The Hacker's Encyclopedia 1998

home *** CD-ROM | disk | FTP | other *** search

/ The Hacker's Encyclopedia 1998 / hackers_encyclopedia.iso / rfc / 3 / rfc1801.txt < prev next >

Wrap

Text File | 2003-06-11 | 152.8 KB | 4,092 lines

Network Working Group S. Kille Request for Comments: 1801 ISODE Consortium Category: Experimental June 1995 X.400-MHS use of the X.500 Directory to support X.400-MHS Routing Status of this Memo This memo defines an Experimental Protocol for the Internet community. This memo does not specify an Internet standard of any kind. Discussion and suggestions for improvement are requested. Distribution of this memo is unlimited. Table of Contents 1 Introduction 3 2 Goals 3 3 Approach 5 4 Direct vs Indirect Connection 6 5 X.400 and RFC 822 8 6 Objects 9 7 Communities 10 8 Routing Trees 11 8.1 Routing Tree Definition . . . . . . . 12 8.2 The Open Community Routing Tree . . . . . 12 8.3 Routing Tree Location . . . . . . . 13 8.4 Example Routing Trees . . . . . . . 13 8.5 Use of Routing Trees to look up Information . . 13 9 Routing Tree Selection 14 9.1 Routing Tree Order . . . . . . . . 14 9.2 Example use of Routing Trees . . . . . . 15 9.2.1 Fully Open Organisation . . . . . 15 9.2.2 Open Organisation with Fallback . . . 15 9.2.3 Minimal-routing MTA . . . . . . 16 9.2.4 Organisation with Firewall . . . . . 16 9.2.5 Well Known Entry Points . . . . . 16 9.2.6 ADMD using the Open Community for Advertising 16 9.2.7 ADMD/PRMD gateway . . . . . . . 17 10 Routing Information 17 10.1 Multiple routing trees . . . . . . . 20 10.2 MTA Choice . . . . . . . . . . 22 10.3 Routing Filters . . . . . . . . . 25 10.4 Indirect Connectivity . . . . . . . 26 11 Local Addresses (UAs) 27 11.1 Searching for Local Users . . . . . . 30 12 Direct Lookup 30 13 Alternate Routes 30 Kille Experimental [Page 1] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 13.1 Finding Alternate Routes . . . . . . . 30 13.2 Sharing routing information . . . . . . 31 14 Looking up Information in the Directory 31 15 Naming MTAs 33 15.1 Naming 1984 MTAs . . . . . . . . . 35 16 Attributes Associated with the MTA 35 17 Bilateral Agreements 36 18 MTA Selection 38 18.1 Dealing with protocol mismatches . . . . . 38 18.2 Supported Protocols . . . . . . . . 39 18.3 MTA Capability Restrictions . . . . . . 39 18.4 Subtree Capability Restrictions . . . . . 40 19 MTA Pulling Messages 41 20 Security and Policy 42 20.1 Finding the Name of the Calling MTA . . . . 42 20.2 Authentication . . . . . . . . . 42 20.3 Authentication Information . . . . . . 44 21 Policy and Authorisation 46 21.1 Simple MTA Policy . . . . . . . . 46 21.2 Complex MTA Policy . . . . . . . . 47 22 Delivery 49 22.1 Redirects . . . . . . . . . . 49 22.2 Underspecified O/R Addresses . . . . . . 50 22.3 Non Delivery . . . . . . . . . . 51 22.4 Bad Addresses . . . . . . . . . 51 23 Submission 53 23.1 Normal Derivation . . . . . . . . 53 23.2 Roles and Groups . . . . . . . . . 53 24 Access Units 54 25 The Overall Routing Algorithm 54 26 Performance 55 27 Acknowledgements 55 28 References 56 29 Security Considerations 57 30 Author's Address 58 A Object Identifier Assignment 59 B Community Identifier Assignments 60 C Protocol Identifier Assignments 60 D ASN.1 Summary 61 E Regular Expression Syntax 71 List of Figures 1 Location of Routing Trees . . . . . . 12 2 Routing Tree Use Definition . . . . . . 14 3 Routing Information at a Node . . . . . 17 4 Indirect Access . . . . . . . . . 25 5 UA Attributes . . . . . . . . . 27 6 MTA Definitions . . . . . . . . . 33 7 MTA Bilateral Table Entry . . . . . . 36 Kille Experimental [Page 2] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 8 Bilateral Table Attribute . . . . . . 37 9 Supported MTS Extensions . . . . . . . 39 10 Subtree Capability Restriction . . . . . 40 11 Pulling Messages . . . . . . . . . 41 12 Authentication Requirements . . . . . . 43 13 MTA Authentication Parameters . . . . . 45 14 Simple MTA Policy Specification . . . . . 46 15 Redirect Definition . . . . . . . . 48 16 Non Delivery Information . . . . . . . 50 17 Bad Address Pointers . . . . . . . . 52 18 Access Unit Attributes . . . . . . . 53 19 Object Identifier Assignment . . . . . . 59 20 Transport Community Object Identifier Assignments 60 21 Protocol Object Identifier Assignments . . . 61 22 ASN.1 Summary . . . . . . . . . 61 1. Introduction MHS Routing is the problem of controlling the path of a message as it traverses one or more MTAs to reach its destination recipients. Routing starts with a recipient O/R Address, and parameters associated with the message to be routed. It is assumed that this is known a priori, or is derived at submission time as described in Section 23. The key problem in routing is to map from an O/R Address onto an MTA (next hop). This shall be an MTA which in some sense is "nearer" to the destination UA. This is done repeatedly until the message can be directly delivered to the recipient UA. There are a number of things which need to be considered to determine this. These are discussed in the subsequent sections. A description of the overall routing process is given in Section 25. 2. Goals Application level routing for MHS is a complex procedure, with many requirements. The following goals for the solution are set: o Straightforward to manage. Non-trivial configuration of routing for current message handling systems is a black art, often involving gathering and processing many tables, and editing complex configuration files. Many problems are solved in a very ad hoc manner. Managing routing for MHS is the most serious headache for most mail system managers. o Economic, both in terms of network and computational resources. Kille Experimental [Page 3] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 o Robust. Errors and out of date information shall cause minimal and localised damage. o Deal with link failures. There needs to be some ability to choose alternative routes. In general, it is desirable that the routing approach be redundant. o Load sharing. Information on routes shall allow "equal" routes to be specified, and thus facilitate load sharing. o Support format and protocol conversion o Dynamic and automatic. There shall be no need for manual propagation of tables or administrator intervention. o Policy robust. It shall not allow specification of policies which cause undesirable routing effects. o Reasonably straightforward to implement. o Deal with X.400, RFC 822, and their interaction. o Extensible to other mail architectures o Recognise existing RFC 822 routing, and coexist smoothly. o Improve RFC 822 routing capabilities. This is particularly important for RFC 822 sites not in the SMTP Internet. o Deal correctly with different X.400 protocols (P1, P3, P7), and with 1984, 1988 and 1992 versions. o Support X.400 operation over multiple protocol stacks (TCP/IP, CONS, CLNS) and in different communities. o Messages shall be routed consistently. Alternate routing strategies, which might introduce unexpected delay, shall be used with care (e.g., routing through a protocol converter due to unavailability of an MTA). o Delay between message submission and delivery shall be minimised. This has indirect impact on the routing approaches used. o Interact sensibly with ADMD services. o Be global in scope Kille Experimental [Page 4] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 o Routing strategy shall deal with a scale of order of magnitude 1,000,000 -- 100,000,000 MTAs. o Routing strategy shall deal with of order 1,000,000 -- 100,000,000 Organisations. o Information about alterations in topology shall propagate rapidly to sites affected by the change. o Removal, examination, or destruction of messages by third parties shall be difficult. This is hard to quantify, but "difficult" shall be comparable to the effort needed to break system security on a typical MTA system. o As with current Research Networks, it is recognised that prevention of forged mail will not always be possible. However, this shall be as hard as can be afforded. o Sufficient tracing and logging shall be available to track down security violations and faults. o Optimisation of routing messages with multiple recipients, in cases where this involves selection of preferred single recipient routes. The following are not initial goals: o Advanced optimisation of routing messages with multiple recipients, noting dependencies between the recipients to find routes which would not have been chosen for any of the single recipients. o Dynamic load balancing. The approach does not give a means to determine load. However, information on alternate routes is provided, which is the static information needed for load balancing. 3. Approach A broad problem statement, and a survey of earlier approaches to the problem is given in the COSINE Study on MHS Topology and Routing [8]. The interim (table-based) approach suggested in this study, whilst not being followed in detail, broadly reflects what the research X.400 (GO-MHS) community is doing. The evolving specification of the RARE table format is defined in [5]. This document specifies the envisaged longer term approach. Kille Experimental [Page 5] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 Some documents have made useful contributions to this work: o A paper by the editor on MHS use of directory, which laid out the broad approach of mapping the O/R Address space on to the DIT [7]. o Initial ISO Standardisation work on MHS use of Directory for routing [19]. Subsequent ISO work in this area has drawn from earlier drafts of this specification. o The work of the VERDI Project [3]. o Work by Kevin Jordan of CDC [6]. o The routing approach of ACSNet [4, 17] paper. This gives useful ideas on incremental routing, and replicating routing data. o A lot of work on network routing is becoming increasingly relevant. As the MHS routing problem increases in size, and network routing increases in sophistication (e.g., policy based routing), the two areas have increasing amounts in common. For example, see [2]. 4. Direct vs Indirect Connection Two extreme approaches to routing connectivity are: 1. High connectivity between MTAs. An example of this is the way the Domain Name Server system is used on the DARPA/NSF Internet. Essentially, all MTAs are fully interconnected. 2. Low connectivity between MTAs. An example of this is the UUCP network. In general an intermediate approach is desirable. Too sparse a connectivity is inefficient, and leads to undue delays. However, full connectivity is not desirable, for the reasons discussed below. A number of general issues related to relaying are now considered. The reasons for avoiding relaying are clear. These include. o Efficiency. If there is an open network, it is desirable that it be used. o Extra hops introduce delay, and increase the (very small) possibility of message loss. As a basic principle, hop count shall be minimised. o Busy relays or Well Known Entry points can introduce high delay and lead to single point of failure. Kille Experimental [Page 6] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 o If there is only one hop, it is straightforward for the user to monitor progress of messages submitted. If a message is delayed, the user can take appropriate action. o Many users like the security of direct transmission. It is an argument often given very strongly for use of SMTP. Despite these very powerful arguments, there are a number of reasons why some level of relaying is desirable: o Charge optimisation. If there is an expensive network/link to be traversed, it may make sense to restrict its usage to a small number of MTAs. This would allow for optimisation with respect to the charging policy of this link. o Copy optimisation. If a message is being sent to two remote MTAs which are close together, it is usually optimal to send the message to one of the MTAs (for both recipients), and let it pass a copy to the other MTA. o To access an intermediate MTA for some value added service. In particular for: -- Message Format Conversion -- Distribution List expansion o Dealing with different protocols. The store and forward approach allows for straightforward conversion. Relevant cases include: -- Provision of X.400 over different OSI Stacks (e.g., Connectionless Network Service). -- Use of a different version of X.400. -- Interaction with non-X.400 mail services o To compensate for inadequate directory services: If tables are maintained in an ad hoc manner, the manual effort to gain full connectivity is too high. o To hide complexity of structure. If an organisation has many MTAs, it may still be advantageous to advertise a single entry point to the outside world. It will be more efficient to have an extra hop, than to (widely) distribute the information required to connect directly. This will also encourage stability, as organisations need to change internal structure much more frequently than their external entry points. For many Kille Experimental [Page 7] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 organisations, establishing such firewalls is high priority. o To handle authorisation, charging and security issues. In general, it is desirable to deal with user oriented authorisation at the application level. This is essential when MHS specific parameters shall be taken into consideration. It may well be beneficial for organisations to have a single MTA providing access to the external world, which can apply a uniform access policy (e.g., as to which people are allowed access). This would be particularly true in a multi-vendor environment, where different systems would otherwise have to enforce the same policy --- using different vendor-specific mechanisms. In summary there are strong reasons for an intermediate approach. This will be achieved by providing mechanisms for both direct and indirect connectivity. The manager of a configuration will then be able to make appropriate choices for the environment. Two models of managing large scale routing have evolved: 1. Use of a global directory/database. This is the approach proposed here. 2. Use of a routing table in each MTA, which is managed either by a management protocol or by directory. This is coupled with means to exchange routing information between MTAs. This approach is more analogous to how network level routing is commonly performed. It has good characteristics in terms of managing links and dealing with link related policy. However, it assumes limited connectivity and does not adapt well to a network environment with high connectivity available. 5. X.400 and RFC 822 This document defines mechanisms for X.400 message routing. It is important that this can be integrated with RFC 822 based routing, as many MTAs will work in both communities. This routing document is written with this problem in mind, and some work to verify this has been done. support for RFC 822 routing using the same basic infrastructure is defined in a companion document [13]. In addition support for X.400/RFC 822 gatewaying is needed, to support interaction. Directory based mechanisms for this are defined in [16]. The advantages of the approach defined by this set of specifications are: o Uniform management for sites which wish to support both protocols. o Simpler management for gateways. Kille Experimental [Page 8] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 o Improved routing services for RFC 822 only sites. For sites which are only X.400 or only RFC 822, the mechanisms associated with gatewaying or with the other form of addressing are not needed. 