Network Working Group T. Johannsen
Request for Comments: 1608 Dresden University
Category: Experimental G. Mansfield
AIC Systems Laboratory
M. Kosters
Network Solutions,Inc.
S. Sataluri
AT&T Bell Laboratories
March 1994
Representing IP Information in the X.500 Directory
Status of this Memo
This memo defines an Experimental Protocol for the Internet
community. This memo does not specify an Internet standard of any
kind. Discussion and suggestions for improvement are requested.
Distribution of this memo is unlimited.
Abstract
This document describes the objects necessary to include information
about IP networks and IP numbers in the X.500 Directory. It extends
the work "Charting networks in the X.500 Directory" [1] where a
general framework is presented for representing networks in the
Directory by applying it to IP networks. This application of the
Directory is intended to support the work of IP network assigning
authorities, NICs, as well as other applications looking for a
mapping of IP numbers to data of related networks. Furthermore,
Autonomous Systems and related routing policy information can be
represented in the Directory along with their relationship to
networks and organizations.
Johannsen, Mansfield, Kosters & Sataluri [Page 1]
RFC 1608 IP Information in the X.500 Directory March 1994
Table of Contents
1. Introduction 2
2. IP images of networks 3
2.1 IP network image 3
2.2 IP node image 5
2.3 IP network interface image 6
2.4 Autonomous Systems 7
3. Number assignment information 7
3.1 Delegated Block object 8
3.2 IP Group object 9
3.3 IP Reference object 10
3.4 AS Block object 10
3.5 AS Reference object 10
4. Directory tree 11
4.1 IP image objects 11
4.2 AS objects 11
4.3 Namespace objects 11
4.4 Relationship to organizational entries 13
5. Security Considerations 14
6. Authors' Addresses 15
References 16
Appendix: OID tables 17
1. Introduction
Information related to the Internet Network Infrastructure is created
and stored by a number of different organizations, such as the
Internet Assigned Numbers Authority (IANA), Internet Registry (IR),
Network Information Centers (NICs), and the NSFNET Network Operations
Center (NOC). This information is generally "mastered" (stored and
maintained) by these organizations on a centralized basis, i.e.,
there is a single place to look for a definitive list of entries for
these categories. This has worked well in the past but given the
tremendous growth of the Internet and its number of users and
networks, it is essential that a distributed schema be used.
The X.500 Directory offers the appropriate technology for
implementing this distributed method of managing network
infrastructure information.
The following goals are addressed in this document:
o Provision of IP specific images of network elements
o Mapping from Network Number to network, owner, provider etc.
o Support of delegation of IP address blocks
o Storage of high-level routing policies and AS information
o Support of "classless" network address formats
Johannsen, Mansfield, Kosters & Sataluri [Page 2]
RFC 1608 IP Information in the X.500 Directory March 1994
o Provision of several organizational images of a network
It may be noted that the document basically consists of two parts.
In the first part, an IP specific extension of the general framework
"Charting networks in the Directory" [1] is given. Objects defined
by the application of this framework are related to IP numbers. An IP
namespace is defined in the second part of this paper, referring to
IP network elements defined at the beginning.
2. IP images of networks
As defined in [1], networks are modeled as a set of subnetworks and
nodes, called network elements in the remainder. To obtain a
particular view of a network element, images were introduced. Below,
images of network elements for an IP specific view are defined.
Please note that images contain references to underlying physical
information about elements.
In the remainder, ipStringSyntax is used as attribute type for all
attributes that are to hold an IP number. Currently, there are two
definitions for a syntax like this:
o IpAddress as of [5]
o ip as of [6]
It is suggested to use CaseIgnoreStringSyntax for implementations for
the time being with the convention to use the ordinary IP syntax.
Nevertheless, an OID has been reserved for ipStringSyntax (see
Appendix).
