Independent Submission                                      M. Boucadair
Request for Comments: 6431                                      P. Levis
Category: Informational                                   France Telecom
ISSN: 2070-1721                                                 G. Bajko
                                                           T. Savolainen
                                                                   Nokia
                                                                 T. Tsou
                                              Huawei Technologies (USA)
                                                           November 2011
Huawei Port Range Configuration Options for PPP IP Control Protocol (IPCP)
Abstract
This document defines two Huawei IPCP (IP Control Protocol) options used to convey a set of ports. These options can be used in the context of port range-based solutions or NAT-based solutions for port delegation and forwarding purposes.
Status of This Memo
This document is not an Internet Standards Track specification; it is published for informational purposes.
This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6431.
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
Table of Contents
   1. Introduction
      1.1. Use Cases
      1.2. Terminology
      1.3. Requirements Language
   2. Port Range Options
      2.1. Description of Port Range Value and Port Range Mask
      2.2. Cryptographically Random Port Range Option
           2.2.1. Random Port Delegation Function
           2.2.2. Description of Cryptographically Random Port Range Option
      2.3. Illustration Examples
           2.3.1. Overview
           2.3.2. Successful Flow: Port Range Options Supported by Both the Client and the Server
           2.3.3. Port Range Option Not Supported by the Server
           2.3.4. Port Range Option Not Supported by the Client
   3. Security Considerations
   4. Contributors
   5. Acknowledgements
   6. References
      6.1. Normative References
      6.2. Informative References
1. Introduction

Within the context of IPv4 address depletion, several solutions have been investigated to share IPv4 addresses. Two flavors can be distinguished: NAT-based solutions (e.g., Carrier-Grade NAT (CGN) [CGN-REQS]) and port range-based solutions (e.g., [RFC6346] [PORT-RANGE-ARCH] [SAM]). Port range-based solutions do not require an additional NAT level in the service provider's domain. Several means may be used to convey port range information.
This document defines the notion of "Port Mask", which is generic and flexible. Several allocation schemes may be implemented when using a Port Mask. It proposes a basic mechanism that allows the allocation of a unique port range to a requesting client. This document defines Huawei IPCP options to be used to carry port range information.
IPv4 address exhaustion is only provided as an example of the usage of the PPP IPCP options defined in this document. In particular, Port Range options may be used independently of the presence of the IP-Address IPCP Option.
This document adheres to the considerations defined in [RFC2153].
This document is not a product of the PPPEXT working group.
Note that IPR disclosures apply to this document (see https://datatracker.ietf.org/ipr/).
1.1. Use Cases

Port Range options can be used in port range-based solutions (e.g., [RFC6346]) or in a CGN-based solution. These options can be used in a CGN context to bypass the NAT (i.e., for transparent NAT traversal, and to avoid involving several NAT levels in the path) or to delegate one or a set of ports to the requesting client (e.g., to avoid the ALG (Application Level Gateway), or for port forwarding).
Section 3.3.1 of [RFC6346] specifies an example of usage of the options defined in this document.
1.2. Terminology

To differentiate between a port range containing a contiguous span of port numbers and a port range with non-contiguous and possibly random port numbers, the following denominations are used:
o Contiguous Port Range: A set of port values that form a contiguous sequence.
o Non-Contiguous Port Range: A set of port values that do not form a contiguous sequence.
o Random Port Range: A cryptographically random set of port values.
Unless explicitly mentioned, "Port Mask" refers to the tuple (Port Range Value, Port Range Mask).
In addition, this document makes use of the following terms:
o Delegated port or delegated port range: A port or a range of ports that belong to an IP address managed by an upstream device (such as NAT) and that are delegated to a client for use as the source address and port when sending packets.
o Forwarded port or forwarded port range: A port or a range of ports that belong to an IP address managed by an upstream device (such as a NAT) and that are statically mapped to the internal IP address of the client and to the same port number on the client.
This memo uses the same terminology as [RFC1661].
1.3. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
2. Port Range Options

This section defines the IPCP options for port range delegation. The format of vendor-specific options is defined in [RFC2153]. Below are the values to be conveyed when a Port Range Option is used:
o Organizationally Unique Identifier (OUI): This field is set to 781DBA (hex).
o Kind: This field is set to F0 (hex).
o Value(s): The content of this field is specified in Sections 2.1 and 2.2.2.
2.1. Description of Port Range Value and Port Range Mask

The Port Range Value and Port Range Mask are used to specify one range of ports (contiguous or non-contiguous) pertaining to a given IP address. Concretely, the Port Range Mask and Port Range Value are used to notify a remote peer about the Port Mask to be applied when selecting a port value as a source port. The Port Range Value is used to infer a set of allowed port values. A Port Range Mask defines a set of ports that all have in common a subset of pre-positioned bits. This set of ports is also referred to as the port range.
Two port numbers are said to belong to the same port range if and only if, under a given Port Range Mask, they carry the same Port Range Value (i.e., their bits at the positions marked by the Port Range Mask are identical).
A Port Mask is composed of a Port Range Value and a Port Range Mask:
o The Port Range Value indicates the value of the significant bits of the Port Mask. The Port Range Value is coded as follows:
* The significant bits may take a value of 0 or 1.
* All of the other bits (i.e., non-significant ones) are set to 0.
o The Port Range Mask indicates, by the bit(s) set to 1, the position of the significant bits of the Port Range Value.
This IPCP Configuration Option provides a way to negotiate the Port Range to be used on the local end of the link. It allows the sender of the Configure-Request message to state which port range associated with a given IP address is desired, or to request that the peer provide the configuration. The peer can provide this information by NAKing the option, and returning a valid port range (i.e., (Port Range Value, Port Range Mask)).
If a peer issues a request enclosing the IPCP Port Range Option and the server does not support this option, the Port Range Option is rejected by the server.
The set of ports conveyed in an IPCP Port Range Option applies to all transport protocols.
The set of ports conveyed in an IPCP Port Range Option is revoked when the link is no longer up (e.g., when Terminate-Request and Terminate-Ack are exchanged).
The Port Range IPCP option adheres to the format defined in Section 2.1 of [RFC2153]. The "Value(s)" field of the option defined in [RFC2153] when conveying the Port Range IPCP Option is provided in Figure 1.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |M|          Reserved           |       Port Range Value        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Port Range Mask        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Most significant bit (MSB) network order is used for encoding the Port Range Value and Port Range Mask fields.

Figure 1: Format of the Port Range IPCP Option
o M: mode bit. The mode bit indicates the mode for which the port range is allocated. A value of zero indicates that the port ranges are delegated, while a value of 1 indicates that the port ranges are port-forwarded.
o Port Range Value (PRV): The PRV indicates the value of the significant bits of the Port Mask. By default, no PRV is assigned.
o Port Range Mask (PRM): The Port Range Mask indicates the position of the bits that are used to build the Port Range Value. By default, no PRM value is assigned. The 1 values in the Port Range Mask indicate by their position the significant bits of the Port Range Value.
Figure 2 provides an example of the resulting port range:
- The Port Range Mask is set to 0001010000000000 (5120).
- The Port Range Value is set to 0000010000000000 (1024).
                0                   1
                0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
               |0 0 0 1 0 1 0 0 0 0 0 0 0 0 0 0| Port Range Mask
               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                      |   |
                      |   | (two significant bits)
                      v   v
               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
               |0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0| Port Range Value
               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
               |x x x 0 x 1 x x x x x x x x x x| Usable ports
               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
               (x may be set to 0 or 1)

Figure 2: Example of Port Range Mask and Port Range Value
Port values belonging to this port range must have the fourth bit from the left set to 0, and the sixth bit from the left set to 1. Only these port values will be used by the peer when enforcing the configuration conveyed by PPP IPCP.
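The Port Mask rules of Section 2.1 and the Figure 1 layout, as an added Python example that is not part of RFC 6431: it validates a (PRV, PRM) pair, tests a port for membership, expands the mask into its contiguous spans (reproducing Figure 2, and the 128 spans of 16 ports that the Figure 4 values PRV=80, PRM=496 yield), and encodes/decodes the 6-octet Value(s) inside the RFC 2153 vendor-specific option envelope using the OUI and Kind given above. The OUI, Kind and field layout come from this document; the function names and the decision to ignore Reserved bits on receipt are this example's own.

```python
import struct

HUAWEI_OUI = bytes.fromhex("781DBA")   # OUI from Section 2
PORT_RANGE_KIND = 0xF0                 # Kind from Section 2
VENDOR_SPECIFIC_TYPE = 0               # RFC 2153 vendor-specific option Type


def is_valid_port_mask(prv: int, prm: int) -> bool:
    """Section 2.1: both fields are 16 bits, and every non-significant bit of
    the PRV (a 0 bit in the PRM) must itself be 0."""
    if not (0 <= prv <= 0xFFFF and 0 <= prm <= 0xFFFF):
        return False
    return (prv & ~prm & 0xFFFF) == 0


def in_port_range(port: int, prv: int, prm: int) -> bool:
    """A port belongs to the range when its bits at the PRM positions equal the PRV."""
    return 0 <= port <= 0xFFFF and (port & prm) == prv


def contiguous_subranges(prv: int, prm: int) -> list:
    """Expand a Port Mask into sorted (first, last) spans of contiguous ports by
    enumerating every setting of the free (non-significant) bits."""
    if not is_valid_port_mask(prv, prm):
        raise ValueError("invalid Port Mask: PRV has bits outside the PRM")
    free_bits = [b for b in range(16) if not (prm >> b) & 1]
    ports = sorted(
        prv | sum(((i >> k) & 1) << b for k, b in enumerate(free_bits))
        for i in range(1 << len(free_bits))
    )
    spans = []
    for p in ports:
        if spans and spans[-1][1] == p - 1:
            spans[-1][1] = p          # extend the current contiguous span
        else:
            spans.append([p, p])      # start a new span
    return [tuple(s) for s in spans]


def encode_port_range_option(prv: int, prm: int, forwarded: bool = False) -> bytes:
    """Whole RFC 2153 option: Type=0, Length, OUI, Kind, then the 6-octet
    Value(s) of Figure 1 (M bit, 15 Reserved bits, PRV, PRM; network order)."""
    if not is_valid_port_mask(prv, prm):
        raise ValueError("invalid Port Mask")
    values = struct.pack("!HHH", int(forwarded) << 15, prv, prm)
    body = HUAWEI_OUI + bytes([PORT_RANGE_KIND]) + values
    return bytes([VENDOR_SPECIFIC_TYPE, 2 + len(body)]) + body


def decode_port_range_option(option: bytes) -> tuple:
    """Parse and validate a received option; returns (forwarded, prv, prm).
    Reserved bits are ignored on receipt (an assumption; the RFC does not assign them)."""
    if len(option) != 12 or option[0] != VENDOR_SPECIFIC_TYPE or option[1] != 12:
        raise ValueError("bad Type or Length for a Port Range Option")
    if option[2:5] != HUAWEI_OUI or option[5] != PORT_RANGE_KIND:
        raise ValueError("not the Huawei Port Range Option")
    m_res, prv, prm = struct.unpack("!HHH", option[6:])
    if not is_valid_port_mask(prv, prm):
        raise ValueError("peer sent a PRV with non-significant bits set")
    return bool(m_res >> 15), prv, prm


if __name__ == "__main__":
    # Figure 2: PRM 0001010000000000 (5120), PRV 0000010000000000 (1024)
    for first, last in contiguous_subranges(1024, 5120)[:3]:
        print(f"{first}-{last}")
    # Figure 4 values: PRV=80, PRM=496 give 128 spans of 16 ports each
    spans = contiguous_subranges(80, 496)
    print(len(spans), spans[0], spans[1], spans[-1])
    print(encode_port_range_option(80, 496).hex())
```

Rejecting a PRV with bits set outside the PRM on receipt matters in practice: a peer that accepted such a value silently would compute a port set different from the one the sender intended, and the two ends of the link would disagree on which source ports are legitimate.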
2.2. Cryptographically Random Port Range Option

A cryptographically random Port Range Option may be used as a mitigation tool against blind attacks such as those described in [RFC6056].
2.2.1. Random Port Delegation Function

Delegating random ports can be achieved by defining a function that takes as input a key 'K' and an integer 'x' within the 1024-65535 port range and produces an output 'y' also within the 1024-65535 port range.
The cryptographic mechanism uses the 1024-65535 port range rather than the ephemeral range, 49152-65535, for generating a set of ports to optimize IPv4 address utilization efficiency (see "Appendix B. Address Space Multiplicative Factor" of [RFC6269]). This behavior is compliant with the recommendation to use the whole 1024-65535 port range for the ephemeral port selection algorithms (see Section 3.2 of [RFC6056]).
The cryptographic mechanism ensures that the entire 64k port range can be efficiently distributed to multiple nodes such that when nodes calculate the ports, the results will never overlap with ports that other nodes have calculated (property of permutation), and ports in the reserved range (smaller than 1024) are not used. As the randomization is done cryptographically, an attacker seeing a node using some port X cannot determine which other ports the node may be using (as the attacker does not know the key). Calculation of the random port list is done as follows:
The cryptographic mechanism uses an encryption function y = E(K,x) that takes as input a key K (for example, 128 bits) and an integer x (the plaintext) in the 1024-65535 port range, and produces an output y (the ciphertext), also an integer in the 1024-65535 port range. This section describes one such encryption function, but others are also possible.
The server will select the key K. When the server wants to allocate, for example, 2048 random ports, it selects a starting point 'a' (1024 <= a <= 65536-2048) such that the plaintext range a .. a+2047 does not overlap with the range given to any other active client, and calculates the values E(K,a), E(K,a+1), E(K,a+2), ..., E(K,a+2046), E(K,a+2047). These are the port numbers allocated for this node. Instead of sending the port numbers individually, the server just sends the values 'K', 'a', and '2048'. The client then repeats the same calculation.
The server SHOULD use a different key K for each IPv4 address it allocates, to make attacks as difficult as possible. This way, learning the key K used in IPv4 address IP1 would not help in attacking IPv4 address IP2 where IP2 is allocated by the same server to different nodes.
With typical encryption functions (such as AES and DES), the input (plaintext) and output (ciphertext) are blocks of some fixed size -- for example, 128 bits for AES, and 64 bits for DES. For port randomization, we need an encryption function whose input and output is an integer in the 1024-65535 port range.
One possible way to do this is to use the 'Generalized Feistel Cipher' [CIPHERS] construction by Black and Rogaway, with AES as the underlying round function.
This would look as follows (using pseudo-code):
   def E(k, x):
       y = Feistel16(k, x)
       if y >= 1024:
           return y
       else:
           return E(k, y)
Note that although E(k,x) is recursive, it is guaranteed to terminate. The average number of iterations is just slightly over 1.
Feistel16 is a 16-bit block cipher:
   def Feistel16(k, x):
       left = x & 0xff
       right = x >> 8
       for round = 1 to 3:
           temp = left ^ FeistelRound(k, round, right)
           left = right
           right = temp
       return (right << 8) | left
The Feistel round function uses:
   def FeistelRound(k, round, x):
       msg[0] = round
       msg[1] = x
       msg[2...15] = 0
       return AES(k, msg)[0]
Performance: To generate a list of 2048 port numbers, about 6000 calls to AES are required (i.e., encrypting 96 kilobytes). Thus, it will not be a problem for any device that can do, for example, HTTPS (web browsing over Secure Sockets Layer/Transport Layer Security (SSL/TLS)).
2.2.2. Description of Cryptographically Random Port Range Option

The cryptographically random Port Range IPCP Option adheres to the format defined in Section 2.1 of [RFC2153]. The "Value(s)" field of the option defined in [RFC2153] when conveying the cryptographically random Port Range IPCP Option is illustrated in Figure 3.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |M|          Reserved           |           function            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        starting point         |   number of delegated ports   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                            key K                            ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   ...                                                           ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   ...                                                           ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   ...                                                             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 3: Format of the Cryptographically Random Port Range Option
o M: mode bit. The mode bit indicates the mode for which the port range is allocated. A value of zero indicates that the port ranges are delegated, while a value of 1 indicates that the port ranges are port-forwarded.
o Function: A 16-bit field whose value is associated with predefined encryption functions. This specification associates value 1 with the predefined function described in Section 2.2.1.
o Starting Point: A 16-bit value used as an input to the specified function.
o Number of delegated ports: A 16-bit value specifying the number of ports delegated to the client for use as source port values.
o Key K: A 128-bit key used as input to the predefined function for delegated port calculation.
When the option is included in the IPCP Configure-Request, the "Key K" and "Starting Point" fields SHALL be set to all zeros. The requester MAY indicate in the "Function" field which encryption function the requester prefers, and in the "Number of Delegated Ports" field the number of ports the requester would like to obtain. If the requester has no preference, it SHALL also set the "Function" field and/or "Number of Delegated Ports" field to zero.
The usage of the option in IPCP message negotiation (Request/Reject/ Nak/Ack) follows the logic described for Port Mask and Port Range options in Section 2.1.
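The construction of Section 2.2.1 and the Figure 3 encoding of Section 2.2.2, as an added Python example that is not part of RFC 6431. It implements Feistel16 with cycle walking, a server that hands out (K, a, n) per shared IPv4 address with non-overlapping starting points, and the client's recomputation of the delegated set. One substitution is made: the round function uses HMAC-SHA256 rather than AES so that the example runs with the Python standard library alone; RFC 6431 specifies AES(k, msg)[0], and a conforming implementation must use it. PortServer and two_clients_demo are hypothetical names introduced by this example.

```python
import hashlib
import hmac
import secrets
import struct

RESERVED_LIMIT = 1024      # ports below 1024 are never delegated (Section 2.2.1)
FUNCTION_FEISTEL = 1       # "Function" value the RFC assigns to the Section 2.2.1 construction


def feistel_round(key: bytes, rnd: int, half: int) -> int:
    """RFC: AES(k, msg)[0] with msg = [round, x, 0...0]. Assumption: HMAC-SHA256
    stands in for AES here so that the example needs only the standard library."""
    msg = bytes([rnd, half]) + bytes(14)
    return hmac.digest(key, msg, hashlib.sha256)[0]


def feistel16(key: bytes, x: int) -> int:
    """Three-round Feistel network on 8-bit halves: a permutation of 0..65535."""
    left, right = x & 0xFF, x >> 8
    for rnd in range(1, 4):
        left, right = right, left ^ feistel_round(key, rnd, right)
    return (right << 8) | left


def E(key: bytes, x: int) -> int:
    """Cycle walking: re-encrypt until the result is >= 1024. This terminates because
    feistel16 is a permutation and x is itself >= 1024; each extra step happens with
    probability 1024/65536, so about 1.016 cipher calls on average."""
    if not RESERVED_LIMIT <= x <= 0xFFFF:
        raise ValueError("x must lie in 1024..65535")
    y = feistel16(key, x)
    while y < RESERVED_LIMIT:
        y = feistel16(key, y)
    return y


def delegated_ports(key: bytes, start: int, count: int) -> set:
    """Both peers compute the same set {E(K,a), ..., E(K,a+count-1)}."""
    if count <= 0 or start < RESERVED_LIMIT or start + count - 1 > 0xFFFF:
        raise ValueError("starting point/count must stay within 1024..65535")
    return {E(key, x) for x in range(start, start + count)}


def encode_random_option_values(function: int, start: int, count: int,
                                key: bytes, forwarded: bool = False) -> bytes:
    """The 24-octet Value(s) field of Figure 3: M bit + 15 Reserved bits, Function,
    Starting Point, Number of Delegated Ports (16 bits each, network order) and K."""
    if len(key) != 16:
        raise ValueError("K is a 128-bit key")
    return struct.pack("!HHHH", int(forwarded) << 15, function, start, count) + key


def decode_random_option_values(values: bytes) -> tuple:
    """Inverse of the above; returns (forwarded, function, start, count, key)."""
    if len(values) != 24:
        raise ValueError("Value(s) of this option is 24 octets")
    m_res, function, start, count = struct.unpack("!HHHH", values[:8])
    if function != FUNCTION_FEISTEL:
        raise ValueError("unknown Function value %d" % function)
    return bool(m_res >> 15), function, start, count, values[8:]


class PortServer:
    """Hypothetical BRAS-side allocator (not in the RFC): one key K per IPv4 address,
    as Section 2.2.1 recommends, and non-overlapping starting points so that clients
    sharing an address never compute overlapping port sets."""

    def __init__(self):
        self.keys = {}        # ipv4 address -> K
        self.allocated = {}   # ipv4 address -> [(start, count), ...]

    def allocate(self, ipv4: str, count: int) -> bytes:
        key = self.keys.setdefault(ipv4, secrets.token_bytes(16))
        used = self.allocated.setdefault(ipv4, [])
        start = RESERVED_LIMIT
        for s, c in sorted(used):          # first free gap of 'count' plaintexts
            if start + count <= s:
                break
            start = max(start, s + c)
        if start + count - 1 > 0xFFFF:
            raise RuntimeError("no ports left on " + ipv4)
        used.append((start, count))
        return encode_random_option_values(FUNCTION_FEISTEL, start, count, key)


def two_clients_demo(count: int = 2048) -> tuple:
    """Server delegates 'count' ports to two clients on one shared address; each
    client decodes its option and recomputes its set. Returns both sets."""
    server = PortServer()
    sets = []
    for _ in range(2):
        _, _, start, n, key = decode_random_option_values(server.allocate("192.0.2.1", count))
        sets.append(delegated_ports(key, start, n))
    return tuple(sets)
```

Two properties are worth checking in any implementation of this scheme: feistel16 must be a bijection on 0..65535 for every key (a Feistel network is, whatever the round function), and the sets computed for disjoint plaintext ranges under the same K must therefore be disjoint. The cycle-walking step preserves both, since it only re-maps outputs that fell into the reserved range.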
2.3. Illustration Examples

2.3.1. Overview

The following flows provide examples of the usage of IPCP to convey the Port Range Option. As illustrated in Figures 4, 5, and 6, IPCP messages are exchanged between a Host and a BRAS (Broadband Remote Access Server).
2.3.2. Successful Flow: Port Range Options Supported by Both the Client and the Server
The following message exchange (Figure 4) depicts a successful IPCP configuration operation where the Port Range IPCP Option is used.
   +-----+                                        +-----+
   | Host|                                        | BRAS|
   +-----+                                        +-----+
      |                                              |
      |  (1) IPCP Configure-Request                  |
      |      IP ADDRESS=0.0.0.0                      |
      |      PORT RANGE VALUE=0                      |
      |      PORT RANGE MASK=0                       |
      |=============================================>|
      |                                              |
      |  (2) IPCP Configure-Nak                      |
      |      IP ADDRESS=a.b.c.d                      |
      |      PORT RANGE VALUE=80                     |
      |      PORT RANGE MASK=496                     |
      |<=============================================|
      |                                              |
      |  (3) IPCP Configure-Request                  |
      |      IP ADDRESS=a.b.c.d                      |
      |      PORT RANGE VALUE=80                     |
      |      PORT RANGE MASK=496                     |
      |=============================================>|
      |                                              |
      |  (4) IPCP Configure-Ack                      |
      |      IP ADDRESS=a.b.c.d                      |
      |      PORT RANGE VALUE=80                     |
      |      PORT RANGE MASK=496                     |
      |<=============================================|
      |                                              |

Figure 4: Successful Flow
The main steps of this flow are listed below:
(1) The Host sends a first Configure-Request, which includes the set of options it desires to negotiate. All of these configuration options are negotiated simultaneously. In this step, the Configure-Request carries information about the IP address, the Port Range Value, and the Port Range Mask. The IP-Address Option is set to 0.0.0.0, the Port Range Value is set to 0, and the Port Range Mask is set to 0.
(2) The BRAS sends back a Configure-Nak and sets the enclosed options to its preferred values. In this step, the IP-Address Option is set to a.b.c.d, the Port Range Value is set to 80, and the Port Range Mask is set to 496.
(3) The Host re-sends a Configure-Request requesting that the IP-Address Option be set to a.b.c.d, the Port Range Value be set to 80, and the Port Range Mask be set to 496.
(4) The BRAS sends a Configure-Ack message.
As a result of this exchange, the Host is configured to use a.b.c.d as its local IP address, and the following 128 contiguous port ranges resulting from the Port Mask (Port Range Value == 80, Port Range Mask == 496):
- from 80 to 95
- from 592 to 607
- ...
- from 65104 to 65119
2.3.3. Port Range Option Not Supported by the Server

Figure 5 depicts an exchange of messages where the BRAS does not support the IPCP Port Range Option.
   +-----+                                        +-----+
   | Host|                                        | BRAS|
   +-----+                                        +-----+
      |                                              |
      |  (1) IPCP Configure-Request                  |
      |      IP ADDRESS=0.0.0.0                      |
      |      PORT RANGE VALUE=0                      |
      |      PORT RANGE MASK=0                       |
      |=============================================>|
      |                                              |
      |  (2) IPCP Configure-Reject                   |
      |      PORT RANGE VALUE=0                      |
      |      PORT RANGE MASK=0                       |
      |<=============================================|
      |                                              |
      |  (3) IPCP Configure-Request                  |
      |      IP ADDRESS=0.0.0.0                      |
      |=============================================>|
      |                                              |
      |  (4) IPCP Configure-Nak                      |
      |      IP ADDRESS=a.b.c.d                      |
      |<=============================================|
      |                                              |
      |  (5) IPCP Configure-Request                  |
      |      IP ADDRESS=a.b.c.d                      |
      |=============================================>|
      |                                              |
      |  (6) IPCP Configure-Ack                      |
      |      IP ADDRESS=a.b.c.d                      |
      |<=============================================|
      |                                              |

Figure 5: Failed Flow: Port Range Option Not Supported by the Server
The main steps of this flow are listed below:
(1) The Host sends a first Configure-Request, which includes the set of options it desires to negotiate. All of these configuration options are negotiated simultaneously. In this step, the Configure-Request carries the codes of the IP-Address, Port Range Value, and Port Range Mask options. The IP-Address Option is set to 0.0.0.0, the Port Range Value is set to 0, and the Port Range Mask is set to 0.
(2) The BRAS sends back a Configure-Reject to decline the Port Range Option.
(3) The Host sends a Configure-Request, which includes only the codes of the IP-Address Option. In this step, the IP-Address Option is set to 0.0.0.0.
(4) The BRAS sends back a Configure-Nak and sets the enclosed option to its preferred value. In this step, the IP-Address Option is set to a.b.c.d.
(5) The Host re-sends a Configure-Request requesting that the IP-Address Option be set to a.b.c.d.
(6) The BRAS sends a Configure-Ack message.
As a result of this exchange, the Host is configured to use a.b.c.d as its local IP address. This IP address is not a shared IP address.
2.3.4. Port Range Option Not Supported by the Client

Figure 6 depicts exchanges where only shared IP addresses are assigned to end-users' devices. The server is configured to assign only shared IP addresses. If Port Range options are not enclosed in the configuration request, the request is rejected, and the requesting peer will be unable to access the service.
+-----+ +-----+ | Host| | BRAS| +-----+ +-----+ | | | (1) IPCP Configure-Request | | IP ADDRESS=0.0.0.0 | |===============================================>| | | | (2) IPCP Protocol-Reject | |<===============================================| | |
+-----+ +-----+ | Host| | BRAS| +-----+ +-----+ | | | (1) IPCP Configure-Request | | IP ADDRESS=0.0.0.0 | |===============================================>| | | | (2) IPCP Protocol-Reject | |<===============================================| | |
Figure 6: Port Range Option Not Supported by the Client
The main steps of this flow are listed below:
(1) The Host sends a Configure-Request requesting that the IP-Address Option be set to 0.0.0.0, and without enclosing the Port Range Option.
(2) The BRAS sends a Protocol-Reject message.
As a result of this exchange, the Host is not able to access the service.
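The two exchanges above (Figure 5: options declined, address negotiated via Configure-Nak; Figure 6: Protocol-Reject when the Port Range options are missing) as a runnable model, added here and not part of the RFC. Options are kept symbolic (name to value) and the Host follows the RFC 1661 option loop; the vendor-specific wire encoding of the Port Range options is deliberately not modelled, and Bras, negotiate, figure5 and figure6 are illustrative names.

```python
from __future__ import annotations
from dataclasses import dataclass

IP_ADDRESS = "IP-Address"
PORT_RANGE_VALUE = "Port Range Value"
PORT_RANGE_MASK = "Port Range Mask"
# Step (1) of Figure 5: every option the Host wants, all set to zero.
HOST_WANTS = {IP_ADDRESS: "0.0.0.0", PORT_RANGE_VALUE: 0, PORT_RANGE_MASK: 0}


@dataclass
class Bras:
    """Address-assigning peer; the two flags select the Figure 5 and Figure 6 policies."""
    assigned_ip: str
    supports_port_range: bool  # False: Configure-Reject the Port Range options (Figure 5)
    shared_only: bool          # True: Protocol-Reject a request that lacks them (Figure 6)

    def handle(self, request: dict) -> tuple[str, dict]:
        port_range = {k: v for k, v in request.items() if k != IP_ADDRESS}
        if self.shared_only and not port_range:
            return "Protocol-Reject", {}
        if port_range and not self.supports_port_range:
            return "Configure-Reject", port_range
        if request.get(IP_ADDRESS) != self.assigned_ip:
            return "Configure-Nak", {IP_ADDRESS: self.assigned_ip}
        return "Configure-Ack", dict(request)


def negotiate(bras: Bras, wanted: dict, max_rounds: int = 10) -> tuple[list, dict | None]:
    """Host side of the RFC 1661 option loop: (message trace, agreed options or None)."""
    request, trace = dict(wanted), []
    for _ in range(max_rounds):
        trace.append(("Configure-Request", dict(request)))
        reply, opts = bras.handle(request)
        trace.append((reply, dict(opts)))
        if reply == "Configure-Ack":
            return trace, request
        if reply == "Protocol-Reject":
            return trace, None  # no IPCP service for this Host
        if reply == "Configure-Reject":
            for name in opts:  # drop the options the peer will not negotiate
                request.pop(name, None)
        elif reply == "Configure-Nak":
            request.update(opts)  # adopt the peer's preferred values
    raise RuntimeError("IPCP negotiation did not converge")


def figure5():
    """BRAS without Port Range support: Reject, Nak to a.b.c.d, then Ack."""
    return negotiate(Bras("a.b.c.d", supports_port_range=False, shared_only=False), HOST_WANTS)


def figure6():
    """Shared-address-only BRAS and a Host that omits the Port Range options."""
    return negotiate(Bras("a.b.c.d", supports_port_range=True, shared_only=True),
                     {IP_ADDRESS: "0.0.0.0"})
```

figure5() yields exactly the six messages of the numbered steps and ends with the Host holding a.b.c.d; figure6() stops after the Protocol-Reject with no configuration at all.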
This document does not introduce any security issues in addition to those related to PPP. Service providers should use authentication mechanisms such as the Challenge Handshake Authentication Protocol (CHAP) [RFC1994] or PPP link encryption [RFC1968].
The use of small and non-random port ranges may increase host exposure to attacks, as described in [RFC6056]. This risk can be reduced by using larger port ranges, by using the random Port Range Option, or by activating means to improve the robustness of TCP against blind in-window attacks [RFC5961].
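The arithmetic behind that advice, as an added example that is not part of the RFC. It assumes the convention of the port range architecture, where the Port Range Mask marks the fixed bits of a port and the Port Range Value supplies them, so a port belongs to the Host's range when (port & mask) == (value & mask); range_size, is_contiguous, pick_ephemeral_port and exposure are illustrative names.

```python
import secrets

MAX_PORT = 0xFFFF


def in_range(port: int, value: int, mask: int) -> bool:
    """A port is inside the delegated range when its masked bits equal the value's."""
    return (port & mask) == (value & mask)


def range_size(mask: int) -> int:
    """Ports available to the Host: one per combination of the mask's zero bits."""
    return 1 << (16 - bin(mask & MAX_PORT).count("1"))


def is_contiguous(mask: int) -> bool:
    """True when the fixed bits are the high-order bits, i.e. the range is one
    consecutive block (0xFC00 -> 1024 adjacent ports); a 'random' range scatters
    the fixed bits (0xA5A5) so its 256 ports are spread over the whole port space."""
    free = ~mask & MAX_PORT
    return free & (free + 1) == 0


def pick_ephemeral_port(value: int, mask: int, floor: int = 1024) -> int:
    """Pick a port uniformly at random inside the range (RFC 6056 style), staying
    at or above `floor` to avoid well-known ports; the free bits are the only
    entropy, so a small range means few candidates."""
    fixed, free = value & mask, ~mask & MAX_PORT
    if (fixed | free) < floor:
        raise ValueError("delegated range lies entirely below the ephemeral floor")
    while True:
        port = fixed | (secrets.randbits(16) & free)
        if port >= floor:
            return port


def exposure(mask: int) -> dict:
    """What an off-path attacker who knows the Host's range faces: the odds that
    one blind port guess hits, and whether the range is a single contiguous block."""
    size = range_size(mask)
    return {"ports": size, "contiguous": is_contiguous(mask), "guess_odds": 1 / size}
```

A mask of 0xFFFF leaves a single port and a blind guess always succeeds; widening the range (fewer fixed bits) or scattering the fixed bits is exactly what the paragraph recommends.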
Jean-Luc Grimault and Alain Villefranque contributed to this document.
The authors would like to thank C. Jacquenet, J. Carlson, B. Carpenter, M. Townsley, and J. Arkko for their review.
[RFC1661] Simpson, W., Ed., "The Point-to-Point Protocol (PPP)", STD 51, RFC 1661, July 1994.
[RFC1968] Meyer, G., "The PPP Encryption Control Protocol (ECP)", RFC 1968, June 1996.
[RFC1994] Simpson, W., "PPP Challenge Handshake Authentication Protocol (CHAP)", RFC 1994, August 1996.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2153] Simpson, W., "PPP Vendor Extensions", RFC 2153, May 1997.
[RFC5961] Ramaiah, A., Stewart, R., and M. Dalal, "Improving TCP's Robustness to Blind In-Window Attacks", RFC 5961, August 2010.
[CGN-REQS] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa, A., and H. Ashida, "Common requirements for Carrier Grade NAT (CGN)", Work in Progress, October 2011.
[CIPHERS] Black, J. and P. Rogaway, "Ciphers with Arbitrary Finite Domains. Topics in Cryptology", CT-RSA 2002, Lecture Notes in Computer Science, vol. 2271, 2002.
[PORT-RANGE-ARCH] Boucadair, M., Ed., Levis, P., Bajko, G., and T. Savolainen, "IPv4 Connectivity Access in the Context of IPv4 Address Exhaustion: Port Range based IP Architecture", Work in Progress, July 2009.
[RFC6056] Larsen, M. and F. Gont, "Recommendations for Transport-Protocol Port Randomization", BCP 156, RFC 6056, January 2011.
[RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and P. Roberts, "Issues with IP Address Sharing", RFC 6269, June 2011.
[RFC6346] Bush, R., Ed., "The Address plus Port (A+P) Approach to the IPv4 Address Shortage", RFC 6346, August 2011.
[SAM] Despres, R., "Scalable Multihoming across IPv6 Local-Address Routing Zones Global-Prefix/Local-Address Stateless Address Mapping (SAM)", Work in Progress, July 2009.
Authors' Addresses
Mohamed Boucadair France Telecom Rennes 35000 France
EMail: mohamed.boucadair@orange.com
Pierre Levis France Telecom Caen France
EMail: pierre.levis@orange.com
Gabor Bajko Nokia
EMail: gabor.bajko@nokia.com
Teemu Savolainen Nokia
EMail: teemu.savolainen@nokia.com
Tina Tsou Huawei Technologies (USA) 2330 Central Expressway Santa Clara, CA 95050 USA
Phone: +1 408 330 4424 EMail: tina.tsou.zouting@huawei.com