6. Objects It is useful to start with a manager's perspective. Here is the set of object classes used in this specification. It is important that all information entered relates to something which is being managed. If this is achieved, configuration decisions are much more likely to be correct. In the examples, distinguished names are written using the String Syntax for Distinguished Names [11]. The list of objects used in this specification is: User An entry representing a single human user. This will typically be named in an organisational context. For example: CN=Edgar Smythe, O=Zydeco Services, C=GB This entry would have associated information, such as telephone number, postal address, and mailbox. MTA A Message Transfer Agent. In general, the binding between machines and MTAs will be complex. Often a small number of MTAs will be used to support many machines, by use of local approaches such as shared filestores. MTAs may support multiple protocols, and will identify separate addressing information for each protocol. To achieve support for multiple protocols, an MTA is modelled as an Application Process, which is named in the directory. Each MTA will have one or more associated Application Entities. Each Application Entity is named as a child of the Application Process, using a common name which conveniently identifies the Application Entity relative to the Application Process. Each Application Entity supports a single protocol, although different Application Entities may support the same protocol. Where an MTA only supports one protocol or where the addressing information for all of the protocols supported have different attributes to represent addressing information (e.g., P1(88) and SMTP) the Application Entity(ies) may be represented by the single Application Process entry. User Agent (Mailbox) This defines the User Agent (UA) to which mail may be delivered. This will define the account with which the UA is associated, and may also point to the user(s) associated with Kille Experimental [Page 9] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 the UA. It will identify which MTAs are able to access the UA. (In the formal X.400 model, there will be a single MTA delivering to a UA. In many practical configurations, multiple MTAs can deliver to a single UA. This will increase robustness, and is desirable.) Role Some organisational function. For example: CN=System Manager, OU=Sales, O=Zydeco Services, C=GB The associated entry would indicate the occupant of the role. Distribution Lists There would be an entry representing the distribution list, with information about the list, the manger, and members of the list. 7. Communities There are two basic types of agreement in which an MTA may participate in order to facilitate routing: Bilateral Agreements An agreement between a pair of MTAs to route certain types of traffic. This MTA pair agreement usually reflects some form of special agreement and in general bilateral information shall be held for the link at both ends. In some cases, this information shall be private. Open Agreements An agreement between a collection of MTAs to behave in a cooperative fashion to route traffic. This may be viewed as a general bilateral agreement. It is important to ensure that there are sufficient agreements in place for all messages to be routed. This will usually be done by having agreements which correspond to the addressing hierarchy. For X.400, this is the model where a PRMD connects to an ADMD, and the ADMD provides the inter PRMD connectivity, by the ability to route to all other ADMDs. Other agreements may be added to this hierarchy, in order to improve the efficiency of routing. In general, there may be valid addresses, which cannot be routed to, either for connectivity or policy reasons. We model these two types of agreements as communities. A community is a scope in which an MTA advertises its services and learns about other services. Each MTA will: 1. Register its services in one or more communities. Kille Experimental [Page 10] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 2. Look up services in one or more communities. In most cases an MTA will deal with a very small number of communities --- very often one only. There are a number of different types of community. The open community This is a public/global scope. It reflects routing information which is made available to any MTA which wishes to use it. The local community This is the scope of a single MTA. It reflects routing information private to the MTA. It will contain an MTA's view of the set of bilateral agreements in which it participates, and routing information private and local to the MTA. Hierarchical communities A hierarchical community is a subtree of the O/R Address tree. For example, it might be a management domain, an organisation, or an organisational unit. This sort of community will allow for firewalls to be established. A community can have complex internal structure, and register a small subset of that in the open community. Closed communities A closed community is a set of MTAs which agrees to route amongst themselves. Examples of this might be ADMDs within a country, or a set of PRMDs representing the same organisation in multiple countries. Formally, a community indicates the scope over which a service is advertised. In practice, it will tend to reflect the scope of services offered. It does not make sense to offer a public service, and only advertise it locally. Public advertising of a private service makes more sense, and this is shown below. In general, having a community offer services corresponding to the scope in which they are advertised will lead to routing efficiency. Examples of how communities can be used to implement a range of routing policies are given in Section 9.2. 8. Routing Trees Communities are a useful abstract definition of the routing approach taken by this specification. Each community is represented in the directory as a routing tree. There will be many routing trees instantiated in the directory. Typically, an MTA will only be registered in and make use of a small number of routing trees. In most cases, it will register in and use the same set of routing trees. Kille Experimental [Page 11] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 8.1 Routing Tree Definition Each community has a model of the O/R address space. Within a community, there is a general model of what to do with a given O/R Address. This is structured hierarchically, according to the O/R address hierarchy. A community can register different possible actions, depending on the depth of match. This might include identifying the MTA associated with a UA which is matched fully, and providing a default route for an O/R address where there is no match in the community --- and all intermediate forms. The name structure of a routing tree follows the O/R address hierarchy, which is specified in a separate document [15]. Where there is any routing action associated with a node in a routing tree, the node is of object class routingInformation, as defined in Section 10. 8.2 The Open Community Routing Tree The routing tree of the open community starts at the root of the DIT. This routing tree also serves the special function of instantiating the global O/R Address space in the Directory. Thus, if a UA wishes to publish information to the world, this hierarchy allows it to do so. The O/R Address hierarchy is a registered tree, which may be instantiated in the directory. Names at all points in the tree are valid, and there is no requirement that the namespace is instantiated by the owner of the name. For example, a PRMD may make an entry in the DIT, even if the ADMD above it does not. In this case, there will be a "skeletal" entry for the ADMD, which is used to hang the PRMD entry in place. The skeletal entry contains the minimum number of entries which are needed for it to exist in the DIT (Object Class and Attribute information needed for the relative distinguished name). This entry may be placed there solely to support the subordinate entry, as its existence is inferred by the subordinate entry. Only the owner of the entry may place information into it. An analogous situation in current operational practice is to make DIT entries for Countries and US States. --------------------------------------------------------------------- routingTreeRoot OBJECT-CLASS ::= { SUBCLASS OF {routingInformation|subtree} ID oc-routing-tree-root} Figure 1: Location of Routing Trees --------------------------------------------------------------------- Kille Experimental [Page 12] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 8.3 Routing Tree Location All routing trees follow the same O/R address hierarchy. Routing trees other than the open community routing tree are rooted at arbitrary parts of the DIT. These routing trees are instantiated using the subtree mechanism defined in the companion document "Representing Tables and Subtrees in the Directory" [15]. A routing tree is identified by the point at which it is rooted. An MTA will use a list of routing trees, as determined by the mechanism described in Section 9. Routing trees may be located in either the organisational or O/R address structured part of the DIT. All routing trees, other than the open community routing tree, are rooted by an entry of object class routingTreeRoot, as defined in Figure 1. 8.4 Example Routing Trees Consider routing trees with entries for O/R Address: P=ABC; A=XYZMail; C=GB; In the open community routing tree, this would have a distinguished name of: PRMD=ABC, ADMD=XYZMail, C=GB Consider a routing tree which is private to: O=Zydeco Services, C=GB They might choose to label a routing tree root "Zydeco Routing Tree", which would lead to a routing tree root of: CN=Zydeco Routing Tree, O=Zydeco Services, C=GB The O/R address in question would be stored in this routing tree as: PRMD=ABC, ADMD=XYZMail C=GB, CN=Zydeco Routing Tree, O=Zydeco Services, C=GB 8.5 Use of Routing Trees to look up Information Lookup of an O/R address in a routing tree is done as follows: 1. Map the O/R address onto the O/R address hierarchy described in [15] in order to generate a Distinguished Name. Kille Experimental [Page 13] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 2. Append this to the Distinguished Name of the routing tree, and then look up the whole name. 3. Handling of errors will depend on the application of the lookup, and is discussed later. Note that it is valid to look up a null O/R Address, as the routing tree root may contain default routing information for the routing tree. This is held in the root entry of the routing tree, which is a subclass of routingInformation. The open community routing tree does not have a default. Routing trees may have aliases into other routing trees. This will typically be done to optimise lookups from the first routing tree which a given MTA uses. Lookup needs to take account of this. 9. Routing Tree Selection The list of routing trees which a given MTA uses will be represented in the directory. This uses the attribute defined in Figure 2. --------------------------------------------------------------------- routingTreeList ATTRIBUTE ::= { WITH SYNTAX RoutingTreeList SINGLE VALUE ID at-routing-tree-list} RoutingTreeList ::= SEQUENCE OF RoutingTreeName RoutingTreeName ::= DistinguishedName Figure 2: Routing Tree Use Definition --------------------------------------------------------------------- This attribute defines the routing trees used by an MTA, and the order in which they are used. Holding these in the directory eases configuration management. It also enables an MTA to calculate the routing choice of any other MTA which follows this specification, provided that none of its routing trees have access restrictions. This will facilitate debugging routing problems. 9.1 Routing Tree Order The order in which routing trees are used will be critical to the operation of this algorithm. A common approach will be: Kille Experimental [Page 14] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 1. Access one or more shared private routing trees to access private routing information. 2. Utilise the open routing tree. 3. Fall back to a default route from one of the private routing trees. Initially, the open routing tree will be very sparse, and there will be little routing information in ADMD level nodes. Access to many services will only be via ADMD services, which in turn will only be accessible via private links. For most MTAs, the fallback routing will be important, in order to gain access to an MTA which has the right private connections configured. In general, for a site, UAs will be registered in one routing tree only, in order to avoid duplication. They may be placed into other routing trees by use of aliases, in order to gain performance. For some sites, Users and UAs with a 1:1 mapping will be mapped onto single entries by use of aliases. 9.2 Example use of Routing Trees Some examples of how this structure might be used are now given. Many other combinations are possible to suit organisational requirements. 9.2.1 Fully Open Organisation The simplest usage is to place all routing information in the open community routing tree. An organisation will simply establish O/R addresses for all of its UAs in the open community tree, each registering its supporting MTA. This will give access to all systems accessible from this open community. 9.2.2 Open Organisation with Fallback In practice, some MTAs and MDs will not be directly reachable from the open community (e.g., ADMDs with a strong model of bilateral agreements). These services will only be available to users/communities with appropriate agreements in place. Therefore it will be useful to have a second (local) routing tree, containing only the name of the fallback MTA at its root. In many cases, this fallback would be to an ADMD connection. Thus, open routing will be tried first, and if this fails the message will be routed to a single selected MTA. Kille Experimental [Page 15] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 9.2.3 Minimal-routing MTA The simplest approach to routing for an MTA is to deliver messages to associated users, and send everything else to another MTA (possibly with backup). An organisation using MTAs with this approach will register its users as for the fully open organisation. A single routing tree will be established, with the name of the organisation being aliased into the open community routing tree. Thus the MTA will correctly identify local users, but use a fallback mechanism for all other addresses. 9.2.4 Organisation with Firewall An organisation can establish an organisation community to build a firewall, with the overall organisation being registered in the open community. This is an important structure, which it is important to support cleanly. o Some MTAs are registered in the open community routing tree to give access into the organisation. This will include the O/R tree down to the organisational level. Full O/R Address verification will not take place externally. o All users are registered in a private (organisational) routing tree. o All MTAs in the organisation are registered in the organisation's private routing tree, and access information in the organisation's community. This gives full internal connectivity. o Some MTAs in the organisation access the open community routing tree. These MTAs take traffic from the organisation to the outside world. These will often be the same MTAs that are externally advertised. 9.2.5 Well Known Entry Points Well known entry points will be used to provide access to countries and MDs which are oriented to private links. A private routing tree will be established, which indicates these links. This tree would be shared by the well known entry points. 