rfc708.Elements of a Distributed Programming System

The Dell EMC S5048-ON switch is an innovative, future-ready T op-of-Rack (T oR) open networking switch providing excellent capabilities and cost-effectiveness for the enterprise, mid-market, Tier2 cloud and NFV service providers with demanding compute and storage traffic environments.The S5048F-ON 25GbE switch is Dell’s latest disaggregated hardware and software data center networking solution that provides backward compatible 25GbE server port connections, 100GbE uplinks, storage optimized architecture, and a broad range of functionality to meet the growing demands of today’s data center environment now and in the future.The compact S5048F-ON model design provides industry-leading density with up to 72 ports of 25GbE or up to 48 ports of 25GbE and 6 ports of 100GbE in a 1RU form factor.Using industry-leading hardware and a choice of Dell’s OS9 or select 3rd party network operating systems and tools, the S5048F-ON delivers non-blocking performance* for workloads sensitive to packet loss. The compact S5048F-ON model provides multi rate speed enabling denser footprints and simplifying migration to 25GbE server connections and 100GbE fabrics. Priority-based flow control (PFC), data center bridge exchange (DCBX) and enhanced transmission selection (ETS) make the S5048F-ON an excellent choice for DCB environments.Maximum performance and functionalityThe Dell EMC Networking S-Series S5048F-ON is a high-performance, multi-function, 10/25/40/50/100 GbE T oR switch purpose-built for applications in high-performance data center, cloud and computing environments.In addition, the S5048F-ON incorporates multiple architectural features that optimize data center network flexibility, efficiency, and availability, including IO panel to PSU airflow or PSU to IO panel airflow for hot/cold aisle environments, and redundant, hot-swappable power supplies and fans. Key applications• Organizations looking to enter the software-defined data center era with a choice of networking technologies designed to deliver theflexibility they need• Native high-density 25 GbE T oR server access in high-performance data center environments• 25 GbE backward compatible to 10G and 1G for future proofing and data center server migration to faster uplink speeds.• Capability to support mixed 25G and 10G servers on front panel ports • iSCSI storage deployment including DCB converged lossless transactions • Suitable as a T oR or Leaf switch in 100G Active Fabric implementations • As a high speed VXLAN L2 gateway that connects the hypervisor-based overlay networks with non-virtualized infrastructure• Emerging applications requiring hardware support for new protocols Key features• 1RU high-density 25/10/1 GbE T oR switch with up to forty eight ports of native 25 GbE (SFP28) ports supporting 25 GbE without breakout cables• Multi-rate 100GbE ports support 10/25/40/50/100 GbE• 3.6 Tbps (full-duplex) non-blocking, store and forward switching fabric delivers line-rate performance under full load*• Scalable L2 and L3 Ethernet switching with QoS and a full comple-ment of standards-based IPv4 and IPv6 features, including OSPF and BGP routing support• L2 multipath support via Virtual Link Trunking (VLT) and multiple VLT (mVLT) multi-chassis link aggregation technology• VRF-lite enables sharing of networking infrastructure and provides L3 traffic isolation across tenants• Open Automation Framework adding automated configuration and provisioning capabilities to simplify the management of networkenvironments• Jumbo frame support for large data transfers• 128 link aggregation groups with up to eight members per group, using enhanced hashing• Redundant, hot-swappable power supplies and fans• I/O panel to power supply airflow or power supply to I/O panel airflow • T ool-less enterprise ReadyRails™ mounting kits reducing time and resources for switch rack installation• Power-efficient operation up to 45°C helping reduce cooling costs in temperature-constrained deployments (Dell EMC Fresh Air 2.0compliant)• Converged network support for DCB and ECN capability• Supports the open source Open Network Install Environment (ONIE) for zero touch installation of alternate network operating systems• Fibre Channel, FCoE, FCoE transit (FIP Snooping) and NPIV ProxyDELL EMC NETWORKING S5048F-ONHigh-performance open networking top-of-rack switch with native 25G server ports and 100G network fabric connectivity**future deliverable48 line-rate 25 Gigabit Ethernet SFP28 ports6 line-rate 100 Gigabit Ethernet QSFP28 ports1 RJ45 console/management port with RS232signaling1 Micro-USB type B optional console port1 10/100/1000 Base-T Ethernet port used asmanagement port1 USB type A port for the external mass storage Size: 1 RU, 1.72 h x 17.1 w x 18” d(4.4 h x 43.4 w x 45.7 cm d)Weight: 22lbs (9.98kg)ISO 7779 A-weighted sound pressure level: 59.6 dBA at 73.4°F (23°C)Power supply: 100–240 VAC 50/60 HzMax. thermal output: 1956 BTU/hMax. current draw per system:5.73A/4.8A at 100/120V AC2.87A/2.4A at 200/240V ACMax. power consumption: 573 Watts (AC)T yp. power consumption: 288 Watts (AC) with all optics loadedMax. operating specifications:Operating temperature: 32° to 113°F (0° to 45°C) Operating humidity: 10 to 90% (RH), non-condensingFresh Air Compliant to 45°CMax. non-operating specifications:Storage temperature: –40° to 158°F (–40° to70°C)Storage humidity: 5 to 95% (RH), non-condensing RedundancyT wo hot swappable redundant power suppliesHot swappable redundant fansPerformanceSwitch fabric capacity: 3.6TbpsForwarding capacity: Up to 2,678 MppsPacket buffer memory: 22MB (16MB supported in initial release)CPU memory: 8GBMAC addresses: 132K (in scaled-l2-switch mode) ARP table: 82K (in scaled-l3-hosts mode)IPv4 routes: Up to 128KIPv6 routes: Up to 64K (20k currently supported) Multicast hosts: Up to 8KLink aggregation: 128 groups, 32 members per LAG groupLayer 2 VLANs: 4KMSTP: 64 instancesLAG Load Balancing: Based on layer 2, IPv4 or IPv6 header, or tunnel inner header contentsQoS data queues: 8QoS control queues: 12QoS: 1024 entries per TileIngress ACL: 1024 entries per TileEgress ACL: 1k entries per TilePre-Ingress ACL: 1k entries per TileIEEE Compliance802.1AB LLDP802.1D Bridging, STP802.1p L2 Prioritization802.1Q VLAN T agging, Double VLAN T agging,GVRP802.1Qbb PFC802.1Qaz ETS802.1s MSTP802.1w RSTP802.1X Network Access Control802.3ab Gigabit Ethernet (1000BASE-T) orbreakout802.3ac Frame Extensions for VLAN T agging 802.3ad Link Aggregation with LACP 802.3ba 40 Gigabit Ethernet (40GBase-SR4,40GBase-CR4, 40GBase-LR4, 100GBase-SR10, 100GBase-LR4, 100GBase-ER4) onoptical ports802.3bj 100 Gigabit Ethernet802.3u Fast Ethernet (100Base-TX) on mgmtports802.3x Flow Control802.3z Gigabit Ethernet (1000Base-X) with QSAANSI/TIA-1057 LLDP-MEDForce10 PVST+Jumbo MTU support 9,416 bytesLayer2 Protocols4301 Security Architecture for IPSec*4302 IPSec Authentication Header*4303 ESP Protocol*802.1D Compatible802.1p L2 Prioritization802.1Q VLAN T agging802.1s MSTP802.1w RSTP802.1t RPVST+802.3ad Link Aggregation with LACPVL T Virtual Link T runkingRFC Compliance768 UDP793 TCP854 T elnet959 FTP1321 MD51350 TFTP2474 Differentiated Services2698 T wo Rate Three Color Marker3164 Syslog4254 S SHv2General IPv4 Protocols791 I Pv4792 ICMP826 ARP1027 Proxy ARP1035 DNS (client)1042 Ethernet Transmission1191 Path MTU Discovery1305 NTPv41519 CIDR1542 BOOTP (relay)1858 IP Fragment Filtering2131 DHCP (server and relay)5798 V RRP3021 31-bit Prefixes3046 D HCP Option 82 (Relay)1812 Requirements for IPv4 Routers1918 Address Allocation for Private Internets2474 Diffserv Field in IPv4 and Ipv6 Headers2596 A ssured Forwarding PHB Group3195 Reliable Delivery for Syslog3246 E xpedited Assured Forwarding4364 V RF-lite (IPv4 VRF with OSPF and BGP)*General IPv6 Protocols1981 Path MTU Discovery*2460 I Pv62461 Neighbor Discovery*2462 S tateless Address AutoConfig2463 I CMPv62675 Jumbo grams3587 Global Unicast Address Format4291 IPv6 Addressing2464 T ransmission of IPv6 Packets over EthernetNetworks2711 IPv6 Router Alert Option4007 I Pv6 Scoped Address Architectureand Routers4291 IPv6 Addressing Architecture4861 Neighbor Discovery for IPv64862 I Pv6 Stateless Address Autoconfiguration5095 Deprecation of T ype 0 Routing Headers in IPv6IPv6 Management support (telnet, FTP, TACACS,RADI US, SSH, NTP)RIP1058 RIPv12453 R I Pv2OSPF (v2/v3)1587 NSSA (not supported in OSPFv3)1745 OSPF/BGP interaction1765 OSPF Database overflow2154 MD52328 OSPFv22370 Opaque LSA3101 OSPF NSSA3623 O SPF Graceful Restart (Helper mode)*BGP1997 Communities2385 M D52439 R oute Flap Damping2545 B GP-4 Multiprotocol Extensions for IPv6I nter-Domain Routing2796 Route Reflection2842 C apabilities2858 M ultiprotocol Extensions2918 Route Refresh3065 C onfederations4271 BGP-44360 E xtended Communities4893 4-byte ASN5396 4-byte ASN Representation5492 C apabilities AdvertisementMulticast1112 IGMPv12236 I GMPv23376 IGMPv3MSDPPIM-SMPIM-SSMNetwork Management1155 SMIv11157 SNMPv11212 Concise MIB Definitions1215 SNMP Traps1493 Bridges MIB1850 OSPFv2 MIB1901 Community-Based SNMPv22011 IP MIB2096 I P Forwarding T able MIB2578 SMI v22579 T extual Conventions for SMIv22580 C onformance Statements for SMIv22618 RADIUS Authentication MIB2665 E thernet-Like Interfaces MIB2674 Extended Bridge MIB2787 VRRP MIB2819 RMON MIB (groups 1, 2, 3, 9)2863 I nterfaces MIB3273 RMON High Capacity MIB3410 SNMPv33411 SNMPv3 Management Framework3412 Message Processing and Dispatching for theSimple Network Management Protocol (SNMP)3413 SNMP Applications3414 User-based Security Model (USM) forSNMPv33415 VACM for SNMP3416 SNMPv23417 Transport mappings for SNMP3418 SNMP MIB3434 R MON High Capacity Alarm MIB3584 C oexistance between SNMP v1, v2 and v3 4022 I P MIB4087 IP Tunnel MIB4113 UDP MIB4133 Entity MIB4292 M IB for IP4293 M IB for IPv6 T extual Conventions4502 R MONv2 (groups 1,2,3,9)5060 PIM MIBANSI/TIA-1057 LLDP-MED MIBDell_ITA.Rev_1_1 MIBdraft-ietf-idr-bgp4-mib-06 BGP MIBv1IEEE 802.1AB LLDP MIBIEEE 802.1AB LLDP DOT1 MIBIEEE 802.1AB LLDP DOT3 MIB sFlowv5 sFlowv5 MIB (version 1.3)DELL-NETWORKING-BGP4-V2-MIB(draft-ietf-idr-bgp4-mibv2-05)DELL-NETWORKING-IF-EXTENSION-MIBDELL-NETWORKING-LINK-AGGREGATION-MIB DELL-NETWORKING-COPY-CONFIG-MIBDELL-NETWORKING-PRODUCTS-MIBDELL-NETWORKING-CHASSIS-MIBDELL-NETWORKING-SMIDELL-NETWORKING-TCDELL-NETWORKING-TRAP-EVENT-MIBDELL-NETWORKING-SYSTEM-COMPONENT-MIB DELL-NETWORKING-FIB-MIBDELL-NETWORKING-FPSTATS-MIBDELL-NETWORKING-ISIS-MIBDELL-NETWORKING-FIPSNOOPING-MIBDELL-NETWORKING-VIRTUAL-LINK-TRUNK-MIB