Internet DRAFT - draft-ietf-shim6-functional-dec

draft-ietf-shim6-functional-dec







Network Working Group                                         M. Bagnulo
Internet-Draft                                                      UC3M
Expires: January 16, 2006                                       J. Arkko
                                                                Ericsson
                                                           July 15, 2005


          Functional decomposition of the multihoming protocol
                   draft-ietf-shim6-functional-dec-00

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on January 16, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   In this note we will present a functional decomposition of the
   multihomig protocol i.e. the protocol for preserving established
   communications in multihomed environments.  We will do so by
   describing a protocol walkthrough, presenting which functions have to
   be performed at each stage and the messages required to accomplish
   them.  The functional decomposition presented in this draft is based
   on the general functional analysis of multihoming approaches



Bagnulo & Arkko         Expires January 16, 2006                [Page 1]

Internet-Draft          Functional decomposition               July 2005


   presented in [3].

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Initial contact  . . . . . . . . . . . . . . . . . . . . . . .  4
     2.1   Initial contact  . . . . . . . . . . . . . . . . . . . . .  4
     2.2   Failure during startup . . . . . . . . . . . . . . . . . .  4
   3.  Capabilities detection and shim host-pair context
       establishment  . . . . . . . . . . . . . . . . . . . . . . . .  6
     3.1   Capabilities detection . . . . . . . . . . . . . . . . . .  6
       3.1.1   Node Configuration . . . . . . . . . . . . . . . . . .  6
       3.1.2   DNS Configuration  . . . . . . . . . . . . . . . . . .  6
       3.1.3   Host-Based Dynamic Discovery . . . . . . . . . . . . .  7
       3.1.4   Timing . . . . . . . . . . . . . . . . . . . . . . . .  7
     3.2   Shim host-pair context establishment . . . . . . . . . . .  8
       3.2.1   Security Information . . . . . . . . . . . . . . . . .  9
       3.2.2   DoS protection.  . . . . . . . . . . . . . . . . . . .  9
       3.2.3   Resulting shim host-pair context establishement
               exchange . . . . . . . . . . . . . . . . . . . . . . . 10
   4.  Locator set management . . . . . . . . . . . . . . . . . . . . 11
     4.1   Security of the exchange for adding locators . . . . . . . 11
     4.2   Security of the exchange for deleting locators . . . . . . 11
   5.  Re-homing procedure  . . . . . . . . . . . . . . . . . . . . . 13
     5.1   Security . . . . . . . . . . . . . . . . . . . . . . . . . 13
   6.  Removal of shim session state  . . . . . . . . . . . . . . . . 15
     6.1   Security . . . . . . . . . . . . . . . . . . . . . . . . . 15
   7.  Security considerations  . . . . . . . . . . . . . . . . . . . 16
   8.  Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 17
   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 18
     9.1   Normative References . . . . . . . . . . . . . . . . . . . 18
     9.2   Informative References . . . . . . . . . . . . . . . . . . 18
       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 18
       Intellectual Property and Copyright Statements . . . . . . . . 19

















Bagnulo & Arkko         Expires January 16, 2006                [Page 2]

Internet-Draft          Functional decomposition               July 2005


1.  Introduction

   In this note we will present a functional decomposition of the
   multihoming protocol i.e. the protocol for preserving established
   communications in multihomed environments.  We will do so by
   describing a protocol walkthrough, presenting which functions have to
   be performed at each stage and the messages required to accomplish
   them.  The functional decomposition presented in this draft is based
   on the general functional analysis of multihoming approaches
   presented in [3].

   We will first present some possible procedures for the initial
   contact and session state establishment.  Next, we will consider the
   management of the available locator set.  Then, we will consider the
   re-homing of an ongoing communication and finally we will deal with
   session state removal.

   This note is agnostic to the security mechanism used in protecting
   the control messages related to multihoming.  However, when it is
   deemed necessary, a security analysis that attempts to understand the
   security required for the message exchange will be included.






























