RFC 1716
Towards Requirements for IP Routers
An EGP implementation MUST include support for the abort
timer (as documented in section 4.1.4 of RFC-904). An
implementation SHOULD use the abort timer in the Idle state
to automatically issue a Start event to restart the protocol
machine. Recommended values are P4 for a critical error
(Administratively prohibited, Protocol Violation and
Parameter Problem) and P5 for all others. The abort timer
SHOULD NOT be started when a Stop event was manually
initiated (such as via a network management protocol).
Cease command received in Idle state: RFC-904, pp. 13
When the EGP state machine is in the Idle state, it MUST
reply to Cease commands with a Cease-ack response.
Hello Polling Mode: RFC-904, pp. 11
An EGP implementation MUST include support for both active
and passive polling modes.
Neighbor Acquisition Messages: RFC-904, pp. 18
As noted the Hello and Poll Intervals should only be present
in Request and Confirm messages. Therefore the length of an
EGP Neighbor Acquisition Message is 14 bytes for a Request
or Confirm message and 10 bytes for a Refuse, Cease or
Cease-ack message. Implementations MUST NOT send 14 bytes
for Refuse, Cease or Cease-ack messages but MUST allow for
implementations that send 14 bytes for these messages.
Sequence Numbers: RFC-904, pp. 10
Response or indication packets received with a sequence
number not equal to S MUST be discarded. The send sequence
number S MUST be incremented just before the time a Poll
command is sent and at no other times.
7.3.4 INTER-AS ROUTING WITHOUT AN EXTERIOR PROTOCOL
It is possible to exchange routing information between two
autonomous systems or routing domains without using a standard
exterior routing protocol between two separate, standard interior
routing protocols. The most common way of doing this is to run
both interior protocols independently in one of the border routers
with an exchange of route information between the two processes.
As with the exchange of information from an EGP to an IGP, without
appropriate controls these exchanges of routing information
between two IGPs in a single router are subject to creation of
routing loops.
7.4 STATIC ROUTING
Static routing provides a means of explicitly defining the next hop
from a router for a particular destination. A router SHOULD provide
a means for defining a static route to a destination, where the
destination is defined by an address and an address mask. The
mechanism SHOULD also allow for a metric to be specified for each
static route.
A router which supports a dynamic routing protocol MUST allow static
routes to be defined with any metric valid for the routing protocol
used. The router MUST provide the ability for the user to specify a
list of static routes which may or may not be propagated via the
routing protocol. In addition, a router SHOULD support the following
additional information if it supports a routing protocol that could
make use of the information. They are:
o TOS,
o Subnet mask, or
o A metric specific to a given routing protocol that can import the
route.
DISCUSSION:
We intend that one needs to support only the things useful to the
given routing protocol. The need for TOS should not require the
vendor to implement the other parts if they are not used.
Whether a router prefers a static route over a dynamic route (or vice
versa) or whether the associated metrics are used to choose between
conflicting static and dynamic routes SHOULD be configurable for each
static route.
A router MUST allow a metric to be assigned to a static route for
each routing domain that it supports. Each such metric MUST be
explicitly assigned to a specific routing domain. For example:
route 36.0.0.0 255.0.0.0 via 192.19.200.3 rip metric 3
route 36.21.0.0 255.255.0.0 via 192.19.200.4 ospf inter-area
metric 27
route 36.22.0.0 255.255.0.0 via 192.19.200.5 egp 123 metric 99
route 36.23.0.0 255.255.0.0 via 192.19.200.6 igrp 47 metric 1 2
3 4 5
DISCUSSION:
It has been suggested that, ideally, static routes should have
preference values rather than metrics (since metrics can only be
compared with metrics of other routes in the same routing domain,
the metric of a static route could only be compared with metrics
of other static routes). This is contrary to some current
implementations, where static routes really do have metrics, and
those metrics are used to determine whether a particular dynamic
route overrides the static route to the same destination. Thus,
this document uses the term metric rather than preference.
This technique essentially makes the static route into a RIP
route, or an OSPF route (or whatever, depending on the domain of
the metric). Thus, the route lookup algorithm of that domain
applies. However, this is NOT route leaking, in that coercing a
static route into a dynamic routing domain does not authorize the
router to redistribute the route into the dynamic routing domain.
For static routes not put into a specific routing domain, the
route lookup algorithm is:
(1) Basic match
(2) Longest match
(3) Weak TOS (if TOS supported)
(4) Best metric (where metric are implementation-defined)
The last step may not be necessary, but it's useful in the case
where you want to have a primary static route over one interface
and a secondary static route over an alternate interface, with
failover to the alternate path if the interface for the primary
route fails.
7.5 FILTERING OF ROUTING INFORMATION
Each router within a network makes forwarding decisions based upon
information contained within its forwarding database. In a simple
network the contents of the database may be statically configured.
As the network grows more complex, the need for dynamic updating of
the forwarding database becomes critical to the efficient operation
of the network.
If the data flow through a network is to be as efficient as possible,
it is necessary to provide a mechanism for controlling the
propagation of the information a router uses to build its forwarding
database. This control takes the form of choosing which sources of
routing information should be trusted and selecting which pieces of
the information to believe. The resulting forwarding database is a
filtered version of the available routing information.
In addition to efficiency, controlling the propagation of routing
information can reduce instability by preventing the spread of
incorrect or bad routing information.
