tech-invite   World Map     

IETF     RFCs     Groups     SIP     ABNFs    |    3GPP     Specs     Gloss.     Arch.     IMS     UICC    |    Misc.    |    search     info

RFC 1812


Requirements for IP Version 4 Routers

Part 6 of 8, p. 109 to 133
Prev RFC Part       Next RFC Part


prevText      Top      Up      ToC       Page 109 


   Exterior Gateway Protocols are utilized for inter-Autonomous System
   routing to exchange reachability information for a set of networks
   internal to a particular autonomous system to a neighboring
   autonomous system.

   The area of inter-AS routing is a current topic of research inside
   the Internet Engineering Task Force.  The Exterior Gateway Protocol
   (EGP) described in Section [Appendix F.1] has traditionally been the
   inter-AS protocol of choice, but is now historical.  The Border
   Gateway Protocol (BGP) eliminates many of the restrictions and
   limitations of EGP, and is therefore growing rapidly in popularity.
   A router is not required to implement any inter-AS routing protocol.
   However, if a router does implement EGP it also MUST IMPLEMENT BGP.
   Although it was not designed as an exterior gateway protocol, RIP
   (described in Section [7.2.4]) is sometimes used for inter-AS


   The Border Gateway Protocol (BGP-4) is an inter-AS routing protocol
   that exchanges network reachability information with other BGP
   speakers.  The information for a network includes the complete list
   of ASs that traffic must transit to reach that network.  This
   information can then be used to insure loop-free paths.  This
   information is sufficient to construct a graph of AS connectivity
   from which routing loops may be pruned and some policy decisions at
   the AS level may be enforced.

   BGP is defined by [ROUTE:4].  [ROUTE:5] specifies the proper usage of
   BGP in the Internet, and provides some useful implementation hints
   and guidelines.  [ROUTE:12] and [ROUTE:13] provide additional useful

   To comply with Section [8.3] of this memo, a router that implements
   BGP is required to implement the BGP MIB [MGT:15].

   To characterize the set of policy decisions that can be enforced
   using BGP, one must focus on the rule that an AS advertises to its
   neighbor ASs only those routes that it itself uses.  This rule
   reflects the hop-by-hop routing paradigm generally used throughout
   the current Internet.  Note that some policies cannot be supported by
   the hop-by-hop routing paradigm and thus require techniques such as

Top      Up      ToC       Page 110 
   source routing to enforce.  For example, BGP does not enable one AS
   to send traffic to a neighbor AS intending that traffic take a
   different route from that taken by traffic originating in the
   neighbor AS.  On the other hand, BGP can support any policy
   conforming to the hop-by-hop routing paradigm.

   Implementors of BGP are strongly encouraged to follow the
   recommendations outlined in Section 6 of [ROUTE:5]. Protocol Walk-through

   While BGP provides support for quite complex routing policies (as an
   example see Section 4.2 in [ROUTE:5]), it is not required for all BGP
   implementors to support such policies.  At a minimum, however, a BGP

   (1) SHOULD allow an AS to control announcements of the BGP learned
        routes to adjacent AS's.  Implementations SHOULD support such
        control with at least the granularity of a single network.
        Implementations SHOULD also support such control with the
        granularity of an autonomous system, where the autonomous system
        may be either the autonomous system that originated the route,
        or the autonomous system that advertised the route to the local
        system (adjacent autonomous system).

   (2) SHOULD allow an AS to prefer a particular path to a destination
        (when more than one path is available).  Such function SHOULD be
        implemented by allowing system administrator to assign weights
        to Autonomous Systems, and making route selection process to
        select a route with the lowest weight (where weight of a route
        is defined as a sum of weights of all AS's in the AS_PATH path
        attribute associated with that route).

   (3) SHOULD allow an AS to ignore routes with certain AS's in the
        AS_PATH path attribute.  Such function can be implemented by
        using technique outlined in (2), and by assigning infinity as
        weights for such AS's.  The route selection process must ignore
        routes that have weight equal to infinity.


   It is possible to exchange routing information between two autonomous
   systems or routing domains without using a standard exterior routing
   protocol between two separate, standard interior routing protocols.
   The most common way of doing this is to run both interior protocols
   independently in one of the border routers with an exchange of route
   information between the two processes.

Top      Up      ToC       Page 111 
   As with the exchange of information from an EGP to an IGP, without
   appropriate controls these exchanges of routing information between
   two IGPs in a single router are subject to creation of routing loops.


   Static routing provides a means of explicitly defining the next hop
   from a router for a particular destination.  A router SHOULD provide
   a means for defining a static route to a destination, where the
   destination is defined by a network prefix.  The mechanism SHOULD
   also allow for a metric to be specified for each static route.

   A router that supports a dynamic routing protocol MUST allow static
   routes to be defined with any metric valid for the routing protocol
   used.  The router MUST provide the ability for the user to specify a
   list of static routes that may or may not be propagated through the
   routing protocol.  In addition, a router SHOULD support the following
   additional information if it supports a routing protocol that could
   make use of the information.  They are:

   o TOS,

   o Subnet Mask, or

   o Prefix Length, or

   o A metric specific to a given routing protocol that can import the

      We intend that one needs to support only the things useful to the
      given routing protocol.  The need for TOS should not require the
      vendor to implement the other parts if they are not used.

      Whether a router prefers a static route over a dynamic route (or
      vice versa) or whether the associated metrics are used to choose
      between conflicting static and dynamic routes SHOULD be
      configurable for each static route.

