Network Working Group P. Ferguson
Request for Comments: 2267 Cisco Systems, Inc.
Category: Informational D. Senie
BlazeNet, Inc.
January 1998
Network Working Group P. Ferguson
Request for Comments: 2267 Cisco Systems, Inc.
Category: Informational D. Senie
BlazeNet, Inc.
January 1998
Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
网络入口过滤:击败使用IP源地址欺骗的拒绝服务攻击
Status of this Memo
本备忘录的状况
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (1998). All Rights Reserved.
版权所有(C)互联网协会(1998年)。版权所有。
Abstract
摘要
Recent occurrences of various Denial of Service (DoS) attacks which have employed forged source addresses have proven to be a troublesome issue for Internet Service Providers and the Internet community overall. This paper discusses a simple, effective, and straightforward method for using ingress traffic filtering to prohibit DoS attacks which use forged IP addresses to be propagated from 'behind' an Internet Service Provider's (ISP) aggregation point.
最近发生的各种使用伪造源地址的拒绝服务(DoS)攻击已被证明是互联网服务提供商和整个互联网社区的一个棘手问题。本文讨论了一种简单、有效和直接的方法,用于使用入口流量过滤来禁止DoS攻击,这些攻击使用伪造的IP地址从Internet服务提供商(ISP)聚合点的“后方”传播。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 2
2. Background . . . . . . . . . . . . . . . . . . . . . . . . 2
3. Restricting forged traffic . . . . . . . . . . . . . . . . 5
4. Further capabilities for networking equipment. . . . . . . 6
5. Liabilities. . . . . . . . . . . . . . . . . . . . . . . . 6
6. Summary. . . . . . . . . . . . . . . . . . . . . . . . . . 7
7. Security Considerations. . . . . . . . . . . . . . . . . . 7
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . 8
9. References . . . . . . . . . . . . . . . . . . . . . . . . 8
10. Authors' Addresses . . . . . . . . . . . . . . . . . . . . 9
11. Full Copyright Statement . . . . . . . . . . . . . . . . . 10
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 2
2. Background . . . . . . . . . . . . . . . . . . . . . . . . 2
3. Restricting forged traffic . . . . . . . . . . . . . . . . 5
4. Further capabilities for networking equipment. . . . . . . 6
5. Liabilities. . . . . . . . . . . . . . . . . . . . . . . . 6
6. Summary. . . . . . . . . . . . . . . . . . . . . . . . . . 7
7. Security Considerations. . . . . . . . . . . . . . . . . . 7
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . 8
9. References . . . . . . . . . . . . . . . . . . . . . . . . 8
10. Authors' Addresses . . . . . . . . . . . . . . . . . . . . 9
11. Full Copyright Statement . . . . . . . . . . . . . . . . . 10
A resurgence of Denial of Service Attacks [1] aimed at various targets in the Internet have produced new challenges within the Internet Service Provider (ISP) and network security communities to find new and innovative methods to mitigate these types of attacks. The difficulties in reaching this goal are numerous; some simple tools already exist to limit the effectiveness and scope of these attacks, but they have not been widely implemented.
针对互联网上各种目标的拒绝服务攻击[1]死灰复燃,给互联网服务提供商(ISP)和网络安全社区带来了新的挑战,他们需要找到新的创新方法来缓解这些类型的攻击。实现这一目标的困难是多方面的,;一些简单的工具已经存在,以限制这些攻击的有效性和范围,但它们尚未得到广泛实施。
This method of attack has been known for some time. Defending against it, however, has been an ongoing concern. Bill Cheswick is quoted in [2] as saying that he pulled a chapter from his book, "Firewalls and Internet Security" [3], at the last minute because there was no way for an administrator of the system under attack to effectively defend the system. By mentioning the method, he was concerned about encouraging it's use.
这种攻击方法早就为人所知。然而,为其辩护一直是一个令人担忧的问题。[2]引用Bill Cheswick的话说,他在最后一刻从他的书《防火墙和互联网安全》[3]中抽出了一章,因为受攻击系统的管理员无法有效地保护系统。通过提到这种方法,他关心的是如何鼓励人们使用它。
While the filtering method discussed in this document does absolutely nothing to protect against flooding attacks which originate from valid prefixes (IP addresses), it will prohibit an attacker within the originating network from launching an attack of this nature using forged source addresses that do not conform to ingress filtering rules. All providers of Internet connectivity are urged to implement filtering described in this document to prohibit attackers from using forged source addresses which do not reside within a range of legitimately advertised prefixes. In other words, if an ISP is aggregating routing announcements for multiple downstream networks, strict traffic filtering should be used to prohibit traffic which claims to have originated from outside of these aggregated announcements.
