Network Working Group D. Turk Request for Comments: 3882 Bell Canada Category: Informational September 2004
Network Working Group D. Turk Request for Comments: 3882 Bell Canada Category: Informational September 2004
Configuring BGP to Block Denial-of-Service Attacks
配置BGP以阻止拒绝服务攻击
Status of this Memo
本备忘录的状况
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2004).
版权所有(C)互联网协会(2004年)。
Abstract
摘要
This document describes an operational technique that uses BGP communities to remotely trigger black-holing of a particular destination network to block denial-of-service attacks. Black-holing can be applied on a selection of routers rather than all BGP-speaking routers in the network. The document also describes a sinkhole tunnel technique using BGP communities and tunnels to pull traffic into a sinkhole router for analysis.
本文档描述了一种使用BGP社区远程触发特定目标网络的黑洞以阻止拒绝服务攻击的操作技术。黑洞可以应用于一系列路由器,而不是网络中所有讲BGP的路由器。该文档还描述了一种使用BGP社区和隧道将流量拉入天坑路由器进行分析的天坑隧道技术。
Table of Contents
目录
1. Existing BGP-Triggered Black holing Techniques . . . . . . . . 2 2. Enhanced BGP-Triggered Black holing Technique. . . . . . . . . 3 3. Sinkhole Tunnels . . . . . . . . . . . . . . . . . . . . . . . 5 4. Security Considerations. . . . . . . . . . . . . . . . . . . . 7 5. Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . 7 6. Informative References . . . . . . . . . . . . . . . . . . . . 7 7. Author's Addresses . . . . . . . . . . . . . . . . . . . . . . 7 8. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 8
1. Existing BGP-Triggered Black holing Techniques . . . . . . . . 2 2. Enhanced BGP-Triggered Black holing Technique. . . . . . . . . 3 3. Sinkhole Tunnels . . . . . . . . . . . . . . . . . . . . . . . 5 4. Security Considerations. . . . . . . . . . . . . . . . . . . . 7 5. Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . 7 6. Informative References . . . . . . . . . . . . . . . . . . . . 7 7. Author's Addresses . . . . . . . . . . . . . . . . . . . . . . 7 8. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 8
Current BGP-triggered black-holing techniques rely on altering the BGP next hop address of a network targeted by an attack throughout the iBGP network. A customized iBGP advertisement is generated from a router participating in the destination/attacked AS where the next hop address for the targeted network or host is modified to point to an RFC 1918 [RFC1918] (private internet) address. Most routers on the Internet, especially edge routers, have static routes pointing RFC 1918 addresses to the null interface. Those static routes drive all traffic destined to the network under attack to the null interface.
当前BGP触发的黑洞技术依赖于改变网络的BGP下一跳地址,该地址是iBGP网络中的攻击目标。从参与目的地/攻击AS的路由器生成定制iBGP广告,其中目标网络或主机的下一跳地址被修改为指向RFC 1918[RFC1918](专用互联网)地址。互联网上的大多数路由器,尤其是边缘路由器,都有静态路由,将RFC1918地址指向空接口。这些静态路由将所有发送到网络的流量驱动到空接口。
When an iBGP-speaking router inside the destination AS receives the iBGP update, the advertised prefix will be added to the routing table with a next hop of one of the networks listed in RFC 1918. The router will then attempt to resolve the RFC 1918 next-hop in order to qualify the route and derive a forwarding interface. This process will return a valid next hop as the null interface. Assuming the router is properly configured to direct RFC 1918 destined traffic to a null interface, traffic destined to the attacked network gets dropped, making the attacked network unreachable to the attacker and everyone else.