      A router MUST allow a metric to be assigned to a static route for
      each routing domain that it supports.  Each such metric MUST be
      explicitly assigned to a specific routing domain.  For example:

           route via rip metric 3

           route via ospf inter-area metric 27

           route via egp 123 metric 99

Top      Up      ToC       Page 112 
      It has been suggested that, ideally, static routes should have
      preference values rather than metrics (since metrics can only be
      compared with metrics of other routes in the same routing domain,
      the metric of a static route could only be compared with metrics
      of other static routes).  This is contrary to some current
      implementations, where static routes really do have metrics, and
      those metrics are used to determine whether a particular dynamic
      route overrides the static route to the same destination.  Thus,
      this document uses the term metric rather than preference.

      This technique essentially makes the static route into a RIP
      route, or an OSPF route (or whatever, depending on the domain of
      the metric).  Thus, the route lookup algorithm of that domain
      applies.  However, this is NOT route leaking, in that coercing a
      static route into a dynamic routing domain does not authorize the
      router to redistribute the route into the dynamic routing domain.

      For static routes not put into a specific routing domain, the
      route lookup algorithm is:

      (1) Basic match

      (2) Longest match

      (3) Weak TOS (if TOS supported)

      (4) Best metric (where metric are implementation-defined)

      The last step may not be necessary, but it's useful in the case
      where you want to have a primary static route over one interface
      and a secondary static route over an alternate interface, with
      failover to the alternate path if the interface for the primary
      route fails.


   Each router within a network makes forwarding decisions based upon
   information contained within its forwarding database.  In a simple
   network the contents of the database may be configured statically.
   As the network grows more complex, the need for dynamic updating of
   the forwarding database becomes critical to the efficient operation
   of the network.

   If the data flow through a network is to be as efficient as possible,
   it is necessary to provide a mechanism for controlling the
   propagation of the information a router uses to build its forwarding
   database.  This control takes the form of choosing which sources of

Top      Up      ToC       Page 113 
   routing information should be trusted and selecting which pieces of
   the information to believe.  The resulting forwarding database is a
   filtered version of the available routing information.

   In addition to efficiency, controlling the propagation of routing
   information can reduce instability by preventing the spread of
   incorrect or bad routing information.

   In some cases local policy may require that complete routing
   information not be widely propagated.

   These filtering requirements apply only to non-SPF-based protocols
   (and therefore not at all to routers which don't implement any
   distance vector protocols).

7.5.1 Route Validation

   A router SHOULD log as an error any routing update advertising a
   route that violates the specifications of this memo, unless the
   routing protocol from which the update was received uses those values
   to encode special routes (such as default routes).

7.5.2 Basic Route Filtering

   Filtering of routing information allows control of paths used by a
   router to forward packets it receives.  A router should be selective
   in which sources of routing information it listens to and what routes
   it believes.  Therefore, a router MUST provide the ability to

   o On which logical interfaces routing information will be accepted
      and which routes will be accepted from each logical interface.

   o Whether all routes or only a default route is advertised on a
      logical interface.

   Some routing protocols do not recognize logical interfaces as a
   source of routing information.  In such cases the router MUST provide
   the ability to specify

   o from which other routers routing information will be accepted.

   For example, assume a router connecting one or more leaf networks to
   the main portion or backbone of a larger network.  Since each of the
   leaf networks has only one path in and out, the router can simply
   send a default route to them.  It advertises the leaf networks to the
   main network.

Top      Up      ToC       Page 114 
7.5.3 Advanced Route Filtering

   As the topology of a network grows more complex, the need for more
   complex route filtering arises.  Therefore, a router SHOULD provide
   the ability to specify independently for each routing protocol:

   o Which logical interfaces or routers routing information (routes)
      will be accepted from and which routes will be believed from each
      other router or logical interface,

   o Which routes will be sent via which logical interface(s), and

   o Which routers routing information will be sent to, if this is
      supported by the routing protocol in use.

   In many situations it is desirable to assign a reliability ordering
   to routing information received from another router instead of the
   simple believe or don't believe choice listed in the first bullet
   above.  A router MAY provide the ability to specify:

   o A reliability or preference to be assigned to each route received.
      A route with higher reliability will be chosen over one with lower
      reliability regardless of the routing metric associated with each

   If a router supports assignment of preferences, the router MUST NOT
   propagate any routes it does not prefer as first party information.
   If the routing protocol being used to propagate the routes does not
   support distinguishing between first and third party information, the
   router MUST NOT propagate any routes it does not prefer.

      For example, assume a router receives a route to network C from
      router R and a route to the same network from router S.  If router
      R is considered more reliable than router S traffic destined for
      network C will be forwarded to router R regardless of the route
      received from router S.

   Routing information for routes which the router does not use (router
   S in the above example) MUST NOT be passed to any other router.


   Routers MUST be able to exchange routing information between separate
   IP interior routing protocols, if independent IP routing processes
   can run in the same router.  Routers MUST provide some mechanism for
   avoiding routing loops when routers are configured for bi-directional
   exchange of routing information between two separate interior routing

Top      Up      ToC       Page 115 
   processes.  Routers MUST provide some priority mechanism for choosing
   routes from independent routing processes.  Routers SHOULD provide
   administrative control of IGP-IGP exchange when used across
   administrative boundaries.

