One document matched: draft-taylor-midcom-semgen-00.txt
Middlebox Communications (midcom) T. Taylor
Internet Draft Nortel Networks
Document: draft-taylor-midcom-semgen-00.txt
Expires: March 2003 September 2002
General Considerations For MIDCOM Semantics
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026 [i].
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Abstract
This document is written to aid the process of selecting and
completing the definition of the MIDCOM protocol, which will operate
between MIDCOM agents and middleboxes such as firewalls and NATs. It
describes the semantics which the protocol must support. These
semantics are derived from the MIDCOM requirements and the MIDCOM
usage scenarios which helped to inspire the requirements.
This document was derived from draft-taylor-midcom-semantics-00.txt.
The present version incorporates tentative conclusions reached in
discussion at the IETF 54 meeting of the MIDCOM WG. It removes the
concrete expression of the MIDCOM requests, responses, and
notifications in favour of those presented in draft-stiemerling-
midcom-semantics-xx.txt.
Taylor Expires - March 2003 [Page 1]
General Considerations For MIDCOM Semantics Sep 2002
Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC-2119 [ii].
The notation [X:y] (example [3:2.14]) denotes section y of reference
X.
In message flows, A->M indicates information passed from the MIDCOM
Agent to the Middlebox. M->A indicates information passed from the
Middlebox to the MIDCOM Agent.
Table of Contents
1. Introduction...................................................3
1.1 Terminology.................................................3
1.2 Changes From The Predecessor Documents......................3
1.3 New Issues..................................................4
2. Semantic Implications Of The MIDCOM Framework..................4
2.1 Agent Identity..............................................4
2.2 MIDCOM Session..............................................4
2.3 Filters, Policy Actions, Policy Rules.......................5
2.4 MIDCOM Scenarios............................................7
2.5 MIDCOM Timers..............................................11
3. Semantic Implications Of The MIDCOM Requirements..............11
4. Security Considerations.......................................16
5. References....................................................16
6. Acknowledgments...............................................16
7. Author's Addresses............................................17
Taylor Expires - March 2003 [Page 2]
General Considerations For MIDCOM Semantics Sep 2002
1. Introduction
This document presents the semantics which must be supported by the
MIDCOM protocol. The purpose and framework within which this
protocol will operate are described in [iii]. The detailed
requirements which the protocol must satisfy are described in [iv].
This document first reviews the framework and requirements and draws
out their implications for the semantics of the protocol. It then
summarizes the results as a series of possible information flows
between the MIDCOM agent and middlebox and associated behaviour. It
demonstrates that these proposed information flows do indeed meet the
requirements. Finally it specifies the semantics formally using
ABNF.
1.1 Terminology
"MIDCOM agent" (or simply "agent") and "middlebox" have the meanings
given in [3]. "Agent" in this document always denotes a MIDCOM
agent.
Terminology is inconsistent between the framework and the
requirements documents. This document assumes that the term "policy
rule" defined in [3] is the same concept as "ruleset" in [4]. The
term "rule" is often used to denote "policy rule".
1.2 Changes From The Predecessor Documents
The previous list of issues has been cleared on the basis of
discussion at the MIDCOM meeting at IETF 54. As a result of that
discussion, the following changes have been made in this document:
i) Policy rule takeover is now on an individual policy rule rather
than session basis. To facilitate this, policy rule identifiers
are now specified to be globally unique rather than unique per
session.
ii) Policy rule life has no relationship to the life of the session
in which the rule was created. If the session terminates, the
policy rules created in that session remain until they expire.
iii) A policy rule is assigned to a group (given a group identifier)
when it is created. Group identifiers are also specified to be
globally unique.
iv) Only the "allow" action is supported. The "deny" action is no
longer seen as a requirement. (It is viewed as an
administrative rather than MIDCOM function.)
Taylor Expires - March 2003 [Page 3]
General Considerations For MIDCOM Semantics Sep 2002
v) A policy rule contains only one filter.
vi) Address ranges are supported in filter expressions.
In addition to these changes:
vii) The filter expression has been extended to handle twice-NAT
configurations.
viii) The "Policy Rule Request" operation in the previous version of
this document has been replaced with "Enable Request", to make
clear the restricted scope of the operation. This is a follow-
on from (iv) above.
1.3 New Issues
1.3.1 Purpose Of Groups
There seemed to be some debate over the role of groups. This
document currently assumes that a group is a shortcut reference to
the individual policy rules assigned to it.