当目的地AS内的讲iBGP的路由器接收到iBGP更新时,播发的前缀将被添加到路由表中,并具有RFC 1918中列出的其中一个网络的下一跳。路由器随后将尝试解析RFC 1918下一跳,以限定路由并导出转发接口。此进程将返回一个有效的下一跳作为空接口。假设路由器正确配置为将RFC 1918目的地流量引导至空接口,则目的地为受攻击网络的流量将被丢弃,从而使攻击者和其他所有人无法访问受攻击网络。
While this technique shields the internal infrastructure from the attack, protecting a large number of devices, it has the undesirable side effect of rendering the targeted/attacked network unreachable throughout the entire destination AS. Even if a static route pointing an RFC 1918 address to a null interface is not configured on all routers within the destination AS, the modified next hop makes the traffic un-routable to its legitimate destination.
虽然这种技术可以保护内部基础设施免受攻击,保护大量设备,但它会产生不良的副作用,使目标/受攻击的网络在整个目的地都无法访问。即使在目的地AS内的所有路由器上未配置将RFC 1918地址指向空接口的静态路由,修改后的下一跳也会使流量无法路由到其合法目的地。
Network operators usually use the BGP-triggered black holes for a short period of time. The technique causes traffic drops on all ingress points of the AS for traffic destined to the attacked network. By default, routers dropping traffic into a null interface should send an "ICMP unreachable" message to the source address belonging to the origin/attacking AS.
网络运营商通常在短时间内使用BGP触发的黑洞。该技术会导致AS的所有入口点上的流量下降,从而导致发送到受攻击网络的流量下降。默认情况下,将流量丢弃到空接口的路由器应向属于源/攻击AS的源地址发送“ICMP不可访问”消息。
Once the procedure reaches this point, one of the source addresses of the attack traffic is hijacked by introducing a device with the same source IP address into the BGP domain of the destination/attacked AS. The device hijacking the source address collects the ICMP unreachable packets. The source addresses of these ICMP unreachable packets reveal which edge routers within the destination/attacked AS the attack is coming from. The network operator may then opt to manually stop the traffic on the routers from which attack traffic is entering.
一旦程序达到这一点,通过将具有相同源IP地址的设备引入目标/被攻击AS的BGP域,攻击流量的一个源地址被劫持。劫持源地址的设备收集ICMP无法访问的数据包。这些ICMP不可访问数据包的源地址显示了攻击来自目标/受攻击的边缘路由器。然后,网络运营商可以选择手动停止路由器上的流量,攻击流量正从路由器进入。
This paper describes a technique developed to instruct a selected set of routers to alter the next hop address of a particular prefix by use of the BGP protocol. The next hop can either be a null interface or, as discussed later on in this paper, a sinkhole tunnel interface. This technique does not invoke an access list or rate limiting statement to treat attack traffic, nor does it involve a network wide change of the attacked prefix next hop address. The next hop will only be changed on a selection of routers with the aid of BGP communities within the destination/attacked AS.
本文描述了一种通过使用BGP协议来指示选定路由器组改变特定前缀的下一跳地址的技术。下一个跃点可以是空接口,也可以是本文后面讨论的天坑隧道接口。该技术不调用访问列表或速率限制语句来处理攻击流量,也不涉及在网络范围内更改受攻击的前缀下一跳地址。下一跳将仅在目的地/受攻击AS内的BGP社区的帮助下在选定的路由器上更改。
To prepare the network for this technique, the network operator needs to define a unique community value for each destination AS border router that could potentially drive attack traffic to the victim. For example, a network with a BGP autonomous system number 65001 has two border routers (R1 and R2). Community value 65001:1 is assigned to identify R1, community value 65001:2 is assigned to identify R2, and community value 65001:666 is assigned to identify both R1 and R2.
为了使网络为这种技术做好准备,网络运营商需要为每个目的地定义一个唯一的社区值,作为边界路由器,它可能会驱动攻击流量流向受害者。例如,BGP自治系统号为65001的网络有两个边界路由器(R1和R2)。社区值65001:1用于标识R1,社区值65001:2用于标识R2,社区值65001:666用于标识R1和R2。
After the BGP community assignment, R1 and R2 must be configured with the following:
BGP社区分配后,R1和R2必须配置以下各项:
1. Static route pointing an RFC 1918 network to a null interface.
1. 将RFC1918网络指向空接口的静态路由。
2. AS-Path access list that matches local BGP prefix advertisement.
2. 与本地BGP前缀播发匹配的AS路径访问列表。
3. BGP community access list to match the community value assigned by the network operator for the particular router (i.e., 65001:1 for R1).