9.2.6 ADMD using the Open Community for Advertising An ADMD uses the open community for advertising. It advertises its existence and also restrictive policy. This will be useful for: Kille Experimental [Page 16] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 o Address validation o Advertising the mechanism for a bilateral link to be established 9.2.7 ADMD/PRMD gateway An MTA provides a gateway from a PRMD to an ADMD. It is important to note that many X.400 MDs will not use the directory. This is quite legitimate. This technique can be used to register access into such communities from those that use the directory. o The MTA registers the ADMD in its local community (private link) o The MTA registers itself in the PRMD's community to give access to the ADMD. 10. Routing Information Routing trees are defined in the previous section, and are used as a framework to hold routing information. Each node, other than a skeletal one, in a routing tree has information associated with it, which is defined by the object class routingInformation in Figure 3. This structure is fundamental to the operation of this specification, and it is recommended that it be studied with care. --------------------------------------------------------------------- routingInformation OBJECT-CLASS ::= { SUBCLASS OF top KIND auxiliary MAY CONTAIN { subtreeInformation| routingFilter| routingFailureAction| mTAInfo| accessMD| 10 nonDeliveryInfo| badAddressSearchPoint| badAddressSearchAttributes} ID oc-routing-information} -- No naming attributes as this is not a -- structural object class subtreeInformation ATTRIBUTE ::= { 20 WITH SYNTAX SubtreeInfo SINGLE VALUE Kille Experimental [Page 17] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 ID at-subtree-information} SubtreeInfo ::= ENUMERATED { all-children-present(0), not-all-children-present(1) } routingFilter ATTRIBUTE ::= { 30 WITH SYNTAX RoutingFilter ID at-routing-filter} RoutingFilter ::= SEQUENCE{ attribute-type OBJECT-IDENTIFIER, weight RouteWeight, dda-key String OPTIONAL, regex-match IA5String OPTIONAL, node DistinguishedName } 40 String ::= CHOICE {PrintableString, TeletexString} routingFailureAction ATTRIBUTE ::= { WITH SYNTAX RoutingFailureAction SINGLE VALUE ID at-routing-failure-action} RoutingFailureAction ::= ENUMERATED { next-level(0), 50 next-tree-only(1), next-tree-first(2), stop(3) } mTAInfo ATTRIBUTE ::= { WITH SYNTAX MTAInfo ID at-mta-info} MTAInfo ::= SEQUENCE { 60 name DistinguishedName, weight [1] RouteWeight DEFAULT preferred-access, mta-attributes [2] SET OF Attribute OPTIONAL, ae-info SEQUENCE OF SEQUENCE { aEQualifier PrintableString, ae-weight RouteWeight DEFAULT preferred-access, ae-attributes SET OF Attribute OPTIONAL} OPTIONAL } RouteWeight ::= INTEGER {endpoint(0), 70 Kille Experimental [Page 18] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 preferred-access(5), backup(10)} (0..20) Figure 3: Routing Information at a Node --------------------------------------------------------------------- For example, information might be associated with the (PRMD) node: PRMD=ABC, ADMD=XYZMail, C=GB If this node was in the open community routing tree, then the information represents information published by the owner of the PRMD relating to public access to that PRMD. If this node was present in another routing tree, it would represent information published by the owner of the routing tree about access information to the referenced PRMD. The attributes associated with a routingInformation node provide the following information: Implicit That the node corresponds to a partial or entire valid O/R address. This is implicit in the existence of the entry. Object Class If the node is a UA. This will be true if the node is of object class routedUA. This is described further in Section 11. If it is not of this object class, it is an intermediate node in the O/R Address hierarchy. routingFilter A set of routing filters, defined by the routingFilter attribute. This attribute provides for routing on information in the unmatched part of the O/R Address. This is described in Section 10.3. subtreeInformation Whether or not the node is authoritative for the level below is specified by the subtreeInformation attribute. If it is authoritative, indicated by the value all-children-present, this will give the basis for (permanently) rejecting invalid O/R Addresses. The attribute is encoded as enumerated, as it may be later possible to add partial authority (e.g., for certain attribute types). If this attribute is missing, the node is assumed to be non-authoritative (not-all-children-present). The value all-children-present simply means that all of the child entries are present, and that this can be used to determine invalid addresses. There are no implications about the presence of routing information. Thus it is possible to verify an entire address, but only to route on one of the higher level components. For example, consider the node: Kille Experimental [Page 19] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 MHS-O=Zydeco, PRMD=ABC, ADMD=XYZMail, C=GB An organisation which has a bilateral agreement with this organisation has this entry in its routing tree, with no children entries. This is marked as non-authoritative. There is a second routing tree maintained by Zydeco, which contains all of the children of this node, and is marked as authoritative. When considering an O/R Address MHS-G=Random + MHS-S=Unknown, MHS-O=Zydeco, PRMD=ABC, ADMD=XYZMail, C=GB only the second, authoritative, routing tree can be used to determine that this address is invalid. In practice, the manager configuring the non-authoritative tree, will be able to select whether an MTA using this tree will proceed to full verification, or route based on the partially verified information. mTAInfo A list of MTAs and associated information defined by the mTAInfo attribute. This information is discussed further in Sections 15 and 18. This information is the key information associated with the node. When a node is matched in a lookup, it indicates the validity of the route, and a set of MTAs to connect to. Selection of MTAs is discussed in Sections 18 and Section 10.2. routingFailureAction An action to be taken if none of the MTAs can be used directly (or if there are no MTAs present) is defined by the routingFailureAction attribute. Use of this attribute and multiple routing trees is described in Section 10.1. accessMD The accessMD attribute is discussed in Section 10.4. This attribute is used to indicate MDs which provide indirect access to the part of the tree that is being routed to. badAddressSearchPoint/badAddressSearchAttributes The badAddressSearchPoint and badAddressSearchAttributes are discussed in Section 17. This attribute is for when an address has been rejected, and allows information on alternative addresses to be found. 10.1 Multiple routing trees A routing decision will usually be made on the basis of information contained within multiple routing trees. This section describes the algorithms relating to use of multiple routing trees. Issues relating to the use of X.500 and handling of errors is discussed in Section 14. The routing decision works by examining a series of Kille Experimental [Page 20] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 entries (nodes) in one or more routing trees. This information is summarised in Figure 3. Each entry may contain information on possible next-hop MTAs. When an entry is found which enables the message to be routed, one of the routing options determined at this point is selected, and a routing decision is made. It is possible that further entries may be examined, in order to determine other routing options. This sort of heuristic is not discussed here. When a single routing tree is used, the longest possible match based on the O/R address to be routed to is found. This entry, and then each of its parents in turn is considered, ending with the routing tree root node (except in the case of the open routing tree, which does not have such a node). When multiple routing trees are considered, the basic approach is to treat them in a defined order. This is supplemented by a mechanism whereby if a matched node cannot be used directly, the routing algorithm will have the choice to move up a level in the current routing tree, or to move on to the next routing tree with an option to move back to the first tree later. This option to move back is to allow for the common case where a tree is used to specify two things: 1. Routing information private to the MTA (e.g., local UAs or routing info for bilateral links). 2. Default routing information for the case where other routing has failed. The actions allow for a tree to be followed, for the private information, then for other trees to be used, and finally to fall back to the default situation. For very complex configurations it might be necessary to split this into two trees. The options defined by routingFailureAction, to be used when the information in the entry does not enable a direct route, are: next-level Move up a level in the current routing tree. This is the action implied if the attribute is omitted. This will usually be the best action in the open community routing tree. next-tree-only Move to the next tree, and do no further processing on the current tree. This will be useful optimisation for a routing tree where it is known that there is no useful additional routing information higher in the routing tree. next-tree-first Move to the next tree, and then default back to the next level in this tree when all processing is completed on subsequent trees. This will be useful for an MTA to operate in the sequence: Kille Experimental [Page 21] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 1. Check for optimised private routes 2. Try other available information 3. Fall back to a local default route stop This address is unroutable. No processing shall be done in any trees. For the root entry of a routing tree, the default action and next- level are interpreted as next-tree-only. 10.2 MTA Choice This section considers how the choice between alternate MTAs is made. First, it is useful to consider the conditions why an MTA is entered into a node of the routing tree: o The manager for the node of the tree shall place it there. This is a formality, but critical in terms of overall authority. o The MTA manager shall agree to it being placed there. For a well operated MTA, the access policy of the MTA will be set to enforce this. o The MTA will in general (for some class of message) be prepared to route to any valid O/R address in the subtree implied by the address. The only exception to this is where the MTA will route to a subset of the tree which cannot easily be expressed by making entries at the level below. An example might be an MTA prepared to route to all of the subtree, with certain explicit exceptions. Information on each MTA is stored in an mTAInfo attribute, which is defined in Figure 3. This attribute contains: name The Distinguished Name of the MTA (Application Process) weight A weighting factor (Route Weight) which gives a basis to choose between different MTAs. This is described in Section 10.2. mta-attributes Attributes from the MTA's entry. Information on the MTA will always be stored in the MTA's entry. The MTA is represented here as a structure, which enables some of this entry information to be represented in the routing node. This is effectively a maintained cache, and can lead to considerable performance optimisation. For example if ten MTAs were represented at a node, another MTA making a routing decision might Kille Experimental [Page 22] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 need to make ten directory reads in order to obtain the information needed. If any attributes are present here, all of the attributes needed to make a routing decision shall be included, and also all attributes at the Application Entity level. ae-info Where an MTA supports a single protocol only, or the protocols it supports have address information that can be represented in non-conflicting attributes, then the MTA may be represented as an application process only. In this case, the ae-info structure which gives information on associated application entities may be omitted, as the MTA is represented by a single application entity which has the same name as the application process. In other cases, the names of all application entities shall be included. A weight is associated with each application entity to allow the MTA to indicate a preference between its application entities. The structure of information within ae-info is as follows: ae-qualifier A printable string (e.g., "x400-88"), which is the value of the common name of the relative distinguished name of the application entity. This can be used with the application process name to derive the application entity title. ae-weight A weighting factor (Route Weight) which gives a basis to choose between different Application Entities (not between different MTAs). This is described below. ae-attributes Attributes from the AEs entry. Information in the mta-attributes and ae-info is present as a performance optimisation, so that routing choices can be made with a much smaller number of directory operations. Using this information, whose presence is optional, is equivalent to looking up the information in the MTA. If this information is present, it shall be maintained to be the same as that information stored in the MTA entry. Despite this maintenence requirement, use of this performance optimisation data is optional, and the information may always be looked up from the MTA entry. Note: It has been suggested that substantial performance optimisation will be achieved by caching, and that the performance gained from maintaining these attributes does not justify the effort of maintaining the entries. If this is borne out by operational experience, this will be reflected in future versions of this specification. Kille Experimental [Page 23] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 Route weighting is a mechanism to distinguish between different route choices. A routing weight may be associated with the MTA in the context of a routing tree entry. This is because routing weight will always be context dependent. This will allow machines which have other functions to be used as backup MTAs. The Route Weight is an integer in range 0--20. The lower the value, the better the choice of MTA. Where the weight is equal, and no other factors apply, the choice between the MTAs shall be random to facilitate load balancing. If the MTA itself is in the list, it shall only route to an MTA of lower weight. The exact values will be chosen by the manager of the relevant part of the routing tree. For guidance, three fixed points are given: o 0. For an MTA which can deliver directly to the entire subtree implied by the position in the routing tree. o 5. For an MTA which is preferred for this point in the subtree. o 10. For a backup MTA. When an organisation registers in multiple routing trees, the route weight used is dependent on the context of the subtree. In general it is not possible to compare weights between subtrees. In some cases, use of route weighting can be used to divert traffic away from expensive links. Attributes present in an MTA Entry are defined in various parts of this specification. A summary and pointers to these sections is given in Section 16. Attributes that are available in the MTA entry and will be needed for making a routing choice are: protocolInformation applicationContext mhs-deliverable-content-length responderAuthenticationRequirements initiatorAuthenticationRequirements responderPullingAuthenticationRequirements initiatorPullingAuthenticationRequirements initiatorP1Mode Kille Experimental [Page 24] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 responderP1Mode polledMTAs Current MTA shall be in list if message is to be pulled. mTAsAllowedToPoll supportedMTSExtensions If any MTA attributes are present in the mTAInfo attribute, all of the attributes that may affect routing choice shall be present. Other attributes may be present. A full list of MTA attributes, with summaries of their descriptions are given in Section 16, with a formal definition in Figure 6. 