BS ISO IEC 29341-24-11-2017 Information technology UPnP Device Architecture Internet gateway device control protocol Level 2 Wide area network internet protocol v6 Firewall control.pdf

1、Information technology UPnP Device ArchitecturePart 24-11: Internet gateway device control protocol Level 2 Wide area network internet protocol v6 Firewall control serviceBS ISO/IEC 29341-24-11:2017BSI Standards PublicationWB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06Information technolog

2、y UPnP Device Architecture Part 24-11: Internet gateway device control protocol Level 2 Wide area network internet protocol v6 Firewall control serviceTechnologies de linformation Architecture de dispositif UPnP Partie 24-11: Protocole de contrle de dispositif de passerelle Internet Niveau 2 Protoco

3、le internet de rseau tendu v6 Service de contrle du pare-feuINTERNATIONAL STANDARDISO/IEC 29341-24-11Reference numberISO/IEC 29341-24-11:2017(E)First edition2017-09 ISO/IEC 2017National forewordThis British Standard is the UK implementation of ISO/IEC 29341-24-11:2017.The UK participation in its pre

4、paration was entrusted to Technical Committee ICT/-/1, Information systems co-ordination.A list of organizations represented on this committee can be obtained on request to its secretary.This publication does not purport to include all the necessary provisions of a contract. Users are responsible fo

5、r its correct application. The British Standards Institution 2017 Published by BSI Standards Limited 2017ISBN 978 0 580 90855 2ICS 35.200Compliance with a British Standard cannot confer immunity from legal obligations.This British Standard was published under the authority of the Standards Policy an

6、d Strategy Committee on 30 September 2017.Amendments/corrigenda issued since publicationDate Text affectedBRITISH STANDARDBS ISO/IEC 293412411:2017Information technology UPnP Device Architecture Part 24-11: Internet gateway device control protocol Level 2 Wide area network internet protocol v6 Firew

7、all control serviceTechnologies de linformation Architecture de dispositif UPnP Partie 24-11: Protocole de contrle de dispositif de passerelle Internet Niveau 2 Protocole internet de rseau tendu v6 Service de contrle du pare-feuINTERNATIONAL STANDARDISO/IEC 29341-24-11Reference numberISO/IEC 29341-2

8、4-11:2017(E)First edition2017-09 ISO/IEC 2017BS ISO/IEC 293412411:2017ii ISO/IEC 2017 All rights reservedCOPYRIGHT PROTECTED DOCUMENT ISO/IEC 2017, Published in SwitzerlandAll rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form

9、 or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester.ISO copyright officeCh. de Blandonnet

10、8 CP 401CH-1214 Vernier, Geneva, SwitzerlandTel. +41 22 749 01 11Fax +41 22 749 09 47copyrightiso.orgwww.iso.orgISO/IEC 29341-24-11:2017(E)BS ISO/IEC 293412411:2017ii ISO/IEC 2017 All rights reservedCOPYRIGHT PROTECTED DOCUMENT ISO/IEC 2017, Published in SwitzerlandAll rights reserved. Unless otherw

11、ise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address be

12、low or ISOs member body in the country of the requester.ISO copyright officeCh. de Blandonnet 8 CP 401CH-1214 Vernier, Geneva, SwitzerlandTel. +41 22 749 01 11Fax +41 22 749 09 47copyrightiso.orgwww.iso.orgISO/IEC 29341-24-11:2017(E)ISO/IEC 29341-24-11:2017(E) ISO/IEC 2017 All rights reserved iii CO

13、NTENTS 1 Scope 1 2 Normative References . 1 3 Terms, definitions, symbols and abbreviations 2 4 Notations and conventions . 4 Notation . 4 4.1Data types 4 4.2Vendor-defined extensions 4 4.35 Service Model 4 Service Type 4 5.1Service Architecture 5 5.2State Variables . 5 5.3Summary 5 5.3.1FirewallEna

14、bled 5 5.3.2InboundPinholeAllowed . 6 5.3.3A_ARG_TYPE_OutboundPinholeTimeout 6 5.3.4A_ARG_TYPE_IPv6Address 6 5.3.5A_ARG_TYPE_Port . 6 5.3.6A_ARG_TYPE_Protocol 6 5.3.7A_ARG_TYPE_LeaseTime 6 5.3.8A_ARG_TYPE_UniqueID . 7 5.3.9A_ARG_TYPE_PinholePackets . 7 5.3.10A_ARG_TYPE_Boolean 7 5.3.11Relationships

15、among State Variables . 7 5.3.12Eventing and Moderation 7 5.4Summary 7 5.4.1Eventing of FirewallEnabled 7 5.4.2Eventing of InboundPinholeAllowed . 7 5.4.3Actions . 7 5.5Summary 7 5.5.1GetFirewallStatus() . 8 5.5.2GetOutboundPinholeTimeout() 8 5.5.3AddPinhole() 10 5.5.4UpdatePinhole() . 12 5.5.5Delet

