A Taxonomy on Private Use Fields in Protocols
213 El Rancho GrandeKerrvilleTexas78028USlonvick.ietf@gmail.comPENPrivate name spacePrivate name spacePrivate usePrivate Enterprise NumberPrivate Enterprise Code
The fields in protocols that are reserved for private use have been purposefully unregulated.
This document attempts to provide some classifications for the way that private use fields
have been used in protocols developed in the IETF.
Simply put, communications protocols are standardized ways for computing entities to convey information.
Within each communications protocol, there must be standardized pieces of information that will be
communicated, and there may be non-standardized information that can be communicated.
Time Protocol is an example of a protocol that only conveys standardized
information. There is no way to add anything other than what is specified in the document. On the other hand,
DoD standard Transmission Control Protocol does have "options" but they
must be registered through the IANA , which does not leave any room for
optional information supplied by equipment vendors, network operators, or experimenters. Finally,
Vendor-Identifying Vendor Options for Dynamic Host Configuration Protocol version 4 (DHCPv4)
does allow for vendor specific options.
If a network operator wanted to add specific information to the Time Protocol,
they could modify the code of the senders and receivers and run this within their own domain without any
problems. However, if an equipment vendor wanted to include information specific to their equipment,
they would have to ensure that all senders and receivers within all network domains would either accept the
change in the protocol, or would not have problems with it. As a final case, if several equipment vendors
desired to add equipment-specific information to this protocol, they would have to take great care that
only their own receivers would accept information from their own transmitters. An extension to that would
be that if one equipment vendor would like to transmit or receive the same information that another vendor
is using.
For the case of TCP , standard options are expected; senders may use them and
receivers may be configured
to act upon that information, or to ignore it. If an experimenter wants to add an option, they will have
to create a new IETF RFC with the details, or obtain approval from the IESG to have the IANA add to
the registry . Similarly, if equipment vendors Foo and Bar were to have a need
for a similar option within TCP, they would each have to go through the process to add to the registry.
On the other hand, if a properly crafted multipurpose, private use option were to be registered, such as
in the case of multiple vendor instances within
Vendor-Identifying Vendor Options for Dynamic Host Configuration Protocol version 4 (DHCPv4)
then vendors and
experimenters would each be able to use it for their own purposes as long as all network participants
can easily differentiate between the entities using the option.
This document explores the various ways that protocols may allow optional information using fields
designated as "private use" to be included in protocols, without disrupting the desired harmony of the network.
Guidelines for Writing an IANA Considerations Section in RFCs
describes that values of specific name spaces may either be registered with the IANA, or not.
In most cases, there are well defined values for name spaces. However, as the document
explains, not all name spaces require centralized administration.
In that document, it seems to be assumed that private use name spaces will be domain specific and
it will be up to the administrators of any domain to avoid conflicts. The first example given about
private use name spaces refers to Dynamic Host Configuration Protocol and
presumably DHCP Options and BOOTP Vendor Extensions. In this the example states
that "site-specific options in DHCP have significance only within a single site". As noted below this became a
problem that was rectified in a later revision of DHCP.
Later works identified a need to place a scope on private use name spaces. The second example of private use
name spaces in is from
STANDARD FOR THE FORMAT OF ARPA INTERNET TEXT MESSAGES
which describes X- headers. Again, there is no effort made to control the name space. It appears however that
the users of X- headers have self-organized; most consistently use features that are universally useful and
many have incorporated identifiers for useful features that may overlap.
In this document, the following words are defined to prevent ambiguity. Some of these words have not been used in the
referenced works but their meanings can be ascertained.
communications protocol - a formal description of digital message formats and the rules for exchanging those messages
in or between computing systems and in telecommunications
protocol frame - a defined container of fields used to convey information in a communications protocol
field - any defined container within a communications protocol frame
standard option - a field in a protocol frame that may only use values that are strictly defined within a specification
private use option - a field in a protocol frame that is reserved for private or local use only name spaces
name space - the set of possible values a field may contain; its actual content may be a name, a number or another kind of value
Examples
communications protocol - The File Transfer Protocol is an example of a communications protocol.