In some cases local policy may require that complete routing
information not be widely propagated.
These filtering requirements apply only to non-SPF-based protocols
(and therefore not at all to routers which don't implement any
distance vector protocols).
7.5.1 Route Validation
A router SHOULD log as an error any routing update advertising a
route to network zero, subnet zero, or subnet -1, unless the
routing protocol from which the update was received uses those
values to encode special routes (such as default routes).
7.5.2 Basic Route Filtering
Filtering of routing information allows control of paths used by a
router to forward packets it receives. A router should be
selective in which sources of routing information it listens to
and what routes it believes. Therefore, a router MUST provide the
ability to specify:
o On which logical interfaces routing information will be
accepted and which routes will be accepted from each logical
interface.
o Whether all routes or only a default route is advertised on a
logical interface.
Some routing protocols do not recognize logical interfaces as a
source of routing information. In such cases the router MUST
provide the ability to specify
o from which other routers routing information will be accepted.
For example, assume a router connecting one or more leaf networks
to the main portion or backbone of a larger network. Since each
of the leaf networks has only one path in and out, the router can
simply send a default route to them. It advertises the leaf
networks to the main network.
7.5.3 Advanced Route Filtering
As the topology of a network grows more complex, the need for more
complex route filtering arises. Therefore, a router SHOULD
provide the ability to specify independently for each routing
protocol:
o Which logical interfaces or routers routing information
(routes) will be accepted from and which routes will be
believed from each other router or logical interface,
o Which routes will be sent via which logical interface(s), and
o Which routers routing information will be sent to, if this is
supported by the routing protocol in use.
In many situations it is desirable to assign a reliability
ordering to routing information received from another router
instead of the simple believe or don't believe choice listed in
the first bullet above. A router MAY provide the ability to
specify:
o A reliability or preference to be assigned to each route
received. A route with higher reliability will be chosen over
one with lower reliability regardless of the routing metric
associated with each route.
If a router supports assignment of preferences, the router MUST
NOT propagate any routes it does not prefer as first party
information. If the routing protocol being used to propagate the
routes does not support distinguishing between first and third
party information, the router MUST NOT propagate any routes it
does not prefer.
DISCUSSION:
For example, assume a router receives a route to network C from
router R and a route to the same network from router S. If
router R is considered more reliable than router S traffic
destined for network C will be forwarded to router R regardless
of the route received from router S.
Routing information for routes which the router does not use
(router S in the above example) MUST NOT be passed to any other
router.
7.6 INTER-ROUTING-PROTOCOL INFORMATION EXCHANGE
Routers MUST be able to exchange routing information between separate
IP interior routing protocols, if independent IP routing processes
can run in the same router. Routers MUST provide some mechanism for
avoiding routing loops when routers are configured for bi-directional
exchange of routing information between two separate interior routing
processes. Routers MUST provide some priority mechanism for choosing
routes from among independent routing processes. Routers SHOULD
provide administrative control of IGP-IGP exchange when used across
administrative boundaries.
Routers SHOULD provide some mechanism for translating or transforming
metrics on a per network basis. Routers (or routing protocols) MAY
allow for global preference of exterior routes imported into an IGP.
DISCUSSION:
Different IGPs use different metrics, requiring some translation
technique when introducing information from one protocol into
another protocol with a different form of metric. Some IGPs can
run multiple instances within the same router or set of routers.
In this case metric information can be preserved exactly or
translated.
There are at least two techniques for translation between
different routing processes. The static (or reachability)
approach uses the existence of a route advertisement in one IGP to
generate a route advertisement in the other IGP with a given
metric. The translation or tabular approach uses the metric in
one IGP to create a metric in the other IGP through use of either
a function (such as adding a constant) or a table lookup.
Bi-directional exchange of routing information is dangerous
without control mechanisms to limit feedback. This is the same
problem that distance vector routing protocols must address with
the split horizon technique and that EGP addresses with the
third-party rule. Routing loops can be avoided explicitly through
use of tables or lists of permitted/denied routes or implicitly
through use of a split horizon rule, a no-third-party rule, or a
route tagging mechanism. Vendors are encouraged to use implicit
techniques where possible to make administration easier for
network operators.
8. APPLICATION LAYER - NETWORK MANAGEMENT PROTOCOLS
Note that this chapter supersedes any requirements stated in section 6.3
of [INTRO:3].
8.1 The Simple Network Management Protocol - SNMP
8.1.1 SNMP Protocol Elements
Routers MUST be manageable by SNMP [MGT:3]. The SNMP MUST operate
using UDP/IP as its transport and network protocols. Others MAY
be supported (e.g., see [MGT:25, MGT:26, MGT:27, and MGT:28]).
SNMP management operations MUST operate as if the SNMP was
implemented on the router itself. Specifically, management
operations MUST be effected by sending SNMP management requests to
any of the IP addresses assigned to any of the router's
interfaces. The actual management operation may be performed
either by the router or by a proxy for the router.
DISCUSSION:
This wording is intended to allow management either by proxy,
where the proxy device responds to SNMP packets which have one
of the router's IP addresses in the packets destination address
field, or the SNMP is implemented directly in the router itself
and receives packets and responds to them in the proper manner.
It is important that management operations can be sent to one
of the router's IP Addresses. In diagnosing network problems
the only thing identifying the router that is available may be
one of the router's IP address; obtained perhaps by looking
through another router's routing table.