DELL-NETWORKING-DCB-MIBDELL-NETWORKING-OPENFLOW-MIBDELL-NETWORKING-BMP-MIBDELL-NETWORKING-BPSTATS-MIBSecuritydraft-grant-tacacs-02 TACACS+2404 The Use of HMACSHA-1-96 within ESP and AH 2865 R ADI US3162 Radius and IPv63579 RADIUS support for EAP3580 802.1X with RADIUS3768 EAP3826 A ES Cipher Algorithm in the SNMP User Base Security Model4250, 4251, 4252, 4253, 4254 SSHv24301 Security Architecture for IPSec4302 I PSec Authentication Header4807 IPsecv Security Policy DB MIBData center bridging802.1Qbb Priority-Based Flow Control802.1Qaz Enhanced Transmission Selection (ETS)* Data Center Bridging eXchange (DCBx)DCBx Application TLV (iSCSI, FCoE*) Regulatory complianceSafetyUL/CSA 60950-1, Second EditionEN 60950-1, Second EditionIEC 60950-1, Second Edition Including All National Deviations and Group DifferencesEN 60825-1 Safety of Laser Products Part 1: Equipment Classification Requirements and User’s GuideEN 60825-2 Safety of Laser Products Part 2: Safety of Optical Fibre Communication SystemsIEC 62368-1FDA Regulation 21 CFR 1040.10 and 1040.11 Emissions & ImmunityFCC Part 15 (CFR 47) (USA) Class AICES-003 (Canada) Class AEN55032: 2015 (Europe) Class ACISPR32 (International) Class AAS/NZS CISPR32 (Australia and New Zealand) Class AVCCI (Japan) Class AKN32 (Korea) Class ACNS13438 (T aiwan) Class ACISPR22EN55022EN61000-3-2EN61000-3-3EN61000-6-1EN300 386EN 61000-4-2 ESDEN 61000-4-3 Radiated ImmunityEN 61000-4-4 EFTEN 61000-4-5 SurgeEN 61000-4-6 Low Frequency Conducted Immunity NEBSGR-63-CoreGR-1089-CoreATT-TP-76200VZ.TPR.9305RoHSRoHS 6 and China RoHS compliantCertificationsJapan: VCCI V3/2009 Class AUSA: FCC CFR 47 Part 15, Subpart B:2009, Class A Warranty1 Year Return to DepotLearn more at /NetworkingIT Lifecycle Servicesfor NetworkingExperts, insights and easeOur highly trained experts, withinnovative tools and proven processes,help you transform your IT investments into strategic advantages.Plan & DesignLet us analyze yourmultivendor environmentand deliver a comprehensivereport and action plan to buildupon the existing network andimprove performance.Deploy & IntegrateGet new wired or wirelessnetwork technology installedand configured with ProDeploy.Reduce costs, save time, andget up and running fast.EducateEnsure your staff builds theright skills for long-termsuccess. Get certified on DellEMC Networking technologyand learn how to increaseperformance and optimizeinfrastructure.Manage & SupportGain access to technical expertsand quickly resolve multivendornetworking challenges withProSupport. Spend less timeresolving network issues andmore time innovating.OptimizeMaximize performance fordynamic IT environments withDell EMC Optimize. Benefitfrom in-depth predictiveanalysis, remote monitoringand a dedicated systemsanalyst for your network.RetireWe can help you resell or retireexcess hardware while meetinglocal regulatory guidelines andacting in an environmentallyresponsible way.Learn more at/lifecycleservices*Future release**Packet sizes over 147 Bytes。

Revision HistoryContentsIntroduction 4 Overview (4)Supporting Resources (4)Intended Audience (4)Service Overview 5 Service Purpose (5)How it works? (5)Service Endpoints 7 Staging (7)PostExportUsage (7)GetExportUsageStatus (7)Production (7)PostExportUsage (7)GetExportUsageStatus (7)Service Request & Response 8 Request (8)Authentication (8)PostExportUsage (9)GetExportUsageStatus (11)Response (11)PostExportUsage (11)GetExportUsageStatus (12)Output CSV File Structure (14)Sample Requests / Responses 17 PostExportUsage (17)GetExportUsageStatus (17)Formatting Standards 19 Error Messages 20 HTTP Status codes & errors (20)400 Bad Request errors (21)TablesTable 1: Detailed Authentication JSON Request Structure (9)Table 2: Detailed PostExportUsage JSON Request Structure (11)Table 3: Detailed GetExportUsageStatus JSON Request Structure (11)Table 4: Detailed PostExportUsage JSON Response Structure (12)Table 5: Detailed GetExportUsageStatus JSON Response Structure (13)Table 6: Detailed Output CSV Structure (16)Table 7: HTTP Status Codes & Errors (20)Table 8: 400 Bad Request Errors (21)FiguresFigure 1: File Generation Process (5)IntroductionOverviewThe Autodesk Partner Web Services platform is an automation solution for low-touch order placement by partners directly to Autodesk. This platform enables true B2B web service transactions between distribution partners and Autodesk.For partners to effectively implement Autodesk web services, partner developers should be familiar with RESTful web services, OAuth, and the JSON data-interchange format. Supporting ResourcesAutodesk Partner Developer Portal: The Autodesk Partner Developer Portal is a site for partner developers to build and test applications by subscribing to Autodesk Partner Web Services. The portal features a robust repository of service documentation, an ongoing conduit to the services to support partner teams, and a community to allow partner developers to share insights and information with each other. A partner administrator can invite and manage developers and keep track of all applications they create. Developers can learn and test services to help with application integration. For more information, please visit the Autodesk Partner Developer Portal.Authentication API Documentation: The Authentication API Documentation is intended to help partner developers understand and use the OAuth 2.0 industry-standard protocol for authorization required to use Autodesk Partner Web Services. The documentation provides basic information on web service integration and examples of developing a typical application. For more information, please visit the Autodesk Partner Developer Portal for the latest version of the API Authentication Guide.Intended AudienceThis guide is designed to teach architects, consultants, and developers about the Autodesk Partner Web Services platform, the onboarding process, and API implementation guidelines.Service OverviewService PurposeExportUsage API enables partners to export individual usage events for both regular Single User (SUS) and Flex Subscriptions:•Usage events for Single User Subscriptions represent logins by individual users to their products.•Usage events for Flex Subscriptions represent events where Tokens were burned down when users accessed and used individual products in their Flex Portfolio.How it works?File Generation ProcessFigure 1: File Generation Process1.Perform the Data request2.Store the password and jobID returned from the POST request3.Poll the jobID endpoint which will get redirected to the file when ready4.Download the file5.Decrypt the file using openssl and the password from step 26.Unzip the file using any standard unzip utility7.Export the data contained in the CSV file into Partner’s CRM/Database/System1.Data RequestThe POST request will be processed asynchronously and will queue the request and return the response on the job status check once it is completed.Please note that this is a POST API which will run asynchronously. A successful request to the service will return an HTTPS 202 redirect and a Location header pointing to an API endpoint for fetching the status of the created task. Partners can follow the redirect to check the status of their task.2.Status check and file download1.Check job while processing with GET handling 200-HTTPS response code2.Check job while processing returns completed processing with a 303-HTTPS response codeand a new Location Header3.Check the processed file by doing a GET on the returned location. Note this will be a signedURL with a short duration span to get it. In case it is expired you will have to repeat the step above to get a new non expired URL3.File decryptionFor security and data protection reasons, the created file is encrypted and only the authorized Partner will have access to the contained information. To decrypt the downloaded file, the password returned in the response of ExportUsage will be used. Please use the following commands based on your system’s OS:Linux/Unix/MacOSWindowsOnce the file has been decrypted, any standard unzip utility can be used to obtain the resulting CSV file.Resulting CSV file will follow RFC 4180: Common Format and MIME Type for Comma-Separated Values (CSV) Files.Service Endpoints StagingPostExportUsagehttps:///v1/export/usage GetExportUsageStatushttps:///v1/export/usage/{id} Production PostExportUsagehttps:///v1/export/usage GetExportUsageStatushttps:///v1/export/usage/{id}Service Request & ResponseRequestThe following tables explain the schema for the Request of the ExportUsage service.Please note that:•Bold denote objects and arrays•Cardinality: (M) Mandatory, (O) OptionalAuthenticationThese fields will be sent with every Request.* Please refer to https:///contents/files/user-guides/en/pws-api-authentication-guide.pdf for API Authentication details.Autodesk® Partner WebServices ExportUsage Service Reference Manual • 8PostExportUsageAutodesk® Partner WebServices ExportUsage Service Reference Manual • 9Table 2: Detailed PostExportUsage JSON Request Structure GetExportUsageStatusResponseThe following information represents the Response schema for the ExportUsage service.Please note that:•Bold denote objects and arrays•Cardinality: (M) Mandatory, (O) OptionalPostExportUsageGetExportUsageStatusOnce the job is completed, the service will respond with a 303 HTTPS Code, redirecting automatically to the file’s remote loc ation.Output CSV File Structure The information returned in the ExportUsage API is as follows:Sample Requests / Responses The following information are sample requests and responses to be used as reference. PostExportUsageGetExportUsageStatusFormatting StandardsUUID v4 – Unique, randomly generated stringhttps:///wiki/Universally_unique_identifier#Version_4_.28random.29 ISO 8601 – YYYY-MM-DD date format/iso/home/standards/iso8601.htmISO 639-1 – Two letter language code/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=22109 ISO 3166-1 alpha-2 format – two letter country code form/iso/country_codesRFC 1480 – Common Format and MIME Type for Comma-Separated Values (CSV) Files https:///html/rfc4180Error MessagesHTTP Status codes & errorsThe following are all known HTTP status codes, error codes, and messages returned by the service due to a failure to authenticate, bad request, or exceeding maximum traffic allowed by the service.400 Bad Request errorsThe following are all error codes, messages, and the reason for error returned when the service produces a 400 Bad Request or 500 Internal Server Error response.。

