许定向广播,这些系统成为“蓝精灵放大器”

While the continued implementation of ingress filters remains the best way to limit these attacks, restricting directed broadcasts should also receive priority.

尽管继续实施入口过滤器仍然是限制这些攻击的最佳方式,但限制定向广播也应获得优先权。

Network service providers and corporate network operators are urged to ensure their networks are not susceptible to directed broadcast packets originating outside their networks.

敦促网络服务提供商和公司网络运营商确保其网络不易受到源自其网络外部的定向广播数据包的影响。

Mobile IP [4] had provisions for using directed broadcasts in a mobile node's use of dynamic agent discovery. While some implementations support this feature, it is unclear whether it is useful. Other methods of achieving the same result are documented in [5]. It may be worthwhile to consider removing the language on using directed broadcasts as Mobile IP progresses on the standards track.

移动IP[4]规定在移动节点使用动态代理发现时使用定向广播。虽然有些实现支持此功能,但尚不清楚它是否有用。[5]中记录了实现相同结果的其他方法。考虑到移动IP在标准轨道上的进展,考虑使用定向广播去除语言可能是值得的。

3. Recommendation
3. 正式建议

Router Requirements [1] is updated as follows:

路由器要求[1]更新如下:

Section 4.2.2.11 (d) is replaced with:

第4.2.2.11(d)节替换为:

      (d) { <Network-prefix>, -1 }
        
      (d) { <Network-prefix>, -1 }
        

Directed Broadcast - a broadcast directed to the specified network prefix. It MUST NOT be used as a source address. A router MAY originate Network Directed Broadcast packets. A router MAY have a configuration option to allow it to receive directed broadcast packets, however this option MUST be disabled by default, and thus the router MUST NOT receive Network Directed Broadcast packets unless specifically configured by the end user.

定向广播-定向到指定网络前缀的广播。它不能用作源地址。路由器可以发起网络定向广播分组。路由器可具有允许其接收定向广播数据包的配置选项,但是该选项在默认情况下必须被禁用,因此除非最终用户专门配置,否则路由器不得接收网络定向广播数据包。

Section 5.3.5.2, second paragraph replaced with:

第5.3.5.2节第二段替换为:

A router MAY have an option to enable receiving network-prefix-directed broadcasts on an interface and MAY have an option to enable forwarding network-prefix-directed broadcasts. These options MUST default to blocking receipt and blocking forwarding of network-prefix-directed broadcasts.

路由器可以具有能够在接口上接收网络前缀定向广播的选项,并且可以具有能够转发网络前缀定向广播的选项。这些选项必须默认为阻止接收和转发网络前缀定向广播。

4. Security Considerations
4. 安全考虑

The goal of this document is to reduce the efficacy of certain types of denial of service attacks.

本文档的目标是降低某些类型的拒绝服务攻击的有效性。

5. References
5. 工具书类

[1] Baker, F., "Requirements for IP Version 4 Routers", RFC 1812, June 1995.

[1] Baker,F.,“IP版本4路由器的要求”,RFC 1812,1995年6月。

[2] Ferguson, P. and D. Senie, "Ingress Filtering", RFC 2267, January 1998.

[2] Ferguson,P.和D.Senie,“入口过滤”,RFC 2267,1998年1月。

   [3] See the pages by Craig Huegen at:
       http://www.quadrunner.com/~chuegen/smurf.txt, and the CERT
       advisory at: http://www.cert.org/advisories/CA-98.01.smurf.html
        
   [3] See the pages by Craig Huegen at:
       http://www.quadrunner.com/~chuegen/smurf.txt, and the CERT
       advisory at: http://www.cert.org/advisories/CA-98.01.smurf.html
        

[4] Perkins, C., "IP Mobility Support", RFC 2002, October 1996.

[4] Perkins,C.,“IP移动支持”,RFC 2002,1996年10月。

[5] P. Calhoun, C. Perkins, "Mobile IP Dynamic Home Address Allocation Extensions", Work in Progress.

[5] P.Calhoun,C.Perkins,“移动IP动态家庭地址分配扩展”,正在进行中。

6. Acknowledgments
6. 致谢

The author would like to thank Brandon Ross of Mindspring and Gabriel Montenegro of Sun for their input.

作者要感谢Mindspring的布兰登·罗斯(Brandon Ross)和Sun的加布里埃尔·黑山(Gabriel Montegon)的投入。

7. Author's Address
7. 作者地址

Daniel Senie Amaranth Networks Inc. 324 Still River Road Bolton, MA 01740

Daniel Senie Amaranth Networks Inc.马萨诸塞州博尔顿市斯蒂尔河路324号01740

Phone: (978) 779-6813 EMail: dts@senie.com

电话:(978)779-6813电子邮件:dts@senie.com

8. Full Copyright Statement
8. 完整版权声明

Copyright (C) The Internet Society (1999). All Rights Reserved.

版权所有(C)互联网协会(1999年)。版权所有。

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。

Acknowledgement

确认

Funding for the RFC Editor function is currently provided by the Internet Society.

RFC编辑功能的资金目前由互联网协会提供。