16、ePinhole() 13 5.5.6GetPinholePackets() 14 5.5.7CheckPinholeWorking() 15 5.5.8Relationships Between Actions . 17 5.5.9Error Code Summary 17 5.5.10Service Behavioral Model 17 5.66 XML Service Description . 18 Annex A (informative) Theory of Operation . 23 A.1 IPv4 NAT and IPv6 firewall control relatio

17、nship . 23 A.2 Start-up . 23 A.3 Outbound pinhole management 24 A.3.1 Outbound pinhole creation 24 A.3.2 Outbound pinhole refresh . 24 BS ISO/IEC 293412411:2017ISO/IEC 29341-24-11:2017(E) iv ISO/IEC 2017 All rights reserved A.3.3 Outbound pinhole lifecycle . 25 A.4 Inbound Pinhole management 25 A.4.

18、1 Inbound pinhole creation 25 A.4.2 Checking that an inbound pinhole is working . 26 A.4.3 Inbound pinhole refresh 27 A.4.4 Inbound pinhole state transition diagram . 28 Annex B (normative) Security Considerations . 29 B.1 Overview . 29 B.2 Firewall Assets, Risks and Threats . 29 B.3 Firewall Contro

19、l Policy and Recommendations . 29 Annex C (informative) Bibliography 31 Figure A.1 Outbound pinhole creation . 24 Figure A.2 Outbound pinhole refresh . 25 Figure A.3 Outbound pinhole state transition diagram 25 Figure A.4 Inbound pinhole creation 26 Figure A.5 Checking that an inbound pinhole is wor

20、king 27 Figure A.6 Inbound pinhole refresh and deletion 28 Figure A.7 Inbound pinhole state transition diagram 28 Table 1 State Variables . 5 Table 2 allowedValueRange for A_ARG_TYPE_OutboundPinholeTimeout 6 Table 3 allowedValueRange for A_ARG_TYPE_LeaseTime 6 Table 4 Eventing and Moderation . 7 Tab

21、le 5 Actions . 7 Table 6 Arguments for GetFirewallStatus() . 8 Table 7 Error Codes for GetFirewallStatus() . 8 Table 8 Arguments for GetOutboundPinholeTimeout() 9 Table 9 Error Codes for GetOutboundPinholeTimeout() . 10 Table 10 Arguments for AddPinhole() 10 Table 11 Error Codes for AddPinhole() 11

22、Table 12 Arguments for UpdatePinhole() . 12 Table 13 Error Codes for UpdatePinhole() . 13 Table 14 Arguments for DeletePinhole() 13 Table 15 Error Codes for DeletePinhole() 14 Table 16 Arguments for GetPinholePackets() 14 Table 17 Error Codes for GetPinholePackets() 15 Table 18 Arguments for CheckPi

23、nholeWorking() 16 Table 19 Error Codes for CheckPinholeWorking() 16 Table 20 Error Code Summary 17 BS ISO/IEC 293412411:2017ISO/IEC 29341-24-11:2017(E) iv ISO/IEC 2017 All rights reserved A.3.3 Outbound pinhole lifecycle . 25 A.4 Inbound Pinhole management 25 A.4.1 Inbound pinhole creation 25 A.4.2

24、Checking that an inbound pinhole is working . 26 A.4.3 Inbound pinhole refresh 27 A.4.4 Inbound pinhole state transition diagram . 28 Annex B (normative) Security Considerations . 29 B.1 Overview . 29 B.2 Firewall Assets, Risks and Threats . 29 B.3 Firewall Control Policy and Recommendations . 29 An

25、nex C (informative) Bibliography 31 Figure A.1 Outbound pinhole creation . 24 Figure A.2 Outbound pinhole refresh . 25 Figure A.3 Outbound pinhole state transition diagram 25 Figure A.4 Inbound pinhole creation 26 Figure A.5 Checking that an inbound pinhole is working 27 Figure A.6 Inbound pinhole r

26、efresh and deletion 28 Figure A.7 Inbound pinhole state transition diagram 28 Table 1 State Variables . 5 Table 2 allowedValueRange for A_ARG_TYPE_OutboundPinholeTimeout 6 Table 3 allowedValueRange for A_ARG_TYPE_LeaseTime 6 Table 4 Eventing and Moderation . 7 Table 5 Actions . 7 Table 6 Arguments f

27、or GetFirewallStatus() . 8 Table 7 Error Codes for GetFirewallStatus() . 8 Table 8 Arguments for GetOutboundPinholeTimeout() 9 Table 9 Error Codes for GetOutboundPinholeTimeout() . 10 Table 10 Arguments for AddPinhole() 10 Table 11 Error Codes for AddPinhole() 11 Table 12 Arguments for UpdatePinhole