   Routers SHOULD provide some mechanism for translating or transforming
   metrics on a per network basis.  Routers (or routing protocols) MAY
   allow for global preference of exterior routes imported into an IGP.

      Different IGPs use different metrics, requiring some translation
      technique when introducing information from one protocol into
      another protocol with a different form of metric.  Some IGPs can
      run multiple instances within the same router or set of routers.
      In this case metric information can be preserved exactly or

      There are at least two techniques for translation between
      different routing processes.  The static (or reachability)
      approach uses the existence of a route advertisement in one IGP to
      generate a route advertisement in the other IGP with a given
      metric.  The translation or tabular approach uses the metric in
      one IGP to create a metric in the other IGP through use of either
      a function (such as adding a constant) or a table lookup.

      Bi-directional exchange of routing information is dangerous
      without control mechanisms to limit feedback.  This is the same
      problem that distance vector routing protocols must address with
      the split horizon technique and that EGP addresses with the
      third-party rule.  Routing loops can be avoided explicitly through
      use of tables or lists of permitted/denied routes or implicitly
      through use of a split horizon rule, a no-third-party rule, or a
      route tagging mechanism.  Vendors are encouraged to use implicit
      techniques where possible to make administration easier for
      network operators.


   Note that this chapter supersedes any requirements stated under

8.1 The Simple Network Management Protocol - SNMP

8.1.1 SNMP Protocol Elements

   Routers MUST be manageable by SNMP [MGT:3].  The SNMP MUST operate
   using UDP/IP as its transport and network protocols.  Others MAY be
   supported (e.g., see [MGT:25, MGT:26, MGT:27, and MGT:28]).  SNMP

Top      Up      ToC       Page 116 
   management operations MUST operate as if the SNMP was implemented on
   the router itself.  Specifically, management operations MUST be
   effected by sending SNMP management requests to any of the IP
   addresses assigned to any of the router's interfaces.  The actual
   management operation may be performed either by the router or by a
   proxy for the router.

      This wording is intended to allow management either by proxy,
      where the proxy device responds to SNMP packets that have one of
      the router's IP addresses in the packets destination address
      field, or the SNMP is implemented directly in the router itself
      and receives packets and responds to them in the proper manner.

      It is important that management operations can be sent to one of
      the router's IP Addresses.  In diagnosing network problems the
      only thing identifying the router that is available may be one of
      the router's IP address; obtained perhaps by looking through
      another router's routing table.

   All SNMP operations (get, get-next, get-response, set, and trap) MUST
   be implemented.

   Routers MUST provide a mechanism for rate-limiting the generation of
   SNMP trap messages.  Routers MAY provide this mechanism through the
   algorithms for asynchronous alert management described in [MGT:5].

      Although there is general agreement about the need to rate-limit
      traps, there is not yet consensus on how this is best achieved.
      The reference cited is considered experimental.

8.2 Community Table

   For the purposes of this specification, we assume that there is an
   abstract `community table' in the router.  This table contains
   several entries, each entry for a specific community and containing
   the parameters necessary to completely define the attributes of that
   community.  The actual implementation method of the abstract
   community table is, of course, implementation specific.

   A router's community table MUST allow for at least one entry and
   SHOULD allow for at least two entries.

      A community table with zero capacity is useless.  It means that
      the router will not recognize any communities and, therefore, all
      SNMP operations will be rejected.

Top      Up      ToC       Page 117 
      Therefore, one entry is the minimal useful size of the table.
      Having two entries allows one entry to be limited to read-only
      access while the other would have write capabilities.

   Routers MUST allow the user to manually (i.e., without using SNMP)
   examine, add, delete and change entries in the SNMP community table.
   The user MUST be able to set the community name or construct a MIB
   view.  The user MUST be able to configure communities as read-only
   (i.e., they do not allow SETs) or read-write (i.e., they do allow

   The user MUST be able to define at least one IP address to which
   notifications are sent for each community or MIB view, if traps are
   used.  These addresses SHOULD be definable on a community or MIB view
   basis.  It SHOULD be possible to enable or disable notifications on a
   community or MIB view basis.

   A router SHOULD provide the ability to specify a list of valid
   network managers for any particular community.  If enabled, a router
   MUST validate the source address of the SNMP datagram against the
   list and MUST discard the datagram if its address does not appear.
   If the datagram is discarded the router MUST take all actions
   appropriate to an SNMP authentication failure.

      This is a rather limited authentication system, but coupled with
      various forms of packet filtering may provide some small measure
      of increased security.

   The community table MUST be saved in non-volatile storage.

   The initial state of the community table SHOULD contain one entry,
   with the community name string public and read-only access.  The
   default state of this entry MUST NOT send traps.  If it is
   implemented, then this entry MUST remain in the community table until
   the administrator changes it or deletes it.

      By default, traps are not sent to this community.  Trap PDUs are
      sent to unicast IP addresses.  This address must be configured
      into the router in some manner.  Before the configuration occurs,
      there is no such address, so to whom should the trap be sent?
      Therefore trap sending to the public community defaults to be
      disabled.  This can, of course, be changed by an administrative
      operation once the router is operational.