2. Semantic Implications Of The MIDCOM Framework
2.1 Agent Identity
The framework speaks of the ability for a MIDCOM Policy Decision
Point to revoke authorization for a MIDCOM Agent [3:2.9], and of
MIDCOM Agent profiles [3:2.11]. For these concepts to be
enforceable, the MIDCOM Agent must be associated with an identifier
which must be presented at least at the start of a MIDCOM session and
which must be associated with its profile.
2.2 MIDCOM Session
[3:2.12] speaks of the MIDCOM session. [3:4] provides a requirement
for a formal information exchange to start up or to terminate a
MIDCOM session. Start-up is initiated by the MIDCOM Agent, while
either the Agent or Middlebox may terminate the session. This
requirement raises the possibility of using a session identifier in
subsequent messages to indicate the session to which each is related.
However, the present document assumes that the Agent (or Middlebox)
identifier and accompanying credentials provide an adequate
representation of the session in messages between the two entities.
Taylor Expires - March 2003 [Page 4]
General Considerations For MIDCOM Semantics Sep 2002
2.3 Filters, Policy Actions, Policy Rules
[3:2.15] defines a policy rule as a combination of one or more
filters and an action. The basic idea is that packets matching the
filter have the action applied to them. The canonical form of the
filter in [3] is the 5-tuple:
{source address, source port, destination address, destination
port, protocol}
The MIDCOM meeting at IETF 54 decided that "deny" actions are
currently out of scope. This decision is obviously subject to
further testing on the Working Group list, but assuming that it
stands, the actions we must define are those that allow flows through
NATs and firewalls.
The 5-tuple shown above is sufficient to identify the packet flows to
be enabled if and only if the internal and external address spaces
are non-overlapping. In the general case there may be such overlap.
To cover this general case, the filter must include a direction, "IN"
or "OUT".
For a pure firewall operation, the filter itself provides enough
information to enable the flow. When the Middlebox performs a NAT or
NAPT operation, however, additional information is needed.
The discussion which follows uses the term "address-port" for
brevity, but address and port should be considered as separate
components to be specified in any concrete policy rule. In
particular, in some situations one of these components may be
specified while the other is left wildcarded.
The possibilities are illustrated in Figure 1.
-------------
| Middlebox |
S | | D
Flow A +--------------------->-------------------+
| |
S D'| | D
Flow B +---------------+----->-------------------+
| |
S | |S' D
Flow C +--------------------->-----+-------------+
| |
S D'| |S' D
Flow D +---------------+----->-----+-------------+
| |
-------------
Taylor Expires - March 2003 [Page 5]
General Considerations For MIDCOM Semantics Sep 2002
Figure 1: Possible Flow Arrangements Through The Middlebox
In Figure 1, Flow A represents a pure firewall operation. The source
and destination for the incoming packets will be passed on without
change in the packets as forwarded.
Flow B represents a typical public-to-private flow through a NAT.
The source is S in both the arriving and forwarded packets, but the
destination is changed from public address-port D' to private
address-port D.
Flow C represents a typical private-to-public flow through a NAT.
The destination is D for the arriving and forwarded packets, but the
source is changed from the private address-port S to the public
address-port S'.
Finally, Flow D represents a twice-NAT situation. Arriving packets
have source address-port S, destination address-port D'. Forwarded
packets have source address-port S', destination address-port D.
To cover all these cases, it is clear that the policy rule has to be
augmented by two more components: the source address-port and the
destination address-port for the forwarded packet.
In some cases it is necessary to enable flows before (typically) the
external address-port is known. Thus the policy rule semantics
should allow the use of an "ANY" wildcard for either S or D in the
notation of Figure 1.
In other cases it is necessary to reserve the address-port binding
without enabling the flow, since it is contrary to local policy to
open a pinhole before the external address is known. The flow is
enabled subsequently when the missing information becomes available.
Thus the semantics of the MIDCOM protocol must allow for two separate
operations: an address-bind request and an enable request, where the
latter may update the policy rule by specifying an S or D address-
port which was wildcarded in the address-bind request. To tie the
two requests together, it is necessary to have a policy rule
identifier which the Middlebox can use to correlate them. Further
requirements on the policy rule identifier are noted below.