10.3 Routing Filters This attribute provides for routing on information in the unmatched part of the O/R Address, including: o Routing on the basis of an O/R Address component type o Routing on the basis of a substring match of an O/R address component. This might be used to route X121 addressed faxes to an appropriate MTA. When present, the procedures of analysing the routing filters shall be followed before other actions. The routing filter overrides mTAInfo and accessMD attributes, which means that the routing filter must be considered first. Only in the event that no routing filters match shall the mTAInfo and accessMD attributes be considered. The components of the routingFilter attribute are: --------------------------------------------------------------------- attribute-type This gives the attribute type to be matched, and is selected from the attribute types which have not been matched to identify the routing entry. The filter applies to this attribute type. If there is no regular expression present (as defined below), the filter is true if the attribute is present. The value is the object identifier of the X.500 attribute type (e.g., at-prmd-name). weight This gives the weight of the filter, which is encoded as a Route Weight, with lower values indicating higher priority. If multiple filters match, the weight of each matched filter is used to select between them. If the weight is the same, then a random choice shall be made. Kille Experimental [Page 25] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 dda-key If the attribute is domain defined, then this parameter may be used to identify the key. accessMD ATTRIBUTE ::= { SUBTYPE OF distinguishedName ID at-access-md} Figure 4: Indirect Access --------------------------------------------------------------------- regex-match This string is used to give a regular expression match on the attribute value. The syntax for regular expressions is defined in Appendix E. node This distinguished name specifies the entry which holds routing information for the filter. It shall be an entry with object class routingInformation, which can be used to determine the MTA or MTA choice. All of the attributes from this entry should be used, as if they had been directly returned from the current entry (i.e., the procedure recurses). The current entry does not set defaults. An example of use of routing filters is now given, showing how to route on X121 address to a fax gateway in Germany. Consider the routing point. PRMD=ABC, ADMD=XYZMail, C=GB The entry associated would have two routing filters: 1. One with type x121 and no regular expression, to route a default fax gateway. 2. One with type x121 and a regular expression ^9262 to route all German faxes to a fax gateway located in Germany with which there is a bilateral agreement. This would have a lower weight, so that it would be selected over the default fax gateway. 10.4 Indirect Connectivity In some cases a part of the O/R Address space will be accessed indirectly. For example, an ADMD without access from the open community might have an agreement with another MD to provide this access. This is achieved by use of the accessMD attribute defined in Figure 4. If this attribute is found, the routing algorithm shall read the entry pointed to by this distinguished name. It shall be an Kille Experimental [Page 26] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 entry with object class routingInformation, which can be used to determine the MTA or MTA choice and route according to the information retrieve to this access MD. All of the attributes from this entry should be used, as if they had been directly returned from the current entry (i.e., the procedure recurses). The current entry does not set defaults. The attribute is called an MD, as this is descriptive of its normal use. It might point to a more closely defined part of the O/R Address space. It is possible for both access MD and MTAs to be specified. This might be done if the MTAs only support access over a restricted set of transport stacks. In this case, the access MD shall only be routed to if it is not possible to route to any of the MTAs. This structure can also be used as an optimisation, where a set of MTAs provides access to several parts of the O/R Address space. Rather than repeat the MTA information (list of MTAs) in each reference to the MD, a single access MD is used as a means of grouping the MTAs. The value of the Distinguished Name of the access MD will probably not be meaningful in this case (e.g., it might be the name "Access MTA List", within the organisation.) If the MTA routing is unable to access the information in the Access MD due to directory security restrictions, the routing algorithm shall continue as if no MTA information was located in the routing entry. 11. Local Addresses (UAs) Local addresses (UAs) are a special case for routing: the endpoint. The definition of the routedUA object class is given in Figure 5. This identifies a User Agent in a routing tree. This is needed for several reasons: --------------------------------------------------------------------- routedUA OBJECT-CLASS ::= { SUBCLASS OF {routingInformation} KIND auxiliary MAY CONTAIN { -- from X.402 mhs-deliverable-content-length| mhs-deliverable-content-types| mhs-deliverable-eits| mhs-message-store| 10 mhs-preferred-delivery-methods| Kille Experimental [Page 27] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 -- defined here supportedExtensions| redirect| supportingMTA| userName| nonDeliveryInfo} ID oc-routed-ua} supportedExtensions ATTRIBUTE ::= { 20 SUBTYPE OF objectIdentifier ID at-supported-extensions} supportingMTA ATTRIBUTE ::= { SUBTYPE OF mTAInfo ID at-supporting-mta} userName ATTRIBUTE ::= { SUBTYPE OF distinguishedName ID at-user-name} 30 Figure 5: UA Attributes --------------------------------------------------------------------- 1. To allow UAs to be defined without having an entry in another part of the DIT. 2. To identify which (leaf and non-leaf) nodes in a routing tree are User Agents. In a pure X.400 environment, a UA (as distinct from a connecting part of the O/R address space) is simply identified by object class. Thus an organisation entry can itself be a UA. A UA need not be a leaf, and can thus have children in the tree. 3. To allow UA parameters as defined in X.402 (e.g., the mhs-deliverable-eits) to be determined efficiently from the routing tree, without having to go to the user's entry. 4. To provide access to other information associated with the UA, as defined below. The following attributes are defined associated with the UA. supportedExtensions MTS extensions supported by the MTA, which affect delivery. supportingMTA The MTAs which support a UA directly are noted in the supportingMTA attribute, which may be multi-valued. In the X.400 model, only one MTA is associated with a UA. In practice, it is Kille Experimental [Page 28] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 possible and useful for several MTAs to be able to deliver to a single UA. This attribute is a subtype of mTAInfo, and it defines access information for an MTA which is able to deliver to the UA. There may also be an mTAInfo attribute in the entry. Components of the supportingMTA attribute are interpreted in the same manner as mtaInfo is for routing, with one exception. The values of the Route Weight are interpreted in the following manner: o 0. A preferred MTA for delivery. o 5. A backup MTA. o 10. A backup MTA, which is not presferred. The supportingMTA attribute shall be present, unless the address is being non-delivered or redirected, in which case it may be omitted. redirect The redirect attribute controls redirects, as described in Section 22.1. userName The attribute userName points to the distinguished Name of the user, as defined by the mhs-user in X.402. The pointer from the user to the O/R Address is achieved by the mhs-or-addresses attribute. This makes the UA/User linkage symmetrical. nonDeliveryInfo The attribute nonDeliveryInfo mandates non-delivery to this address, as described in Section 22.3. When routing to a UA, an MTA will read the supportingMTA attribute. If it finds its own name present, it will know that the UA is local, and invoke appropriate procedures for local delivery (e.g., co- resident or P3 access information). The cost of holding these attributes for each UA at a site will often be reduced by use of shared attributes (as defined in X.500(93)). Misconfiguration of the supportingMTA attribute could have serious operational and possibly security problems, although for the most part no worse than general routing configuration problems. An MTA using this attribute may choose to perform certain sanity checks, which might be to verify the routing tree or subtree that the entry resides in. The linkage between the UA and User entries was noted above. It is also possible to use a single entry for both User and UA, as there is no conflict between the attributes in each of the objects. In this case, the entries shall be in one part of the DIT, with aliases from Kille Experimental [Page 29] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 the other. Because the UA and User are named with different attributes, the aliases shall be at the leaf level. 11.1 Searching for Local Users The approach defined in this specification performs all routing by use of reads. This is done for performance reasons, as it is a reasonable expectation that all DSA implementations will support a high performance read operation. For local routing only, an MTA in cooperation with the provider of the local routing tree may choose to use a search operation to perform routing. The major benefit of this is that there will not be a need to store aliases for alternate names, and so the directory storage requirement and alias management will be reduced. The difficulty with this approach is that it is hard to define search criteria that would be effective in all situations and well supported by all DUAs. There are also issues about determining the validity of a route on the basis of partial matches. 12. Direct Lookup Where an O/R address is registered in the open community and has one or more "open" MTAs which support it, this will be optimised by storing MTA information in the O/R address entry. In general, the Directory will support this by use of attribute inheritance or an implementation will optimise the storage or repeated information, and so there will not be a large storage overhead implied. This is a function of the basic routing approach. As a further optimisation of this case, the User's distinguished name entry may contain the mTAInfo attribute. This can be looked up from the distinguished name, and thus routing on submission can be achieved by use of a single read. Note: This performance optimisation has a management overhead, and further experience is needed to determine if the effort justifies the performance improvement. 13. Alternate Routes 13.1 Finding Alternate Routes The routing algorithm selects a single MTA to be routed to. It could be extended to find alternate routes to a single MTA with possibly different weights. How far this is done is a local configuration choice. Provision of backup routing is desirable, and leads to robust service, but excessive use of alternate routing is not usually beneficial. It will often force messages onto convoluted paths, when there was only a short outage on the preferred path. It is important Kille Experimental [Page 30] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 to note that this strategy will lead to picking the first acceptable route. It is important to configure the routing trees so that the first route identified will also be the best route. 13.2 Sharing routing information So far, only single addresses have been considered. Improving routing choice for multiple addresses is analogous to dealing with multiple routes. This section defines an optional improvement. When multiple addresses are present, and alternate routes are available, the preferred routes may be chosen so as to maximise the number of recipients sent with each message. Specification of routing trees can facilitate this optimisation. Suppose there is a set of addresses (e.g., in an organisation) which have different MTAs, but have access to an MTA which will do local switching. If each address is registered with the optimal MTA as preferred, but has the "hub" MTA registered with a higher route weight, then optimisation may occur when a message is sent to multiple addresses in the group. 14. Looking up Information in the Directory The description so far has been abstract about lookup of information. This section considers how information is looked up in the Directory. Consider that an O/R Address is presented for lookup, and there is a sequence of routing trees. At any point in the lookup sequence, there is one of a set of actions that can take place: Entry Found Information from the entry (node) is returned and shall be examined. The routing process continues or terminates, based on this information. Entry Not Found Return information on the length of best possible match to the routing algorithm. Temporary Reject The MTA shall stop the calculation, and repeat the request later. Repeated temporary rejects should be handled in a similar manner to the way the local MTA would handle the failure to connect to a remote MTA. Permanent Reject Administrative error on the directory which may be fixed in future, but which currently prevents routing. The routing calculation should be stopped and the message non-delivered. The algorithm proceeds by a series of directory read operations. If the read operation is successful, the Entry Found procedure should be Kille Experimental [Page 31] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 followed. Errors from the lookup (directory read) shall be handled in terms of the above procedures as follows. The following handling is used when following a routing tree: AttributeError This leads to a Permanent Reject. NameError Entry Not Found is used. The matched parameter is used to determine the number of components of the name that have matched (possibly zero). The read may then repeated with this name. This is the normal case, and allows the "best" entry in the routingn tree to be located with two reads. Referral The referral shall be followed, and then the procedure recurses. SecurityError Entry Not Found is used. Return a match length of one less than the name provided. ServiceError This leads to a Temporary Reject. There will be cases where the algorithm moves to a name outside of the routing tree being followed (Following an accessMD attribute, or a redirect or a matched routing filter). The handling will be the same as above, except: NameError This leads to a Permanent Reject. SecurityError This leads to a Permanent Reject. When reading objects which of not of object class routingInformation, the following error handling is used: AttributeError This leads to a Permanent Reject. NameError This leads to a Permanent Reject. Referral The referral shall be followed, and then the procedure recurses. SecurityError In the case of an MTA, treat as if it is not possible to route to this MTA. In other cases, this leads to a Permanent Reject. ServiceError This leads to a Temporary Reject. The algorithm specifies the object class of entries which are read. If an object class does not match what is expected, this shall lead to a permanent reject. Kille Experimental [Page 32] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 15. Naming MTAs MTAs need to be named in the DIT, but the name does not have routing significance. The MTA name is simply a unique key. Attributes associated with naming MTAs are given in Figure 6. This figure also gives a list of attributes, which may be present in the MTA entry. The use of most of these is explained in subsequent sections. The mTAName and globalDomainID attributes are needed to define the information that an MTA places in trace information. As noted previously, an MTA is represented as an Application Process, with one or more Application Entities. --------------------------------------------------------------------- mTAName ATTRIBUTE ::= { SUBTYPE OF name WITH SYNTAX DirectoryString{ub-mta-name-length} SINGLE VALUE ID at-mta-name} -- used for naming when -- MTA is named in O=R Address Hierarchy globalDomainID ATTRIBUTE ::= { 10 WITH SYNTAX GlobalDomainIdentifier SINGLE VALUE ID at-global-domain-id} -- both attributes present when MTA -- is named outside O=R Address Hierarchy -- to enable trace to be written mTAApplicationProcess OBJECT-CLASS ::= { SUBCLASS OF {application-process} KIND auxiliary 20 MAY CONTAIN { mTAWillRoute| globalDomainID| routingTreeList| localAccessUnit| accessUnitsUsed } ID oc-mta-application-process} mTA OBJECT CLASS ::= { -- Application Entity 30 SUBCLASS OF {mhs-message-transfer-agent} KIND structural MAY CONTAIN { mTAName| globalDomainID| -- per AE variant Kille Experimental [Page 33] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 responderAuthenticationRequirements| initiatorAuthenticationRequirements| responderPullingAuthenticationRequirements| initiatorPullingAuthenticationRequirements| initiatorP1Mode| 40 responderP1Mode| polledMTAs| protocolInformation| respondingRTSCredentials| initiatingRTSCredentials| callingPresentationAddress| callingSelectorValidity| bilateralTable| mTAWillRoute| mhs-deliverable-content-length| 50 routingTreeList| supportedMTSExtensions| mTAsAllowedToPoll } ID oc-mta} Figure 6: MTA Definitions --------------------------------------------------------------------- In X.400 (1984), MTAs are named by MD and a single string. This style of naming is supported, with MTAs named in the O/R Address tree relative to the root of the DIT (or possibly in a different routing tree). The mTAName attribute is used to name MTAs in this case. For X.400(88) the Distinguished Name shall be passed as an AE Title. MTAs may be named with any other DN, which can be in the O/R Address or Organisational DIT hierarchy. There are several reasons why MTAs might be named differently. o The flat naming space is inadequate to support large MDs. MTA name assignment using the directory would be awkward. o An MD does not wish to register its MTAs in this way (essentially, it prefers to give them private names in the directory). o An organisation has a policy for naming application processes, which does not fit this approach. In this case, the MTA entry shall contain the correct information to be inserted in trace. The mTAName and globalDomainID attributes are used to do this. They are single value. For an MTA which inserts different trace in different circumstances, a more complex approach would be needed. Kille Experimental [Page 34] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 An MD may choose to name its MTAs outside of the O/R address hierarchy, and then link some or all of them with aliases. A pointer from this space may help in resolving information based on MTA Trace. The situation considered so far is where an MTA supports one application context (protocol). The MTA is represented in the directory by a single directory entry, having no subordinate applicationEntity entries. This name is considered to be the name of the MTA and its Application Process Title. The MTA has no Application Entity Qualifier, and so this is also the Application Entity Title. In the case where an MTA supports more than one application context, the Application Process Title is exactly the same as above, but it also has one or more subordinate applicationEntity entries. Each of these subordinate entries is associated with a single application context. The relative distinguished name of the subordinate applicationEntity entry is the Application Entity Qualifier of the Application Entity Title. The Application Entity Title is the distinguished name of the applicationEntity. The term MTA Name is used to refer to the Application Process Title. 