Top      Up      ToC       Page 118 
8.3 Standard MIBS

   All MIBS relevant to a router's configuration are to be implemented.
   To wit:

   o The System, Interface, IP, ICMP, and UDP groups of MIB-II [MGT:2]
      MUST be implemented.

   o The Interface Extensions MIB [MGT:18] MUST be implemented.

   o The IP Forwarding Table MIB [MGT:20] MUST be implemented.

   o If the router implements TCP (e.g., for Telnet) then the TCP group
      of MIB-II [MGT:2] MUST be implemented.

   o If the router implements EGP then the EGP group of MIB-II [MGT:2]
      MUST be implemented.

   o If the router supports OSPF then the OSPF MIB [MGT:14] MUST be

   o If the router supports BGP then the BGP MIB [MGT:15] MUST be

   o If the router has Ethernet, 802.3, or StarLan interfaces then the
      Ethernet-Like MIB [MGT:6] MUST be implemented.

   o If the router has 802.4 interfaces then the 802.4 MIB [MGT:7] MUST
      be implemented.

   o If the router has 802.5 interfaces then the 802.5 MIB [MGT:8] MUST
      be implemented.

   o If the router has FDDI interfaces that implement ANSI SMT 7.3 then
      the FDDI MIB [MGT:9] MUST be implemented.

   o If the router has FDDI interfaces that implement ANSI SMT 6.2 then
      the FDDI MIB [MGT:29] MUST be implemented.

   o If the router has interfaces that use V.24 signalling, such as RS-
      232, V.10, V.11, V.35, V.36, or RS-422/423/449, then the RS-232
      [MGT:10] MIB MUST be implemented.

   o If the router has T1/DS1 interfaces then the T1/DS1 MIB [MGT:16]
      MUST be implemented.

   o If the router has T3/DS3 interfaces then the T3/DS3 MIB [MGT:17]
      MUST be implemented.

Top      Up      ToC       Page 119 
   o If the router has SMDS interfaces then the SMDS Interface Protocol
      MIB [MGT:19] MUST be implemented.

   o If the router supports PPP over any of its interfaces then the PPP
      MIBs [MGT:11], [MGT:12], and [MGT:13] MUST be implemented.

   o If the router supports RIP Version 2 then the RIP Version 2 MIB
      [MGT:21] MUST be implemented.

   o If the router supports X.25 over any of its interfaces then the
      X.25 MIBs [MGT:22, MGT:23 and MGT:24] MUST be implemented.

8.4 Vendor Specific MIBS

   The Internet Standard and Experimental MIBs do not cover the entire
   range of statistical, state, configuration and control information
   that may be available in a network element.  This information is,
   nevertheless, extremely useful.  Vendors of routers (and other
   network devices) generally have developed MIB extensions that cover
   this information.  These MIB extensions are called Vendor Specific

   The Vendor Specific MIB for the router MUST provide access to all
   statistical, state, configuration, and control information that is
   not available through the Standard and Experimental MIBs that have
   been implemented.  This information MUST be available for both
   monitoring and control operations.

      The intent of this requirement is to provide the ability to do
      anything on the router through SNMP that can be done through a
      console, and vice versa.  A certain minimal amount of
      configuration is necessary before SNMP can operate (e.g., the
      router must have an IP address).  This initial configuration can
      not be done through SNMP.  However, once the initial configuration
      is done, full capabilities ought to be available through network

   The vendor SHOULD make available the specifications for all Vendor
   Specific MIB variables.  These specifications MUST conform to the SMI
   [MGT:1] and the descriptions MUST be in the form specified in

      Making the Vendor Specific MIB available to the user is necessary.
      Without this information the users would not be able to configure
      their network management systems to be able to access the Vendor
      Specific parameters.  These parameters would then be useless.

Top      Up      ToC       Page 120 
      ne 2 The format of the MIB specification is also specified.
      Parsers that read MIB specifications and generate the needed
      tables for the network management station are available.  These
      parsers generally understand only the standard MIB specification

8.5 Saving Changes

   Parameters altered by SNMP MAY be saved to non-volatile storage.

      Reasons why this requirement is a MAY:

      o The exact physical nature of non-volatile storage is not
         specified in this document.  Hence, parameters may be saved in
         NVRAM/EEPROM, local floppy or hard disk, or in some TFTP file
         server or BOOTP server, etc.  Suppose that this information is
         in a file that is retrieved through TFTP.  In that case, a
         change made to a configuration parameter on the router would
         need to be propagated back to the file server holding the
         configuration file.  Alternatively, the SNMP operation would
         need to be directed to the file server, and then the change
         somehow propagated to the router.  The answer to this problem
         does not seem obvious.

         This also places more requirements on the host holding the
         configuration information than just having an available TFTP
         server, so much more that its probably unsafe for a vendor to
         assume that any potential customer will have a suitable host

      o The timing of committing changed parameters to non-volatile
         storage is still an issue for debate.  Some prefer to commit
         all changes immediately.  Others prefer to commit changes to
         non-volatile storage only upon an explicit command.


   For all additional application protocols that a router implements,
   the router MUST be compliant and SHOULD be unconditionally compliant
   with the relevant requirements of [INTRO:3].


9.1.1 Introduction

   The Bootstrap Protocol (BOOTP) is a UDP/IP-based protocol that allows
   a booting host to configure itself dynamically and without user

Top      Up      ToC       Page 121 
   supervision.  BOOTP provides a means to notify a host of its assigned
   IP address, the IP address of a boot server host, and the name of a
   file to be loaded into memory and executed ([APPL:1]).  Other
   configuration information such as the local prefix length or subnet
   mask, the local time offset, the addresses of default routers, and
   the addresses of various Internet servers can also be communicated to
   a host using BOOTP ([APPL:2]).

