BS ISO IEC 29341-24-11-2017 Information technology UPnP Device Architecture Internet gateway device control protocol Level 2 Wide area network internet protocol v6 Firewal.pdf

1、Information technology UPnP Device Architecture Part 24-11: Internet gateway device control protocol Level 2 Wide area network internet protocol v6 Firewall control service BS ISO/IEC 29341-24-11:2017 BSI Standards Publication WB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06Information techn

2、ology UPnP Device Architecture Part 24-11: Internet gateway device control protocol Level 2 Wide area network internet protocol v6 Firewall control service Technologies de linformation Architecture de dispositif UPnP Partie 24-11: Protocole de contrle de dispositif de passerelle Internet Niveau 2 Pr

3、otocole internet de rseau tendu v6 Service de contrle du pare-feu INTERNATIONAL STANDARD ISO/IEC 29341-24-11 Reference number ISO/IEC 29341-24-11:2017(E) First edition 2017-09 ISO/IEC 2017 National foreword This British Standard is the UK implementation of ISO/IEC 29341-24-11:2017. The UK participat

4、ion in its preparation was entrusted to Technical Committee ICT/-/1, Information systems co-ordination. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. Users ar

5、e responsible for its correct application. The British Standards Institution 2017 Published by BSI Standards Limited 2017 ISBN 978 0 580 90855 2 ICS 35.200 Compliance with a British Standard cannot confer immunity from legal obligations. This British Standard was published under the authority of the

6、 Standards Policy and Strategy Committee on 30 September 2017. Amendments/corrigenda issued since publication Date Text affected BRITISH STANDARD BS ISO/IEC 293412411:2017Information technology UPnP Device Architecture Part 24-11: Internet gateway device control protocol Level 2 Wide area network in

7、ternet protocol v6 Firewall control service Technologies de linformation Architecture de dispositif UPnP Partie 24-11: Protocole de contrle de dispositif de passerelle Internet Niveau 2 Protocole internet de rseau tendu v6 Service de contrle du pare-feu INTERNATIONAL STANDARD ISO/IEC 29341-24-11 Ref

8、erence number ISO/IEC 29341-24-11:2017(E) First edition 2017-09 ISO/IEC 2017 BS ISO/IEC 293412411:2017 ii ISO/IEC 2017 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2017, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduce

9、d or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester. IS

10、O copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC 29341-24-11:2017(E) BS ISO/IEC 293412411:2017 ii ISO/IEC 2017 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2017, Published in

11、 Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can

12、 be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC 29341-24-11:2017(E) ISO/IEC 293

13、41-24-11:2017(E) ISO/IEC 2017 All rights reserved iii CONTENTS 1 Scope 1 2 Normative References . 1 3 Terms, definitions, symbols and abbreviations 2 4 Notations and conventions . 4 Notation . 4 4.1Data types 4 4.2Vendor-defined extensions 4 4.3 5 Service Model 4 Service Type 4 5.1Service Architectu

14、re 5 5.2State Variables . 5 5.3Summary 5 5.3.1FirewallEnabled 5 5.3.2InboundPinholeAllowed . 6 5.3.3A_ARG_TYPE_OutboundPinholeTimeout 6 5.3.4A_ARG_TYPE_IPv6Address 6 5.3.5A_ARG_TYPE_Port . 6 5.3.6A_ARG_TYPE_Protocol 6 5.3.7A_ARG_TYPE_LeaseTime 6 5.3.8A_ARG_TYPE_UniqueID . 7 5.3.9A_ARG_TYPE_PinholePa

15、ckets . 7 5.3.10A_ARG_TYPE_Boolean 7 5.3.11Relationships among State Variables . 7 5.3.12Eventing and Moderation 7 5.4Summary 7 5.4.1Eventing of FirewallEnabled 7 5.4.2Eventing of InboundPinholeAllowed . 7 5.4.3Actions . 7 5.5Summary 7 5.5.1GetFirewallStatus() . 8 5.5.2GetOutboundPinholeTimeout() 8

16、5.5.3AddPinhole() 10 5.5.4UpdatePinhole() . 12 5.5.5DeletePinhole() 13 5.5.6GetPinholePackets() 14 5.5.7CheckPinholeWorking() 15 5.5.8Relationships Between Actions . 17 5.5.9Error Code Summary 17 5.5.10Service Behavioral Model 17 5.6 6 XML Service Description . 18 Annex A (informative) Theory of Ope

