draft-ietf-crisp-firs-ipv4-02.txt (revision of draft-ietf-crisp-firs-ipv4-01.txt, May 2003)

INTERNET-DRAFT                                             Eric A. Hall
Document: draft-ietf-crisp-firs-ipv4-02.txt                   July 2003
Expires: February, 2004
Category: Experimental

           Defining and Locating IPv4 Address Blocks
           in the Federated Internet Registry Service

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC 2026.

   [unchanged text omitted]

   Copyright (C) The Internet Society (2003). All Rights Reserved.

Abstract

   This document defines LDAP schema and searching rules for IPv4
   address blocks, in support of the Federated Internet Registry
   Service (FIRS) described in [FIRS-ARCH] and [FIRS-CORE].
Table of Contents

   1. Introduction...............................................2
   2. Prerequisites and Terminology..............................2
   3. Naming Syntax..............................................3
   4. Object Classes and Attributes..............................4
   5. Query Processing Rules.....................................7
   5.1. Query Pre-Processing....................................7
   5.2. Query Bootstrapping.....................................8
   5.3. LDAP Matching...........................................9
   5.4. Example Query..........................................10
   6. Security Considerations...................................12
   7. IANA Considerations.......................................12
   8. Normative References......................................12
   9. Changes from Previous Versions............................13
   10. Author's Address..........................................14
   11. Acknowledgments...........................................14
   12. Full Copyright Statement..................................15
1. Introduction

   This specification defines the naming syntax, object classes,
   attributes, matching filters, and query processing rules for
   storing and locating IPv4 address blocks in the FIRS service.

   Refer to [FIRS-ARCH] for information on the FIRS architecture and
   [FIRS-CORE] for the schema definitions and rules which govern the
   FIRS service as a whole.

   [unchanged text omitted]

   The definitions in this specification are intended to be used with
   FIRS. Their usage outside of FIRS is not prohibited, but any such
   usage is beyond this specification's scope of authority.
2. Prerequisites and Terminology

   The complete set of specifications in the FIRS collection
   cumulatively defines a structured and distributed information
   service using LDAPv3 for the data-formatting and transport
   functions. This specification should be read in the context of
   that set, which currently includes the following:

      draft-ietf-crisp-firs-arch-01, "The Federated Internet
      Registry Service: Architecture and Implementation"
      [FIRS-ARCH]

      draft-ietf-crisp-firs-core-01, "The Federated Internet
      Registry Service: Core Elements" [FIRS-CORE]

      draft-ietf-crisp-firs-dns-01, "Defining and Locating DNS
      Domains in the Federated Internet Registry Service"
      [FIRS-DNS]

      draft-ietf-crisp-firs-dnsrr-01, "Defining and Locating DNS
      Resource Records in the Federated Internet Registry
      Service" [FIRS-DNSRR]

      draft-ietf-crisp-firs-contact-01, "Defining and Locating
      Contact Persons in the Federated Internet Registry Service"
      [FIRS-CONTCT]

      draft-ietf-crisp-firs-asn-01, "Defining and Locating
      Autonomous System Numbers in the Federated Internet
      Registry Service" [FIRS-ASN]

      draft-ietf-crisp-firs-ipv4, "Defining and Locating IPv4
      Address Blocks in the Federated Internet Registry Service"
      (this document) [FIRS-IPV4]

      draft-ietf-crisp-firs-ipv6-01, "Defining and Locating IPv6
      Address Blocks in the Federated Internet Registry Service"
      [FIRS-IPV6]

Hall                    I-D Expires: February 2004              [page 2]

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
   NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL"
   in this document are to be interpreted as described in RFC 2119.
3. Naming Syntax

   The naming syntax for IPv4 address blocks in FIRS MUST follow the
   form of "cn=<inetIpv4NetworkSyntax>,cn=inetResources,<partition>",
   where <inetIpv4NetworkSyntax> is the IPv4 address block resource,
   and where <partition> is a sequence of domainComponent relative
   distinguished names which identifies the scope of authority for
   the selected directory partition.

   The inetIpv4NetworkSyntax rules use the traditional "dotted-quad"
   notation, where each of four sub-components provides a decimal
   value that represents one octet from a 32-bit IPv4 address, with
   the sub-components being separated by a full-stop (period)
   character, and with the four-part sequence being followed by a "/"
   character and a decimal "prefix" value.

   Entries which use the inetIpv4NetworkSyntax MUST use the starting
   address from a range of inclusive addresses, and MUST use CIDR
   prefix notation. In this manner, it is possible to create an
   inetIpv4Network entry for a range of addresses of any size
   (including a single host).

   The leading zeroes from each octet MUST be removed before the
   value is stored or used in a query. Octets which have a value of
   zero MUST be represented by the single-digit value of "0".

   If an input string does not match this syntax, a FIRS-aware
   application MAY attempt to manipulate the input string to form a
   valid value. For example, if a user enters a traditional IPv4
   address without specifying a prefix value, the application MAY
   append "/32" to the end of the input string to form a valid
   assertion value. Similarly, if a user provides an octal or
   hexadecimal value, the client MAY attempt to convert the input
   string to the traditional dotted-quad IPv4 address notation. Note
   that, under the leading-zero rule above, an octet written as "010"
   normalizes to the decimal value 10, whereas some system address
   parsers read the same string as octal 8; a client which accepts
   octal input therefore has to settle on one interpretation before
   it normalizes, or it will query a different block than the user
   intended.

   An augmented BNF for this syntax is as follows:

      inetIpv4NetworkSyntax = inetIpv4Octet "." inetIpv4Octet "."
         inetIpv4Octet "." inetIpv4Octet "/" inetIpv4Prefix

      inetIpv4Octet = decimal value between "0" and "255"
         inclusive, with the non-significant leading zeroes removed

      inetIpv4Prefix = decimal value between "0" and "32"
         inclusive, with the non-significant leading zeroes removed
         (a prefix of "0" is only valid with the address "0.0.0.0",
         for the entry described below)

   The schema definition for inetIpv4NetworkSyntax is as follows:

      inetIpv4NetworkSyntax
         ( 1.3.6.1.4.1.7161.1.5.0 NAME 'inetIpv4NetworkSyntax' DESC
         'An IPv4 address and prefix.' )

   For example, an IPv4 address block with a range of addresses
   between "10.0.0.0" and "10.0.255.255" inclusive would be written
   as "cn=10.0.0.0/16", while a host address of "192.0.2.14" would be
   written as "cn=192.0.2.14/32".

   Note that the entry name of "cn=0.0.0.0/0" encompasses the entire
   IPv4 address space.

   Note that the use of "/" is illegal as data in URLs, and MUST be
   escaped (as "%2F") before it is stored in a URL as data.
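   A normalizer for the syntax above, as an added Python example that
   is not part of this draft or of any FIRS client. It applies the
   MUSTs of this section (decimal octets with leading zeroes stripped,
   a CIDR prefix, the block's starting address), the MAYs of appending
   "/32" and of converting an explicit "0x" hexadecimal octet, admits
   "/0" only for the "0.0.0.0/0" entry described above, and shows the
   "/" escaping needed when the resulting DN is placed in an LDAP URL.
   The host name passed to ldap_url() is a constructed example.

```python
import re
from urllib.parse import quote

# Added example (not part of the draft or any FIRS implementation): a
# normalizer for the inetIpv4NetworkSyntax of section 3.  It assumes the
# ABNF above, with "/0" accepted only for the all-encompassing 0.0.0.0/0.

# One octet of input: an explicit "0x" hexadecimal form (the conversion the
# section says a client MAY do), or one to three decimal digits.
_OCTET = re.compile(r"^(?:0[xX]([0-9A-Fa-f]{1,2})|([0-9]{1,3}))$")


def normalize_octet(text: str) -> int:
    """Return the integer value of one octet of user input.

    Section 3 says octets are decimal with non-significant leading zeroes
    removed, so "010" is 10 here, not the octal 8 that inet_aton() would
    produce.  Two parsers disagreeing on that point is enough to make a
    client ask a registry about the wrong block, so the rule is applied
    strictly and any other spelling is rejected.
    """
    m = _OCTET.match(text)
    if m is None:
        raise ValueError(f"bad octet {text!r}")
    value = int(m.group(1), 16) if m.group(1) is not None else int(m.group(2), 10)
    if value > 255:
        raise ValueError(f"octet {text!r} exceeds 255")
    return value


def normalize_ipv4_network(text: str) -> str:
    """Return the canonical inetIpv4NetworkSyntax form of user input.

    "192.000.002.014" becomes "192.0.2.14/32" (a bare address means one
    host, so "/32" is appended as section 3 allows).  ValueError is raised
    for anything that cannot be normalized, including a block whose
    address is not the first address of its range, which section 3
    requires.
    """
    text = text.strip()
    if "/" in text:
        addr_part, _, prefix_part = text.partition("/")
        if re.fullmatch(r"[0-9]{1,3}", prefix_part) is None:
            raise ValueError(f"bad prefix {prefix_part!r}")
        prefix = int(prefix_part, 10)          # int() drops leading zeroes
    else:
        addr_part, prefix = text, 32
    parts = addr_part.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected a dotted-quad, got {addr_part!r}")
    octets = [normalize_octet(p) for p in parts]
    if prefix > 32:
        raise ValueError(f"prefix /{prefix} out of range")
    addr = int.from_bytes(bytes(octets), "big")
    host_mask = (1 << (32 - prefix)) - 1       # bits that must be zero
    if addr & host_mask:
        raise ValueError(f"{addr_part} is not the first address of a /{prefix}")
    return ".".join(str(o) for o in octets) + f"/{prefix}"


def is_valid_ipv4_network(text: str) -> bool:
    """True when normalize_ipv4_network() accepts the input."""
    try:
        normalize_ipv4_network(text)
    except ValueError:
        return False
    return True


def ipv4_network_rdn(text: str) -> str:
    """Relative distinguished name of the entry, e.g. "cn=10.0.0.0/16"."""
    return "cn=" + normalize_ipv4_network(text)


def ldap_url(host: str, dn: str) -> str:
    """Place a DN in an LDAP URL, percent-encoding the "/" of the prefix.

    "/" separates the URL's host and DN parts, so inside the DN it becomes
    %2F; "=" and "," are left alone because they are the DN's own
    structure.  The host name is whatever the caller supplies (a
    constructed example in the tests).
    """
    return f"ldap://{host}/" + quote(dn, safe="=,")
```

   Rejecting rather than rounding a non-starting address matters: a
   client that silently turned "192.0.2.1/24" into "192.0.2.0/24" would
   hide a user error, and a server that did the same on stored data
   could create an entry name that no longer denotes the range it was
   meant to.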
4. Object Classes and Attributes

   IPv4 address block entries in FIRS MUST use the inetIpv4Network
   object class, in addition to the mandatory object classes defined
   [unchanged text omitted]
   exists as a referral source, the entry MUST also be defined with
   the referral object class, in addition to the above requirements.

   The inetIpv4Network object class is a structural object class
   which is subordinate to the inetResources object class. The
   inetIpv4Network object class has no mandatory attributes, although
   it does have several optional attributes. The inetIpv4Network
   object class also inherits the attributes defined in the
   inetResources object class, including the "cn" naming attribute.
   The schema definition for the inetIpv4Network object class is as
   follows:

      inetIpv4Network
         ( 1.3.6.1.4.1.7161.1.5.1
           NAME 'inetIpv4Network'
           DESC 'IPv4 network attributes.'
           SUP inetResources
           STRUCTURAL
           MAY ( inetIpv4DelegationStatus $ inetIpv4DelegationDate $
             inetIpv4Registrar $ inetIpv4Registry $ inetIpv4Contacts $
             inetIpv4RoutingContacts ) )

   The attributes from the inetIpv4Network object class are described
   below:
      inetIpv4Contacts
         ( 1.3.6.1.4.1.7161.1.5.2
           NAME 'inetIpv4Contacts'
           DESC 'Contacts for general administrative issues concerning
             this IPv4 address block.'
           EQUALITY caseIgnoreMatch
           SYNTAX 1.3.6.1.4.1.7161.1.7.1 )

      inetIpv4DelegationDate
         ( 1.3.6.1.4.1.7161.1.5.3
           NAME 'inetIpv4DelegationDate'
           DESC 'Date this IPv4 address block was delegated.'
           EQUALITY generalizedTimeMatch
           ORDERING generalizedTimeOrderingMatch
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
           SINGLE-VALUE )

      inetIpv4DelegationStatus
         ( 1.3.6.1.4.1.7161.1.5.4
           NAME 'inetIpv4DelegationStatus'
           DESC 'Delegation status of this IPv4 address block.'
           EQUALITY numericStringMatch
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{2}
           SINGLE-VALUE )

         NOTE: In an effort to facilitate internationalization and
         programmatic processing, the current status of a delegation
         is identified by a small integer, stored as a numeric string
         of at most two digits (the {2} length bound in the syntax
         above). The values and status mapping are as follows:

            0  Reserved delegation (permanently inactive)
            1  Assigned and active (normal state)
            2  Assigned but not yet active (new delegation)
            3  Assigned but on hold (disputed)
            4  Assignment revoked (database purge pending)

         Additional values are reserved for future use, and are to
         be administered by IANA.

         Note that there is no status code for "unassigned";
         unassigned entries SHOULD NOT exist, and SHOULD NOT be
         returned as answers.
      inetIpv4Registrar
         ( 1.3.6.1.4.1.7161.1.5.5
           NAME 'inetIpv4Registrar'
           DESC 'Registrar who delegated this IPv4 address block.'
           EQUALITY caseExactMatch
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

         NOTE: The inetIpv4Registrar attribute uses a URL to
         indicate the registrar who delegated the address block. The
         attribute structure is identical to the labeledURI
         attribute, as defined in [RFC2798], including the URL and
         textual comments. The data can refer to any valid URL.

      inetIpv4Registry
         ( 1.3.6.1.4.1.7161.1.5.6
           NAME 'inetIpv4Registry'
           DESC 'Registry where this IPv4 address block is managed.'
           EQUALITY caseExactMatch
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

         NOTE: The inetIpv4Registry attribute uses a URL to indicate
         the registry which is ultimately responsible for the address
         block. The attribute structure is identical to the
         labeledURI attribute, as defined in [RFC2798], including
         the URL and textual comments. The data can refer to any
         valid URL.

      inetIpv4RoutingContacts
         ( 1.3.6.1.4.1.7161.1.5.7
           NAME 'inetIpv4RoutingContacts'
           DESC 'Contacts for routing-related problems with this IPv4
             address block.'
           EQUALITY caseIgnoreMatch
           SYNTAX 1.3.6.1.4.1.7161.1.7.1 )
   An example of the inetIpv4Network object class is shown in Figure
   1 below. The example includes attributes from the inetIpv4Network,
   inetResources, and inetAssociatedResources object classes.

      cn=192.0.2.0/24,cn=inetResources,dc=arin,dc=net
         [top object class]
         [inetResources object class]
         [inetIpv4Network object class]
         [inetAssociatedResources object class]
         [unchanged text omitted]

      Figure 1: The entry for the 192.0.2.0/24 address block in the
      dc=arin,dc=net partition.
5. Query Processing Rules

   Queries for IPv4 address blocks have several special requirements,
   as discussed in the following sections.

   Refer to [FIRS-CORE] for general information about FIRS queries.

5.1. Query Pre-Processing

   Clients MUST ensure that the query input is normalized according
   to the rules specified in section 3 before the input is used as
   the assertion value in the resulting LDAP query.
   The authoritative partition for an IPv4 address block is
   determined by mapping the normalized input to an associated
   reverse-lookup DNS domain name, and then mapping the resulting DNS
   domain name to a sequence of domainComponent labels.

   The least-significant octet MUST include the subnet prefix in this
   mapping process, except in those cases where the address falls on
   an eight-bit boundary. In those cases where the address block
   specifies a 32-bit host address, the subnet prefix MUST be
   stripped from the input during the mapping process. In those cases
   where the address block specifies a legacy "address class", the
   least-significant octet and subnet prefix MUST both be stripped
   from the input during the mapping process. These steps are
   necessary in order to ensure that the reverse-pointer delegations
   in the public DNS are correctly matched to the authoritative
   partitions (note that these rules only apply to the mapping
   process by which an authoritative partition is constructed, and do
   not apply to the process by which the entry-specific relative
   distinguished name is constructed).

   For example, a host-specific IPv4 address block of "192.0.2.14/32"
   would be mapped to the reverse-lookup DNS domain name of
   "14.2.0.192.in-addr.arpa." which would in turn be mapped to
   "dc=14,dc=2,dc=0,dc=192,dc=in-addr,dc=arpa". Meanwhile, the "Class
   C" block of "192.0.2.0/24" would be mapped to the reverse-lookup
   DNS domain name of "2.0.192.in-addr.arpa." which would in turn be
   mapped to "dc=2,dc=0,dc=192,dc=in-addr,dc=arpa". Finally, a
   classless IPv4 address block of "192.0.2.0/26" (a block which does
   not fall on an eight-bit boundary, so its least-significant octet
   carries the prefix) would be mapped to the reverse-lookup domain
   name of "0/26.2.0.192.in-addr.arpa." which would in turn be mapped
   to the fully-qualified distinguished name of
   "dc=0/26,dc=2,dc=0,dc=192,dc=in-addr,dc=arpa".
5.2. Query Bootstrapping

   FIRS clients MUST use the targeted bootstrap model by default for
   IPv4 address block queries, using the "in-addr.arpa" zone as the
   seed domain for the initial query.

   FIRS clients MAY use the top-down or bottom-up bootstrap models
   for queries if necessary or desirable. However, it is not likely
   that entries will be found for all IPv4 address block resources
   using these models. As such, the targeted bootstrap model will be
   the most useful in most cases, and MUST be used by default.
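   The mapping rules of section 5.1 and the bootstrap choice of
   section 5.2 (the same steps section 5.4 walks through as 5.4.a to
   5.4.d, up to the SRV lookup), as an added Python example that is
   not part of this draft or of any FIRS implementation. It assumes
   input already normalized as section 3 requires. Two points are this
   example's own assumptions, since the draft states neither: the
   classful rule is applied to /8 and /16 the same way as to /24
   (every octet past the prefix is dropped), and the "0.0.0.0/0" block
   maps to the in-addr.arpa zone itself.

```python
import ipaddress
import math
from typing import Dict

# Added example (not part of the draft or any FIRS implementation) of the
# partition mapping in section 5.1 and the bootstrap seed choice in 5.2.


def reverse_zone(block: str) -> str:
    """Map a normalized inetIpv4NetworkSyntax value to its reverse-lookup zone.

    The three cases section 5.1 spells out: a /32 keeps all four octets with
    the prefix stripped; a classful block on an eight-bit boundary drops the
    prefix and the octet(s) past it; any other prefix keeps its last
    significant octet as "octet/prefix" (the RFC 2317 style).  Treating /8
    and /16 like /24, and mapping 0.0.0.0/0 to in-addr.arpa itself, are this
    example's assumptions; the draft does not cover those cases.
    """
    net = ipaddress.IPv4Network(block, strict=True)   # rejects non-start addresses
    octets = str(net.network_address).split(".")
    keep = math.ceil(net.prefixlen / 8)               # octets carrying network bits
    labels = octets[:keep]
    if net.prefixlen % 8:                             # not on an eight-bit boundary
        labels[-1] = f"{labels[-1]}/{net.prefixlen}"
    return ".".join(list(reversed(labels)) + ["in-addr", "arpa"])


def partition_dn(domain: str) -> str:
    """Map a DNS name to the domainComponent RDN sequence of a partition."""
    return ",".join(f"dc={label}" for label in domain.rstrip(".").split("."))


def seed_domain(zone: str, model: str) -> str:
    """Domain the first query is directed at, for each bootstrap model.

    "targeted" (the default in section 5.2) starts at the in-addr.arpa zone;
    "bottom-up" starts at the block's own reverse-lookup name and walks up;
    "top-down" starts at "arpa" and walks down.
    """
    if model == "targeted":
        return "in-addr.arpa"
    if model == "bottom-up":
        return zone
    if model == "top-down":
        return "arpa"
    raise ValueError(f"unknown bootstrap model {model!r}")


def plan_query(block: str, model: str = "targeted") -> Dict[str, str]:
    """Names a client needs before it opens a connection (steps 5.4.a-d).

    Returns the reverse-lookup zone, the partition DN, the search base and
    the owner name of the SRV records to look up next.
    """
    zone = reverse_zone(block)
    seed = seed_domain(zone, model)
    partition = partition_dn(seed)
    return {
        "zone": zone,
        "partition": partition,
        "search_base": "cn=inetResources," + partition,
        "srv_name": f"_ldap._tcp.{seed}.",
    }
```

   For "192.0.2.14/32" with the default model, plan_query() yields the
   zone "14.2.0.192.in-addr.arpa", the partition "dc=in-addr,dc=arpa",
   the search base "cn=inetResources,dc=in-addr,dc=arpa" and the SRV
   owner name "_ldap._tcp.in-addr.arpa."; the bottom-up model instead
   starts the SRV lookup at "_ldap._tcp.14.2.0.192.in-addr.arpa.".
   Because strict=True is used, a value such as "192.0.2.1/24" raises
   rather than being rounded down to a block start the user did not
   type.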
5.3. LDAP Matching

   If the server advertises the inetIpv4Network object class in the
   firsVersion server control, FIRS clients MUST use the
   inetIpv4NetworkMatch extensible matching filter in LDAP searches
   for IPv4 network entries.

   The inetIpv4NetworkMatch filter provides an identifier and search
   string format which collectively inform a queried server that a
   specific IPv4 address block should be searched for, and that any
   matching inetIpv4Network object class entries should be returned.

   The inetIpv4NetworkMatch extensibleMatch filter is defined as
   follows:

      inetIpv4NetworkMatch
         ( 1.3.6.1.4.1.7161.1.0.5 NAME 'inetIpv4NetworkMatch' SYNTAX
         inetIpv4NetworkSyntax )

   The assertion value MUST be a normalized IPv4 address block, using
   the inetIpv4NetworkSyntax defined in section 3.

   A FIRS server MUST compare the assertion value against the RDN of
   all entries in the inetResources container of the partition
   specified in the search base which have an object class of
   inetIpv4Network. Any entry with an object class of inetIpv4Network
   and with a relative distinguished name which clearly encompasses
   the IPv4 address block provided in the assertion value MUST be
   returned. Entries which do not clearly encompass the queried block
   MUST NOT be returned. Entries which do not have an object class of
   inetIpv4Network MUST NOT be returned.

   In order to ensure that all of the relevant entries are found
   (including any referrals), the search filters for these resources
   MUST specify the inetIpv4Network object class along with the
   search criteria. For example, the filter

      (&(objectClass=inetIpv4Network)
        (:1.3.6.1.4.1.7161.1.0.5:=192.0.2.0/24))

   with a search base of "cn=inetResources,dc=arin,dc=net" would find
   the inetIpv4Network entry for "192.0.2.0/24", if one exists, and
   all of the inetIpv4Network entries superior to it in the
   "dc=arin,dc=net" partition. The matching rule is named by the OID
   assigned to inetIpv4NetworkMatch above; since no attribute
   description precedes it, the rule identifier is introduced by a
   ":" as the extensibleMatch syntax of RFC 2254 requires.

   Note that the entry name of "cn=0.0.0.0/0" encompasses the entire
   IPv4 address space. When used in conjunction with referrals, this
   entry MAY be used to redirect all inetIpv4NetworkMatch queries to
   another partition for subsequent processing.

   The matching filters defined in this specification MUST be
   supported by FIRS clients and servers. FIRS servers MAY support
   additional sub-string filters, soundex filters, or any other
   filters they wish (these may be required to support generic LDAP
   clients), although FIRS clients MUST NOT expect any additional
   filters to be available.

   If the server does not advertise support for the inetIpv4Network
   object class in the firsVersion server control, the client MAY
   choose to emulate this matching process through the use of
   locally-constructed filters. Since the inetIpv4NetworkMatch filter
   simply locates all of the entries in the delegation path to the
   named network, it is possible that a client could emulate this
   query by generating distinct queries for any entries associated
   with the parent networks.

   For example, if the user asked for information about the
   "192.0.2.14/32" network resource but the server does not advertise
   support for the inetIpv4Network object class, the client could
   theoretically issue secondary queries for inetIpv4Network entries
   with cn attributes that begin with "192.0.2" or "192.0".
   Unfortunately, this kind of matching is not guaranteed to work in
   most situations, and clients also need to be careful not to issue
   overly-broad queries that match every entry. As such, if the
   server advertises support for the inetIpv4Network object class in
   the firsVersion control, then the client MUST use the
   inetIpv4NetworkMatch filter defined above.
5.4. Example Query 5.4. Example Query
The following example assumes that the user has specified The following example assumes that the user has specified
"192.0.2.14/32" as the query value: "192.0.2.14/32" as the query value:
a. Normalize the input, which is "192.0.2.14/32" in this case. a. Normalize the input, which is "192.0.2.14/32" in this case.
b. Determine the authoritative partition. b. Determine the canonical authoritative partition.
1. Map the input sequence to the reverse-lookup domain 1. Map the input sequence to the reverse-lookup domain
name, which is "14.2.0.192.in-addr.arpa" in this case. name, which is "14.2.0.192.in-addr.arpa" in this case.
2. Map the domain name to an authoritative partition, 2. Determine the initial domain name which is appropriate
which is "dc=14,dc=2,dc=0,dc=192,dc=in-addr,dc=arpa" for the bootstrap model in use. In the default case of
in this case. By default, queries for IPv4 address a targeted query, use "in-addr.arpa". In the case of a
blocks use the top-down model, meaning that the right- bottom-up query, use the label sequence determined in
most relative distinguished name of "dc=arpa" will be
used as the authoritative partition.
step 5.4.b.1. In the case of a top-down query, set the
domain name to "arpa".
3. Map the domain name to an authoritative partition,
which would be "dc=in-addr,dc=arpa" if the default
bootstrap model were in use.
c. Determine the search base for the query, which will be c. Determine the search base for the query, which will be
"cn=inetResources,dc=arpa" if the defaults are used. "cn=inetResources,dc=arpa" if the defaults are used.
d. Initiate a DNS lookup for the SRV resource records d. Initiate a DNS lookup for the SRV resource records
associated with "_ldap._tcp.arpa." For the purpose of this associated with "_ldap._tcp.in-addr.arpa." For the purpose
example, assume that this lookup succeeds, with the DNS of this example, assume that this lookup succeeds, with the
response message indicating that "firs.iana.org" is the DNS response message indicating that "firs.iana.org" is the
preferred LDAP server. preferred LDAP server.
e. Submit an LDAPv3 query to the specified server, using e. Submit an LDAPv3 query to the specified server, using
"(&(objectClass=inetIpv4Network) "(&(objectClass=inetIpv4Network)
(1.3.6.1.4.1.7161.1.2.8:=192.0.2.14/32))" as the matching (1.3.6.1.4.1.7161.1.5.8:=192.0.2.14/32))" as the matching
filter, "cn=inetResources,dc=arpa" as the search base, and filter, "cn=inetResources,dc=in-addr,dc=arpa" as the search
the global query defaults defined in [FIRS-CORE]. base, and the global query defaults defined in [FIRS-CORE].
f. Assume that the queried server returns a continuation f. Assume that the queried server returns a continuation
reference referral which points to reference referral which points to
"ldap:///cn=inetResources,dc=arin,dc=net". The "ldap:///cn=inetResources,dc=arin,dc=net". The
distinguished name element of distinguished name element of
"cn=inetResources,dc=arin,dc=net" will be used as the new "cn=inetResources,dc=arin,dc=net" will be used as the new
search base, while "dc=arin,dc=net" will be used as the new search base, while "dc=arin,dc=net" will be used as the new
authoritative partition. authoritative partition.
g. Initiate a DNS lookup for the SRV resource records g. Initiate a DNS lookup for the SRV resource records
associated with "_ldap._tcp.arin.net." For the purpose of associated with "_ldap._tcp.arin.net." For the purpose of
this example, assume that this lookup succeeds, with the this example, assume that this lookup succeeds, with the
DNS response message indicating that "firs.arin.net" is the DNS response message indicating that "firs.arin.net" is the
preferred LDAP server. preferred LDAP server.
h. Submit an LDAPv3 query to the specified server, using h. Submit an LDAPv3 query to the specified server, using
"(&(objectClass=inetIpv4Network) "(&(objectClass=inetIpv4Network)
(1.3.6.1.4.1.7161.1.2.8:=192.0.2.14/32))" as the matching (1.3.6.1.4.1.7161.1.5.8:=192.0.2.14/32))" as the matching
filter, "cn=inetResources,dc=arin,dc=net" as the search filter, "cn=inetResources,dc=arin,dc=net" as the search
base, and the global query defaults defined in [FIRS-CORE]. base, and the global query defaults defined in [FIRS-CORE].
i. Assume that no other referrals are received. Display the i. Assume that no other referrals are received. Display the
answer data which has been received and exit the query. answer data which has been received and exit the query.
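To make the query procedure above concrete, here is an added Python example (not code from the draft or any FIRS implementation) that carries steps a through g for "192.0.2.14/32": it normalizes the input, derives the reverse-lookup name, the bootstrap zone, the dc= partition, the search base, the SRV owner name and the matching filter, and then derives the next search base and partition from a continuation reference such as the one in step f. It assumes the -02 default of the targeted bootstrap model, the inetIpv4NetworkMatch OID as quoted in step e, RFC 2254 escaping of the assertion value, and an assumed cap on referral hops; it also generalizes to the top-down and bottom-up models of step b.2, and beyond the /32 case to shorter prefixes.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit
# Assumed values: the OID is the inetIpv4NetworkMatch rule quoted in step e of the -02
# text; the bootstrap zones follow step b.2; MAX_REFERRALS is this example's own guard.
FIRS_IPV4_MATCH_OID = "1.3.6.1.4.1.7161.1.5.8"
BOOTSTRAP_ZONES = {"targeted": "in-addr.arpa", "top-down": "arpa"}
MAX_REFERRALS = 10

def normalize(text):
    """Canonical 'a.b.c.d/len' form. A bare address means /32; host bits set are
    rejected rather than silently masked (assumption; the draft's rules are in 5.1)."""
    net = ipaddress.IPv4Network(text.strip(), strict=True)
    return f"{net.network_address}/{net.prefixlen}"

def reverse_name(cidr):
    """Reverse-lookup name, keeping the octets covered by the prefix length
    (assumption for prefixes shorter than /32; the draft only shows a /32)."""
    net = ipaddress.IPv4Network(cidr)
    octets = str(net.network_address).split(".")[: max(1, (net.prefixlen + 7) // 8)]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def partition_dn(domain):
    """RFC 2247 mapping of a domain name to a dc= distinguished name."""
    return ",".join("dc=" + label for label in domain.rstrip(".").split("."))

def escape_filter_value(value):
    """RFC 2254 escaping of an assertion value, so user input cannot alter the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def plan_query(text, model="targeted"):
    """Steps 5.4.a to 5.4.e: what to resolve, where to search, which filter to send."""
    cidr = normalize(text)
    rev = reverse_name(cidr)
    domain = rev if model == "bottom-up" else BOOTSTRAP_ZONES[model]
    partition = partition_dn(domain)
    return {"cidr": cidr, "reverse": rev, "partition": partition,
            "search_base": "cn=inetResources," + partition,
            "srv": "_ldap._tcp." + domain + ".",
            "filter": "(&(objectClass=inetIpv4Network)(%s:=%s))"
                      % (FIRS_IPV4_MATCH_OID, escape_filter_value(cidr))}

def follow_referral(url, hops):
    """Steps 5.4.f and 5.4.g: next search base, partition and SRV owner name from a
    continuation reference, bounding how many hops a client will chase."""
    if hops >= MAX_REFERRALS:
        raise RuntimeError("referral chain too long")
    dn = unquote(urlsplit(url).path.lstrip("/"))
    dc = [part for part in dn.split(",") if part.lower().startswith("dc=")]
    return dn, ",".join(dc), "_ldap._tcp." + ".".join(p[3:] for p in dc) + "."
```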
6. Security Considerations 6. Security Considerations
Security considerations are discussed in [FIRS-ARCH]. Security considerations are discussed in [FIRS-ARCH].
7. IANA Considerations 7. IANA Considerations
This specification uses the "dc=arpa" directory partition by This specification uses the "dc=in-addr,dc=arpa" directory
default, with the expectation that FIRS-capable LDAP servers will partition by default. It is expected that authoritative LDAP
be established, with this partition containing IPv4-specific partitions will be mapped to that zone, and that FIRS-capable LDAP
entries which will provide referrals to the appropriate servers will be established to service this partition, with this
registrar's partitions. It is further expected that IANA will partition containing IPv4-specific entries which will provide
oversee the creation and management of the ARPA domain's LDAP SRV referrals to the appropriate RIR partitions. It is further
resource records, the "dc=arpa" LDAP partition, and the necessary expected that IANA will oversee the creation and management of the
LDAP servers. in-addr.arpa domain's LDAP SRV resource records, the
"dc=in-addr,dc=arpa" LDAP partition, and the necessary LDAP
servers.
The inetIpv4DelegationStatus attribute uses numeric code values. The inetIpv4DelegationStatus attribute uses numeric code values.
It is expected that IANA will manage the assignment of these It is expected that IANA will manage the assignment of these
values. values.
Additional IANA considerations are discussed in [FIRS-ARCH]. Additional IANA considerations are discussed in [FIRS-ARCH].
8. Normative References
8. Author's Addresses
Eric A. Hall
ehall@ehsco.com
9. Normative References
[RFC2247] Kille, S., Wahl, M., Grimstad, A., Huber, R., [RFC2247] Kille, S., Wahl, M., Grimstad, A., Huber, R.,
and Sataluri, S. "Using Domains in LDAP/X.500 and Sataluri, S. "Using Domains in LDAP/X.500
DNs", RFC 2247, January 1998. DNs", RFC 2247, January 1998.
[RFC2251] Wahl, M., Howes, T., and Kille, S. [RFC2251] Wahl, M., Howes, T., and Kille, S.
"Lightweight Directory Access Protocol (v3)", "Lightweight Directory Access Protocol (v3)",
RFC 2251, December 1997. RFC 2251, December 1997.
[RFC2252] Wahl, M., Coulbeck, A., Howes, T., and Kille, [RFC2252] Wahl, M., Coulbeck, A., Howes, T., and Kille,
S. "Lightweight Directory Access Protocol S. "Lightweight Directory Access Protocol
(v3): Attribute Syntax Definitions", RFC 2252, (v3): Attribute Syntax Definitions", RFC 2252,
December 1997. December 1997.
[RFC2254] Howes, T. "The String Representation of LDAP [RFC2254] Howes, T. "The String Representation of LDAP
Search Filters", RFC 2254, December 1997. Search Filters", RFC 2254, December 1997.
[FIRS-ARCH] Hall, E. "The Federated Internet Registry [FIRS-ARCH] Hall, E. "The Federated Internet Registry
Service: Architecture and Implementation Service: Architecture and Implementation
Guide", draft-ietf-crisp-firs-arch-01, May Guide", draft-ietf-crisp-firs-arch-02, July
2003. 2003.
[FIRS-ASN] Hall, E. "Defining and Locating Autonomous [FIRS-ASN] Hall, E. "Defining and Locating Autonomous
System Numbers in the Federated Internet System Numbers in the Federated Internet
Registry Service", draft-ietf-crisp-firs-asn- Registry Service", draft-ietf-crisp-firs-asn-
01, May 2003. 02, July 2003.
[FIRS-CONTCT] Hall, E. "Defining and Locating Contact [FIRS-CONTCT] Hall, E. "Defining and Locating Contact
Persons in the Federated Internet Registry Persons in the Federated Internet Registry
Service", draft-ietf-crisp-firs-contact-01, Service", draft-ietf-crisp-firs-contact-02,
May 2003. July 2003.
[FIRS-CORE] Hall, E. "The Federated Internet Registry [FIRS-CORE] Hall, E. "The Federated Internet Registry
Service: Core Elements", draft-ietf-crisp- Service: Core Elements", draft-ietf-crisp-
firs-core-01, May 2003. firs-core-02, July 2003.
[FIRS-DNS] Hall, E. "Defining and Locating DNS Domains in [FIRS-DNS] Hall, E. "Defining and Locating DNS Domains in
the Federated Internet Registry Service", the Federated Internet Registry Service",
draft-ietf-crisp-firs-dns-01, May 2003. draft-ietf-crisp-firs-dns-02, July 2003.
[FIRS-DNSRR] Hall, E. "Defining and Locating DNS Resource [FIRS-DNSRR] Hall, E. "Defining and Locating DNS Resource
Records in the Federated Internet Registry Records in the Federated Internet Registry
Service", draft-ietf-crisp-firs-dnsrr-01, May Service", draft-ietf-crisp-firs-dnsrr-02, July
2003. 2003.
[FIRS-IPV4] Hall, E. "Defining and Locating IPv4 Address [FIRS-IPV4] Hall, E. "Defining and Locating IPv4 Address
Blocks in the Federated Internet Registry Blocks in the Federated Internet Registry
Service", draft-ietf-crisp-firs-ipv4-01, May Service", draft-ietf-crisp-firs-ipv4-02, July
2003. 2003.
[FIRS-IPV6] Hall, E. "Defining and Locating IPv6 Address [FIRS-IPV6] Hall, E. "Defining and Locating IPv6 Address
Blocks in the Federated Internet Registry Blocks in the Federated Internet Registry
Service", draft-ietf-crisp-firs-ipv6-01, May Service", draft-ietf-crisp-firs-ipv6-02, July
2003. 2003.
10. Acknowledgments 9. Changes from Previous Versions
Funding for the RFC editor function is currently provided by the
Internet Society.
Portions of this document were funded by Verisign Labs. draft-ietf-crisp-firs-ipv4-02:
The first version of this specification was co-authored by Andrew * Several clarifications and corrections have been made.
Newton of Verisign Labs, and subsequent versions continue to be
developed with his active participation.
11. Changes from Previous Versions * Changed the default bootstrap model to use targeted
queries, with "in-addr.arpa" as the default zone and
"dc=in-addr,dc=arpa" as the default partition.
draft-ietf-crisp-firs-ipv4-01: draft-ietf-crisp-firs-ipv4-01:
* Several clarifications and corrections have been made. * Several clarifications and corrections have been made.
draft-ietf-crisp-firs-ipv4-00: draft-ietf-crisp-firs-ipv4-00:
* Restructured the document set. * Restructured the document set.
* "Attribute references" have been eliminated from the * "Attribute references" have been eliminated from the
specification. All referential attributes now provide specification. All referential attributes now provide
actual data instead of URL pointers to data. Clients that actual data instead of URL pointers to data. Clients that
wish to retrieve these values will need to start new wish to retrieve these values will need to start new
queries using the data values instead of URLs. queries using the data values instead of URLs.
* The attribute-specific operational attributes have been * The attribute-specific operational attributes have been
eliminated as unnecessary. eliminated as unnecessary.
* The inetIpv4Registrar and inetIpv4Registry attributes were * The inetIpv4Registrar and inetIpv4Registry attributes were
added. added.
* Several attributes had their OIDs changed. NOTE THAT THIS * Several attributes had their OIDs changed. NOTE THAT THIS
IS AN INTERNET DRAFT, AND THAT THE OIDS ARE SUBJECT TO IS AN INTERNET DRAFT, AND THAT THE OIDS ARE SUBJECT TO
ADDITIONAL CHANGES AS THIS DOCUMENT IS EDITED. ADDITIONAL CHANGES AS THIS DOCUMENT IS EDITED.
* Several typographical errors have been fixed. * Several typographical errors have been fixed.
* Some unnecessary text has been removed. * Some unnecessary text has been removed.
10. Author's Address
Eric A. Hall
ehall@ehsco.com
11. Acknowledgments
Funding for the RFC editor function is currently provided by the
Internet Society.
Portions of this document were funded by VeriSign Labs.
The first version of this specification was co-authored by Andrew
Newton of VeriSign Labs, and subsequent versions continue to be
developed with his active participation. Edward Lewis also
contributed significant feedback to this specification in the
later stages of its development.
12. Full Copyright Statement 12. Full Copyright Statement
Copyright (C) The Internet Society (2003). All Rights Reserved. Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished This document and translations of it may be copied and furnished
to others, and derivative works that comment on or otherwise to others, and derivative works that comment on or otherwise
explain it or assist in its implementation may be prepared, explain it or assist in its implementation may be prepared,
copied, published and distributed, in whole or in part, without copied, published and distributed, in whole or in part, without
restriction of any kind, provided that the above copyright notice restriction of any kind, provided that the above copyright notice
and this paragraph are included on all such copies and derivative and this paragraph are included on all such copies and derivative
The limited permissions granted above are perpetual and will not The limited permissions granted above are perpetual and will not
be revoked by the Internet Society or its successors or assigns. be revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on This document and the information contained herein is provided on
an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.