It has well defined fields and standard options. The Syslog Protocol is another example of a
communications protocol. It has well defined fields, standard options, and it also has private use options.
protocol frame - An Internet Protocol packet is considered to be a protocol frame.
In the case of The File Transfer Protocol, an FTP message from the client to the server within the
Internet Protocol containing an FTP command is a protocol frame. In the case of
The Syslog Protocol, a message from the client to the server within the
Internet Protocol containing a syslog message is also a protocol frame.
field - In the case of The File Transfer Protocol, a command will be contained within a field.
In the case of The Syslog Protocol, the HOSTNAME is a field.
standard option - In the case of The File Transfer Protocol,
an FTP command, such as CDUP and QUIT, is a standard option. The reason that a command is
a standard option is that only the values listed by the IANA in the registry may be used. The
standard options are not limited to the values defined in the original RFC, but also include any additions to the
registry.
In the case of The Syslog Protocol, an SD-ID may be a standard option.
The example given in Section 7.1.4
of of
is a standard option because all of the
fields are listed in the document and in the IANA registry .
private use option - In the case of The Syslog Protocol, an SD-ID may be a private use option. Example 3 given in Section 6.5
contains a private use option.
Specifically, the SD-ID starting with "[exampleSDID@32473 ..." is not a specifically defined option in the RFC, nor
is it registered in the IANA registry . It is a way for an equipment vendor to insert their specific information
without having to register anything. In this case if the receiver knows the format of that SD-ID then it can
immediately interpret its meaning. However, if it does not know how to interpret that SD-ID, it can still log
the message and an Operator or Administrator can look up its meaning at a later time.
name space - In the same Example 3 from Section 6.5 of The Syslog Protocol,
"exampleSDID@32473" provides the name space
so the context of the rest of the SD-ID may be interpreted. Specifically the Private Enterprise Number
(PEN) is used to associate the option with a private enterprise, and the text before
the "@" identifies the option defined within that private enterprise.
This section contains a review of RFCs that allow the use of private use options. There seem to be three ways
to address the name space: via a global origin, via a truncated numerical origin, and via a namespace based upon
the domain name.
Likely, the first private use option was defined in the
Structure and Identification of Management Information for TCP/IP-based Internets
which was first used in
A Simple Network Management Protocol (SNMP).
The structure of management information (SMI) has been updated and
is currently defined as the
Structure of Management Information Version 2 (SMIv2).
SMI is a well described tree of OBJECT IDENTIFIERs. It has an origin and a path for defined object identifiers
which this document describes as standard options. It also allows for experimental and vendor
specific object identifiers, which are described as private use options in this document. The IANA maintains a
registry of these Network Management Parameters .
The Internet subtree of experimental OBJECT IDENTIFIERs starts with the prefix:
1.3.6.1.3., and
the Internet subtree of private enterprise OBJECT IDENTIFIERs starts with the prefix:
1.3.6.1.4.1.
This is followed by a Private Enterprise Number (PEN) and then the OBJECT IDENTIFIERs
defined by that enterprise.
While this is very practical and practicable for SNMP, fully qualified SMIs do not lend themselves well for other uses as
a generic private use option.
Rather than using the entire SMI, protocol engineers started using just the Private Enterprise Number
. This reduces the length of the identifier but continues to provide an
identifier through a globally unique name space. This subsection provides examples of how the PEN has
been used to provide private use options.
The Remote Authentication Dial In User Service (RADIUS) specification
documented how to use just the PEN (without the rest of the SMI path to the root) to allow
"vendors" to articulate their own options. In this document, these are called Vendor-Specific Attributes (VSA).
The updated RADIUS document, , gives guidance for using the VSA.