Network Working Group A. Gulbrandsen Request for Comments: 2782 Troll Technologies Obsoletes: 2052 P. Vixie Category: Standards Track Internet Software Consortium L. Esibov Microsoft Corp. February 2000 A DNS RR for specifying the location of services (DNS SRV)Status of this MemoThis document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions forimprovements. Please refer to the current edition of the "InternetOfficial Protocol Standards" (STD 1) for the standardization stateand status of this protocol. Distribution of this memo is unlimited.Copyright NoticeCopyright (C) The Internet Society (2000). All Rights Reserved.AbstractThis document describes a DNS RR which specifies the location of the server(s) for a specific protocol and domain.Overview and rationaleCurrently, one must either know the exact address of a server tocontact it, or broadcast a question.The SRV RR allows administrators to use several servers for a single domain, to move services from host to host with little fuss, and todesignate some hosts as primary servers for a service and others asbackups.Clients ask for a specific service/protocol for a specific domain(the word domain is used here in the strict RFC 1034 sense), and get back the names of any available servers.Note that where this document refers to "address records", it means A RR’s, AAAA RR’s, or their most modern equivalent.Gulbrandsen, et al. Standards Track [Page 1]DefinitionsThe key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT" and "MAY"used in this document are to be interpreted as specified in [BCP 14]. Other terms used in this document are defined in the DNSspecification, RFC 1034.Applicability StatementIn general, it is expected that SRV records will be used by clientsfor applications where the relevant protocol specification indicates that clients should use the SRV record. Such specification MUSTdefine the symbolic name to be used in the Service field of the SRVrecord as described below. It also MUST include securityconsiderations. Service SRV records SHOULD NOT be used in the absence of such specification.Introductory exampleIf a SRV-cognizant LDAP client wants to discover a LDAP server thatsupports TCP protocol and provides LDAP service for the domain., it does a lookup of_ldap._as described in [ARM]. The example zone file near the end of thismemo contains answering RRs for an SRV query.Note: LDAP is chosen as an example for illustrative purposes only,and the LDAP examples used in this document should not be considered a definitive statement on the recommended way for LDAP to use SRVrecords. As described in the earlier applicability section, consultthe appropriate LDAP documents for the recommended procedures.The format of the SRV RRHere is the format of the SRV RR, whose DNS type code is 33:_Service._ TTL Class SRV Priority Weight Port Target(There is an example near the end of this document.)ServiceThe symbolic name of the desired service, as defined in Assigned Numbers [STD 2] or locally. An underscore (_) is prepended tothe service identifier to avoid collisions with DNS labels that occur in nature.Gulbrandsen, et al. Standards Track [Page 2]Some widely used services, notably POP, don’t have a singleuniversal name. If Assigned Numbers names the serviceindicated, that name is the only name which is legal for SRVlookups. The Service is case insensitive.ProtoThe symbolic name of the desired protocol, with an underscore(_) prepended to prevent collisions with DNS labels that occurin nature. _TCP and _UDP are at present the most useful values for this field, though any name defined by Assigned Numbers orlocally may be used (as for Service). The Proto is caseinsensitive.NameThe domain this RR refers to. The SRV RR is unique in that the name one searches for is not this name; the example near the end shows this clearly.TTLStandard DNS meaning [RFC 1035].ClassStandard DNS meaning [RFC 1035]. SRV records occur in the INClass.PriorityThe priority of this target host. A client MUST attempt tocontact the target host with the lowest-numbered priority it can reach; target hosts with the same priority SHOULD be tried in an order defined by the weight field. The range is 0-65535. This is a 16 bit unsigned integer in network byte order.WeightA server selection mechanism. The weight field specifies arelative weight for entries with the same priority. Largerweights SHOULD be given a proportionately higher probability of being selected. The range of this number is 0-65535. This is a 16 bit unsigned integer in network byte order. Domainadministrators SHOULD use Weight 0 when there isn’t any serverselection to do, to make the RR easier to read for humans (less noisy). In the presence of records containing weights greaterthan 0, records with weight 0 should have a very small chance of being selected.In the absence of a protocol whose specification calls for theuse of other weighting information, a client arranges the SRVRRs of the same Priority in the order in which target hosts, Gulbrandsen, et al. Standards Track [Page 3]specified by the SRV RRs, will be contacted. The followingalgorithm SHOULD be used to order the SRV RRs of the samepriority:To select a target to be contacted next, arrange all SRV RRs(that have not been ordered yet) in any order, except that allthose with weight 0 are placed at the beginning of the list.Compute the sum of the weights of those RRs, and with each RRassociate the running sum in the selected order. Then choose auniform random number between 0 and the sum computed(inclusive), and select the RR whose running sum value is thefirst in the selected order which is greater than or equal tothe random number selected. The target host specified in theselected SRV RR is the next one to be contacted by the client.Remove this SRV RR from the set of the unordered SRV RRs andapply the described algorithm to the unordered SRV RRs to select the next target host. Continue the ordering process until there are no unordered SRV RRs. This process is repeated for eachPriority.PortThe port on this target host of this service. The range is 0-65535. This is a 16 bit unsigned integer in network byte order. This is often as specified in Assigned Numbers but need not be. TargetThe domain name of the target host. There MUST be one or moreaddress records for this name, the name MUST NOT be an alias (in the sense of RFC 1034 or RFC 2181). Implementors are urged, but not required, to return the address record(s) in the Additional Data section. Unless and until permitted by future standardsaction, name compression is not to be used for this field.A Target of "." means that the service is decidedly notavailable at this domain.Domain administrator adviceExpecting everyone to update their client applications when the first server publishes a SRV RR is futile (even if desirable). ThereforeSRV would have to coexist with address record lookups for existingprotocols, and DNS administrators should try to provide addressrecords to support old clients:- Where the services for a single domain are spread over severalhosts, it seems advisable to have a list of address records atthe same DNS node as the SRV RR, listing reasonable (if perhaps Gulbrandsen, et al. Standards Track [Page 4]suboptimal) fallback hosts for Telnet, NNTP and other protocols likely to be used with this name. Note that some programs only try the first address they get back from e.g. gethostbyname(),and we don’t know how widespread this behavior is.- Where one service is provided by several hosts, one can eitherprovide address records for all the hosts (in which case theround-robin mechanism, where available, will share the loadequally) or just for one (presumably the fastest).- If a host is intended to provide a service only when the mainserver(s) is/are down, it probably shouldn’t be listed inaddress records.- Hosts that are referenced by backup address records must use the port number specified in Assigned Numbers for the service.- Designers of future protocols for which "secondary servers" isnot useful (or meaningful) may choose to not use SRV’s supportfor secondary servers. Clients for such protocols may use orignore SRV RRs with Priority higher than the RR with the lowest Priority for a domain.Currently there’s a practical limit of 512 bytes for DNS replies.Until all resolvers can handle larger responses, domainadministrators are strongly advised to keep their SRV replies below512 bytes.All round numbers, wrote Dr. Johnson, are false, and these numbersare very round: A reply packet has a 30-byte overhead plus the nameof the service ("_ldap._" for instance); each SRV RRadds 20 bytes plus the name of the target host; each NS RR in the NS section is 15 bytes plus the name of the name server host; andfinally each A RR in the additional data section is 20 bytes or so,and there are A’s for each SRV and NS RR mentioned in the answer.This size estimate is extremely crude, but shouldn’t underestimatethe actual answer size by much. If an answer may be close to thelimit, using a DNS query tool (e.g. "dig") to look at the actualanswer is a good idea.The "Weight" fieldWeight, the server selection field, is not quite satisfactory, butthe actual load on typical servers changes much too quickly to bekept around in DNS caches. It seems to the authors that offeringadministrators a way to say "this machine is three times as fast asthat one" is the best that can practically be done.Gulbrandsen, et al. Standards Track [Page 5]The only way the authors can see of getting a "better" load figure is asking a separate server when the client selects a server andcontacts it. For short-lived services an extra step in theconnection establishment seems too expensive, and for long-livedservices, the load figure may well be thrown off a minute after theconnection is established when someone else starts or finishes aheavy job.Note: There are currently various experiments at providing relativenetwork proximity estimation, available bandwidth estimation, andsimilar services. Use of the SRV record with such facilities, and in particular the interpretation of the Weight field when thesefacilities are used, is for further study. Weight is only intendedfor static, not dynamic, server selection. Using SRV weight fordynamic server selection would require assigning unreasonably shortTTLs to the SRV RRs, which would limit the usefulness of the DNScaching mechanism, thus increasing overall network load anddecreasing overall reliability. Server selection via SRV is onlyintended to express static information such as "this server has afaster CPU than that one" or "this server has a much better networkconnection than that one".The Port numberCurrently, the translation from service name to port number happensat the client, often using a file such as /etc/services.Moving this information to the DNS makes it less necessary to update these files on every single computer of the net every time a newservice is added, and makes it possible to move standard services out of the "root-only" port range on unix.Usage rulesA SRV-cognizant client SHOULD use this procedure to locate a list of servers and connect to the preferred one:Do a lookup for QNAME=_service._protocol.target, QCLASS=IN,QTYPE=SRV.If the reply is NOERROR, ANCOUNT>0 and there is at least oneSRV RR which specifies the requested Service and Protocol inthe reply:If there is precisely one SRV RR, and its Target is "."