All SNMP operations (get, get-next, get-response, set, and trap)
MUST be implemented.
Routers MUST provide a mechanism for rate-limiting the generation
of SNMP trap messages. Routers MAY provide this mechanism via the
algorithms for asynchronous alert management described in [MGT:5].
DISCUSSION:
Although there is general agreement about the need to rate-
limit traps, there is not yet consensus on how this is best
achieved. The reference cited is considered experimental.
8.2 Community Table
For the purposes of this specification, we assume that there is an
abstract `community table' in the router. This table contains
several entries, each entry for a specific community and containing
the parameters necessary to completely define the attributes of that
community. The actual implementation method of the abstract
community table is, of course, implementation specific.
A router's community table MUST allow for at least one entry and
SHOULD allow for at least two entries.
DISCUSSION:
A community table with zero capacity is useless. It means that
the router will not recognize any communities and, therefore, all
SNMP operations will be rejected.
Therefore, one entry is the minimal useful size of the table.
Having two entries allows one entry to be limited to read-only
access while the other would have write capabilities.
Routers MUST allow the user to manually (i.e., without using SNMP)
examine, add, delete and change entries in the SNMP community table.
The user MUST be able to set the community name. The user MUST be
able to configure communities as read-only (i.e., they do not allow
SETs) or read-write (i.e., they do allow SETs).
The user MUST be able to define at least one IP address to which
traps are sent for each community. These addresses MUST be definable
on a per-community basis. Traps MUST be enablable or disablable on a
per-community basis.
A router SHOULD provide the ability to specify a list of valid
network managers for any particular community. If enabled, a router
MUST validate the source address of the SNMP datagram against the
list and MUST discard the datagram if its address does not appear.
If the datagram is discarded the router MUST take all actions
appropriate to an SNMP authentication failure.
DISCUSSION:
This is a rather limited authentication system, but coupled with
various forms of packet filtering may provide some small measure
of increased security.
The community table MUST be saved in non-volatile storage.
The initial state of the community table SHOULD contain one entry,
with the community name string public and read-only access. The
default state of this entry MUST NOT send traps. If it is
implemented, then this entry MUST remain in the community table until
the administrator changes it or deletes it.
DISCUSSION:
By default, traps are not sent to this community. Trap PDUs are
sent to unicast IP addresses. This address must be configured into
the router in some manner. Before the configuration occurs, there
is no such address, so to whom should the trap be sent? Therefore
trap sending to the public community defaults to be disabled. This
can, of course, be changed by an administrative operation once the
router is operational.
8.3 Standard MIBS
All MIBS relevant to a router's configuration are to be implemented.
To wit:
o The System, Interface, IP, ICMP, and UDP groups of MIB-II [MGT:2]
MUST be implemented.
o The Interface Extensions MIB [MGT:18] MUST be implemented.
o The IP Forwarding Table MIB [MGT:20] MUST be implemented.
o If the router implements TCP (e.g. for Telnet) then the TCP group
of MIB-II [MGT:2] MUST be implemented.
o If the router implements EGP then the EGP group of MIB-II [MGT:2]
MUST be implemented.
o If the router supports OSPF then the OSPF MIB [MGT:14] MUST be
implemented.
o If the router supports BGP then the BGP MIB [MGT:15] MUST be
implemented.
o If the router has Ethernet, 802.3, or StarLan interfaces then the
Ethernet-Like MIB [MGT:6] MUST be implemented.
o If the router has 802.4 interfaces then the 802.4 MIB [MGT:7] MAY
be implemented.
o If the router has 802.5 interfaces then the 802.5 MIB [MGT:8] MUST
be implemented.
o If the router has FDDI interfaces that implement ANSI SMT 7.3 then
the FDDI MIB [MGT:9] MUST be implemented.
o If the router has FDDI interfaces that implement ANSI SMT 6.2 then
the FDDI MIB [MGT:29] MUST be implemented.
o If the router has RS-232 interfaces then the RS-232 [MGT:10] MIB
MUST be implemented.
o If the router has T1/DS1 interfaces then the T1/DS1 MIB [MGT:16]
MUST be implemented.
o If the router has T3/DS3 interfaces then the T3/DS3 MIB [MGT:17]
MUST be implemented.
o If the router has SMDS interfaces then the SMDS Interface Protocol
MIB [MGT:19] MUST be implemented.
o If the router supports PPP over any of its interfaces then the PPP
MIBs [MGT:11], [MGT:12], and [MGT:13] MUST be implemented.
o If the router supports RIP Version 2 then the RIP Version 2 MIB
[MGT:21] MUST be implemented.
o If the router supports X.25 over any of its interfaces then the
X.25 MIBs [MGT:22, MGT:23 and MGT:24] MUST be implemented.
8.4 Vendor Specific MIBS
The Internet Standard and Experimental MIBs do not cover the entire
range of statistical, state, configuration and control information
that may be available in a network element. This information is,
never the less, extremely useful. Vendors of routers (and other
network devices) generally have developed MIB extensions that cover
this information. These MIB extensions are called Vendor Specific
MIBs.
The Vendor Specific MIB for the router MUST provide access to all
statistical, state, configuration, and control information that is
not available through the Standard and Experimental MIBs that have
been implemented. This information MUST be available for both
monitoring and control operations.