Servers not equipped to interpret the vendor-specific information
sent by a client MUST ignore it (although it may be reported).
Clients which do not receive desired vendor-specific information
SHOULD make an attempt to operate without it, although they may do
so (and report they are doing so) in a degraded mode.
The Attribute-Specific field is dependent on the vendor's definition of that attribute.
It SHOULD be encoded as a sequence of vendor type / vendor length / value fields.
Multiple subattributes MAY be encoded within a single Vendor-Specific Attribute, although they do not have to be.
There are many attributes defined in RADIUS which may be considered to be standard variables.
Each of these attributes are specified within a "type length value" (tlv) container.
For this protocol, the VSA "type" is a specific numerical value which separates it from other attributes.
Type 26 (decimal) denotes a VSA, and the PEN starts the "value" which should then include a subsequent nested
tlv so the vendor may enumerate their own options within the field.
Mobile IP Vendor Specific Extensions
defines two extensions that can be used for making organization
specific extensions by vendors/organizations for their own specific
purposes for Mobile IP . Mobile IP has been revised several times and is currently
specified in IP Mobility Support for IPv4, Revised.
In this specification, two tlv's have been defined to contain private use options. These are called
Vendor/Organization Specific Extensions (VSE).
When the Critical Vendor/Organization Specific Extension (CVSE) is encountered but not recognized,
the message containing the extension MUST be silently discarded.
When a Normal Vendor/Organization Specific Extension (NVSE) is
encountered but not recognized, the extension SHOULD be ignored, but
the rest of the Extensions and message data MUST still be processed.
Having two VSEs of this nature for private use options is consistent with the original Mobile IP specification
which states:
When an Extension numbered in either of these sets within the range 0
through 127 is encountered but not recognized, the message containing
that Extension MUST be silently discarded. When an Extension
numbered in the range 128 through 255 is encountered which is not
recognized, that particular Extension is ignored, but the rest of the
Extensions and message data MUST still be processed.
The introduction to
Vendor-Identifying Vendor Options for
Dynamic Host Configuration Protocol version 4 (DHCPv4) states:
The DHCP protocol for IPv4, , defines options that allow
a client to indicate its vendor type (option 60), and the DHCP client
and server to exchange vendor-specific information (option 43) .
Although there is no prohibition against passing multiple copies of
these options in a single packet, doing so would introduce ambiguity
of interpretation, particularly if conveying vendor-specific
information for multiple vendors.
This meant that Dynamic Host Configuration Protocol
specified that there was one instance of the vendor type, and the receiver used that name space
to set the scope for the fields in the vendor-specific information option.
This situation was resolved with the publication of
Vendor-Identifying Vendor Options for
Dynamic Host Configuration Protocol version 4 (DHCPv4) which states:
The Dynamic Host Configuration Protocol (DHCP) options for Vendor
Class and Vendor-Specific Information can be limiting or ambiguous
when a DHCP client represents multiple vendors.
That specification () then used the PEN
to defined a unique name space for private use options in
this protocol. Similar to other protocols of this era, tlv containers were used.
Recording IP flow information is the subject of the
Specification of the IP Flow Information Export (IPFIX) Protocol
for the Exchange of IP Traffic Flow Information.
Since flows may be created and concluded very quickly, processing speed is essential
to this protocol. As such, it is a protocol based upon binary fields that can be
interpreted quickly.
Even though the protocol is binary oriented rather than character oriented, it still uses
the PEN to identify the origin of the private use option. All options are identified as
Information Elements in this specification. The first field of each Information Element
is a single bit identified as the Enterprise bit, which is defined as follows:
Enterprise bit. This is the first bit of the Field Specifier. If
this bit is zero, the Information Element Identifier identifies an
IETF-specified Information Element, and the four-octet Enterprise
Number field MUST NOT be present. If this bit is one, the
Information Element identifier identifies an enterprise-specific
Information Element, and the Enterprise Number filed MUST be
present.