Bagnulo & Arkko         Expires January 16, 2006                [Page 3]

Internet-Draft          Functional decomposition               July 2005


2.  Initial contact

2.1  Initial contact

   During the initial contact, the minimum information that has to be
   exchanged by the two communicating nodes is: the identifiers that
   have to be presented to the upper layers, and a reachable locator for
   each node.  In the case that the the identifier presented to the
   upper layers is a valid reachable locator, then only this address
   that will perform both roles has to be exchanged.  If this is the
   case, no special multihoming features are required.  This means that
   as long as the identifier and the locator used are the same IPv6
   address, there is no need to perform any special multihoming exchange
   for the initial contact and regular IPv6 can be used.  However, if an
   identifier that is different from the locator used for exchanging the
   initial packet is used, then the multihoming protocol has to be used
   even to perform the initial contact between the two nodes, starting
   by the capabilities detection procedure described in section 2.1.2.

2.2  Failure during startup

   In the case that the locator used for initial contact is unreachable,
   there are two possible approaches that can be followed:



      One approach is to simply retry the initial contact using a
      different locator.  This means that the initial contact procedure
      is started all over again, using a different locator.  This
      approach is likely to be the one required when the shim-capable
      host is establishing communications with legacy hosts that don't
      support the multihoming protocol.  In this case, the address
      included in the initial packet is both the locator and the
      identifier and if it is not reachable, an alternative address has
      to be used.  Such retrying would by default occur at the
      application layer, which is aware of the multiple addresses.  It
      might be possible to optimize this should the transport protocol
      be made aware of the multiple addresses.



      Another approach is to change locator while preserving the
      identifier.  This approach is not supported by legacy IPv6 nodes,
      so the multihoming protocol has to be used in this approach.
      However, this scheme would allow to recover from failures on
      locators used for initial contact in a upper layer transparent
      fashion.  However, if this is the case, the full multihoming
      protocol has to be used for initial contact, starting by the



Bagnulo & Arkko         Expires January 16, 2006                [Page 4]

Internet-Draft          Functional decomposition               July 2005


      capabilities detection procedure described next.


















































Bagnulo & Arkko         Expires January 16, 2006                [Page 5]

Internet-Draft          Functional decomposition               July 2005


3.  Capabilities detection and shim host-pair context establishment

   When a shim capable host desires to obtain the enhanced features
   provided by the multihoming protocol in the communications
   established with a given peer node, it has to first determine if shim
   capabilities are available in the peer node and second establish a
   shim host-pair context, as defined in [5].In this section we will
   analyze the different mechanisms to perform both actions.

3.1  Capabilities detection

   This section presents a number of possible approaches for the
   capability detection, and analyzes their properties.

3.1.1  Node Configuration

   A simplistic approach would be to require the shim capability from
   peers, if a node supports the shim and has been configured to use it.
   However, this would severely limit the ability of the node to
   communicate until the feature is widely supported.

3.1.2  DNS Configuration

   A better configuration-based approach would be to add some
   information to the DNS to tell the peers whether the target node
   supports the shim or not.  For instance, a new RR record could be
   used.  This way each node could dynamically decide whether it can run
   the shim with the peer or not.  This could often be known before
   actually attempting to communicate.

   This approach requires that every node that wishes to use the shim
   must have a DNS entry.  In addition, the ability to use shim and the
   information stored to the DNS may not always be synchronized.  For
   instance, changing the operating system might remove shim capability
   from a particular user's machine, leading to a need for updating DNS.
   This synchronization problem could be avoided by the use of Dynamic
   DNS updates -- with the implied requirements for setting up a
   security association between the DNS servers and client machines.

   Similarly, the manually updated DNS approach requires support for
   Dynamic DNS [2] where RFC 3041  [1] or other dynamically changing
   addresses are used.

   Finally, all DNS-based approaches suffer from an an administrative
   split between the actual nodes and the ones storing data about them;
   establishing Dynamic DNS or manual updates may be hard for a private
   subscriber of a large operator, for instance.