28、() . 12 Table 13 Error Codes for UpdatePinhole() . 13 Table 14 Arguments for DeletePinhole() 13 Table 15 Error Codes for DeletePinhole() 14 Table 16 Arguments for GetPinholePackets() 14 Table 17 Error Codes for GetPinholePackets() 15 Table 18 Arguments for CheckPinholeWorking() 16 Table 19 Error Cod

29、es for CheckPinholeWorking() 16 Table 20 Error Code Summary 17 ISO/IEC 29341-24-11:2017(E) ISO/IEC 2017 All rights reserved v Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardiz

30、ation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutu

31、al interest. Other international organizations, governmental and nongovernmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this document and

32、 those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (s

33、ee http:/www.iso.org/directives). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the developm

34、ent of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement. For an explanation on the voluntary nature

35、of Standard, the meaning of the ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword Supplementary information ISO/IEC 293412411was prepared by U

36、PnP Forum and adopted, under the PAS procedure, by joint technical committee ISO/IEC JTC 1, Information technology, in parallel with its approval by national bodies of ISO and IEC. The list of all currently available parts of ISO/IEC 29341 series, under the general title Information technology UPnP

37、Device Architecture, can be found on the ISO web site. BS ISO/IEC 293412411:2017ISO/IEC 29341-24-11:2017(E) vi ISO/IEC 2017 All rights reserved Introduction ISO and IEC draw attention to the fact that it is claimed that compliance with this document may involve the use of patents as indicated below.

38、 ISO and IEC take no position concerning the evidence, validity and scope of these patent rights. The holders of -these patent rights have assured ISO and IEC that they are willing to negotiate licenses under reasonable and non-discriminatory terms and conditions with applicants throughout the world

39、. In this respect, the statements of the holders of these patent rights are registered with ISO and IEC. Intel Corporation has informed IEC and ISO that it has patent applications or granted patents. Information may be obtained from: Intel Corporation Standards Licensing Department 5200 NE Elam Youn

40、g Parkway MS: JFS-98 USA Hillsboro, Oregon 97124 Microsoft Corporation has informed IEC and ISO that it has patent applications or granted patents as listed below: 6101499 / US; 6687755 / US; 6910068 / US; 7130895 / US; 6725281 / US; 7089307 / US; 7069312 / US; 10/783 524 /US Information may be obta

41、ined from: Microsoft Corporation One Microsoft Way USA Redmond WA 98052 Philips International B.V. has informed IEC and ISO that it has patent applications or granted patents. Information may be obtained from: Philips International B.V. IP 6687755 / US; 6910068 / US; 7130895 / US; 6725281 / US; 7089

42、307 / US; 7069312 / US; 10/783 524 /US Information may be obtained from: Microsoft Corporation One Microsoft Way USA Redmond WA 98052 Philips International B.V. has informed IEC and ISO that it has patent applications or granted patents. Information may be obtained from: Philips International B.V. I

43、P 6 170 007 / US; 6 139 177 / US; 6 529 936 / US; 6 470 339 / US; 6 571 388 / US; 6 205 466 / US Information may be obtained from: Hewlett Packard Company 1501 Page Mill Road USA Palo Alto, CA 94304 Samsung Electronics Co. Ltd. has informed IEC and ISO that it has patent applications or granted pate

44、nts. Information may be obtained from: Digital Media Business, Samsung Electronics Co. Ltd. 416 Maetan-3 Dong, Yeongtang-Gu, KR Suwon City 443-742 Huawei Technologies Co., Ltd. has informed IEC and ISO that it has patent applications or granted patents. Information may be obtained from: Huawei Techn

45、ologies Co., Ltd. Administration Building, Bantian Longgang District Shenzhen China 518129 Qualcomm Incorporated has informed IEC and ISO that it has patent applications or granted patents. Information may be obtained from: Qualcomm Incorporated 5775 Morehouse Drive San Diego, CA USA 92121 Telecom I

46、talia S.p.A.has informed IEC and ISO that it has patent applications or granted patents. Information may be obtained from: Telecom Italia S.p.A. Via Reiss Romoli, 274 Turin - Italy 10148 Cisco Systems informed IEC and ISO that it has patent applications or granted patents. Information may be obtaine

47、d from: Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA USA 95134 Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights other than those identified above. ISO and IEC shall not be held responsible for identifying any or all such p

48、atent rights. BS ISO/IEC 293412411:2017ISO/IEC 29341-24-11:2017(E) viii ISO/IEC 2017 All rights reserved Original UPnP Document Reference may be made in this document to original UPnP documents. These references are retained in order to maintain consistency between the specifications as published by

49、 ISO/IEC and by UPnP Implementers Corporation and later by UPnP Forum. The following table indicates the original UPnP document titles and the corresponding part of ISO/IEC 29341: UPnP Document Title ISO/IEC 29341 Part UPnP Device Architecture 1.0 ISO/IEC 29341-1:2008 UPnP Device Architecture Version 1.0 ISO/IEC 29341-1:2011 UPnP Device Arc