2.1 IP network image
IP network image is one application of network images and therefore
inherits the networkImageClass. This class is given below for
reference only, its definition can be found in [1].
networkImage OBJECT CLASS
SUBCLASS of ImageCommunicationObject
MAY CONTAIN
externalGateway :: distinguishedNameSyntax,
/* points to one or more nodes that act
as gateway for the protocol application
this image refers to */
An IP network combines all network elements that have a common IP
network number. Presently, IP network numbers fall into one of the
classes A, B, or C. However, sub- and supernetworking is already done
broadly, and classless networks numbers are expected to be assigned
Johannsen, Mansfield, Kosters & Sataluri [Page 3]
RFC 1608 IP Information in the X.500 Directory March 1994
soon. [2] proposes to assign bitwise contiguous blocks of class-C-
addresses to all networks with more than 255 nodes. The definition of
IP network, therefore, is always related to common network number and
network mask.
IP networks have a very close relationship to the Domain Name System.
Several attributes are introduced to take care of these relations.
Though we do not intend to abolish the existing DNS service, the
schema defined here is able to provide the mapping IP number to
domain name and vice versa.
An IP network image object as defined below is intended to provide
technical and administrative data for one IP network. Attributes hold
information that a NIC-WHOIS server would reveal for the network, and
more.
ipNetworkImage OBJECT CLASS
SUBCLASS of NetworkImage
MUST CONTAIN
ipNetworkImageName :: CaseIgnoreString,
/* common name */
ipNwNumber :: IPStringSyntax,
/* the IP network number for
this (sub)network */
ipNwMask :: IPStringSyntax
/* mask that applies to ipNwNumber
in order to define classless
network number; also used for routing */
MAY CONTAIN
/* DNS related info ; e.g. - */
associatedDomain :: CaseIgnoreStringSyntax,
/* the domain name associated to this IP network;
As there is not always a 1:1 mapping between traditional
IP numbers and domain names, the name given here
should contain the "closest match".
1) (sub)network does not have a domain name
of its own, but is part of a bigger domain:
take name of that domain
2) network is divided into several domains,
therefore having more than one domain name:
list all of them.
Note: a reverse mapping of domain names to
networks/nodes can be achieved by a modified
implementation of RFC1279 */
inAddrServer :: DistinguishedNameSyntax,
/* refers to the ipNodeImageObject of the
inaddr Server that holds information about
Johannsen, Mansfield, Kosters & Sataluri [Page 4]
RFC 1608 IP Information in the X.500 Directory March 1994
this network */
/* routing policy; e.g. - */
asNumber :: integerStringSyntax,
/* number of Autonomous System this network belongs to */
acceptedUsagePolicy :: caseIgnoreStringSyntax,
/* semantics to be defined */
/* Any other - */
provider :: DistinguishedNameSyntax,
/* points to network provider */
onlineDate :: uTCTimeSyntax
/* date when network got connected to the Internet */
2.2 IP node image
If a node in the network is running the IP protocol, an
ipNodeImageObject should be created for this node. This image is a
subclass of nodeImageClass and holds IP specific information. The
nodeImageClass is given below for reference only, its definition can
be found in [1].
nodeImage OBJECT CLASS
SUBCLASS of ImageCommunicationObject
/* no attributes common for all nodeImages have been
defined yet */
An ipNodeImage is used to obtain technical and administrative
information on a host. The object is defined as follows:
ipNodeImage OBJECT CLASS
SUBCLASS of NodeImage
MUST CONTAIN
ipNodeName :: CaseIgnoreString
/* common name, it is advised to use
the hostname for this purpose */
MAY CONTAIN
protocol :: CaseIgnoreString,
/* name and version of IP protocol running */
domainName :: CaseIgnoreString,
/* the complete domain name of this node;
CNAMEs can be stored additionally to the
DNS A record name;
further relationships, like MX record entries,
should be taken care of by the domain name tree
according to RFC 1279 */
Johannsen, Mansfield, Kosters & Sataluri [Page 5]
RFC 1608 IP Information in the X.500 Directory March 1994
2.3 IP network interface image
The most important IP related information of a node (its IP
addresses) is registered with ipNetworkInterfaceImageObjects. This
picture is accurate as a node can have several IP addresses, but at
most one per interface. Furthermore, it shows clearly the
relationship between interface and neighboring IP network.
