draft-ietf-crisp-firs-ipv4-02.txt  vs.  draft-ietf-crisp-firs-ipv4-03.txt

INTERNET-DRAFT                                            Eric A. Hall
Document: draft-ietf-crisp-firs-ipv4-02.txt                  July 2003
       -> draft-ietf-crisp-firs-ipv4-03.txt                August 2003
Expires:  February, 2004 (-02) / March, 2004 (-03)
Category: Experimental

             Defining and Locating IPv4 Address Blocks
            in the Federated Internet Registry Service

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC 2026.

   [...]
   This document defines LDAP schema and searching rules for IPv4
   address blocks, in support of the Federated Internet Registry
   Service (FIRS) described in [FIRS-ARCH] and [FIRS-CORE].

Table of Contents

   1.  Introduction
   2.  Prerequisites and Terminology
   3.  Naming Syntax
   4.  Object Classes and Attributes
   5.  Query Processing Rules
       5.1.  Query Pre-Processing
       5.2.  Query Bootstrapping      [-02 only; folded into 5.1 in -03]
       5.3.  LDAP Matching            [numbered 5.2 in -03]
       5.4.  Example Query            [numbered 5.3 in -03]
   6.  Security Considerations
   7.  IANA Considerations
   8.  Normative References
   9.  Changes from Previous Versions
   10. Author's Address
   11. Acknowledgments
   12. Full Copyright Statement
1. Introduction

   This specification defines the naming syntax, object classes,
   attributes, matching filters, and query processing rules for
   storing and locating IPv4 address blocks in the FIRS service.

   Refer to [FIRS-ARCH] for information on the FIRS architecture and
   [FIRS-CORE] for the schema definitions and rules which govern the
   FIRS service as a whole.

   [...]
2. Prerequisites and Terminology

   The complete set of specifications in the FIRS collection
   cumulatively defines a structured and distributed information
   service using LDAPv3 for the data-formatting and transport
   functions. This specification should be read in the context of
   that set, which currently includes [FIRS-ARCH], [FIRS-CORE],
   [FIRS-DNS], [FIRS-DNSRR], [FIRS-CONTCT], [FIRS-ASN] and
   [FIRS-IPV6].

Hall      I-D Expires: February 2004 (-02) / March 2004 (-03)  [page 2]
   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
   NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL"
   in this document are to be interpreted as described in RFC 2119.

3. Naming Syntax

   The naming syntax for IPv4 address blocks in FIRS MUST follow the
   form of "cn=<inetIpv4NetworkSyntax>,cn=inetResources,<partition>",
   where <inetIpv4NetworkSyntax> is the IPv4 address block resource,
   and where <partition> is a sequence of domainComponent relative

   [...]
   The inetIpv4NetworkSyntax rules use the traditional "dotted-quad"
   notation, where each of four sub-components provides a decimal
   value that represents one octet from a 32-bit IPv4 address, with
   the sub-components being separated by a full-stop (period)
   character, and with the four-part sequence being followed by a "/"
   character and a decimal "prefix" value.

   Entries which use the inetIpv4NetworkSyntax MUST use the starting
   address from a range of inclusive addresses, and MUST use CIDR
   prefix notation. In this manner, it is possible to create an
   inetIpv4Network entry for a range of addresses of any size,
   including a single host address or the entire IPv4 address space.
   [-02 ended this sentence with "of any size (including a single
   host)."]

   The leading zeroes from each octet MUST be removed before the
   value is stored or used in a query. Octets which have a value of
   zero MUST be represented by the single-digit value of "0".

   If an input string does not match this syntax, a FIRS-aware
   application MAY attempt to manipulate the input string to form a
   valid value. For example, if a user enters a traditional IPv4
   address without specifying a prefix value, the application MAY
   append "/32" to the end of the input string to form a valid
   assertion value. Similarly, if a user provides an octal or
   hexadecimal value, the client MAY attempt to convert the input
   string to the traditional dotted-quad IPv4 address notation.

   An augmented BNF for this syntax is as follows:

      inetIpv4NetworkSyntax = inetIpv4Octet "." inetIpv4Octet "."
         inetIpv4Octet "." inetIpv4Octet "/" inetIpv4Prefix

      inetIpv4Octet = decimal value between "0" and "255"
         inclusive, with the non-significant leading zeroes removed

      inetIpv4Prefix = decimal value between "1" and "32"
         inclusive, with the non-significant leading zeroes removed

   The schema definition for inetIpv4NetworkSyntax is as follows:

      inetIpv4NetworkSyntax
         ( 1.3.6.1.4.1.7161.1.5.0
            NAME 'inetIpv4NetworkSyntax'
            DESC 'An IPv4 address and prefix.' )

   For example, an IPv4 address block with a range of addresses
   between "10.0.0.0" and "10.0.255.255" inclusive would be written
   as "cn=10.0.0.0/16", while a host address of "192.0.2.14" would be
   written as "cn=192.0.2.14/32".

   Note that the entry name of "cn=0.0.0.0/0" encompasses the entire
   IPv4 address space.

   Note that the use of "/" is illegal as data in URLs, and MUST be
   escaped before it is stored in a URL as data.
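   As an added example (not part of either draft), the following
   Python applies the section 3 client-side rules: it canonicalizes
   user input into inetIpv4NetworkSyntax and produces the URL-safe
   form. Assumptions of this example: the prefix range is taken as
   0..32 so that the "cn=0.0.0.0/0" name used elsewhere in the
   document is accepted; only explicit "0x" octets are treated as
   hexadecimal (implicit octal is not honoured); and an address with
   host bits set below the prefix is rejected by default rather than
   silently rewritten.

```python
import re
from urllib.parse import quote

# Strict dotted-quad with an optional "/prefix". Each octet is 1..3
# decimal digits or an explicit 0x hexadecimal value (section 3 says a
# client MAY convert hex/octal input; implicit octal is NOT honoured
# here, so "010" is decimal ten, which is what the "leading zeroes MUST
# be removed" rule implies). [0-9] is used instead of \d so that
# non-ASCII digits are not accepted.
_OCTET = r"(0[xX][0-9a-fA-F]{1,2}|[0-9]{1,3})"
_SYNTAX = re.compile("^" + r"\.".join([_OCTET] * 4) + r"(?:/([0-9]{1,2}))?$")


def _octet_value(token: str) -> int:
    """Decode one octet token into 0..255 or raise ValueError."""
    base = 16 if token.lower().startswith("0x") else 10
    value = int(token, base)
    if not 0 <= value <= 255:
        raise ValueError(f"octet out of range: {token!r}")
    return value


def normalize_ipv4_network(text: str, *, strict: bool = True) -> str:
    """Return the inetIpv4NetworkSyntax form of a user-supplied string.

    - a missing prefix becomes "/32" (host address), as section 3 allows;
    - leading zeroes are stripped and zero octets become "0";
    - host bits below the prefix are an error when strict, otherwise the
      address is masked down to the block's starting address (the draft
      requires the starting address of the range to be used).
    """
    m = _SYNTAX.match(text.strip())
    if not m:
        raise ValueError(f"not an IPv4 address block: {text!r}")
    octets = [_octet_value(t) for t in m.groups()[:4]]
    prefix = 32 if m.group(5) is None else int(m.group(5))
    if not 0 <= prefix <= 32:  # assumption: /0 accepted (see lead-in)
        raise ValueError(f"prefix out of range: /{prefix}")
    addr = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    if addr & ~mask & 0xFFFFFFFF:
        if strict:
            raise ValueError(f"{text!r} is not the starting address of its /{prefix}")
        addr &= mask
    dotted = ".".join(str((addr >> s) & 0xFF) for s in (24, 16, 8, 0))
    return f"{dotted}/{prefix}"


def is_valid_ipv4_network(text: str) -> bool:
    """True when `text` can be normalized under the strict rules above."""
    try:
        normalize_ipv4_network(text)
    except ValueError:
        return False
    return True


def as_url_data(network: str) -> str:
    """Escape a normalized value for use as data inside a URL ("/" -> "%2F")."""
    return quote(network, safe="")


if __name__ == "__main__":
    for sample in ("192.000.002.014", "010.0.0.0/8", "0xC0.0.2.0/24"):
        print(sample, "->", normalize_ipv4_network(sample))
    print(as_url_data("192.0.2.0/24"))
```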
4. Object Classes and Attributes

   IPv4 address block entries in FIRS MUST use the inetIpv4Network
   object class, in addition to the mandatory object classes defined
   in [FIRS-CORE]. IPv4 address block entries MUST be treated as
   containers capable of holding subordinate entries.

   [-02]
   If an entry exists as a referral source, the entry MUST also be
   defined with the referral object class, in addition to the above
   requirements.

   [-03]
   If an entry exists as a referral source, the entry MUST be defined
   with the referral object class, in addition to the other object
   classes defined above. Referral sources MUST NOT contain
   subordinate entries. Refer to section 3.5 of [FIRS-CORE] for more
   information on referral entries in FIRS.

   The inetIpv4Network object class is a structural object class
   which is subordinate to the inetResources object class. The
   inetIpv4Network object class has no mandatory attributes, although
   it does have several optional attributes. The inetIpv4Network
   object class also inherits the attributes defined in the
   inetResources object class, including the "cn" naming attribute.

   The schema definition for the inetIpv4Network object class is as
   follows:

      inetIpv4Network
         ( 1.3.6.1.4.1.7161.1.5.1
            NAME 'inetIpv4Network'
            DESC 'IPv4 network attributes.'
            SUP inetResources
            STRUCTURAL
            MAY ( inetIpv4DelegationStatus $ inetIpv4DelegationDate $
               inetIpv4Registrar $ inetIpv4Registry $ inetIpv4Contacts $
               inetIpv4RoutingContacts $ inetIpv4ParentNetworks $
               inetIpv4SiblingNetworks $ inetIpv4ChildNetworks ) )

   [-02 listed six optional attributes, without inetIpv4ParentNetworks,
   inetIpv4SiblingNetworks and inetIpv4ChildNetworks, which -03 adds.]
   The attributes from the inetIpv4Network object class are described
   below. Where -02 and -03 differ, the -03 definition is shown and
   the -02 value follows in brackets.

      inetIpv4Contacts
         ( 1.3.6.1.4.1.7161.1.5.2
            NAME 'inetIpv4Contacts'
            DESC 'Contacts for general administrative issues concerning
               this address block.'
            EQUALITY caseIgnoreMatch
            SYNTAX 1.3.6.1.4.1.7161.1.4.0 )
         [-02: DESC '... concerning this IPv4 address block.';
          SYNTAX 1.3.6.1.4.1.7161.1.7.1]

      inetIpv4DelegationDate
         ( 1.3.6.1.4.1.7161.1.5.3
            NAME 'inetIpv4DelegationDate'
            DESC 'Date this address block was delegated.'
            EQUALITY generalizedTimeMatch
            ORDERING generalizedTimeOrderingMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
            SINGLE-VALUE )
         [-02: DESC 'Date this IPv4 address block was delegated.']

      inetIpv4DelegationStatus
         ( 1.3.6.1.4.1.7161.1.5.4
            NAME 'inetIpv4DelegationStatus'
            DESC 'Delegation status of this address block.'
            EQUALITY numericStringMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{2}
            SINGLE-VALUE )
         [-02: DESC 'Delegation status of this IPv4 address block.']

         NOTE: In an effort to facilitate internationalization and
         programmatic processing, the current status of a delegation
         is identified by a 16-bit integer. The values and status
         mapping is as follows:

            0  Reserved delegation (permanently inactive)
            1  Assigned and active (normal state)
            2  Assigned but not yet active (new delegation)
            3  Assigned but on hold (disputed)
            4  Assignment revoked (database purge pending)

         Additional values are reserved for future use, and are to
         be administered by IANA.

         Note that there is no status code for "unassigned";
         unassigned entries SHOULD NOT exist, and SHOULD NOT be
         returned as answers.

      inetIpv4Registrar
         ( 1.3.6.1.4.1.7161.1.5.5
            NAME 'inetIpv4Registrar'
            DESC 'Registrar or sub-registry who delegated this address
               block.'
            EQUALITY caseExactMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
         [-02: DESC 'Registrar who delegated this IPv4 address block.']

         NOTE: The inetIpv4Registrar attribute uses a URL to
         indicate the registrar who delegated the address block. The
         attribute structure is identical to the labeledURI
         attribute, as defined in [RFC2798], including the URL and
         textual comments. The data can refer to any valid URL.

      inetIpv4Registry
         ( 1.3.6.1.4.1.7161.1.5.6
            NAME 'inetIpv4Registry'
            DESC 'Regional registry where this address block is
               managed.'
            EQUALITY caseExactMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
         [-02: DESC 'Registry where this IPv4 address block is
          managed.']

         NOTE: The inetIpv4Registry attribute uses a URL to indicate
         the registry that is ultimately responsible for the address
         block. The attribute structure is identical to the
         labeledURI attribute, as defined in [RFC2798], including
         the URL and textual comments. The data can refer to any
         valid URL.

      inetIpv4ParentNetworks                                [-03 only]
         ( 1.3.6.1.4.1.7161.1.5.7
            NAME 'inetIpv4ParentNetworks'
            DESC 'IPv4 parent networks directly associated with this
               address block.'
            EQUALITY caseIgnoreMatch
            SYNTAX 1.3.6.1.4.1.7161.1.5.0 )

      inetIpv4SiblingNetworks                               [-03 only]
         ( 1.3.6.1.4.1.7161.1.5.8
            NAME 'inetIpv4SiblingNetworks'
            DESC 'IPv4 sibling networks directly associated with this
               address block.'
            EQUALITY caseIgnoreMatch
            SYNTAX 1.3.6.1.4.1.7161.1.5.0 )

      inetIpv4ChildNetworks                                 [-03 only]
         ( 1.3.6.1.4.1.7161.1.5.9
            NAME 'inetIpv4ChildNetworks'
            DESC 'IPv4 child networks directly associated with this
               address block.'
            EQUALITY caseIgnoreMatch
            SYNTAX 1.3.6.1.4.1.7161.1.5.0 )

      inetIpv4RoutingContacts
         ( 1.3.6.1.4.1.7161.1.5.10
            NAME 'inetIpv4RoutingContacts'
            DESC 'Contacts for routing-related problems with this
               address block.'
            EQUALITY caseIgnoreMatch
            SYNTAX 1.3.6.1.4.1.7161.1.4.0 )
         [-02: OID 1.3.6.1.4.1.7161.1.5.7; DESC '... with this IPv4
          address block.'; SYNTAX 1.3.6.1.4.1.7161.1.7.1]
   [-02]
   An example of the inetIpv4Network object class is shown in Figure
   1 below. The example includes attributes from the inetIpv4Network,
   inetResources, and inetAssociatedResources object classes.

   [-03]
   Two examples of the inetIpv4Network object class are shown in
   Figure 1 below. The examples also include attributes from the
   inetResources, inetAssociatedResources, and referral object
   classes.

      cn=192.0.2.0/24,cn=inetResources,dc=in-addr,dc=arpa
         [top object class]
         [inetResources object class]
         [inetIpv4Network object class]
         [inetAssociatedResources object class]
         |
         +-attribute: description
         |  value: "Example Hosting's IPv4 address block"
         |
         +-attribute: inetIpv4Contacts
         |  value: "hostmaster@example.com"
         |
         +-attribute: inetAssociatedAsNumbers
         |  value: "65535"
         |
         +-attribute: inetIpv4Registry
         |  value: "http://www.arin.net/ (ARIN)"
         |
         +-cn=ref1,cn=192.0.2.0/24,cn=inetResources,dc=in-addr,dc=arpa
              [top object class]
              [inetResources object class]
              [inetIpv4Network object class]
              [referral object class]
              |
              +-attribute: ref
                 value: "ldap:///dc=arin,dc=net???
                         (1.3.6.1.4.1.7161.1.5.0.1:=192.0.2.0%2F24)"

      Figure 1: The entry for the 192.0.2.0/24 address block in the
      dc=in-addr,dc=arpa partition, and a child referral entry.

   [In -02, Figure 1 showed the same entry under
   "cn=192.0.2.0/24,cn=inetResources,dc=arin,dc=net", with an
   inetIpv4Registrar attribute in place of inetIpv4Registry and no
   child referral entry, captioned "The entry for the 192.0.2.0/24
   address block in the dc=arin,dc=net partition."]

   [-03]
   Note that the "/" separator in the LDAP referral URL shown in
   Figure 1 has been escaped as "%2F" to be made URL-safe.
5. Query Processing Rules

   Queries for IPv4 address blocks have several special requirements,
   as discussed in the following sections.

   Refer to [FIRS-CORE] for general information about FIRS queries.

5.1. Query Pre-Processing

   [-02]
   Clients MUST ensure that the query input is normalized according
   to the rules specified in section 3 before the input is used as
   the assertion value in the resulting LDAP query.

   The authoritative partition for an IPv4 address block is
   determined by mapping the normalized input to an associated
   reverse-lookup DNS domain name, and then mapping the resulting DNS
   domain name to a sequence of domainComponent labels.

   [-03]
   FIRS clients MUST use the targeted bootstrap model by default for
   IPv4 address block queries, using the "in-addr.arpa" zone as the
   seed domain for the initial query.

   FIRS clients MAY use the top-down or bottom-up bootstrap models
   for queries if necessary or desirable. However, it is not likely
   that entries will be found for all IPv4 address block resources
   using these models. As such, the targeted bootstrap model will be
   the most useful in most cases, and MUST be used by default.

   When the bottom-up bootstrap model is used, the authoritative
   partition for an IPv4 address block is determined by mapping the
   normalized input to an associated reverse-lookup DNS domain name,
   and then mapping the resulting DNS domain name to a sequence of
   domainComponent labels.
   The least-significant octet MUST include the subnet prefix in this
   mapping process, except in those cases where the address falls on
   an eight-bit boundary. In those cases where the address block
   specifies a 32-bit host address, the subnet prefix MUST be
   stripped from the input during the mapping process. In those cases
   where the address block specifies a legacy "address class", the
   least-significant octet and subnet prefix MUST both be stripped
   from the input during the mapping process. These steps are
   necessary in order to ensure that the reverse-pointer delegations
   in the public DNS are correctly matched to the authoritative
   partitions (note that these rules only apply to the mapping
   process by which an authoritative partition is constructed, and do
   not apply to the process by which the entry-specific relative
   distinguished name is constructed).

   [-02]
   For example, a host-specific IPv4 address block of "192.0.2.14/32"
   would be mapped to the reverse-lookup DNS domain name of
   "14.2.0.192.in-addr.arpa." which would in turn be mapped to
   "dc=14,dc=2,dc=0,dc=192,dc=in-addr,dc=arpa". Meanwhile, the "Class
   C" block of "192.0.2.0/24" would be mapped to the reverse-lookup
   DNS domain name of "2.0.192.in-addr.arpa." which would in turn be
   mapped to "dc=2,dc=0,dc=192,dc=in-addr,dc=arpa". Finally, a
   classless IPv4 address block of "192.0.2.0/20" would be mapped to
   the reverse-lookup domain name of "0/20.14.2.0.192.in-addr.arpa"
   which would in turn be mapped to the fully-qualified distinguished
   name of "dc=0/20,dc=14,dc=2,dc=0,dc=192,dc=in-addr,dc=arpa".

   [-03]
   For example, a host-specific IPv4 address block of "192.0.2.14/32"
   would be mapped to the reverse-lookup DNS domain name of
   "14.2.0.192.in-addr.arpa." which would in turn be mapped to
   "dc=14,dc=2,dc=0,dc=192,dc=in-addr,dc=arpa", and which would then
   be used as the authoritative partition for the bottom-up bootstrap
   process. Similarly, a classless IPv4 address block of
   "192.0.2.0/20" would be mapped to the reverse-lookup domain name
   of "0/20.14.2.0.192.in-addr.arpa", which would be mapped to the
   fully-qualified distinguished name of
   "dc=0/20,dc=14,dc=2,dc=0,dc=192,dc=in-addr,dc=arpa".
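   The partition mapping just described, as an added Python example
   that is not part of either draft. It takes a normalized
   inetIpv4NetworkSyntax value and derives the reverse-lookup domain
   name, the domainComponent partition and the "cn=inetResources"
   search base beneath it. Assumptions: the /8 and /16 class
   boundaries are handled like the /24 case the text spells out (all
   octets below the boundary are dropped), a /0 value maps to the bare
   "in-addr.arpa" seed domain, and the classless case is shown with
   the aligned block "192.0.2.128/25".

```python
# Section 5.1 (bottom-up bootstrap) partition mapping for a normalized
# "a.b.c.d/p" value. Added example; not code from the drafts.

def _split(network: str) -> tuple[list[int], int]:
    """Split "a.b.c.d/p" into ([a, b, c, d], p); input must be normalized."""
    addr, _, prefix = network.partition("/")
    octets = [int(o) for o in addr.split(".")]
    if (len(octets) != 4 or not all(0 <= o <= 255 for o in octets)
            or not prefix.isdigit() or not 0 <= int(prefix) <= 32):
        raise ValueError(f"not a normalized IPv4 address block: {network!r}")
    return octets, int(prefix)


def reverse_labels(network: str) -> list[str]:
    """DNS labels (least-significant first) used to build the partition.

    - /32 host address: prefix stripped, all four octets kept;
    - legacy class boundary (/8, /16, /24): prefix stripped and the
      octets below the boundary dropped (assumption: /8 and /16 follow
      the /24 case the draft describes);
    - /0: no labels at all, i.e. the "in-addr.arpa" seed (assumption);
    - any other prefix: four octets, with "/prefix" attached to the
      least-significant one, e.g. "128/25".
    """
    octets, prefix = _split(network)
    if prefix == 0:
        kept: list[str] = []
    elif prefix == 32:
        kept = [str(o) for o in octets]
    elif prefix in (8, 16, 24):
        kept = [str(o) for o in octets[: prefix // 8]]
    else:
        kept = [str(o) for o in octets]
        kept[-1] = f"{kept[-1]}/{prefix}"
    return list(reversed(kept))


def reverse_domain(network: str) -> str:
    """Reverse-lookup DNS name, e.g. "14.2.0.192.in-addr.arpa"."""
    return ".".join(reverse_labels(network) + ["in-addr", "arpa"])


def partition_dn(network: str) -> str:
    """Authoritative partition as a sequence of domainComponent RDNs."""
    labels = reverse_labels(network) + ["in-addr", "arpa"]
    return ",".join(f"dc={label}" for label in labels)


def search_base(network: str) -> str:
    """The "cn=inetResources,<partition>" container from section 3."""
    return f"cn=inetResources,{partition_dn(network)}"


if __name__ == "__main__":
    for sample in ("192.0.2.14/32", "192.0.2.0/24", "192.0.2.128/25"):
        print(sample, "->", reverse_domain(sample), "->", search_base(sample))
```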
5.2. Query Bootstrapping                                     [-02 only]

   FIRS clients MUST use the targeted bootstrap model by default for
   IPv4 address block queries, using the "in-addr.arpa" zone as the
   seed domain for the initial query.

   FIRS clients MAY use the top-down or bottom-up bootstrap models
   for queries if necessary or desirable. However, it is not likely
   that entries will be found for all IPv4 address block resources
   using these models. As such, the targeted bootstrap model will be
   the most useful in most cases, and MUST be used by default.

   [-03 moves these two paragraphs into section 5.1 and renumbers the
   sections that follow.]
5.3. LDAP Matching                                          [5.2 in -03]

   [-02]
   If the server advertises the inetIpv4Network object class in the
   firsVersion server control, FIRS clients MUST use the
   inetIpv4NetworkMatch extensible matching filter in LDAP searches
   for IPv4 network entries.

   [-03]
   If the server advertises the inetIpv4Network object class and
   inetIpv4NetworkMatch matching filter in the inetResourcesControl
   server control, FIRS clients MUST use the inetIpv4NetworkMatch
   matching filter in LDAP searches for IPv4 network entries.

   The inetIpv4NetworkMatch filter provides an identifier and search
   string format which collectively inform a queried server that a
   specific IPv4 address should be searched for, and that any
   matching inetIpv4Network object class entries should be returned.

   The inetIpv4NetworkMatch filter (an extensibleMatch filter) is
   defined as follows:

      [-02]
      inetIpv4NetworkMatch
         ( 1.3.6.1.4.1.7161.1.0.5
            NAME 'inetIpv4NetworkMatch'
            SYNTAX inetIpv4NetworkSyntax )

      [-03]
      inetIpv4NetworkMatch
         ( 1.3.6.1.4.1.7161.1.5.0.1
            NAME 'inetIpv4NetworkMatch'
            SYNTAX inetIpv4NetworkSyntax )

   [-02]
   The assertion value MUST be a normalized IPv4 address, using the
   inetIpv4NetworkSyntax defined in section 3.

   A FIRS server MUST compare the assertion value against the RDN of
   all entries in the inetResources container of the partition
   specified in the search base which have an object class of
   inetIpv4Network. Any entry with an object class of inetIpv4Network
   and with a relative distinguished name which clearly encompasses
   the IPv4 address provided in the assertion value MUST be returned.
   Entries which do not clearly encompass the queried address MUST
   NOT be returned. Entries which do not have an object class of
   inetIpv4Network MUST NOT be returned.

   [-03]
   Clients MUST ensure that the query input is normalized according
   to the rules specified in section 3 before the input is used as
   the assertion value in the resulting LDAP query.

   A FIRS server MUST compare the assertion value against the
   distinguished name of all entries within and beneath the container
   of the partition specified in the search base. Any entry in that
   hierarchy with an object class of inetIpv4Network and a
   distinguished name that is clearly superior to the IPv4 address
   provided in the assertion value MUST be returned. Entries which do
   not have an object class of inetIpv4Network MUST NOT be returned.
   Entries which are not clearly superior to the queried address MUST
   NOT be returned.
   [-02]
   In order to ensure that all of the relevant entries are found
   (including any referrals), the search filters for these resources
   MUST specify the inetIpv4Network object class along with the
   search criteria. For example, "(&(objectclass=inetIpv4Network)
   (1.3.6.1.4.1.7161.1.5.8:=192.0.2.0/24))" with a search base of
   "cn=inetResources,dc=arin,dc=net" would find all of the
   inetIpv4Network object class entries which were superior to the
   "192.0.2.0/24" address block in the "dc=arin,dc=net" partition.

   [-03]
   Note that "superiority" means that the address ranges specified in
   the entry names clearly encompass the address range specified in
   the assertion value. This can be reverse-computed by repeatedly
   shrinking the prefix size of the address in the assertion value,
   and using the resulting network/prefix pair as a matching value.

   An example of this matching logic is illustrated below, using the
   assertion value of "10.127.0.0/16" and the search base of
   "cn=inetResources,dc=in-addr,dc=arpa":

      set searchBase "cn=inetResources,dc=in-addr,dc=arpa"
      find ( ( objectClass equals inetIpv4Network ) and
             ( ( nameComponent equals "cn=10.127.0.0/16" ) or
               ( nameComponent equals "cn=10.126.0.0/15" ) or
               ( nameComponent equals "cn=10.124.0.0/14" ) or
               ( nameComponent equals "cn=10.120.0.0/13" ) or
               ( nameComponent equals "cn=10.112.0.0/12" ) or
               ( nameComponent equals "cn=10.96.0.0/11" ) or
               ( nameComponent equals "cn=10.64.0.0/10" ) or
               ( nameComponent equals "cn=10.0.0.0/9" ) or
               ( nameComponent equals "cn=10.0.0.0/8" ) ) )
   Note that the entry name of "cn=0.0.0.0/0" encompasses the entire
   IPv4 address space. When used in conjunction with referrals, this
   entry MAY be used to redirect all inetIpv4NetworkMatch queries to
   another partition for subsequent processing.
   [-02]
   The matching filters defined in this specification MUST be
   supported by FIRS clients and servers. FIRS servers MAY support
   additional sub-string filters, soundex filters, or any other
   filters they wish (these may be required to support generic LDAP
   clients), although FIRS clients MUST NOT expect any additional
   filters to be available.

   If the server does not advertise support for the inetIpv4Network
   object class in the firsVersion server control, the client MAY
   choose to emulate this matching process through the use of
   locally-constructed filters. Since the inetIpv4NetworkMatch filter
   simply locates all of the entries in the delegation path to the
   named network, it is possible that a client could emulate this
   query by generating distinct queries for any entries associated
   with the parent networks.

   For example, if the user asked for information about the
   "192.0.2.14/32" network resource but the server does not advertise
   support for the inetIpv4Network object class, the client could
   theoretically issue secondary queries for inetIpv4Network entries
   with cn attributes that begin with "192.0.2" or "192.0".

   Unfortunately, this kind of matching is not guaranteed to work in
   most situations, and clients also need to be careful not to issue
   overly-broad queries that match all answers. As such, if the
   server advertises support for the inetIpv4Network object class in
   the firsVersion control, then the client MUST use the
   inetIpv4NetworkMatch filter defined above.

   [-03]
   The matching filters defined in this specification MUST be
   supported by FIRS clients and servers. FIRS servers MAY support
   additional matching filters, although FIRS clients MUST NOT expect
   any additional filters to be available.

   If the server does not advertise support for the
   inetIpv4NetworkMatch matching filter in the inetResourcesControl
   server control, the client MAY choose to emulate this matching
   filter through the use of locally-constructed equalityMatch
   filters. However, this process can result in incomplete answers in
   some cases, so if the server advertises support for the
   inetIpv4NetworkMatch matching filter in the inetResourcesControl
   control, the client MUST use it.
5.3. Example Query (numbered 5.4 in draft-ietf-crisp-firs-ipv4-02)

The following example assumes that the user has specified
"192.0.2.14/32" as the query value:

a. Normalize the input, which is "192.0.2.14/32" in this case.

b. Determine the canonical authoritative partition.
Hall I-D Expires: March 2004 [page 11]
   1. Map the input sequence to the reverse-lookup domain
      name, which is "14.2.0.192.in-addr.arpa" in this case.

   2. Determine the initial domain name which is appropriate
      for the bootstrap model in use. In the default case of
      a targeted query, use "in-addr.arpa". In the case of a
      bottom-up query, use the label sequence determined in
      step 5.3.b.1 (step 5.4.b.1 in draft -02). In the case of
      a top-down query, set the domain name to "arpa".

   3. Map the domain name to an authoritative partition,
      which would be "dc=in-addr,dc=arpa" if the default
      bootstrap model were in use.

c. Determine the search base for the query, which will be
   "cn=inetResources,dc=arpa" if the defaults are used.

d. Initiate a DNS lookup for the SRV resource records

skipping to change at line 487 (old) / line 526 (new)

g. Initiate a DNS lookup for the SRV resource records
   associated with "_ldap._tcp.arin.net." For the purpose of
   this example, assume that this lookup succeeds, with the
   DNS response message indicating that "firs.arin.net" is the
   preferred LDAP server.

h. Submit an LDAPv3 query to the specified server, using
   "(&(objectClass=inetIpv4Network)
   (1.3.6.1.4.1.7161.1.5.8:=192.0.2.14/32))" as the matching
   filter, "cn=inetResources,dc=arin,dc=net" as the search
   base, and the global query defaults defined in [FIRS-CORE].

i. Assume that no other referrals are received. Display the
   answer data which has been received and exit the query.
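The delegation-path expansion behind the inetIpv4NetworkMatch filter and the bootstrap steps of the example above, as an added Python example (not code from the draft or from any FIRS implementation). It generates the parent-network entry names that the draft's sample logic lists, builds both the extensible filter of step h and the client-side equalityMatch emulation the text permits, and maps a network to its in-addr.arpa name, bootstrap domain and partition DN; the minimum prefix length (the draft's sample stops at /8) and the octet truncation for prefixes shorter than /32 are assumptions of this example.

```python
import ipaddress

# OID of the inetIpv4NetworkMatch matching rule, taken from the draft's step h
OID_IPV4_NETWORK_MATCH = "1.3.6.1.4.1.7161.1.5.8"

def parent_networks(cidr, min_prefix=0):
    """Entry names on the delegation path to `cidr`: the network itself and
    every enclosing prefix, longest first, down to /min_prefix. The draft's
    sample logic stops at /8; the default of 0 also yields "0.0.0.0/0"."""
    net = ipaddress.IPv4Network(cidr, strict=False)  # clears stray host bits
    base = int(net.network_address)
    names = []
    for plen in range(net.prefixlen, min_prefix - 1, -1):
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        names.append(f"{ipaddress.IPv4Address(base & mask)}/{plen}")
    return names

def extensible_filter(cidr):
    """The filter the draft requires when the server advertises the rule."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return f"(&(objectClass=inetIpv4Network)({OID_IPV4_NETWORK_MATCH}:={net}))"

def emulated_filter(cidr, min_prefix=0):
    """Client-side emulation with plain equalityMatch terms, one per parent,
    for servers that do not advertise inetIpv4NetworkMatch."""
    terms = "".join(f"(cn={n})" for n in parent_networks(cidr, min_prefix))
    return f"(&(objectClass=inetIpv4Network)(|{terms}))"

def reverse_domain(cidr):
    """Step b.1: the in-addr.arpa name. For prefixes shorter than /32 only
    the octets the prefix covers are kept (rounded up; an assumption here)."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    octets = str(net.network_address).split(".")[: (net.prefixlen + 7) // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def bootstrap_domain(cidr, model="targeted"):
    """Step b.2: initial domain name for each bootstrap model."""
    if model == "targeted":
        return "in-addr.arpa"
    if model == "bottom-up":
        return reverse_domain(cidr)
    if model == "top-down":
        return "arpa"
    raise ValueError(f"unknown bootstrap model: {model}")

def partition_dn(domain):
    """Step b.3: map a domain name to its directory partition DN."""
    return ",".join(f"dc={label}" for label in domain.split("."))
```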
6. Security Considerations

Security considerations are discussed in [FIRS-ARCH].

7. IANA Considerations

This specification uses the "dc=in-addr,dc=arpa" directory
partition by default. It is expected that authoritative LDAP
partitions will be mapped to that zone, and that FIRS-capable LDAP
servers will be established to service this partition, with this
skipping to change at line 535 (old) / line 575 (new)
RFC 2251, December 1997.

[RFC2252] Wahl, M., Coulbeck, A., Howes, T., and Kille, S.
"Lightweight Directory Access Protocol (v3): Attribute Syntax
Definitions", RFC 2252, December 1997.

[RFC2254] Howes, T. "The String Representation of LDAP Search
Filters", RFC 2254, December 1997.

(Draft -02 cited the -02 versions, dated July 2003, of the
companion FIRS drafts below; draft -03 cites the -03 versions,
dated August 2003, except for [FIRS-DNSRR], which is unchanged.)

[FIRS-ARCH] Hall, E. "The Federated Internet Registry Service:
Architecture and Implementation Guide",
draft-ietf-crisp-firs-arch-03, August 2003.

[FIRS-ASN] Hall, E. "Defining and Locating Autonomous System
Numbers in the Federated Internet Registry Service",
draft-ietf-crisp-firs-asn-03, August 2003.

[FIRS-CONTCT] Hall, E. "Defining and Locating Contact Persons in
the Federated Internet Registry Service",
draft-ietf-crisp-firs-contact-03, August 2003.

[FIRS-CORE] Hall, E. "The Federated Internet Registry Service:
Core Elements", draft-ietf-crisp-firs-core-03, August 2003.

[FIRS-DNS] Hall, E. "Defining and Locating DNS Domains in the
Federated Internet Registry Service",
draft-ietf-crisp-firs-dns-03, August 2003.

[FIRS-DNSRR] Hall, E. "Defining and Locating DNS Resource Records
in the Federated Internet Registry Service",
draft-ietf-crisp-firs-dnsrr-02, July 2003.

[FIRS-IPV4] (present in draft -02 only, removed in draft -03)
Hall, E. "Defining and Locating IPv4 Address Blocks in the
Federated Internet Registry Service",
draft-ietf-crisp-firs-ipv4-02, July 2003.

[FIRS-IPV6] Hall, E. "Defining and Locating IPv6 Address Blocks in
the Federated Internet Registry Service",
draft-ietf-crisp-firs-ipv6-03, August 2003.
9. Changes from Previous Versions

draft-ietf-crisp-firs-ipv4-03:

* Several clarifications and corrections have been made.

* Clarified the matching behavior, and added sample logic
that demonstrates efficient matching behavior.

* Added the inetIpv4ParentNetworks, inetIpv4SiblingNetworks,
and inetIpv4ChildNetworks attributes.

* Several attributes had their OIDs changed. NOTE THAT THIS
IS AN INTERNET DRAFT, AND THAT THE OIDS ARE SUBJECT TO
ADDITIONAL CHANGES AS THIS DOCUMENT IS EDITED.

draft-ietf-crisp-firs-ipv4-02:

* Several clarifications and corrections have been made.

* Changed the default bootstrap model to use targeted
queries, with "in-addr.arpa" as the default zone and
"dc=in-addr,dc=arpa" as the default partition.

draft-ietf-crisp-firs-ipv4-01:

* Several clarifications and corrections have been made.

draft-ietf-crisp-firs-ipv4-00:

* Restructured the document set.

* "Attribute references" have been eliminated from the
specification. All referential attributes now provide
actual data instead of URL pointers to data. Clients that
wish to retrieve these values will need to start new
queries using the data values instead of URLs.
skipping to change at line 623 (old) / line 672 (new)
10. Author's Address

Eric A. Hall
ehall@ehsco.com

11. Acknowledgments

Funding for the RFC editor function is currently provided by the
Internet Society.

Portions of this document were funded by VeriSign Labs.

The first version of this specification was co-authored by Andrew
Newton of VeriSign Labs, and subsequent versions continue to be
developed with his active participation. Edward Lewis also
contributed significant feedback to this specification in the
later stages of its development.
12. Full Copyright Statement

Copyright (C) The Internet Society (2003). All Rights Reserved.

This document and translations of it may be copied and furnished
to others, and derivative works that comment on or otherwise
explain it or assist in its implementation may be prepared,
copied, published and distributed, in whole or in part, without
restriction of any kind, provided that the above copyright notice
and this paragraph are included on all such copies and derivative

skipping to change at line 660 (old) / line 709 (new)

The limited permissions granted above are perpetual and will not
be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on
an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/