Network Working Group                                           B. Quinn
Request for Comments: 4570                                 BoxnArrow.com
Category: Standards Track                                   R. Finlayson
                                                      Live Networks, Inc.
                                                               July 2006
Session Description Protocol (SDP) Source Filters
Status of This Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
This document describes how to adapt the Session Description Protocol (SDP) to express one or more source addresses as a source filter for one or more destination "connection" addresses. It defines the syntax and semantics for an SDP "source-filter" attribute that may reference either IPv4 or IPv6 address(es) as either an inclusive or exclusive source list for either multicast or unicast destinations. In particular, an inclusive source-filter can be used to specify a Source-Specific Multicast (SSM) session.
The Session Description Protocol [SDP] provides a general purpose format for describing multimedia sessions in announcements or invitations. SDP uses an entirely textual data format (the US-ASCII subset of [UTF-8]) to maximize portability among transports. SDP does not define a protocol, but only the syntax to describe a multimedia session with sufficient information to discover and participate in that session. Session descriptions may be sent using any number of existing application protocols for transport (e.g., Session Announcement Protocol (SAP), SIP, Real Time Streaming Protocol (RTSP), email, and HTTP).
Typically, session descriptions reference an IP multicast address for the "connection-address" (destination), though unicast addresses or fully qualified domain names (FQDNs) MAY also be used. The "source-filter" attribute defined in this document qualifies the session traffic by identifying the address (or FQDN) of legitimate sources (senders). The intent is for receivers to use the source and destination address pair(s) to filter traffic, so that applications receive only legitimate session traffic.
Receiver applications are expected to use the SDP source-filter information to identify traffic from legitimate senders, and discard traffic from illegitimate senders. Applications and hosts may also share the source-filter information with network elements (e.g., with routers using [IGMPv3]) so they can potentially perform the traffic filtering operation further "upstream," closer to the source(s).
The "source-filter" attribute can appear at the session level and/or the media level.
The purpose of a source-filter is to help protect receivers from traffic sent from illegitimate source addresses. Filtering traffic can help to preserve content integrity and protect against Denial of Service (DoS) attacks.
For multicast destination addresses, receiver applications MAY apply source-filters using the Multicast Source Filter APIs [MSF-API]. Hosts are likely to implement these APIs using protocol mechanisms to convey the source filters to local multicast routers. Other "upstream" multicast routers MAY apply the filters and thereby provide more explicit multicast group management and efficient utilization of network resources. The protocol mechanisms to enable these operations are beyond the scope of this document, but their potential provided motivation for SDP source-filters.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [REQMNT].
The SDP source-filter attribute does not change any existing SDP syntax or semantics, but defines a format for additional session description information. Specifically, source-filter syntax can prescribe one or more unicast addresses as either legitimate or illegitimate sources for any (or all) SDP session description "connection-address" field values.
Note that the unicast source addresses specified by this attribute are those that are seen by a receiver. Therefore, if source addresses undergo translation en route from the original sender to the receiver - e.g., due to Network Address Translation (NAT) or some tunneling mechanism - then the SDP "source-filter" attribute, as presented to the receiver, will not be accurate unless the source addresses therein are also translated accordingly.
The source-filter attribute has the following syntax:

   a=source-filter: <filter-mode> <filter-spec>

The <filter-mode> is either "incl" or "excl" (for inclusion or exclusion, respectively). The <filter-spec> has four sub-components:

   <nettype> <address-types> <dest-address> <src-list>
A <filter-mode> of "incl" means that an incoming packet is accepted only if its source address is in the set specified by <src-list>. A <filter-mode> of "excl" means that an incoming packet is rejected if its source address is in the set specified by <src-list>.
The first sub-field, <nettype>, indicates the network type, since SDP is protocol independent. This document is most relevant to the value "IN", which designates the Internet Protocol.
The second sub-field, <address-types>, identifies the address family, and for the purpose of this document may be either <addrtype> value "IP4" or "IP6". Alternately, when <dest-address> is an FQDN, the value MAY be "*" to apply to both address types, since either address type can be returned from a DNS lookup.
The third sub-field, <dest-address>, is the destination address, which MUST correspond to one or more of the session's "connection-address" field values. It may be either a unicast or multicast address, an FQDN, or the "*" wildcard to match any/all of the session's "connection-address" values.
The fourth sub-field, <src-list>, is the list of source hosts/interfaces in the source-filter, and consists of one or more unicast addresses or FQDNs, separated by space characters.
The format and content of these semantic elements are derived from and compatible with those defined in [SDP]. For more detail, see Appendix A of this document.
There are a number of details to consider when parsing the SDP source-filter syntax.
The <dest-address> value in a "source-filter" attribute MUST correspond to an existing <connection-field> value in the session description. The only exception to this is when a "*" wildcard is used to indicate that the source-filter applies to all <connection-field> values.
When the <dest-address> value is a multicast address, the field value MUST NOT include the sub-fields <ttl> and <number of addresses> from the <connection-address> value. If the <connection-address> specifies more than one multicast address (in the <number of addresses> field), then a source filter, if any, for each such address must be stated explicitly, using a separate "a=source-filter" line for each address (unless a "*" wildcard is used for <dest-address>). See section 3.2.4 for an example.
When the <addrtype> value is the "*" wildcard, the <dest-address> MUST be either an FQDN or "*" (i.e., it MUST NOT be an IPv4 or IPv6 address). See section 3.2.6 for an example.
As has always been the case, the default behavior when a source-filter attribute is not provided in a session description is that all traffic sent to the specified <connection-address> value should be accepted (i.e., from any source address). The source-filter grammar does not include syntax to express either "exclude none" or "include all."
Like the standard <connection-field> described in [SDP], the location of the "source-filter" attribute determines whether it applies to the entire session or only to a specific medium (i.e., "session-level" or "media-level"). A media-level source-filter will always completely override a session-level source-filter.
A "source-filter" need not be located at the same hierarchy level as its corresponding <connection-field>. So, a media-level <source-filter> can reference a session-level <connection-field> value, and a session-level "source-filter" can be applied to all matching media-level <connection-field> values. See section 3.2.3 for an example.
An SDP description MUST NOT contain more than one session-level "source-filter" attribute that covers the same destination address, or more than one media-level "source-filter" attribute that covers the same destination address.
There is no specified limit to the number of entries allowed in the <src-list>; however, there are practical limits that should be considered. For example, depending on the transport to be used for the session description, there may be a limit to the total size of the session description (e.g., as determined by the maximum payload in a single datagram). Also, when the source-filter is applied to control protocols, there may be a limit to the number of source addresses that can be sent. These limits are outside the scope of this document, but should be considered when defining source-filter values for SDP.
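The syntax and parsing rules above, worked through as an added example (this is not code from the RFC or its authors): a small Python parser that validates each "a=source-filter" line against the Appendix A grammar and the cross-field rules (dest-address must match a connection-address or be "*", no /ttl or /count on dest, "*" address-types only with an FQDN or "*" dest, one filter per destination per level, media-level filters overriding session-level ones), expands multi-address "c=" lines, and makes the receiver's accept/discard decision. All function and class names, the constructed sample SDP and the caller-supplied resolve callback for FQDNs are this example's own assumptions.

```python
# Added example (not the RFC's code): parse and evaluate RFC 4570 source-filter attributes.
import ipaddress
from collections import namedtuple

SF_PREFIX = "a=source-filter:"
SourceFilter = namedtuple("SourceFilter", "mode addrtype dest sources")  # dest: address, FQDN or "*"

def _as_ip(text):  # ipaddress object for an IP literal, None otherwise (e.g. an FQDN)
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def _norm(text):  # canonical form for comparisons: IP literals via ipaddress, FQDNs lower-cased
    ip = _as_ip(text)
    return str(ip) if ip is not None else text.lower()

def parse_source_filter(line):
    """Parse one 'a=source-filter: ...' line per the Appendix A grammar plus the parsing
    rules: no /ttl or /count on dest, and '*' address-types only with an FQDN or '*' dest."""
    fields = line[len(SF_PREFIX):].split() if line.startswith(SF_PREFIX) else []
    if len(fields) < 5:
        raise ValueError("expected: filter-mode nettype address-types dest-address src-list")
    mode, nettype, addrtype, dest, *sources = fields
    if mode not in ("incl", "excl") or nettype != "IN" or addrtype not in ("IP4", "IP6", "*"):
        raise ValueError(f"bad filter-mode, nettype or address-types in {line!r}")
    if "/" in dest:
        raise ValueError("dest-address must not carry /<ttl> or /<number of addresses>")
    dest_ip = _as_ip(dest)
    if dest_ip is not None and addrtype != f"IP{dest_ip.version}":  # also rejects '*' + IP literal
        raise ValueError(f"dest-address {dest} is not allowed with address-types {addrtype}")
    if any(ip is not None and ip.is_multicast for ip in map(_as_ip, sources)):
        raise ValueError("src-list entries must be unicast addresses or FQDNs")
    return SourceFilter(mode, addrtype, dest, tuple(sources))

def connection_addresses(line):
    """Expand a 'c=' line into every destination it covers (RFC 4566: IP4 multicast is
    addr/ttl[/count], IP6 multicast is addr[/count]); 224.2.1.1/127/3 -> .1, .2 and .3."""
    _nettype, addrtype, addr = line[2:].split()
    parts = addr.split("/")
    base = _as_ip(parts[0])
    if base is None:  # FQDN: nothing to expand
        return [_norm(parts[0])]
    count_idx = 2 if addrtype == "IP4" else 1
    count = int(parts[count_idx]) if len(parts) > count_idx else 1
    return [str(base + i) for i in range(count)]

def parse_sdp(text):
    """Collect connection addresses and source filters per level, then check that each
    dest names a known connection address (any level) or '*', with one filter per dest."""
    session = {"dests": [], "filters": []}
    media, level = [], session
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            level = {"dests": [], "filters": []}
            media.append(level)
        elif line.startswith("c="):
            level["dests"].extend(connection_addresses(line))
        elif line.startswith(SF_PREFIX):
            level["filters"].append(parse_source_filter(line))
    known = {d for lvl in [session, *media] for d in lvl["dests"]}
    for lvl in [session, *media]:
        covered = set()
        for f in lvl["filters"]:
            if f.dest != "*" and _norm(f.dest) not in known:
                raise ValueError(f"source-filter dest {f.dest} matches no connection-address")
            if f.dest in covered or "*" in covered or (f.dest == "*" and covered):
                raise ValueError(f"more than one source-filter at one level covers {f.dest}")
            covered.add(f.dest)
    return session, media

def accept_packet(session, media, media_index, src, dst, resolve=lambda fqdn: ()):
    """Receiver decision for one packet: media-level filters fully override session-level ones,
    no applicable filter means accept any source; FQDNs resolve via the caller's callback."""
    src_n, dst_n = _norm(src), _norm(dst)
    names = lambda s: {_norm(s)} if _as_ip(s) is not None else {_norm(r) for r in resolve(s)}
    for f in media[media_index]["filters"] or session["filters"]:
        if f.dest == "*" or dst_n in names(f.dest):
            allowed = set().union(*map(names, f.sources))
            return (src_n in allowed) == (f.mode == "incl")  # incl: must match; excl: must not
    return True

# Constructed sample from the RFC's example components: a session-level wildcard filter
# plus a media-level exclusion that overrides it for the video stream only.
EXAMPLE_SDP = """\
v=0
a=source-filter: incl IN IP4 * 192.0.2.10
m=audio 54320 RTP/AVP 0
c=IN IP4 232.2.2.2/127
m=video 54322 RTP/AVP 34
c=IN IP4 232.4.4.4/63
a=source-filter: excl IN IP4 232.4.4.4 192.0.2.99
"""

def demo():  # decisions for the sample, keyed by (media index, source, destination)
    session, media = parse_sdp(EXAMPLE_SDP)
    checks = [(0, "192.0.2.10", "232.2.2.2"), (0, "192.0.2.42", "232.2.2.2"),
              (1, "192.0.2.42", "232.4.4.4"), (1, "192.0.2.99", "232.4.4.4")]
    return {c: accept_packet(session, media, *c) for c in checks}
```

Comparing source addresses is only as strong as the address itself; as the Security Considerations note, this check is one layer, not the sole integrity mechanism.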
Here are a number of examples that illustrate how to use the source-filter attribute in some common scenarios. We use the following session description components as the starting point for the examples to follow. For each example, we show the source filter with additional relevant information and provide a brief explanation.
   <session-description> =
      v=0
      o=The King <Elvis@example.com>
      s=Elvis Impersonation
      i=All Elvis, all the time
      u=http://www.example.com/ElvisLive/
      t=0 0
      a=recvonly

   <media-description 1> =
      m=audio 54320 RTP/AVP 0

   <media-description 2> =
      m=video 54322 RTP/AVP 34
Multicast addresses in the Source-Specific Multicast [SSM] range require a single unicast sender address for each multicast destination, so the source-filter specification provides a natural fit. In this example, a session member should receive only traffic sent from 192.0.2.10 to the multicast session address 232.3.4.5.
   <session-description>
   c=IN IP4 232.3.4.5/127
   a=source-filter: incl IN IP4 232.3.4.5 192.0.2.10
   <media-description 1>
This source-filter example uses an inclusion list with a single multicast "connection-address" as the destination and single unicast address as the source. Note that the value of the connection-address matches the value specified in the connection-field.
Also note that since the connection-field is located in the session-description section, the source-filter applies to all media.
Furthermore, if the SDP description specifies an RTP session (e.g., its "m=" line(s) specify "RTP/AVP" as the transport protocol), then the "incl" specification will apply not only to RTP packets, but also to any RTCP packets that are sent to the specified multicast address. This means that, as a side effect of the "incl" specification, the only possible multicast RTCP packets will be "Sender Report" (SR) packets sent from the specified source address.
Because of this, an SDP description for a Source-Specific Multicast (SSM) RTP session SHOULD also include an
a=rtcp-unicast ...
attribute, as described in [RTCP-SSM] (section 10.1). This specifies that RTCP "Reception Report" (RR) packets are to be sent back via unicast.
Typically, an SDP session <connection-address> value is a multicast address, although it is also possible to use either a unicast address or FQDN. This example illustrates a scenario whereby a session description indicates the unicast source address 192.0.2.10 in an exclusion filter. In effect, this sample source-filter says, "destination 192.0.2.11 should accept traffic from any sender *except* 192.0.2.10."
   <session-description>
   c=IN IP4 192.0.2.11
   a=source-filter: excl IN IP4 192.0.2.11 192.0.2.10
   <media-description 1>
This source-filter example uses the wildcard "*" value for <dest-addr> to correspond to any/all <connection-address> values. Hence, the only legitimate source for traffic sent to either the 232.2.2.2 or the 232.4.4.4 multicast address is 192.0.2.10. Traffic sent from any other unicast source address should be discarded by the receiver.
   <session-description>
   a=source-filter: incl IN IP4 * 192.0.2.10
   <media-description 1>
   c=IN IP4 232.2.2.2/127
   <media-description 2>
   c=IN IP4 232.4.4.4/63
In this example, the <connection-address> specifies three multicast addresses: 224.2.1.1, 224.2.1.2, and 224.2.1.3. The first and third of these addresses are given source filters. However, in this example the second address - 224.2.1.2 - is *not* given a source filter.
   <session-description>
   c=IN IP4 224.2.1.1/127/3
   a=source-filter: incl IN IP4 224.2.1.1 192.0.2.10
   a=source-filter: incl IN IP4 224.2.1.3 192.0.2.42
   <media-description 1>
This simple example defines a single session-level source-filter that references a single IPv6 multicast destination and source pair. The IP multicast traffic sent to FF0E::11A is valid only from the unicast source address 2001:DB8:1:2:240:96FF:FE25:8EC9.
   <session-description>
   c=IN IP6 FF0E::11A/127
   a=source-filter: incl IN IP6 FF0E::11A 2001:DB8:1:2:240:96FF:FE25:8EC9
   <media-description 1>
This example illustrates use of the <addrtype> "*" wildcard, along with multicast and source FQDNs that may resolve to either an IPv6 or IPv4 address, or both. Although typically both the multicast and source addresses will be the same (either both IPv4 or both IPv6), using the wildcard for addrtype in the source filter allows asymmetry between the two addresses (so an IPv4 source address may be used with an IPv6 multicast address).
   <session-description>
   c=IN IP4 channel-1.example.com/127
   c=IN IP6 channel-1.example.com/127
   a=source-filter: incl IN * channel-1.example.com src-1.example.com
   <media-description 1>
The "source-filter" attribute is not intended to be used as an 'offer' in an SDP offer-answer exchange [OFFER], because sets of source addresses do not represent 'capabilities' or 'limitations' of the offerer, and because the offerer does not, in general, have a priori knowledge of which IP source address(es) will be included in an answer. While an answerer may include the "source-filter" attribute in his/her answer (e.g., to designate a SSM session), the answerer SHOULD ignore any "source-filter" attribute that was present in the original offer.
Defining a list of legitimate sources for a multicast destination address represents a departure from the Any-Source Multicast (ASM) model, as originally described in [IGMPv1]. The ASM model supports anonymous senders and all types of multicast applications (e.g., many-to-many). Use of a source-filter excludes some (unknown or undesirable) senders, which lends itself more to one-to-many or few-to-few type multicast applications.
Although these two models have contrasting operational characteristics and requirements, they can coexist on the same network using the same protocols. Use of source-filters do not corrupt the ASM semantics but provide more control for receivers, at their discretion.
See [SDP] for security considerations specific to the Session Description Protocol in general. The central issue relevant to using source address filters is the question of address authenticity.
Using the source IP address for authentication is weak, since addresses are often dynamically assigned and it is possible for a sender to "spoof" its source address (i.e., use one other than its own) in datagrams that it sends. Proper router configuration, however, can reduce the likelihood of "spoofed" source addresses being sent to or from a network. Specifically, border routers are encouraged to filter traffic so that datagrams with invalid source addresses are not forwarded (e.g., routers drop datagrams if the source address is non-local) [FILTERING]. This, however, does not prevent IP source addresses from being spoofed on a Local Area Network (LAN).
Also, as noted in section 3 above, tunneling or NAT mechanisms may require corresponding translation of the addresses specified in the SDP "source-filter" attribute, and furthermore, may cause a set of original source addresses to be translated to a smaller set of source addresses as seen by the receiver.
Use of FQDNs for either <dest-address> or <src-list> values provides a layer of indirection that provides great flexibility. However, it also exposes the source-filter to any security inadequacies that the DNS system may have. If unsecured, it is conceivable that the DNS server could return illegitimate addresses.
In addition, if source-filtering is implemented by sharing the source-filter information with network elements, then the security of the protocol(s) that are used for this (e.g., [IGMPv3]) becomes important, to ensure that legitimate traffic (and only legitimate traffic) is received.
For these reasons, receivers SHOULD NOT treat the SDP "source-filter" attribute as being its sole mechanism for protecting the integrity of received content.
As recommended by [SDP] (Appendix B), the new attribute name "source-filter" has been registered with IANA, as follows:
The following contact information shall be used for all registrations included here:
   Contact: Ross Finlayson
   email:   finlayson (at) live555.com
   phone:   +1-650-254-1184

SDP Attribute ("att-field"):

   Attribute name:     source-filter
   Long form:          Source Filter
   Type of name:       att-field
   Type of attribute:  Session level or media level
   Subject to charset: No
   Purpose:            See this document
   Reference:          This document
   Values:             See this document, and registrations below
The authors would like to thank Dave Thaler and Mark Handley, whose input provided much of the substance of this document. Magnus Westerlund also provided valuable feedback during editing.
[ABNF] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", RFC 4234, October 2005.
[REQMNT] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[SDP] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session Description Protocol", RFC 4566, July 2006.
[UTF-8] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, November 2003.
[FILTERING] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, May 2000.
[IGMPv1] Deering, S., "Host extensions for IP multicasting", STD 5, RFC 1112, August 1989.
[IGMPv3] Cain, B., Deering, S., Kouvelas, I., Fenner, B., and A. Thyagarajan, "Internet Group Management Protocol, Version 3", RFC 3376, October 2002.
[MSF-API] Thaler, D., Fenner, B., and B. Quinn, "Socket Interface Extensions for Multicast Source Filters", RFC 3678, January 2004.
[OFFER] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model with Session Description Protocol (SDP)", RFC 3264, June 2002.
[RTCP-SSM] Chesterfield, J., Schooler, E., and J. Ott, "RTCP Extensions for Single-Source Multicast Sessions with Unicast Feedback", Work in Progress, October 2004.
[SSM] Bhattacharyya, S., "An Overview of Source-Specific Multicast (SSM)", RFC 3569, July 2003.
This appendix provides an Augmented BNF [ABNF] grammar for expressing an exclusion or inclusion list of one or more (IPv4 or IPv6) unicast source addresses. It is intended as an extension to the grammar for the Session Description Protocol, as defined in [SDP]. Specifically, it describes the syntax for the new "source-filter" attribute field, which MAY be either a session-level or media-level attribute.
The "dest-address" value in each source-filter field MUST match an existing connection-field value, unless the wildcard connection-address value "*" is specified.
   source-filter = "source-filter" ":" SP filter-mode SP filter-spec
                   ; SP is the ASCII 'space' character
                   ; (0x20, defined in [ABNF]).

   filter-mode = "excl" / "incl"
                   ; either exclusion or inclusion mode.

   filter-spec = nettype SP address-types SP dest-address SP src-list
                   ; nettype is as defined in [SDP].

   address-types = "*" / addrtype
                   ; "*" for all address types (both IP4 and IP6),
                   ; but only when <dest-address> and <src-list>
                   ; reference FQDNs.
                   ; addrtype is as defined in [SDP].

   dest-address = "*" / basic-multicast-address / unicast-address
                   ; "*" applies to all connection-address values.
                   ; unicast-address is as defined in [SDP].

   src-list = *(unicast-address SP) unicast-address
                   ; one or more unicast source addresses (in
                   ; standard IPv4 or IPv6 ASCII-notation form)
                   ; or FQDNs.
                   ; unicast-address is as defined in [SDP].

   basic-multicast-address = basic-IP4-multicast / basic-IP6-multicast /
                             FQDN / extn-addr
                   ; i.e., the same as multicast-address
                   ; defined in [SDP], except that the
                   ; /<ttl> and /<number of addresses>
                   ; fields are not included.
                   ; FQDN and extn-addr are as defined
                   ; in [SDP].

   basic-IP4-multicast = m1 3( "." decimal-uchar )
                   ; m1 and decimal-uchar are as defined
                   ; in [SDP].

   basic-IP6-multicast = hexpart
                   ; hexpart is as defined in [SDP].
Authors' Addresses
   Bob Quinn
   BoxnArrow.com
   31 Caldwell Road
   Waltham, MA 02453

   Phone: +1-781-577-1539
   EMail: rcq@boxnarrow.com

   Ross Finlayson
   Live Networks, Inc.
   650 Castro St., suite 120-196
   Mountain View, CA 94041

   EMail: finlayson@live555.com
Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).