Finally, it is sometimes necessary to reserve bindings for a sequence
of destination ports, beginning with a port of specified parity (e.g.
particularly in the case of RTP/RTCP).
Summing up, the complete policy rule consists of a filter part and a
mapping part. The filter part consists of the classical 5-tuple
describing the arriving packet plus the flow direction. The mapping
Taylor Expires - March 2003 [Page 6]
General Considerations For MIDCOM Semantics Sep 2002
part consists of the address and port for the source and destination
of the packet as forwarded, and the port count where a sequence of
ports must be enabled. In addition, the address-bind request may
indicate that the first port of a sequence must have a specified
parity.
2.4 MIDCOM Scenarios
[3:7] presents three scenarios for the operation of the MIDCOM
protocol in mid-session.
Scenario [3:7.1], firewall control
The messaging sequence includes three MIDCOM operations:
a) A->M: Open up the firewall to outgoing flows of RTP and RTCP.
M->A: OK.
b) A->M: Open up the firewall to incoming flows of RTP and RTCP.
M->A: OK.
c) A->M: Close firewall to the previously enabled incoming and
outgoing flows.
M->A: OK.
Operations a) and b) have the semantics of address binding and flow
enabling where the source and destination address-ports in the
mapping part of the rule are identical to the source and destination
address-ports in the filter part. The protocol is UDP, the direction
is OUT in the case of a) and IN in the case of b), and no wildcarding
is necessary because all of the addresses are known at the time of
rule instantiation. Each rule specifies a sequence of two ports.
(Specification of parity is unnecessary because the forwarded
destination port value is specified explicitly in the mapping part.)
Operation c) uninstalls the two rules installed by a) and b).
Scenario [3:7.2], NAPT control
The messaging sequence includes the following MIDCOM operations:
a) A->M: Query Port-BIND for port 5060 incoming to the Middlebox
public address.
M->A: returns Port-BIND.
b) A->M: Query NAT session descriptor for SIP flow from external
to private endpoint (where address of latter came from the
first query).
Taylor Expires - March 2003 [Page 7]
General Considerations For MIDCOM Semantics Sep 2002
M->A: returns session descriptor.
c) A->M: Create NAT sessions for outgoing flows of RTP and RTCP
(adjacent ports). Link sessions to SIP control session.
M->A: returns session descriptor.
d) A->M: Create Port-BINDs for incoming RTP, RTCP flows (adjacent
ports).
M->A: returns Port-BINDs.
e) A->M: Create NAT session for incoming flows of RTP and RTCP
(adjacent ports). Link session to SIP control session.
M->A: returns session descriptor.
f) A->M: end session bundle.
M->A: OK.
Operations a) and b) allow the Agent to determine the private address
of the internal endpoint. In terms of the filter semantics defined
above, these operations are equivalent to a single query requesting
the return of any active Policy Rules for which the filter includes
the following in its scope:
{ source address = Ea (the external endpoint address),
source port = ANY,
destination address = Ma (the external address at the Middlebox),
destination port = 5060,
protocol = ANY,
direction = IN
}
Note the wildcarded protocol in this expression. Presumably the
Middlebox will consult with the MIDCOM PDP to determine the permitted
scope of the query. The returned Policy Rule (probably only one in
this example) should be associated with an identifier so that it can
be referred to in later operations.
Operation c) is similar to operation a) in the previous case, except
that the address-port values in the mapping part of the policy rule
are no longer identical to the corresponding values in the filter
part. The address-binding request has a filter part with the
content:
{ source address = Pa (the internal endpoint address),
source port = ANY,
destination address = CHOOSE,
destination port = CHOOSE,
protocol = UDP,
direction = OUT
Taylor Expires - March 2003 [Page 8]
General Considerations For MIDCOM Semantics Sep 2002
}
The mapping part of the address-binding request is as follows:
{ source address = CHOOSE,
source port = CHOOSE,
destination address = Ea (the external endpoint address),
destination port = <the external endpoint RTP port>,
port count = 2
}
It is unnecessary to specify parity of the first port in the request
because the destination port is specified explicitly.
The Middlebox is expected to supply values for the CHOOSE components
in its reply. In a twice-NAT configuration it will assign a private
address and port to the destination in the filter part; otherwise it
will copy the destination address and port from the mapping part. In
any event it assigns values to the source address and port in the
mapping part. It maintains all of these values as part of the its
record of the policy rule, and applies them when the rule is
activated (flow enabled).