(the root domain), abort.Gulbrandsen, et al. Standards Track [Page 6]Else, for all such RR’s, build a list of (Priority, Weight, Target) tuplesSort the list by priority (lowest number first)Create a new empty listFor each distinct priority levelWhile there are still elements left at this prioritylevelSelect an element as specified above, in thedescription of Weight in "The format of the SRVRR" Section, and move it to the tail of the newlistFor each element in the new listquery the DNS for address records for the Target oruse any such records found in the Additional Datasection of the earlier SRV response.for each address record found, try to connect to the(protocol, address, service).elseDo a lookup for QNAME=target, QCLASS=IN, QTYPE=Afor each address record found, try to connect to the(protocol, address, service)Notes:- Port numbers SHOULD NOT be used in place of the symbolic serviceor protocol names (for the same reason why variant names cannotbe allowed: Applications would have to do two or more lookups).- If a truncated response comes back from an SRV query, the rulesdescribed in [RFC 2181] shall apply.- A client MUST parse all of the RR’s in the reply.- If the Additional Data section doesn’t contain address recordsfor all the SRV RR’s and the client may want to connect to thetarget host(s) involved, the client MUST look up the addressrecord(s). (This happens quite often when the address recordhas shorter TTL than the SRV or NS RR’s.)Gulbrandsen, et al. Standards Track [Page 7]- Future protocols could be designed to use SRV RR lookups as themeans by which clients locate their servers.Fictional exampleThis example uses fictional service "foobar" as an aid inunderstanding SRV records. If ever service "foobar" is implemented,it is not intended that it will necessarily use SRV records. This is (part of) the zone file for , a still-unused domain:$ORIGIN .@ SOA . . (1995032001 3600 3600 604800 86400 )NS .NS .NS .; foobar - use old-slow-box or new-fast-box if either is; available, make three quarters of the logins go to; new-fast-box._foobar._tcp SRV 0 1 9 .SRV 0 3 9 .; if neither old-slow-box or new-fast-box is up, switch to; using the sysdmin’s box and the serverSRV 1 0 9 .SRV 1 0 9 .server A 172.30.79.10old-slow-box A 172.30.79.11sysadmins-box A 172.30.79.12new-fast-box A 172.30.79.13; NO other services are supported*._tcp SRV 0 0 0 .*._udp SRV 0 0 0 .Gulbrandsen, et al. Standards Track [Page 8]In this example, a client of the "foobar" service in the"." domain needs an SRV lookup of"_foobar._." and possibly A lookups of "new-fast-." and/or the other hosts named. The size of the SRV reply is approximately 365 bytes:30 bytes general overhead20 bytes for the query string, "_foobar._."130 bytes for 4 SRV RR’s, 20 bytes each plus the lengths of "new- fast-box", "old-slow-box", "server" and "sysadmins-box" -"" in the query section is quoted here and doesn’tneed to be counted again.75 bytes for 3 NS RRs, 15 bytes each plus the lengths of "server", "." and "ns2" - again, "." is quoted and only needs to be counted once.120 bytes for the 6 address records (assuming IPv4 only) mentioned by the SRV and NS RR’s.IANA ConsiderationsThe IANA has assigned RR type value 33 to the SRV RR. No other IANA services are required by this document.Changes from RFC 2052This document obsoletes RFC 2052. The major change from thatprevious, experimental, version of this specification is that now the protocol and service labels are prepended with an underscore, tolower the probability of an accidental clash with a similar name used for unrelated purposes. Aside from that, changes are only intendedto increase the clarity and completeness of the document. Thisdocument especially clarifies the use of the Weight field of the SRV records.Security ConsiderationsThe authors believe this RR to not cause any new security problems.Some problems become more visible, though.- The ability to specify ports on a fine-grained basis obviouslychanges how a router can filter packets. It becomes impossibleto block internal clients from accessing specific externalservices, slightly harder to block internal users from runningunauthorized services, and more important for the routeroperations and DNS operations personnel to cooperate.- There is no way a site can keep its hosts from being referencedas servers. This could lead to denial of service.Gulbrandsen, et al. Standards Track [Page 9]- With SRV, DNS spoofers can supply false port numbers, as well ashost names and addresses. Because this vulnerability existsalready, with names and addresses, this is not a newvulnerability, merely a slightly extended one, with littlepractical effect.ReferencesSTD 2: Reynolds, J., and J. Postel, "Assigned Numbers", STD 2, RFC 1700, October 1994.RFC 1034: Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, November 1987.RFC 1035: Mockapetris, P., "Domain names - Implementation andSpecification", STD 13, RFC 1035, November 1987.RFC 974: Partridge, C., "Mail routing and the domain system", STD14, RFC 974, January 1986.BCP 14: Bradner, S., "Key words for use in RFCs to IndicateRequirement Levels", BCP 14, RFC 2119, March 1997.RFC 2181: Elz, R. and R. Bush, "Clarifications to the DNSSpecification", RFC 2181, July 1997.RFC 2219: Hamilton, M. and R. Wright, "Use of DNS Aliases for Network Services", BCP 17, RFC 2219, October 1997.BCP 14: Bradner, S., "Key words for use in RFCs to IndicateRequirement Levels", BCP 14, RFC 2119, March 1997.ARM: Armijo, M., Esibov, L. and P. Leach, "Discovering LDAPServices with DNS", Work in Progress.KDC-DNS: Hornstein, K. and J. Altman, "Distributing Kerberos KDC and Realm Information with DNS", Work in Progress.Gulbrandsen, et al. Standards Track [Page 10]AcknowledgementsThe algorithm used to select from the weighted SRV RRs of equalpriority is adapted from one supplied by Dan Bernstein.Authors’ AddressesArnt GulbrandsenTroll TechWaldemar Thranes gate 98BN-0175 Oslo, NorwayFax: +47 22806380Phone: +47 22806390EMail: arnt@troll.noPaul VixieInternet Software Consortium950 Charter StreetRedwood City, CA 94063Phone: +1 650 779 7001Levon EsibovMicrosoft CorporationOne Microsoft WayRedmond, WA 98052EMail: levone@Gulbrandsen, et al. Standards Track [Page 11]Full Copyright StatementCopyright (C) The Internet Society (2000). All Rights Reserved.This document and translations of it may be copied and furnished toothers, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, publishedand distributed, in whole or in part, without restriction of anykind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, thisdocument itself may not be modified in any way, such as by removingthe copyright notice or references to the Internet Society or otherInternet organizations, except as needed for the purpose ofdeveloping Internet standards in which case the procedures forcopyrights defined in the Internet Standards process must befollowed, or as required to translate it into languages other thanEnglish.The limited permissions granted above are perpetual and will not berevoked by the Internet Society or its successors or assigns.This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERINGTASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDINGBUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATIONHEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OFMERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.AcknowledgementFunding for the RFC Editor function is currently provided by theInternet Society.Gulbrandsen, et al. Standards Track [Page 12]。

FortiAuthenticator FSSO Features§Enables identity and role-based security policies in the Fortinet secured enterprise network without the need for additional authentication through integration with Active Directory§Strengthens enterprise security by simplifying and centralizing the management of user identity informationAdditional FortiAuthenticator Features§Secure Two-factor / OTP Authentication with full support for FortiToken §RADIUS and LDAP Authentication§Certificate management for enterprise VPN deployment §IEEE802.1X support for wired and wireless network securitycommunicating this information to FortiGate devices for use in Identity-Based Policies.FortiAuthenticator delivers transparent identification via a wide range of methods: §Polling of an Active Directory Domain Controller;§Integration with FortiAuthenticator Single Sign-On Mobility Agent which detects login, IP address changes and logout;§FSSO Portal based authentication with tracking widgets to reduce the need for repeated authentications;§Monitoring of RADIUS Accounting Start records.DATA SHEETFortiAuthenticator ™User Identity Management and SIngle Sign-OnDATA SHEET: FortiAuthenticator ™HIGHLIGHTSFortiAuthenticator Single Sign-On User Identification MethodsFortiAuthenticator can identify users through a varied range of methods and integrate with third party LDAP or Active Directory systems to apply group or role data to the user and communicate with FortiGate for use in Identity based policies. FortiAuthenticator is completely flexible and can utilize these methods in combination. For example, in a large enterprise,primary method for transparent authentication with fallback to the portal for non-domain systems or guest users.Key Features & BenefitsFSSO Transparent User IdentificationZero impact for enterprise users.Integration with LDAP and AD for group membership Utilizes existing systems for network authorization information, reducing deployment times and streamlining management processes. Integration with existing procedures for user management.Wide