3. BGP社区访问列表,以匹配网络运营商为特定路由器分配的社区值(即,R1为65001:1)。
4. BGP community access list to match the community value assigned by the network operator for all routers (i.e., 65001:666 for R1 and R2)
4. BGP社区访问列表,以匹配网络运营商为所有路由器分配的社区值(即,R1和R2为65001:666)
5. Under the BGP process, an iBGP import route policy should be applied on received iBGP advertisements to do the following logic. (Statements are in a logical AND order)
5. 在BGP流程下,应在收到的iBGP播发上应用iBGP导入路由策略,以执行以下逻辑。(语句按逻辑AND顺序排列)
a. A policy statement to permit routes that match the following criteria and apply the following changes.
a. 允许符合以下条件并应用以下更改的路由的策略声明。
i. Match for a community specific to that router (i.e., 65001:1, for R1).
i. 匹配特定于该路由器的社区(即,对于R1,65001:1)。
ii. Match the AS-Path to locally generated BGP advertisements.
二、将AS路径与本地生成的BGP播发匹配。
iii. Set the BGP next hop to an RFC 1918 network.
iii.将BGP下一跳设置为RFC 1918网络。
iv. Overwrite the BGP community with the well-known community (no-advertise).
iv.用知名社区覆盖BGP社区(无广告)。
b. A policy statement to permit routes that match the following criteria and apply the following changes.
b. 允许符合以下条件并应用以下更改的路由的策略声明。
i. Match for a community that covers all routers (i.e., 65001:666).
i. 匹配覆盖所有路由器的社区(即65001:666)。
ii. Match the AS-Path to locally generated BGP advertisements.
二、将AS路径与本地生成的BGP播发匹配。
iii. Set the BGP next hop to an RFC 1918 network.
iii.将BGP下一跳设置为RFC 1918网络。
iv. Overwrite the BGP community with the well-known community (no-advertise).
iv.用知名社区覆盖BGP社区(无广告)。
After the policies have been configured on R1 and R2, the network operator can, in the case of an attack, advertise the targeted network that could be one or more /32 "host" routes into iBGP of the destination/attacked AS. The advertisement must contain the community value associated with the router(s) where the attack is arriving in addition to the well-known community (no-export). Using BGP communities preserves the original next hop address of the targeted network on all routers where the special route policy configuration is not present. iBGP will then carry the prefix advertisement to all routers in the destination/attacked AS. All routers within the destination AS, except the ones that match the community stamped on the prefix, will be oblivious to the community value and will install the network route with the legitimate next hop address. Routers that match the community will also install the network route into their routing table but will alter the next hop address to an RFC 1918 network and then to a null interface as per the route policies configuration and recursive route lookup. The reason for matching locally announced networks is to make sure that no eBGP peer can misuse this community to drive any network to a null interface. Blackholing the targeted/attacked hosts is recommended, but not the entire address block they belong to so that the blackhole effect has the minimum impact on the attacked network.