DISCUSSION:
The intent of this requirement is to provide the ability to do
anything on the router via SNMP that can be done via a console. A
certain minimal amount of configuration is necessary before SNMP
can operate (e.g., the router must have an IP address). This
initial configuration can not be done via SNMP. However, once the
initial configuration is done, full capabilities ought to be
available via network management.
The vendor SHOULD make available the specifications for all Vendor
Specific MIB variables. These specifications MUST conform to the SMI
[MGT:1] and the descriptions MUST be in the form specified in
[MGT:4].
DISCUSSION:
Making the Vendor Specific MIB available to the user is necessary.
Without this information the users would not be able to configure
their network management systems to be able to access the Vendor
Specific parameters. These parameters would then be useless.
The format of the MIB specification is also specified. Parsers
which read MIB specifications and generate the needed tables for
the network management station are available. These parsers
generally understand only the standard MIB specification format.
8.5 Saving Changes
Parameters altered by SNMP MAY be saved to non-volatile storage.
DISCUSSION:
Reasons why this requirement is a MAY:
o The exact physical nature of non-volatile storage is not
specified in this document. Hence, parameters may be saved in
NVRAM/EEPROM, local floppy or hard disk, or in some TFTP file
server or BOOTP server, etc. Suppose that that this information
is in a file that is retrieved via TFTP. In that case, a change
made to a configuration parameter on the router would need to
be propagated back to the file server holding the configuration
file. Alternatively, the SNMP operation would need to be
directed to the file server, and then the change somehow
propagated to the router. The answer to this problem does not
seem obvious.
This also places more requirements on the host holding the
configuration information than just having an available tftp
server, so much more that its probably unsafe for a vendor to
assume that any potential customer will have a suitable host
available.
o The timing of committing changed parameters to non-volatile
storage is still an issue for debate. Some prefer to commit all
changes immediately. Others prefer to commit changes to non-
volatile storage only upon an explicit command.
9. APPLICATION LAYER - MISCELLANEOUS PROTOCOLS
For all additional application protocols that a router implements, the
router MUST be compliant and SHOULD be unconditionally compliant with
the relevant requirements of [INTRO:3].
9.1 BOOTP
9.1.1 Introduction
The Bootstrap Protocol (BOOTP) is a UDP/IP-based protocol which
allows a booting host to configure itself dynamically and without
user supervision. BOOTP provides a means to notify a host of its
assigned IP address, the IP address of a boot server host, and the
name of a file to be loaded into memory and executed ([APPL:1]).
Other configuration information such as the local subnet mask, the
local time offset, the addresses of default routers, and the
addresses of various Internet servers can also be communicated to
a host using BOOTP ([APPL:2]).
9.1.2 BOOTP Relay Agents
In many cases, BOOTP clients and their associated BOOTP server(s)
do not reside on the same IP network or subnet. In such cases, a
third-party agent is required to transfer BOOTP messages between
clients and servers. Such an agent was originally referred to as
a BOOTP forwarding agent. However, in order to avoid confusion
with the IP forwarding function of a router, the name BOOTP relay
agent has been adopted instead.
DISCUSSION:
A BOOTP relay agent performs a task which is distinct from a
router's normal IP forwarding function. While a router
normally switches IP datagrams between networks more-or-less
transparently, a BOOTP relay agent may more properly be thought
to receive BOOTP messages as a final destination and then
generate new BOOTP messages as a result. One should resist the
notion of simply forwarding a BOOTP message straight through
like a regular packet.
This relay-agent functionality is most conveniently located in the
routers which interconnect the clients and servers (although it
may alternatively be located in a host which is directly connected
to the client subnet).
A router MAY provide BOOTP relay-agent capability. If it does, it
MUST conform to the specifications in [APPL:3].
Section [5.2.3] discussed the circumstances under which a packet
is delivered locally (to the router). All locally delivered UDP
messages whose UDP destination port number is BOOTPS (67) are
considered for special processing by the router's logical BOOTP
relay agent.
Sections [4.2.2.11] and [5.3.7] discussed invalid IP source
addresses. According to these rules, a router must not forward
any received datagram whose IP source address is 0.0.0.0.
However, routers which support a BOOTP relay agent MUST accept for
local delivery to the relay agent BOOTREQUEST messages whose IP
source address is 0.0.0.0.
10. OPERATIONS AND MAINTENANCE
This chapter supersedes any requirements stated in section 6.2 of
[INTRO:3].
Facilities to support operation and maintenance (O&M) activities form an
essential part of any router implementation. Although these functions
do not seem to relate directly to interoperability, they are essential
to the network manager who must make the router interoperate and must
track down problems when it doesn't. This chapter also includes some
discussion of router initialization and of facilities to assist network
managers in securing and accounting for their networks.
10.1 Introduction
The following kinds of activities are included under router O&M:
o Diagnosing hardware problems in the router's processor, in its
network interfaces, or in its connected networks, modems, or
communication lines.
o Installing new hardware
o Installing new software.
o Restarting or rebooting the router after a crash.
o Configuring (or reconfiguring) the router.
o Detecting and diagnosing Internet problems such as congestion,
routing loops, bad IP addresses, black holes, packet avalanches,
and misbehaved hosts.
o Changing network topology, either temporarily (e.g., to bypass a
communication line problem) or permanently.
o Monitoring the status and performance of the routers and the
connected networks.
o Collecting traffic statistics for use in (Inter-)network planning.
o Coordinating the above activities with appropriate vendors and
telecommunications specialists.