虽然本文档中讨论的过滤方法完全不能防止源于有效前缀(IP地址)的泛洪攻击,但它将禁止源网络中的攻击者使用不符合入口过滤规则的伪造源地址发起此类攻击。敦促所有互联网连接提供商实施本文档中描述的过滤,以禁止攻击者使用伪造的源地址,这些地址不在合法公布的前缀范围内。换句话说,如果ISP正在聚合多个下游网络的路由公告,则应使用严格的流量过滤来禁止声称来自这些聚合公告外部的流量。
An additional benefit of implementing this type of filtering is that it enables the originator to be easily traced to it's true source, since the attacker would have to use a valid, and legitimately reachable, source address.
实施此类过滤的另一个好处是,它使发起人能够轻松地追踪到其真实来源,因为攻击者必须使用有效且可合法访问的源地址。
A simplified diagram of the TCP SYN flooding problem is depicted below:
TCP SYN泛洪问题的简化图如下所示:
9.0.0.0/8
host <----- router <--- Internet <----- router <-- attacker
9.0.0.0/8
host <----- router <--- Internet <----- router <-- attacker
TCP/SYN
<---------------------------------------------
Source: 192.168.0.4/32
TCP/SYN
<---------------------------------------------
Source: 192.168.0.4/32
SYN/ACK
no route
TCP/SYN
<---------------------------------------------
Source: 10.0.0.13/32
SYN/ACK
no route
TCP/SYN
<---------------------------------------------
Source: 172.16.0.2/32
SYN/ACK
no route
SYN/ACK
no route
TCP/SYN
<---------------------------------------------
Source: 10.0.0.13/32
SYN/ACK
no route
TCP/SYN
<---------------------------------------------
Source: 172.16.0.2/32
SYN/ACK
no route
[etc.]
[等]
Assume:
假设:
o The "host" is the targeted machine.
o “主机”是目标机器。
o The attacker resides within the "valid" prefix, 9.0.0.0/8.
o 攻击者位于“有效”前缀9.0.0.0/8内。
o The attacker launches the attack using randomly changing source addresses; in this example, the source addresses are depicted as from within [4], which are not generally present in the global Internet routing tables, and therefore, unreachable. However, any unreachable prefix could be used to perpetrate this attack method.
o 攻击者使用随机更改的源地址发起攻击;在这个例子中,源地址被描述为来自[4]中的地址,这些地址通常不存在于全局互联网路由表中,因此是不可访问的。但是,任何无法访问的前缀都可以用来实施此攻击方法。
Also worthy of mention is a case wherein the source address is forged to appear to have originated from within another legitimate network which appears in the global routing table(s). For example, an attacker using a valid network address could wreak havoc by making the attack appear to come from an organization which did not, in fact, originate the attack and was completely innocent. In such cases, the administrator of a system under attack may be inclined to filter all traffic coming from the apparent attack source. Adding such a filter would then result in a denial of service to legitimate, non-hostile end-systems. In this case, the administrator of the system under attack unwittingly becomes an accomplice of the attacker.
还值得一提的是一种情况,其中源地址被伪造成似乎来自出现在全局路由表中的另一合法网络。例如,使用有效网络地址的攻击者可能会造成严重破坏,使攻击看起来来自一个实际上并非发起攻击且完全无辜的组织。在这种情况下,受攻击系统的管理员可能倾向于过滤来自明显攻击源的所有流量。添加这样的过滤器将导致对合法、非恶意终端系统的拒绝服务。在这种情况下,受攻击系统的管理员无意中成为攻击者的共犯。
Further complicating matters, TCP SYN flood attacks will result in SYN-ACK packets being sent to one or many hosts which have no involvement in the attack, but which become secondary victims. This allows the attacker to abuse two or more systems at once.