IpNetworkInterfaceImage is a subclass of networkInterfaceImageClass.
The networkInterfaceImageClass is given below for reference only, its
definition can be found in [1]. Note that for
ipNetworkInterfaceImage all references are drawn in the context of
IP, i.e., networkInterfaceAddress becomes an IP address and
connectedNetwork points to an ipNetworkImageObject.
networkInterfaceImage OBJECT CLASS
SUBCLASS of ImageCommunicationObject
MAY CONTAIN
networkInterfaceAddress :: caseIgnoreStringSyntax,
/* this interface's address in the context the
image refers to, e.g. IP number, NSAP */
connectedNetwork :: distinguishedNameSyntax
/* pointer to networkImageObject that describes
the network this interface is attached to in terms
of the protocol or application the images
indicates */
Additionally, ipNetworkInterfaceImageObject has the following
properties:
ipNetworkInterfaceImage OBJECT CLASS
SUBCLASS of NetworkInterfaceImage
MUST CONTAIN
ipNetworkInterfaceName :: CaseIgnoreStringSyntax
/* It is suggested that the interface name
is derived from the name of the logical
device this interface represents for the
operating system, e.g. le0, COM1 */
MAY CONTAIN
ipNwMask :: IPStringSyntax
/* mask that applies to networkInterfaceAddress for
routing of packets to nodes on the connected
(broadcast) network;
Note: This is only a fraction
of the routing table information
for this interface, namely for one hop. */
Johannsen, Mansfield, Kosters & Sataluri [Page 6]
RFC 1608 IP Information in the X.500 Directory March 1994
2.4 Autonomous Systems
Autonomous Systems (AS) are defined in asObject which is a subclass of
imageCommunicationObject. It provides technical and administrative
information of an AS. Furthermore, routing policies can be stored with
the AS object. The definition of the AS object is aligned with the
corresponding database object defined in [3].
as OBJECT CLASS
SUBCLASS of ImageCommunicationObject
MUST CONTAIN
asNumber :: IntegerStringSyntax
MAY CONTAIN
asName :: CaseIgnoreStringSyntax,
/* if there is a name different from AS */
asIn :: CaseIgnoreStringSyntax,
/* accepted routes from other AS */
/* for syntax and semantics refer [3] */
asOut :: CaseIgnoreStringSyntax,
/* generated routes announced to others */
/* for syntax and semantics refer [3] */
asDefault ::CaseIgnoreStringSyntax,
/* how default routing is handled */
/* for syntax and semantics refer [3] */
asGuardian :: DistinguishedNameSyntax, */
/* DN of guardian of this AS */
lastModifiedDate :: UTCtimeSyntax */
/* important as routes change frequently */
Note that routing policies for an Autonomous System are represented
by the {asIn, asOut} attributes of asObject. Due to performance
constraints of present X.500 technology, it will probably not be used
directly by routers for dynamic routing. However, it certainly can
be used in network management systems to determine the allowed paths
[i.e., in accordance with published policies] between two networks.
This will be useful in finding alternate paths, and evaluating the
connectivity of networks.
3. Number assignment information
In the following, Directory objects have been defined to represent IP
and AS (Autonomous System) namespace in the Directory. Their purpose
is to provide
o mapping from IP number to IP network element (network or node)
o mapping from IP number to AS number and vice versa
o assignment and delegation information
Johannsen, Mansfield, Kosters & Sataluri [Page 7]
RFC 1608 IP Information in the X.500 Directory March 1994
The need for a global, distributed database supporting the objectives
arises mainly from distributed IP- and AS-number assignment.
Describing all IP numbers with one of the new objects delegatedBlock,
ipGroup and ipReference leads to the desired information. AS number
information is stored with the objects asBlock and asReference.