Bagnulo & Arkko         Expires January 16, 2006                [Page 6]

Internet-Draft          Functional decomposition               July 2005


   On the other hand, a DNS-based mechanism may work well if the chosen
   Multi6 protocol is based on the use of DNS, such as in NOID [4].

3.1.3  Host-Based Dynamic Discovery

   A host-based mechanism discovers the shim-capability directly between
   the communicating nodes.  Two variants of this mechanism exist:

   Independent



      This mechanism adds a message pair for the discovery.  If the peer
      responds to the message that the initiator sends, then both nodes
      know that they support the shim.

   Integrated



      This mechanism uses the rest of the shim signaling, doing both
      actual shim work and capability detection at the same time.

   In the interest of reducing number of initial communications latency,
   the second approach would be preferrable.  We also argue that a
   multihoming protocol MUST do an initial (or at least an early)
   signaling exchange in any case.  This is because the nodes need to
   discover alternate locators PRIOR to a multihoming event disabling
   the current ones.  For instance, lets assume hosts A and B
   communicate over two separate links without going through the
   Internet.  Lets further assume the nodes use plain IPv6 at the
   beginning without shim, and use one of the links and its prefix P for
   communication, with addresses P::A and P::B. If this link goes down,
   the obvious multihoming solution would be to switch to Q::A and Q::B,
   the other link and its prefix.  However, neither side is aware that
   the other node is available under the Q prefix, so communications can
   not continue.

   On the other hand, the integrated approach makes the initial packets
   larger which is a disadvantage when the peer does not support
   multihoming.  However, we do not expect the shim part of the initial
   packets to be large or contain many addresses on the average, so this
   seems like a good engineering tradeoff.

3.1.4  Timing

   Capability detection needs to occurr prior to or at the same time as
   Multi6 state is created between peers.  If the capabilities are



Bagnulo & Arkko         Expires January 16, 2006                [Page 7]

Internet-Draft          Functional decomposition               July 2005


   stored in DNS, a convenient time to look this information is at the
   time a DNS query is made (even if it may not always lead to an actual
   communication attempt later).  If host-based discovery is used, the
   best time to perform it is in the initial Multi6 exchange packets.

   The capabilities of the peer must be remembered while the shim state
   exists; the state persistence is discussed in Section 5 of [4].  The
   capabilities should preferrably be cached even beyond this, in order
   to avoid discovering the capabilities and/or locators of peers when
   they are contacted again within a small time frame.

   Negative caching should be used to remember the peers which do not
   support multihoming.  Depending on the type of the chosen capability
   detection mechanisms, this state is indexed either by an IP address
   or by both IP addresses and identifiers.  The latter becomes
   necessary if DNS configuration indicates an identifier and Multi6
   cabability, but the node refuses to communicate using the shim.

3.2  Shim host-pair context establishment

   Once that the the shim protocol support is confirmed, the ULP
   identifiers associated to the shim host-pair context need to be
   defined.

   With respect to locator exchange, it is clear that at least one
   locator (the one included in the source address field of the packet)
   is exchanged in the initial contact.  The question would be if
   additional locators are needed to be exchanged during the shim host-
   pair context  establishment phase.  Several considerations should be
   taken into account at this point: On one hand, the capability of
   recovering from an outage may depend on knowing alternative locators
   of the other node.  It is clear that a node is aware of its own
   locators, so a possible approach would be that if a failure is
   detected, the node simply tries to communicate using an alternative
   source locator.  Since  both nodes behave this way, a failure in any
   single locator used in the communication can be recovered.  However,
   in the case that both locators used in the communication fail
   simultaneously, the approach of trying different source addresses
   will not be enough to restore the communication.  This is basically
   because retrying with a different source address assumes that at
   least on of the original locators is working.  So, in order to be
   able to provide fault tolerance support in the situations when both
   locators fail simultaneously, it is required that at least one of the
   nodes is aware of multiple locators of its correspondent node.  On
   the other hand, exchanging alternative locator information imposes an
   additional overhead in the communication, which is only useful if an
   outage occurs (which is supposed not to be so frequent).