Routers and their connected communication lines are often operated as
a system by a centralized O&M organization. This organization may
maintain a (Inter-)network operation center, or NOC, to carry out its
O&M functions. It is essential that routers support remote control
and monitoring from such a NOC through an Internet path, since
routers might not be connected to the same network as their NOC.
Since a network failure may temporarily preclude network access, many
NOCs insist that routers be accessible for network management via an
alternative means, often dialup modems attached to console ports on
the routers.
Since an IP packet traversing an internet will often use routers
under the control of more than one NOC, Internet problem diagnosis
will often involve cooperation of personnel of more than one NOC. In
some cases, the same router may need to be monitored by more than one
NOC, but only if necessary, because excessive monitoring could impact
a router's performance.
The tools available for monitoring at a NOC may cover a wide range of
sophistication. Current implementations include multi-window, dynamic
displays of the entire router system. The use of AI techniques for
automatic problem diagnosis is proposed for the future.
Router O&M facilities discussed here are only a part of the large and
difficult problem of Internet management. These problems encompass
not only multiple management organizations, but also multiple
protocol layers. For example, at the current stage of evolution of
the Internet architecture, there is a strong coupling between host
TCP implementations and eventual IP-level congestion in the router
system [OPER:1]. Therefore, diagnosis of congestion problems will
sometimes require the monitoring of TCP statistics in hosts. There
are currently a number of R&D efforts in progress in the area of
Internet management and more specifically router O&M. These R&D
efforts have already produced standards for router O&M. This is also
an area in which vendor creativity can make a significant
contribution.
10.2 Router Initialization
10.2.1 Minimum Router Configuration
There exists a minimum set of conditions that must be satisfied
before a router may forward packets. A router MUST NOT enable
forwarding on any physical interface unless either:
(1) The router knows the IP address and associated subnet mask of
at least one logical interface associated with that physical
interface, or
(2) The router knows that the interface is an unnumbered
interface and also knows its router-id.
These parameters MUST be explicitly configured:
o A router MUST NOT use factory-configured default values for its
IP addresses, subnet masks, or router-id, and
o A router MUST NOT assume that an unconfigured interface is an
unnumbered interface.
DISCUSSION:
There have been instances in which routers have been shipped
with vendor-installed default addresses for interfaces. In a
few cases, this has resulted in routers advertising these
default addresses into active networks.
10.2.2 Address and Address Mask Initialization
A router MUST allow its IP addresses and their subnet masks to be
statically configured and saved in permanent storage.
A router MAY obtain its IP addresses and their corresponding
subnet masks dynamically as a side effect of the system
initialization process (see Section 10.2.3]);
If the dynamic method is provided, the choice of method to be used
in a particular router MUST be configurable.
As was described in Section [4.2.2.11], IP addresses are not
permitted to have the value 0 or -1 for any of the <Host-number>,
<Network-number>, or <Subnet-number> fields. Therefore, a router
SHOULD NOT allow an IP address or subnet mask to be set to a value
which would make any of the the three fields above have the value
zero or -1.
DISCUSSION:
It is possible using variable length subnet masks to create
situations in which routing is ambiguous (i.e., two routes with
different but equally-specific subnet masks match a particular
destination address). We suspect that a router could, when
setting a subnet mask, check whether the mask would cause
routing to be ambiguous, and that implementors might be able to
decrease their customer support costs by having routers
prohibit or log such erroneous configurations. However, at
this time we do not require routers to make such checks because
we know of no published method for accurately making this
check.
A router SHOULD make the following checks on any subnet mask it
installs:
o The mask is not all 1-bits.
o The bits which correspond to the network number part of the
address are all set to 1.
DISCUSSION:
The masks associated with routes are also sometimes called
subnet masks, this test should not be applied to them.
10.2.3 Network Booting using BOOTP and TFTP
There has been a lot of discussion on how routers can and should
be booted from the network. In general, these discussions have
centered around BOOTP and TFTP. Currently, there are routers that
boot with TFTP from the network. There is no reason that BOOTP
could not be used for locating the server that the boot image
should be loaded from.
In general, BOOTP is a protocol used to boot end systems, and
requires some stretching to accommodate its use with routers. If
a router is using BOOTP to locate the current boot host, it should
send a BOOTP Request with its hardware address for its first
interface, or, if it has been previously configured otherwise,
with either another interface's hardware address, or another
number to put in the hardware address field of the BOOTP packet.
This is to allow routers without hardware addresses (like sync
line only routers) to use BOOTP for bootload discovery. TFTP can
then be used to retrieve the image found in the BOOTP Reply. If
there are no configured interfaces or numbers to use, a router MAY
cycle through the interface hardware addresses it has until a
match is found by the BOOTP server.
A router SHOULD IMPLEMENT the ability to store parameters learned
via BOOTP into local stable storage. A router MAY implement the
ability to store a system image loaded over the network into local
stable storage.
A router MAY have a facility to allow a remote user to request
that the router get a new boot image. Differentiation should be
made between getting the new boot image from one of three
locations: the one included in the request, from the last boot
image server, and using BOOTP to locate a server.