The specification goes on to say:
The Collecting Process MUST note the Information Element identifier
of any Information Element that it does not understand and MAY
discard that Information Element from the Flow Record.
The Syslog Protocol also uses the PEN to
uniquely qualify the name space for a private use option. Standard options do not contain the "@"
character. Private use options must have the PEN following the "@" character. This allows a
vendor or experimenter to have overlapping name spaces which the PEN will then uniquely identify.
For example a standard option is tzKnown which may only have associated values of "0" and "1". However
tzKnown@32473 may have any value assigned to it by the owner of enterprise number 32473.
Syslog transport receivers are supposed to accept all correctly formatted Syslog messages.
Unlike RADIUS, the receiving Syslog application does not have to have immediate knowledge of all variable
options to continue operations. If a private use option is not immediately known to the receiving
application, it may still store the message and an Operator or Administrator may look it up at a
later time if they are really interested.
The Secure Shell (SSH) Protocol Architecture uses character strings rather
than PENs. Similar to Syslog, but actually predating it, standard options must not have the "@" character
in them. Private use options will have an origin identifier preceding an "@" character followed by a name space
field. For example, in The Secure Shell (SSH) Connection Protocol SSH
channels may be opened by specifying a channel type when sending the SSH_MSG_CHANNEL_OPEN message. Standard
options for the channel type include "session" and "x11". A private use option for a channel type could be
"example_session@example.com".
Obviously, these character strings are domain names .
This is specified in The Secure Shell (SSH) Protocol Architecture.
Generally, the guidance given is that if a private use option of this nature is not understood it is to
convey to its peer an error code.
This section summarizes the observed characteristics
of private use options that are successful and deployed.
There seem to be three characteristics of successful private use options.
A private use option requires a path to an origin that has the authority to
create and maintain the option. As shown above, this referent should be unique, and not dependent
upon local interpretation.
In the case of SNMP, the globally unique origin is the
International Standards Organization
which is accredited by the United Nations to maintain this structure. However, the
namespace resolves to the PEN which does not seem to be globally unique.
The PEN is sourced by the Internet Assigned Numbers Authority (IANA).
While there seems to be no reports of problems using PENs, PENs do not seem to be unique.
It appears that some private enterprises have registered multiple PENs, and that there are some private
enterprises whose PENs are no longer serviceable, mostly because they have been acquired by other
companies, or they have gone out of business.
Domain names have similar problems as they can be more ephemeral than eternal. The top level domains
are maintained by the Internet Corporation for Assigned Names and Numbers
however the specific names are assigned much more locally. Unlike PENs that become unserviceable
when their owning organization goes out of business, domain names that fall into disuse may be
acquired and used by entirely different organizations. Again however, like the use of PENs there
have not been any problems reported from this.
Once the source of authority is established, an actual option, or options, must be specified.
In the case of SNMP, after the vendor identifier (the PEN) in the management information
base (MIB) a vendor can create many different trees to identify objects. This may result in a very large number
of object identifiers which are called private use options in this document.
The PEN can used in myriad ways.
For RADIUS, the PEN is used as the first field in the resolution of an option.
The recommendation is that the vendor then create a tlv, or multiple tlv's, within the option field.
That would allow a vendor to specify multiple values, each with a different focus,
within the same option field by concatenating tlv's.
Mobile IP allows that a vendor may have multiple private use options within
a protocol frame. Each will start as any other option, will include the PEN as the source of authority
to specify the option, and will then have a "type" field to denote the focus of the option. The "type"
will either be the Vendor-NVSE-Type or the Vendor-CVSE-Type. Regardless, there is only one "value" allowed
in each option field. A vendor wishing to include multiple private use options would then have to
create multiple options, each with a different focus, within a protocol frame.