15.1 Naming 1984 MTAs Some simplifications are necessary for 1984 MTAs, and only one naming approach may be used. This is because Directory Names are not carried in the protocol, and so it must be possible to derive the name algorithmically from parameters carried. In X.400, MTAs are named by MD and a single string. This style of naming is supported, with MTAs named in the O/R Address tree relative to the root of the DIT (or possibly in a different routing tree). The MTAName attribute is used to name MTAs in this case. 16. Attributes Associated with the MTA This section lists the attributes which may be associated with an MTA as defined in Figure 6, and gives pointers to the sections that describe them. mTAName Section 15. globalDomainID Section 15. protocolInformation Section 18.1. applicationContext Section 18.2. mhs-deliverable-content-length Section 18.3. responderAuthenticationRequirements Section 20.2. Kille Experimental [Page 35] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 initiatorAuthenticationRequirements Section 20.2. responderPullingAuthenticationRequirements Section 20.2. initiatorPullingAuthenticationRequirements Section 20.2. initiatorP1Mode Section 19. responderP1Mode Section 19. polledMTAs Section 19. mTAsAllowedToPoll Section 19. respondingRTSCredentials Section 20.3. initiatingRTSCredentials Section 20.3. callingPresentationAddress Section 20.3. callingSelectorValidity Section 20.3. bilateralTable Section 17. mTAWillRoute Section 21. routingTreeList Section 9. supportedMTSExtensions Section 18.3. --------------------------------------------------------------------- mTABilateralTableEntry OBJECT-CLASS ::= SUBCLASS OF {mTA| distinguishedNameTableEntry} ID oc-mta-bilateral-table-entry} Figure 7: MTA Bilateral Table Entry --------------------------------------------------------------------- 17. Bilateral Agreements Each MTA has an entry in the DIT. This will be information which is globally valid, and will be useful for handling general information about the MTA and for information common to all connections. In many cases, this will be all that is needed. This global information may be restricted by access control, and so need not be globally available. In some cases, MTAs will maintain bilateral and Kille Experimental [Page 36] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 multilateral agreements, which hold authentication and related information which is not globally valid. This section describes a mechanism for grouping such information into tables, which enables an MTA to have bilateral information or for a group of MTAs to share multilateral information. The description is for bilateral information, but is equally applicable to multilateral agreements. For the purpose of a bilateral agreement, the MTA is considered to be an application entity. This means that when this is distinct from the application process, that the agreements are protocol specific. A bilateral agreement is represented by one entry associated with each MTA participating in the bilateral agreement. For one end of the bilateral agreement, the agreement information will be keyed by the name of the MTA at the other end. Each party to the agreement will set up the entry which represents its half of the agreed policy. The fact that these correspond is controlled by the external agreement. In many cases, only one half of the agreement will be in the directory. The other half might be in an ADMD MTA configuration file. MTA bilateral information is stored in a table, as defined in [15]. An MTA has access to a sequence of such tables, each of which controls agreements in both directions for a given MTA. Where an MTA is represented in multiple tables, the first agreement shall be used. This allows an MTA to participate in multilateral agreements, and to have private agreements which override these. The definition of entries in this table are defined in Figure 7. This table will usually be access controlled so that only a single MTA or selected MTAs which appear externally as one MTA can access it. --------------------------------------------------------------------- bilateralTable ATTRIBUTE ::= { WITH SYNTAX SEQUENCE OF DistinguishedName SINGLE VALUE ID at-bilateral-table} Figure 8: Bilateral Table Attribute --------------------------------------------------------------------- Each entry in the table is of the object class distinguishedNameTableEntry, which is used to name the entry by the distinguished name of the MTA. In some cases discussed in Section 20.1, there will also be aliases of type textTableEntry. The MTA attributes needed as a part of the bilateral agreement (typically MTA Name/Password pairs), as described in Section 20.3, will always be Kille Experimental [Page 37] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 present. Other MTA attributes (e.g., presentation address) may be present for one of two reasons: 1. As a performance optimisation 2. Because the MTA does not have a global entry Every MTA with bilateral agreements will define a bilateral MTA table. When a connection from a remote MTA is received, its Distinguished Name is used to generate the name of the table entry. For 1984, the MTA Name exchanged at the RTS level is used as a key into the table. The location of the bilateral tables used by the MTA and the order in which they are used are defined by the bilateralTable attribute in the MTA entry, which is defined in Figure 8. All of the MTA information described in Section 16 may be used in the bilateral table entries. This will allow bilateral control of a wide range of parameters. Note: For some bilateral connections there is a need control various other functions, such as trace stripping and originator address manipulation. For now, this is left to implementation specific extensions. This is expected to be reviewed in light of implementation experience. 18. MTA Selection 18.1 Dealing with protocol mismatches MTAs may operate over different stacks. This means that some MTAs cannot talk directly to each other. Even where the protocols are the same, there may be reasons why a direct connection is not possible. An environment where there is full connectivity over a single stack is known as a transport community [9]. The set of transport communities supported by an MTA is specified by use of the protocolInformation attribute defined in X.500(93). This is represented as a separate attribute for the convenience of making routing decisions. Kille Experimental [Page 38] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 --------------------------------------------------------------------- supportedMTSExtensions ATTRIBUTE ::= { SUBTYPE OF objectIdentifier ID at-supported-mts-extensions} Figure 9: Supported MTS Extensions --------------------------------------------------------------------- A community is identified by an object identifier, and so the mechanism supports both well known and private communities. A list of object identifiers corresponding to well known communities is given in Appendix B. 18.2 Supported Protocols It is important to know the protocol capabilities of an MTA. This is done by the application context. There are standard definitions for the following 1988 protocols. o P3 (with and without RTS, both user and MTS initiated) o P7 (with and without RTS). o P1 (various modes). Strictly, this is the only one that matters for routing. In order to support P1(1984) and P1(1988) in X.410 mode, application contexts which define these protocols are given in Appendix C. This context is for use in the directory only, and would never be exchanged over the network. For routing purposes, a message store which is not co-resident with an MTA is represented as if it had a co-resident MTA and configured with a single link to its supporting MTA. In cases where the UA is involved in exchanges, the UA will be of object class mhs-user-agent, and this will allow for appropriate communication information to be registered. 18.3 MTA Capability Restrictions In addition to policy restrictions, described in Section 21, an MTA may have capability restrictions. The maximum size of MPDU is defined by the standard attribute mhs-deliverable-content-length. The supported MTS extensions are defined by a new attribute specified in Figure 9. Kille Experimental [Page 39] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 --------------------------------------------------------------------- restrictedSubtree OBJECT-CLASS ::= { SUBCLASS OF {top} KIND auxiliary MAY CONTAIN { subtreeDeliverableContentLength| subtreeDeliverableContentTypes| subtreeDeliverableEITs} ID oc-restricted-subtree} 10 subtreeDeliverableContentLength ATTRIBUTE ::= { SUBTYPE OF mhs-deliverable-content-length ID at-subtree-deliverable-content-length} subtreeDeliverableContentTypes ATTRIBUTE ::= { SUBTYPE OF mhs-deliverable-content-types ID at-subtree-deliverable-content-types} subtreeDeliverableEITs ATTRIBUTE ::= { SUBTYPE OF mhs-deliverable-eits 20 ID at-subtree-deliverable-eits} Figure 10: Subtree Capability Restriction --------------------------------------------------------------------- It may be useful to define other capability restrictions, for example to enable routing of messages around MTAs with specific deficiencies. It has been suggested using MTA capabilities as an optimised means of expressing capabilities of all users associated with the MTA. This is felt to be undesirable. 18.4 Subtree Capability Restrictions In many cases, users of a subtree will share the same capabilities. It is possible to specify this by use of attributes, as defined in Figure 10. This will allow for restrictions to be determined in cases where there is no entry for the user or O/R Address. This will be a useful optimisation in cases where the UA capability information is not available from the directory, either for policy reasons or because it is not there. This information may also be present in the domain tree (RFC 822). This shall be implemented as a collective attribute, so that it is available to all entries in the subtree below the entry. This can also be used for setting defaults in the subtree. Kille Experimental [Page 40] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 --------------------------------------------------------------------- initiatorP1Mode ATTRIBUTE ::= { WITH SYNTAX P1Mode SINGLE VALUE ID at-initiator-p1-mode} responderP1Mode ATTRIBUTE ::= { WITH SYNTAX P1Mode SINGLE VALUE ID at-responder-p1-mode} 10 P1Mode ::= ENUMERATED { push-only(0), pull-only(1), twa(2) } polledMTAs ATTRIBUTE ::= { WITH SYNTAX PolledMTAs ID at-polled-mtas} 20 PolledMTAs ::= SEQUENCE { mta DistinguishedName, poll-frequency INTEGER OPTIONAL --frequency in minutes } mTAsAllowedToPoll ATTRIBUTE ::= { SUBTYPE OF distinguishedName ID at-mtas-allowed-to-poll} Figure 11: Pulling Messages --------------------------------------------------------------------- 19. MTA Pulling Messages Pulling messages between MTAs, typically by use of two way alternate, is for bilateral agreement. It is not the common case. There are two circumstances in which it can arise. 1. Making use of a connection that was opened to push messages. 2. Explicitly polling in order to pull messages Attributes to support this are defined in Figure 11. These attributes indicate the capabilities of an MTA to pull messages, and allows a list of polled MTAs to be specified. If omitted, the normal case of push-only is specified. In the MTA Entry, the polledMTAs Kille Experimental [Page 41] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 attribute indicates MTAs which are to be polled and the mTAsAllowedToPoll attribute indicates MTAs that may poll the current MTA. 20. Security and Policy 20.1 Finding the Name of the Calling MTA A key issue for authentication is for the called MTA to find the name of the calling MTA. This is needed for it to be able to look up information on a bilateral agreement. Where X.400(88) is used, the name is available as a distinguished name from the AE-Title derived from the AP-Title and AE-Qualifier in the A-Associate. For X.400(84), it will not be possible to derive a global name from the bind. The MTA Name exchanged in the RTS Bind will provide a key into the private bilateral agreement table (or tables), where the connection information can be verified. Thus for X.400(1984) it will only be possible to have bilateral inbound links or no authentication of the calling MTA. Note: CDC use a search here, as a mechanism to use a single table and an 88/84 independent access. This may be considered for general adoption. It appears to make the data model cleaner, possibly at the expense of some performance. This will be considered in the light of implementation experience. 