Network Working Group                                         C. Perkins
Request for Comments: 3012                         Nokia Research Center
Category: Standards Track                                     P. Calhoun
                                           Sun Microsystems Laboratories
                                                           November 2000
        

Mobile IPv4 Challenge/Response Extensions

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2000). All Rights Reserved.

Abstract

Mobile IP, as originally specified, defines an authentication extension (the Mobile-Foreign Authentication extension) by which a mobile node can authenticate itself to a foreign agent. Unfortunately, this extension does not provide ironclad replay protection for the foreign agent, and does not allow for the use of existing techniques (such as CHAP) for authenticating portable computer devices. In this specification, we define extensions for the Mobile IP Agent Advertisements and the Registration Request that allow a foreign agent to use a challenge/response mechanism to authenticate the mobile node.

Table of Contents

    1. Introduction
    2. Mobile IP Agent Advertisement Challenge Extension
    3. Operation
        3.1. Mobile Node Processing for Registration Requests
        3.2. Foreign Agent Processing for Registration Requests
        3.3. Foreign Agent Processing for Registration Replies
        3.4. Home Agent Processing for the Challenge Extensions
    4. MN-FA Challenge Extension
    5. Generalized Mobile IP Authentication Extension
    6. MN-AAA Authentication subtype
    7. Reserved SPIs for Mobile IP
    8. SPI For RADIUS AAA Servers
    9. Configurable Parameters
   10. Error Values
   11. IANA Considerations
   12. Security Considerations
   13. Acknowledgements
   References
    A. Verification Infrastructure
   Addresses
   Full Copyright Statement
        
1. Introduction

Mobile IP, as originally specified, defines an authentication extension (the Mobile-Foreign Authentication extension) by which a mobile node can authenticate itself to a foreign agent.

Unfortunately, this extension does not provide ironclad replay protection, from the point of view of the foreign agent, and does not allow for the use of existing techniques (such as CHAP [12]) for authenticating portable computer devices. In this specification, we define extensions for the Mobile IP Agent Advertisements and the Registration Request that allow a foreign agent to use a challenge/response mechanism to authenticate the mobile node.

All SPI values defined in this document refer to values for the Security Parameter Index, as defined in RFC 2002 [8]. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [1].

2. Mobile IP Agent Advertisement Challenge Extension

This section defines a new extension to the Router Discovery Protocol [3] for use by foreign agents that need to issue a challenge for authenticating mobile nodes.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Length     |          Challenge ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        

Figure 1: The Challenge Extension

      Type        24

      Length      The length of the Challenge value in bytes; SHOULD be
                  at least 4

      Challenge   A random value that SHOULD be at least 32 bits.

The Challenge extension, illustrated in figure 1, is inserted in the Agent Advertisements by the Foreign Agent, in order to communicate the latest challenge value that can be used by the mobile node to compute an authentication for its registration request message. The challenge is selected by the foreign agent to provide local assurance that the mobile node is not replaying any earlier registration request. Eastlake, et al. [4] provides more information on generating pseudo-random numbers suitable for use as values for the challenge.

3. Operation

This section describes modifications to the Mobile IP registration process which may occur after the Foreign Agent issues a Mobile IP Agent Advertisement containing the Challenge on its local link.

3.1. Mobile Node Processing for Registration Requests

Whenever the Agent Advertisement contains the Challenge extension, if the mobile node does not have a security association with the Foreign Agent, then it MUST include the Challenge value in a MN-FA Challenge extension to the Registration Request message. If, on the other hand, the mobile node does have a security association with the foreign agent, it SHOULD include the Challenge value in its Registration Request message.

If the Mobile Node has a security association with the Foreign Agent, it MUST include a Mobile-Foreign Authentication extension in its Registration Request message, according to the base Mobile IP specification [8]. When the Registration Request contains the MN-FA Challenge extension specified in section 4, the Mobile-Foreign Authentication MUST follow the Challenge extension in the Registration Request.

If the Mobile Node does not have a security association with the Foreign Agent, the Mobile Node MUST include the MN-AAA Authentication extension as defined in section 6. In addition, the Mobile Node SHOULD include the NAI extension [2], to enable the foreign agent to make use of any available verification infrastructure. The SPI field of the MN-AAA Authentication extension specifies the particular secret and algorithm (shared between the Mobile Node and the verification infrastructure) that must be used to perform the authentication. If the SPI value is chosen as CHAP_SPI (see section 9), then the mobile node specifies CHAP-style authentication [12] using MD5 [11].

In either case, the MN-FA Challenge extension and one of the above specified authentication extensions MUST follow the Mobile-Home Authentication extension, if present.

A successful Registration Reply from the Foreign Agent MAY include a new Challenge value (see section 3.3). The Mobile Node MAY use either the value found in the latest Advertisement, or the one found in the last Registration Reply from the Foreign Agent. This approach enables the Mobile Node to make use of the challenge without having to wait for advertisements.

A Mobile Node might receive an UNKNOWN_CHALLENGE error (see section 9) if it moves to a new Foreign Agent that cannot validate the challenge provided in the Registration Request. In such instances, the Mobile Node MUST use a new Challenge value in any new registration, obtained either from an Agent Advertisement, or from a Challenge extension to the Registration Reply containing the error.

A Mobile Node that does not include a Challenge when the Mobile-Foreign Authentication extension is present may receive a MISSING_CHALLENGE (see section 10) error. In this case, the foreign agent will not process the request from the mobile node unless the request contains a valid Challenge.

A Mobile Node that receives a BAD_AUTHENTICATION error code (see section 10) SHOULD include the MN-AAA Authentication Extension in the next Registration Request. This will make it possible for the Foreign Agent to use its AAA infrastructure in order to authenticate the Mobile Node.

3.2. Foreign Agent Processing for Registration Requests

Upon receipt of the Registration Request, if the Foreign Agent has issued a Challenge as part of its Agent Advertisements, and it does not have a security association with the mobile node, then the Foreign Agent MUST check that the MN-FA Challenge extension exists, and that it contains a challenge value previously unused by the Mobile Node. This ensures that the mobile node is not attempting to replay a previous advertisement and authentication. If the challenge extension is needed and does not exist, the Foreign Agent MUST send a Registration Reply to the mobile node with the error code MISSING_CHALLENGE.

A foreign agent that sends Agent Advertisements containing a Challenge value MAY send a Registration Reply message with a MISSING_CHALLENGE error if the mobile node sends a Registration Request with a Mobile-Foreign Authentication extension without including a Challenge. In other words, such a foreign agent MAY refuse to process a Registration Request from the mobile node unless the request contains a valid Challenge.

If a mobile node retransmits a Registration Request with the same Identification field and the same Challenge extension, and the Foreign Agent still has a pending Registration Request record in effect for the mobile node, then the Foreign Agent forwards the Registration Request to the Home Agent again. In all other circumstances, if the Foreign Agent receives a Registration Request with a Challenge extension containing a Challenge value previously used by that mobile node, the Foreign Agent SHOULD send a Registration Reply to the mobile node containing the Code value STALE_CHALLENGE.

The Foreign Agent MUST NOT accept any Challenge in the Registration Request unless it was offered in the last successful Registration Reply issued to the Mobile Node, or else advertised as one of the last CHALLENGE_WINDOW (see section 9) Challenge values inserted into the immediately preceding Agent advertisements. If the Challenge is not one of the recently advertised values, the foreign Agent SHOULD send a Registration Reply with Code UNKNOWN_CHALLENGE (see section 10).

Furthermore, the Foreign Agent MUST check that there is either a Mobile-Foreign, or a MN-AAA Authentication extension after the Challenge extension. Any registration message containing the Challenge extension without either of these authentication extensions MUST be silently discarded. If the registration message contains a Mobile-Foreign Authentication extension with an incorrect authenticator that fails verification, the Foreign Agent MAY send a Registration Reply to the mobile node with Code value BAD_AUTHENTICATION (see Section 10).

If the MN-AAA Authentication extension (see Section 6) is present in the message, or if an NAI extension is included indicating that the mobile node belongs to a different administrative domain, the foreign agent may take actions outside the scope of this protocol specification to carry out the authentication of the mobile node. The Foreign Agent MUST NOT remove the MN-AAA Authentication Extension from the Registration Request prior to the completion of the authentication performed by the AAA infrastructure. The appendix provides an example of an action that could be taken by a foreign agent.

In the event that the Challenge extension is authenticated through the Mobile-Foreign Authentication Extension, the Foreign Agent MAY remove the Challenge Extension from the Registration Request without disturbing the authentication value computed by the Mobile Node for use by the AAA or the Home Agent. If the Challenge extension is not removed, it MUST precede the Foreign-Home Authentication extension.

If the Foreign Agent does not remove the Challenge extension, then the Foreign Agent SHOULD store the Challenge value as part of the pending registration request list [8]. Also in this case, the Foreign Agent MUST reject any Registration Reply message coming from the Home Agent that does not also include the Challenge Extension with the same Challenge Value that was included in the Registration Request. The Foreign Agent MUST send the rejected Registration message to the mobile node, and change the status in the Registration Reply to the value MISSING_CHALLENGE (see section 10).

If the Foreign Agent does remove the Challenge extension and applicable authentication from the Registration Request message, then it SHOULD insert the Identification field from the Registration Request message along with its record-keeping information about the particular Mobile Node in order to protect against replays.
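
The checks this section requires of a foreign agent, sketched in Python as an added example that is not part of the RFC text. It assumes the foreign agent has no security association with the mobile node; the class and method names, the ACCEPT/DISCARD markers, the 16-byte challenge size and the mobile-node identifiers are choices made for this example.

```python
import secrets
from collections import deque

CHALLENGE_WINDOW = 2                       # default from section 9
UNKNOWN_CHALLENGE = 104                    # Code values from section 10
MISSING_CHALLENGE = 105
STALE_CHALLENGE = 106
ACCEPT, DISCARD = "accept", "discard"      # markers local to this example


class ForeignAgent:
    def __init__(self, window=CHALLENGE_WINDOW):
        self.advertised = deque(maxlen=window)  # last `window` advertised values
        self.offered = {}   # mobile node -> challenge from last successful reply
        self.used = {}      # mobile node -> challenges that node already consumed
        self.pending = {}   # (mobile node, Identification) -> challenge
        # Expiry of pending records is left out of this example.

    def advertise(self) -> bytes:
        """Pick the challenge for the next Agent Advertisement (section 2)."""
        challenge = secrets.token_bytes(16)     # well above the 32-bit minimum
        self.advertised.append(challenge)
        # A value that left the window is rejected as unknown anyway, so its
        # "used" marks can be dropped; this keeps per-node state bounded.
        live = set(self.advertised)
        for mn, used in self.used.items():
            used.intersection_update(live | {self.offered.get(mn)})
        return challenge

    def registration_succeeded(self, mn, identification) -> bytes:
        """Clear the pending record and offer a new challenge in the reply (3.3)."""
        self.pending.pop((mn, identification), None)
        challenge = secrets.token_bytes(16)
        self.offered[mn] = challenge
        return challenge

    def check_request(self, mn, identification, challenge, has_auth_ext):
        """Return ACCEPT, DISCARD, or the Code for the Registration Reply."""
        if challenge is None:
            return MISSING_CHALLENGE
        if not has_auth_ext:
            # Challenge without Mobile-Foreign or MN-AAA authentication.
            return DISCARD
        if self.pending.get((mn, identification)) == challenge:
            return ACCEPT       # retransmission: forward to the home agent again
        if challenge not in self.advertised and challenge != self.offered.get(mn):
            return UNKNOWN_CHALLENGE
        if challenge in self.used.setdefault(mn, set()):
            return STALE_CHALLENGE
        self.used[mn].add(challenge)
        self.pending[(mn, identification)] = challenge
        return ACCEPT


def demo():
    """Walk one advertised challenge through each outcome."""
    fa = ForeignAgent()
    c1 = fa.advertise()
    results = [
        fa.check_request("mn1", 1, None, True),   # no MN-FA Challenge extension
        fa.check_request("mn1", 1, c1, False),    # no authentication extension
        fa.check_request("mn1", 1, c1, True),     # first use
        fa.check_request("mn1", 1, c1, True),     # same Identification: retransmit
        fa.check_request("mn1", 2, c1, True),     # new Identification: replay
        fa.check_request("mn2", 7, c1, True),     # another node may use the value
    ]
    fa.advertise()
    fa.advertise()                                # c1 falls out of the window
    results.append(fa.check_request("mn3", 1, c1, True))
    return results


if __name__ == "__main__":
    print(demo())
```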

3.3. Foreign Agent Processing for Registration Replies

The Foreign Agent MAY include a new Challenge extension in any Registration Reply, successful or not. If the foreign agent includes this extension in a successful Registration Reply, the extension SHOULD precede a MN-FA authentication extension.

Suppose the Registration Reply includes a Challenge extension from the Home Agent, and the foreign agent wishes to include another Challenge extension with the Registration Reply for use by the mobile node. In that case, the foreign agent MUST delete the Challenge extension from the Home Agent from the Registration Reply, along with any FA-HA authentication extension, before appending the new Challenge extension to the Registration Reply.

3.4. Home Agent Processing for the Challenge Extensions

If the Home Agent receives a Registration Request with the MN-FA Challenge extension, and recognizes the extension, the Home Agent MUST include the Challenge extension in the Registration Reply. The Challenge Extension MUST be placed after the Mobile-Home authentication extension, and the extension SHOULD be authenticated by a Foreign-Home Authentication extension.

Since the extension type for the Challenge extension is within the range 128-255, the Home Agent MUST process such a Registration Request even if it does not recognize the Challenge extension [8]. In this case, the Home Agent will send a Registration Reply to the Foreign Agent that does not include the Challenge extension.

4. MN-FA Challenge Extension

This section specifies a new Mobile IP Registration extension that is used to satisfy a Challenge in an Agent Advertisement. The Challenge extension to the Registration Request message is used to indicate the challenge that the mobile node is attempting to satisfy.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Length     |         Challenge...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        

Figure 2: The MN-FA Challenge Extension

      Type        132 (skippable) (see [8])

      Length      Length of the Challenge value

      Challenge   The Challenge field is copied from the Challenge field
                  found in the Agent Advertisement Challenge extension
                  (see section 2).

5. Generalized Mobile IP Authentication Extension

Several new authentication extensions have been designed for various control messages proposed for extensions to Mobile IP (see, for example, [9]). A new authentication extension is required for a mobile node to present its credentials to any entity other than the ones already defined; the only entities defined in the base Mobile IP specification [8] are the home agent and the foreign agent. It is the purpose of the generalized authentication extension defined here to collect together data for all such new authentication applications into a single extension type with subtypes.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Subtype    |            Length             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                              SPI                              |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         Authenticator ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        

Figure 3: The Generalized Mobile IP Authentication Extension

      Type            36 (not skippable) (see [8])

      Subtype         a number assigned to identify the kind of
                      endpoints or characteristics of the particular
                      authentication strategy

      Length          4 plus the number of bytes in the Authenticator;
                      MUST be at least 20.

      SPI             Security Parameters Index

      Authenticator   The variable length Authenticator field

In this document, only one subtype is defined:

      1     MN-AAA Authentication subtype (see section 6)

6. MN-AAA Authentication subtype

The Generalized Authentication extension with subtype 1 will be referred to as a MN-AAA Authentication extension. If the mobile node does not include a Mobile-Foreign Authentication [8] extension, then it MUST include the MN-AAA Authentication extension whenever the Challenge extension is present. If the MN-AAA Authentication extension is present, then the Registration Message sent by the mobile node MUST contain the Mobile-HA Authentication extension [8] if it shares a security association with the Home Agent. If present, the Mobile-HA Authentication Extension MUST appear prior to the MN-AAA Authentication extension. The mobile node MAY include a MN-AAA Authentication extension in any Registration Request. The corresponding response MUST include the MN-HA Authentication Extension, and MUST NOT include the MN-AAA Authentication Extension.

The default algorithm for computation of the authenticator is HMAC-MD5 [5] computed on the following data, in the order shown:

Preceding Mobile IP data || Type, Subtype, Length, SPI

where the Type, Length, Subtype, and SPI are as shown in section 5. The resulting function call, as described in [5], would be:

hmac_md5(data, datalen, Key, KeyLength, authenticator);

Each mobile node MUST support the ability to produce the authenticator by using HMAC-MD5 as shown. Just as with Mobile IP, this default algorithm MUST be able to be configured for selection at any arbitrary 32-bit SPI outside of the SPIs in the reserved range 0-255.

7. Reserved SPIs for Mobile IP

Mobile IP defines several authentication extensions for use in Registration Requests and Replies. Each authentication extension carries a Security Parameters Index (SPI) which should be used to index a table of security associations. Values in the range 0 - 255 are reserved for special use. A list of reserved SPI numbers is to be maintained by IANA at the following URL:

      http://www.iana.org/numbers.html
        
8. SPI For RADIUS AAA Servers

Some AAA servers only admit a single security association, and thus do not use the SPI numbers for Mobile IP authentication extensions for use when determining the security association that would be necessary for verifying the authentication information included with the Authentication extension.

SPI number CHAP_SPI (see section 9) is reserved (see section 7) for indicating the following procedure for computing authentication data (called the "authenticator"), which is used by many RADIUS servers [10] today.

To compute the authenticator, apply MD5 [11] computed on the following data, in the order shown:

High-order byte from Challenge || Key || MD5(Preceding Mobile IP data || Type, Subtype (if present), Length, SPI) || Least-order 237 bytes from Challenge

where the Type, Length, SPI, and possibly Subtype, are the fields of the authentication extension in use. For instance, all four of these fields would be in use when SPI == CHAP_SPI is used with the Generalized Authentication extension. Since the RADIUS protocol cannot carry attributes greater than 253 in size, the preceding Mobile IP data, type, subtype (if present), length and SPI are hashed using MD5. Finally, the least significant 237 bytes of the challenge are concatenated.
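
The two authenticator computations of sections 6 and 8, as an added Python example that is not part of the RFC text. The key, challenge and preceding bytes are constructed sample values, every SPI above 255 is assumed to select HMAC-MD5, and "least-order 237 bytes" is read literally as the last 237 bytes of the Challenge, so a Challenge shorter than 238 bytes contributes its high-order byte twice.

```python
import hashlib
import hmac
import struct

GEN_AUTH_TYPE = 36   # Generalized Mobile IP Authentication extension (section 5)
MN_AAA_SUBTYPE = 1   # MN-AAA Authentication subtype (section 6)
CHAP_SPI = 2         # default from section 9
MD5_LEN = 16

# Constructed sample values, not taken from any real deployment.
KEY = b"example-shared-secret"
CHALLENGE = bytes.fromhex("9f3c51e27ab04d68")
# Stand-in for the Registration Request plus every extension that precedes
# the authentication extension.
PRECEDING = bytes.fromhex("0100070a") + bytes(range(20))


def compute_authenticator(protected: bytes, spi: int, key: bytes,
                          challenge: bytes = b"") -> bytes:
    """protected = preceding Mobile IP data || Type, Subtype, Length, SPI."""
    if spi == CHAP_SPI:
        if not challenge:
            raise ValueError("CHAP_SPI needs the Challenge value")
        # The protected data is hashed first so the input fits a RADIUS attribute.
        inner = hashlib.md5(protected).digest()
        # Assumption: "least-order 237 bytes" = last 237 bytes of the Challenge.
        return hashlib.md5(challenge[:1] + key + inner + challenge[-237:]).digest()
    if spi <= 255:
        raise ValueError("reserved SPI with no algorithm defined in this example")
    # Assumption of this example: any non-reserved SPI selects the default HMAC-MD5.
    return hmac.new(key, protected, hashlib.md5).digest()


def build_mn_aaa(preceding: bytes, spi: int, key: bytes,
                 challenge: bytes = b"") -> bytes:
    """Return the complete MN-AAA Authentication extension for a request."""
    # Length counts the SPI (4 bytes) plus the authenticator, as in Figure 3.
    header = struct.pack("!BBHI", GEN_AUTH_TYPE, MN_AAA_SUBTYPE, 4 + MD5_LEN, spi)
    return header + compute_authenticator(preceding + header, spi, key, challenge)


def verify_mn_aaa(preceding: bytes, ext: bytes, key: bytes,
                  challenge: bytes = b"") -> bool:
    """Check a received extension against the data that preceded it."""
    if len(ext) < 8:
        return False
    ext_type, subtype, length, spi = struct.unpack("!BBHI", ext[:8])
    if (ext_type, subtype) != (GEN_AUTH_TYPE, MN_AAA_SUBTYPE):
        return False
    if length < 20 or length != len(ext) - 4:
        return False                      # Length MUST be at least 20
    try:
        expected = compute_authenticator(preceding + ext[:8], spi, key, challenge)
    except ValueError:
        return False
    return hmac.compare_digest(ext[8:], expected)   # constant-time comparison


if __name__ == "__main__":
    ext = build_mn_aaa(PRECEDING, CHAP_SPI, KEY, CHALLENGE)
    print(ext.hex(), verify_mn_aaa(PRECEDING, ext, KEY, CHALLENGE))
```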

9. Configurable Parameters

Every Mobile IP agent supporting the extensions defined in this document SHOULD be able to configure each parameter in the following table. Each table entry contains the name of the parameter, the default value, and the section of the document in which the parameter first appears.

      Parameter Name     Default Value   Section(s) of Document
      --------------     -------------   ----------------------
      CHALLENGE_WINDOW   2               3.2
      CHAP_SPI           2               8
        
10. Error Values

Each entry in the following table contains the name of Code [8] to be returned in a Registration Reply, the value for the Code, and the section in which the error is first mentioned in this specification.

      Error Name               Value   Section of Document
      ----------------------   -----   -------------------
      UNKNOWN_CHALLENGE        104     3.2
      BAD_AUTHENTICATION       67      3.2 - also see [8]
      MISSING_CHALLENGE        105     3.1,3.2
      STALE_CHALLENGE          106     3.2
        
11. IANA Considerations

The Generalized Mobile IP Authentication extension defined in Section 5 is a Mobile IP registration extension as defined in RFC 2002 [8] and extended in RFC 2356 [7]. IANA should assign a value of 36 for this extension.

A new number space is to be created for enumerating subtypes of the Generalized Authentication extension (see section 5). New subtypes of the Generalized Authentication extension, other than the number (1) for the MN-AAA authentication extension specified in section 6, must be specified and approved by a designated expert.

The MN-FA Challenge Extension defined in Section 4 is a router advertisement extension as defined in RFC 1256 [3] and extended in RFC 2002 [8]. IANA should assign a value of 132 for this purpose.

The Code values defined in Section 10 are error codes as defined in RFC 2002 [8] and extended in RFC 2344 [6] and RFC 2356 [7]. They correspond to error values conventionally associated with rejection by the foreign agent (i.e., values from the range 64-127). The Code value 67 is a pre-existing value which is to be used in some cases with the extension defined in this specification. IANA should record the values as defined in Section 10.

A new section for enumerating algorithms identified by specific SPIs within the range 0-255 is to be added to http://www.isi.edu/in-notes/iana/assignments/mobileip-numbers.

The CHAP_SPI number (2) discussed in section 8 is to be assigned from this range of reserved SPI numbers. New assignments from this reserved range must be specified and approved by the Mobile IP working group. SPI number 1 should not be assigned unless in the future the Mobile IP working group decides that SKIP is not important for enumeration in the list of reserved numbers. SPI number 0 should not be assigned.

12. Security Considerations

In the event that a malicious mobile node attempts to replay the authenticator for an old MN-FA Challenge, the Foreign Agent would detect it since the agent always checks whether it has recently advertised the Challenge (see section 3.2). Allowing mobile nodes with different IP addresses or NAIs to use the same Challenge value does not represent a security vulnerability, because the authentication data provided by the mobile node will be computed over data that is different (at least by the bytes of the mobile nodes' IP addresses).

Whenever a Foreign Agent updates a field of the Registration Reply (as suggested in section 3.2), it invalidates the authentication data supplied by the Home Agent in the MN-HA Authentication extension to the Registration Reply. Thus, this opens up a security exposure whereby a node might try to supply a bogus Registration Reply to a mobile node that causes the mobile node to act as if its Registration Reply were rejected. This might happen when, in fact, a Registration Reply showing acceptance of the registration might soon be received by the mobile node.

If the foreign agent chooses a Challenge value (see section 2) with fewer than 4 bytes, the foreign agent SHOULD maintain records that also include the Identification field for the mobile node. The foreign agent can then find assurance that the Registration messages using the short Challenge value are in fact unique, and thus assuredly not replayed from any earlier registration.
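The replay checks discussed in this section (was the Challenge recently advertised, and the extra Identification record for Challenges shorter than 4 bytes) can be sketched as follows. This is an added Python example, not part of the RFC: the class name, the advertisement window, the `PASSED` value and the use of STALE_CHALLENGE for a repeated record are assumptions, while the Code values come from Section 10.

```python
import os

# Code values from the table in Section 10 of this document.
UNKNOWN_CHALLENGE = 104
MISSING_CHALLENGE = 105
STALE_CHALLENGE = 106
PASSED = 0  # assumption of this sketch: "no replay problem found"


class ChallengeTracker:
    """Hypothetical foreign-agent record of advertised and consumed Challenges."""

    def __init__(self, window=3, challenge_len=4):
        self.window = window                # assumed policy: last N advertisements stay valid
        self.challenge_len = challenge_len
        self.recent = []                    # recently advertised Challenge values, newest last
        self.used = set()                   # uniqueness records for accepted requests

    def advertise(self, challenge=None):
        """Record a Challenge for the next Agent Advertisement and return it."""
        value = challenge if challenge is not None else os.urandom(self.challenge_len)
        self.recent.append(value)
        del self.recent[:-self.window]      # forget Challenges that left the window
        return value

    def check(self, mn_addr, challenge, identification):
        """Return PASSED or the Code value for the Registration Reply."""
        if challenge is None:
            return MISSING_CHALLENGE
        if challenge not in self.recent:    # old authenticator replayed after the window
            return UNKNOWN_CHALLENGE
        # Records are per mobile node, so two nodes may answer the same Challenge.
        record = (mn_addr, challenge)
        if len(challenge) < 4:
            # Short values repeat quickly: also record the Identification field.
            record += (identification,)
        if record in self.used:
            return STALE_CHALLENGE          # assumed Code for a repeated record
        self.used.add(record)
        return PASSED
```

A production foreign agent would also expire entries in `used` once the corresponding Challenge leaves the window; the sketch keeps them to stay short.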

Section 8 (SPI For RADIUS AAA Servers) defines a method of computing the Generalized Mobile IP Authentication Extension's authenticator field using MD5 in a manner that is consistent with RADIUS [10]. The use of MD5 in the method described in Section 8 is less secure than HMAC-MD5 [5], and should be avoided whenever possible.

13. Acknowledgements

The authors would like to thank Tom Hiller, Mark Munson, the TIA TR45-6 WG, Gabriel Montenegro, Vipul Gupta, and Pete McCann for their useful discussions. A recent draft by Mohamed Khalil, Raja Narayanan, Emad Qaddoura, and Haseeb Akhtar has also suggested the definition of a generalized authentication extension similar to the specification contained in section 5.

References

[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[2] Calhoun, P. and C. Perkins. "Mobile IP Network Access Identifier Extension for IPv4", RFC 2794, January 2000.

[3] Deering, S., "ICMP Router Discovery Messages", RFC 1256, September 1991.

[4] Eastlake, D., Crocker, S. and J. Schiller, "Randomness Recommendations for Security", RFC 1750, December 1994.

[5] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997.

[6] Montenegro, G., "Reverse Tunneling for Mobile IP", RFC 2344, May 1998.

[7] Montenegro, G. and V. Gupta, "Sun's SKIP Firewall Traversal for Mobile IP", RFC 2356, June 1998.

[8] Perkins, C., "IP Mobility Support", RFC 2002, October 1996.

[9] Perkins, C. and D. Johnson, "Route Optimization in Mobile IP", Work in Progress.

[10] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote Authentication Dial In User Service (RADIUS)", RFC 2138, April 1997.

[11] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April 1992.

[12] Simpson, W., "PPP Challenge Handshake Authentication Protocol (CHAP)", RFC 1994, August 1996.

A. Verification Infrastructure

The Challenge extensions in this protocol specification are expected to be useful to help the Foreign Agent manage connectivity for visiting mobile nodes, even in situations where the foreign agent does not have any security association with the mobile node or the mobile node's home agent. In order to carry out the necessary authentication, it is expected that the foreign agent will need the assistance of external administrative systems, which have come to be called AAA systems. For the purposes of this document, we call the external administrative support the "verification infrastructure". The verification infrastructure is described to motivate the design of the protocol elements defined in this document, and is not strictly needed for the protocol to work. The foreign agent is free to use any means at its disposal to verify the credentials of the mobile node. This could, for instance, rely on a separate protocol between the foreign agent and the Mobile IP home agent, and still be completely invisible to the mobile node.

In order to verify the credentials of the mobile node, we imagine that the foreign agent has access to a verification infrastructure that can return a secure notification to the foreign agent that the authentication has been performed, along with the results of that authentication. This infrastructure may be visualized as shown in figure 4.

             +----------------------------------------------------+
             |                                                    |
             |  Verification and Key Management Infrastructure    |
             |                                                    |
             +----------------------------------------------------+
                    ^ |                                  ^ |
                    | |                                  | |
                    | v                                  | v
             +---------------+                    +---------------+
             |               |                    |               |
             | Foreign Agent |                    |   Home Agent  |
             |               |                    |               |
             +---------------+                    +---------------+
        

Figure 4: The Verification Infrastructure

After the foreign agent gets the Challenge authentication, it MAY pass the authentication to the (here unspecified) infrastructure, and await a Registration Reply. If the Reply has a positive status (indicating that the registration was accepted), the foreign agent accepts the registration. If the Reply contains the Code value BAD_AUTHENTICATION (see Section 10), the foreign agent takes actions indicated for rejected registrations.

Implicit in this picture is the important observation that the Foreign Agent and the Home Agent have to be equipped to make use of whatever protocol is made available to them by the challenge verification and key management infrastructure shown in the figure.

The protocol messages for handling the authentication within the verification infrastructure, and identity of the agent performing the verification of the Foreign Agent challenge, are not specified in this document, because those operations do not have to be performed by any Mobile IP entity.

Addresses

The working group can be contacted via the current chairs:

   Basavaraj Patil
   Nokia Corporation
   6000 Connection Drive
   M/S M8-540
   Irving, Texas 75039
   USA

   Phone:  +1 972-894-6709
   Fax:  +1 972-894-5349
   EMail:  Basavaraj.Patil@nokia.com

   Phil Roberts
   Motorola
   1501 West Shure Drive
   Arlington Heights, IL 60004
   USA

   Phone:  +1 847-632-3148
   EMail:  QA3445@email.mot.com

Questions about this memo can also be directed to the authors:

   Charles E. Perkins
   Communications Systems Lab
   Nokia Research Center
   313 Fairchild Drive
   Mountain View, California 94043
   USA

   Phone:  +1-650 625-2986
   Fax:  +1 650 625-2502
   EMail:  charliep@iprg.nokia.com

   Pat R. Calhoun
   Network & Security Center
   Sun Microsystems Laboratories
   15 Network Circle
   Menlo Park, California 94025
   USA

   Phone:  +1 650-786-7733
   Fax:  +1 650-786-6445
   EMail:  pcalhoun@eng.sun.com

Full Copyright Statement

Copyright (C) The Internet Society (2000). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.