17、ration . 23 A.1 IPv4 NAT and IPv6 firewall control relationship . 23 A.2 Start-up . 23 A.3 Outbound pinhole management 24 A.3.1 Outbound pinhole creation 24 A.3.2 Outbound pinhole refresh . 24 BS ISO/IEC 293412411:2017ISO/IEC 29341-24-11:2017(E) iv ISO/IEC 2017 All rights reserved A.3.3 Outbound pin

18、hole lifecycle . 25 A.4 Inbound Pinhole management 25 A.4.1 Inbound pinhole creation 25 A.4.2 Checking that an inbound pinhole is working . 26 A.4.3 Inbound pinhole refresh 27 A.4.4 Inbound pinhole state transition diagram . 28 Annex B (normative) Security Considerations . 29 B.1 Overview . 29 B.2 F

19、irewall Assets, Risks and Threats . 29 B.3 Firewall Control Policy and Recommendations . 29 Annex C (informative) Bibliography 31 Figure A.1 Outbound pinhole creation . 24 Figure A.2 Outbound pinhole refresh . 25 Figure A.3 Outbound pinhole state transition diagram 25 Figure A.4 Inbound pinhole crea

20、tion 26 Figure A.5 Checking that an inbound pinhole is working 27 Figure A.6 Inbound pinhole refresh and deletion 28 Figure A.7 Inbound pinhole state transition diagram 28 Table 1 State Variables . 5 Table 2 allowedValueRange for A_ARG_TYPE_OutboundPinholeTimeout 6 Table 3 allowedValueRange for A_AR

21、G_TYPE_LeaseTime 6 Table 4 Eventing and Moderation . 7 Table 5 Actions . 7 Table 6 Arguments for GetFirewallStatus() . 8 Table 7 Error Codes for GetFirewallStatus() . 8 Table 8 Arguments for GetOutboundPinholeTimeout() 9 Table 9 Error Codes for GetOutboundPinholeTimeout() . 10 Table 10 Arguments for

22、 AddPinhole() 10 Table 11 Error Codes for AddPinhole() 11 Table 12 Arguments for UpdatePinhole() . 12 Table 13 Error Codes for UpdatePinhole() . 13 Table 14 Arguments for DeletePinhole() 13 Table 15 Error Codes for DeletePinhole() 14 Table 16 Arguments for GetPinholePackets() 14 Table 17 Error Codes

23、 for GetPinholePackets() 15 Table 18 Arguments for CheckPinholeWorking() 16 Table 19 Error Codes for CheckPinholeWorking() 16 Table 20 Error Code Summary 17 BS ISO/IEC 293412411:2017ISO/IEC 29341-24-11:2017(E) iv ISO/IEC 2017 All rights reserved A.3.3 Outbound pinhole lifecycle . 25 A.4 Inbound Pinh

24、ole management 25 A.4.1 Inbound pinhole creation 25 A.4.2 Checking that an inbound pinhole is working . 26 A.4.3 Inbound pinhole refresh 27 A.4.4 Inbound pinhole state transition diagram . 28 Annex B (normative) Security Considerations . 29 B.1 Overview . 29 B.2 Firewall Assets, Risks and Threats .

25、29 B.3 Firewall Control Policy and Recommendations . 29 Annex C (informative) Bibliography 31 Figure A.1 Outbound pinhole creation . 24 Figure A.2 Outbound pinhole refresh . 25 Figure A.3 Outbound pinhole state transition diagram 25 Figure A.4 Inbound pinhole creation 26 Figure A.5 Checking that an

26、inbound pinhole is working 27 Figure A.6 Inbound pinhole refresh and deletion 28 Figure A.7 Inbound pinhole state transition diagram 28 Table 1 State Variables . 5 Table 2 allowedValueRange for A_ARG_TYPE_OutboundPinholeTimeout 6 Table 3 allowedValueRange for A_ARG_TYPE_LeaseTime 6 Table 4 Eventing

27、and Moderation . 7 Table 5 Actions . 7 Table 6 Arguments for GetFirewallStatus() . 8 Table 7 Error Codes for GetFirewallStatus() . 8 Table 8 Arguments for GetOutboundPinholeTimeout() 9 Table 9 Error Codes for GetOutboundPinholeTimeout() . 10 Table 10 Arguments for AddPinhole() 10 Table 11 Error Code

28、s for AddPinhole() 11 Table 12 Arguments for UpdatePinhole() . 12 Table 13 Error Codes for UpdatePinhole() . 13 Table 14 Arguments for DeletePinhole() 13 Table 15 Error Codes for DeletePinhole() 14 Table 16 Arguments for GetPinholePackets() 14 Table 17 Error Codes for GetPinholePackets() 15 Table 18