20.2 Authentication The levels of authentication required by an MTA will have an impact on routing. For example, if an MTA requires strong authentication, not all MTAs will be able to route to it. The attributes which define the authentication requirements are defined in Figure 12. The attributes specify authentication levels for the following cases: Responder These are the checks that the responder will make on the initiator's credentials. Initiator These are the checks that the initiator will make on the responders credentials. Very often, no checks are needed --- establishing the connection is sufficient. Responder Pulling These are responder checks when messages are pulled. These will often be stronger than for pushing. Initiator Pulling For completeness. Kille Experimental [Page 42] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 If an attribute is omitted, no checks are required. If multiple checks are required, then each of the relevant bits shall be set. The attribute is single value, which implies that the MTA must set a single authentication policy. --------------------------------------------------------------------- responderAuthenticationRequirements ATTRIBUTE ::= { WITH SYNTAX AuthenticationRequirements SINGLE VALUE ID at-responder-authentication-requirements} initiatorAuthenticationRequirements ATTRIBUTE ::= { WITH SYNTAX AuthenticationRequirements SINGLE VALUE ID at-initiator-authentication-requirements} 10 responderPullingAuthenticationRequirements ATTRIBUTE ::= { WITH SYNTAX AuthenticationRequirements SINGLE VALUE ID at-responder-pulling-authentication-requirements} initiatorPullingAuthenticationRequirements ATTRIBUTE ::= { WITH SYNTAX AuthenticationRequirements SINGLE VALUE ID at-initiator-pulling-authentication-requirements} 20 AuthenticationRequirements ::= BITSTRING { mta-name-present(0), aet-present(1), aet-valid(2), network-address(3), simple-authentication(4), strong-authentication(5), bilateral-agreement-needed(6)} Figure 12: Authentication Requirements --------------------------------------------------------------------- The values of the authentication requirements mean: mta-name-present That an RTS level MTA parameter shall be present for logging purposes. aet-present That a distinguished name application entity title shall be provided at the ACSE level. Kille Experimental [Page 43] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 aet-valid As for aet-present, and that the AET be registered in the directory. This may be looked up as a part of the validation process. If mta-name-present is set, the RTS value of mta and password shall correspond to those registered in the directory. network-address This can only be used for the responder. The AET shall be looked up in the directory, and the callingPresentationAddress attribute matched against the calling address. This shall match exactly at the network level. The validity of selectors will be matched according to the callingSelectorValidity attribute. simple-authentication All MTA and password parameters needed for simple authentication shall be used. This will usually be in conjunction with a bilateral agreement. strong-authentication Use of strong authentication. bilateral-agreement-needed This means that this MTA will only accept connections in conjunction with a bilateral or multilateral agreements. This link cannot be used unless such an agreement exists. These attributes may also be used to specify UA/MTA authentication policy. They may be resident in the UA entry in environments where this information cannot be modified by the user. Otherwise, it will be present in an MTA table (represented in the directory). An MTA could choose to have different authentication levels related to different policies (Section 21). This is seen as too complex, and so they are kept independent. The equivalent function can always be achieved by using multiple Application Entities with the application process. 20.3 Authentication Information This section specifies connection information needed by P1. This is essentially RTS parameterisation needed for authentication. This is defined in Figure 13. Confidential bilateral information is implied by these attributes, and this will be held in the bilateral information agreement. This shall have appropriate access control applied. Note that in some cases, MTA information will be split across a private and public entry. Kille Experimental [Page 44] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 --------------------------------------------------------------------- respondingRTSCredentials ATTRIBUTE ::= { WITH SYNTAX RTSCredentials SINGLE VALUE ID at-responding-rts-credentials} initiatingRTSCredentials ATTRIBUTE ::= { WITH SYNTAX RTSCredentials SINGLE VALUE 10 ID at-initiating-rts-credentials} RTSCredentials ::= SEQUENCE { request [0] MTAandPassword OPTIONAL, response [1] MTAandPassword OPTIONAL } MTAandPassword ::= SEQUENCE { MTAName, 20 Password } -- MTAName and Password -- from X.411 callingPresentationAddress ATTRIBUTE ::= { SUBTYPE OF presentationAddress MULTI VALUE ID at-calling-presentation-address} callingSelectorValidity ATTRIBUTE ::= { 30 WITH SYNTAX CallingSelectorValidity SINGLE VALUE ID at-calling-selector-validity} CallingSelectorValidity ::= ENUMERATED { all-selectors-fixed(0), tsel-may-vary(1), all-selectors-may-vary(2) } Figure 13: MTA Authentication Parameters --------------------------------------------------------------------- Kille Experimental [Page 45] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 --------------------------------------------------------------------- mTAWillRoute ATTRIBUTE ::= { WITH SYNTAX MTAWillRoute ID at-mta-will-route} MTAWillRoute ::= SEQUENCE { from [0] SET OF ORAddressPrefix OPTIONAL, to [1] SET OF ORAddressPrefix OPTIONAL, from-excludes [2] SET OF ORAddressPrefix OPTIONAL, to-excludes [3] SET OF ORAddressPrefix OPTIONAL } 10 ORAddressPrefix ::= DistinguishedName Figure 14: Simple MTA Policy Specification --------------------------------------------------------------------- The parameters are: Initiating Credentials The credentials to be used when the local MTA initiates the association. It gives the credentials to insert into the request, and those expected in the response. Responding Credentials The credentials to be used when the remote MTA initiates the association. It gives the credential expected in the request, and those to be inserted into the response. Remote Presentation Address Valid presentation addresses, which the remote MTA may connect from. If an MTA/Password pair is omitted, the MTA shall default to the local MTA Name, and the password shall default to a zero-length OCTET STRING. Note: Future versions of this specification may add more information here relating to parameters required for strong authentication. 21. Policy and Authorisation 21.1 Simple MTA Policy The routing trees will generally be configured in order to identify MTAs which will route to the destination. A simple means is identified to specify an MTA's policy. This is defined in Figure 14. If this attribute is omitted, the MTA shall route all traffic to the implied destinations from the context of the routing tree for any MTAs that have valid access to the routing tree. Kille Experimental [Page 46] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 The multi-valued attribute gives a set of policies which the MTA will route. O/R Addresses are represented by a prefix, which identifies a subtree. A distinguished name encoding of O/R Address is used. There are three components: from This gives a set of O/R addresses which are granted permission by this attribute value. If omitted, "all" is implied. to This gives the set of acceptable destinations. If omitted, "all" is implied. from-excludes This defines (by prefix) subtrees of the O/R address tree which are explicitly excluded from the "from" definition. If omitted, there are no exclusions. to-excludes This defines (by prefix) subtrees of the O/R address tree which are explicitly excluded from the "to" definition. If omitted, there are no exclusions. This simple policy will suffice for most cases. In particular, it gives sufficient information for most real situations where a policy choice is forced, and the application of this policy would prevent a message being routed. This simple prefixing approach does not deal explicitly with alias dereferencing. The prefixes refer to O/R addresses where aliases have been dereferenced. To match against these prefixes, O/R addresses being matched need to be "normalised by being looked up in the directory to resolve alias values. If the lookup fails, it shall be assumed that the provided address is already normalised. This means that policy may be misinterpreted for parts of the DIT not referenced in the directory. The originator refers to the MTS originator, and the recipient to the MTS recipient, following any list expansion or redirect. This simple policy does not apply to delivery reports. Any advertised route shall work for delivery reports, and it does not makes sense to regulate this on the basis of the sender. 21.2 Complex MTA Policy MTAs will generally have a much more complex policy mechanism, such as that provided by PP MTA [10]. Representing this as a part of the routing decision is not done here, but may be addressed in future versions. Some of the issues which need to be tackled are: Kille Experimental [Page 47] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 o Use of charging and non-charging nets o Policy dependent on message size o Different policy for delivery reports. o Policy dependent on attributes of the originator or recipient (e.g., mail from students) o Content type and encoded information types o The path which the message has traversed to reach the MTA o MTA bilateral agreements o Pulling messages o Costs. This sort of policy information may also be for information only. MTAs may apply more complex routing policies. However, this shall not lead to the rejection of messages which might otherwise be correctly routed on the published policy information. Policies relating to submission do not need to be public. They can be private to the MTA. --------------------------------------------------------------------- redirect ATTRIBUTE ::= { WITH SYNTAX Redirect SINGLE VALUE ID at-redirect} Redirect ::= SEQUENCE OF SEQUENCE { or-name ORName, reason RedirectionReason, -- from X.411 filter CHOICE { 10 min-size [1] INTEGER, max-size [2] INTEGER, content [3] ContentType, eit [4] ExternalEncodedInformationType } OPTIONAL } Figure 15: Redirect Definition --------------------------------------------------------------------- Kille Experimental [Page 48] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 22. Delivery 22.1 Redirects There is a need to specify redirects in the Directory. This will be useful for alternate names where an equivalent name (synonym) defined by an alias is not natural. An example where this might be appropriate is to redirect mail to a new O/R address where a user had changed organisation. A mechanism is given to allow conditional (filtered) redirects for different types of messages. This allow small messages, large messages, or messages containing specific EITs or content to be redirected. The definitions are given in Figure 15. Redirection is specified by the redirect attribute. If present, this attribute shall be processed before supportingMTA and nonDeliveryInfo. These two attributes shall only be considered if it is determined that no redirection applies. The redirect attribute is a sequence of elements which are considered in the order specified. Each element is examined in turn. The first element which applies is used, and no further elements are examined. Use of an element for redirection, shall follow the X.400 procedures for redirection, and an element shall not be used if prevented by a service control. If the redirect attribute is processed and no redirection is generated, processing shall continue irrespective of service controls. If non- delivery is intended in this event, this shall be achieved by use of the nonDeliveryInfo attribute. The components have the following interpretations: or-name This X.400 O/R Name is for use in the redirection. This O/R Name will contain an optional directory name and optional O/R address. One or both of the must be present. If the O/R Address element is present, the Directory Name, if present, is for information only. and is to be placed in the X.400 redirection. If the O/R address element is absent, the Directory Name shall be present and shall be looked up to determine the O/R address of the redirected recipient. The O/R Address of the intended recipient will either be present or derived by lookup. Routing shall be done on the basis of this O/R Address. reason This is the reason information to be placed in the X.400 redirect, and it shall take one of the following values of RedirectReason defined in X.411: recipient-assigned-alternate-recipient; recipient-MD-assigned-alternate-recipient; or alias. It shall not have the value originator-requested-alternate-recipient. Kille Experimental [Page 49] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 filter If filter is absent, the redirect is mandoatory and shall be followed. If the filter is present, use of the redirect under consideration depends on the type of filter as follows: min-size Follow redirect if the message (MT content) is larger than min-size (measured in kBytes). max-size Follow redirect if the message (MT content) is smaller than max-size (measured in kBytes). content Follow redirect if message content is of type content. eit Follow redirect if the encoded information types registered in the envelope contain eit. When a delivery report is sent to an address which would be redirected, X.400 would ignore the redirect. This means that every O/R address would need to have a valid means of delivery. This would seem to be awkward to manage. Therefore, the redirect shall be followed, and the delivery report delivered to the redirected address. These redirects are handled directly by the MTA. Redirects can also be initiated by the UA, for example in the context of a P7 interaction. --------------------------------------------------------------------- nonDeliveryInfo ATTRIBUTE ::= { WITH SYNTAX NonDeliveryReason SINGLE VALUE ID at-non-delivery-info} NonDeliveryReason ::= SEQUENCE { reason INTEGER (0..ub-reason-codes), diagnostic INTEGER (0..ub-diagnostic-codes) OPTIONAL, supplementaryInfo PrintableString OPTIONAL } 10 Figure 16: Non Delivery Information --------------------------------------------------------------------- 22.2 Underspecified O/R Addresses X.400 requires that some underspecified O/R Addresses are handled in a given way (e.g., if a surname is given without initials or given name). Where an underspecified O/R Address is to be treated as if it were another O/R Address, an alias shall be used. If the O/R Address Kille Experimental [Page 50] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 is to be rejected as ambiguous, an entry shall be created in the DIT, and forced non-delivery specified for this reason. Note: It is also possible to handle this situation by searching. An MTA conforming to this specification may handle underspecified addresses in this manner. The choice of mechanism will be reviewed after operational experience with both approaches. 22.3 Non Delivery It is possible for a manager to define an address to non-deliver with specified reason and diagnostic codes. This might be used for a range of management purposes. The attribute to do this is defined in Figure 16. If a nonDeliveryInfo attribute is present, any supportingMTA attribute shall be ignored and the message non- delivered. 