range of user identification methods Flexible user identification methods for integration with the most diverse of enterprise environments.Enablement of identity and role-based securityAllows security administrator to give users access to the relevant network and application resources appropriate to their role, while retaining control and minimizing risk.DATA SHEET: FortiAuthenticator ™HIGHLIGHTSAdditional FunctionalityStrong User Identity with Two-factor Authentication FortiAuthenticator extends two-factor authentication capability to multiple FortiGate appliances and to third party solutions that support RADIUS or LDAP authentication. User identity information from FortiAuthenticator combined with authentication information from FortiToken ensures that only authorized individuals are granted access to your organization’s sensitive information. This additional layer of security greatly reduces the possibility of data leaks while helping companies meet audit requirements associated with government and business privacy regulations. FortiAuthenticator supports the widest range of tokens possible to suit your user requirements. With the physical time-based FortiToken 200, FortiToken Mobile (for iOS and Android), e-mail and SMS tokens, FortiAuthenticator has token options for all users and scenarios. Two-factor authentication can be used to control access to applications such as FortiGate management, SSL and IPsec VPN, Wireless Captive Portal login and third-party, RADIUS compliant networking equipment.To streamline local user management, FortiAuthenticator includes user self-registration and password recovery features.Enterprise Certificate Based VPNsSite-to-site VPNs often provide access direct to the heart of the enterprise network from many remote locations. Often these VPNs are secured simply by a preshared key, which, if compromised, could give access to the whole network. FortiOS support certificate-based VPNs; however, use of certificate secured VPNs has been limited, primarily due to the overhead and complexity introduced by certificate management. FortiAuthenticator removes this overhead involved by streamlining the bulk deployment of certificates for VPN use in a FortiGate environment by cooperating with FortiManager for the configuration and automating the secure certificate delivery via the SCEP protocol.For client-based certificate VPNs, certificates can be created and stored on the FortiToken 300 USB Certificate store. This secure, pin-protected certificate store is compatible with FortiClient and can be used to enhance the security of client VPN connections in conjunction with FortiAuthenticator.Additional Features & BenefitsRADIUS and LDAP User Authentication Local Authentication database with RADIUS and LDAP interfaces centralizes user management.Wide Range of Strong Authentication MethodsStrong authentication provided by FortiAuthenticator via hardware tokens, e-mail, SMS, e-mail and digital certificates help to enhance password security and mitigate the risk of password disclosure, replay or brute forcing.User Self-registration and Password Recovery Reduces the need for administrator intervention by allowing the user to perform their own registration and resolve their own password issues, which also improves user satisfaction.Integration with Active Directory and LDAP Integration with existing directory simplifies deployment, speeds up installation times and reutilizes existing development.Certificate Management Streamlined certificate management enables rapid, cost-effective deployment of certificate-based authentication methods such as VPN.802.1X AuthenticationDeliver enterprise port access control to validate users connection to the LAN and Wireless LAN to prevent unauthorized access to the network.DATA SHEET: FortiAuthenticator ™SPECIFICATIONSFortiAuthenticator 400CFortiAuthenticator 3000DFortiAuthenticator 1000D FortiAuthenticator 200D FortiAuthenticator Virtual ApplianceFortiAuthenticator 400E FortiAuthenticator 200EDATA SHEET: FortiAuthenticator™Maximum Virtual CPUs SupportedUnlimited Virtual NICs Required (Minimum / Maximum) 1 / 4Virtual Machine Storage (Minimum / Maximum) 60 GB / 2 TB Virtual Machine Memory Required (Minimum / Maximum)512 MB / 64 GBHigh Availability SupportActive-Passive HA and Config Sync HASPECIFICATIONSUL/cUL, CB, GOSTUL/cUL, CB, GOSTGLOBAL HEADQUARTERS Fortinet Inc.899 Kifer RoadSunnyvale, CA 94086United StatesTel: +/salesEMEA SALES OFFICE 905 rue Albert Einstein Valbonne 06560Alpes-Maritimes, France Tel: +33.4.8987.0500APAC SALES OFFICE 300 Beach Road 20-01The Concourse Singapore 199555Tel: +65.6395.2788LATIN AMERICA SALES OFFICE Sawgrass Lakes Center13450 W. Sunrise Blvd., Suite 430 Sunrise, FL 33323United StatesTel: +1.954.368.9990Copyright© 2016 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary and may be significantly less effective than the metrics stated herein. Network variables, different network environments and other conditions may negatively affect performance results and other metrics stated herein. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet and any such commitment shall be limited by the disclaimers in this paragraph and other limitations in the written contract. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests, and in no event will Fortinet be responsible for events or issues that are outside of its reasonable control. Notwithstanding anything to the contrary, Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.DATA SHEET: FortiAuthenticator ™ProductSKU DescriptionFortiAuthenticator 200D FAC-200D 4x GE RJ45 ports, 1x 1 TB HDD.FortiAuthenticator 200E FAC-200E 4x GE RJ45 ports, 1x 1 TB HDD.FortiAuthenticator 400C FAC-400C 4x GE RJ45 ports, 1x 1 TB HDD.FortiAuthenticator 400E FAC-400E 4x GE RJ45 ports, 2x 1 TB HDD.FortiAuthenticator 1000D FAC-1000D-E07S 4x GE RJ45 ports, 2x GE SFP , 2x 2 TB HDD.FortiAuthenticator 3000D FAC-3000D 4x GE RJ45 ports, 2x GE SFP , 2x 2 TB HDD.FortiAuthenticator-VM LicenseFAC-VM-Base Base FortiAuthenticator-VM with 100 user license. Unlimited vCPU.FAC-VM-100-UG FortiAuthenticator-VM with 100 user license upgrade. FAC-VM-1000-UG FortiAuthenticator-VM with 1,000 user license upgrade.FAC-VM-10000-UG FortiAuthenticator-VM with 10,000 user license upgrade.FAC-VM-100000-UG FortiAuthenticator-VM with 100,000 user license upgrade.FC1-10-0ACVM-248-02-12 1 Year 24x7 FortiCare Contract (1–500 users).FC2-10-0ACVM-248-02-12 1 Year 24x7 FortiCare Contract (1–1100 users).FC3-10-0ACVM-248-02-12 1 Year 24x7 FortiCare Contract (1–5100 users).FC4-10-0ACVM-248-02-12 1 Year 24x7 FortiCare Contract (1–10100 users).FC8-10-0ACVM-248-02-12 1 Year 24x7 FortiCare Contract (1–25100 users).FC5-10-0ACVM-248-02-12 1 Year 24x7 FortiCare Contract (1–50100 users).FC6-10-0ACVM-248-02-12 1 Year 24x7 FortiCare Contract (1–100100 users).FC9-10-0ACVM-248-02-12 1 Year 24x7 FortiCare Contract (1–500100 users).FC7-10-0ACVM-248-02-121 Year 24x7 FortiCare Contract (1–1M users).ORDER INFORMATION。

The Oakley Key Determination ProtocolHilarie OrmanUniversity of ArizonaTR9702AbstractThis document describes a protocol,named OAKLEY,by which two authenticated parties can agree on secure and secret keying material.The basic mechanism is the Diffie-Hellman key exchange algorithm.The OAKLEY protocol supports Perfect Forward Secrecy,compatibility with the ISAKMP protocol for managing security associations,user-defined abstract group structures for use with the Diffie-Hellman algorithm,key updates,and incorporation of keys distributed via out-of-band mechanisms.February17,1997Department of Computer ScienceThe University of ArizonaTucson,AZ85721Authors’address:Department of Computer Science,University of Arizona,Tucson,AZ85721.Email:ho@.IPSEC Working Group H.K.Orman INTERNET-DRAFT Dept.of Computer Science,Univ.of Arizona draft-ietf-ipsec-oakley-01.txt May1996The OAKLEY Key Determination Protocol<draft-ietf-ipsec-oakley-01.txt>This document describes a protocol,named OAKLEY, by which two authenticated parties can agree on secure and secret keying material.The basic mechanism is the Diffie-Hellman keyexchange algorithm.The OAKLEY protocol supports Perfect Forward Secrecy,compatibility with the ISAKMP protocol for managing securityassociations,user-defined abstract group structures for use with the Diffie-Hellman algorithm,key updates,and incorporation ofkeys distributed via out-of-band mechanisms.Status of this MemoThis RFC is being distributed to members of the Internet community in order to solicit their comments on the protocol described in it.This draft expires six months from the day of issue.The expiration date will be August24,1996.Required text:This document is an Internet-Draft.Internet-Drafts are workingdocuments of the Internet Engineering Task Force(IETF),itsareas,and its working groups.Note that other groups may alsodistribute working documents as Internet-Drafts.Internet-Drafts are draft documents valid for a maximum of sixmonths and may be updated,replaced,or obsoleted by otherdocuments at any time.It is inappropriate to use Internet-Drafts as reference material or to cite them other than as‘‘work in progress.’’To learn the current status of any Internet-Draft,please checkthe‘‘1id-abstracts.txt’’listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za(Africa), (Europe),munnari.oz.au(Pacific Rim),(US EastCoast),or (US West Coast).Distribution of this memo is unlimited.H.K.Orman[Page1]INTERNET DRAFT May1996 1.INTRODUCTIONKey establishment is the heart of data protection that relies oncryptography,and it is an essential component of the packetprotection mechanisms described in[RFC1825,RFC1826,RFC1827],for example.A scalable and secure key distribution mechanism for the Internet is a necessity.The goal of this protocol is to provide that mechanism,coupled with a great deal of cryptographic strength.The Diffie-Hellman key exchange algorithm provides such a mechanism.It allows two parties to agree on a shared value without requiring encryption.The shared value is immediately available for use in encrypting subsequent conversation, e.g.data transmission and/or authentication.The STS protocol[STS]provides a demonstration of how to embed the algorithm in a secure protocol,one that ensures that in addition to securely sharing a secret,the two parties can be sure of each other’s identities,even when an active attacker exists.Because OAKLEY is a generic key exchange protocol,and because the keys that it generates might be used for encrypting data with a long privacy