The above expressions for the address-binding filter and mapping
parts in fact provide all the information the Middlebox needs even in
a pure firewall operation. This makes it clear that it is
unnecessary to specify either the filter part destination address-
port or the mapping part source address-port in an address-binding
request. These can be implicitly assumed to be CHOOSE in all cases.
The Middlebox takes appropriate action based on its own
configuration, without the Agent needing to be aware of that
configuration.
Operations d) and e) are semantically equivalent to operation c),
except that they apply in the inbound direction with the appropriate
filter part source address and mapping part destination address-port.
Operations c), d), and e) also require the assignment of the new
rules to the same session bundle as the previously installed SIP
control Policy Rules. This introduces the concept of a session
bundle identifier, which must be supplied at the address-bind stage
in case the session is aborted before the flow is ever activated.
Since it is the Agent that is aware of the scope of a session, the
session bundle identifier is provided in the address-bind request.
Operation f) requires an information exchange where the Agent
supplies the session bundle identifier and requests deactivation of
all rules in the session bundle.
Taylor Expires - March 2003 [Page 9]
General Considerations For MIDCOM Semantics Sep 2002
Scenario [3:7.3]: Middlebox implementing NAPT and firewall
The messaging sequence includes the following MIDCOM operations:
a) A->M: Query Port-BIND for mapped address (assumed known), port
5060.
M->A: returns Port-BIND.
b) A->M: Query NAT session descriptor for SIP flow from external to
private endpoint.
M->A: returns session descriptor.
c) A->M: Create NAT sessions for outgoing flows of RTP and RTCP.
Link sessions to SIP control session.
M->A: returns session descriptor.
d) A->M: Open up the firewall to outgoing flows of RTP and RTCP.
M->A: OK.
e) A->M: Create Port-BINDs for incoming RTP, RTCP flows (adjacent
ports).
M->A: returns Port-BINDs.
f) A->M: Create NAT session for incoming flows of RTP and RTCP.
Link session to SIP control session.
M->A: returns session descriptor.
g) A->M: Open up the firewall to incoming flows of RTP and RTCP.
M->A: OK.
h) A->M: end NAPT session bundle.
M->A: OK.
i) A->M: Close firewall to the previously enabled incoming and
outgoing flows.
M->A: OK.
a) and b) are the same as in the previous case.
c) is equivalent to the address-bind phase of operation c) in the
previous case, while d) corresponds to the flow enabling phase of
that operation. Similarly, e) and f) correspond to the address-bind
phase of operations d) and e) in the previous case, and g)
corresponds to the flow enabling phase of those operations.
Finally, h) and i) are semantically equivalent to deactivation of the
bundle of rules created in the previous steps.
Taylor Expires - March 2003 [Page 10]
General Considerations For MIDCOM Semantics Sep 2002
Summary Of Observations
In summary, the three scenarios have demonstrated the need for
information exchanges supporting querying of instantiated policy
rules against a pattern, activating Policy Rules (generally with
wildcards), creating bundles of Policy rules, deactivating individual
policy rules, and deactivating bundles of Policy Rules.
2.5 MIDCOM Timers
[3:8.3] talks about the potential usefulness of timers in the MIDCOM
protocol, to facilitate resource cleanup. This raises the question
of whether the timer values should be visible to the Agent. Given
that their intended use is to compensate for Agent outages, an
information exchange prior to timer expiry seems indicated.
3. Semantic Implications Of The MIDCOM Requirements
This section reviews the semantic implications of the requirements
documented in [4].
[4:2.1.1]: authorization.
This requirement implies the need for credentials in any request the
Agent sends to the Middlebox, sufficient to allow the latter to
determine the Agent's scope of authority.
[4:2.1.2]: one MIDCOM Agent dealing with multiple Middleboxes
This implies that a parameter must be present in each message coming
from a Middlebox, identifying that Middlebox uniquely. The session
identifier discussed in section 2.2 might serve that purpose, beyond
the initial setup of the session.
[4:2.1.3]: one Middlebox dealing with multiple MIDCOM Agents
Similarly, this implies that a parameter must be present in each
message coming from a MIDCOM Agent, identifying that MIDCOM Agent
instance uniquely. MIDCOM Agent identifiers were discussed in
section 2.1. Again, the session identifier may serve the purpose
after initial session setup.