更复杂的是,TCP SYN洪水攻击将导致SYN-ACK数据包被发送到一个或多个主机,这些主机与攻击无关,但成为次要受害者。这允许攻击者同时滥用两个或多个系统。
Similar attacks have been attempted using UDP and ICMP flooding. The former attack (UDP flooding) uses forged packets to try and connect the chargen UDP service to the echo UDP service at another site. Systems administrators should NEVER allow UDP packets destined for system diagnostic ports from outside of their administrative domain to reach their systems. The latter attack (ICMP flooding), uses an insidious feature in IP subnet broadcast replication mechanics. This attack relies on a router serving a large multi-access broadcast network to frame an IP broadcast address (such as one destined for 10.255.255.255) into a Layer 2 broadcast frame (for ethernet, FF:FF:FF:FF:FF:FF). Ethernet NIC hardware (MAC-layer hardware, specifically) will only listen to a select number of addresses in normal operation. The one MAC address that all devices share in common in normal operation is the media broadcast, or FF:FF:FF:FF:FF:FF. In this case, a device will take the packet and send an interrupt for processing. Thus, a flood of these broadcast frames will consume all available resources on an end-system [9]. It is perhaps prudent that system administrators should consider ensuring that their border routers do not allow directed broadcast packets to be forwarded through their routers as a default.
已尝试使用UDP和ICMP泛洪进行类似的攻击。前一种攻击(UDP洪泛)使用伪造数据包尝试将chargen UDP服务连接到另一站点的echo UDP服务。系统管理员不应允许从其管理域之外发送到系统诊断端口的UDP数据包到达其系统。后一种攻击(ICMP洪泛)使用IP子网广播复制机制中的一种隐蔽特性。此攻击依赖于服务于大型多址广播网络的路由器将IP广播地址(例如,发送到10.255.255.255的地址)帧入第2层广播帧(对于以太网,FF:FF:FF:FF:FF)。以太网NIC硬件(特别是MAC层硬件)在正常操作中只侦听选定数量的地址。所有设备在正常操作中共享的一个MAC地址是媒体广播,或FF:FF:FF:FF:FF。在这种情况下,设备将接收数据包并发送中断进行处理。因此,这些广播帧的泛滥将消耗终端系统上的所有可用资源[9]。系统管理员应该考虑确保他们的边界路由器不允许定向的广播包作为默认的路由器通过它们的路由器转发。
When an TCP SYN attack is launched using unreachable source address, the target host attempts to reserve resources waiting for a response. The attacker repeatedly changes the bogus source address on each new packet sent, thus exhausting additional host resources.
当使用无法访问的源地址发起TCP SYN攻击时,目标主机会尝试保留资源以等待响应。攻击者在发送的每个新数据包上重复更改假源地址,从而耗尽额外的主机资源。
Alternatively, if the attacker uses someone else's valid host address as the source address, the system under attack will send a large number of SYN/ACK packets to what it believes is the originator of the connection establishment sequence. In this fashion, the attacker does damage to two systems: the destination target system, as well as the system which is actually using the spoofed address in the global routing system.
或者,如果攻击者使用其他人的有效主机地址作为源地址,则受攻击的系统将向其认为是连接建立序列发起人的系统发送大量SYN/ACK数据包。以这种方式,攻击者会破坏两个系统:目标系统和在全局路由系统中实际使用伪造地址的系统。
The result of both attack methods is extremely degraded performance, or worse, a system crash.
这两种攻击方法的结果都会导致性能严重下降,甚至系统崩溃。
In response to this threat, most operating system vendors have modified their software to allow the targeted servers to sustain attacks with very high connection attempt rates. This is a welcome and necessary part of the solution to the problem. Ingress filtering will take time to be implemented pervasively and be fully effective, but the extensions to the operating systems can be implemented quickly. This combination should prove effective against source address spoofing. See [1] for vendor and platform software upgrade information.
为了应对这种威胁,大多数操作系统供应商都修改了其软件,使目标服务器能够以极高的连接尝试率抵御攻击。这是解决问题的一个受欢迎和必要的部分。入口过滤需要时间才能全面实施并完全有效,但操作系统的扩展可以快速实施。这种组合应该证明对源地址欺骗是有效的。有关供应商和平台软件升级信息,请参见[1]。
The problems encountered with this type of attack are numerous, and involve shortcomings in host software implementations, routing methodologies, and the TCP/IP protocols themselves. However, by restricting transit traffic which originates from a downstream network to known, and intentionally advertised, prefix(es), the problem of source address spoofing can be virtually eliminated in this attack scenario.