lifetime,20years or more,it is important that thealgorithms underlying the protocol be able to ensure the security of the keys for that period of time,based on the best predictioncapabilities available for seeing into the mathematical future.The protocol therefore has two options for adding to the difficulties faced by an attacker who has a large amount of recorded key exchange traffic at his disposal(a passive attacker).These options areuseful for deriving keys which will be used for encryption.The OAKLEY protocol is related to STS,sharing the similarity ofauthenticating the Diffie-Hellman exponentials and using them for determining a shared key,and also of achieving Perfect ForwardSecrecy for the shared key,but it differs from the STS protocol in several ways.The first is the addition of a weak address identificationmechanism("cookies",described by Phil Karn[Photuris])to helpavoid denial of service attacks.The second extension is to allow the two parties to selectmutually agreeable supporting algorithms for the protocol:theencryption method,the key derivation method,and theauthentication method.Thirdly,the authentication does not depend on encryption usingthe Diffie-Hellman exponentials;instead,the authenticationvalidates the binding of the exponentials to the identities of the parties.The protocol does not require the two parties compute the sharedexponentials prior to authentication.This protocol adds additional security to the derivation of keysmeant for use with encryption(as opposed to authentication)by H.K.Orman[Page2]INTERNET DRAFT May1996 including a dependence on an additional algorithm.The derivation of keys for encryption is made to depend not only on the Diffie-Hellman algorithm,but also on the cryptographic method used tosecurely authenticate the communicating parties to each other.Finally,this protocol explicitly defines how the two parties can select the mathematical structures(group representation andoperation)for performing the Diffie-Hellman algorithm;they canuse standard groups or define their er-defined groupsprovide an additional degree of long-term security.OAKLEY has several options for distributing keys.In addition to the classic Diffie-Hellman exchange,this protocol can be used to derivea new key from an existing key and to distribute an externallyderived key by encrypting it.The protocol allows two parties to use all or some of the anti-clogging and perfect forward secrecy features.It also permits the use of authentication based on symmetric encryption or non-encryption algorithms.This flexibility is included in order to allow theparties to use the features that are best suited to their security and performance requirements.This document draws extensively in spirit and approach from thePhoturis draft by Karn and Simpson[Photuris](and from discussions with the authors),specifics of the ISAKMP draft by Schertler et al.[ISAKMP],and it was also influenced by papers by Paul van Oorschot and Hugo Krawcyzk.2.The Protocol Outline2.1General RemarksThe OAKLEY protocol is used to establish a shared key with anassigned identifier and associated authenticated identities for the two parties.The name of the key can be used later to derivesecurity associations for the RFC1826and RFC1827protocols(AH and ESP)or to achieve other network security goals.Each key is associated with algorithms that are used forauthentication,privacy,and one-way functions.These are ancillary algorithms for OAKLEY;their appearance in subsequent securityassociation definitions derived with other protocols is neitherrequired nor prohibited.The specification of the details of how to apply an algorithm to data is called a transform.This document does not supply the transformdefinitions;they will be in separate RFC’s.The anti-clogging tokens,or"cookies",provide a weak form of source address identification for both parties;the cookie exchange can be completed before they perform the computationally expensive part of the protocol(large integer exponentiations).H.K.Orman[Page3]INTERNET DRAFT May1996 It is important to note that OAKLEY uses the cookies for twopurposes:anti-clogging and key naming.The two parties to theprotocol each contribute one cookie at the initiation of keyestablishment;the pair of cookies becomes the key identifier(KEYID),a reusable name for the keying material.Because of this dual role,we will use the notation for the concatenation of thecookies("COOKIE-I,COOKIE-R")interchangeably with the symbol"KEYID".OAKLEY is designed to be a compatible component of the ISAKMPprotocol[ISAKMP],which runs over the UDP protocol using a well-known port(see the RFC on port assignments,STD02-RFC-1700).The only technical requirement for the protocol environment is that the underlying protocol stack must be able to supply the Internet address of the remote party for each message.Thus,OAKLEY could,in theory, be used directly over the IP protocol or over UDP,if suitableprotocol or port number assignments were available.The machine running OAKLEY must provide a good random numbergenerator,as described in[RFC1750],as the source of random numbers required in this protocol description.Any mention of a"nonce"implies that the nonce value is generated by such a generator.The same is true for"pseudorandom"values.2.2NotationThe section describes the notation used in this document for message sequences and content.2.2.1Message descriptionsThe protocol exchanges below are written in an abbreviated notation that is intended to convey the essential elements of the exchange ina clear manner.A brief guide to the notation follows.The detailedformats and assigned values are given in the appendices.In order to represent message exchanges succinctly,this document uses an abbreviated notation that describes each message in terms of its source and destination and relevant fields.Arrows("->")indicate whether the message sent from the initiator to the responder,or vice versa("<-").The fields in the message are named and comma separated.Theprotocol uses the convention that the first several fields constitutea fixed header format for all messages.For example,consider a HYPOTHETICAL exchange of messages involving afixed format message,the four fixed fields being two"cookies",the third field being a message type name,the fourth field being amulti-precision integer representing a power of a number:Initiator Responder->Cookie-I,0,OK_KEYX,gˆx->H.K.Orman[Page4]INTERNET DRAFT May1996 <-Cookie-R,Cookie-I,OK_KEYX,gˆy<-The notation describes a two message sequence.The initiator begins by sending a message with4fields to the responder;the first field has the unspecified value"Cookie-I",second field has the numeric value0,the third field indicates the message type is OK_KEYX,the fourth value is an abstract group element g to the x’th power.The second line indicates that the responder replies with value"Cookie-R"in the first field,a copy of the"Cookie-I"value in the second field,message type OK_KEYX,and the number g raised to the y’th power.The value OK_KEYX is in capitals to indicate that it is a uniqueconstant(constants are defined the appendices).2.2.2Guide to symbolsCookie-I and Cookie-R(or CKY-I and CKY-R)are64-bit pseudo-random numbers.The generation method must ensure with high probability that the numbers are unique over some previous time period,such as one hour.KEYID is the concatenation of the initiator and responder cookies and the domain of interpretation;it is the name of keying material.sKEYID is used to denote the keying material named by the KEYID.It is never transmitted,but it is used in various calculationsperformed by the two parties.OK_KEYX,OK_NEWGRP,and OK_SET_DEF are distinct message types.IDP is a bit indicating whether or not material after the encryption boundary(see appendix D),is encrypted.gˆx and gˆy are encodings of group elements,where g is a special group element indicated in the group description(see Appendix Group Descriptors)and gˆx indicates that element raised to the x’th power.The type of the encoding is either a variable precision integer or a pair of such integers,as indicated in the group operation in the group description.Note that we will write gˆxy as a short-hand for gˆ(xy).See Appendix J for references that describe implementing large integer computations and the relationship between various group definitions and basic arithmetic operations.EHAO is a list of encryption/hash/authentication choices.Each item is a of pair values:a class name and an algorithm name.EHAS is a set of three items selected from the EHAO list,one from each of the classes for encryption,hash,authentication.GRP is a name(32-bit value)for the group and its relevantparameters:the size of the integers,the arithmetic operation,and the generator element.There are a few pre-defined GRP’s(for768 H.K.Orman[Page5]INTERNET DRAFT May1996 bit modular exponentiation groups,1024bit modexp,2048bit modexp, 155-bit elliptic curve,see Appendix H),but participants can share other group descriptions in a later protocol stage(see the section NEW GROUP).The symbol vertical bar"|"is used to denote concatenation of bit strings.Ni and Nr are nonces selected by the initiator and responder,respectively.ID(I)and ID(R)are the identities to be used in authenticating the initiator and responder respectively.E{x}Ki indicates the encryption of x using the public key of theinitiator.Encryption is done using the algorithm associated with the authentication method;usually this will be RSA.S{x}Ki indicates the signature over x using the private key(signing key)of the ually this will be RSA or DSS.prf(a,b)denotes the result of applying pseudo-random function"a"to data"b".prf(0,b)denotes the application of a one-way function to data"b".The similarity with the previous notation is deliberate and indicates that a single algorithm, e.g.MD5,might will used for both purposes.In the first case a"keyed"MD5transform would be used with key"a";in the second case the transform would have the fixed key value zero, resulting in a one-way function.2.3The Key Exchange Message OverviewThe goal of key exchange processing of the secure establishment of common keying information state in the two parties.This stateinformation is a key name,secret keying material,the identification of the two parties,and three algorithms for use duringauthentication:encryption(for privacy of the identities of the two parties),hashing(a pseudorandom function for protecting theintegrity of the messages and for authentication),and authentication (the