9.1.2 BOOTP Relay Agents

   In many cases, BOOTP clients and their associated BOOTP server(s) do
   not reside on the same IP (sub)network.  In such cases, a third-party
   agent is required to transfer BOOTP messages between clients and
   servers.  Such an agent was originally referred to as a BOOTP
   forwarding agent.  However, to avoid confusion with the IP forwarding
   function of a router, the name BOOTP relay agent has been adopted

      A BOOTP relay agent performs a task that is distinct from a
      router's normal IP forwarding function.  While a router normally
      switches IP datagrams between networks more-or-less transparently,
      a BOOTP relay agent may more properly be thought to receive BOOTP
      messages as a final destination and then generate new BOOTP
      messages as a result.  One should resist the notion of simply
      forwarding a BOOTP message straight through like a regular packet.

   This relay-agent functionality is most conveniently located in the
   routers that interconnect the clients and servers (although it may
   alternatively be located in a host that is directly connected to the
   client (sub)net).

   A router MAY provide BOOTP relay-agent capability.  If it does, it
   MUST conform to the specifications in [APPL:3].

   Section [5.2.3] discussed the circumstances under which a packet is
   delivered locally (to the router).  All locally delivered UDP
   messages whose UDP destination port number is BOOTPS (67) are
   considered for special processing by the router's logical BOOTP relay

   Sections [] and [5.3.7] discussed invalid IP source
   addresses.  According to these rules, a router must not forward any
   received datagram whose IP source address is  However,
   routers that support a BOOTP relay agent MUST accept for local
   delivery to the relay agent BOOTREQUEST messages whose IP source
   address is

Top      Up      ToC       Page 122 

   This chapter supersedes any requirements of [INTRO:3] relating to
   "Extensions to the IP Module."

   Facilities to support operation and maintenance (O&M) activities form
   an essential part of any router implementation.  Although these
   functions do not seem to relate directly to interoperability, they
   are essential to the network manager who must make the router
   interoperate and must track down problems when it doesn't.  This
   chapter also includes some discussion of router initialization and of
   facilities to assist network managers in securing and accounting for
   their networks.

10.1 Introduction

   The following kinds of activities are included under router O&M:

   o Diagnosing hardware problems in the router's processor, in its
      network interfaces, or in its connected networks, modems, or
      communication lines.

   o Installing new hardware

   o Installing new software.

   o Restarting or rebooting the router after a crash.

   o Configuring (or reconfiguring) the router.

   o Detecting and diagnosing Internet problems such as congestion,
      routing loops, bad IP addresses, black holes, packet avalanches,
      and misbehaved hosts.

   o Changing network topology, either temporarily (e.g., to bypass a
      communication line problem) or permanently.

   o Monitoring the status and performance of the routers and the
      connected networks.

   o Collecting traffic statistics for use in (Inter-)network planning.

   o Coordinating the above activities with appropriate vendors and
      telecommunications specialists.

   Routers and their connected communication lines are often operated as
   a system by a centralized O&M organization.  This organization may
   maintain a (Inter-)network operation center, or NOC, to carry out its

Top      Up      ToC       Page 123 
   O&M functions.  It is essential that routers support remote control
   and monitoring from such a NOC through an Internet path, since
   routers might not be connected to the same network as their NOC.
   Since a network failure may temporarily preclude network access, many
   NOCs insist that routers be accessible for network management through
   an alternative means, often dial-up modems attached to console ports
   on the routers.

   Since an IP packet traversing an internet will often use routers
   under the control of more than one NOC, Internet problem diagnosis
   will often involve cooperation of personnel of more than one NOC.  In
   some cases, the same router may need to be monitored by more than one
   NOC, but only if necessary, because excessive monitoring could impact
   a router's performance.

   The tools available for monitoring at a NOC may cover a wide range of
   sophistication.  Current implementations include multi-window,
   dynamic displays of the entire router system.  The use of AI
   techniques for automatic problem diagnosis is proposed for the

   Router O&M facilities discussed here are only a part of the large and
   difficult problem of Internet management.  These problems encompass
   not only multiple management organizations, but also multiple
   protocol layers.  For example, at the current stage of evolution of
   the Internet architecture, there is a strong coupling between host
   TCP implementations and eventual IP-level congestion in the router
   system [OPER:1].  Therefore, diagnosis of congestion problems will
   sometimes require the monitoring of TCP statistics in hosts.  There
   are currently a number of R&D efforts in progress in the area of
   Internet management and more specifically router O&M.  These R&D
   efforts have already produced standards for router O&M.  This is also
   an area in which vendor creativity can make a significant

10.2 Router Initialization

10.2.1 Minimum Router Configuration

   There exists a minimum set of conditions that must be satisfied
   before a router may forward packets.  A router MUST NOT enable
   forwarding on any physical interface unless either:

   (1) The router knows the IP address and associated subnet mask or
        network prefix length of at least one logical interface
        associated with that physical interface, or

Top      Up      ToC       Page 124 
   (2) The router knows that the interface is an unnumbered interface
        and knows its router-id.

   These parameters MUST be explicitly configured:

   o A router MUST NOT use factory-configured default values for its IP
      addresses, prefix lengths, or router-id, and

   o A router MUST NOT assume that an unconfigured interface is an
      unnumbered interface.

      There have been instances in which routers have been shipped with
      vendor-installed default addresses for interfaces.  In a few
      cases, this has resulted in routers advertising these default
      addresses into active networks.

