Network Working Group                                           S. Glass
Request for Comments: 2977                              Sun Microsystems
Category: Informational                                        T. Hiller
                                                     Lucent Technologies
                                                               S. Jacobs
                                                        GTE Laboratories
                                                              C. Perkins
                                                   Nokia Research Center
                                                            October 2000
Mobile IP Authentication, Authorization, and Accounting Requirements
Status of this Memo
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved.
Abstract
The Mobile IP and Authentication, Authorization, Accounting (AAA) working groups are currently looking at defining the requirements for Authentication, Authorization, and Accounting. This document contains the requirements which would have to be supported by a AAA service to aid in providing Mobile IP services.
Clients obtain Internet services by negotiating a point of attachment to a "home domain", generally an ISP or other organization from which service requests are made and fulfilled. With the increasing popularity of mobile devices, there is a need to allow users to attach to whatever domain is convenient to their current location. In this way, a client needs access to resources provided by an administrative domain different from its home domain (called a "foreign domain"). The need for service from a foreign domain requires, in many models, Authorization, which leads directly to Authentication, and of course Accounting (whence "AAA"). There is some argument about which of these leads to, or is derived from, the others, but there is common agreement that the three AAA functions are closely interdependent.
An agent in a foreign domain, being called on to provide access to a resource by a mobile user, is likely to request or require the client to provide credentials which can be authenticated before access to resources is permitted. The resource may be as simple as a conduit to the Internet, or may be as complex as access to specific private resources within the foreign domain. Credentials can be exchanged in many different ways, all of which are beyond the scope of this document. Once authenticated, the mobile user may be authorized to access services within the foreign domain. An accounting of the actual resources may then be assembled.
Mobile IP is a technology that allows a network node ("mobile node") to migrate from its "home" network to other networks, either within the same administrative domain, or to other administrative domains. The possibility of movement between domains which require AAA services has created an immediate demand to design and specify AAA protocols. Once available, the AAA protocols and infrastructure will provide the economic incentive for a wide-ranging deployment of Mobile IP. This document will identify, describe, and discuss the functional and performance requirements that Mobile IP places on AAA protocols.
The formal description of Mobile IP can be found in [13,12,14,17].
In this document, we have attempted to exhibit requirements in a progressive fashion. After showing the basic AAA model for Mobile IP, we derive requirements as follows:
- requirements based on the general model
- requirements based on providing IP service for mobile nodes
- requirements derived from specific Mobile IP protocol needs
Then, we exhibit some related AAA models and describe requirements derived from the related models.
This document frequently uses the following terms in addition to those defined in RFC 2002 [13]:
Accounting The act of collecting information on resource usage for the purpose of trend analysis, auditing, billing, or cost allocation.
Administrative Domain An intranet, or a collection of networks, computers, and databases under a common administration. Computer entities operating in a common administration may be assumed to share administratively created security associations.
Attendant A node designed to provide the service interface between a client and the local domain.
Authentication The act of verifying a claimed identity, in the form of a pre-existing label from a mutually known name space, as the originator of a message (message authentication) or as the end-point of a channel (entity authentication).
Authorization The act of determining if a particular right, such as access to some resource, can be granted to the presenter of a particular credential.
Billing The act of preparing an invoice.
Broker An intermediary agent, trusted by two other AAA servers, able to obtain and provide security services from those AAA servers. For instance, a broker may obtain and provide authorizations, or assurances that credentials are valid.
Client A node wishing to obtain service from an attendant within an administrative domain.
Foreign Domain An administrative domain, visited by a Mobile IP client, and containing the AAA infrastructure needed to carry out the necessary operations enabling Mobile IP registrations. From the point of view of the foreign agent, the foreign domain is the local domain.
Inter-domain Accounting Inter-domain accounting is the collection of information on the resource usage of an entity within an administrative domain, for use within another administrative domain. In inter-domain accounting, accounting packets and session records will typically cross administrative boundaries.
Intra-domain Accounting Intra-domain accounting is the collection of information on resource usage within an administrative domain, for use within that domain. In intra-domain accounting, accounting packets and session records typically do not cross administrative boundaries.
Local Domain An administrative domain containing the AAA infrastructure of immediate interest to a Mobile IP client when it is away from home.
Real-time Accounting Real-time accounting involves the processing of information on resource usage within a defined time window. Time constraints are typically imposed in order to limit financial risk.
Session record A session record represents a summary of the resource consumption of a user over the entire session. Accounting gateways creating the session record may do so by processing interim accounting events.
In this document, the key words "MAY", "MUST", "MUST NOT", "optional", "recommended", "SHOULD", and "SHOULD NOT" are to be interpreted as described in [4].
In this section, we attempt to capture the main features of a basic model for operation of AAA servers that seems to have good support within the Mobile IP working group. Within the Internet, a client belonging to one administrative domain (called the home domain) often needs to use resources provided by another administrative domain (called the foreign domain). An agent in the foreign domain that attends to the client's request (call the agent the "attendant") is likely to require that the client provide some credentials that can be authenticated before access to the resources is permitted. These credentials may be something the foreign domain understands, but in most cases they are assigned by, and understood only by the home domain, and may be used for setting up secure channels with the mobile node.
             Local Domain                          Home Domain
           +--------------+                  +----------------------+
           |   +------+   |                  |       +------+       |
           |   |      |   |                  |       |      |       |
           |   | AAAL |   |                  |       | AAAH |       |
           |   |      +------------------------------+      |       |
           |   +---+--+   |                  |       +------+       |
           |       |      |                  |                      |
           |       |      |                  +----------------------+
+------+   |   +---+--+   |
|      |   |   |      |   |          C = client
|  C   |- -|- -|  A   |   |          A = attendant
|      |   |   |      |   |          AAAL = local authority
+------+   |   +------+   |          AAAH = home authority
           |              |
           +--------------+
Figure 1: AAA Servers in Home and Local Domains
The attendant often does not have direct access to the data needed to complete the transaction. Instead, the attendant is expected to consult an authority (typically in the same foreign domain) in order to request proof that the client has acceptable credentials. Since the attendant and the local authority are part of the same administrative domain, they are expected to have established, or be able to establish for the necessary lifetime, a secure channel for the purposes of exchanging sensitive (access) information, and keeping it private from (at least) the visiting mobile node.
The local authority (AAAL) itself may not have enough information stored locally to carry out the verification for the credentials of the client. In contrast to the attendant, however, the AAAL is expected to be configured with enough information to negotiate the verification of client credentials with external authorities. The local and the external authorities should be configured with sufficient security relationships and access controls so that they, possibly without the need for any other AAA agents, can negotiate the authorization that may enable the client to have access to any/all requested resources. In many typical cases, the authorization depends only upon secure authentication of the client's credentials.
Once the authorization has been obtained by the local authority, and the authority has notified the attendant about the successful negotiation, the attendant can provide the requested resources to the client.
In the picture, there might be many attendants for each AAAL, and there might be many clients from many different Home Domains. Each Home Domain provides a AAAH that can check credentials originating from clients administered by that Home Domain.
There is a security model implicit in the above figure, and it is crucial to identify the specific security associations assumed in the security model.
First, it is natural to assume that the client has a security association with the AAAH, since that is roughly what it means for the client to belong to the home domain.
Second, from the model illustrated in figure 1 it is clear that AAAL and AAAH have to share a security association, because otherwise they could not rely on the authentication results, authorizations, or even the accounting data which might be transacted between them. Requiring such bilateral security relationships is, however, in the end not scalable; the AAA framework MUST provide for more scalable mechanisms, as suggested below in section 6.
Finally, in the figure, it is clear that the attendant can naturally share a security association with the AAAL. This is necessary in order for the model to work because the attendant has to know that it is permissible to allocate the local resources to the client.
As an example in today's Internet, we can cite the deployment of RADIUS [16] to allow mobile computer clients to have access to the Internet by way of a local ISP. The ISP wants to make sure that the mobile client can pay for the connection. Once the client has provided credentials (e.g., identification, unique data, and an unforgeable signature), the ISP checks with the client's home authority to verify the signature, and to obtain assurance that the client will pay for the connection. Here, the attendant function can be carried out by the NAS, and the local and home authorities can use RADIUS servers. Credentials allowing authorization at one attendant SHOULD be unusable in any future negotiations at the same or any other attendant.
From the description and example above, we can identify several requirements.
- Each local attendant has to have a security relationship with the local AAA server (AAAL).
- The local authority has to share, or dynamically establish, security relationships with external authorities that are able to check client credentials.
- The attendant has to keep state for pending client requests while the local authority contacts the appropriate external authority.
- Since the mobile node may not necessarily initiate network connectivity from within its home domain, it MUST be able to provide complete, yet unforgeable, credentials without ever having been in touch with its home domain.
- Since the mobile node's credentials have to remain unforgeable, intervening nodes (i.e., neither the attendant, the local authority (AAAL), nor any other intermediate node) MUST NOT be able to learn any (secret) information which may enable them to reconstruct and reuse the credentials.
From this last requirement, we can see the reasons for the natural requirement that the client has to share, or dynamically establish, a security relationship with the external authority in the Home Domain. Otherwise, it is technically infeasible (given the implied network topology) for the client to produce unforgeable signatures that can be checked by the AAAH. Figure 2 illustrates the natural security associations we understand from our proposed model. Note that, according to the discussion in section 6, there may, by mutual agreement between AAAL and AAAH, be a third party inserted between AAAL and AAAH to help them arbitrate secure transactions in a more scalable fashion.
     +------+                 +------+
     |      |                 |      |
     | AAAL +-----------------+ AAAH |
     |      |                 |      |
     +---+--+                 +--+---+
         |                       |
         |                       |
     +---+--+                 +--+---+     C = client
     |      |                 |      |     A = attendant
     |  A   |                 |  C   |     AAAL = local authority
     |      |                 |      |     AAAH = home authority
     +------+                 +------+
Figure 2: Security Associations
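The exchange implied by figures 1 and 2, and by the requirements listed above (credentials that only the AAAH can verify, an attendant that keeps state while the AAAL consults the home authority, replay protection, and credentials that are unusable at any other attendant), worked through as an added Python example. This is not code from the RFC: the RFC leaves the credential format open. The MAC construction, the message fields, the freshness window, the realm-to-AAAH routing table and all names and keys are this example's assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: a long-term key shared only between the client and its
# AAAH. Neither the attendant nor the AAAL is ever given it (assumption of the
# example; the RFC does not fix a credential format).
HOME_KEYS = {"alice@home.example": secrets.token_bytes(32)}

FRESHNESS_SECONDS = 300  # assumed window within which the AAAH accepts a timestamp


def credential_mac(key, nai, attendant_id, nonce, ts):
    """MAC over the client identity, the attendant the credential is presented
    to, that attendant's challenge and a timestamp. Binding attendant and nonce
    is what makes the credential useless at another attendant or a second time."""
    msg = b"|".join([nai.encode(), attendant_id.encode(), nonce, str(ts).encode()])
    return hmac.new(key, msg, hashlib.sha256).digest()


class Client:
    def __init__(self, nai, key):
        self.nai, self.key = nai, key

    def make_credential(self, attendant_id, nonce):
        # No contact with the home domain is needed: everything is computable
        # from the pre-shared key and the attendant's challenge.
        ts = int(time.time())
        mac = credential_mac(self.key, self.nai, attendant_id, nonce, ts)
        return {"nai": self.nai, "attendant": attendant_id, "nonce": nonce, "ts": ts, "mac": mac}


class HomeAuthority:  # AAAH
    def __init__(self, keys):
        self.keys = keys

    def verify(self, cred):
        key = self.keys.get(cred["nai"])
        if key is None or abs(int(time.time()) - cred["ts"]) > FRESHNESS_SECONDS:
            return False
        expected = credential_mac(key, cred["nai"], cred["attendant"], cred["nonce"], cred["ts"])
        return hmac.compare_digest(expected, cred["mac"])


class LocalAuthority:  # AAAL
    def __init__(self, routes):
        self.routes = routes  # realm -> HomeAuthority it has a security association with

    def authorize(self, cred):
        # The AAAL sees only the MAC, never the key, so it can only forward the
        # credential to the home authority selected by the NAI realm.
        aaah = self.routes.get(cred["nai"].rsplit("@", 1)[-1])
        return aaah is not None and aaah.verify(cred)


class Attendant:
    def __init__(self, ident, aaal):
        self.id, self.aaal = ident, aaal
        self.pending = {}  # nonce -> client NAI; state held while the AAAL consults the AAAH

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = None
        return nonce

    def admit(self, cred):
        if cred["attendant"] != self.id:
            return "rejected: credential bound to another attendant"
        nonce = cred["nonce"]
        if nonce not in self.pending:
            # Never issued here, or already consumed: a replay.
            return "rejected: unknown or replayed challenge"
        self.pending[nonce] = cred["nai"]
        try:
            ok = self.aaal.authorize(cred)
        finally:
            del self.pending[nonce]  # one challenge yields exactly one decision
        return "authorized" if ok else "rejected: home authority refused"


def demo():
    """Walk one client through two attendants; returns the four verdicts."""
    aaah = HomeAuthority(HOME_KEYS)
    aaal = LocalAuthority({"home.example": aaah})
    a1, a2 = Attendant("attendant-1", aaal), Attendant("attendant-2", aaal)
    alice = Client("alice@home.example", HOME_KEYS["alice@home.example"])

    cred = alice.make_credential(a1.id, a1.challenge())
    first = a1.admit(cred)       # authorized after the AAAL consulted the AAAH
    replay = a1.admit(cred)      # same credential again: challenge already consumed
    elsewhere = a2.admit(cred)   # bound to attendant-1, useless at attendant-2
    forged = dict(cred, nonce=a1.challenge(), mac=b"\x00" * 32)
    bad_mac = a1.admit(forged)   # an intermediary holding no key cannot mint a MAC
    return first, replay, elsewhere, bad_mac
```

The attendant's `pending` table is the state the requirements say it must hold while the local authority is consulted; deleting the entry on completion doubles as the replay check, and the attendant identity inside the MAC is what keeps one attendant's credential from being presented at another.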
In addition to the requirements listed above, we specify the following requirements which derive from operational experience with today's roaming protocols.
- There are scenarios in which an attendant will have to manage requests for many clients at the same time.
- The attendant MUST protect against replay attacks.
- The attendant equipment should be as inexpensive as possible, since it will be replicated as many times as possible to handle as many clients as possible in the foreign domain.
- Attendants SHOULD be configured to obtain authorization, from a trusted local AAA server (AAAL), for Quality of Service requirements placed by the client.
Nodes in two separate administrative domains (for instance, AAAH and AAAL) often must take additional steps to verify the identity of their communication partners, or alternatively to guarantee the privacy of the data making up the communication. While these considerations lead to important security requirements, as mentioned above in the context of security between servers, we consider the exact choice of security associations between the AAA servers to be beyond the scope of this document. The choices are unlikely even to depend upon any specific features of the general model illustrated in figure 1. On the other hand, the security associations needed between Mobile IP entities will be of central importance in the design of a suitable AAA infrastructure for Mobile IP. The general model shown above is generally compatible with the needs of Mobile IP. However, some basic changes are needed in the security model of Mobile IP, as detailed in section 5.
Lastly, recent discussion in the mobile-ip working group has indicated that the attendant MUST be able to terminate service to the client based on policy determination by either AAAH or AAAL server.
In this section we will detail additional requirements based on issues discovered through operational experience of existing roaming RADIUS networks. The AAA protocol MUST satisfy these requirements in order for providers to offer a robust service. These requirements have been identified by TR45.6 as part of their involvement with the Mobile IP working group.
- Support a reliable AAA transport mechanism.
  * There must be an effective hop-by-hop retransmission and failover mechanism so that reliability does not solely depend on end-to-end retransmission.
  * This transport mechanism will be able to indicate to an AAA application that a message was delivered to the next peer AAA application or that a time out occurred.
  * Retransmission is controlled by the reliable AAA transport mechanism, and not by lower layer protocols such as TCP.
  * Even if the AAA message is to be forwarded, or the message's options or semantics do not conform with the AAA protocol, the transport mechanism will acknowledge that the peer received the AAA message.
  * Acknowledgements SHOULD be allowed to be piggybacked in AAA messages.
  * AAA responses have to be delivered in a timely fashion so that Mobile IP does not timeout and retransmit.
- Transport a digital certificate in an AAA message, in order to minimize the number of round trips associated with AAA transactions. Note: This requirement applies to AAA applications and not mobile stations. The certificates could be used by foreign and home agents to establish an IPSec security association to secure the mobile node's tunneled data. In this case, the AAA infrastructure could assist by obtaining the revocation status of such a certificate (either by performing online checks or otherwise validating the certificate) so that home and foreign agents could avoid a costly online certificate status check.
- Provide message integrity and identity authentication on a hop-by-hop (AAA node) basis.
- Support replay protection and optional non-repudiation capabilities for all authorization and accounting messages. The AAA protocol must provide the capability for accounting messages to be matched with prior authorization messages.
- Support accounting via both bilateral arrangements and via broker AAA servers providing accounting clearinghouse and reconciliation between serving and home networks. There is an explicit agreement that if the private network or home ISP authenticates the mobile station requesting service, then the private network or home ISP network also agrees to reconcile charges with the home service provider or broker. Real time accounting must be supported. Timestamps must be included in all accounting packets.
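The reliable-transport requirement above (hop-by-hop retransmission, failover to another peer, a delivered-or-timed-out indication to the application, acknowledgements that are returned even when the application will reject the message, and acknowledgements piggybacked on other messages), simulated as an added Python example. It is not code from the RFC or from any AAA implementation; the peer behaviour, message shape, retransmit count and node names are constructed for the example, and no real network I/O takes place.

```python
import itertools


class PeerNode:
    """Simulated next-hop AAA node. The first `lose_first` deliveries are lost
    silently; `up=False` never answers; `app_accepts=False` models an AAA
    application that rejects the message's options or semantics."""

    def __init__(self, name, lose_first=0, up=True, app_accepts=True):
        self.name, self.lose_first, self.up, self.app_accepts = name, lose_first, up, app_accepts
        self.lost = 0
        self.received = []        # sequence numbers this node took delivery of
        self.acked_by_peer = []   # acks it learned from piggybacked fields

    def receive(self, msg):
        if not self.up:
            return None
        if self.lost < self.lose_first:
            self.lost += 1
            return None
        if "ack" in msg:
            self.acked_by_peer.append(msg["ack"])
        self.received.append(msg["seq"])
        # The transport acknowledges receipt even when the AAA application
        # will forward the message onward or reject its contents.
        return {"ack": msg["seq"], "app_status": "ok" if self.app_accepts else "rejected"}


class HopTransport:
    """Per-hop reliable delivery: retransmit to the primary peer, fail over to
    the next configured peer, and report which of the two outcomes happened."""

    def __init__(self, peers, max_retransmits=3):
        self.peers = list(peers)            # failover order
        self.max_retransmits = max_retransmits
        self.seq = itertools.count(1)
        self.attempts = []                  # (peer name, attempt number), for inspection

    def send(self, payload, piggyback_ack=None):
        msg = {"seq": next(self.seq), "payload": payload}
        if piggyback_ack is not None:
            msg["ack"] = piggyback_ack      # ack for the peer's last message rides along
        for peer in self.peers:
            for attempt in range(1, self.max_retransmits + 2):
                self.attempts.append((peer.name, attempt))
                reply = peer.receive(msg)
                if reply is not None and reply.get("ack") == msg["seq"]:
                    return {"status": "delivered", "peer": peer.name,
                            "attempts": attempt, "app_status": reply["app_status"]}
            # Retransmits to this peer exhausted: fail over at this hop rather
            # than waiting for the originating application to retry end to end.
        return {"status": "timeout", "seq": msg["seq"]}


def demo():
    """Four sends against constructed peers; returns their outcomes."""
    lossy = PeerNode("aaal-primary", lose_first=2)
    backup = PeerNode("aaal-backup")
    dead = PeerNode("aaal-dead", up=False)
    picky = PeerNode("aaal-picky", app_accepts=False)

    r1 = HopTransport([lossy, backup]).send({"nai": "alice@home.example"})  # delivered on 3rd try
    r2 = HopTransport([dead, backup]).send({"nai": "alice@home.example"})   # failover to backup
    r3 = HopTransport([dead]).send({"nai": "alice@home.example"})           # timeout reported
    r4 = HopTransport([picky]).send({"bogus-option": 1}, piggyback_ack=7)  # acked, app rejects
    return r1, r2, r3, r4, picky.acked_by_peer
```

The distinction the requirement draws is visible in `r4`: the transport reports "delivered" because the peer acknowledged receipt, while the application-level verdict travels separately as `app_status`.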
The requirements listed in the previous section pertain to the relationships between the functional units, and don't depend on the underlying network addressing. On the other hand, many nodes (mobile or merely portable) are programmed to receive some IP-specific resources during the initialization phase of their attempt to connect to the Internet.
We place the following additional requirements on the AAA services in order to satisfy such clients.
- Either AAA server MUST be able to obtain, or to coordinate the allocation of, a suitable IP address for the customer, upon request by the customer.
- AAA servers MUST be able to identify the client by some means other than its IP address.
Policy in the home domain may dictate that the home agent instead of the AAAH manages the allocation of an IP address for the mobile node. AAA servers MUST be able to coordinate the allocation of an IP address for the mobile node at least in this way.
AAA servers today identify clients by using the Network Access Identifier (NAI) [1]. A mobile node can identify itself by including the NAI along with the Mobile IP Registration Request [6]. The NAI is of the form "user@realm"; it is unique and well suited for use in the AAA model illustrated in figure 1. Using a NAI (e.g., "user@realm") allows AAAL to easily determine the home domain (e.g., "realm") for the client. Both the AAAL and the AAAH can use the NAI to keep records indexed by the client's specific identity.
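An NAI parser and the realm-based lookup the paragraph above describes, as an added Python example (not code from the RFC or from RFC 2486). The character classes are this example's reading of the RFC 2486 grammar rather than its text; the longest-suffix fallback in the router, the routing table and the sample identifiers are assumptions. A bare username without "@" is accepted by the parser but left unroutable, since an AAAL cannot derive a home domain from it.

```python
import re

# Assumed printable-ASCII subsets for the username and for each realm label;
# check RFC 2486 for the normative grammar.
_USERNAME = re.compile(r"^[A-Za-z0-9!#$%&'*+\-/=?^_`{|}~.]+$")
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def parse_nai(nai):
    """Split 'user@realm' into (user, realm), or raise ValueError.

    The realm is returned lower-cased because it is a domain name and the AAAL
    must match it case-insensitively; realm is None for a bare username."""
    if not isinstance(nai, str) or not nai:
        raise ValueError("NAI must be a non-empty string")
    if nai.count("@") > 1:
        raise ValueError("NAI may contain at most one '@'")
    user, _, realm = nai.partition("@")
    if not _USERNAME.match(user):
        raise ValueError("invalid username part")
    if not realm:
        return user, None
    if any(not _LABEL.match(label) for label in realm.split(".")):
        raise ValueError("invalid realm")
    return user, realm.lower()


class RealmRouter:
    """Maps a realm to the AAAH (or broker) the AAAL forwards to.

    Lookup is longest-suffix: 'eng.home.example' falls back to 'home.example'
    when only the latter is configured (an assumption of this example)."""

    def __init__(self, table):
        self.table = {realm.lower(): target for realm, target in table.items()}

    def route(self, nai):
        _user, realm = parse_nai(nai)
        if realm is None:
            return None                      # no home domain to consult
        labels = realm.split(".")
        for i in range(len(labels)):
            target = self.table.get(".".join(labels[i:]))
            if target is not None:
                return target
        return None                          # unknown realm: the AAAL must refuse
```

Rejecting a malformed NAI at the AAAL, before anything is forwarded, keeps an attacker from using the identifier field to steer a request toward an arbitrary peer or to pollute records that both the AAAL and the AAAH index by NAI.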
Clients using Mobile IP require specific features from the AAA services, in addition to the requirements already mentioned in connection with the basic AAA functionality and what is needed for IP connectivity. To understand the application of the general model to Mobile IP, we consider the mobile node (MN) to be the client in figure 1, and the attendant to be the foreign agent (FA). If no foreign agent is present, e.g., in the case of an IPv4 mobile node with a co-located care-of address or an IPv6 mobile node, the equivalent attendant functionality is to be provided by the address allocation entity, e.g., a DHCP server. Such attendant functionality is outside the scope of this document. The home agent, while important to Mobile IP, is allowed to play a role during the initial registration that is subordinate to the role played by the AAAH. For application to Mobile IP, we modify the general model (as illustrated in figure 3). After the initial registration, the mobile node is authorized to continue using Mobile IP at the foreign domain without requiring further involvement by the AAA servers. Thus, the initial registration will probably take longer than subsequent Mobile IP registrations.
In order to reduce this extra time overhead as much as possible, it is important to reduce the time taken for communications between the AAA servers. A major component of this communications latency is the time taken to traverse the wide-area Internet that is likely to separate the AAAL and the AAAH. This leads to a further strong motivation for integration of the AAA functions themselves, as well as integration of AAA functions with the initial Mobile IP registration. In order to reduce the number of messages that traverse the network for initial registration of a Mobile Node, the AAA functions in the visited network (AAAL) and the home network (AAAH) need to interface with the foreign agent and the home agent to handle the registration message. Latency would be reduced as a result of initial registration being handled in conjunction with AAA and the Mobile IP mobility agents. Subsequent registrations, however, would be handled according to RFC 2002 [13]. Accounting latency can similarly be reduced by exchanging small records.
As there are many different types of sub-services attendants may provide to mobile clients, there MUST be extensible accounting formats. In this way, the specific services being provided can be identified, as well as accounting support should more services be identified in the future.
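An accounting gateway of the kind the terminology section calls for (session records built from interim events), which also enforces the accounting requirements listed earlier: every event must match a prior authorization, carry a timestamp inside a real-time window, and never be accepted twice, while the record format stays extensible for service-specific usage. This is an added Python example, not code from the RFC; the event fields, the cumulative-counter convention, the window length and the sample event stream are constructed for it.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SessionRecord:
    session_id: str
    nai: str
    auth_id: str
    start: int
    stop: Optional[int] = None
    octets_in: int = 0
    octets_out: int = 0
    services: dict = field(default_factory=dict)   # extensible per-service usage

    @property
    def duration(self):
        return None if self.stop is None else self.stop - self.start


class AccountingGateway:
    REQUIRED = {"type", "session_id", "auth_id", "seq", "timestamp"}

    def __init__(self, realtime_window=300):
        self.window = realtime_window
        self.authorizations = {}   # auth_id -> NAI, noted when the AAAH said yes
        self.open = {}             # session_id -> record in progress
        self.seen = set()          # (session_id, seq): replay protection
        self.closed = []           # finished session records

    def note_authorization(self, auth_id, nai):
        self.authorizations[auth_id] = nai

    def process(self, event, now):
        missing = self.REQUIRED - event.keys()
        if missing:
            return "rejected: missing %s" % ",".join(sorted(missing))
        nai = self.authorizations.get(event["auth_id"])
        if nai is None:
            return "rejected: no matching authorization"
        if now - event["timestamp"] > self.window:
            return "rejected: outside real-time window"
        key = (event["session_id"], event["seq"])
        if key in self.seen:
            return "rejected: replayed event"
        self.seen.add(key)

        sid, kind = event["session_id"], event["type"]
        if kind == "start":
            if sid in self.open:
                return "rejected: duplicate start"
            self.open[sid] = SessionRecord(sid, nai, event["auth_id"], event["timestamp"])
            return "accepted"
        rec = self.open.get(sid)
        if rec is None:
            return "rejected: no open session"
        # Counters are cumulative per session (assumption), so the largest
        # value seen wins even if interim events arrive out of order.
        rec.octets_in = max(rec.octets_in, event.get("octets_in", 0))
        rec.octets_out = max(rec.octets_out, event.get("octets_out", 0))
        rec.services.update(event.get("services", {}))
        if kind == "stop":
            rec.stop = event["timestamp"]
            self.closed.append(self.open.pop(sid))
        return "accepted"


def demo():
    """Feed one constructed session through the gateway; returns the verdicts."""
    gw = AccountingGateway()
    gw.note_authorization("auth-1", "alice@home.example")
    t0 = 1_000_000
    events = [
        {"type": "start", "session_id": "s1", "auth_id": "auth-1", "seq": 1, "timestamp": t0},
        {"type": "interim", "session_id": "s1", "auth_id": "auth-1", "seq": 2, "timestamp": t0 + 60,
         "octets_in": 5000, "octets_out": 800, "services": {"qos-class": "gold"}},
        {"type": "interim", "session_id": "s1", "auth_id": "auth-1", "seq": 2, "timestamp": t0 + 60},
        {"type": "interim", "session_id": "s1", "auth_id": "auth-9", "seq": 3, "timestamp": t0 + 90},
        {"type": "stop", "session_id": "s1", "auth_id": "auth-1", "seq": 4, "timestamp": t0 + 120,
         "octets_in": 12000, "octets_out": 2100},
    ]
    verdicts = [gw.process(e, now=e["timestamp"] + 5) for e in events]
    stale = gw.process({"type": "stop", "session_id": "s1", "auth_id": "auth-1",
                        "seq": 5, "timestamp": t0}, now=t0 + 10_000)
    return verdicts, stale, gw.closed
```

The third and fourth events are the ones a billing dispute turns on: a replayed interim record and a record citing an authorization the AAAH never issued are both refused before they can inflate the session record.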
The AAA home domain and the HA home domain of the mobile node need not be part of the same administrative domain. Such a situation can occur if the home address of the mobile node is provided by one domain, e.g., an ISP that the mobile user uses while at home, and the authorization and accounting by another (specialized) domain, e.g., a credit card company. The foreign agent sends only the authentication information of the mobile node to the AAAL, which interfaces to the AAAH. After a successful authorization of the mobile node, the foreign agent is able to continue with the Mobile IP registration procedure. Such a scheme introduces more delay if the access to the AAA functionality and the Mobile IP protocol is sequentialized. Subsequent registrations would be handled according to RFC 2002 [13] without further interaction with the AAA. Whether to combine or separate the Mobile IP protocol data with/from the AAA messages is ultimately a policy decision. A separation of the Mobile IP protocol data and the AAA messages can be successfully accomplished only if the IP address of the mobile node's home agent is provided to the foreign agent performing the attendant function.
All needed AAA and Mobile IP functions SHOULD be processed during a single Internet traversal. This MUST be done without requiring AAA servers to process protocol messages sent to Mobile IP agents. The AAA servers MUST identify the Mobile IP agents and security associations necessary to process the Mobile IP registration, pass the necessary registration data to those Mobile IP agents, and remain uninvolved in the routing and authentication processing steps particular to Mobile IP registration.
For Mobile IP, the AAAL and the AAAH servers have the following additional general tasks:
- enable [re]authentication for Mobile IP registration
- authorize the mobile node (once its identity has been established) to use at least the set of resources for minimal Mobile IP functionality, plus potentially other services requested by the mobile node
- initiate accounting for service utilization
- use AAA protocol extensions specifically for including Mobile IP registration messages as part of the initial registration sequence to be handled by the AAA servers.
These tasks, and the resulting more specific tasks to be listed later in this section, are beneficially handled and expedited by the AAA servers shown in figure 1 because the tasks often happen together, and task processing needs access to the same data at the same time.
             Local Domain                          Home Domain
           +--------------+                  +----------------------+
           |   +------+   |                  |       +------+       |
           |   |      |   |                  |       |      |       |
           |   | AAAL |   |                  |       | AAAH |       |
           |   |      +------------------------------+      |       |
           |   +---+--+   |                  |       +--+---+       |
           |       |      |                  |          |           |
+------+   |   +---+--+   |                  |       +--+---+       |
|      |   |   |      |   |                  |       |      |       |
|  MN  +- -|- -+  FA  + -- -- -- -- -- -- -- -- -- --+  HA  |       |
|      |   |   |      |   |                  |       |      |       |
+------+   |   +------+   |                  |       +------+       |
           |              |                  |                      |
           +--------------+                  +----------------------+
Figure 3: AAA Servers with Mobile IP agents
图3:带有移动IP代理的AAA服务器
In the model in figure 1, the initial AAA transactions are handled without needing the home agent, but Mobile IP requires every registration to be handled between the home agent (HA) and the foreign agent (FA), as shown by the sparse dashed (lower) line in figure 3. This means that during the initial registration, something has to happen that enables the home agent and foreign agent to perform subsequent Mobile IP registrations. After the initial registration, the AAAH and AAAL in figure 3 would not be needed, and subsequent Mobile IP registrations would only follow the lower control path between the foreign agent and the home agent.
Any Mobile IP data that is sent by the FA through the AAAL to the AAAH MUST be considered opaque to the AAA servers. Authorization data needed by the AAA servers then MUST be delivered to them by the foreign agent from the data supplied by the mobile node. The foreign agent becomes a translation agent between the Mobile IP registration protocol and AAA.
As mentioned in section 3, nodes in two separate administrative domains often must take additional steps to guarantee their security and privacy, as well as the security and privacy of the data they are exchanging. In today's Internet, such security measures may be provided by using several different algorithms. Some algorithms rely on the existence of a public-key infrastructure [8]; others rely on distribution of symmetric keys to the communicating nodes [9]. AAA servers SHOULD be able to verify credentials using either style in their interactions with Mobile IP entities.
In order to enable subsequent registrations, the AAA servers MUST be able to perform some key distribution during the initial Mobile IP registration process from any particular administrative domain.
This key distribution MUST be able to provide the following security functions:
- identify or create a security association between MN and home agent (HA); this is required for the MN to produce the [re]authentication data for the MN--HA authentication extension, which is mandatory on Mobile IP registrations.
- identify or create a security association between mobile node and foreign agent, for use with subsequent registrations at the same foreign agent, so that the foreign agent can continue to obtain assurance that the same mobile node has requested the continued authorization for Mobile IP services.
- identify or create a security association between home agent and foreign agent, for use with subsequent registrations at the same foreign agent, so that the foreign agent can continue to obtain assurance that the same home agent has continued the authorization for Mobile IP services for the mobile node.
- participate in the distribution of the security association (and Security Parameter Index, or SPI) to the Mobile IP entities.
- The AAA server MUST also be able to validate certificates provided by the mobile node and provide a reliable indication to the foreign agent.
- The AAAL SHOULD accept an indication from the foreign agent about the acceptable lifetime for its security associations with the mobile node and/or the mobile node's home agent. The lifetime of those security associations SHOULD be an integer multiple of the registration lifetime offered by the foreign agent to the mobile node. This MAY allow Mobile IP reauthentication to take place without any reauthentication at the AAA level, thereby shortening the time required for mobile node reregistration.
- The AAA servers SHOULD be able to condition their acceptance of a Mobile IP registration authorization depending upon whether the registration requires broadcast or multicast service to the mobile node tunneled through the foreign agent.
- In addition, reverse tunneling may also be a necessary requirement for mobile node connectivity. Therefore, AAA servers SHOULD also be able to condition their acceptance of Mobile IP registration authorization depending upon whether the registration requires reverse tunneling support to the home domain through the foreign agent.
The lifetime of any security associations distributed by the AAA server for use with Mobile IP SHOULD be great enough to avoid too-frequent initiation of the AAA key distribution, since each invocation of this process is likely to cause lengthy delays between [re]registrations [5]. Registration delays in Mobile IP cause dropped packets and noticeable disruptions in service. Note that any key distributed by the AAAH to the foreign agent and home agent MAY be used to initiate Internet Key Exchange (IKE) [7].
Note further that the mobile node and home agent may well have a security association established that does not depend upon any action by the AAAH.
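The following is an added example, not code from this document or from any Mobile IP implementation, of the key distribution and lifetime rules listed above: the AAAH mints MN-HA, MN-FA and FA-HA associations whose lifetime is an integer multiple of the foreign agent's registration lifetime, and the home agent then authenticates reregistrations locally until that lifetime runs out. Everything RFC 2977 leaves open is an assumption here: keys are derived with HMAC-SHA256 from the MN-AAAH shared secret, a label and a fresh nonce (returned to the MN so it can derive its own copies); SPIs are drawn from the range RFC 2002 does not reserve; and the Mobile-Home Authentication Extension (type 32) carries an HMAC-SHA256 authenticator rather than the keyed-MD5 of RFC 2002. Addresses and timestamps are constructed.

```python
import hashlib
import hmac
import os
import struct

# Assumptions for this example (not specified by RFC 2977): HMAC-SHA256 key
# derivation, SPIs outside the reserved range 0-255, and an HMAC-SHA256
# authenticator in the Mobile-Home Authentication Extension (type 32).
MH_AUTH_EXT_TYPE = 32
AUTH_LEN = 32
REQ_FMT = "!BBH4s4s4sQ"   # type, flags, lifetime, home addr, HA addr, care-of addr, identification
REQ_LEN = struct.calcsize(REQ_FMT)   # 24 bytes, as in RFC 2002


class SA:
    """A security association the AAAH distributes for Mobile IP use."""

    def __init__(self, peers, spi, key, lifetime, issued_at):
        self.peers, self.spi, self.key = peers, spi, key
        self.expires_at = issued_at + lifetime

    def valid_at(self, now):
        return now < self.expires_at


def derive_key(master, label, nonce):
    return hmac.new(master, label.encode() + nonce, hashlib.sha256).digest()


def aaah_distribute_keys(mn_nai, mn_aaah_secret, fa_id, ha_id, reg_lifetime, multiple, now):
    """AAAH side: mint the MN-HA, MN-FA and FA-HA associations for one mobile node.

    The SA lifetime is an integer multiple of the registration lifetime the FA
    offered, so reregistrations inside it never return to the AAA servers."""
    if multiple < 1:
        raise ValueError("SA lifetime must cover at least one registration lifetime")
    nonce = os.urandom(16)
    sas = {}
    for peers in (("MN", "HA"), ("MN", "FA"), ("FA", "HA")):
        label = "%s-%s|%s|%s|%s" % (peers[0], peers[1], mn_nai, fa_id, ha_id)
        key = derive_key(mn_aaah_secret, label, nonce)
        # SPI values 0 through 255 are reserved by RFC 2002; draw from the rest.
        digest = hashlib.sha256(label.encode() + nonce).digest()
        spi = 256 + int.from_bytes(digest[:4], "big") % (2 ** 32 - 256)
        sas[peers] = SA(peers, spi, key, multiple * reg_lifetime, now)
    return sas, nonce


def registration_request(home_addr, ha_addr, coa, lifetime, identification):
    """RFC 2002 Registration Request header (type 1, no flags set)."""
    return struct.pack(REQ_FMT, 1, 0, lifetime, home_addr, ha_addr, coa, identification)


def mn_sign(request, mn_ha_sa):
    """Append the Mobile-Home Authentication Extension; the authenticator covers
    the request plus the extension's type, length and SPI fields."""
    ext_hdr = struct.pack("!BBI", MH_AUTH_EXT_TYPE, 4 + AUTH_LEN, mn_ha_sa.spi)
    auth = hmac.new(mn_ha_sa.key, request + ext_hdr, hashlib.sha256).digest()
    return request + ext_hdr + auth


class HomeAgent:
    def __init__(self):
        self.sas_by_spi = {}
        self.last_ident = {}   # home address -> last accepted identification

    def install(self, sa):
        self.sas_by_spi[sa.spi] = sa

    def verify(self, msg, now):
        """True only for an unexpired MN-HA SA, a matching authenticator and a
        fresh identification value; anything else sends the MN back to AAA."""
        if len(msg) != REQ_LEN + 6 + AUTH_LEN:
            return False
        ext_type, ext_len, spi = struct.unpack("!BBI", msg[REQ_LEN:REQ_LEN + 6])
        if ext_type != MH_AUTH_EXT_TYPE or ext_len != 4 + AUTH_LEN:
            return False
        sa = self.sas_by_spi.get(spi)
        if sa is None or sa.peers != ("MN", "HA") or not sa.valid_at(now):
            return False
        expected = hmac.new(sa.key, msg[:REQ_LEN + 6], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg[REQ_LEN + 6:]):
            return False
        home_addr = msg[4:8]
        ident = struct.unpack("!Q", msg[16:24])[0]
        if ident <= self.last_ident.get(home_addr, -1):
            return False   # replayed or stale identification
        self.last_ident[home_addr] = ident
        return True


def run_scenario():
    """Initial registration, a reregistration inside the SA lifetime, then three
    rejections: a tampered request, a replay, and a request after SA expiry."""
    secret = os.urandom(32)   # MN-AAAH shared secret, constructed for this run
    t0, reg_lifetime = 1_000_000, 300
    sas, _nonce = aaah_distribute_keys("mn@example.net", secret, "fa1", "ha1",
                                       reg_lifetime, multiple=4, now=t0)
    ha = HomeAgent()
    ha.install(sas[("MN", "HA")])
    ha.install(sas[("FA", "HA")])
    mn_ha = sas[("MN", "HA")]
    home, hagent, coa = b"\x0a\x00\x00\x02", b"\x0a\x00\x00\x01", b"\xc0\x00\x02\x05"
    first = mn_sign(registration_request(home, hagent, coa, reg_lifetime, t0), mn_ha)
    second = mn_sign(registration_request(home, hagent, coa, reg_lifetime, t0 + 290), mn_ha)
    tampered = bytearray(second)
    tampered[3] ^= 0xFF   # flip a byte of the requested lifetime
    late = mn_sign(registration_request(home, hagent, coa, reg_lifetime, t0 + 1200), mn_ha)
    return {
        "initial": ha.verify(first, t0),
        "reregistration": ha.verify(second, t0 + 290),
        "tampered": ha.verify(bytes(tampered), t0 + 291),
        "replay": ha.verify(second, t0 + 292),
        "after_expiry": ha.verify(late, t0 + 1200),
    }
```

The expiry case is the point of the lifetime rule: with a multiple of 4, three reregistrations go through the FA-HA path alone, and only the fourth forces a new AAA traversal.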
According to section 4, many people would like their mobile nodes to be identified by their NAI, and to obtain a dynamically allocated home address for use in the foreign domain. These people may often be unconcerned with details about how their computers implement Mobile IP, and indeed may not have any knowledge of their home agent or any security association except that between themselves and the AAAH (see figure 2). In this case the Mobile IP registration data has to be carried along with the AAA messages. The AAA home domain and the HA home domain have to be part of the same administrative domain.
Mobile IP requires that the home address assigned to the mobile node belong to the same subnet as the home agent providing service to the mobile node. For effective use of IP home addresses, the home AAA (AAAH) SHOULD be able to select a home agent for use with the newly allocated home address. In many cases, the mobile node will already know the address of its home agent, even if the mobile node does not already have an existing home address. Therefore, the home AAA (AAAH) MUST be able to coordinate the allocation of a home address with a home agent that might be designated by the mobile node.
Allocating a home address and a home agent for the mobile would provide a further simplification in the configuration needs for the client's mobile node. Currently, in the Proposed Standard Mobile IP specification [13] a mobile node has to be configured with a home address and the address of a home agent, as well as with a security association with that home agent. In contrast, the proposed AAA features would only require the mobile node to be configured with its NAI and a secure shared secret for use by the AAAH. The mobile node's home address, the address of its home agent, the security association between the mobile node and the home agent, and even the identity (DNS name or IP address) of the AAAH can all be dynamically determined as part of Mobile IP initial registration with the mobility agent in the foreign domain (i.e., a foreign agent with AAA interface features). Nevertheless, the mobile node may choose to include the MN-HA security extension as well as AAA credentials, and the proposed Mobile IP and AAA server model MUST work when both are present.
The reason for all this simplification is that the NAI encodes the client's identity as well as the name of the client's home domain; this follows existing industry practice for the way NAIs are used today (see section 4). The home domain name is then available for use by the local AAA (AAAL) to locate the home AAA serving the client's home domain. In the general model, the AAAL would also have to identify the appropriate security association for use with that AAAH. Section 6 discusses a way to reduce the number of security associations that have to be maintained between pairs of AAA servers such as the AAAL and AAAH just described.
Mobile IP has encountered some deployment difficulties related to firewall traversal; see for instance [11]. Since the firewall and AAA server can be part of the same administrative domain, we propose that the AAA server SHOULD be able to issue control messages and keys to the firewall at the boundary of its administrative domain that will configure the firewall to be permeable to Mobile IP registration and data traffic from the mobile node.
           +-------------------------+             +--------------+
           |  +------+    +------+   |             | +------+     |
           |  |      |    |      |   |             | |      |     |
           |  |  HA  +----+ AAAL |   |             | | AAAH |     |
           |  |      |    |      +-------------------+      |     |
           |  +-+----+    +---+--+   |             | +------+     |
           |    |             |      |             | Home Domain  |
           |    |  +- - - - - +      |             +--------------+
+------+   |  +-+--+-+               |
|      |   |  |      |               |
|  MN  +------+  FA  |               |
|      |   |  |      |  Local Domain |
+------+   |  +------+               |
           +-------------------------+

Figure 4: Home Agent Allocated by AAAL
In some Mobile IP models, mobile nodes boot on subnets which are technically foreign subnets, but the services they need are local, and hence communication with the home subnet as if they were residing on the home is not necessary. As long as the mobile node can get an address routable from within the current domain (be it publicly, or privately addressed) it can use Mobile IP to roam around that domain, calling the subnet on which it booted its temporary home. This address is likely to be dynamically allocated upon request by the mobile node.
In such situations, when the client is willing to use a dynamically allocated IP address and does not have any preference for the location of the home network (either geographical or topological), the local AAA server (AAAL) may be able to offer this additional allocation service to the client. Then, the home agent will be located in the local domain, which is likely to offer smaller delays for new Mobile IP registrations.
In figure 4, the AAAL has received a request from the mobile node to allocate a home agent in the local domain. The new home agent receives keys from the AAAL to enable future Mobile IP registrations. From the picture, it is evident that such a configuration avoids problems with firewall protection at the domain boundaries, such as were described briefly in section 5.2. On the other hand, this configuration makes it difficult for the mobile node to receive data from any communications partners in the mobile node's home administrative domain. Note that, in this model, the mobile node's home address is affiliated with the foreign domain for routing purposes. Thus, any dynamic update to DNS, to associate the mobile node's home FQDN (Fully Qualified Domain Name [10]) with its new IP address, will require insertion of a foreign IP address into the home DNS server database.
Since the AAAL is expected to be enabled to allocate a local home agent upon demand, we can make a further simplification. In cases where the AAAL can manage any necessary authorization function locally (e.g., if the client pays with cash or a credit card), then there is no need for an AAA protocol or infrastructure to interact with the AAAH. The resulting simple configuration is illustrated in figure 5.
In this simplified model, we may consider that the role of the AAAH is taken over either by a national government (in the case of a cash payment), or by a card authorization service if payment is by credit card, or some such authority acceptable to all parties. Then, the AAAL expects those external authorities to guarantee the value represented by the client's payment credentials (cash or credit). There are likely to be other cases where clients are granted access to local resources, or access to the Internet, without any charges at all. Such configurations may be found in airports and other common areas where business clients are likely to spend time. The service provider may find sufficient reward in the goodwill of the clients, or from advertisements displayed on Internet portals that are to be used by the clients. In such situations, the AAAL SHOULD still allocate a home agent, appropriate keys, and the mobile node's home address.

           +-------------------------+
           |  +------+    +------+   |
           |  |      |    |      |   |
           |  |  HA  +----+ AAAL |   |
           |  |      |    |      |   |
           |  +--+---+    +----+-+   |
           |     |             |     |
           |     +- - - - - +  |     |
+------+   |              +-+--+-+   |
|      |   |              |      |   |
|  MN  +- -|- - - - - - - +  FA  |   |
|      |   |              |      |   |
+------+   |              +------+   |
           |      Local Domain       |
           +-------------------------+

Figure 5: Local Payment for Local Mobile IP services
Since the movement from coverage area to coverage area may be frequent in Mobile IP networks, it is imperative that the latency involved in the handoff process be minimized. See, for instance, the Route Optimization document [15] for one way to do this using Binding Updates. When the mobile node enters a new visited subnet, it would be desirable for it to provide the previous foreign agent's NAI. The new FA can use this information either to contact the previous FA to retrieve the KDC session key information, or to attempt to retrieve the keys from the AAAL. If the AAAL cannot provide the necessary keying information, the request will have to be sent to the mobile node's AAAH to retrieve new keying information. After initial authorization, further authorizations SHOULD be done locally within the Local Domain.
When a MN moves into a new foreign subnet as a result of a handover and is now served by a different FA, the AAAL in this domain may contact the AAAL in the domain that the MN has just been handed off from to verify the authenticity of the MN and/or to obtain the session keys. The new serving AAAL may determine the address of the AAAL in the previously visited domain from the previous FA NAI information supplied by the MN.
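An added example, not code from this document, of the retrieval chain the two paragraphs above describe: the new FA asks the previous FA first, then its AAAL, and the AAAL in turn asks the previous domain's AAAL (found from the realm of the previous FA's NAI, the user@realm form of RFC 2486 that the NAI discussion earlier in this section relies on) before falling back to the AAAH. The entity classes, the message shapes, the per-domain FA directory and the cache policy are assumptions made for this simulation; the key material is a placeholder, and every record is checked against the MN it was issued for and its lifetime before it is reused.

```python
# Constructed simulation of the handoff key-retrieval chain; entity classes,
# directories and cache policy are assumptions, not RFC 2977 protocol elements.


def realm_of(nai):
    """Realm part of a user@realm NAI (RFC 2486); it names the administrative domain."""
    if "@" not in nai:
        raise ValueError("not an NAI: %r" % nai)
    return nai.rsplit("@", 1)[1].lower()


class KeyRecord:
    def __init__(self, mn_nai, keys, expires_at):
        self.mn_nai, self.keys, self.expires_at = mn_nai, keys, expires_at

    def usable_for(self, mn_nai, now):
        # Keys are bound to the MN they were issued for and to their lifetime.
        return self.mn_nai == mn_nai and now < self.expires_at


class AAAH:
    """Home authority; issuing keys here is the slow, cross-domain path."""

    def __init__(self, lifetime):
        self.lifetime, self.issued = lifetime, 0

    def issue(self, mn_nai, now):
        self.issued += 1
        return KeyRecord(mn_nai, {"MN-FA": "k%d" % self.issued}, now + self.lifetime)


class AAAL:
    def __init__(self, domain, aaah):
        self.domain, self.aaah = domain, aaah
        self.cache, self.peers, self.fas = {}, {}, {}   # keys, other AAALs, local FAs

    def lookup(self, mn_nai, now):
        rec = self.cache.get(mn_nai)
        return rec if rec and rec.usable_for(mn_nai, now) else None

    def get_keys(self, mn_nai, prev_fa_nai, now):
        rec = self.lookup(mn_nai, now)
        if rec:
            return rec, "AAAL cache"
        # Cross-domain handoff: ask the AAAL of the domain the previous FA's NAI names.
        if prev_fa_nai and realm_of(prev_fa_nai) != self.domain:
            prev_aaal = self.peers.get(realm_of(prev_fa_nai))
            rec = prev_aaal.lookup(mn_nai, now) if prev_aaal else None
            if rec:
                self.cache[mn_nai] = rec
                return rec, "previous-domain AAAL"
        rec = self.aaah.issue(mn_nai, now)
        self.cache[mn_nai] = rec
        return rec, "AAAH"


class FA:
    def __init__(self, nai, aaal):
        self.nai, self.aaal, self.sessions = nai, aaal, {}
        aaal.fas[nai] = self

    def attach(self, mn_nai, prev_fa_nai, now):
        """Return the source that supplied the MN's keys, cheapest path first."""
        prev = self.aaal.fas.get(prev_fa_nai) if prev_fa_nai else None
        rec = prev.sessions.get(mn_nai) if prev else None
        if rec and rec.usable_for(mn_nai, now):
            source = "previous FA"
        else:
            rec, source = self.aaal.get_keys(mn_nai, prev_fa_nai, now)
        self.sessions[mn_nai] = rec
        return source


def run_handoffs():
    """Five attachments of one MN; returns the key source used at each and the
    number of times the AAAH had to be consulted."""
    aaah = AAAH(lifetime=600)
    aaal_a, aaal_b = AAAL("a.example", aaah), AAAL("b.example", aaah)
    aaal_b.peers["a.example"] = aaal_a      # AAAL-AAAL association, assumed already set up
    fa1, fa2 = FA("fa1@a.example", aaal_a), FA("fa2@a.example", aaal_a)
    fa3 = FA("fa3@b.example", aaal_b)
    mn = "mn@home.example"
    trace = [fa1.attach(mn, None, 0)]             # first attach: AAAH must be consulted
    trace.append(fa2.attach(mn, fa1.nai, 100))    # same domain: previous FA hands keys over
    fa2.sessions.clear()                          # previous FA has lost its state
    trace.append(fa1.attach(mn, fa2.nai, 200))    # fall back to the AAAL cache
    trace.append(fa3.attach(mn, fa1.nai, 300))    # new domain: its AAAL asks the previous AAAL
    trace.append(fa3.attach(mn, fa3.nai, 700))    # keys expired: back to the AAAH
    return trace, aaah.issued
```

Only the first attachment and the one after the keys expire reach the AAAH; the three handoffs in between are served inside the visited domains, which is what "further authorizations SHOULD be done locally" buys.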
The picture in Figure 1 shows a configuration in which the local and the home authority have to share trust. Depending on the security model used, this configuration can cause a quadratic growth in the number of trust relationships, as the number of AAA authorities (AAAL and AAAH) increases. This has been identified as a problem by the roamops working group [3], and any AAA proposal MUST solve this problem. Using brokers solves many of the scalability problems associated with requiring direct business/roaming relationships between every two administrative domains. In order to provide scalable networks in highly diverse service provider networks in which there are many domains (e.g., many service providers and large numbers of private networks), multiple layers of brokers MUST be supported for both of the broker models described.
Integrity or privacy of information between the home and serving domains may be achieved by either hop-by-hop security associations or end-to-end security associations established with the help of the broker infrastructure. A broker may play the role of a proxy between two administrative domains which have security associations with the broker, and relay AAA messages back and forth securely.
Alternatively, a broker may help two domains that each have a security association with the broker, but no direct association with each other, to establish a security association of their own, so that the messages between the domains bypass the broker. This may be done by having the broker relay a shared secret key to both of the domains that are trying to establish secure communication, and then having the domains use the key supplied by the broker to set up a security association.
Assuming that the AAAB accepts responsibility for payment to the serving domain on behalf of the home domain, the serving domain is assured of receiving payments for services offered. However, the redirection broker will usually require a copy of authorization messages from the home domain and accounting messages from the serving domain, in order for the broker to determine if it is willing to accept responsibility for the services being authorized and utilized. If the broker does not accept such responsibility for any reason, then it must be able to terminate service to a mobile node in the serving network. In the event that multiple brokers are involved, in most situations all brokers must be so copied. This may represent an additional burden on foreign agents and AAALs.
Though this mechanism may reduce latency in the transit of messages between the domains after the broker has completed its involvement, there may be many more messages involved as a result of additional copies of authorization and accounting messages to the brokers involved. There may also be additional latency for initial access to the network, especially when a new security association needs to be created between AAAL and AAAH (for example, from the use of ISAKMP). These delays may become important factors for latency-critical applications.
             Local Domain                           Home Domain
           +--------------+               +----------------------+
           |   +------+   |   +------+    |   +------+           |
           |   |      |   |   |      |    |   |      |           |
           |   | AAAL +-------+ AAAB +--------+ AAAH |           |
           |   |      |   |   |      |    |   |      |           |
           |   +---+--+   |   +------+    |   +------+           |
           |       |      |               |                      |
           |       |      |               +----------------------+
+------+   |   +---+--+   |
|      |   |   |      |   |        C = client
|  C   +- -|- -+  A   |   |        A = attendant
|      |   |   |      |   |        AAAL = local authority
+------+   |   +------+   |        AAAH = home authority
           |              |        AAAB = broker authority
           +--------------+

Figure 6: AAA Servers Using a Broker
The AAAB in figure 6 is the broker's authority server. The broker acts as a settlement agent, providing security and a central point of contact for many service providers and enterprises.
The AAAB enables the local and home domains to cooperate without requiring each of the networks to have a direct business or security relationship with all the other networks. Thus, brokers offer the needed scalability for managing trust relationships between otherwise independent network domains. Use of the broker does not preclude managing separate trust relationships between domains, but it does offer an alternative to doing so. Just as with the AAAH and AAAL (see section 5), data specific to Mobile IP control messages MUST NOT be processed by the AAAB. Any credentials or accounting data to be processed by the AAAB must be present in AAA message units, not extracted from Mobile IP protocol extensions.
The following requirements come mostly from [2], which discusses use of brokers in the particular case of authorization for roaming dial-up users.
- allowing management of trust with external domains by way of brokered AAA.
- accounting reliability. Accounting data that traverses the Internet may suffer substantial packet loss. Since accounting packets may traverse one or more intermediate authorization points (e.g., brokers), retransmission is needed from intermediate points to avoid long end-to-end delays.
- end-to-end security. The Local Domain and Home Domain must be able to verify signatures within the message, even though the message is passed through an intermediate authority server.
- Since the AAAH in the home domain MAY be sending sensitive information, such as registration keys, the broker MUST be able to pass encrypted data between the AAA servers.
The need for end-to-end security results from the following attacks, which were identified when brokered operation uses RADIUS [16] (see [2] for more information on the individual attacks):
+ Message editing
+ Attribute editing
+ Theft of shared secrets
+ Theft and modification of accounting data
+ Replay attacks
+ Connection hijacking
+ Fraudulent accounting
These are serious problems which cannot be allowed to persist in any acceptable AAA protocol and infrastructure.
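An added example, not code from this document, RADIUS or any broker product, of the end-to-end requirement the list above motivates: an AAAH reply carrying a registration key for the serving domain is relayed through an AAAB. Each hop is protected by the association that hop shares with the broker, but the key itself travels in a field encrypted and authenticated end-to-end under a key only the AAAH and AAAL hold (the broker-relayed key of the previous subsection is assumed to be in place already). The broker cannot read that field, and if it edits an attribute (the "attribute editing" attack listed above) the next hop's check still passes while the end-to-end check at the AAAL fails. The message layout, attribute names and the keystream cipher are assumptions for this example; the cipher is a stand-in built from HMAC-SHA256 so that the code runs on the standard library alone, and a real deployment would use an AEAD.

```python
import hashlib
import hmac
import os
import struct

# Constructed example: hop-by-hop MACs to and from the broker, plus an
# end-to-end encrypted and authenticated field for the registration key.


def canonical(attrs):
    """Deterministic encoding of the AAA attributes covered by a MAC."""
    return "\n".join("%s=%s" % (k, attrs[k]) for k in sorted(attrs)).encode()


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; a stand-in for a real cipher (assumption)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(e2e_key, attrs, secret):
    """Encrypt the secret and bind it, with the clear attributes, to the e2e key."""
    nonce = os.urandom(12)
    ciphertext = bytes(a ^ b for a, b in zip(secret, keystream(e2e_key, nonce, len(secret))))
    tag = hmac.new(e2e_key, canonical(attrs) + nonce + ciphertext, hashlib.sha256).digest()
    return {"attrs": dict(attrs), "nonce": nonce, "ct": ciphertext, "e2e_tag": tag}


def open_sealed(e2e_key, msg):
    """Return the secret, or None if anything covered by the e2e tag changed."""
    covered = canonical(msg["attrs"]) + msg["nonce"] + msg["ct"]
    expected = hmac.new(e2e_key, covered, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg["e2e_tag"]):
        return None
    stream = keystream(e2e_key, msg["nonce"], len(msg["ct"]))
    return bytes(a ^ b for a, b in zip(msg["ct"], stream))


def hop_mac(hop_key, msg):
    body = canonical(msg["attrs"]) + msg["nonce"] + msg["ct"] + msg["e2e_tag"]
    return hmac.new(hop_key, body, hashlib.sha256).digest()


def send_hop(hop_key, msg):
    return dict(msg, hop_tag=hop_mac(hop_key, msg))


def receive_hop(hop_key, msg):
    inner = {k: v for k, v in msg.items() if k != "hop_tag"}
    return inner if hmac.compare_digest(hop_mac(hop_key, inner), msg["hop_tag"]) else None


def broker_relay(msg, key_from_home, key_to_serving, edit=None):
    """AAAB: check the inbound hop, optionally edit an attribute (the attack
    from the list above), and re-protect the message for the next hop."""
    inner = receive_hop(key_from_home, msg)
    if inner is None:
        return None
    if edit:
        inner["attrs"].update(edit)
    return send_hop(key_to_serving, inner)


def run_relay(edit=None):
    """AAAH -> AAAB -> AAAL; report what each check at the AAAL saw."""
    k_aaah_aaab, k_aaab_aaal, k_e2e = os.urandom(32), os.urandom(32), os.urandom(32)
    reg_key = os.urandom(16)     # registration key the AAAH is distributing (constructed)
    attrs = {"mn_nai": "mn@home.example", "home_addr": "10.0.0.2", "authorized_lifetime": 1200}
    msg = send_hop(k_aaah_aaab, seal(k_e2e, attrs, reg_key))          # AAAH -> AAAB
    forwarded = broker_relay(msg, k_aaah_aaab, k_aaab_aaal, edit)     # AAAB -> AAAL
    inner = receive_hop(k_aaab_aaal, forwarded)
    if inner is None:
        return {"hop_ok": False, "e2e_ok": False, "key_ok": False, "broker_can_read": False}
    recovered = open_sealed(k_e2e, inner)
    # The broker holds only the two hop keys; neither opens the sealed field.
    peek = open_sealed(k_aaah_aaab, inner) or open_sealed(k_aaab_aaal, inner)
    return {
        "hop_ok": True,
        "e2e_ok": recovered is not None,
        "key_ok": recovered == reg_key,
        "broker_can_read": peek is not None,
    }
```

Run `run_relay()` for the honest path and `run_relay(edit={"authorized_lifetime": 86400})` for a broker that inflates the authorized lifetime: the hop check at the AAAL cannot tell the two apart, which is exactly why the text requires that signatures be verifiable across the intermediate authority server.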
This is a requirements document for AAA based on Mobile IP. Because AAA is security driven, most of this document addresses the security considerations AAA MUST make on behalf of Mobile IP. As with any security proposal, adding more entities that interact using security protocols creates new administrative requirements for maintaining the appropriate security associations between the entities. In the case of the AAA services proposed, however, these administrative requirements are natural, and already well understood in today's Internet because of experience with dial-up network access.
The main difference between Mobile IP for IPv4 and Mobile IPv6 is that in IPv6 there is no foreign agent. The attendant function, therefore, has to be located elsewhere. Logical repositories for that function are either at the local router, for stateless address autoconfiguration, or else at the nearest DHCPv6 server, for stateful address autoconfiguration. In the latter case, it is possible that there would be a close relationship between the DHCPv6 server and the AAALv6, but we believe that the protocol functions should still be maintained separately.
The MN-NAI would be equally useful for identifying the mobile node to the AAALv6, as is described in earlier sections of this document.
Thanks to Gopal Dommety and Basavaraj Patil for participating in the Mobile IP subcommittee of the aaa-wg which was charged with formulating the requirements detailed in this document. Thanks to N. Asokan for perceptive comments to the mobile-ip mailing list. Some of the text of this document was taken from a draft co-authored by Pat Calhoun. Patrik Flykt suggested text about allowing AAA home domain functions to be separated from the domain managing the home address of the mobile computer.
The requirements in section 5.5 and section 3.1 were taken from a draft submitted by members of the TIA's TR45.6 Working Group. We would like to acknowledge the work done by the authors of that draft: Tom Hiller, Pat Walsh, Xing Chen, Mark Munson, Gopal Dommety, Sanjeevan Sivalingham, Byng-Keun Lim, Pete McCann, Brent Hirschman, Serge Manning, Ray Hsu, Hang Koo, Mark Lipford, Pat Calhoun, Eric Jaques, Ed Campbell, and Yingchun Xu.
References
[1] Aboba, B. and M. Beadles, "The Network Access Identifier", RFC 2486, January 1999.
[2] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy Implementation in Roaming", RFC 2607, June 1999.
[3] Aboba, B. and G. Zorn, "Criteria for Evaluating Roaming Protocols", RFC 2477, December 1998.
[4] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[5] Ramon Caceres and Liviu Iftode. Improving the Performance of Reliable Transport Protocols in Mobile Computing Environments. IEEE Journal on Selected Areas in Communications, 13(5):850--857, June 1995.
[6] Calhoun, P. and C. Perkins, "Mobile IP Network Address Identifier Extension", RFC 2794, March 2000.
[7] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998.
[8] Housley, R., Ford, W., Polk, T. and D. Solo, "Internet X.509 Public Key Infrastructure Certificate and CRL Profile", RFC 2459, January 1999.
[9] Kohl, J. and C. Neuman, "The Kerberos Network Authentication Service (V5)", RFC 1510, September 1993.
[10] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, November 1987.
[11] Montenegro, G. and V. Gupta, "Sun's SKIP Firewall Traversal for Mobile IP", RFC 2356, June 1998.
[12] Perkins, C., "IP Encapsulation within IP", RFC 2003, October 1996.
[13] Perkins, C., "IP Mobility Support", RFC 2002, October 1996.
[14] Perkins, C., "Minimal Encapsulation within IP", RFC 2004, October 1996.
[15] Perkins, C. and D. Johnson, "Route Optimization in Mobile IP", Work in Progress.
[16] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote Authentication Dial In User Service (RADIUS)", RFC 2138, April 1997.
[17] Solomon, J. and S. Glass, "Mobile-IPv4 Configuration Option for PPP IPCP", RFC 2290, February 1998.
Addresses
地址
The working group can be contacted via the current chairs:
可通过现任主席联系工作组:
Basavaraj Patil Nokia 6000 Connection Drive Irving, TX 75039 USA
美国德克萨斯州欧文市Basavaraj Patil诺基亚6000连接驱动器75039
Phone: +1 972-894-6709 EMail: Basavaraj.Patil@nokia.com
Phone: +1 972-894-6709 EMail: Basavaraj.Patil@nokia.com
Phil Roberts Motorola 1501 West Shure Drive Arlington Heights, IL 60004 USA
美国伊利诺伊州阿灵顿高地舒尔西路1501号菲尔·罗伯茨摩托罗拉60004
Phone: +1 847-632-3148 EMail: QA3445@email.mot.com
Phone: +1 847-632-3148 EMail: QA3445@email.mot.com
Questions about this memo can be directed to:
有关本备忘录的问题,请联系:
Pat R. Calhoun Network and Security Center Sun Microsystems Laboratories 15 Network Circle Menlo Park, California 94025 USA
Pat R.Calhoun网络和安全中心太阳微系统实验室美国加利福尼亚州门罗公园网络圈15号94025
Phone: +1 650-786-7733 Fax: +1 650-786-6445 EMail: pcalhoun@eng.sun.com
Phone: +1 650-786-7733 Fax: +1 650-786-6445 EMail: pcalhoun@eng.sun.com
Gopal Dommety IOS Network Protocols Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA
Phone: +1-408-525-1404 Fax: +1 408-526-4952 EMail: gdommety@cisco.com
Steven M. Glass Sun Microsystems 1 Network Drive Burlington, MA 01803 USA
Phone: +1-781-442-0504 EMail: steven.glass@sun.com
Stuart Jacobs Secure Systems Department GTE Laboratories 40 Sylvan Road Waltham, MA 02451-1128 USA
Phone: +1 781-466-3076 Fax: +1 781-466-2838 EMail: sjacobs@gte.com
Tom Hiller Lucent Technologies Rm 2F-218 263 Shuman Blvd Naperville, IL 60566 USA
Phone: +1 630 979 7673 Fax: +1 630 713 3663 EMail: tomhiller@lucent.com
Peter J. McCann Lucent Technologies Rm 2Z-305 263 Shuman Blvd Naperville, IL 60566 USA
Phone: +1 630 713 9359 Fax: +1 630 713 4982 EMail: mccap@lucent.com
Basavaraj Patil Nokia 6000 Connection Drive Irving, TX 75039 USA
Phone: +1 972-894-6709 Fax: +1 972-894-5349 EMail: Basavaraj.Patil@nokia.com
Charles E. Perkins Communications Systems Lab Nokia Research Center 313 Fairchild Drive Mountain View, California 94043 USA
Phone: +1-650 625-2986 Fax: +1 650 625-2502 EMail: charliep@iprg.nokia.com
Full Copyright Statement
Copyright (C) The Internet Society (2000). All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the Internet Society.