algorithm on which the authentication is based).The encodings and meanings for these choices are presented in Appendix B.The main mode exchange has five optional features:stateless cookie exchange,perfect forward secrecy for the keying material,secrecy for the identities,perfect forward secrecy for identity secrecy,useof signatures(for non-repudiation).The two parties can use all or none of these features.The general outline of processing is that the Initiator of theexchange begins by specifying as much information as he wishes in his first message.The Responder replies,supplying as much information H.K.Orman[Page6]INTERNET DRAFT May1996 as he wishes.The two sides exchange messages,supplying moreinformation each time,until their requirements are satisfied.The choice of how much information to include in each message dependson which options are desirable.For example,if stateless cookiesare not a requirement,and identity secrecy and perfect forwardsecrecy for the keying material are not requirements,and if non-repudiatable signatures are acceptable,then the exchange can becompleted in three messages.Additional features may increase the number of roundtrips needed forthe keying material determination.ISAKMP provides fields for specifying the security associationparameters for use with the AH and ESP protocols.These securityassociation payload types are specified in the ISAKMP draft;thepayload types can be protected with OAKLEY keying material andalgorithms,but this document does not discuss their use.2.3.1The Essential Key Exchange Message FieldsThere are12fields in an OAKLEY key exchange message.Not all thefields are relevant in every message;if a field is not relevant itcan have a null value or not be present(no payload).CK-I originator cookie.CK-R responder cookie.MSGTYPE for key exchange,will be ISA_KE&AUTH_REQ or ISA_KE&AUTH_REP;for new group definitions,will be ISA_NEW_GROUP_REQor ISA_NEW_GROUP_REPGRP the name of the Diffie-Hellman group used for the exchangegˆx(or gˆy)variable length integer representing a power ofgroup generatorEHAO or EHAS encryption,hash,authentication functions,offeredand selectedIDP an indicator as to whether or not encryption withgˆxy follows(perfect forward secrecy for ID’s) ID(I)the identity for the InitiatorID(R)the identity for the ResponderNi nonce supplied by the InitiatorNr nonce supplied by the ResponderThe construction of the cookies is implementation dependent.PhilKarn has recommended making them the result of a one-way functionapplied to a secret value(changed periodically),the local andremote IP address,and the local and remote UDP port.In this way,the cookies remain stateless and expire periodically.Note that with OAKLEY,this would cause the KEYID’s derived from the secret value to also expire,necessitating the removal of any state informationassociated with it.The encryption functions used with OAKLEY must be cryptographicH.K.Orman[Page7]INTERNET DRAFT May1996 transforms which guarantee privacy and integrity for the messagedata.Merely using DES in CBC mode is not permissible.TheMANDATORY and OPTIONAL transforms will include any that satisfy thiscriteria and are defined for use with RFC1827(ESP).The one-way(hash)functions used with OAKLEY must be cryptographictransforms which can be used as either keyed hash(pseudo-random)ornon-keyed transforms.The MANDATORY and OPTIONAL transforms willinclude any that are defined for use with RFC1826(AH).Where nonces are indicated,they will be variable precision integerswith an entropy value that matches the"strength"attribute of theGRP used with the exchange.If no GRP is indicated,the nonces mustbe at least90bits long.The pseudo-random generator for the noncematerial should start with initial data that has at least90bits ofentropy;see RFC1750.2.3.2Mapping to ISAKMP Message StructuresAll the OAKLEY message fields correspond to ISAKMP message payloadsor payload components.The relevant payload fields are the SApayload,the AUTH payload,the Certificate Payload,the Key ExchangePayload.Some of the ISAKMP header and payload fields will have constantvalues when used with OAKLEY:DOI,the Domain of Interpretation,will have the value INTERNET.In thisdocument,the DOI will not be mentioned;it is assumed that thesoftware implementing OAKLEY will always be in the IPv4or IPv6DOI.Unless otherwise noted,the Key Exchange Identifier is Oakley Main Mode.In the SA Payload,the Situation is ISAKMPIDIn the following we indicate where each OAKLEY field appears in theISAKMP message structure.CK-I ISAKMP headerCK-R ISAKMP headerMSGTYPE Message Type in ISAKMP headerGRP In ISAKMP header(replaces SPI’s)gˆx(or gˆy)Key Exchange Payload,encoded as a variable precision integer EHAO and EHAS SA payload,Proposal sectionIDP Exchange field in the AUTH Payload headerID(I)AUTH payload,Identity fieldID(R)AUTH payload,Identity fieldNi AUTH payload,Nonce FieldNr AUTH payload,Nonce FieldS{...}Kx AUTH payload,Data Fieldprf{K,...}AUTH payload,Data FieldH.K.Orman[Page8]INTERNET DRAFT May19962.4The Key Exchange ProtocolThe exact number and content of messages exchanged during an OAKLEYkey exchange depends on which options the Initiator and Responderwant to use.A key exchange can be completed with three or moremessages,depending on those options.The three components of the key determination protocol are the1.cookie exchange(optionally stateless)2.Diffie-Hellman half-key exchange(optional,but essential forperfect forward secrecy)3.authentication(options:privacy for ID’s,privacy for ID’s with PFS,non-repudiatable)The initiator can supply as little information as a bare exchangeexchange request,carrying no additional information.On the otherhand the initiator can begin by supplying all of the informationnecessary for the responder to authenticate the request and completethe key determination quickly,if the responder chooses to acceptthis method.If not,the responder can reply with a minimal amountof information(at the minimum,a cookie).The Initiator is responsible for retransmitting messages if theprotocol does not terminate in a timely fashion.The Responder musttherefore avoid discarding reply information until it is acknowledgedby Initiator in the course of continuing the protocol.The remainder of this section contains examples demonstrating how touse OAKLEY options.2.4.1An Aggressive ExampleThe following example indicates how two parties can complete a keyexchange in two messages.The identities are not secret,the derivedkeying material is protected by PFS.By using digital signatures,the two parties will have a proof ofcommunication that can be recorded and presented later to a thirdparty.The keying material implied by the group exponentials is not neededfor completing the exchange.If it is desirable to defer thecomputation,the implementation can save the"x"and"gˆy"values andmark the keying material as"uncomputed".It can be computed fromthis information later.Initiator Responder ------------------->CKY-I,0,OK_KEYX,GRP,gˆx,EHAO,NIDP,-> ID(I),ID(R),Ni,S{ID(I),ID(R),Ni,0,GRP,gˆx,EHAO}Ki<-CKY-R,CKY-I,OK_KEYX,GRP,gˆy,EHAS,NIDP,H.K.Orman[Page9]INTERNET DRAFT May1996 ID(R),ID(I),Nr,NiS{ID(R),ID(I),Nr,Ni,GRP,gˆy,EHAS}Kr<-->CKY-I,CKY-R,OK_KEYX,0,0,0,NIDP,-> Ni,Nr,S{ID(I),ID(R),Ni,Nr}KiNB"NIDP"means that the PFS option for hiding identities is not used.i.e.,the identities are not encrypted using gˆxyThe result of this exchange is a key with KEYID=CKY-I|CKY-R andvaluesKEYID=prf(Ni|Nr,gˆxy|CKY-I|CKY-R).The processing outline for this exchange is as follows:InitiationThe initiator generates a unique cookie and associates it with the expected IP address of the responder,and its chosen stateinformation:GRP,gˆx,EHAO list.The first authentication choice in the EHAO list is an algorithm that supports digital signatures, and this is used to sign the ID’s and the nonce and group id.The initiator furthernotes that the key is in the initial state of"unauthenticated",andsets a timer for possible retransmission and/or termination of the request.When responder receives the message,he may choose to ignore all the information and treat it as merely a request for a cookie,creating no state.If CKY-I is not already in use by the source address in the IP header,the responder generates a unique cookie,CKY-R.The next steps depend on the responders preferences.The minimalrequired response is to reply with the first cookie field set to zero and CKY-R in the second field.For this example we will assume that responder is more aggressive and accepts the following:group GRP,first authentication choice(which must be a digital signature),lack of perfect forward secrecy for protecting the identities,identity ID(I),identity ID(R)The responder must validate the signature over the signed portion of the message,and associate the pair(CKY-I,CKY-R)with the following state information:the network address of the messagekey state of"unauthenticated"the first algorithm from the authentication offergroup GRP and a gˆy value in group GRPH.K.Orman[Page10]INTERNET DRAFT May1996 the nonce Ni and a pseudorandomly selected value Nra timer for possible destruction of the state.The responder then signs the state information with the public key of ID(R)and sends it to the initiator.In this example,to expedite the protocol,the responder implicitly accepts the first algorithm in the Authentication class of the EHAO list.This because he cannot validate the initiator signaturewithout accepting the algorithm for doing the signature.Theresponder’s EHAS list will also reflect his acceptance.The initiator receives the reply message andvalidates that CKY-I is a valid association for the networkaddress of the incoming message,adds the CKY-R value to the state for the pair(CKY-I,networkaddress),and associates all state information with the pair(CKY-I,CKY-R),adds gˆy to its state information,pseudorandomly chooses an exponent x and computes thecorresponding gˆx value,saves the EHA selections in the state,optionally computes(gˆx)ˆy(=gˆxy)at this point,andsends the reply message,signed with the public key of ID(I).marks the KEYID(CKY-I|CKY-R)as authenticated.When the responder receives this message,it marks the key as being in the authenticated state.If it has not already done so,it should compute gˆxy and associate it with the KEYID.Note that although PFS for identity protection is not used,PFS for the derived keying material is still present because the Diffie-Hellman half-keys gˆx and gˆy are exchanged.2.4.1.1Signature via Pseudo-Random FunctionsThe aggressive example is written to suggest