此类攻击遇到的问题很多,包括主机软件实现、路由方法和TCP/IP协议本身的缺陷。然而,通过将来自下游网络的传输流量限制为已知且有意宣传的前缀,在这种攻击场景中,源地址欺骗的问题实际上可以消除。
11.0.0.0/8
/
router 1
/
/
/ 9.0.0.0/8
ISP <----- ISP <---- ISP <--- ISP <-- router <-- attacker
A B C D 2
/
/
/
router 3
/
12.0.0.0/8
11.0.0.0/8
/
router 1
/
/
/ 9.0.0.0/8
ISP <----- ISP <---- ISP <--- ISP <-- router <-- attacker
A B C D 2
/
/
/
router 3
/
12.0.0.0/8
In the example above, the attacker resides within 9.0.0.0/8, which is provided Internet connectivity by ISP D. An input traffic filter on the ingress (input) link of "router 2", which provides connectivity to the attacker's network, restricts traffic to allow only traffic originating from source addresses within the 9.0.0.0/8 prefix, and prohibits an attacker from using "invalid" source addresses which reside outside of this prefix range.
在上面的示例中,攻击者驻留在ISP D提供的Internet连接的9.0.0.0/8中。“路由器2”的入口(输入)链路上的输入流量过滤器提供与攻击者网络的连接,限制流量,仅允许来自9.0.0.0/8前缀内源地址的流量,并禁止攻击者使用位于此前缀范围之外的“无效”源地址。
In other words, the ingress filter on "router 2" above would check:
换句话说,上述“路由器2”上的入口过滤器将检查:
IF packet's source address from within 9.0.0.0/8 THEN forward as appropriate
如果数据包的源地址在9.0.0.0/8范围内,则视情况转发
IF packet's source address is anything else THEN deny packet
若数据包的源地址是其他地址,那个么拒绝数据包
Network administrators should log information on packets which are dropped. This then provides a basis for monitoring any suspicious activity.
网络管理员应记录丢弃的数据包的信息。这就为监测任何可疑活动提供了基础。
Additional functions should be considered for future platform implementations. The following one is worth noting:
对于未来的平台实施,应考虑其他功能。以下一点值得注意:
o Implementation of automatic filtering on remote access servers. In most cases, a user dialing into an access server is an individual user on a single PC. The ONLY valid source IP address for packets originating from that PC is the one assigned by the ISP (whether statically or dynamically assigned). The remote access server could check every packet on ingress to ensure the user is not spoofing the source address on the packets which he is originating. Obviously, provisions also need to be made for cases where the customer legitimately is attaching a net or subnet via a remote router, but this could certainly be implemented as an optional parameter. We have received reports that some vendors and some ISPs are already starting to implement this capability.
o 在远程访问服务器上实现自动筛选。在大多数情况下,拨入访问服务器的用户是单个PC上的单个用户。来自该PC的数据包的唯一有效源IP地址是ISP分配的(静态或动态分配的)。远程访问服务器可以检查入口上的每个数据包,以确保用户没有欺骗他发起的数据包上的源地址。显然,还需要为客户通过远程路由器合法连接网络或子网的情况做出规定,但这当然可以作为可选参数实现。我们收到报告称,一些供应商和一些ISP已经开始实施此功能。
We considered suggesting routers also validate the source IP address of the sender as suggested in [8], but that methodology will not operate well in the real networks out there today. The method suggested is to look up source addresses to see that the return path to that address would flow out the same interface as the packet arrived upon. With the number of asymmetric routes in the Internet, this would clearly be problematic.
我们考虑建议路由器也验证发送方的源IP地址,如[8]中所建议的,但这种方法在今天的实际网络中无法很好地运行。建议的方法是查找源地址,以查看到该地址的返回路径将与到达的数据包流出相同的接口。由于互联网上存在大量不对称路由,这显然是个问题。
Filtering of this nature has the potential to break some types of "special" services. It is in the best interest of the ISP offering these types of special services, however, to consider alternate methods of implementing these services to avoid being affected by ingress traffic filtering.
