draft-ietf-crisp-firs-ipv6-02.txt   draft-ietf-crisp-firs-ipv6-03.txt 
INTERNET-DRAFT Eric A. Hall INTERNET-DRAFT Eric A. Hall
Document: draft-ietf-crisp-firs-ipv6-02.txt July 2003 Document: draft-ietf-crisp-firs-ipv6-03.txt August 2003
Expires: February, 2004 Expires: March, 2004
Category: Experimental Category: Experimental
Defining and Locating IPv6 Address Blocks Defining and Locating IPv6 Address Blocks
in the Federated Internet Registry Service in the Federated Internet Registry Service
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC 2026. all provisions of Section 10 of RFC 2026.
skipping to change at line 48 skipping to change at line 48
This document defines LDAP schema and searching rules for IPv6 This document defines LDAP schema and searching rules for IPv6
address blocks, in support of the Federated Internet Registry address blocks, in support of the Federated Internet Registry
Service (FIRS) described in [FIRS-ARCH] and [FIRS-CORE]. Service (FIRS) described in [FIRS-ARCH] and [FIRS-CORE].
Table of Contents Table of Contents
1. Introduction...............................................2 1. Introduction...............................................2
2. Prerequisites and Terminology..............................2 2. Prerequisites and Terminology..............................2
3. Naming Syntax..............................................3 3. Naming Syntax..............................................3
4. Object Classes and Attributes..............................4 4. Object Classes and Attributes..............................4
5. Query Processing Rules.....................................7 5. Query Processing Rules.....................................8
5.1. Query Pre-Processing....................................7 5.1. Query Pre-Processing....................................8
5.2. Query Bootstrapping.....................................8 5.2. LDAP Matching...........................................9
5.3. LDAP Matching...........................................8 5.3. Example Query..........................................11
5.4. Example Query..........................................10 6. Security Considerations...................................12
6. Security Considerations...................................11 7. IANA Considerations.......................................12
7. IANA Considerations.......................................11
8. Normative References......................................12 8. Normative References......................................12
9. Changes from Previous Versions............................13 9. Changes from Previous Versions............................13
10. Author's Address..........................................14 10. Author's Address..........................................14
11. Acknowledgments...........................................14 11. Acknowledgments...........................................15
12. Full Copyright Statement..................................14 12. Full Copyright Statement..................................15
1. Introduction 1. Introduction
This specification defines the naming syntax, object classes, This specification defines the naming syntax, object classes,
attributes, matching filters, and query processing rules for attributes, matching filters, and query processing rules for
storing and locating IPv6 address blocks in the FIRS service. storing and locating IPv6 address blocks in the FIRS service.
Refer to [FIRS-ARCH] for information on the FIRS architecture and Refer to [FIRS-ARCH] for information on the FIRS architecture and
[FIRS-CORE] for the schema definitions and rules which govern the [FIRS-CORE] for the schema definitions and rules which govern the
FIRS service as a whole. FIRS service as a whole.
skipping to change at line 88 skipping to change at line 87
2. Prerequisites and Terminology 2. Prerequisites and Terminology
The complete set of specifications in the FIRS collection The complete set of specifications in the FIRS collection
cumulative define a structured and distributed information service cumulative define a structured and distributed information service
using LDAPv3 for the data-formatting and transport functions. This using LDAPv3 for the data-formatting and transport functions. This
specification should be read in the context of that set, which specification should be read in the context of that set, which
currently includes [FIRS-ARCH], [FIRS-CORE], [FIRS-DNS], currently includes [FIRS-ARCH], [FIRS-CORE], [FIRS-DNS],
[FIRS-DNSRR], [FIRS-CONTCT], [FIRS-ASN] and [FIRS-IPV4]. [FIRS-DNSRR], [FIRS-CONTCT], [FIRS-ASN] and [FIRS-IPV4].
Hall I-D Expires: February 2004 [page 2] Hall I-D Expires: March 2004 [page 2]
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL"
in this document are to be interpreted as described in RFC 2119. in this document are to be interpreted as described in RFC 2119.
3. Naming Syntax 3. Naming Syntax
The naming syntax for IPv6 address blocks in FIRS MUST follow the The naming syntax for IPv6 address blocks in FIRS MUST follow the
form of "cn=<inetIpv6NetworkSyntax>,cn=inetResources,<partition>", form of "cn=<inetIpv6NetworkSyntax>,cn=inetResources,<partition>",
where <inetIpv6NetworkSyntaxf> is the IPv6 address block resource, where <inetIpv6NetworkSyntaxf> is the IPv6 address block resource,
and where <partition> is a sequence of domainComponent relative and where <partition> is a sequence of domainComponent relative
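Review bot: In section 3 the placeholder in the "where" clause is spelled "<inetIpv6NetworkSyntaxf>", while the DN template on the preceding line uses "<inetIpv6NetworkSyntax>"; -03 carries the stray "f" forward unchanged, so correct it to match the template. In section 2, "cumulative define" should read "cumulatively define".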
skipping to change at line 126 skipping to change at line 125
uncompressed form. Nibbles with a value of zero MUST be uncompressed form. Nibbles with a value of zero MUST be
represented by the hexadecimal sequence of "0000". represented by the hexadecimal sequence of "0000".
If an input string does not match this syntax, a FIRS-aware If an input string does not match this syntax, a FIRS-aware
application MAY attempt to manipulate the input string to form a application MAY attempt to manipulate the input string to form a
valid value. For example, if a user enters a zero-compressed IPv6 valid value. For example, if a user enters a zero-compressed IPv6
address such as "3ffe:ffff::", the application MAY convert the address such as "3ffe:ffff::", the application MAY convert the
input value to "3ffe:ffff:0000:0000:0000:0000:0000:0000/32" in input value to "3ffe:ffff:0000:0000:0000:0000:0000:0000/32" in
order to form a valid inetIpv6NetworkSyntax form. order to form a valid inetIpv6NetworkSyntax form.
Hall I-D Expires: March 2004 [page 3]
An augmented BNF for this syntax is as follows: An augmented BNF for this syntax is as follows:
inetIpv6NetworkSyntax = inetIpv6Octet ":" inetIpv6Octet ":" inetIpv6NetworkSyntax = inetIpv6Octet ":" inetIpv6Octet ":"
inetIpv6Octet ":" inetIpv6Octet ":" inetIpv6Octet ":" inetIpv6Octet ":" inetIpv6Octet ":" inetIpv6Octet ":"
inetIpv6Octet ":" inetIpv6Octet ":" inetIpv6Octet "/" inetIpv6Octet ":" inetIpv6Octet ":" inetIpv6Octet "/"
inetIpv6Prefix inetIpv6Prefix
Hall I-D Expires: February 2004 [page 3]
inetIpv6Octet = 4*4nibblePart inetIpv6Octet = 4*4nibblePart
nibblePart = hexadecimal digit between "0" and "F" inclusive nibblePart = hexadecimal digit between "0" and "F" inclusive
inetIpv6Prefix = decimal value between "1" and "128" inetIpv6Prefix = decimal value between "1" and "128"
inclusive, with the non-affective leading zeroes removed inclusive, with the non-affective leading zeroes removed
The inetIpv6NetworkSyntax syntax is as follows: The inetIpv6NetworkSyntax syntax is as follows:
inetIpv6NetworkSyntax inetIpv6NetworkSyntax
( 1.3.6.1.4.1.7161.1.6.0 NAME 'inetIpv6NetworkSyntax' DESC ( 1.3.6.1.4.1.7161.1.6.0
'An IPv6 address and prefix.' ) NAME 'inetIpv6NetworkSyntax'
DESC 'An IPv6 address and prefix.' )
For example, an IPv6 network with a range of addresses between For example, an IPv6 network with a range of addresses between
"3ffe:ffff::" and "3ffe:ffff:ffff:ffff:ffff:ffff:ffff:ffff" would "3ffe:ffff::" and "3ffe:ffff:ffff:ffff:ffff:ffff:ffff:ffff" would
be written as "cn=3ffe:ffff:0000:0000:0000:0000:0000:0000/32". be written as "cn=3ffe:ffff:0000:0000:0000:0000:0000:0000/32".
Similarly, a host address of "3ffe:ffff::1:2:3:4" would be written Similarly, a host address of "3ffe:ffff::1:2:3:4" would be written
as "cn=3ffe:ffff:0000:0000:0001:0002:0003:0004/128". as "cn=3ffe:ffff:0000:0000:0001:0002:0003:0004/128".
Note that the entry name of Note that the entry name of
"cn=0000:0000:0000:0000:0000:0000:0000:0000/0" encompasses the "cn=0000:0000:0000:0000:0000:0000:0000:0000/0" encompasses the
entire IPv6 address space. entire IPv6 address space.
Note that the use of "/" is illegal as data in URLs, and MUST be Note that the use of "/" is illegal as data in URLs, and MUST be
escaped before it is stored in a URL as data. escaped before it is stored in a URL as data.
4. Object Classes and Attributes 4. Object Classes and Attributes
IPv6 address block entries in FIRS MUST use the inetIpv6Network IPv6 address block entries in FIRS MUST use the inetIpv6Network
object class, in addition to the mandatory object classes defined object class, in addition to the mandatory object classes defined
in [FIRS-CORE]. IPv6 address block entries MUST be treated as in [FIRS-CORE]. IPv6 address block entries MUST be treated as
containers capable of holding subordinate entries. If an entry containers capable of holding subordinate entries.
exists as a referral source, the entry MUST also be defined with
the referral object class, in addition to the above requirements. If an entry exists as a referral source, the entry MUST be defined
with the referral object class, in addition to the other object
classes defined above. Referral sources MUST NOT contain
Hall I-D Expires: March 2004 [page 4]
subordinate entries. Refer to section 3.5 of [FIRS-CORE] for more
information on referral entries in FIRS.
The inetIpv6Network object class is a structural object class The inetIpv6Network object class is a structural object class
which is subordinate to the inetResources object class. The which is subordinate to the inetResources object class. The
inetIpv6Network object class has no mandatory attributes, although inetIpv6Network object class has no mandatory attributes, although
it does have several optional attributes. The inetIpv6Network it does have several optional attributes. The inetIpv6Network
object class also inherits the attributes defined in the object class also inherits the attributes defined in the
inetResources object class, including the "cn" naming attribute. inetResources object class, including the "cn" naming attribute.
Hall I-D Expires: February 2004 [page 4]
The schema definition for the inetIpv6Network object class is as The schema definition for the inetIpv6Network object class is as
follows: follows:
inetIpv6Network inetIpv6Network
( 1.3.6.1.4.1.7161.1.6.1 ( 1.3.6.1.4.1.7161.1.6.1
NAME 'inetIpv6Network' NAME 'inetIpv6Network'
DESC 'IPv6 network attributes.' DESC 'IPv6 network attributes.'
SUP inetResources SUP inetResources
STRUCTURAL STRUCTURAL
MAY ( inetIpv6DelegationStatus $ inetIpv6DelegationDate $ MAY ( inetIpv6DelegationStatus $ inetIpv6DelegationDate $
inetIpv6Registrar $ inetIpv6Registry $ inetIpv6Contacts $ inetIpv6Registrar $ inetIpv6Registry $ inetIpv6Contacts $
inetIpv6RoutingContacts ) ) inetIpv6RoutingContacts $ inetIpv6ParentNetwork $
inetIpv6SiblingNetworks $ inetIpv6ChildNetworks ) )
The attributes from the inetIpv6Network object class are described The attributes from the inetIpv6Network object class are described
below: below:
inetIpv6Contacts inetIpv6Contacts
( 1.3.6.1.4.1.7161.1.6.2 ( 1.3.6.1.4.1.7161.1.6.2
NAME 'inetIpv6Contacts' NAME 'inetIpv6Contacts'
DESC 'Contacts for general administrative issues concerning DESC 'Contacts for general administrative issues concerning
this IPv6 address block.' this address block.'
EQUALITY caseIgnoreMatch EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.7161.1.7.1 ) SYNTAX 1.3.6.1.4.1.7161.1.4.0 )
inetIpv6DelegationDate inetIpv6DelegationDate
( 1.3.6.1.4.1.7161.1.6.3 ( 1.3.6.1.4.1.7161.1.6.3
NAME 'inetIpv6DelegationDate' NAME 'inetIpv6DelegationDate'
DESC 'Date this IPv6 address block was delegated.' DESC 'Date this address block was delegated.'
EQUALITY generalizedTimeMatch EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE ) SINGLE-VALUE )
Hall I-D Expires: March 2004 [page 5]
inetIpv6DelegationStatus inetIpv6DelegationStatus
( 1.3.6.1.4.1.7161.1.6.4 ( 1.3.6.1.4.1.7161.1.6.4
NAME 'inetIpv6DelegationStatus' NAME 'inetIpv6DelegationStatus'
DESC 'Delegation status of this IPv6 address block.' DESC 'Delegation status of this address block.'
EQUALITY numericStringMatch EQUALITY numericStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{2} SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{2}
SINGLE-VALUE ) SINGLE-VALUE )
Hall I-D Expires: February 2004 [page 5]
NOTE: In an effort to facilitate internationalization and NOTE: In an effort to facilitate internationalization and
programmatic processing, the current status of a delegation programmatic processing, the current status of a delegation
is identified by a 16-bit integer. The values and status is identified by a 16-bit integer. The values and status
mapping is as follows: mapping is as follows:
0 Reserved delegation (permanently inactive) 0 Reserved delegation (permanently inactive)
1 Assigned and active (normal state) 1 Assigned and active (normal state)
2 Assigned but not yet active (new delegation) 2 Assigned but not yet active (new delegation)
3 Assigned but on hold (disputed) 3 Assigned but on hold (disputed)
4 Assignment revoked (database purge pending) 4 Assignment revoked (database purge pending)
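Review bot: The inetIpv6Prefix production restricts the prefix to a decimal value between "1" and "128", yet the note further down in the same section names "cn=0000:0000:0000:0000:0000:0000:0000:0000/0" as the entry that encompasses the entire IPv6 address space, so that entry name is not valid under the syntax as written. Either widen the range to start at "0" or drop the /0 entry name. Separately, the inetIpv6DelegationStatus note describes the status as a 16-bit integer while its SYNTAX line bounds the value to a numeric string of length {2}; state which of the two governs so that validators agree on the accepted range.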
skipping to change at line 240 skipping to change at line 246
Additional values are reserved for future use, and are to Additional values are reserved for future use, and are to
be administered by IANA. be administered by IANA.
Note that there is no status code for "unassigned"; Note that there is no status code for "unassigned";
unassigned entries SHOULD NOT exist, and SHOULD NOT be unassigned entries SHOULD NOT exist, and SHOULD NOT be
returned as answers. returned as answers.
inetIpv6Registrar inetIpv6Registrar
( 1.3.6.1.4.1.7161.1.6.5 ( 1.3.6.1.4.1.7161.1.6.5
NAME 'inetIpv6Registrar' NAME 'inetIpv6Registrar'
DESC 'Registrar who delegated this IPv6 address block.' DESC 'Registrar or sub-registry who delegated this address
block.'
EQUALITY caseExactMatch EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
NOTE: The inetIpv6Registrar attribute uses a URL to NOTE: The inetIpv6Registrar attribute uses a URL to
indicate the registrar who delegated the address block. The indicate the registrar who delegated the address block. The
attribute structure is identical to the labeledURI attribute structure is identical to the labeledURI
attribute, as defined in [RFC2798], including the URL and attribute, as defined in [RFC2798], including the URL and
textual comments. The data can refer to any valid URL. textual comments. The data can refer to any valid URL.
Hall I-D Expires: March 2004 [page 6]
inetIpv6Registry inetIpv6Registry
( 1.3.6.1.4.1.7161.1.6.6 ( 1.3.6.1.4.1.7161.1.6.6
NAME 'inetIpv6Registry' NAME 'inetIpv6Registry'
DESC 'Registry where this IPv6 address block is managed.' DESC 'Regional registry where this address block is
managed.'
EQUALITY caseExactMatch EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
NOTE: The inetIpv6Registry attribute uses a URL to indicate NOTE: The inetIpv6Registry attribute uses a URL to indicate
the registry who is ultimately responsible for the address the registry who is ultimately responsible for the address
block. The attribute structure is identical to the block. The attribute structure is identical to the
labeledURI attribute, as defined in [RFC2798], including labeledURI attribute, as defined in [RFC2798], including
the URL and textual comments. The data can refer to any the URL and textual comments. The data can refer to any
valid URL. valid URL.
Hall I-D Expires: February 2004 [page 6] inetIpv6ParentNetworks
inetIpv6RoutingContacts
( 1.3.6.1.4.1.7161.1.6.7 ( 1.3.6.1.4.1.7161.1.6.7
NAME 'inetIpv6ParentNetworks'
DESC 'IPv6 parent networks directly associated with this
address block.'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.7161.1.6.0 )
inetIpv6SiblingNetworks
( 1.3.6.1.4.1.7161.1.6.8
NAME 'inetIpv6SiblingNetworks'
DESC 'IPv6 sibling networks directly associated with this
address block.'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.7161.1.6.0 )
inetIpv6ChildNetworks
( 1.3.6.1.4.1.7161.1.6.9
NAME 'inetIpv6ChildNetworks'
DESC 'IPv6 child networks directly associated with this
address block.'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.7161.1.6.0 )
Hall I-D Expires: March 2004 [page 7]
inetIpv6RoutingContacts
( 1.3.6.1.4.1.7161.1.6.10
NAME 'inetIpv6RoutingContacts' NAME 'inetIpv6RoutingContacts'
DESC 'Contacts for routing-related problems with this IP6 DESC 'Contacts for routing-related problems with this
address block.' address block.'
EQUALITY caseIgnoreMatch EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.7161.1.7.1 ) SYNTAX 1.3.6.1.4.1.7161.1.4.0 )
An example of the inetIpv6Network object class is shown in Figure An example of the inetIpv6Network object class is shown in Figure
1 below. The example includes attributes from the inetIpv6Network, 1 below. The example includes attributes from the inetIpv6Network,
inetResources, and inetAssociatedResources object classes. inetResources, and inetAssociatedResources object classes.
cn=3ffe:ffff:0000:0000:0000:0000:0000:0000/32, cn=3ffe:ffff:0000:0000:0000:0000:0000:0000/32,
cn=inetResources,dc=arin,dc=net cn=inetResources,dc=arin,dc=net
[top object class] [top object class]
[inetResources object class] [inetResources object class]
[inetIpv6Network object class] [inetIpv6Network object class]
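Review bot: The OID 1.3.6.1.4.1.7161.1.6.7, which -02 assigned to inetIpv6RoutingContacts, is reassigned here to inetIpv6ParentNetworks, and inetIpv6RoutingContacts moves to 1.3.6.1.4.1.7161.1.6.10. Reusing an OID already used in -02 for a different attribute means software built against -02 will interpret parent-network values as routing contacts; leave .7 with inetIpv6RoutingContacts and give the three new attributes .8 through .10. The new attribute is also defined as 'inetIpv6ParentNetworks', while the MAY list of the inetIpv6Network object class names it 'inetIpv6ParentNetwork', so one of the two spellings needs to change.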
skipping to change at line 308 skipping to change at line 341
5. Query Processing Rules 5. Query Processing Rules
Queries for IPv6 address blocks have several special requirements, Queries for IPv6 address blocks have several special requirements,
as discussed in the following sections. as discussed in the following sections.
Refer to [FIRS-CORE] for general information about FIRS queries. Refer to [FIRS-CORE] for general information about FIRS queries.
5.1. Query Pre-Processing 5.1. Query Pre-Processing
Clients MUST ensure that the query input is normalized according FIRS clients MUST use the targeted bootstrap model by default for
to the rules specified in section 3 before the input is used as IPv6 address block queries, using the "ip6.arpa" zone as the seed
the assertion value to the resulting LDAP query. domain for the initial query.
Hall I-D Expires: February 2004 [page 7] Hall I-D Expires: March 2004 [page 8]
The authoritative partition for an IPv6 address block is FIRS clients MAY use the top-down or bottom-up bootstrap models
determined by mapping the normalized input to an associated for queries if necessary or desirable. However, it is not likely
reverse-lookup DNS domain name (using the process as defined in that entries will be found for all IPv6 address block resources
RFC 1886 [RFC1886], as amended by RFC 3152 [RFC3152]), and then using these models. As such, the targeted bootstrap model will be
mapping the resulting DNS domain name to a sequence of the most useful in most cases, and MUST be used by default.
domainComponent labels. The subnet prefix sequence MUST be
stripped from the input address block as part of this mapping
process (note that these rules only apply to the mapping process
by which an authoritative partition is constructed, and does not
apply to the process by which the entry-specific relative
distinguished name is constructed).
Due to the 128-bit addresses and the rules defined in [RFC1886], a When the bottom-up bootstrap model is used, the authoritative
fully-formed IPv6 reverse-lookup domain name will have 34 labels, partition for an IPv6 address block is determined by mapping the
which result in very large distinguished names. normalized input to an associated reverse-lookup DNS domain name
(using the process as defined in RFC 1886 [RFC1886], as amended by
RFC 3152 [RFC3152]), and then mapping the resulting DNS domain
name to a sequence of domainComponent labels. The subnet prefix
sequence MUST be stripped from the input address block as part of
this mapping process (note that these rules only apply to the
mapping process by which an authoritative partition is
constructed, and does not apply to the process by which the entry-
specific relative distinguished name is constructed). Due to the
128-bit addresses and the rules defined in [RFC1886], a fully-
formed IPv6 reverse-lookup domain name will have 34 labels, which
result in very large distinguished names.
For example, an IPv6 address of For example, an IPv6 address of
"3ffe:ffff:0000:0000:0000:0000:0000:0000/32" would be mapped to "3ffe:ffff:0000:0000:0000:0000:0000:0000/32" would be mapped to
the reverse-lookup DNS domain name of the reverse-lookup DNS domain name of
"0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.f.f.f.f.e.f.f.3. "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.f.f.f.f.e.f.f.3.
ip6.arpa." which would in turn be mapped to "dc=0,dc=0,dc=0,dc=0, ip6.arpa." which would in turn be mapped to "dc=0,dc=0,dc=0,dc=0,
dc=0,dc=0,dc=0,dc=0,dc=0,dc=0,dc=0,dc=0,dc=0,dc=0,dc=0,dc=0,dc=0, dc=0,dc=0,dc=0,dc=0,dc=0,dc=0,dc=0,dc=0,dc=0,dc=0,dc=0,dc=0,dc=0,
dc=0,dc=0,dc=0,dc=0,dc=0,dc=0,dc=0,dc=f,dc=f,dc=f,dc=f,dc=e,dc=f, dc=0,dc=0,dc=0,dc=0,dc=0,dc=0,dc=0,dc=f,dc=f,dc=f,dc=f,dc=e,dc=f,
dc=f,dc=3,dc=ip6,dc=arpa". dc=f,dc=3,dc=ip6,dc=arpa", which would then be used as the
authoritative partition for the bottom-up bootstrap process.
5.2. Query Bootstrapping
FIRS clients MUST use the targeted bootstrap model by default for
IPv6 address block queries, using the "ip6.arpa" zone as the seed
domain for the initial query.
FIRS clients MAY use the top-down or bottom-up bootstrap models
for queries if necessary or desirable. However, it is not likely
that entries will be found for all IPv6 address block resources
using these models. As such, the targeted bootstrap model will be
the most useful in most cases, and MUST be used by default.
5.3. LDAP Matching 5.2. LDAP Matching
If the server advertises the inetIpv6Network object class in the If the server advertises the inetIpv6Network object class and
firsVersion server control, FIRS clients MUST use the inetIpv6NetworkMatch matching filter in the inetResourcesControl
inetIpv6NetworkMatch extensible matching filter in LDAP searches server control, FIRS clients MUST use the inetIpv6NetworkMatch
for Ipv6 network entries. matching filter in LDAP searches for IPv6 network entries.
Hall I-D Expires: February 2004 [page 8]
The inetIpv6NetworkMatch filter provides an identifier and search The inetIpv6NetworkMatch filter provides an identifier and search
string format which collectively inform a queried server that a string format which collectively inform a queried server that a
specific IPv6 address should be searched for, and that any specific IPv6 address should be searched for, and that any
matching inetIpv6network object class entries should be returned. matching inetIpv6network object class entries should be returned.
The inetIpv6NetworkMatch extensibleMatch filter is defined as Hall I-D Expires: March 2004 [page 9]
follows: The inetIpv6NetworkMatch matching filter is defined as follows:
inetIpv6NetworkMatch inetIpv6NetworkMatch
( 1.3.6.1.4.1.7161.1.0.6 NAME 'inetIpv6NetworkMatch' SYNTAX ( 1.3.6.1.4.1.7161.1.6.0.1
inetIpv6NetworkSyntax ) NAME 'inetIpv6NetworkMatch'
SYNTAX 1.3.6.1.4.1.7161.1.6.0 )
The assertion value MUST be a normalized IPv6 address, using the Clients MUST ensure that the query input is normalized according
inetIpv6NetworkSyntax defined in section 3. to the rules specified in section 3 before the input is used as
the assertion value to the resulting LDAP query.
A FIRS server MUST compare the assertion value against the RDN of A FIRS server MUST compare the assertion value against the
all entries in the inetResources container of the partition distinguished name of all entries within and beneath the container
specified in the search base which have an object class of of the partition specified in the search base. Any entry in that
inetIpv6Network. Any entry with an object class of inetIpv6Network hierarchy with an object class of inetIpv4Network and a
and with a relative distinguished name which clearly encompasses distinguished name that is clearly superior to the IPv6 address
the IPv6 address provided in the assertion value MUST be returned. provided in the assertion value MUST be returned. Entries which do
Entries which do not clearly encompass the queried address MUST not have an object class of inetIpv6Network MUST NOT be returned.
NOT be returned. Entries which do not have an object class of Entries which are not clearly superior to the queried address MUST
inetIpv6Network MUST NOT be returned. NOT be returned.
In order to ensure that all of the relevant entries are found Note that "superiority" means that the address ranges specified in
(including any referrals), the search filters for these resources the entry names clearly encompass the address range specified in
MUST specify the inetIpv6Network object class along with the the assertion value. This can be reverse-computed by repeatedly
search criteria. For example, "(&(objectclass=inetIpv6Network) shrinking the prefix size of the address in the assertion value,
(1.3.6.1.4.1.7161.1.6.8:= and using the resulting network/prefix pair as a matching value.
3ffe:ffff:0000:0000:0000:0000:0000:0000/32))" with a search base
of "cn=inetResources,dc=arin,dc=net" would find all of the An example of this matching logic for IPv4 addresses is shown in
inetIpv6Network object class entries which were superior to the section 5.2 of [FIRS-IPV4].
"3ffe:ffff:0000:0000:0000:0000:0000:0000/32" address block in the
"dc=arin,dc=net" partition.
Note that the entry name of Note that the entry name of
"cn=0000:0000:0000:0000:0000:0000:0000:0000/0" encompasses the "cn=0000:0000:0000:0000:0000:0000:0000:0000/0" encompasses the
entire IPv6 address space. When used in conjunction with entire IPv6 address space. When used in conjunction with
referrals, this entry MAY be used to redirect all referrals, this entry MAY be used to redirect all
inetIpv6NetworkMatch queries to another partition for subsequent inetIpv6NetworkMatch queries to another partition for subsequent
processing. processing.
The matching filters defined in this specification MUST be The matching filters defined in this specification MUST be
supported by FIRS clients and servers. FIRS servers MAY support supported by FIRS clients and servers. FIRS servers MAY support
additional sub-string filters, soundex filters, or any other additional matching filters, although FIRS clients MUST NOT expect
any additional filters to be available.
Hall I-D Expires: February 2004 [page 9]
filters they wish (these may be required to support generic LDAP
clients), although FIRS clients MUST NOT expect any additional
filters to be available.
If the server does not advertise support for the inetIpv6Network
object class in the firsVersion server control, the client MAY
choose to emulate this matching process through the use of
locally-constructed filters. Since the inetIpv6NetworkMatch filter
simply locates all of the entries in the delegation path to the
named network, it is possible that a client could emulate this
query by generating distinct queries for any entries associated
with the parent networks.
For example, if the user asked for information about the If the server does not advertise support for the
"3ffe:ffff:0000:0000:0000:0000:0000:0000/32" network resource but inetIpv6NetworkMatch matching filter in the inetResourcesControl
the server does not advertise support for the inetIpv6Network server control, the client MAY choose to emulate this matching
object class, the client could theoretically issue secondary
queries for inetIpv6Network entries with cn attributes that begin
with "3ffe:ffff:0000:0000:" or the like.
Unfortunately, this kind of matching is not guaranteed to work in Hall I-D Expires: March 2004 [page 10]
most situations, and clients also need to be careful not to issue filter through the use of locally-constructed equalityMatch
overly-broad queries that match all answers. As such, if the filters. However, this process can result in incomplete answers in
server advertises support for the inetIpv6Network object class in some cases, so if the server advertises support for the
the firsVersion control, then the client MUST use the inetIpv6NetworkMatch matching filter in the inetResourcesControl
inetIpv6NetworkMatch filter defined above. control, the client MUST use it.
5.4. Example Query 5.3. Example Query
The following example assumes that the user has specified The following example assumes that the user has specified
"3ffe:ffff:0000:0000:0000:0000:0000:0000/32" as the query value: "3ffe:ffff:0000:0000:0000:0000:0000:0000/32" as the query value:
a. Normalize the input, which is a. Normalize the input, which is
"3ffe:ffff:0000:0000:0000:0000:0000:0000/32" in this case. "3ffe:ffff:0000:0000:0000:0000:0000:0000/32" in this case.
b. Determine the canonical authoritative partition. b. Determine the canonical authoritative partition.
1. Map the input sequence to the reverse-lookup domain 1. Map the input sequence to the reverse-lookup domain
name, which is "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. name, which is "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.f.f.f.f.e.f.f.3.ip6.arpa." in this case. 0.0.0.0.0.0.f.f.f.f.e.f.f.3.ip6.arpa." in this case.
2. Determine the domain name which is appropriate for the 2. Determine the domain name which is appropriate for the
bootstrap model in use. In the default case of a bootstrap model in use. In the default case of a
targeted query, use the label sequence of "ip6.arpa". targeted query, use the label sequence of "ip6.arpa".
In the case of a bottom-up query, use the label In the case of a bottom-up query, use the label
sequence determined in step 5.3.b.1. In the case of a
Hall I-D Expires: February 2004 [page 10]
sequence determined in step 5.4.b.1. In the case of a
top-down query, set the domain name to "arpa". top-down query, set the domain name to "arpa".
3. Map the domain name to an authoritative partition, 3. Map the domain name to an authoritative partition,
which would be "dc=ip6,dc=arpa" if the default which would be "dc=ip6,dc=arpa" if the default
bootstrap model were in use. bootstrap model were in use.
c. Determine the search base for the query, which will be c. Determine the search base for the query, which will be
"cn=inetResources,dc=ip6,dc=arpa" if the defaults are used. "cn=inetResources,dc=ip6,dc=arpa" if the defaults are used.
d. Initiate a DNS lookup for the SRV resource records d. Initiate a DNS lookup for the SRV resource records
associated with "_ldap._tcp.ip6.arpa." For the purpose of associated with "_ldap._tcp.ip6.arpa." For the purpose of
this example, assume that this lookup succeeds, with the this example, assume that this lookup succeeds, with the
DNS response message indicating that "firs.iana.org" is the DNS response message indicating that "firs.iana.org" is the
preferred LDAP server. preferred LDAP server.
e. Submit an LDAPv3 query to the specified server, using e. Submit an LDAPv3 query to the specified server, using
"(&(objectClass=inetIpv6Network)(1.3.6.1.4.1.7161.1.6.8:= "(1.3.6.1.4.1.7161.1.6.0.1:=
3ffe:ffff:0000:0000:0000:0000:0000:0000/32)" as the 3ffe:ffff:0000:0000:0000:0000:0000:0000/32)" as the
matching filter, "cn=inetResources,dc=ip6,dc=arpa" as the matching filter, "cn=inetResources,dc=ip6,dc=arpa" as the
search base, and the global query defaults defined in search base, and the global query defaults defined in
[FIRS-CORE]. [FIRS-CORE].
Hall I-D Expires: March 2004 [page 11]
f. Assume that no referrals are received. Display the answer f. Assume that no referrals are received. Display the answer
data which has been received and exit the query. data which has been received and exit the query.
6. Security Considerations 6. Security Considerations
Security considerations are discussed in [FIRS-ARCH]. Security considerations are discussed in [FIRS-ARCH].
7. IANA Considerations 7. IANA Considerations
This specification uses the "dc=ip6,dc=arpa" directory partition This specification uses the "dc=ip6,dc=arpa" directory partition
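Review bot: In step e the new filter drops the "(objectClass=inetIpv6Network)" clause together with the "(&" wrapper, so the example now relies on the extensible match "1.3.6.1.4.1.7161.1.6.0.1:=" alone to select entries. State in the text whether that is intended, and whether the matching rule by itself restricts results to inetIpv6Network entries. The old filter opened three parentheses and closed only two, which the new form fixes; if the objectClass clause is restored, add the missing closing parenthesis as well. The cross-reference change from step 5.3.b.1 to 5.4.b.1 should also be checked against the renumbered subsections of section 5.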
skipping to change at line 499 skipping to change at line 508
containing IPv6-specific entries which will provide referrals to containing IPv6-specific entries which will provide referrals to
the appropriate RIR partitions. It is further expected that IANA the appropriate RIR partitions. It is further expected that IANA
will oversee the creation and management of the ip6.arpa domain's will oversee the creation and management of the ip6.arpa domain's
LDAP SRV resource records, the "dc=ip6,dc=arpa" LDAP partition, LDAP SRV resource records, the "dc=ip6,dc=arpa" LDAP partition,
and the necessary LDAP servers. and the necessary LDAP servers.
The inetIpv6DelegationStatus attribute uses numeric code values. The inetIpv6DelegationStatus attribute uses numeric code values.
It is expected that IANA will manage the assignment of these It is expected that IANA will manage the assignment of these
values. values.
Hall I-D Expires: February 2004 [page 11]
Additional IANA considerations are discussed in [FIRS-ARCH]. Additional IANA considerations are discussed in [FIRS-ARCH].
8. Normative References 8. Normative References
[RFC1886] Thomson, S., and Huitema, C. "DNS Extensions [RFC1886] Thomson, S., and Huitema, C. "DNS Extensions
to support IP version 6", RFC 1886, December to support IP version 6", RFC 1886, December
1995. 1995.
[RFC2247] Kille, S., Wahl, M., Grimstad, A., Huber, R., [RFC2247] Kille, S., Wahl, M., Grimstad, A., Huber, R.,
and Sataluri, S. "Using Domains in LDAP/X.500 and Sataluri, S. "Using Domains in LDAP/X.500
skipping to change at line 524 skipping to change at line 532
RFC 2251, December 1997. RFC 2251, December 1997.
[RFC2252] Wahl, M., Coulbeck, A., Howes, T., and Kille, [RFC2252] Wahl, M., Coulbeck, A., Howes, T., and Kille,
S. "Lightweight Directory Access Protocol S. "Lightweight Directory Access Protocol
(v3): Attribute Syntax Definitions", RFC 2252, (v3): Attribute Syntax Definitions", RFC 2252,
December 1997. December 1997.
[RFC2254] Howes, T. "The String Representation of LDAP [RFC2254] Howes, T. "The String Representation of LDAP
Search Filters", RFC 2254, December 1997. Search Filters", RFC 2254, December 1997.
Hall I-D Expires: March 2004 [page 12]
[RFC3152] Bush, R. "Delegation of IP6.ARPA", RFC 3152, [RFC3152] Bush, R. "Delegation of IP6.ARPA", RFC 3152,
August 2001. August 2001.
[FIRS-ARCH] Hall, E. "The Federated Internet Registry [FIRS-ARCH] Hall, E. "The Federated Internet Registry
Service: Architecture and Implementation Service: Architecture and Implementation
Guide", draft-ietf-crisp-firs-arch-02, July Guide", draft-ietf-crisp-firs-arch-03, August
2003. 2003.
[FIRS-ASN] Hall, E. "Defining and Locating Autonomous [FIRS-ASN] Hall, E. "Defining and Locating Autonomous
System Numbers in the Federated Internet System Numbers in the Federated Internet
Registry Service", draft-ietf-crisp-firs-asn- Registry Service", draft-ietf-crisp-firs-asn-
02, July 2003. 03, August 2003.
[FIRS-CONTCT] Hall, E. "Defining and Locating Contact [FIRS-CONTCT] Hall, E. "Defining and Locating Contact
Persons in the Federated Internet Registry Persons in the Federated Internet Registry
Service", draft-ietf-crisp-firs-contact-02, Service", draft-ietf-crisp-firs-contact-03,
July 2003. August 2003.
[FIRS-CORE] Hall, E. "The Federated Internet Registry [FIRS-CORE] Hall, E. "The Federated Internet Registry
Service: Core Elements", draft-ietf-crisp- Service: Core Elements", draft-ietf-crisp-
firs-core-02, July 2003. firs-core-03, August 2003.
[FIRS-DNS] Hall, E. "Defining and Locating DNS Domains in [FIRS-DNS] Hall, E. "Defining and Locating DNS Domains in
the Federated Internet Registry Service", the Federated Internet Registry Service",
draft-ietf-crisp-firs-dns-02, July 2003. draft-ietf-crisp-firs-dns-03, August 2003.
Hall I-D Expires: February 2004 [page 12]
[FIRS-DNSRR] Hall, E. "Defining and Locating DNS Resource [FIRS-DNSRR] Hall, E. "Defining and Locating DNS Resource
Records in the Federated Internet Registry Records in the Federated Internet Registry
Service", draft-ietf-crisp-firs-dnsrr-02, July Service", draft-ietf-crisp-firs-dnsrr-02, July
2003. 2003.
[FIRS-IPV4] Hall, E. "Defining and Locating IPv4 Address [FIRS-IPV4] Hall, E. "Defining and Locating IPv4 Address
Blocks in the Federated Internet Registry Blocks in the Federated Internet Registry
Service", draft-ietf-crisp-firs-ipv4-02, July Service", draft-ietf-crisp-firs-ipv4-03,
2003. August 2003.
[FIRS-IPV6] Hall, E. "Defining and Locating IPv6 Address
Blocks in the Federated Internet Registry
Service", draft-ietf-crisp-firs-ipv6-02, July
2003.
9. Changes from Previous Versions 9. Changes from Previous Versions
draft-ietf-crisp-firs-ipv6-03:
* Several clarifications and corrections have been made.
* Added the inetIpv6ParentNetworks, inetIpv6SiblingNetworks,
and inetIpv6ChildNetworks attributes.
* Several attributes had their OIDs changed. NOTE THAT THIS
IS AN INTERNET DRAFT, AND THAT THE OIDS ARE SUBJECT TO
ADDITIONAL CHANGES AS THIS DOCUMENT IS EDITED.
Hall I-D Expires: March 2004 [page 13]
draft-ietf-crisp-firs-ipv6-02: draft-ietf-crisp-firs-ipv6-02:
* Several clarifications and corrections have been made. * Several clarifications and corrections have been made.
* Changed the default bootstrap model to use targeted * Changed the default bootstrap model to use targeted
queries, with "ip6.arpa" as the default zone and queries, with "ip6.arpa" as the default zone and
"dc=ip6,dc=arpa" as the default partition. "dc=ip6,dc=arpa" as the default partition.
* Several attributes had their OIDs changed. NOTE THAT THIS * Several attributes had their OIDs changed. NOTE THAT THIS
IS AN INTERNET DRAFT, AND THAT THE OIDS ARE SUBJECT TO IS AN INTERNET DRAFT, AND THAT THE OIDS ARE SUBJECT TO
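Review bot: The [FIRS-DNSRR] entry still cites "draft-ietf-crisp-firs-dnsrr-02, July 2003" on both sides, while the other FIRS references shown in this hunk were moved to -03, August 2003. Either bump it with the rest or confirm that no -03 of that draft exists. The new -03 changelog entry also repeats "Several attributes had their OIDs changed" without naming them; the example filter shows the matching rule moving from 1.3.6.1.4.1.7161.1.6.8 to 1.3.6.1.4.1.7161.1.6.0.1, so listing the old and new OIDs here would let implementers of -02 find every value they have to update.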
skipping to change at line 600 skipping to change at line 615
actual data instead of URL pointers to data. Clients that actual data instead of URL pointers to data. Clients that
wish to retrieve these values will need to start new wish to retrieve these values will need to start new
queries using the data values instead of URLs. queries using the data values instead of URLs.
* The attribute-specific operational attributes have been * The attribute-specific operational attributes have been
eliminated as unnecessary. eliminated as unnecessary.
* The inetIpv6Registrar and inetIpv6Registry attributes were * The inetIpv6Registrar and inetIpv6Registry attributes were
added. added.
Hall I-D Expires: February 2004 [page 13]
* Several attributes had their OIDs changed. NOTE THAT THIS * Several attributes had their OIDs changed. NOTE THAT THIS
IS AN INTERNET DRAFT, AND THAT THE OIDS ARE SUBJECT TO IS AN INTERNET DRAFT, AND THAT THE OIDS ARE SUBJECT TO
ADDITIONAL CHANGES AS THIS DOCUMENT IS EDITED. ADDITIONAL CHANGES AS THIS DOCUMENT IS EDITED.
* Several typographical errors have been fixed. * Several typographical errors have been fixed.
* Some unnecessary text has been removed. * Some unnecessary text has been removed.
10. Author's Address 10. Author's Address
Eric A. Hall Eric A. Hall
ehall@ehsco.com ehall@ehsco.com
Hall I-D Expires: March 2004 [page 14]
11. Acknowledgments 11. Acknowledgments
Funding for the RFC editor function is currently provided by the Funding for the RFC editor function is currently provided by the
Internet Society. Internet Society.
Portions of this document were funded by VeriSign Labs. Portions of this document were funded by VeriSign Labs.
The first version of this specification was co-authored by Andrew The first version of this specification was co-authored by Andrew
Newton of VeriSign Labs, and subsequent versions continue to be Newton of VeriSign Labs, and subsequent versions continue to be
developed with his active participation. Edward Lewis also developed with his active participation. Edward Lewis also
skipping to change at line 645 skipping to change at line 660
restriction of any kind, provided that the above copyright notice restriction of any kind, provided that the above copyright notice
and this paragraph are included on all such copies and derivative and this paragraph are included on all such copies and derivative
works. However, this document itself may not be modified in any works. However, this document itself may not be modified in any
way, such as by removing the copyright notice or references to the way, such as by removing the copyright notice or references to the
Internet Society or other Internet organizations, except as needed Internet Society or other Internet organizations, except as needed
for the purpose of developing Internet standards in which case the for the purpose of developing Internet standards in which case the
procedures for copyrights defined in the Internet Standards procedures for copyrights defined in the Internet Standards
process must be followed, or as required to translate it into process must be followed, or as required to translate it into
languages other than English. languages other than English.
Hall I-D Expires: February 2004 [page 14]
The limited permissions granted above are perpetual and will not The limited permissions granted above are perpetual and will not
be revoked by the Internet Society or its successors or assigns. be revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on This document and the information contained herein is provided on
an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Hall I-D Expires: February 2004 [page 15] Hall I-D Expires: March 2004 [page 15]
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/