that public keytechnology is used for the signatures.However,a pseudorandomfunction can be used,if the parties have previously agreed to such ascheme and have a shared key.If the first proposal in the EHAO list is an"existing key"method, then the KEYID named in that proposal will supply the keying material for the"signature"which is computed using the"H"algorithmassociated with the KEYID.H.K.Orman[Page11]INTERNET DRAFT May1996 Suppose the first proposal in EHAO isEXISTING-KEY,32and the"H"algorithm for KEYID32is MD5-HMAC,by prior negotiation.The keying material is some string of bits,call it sK32.Then in the first message in the aggressive exchange,where the signature S{ID(I),ID(R),Ni,0,GRP,gˆx,EHAO}Kiis indicated,the signature computation would be performed by MD5-HMAC_func(KEY=sK32,DATA=ID(I)|ID(R)|Ni|0|GRP|gˆx |EHAO)(The exact definition of the algorithm corresponding to"MD5-HMAC-func"will appear in the RFC defining that transform).The result of this computation appears in the Authentication payload.2.4.2An Aggressive Example With Hidden IdentitiesThe following example indicates how two parties can complete a key exchange without using digital signatures.Public key cryptography hides the identities during authentication.The group exponentials are exchanged and authenticated,but the implied keying material(gˆxy)is not needed during the exchange.This exchange has an important difference from the previous signature scheme---in the first message,an identity for the responder is indicated as cleartext:ID(R’).However,the identity hidden with the public key cryptography is different:ID(R).This happensbecause the Initiator must somehow tell the Responder whichpublic/private key pair to use for the decryption,but at the same time,the identity is hidden by encryption with that public key.The Initiator might elect to forgo secrecy of the Responder identity, but this is undesirable.Instead,if there is a well-known identity for the Responder node,the public key for that identity can be used to encrypt the actual Responder identity.Initiator Responder ------------------->CKY-I,0,OK_KEYX,GRP,gˆx,EHAO,NIDP,-> ID(R’),E{ID(I),ID(R),E{Ni}Kr}Kr’,<-CKY-R,CKY-I,OK_KEYX,GRP,gˆy,EHAS,NIDP,E{ID(R),ID(I),Nr}Ki,prf(Kir,ID(R)|ID(I)|Nr|Ni|GRP|gˆy|gˆx)<-->CKY-I,CKY-R,OK_KEYX,GRP,0,0,NIDP,prf(Kir,ID(I)|ID(R)|Ni|Nr|GRP|gˆx|gˆy)->。

1 Datasheet | NRF | Version 4.0Copyright © 2020, Oracle and/or its affiliates | PublicOracle Communications Cloud Native Core, NetworkRepository Function (NRF)Oracle Communications Cloud Native Core, Network Repository Function (NRF) serves as a registrar for all 5G Network Functions (NFs) and allow the NFs to register and discover each other via a standards based API. The NRF enhances flexibility and efficiency of the 5G core network and is a key component required to implement the new Service Based Architecture (SBA) in the 5G core.OVERVIEWWith its high speeds, low latency and massive bandwidth features, 5G promises to cater to a vast array of use cases. To support these, the control plane architecture of the 5G core network is drastically enhanced. The control plane in the 5G core network is based on Service Based Architecture (SBA) wherein different Network Functions (NFs) expose their services to other NFs in the core using new the Service BasedInterfaces (SBIs). This decoupling between the service consumer and service provider increases the flexibility and efficiency of the new 5G core network. 3GPP has defined a dedicated function called NF Repository Function to enable this kind of service discovery and management.PRODUCT DESCRIPTIONOracle Communications Cloud Native Core, Network Repository Function is a key component of the 5G Service Based Architecture. The NRF works to maintain an updated repository of all the 5G elements available in the operator's network. It also keeps the status of the services provided by each of the elements in the 5G core that are expected to be instantiated, scaled and terminated without manual intervention. Given its role in the 5G core, the Oracle Communications NRF interacts with every other element in the core of the Home Public Land Mobile Network (HPLMN) and provides management and discovery services besides providing authorization andKey Business BenefitsOracle Communications Network Reposiroty Function is the practical realization of SBA. It is the mostfundamental NF required to implement 5G:∙ Works as a centralized repository to increases the efficiency, scalability and flexibility of a 5G core network. ∙ Helps CSPs to effectively manage their 5G network by providing automated resource control in the core ∙ Improves 5G network robustness by eliminating the need for network configuration every time a new NF is added or removed from the network, or every time NF capacity is updated due to elasticity needs. .2 Datasheet | NRF | Version 4.0Copyright © 2020, Oracle and/or its affiliates | Publicauthentication. It not only reduces the processing burden on consumer NFs, but also supports options to prioritize discovery results based on: location,registered priority, capacity,Or, nework load.Oracle Communications NRF functions in stand-alone mode as defined in 3GPP Rel. 16. However there are significant benefits in integrating it with OracleCommunications Service Communication Proxy (SCP) for better selection results. Oracle Communication Cloud Native Core, NRF supports a range of differentiated features like monitoring and visibility, auto scaling up/down, NRF overload andnotification throttling, enhanced discovery based on true load and is HTTPS & Oauth 2.0 compliant. The feature rich Oracle’s NRF supports the following:∙API gateway: The API gateway hides the deployment details of internal services and other components from external entities. OracleCommunications NRF uses Ambassador API gateway to enable this.∙NF Registration: This microservice provides the registration functionality defined as part of NRF management services. It stores the registered profiles.∙NF Subscription: This microservice provides the subscription functionality defined as part of NRF management services. It stores the subscription data and sends NF notification to the consumer subscribed for NF services.∙ NF Discovery: This microservice provides the functionality defined as part of NRF discovery services.∙ Oracle Communications NRF Auditor: This is an internal microservice, it removes stale entries from the NRF database.∙ Enhanced discovery: Configurable option to limit the instances returned in discovery result.∙ Supports monitoring and visibility to provide network traffic view. ∙Supports loggings and tracing.Table 1: Services offered by Oracle Communications Cloud Native Core NRF ServicesDecsriptionNRF Management ServiceRegister NF instance (NFRegister) – Allows for an NF instance to register its profile.Update NF instance (NFUpdate) – Allows for an NF instance to update partially or replace the parameters of its profile in the NRFDe-register NF instance (NFDeregister ) - Allows for an NF instance to de-register its profileSubscribe to Status (NFStatusSubscribe ) – Allows for an NF instance to subscribe to changes on the status of other NF instances registered in the NRFUnsubscribe to Status (NFStatusUnsubscribe) – Allow for an NF instance to unsubscribe to changes on the status of other NF instancesReceive Notifications of Status (NFStatusNotify) – Allows the NRF to notify of changes in NF instances status to any subscribers of NF status.Key Features∙ Implemented as a cloud nativefunctionality based on microservices architecture ∙ Compliant with 3GPP Release 16 specifications ∙ Supports enhanced discovery ∙ Supports NF management, discovery and authorization services ∙ Supports deployment at PLMN/shared slice and slice specific levels ∙ Supports recursive lookups ∙ Supports discovery to/from foreign PLMNs ∙ Can be combined with Oracle SCP to enable more optimized NF selection ∙ Supports full address resolution database ∙ Provides metrics, kpi(s), alerts, tracing and logging ∙ Supports custom NF3 Datasheet | NRF | Version 4.0Copyright © 2020, Oracle and/or its affiliates | PublicFigure 1. Oracle Communications Cloud Native Core, NRF System ArchitectureSUMMARYNetwork Repository Function completes a 5G core network and helps CSPs to fully exploit the flexibility and efficiency of the new 5G core network architecture bydecoupling the service consumers and service providers. Given its role in the 5G core, the NRF interacts with every other element in the core of the HPLMN and supports SBA. Oracle Communications is on the journey of reimagining communications to connect the world, and focus deeply on quality, customer centricity and security to design various telecom applications. In the same capacity Oracle Communications NRF is designed with cutting edge Oracle engineering and is compliant with 3GPP release 16 standards. Oracle Communications empowers CSPs to launch the best in breed features and create differentiation in the market by offering world class reliable products.Oracle Communications Solutions ∙ Oracle Communications Cloud Native Core, Binding Support Function (BSF) ∙ Oracle Communications Cloud Native Core, Service Communication Proxy (SCP) ∙ Oracle Communications Cloud Native Core, Unified Data Repository (UDR) ∙ Oracle Communications Cloud Native Core, Unstructured Data Storage Function (UDSF) ∙ Oracle Communications Cloud Native Core, Policy Control Function (PCF) ∙ Oracle Communications Cloud Native Core, Policy and Charging Rules Function (cnPCRF) ∙ Oracle Communications Cloud Native Core, Network Function Cloud Native Environment (NF CNE) ∙ Oracle Communications Cloud Native Core, Interworking and Mediation Function (IWF) ∙ Oracle Communications Cloud Native Core, Network Exposure Function (NEF) ∙ Oracle Communications Cloud Native Core, Network Slice Selection Function (NSSF)∙ Oracle Communications Cloud Native Core, Security and Edge Protection Proxy (SEPP) Oracle Communications Cloud Native deployable Network Functions (NFs) enable service providers to manage and monetize the 5G network. CSPs can manage and analyze quality of service and create policies for innovative digital lifestyle services through OracleCommunications products and solutions.CONNECT WITH USCall +1.800.ORACLE1 or visit .Outside North America, find your local office at /contact./oracle /oracleCopyright © 2020, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only, and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. 0120。