10.3 Operation and Maintenance
10.3.1 Introduction
There is a range of possible models for performing O&M functions
on a router. At one extreme is the local-only model, under which
the O&M functions can only be executed locally (e.g., from a
terminal plugged into the router machine). At the other extreme,
the fully-remote model allows only an absolute minimum of
functions to be performed locally (e.g., forcing a boot), with
most O&M being done remotely from the NOC. There are intermediate
models, such as one in which NOC personnel can log into the router
as a host, using the Telnet protocol, to perform functions which
can also be invoked locally. The local-only model may be adequate
in a few router installations, but in general remote operation
from a NOC will be required, and therefore remote O&M provisions
are required for most routers.
Remote O&M functions may be exercised through a control agent
(program). In the direct approach, the router would support
remote O&M functions directly from the NOC using standard Internet
protocols (e.g., SNMP, UDP or TCP); in the indirect approach, the
control agent would support these protocols and control the router
itself using proprietary protocols. The direct approach is
preferred, although either approach is acceptable. The use of
specialized host hardware and/or software requiring significant
additional investment is discouraged; nevertheless, some vendors
may elect to provide the control agent as an integrated part of
the network in which the routers are a part. If this is the case,
it is required that a means be available to operate the control
agent from a remote site using Internet protocols and paths and
with equivalent functionality with respect to a local agent
terminal.
It is desirable that a control agent and any other NOC software
tools which a vendor provides operate as user programs in a
standard operating system. The use of the standard Internet
protocols UDP and TCP for communicating with the routers should
facilitate this.
Remote router monitoring and (especially) remote router control
present important access control problems which must be addressed.
Care must also be taken to ensure control of the use of router
resources for these functions. It is not desirable to let router
monitoring take more than some limited fraction of the router CPU
time, for example. On the other hand, O&M functions must receive
priority so they can be exercised when the router is congested,
since often that is when O&M is most needed.
10.3.2 Out Of Band Access
Routers MUST support Out-Of-Band (OOB) access. OOB access SHOULD
provide the same functionality as in-band access.
DISCUSSION:
This Out-Of-Band access will allow the NOC a way to access
isolated routers during times when network access is not
available.
Out-Of-Band access is an important management tool for the
network administrator. It allows the access of equipment
independent of the network connections. There are many ways to
achieve this access. Whichever one is used it is important
that the access is independent of the network connections. An
example of Out-Of-Band access would be a serial port connected
to a modem that provides dial up access to the router.
It is important that the OOB access provides the same
functionality as in-band access. In-band access, or accessing
equipment through the existing network connection, is limiting,
because most of the time, administrators need to reach
equipment to figure out why it is unreachable. In band access
is still very important for configuring a router, and for
troubleshooting more subtle problems.
10.3.2 Router O&M Functions
10.3.2.1 Maintenance - Hardware Diagnosis
Each router SHOULD operate as a stand-alone device for the
purposes of local hardware maintenance. Means SHOULD be
available to run diagnostic programs at the router site using
only on-site tools. A router SHOULD be able to run diagnostics
in case of a fault. For suggested hardware and software
diagnostics see Section [10.3.3].
10.3.2.2 Control - Dumping and Rebooting
A router MUST include both in-band and out-of-band mechanisms
to allow the network manager to reload, stop, and restart the
router. A router SHOULD also contain a mechanism (such as a
watchdog timer) which will reboot the router automatically if
it hangs due to a software or hardware fault.
A router SHOULD IMPLEMENT a mechanism for dumping the contents
of a router's memory (and/or other state useful for vendor
debugging after a crash), and either saving them on a stable
storage device local to the router or saving them on another
host via an up-line dump mechanism such as TFTP (see [OPER:2],
[INTRO:3]).
10.3.2.3 Control - Configuring the Router
Every router has configuration parameters which may need to be
set. It SHOULD be possible to update the parameters without
rebooting the router; at worst, a restart MAY be required.
There may be cases when it is not possible to change parameters
without rebooting the router (for instance, changing the IP
address of an interface). In these cases, care should be taken
to minimize disruption to the router and the surrounding
network.
There SHOULD be a way to configure the router over the network
either manually or automatically. A router SHOULD be able to
upload or download its parameters from a host or another
router, and these parameters SHOULD be convertible into some
sort of text format for making changes and then back to the
form the router can read. A router SHOULD have some sort of
stable storage for its configuration. A router SHOULD NOT
believe protocols such as RARP, ICMP Address Mask Reply, and
MAY not believe BOOTP.
DISCUSSION:
It is necessary to note here that in the future RARP, ICMP
Address Mask Reply, BOOTP and other mechanisms may be needed
to allow a router to auto-configure. Although routers may
in the future be able to configure automatically, the intent
here is to discourage this practice in a production
environment until such time as auto-configuration has been
tested more thoroughly. The intent is NOT to discourage
auto-configuration all together. In cases where a router is
expected to get its configuration automatically it may be
wise to allow the router to believe these things as it comes
up and then ignore them after it has gotten its
configuration.
10.3.2.4 Netbooting of System Software
A router SHOULD keep its system image in local non-volatile
storage such as PROM, NVRAM, or disk. It MAY also be able to
load its system software over the network from a host or
another router.
A router which can keep its system image in local non-volatile
storage MAY be configurable to boot its system image over the
network. A router which offers this option SHOULD be
configurable to boot the system image in its non-volatile local
storage if it is unable to boot its system image over the
network.