这种性质的过滤有可能破坏某些类型的“特殊”服务。然而,提供这些类型的特殊服务的ISP的最佳利益是考虑实施这些服务的替代方法,以避免受到入口流量过滤的影响。
Mobile IP, as defined in [6], is specifically affected by ingress traffic filtering. As specified, traffic to the mobile node is tunneled, but traffic from the mobile node is not tunneled. This results in packets from the mobile node(s) which have source addresses that do not match with the network where the station is attached. The Mobile IP Working Group is addressing this problem by specifying "reverse tunnels" in [7]. This work in progress provides a method for the data transmitted from the mobile node to be tunneled to the home agent before transmission to the Internet. There are additional benefits to the reverse tunneling scheme, including better handling of multicast traffic. Those implementing mobile IP systems are encouraged to implement this method of reverse tunneling.
如[6]中所定义,移动IP特别受到入口流量过滤的影响。按照规定,到移动节点的流量是隧道式的,但来自移动节点的流量不是隧道式的。这会导致来自移动节点的数据包,这些数据包的源地址与连接该站的网络不匹配。移动IP工作组通过在[7]中指定“反向隧道”来解决这个问题。这项正在进行的工作提供了一种方法,用于将从移动节点传输的数据在传输到因特网之前通过隧道传输到归属代理。反向隧道方案还有其他好处,包括更好地处理多播流量。鼓励那些实施移动IP系统的人实施这种反向隧道方法。
As mentioned previously, while ingress traffic filtering drastically reduces the success of source address spoofing, it does not preclude an attacker using a forged source address of another host within the permitted prefix filter range. It does, however, ensure that when an attack of this nature does indeed occur, a network administrator can be sure that the attack is actually originating from within the known prefixes that are being advertised. This simplifies tracking down the culprit, and at worst, the administrator can block a range of source addresses until the problem is resolved.
如前所述,虽然入口流量过滤会大大降低源地址欺骗的成功率,但它并不排除攻击者在允许的前缀过滤范围内使用另一主机的伪造源地址。但是,它确实可以确保,当确实发生这种性质的攻击时,网络管理员可以确保该攻击实际上是从正在公布的已知前缀中发起的。这简化了对罪犯的追踪,在最坏的情况下,管理员可以阻止一系列源地址,直到问题得到解决。
If ingress filtering is used in an environment where DHCP or BOOTP is used, the network administrator would be well advised to ensure that packets with a source address of 0.0.0.0 and a destination of 255.255.255.255 are allowed to reach the relay agent in routers when appropriate. The scope of directed broadcast replication should be controlled, however, and not arbitrarily forwarded.
如果在使用DHCP或BOOTP的环境中使用入口过滤,则建议网络管理员确保允许源地址为0.0.0.0、目标地址为255.255.255.255的数据包在适当时到达路由器中的中继代理。但是,应该控制定向广播复制的范围,而不是任意转发。
Ingress traffic filtering at the periphery of Internet connected networks will reduce the effectiveness of source address spoofing denial of service attacks. Network service providers and administrators have already begun implementing this type of filtering on periphery routers, and it is recommended that all service providers do so as soon as possible. In addition to aiding the Internet community as a whole to defeat this attack method, it can also assist service providers in locating the source of the attack if service providers can categorically demonstrate that their network already has ingress filtering in place on customer links.
互联网连接网络外围的入口流量过滤将降低源地址欺骗拒绝服务攻击的有效性。网络服务提供商和管理员已经开始在外围路由器上实施这种类型的过滤,建议所有服务提供商尽快这样做。除了帮助整个互联网社区击败这种攻击方法外,如果服务提供商能够明确证明其网络已经在客户链接上设置了入口过滤,它还可以帮助服务提供商定位攻击源。
Corporate network administrators should implement filtering to ensure their corporate networks are not the source of such problems. Indeed, filtering could be used within an organization to ensure users do not cause problems by improperly attaching systems to the wrong networks. The filtering could also, in practice, block a disgruntled employee from anonymous attacks.
公司网络管理员应实施过滤,以确保其公司网络不是此类问题的根源。事实上,过滤可以在组织内部使用,以确保用户不会因为将系统不当连接到错误的网络而导致问题。实际上,这种过滤还可以阻止不满的员工受到匿名攻击。
It is the responsibility of all network administrators to ensure they do not become the unwitting source of an attack of this nature.