Bagnulo & Arkko         Expires January 16, 2006                [Page 8]

Internet-Draft          Functional decomposition               July 2005


   In conclusion, adding additional locators in the shim host-pair
   context establishment exchange provides enhanced fault tolerance but
   it imposes an additional cost.  A reasonable approach would be that
   the shim host-pair context establishment exchange should support the
   exchange of additional locators, but should not mandate it.  In
   addition, the multihoming protocol should support the exchange
   additional locators during the lifetime of the session.

   Besides the identifiers and locators associated to the shim session,
   it may be required to negotiate Context Tags that allow to identify
   data packets that belong to that shim host-pair context.  The need of
   such Context Tags depends on the demultiplexing mechanism used, as
   described in [5]

3.2.1  Security Information

   In addition, it seems that security related information needs to be
   exchanged during the shim host-pair context establishment exchange.

   Including a sort of cookie/key/hash chain anchor in the exchange,
   limits the potential attackers to those present in the path during
   this initial exchange.  It also implies that in order to complete the
   exchange, the other node must be receiving the reply packets.  In
   addition, such key would be useful to secure future exchanges.  So,
   it seems a good option to exchange a shared secret during the shim
   host-pair context establishment exchange.

   The exchange of additional security information may be required to
   provide protection against future attacks, depending on the security
   scheme used.

3.2.2  DoS protection.

   Depending on the mechanism used to provide protection against future
   attacks, the shim host-pair context establishment exchange may more
   or less susceptible to DoS attacks.  If the security mechanism used
   requires a considerable amount of processing, it may be used to
   launch a DoS attack consuming the processing power of the receiver.
   In addition, after the exchange is completed, a state is created in
   each node, storing information about identifiers, multiple locators,
   keys and so on.  Such state requires memory, so it can be used by a
   malicious node to generate a DoS attack based in memory consumption.
   In order to provide some protection from these attacks, the receiver
   node should not create any state until the initiating node has done
   so.  This can be achieved by using a 4 way exchange, where the
   receiver does not create any state until the third packet and the
   initiator has to prove that it has some state created after receiving
   the second packet.  This can be done by the initiator by showing some



Bagnulo & Arkko         Expires January 16, 2006                [Page 9]

Internet-Draft          Functional decomposition               July 2005


   information received in the second packet and that the receiver can
   regenerate without requiring some specific information (like hashing
   a key and the initiator address).  The result is not a complete
   protection from such attacks, since the resulting state in the
   receiver is long lived, and the attacker can discard its state after
   finishing the 4 way handshake.  However, after the 4 way handshake,
   the receiver will know a valid locator of the attacker, which can be
   used to track the attacker.

3.2.3  Resulting shim host-pair context establishement exchange


   Initiator                  Receiver
     |        P1                 |
     |-------------------------->|
     |        P2                 |
     |<--------------------------|
     |        P3                 |
     |-------------------------->|
     |        P4                 |
     |<--------------------------|


   P1 is essentially a request to initiate an exchange.  It will also be
   used to detect the shim capability of the receiver.

   P2 will provide the information needed by the initiator to prove that
   he has some state about this communication.  So, P2 will contain
   something like a Hash of a secret key of the receiver (common to all
   initiators) and the initiator's address.  The receiver will receive
   P1 and generate P2 without creating any state specific to this
   communication.  It would be possible to also include the alternative
   locators of the receiver in P2.  The question about this if this
   couldn't be used as an amplifier to launch other DoS attacks to third
   parties.

   P3 will contain the Hash obtained in P2.  In addition, it will
   contain the identifier used for this communication and it may contain
   alternative locator information.  In addition, information to
   validate the locator set may be included.  Finally, the key/cookie/
   hash chain anchor related information is also included.

   P4 serves as an acknowledgment of the information received in P3 and
   it also includes information about alternative locators, identifier
   and key/cookie/hash chain anchor related information that hasn't been
   exchanged yet.