29、 Arguments for CheckPinholeWorking() 16 Table 19 Error Codes for CheckPinholeWorking() 16 Table 20 Error Code Summary 17 ISO/IEC 29341-24-11:2017(E) ISO/IEC 2017 All rights reserved v Foreword ISO (the International Organization for Standardization) and IE C (the International Electrotechnical Commi

30、ssion) form the specialized system for wo rldwide standardization. National bodies that are members of ISO or IEC participate in t he development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. I

31、SO and IEC technical committees collaborate in fields of mutual interest. Other inte rnational organizations, governmental and nongovernmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, I

32、SO/IEC JTC 1. The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance

33、 with the editorial rules of the ISO/IEC Directives, Part 2 (see http:/www.iso.org/directives). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent right

34、s. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this document is information given for the convenience of users and does not constitu

35、te an endorsement. For an explanation on the voluntary nature of Standard, the meaning of the ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Forewor

36、d Supplementary information ISO/IEC 293412411was prepared by UPnP Forum and adopted, under the PAS procedure, by joint technical committee ISO/IEC JTC 1, Information technology, in parallel with its approval by national bodies of ISO and IEC. The list of all currently available parts of ISO/IEC 2934

37、1 series, under the general title Information technology UPnP Device Architecture, can be found on the ISO web site. BS ISO/IEC 293412411:2017ISO/IEC 29341-24-11:2017(E) vi ISO/IEC 2017 All rights reserved Introduction ISO and IEC draw attention to the fact that it is claimed that compliance with th

38、is document may involve the use of patents as indicated below. ISO and IEC take no position concerning the evidence, validity and scope of these patent rights. The holders of -these patent rights have assured ISO and IEC that they are willing to negotiate licenses under reasonable and non-discrimina

39、tory terms and conditions with applicants throughout the world. In this respect, the statements of the holders of these patent rights are registered with ISO and IEC. Intel Corporation has informed IEC and ISO that it has patent applications or granted patents. Information may be obtained from: Inte

40、l Corporation Standards Licensing Department 5200 NE Elam Young Parkway MS: JFS-98 USA Hillsboro, Oregon 97124 Microsoft Corporation has informed IEC and ISO that it has patent applications or granted patents as listed below: 6101499 / US; 6687755 / US; 6910068 / US; 7130895 / US; 6725281 / US; 7089

41、307 / US; 7069312 / US; 10/783 524 /US Information may be obtained from: Microsoft Corporation One Microsoft Way USA Redmond WA 98052 Philips International B.V. has informed IEC and ISO that it has patent applications or granted patents. Information may be obtained from: Philips International B.V. I

42、P 6687755 / US; 6910068 / US; 7130895 / US; 6725281 / US; 7089307 / US; 7069312 / US; 10/783 524 /US Information may be obtained from: Microsoft Corporation One Microsoft Way USA Redmond WA 98052 Philips International B.V. has informed IEC and ISO that it has patent applications or granted patents.

43、Information may be obtained from: Philips International B.V. IP 6 170 007 / US; 6 139 177 / US; 6 529 936 / US; 6 470 339 / US; 6 571 388 / US; 6 205 466 / US Information may be obtained from: Hewlett Packard Company 1501 Page Mill Road USA Palo Alto, CA 94304 Samsung Electronics Co. Ltd. has inform

44、ed IEC and ISO that it has patent applications or granted patents. Information may be obtained from: Digital Media Business, Samsung Electronics Co. Ltd. 416 Maetan-3 Dong, Yeongtang-Gu, KR Suwon City 443-742 Huawei Technologies Co., Ltd. has informed IEC and ISO that it has patent applications or g

45、ranted patents. Information may be obtained from: Huawei Technologies Co., Ltd. Administration Building, Bantian Longgang District Shenzhen China 518129 Qualcomm Incorporated has informed IEC and ISO that it has patent applications or granted patents. Information may be obtained from: Qualcomm Incor

46、porated 5775 Morehouse Drive San Diego, CA USA 92121 Telecom Italia S.p.A.has informed IEC and ISO that it has patent applications or granted patents. Information may be obtained from: Telecom Italia S.p.A. Via Reiss Romoli, 274 Turin - Italy 10148 Cisco Systems informed IEC and ISO that it has pate

47、nt applications or granted patents. Information may be obtained from: Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA USA 95134 Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights other than those identified above. ISO and IEC shall not be held responsible for identifying any or all such patent rights. BS ISO/IEC 293412411:2017