22.4 Bad Addresses If there is a bad address, it is desirable to do a directory search to find alternatives. This is a helpful user service and may be supported. This function is invoked after address checking has failed, and where this is no user supplied alternate recipient. This function would be an MTA-chosen alternative to administratively assigned alternate recipient. Attributes to support handling of bad addresses are defined in Figure 17. The attributes are: badAddressSearchPoint This gives the point (or list of points) from which to search. badAddressSearchAttributes This gives the set of attribute types to search on. The default is common name. Kille Experimental [Page 51] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 --------------------------------------------------------------------- badAddressSearchPoint ATTRIBUTE ::= { SUBTYPE OF distinguishedName ID at-bad-address-search-point} badAddressSearchAttributes ATTRIBUTE ::= { WITH SYNTAX AttributeType ID at-bad-address-search-attributes} alternativeAddressInformation EXTENSION 10 AlternativeAddressInformation ::= id-alternative-address-information -- X.400(92) continues to use MACRO notation AlternativeAddressInformation ::= SET OF SEQUENCE { distinguished-name DistinguishedName OPTIONAL, or-address ORAddress OPTIONAL, other-useful-info SET OF Attribute } Figure 17: Bad Address Pointers --------------------------------------------------------------------- Searches are always single level, and always use approximate match. If a small number of matches are made, this is returned to the originator by use of the per recipient AlternativeAddressInformation in the delivery report (DR). This shall be marked non-critical, so that it will not cause the DR to be discarded (e.g., in downgrading to X.400(1984)). This attribute allows the Distinguished Name and O/R Address of possible alternate recipients to be returned with the delivery report. There is also the possibility to attach extra information in the form of directory attributes. Typically this might be used to return attributes of the entry which were matched in the search. A summary of the information shall also be returned using the delivery report supplementary information filed (e.g., "your message could not be delivered to smith, try J. Smith or P. Smith"), so that the information is available to user agents not supporting this extension. Note the length restriction of this field is 256 (ub-supplementary-info-length) in X.400(1988). If the directory search fails, or there are no matches returned, a delivery report shall be returned as if this extra check had not been made. Note: It might be useful to allow control of search type, and also single level vs subtree. This issue is for further study. Kille Experimental [Page 52] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 --------------------------------------------------------------------- localAccessUnit ATTRIBUTE ::= { WITH SYNTAX AccessUnitType ID at-local-access-unit} AccessUnitType ::= ENUMERATED { fax (1), physical-delivery (2), teletex (3), telex (4) } 10 accessUnitsUsed ATTRIBUTE ::= { WITH SYNTAX SelectedAccessUnit ID at-access-units-used} SelectedAccessUnit ::= SEQUENCE { type AccessUnitType, providing-MTA DistinguishedName, filter SET OF ORAddress OPTIONAL } Figure 18: Access UnitAttributes --------------------------------------------------------------------- 23. Submission A message may be submitted with Distinguished Name only. If the MTA to which the message is submitted supports this service, this section describes how the mapping is done. 23.1 Normal Derivation The Distinguished Name is looked up to find the attribute mhs-or- addresses. If the attribute is single value, it is straightforward. If there are multiple values, one O/R address shall be selected at random. 23.2 Roles and Groups Some support for roles is given. If there is no O/R address, and the entry is of object class role, then the roleOccupant attribute shall be dereferenced, and the message submitted to each of the role occupants. Similarly, if the entry is of object class group, where the groupMember attribute is used. Kille Experimental [Page 53] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 24. Access Units Attributes needed for support of Access Units, as defined in X.400(88), are defined in Figure 18. The attributes defined are: localAccessUnit This defines the list of access units supported by the MTA. accessUnitsUsed This defines which access units are used by the MTA, giving the type and MTA. An O/R Address filter is provided to control which access unit is used for a given recipient. For a filter to match an address, all attributes specificed in the filter shall match the given address. This is specified as an O/R Address, so that routing to access units can be filtered on the basis of attributes not mapped onto the directory (e.g., postal attributes). Where a remote MTA is used, it may be necessary to use source routing. Note 1: This mechanism might be used to replace the routefilter mechanism of the MTS routing. Comments are solicited. Note 2: It has been proposed to add a more powerful filter mechanism. Comments are solicited. Note 3: The utility of this specification as a mechanism to route faxes and other non MHS messages has been noted, but not explored. Comments as to how and if this should be developed are solicited. These three issues are for further study. 25. The Overall Routing Algorithm Having provided all the pieces, a summary of how routing works can be given. The core of the X.400 routing is described in Section 10. A sequence of routing trees are followed. As nodes of the routing tree are matched, a set of MTAs will be identified for evaluation as possible next hops. If all of these are rejected, the trees are followed further. (It might be argued that the trees should be followed to find alternate routes in the case that only one MTA is acceptable. This is not proposed.) A set of MTAs is evaluated on the following criteria: o If an MTA is the local MTA, deliver locally. o Supported protocols. The MTA shall support a protocol that the current MTA supports, as described in Section 18.2. Kille Experimental [Page 54] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 (Note that this could be an RFC 822 protocol, as well as an X.400 protocol.) o The protocols shall share a common transport community, as described in Section 18.1. o There shall be no capability restrictions in the MTA which prevents transfer of the current message, as described in Section 18.3. o There shall be no policy restrictions in the MTA which prevents transfer of the current message, as described in Section 21. o The authentication requirements of the MTA shall be met by the local MTA, as described in Section 20.2. o If the authentication (Section 20.2) indicates that a bilateral agreement is present, the MTA shall be listed in the local set of bilateral agreements, as described in Section 17. o In cases where the recipient UA's capabilities can be determined, there should either be no mismatch, or there shall be an ability to use local or remote reformatting capabilities, as described in [12]. 26. Performance The routing algorithm has been designed with performance in mind. In particular, care has been taken to use only the read function, which will in general be optimised. Routing trees may be configured so that routing decisions can be made with only two directory reads. More complex configurations will not require a substantially larger number of operations. 27. Acknowledgements This memo is the central document of a series of specifications [14, 15, 16], and to other work in progress. The acknowledgements for all of this work is given here. Previous work, which significantly influenced these specifications is described in Section 3. This lead to an initial proposal by the editor, which was subsequently split into eight documents. Work on this specifications has been done by the IETF MHS-DS working group. Special credit is given to the joint chairs of this group: Harald Alvestrand (Uninett) and Kevin Jordan (CDC). Credit is given to all members of the WG. Those who have made active contribution include: Piete Brooks (Cambridge University); Allan Cargille (University of Wisconsin); Jim Craigie (JNT); Dennis Doyle (SSS); Urs Eppenberger (SWITCH); Peter Furniss; Christian Kille Experimental [Page 55] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 Huitema (Inria); Marko Kaittola (Dante); Sylvain Langlois (EDF); Lucy Loftin (AT&T GIS); Julian Onions (NEXOR); Paul-Andre Pays (Inria); Colin Robbins (NEXOR); Michael Roe (Cambridge University); Jim Romaguera (Netconsult); Michael Storz (Leibniz Rechenzentrum); Mark Wahl (ISODE Consortium); Alan Young (ISODE Consortium). This work was partly funded by the COSINE Paradise project. 28. References [1] The Directory --- overview of concepts, models and services, 1993. CCITT X.500 Series Recommendations. [2] J.N. Chiappa. A new IP routing and addressing architecture, 1991. [3] A. Consael, M. Tschicholz, O. Wenzel, K. Bonacker, and M. Busch. DFN-Directory nutzung durch MHS, April 1990. GMD Report. [4] P. Dick-Lauder, R.J. Kummerfeld, and K.R. Elz. ACSNet - the Australian alternative to UUCP. In EUUG Conference, Paris, pages 60--69, April 1985. [5] Eppenberger, U., "Routing Coordination for X.400 MHS Services Within a Multi Protocol / Multi Network Environment Table Format V3 for Static Routing", RFC 1465, SWITCH, May 1993. [6] K.E. Jordan. Using X.500 directory services in support of X.400 routing and address mapping, November 1991. Private Note. [7] S.E. Kille. MHS use of directory service for routing. In IFIP 6.5 Conference on Message Handling, Munich, pages 157--164. North Holland Publishing, April 1987. [8] S.E. Kille. Topology and routing for MHS. COSINE Specification Phase 7.7, RARE, 1988. [9] Kille, S., "Encoding Network Addresses to support operation over non-OSI lower layers", RFC 1277, Department of Computer Science, University College London, November 1991. [10] S.E. Kille. Implementing X.400 and X.500: The PP and QUIPU Systems. Artech House, 1991. ISBN 0-89006-564-0. [11] Kille, S., "A Representation of Distinguished Names (OSI-DS 23 (v5))", RFC 1485, Department of Computer Science, University College London, January 1992. Kille Experimental [Page 56] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 [12] Kille, S., Mhs use of X.500 directory to support mhs content conversion, Work in Progress, July 1993. [13] Kille, S., "Use of the X.500 directory to support routing for RFC 822 and related protocols", Work in Progress, July 1993. [14] Kille, S., "Representing tables and subtrees in the X.500 directory", Work in Progress, September 1994. [15] Kille, S., "Representing the O/R Address hierarchy in the X.500 directory information tree", Work in Progress, September 1994. [16] Kille, S., "Use of the X.500 directory to support mapping between X.400 and RFC 822 addresses", Work in Progress, September 1994. [17] Lauder, P., Kummerfeld, R., and A. Fekete. Hierarchical network routing. In Tricomm 91, 1991. [18] CCITT recommendations X.400 / ISO 10021, April 1988. CCITT SG 5/VII / ISO/IEC JTC1, Message Handling: System and Service Overview. [19] Zen and the ART of navigating through the dark and murky regions of the message transfer system: Working document on MTS routing, September 1991. ISO SC 18 SWG Messaging. 29. Security Considerations Security issues are not discussed in this memo. Kille Experimental [Page 57] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 30. Author's Address Steve Kille ISODE Consortium The Dome The Square Richmond TW9 1DT England Phone: +44-81-332-9091 EMail: S.Kille@ISODE.COM X.400: I=S; S=Kille; O=ISODE Consortium; P=ISODE; A=Mailnet; C=FI; DN: CN=Steve Kille, O=ISODE Consortium, C=GB UFN: S. Kille, ISODE Consortium, GB Kille Experimental [Page 58] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 A Object Identifier Assignment ----------------------------------------------------------------------- mhs-ds OBJECT-IDENTIFIER ::= {iso(1) org(3) dod(6) internet(1) private(4) enterprises(1) isode-consortium (453) mhs-ds (7)} routing OBJECT IDENTIFIER ::= {mhs-ds 3} oc OBJECT IDENTIFIER ::= {routing 1} at OBJECT IDENTIFIER ::= {routing 2} id OBJECT IDENTIFIER ::= {routing 3} 10 oc-mta OBJECT IDENTIFIER ::= {oc 1} oc-mta-bilateral-table-entry OBJECT IDENTIFIER ::= {oc 2} oc-routing-information OBJECT IDENTIFIER ::= {oc 3} oc-restricted-subtree OBJECT IDENTIFIER ::= {oc 4} oc-routed-ua OBJECT IDENTIFIER ::= {oc 8} oc-routing-tree-root OBJECT IDENTIFIER ::= {oc 6} oc-mta-application-process OBJECT IDENTIFIER ::= {oc 7} at-access-md OBJECT IDENTIFIER ::= {at 1} at-access-units-used OBJECT IDENTIFIER ::= {at 2} 20 at-subtree-information OBJECT IDENTIFIER ::= {at 3} at-bad-address-search-attributes OBJECT IDENTIFIER ::= {at 4} at-bad-address-search-point OBJECT IDENTIFIER ::= {at 5} at-calling-selector-validity OBJECT IDENTIFIER ::= {at 7} at-global-domain-id OBJECT IDENTIFIER ::= {at 10} at-initiating-rts-credentials OBJECT IDENTIFIER ::= {at 11} at-initiator-authentication-requirements OBJECT IDENTIFIER ::= {at 12}30 at-initiator-p1-mode OBJECT IDENTIFIER ::= {at 13} at-initiator-pulling-authentication-requirements OBJECT IDENTIFIER ::= {at 14} at-local-access-unit OBJECT IDENTIFIER ::= {at 15} at-redirect OBJECT IDENTIFIER ::= {at 46} at-mta-info OBJECT IDENTIFIER ::= {at 40} at-mta-name OBJECT IDENTIFIER ::= {at 19} at-mta-will-route OBJECT IDENTIFIER ::= {at 21} at-calling-presentation-address OBJECT IDENTIFIER ::= {at 22} at-responder-authentication-requirements OBJECT IDENTIFIER ::= {at 23}40 at-responder-p1-mode OBJECT IDENTIFIER ::= {at 24} at-responder-pulling-authentication-requirements OBJECT IDENTIFIER ::= {at 25} Kille Experimental [Page 59] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 at-responding-rts-credentials OBJECT IDENTIFIER ::= {at 26} at-routing-failure-action OBJECT IDENTIFIER ::= {at 27} at-routing-filter OBJECT IDENTIFIER ::= {at 28} at-routing-tree-list OBJECT IDENTIFIER ::= {at 29} at-subtree-deliverable-content-length OBJECT IDENTIFIER ::= {at 30} at-subtree-deliverable-content-types OBJECT IDENTIFIER ::= {at 31} at-subtree-deliverable-eits OBJECT IDENTIFIER ::= {at 32} at-supporting-mta OBJECT IDENTIFIER ::= {at 33} 50 at-transport-community OBJECT IDENTIFIER ::= {at 34} at-user-name OBJECT IDENTIFIER ::= {at 35} at-non-delivery-info OBJECT IDENTIFIER ::= {at 47} at-polled-mtas OBJECT IDENTIFIER ::= {at 37} at-bilateral-table OBJECT IDENTIFIER {at 45} at-supported-extension OBJECT IDENTIFIER {at 42} at-supported-mts-extension OBJECT IDENTIFIER {at 43} at-mtas-allowed-to-poll OBJECT IDENTIFIER {at 44} id-alternative-address-information OBJECT IDENTIFIER ::= {id 1} 60 Figure 19: Object Identifier Assignment ----------------------------------------------------------------------- B Community Identifier Assignments ----------------------------------------------------------------------- ts-communities OBJECT-IDENTIFIER ::= {iso(1) org(3) dod(6) internet(1) private(4) enterprises(1) isode-consortium (453) ts-communities (4)} tc-cons OBJECT IDENTIFIER ::= {ts-communities 1} -- OSI CONS tc-clns OBJECT IDENTIFIER ::= {ts-communities 2} -- OSI CLNS tc-internet OBJECT IDENTIFIER ::= {ts-communities 3}-- Internet+RFC1006 tc-int-x25 OBJECT IDENTIFIER ::= {ts-communities 4} -- International X.25 -- Without CONS10 tc-ixi OBJECT IDENTIFIER ::= {ts-communities 5} -- IXI (Europe) tc-janet OBJECT IDENTIFIER ::= {ts-communities 6} -- Janet (UK) Figure 20: Transport Community Object Identifier Assignments ----------------------------------------------------------------------- Kille Experimental [Page 60] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 C Protocol Identifier Assignments ----------------------------------------------------------------------- mail-protocol OBJECT-IDENTIFIER ::= {iso(1) org(3) dod(6) internet(1) private(4)n enterprises(1) isode-consortium (453) mail-protocol (5)} ac-p1-1984 OBJECT IDENTIFIER ::= {mail-protocol 1} -- p1(1984) ac-smtp OBJECT IDENTIFIER ::= {mail-protocol 2} -- SMTP ac-uucp OBJECT IDENTIFIER ::= {mail-protocol 3} -- UUCP Mail ac-jnt-mail OBJECT IDENTIFIER ::= {mail-protocol 4} -- JNT Mail (UK) ac-p1-1988-x410 OBJECT IDENTIFIER ::= {mail-protocol 5} -- p1(1988) in X.410 mode ac-p3-1984 OBJECT IDENTIFIER ::= {mail-protocol 6} -- p3(1984) 10 Figure 21: Protocol Object Identifier Assignments ----------------------------------------------------------------------- D ASN.1 Summary ----------------------------------------------------------------------- MHS-DS-Definitions DEFINITIONS ::= BEGIN -- assign OID to module -- define imports and exports routingTreeRoot OBJECT-CLASS ::= { SUBCLASS OF {routingInformation|subtree} ID oc-routing-tree-root} 10 routingTreeList ATTRIBUTE ::= { WITH SYNTAX RoutingTreeList SINGLE VALUE ID at-routing-tree-list} RoutingTreeList ::= SEQUENCE OF RoutingTreeName RoutingTreeName ::= DistinguishedName 20 routingInformation OBJECT-CLASS ::= { SUBCLASS OF top KIND auxiliary MAY CONTAIN { Kille Experimental [Page 61] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 subtreeInformation| routingFilter| routingFailureAction| mTAInfo| accessMD| nonDeliveryInfo| 30 badAddressSearchPoint| badAddressSearchAttributes} ID oc-routing-information} -- No naming attributes as this is not a -- structural object class subtreeInformation ATTRIBUTE ::= { WITH SYNTAX SubtreeInfo 40 SINGLE VALUE ID at-subtree-information} SubtreeInfo ::= ENUMERATED { all-children-present(0), not-all-children-present(1) } routingFilter ATTRIBUTE ::= { WITH SYNTAX RoutingFilter 50 ID at-routing-filter} RoutingFilter ::= SEQUENCE{ attribute-type OBJECT-IDENTIFIER, weight RouteWeight, dda-key String OPTIONAL, regex-match IA5String OPTIONAL, node DistinguishedName } 60 String ::= CHOICE {PrintableString, TeletexString} routingFailureAction ATTRIBUTE ::= { WITH SYNTAX RoutingFailureAction SINGLE VALUE ID at-routing-failure-action} RoutingFailureAction ::= ENUMERATED { next-level(0), next-tree-only(1), 70 next-tree-first(2), stop(3) } Kille