Furthermore, all assigned numbers have some properties in common.
Therefore, an objectclass assignedNumberClass is introduced. This
class exports attributes to delegatedBlock, ipGroup, ipReference,
asBlock, and asReference.
AssignedNumberClass is defined as follows ("number" always refers to
IP number of delegatedBlock, network, host, and AS number, resp.):
assignedNumberClass OBJECT CLASS
SUBCLASS of top
MAY CONTAIN
assBy :: DistinguishedNameSyntax,
/* refers to an organization or organizationalRole
that assigned the number to assTo (see below) */
assTo :: DistinguishedNameSyntax,
/* refers to organization or organizationalRole
that the number was assigned to. This does not
imply that assTo "owns" this number now. */
assDate :: uTCTimeSyntax,
/* date of assignment for this number */
nicHandle :: CaseIgnoreStringSyntax,
/* gives the unique ID for a description
related to this number.
format: "handle : nic-domain-name"
example: MAK21 : rs.internic.net */
relNwElement :: DistinguishedNameSyntax,
/* the network element related to this number
(network or node) */
3.1 Delegated Block object
This object provides information on a block of IP addresses delegated
to some local-authority or service provider. Only contiguous blocks
can be represented with the following schema. If an organization
(say, a NIC) has been assigned several IP network numbers which do
not form a contiguous block, it might want to use a different form of
representing that fact (e.g., using imageNetworks). The
delegatedBlock object holds lower and upper bounds of the block.
Note that the above does not make any assumption about the network
masks being constrained by byte boundaries. We can thus represent
subnetting within a "network (number)" that often happens within an
Johannsen, Mansfield, Kosters & Sataluri [Page 8]
RFC 1608 IP Information in the X.500 Directory March 1994
organization in the same framework.
This schema does lead to some granularity in the otherwise flat IP-
number space. Further, the granularity is significant as it may be
used to identify the administrator of the block - a service provider
or a domain manager. E.g., it fits well into the schema of
aggregating networks for routing purposes as has been proposed in
[4].
The object delegatedBlock is of the form:
delegatedBlock OBJECT CLASS
SUBCLASS of AssignedNumberClass
MUST CONTAIN
delegatedBlockName :: caseIgnoreStringSyntax,
lowerBound :: IPStringSyntax,
/* smallest IP address belonging to the
block, e.g. 195.100.0.0 */
upperBound :: IPStringSyntax
/* highest IP address belonging to the
block, e.g. 195.103.255.255 */
The attribute relNwElement (inherited from AssignedNumberClass) can
point to a networkImage covering all networks within the block if
this makes sense.
3.2 IP Group object
This object provides information for an IP network number. Its
purpose is basically only to
o show that the number has been assigned, and
o provide a reference to the descriptive ipNetworkObject for
this network.
Regardless of the actual value of x, IP group objects may exist for
IP numbers x.0.0.0, x.y.0.0 and x.y.z.0. This approach includes
"classical" class-A, -B and -C network addresses as well as any kind
of super- and subnetworking.
The IP group object is a subclass of assignedNumberClass. The
attribute relNwElement points to an ipNetworkImage as defined above.
ipGroup OBJECT CLASS
SUBCLASS of AssignedNumberClass
MUST CONTAIN
ipGroupName :: IPStringSyntax,
/* IP number; x.0.0.0 or x.y.0.0 or x.y.z.0
Johannsen, Mansfield, Kosters & Sataluri [Page 9]
RFC 1608 IP Information in the X.500 Directory March 1994
where x, y, z in 1..255 */
ipNwMask :: IPStringSyntax
/* mask that applies to all numbers
within the group; used to define
classless networking; */
3.3 IP Reference object
There is one IP reference object for each IP host address. The
purpose of this object is to
o tell that this IP number is already assigned to a node
o give a pointer to the related ipNodeImageObject
The IP reference object is a subclass of assignedNumberClass. The
attribute relNwElement points to an ipNodeImage.