10.2.2 Address and Prefix Initialization

   A router MUST allow its IP addresses and their address masks or
   prefix lengths to be statically configured and saved in non-volatile

   A router MAY obtain its IP addresses and their corresponding address
   masks dynamically as a side effect of the system initialization
   process (see Section 10.2.3]);

   If the dynamic method is provided, the choice of method to be used in
   a particular router MUST be configurable.

   As was described in Section [], IP addresses are not
   permitted to have the value 0 or -1 in the <Host-number> or
   <Network-prefix> fields.  Therefore, a router SHOULD NOT allow an IP
   address or address mask to be set to a value that would make any of
   the these fields above have the value zero or -1.

      It is possible using arbitrary address masks to create situations
      in which routing is ambiguous (i.e., two routes with different but
      equally specific subnet masks match a particular destination
      address).  This is one of the strongest arguments for the use of
      network prefixes, and the reason the use of discontiguous subnet
      masks is not permitted.

   A router SHOULD make the following checks on any address mask it

Top      Up      ToC       Page 125 
   o The mask is neither all ones nor all zeroes (the prefix length is
      neither zero nor 32).

   o The bits which correspond to the network prefix part of the address
      are all set to 1.

   o The bits that correspond to the network prefix are contiguous.

      The masks associated with routes are also sometimes called subnet
      masks, this test should not be applied to them.

10.2.3 Network Booting using BOOTP and TFTP

   There has been much discussion of how routers can and should be
   booted from the network.  These discussions have revolved around
   BOOTP and TFTP.  Currently, there are routers that boot with TFTP
   from the network.  There is no reason that BOOTP could not be used
   for locating the server that the boot image should be loaded from.

   BOOTP is a protocol used to boot end systems, and requires some
   stretching to accommodate its use with routers.  If a router is using
   BOOTP to locate the current boot host, it should send a BOOTP Request
   with its hardware address for its first interface, or, if it has been
   previously configured otherwise, with either another interface's
   hardware address, or another number to put in the hardware address
   field of the BOOTP packet.  This is to allow routers without hardware
   addresses (like synchronous line only routers) to use BOOTP for
   bootload discovery.  TFTP can then be used to retrieve the image
   found in the BOOTP Reply.  If there are no configured interfaces or
   numbers to use, a router MAY cycle through the interface hardware
   addresses it has until a match is found by the BOOTP server.

   A router SHOULD IMPLEMENT the ability to store parameters learned
   through BOOTP into local non-volatile storage.  A router MAY
   implement the ability to store a system image loaded over the network
   into local stable storage.

   A router MAY have a facility to allow a remote user to request that
   the router get a new boot image.  Differentiation should be made
   between getting the new boot image from one of three locations: the
   one included in the request, from the last boot image server, and
   using BOOTP to locate a server.

Top      Up      ToC       Page 126 
10.3 Operation and Maintenance

10.3.1 Introduction

   There is a range of possible models for performing O&M functions on a
   router.  At one extreme is the local-only model, under which the O&M
   functions can only be executed locally (e.g., from a terminal plugged
   into the router machine).  At the other extreme, the fully remote
   model allows only an absolute minimum of functions to be performed
   locally (e.g., forcing a boot), with most O&M being done remotely
   from the NOC.  There are intermediate models, such as one in which
   NOC personnel can log into the router as a host, using the Telnet
   protocol, to perform functions that can also be invoked locally.  The
   local-only model may be adequate in a few router installations, but
   remote operation from a NOC is normally required, and therefore
   remote O&M provisions are required for most routers.

   Remote O&M functions may be exercised through a control agent
   (program).  In the direct approach, the router would support remote
   O&M functions directly from the NOC using standard Internet protocols
   (e.g., SNMP, UDP or TCP); in the indirect approach, the control agent
   would support these protocols and control the router itself using
   proprietary protocols.  The direct approach is preferred, although
   either approach is acceptable.  The use of specialized host hardware
   and/or software requiring significant additional investment is
   discouraged; nevertheless, some vendors may elect to provide the
   control agent as an integrated part of the network in which the
   routers are a part.  If this is the case, it is required that a means
   be available to operate the control agent from a remote site using
   Internet protocols and paths and with equivalent functionality with
   respect to a local agent terminal.

   It is desirable that a control agent and any other NOC software tools
   that a vendor provides operate as user programs in a standard
   operating system.  The use of the standard Internet protocols UDP and
   TCP for communicating with the routers should facilitate this.

   Remote router monitoring and (especially) remote router control
   present important access control problems that must be addressed.
   Care must also be taken to ensure control of the use of router
   resources for these functions.  It is not desirable to let router
   monitoring take more than some limited fraction of the router CPU
   time, for example.  On the other hand, O&M functions must receive
   priority so they can be exercised when the router is congested, since
   often that is when O&M is most needed.

Top      Up      ToC       Page 127 
10.3.2 Out Of Band Access

   Routers MUST support Out-Of-Band (OOB) access.  OOB access SHOULD
   provide the same functionality as in-band access.  This access SHOULD
   implement access controls, to prevent unauthorized access.

      This Out-Of-Band access will allow the NOC a way to access
      isolated routers during times when network access is not

      Out-Of-Band access is an important management tool for the network
      administrator.  It allows the access of equipment independent of
      the network connections.  There are many ways to achieve this
      access.  Whichever one is used it is important that the access is
      independent of the network connections.  An example of Out-Of-Band
      access would be a serial port connected to a modem that provides
      dial up access to the router.