Bagnulo & Arkko         Expires January 16, 2006               [Page 10]

Internet-Draft          Functional decomposition               July 2005


4.  Locator set management

   The management of the locator set involves adding new locators and
   removing existing locators.

   The reasons for adding a new locator are pretty straightforward:
   there is an additional locator that the holder node wants to add to
   the available set.  The reasons for that may be that a new locator is
   available in the node (e.g. a mobile node) or simply that the node
   wants to obtain enhanced fault tolerance by adding additional
   locators to the available set.

   The reasons for deleting an existing locator are essentially local.
   Nodes have local information about the status of their own locators.
   In case that one of the locators becomes unavailable for some reason
   (e.g. it is deprecated through Router Advertisement) it would make
   sense to inform the other nodes that this locator should no longer be
   used.

   There are two possible approaches to the addition and removal of
   locators: atomic and differential approaches.  Atomic approaches
   essentially send the complete locators set each time that a variation
   in the locator set occurs.  In this case, there is only one message
   exchange defined i.e. a message that informs about the new locator
   set and an acknowledgment message.  Differential messages send the
   differences between the existing locator set and the new one.  In
   this case, a message for adding a new locator and another message for
   deleting locators have to be defined.  Both messages can be
   acknowledged.  The atomic approach imposes additional overhead, since
   all the locator set has to be exchanged each time while the
   differential approach requires re-synchronization of both ends
   through changes i.e. that both ends have the same idea about what the
   current locator set is.

4.1  Security of the exchange for adding locators

   The additional locators conveyed through this mechanism should belong
   to the node that performed the initial exchange.  Security
   information must be included in this messages to prove that.  One
   possibility is to include information about the key/cookie/hash chain
   defined in the initial exchange.  This is not enough to prevent
   future attacks.  In order to provide future attack protection,
   alternative schemes like HBA or CGAs has to be used.

4.2  Security of the exchange for deleting locators

   The security required for the message for removing a locator may be
   achieved using the key/cookie/hash chain information created during



Bagnulo & Arkko         Expires January 16, 2006               [Page 11]

Internet-Draft          Functional decomposition               July 2005


   the initial contact exchange.


















































Bagnulo & Arkko         Expires January 16, 2006               [Page 12]

Internet-Draft          Functional decomposition               July 2005


5.  Re-homing procedure

   The re-homing procedure occurs when a new locator pair is to be used
   for the communication.  The reason for a re-homing is essentially
   that the current locator pair is no longer working.  The re-homing
   procedure involves detecting that the locator pair currently in use
   is no longer working, exploring alternative locator pairs and re-
   homing the communication to the reachable locator pair.

   In order to verify that a locator pair is working, a Reachability
   Test exchange is needed.  This can be used to check if the locator
   pair that is being used is working properly or to explore if
   potential locator pairs are working.  In addition, in the last case,
   the Reachability Test is also a mechanism to prevent thrid-party
   flooding attacks.

   The Reachability Test exchange includes the following packets:

      Reachability Test (RT) packet: including the random nonce and
      maybe information related to the initial key/cookie/hash chain



      Reachability Test Reply (RTR) packet: include the nonce of the RT
      packet and maybe information related to the initial key/cookie/
      hash chain

   In the case that a bidirectional path is available, the pair of
   locators contained in the RT and RTR packets will be the same.
   However, if only two disjoints unidirectional paths are available,
   the locators contained in the RT will differ from the ones included
   in the RTR.  Additional discussion on this topic can be found in [6].