ipReference OBJECT CLASS
SUBCLASS of AssignedNumberClass
MUST CONTAIN
ipReferenceName :: IPString
/* value is always IP address */
3.4 AS block object
The AS block object is used to show delegation of blocks of AS
numbers to regional registries. This is similar to delegatedBlock of
ipNetwork numbers.
asBlock OBJECT CLASS
SUBCLASS of AssignedNumberClass
MUST CONTAIN
asBlockName :: caseIgnoreStringSyntax,
asLowerBound :: integerStringSyntax,
asUpperBound :: integerStringSyntax
An AS block will comprise several consecutive AS numbers. Objects to
describe these numbers may be stored in asObjects.
3.5 AS reference object
An AS reference object is used to show that an Autonomous System
number has been assigned (and thus can not be given to somebody
else). Similar to ipGroup, asReference does not contain technical
details about an autonomous system itself but rather points (with
relNwElement) to a descriptive asObject.
According to [1], IP image entries will be stored underneath the
organization / organizationalUnit entry of the entity responsible for
that network. The case that such an entry does not yet exist in the
white-pages pilot is discussed in 4.4 below.
4.2 AS objects
The technical and administrative description of an AS is basically
maintained by NICs, network providers, or other special
organizations. It is suggested that these organizations build a
subtree for information on AS which they are responsible for.
4.3 Namespace objects
The new IP namespace objects build a single tree in the Directory. It
is suggested that this tree will have a root of type
organizationalUnit within @o=Internet@ou=Network Information.
objectClass= organizationalUnit
organizationalUnitName= IP networks
description= root of IP number tree
RFC 1608 IP Information in the X.500 Directory March 1994
The tree is built under an administrative and an implementational
view. Nowadays, network numbers usually are assigned to
organizations by (national) Network Information Centers (NIC) which
themselves have got a block of IP network numbers assigned from
another authority (e.g., IR at top level). This concept of delegated
blocks falling apart in smaller delegated blocks and IP network
numbers is used to model the Directory tree. Thus, an ipGroup object
is always subordinate of a delegated block object (namely the
delegated block including this IP number). Network numbers that were
directly assigned by a top-level authority, i.e., have not been
object of a delegation to a local assigning authority, will all be at
one level in the Directory. Already today, however, we find many
delegations within the traditional class A-, B- and C-addresses.
Such a delegation is represented by a delegated block object, having
the assigned IP network numbers as subordinates. Also, part of the
block can be further delegated to another authority, leading to
another delegated block object within the parent delegated block's
tree. Usually, subordinates of ipGroup objects are ipReferences,
i.e., single IP addresses as assigned to nodes. To support
subnetworking, it is also allowed to divide ipGroups into several
subnetwork ipGroups, each representing an IP subnetwork. In such
cases, subnetwork numbers are given as subordinates to the assigned
IP network number. Network masks clarify what the subnetwork
addresses are.
RFC 1608 IP Information in the X.500 Directory March 1994
disadvantages in the look-up procedure. In that case one might think
of combining both object classes with the aim to provide one object
describing administrative and technical data for an IP network.
As Autonomous Systems are an additional namespace to the existing IP
number space, they should go into a separate subtree. It is suggested
that this is an organizationalUnit within @o=Internet@ou=Network
Information.
objectClass= organizationalUnit
organizationalUnitName= AS numbers
description= root of Autonomous System number space
Similar to blocks of IP network numbers, blocks of AS numbers are
sometimes delegated to another registry. This is expressed by asBlock
objects. These objects come below the root of the AS number space.
All AS numbers falling into such a block are stored as subordinates
of the block. An AS block may have smaller AS blocks underneath if
delegation is extended.
4.4 Relationship to organizational entries
Organizational information (i.e., white-pages-like information about
an organization, its departments and employees) occurs at several
places in the network DIT - [org of IP-Number, org of AS-Number, org
of Admin- contact, However, it will be basically mastered
[administered, maintained] by the organization itself in the
Directory Management Domain (DMD) over which the organization has the
authority. This gives rise to some tricky problems - a typical
example is that of a NIC which holds the AS, DNS, IP, ... subtrees
of the DIT.