在R1和R2上配置策略后,网络运营商可以在发生攻击的情况下,将可能是一个或多个/32“主机”路由的目标网络播发到目标/受攻击AS的iBGP。广告必须包含与攻击到达的路由器相关联的社区值,以及已知社区(无导出)。使用BGP社区在不存在特殊路由策略配置的所有路由器上保留目标网络的原始下一跳地址。然后,iBGP将把前缀广告传送到目的地/受攻击AS中的所有路由器。目标AS中的所有路由器(与前缀上标记的社区匹配的路由器除外)将忽略社区值,并将使用合法的下一跳地址安装网络路由。与社区匹配的路由器也会将网络路由安装到其路由表中,但会根据路由策略配置和递归路由查找将下一跳地址更改为RFC 1918网络,然后更改为空接口。匹配本地公布的网络的原因是确保没有eBGP对等方可以滥用此社区将任何网络驱动到空接口。建议对目标/受攻击的主机进行黑洞,但不要对其所属的整个地址块进行黑洞,以便使黑洞效应对受攻击网络的影响最小。
This technique stops traffic from getting forwarded to the legitimate destination on routers identified as transit routers for attack traffic and that have route map matches for the community value associated with the network advertisement. All other traffic on the network will still get forwarded to the legitimate destination thus minimizing the impact on the targeted network.
该技术阻止流量在被识别为攻击流量中转路由器且具有与网络广告相关联的社区值的路由地图匹配的路由器上转发到合法目的地。网络上的所有其他流量仍将转发到合法目的地,从而将对目标网络的影响降至最低。
Following the "Enhanced BGP-Triggered Black-holing Technique", it may become a requirement to take a look at the attack traffic for further analysis. This requirement adds to the complexity of the exercise. Usually with broadcast interfaces, network operators install network sniffers on a spanned port of a switch for analysis of traffic. Another method would be to announce a network prefix that covers the attack host address into iBGP, altering the next hop into a sinkhole device that can log traffic for analysis. The latter technique results in taking down the services offered on the targeted/attacked IP addresses. Inter-AS traffic will be sucked into the sinkhole, along with Intra-AS traffic. Packet level analysis involves redirecting traffic away from the destination host to a sniffer or a router. As a result, if the traffic being examined includes legitimate traffic, that legitimate traffic will never make it to the destination host. This will result in denial of service for the legitimate traffic.
继“增强的BGP触发的黑洞技术”之后,可能需要查看攻击流量以进行进一步分析。这一要求增加了演习的复杂性。通常通过广播接口,网络运营商在交换机的跨端口上安装网络嗅探器,以分析流量。另一种方法是将覆盖攻击主机地址的网络前缀公布到iBGP中,将下一跳更改到可以记录流量以进行分析的天坑设备中。后一种技术导致在目标/受攻击IP地址上提供的服务被删除。AS间的交通将与AS内的交通一起被吸入落水坑。数据包级分析涉及将通信量从目标主机重定向到嗅探器或路由器。因此,如果正在检查的流量包括合法流量,则该合法流量将永远不会到达目标主机。这将导致对合法流量的拒绝服务。
A better alternative would be to use a sinkhole tunnel. A sinkhole tunnel is implemented at all possible entry points from which attacks can pass into the destination/attacked AS. Using the BGP community technique, traffic destined to the attacked/targeted host could be re-routed to a special path (tunnel) where a sniffer could capture the traffic for analysis. After being analyzed, traffic will exit the tunnel and be routed normally to the destination host. In other words, the traffic will pass through the network to a sniffer without altering the next hop information of the destination network. All routers within the destination/attacked AS iBGP domain will have the proper next hop address. Only the entry point router will have the altered next hop information.
更好的替代方案是使用天坑隧道。天坑隧道在所有可能的入口点实施,攻击可以从这些入口进入目的地/被攻击的AS。使用BGP社区技术,发送到受攻击/目标主机的流量可以重新路由到特殊路径(隧道),嗅探器可以在该路径中捕获流量进行分析。经过分析后,流量将退出隧道并正常路由到目标主机。换句话说,流量将通过网络到达嗅探器,而不会改变目标网络的下一跳信息。目标/被攻击为iBGP域的所有路由器将具有正确的下一跳地址。只有入口点路由器将具有更改的下一跳信息。
To detail the procedure, a sinkhole router with an optional sniffer attached to its interface is installed and configured to participate in the IGP and iBGP of the attacked AS. Next, a tunnel is created, using MPLS Traffic Engineering as an example, from all border routers attacks can potentially enter from (Inter-AS traffic) to the sinkhole router. When a host or network is under attack, a customized iBGP advertisement is sent to announce the network address of the attacked host(s) with the proper next hop that insures traffic will reach those hosts or networks. The customized advertisement will also have a community string value that matches the set of border routers the attack is entering from, as described in section 2. The new next hop address configured within the route policy section of all border routers should be the sinkhole IP address. This IP address belongs to the /30 subnet assigned to the tunnel connecting the border router to the sinkhole router.
