rfc3304.txt

RFC 的详细文档！

   action required is to proceed without the unknown attribute being
   taken into account or the request is to be rejected.  Where
   attributes may be ignored if not understood, a means may be provided
   to inform the client about what has been ignored.

   This states that failure modes must be robust, providing sufficient
   information for the agent or middlebox, to be able to accommodate the
   failure or to retry with a new option that is more likely to succeed.

2.2.6.

   To enable management systems to interact with the Midcom environment,
   the protocol must include failure reasons that allow the Midcom Agent
   behavior to be modified as a result of the information contained in
   the reason.  Failure reasons need to be chosen such that they do not
   make an attack on security easier.

2.2.7.

   The Midcom protocol must not preclude multiple authorized agents from
   working on the same ruleset.






Swale, et al.                Informational                      [Page 5]

RFC 3304                  Midcom Requirements                August 2002


2.2.8.

   The Midcom protocol must be able to carry filtering rules, including
   but not limited to the 5-tuple, from the midcom agent to the
   middlebox.

   By "5-tuple", we refer to the standard <source address, source port,
   destination address, destination port, transport protocol> tuple.
   Other filtering elements may be carried, as well.

2.2.9.

   When the middlebox performs a port mapping function, the protocol
   should allow the Midcom agent to request that the external port
   number have the same oddity as the internal port.

   This requirement is to support RTP and RTCP [RFC1889] "oddity"
   requirements.

2.2.10.

   When the middlebox performs a port mapping function, the protocol
   should allow the Midcom agent to request that a consecutive range of
   external port numbers be mapped to consecutive internal ports.  This
   requirement is to support RTP and RTCP "sequence" requirements.

2.2.11.

   It should be possible to define rulesets that contain a more specific
   filter spec than an overlapping ruleset.  This should allow agents to
   request actions for the subset that contradict those of the
   overlapping set.

   This should allow a Midcom agent to request to a Midcom server
   controlling a firewall function that a subset of the traffic that
   would be allowed by the overlapping ruleset be specifically
   disallowed.

2.3.  General Security Requirements

2.3.1.

   The Midcom protocol must provide for message authentication,
   confidentiality, and integrity.







Swale, et al.                Informational                      [Page 6]

RFC 3304                  Midcom Requirements                August 2002


2.3.2.

   The Midcom protocol must allow for optional confidentiality
   protection of control messages.  If provided, the mechanism should
   allow a choice in the algorithm to be used.

2.3.3.

   The Midcom protocol must operate across un-trusted domains, between
   the Midcom agent and middlebox in a secure fashion.

2.3.4.

   The Midcom protocol must define mechanisms to mitigate replay attacks
   on the control messages.

3. Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use other technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights.  Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11.  Copies of
   claims of rights made available for publication and any assurances of
   licenses to be made available, or the result of an attempt made to
   obtain a general license or permission for the use of such
   proprietary rights by implementers or users of this specification can
   be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard.  Please address the information to the IETF Executive
   Director.

4.  Security Considerations

   The security requirements for a midcom protocol are discussed in
   section 2.3.









Swale, et al.                Informational                      [Page 7]

RFC 3304                  Midcom Requirements                August 2002


5.  Normative References

   [MCFW]    Srisuresh, S., Kuthan, J., Rosenberg, J., Molitor, A. and
             A.  Rayhan, "Middlebox communication architecture and
             framework", RFC 3303, Date.*

   [RFC1889] Schulzrinne, H., Casner, S., Frederick, R. and V. Jacobson,
             "RTP: A Transport Protocol for Real-Time Applications", RFC
             1889, January 1996.

6.  Informative References

   [RFC2026] Bradner, S. "The Internet Standards Process -- Revision 3",
             BCP 9, RFC 2026. October 1996.

Authors' Addresses

   Richard Swale
   BTexact Technologies
   Callisto House
   Adastral Park
   Ipswich United Kingdom
   EMail:  richard.swale@bt.com

   Paul Sijben
   Lucent Technologies EMEA BV
   Huizen
   Netherlands
   EMail: paul.sijben@picopoint.com

   Philip Mart
   Marconi Communications Ltd.
   Edge Lane
   Liverpool
   United Kingdom
   EMail: philip.mart@marconi.com

   Scott Brim
   Cisco Systems
   146 Honness Lane
   Ithaca, NY 14850
   EMail: sbrim@cisco.com

   Melinda Shore
   Cisco Systems
   809 Hayts Road
   Ithaca, NY 14850
   EMail: mshore@cisco.com



Swale, et al.                Informational                      [Page 8]

RFC 3304                  Midcom Requirements                August 2002


Full Copyright Statement

   Copyright (C) The Internet Society (2002).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.



















Swale, et al.                Informational                      [Page 9]