      It is important that the OOB access provides the same
      functionality as in-band access.  In-band access, or accessing
      equipment through the existing network connection, is limiting,
      because most of the time, administrators need to reach equipment
      to figure out why it is unreachable.  In band access is still very
      important for configuring a router, and for troubleshooting more
      subtle problems.

10.3.3 Router O&M Functions Maintenance - Hardware Diagnosis

   Each router SHOULD operate as a stand-alone device for the purposes
   of local hardware maintenance.  Means SHOULD be available to run
   diagnostic programs at the router site using only on-site tools.  A
   router SHOULD be able to run diagnostics in case of a fault.  For
   suggested hardware and software diagnostics see Section [10.3.3]. Control - Dumping and Rebooting

   A router MUST include both in-band and out-of-band mechanisms to
   allow the network manager to reload, stop, and restart the router.  A
   router SHOULD also contain a mechanism (such as a watchdog timer)
   which will reboot the router automatically if it hangs due to a
   software or hardware fault.

   A router SHOULD IMPLEMENT a mechanism for dumping the contents of a
   router's memory (and/or other state useful for vendor debugging after
   a crash), and either saving them on a stable storage device local to

Top      Up      ToC       Page 128 
   the router or saving them on another host via an up-line dump
   mechanism such as TFTP (see [OPER:2], [INTRO:3]). Control - Configuring the Router

   Every router has configuration parameters that may need to be set.
   It SHOULD be possible to update the parameters without rebooting the
   router; at worst, a restart MAY be required.  There may be cases when
   it is not possible to change parameters without rebooting the router
   (for instance, changing the IP address of an interface).  In these
   cases, care should be taken to minimize disruption to the router and
   the surrounding network.

   There SHOULD be a way to configure the router over the network either
   manually or automatically.  A router SHOULD be able to upload or
   download its parameters from a host or another router.  A means
   SHOULD be provided, either as an application program or a router
   function, to convert between the parameter format and a human-
   editable format.  A router SHOULD have some sort of stable storage
   for its configuration.  A router SHOULD NOT believe protocols such as
   RARP, ICMP Address Mask Reply, and MAY not believe BOOTP.

      It is necessary to note here that in the future RARP, ICMP Address
      Mask Reply, BOOTP and other mechanisms may be needed to allow a
      router to auto-configure.  Although routers may in the future be
      able to configure automatically, the intent here is to discourage
      this practice in a production environment until auto-configuration
      has been tested more thoroughly.  The intent is NOT to discourage
      auto-configuration all together.  In cases where a router is
      expected to get its configuration automatically it may be wise to
      allow the router to believe these things as it comes up and then
      ignore them after it has gotten its configuration. Net Booting of System Software

      A router SHOULD keep its system image in local non-volatile
      storage such as PROM, NVRAM, or disk.  It MAY also be able to load
      its system software over the network from a host or another

      A router that can keep its system image in local non-volatile
      storage MAY be configurable to boot its system image over the
      network.  A router that offers this option SHOULD be configurable
      to boot the system image in its non-volatile local storage if it
      is unable to boot its system image over the network.

Top      Up      ToC       Page 129 
      It is important that the router be able to come up and run on its
      own.  NVRAM may be a particular solution for routers used in large
      networks, since changing PROMs can be quite time consuming for a
      network manager responsible for numerous or geographically
      dispersed routers.  It is important to be able to netboot the
      system image because there should be an easy way for a router to
      get a bug fix or new feature more quickly than getting PROMs
      installed.  Also if the router has NVRAM instead of PROMs, it will
      netboot the image and then put it in NVRAM.

      Routers SHOULD perform some basic consistency check on any image
      loaded, to detect and perhaps prevent incorrect images.

   A router MAY also be able to distinguish between different
   configurations based on which software it is running.  If
   configuration commands change from one software version to another,
   it would be helpful if the router could use the configuration that
   was compatible with the software. Detecting and responding to misconfiguration

   There MUST be mechanisms for detecting and responding to
   misconfigurations.  If a command is executed incorrectly, the router
   SHOULD give an error message.  The router SHOULD NOT accept a poorly
   formed command as if it were correct.

      There are cases where it is not possible to detect errors: the
      command is correctly formed, but incorrect with respect to the
      network.  This may be detected by the router, but may not be

   Another form of misconfiguration is misconfiguration of the network
   to which the router is attached.  A router MAY detect
   misconfigurations in the network.  The router MAY log these findings
   to a file, either on the router or a host, so that the network
   manager will see that there are possible problems on the network.

      Examples of such misconfigurations might be another router with
      the same address as the one in question or a router with the wrong
      address mask.  If a router detects such problems it is probably
      not the best idea for the router to try to fix the situation.
      That could cause more harm than good.

Top      Up      ToC       Page 130 Minimizing Disruption

   Changing the configuration of a router SHOULD have minimal affect on
   the network.  Routing tables SHOULD NOT be unnecessarily flushed when
   a simple change is made to the router.  If a router is running
   several routing protocols, stopping one routing protocol SHOULD NOT
   disrupt other routing protocols, except in the case where one network
   is learned by more than one routing protocol.