DISCUSSION:
It is important that the router be able to come up and run
on its own. NVRAM may be a particular solution for routers
used in large networks, since changing PROMs can be quite
time consuming for a network manager responsible for
numerous or geographically dispersed routers. It is
important to be able to netboot the system image because
there should be an easy way for a router to get a bug fix or
new feature more quickly than getting PROMS installed. Also
if the router has NVRAM instead of PROMs, it will netboot
the image and then put it in NVRAM.
A router MAY also be able to distinguish between different
configurations based on which software it is running. If
configuration commands change from one software version to
another, it would be helpful if the router could use the
configuration that was compatible with the software.
10.3.2.5 Detecting and responding to misconfiguration
There MUST be mechanisms for detecting and responding to
misconfigurations. If a command is executed incorrectly, the
router SHOULD give an error message. The router SHOULD NOT
accept a poorly formed command as if it were correct.
DISCUSSION:
There are cases where it is not possible to detect errors:
the command is correctly formed, but incorrect with respect
to the network. This may be detected by the router, but may
not be possible.
Another form of misconfiguration is misconfiguration of the
network to which the router is attached. A router MAY detect
misconfigurations in the network. The router MAY log these
findings to a file, either on the router or a host, so that the
network manager will see that there are possible problems on
the network.
DISCUSSION:
Examples of such misconfigurations might be another router
with the same address as the one in question or a router
with the wrong subnet mask. If a router detects such
problems it is probably not the best idea for the router to
try to fix the situation. That could cause more harm than
good.
10.3.2.6 Minimizing Disruption
Changing the configuration of a router SHOULD have minimal
affect on the network. Routing tables SHOULD NOT be
unnecessarily flushed when a simple change is made to the
router. If a router is running several routing protocols,
stopping one routing protocol SHOULD NOT disrupt other routing
protocols, except in the case where one network is learned by
more than one routing protocol.
DISCUSSION:
It is the goal of a network manager to run a network so that
users of the network get the best connectivity possible.
Reloading a router for simple configuration changes can
cause disruptions in routing and ultimately cause
disruptions to the network and its users. If routing tables
are unnecessarily flushed, for instance, the default route
will be lost as well as specific routes to sites within the
network. This sort of disruption will cause significant
downtime for the users. It is the purpose of this section to
point out that whenever possible, these disruptions should
be avoided.
10.3.2.7 Control - Troubleshooting Problems
(1) A router MUST provide in-band network access, but (except
as required by Section [8.2]) for security considerations
this access SHOULD be disabled by default. Vendors MUST
document the default state of any in-band access.
DISCUSSION:
In-band access primarily refers to access via the
normal network protocols which may or may not affect
the permanent operational state of the router. This
includes, but is not limited to Telnet/RLOGIN console
access and SNMP operations.
This was a point of contention between the operational
out of the box and secure out of the box contingents.
Any automagic access to the router may introduce
insecurities, but it may be more important for the
customer to have a router which is accessible over the
network as soon as it is plugged in. At least one
vendor supplies routers without any external console
access and depends on being able to access the router
via the network to complete its configuration.
Basically, it is the vendors call whether or not in-
band access is enabled by default; but it is also the
vendors responsibility to make its customers aware of
possible insecurities.
(2) A router MUST provide the ability to initiate an ICMP
echo. The following options SHOULD be implemented:
o Choice of data patterns
o Choice of packet size
o Record route
and the following additional options MAY be implemented:
o Loose source route
o Strict source route
o Timestamps
(3) A router SHOULD provide the ability to initiate a
traceroute. If traceroute is provided, then the 3rd party
traceroute SHOULD be implemented.
Each of the above three facilities (if implemented) SHOULD have
access restrictions placed on it to prevent its abuse by
unauthorized persons.
10.4 Security Considerations
10.4.1 Auditing and Audit Trails
Auditing and billing are the bane of the network operator, but are
the two features most requested by those in charge of network
security and those who are responsible for paying the bills. In
the context of security, auditing is desirable if it helps you
keep your network working and protects your resources from abuse,
without costing you more than those resources are worth.
(1) Configuration Changes
Router SHOULD provide a method for auditing a configuration
change of a router, even if it's something as simple as
recording the operator's initials and time of change.
DISCUSSION:
Having the ability to track who made changes and when is
highly desirable, especially if your packets suddenly
start getting routed through Alaska on their way across
town.
(2) Packet Accounting
Vendors should strongly consider providing a system for
tracking traffic levels between pairs of hosts or networks.
A mechanism for limiting the collection of this information
to specific pairs of hosts or networks is also strongly
encouraged.
DISCUSSION:
A host traffic matrix as described above can give the
network operator a glimpse of traffic trends not apparent
from other statistics. It can also identify hosts or
networks which are probing the structure of the attached
networks - e.g., a single external host which tries to
send packets to every IP address in the network address
range for a connected network.
(3) Security Auditing
Routers MUST provide a method for auditing security related
failures or violations to include:
o Authorization Failures: bad passwords, invalid SNMP
communities, invalid authorization tokens,
o Violations of Policy Controls: Prohibited Source Routes,
Filtered Destinations, and
o Authorization Approvals: good passwords - Telnet in-band
access, console access.