为了详细说明该过程,安装了一个带有可选嗅探器的天坑路由器,并将其配置为参与受攻击AS的IGP和iBGP。接下来,以MPLS流量工程为例创建一个隧道,从所有边界路由器攻击都可能从(内部as流量)进入天坑路由器。当主机或网络受到攻击时,会发送一个定制的iBGP公告,通过适当的下一跳来宣布受攻击主机的网络地址,以确保流量将到达这些主机或网络。定制广告还将具有一个社区字符串值,该值与攻击从中输入的边界路由器集相匹配,如第2节所述。在所有边界路由器的路由策略部分中配置的新下一跳地址应为天坑IP地址。此IP地址属于分配给将边界路由器连接到天坑路由器的隧道的/30子网。
Routers that do not have a match for the community string will do regular routing. Lack of a community string match on these routers will insure that the special route policy does not change the next hop address. Traffic entering from border routers that do not have a match to the special community will pass through regular router interfaces to the legitimate destination. It might also be required to allow the traffic to reach its destination after being captured. In this case, a default network route is configured to point to any interface attached and configured on the iBGP network. This would also include the same physical interface the tunnel is built on. Since the next hop address is not changed on the sinkhole device, traffic entering this device from the tunnel will be sent back to the network due to the presence of the default route. Routing protocols will then take care of properly routing the traffic to its original destination (attacked network).
没有与社区字符串匹配的路由器将执行常规路由。这些路由器上缺少社区字符串匹配将确保特殊路由策略不会更改下一跳地址。从与特殊社区不匹配的边界路由器进入的流量将通过常规路由器接口到达合法目的地。还可能需要允许流量在被捕获后到达其目的地。在这种情况下,默认网络路由配置为指向iBGP网络上连接和配置的任何接口。这还包括隧道所建的物理接口。由于天坑设备上的下一跳地址未更改,因此由于存在默认路由,从隧道进入该设备的流量将被发送回网络。然后,路由协议将负责将流量正确路由到其原始目的地(受攻击的网络)。
It becomes apparent that this technique can also be used for purposes other than analyzing attack traffic. Legitimate traffic could also be pulled out of normal routing into a tunnel and then reinserted into the backbone without altering the next hop addressing scheme throughout the iBGP network.
很明显,该技术也可用于分析攻击流量以外的目的。合法的通信量也可以从正常路由中拉入隧道,然后重新插入主干网,而不改变整个iBGP网络的下一跳寻址方案。
MPLS Traffic Engineering with its many features, is a good method of sliding traffic to the sinkhole device. Features like QoS policies can be applied on the attack traffic, thus preventing it from competing on resources with legitimate traffic.
MPLS流量工程以其众多的特点,是一种很好的将流量滑动到陷穴设备的方法。QoS策略等功能可应用于攻击流量,从而防止其在资源上与合法流量竞争。
To be able to alter the next hop on the border router, a subnet of an RFC 1918 network is statically routed to the tunnel interface. An example of the static route is:
为了能够改变边界路由器上的下一跳,RFC1918网络的子网被静态路由到隧道接口。静态路由的一个示例是:
ip route 192.168.0.12 255.255.255.255 Tunnel0
ip路由192.168.0.12 255.255.255.255.255隧道10
Setting the next hop of the target IP address to 192.168.0.12/32 will force the traffic to go through the tunnel.