Experimental [Page 62] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 mTAInfo ATTRIBUTE ::= { WITH SYNTAX MTAInfo ID at-mta-info} MTAInfo ::= SEQUENCE { name DistinguishedName, 80 weight [1] RouteWeight DEFAULT preferred-access, mta-attributes [2] SET OF Attribute OPTIONAL, ae-info SEQUENCE OF SEQUENCE { aEQualifier PrintableString, ae-weight RouteWeight DEFAULT preferred-access, ae-attributes SET OF Attribute OPTIONAL} OPTIONAL } RouteWeight ::= INTEGER {endpoint(0), preferred-access(5), 90 backup(10)} (0..20) accessMD ATTRIBUTE ::= { SUBTYPE OF distinguishedName ID at-access-md} routedUA OBJECT-CLASS ::= { SUBCLASS OF {routingInformation} KIND auxiliary MAY CONTAIN { 100 -- from X.402 mhs-deliverable-content-length| mhs-deliverable-content-types| mhs-deliverable-eits| mhs-message-store| mhs-preferred-delivery-methods| -- defined here supportedExtensions| redirect| supportingMTA| 110 userName| nonDeliveryInfo} ID oc-routed-ua} supportedExtensions ATTRIBUTE ::= { SUBTYPE OF objectIdentifier ID at-supported-extensions} supportingMTA ATTRIBUTE ::= { SUBTYPE OF mTAInfo 120 ID at-supporting-mta} Kille Experimental [Page 63] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 userName ATTRIBUTE ::= { SUBTYPE OF distinguishedName ID at-user-name} mTAName ATTRIBUTE ::= { SUBTYPE OF name WITH SYNTAX DirectoryString{ub-mta-name-length} SINGLE VALUE 130 ID at-mta-name} -- used for naming when -- MTA is named in O=R Address Hierarchy globalDomainID ATTRIBUTE ::= { WITH SYNTAX GlobalDomainIdentifier SINGLE VALUE ID at-global-domain-id} -- both attributes present when MTA -- is named outside O=R Address Hierarchy 140 -- to enable trace to be written mTAApplicationProcess OBJECT-CLASS ::= { SUBCLASS OF {application-process} KIND auxiliary MAY CONTAIN { mTAWillRoute| globalDomainID| routingTreeList| localAccessUnit| 150 accessUnitsUsed } ID oc-mta-application-process} mTA OBJECT CLASS ::= { -- Application Entity SUBCLASS OF {mhs-message-transfer-agent} KIND structural MAY CONTAIN { mTAName| globalDomainID| -- per AE variant 160 responderAuthenticationRequirements| initiatorAuthenticationRequirements| responderPullingAuthenticationRequirements| initiatorPullingAuthenticationRequirements| initiatorP1Mode| responderP1Mode| polledMTAs| protocolInformation| respondingRTSCredentials| initiatingRTSCredentials| 170 Kille Experimental [Page 64] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 callingPresentationAddress| callingSelectorValidity| bilateralTable| mTAWillRoute| mhs-deliverable-content-length| routingTreeList| supportedMTSExtensions| mTAsAllowedToPoll } ID oc-mta} 180 mTABilateralTableEntry OBJECT-CLASS ::= SUBCLASS OF {mTA| distinguishedNameTableEntry} ID oc-mta-bilateral-table-entry} bilateralTable ATTRIBUTE ::= { WITH SYNTAX SEQUENCE OF DistinguishedName SINGLE VALUE ID at-bilateral-table} 190 supportedMTSExtensions ATTRIBUTE ::= { SUBTYPE OF objectIdentifier ID at-supported-mts-extensions} restrictedSubtree OBJECT-CLASS ::= { SUBCLASS OF {top} KIND auxiliary MAY CONTAIN { subtreeDeliverableContentLength| subtreeDeliverableContentTypes| 200 subtreeDeliverableEITs} ID oc-restricted-subtree} subtreeDeliverableContentLength ATTRIBUTE ::= { SUBTYPE OF mhs-deliverable-content-length ID at-subtree-deliverable-content-length} subtreeDeliverableContentTypes ATTRIBUTE ::= { SUBTYPE OF mhs-deliverable-content-types ID at-subtree-deliverable-content-types} 210 subtreeDeliverableEITs ATTRIBUTE ::= { SUBTYPE OF mhs-deliverable-eits ID at-subtree-deliverable-eits} initiatorP1Mode ATTRIBUTE ::= { WITH SYNTAX P1Mode Kille Experimental [Page 65] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 SINGLE VALUE ID at-initiator-p1-mode} 220 responderP1Mode ATTRIBUTE ::= { WITH SYNTAX P1Mode SINGLE VALUE ID at-responder-p1-mode} P1Mode ::= ENUMERATED { push-only(0), pull-only(1), twa(2) } 230 polledMTAs ATTRIBUTE ::= { WITH SYNTAX PolledMTAs ID at-polled-mtas} PolledMTAs ::= SEQUENCE { mta DistinguishedName, poll-frequency INTEGER OPTIONAL --frequency in minutes } 240 mTAsAllowedToPoll ATTRIBUTE ::= { SUBTYPE OF distinguishedName ID at-mtas-allowed-to-poll} responderAuthenticationRequirements ATTRIBUTE ::= { WITH SYNTAX AuthenticationRequirements SINGLE VALUE ID at-responder-authentication-requirements} 250 initiatorAuthenticationRequirements ATTRIBUTE ::= { WITH SYNTAX AuthenticationRequirements SINGLE VALUE ID at-initiator-authentication-requirements} responderPullingAuthenticationRequirements ATTRIBUTE ::= { WITH SYNTAX AuthenticationRequirements SINGLE VALUE ID at-responder-pulling-authentication-requirements} 260 initiatorPullingAuthenticationRequirements ATTRIBUTE ::= { WITH SYNTAX AuthenticationRequirements SINGLE VALUE ID at-initiator-pulling-authentication-requirements} AuthenticationRequirements ::= BITSTRING { Kille Experimental [Page 66] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 mta-name-present(0), aet-present(1), aet-valid(2), network-address(3), 270 simple-authentication(4), strong-authentication(5), bilateral-agreement-needed(6)} respondingRTSCredentials ATTRIBUTE ::= { WITH SYNTAX RTSCredentials SINGLE VALUE ID at-responding-rts-credentials} 280 initiatingRTSCredentials ATTRIBUTE ::= { WITH SYNTAX RTSCredentials SINGLE VALUE ID at-initiating-rts-credentials} RTSCredentials ::= SEQUENCE { request [0] MTAandPassword OPTIONAL, response [1] MTAandPassword OPTIONAL } 290 MTAandPassword ::= SEQUENCE { MTAName, Password } -- MTAName and Password -- from X.411 callingPresentationAddress ATTRIBUTE ::= { SUBTYPE OF presentationAddress MULTI VALUE 300 ID at-calling-presentation-address} callingSelectorValidity ATTRIBUTE ::= { WITH SYNTAX CallingSelectorValidity SINGLE VALUE ID at-calling-selector-validity} CallingSelectorValidity ::= ENUMERATED { all-selectors-fixed(0), tsel-may-vary(1), 310 all-selectors-may-vary(2) } mTAWillRoute ATTRIBUTE ::= { WITH SYNTAX MTAWillRoute Kille Experimental [Page 67] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 ID at-mta-will-route} MTAWillRoute ::= SEQUENCE { from [0] SET OF ORAddressPrefix OPTIONAL, to [1] SET OF ORAddressPrefix OPTIONAL, from-excludes [2] SET OF ORAddressPrefix OPTIONAL, 320 to-excludes [3] SET OF ORAddressPrefix OPTIONAL } ORAddressPrefix ::= DistinguishedName redirect ATTRIBUTE ::= { WITH SYNTAX Redirect SINGLE VALUE ID at-redirect} Redirect ::= SEQUENCE OF SEQUENCE { 330 or-name ORName, reason RedirectionReason, -- from X.411 filter CHOICE { min-size [1] INTEGER, max-size [2] INTEGER, content [3] ContentType, eit [4] ExternalEncodedInformationType } OPTIONAL } nonDeliveryInfo ATTRIBUTE ::= { 340 WITH SYNTAX NonDeliveryReason SINGLE VALUE ID at-non-delivery-info} NonDeliveryReason ::= SEQUENCE { reason INTEGER (0..ub-reason-codes), diagnostic INTEGER (0..ub-diagnostic-codes) OPTIONAL, supplementaryInfo PrintableString OPTIONAL } badAddressSearchPoint ATTRIBUTE ::= { 350 SUBTYPE OF distinguishedName ID at-bad-address-search-point} badAddressSearchAttributes ATTRIBUTE ::= { WITH SYNTAX AttributeType ID at-bad-address-search-attributes} alternativeAddressInformation EXTENSION AlternativeAddressInformation ::= id-alternative-address-information 360 -- X.400(92) continues to use MACRO notation Kille Experimental [Page 68] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 AlternativeAddressInformation ::= SET OF SEQUENCE { distinguished-name DistinguishedName OPTIONAL, or-address ORAddress OPTIONAL, other-useful-info SET OF Attribute } localAccessUnit ATTRIBUTE ::= { WITH SYNTAX AccessUnitType ID at-local-access-unit} 370 AccessUnitType ::= ENUMERATED { fax (1), physical-delivery (2), teletex (3), telex (4) } accessUnitsUsed ATTRIBUTE ::= { WITH SYNTAX SelectedAccessUnit ID at-access-units-used} 380 SelectedAccessUnit ::= SEQUENCE { type AccessUnitType, providing-MTA DistinguishedName, filter SET OF ORAddress OPTIONAL } mhs-ds OBJECT-IDENTIFIER ::= {iso(1) org(3) dod(6) internet(1) private(4) enterprises(1) isode-consortium (453) mhs-ds (7)} routing OBJECT IDENTIFIER ::= {mhs-ds 3} 390 oc OBJECT IDENTIFIER ::= {routing 1} at OBJECT IDENTIFIER ::= {routing 2} id OBJECT IDENTIFIER ::= {routing 3} oc-mta OBJECT IDENTIFIER ::= {oc 1} oc-mta-bilateral-table-entry OBJECT IDENTIFIER ::= {oc 2} oc-routing-information OBJECT IDENTIFIER ::= {oc 3} oc-restricted-subtree OBJECT IDENTIFIER ::= {oc 4} oc-routed-ua OBJECT IDENTIFIER ::= {oc 8} 400 oc-routing-tree-root OBJECT IDENTIFIER ::= {oc 6} oc-mta-application-process OBJECT IDENTIFIER ::= {oc 7} at-access-md OBJECT IDENTIFIER ::= {at 1} at-access-units-used OBJECT IDENTIFIER ::= {at 2} at-subtree-information OBJECT IDENTIFIER ::= {at 3} at-bad-address-search-attributes OBJECT IDENTIFIER ::= {at 4} at-bad-address-search-point OBJECT IDENTIFIER ::= {at 5} at-calling-selector-validity OBJECT IDENTIFIER ::= {at 7} 410 Kille Experimental [Page 69] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 at-global-domain-id OBJECT IDENTIFIER ::= {at 10} at-initiating-rts-credentials OBJECT IDENTIFIER ::= {at 11} at-initiator-authentication-requirements OBJECT IDENTIFIER ::= {at 12} at-initiator-p1-mode OBJECT IDENTIFIER ::= {at 13} at-initiator-pulling-authentication-requirements OBJECT IDENTIFIER ::= {at 14} at-local-access-unit OBJECT IDENTIFIER ::= {at 15} at-redirect OBJECT IDENTIFIER ::= {at 46} at-mta-info OBJECT IDENTIFIER ::= {at 40} 420 at-mta-name OBJECT IDENTIFIER ::= {at 19} at-mta-will-route OBJECT IDENTIFIER ::= {at 21} at-calling-presentation-address OBJECT IDENTIFIER ::= {at 22} at-responder-authentication-requirements OBJECT IDENTIFIER ::= {at 23} at-responder-p1-mode OBJECT IDENTIFIER ::= {at 24} at-responder-pulling-authentication-requirements OBJECT IDENTIFIER ::= {at 25} at-responding-rts-credentials OBJECT IDENTIFIER ::= {at 26} at-routing-failure-action OBJECT IDENTIFIER ::= {at 27} at-routing-filter OBJECT IDENTIFIER ::= {at 28} 430 at-routing-tree-list OBJECT IDENTIFIER ::= {at 29} at-subtree-deliverable-content-length OBJECT IDENTIFIER ::= {at 30} at-subtree-deliverable-content-types OBJECT IDENTIFIER ::= {at 31} at-subtree-deliverable-eits OBJECT IDENTIFIER ::= {at 32} at-supporting-mta OBJECT IDENTIFIER ::= {at 33} at-transport-community OBJECT IDENTIFIER ::= {at 34} at-user-name OBJECT IDENTIFIER ::= {at 35} at-non-delivery-info OBJECT IDENTIFIER ::= {at 47} at-polled-mtas OBJECT IDENTIFIER ::= {at 37} at-bilateral-table OBJECT IDENTIFIER {at 45} 440 at-supported-extension OBJECT IDENTIFIER {at 42} at-supported-mts-extension OBJECT IDENTIFIER {at 43} at-mtas-allowed-to-poll OBJECT IDENTIFIER {at 44} id-alternative-address-information OBJECT IDENTIFIER ::= {id 1} ts-communities OBJECT-IDENTIFIER ::= {iso(1) org(3) dod(6) internet(1) private(4) enterprises(1) isode-consortium (453) ts-communities (4)} 450 tc-cons OBJECT IDENTIFIER ::= {ts-communities 1} -- OSI CONS tc-clns OBJECT IDENTIFIER ::= {ts-communities 2} -- OSI CLNS tc-internet OBJECT IDENTIFIER ::= {ts-communities 3}-- Internet+RFC1006 tc-int-x25 OBJECT IDENTIFIER ::= {ts-communities 4} -- International X.25 -- Without CONS tc-ixi OBJECT IDENTIFIER ::= {ts-communities 5} -- IXI (Europe) tc-janet OBJECT IDENTIFIER ::= {ts-communities 6} -- Janet (UK) Kille Experimental [Page 70] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 mail-protocol OBJECT-IDENTIFIER ::= {iso(1) org(3) dod(6) internet(1) private(4) enterprises(1) isode-consortium (453) mail-protocol (5)} 460 ac-p1-1984 OBJECT IDENTIFIER ::= {mail-protocol 1} -- p1(1984) ac-smtp OBJECT IDENTIFIER ::= {mail-protocol 2} -- SMTP ac-uucp OBJECT IDENTIFIER ::= {mail-protocol 3} -- UUCP Mail ac-jnt-mail OBJECT IDENTIFIER ::= {mail-protocol 4} -- JNT Mail (UK) ac-p1-1988-x410 OBJECT IDENTIFIER ::= {mail-protocol 5} -- p1(1988) in X.410 mode ac-p3-1984 OBJECT IDENTIFIER ::= {mail-protocol 6} -- p3(1984) END Figure 22: ASN.1 Summary ----------------------------------------------------------------------- E Regular Expression Syntax This appendix defines a form of regular expression for pattern matching. This pattern matching is derived from commonly available regular expression software including UNIX egrep(1) The matching is modified to be case insensitive. A regular expression (RE) specifies a set of character strings to match against - such as "any string containing digits 5 through 9". A member of this set of strings is said to be matched by the regular expression. Where multiple matches are present in a line, a regular expression matches the longest of the leftmost matching strings. Regular expressions can be built up from the following "single-character" RE's: c Any ordinary character not listed below. An ordinary character matches itself. \ Backslash. When followed by a special character, the RE matches the "quoted" character, cancelling the special nature of the character. . Dot. Matches any single character. ^ As the leftmost character, a caret (or circumflex) con- strains the RE to match the leftmost portion of a string. A match of this type is called an "anchored match" because it is "anchored" to a specific place in the string. The ^ character loses its special meaning if it appears in any position other Kille Experimental [Page 71] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 than the start of the RE. $ As the rightmost character, a dollar sign constrains the RE to match the rightmost portion of a string. The $ character loses its special meaning if it appears in any position other than at the end of the RE. ^RE$ The construction ^RE$ constrains the RE to match the entire string. [c...] A nonempty string of characters, enclosed in square brackets matches any single character in the string. For example, [abcxyz] matches any single character from the set `abcxyz'. When the first character of the string is a caret (^), then the RE matches any charac- ter except those in the remainder of the string. For example, `[^45678]' matches any character except `45678'. A caret in any other position is interpreted as an ordinary character. []c...] The right square bracket does not terminate the enclosed string if it is the first character (after an initial `^', if any), in the bracketed string. In this position it is treated as an ordinary character. [l-r] The minus sign (hyphen), between two characters, indicates a range of consecutive ASCII characters to match. For example, the range `[0-9]' is equivalent to the string `[0123456789]'. Such a bracketed string of characters is known as a character class. The `-' is treated as an ordinary character if it occurs first (or first after an initial ^) or last in the string. The following rules and special characters allow for con-structing RE's from single-character RE's: A concatenation of RE's matches a concatenation of text strings, each of which is a match for a successive RE in the search pattern. * A regular expression, followed by an asterisk (*) matches zero or more occurrences of the regular expression. For example, [a-z][a-z]* matches any string of one or more lower case letters. Kille Experimental [Page 72] RFC 1801 X.400-MHS Routing using X.500 Directory June 1995 + A regular expression, followed by a plus character (+) matches one or more occurrences of the regular expression. For example, [a-z]+ matches any string of one or more lower case letters. ? A regular expression, followed by a question mark (?) matches zero or one occurrences of the regular expression. For example, ^[a-z]?[0-9]* matches a string starting with an optional lower case letter, followed by zero or more digits. {m} {m,} {m,n} A regular expression, followed by {m}, {m,}, or {m,n} matches a range of occurrences of the regular expression. The values of m and n must be non-negative integers less than 256; {m} matches exactly m occurrences; {m,} matches at least m occurrences; {m,n} matches any number of occurrences between m and n inclusive. Whenever a choice exists, the regular expression matches as many occurrences as possible. | Alternation: two regular expressions separated by `|' or NEWLINE match either a match for the first or a match for the second. (...) A regular expression enclosed between the character sequences ( and ) matches whatever the unadorned RE matches. The order of precedence of operators at the same parenthesis level is `[ ]' (character classes), then `*' `+' `?' '{m,n}' (closures), then concatenation, then `|' (alternation) and NEWLINE. Kille Experimental [Page 73]