Routers MUST provide a method of limiting or disabling such
auditing but auditing SHOULD be on by default. Possible
methods for auditing include listing violations to a console
if present, logging or counting them internally, or logging
them to a remote security server via the SNMP trap mechanism
or the Unix logging mechanism as appropriate. A router MUST
implement at least one of these reporting mechanisms - it MAY
implement more than one.
10.4.2 Configuration Control
A vendor has a responsibility to use good configuration control
practices in the creation of the software/firmware loads for their
routers. In particular, if a vendor makes updates and loads
available for retrieval over the Internet, the vendor should also
provide a way for the customer to confirm the load is a valid one,
perhaps by the verification of a checksum over the load.
DISCUSSION:
Many vendors currently provide short notice updates of their
software products via the Internet. This a good trend and
should be encouraged, but provides a point of vulnerability in
the configuration control process.
If a vendor provides the ability for the customer to change the
configuration parameters of a router remotely, for example via a
Telnet session, the ability to do so SHOULD be configurable and
SHOULD default to off. The router SHOULD require a password or
other valid authentication before permitting remote
reconfiguration.
DISCUSSION:
Allowing your properly identified network operator to twiddle
with your routers is necessary; allowing anyone else to do so
is foolhardy.
A router MUST NOT have undocumented back door access and master
passwords. A vendor MUST ensure any such access added for
purposes of debugging or product development are deleted before
the product is distributed to its customers.
DISCUSSION:
A vendor has a responsibility to its customers to ensure they
are aware of the vulnerabilities present in its code by
intention - e.g. in-band access. Trap doors, back doors and
master passwords intentional or unintentional can turn a
relatively secure router into a major problem on an operational
network. The supposed operational benefits are not matched by
the potential problems.
11. REFERENCES
Implementors should be aware that Internet protocol standards are
occasionally updated. These references are current as of this writing,
but a cautious implementor will always check a recent version of the RFC
index to ensure that an RFC has not been updated or superseded by
another, more recent RFC. Reference [INTRO:6] explains various ways to
obtain a current RFC index.
APPL:1.
B. Croft and J. Gilmore, Bootstrap Protocol (BOOTP), Request For
Comments (RFC) 951, Stanford and SUN Microsystems, September 1985.
APPL:2.
S. Alexander and R. Droms, DHCP Options and BOOTP Vendor
Extensions, Request For Comments (RFC) 1533, Lachman Technology,
Inc., Bucknell University, October 1993.
APPL:3.
W. Wimer, Clarifications and Extensions for the Bootstrap Protocol,
Request For Comments (RFC) 1542, Carnegie Mellon University,
October 1993.
ARCH:1.
DDN Protocol Handbook, NIC-50004, NIC-50005, NIC-50006 (three
volumes), DDN Network Information Center, SRI International, Menlo
Park, California, USA, December 1985.
ARCH:2.
V. Cerf and R. Kahn, A Protocol for Packet Network
Intercommunication," IEEE Transactions on Communication, May 1974.
Also included in [ARCH:1].
ARCH:3.
J. Postel, C. Sunshine, and D. Cohen, The ARPA Internet Protocol,"
Computer Networks, vol. 5, no. 4, July 1981. Also included in
[ARCH:1].
ARCH:4.
B. Leiner, J. Postel, R. Cole, and D. Mills, The DARPA Internet
Protocol Suite, Proceedings of INFOCOM '85, IEEE, Washington, DC,
March 1985. Also in: IEEE Communications Magazine, March 1985.
Also available from the Information Sciences Institute, University
of Southern California as Technical Report ISI-RS-85-153.
ARCH:5.
D. Comer, Internetworking With TCP/IP Volume 1: Principles,
Protocols, and Architecture, Prentice Hall, Englewood Cliffs, NJ,
1991.
ARCH:6.
W. Stallings, Handbook of Computer-Communications Standards Volume
3: The TCP/IP Protocol Suite, Macmillan, New York, NY, 1990.
ARCH:7.
J. Postel, Internet Official Protocol Standards, Request For
Comments (RFC) 1610, STD 1, USC/Information Sciences Institute,
July 1994.
ARCH:8.
Information processing systems - Open Systems Interconnection -
Basic Reference Model, ISO 7489, International Standards
Organization, 1984.
FORWARD:1.
IETF CIP Working Group (C. Topolcic, Editor), Experimental Internet
Stream Protocol, Version 2 (ST-II), Request For Comments (RFC)
1190, CIP Working Group, October 1990.
FORWARD:2.
A. Mankin and K. Ramakrishnan, Editors, Gateway Congestion Control
Survey, Request For Comments (RFC) 1254, MITRE, Digital Equipment
Corporation, August 1991.
FORWARD:3.
J. Nagle, On Packet Switches with Infinite Storage, IEEE
Transactions on Communications, vol. COM-35, no. 4, April 1987.
FORWARD:4.
R. Jain, K. Ramakrishnan, and D. Chiu, Congestion Avoidance in
Computer Networks With a Connectionless Network Layer, Technical
Report DEC-TR-506, Digital Equipment Corporation.
FORWARD:5.
V. Jacobson, Congestion Avoidance and Control, Proceedings of
SIGCOMM '88, Association for Computing Machinery, August 1988.
FORWARD:6.
W. Barns, Precedence and Priority Access Implementation for
Department of Defense Data Networks, Technical Report MTR-91W00029,
The Mitre Corporation, McLean, Virginia, USA, July 1991.
(next page on part 6)