所有网络管理员都有责任确保他们不会无意中成为此类攻击的来源。
The primary intent of this document is to inherently increase security practices and awareness for the Internet community as a whole; as more Internet Providers and corporate network administrators implement ingress filtering, the opportunity for an attacker to use forged source addresses as an attack methodology will significantly lessen. Tracking the source of an attack is simplified
本文件的主要目的是从本质上提高整个互联网社区的安全实践和意识;随着越来越多的互联网提供商和公司网络管理员实施入口过滤,攻击者使用伪造源地址作为攻击方法的机会将大大减少。对攻击源的跟踪简化了
when the source is more likely to be "valid." By reducing the number and frequency of attacks in the Internet as a whole, there will be more resources for tracking the attacks which ultimately do occur.
当来源更可能是“有效的”时。通过减少整个互联网上的攻击数量和频率,将有更多的资源用于跟踪最终发生的攻击。
The North American Network Operators Group (NANOG) [5] group as a whole deserves special credit for openly discussing these issues and actively seeking possible solutions. Also, thanks to Justin Newton [Priori Networks] and Steve Bielagus [OpenROUTE Networks, Inc.] for their comments and contributions.
北美网络运营商集团(NANOG)[5]作为一个整体,公开讨论这些问题并积极寻求可能的解决方案,值得特别赞扬。此外,感谢贾斯汀·牛顿(Priori Networks)和史蒂夫·比拉格斯(OpenROUTE Networks,Inc.)的评论和贡献。
[1] CERT Advisory CA-96.21; TCP SYN Flooding and IP Spoofing Attacks; September 24, 1996.
[1] 证书咨询CA-96.21;TCP SYN洪泛和IP欺骗攻击;1996年9月24日。
[2] B. Ziegler, "Hacker Tangles Panix Web Site", Wall Street Journal, 12 September 1996.
[2] B.Ziegler,“黑客纠缠Panix网站”,《华尔街日报》,1996年9月12日。
[3] "Firewalls and Internet Security: Repelling the Wily Hacker"; William R. Cheswick and Steven M. Bellovin, Addison-Wesley Publishing Company, 1994; ISBN 0-201-63357-4.
[3] “防火墙和互联网安全:击退狡猾的黑客”;威廉·切斯维克和史蒂文·贝洛文,艾迪生·韦斯利出版公司,1994年;ISBN 0-201-63357-4。
[4] Rekhter, Y., Moskowitz, R., Karrenberg, D., de Groot, G., and E. Lear, "Address Allocation for Private Internets", RFC 1918, February 1996.
[4] Rekhter,Y.,Moskowitz,R.,Karrenberg,D.,de Groot,G.,和E.Lear,“私人互联网地址分配”,RFC 1918,1996年2月。
[5] The North American Network Operators Group; http://www.nanog.org.
[5] 北美网络运营商集团;http://www.nanog.org.
[6] Perkins, C., "IP Mobility Support", RFC 2002, October 1996.
[6] Perkins,C.,“IP移动支持”,RFC 2002,1996年10月。
[7] Montenegro, G., "Reverse Tunneling Mobile IP", Work in Progress.
[7] 黑山G.“反向隧道移动IP”,正在进行中。
[8] Baker, F., "Requirements for IP Version 4 Routers", RFC 1812, June 1995.
[8] Baker,F.,“IP版本4路由器的要求”,RFC 1812,1995年6月。
[9] Thanks to: Craig Huegen; See: http://www.quadrunner.com/~chuegen/smurf.txt.
[9] 感谢:克雷格·休根;见:http://www.quadrunner.com/~chuegen/smurf.txt。
Paul Ferguson cisco Systems, Inc. 400 Herndon Parkway Herndon, VA USA 20170
Paul Ferguson cisco Systems,Inc.美国弗吉尼亚州赫恩登市赫恩登大道400号,邮编:20170
EMail: ferguson@cisco.com
EMail: ferguson@cisco.com
Daniel Senie BlazeNet, Inc. 4 Mechanic Street Natick, MA USA 01760
Daniel Senie BlazeNet,Inc.美国马萨诸塞州纳蒂克机械街4号01760
EMail: dts@senie.com
EMail: dts@senie.com
Copyright (C) The Internet Society (1998). All Rights Reserved.
版权所有(C)互联网协会(1998年)。版权所有。
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。