将目标IP地址的下一个跃点设置为192.168.0.12/32将强制流量通过隧道。
Traffic is received at the sinkhole interface via the TE tunnel. Subsequently, three methods could be installed, namely rate-limiting policies, QoS policies, and access lists. These policies could rate limit or drop traffic classified as attack traffic. This process would be completed on the interface of the sinkhole device. Another useful application for a sinkhole router is to pull in traffic via tunnels to an inbound interface and have a default route statement forwarding the traffic out to an Ethernet interface. The Ethernet interface is connected to the iBGP network and guarantees proper delivery of traffic however, it still allows the use of a packet sniffer to further analyze the attack traffic.
交通通过TE隧道在天坑接口接收。随后,可以安装三种方法,即速率限制策略、QoS策略和访问列表。这些策略可以对分类为攻击流量的流量进行速率限制或丢弃。该过程将在天坑装置的接口上完成。天坑路由器的另一个有用应用是通过隧道将流量拉入入入站接口,并使用默认路由语句将流量转发到以太网接口。Ethernet接口连接到iBGP网络并保证通信量的正确传输,但是,它仍然允许使用数据包嗅探器进一步分析攻击通信量。
This becomes very useful when it is not feasible to apply an Access list or a rate limiting statement on the BGP border router or last hop router before the attacked host or network because of hardware or software limitations. Hence, instead of upgrading interfaces at the point of entry of attack traffic, the latter could be pulled into the sinkhole and treated on that device. Operational costs can be rendered minimal if the sinkhole router is a powerful device.
当由于硬件或软件限制,无法在受攻击主机或网络之前在BGP边界路由器或最后一跳路由器上应用访问列表或速率限制语句时,这将非常有用。因此,不必在攻击流量进入点升级接口,后者可以被拉入天坑并在该设备上处理。如果天坑路由器是一种功能强大的设备,那么运营成本可以降到最低。
It is very important to practice tight control over eBGP peering points before implementing the techniques described in this paper. eBGP customers might be able to blackhole a particular subnet using the Blackhole communities. To eliminate the risk, the match for locally generated BGP advertisements in the special route policy should not be neglected.
在实现本文描述的技术之前,严格控制eBGP对等点是非常重要的。eBGP客户可能能够使用黑洞社区对特定子网进行黑洞攻击。为了消除风险,不应忽略特殊路由策略中本地生成的BGP广告的匹配。
The author of this document would like to acknowledge the developers of the remotely triggered black-holing technique and the developers of the backscatter technique for collecting backscatter traffic. The author would also like to thank all members of the IP Engineering department for their help in verifying the functionality of this technique.
本文档的作者希望感谢远程触发黑洞技术的开发人员和收集反向散射流量的反向散射技术的开发人员。作者还要感谢IP工程部门的所有成员,感谢他们在验证该技术功能方面提供的帮助。
[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, February 1996.
[RFC1918]Rekhter,Y.,Moskowitz,B.,Karrenberg,D.,de Groot,G.,和E.Lear,“私人互联网地址分配”,BCP 5,RFC 1918,1996年2月。
Doughan Turk Bell Canada 100 Wynford Drive
Doughan Turk Bell Canada Wynford大道100号
EMail: doughan.turk@bell.ca
EMail: doughan.turk@bell.ca
Copyright (C) The Internet Society (2004).
版权所有(C)互联网协会(2004年)。
This document is subject to the rights, licenses and restrictions contained in BCP 78 and at www.rfc-editor.org, and except as set forth therein, the authors retain all their rights.
本文件受BCP 78和www.rfc-editor.org中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/S HE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件及其包含的信息是按“原样”提供的,贡献者、其代表或赞助的组织(如有)、互联网协会和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Intellectual Property
知识产权
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the ISOC's procedures with respect to rights in ISOC Documents can be found in BCP 78 and BCP 79.
IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关ISOC文件中权利的ISOC程序信息,请参见BCP 78和BCP 79。
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。