[4:2.1.4]: deterministic Middlebox behaviour when multiple MIDCOM
Agents interact with it.
This implies several points:
Taylor Expires - March 2003 [Page 11]
General Considerations For MIDCOM Semantics Sep 2002
. well-defined Middlebox behaviour when it processes
requests, particularly when conflicts are encountered;
. the behavioural equivalent of mutual exclusion, such that
requests affecting the same resources (for example,
involving overlapping filter specifications) are required
to be processed serially;
. requests can be of sufficiently large extent that the Agent
can accomplish what it needs in a single request, thus
avoiding deadlock.
[4:2.1.5]: known and stable state
The explanation of this requirement suggests that a request
identifier parameter is needed for each request, that each request
must have a reply, and that the reply must include the request
identifier parameter as well as the result of the request.
The requirement also appears to imply the need for a MIDCOM Agent to
be able to audit the Middlebox state as it relates to requests made
in the past by that Agent. As an optimization, the audit request may
include parameters limiting the scope of the audit. The response
includes a state parameter expressed as a sequence of Policy Rules.
In view of the potential volume of information, provision should be
made for segmentation of the response.
Auditing can be seen as an additional use of the query exchange
documented as part of the scenario analysis in section 2.4.
[4:2.1.6]: Middlebox reporting status
This implies a a need for a Middlebox to send autonomous
notifications to a MIDCOM Agent. It is assumed that [4:2.1.6]
relates to the operational status of the Middlebox as a whole, and
possibly also the state it retains on behalf of a given Agent.
Accordingly, the status notification should be able to express the
following situations:
. Middlebox going out of service
. Middlebox returned to service, having retained all state
(i.e. sessions, Policy Rules and associated timers)
. Middlebox returned to service, state information lost or
stale
. Middlebox congested.
[4:2.1.7]: autonomous reporting of conditions and autonomous actions
The main thrust of the explanation of this requirement is that the
Middlebox be able to report autonomously actions taken with regard to
Taylor Expires - March 2003 [Page 12]
General Considerations For MIDCOM Semantics Sep 2002
particular Policy Rules. The information passed must therefore
include the Policy Rule identifier(s), the action taken, and the
reason for the action.
[4:2.1.8]: mutual authentication
This requirement bears upon session startup in the first place, with
proper follow-up to maintain the integrity of the session in
subsequent messages.
[4:2.1.9]: either entity can terminate a session
This implies a formal exchange to terminate a session. Based on
discussion at IETF 54, the end of a session does not affect the life
of policy rules created during that session.
[4:2.1.10]: MIDCOM Agent can determine success or failure of a
request
This implies that every request must have a reply, and the reply must
indicate the outcome of the request.
[4:2.1.11]: version interworking
There seems to be agreement to include protocol version in each
message, governing the content of that message. It is possible the
initial message of a session should include an additional parameter
listing the versions supported by the originator.
If the protocol has identifiable options the initial message of the
session in each direction should include a parameter indicating what
options the message sender supports.
[4:2.1.12]: deterministic behaviour for overlapping rulesets
There is some dispute over what deterministic means in this case.
The issue is described at length in section 1.2.4 above. In keeping
with existing implementation, we postulate an aggregate model of
Middlebox operation as follows:
a) rules are retained in their original form (including mappings)
rather than aggregated;
b) as each packet passes through the Middlebox, it is checked
against the filter portion of each active rule in turn;
c) if a match is found, the action associated with that rule is
applied;
Taylor Expires - March 2003 [Page 13]
General Considerations For MIDCOM Semantics Sep 2002
d) if no match is found, the default action set by the Middlebox
administrator is applied;
e) rules are evaluated in the order in which they were installed
(first-come, first-served).
For a given sequence of rules this always gives the same per-packet
outcomes. In that sense it is deterministic, even if the Agent
installing a given rule cannot know in advance what the effect of
that rule will be unless it knows the complete sequence of rules
installed at the Middlebox.
[4:2.2.1]: extensibility
It would be possible to add content to the semantic description as a
placeholder for new material, but there doesn't seem to be much point
in doing so.
[4:2.2.2]: control of multiple functions
The semantic content of firewall and NAT/NAPT control have been
captured in the Policy Rule description in section 2.3. This
formulation may also be applicable to other Middlebox types.
[4:2.2.3]: ruleset groups
The need for information exchanges to create such groups (referred to
as session bundles) has been documented above in connection with the
scenarios.