      It is the goal of a network manager to run a network so that users
      of the network get the best connectivity possible.  Reloading a
      router for simple configuration changes can cause disruptions in
      routing and ultimately cause disruptions to the network and its
      users.  If routing tables are unnecessarily flushed, for instance,
      the default route will be lost as well as specific routes to sites
      within the network.  This sort of disruption will cause
      significant downtime for the users.  It is the purpose of this
      section to point out that whenever possible, these disruptions
      should be avoided. Control - Troubleshooting Problems

      (1) A router MUST provide in-band network access, but (except as
           required by Section [8.2]) for security considerations this
           access SHOULD be disabled by default.  Vendors MUST document
           the default state of any in-band access.  This access SHOULD
           implement access controls, to prevent unauthorized access.

      In-band access primarily refers to access through the normal
      network protocols that may or may not affect the permanent
      operational state of the router.  This includes, but is not
      limited to Telnet/RLOGIN console access and SNMP operations.

      This was a point of contention between the operational out of the
      box and secure out of The box contingents.  Any automagic access
      to the router may introduce insecurities, but it may be more
      important for the customer to have a router that is accessible
      over the network as soon as it is plugged in.  At least one vendor
      supplies routers without any external console access and depends
      on being able to access the router through the network to complete
      its configuration.

      It is the vendors call whether in-band access is enabled by
      default; but it is also the vendor's responsibility to make its
      customers aware of possible insecurities.

Top      Up      ToC       Page 131 
      (2) A router MUST provide the ability to initiate an ICMP echo.
           The following options SHOULD be implemented:

           o Choice of data patterns

           o Choice of packet size

           o Record route

           and the following additional options MAY be implemented:

           o Loose source route

           o Strict source route

           o Timestamps

      (3) A router SHOULD provide the ability to initiate a traceroute.
           If traceroute is provided, then the 3rd party traceroute
           SHOULD be implemented.

   Each of the above three facilities (if implemented) SHOULD have
   access restrictions placed on it to prevent its abuse by unauthorized

10.4 Security Considerations

10.4.1 Auditing and Audit Trails

   Auditing and billing are the bane of the network operator, but are
   the two features most requested by those in charge of network
   security and those who are responsible for paying the bills.  In the
   context of security, auditing is desirable if it helps you keep your
   network working and protects your resources from abuse, without
   costing you more than those resources are worth.

   (1) Configuration Changes

        Router SHOULD provide a method for auditing a configuration
        change of a router, even if it's something as simple as
        recording the operator's initials and time of change.

      Configuration change logging (who made a configuration change,
      what was changed, and when) is very useful, especially when
      traffic is suddenly routed through Alaska on its way across town.
      So is the ability to revert to a previous configuration.

Top      Up      ToC       Page 132 
      (2) Packet Accounting

           Vendors should strongly consider providing a system for
           tracking traffic levels between pairs of hosts or networks.
           A mechanism for limiting the collection of this information
           to specific pairs of hosts or networks is also strongly

      A host traffic matrix as described above can give the network
      operator a glimpse of traffic trends not apparent from other
      statistics.  It can also identify hosts or networks that are
      probing the structure of the attached networks - e.g., a single
      external host that tries to send packets to every IP address in
      the network address range for a connected network.

      (3) Security Auditing

           Routers MUST provide a method for auditing security related
           failures or violations to include:

           o Authorization Failures: bad passwords, invalid SNMP
              communities, invalid authorization tokens,

           o Violations of Policy Controls: Prohibited Source Routes,
              Filtered Destinations, and

           o Authorization Approvals: good passwords - Telnet in-band
              access, console access.

           Routers MUST provide a method of limiting or disabling such
           auditing but auditing SHOULD be on by default.  Possible
           methods for auditing include listing violations to a console
           if present, logging or counting them internally, or logging
           them to a remote security server through the SNMP trap
           mechanism or the Unix logging mechanism as appropriate.  A
           router MUST implement at least one of these reporting
           mechanisms - it MAY implement more than one.

10.4.2 Configuration Control

   A vendor has a responsibility to use good configuration control
   practices in the creation of the software/firmware loads for their
   routers.  In particular, if a vendor makes updates and loads
   available for retrieval over the Internet, the vendor should also
   provide a way for the customer to confirm the load is a valid one,
   perhaps by the verification of a checksum over the load.

Top      Up      ToC       Page 133 
      Many vendors currently provide short notice updates of their
      software products through the Internet.  This a good trend and
      should be encouraged, but provides a point of vulnerability in the
      configuration control process.

   If a vendor provides the ability for the customer to change the
   configuration parameters of a router remotely, for example through a
   Telnet session, the ability to do so SHOULD be configurable and
   SHOULD default to off.  The router SHOULD require  valid
   authentication before permitting remote reconfiguration.  This
   authentication procedure SHOULD NOT transmit the authentication
   secret over the network.  For example, if telnet is implemented, the
   vendor SHOULD IMPLEMENT Kerberos, S-Key, or a similar authentication

      Allowing your properly identified network operator to twiddle with
      your routers is necessary; allowing anyone else to do so is

   A router MUST NOT have undocumented back door access and master
   passwords.  A vendor MUST ensure any such access added for purposes
   of debugging or product development are deleted before the product is
   distributed to its customers.

      A vendor has a responsibility to its customers to ensure they are
      aware of the vulnerabilities present in its code by intention -
      e.g., in-band access.  Trap doors, back doors and master passwords
      intentional or unintentional can turn a relatively secure router
      into a major problem on an operational network.  The supposed
      operational benefits are not matched by the potential problems.

(page 133 continued on part 7)

Next RFC Part