As it is used today, DHCP only allows a single instance of the PEN as
a vendor option identifier in a protocol frame. Within the option, sub-option codes are to be used as the start of one or more tlv's
which will allow a vendor to specify as many private use options as they need. This is similar to
RADIUS.
In the IPFIX template, private use options are described within Information
Elements. These may have multiple values described through Information Element Identifiers, which makes
this quite extensible.
The Syslog protocol allows for the focus of the private use option to be
fully defined by the vendor within the structured data. Specifically, a vendor may define a "type" of
private use option by concatenating it with the PEN by using the @ character. Within the bounds of
the structured data, multiple elements may be used that have identifiers and values.
Finally, in the SSH protocol, the focus of the option is dependent upon context.
For example, ourcipher-cbcexample.com can only be used when negotiating ciphers, while example_sessionexample.com
can only be used when negotiating channel types per the examples in .
The value of each private use option must be extensible but bounded. (I'd write more but see .)
Private use options are useful to the community and are gaining popularity. This is a way to allow
vendors, network operators, and experimenters to convey dynamic information without going
through a rigorous process to register each variable.
There is no "one size fits all" mechanism. The use of a very specific and fixed format works very well
for IPFIX which requires speed in processing. On the other hand, the open nature of the private use
options in Syslog is appropriate for that protocol.
The structure of the SMI is uniform and globally unique, but the pen is not up to date. It appears that
the people listed as the contacts for some of the organizations have moved on, and that some of the
organizations have either been acquired by other organizations or have gone out of business. It also
appears that some organizations have registered multiple PENs. The author is really not sure why they
would need to do that so any clue here would be appreciated.
Using the PEN with an extension or even with an entire SMI may be constrained to fit nicely into a
binary oriented protocol that has strict field lengths. Using domain names, as SSH does, may also be fit within binary protocols
but since domain name lengths vary, tlv's or some other mechanism may need to be used to establish the boundaries
of fields.
RADIUS dictates what to do if a private use option is not understood by a receiver.
Mobile IP Vendor Specific Extensions builds on that by letting a receiver know
if it must process the entire packet containing a private use option, or if it may ignore a private use option
that it doesn't understand but yet continue processing the rest of the packet. On the other hand, Syslog
does not require a receiver to understand anything about any private use options. It is expected that
receivers that do understand the private use options will be able to take actions more appropriately based
on the information they receiver.
From that, it is important to define in protocol specifications what actions to take when a receiver receives
a frame with a private use options.
This section will be removed prior to publication.
Now that I've written it, I'm thinking that I should pivot the "characteristics" section. I think it would be
easier to explain source/focus/value on a per protocol basis rather than each with examples within each
protocol. That will be done in -01. :-)
I need to revise the Issues section. I'd like to write a lot more description there but I want this
version out the door first.
This document reviews ways that options are being used in various protocols.
As such, there are no security considerations inherent in this document.
Readers and implementers should be aware of the context of implementing options
in their own protocols.
This document does not propose a standard and does not require the
IANA to do anything.
The idea for documenting this came from questions asked in the SIP-CLF Working Group and the
author is grateful for the discussion around this topic.
The following people have contributed to this document. Listing their names here does
not mean that they endorse the document, but that they have contributed to its
substance.
David Harrington, Dan Romascanu and Bert Wijnen.
IANA Transmission Control Protocol (TCP) Parameters, TCP Option Kind NumbersInternet Assigned Numbers AuthorityIANA FTP Commands and ExtensionsInternet Assigned Numbers AuthorityIANA syslog ParameterInternet Assigned Numbers AuthorityNetwork Management ParametersInternet Assigned Numbers AuthorityIANA PRIVATE ENTERPRISE NUMBERSInternet Assigned Numbers AuthorityWikipedia entry for communication protocolWikipedia - the Free DictionaryInternational Standards OrganizationInternational Standards OrganizationInternet Corporation for Assigned Names and NumbersInternet Corporation for Assigned Names and Numbers