[4:2.2.4]: ruleset lifetime extension
This implies a possible need for several information exchanges:
. allowing the Agent to associate a lifetime (and perhaps a
grace period) with a Policy rule at the time of
installation
. allowing the Agent to audit the remaining lifetime for a
Policy Rule (most reasonably as a parameter of a general
Policy Rule audit capability)
. allowing the Middlebox to indicate when a Policy Rule is
about to expire
. allowing the Agent to reset the remaining lifetime.
[4:2.2.5]: action on unknown attributes
Taylor Expires - March 2003 [Page 14]
General Considerations For MIDCOM Semantics Sep 2002
This requires a sub-field within certain attributes indicating
whether the attribute can be ignored if not understood or stops the
request from being processed. It also implies that the
responses to individual requests must identify components of the
request which have caused failure or which have been ignored.
[4:2.2.6]: failure reasons
A failure reason element must be a potential part of responses.
Possible failure reasons are listed in the next section.
[4:2.2.7]: multiple authorised Agents working on the same ruleset
This implies a requirement that Policy Rule identifiers are unique
within the Middlebox, hence should be assigned by the Middlebox in
the reply to the address-bind request. Of course, this masks a set
of requirements on operations outside of the MIDCOM protocol: sharing
of Policy Rule and possibly session bundle identifiers between
Agents, and authorization of one Agent to operate on policy rules set
up by another one.
[4:2.2.8]: transport of filtering rules
The filters of this semantic analysis are not, of course, the
concrete expression of filters in the protocol itself. This analysis
indicates within which information exchanges filters will have to be
carried.
[4:2.2.9]: matching parity ("oddity")
This requirement has already been recognized and incorporated in the
semantic representation of a Policy Rule filter in section 2.3.
[4:2.2.10]: ranges of ports
Also covered in section 2.3. The requirement extends beyond RTP/RTCP
pairs to sequences of such pairs required for layered encoding.
[4:2.2.11]: contradictory actions for sub-filters
Assuming that the contradictory actions are represented by separate
Policy Rules, and assuming the model of Middlebox operation described
in the discussion of requirement [4:2.1.12], this requirement is met
provided that the rule with the sub-filter is installed before the
main rule. This is an operational requirement given semantics
already defined.
Taylor Expires - March 2003 [Page 15]
General Considerations For MIDCOM Semantics Sep 2002
Requirements For Security
The security-related requirements postulated in [4:2.3] will have
semantic consequences, but the details depend on the chosen
mechanisms.
4. Security Considerations
This draft may receive its own discussion of security considerations,
but for the moment these are well covered by the discussion in [3]
and specific requirements in [4].
5. References
[1] Bradner, S., "The Internet Standards Process -- Revision 3",
BCP 9, RFC 2026, October 1996.
[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[3] P. Srisuresh, J. Kuthan, J. Rosenberg, A. Molitor, A. Rayhan,
"Middlebox communication architecture and framework", draft-
ietf-midcom-framework-07.txt, RFC 3303, August 2002.
[4] R. Swale, P. Mart, P. Sijben, S. Brim, M. Shore, "Middlebox
Communications (midcom) Protocol Requirements", draft-ietf-
midcom-requirements-05.txt, RFC 3304, August 2002.
[5] Srisuresh, P. and M. Holdrege, "IP Network Address Translator
(NAT) Terminology and Considerations", RFC 2663, August 1999.
6. Acknowledgments
Cedric Aoun contributed to the initial version of this document,
begun before list discussion of the topic of MIDCOM semantics. The
list discussion itself benefited from interventions by Ben Campbell,
Bob Penfield, Paul Sijben, Martin Stiemerling, Christian Huitema,
Scott Brim, Juergen Quittek, Ted Hardie, John LaCour, Andrew Molitor,
Reinaldo Penno, Sanjoy Sen, Jiri Kuthan, James Renko, Joel Halprin,
Cullen Jennings, and Adina Simu.
Taylor Expires - March 2003 [Page 16]
MIDCOM Semantics September 2002
7. Authors Address
Tom Taylor
Nortel Networks
Ottawa, Canada
Phone: +1 613 736 0961
Email: taylor@nortelnetworks.com
Taylor Expires - March 2003 [Page 17]
| PAFTECH AB 2003-2026 | 2026-04-24 10:26:47 |