A good strategy would avoid explicit duplication of information. By
explicit duplication of information we understand information being
duplicated outside the directory framework, e.g., by having several
master entries for one and the same piece of information. The only
way to avoid duplication would be to have relevant entries point to
the pertinent organizational entry for organizational information.
But since
o most organizations do not, as yet, have an entry in the DIT and
o the reliability of the access to an organizations DIT when
stored in a remote DSA cannot be taken for granted,
the following framework is adopted to accommodate the conflicting
requirements /conditions.
RFC 1608 IP Information in the X.500 Directory March 1994
o A copy of all the necessary organization-info is retained
at the NICs DSA. Since only the necessary info will be kept
the NIC will not be burdened to act as the repository of the
organizations DIT. These objects may be kept in a separate
subtree of affiliated-organizations [organizations
affiliated to the NIC]. Though the affiliated organizations node
does not really represent a locality, it is suggested to define
the node as objectClass locality. This does not break the
Directory schema when entries of organizations shall become
subordinate to the NICs organization's entry.
o The problem of information duplication/consistency will arise when
organizational DITs/DSAs do come into existence. At that stage a
shadowing mechanism which will attempt to maintain the data
consistency may be resorted to. The X.500/ISO 9594(1993)
implementations are expected to provide appropriate shadowing
mechanisms along X.525.
It may be noted that what is suggested is not a duplication of an
entire white-pages-like structure at the NIC. It suggests an
"affiliated organizations node". The entries under this node will be
organization objects with a limited number of attributes, i.e., the
attributes to hold the organization info necessary for the NIC:
nothing more, nothing less. Operationally, and content wise the NIC
DSA will hold exactly the amount of info that is desired by the NIC.
When an organization sets up its DSA and when the organization
informs the NIC about it, the NIC will set up the shadowing
arrangement to obtain info on changes of interest [and forget about
it].
It may be emphasized that the entries under affiliated organizations
are physical entities [replicated and refined from the Master
entries, if and when they exist...] rather than alias entries. If a
NIC dislikes the idea of users poring over the entries in the
affiliated organizations - appropriate access control can be applied.
Though duplication is unavoidable, the proposal attempts to make it
transparent, by delegating the responsibility of maintaining the
integrity to the Directory.
This issue is discussed in greater detail in a separate document [7].
RFC 1608 IP Information in the X.500 Directory March 1994
References
[1] Mansfield, G., Johannsen, T., and M. Knopper, "Charting Networks
in the X.500 Directory", RFC 1609, AIC Systems Laboratory,
Dresden University, Merit Networks,Inc., March 1994.
[2] Gerich, E., "Guidelines for Management of IP Address Space", RFC
1466, Merit, May 1993.
[3] Bates, T., Jouanigot, J.-M., Karrenberg, D., Lothberg, P., and M.
Terpstra, "Representation of IP Routing Policies in the RIPE
Database", Document ripe-81, RIPE, February 1993.
[4] Fuller, V., Li, T., Yu, J., and K. Varadhan, "Supernetting: An
Address Assignment and Aggregation Strategy", RFC 1338, BARRNet,
cisco, MERIT, OARnet, June 1992.
[5] Rose, M., and K. McCloghrie, "Structure and Identification of
Management Information for TCP/IP-based internets", STD 16, RFC
1155, Performance Systems International, Hughes LAN Systems, May
1990.
[6] Barker, P., and S. Kille, "The COSINE and Internet X.500 Schema",
RFC 1274, University College London, November 1991.
[7] Mansfield, G., Johannsen, T., and J. Murai, J., "Deployment
Strategy for the Directory in the Internet", AIC Systems
Laboratory, Dresden University, Keio University, Work in
Progress, July 1993.