5.1  Security

   In any case, it is required to know if there is a node replying at
   the other end.  The messages should include a nonce in order to match
   the replies with original messages.  In addition, the nonce should be
   randomly selected, imposing the reception of the initial message to
   be able to properly generate the reply.  Finally, including
   information related to the key/cookie/hash chain defined in the
   initial exchange would guarantee that only the node involved in the
   initial exchange can participate in the reachability exchange
   (depending on the particular mechanism, this may be more or less
   expensive) In the case that the mechanism is used to prevent third-
   party flooding attacks additional security measures are needed, since
   any shim capable host would reply to a Reachability Test request,
   precluding its usage as flooding attack prevention.  So, in order to



Bagnulo & Arkko         Expires January 16, 2006               [Page 13]

Internet-Draft          Functional decomposition               July 2005


   use this mechanism to prevent flooding, additional checks are needed.
   One option would be to include information related to the key/cookie/
   hash chain defined in the initial exchange as described above.
   Another option would be to require that nodes only reply Reachability
   Test requests coming from nodes that they are already communicating
   with.













































Bagnulo & Arkko         Expires January 16, 2006               [Page 14]

Internet-Draft          Functional decomposition               July 2005


6.  Removal of shim session state

   There are essentially two approaches for discarding an existing state
   about locators, keys and identifiers of a correspondent node: a
   coordinated approach and an unilateral approach.

   In the unilateral approach, each node discards the information about
   the other node without coordination with the other node based on some
   local timers and heuristics.  No packet exchange is required for
   this.  In this case, it would be possible that one of the nodes has
   discarded the state while the other node still hasn't.  In this case,
   an error message may be required to inform about the situation.

   In the coordinated approach, there is a closing exchange that is
   performed in order to coordinate the process, in order to make sure
   that both nodes discard the state related to the previous
   communication.  This would require a pair of messages Close and
   Close-ACK.

6.1  Security

   The Close message has to be secured using the key/cookie/hash chain
   information created during the initial contact exchange.




























Bagnulo & Arkko         Expires January 16, 2006               [Page 15]

Internet-Draft          Functional decomposition               July 2005


7.  Security considerations

   The security requirements of each message exchange considered in this
   note are detailed in the same section where the message exchange is
   analyzed.














































Bagnulo & Arkko         Expires January 16, 2006               [Page 16]

Internet-Draft          Functional decomposition               July 2005


8.  Contributors

   This document was originally produced of a MULTI6 design team
   consisting of (in alphabetical order):  Jari Arkko, Marcelo Bagnulo
   Braun, Iljitsch van Beijnum, Geoff Huston, Erik Nordmark, Margaret
   Wasserman, and Jukka Ylitalo.













































Bagnulo & Arkko         Expires January 16, 2006               [Page 17]

Internet-Draft          Functional decomposition               July 2005


9.  References

9.1  Normative References

   [1]  Narten, T. and R. Draves, "Privacy Extensions for Stateless
        Address Autoconfiguration in IPv6", RFC 3041, January 2001.

   [2]  Wellington, B., "Secure Domain Name System (DNS) Dynamic
        Update", RFC 3007, November 2000.

9.2  Informative References

   [3]  Huston, G., "Architectural Approaches to Multi-Homing for IPv6",
        draft-huston-multi6-architectures-01 (work in progress),
        June 2004.

   [4]  Nordmark, E., "Multihoming without IP Identifiers",
        draft-nordmark-multi6-noid-02 (work in progress), July 2004.

   [5]  Nordmark, E. and M. Bagnulo, "Multihoming L3 Shim Approach",
        draft-nordmark-multi6dt-shim-00.txt (work in progress),
        October 2004.

   [6]  Arkko, J., "Failure Detection and Locator Selection in Multi6",
        draft-multi6dt-failure-detection-00 (work in progress),
        October 2004.


Authors' Addresses

   Marcelo Bagnulo
   Universidad Carlos III de Madrid
   Av. Universidad 30
   Leganes, Madrid  28911
   SPAIN

   Phone: 34 91 6249500
   Email: marcelo@it.uc3m.es
   URI:   http://www.it.uc3m.es


   Jari Arkko
   Ericsson
   Jorvas  02420
   Finland

   Email: jari.arkko@ericsson.com




Bagnulo & Arkko         Expires January 16, 2006               [Page 18]

Internet-Draft          Functional decomposition               July 2005


Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.




Bagnulo & Arkko         Expires January 16, 2006               [Page 19]